NoBirusThanks Blog

Rogue security software XP Total Security spreads by email

admin — Fri, 21 Dec 2012 15:12:22 +0000

We have received an email that states we have an unread message and someone has sent us a private message. But it does not state if the unread message is from a social network, it only says it comes from SecureMessage.System, as you can see from this image:

The body of the email is this:

Inside the body of the email there are 4 links in total that are clickable and we have extracted 3 different malicious and very dangerous URLs that are all active, as of the time of writing this message, and all of them point to a remote file named link.php:

hxxp:// datingcool2012 . asia/ link.php
hxxp:// site-dating2010 . info/ link.php
hxxp:// datingbest2011 . asia/ link.php

We have analyzed the activity of one URL and we can clearly see that the malicious URL leads to a web page that tries to scare the user by displaying an alert window stating the PC is infected by trojans and spyware, a well known method used to spread rogue security software:

When the button “Clean computer” is clicked, we are prompted to download a file:

File: freescan_seven_2013_exe
Size: 274624 bytes
MD5 Hash: 42DD7BD51C37B15965E67357517BFCBF
SHA1 Hash: 8D2D541CD4E3C7D0E9246940AA21DF84DAC06C49
SHA256 Hash: 7D6918FAA12EA588D6F7838267C60C6F8A3F51D5AC27A894D472F74E8B037CFB
SHA384 Hash: B7EEDBEF30B55276EAB875CABE5BFE33AD7A3B3DE1D772EF78B06651FA906362EACD6845DD2BAC3C5C7C2BD8E541C1EA
SHA512 Hash: EAEA7C1623F27BA75D11A6A2F1174DCF10B89461A5185C95E5E66FBD9A6400218247E8262DC6F3D96D88ED46A1877A657AB84444EEFA3B5608B9BE9E08569366

When the file is executed, it installs the rogue security software XP Total Security:

This is the network traffic generated by the malicious web page:

GET /link.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
 
GET /?affid=00110&promo_type=5&promo_opt=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
 
GET /images/alert.png HTTP/1.1
Referer: hxxp:// datingcool2012 . asia/?affid=00110&promo_type=5&promo_opt=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07
 
GET /index/two/ HTTP/1.1
Referer: hxxp:// datingcool2012 . asia /?affid=00110&promo_type=5&promo_opt=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07

This is the data logged by the sandbox after the malicious file has been executed:

Process Created - C:\WINDOWS\explorer.exe - %Desktop%\freescan_2013.exe - Unknown Publisher - A413A21AF671DD1DA45E3CFA81515D11 - 274624 bytes
File Modified - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe
Process Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - Unknown Publisher - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes
File Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes - attr: [-hidden] - PE
File Deleted - %LocalAppData%\epi.exe - %Desktop%\freescan_2013.exe - 274624 bytes
Write Registry - %LocalAppData%\epi.exe - \REGISTRY\USER\S-1-5-21-1177236615-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
Connection Established - %LocalAppData%\epi.exe - TCP - 212.48.8.140 - 80
Connection Established - %LocalAppData%\epi.exe - UDP - 192.168.119.2 - 53
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44623
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462a
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 1116
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462f
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 80
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44635

New malicious URL logged:

hxxp:// statav2013 . com / a6a7ccfae1135dbe00110050d44635

This is the malicious executable file installed by the rogue software:

Links to the scan reports generated by URLVoid:

http://www.urlvoid.com/scan/datingcool2012.asia/
http://www.urlvoid.com/scan/site-dating2010.info/
http://www.urlvoid.com/scan/datingbest2011.asia/
http://www.urlvoid.com/scan/mailstorybig.info/
http://www.urlvoid.com/scan/statav2013.com/

Other scan reports related malicious URLs of XP Total Security:

http://www.urlvoid.com/scan/pyxes.asia/
http://www.urlvoid.com/scan/terlies.asia/
http://www.urlvoid.com/scan/purveying.asia/

The post Rogue security software XP Total Security spreads by email appeared first on NoBirusThanks Blog.

