Crontab way around in Linux

November 6th, 2009

I’m trying to run a script with crontab so that it runs at a certain time. Nothing new here…

However, my script involves PGP and, for some strange reason, PGP will not decrypt anything when run from crontab ("user-agent" blablabla… and other bogus errors). The frustrating thing was that the script runs just fine when I run it manually.

Anyway, since crontab did not want to cooperate ;-) I decided to create my own scheduler. First you need a script that loops indefinitely, and then this piece of code will execute myscript.sh at 1 PM every day.

[screenshot of the script]

You create a variable and assign it the current time. A little sed removes the colon (so 13:00 becomes 1300).

Then if the variable equals the time you manually preset, it's a Go!

Hey, it may not be very pretty, but it saved me a lot of time!
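The script itself was posted as an image that did not survive. The following is an added reconstruction, not the original script, that follows the description above: poll the clock, strip the colon with sed, compare against a preset HHMM and fire. The file name scheduler.sh, the target 1300 and the job path ./myscript.sh are assumptions. It also adds the two things a polling scheduler needs that the description leaves out: a sleep between polls, and a once-per-day guard so the job does not run on every poll during the 13:00 minute.

```shell
#!/bin/sh
# Added example, not the script from the post: a polling scheduler that runs a
# job at a fixed wall-clock time without cron. Assumptions: this file is saved
# as scheduler.sh, the job is ./myscript.sh and the target time is 13:00.

TARGET="1300"          # HHMM, 24-hour clock: 1 PM
JOB="./myscript.sh"    # assumed path of the script to run

# Current time as HHMM: `date` gives 13:00, sed strips the colon -> 1300.
current_hhmm() {
    date +%H:%M | sed 's/://'
}

# True (exit 0) when the clock reading equals the preset time.
time_matches() {
    [ "$1" = "$2" ]
}

# One poll: $1 = clock reading (HHMM), $2 = today's date, $3 = date of the last run.
# Runs the job when the time matches AND it has not run yet today, so the job
# fires once rather than on every poll during the 13:00 minute.
# Prints the (possibly updated) date of the last run for the caller to keep.
poll_once() {
    now=$1; today=$2; last_run=$3
    if time_matches "$now" "$TARGET" && [ "$today" != "$last_run" ]; then
        "$JOB"
        echo "$today"
    else
        echo "$last_run"
    fi
}

# Poll every 30 seconds so the target minute cannot be missed.
main_loop() {
    last=""
    while :; do
        last=$(poll_once "$(current_hhmm)" "$(date +%Y-%m-%d)" "$last")
        sleep 30
    done
}

# Only start looping when executed as scheduler.sh; sourcing the file just
# defines the functions.
case "$0" in
    */scheduler.sh|scheduler.sh) main_loop ;;
esac
```

Start it from an interactive shell with `nohup ./scheduler.sh &`. Note that a loop started this way inherits that shell's environment, whereas cron runs jobs with a minimal environment and no terminal; that difference is the first thing to check whenever a job works by hand but not under cron.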

It’s funny in our jobs how many times we’re stuck on something that just doesn’t make any sense. I usually try a quick way around which saves me hours.

Jerome Segura

Posted in Uncategorized

Fake porn, fake watches and hacking your wallet

November 3rd, 2009

Fake porn sites (real Trojan horses), fake watches (real scams), password cracking (wallet cracking): welcome to the world of online crime!

All these sites were hosted on the same IP address, namely 210.51.187.{sanitized}. I'm going to show you a wide portfolio of online threats and scams.

To start off, a fake porn site called Pornotube pushes some malicious files onto your computer. There is the nice way (an EXE file) or the hard way (a malicious PDF).

[screenshots]

The files are detected by most AV products:

http://www.virustotal.com/analisis/2b6cc5d84db7dd946ee8358ec2bf40435755ef9895e10c4fe13b513f8f8a255e-1257269784

http://www.virustotal.com/analisis/4d0fe75335c352ef7bb544e6b1eea9d1dd2d083a260292275be75580ce98efca-1257224665

Oh, and there's the cousin website as well, with another PDF exploit 'in-your-face'. Those sites are nasty looking, but that's another story.

[screenshot]

Now, on to the fake watches. What better way than putting a bit of a Swiss flag in there too… Yes, the Swiss are known for their quality products, and watches in particular. The first time I flew to Geneva, I was amazed by just how many ads and posters of watches were all throughout the airport. If you take a walk near Lake Geneva (le Léman), you will see many old buildings with big signs on them, such as Omega, TAG Heuer etc. I stopped in front of a Cartier store to look at some of the watches; of course none of them had price tags on ;-)
You may get the feeling that I like watches hehe… I have a nice (although modest) Swiss Military watch.

Back to our story, here is a “replica” site… I personally would call it a “counterfeit” store, but it wouldn’t sound as nice, would it? They offer “Free shipping worldwide”, how convenient! I really hate counterfeit stuff. Recently I read an article about that industry in China and it really is an out of control problem.

[screenshot]

Finally, a page designed for those who want to hack the Russian version of Facebook (vkontakte.ru):

[screenshot]

I had Google translate the Russian text for me:

[screenshot]

Payment can be made through one of these institutions:

[screenshot]

Anything else for you today?

Please note that ICQ hacks are on the 'winter sale':

[screenshots]

Don't forget to use the:

[screenshot]

;-)

Jerome Segura

Warning: all links contained in this post may be dangerous!

Posted in Malware Trends

MDL: URL Clearing House in testing phase

November 2nd, 2009

We are doing some more testing and putting the final pieces together on our URL Clearing House project.

When will it be ready? I can't say for sure yet. We need to add user accounts (don't worry, the service will be free) for our own stats, write up Terms of Service, do some security checks on the server, etc.

In the meantime, we are aggregating data from our HoneyPots:

Query for Exploits:

[screenshot]

Query for Trojan:

[screenshot]

Anyway, I hope this will be a valuable source of information for all malware researchers. :-)

Jerome Segura

Posted in Research

New feature added to the HoneyPot

October 30th, 2009

Our HoneyPot was missing an important feature, given that many (if not most) malicious websites use PHP to serve their payload.

Up until now, our HoneyPot was only looking for pure exploits in:

- browser
- flash
- pdf
- quicktime
- java

However, a large number of malware files are downloaded through PHP scripts.

Here is this new feature in action:

Rogue installer:
2009.10.30 10:27:37 -08:00 Pacific Standard Time,"smarttestdrive.com/download.php","smarttestdrive.com/install.exe"

Malicious PDF:
2009.10.30 10:31:40 -08:00 Pacific Standard Time,"erorr.net/pdf.php","erorr.net/asdfgh.pdf"

This will come in handy for our upcoming URL clearing house :)
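As an added example (not the HoneyPot's own code), here is one way to consume records in the format shown above and pick out the payloads that were handed off by a PHP script. The sample records are constructed: the two lines from the post plus a negative case on example.invalid, where a static page serves the file.

```shell
#!/bin/sh
# Added example, not the HoneyPot's own code: pick out the records in which a
# PHP script handed off the payload, from the CSV format shown in the post.
# SAMPLE_LOG is constructed: the two records from the post plus a negative
# case on example.invalid where the payload is served by a static page.

SAMPLE_LOG='2009.10.30 10:27:37 -08:00 Pacific Standard Time,"smarttestdrive.com/download.php","smarttestdrive.com/install.exe"
2009.10.30 10:31:40 -08:00 Pacific Standard Time,"erorr.net/pdf.php","erorr.net/asdfgh.pdf"
2009.10.30 10:40:12 -08:00 Pacific Standard Time,"example.invalid/index.html","example.invalid/movie.swf"'

# Reads records on stdin. Fields: timestamp, "loader URL", "payload URL".
# Splitting on the double quote keeps the whole timestamp (spaces included)
# in $1, the loader in $2 and the payload in $4.
# Emits one tab-separated line per PHP-served payload:
#   <timestamp>  <loader>  <payload>  <payload extension, lower-case>
php_served_payloads() {
    awk -F'"' '
        NF >= 4 {
            ts = $1; sub(/,$/, "", ts)              # drop the comma after the timestamp
            loader = $2; payload = $4
            if (loader ~ /\.php(\?.*)?$/) {         # PHP script, with or without a query string
                ext = payload
                sub(/.*\//, "", ext)                # keep only the last path segment
                if (ext ~ /\./) sub(/.*\./, "", ext); else ext = ""
                printf "%s\t%s\t%s\t%s\n", ts, loader, payload, tolower(ext)
            }
        }'
}

# Number of PHP-served payloads in SAMPLE_LOG with the given extension (exe, pdf, ...).
count_php_served() {
    printf '%s\n' "$SAMPLE_LOG" | php_served_payloads |
        awk -F'\t' -v want="$1" '$4 == want { n++ } END { print n + 0 }'
}

# Usage: list every PHP-served payload in the sample.
printf '%s\n' "$SAMPLE_LOG" | php_served_payloads
```

The loader test allows a query string, since loaders like load.php?spl=pdf_exp (seen elsewhere on this page) select the exploit by parameter; the static-page record is dropped, which is the point of the new feature.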

Jerome Segura

Posted in Research

Malware in a zip

October 29th, 2009

This one comes as a zip file that extracts to yahoo.html.exe (note the double extension):

0l.zzkk11.com/yahoo.html.zip

The executable is an OnlineGames Trojan.

Jerome Segura

Malware ID: 133e78f1e76aace342e4d07cea6f80f9.zip

Posted in Uncategorized

Adobe Ads Manager (oops) Download Manager…

October 28th, 2009

I downloaded an update for Adobe Reader today and was quite unimpressed to watch the Adobe Download Manager show me a bunch of ads. Is this a new form of advertising?

[screenshot]

I also couldn't help but notice that the traditional Google Toolbar "bundle" had been replaced by a McAfee Security Scan:

[screenshot]

Mind you, if you do install Adobe Reader, it is a good idea to have another security product running. We see countless PDF exploits on the web these days.

Jerome Segura

Posted in Uncategorized

Malware in a rar

October 28th, 2009

The following site (Russian language), igra.newvksoft.org.ua, downloads a rar file onto your computer:

[screenshot]

If you extract the file you will get this:

[screenshot]

file.exe is malware:

[screenshot]

It’s not often I see malware coming through a rar file.

Did you know?  The rar file compression format was developed by a Russian software engineer, Eugene Roshal.

It probably is just a coincidence that this file also targets Russian users.

Jerome

Malware ID: 8a0a4749ddd176c08f4c58d8a52a866c.zip

Warning: all links contained in this post may infect your computer!

Posted in Exploits

miekiemoes has a secret admirer

October 27th, 2009

The following Czech site (otylkaaotesanek.cz) contains an exploit:

[screenshot]

In Google Chrome you will see a PDF automatically downloaded (thankfully I did not have Adobe Reader installed on this machine):

[screenshot]

The malware author took the time to credit this PDF to security researcher miekiemoes. That sounds pretty similar to a Dancho Danchev fan club ;-)

[screenshots]

This is a malicious PDF:

[screenshot]

Only one AV vendor on VirusTotal (Sophos) detected this threat:

[screenshot]

Opening the PDF with a vulnerable version of Adobe Reader will launch the following payload:

http://dom2cn.cn/13b/load.php?spl=pdf_exp
http://jzion.cn/etc242342534252435223/1.php
http://jzion.cn/etc242342534252435223/soft14.exe

The last file is a Trojan detected by 35% of the AV vendors on VirusTotal, at the time of writing.

Jerome Segura

Malware ID: t1L8XD644LtNd.pdf.zip

Warning: all links contained in this post may infect your computer!

Posted in Exploits

Ambassadors for education’s site compromised

October 26th, 2009

globalfundforeducation.org has been compromised:

[screenshot]

Obfuscated JavaScript:

[screenshot]

A little bit of fiddling around with the JS code allows us to display what it actually does:

[screenshot]

An iframe:

[screenshot]

Which is also referenced in the main code:

[screenshot]

The final payload seemed to come from soft-siski.com in the form of several executables.

Jerome Segura

Warning: all links contained in this post may infect your computer!

Posted in Exploits

Mac OS X virus free?

October 26th, 2009

I read an article today titled "Don't bug me: why Macs are still virus free".

“The real answer is UNIX, the foundation technology Mac OS X is based on” says Neal Costello.

While it is true that Unix systems have been designed with a very different approach, it does not mean that they are impenetrable.

The reason we see less malware on Linux and Mac OS X is that malware authors are money driven. If I were a bad guy and wanted to infect as many people as possible, I would write a virus for Windows. It would guarantee me the highest ROI.

Thinking that you are safe because you are running a Mac is a big mistake. In fact, in most malware infections the weakest link is the end user. That type of thinking will get you in big trouble when a fake codec pops up and you blindly install it. A well-educated PC user will not fall for that.

The same goes for phishing scams: having a Mac does not protect you any better than having Windows. You click a link in your email to "update" your bank account. It turns out to be a fake site that has just stolen your credentials. Mac OS X or not, you have just become a victim of identity theft.

There is a lot of buzz about bots and botnets… You may be surprised, but they exist on the Mac as well:

[screenshot]

Extract from the source code:

[screenshot]

At the end of the day, you may want to choose whatever OS you wish but don’t believe everything you hear. It’s good for marketing to say “Macs have no viruses” because people are genuinely concerned with security… Remember when everybody was saying “don’t use IE, use Firefox”? Well, the number of exploits for Firefox rose significantly… Again, the bad guys will go where the money is. It may take them longer to bypass a UNIX system, but if it’s worth the effort, they will gladly do it.

Updated to add:

Neal Costello from makemineamac.info responded to my post:

[screenshot]

Interesting to see the shift from “Virus free” to “relatively low number of exploits” ;-)

I’ve had quite a few people tell me “you don’t have a Mac product so why the heck do you bother talking about Mac threats?”. Well, to that my answer is that I blog about security threats. They could be on your PSP, iPhone, Atari… doesn’t matter!

Jerome Segura

Posted in Mac security

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.