Reveton.N malware – Safe Mode included.

2013.01.31

Reveton.N is a malware family that has become quite well known recently; it is ransomware that locks your PC and demands money.

See the Microsoft Encyclopedia for screenshots and some details about it.

What is interesting is that most of the removal instructions Google finds start with "boot into Safe Mode".

And my sample from 2 days ago infects the victim in such a way that in Safe Mode the nice window demanding money reappears (!)

Ok, how?

Simple, actually. It installs itself as the ServiceDll of the WMI service (Winmgmt), both in ControlSet001 and ControlSet003, so the service host loads the malicious DLL instead of the real one.

The local path of the DLL is the victim's current %TEMP% folder.

So, updated cleanup instructions for Reveton.N malware:

1. Reboot and press F8, choose "Safe Mode with Command Prompt" and log in as the user who got infected (%TEMP% is per user, so the DLL sits in that user's temp folder)

2. In the command prompt (the black window) type

cd %TEMP%

and press Enter

then type in

del /q *.dll

and press Enter

type in

shutdown /r /f /t 00

press Enter

The computer will restart.

3. Download a proper antivirus and clean your computer with it of all the other malware on your PC. Also check that the ServiceDll value of the Winmgmt service (HKLM\SYSTEM\ControlSet00N\Services\Winmgmt\Parameters) points back at the stock %SystemRoot%\system32\wbem\WMIsvc.dll in every ControlSet: with the DLL in %TEMP% deleted, the WMI service will otherwise fail to start.
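An added check to go with the cleanup above, written for this post and not part of the original: a PowerShell audit of the Winmgmt ServiceDll value in every ControlSet, which flags anything that is not the stock DLL or that lives in a user-writable folder such as %TEMP%, keeps a copy of the rogue DLL, and can put the stock value back. It assumes the Windows default value %SystemRoot%\system32\wbem\WMIsvc.dll and uses a quarantine folder C:\samples of my own choosing; run it from an elevated PowerShell 3.0 or later (powershell.exe can be started from the Safe Mode command prompt):

```powershell
# Added example, not code from the original post: audit the Winmgmt (WMI) service's
# ServiceDll value in every ControlSet, flag anything that is not the stock DLL or
# that lives in a user-writable folder such as %TEMP%, and optionally restore the
# stock value. Needs an elevated PowerShell 3.0+ (powershell.exe can be started
# from the Safe Mode command prompt).

# Stock ServiceDll value of the Winmgmt service (REG_EXPAND_SZ).
$StockWmiDll = '%SystemRoot%\system32\wbem\WMIsvc.dll'
# Quarantine folder for the rogue DLL; an arbitrary choice for this example.
$Quarantine  = "$env:SystemDrive\samples"

function Get-WinmgmtServiceDll {
    # Emits one object per HKLM\SYSTEM\ControlSet00N that has a Winmgmt\Parameters key.
    Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object {
            $key   = "HKLM:\SYSTEM\$($_.PSChildName)\Services\Winmgmt\Parameters"
            $value = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($null -ne $value) {
                $expanded  = [Environment]::ExpandEnvironmentVariables($value)
                # -eq and -match are case-insensitive, so %systemroot% vs %SystemRoot% does not matter.
                $isStock   = ($value -eq $StockWmiDll)
                $inUserDir = ($expanded -match '\\(Temp|AppData|Users|Documents and Settings)\\')
                [pscustomobject]@{
                    ControlSet = $_.PSChildName
                    ServiceDll = $value
                    Expanded   = $expanded
                    Suspicious = (-not $isStock) -or $inUserDir
                    FileExists = Test-Path -LiteralPath $expanded
                }
            }
        }
}

function Restore-WinmgmtServiceDll {
    # Points every flagged ControlSet back at the stock DLL; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in (Get-WinmgmtServiceDll | Where-Object { $_.Suspicious })) {
        $key = "HKLM:\SYSTEM\$($entry.ControlSet)\Services\Winmgmt\Parameters"
        if ($PSCmdlet.ShouldProcess($key, "Set ServiceDll to $StockWmiDll")) {
            Set-ItemProperty -Path $key -Name ServiceDll -Value $StockWmiDll -Type ExpandString
        }
    }
}

# 1. Show what each ControlSet loads as the WMI service DLL.
Get-WinmgmtServiceDll | Format-Table -AutoSize

# 2. Keep a copy of the rogue DLL for analysis before "del /q *.dll" wipes it
#    (stored with a .bin extension so nothing loads it by accident).
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
Get-WinmgmtServiceDll | Where-Object { $_.Suspicious -and $_.FileExists } | ForEach-Object {
    $name = '{0}_{1}.bin' -f $_.ControlSet, [IO.Path]::GetFileName($_.Expanded)
    Copy-Item -LiteralPath $_.Expanded -Destination (Join-Path $Quarantine $name)
}

# 3. Preview the registry fix; drop -WhatIf to apply it.
Restore-WinmgmtServiceDll -WhatIf
```

Run the listing first: an entry flagged Suspicious whose file still exists is the sample worth keeping before `del /q *.dll` removes it. Restore-WinmgmtServiceDll goes through ShouldProcess, so drop -WhatIf only once the proposed change is what you expect, and re-run the listing afterwards to confirm every ControlSet shows the stock value.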

Stay Safe!

D.L.

Javascript include: from attacker to victim & how to check?

2012.11.19

Because of all that happened recently, let me be quick :)

Various software exists to automatically add text to webpages on compromised websites.

This is the chain of samples from a recent attack that I followed :)

Step1:

The attacker intrudes on a poorly secured website: through a software flaw, poor configuration or stolen credentials.

Software (a web shell) is uploaded to remotely manage the website, and its link is written into a database of compromised websites.

Step2:

The bundle of websites is sent a command to add malicious code to each page (or to specific ones, the default page for example):

Sample1

Read more…

Tor Proxy for Malware Analysis

2012.10.16

I don't know how you work, but I usually work through Tor, and thanks to our friends at the Tor Project for their effort on anonymity.

But if you research malware through it, there are issues that I learned by myself, and I am now centralizing them for those who are also interested.

My tweet

was, as it appears, not 100% clear and created more mess than it cleared up.

So – let’s structure it a bit :)

Read more…

Read Content-Encoding: gzip data from captured stream

2012.09.21

Well, it appears to be easy, but not for me :)

Here is how the capture result looks in Wireshark:

If you Google "Content-Encoding: gzip decode", you get a list of solutions, none of which worked for me :) Ok, but I have to be sure it is the RedKit Exploit Kit payload page!

Ok, let's see what we can do.

Read more…

Extracting EXE file (in HTTP stream) from captured packets file with Wireshark

2012.09.09

When you hunt for malware, it is a common situation that you end up with a lot of tcpdump files in which the whole infection process is saved step by step.

No matter what tool you use for dumping this stuff, you can always view it later with Wireshark.

Today I was in the process of testing BHEK for a malicious payload when the malware-distributing host "suddenly" died. And part of the samples I still had not archived for future reversing!

But wait a minute! The sniffer dump file! I just need to extract the data. But how?

Read more…

Malware hunt – wildfowl to find

2012.09.02

More than twice in the last 24 hours I was asked a non-trivial question:

Where do you find targets for a malware hunt if you are not part of a big team, not a malware researcher, and don't own a honeynet?

Actually, if you want to fight malware, IMHO it is very useful to have a honeypot system, or at least to be in the security business somehow. It will provide you with a non-stop flow of malicious targets to review. But if not, and you still want to help?

Disclaimer: All links provided lead to lists of malicious or potentially malicious resources. Do not click any link there, and do not run any file, without proper knowledge, a prepared environment and trained skills.

Well, here are a few links that aggregate the latest known threats, which you can practice on:

1. Malware Domain List:

http://www.malwaredomainlist.com/update.php

2. URL Query

http://urlquery.net/

3. Malekal.com list of malware

http://www3.malekal.com/malwares/

4. VX Vault

http://vxvault.siri-urz.net/ViriList.php?

5. Site Inspector (by Comodo)

http://siteinspector.comodo.com/recent_detections

6. Scumware.org

http://www.scumware.org/index.scumware

7. Malc0de Database

http://malc0de.com/database/

8. Sucuri Malware Labs

http://labs.sucuri.net/?malware

9. Clean-MX Realtime database

http://support.clean-mx.de/clean-mx/viruses

10. Sourcefire Vulnerability Research Team Labs

http://labs.snort.org/iplists/

11. Zeus Tracker

https://zeustracker.abuse.ch/monitor.php?browse=binaries

12. NovCon Minotaur Analysis System

http://minotauranalysis.com/malwarelist-urls.aspx

p.s. Many thanks to DrM for almost tripling the list! :)

Note: threats are usually detected by many participants, blocked and dead as a result (and this is good!), so if you are looking for a live target, look at the most recent updates, search for similar domains hosted on the same IP, etc.

Happy and lucky hunting. Share your findings (you can also do it here http://twitter.com/MalwareMustDie ), and if you know other good lists of malware URLs and targets, comment and I will add them to the list.

Cheers

D.L.

Download Youtube video via HTML5 (.webm)

2012.08.23

Recently the web tool I was using to download webm video from YouTube for offline courses stopped working, so I asked my Twitter friends to help find another way, without toolbars and apps.

And here is the response, after a few hours, from a friend of mine, Mohab Ali aka 0xAli:

On his site you can see the string you need to paste into the address bar when you are on a YouTube video page.

This solution works; tested in Opera and IE.

Cheers!

D.L.

Extract MSI in Linux\Windows

2012.08.05

If you have an MSI file, it is a sort of archive that Microsoft Installer uses to pack installation files.
To analyze it, you need to extract them.
Under Windows, on the command line you run:
msiexec /a PathToSourceMSI /qb TARGETDIR=DirectoryToStoreExtractedFiles

Under *nix systems
1. Use the 7-Zip unpacker directly: 7z x file.msi (7-Zip understands the OLE compound file format an MSI is stored in; the contents come out as the MSI's internal streams, including any embedded .cab, which 7-Zip can unpack in turn).
2. Renaming the file to .zip does not help, because an MSI is not a zip archive and unzip will not open it. If you want the real file tree rather than raw streams, msiextract from the msitools package extracts it.

Local copy of Directory Listing with wget

2012.07.26

Well, sometimes you need to get a local copy (or not so local :) ) of some folders with directory listing enabled. It usually looks like a basic webpage with "Index of …" in the title.

For each folder that is mirrored, wget creates multiple copies of the dynamically generated index page:

index.html 
index.html?C=D;O=A 
index.html?C=D;O=D 
index.html?C=M;O=A 
index.html?C=M;O=D 
index.html?C=N;O=A 
etc... 

Annoying: a lot of useless requests to the server (which is already overloaded by your good will) and not nice on the eye when you look at your local copy.
I didn't find a simple solution on Google, so here is mine:

wget -r -p -np -e robots=off -U mozilla -R 'index.html*' http://website/file_archive/

Explanation:
-r - recursive
-p - page requisites (images, stylesheets etc. needed to display each page)
-np - don't ascend to the parent directory
-e robots=off - don't care about what robots.txt says
-U mozilla - send "mozilla" as the User-Agent (I am Mozilla! :) )
-R 'index.html*' - reject files matching index.html* (quoted so the shell does not expand it; dangerous if files in subfolders are themselves named index.html..., but I am talking about archives). Note that wget still fetches the matching index pages to find the links in them and deletes the local copies afterwards, so this tidies the mirror but does not spare the server those requests.
Have fun and try to respect those whose sites you dump.

Facebook Malware Checkpoint

2012.07.15

Facebook announced the Malware Checkpoint, a service for detecting malicious activity on users' computers. The technical solutions are provided by Microsoft Security Essentials http://on.fb.me/infectedMSE and McAfee's Scan and Repair http://on.fb.me/infectedMcA .

Here is an overview of the process

Read more…