Overblog
Suivre ce blog Administration + Créer mon blog
7 juin 2010 1 07 /06 /juin /2010 15:51

Just after the Adobe and French CERTA advisories, I wanted to talk a lil bit about the website that is said to host the Adobe 0day.


Here is Adobe's advisory:

http://www.adobe.com/support/security/advisories/apsa10-01.html


According to Symantec (see: http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-060601-3020-99, the suscpicious website is:

google-analytics. dynalias.org.


It quite clearly seems to be a fake Google Analytics portal. Not sure that it does steal user's credentials anyway...


Please note that :

- Netcraft did not warn about it (at the time of writing)

- IronPort does not detect it

- Secure Computing (trustedsource.org) does not detect it

- Firefox 3.6 does not tell anything

- internet Explorer 8 neither

and a very few AV vendors are said to be able to detect the PDF...


Here is what the website looks like:


capture_googleAnalytics_dynalias_070610.jpg


The IP address 180.149.252.136 is apparently located in Hong Kong... see:

http://www.robtex.com/dns/google-analytics.dynalias.org.html

and blacklisted at least once!


So I strongly recommend to remain prudent with that domain.




Partager cet article

Repost0
4 juin 2010 5 04 /06 /juin /2010 20:56

Well this is not the first one, but at least I find it relevant since it is not being detected by (almost) any AV engines - I mean command line versions on VirusTotal.

 

Here is what the MSN message looks like:

 

msg_MSN_040610.jpeg

 

 

I clicked on the link aztec-casino.uk... the browser popped up and offered me to download a file named installcasino.exe.

 

Unfortunately for the bad guys, a BSD derivative kernel is kindda immune to Win 32 PE files... :)

 

According to VirusTotal, only 1 engine out of 41 detects the sample:

http://www.virustotal.com/fr/analisis/09b2b1ea08b19ff9a4e1c3609a39fa8f6ae60b8827260e8dd034630af754343c-1275677556

 

The only detection is an heuristic one. Please keep in mind that VirusTotal uses command line versions of AV engines, and this may reduce heuristic features or particular content dynamic analysis.

 

I'm waiting for an online sandbox analysis results.

 


What about URL filtering? not better either:

- nothing for McAfee TrustedSource:

http://www.trustedsource.org/en/feedback/query?sid=&p=&q=www.aztec-casino.uk.mn

- nothing for IronPort / SurfControl:

http://mtas.surfcontrol.com/MTASResults.asp  (says 'not in our list' at the time of writting).

 


What about domain informations?

- a bit weird according to Netcraft: UK or De?

http://toolbar.netcraft.com/site_report?url=http://www.aztec-casino.uk.mn

- brazilian IP address according to DomainCrawler? no WhoIs information...

http://www.domaincrawler.com/domains/view/www.aztec-casino.uk.mn

 

 

What about DNS?

> server 208.67.222.222
Default server: 208.67.222.222
Address: 208.67.222.222#53

 

> www.aztec-casino.uk.mn
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:

Name:   www.aztec-casino.uk.mn
Address: 188.40.70.45

OpenDNS and my ISP do agree about the IP resolution, therefore that should be correct.

 

Then I guess RIPE will be a pretty reliable about geo-localization:

http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=+188.40.70.45&do_search=Search

and (this winner is): Germany.

 

 

 

 

 

Partager cet article

Repost0
30 avril 2010 5 30 /04 /avril /2010 00:12

I'm not gonna deal here with the real McAfee DAT 5958 issue by itself. What I find interesting is what's coming around this incident.

Some other AV vendors warned that users attempts t download the DAT that fixes the 5958 failure may be used to infect their computers.

I was honestly thinking about fake DAT packages: malware linked to a real exefile DAT from McAfee, or even just malwares called 'SDAT5959'...

But what I discovered is actually worse, to me.

Consider the following Google request: download mcafee DAT 5959. Quite natural and obvious, isn't it?

Here is the URL of the 5th page

 http://www.google.fr/search?hl=fr&safe=off&q=download+mcafee+DAT+5959&start=40&sa=N

 

But this is where the danger shows up. Let's have a look at the first link of the Google's page of results:

RQ_Google_tolstiy.co.cc_290410.jpg

 

The website domain name is: tolstiy.co.cc.

The Google preview of its content even includes the Google logo.. This should not be dangerous, right?

You may notice all the relevant keywords the website may need to be well indexed and appear at a good place in Google's results: 'sdat 5959 free download license mcafee superdat failure SDAT5959 EM. exe mcafee8.5i, McAfee®: 5960 Update '

This could help SEO hijacking (or poisonning) for sure!

