Archive for the ‘Research’ Category


MDL: URL Clearing House in testing phase

November 2nd, 2009

We are doing some more testing and putting the final pieces together on our URL Clearing House project.

When will it be ready? I can't say for sure yet. We need to add user accounts (don't worry, the service will be free) for our own stats, put up a Terms of Service, do some security checks on the server, etc.

In the meantime, we are aggregating data from our HoneyPots:

Query for Exploits:

[screenshot: mdl1]

Query for Trojan:

[screenshot: mdl2]

Anyway, I hope this will be a valuable source of information for all malware researchers. :-)

Jerome Segura

Posted in Research

New feature added to the HoneyPot

October 30th, 2009

Our HoneyPot was missing an important feature, given that many (if not most) malicious websites use PHP to serve their payload.

Up until now, our HoneyPot was only looking for pure exploits in:

- browser
- flash
- pdf
- quicktime
- java

However, a large number of malware files are downloaded using PHP.

Here is this new feature in action:

Rogue installer:
2009.10.30 10:27:37 -08:00 Pacific Standard Time,"smarttestdrive.com/download.php","smarttestdrive.com/install.exe"

Malicious PDF:
2009.10.30 10:31:40 -08:00 Pacific Standard Time,"erorr.net/pdf.php","erorr.net/asdfgh.pdf"

This will come in handy for our upcoming URL clearing house :)
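The records above follow a simple three-column layout: timestamp, the URL the HoneyPot requested, and the file it was handed back. The script below is an added example (not the HoneyPot's own code) that parses lines in that layout and flags the case this post is about, where a server-side script rather than a static file hands out a binary. The first two sample rows are the ones shown above; the other two rows and the extension lists are constructed.

```python
import csv
import io
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log in the HoneyPot's layout: timestamp, requested URL, file served.
# The first two rows are the ones quoted in the post; the last two are made up for the example.
SAMPLE_LOG = '''\
2009.10.30 10:27:37 -08:00 Pacific Standard Time,"smarttestdrive.com/download.php","smarttestdrive.com/install.exe"
2009.10.30 10:31:40 -08:00 Pacific Standard Time,"erorr.net/pdf.php","erorr.net/asdfgh.pdf"
2009.10.30 10:35:02 -08:00 Pacific Standard Time,"example.test/index.html","example.test/logo.png"
2009.10.30 10:40:11 -08:00 Pacific Standard Time,"example.test/get.php?id=7","example.test/setup.exe"
'''

# Assumed categories: extensions that point at server-side scripts, and at the payload types the post mentions.
SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".cgi", ".jsp"}
PAYLOAD_EXTENSIONS = {".exe", ".scr", ".dll", ".pdf", ".swf", ".jar"}


def path_extension(url):
    """Extension of the URL path only, ignoring any query string ('get.php?id=7' -> '.php')."""
    path = urlsplit("http://" + url).path  # the log stores URLs without a scheme
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def parse_log(text):
    """Parse the CSV layout; the timestamp keeps its UTC offset and drops the zone name."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 3:
            continue  # skip blank or malformed lines rather than aborting the whole batch
        stamp, requested, served = fields
        when = datetime.strptime(" ".join(stamp.split()[:3]), "%Y.%m.%d %H:%M:%S %z")
        rows.append({"time": when, "requested": requested, "served": served})
    return rows


def script_served_payloads(rows):
    """Rows where a server-side script handed back a binary payload (the case this post adds)."""
    return [
        row for row in rows
        if path_extension(row["requested"]) in SCRIPT_EXTENSIONS
        and path_extension(row["served"]) in PAYLOAD_EXTENSIONS
    ]


if __name__ == "__main__":
    for hit in script_served_payloads(parse_log(SAMPLE_LOG)):
        print(hit["time"].isoformat(), hit["requested"], "->", hit["served"])
```

The extension check is only a hint: a PHP script can return anything, and a payload can be served under no extension at all, so the served bytes (magic number, Content-Type) are what a HoneyPot should finally trust.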

[screenshot: hp]

Jerome Segura

Posted in Research

Are you part of the Koobface botnet?

August 10th, 2009

Our Honeypots collect a lot of IPs from PCs infected with the Koobface worm.

I did not quite know what to do with this information until a couple of days ago.

We’ve decided to put all those IPs into a DB and have a PHP page query the user’s IP against our list.

Want to try it? Follow this URL:

http://zhengupload.paretologic.com/koobface.php

[screenshot: koobface]

The number of IPs should grow steadily and any IP detected will display a time stamp of the last time it was active:

[screenshot: k2]

Jerome Segura

Posted in Research

Sea, Hex and Sun

July 30th, 2009

In this post I'm going to show you some tricks used by malware authors to evade detection. We shall see redirections, obfuscated JavaScript and a rootkit.

First things first, here is a site that has been compromised (chinaforge.cn). The last line of code from the source page shows a "script".

[screenshot: cn1]

The URL is, of course, obfuscated. It is a redirect to a malicious site: w.siyou.org.cn

That page has rather interesting code, starting with an if statement:

if (document.location.href.indexOf("gov")>=0) {} else payload

In other words, the script checks the URL of the page the user is on, and if the string 'gov' is found it does nothing. (Government sites?)

[screenshot: cn2]

If the payload gets the green light, we get an iframe to the following domain: w.jsguangji.cn

[screenshot: cn3]

That page contains yet again 2 iframes as well as JavaScript code:

[screenshot: cn4]

Let’s take a turn and follow the first iframe:

[screenshot: cn5]

Alright. We are going to stop here for a moment and see what this is all about.

What appear to be links to pictures are actually pieces of JavaScript code. Here is the code revealed from one of the 'pictures':

[screenshot: code]

I downloaded all the 'pictures' and compiled the code together. Here is what it looks like:

[screenshot: cn7]

More obfuscated javascript!

This time we may actually have reached our final destination:

[screenshot: cn8]

Yes, all of that for a single file.
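Two things in the chain above are easy to check mechanically: whether a file linked as a picture really is one, and which strings a script tests the page URL for before deciding to fire. The following is an added example, not code from the post, that classifies downloaded blobs by their leading bytes rather than their file extension, reassembles the pieces that turn out to be script (what was done by hand above), and pulls the gating strings out of a script written in the form shown earlier (indexOf("gov")>=0). The sample blobs, the marker list and the function names are constructed.

```python
import re

# Leading bytes of the formats a '.jpg' or '.gif' link is supposed to return.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Assumed list of tokens that rarely occur in real image data but are typical of injected script.
SCRIPT_MARKERS = (b"document.write", b"eval(", b"unescape(", b"<script", b"<iframe", b"fromcharcode")


def classify_blob(data):
    """'image' if the bytes carry a known image signature, 'script' if they look like JavaScript, else 'unknown'."""
    for magic in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return "image"
    head = data[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


# Matches the gate seen in the post: location.href.indexOf("...")>=0 (double or single quotes).
GATE_RE = re.compile(r"""location\.href\.indexOf\(\s*['"]([^'"]*)['"]\s*\)\s*>=\s*0""")


def find_url_gates(script_text):
    """Strings the script looks for in the hosting page's URL before running its payload."""
    return GATE_RE.findall(script_text)


def assemble_script(blobs):
    """Concatenate, in name order, the pieces that turned out to be script."""
    parts = [blobs[name].decode("latin-1") for name in sorted(blobs) if classify_blob(blobs[name]) == "script"]
    return "\n".join(parts)


# Constructed 'pictures': one genuine JPEG header, two script fragments hiding behind image names.
SAMPLE_BLOBS = {
    "1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32,
    "2.jpg": b"if (document.location.href.indexOf(\"gov\")>=0) {} else document.write(unescape('%3Ciframe%3E'));",
    "3.gif": b"var s=String.fromCharCode(60,115,99,114,105,112,116,62);document.write(s);",
}


def triage(blobs):
    """Name -> classification for a directory of downloaded 'pictures'."""
    return {name: classify_blob(data) for name, data in blobs.items()}


if __name__ == "__main__":
    print(triage(SAMPLE_BLOBS))
    print("URL gates:", find_url_gates(assemble_script(SAMPLE_BLOBS)))
```

A real image can legitimately contain a few of the marker bytes (EXIF comments, for instance), which is why the signature check runs first and the marker scan only looks at the head of the file; anything classified 'unknown' deserves a manual look rather than being discarded.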

For the end user, however, things are a lot simpler. You browse to a compromised site, get redirected once, twice and then: wham! bam! a drive-by download, as shown below:

[screenshot: cn10]

Upon execution a file is created: c:\windows\tasks\conime.exe

To make things more difficult, the file is hidden:

[screenshot: cn11]

But just to prove it is there, I rebooted into Ubuntu (dual boot) to show you:

[screenshot: ub]

The file is detected by about half the AV vendors on VirusTotal:

[screenshot: cn13]

Programs / OS used for this post:

Malzilla
FileAlyzer
Ubuntu

If you want to do more research, I have uploaded the ‘pictures’ and the malware sample to our FTP.

Malware ID: jscode.zip

Malware ID: 3b10f98238023336aa753f9e072fb244.zip

Jerome Segura

Posted in Research

HoneyPot Workflow

July 29th, 2009

As mentioned in a previous post, our HoneyPots look for exploits with the most common browsers (and plugins).

We generate a pool of URLs refreshed every day, as well as get incoming spam URLs in real time.

An array of machines processes those URLs. Every time a malicious URL is found, it gets added to our blacklist.

URLs on the blacklist are verified every hour to check whether the content:

- is the same
- has a different payload
- is no longer there
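An added example of the hourly re-check described above, not the HoneyPot's own code: each blacklist entry keeps a hash of the payload it was listed for, and a re-check reports one of the three outcomes (same, changed payload, gone). The fetch function, the URLs and the page bodies are constructed; the retirement rule (only drop an entry after several consecutive misses) is an assumption added here, since a URL that is down for one check is often back for the next.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RECHECK_INTERVAL = timedelta(hours=1)
MISSES_BEFORE_RETIRE = 3  # assumption: retire an entry only after this many consecutive 'gone' results


def fingerprint(body):
    return hashlib.sha256(body).hexdigest()


def new_entry(url, body, now):
    """Create a blacklist record from the payload a HoneyPot was served when the URL was first flagged."""
    return {"url": url, "payload": fingerprint(body), "history": [], "misses": 0,
            "listed": now, "last_checked": now, "status": "same", "active": True}


def is_due(entry, now):
    return entry["active"] and now - entry["last_checked"] >= RECHECK_INTERVAL


def reverify(entry, fetch, now):
    """Re-fetch the URL; fetch(url) returns the body as bytes, or None when nothing is served any more."""
    body = fetch(entry["url"])
    entry["last_checked"] = now
    if body is None:
        entry["misses"] += 1
        entry["status"] = "gone"
        if entry["misses"] >= MISSES_BEFORE_RETIRE:
            entry["active"] = False
    else:
        entry["misses"] = 0  # back online: any successful fetch breaks a miss streak
        digest = fingerprint(body)
        if digest == entry["payload"]:
            entry["status"] = "same"
        else:
            entry["status"] = "changed"
            entry["history"].append(entry["payload"])  # keep the old hash; it is still a useful IOC
            entry["payload"] = digest
    return entry["status"]


# Constructed 'web': the bodies served on the listing pass, then on the first re-check an hour later.
LISTED_AT = datetime(2009, 7, 29, 9, 0, tzinfo=timezone.utc)
INITIAL = {"a.test/x.php": b"MZ payload v1", "b.test/y.php": b"MZ payload v1", "c.test/z.php": b"MZ payload v1"}
LATER = {"a.test/x.php": b"MZ payload v1", "b.test/y.php": b"MZ payload v2"}  # c.test serves nothing now


def run_recheck():
    """One hourly pass over the constructed blacklist: url -> outcome."""
    entries = [new_entry(url, body, LISTED_AT) for url, body in INITIAL.items()]
    now = LISTED_AT + RECHECK_INTERVAL
    return {e["url"]: reverify(e, LATER.get, now) for e in entries if is_due(e, now)}


def retire_demo():
    """Three consecutive misses retire an entry; returns (active, misses) afterwards."""
    entry = new_entry("d.test/p.php", b"MZ payload v1", LISTED_AT)
    for hour in (1, 2, 3):
        reverify(entry, lambda url: None, LISTED_AT + hour * RECHECK_INTERVAL)
    return entry["active"], entry["misses"]


if __name__ == "__main__":
    print(run_recheck())
    print(retire_demo())
```

Hashing the whole body is the simplest 'same payload' test; in practice the re-check should fetch with the same browser profile that triggered the listing, because many of these sites serve different content depending on the User-Agent and will look 'gone' to a plain crawler.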

[screenshot: hon]

Jerome Segura

Posted in Research

HoneyPots update

July 22nd, 2009

Just finished re-organizing our HoneyPots after what was a much-needed update.

We now detect exploits for:

- IE6
- IE7
- IE8
- Firefox
- Chrome
- Safari OS X

In addition, each machine has:

- Java Virtual Machine
- Flash Player
- Adobe Reader
- Office 2003

We crawl about 2.5 million sites per week. Exploits are sent in real time to our analysts for further investigation.

The malware found is added to our database, which ensures the protection of our users against the most recent threats they may encounter while browsing. These include DNS changers, rogue antivirus, banking trojans, etc.

We also share samples with other AV companies / partners.

Jerome Segura

[screenshot: honey1]

Posted in Exploits, Research

Read Without Prejudice

July 21st, 2009

Jerome Segura is a Security Researcher at Paretologic. He and his team provide regular updates to the malware database used in products like XoftSpy SE, Paretologic Anti Virus Plus, PG Surfer, etc.

[photo: paretologicbuilding2]

Paretologic's building

The team is composed of members with different backgrounds, from former QA analysts to scientists, who each contribute to the overall vision of the company of being "a global leader of world class software solutions that exceed the expectations of computer users around the world".

[photo: team1]

Paretologic invested in deploying HoneyPots to detect new threats:

[photo: jer1honey]

Jerome, checking on some HoneyPots

With our in-house hardware expert, every machine is recycled for good purposes:

[photo: serv]

An old server with an impressive 8 hard drives is being reused as a HoneyPot.

Our scientist spends long hours studying algorithms and applying his science to malware detection:

[photo: new]

He develops and maintains our heuristics scanner, Zheng:

[screenshot: zheng]

With 100+ employees, Paretologic has also shown its commitment to online security with free products such as PGSurfer to keep kids and families safe.

Jerome Segura

Posted in Research

Security Researchers and Porn: the misconceptions

July 14th, 2009

There are a lot of misconceptions when your job involves analyzing sites with adult content.

Here are a few examples:

"Wow! You get to look at porn at work"

"You're surfing porn all day, lucky you!"

I will clarify these misconceptions once and for all:

- We don't look at porn: we look for exploits or other malicious code associated with adult-oriented websites.

- It's not a treat: believe me, some of the stuff we are subjected to is totally disgusting and would make sensitive people vomit.

- We do other things: this is one aspect of our work as security researchers. We are involved in many other projects such as analyzing malcode, sharing samples, writing about malware...

Thankfully for us, our HoneyPots do most of the dirty work. They browse millions of sites every week and find exploits.

Jerome Segura

Posted in Research

YouTube typo delivers IRC Bot

June 24th, 2009

UPDATE:

The file is packed with a commercial protector (Armadillo), making the unpacking process almost impossible.

[screenshot: peid]

Once executed, the file uses some in-memory protection by running these two processes.

[screenshot: process]

--------

Fresh from our HoneyPot, we discovered a malware site using a typo in its domain name.

The site youtorube.com pushes a fake video codec on what appears to be a YouTube page (in Italian).
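Domains like youtorube.com sit one or two typing errors away from the brand they imitate, which makes them easy to flag automatically. Below is an added example, not part of the post, that scores every hostname a HoneyPot hands back against a small brand watchlist using Levenshtein edit distance; the watchlist and all hostnames except youtorube.com are constructed, and the thresholds are assumptions.

```python
def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute (free if equal)
        previous = current
    return previous[-1]


def second_level_label(hostname):
    """'www.youtorube.com' -> 'youtorube' (assumes a two-part public suffix such as .co.uk is not involved)."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


# Constructed watchlist of brands worth protecting.
BRANDS = ["youtube.com", "google.com", "paypal.com"]


def typosquat_candidates(hostnames, brands=BRANDS, max_distance=2, max_ratio=0.34):
    """(hostname, brand, distance) for hosts close to, but not equal to, a watched brand.

    The ratio guard keeps short brand labels from matching almost anything within max_distance.
    """
    hits = []
    for host in hostnames:
        label = second_level_label(host)
        for brand in brands:
            brand_label = second_level_label(brand)
            if label == brand_label:
                continue  # the brand itself, or one of its own subdomains
            d = edit_distance(label, brand_label)
            if d <= max_distance and d / len(brand_label) <= max_ratio:
                hits.append((host, brand, d))
    return hits


# Constructed HoneyPot output; youtorube.com is the domain from the post.
OBSERVED = ["youtorube.com", "www.youtube.com", "example.test", "paypa1.com", "gooogle.com"]


if __name__ == "__main__":
    for host, brand, d in typosquat_candidates(OBSERVED):
        print(f"{host} looks like {brand} (distance {d})")
```

Edit distance catches mistyped brands but not homoglyph domains or keyword stuffing (a "youtube-codec" style name has a large distance and slips through), so a production watchlist pairs it with a substring and confusable-character check.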

[screenshot: youtorube2]

The domain is registered to:

[screenshot: you2]

Pretty soon after running the fake codec, I observed IRC traffic with the same IP address:

[screenshot: youtorube3]

This lets me know that I am part of an IRC channel:

[screenshot: youtorube4]

The IRC server's IP (87.98.184.231) has some interesting connections, including a "p0nwed.de" domain. Hmm... ;-)

[screenshot: youtorube5]

I attempted to connect to that IRC channel manually; however, the channel requires a key... In other words, I am not welcome.

[screenshot: youtorube6]

Further analysis of the malware binary may reveal the channel's key hard-coded in it.

The file itself is detected as:

[screenshot: youtorube7]

Our heuristic engine already detected it as:

[screenshot: zheng]

At that point, however, I had aggregated enough data to determine that this 'codec' actually turns your machine into a bot, which is not a good thing.

Jerome Segura

Malware ID: f028c315649b7319e8ef2cc22dc67690.zip

Posted in Research

Ali Baba and the Forty Thieves

June 19th, 2009

When I was a kid, I used to love the tale of Ali Baba and the Forty Thieves.

They also made a French telefilm with the unforgettable Fernandel.

If you wonder why I am reminiscing about the past, it's because I stumbled upon this:

[screenshot: ali00]

It seemed the site had closed its doors, so I pronounced the magic words "open sesame", and to my surprise golden and shiny malware appeared:

[screenshot: ali01]

There is a bit of everything, kind of like what Ali Baba found:

Nonaco, SillyProxy, Koobface and some new backdoors and trojans.

[screenshots: ali03, ali04, ali05, ali06]

Watch out, the site is still live, magic words or not ;-)

Jerome Segura

Posted in Malware Trends, Research

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.