Showing posts with label blackhole exploit kit. Show all posts

Tuesday, 12 March 2013

Exploits, exploits everywhere


It's the exploit season (especially for Java).

This time, I'm seeing a lot of mails supposedly from PayPal:

Apparently you bought an expensive watch. For someone you don't know.
Looks legit.




Originating IP of this mail:
188.33.40.190 - IPvoid Result

Seems to be sent out by the Cutwail botnet.




When clicking on one of the links (they all point to the same hacked webpage):

Adobe Reader giving a warning



First, a blank web page opens and a PDF or Java exploit is launched against you.

Adobe crashes with a warning. Should raise some suspicions.





The latest trick the malware authors perform is to ultimately redirect you to a fake pharmacy:
'Pharmacy Express'. Fake pharmacy.

You eventually end up on this page, probably to make you think 'it was just Viagra spam, that's all'. Wrong! In fact, you're being infected as we speak. A file gets dropped to the %appdata% folder:

xydyswylmylh.exe
Result: 6/45
MD5: 22f3c0fd2a5d9e1799699097836bb5dc
VirusTotal Result
ThreatExpert Result
Anubis Result


There were a lot of HTTP connections; possibly a password stealer?


Additionally, it connects to the following IPs & ports: 

Malware was downloaded from:
188.93.211.151 - IPvoid Result

Adobe/PDF exploit being used: CVE-2010-0188 - CVE Report
Oracle/Java exploit being used: CVE-2013-0431 - CVE Report (tip from @eromang)


All files gathered, contact me for a copy:
Gathered files in this attack



This campaign is still going on. If you'd like to know the source of these exploits (be careful though, they may still be live!), you can see these results from URLquery:


Conclusion


  • Don't click on any link(s) of unknown senders.
    In fact, don't even open mail from unknown senders.
  • Have you paid for an expensive watch for somebody you don't even know? I didn't think so.
  • Install an antivirus and antimalware product and keep it up-to-date & running. 
  • Use for example NoScript in Firefox to counter these attacks.
  • And above all: patch Java, Adobe and any other third-party software you may have!





Wednesday, 13 February 2013

New exploit kit tricks


In today's post, we'll be reviewing a (potentially) new trick by the exploit kit authors.

As usual, it all starts with.... a great portion of spam:

Verizon important account information! ;-)

When clicking on any of the links you get redirected, of course, and some tasty exploits are served. See the Pastebin links further below for more information.

However, this time, when you don't have a vulnerable Java or Adobe version installed, you'll get redirected (after 61000 milliseconds, roughly 1 minute, to be exact) to another page where you can download the brand new version of Adobe Flash Player:


Download the new Flash Player... Note it's not the official Adobe website!

Of course this is not the real Flash Player, in fact, as far as I could find, this version does not exist.

Something that has always bothered me about the download of Flash is the notification circled in red. Yes, on the real website of Adobe, this notification is also present:
"You may have to temporarily disable your antivirus software" --> Great thinking, right?


The bad guys have basically just done a copy/paste of the download page of Flash and changed the version number. When clicking on Download now, you're presented with:





update_flash_player.exe
MD5: 1b7d3393018d65e9d37566089b7626d5
VirusTotal Report
Anubis Report
ThreatExpert Report


The payload seems to be Zeus/Zbot; it also phones home to:
88.190.210.199

Infection URLs from the same campaign, hat tip to @MalwareMustDie :
URLquery search results



Samples that were gathered, contact me if you'd like a copy:

Pastebin links for the Javascripts:
http://pastebin.com/hhQe6RCP
http://pastebin.com/nt5JmGp3




Conclusion

- Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders
- Patch your Java & Adobe or uninstall it if you don't need it
- Install an antivirus and antimalware product and keep it up-to-date & running
- Use NoScript in Firefox or NotScripts in Chrome


Wednesday, 30 January 2013

Facebook spam leads to Exploit Kit


Unsurprisingly, the Blackhole Exploit Kit is still trying to infect users. One commonly used technique is to send the victim an email purporting to come from, for example, Facebook, LinkedIn or Twitter, asking them to click on a link.

We'll take a small peek at those tactics. We received the following email:

You have received a new comment

Hi ,
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
Thanks,
The Facebook Team


Obviously, Facebook didn't disable your account at all. Some factors make it easy to determine that this email is fake:

  • The 'From' field says it's from "Facebook", however, the sender is clearly 'nondrinker@iztzg.hr'.
  • Have you disabled your account? If not, then there's no reason to receive this mail.
  • The subject and the content of the email do not match.
  • Hovering over the links in the email reveals the real URLs, which are not Facebook URLs.
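The checks listed above (display name versus real sender, link targets outside the claimed brand) and the originating-IP lookup from the PayPal post can be automated against a raw message. This is an added example, not code from the original post; the message below is constructed to mirror the Facebook spam, with illustrative relay names, IPs and link host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the Facebook spam above (illustrative relays, IPs, link).
SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.10])
\tby mx.victim.example (Postfix); Wed, 30 Jan 2013 10:00:01 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.relay.example (Postfix); Wed, 30 Jan 2013 09:59:58 +0000
From: "Facebook" <nondrinker@iztzg.hr>
Subject: You have received a new comment
Content-Type: text/html

<html><body>Hi ,<br>You have disabled your Facebook account.
<a href="http://www.example.org/wp-content/r.html">log into Facebook</a>
<a href="https://www.facebook.com/help">Help Center</a></body></html>
"""

HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(msg):
    """Bracketed client IP from the bottom-most (earliest) Received header."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None

def same_org(host, brand):
    return host == brand or host.endswith("." + brand)

def check_email(raw, brand="facebook.com"):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name claims the brand, but the address domain does not match.
    if brand.split(".")[0] in name.lower() and not same_org(sender_domain, brand):
        findings.append(f"From says '{name}' but the sender is {addr}")
    # 2. Link targets ("hover over the link") that lie outside the claimed brand.
    hosts = {(urlparse(u).hostname or "").lower()
             for u in HREF_RE.findall(msg.get_payload())}
    foreign = sorted(h for h in hosts if not same_org(h, brand))
    if foreign:
        findings.append("links point to " + ", ".join(foreign))
    return {"originating_ip": originating_ip(msg), "sender": addr,
            "foreign_link_hosts": foreign, "findings": findings}
```

The first-hop IP is what you would then look up on IPvoid, as done with the PayPal mail above.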


When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by first detecting which plugin and Java version you are using:

PluginDetect
 
The payload? Probably ransomware or a Banker Trojan.


You can find the full JavaScript and the infection source on Pastebin:
http://pastebin.com/9PgDTXsb



Prevention

Use the NoScript add-on in Firefox or NotScripts in Chrome to prevent this.
Use the WOT add-on to check on the status of a website.
Use your common sense and ask yourself the proper questions (see below).
Use a URL scanner if you're unsure about a URL. Some examples are VirusTotal, URLvoid and URLquery.




Conclusion

As usual with this kind of email, be alert and always ask yourself the proper questions:

Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
Why would Facebook send me this when my account isn't disabled at all?
Why are those links not pointing to Facebook websites?
Why is the sender not from Facebook itself? What can I see in the headers?

Use your common sense, update your third-party applications as well as Windows, and use a decent antimalware and antivirus product.

Friday, 7 September 2012

LinkedIn Spam, exploits and Zeus: Revisited

In my post from June this year, I already reported on an excellent recipe for a cybercrook:

  1. Hacking LinkedIn's password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. An unsuspecting user clicks on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User's computer is now a zombie (part of a botnet).

You can find that post back here:
LinkedIn spam, exploits and Zeus: a deadly combination ?


It seems this scheme is still being employed successfully, now using the latest Java exploit (CVE-2012-4681).

Let's divide this clever trick into its three parts.


Part 1 - the spam email:


So called reminder from LinkedIn


Example subjects of this email:
Communication LinkedIn Mail
Connection LinkedIn Mail
Contact LinkedIn Mail
Immediate LinkedIn Mail
Invitation reminders LinkedIn
Link LinkedIn Mail
LinkedIn Updates
PENDING MESSAGES - LinkedIn Mail
Relation LinkedIn Mail
Relationship LinkedIn Mail
Rush LinkedIn Mail
Signaling LinkedIn Mail
Urgent LinkedIn Mail




The first part of the whole scheme is, of course, getting the user to click on a malicious link.

This is your typical social engineering trick: it seems you have pending messages from LinkedIn and you can check your inbox by clicking on the link.

Note that the other links also trigger the exploit.


Part 2 - the exploit (in this case, Java)

When clicking on one of the links, you are redirected to a hacked website which is hosting a JavaScript file:


Malicious Javascript

This JavaScript is not very malicious in itself; it just redirects to yet another website, where the exploit is hosted:


Location of the actual exploit


Eventually, you'll get on a webpage which contains heavily obfuscated Javascript. Note that the Blackhole exploit kit is responsible for this one. Here's a small part:


Small part of the code; you can see a file called Leh.jar and 2 of its classes



Leh.jar classes, which contains CVE-2012-4681 exploit code

There's an excellent article over at the Immunity blog which takes a closer look at the classes used in this exploit. Remember that the class names are just names; they don't indicate anything in particular (as far as I know):
Java 0day analysis (CVE-2012-4681)


Here's a link to the fully obfuscated Javascript on PasteBin:
http://pastebin.com/5FeC02UM

...and here's the same file, deobfuscated:
http://pastebin.com/P1Jy2qt1




Part 3 - the Trojan - Zeus/Zbot


I have used Revelo to deobfuscate the malicious Javascript, which now neatly shows our Trojan as well:


File called 3Wcg.exe will be downloaded and executed


When executing this file:


...it crashed. Badly coded, or sandbox/VM-aware.


As you can see from the figure above, the sample crashed upon execution... Not much to do here.

Had it run, most probably your banking credentials and/or passwords would have been stolen, or you would be sending spam.


Some more information on the associated files:

bv6rcs3v1ithi.htm
Result: 13/42
MD5: 25b67f22490800881c4e13b15f7ac477
VirusTotal Report


Leh.jar
Result: 17/42
MD5: ddf9093ceafc6f7610dcc3fcf2992b98
VirusTotal Report
ThreatExpert Report


3Wcg.exe
Result: 26/41
MD5: df79dfd605eed6d578063089a48d670b
VirusTotal Report
ThreatExpert Report
Malwr Report



Conclusion

Same as one of my previous posts in regards to exploits:
Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Always check the URL of a link. You can verify this by 'hovering' over the link to see what is really behind it.
If you really have messages waiting for you on LinkedIn, and you're curious, just go directly to it by typing it manually in your browser. Delete emails from unknown senders and never open any attachments from them!

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.