Scam: Account suspicious activity – Facebook.Team

admin — Thu, 20 Dec 2012 11:50:34 +0000

We started to receive emails that state our Facebook account has been blocked due to suspicious activity and to activate it we should click on a URL. Clearly this is a scam, the email seems to be sent by an email account from China, see the image below:

This is an image of the body message:

A quick note is that there is no Facebook logo, the email has been sent to an email address that was found in the WHOIS data of a domain name that has not yet a website, it is supposed to not have a Facebook account yet.

The URL redirects to an external malicious URL that is clearly not facebook.com:

hxxp:// cooldating2013 .info/link.php

View the scan report from URLVoid.

The post Scam: Account suspicious activity – Facebook.Team appeared first on NoBirusThanks Blog.

KBOT C&C Malware

admin — Tue, 27 Nov 2012 02:10:59 +0000

We just logged a new C&C bot named KBOT:

Content of the /js/ folder:

Content of the /images/ folder:

Content of the /css/ folder:

Malware activity (cb119a6b42da7bba1b6151f2e0bd6f1e):

File Created - %SAMPLE% - %Temp%\epbUex.UxO - A7A21220689BD796F6B74E5D983D810E - 2560 bytes - attr: [] - PE
Connection Established - C:\WINDOWS\system32\svchost.exe - UDP - 65.55.21.21 - 123
Process Created - %SAMPLE% - %SAMPLE% - malboxsofts - CB119A6B42DA7BBA1B6151F2E0BD6F1E - 536064 bytes
File Created - %SAMPLE% - %Temp%\EYEbMADiaiRT - NOTHING TO HASH - 0 bytes - attr: [-hidden] - -
File Created - %SAMPLE% - %Temp%\data1.dmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %SAMPLE% - %Temp%\data2.dmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %SAMPLE% - %Temp%\data.dmp - C10DBECA73F8835240E08E4511284B83 - 54 bytes - attr: [] - -
Connection Established - %SAMPLE% - TCP - 91.234.106.251 - 80
Web Request - %SAMPLE% - GET - wedontforget. ogspy. net - /poo/index.php?action=add&username=admin&password=0p0p0-0p0p0-0p0p0-0p0p0-0p0p0&app=Windows%20XP%20x86&pcname=%PCNAME%&sitename=Microsoft

Dangerous URLs:

hxxp://wedontforget.ogspy. net

Malware activity (91b13d987937c800f33458f17f320651):

Process Created - %SAMPLE% - %SAMPLE% - FileZilla Project - 91B13D987937C800F33458F17F320651 - 387584 bytes
File Modified - %SAMPLE% - %UserProfile%\crss.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager2 - %UserProfile%\crss.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer2 - %UserProfile%\Documents\crss.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager2 - %UserProfile%\Downloads\crss.exe
Process Created - %SAMPLE% - %UserProfile%\crss.exe - FileZilla Project - 91B13D987937C800F33458F17F320651 - 387584 bytes
Process Created - %UserProfile%\crss.exe - %UserProfile%\crss.exe - FileZilla Project - 91B13D987937C800F33458F17F320651 - 387584 bytes
Write Registry - %UserProfile%\crss.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager2 - %UserProfile%\crss.exe
Write Registry - %UserProfile%\crss.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer2 - %UserProfile%\Documents\crss.exe
Write Registry - %UserProfile%\crss.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager2 - %UserProfile%\Downloads\crss.exe
Connection Established - %UserProfile%\crss.exe - TCP - 8.23.224.90 - 80
Web Request - %UserProfile%\crss.exe - GET - purebot2. sytes.net - /
Connection Established - %UserProfile%\crss.exe - TCP - 46.105.116.182 - 80
Web Request - %UserProfile%\crss.exe - GET - ns224291. ovh.net - /pt/gate.php
Connection Established - %UserProfile%\crss.exe - TCP - 127.0.0.1 - 1044
Connection Established - %UserProfile%\crss.exe - TCP - 68.168.119.237 - 80
Web Request - %UserProfile%\crss.exe - GET - aqwadorient .com - /xs/minchrxxx.exe

Dangerous URLs:

hxxp://purebot2. sytes.net
hxxp://aqwadorient. com/xs/minchrxxx.exe
hxxp://68.168.119.237:80
hxxp://ns224291.ovh. net/pt/gate.php

Malware activity (3c08ae8e84c87b4f5f916d3ac9f6fa07):

File Modified - %SAMPLE% - %AppData%\LOCALS~1\Temp\aut2.tmp
File Deleted - %SAMPLE% - %Temp%\aut2.tmp - 3206 bytes
Process Created - %SAMPLE% - %SAMPLE% - Unknown Publisher - 3C08AE8E84C87B4F5F916D3AC9F6FA07 - 375599 bytes
File Modified - %SAMPLE% - %UserProfile%\explorer.exe
File Created - %SAMPLE% - %AppData%\LOCALS~1\Temp\aut2.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %SAMPLE% - %AppData%\LOCALS~1\Temp\hiuhtra - NOTHING TO HASH - 0 bytes - attr: [] - -
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager - %UserProfile%\explorer.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer - %UserProfile%\Documents\explorer.exe
Write Registry - %SAMPLE% - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager - %UserProfile%\Downloads\explorer.exe
Process Created - %SAMPLE% - %UserProfile%\explorer.exe - Unknown Publisher - 3C08AE8E84C87B4F5F916D3AC9F6FA07 - 375599 bytes
File Modified - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\aut3.tmp
File Deleted - %UserProfile%\explorer.exe - %Temp%\aut3.tmp - 3206 bytes
Process Created - %UserProfile%\explorer.exe - %UserProfile%\explorer.exe - Unknown Publisher - 3C08AE8E84C87B4F5F916D3AC9F6FA07 - 375599 bytes
Write Registry - %UserProfile%\explorer.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Profile Manager - %UserProfile%\explorer.exe
Write Registry - %UserProfile%\explorer.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Document Explorer - %UserProfile%\Documents\explorer.exe
Write Registry - %UserProfile%\explorer.exe - \REGISTRY\USER\S-1-5-21-1177238915-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - Download Manager - %UserProfile%\Downloads\explorer.exe
File Created - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\aut3.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\qlmdfvx - NOTHING TO HASH - 0 bytes - attr: [] - -
Connection Established - %UserProfile%\explorer.exe - TCP - 8.23.224.90 - 80
Web Request - %UserProfile%\explorer.exe - GET - h4r3.hopto.org - /
Connection Established - %UserProfile%\explorer.exe - TCP - 46.105.116.182 - 80
Web Request - %UserProfile%\explorer.exe - GET - ns224291.ovh.net - /pt/gate.php
Connection Established - %UserProfile%\explorer.exe - TCP - 127.0.0.1 - 1054
Connection Established - %UserProfile%\explorer.exe - TCP - 213.186.33.87 - 80
Web Request - %UserProfile%\explorer.exe - GET - ovatec.fr - /xs/spyxxxxx.exe
File Modified - %UserProfile%\explorer.exe - %InternetCache%\Content.IE5\8YPELNXD\spyxxxxx[1].exe
File Created - %UserProfile%\explorer.exe - %UserProfile%\Cookies\%UserName%\@ovatec[1].txt - 576B13CB892DA082AEB395D43E910654 - 76 bytes - attr: [] - -
File Created - %UserProfile%\explorer.exe - %InternetCache%\Content.IE5\8YPELNXD\spyxxxxx[1].exe - E6854368B0BE650F336147351EB23C1E - 81920 bytes - attr: [] - -
File Modified - %UserProfile%\explorer.exe - %AppData%\LOCALS~1\Temp\88518.exe

Dangerous URLs:

hxxp://h4r3.hopto. org
hxxp://ns224291.ovh. net/pt/gate.php
hxxp://ovatec. fr/xs/spyxxxxx.exe

