Saturday, December 31, 2011

Another Chinese Internet Fraud (yhoo-it.com)

While I was watching the movie 'The Pacific', I suddenly got a Yahoo Messenger popup message from an old friend (who has been Rest-In-Peace since August 2009). This was interesting and quite a surprise, seeing a very close friend suddenly 'wake up' from his long rest. I had been monitoring this scammer for a few months after being surprised by his online status. Check out the chat, captured with the web browser version of YM:


From the given shortened URL, the user is redirected to the following URL:

http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000

The URL seems to have expired already, but it will soon appear again. The actual website shows some kind of money offer that requires the user to enter their user name and email.


Let's take a closer look at the URL. It seems to be trying to fool the user into thinking it comes from Yahoo. Based on the whois information, the domain was registered from China. Obviously.
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com

Domain name: yhoo-it.com

Registrant Contact:
zhang yu
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Administrative Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Technical Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Billing Contact:
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

DNS:
ns7.cnmsn.net
ns8.cnmsn.net

Created: 2011-12-04
Expires: 2012-12-04

The domain name seems to be newly registered, at exactly the time I started monitoring it. The domain is pointed to two DNS servers, ns7.cnmsn.net and ns8.cnmsn.net. The domain of the DNS servers was also registered from China.
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com

Domain name: cnmsn.net

Registrant Contact:
XiaMen Longtop Online Technology Co.,Ltd
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Administrative Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Technical Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Billing Contact:
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

DNS:
dns.bizcn.com
dns.cnmsn.net
ns5.cnmsn.net
ns6.cnmsn.net
ns1.4everdns.com
ns2.4everdns.com

Created: 2003-08-08
Expires: 2015-02-27
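The two whois records above carry the two signals a triage note would lean on: the scam domain was registered only a few weeks before the popup was seen, and its label is one character away from a brand name. The following Python script is an added example, not part of the original post, that pulls the creation date and nameservers out of a bizcn-style whois dump and scores the domain on registration age and brand similarity. The whois excerpt inside it is trimmed from the yhoo-it.com record above; the 30-day threshold, the BRANDS list and the SIGHTED_ON date (the post date) are assumptions made for the example.

```python
import re
from datetime import date

# Constructed whois excerpt, trimmed from the yhoo-it.com record in the post.
SAMPLE_WHOIS = """\
Registration Service Provided By: Bizcn.com
Whois Server: whois.bizcn.com

Domain name: yhoo-it.com

DNS:
ns7.cnmsn.net
ns8.cnmsn.net

Created: 2011-12-04
Expires: 2012-12-04
"""

# Date the popup was seen (the post date); an assumption used for the age check.
SIGHTED_ON = date(2011, 12, 31)
# Brands to compare the domain label against; assumed list for this example.
BRANDS = ("yahoo", "paypal", "google", "facebook")


def parse_whois(text):
    """Extract domain, created/expires dates and nameservers from a
    bizcn-style whois dump. Missing fields stay None / [] rather than raising."""
    info = {"domain": None, "created": None, "expires": None, "nameservers": []}
    m = re.search(r"^Domain name:\s*(\S+)", text, re.M | re.I)
    if m:
        info["domain"] = m.group(1).lower()
    for field in ("created", "expires"):
        m = re.search(r"^%s:\s*(\d{4}-\d{2}-\d{2})" % field, text, re.M | re.I)
        if m:
            info[field] = date.fromisoformat(m.group(1))
    # The DNS: block is one nameserver per line, terminated by a blank line.
    m = re.search(r"^DNS:[ \t]*\n((?:\S+\n?)+)", text, re.M)
    if m:
        info["nameservers"] = [ns.lower() for ns in m.group(1).split()]
    return info


def domain_age_days(info, as_of):
    """Days between registration and the sighting, or None if unknown."""
    if info["created"] is None:
        return None
    return (as_of - info["created"]).days


def levenshtein(a, b):
    """Edit distance; the labels are short, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, brands=BRANDS):
    """Return the brand that one hyphen-separated token of the domain label
    is a single edit away from (yhoo ~ yahoo), or None."""
    label = domain.split(".")[0]
    for token in label.split("-"):
        for brand in brands:
            if token != brand and levenshtein(token, brand) == 1:
                return brand
    return None


def assess(whois_text, as_of=SIGHTED_ON, max_age_days=30):
    """Return the list of findings a triage note would carry for this domain."""
    info = parse_whois(whois_text)
    findings = []
    age = domain_age_days(info, as_of)
    if age is not None and 0 <= age <= max_age_days:
        findings.append("registered %d day(s) before sighting" % age)
    brand = lookalike_of(info["domain"]) if info["domain"] else None
    if brand:
        findings.append("label '%s' resembles '%s'" % (info["domain"], brand))
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_WHOIS):
        print("-", line)
```

Neither signal is proof on its own (plenty of legitimate domains are young, and single-edit matches produce false positives on short tokens), which is why the script reports findings rather than a verdict; the same parser can be pointed at the nameserver domain to check whether its registration looks any better.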

Well, let's dig some more.
Nmap scan report for yhoo-it.com (109.230.222.53)
Host is up (0.29s latency).
rDNS record for 109.230.222.53: hosted.by.xsserver.eu
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http nginx 1.0.4
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 6e:96:96:b1:aa:4b:e2:1a:e5:9f:35:9c:6a:79:af:df (DSA)
|_2048 48:bb:c1:d4:bf:08:4d:c6:41:30:ea:57:3e:eb:fe:19 (RSA)
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
4444/tcp filtered krb524
5432/tcp open postgresql PostgreSQL DB 8.4.1 - 8.4.4
6129/tcp filtered unknown
6580/tcp open parsec-master?
Device type: general purpose|WAP|router
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys Linux 2.4.X (92%), Netgear embedded (92%), D-Link embedded (92%), Linksys embedded (92%), Peplink embedded (92%), Asus Linux 2.6.X (91%)
Aggressive OS guesses: Linux 2.6.23 - 2.6.33 (95%), Linux 2.6.35 (94%), Linux 2.6.31 (94%), Linux 2.6.32 (94%), Linux 2.6.22 (94%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.18 - 2.6.27 (92%), Linux 2.6.31 - 2.6.34 (92%), Linux 2.6.34 (92%), Netgear DG834G WAP (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops
Service Info: OS: Linux

TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 12.00 ms 60.53.173.202
2 16.00 ms 60.53.173.213
3 16.00 ms 60.53.173.213
4 228.00 ms 10.55.192.38
5 229.00 ms 10gigabitethernet1-3.core1.lax1.he.net (206.223.123.37)
6 290.00 ms 10gigabitethernet4-3.core1.nyc4.he.net (72.52.92.225)
7 333.00 ms 10gigabitethernet1-2.core1.lon1.he.net (72.52.92.242)
8 399.00 ms 10gigabitethernet4-2.core1.fra1.he.net (184.105.213.146)
9 290.00 ms hosted.by.xsserver.eu (109.230.222.53)

Since I don't trust any source from China, not even their web hosting provider, I ran an Nmap scan to see what it's got. The web server seems to be running on a Unix machine with several service ports open. Note that port 443 is serving SSH rather than HTTPS, and PostgreSQL is reachable on 5432.

The Yahoo Messenger online status is coming from the expired phone number, which has probably been taken over by a Chinese scammer living in Malaysia. Malaysia is a multicultural country, and it's not impossible for a Chinese from China to disguise himself as a Malaysian Chinese. Another possibility is that the YM account was stolen from his machine via a malware infection.

More updates coming up soon.

Tuesday, December 6, 2011

MS Word Document (CVE-2010-3333) Exploit

A week ago, as I was checking for new email, I received a message with an MS Word document attached, in my inbox (not the spam box). This made me curious to know what the heck it was. Let's take a closer look. I renamed the MS Word document to 'gigi.doc'. The .doc file is 160,192 bytes long.

The .doc file actually contains Rich Text Format (RTF) encoded content, and we can see a long slide of 0x41 bytes until we reach the actual shellcode at the end of the slide. Below is the location of the exploit code in hex format:


Converting the hex to binary reveals some interesting strings. I'm not sure why it tries to execute a ping command to localhost. Well, after executing the malicious .doc file, it creates a file named csrss.exe (921C724CCB04B9F672B294FFFF83CE7B), executes it, then renames it to 'winword.exe'. It then launches cmd.exe to ping 127.0.0.1 with 1 byte. After that, the malware opens a clean Word .doc file.

The running csrss.exe creates Update.bat in the user's Start Menu Startup folder with the following content:

Echo off
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe" /f
del %%0

The batch file adds a startup entry to the user's registry hive pointing to csrss.exe in the user's temporary folder, then attempts to delete itself. Next, let's take a look at the packet capture:


The captured packets show that the malicious file attempts to send POST requests to the following URLs:
http://ymhz1.dyndns.biz:8080/
http://2011fm.dyndns.org:8080/
IP Address: 114.248.90.120

The IP address is located in China and was still active at the time of writing. csrss.exe keeps running in memory, sleeps for 60 seconds, then checks back with the given URL.
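Two of the artifacts described in this post can be checked mechanically: the long run of 0x41 bytes inside the RTF body, and the REG ADD line in Update.bat that writes the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows. The Python below is an added example (not the author's tooling and not the gigi.doc sample) that finds the longest run of a single repeated byte in a document and flags REG ADD commands aimed at known logon autorun locations. The RTF bytes are constructed; the batch text is the Update.bat content quoted above; the 256-byte minimum run length and the AUTORUN_LOCATIONS table are assumptions.

```python
import re

# Constructed stand-in for the document body: RTF header text, a run of 0x41
# bytes like the slide in the post, then a marker where the shellcode would be.
# This is not the gigi.doc sample.
SAMPLE_RTF = b"{\\rtf1\\ansi " + b"x" * 64 + b"A" * 2048 + b"<shellcode>}"

# Update.bat content as quoted in the post.
SAMPLE_BAT = r'''Echo off
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe" /f
del %%0
'''

# Registry paths (hive stripped, lower-cased) where a value runs code at logon,
# and the value names that matter there ("*" = any name). Assumed short list.
AUTORUN_LOCATIONS = {
    r"software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"software\microsoft\windows\currentversion\run": {"*"},
}

# REG ADD "<key>" /v <name> ... /d <data>; the key is quoted because it may
# contain spaces ("Windows NT"), the data may or may not be.
REG_ADD = re.compile(
    r'^\s*REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+(?P<value>\S+)'
    r'.*?/d\s+(?:"(?P<data>[^"]+)"|(?P<data2>\S+))',
    re.I | re.M,
)


def longest_byte_run(data, min_len=256):
    """Return (offset, length, byte) of the longest run of a single repeated
    byte that is at least min_len long, or None. A document carrying a run of
    thousands of identical bytes is a cheap first signal worth a closer look."""
    best = None
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_len and (best is None or j - i > best[1]):
            best = (i, j - i, data[i])
        i = j
    return best


def persistence_entries(batch_text):
    """Find REG ADD lines in a batch file that write a known logon autorun
    location; returns a list of {key, value, data} dicts."""
    hits = []
    for m in REG_ADD.finditer(batch_text):
        key = m.group("key")
        # Drop the hive so HKCU and HKLM variants compare against the same path.
        path = key.split("\\", 1)[1].lower() if "\\" in key else key.lower()
        names = AUTORUN_LOCATIONS.get(path)
        if names and ("*" in names or m.group("value").lower() in names):
            hits.append({
                "key": key,
                "value": m.group("value"),
                "data": m.group("data") or m.group("data2"),
            })
    return hits


if __name__ == "__main__":
    run = longest_byte_run(SAMPLE_RTF)
    if run:
        print("slide: offset=%d length=%d byte=0x%02x" % run)
    for hit in persistence_entries(SAMPLE_BAT):
        print("autorun: %s\\%s -> %s" % (hit["key"], hit["value"], hit["data"]))
```

The byte-run scan is deliberately dumb: it knows nothing about RTF and will also fire on padding in benign files, so its job is to give the analyst an offset to start from, as the hex dump in the post does. The batch check is the same idea for the persistence side: a REG ADD into the Load value from a file in a Startup folder is exactly the pattern this sample leaves behind, and the same table can be reused against registry exports.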

Note: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333

Friday, December 2, 2011

W32/Ramnit.C Quick Analysis

I just received a laptop from a friend of mine that is heavily infected with multiple viruses. I don't know how he could comfortably use it for a few months until he noticed so many annoying activities coming from the viruses. One interesting sample for a quick analysis is W32/Ramnit. Based on a few security blogs I found, this malware was already discovered around April 2010. Let's check it out.

On first detection I noticed that a lot of the infections are in HTML files (Avira was detecting so many infected HTML files).

The HTML files contain a small VBScript carrying an embedded EXE file in hex format, which is dropped into the Windows temporary folder once the user opens the infected HTML in their browser (only IE6 supports VBScript). The end of each infected HTML file seems to carry random garbage characters, in an attempt to avoid a static file size.

Once the EXE file has been dropped, it is executed automatically. The EXE is about 108,032 bytes in size (9B49FEC7E03C33277F188A2819B8D726). I'll quickly go through the characteristics of the EXE file. The EXE is compressed with UPX 3.03. Upon execution the following routine starts:

  • Search for files with EXE, DLL and HTML extensions.

  • Infect all EXE and DLL files by creating an additional .text section in the PE file.

  • Infect HTML files by overwriting them with VBScript and the hexadecimal form of the EXE file.
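The HTML side of this routine leaves a very recognisable artifact: a VBScript block whose string literal is the dropper as hex. The Python below is an added example, not the author's tool or Ramnit's own code, that locates such a block, decodes the hex and confirms it starts with an MZ header before reporting the file as infected, returning the size and MD5 of the carved payload so it can be compared with hashes like the one above. The infected page it scans is constructed (the "EXE" is a bare MZ header stub, and the VBScript variable names DropPath and WriteData are invented); the 32-hex-digit minimum for a candidate blob is an assumption.

```python
import hashlib
import re

# Constructed stand-in for an infected HTML page in the shape the post
# describes: the original page, a VBScript block carrying an EXE as a hex
# string, then junk characters. The "EXE" is a bare MZ header stub, not malware.
FAKE_EXE = bytes.fromhex("4D5A90000300000004000000FFFF0000") + b"\x00" * 48
SAMPLE_HTML = (
    "<html><body>Hello</body></html>\n"
    "<SCRIPT Language=VBScript>\n"
    'DropPath = "%TEMP%\\dropped.exe"\n'
    'WriteData = "' + FAKE_EXE.hex().upper() + '"\n'
    "</SCRIPT>\n"
    "<!-- " + "Q9x!z@" * 20 + " -->\n"
)

# A <script> tag declaring VBScript, however the attribute is cased or quoted.
VBS_BLOCK = re.compile(
    r'<script[^>]*language\s*=\s*"?vbscript"?[^>]*>(.*?)</script>', re.I | re.S)
# Any quoted string of at least 32 hex digits inside that block is a candidate.
HEX_BLOB = re.compile(r'"([0-9A-Fa-f]{32,})"')


def carve_embedded_pe(html):
    """Return the decoded bytes of a hex-encoded PE carried inside a VBScript
    block, or None. The MZ check keeps an unrelated long hex string (a hash,
    a colour table) from being reported as a dropper."""
    for block in VBS_BLOCK.finditer(html):
        for blob in HEX_BLOB.finditer(block.group(1)):
            hexstr = blob.group(1)
            if len(hexstr) % 2:
                continue
            data = bytes.fromhex(hexstr)
            if data.startswith(b"MZ"):
                return data
    return None


def triage_html(html):
    """Summary a scanner would log for one file: whether a dropper is present,
    plus the size and MD5 of the carved payload for matching against known hashes."""
    payload = carve_embedded_pe(html)
    if payload is None:
        return {"infected": False}
    return {
        "infected": True,
        "payload_size": len(payload),
        "payload_md5": hashlib.md5(payload).hexdigest(),
    }


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

Carving the payload rather than just matching the tag matters here: every infected page on the laptop carries the same EXE, so one hash lets you confirm that a thousand HTML detections are one family rather than a thousand separate problems, and the carved file is what goes to the sandbox.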

The infected PE file gets an additional PE section called .text, as shown in the image below:


A large additional .text section (about 540 KB) is created, containing the malicious code. The entry point (EP) is modified to execute the malicious code first and then jump back to the original EP to run the original code.

Manual cleaning of this type of malware is probably impossible for an end user. The mass infection of files on the user's PC makes it difficult to remove. The best fix is either to use the NOD32 On-Demand Scanner (Portable) or to format the hard drive and install a fresh Windows.

Friday, November 4, 2011

Revoking Trust in DigiCert by Certificate Authority

Just reading the news today about the revocation of a commonly used cert, especially in Malaysia. The news is taken from the Mozilla Blog.
Issue

Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an EKU extension specifying their intended usage and they have been issued without revocation information.

This is not a Firefox-specific issue. Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority.

DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program.

Impact

An attacker could use one of these weak certificates to impersonate the legitimate owners. This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software. The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk.

Status

Mozilla is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24. Entrust has issued their own statement on the subject.

Credit

The issue was reported to us by Entrust, Inc.

Source: http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/


Tuesday, April 26, 2011

New Version of Stuxnet 'Stars' Reported

Just read a few news items today saying that a new version of Stuxnet has appeared in Iran. At this moment I can't find any sample related to the new Stuxnet v2, codenamed 'Stars'. The news remains unclear and could be another rumor, or just another version of some other malware. More updates will be available soon.


UPDATES (1 MAY 2011):
After investigating most resources, I was unable to find the sample or any strong news about the related story. At this moment, I consider it a hoax.

News related:
http://www.f-secure.com/weblog/
http://blogs.csoonline.com/1483/after_stuxnet_a_star_is_born
http://www.google.com.my/search?um=1&hl=en&prmdo=1&biw=1138&bih=519&q=%27stars%27%20stuxnet&ie=UTF-8&sa=N&tab=iw

Thursday, April 14, 2011

The 5th annual Counter-eCrime Operations Summit (CeCOS V)

The fifth annual Counter-eCrime Operations Summit (CeCOS V) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.


CeCOS V


The program will be spread across a three-day conference event on April 27, 28 and 29 in Kuala Lumpur, Malaysia at the Crown Plaza Hotel. The APWG believes under-appreciated operational issues are important enough to be the focus of a conference dedicated exclusively to them. They're often talked about as sidelights but rarely addressed directly as an organizational imperative for the entire counter-ecrime community. CeCOS V makes those operational issues the central focus of the program for the benefit of all ecrime fighters.


References:


http://www.antiphishing.org/events/2011_opSummit.html



Tuesday, April 5, 2011

Zeus source code leaked

Just read the news today that the Zeus source code has been made public and can be downloaded by anyone. Luckily the RAR file is password protected, which keeps malicious people from using it, as the code is written in Visual C++ (probably VC++ 2005 - 2010) and PHP and is easy to compile. The source code was made public a couple of weeks ago and was probably sold by the malware author.



At the time of writing, there is no sign that anyone has cracked the password yet. This could be dangerous once the password is cracked, especially if it falls into the wrong hands.

UPDATE - 06/04/2011

The source code seems to have already been posted on r00tw0rm.com, which is currently down due to a missing file.


The CMS they are using is probably vBulletin, which is what reports the missing file.

Tuesday, February 22, 2011

VERA: Reverse Engineering Malware in Visualize


VERA is a visualization tool for reverse engineers that produces a nice view of program behavior and makes it easy to understand. The latest version so far is v0.31 and can be downloaded from here. Setting up this tool is probably a bit complicated if you have no experience; just follow the instruction manual and you should be fine.


References:

http://www.offensivecomputing.net/?q=node/1687
http://www.pentestit.com/2010/12/23/update-vera-v03/
http://ether.gtisc.gatech.edu/source.html

Thursday, January 6, 2011

Decrypt Strings: Geinimi Android Trojan

I analyzed an Android trojan a couple of days ago and was able to decrypt the strings inside the binary sample. Here is the source code, written in VB.Net.

Imports System
Imports CryptoSysAPI

Module Module1
    Sub Main()
        ' DES-ECB encrypted string from the sample, as hex (put the hex data here!)
        Dim Hexdata As String = "64656275675F696E7465726E656C0202"
        ' 8-byte DES key used by the sample, as hex
        Dim KeyHex As String = "0102030405060708"
        Console.WriteLine("Input: {0}", Hexdata)
        ' ECB mode takes no IV; the result is the padded plaintext, still in hex
        Dim plainHex As String = Des.Decrypt(Hexdata, KeyHex, Mode.ECB, "")
        ' Strip the padding; if nothing came off, the padding (and so the key or data) is wrong
        Dim unpaddedHex As String = Des.Unpad(plainHex)
        If unpaddedHex.Length = plainHex.Length Then
            Console.WriteLine("Invalid padding")
            Return
        End If
        Console.WriteLine("Decrypt(DES-ECB): {0}", Cnv.StringFromHex(unpaddedHex))
    End Sub
End Module


Example Output:
C:\>"C:\Projects\Krypton\Krypton\bin\Release\Krypton.exe"
Input: 64656275675F696E7465726E656C0202
Decrypt(DES-ECB): debug_internel


Note: You need the CryptoSysAPI library in order to compile this code.

References:
http://www.alienvault.com/blog/jaime/Malware/Inside_Geinimi_Android_Trojan._Chapter_One_Encrypted_data_and_communication.html