Some people have a sense of humor, or maybe they’re just taunting us.

Check it for yourself:

Also, whois information is a joke. Doesn’t someone verify it?

 Other domains on that same IP are used to deliver malware:

091809.ru
agelis.ru
all-winners-2010.com
all-winners-2010.ru
allwinners.cn
analystics.cn
asspuc.com
blacktraf.su
brutapukamuk.com
compy.info
crysisanet.com
elesha-ncc30.all-winners-2010.ru
favoritenews.info
gheeny.com
gomoneygo.info
google-counter.org
hostmaster.all-winners-2010.com
hostmaster.allwinners.cn
hostmaster.asspuc.com
hostmaster.crysisanet.com
hostmaster.gheeny.com
hostmaster.google-counter.org
hostmaster.klimckoe.net
hostmaster.makecashz.cn
hostmaster.pvo-tut.net
hostmaster.soprocms.com
hostmaster.super-win-2010.com
hostmaster.viphack.net
hostmaster.vseseriozno.cn
hostmaster.yougoodvideo.net
hostmaster.zflaersroot.cn
inclabtec.biz
inclabtec.info
jisufvrr.com
klimckoe.net
klimskoe.cn
mail.agelis.ru
mail.brutapukamuk.com
mail.klimskoe.cn
mail.ssl-molotok.ru
makecashz.cn
mordes.su
pvo-tut.net
roothostings.com
s-domain.cn
ssl-molotok.ru
super-win-2010.com
super-win-2010.ru
viphack.biz
viphack.net
vseseriozno.cn
wftguy.com
workernew.cn
www.gheeny.com
www.mordes.su
www.xstine.cn
xstine.cn
yougoodvideo.net
zflaersroot.cn
netnic.com.cn

These guys are on our watchlist. Feel free to blacklist them too.

Jerome Segura

Google has revolutionized the way we search the web. It has raised the bar so high, it almost killed all competition in this domain.

A technique known as Google hacking (AKA Google Dorks) makes use of the power behind Google to identify weak sites, personal information, etc. that Google has indexed.

It’s a quick way for the bad guys to find their next prey and really effective at doing that.

Just how many searches are Google dorks? Well, too many!

A popular query (the auto-complete shows suggestions) to harvest passwords:

I suppose there are ‘good’ Google dorks, by that I mean legitimate usage of such queries. After all, that is what makes Google such a great tool to find stuff on the web.

As if to make matters worse, tools such as Goolag are built-in with loads of Google dorks. This tool is called a ’scanner’, but put it in the wrong hands and you can imagine the damage. (Sounds like: “it’s not the gun’s fault, it’s whoever uses the gun”.)

Goolag is detected as a hacker tool by most AV vendors (VT results here).

What can we learn from this? Google dorks are here to stay, so make sure you don’t leave anything that you wouldn’t someone to look at. Search engines are good, way too good at crawling everything there is to index.

Alternatively, you can use html code to prevent Search Engines from scanning your site or parts of your site. Here is an example below:

<html>
<head>
<title>…</title>
<META NAME=”ROBOTS” CONTENT=”NOINDEX, NOFOLLOW”>
</head>

Keep in mind that this tag works well for legit crawler, which will ‘respect’ what you instruct them. Hackers can use custom made tools that will bypass robots exclusion. Again, keep the stuff that’s important inaccessible!

Jerome Segura

We all know Brazilian hackers have mastered the art of creating banking trojans. The Chinese are very fond of password stealers targeting online games. The bad guys do have preferences for what type of malware they are creating based on their geolocation.

Well, I found this exploit source code from a domain named kuwait{removed}.com

The exploit downloads a file named unek.exe, very well known to be an IRC bot.

Looking for other websites using that expoit lead me to a lot of pages in Arab language, one of them being a Saudi hacker forum:

The exploit is readily available for download there and it also shows a custom made VirusTotal page revealing that no AV was detecting it (this picture reveals the time was around Dec. of last year):

It may be a bit of a stretch to insinuate that this exploit has roots in this region of the world, but nonetheless I found the coincidence worth to be mentioned.

Jerome Segura

Found this rather odd pop up:

The page also contains obfuscated code. I used the great free service JSUNPACK (http://jsunpack.jeek.org) to show me the malicious javascript.

It downloads a file with a .vbe extension

This file is a ’script’ that runs with wscript like this:

C:\Windows\System32\wscript.exe update.vbe

Looks like gibberish but is malicious.

Virus Total results here.

Jerome Segura

We’ve added a couple new features to our URL Clearing House.

You can now search all URLs for a specific domain:

A forum for your questions, requests etc.

http://mdl.paretologic.com

Jerome Segura

 The following site was caught by our HoneyPots as being malicious: stoptibetcrisis.net

Source code snippet:

Malcode injection triggers a drive-by download from: redriveruk.com/tibet.pdf

There is pretty much no doubt that this is a malicious PDF file:

Looking at the file properties reveals two things:

The ‘author’ :

I’m certain this is not the same guy behind this, but nonetheless, it gives me a bit of information to search for

Also, I learn that this malicious PDF was crafted with Foxit, another PDF viewer/editor:

Back to our supposed ‘author’, Stephan Huck. Doing searches with this name and Foxit will return lots of results for serials and torrents site.

What does this all mean? This identity has been used to create a cracked license that is being redistributed all over the Internet. Not surprisingly, the bad guys don’t buy their software, they crack it and then use it to create malware.

I don’t know how the Foxit licensing system works, but something tells me that this Stephan Huck guy is using a lot of license seats!

Jerome Segura

As blogged earlier by TrendMicro, Koobface is making a comeback.

I got a copy of it that I analyzed so that our AntiSpyware Database would be up-to-date.

The  Worm uses the infected PCs as a captcha breaker workforce. What happens is your screen turns dark and you get sort of locked out. To get back in, you must type the words, thus giving the Koobface gang some cheap and quick captcha breaking service:

The captcha breaker code is powered by a DLL, conveniently called captcha21.dll, located under %Program Files% and hidden as a system file.

Here is the traffic that happens in the background. In red, the server that is contacted with the captcha keywords.

lite.facebook.com/p/
b.static.ak.fbcdn.net/rsrc.php/z28UA/hash/5m63milq.js
b.static.ak.fbcdn.net/rsrc.php/z1H14/hash/afck6×17.css
static.ak.fbcdn.net/rsrc.php/zAZWP/hash/6mpt0xry.js
dynasales.net/.sys/?action=captcha&a=put&id=25568554&v=21&code=<<CAPTCHA GOES HERE>>
lite.facebook.com/
b.static.ak.fbcdn.net/rsrc.php/z28UA/hash/5m63milq.js
b.static.ak.fbcdn.net/rsrc.php/z1H14/hash/afck6×17.css
static.ak.fbcdn.net/rsrc.php/zAZWP/hash/6mpt0xry.js

Another characteristic of the Koobface Worm is to pop up scareware programs:

The malware modifies your Hosts file adding the following IP:

If you browse to it, you will recognize their trademark signature:

They are thieves indeed!

Jerome Segura

 During the course of my research, I sometimes come across sites that have many surprises. You think you saw everything, and then you find some more, just like Russian dolls

This domain hosted in Latvia (79.135.152.5) contains exploit code all over the place:

 arraysaw.net/konec.php

 And more here:

It also hosts a few malicious PDFs:

arraysaw.net/files/eccentricbamboo.pdf
arraysaw.net/files/g.i.surprise.pdf
arraysaw.net/files/goofybeautiful.pdf
arraysaw.com/files/bufferoldhat.pdf
arraysaw.com/files/palinshakysituation.pdf

One of the binaries pushed from ( arraysaw.net/newload.php?ids=MDAC) is poorly detected on VirusTotal. It is one of those mass downloaders. One file that downloads and runs a multitude more malware.

Needless to say, your machine is hosed and pwned after such an infection occurs:

After a quick scrape, I was able to collect even more files:

One of the malware files’ purpose is to download some very graphic pictures onto your PC (probably pay per click or other traffic ranking hack). 

Which also serves as a double purpose helped by pretty clear bookmarks placed right on the Desktop:

‘Naughty boy anyone?’

The guilty husband may want to remove those ASAP and is ‘invited’ to purchase some ’soft’ antivirus software (who are they kidding? Lol)

The company’s bio states it was founded in 2000, and underwent significant changes in 2003. Oh yeah, sure it did.

Strangely enough, the site was created Feb 21, 2010, so my guess is the company is still young:

Exploits, porn and rogues: That pretty much sums up this one. If you got infected with this piece of malware, cleaning up the mess is going to be a daunting task. The mass downloader was not detected by very many AV products at the time of posting, so my guess is that it could slip by real time blocking protection and unleash its fury.

Regular backups are once again your best friend. It takes very little time to restore a clean backup and it saves you a lot of excessive swearing!

Jerome Segura

Cast member Rozlyn Papa of ‘The Bachelor’ is in the midst of rumours regarding a sex tape.

The bad guys didn’t wait very long before exploiting this scandal.

When doing searches for the alleged sex tape, you may encounter pages such as this one.

Following the shortened URL will redirect you to a fake video codec site:

tubetimeonline.com

The malware comes from: quickmedialinks.com/New-Video-Addon.45210.exe

and is only detected by a handful of AV products on VirusTotal.

Upon installation, it creates two files, also poorly detected:

Dvh.exe (temp folder)
msa.exe (%Windir%)

They say ‘Sex sells’. Couldn’t be more right.

Jerome Segura

 All the following alerts come from the same IP (109.232.225.21)

109.232.225.21/movie1.html
109.232.225.21/movie2.html
109.232.225.21/movie3.html
109.232.225.21/movie4.html
109.232.225.21/movie5.html

The pages have been designed so that search engines do not index them:

And also use heavy obfuscation

If you go to the main IP (on the root), you get the classic fake online scan:

The file that is downloaded from all these pages is a rogue scanner. It is only detected by 17% of the AV vendors featured on VirusTotal.

A couple of them detect it as:

Automation can produce some interesting results

Jerome Segura