Other malware URLs (PE):

hxxp://ovatec. fr/xs/11.exe
hxxp://ovatec. fr/xs/an26.exe
hxxp://ovatec. fr/xs/lock26.exe
hxxp://ovatec. fr/xs/min26.exe
hxxp://ovatec. fr/xs/ppi.exe
hxxp://ovatec. fr/xs/spy.exe

File 11.exe:

Size: 86016 bytes
MD5: 753E06472FF07E7620498F828E726A54
SHA1: 6EF12A9AC49ACA2BF8814CE5385FA4215395F59E
SHA256: E596583DBC0D0190DABE5965AB8C234C274089F620BA027829E6B556C2372E81
SHA384: 53B4BD628C874B7FF183A5785B45F52E246A66D91B5F2A5BB77A1D459710F9CE94E80D7EEF13C3CDFFC8209FFC619485
SHA512: 6C8EE2663D5D555B33FF34FF925AB1891C8A5C210879CDF49606117374B4A18D33D317B86C69E30C8E9B877F2DA5A1296EAB20D4B11A7596D6CFA45014DB8789

File an26.exe:

Size: 52224 bytes
MD5: D21E13CCA5BDCBB506B19118B95BFF44
SHA1: 5C8B462A7FCF4E89DAF59231F8300F13E59EE623
SHA256: BBBA88E36D374C1F431C346F006A637FAC18B491E6F12ABB609F20C2F6BCF47B
SHA384: 88058E8D833D106730D67ED3ADBC85B557216C697AB576C791C0B5BF150BB83943743BB036439702F605B5111AE78D98
SHA512: F1B95657201FE15573A6D015018E4C76F76C61F4DF780073BBF1D3BBBDE4DE596093EDFFB89A6E4942E8ABF8B399EA74BEFB936D6F4AF5E29535F5083E420B78

File lock26.exe:

Size: 77824 bytes
MD5: BE33C2C5856136E496DC1F3155533DC7
SHA1: A6CF2F278BA2F09C8BDCD6527B362267D580940C
SHA256: A488C36048A6C0F3DC0EAB6069C3C73632438BFFF902AE2722B74984ABBB7B62
SHA384: 2ECEF8AB69E06F7759A8176F68E0BE970F84D632858A6D725319A9D18448436B06C62F8178A7AF70595F87B4419C8F43
SHA512: 18CA870E0D84327916956CAC2F8B4E6763B16AC618D9C5C807075C309033DD06A52A42FF81F7AFB08DB8D6865C618331CB7013EDFE0DC0E738688D98E81775A2

File min26.exe:

Size: 81920 bytes
MD5: 145D31147D440DC42380E90C9A3375DA
SHA1: B3B30BEC507ED43F39B8A62A238CEE792BE8EEA2
SHA256: 2CA6DF7E6796D99353E8407AB5DB936250E9C446B9EB55FFE246C76C93ABFED9
SHA384: 6D9D33F6B02F500CF5B08A1DDEDE7FAF38695B4B981EE3AB89E6BDB1A8ED04297BAF05A55221945BA10808FEA573789C
SHA512: D6A3751AF18E6F85B7BED47AD2389225CD4123C1C7F99A5BF5D754E5ADC82CCA40586943DC926E6219789FFB55AF888ACA88C43E583938C545842351C67314E0

File ppi.exe:

Size: 73728 bytes
MD5: 03E5C843E2BD8339DB31ED4F8A407C1D
SHA1: 2C2F39EDE684BA2CA02597E6D9B182BBD1997DE4
SHA256: 37C30E45F4D946CBF1952EBB1D7B4D1CEA83380975849128EF729960329519A8
SHA384: 1C3CC5B1C9BB117993161EF2B1B3567C6F4B22AF91B3F99DCC911D9576366C4802E92A31C1C71710CF991925B6B4CBBB
SHA512: F869B63CE3F7781C13B6BFC70666D0BAF8F0E21AA3AD7A06C0EB4EF9061D64AEB1571B0BF3B28DED2E32B66E1E1495FAA497D8EA18E8E616D9FF92D07485E1B7

