6 September 2011, 10:46

I've already posted something about my favourite Firefox extensions when it comes to security. Let's point out here which ones would be useful to mitigate those CA / HTTPS certificate issues (see: http://blog.trendmicro.com/diginotar-iranians-the-real-target/):

 

- Certificate Patrol
- Calomel SSL
- CERT Viewer Plus
- SSL BlackList

I can tell I saw a "certificate change" for Google a few days ago (with Certificate Patrol)!

 

And after that, yes, you may still want to use HTTPS Everywhere :)
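What Certificate Patrol does, reduced to its essentials, as an added example (this is not the add-on's code nor code from the original post): keep a store of the certificate fingerprint last seen for each host and flag any change. The host names, the store layout and the stand-in certificate bytes are assumptions made for the example; fetch_der_cert() needs network access and is not exercised in the offline demonstration.

```python
"""Certificate-change watcher in the spirit of Certificate Patrol.

Added example, not code from the original post or from the add-on. It keeps a
local store of SHA-256 fingerprints per host and reports whether a freshly
observed certificate is new, unchanged, or CHANGED. A change is not always an
attack (certificates get renewed), but it is exactly the event worth checking
by hand, e.g. against the site's published fingerprints.
"""
import hashlib
import json
import ssl
from pathlib import Path

NEW, UNCHANGED, CHANGED = "new", "unchanged", "CHANGED"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Compare the observed certificate with the pinned one for host.

    store maps host -> fingerprint and is updated in place when a host is
    seen for the first time. On a change the store is NOT updated: the user
    has to accept the new certificate explicitly (see accept_change).
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return NEW
    return UNCHANGED if pinned == fp else CHANGED


def accept_change(store: dict, host: str, der_cert: bytes) -> None:
    """Explicitly pin the new certificate once the user has verified it."""
    store[host] = fingerprint(der_cert)


def load_store(path: Path) -> dict:
    """Load the pin store from a JSON file (empty store if it does not exist)."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    """Persist the pin store as JSON."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (network access needed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Offline demonstration with constructed stand-in certificate bytes
    # (hypothetical host name; not real DER data).
    store = {}
    cert_v1 = b"constructed DER bytes for www.example.test, certificate 1"
    cert_v2 = b"constructed DER bytes for www.example.test, certificate 2"
    print(check_pin(store, "www.example.test", cert_v1))  # new
    print(check_pin(store, "www.example.test", cert_v1))  # unchanged
    print(check_pin(store, "www.example.test", cert_v2))  # CHANGED
    # A live run would be:  check_pin(store, host, fetch_der_cert(host))
```

The store is deliberately not updated on a change: the whole point of the add-on is that the user looks at the new certificate (issuer, validity dates, fingerprint published elsewhere) before accepting it.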

21 August 2011, 01:10

This article aims to help those who are trying to understand or find traces on a TomTom GPS. The model investigated is a TomTom Rider 2 (2010).

 

First of all, remove the SD card and plug it into a safe, secured computer.

 

At the root of the card you'll find a file called settings.dat. You can open it with gVim. It contains the list of the cell phones that have been paired with the GPS (via Bluetooth).

The syntax is quite simple, apart from some garbage within the file: the phone name and its MAC address, separated by a simple comma.

 

Then the folder named "contacts" is quite interesting. It contains 3 files: called.txt, callers.txt, contacts.txt.

The filenames describe the data the corresponding files contain. Furthermore, the data is in plain text!

AFAIK, the "contacts.txt" file will only contain data if the cell phone's contacts have been synchronized with the GPS (it automatically offers synchronization the first time a phone is paired via Bluetooth).

 

Then, depending on the main map that has been used on the GPS, you'll find a folder named accordingly. For instance, here, the folder's name is "france".

Inside this folder there are several files. One of them will probably be quite important to the analyst: MapSettings.cfg.

It contains the addresses that have been typed in and triggered a route calculation.

The file is in plain text. The addresses appear to be listed in chronological order.

 

Oddly, at the end of the same file, there is the name and MAC address of the headset that has been used with the TomTom (could be useful, who knows). Here it is: TomTom Headset (scala-rider),00:0A:9B:20:AE:99.
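A small carving routine for the settings.dat and MapSettings.cfg records described above, added here as an example (not part of the original post): it does not parse the undocumented file layout but scans the raw bytes for the documented pattern, a printable device name, a comma and a MAC address. The sample bytes are constructed, apart from the headset record quoted in the post; the phone names and addresses in the sample are invented.

```python
"""Carve "name,MAC" Bluetooth pairing records out of TomTom settings files.

Added example, not part of the original post. settings.dat mixes readable
records with binary garbage, so instead of parsing the (undocumented) layout
this scans the raw bytes for the documented pattern: a printable device name,
a comma, and a MAC address. The same routine handles the headset record found
at the end of MapSettings.cfg. Sample bytes below are constructed; the headset
record is the one quoted in the post.
"""
import re

# A printable name (no comma), a comma, then six colon-separated hex pairs.
PAIRING_RE = re.compile(
    rb"([\x20-\x2b\x2d-\x7e]{1,64}),"           # device name: printable ASCII, no ','
    rb"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"  # MAC address
)


def extract_pairings(blob: bytes):
    """Return [(name, MAC)] in file order, MAC normalised to upper case."""
    found = []
    for m in PAIRING_RE.finditer(blob):
        name = m.group(1).decode("ascii").strip()
        mac = m.group(2).decode("ascii").upper()
        found.append((name, mac))
    return found


def oui(mac: str) -> str:
    """First three octets: the vendor (OUI) part, handy for device attribution."""
    return mac[:8]


# Constructed sample: records surrounded by binary garbage, as in settings.dat.
# Phone names and MAC addresses are invented.
SAMPLE_SETTINGS = (
    b"\x00\x01\x7f\x00"
    b"Nokia 6300,00:1A:2B:3C:4D:5E"
    b"\x00\x00\xff\xfe\x10"
    b"iPhone de Philippe,0a:bc:de:f0:12:34"
    b"\x00\x00\x00"
)
# Headset record as quoted in the post, at the end of MapSettings.cfg.
SAMPLE_MAPSETTINGS_TAIL = b"\x00\x00TomTom Headset (scala-rider),00:0A:9B:20:AE:99"

if __name__ == "__main__":
    for name, mac in extract_pairings(SAMPLE_SETTINGS + SAMPLE_MAPSETTINGS_TAIL):
        print(f"{name!r:34} {mac}  OUI={oui(mac)}")
```

Run it against the real files with `extract_pairings(open(path, "rb").read())`; working from an image of the card rather than the card itself keeps the evidence untouched.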

 

For those who may be interested, here is the whole list of files stored on the SD card:

[Image: SD card GPS files list]

 

I hope this helps, and shows people how easy it is to find personal information about them...

 

 

21 August 2011, 00:00

I felt that Kaspersky antivirus was taking a lot of resources, generating lots of HDD requests.

 

So I tried to monitor what was going on, using Sysinternals Procmon. BTW, hi and congrats Mark :)

 

I set up a filter targeting avp.exe (one of the main executables of KAV).

 

After a few hours, the computer became very, very slow. Pretty close to a DoS, with applications yelling that they needed to be closed to prevent data loss... So I had a look at the "Computer" panel:

 

[Screenshot: disque_210811.jpg]

 

Apart from the data drive (D:), there appears to be a real problem with the disk space remaining on C:...

 

There should be 10 GB of free disk space... where did it go? I was about to launch WinDirStat and analyse the whole partition in depth. But just double-clicking on C: revealed something that caught my attention:

 

[Screenshot: disk_C_pagefile_210811.jpg]

 

Wow... a 12.580 GB pagefile.sys! That explains the mere 54 MB remaining on the drive...

 

And what does Procmon say?

 

[Screenshot: procmon_avp_210811.exe.jpg]

 

See? At the bottom: 24 million events, "backed in page file"...

 

BTW, avp.exe generated 1.2 million events by itself! Around 1 out of 20, that's something. It proves once again that Kaspersky AV takes a lot of system resources. Yes, K Labs did find a trick to use fewer CPU cycles (they use the GPU... still system resources), but what about the disk? It can't be replaced by something else!

 

Back to business: Procmon gives up!

[Screenshot: procmon_DoS_210811.jpg]

 

In a nutshell, here is what I would say to sysadmins:

- be very careful when monitoring system issues with Procmon: you may crash the system with a pagefile.sys eating up all the disk space!
- do not leave less than 10 GB of free disk space on the system partition...

19 August 2011, 22:05

 

This time I chose not to evaluate the effectiveness of security solutions at the exact moment the threat reached the workstation, but some time afterwards...

 

Here is the e-mail, rather well done by the way:

[Screenshot: email_maghegy.com_130811-copie-1.JPG]

 

Thunderbird 64 (Miramar) had warned of a "scam" risk for this e-mail.

But what do the user-side protections, at browser level, give 6 days after the e-mail was received?

 

- Internet Explorer 9: OK, warning
- Opera 11.50: OK, warning
- Netcraft: OK, warning

- Firefox 5: no alert
- Safari 5: no alert
- Chrome 13: no alert
- WOT: no alert
- Webutation: no alert...

 

For Safari:

[Screenshot: site_Safari_OK.jpg]

For Chrome:

[Screenshot: site_Chrome_OK.jpg]

And the most interesting one, Firefox 64-bit 4.0b12pre (with WOT, Webutation, Netcraft...):

[Screenshot: site_FF64_OK.jpg]

Webutation, even more explicit ("everything is fine"):

[Screenshot: site_webuptation_OK.JPG]

Fortunately, Netcraft reacts:

[Screenshot: site_netcraft_alert.pg-copie-1.jpg]

 

------------------------------------------------------------------

And now, what if I try to play the deception through to the end?

Let's fill in the form, e-mail address and password, and submit...

Firebug clearly shows where the password goes:

[Screenshot: login_Firebug.jpg]

 

The page that follows the fraudulent submission of the user's credentials is quite interesting!

[Screenshot: site-page2_FF64_OK.jpg]

 

Could this be linked to the current fake-invoice fraud campaign?

 

At network level, the traffic is also quite revealing:

[Screenshot: site-page2_firebug.jpg]

Various requests to maghegy.com do not succeed... yet the phishing kit seems to work overall.

Notably, the image with all the bank logos (certainly there to reassure the user, like "fake partnerships") comes from:

http://nsa25.casimages.com/img/2011/04/09//110409011725248635.jpg

The server hosting this image is at OVH...

Other elements (notably images) are fetched from places other than Orange.fr... for example the orange character: http://img.woopic.com/common/g8/img/new_user_welcome.gif

 

Let's play along to the end... so I fill in the form. Strange, I'm asked for both my card number AND my account number!

Note that the form is so well made that I cannot enter completely made-up numbers:

[Screenshot: site-page2_remplissage-detect.jpg]

 

In fact, it's the Luhn check that is applied... (see http://www.thetaoofmakingmoney.com/2007/04/12/324.html)

So, to get past the check, I take the example 4552 7204 1234 5677.
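The Luhn (mod-10) check the form applies, as an added example (not the kit's code): the number quoted above passes, a number off by one digit fails, and non-digit input is rejected. The only thing the check proves is that the digits are self-consistent, which is why the form accepts a textbook example number and why passing it says nothing about a card being real.

```python
"""Luhn check as used by the phishing form to reject made-up card numbers.

Added example, not the kit's own code. luhn_valid() implements the standard
mod-10 algorithm used for payment card numbers. It only detects typos and
random digit strings: a well-formed example number passes just as a real one
does. The valid sample number is the one quoted in the post; the invalid ones
are constructed.
"""


def _digits(number: str):
    """Strip spaces/dashes and return the digits, or None if anything else remains."""
    cleaned = number.replace(" ", "").replace("-", "")
    return [int(c) for c in cleaned] if cleaned.isdigit() else None


def luhn_sum(digits) -> int:
    """Sum of the digits after doubling every second one from the right."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the number passes the mod-10 check (minimum two digits)."""
    digits = _digits(number)
    if not digits or len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


if __name__ == "__main__":
    print(luhn_valid("4552 7204 1234 5677"))  # True  (example from the post)
    print(luhn_valid("4552 7204 1234 5678"))  # False (constructed, last digit off by one)
    print(luhn_valid("4552 72O4 1234 5677"))  # False (constructed, letter O instead of zero)
```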

Finally, once the form is accepted, a click on "Valider" sends a POST request, still to the same domain:

[Screenshot: site-page2_POST.jpg]

The form data is clearly visible, and it is the "xeon.php" page that collects it all.

 

Quite classically, and already well proven, this POST request is followed by a redirect to the REAL Orange site (id.orange.fr).

 

And finally, if one tries to reach the root of the phishing environment, the server's HTML response is crafted to return a fake, real-looking Orange Webmail page:

    <html>
    <script type="text/javascript">
    echo = "logins2.html?-http/webmail1e.orange.fr/webmail/fr_FR/inbox.html?w=0&FromSubmit=true?rpsnv=11&ct=1258553363&rver=6.0.5285.0&wp=MBI&wreply=http:%2F"
    self.location.replace(echo);
    window.location = echo;
    </script>
    </html>

 

------------------------------------------------------------------------------------------------------

And what about the server, you may ask?

An old reflex leads me to try an nmap -O --osscan-guess. The result is rather intriguing:

 

Starting Nmap 5.51 ( http://nmap.org ) at 2011-08-20 00:01 Paris, Madrid (heure d'été)
Nmap scan report for maghegy.com (46.252.201.1)
Host is up (0.040s latency).
rDNS record for 46.252.201.1: n1nlhg286c1286.shr.prod.ams1.secureserver.net
Not shown: 986 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
50000/tcp closed ibm-db2
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown
50300/tcp closed unknown
50389/tcp closed unknown
50500/tcp closed unknown
50636/tcp closed unknown
50800/tcp closed unknown
Device type: general purpose|WAP|firewall|phone|printer
Running (JUST GUESSING): OpenBSD 4.X (95%), Linux 2.6.X|2.4.X (91%), Linksys Linux 2.4.X (91%), HID embedded (90%), Nokia Linux 2.6.X (89%), Netgear embedded (88%), Asus Linux 2.6.X (87%), Epson embedded (87%)
Aggressive OS guesses: OpenBSD 4.3 (95%), Linux 2.6.18-8.el5 (Red Hat Enterprise  Linux 5) (91%), Linux 2.6.20 (91%), Linux 2.6.20 (Ubuntu, x86_64) (91%), Linux 2.6.22 (91%), Linux 2.6.22 (Ubuntu, x86) (91%), OpenWrt White Russian 0.9 (Linux  2.4.30) (91%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), HID EdgePlus Solo ES400 firewall (90%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.80 seconds

 

BSD, Linux, a WiFi access point?... all hosted on a prod.ams1.secureserver.net? What's that about... (WTH? ;) some will understand).

And, still with Nmap, service detection makes me raise an eyebrow:

PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.1 (protocol 2.0)
80/tcp open http Apache httpd
443/tcp open http Apache httpd

OpenSSH 5.1? Even on machines described as secure, I almost never come across it...!

 

So I'll try a signature-based identification: HTTPrecon.

[Screenshot: serveur_empreinte_HTTP.jpg]

Bingo, Apache 2.2.8!

I've seen worse, but it's already a first entry point that could have been used to compromise the server. Nessus is running...

14 August 2011, 19:45

While surfing on Twitter you may come across such a profile... one that may look interesting to a few guys :)

Capture_profil_twitter_sex_140811_annon-copie-2.jpg

 

As you can see, several posts dealing with men/women... and "being single"...

 

But what I find more interesting is the link, quite visible, just below the girl's name:

http://oseu.info/?Orgy-Sex-Parties60

 

This is in fact a redirect... pointing to: http://getiton.com/go/f49077.sub1281_&tpa=103758a9fb4001fb6a4add7cf4dd87

Capture_site_profil-twitter_140811.jpg

Wow... even automatic translation to French! And a Verisign logo, to assure people it's safe to pay online on this website...

 

So, is the Twitter girl a real one, or a bot?... who knows.

 

8 August 2011, 00:06

I was expecting something else entirely when I read the e-mail subject...
Subject: La photo de votre profil est belle
From: "Lacie Peterson" <news@affiliate-promoter.com>

 

The body of the e-mail is simple, free of mistakes, rather convincing:

[Screenshot: courriel_profil-FB_060811.jpg]

 

 

Once you click the link, apparently no malicious payload (almost disappointing...), but a nice surprise as far as the site is concerned:

[Screenshot: site_060811-copie-1.jpg]

 

Indeed, I must have a profile lying around on that site (laughs).

 

 

Why did I receive this e-mail? It seems the antispam got its wires crossed:

 1.0 LR_URI_NUMERIC_ENDING URI: Ends in a number of at least 4 digits
 1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
 0.1 HTML_MESSAGE BODY: HTML included in message
-2.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 1.0 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%

 

Ouch, it seems the Bayesian classifier is what made the whole thing fall through... it swung completely into "trusted" and applied its score accordingly. Razor, on the other hand, shows it is still relevant and inflicts a score of 3 all by itself...

 

 

Finally, the rest of the headers seem revealing:

 

Return-Path: <agent@ukrs238777.pur3.net>
Received: from smtp.server.com ([unix socket]) by hermes.reseau (Cyrus-Debian) with LMTPA;
    Sat, 06 Aug 2011 18:26:45 +0200
X-Sieve: CMU Sieve 2.2
Received: from mta17311.pur3.net ([83.138.173.11]) by smtp.server.com with esmtp (Exim 4.69)(envelope-from <agent@ukrs238777.pur3.net>) id 1Qpjhy-0005fS-Nb for philippe.vialle@server.com;
    Sat, 06 Aug 2011 18:26:45 +0200
Received: from localhost (127.0.0.1) by mta17310.pur3.net (PowerMTA(TM) v3.5r16) id h7llk40s4tkn for <philippe.vialle@server.com>;
    Sat, 6 Aug 2011 17:26:05 +0100 (envelope-from <agent@ukrs238777.pur3.net>)
Subject: La photo de votre profil est belle
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alternative_40dbada43dc5a2b347364ec8c576e434"
Content-Transfer-Encoding: 7bit
From: "Lacie Peterson" <news@affiliate-promoter.com>
Reply-To: "Lacie Peterson" <news@affiliate-promoter.com>
X-MailId: {~P91270321946634197420386293013~}
To: philippe.vialle@server.com
Date: Sat, 06 Aug 2011 17:26:05 +0100
Message-ID: <0.0.D8.50D.1CC54558A43966A.0@mta17310.pur3.net>


Still, the MTA's IP address is on at least 5 blacklists (see http://ip-blacklist.e-dns.org/83.138.173.11):

LISTED 18ms 510 Software Group Blackholes
LISTED 20ms SORBS Aggregate zone (problems)
LISTED 20ms SORBS Spamhost (any time)
LISTED 20ms SORBS Spamhost (last 28 days)
LISTED 21ms SORBS Spamhost (last year)
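The same reading of the headers and of the SpamAssassin report, done in code as an added example (not part of the original post): walk the Received: chain, compare the envelope sender domain with the visible From: domain, re-add the rule scores with and without BAYES_00, and build the reversed-octet name a DNSBL lookup would query. The headers and the report are those quoted above; the DNSBL zone name is an assumption for illustration and no DNS query is actually made.

```python
"""Reading a spam's Received chain and SpamAssassin report by hand.

Added example, not part of the original post. parse_received() walks the
Received: headers top-down (i.e. from the last hop back to the first), pulls
the relay IPs out, and sender_domains() shows that the envelope sender
domain differs from the From: domain. spamassassin_score() re-adds the rule
scores of the report quoted in the post and shows what the total would have
been without the BAYES_00 rule. dnsbl_query_name() builds the reversed-octet
name used for a DNSBL lookup (no DNS query is made here). The header text is
the one quoted in the post, folded lines re-joined.
"""
import re
from email.parser import HeaderParser

# Headers as quoted in the post (folded continuation lines re-joined).
HEADERS = """\
Return-Path: <agent@ukrs238777.pur3.net>
Received: from smtp.server.com ([unix socket]) by hermes.reseau (Cyrus-Debian) with LMTPA; Sat, 06 Aug 2011 18:26:45 +0200
X-Sieve: CMU Sieve 2.2
Received: from mta17311.pur3.net ([83.138.173.11]) by smtp.server.com with esmtp (Exim 4.69)(envelope-from <agent@ukrs238777.pur3.net>) id 1Qpjhy-0005fS-Nb for philippe.vialle@server.com; Sat, 06 Aug 2011 18:26:45 +0200
Received: from localhost (127.0.0.1) by mta17310.pur3.net (PowerMTA(TM) v3.5r16) id h7llk40s4tkn for <philippe.vialle@server.com>; Sat, 6 Aug 2011 17:26:05 +0100 (envelope-from <agent@ukrs238777.pur3.net>)
Subject: La photo de votre profil est belle
From: "Lacie Peterson" <news@affiliate-promoter.com>
Reply-To: "Lacie Peterson" <news@affiliate-promoter.com>
To: philippe.vialle@server.com
Date: Sat, 06 Aug 2011 17:26:05 +0100
Message-ID: <0.0.D8.50D.1CC54558A43966A.0@mta17310.pur3.net>
"""

# SpamAssassin report as quoted in the post, one rule per line.
SA_REPORT = """\
1.0 LR_URI_NUMERIC_ENDING URI: Ends in a number of at least 4 digits
1.5 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
0.1 HTML_MESSAGE BODY: HTML included in message
-2.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000]
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.0 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_received(raw_headers: str):
    """Return [(from_host, relay_ip_or_None)] per Received: header, top-down."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())
        from_host = re.match(r"from\s+(\S+)", value)
        ip = IPV4_RE.search(value)
        hops.append((from_host.group(1) if from_host else None,
                     ip.group(1) if ip else None))
    return hops


def sender_domains(raw_headers: str):
    """(envelope-from domain taken from Return-Path, visible From: domain)."""
    msg = HeaderParser().parsestr(raw_headers)
    rp = DOMAIN_RE.search(msg.get("Return-Path", ""))
    fr = DOMAIN_RE.search(msg.get("From", ""))
    return (rp.group(1) if rp else None, fr.group(1) if fr else None)


def spamassassin_score(report: str, ignore=()):
    """Sum the rule scores; rules named in ignore are left out of the total."""
    total = 0.0
    for line in report.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        score, rule = float(parts[0]), parts[1]
        if rule not in ignore:
            total += score
    return round(total, 2)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed octets plus the DNSBL zone, i.e. the name you would dig/nslookup."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    for host, ip in parse_received(HEADERS):
        print("hop:", host, ip)
    print("envelope vs From domains:", sender_domains(HEADERS))
    print("SA score:", spamassassin_score(SA_REPORT))
    print("SA score without BAYES_00:", spamassassin_score(SA_REPORT, ignore={"BAYES_00"}))
    print("Razor rules alone:", spamassassin_score(
        SA_REPORT, ignore={"LR_URI_NUMERIC_ENDING", "HTML_IMAGE_ONLY_20", "HTML_MESSAGE", "BAYES_00"}))
    # zen.spamhaus.org is just an illustrative zone; nothing is resolved here.
    print(dnsbl_query_name("83.138.173.11", "zen.spamhaus.org"))
```

The numbers line up with the post's reading: the report totals 3.6, would have been 5.6 without the Bayesian rule pulling it down, and the three Razor rules contribute 3.0 on their own. The only hop that can be trusted is the one written by the receiving MTA (smtp.server.com, seeing 83.138.173.11); the hop written by the sender's own MTA can say anything.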

 

 

On the other hand, according to Cisco, the security reputation of that same server is "good"! http://www.senderbase.org/senderbase_queries/rep_lookup?search_name=83.138.173.11&action%3ASearch=Search

[Screenshot: senderbase_IP_080811.jpg]

 

Same at McAfee: http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=83.138.173.11

[Screenshot: mcAfee_IP_080811.jpg]

3 August 2011, 01:49

While trying to get the official "uptime" tool from Microsoft's website (http://support.microsoft.com/kb/232243), I had a surprise.

The file got detected by the automatic AV scan that ships with IE9 (i.e. Windows Defender).

 

[Screenshot: msg_IE9_uptime.exe_030811-copie-1.jpg]

 

And the VirusTotal's results are even more surprising:

https://www.virustotal.com/file-scan/report.html?id=f81cb05b34a85daf038b59cabde25d772a37ceacb94109bd8fe6a1103bd65631-1312329203

 

Antivirus Version Last update Result
AhnLab-V3 2011.08.02.01 2011.08.02 -
AntiVir 7.11.12.198 2011.08.02 -
Antiy-AVL 2.0.3.7 2011.08.02 -
Avast 4.8.1351.0 2011.08.02 -
Avast5 5.0.677.0 2011.08.02 -
AVG 10.0.0.1190 2011.08.02 -
BitDefender 7.2 2011.08.03 -
CAT-QuickHeal 11.00 2011.08.02 -
ClamAV 0.97.0.0 2011.08.02 -
Commtouch 5.3.2.6 2011.08.03 -
Comodo 9606 2011.08.02 -
DrWeb 5.0.2.03300 2011.08.03 -
Emsisoft 5.1.0.8 2011.08.02 -
eSafe 7.0.17.0 2011.08.01 Win32.Banker
eTrust-Vet 36.1.8479 2011.08.02 -
F-Prot 4.6.2.117 2011.08.03 -
F-Secure 9.0.16440.0 2011.08.02 -
Fortinet 4.2.257.0 2011.08.02 -
GData 22 2011.08.03 -
Ikarus T3.1.1.104.0 2011.08.02 -
Jiangmin 13.0.900 2011.08.02 -
K7AntiVirus 9.109.4973 2011.08.02 -
Kaspersky 9.0.0.837 2011.08.02 -
McAfee 5.400.0.1158 2011.08.03 -
McAfee-GW-Edition 2010.1D 2011.08.02 -
Microsoft 1.7104 2011.08.02 -
NOD32 6345 2011.08.02 -
Norman 6.07.10 2011.08.02 -
nProtect 2011-08-02.01 2011.08.02 -
Panda 10.0.3.5 2011.08.02 -
PCTools 8.0.0.5 2011.08.03 -
Prevx 3.0 2011.08.03 -
Rising 23.69.01.03 2011.08.02 -
Sophos 4.67.0 2011.08.02 -
SUPERAntiSpyware 4.40.0.1006 2011.08.02 -
Symantec 20111.1.0.186 2011.08.03 -
TheHacker 6.7.0.1.267 2011.08.02 -
TrendMicro 9.200.0.1012 2011.08.02 -
TrendMicro-HouseCall 9.200.0.1012 2011.08.03 -
VBA32 3.12.16.4 2011.08.02 -
VIPRE 10045 2011.08.03 -
ViRobot 2011.8.2.4601 2011.08.02 -
VirusBuster 14.0.150.0 2011.08.02 -
MD5: 415eda8d64e4b487a78218212f5db282
SHA1: b565a5b717497950b2b96b8a1ef809f2509f754e
SHA256: f81cb05b34a85daf038b59cabde25d772a37ceacb94109bd8fe6a1103bd65631
File size: 45672 bytes
Scan date: 2011-08-02 23:53:23 (UTC)

 

This also means that VirusTotal's results are kind of unreliable when it comes to Microsoft's antivirus product. But Microsoft detecting a file on its own official server, that's not normal.


BTW, eSafe is also very likely mistaken... And I'm still looking for the Windows Defender logs to understand a bit more about what happened!

25 July 2011, 23:56

That trick nearly got me...

 

[Screenshot: msg_Facebook_250711_annon.jpg]

 

The bot would really make you believe it's your Facebook contact talking to you, but it is not...

I sent the URL to VirusTotal; here are the results: nothing to worry about...

URL Analysis tool Result
Avira Clean site
BitDefender Clean site
Dr.Web Clean site
G-Data Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Error
Phishtank Clean site
TrendMicro Unrated site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Normalized URL: http://213.231.133.56/830578583
URL MD5: 57e229513f552a0ba3775213d1d6b8c6

https://www.virustotal.com/url-scan/report.html?id=57e229513f552a0ba3775213d1d6b8c6-1311622558#

 

Even the analysis of the "downloaded file" does not show any alert:

Antivirus Version Last update Result
AhnLab-V3 2011.07.26.00 2011.07.25 -
AntiVir 7.11.12.103 2011.07.25 -
Antiy-AVL 2.0.3.7 2011.07.25 -
Avast 4.8.1351.0 2011.07.25 -
Avast5 5.0.677.0 2011.07.25 -
AVG 10.0.0.1190 2011.07.25 -
BitDefender 7.2 2011.07.25 -
CAT-QuickHeal 11.00 2011.07.25 -
ClamAV 0.97.0.0 2011.07.25 -
Commtouch 5.3.2.6 2011.07.25 -
Comodo 9510 2011.07.25 -
DrWeb 5.0.2.03300 2011.07.25 -
Emsisoft 5.1.0.8 2011.07.25 -
eSafe 7.0.17.0 2011.07.25 -
eTrust-Vet 36.1.8464 2011.07.25 -
F-Prot 4.6.2.117 2011.07.25 -
Fortinet 4.2.257.0 2011.07.25 -
GData 22 2011.07.25 -
Ikarus T3.1.1.104.0 2011.07.25 -
Jiangmin 13.0.900 2011.07.25 -
K7AntiVirus 9.108.4945 2011.07.25 -
Kaspersky 9.0.0.837 2011.07.25 -
McAfee 5.400.0.1158 2011.07.25 -
McAfee-GW-Edition 2010.1D 2011.07.25 -
Microsoft 1.7104 2011.07.25 -
NOD32 6324 2011.07.25 -
Norman 6.07.10 2011.07.25 -
nProtect 2011-07-25.02 2011.07.25 -
Panda 10.0.3.5 2011.07.25 -
PCTools 8.0.0.5 2011.07.25 -
Prevx 3.0 2011.07.25 -
Rising 23.68.00.05 2011.07.25 -
Sophos 4.67.0 2011.07.25 -
SUPERAntiSpyware 4.40.0.1006 2011.07.25 -
Symantec 20111.1.0.186 2011.07.25 -
TheHacker 6.7.0.1.262 2011.07.24 -
TrendMicro 9.200.0.1012 2011.07.25 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.25 -
VBA32 3.12.16.4 2011.07.25 -
VIPRE 9964 2011.07.25 -
ViRobot 2011.7.25.4587 2011.07.25 -
VirusBuster 14.0.138.0 2011.07.25 -
MD5: a6e4771c5a15705054b529d6d9a74c5b
SHA1: 8cfbec24fb7623f888b6d6f156d9a8284299d319
SHA256: c91712143eefa0f98daec77036d6a22a2c1633556bfdbe895392ed8b559ad00a
File size: 61988 bytes
Scan date: 2011-07-25 21:45:21 (UTC)

https://www.virustotal.com/file-scan/report.html?id=c91712143eefa0f98daec77036d6a22a2c1633556bfdbe895392ed8b559ad00a-1311630321

 

And the reason is quite simple... there is neither an automatic file download nor a drive-by download. Once again, the user is lured into downloading the "latest Flash Player version" himself...

[Screenshot: site_youtube_flash_250711_annon.jpg]

 

Pretty well done, huh? But this is not YouTube...

What I find pretty outstanding is that the "fake YouTube" website grabbed the Facebook victim's username, and furthermore, fake comments from the victim's contacts are displayed below the (fake) video!

 

Please note that the URL is a bare IP address, no domain name! According to Netcraft, the server is hosted in Bulgaria: http://toolbar.netcraft.com/site_report?url=http://213.231.133.56

So, in order to view the video, the user is supposed to click on the link. It serves a Flash-Player.exe file, hosted on the same HTTP server.
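A few cheap URL checks a proxy or mail gateway can apply to a lure like this one, as an added example (not part of the original post): bare-IP host, executable download, brand/host mismatch, plain HTTP. The bare-IP URL is the normalized one quoted above; the Flash-Player.exe path and the brand-to-domain table are assumptions made for the example.

```python
"""Flagging lure URLs like the one in this post: bare-IP host, executable download.

Added example, not part of the original post. A URL whose host is an IP
literal instead of a domain name, a path that ends in an executable, a page
that claims a brand but sits on a host the brand does not own, and plain HTTP
are generic signals a gateway can check before any AV signature exists.
The bare-IP URL is the normalized URL quoted in the post; the other sample
URLs and the brand table are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".jar")
# Registered domains on which each brand's real site is expected (assumption).
BRAND_DOMAINS = {"youtube": ("youtube.com",), "facebook": ("facebook.com",)}


def host_is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals such as 213.231.133.56 or [::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def assess_url(url: str, claimed_brand: str = None):
    """Return a list of reasons to be suspicious; an empty list means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if not host:
        return ["no host in URL"]
    if host_is_ip_literal(host):
        reasons.append("host is a bare IP address, no domain name")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append(f"path serves an executable ({parts.path.rsplit('/', 1)[-1]})")
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if claimed_brand:
        expected = BRAND_DOMAINS.get(claimed_brand.lower(), ())
        if not any(host == d or host.endswith("." + d) for d in expected):
            reasons.append(f"page looks like {claimed_brand} but host is {host}")
    return reasons


if __name__ == "__main__":
    # Normalized URL quoted in the post; the page imitates YouTube.
    print(assess_url("http://213.231.133.56/830578583", claimed_brand="YouTube"))
    # Constructed path for the executable the post says is served from the same host.
    print(assess_url("http://213.231.133.56/Flash-Player.exe"))
    # Legitimate-looking control URL (constructed).
    print(assess_url("https://www.youtube.com/watch?v=x", claimed_brand="YouTube"))  # []
```

None of these signals is proof on its own, which is the point: they are cheap enough to log or block on long before 4 out of 43 engines recognise the dropped file.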

And this time, the AV scans do tell us something interesting:

Antivirus Version Last update Result
AhnLab-V3 2011.07.26.00 2011.07.25 Virus/Win32.AntiAV
AntiVir 7.11.12.103 2011.07.25 TR/AntiAV.oao
Antiy-AVL 2.0.3.7 2011.07.25 -
Avast 4.8.1351.0 2011.07.25 -
Avast5 5.0.677.0 2011.07.25 -
AVG 10.0.0.1190 2011.07.25 -
BitDefender 7.2 2011.07.25 -
CAT-QuickHeal 11.00 2011.07.25 -
ClamAV 0.97.0.0 2011.07.25 -
Commtouch 5.3.2.6 2011.07.25 -
Comodo 9510 2011.07.25 Heur.Suspicious
DrWeb 5.0.2.03300 2011.07.25 Trojan.Siggen2.58184
Emsisoft 5.1.0.8 2011.07.25 Trojan.Win32.AntiAV!IK
eSafe 7.0.17.0 2011.07.25 -
eTrust-Vet 36.1.8464 2011.07.25 -
F-Prot 4.6.2.117 2011.07.25 -
Fortinet 4.2.257.0 2011.07.25 -
GData 22 2011.07.25 -
Ikarus T3.1.1.104.0 2011.07.25 Trojan.Win32.AntiAV
Jiangmin 13.0.900 2011.07.25 -
K7AntiVirus 9.108.4945 2011.07.25 -
Kaspersky 9.0.0.837 2011.07.25 Trojan.Win32.AntiAV.oao
McAfee 5.400.0.1158 2011.07.25 Artemis!7A3BC4D258CB
McAfee-GW-Edition 2010.1D 2011.07.25 Artemis!7A3BC4D258CB
Microsoft 1.7104 2011.07.25 Backdoor:Win32/Delf.KV
NOD32 6324 2011.07.25 Win32/Delf.QCZ
Norman 6.07.10 2011.07.25 -
nProtect 2011-07-25.02 2011.07.25 -
Panda 10.0.3.5 2011.07.25 -
PCTools 8.0.0.5 2011.07.25 Net-Worm.SillyFDC!rem
Prevx 3.0 2011.07.25 -
Rising 23.68.00.05 2011.07.25 -
Sophos 4.67.0 2011.07.25 Mal/Generic-L
SUPERAntiSpyware 4.40.0.1006 2011.07.25 -
Symantec 20111.1.0.186 2011.07.25 W32.SillyFDC
TheHacker 6.7.0.1.262 2011.07.24 -
TrendMicro 9.200.0.1012 2011.07.25 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.25 -
VBA32 3.12.16.4 2011.07.25 -
VIPRE 9964 2011.07.25 FraudTool.Win32.SecurityTool (v)
ViRobot 2011.7.25.4587 2011.07.25 -
VirusBuster 14.0.138.0 2011.07.25 -
MD5: 7a3bc4d258cbe30dfb0649ee863fae25
SHA1: 9735e42aed649b87bca6455ddccf92cc563cb17b
SHA256: 7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d
File size: 1185280 bytes
Scan date: 2011-07-25 21:39:44 (UTC)

https://www.virustotal.com/file-scan/report.html?id=7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d-1311629984#

 

Unfortunately, the URL itself does not trigger many security systems:

- Internet Explorer (with Trend Micro Browser Guard): no alert
- Firefox 5: no alert
- Chrome 12.0.742: no alert
- Safari 5: no alert
- Webreputation: "domain not reachable"...

In fact, most of these results are summarized in VT's "URL analysis tool" report.

 

While investigating the threat, I noticed they apparently use a stealth mechanism: you can't request the domain several times, even using different browsers, or you'll get blocked.

This applies to HTTP, while ping (ICMP) still responds.
23 July 2011, 00:50

Here is a screenshot of the message spreading:

 

[Screenshot: MSG_200711-copie-2.jpg]

 

The real URL is being displayed in the status bar.

 

I personally used DynDNS some time ago... anyway.

 

This malware did trigger an alert from:

- Kaspersky

- IE 9 Smart screen filter

 

But the thing is, Kaspersky was talking about an EXE packer/wrapper. That drew my attention.

 

So here we are, let's have a look at the file:

[Screenshot: protect-ID_malware_230711.jpg]

 

So yeah, the file is protected by PKLite32 v1.1!

 

That's what KAV was saying, all right. But to me, just because a file is protected or obfuscated by a specific technology doesn't mean it's malware for sure...
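The entropy heuristic most triage tools use to answer "is this packed?", as an added example (not the post's or KAV's code), and a demonstration of the caveat above: a high entropy score means compressed or encrypted content, not malware. The sample buffers are constructed and the threshold is an assumption to be tuned on one's own corpus.

```python
"""Entropy heuristic for "is this file packed?", and why that is not a verdict.

Added example, not part of the original post or of any AV engine. Packers and
crypters (PKLite32 included) compress or encrypt the payload, so its bytes look
close to random: Shannon entropy near 8 bits/byte. Plain code and data sit
much lower. The heuristic is useful to prioritise samples for a closer look,
but, as the post says, a packed file is not malware by itself: installers,
games and DRM'd software are packed too. Sample buffers are constructed.
"""
import math
import os
import zlib
from collections import Counter

PACKED_THRESHOLD = 7.2   # bits/byte; assumption, tune on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = 4096):
    """Entropy per chunk: a packed file usually shows a small low-entropy
    region (the unpacking stub) followed by a large high-entropy one."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True if most of the file is high-entropy. A triage flag, not a malware verdict."""
    if not data:
        return False
    chunks = chunk_entropies(data)
    high = sum(1 for e in chunks if e >= threshold)
    return high / len(chunks) >= 0.5


# Constructed samples: repetitive "code-like" text vs. the same text compressed
# and followed by random bytes standing in for an encrypted payload.
PLAIN = b"push ebp; mov ebp, esp; sub esp, 0x40; call helper; leave; ret\n" * 600
COMPRESSED = zlib.compress(PLAIN, 9) + os.urandom(16384)

if __name__ == "__main__":
    print(f"plain       entropy={shannon_entropy(PLAIN):.2f} packed={looks_packed(PLAIN)}")
    print(f"compressed  entropy={shannon_entropy(COMPRESSED):.2f} packed={looks_packed(COMPRESSED)}")
```

The same measurement is what makes "suspected of Unknown.Win32Virus" or "Packed/Win32.Morphine" style verdicts in the table below so noisy: they react to the wrapper, not to what it wraps, and a second opinion (sandbox run, unpacking, or a signature on the unpacked payload) is still needed.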

 

More details to come, I'm investigating this in depth...

 

BTW, here are the full VT results (see https://www.virustotal.com/file-scan/report.html?id=48a93a6d8384c58d07285826a00ff3e8c553676903e59e1273316b32c4dc9af3-1311421202# ):

Antivirus Version Last update Result
AhnLab-V3 2011.07.23.00 2011.07.22 Packed/Win32.Morphine
AntiVir 7.11.12.64 2011.07.22 TR/Spy.Banker.253440.3
Antiy-AVL 2.0.3.7 2011.07.23 -
Avast 4.8.1351.0 2011.07.23 Win32:Rootkit-gen [Rtk]
Avast5 5.0.677.0 2011.07.23 Win32:Rootkit-gen [Rtk]
AVG 10.0.0.1190 2011.07.23 PSW.Banker6.AFP
BitDefender 7.2 2011.07.23 Trojan.Generic.6346484
CAT-QuickHeal 11.00 2011.07.23 -
ClamAV 0.97.0.0 2011.07.23 -
Commtouch 5.3.2.6 2011.07.23 W32/Infostealer.A!Maximus
Comodo 9476 2011.07.23 TrojWare.Win32.TrojanDownloader.Dadobra.~JN12
DrWeb 5.0.2.03300 2011.07.23 Trojan.DownLoader4.18737
Emsisoft 5.1.0.8 2011.07.23 Gen.Trojan.TaskDisabler!IK
eSafe 7.0.17.0 2011.07.21 -
eTrust-Vet 36.1.8459 2011.07.22 -
F-Prot 4.6.2.117 2011.07.22 W32/Infostealer.A!Maximus
F-Secure 9.0.16440.0 2011.07.23 Trojan.Generic.6346484
Fortinet 4.2.257.0 2011.07.23 -
GData 22 2011.07.23 Trojan.Generic.6346484
Ikarus T3.1.1.104.0 2011.07.23 Gen.Trojan.TaskDisabler
Jiangmin 13.0.900 2011.07.22 Trojan/Hosts2.bd
K7AntiVirus 9.108.4937 2011.07.22 Trojan
Kaspersky 9.0.0.837 2011.07.23 Trojan.Win32.Hosts2.gen
McAfee 5.400.0.1158 2011.07.23 Generic.dx!babe
McAfee-GW-Edition 2010.1D 2011.07.23 Generic.dx!babe
Microsoft 1.7104 2011.07.23 Trojan:Win32/Comrerop
NOD32 6317 2011.07.23 Win32/Qhost.Banker.JE
Norman 6.07.10 2011.07.22 W32/Suspicious_Gen2.NQJPD
nProtect 2011-07-23.01 2011.07.23 Generic.Banker.Delf.1F2FDCDB
Panda 10.0.3.5 2011.07.22 -
PCTools 8.0.0.5 2011.07.23 Spyware.Keylogger!rem
Prevx 3.0 2011.07.23 -
Rising 23.67.04.03 2011.07.22 -
Sophos 4.67.0 2011.07.23 Mal/Behav-180
SUPERAntiSpyware 4.40.0.1006 2011.07.23 -
Symantec 20111.1.0.186 2011.07.23 Spyware.Keylogger
TheHacker 6.7.0.1.260 2011.07.22 -
TrendMicro 9.200.0.1012 2011.07.23 TROJ_COMREROP.AA
TrendMicro-HouseCall 9.200.0.1012 2011.07.23 TROJ_COMREROP.AA
VBA32 3.12.16.4 2011.07.22 suspected of Unknown.Win32Virus
VIPRE 9939 2011.07.23 Trojan.Win32.Generic!BT
ViRobot 2011.7.23.4585 2011.07.23 -
VirusBuster 14.0.134.1 2011.07.22 -
MD5: bcd76d2daa826d9737e2d63025ed03fc
SHA1: 8925af7ea3dba240087049ee3a2017b734d98264
SHA256: 48a93a6d8384c58d07285826a00ff3e8c553676903e59e1273316b32c4dc9af3
File size: 253440 bytes
Scan date: 2011-07-23 11:40:02 (UTC)

 

As we can see, generic/heuristic/genotype signature technologies tend to prove their effectiveness.

 

ThreatExpert confirms that Kaspersky detects PKLite32 compression: http://www.threatexpert.com/report.aspx?md5=bcd76d2daa826d9737e2d63025ed03fc

 

More to come...

14 July 2011, 00:24

For non-French readers, an executive summary follows.

 

I'm going to present here a list of Firefox extensions that protect browsing, rather than ones for auditing sites or applications.

There will certainly be some overlap with FireCAT, but the goal here is different: hardening the browsing experience.

 

- Netcraft toolbar: anti-phishing protection
- Phishtank SiteChecker: same as Netcraft

- Adblock Plus: ad blocking (take the FR + USA lists)
- Search Engines Security: protection against search engine hijacking
- Webreputation.org: community-based URL rating
- WOT (Web Of Trust): same as Webreputation.org

- McAfee Secure URL Shortener....

- QuickJava: to block on demand Java, JavaScript, Flash, Silverlight, CSS... I prefer it to NoScript, since it can block more kinds of active content.
- CSFire: protection against CSRF (related to the OWASP top lists)

- BetterPrivacy

- Calomel SSL Validation: to check/rate HTTPS certificates
- Certificate Patrol: to track changes in the browser's certificate store
- HTTPS Everywhere: force HTTPS on sites offering both HTTP and HTTPS
- SSL BlackList

- Dr Web Antivirus Checker: to check a file with a simple right-click.

- Browser Protect: against hijacking of the browser's settings...

--------------------------------------- Executive summary ------------------------------------------

 

Here is a list of Firefox add-ons that I do recommend in order to harden the browser's security.

 

- Netcraft toolbar 

- Phishtank SiteChecker

 

- Adblock Plus 

- Search Engines Security 

- Webreputation.org

- WOT 

 

- McAfee Secure URL Shortener....

 

- QuickJava 

- CSFire 


- BetterPrivacy


- Calomel SSL Validation 

- Certificate Patrol 


- HTTPS everywhere 

- SSL BlackList

 

- Dr Web Antivirus Checker 

 

- Browser Protect 
