Showing posts with label low detection. Show all posts

Tuesday, 2 April 2013

Brazilian banking Trojan tricks


So I encountered what I suspect to be a banker focused on Brazilian banks. (Win32/Bancos)


Part 1 - spam mail:


Fiscal note

Mail from: mail.unimedsc.com.br - 187.115.59.244 - IPvoid Result

The mail reads:
Emissão de Nota Fiscal
Prezado cliente,
Segue abaixo o(s) link(s) para acesso à nota fiscal eletrônica.
Notas Fiscais
Nota    Codigo de Verificacao    Visualizar
11932075    DTU8DBSW    NF-eletronica-8457348947..Docx
Atenciosamente,
Equipe de Cobrança:

Roughly translated:

Issuance of Invoice
Dear customer,
Below is/are the link(s) to access the electronic invoice.
Invoices
Invoice    Verification Code    View
11932075    DTU8DBSW    NF-eletronica-8457348947..Docx
Sincerely,
Billing Team:

Clicking on the link leads to a ZIP file on Dropbox. I've already requested the file/URL to be removed.



Part 2 - executing the file:

The victim needs to unzip the file and run the malware:

So-called .docx with a mismatching icon

Seems the malware authors got their file types wrong: a .docx file should have a Word icon, not an MPEG-4 icon. ;-)
Either way, the malware is neither a Word nor an MPEG file; it's actually an executable, as can be seen in the screenshot above.


Some details about the file:
NF-eletronica-987812165162.Docx.exe
MD5: 65ba9ff22e4e9073dda5ecae0fd056a7
Detections: 4/46 
VirusTotal Result
Anubis Result
ThreatExpert Result

The file connects to the following IPs:
54.244.228.88 - IPvoid Result
91.136.8.9 - IPvoid Result
187.45.193.134 - IPvoid Result

This is where it gets a bit more interesting: the file downloads from 54.244.228.88 a .hlp file called:
updados.hlp - VirusTotal Result

Basically, this is a compressed .hlp file (a Windows Help file) which contains 3 more .hlp files:
help01.hlp
help02.hlp
help03.hlp

The files then get renamed randomly and a folder with a random name gets created in %ProgramFiles%, for example:
C:\Program Files\2x8H8g

Most malware today gets dropped in %systemroot% or %appdata%, so %ProgramFiles% is a less common choice. The following entries were added to the registry to ensure persistence:

Autorun entries with fancy icons

Part 3 - the consequences:

  • Your (financial) data will be stolen
  • You might get a pop-up next time you log in to your bank asking for credentials
  • You might be diverted to a fake login page
  • You might finance the malware author's next vacation by unwillingly transferring X amount of money
  • Other malware might be downloaded 


Part 4 - gathered files:

Note how the .hlp files have the exact same filesize as the .exe files. (they're the same files)

Contact me for a copy.

Gathered files

Conclusion
  • Don't click on any link(s) of unknown senders. In fact, don't even open mail from unknown senders.
  • Have you indeed ordered something? Check the status of it directly on the supplier's website.
  • Don't be fooled by the fancy icons: they are actually EXE files. You can enable an option in Windows so you can always see the file type being used:
    Enable Viewing of Filename Extensions for Known File Types
  • Install an antivirus and antimalware product and keep it up-to-date & running.
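As an added example (my own code, not from the original post), a small Python triage that applies both observations from this post: a document extension immediately followed by an executable one (the .Docx.exe trick above), and an 'MZ' PE header sitting under a non-executable extension such as .hlp (the Part 4 observation that the .hlp files are the dropped .exe files). The file names and header bytes are constructed to mirror the samples described here.

```python
# Added example: flag files whose name or content disguises an executable.
# File names and header bytes below are constructed for the demonstration.

# Extensions Windows will run when double-clicked (non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Extensions a user reads as a harmless document, media or help file.
DOCUMENT_EXTS = {"docx", "doc", "pdf", "xls", "xlsx", "jpg", "png",
                 "mp4", "txt", "zip", "hlp"}


def extensions(name: str) -> list:
    """Return the lower-cased extension chain of a Windows or POSIX path,
    e.g. 'C:\\x\\Invoice.Docx.exe' -> ['docx', 'exe']."""
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return leaf.split(".")[1:]


def is_pe(head: bytes) -> bool:
    """A Windows executable (EXE/DLL/SCR) starts with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def assess(name: str, head: bytes) -> list:
    """Return human-readable findings for one file; an empty list is clean."""
    findings = []
    exts = extensions(name)
    outer = exts[-1] if exts else ""
    # 1. Document extension immediately followed by an executable one:
    #    Explorer hides the last extension by default, so the user sees
    #    'Invoice.Docx' with whatever icon the PE carries.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
        findings.append(f"double extension .{exts[-2]}.{outer}")
    # 2. PE header under a non-executable extension: the .hlp payloads in
    #    Part 4 are byte-identical to the dropped .exe files.
    if is_pe(head) and outer not in EXECUTABLE_EXTS:
        findings.append(f"PE header under .{outer or '(no extension)'}")
    return findings


def scan(files: dict) -> dict:
    """files maps a path to its first bytes; returns only suspicious entries."""
    report = {name: assess(name, head) for name, head in files.items()}
    return {name: f for name, f in report.items() if f}


# Constructed sample set (names follow the post; bytes are illustrative).
SAMPLE_FILES = {
    r"C:\Users\victim\Downloads\NF-eletronica-987812165162.Docx.exe": b"MZ\x90\x00\x03",
    r"C:\Program Files\2x8H8g\updados.hlp": b"MZ\x90\x00\x03",
    r"C:\Program Files\2x8H8g\help01.hlp": b"?_\x03\x00",      # real WinHelp magic
    r"C:\Users\victim\Documents\invoice.docx": b"PK\x03\x04",  # OOXML is a ZIP
    "/tmp/report.pdf.scr": b"MZ\x90\x00\x03",
}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_FILES).items():
        print(path, "->", "; ".join(findings))
```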

Tuesday, 12 March 2013

Exploits, exploits everywhere


It's the exploit season (especially for Java).

This time, I'm seeing a lot of mails supposedly from PayPal:

Apparently you bought an expensive watch. For someone you don't know.
Looks legit.

Originating IP of this mail:
188.33.40.190 - IPvoid Result

Seems to be sent out by the Cutwail botnet.

When clicking on one of the links (they all point to the same hacked webpage):

Adobe Reader giving a warning



First, a blank webpage opens and a PDF or Java exploit is launched.

Adobe crashes with a warning. Should raise some suspicions.

The latest trick the malware authors perform is to ultimately redirect you to a fake pharmacy:
'Pharmacy Express'. Fake pharmacy.

You eventually end up on this page, probably to make you think 'it was just Viagra spam, that's all'. Wrong! In fact, you're being infected as we speak. A file gets dropped in the %appdata% folder:

xydyswylmylh.exe
Result: 6/45
MD5: 22f3c0fd2a5d9e1799699097836bb5dc
VirusTotal Result
ThreatExpert Result
Anubis Result


There were a lot of HTTP connections; possibly a password stealer?


Additionally, it connects to the following IPs & ports: 

Malware was downloaded from:
188.93.211.151 - IPvoid Result

Adobe/PDF exploit being used: CVE-2010-0188 - CVE Report
Oracle/Java exploit being used: CVE-2013-0431 - CVE Report (tip from @eromang)


All files gathered, contact me for a copy:
Gathered files in this attack



This campaign is still going on. If you'd like to know the source of these exploits (be careful though, they can still be live!), you can see these results from URLquery:


Conclusion


  • Don't click on any link(s) of unknown senders.
    In fact, don't even open mail from unknown senders.
  • Have you paid for an expensive watch for somebody you don't even know? I didn't think so.
  • Install an antivirus and antimalware product and keep it up-to-date & running. 
  • Use for example NoScript in Firefox to counter these attacks.
  • And above all: patch Java, Adobe and any other third-party software you may have!

Tuesday, 28 August 2012

Java exploits lurking around

Update - 31/08/2012
Oracle has issued a patch for the exploit. You can download the patch from:

Oracle has also issued an alert concerning this exploit.
---End update


I'm sure everyone has heard about the latest Java exploits lurking around.


I received the following mail recently:


Mail from ADP, which seems to be a payroll/HR outsourcing firm


Example mails:
#1
ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,
ADP Benefit Services



#2

ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Aug 27 23:59:59 GMT-03:59 2012

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


When clicking on one of the links in the mail, you get redirected to a compromised webpage, which will load the exploit on your system. The exploit kit responsible is Blackhole.

The exploit in question:
CVE-2012-4681


The following file was downloaded:

Pre.jar
Result: 13/42
MD5: 08fd3413aef2012f2b078fa07855e398
VirusTotal Report



Related files:

adb92c406847e55d699d22ccd36e5e25ff32
Result: 2/42
MD5: b97a943420c13a51af37acbfbcd11d48
VirusTotal Report


js.js
Result: 1/42
MD5: f11a182170557829c150617613cfbb6c
VirusTotal Report


I didn't investigate further at the point when I got the mails, but normally a file called updateflashplayer.exe would have been downloaded as well. At time of writing, it is already offline.


Files were hosted on the IP: 209.59.222.146 - IPVoid result
& 209.59.222.174 - IPVoid result



Google Safe Browsing Diagnostic page


The same reported exploit, but different Jar files and droppers:

applet.jar
Result: 25/42
MD5: 4af58300ee5cd6d61a3eb229afe0da9f
VirusTotal Report


hi.exe
Result: 36/42
MD5: 4a55bf1448262bf71707eef7fc168f7d
VirusTotal Report
Anubis Report


mspmsnsv.dll
Result: 24/42
MD5: 2f8ac36b4038b5fd7efad8f1206c01e2
VirusTotal Report


The malware tries to phone home to:
223.25.233.244 - IPVoid result




Prevention

Disable Java in your browser(s) or uninstall it if you have no use for it. Brian Krebs has written a nice post on how to disable Java on several platforms & browsers:
How to Unplug Java from the Browser

Specifically for this exploit, you can block the following IP ranges in your firewall or hosts file (or at least block the ones mentioned in this post):
223.25.233.0 --> 223.25.233.255
209.59.222.0 --> 209.59.222.255

There's an excellent post over at DeepEnd Research as well, which includes a workaround and patch (you will need to request this):
Java 7 0-Day vulnerability information and mitigation



Conclusion

Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

To test whether your version of Java is out of date and vulnerable you can use:
Zscaler Java test
Is your Java exploitable?
What Version of Java Are You Using?

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Delete emails from unknown senders; never click on links in a mail you allegedly get from your bank, from UPS, or in this case ADP. If you happen to have placed an order or made a bank transfer of any kind, go to the website directly in your browser by typing the address in manually.

Note that the links to ADP in this post are not malicious, however the URL behind them was. You can verify this by 'hovering' over the URL to check what is really behind.

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious JavaScript.

Download the latest Java updates from here.

Tuesday, 12 June 2012

LinkedIn spam, exploits and Zeus: a deadly combination ?

Is this the perfect recipe for a cybercriminal?
  1. Hacking LinkedIn's password (and possibly user) database.
  2. Sending an email to all obtained email addresses, urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. The user's computer is now a zombie (part of a botnet).

I would definitely say YES.

A reader of my blog contacted me today; he had received an email from LinkedIn which looked phishy. We can verify that Step 1 is accomplished by the simple fact that in the "To" and/or "CC" field of the email below there are about ~100 email addresses. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth...

Here's the email in question:


Reminder from LinkedIn. You got a new message !


Subjects of this email might be:
"Relationship LinkedIn Mail", "Communication LinkedIn Mail", "Link LinkedIn Mail" or "Urgent LinkedIn Mail". No doubt the subjects of this email will vary, and are not limited to these four.


Step 1 and step 2 of the cybercrook's scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.

Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer:
  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mix of Adobe & Java exploits is used.

In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:


The green highlighting indicates the spawning of a new process

What's this ? There's a process from Adobe Reader loaded under our Internet Explorer ? Which seems to spawn a .dll file ? Which in turn spawns another file .... Okay, you get the point here.

The PDF file has several embedded files, which drop malicious executables and execute them. After this chain of spawning processes and dropping executables, the malware also cleans up any leftovers, starting with the PDF file itself:


Message from Adobe Reader it has crashed. Have a guess why

After the user clicks OK, everything looks fine. Right ? No, of course not. Ultimately, there's a malicious executable which will start every time the computer boots.

Interesting to note is that there is also an attempt to exploit CVE-2006-0003. An exploit from 2006, no less!

Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. With what you may ask ? Well, let's review all the associated files:


The initial Java exploit - set.jar -
(when I first uploaded this sample a few hours before this blogpost, there were ZERO detections)

Result: 2/42
MD5: b0697a5808e77b0e8fd9f85656bd7a80
VirusTotal Report
ThreatExpert Report

I just now re-uploaded set.jar (17:47:41 UTC), it has now 6 detections. Most probably the Blackhole exploit kit is responsible for this attack. Microsoft identifies the file as
"Exploit:Java/CVE-2010-0840.NQ".
The corresponding CVE can be found here.



"I got Java patched, always", you might say. Great ! How about Adobe Reader ?
c283e[1].pdf
Result: 11/38
MD5: ad5c7e3e018e6aa995f0ec2c960280ab
VirusTotal Report
PDFXray Report
MWTracker Report


Thanks to PDFiD, we are able to see there's an AcroForm action and 6 embedded files. Basically, AcroForm (the PDF forms mechanism) is just another way to trigger JavaScript in a PDF document, via form field actions. Embedded files are... files hidden inside your PDF document:


PDFiD results
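As an added example (my own code, not PDFiD itself and not from the post), a PDFiD-style keyword count that first undoes PDF name hex-escaping (so `/J#53` is counted as `/JS`) and then notes the AcroForm-plus-JavaScript and embedded-file combination seen above. The PDF fragment, its object numbers and the `app.alert` string are constructed and do not form a renderable document.

```python
import re

# Keywords a PDFiD-style triage counts; the post's sample showed an
# /AcroForm entry and 6 /EmbeddedFile entries.
KEYWORDS = ("/AcroForm", "/JS", "/JavaScript", "/EmbeddedFile",
            "/OpenAction", "/Launch", "/ObjStm", "/Page")

# PDF name hex-escape: /J#53 is the same name as /JS.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Replace every #xx escape with the byte it encodes, so obfuscated
    names are counted like plain ones. (Applied to the whole file for
    simplicity; PDFiD restricts this to names.)"""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword as a complete name: /Pages must not count as /Page
    and /EmbeddedFiles (the name tree) must not count as /EmbeddedFile."""
    norm = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, norm))
    return counts


def triage(counts: dict) -> list:
    """Turn raw counts into the observations an analyst would write down."""
    notes = []
    js = counts["/JS"] + counts["/JavaScript"]
    if js:
        notes.append(f"{js} JavaScript reference(s)")
    if counts["/AcroForm"] and js:
        notes.append("AcroForm with JavaScript (form actions can run script)")
    if counts["/EmbeddedFile"]:
        notes.append(f"{counts['/EmbeddedFile']} embedded file(s)")
    if counts["/OpenAction"]:
        notes.append("OpenAction runs when the document opens")
    if counts["/Launch"]:
        notes.append("Launch action present")
    return notes


# Constructed fragment (hypothetical objects; not a valid, renderable PDF):
# a catalog with an AcroForm, two embedded PE blobs (one hex-escaped) and a
# form field whose focus action holds hex-escaped /JavaScript and /JS names.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R "
    b"/Names << /EmbeddedFiles << /Names [(a.exe) 5 0 R (b.exe) 6 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Fields [7 0 R] >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nMZ\x90\x00\nendstream endobj\n"
    b"6 0 obj << /Type /Embedded#46ile /Length 4 >> stream\nMZ\x90\x00\nendstream endobj\n"
    b"7 0 obj << /FT /Btn /T (x) /AA << /Fo << /S /Java#53cript "
    b"/J#53 (app.alert('constructed')) >> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    c = count_keywords(SAMPLE_PDF)
    print({k: v for k, v in c.items() if v})
    print(triage(c))
```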



Here's our first dropped file - calc[1].exe
Result: 5/38
MD5: 4eead3bbf4b07bd362c74f2f3ea72dc4
VirusTotal Report
ThreatExpert Report
Anubis Report


Calc[1].exe will drop other files. Examples:


amutwa.exe
Result: 9/42
MD5: e7e25999ef52e5886979f700ed022e3d
VirusTotal Report
ThreatExpert Report
Anubis Report


nyyst.exe
Result: 10/42
MD5: fbc4bb046449fd9cef8a497941457f4f
VirusTotal Report
ThreatExpert Report
Anubis Report


The malware will try to 'phone home' or connect to the following IP addresses:
188.40.248.150 - IPVoid Result
46.105.125.7 - IPVoid Result

The IPs above (188.40.248.150 in particular) are part of a known botnet.

After all 4 steps have been executed, Step 5 of the process is completed as well and the machine is successfully part of a botnet. The Zeus botnet. For more information about Zeus, you can read the (limited, but sufficient) Wikipedia article:
Zeus (Trojan Horse)

There are also numerous articles on the Zeus botnet, the takedowns by Microsoft (whether they were successful or not, I'll leave open), and many other reports.



Conclusion

So, what did we learn today ? If you do not know the answer to this question, please re-read the article again.

PATCH PATCH PATCH people ! Keep ALL of your software up-to-date ! This means Adobe, Java, but don't forget other software, for example VLC, Windows Media Player.... You get the picture.

This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed.

If possible, avoid using Adobe and/or Java. There are alternatives. An alternative for Adobe is for example Sumatra PDF. Just don't forget to patch the alternatives as well !

Finally, use an up-to-date antivirus product to keep your machine safe should you not have done any patching. You might still get infected, but it is already less likely.

If you are in a corporate or business network, take the necessary actions and include several layers of protection. This also includes informing your users not to click on everything in an email! Applying the appropriate security rights on a machine (least privilege for ordinary users) can save you a whole lot of work.... and lack of sleep ;-).


Note:
If you are interested in the files discussed in this post, contact me on Twitter:
@bartblaze

Tuesday, 26 April 2011

Technoviking ? I am not amused

So yesterday I was looking on Google Images for the 'Technoviking'. I'm sure most of you know the guy/meme but just to be sure:


http://knowyourmeme.com/memes/technoviking

In case you're wondering, I do not remember why he flashed in my mind all of a sudden, but I was listening to some music on YouTube and I suppose there was a Suggested Video (wink).

Either way, some of the Google Images were in fact redirecting to a scareware page, urging you to download a file to "clean" your computer. Some of the images that were infected:



Some infected Google Image results


If you click on any of them, you would get the following message:


"Windows Security" will perform a fast scan of system files


... and when clicking on "OK" you'll get the well-known fake scanning page:



Fake Scanning page finding numerous infections


The following file was downloaded:

BestAntivirus2011.exe
Result: 18/41 (43.9%)
MD5: e705b657f5830eb2a43eee3a32f549c3
VirusTotal Report
ThreatExpert Report
Anubis Report

Today I checked again and the scareware/rogueware campaign is still active. I was now presented with another file that has a very low detection rate on VirusTotal:

BestAntivirus2011.exe
Result: 2/41 (4.9%)
MD5: 56ce5479183913f2082bf0fd790dbaea
VirusTotal Report


The payload is a rogueware called 'MS Removal Tool'.

When executing the dropped file (BestAntivirus2011.exe) :


MS Removal Tool fake scanning screen


It is interesting to note that you would only get redirected when using Internet Explorer or Google Chrome. On neither Firefox 3.6 nor Firefox 4.0 would the redirect occur.


Prevention

- Be careful when visiting any webpage. A useful trick is to check the real URL behind the image. Most of the time you can verify this by checking the status bar in the left corner of your browser:

Clicked on a picture and started loading this website instead of the original one

- Use browser extensions to verify the integrity of an image or URL. Useful add-ons for Google Chrome are for example VTchromizer, NotScripts and WOT.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore.exe or iexplore.exe *32


Disinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:

Remove MS Removal Tool



Conclusion

Don't be fooled by Google's preview of images, you can still get infected even though the site appears to be safe.

Follow the above prevention tips to decrease the chance of your computer becoming infected.

Tuesday, 8 February 2011

"m28sx" worm: back in business ?


You might remember my previous post about a new Twitter worm called "m28sx" that spreads a fake antivirus (aka rogueware) called Security Shield:

Today I got an email with the subject "HELLoo" and only a link in it. The link ended with m28sx.html.


Different redirects starting at the compromised website


There are 3 redirects before you eventually land on the fake scanner page:

Messagebox alerting you of infections on your system



Fake scan message showing numerous infections



The following file is dropped:

pack.exe
Result: 7/43 (16.3%)
MD5: b7fcca77d20fb5ac43792ad56f6fc75e

The payload is a rogueware called 'Security Shield'.

When executing the dropped file (pack.exe) :

A warning that Security Shield was installed successfully



Security Shield rogueware finding (non-existent) infections



Conclusion

Always be careful when clicking on a URL that you do not recognize or that is shortened so you cannot see the real URL. In this case, a website was compromised and the "m28sx.html" page was placed on it. Actually, be careful with ANY URL ;) .

If you do happen to land on one of these rogueware pages presenting you a fake scan of your disks, open Task Manager and end your browser's process.

As an extra note: this one might re-surface again on Twitter, so be on the lookout these days for links that end with "m28sx".


Thursday, 20 January 2011

Twitter worm spreading virally

Since today there's a Twitter worm spreading virally under the name "m28sx". People and bots tweeting links that end with m28sx.html, or that have only a URL in their tweet, are common today on the social network platform.

At time of writing this threat still persists, although Google has already disabled a lot of URLs. (URLs used in this attack are mainly t.co and goo.gl)


After different redirects starting at:

to

and eventually landing on

Presents you with a nice message that you are infected:

Immediately you receive the well known fake scan page:


Infected search terms on Twitter also include:
50th anniversary of JFK's inauguration
John F. Kennedy inaugural address
Love the new homepage

Check out these search results for m28sx (be careful with the links on these pages, some of them might still be active ! ) on Twitter:
https://twitter.com/#!/search/links/m28sx.html or
https://search.twitter.com/search?q=m28sx.html

Dropped files:

pack.exe
Result: 3/43 (7.0 %)
MD5: bae499fc5844d814f942e870900c9d57

pack(2).exe
Result: 3/43 (7.0 %)
MD5: 921b903e2ff6ae23833301aa2961be95

The payload is a rogueware called 'Security Shield'.

When executing either of the dropped files:

A warning that Security Shield was installed successfully.



Security Shield rogueware finding (non-existent) infections.



Conclusion

Pretty straightforward: do not click on any of the links! (You also might want to use a third-party application to browse Twitter, like Echofon or Twhirl.)

Always be careful when clicking on a URL that you do not recognize or is shortened so you cannot see the real URL.

If you do happen to land on one of these rogueware pages presenting you a fake scan of your disks, open Task Manager and end your browser's process.

Wednesday, 15 December 2010

RapidShare used to spread rogueware

Besides the usual spam this morning, in the likes of "very good news . now you can buy new iphone 4 from this site! ",

I had also received an email from someone I know. It was sent to all of his contacts, including me. The message only contained the following URL:


Link to Rapidshare to download a file called "surprise.exe". I have obfuscated the URL for your safety.

It comes as no surprise that this file is actually rogueware going by the name Security Shield. Below you can find an example screenshot of this rogue:


Security Shield rogueware


surprise.exe
Result: 11/42 (26.2%)
MD5: a6af97e7a5fd59c82b4c08a568eae882
VirusTotal
Anubis Report
ThreatExpert Report

When executing the downloaded file ( surprise.exe ):



Conclusion


Besides coming from a trusted person, this rogueware program is also using Rapidshare as a 'mirror' for spreading. Also, the file has the name "surprise.exe" which may convince you even further that your friend has just sent you a message with a nice surprise e-card or similar. After all, you know the person who sent it, why would it hurt ?

The above pictures prove why. I doubt you'd want some rogueware sitting on your computer. The rule is that you should never trust an email which has:

- only a URL included in the message
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- No subject or strange subjects ( eg.: "0 enjoy yourself" )
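As an added example (my own code, not from the original post), the checklist above turned into a scoring function over a raw e-mail, with the recipient-count observation from the LinkedIn post added as a sixth check. The sample messages, the `KNOWN_SENDERS` set and the bargain word list are constructed; the spelling-and-grammar point is left to the human reader.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Words typical of "buy it cheap" spam (constructed, non-exhaustive list).
BARGAIN_RE = re.compile(r"\b(buy|cheap|price|discount|iphone)\b", re.I)


def body_text(msg) -> str:
    """Concatenate all text/plain parts; a single-part mail is one part."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def red_flags(raw: str, known_senders=frozenset(), many_recipients=20) -> list:
    """Return the checklist items a raw RFC 822 message trips, in order."""
    msg = message_from_string(raw)
    flags = []
    body = body_text(msg).strip()
    # "only a URL included in the message"
    if URL_RE.search(body) and not URL_RE.sub("", body).strip():
        flags.append("body is only a URL")
    # "sent out to everyone in the sender's address book": many To/Cc entries
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(rcpts) >= many_recipients:
        flags.append(f"{len(rcpts)} recipients in To/Cc")
    # "no subject or strange subjects (eg.: '0 enjoy yourself')": a leading
    # number, or a single word with odd capitalisation such as "HELLoo"
    subject = (msg["Subject"] or "").strip()
    if not subject:
        flags.append("no subject")
    elif re.match(r"\d+\s", subject) or (" " not in subject and not subject.istitle()):
        flags.append(f"strange subject {subject!r}")
    # "been sent from an unknown sender": compare against a trusted set
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        flags.append(f"unknown sender {sender or '(none)'}")
    # "promises you can buy something for a very cheap price"
    if BARGAIN_RE.search(body):
        flags.append("promises a bargain")
    return flags


# Constructed samples: the m28sx-style mail from a known contact, and a
# normal message from the same contact.
KNOWN_SENDERS = frozenset({"friend@example.invalid"})

SPAM = (
    "From: friend@example.invalid\n"
    "To: " + ", ".join(f"user{i}@example.invalid" for i in range(25)) + "\n"
    "Subject: HELLoo\n"
    "\n"
    "http://compromised-site.invalid/m28sx.html\n"
)

LEGIT = (
    "From: friend@example.invalid\n"
    "To: me@example.invalid\n"
    "Subject: Minutes from Tuesday\n"
    "\n"
    "Hi, attached are the notes we discussed. See you Thursday.\n"
)

if __name__ == "__main__":
    print("spam :", red_flags(SPAM, KNOWN_SENDERS))
    print("legit:", red_flags(LEGIT, KNOWN_SENDERS))
```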

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virusscanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Peace out.