Exploits 4free
Today I was looking at an interesting website and a drive-by download associated with it.
The file is not a JPG… in fact it is an exploit script. I detail what it does in the diagram below:
The hacker has left their Apache/2.2.9 PHP/5.2.6 server wide open! The IP is located in Hong Kong, China, and actually hosts two different domains (that are mirrors of each other).
Because the server is not protected, you can easily browse through its file repository and find all the exploit code in there. If you check the date, these exploits are fairly recent.
There is a nice PHP management page, called PHPSpy that allows you to update your exploits:
I downloaded all the files in that repository for a closer look.
Amongst them, an AVI file that exploits a vulnerability in Explorer. In my case it just crashed it and did nothing else. The exploit happens when you select the file and it tries to display its properties in the details pane.
DLL files compiled in C# that leave no doubt as to what their intent is (exploit shellcode):
Heavily obfuscated html pages loaded with exploits:
Following the PHPSpy link led me to the Security Angel’s website (in Chinese).
A quick translation reveals (more or less) what it’s all about:
The “Security Angel team” has more exploits up for grabs:
It also has some tutorials and scripts for the newbies, such as this ‘man in the middle’ attack perl script:
I decided to analyze the main executable that these exploits push. It creates a service and injects a DLL file into System32.
A VirusTotal scan… the sample is detected but the descriptions are vague.
Security researchers interested in the actual location of the exploit server can contact me.
Jerome Segura
Nasty malware sample attempts to evade detection
A lot of threats will not run if they can determine they are being monitored.
Here is an example of a Password Stealing Trojan from China which tried to infect my PC:
This must have been only one of the many processes that were launched… I know I was owned when I started seeing various pop ups coming straight from my taskbar including various Baidu ads as well as some Chinese adult sites.
Meanwhile, I was monitoring this threat and you can see a bit of what it did to my machine on the screenshot below.
Needless to say that after being infected, your system is at the mercy of those hackers… Also, browsing is now a lot slower!!
Jerome
You don’t get more straightforward than that
or do you?
PDF exploits are rampant… make sure you have the latest version of Adobe Acrobat Reader, or choose a different PDF viewer (Foxit, Cool-PDF, etc.); there are tons of free ones, lesser known and hence safer.
Jerome
Iframes, PDF exploits and RBN
Our honeypot caught several legit sites that were infected and pushing the same drive-by download. I decided to take a closer look.
Upon visiting the site, a PDF file will open (and crash) trying to run an executable exploiting an Acrobat Reader vulnerability.
I dug into the source code of the infected page. Strangely, the malicious (and obfuscated) JavaScript code appears twice. The first occurrence was commented out (did the web admin try to fix it?) but the second one was still active and in clear text.
I took a closer look at the JavaScript… It’s all gibberish, so you have to use tools to make it readable. I used the free program Malzilla which revealed the culprit:
An ugly Iframe!!!
I checked this IP address and it is listed as part of the RBN (Russian Business Network). If you visit that IP, you will see even more obfuscation:
Anyway, the PDF exploit can be opened with Notepad to reveal the malicious JavaScript code:
Most AV vendors already detect it:
Jerome
LinkedIn fake profiles push malware
LinkedIn, the social-networking site with a business twist to it, is hosting thousands of fake infected profiles.
Basic social engineering techniques involving keywords such as nude, sex tape, uncensored, etc. lead to malicious profiles. If you follow the links, you will eventually get to some malware sites.
We have a YouTube video of this.

Malrus the dragon
Deep down in the dungeon there is a dragon called Malrus. He spits iframes, obfuscated JavaScript and much more.

Jerome
Free rider
A 404 is the error code you get when you try to access a page that does not exist.
But as I found out, many hackers use a 404 template to hide something nasty. The screenshot below shows you the page you will see when browsing that website. It looks like a typical error message. But underneath you will see the source code of that same page. The source code is made of the HTML tags which make up a web page. Now, you may not be familiar with JavaScript, but you will recognize the text as incomprehensible. It is indeed obfuscated in order to evade classic AV detection, and it will execute a nasty payload.
By using such a disguise, the malware author hopes to be a “free rider” for some time, utilizing someone else’s resources while benefiting from them.

JSegura
More YouTube Impersonations target weak web servers
Using popular websites in well-crafted social engineering tricks in order to distribute malware is nothing new. However, I found this example that goes one step further.
For starters, it uses the default YouTube template and embeds an iframe pointing to the malicious file. Of course, both pages are hosted on a compromised website. The only way you can tell (omitting the obvious adult video) that this is not the classic YouTube is by checking the address bar at the top of the browser. Although the website may not look malicious, it is definitely not YouTube’s.
The site in question is a B2B online solutions portal which has been attacked by a hacker and is now serving “fake” adult movies. You have to feel sorry for the company, but unless they get an email notification from someone who cares, this situation could go on for a long time. Or maybe one day they’ll find themselves on a blacklist and wonder why… Google’s StopBadware will prevent people from clicking on sites within search results if they have been identified as dangerous.
To go back to this hack, we have a fake YouTube page with a picture of an adult movie. The movie does not play, it is on “Pause”. Yes, there will be enough people that will want to see more and will do as they’re told: “Download Now Full Video”. By the way, isn’t that bad grammar? Hmm…

Now, another surprise: instead of a movie file, you will get an executable. But again, at least half the people who got to click on the link will proceed anyway. The file is - to nobody’s surprise - infected with a Trojan. Very bad things will happen once it is executed. Hijacked desktops and scary warning messages sound familiar?

Another thing that surprised me was to see how cozy the hacker had made himself in this hacked website. Not only is this legitimate site hosting the nasty Trojan horse, but also all the adult pictures used to create the fake video. As I noticed by clicking the refresh button, there are many more (46) adult content photos. This is bad too, from a legal point of view. Imagine for a minute that the hacker had put child pornography there; the consequences for that business could be very detrimental.
To minimize the footprint on the webserver, the hacker naturally placed the pictures under the typical /images/ directory where company logos and other corporate things are!


As you can see by the date, this hack happened less than a week ago. Web administrators need to be very thorough when it comes to securing web servers. Weak passwords and unpatched software are a sure way to get hacked.
Jerome Segura
Several hundred sites hijacked
I uncovered at least 500 websites that have been compromised by hackers and are serving exploits.
Those sites are totally legit and most are not even blacklisted by Google.

Now, take a look at the screen below: Google flags the first site as dangerous, while the second one, containing the exact same page, is totally unknown.
Obviously, getadultaccess.com is a known bad site, whereas campodifiori.it is a legit Italian house rentals site that has been compromised.
That makes me wonder though, why can’t Google figure out a way to block all sites that match the same pattern, in this case, the same html file containing the malware?

JSegura
More Angelina…
First, can’t help but notice the spelling mistake: Anjelia?
Her full name is: Angelina Jolie Voight
I only knew the Angelina Jolie part, so thanks to this little research I learned that her father is actor Jon Voight.
Anyway, yet another extremely popular spam campaign, which I even got in my personal mailbox.
Funny how the spammers are trying to lure people with Microsoft’s blessing. Looks like some solid cut and paste.
If you click on the link it will open a nasty Trojan.

JSegura