Wednesday, July 31, 2013

Malware using GoogleCode for distribution

Malware hosting sites rarely stay up for long. After the first few instances are seen by security vendors, they are added to blacklists which, in turn, feed other blacklists throughout the industry. Malware writers are now turning to commercial file hosting sites to peddle their warez. If these legitimate file hosts are not scanning the content they host, network administrators may be forced to block the service altogether. The kicker is that this time GoogleCode seems to have swallowed the bad pill.

The first file in question is hosted at: hxxps://code.google.com/p/onflashplayers/source/browse/AdobeFlashPlayer.exe

You may also recognize it by a few other names, as seen in its VirusTotal report (21/45 detections):
https://www.virustotal.com/en/file/12ba2c059963799fda3b48bce3d51f06940c7cdcb7b20559c752acdee2d43594/analysis/1375130106/

We also have reports of this file being downloaded via Dropbox, but it appears to have been taken down by the time of our research.

This incident sets a precedent that no file hosting service is beyond reproach. Blind trust of specific domains should not be tolerated, whether at the organizational or the personal level. So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location.

Other files from this location were also flagged as malicious (MD5 hash and VirusTotal detection ratio):
fc79708c4b5a7ac7ffc666c65af3d402 - 9/46
4372fa69e33307b8998447e3a79ed13a - 7/46
d9040e39cc4b9e2ce19dcb2fa26e2d36 - 17/46
93650214ef3c5e0f7fc657150fe4f670 - 13/46
9a85728e541c1dd34ec8ecca02f3ba92 - 6/46
f7dd919004cb65f89ae87f0360222f05 - 17/46
79bfcaf15acbb4f6e00df9f5e9e97078 - 4/45
6f197c2542933bb1a94916312f2075f7 - 5/45
a6a054ff40e24fe1e67230a4dec282cd - 21/46
9e49f709cd6df526cb261969a1239ef1 - 16/46
7d7b1329d25731c779fcd3ba41003cea - 9/46
86680f427e4c139f4112f506d8b2a770 - 21/46
3fd508edba21cb1c9f69e316828d8847 - 16/45
a1a66e2aadb4b4e231513f9e49166c72 - 16/46
3f8cd82f528fd7bd7635639583e4da09 - 22/46
5abbdd8b0f60e4ad80cd328d80fde7b9 - 12/46
3b1d052884949231f8a8ab927dffc0de - 5/46
e553a555c20a6a9caab15471fc147a4c - 8/46
38f148e53f44394911c6d876c6288407 - 5/46
3715ff5da288cfbb548b424722b664d6 - 6/46
04c3adff92b188dcfc0b944a457f3d74 - 5/46
4372fa69e33307b8998447e3a79ed13a - 7/46
fa694888e878efc6afb4e4781b007154 - 5/45
d256a34f4d9be8a74033c7bede40b2aa - 16/46
a842fcda221aaddd2fa21f77abaf91ce - 8/46
b4ee1ea0494f0800635e8d8398bc7779 - 22/46
7548f78f7e626403dd503421d1e6e42d - 6/46
d276561d27e2a343e2ace1fbbf9474e3 - 5/46
f951cfcfe8f293c2fa551297222fb37a - 13/46
9da48c984b71e26887b3c58f7a5c5d05 - 5/46
8fcb14b676fa0ecacbee92b702ce59b4 - 16/46
09e82c7811d1e155e6825a4aa98455bb - 8/46
3c76a70ffb42a9c2071b05bb0a430b5e - 5/46
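As an added example (not code from this post), here is a small Python sweep that parses the hash list above in its "md5 - detections/engines" form and reports any file under a directory whose MD5 appears in it. The only assumption is that the directory to scan is given on the command line; the post lists one hash twice, and the parser collapses that duplicate.

```python
# Added example (not code from the post): sweep a directory for the MD5s listed above.
# Assumes the IoC list is pasted as "md5 - detections/engines" lines and that the
# directory to scan is given on the command line (defaults to the current directory).
import hashlib
import os
import re
import sys

# Hashes copied from the post above; one hash appears twice there, the parser dedups it.
IOC_LIST = """
fc79708c4b5a7ac7ffc666c65af3d402 - 9/46
4372fa69e33307b8998447e3a79ed13a - 7/46
d9040e39cc4b9e2ce19dcb2fa26e2d36 - 17/46
93650214ef3c5e0f7fc657150fe4f670 - 13/46
9a85728e541c1dd34ec8ecca02f3ba92 - 6/46
f7dd919004cb65f89ae87f0360222f05 - 17/46
79bfcaf15acbb4f6e00df9f5e9e97078 - 4/45
6f197c2542933bb1a94916312f2075f7 - 5/45
a6a054ff40e24fe1e67230a4dec282cd - 21/46
9e49f709cd6df526cb261969a1239ef1 - 16/46
7d7b1329d25731c779fcd3ba41003cea - 9/46
86680f427e4c139f4112f506d8b2a770 - 21/46
3fd508edba21cb1c9f69e316828d8847 - 16/45
a1a66e2aadb4b4e231513f9e49166c72 - 16/46
3f8cd82f528fd7bd7635639583e4da09 - 22/46
5abbdd8b0f60e4ad80cd328d80fde7b9 - 12/46
3b1d052884949231f8a8ab927dffc0de - 5/46
e553a555c20a6a9caab15471fc147a4c - 8/46
38f148e53f44394911c6d876c6288407 - 5/46
3715ff5da288cfbb548b424722b664d6 - 6/46
04c3adff92b188dcfc0b944a457f3d74 - 5/46
4372fa69e33307b8998447e3a79ed13a - 7/46
fa694888e878efc6afb4e4781b007154 - 5/45
d256a34f4d9be8a74033c7bede40b2aa - 16/46
a842fcda221aaddd2fa21f77abaf91ce - 8/46
b4ee1ea0494f0800635e8d8398bc7779 - 22/46
7548f78f7e626403dd503421d1e6e42d - 6/46
d276561d27e2a343e2ace1fbbf9474e3 -  5/46
f951cfcfe8f293c2fa551297222fb37a - 13/46
9da48c984b71e26887b3c58f7a5c5d05 - 5/46
8fcb14b676fa0ecacbee92b702ce59b4 - 16/46
09e82c7811d1e155e6825a4aa98455bb - 8/46
3c76a70ffb42a9c2071b05bb0a430b5e - 5/46
"""

# Tolerates the stray double space the post has before one ratio.
IOC_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s*-\s*(\d+)\s*/\s*(\d+)\s*$")


def parse_ioc_list(text):
    """Return {md5: (detections, engines)}; a duplicate hash keeps its higher count."""
    iocs = {}
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue  # blank or malformed line: skip it rather than fail the sweep
        md5, hits, engines = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        if md5 not in iocs or hits > iocs[md5][0]:
            iocs[md5] = (hits, engines)
    return iocs


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large file does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs):
    """Walk root and return [(path, md5, (hits, engines))] for every listed file."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in iocs:
                matches.append((path, digest, iocs[digest]))
    return matches


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, (hits, engines) in scan_directory(root, parse_ioc_list(IOC_LIST)):
        print(f"MATCH {path} md5={digest} vt={hits}/{engines}")
```

Hash matching only catches byte-identical files, and samples in campaigns like this one are repackaged constantly; treat a hit as confirmation, not the absence of hits as a clean bill of health.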

Wednesday, July 24, 2013

Phishing for Ad Scams

Today we have a perfect storm of basic attack vectors that inevitably lead victims to a variety of advertising scams, including adware executables, parked domains, pay-per-click scams and phishing sites. First, a list of all of the websites seen hosting this threat:
  • 1yahoo.com/
  • testflightapps.com/
  • www.find-your-date.org/
  • www.conmdirect.de/
  • www.chanuteinsurancepool.net/
  • translateitonline.com/
  • compartel.gov.cofacebook.com/
  • www.autobypass.com/
  • rerbox.com/
  • ravelrey.com/
  • www.corall.com/
  • accountservices.wiipro.com/
  • losangeles.craigslst.org/
  • www.styel.com/
  • spritnpcs.com/
  • www.nbarumors.com/
  • www.eetime.com/
  • bleacherrepot.com/
  • www.elmundoe.es/
  • iflswa.com/
  • debshop.com/
  • www.cnnis.com/
  • myfintesspal.com/
  • televisaeportes.com/
  • www.testflightapps.com/
  • wwwbunte.de/
  • hiffingtonpost.com/
  • bhestbuy.com/
  • www.dbm.de/
  • noobroom6.com/
  • scripts.codingclick.com/
  • eaterny.com/
  • www.thatlantic.com/
  • usnwwc.com/
  • texasrangersmlb.com/
  • idlebrian.com/
  • laspass.com/
  • spliwise.com/
  • www.iflswa.com/
  • www.usbankhomemortagage.com/
  • www.linkdein.com/
  • mdrudgereport.com/
  • theeverywhereist.com/
  • www.hiffingtonpost.com/
  • redditt.com/
  • www.saukaryam.com/
  • malaimalar.com/
  • www.bradypeople.com/
  • bmohariss.com/
What all of these websites have in common is that they rely on cybersquatting: registering slight variations of popular domain names. This common phishing technique gives the victim a false sense of certainty that they are on the intended website. These websites were pulled together from a list of referrer URLs that matched a common pattern for dubious redirection found in JavaScript files. Once the user visits the site, they are presented with a JavaScript redirect via an iframe, similar to the following:
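Lookalike domains of the kind listed above can be caught mechanically. The Python below is an added example, not part of the original post: it reduces each referrer host to its registrable domain and compares that with a list of protected brands using an edit distance that counts a swapped letter pair as a single edit (so linkdein is one edit from linkedin, not two). The brand list is my assumption about which sites are being imitated, and the sample hosts are a subset of those listed above. It also handles one case that edit distance alone misses, the dropped dot in wwwbunte.de.

```python
# Added example (not code from the post): flag referrer hosts that are close
# misspellings of well-known domains. PROTECTED is an assumed brand list.
from collections import namedtuple

# Brands assumed to be the targets of the lookalike domains listed in the post.
PROTECTED = {
    "yahoo.com", "facebook.com", "craigslist.org", "linkedin.com", "reddit.com",
    "bestbuy.com", "huffingtonpost.com", "cnn.com", "bunte.de", "style.com",
    "lastpass.com", "splitwise.com", "drudgereport.com", "theatlantic.com",
}

# Subset of the referrer hosts from the post, with the trailing "/" as printed there.
SAMPLE_HOSTS = [
    "1yahoo.com/", "losangeles.craigslst.org/", "www.linkdein.com/", "redditt.com/",
    "bhestbuy.com/", "wwwbunte.de/", "compartel.gov.cofacebook.com/", "www.cnnis.com/",
    "www.styel.com/", "www.bradypeople.com/", "noobroom6.com/",
]

Match = namedtuple("Match", "host registrable brand distance reason")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]


def registrable(host):
    """Naive registrable domain: the last two labels. Fine for .com/.org/.de;
    a public-suffix list would be needed for suffixes such as .co.uk."""
    labels = host.lower().rstrip("/").rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host, protected=PROTECTED, max_distance=2):
    """Return a Match for a suspected lookalike; None if host is a brand itself or
    is not within max_distance edits of any brand."""
    reg = registrable(host)
    if reg in protected:
        return None
    # "wwwbunte.de": the dot after www was dropped, which edit distance alone misses.
    if reg.startswith("www") and reg[3:] in protected:
        return Match(host, reg, reg[3:], 0, "www-glued")
    brand, dist = min(((b, osa_distance(reg, b)) for b in protected), key=lambda t: t[1])
    if dist <= max_distance:
        return Match(host, reg, brand, dist, "edit-distance")
    return None


def scan(hosts, protected=PROTECTED):
    return [m for m in (classify(h, protected) for h in hosts) if m]


if __name__ == "__main__":
    for m in scan(SAMPLE_HOSTS):
        print(f"{m.host:32} looks like {m.brand} ({m.reason}, distance {m.distance})")
```

A distance threshold of 2 is deliberately loose; on a large referrer list it will also pair short unrelated domains, so the output is a triage queue for an analyst, not a blocklist.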

This immediately takes you to a seemingly random series of advertising scams. One of the scams presents a "Click Here To Enter" link.

NO DON'T!
The image above is the only visible addition to the page. After clicking the link, the victim is immediately sent to a page that leads them to believe their browser or Flash Player version is out of date.

Both cases end with one of two adware binaries being installed on the customer's system:

https://www.virustotal.com/en/file/a157438070a712bbd3c26ff9de26eb8013af7b18d63d6d707553e45e3369c2f2/analysis/1374266431/
https://www.virustotal.com/en/file/56eebb8067af1febd1ecb35b4ece27fab83200ba6d4e1815749decdcdad9eb1b/analysis/1374266466/

In other cases, the victim is only redirected to a pay-per-click scam that promises "Free Vouchers" and free Apple products but never delivers.

Revisiting any domain from the list only leads the victim back to a parked-domain page. This is done to discourage researchers from dissecting the threat and so to avoid meaningful detection by security vendors. The best way to avoid misdirection from such phishing attempts is to tighten up your browser security.


Thursday, July 11, 2013

FlimKit coughs up more Malvertising

FlimKit is a known exploit kit that takes advantage of Java vulnerabilities in order to drop malicious content on the victim's PC. Previous iterations of this exploit kit were known to be distributed through at least one pop-under service. The EK itself is fairly straightforward. Like so many other kits, it begins with a malicious Flash-based redirect from a malvertising ad. From there it exploits known Java vulnerabilities to drop a JAR file, which in turn delivers a malicious executable. In most cases, this will be some variation of ZBOT.

The following domains were seen as newly added to the FlimKit drop:

  • 9euei.info
  • kvmhja.info
  • sdjeu7.info
  • adiwep.info
  • d0e9ue.info
  • idueya.info
  • sdioep.info
  • sieod.info
Previous iterations of this exploit were also sent as part of known ad services. This instance is no different, except that they have clearly branched out to other services to spread their malvertising message. Through my research I found that the following ad services were known to send users to the malicious exploit kit, which exploits CVE-2013-2423:
  • yieldmanager.net
  • smxchange.com
  • glispa.com
As far as the actual exploit is concerned, there is a solid example seen here.

Wednesday, July 10, 2013

Tracking a botnet infection

Recently we found several malicious executables with similar characteristics. These files were found on the following six domains:
  • janashfordplumbing.com
  • kalliskallis.com
  • lowes-pianos-and-organs.com
  • continental1.com
  • foreigntire.com
  • gjhimages.com
The URLs used adhered to one of the following two formats:
  • http://www.[domain].com/awstats6_data/[a-f0-9]{10}/?f=sm_main.mp3&k=[0-9]{15}
  • http://www.[domain].com/images/[folder]/[folder]/[a-f0-9]{10}/?f=sm_main.mp3&k=[0-9]{15}
These six domains are otherwise legitimate sites that have been compromised and used to serve malicious content. While I didn't determine the vulnerability used to gain control of these websites, all of them were misconfigured: they allowed directory listings (viewing all files available in a folder) and/or had AWStats publicly accessible.

The malicious files kept changing, with different signatures. Their behavior, however, was always the same and was identified as a botnet. When executed, the malware hides itself in the Recycle Bin and infects other running processes. It connects to over 50 IP addresses on UDP/16471 and TCP/16471. These IPs change with each file and each execution.

The botnet always connects to xlotxdxtorwfmvuzfuvtspel.com over HTTP, but the domain answers with an empty response. You'll notice that the malware uses HTTP/1.0 with a Host header (not RFC compliant), which is often a good sign of malicious HTTP activity.
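Turning the two URL formats above and the HTTP/1.0-with-Host quirk into detection logic, as an added example that is not part of the original post: the Python below builds anchored regexes from the two formats, runs them over constructed proxy log lines (the hosts are from the list above; the timestamps, client IPs and path values are made up), and checks a constructed raw HTTP request for the version/Host combination.

```python
# Added example (not code from the post): detect the dropper URL formats and the
# HTTP/1.0-with-Host request style described above. Log lines and the request are
# constructed samples, not captures.
import re

# The two URL formats from the post, as anchored regexes.
URL_PATTERNS = [
    re.compile(r"^http://www\.(?P<host>[a-z0-9.-]+\.com)/awstats6_data/[a-f0-9]{10}/"
               r"\?f=sm_main\.mp3&k=[0-9]{15}$"),
    re.compile(r"^http://www\.(?P<host>[a-z0-9.-]+\.com)/images/[^/]+/[^/]+/[a-f0-9]{10}/"
               r"\?f=sm_main\.mp3&k=[0-9]{15}$"),
]

# Constructed proxy log lines, "timestamp client_ip url". Lines 1 and 3 match a format;
# line 2 is an ordinary image fetch and line 4 has a too-short k= value.
SAMPLE_LOG = """\
2013-07-10T09:12:01 10.0.0.15 http://www.foreigntire.com/awstats6_data/0123456789/?f=sm_main.mp3&k=123456789012345
2013-07-10T09:12:04 10.0.0.15 http://www.foreigntire.com/images/logo.png
2013-07-10T09:13:17 10.0.0.22 http://www.gjhimages.com/images/gallery/2013/abcdef0123/?f=sm_main.mp3&k=987654321098765
2013-07-10T09:14:40 10.0.0.22 http://www.gjhimages.com/awstats6_data/0123456789/?f=sm_main.mp3&k=12345
"""

# Constructed request mirroring the quirk in the post: HTTP/1.0 yet carrying a Host header.
SAMPLE_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Host: xlotxdxtorwfmvuzfuvtspel.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)


def matches_dropper_url(url):
    """Return the compromised host if the URL follows either dropper format, else None."""
    for pattern in URL_PATTERNS:
        m = pattern.match(url.strip())
        if m:
            return m.group("host")
    return None


def scan_log(text):
    """Return (timestamp, client_ip, host) for every log line whose URL matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, url = parts
        host = matches_dropper_url(url)
        if host:
            hits.append((ts, client, host))
    return hits


def is_http10_with_host(raw_request):
    """True when the request line says HTTP/1.0 but a Host header is present."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].split()
    if len(request_line) != 3 or request_line[2] != "HTTP/1.0":
        return False
    return any(h.lower().startswith("host:") for h in lines[1:])


if __name__ == "__main__":
    for ts, client, host in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} fetched dropper from {host}")
    print("C&C-style request:", is_http10_with_host(SAMPLE_REQUEST))
```

The HTTP/1.0 check is a corroborating signal rather than a verdict on its own; pair it with the destination domain and the port 16471 traffic described above before acting on it.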

HTTP request to C&C

We found the malicious samples through behavior analysis, then used our log correlation to find the source of the malicious executables.