Email message sample:

Actually code looks like:

Attack, actually, run for about 48 hours already at least. You may see traces of it on URLQuery [36 entries by now]

When clicked – lead to BHEK2

BHEK2 payload – Cridex [22/46] and Fareit.

Second binary is interesting one, yes Wait for updates.

Stay safe!

D.L.

- frame delivered to unique users only, no frame on repeat. 

So – How it looks like for victim and how implemented?

Since than Linux/Chapro.A was posted in SecLists and  analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details, that it appear to be version of Darkleech module.

And here it appear again: UnixFreaxJP blog report about massive attack on Japanese segment of Internet.

Well, It’s time to see, is it DarkLeech and how anti-forensics implemented there from client PoV

Ok. Let’s see on any of servers that in list:

Stage 1. Victim request the infected page:

if You analyse the page retrieved, it clean. All content is legit, or at least not malicious…

But after full analysis, let me cheat a bit and draw Your attention to Date and Set-Cookie fields.

Well, at 11:40:12  GMT request was sent to Apache server. And Apache respond with Cookie, that have PHP_SESSION_ID and Expiration date in 5 minutes...

ok move on.

Stage 2. infector appear:

I hope It’s clear to You, that browsing a web go as SET of HTTP requests. So – second HTTP request come to Apache server already with Cookie value set:

Cookie: PHP_SESSION_ID=1345283934

And response is:

Sorry for huge pic, but You have to see it

Well, what we have?

Red line – injected code. iframe that forward victim to BHEK2 in this case…

See pic from Eric Romang’s blog – here [second from top]

Structure is very similar, IMHO. So I think it is a Darkleech. 

Now – let’s see, how it works

Green line – Cookie updated. Now it have PHP_SESSION_ID with -1 value, that will expire only in 7 days. 

Stage 3. Full picture:

Ok, now we can combine all that knowledge in one algorithm, Darkleech coders use for one-time infection attempt per client: 

1. Victim visit website, provided with Cookie, that:

    – have expiration date in 5 minutes

    – have ID unique per client

2.  Second request victim pass Cookie value to server with Darkleech attached.

    – Darkleech respond with altered webpage, included malicious iframe.

    – In addition, DarkLeech set Cookie ID to -1 and “mark” this client for 7 days from been infected again. Even if it IP changes, because cookie remain for 7 days

3.  Any following requests from same IP appear to be clean for at least 60 mins. [still investigating time limit]. Looks like IP also “marked” in some local list. 

       : 

This is how it looks like from victim side..

Credits: 

Thx @unixfreaxjp for original path and been good friend.

Thx Eric Romang for his blog

Thx to all researchers, that You keep head up and fight against malware

Stay Safe

D.L.

Prerequisites: 

Temperature: 37.8 C

Local Time: 23:00

Mood: [censored]

Test machine: fully updated (pdf, flash, java up to 7.u17)

Live Exploit Kits in list: 5

What we testing:

How dangerous can be surfing for those who follow best practices – at least performing updates.

Results:

All behavior among tested Exploit Kits, can be described as:

- If plugin-detect present, than system realize that no vulnerable plugins detected, and

- no exploit served at all [Safe End]

- last available Java exploit served. [Fail]

- If plugin-detect not present, than all available exploits execute and fail.

* Sometimes LibTiff exploit crash the PDF plugin, once Java cause error message appears…

Bottom line – if machine is up to date – well, leave it, there are plenty of easy targets around. 

Except for Cool Exploit Kit. Let me show You some fun stuff there… 

It landing page with plugin-detect served, push Java CVE-2013-0431 exploit (see it analysis by @SecObscurity )

It require permission to run

Ok. If You click Cancel – blank page for few seconds…

Waiting…

Second try! Ok, lets allow it, who cares!

Well, in here – same exploit. VT [6/45]

Well, that’s it, no harm?

No, as I said – “Cool Exploit Kit” mojo “We try harder!”

