4 June 2010, 20:56

Well, this is not the first one, but I find it relevant since it is detected by (almost) none of the AV engines, at least the command-line versions used by VirusTotal.

Here is what the MSN message looks like:

[Screenshot: msg_MSN_040610.jpeg]

 

 

I clicked on the link aztec-casino.uk... the browser popped up and offered to download a file named installcasino.exe.

Unfortunately for the bad guys, a BSD-derived kernel is kind of immune to Win32 PE files... :)

According to VirusTotal, only 1 engine out of 41 detects the sample:

http://www.virustotal.com/fr/analisis/09b2b1ea08b19ff9a4e1c3609a39fa8f6ae60b8827260e8dd034630af754343c-1275677556

The only detection is a heuristic one. Keep in mind that VirusTotal uses command-line versions of the AV engines, which may lack some heuristic features or dynamic content analysis.

I'm waiting for the results of an online sandbox analysis.

 


What about URL filtering? Not better either:

- nothing for McAfee TrustedSource:

http://www.trustedsource.org/en/feedback/query?sid=&p=&q=www.aztec-casino.uk.mn

- nothing for IronPort / SurfControl:

http://mtas.surfcontrol.com/MTASResults.asp  (says 'not in our list' at the time of writing).

What about domain information?

- a bit weird according to Netcraft: UK or DE?

http://toolbar.netcraft.com/site_report?url=http://www.aztec-casino.uk.mn

- a Brazilian IP address according to DomainCrawler, and no WhoIs information...

http://www.domaincrawler.com/domains/view/www.aztec-casino.uk.mn

What about DNS?

> server 208.67.222.222
Default server: 208.67.222.222
Address: 208.67.222.222#53

 

> www.aztec-casino.uk.mn
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:

Name:   www.aztec-casino.uk.mn
Address: 188.40.70.45

OpenDNS and my ISP's resolver agree on the IP resolution, so it should be correct.

Then I guess RIPE will be pretty reliable for geolocation:

http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=+188.40.70.45&do_search=Search

and (the winner is): Germany.
30 April 2010, 00:12

I'm not going to deal here with the real McAfee DAT 5958 issue itself. What I find interesting is what is happening around this incident.

Some other AV vendors warned that users' attempts to download the DAT that fixes the 5958 failure could be used to infect their computers.

I was honestly thinking of fake DAT packages: malware bundled with a real McAfee DAT executable, or simply malware named 'SDAT5959'...

But what I discovered is actually worse, to me.

Consider the following Google query: download mcafee DAT 5959. Quite natural and obvious, isn't it?

Here is the URL of the 5th results page:

http://www.google.fr/search?hl=fr&safe=off&q=download+mcafee+DAT+5959&start=40&sa=N

But this is where the danger shows up. Let's have a look at the first link on that results page:

[Screenshot: RQ_Google_tolstiy.co.cc_290410.jpg]

The website domain name is: tolstiy.co.cc.

The Google preview of its content even includes the Google logo... This can't be dangerous, right?

You may notice all the keywords the website needs in order to be well indexed and rank highly in Google's results: 'sdat 5959 free download license mcafee superdat failure SDAT5959 EM. exe mcafee8.5i, McAfee®: 5960 Update '

This certainly helps SEO hijacking (or poisoning)!

The point, though, is that the user is immediately redirected to another website: endroiturlredirect.com

[Screenshot: exploit_alertAV_endroiturlredirect.com_290410.jpg]

Then the malicious part shows up. This page hosts an exploit!

Avira then raised a warning:

[Screenshot: MSG_Avira_endroiturlredirect.com_290410-copie-1.jpg]

A PDF exploit for a DAT update rescue... that's probably funny (or weird).

I therefore strongly recommend that all users and admins pay close attention to where they download updates from (including antivirus updates), at all times and especially in an emergency.

 

More about the website: http://tolstiy.co.cc/

You have to look closely to notice something quite strange.

I said the thumbnail seems to include a Google logo... well, guess what: the Google logo, buttons and search bar are in fact all one simple picture!

And here is its URL: http://www.webopedia.com/quick_ref/img/google_screen001.jpg

And what about its WhoIs? http://www.domaincrawler.com/domains/view/tolstiy.co.cc

Hey, more interesting: the IP address seems to be a Brazilian one, and the rest of the WhoIs info appears to be hidden behind an anonymization service. Quite obscure, but a common habit in VX circles.


But what if I use Internet Explorer 8?

Surprisingly (or not?), the page redirected me to: malware-checker-free.com. And IE 8 screamed about a phishing risk while accessing this website.

Here is a screenshot of what I saw:

[Screenshot: MSG_IE8_malware-checker-free.com_290410.jpg]

And what about other browsers? (Test setup: Windows 7, 64-bit, fully patched.)

- Safari (latest version) did not alert me in any way

- Firefox 32 & 64-bit (latest versions): no alert

- Opera 10 (latest version): no alert.

- Chrome (latest version): no alert.


So here is what a user could see if they do not use IE:

[Screenshot: controlpanel_malware-checker-free.com_300410.jpg]

And the (funny but) annoying part of it is an endless loop behind this popup:

[Screenshot: msg_malware-checker-free.com_290410-copie-1.jpg]

Whatever the user does ('Cancel' or 'OK'), the popup comes back and, furthermore, tries to download an executable onto the computer.

This file is called: 'win_protection_update.exe'

Here are the VT results for it (a reminder: VT runs command-line AV scanners, not the real-time protection a regular installation would offer):

http://www.virustotal.com/fr/analisis/415af935f5ce82f68f15ad133af4542813e34c40a7c5825fed9cdf0d2a46d304-1272584528

OK, so that's 20 out of 41 engines, not bad.


About the malicious URL itself: http://malware -checker -free.com/secure1/?id=ololo

If you try to access it with only the FQDN, say malware-checker -free.com, you may be redirected to... Google. A bit funny.

But if you change the subfolder and/or page, such as: http://malware -checker-free.com/test   here is what shows up:

Apache/2.2.3 (CentOS) Server at malware-checker-free.com Port 80

Either the bad guys forgot to update (and secure) their web server, or they hacked a third-party one to host their malicious page and files...



Lastly, if you look at the source code of the web page http://malware -checker-free.com/secure1/?id=ololo   (thanks to Opera!), you get an idea of how the bad guys tried to obfuscate it:

<!--
Page protected by ionCube - HTML/JavaScript Encoder
Copyright (c) 2003 RWJD.Com and ionCube Ltd.  All Rights Reserved.
Any analysis of this  source code,  embedded data  or file by any means and by any entity whether human or otherwise  to including but without  limitation to discover details  of internal operation, to  reverse  engineer, to  de-compile object code, or to modify  for the purposes  of modifying behavior or scope of their usage is forbidden.
-->

To finish, a Google search suggests that ionCube is a proprietary solution to "protect and license" PHP pages... well, I'm not sure the bad guys paid for their ionCube license (just guessing).
20 April 2010, 00:55

Just this once, I wasn't even doing any threat watching when one of my MSN accounts received two messages in quick succession, from two different contacts.

Of course, the contacts in question were supposed to be "offline" at the time the messages were sent, and (strange, did you say strange...?) they sent me the same message.

Here is a sample:

[Screenshot: msg2_MSN_180410_annonym.jpg]

Note that it is apparently a link pointing to a photo... a trick that is nothing new.

Reckless as I am in my virus analyses, I hurry to click on the link.

Well, well: instead of a photo, a ".src" file lands on my disk. Oh, the old days of virology are back...

However, this time the antivirus beeps straight away (NOD32 and Antivir).

Better still, a comparative analysis on VT gives an encouraging result: almost 1 engine out of 2 detects the file (in command-line mode):

http://www.virustotal.com/fr/analisis/5a38a64a407f6093f8fe3ce737fd9ebe35835e0a0eac42a301e6c86c4def7850-1271593655

So what can one say, for the cynics: are all the antivirus engines on time for once, or is the viral threat obsolete?...
12 April 2010, 21:46

As you have probably read on the web, while some people welcome new URL services such as goo.gl, others warn about the new threats that come with them: bypassing URL filters using URL shorteners...

Here is a kind of new sample. Once again, over the MSN network.

[Screenshot: message_msn_tinyurl_120410_annon.jpg]

If you click on the URL, the TinyURL system will automatically redirect you to: http://www.camstranger.com/
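A URL filter that only sees the shortener's domain judges nothing useful; what it needs is every host on the redirect chain. The following is an added example, not code from the original post: it expands a short link by issuing HEAD requests hop by hop, never downloading the final page body, and lists each host crossed. The `fetch` callable is injectable so the logic can run against a constructed redirect table; the tinyurl token `EXAMPLE` is a placeholder (the real one is only visible in the screenshot) and the chain merely mirrors the post's description (TinyURL to camstranger.com).

```python
"""Added example (not from the original post): expand a shortened link by walking
the HTTP redirect chain hop by hop with HEAD requests, never fetching the final
page body, and listing every host crossed so each can be checked against a filter.

Assumptions: `fetch` is injectable, so the logic runs here against a constructed
redirect table; the tinyurl token EXAMPLE is a placeholder and the sample chain
mirrors the post's description rather than captured traffic.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url, timeout=5.0):
    """One HEAD request; returns (status, raw Location) without following it."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "link-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=http_head, max_hops=10):
    """Follow redirects one at a time; stop on a terminal status, a loop, or the hop cap."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"final": chain[-1], "chain": chain, "status": status, "stopped": "terminal"}
        nxt = urljoin(chain[-1], location)          # Location may be relative
        if nxt in seen:
            return {"final": nxt, "chain": chain, "status": status, "stopped": "loop"}
        seen.add(nxt)
        chain.append(nxt)
    return {"final": chain[-1], "chain": chain, "status": None, "stopped": "max_hops"}


def hosts_crossed(result):
    """Distinct hostnames in the chain, in order: what a URL filter has to judge."""
    hosts = []
    for u in result["chain"]:
        h = urlsplit(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed redirect table mirroring the post: TinyURL -> camstranger.com (terminal).
SAMPLE_CHAIN = {
    "http://tinyurl.com/EXAMPLE": (301, "http://www.camstranger.com/"),
    "http://www.camstranger.com/": (200, None),
}
# Constructed two-URL loop, to exercise the loop guard.
LOOP_CHAIN = {
    "http://a.example/": (302, "/b"),
    "http://a.example/b": (302, "http://a.example/"),
}


def table_fetch(table):
    """Offline stand-in for http_head backed by a dict of url -> (status, Location)."""
    return lambda url: table.get(url, (404, None))


if __name__ == "__main__":
    r = expand("http://tinyurl.com/EXAMPLE", fetch=table_fetch(SAMPLE_CHAIN))
    print(r["stopped"], "->", r["final"], "via", hosts_crossed(r))
```

Using HEAD rather than GET means the expander never pulls the final page's content, and the hop cap and loop guard keep a hostile chain from tying the checker up; pass `fetch=http_head` (the default) to run it against live URLs.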


Once again, I strongly warn against clicking on that link, unless you know what you are doing.

The website seems to be a kind of public chat, with webcam. AFAIK there is no viral component on it. But I would say anyway that this looks strange.

[Screenshot: capture_camstranger.com_120410.jpg]

My guess: some guys rented a botnet and/or a stolen MSN account database to send a mass mailing promoting that new public chat...

I'll try to check that out later on :)
18 March 2010, 21:11
This is not the first, but I find this case quite interesting.

Some PCs that had been compromised earlier (I don't know the malware details at the time of writing) started sending messages to their MSN contacts around 6 PM UTC.

Here is a sample of the message:

[Screenshot: Msg_MSN_180310_annonym.jpg]

Here is the suspicious web link: www.facebook- id.us/profil.php?=PICT18082010
Obviously, DON'T CLICK ON THAT!

Please note the exact spelling of the word 'facebook' in the URL! Who's going to notice the '-us' at the end?

On a safe and hardened operating system (such as a BSD derivative...), I see that the browser directly tries to download an executable named: PICT18082010-jpg-www-facebook-com.scr

Be careful: this file has a fake icon; it looks like a picture (some kind of JPG file, I'd say).
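The two tricks just described, a hostname that borrows a brand name while being registered elsewhere, and an executable whose file name is dressed up as a picture, can both be checked mechanically before anyone clicks. The block below is an added example, not code from the original post. It also goes a step beyond this post's case: `embedded_domain` catches a hostname whose leading labels spell out a different domain (the `www.kiblok.net.powered-by.zango.com` pattern seen in the Zango post further down). `BRANDS`, `PUBLIC_SUFFIXES`, `EXECUTABLE_EXT` and `IMAGE_HINTS` are small hand-written tables assumed for illustration; a real deployment would load the Public Suffix List and a full brand inventory.

```python
"""Added example (not part of the original post): flag brand-lookalike hostnames
and executables disguised as pictures, the two tricks the post points out in
www.facebook-id.us and PICT18082010-jpg-www-facebook-com.scr.

Assumptions: the tables below are tiny hand-written stand-ins (use the Public
Suffix List and a full brand list in practice); sample inputs are the post's.
"""
from urllib.parse import urlsplit

BRANDS = {"facebook": "facebook.com", "yahoo": "yahoo.com", "hotmail": "hotmail.com"}
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "mn", "uk.mn", "co.cc"}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
IMAGE_HINTS = ("jpeg", "jpg", "png", "gif", "pict", "photo", "img")


def registrable_domain(host):
    """Label directly below the longest matching public suffix (e.g. facebook-id.us)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def host_of(url):
    """Hostname of a URL, tolerating the scheme-less form seen in chat messages."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def brand_lookalike(url):
    """Hosts that mention a brand but are not registered under that brand's domain."""
    host = host_of(url)
    reg = registrable_domain(host)
    squashed = host.replace("-", "").replace("_", "")   # 'face-book' still counts
    return [f"{host}: mentions {brand!r} but is registered as {reg!r}, not {legit!r}"
            for brand, legit in BRANDS.items()
            if brand in squashed and reg != legit]


def embedded_domain(host):
    """A different registrable domain spelled out in the leading labels, e.g.
    www.kiblok.net.powered-by.zango.com, whose real owner is zango.com."""
    labels = host.lower().split(".")
    reg = registrable_domain(host)
    for j in range(2, len(labels)):
        prefix = ".".join(labels[:j])
        if any(".".join(labels[k:j]) in PUBLIC_SUFFIXES for k in range(1, j)):
            inner = registrable_domain(prefix)
            if inner != reg:
                return inner
    return None


def deceptive_filename(name):
    """Executable extensions whose base name pretends to be an image or a brand."""
    base, _, ext = name.lower().rpartition(".")
    if not base or ext not in EXECUTABLE_EXT:
        return []
    reasons = []
    hints = [h for h in IMAGE_HINTS if h in base]
    if hints:
        reasons.append(f"{name}: .{ext} executable named like an image ({', '.join(hints)})")
    brands = [b for b in BRANDS if b in base]
    if brands:
        reasons.append(f"{name}: borrows brand name(s) {', '.join(brands)}")
    return reasons


if __name__ == "__main__":
    for line in brand_lookalike("www.facebook-id.us/profil.php?=PICT18082010"):
        print(line)
    for line in deceptive_filename("PICT18082010-jpg-www-facebook-com.scr"):
        print(line)
    print(embedded_domain("www.kiblok.net.powered-by.zango.com"))
```

One caveat worth keeping in mind: `BRANDS` maps each brand to a single legitimate domain, so a brand's own secondary domains (Yahoo's yahoodns.net, which this same post runs into) would be flagged until they are added to the table; a substring heuristic like this is a triage signal, not a verdict.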

Some people had already tried VT for this sample:
http://forum.malekal.com/www-facebook-profil-php-pict18082010-t24041.html

The AV protection coverage does not look that good:
http://www.virustotal.com/analisis/72c7b58796d12793cf39debb98344bb71ac79670828f8db8540b343eedd5c83c-1268935265
14%!!

So now, let's try to see who's behind that domain, facebook-id.us.

The first WhoIs results look strange:
http://www.domaincrawler.com/domains/view/facebook-id.us

Wow... it looks like Yahoo has a problem... is it actually a component of the attack campaign?

RIPE did not give me any information. But another WhoIs tool seemed to have more detailed information:
http://www.raynette.fr/services/whois/index.php?action=domain_info&domain=facebook-id.us

Still a reference to Yahoo:
YNS1.YAHOO.COM

Quite worrying if Yahoo has indeed been compromised.
 
Here is what the SFR DNS says about it:

Nom :  sbs-p11p.asbs.yahoodns.net
Addresses: 69.147.83.187
98.136.50.138
69.147.83.188
Aliases: www.facebook-id.us
  p11-pprr.geo.premiumservices.yahoo.com


And OpenDNS:
> www.facebook-id.us
Serveur :   resolver1.opendns.com
Address:  208.67.222.222

Réponse ne faisant pas autorité :
Nom : sbs-p11p.asbs.yahoodns.net
Addresses: 98.136.50.138
69.147.83.188
69.147.83.187
Aliases:  www.facebook-id.us
   p11-pprr.geo.premiumservices.yahoo.com


Okay, these different resolvers seem to be consistent. Now let's check the NS that is said to be authoritative for the domain.

> server yns1.yahoo.com
Serveur par defaut :  yns1.yahoo.com
Address: 98.136.43.32
> yahoo.com
Serveur :  yns1.yahoo.com
Address: 98.136.43.32

***  Query refused
> facebook-id.us
Serveur : yns1.yahoo.com
Address:  98.136.43.32

Nom :  facebook-id.us
Addresses: 69.147.83.188
69.147.83.187
98.136.50.138

Hardly kidding, but the IP address yns1.yahoo.com points to seems quite anonymous: http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=98.136.43.32&submit.x=12&submit.y=7&submit=Search

At this point, I really wonder what's happening. The Yahoo NS does not reply to a standard query for "yahoo.com", but it does respond to a query for "facebook-id.us"!!

What about URL filtering?
- TrustedSource (McAfee): not listed  [reported]
- SurfControl: not listed  [reported]
- Netcraft: high risk, but no real warning  [reported]
- Firefox/Chrome (Google Safe Browsing): no warning.  [reported]

If you access the website using Firefox (and Firebug ;), you may obtain a few more details:

[Screenshot: acces_facebook-id.us_180310_annonym.jpg]

Please note the 'YTS' server and the host: p11w9.geo.sp1.yahoo.com!!
FYI 'YTS' apparently stands for Yahoo! Traffic Server... see http://acronyms.thefreedictionary.com/Yahoo!+Traffic+Server


Now let's try to figure out what's going on with the yahoo.com NS. I'm going to query a Yahoo name server directly (with nslookup), say ns1.yahoo.com.

Here are the results:

> server ns1.yahoo.com
Serveur par defaut :   ns1.yahoo.com
Address:  68.180.131.16
 
> yahoo.com
Serveur :   ns1.yahoo.com
Address:  68.180.131.16
Nom :    yahoo.com
Addresses:  67.195.160.76
69.147.114.224
69.147.125.65
72.30.2.43
98.137.149.56
209.131.36.159
209.191.93.53
209.191.122.70
 
> yns1.yahoo.com
Serveur :   ns1.yahoo.com
Address:  68.180.131.16
Nom :    yns1.yahoo.com
Address:  98.136.43.32

Please note that yns1.yahoo.com does not generate a 'non-authoritative answer' in the reply of the official Yahoo DNS. So we can reasonably suppose the A record (for yns1.yahoo.com) has been added to the DNS, and... well... they've been rooted.

Therefore, until I have proof to the contrary, I believe the Yahoo NS (and probably one server) have been compromised, and Yahoo is taking part in an attack over MSN...
More to come if I can.
11 March 2010, 22:46
I was not even really monitoring the LAN when I noticed strange requests...

Why strange? Because of the following:
- NetBIOS over TCP, whereas the proxy should handle that kind of name resolution (as part of web requests)
- a broadcast name query spreading across the LAN waiting for a WINS reply, which should not happen
- an unknown domain name on the LAN & AD... not even a workgroup.

But what drew my attention is that neither DNS nor WINS were able to resolve it.

What is this domain name? teamscrew.com. Never heard of it.

First, note that the IronPort URL filtering engine categorizes it as pornography. Okay...
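The three observations above (NetBIOS name service traffic, a broadcast rather than a WINS unicast, a dotted name nobody on the LAN owns) are exactly the fields a sniffer or IDS rule can test on a UDP/137 packet. The block below is an added example, not code from the original post: it encodes and decodes NBNS names (the RFC 1001 "first-level" encoding that turns each nibble into a letter A..P), parses a query, and triages it with the post's reasoning. The sample packet is constructed here, a broadcast query for TEAMSCREW.COM, and `KNOWN_NAMES` is an illustrative allowlist of the domain, workgroup and hosts one expects to see.

```python
"""Added example (not from the original post): decode NetBIOS Name Service (NBNS,
UDP/137) name queries and triage them the way the post reasons: a broadcast query
for a dotted name that belongs neither to the AD domain nor to a known workgroup
means DNS and WINS have already failed for it.

Assumptions: SAMPLE_QUERY is constructed here; KNOWN_NAMES is an illustrative
allowlist; the 16th byte of the decoded name is the NetBIOS suffix (0x20 = file
server service, 0x00 = workstation, 0x1E = browser election).
"""
import struct

FLAG_RESPONSE = 0x8000
FLAG_BROADCAST = 0x0010
QTYPE_NB = 0x0020
KNOWN_NAMES = {"CORPDOMAIN", "WORKGROUP", "FILESRV01"}   # illustrative allowlist


def encode_name(name, suffix=0x20):
    """First-level encoding (RFC 1001 14.1): 15-char space-padded name + suffix,
    each nibble written as a letter in A..P, wrapped as one 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return bytes([32]) + encoded + b"\x00"


def decode_name(label):
    """Inverse of encode_name on the 32 encoded bytes; returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_query(name, suffix=0x20, txid=0x8001, broadcast=True):
    """Single-question NB query; the B flag marks a LAN broadcast rather than a WINS unicast."""
    flags = 0x0100 | (FLAG_BROADCAST if broadcast else 0)     # RD, plus B bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack("!HH", QTYPE_NB, 1)


def parse_query(pkt):
    """Fields of a single-question NBNS query, or None for anything else."""
    if len(pkt) < 50:
        return None
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_RESPONSE or qdcount != 1 or pkt[12] != 32 or pkt[45] != 0:
        return None
    name, suffix = decode_name(pkt[13:45])
    qtype, _qclass = struct.unpack("!HH", pkt[46:50])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype,
            "broadcast": bool(flags & FLAG_BROADCAST)}


def triage(pkt, known=KNOWN_NAMES):
    """Reasons this query deserves a look; an empty list means it looks routine."""
    q = parse_query(pkt)
    if q is None:
        return None
    reasons = []
    if q["name"] not in known:
        reasons.append(f"name {q['name']!r} is not a known domain/workgroup/host")
    if "." in q["name"]:
        reasons.append("dotted name: a DNS lookup fell through to NetBIOS (DNS/WINS failed?)")
    if q["broadcast"]:
        reasons.append("broadcast query: no WINS server answered")
    return reasons


# Constructed sample: the kind of broadcast the post noticed on its LAN.
SAMPLE_QUERY = build_query("TEAMSCREW.COM")

if __name__ == "__main__":
    print(parse_query(SAMPLE_QUERY))
    for reason in triage(SAMPLE_QUERY):
        print("-", reason)
```

Fed the UDP payload of real port-137 traffic (from a pcap or a raw socket), `triage` gives the same three reasons the post lists, and the allowlist is the only site-specific part.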

Then I decide to try other DNS resolvers. Well, it's getting stranger and stranger:

- according to the SFR (French ISP) DNS:
C:\>nslookup
Default Server :   box
Address:  192.168.1.1

> teamscrew.com
Server :   box
Address:  192.168.1.1

*** neufbox ne parvient pas à trouver teamscrew.com : Server failed

- according to OpenDNS:
> server 208.67.222.222
Serveur par defaut :   resolver1.opendns.com
Address:  208.67.222.222

> teamscrew.com
Serveur :   resolver1.opendns.com
Address:  208.67.222.222

Réponse ne faisant pas autorité :
Nom :    teamscrew.com
Address:  67.215.66.132


Well, that's a difference! Guess why I prefer to use (and strongly recommend) the DNS provided by the OpenDNS project!

Anyway... impossible to access the website.

So now I'm going to try other DNS and domain information gathering services. One of my favorites is domaincrawler.com.
Here is the result of my request:
http://www.domaincrawler.com/domains/view/teamscrew.com

So now teamscrew.com is supposed to resolve to: 208.97.178.13

There must be a tricky part somewhere. Let's check using the authoritative NS that DomainCrawler found:

> server ns1.dreamhost.com
Serveur par defaut :   ns1.dreamhost.com
Address:  66.33.206.206

> teamscrew.com
Serveur :   ns1.dreamhost.com
Address:  66.33.206.206

teamscrew.com   MX preference = 0, mail exchanger = mx1.balanced.postal.mail.dreamhost.com
teamscrew.com   nameserver = ns3.dreamhost.com
teamscrew.com   nameserver = ns2.dreamhost.com
teamscrew.com   internet address = 66.33.212.15
teamscrew.com   nameserver = ns1.dreamhost.com
teamscrew.com   MX preference = 0, mail exchanger = mx2.balanced.postal.mail.dreamhost.com
teamscrew.com
        primary name server = ns1.dreamhost.com
        responsible mail addr = hostmaster.dreamhost.com
        serial  = 2009110801
        refresh = 16033 (4 hours 27 mins 13 secs)
        retry   = 1800 (30 mins)
        expire  = 1814400 (21 days)
        default TTL = 14400 (4 hours)
mx1.balanced.postal.mail.dreamhost.com  internet address = 208.97.132.51
ns3.dreamhost.com       internet address = 66.33.216.216
ns1.dreamhost.com       internet address = 66.33.206.206
mx2.balanced.postal.mail.dreamhost.com  internet address = 208.97.132.52
ns2.dreamhost.com       internet address = 208.96.10.221


Okay, looks more or less consistent.
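The comparison this post (and the facebook-id.us and aztec-casino posts above) performs by hand, asking the ISP resolver, OpenDNS and finally the authoritative name server and looking for disagreement, can be scripted. The following is an added example, not code from the original post: it builds a raw DNS A query, parses the reply (including compression pointers, the AA flag and the RCODE), and reports where resolvers disagree, taking an authoritative answer as the reference. The three sample replies are constructed by hand to mirror the answers quoted above (SERVFAIL from the box, 67.215.66.132 from OpenDNS, 66.33.212.15 with AA set from ns1.dreamhost.com); they are not captured packets, and `query()` performs a live lookup only if you call it.

```python
"""Added example (not code from the original post): raw DNS A lookup plus a
cross-resolver consistency check.

Assumptions: only A records are decoded; the sample replies are constructed to
mirror the answers quoted in the post, they are not captured traffic.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def build_response(name, addrs, rcode=0, aa=False, txid=0x1234, ttl=300):
    """Constructed reply for exercising the parser (answer names use a 0xC00C pointer)."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode               # QR, RD, RA, optional AA
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return rcode, the AA flag and the A records found in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "authoritative": bool(flags & 0x0400), "a": sorted(addrs)}


def query(name, resolver, timeout=3.0):
    """Live UDP lookup against one chosen resolver (not used by the sample run)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def compare(results):
    """List disagreements; an authoritative NOERROR answer serves as the reference."""
    findings = []
    auth = {src: r["a"] for src, r in results.items() if r["authoritative"] and r["rcode"] == 0}
    reference = next(iter(auth.values()), None)
    for src, r in results.items():
        if r["rcode"] != 0:
            findings.append(f"{src}: {RCODE_NAMES.get(r['rcode'], r['rcode'])}, no usable answer")
        elif reference is not None and src not in auth and r["a"] != reference:
            findings.append(f"{src}: {r['a']} differs from authoritative {reference}")
    answer_sets = {tuple(r["a"]) for r in results.values() if r["rcode"] == 0}
    if len(answer_sets) > 1:
        findings.append(f"{len(answer_sets)} distinct answer sets: resolvers disagree")
    return findings


# Constructed sample replies mirroring the post's observations for teamscrew.com.
SAMPLE_REPLIES = {
    "isp box": build_response("teamscrew.com", [], rcode=2),                  # Server failed
    "opendns": build_response("teamscrew.com", ["67.215.66.132"]),
    "ns1.dreamhost.com": build_response("teamscrew.com", ["66.33.212.15"], aa=True),
}


def sample_findings():
    return compare({src: parse_response(raw) for src, raw in SAMPLE_REPLIES.items()})


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

For a live run, replace `SAMPLE_REPLIES` with `{src: query("teamscrew.com", ip) for src, ip in {...}.items()}` using the resolver addresses from the post; recursive resolvers never set AA, so querying the zone's own NS is what gives `compare` its reference.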

After that, let's try to find out what's running on this server... I'm thinking of an IRC service to control bots, or a download/update service for compromised hosts.

I first try using the IP address DomainCrawler gave me:

C:\>nmap -O --osscan-guess 208.97.178.13

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:16 Paris, Madrid
Interesting ports on apache2-noxim.fuze.dreamhost.com (208.97.178.13):
Not shown: 990 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
113/tcp  open  auth
548/tcp  open  afp
587/tcp  open  submission
5222/tcp open  unknown
5269/tcp open  unknown
5666/tcp open  nrpe
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), D-Link embedded (87%), Linksys embedded (87%), Peplink embedded (87%)
Aggressive OS guesses: Linux 2.6.22 (97%), Linux 2.6.15 - 2.6.26 (94%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Linux 2.6.23 (92%), Linux 2.6.13 - 2.6.27 (89%), Linux 2.4.20 (Red Hat 7.2) (88%), Linux 2.6.17 - 2.6.28 (88%), Linux 2.6.22 - 2.6.23 (88%), Linux 2.6.24 - 2.6.28 (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds


What? It looks like an ADSL box?

But this is not the last surprise. If I do the same with the other IP address I got from DNS resolution, here is the result:
 
C:\>nmap -O --osscan-guess 66.33.212.15

Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-11 23:42 Paris, Madrid
Interesting ports on ps7371.dreamhost.com (66.33.212.15):
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
587/tcp  open  submission
1030/tcp open  iad1
5666/tcp open  nrpe
Device type: WAP|router|general purpose|storage-misc
Running (JUST GUESSING) : Linksys Linux 2.4.X (97%), Linux 2.4.X|2.6.X (97%), MikroTik RouterOS 3.X (94%), Belkin embedded (93%), ZyXEL embedded (91%), D-Link embedded (90%), Enterasys embedded (90%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (97%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (97%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (97%), MikroTik RouterOS 3.0beta5 (94%), Linux 2.6.21 (94%), Linux 2.6.18 - 2.6.27 (93%), Linux 2.4.21 - 2.4.31 (likely embedded) (93%), Linux 2.6.15 - 2.6.23 (embedded) (93%), Linux 2.6.15 - 2.6.24 (93%), Linux 2.6.15 - 2.6.26 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.91 seconds 
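Whether two scans like the ones above "look similar" is easier to state precisely than to eyeball: compare the open-port sets and the top OS guess. The following is an added example, not code from the original post: it parses nmap's normal output for the host line, the port table and the "Aggressive OS guesses" line, then reports shared and host-specific ports with a Jaccard similarity. The two texts are abridged from the scans shown above (only the port table and OS guess lines are kept); the script scans nothing itself.

```python
"""Added example (not from the original post): parse nmap normal output for two
hosts and compare their open ports and OS guesses.

Assumptions: SCAN_A and SCAN_B are abridged from the two scans in the post; the
port-line, host-line and OS-guess formats are those of Nmap 5's normal output.
"""
import re

SCAN_A = """\
Interesting ports on apache2-noxim.fuze.dreamhost.com (208.97.178.13):
Not shown: 990 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
113/tcp  open  auth
548/tcp  open  afp
587/tcp  open  submission
5222/tcp open  unknown
5269/tcp open  unknown
5666/tcp open  nrpe
Aggressive OS guesses: Linux 2.6.22 (97%), Linux 2.6.15 - 2.6.26 (94%), Linux 2.6.22 (Ubuntu, x86) (92%)
"""

SCAN_B = """\
Interesting ports on ps7371.dreamhost.com (66.33.212.15):
Not shown: 991 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
587/tcp  open  submission
1030/tcp open  iad1
5666/tcp open  nrpe
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (97%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (97%)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
HOST_LINE = re.compile(r"Interesting ports on (\S+) \(([\d.]+)\)")
OS_LINE = re.compile(r"Aggressive OS guesses: (.*)")
OS_GUESS = re.compile(r"(.+?) \((\d+)%\)(?:, |$)")   # tolerates commas inside guess names


def parse_nmap(text):
    """Host, IP, {port: service} for open ports, and [(os_guess, percent), ...]."""
    host = HOST_LINE.search(text)
    os_line = OS_LINE.search(text)
    guesses = [(n, int(p)) for n, p in OS_GUESS.findall(os_line.group(1))] if os_line else []
    return {"host": host.group(1) if host else None,
            "ip": host.group(2) if host else None,
            "ports": {int(p): svc for p, _proto, svc in PORT_LINE.findall(text)},
            "os": guesses}


def compare_scans(a, b):
    """Port-set overlap plus each host's top OS guess, for a like-for-like comparison."""
    pa, pb = set(a["ports"]), set(b["ports"])
    shared, union = pa & pb, pa | pb
    return {"shared": sorted(shared), "only_a": sorted(pa - pb), "only_b": sorted(pb - pa),
            "jaccard": round(len(shared) / len(union), 3) if union else 1.0,
            "top_os": (a["os"][0] if a["os"] else None, b["os"][0] if b["os"] else None)}


if __name__ == "__main__":
    result = compare_scans(parse_nmap(SCAN_A), parse_nmap(SCAN_B))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The same parser works on `nmap -oN` files, so a batch of hosts can be clustered by port-set similarity instead of read one by one.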

Surprisingly, the scan results look similar!

Until I have proof to the contrary, I therefore believe this is a malicious architecture, where boxes have been compromised and used to handle requests sent from compromised computers...
There is also a quite obvious DNS synchronization issue here. Still, OpenDNS remains the safest service to query.

If anybody has further details about that domain and those IP addresses, feel free to post a comment or send me an email.
10 March 2010, 00:01

Recently, someone asked to be added as a new MSN contact.

Even though I did not recognize the address, I accepted the invitation. This was for analysis purposes; I do NOT recommend anyone do the same!

Anyway, here is the contact: altagraciatehney09 AT hotmail.com

One night, that person went online and started talking to me. In less than a minute, I had the impression I was talking to a bot. See for yourself: the conversation (meaning her replies) is not logical...

The person said she was a girl. And shortly after that, she strongly suggested I connect to:
http://www.freecamlink.net/jwu9

[Screenshot: MSG1_MSN_pinkcamsecret.com_090310_annonym.jpg]

which redirects to:
http://www.pinkcamsecret.com

Here is a screenshot of it:
[Screenshot: capture_pinkcamsecret.com_090310.jpg]

Then the real trick came out: it was about "age checking"...
I was supposed to give a credit card number!

[Screenshot: MSG2_MSN_pinkcamsecret.com_090310_annonym.jpg]

I was curious to see who had registered the domain name. Here is a new surprise!
http://www.domaincrawler.com/domains/view/www.pinkcamsecret.com

Domains by Proxy, Inc!!!
An "old friend" from my VX watch 'n' analysis activity...! (For those who are not familiar with it, it's mainly a registrar providing anonymous WhoIs...)
9 March 2010, 22:12
Years ago, when I started to study viral threats, I discovered Zango.

Zango used viral techniques to spread and remain resident on compromised computers. I won't retell Zango's past here; search engines will do that for you if you want to try. Just a few examples:
http://www.spyany.com/program/article_adw_rm_Zango.html
http://www.virusbtn.com/news/virus_news/2006/11_21.xml
I was laughing out loud after reading this one: http://www.generation-nt.com/zango-logiciel-anti-espion-pc-tools-adware-spyware-actualite-41072.html (in French, sorry ;)

This time, one of the email addresses I use as 'honeypots' received a new email pretending to give me the opportunity to check whether some (former) MSN contacts had blocked me.
Well, this is very well known: at the very least, nobody knows what the guys will do with your MSN credentials after the "test":
- ID spoofing?
- social engineering?
- online purchase fraud (as part of)?

Anyway. I clicked on the link nonetheless, to see if there was any malicious file I could analyse.

Here is the URL:
http://www.kiblok.net/

[Screenshot: kiblock.net_accueil_080310.JPG]

First of all, if you just click on "connexion" without providing any credentials, Google Chrome will alert you. Fine, but... a bit late! Why on earth doesn't Chrome warn on the very first access to this suspicious website?

[Screenshot: kiblock.net_alert_Chrome_080310.JPG]

But this is not my last (nor least!) surprise. Out of reflex, I had a look at the source code of the web page (try:
view-source:http://www.kiblok.net/index.php?page=viewlist ).

I was astonished to notice the following link:
document.write('<scr' + 'ipt language="javascript" type="text/javascript" src="http://www.kiblok.net.powered-by.zango.com/?a772aa7bfe/ga679ab72f4&g"></scr' + 'ipt>

Wow! Powered by Zango!! Guess who was right to suspect it?

Hey guys, you couldn't be more discreet... :)
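The `'<scr' + 'ipt'` split is there so that a naive scan of the page source for `<script` tags misses the Zango loader; folding the string concatenation first makes it visible again. The block below is an added example, not code from the original post or from the site: it recovers script sources built inside `document.write()`, then reports which script hosts are third parties relative to the page's own domain. It assumes only single-quoted JavaScript string literals joined with `+`, which covers the trick shown here, and `SAMPLE_HTML` is constructed around the `document.write` line quoted above (the closing `');` is added here, since the quote in the post ends before it).

```python
"""Added example (not part of the original post): recover <script src=...> tags
that a page builds at run time through document.write() with the tag name split
across string literals ('<scr' + 'ipt'), then report which script hosts are third
parties relative to the page's own domain.

Assumptions: only single-quoted JS string literals joined with '+' are folded;
SAMPLE_HTML is constructed around the document.write line quoted in the post.
"""
import re
from urllib.parse import urlsplit

SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript">
document.write('<scr' + 'ipt language="javascript" type="text/javascript" src="http://www.kiblok.net.powered-by.zango.com/?a772aa7bfe/ga679ab72f4&g"></scr' + 'ipt>');
</script>
</head><body></body></html>
"""

WRITE_CALL = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.S)
STR_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")
SRC_ATTR = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def fold_concat(js_expr):
    """Join the string literals of an expression such as '<scr' + 'ipt>'."""
    return "".join(STR_LITERAL.findall(js_expr))


def script_sources(html, page_host):
    """Static and document.write()-built script sources, tagged first/third party."""
    srcs = SRC_ATTR.findall(html)                 # static tags ('<scr' does not match)
    for expr in WRITE_CALL.findall(html):
        srcs.extend(SRC_ATTR.findall(fold_concat(expr)))   # folded tags
    page_host = page_host.lower()
    out = []
    for src in srcs:
        host = (urlsplit(src).hostname or page_host).lower()   # relative src: same host
        first_party = host == page_host or host.endswith("." + page_host)
        out.append({"src": src, "host": host, "third_party": not first_party})
    return out


if __name__ == "__main__":
    for entry in script_sources(SAMPLE_HTML, "kiblok.net"):
        tag = "THIRD PARTY" if entry["third_party"] else "first party"
        print(f"{tag}: {entry['host']}  <- {entry['src']}")
```

Note the suffix test: `www.kiblok.net.powered-by.zango.com` contains the page's own domain as a prefix but does not end with `.kiblok.net`, which is what makes it a third-party host.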
 

26 November 2009, 00:23
A few people I recently met asked me why I write articles in English and not (or almost not) in French. Well... the thing is, Google Translate is not yet fully functional, and French used to be an international language, but things change.

So... voilà.
This article is based on an attack campaign announcement published by McAfee on its blog (AvertLabs):
http://www.avertlabs.com/research/blog/index.php/2009/11/19/malicious-java-applet-attack-surfaces-as-carrie-prejean-video/

A security monitoring service I know relayed this information, and I congratulate them for it.

Being passionate about virology, I couldn't help digging a little myself. Network Associates describes an attack campaign using a malicious Java applet, which tries to spread through poisoning of Google results ("SEO poisoning"). Of course, Java is nothing without its virtual machine, which must be installed beforehand on any machine that wants to run a Java applet. This helps reduce the target of this attack.

That is where I discovered other interesting elements, which McAfee does not mention in its article.

Searching a little through the search engines, I first found the exact query a user is supposed to type into Google, and which should lead them to a viral source:

Here it is:
http://www.google.fr/search?rlz=1C1CHNU_enFR333FR333&sourceid=chrome&ie=UTF-8&q=carrie+prejean+sextape+video+download

Among the first links (top 5!) one finds in particular this one:
http://tagally.com/main/article/1DOj
which actually relays to:
http://mvnews.info/carrie-prejean-sextape-video-download/

Note, by the way, that the keywords are present in the URL, which guarantees very good rankings in Google results for those same keywords.

On this URL, then, one can see a "fake Windows Media Player" embedded in the page, as it would be if a multimedia object called it through the browser.

Looking more closely, a link appears towards... a Chinese site!
http://yaknk.buenoos.cn/wbhoy

And there the trap closes: as soon as the user tries to interact with the booby-trapped web page, the "fake" Windows Media Player sends them an executable to download.
The name of the beast? It seems to vary over time. Here is an example: flash-HQ-plugin.40069.exe. In fact, the generic name is apparently: flash-HQ-plugin.ABCDE.exe.

So, as always, here is the response of a few security solutions to this viral threat:
- Secure Computing (TrustedSource): no detection
- IronPort: no detection (Friday 20/11/09, late in the evening...)
- Sophos Antivirus (embedded): detection on 20/11
- McAfee: no detection.

The VirusTotal results speak for themselves:
- Friday 20/11/09:
http://www.virustotal.com/fr/analisis/79bf6154cd49650caec6dbed02391447d683f1336fb35f0acb6783212d1b7399-1258749801
- Tuesday 26/11/09: http://www.virustotal.com/fr/analisis/1a7e51b8a01c6e13f292d6ee44315f9afc9e625c1048baf51638031af6f71508-1259192770
Note that in 6 days, only 1 more antivirus engine detects the file......

Obviously, compared with McAfee's article, the fact that this campaign distributes binary malicious code, and not Java, considerably extends the target perimeter of the attack!

Moreover, that is not even the worst of it. The viral code distributed through this Chinese domain seems to evolve over time. Having had the good idea of keeping my VirusTotal result from Friday 20/11/09, one notices that the engines detecting the "fake Flash" are not necessarily the same, or even better: the announced detection is not the same!
The screenshot below speaks for itself:

See in particular: the Sophos alert that changes, Authentium that no longer detects, and McAfee that sees nothing one time out of two...

One can also find other sites through the Google results, and through the links those same results point to. Some seem to correspond to yet other types of attack (notably a real-fake online lottery).

Examples:

- http://carrieprejeansextapevideo.com/   or http://tv.freeish.info/prejean-sextape/

redirects to:
http://www.freelotto.com/register.asp?skin=FWinner&affiliateid=ox174&noepu=1&partner=1059366
As some would say: "their UI hurts the eyes".

- http://celeb-sextapes.net/carrie+prejean+sex+tape  (no longer works)

- http://carrieprejeanvideodownload.topparked.com/  (partially works as of 26/11).

- http://clipmarks.com/clipmark/D5A02C68-3FCF-4D09-8251-1B6E3B817EFD/  which points to http://content3.clipmarks.com/view_clip.aspx?guid=D5A02C68-3FCF-4D09-8251-1B6E3B817EFD
itself pointing to: http://bear-hunter.biz/index.php?q=Carrie-Prejean-Sextape-Video

and the viral payload is hosted at: http://mediastarnetwork.net/xvidplayer.45206.exe

In short, in my view there was much more of interest in this attack than talking about the exploitation of a years-old Java flaw, to which any JVM from 1.4 onwards is no longer vulnerable:
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

That said, the installed Java base, especially in companies, is a real pain to update.
And there are far more MS VMs (Java v1.3) out there than people think. So when you also know that any Java other than 1.6 is obsolete (unless you have a business support contract)... the concern can persist.
20 October 2009, 21:33
Well, this is not new, but that's no reason not to talk about it, I guess.

This time, the supposed online MSN access server is hosted on the domain: come-face-the-truth.com.
To be more accurate, I recently received the following MSN message, coming from one of my contacts:

Here is a screenshot of the website the user is sent to if they click on the link provided in the MSN conversation:

Please don't give your MSN credentials to suspicious websites!

I also found this domain's WhoIs interesting: see
http://www.domaincrawler.com/domains/view/come-face-the-truth.com
- the server IP address is said to be in Hong Kong
- while all the provided contacts are located in Beijing.

Well, I would sincerely suggest everybody be careful with that.

What about security measures?

This URL is not yet very well classified within URL blocking systems, AFAIK, but:

- Google Chrome: no alert before the 19th of October. Now it does display a warning when trying to access the website. So Firefox should do so as well (Google Safe Browsing functionality).

- IE8? Nothing... I reported it to the SmartScreen system. Let's see what happens next.

- Safari? Nothing...

I'll give more details as I find out.