Overblog
Suivre ce blog Administration + Créer mon blog
6 juin 2011 1 06 /06 /juin /2011 00:31

Voici l'avertissement que j'ai eu en me connectant ce soir à l'interface d'administration du blog :

avertissement_navigateur_060611.JPG

 

Cela me semble un peu surprenant sachant que la machine est un Windows 7, avec IE 9 (version 9.0.8112.16421), et tous les correctifs...

 

Il est donc d'autant plus nécessaire d'avoir divers navigateurs sur la même machine : car dans ce cas, malgré l'utilisation de IE 9, certaines fonctions nécessaires d'administration du blog ne fonctionnaient plus (mode de compatibilité ou non).

 

Je ne peux que recommander d'avoir sous la main Opéra, voire Chromium !


Partager cet article

Repost0
5 juin 2011 7 05 /06 /juin /2011 02:29

On ne le dira peut-être jamais assez, toute authentification devrait être sécurisée : au minimum, le mot de passe ne devrait pas transiter en clair sur le réseau ; et cerise sur le gâteau, il devrait être possible d'authentifier le serveur distant.

 

HTTPS répond à ces problématiques. Pour ce qui est des messageries grand public bien connues, l'on a vu GMail passer de HTTP à HTTPS il y a quelques temps. Et voilà que Microsoft (avec Live Mail) semble suivre le mouvement.

 

Jusque là, tout irait bien. Seulement, voilà le message qui apparaît quand on se connecte à un compte LiveMail non ouvert depuis quelques temps :

Connexion avec HTTPS 

En utilisant HTTPS, nous pouvons sécuriser votre compte, notamment contre les pirates informatiques, si vous utilisez souvent des ordinateurs publics ou des connexions sans fil non sécurisées.

Remarque importante : l'activation de SSL fonctionnera pour Hotmail sur le Web, mais entraînera des erreurs si vous essayez d'accéder à Hotmail via des programmes tels que :
  • Outlook Hotmail Connector
  • Windows Live Mail
  • L'application Windows Live pour Windows Mobile et Nokia

Si vous avez besoin d'une connexion HTTPS temporaire, entrez "https" devant l'adresse Web au lieu de "http".


 

 

 

Ainsi donc, sauf erreur ma part :

- si je force le HTTPS, alors je ne suis plus censé pouvoir utiliser les clients lourds ("intelligents" ou "paramétrables" ?) comme LiveMial (pourtant édité par Microsoft, justement)

- si je veux pouvoir continuer à utiliser LiveMail ou Outlook Hotmail Connector, il faut que je ne force pas le HTTPS, et que je le saisisse manuellement dans l'URL  (avec donc un certain risque de l'oublier...).

 

J'ai donc décidé de forcer le HTTPS, et ne peux que vous encourager à faire de même... et vais garder un oeil sur le sujet. Je prévois notamment un test avec Thunderbird...

A bon entendeur...!

Partager cet article

Repost0
26 mai 2011 4 26 /05 /mai /2011 22:45

Un contact, que je remercie au passage, m'a informé que sa compagne avait eu une petite surprise en voulant choisir "son activité" dans une SmartBox.

deface_romeo-juliette.fr_260511.JPG

Par les entêtes HTTP, il semble difficile de déceler si le serveur n'était pas à jour en termes de correctifs (ce qui aurait pu faciliter l'intrusion). Je vais revenir sur ce point plus bas.

