Tuesday, April 28, 2009

Google Chrome 1.0.154.59 "throw exception" Memory Exhaustion Vulnerability.

The Google chrome browser is vulnerable to memory exhaustion based denial of service which can be triggered remotely.The vulnerability is a result of arbitrary shell code which is rendered in a script tag with an exception that is raised directly with throw statement. It makes the browser to consume memory thereby impacting the focused window and leads to crash. The impact can be stringent based on different systems.

Read More

- EF

Monday, April 20, 2009

Scripting attack II. Conjunction of crimeware for increased infection

Another technique widely used by cyber-criminals to attack computers via web scripting is the injection of malicious instructions in the code of the page.

In this case, a website hosted on a server breach is used as a vector for spreading malware through the exploitation of vulnerabilities in computers unprotected. Some of the pages used are:

http://team-sleep.by .ru/default2 .html
http://team-sleep.by .ru/demo .html
http://team-sleep.by .ru/disco .html

http://team-sleep.by .ru/downloads .html
http://team-sleep.by .ru/enter .html
http://team-sleep.by .ru/gold .html
http://team-sleep.by .ru/googleanalyticsru .html
http://team-sleep.by .ru/guest .html
http://team-sleep.by .ru/guestbook .html
http://team-sleep.by .ru/media .html
http://team-sleep.by .ru/menu .html
http://team-sleep.by .ru/news .html
http://team-sleep.by .ru/photo2 .html
http://team-sleep.by .ru/poem .html
http://team-sleep.by .ru/press_reviews .html
http://team-sleep.by .ru/team-sleep .html
http://team-sleep.by .ru/wallpapers .html
http://team-sleep.by .ru/gmail .php
http://team-sleep.by .ru/haitou .php
http://team-sleep.by .ru/in .php
http://team-sleep.by .ru/xxx .php
http://team-sleep.by .ru/photo/team .html
http://team-sleep.by .ru/photo/wallz .html
http://team-sleep.by .ru/photo/live/index2 .html
http://team-sleep.by .ru/photo/live/imagepages/image1 .html
http://team-sleep.by .ru/photo/members/imagepages/image1 .html
http://team-sleep.by .ru/photo/team/imagepages/image1 .html


The list is long (98 pages of a site). However, through the graph are all represented.

Each of these web addresses are disseminated through channels such as email or instant messaging clients using a strategy of social engineering, and housed several different script containing obfuscated exploits.

Decoder to the scripts, we find the use of iframe tags that redirect to other URL's such as:
  • http://5rublei .com/unique/index .php
  • http://tochtonenado .com/yes/index .php
A very interesting point in relation to crimeware, refers directly to the concept of vulnerability, ie, the crimeware not a weakness is exempted by design flaws in its code, which allows us to elaborate a little more knowledge on crimeware violating their integrity.

As we see in the picture, it appears that it's the job of two known crimeware, Unique Sploits Pack and YES Exploit System.

This shows that cyber-criminals are constantly looking to find a quick and simple way, the more automated the better, different forms of attack to increase profits.

In this way, the work "professional" behind these malicious malware where the main actor is seeking to expand the range of infections, botmaster manage activities harmful to a greater flow of distribution.

Related Information
Scripting attack. Exploitation of multiple vulnerabilities - Spanish version
Exploitation of vulnerabilities through PDFs - Spanish version
Exploiting vulnerabilities through SWF - Spanish version
Exploitation of vulnerabilities through JS - Spanish version
Analysis of an attack of web-based malware - Spanish version
LuckySploit, the right hand of Zeus - Spanish version
Massive exploitation of vulnerabilities through servers ghosts - Spanish version


# Jorge Mieres

Sunday, April 19, 2009

Continuing the important and massive campaign scareware

During the past month, had written something on a major campaign of spreading malware type scareware, or rogue, using as a strategy of deception by pretending to be pages that Windows Explorer, in English and Spanish language.

A month later, the campaign continues to operate a mass number of important domains, the majority of Chinese origin.

However, its creators and disseminators channel all its efforts not only in domains quickly get through the registration hosting free or violated, but also to avoid detection by antivirus companies regardless of the life cycle of the installer, since it's changed almost daily.

