Sandbox Awareness

Hi there,

In the last period, malware evolved to new Detection Ways, like Sandbox Awareness, if a malware is executed into one of the most famous Sandboxes it block execution.

Here a little piece of code taken fro a malware and readapted:

Public Function IsInSandbox() As Boolean
Dim hKey As Long, hOpen As Long, hQuery As Long, hSnapShot As Long
Dim me32 As MODULEENTRY32
Dim szBuffer As String * 128

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)

me32.dwSize = Len(me32)
Module32First hSnapShot, me32

Do While Module32Next(hSnapShot, me32) <> 0
    If InStr(1, LCase(me32.szModule), “sbiedll.dll”) > 0 Then ‘Sandboxie
       IsInSandbox = True
   ElseIf InStr(1, LCase(me32.szModule), “dbghelp.dll”) > 0 Then ‘ThreatExpert
        IsInSandbox = True
    End If
Loop

CloseHandle (hSnapShot)

If IsInSandbox = False Then
    hOpen = RegOpenKeyEx(HKEY_LOCAL_MACHINE, “Software\Microsoft\Windows\CurrentVersion”, 0, KEY_ALL_ACCESS, hKey)
    If hOpen = 0 Then
        hQuery = RegQueryValueEx(hKey, “ProductId”, 0, REG_SZ, szBuffer, 128)
        If hQuery = 0 Then
            If InStr(1, szBuffer, “76487-337-8429955-22614”) > 0 Then ‘Anubis
               IsInSandbox = True
           ElseIf InStr(1, szBuffer, “76487-644-3177037-23510”) > 0 Then ‘CWSandbox
                IsInSandbox = True
            ElseIf InStr(1, szBuffer, “55274-640-2673064-23950”) > 0 Then ‘JoeBox
               IsInSandbox = True
           End If
       End If
   End If
   RegCloseKey (hKey)
End If
End Function

It detects Sandboxie, ThreatExpert, JoeBox, CWSandBox and Anubis, by checking the Product Id or the presence of usual dll like sbiedll.dll and sbiedll.dll

Fraud/Scam – Fake JOB Proposal

Hi,

Some time ago a my contact adviced me about another kind of Scam/Fraud based on a Fake Job Proposal, contact receives an e-mail in which is said that they have seen CV and you’re good for a position as Financial Agent.

Here the First E-mail:

+—————————————————+

— Sun 14/12/08, Jolene PERRY <turnerbl@europe.com> ha scritto:

> Da: Jolene PERRY <turnerbl@europe.com>
> Oggetto: Ciao _NAME_
> Data: Sunday 14 dicembre 2008, 19:37
> Hello !
>
> We are looking for entry level specialists of various
> profiles. You must have adult age. Your previous operational
> experience is not important. The minimum education level
> necessary – High School.
>
> Location: Italy
>
>
> We have a lot of available vacancies.
>
> From you: some hours per week of a free time, the
> experience of PC and the
> Internet on a simple level.
>
> We will offer to you: the decent salary with system of
> bonuses and
> the complete legality & security.
>
>
> If you are interested in our offer – we are waiting for
> your reply.
> E-mail address only: hr.position4@googlemail.com

+—————————————————+

First of all as you can see, mail addresses are all from @europe and @googlemail it’s strange that a recruiting  company does not have a custom mail box..

About the position, it’s easy to understant that is only  a dream, a some hours per week of a free time work with entire assurance system is not suistenable by a Company.

After a reply that you’re intersted, here the second email:

+—————————————————+

> Dear Name and Surname,
>
>
> We are happy to inform you are acceptable for a Financial
> Representative job. You can find additional information
> about your salary, work schedule and duties in the attached
> file.
>
>
> To register:
>
>
>    1. Read the job specifications and descriptions. If you
> have any questions – ask me or   write a reply with your
> confirmation.
>    2. I will send you the employee’s Registration form
> and Labor Agreement. You should fill it in correctly, sign
> it and send it back.
>    3. Send a scanned image of your Driver’s License or
> your Passport for your identification.
>
>
> The procedure is simple and will not take more than 2 days.
>
>
> Note:
> You can easily find additional information on our website
> or feel free to ask any questions about your duties and
> salary.
>
>
> Right now we are at the very start of the process.
> Read the job specifications and descriptions. If you have
> any questions – ask me or write a reply with your
> confirmation
>
>
> I am here to help you and I will do my best to help you get
> along with this.
>
>
> Best regards,
> Xxxxxxxxxxxxxx
> Xxxxxxxxxxxxxxxx
> Web: xxxxxxxxxxxx
> Tel:  Xxxxxxxx
> Fax:  Xxxxxxxx

+—————————————————+

Uh really strange..

additional information about your salary, work schedule and duties in the attached  file.

In the attached doc the work schedule does not appears, and in not specificated how “work schedule” for a free time job is organized.

