Thursday, July 26, 2012

Scan from a Hewlett-Packard ScanJet

I received several mails recently claiming that a document had been scanned and sent to me.

Subjects may be (there are many variants where the number differs):
Re: Scan from a HP ScanJet #920330420
Fwd: Re: Scan from a Hewlett-Packard ScanJet 02872405

That notification would be great, except for the fact that I didn't scan anything:


You received your document !

The text reads:
Attached document was scanned and sent
to you using a Hewlett-Packard I-25625SL.
SENT BY : ORPHA
PAGES : 4
FILETYPE: .DOC [Word2003 File]

A classic social engineering trick: they make you believe the file is a Word document. If we open the ZIP archive, we can clearly see it's just an EXE file. Did they perhaps forget to swap the icon for a Word icon?



The filetype is clearly an application, not a Word document



Let's see some more information about this file:

HP_Scan_N989397452.exe
Result: 18/41
MD5: e187763c92e2acc6bb1c804309ebb381
VirusTotal Report
ThreatExpert Report
Anubis Report


The file tries to phone home to 78.46.64.17 - to fetch instructions - which seems to be part of the Feodo botnet. - IPvoid result

In case you're wondering, the mails were sent by the Cutwail spam botnet. Some example IPs:
190.43.118.189 - IPvoid result
211.221.155.211 - IPvoid result




Conclusion

Pretty simple. Never open any emails from unknown senders, and certainly not attachments.

Tuesday, June 19, 2012

League of Legends RP hack

I recently blogged about a (still current) scam targeting players of the online game League of Legends: Free Riot codes scam. See the conclusion at the end of this post for tips and tricks.

When re-checking several websites and Facebook pages, I came across an interesting file that will supposedly generate Riot Codes for you:


League of Legends RP hack 2012. Looks legit.

You need to insert your username, password and the RP value. Looks legit. No wait, it doesn't generate anything, it will just send your credentials to the scriptkiddie. The file is obviously written (read: copy/paste) in Visual Basic and uses the SmtpClient class to send your credentials to a certain mail address:



Voila, here's the email being used
Thanks to the mail address provided, I was able to pull more information by performing a simple Google search; for example real mail address, Facebook, age, location ... I will however not publish any details.


League of Legends RP hack 2012.exe
Result: 2/42
MD5: f6c05598e9b4b7ae2264e4f0a8bcb6ca
VirusTotal Report


In case you're wondering, the file in itself is not malicious. It will only do harm if you filled in your username and password and actually clicked the "Press here for RP" button. In that case, change your password immediately.


There are similar programs out there, a few examples:


Example #1



Example #2



Conclusion

The conclusion is pretty straightforward: besides the usual scams, I see "programs" like this appear more and more, not only on Facebook but also on forums and, above all, on YouTube.

Don't be fooled by a nice interface or promising words, it's all fake. Remember:
if it looks too good to be true, it probably is!

Also, as stated before, the programs I encountered above are not malicious in themselves. However, it is possible that some of these are in fact malicious and contain a keylogger or viruses. Always be wary when downloading something you don't really know. Use a service like VirusTotal to check for any malicious activity, or run the program in a sandbox.

Has your account been hacked? Head to the following link from Riot to recover it as soon as possible: http://forums.euw.leagueoflegends.com/board/showthread.php?t=1064749 

Some DO's and DO NOT's by Riot themselves:
https://support.leagueoflegends.com/entries/21552105-Protecting-Your-Account

Repeating: if it looks too good to be true, it probably is!

Tuesday, June 12, 2012

LinkedIn spam, exploits and Zeus: a deadly combination ?

Is this the perfect recipe for a cybercriminal ?:
  1. Hacking LinkedIn's password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User's computer is now a zombie (part of a botnet).

I would definitely say YES.

A reader of my blog contacted me today: he had received an email from LinkedIn which was looking phishy. We can verify that step 1 is accomplished by the simple fact that the "To" and/or "CC" field of the email below holds about 100 email addresses. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth...

Here's the email in question:


Reminder from LinkedIn. You got a new message !


Subjects of this email might be:
"Relationship LinkedIn Mail", "Communication LinkedIn Mail", "Link LinkedIn Mail" or "Urgent LinkedIn Mail". No doubt the subjects of this email will vary, and are not limited to these four.


Step 1 and step 2 of the cybercrook's scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.

Suppose someone clicks on the link. What will happen exactly ? This depends on the version of these programs that may be installed on your computer:
  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mix of Adobe and Java exploits is used.

In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:


The green highlighting indicates the spawning of a new process

What's this ? There's a process from Adobe Reader loaded under our Internet Explorer ? Which seems to spawn a .dll file ? Which in turn spawns another file .... Okay, you get the point here.

The PDF file has several embedded files, which drop malicious executables and execute them. After all the spawning and dropping of processes and executables, the malware will also clean up any leftovers, starting with the PDF file itself:


Message from Adobe Reader it has crashed. Have a guess why

After the user clicks OK, everything looks fine. Right ? No, of course not. Ultimately, there's a malicious executable which will start every time the computer boots.

Interesting to note is that there is also an attempt to exploit CVE-2006-0003. An exploit from 2006, no less!

Step 3 and 4 have also been accomplished now. The user clicked on the link, the exploit(s) got loaded and the user is now infected. With what you may ask ? Well, let's review all the associated files:


The initial Java exploit - set.jar -
(when I first uploaded this sample a few hours before this blogpost, there were ZERO detections)

Result: 2/42
MD5: b0697a5808e77b0e8fd9f85656bd7a80
VirusTotal Report
ThreatExpert Report

I just now re-uploaded set.jar (17:47:41 UTC), it has now 6 detections. Most probably the Blackhole exploit kit is responsible for this attack. Microsoft identifies the file as
"Exploit:Java/CVE-2010-0840.NQ".
The corresponding CVE can be found here.



"I got Java patched, always", you might say. Great ! How about Adobe Reader ?
c283e[1].pdf
Result: 11/38
MD5: ad5c7e3e018e6aa995f0ec2c960280ab
VirusTotal Report
PDFXray Report
MWTracker Report


Thanks to PDFiD, we are able to see there's an AcroForm action and 6 embedded files. Basically, AcroForm is just another way to execute JavaScript in a PDF document. Embedded files are... files hidden in your PDF document:


PDFiD results
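PDFiD's counts come from searching the raw file for PDF name keywords. The block below is an added example (not PDFiD itself and not the blog's own code) that does the same for the keywords that matter for this sample and turns the counts into reasons for a closer look. The keyword list, the scoring and the constructed sample PDF (one AcroForm, six embedded files, mirroring the PDFiD output above) are assumptions; like PDFiD, it cannot see keywords that are name-escaped or hidden inside compressed object streams.

```python
"""
Minimal PDF keyword triage in the spirit of PDFiD.
Added example; not PDFiD and not code from the post. The sample PDF is constructed.
"""
import re

# Structural keywords that let a PDF run code or carry payloads.
KEYWORDS = ["/AcroForm", "/EmbeddedFile", "/JS", "/JavaScript",
            "/OpenAction", "/AA", "/Launch", "/ObjStm"]


def count_keywords(pdf: bytes) -> dict:
    """Count each keyword in the raw bytes, respecting PDF name boundaries."""
    counts = {}
    for kw in KEYWORDS:
        # The negative lookahead stops /JS matching /JSX and /EmbeddedFile
        # matching the /EmbeddedFiles name tree, exactly as PDFiD distinguishes them.
        pattern = kw.encode() + rb"(?![A-Za-z0-9_])"
        counts[kw] = len(re.findall(pattern, pdf))
    return counts


def assess(counts: dict) -> list:
    """Turn the counts into human-readable reasons a reviewer should look closer."""
    reasons = []
    has_js = counts["/JS"] or counts["/JavaScript"]
    if has_js:
        reasons.append("contains JavaScript")
    if counts["/AcroForm"] and has_js:
        reasons.append("AcroForm with JavaScript: form events can run the script")
    if counts["/EmbeddedFile"]:
        reasons.append(f"{counts['/EmbeddedFile']} embedded file(s): possible dropper payloads")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("automatic action on open or page/field event")
    if counts["/Launch"]:
        reasons.append("/Launch action: can start an external program")
    if counts["/ObjStm"]:
        reasons.append("object streams present: keywords may be hidden in compressed data")
    return reasons


# Constructed sample: a catalog with an AcroForm whose field has a JavaScript
# action, plus six EmbeddedFile objects. Not the malicious PDF from the post.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R "
    b"/Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"3 0 obj << /Fields [5 0 R] >> endobj\n"
    b"5 0 obj << /FT /Tx /T (f) /AA << /Fo << /S /JavaScript /JS (app.alert(1)) >> >> >> endobj\n"
    + b"".join(b"%d 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n" % n
               for n in range(10, 16))
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    found = count_keywords(SAMPLE_PDF)
    for kw, n in found.items():
        print(f"{kw:14} {n}")
    for reason in assess(found):
        print("->", reason)
```

Run against a real sample, the counts alone are only a hint; what they tell you is whether the file deserves the deeper look the post gives it (extracting the embedded files and the script behind the AcroForm).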



Here's our first dropped file - calc[1].exe
Result: 5/38
MD5: 4eead3bbf4b07bd362c74f2f3ea72dc4
VirusTotal Report
ThreatExpert Report
Anubis Report


Calc[1].exe will drop other files. Examples:


amutwa.exe
Result: 9/42
MD5: e7e25999ef52e5886979f700ed022e3d
VirusTotal Report
ThreatExpert Report
Anubis Report


nyyst.exe
Result: 10/42
MD5: fbc4bb046449fd9cef8a497941457f4f
VirusTotal Report
ThreatExpert Report
Anubis Report


The malware will try to 'phone home' or connect to the following IP addresses:
188.40.248.150 - IPVoid Result
46.105.125.7 - IPVoid Result

The IPs above (188.40.248.150 in particular) are part of a known botnet.
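On the defending side, the call-back addresses are the part of a post like this that is directly actionable: any internal host that talks to them is a machine to pull for analysis. The block below is an added example, not the blog's own tooling, that matches outbound connection logs against the addresses named across the posts on this page and groups the hits by internal host. The log format and the log lines are constructed; the IPs are the ones the posts list, and since they date from 2012 they should be checked against current intelligence before being deployed as blocks.

```python
"""
Match outbound connection logs against the call-back / hosting addresses
named in the posts on this page. Added example; the IPs are the posts' own,
the log format and log lines are constructed.
"""
import re
from collections import defaultdict

# Addresses from the posts, with the role each is given there.
IOC_IPS = {
    "78.46.64.17": "Feodo call-back (ScanJet spam)",
    "188.40.248.150": "Zeus call-back (LinkedIn spam)",
    "46.105.125.7": "Zeus call-back (LinkedIn spam)",
    "92.246.166.131": "IMG9837.exe call-back",
    "64.120.207.107": "rogueware hosting (setup.exe)",
}

# Assumed (constructed) firewall log format: "<date> <time> <src> -> <dst>:<port> <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines) -> list:
    """Return (timestamp, internal host, destination, port, label) for every IoC match."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never silently matched
        label = IOC_IPS.get(rec["dst"])
        if label:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["port"], label))
    return hits


def hosts_to_check(hits) -> dict:
    """Group hits by internal host: these are the machines to isolate and analyse."""
    by_host = defaultdict(set)
    for _ts, src, dst, _port, _label in hits:
        by_host[src].add(dst)
    return dict(by_host)


# Constructed sample log. The 93.184.216.34 line stands in for ordinary traffic
# and the ports are made up; the posts only give the IPs.
SAMPLE_LOG = """\
2012-06-12 17:48:02 10.0.0.23 -> 188.40.248.150:80 GET /
2012-06-12 17:48:05 10.0.0.23 -> 46.105.125.7:80 GET /
2012-06-12 17:49:11 10.0.0.41 -> 93.184.216.34:443 CONNECT
2012-07-26 09:12:44 10.0.0.77 -> 78.46.64.17:8080 GET /
this line is deliberately malformed and must be skipped
""".splitlines()

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(hosts_to_check(hits))
```

Matching on the destination only is deliberate: the question a responder asks is "which of my hosts reached a known bad address", so the internal source is what gets grouped, and a line that does not parse is dropped rather than risking a false negative from a partial match.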

After all 4 steps have been executed, step 5 of the process is completed as well and the machine is now part of a botnet. The Zeus botnet. For more information about Zeus, you can read up on the (limited in information, but sufficient) Wikipedia article:
Zeus (Trojan Horse)

There are also numerous articles on the Zeus botnet, the takedowns by Microsoft (whether they were successful or not, I'll leave open), and many other reports.



Conclusion

So, what did we learn today? If you do not know the answer to this question, please re-read the article.

PATCH PATCH PATCH people ! Keep ALL of your software up-to-date ! This means Adobe, Java, but don't forget other software, for example VLC, Windows Media Player.... You get the picture.

This also includes installing your Windows patches, keeping your browser up-to-date as well as any plugins or add-ons you might have installed.

If possible, avoid using Adobe and/or Java. There are alternatives. An alternative for Adobe is for example Sumatra PDF. Just don't forget to patch the alternatives as well !

Finally, use an up-to-date Antivirus product to keep your machine safe should you not have done any patching. Chances are you might still be infected, but are already less likely.

If you are in a corporate or business network, take the necessary actions and include several layers of protection. This also includes informing your users to not click on everything in an email ! Applying the appropriate Security Rights on a machine can prevent you from having a whole lot of work.... and lack of sleep ;-) .


Note:
If you are interested in the files discussed in this post, contact me on Twitter:
@bartblaze

Tuesday, April 24, 2012

You HAVE to check this picture

In today's post, we'll be highlighting an older trick that's being used again by spammers and malware authors.

I received the following mail:


"Excuse me,I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??."


Some other example mails with a similar subject and content:
RE:Check the attachment you have to react somehow to this picture
Hello ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than I thought about you man :)))) .

RE:You HAVE to check this photo in attachment man
Hi there ,
But I really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.

There are a few more but I'll stop there. In all cases, you HAVE to check the picture in the attachment; how else can you be sure it's not you in an embarrassing photo ;-) ?

Attached is a file called IMG9837.dat. In fact, an executable is embedded with the exact same name:


An Adobe icon is used to trick the user
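Both this trick (a .dat that is really an executable, wearing an Adobe icon) and the one in the ScanJet post above (an EXE inside a ZIP, announced as a Word document) come down to the same check a mail gateway or an analyst can make: does the file's content match what its name claims? The block below is an added example, not the blog's own tooling, that compares a file's extension with its leading bytes and opens ZIP attachments to do the same for every member. The archive name, the sample bytes and the extension table are assumptions; the samples carry only headers, not the real malware.

```python
"""
Attachment triage: compare what a file name claims with what its leading
bytes say, and open ZIP attachments to do the same for every member.
Added example for the two campaigns above; not the blog's own tooling.
All sample names and bytes are constructed.
"""
import io
import zipfile

# Leading bytes of the formats these campaigns deliver or imitate.
# Only the "MZ" DOS header is checked for executables; a fuller check would
# follow e_lfanew to the "PE\0\0" signature.
MAGIC = {
    "pe": b"MZ",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # Word 97-2003 .doc container
}

# The format each extension claims to be (assumed table, extend as needed).
CLAIMS = {
    ".exe": "pe", ".scr": "pe", ".com": "pe",
    ".pdf": "pdf",
    ".zip": "zip",
    ".doc": "ole", ".xls": "ole",
}


def detect_type(data: bytes) -> str:
    """Format implied by the first bytes, or 'unknown'."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_of(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def triage_file(filename: str, data: bytes) -> list:
    """Findings for one file as (name, reason) tuples; empty list if nothing is odd."""
    ext = extension_of(filename)
    actual = detect_type(data)
    claimed = CLAIMS.get(ext)
    if actual == "pe":
        # Executable content is worth flagging in mail whatever the name says.
        if claimed == "pe":
            return [(filename, "executable attachment")]
        return [(filename, f"executable disguised as '{ext or 'no extension'}'")]
    if claimed is not None and actual != claimed:
        return [(filename, f"{ext} file whose content looks like {actual}")]
    return []


def triage_attachment(filename: str, data: bytes) -> list:
    """Triage an attachment; ZIP archives are opened and each member checked too."""
    findings = triage_file(filename, data)
    if detect_type(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):
                    continue  # directory entry
                with zf.open(member) as fh:
                    head = fh.read(64)  # the magic check only needs the first bytes
                findings.extend(triage_file(f"{filename}:{member}", head))
    return findings


def build_samples() -> dict:
    """Constructed stand-ins for the attachments above: headers only, no real malware."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HP_Scan_N989397452.exe", fake_pe)
    return {
        "HP_Scan.zip": buf.getvalue(),   # archive name is an assumption
        "IMG9837.dat": fake_pe,          # the ".dat" that is really an executable
        "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # benign-looking header for contrast
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        for found, reason in triage_attachment(name, data):
            print(f"{found}: {reason}")
```

The icon the malware shows is irrelevant to this check, which is the point: the icon is a resource inside the executable, while the "MZ" header is what Windows actually uses to decide it is a program to run.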


When executing this file, it will phone home or call back (this term is used for malware that is connecting to a remote address for either receiving instructions or downloading additional malware) to the following IP: 92.246.166.131


Scanreport by IPvoid - http://ipvoid.com/scan/92.246.166.131


In this case, the malware downloads an additional executable called fas.exe. Let's review some more information about both files:


IMG9837.exe
Result: 26/42
MD5: bc3f1b422b01781ad23bd33340ece671
VirusTotal Report
ThreatExpert Report
Anubis Report


fas.exe
Result: 3/41
MD5: 6ffb6ce20915dfb7f723d46fcea87b3f
VirusTotal Report
ThreatExpert Report
Anubis Report


In this case, fas.exe will load one of the known fake Defragger rogues, for example:


System Defragmenter. This rogueware also hides your Desktop and Start Menu
(picture: bleepingcomputer.com)




Prevention

- Be wary when receiving such emails, even if it's from someone you know.
- Don't open attachments from unknown senders - ever.



Disinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:

BleepingComputer's Virus Removal


Conclusion

Pretty simple. Never open any emails from unknown senders, and certainly not attachments.

Keep your Antivirus and Operating System up-to-date, as well as your applications (for example Adobe and Java) !

Follow the steps above should you have been hit by this spam campaign/rogueware.

Wednesday, April 11, 2012

Hacked Hotmail accounts... and the consequences

It's a trend I'm seeing more and more, even with some of my relatives:

Their Hotmail account is getting hacked, and from then on is being used by scammers or malware authors to spread their malicious intent.

In almost all cases, you'll receive an email with (No Subject), and the only content is a link pointing to some website. But wait: it seems that all those websites have (probably an outdated version of) Wordpress installed.

When you click the link, you will be redirected to either a scam/phishing page or scareware/rogueware.

Either way, you'll first get the following message:


Message you receive when clicking on the link

So let's take a closer look at the 2 scenarios you get on your plate:

Scenario #1 - scam


Scam page

In scenario number one, you'll be presented with an awesome News page, where you can read several testimonials of how great working from home is.

It also has some fascinating news stories on how to make lots of money by simply being at your comfortable home. This includes reactions on the articles - of course this is all fake.

If you click on any of the links on this website, you'll be ultimately redirected to - hxxp://internetprofitpacket.com

Administrative Contact:
WhoisGuard
WhoisGuard Protected
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US


UrlQuery Result:
Suspicious
http://urlquery.net/report.php?id=40849

URLvoid Result:
1/25 (4.00%)
http://www.urlvoid.com/scan/internetprofitpacket.com/


Ultimately you land on the following page:


Landing page where you'll need to pay

After paying a small price, you'll get lifetime access to the Internet Profit Package ! What honor !

Obviously, you'll get scammed and your credit card details might get stolen.


Scenario #2 - scareware

Likewise as in scenario #1, you'll get the nice message that you got here thanks to your friend.


Seems like you're infected ... right ?

You'll then be presented with a pop-up indicating critical process activity has been found and a scan will be launched... (I think we all know this one by now) :


Fake Explorer window indicating numerous infections

If you click on any button, a file will be downloaded with the name of setup.exe.

In this case, the file was downloaded from:
hxxp://fail-safetylow.info/bb61f9bcec711d56/29/setup.exe

This site and several other rogueware pages are hosted on the IP:
64.120.207.107


Several other rogueware sites are hosted on this IP


We'll now see some more details about the downloaded file:

setup.exe
Result: 5/40
MD5: 8b0c16a50c0bca1eb0b45bd411eb30e5
VirusTotal Report
ThreatExpert Report
Anubis Report

This file drops another executable:

Protector-hfpt.exe
Result: 5/42
MD5: f04cb906356f19a1dbf68c62f162c4e7
VirusTotal Report
Anubis Report


The payload is a rogueware called "Windows Antibreaking System" :


Windows Antibreaking System setup screen



Windows Antibreaking System main screen


Prevention

- Most important of all: use a strong password ! You can verify your current password, or create a new one to check its strength on the following website: http://www.passwordmeter.com

- Second important rule:
don't use the same password for each and every website !

- Be wary when receiving such a mail, even if it's from someone you know.

- Use browser extensions to verify the integrity of an image or URL. Useful add-ons are for example WOT or NoScript.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32


Disinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below at BleepingComputer's to rid yourself of this malware:

BleepingComputer's Virus Removal


Also, if you know the sender personally, notify him/her that they've been hacked and they need to change their password. If you don't know the sender, immediately remove the email.

In Hotmail, you even have a useful option if you know the sender. Open the email, select Mark as and click on My friend's been hacked!


Help your friend by stating (s)he's been hacked


If you happen to have a Wordpress website, be sure to update it regularly as well as any Wordpress plugins you may have installed. This website will aid you in the matter: Hardening WordPress



Conclusion

Don't fall for either of these, in both cases you'll lose a lot of money !

Follow the above prevention tips to decrease the chance of your computer becoming infected.