Some of the binaries and domains involved are:
ia-scannerpro .com
scanplus4 .info
newscan4 .info
anytoplikedsite .com

topsecurity4you .com

cleanyourpcspace .com

fullsecurityshield .com

xw.dayindigo.cn/in .cgi?9

onlinedetect.com/in .cgi?6

greatsecurityshield .com

easycheckpoisonpro .cn/?

examineillnesslive .cn

easydefenseonline .cn

bigdefense2u .cn

vlo.bookadorable.cn/in .cgi?9

davidkramm.net/core/admin/bald-pussy-photo/red-pepper-humus-recipe .html

1000league .com/in .cgi?9

goscanstep .com/?uid=12724

in4ck .com/cki.php?uid=12724

data6scan .com/?uid=12724

bwgm.schoolh .cn/in.cgi?6
designroots .cn/in.cgi?6
drawingstyle .cn/in.cgi?6

ed.worksean .cn/in.cgi?6

housevisual .cn/in.cgi?6

kvk.housevisual .cn/in.cgi?6

oceandealer .cn/in.cgi?6

pub.oceandealer .cn/in.cgi?6

peopleopera .cn/in.cgi?6

rainfinish .cn/in.cgi?6

schoolh .cn/in.cgi?6

vitamingood .cn/in.cgi?6

websiteflower .cn/in.cgi?6

worksean .cn/in.cgi?6

xfln.housevisual .cn/in.cgi?6

yz.worksean .cn/in.cgi?6

securedantivirusonlinescanner .com

thankyou4check .com

antivirusonlineproscan .com

antivirus-pro-live-scan .com
antivirusonlineproscanner .com
allsoftwarepayments .com

powerdownloadserver .com

securitysoftwarecheck .com

wwwsafetyread .com

scan7live .com

traffbox .com/in.cgi?6

soft-traffic .com

rd-point .net/go.php?id=1188

ddors .info/in.cgi?10

truconv .com/?a=125&s=gen-asw

yourfriskviruspro .cn/?wm=70127&l=1

addedantivirusstore .com

myplusantiviruspro .com

realantivirusplus .com

yourguardstore .cn

addedantiviruslive .com

japanhostnet .com/in.cgi?mainy8com


While this list is quite generous, compared with the number of domains used in the campaign scareware represents only a small percentage.

Moreover, beyond the campaign itself, another factor of concern is the increasing effectiveness of this type of malicious code.

Related Information
Campaign scareware infection through false Windows Explorer - Spanish version
Malware infection through false Windows Security Center


# Jorge Mieres

Thursday, April 16, 2009

Scripting attack. Exploitation of multiple vulnerabilities

The execution of malicious code via scripting attacks are part of the folklore of the current malware. However, behind this whole battery of methods of infection, are involved applications designed to fully commit such malicious acts.

Usually, this is as crimeware applications zeus, barracuda, chamaleon, YES, etc., or remote shells written in PHP, as in this case, known r57shell.

There are many applications of this style (c99shell, c100shell, locus NetShell, etc.) that are implanted, usually in a vulnerable server via RFI (Remote File Inclusion) and used for mass-defacement that is say mass defacement of web pages.

However, while it's customary for the purpose of this, are fully employed to attacks via the Web through malicious code such as DDoS, SQL Injection and recruitment of zombie computers, among others.

As we can see through this second capture, the features it offers are many r57shell, and don't respond to a casual or trivial, the intention is to fully control the server where it's implanted. Ie, it's a backdoor from which an attacker to take complete control of the server, and each node in the same accommodation.

In this case, the PHP shell was being used to spread malware by exploiting the following vulnerabilities:
All exploits for these vulnerabilities are found in a single script whose appearance is similar to the following, which by the way, the catch has been cut.

Decoder to the script, you get the following URL's:
  • http://vsedlysna.ru/img/site/2/load.php?id=83 --> Download the file load.exe (MD5: 22027b5c4394c7095c4310e2ec605808) packed whith ASPack v2.12.
  • http://vsedlysna.ru/img/site/2/pdf.php?id=83 --> Download the file 9040.pdf (MD5: 3b9e76642e96f3626cf25b7f3f9d6c3a) where filename is a random value that changes for each download adopatando names like 8795.pdf, 7436.pdf, 6100.pdf, etc.
  • http://vsedlysna.ru/img/site/2/pdf.php?id=83&vis=1 --> Download pdf file with the extension whose name varies in each accessible following the same methodology as the previous case. In this case, the file is called 4099.pdf (MD5: 5caf548ff3e6ae0c9101ae647757a099).

# Jorge Mieres

Tuesday, April 14, 2009

YES Exploit System. Another crimeware made in Russia

The suite of applications used to automate different types of attacks via the Web (crimeware), have been transformed into a dangerous trend that clearly shows the inclination and demand criminal automate processes malicious.

I've noticed several of them of which Russia is a paradise for the creative development of crimeware. Also, technical support, in many cases, and the creation of crimeware packages "tailored" ready to implement and need only to know to modify the default password of admin panel via the web.