Voila:

Ha, since no exploits for our machine, let’s use  old school trick! VT [22/45]

Nice try, that eventually reach it target – amount of “installs” grows.

Conclusions:

Well, once Cool EK was announced, it was quite similar to BHEK2… Than it appear that new exploits added there faster and work more “clean”. Fast implementation of recent line of Java and Flash exploits. Hard obfuscation techniques. Maybe, after Yesterday’s patch Tuesday we’ll see new exploits there.. But here we may see also some tricks that add sophistication to this Exploit kit… It actually try harder… Kinda like to have such enemies, it’s more fun to defeat them.

Stay Safe

D.L.

I wrote huge philosophic part here… But then – I realized, that too much ideology already dumped into Net, no need to add.

So – see mr. Churchill quote and add “BlackListing” instead of “Democracy” << this is exactly my point.

And making long story short – in providing protection against malware – blacklisting fail.

Why? Simple.

Blacklisting – “…a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access…” (WikiPedia.org)

So, basically, how it should work:

1. Someone detect that IP x.x.x.x or domain badassmalwarehomepage.com is spreading malware, got Exploit Kit installed or some other malicious activity detected

2. IP or domain list added to blacklist – now all software that work with that blacklist, protected from entering this bad site.

3. Internet Safe! (Yeah… )

And how it works now:

1. Malicious IP or domain detected. It take some time to detect new attack, discover all infectors, gather all evidence and prepare to be reported

2. IP\domain reported. There are plenty of different lists, each have it rules. Take some time to re-check and add to list – otherwise it can be used for malicious purposes. 

3. Clients not up to date, lists delivered from time to time, check with list take time and traffic. And bottom line – in fastest way it take 2-3 days to get stuff done. Attacker already got profit, monetized and planning new attack. 

Nothing new for many of You, and as I said – it’d terrible solution, but we dont have another now.

But wait – it even worse

Malware don’t need to have it’s own IP\domain exposed to victims, or even malware researchers, on any level. Let me show You, how. 

BTW: For those who want to send me “Hey, why publish ideas that bad guys will use” – let me assure You, bad guys use it for some time already. Almost all of them, even complete script kiddies. Nothing new for bad guys disclosed here. But maybe, some good guys still stay not updated.

If You know basics of networking, You know what proxy server is. Tor is good example of complicate system of proxy gates.

But less people know, that You may turn almost any web server into proxy server. All what required – shell on this server. No root needed.

Here is small part from sample of  “4 horses club” delivery system.

Basically, what this script do, it check if new binary available on remote server, and if so – download it to local system (website) and continue to deliver.

Another code from sample – from TDS system that rented to forward traffic to various EK during last year

This sample intercept request to web page, on the fly form request to malicious server and receive unique inject for each victim.

Among anti-forensic features, implemented here:

- Various obfuscation techniques

- GeoIP -based attacks

- Filter-off repeat requests.

And all – in one .php script.

Famous Redkit have very similar technique I described here. In active state, forwarder looks like this:

Sorry for blank space – very, very sophisticated piece of malware, don’t want add ideas to others ) But every malware researcher can see here wildcard for so popular:

./[abcd].html

./887.jar

./332.jar

./987.pdf

Among features, that NOT require server [really-malicious] interception, but done on victim website:

1. Filter of crawlers, bots, search agents etc.

2. Filter of “wrong” requests.

3. Filter of repeat requests.

4. Tracking of infection process per client.

5. Local caching of transferred data.

6. Ability to act as C&C proxy for transferred back data\files.

7. Polymorphic features.

8. Non-standard encryption\obfuscation.

9. Remote management.

Yes, all those requests are intercepted and forwarded to remote server on the fly.

In addition – active phase of RedKit infector is between 30 mins to few hours. Afterwards – server appear “clean” to requests – 404 error returned.

And more and more…

What common for all those samples – they intend to be placed on hacked website. That mean, legit person create legit family business website, upload content, got hacked (multiple ways) and became an evil drone for spreading malware. Simple, and for now – bulletproof schema. And this schema defeat blacklisting for now. What to do? No idea.

that’s it for now…

Stay safe.

D.L.

p.s. and yeah, I am terrible in blog article namings… sorry for that too…

KahuSecurity

MalwareSigs

So I will not paste all details step-by-step. Who interested – see it here.

What was interesting in this case in particular – Java exploit, that  try to convince victim, that it is Adobe Flash Player .

Not new, actually, You right. @kafeine recently posted some details about similar behavior of recent Java exploit in Popads EK.

So – as You may see, idea appear to spread among other malware spreaders as well.

Actually, if You press “Cancel” in this point, no harm done to Your machine (if Java is up to date).

If Java is outdated – 2 additional exploits served as well.

Here samples on VT:

Java:

JAR1 JAR2 JAR3

Exe:

Bin [6/46]

That’s all

Stay safe

D.L.

But this time some new piece of software used..

It call itself  ”Portal TDS – You monster v 2.02”

List of detected links on URLQuery1 or URLQuery2 (looks like not yet in list of known TDS patterns?)

TDS Administrator login page:

Link management form:

Google indexed few results of this TDS, most of them – traces of  Admin console. It is possible that domain portal-tds.ru and demo.portal-tds.ru , but this domain is currently down. IP that various system logged as belong to this domain is 194.28.68.124 (Ukraine)

Domain Register Details: 

domain: PORTAL-TDS.RU
nserver: ns1.portal-tds.ru. 194.28.x.x (Updated: request from owner of IP range. They claim that registered users were banned and no malicious activity accepted from their IP range. If so, thx. )
nserver: ns2.portal-tds.ru. 78.26.184.129
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2011.08.21
paid-till: 2013.08.21
free-date: 2013.09.21
source: TCI

Currently live TDS detected:

sydinex.net > 94.250.251.43

corn.ptds3.ru > 194.28.x.x (Updated: request from owner of IP range. They claim that registered users were banned and no malicious activity accepted from their IP range. If so, thx. )

Also known hosts, currently dead:

intermediac.com

jpegprovider.ru

gsm-poisg.ru

agnese.portal-tds.ru

Schema used is quite classic:

1. Spam message sent to victim, trying to impersonate LinkedIn message:

2. Victim click on link and forwarded to TDS, which forward it to BlackHole2, in case victim looks legit, not bot\crawler

3. BlackHole2 landing page served to victim.

4. Profit.

 Dropped binary You may see here: https://www.virustotal.com/en/file/c7ea76b4e4543ebf1556bd93c466258ed729527609824dc6a38aac1060d3007c/analysis/

p.s. Sorry for been less available recently – making few changes in regular schedule

p.p.s. Should I credit PSY and HYUNA as soundtrack for this small dig-in? I think -yes )

Need Your help.

For last few month we were looking former Redkit spreading all over, using compromised websites to get into victim machines.

At this point, united tracker results indicate that at least 2725 unique domains were compromised and participated in Redkit spreading from 11.11.2012 till 31.01.2013

Since I literally have no free time to manage all cleanup process and no resources to provide support to owners of those web-resources (major part of them even not respond to mail), here is list 

Please note, that this list not 100% solid, there were few changes in Exploit Kit spreading system that tracking agent need to be reconfigured, but bottom line is – its at least 90% accurate.

Some domains were cleaned up, some – abused and took down by hoster company or owner. Most of listed hosts still infected, I assume. And since MDS system reuse them frequently, once they’ll appear to be malicious again. Please act accordingly.

In case Your website listed in here:

Removal instructions [for site\host\shared hosting services Owners]:

1. Search for .htaccess files and php.ini or .user.ini files in root directories, check them for mod_rewrite.c entries (see more details here)

2. Clean  files attached in mod_rewrite.c section of .htaccess

3. Hire security professional that will harden Your website\service to prevent future intrusions. If not – malware will return. 

