Friday, 7 September 2012

LinkedIn Spam, exploits and Zeus: Revisited

In my post from June this year, I already reported on an excellent recipe for a cybercrook:

  1. Hacking LinkedIn's password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unknowingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User's computer is now a zombie (part of a botnet).

You can find that post back here:
LinkedIn spam, exploits and Zeus: a deadly combination ?


It seems this scheme is still being employed successfully, now combined with the latest Java exploit (CVE-2012-4681).

Let's divide this clever trick into its 3 parts.


Part 1 - the spam email:


So called reminder from LinkedIn


Example subjects of this email:
Communication LinkedIn Mail
Connection LinkedIn Mail
Contact LinkedIn Mail
Immediate LinkedIn Mail
Invitation reminders LinkedIn
Link LinkedIn Mail
LinkedIn Updates
PENDING MESSAGES - LinkedIn Mail
Relation LinkedIn Mail
Relationship LinkedIn Mail
Rush LinkedIn Mail
Signaling LinkedIn Mail
Urgent LinkedIn Mail




The first part of the whole set-up or scheme is of course getting the user to click on a malicious link.

This is your typical social engineering trick: it seems you have pending messages from LinkedIn and you can check your inbox by clicking on the link.

Note that the other links also trigger the exploit.


Part 2 - the (in this case Java) exploit

When clicking on one of the links, you are redirected to a website which has been compromised and is hosting a Javascript file:


Malicious Javascript

This Javascript is not malicious by itself; it just redirects (again) to another website, where the exploit is hosted:


Location of the actual exploit


Eventually, you'll get on a webpage which contains heavily obfuscated Javascript. Note that the Blackhole exploit kit is responsible for this one. Here's a small part:


Small part of the code; you can see a file called Leh.jar and 2 of its classes



Leh.jar classes, which contain the CVE-2012-4681 exploit code

There's an excellent article over at the Immunity blog which takes a closer look at the classes used in this exploit. Remember that the class names are just names; they don't indicate anything in particular (as far as I know):
Java 0day analysis (CVE-2012-4681)


Here's a link to the fully obfuscated Javascript on PasteBin:
http://pastebin.com/5FeC02UM

...and here's the same file, deobfuscated:
http://pastebin.com/P1Jy2qt1




Part 3 - the Trojan - Zeus/Zbot


I have used Revelo to deobfuscate the malicious Javascript, which now neatly shows our Trojan as well:


File called 3Wcg.exe will be downloaded and executed


When executing this file....:


...it crashed. Badly coded or Sandbox/VM aware


As you can see from the figure above, the sample crashed upon execution... Not much to do here.

Had it run properly, most probably your banking credentials and/or passwords would have been stolen, or you would be sending spam.


Some more information on the associated files:

bv6rcs3v1ithi.htm
Result: 13/42
MD5: 25b67f22490800881c4e13b15f7ac477
VirusTotal Report


Leh.jar
Result: 17/42
MD5: ddf9093ceafc6f7610dcc3fcf2992b98
VirusTotal Report
ThreatExpert Report


3Wcg.exe
Result: 26/41
MD5: df79dfd605eed6d578063089a48d670b
VirusTotal Report
ThreatExpert Report
Malwr Report



Conclusion

Same as one of my previous posts in regards to exploits:
Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Always check the URL behind a link. You can verify it by 'hovering' over the link to see what is really behind it.
If you really have messages waiting for you on LinkedIn, and you're curious, just go directly to it by typing it manually in your browser. Delete emails from unknown senders and never open any attachments from them!
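As an added example (not code from the original post), here is a small Python check that automates the advice above and the social engineering trick from Part 1: for a mail whose subject claims to be a LinkedIn notification, it lists every link whose real destination is not a linkedin.com host, regardless of what the link text says. The trusted domain list and the sample mail are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Every subject in the spam run contained "LinkedIn"; that is our trigger.
SUSPECT_SUBJECT = re.compile(r"linkedin", re.IGNORECASE)
# Domains a genuine LinkedIn notification links to (assumption for this example).
TRUSTED = ("linkedin.com",)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: last two labels (enough for linkedin.com vs look-alikes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(subject, html):
    """Return (visible text, real href) for links that leave the trusted domains
    in a mail that claims to be a LinkedIn notification; [] otherwise."""
    if not SUSPECT_SUBJECT.search(subject):
        return []
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if registrable(urlparse(href).hostname or "") not in TRUSTED]


# Constructed sample: the link text shows a LinkedIn URL, the href points elsewhere.
SAMPLE_MAIL = ('<p>You have pending messages.</p>'
               '<a href="http://203.0.113.10/bv6rcs3v1ithi.htm">https://www.linkedin.com/inbox</a> '
               '<a href="https://www.linkedin.com/">LinkedIn</a>')
```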

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.

Monday, 3 September 2012

Published in Hakin9: Basic Malware Cleaning

I've been published in Hakin9, an IT Security magazine. I will be explaining the basics on how you can detect, identify and of course disinfect a machine from malware. Below is a small excerpt:



Malware is common nowadays. Each day, machines get infected with viruses, spyware, Trojans, keyloggers, rogueware, ransomware, rootkits. The list continues with more advanced malware like Conficker, Duqu, Stuxnet, Flame.

The malware landscape itself has also drastically changed. Where in the past, malware was created for showing off your skills or gaining your 15 minutes of fame (remember LoveLetter?), it is now almost solely used for the purpose of making money.

If you are reading this article, you have already helped someone get rid of malware infestations, or you at least have an interest in the basics of how to clean malware from an infected machine.

WHAT YOU WILL LEARN
• Identifying malicious processes, terminating these processes and how to properly prevent them from running
• Identifying malicious startup entries and system modifications
• Identifying related malicious files, meaning droppers and payload
• Identifying the malware source and effectively tackling it

WHAT YOU SHOULD KNOW
• Basic computer knowledge and common sense
• Use a proper environment for testing purposes

Besides my article (called "Basic Malware Cleaning"), the following articles will also be available in the E-book:
  • Malware discovery and protection
  • Malware analysis with Cuckoo Sandbox
  • Malware Analysis
  • KeyLoggers: Approaches and countermeasures
  • Untold Story about Keylogger

As you can see, it's all about malware and how to analyse, detect and prevent or disinfect it. An interesting read for everyone, but especially for those who are (interested) in the field of Malware Research/Malware Analysis.

You can download the E-book from the following link:

Thursday, 30 August 2012

Fake Symantec security check

Antivirus vendors sending out warnings to perform a scan of your computer? Sure, that must be legit... Right?



Email claiming to be from Symantec


If you click on download, a file called RemovalTool.exe will be downloaded.

The malware authors have used the Java symbol as icon. Not sure what's up with that, haven't they been following the news? ;-)


Java icon, trying to trick the user


RemovalTool.exe
Result: 3/42
MD5: ebb4ac5bb30b93e38a02683e3e7c98c6
VirusTotal Report
Anubis Report


When executing the file, you get a nice installer screen:


Alleged Java Setup screen


In the background, the following file is downloaded and executed:

Plugin[1].dll & JavaUpdate.dll
(it's the same file, just under a different name so as not to raise suspicion)
Result: 19/42
MD5: 67096009f35c6894441a221b6429d27c
VirusTotal Report


JavaUpdate.dll gets injected into explorer.exe to carry out other malicious activities and to ensure that it starts automatically.


The file tries to connect to URLs above




Conclusion

Always be wary when receiving a mail, even if it seems to be from an Antivirus vendor. In this case, the malware authors try to scare the user by saying you are infected and need to download a file to clean it up.

In case of doubt, perform a scan with your installed Antivirus and an online scan from another vendor. Remove the mail.



Tuesday, 28 August 2012

Java exploits lurking around

Update - 31/08/2012
Oracle has issued a patch for the exploit. You can download the patch from:

Oracle has also issued an alert concerning this exploit.
---End update


I'm sure everyone has heard about the latest Java exploits lurking around.


I received the following mail recently:


Mail from ADP, which seems to be a payroll/HR outsourcing firm


Example mails:
#1
ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services



#2

ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Aug 27 23:59:59 GMT-03:59 2012

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


When clicking on one of the links in the mail, you get redirected to a compromised webpage, which will load the exploit on your system. The exploit kit responsible is Blackhole.

The exploit in question:
CVE-2012-4681


The following file was downloaded:

Pre.jar
Result: 13/42
MD5: 08fd3413aef2012f2b078fa07855e398
VirusTotal Report



Related files:

adb92c406847e55d699d22ccd36e5e25ff32
Result: 2/42
MD5: b97a943420c13a51af37acbfbcd11d48
VirusTotal Report


js.js
Result: 1/42
MD5: f11a182170557829c150617613cfbb6c
VirusTotal Report


I didn't investigate further at the point when I got the mails, but normally a file called updateflashplayer.exe would have been downloaded as well. At the time of writing, it is already offline.


Files were hosted on the IPs 209.59.222.146 (IPVoid result) and 209.59.222.174 (IPVoid result).



Google Safe Browsing Diagnostic page


The same reported exploit, but different Jar files and droppers:

applet.jar
Result: 25/42
MD5: 4af58300ee5cd6d61a3eb229afe0da9f
VirusTotal Report


hi.exe
Result: 36/42
MD5: 4a55bf1448262bf71707eef7fc168f7d
VirusTotal Report
Anubis Report


mspmsnsv.dll
Result: 24/42
MD5: 2f8ac36b4038b5fd7efad8f1206c01e2
VirusTotal Report


The malware tries to phone home to:
223.25.233.244 - IPVoid result




Prevention

Disable Java in your browser(s) or uninstall if you have no use for it. Brian Krebs has made a nice post on how to disable Java on several platforms & browsers:
How to Unplug Java from the Browser

Specifically for this exploit, you can block the following IP ranges in your firewall or hosts file (or at least block the individual IPs mentioned in this post):
223.25.233.0 --> 223.25.233.255
209.59.222.0 --> 209.59.222.255

There's an excellent post over at DeepEnd Research as well, which includes a workaround and patch (you will need to request this):
Java 7 0-Day vulnerability information and mitigation
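As an added example (not from the original post), the Python snippet below turns the prevention advice above into a detection check over proxy or firewall logs: it flags connections into the two ranges listed, downloads of .jar/.exe files, and any file hash matching the samples listed in this post. The log line format and the sample lines are assumptions constructed for the example; the ranges and MD5s are the ones given in the post.

```python
import ipaddress
import re

# Ranges the post recommends blocking.
BLOCKED_NETS = [ipaddress.ip_network("223.25.233.0/24"),
                ipaddress.ip_network("209.59.222.0/24")]
# MD5s of the samples listed in the post, mapped to their file names.
KNOWN_MD5 = {
    "08fd3413aef2012f2b078fa07855e398": "Pre.jar",
    "4af58300ee5cd6d61a3eb229afe0da9f": "applet.jar",
    "4a55bf1448262bf71707eef7fc168f7d": "hi.exe",
    "2f8ac36b4038b5fd7efad8f1206c01e2": "mspmsnsv.dll",
}
# Assumed log format: "<timestamp> <client_ip> <dest_ip> <url> <md5 of response body or ->"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def check_line(line):
    """Return a list of (reason, detail) findings for one log line."""
    m = LINE.match(line.strip())
    if not m:
        return [("unparsed", line.strip())]
    _ts, client, dest, url, md5 = m.groups()
    findings = []
    try:
        ip = ipaddress.ip_address(dest)
        for net in BLOCKED_NETS:
            if ip in net:
                findings.append(("blocked-range", f"{client} -> {dest} ({net})"))
    except ValueError:
        findings.append(("bad-ip", dest))
    if url.lower().endswith((".jar", ".exe")):
        findings.append(("suspect-download", url))
    if md5.lower() in KNOWN_MD5:
        findings.append(("known-sample", f"{KNOWN_MD5[md5.lower()]} ({md5})"))
    return findings


def scan(lines):
    """Run check_line over every line; returns (line number, finding) pairs."""
    return [(i + 1, f) for i, line in enumerate(lines) for f in check_line(line)]


# Constructed sample lines (not real traffic); 198.51.100.20 is a benign destination.
SAMPLE = [
    "2012-08-28T09:01:02 10.0.0.5 209.59.222.146 http://209.59.222.146/Pre.jar 08fd3413aef2012f2b078fa07855e398",
    "2012-08-28T09:01:03 10.0.0.5 223.25.233.244 http://223.25.233.244/ -",
    "2012-08-28T09:02:10 10.0.0.7 198.51.100.20 http://example.com/index.html -",
]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE):
        print(lineno, *finding)
```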



Conclusion

Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

To test whether your version of Java is out of date and vulnerable you can use:
Zscaler Java test
Is your Java exploitable?
What Version of Java Are You Using?

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Delete emails from unknown senders, and never click on links in a mail you allegedly get from your bank, from UPS, or in this case ADP. If you happen to have placed an order or a bank transfer of any kind, go to the website directly in your browser by typing it in manually.

Note that the links to ADP in this post are not malicious; the URLs behind them in the original mail, however, were. You can verify this by 'hovering' over the link to check what is really behind it.

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.

Download the latest Java updates from here.