 

Un Nmap donne un résultat assez surprenant, par prise d'empreinte (cf. The Art of TCP Scanning) :

 

C:\>"c:\Program Files (x86)\Nmap\nmap.exe" -O --osscan-guess www.romeo-juliette.fr

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-26 22:42 Paris, Madrid (heure dÆÚtÚ)

Nmap scan report for www.romeo-juliette.fr (82.165.52.73)

Host is up (0.12s latency).

rDNS record for 82.165.52.73: kundenserver.de

Not shown: 938 filtered ports, 57 closed ports

PORT    STATE SERVICE

21/tcp  open  ftp

22/tcp  open  ssh

80/tcp  open  http

81/tcp  open  hosts2-ns

443/tcp open  https

Device type: WAP|general purpose|firewall|broadband routerRunning (JUST GUESSING): Linksys Linux 2.4.X (99%), Linux 2.4.X|2.6.X (98%), Asus Linux 2.6.X (93%), Check Point Linux 2.4.X (90%)

Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (99%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 -2.4.34) (98%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (98%), Linux 2.6.9 - 2.6.21 (95%), Linux 2.6.19 - 2.6.24 (95%), Linux 2.6.18 (94%), Linux 2.6.20.6 (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.17 - 2.6.21) (94%), Asus RT-N16 WAP (Linux 2.6) (93%), Linux 2.6.22 (Fedora 7) (93%)No exact OS matches for host (test conditions non-ideal).

 

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 24.22 seconds

 

 

Avec un autre scanner, LanSpy, il apparaît que le reverse DNS de l'IP du site est bien sur le domaine : kundenserver.de mais aucune bannière n'est récupérable pour les services actifs sur la machine.

Concernant l'adresse IP elle-même, elle apparatient à l'AS8560, située en Allemagne :

http://www.domaincrawler.com/82.165.52.73

Et avec Robtex, il semble que cette adresse IP soit largement sujette à mutualisation :

http://www.robtex.com/ip/82.165.52.73.html#shared

Liste de domaines "pointant vers la même adresse IP" :

1066artgallery.co.uk
1066artgallery.com
arabianweekends.com
architekt-mergel.com
bds-esc-rouen.fr
bonaventura-gymnasium.de
calindastudio.com
carthago-sb.de
catalystjobs.com
comcat4u.com
djk-aviation.co.uk
ehvw.biz
ehvw.net
elaart.com
emiliano-h.com
esm-mouthpiece.de
eventidee.net
forschungszentrum-ruhr.com
forschungszentrum-ruhr.de
forschungszentrum-ruhr.eu
fridaysound.com
fridaysounds.com
fz-r.com
harfieldpackaging.co.uk
harfieldpackaging.com
hm-interieur.de
hs-design-box.com
hsdesign.de
hsdesignbox.com
i4cem.com
i4cem.info
i4cem.net
i4cem.org
julesetcesar.com
kalkan-holidays.com
kephweb.info
label-design.com
liedergalerie.com
liedergalerie.de
lightfantastique.com
marketing-moderation.de
meliorator.com
mini-centre.co.uk
packung.com
pappelhof.biz
pappelhof.info
perfectweddingsandhoneymoons.com
perfectweddingsandhoneymoons.net
praxis-dermos.com
rbeckerweb.net
romeo-juliette.fr
siktalen.com
sithandone.fr
sporteventoftheyear.com
studiocalinda.com
subjektiveobjekte.com
taekwondo-rosny.org
thorsten-eberhardt.de
tiersarg.net
torschaenke.com
tourment.info
versicherte-gewinnspiele.com
versicherte-gewinnspiele.net
volk-s-wagen.com
www.sithandone.fr
www.thorsten-eberhardt.de
youlovefriday.com

En testant certains de ces domaines, dont http://label-design.com/, il semble que la compromission ne touche pas le serveur HTTP entièrement, mais uniquement certains des domaines qu'il héberge. S'agissant d'un Apache, on pourrait donc supposer que la compromission s'est limitée à un (ou plus) VirtualHost.

 

En poussant un peu plus loin l'investigation, on se rend compte que :

- le site défacé a été indexé par Google (donc le défacement ne date pas d'il y a quelques heures, à priori)

- il reste d'autres pages légimites du site (toujours accessibles via Google), exemple : http://www.romeo-juliette.fr/index.html. Donc tout le "virtualHost" Apache n'a pas été effacé...

- la page d'accueil index.php n'est en fait pas utilisée, et affiche un message intéressant :

index_romeo-juliette.fr_260511.JPG


En accédant à http://www.romeo-juliette.fr/index.html  là, magie, la page de défacement apparaît !

Evidemment, je déconseille d'accéder à ce type de sites compromis (à moins d'utiliser des configurations "durcies"), car leur code source "après altération" peut très bien contenir un petit code d'exploitation !

 

Maintenant, en considérant que la page "malveillante" injectée est en HTML, il est normal que les entêtes HTTP concernant le moteur PHP n'apparaissent pas.

 Le PHP est en version 4.4.9 ! 

 Merci à ACE pour m'avoir fait la remarque :)


Moralité : rien ne sert de durcir l'affichage de la version Apache et ses modules (par la directive ServerTokens, qui serait ici en "ProductOnly"), si le champ "X-Powered-By" des entêtes HTTP indique la version de PHP... idem pour les autres champs visibles dans les entêtes (notamment pour les CMS...).

 

Au passage, la page "index.html" injectée ne semble pas malveillante à première vue en parcourant le code source, ni d'ailleurs d'après VirusTotal :

URL Analysis tool Result
Avira Clean site
BitDefender Clean site
Firefox Clean site
G-Data Clean site
Google Safebrowsing Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
TrendMicro Unrated site
Websense ThreatSeeker Clean site
Wepawet Unrated site
Normalized URL: http://www.romeo-juliette.fr/index.html
URL MD5: f94ecfd338a3f063f266d2022c69f5f5

Et Norton Safeweb ne donne rien non plus :

http://safeweb.norton.com/report/show?url=www.romeo-juliette.fr%2Findex.html


Partager cet article

Repost0
23 mai 2011 1 23 /05 /mai /2011 00:32

I was just looking for Google images of an american actor of a serie. Then my browser was trapped, as one of the Google Image results lead it to:

http://www.google.fr/imgres?imgurl=http://www.celebritylatest.com/wp-content/uploads/premieres/marg_helgenberger_mr_brooks_premiere_3.jpg&imgrefurl=http://www.mainstream.fr/img/-%%%%%-dating.html&usg=__grAZHQrnfxcFdhmvNprdLlOKD70=&h=808&w=1000&sz=70&hl=fr&start=17&sig2=jTOL3-NJ0X06PCeKxHJQ0Q&zoom=1&tbnid=SBAcGCvMS_01OM:&tbnh=120&tbnw=149&ei=KJXZTYXXMoub-gbgwuHGAQ&prev=/search%3Fq%3D

and celebritylatest.com has most likely been hacked. Therefore, my browser went to: http://bervert. osa.pl/2.php 

 

I came to that link:

http://www1.smartyauscanner .co.cc/6zf9gss?jtkay6=jt3j2t6hsNrF1uzyw5vozMWroZeqkOTUxbZpmc7D1Oa2sci6ic3hq5aioZra1Lat6aSH1N3dntfSpsng3dLXkO3lxdxz3dPQ6Nfih9jWoKfAlM7ip6ydj6tpqpuSqaenkq2Z1tXP4trlp6WR2OKasKWYpZrt1eGwl5Keo5mjnKXQl7Jc5%2BCeo6epl6ajlpOjpovW2eHMyudz6uTYpaLswuvYxcna0srYz%2BLexqeipeWP1%2BmfyeTbyp7n1c7T2Zrdxt9z2%2BHV4pmsopqlqYagtMfX3OrQ0%2B1k4uDCoOTlhqe5lY%2Fe1tWW

There is first a nice warning, telling me my computer was at risk of being infected by a malware...

