R3v3rs3e's Blog

Archive for September, 2009

Bogus MS Update

Posted by Steve Espino on September 25, 2009

The analysts at the PC Tools Malware Research Centre have been receiving bogus emails claiming to be coming from Microsoft:

…public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:
hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm

They seem to be compromized websites being used by the bad guys in order to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a file named update09.exe, which PC Tools Spyware Doctor with Antivirus detects as Trojan-Spy.Zbot.YETH.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.

The presence of the following files/folders may indicate signs of infection:
%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\

More here.

Posted in Malicious Intent | Tagged: , , , , , , , , , , , , , , , | Leave a Comment »

Another Shameless SEO based on Atlanta Flooding

Posted by Steve Espino on September 22, 2009

Users Googling “Atlanta flood pictures” receive a yet another SEO attack, using a possibly compromised legitimate Australian website hosting restaurants in the famous Bondi area.

Here’s a screenshot of a google search result:
atlanta_flood_google

A Fiddler capture shows us the redirections:
atlanta_fiddle

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN

An installer named Soft_207.exe will be presented for download, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.TotalSecurity.

At the moment, the PC Tools Malware Research Centre has observed the following domains being used for the distribution:
winfixscanner7(dot)com
15scanner(dot)com

These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60

But knowing the trend in scareware, there could be heaps more domains being created as we speak.

PC Tools Spyware Doctor with Antivirus protects its users from RogueAntiSpyware.TotalSecurity.

Posted in Uncategorized | Tagged: , , , , , , , , , , , , , , , , , , , | Leave a Comment »

Koobface on the Move, Serving Scareware

Posted by Steve Espino on September 18, 2009

The PC Tools Malware Research Centre has been seeing new movement on the koobface front Lately.

koob_fiddle

As koobface-serving domains are being taken down as early as the good guys discover them, the bad guys are at it and they respond by registering new ones. At the moment, their, C&C server is hosted in China with IP Address 61.235.117.83.

The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.

fake_facebook

Clicking anywhere on the page, presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:

koob_script

115.130.27.204
123.202.200.84
151.204.31.67
196.206.65.53
221.126.0.105
24.215.207.229
41.238.76.198
61.93.34.23
67.206.253.52
68.47.48.240
69.18.107.115
69.254.215.173
70.122.242.250
70.212.232.126
71.116.37.213
71.130.216.179
71.194.236.32
71.80.105.40
72.13.138.210
72.190.87.208
75.181.171.110
75.251.94.44
76.119.98.22
76.22.160.28
76.23.203.64
81.192.192.160
98.140.58.163
98.244.224.140
98.26.40.38
99.22.74.229

The javascript component being by used by koobface, remains bascically the same as before

And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:

rogue

gotrioscan(dot)com
plazec(dot)info

At some instances, we also get these warnings:

hardware_error
Internet_Antivirus_Pro

At the moment, these warnings are serving Internet Antivirus Pro.

In order to be protected against these attacks, users of PC Tools Spyware Doctor are advised to use the latest PC Tools update.

An earlier post about koobface can be found here.

Update:
Koobface has been going at it and here’s another one that spoofs youtube and serves koobface malware as a fake codec:

hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go

Posted in Malicious Intent, Rogue Apps | Tagged: , , , , , , , , , , , , , , , , , , , | 4 Comments »

 
Follow

Get every new post delivered to your Inbox.