Stay Safe!

D.L.

Some time ago I posted info about ransomware from “4 horses club”. Grab it HERE.

Here is login page of this Aff program for partners (click for bigger pic)

All concept of page – based on very good book of Soviet Authors  Ilya Ilf and Eugene Petrov - “The Twelve Chairs” - very good, IMHO. If You read russian, and not read it yet – please do Even name of partner program referenced to some place and story in this book

Well, except Bender pic (funny fact, that name of main hero in book is also Bender). And on picture it presented same as in famous musical “The Twelve Chairs”(1976) played by actor Andrey Mironov:

As You may see, unmistakable similarity here

Ok, so back to binary

You may see a LOT of it recently over net.

After I had a time for fresh look on a binary IDA\Ollydbg in this binary, there are few interesting things I like to share.

Binary compiled in Delphi7, and use a lot of VBScript files to execute commands needed. Literally, binary create a dit, extract a VB file in it, and execute it to perform some tasks. Bottom line of those tasks You may see in previous post. Here we looking for social info?

Have a look on this screen. Those files were created on victim’s system as temporary, and then removed.

First of all – look at the path “The First Evidence”? Actually, it is  Still looking for second one, BTW. And “Guatemala is a magical”

Then – look at VB code – it’s a good opportunity to look inside source code that developer (in this case – malicious developer) wrote. Vars he\she uses – Egypt, Ibiza, Muson (slang for Music), REMONT (repairs, [RUS]), SPRITZ (probably injector, syringe [RUS] )..

another part that can be found in code:

this is string stored in binary  to be saved as .bat file and then executed to modify hosts file. Variable carries  it’s portion  of intel too.

So here we are starting to make assumptions:  

Well, there are some details about person (or at least 2 persons) we see here.

First one is about 35-45 Years old man, maybe slightly older, who is familiar with Soviet literature of XX century, have good knowledge in IT, maybe he is in charge or  a leading position, employer.

The other one is younger (25-35?), it is a programmer, that code on Delphi, uses VB-Script, thinks about music, party, vacation and other stuff that people who work for salary think of. He\She is an employee or a minor partner. Not a Rap culture lover, apparently, and definitely native Russian speaker.

ups, it became bigger than I planned initially…

Well, need to take a break, real life calling

Stay Safe! 

D.L.

See Microsoft Encyclopedia for screenshots and some details about it.

interesting is, that most of  removal instructions that Google found start from Boot in “Safe mode”

And my sample from 2 days ago infect victim in way, that in “Safe mode” nice window that demand money, reappear (!)

Ok, how?

Simple, actually. It inject itself into WMI service, as ServiceDLL both in ControlSet001 and ControlSet003

Local path of DLL is victim current %TEMP% folder

So, updated cleanup instructions for Reveton.N malware:

1. Reboot and press F8, choose “Safe mode with command prompt” and boot with Your current user

2. In command prompt (black window) type in

cd %TEMP%

and press Enter

then type in

del /q *.dll

and press Enter

type in

shutdown /r /f /t 00

press Enter

Computer will restart

3. Download proper antivirus and clean Your computer with it from all other malware You have on Your PC. 

Stay Safe!

D.L.

Friends, WTF is SPL Exploit Kit? urlquery.net/report.php?id=… << sample detection by @urlquery.

— Denis Laskov (@it4sec) January 7, 2013

So URLquery named it SPL Exploit kit, and almost no additional info about it present. Weird? Yep.

So me and @nsmfoo had  a look at it, to see what we can learn.

Well, first of all, as I understand, name to this EK was given based on some tech specs, that return in each installation detected. Since then tech details slightly changed, but major idea is the same.

