Showing posts with label News. Show all posts

Thursday, May 17, 2012

CyberSecurity Malaysia launch its own DNSChanger detection page

CyberSecurity Malaysia (CSM) has just released another free service, this one for checking whether the DNSChanger trojan is present. By simply visiting the following website you will be told whether your PC or notebook is infected with the DNSChanger malware.



http://dnschanger.detect.my/

If your PC is clean you will see 'Congratulation!' on a green background; otherwise the page turns red. They also provide free removal tools for Mac and Windows users. Note that detection pages of this kind work by looking at which DNS resolver your lookup came through, so what they actually detect is a rogue resolver setting rather than the malware itself: a router whose DNS settings were changed will be flagged for every machine behind it, and a machine whose settings have already been corrected will show clean even if the binware is still on disk.
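
If you would rather check without a browser, or audit many machines at once, the test is simply whether the configured DNS servers fall inside the rogue resolver ranges that the DNSChanger gang operated. The Python below is an added example, not CSM's detection code: it parses a resolv.conf or 'ipconfig /all' excerpt (both constructed here) and compares each server with the six ranges the FBI published at the time of the takedown. Those ranges are reproduced from public reporting, so confirm them against the advisory before using this in anger, and check the router's own DNS settings as well, since a host that points at its router will look clean here.

```python
import ipaddress
import re

# Rogue resolver ranges used by the DNSChanger (Rove Digital) infrastructure, as
# published by the FBI at the time of the takedown. Reproduced from public
# reporting; confirm against the original advisory before relying on them.
DNSCHANGER_ROGUE_RANGES = [
    ipaddress.ip_network(cidr) for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample inputs (not real captures) so the script runs offline.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf of an infected Linux/macOS host (constructed example)
nameserver 85.255.113.22
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration (constructed 'ipconfig /all' excerpt)
   DNS Servers . . . . . . . . . . . : 213.109.66.10
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def is_rogue_resolver(ip: str) -> bool:
    """True if the address falls inside one of the DNSChanger resolver ranges."""
    try:
        addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop an IPv6 zone id if present
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in DNSCHANGER_ROGUE_RANGES)


def parse_resolv_conf(text: str) -> list[str]:
    """Collect 'nameserver' entries from resolv.conf-style text (Linux/macOS)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # strip comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def parse_ipconfig(text: str) -> list[str]:
    """Collect DNS servers from 'ipconfig /all' output (Windows). The first server
    follows the 'DNS Servers' label; further servers sit alone on the next lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        value = line.strip()
        if "DNS Servers" in value:
            collecting = True
            value = value.split(":", 1)[1].strip()
        elif collecting and not re.fullmatch(r"[0-9A-Fa-f.:%]+", value):
            collecting = False                          # next labelled field ends the list
        if collecting and value:
            servers.append(value)
    return servers


def check_resolvers(servers: list[str]) -> dict[str, bool]:
    """Map each configured server to whether it is a known rogue resolver."""
    return {s: is_rogue_resolver(s) for s in servers}


if __name__ == "__main__":
    for source, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                            ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        for server, rogue in check_resolvers(servers).items():
            print(f"{source}: {server} -> {'INFECTED (DNSChanger range)' if rogue else 'ok'}")
```

To check a live machine, feed the real /etc/resolv.conf (or the output of ipconfig /all) into the matching parser instead of the constructed samples; a hit means the resolver setting has been redirected, and the removal tools mentioned above, plus a reset of the router's DNS, are the next step.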

Saturday, December 31, 2011

Another Chinese Internet Fraud (yhoo-it.com)

While I was watching 'The Pacific', I suddenly got a Yahoo Messenger popup message from an old friend (who passed away in August 2009). This was interesting and something of a surprise, seeing my very close friend suddenly 'wake up' from his long rest. I had been monitoring this scammer for a few months, ever since being surprised by his online status. Check out the chat from the web browser version of YM:


The shortened URL in the message redirects the user to the following URL:

http://yhoo-it.com/?id=4ccda25f27843014&s=1&user=matkamil2000

The URL appears to have expired already, but it will no doubt reappear soon. The actual site presents some kind of money offer that asks the user to enter their username and email.


Let's take a closer look at the URL. The domain name is chosen to fool the user into thinking it comes from Yahoo. Based on the whois information, the domain was registered from China. Obviously.
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com

Domain name: yhoo-it.com

Registrant Contact:
zhang yu
yu zhang [email protected]
0463965823 fax: 0463965823
changhailu12hao
nanning guangxi 230254
cn

Administrative, Technical and Billing Contact: same as Registrant

DNS:
ns7.cnmsn.net
ns8.cnmsn.net

Created: 2011-12-04
Expires: 2012-12-04

The domain was newly registered (created 2011-12-04), which is exactly when I started monitoring it. It is delegated to two name servers, ns7.cnmsn.net and ns8.cnmsn.net, and the cnmsn.net domain was also registered from China:
Registration Service Provided By: Bizcn.com
Website: http://www.bizcn.com
Whois Server: whois.bizcn.com

Domain name: cnmsn.net

Registrant Contact:
XiaMen Longtop Online Technology Co.,Ltd
huiping yi [email protected]
+865922577888 fax: +865922577111
61, WangHai Road, Longtop Group Building, Xiamen Software Park
xiamen fujian 361008
cn

Administrative, Technical and Billing Contact: same as Registrant

DNS:
dns.bizcn.com
dns.cnmsn.net
ns5.cnmsn.net
ns6.cnmsn.net
ns1.4everdns.com
ns2.4everdns.com

Created: 2003-08-08
Expires: 2015-02-27

Well, let's dig some more.
Nmap scan report for yhoo-it.com (109.230.222.53)
Host is up (0.29s latency).
rDNS record for 109.230.222.53: hosted.by.xsserver.eu
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http nginx 1.0.4
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 6e:96:96:b1:aa:4b:e2:1a:e5:9f:35:9c:6a:79:af:df (DSA)
|_2048 48:bb:c1:d4:bf:08:4d:c6:41:30:ea:57:3e:eb:fe:19 (RSA)
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1026/tcp filtered LSA-or-nterm
1027/tcp filtered IIS
4444/tcp filtered krb524
5432/tcp open postgresql PostgreSQL DB 8.4.1 - 8.4.4
6129/tcp filtered unknown
6580/tcp open parsec-master?
Device type: general purpose|WAP|router
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys Linux 2.4.X (92%), Netgear embedded (92%), D-Link embedded (92%), Linksys embedded (92%), Peplink embedded (92%), Asus Linux 2.6.X (91%)
Aggressive OS guesses: Linux 2.6.23 - 2.6.33 (95%), Linux 2.6.35 (94%), Linux 2.6.31 (94%), Linux 2.6.32 (94%), Linux 2.6.22 (94%), OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.18 - 2.6.27 (92%), Linux 2.6.31 - 2.6.34 (92%), Linux 2.6.34 (92%), Netgear DG834G WAP (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops
Service Info: OS: Linux

TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 12.00 ms 60.53.173.202
2 16.00 ms 60.53.173.213
3 16.00 ms 60.53.173.213
4 228.00 ms 10.55.192.38
5 229.00 ms 10gigabitethernet1-3.core1.lax1.he.net (206.223.123.37)
6 290.00 ms 10gigabitethernet4-3.core1.nyc4.he.net (72.52.92.225)
7 333.00 ms 10gigabitethernet1-2.core1.lon1.he.net (72.52.92.242)
8 399.00 ms 10gigabitethernet4-2.core1.fra1.he.net (184.105.213.146)
9 290.00 ms hosted.by.xsserver.eu (109.230.222.53)

Since I don't trust any source from China, even their web hosting provider, I ran an Nmap scan to see what the host has. It is a Linux box running nginx on port 80. Note that port 443 is serving OpenSSH rather than HTTPS, and that rpcbind (111) and PostgreSQL (5432) are exposed to the Internet as well. The reverse DNS (hosted.by.xsserver.eu) and a traceroute that ends at Hurricane Electric's Frankfurt core put the server itself with a European hoster, even though the domain was registered through a Chinese registrar.
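
The checks applied by hand above (how old is the domain, does it mimic a brand, what is really listening on the host) are worth scripting so the next scam link can be triaged in seconds. The Python below is an added example, not code from the original post. It parses trimmed copies of the whois record and the Nmap port lines pasted above (embedded so it runs offline), and flags a registration younger than 30 days, a minimum one-year term, a label within two edits of the brand name 'yahoo', and a service that does not belong on its port. The 30-day window, the expected-service table, the list of sensitive services and the brand list are my own assumptions.

```python
import re
from datetime import date

# Trimmed copies of the records shown above in this post (whois and Nmap output for yhoo-it.com).
WHOIS_YHOO_IT = """\
Registration Service Provided By: Bizcn.com
Domain name: yhoo-it.com
Registrant Contact:
zhang yu
changhailu12hao
nanning guangxi 230254
cn
DNS:
ns7.cnmsn.net
ns8.cnmsn.net
Created: 2011-12-04
Expires: 2012-12-04
"""

NMAP_YHOO_IT = """\
PORT STATE SERVICE VERSION
25/tcp filtered smtp
80/tcp open http nginx 1.0.4
111/tcp open rpcbind 2 (rpc #100000)
443/tcp open ssh OpenSSH 5.5p1 Debian 6 (protocol 2.0)
5432/tcp open postgresql PostgreSQL DB 8.4.1 - 8.4.4
6580/tcp open parsec-master?
"""

# Assumptions for the heuristics (tune to taste).
MAX_AGE_DAYS = 30
BRANDS = ("yahoo",)
EXPECTED_SERVICE = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}
SENSITIVE_SERVICES = {"postgresql", "mysql", "rpcbind", "microsoft-ds"}


def parse_whois(text: str) -> dict:
    """Pull domain, dates, registrant country and name servers out of a Bizcn-style record."""
    rec = {"nameservers": [], "country": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        header = re.fullmatch(r"([A-Za-z ]+):", line)       # e.g. 'Registrant Contact:' / 'DNS:'
        if header:
            section = header.group(1).lower()
        elif low.startswith("domain name:"):
            rec["domain"] = low.split(":", 1)[1].strip()
        elif low.startswith(("created:", "expires:")):
            key, val = low.split(":", 1)
            rec[key] = date.fromisoformat(val.strip())
        elif section == "dns":
            rec["nameservers"].append(low)
        elif section == "registrant contact" and re.fullmatch(r"[a-z]{2}", low):
            rec["country"] = low                             # bare two-letter country line
    return rec


def domain_age_days(rec: dict, as_of: str) -> int:
    """Days between registration and the date the link was seen (ISO string)."""
    return (date.fromisoformat(as_of) - rec["created"]).days


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def whois_red_flags(rec: dict, as_of: str) -> list[str]:
    flags = []
    age = domain_age_days(rec, as_of)
    if age <= MAX_AGE_DAYS:
        flags.append(f"domain registered only {age} days before sighting")
    if (rec["expires"] - rec["created"]).days <= 366:
        flags.append("registered for the minimum one-year term (typical of throwaway domains)")
    label = rec["domain"].split(".")[0]
    for token in filter(None, re.split(r"[-_\d]+", label)):   # 'yhoo-it' -> 'yhoo', 'it'
        for brand in BRANDS:
            if brand in token or levenshtein(token, brand) <= 2:
                flags.append(f"label '{label}' mimics brand '{brand}'")
    return flags


def nmap_red_flags(text: str) -> list[str]:
    """Flag services that do not belong on their port, and exposed internal services."""
    flags = []
    for line in text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        port, service, version = int(m.group(1)), m.group(2).rstrip("?"), m.group(3).strip()
        expected = EXPECTED_SERVICE.get(port)
        if expected and service != expected and not (expected == "https" and service in ("http", "ssl")):
            flags.append(f"port {port}: expected {expected} but found {service} ({version})")
        if service in SENSITIVE_SERVICES:
            flags.append(f"port {port}: {service} exposed to the Internet")
    return flags


if __name__ == "__main__":
    record = parse_whois(WHOIS_YHOO_IT)
    print(record)
    for flag in whois_red_flags(record, "2011-12-31") + nmap_red_flags(NMAP_YHOO_IT):
        print(" -", flag)
```

Run against the full records above it gives the same verdict as the manual analysis: a 27-day-old domain on a one-year term whose label is one edit away from 'yahoo', with SSH answering on 443 and rpcbind and PostgreSQL reachable from the Internet.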

The Yahoo Messenger online status comes from an expired phone number, which has probably been taken over by a Chinese scammer living in Malaysia. Malaysia is a multicultural country, and it is not impossible for a Chinese from China to pass himself off as a Malaysian Chinese. Another possibility is that the YM account was stolen from his machine via a malware infection.

More updates coming up soon.

Friday, November 4, 2011

Revoking Trust in the DigiCert Sdn. Bhd. Certificate Authority

Just read the news today about the revocation of a certificate authority whose certificates are commonly used in Malaysia. The following is taken from the Mozilla Security Blog.
Issue

Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with weak keys. While there is no indication they were issued fraudulently, the weak keys have allowed the certificates to be compromised. Furthermore, certificates from this CA contain several technical issues. They lack an EKU extension specifying their intended usage and they have been issued without revocation information.

This is not a Firefox-specific issue. Nevertheless, given our concerns about the technical practices of this certificate authority, we intend to revoke trust in the DigiCert Sdn. Bhd. intermediate certificate authority.

DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon (GTE CyberTrust). It bears no affiliation whatsoever with the US-based corporation DigiCert, Inc., which is a member of Mozilla’s root program.

Impact

An attacker could use one of these weak certificates to impersonate the legitimate owners. This could deceive users into trusting websites or signed software appearing to originate from these owners, but actually containing malicious content or software. The certificates in question were issued to a mix of Malaysian government websites and internal systems. We do not believe other sites are at risk.

Status

Mozilla is revoking trust in all certificates issued by DigiCert Sdn. Bhd. and the update will be in Firefox 8 and Firefox 3.6.24. Entrust has issued their own statement on the subject.

Credit

The issue was reported to us by Entrust, Inc.

Source: http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
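
The three defects Mozilla lists (weak keys, no EKU extension, no revocation information) can all be checked mechanically on any certificate you are handed, which is worth doing before you trust a certificate from a small sub-CA again. The Python below is an added example, not Mozilla's or Entrust's code. It assumes the cryptography package is installed, treats RSA keys under 2048 bits as weak (the 2011 certificates were reported as 512-bit), and generates its own self-signed test certificates, since no certificate from the affected CA appears on this page.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtendedKeyUsageOID,
                                   ExtensionOID, NameOID)

MIN_RSA_BITS = 2048   # assumption: today's floor; the 2011 DigiCert Sdn. Bhd. certs were reported as 512-bit


def audit_certificate(cert: x509.Certificate, min_bits: int = MIN_RSA_BITS) -> list[str]:
    """Return the defects Mozilla's notice describes: weak key, missing EKU, no revocation info."""
    findings = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        if pub.key_size < min_bits:
            findings.append(f"weak RSA key: {pub.key_size} bits (< {min_bits})")
    else:
        findings.append(f"non-RSA key ({type(pub).__name__}); check its strength separately")

    def extension(oid):
        try:
            return cert.extensions.get_extension_for_oid(oid).value
        except x509.ExtensionNotFound:
            return None

    if extension(ExtensionOID.EXTENDED_KEY_USAGE) is None:
        findings.append("no EKU extension: intended usage is unconstrained")

    aia = extension(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    has_ocsp = aia is not None and any(
        d.access_method == AuthorityInformationAccessOID.OCSP for d in aia)
    if extension(ExtensionOID.CRL_DISTRIBUTION_POINTS) is None and not has_ocsp:
        findings.append("no revocation information: neither CRL distribution point nor OCSP responder")
    return findings


def audit_pem(pem: bytes) -> list[str]:
    return audit_certificate(x509.load_pem_x509_certificate(pem))


def make_test_cert(bits: int, with_eku: bool, with_crl: bool) -> bytes:
    """Constructed self-signed certificate for the demo (no real CA certificate is on this page)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo.example.test")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(days=1))
               .not_valid_after(now + timedelta(days=30)))
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if with_crl:
        point = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.example.test/demo.crl")],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([point]), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    print("sloppy cert:", audit_pem(make_test_cert(1024, with_eku=False, with_crl=False)))
    print("sound cert: ", audit_pem(make_test_cert(2048, with_eku=True, with_crl=True)))
```

For a certificate you actually receive, pass its PEM bytes to audit_pem; any non-empty result is a reason to distrust the issuer's practices, not just that one certificate, which is exactly the conclusion Mozilla drew.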

Tuesday, April 26, 2011

New Version of Stuxnet 'Stars' Reported

Just read a few news items today saying that a new version of Stuxnet has appeared in Iran. At this moment I can't find any sample related to the new Stuxnet v2, codenamed 'Stars'. The news is still unclear and could be another rumour, or just another version of some other malware. More updates will be available soon.


UPDATES (1 MAY 2011):
After investigating most sources, I was unable to find the sample or any solid news on the story. At this moment I consider it a hoax.

News related:
http://www.f-secure.com/weblog/
http://blogs.csoonline.com/1483/after_stuxnet_a_star_is_born
http://www.google.com.my/search?um=1&hl=en&prmdo=1&biw=1138&bih=519&q=%27stars%27%20stuxnet&ie=UTF-8&sa=N&tab=iw

Thursday, April 14, 2011

The 5th annual Counter-eCrime Operations Summit (CeCOS V)

The fifth annual Counter-eCrime Operations Summit (CeCOS V) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year's meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.


The program will be spread across a three-day conference on April 27, 28 and 29 in Kuala Lumpur, Malaysia at the Crown Plaza Hotel. The APWG believes under-appreciated operational issues are important enough to be the focus of a conference dedicated exclusively to them. They are often talked about as sidelights but rarely addressed directly as an organizational imperative for the entire counter-ecrime community. CeCOS V makes those operational issues the central focus of the program for the benefit of all ecrime fighters.


References:


http://www.antiphishing.org/events/2011_opSummit.html


 

Tuesday, April 5, 2011

Zeus source code leaked

Just read the news today that the Zeus source code has been made public and can be downloaded by anyone. Luckily the RAR file is password protected, which keeps malicious people from using it, since the code is written in Visual C++ (probably VC++ 2005 - 2010) and PHP and would be easy to compile. The source code was made public a couple of weeks ago and was probably sold on by the malware author.



At the time of writing there is no sign that anyone has cracked the password. This could be dangerous once the password is cracked, especially if it falls into the wrong hands.

UPDATE - 06/04/2011

The source code seems to have been posted at r00tw0rm.com, which is currently down due to a missing file.


The CMS they are using is probably vBulletin, and it is vBulletin that is reporting the missing file.

Tuesday, February 22, 2011

VERA: Reverse Engineering Malware, Visualized


VERA is a visualization tool for reverse engineers that produces a clear view of program behavior and makes it easier to understand. The latest version so far is v0.31 and it can be downloaded from here. Setting up this tool can be a bit complicated if you have no experience with it; just follow the instruction manual and you should be fine.


References:

http://www.offensivecomputing.net/?q=node/1687
http://www.pentestit.com/2010/12/23/update-vera-v03/
http://ether.gtisc.gatech.edu/source.html

Friday, December 17, 2010

"My Team Pest Control" - Malaysia Real World Scam?

Well, just a few hours ago a friend of mine was scammed by a local company that introduced themselves as registered pest control for mosquitoes, termites and so on. As I can see from the receipt, the company has nothing to do with the Ministry of Health (MoH). If it did, they should not be forcing people to pay for their services, because the government already pays for that contract. So I told him to report it to the police.

After checking their company registration number at the Companies Commission of Malaysia, it seems the company is registered. But who knows what they are really doing.


There are a lot of such scams in the real world. Sometimes people can't tell what is real when they are scammed politely in the very first conversation. Based on a Google search, a lot of people have already been scammed by these scammers.


Here is some information about these 'legit'-looking scammers:
MY TEAM PEST CONTROL
L21A-204, Jalan Cheras PSN,
Pandan 4, Pandan Jaya,
55100 Kuala Lumpur
Tel: 019-364 4157, 03-92812914
Just beware if you find these scammers coming to your house, bringing their 'smoking machine' and starting to fog your house without permission. There is some news that already mentions this scam:


NOTE: I will update later for the receipt sample.

Sunday, September 26, 2010

Facebook still can't recognize URLs!

At the time of writing, it has been more than a year since I discovered that Facebook does not correctly recognize URLs when a user posts a message containing one on their wall. It still can't. As you can see in the image below, there are a few 'w' letters with a dot in the middle of the word. Once you press the 'Share' button you will see it automatically turned into a hyperlink.


I have tested this on a few web browsers, including the latest Internet Explorer, Firefox and Chrome. All behave the same, so it is definitely not coming from the browser; it is a Facebook programming mistake.

Wednesday, September 1, 2010

Independence Day Web Defacement!

Got many web defacements last night relating to Malaysia's Independence Day. Most attackers were from our neighbouring country. Some of the websites have been patched and restored. .my domains were targeted, mostly websites run by people without a computer security background.

http://ly.my/na

Wednesday, August 11, 2010

Embedded Script in Image Files Allows Arbitrary Code Execution

Just did some testing today showing that most image files can cause arbitrary code execution when a simple script is embedded into them. As shown below there is a normal PNG image file (adiksinchan.png) to which ujian.vbs, a Visual Basic Script file, is appended. Once ujian.vbs has been appended to the end of the image file, rename the result with an .HTA extension. After that, simply run the .HTA file and, as you can see (for the demo), the calculator runs without any problem. This works because mshta.exe, the HTML Application host, parses the whole file as HTML and skips over the binary image bytes until it reaches a tag it understands, while an image viewer stops reading at the PNG IEND chunk and never sees the appended script.


The interesting part is that the PNG image file (or whatever image format) is still valid and can be viewed as normal as long as it is not renamed to .HTA. In the worst case, the script can be obfuscated to make it harder for antivirus software to detect, or at least so that the user can't see there is a script in it.


Antivirus companies should update their heuristic detection for this kind of threat, but I guess this issue has been around for years, and it is not only image file formats that can do this. It could be any file format, just by renaming it to .HTA to execute the embedded script. Since it is the file extension, not the content, that decides mshta.exe will run it, the reliable control is to block or monitor mshta.exe and .HTA files themselves rather than to expect an image scanner to catch the payload.

It seems none of the antivirus engines detect it, as shown by the report I got from VirusTotal >> http://ly.my/lq
http://www.virustotal.com/file-scan/report.html?id=90f3d0d183a2a5c0891f443251b2e063213c7fc294418f1703228e3c25e9863d-1281433286
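
The trick above relies on two parsers disagreeing about where the file ends, so the check a scanner should make is equally simple: walk the PNG chunks to IEND and look at whatever follows. The Python below is an added example, not the author's ujian.vbs or adiksinchan.png (both are replaced by constructed stand-ins here). It builds a minimal valid PNG, appends an HTA body that only pops a message box where the original demo launched the calculator, and then runs the trailer check over both the clean image and the polyglot. The marker list is my own assumption about what an HTA payload usually contains.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Substrings a scanner can look for in bytes that trail the IEND chunk (assumed list).
SCRIPT_MARKERS = (b"<html", b"<hta:application", b"<script", b"wscript.shell", b"createobject(")

# Constructed stand-in for ujian.vbs wrapped as an HTA body. The original demo ran
# calc.exe; this one only shows a message box. mshta.exe ignores the PNG bytes before it.
SAMPLE_HTA_PAYLOAD = b"""
<html><head><hta:application id="demo"></head>
<body><script language="VBScript">MsgBox "script ran from inside an image"</script></body></html>
"""


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit greyscale PNG (constructed stand-in for adiksinchan.png)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)   # bit depth 8, colour type 0
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 + pixels
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def make_polyglot(png: bytes, script: bytes) -> bytes:
    """Append the script after IEND, exactly as the post describes (image + ujian.vbs)."""
    return png + script


def analyze_png(blob: bytes) -> dict:
    """Walk the chunks to IEND and report anything that follows it."""
    result = {"valid_png": False, "chunks": [], "trailing_len": 0, "markers": []}
    if not blob.startswith(PNG_SIG):
        return result
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return result                                   # truncated chunk
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return result                                   # corrupt chunk
        result["chunks"].append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            result["valid_png"] = True
            break
    trailer = blob[pos:].lower()                            # everything a viewer never reads
    result["trailing_len"] = len(trailer)
    result["markers"] = [m.decode() for m in SCRIPT_MARKERS if m in trailer]
    return result


if __name__ == "__main__":
    clean = make_png()
    poly = make_polyglot(clean, SAMPLE_HTA_PAYLOAD)
    print("clean image:", analyze_png(clean))
    print("image + HTA:", analyze_png(poly))
```

To check real files, pass open(path, "rb").read() to analyze_png. Trailing bytes by themselves are not proof of anything (some tools append harmless metadata), which is why the verdict should rest on the markers, and why the real control stays on mshta.exe rather than on the image.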

Wednesday, June 30, 2010

Twitter controlled by non-humans!

Twitter is one of the services people stay most loyal to once they have many followers. But what I can see here is that many 'users' are not controlled by a human. Everything is tweeted automatically and the real user does not even know what their account is tweeting. Twitter bots are commonly used to control such accounts, even to send malicious commands to a C&C botnet. Some of them send around 20-30 messages per minute. As the image below shows, there are 26 'users' with randomly generated names, obviously controlled by a bot, that keep following anyone, including me.


None of the user names listed above can be pronounced, and each one's follower and following counts are almost equal. No wonder that whenever a user tries to access their account Twitter says 'Twitter is over capacity. Too many tweets!'. It is not impossible that Twitter could soon become a medium for threats, since its API is so flexible.

Thursday, March 25, 2010

Youtube down?

At the time of writing, YouTube appears to be down. It is rare to find this giant video streaming site down. It was 3.25PM Malaysian time. I'm pretty sure the error was visible all over the world. At 3.42PM they restored the functionality.


p/s: Maybe YouTube hired an intern to look after the PHP service and they tried out their hello world page.. LoL..

Wednesday, November 11, 2009

iPhone Worm - Ikee


While surfing the Internet at Bayu Beach Resort, Port Dickson, I found something interesting: the iPhoneOS.Ikee worm. This kind of virus is rarely found, especially on the Apple iPhone. The worm does some basic things, such as spreading via SSH and changing the wallpaper as its payload.

During infection, this little worm changes the victim's wallpaper to an image of Rick Astley (the 80's singer). The worm was written by Ashley Towns, a 21-year-old unemployed programmer from Wollongong, Australia.


Upon execution, the worm scans IP addresses for jailbroken devices with SSH enabled and the default root password left unchanged. The IP ranges vary across a random pool. It copies itself to the startup folder and delivers its payload by changing the default wallpaper. The worm's source code has also been revealed; the picture below shows the function that changes the wallpaper and various commented-out code.




More detail report can be found here.

Thursday, October 15, 2009

New Portable Antivirus in its final stages!


This week I updated the Portable Antivirus code with some user-friendly features. This is the most advanced antivirus I have made myself. Here are a few changes I made this week for the Portable Antivirus project:

+ New name; now it is Data0.Net Portable Antivirus.
+ Better system tray icon & pop up message.
+ Support multi language including Bahasa Melayu.
+ Speed up database reading for fast scanning.

That code made me sleepless but it was worth it. I'm happy to finish it, but there are still a few more steps. I need to finish my beta sandbox tool called 'Malware Playground'. Sounds funny, but it could become an advanced sandbox soon.

Friday, October 2, 2009

Cyber-Communalism

For a few years now, Malaysia, Indonesia and other South East Asian countries have made mistakes that generate communalism, or in simple words 'big misunderstandings', about culture, politics, terrorism or religion. The cyber world feels the impact of this misunderstanding too: Indonesians may call Malaysia 'Malingsia' while Malaysians may call them 'Indonesial'.


On the Internet alone we can find many articles, libels, forums, blogs and more about this issue (Example 1). Wikipedia also describes communalism in detail. This will impact all Asian countries, especially Malaysia and Indonesia. As an example, below are many websites from Malaysia that have been defaced because of this issue:


Most of this issue is produced by local and foreign media, making the conflict more complicated; people think differently and form negative perceptions of each other just by reading or hearing rumours. As I write this, the latest hot issues are the Pendet dance and the island. In reality, none of these issues are true.

Wednesday, May 6, 2009

New Microsoft Windows 7 RC Launched!

Just a few minutes ago I read on Google News that Microsoft has launched the Windows 7 Release Candidate (RC). Well, I'm still not finished exploring Windows 7 Beta Build 7000, but this is the chance to get a free and unlimited number of licenses for a Microsoft product. Gotta get it now.


To download Microsoft Windows 7 RC click here!

Sunday, May 3, 2009

Are you with Windows 7?

After 4 months of using Microsoft Windows 7 Ultimate, I think there is much improvement compared with Windows Vista Ultimate. I found only a few minor bugs in the Start Menu and the visual effects. Well, as I read in a news item from ComputerWorld, Windows 7 could launch this August, but still with no specific date. Hope it is much better after the first release.

The Windows 7 taskbar is totally different from other Windows versions. When many windows are open, the taskbar shows only an icon with a stable thumbnail preview. Also, when the user opens many Windows Explorer windows, all of them are grouped into one icon on the taskbar until the user hovers the mouse cursor over it to choose which window they want.

Well, here are a few minor annoyances/bugs I found myself on Windows 7 Ultimate Beta Build 7000:

1. The Start menu scroll bar sometimes cannot be scrolled or dragged with the mouse.
2. In some cases, the wallpaper disappears and leaves only a plain colour.
3. When I lock Windows and then log back in, the screen resolution resets to the recommended setting (another rare situation).
4. Some old applications (mine was Macromedia Fireworks 8) still don't fully support the Aero/transparent window effect.

Saturday, April 18, 2009

Data0.Net Temporarily Down!

This week Data0.Net and several other websites are temporarily down due to the move to a new server, from Germany to Malaysia. It may take a week to transfer all the data. Hopefully, it will work better than before.

Wednesday, April 1, 2009

You, together with Conficker!

Mmm... I have been monitoring this worm since its first version, I think around the end of last year. This worm has some unique techniques for spreading itself along with its payload. I discovered it hiding in the 'RECYCLER' folder on somebody's USB flash drive. Some versions cannot simply be deleted; special permissions are needed to remove it completely. But once it is running on a networked PC, your network can get clogged, because the worm generates hundreds of pseudorandom domain names on its own each day (250 per day in the early variants, far more in later ones) and tries to contact them to fetch updates. This worm was not written by an amateur. This 'guy' has programming skill, and the worm was designed to create a huge network clog. Quite interesting to me.
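
The domain-generation behaviour described above is what makes the worm hard to cut off: each day it computes a fresh list of rendezvous domains, so blocking a handful of hostnames achieves nothing, and defenders instead reverse-engineered the algorithm to pre-register or sinkhole the names. The Python below is an added example and is not Conficker's code or algorithm (its real generator was far more involved). It pairs an illustrative date-seeded generator with the detection check a network team would actually run: counting distinct NXDOMAIN answers per client in the DNS logs, since a host working through hundreds of non-existent names stands out at once. The log format, the TLD pool, the threshold and every log line are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

TLDS = ("com", "net", "org", "info", "biz")     # assumption: a small TLD pool for the demo
DGA_NAME_RE = re.compile(r"[a-z]{8,11}\.(com|net|org|info|biz)")


def generate_dga_domains(day: str, count: int = 250, seed: bytes = b"demo-dga") -> list[str]:
    """Illustrative date-seeded DGA (NOT Conficker's real algorithm). Every host running
    the same code derives the same `count` names for a given ISO date, which is what lets
    a botmaster register any one of them and still be found."""
    domains = []
    for i in range(count):
        material = seed + day.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                              # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def looks_like_dga_name(name: str) -> bool:
    """True if a name has the shape this demo generator produces."""
    return DGA_NAME_RE.fullmatch(name) is not None


def flag_dga_clients(lines: list[str], threshold: int = 20) -> dict[str, int]:
    """Count distinct NXDOMAIN names per client and return those at or over the threshold.
    Assumed (constructed) log shape: '<time> client <ip> query <name> rcode <code>'."""
    nx = defaultdict(set)
    for line in lines:
        parts = line.split()
        if (len(parts) >= 7 and parts[1] == "client" and parts[3] == "query"
                and parts[5] == "rcode" and parts[6] == "NXDOMAIN"):
            nx[parts[2]].add(parts[4].lower())
    return {ip: len(names) for ip, names in nx.items() if len(names) >= threshold}


# Constructed DNS log: two normal clients plus one host grinding through DGA names.
SAMPLE_DNS_LOG = (
    ["08:00:01 client 10.0.0.5 query www.google.com rcode NOERROR",
     "08:00:02 client 10.0.0.5 query mail.yahoo.com rcode NOERROR",
     "08:00:03 client 10.0.0.9 query typo-domian.com rcode NXDOMAIN"]
    + [f"08:00:{4 + i:02d} client 10.0.0.23 query {name} rcode NXDOMAIN"
       for i, name in enumerate(generate_dga_domains("2009-04-01")[:40])]
    + ["08:01:00 client 10.0.0.23 query update.microsoft.com rcode NOERROR"]
)


if __name__ == "__main__":
    today = generate_dga_domains("2009-04-01")
    print("first five names for 2009-04-01:", today[:5])
    print("clients with a burst of NXDOMAINs:", flag_dga_clients(SAMPLE_DNS_LOG))
```

The single typo from 10.0.0.9 stays under the threshold while the infected 10.0.0.23 is flagged, which is the point: the count of distinct failed lookups per host, not any one domain name, is the signal worth alerting on.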

The complete and detailed analysis can be found at the link below: