With a name like this…

March 9th, 2010

Some people have a sense of humor, or maybe they’re just taunting us.

Check it for yourself:

Also, whois information is a joke. Doesn’t someone verify it?

Other domains on that same IP are used to deliver malware:


These guys are on our watchlist. Feel free to blacklist them too.

Jerome Segura

  • Posted in Exploits

Google dorks, the bad guys love them!

March 8th, 2010

Google has revolutionized the way we search the web. It has raised the bar so high, it almost killed all competition in this domain.

A technique known as Google hacking (AKA Google Dorks) makes use of the power behind Google to identify weak sites, personal information, etc. that Google has indexed.

It’s a quick way for the bad guys to find their next prey, and it is really effective at doing that.

Just how many searches are Google dorks? Well, too many!

A popular query (the auto-complete shows suggestions) to harvest passwords:

I suppose there are ‘good’ Google dorks, by that I mean legitimate usage of such queries. After all, that is what makes Google such a great tool to find stuff on the web.

As if to make matters worse, tools such as Goolag come bundled with loads of Google dorks. This tool is called a ‘scanner’, but put it in the wrong hands and you can imagine the damage. (Sounds like: “it’s not the gun’s fault, it’s whoever uses the gun”.)

Goolag is detected as a hacker tool by most AV vendors (VT results here).

What can we learn from this? Google dorks are here to stay, so make sure you don’t leave anything online that you wouldn’t want someone to look at. Search engines are good, way too good, at crawling everything there is to index.

Alternatively, you can use HTML code to prevent search engines from indexing your site or parts of your site. Here is an example:

<html>
<head>
<title>…</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head>
<body>
…
</body>
</html>

Keep in mind that this tag only works for legitimate crawlers, which will ‘respect’ what you instruct them to do. Hackers can use custom-made tools that will bypass robots exclusion. Again, keep the stuff that’s important inaccessible!
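As an added example (not code from the original post), here is a small Python checker that reports which robots directives a compliant crawler would see on a page: it reads the meta tag shown above and, as a generalization, the X-Robots-Tag response header that carries the same directives for non-HTML files such as PDFs. It only tells you what well-behaved crawlers will skip; a tool that ignores the tag can still fetch whatever is reachable.

```python
from html.parser import HTMLParser


class _RobotsMetaParser(HTMLParser):
    """Collects the directives of every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() != "robots":
            return
        for directive in a.get("content", "").split(","):
            directive = directive.strip().lower()
            if directive:
                self.directives.add(directive)


def robots_directives(html, headers=None):
    """Return the robots directives a compliant crawler would see for this response.

    Sources: <meta name="robots"> in the HTML and, if response headers are given,
    the X-Robots-Tag header (same directives, also used for non-HTML resources).
    """
    parser = _RobotsMetaParser()
    parser.feed(html)
    parser.close()
    found = set(parser.directives)
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag":
            found.update(d.strip().lower() for d in value.split(",") if d.strip())
    return found


def is_excluded_from_index(html, headers=None):
    """True if the page asks crawlers not to index it ("none" means noindex,nofollow)."""
    directives = robots_directives(html, headers)
    return "noindex" in directives or "none" in directives


# The snippet from the post, written with the straight quotes HTML actually requires.
SAMPLE_PAGE = """<html>
<head>
<title>...</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head>
<body></body>
</html>"""
```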

Jerome Segura

  • Posted in Research

Kuwait, Saudi… and PrIv8 ActiveX ExploiT

March 5th, 2010

We all know Brazilian hackers have mastered the art of creating banking trojans. The Chinese are very fond of password stealers targeting online games. The bad guys do have preferences for what type of malware they are creating based on their geolocation.

Well, I found this exploit source code on a domain named kuwait{removed}.com.

The exploit downloads a file named unek.exe, very well known to be an IRC bot.

Looking for other websites using that exploit led me to a lot of pages in Arabic, one of them being a Saudi hacker forum:

The exploit is readily available for download there, and the thread also shows a custom-made VirusTotal page revealing that no AV was detecting it (the picture shows the time was around December of last year):

It may be a bit of a stretch to suggest that this exploit has roots in this region of the world, but I found the coincidence worth mentioning nonetheless.

Jerome Segura

  • Posted in Exploits

.vbe Malware and JSUNPACK

March 4th, 2010

Found this rather odd pop up:

The page also contains obfuscated code. I used the great free service JSUNPACK (http://jsunpack.jeek.org) to reveal the malicious JavaScript.

It downloads a file with a .vbe extension.

This file is a ‘script’ that runs with wscript like this:

C:\Windows\System32\wscript.exe update.vbe

Looks like gibberish but is malicious.

Virus Total results here.
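As an added example (not from the original post), two defender-side checks for the kind of file and launch described above: a signature test for Script Encoder output, which is what a .vbe file is (the encoded body sits between the well-known `#@~^` and `^#~@` markers), and a scan of process-creation log lines for wscript.exe or cscript.exe being handed a script file. The log format used here is constructed for the example (timestamp, image path, arguments) and is an assumption, not any product’s real format.

```python
import re

# Windows Script Encoder (.vbe/.jse) markers that bracket the encoded script body.
ENCODED_SCRIPT_HEADER = b"#@~^"
ENCODED_SCRIPT_TRAILER = b"^#~@"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".jse", ".js", ".wsf")

# Constructed log format (assumption): "<date> <time> <image path> <arguments>".
# Image paths are assumed to contain no spaces in these sample lines.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<image>\S+)(?: (?P<args>.*))?$")

# Constructed sample lines; the first one mirrors the launch shown in the post.
SAMPLE_LOG = [
    r"2010-03-04 10:12:01 C:\Windows\System32\wscript.exe update.vbe",
    r"2010-03-04 10:12:05 C:\Windows\System32\notepad.exe readme.txt",
    r"2010-03-04 10:13:40 C:\Windows\System32\cscript.exe //nologo C:\Temp\a.js",
]


def is_encoded_script(data):
    """True if the bytes look like Script Encoder output (an encoded .vbe/.jse file)."""
    body = data.strip()
    return body.startswith(ENCODED_SCRIPT_HEADER) and body.endswith(ENCODED_SCRIPT_TRAILER)


def suspicious_script_launches(log_lines):
    """Return (timestamp, host image, script) for each script-host launch of a script file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        args = m.group("args") or ""
        scripts = [a for a in args.split() if a.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            hits.append((m.group("ts"), image, scripts[0]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_script_launches(SAMPLE_LOG):
        print("script host launch:", hit)
```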

Jerome Segura

  • Posted in Exploits

URL Clearing House: couple new features

March 3rd, 2010

We’ve added a couple new features to our URL Clearing House.

You can now search all URLs for a specific domain:

A forum for your questions, requests etc.

http://mdl.paretologic.com

Jerome Segura

  • Posted in Research

Foxit used to create Adobe Malware

March 2nd, 2010

The following site was caught by our HoneyPots as being malicious: stoptibetcrisis.net

Source code snippet:

Malcode injection triggers a drive-by download from: redriveruk.com/tibet.pdf

There is pretty much no doubt that this is a malicious PDF file:


Looking at the file properties reveals two things:

The ‘author’:

I’m certain this is not the same guy behind this, but nonetheless, it gives me a bit of information to search for ;-)

Also, I learn that this malicious PDF was crafted with Foxit, another PDF viewer/editor:

Back to our supposed ‘author’, Stephan Huck. Searching for this name together with Foxit returns lots of results on serial and torrent sites.

What does this all mean? This identity has been used to create a cracked license that is being redistributed all over the Internet. Not surprisingly, the bad guys don’t buy their software, they crack it and then use it to create malware.

I don’t know how the Foxit licensing system works, but something tells me that this Stephan Huck guy is using a lot of license seats!
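The ‘file properties’ used above are the PDF Info dictionary (Author, Creator, Producer, dates). As an added example that is not part of the post, here is a small Python extractor for those fields, run on a constructed minimal PDF rather than the tibet.pdf sample; it handles both literal and hex-encoded PDF strings but only uncompressed Info objects, so a PDF that packs its Info dictionary into an object stream needs a full parser.

```python
import re

# Constructed minimal PDF (not the sample from the post): uncompressed objects and a
# trailer pointing at an Info dictionary, with Producer written as a hex string.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
3 0 obj
<< /Author (Constructed Author) /Creator (Foxit Reader)
   /Producer <466F78697420504446> /CreationDate (D:20100302) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
# A PDF string is either a literal (...) with backslash escapes or a hex string <...>.
_STRING = rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)"


def _decode_pdf_string(tok):
    if tok.startswith(b"<"):
        return bytes.fromhex(tok[1:-1].decode("ascii")).decode("latin-1")
    literal = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])  # unescape \( \) \\
    return literal.decode("latin-1")


def pdf_info(pdf):
    """Return the Info dictionary fields (Author, Creator, Producer, ...) of a PDF."""
    refs = re.findall(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    if not refs:
        return {}
    num = refs[-1]  # incremental updates append trailers; the last one wins
    obj = re.search(rb"(?s)(?<!\d)" + num + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*endobj", pdf)
    if not obj:
        return {}
    fields = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*" + _STRING, obj.group(1))
        if m:
            fields[key] = _decode_pdf_string(m.group(1))
    return fields


if __name__ == "__main__":
    for key, value in pdf_info(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```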

Jerome Segura

  • Posted in Research

Ali Baba & 40 (AKA Koobface gang) still going strong

March 2nd, 2010

As blogged earlier by TrendMicro, Koobface is making a comeback.

I got a copy of it that I analyzed so that our AntiSpyware Database would be up-to-date.

The Worm uses the infected PCs as a captcha-breaking workforce. What happens is your screen turns dark and you get sort of locked out. To get back in, you must type the words, thus giving the Koobface gang a cheap and quick captcha-breaking service:

The captcha breaker code is powered by a DLL, conveniently called captcha21.dll, located under %Program Files% and hidden as a system file.

Here is the traffic that happens in the background. The server that is contacted with the captcha keywords is dynasales.net (highlighted in red in the original capture).

lite.facebook.com/p/
b.static.ak.fbcdn.net/rsrc.php/z28UA/hash/5m63milq.js
b.static.ak.fbcdn.net/rsrc.php/z1H14/hash/afck6x17.css
static.ak.fbcdn.net/rsrc.php/zAZWP/hash/6mpt0xry.js
dynasales.net/.sys/?action=captcha&a=put&id=25568554&v=21&code=<<CAPTCHA GOES HERE>>
lite.facebook.com/
b.static.ak.fbcdn.net/rsrc.php/z28UA/hash/5m63milq.js
b.static.ak.fbcdn.net/rsrc.php/z1H14/hash/afck6x17.css
static.ak.fbcdn.net/rsrc.php/zAZWP/hash/6mpt0xry.js

Another characteristic of the Koobface Worm is to pop up scareware programs:

The malware modifies your Hosts file adding the following IP:

If you browse to it, you will recognize their trademark signature:

They are thieves indeed!

Jerome Segura

  • Posted in scams

Lots of malcode in there

March 1st, 2010

During the course of my research, I sometimes come across sites that have many surprises. You think you saw everything, and then you find some more, just like Russian dolls ;-)

This domain hosted in Latvia (79.135.152.5) contains exploit code all over the place:

arraysaw.net/konec.php

And more here:

It also hosts a few malicious PDFs:

arraysaw.net/files/eccentricbamboo.pdf
arraysaw.net/files/g.i.surprise.pdf
arraysaw.net/files/goofybeautiful.pdf
arraysaw.com/files/bufferoldhat.pdf
arraysaw.com/files/palinshakysituation.pdf

One of the binaries pushed from arraysaw.net/newload.php?ids=MDAC is poorly detected on VirusTotal. It is one of those mass downloaders: one file that downloads and runs a multitude more malware.

Needless to say, your machine is hosed and pwned after such an infection occurs:


After a quick scrape, I was able to collect even more files:

One of the malware files’ purpose is to download some very graphic pictures onto your PC (probably pay per click or other traffic ranking hack).

These also serve a second purpose, helped by some very explicit bookmarks placed right on the desktop:

‘Naughty boy anyone?’

The guilty husband may want to remove those ASAP and is ‘invited’ to purchase some ‘soft’ antivirus software (who are they kidding? Lol).

The company’s bio states it was founded in 2000, and underwent significant changes in 2003. Oh yeah, sure it did.

Strangely enough, the site was created Feb 21, 2010, so my guess is the company is still young:

Exploits, porn and rogues: That pretty much sums up this one. If you got infected with this piece of malware, cleaning up the mess is going to be a daunting task. The mass downloader was not detected by very many AV products at the time of posting, so my guess is that it could slip by real time blocking protection and unleash its fury.

Regular backups are once again your best friend. It takes very little time to restore a clean backup and it saves you a lot of excessive swearing! ;-)

Jerome Segura

  • Posted in Research, ransomware

Rozlyn Papa sex tape rumours lead to malware

February 26th, 2010

Cast member Rozlyn Papa of ‘The Bachelor’ is in the midst of rumours regarding a sex tape.

The bad guys didn’t wait very long before exploiting this scandal.

When doing searches for the alleged sex tape, you may encounter pages such as this one.

Following the shortened URL will redirect you to a fake video codec site:

tubetimeonline.com

The malware comes from: quickmedialinks.com/New-Video-Addon.45210.exe

and is only detected by a handful of AV products on VirusTotal.

Upon installation, it creates two files, also poorly detected:

Dvh.exe (temp folder)
msa.exe (%Windir%)

They say ‘Sex sells’. Couldn’t be more right.

Jerome Segura

  • Posted in Fake codecs

Scareware templates: cheaper by the dozen

February 26th, 2010

All the following alerts come from the same IP (109.232.225.21):

109.232.225.21/movie1.html
109.232.225.21/movie2.html
109.232.225.21/movie3.html
109.232.225.21/movie4.html
109.232.225.21/movie5.html

The pages have been designed so that search engines do not index them:

They also use heavy obfuscation:

If you go to the main IP (on the root), you get the classic fake online scan:

The file that is downloaded from all these pages is a rogue scanner. It is only detected by 17% of the AV vendors featured on VirusTotal.

A couple of them detect it as:

Automation can produce some interesting results ;-)

Jerome Segura

  • Posted in Fake codecs, Rogue software

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2010 ParetoLogic Inc.