Tuesday, April 30, 2013

More Fake SourceForge Websites Show Up

Two weeks ago we reported on a fake SourceForge website, sourceforgechile.net, which was used to distribute malware. We have since seen more of these fake sites this past week:
  • sourceforgebulgaria.net, registered on 05/06/2013
  • sourceforgesweden.net, registered on 05/06/2013
  • sourceforgecyprus.net, registered on 05/02/2013
  • sourceforgeniger.net, registered on 05/01/2013
  • sourceforgeestonia.net, registered on 04/26/2013
  • sourceforgegrenada.net, registered on 04/26/2013
  • sourceforgepalau.net, registered on 04/22/2013
  • sourceforgeecuador.net, registered on 04/21/2013
  • sourceforgeindiana.net, registered on 04/20/2013
  • sourceforgemorocco.net,  registered on 04/19/2013
  • sourceforgemyanmar.net ,  registered on 04/19/2013
  • sourceforgeyemen.net, registered on 04/06/2013
Each domain has been registered with different WHOIS information, but with the same registrar. All of them are unreachable today (DNS does not resolve).

We were however able to obtain two malicious files found from the these websites before they went dark:
  • http://sourceforgeestonia.net/minecraft_xray_texture_pack.exe
  • http://sourceforgeecuador.net/airport_firefighter_simulator.exe
The files are very similar to the malicious files from sourceforgechile.net which we analyzed earlier. They drop and hide malicious binaries into the Recycle Bin and are detected as the ZeroAccess Trojan.

It looks like the attacker is still registering new fake SourceForge websites. I'll update this post with new domain that I uncover going forward.

Friday, April 26, 2013

scanning binaries for PE format anomalies


After processing tons of malicous binaries, I would like to share my findings about anomalies found in PE binaries. These anomaly information will be helpful for security researchers on suspicious sample validation and sample clustering.


1. Binary strings nearby EP

Of course, EP binary is very popular for AV companies to work out malware signatures. So I put it at first. 81ec8001000053555633db57895c2418c74424103091400033 is most frequent EP string used by malware, which stands for stack operations. The second one is 60e803000000e9eb045d4555c3e801000000eb5dbbedffffff





This finding is pretty much similar with another research work from http://www.hexacorn.com/blog/2012/07/04/random-stats-from-300k-malicious-samples-entry-points/
 That article listed top-10 EP strings as the followings:

  35498 55 8B EC 6A FF 68
  22712 55 8B EC 83 C4 F0
  14775 55 8B EC 53 8B 5D
   7711 4D 5A 90 00 03 00
   6959 55 8B EC 83 C4 C4
   5775 4D 5A 50 00 02 00
   3497 55 8B EC 83 C4 F4
   3190 60 E8 00 00 00 00
   3080 83 7C 24 08 01 75
   2152 55 8B EC 83 C4 B4
 
2. Section names

I concatenated each section name into a string. Here is the top ones.

 
UPX is still the favorite packer for malware wirters, followed by UPack.


The above figure shows the values of section number in DESC order.  Most malicious samples have 3 sections.

I also picked some funny section names in Chinese:
天使免杀
天外来客
黑教基地
荒山一鱼
BY 小广
放荡不羁挖出
木马彩衣
牧民战天
傻傻
狂少爷 

Here is the longest one:

国庆专版祖国大寿祖国繁荣人民安康祝福大家身体健康工作顺利合家欢乐心想事成万事如意笑脸敬上.

Google translate results:

National Day special edition birthday of the motherland motherland's prosperity and people's well being I wish you all good health and success in your work all wishes come true and good luck. And a big smile!

3. anomaly score

I defined about 10 anomaly features which were used to calculate the total anomaly score.
The following is the score distribution. 





Bitcoin: Regulations and Security

You have probably heard about Bitcoin, a relatively new virtual currency. It made headlines recently because it is starting to present a real alternative for traditional online payments, and has recently experienced wild swings in value.

One of the advantages of Bitcoin is the lack of regulation, which means it is largely free from the rules and regulations that govern banks and payment processing companies when dealing with "real" currencies. Payment transfers are also fast and free.

For me, Bitcoin actually highlights the benefits of strong regulation, which protects consumers.

Your Bitcoin Wallet is Actually Your Bank

Bitcoin users keep their currency in a Bitcoin "wallet". I think wallet is really a misnomer, it should be called a Bitcoin Bank since it holds all of the users currency, not simply want he wants to spend in the near future. A Bitcoin wallet is unsecured like a regular wallet - money can be stolen and the user as no recourse.