 MSG_malware_smartyauscanner_230511.JPG

Then, whatever I do, my browser will be send to this webpage:

AV-scan_malware_smartyauscanner_230511.JPG

 

There is also another URL that does the same:

http://www1.powervorsoft .co.cc/j48zmy?1rdgeik=Vd%2FN1KLSzNjS3Ivn39OvpqGemqHbyKSYj8zS0emiwsm2mN%2Fio6VhqIrW2Kbi5qadx9varNTSss7moN%2FJjdDY2NvhtMfs69Tq2t%2BM15SvqrmL0tutp6mTpKmmoKSmmaJiqora2crf5eK0i%2Bnf06%2BrppmapebQpJmam6WjqJej26WrmePZsWKllJ2WmZ%2Bioq6L1uXc09zdo%2Buo6ZeV2Mrh1dHf0dbb1dfh4suinaTclcrekejg28rTs%2BLl3NjJ3KKY1szLptPk4%2BeKpbeUpLmUmLqT19bdytvfnt7qxqDm25eltZiiodrUiw%3D%3D

 

Now, obviously, if I click on the "remove all" button (which I do NOT recommend you to do), an exefile shows up as a download... how interesting!

 

Here is the real URL of the website hosting the file:

http://www2.save-mastermme .byinter.net/qjsh106_328.php?kan9=j87XprDK182Q0ofo3cmvoJ%2BdkdHXnbCUnMaPz9OwxLi5k9nYqJKeb5nQ6aKk45iZ1s7Wqs%2FErsngqODGnNCc2szlscfs4tLd0tGUnNaevLdT1tGwrJegn6CcmZKlbKGSroug4cLn6divk%2BTOz56mcKaH6tmZqpWkpJqmnp%2BW0JenX%2BfUs5ZgnZekpJmkoKSLz9DbmtzPs9yk5JSh58bo0s%2FN18XTn9jP6cpb2ZProsrnk%2BXWz8bPdubU386Q1dKZ5srYqtXZ39GTbLSGqKtSn6fV2dfo0t%2FZmdDhmqHR4opfs5Oh5M3ik%2BDazaTbnbDU29ORs8rf2Yk%3D

 

What does VT says for this sample, well... only 10 out of 43 engines do detect it :(  and Kaspersky Security Network did not help.

http://www.virustotal.com/file-scan/report.html?id=e8f307051d84cfc90e5d7a7973a5b9a503136771bee9137325719b840ad28ee0-1306104047

Antivirus Version Last update Result
AhnLab-V3 2011.05.23.00 2011.05.22 -
AntiVir 7.11.8.93 2011.05.22 TR/Dropper.Gen2
Antiy-AVL 2.0.3.7 2011.05.22 -
Avast 4.8.1351.0 2011.05.22 Win32:Delf-PIK
Avast5 5.0.677.0 2011.05.22 Win32:Delf-PIK
AVG 10.0.0.1190 2011.05.22 -
BitDefender 7.2 2011.05.22 -
CAT-QuickHeal 11.00 2011.05.22 -
ClamAV 0.97.0.0 2011.05.22 -
Commtouch 5.3.2.6 2011.05.22 -
Comodo 8797 2011.05.22 -
DrWeb 5.0.2.03300 2011.05.23 -
Emsisoft 5.1.0.5 2011.05.22 Trojan-Dropper.Gen2!IK
eSafe 7.0.17.0 2011.05.22 -
eTrust-Vet 36.1.8339 2011.05.20 -
F-Prot 4.6.2.117 2011.05.22 -
F-Secure 9.0.16440.0 2011.05.22 Rogue:W32/FakeAv.BI
Fortinet 4.2.257.0 2011.05.22 W32/Injector.fam!tr
GData 22 2011.05.23 Win32:Delf-PIK
Ikarus T3.1.1.104.0 2011.05.22 Trojan-Dropper.Gen2
Jiangmin 13.0.900 2011.05.22 -
K7AntiVirus 9.103.4693 2011.05.20 -
Kaspersky 9.0.0.837 2011.05.22 -
McAfee 5.400.0.1158 2011.05.23 -
McAfee-GW-Edition 2010.1D 2011.05.22 -
Microsoft 1.6903 2011.05.22 -
NOD32 6142 2011.05.22 Win32/TrojanDownloader.FakeAlert.BHH
Norman 6.07.07 2011.05.22 -
nProtect 2011-05-22.01 2011.05.22 -
Panda 10.0.3.5 2011.05.22 Suspicious file
PCTools 7.0.3.5 2011.05.19 -
Prevx 3.0 2011.05.23 -
Rising 23.58.06.03 2011.05.22 -
Sophos 4.65.0 2011.05.22 -
SUPERAntiSpyware 4.40.0.1006 2011.05.23 -
Symantec 20111.1.0.186 2011.05.23 -
TheHacker 6.7.0.1.202 2011.05.20 -
TrendMicro 9.200.0.1012 2011.05.22 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.23 -
VBA32 3.12.16.0 2011.05.20 -
VIPRE 9359 2011.05.22 -
ViRobot 2011.5.21.4472 2011.05.22 -
VirusBuster 13.6.367.0 2011.05.22 -
MD5: 6075aad44942356f46c5f33be00f7726
SHA1: 905329745352f85fd20901491ea9aacdacc790d0
SHA256: e8f307051d84cfc90e5d7a7973a5b9a503136771bee9137325719b840ad28ee0
File size: 302080 bytes
Scan date: 2011-05-22 22:40:47 (UTC)

 

More to come (my cat reminds me time's up :) )

 

 

Update 1 (24 hours later):

Chromium does alert while trying to access the URL:

chromium_alert_url_240511.JPG

 

Update 2 (48 hours later):

Only 2 URL scanners do detect the URL, according to VT:

http://www.virustotal.com/url-scan/report.html?id=8a27b11a8ec194015b0bd305ca94b5b9-1306353987

URL Analysis tool Result
Avira Clean site
BitDefender Malware site
Dr.Web Error
Firefox Clean site
G-Data Malware site
Google Safebrowsing Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Error
Phishtank Clean site
TrendMicro Clean site
Websense ThreatSeeker Clean site
Wepawet Unrated site
Normalized URL: http://www1.smartyauscanner.co. cc/6zf9gss?jtkay6=jt3j2t6hsNrF1uzyw5vozMWroZeqkOTUxbZpmc7D1Oa2sci6ic3hq5aioZra1Lat6aSH1N3dntfSps
URL MD5: 8a27b11a8ec194015b0bd305ca94b5b9

 

And while browsing my disk drive, Kaspersky antivirus did pop up a warning regardng the file that had been downloaded after the "fake antivirus scan":

KAV_detect_260511.jpg

 

KAV did not alert by itself, I had to access the folder where the file formerly undetected is.

This proves again it is strongly recommended to let the antivirus software do a full system scan, on a regular basis (at least, very week, or more often if you have any doubt).

 

 

Partager cet article

Repost0
17 mai 2011 2 17 /05 /mai /2011 23:45

En circulation en ce moment !

Texte du SMS :

Vous avez reçu un message vidéo, pour le consulter: http://vvapvideo.com/a4869

Emetteur : +33664844033

 

On notera la ressemblance entre le "vv" de l'URL et un vrai "w", qui ferait donc "Wapvideo", certainement un terme connu (y compris du grand public)...

Quand on va sur le site en question (pas de chance pour les admins, c'était avec un vrai navigateur), voici ce qui apparaît :

vvapvideo.com_ie9_170511.jpg

Tiens, le service SMS+, déjà croisé pour des centres de téléchargements "gratuits et sécurisés" de logiciels, quelquefois sous licence (comme WinZIP ou WinRAR) ou pire, complètement libres (donc le simple téléchargement serait facturé plus de 3€ ??)

Les 3 liens qui sont visibles ont en fait pour commande : sms:81120?body=VIDEOX.

Donc, en fait, on envoie un SMS au numéro 81120, avec le code "X" de la vidéo... 

Le service est facturé à chaque fois plusieurs euros, et ici, c'est apparemment (cf. bas de page)  4€50 + prix du SMS lui-même !

 

En résumé, ne cliquez pas sur les liens et supprimez ce SMS.

De mon côté, je remonte l'échantillon au 33 700 (service de signalement national http://www.33700-spam-sms.fr/).

Partager cet article

Repost0
16 mai 2011 1 16 /05 /mai /2011 01:56

While surfing on the web (cf. previous post), I came to download a file that looked suspicious to me: Shopper Report (ShprRprt.exe)

Kaspersky Antivirus 2011, fully up to date, did not detect anything. But the problem is if I leave the file on my desktop, Windows Defender will detect a "adware:win32/ShopperReports"...

shoper-report_WinDefender_150511.jpg

Anyway, I decided to put the file into the KAV's quarantine. I failed to find the button "submit sample", but... I did hope it would be submitted automatically.

Well, 48hours after I put the file into the quarantine, KAV told me "there is no danger with the file, Kaspersly suggests me to restore it!"...

KAVV2011_Quarant-OK_shoperRprt_150511.jpg

 

Ermf... Altough KAV is up to date, and despite the fact that I accepted to be part of the Kaspersky Security Network (Cloud based antivirus analysis), KAV does not want to detect the sample...

Apparently the KSN did not help. How can a "lambda" user send a sample to the Kaspersky's labs? using GMail you may say? well no, since GMail does detect and refuses exefiles/suspicious files... and Hotmail/YahooMail tend to do quite the same.

 

Update:

Anyway, I found a mean to send the sample with a GMail account.

There is at the bottom of the Kaspersly labs' webpages the email address to send them a "new virus": newvirus@kaspersky.com

Then, you'll have to rename the file like: "exe" to "ex0". Then you zip it and set a password up (like "infected", very common to send samples to AV labs). Now GMail will accept the attachment. The pasword protected zip will also prevent other third party AV scanners to put the file in quarantine...

There we go!...

PS: for those that my interest, or that have a bit of VX history in mind, it seems that Shopper Report is related to 180Search Solutions, a quite well known malware I had studied in the past... It was said to be a visible part of a kindda mafia...! and there are other stories:

http://www.theinternetpatrol.com/search-marketing-company-180-solutions-sues-affiliates-over-botnet-installation-of-180solutions-software-on-users-computers/?amp;name=search-marketing-company-180-solutions-sues-affiliates-over-botnet-installation-of-180solutions-software-on-users-computers

What about right now?

PS #2: did I expose here a way to bypass GMail's filter for binary files? no way!

 

Update 2:

I got a reply for my email. They do provide a link to submit samples online:

http://support.kaspersky.com/virlab/helpdesk.html?LANG=en

And there is in fact a tool in the "Kasperky online user's profile", to do the same:

https://my.kaspersky.com/fr/support/viruslab 

I'm waiting for the Lab's response...


Update 3:

48h after I sent them the email, still no answer :(

   

Update 4 (29th of May, ToW): 

Still no answer for the sample sent by mail :(

But I've also sent a sample using the "My Kaspersky" portal (link: my.kaspersky.com), on the 27th of May, 10PM (Paris Time).

I got an answer, 29th of May 7PM:

Hello,

shprrprt.ex0 - not-a-virus:AdWare.Win32.
HotBar.dh
This file is an Advertizing Tool, it is detected by extended databases set. See more info about extended databases here: http://www.kaspersky.com/extraavupdates

Regards, Ilya Simonov
Virus Analyst


Well... the thing is that their FAQ only talks about KAV version 6 and 7. Mine is 11.0.2! Anyway, I did check, and I had already selected those "extra detection features".

I tryed to force the KAV definition update. But still, no detection of my sample. Even 7 hours after I received the mail, and once again forced updates, no detection. 

My guess: the definition update for my sample has not yet been put on the KAV updates servers... but what if I was really infected at the moment?