Which is an extra spice of proliferation of malicious acts performed by persons not familiar with the type of program you are using. Just purchased a modest cost ready to start spreading malicious instructions in bulk.

YES Exploit System, is another of the crimeware package that meets these characteristics of easy implementation and use.

The new version has recently presented a cost of 700 USD in the Russian black market and incorporates a series of "improvements" malicious functions with respect to the previous version, in addition to free updates for life.

Among the new features that are incorporated crimeware:
  • New exploits.
  • The possibility to obtain minimum statistical information through a new manager doesn't replace the statistical complete but supplements it.
  • Notice that no other infections have occurred through YES Exploit System in the victim computer.
  • Updating the GeoIP database.
  • Ability to download multiple files from the same page, for example, index.php can be downloaded from abc.exe, def.exe, ghi.exe.
  • Administration of downloading files via the control panel and not FTP.
  • Optimizing PHP code.
  • Elimination of statistics and guest checker FTP.
  • Control files downloaded through the administration panel.
  • Optimization of the general control panel for a better performance in loading it.
  • Added a new level of encryption code iframe.
  • Encryption binaries to avoid detection by the AV companies.
A new alternative to centralized management and automation of criminal activities using the Internet as a base for attacks.

Related Information
Russian prices of crimeware - Spanish version
Barracuda Bot. Botnet activamente explotada
Unique Sploits Pack. Crimeware para automatizar la explotación de vulnerabilidades

# Jorge Mieres

Saturday, April 11, 2009

Fake page used as a vector for spreading malware

The strategies of deception through social engineering are the order of the day on the Internet and the beginning of potential security risks, being, cloning, or the submission of false websites, one of the means to break the most exploited security the human factor.

Some are more complex than others and some more appealing or better prepared than others, but even that is trivial cheating, its effectiveness will be directly related to the level of education, security, who have access the trap of crime.

Ultimately, the following screenshot is an example with which I found recently. This is a fake site that downloads a binary file called surprise.exe (MD5: 9bd6a9cba442a88839a185eb47c2008c) which is a variant of the malicious code Virtumonde, so-called Vundo or Monde.

To display a matching component, the next is a screenshot of the actual page from sendspace.

One strategy employed by these techniques is to use domain names similar to the real, ie the page false is http://sendspace-us. com is real while the http://sendspace.com. This is, in this case, the principle of a potential infection.

Another more interesting data is that the domain represents the false site is the IP address 196.2.198.241, whose autonomous system AS33777 is of EgyptNetwork.

In turn, this IP address represents multiple domains more.

cd-soft.net
darthvader777.com

egns.vg
good1soft.com

greatlovingcore.net

kassperskylabs.cn

kentty.net

searchingforthevhostipadres.com

sendspace-us.com

sendspace.com.bz

throbilskirnir.com

thronofodin.com

ustechservic.com.cn

www.cd-soft.net

www.charming-woman.com

www.darthvader777.com

www.dx-software.com

www.egns.vg

www.good1soft.com

www.greatlovingcore.net

www.icm-com-services.com

www.sendspace.com.bz

www.throbilskirnir.com

www.thronofodin.com

www.ustechservic.com.cn


As we can see, even one of the domains on the list is kassperskylabs. cn, very similar to the known anti-virus security company.

Related Information
Phishing Kit In-the-Wild for cloning of web site, version 2 - Spanish version
Phishing Kit In-the-Wild for cloning of web site - Spanish version


# Jorge Mieres

Wednesday, April 8, 2009

Waledac. Follow-up of a latent threat

Controversial news of recent days about the worm Conficker are "capped" quite harmful actions of other threats, by its lower coverage, have not had a significant advertising or demand by the media, or misinformation in some cases. However, they still continue to increase its coverage of infection. One such case is Waledac.

This trojan, whose campaign of infection began to take shape through a wide repertoire of romantic images and, ultimately false news about explosions, which are used as strategies of social engineering is still a high rate of infection globally. In this regard, many expect that at any time, in the style Nuwar, edit again the strategy of visual deception.


Sudosecure has been doing an excellent job tracing the steps of Waledac since its offering updated reports with detailed data on the current state of the trojan. This monitoring can release information such as the top 10 most downloaded binaries and 10 more IP addresses used to download them.

The 10 countries spread over Waledac and 10 domains used.

Even the number of IP addresses to spread the trojan in the last 30 days.

Clearly understand the degree of spreading globally. And every time I see stuff like that, I wonder what is the rate of spread, in this case, Waledac locally (Argentina). This information can also be seen from the statistics that are in sudosecure.