People don't hold all their savings at home because they know that doing so is not safe. Instead, they put their savings into a bank which offers protections, including being FDIC insured. However, many Bitcoin users keep all their Bitcoins on their own computer or mobile device. They are on their own to keep their system secure and have no insurance to cover loses, whether unintentional, or due to breaches in security.

There is nothing equivalent to a credit card in the Bitcoin world. While credit cards impose a fee on all transactions, they do provide significant protection to consumers. They allow people to carry and transfer money (like the cash in a wallet), while still benefiting from the strong protection of a bank. If a personal credit card is stolen and used, the owner will be reimbursed. The owner can also dispute charges and get reimbursed quite easily if a vendor does not deliver the product or service once paid.

Bitcoin users bear all the risks and we've already seen plenty. For example, there has been malicious software designed to steal from Bitcoin wallets. Recently, a malicious site faking a well known Bitcoin exchange contained an exploit that transferred money out of the Bitcoin wallet when users visited the site. There have also been many trojans and worms focused on stealing Bitcoins.

No Secure Bank

Bitcoin users can opt for storing their money in online Bitcoin Wallets. These could be construed as the equivalent of Online Banks...but without the insurance and security! Due to the absence of regulation, these online wallets don't have to adhere best security practices, have no audits and no certifications. It should not therefore come as a surprise that many Bitcoin online wallets have been hacked.

In one occurrence, the online Bitcoin wallet was hosted on a VPS (Virtual Private Server), which is a shared resource. This would have never been allowed for a bank. The attacker stole about $228,000 worth of Bitcoins at the time.

Just this month, InstaWallet was hacked. Users lost their Bitcoins and no insurance company will be reimbursing them. All is lost, forever.

While Bitcoin has some advantages, the risks of storing the money is just too high. Online wallets and exchanges can't be trusted as too many of them has shown to be run in a very unprofessional and insecure manner. Every time, the users pay the price.

If you can't keep your Bitcoin wallet encrypted and split onto 3 different secure USB keys in 3 different safes like the Winklevoss twins, Bitcoin is probably not for you.

Wednesday, April 17, 2013

Fake SourceForge site distributes malware

We spotted malware hosted on hxxp://sourceforgechile.net/ a couple of days ago. The website is not currently responding, but appears to been set up as a fake and malicious version of the popular open-source hosting site SourceForge.

sourceforgechile.net was registered on 04/05/213 in the US and is hosted in the Ukraine.

One of the malicious files downloaded was hxxp://sourceforgechile.net/minecraft_1.3.2.exe. Minecraft is a proprietary game with a significant following. Many open-source projects related to the game are hosted on SourceForge.

This file is a pretty nasty piece of malware:
  • It hides itself in the Recycle Bin
  • It disguises dropped files with names like Desktop.ini
  • It registers itself as a Windows service
  • It injects code in other threads and DLLs
  • It opens and listens to a port
  • It connects to about 20 IPs over port 16471
  • etc.
This malware is related to the ZeroAccess trojan. The malware makes money by clicking on ads (click fraud) and using the infected PC as part of a wider botnet (zombie PC).

You can get the VirusTotal report here. The detection rate among AV vendors has gone up in the past week, it is now flagged by most vendors.

As usual, be very careful about the files you download and run. In this case, ensure that you're downloading content from the official SourceForge site, not a clone.

Tuesday, April 9, 2013

Pinhout: Pinterest clone or phishing site?

Recently I stumbled upon pinhout.com. Look familiar?
Pinhout.com looks awfully familiar to...
It looks like a Turkish copy of Pinterest, a growing social network to share web content.
.. Pinterest (home page).

Official site?

I was wondering if this site is a Phishing site, a clone, or an official site from Pinterest. Whois records show that the domain has been registered by a Turkish Individual:
Registrant Contact Details: Pinhout Berat Yas (duruyas@hotmail.com) Ankara Ankara Alt?nda?,06000 TR Tel. +90.0533488xxxx

The website is hosted on 95.173.164.13. This IP hosts several other domains registered by different individuals. Pinhout.com is not the default domain for this IP either (see http://95.173.164.13/). All of this tells is that this is definitely not an official localized version of Pinterest.

Phishing site?

However, the site does not look like a Phishing site either. It is fully functional and phishing sites usually clone one or two pages only. The site can be browsed without having to login. I've tried to sign up with a Facebook test account, but the signup failed.
Then what is it?
The site could be used to harvest e-mail addresses, Facebook and Twitter accounts (both can be used to sign up), but that does not seem to be the case here. At least not yet...
This is either a dormant phishing/spam site, or most likely an unsanctioned clone of Pinterest by a bored programmer.