Thursday, August 30, 2012

Fake Symantec security check

Antivirus vendors sending out warnings to perform a scan of your computer? Sure, that must be legit... Right?



Email claiming to be from Symantec


If you click on download, a file called RemovalTool.exe will be downloaded.

The malware authors have used the Java symbol as icon. Not sure what's up with that, haven't they been following the news? ;-)


Java icon, trying to trick the user


RemovalTool.exe
Result: 3/42
MD5: ebb4ac5bb30b93e38a02683e3e7c98c6
VirusTotal Report
Anubis Report


When executing the file, you get a nice installer screen:


Alleged Java Setup screen


In the background, the following file is downloaded and executed:

Plugin[1].dll & JavaUpdate.dll
(it's the same file, just a different name so not to raise suspicion)
Result: 19/42
MD5: 67096009f35c6894441a221b6429d27c
VirusTotal Report


JavaUpdate.dll gets injected into explorer.exe to carry out other malicious activities and to ensure that it starts automatically.


The file tries to connect to URLs above




Conclusion

Always be wary when receiving a mail, even if it seems to be from an Antivirus vendor. In this case, the malware authors try to scare the user by saying you are infected and need to download a file to clean it up.

In case of doubt, perform a scan with your installed Antivirus and an online scan from another vendor. Remove the mail.



Tuesday, August 28, 2012

Java exploits lurking around

Update - 31/08/2012
Oracle has issued a patch for the exploit. You can download the patch from:

Oracle has also issued an alert concerning this exploit.
---End update


I'm sure everyone has heard about the latest Java exploits lurking around.


I received the following mail recently:


Mail from ADP, which seems to be a payroll/HR outsourcing firm


Example mails:
#1
ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services



#2

ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Aug 27 23:59:59 GMT-03:59 2012

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


When clicking on one of the links in the mail, you get redirected to a compromised webpage, which will load the exploit on your system. The exploit kit responsible is Blackhole.

The exploit in question:
CVE-2012-4681


The following file was downloaded:

Pre.jar
Result: 13/42
MD5: 08fd3413aef2012f2b078fa07855e398
VirusTotal Report



Related files:

adb92c406847e55d699d22ccd36e5e25ff32
Result: 2/42
MD5: b97a943420c13a51af37acbfbcd11d48
VirusTotal Report


js.js
Result: 1/42
MD5: f11a182170557829c150617613cfbb6c
VirusTotal Report


I didn't investigate further at the point when I got the mails, but normally a file called updateflashplayer.exe would have been downloaded as well. At time of writing, it is already offline.


Files were hosted on the IP: 209.59.222.146 - IPVoid result
& 209.59.222.174 - IPVoid result



Google Safe Browsing Diagnostic page


The same reported exploit, but different Jar files and droppers:

applet.jar
Result: 25/42
MD5: 4af58300ee5cd6d61a3eb229afe0da9f
VirusTotal Report


hi.exe
Result: 36/42
MD5: 4a55bf1448262bf71707eef7fc168f7d
VirusTotal Report
Anubis Report


mspmsnsv.dll
Result: 24/42
MD5: 2f8ac36b4038b5fd7efad8f1206c01e2
VirusTotal Report


The malware tries to phone home to:
223.25.233.244 - IPVoid result




Prevention

Disable Java in your browser(s) or uninstall if you have no use for it. Brian Krebs has made a nice post on how to disable Java on several platforms & browsers:
How to Unplug Java from the Browser

Specifically for this exploit, you can block the following IP ranges in your Firewall or hostfile:
(or at least block the ones mentioned in this post)
223.25.233.0 --> 223.25.233.255
209.59.222.0 --> 209.59.222.255

There's an excellent post over at DeepEnd Research as well, which includes a workaround and patch (you will need to request this):
Java 7 0-Day vulnerability information and mitigation



Conclusion

Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

To test whether your version of Java is out of date and vulnerable you can use:
Zscaler Java test
Is your Java exploitable?
What Version of Java Are You Using?

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Delete emails from unknown senders, never click on links in a mail you allegedly get from your bank, from UPS, or in this case ADP. If you happen to have placed an order or a bank transfer of any kind; go to the website directly in your browser, by typing it in manually.

Note that the links to ADP in this post are not malicious, however the URL behind them was. You can verify this by 'hovering' over the URL to check what is really behind.

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.

Download the latest Java updates from here.

Friday, August 10, 2012

A word on XDocCrypt/Dorifel/Quervar

I'm sure everyone has heard by now about the so called XDocCrypt/Dorifel/Quervar malware.

It has mostly damaged machines in The Netherlands, but reports have come in from other countries (including the United States) as well. I myself have seen this infection on 08/08/2012, my initial thought was: ransomware. However, there isn't any message displayed, so it's either a failed ransomware attempt or the malware simply wants to annoy users.

This virus infects Office files, reverses the extension and adds “.scr” behind it (this is also known as the RTLO unicode hole, which makes it easy to hide the original file extensions. - I remember a blogpost from not too long, about this hole targeting users of the Arabic language, let me know if you find it - ). Renaming does not solve the issue, you cannot open the documents.



Office files affected by the malware


As is depicted in the figure above, Word and Excel files have their extension reversed, so now the files appear to be .scr files, which is the format for a Screensaver. The .jpg file is not affected in any way.

The files are encrypted with RC4, which is a very common encryption algorithm in the cryptography. SurfRight has developed a tool to decrypt (and recover) your files:
Dorifel decrypter



The malware has probably been downloaded by the Citadel or Zeus (aka Zbot) malware.


Zeus sample:

remyf.exe
Result: 12/42
MD5: 30e7785cb9eafcea34fe930631fbba07
VirusTotal Report
Anubis Report



Let's take a look at a few Dorifel samples:

Acquisit.exe
Result: 15/42
MD5: d913394b8011b317f6d916507ffb7f2f
VirusTotal Report
Anubis Report


gis-woz4_v8.exe
Result: 12/42
MD5: a311cd6f67cb112cba78a27b87320fc3
VirusTotal Report
Anubis Report


DGRAYP.exe
Result: 24/42
MD5: f05f4f5be8431f746e59fe409a0b9bb1
VirusTotal Report
Anubis Report


Y6TK9B.exe
Result: 11/42
MD5: c1fa3618d7b54ab6a7a25857d7b30b3c
VirusTotal Report
Anubis Report



The malware tries to connect to one of the following IP addresses:
184.82.162.163 - IPvoid result
184.22.103.202 - IPvoid result


Where it will attempt to download the following file:

a.exe
Result: 13/42
MD5: 493887a87cd95b004f9ffbbaaecd1ac6
VirusTotal Report
Anubis Report



I haven't taken an in-depth look at it, but besides encrypting your Office files, I have seen the malware will kill itself when you open up Task Manager. Not sure what the point is there. It also doesn't seem to start up again automatically.

It does create an .lnk file to the dropped malware and puts that as an autorun entry, so it will start every time the machine starts.



Conclusion

The infection vector (how it spreads) is via phishing or spam email, so as usual:

- Don't open attachments from unknown senders - ever.
- Some antivirus already detected Dorifel generically, so update your antivirus.

- If you're in a corporate network, use a strong spamfilter. It will prevent a lot of troubles if correctly configured.
- Educate your users: raise the general awareness. Not even a spamfilter stops 100% of all the spam, there's always a chance something slips through.




Thanks to @erikremmelzwaal from Medusoft for most of the samples.

External sources: