17 March 2010, 00:29
Sometimes there is no need to go looking for a malicious item to analyse: a good sample comes to me on its own.
Cynics will say that all my honeypots are behind this observation... not entirely wrong.

Anyway, while reading my e-mail as naturally as can be, I received a notification from Viadeo telling me I had an unread message.
That message is in fact a fraudulent scheme to extort funds:
the 419 scam, named after the article of Nigerian law (4.1.9) that prohibits this kind of practice.

WARNING then: this message hides a dangerous scheme, and I advise everyone against contacting anyone who sent it, or even trying to "investigate" it...


Here is the message in question, in case it helps some people understand what may land in their mailbox.


Good charity

Good evening dear Sir, I acknowledge receipt of your reply and thank you for its content. I am Mr josé paulo fernandez, born on 18 March 1946 in Portugal.
I have been suffering from throat cancer for nearly a month and a half now and I am suffering terribly at the moment. My attending physician has just informed me that my days are numbered because of my deteriorating state of health.
It is out of love for children that I want to bequeath this sum. I suppose I can trust you, since you know what this disease that is eating away at me is.

I had no children with my wife Maria (may the earth rest lightly upon her) in 15 years, so I have nobody to whom I can leave my inheritance.

For this reason I would like, graciously and out of concern for helping the needy, to give you this inheritance, amounting to five million US dollars (6.000.000 §), to allow you to set up a charitable foundation in my memory, so that the grace of God may be with me until my final resting place and I may be granted an honourable place beside the Lord our Father.

Have no fear, because before contacting you I prayed for several nights that the Lord Jesus Christ would grant me contact with a trustworthy person to whom I could entrust this matter, and it is following that that I made the searches which allowed me to obtain your address.
Know that you may keep half of this money for yourself, and the rest will be used to create a charitable foundation in my memory, as well as a federation to fight cancer, and to build a charity house to help the needy.
I have had this project in mind for a long time now; now that I must die, all the more since it is a wish dear to me, I must do it now before leaving this earth of humans.
I would like the following information:
your surname and first names, your exact address and a permanent telephone contact, so that I can pass them on to my notary so that together you can carry out the steps of the transaction.
I will pass your details on to the Notary who will handle this transaction afterwards; he will contact you from tomorrow to begin the transfer procedure and the change of beneficiary.
I will ask him to contact you regarding the procedure to follow.
I wish you a very good understanding.
With that, please accept my very cordial greetings.

Mr josé paulo fernandez


my email address: josefernandez2010@live.fr






************** ENGLISH part ****************


Sometimes (but more and more often), I don't even have to look for malicious things to analyse: they come directly to me.

So I was just reading my emails, as usual. I received an alert from Viadeo: I had a message to read. Here comes the best part of it: it is a new variant of the 419 scam, but on professional networks.

Just a reminder: the 419 scam gets its name from article 4.1.9 of Nigerian law, which forbids such fraudulent financial activities.

There we go: I have copied the whole message above, in case that helps those who wonder what it is.

Sorry, it's written in French ;) not all the bad things on the Internet are in English... unfortunately...


 

11 March 2010, 22:46
I was not even really monitoring the LAN when I noticed strange requests...

Why strange? Because of the following:
- NetBIOS over TCP, whereas the proxy should handle that kind of name resolution (as part of web requests)
- a broadcast name query spreading on the LAN, waiting for a WINS reply, which should not happen that way
- an unknown domain name on the LAN and AD... not even a workgroup.

But what really drew my attention is that neither DNS nor WINS were able to resolve it.

What is this domain name?  teamscrew.com. Never heard about it.

First, let's note that the IronPort URL filtering engine categorizes it as pornography. Okay...

Then I decided to try other DNS servers. Well, it's getting stranger and stranger:

- according to SFR's (French ISP) DNS:
C:\>nslookup
Default Server :   box
Address:  192.168.1.1

> teamscrew.com
Server :   box
Address:  192.168.1.1

*** neufbox ne parvient pas à trouver teamscrew.com : Server failed

- according to OpenDNS:
> server 208.67.222.222
Serveur par defaut :   resolver1.opendns.com
Address:  208.67.222.222

> teamscrew.com
Serveur :   resolver1.opendns.com
Address:  208.67.222.222

Réponse ne faisant pas autorité :
Nom :    teamscrew.com
Address:  67.215.66.132


Well, that's a difference! Guess why I prefer to use (and strongly recommend) the DNS provided by the OpenDNS project!

Anyway... impossible to access the website.

So now I'm gonna try other DNS and domain information gathering services. One of my favorites is domaincrawler.com.
Here is the result of my request:
http://www.domaincrawler.com/domains/view/teamscrew.com

So now teamscrew.com is supposed to resolve to: 208.97.178.13


There must be a tricky part somewhere. Let's check using the authoritative NS that DomainCrawler found:

> server ns1.dreamhost.com
Serveur par defaut :   ns1.dreamhost.com
Address:  66.33.206.206

> teamscrew.com
Serveur :   ns1.dreamhost.com
Address:  66.33.206.206

teamscrew.com   MX preference = 0, mail exchanger = mx1.balanced.postal.mail.dreamhost.com
teamscrew.com   nameserver = ns3.dreamhost.com
teamscrew.com   nameserver = ns2.dreamhost.com
teamscrew.com   internet address = 66.33.212.15
teamscrew.com   nameserver = ns1.dreamhost.com
teamscrew.com   MX preference = 0, mail exchanger = mx2.balanced.postal.mail.dreamhost.com
teamscrew.com
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2009110801
        refresh = 16033 (4 hours 27 mins 13 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)
mx1.balanced.postal.mail.dreamhost.com  internet address = 208.97.132.51
ns3.dreamhost.com       internet address = 66.33.216.216
ns1.dreamhost.com       internet address = 66.33.206.206
mx2.balanced.postal.mail.dreamhost.com  internet address = 208.97.132.52
ns2.dreamhost.com       internet address = 208.96.10.221


Okay, looks more or less consistent.

After that, let's try to find out what's running on this server... I'm thinking of an IRC service to control bots, or a download / update service for compromised hosts.

I first try using the IP address DomainCrawler gave me:

C:\>nmap -O --osscan-guess 208.97.178.13

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:16 Paris, Madrid
Interesting ports on apache2-noxim.fuze.dreamhost.com (208.97.178.13):
Not shown: 990 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
113/tcp  open  auth
548/tcp  open  afp
587/tcp  open  submission
5222/tcp open  unknown
5269/tcp open  unknown
5666/tcp open  nrpe
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), D-Link embedded (87%), Linksys embedded (87%), Peplink embedded (87%)
Aggressive OS guesses: Linux 2.6.22 (97%), Linux 2.6.15 - 2.6.26 (94%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Linux 2.6.23 (92%), Linux 2.6.13 - 2.6.27 (89%), Linux 2.4.20 (Red Hat 7.2) (88%), Linux 2.6.17 - 2.6.28 (88%), Linux 2.6.22 - 2.6.23 (88%), Linux 2.6.24 - 2.6.28 (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds


What? Looks like an ADSL box?

But this is not the last surprise. If I do the same using the other IP address I got from DNS resolution, here is the result:
 
C:\>nmap -O --osscan-guess 66.33.212.15

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:42 Paris, Madrid
Interesting ports on ps7371.dreamhost.com (66.33.212.15):
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
587/tcp  open  submission
1030/tcp open  iad1
5666/tcp open  nrpe
Device type: WAP|router|general purpose|storage-misc
Running (JUST GUESSING) : Linksys Linux 2.4.X (97%), Linux 2.4.X|2.6.X (97%), MikroTik RouterOS 3.X (94%), Belkin embedded (93%), ZyXEL embedded (91%), D-Link embedded (90%), Enterasys embedded (90%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (97%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (97%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (97%), MikroTik RouterOS 3.0beta5 (94%), Linux 2.6.21 (94%), Linux 2.6.18 - 2.6.27 (93%), Linux 2.4.21 - 2.4.31 (likely embedded) (93%), Linux 2.6.15 - 2.6.23 (embedded) (93%), Linux 2.6.15 - 2.6.24 (93%), Linux 2.6.15 - 2.6.26 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.91 seconds 

Surprisingly, the scan results look similar!

Until I have proof to the contrary, I therefore believe this is a malicious architecture, where boxes have been compromised and are used to handle requests sent from compromised computers...
There is also a quite obvious DNS synchronization issue here. Still, OpenDNS remains the safest service to query.

If anybody has further details about that domain and those IP addresses, feel free to post a comment or send me an email.
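As an added example (not part of the original post), here is a small Python parser for nslookup sessions like the ones above: it extracts each resolver's answer for the domain, with the French Windows labels handled, and reports which resolvers disagree with the authoritative server. The transcripts are constructed from the outputs quoted in the post.

```python
import re

# Constructed transcripts in the nslookup format quoted above (French Windows labels kept);
# resolver addresses and answers are the ones the post reports for teamscrew.com.
TRANSCRIPTS = {
    "SFR box": """> teamscrew.com
Server :   box
Address:  192.168.1.1

*** neufbox ne parvient pas à trouver teamscrew.com : Server failed
""",
    "OpenDNS": """> teamscrew.com
Serveur :   resolver1.opendns.com
Address:  208.67.222.222

Réponse ne faisant pas autorité :
Nom :    teamscrew.com
Address:  67.215.66.132
""",
    "ns1.dreamhost.com (authoritative)": """> teamscrew.com
Serveur :   ns1.dreamhost.com
Address:  66.33.206.206

teamscrew.com   nameserver = ns3.dreamhost.com
teamscrew.com   internet address = 66.33.212.15
ns1.dreamhost.com       internet address = 66.33.206.206
""",
}


def parse_nslookup(domain: str, transcript: str) -> dict:
    """Pull the resolver used, the A records returned for `domain` and any error out of
    one nslookup session, whatever the (English or French) label language."""
    resolver, answers, error, in_answer = None, [], None, False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("***"):                       # "*** box can't find x: Server failed"
            error = line.lstrip("* ")
        elif re.search(r"\b(Server|Serveur)\b[^:]*:", line):
            in_answer, resolver = False, None            # next Address: line is the resolver
        elif re.match(r"(Name|Nom)\s*:\s*" + re.escape(domain) + r"$", line, re.I):
            in_answer = True                             # following Address(es): lines are answers
        elif (m := re.match(r"Address(?:es)?\s*:\s*(.+)", line)):
            ips = m.group(1).split()
            if in_answer:
                answers.extend(ips)
            elif resolver is None:
                resolver = ips[0]
        elif in_answer and re.fullmatch(r"[0-9a-fA-F.:]+", line):
            answers.append(line)                         # continuation line of "Addresses:"
        elif (m := re.match(re.escape(domain) + r"\s+internet address\s*=\s*(\S+)", line, re.I)):
            answers.append(m.group(1))                   # authoritative / type=any style output
    return {"resolver": resolver, "answers": answers, "error": error}


def compare_resolvers(domain: str, transcripts: dict) -> dict:
    """Group the transcripts by the answer set they produced: one group means all resolvers
    agree, several groups mean stale caches, filtering or a hijacked answer somewhere."""
    groups = {}
    for name, text in transcripts.items():
        r = parse_nslookup(domain, text)
        key = tuple(sorted(r["answers"])) or ("<no answer: %s>" % (r["error"] or "empty"),)
        groups.setdefault(key, []).append(name)
    return groups


def resolvers_agree(domain: str, transcripts: dict) -> bool:
    return len(compare_resolvers(domain, transcripts)) == 1


def disagreeing_with(domain: str, transcripts: dict, reference: str) -> list:
    """Names of the resolvers whose answers differ from `reference` (normally the
    authoritative server, the one to trust when recursive resolvers disagree)."""
    expected = sorted(parse_nslookup(domain, transcripts[reference])["answers"])
    return [name for name, text in transcripts.items()
            if name != reference and sorted(parse_nslookup(domain, text)["answers"]) != expected]


if __name__ == "__main__":
    for answers, names in compare_resolvers("teamscrew.com", TRANSCRIPTS).items():
        print(", ".join(answers), "<-", ", ".join(names))
```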

10 March 2010, 00:01

Recently, a new contact asked me to add her/him as a new MSN contact.

Even though I did not recognize the address, I accepted the invitation. This was for analysis purposes; I do NOT recommend anyone do the same!

Anyway, here is the contact: altagraciatehney09 AT hotmail.com

One night, that person went online and started talking to me. Within less than a minute, I had the impression I was talking to a bot. Check for yourself: the conversation (meaning her replies) is not logical...

The person said she was a girl. And shortly after that, she strongly suggested that I connect to:
http://www.freecamlink.net/jwu9

[Screenshot: MSG1_MSN_pinkcamsecret.com_090310_annonym.jpg]


which redirects to:
http://www.pinkcamsecret.com


Here is a screenshot of it:
[Screenshot: capture_pinkcamsecret.com_090310.jpg]


Then the real trick came out: it was about "age checking"...
I was supposed to give a credit card number!

[Screenshot: MSG2_MSN_pinkcamsecret.com_090310_annonym.jpg]


I was curious to see who had registered the domain name. Here is a new surprise!
http://www.domaincrawler.com/domains/view/www.pinkcamsecret.com

Domains by Proxy, Inc!!!
An "old friend" from my VX watching and analysis activity...! (For those who are not familiar with it, it's mainly a registrar providing anonymous WHOIS...)
 

9 March 2010, 22:12
Years ago, when I started studying viral threats, I discovered Zango.

Zango used viral techniques to spread and remain resident on compromised computers. I won't give a new talk about the old Zango; search engines will do that on their own if you want to try. Just a few examples:
http://www.spyany.com/program/article_adw_rm_Zango.html
http://www.virusbtn.com/news/virus_news/2006/11_21.xml
I was completely laughing out loud after reading this: http://www.generation-nt.com/zango-logiciel-anti-espion-pc-tools-adware-spyware-actualite-41072.html (in French, sorry ;)


This time, one of the email addresses I use as a 'honeypot' received a new email pretending to give me the opportunity to check whether some (former) MSN contacts had blocked me.
Well, this is quite well known: at least, nobody knows what the guys will do with your MSN credentials after the "test":
- ID spoofing?
- social engineering?
- online purchase fraud (as part of it)?

Anyway. I nevertheless clicked on the link, to see if there was any malicious file I could analyse.

Here is the URL:
http://www.kiblok.net/

[Screenshot: kiblock.net_accueil_080310.JPG]

First of all, if you just click on "connexion" without providing any credentials, Google Chrome will alert you. Well then, but... a bit late! Why the hell does Chrome not warn at the very first access to this suspicious website?

[Screenshot: kiblock.net_alert_Chrome_080310.JPG]



But this is not my last (nor least!) surprise. As a kind of reflex, I had a look at the source code of the webpage (try:
view-source:http://www.kiblok.net/index.php?page=viewlist ).

I was astonished to notice the following link (the closing quote and parenthesis of the document.write call were cut off in the original quote):
document.write('<scr' + 'ipt language="javascript" type="text/javascript" src="http://www.kiblok.net.powered-by.zango.com/?a772aa7bfe/ga679ab72f4&g"></scr' + 'ipt>');

Wow! Powered by Zango!! Guess who was right to suspect it?

Hey guys, you couldn't be more discreet... :)
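An added example, not code from the original post or from the site discussed: a Python check that folds the '<scr' + 'ipt' string concatenation back together before extracting script src attributes, then flags script hosts that are not subdomains of the site. The sample page is constructed; the script URL is the one quoted above, and the static.kiblok.net include is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample page modelled on the login page discussed above: two ordinary
# same-site includes, then the split-tag include written through document.write.
SAMPLE_HTML = """<html><head><title>Connexion</title>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://static.kiblok.net/ui.js"></script>
</head><body>
<script type="text/javascript">
document.write('<scr' + 'ipt language="javascript" type="text/javascript" src="http://www.kiblok.net.powered-by.zango.com/?a772aa7bfe/ga679ab72f4&g"></scr' + 'ipt>');
</script>
</body></html>"""

SITE_HOST = "kiblok.net"

# 'abc' + 'def'  ->  'abcdef'   (either quote style, any whitespace around the +)
_CONCAT = re.compile(r"""(['"])\s*\+\s*\1""")
# <script ... src="..."> once the concatenations have been folded back together
_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*(['"])(.*?)\1""", re.IGNORECASE | re.DOTALL)
# the '<scr' + 'ipt' trick itself; its only purpose is to hide the tag from a plain grep
_SPLIT_TAG = re.compile(r"""<scr(['"])\s*\+\s*\1ipt""", re.IGNORECASE)


def fold_concatenations(js: str) -> str:
    """Join adjacent string literals so tags hidden by splitting become visible again."""
    return _CONCAT.sub("", js)


def uses_split_tag(html: str) -> bool:
    """True when the page builds a <script> tag out of split string literals."""
    return _SPLIT_TAG.search(html) is not None


def script_sources(html: str) -> list:
    """All src= values of script tags, including those written via split-tag document.write."""
    return [m.group(2) for m in _SRC.finditer(fold_concatenations(html))]


def is_same_site(host: str, site_host: str) -> bool:
    """True only when host is site_host or a subdomain of it. A naive startswith() check
    would accept www.kiblok.net.powered-by.zango.com, whose real domain is zango.com."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def external_script_hosts(html: str, site_host: str) -> list:
    """Hosts of third-party scripts the page loads; relative src values have no host."""
    found = []
    for src in script_sources(html):
        host = urlparse(src).hostname
        if host and not is_same_site(host, site_host):
            found.append(host)
    return found


if __name__ == "__main__":
    print("split-tag trick used:", uses_split_tag(SAMPLE_HTML))
    print("external script hosts:", external_script_hosts(SAMPLE_HTML, SITE_HOST))
```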
 

11 February 2010, 23:39
First of all, the problem if you want to try the Firefox 64-bit version is finding a way to download it.

I honestly don't even understand why Mozilla did not add a dedicated page on the official Firefox portal for the 64-bit version!

Why so...? Don't know. 64-bit architectures aren't so new, and above all, 64-bit operating systems are arriving...!

The point is that you have to use Google (still, or formerly, Mozilla's friend...? anyway) to find any information about Mozilla 64-bit.

Well, here is the website I've found:
http://www.mozilla-x86-64.com/

It appears that Firefox 64-bit is not named... Firefox, but Shiretoko. Why not... after all the marketing campaign around Firebird, then Firefox... anyway.

Ah, I should mention that I dared to take the risk of installing Firefox and Shiretoko on the same system. It does work!
Each one reads the central configuration.

Though there is still a problem with extensions. If you like Firefox extensions, or even think they're essential, there may be a problem: compatibility!

But without being too specific, let's talk about a very common extension that most "modern" websites (I don't like that point of view) use: Flash Player!

And the thing is, I'm still looking for a way to install Flash for Shiretoko on Windows 7 64-bit... weeks after I started my tests.

Here is what comes up if you go to the Adobe website:


[Screenshot: Firefox64bits_Flash_nondetect_110210.JPG]

Okay, you're gonna tell me: just go ahead and install it...
Well, even if I start Shiretoko with admin privileges, it is not the first time I've come to this screen, and the installation simply does not work...

What a good web experience without Flash...!

The explanation is here: http://kb2.adobe.com/cps/000/6b3af6c9.html

Okay, this is not really Mozilla's fault, but at least they could warn the user that the Flash extension is neither supported nor supposed to work...

And you know what? Flash for 64-bit Windows is not yet available, even as a beta version, while 64-bit Linux is already there! Unbelievable...


Then let's come back to the main subject: add-ons in general.

Users should be warned that they will have to check Shiretoko compatibility for each add-on, one by one...
By default, add-on compatibility will be disabled. I recommend using the Add-on Compatibility Reporter, and testing each one by activating it.

You'll probably have surprises, since most of the add-ons you use every day in the x86 version will be marked as "not compatible". Just force the activation, and test.

Once again, this is more like a big beta test than a real official version of one of the world's most-used browsers!

 

26 November 2009, 00:23
A few people I recently met asked me why I write articles in English, and not (or almost not) in French. Well... the thing is Google Translate is not yet fully functional, and French used to be an international language, but things change.

So... voilà.
This article is based on an attack campaign announcement published by McAfee on its blog (AvertLabs):
http://www.avertlabs.com/research/blog/index.php/2009/11/19/malicious-java-applet-attack-surfaces-as-carrie-prejean-video/

A security watch service I know relayed this information, and I congratulate them on it.

Being passionate about virology, I couldn't help searching a bit myself. Indeed, Network Associates is talking about an attack campaign using a malicious Java applet, which tries to spread through poisoning of Google results ("SEO poisoning"). Of course, Java is nothing without its virtual machine, which must be installed beforehand on any machine wanting to run a Java applet. This therefore helps reduce the target of this attack.

That's where I discovered other interesting elements, which are not mentioned by McAfee in its article.

Searching a bit through the search engines, I first found the exact query a user is supposed to type into Google, and which should lead them to a viral source:

Here it is:
http://www.google.fr/search?rlz=1C1CHNU_enFR333FR333&sourceid=chrome&ie=UTF-8&q=carrie+prejean+sextape+video+download

Among the first links (the top 5!) one notably finds this one:
http://tagally.com/main/article/1DOj
which actually relays to:
http://mvnews.info/carrie-prejean-sextape-video-download/

One may note, by the way, that the keywords are present in the URL, which guarantees very good rankings in the Google results for those same keywords.

On this URL, then, one can see a "fake Windows Media Player" embedded in the page, as it would be if a multimedia object called it through the browser.


Looking more closely, a link appears to... a Chinese site!
http://yaknk.buenoos.cn/wbhoy

And there the trap closes: as soon as the user tries to interact with the booby-trapped web page, the "fake" Windows Media Player sends back an executable to download.
The name of the beast? It seems to vary over time. Here is an example: flash-HQ-plugin.40069.exe. In fact, the generic name is apparently: flash-HQ-plugin.ABCDE.exe.

So, as always,
here is the response of a few security solutions to this viral threat:
- Secure Computing (TrustedSource): no detection
- IronPort: no detection (Friday 20/11/09, late in the evening...)
- Sophos Antivirus (embedded): detection on 20/11
- McAfee: no detection.

The VirusTotal results speak for themselves:
- Friday 20/11/09:
http://www.virustotal.com/fr/analisis/79bf6154cd49650caec6dbed02391447d683f1336fb35f0acb6783212d1b7399-1258749801
- Tuesday 26/11/09: http://www.virustotal.com/fr/analisis/1a7e51b8a01c6e13f292d6ee44315f9afc9e625c1048baf51638031af6f71508-1259192770
One may notice that in 6 days, only 1 more antivirus engine detects the file......



Obviously, compared with McAfee's article, the fact that here the campaign distributes a malicious binary, and not Java, considerably extends the target perimeter of the attack!

Besides, that is not even the worst of it. It seems that the viral code distributed through this Chinese domain evolves over time. Having had the good idea of keeping my VirusTotal result from Friday 20/11/09, one actually notices that the engines detecting the "fake Flash" are not necessarily the same, or even better: the announced detection is not the same!
The screenshot below speaks for itself:

See notably: the Sophos alert that changes, Authentium which no longer detects, and McAfee which sees nothing one time out of two...


One can also find other sites via the Google results, and the links pointed to by those same results. Some seem to correspond to yet other types of attack (notably a real-fake online lottery).

Examples:

- http://carrieprejeansextapevideo.com/   or http://tv.freeish.info/prejean-sextape/

redirects to:
http://www.freelotto.com/register.asp?skin=FWinner&affiliateid=ox174&noepu=1&partner=1059366
As some would say: "their UI hurts the eyes".


- http://celeb-sextapes.net/carrie+prejean+sex+tape  (no longer works)

- http://carrieprejeanvideodownload.topparked.com/  (partially works as of 26/11).

- http://clipmarks.com/clipmark/D5A02C68-3FCF-4D09-8251-1B6E3B817EFD/  which points to http://content3.clipmarks.com/view_clip.aspx?guid=D5A02C68-3FCF-4D09-8251-1B6E3B817EFD
itself pointing to: http://bear-hunter.biz/index.php?q=Carrie-Prejean-Sextape-Video


and the viral payload is hosted at: http://mediastarnetwork.net/xvidplayer.45206.exe



In short, in my view there was much more of interest in this attack than talking about the exploitation of a Java flaw that is already years old, and to which any JVM from 1.4 onwards is no longer vulnerable:
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

That said, the installed base of Java, especially in companies, is a real pain to update.
And there are far more MS VMs (Java v1.3) out there than one would think. So when one also knows that any Java other than 1.6 is obsolete (unless under a Business support contract)... the concern may persist.

2 November 2009, 22:17
I find it quite funny when an AV or any security system alerts about something concerning another security system.

This time, it is about antispam and an AV vendor's security newsletter...

The antispam is: Thunderbird 2.0.23
The newsletter is: Sophos enews

Here is what I found out within my mailbox "Junk" folder:



Basically, what happens is that the Thunderbird built-in antispam system believes Sophos enews is to be considered spam.

But I don't! And the worst is that even if I tag almost every one of these emails as "acceptable" (not junk), the next ones still get moved into the Junk folder.

How can I tell Mozilla that Sophos enews is not spam? I subscribed to their newsletter, and above all, they are an antispam vendor...
 

20 October 2009, 21:33
Well, this is not new, but that is no reason not to talk about it, I guess.

This time, the supposed online MSN access server is hosted on the domain: come-face-the-truth.com.
To be more accurate, I recently received the following MSN message, coming from one of my contacts:



Here is a screenshot of the website the user is sent to if he clicks on the link provided in the MSN conversation:



Please don't give your MSN credentials to suspicious websites!

I also found this domain's WHOIS interesting: see
http://www.domaincrawler.com/domains/view/come-face-the-truth.com
- the server IP address is said to be in Hong Kong
- while all the provided contacts are located in Beijing.

Well, I would sincerely suggest everybody be careful with that.


What about security tools?

This URL is not yet very well classified within URL blocking systems, AFAIK, but:

- Google Chrome: no alert before the 19th of October. Now it does display a warning when trying to access the website. So Firefox should do it as well (Google Safe Browsing functionality).


- IE8? Nothing... I reported it to the SmartScreen system. Let's see what happens next.


- Safari? Nothing...


I'll give more details as I find out.

14 October 2009, 23:50
As everybody would say, an antivirus is not supposed to take all the system resources.
Taking that into account, I tested ESET NOD32 on my computers, because I knew it was said to have quite reasonable memory and CPU usage.

Anyway, that was about real-time protection, and certainly just for a few hours, right. But what if I leave my laptop running for days? That should not be a problem.

Nonetheless, I noticed that my computer was becoming really slow, with almost permanent disk access. I decided to investigate a little; the Sysinternals tools are my friends.

Here is what I found out: the ESET modules were permanently accessing my HDD, and generating swap activity.

The reason? It may be in the following screenshot:
As the Process Explorer GUI says, the "ekrn.exe" binary (standing for ESET Kernel?) takes more than 750 MB of (virtual) memory!
This is quite strange, even abnormal. Just enough to stall the user's applications.


Since I use a limited user account (and I'll talk about that later too), the Process Explorer information window is not complete, as you can see:
This screenshot also tells how long the "ekrn.exe" module had been running before I noticed its memory usage: about a month... (well, yeah, my laptop even works for me during the night... and the day... :) this can also be true for professional workstations that are not shut down at night)

If that helps (the guys at ESET, for example?), here is my config:
- Lenovo SL500
- Vista SP2, fully patched
- NOD32 AV 3.0.684.0



Thus, to me and until I get proof to the contrary, I think there is a memory leak in the "ekrn.exe" module of NOD32 Antivirus.

30 September 2009, 02:39
Let's act just once as a Computer Security Incident Response Team member. What a great pleasure...

A user called the helpdesk because the antivirus was yelling about a supposedly malicious PDF file.
The only problem was: this alert was happening while surfing a professional website, a supposedly 'trustworthy' one...

At first, I have to say I did not believe the AV detection was reliable, since I have personally worked on AV issues with PDF detection...

But... a quick check of the source code of the webpage proved that a strange link had been added. This link was pointing to a Russian website, and more specifically to a JS file (ECMAScript). This obviously drew my attention.

First of all, about the domain itself:
www.bannerdriven.ru. The suspect script is: www.bannerdriven.ru/ads.js.

If you search for it using Google, you find out that hundreds of websites have been compromised (their source code has been indexed by Google, and it shows you the malicious link). Here is a screenshot of what I got on the 26th of September:




It appears that most (if not all) of those websites run IIS 5, 5.1 and 6.

It also seems that the attack is an automated one, targeting:
- the "TITLE" part of the webpage
- any link pointing to an ASP page hosted on a targeted website.

Thus, one only needs to access a compromised website to see the attack being attempted on the user's computer!

Then, about the Internet domain. I find the DomainCrawler results quite interesting:
http://www.domaincrawler.com/domains/view/bannerdriven.ru
See the NS servers, the WHOIS, and even the IP addresses.


If you look at the malicious server itself, there is a surprise about the DNS. Here is a screenshot of requests through OpenDNS: different IPs, different machines... This is evidence that fast flux is in use.



Running the suspect link on a hardened computer, Firebug helped me discover that the obfuscated JS file was just redirecting the user to:
http://bannert.ru/ad/index.php

Then the victim is redirected to:
- http://bannert.ru/ad/js.php?id=1
- http://bannert.ru/ad/js.php?id=2&PHPSESSID=o0akmam1j3ida51vv4qltqlse5
- http://bannert.ru/ad/js.php?id=3&PHPSESSID=o0akmam1j3ida51vv4qltqlse5


A bit of reverse engineering made me understand that the malicious website uses:
- a cookie and PHP session ID, to make sure the attack is tried only once on the same computer
- a self-defence system: wget downloads blocked! (User-Agent detection, I guess)
- recording of visitors' IP addresses, to make sure the attack is tried only once on the same computer


After that, two attacks are launched on the victim's computer:
- a malicious SWF:
http://bannert.ru/ad/spl/files/8628468724.swf
- the PDF, apparently downloaded from http://bannert.ru/ad/spl/files/info.php


At the end of it, a fake error page is displayed to the user, so that nothing looks suspicious to him.



If the attack succeeds, then the malicious software AntivirusPro2010 is downloaded and directly installed on the computer. Compromised computers even crashed (BSOD, on WinXP SP2).
Clearly, this is again about financial fraud...


What about the Internet domain bannert.ru? Well yeah, the DomainCrawler results are again quite interesting:
http://www.domaincrawler.com/domains/view/bannert.ru


Here is a VirusTotal comparative analysis of the malicious PDF: https://www.virustotal.com/fr/analisis/1fc413651af1fe6901581888f53b5bf53669067d270b3e2a291929fc4c4aab52-1254273671

Here is what I could say at the time of discovery (09/27):
- McAfee: detection OK (Exploit.gen PDF, updated 16th of September)
- Sophos: no detection (I sent them a sample on 09/29)
- ESET: no detection (still true on the 30th of September)
- PC-Tools Antispyware: no detection (still true on the 30th of September)
- Malwarebytes: no detection (still true on the 30th of September)


At the time of writing (09/29), we still don't know for sure the exact attack being used to compromise the IIS servers. I believe it is one of the latest IIS vulnerabilities (IIS FTP?); other people think it is ASP / SQL injection...
I'll post further details as I find out.

------------------------------------------------------

Update 10/05:

Here is a VT analysis of the SWF file:
http://www.virustotal.com/fr/analisis/f247397f83e61b5ef7e1b05343ea46bc6af8fe526f8fb0ec6e8ab61993082083-1254781195
Still very little AV detection, huh... 5 AVs out of 41...


More about the IIS attack method:

Well yeah, I think I've lost my bet.
Apparently, it is a real SQL injection, a classical one... supposedly coming from an old botnet (the ASProx one). A simple Google search,
http://www.google.fr/search?q=sql+injection+bannerdriven.ru&hl=fr&sa=2 led me last night to: http://garwarner.blogspot.com/
(see:
http://garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html)
I'd like to congratulate the author on his great job.

Further on, we even have IIS logs as evidence of what happened:
http://www.sqlservercentral.com/Forums/Topic793970-357-1.aspx
Some of the first bursts were certainly launched on the 25th of September...

For those who want to see the whole SQL injection command line, I think this is it:
http://txtb.in/4Wz


Then, if that helps, some guys published automated tools (scripts) to clean up compromised MS SQL databases:
http://blog.strictly-software.com/2008/09/latest-sql-injection-urls.html
Use with care, in case you don't know exactly what you're doing...


One last point should be emphasized, IMHO.
Compromised websites were indexed by Google, okay. But if you search Google for the different malicious URLs, you may discover that the compromised websites were indexed with a malicious JS file link which is no longer the one you can see in their source code! (Well, we assume here that those websites are still compromised when you look at their source code...)
That means... that the botnet has a kind of update feature, which is able to change/update the URL being injected into vulnerable pages!
It could also mean that the attack is being tried repeatedly on IIS servers that were already compromised, but with a different malicious URL, until the SQL injection weakness has been corrected.

Thus, the guys who try to clean up the SQL databases and webpages have to keep in mind that if they don't correct the security weakness which permitted the SQL injection, their IIS will be compromised again sooner or later...
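As an added example (not the cleanup scripts linked above, nor anything from the original post), here is a Python routine that walks every text column of a database, counts the values carrying an injected external script tag, and strips them; since the injected URL changes over time, it matches any external script tag rather than one fixed URL. It uses an in-memory SQLite database with constructed rows in place of an MS SQL database; the table layout is an assumption.

```python
import re
import sqlite3

# Any <script src="http(s)://..."></script> fragment: the injected URL changes between waves
# (ads.js, later counter.js on another domain), so the pattern is not tied to one host.
INJECTED_SCRIPT = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?\s*https?://[^"'\s>]+["']?[^>]*>\s*</script>""",
    re.IGNORECASE,
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a compromised site database: two tables with text columns,
    several of whose values have had the bannerdriven.ru tag appended, as the post describes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER);
        CREATE TABLE products (sku TEXT, name TEXT, description TEXT);
    """)
    tag = '<script src="http://www.bannerdriven.ru/ads.js"></script>'
    con.executemany("INSERT INTO pages(title, body, views) VALUES (?, ?, ?)", [
        ("Home" + tag, "<p>Welcome</p>", 10),
        ("Contact", "<p>Call us</p>", 3),
        ("About us" + tag, "<p>History</p>" + tag, 7),
    ])
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("A1", "Widget", "Plain description"),
        ("B2", "Gadget" + tag, "Another one"),
    ])
    con.commit()
    return con


def text_columns(con: sqlite3.Connection):
    """Yield (table, column) for every character-typed column in the database."""
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # table_info rows: cid, name, type, notnull, dflt_value, pk
        for _, name, ctype, *_ in con.execute(f'PRAGMA table_info("{table}")'):
            if ctype and any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def find_injected(con: sqlite3.Connection) -> dict:
    """Return {(table, column): number_of_values_carrying_an_external_script_tag}.
    Table and column names come from the catalogue, never from user input, so quoting
    them into the SQL text is safe; values are always bound as parameters."""
    hits = {}
    for table, col in text_columns(con):
        rows = con.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL').fetchall()
        n = sum(1 for (v,) in rows if isinstance(v, str) and INJECTED_SCRIPT.search(v))
        if n:
            hits[(table, col)] = n
    return hits


def clean_injected(con: sqlite3.Connection) -> int:
    """Strip every injected tag from every affected value; returns the number of values changed.
    Cleaning the data does not close the injection hole, so the same scan must be re-run
    after the application has been fixed to confirm it stays clean."""
    changed = 0
    for table, col in text_columns(con):
        for rowid, value in con.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
            if isinstance(value, str) and INJECTED_SCRIPT.search(value):
                con.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                            (INJECTED_SCRIPT.sub("", value), rowid))
                changed += 1
    con.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_injected(db))
    print("cleaned values:", clean_injected(db))
    print("after:", find_injected(db))
```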


Update 10/20:

A new domain is being inserted into the webpages' source code: doublebanner.ru.
There is a new file: counter.js.

Are the bad guys trying to count their victims?



--------------------------------------------------------------------------------------------------------

To conclude, once again folks:
1- use a NIPS (Network Intrusion Prevention System)
2- use a WAF (Web Application Firewall) to protect your applications! Classical firewalls are not suitable for that...
3- don't forget to sanitize user data inputs... (a bit complex to do if the application is already deployed... I know)
4- update all your applications on workstations and servers, not only MS products!
5- if your website has been compromised, don't forget to tell your external customers (provide an AV procedure link...) and keep an eye on the services that could give a "bad security reputation" to your website
6- whether your website has been compromised or not, make sure your traceability is operational and protected!
