Tuesday, August 31, 2010

"Bindaas Spaces" Spam from India

For years I have been tracking an India-based spam operation which I'll call "Bindaas Spaces" (based on one of its primary domains).  Very little information about this spam ring has been published online to date; most of the information you'll find comes from my reports on McAfee SiteAdvisor and Web of Trust.  The organization has been spamming since October 2007 if not earlier.  Their unsubscribe request pages are not functional, meaning once you've been added to their list, there's no way to opt out.  Their primary domain registrar, Net 4 India, has completely ignored all spam and abuse reports that I have submitted.

I intend to update this blog post in the future whenever I discover new domains related to this spam ring.  If you have been spammed by this group, please see the "How to Report Spam from This Organization" section below.

Affiliated Domains

Following is a list of all the domains I'm aware of that this organization has linked or advertised in their spam.  I've included some relevant links to McAfee SiteAdvisor, Web of Trust, and/or URLVoid reports for these domains.  Many of the domains listed below are (or have previously been) classified as "yellow" or worse due to "suspicious behavior... which may pose a security risk," spam, and/or excessive popups:
How to Report Spam from This Organization

Please report this spam to the domain registrar by forwarding unsolicited e-mails that either contain links to or are sent from these domains (or redirect to/through one of these domains) to the registrar's abuse address. The most common registrar for these domains is Net 4 India Limited, whose abuse addresses are abuse@net4.in, abuse@net4domains.com, and abuse@net4india.net.  So far all of my reports to Net 4 India have been ignored.

These spammers violate CAN-SPAM by sending unsolicited commercial e-mail that does not contain functional opt-out instructions, does not clearly state that it's an advertisement, and never contains a postal mailing address. United States residents who receive any junk mail in violation of the CAN-SPAM Act should forward the e-mail to spam@uce.gov.

Please report spam to the anti-spam site KnujOn by forwarding the spam to nonregistered@coldrain.net.

If you receive spam that links to one of these domains through a bit.ly redirect URL, please forward the spam to abuse@bit.ly.  Thankfully, bit.ly takes spam reports seriously and will often put up an interstitial warning page when users click on a spammed bit.ly URL.  However, so far it appears that bit.ly hasn't shut down the spam group's bit.ly account; their account page with a list of several of their links can be found here: http://bit.ly/u/funnyjoke — note that a couple of their spammed links have gotten more than 100,000 clicks, and several others have had tens of thousands of clicks.

If you receive spam that links to one of these domains through a tiny.cc redirect URL, please forward the spam to tinylink@gmail.com.  So far all of my reports to tiny.cc have been ignored.

Also, please add a comment to this post if you have been spammed by the Bindaas Spaces operation, and share any affiliated domains you've seen linked in their spam (don't link to them, just paste the domain in plain text).


For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

Saturday, July 31, 2010

Favicon Security Issue Fixed in Safari 5.0

Earlier this month, Apple released Safari version 5.0 for Mac OS X v10.5 Leopard and v10.6 Snow Leopard as well as Windows XP, Vista, and 7 (in addition to Safari version 4.1 for Mac OS X v10.4 Tiger). Apple listed 49 separate security-related bug fixes in their "About the security content of Safari 5.0 and Safari 4.1" Knowledge Base article.

Apple fixed at least one other security-related issue that was not included in the list. I initially observed and reported this issue in June 2007 and again reported it on 15 June 2009. The following is based on my 2009 bug report submission to Apple:

Summary:
Safari has a checkbox for "Display images when the page opens" in the Appearance section of the Preferences dialog. When unchecked, this supposedly allows a user to disable the display of all images when a page opens. However, a Web page's favicon still loads even with this option unchecked. In the past, there have been numerous exploits in Safari where maliciously crafted images can lead to remote code execution, so it is very important that when people explicitly disable images, *ALL* images should be disabled.

Steps to Reproduce:
1) On any Mac or Windows PC, open Safari, go to the Preferences, go to the Appearance section, and uncheck "Display images when the page opens".
2) Go to any Web site that has a favicon and which you have not already visited (to ensure that the favicon isn't just being loaded from the cache). You will see that the favicon loads in the address bar even though the rest of the images on the page do not load.

Expected Results:
Safari should not load favicon images when "Display images when the page opens" is unchecked, so as to avoid exploitation and potential remote code execution via a maliciously crafted image.

Actual Results:
Safari loads favicon images regardless of whether "Display images when the page opens" is unchecked.

Regression:
This vulnerability has existed in Safari for many versions, including the latest version for Mac OS X and Windows. This bug has been verified to exist in the recently released Safari Version 4.0 (5530.17).

Notes:
I originally submitted this security bug report sometime after the original version of Safari for Windows was released (Safari 3.0). I will give Apple a reasonable period of time to fix this security problem before going public with this information.

I would appreciate Apple's acknowledgment of this issue and a time frame in which I can expect it to be fixed. Please reply ASAP. Thank you.

I discovered this issue because after the initial release of Safari for Windows I began using the Web browser as a sandbox for loading potentially harmful sites, disabling all active content (including JavaScript, Java, Flash and other plug-ins) as well as images.

Apple representatives e-mailed me after the release of Safari 5.0 and Safari 4.1 to inform me that this issue had finally been resolved.

Apple still has yet to resolve an arguably more serious issue: Safari 5.0.1 still hides the Status Bar by default, making it impossible to know a link's destination before clicking on it. The average user will not be security conscious enough to enable the Status Bar on his or her own. The workaround is simple (just select "Show Status Bar" in the "View" menu) but the point is that Apple should make it easier for its millions of Safari users to identify suspicious links with the default settings.



Friday, June 25, 2010

Deposit Scam: Malaysian Oil Company Manager

Deposit scams (also called 419 scams, advance-fee fraud schemes, etc.) are a common e-mail phenomenon. The sender typically purports to have some money that they need someone else to handle, claiming that if the e-mail recipient accepts the invitation to help, he or she will get to keep some of the money. Although many such scams have originated in Nigeria, there are numerous examples of this type of fraud from around the world.

Take for example this latest scam from someone who claims to be an oil company manager in Malaysia:
From: "Farouk Mohanla" {faroukmohanla @ gmail . com}
Reply-To: {faroukmohanla @ gmail . com}
Subject: Please read this message carefully.
Date: June 25, 2010
My name is Farouk Mohanla, I work as a manager for oil company here in Malaysia. I write to solicit your assistance and cooperative supports to enable us retrieve the balance of $10,000,000 which is for a contractor who executed a supply of Hi-Tec Crude Oil mini-refinery CDU Unit to my company, he passed on few months ago after completing his contract and left no beneficiary to his contract balance benefits upon completion. I need to know if you will stand as his beneficiary to receive his contract benefits.
I sincerely assure you this is absolutely risk-free and shall follow legal procedures in confirmation that there is no risk involved and with trust and understanding we would be able to collect these funds to our own mutual benefits. If you are interested reply me back.

Farouk Mohanla..
If someone you don't even know randomly e-mails you and offers you a share of $10 million, hopefully you'll recognize it as a scam and report it to the authorities and the e-mail provider of the Reply-To address (in this case Gmail).  For several major e-mail providers such as Gmail, Yahoo!, and Hotmail, the address for reporting fraudulent account activity is abuse@[provider's domain].com.  Reputable e-mail providers will suspend the offending account to ensure that nobody else can send replies to it. I also recommend forwarding such messages to depositscams@coldrain.net, operated by the anti-spam and anti-fraud organization KnujOn.

Further reading about deposit scams:
http://www.knujon.com/depscam.html
http://en.wikipedia.org/wiki/Advance-fee_fraud
http://www.ic3.gov/crimeschemes.aspx

If you believe you have been defrauded, you can file a complaint with the Internet Crime Complaint Center (IC3):
http://www.ic3.gov/

Speaking of online scams, Microsoft released a video earlier this month that supposedly shows what happened when they set up a fake bank in New York and asked real customers for their sensitive personal information. The video is an advertisement for Internet Explorer (which I don't necessarily recommend), and I should point out that all other major browsers (Firefox, Safari, Chrome, and Opera) also have built-in anti-phishing protection.




Monday, May 31, 2010

7 Easy Steps to Increase Adobe Reader Security

I've been meaning to write an article about Adobe security for some time.  Adobe Flash and Adobe Acrobat/Reader are considered by some to be necessary evils; Flash and PDF content is widely distributed on the Internet, but Adobe has a poor reputation when it comes to product security.

I recently worked on a PC that had become infected, and I determined through forensic analysis that the infection vector was a PDF exploit hosted on a malicious domain (see details at the end of this article).  I decided that it was time to write an article on how to improve Adobe Reader's security by tweaking some settings.  Note that these instructions are based on version 9.3.2, the latest version available as of when I'm writing this, but will likely apply to future versions as well.

7 Easy Steps to Increase Adobe Reader Security
  1. Download and install the latest version of Adobe Reader from http://get.adobe.com/reader/ (be sure to uncheck any toolbar options first).  After installation, open Adobe Reader and check for updates by clicking on the Help menu and selecting "Check for Updates...".  (You may be asking yourself why this is necessary when you just downloaded the latest version straight from Adobe's site.  Sadly, Adobe is notorious for distributing old versions of Reader that are not fully patched and leaving it up to the user to figure this out and patch it on their own.)  Install any updates as prompted.
     
  2. Disable JavaScript.  This rarely used feature of Adobe Reader is much more likely to do harm than good—in fact, lots of PDF malware uses it—so it's best to turn it off.  To do so, open Adobe Reader and click on the Edit menu and select "Preferences...".  (Note that in the Mac version of Adobe Reader, you'll find Preferences under the "Adobe Reader" menu directly to the right of the Apple menu.)  In the left side of the window, select JavaScript.  Now on the right side of the window you'll see a checkbox labeled "Enable Acrobat JavaScript".  Uncheck that box to disable JavaScript in Adobe Reader, then click OK.
      
  3. Disable "non-PDF file attachments".  This is another rarely used and potentially dangerous feature that Adobe currently enables by default.  To disable it, open Adobe Reader and click on the Edit menu and select "Preferences...".  In the left side of the window, select Trust Manager.  Now on the right side of the window in the "PDF File Attachments" section you'll see a checkbox labeled "Allow opening of non-PDF file attachments with external applications".  Uncheck that box to disable the feature, then click OK.  (For more information on why this feature is dangerous and should be disabled, see this blog post by Didier Stevens.)
      
  4. Enable "Automatically install updates".  Make sure that Adobe Reader is configured to update itself automatically.  Open Adobe Reader, click on the Edit menu, and select "Preferences...".  In the left side of the window, select Updater.  Now on the right side of the window in the "Check for updates" section you'll see a radio button labeled "Automatically install updates".  Click on that button to allow Adobe Reader to update itself automatically, then click OK.  (Note that this option is not available in the Mac version. The next best choice is "Automatically download updates, but let me choose when to install them".)
        
  5. Disable inline PDF display in your Web browsers.  This is a bit more extreme and may not be right for everyone since some legitimate sites require the ability to view embedded PDFs, but remember that accidentally browsing to a malicious or infected site with an embedded PDF can trigger an exploit and compromise your system; you'll have to weigh the pros and cons and decide for yourself whether this step is worth it for you.  The easiest way to disable PDF support for most Windows browsers is to open Adobe Reader, click on the Edit menu, select "Preferences...", then in the left side of the window select Internet, then on the right side of the window under "Web Browser Options" uncheck "Display PDF in browser", then click OK.
     
    The United States Computer Emergency Readiness Team (US-CERT) also recommends configuring Internet Explorer to not open PDF files without user interaction.  To do so, open the Notepad application (look in the Start menu under Programs, Accessories), paste the following text, and save it as a file with .REG at the end of the file name (e.g. DisableIEPDF.REG):
     
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

     
    After saving the .REG file, double-click on it to add the above to the Windows Registry.
     
    In the Mac version of Adobe Reader, the option you'll need to disable is "Display PDF in browser using:".  You will also need to disable Safari's built-in PDF reader functionality.  To do so, first open the Terminal application (in the /Applications/Utilities folder; if you can't find it, click on the magnifying glass in the top-right corner of the screen and type the word Terminal, then click on the application when it appears in the list).  Then type or paste the following command and then press Return or Enter:  

    defaults write com.apple.Safari WebKitOmitPDFSupport -bool YES
     
  6. Disable PDF preview in your file browser (i.e. Windows Explorer or the Mac OS X Finder).  This will prevent accidentally reading data from a malicious PDF file by merely opening the folder that contains that file.  On Windows, click on Start, Run (if you don't see Run, search for cmd and open it instead) and type or paste the following command and then press Enter:
     
    regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"
     
    You'll also want to make sure that the Windows Indexing service doesn't accidentally access a malicious PDF file.  The easiest way to do this is to disable the Indexing Service altogether.  If you're unfamiliar with how to disable Windows services, here's a tutorial that details how to disable the Indexing Service in Windows XP, Vista, and 7.  If you don't want to disable the Indexing Service entirely, US-CERT has some vague instructions for specifically disabling PDF integration with the service (note that the instructions are vague because each version of Adobe Acrobat and Adobe Reader puts its files in a different folder based on the version number, rather than sticking to something consistent like C:\Program Files\Adobe\Acrobat\ or C:\Program Files\Adobe\Reader\).
     
    On the Mac, PDF integration is a major part of the operating system, so disabling it entirely would be extremely difficult.  One way to potentially help prevent the OS (Leopard, Snow Leopard, or later) from accidentally previewing a malicious PDF is to change the Downloads folder in the Dock to display as a Folder in List view (as opposed to a Stack in Fan or Grid view, all of which show previews automatically).  To do so, right-click on Downloads (or hold down the Control key and click, if you're using a one-button mouse), and under "Display as" select Folder, then right-click on Downloads again and under "View content as" select List.  Now when new files are downloaded to the Downloads folder, a preview of the file won't appear in the Dock.  You can also disable previews in specific folders in the Finder, for example the desktop or the Downloads folder.  To disable file previews on the desktop or for a specific folder, click on the desktop or open the folder, then click on the View menu and select "Show View Options", then uncheck "Show icon preview".
       
  7. Install good antivirus software.  As an additional line of defense, antivirus software from a reputable company may catch some malicious PDFs when downloaded onto your system.  I list this step last because it is unwise to rely solely on antivirus software to catch malicious PDFs; there are lots of PDF vulnerabilities, many of which are yet undiscovered, and even the best antivirus won't protect against every undiscovered PDF exploit.
Note that these steps won't make your computer 100% safe from PDF exploits.  You will still need to make sure that Adobe Reader is properly updating itself.  Even if you keep Adobe Reader up-to-date, there's still the problem of zero-day vulnerabilities (security flaws that Adobe hasn't patched yet).  As demonstrated in my previous post, it's possible for a determined individual to find PDF vulnerabilities through fuzzing, which could lead to the creation of maliciously crafted PDF files.  Nevertheless, following the steps above will help mitigate the threat of malicious PDF documents infecting your computer.
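To see what steps 2 and 3 actually defend against, here is an added example (not code from the original post) that scans a PDF for JavaScript, automatic open actions and Launch/attachment actions, resolving the #xx name escapes and Flate-compressed streams that malicious files commonly use to hide them.  The sample documents are constructed inline, and RISKY_NAMES, scan_pdf and launch_pdf are names chosen for this example.

```python
import re
import zlib

# PDF name objects that indicate active or dangerous content.  Steps 2 and 3
# above disable Reader's handling of JavaScript and external launches; this
# scanner finds documents that carry them.  (Added example; constructed data.)
RISKY_NAMES = {
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript code",
    "/Launch": "Launch action (runs an external application)",
    "/EmbeddedFile": "embedded (non-PDF) file attachment",
    "/OpenAction": "action run automatically when the document opens",
    "/AA": "additional automatic actions",
}

_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")          # one PDF name token
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")             # #xx escape inside a name
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def unescape_name(token: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    raw = _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the decompressed body of every Flate stream in it,
    so names hidden inside compressed objects are visible to the scanner."""
    bodies = []
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the newline that precedes 'endstream'
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt); the raw scan still sees it
    return data + b"\n" + b"\n".join(bodies)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each risky name found, escapes resolved."""
    found = {}
    for m in _NAME_RE.finditer(inflate_streams(data)):
        name = unescape_name(m.group(0))
        if name in RISKY_NAMES:
            found[name] = found.get(name, 0) + 1
    return found


def risk_report(data: bytes) -> list:
    """One line per finding, e.g. '/JS: inline JavaScript code (x1)'."""
    return [f"{n}: {RISKY_NAMES[n]} (x{c})" for n, c in sorted(scan_pdf(data).items())]


# --- constructed sample documents (not real malware) ---------------------------
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Runs JavaScript when opened; the action name is hex-escaped to dodge grep.
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def launch_pdf() -> bytes:
    """A Launch action (what step 3 disables) hidden inside a Flate stream."""
    body = zlib.compress(b"<< /Type /Action /S /Launch /F (example.exe) >>")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("javascript", JS_PDF), ("launch", launch_pdf())):
        print(f"{label}: {risk_report(pdf) or 'no risky features'}")
```

Legitimate fillable forms also use /JavaScript and /AA, so treat a hit as a triage signal for closer inspection rather than a verdict.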

UPDATE, 1 Jun 2010 @ 13:28 PDT: Steven Burn from Ur I.T. Mate Group, maintainer of the excellent hpHosts site, e-mailed me to suggest a Windows alternative to Adobe Reader called Sumatra PDF.  According to the developer's site, Sumatra is "a slim, free, open-source PDF viewer for Windows. Portable out of the box."  It does not support JavaScript or launching external applications like cmd.exe from within PDF files, making it inherently safer out of the box than Adobe Reader or Foxit Reader.  I'm very interested to know how well Sumatra handles other types of vulnerabilities and fuzzed PDFs; readers, if you're aware of any research on this, please post a comment.


Following are some details about the malicious domain that I mentioned earlier, and an affiliated domain:

http://safeweb.norton.com/report/show?name=relwqin.com
http://www.malwareurl.com/listing.php?domain=relwqin.com
http://www.mywot.com/en/scorecard/relwqin.com
http://hosts-file.net/?s=relwqin.com

http://www.mywot.com/en/scorecard/antispyfortress.com
http://www.siteadvisor.com/sites/antispyfortress.com#reviewercommentssummary
http://www.malwareurl.com/listing.php?domain=antispyfortress.com



Friday, April 9, 2010

Charlie Miller on Pwn2Own, Mac Security, and Fuzzing

I recently interviewed Charlie Miller about Mac security for MacTech Magazine's podcast, MacTech Live. Charlie talked about fuzzing, a technique that can be used to find vulnerabilities in software. Using 5 lines of Python code, Charlie recently fuzzed PDFs to test Adobe Reader and Apple Preview, and PPTs to test Microsoft PowerPoint and OpenOffice.org Impress, and found dozens of exploitable bugs (approximately 20 of which he was prepared to use at CanSecWest to remotely exploit Safari).

Charlie recently won the Mac prize at CanSecWest's Pwn2Own contest for the third year in a row by successfully executing a remote code exploit against Safari on a fully patched Mac.

Listen to or download the interview (19 minutes): MP3

If you enjoy the interview, you may also be interested in checking out:


Thursday, April 8, 2010

Google Analytics Typosquatters Hosting Malicious JavaScript Files

Typosquatting has been around practically since the dawn of the Web. Often if you're typing a site address whose domain ends in .gov or .org and you mistakenly type .com or .net instead, you'll end up somewhere you didn't expect. There are also countless domains based on various misspellings of google.com, microsoft.com, and numerous other sites.

I recently noticed when browsing through MalwareURL's database that some malefactors are actively using typosquatted Google Analytics domains for nefarious purposes. Google Analytics is a service that allows webmasters to keep track of anonymized statistics about visits to their site. The recently discovered typosquatted Google Analytics domains contain a JavaScript file named urchin.js or ga.js in the root directory—the same filenames and locations of the scripts on the real Google Analytics domain (google-analytics.com).

The operators of the typosquatter domains probably have one of the following scenarios in mind. The first is that they're banking on the idea that some webmasters might have mistyped the Google Analytics code (very unlikely since virtually everyone would have copied and pasted the code directly from Google's site), and if they mistyped the domain just so, they could end up inadvertently injecting malicious JavaScript code into their Web pages. The second scenario is that the typosquatters plan to put this code into their own pages, and they're hoping that individuals or companies that maintain their own URL blacklists might have made the mistake of whitelisting */urchin.js or */ga.js instead of whitelisting the full URL of those scripts on the official Google domain. Either way, it seems like there's an extremely remote chance that it would actually make a difference to go to the trouble of trying to emulate Google Analytics' JavaScript URLs, but someone did it anyway.

To mitigate the threat of malicious JavaScript code, you can do your casual Web browsing or searching in a separate browser with JavaScript disabled. More advanced users may prefer to use the NoScript add-on for Firefox.
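As an added example (not code from the original post), the following Python check audits the script tags of a page and flags any urchin.js or ga.js that is served from a host other than the genuine google-analytics.com, scoring how closely the host imitates the real one; it is the host-based rule that a */urchin.js whitelist entry gets wrong.  The sample page and its look-alike hosts are constructed for the example, and classify_script, audit_page and impostors are names chosen here.

```python
import re
from urllib.parse import urlsplit

# Hosts that genuinely serve urchin.js / ga.js.  Anything else serving a
# file by those names is treated as an impostor: the check is on the host,
# never on the file name alone.  (Added example; constructed sample data.)
GENUINE_HOSTS = {"google-analytics.com", "www.google-analytics.com",
                 "ssl.google-analytics.com"}
ANALYTICS_FILES = {"urchin.js", "ga.js"}
REAL_LABEL = "google-analytics"

_SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 or 2 from the real label is the classic
    typosquat (google-abalytics, gogle-analitics, ...)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def script_sources(html: str) -> list:
    """All <script src=...> URLs in the page, in document order."""
    return _SCRIPT_SRC_RE.findall(html)


def classify_script(src: str) -> dict:
    """Verdict for one script URL.  A file named like the real Analytics script
    is 'genuine' only when the host matches exactly; an allow rule written as
    */urchin.js would wave every impostor below through."""
    parts = urlsplit(src, scheme="http")           # handles //host/path too
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    result = {"src": src, "host": host, "file": filename}
    if filename not in ANALYTICS_FILES:
        result["verdict"] = "unrelated"
    elif host in GENUINE_HOSTS:
        result["verdict"] = "genuine"
    elif not host:
        result["verdict"] = "local-copy"            # same-origin copy; review by hand
    else:
        # Second-level label (google-abalytics in google-abalytics.info) against
        # the real one, to show how close the imitation is.
        label = host.rsplit(".", 1)[0].split(".")[-1]
        result["verdict"] = "impostor"
        result["distance"] = levenshtein(label, REAL_LABEL)
    return result


def audit_page(html: str) -> list:
    """Classify every script on the page."""
    return [classify_script(src) for src in script_sources(html)]


def impostors(html: str) -> list:
    """Just the script URLs that imitate Google Analytics."""
    return [r["src"] for r in audit_page(html) if r["verdict"] == "impostor"]


# Constructed sample page: one genuine tag, three impostors patterned on the
# look-alike domains discussed above (203.0.113.5 is a documentation address).
SAMPLE_HTML = """<html><head><title>constructed sample</title>
<script type="text/javascript" src="http://www.google-analytics.com/urchin.js"></script>
<script src='//google-abalytics.info/urchin.js'></script>
<script src="http://gogle-analitics.info/ga.js"></script>
<script src="http://203.0.113.5/ga.js"></script>
<script src="/static/jquery.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for r in audit_page(SAMPLE_HTML):
        extra = f"  (edit distance {r['distance']})" if "distance" in r else ""
        print(f"{r['verdict']:10} {r['src']}{extra}")
```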

Following are additional details that may be of interest to fellow security researchers, including reports for the domains that have been actively hosting malicious urchin.js files in their root directories within the past week and domains to which the obfuscated JavaScript code attempted to redirect:


Following are VirusTotal analyses for each of 11 variants of this JavaScript (note that these are current scans, not the original scans prior to when I submitted samples to AV vendors):


These variants have been variously detected as JS:Downloader-LP, JS.Crypt.CSA, JS.Siggen.84, JS/Agent.LP!tr.dldr, JS/Crypted.CP.gen, JS/Downloader, JS/Pakes, JS/Psyme.PP!tr.dldr, JS/Redir.AG.gen, JS/Redirector, JS/Redirector.AM!tr, TR/Click.Agent.NG, TR/Click.Agent.NI, TR/Dldr.Agent.fei.2, TR/Dldr.Agent.fej, TR/Dldr.Agent.fek, TR/Dldr.Agent.fel, TR/Dldr.Agent.fem, TR/Redirector.BU, TR/Redirector.BU.1, TR/Redirector.BU.2, Trojan-Clicker.JS.Agent.ng, Trojan-Clicker.JS.Agent.ni, Trojan-Downloader.JS.Agent.fei, Trojan-Downloader.JS.Agent.fej, Trojan-Downloader.JS.Agent.fek, Trojan-Downloader.JS.Agent.fel, Trojan-Downloader.JS.Agent.fem, Trojan.Click.Agent.NG, Trojan.Click.Agent.NI, Trojan.Clicker.JS, Trojan.Dldr.Agent.fei.2, Trojan.Dldr.Agent.fej, Trojan.Dldr.Agent.fek, Trojan.Dldr.Agent.fel, Trojan.Dldr.Agent.fem, Trojan.JS.Redirector, Trojan.JS.Redirector!IK, Trojan.JS.Redirector.bu, Trojan.Redirector.BU, Trojan.Redirector.BU.1, Trojan.Redirector.BU.2, Trojan.Script.397828, Trojan/JS.Redirector, Virus.JS.Downloader.LP, Virus.JS.Downloader.LP!IK, etc.

Additional domains that were actively hosting malicious urchin.js files in January or February according to MalwareURL:


Here's another that apparently hosted a malicious ga.js file last month:

91.213.174 .101
http://www.mywot.com/en/scorecard/91.213.174.101

Strangely enough, most (if not all) of the domains to which the JavaScript code tries to redirect are offline. The Wepawet reports indicate that the sites were also offline when they conducted their initial scans.

See MalwareURL's lists of sites hosting urchin.js or ga.js files:
http://www.malwareurl.com/search.php?urls=on&rp=200&s=urchin.js
http://www.malwareurl.com/search.php?urls=on&rp=200&s=ga.js



Monday, March 15, 2010

"Play 2 Emulator" Malware

Chris Boyd, Senior Threat Researcher for Sunbelt Software, recently blogged about a malicious site (appzkeygen .com) that claims to distribute a crack, keygen, and serial for "Play 2 Emulator" which the site claims is "a Playstation 2 Emulator that is by far superior to all other PS2 Emulators released before it."  However, the files linked from the site have nothing to do with PlayStation 2 emulation; they're actually Trojan downloaders that will install malware on a victim's computer.

According to Boyd, "A pair of files will be dropped onto your PC, including a randomly named executable in the Windows directory and xpysys.dll in your System32 Folder. You’ve actually wound up with Trojan-Downloader.Win32.CodecPack.2GCash.Gen."  Boyd says that this malware has been associated with fake antivirus and fake codec scams.

I've done some additional research over the past few days and have found that the appzkeygen site has been updated daily with new download locations, each hosted on a new domain.  The malware changes slightly each time, as well; the MD5 hash is never the same, and most of the major antivirus vendors have had difficulty detecting the new variants.  The first variant I discovered was detected by only 3 out of 42 antivirus engines in the initial VirusTotal scan, and the latest variant was only detected by 13 out of 42 engines on its initial scan.  I have been submitting each sample to antivirus vendors and eventually most of them add detection for it, but unfortunately most vendors don't seem to be doing a very good job of using heuristics to identify and detect new variants automatically.

Details of the samples I've discovered so far, courtesy of VirusTotal:
File names: Crack_Play.2.Emulator.45059.exe, Keygen_Play.2.Emulator.45059.exe, Serial_Play.2.Emulator.45059.exe
File size: various including 82432 bytes, 84480 bytes, 89088 bytes
MD5...: various including ad566f1b58cdd7c7474df7769cb6df35, d146e96f86500d6f29b81912129d607f, e3a16274d2533c6bc80fbff38f13f5e9, 70722ca6f3995289acda48831f869e56, b094bae6429ec1b23ea588e286273028
SHA1..: various including b76dfe9b6218f66d344eb7dc40e012a4fc4733d0, d74402483f0d596313ffc71ba426d2450c6b7fa8, 26af00d4c02c251f677c16204d513842dd264948, 863c259827090f7ab574578476951fc2529bc841, 4d77f6399298ece12c3eaa6d7078618fb363f3cd
SHA256: various including
7bc482933d9f90585986abba32a8ddeb771c906ccff2389d9fb1ed29c41b0106, acc8413dfe0b510e42f2a0805d33d2ff09246532e3703330beb973d63ac68c62, aedfe6ce93b19f5fc612623558b48eda89e1b3d9afb30d7c162a70ae7b09f2d2, 52e0ae04d942dc5a749a2d265f73042612e394f503d4a5366b5e2f5167adbbb5, 793ff610c1e24fa44b35e13e76d3dd1f54db8a593bf172e34cd29d00789067bf
Variant 1 initial detection:  3/42 as of 2010.03.12 00:07:05 (UTC)
Variant 1 current detection: 33/42 as of 2010.03.15 17:15:39 (UTC)
Variant 2 initial detection: 11/41 as of 2010.03.12 17:46:27 (UTC)
Variant 2 current detection: 34/42 as of 2010.03.15 17:20:15 (UTC)
Variant 3 initial detection:  9/41 as of 2010.03.13 22:33:51 (UTC)
Variant 3 current detection: 26/42 as of 2010.03.15 17:20:49 (UTC)
Variant 4 initial detection: 10/42 as of 2010.03.14 06:09:36 (UTC)
Variant 4 current detection: 25/42 as of 2010.03.15 17:21:22 (UTC)
Variant 5 initial detection: 13/42 as of 2010.03.15 16:08:37 (UTC)
Variant 6 initial detection: 10/42 as of 2010.03.16 02:29:09 (UTC)
Variant 7 initial detection: 10/42 as of 2010.03.16 04:11:37 (UTC)

Variously identified as: a variant of Win32/Kryptik.CZE, a variant of Win32/Kryptik.DAQ, FakeAlert-MA.gen, FakeAlert.BWTM, FakeAV.AFB, Generic17.AKG, Mal/FakeAV-CO, Medium Risk Malware Dropper, Packed.Win32.Krap, Packed.Win32.Krap.as, Packed/Win32.Krap, Packed/Win32.Krap.gen, Packer.Win32.Agent.GEN, Sus/UnkPack-C, Suspicious.Insight, TR/Agent.AS.1828, TR/Agent.AS.2131, Trj/CI.A, TROJ_RENOS.SMAD, Trojan-Downloader:W32/Renos.gen!C, Trojan-Downloader.Win32.CodecPack, Trojan-Downloader.Win32.CodecPack.ktn, Trojan-Downloader/W32.CodecPack.84480.D, Trojan.Agent.AS.1828, Trojan.Agent.AS.2131, Trojan.DL.Renos.JEX, Trojan.DL.Win32.Crypt.ur, Trojan.DownLoader1.2182, Trojan.FraudPack-3439, Trojan.FraudPack-3440, Trojan.Gen, Trojan.Generic.KD.3368, Trojan.Generic.KD.3645, Trojan.Generic.KD.3955, Trojan.Generic.KD.4004, Trojan.Win32.Downloader.84480.AR, Trojan.Win32.Fraudpack, Trojan.Win32.Generic!BT, Trojan.Win32.Generic!SB.0, Trojan.Win32.Krap.82432.C, Trojan/FakeAV.gen, Trojan/Krap.as, TrojanDownloader:Win32/Renos.KO, W32/FAKEAV.CO!tr, W32/FraudPack.E!Generic, W32/Krap.AS!tr, W32/Packkrap.AS!tr, Win-Trojan/Agent.82432.BV, Win-Trojan/Downloader.84480.Q, Win32:Trojan-gen, Win32.DownloaderReno, Win32/FakeAlert.C!generic, Win32/TrojanDownloader.FakeAlert.AQI, Win32/Wardunlo.EG, etc.
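The detection figures above are the useful part of this story: every repacked variant starts out nearly invisible and only climbs after samples are submitted by hand. The following script is an added example (not code from the original post) that parses those VirusTotal-style lines and summarises, per variant, the initial rate, the latest rate and how many hours passed between the two scans. The scan log is constructed from the numbers quoted above; the line format and the helper names are my own.

```python
import re
from datetime import datetime

# Constructed from the VirusTotal figures quoted in this post (all times UTC).
SCAN_LOG = """\
Variant 1 initial detection:  3/42 as of 2010.03.12 00:07:05 (UTC)
Variant 1 current detection: 33/42 as of 2010.03.15 17:15:39 (UTC)
Variant 2 initial detection: 11/41 as of 2010.03.12 17:46:27 (UTC)
Variant 2 current detection: 34/42 as of 2010.03.15 17:20:15 (UTC)
Variant 3 initial detection:  9/41 as of 2010.03.13 22:33:51 (UTC)
Variant 3 current detection: 26/42 as of 2010.03.15 17:20:49 (UTC)
Variant 4 initial detection: 10/42 as of 2010.03.14 06:09:36 (UTC)
Variant 4 current detection: 25/42 as of 2010.03.15 17:21:22 (UTC)
Variant 5 initial detection: 13/42 as of 2010.03.15 16:08:37 (UTC)
Variant 6 initial detection: 10/42 as of 2010.03.16 02:29:09 (UTC)
Variant 7 initial detection: 10/42 as of 2010.03.16 04:11:37 (UTC)
"""

# One detection line: variant number, stage, hits/engines and the scan timestamp.
LINE_RE = re.compile(
    r"Variant (?P<variant>\d+) (?P<stage>initial|current) detection:\s*"
    r"(?P<hits>\d+)/(?P<engines>\d+) as of "
    r"(?P<when>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \(UTC\)"
)


def parse_scan_log(text):
    """Return {variant: {"initial": (hits, engines, datetime), "current": ...}}."""
    scans = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a detection line
        when = datetime.strptime(m["when"], "%Y.%m.%d %H:%M:%S")
        scans.setdefault(int(m["variant"]), {})[m["stage"]] = (
            int(m["hits"]), int(m["engines"]), when)
    return scans


def detection_summary(scans):
    """Per variant: initial and latest detection ratio, and hours between the two scans.

    A variant that has only been scanned once reports its initial scan as the latest one.
    """
    rows = []
    for variant in sorted(scans):
        initial = scans[variant]["initial"]
        current = scans[variant].get("current", initial)
        rows.append({
            "variant": variant,
            "initial_rate": round(initial[0] / initial[1], 3),
            "current_rate": round(current[0] / current[1], 3),
            "hours_to_latest_scan": round((current[2] - initial[2]).total_seconds() / 3600, 2),
        })
    return rows


def initial_rate_ceiling(rows):
    """Best first-scan detection rate across all variants: a measure of how well
    heuristic/generic signatures coped with the daily repacking."""
    return max(r["initial_rate"] for r in rows)


if __name__ == "__main__":
    summary = detection_summary(parse_scan_log(SCAN_LOG))
    for row in summary:
        print(row)
    print("best initial rate:", initial_rate_ceiling(summary))
```

The same parser works on any list of scan results kept in this shape, so a responder can track whether a vendor submission actually produced detection within a day or two of a new variant appearing.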
Behavioral analyses of the fifth variant:
According to the Panda Autovin behavioral analysis, the latest variant may install sshnas21.dll into the system32 folder.  When cleaning this infection, be sure to remove xpysys.dll and sshnas21.dll if you find them in the C:\WINDOWS\system32\ directory.  You may need to boot from a live CD to delete these files, or alternatively you can try using a utility such as FileASSASSIN from Malwarebytes.
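Before deleting anything it helps to know exactly which files on a suspect machine match the indicators from this post. The script below is an added example (not from the original post) that walks a directory, hashes every file, and reports, without deleting, anything whose name is one of the two dropped DLLs or whose MD5 is one of the hashes quoted here (the five keygen variants plus the setup.exe from the lookpike domain). The `make_demo_directory` fixture with its constructed files, and all function names, are my own assumptions so that the script can be exercised offline; on a real system you would point it at `%SystemRoot%\system32`.

```python
import hashlib
import os
import tempfile

# Indicators quoted in this post: the two DLLs dropped into system32 and the MD5s
# VirusTotal reported for the keygen variants and the lookpike setup.exe.
KNOWN_BAD_NAMES = {"xpysys.dll", "sshnas21.dll"}
KNOWN_BAD_MD5 = {
    "ad566f1b58cdd7c7474df7769cb6df35", "d146e96f86500d6f29b81912129d607f",
    "e3a16274d2533c6bc80fbff38f13f5e9", "70722ca6f3995289acda48831f869e56",
    "b094bae6429ec1b23ea588e286273028", "6a358143bac4b30e2103b052f2c5965a",
}


def file_hashes(path):
    """MD5 and SHA-256 of a file, read in chunks so large files need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_directory(root, bad_names=KNOWN_BAD_NAMES, bad_md5=KNOWN_BAD_MD5):
    """Report (never delete) files whose name or MD5 matches the indicators."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in bad_names:
                reasons.append("filename matches a DLL this malware drops")
            try:
                md5, sha256 = file_hashes(path)
            except OSError as err:
                # A locked or unreadable file is itself worth noting; the post
                # mentions needing a live CD to remove these DLLs.
                reasons.append(f"unreadable ({err.strerror})")
                findings.append({"path": path, "reasons": reasons})
                continue
            if md5 in bad_md5:
                reasons.append("MD5 matches a known sample")
            if reasons:
                findings.append({"path": path, "md5": md5, "sha256": sha256, "reasons": reasons})
    return findings


def finding_names(findings):
    """Sorted base names of the reported files (convenience for reporting and tests)."""
    return sorted(os.path.basename(f["path"]) for f in findings)


def make_demo_directory():
    """Constructed fixture: a temp dir with one name match, one hash match and one clean file.

    Returns the directory and the MD5 of the constructed 'sample' so a caller can add
    it to the blocklist and see a hash match without needing the real binaries.
    """
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    sample = b"constructed stand-in for a repacked dropper"
    for name, content in [("xpysys.dll", b"constructed"),
                          ("notes.txt", b"harmless"),
                          ("abcd1234.exe", sample)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root, hashlib.md5(sample).hexdigest()


if __name__ == "__main__":
    target = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    for hit in scan_directory(target):
        print(hit["path"], "->", "; ".join(hit["reasons"]))
```

Hash matches only ever catch the exact samples already seen, which is why the name check is kept alongside them; the randomly named executable in the Windows directory that Boyd describes will match neither, so this sweep confirms an infection rather than ruling one out.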

Following are links to Web of Trust reports for appzkeygen .com, affiliated download sites, and several domains to which the malware phones home:
UPDATE, 15 Mar 2010 @ 21:16 PDT: I've added information above about a sixth and seventh variant and the domains that host them (mediaatmedia .com and fileutiliteenligne .com).

Also, I've done some further investigation into one of the files that this malware downloads from the lookpike domain:
File name: setup.exe
File size: 97280 bytes
MD5...: 6a358143bac4b30e2103b052f2c5965a
SHA1..: fba4d30cd8bd5e75e39621dc43166f29872d4d4a
SHA256: 50509fed7e729d3525825869cd1b163cd8aad8fc5c56cde8c9932d942b332321

Initial detection:  9/42 as of 2010.03.16 02:54:38 (UTC)

Variously identified as: (Suspicious) - DNAScan, Backdoor.Tidserv, Backdoor.Tidserv!gen3, Heur.Packed.Unknown, Sus/UnkPack-C, Trj/Genetic.gen, Trojan.Generic.KD.4024, Trojan.Win32.Generic!BT, etc.
ThreatExpert report
Anubis report
    UPDATE, 16 Mar 2010 @ 09:44 PDT: I've added two new domains hosting this malware (dvdhomemedia .com and videodatavoice .com).  19:48 PDT: Added mediaprogrammet .com.

    UPDATE, 18 Mar 2010 @ 09:38 PDT: I've added two new domains that have hosted this malware (besttoolsonline .com and supermovieplugins .com).


    For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

    Monday, February 1, 2010

    New Koobface Domains [Updated]

    Following are several domains affiliated with the Koobface worm, most of which are new or not widely known yet in the security community:
    Many of the Wepawet reports also include a number of malicious URLs hosted at various IP addresses, at least some of which appear to be individual infected PCs whose IPs are probably dynamically assigned by the ISP.

    Credit to my wife for reporting suspicious bit.ly redirect URLs that were being spread by a hacked Facebook account, which led to my investigation and discovery of these domains.

    *Note that some of these domains were registered years ago. Their homepages may or may not be safe, but specific URLs hosted on these domains redirect to malicious sites or contain malware. Until the site owners remove the infected pages, these domains should not be trusted.

    UPDATE, 8 Feb 2010 @ 06:20 PST: Added a second batch of sites.
    UPDATE, 8 Feb 2010 @ 13:40 PST: Added pablopicassosite and VirusTotal links.
    UPDATE, 8 Apr 2010 @ 21:30 PDT: I recently noticed that the Unmask Parasites blog linked back to this post. They've added an incredible amount of depth to this discussion, so please check out their article.



    Monday, January 11, 2010

    Malicious Site Reports: Dangerous .RU Domains

    The following .ru domains were all privately registered on one of two dates (2009.10.28 or 2009.11.22), were all last updated on the same date (2010.01.11), and all have been reported by Websense Security Labs, Malware Domain List, or others as being malicious.  Following are links to each domain's Web of Trust report:

    http://www.mywot.com/en/scorecard/ampsguide.ru
    http://www.mywot.com/en/scorecard/bestbob.ru
    http://www.mywot.com/en/scorecard/burkewebservices.ru
    http://www.mywot.com/en/scorecard/carswebnet.ru
    http://www.mywot.com/en/scorecard/funwebmail.ru
    http://www.mywot.com/en/scorecard/greatwebradio.ru
    http://www.mywot.com/en/scorecard/guidebat.ru
    http://www.mywot.com/en/scorecard/johnsite.ru
    http://www.mywot.com/en/scorecard/lagworld.ru
    http://www.mywot.com/en/scorecard/manbest.ru
    http://www.mywot.com/en/scorecard/suesite.ru
    http://www.mywot.com/en/scorecard/superaguide.ru
    http://www.mywot.com/en/scorecard/superore.ru
    http://www.mywot.com/en/scorecard/theaonline.ru
    http://www.mywot.com/en/scorecard/theatticsale.ru
    http://www.mywot.com/en/scorecard/theaworld.ru
    http://www.mywot.com/en/scorecard/thechocolateweb.ru
    http://www.mywot.com/en/scorecard/thelaceweb.ru
    http://www.mywot.com/en/scorecard/themobilewindow.ru
    http://www.mywot.com/en/scorecard/themobisite.ru
    http://www.mywot.com/en/scorecard/usaworldwideweb.ru
    http://www.mywot.com/en/scorecard/warbest.ru
    http://www.mywot.com/en/scorecard/webdesktopnet.ru
    http://www.mywot.com/en/scorecard/webdirectbroker.ru
    http://www.mywot.com/en/scorecard/weblessnet.ru
    http://www.mywot.com/en/scorecard/webnetenglish.ru
    http://www.mywot.com/en/scorecard/webnetlender.ru
    http://www.mywot.com/en/scorecard/webnetloans.ru
    http://www.mywot.com/en/scorecard/worldsouth.ru
    http://www.mywot.com/en/scorecard/worldwebworld.ru
    http://www.mywot.com/en/scorecard/xboxliveweb.ru

    Links to these sites usually contain deceptive subdomains and directories in an attempt to trick novice Web users and to increase search result rankings (see example URLs by clicking on the Malware Domain List link below).
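Deceptive subdomains are exactly what defeats naive string matching: a filter that looks for a blocked name anywhere in the URL will miss `something.bestbob.ru` if it compares whole hostnames, and will wrongly flag this very post's Web of Trust links if it compares substrings. The script below is an added example (not from the original post) that reduces each URL to its registrable domain and checks that against the list of .ru domains above. The sample URLs are constructed in the style the post describes, not real links from it, and the one-label-suffix rule is an assumption that holds for .ru but not for multi-label suffixes such as .co.uk, where a public suffix list should be used instead.

```python
from urllib.parse import urlsplit

# The privately registered .ru domains listed in this post.
BLOCKED_RU_DOMAINS = {
    "ampsguide.ru", "bestbob.ru", "burkewebservices.ru", "carswebnet.ru",
    "funwebmail.ru", "greatwebradio.ru", "guidebat.ru", "johnsite.ru",
    "lagworld.ru", "manbest.ru", "suesite.ru", "superaguide.ru", "superore.ru",
    "theaonline.ru", "theatticsale.ru", "theaworld.ru", "thechocolateweb.ru",
    "thelaceweb.ru", "themobilewindow.ru", "themobisite.ru", "usaworldwideweb.ru",
    "warbest.ru", "webdesktopnet.ru", "webdirectbroker.ru", "weblessnet.ru",
    "webnetenglish.ru", "webnetlender.ru", "webnetloans.ru", "worldsouth.ru",
    "worldwebworld.ru", "xboxliveweb.ru",
}


def registrable_domain(host, suffix_labels=1):
    """Last suffix_labels+1 labels of a hostname ("a.b.c.ru" -> "c.ru").

    Assumes a single-label public suffix, which is right for .ru; use a public
    suffix list for domains under suffixes like .co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < suffix_labels + 1:
        return None
    return ".".join(labels[-(suffix_labels + 1):])


def classify_url(url, blocklist=BLOCKED_RU_DOMAINS):
    """Return match details if the URL's host is on or under a blocked domain, else None.

    Only the hostname is consulted, so a blocked name appearing in the path
    (e.g. a scorecard or report page about the domain) is not a match.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    if not host:
        return None
    base = registrable_domain(host)
    if base not in blocklist:
        return None
    prefix = host[: len(host) - len(base)].rstrip(".")
    return {"host": host, "blocked_domain": base,
            "deceptive_prefix": prefix, "path": parts.path}


# Constructed URLs illustrating the pattern; none is a real link from the post.
SAMPLE_URLS = [
    "http://secure-update.video-codec.bestbob.ru/scan/index.php",
    "http://free-movies.online.theatticsale.ru/watch/",
    "http://www.mywot.com/en/scorecard/bestbob.ru",
    "http://example.com/",
]


def classify_all(urls=SAMPLE_URLS):
    """Classify a batch of URLs; returns (url, match-or-None) pairs."""
    return [(u, classify_url(u)) for u in urls]


if __name__ == "__main__":
    for url, match in classify_all():
        print(url, "->", match["blocked_domain"] if match else "clean")
```

Keeping the deceptive prefix in the result is deliberate: the labels in front of the registered domain are the social-engineering part of the link, and logging them shows what the page was pretending to be.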

    Sources:
    http://twitter.com/websenselabs/status/7449997556
    http://www.malwaredomainlist.com/mdl.php?search=dibs%40freemailbox.ru&colsearch=All&quantity=All
    http://www.siteadvisor.com/sites/burkewebservices.ru/postid/?p=3454286#post3454286

    See also these various other reports for the domains listed above:

    http://safeweb.norton.com/report/show?name=bestbob.ru ("red" rating for viruses)
    http://safeweb.norton.com/report/show?name=carswebnet.ru ("red" rating for viruses)
    http://safeweb.norton.com/report/show?name=guidebat.ru ("red" rating for viruses)
    http://safeweb.norton.com/report/show?name=superore.ru ("red" rating for viruses)
    http://safeweb.norton.com/report/show?name=theatticsale.ru ("red" rating for viruses)
    http://hosts-file.net/?s=theatticsale.ru ("EXP" category: "sites engaged in or alleged to be engaged in the exploitation of browser and OS vulnerabilities as well as the exploitation of gray-matter")
    http://safeweb.norton.com/report/show?name=themobilewindow.ru ("red" rating for viruses)
    http://safeweb.norton.com/report/show?name=themobisite.ru ("red" rating for viruses)
    http://www.siteadvisor.com/sites/weblessnet.ru ("red" rating: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution.")
    http://safeweb.norton.com/report/show?name=webnetenglish.ru ("red" rating for viruses)
    http://www.siteadvisor.com/sites/webnetloans.ru ("red" rating: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution.")
    http://safeweb.norton.com/report/show?name=worldwebworld.ru ("red" rating for viruses)



    Wednesday, January 6, 2010

    Malware and Malicious Site Reports: evamendesochka, showmelovetube, mp3dir, etc.

    On New Year's Day I found an old blog post from last June written by Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham (who referenced my "How to Preview Shortened URLs" article—thanks, Gary!).  I was curious to see whether one of the malware URLs mentioned in his blog post was still active more than 6 months later, and sure enough, it was.  Here's what I found out:

    showmealltube .com/paqi-video/7.html
    used obscured JavaScript code [see the Wepawet analysis] to redirect to
    evamendesochka .com/go.php?sid=9
    which redirected to
    jumbotubes .com/xplaymovie.php?id=40012

    (It doesn't redirect to jumbotubes anymore, but I'll get back to that.)  The jumbotubes page pretended to contain an embedded video which in reality linked to a malicious payload:

    megaloadfile .com/flash-HQ-plugin.40012.exe

    I submitted the file to VirusTotal and found that only 4 out of 39 engines detected it.  I sent the sample to multiple AV vendors, and detection improved gradually over the next several days:
    File name: flash-HQ-plugin.40012.exe
    File size: 111104 bytes
    MD5...: 84e8fcd09215fe4555b5532f22f1f96e
    SHA1..: 5084a5ecdfd16220809c59ef5a6ca8e692237841
    SHA256: 89d2f41d182fad11d71e4312b589c8b8a4ebdaf3384ae01ca9827091e4f55097

    4/39 detection rate as of 2010.01.01 20:50:54 (UTC)

    16/40 detection rate as of 2010.01.03 10:10:30 (UTC)

    21/40 detection rate as of 2010.01.04 07:48:32 (UTC)

    33/41 detection rate as of 2010.01.06 08:03:47 (UTC)

    Variously identified as: Artemis!84E8FCD09215, Downloader-BWS, Downloader.Generic9.AEFL, Mal/Krap-H, Medium Risk Malware, Trj/CI.A, Trojan-Downloader.Win32.FraudLoad, Trojan-Downloader.Win32.FraudLoad!IK, Trojan-Downloader.Win32.FraudLoad.ghh, Trojan-Downloader/W32.FraudLoad.111104.F, Trojan.DL.FraudLoad.VFX, Trojan.Dldr.FraudLoad.ghh, Trojan.DownLoad1.5059, Trojan.FakeAV, Trojan.FakeAV!gen11, Trojan.Generic.2928325, Trojan.Win32.FakeAV!IK, Trojan.Win32.Generic!BT, Trojan/Downloader.FraudLoad.ghh, Trojan/Win32.FraudLoad.gen, TrojanDownloader:Win32/Renos.JM, TrojWare.Win32.Trojan.Agent.Gen, W32/FakeAlert.EK.gen!Eldorado, W32/FraudLoad.GHH!tr.dldr, Win-Trojan/Downloader.111104.M, Win32:FakeAV-AES, Win32:Trojan-gen, Win32.Packed.Krap.ag.5, Win32.TrojanDownload, Win32/TrojanDownloader.FakeAlert.ADA, Win32/Warduncrypt!packed, etc.
    See the Web of Trust reports for the domains mentioned above:

    http://www.mywot.com/en/scorecard/showmealltube.com
    http://www.mywot.com/en/scorecard/evamendesochka.com
    http://www.mywot.com/en/scorecard/jumbotubes.com
    http://www.mywot.com/en/scorecard/megaloadfile.com

    This malware phones home to multiple domains according to the Panda Autovin, ThreatExpert, and Anubis behavioral analyses.  See the WOT reports for these phone-home domains, sorted roughly in order of least to most well known at the time of this post:

    http://www.mywot.com/en/scorecard/amhes.com
    http://www.mywot.com/en/scorecard/yourgot.com
    http://www.mywot.com/en/scorecard/art-port.net
    http://www.mywot.com/en/scorecard/artswoodfloors.com
    http://www.mywot.com/en/scorecard/chatpartyline.com
    http://www.mywot.com/en/scorecard/crystal-arts.net
    http://www.mywot.com/en/scorecard/houseartsarea.com
    http://www.mywot.com/en/scorecard/interhomesite.com
    http://www.mywot.com/en/scorecard/jet-arts-center.com
    http://www.mywot.com/en/scorecard/mediaartsgallery.net
    http://www.mywot.com/en/scorecard/superartswood.com

    There are dozens of other malware distribution sites similar to jumbotubes; a Google search reveals many such domains (note that SafeSearch is disabled in this query, and the results will likely lead to malware):

    google.com/search?hl=en&safe=off&q=inurl%3A%22xplaymovie.php%22

    In researching some of the phone-home domains on ThreatExpert using searches like this one, I found a number of related domains as well (again listed roughly in order of least to most widely known):

    http://www.mywot.com/en/scorecard/camcamera.com
    http://www.mywot.com/en/scorecard/heswar.com
    http://www.mywot.com/en/scorecard/safarel.com
    http://www.mywot.com/en/scorecard/soilness.com
    http://www.mywot.com/en/scorecard/fgage.com
    http://www.mywot.com/en/scorecard/gymandcardio.cn
    http://www.mywot.com/en/scorecard/thezasite.com
    http://www.mywot.com/en/scorecard/new-search-zone.com
    http://www.mywot.com/en/scorecard/myf2you.com

    While preparing to write this blog post, I retraced my steps and found that the evamendesochka site now redirects to a different site:

    showmelovetube .cn/tube.htm (WARNING: site contains explicit images in addition to malware)

    Once again, the site attempts to trick the user into clicking on what appears to be a video, which is actually just a link to a malicious file:

    mp3dir .cn/1/install_plugin.exe

    See the Web of Trust reports for these additional domains, neither of which seems to be well-known yet:

    http://www.mywot.com/en/scorecard/showmelovetube.cn
    http://www.mywot.com/en/scorecard/mp3dir.cn

    The initial detection rate for this second piece of malware is only 3 out of 41 anti-virus engines, with detection coming soon from Fortinet and McAfee:
    File name: install_plugin.exe
    File size: 38400 bytes
    MD5...: d9644ba632c0d774dcff57323eeb968d
    SHA1..: bce22a0c67da01441478cd327affbf632a9908c4
    SHA256: 46a9620c06c4d143a77c36f658d9f2e272960dd4db47ab2fb8f6208822e2d566

    3/41 detection rate as of 2010.01.06 06:41:05 (UTC)

    Variously identified as: Generic.TRA!d9644ba632c0, Medium Risk Malware Dropper, Trojan-Dropper.Win32.Agent.bkie, W32/Agent.BKI!tr, W32/Malware
    This malware disables Data Execution Prevention (DEP) for Internet Explorer and injects a new DLL into the system, among other things, as shown in these Anubis, ThreatExpert, and Panda Autovin reports.

    Stay safe out there!