Nonetheless the point is that the user will immediately be redirected to another website: endroiturlredirect.com

exploit_alertAV_endroiturlredirect.com_290410.jpg

 

Then the malicious part shows up. This pages hosts an exploit!

Avira prompted then a warning:

MSG_Avira_endroiturlredirect.com_290410-copie-1.jpg

 

A PDF exploit for a DAT update rescue... that's probably funny (or weird).

Therefore I strongly recommend to any users and admins to really pay attention to where they download updates (including antivirus ones), at any time, especially in case of emergencies.

 

More about the website: http://tolstiy.co.cc/

You have to pay attention to notice something quite strange.

I said that the thumbnail of it seems to include a Google's logo... yes but guess what, the Google logo, buttons and request bar are all a simple picture in fact!

And here is the URL of it: http://www.webopedia.com/quick_ref/img/google_screen001.jpg

And what about the WhoIs of it? http://www.domaincrawler.com/domains/view/tolstiy.co.cc

Hey, more interesting: the IP address seems to be a Brazilian one, and the rest of the WhoIS info appears to be protected by an anonymization system. Quite obscure, but a kindda habit in VX methods.


But what if I use Internet Explorer 8?

Surprinsingly (or not?) the page redirected me to: malware-checker-free.com. And I.E. 8 screamed about a phishing risk while accessing this website.

Here is a screenshot of what I saw:

MSG_IE8_malware-checker-free.com_290410.jpg


And what about other browsers? (PoC: Win 7, 64 bits, full patched).

- Safari (last version) did not alert me in anayway

- Firefox 32 & 64 bits (last versions): no alert

- Opera 10 (last version): no alert.

- Chrome (last version) : no alert.


So here is what an user could see if he does not use I.E.:

controlpanel_malware-checker-free.com_300410.jpg


And the (funny but) annoying part of it is an endless loop behind this popup:

msg_malware-checker-free.com_290410-copie-1.jpg


Whatever an user will do ('cancel', or 'OK'), the popup will come back, and furthermore will try to download an exefile on the computer.

This file is called: 'win_protection_update.exe'

Here is the VT results for it (let me remind that VT is a list of command line AV scanners, not the realtime protection they could offer in a regular installation):

http://www.virustotal.com/fr/analisis/415af935f5ce82f68f15ad133af4542813e34c40a7c5825fed9cdf0d2a46d304-1272584528

Ok so that's 20 out of 41 engines, not bad.


About the malicious URL by itself: http://malware -checker -free.com/secure1/?id=ololo


If you try to access it with only the FQDN, let's say malware-checker -free.com  you may be redirected to... Google. A bit funny.

But if you try to change subdolder and/or page, such like: http://malware -checker-free.com/test   here is what shows up: 

Apache/2.2.3 (CentOS) Server at malware-checker-free.com Port 80

 

Either the bad guys forgot to update (and secure) their web server, or they hacked a third party one to host their malicious page and files...



Last, if you look at the source code of the webpage http://malware -checker-free.com/secure1/?id=ololo   (thanks to Opera!), you may have an idea about how the bad guys tried to obfuscate their source code:


<!--

Page protected by ionCube - HTML/JavaScript Encoder

Copyright (c) 2003 RWJD.Com and ionCube Ltd.  All Rights Reserved.

Any analysis of this  source code,  embedded data  or file by any means and by any entity whether human or otherwise  to including but without  limitation to discover details  of internal operation, to  reverse  engineer, to  de-compile object code, or to modify  for the purposes  of modifying behavior or scope of their usage is forbidden.

-->

 

To finish with, a Google request will suggest that ionCube is a proprietary solution to "protect and license" the PHP pages... well, I'm not sure the bad guys did pay for the ionCube license (just guessing).



 


Partager cet article

Repost0
20 avril 2010 2 20 /04 /avril /2010 00:55

Une fois n'est pas coutume, je n'étais même pas en train de faire de la veille, que l'un de mes comptes MSN a reçu en rafale deux messages, de deux contacts différents.

Evidemment, les contacts en question étaient censés être "hors ligne" au moment de l'envoi, et (bizarre vous avez dit bizarre... ?) il m'envoient le même message.

Voici un échantillon :

msg2_MSN_180410_annonym.jpg


On notera qu'il s'agit apparemment d'un lien pointant sur une photo... un procédé qui n'est pas nouveau.

Téméraire que je suis dans mes analyses virales, je m'empresse de cliquer sur le lien.

Tiens donc, à la place d'une photo, c'est un fichier ".src" qui arrive sur mon disque. Ho les vieux temps de la virologie sont de retour...

Cependant, cette fois-ci l'antivirus bippe directement (NOD32 ,et Antivir)

Mieux que cela, une analyse comparative sur VT donne un résultat encourageant : presque 1 moteur sur 2 détecte (en mode ligne de commande) le fichier :

http://www.virustotal.com/fr/analisis/5a38a64a407f6093f8fe3ce737fd9ebe35835e0a0eac42a301e6c86c4def7850-1271593655

Alors que dire, pour les mauvaises langues : est-ce les antivirus qui sont tous à l'heure cette fois-ci, ou la menace virale qui est obsolète ?...

Partager cet article

Repost0
12 avril 2010 1 12 /04 /avril /2010 21:46

As you probably read on te web, at the same time people welcome new URL services such as goo.gl, others warn about new threats that come with them: bypassing URL filters using URL shorteners...


Here is a kindda new sample. Once again, over the MSN Network. 

message_msn_tinyurl_120410_annon.jpg

If you click on te URL, the tinyURL system will automatically redirect you to: http://www.camstranger.com/


Once again, I strongly warn any people to click on that link, unless you know what you do.

The website seems to be a kindda public chat, with webcam. AFAIK there is no viral component on it. But I would say anyway that this looks strange.

capture_camstranger.com_120410.jpg


My guess: some guys rented a BotNet and/or a stolen MSN accounts database to send a massive communication in order to promote that new public chat... 

I'll try to check that out later on :)

Partager cet article

Repost0
7 avril 2010 3 07 /04 /avril /2010 22:48

It's been a quite long time since I wanted to write this article. But taking into account the fact that I spent 3 hours at night to understand what was happening to my BIOS, I could not forget it, I guess...

How did all of that started? very simple. I thought of applying some of the best practices in laptop security: (BIOS) password at startup.

Very well, I entered the BIOS. I had a few difficulties, because the 'Care' button did not work that well, and the boot-splash did hide the key to press to enter the BIOS. Anyway, I'm more patient than that.

Once I had got into the BIOS, I went to the security tab. Setting a password up seemed to be quite simple, as usual.

Then, I started my laptop, like in a regular way. As usual, it remained on for a few days, without reboot. And obviously, the problem came out at the next reboot. Thanks Windows Update (automatic / forced) reboot at night, for that...

Not even scared, I saw the next evening the bootstrap stucked at the password check. So I entered my so said password. Yikes, it seemed to compute a lil bit, and then displayed a warning telling me that my password was wrong. I tried a second time, a third one... then forced reboot....

This time, I started to feel less at ease... 

My password was 7 letters long, with 2 more digits. I imagined the problem could be a keymap issue (Qwerty in the Bios, else Azerty). So I built all the combinations I could imagine: typos, and keymaps issues... 

3 hours later, I was still in front of a locked computer. Then, fortunately, a bit of 'password hardening experience' came to my mind: what if the Bios could not register my whole password?

After 5 minutes, bingo! Only the first 6 characters had been saved! 

But no warning told me that only 6 out of 9 characters were going to be saved... I find it quite abnormal and tricky!

I hope this will help other people, at night, in a rush... like I was...

Partager cet article

Repost0
26 mars 2010 5 26 /03 /mars /2010 23:07
Once again, I was not even expecting to get a sample that way...

Here is the
message I received on one of the Skype accounts I use as 'honeypots' (one day ago):

MSG_Skype_dreams-lady.com_250310.jpg 


I never requested in any way to receive such ads!

Okay so let's go to 'dreams-lady'. To be honest, at this point, I was really expecting a malicious website, or even a fake portal to steal my CB number...
Sometimes the habit does not help you out at 100%...

However, I was surprised to see the website that responds to dreams-lady. Here is a screenshot:
dreams-lady.com_250310-copie-1.jpg


Looks really like a kindda russian version of meetic, huh? just kidding.

Just in case of, I had a look at the WhoIs. And there came an unexpected surprise:
http://www.domaincrawler.com/domains/view/dreams-lady.com
 
Wow,
IP located in China? seems weird.  
Any other information provided by the WhoIs looks relevant to a russian origin.

Just a thought... let's see the
IP reputation...
An old tool: 
http://www.dnsbl.info/dnsbl-database-check.php
Bingo...!
59.53.91.107 listed! And I do trust SpamHaus' lists.

But that's not all. The IP address really seems to be a chineese one: 
http://www.ip-adress.com/whois/59.53.91.107

Okay then, russian domain name, chineese IP... still looks strange to me.

But the IP address reveals other interesting details:
http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=59.53.91.107
Listed because I is said to host a malware.

And guess what... ESET confirms it (access blocked while accessing it)

 

Partager cet article

Repost0
23 mars 2010 2 23 /03 /mars /2010 21:51
I was honestly not expecting it.
I recently found out that one of my Skype accounts had received an offline message, from an unknown contact (meaning I hadn't accepted myself!)

Here is a screenshot of it:
capture_thebulletintrackers.com_230310.jpg 

 At the time of writing (24 hours after I received the message), I still don't know if this is a new scam variant or not. In case of, I publish it (if anybody has got any additional information about it, feel free to post any comment).

But what I do know is that it  appears that Skype used an opt-out way to contact me. I never requested to receive such marketing ads (probably targeted ones...). 

If you visit the website 
http://thebulletintrackers.com/ , you'll see at the top of a page a link (yes it's quite small) called 'skype removal'... yes sounds weird since I did not subscribe to anything.
This weblink points to: http://thebulletintrackers.com/skyperemoval.php

I did try to unsubscribe myself, I'm gonna see what happens, and I'll keep my readers up to date. Untill then, I suggest anybody to be prudent with this marketing campaign. 

Partager cet article

Repost0
18 mars 2010 4 18 /03 /mars /2010 21:11
This is not the first, but I find this case quite interesting.

Some PC that were formerly compromised (I don't know the malware details at the time of writing) started around 6PM UTC to send messages to their MSN contacts.

Here is a sample of the message:

 
Msg_MSN_180310_annonym.jpg

Here is the suspicious web link : www.facebook- id.us/profil.php?=PICT18082010
Obviously,
DON'T CLICK ON THAT!

Please note the exact syntax of the word 'facebook' in the URL! Who's gonna notice the '-us' at the end?

On a safe and hardened operating system (such as a BSD derivative...), I see that the browser will directly try to download an exefile, which name is: PICT18082010-jpg-www-facebook-com.scr

Be carefull since this file has got a
fake icon: it looks like a picture (some kindda JPG file I'd say).

Some people had already tried VT for this sample:
http://forum.malekal.com/www-facebook-profil-php-pict18082010-t24041.html

The AV protection coverage does not look that good:
http://www.virustotal.com/analisis/72c7b58796d12793cf39debb98344bb71ac79670828f8db8540b343eedd5c83c-1268935265
14% !! 

So now, let's try to see
who's behind that domain facebook-id.us.

The first WhoIs results look stange:
http://www.domaincrawler.com/domains/view/facebook-id.us

Wow... it looks like Yahoo has got a problem... is it being as a real component of the attack campaign? 

Ripe.net did not give me any information. But another WhoIs tool seemed to have more detailed information:
http://www.raynette.fr/services/whois/index.php?action=domain_info&domain=facebook-id.us

Still a reference to Yahoo: 
 YNS1.YAHOO.COM

Quite worying if Yahoo has indeed been compromised.
 
Here is what the SFR DNS say about it:

Nom :  sbs-p11p.asbs.yahoodns.net
Addresses: 69.147.83.187
98.136.50.138
69.147.83.188
Aliases: www.facebook-id.us
  p11-pprr.geo.premiumservices.yahoo.com


And OpenDNS:
> www.facebook-id.us
Serveur :   resolver1.opendns.com
Address:  208.67.222.222

Réponse ne faisant pas autorité :
Nom : sbs-p11p.asbs.yahoodns.net
Addresses: 98.136.50.138
69.147.83.188
69.147.83.187
Aliases:  www.facebook-id.us
   p11-pprr.geo.premiumservices.yahoo.com


 Okay those different DNS seem to be consistent. Let's check now the NS that is said to be authoritative on the domain.

> server yns1.yahoo.com
Serveur par defaut :  yns1.yahoo.com
Address: 98.136.43.32
> yahoo.com
Serveur :  yns1.yahoo.com
Address: 98.136.43.32

***  Query refused
> facebook-id.us
Serveur : yns1.yahoo.com
Address:  98.136.43.32

Nom :  facebook-id.us
Addresses: 69.147.83.188
69.147.83.187
98.136.50.138

Hardly kidding but the IP address pointed by yns1.yahoo.com seems to be quite anonymous: http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=98.136.43.32&submit.x=12&submit.y=7&submit=Search


At this moment, I really wonder shat's happening. Yahoo NS does not reply to a standard query for "yahoo.com", but it does respond to a query for "facebook-id.us"!! 

What about URL filtering ?
- Trustedsource (McAfee): not listed  [reported]
- SurfControl: not listed  [reported]
- NetCraft: high risk, but no real warning  [reported]
- Firefox/Chrome (Google SafeBrowsing): no warning.  [reported]

If you acces the website using Firefox (and Firebug ;), you may obtain a few more details:


acces_facebook-id.us_180310_annonym.jpg


Please note the
'YTS' server and the host:  p11w9.geo.sp1.yahoo.com!!
FYI 'YTS' apparently stands for Yahoo! Trafic Server... see http://acronyms.thefreedictionary.com/Yahoo!+Traffic+Server


Then now,
let's try to figure what's going on the Yahoo.com NS. I'm gonna use a Yahoo NS server as one of my DNS (nslookup tool). Let's say ns1.yahoo.com.

Here are the
results:

> server ns1.yahoo.com
Serveur par defaut :   ns1.yahoo.com
Address:  68.180.131.16
 
> yahoo.com
Serveur :   ns1.yahoo.com
Address:  68.180.131.16
Nom :    yahoo.com
Addresses:  67.195.160.76
69.147.114.224
69.147.125.65
72.30.2.43
98.137.149.56
209.131.36.159
209.191.93.53
209.191.122.70
 
> yns1.yahoo.com
Serveur :   ns1.yahoo.com
Address:  68.180.131.16
Nom :    yns1.yahoo.com
Address:  98.136.43.32

Please not that the yns1.yahoo.com does not generate a 'non authoritative answer' within the reply of the official Yahoo DNS. So, we can honestly suppose the A pointer (for yns1.yahoo.com) has been added to the DNS, and... well... they've been rooted.


Therefore, until I've proof of the contrary, I do believe Yahoo NS (and probably one server) have been compromised. And Yahoo is taking part of an attack over MSN...
More to come if I can.

Partager cet article

Repost0
17 mars 2010 3 17 /03 /mars /2010 22:44
I'd heard that Norton (I mean the last version) has improved quite a lot.

It is said to be less system resource consuming, and more efficient. On my part, I spent almost 5 years cleaning computers that were supposed to be protected by Norton... (and others AV, that's true). This is the real life, I can't lie about it.

Anyway. Since I'm curious and I believe Symantec is able to improve its product, I decided to have a look at the famous "last Norton".

This came to me like in a natural way. I installed a software that offered me to install "Norton Security scan" as well (choice by default, please note that point...).

My main computer is being protected at the moment by an up to date AV (MS Security Essentials), and 2 AV on demand (Spybot + MalwareByte). 
I let the Norton Security Scan do...

What results? well... something like 35 'threats'! But, in fact, only cookies...
 
It is very well known that a cookie is a serious threat, able to destroy my computer... [bad joke]. Nonetheless, according to Norton, my computer is at risk, and a serious one.

To fix the 'dangerous items', users obviously have to buy Norton... They definitely are smart, at Symantec Corp.

But the trickky part is not there. 

The Norton Security Scan wakes by itself, from time to time, takes the focus, and displays its warning until you click on 'proceed to checkout' or 'no thank you'.
Please note that 'no thank you' is a very very small button on the popup, like if users were not supposed to see it. Furthermore, there is not "cancel" button on the default popup, you have to click on the cross to close it...!

Then the warning comes again and again. You may reboot the computer, it will still show up after a little bit of time.

Well, sounds like some viral technology... doesn't it? A software you can't really close and that reminds you it is there, and that goes back even after reboot is quite similar to what you can expect from a spyware, adware, or even a keylogger... isn't it?

Here is an example of the 'scary' message you can see, from Norton:

NortonSecScan_alert_080310.JPG


Sorry it's a French version, but quite badly translated.


Anyway, you may read
many complaints on the web about software that harvest and/or harass users until they pay for a so said license... Rogue antivirus are one of the best examples.

Is Norton playing the same way that rogue antivirus do? That's an interesting marketing strategy (use customers fear...).

In the past, we'd seen computers being sold with "antivirus pre-installed"... well yeah, just a 3 months demo license, which point was not clear to the customer. And after that, warnings coming from everywhere to remind the user to buy Norton...

Thus, new version right, but means even worse than in the past? I can't hardly believe what I saw on my screen.
 

Partager cet article

Repost0