New Adobe Reader/Acrobat zero day vulnerability

September 8th, 2010

Security Researcher Mila Parkour has discovered a new zero-day exploit affecting Adobe Reader and Adobe Acrobat.

In her blog she posted some information about the file, which was sent as an email attachment.

Adobe has published a security bulletin for CVE-2010-2883 but hasn’t released a fix yet.

I verified the exploit on a fresh Windows 7 machine with the latest version of Adobe Reader. Upon opening the PDF document, a malicious file is downloaded.

We recommend that users be extremely careful when opening email attachments, and that they keep their AV up to date with real-time protection enabled.

Kudos to Mila for finding and sharing her discovery.

Jerome Segura

  • Posted in Exploits

New version of Malicious PDF Scanner

September 3rd, 2010

We added a new generic signature to detect malicious PDFs.

Hackers never run short of new ideas for obfuscating malicious code. Encoding strings as hexadecimal characters is a typical way to give parsing engines a hard time detecting code that means no good.

The payload is usually stored in a stream object and PDF readers will let it execute when the document is opened. (Can’t wait to see the new Adobe Sandboxing system!!!).
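As an added illustration of the hex trick described above (this is example code, not the scanner the post links to), the following normalizer undoes the two hex encodings PDF allows, #xx escapes inside name objects and <...> hex string literals, and only then looks for the names that usually mark active content. The sample document and the keyword list are constructed for the example.

```python
import re

# Names that, once obfuscation is undone, mark content worth a closer look.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# Constructed sample: /OpenAction and /JavaScript are hidden behind #xx escapes,
# and the script body is a hex string literal.
SAMPLE = (b"<< /Type /Catalog /Open#41ction << /S /J#61vaScript "
          b"/JS <6170702E616C657274283129> >> >>")

def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF name objects (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def decode_hex_strings(data: bytes) -> bytes:
    """Replace hex string literals <6A61...> with their decoded bytes as (...)."""
    def repl(m):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:          # PDF pads a trailing odd digit with 0
            hexdigits += b"0"
        return b"(" + bytes.fromhex(hexdigits.decode("ascii")) + b")"
    # '<<' dictionary delimiters never match: the char after '<' must be hex.
    return re.sub(rb"<([0-9A-Fa-f\s]+)>", repl, data)

def normalize(data: bytes) -> bytes:
    """Apply both decodings; good enough for object dictionaries, not for raw streams."""
    return decode_hex_strings(decode_pdf_names(data))

def find_suspicious(data: bytes) -> list:
    """Return the suspicious names present once hex obfuscation is undone."""
    clean = normalize(data)
    return [n for n in SUSPICIOUS_NAMES if n.encode() in clean]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE))
```

Compressed (FlateDecode) streams must be inflated before this pass; the normalizer only handles what is visible in object dictionaries.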

You can run the tool on the command line like this: pdf_scan.exe filename.pdf

Or you can use the included batch script to scan your entire system.

Download it here.

Your feedback is welcome.

Jerome Segura

  • Posted in Research

Google AdWords Phishing scam

September 2nd, 2010

This is a very well done scam, targeting the Google AdWords program.

If you follow the link (which by the way is a decoy) you land on mastererectorsllc.com/cache/main.php:

By logging in with your Google account you immediately send your username and password to some criminal (or punk).

If the bad guys are smart enough, they will change the password and security question immediately so that you are locked out of your account and cannot reset it. That gives them a head start to harvest all the information they need, before you file a complaint with Google for fraud.

I hate scammers… My wife had her wallet stolen the other day and it just made me boil inside. Although the credit card companies are good at dealing with fraud, there are still a bunch of other cards that contain sensitive information about your identity… and that you can’t get back. Identity theft in all its forms (real life or online) is a growing concern.

I find it very satisfying to report shady or exploit sites. My 2 cents in this crazy world ;-)

Jerome Segura

  • Posted in Phishing

A few tips to avoid phishing scams

August 31st, 2010

Phishing scams are a very real threat and yet most anti-phishing technologies are still playing catch up.

As always, the human factor is the key to identifying a phishing attempt and not falling for it. Having said that, the level of sophistication employed by criminals is such that even the wisest person cannot always tell the difference.

Here is an example of a Bank Of America email notification:

If you are a Bank Of America customer, this email looks legitimate. So, what gives it away?

Several typos:
“Bank of Amerca”
“www.bankofamerica.com/SingOn”

Never trust a link within an email. Although it appears normal on screen, scammers can embed a different destination URL behind it. If in doubt, right click on the link and choose “copy hyperlink”. Then open Notepad and paste it. If the two links do not match, it is a scam.

Note: the typo give-away is still a good trick to remember but cannot be a total guarantee. Criminals may eventually take grammar lessons and use spell checkers (Lol!).

This second screenshot shows a PayPal phish:

In this scam, more than usual is asked of you: for example, your credit card number, CC expiry date, etc. That is common in phishing scams. Criminals think they might as well harvest as much information about you as they can while they have you fooled.

In the following screenshot, the bad guys are asking you for your PIN! This is totally unjustified.

So, if a site is asking for more than your typical username and password, use extreme caution.

All the previous phishing scams relate to stealing your personal information by completing web forms. Unfortunately, they are not the only way the bad guys will steal your identity.

Malicious attachments or links can infect your computer and install various pieces of malware that can search your hard drive for confidential documents, passwords etc… as well as install keyloggers that will capture all sensitive information you type, and send it back to the criminals.

Most malicious attachments are zipped (the original document has been compressed in an archive) because it is one of the ways to evade instant deletion by your Email or Webmail provider, as well as deletion by Anti-Virus products running on your computer.
However, Windows can open standard archives with its built-in extraction feature, so it really is a convenient means of sending bad files.
Criminals go one step further by disguising the files they send you: they give them custom icons and rename them so they look like some well-known program when in fact they are not.

The file below has a Microsoft Word icon, and extra spaces were added to its name so that you can’t see the actual extension:

The safest thing to do when you’re not sure about a file is to check it on VirusTotal. This free service scans it against more than 40 different AntiVirus engines in less than a minute. In most cases, a malicious file will be detected by at least one vendor.

Malicious URLs can also be checked on VirusTotal. In fact, ParetoLogic is one of the engines they are using :-)
Again, remember to copy the link by right clicking on it and then selecting “copy hyperlink”. The link in the actual email can be just a façade for a really nasty URL.

Hopefully these few tips will help you recognize phishing scams. Your best ongoing protection is to stay informed about the latest trends… that way you may hear about something before it actually finds its way into your inbox!

ParetoLogic maintains a dedicated site exposing the latest phishing scams. You can search and report existing scams or just take a look at what’s new with this very lucrative crime!

Jerome Segura

  • Posted in Phishing

bruleursdeloups.com hacked, serves malware

August 27th, 2010

Every now and again, a particular URL flagged by our HoneyPots catches my eye. This one is quite familiar to me: it is the website of a French hockey club known as the “Bruleurs de loups” (literally “wolf burners”), based in my hometown of Grenoble.

It looks like their site has been hacked and is serving a piece of malware at: www.bruleursdeloups.com/.gd1nlpq/?getexe=p.exe

The last part of the URL is a trademark of the Koobface gang. VirusTotal report here.

I have contacted the webmaster and hopefully they can get the site cleaned up soon.

Jerome Segura

  • Posted in Exploits

Phishing attacks: how the bad guys lead you to malware in a ‘cascading sort of way’

August 26th, 2010

We received this email from Bell saying that our e-bill was attached:

The file attached is a web page, called e-bill.html which contains JavaScript code:

Note how the JavaScript obfuscates the URL it loads: "http:"+"//en"+"oyyouSJF".substr(0,5)+"rhairQkwp".substr(0,5)+"IUZcut.cIUZ".substr(3,5)+"xvlom/2.lxv".substr(3,5)

This is basic string manipulation that makes the URL harder to detect and block.

Here is the URL below, loaded in your browser (in clear text this time!):

That page contains an iframe:

Which ultimately leads to a malicious site (conspalopi.cz.cc):

The site loads a FakeAV scanner on your PC:

So let’s track back what happened here:

1) The bad guys get you to open an attachment in your email, through clever social engineering.
2) The attachment is a web page that uses a compromised site to redirect your browser. However, the site’s URL is ‘disguised’ so as to go undetected.
3) The final payload (rogueware) is served.

By the way the compromised site (enjoyyourhaircut.com) also has a Facebook page:

Online criminals will use any means at their disposal to avoid being detected. Phishing scams can be very hard to block because a lot of the time spammers will use compromised PCs with real and legitimate email addresses to send their scam. That helps it make it through anti-spam filters. Although attachments can be scanned, the bad guys will not attach their payload directly. Instead, they will use apparently innocuous files that redirect you to their malware in a ‘cascading sort of way’.

Want to check out more phishing scams? Please visit our PhishingEmails.com site.

Jerome Segura

  • Posted in Phishing

The bad guys love pizza and the Terminator

August 23rd, 2010

In the developers’ world, it is fairly common to name one’s creations after a particular interest or hobby.

I’m guessing the same goes for hackers… We identified these two domains pepperonni.ru and treminator.ru {sic} hosted on 159.148.117.209.

These domains host various exploits:

And it looks like the bad guys had some fun naming the URLs…

Of course, these domains are registered to a ‘Private Person’ and very little is known about them.

Except maybe that they’re located somewhere in Eastern Europe:

Wondering if this little trend will keep going and what else will be named after…

Feeling thirsty? How about Vodka.ru/dovgan/files/java.rar ?

Jerome Segura

  • Posted in Exploits

ParetoLogic’s URL Scanner added to VirusTotal

August 21st, 2010

I am proud to announce that our URL Scanner has been added to the VirusTotal URL validation service:

Our HoneyPots have been crawling hundreds of thousands of sites, night and day, looking for the latest exploits that we publish in our URL Clearing House service. This gives security researchers and other malware enthusiasts a resource to study malicious URLs and their payload.

VirusTotal recently underwent some major changes. The new site offers the same features we are used to (uploading files to be scanned by a large number of AV products) with some improvements: a new vtuploader utility that supports multiple uploads as well as a larger upload size (20 Mb). Developers can also directly query VirusTotal with the new API, which is a really great addition.
A new cool feature to VirusTotal is URL scanning. You can now verify if a site is safe before visiting it.

Currently, the following engines will verify a URL:

There are many tools and services out there to check a website’s reputation. However, it is time consuming to look for them and do a search on each. Having them centralized is a very handy and quick way to determine if a site is clean or not.

Another neat thing on VirusTotal is the “VT Community” section. Registration is free and allows you to comment on files you upload, interact with other users, etc.

I want to thank the folks at VirusTotal for making us a part of their great services! :-)

Jerome Segura

  • Posted in Research

PhishingEmails.com: exposing email phishing scams

August 18th, 2010

I’ve been working on this project for the last few weeks regarding phishing scams. You may have noticed that I publish some on this blog every now and again, and they deserved to have a place of their own. So here it is: http://www.phishingemails.com/

Unlike PhishTank, we specialize in phishing emails.

Every day, we receive thousands of spam emails and instead of just ignoring them we parse them and keep the interesting ones, in particular phishing scams, because they are a threat to your identity and bank accounts ;-)

Here is a simple classification:

Following a malicious link:

This is by far the most common of all the scams. By following a link that appears legitimate, victims are lured to enter sensitive information into a supposedly safe website. In reality, the site is a fake and all the information gathered will be forwarded to the scammers.

Running a malicious file:

Although less common, malicious attachments still exist. Email clients and webmails are getting better all the time at filtering dangerous attachments, but some files are still able to make it through. The victim is lured to open the attachment and run it. Instead of being what they thought it was, the file will infect their computer and reside in memory so that it can capture sensitive information and relay it to the criminals.

Responding to a dubious Email address:

Last but not least, Nigerian scams, also known as advance-fee fraud, can be used to steal private information (although that is not their primary goal). The victim may be lured to send money in advance and give certain confidential data about herself (such as bank account number, date of birth, driver’s license number, etc.).

Enjoy!

Jerome Segura

  • Posted in Phishing, Spam

The Cold war might be over… but Cyber Cold War ain’t!

August 13th, 2010

One of the most wanted carders (credit card scammers), Vladislav Horohorin AKA BadB, was arrested in Nice (France), as he was about to board a plane bound for Moscow.

BadB had been very active in the credit card fraud business, selling stolen cards in various “dumps”.

One of his sites, badb.biz, was still active earlier today but appears to be down now. I managed to salvage the main screen image, which is actually a Flash animation:

It is a depiction of the hacker’s ‘supposed’ desk which includes:

- A Mac
- A smartphone
- A Russian passport
- Airplane tickets
- The keys to a BMW
- US dollars
- Euros
- A cigar
- A coffee
- Several Visa and MasterCard credit cards
- A stripe reading machine
- etc.

Some of you may recognize something familiar in the pic… The crimepack toolkit homepage:

Same wallet and bills…

If the Cold War is over, the Cyber Cold War isn’t.

Hackers from Russia and the former Soviet states gloat about stealing from the ‘yankees’.

Part of it involves making fun of American culture:

But if capitalism is so evil, then why portray yourself in this way?

According to the media, BadB faces about 10 years in jail and a $250K fine. That seems so little for someone who has been making loads of money and most likely will return to his business as soon as he gets out.

Jerome Segura

  • Posted in Botnets, Exploits

Jerome Segura is a Security Researcher at ParetoLogic.

© 2010 ParetoLogic Inc.