Wednesday, November 14, 2012

Diablo account phishing


Do you love the smell of phishing in the morning? I surely don't. In today's post we will be reviewing a phishing attempt for Diablo or Diablo III.

The following mail ended up in my mailbox:

You need to login as soon as possible to avoid account closing

There are other, less fancy examples:

Same trick as in the previous example. You need to "verify" your account


Subjects of the mail can vary, but these are the most common:
- Blizzard Notification About Diablo III Account
- Diablo III Account-Notice
- Diablo III Account - login validation
- You must verify your identity as the registered account .World of  Warcraft - Diablo III account (s).

The introduction in the email reads:

Greetings! It has come to our attention that you are trying to sell your personal Diablo III account(s). As you may not be aware of, this conflicts with the EULA and Terms of Agreement. If this proves to be true, your account can and will be disabled. It will be ongoing for further investigation by Blizzard Entertainment's employees. If you wish to not get your account suspended you should immediately verify your account ownership.


Let's move on to the actual link in the phishing mail. When clicked you'll land on the following page:

An exact copy of the real login page at Battle.net

Below you can find the list of URLs I've gathered in the past days, do not visit any of them as they may harm your computer (or even worse, your Diablo account ;-) ).

Most of the domains seem to be set up by the same person, someone named "Jin Yu":
Registrant Contact:
   Jin Yu
   Yu Jin jinyu2000@yahoo.cn
   +86.324242434233 fax: +86.324242434233
   ShengLiLu
   Shangraoshi Jiangxi 610041
   CN

Other email addresses associated with Jin Yu:
329409115@qq.com
service@511web.com


Almost all of the IP addresses are located in China. The hosting companies are listed below; they seem not to care (or not to know) that malware and phishing pages are being set up on their networks:

Beijing Weishichuangjie Technical Development Co. - IPvoid Result
DEEPAK MEHTA FIE - IPvoid Result
New World Telecom Ltd., Hong Kong - IPvoid Result
XIN XIN LING - IPvoid Result


Thanks to IPvoid you can easily see the other sites hosted there, and it seems to be more of the same (read: more malware and phishing pages).

Conclusion

Stay away from phishing mails like the ones pointed out in this post. There are several variants, some more graphical than others, but in the end they serve the same purpose:
Trying to steal your login credentials!

Even when you open the mail, alarm bells should be going off if you simply check the URL: it points to a different address than the usual login page.

To be clear, the real webpage to login for your Battle.net account is:
https://battle.net/login/en/

If you're ever in doubt, visit the website directly and do not click on any links in emails from unknown senders. Use add-ons like WoT and/or NoScript to stay protected against these types of threats.
You can also use the URL scanning services at VirusTotal or URLvoid to double-check a URL.
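As an added example (my own code, not from the post), here is the URL check from the conclusion turned into code: a hostname belongs to Battle.net only if it is battle.net itself or ends in ".battle.net" with the dot included. A plain substring test accepts exactly the brand-as-subdomain trick this campaign relies on. The sample URLs are constructed and use placeholder domains modelled on the campaign's pattern.

```python
from urllib.parse import urlsplit

# The only legitimate login domain named in the post; everything else is suspect.
LEGIT_DOMAIN = "battle.net"

def host_of(url: str) -> str:
    """Lowercase hostname of a URL; also accepts the defanged 'hxxp' form."""
    if url.startswith("hxxp"):
        url = "http" + url[4:]
    return (urlsplit(url).hostname or "").lower()

def naive_check(url: str) -> bool:
    """The mistake: a substring test accepts any host that merely CONTAINS the brand."""
    return LEGIT_DOMAIN in host_of(url)

def is_legit_host(url: str) -> bool:
    """Correct check: the host is battle.net itself or ends with '.battle.net'.
    The dot boundary is the whole point: in 'us.battle.net.cn.com' the registered
    domain is 'cn.com', so whoever owns it controls every label to the left."""
    host = host_of(url)
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def triage(urls):
    """Return (url, verdict) for each URL, naming the brand-as-subdomain trick explicitly."""
    out = []
    for url in urls:
        if is_legit_host(url):
            out.append((url, "ok"))
        elif naive_check(url):
            out.append((url, "LOOKALIKE: brand name used as subdomain"))
        else:
            out.append((url, "unrelated host"))
    return out

# Constructed samples modelled on the campaign (placeholder registrable domains).
SAMPLES = [
    "https://battle.net/login/en/",
    "https://eu.battle.net/login/en/",
    "hxxp://us.battle.net.login.en.example.com/",
    "hxxp://battle.net.noreply-login.example/",
    "hxxp://notbattle.net/login/",
    "hxxp://eu.diablo.net.account.example.in/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES):
        print(f"{verdict:42} {url}")
```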

Thursday, October 18, 2012

UPS spam downloads malware


Yes, you've read the title right. Not the usual spam/malware attachment, but in fact just a picture of UPS... which of course is clickable.

But wait! Seems like the bad guys forgot a letter in their HTML (facepalm). I received the following mail:

Subject of spam email: UPS #Print your postal label

Since they forgot the "h" in "http", the image is incorrectly displayed. What it should have been:

Your package was not delivered. You are asked to print the label 

The mail is coming from the following IP address (related to the Asprox botnet):
70.75.216.19 - IPVoid Result

This is what happens when you click on "Print a shipping label" (or rather, on the broken image that should have shown it):

Copy_of_UPS_Label.zip

A ZIP file gets saved, but you still need to open it and execute the file to become infected...


Copy_of_UPS_Label.exe
Result: 13/43
MD5: 2e9755cfce544627fbfd3be07af5d7d9
Anubis Report
Malwr Report
ThreatExpert Report 


If the file gets executed, it drops a copy of itself to the %appdata% folder and tries to connect to the following IPs:

Also, when the file is executed, an instance of svchost is started (with the malware injected into it; thanks to SteveK for the heads-up) and opens an empty Notepad file:
Empty Notepad file created by the malware


If anyone has an idea about the why of this, be sure to let me know. Maybe to convince you it's really a UPS label after all? Second fail of the day; they should have at least included some rubbish text in there.

This malware is known as Kuluoz, which can download and install additional malware on your system.


Conclusion


Pretty simple. Never open any emails from unknown senders, do not click on any links and certainly do not open any attachments.

Bells should be ringing already when you have not ordered anything. Always be wary when receiving mails where you need to click on a link or open an attachment to view this or that. Ask yourself:
"does this look legit?" If the answer is no, you know what to do.

Monday, October 8, 2012

Worm spreading through Skype and Messenger


Since Saturday, there's a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).

Someone who's infected with this worm will send you the following message:

Message in German asking to check your cool pictures

The link refers to goo.gl, which is Google's URL shortener service, and you'll land on Hotfile.com, a legitimate file sharing website. (It's not the first time Hotfile has been used to spread malware; read more here. The file has already been removed by Hotfile.)

The link refers to Hotfile and immediately downloads a ZIP file.

The positive thing is that it is a ZIP file and not an EXE. This means the user still has to manually unpack and run the malware. Inside the ZIP file we find the following file, which is disguised as a Skype setup file:

Looks like the real deal. But it's not.

When this file is executed, another file (an EXE with a random 4-character name) is dropped into the %appdata% folder of the currently logged-on user:

The icon suggests it's uTorrent. But it's not.

This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses:

Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive, skype_05102012_image.exe, looks for the following processes:
msnmsgr.exe
msmsgs.exe
skype.exe


It will then automatically send a message, based on the OS language. It uses the following list to spread:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c'est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?

It will then add the link below and append your username after the equals sign '=':
http://goo.gl/QYV5H?img=
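As an added example (my own code, not from the post), here is how a defender could pick this worm's messages out of an exported chat log: it looks for the goo.gl link with the ?img=username parameter described above together with a few of the lure wordings from the list (quoted as written in the post), and reports which name the worm appended. The chat lines are constructed, and the "sender: message" line format is an assumption.

```python
import re

# A handful of the lure strings quoted in the post (the worm picks one by OS language).
LURES = [
    "lol is this your new profile pic?",
    "hey is dit je nieuwe profielfoto?",
    "hey c'est votre nouvelle photo de profil?",
    "hej detta är din nya profilbild?",
]
# The worm sends http://goo.gl/QYV5H?img=<your username>; any goo.gl code is matched here.
LINK_RE = re.compile(r"https?://goo\.gl/(\w+)\?img=(\S*)", re.IGNORECASE)

def normalise(text: str) -> str:
    """Lowercase and collapse whitespace so minor reformatting does not hide a lure."""
    return " ".join(text.lower().split())

def classify(message: str):
    """Return (verdict, appended_name) for one chat message, or None if nothing matches."""
    link = LINK_RE.search(message)
    lure = any(l in normalise(message) for l in map(normalise, LURES))
    if link and lure:
        return ("worm", link.group(2))          # known wording + goo.gl ...?img=<name>
    if link:
        return ("suspicious", link.group(2))    # link shape alone, wording not in our list
    if lure:
        return ("lure-text-only", None)         # wording matches but no link attached
    return None

def scan_log(lines):
    """Parse 'sender: message' lines and report the ones that look like the worm spreading."""
    hits = []
    for line in lines:
        sender, sep, message = line.partition(": ")
        result = classify(message) if sep else None
        if result:
            hits.append((sender.strip(), result[0], result[1]))
    return hits

# Constructed chat excerpt (not from the post); the name after img= is the recipient's.
SAMPLE_LOG = [
    "alice: lol is this your new profile pic? http://goo.gl/QYV5H?img=bob",
    "carol: hey is dit je nieuwe profielfoto? http://goo.gl/Ab12C?img=dave",
    "erin: check this http://goo.gl/Zz9Y?img=frank",
    "grace: meeting moved to 3pm, see http://example.com/agenda",
    "heidi: lol is this your new profile pic?",
]

if __name__ == "__main__":
    for sender, verdict, name in scan_log(SAMPLE_LOG):
        print(f"{sender:6} {verdict:15} appended name: {name}")
```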


Let's take a closer look at the files:

skype_05102012_image.exe
Result: 23/44
MD5: 98f74b530d4ebf6850c4bc193c558a98
Anubis Report
Malwr Report
ThreatExpert Report


36A9.exe
Result: 16/44
MD5: 0d4b7f4c1731c91dff56afce0ecf37c5
Anubis Report
Malwr Report
ThreatExpert Report


The malware is commonly identified as Worm.Dorkbot and Worm.Agent or Generic Trojan.

Microsoft provides a description:
Win32/Dorkbot is a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Variants of Win32/Dorkbot may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

On my test machines no additional malware was downloaded, even after replicating a few times. Several kinds of malware can, however, be downloaded at any time, whether it's ransomware, rogueware, etc.

Conclusion

Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype are nothing new. Still, they appear to be very successful, as human curiosity wins in cases of doubt:
"Do I really have (embarrassing) pictures of myself on this website? Better take a look!"

No, no, no!

Never click on unknown links, especially when a URL shortener service like goo.gl is used. (others are for example t.co, bit.ly, tinyurl, etc.)
Don't be fooled by familiar icons or "legit" file descriptions; these can easily be altered.

Even if you clicked the link and you're not suspicious, you should be when a file is downloaded and no pictures are shown, but just an EXE file.

For checking what is really behind a short URL, you can use:
http://getlinkinfo.com/
http://longurl.org/

For checking whether a file is malicious or not:
https://www.virustotal.com/
http://virusscan.jotti.org/


Friday, September 7, 2012

LinkedIn Spam, exploits and Zeus: Revisited

In my post from June this year, I already reported on an excellent recipe for a cybercrook:

  1. Hacking LinkedIn's password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User's computer is now a zombie (part of a botnet).

You can find that post back here:
LinkedIn spam, exploits and Zeus: a deadly combination ?


It seems this scheme is still being successfully employed, along with the latest Java exploit (CVE-2012-4681).

Let's clearly divide this clever trick into its 3 parts.


Part 1 - the spam email:


So-called reminder from LinkedIn


Example subjects of this email:
Communication LinkedIn Mail
Connection LinkedIn Mail
Contact LinkedIn Mail
Immediate LinkedIn Mail
Invitation reminders LinkedIn
Link LinkedIn Mail
LinkedIn Updates
PENDING MESSAGES - LinkedIn Mail
Relation LinkedIn Mail
Relationship LinkedIn Mail
Rush LinkedIn Mail
Signaling LinkedIn Mail
Urgent LinkedIn Mail

The first part of the whole set-up or scheme is, of course, getting the user to click on a malicious link.

This is your typical social engineering trick: it seems you have pending messages from LinkedIn and you can check your inbox by clicking on the link.

Note that the other links also trigger the exploit.


Part 2 - the (in this case Java) exploit

When clicking on one of the links, you are redirected to a hacked website which is hosting a Javascript file:


Malicious Javascript

This Javascript is not very malicious, it just redirects to another website (again) where the exploit is hosted:


Location of the actual exploit


Eventually, you'll get on a webpage which contains heavily obfuscated Javascript. Note that the Blackhole exploit kit is responsible for this one. Here's a small part:


Small part of the code; you can see a file called Leh.jar and 2 of its classes

Leh.jar classes, which contain the CVE-2012-4681 exploit code

There's an excellent article over at the Immunity blog which takes a closer look at the classes used in this exploit. Remember that the class names are just names; they don't indicate anything in particular (as far as I know):
Java 0day analysis (CVE-2012-4681)


Here's a link to the fully obfuscated Javascript on PasteBin:
http://pastebin.com/5FeC02UM

...and here's the same file, deobfuscated:
http://pastebin.com/P1Jy2qt1

Part 3 - the Trojan - Zeus/Zbot


I have used Revelo to deobfuscate the malicious Javascript, which now neatly shows our Trojan as well:


File called 3Wcg.exe will be downloaded and executed


When executing this file...:


...it crashed. Badly coded or Sandbox/VM aware


As you can see from the figure above, the sample crashed upon execution... Not much to do here.

Had it run, most probably your banking credentials and/or passwords would have been stolen, or you would be sending spam.


Some more information on the associated files:

bv6rcs3v1ithi.htm
Result: 13/42
MD5: 25b67f22490800881c4e13b15f7ac477
VirusTotal Report


Leh.jar
Result: 17/42
MD5: ddf9093ceafc6f7610dcc3fcf2992b98
VirusTotal Report
ThreatExpert Report


3Wcg.exe
Result: 26/41
MD5: df79dfd605eed6d578063089a48d670b
VirusTotal Report
ThreatExpert Report
Malwr Report

Conclusion

Same as one of my previous posts in regards to exploits:
Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Always check the URL of a link. You can verify it by 'hovering' over the link to see what is really behind it.
If you really have messages waiting for you on LinkedIn, and you're curious, just go directly to it by typing it manually in your browser. Delete emails from unknown senders and never open any attachments from them!

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent the automatic loading of malicious Javascript.
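As an added example (my own code, not from the post), here is the "hover over the link" check from the conclusion automated for a LinkedIn-style reminder like the one in Part 1: it parses an HTML mail body, pulls out every link, and flags each one whose target host is not really linkedin.com, calling out the classic case where the link text or hostname still shows the brand. The mail body is constructed and its hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = "linkedin.com"   # the brand the reminder claims to come from

def same_site(host: str, domain: str) -> bool:
    """Domain itself or a real subdomain; the dot boundary rules out 'linkedin.com.evil.example'."""
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def audit_links(html: str, expected: str = EXPECTED):
    """Return (href, text, finding) per link; finding is '' when the link really goes to the brand."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if same_site(host, expected):
            finding = ""
        elif expected in text.lower() or expected in host:
            finding = "shows the brand but goes to " + host
        else:
            finding = "leaves the brand's site for " + host
        report.append((href, text, finding))
    return report

# Constructed mail body shaped like the 'pending messages' reminder; hosts are placeholders.
SAMPLE_MAIL = """<p>You have 3 pending messages.</p>
<a href="http://hacked-site.example/redirect.js">View your inbox on LinkedIn</a>
<a href="http://www.linkedin.com.example.net/inbox">https://www.linkedin.com/inbox</a>
<a href="https://www.linkedin.com/inbox">https://www.linkedin.com/inbox</a>
<a href="http://hacked-site.example/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    for href, text, finding in audit_links(SAMPLE_MAIL):
        print(f"{finding or 'ok':55} {text!r} -> {href}")
```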