This is why it is quite important to check if the AV update is indeed available on the vendor's download servers, once you know they created a new signature. Because if you only rely on "AV automatic updates", you may face a few problems because the signature you need is not yet known to the AV product you use, despite its update checks...



Partager cet article

Repost0
14 mai 2011 6 14 /05 /mai /2011 01:41

KAV_OK_140511.jpg

To those who do not speak/read French, the screenshot proves that:

- KAV 2011 was updated the 12th of May, 10:40PM

- 2 days after that, the 14th of May, 01h40AM, Kaspersky still claims it is up to date!

- udpates are automatic, the default and recommended setting

Note the interface says "the computer is safe. Databases are up to date"...

In a world where antivirus definitions updates are provided quicker than every hour, I don't think more than 24 hours without any update could mean "computer is safe".

In a nutshell, it is not because your KAV says it does protect your antivirus at maximum that it is true...

Here is the proof of it:

KAV_OK_def_140511.jpg

 

After 10 minutes, KAV did start its automatic definitions update. Now, it claims to be "up to date", with a database file generated the 14th of May (ie: today!), 01:22AM!!

 

Update:

Now, taking that into account, a few advises:

- at the right moment the computer get internet connection, and beforce starting any network application (IM, browser, RSS reader, email client...): force Antivirus definition update.

- if your computer was in a sleep mode, or even in hibernation, then just the same: force the update at the right moment it has Internet access

- after the update process, make sure there is no need to reboot to "apply the update"

- then, your computer is preing protected the best your AV solution can

Partager cet article

Repost0
12 mai 2011 4 12 /05 /mai /2011 01:10

Configuration : W7 SP1, KAV 2011

Lorsque l'on imprime une facture depuis un navigateur (type Firefox 4), et via PDF Creator, alors Kaspersky émet une alerte indiquant que "pdfcreator ressemble à PDM.Invader":

KAV2011_Pdfcreator_PDM-invader.jpg

Ok, alors si je ne suis pas expert en virologie, "PDM.invader" késako ?

Quel est le risque réel ?

Pourquoi alerter pour une application aussi (re)connue que PDF Creator ? S'il y a un réel problème de sécurité avec ce logiciel, autant être clair et le bloquer réellement, me semble-t-il...

Noyer l'utilisateur sous les messages d'alerte n'est pas forcément le plus efficace, en sécurité.

Partager cet article

Repost0
11 mai 2011 3 11 /05 /mai /2011 23:47

KAV2011_certificat_expir_110511.jpg

 

To those who do not read French like easily ;), this screens comes from a Win 7 warning telling me that I should check the editor's identity of the file kav11.0.2.556FR-INT_213_VP.exe.

The certficate provided by KLabs to digitally sign the setup of KAV 2011 has expired on March 2011, the 8th...

But the software (and the file) is still being sold on the web...

How could we explain to users theyu should check carefully the digital signatures of the files they download/install after that?

NB: the version of the installer is 11.0.2.556.

 

Update 1:

 

After a few days without turning one PC, Kaspersky (and Windows) complains because it is "obsolete". Allright.

But when you launch the update, Win 7 displays a warning, to ask you for confirmation that you trust a Kaspersky file...!

 

Here are the (french version of the) warning, on the right, and the certificate details, showing it has expired since the 9th of March 2011...

KAV2011_certificat_wmiav.exe_270611.JPG

 


Partager cet article

Repost0
10 mai 2011 2 10 /05 /mai /2011 00:22

To those who still believe that downloading a file from "common downloadZ websites", here is (another?) kindda sample of how dangerous it can be for your computer...

First, the video file displays the following message in the Windows Media Player (or in VLC, if it's your default mediaplayer):

MSG_WinMedia_100511-copie-1.jpg

 

But at the same time, it will launch your default web browser:

freaktorrents.info_100511.jpg

The text "you are going to play a High Quality Video" seems only to be there to tempt the user...

As you can see, the link at the bottom of the page points to: freaktorrents .info/unlock/downloadvlc.

