Archive for the ‘Uncategorized’ Category


Norton Safe Web, NSFW

November 20th, 2009

I quite like the Norton Safe Web service. I find it a lot more in depth than Site Advisor.

For example, it shows you drive-by downloads along with the type of exploit:

[screenshot: driveby]

However, there is something that bothered me: anybody (without age verification) can query their database.

They show a screenshot of the site you’re checking, and, well, sometimes you don’t want to see that stuff:

[screenshot: norton]

I mean, it’s not work safe.

[screenshot: blur]

Is it?

Jerome Segura


XoftSpySE Anti-Spyware 7.0

November 19th, 2009

ParetoLogic released XoftSpySE Anti-Spyware 7.0, its famous anti-spyware product, now compatible with Windows 7.

[image: xoftspyse_box_leftlogo_windows7_compatible]

Continuing on a tradition of small and fast programs, this version is less than 4 MB to download.

I decided to take it for a ‘test drive’. ;-)

I loaded my Windows 7 PC and ran a bunch of malware samples.

Then I put XoftSpySE to the test and it found and removed all sorts of Trojans and Worms within a few minutes.

[screenshot: xoftspy]

If you want to try the product to see if your PC is infected, you can run XoftSpySE for free.

Jerome Segura


A dirty rogue

November 18th, 2009

This rogue anti-spyware (LinkSafeness) is particularly messy.

The scary warning:

[screenshot: dirty2]

Bad English ;-)

[screenshot: grammar]

It creates these garbage files in my System folder:

[screenshot: dirty]

[screenshot: pay]

$49.95 for that?

No thank you.

Jerome Segura


‘Gulf War Vets’ site compromised

November 18th, 2009

The site contains several exploits, in particular:

- Adobe Collab overflow
- Adobe util.printf overflow
- Adobe getIcon

They are located at ul{sanitized}os.com/counter/pdf.php

[screenshot: gulf1]

These days, most compromised sites use Adobe exploits. Make sure your Adobe software is up-to-date to stay safe!

Jerome Segura


The Johns get owned

November 12th, 2009

I’m currently reading “The Johns: Sex for Sale and the Men Who Buy It” by Victor Malarek, after having read “The Natashas: The New Global Sex Trade” by the same author.

The book draws a pretty sad but true picture of modern-day sex slavery. Johns travel to poor countries in search of sex they can’t get at home.

Well, our HoneyPots caught this site promoting ‘Asian escort girls’:

[screenshot: sing1]

Upon browsing the site, a malicious PDF gets pushed onto the user’s PC:

[screenshot: sing2]

Now, how did this happen?

This Wepawet analysis reveals obfuscated code pointing to a malicious site (a typo of the Google Analytics domain):

[screenshot: sing3]

At the time of writing, the PDF is detected only by Kaspersky (VirusTotal analysis).

Looks like the Johns are getting owned this time.

Jerome Segura

Malware ID: example.zip


Crontab way around in Linux

November 6th, 2009

I’m trying to run a script with crontab so that it runs at a certain time. Nothing new here…

However, my script involves PGP, and for some strange reason PGP will not decrypt anything when run from crontab (user-agent blablabla… and other bogus errors). The frustrating thing was that the script runs just fine if I run it manually.

Anyway, since crontab did not want to cooperate ;-), I decided to create my own scheduler. First you need a script that loops indefinitely; then this piece of code will execute myscript.sh at 1 PM every day:

[screenshot: crontab]

You create a variable and assign it the current time. A little sed removes the colon (e.g. 13:00 becomes 1300).

Then, if the variable equals the time you preset manually, it’s a go!
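As an added example (not the script in the post’s screenshot), here is a POSIX shell version of that polling scheduler: the current time is read, the colon stripped with sed, and the job run when it matches the preset time. TARGET_TIME, JOB and myscript.sh are assumed placeholder names, and the once-per-day guard is an addition the post does not mention.

```shell
#!/bin/sh
# Added example of the "loop forever and compare the clock" scheduler the post
# describes; names below are assumptions, not the post's own script.
TARGET_TIME="1300"      # 1 PM, with the colon stripped (13:00 -> 1300)
JOB="./myscript.sh"     # assumed path of the script to run

# Strip the colon from an HH:MM string, as the post does with sed.
strip_colon() {
    printf '%s' "$1" | sed 's/://'
}

# Decide whether the job is due: the clock matches the target and the job has
# not already run today. Without the second test the loop would re-run the job
# on every pass during the target minute.
# $1 = current HHMM, $2 = target HHMM, $3 = date of last run, $4 = today's date
is_due() {
    [ "$1" = "$2" ] && [ "$3" != "$4" ]
}

# The indefinite loop: poll the clock and run the job once when it is due.
run_loop() {
    last_run=""
    while :; do
        now=$(strip_colon "$(date +%H:%M)")
        today=$(date +%Y-%m-%d)
        if is_due "$now" "$TARGET_TIME" "$last_run" "$today"; then
            "$JOB"
            last_run=$today
        fi
        sleep 30        # two polls per minute, so the target minute is never skipped
    done
}

# Start the loop only when asked, so the functions above can be sourced on their own.
if [ "${RUN_SCHEDULER:-0}" = "1" ]; then
    run_loop
fi
```

Run it as `RUN_SCHEDULER=1 ./scheduler.sh &` from the same login shell in which the script works by hand, so the job inherits that environment.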

Hey, it may not be very pretty, but it saved me a lot of time!

It’s funny in our jobs how many times we’re stuck on something that just doesn’t make any sense. I usually try a quick workaround, which saves me hours.

Jerome Segura


Malware in a zip

October 29th, 2009

This one comes as a zip file that extracts to yahoo.html.exe:

0l.zzkk11.com/yahoo.html.zip

It is an OnlineGames Trojan.

Jerome Segura

Malware ID: 133e78f1e76aace342e4d07cea6f80f9.zip


Adobe Ads Manager (oops) Download Manager…

October 28th, 2009

I downloaded an update for Adobe Reader today and was quite unimpressed to watch the Adobe Download Manager show me a bunch of ads. Is this a new form of advertisement?

[screenshot: adobe2]

I also couldn’t help but notice that the traditional Google Toolbar “bundle” had been replaced by a McAfee Security Scan:

[screenshot: adobe]

Mind you, if you do install Adobe Reader, it is a good idea to have another security product running. We see countless PDF exploits on the web these days.

Jerome Segura


Home mortgage site gets owned and pwned

October 20th, 2009

It’s late at the office, but I’m still here finding some bad stuff. The wife is out for dinner with a friend, and I get bored at home.

Anyway, our HoneyPots just picked up this drive-by from homemortgagenetwork.com.

This is what the site looked like before it was owned:

[screenshot: gage1]

This is what it looks like now:

[screenshot: gage2]

Yes, a lot of blank space too!

But the interesting part can be found in its source code:

[screenshot: gage3]

It pushes a PDF exploit and the final download comes from:

mefa.ws/1/cjms1.exe

The file is, shall we say, poorly detected right now:

[screenshot: gage4]

Warning, these links are live and may infect your PC!

Jerome Segura

Malware ID: 048346308777edf94dd4788dac20be54.zip


Mebroot: a pain for automation

October 20th, 2009

I’ve spent most of the day trying to understand Mebroot a little better.

This MBR rootkit is a very sophisticated piece of malware: it uses an old infection method (the master boot record) but with today’s best coding techniques.

Anyway, for us researchers, Mebroot breaks our testing environment on a regular basis and finds ways to be one of the biggest nuisances you could think of.

Several months ago we wrote a set of Linux scripts to restore a clean MBR after each pass of an infected image. It worked well, but not well enough. Some of our HoneyPots need to prevent a Mebroot infection right there and then, and cannot wait for a reboot to restore a clean MBR.

So today I have been deep in batch scripting… I adopted a somewhat “shove down your throat” approach to neutralize Mebroot as it attempts its infection routine.

Can a simple batch script prevent a Mebroot infection? (I use a script and a few other files together.)

Well, I asked myself that very same question. I took my little script, downloaded 10 copies of Mebroot from Offensive Computing and put the script to the test.

First, I ran all the Mebroot samples, rebooted with a Live CD and uploaded my MBR to VirusTotal.

The result is clear: my PC is infected:

[screenshot: mebroot1]

Then I did the same test (on a clean image, of course): I ran my script first and then launched all the Mebroot files.

I rebooted, uploaded the MBR and, to my astonishment, it was clean:

[screenshot: mebroot2]

I should mention, too, that this new MBR has the same MD5 as my original ‘clean’ MBR. Also, to be sure, I repeated both steps twice (with and without the batch script).
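The Linux-side part of that test (dump the first sector, hash it, compare it with the known-clean copy, and restore the clean copy after an infected pass) can be scripted in a few shell functions. The block below is an added example, not the post’s undisclosed batch script and not ParetoLogic code; the file names and the /dev/sda device path in the comments are assumptions.

```shell
#!/bin/sh
# Added example: baseline-and-compare check of a master boot record (first 512
# bytes of a disk image or block device, e.g. /dev/sda). Not the post's script.

# Save the MBR of $1 to $2 as the clean baseline (run this on a known-clean image).
mbr_backup() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Print the MD5 of the MBR of $1 (what the post compared after each pass).
mbr_md5() {
    dd if="$1" bs=512 count=1 2>/dev/null | md5sum | cut -d' ' -f1
}

# Return 0 if the MBR of $1 ends with the 0x55AA boot signature, 1 otherwise.
mbr_has_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Return 0 if the MBR of $1 is byte-identical to the baseline file $2.
mbr_is_clean() {
    [ "$(mbr_md5 "$1")" = "$(mbr_md5 "$2")" ]
}

# Write the baseline $2 back over the MBR of $1; only the 512-byte sector is touched.
mbr_restore() {
    dd if="$2" of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Report on $1 against baseline $2: exit 0 when clean and signed, 1 otherwise.
mbr_check() {
    if ! mbr_has_signature "$1"; then
        echo "MBR of $1: missing 0x55AA boot signature"; return 1
    fi
    if mbr_is_clean "$1" "$2"; then
        echo "MBR of $1: clean (MD5 $(mbr_md5 "$1"))"; return 0
    fi
    echo "MBR of $1: MODIFIED (MD5 $(mbr_md5 "$1"), expected $(mbr_md5 "$2"))"
    return 1
}
```

Take the baseline once with mbr_backup on the clean image, then run mbr_check after each pass and mbr_restore when it reports a modified sector.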

While I can’t disclose the script I am using (the bad guys read security blogs too), I can say that I use publicly available tools and simple Windows Batch scripting.

This solution may not be viable in the real world, but for our testing purposes, it works great.

Jerome Segura


Jerome Segura is a Security Analyst working at ParetoLogic.

© 2009 ParetoLogic Inc.