To clarify a little mystery, I have made a simple chart showing the relationship of domains, IP addresses and location from which the dissemination occurs Waledac.

That is, each of the IP address represents an infected computer. The graph is made based on the first 50 domains Waledac spreading from Argentina.

In some cases notice that the same IP address is used by multiple domains, because this is used Waledac complex propagation mechanisms such as Fast-Flux networks.

Perhaps many of us forget that transforms teams Waledac unwary users into zombies to feed even more important to the botnet from which, among other things, distribute spam in a distributed manner.

Related Information
Waledac more loving than ever -
Spanish version
Waledac, Social Engineering and San Valentine Day
- Spanish version

# Jorge Mieres

Saturday, April 4, 2009

Conficker IV. Related domains ... and controversial

After posting Conficker III. Campaign of spreading false cleaning tools, in this blog and in MiPistus blog, I received some emails asking why it had published names of domains that have no connection with what is stated in the post in question, is say, with false cleaning tools.

However, taking into account this situation, it's necessary to clarify how the fabric has a great propagandist strategy to "build" a positive in some cases and negative in others, the great demand that caught the word "conficker" as a result of the great wave of superstitions that linger around the worm.

What I mean by that? The situation was that the word is used as a campaign to attract more visitors and more advertising.

The point is that the campaign had two distinct strands. One given by those under the banner of security, where, with the intention of creating a "magnet" to use the word "conficker", some companies have acquired the domain which initially had been used for malicious to redirect to the download of a self-cleaning tool or information related to combat the threat posed by the worm.

For example, http://www.remove-conficker.org to redirect http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx, or http://downadup.org now redirects to http://www.bdtools.net.

On the other hand, who are constantly thinking of cheating strategies to increase their profits through unethical actions, also saw the word "conficker" a chance.

Accordingly, they began to appear many sites, under the promise of providing information on cleaning or conficker free tools, used the opportunity to gain visitation.

The word "conficker" is one of the most popular on the Internet, thanks to the global campaign of propaganda that the media were responsible for feeding, therefore, isn't nothing strange to find such actions.

Related Information
Conficker III. Campaign of spreading false cleaning tools - Spanish version
Conficker II. Worm infection distributed - Spanish versión
Conficker. When the media echoed all neglecting the problem of substance - Spanish version


# Jorge Mieres

Friday, April 3, 2009

Conficker III. Campaign of spreading false cleaning tools

The great impact that the worm had conficker world, not only did the media take on its activities, but these same effects are used to propagate malicious so other types of malicious code.

Some sites already reported the existence of websites that refer alleged cleaning tools for conficker but instead to download something malicious. That is, the promise of eradicating the threat of the team that many of these sites promise is false. It's simply a strategy of deception to propagate scareware type programs, or in some cases, trojans.

Some of the domains of this style are:

http://conficker-cleaner .com
http://confickerc .net

http://conficker .com

http://confickerc .org

http://conficker.co .uk
http://confickercvirus .com

http://confickercvirus .info

http://confickercvirus .net

http://confickercvirus .org

http://conficker .de

http://conficker .info

http://conficker .net

http://conficker .org

http://downadup .com

http://downadup.co .uk

http://downadup .de

http://downadup .info

http://downadup .net

http://downadup .org

http://downadupvirus .com

http://downadupworm .com

http://removeconficker .net

http://removeconficker .org

http://stopconficker .com

http://w32downadupc .com


Most antivirus companies have developed a cleaning tool specifically to help combat the worm conficker and some other security agencies also have alternatives that help detect threats.

Each of these sites represents a potential risk of infection, should therefore be avoided and filters.

Related Information
Conficker II. Worm infection distributed - Spanish versión
Conficker. When the media echoed all neglecting the problem of substance - Spanish version


# Jorge Mieres

Thursday, April 2, 2009

Conficker II. Worm infection distributed

After the "long-awaited day" when conficker supposedly wipe out everything, there are many ideas that are swarming by the vast network. Many security companies and professionals in the field predicted that a large wave carried away by the malicious worm media, were unanswered at seeing the end of the day and nothing happened :-)

Ie conficker no "left" with nothing new to the field, continued his career of infection as it has done since the start increasing the rate of infection had so far, which was not one that say "this does not mean that in the not too distant future conficker leaving the field with a larger battalion". This is logical, any malware can occur at any time god knows what.

Although not questioned conficker that is a dangerous malicious code, what has happened so far shows the intelligence of its creator (or creators) not only in planning the strategy of dissemination, but also in the strategy propaganda, social engineering and psychological action exerted through the media around the world, just to put a rumor.

