Archive for the ‘Uncategorized’ Category


Crontab way around in Linux

November 6th, 2009

I’m trying to run a script with crontab so that it runs at a certain time. Nothing new here…

However, my script involves PGP and for some strange reason, PGP will not decrypt anything while in crontab (user-agent blablabla… and other bogus errors). The frustrating thing was that the script runs just fine if I manually run it.

Anyway, since crontab did not want to cooperate ;-) I decided to create my own scheduler. First you need a script that loops indefinitely, and then this piece of code will execute myscript.sh at 1 PM every day.

[screenshot: the loop script]

You create a variable and assign it the current time. A little sed removes the colon (so 13:00 becomes 1300).

Then if the variable equals the time you manually preset, it’s a Go!

Hey, it may not be very pretty, but it saved me a lot of time!
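As an added example (not the script from the post's screenshot), here is the loop the post describes, written as a POSIX shell script: the path ./myscript.sh, the 30-second poll interval and the scheduler.log file are my assumptions. It goes one step beyond the post with a once-per-day guard, so that polling more often than once a minute does not launch the job several times during 13:00.

```shell
#!/bin/sh
# Added example of a poll-loop "scheduler" in the spirit of the post.
TARGET="13:00"        # wall-clock time to fire (1 PM, as in the post)
JOB="./myscript.sh"   # script to run; assumed path
POLL=30               # seconds between checks; under 60 so no minute is skipped

# The sed step from the post: drop the colon from HH:MM, e.g. 13:00 -> 1300
strip_colon() {
    printf '%s\n' "$1" | sed 's/://'
}

# Arguments: now(HHMM) target(HHMM) today last_run_day.
# True (exit 0) only when the clock matches AND the job has not run today,
# which keeps a sub-minute poll from launching it more than once.
should_run() {
    [ "$1" = "$2" ] && [ "$3" != "$4" ]
}

run_scheduler() {
    target=$(strip_colon "$TARGET")
    last_run_day=""
    while true; do
        now=$(strip_colon "$(date +%H:%M)")
        today=$(date +%Y-%m-%d)
        if should_run "$now" "$target" "$today" "$last_run_day"; then
            # The job inherits this login shell's environment (HOME, PATH,
            # keyring locations), which a cron job does not get; log output
            # so a failure is visible instead of silent.
            "$JOB" >> scheduler.log 2>&1
            last_run_day=$today
        fi
        sleep "$POLL"
    done
}

# Only enter the endless loop when started explicitly ("./sched.sh start"),
# so the functions above can be sourced and checked on their own.
if [ "${1:-}" = "start" ]; then
    run_scheduler
fi
```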

It’s funny in our jobs how many times we’re stuck on something that just doesn’t make any sense. I usually try a quick way around which saves me hours.

Jerome Segura

  • Posted in Uncategorized
  • |
  • (0) comments
  • |
  • Add your comments

Malware in a zip

October 29th, 2009

This one comes as a zip file and extracts to yahoo.html.exe:

0l.zzkk11.com/yahoo.html.zip

and it is an OnlineGames Trojan.

Jerome Segura

Malware ID: 133e78f1e76aace342e4d07cea6f80f9.zip


Adobe Ads Manager (oops) Download Manager…

October 28th, 2009

I downloaded an update for Adobe Reader today and I was quite unimpressed to watch the Adobe Download Manager show me a bunch of Ads. Is this a new form of advertisement?

[screenshot: Adobe Download Manager showing ads]

I also couldn’t help but notice that the traditional Google Toolbar “bundle” had been replaced by a McAfee Security Scan:

[screenshot: McAfee Security Scan bundled with the Adobe Reader download]

Mind you, if you do install Adobe Reader, it is a good idea to have another security product running. We see countless numbers of PDF exploits on the web these days.

Jerome Segura


Home mortgage site gets owned and pwned

October 20th, 2009

It’s late at the office, but I’m still here finding some bad stuff. The wife is out for dinner with a friend, and I get bored at home.

Anyway, our HoneyPots just picked up this drive-by from homemortgagenetwork.com

This is what the site looked like before it was owned:

[screenshot: homemortgagenetwork.com before the compromise]

This is what it looks like now:

[screenshot: homemortgagenetwork.com after the compromise]

Yes, a lot of blank space too!

But the interesting part can be found in its source code:

[screenshot: injected code in the page source]

It pushes a PDF exploit and the final download comes from:

mefa.ws/1/cjms1.exe

The file is, shall we say, poorly detected right now:

[screenshot: VirusTotal results for cjms1.exe]

Warning, these links are live and may infect your PC!

Jerome Segura

Malware ID: 048346308777edf94dd4788dac20be54.zip


Mebroot: a pain for automation

October 20th, 2009

I’ve spent most of the day trying to understand Mebroot a little better.

This MBR rootkit is a very sophisticated piece of malware using an old infection method (the master boot record) but with today’s best coding techniques.

Anyway, for us researchers, Mebroot breaks our testing environment on a regular basis and finds ways to be one of the biggest nuisances you could think of.

Several months ago we wrote a set of scripts in Linux to restore a clean MBR after each pass of an infected image. It worked well, but not well enough. Some of our HoneyPots need to prevent a Mebroot infection right there and then, and cannot wait for a reboot to restore a clean MBR.

So today I have been deep in batch scripting… I adopted a somewhat “shove down your throat” approach to neutralize Mebroot as it is trying its infection routine.

Can a simple batch script prevent a Mebroot infection? (I use a script and a few other files together.)

Well, I asked myself that very same question. I took my little script, downloaded 10 copies of Mebroot from Offensive Computing and put the script to the test.

First, I ran all the Mebroot samples, rebooted with a Live CD and uploaded my MBR to VirusTotal.

The result is clear, my PC is infected:

[screenshot: VirusTotal result for the infected MBR]

Then, I did the same test (on a clean image of course), ran my script first, and then launched all the Mebroot files.

Rebooted, uploaded the MBR and to my astonishment, it was clean:

[screenshot: VirusTotal result for the clean MBR]

I should also mention that this new MBR has the same MD5 as my original ‘clean’ MBR. Also, to be sure, I repeated both steps twice (with and without the batch script).

While I can’t disclose the script I am using (the bad guys read security blogs too), I can say that I use publicly available tools and simple Windows Batch scripting.

This solution may not be viable in the real world, but for our testing purposes, it works great.

Jerome Segura


Adult Site with wp gets hacked

October 19th, 2009

Our HoneyPots caught the following URL:

free-adult-sites.net/wp-admin/gateway/k.exe

[screenshot: k.exe]

Which is a Trojan Zbot according to a VirusTotal scan:

https://www.virustotal.com/fr/analisis/091d3fd41283faf79ca422a1ac9dfe6e151e215e6b014e5cfd616e8bdd75e031-1255996772

Now the site in question seems to have some problems with its WordPress configuration:

[screenshot: WordPress configuration error]

Older versions of WP are extremely vulnerable to being hacked. It is possible that this one got compromised, which allowed the hacker to host their malware file there.

It’s a good segue to remind everyone to ensure their blog/site is running the latest version of WP.

Jerome Segura

Malware ID: d649e59fa752ebce2fb8110e4749039c.zip


How good is MSE?

October 19th, 2009

There has been a lot of talk about Microsoft Security Essentials. A lot of criticism too.

Well, as far as I’m concerned, I find that it beats a lot of the paid AV products.

Take this pretty common Trojan from fastdor.ru/video/preview_tube.mpeg.exe

[screenshot: VirusTotal results for preview_tube.mpeg.exe]

Well, only a handful of AV vendors are detecting it. A lot of the big guys don’t detect anything at all!

Microsoft picks it up without a problem:

[screenshot: MSE detection]

Note that I downloaded this file several times from that site, and the binary constantly changed its MD5. Despite that, MSE continued to detect the file.

MSE’s main install only takes 11 MB of your hard drive:

[screenshot: MSE install size]

while its DB remains small as well:

[screenshot: MSE definition database size]

There are two main files for the full DB, mpasbase.vdm (anti-spyware) and mpavbase.vdm (anti-virus), which are 9 and 29 MB respectively.

What is Microsoft’s secret recipe for being so good? What kind of detection are they using that they can maintain such small Databases? I wanna know ;-)

Jerome Segura

Malware ID: 81d216b763f6de31fd7fa1508c50c03c.zip


What’s new?

October 14th, 2009

It has been a busy couple of weeks, with very few blog posts in between.

I spent a lot of time working on fixing stuff; did about 200 installs of Linux and Windows OS combined and it got to me.

I got to work on the ‘MalwareDiariesList’ which I now call ‘clearing house’. It is almost done, well that is the front end… the back end is a continuous piece of work ;-)

[screenshot: the clearing house front end]

For the back end, I am writing scripts at the moment, to automate much of the work. So far, we add stuff manually, but I plan on having this thing run by itself 24/7.

In my spare time I checked the other guys’ blogs… Hey, I heard about Mikko Hypponen being kicked out of Twitter for a while. This is silly, does not everybody out there know about Mikko? lol
One thing that made me shake my head was the message he got back from Twitter after the incident:

[screenshot: Twitter’s message to Mikko Hypponen]

Is this from a teenager with a lot of acne on his face? Yo man! Clearly, a lack of professionalism.

All in all, things are not that bad for Mikko though. Before the incident: 3,200 followers

[screenshot: follower count before the incident]

After: 4,354 followers

[screenshot: follower count after the incident]

Mikko Hypponen is one of the veterans in the security industry, very well respected and appreciated. I met him twice (VB 2008, VB 2009); he is a nice guy.

Also heard from our friend Paperghost who set foot in Canada for the first time. Paperghost was presenting at SecTor about video game console security. The poor guy got attacked badly by forum trolls and what not. There are always people whining out there… sometimes you can ignore them, sometimes you’ve got to use humor. Keep it up Paperghost, I like your work and your unique style. Still hope to meet with you someday… Toronto was close, but not close enough from the West coast!

Jerome Segura


MalwareDiariesList Prototype

October 5th, 2009

In the midst of network problems here at work, we are still making progress on the MalwareDiariesList.

We connected to the DB with a PHP page that pulls the URL information generated by our HoneyPots.

Here is a little sneak peek:

[screenshot: MalwareDiariesList prototype]

Jerome Segura


MalwareDiariesList: the comments

September 29th, 2009

I’ve had a lot of feedback from my previous post about the MalwareDiariesList project.

Well, I’m glad so many people are passionate about it but some comments kind of got me going a little ;-)

Such as this one:

Bullsh**... Why? Simply, any collected URL is in my opinion public domain.

We @ netpilot dedicate bandwidth, storage and manpower to consolidate these data, so we expect your company to assist us by feeding your URLs to our database.

gerhard

Oh boy! You know gerhard, if you had asked nicely, I would probably have given you access. But now, don’t you expect anything.

My plan is to give access to all reputable people who are in the security field. The reason I do not want it public is the same as using password protection when exchanging malware. A lot of people don’t know what they’re doing and would just infect themselves. Other people would leverage that information to infect others (I don’t want it to fall into the wrong hands).

Collecting this data is work and in some ways our competitive advantage over other companies (we are not a charitable organisation). I thought sharing it for free was already good enough, but no, some folks are not happy.

I like nice people. I don’t like people who swear. I don’t have time for haters.

Have a nice day :-)

Jerome Segura


Jerome Segura is a Security Analyst working at ParetoLogic.
© 2009 ParetoLogic Inc.