YouTube typo delivers IRC Bot
UPDATE:
The file is packed with professional software (Armadillo), making the unpacking process almost impossible.
Once executed, the file uses some in-memory protection by running these two processes.
——–
Fresh from our HoneyPot we discovered a malware site using a typo in its domain name.
The site youtorube.com will push a fake video codec, on what appears to be a YouTube page (in Italian).
The domain is registered to:
Pretty soon after running the fake codec, I observed IRC traffic with the same IP address:
This lets me know that I am part of an IRC channel:
The IRC server’s IP (87.98.184.231) has some interesting connections, including a “p0nwed.de” domain. Hmm…
I attempted to connect to that IRC channel manually, however the channel requires a key… In other words, I am not welcome.
Further analysis of the malware binary may reveal the channel’s key hard-coded.
The file itself is detected as:
Our Heuristic engine already detected it as:
However, at that point I had aggregated enough data to determine that this ‘codec’ actually turns your machine into a bot, which is not a good thing.
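The IRC observations above (traffic to the server, membership of a channel, a channel that requires a key) are the kind of thing a small protocol parser can pull out of a captured stream automatically. The following is an added example, not code from the original post: CAPTURE is a constructed session, not traffic from the sample described here, and the ">"/"<" direction markers, server name, nick, channel and key in it are all invented for the example.

```python
"""Minimal IRC session parser: which server the host talks to, which nick it
uses, and whether it joins a key-protected channel."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed capture: ">" lines were sent by the host, "<" lines were received.
CAPTURE = """\
> NICK bot1234
> USER bot1234 0 * :bot1234
< :irc.example.test 001 bot1234 :Welcome to the network
> JOIN #ch4n s3cretkey
< :bot1234!u@h JOIN :#ch4n
< :irc.example.test 324 bot1234 #ch4n +snk s3cretkey
> PRIVMSG #ch4n :hello
"""


@dataclass
class Message:
    prefix: Optional[str]   # sender, from the leading ":..." token, if any
    command: str            # verb or three-digit numeric reply
    params: List[str]       # middle params plus the trailing ":..." param


def parse_irc_line(line: str) -> Message:
    """Split an IRC line into prefix, command and params (RFC 1459 shape)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    command = params.pop(0).upper()
    if sep:
        params.append(trailing)
    return Message(prefix, command, params)


@dataclass
class Session:
    nick: Optional[str] = None
    server: Optional[str] = None
    joins: List[Tuple[str, bool]] = field(default_factory=list)  # (channel, key supplied)
    modes: Dict[str, str] = field(default_factory=dict)          # channel -> mode string


def summarize(capture: str) -> Session:
    s = Session()
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        direction, _, text = raw.partition(" ")  # ">" host->server, "<" server->host
        msg = parse_irc_line(text)
        if direction == ">" and msg.command == "NICK":
            s.nick = msg.params[0]
        elif direction == "<" and msg.command == "001":  # RPL_WELCOME names the server
            s.server = msg.prefix
        elif direction == ">" and msg.command == "JOIN":
            channels = msg.params[0].split(",")
            keys = msg.params[1].split(",") if len(msg.params) > 1 else []
            for i, ch in enumerate(channels):
                s.joins.append((ch, i < len(keys)))
        elif direction == "<" and msg.command == "324" and len(msg.params) >= 3:
            s.modes[msg.params[1]] = msg.params[2]  # RPL_CHANNELMODEIS: nick, channel, modes
    return s


def indicators(s: Session) -> List[str]:
    """Channels the host entered with a key, or that the server reports as +k."""
    keyed = {ch for ch, has_key in s.joins if has_key}
    keyed |= {ch for ch, m in s.modes.items() if m.startswith("+") and "k" in m}
    return sorted(f"keyed-join:{ch}" for ch in keyed)


if __name__ == "__main__":
    session = summarize(CAPTURE)
    print(session.nick, session.server, session.joins, indicators(session))
```

Run over a real stream (for example the client side of a TCP conversation exported from a packet capture, one line per message) the same summary gives you the server, the nick and the keyed channels without reading the whole exchange by hand.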
Jerome Segura
Malware ID: f028c315649b7319e8ef2cc22dc67690.zip
|
Ali Baba and the Forty Thieves
When I was a kid, I used to love that tale about Ali Baba and the Forty Thieves.
They also made a French telefilm with unforgettable Fernandel.
If you wonder why I am reminiscing about the past, it’s because I stumbled upon this:
It seems the site had closed its doors, so I pronounced the magic words “open sesame”,
and to my surprise golden and shiny malware appeared:
There is a bit of everything, kind of what Ali Baba found:
Nonaco, SillyProxy, Koobface and some new backdoors and trojans.
Watch out, the site is still live, magic words or not.
Jerome Segura
|
All too familiar Mac OS X Trojan
Mac Malware is definitely getting pushed in the wild.
Again this morning I stumbled upon yet another sample:
Sites listed on the same IP: 93.190.140
all-softfree.com
allsoft-free.com
megafucklist.com
porn-tube09.com
pornmegatube.net
porntubenew.com
tube4-fuck.com
tubeporn08.com
tubeporn09.com
www.allsoft-free.com
www.porn-tube09.com
www.pornmegatube.net
www.porntubenew.com
www.tubeporn08.com
www.tubeporn09.com
www.uporntube07.com
www.xxxporn-tube.com
xxxporn-tube.com
Beware, those links are live and serve malware for both the Mac and the PC.
Jerome Segura
|
The Mac Trail to 213.182.197
Since following this Mac Trojan I have come across several valuable links.
In particular I am investigating 213.182.197
Check out what’s on there:
base record name ip reverse route as
bests.at a 213.182.197.2 (none) ?
fcoder.at a 213.182.197.2 (none)
kirgo.at a 213.182.197.2 (none)
8070372.com a 213.182.197.4 (none)
zeus-logs.biz a 213.182.197.4 (none)
- 213.182.197.7 (none)
bestxvids.info a 213.182.197.8 mxs.newhostgroup.ru
freewebxxx.info a 213.182.197.8 mxs.newhostgroup.ru
hotfreexxx.info a 213.182.197.8 mxs.newhostgroup.ru
mail.2todays.com a 213.182.197.8 mxs.newhostgroup.ru
mail.freewebxxx.info a 213.182.197.8 mxs.newhostgroup.ru
mail.hotfreexxx.info a 213.182.197.8 mxs.newhostgroup.ru
mail.newhostgroup.ru a 213.182.197.8 mxs.newhostgroup.ru
mail.tubeololo.org a 213.182.197.8 mxs.newhostgroup.ru
mail.worldtube.su a 213.182.197.8 mxs.newhostgroup.ru
ns1.2todays.com a 213.182.197.8 mxs.newhostgroup.ru
ns1.freewebxxx.info a 213.182.197.8 mxs.newhostgroup.ru
ns1.good777.ru a 213.182.197.8 mxs.newhostgroup.ru
ns1.goxxxweb.info a 213.182.197.8 mxs.newhostgroup.ru
ns1.sabroski.com a 213.182.197.8 mxs.newhostgroup.ru
ns1.tubeololo.org a 213.182.197.8 mxs.newhostgroup.ru
ns1.zoosexvideo.net a 213.182.197.8 mxs.newhostgroup.ru
ns2.goxxxweb.info a 213.182.197.8 mxs.newhostgroup.ru
ns2.hotfreexxx.info a 213.182.197.8 mxs.newhostgroup.ru
ns2.siteload.cn a 213.182.197.8 mxs.newhostgroup.ru
ns2.yesey.net a 213.182.197.8 mxs.newhostgroup.ru
ns2.zoosexvideo.net a 213.182.197.8 mxs.newhostgroup.ru
sabroski.com a 213.182.197.8 mxs.newhostgroup.ru
seexxxfree.info a 213.182.197.8 mxs.newhostgroup.ru
uniquexsoftware.com a 213.182.197.8 mxs.newhostgroup.ru
vipwarezz.com a 213.182.197.8 mxs.newhostgroup.ru
worldtube.su a 213.182.197.8 mxs.newhostgroup.ru
www.freewebxxx.info a 213.182.197.8 mxs.newhostgroup.ru
www.goxxxweb.info a 213.182.197.8 mxs.newhostgroup.ru
www.sabroski.com a 213.182.197.8 mxs.newhostgroup.ru
www.seexxxfree.info a 213.182.197.8 mxs.newhostgroup.ru
mxs.newhostgroup.ru ptr 213.182.197.8
ns2.bestxvids.info a 213.182.197.10 (none)
ns2.freewebxxx.info a 213.182.197.10 (none)
ns2.good777.ru a 213.182.197.10 (none)
ns2.mac-videos.com a 213.182.197.10 (none)
ns2.newhostgroup.ru a 213.182.197.10 (none)
ns2.viagrabe.com a 213.182.197.10 (none)
ns2.worldtube.su a 213.182.197.10 (none)
barmatuxa.info a 213.182.197.12 (none)
zapalinfo.info a 213.182.197.12 (none)
ns1.bestxvids.info a 213.182.197.13 (none)
ns1.hotfreexxx.info a 213.182.197.13 (none)
ns1.siteload.cn a 213.182.197.13 (none)
ns1.tube84.com a 213.182.197.13 (none)
wkontkte.ru a 213.182.197.13 (none)
hostnsload.cn a 213.182.197.14 (none)
mail.hostnsload.cn a 213.182.197.14 (none)
mail.megavipsite.cn a 213.182.197.14 (none)
mail.siteload.cn a 213.182.197.14 (none)
megavipsite.cn a 213.182.197.14 (none)
siteload.cn a 213.182.197.14 (none)
adultelitiest.ru a 213.182.197.20 (none)
dns-lv9720.com a 213.182.197.20 (none)
mail.dangerousteens.com a 213.182.197.20 (none)
mail.dns-lv9720.com a 213.182.197.20 (none)
mail.openstat.ws a 213.182.197.20 (none)
mail.toponline-video.net a 213.182.197.20 (none)
ns1.dns-lv9720.com a 213.182.197.20 (none)
ns2.dns-lv9720.com a 213.182.197.20 (none)
openstat.ws a 213.182.197.20 (none)
toponline-video.net a 213.182.197.20 (none)
- 213.182.197.21 (none)
ns1.freednshostserver.com a 213.182.197.23 (none)
ns2.bio-a.ru a 213.182.197.23 (none)
ns2.dub-dubom.ru a 213.182.197.23 (none)
ns2.icq-stanet-platnoy.ru a 213.182.197.23 (none)
ns2.iqdoza.ru a 213.182.197.23 (none)
ns2.lifezilla.ru a 213.182.197.23 (none)
ns2.litegreatestdirect.cn a 213.182.197.23 (none)
ns2.mixmediadirect.cn a 213.182.197.23 (none)
ns3.freednshostway.com a 213.182.197.23 (none)
- 213.182.197.28 (none)
traffanalizer.cn a 213.182.197.40 (none)
- 213.182.197.227 (none)
*.1st.abdulabah.cn a 213.182.197.229 (none)
1st.abdulabah.cn a 213.182.197.229 (none)
807037.com a 213.182.197.229 (none)
bjbotnet.cn a 213.182.197.229 (none)
domenzmonz.cn a 213.182.197.229 (none)
firex-labz.com a 213.182.197.229 (none)
groos.ru a 213.182.197.229 (none)
kazantipwords.ru a 213.182.197.229 (none)
lafi.babjr.cn a 213.182.197.229 (none)
mssys.net a 213.182.197.229 (none)
muhamed.cn a 213.182.197.229 (none)
odnoklassniki.groos.ru a 213.182.197.229 (none)
www.1st.abdulabah.cn a 213.182.197.229 (none)
www.abdulabah.cn a 213.182.197.229 (none)
www.acidbot.cn a 213.182.197.229 (none)
www.lafi.babjr.cn a 213.182.197.229 (none)
yes04ka.cn a 213.182.197.229 (none)
- 213.182.197.230 (none)
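The listing above is easier to reason about once it is grouped by address: one IP carrying dozens of forward names, and a handful of addresses hosting all the ns1/ns2 records, is what shared criminal hosting looks like. The script below is an added example, not part of the original post; it parses the flattened format shown above (name, record type, IP, reverse name) and SAMPLE is a hand-picked subset of the rows on this page.

```python
"""Parse a flattened passive-DNS listing and group it by IP address."""

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Subset of the rows shown on the page, header row included.
SAMPLE = """\
base record name ip reverse route as
bests.at a 213.182.197.2 (none) ?
fcoder.at a 213.182.197.2 (none)
- 213.182.197.7 (none)
bestxvids.info a 213.182.197.8 mxs.newhostgroup.ru
ns1.good777.ru a 213.182.197.8 mxs.newhostgroup.ru
ns2.goxxxweb.info a 213.182.197.8 mxs.newhostgroup.ru
mxs.newhostgroup.ru ptr 213.182.197.8
ns2.bestxvids.info a 213.182.197.10 (none)
ns2.mac-videos.com a 213.182.197.10 (none)
wkontkte.ru a 213.182.197.13 (none)
bjbotnet.cn a 213.182.197.229 (none)
www.acidbot.cn a 213.182.197.229 (none)
"""

NS_LABEL = re.compile(r"^ns\d+\.", re.IGNORECASE)  # hostnames that act as nameservers


@dataclass
class Record:
    name: Optional[str]    # None for the "- <ip>" rows, which carry no forward name
    rtype: Optional[str]   # "a", "ptr", ...
    ip: str
    reverse: Optional[str]


def parse(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "base":   # blank line or the header row
            continue
        if parts[0] == "-":                   # address seen without a forward name
            records.append(Record(None, None, parts[1], None))
            continue
        name, rtype, ip = parts[0], parts[1].lower(), parts[2]
        reverse = parts[3] if len(parts) > 3 and parts[3] != "(none)" else None
        records.append(Record(name, rtype, ip, reverse))
    return records


def domains_by_ip(records: List[Record]) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.rtype == "a" and r.name:
            out[r.ip].append(r.name)
    return dict(out)


def nameserver_hosts(records: List[Record]) -> Dict[str, Set[str]]:
    """IPs that answer for nsN.* hostnames, i.e. the DNS side of the hosting."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.rtype == "a" and r.name and NS_LABEL.match(r.name):
            out[r.ip].add(r.name)
    return dict(out)


def reverse_names(records: List[Record]) -> Dict[str, str]:
    """Reverse name per IP, from either the reverse column or a ptr row."""
    out: Dict[str, str] = {}
    for r in records:
        if r.reverse:
            out[r.ip] = r.reverse
        elif r.rtype == "ptr" and r.name:
            out[r.ip] = r.name
    return out


def summary(records: List[Record]) -> List[Tuple[str, int, int, Optional[str]]]:
    """(ip, forward names, nameserver names, reverse name) in address order."""
    fwd, ns, rev = domains_by_ip(records), nameserver_hosts(records), reverse_names(records)
    ips = sorted({r.ip for r in records}, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [(ip, len(fwd.get(ip, [])), len(ns.get(ip, set())), rev.get(ip)) for ip in ips]


if __name__ == "__main__":
    for row in summary(parse(SAMPLE)):
        print(row)
```

Fed the full listing, the summary shows at a glance which addresses are content hosts and which are the nameservers the whole block depends on; blocking or sinkholing decisions are much easier to justify from that view than from the raw rows.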
The sample flies totally under the radar, as this VirusTotal screenshot shows:
When you think it’s over, here is more from 213.182.197.13:
You can see the fake PornTube sites riddled with malware and, worth pointing out, a social networking site called Vkontakte. It is the equivalent of Facebook in Russia, Ukraine and Belarus.
It is not the real site though: a little typo in the name, a similar design…
This is the legitimate site:
The trail never seems to end! Fake codecs, illegal adult content, phishing sites… Steer clear of those sites!
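Both youtorube.com (for youtube.com, from the IRC bot post above) and wkontkte.ru (for vkontakte.ru, in the listing just shown) are one or two keystrokes away from the brand they imitate, which is exactly what an edit-distance check catches. The code below is an added example and not from the original post: the brand watch list and the distance threshold are choices made for this example, and the label extraction assumes a single-label public suffix.

```python
"""Typo-domain check: compare a domain's registrable label against a brand
list by edit distance."""

from typing import Iterable, List, Tuple

# Assumed watch list for the example; a real one would be much longer.
BRANDS: List[str] = ["youtube", "vkontakte", "facebook"]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'youtorube' for www.youtorube.com.

    Assumes a one-label public suffix; handling co.uk and friends properly
    needs the Public Suffix List, which is out of scope here."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, brands: List[str] = BRANDS,
             max_distance: int = 2) -> Tuple[str, str, int]:
    """Return (verdict, closest brand, distance) for one domain."""
    label = registrable_label(domain)
    best = min(brands, key=lambda b: levenshtein(label, b))
    d = levenshtein(label, best)
    if d == 0:
        return ("exact", best, 0)
    if d <= max_distance:
        return ("typosquat", best, d)
    return ("unrelated", best, d)


def scan(domains: Iterable[str], **kw) -> List[Tuple[str, str, str, int]]:
    """Only the domains that look like typos of a watched brand."""
    hits = []
    for dom in domains:
        verdict, brand, d = classify(dom, **kw)
        if verdict == "typosquat":
            hits.append((dom, verdict, brand, d))
    return hits


if __name__ == "__main__":
    for hit in scan(["youtorube.com", "youtube.com", "wkontkte.ru", "bests.at"]):
        print(hit)
```

Run against the names that come out of a honeypot or passive-DNS feed, this surfaces the look-alikes early; the distance threshold of 2 keeps single typos and one-letter swaps while leaving unrelated names alone.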
Jerome Segura
|
Press coverage for new Mac Malware variant
Last week, I blogged about a new malware variant for the Mac.
The story quickly got picked up by Paul Baccas from Sophos, and then by Dancho Danchev on ZDNET.
Needless to say, this nice coverage made me quite happy.
As a security researcher, you spend hours tracking malicious stuff, and when recognition comes it makes your job even better.
I compiled all the press clippings into a single PDF.
Thanks everyone!
Jerome Segura
|
Web Threats
Today I did a short (it turned out to be long) presentation about WebThreats.
It is very high level, and I’m sure experts will find it incomplete, but I thought it was a good way to introduce web security to a large crowd.
I’ve converted the PowerPoint into a PDF which you can find here.
Enjoy!
Jerome Segura
|
Exploits 4free
Today I was looking at an interesting website and a drive-by-download associated to it.
The file is not a JPG… in fact it is an exploit script. I detail what it does in the diagram below:
The hacker has left their Apache/2.2.9 PHP/5.2.6 server wide open! The IP is located in Hong Kong, China, and actually hosts two different domains (mirrors of each other).
Because the server is not protected, you can easily browse through its file repository and find all the exploit code in there. If you check the date, these exploits are fairly recent.
There is a nice PHP management page, called PHPSpy that allows you to update your exploits:
I downloaded all the files in that repository for a closer look.
Amongst them is an AVI file that exploits a vulnerability in Windows Explorer. In my case it merely crashed Explorer and did nothing else; the exploit triggers when you select the file and Explorer tries to display its properties in the details pane.
DLL files compiled in C# that leave no doubt as to their intent (exploit shellcode):
Heavily obfuscated html pages loaded with exploits:
Following the PHPSpy link led me to the Security Angel’s website (in Chinese).
A quick translation reveals (more or less) what it’s all about:
The “Security Angel team” has more exploits up for grabs:
It also has some tutorials and scripts for the newbies, such as this ‘man in the middle’ attack perl script:
I decided to analyze the main executable that these exploits push. It creates a service as well as injects a DLL file into System32.
A VirusTotal scan shows the sample is detected, but the descriptions are vague.
Security researchers interested in the actual location of the exploit server can contact me.
Jerome Segura
|
Setting up a web trap…
In order to better understand web threats, what better way than to create your own web server?
Web admin stuff is not my forte, so I decided to follow my friend JP’s advice and go the easy way with XAMPP.
XAMPP will install pretty much all the stuff you need to start your own web server. It configures Apache, MySql and a bunch of other components used by most servers.
The other advantage for me is that XAMPP is not recommended for ‘real life’ use; it is mainly geared towards testing and development. One reason is that, by doing a lot of the ‘default’ setup for you, it does not leave your server very secure right off the bat.
It happens that this is what I want anyway.
I still have a lot to learn about Intrusion Detection Systems (IDS) and we’ve had a lot of malware lately causing us grief in our network, such as Conficker.
The idea here is to set up a vulnerable web server (Windows Server 2003) with very lax security settings (default passwords, open connections to the DB, etc.).
However, this site will not be available to the WWW. It is going to stay in our ‘very infected’ LAN, where I hope it will get owned soon.
Please do, that’s what it’s for.
Jerome
|
Cyber Crime Series from McAfee
I just watched the first episode of H*Commerce from McAfee. I like the concept very much and I would recommend anyone interested in security and the internet to check it out.
It’s rather short but there are extra bits of vids on certain topics and the quality is crisp.
The first episode talks about wardriving and Cap’n Crunch.
Jerome
|
Malware Samples Share
We are sharing our malware samples with other trusted partners. New samples are uploaded every day.
Where do they come from?
- HoneyPots: we get lists of URLs from third-party partners, we build our own lists… Then we run these lists against our HoneyPots.
- Derived payload from Sandbox Analysis: after analysing a malware sample, we scrape the disk for malware samples. We use different techniques to do that, such as mounting the NTFS partition from Linux and reading and scraping the registry. That way, we can get everything, including rootkits.
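The "scrape the disk after the sandbox run" step above comes down to knowing which files the sample added or changed, and a hash snapshot taken before and after detonation gives exactly that. The code below is an added example, not the tooling described in the post: it is meant to be run from the analysis host against a read-only mount of the guest disk, and its demo() function builds a throwaway directory tree with constructed file names so it runs anywhere.

```python
"""Before/after file-system snapshots: find what a sample dropped or modified."""

import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

Snapshot = Dict[str, str]   # relative POSIX path -> SHA-256 hex digest


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> Snapshot:
    """Hash every regular file under root (symlinks skipped so the walk stays on the image)."""
    root = Path(root)
    out: Snapshot = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
    }


def new_samples(after: Snapshot, diff: Dict[str, List[str]]) -> Dict[str, str]:
    """Paths worth pulling off the image for analysis, with their hashes."""
    return {p: after[p] for p in diff["added"] + diff["modified"]}


def demo() -> Dict[str, List[str]]:
    """Build a constructed guest tree, simulate a detonation, return the diff."""
    tmp = Path(tempfile.mkdtemp())
    try:
        sys32 = tmp / "Windows" / "System32"
        (sys32 / "drivers" / "etc").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"unchanged system file")
        (sys32 / "drivers" / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (tmp / "Temp").mkdir()
        (tmp / "Temp" / "installer.exe").write_bytes(b"dropper, deletes itself later")
        before = snapshot(tmp)

        # Constructed "what the sample did": drop a DLL into System32, edit the
        # hosts file, and remove its own installer.
        (sys32 / "dropped.dll").write_bytes(b"dll written by the sample")
        (sys32 / "drivers" / "etc" / "hosts").write_text(
            "127.0.0.1 localhost\n10.0.0.1 example.invalid\n")
        (tmp / "Temp" / "installer.exe").unlink()
        after = snapshot(tmp)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Taking the "before" snapshot from the clean image means the comparison does not depend on the guest's own view of the file system, which is the point the post makes about rootkits: files hidden from the running Windows are still plainly visible when the partition is mounted from Linux and hashed offline.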
If interested, contact me at:
Jerome
|