Ok, lets begin…

First Stage: Got infected

Classic always work ) malicious JS or iframe that lead to TDS

Ok. Moving…

and we land on first page of EK. It’s more visual part, which main purpose is to scary You and in background forward browser to actual exploit.

Some screenshots:

All this is same HTML page with JS in it to create vision of victim’s PC gone crazy.

Nice one, but have a look on JS code, responsible for one of alerts

Looks like Sophos guys doing good job, if it gone that far

Actual  forwarder looks also very familiar

Landing page is:

in this case it was - JAVA CVE-2012-1723 – sample on VT [5/46]

What JAR do, I hope colleague of mine will blog soon in details.

Update2: And here is expected part from @kahusecurity – please have a read “Unpacking a Malicious Java Applet”

Update3: Another good analysis of SPL EK JAR file, and detailed step by step technique of it unpack & understand, by @Gunther_AR - grab it here: “Malicious Java Applet Deobfuscation”

Many thx to @kahusecurity for tools and readiness to help and share  

But wait, also thx to @kafeine, we all now know about recent 0day on Java ver 7u10 – CVE-2013-0422

And here it is, served thru SPL Expoit kit to any Java client ver 7. VT [2/46]

Payload is the same, packed and XORed

Second stage: Binary behavior

Victim experience:

Actually, as You may see, display name of malware depends on location and OS version. thx TomU for this tip!  It also behaves differently.

What it do:

1. Binary extracted from JAR

2. It copy itself to Local Settings\Application Data folder and name new binary as [3 vary letters].exe with attributes Hidden and System

3. Delete a copy in %Temp% folder

4. Remove registry data, that point to Windows Update\Automatic Update services

5. Update current registry values for multiple internet-related programs and addons, so now each time any binary, addon or internet-related program executed, malware catch it execution in first place.

Now, when executed and run, it demand money Of course!

And  here where those ”transactions” go to verify:

109.206.174.38 was before few days

109.206.174.45 – recent.

Great, simple known schema, but…

In addition – during execution FakeAV try to get another  binary data.exe

This one two days old – VT [21/45]

And this one – today VT [7/46]

It’s malware of Necurs family. 

Have a look on Anubis report of it activity on machine.

It actually re-crypted very often, and in time of serving detection is about 3-4 from 46. according to VirusTotal. 

Conclusions:

1. SPL exploit kit looks simple and lame (for brief look) in compare to EK we saw previously – simple page, some HTML code, JAR etc. But this assumption is  wrong. It include:

- on the fly generated JAR file, with only one exploit per victim, which most suitable.

- binary embedded into JAR re-packed and re-crypted very often.

- SPL EK included  0-day  Java few days afer disclosure of it. Not before – for sure, but few days after it was announced (between 07.01 and 11.01)

- as a result – detection ratio of every served payload is extremely low, got also a bunch of FUD’s during tests.

2. Malware binary, that  SPL EK serve to victims, is quite old. Original name is “XP Home Security 2011″ (hard-coded in binary), and then themes applied according to current victim.

3. As part of this FakeAV, also rootkit\backdoor Necurs served. Nasty and very low detect ratio too.

4. Well, bottom line, this EK is quite successful in it main purpose – serving malware and gather installs.

Removal instructions:

Go to Local Settings\Application Data\ folder, find there hidden filename. Rename it

Open Task Manager and kill process named same as renamed file

Then You need to update AV, maybe perform return to Last Known Good Config or so to restore registry keys.

Credits:

@nsmfoo for started all this and continue with it even now

@kahusecurity for tools and great support in de-XORing binary

@kafeine for advises and valuable knowledge

@c_APT_ure for useful tips

@unixfreaxjp for help with JAR and Java

@MalwareMustDie and all participants of a project for their valuable input!

thx Friends!

Additional readings:

Article about SPL EK by @MalwareSigs  - “SPL Exploit Kit” << see here regex for checking SPL EK presence.

That’s all for now

Stay Safe

D.L.

Update1: Oh, my english is terrible… Fixing