Friday, October 25, 2013

PHP.net compromised


Unless you had no internet access today, you must have heard about the compromise of PHP.net. An excerpt:

One of the first confirmations that PHP.net was in fact compromised






Google Safe Browsing warning













You can read the full discussion on whether PHP was compromised or not here:

Statements by PHP.net itself:

I think it's pretty clear by now how it (could have) happened: insertion of a malicious JavaScript file, or a change to an existing one, on their website.

Let's start with the first entry of infection, most likely userprefs.js on the main page. Some heavily obfuscated Javascript is present, which redirects to either:
Redirects







Here's a Pastebin link containing the modified userprefs.js: http://pastebin.com/yZWxxk2h

After either of those redirects, PluginDetect (a legitimate JavaScript library for detecting browser plugins) determines your versions of Adobe & Java. If you have a vulnerable version of either installed, you'll be served several flavors of malware. Your browser will either crash or "hang" for a while.

Interestingly enough, another PluginDetect was also trying to check for vulnerable versions of VLC, Silverlight and Flash.

If you don't have any of these installed, you may be redirected to a website with the text "He took over Russia with a wooden plough, but left it equipped with atomic weapons" (seems to be a letter about Stalin, see here) which contains the following fancy YouTube video:
http://www.youtube.com/watch?v=9Mnmhtr4ThE


Let's move on to the actual payload. Thanks to a blogpost by Barracuda Labs, I was able to download the PCAP file they gathered. 


The PCAP file proved to be very interesting. Besides being able to pull the usual malicious Javascript files, I was able to gather some payloads as well, which aren't very friendly to your machine.

The following malware was seen to be downloaded: Fareit, ZeroAccess (GoogleUpdate/Google Desktop variant), Zeus and even ransomware (unknown) in one instance!

Fareit and Zeus/Zbot have been known to go hand in hand for some time now; see here for an earlier blogpost. Once the malware is executed, you'll either have to pay a fine (ransomware), get a rootkit (ZeroAccess) or have your information stolen (Fareit & Zeus). An overview of the information that will be stolen:

Your data being stolen





















I don't need to mention that this is quite bad. Did you visit PHP.net yesterday or today and see your browser crash? Did you notice any strange behavior? Yes? No? Either way, perform a scan of your machine right away. We'll get back to that though.

MD5s of samples gathered:
c73134f67fd261dedbc1b685b49d1fa4
406d6001e16e76622d85a92ae3453588
dc0dbf82e756fe110c5fbdd771fe67f5
78a5f0bc44fa387310d6571ed752e217
18f4d13f7670866f96822e4683137dd6

Callbacks:
85.114.128.127



Prevention

  • Patch your Java & Adobe or uninstall them if you don't need them.
    Same goes for their browser plugins or add-ons!
  • Keep your browser of choice up-to-date.
  • Install an antivirus and antimalware product and keep it up-to-date & running.
  • Use NoScript in Firefox or NotScripts in Chrome.
  • Block the above IP (either in your firewall or hosts file).


Disinfection 


  • Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware.


Conclusion

  • Every website can be injected with malicious Javascript, even well-known websites!
  • Received a Google Safe Browsing warning? Don't simply ignore it, either look up if anything's known about that website being hacked or if you're not sure, stay away from it for a while. (best case is to contact the site owner as well.)


Thursday, October 24, 2013

Twitter account suspended


This is just a small post to indicate that my Twitter account was suspended last week. (15 October 2013)
(don't worry, if you haven't been following, it's back up already since the 18th)

I received the following mail from Twitter:
Mail from Twitter










My account was inaccessible until the 18th of October, when they "un-suspended" it. Luckily my followers & following were recovered. To this date, I haven't had any reply from Twitter, despite replying to their ticket.

As to the cause of my suspension? I'm unsure. I often tweet about malicious things, but I do keep malicious URLs out of them, even obfuscated ones. (easier just redirecting on Pastebin)

I have noticed however that I was tweeting about an account which was massively spamming Twitter. That tweet is still deleted. Not sure if it had anything to do with it, but I don't see too many other possibilities.


It appears I'm not the first to have had this situation. Mikko Hypponen from F-Secure had it as well somewhere in 2009:


You can't send any links in DMs anymore, so I guess Twitter is getting more restrictive. Which is a good thing. I just hope they won't produce any more false positives ;-) .

Michael Krigsman from ZDNet had also written a short article on Mikko's suspension:
http://www.zdnet.com/blog/projectfailures/twitter-suspends-security-researchers-account-as-a-threat/6327


I will update when I receive any news from Twitter.

Friday, October 11, 2013

Funny Facebook files deliver malware


I was recently notified of an interesting malware campaign. I'll start with some screenshots:


Save the file and run! It is funny :)

DivX plug-in Required!


























 
Download and execute the facebook app, please!














Some examples of files that can be downloaded:
IamFunnyPNG-facebook.com
IamFunnyPNG-fb.com
IamNakedBMP-facebook.com
IamNiceTIFF-fb.com
IamSexyPIC-fb.com
IamSexyPNG-fb.com
MeBitchTIFF-fb.com
MeFunnyJPG-facebook.com
MeNakedJPEG-fb.com
MeNakedPIC-facebook.com
MeNiceGIF-fb.com
MeNicePNG-fb.com
MeSexyJPEG-facebook.com
MeSexyPNG-fb.com
YouNakedJPG-fb.com
YouNiceBMP-facebook.com
YouSexyJPEG-fb.com
YouSexyPIC-facebook.com
YouWhoreJPEG-facebook.com


I think you get the point here. Users are being socially engineered to download a file that seems to originate from Facebook. The file is supposed to be an image file (PNG, TIFF, BMP, JPEG and even "PIC") but is in fact an executable. The URL of the initial landing page also ends in a female name, for example "laura.html" or "birgitta.html".
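One way to flag this lure on a mail gateway or in a download folder, as an added example (not code from the original post): it checks the file name against the naming scheme listed above and compares what the name suggests with the file's first bytes. The extension list, the sample files and the function names are assumptions made for the illustration.

```python
import os
import re

# Naming scheme of the lure files listed above:
# <Iam|Me|You><Adjective><IMAGEFORMAT>-<facebook|fb>.com
LURE_NAME = re.compile(
    r"^(Iam|Me|You)[A-Z][a-z]+(PNG|JPE?G|GIF|BMP|TIFF|PIC)-(facebook|fb)\.com$"
)
# Deliberately loose substring match: this is a triage hint, not a verdict.
IMAGE_WORD = re.compile(r"PNG|JPE?G|GIF|BMP|TIFF|PIC", re.IGNORECASE)

# Extensions Windows runs directly (assumed short list, not exhaustive).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif"}

# Leading bytes of a PE/DOS executable and of the image formats being imitated.
MAGIC = [
    (b"MZ", "executable"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"), (b"GIF8", "gif"), (b"BM", "bmp"),
    (b"II*\x00", "tiff"), (b"MM\x00*", "tiff"),
]

def sniff(header):
    """Classify a file by its first bytes, ignoring its name."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    return "unknown"

def triage(filename, header):
    """Return the reasons a download looks like this lure (empty list = none)."""
    stem, ext = os.path.splitext(filename.lower())
    reasons = []
    if LURE_NAME.match(filename):
        reasons.append("lure-name")
    if ext in EXECUTABLE_EXTS and IMAGE_WORD.search(stem):
        reasons.append("image-word-with-executable-extension")
    if sniff(header) == "executable" and IMAGE_WORD.search(stem):
        reasons.append("executable-content-behind-image-name")
    return reasons

# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("IamFunnyPNG-facebook.com", b"MZ\x90\x00\x03\x00"),  # name from the list above
    ("holiday.png", b"\x89PNG\r\n\x1a\n\x00\x00"),         # genuine image
    ("holiday_jpg.scr", b"MZ\x90\x00"),                    # same trick, other name
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, sniff(head), triage(name, head))
```

The name check only catches this campaign's naming scheme; the two extension and header checks also catch the same trick under a different name.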


Let's take a look at one of the downloaded files:
IamWhoreJPG-facebook.com
MD5: 1273f3ea6ae76340270bab57b073b0b5
Anubis Result
Malwr Result
VirusTotal Result


Unfortunately I was unable to execute the malware, as I currently don't have a physical machine to test it. According to VirusTotal results, it may be a Trojan called Yakes or Tobfy:
Trojan:Win32/Tobfy is a family of ransomware trojans that targets people from certain countries. It locks your PC and displays a localized webpage that covers your desktop. This webpage demands the payment of a fine for the supposed possession of illicit material.

Some variants might also take webcam screenshots, play an audio message pretending to be from the FBI, closes or stops processes or programs, and prevents certain drivers from loading in safe mode - possibly to stop you from attempting to disable the trojan.
See: https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FTobfy

According to Ydklijnsma, this specific campaign drops bitcoin miner malware. See:
There's a good blogpost by Brian Krebs on the subject of bitcoin mining malware:
http://krebsonsecurity.com/2013/07/botcoin-bitcoin-mining-by-botnet/



Most of the malware seems to be hosted via the domain registrar "Hong Kong Sun Network":
Hong Kong Sun Network - hosting multiple malicious websites
























Some of the IPs involved, with their abuse contacts next to them:









I'm betting it's safe to assume the worst and block these IPs (more investigation is needed though):
91.218.38.0/24
103.9.150.0/24
109.73.166.0/24
112.213.106.0/24
121.127.226.0/24
188.190.120.0/24
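To see whether any machine already talked to these ranges, or to the callback IP from the PHP.net post, connection logs can be swept against them. This is an added example, not part of the original post; the log format, client addresses, timestamps, ports and function names are constructed for the illustration.

```python
import ipaddress

# Networks and callback address taken from this page.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "85.114.128.127/32",   # callback listed in the PHP.net post
    "91.218.38.0/24", "103.9.150.0/24", "109.73.166.0/24",
    "112.213.106.0/24", "121.127.226.0/24", "188.190.120.0/24",
)]

# Constructed connection log: "<timestamp> <client> <destination-ip> <port>"
SAMPLE_LOG = """\
2013-10-11T09:14:02 10.0.0.21 93.184.216.34 80
2013-10-11T09:14:07 10.0.0.21 91.218.38.15 80
2013-10-11T09:15:40 10.0.0.35 188.190.120.201 80
2013-10-24T22:03:11 10.0.0.35 85.114.128.127 80
2013-10-24T22:03:12 10.0.0.40 not-an-ip 80
truncated line
"""

def match(dest):
    """Return the blocklisted network containing dest, or None."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return None  # hostname or garbage in the address field
    return next((net for net in BLOCKLIST if addr in net), None)

def sweep(log_text):
    """Map each internal client to the blocklisted networks it contacted."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed or truncated lines
        _, client, dest, _ = fields
        net = match(dest)
        if net is not None:
            hits.setdefault(client, set()).add(str(net))
    return hits

if __name__ == "__main__":
    for client, nets in sorted(sweep(SAMPLE_LOG).items()):
        print(client, sorted(nets))
```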

Most of the sites use the pattern described here:
If you're interested in some of the websites that are serving this malware, visit the following Pastebin:
http://pastebin.com/raw.php?i=8BqGPvhX
Note that links may still be live! 




Conclusion


  • Don't be fooled by websites that seem to resemble Facebook, always check the URL you are currently on before downloading or executing files
  • Install an antivirus and antimalware product and keep it up-to-date & running
  • Use a linkscanner to verify the integrity of a link on either http://www.urlvoid.com or https://www.virustotal.com/
  • Use NoScript in Firefox or NotScripts in Chrome to block malicious attempts on unknown sites
  • Running "funny Facebook files" will usually provide you with everything but fun