File spy.exe:

Size: 487424 bytes
MD5: 3CD58F4D27F42AEFF79C7813FF772CF9
SHA1: AFE10513E0A62AB8F327FA6963711F53AAB6DC70
SHA256: 642CF5AD05472AD2729C9C06EE7AA0CCB4E5D3E5B37A804E62CCBCCAEC902B63
SHA384: 5A73576A689C2C8F31A7E95D1916F95BA7590B7358563EC37210AC99D482A8F7F5F558C8C42FCD8AD19171D096896A93
SHA512: D6475A2BD4FFEF2A33C4DED910C76C5163E86EC45D024EA7ECA9C1A615F90AEBDC6FB2013E44AFBE39029E1DBD355B7AFF996314B86EC60224BCEE03DA42DF76

The post KBOT C&C Malware appeared first on NoBirusThanks Blog.

Phishing: Compromised Account (PayPal)

admin — Thu, 23 Feb 2012 11:11:46 +0000

We received another suspicious email that spreads a phishing URL:

The A HREF link redirects to the phishing URL:

hxxp:// restore.account.sysadmin-center .com/paypal/restore/webscrcmd=_login-run/webscrcmd=_account-run/confirm-paypal/restore=_paypal-account/updates-paypal/

Email header details:

Received: from main.pensativo.nl (main.benefiet.eu [141.138.139.44])
Received: from [202.175.132.8] (helo=administrator) by main.pensativo.nl with esmtpa (Exim 4.77)
From: "Paypal Department"
Subject: Compromised Account
Date: Thu, 23 Feb 2012 15:55:40 +1300
To: undisclosed-recipients:;

The post Phishing: Compromised Account (PayPal) appeared first on NoBirusThanks Blog.

Phishing: Skype Incident Updating Your Information To the new security

admin — Thu, 16 Feb 2012 14:17:15 +0000

New phishing email used to steal Skype login details:

The A HREF link:

Please click here to verify your identity

Redirects users to the malicious URL:

hxxp://login.skype.com.kad-s .com/

The post Phishing: Skype Incident Updating Your Information To the new security appeared first on NoBirusThanks Blog.

Find out who visits your Facebook profile: it is a fake, the link redirects to malicious websites

admin — Tue, 14 Feb 2012 00:44:02 +0000

We have noted recently various messages posted by Facebook users that promote few methods to find out who visits your Facebook profile. At the end of the message there is a link to a Bit.ly shortened URL, as you can see from this image:

The shortened URL redirects the users to a malicious URL:

HTTP/1.1 301 Moved
Server: nginx
Date: Mon, 13 Feb 2012 23:18:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4f399a30-002d0-041e9-281cf10a;domain=.bit.ly;expires=Sat Aug 11 23:18:08 2012;path=/; HttpOnly
Cache-control: private; max-age=90
Location: hxxp:// pabulums .info/nukiy.bnw
MIME-Version: 1.0
Content-Length: 122

Extracted malicious URL:

hxxp:// pabulums .info/nukiy.bnw

Domain details:

The website pabulums .info is hosted at SingleHop and its current IP address is 184.154.106.126 (r90.servebyte.com). The server machine is located in – (-) and in the same server there are hosted other 1 websites. The domain is registered with the suffix INFO and the name pabulums. The organization is Servebyte.

URLVoid report:

http://urlvoid.com/scan/pabulums.info

When the malicious URL is visited, there is a new redirect:

HTTP/1.1 302 OK
Date: Mon, 13 Feb 2012 23:18:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: hxxp:// alexins .co.cc/170588/nukiy.bnw
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 786

Extracted malicious URL:

hxxp:// alexins .co.cc/170588/nukiy.bnw

Domain details:

The website alexins .co.cc is hosted at SingleHop and its current IP address is 184.154.106.125 (r90.servebyte.com). The server machine is located in – (-) and in the same server there are hosted other 1 websites. The domain is registered with the suffix CO.CC and the name alexins. The organization is Servebyte.