 

In fact, it will drive the user to:

clockdownloadsoftware.com_VLC_100511.jpg

Please note that the website will automatically translate to your language (the one of your browser).

What about the VLC they offer in "free download"?

Not only it is an obsolete version according to the filename: 

http://preview.licenseacquisition.org/48/1056428137.51143/vlc-1.0.1-win32.exe

In fact, once the download has started, the last version of VLC arrives on the computer.

 

But there is another file behind the "download" blue button:

http://origin-ics. clickpotato.tv/IC/GPLCPLite47/16866/0/3a9517da-aa34-46a5-ba0b-72db30c78707/VLCSetup.exe

it is not the real VLC, it is most likely a downloader, which is pretty well detected by VirusTotal! 26 engines out of 42... But surprisingly, neither Panda Cloud nor Immunet Cloud did detect the sample! 

http://www.virustotal.com/file-scan/report.html?id=0c8a5c2a1d472d2b5f7ed0a8f8c63f38acc051416967dc48e43917d88ec96717-1304978623

I find it interesting that this URL seems to appear only once... Probably they record the IP address of the visitor. Typically a VX trick.

So, please keep in mind not to download media files from untrusted websites!

 

Let's talk a bit more about the vlcsetup.exe:

 

The funny point I think is that the file is digitally signed! (Pinball Corp, what a name...)

VLCsetup.exe_appliSign_100511.jpg

Even legitimate software are often not digitally signed... anyway, the dark side also uses tools to drive user confidence.

 

Once the file is being run, here is the network traffic it creates:

vlc-setup_trafic1JPG-copie-1.JPG

 

One request is somewhat interesting:

POST /generate/software/?SAIRND=233525&icbrandid=10&os=5.1&browser=IE.6.0&hdid=00-03-FF-4B-E1-AF&cc=FR&chid=197164&cid=1315344&con=n&ix=gplcplite&v.installername=VLCSetup.exe&v.method=software&v.s=65536&v.rascsi=n&realplayer.code=0&rpwcdesktop.code=0&rpchrome.code=0&rpgoogletb.code=0&clickpotato.code=0&SrS3x.code=0&SrS31.code=0&SrS2x.code=0 

 

We can see in it, most likely:

- the browser: "IE.6.0"

- the OS (XP): "5.1"

- the MAC address (00-03-FF-4B-E1-AF): 00-03-FF-4B-E1-AF

- the country or keyboard layout: Fr!

- the filename that has been downloaded: ""VLCSetup.exe". This could probably mean the guys have various malicious files reporting to the same server...

- then comes what looks like a software inventory: realplayer.code=0: no realplayer found installed? / rpwcdesktop.code=0: I don't know :( / rpchrome.code=0: no Chrome installed? / rpgoogletb.code=0: no Google Toolbar found? / clickpotato.code=0: no "clickpotato" installed.

 

Well, it appears they create a profile of the computers...

 

Let's move on the installation procedure. If you run the file vlcsetup.exe (which I advise you no to do!), the following window will appear, it is obviously quite different from the official/real VideoLan installer!

VLC_setup_start.JPG

The button "next" triggers far more than a simple software installation:

- Domain ics.clickpotato.tv

HTTP GET /Software/SrS2xParam01/434/ShprRprt.exe?rnd=2296111 

HTTP GET /Software/QuestScan/496/brand.exe?rnd=2323420 

HTTP GET /Software/ClickPotatoLiteClient01/492/ClickPotatoLiteInstaller.exe?rnd=2340385 

- domain upgrade.questscanone.com

HTTP GET /download/questscan/1_26/questscan-setup.exe 9446 1599.561490

HTTP GET /download/QuestScan/1_27/upgrade.cab?upg=path 

 

and last! HTTP GET /Software/VLC/466/vlc-1.1.9-win32.exe?rnd=2368105 

 

 

 

 

 

Partager cet article

Repost0