Malware hunt – wildfowl to find

2014.01.31

More than twice in the last 24 hours I was asked this non-trivial question:

Where do You find targets for a malware hunt if You are not part of a big team, not a malware researcher, and don't own a honeynet?

Actually, if You do want to fight malware, IMHO it is very useful to have a honeypot system, or at least to be in the security business somehow. That will provide You a non-stop flow of malicious targets to review. But what if You are not, and You still want to help?

Disclaimer: all links provided lead to lists of malicious or potentially malicious resources. Do not click any link there or run any file without the proper knowledge, a prepared environment and trained skills.

Well, here are a few links that aggregate the latest known threats that You can practice on:

Read more…

List of compromised domains [2725] that spread RedKit EK.

2013.02.03

Hi all, folks.

Need Your help.

For the last few months we have been watching the former Redkit spreading all over, using compromised websites to get into victim machines.

At this point, the combined tracker results indicate that at least 2725 unique domains were compromised and participated in Redkit spreading from 11.11.2012 till 31.01.2013.

Since I literally have no free time to manage the whole cleanup process and no resources to provide support to the owners of those web resources (most of them don't even respond to mail), here is the list

Please note that this list is not 100% solid: there were a few changes in the Exploit Kit spreading system that required the tracking agent to be reconfigured, but the bottom line is that it's at least 90% accurate.

Some domains were cleaned up, some were reported as abuse and taken down by the hosting company or the owner. Most of the listed hosts are still infected, I assume. And since the MDS system reuses them frequently, at some point they will appear to be malicious again. Please act accordingly.

In case Your website is listed here:

Removal instructions [for site\host\shared hosting service owners]:

1. Search for .htaccess files and php.ini or .user.ini files in the root directories and check them for mod_rewrite.c entries (see more details here).

2. Clean the files referenced in the mod_rewrite.c section of .htaccess.

3. Hire a security professional who will harden Your website\service to prevent future intrusions. If not, the malware will return.
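A small scanner for the first two steps above, added here as an example and not part of the original post: it walks a web root for the files the post names, pulls out every <IfModule mod_rewrite.c> block, and flags blocks whose RewriteCond gates on HTTP_REFERER or HTTP_USER_AGENT (a heuristic I am assuming, since EK redirectors typically select search-engine visitors on real browsers that way). The embedded .htaccess is a constructed sample, not a file captured from a real site.

```python
import os
import re

# Files the post tells site/hosting owners to inspect.
TARGET_NAMES = {".htaccess", "php.ini", ".user.ini"}
BLOCK_RE = re.compile(r"<IfModule\s+mod_rewrite\.c>(.*?)</IfModule>", re.I | re.S)
# Heuristic (my assumption, not stated in the post): EK redirectors usually gate the
# rewrite on the visitor's referer/user agent so only search-engine visitors are sent on.
SUSPECT_COND = re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
DIRECTIVE_RE = re.compile(r"Rewrite(Cond|Rule)\b", re.I)

# Constructed sample .htaccess for the demo; not a file captured from a real site.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteCond %{HTTP_USER_AGENT} (msie|firefox|chrome) [NC]
RewriteRule ^(.*)$ /images/.cache/r.php [L]
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.html$ / [R=301,L]
</IfModule>
"""

def extract_rewrite_blocks(text):
    """Return the body of every <IfModule mod_rewrite.c> block in text."""
    return [m.group(1).strip() for m in BLOCK_RE.finditer(text)]

def flag_block(block):
    """Return the Rewrite* lines of a block that gates on referer/user agent, else []."""
    lines = [l.strip() for l in block.splitlines()]
    if not any(SUSPECT_COND.search(l) for l in lines):
        return []
    return [l for l in lines if DIRECTIVE_RE.match(l)]

def scan_tree(root):
    """Walk root; return {path: [(block, flagged_lines), ...]} for the target files."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    blocks = extract_rewrite_blocks(fh.read())
                if blocks:
                    findings[path] = [(b, flag_block(b)) for b in blocks]
    return findings
```

Every block is reported, flagged or not, because a legitimate-looking rewrite can still be the injected one; the flagged lines are just where to look first.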

Stay Safe!

D.L.

 

Reveton.N malware – Safe Mode included.

2013.01.31

Reveton.N malware is quite well known recently; it's ransomware that locks Your PC and demands money.

See the Microsoft Encyclopedia for screenshots and some details about it.

Interestingly, most of the removal instructions that Google finds start with “Boot in Safe mode”.

And my sample from 2 days ago infects the victim in such a way that in “Safe mode” the nice window that demands money reappears (!)

Ok, how?

Simple, actually. It injects itself into the WMI service as the ServiceDLL, both in ControlSet001 and ControlSet003.

The local path of the DLL is the victim's current %TEMP% folder.

So, updated cleanup instructions for Reveton.N malware:

1. Reboot and press F8, choose “Safe mode with command prompt” and boot with Your current user.

2. In the command prompt (black window) type in

cd %TEMP%

and press Enter. Then type in

del /q *.dll

and press Enter. Then type in

shutdown /r /f /t 00

and press Enter. The computer will restart.

3. Download a proper antivirus and clean Your computer with it from all the other malware You have on Your PC.
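An added check for the persistence described above (example code, not from the original post): it reads the WMI service's ServiceDLL value from every ControlSet00N and reports whether it is the stock WMIsvc.dll or something living under a Temp folder. It assumes the WMI service's registry key is named Winmgmt and that the stock value is %SystemRoot%\system32\wbem\WMIsvc.dll (both known Windows facts not stated in the post); after step 2 deletes the DLL, that value still points at the missing file, and setting it back to the stock path is what lets the WMI service load again.

```python
import os
import re
import sys

# The WMI service DLL Windows itself installs (a known value, not taken from the post).
EXPECTED_SERVICEDLL = r"%SystemRoot%\system32\wbem\WMIsvc.dll"
# Key holding the ServiceDLL value; Winmgmt is the WMI service's registry key name.
PARAMS_KEY = r"SYSTEM\{cs}\Services\Winmgmt\Parameters"

def classify_servicedll(value):
    """Classify one Winmgmt ServiceDLL value as 'clean', 'temp-dir' or 'unexpected'."""
    norm = os.path.expandvars(value).strip().strip('"').lower()
    if norm == os.path.expandvars(EXPECTED_SERVICEDLL).lower():
        return "clean"
    if re.search(r"\\temp\\", norm):   # Reveton.N keeps its DLL in the victim's %TEMP%
        return "temp-dir"
    return "unexpected"                 # also not what Windows installs; inspect it

def read_servicedll_values():
    """Return {ControlSetNNN: ServiceDLL} from the live registry; {} when not on Windows."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # Windows-only standard-library module
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(system, index)
            except OSError:            # no more subkeys under SYSTEM
                break
            index += 1
            if not name.startswith("ControlSet"):
                continue
            try:   # check every ControlSet00N: the post saw 001 and 003 both modified
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PARAMS_KEY.format(cs=name)) as p:
                    found[name] = winreg.QueryValueEx(p, "ServiceDll")[0]
            except OSError:
                continue
    return found

def check_host():
    """Pair every ControlSet's ServiceDLL value with its verdict."""
    return {cs: (v, classify_servicedll(v)) for cs, v in read_servicedll_values().items()}

if __name__ == "__main__":
    for cs, (value, verdict) in check_host().items():
        print(f"{cs}: {verdict:<10} {value}")
```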

Stay Safe!

D.L.


“Four Horses Club” – social networking locker malware [Updated]

2012.12.27

This post is about a “private” installs\monetize service named “Club Four Horses”:

[Club Four Horses logo]

Actually, this is a malicious “affiliate program” service for converting installs in the RU zone and among Russian-speaking users around the world. Since it is localized to the RU zone, You may say that it's less interesting, but wait 🙂 The implementation is for RU, but the idea … 🙂

Read more…

Javascript include: from attacker to victim & how to check?

2012.11.19

Because of all that happened recently, let me be quick 🙂

Various software exists that automatically adds text to web pages on compromised websites.

This is the chain of samples from a recent attack that I followed 🙂

Step 1:

The attacker intrudes on a poorly configured website: through a software flaw, poor configuration or stolen credentials.

Software (a web shell) is uploaded to remotely manage the website, and its link is written to a database of compromised websites.

Step 2:

The bundle of websites is sent a command to add malicious code to each page (or to specific pages, e.g. the default one):

Sample1

Read more…

FakeAV: “System Progressive Protection” inside out.

2012.11.05

Yesterday my client was attacked by some malware. And [censored] antivirus was unable to protect him.

[twitter link in WP not working, will check tomorrow]

So I had some free time to have a look at it.

Meet “System Progressive Protection”:

Read more…

Drive-by download malware within a 643MB avi

2012.08.08

Did You know that ASF (Advanced Systems Format) by design includes a feature that can be used for drive-by download? No? Then this post is for You.

Read more…

“Photo Printing Kiosk” Honeypot v0.1beta

2012.08.02

It is a problem, if You are not in the States or Finland, to monitor malware that is spreading locally. You need honeypots, a local lab etc.

Why is it important, You ask?
1. This is the easiest way to detect and prevent country-targeted, localized, narrow attacks before the fact is acknowledged by someone big.
2. It helps local computer users stay less vulnerable to the threats most likely to hit them.
3. It's cool: You see new stuff before even virustotal.com knows about it.

Read more…

Free AV tools (updated 23.07.2012)

2012.07.23

Once I made a list of free tools You may use to clean up Your computer without paying.
Looks like it's time to renew it – for me and my guys to use, and for everyone to use for Your own purposes.

Free Antivirus on-demand scanners:

CureIT (DrWeb project):
http://www.freedrweb.com/download+cureit/gr/

CureIT 7 beta:
http://www.freedrweb.com/download+cureit+free/beta/

TrendMicro free cleanup tool:
http://housecall.trendmicro.com/

All other free tools of TrendMicro (incl. HijackThis):
http://free.antivirus.com/clean-up-tools/

Symantec Removal Tools (outdated, but in case You need it):
http://www.symantec.com/business/security_response/removaltools.jsp

AVZ:
http://www.z-oleg.com/secur/avz/download.php

Kaspersky Removal Tool:
http://www.kaspersky.com/antivirus-removal-tool-register

F-Secure rootkit eliminator (BlackLight):
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/blacklight/index.html

Avast offline scanner:
http://files.avast.com/files/eng/aswclnr.exe

F-Secure offline scanner:
http://download.f-secure.com/estore/fseasyclean.exe

Microsoft Safety Scanner:
http://www.microsoft.com/security/scanner/en-us/default.aspx

Sophos Virus Removal:
http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx

Antimalware tools:

Malwarebytes:
http://www.malwarebytes.org/

Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Spybot:
http://www.spybot.info/en/mirrors/index.html

Microsoft Windows Malicious Software Removal Tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Comodo Cleaning Essentials (malware cleanup and process):
https://www.comodo.com/business-security/network-protection/cleaning_essentials.php

Emsisoft Emergency Kit:
https://www.emsisoft.com/en/software/eek/

Online scanners:

Symantec:
http://security.symantec.com/sscv6/WelcomePage.asp

McAfee:
http://home.mcafee.com/Downloads/FreeScanDownload.aspx?affid=0

BitDefender:
http://www.bitdefender.com/scanner/online/free.html

Fast QuickScan (BitDefender memory scan tool):
http://quickscan.bitdefender.com/

Panda:
http://www.pandasecurity.com/activescan/index/

F-Secure:
http://www.f-secure.com/en_EMEA/security/security-lab/tools-and-services/online-scanner/

CA Scanner:
http://cainternetsecurity.net/entscanner/

Rising AV:
http://www.rising-global.com/products/online-scanner-intro.html

Online file analysers:

VirusTotal:
http://www.virustotal.com/

Free AV solutions:

Bitdefender Free:
http://download.bitdefender.com/windows/installer/en/bitdefender_free.exe

AVG:
http://free.avg.com/us-en/download-free-antivirus

Rising:
http://www.rising-global.com/Download/Rising-Free-Utilities/Rising-Free-Antivirus.html

Avira:
https://www.avira.com/en/download-start/product/avira-free-antivirus

Microsoft Security Essentials:
http://windows.microsoft.com/en-US/windows/products/security-essentials

URL analysers:

Symantec:
http://safeweb.norton.com

URLVoid (multiple engines):
http://www.urlvoid.com/

DrWEB online check:
http://online.drweb.com/?url=1

Useful tools:

HiJackThis:
http://sourceforge.net/projects/hjt/

Process Explorer by Mark Russinovich:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

AntiRootkit TDSSKiller by Kaspersky:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Updated 23.07.2012

Special thanks for the updates to 0xerror http://www.scoop.it/t/h4x0r5

Facebook Malware Checkpoint

2012.07.15

Facebook announced Malware Checkpoint, a service for detecting malicious activity on users' computers. The technical solutions are provided by Microsoft Security Essentials http://on.fb.me/infectedMSE and McAfee's Scan and Repair http://on.fb.me/infectedMcA.

Here is an overview of the process

Read more…