Neither question has achieved a very high rate of infection discovering, as I commented in the previous post, you are still immature some security issues, both at home and, more disturbingly, at the corporate level.

In relation to the level of infection conficker, was reading a brief and very interesting report in Conficker Working Group called Infection Distribution, which is displayed through charts, the worm infection rates globally.

Infecciones a nivel mundial
Infecciones en Estados Unidos
Infecciones en Europa
Infecciones en Australia
Infecciones en Indonesia y Malasia
According Conficker Working Group, each of the maps were generated from all infections conficker produced from the beginning of its existence, which adds a total of approximately 35 million IP addresses.

While the maps don't express an exact number of infections, leaving a clear idea of the distribution of infections conficker achieved so far and the areas most affected by it.

Related Information
Conficker. When the media echoed all neglecting the problem of substance
- Spanish version

# Jorge Mieres

Wednesday, April 1, 2009

Conficker. When the media echoed all neglecting the problem of substance

The worm conficker isn't malicious code (worms) than many others that have existed and that continue to occur, and that exist today, but soon took care of all the media of information worldwide even many of them, grazing in a very thin line that divides the seriousness of addressing an issue as troubling as they are infections, and the yellow of the event, playing with that "if you are on everyone's lips sell, let conficker talking about. "

And nearly six months of existence, it's true! :-), is on everyone's lips with that of the "surprise" that has prepared for today, April 1.

While it's true that in a short time conficker achieving a high rate of infection worldwide, and worrying at the local level, it's also true that simply reflected the lack of maturity on the security management.

Many major companies have suffered the consequences, through conficker, not to meet the security in its just measure, while many others, as I said in another blog, not even felt the touch of instructions malicious code conficker. Why?

Perhaps a wise direction to get the consistent response to this question so trivial pass close by the ISMS (System Management Information Security). That is, if we want "quality" in security, "need" to rely on a systematic process such as that offered by the ISO 27001.

But without deviating too much, or go deep in the management of safety, I will only say that many of the problems caused conficker can be (and were) avoided simply by maintaining a proper management of the security updates on Windows platforms.

The reality is that conficker, any malicious code, is a potential danger to any information environment as a result many are suffering huge headaches for "cause" of the worm. So, how we attack the problem?

It isn't my intention to cover the actions of propagation vectors, etc., conficker of the network as much information, such as the excellent paper called Containing Conficker which is part of the Know Your Enemy series produced by the people of The Honeynet Project, or by writing Cert.at called Detecting Conficker in your Network.

But I would like to provide some tools with which we deal with the worm, since in most cases, not all AV companies offer a complete elimination of the threat, however, most have a free cleanup tool we can use.
Similarly, people from The Honeynet Project has released a PoC consisting of product research tools that have taken place on this issue.
  • Downatool2. Domain names of the different variants of conficker can be used to detect infected machines within a network.
  • Domains collision conficker C. Unlike the first and second generation variants conficker (conficker.A and .B) domains created by 250 days to download the updates, it's expected that the third generation, has more than 50,000 domains. This is a list of domains that are expected during april conficker download.
  • Disinfection of memory. Identify conficker becomes complicated due to the packing and encryption features, except when it's in memory.
  • Detection of files and registry modifications. Apparently, the file names and the names of the keys in the registry to create the variants B and C conficker aren't random, but are based on the name of each host infected. By contrast, variant A if you take names at random.
  • Simple Conficker Scanner (SCS). Network scanner to detect conficker. Requires the installation of the library "Impacket" python.
  • IDS. Depending on the patterns used by different generations of conficker it's possible to detect its presence through rules.
Conficker A

alert tcp any any -> $HOME_NET 445 (msg:
"conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10
80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c
cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4
c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92
96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95
e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5
dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07
a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb
eb|"; sid: 2000001; rev: 1;)

Conficker B

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode";
content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d
a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4
94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03
c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88
cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6
c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0
b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab
aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)

  • Nonficker Vaxination Tool. Conficker uses mutex to ensure that your computer is infected its latest version. This method can be used to prevent potential infections mimicking a raised through a dll.
Even we have a new version of nmap (4.85Beta5) which incorporates the detection routines conficker available for different platforms: Windows, OSX, Linux.

It's also advisable, since it isn't over, take short audits with the aim of verifying the level of security vulnerability in our environment. We can use, for example, tools like MBSA from Microsoft or CSI/PSI of Secunia.

Finally, don't forget to install the updates that fix critical security vulnerabilities exploited by conficker: MS08-067, MS08-068 and MS09-001.

# Jorge Mieres