
Wednesday, January 30, 2013

Facebook spam leads to Exploit Kit


Unsurprisingly, the Blackhole Exploit Kit is still trying to infect users. One of the techniques commonly used is to send the victim an email that appears to come from, for example, Facebook, LinkedIn or Twitter, asking them to click on a link.

We'll take a small peek at those tactics. We received the following email:

You have received a new comment

Hi ,
You have disabled your Facebook account. You can restore your account at any moment by logging into Facebook using your old login email address and password. Subsequently you will be able to use the site in usual way.
Thanks,
The Facebook Team


Obviously, Facebook didn't disable your account at all. There are a few indicators that make it easy to determine this email is fake:

  • The 'From' field says it's from "Facebook", but the actual sender is 'nondrinker@iztzg.hr'.
  • Have you disabled your account? If not, then there's no reason to receive this mail.
  • The subject and the content of the email do not match.
  • Hovering over the links in the email reveals the real URLs, which are not Facebook URLs.
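The first and last of these checks can be scripted. The following is an added example, not code from the original post: it parses a constructed message modelled on the one above, compares the domain of the real sender address with the brand named in the From display name, and extracts every link target to see whether it points at a Facebook domain. The link target and the list of legitimate brand domains are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message in the post; the link target is a placeholder.
RAW_EMAIL = """From: Facebook <nondrinker@iztzg.hr>
Subject: You have received a new comment
Content-Type: text/html

<html><body><p>Hi ,<br>You have disabled your Facebook account. You can restore it
by <a href="http://redirector.example.invalid/restore.php?u=1">logging into Facebook</a>.</p>
<p>Thanks,<br>The Facebook Team</p></body></html>
"""
# Domains the brand legitimately mails from (an assumption for this example).
BRAND_DOMAINS = {"facebook.com", "facebookmail.com"}

class LinkExtractor(HTMLParser):
    """Collect every href in the HTML body: the scripted equivalent of hovering over each link."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one (a look-alike prefix does not count)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_email(raw, brand_domains=BRAND_DOMAINS):
    """Return the red flags found: a sender domain or link hosts that do not belong to the brand."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(msg["From"])
    if not host_matches(addr.rpartition("@")[2], brand_domains):
        findings.append(f"From shows {display_name!r} but the real sender is {addr!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href in parser.hrefs:
            host = urlparse(href).hostname or ""
            if not host_matches(host, brand_domains):
                findings.append(f"link {href!r} points at {host!r}, not a brand domain")
    return findings
```

Running `check_email(RAW_EMAIL)` reports both the sender mismatch and the off-brand link; a message from facebookmail.com whose links all go to facebook.com yields no findings.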


When clicking on any of the links, you are presented (after several redirects) with the Blackhole Exploit Kit (aka BH EK). It tries to load a Java exploit on the machine by first detecting which plugins and which Java version you are using:

Screenshot: the PluginDetect code used by the exploit kit
The payload? Probably ransomware or a Banker Trojan.


You can find the full JavaScript and the infection source on Pastebin:
http://pastebin.com/9PgDTXsb



Prevention

  • Use the NoScript add-on in Firefox or NotScripts in Chrome to prevent this.
  • Use the WOT add-on to check on the status of a website.
  • Use your common sense and ask yourself the proper questions (see below).
  • Use a URL scanner if you're unsure about a URL. Some examples are VirusTotal, URLvoid and URLquery.




Conclusion

As usual with this kind of email, stay alert and always ask yourself the proper questions:

  • Why did this get in my Unwanted Email or Spam folder if I normally get Facebook mails in my normal Inbox?
  • Why would Facebook send me this when my account isn't disabled at all?
  • Why are those links not pointing to Facebook websites?
  • Why is the sender not from Facebook itself? What can I see in the headers?

Use your common sense, update your third-party applications as well as Windows, and use a decent antimalware and antivirus product.

Thursday, January 24, 2013

Analysing malicious PDF files

This is an ongoing blog post on how to analyse malicious PDF files. More information coming soon.

[...]

Source of PDF:
http://stopmalvertising.com/malvertisements/malvertisement-on-filestube-meet-cve-2013-0422-and-cve-2012-1723.html


test.pdf
https://www.malwaretracker.com/pdfsearch.php?hash=00cb4b06783620a997c673acc9496032
https://www.virustotal.com/file/26e3357a689437e469887aa1960533da8148eaa976a4ca4fa2e88a16a025fd7a/analysis/1358951918/
http://wepawet.iseclab.org/view.php?hash=00cb4b06783620a997c673acc9496032&type=js&t=1358889498
http://jsunpack.jeek.org/?report=516115790568fd46e1f72c952074a64755947796

Extracted: shellcode.js
https://www.virustotal.com/file/cf89cc1cb5919f85651ed9e66983fc9e4b6d27d3a1f6ccc090af70beee0994a5/analysis/
http://wepawet.iseclab.org/view.php?hash=fb436428b41ecfddc9163c3aae4344b3&type=js

Thursday, January 17, 2013

About YouTube top comments


Have you seen the top comments on YouTube recently? Mostly, they're about the video clip itself, or about other artists that do not live up to the talent of said video clip ;-) .

Sometimes, however, spam reaches the top comments (whether or not with a lot of upvotes):
Screenshot: another user is being addressed, "confirming" the site is real

I've seen this kind of YouTube spam unfold into two scenarios:
1) The usual survey scams, promising an iPad for example
2) The download of adware or a PUP (Potentially Unwanted Program) to your machine


Let's take a look at both scenarios. We will go more in depth on the second one, as it is the most interesting. This post includes prevention methods, a removal process and a conclusion at the bottom if you want to skip the investigation.



Investigation


1) Survey scam

As seen in the picture above, another user is being addressed. This user did not make any comments on the video at all. I'm guessing they use this little trick to 'confirm' someone asked about it and they are 'just helping out'. The comment has several upvotes as well, thanks to the use of bots.

Clicking on the bit.ly link redirects you to another website:
hxxp://alllightsfull.info/prize/prize.html
2/30 - URLvoid Result
2/33 - VirusTotal Result
AllLightsFull.info - Whois Record

Screenshot: Congratulations! You won a... Survey scam!
After clicking on Start Now!, you'll get redirected to fill in a survey for a chance of winning an iPad... Which will redirect you to another survey... To another survey.... Until you need to fill in personal details such as your email address. In my case, I had to subscribe to about 20 other instances (read: Brace yourselves, spam is coming) to win the iPad.

Obviously, you won't win anything and your email address will end up on several spam lists.

2) Adware / Potentially Unwanted Program

In this scenario, you end up on a different website, but with a similar, easy layout:
Screenshot: Download YouTube videos with "YouTubeSaved"
Some information about the website:
hxxp://www.youtubesaved.com
1/30 - URLVoid Result
0/34 - VirusTotal Result
YoutubeSaved.com - Whois Record

You can download from Download.com/CNET or directly via their website. I'm not sure what's worse: the fact that you can download this beautiful piece of crap via CNET or that it's Norton/VeriSign Secured.

The following file is downloaded:
cid_185425_sono.exe
Result: 3/46
MD5: a3675a8439b09049a76da7f9c93c4a34
VirusTotal Report
Anubis Report
ThreatExpert Report


In the following minutes, I got several new screens to install additional software:
Screenshot: FLV Media Player coming along with WhiteSmoke
Screenshot: FLV Media Player coming along with PriceGong, Freetwittube,...
Some readers might remember WhiteSmoke from a few years ago, when it came bundled with a rootkit and was particularly annoying as well as hard to remove.

While I was eagerly clicking Next on all of the screens, there were quite a few network connections. In fact, in those 5 minutes of installing FLV Media Player (and thus also: Yontoo, Relevant Knowledge, Free Ride Games, Moyea, Remote Programs, PriceGong, Conduit and WhiteSmoke) there were about 1140 outbound HTTP requests installing even more adware.

If you're interested in these connections, I have uploaded a Fiddler log to Pastebin:
http://pastebin.com/QxcHca1Z


Interestingly, Firefox gave a warning about a particular toolbar:
https://addons.mozilla.org/en/firefox/blocked/i226
From that page:
This add-on is silently side-installed by other software, and doesn't do much more than changing the users' settings, without reverting them on removal.

Actually it does more than that: it redirects your searches (through ad-sponsored networks), changes your homepage, annoys you with pop-ups, and so on. This does not solely apply to WhiteSmoke.

A total of 63 newly created PE files were found on my machine. Seems like they really wanted me to install as many toolbars and adware as possible. Sometimes, besides being referred to as a PUP or adware, this kind of software is called foistware.
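One way to count dropped binaries the way the post does, as an added example rather than the post's own tooling: walk a directory, keep the files modified after the installer started, and check each one for a valid MZ header whose e_lfanew field points at a PE signature. The directory, file names and timestamps are constructed inside the script; on a real machine you would point it at the system and profile directories with the time the install began.

```python
import os
import struct
import tempfile
import time
from pathlib import Path

def is_pe_file(path):
    """True if the file has an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(0x40)          # IMAGE_DOS_HEADER is 64 bytes
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def new_pe_files(root, since_epoch):
    """Walk root and return the PE files modified at or after since_epoch (sorted paths)."""
    # st_mtime is used for portability; on Windows st_ctime is the creation time and is the
    # better field for 'newly created' files.
    found = []
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue
            if mtime >= since_epoch and is_pe_file(path):
                found.append(path)
    return sorted(found)

def make_minimal_pe(path):
    """Constructed stand-in for a dropped binary: MZ stub, e_lfanew and PE signature only (not runnable)."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    Path(path).write_bytes(bytes(header))

def demo():
    """Self-contained run: plant two fake PE files and one decoy in a temp dir, return how many are flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        install_started = time.time() - 5     # baseline taken 'before' the installer ran
        make_minimal_pe(os.path.join(tmp, "cid_185425_sono.exe"))
        make_minimal_pe(os.path.join(tmp, "toolbar_helper.dll"))
        # Decoy: starts with MZ and is longer than a DOS header, but has no PE signature.
        Path(tmp, "readme.txt").write_bytes(b"MZ" + b" not a real executable" * 4)
        return len(new_pe_files(tmp, install_started))
```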

You can find a Pastebin here with all VirusTotal results: http://pastebin.com/87HspUgu



Prevention

Now, how do we prevent these applications from ever entering our system? Here are a few tips:

  • Carefully consider what you are installing. Is this program known at all? What does it do? Do I really need this installed? A simple Google search reveals a lot of answers.
  • Don't click Next, Next, Next or OK to everything or in any of the screens you get. This is a golden rule in general.
  • Read the EULA. No wait, what? Those EULAs are always way too long! That's right, but luckily there's a tool available which can assist us in identifying unwanted behaviour. The tool is called EULAlyzer, by the same developer as SpywareBlaster (which also helps prevent these).

    I did a scan on a EULA from PriceGong which uncovered the following results:
    Screenshot: EULA states advertising, your searches being submitted and more

  • Use the extension WOT (Web of Trust) to get a second opinion about website X or Y.
  • If you encounter a link that is shortened (for example bit.ly, t.co, tinyurl, ....) you can use a website such as GetLinkInfo or Unshorten to acquire more information on that link. Awesome!



Removal

Of course, it might be too late for some users. They are already seeing pop-ups everywhere, getting amazing deals or are getting redirected in their search engines. Again, you can find some hints:

  • Most of these programs can be easily removed via the Control Panel > Add/Remove Programs. There's also a small guide by Microsoft on how to do that. After uninstallation, these programs will open your browser and offer to reinstall the "product". Just close the browser when that happens.
  • "I removed these programs but am still getting redirected. Why?"
    Probably the Add-On, Extension or Plugin is still installed and active in your browser. Remove or disable this manually by following these steps:
    Removing extensions from Internet Explorer
    Removing extensions from Mozilla Firefox
    Removing extensions from Google Chrome

    Restart your browser afterwards and confirm the changes. It's possible you need to manually reset your homepage as well.

  • "Not everything is gone and I don't see anything in the Add/Remove Programs."
    When this happens, you can use a tool like AdwCleaner. Please keep the following in mind:
    - Close all browsers before executing AdwCleaner
    - Click on Search. A logfile will open. Review this carefully! AdwCleaner is pretty strict in removing adware. Then, you can select delete to delete all the unwanted/malicious entries.
    - More information can be found on the download page of AdwCleaner (see above).
  • After following these steps, use your already installed Antivirus and perform a full scan. When that's finished, you can also use Malwarebytes to perform a Quick Scan and ensure everything is gone. Be sure to select in the Settings tab > Scanner Settings that PUPs are shown in the scan results.
  • If you are having difficulties or are not too sure of following these steps all by yourself, you can always make a post on one of the several forums out there specialized in removing malware and other nonsense from a machine. An example forum where you can get help is BleepingComputer.



Conclusion

After reading this post, I'm sure you can now recognize the thin line between goodware and foistware, adware, or Potentially Unwanted Programs. With the tips above, you should be able to arm yourself against this kind of threat.

Some legit programs like Java or Adobe also offer these "toolbars". Don't be fooled! The same rules above should be applied here. Untick those boxes and read carefully through the installation wizard! Why are these things still around, you might ask? There's an interesting article here by Ed Bott:
Why does crapware still exist? Follow the Silicon Valley money trail

You might wonder why your antivirus didn't ring any bells when installing this software. The easy answer is: it is hard to tell whether this is malicious behaviour, as the user consents to and agrees with the EULA, which is basically an agreement to all these unwanted modifications!
The hard and longer answer is something to discuss in a future blogpost.

Conclusion: don't install something when you have no idea what it is or does. Google can be your friend.