Here the really poor Job Description

+—————————————————+

<!– @page { margin: 2cm } P { margin-bottom: 0.21cm } –>

JOB DESCRIPTION

Position: Financial representative

Department: Cost accounting department

Salary: 2,000 USD a month + 5% from transaction

GENERAL

Receive payments from clients in your region; assist in company’s financial business.

PRINCIPAL DUTY

1. Receive payments from company’s clients in your region on your bank account.

2. Prepare reports for every and each transaction

3. Work with (Western Union/Money Gram) money transfer systems

ADDITIONAL DUTIES

1. Assistance in company’s financial business

REQUIRED SKILLS

1. Team work

2. Basic knowledge of MS Office.

3. Accuracy

4. More than 2 years experience in management

Working conditions

Work at your internet-office with banks and money transfer systems.

WORK PLAN

1. Our clients from your region make a payment on your account

2. Draw money out and send them to our office (company covers all taxes and expenses)

3. Make a financial statement on payment.

4. Receive 5% for every transaction immediately + 2,000 USD every month.

+—————————————————+

It’s really strange, a Free-Time work that requires a continuous presence to delivery payments, that has a per month salary plus 5% of transactions..

In the second part we will investigate more on the website and compare this proposal with another one (Differential Approach)

MSN Credential Theft – http://zopblob.com/

Hi there,

In these days is running another malicious domain specifically developed to Steal MSN Credentials, the propagation system is always the same, you receive an offline message by an already infected user of your msn list.

http://{ACCOUNT_NAME}zopblob.com/

The Server used is as usual lighttpd

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Sun, 25 Jan 2009 01:01:51 GMT
Server: lighttpd/1.4.19

and the link dissected appears as:

<html>
<head>
<title></title>
</head>
<frameset cols="0,*" frameborder=0>

<frame src=”pop.php” name=””> <frame src=”indexx.php” name=”mainwindow”>var sc_project=4080201;

</frameset>

This time we have also a little difference, this time malicious domain presents a tracking
functionality

<script type="text/javascript">

var sc_invisible=1;
var sc_partition=49;
var sc_click_stat=1;
var sc_security="0c7fe093"; 
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' 
type='text/javascript'%3E%3C/script%3E"));
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-1033286-4");

pageTracker._trackPageview();http://www.networksolutions.com/whois-search/zopblob.com

</script>
</script>

A Domain Whois reveals that the Source of this Malicious Domain is always the same..from Panama:

See you to the next post.. :)

NtSetDebugFilterState as Anti-Dbg Trick Reverse Engineering

Hi,

Here you can download my last paper related to NtSetDebugFilterState UndocumentAPI that can be used as 
Anti Debugging Trick.

http://evilcry.netsons.org/tuts/NtSetDebugFilterState.pdf

Have a Nice Read 🙂
Giuseppe 'Evilcry' Bonfa'

http://crazy-new-year-party-pics.com – MSN Credential Theft

Hi,

New Year old Credential Theft Way 🙂

This morning my MSN-HoneyPot catched the following URL spreaded as oggline message:

http://_MSN_USER_NAME.crazy-new-year-party-pics.com/

Victim is driven to insert  [MSN-E-Mail] and [MSN-Password] to view the fake proclaimed New Year Pics, that does not exists.

I’ve already analysed this system in my other previous posts, there is a fake “Term UserConditions” that victim implicitly accepts and allows Spammers to user his account to promote to other contacts their Market Proposal.

As usual service is placed in Republic of Panama 😉

<title></title>
</head>
<frameset cols=”0,*” frameborder=0>
<frame src=”pop.php” name=””>
<frame src=”indexx.php” name=”mainwindow”>
</frameset>

Let’s analyse these links:

–>pop.php

function popup()
{
if(!UserClicked)
{
var win=window.open(“http://specialofferforu.info“,””,”width=1024,height=768″)
}
}

A simple Popup that opens speciallofferforu.info

->indexx.php

Is the page that you see when click on msn link.

These are the informations on the WebServer:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 791
Date: Thu, 01 Jan 2009 17:15:18 GMT
Server: lighttpd/1.4.19

The Server as usual runs PHP/4.4.8 and lighttpd/1.4.19 as the previously seen Credentials Catchers, indeed if we investigate on Domains provenience we discover that all these services comes from HongKong.

IP Address:	202.64.61.208 Whois | Reverse-IP | Ping | DNS Lookup | Traceroute
IP Location	– Hong Kong – Ta_kung_pao
Response Code:	200
Domain Status:	Registered And Active Website

Finally after all these recurrences, we can Say that MSN Spam works in two Steps, there is a period that could be defined as

1) Data Mining Period, when HongKong cellar try to catch more User Credentials possible.

2)Spread Spam Period, when Collected Credentials are used to spread their Market Proposals.

Have a nice and Happy New Year! 🙂

Evilcry

A[ MaSN E-Mail ]

A