URLVoid report:

http://urlvoid.com/scan/alexins.co.cc

Remember to do not click in unknown URLs, posted by known and unknown Facebook users, even if they are in your friends list. Most of the Facebook virus can hijack with javascript the login session and they can automatically put “Likes” on malicious Facebook pages or they can post a message containing malicious link in your profile or in the profile of all your friends, so pay attention when you click with the mouse!

The post Find out who visits your Facebook profile: it is a fake, the link redirects to malicious websites appeared first on NoBirusThanks Blog.

Malware: Cotacao solicitada (relatorio.scr)

admin — Sun, 12 Feb 2012 14:07:39 +0000

We have received a suspicious email:

Received: from unknown (HELO userb) (***@globaltires.es@177.0.120.119)
Subject: Cotacao solicitada.
MIME-Version: 1.0
Date: Sat, 11 Feb 2012 17:56:37 -0300

Email message is in HTML and the page source looks like:

As you can see, from this code:

relatorio1379-pdf. (63kb)

The A HREF link redirects the user to an external (malicious) website:

hxxp://groupnetvect .co.de

Domain details:

The website groupnetvect .co.de is hosted at Hetzner Online AG and its current IP address is 78.46.102.86 (www8.subdomain.com). The server machine is located in Germany (DE) and in the same server there are hosted other 1 websites. The domain is registered with the suffix CO.DE and the name groupnetvect. The organization is Hetzner Online AG.

URLVoid report:

http://www.urlvoid.com/scan/roupnetvect .co.de

HTTP response:

HTTP/1.1 302 Found
Date: Sun, 12 Feb 2012 13:01:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Location: hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html; charset=iso-8859-1

The user is redirected again to another external (malicious) link:

hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php

Domain details:

The website consumer-electronics .junderhilltherapy .com is hosted at HostDime.com and its current IP address is 66.7.193.50 (west.superdomainzone.com). The server machine is located in United States (US) and in the same server there are hosted other 1 websites. The domain is registered with the suffix COM and the name junderhilltherapy. The organization is HostDime.com.

URLVoid report:

http://www.urlvoid.com/scan/consumer-electronics .junderhilltherapy .com

HTTP response:

HTTP/1.1 200 OK
Date: Sun, 12 Feb 2012 13:03:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Disposition: attachment; filename="relatorio.scr"
Connection: close
Content-Type: application/log

Now we can see that a file “relatorio.scr” is prompted to be downloaded:

File details:

File: relatorio_scr
Size: 23042 bytes
MD5: BFE2E1EB1C8780149C40FAE98C353BCA
SHA1: 4C69371B15E9738FC663A381C1841315FAC030A0
SHA256: 2DF1080C551E9603F2B8F197DE62D4A643B12BF31F6D3CEE47C0649037C51CF6
SHA384: E30FBFFAD035E7F35BA62B4C6689438ED9A66C3D2F494F4896387EE89C63E445F9AA07FF0D0BF4D1C84EAE282D3F5040
SHA512: 8D9D7B7D4FBF3ACBF984B88CB027D44E98EE997915E2823D61A882B1FDD6D7DD4F5630B518D2C602649D4D42D74DAF863804924D57AC30E8B0D33161D31F706C

The file is detected by Antivirus as Suspect.Trojan.Generic.FD-1 (ClamAV), Trojan-Banker.Win32.VB!IK (Emsisoft), Trojan-Banker.Win32.VB (Ikarus).

The post Malware: Cotacao solicitada (relatorio.scr) appeared first on NoBirusThanks Blog.

New Malicious Iframe Code, Trojan.Java.Downloader and VBScript

admin — Sat, 04 Feb 2012 18:01:41 +0000

Honeypots have reported another case of malicious iframe code that is generally added after the end of the HTML tag, at the end of the website page, as you can see from the image below:

We have also noted another website that redirects users to a fake porn video streaming website with the main objective to install a VBScript (using a Java applet downloader) in the user’s system and use cmd.exe to download and execute a keylogger:

hxxp:// habbo-sluts-exposed .tk

The URL uses an iframe code to redirect the users to another website:

Extracted malicious URL:

hxxp:// b0ss.getenjoyment .net/two/

And now, there is another redirect:

The user is now redirected to:

hxxp:// b0ss.getenjoyment .net/two/index2.html

The new URL contains the malicious VBScript:

Download the dumped malicious code (pass is novirusthanks.org):
malicious_code.zip / 1 KB

With a malicious Java file that is probably used to download the VBScript:

File: Client.jar
Size: 2337 bytes
MD5 Hash: A6091A6335EC1FD34E8358010C044270
SHA1 Hash: 126BEED0FCE70142207DE46D58C69AADFF71645C
SHA256 Hash: 160D60C071F7A5E691C9B2537FCFA926EB9A80537D594B2E7382309E2ECD5F41
SHA384 Hash: EE4C9AC074E2B1FA5A2A28D586441008FA52FE2258DEF88AD39D4CBDA83934334FF7B4B16ABF85C44FAC565BB698B917
SHA512 Hash: EC422053D1852A1FD575485C8C8BFDF51C35347EBFED92A0A613854717EEE5933C6520936D7CE5FAA67B60A31DDC0D09F1B167EFA975D2CD9D814B51D09AB46D

Antivirus scan report:

As we can see from:

The script download and execute the malicious PE file located at:

hxxp:// b0ss.getenjoyment .net/boss.exe

File details:

File: boss.exe
Size: 1280512 bytes
MD5 Hash: C01246B6507DED92832F8A71BF1CDA2D
SHA1 Hash: 792BB694A5944B4CF70DA803586F8440C7AD1D30
SHA256 Hash: 0C3E7B048309541BE48A2F716BEFC91C90F27409B8BF0E3767F0C4CF8C8435AF
SHA384 Hash: 66EC0E377A78EB1EDCF63A26FA8C8E996D89A91CDCC034B507E1098592BB9E67C5C24F4AE9287AD421335D05311EF0A5
SHA512 Hash: ADF7AB9E2E05B788269C7B0FA46660687C868ED131162FDB29824DA54A8AC3C67F53962D43B900D8FFBC61050ADA46E53DFBA846C16461AD18E9703AA3ACEF02

Antivirus scan report:

The post New Malicious Iframe Code, Trojan.Java.Downloader and VBScript appeared first on NoBirusThanks Blog.

JavaScript Code Hidden in Image

admin — Wed, 01 Feb 2012 13:28:49 +0000

We noted few websites infected with the following code (Gumblar-style?):

Extracted malicious URL:

hxxp://vohfakai .co.cc/1584179.jpg

URLVoid report:

http://www.urlvoid.com/scan/vohfakai.co.cc

Unfortunately (fortunately) the malicious URL is not online, but I am sure it was used to spread malicious javascript code or iframe code, that would have redirected the users to an exploit kit.

The post JavaScript Code Hidden in Image appeared first on NoBirusThanks Blog.

Iframe Alias(dot)jjbworks(dot)com Mass Infection

admin — Tue, 31 Jan 2012 14:20:02 +0000

Another hidden and malicious iframe is spreading by infecting websites:

The iframe code is added before the BODY tag of the HTML page and is obfuscated:

The extracted malicious link is:

hxxp://alias .jjbworks .com/analytics.php

Details about the malicious domain:

Website: alias .jjbworks .com
Domain Hash: 2f8f518cb5d452fca78b8c11b3a53913
IP Address: 68.68.20.114 [SCAN]
IP Hostname: 68.68.20.114.customer.bluemilenetworks.com
IP Country: -- (--)
AS Number: 11013
AS Name: BLUE-AS - Bluemile, Inc

URLVoid report:

http://www.urlvoid.com/scan/alias.jjbworks.com

Websites infected with this malicious code:

sosumo .net

URLVoid report:

http://www.urlvoid.com/scan/sosumo.net

The post Iframe Alias(dot)jjbworks(dot)com Mass Infection appeared first on NoBirusThanks Blog.