Since all the IT world busy with new release of BHEK, here some not BHEK stuff Ж)
Start point was sent by the friend with remark – “…maybe BHEK2″?
and here we have iframe with interesting structure of malware string:
Well, going further:
Ok, nice, again – jar file, good old java vuln and some ping-back
Going with the link:
Ok. We also have link to jar! Let’s download it?
Response: 404 ? What?
Again from the beginning – got file with different name.Ok.
Standard .jar – very low detection ratio, between 6 to 9/42 on VT. Sample is not relevant here, see 1 in bottom test results
After multiple tests, still cannot be 100% sure, but here are test results:
1. jar files generated per browser,
2. encoded with random obfuscation code
3. jar file alive for abouyt an hour, then removed and replaced with new one.
4. different payload delivered to different browsers. But sometimes same browser + plugins get different browsers. < still have no explanation.
5. Link cullback/?a=YWZmaWQ9MDUyODg= do not remove jar file, as i thought the beginning. It stay on server at least net 5 mins.
Ok, running jar – as a result – sent reply to server
And response: 2 bytes. OK.
Well, something gone as planned, and reported to mothership, that everything is ok.
After 2 minutes of silence:
:)) Nice! Fake Antivirus, named “Security Shield”
1. Stay in top of all windows
2. Continue to require updates, clean the computer and register itself. All those lead to buy page.(screenshot num 2)
3. Do not block regedit, taskmanager, cmd etc -
4. Can be closed by closeing service
5. Appear back after restart
Ok, this one not that harsh, as previous one.
Very interesting part is how payment handled:
When You fill the form (Visa\Master Card number checked against Luhn formula), also checked US State and ZIP.
When choosed “Get license”
Then, when CC data entered and You press BUY, data in POST request sent to same server.
then – Credit Card data transferred thru HTTP POST request
IP belong to some server of online shops, based on Cyprus. Anyone have family there?
Ok. We got infected, let’s see what and how?
After few checks, found, process pcshgy.exe, that run as user in TaskManager.
Let’s see it
VirusTotal: [0/42] https://www.virustotal.com/file/b2eb53ec594835bf2b7e69ce26abb1cbc38811248cd41bdc7853b1423f2046bb/analysis/1347539981/
Thank to my friend, @MalwareMustDie, for analysing the exe file
— Denis Laskov (@it4sec) September 13, 2012
And see VirusTotal comments by @unixfreakxp << thx!
How to clean
Since no antivirus for now detect and remove iy. here small recommendation on how to clean it from Your system.
1. Open Task Manager and find infected process [pcshgy.exe] in list of running processes. Kill it.
2. Perform full disk search and delete file [pcshgy.exe]
3. Download latest AV software and update it, if it not.
4. Contact Your AV vendor and ask, why this malware not detected by their program.
1. IMHO it’s not BHEK2. No tojans\rootkits\ddos bots and stealers detected on system, except FakeAV
2. System is still under heavy load of victims traffic, generating files per minute and working hard. Newest Hava vulnerability + 0 detection ratio between Antiviruses guarantee to this malware enough work.
3. System is under investigation, not all details are ibvious, that’s why part of servers not disclosed
4. Malware Distribution server poorly configured, so we may see process of generating new scripts live:
5. CC collecting server still alive, too
6. Your Antivirus will not protect You here, at least for now. Sorry. Follow the cleanup tips and contact Your AV in case of infection. Do not pay!
That’s all for now.
About source of infection - malicious Apache module, please read blog UnmaskParasites.com
More live infected websites – have a look on Securi.net blog
Looks like new vector of attack – compromise the webserver itself, not relate to hosted sites. And this cause to all websites, hosted by this server, became malicious. Interesting