Exploits, exploits everywhere

It's the exploit season (especially for Java).

This time, I'm seeing a lot of mails supposedly from PayPal:

Apparently you bought an expensive watch. For someone you don't know.
Looks legit.

Originating IP of this mail:
188.33.40.190 - IPvoid Result

Seems to be sent out by the Cutwail botnet.

When clicking on one of the links (they all point to the same hacked webpage):

Adobe Reader giving a warning

Firstly, a blank webpage opens up and you're getting a PDF or Java exploit which is being launched.

Adobe crashes with a warning. Should raise some suspicions.

The latest trick the malware authors perform is to ultimately redirect you to a fake pharmacy:

'Pharmacy Express'. Fake pharmacy.

You are eventually ending up on this page, probably to make you think 'it was just Viagra spam, that's all'. Wrong! In fact, you're being infected as we speak. A file gets dropped to the %appdata% folder:

xydyswylmylh.exe

Result: 6/45

MD5: 22f3c0fd2a5d9e1799699097836bb5dc

VirusTotal Result

ThreatExpert Result

Anubis Result

There were a lot of HTTP connections, possible password stealer?

Pastebin link: http://pastebin.com/6LhCfu6q

Additionally, it connects to the following IPs & ports: 

Pastebin link: http://pastebin.com/LDrzfKHN

Malware was downloaded from:

188.93.211.151 - IPvoid Result

Adobe/PDF exploit being used: CVE-2010-0188 - CVE Report

Oracle/Java exploit being used: CVE-2013-0431 - CVE Report (tip from @eromang)

All files gathered, contact me for a copy:

Gathered files in this attack

This spreading is still going on, if you'd like to know the source of these exploits (be careful though, they can still be live!), you can see these results from URLquery:

URLquery search results

Conclusion

• Don't click on any link(s) of unknown senders.
  In fact, don't even open mail from unknown senders.
• Have you paid for an expensive watch for somebody you don't even know? I didn't think so.
• Install an antivirus and antimalware product and keep it up-to-date & running. 
• Use for example NoScript in Firefox to counter these attacks.
• And above all: patch Java, Adobe and any other 3d party software you may have!

New exploit kit tricks

In today's post, we'll be reviewing a (potentially) new trick by the exploit kit authors.

As usual, it all starts with.... a great portion of spam:

Verizon important account information! ;-)

When clicking on any of the links you get redirected of course.... and some tasty exploits are served.... See for more information on Pastebin links further below....

However, this time, when you don't have a vulnerable Java or Adobe version installed, you'll get redirected (after 61000 milliseconds ~1 minute to be exact) to another page where you can download the brand new version of Adobe Flash Player:

Download the new Flash Player... Note it's not the official Adobe website!

Of course this is not the real Flash Player, in fact, as far as I could find, this version does not exist.

Something that has always bothered me about the download of Flash is the notification circled in red. Yes, on the real website of Adobe, this notification is also present:
"You may have to temporarily disable your antivirus software" --> Great thinking, right?


The bad guys have basically just done a copy/paste of the download page of Flash and changed the version number. When clicking on Download now, you're presented with:

update_flash_player.exe
MD5: 1b7d3393018d65e9d37566089b7626d5
VirusTotal Report
Anubis Report
ThreatExpert Report


The payload seems to be Zeus/Zbot, it also phones home to:
88.190.210.199

Infection URLs from the same campaign, hat tip to @MalwareMustDie :
URLquery search results



Samples that were gathered, contact me if you'd like a copy:

Pastebin links for the Javascripts:
http://pastebin.com/hhQe6RCP
http://pastebin.com/nt5JmGp3




Conclusion

- Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders
- Patch your Java & Adobe or uninstall it if you don't need it
- Install an antivirus and antimalware product and keep it up-to-date & running
- Use NoScript in Firefox or NotScripts in Chrome

LinkedIn spam, exploits and Zeus: a deadly combination ?

Is this the perfect recipe for a cybercriminal ?:

1. Hacking LinkedIn's password (and possibly user-) database.
2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
3. A user unawarely clicking on the link.
4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
5. User's computer is now a zombie (part of a botnet).

I would definitely say YES.

A reader of my blog contacted me today, he had received an email from LinkedIn which was looking phishy. We can verify that Step 1 is accomplished, by the simple fact that in the "To" and/or "CC" field of the email below, there are about ~100 email addresses. A quick look-up of a few of them on LinkedIn reveals the unconvenient truth...

Here's the email in question:


Reminder from LinkedIn. You got a new message !


Subjects of this email might be:
"Relationship LinkedIn Mail‏", "Communication LinkedIn Mail‏", "Link LinkedIn Mail" or "Urgent LinkedIn Mail‏". No doubt the subjects of this email will vary, and are not limited to these four.


Step 1 and step 2 of the cybercrook's scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.

Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer:

• Adobe Reader
  
• Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mixed flavor of Adobe & Java exploits are used.

In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:


The green highlighting indicates the spawning of a new process

What's this ? There's a process from Adobe Reader loaded under our Internet Explorer ? Which seems to spawn a .dll file ? Which in turn spawns another file .... Okay, you get the point here.

The PDF file has several embedded files, which are dropping malicious executables and executing them. After the process of spawning and dropping processes and executables, the malware will also clean-up any leftovers, including the PDF file at first:


Message from Adobe Reader it has crashed. Have a guess why

After the user clicks OK, everything looks fine. Right ? No, of course not. Ultimately, there's a malicious executable which will start every time the computer boots.

Interesting to note is, that there is also an attempt to exploit CVE-2006-0003. An exploit from 2006 nonetheless !

Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. With what you may ask ? Well, let's review all the associated files:


The initial Java exploit - set.jar -
(when I first uploaded this sample a few hours before this blogpost, there were ZERO detections)
Result: 2/42
MD5: b0697a5808e77b0e8fd9f85656bd7a80
VirusTotal Report
ThreatExpert Report

I just now re-uploaded set.jar (17:47:41 UTC), it has now 6 detections. Most probably the Blackhole exploit kit is responsible for this attack. Microsoft identifies the file as
"Exploit:Java/CVE-2010-0840.NQ".
The corresponding CVE can be found here.



"I got Java patched, always", you might say. Great ! How about Adobe Reader ?
c283e[1].pdf
Result: 11/38
MD5: ad5c7e3e018e6aa995f0ec2c960280ab
VirusTotal Report
PDFXray Report
MWTracker Report


Thanks to PDFiD, we are able to see there's an AcroForm action and 6 embedded files. Basically, AcroForm is just another way to execute JavaScript in a PDF document. Embedded files are... files hidden in your PDF document:


PDFiD results



Here's our first dropped file - calc[1].exe
Result: 5/38
MD5: 4eead3bbf4b07bd362c74f2f3ea72dc4
VirusTotal Report
ThreatExpert Report
Anubis Report


Calc[1].exe will drop other files. Examples:


amutwa.exe
Result: 9/42
MD5: e7e25999ef52e5886979f700ed022e3d
VirusTotal Report
ThreatExpert Report
Anubis Report


nyyst.exe
Result: 10/42
MD5: fbc4bb046449fd9cef8a497941457f4f
VirusTotal Report
ThreatExpert Report
Anubis Report


The malware will try to 'phone home' or connect to the following IP addresses:
188.40.248.150 - IPVoid Result
46.105.125.7 - IPVoid Result

The IPs above (188.40.248.150 in particular) are part of a known botnet.

After all 4 steps have been executed, Step 5 of the process is completed as well and the machine will be successfully part of a botnet. The Zeus botnet. For more information about Zeus, you can read upon the (limited in information, but sufficient) Wikipedia article:
Zeus (Trojan Horse)

There are also numerous articles on the Zeus botnet, the takedowns by Microsoft (whether they were successful or not, I'll leave in the middle), and many other reports.



Conclusion

So, what did we learn today ? If you do not know the answer to this question, please re-read the article again.

PATCH PATCH PATCH people ! Keep ALL of your software up-to-date ! This means Adobe, Java, but don't forget other software, for example VLC, Windows Media Player.... You get the picture.

This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed.

If possible, avoid using Adobe and/or Java. There are alternatives. An alternative for Adobe is for example Sumatra PDF. Just don't forget to patch the alternatives as well !

Finally, use an up-to-date Antivirus product to keep your machine safe should you not have done any patching. Chances are you might still be infected, but are already less likely.

If you are in a corporate or business network, take the necessary actions and include several layers of protection. This also includes informing your users to not click on everything in an email ! Applying the appropriate Security Rights on a machine can prevent you from having a whole lot of work.... and lack of sleep ;-) .


Note:
If you are interested in the files discussed in this post, contact me on Twitter:
@bartblaze