Old PornTube, New Rogue AV

It’s one of those days when you have a bit of nostalgia for the stuff you used to do. Back a year or so ago, I used to hunt down fake AV and the like. It involved fake YouTube sites, porn and more porn.

Out of curiosity, I started some searches, the same that I used to do to find the bad stuff.

Like I said, this is quite old (Feb 2011). I clearly remember redspacetube.com, it used to do redirections to various sites using Dynamic DNS.

Guess what? It’s still working!

seonetwizard.com/in.cgi?16&parameter=%3ftube-videos
seonetwizard.com/in.cgi?4
seonetwizard.com/in.cgi?14
directredirection.com/LI8wbTB8ycreCciKd26F8mpTD70hFJDu.php?sid=3
ygafigyuhigi.mrface.com/land/?n=loli&id=1

The DNS service is provided by changeIP.com:

This page is quite familiar but looks ancient by now…

The file takes forever and a day to download…:

ygafigyuhigi.mrface.com/land/maindirectory/adobeflashplayerv10.2.152.32.exe

The very low detection rate on VirusTotal (2/41) makes me wonder whether this file is really old or just too new…

Next, I checked whether the file was half broken… but clearly it was working just fine:

It installs a fake AV called “Windows Trouble Taker” (should have been called Trouble Maker IMHO ;-) )

A quick search confirms this is not an old rogue AV, but rather the new kid on the block:

This is one tenacious fake porn tube… Can someone unplug redspacetube.com for good?

Jerome Segura

A real life example of a website cleanup after malware infection

Yesterday I cleaned up a site hosted on bluehost. I will show you how I proceeded from malware identification to removal.

First, I did a quick look up on StopBadware’s Clearing House:

It reported three different links containing malware. I opened them in a VM, looked at the source code and confirmed the problem:

It was time for a full website inspection and clean up.

I got access to the cPanel admin account; unfortunately, SSH was not enabled (it isn’t by default, and you need to contact customer support), so I went with FTP instead.

The thing with FTP is that you need to browse each folder by hand and you can’t run a script.

The site being relatively small, I downloaded a local copy. This makes it easy to do all the work with whatever scripts and tools you have installed.

The code was found in almost all the ‘.php’ files (and there were a lot of them!):

A grep command was able to find all the files containing these pieces of code:

Before making any changes, I backed up each file with a ‘.bak’ extension. Each file was then disinfected using a sed command.
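The find-then-disinfect workflow described above (the post did it with grep and sed on the local copy), as an added example in Python rather than the author's own commands. The injection signature (`injected.example`) and the sample site are constructed for the example, since the actual injected code appeared only in a screenshot; substitute the exact string grep found in your own copy.

```python
import os
import re
import shutil
import tempfile

# Hypothetical injection signature, constructed for this example. The real
# injected code in the post was shown only as a screenshot and is not
# reproduced here; replace this with the exact string grep found.
INJECTED_RE = re.compile(
    r'<script[^>]*src=["\']http://injected\.example/[^"\']*["\'][^>]*>\s*</script>[ \t]*\r?\n?',
    re.IGNORECASE,
)


def find_infected(root, pattern=INJECTED_RE, ext=".php"):
    """The `grep -rl` step: every file under root with the given extension
    whose contents match the injection pattern, sorted for stable output."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                if pattern.search(fh.read()):
                    hits.append(path)
    return sorted(hits)


def disinfect(path, pattern=INJECTED_RE):
    """The backup-then-`sed` step: copy the file to <path>.bak (metadata
    preserved), strip every match, and return how many were removed."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    cleaned, removed = pattern.subn("", original)
    if removed:
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.write(cleaned)
    return removed


def disinfect_tree(root, pattern=INJECTED_RE):
    """Map each infected file to the number of injections removed from it."""
    return {path: disinfect(path, pattern) for path in find_infected(root, pattern)}


def build_sample_site():
    """Constructed sample site: two infected PHP files, one clean PHP file and
    a non-PHP decoy that the PHP-only sweep must leave alone."""
    root = tempfile.mkdtemp(prefix="site_")
    injection = '<script src="http://injected.example/x.js"></script>\n'
    files = {
        "index.php": "<?php echo 'hi'; ?>\n" + injection + "<html></html>\n",
        "inc/footer.php": "<?php ?>\n" + injection + injection,
        "inc/clean.php": "<?php echo 'clean'; ?>\n",
        "notes.txt": injection,
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, removed in disinfect_tree(site).items():
        print(f"{path}: removed {removed} injection(s), backup at {path}.bak")
```

Keeping the `.bak` copies lets you diff before and after, and a second `find_infected` pass over the tree should come back empty before the site is re-uploaded.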

Website infections are very common. Because it is easy to set up a website but difficult to maintain it (from a security point of view), most websites fall to automated scripts exploiting vulnerabilities.

This particular website was affected by an XSS vulnerability:

At SparkTrust we look at both ends of the spectrum: We protect your site by doing regular security checks to make sure script kiddies can’t hack the site with readily available tools. But for our new customers that are already infected, we also provide disinfection services.

To learn more about our services please visit SparkTrust.com.

Jerome Segura

Malicious LinkedIn emails force BlackHole exploit kit

LinkedIn has always been targeted by the bad guys. I remember that a few years ago fake profiles by the thousands were used to load malware onto unsuspecting users’ computers.

Well, spammers have been launching email campaigns with fake LinkedIn invites or notifications:

Clicking on the link means trouble:

Here is one particular domain that was live when I wrote this blog entry.

sixlefts.comicgenesis.com/JnFh1KEz/index.html

That page loads several external JavaScript files (note they are all identical, but using more than one ensures that if one of the sites is down the next one will be tried, limiting the risk of a single point of failure).

The JavaScript loads the actual exploit toolkit:
174.133.92.122/MgGsg1Pp/js.js


41.222.33.141:8080/showthread.php?t=73a07bcb51f4be71
41.222.33.141:8080/favicon.ico
41.222.33.141:8080/content/hcp_vbs.php?f=14095&d=0
41.222.33.141:8080/q.php?e=5&f=14095

This server’s IP is from South Africa; I was expecting more of a Ukrainian- or Russian-based hotspot…

Steer clear!

Jerome Segura

Huge text blurb allows malicious code to go undetected

I recently wrote a spider that crawls a site for malicious code. While testing it, I ran into a particular issue that I thought would be worth sharing.

The first thing this spider does is download the content of the site using a specially crafted wget command passing parameters such as user agent, number of tries, recursion level etc…

Then I came across a domain that had been hacked (as the picture below shows), but the page was so incredibly long that the spider got stuck downloading a huge file. The length of the file being unspecified, you cannot know in advance what you are up against…

This method could allow an attacker to fool security tools that try to parse a site’s source code in real-time, while still executing a malicious payload.

Jerome Segura

Web host serverpro.com hacked, couple hundred thousand customers left hanging

The guys over at Sucuri have reported that web hosting company ServerPro has been hacked and their site defaced.

Before:

After:

Here is the traffic log when connecting to their site:

serverpro.com/
apprendre-le-hack.webobo.biz/haut/a/p/p/imghaut_apprendre-le-hack.jpg
www.youtube.com/v/2vz8LqWEjx4&feature=related&autoplay=1&loop=1
serverpro.com/favicon.ico
www.topcities.com/404.shtml

As far as I can tell, there is no malicious code.

The pic with the “pirate computer” is hosted on a French website which can be translated to “learn to hack” (apprendre le hack). Given the hackers’ signature, I have a feeling they may be from North Africa (and possibly Tunisia).

The hackers also embedded a YouTube soundtrack:

This sort of hack says a lot about web security… Even large companies with the proper resources can still fall to script kiddies exploiting known vulnerabilities or insecure passwords.

It’s quite easy to find out what this web server is running by looking at the HTTP header response:

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 
X-Powered-By: PHP/5.2.9

Both Apache and PHP are out of date!

The latest Apache stable release is 2.2.22 (2.2 branch). The latest PHP version is 5.4.0 (or 5.3.10 for the old stable branch).

The version of Apache HTTP Server running on this host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild (CVE-2011-3192).

As if this was not enough, Apache 2.2.17 is also affected by these: CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053.

As far as PHP 5.2.9 goes, the list of CVEs is quite long and scary (59 in total).

Vulnerability scanning and patch management are not a panacea but have their place in making it more difficult for hackers to break into servers.
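Turning the header check above into something repeatable, as an added example that is not the post's own code nor SparkTrust's scanner: parse the two quoted header lines into product/version pairs and compare them with the latest releases the post cites. The `LATEST_AT_TIME_OF_POST` table holds the post's early-2012 figures, not a live feed, and must be refreshed before real use.

```python
import re

# Latest releases the post cites at the time it was written (early 2012).
# These are the post's numbers, not a live source: refresh them before use.
LATEST_AT_TIME_OF_POST = {"Apache": "2.2.22", "PHP": "5.3.10"}

# product/version tokens; parenthesised comments such as "(Unix)" never match
TOKEN_RE = re.compile(r"([A-Za-z_][\w.-]*)/([0-9][\w.-]*)")


def parse_product_tokens(header_value):
    """Split a Server or X-Powered-By value such as
    'Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5'
    into {product: version}."""
    return {m.group(1): m.group(2) for m in TOKEN_RE.finditer(header_value)}


def version_key(version):
    """Numeric prefix of a version string as a tuple, so that
    '0.9.8e-fips-rhel5' -> (0, 9, 8) and '2.2.17' < '2.2.22' compares correctly."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(part) for part in m.group(0).split(".")) if m else ()


def audit_headers(headers, latest=LATEST_AT_TIME_OF_POST):
    """Return (every product advertised, {product: (version seen, is_outdated)})
    for the products we have a reference version for. Header names are
    matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = {}
    for name in ("server", "x-powered-by"):
        if name in lowered:
            found.update(parse_product_tokens(lowered[name]))
    report = {
        product: (found[product], version_key(found[product]) < version_key(current))
        for product, current in latest.items()
        if product in found
    }
    return found, report


# The two header lines quoted in the post.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 "
              "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635",
    "X-Powered-By": "PHP/5.2.9",
}

if __name__ == "__main__":
    found, report = audit_headers(SAMPLE_HEADERS)
    for product, (seen, outdated) in report.items():
        print(f"{product} {seen}: {'OUT OF DATE' if outdated else 'current'}")
```

Two caveats for anyone running this against their own host: the banner can be trimmed (Apache's `ServerTokens Prod`) or faked, and a suffix like `-rhel5` signals a distribution build where fixes may have been backported without bumping the version. A version string is therefore a prompt to check, not proof of exposure; the vulnerability scan the post recommends is what confirms it.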

Do you own a website? Have you ever checked what software is running on it? Try SparkTrust’s web vulnerability scanner and fix potential issues before it’s too late!

Jerome Segura

Who needs a new malware repo when you already got some?

Even though I’ve passed on most of my duties over at malwareblacklist.com, I still like to check out new user requests.

Here is one from a “Threat Research Analyst” at a company called Dyomo:

So I decided to take a look at dyomo.net, which redirects to dyomo.com:

I never like to see the “Java plug-in needs your permission to run” message. Although I must say thank you to Google for it, as in most cases it means there is something not quite right with a website.

Well, I wasn’t mistaken on that one… obfuscated code is never a good sign:

This blurb translates into a malicious iframe:

tds38.findhere.org is hosted in Russia (91.196.216.149).

All I can say is for now this dude doesn’t need malwareblacklist.com, he can pick right from his own backyard.

Jerome Segura

How to get your website hacked? By falling for a cPanel phishing scam

cPanel is a web hosting control panel that lets you administer your website remotely.

Obviously, having access to a web server is quite valuable for cyber criminals. And that’s where phishing scams come into play:

One stone, two birds? You could say that: the crooks have hacked into a server and are using it to host a “cPanel login page”. They went as far as adding the favicon (in the browser’s address bar).

That’s pretty much giving them all the keys to the castle…

Jerome Segura

‘Want to be friends on Facebook’ spam links to malware

This clever spam campaign plays on the Facebook friend request notice to launch a nasty attack against your PC.

Clicking on the “Confirm Friend Request” button loads a heavily obfuscated page:

All it is is an iframe (a link to an external page) that will deliver the final payload.

The IP is located in Russia and it appears to be the Phoenix exploit toolkit.

As a rule of thumb, never open Facebook or Twitter links from within your mailbox. 99% of the time they will be legitimate, but it’s not worth taking that chance. Instead, log into Facebook, Twitter, LinkedIn etc… and do whatever you need to do.

Jerome Segura

Spammers hurry phishing attack but forget to pack in the goods

A Visa phishing scam is making the rounds but (un)fortunately, its intended payload is not working.

The point of this scam is to get the user to open the attached file (an HTML web page) that would normally contain malicious code to infect the user’s PC. But it seems as though our scammers got that one wrong:

There is nothing in there! It should be right below the <br> tag and include a large blurb of obfuscated javascript.

It’s kind of like a bomb with a detonator but no explosives.

I wouldn’t be surprised if in the next day or two they fix that issue.

Jerome Segura

YouTube ‘Your video has been approved’ scam

Beware of this YouTube phishing scam:

The link is not malicious but redirects you to a Canadian Pharmacy website:

cdu-edenkoben.de/authorize.html
pauseherbal.com/

Obviously, one should stay away from these ‘stores’. Oftentimes, the merchandise is counterfeit and dangerous to use.

I mean, these power packs could cause unpleasant and lasting effects ;-)

Jerome Segura