Monday, September 15, 2008

Automated spreading of malware through vBulletin forums

Where would it be better to attack then where all the people trust each other?
A single individual or a group of individuals of which tracks lead to turkish people and chinese hosting or chinese partners is spreading viruses though infected files and setup installations shared in vBulletin forums. It seems these individuals have a registration bot with captcha bypass mechanism for vBulletin 3.7.xx versions (may be other versions too) and they are using it to spread all kinds of malware.

I first found this when examining another Kaspersky 2009 installation located at:
http://www.httpshare.net/%E4%E5%F8%E3%E5%FA-%FA%E5%EB%F0%E5%FA-%7C-software-download/427522-kaspersky-antivirus-2009-full-34-p-ece-test-key-no-problem.html

The username spreading this message is "hakan_72_123" and with a simple google search we can see:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Ahe%3Aofficial&hs=sgc&q=hakan_72_123&btnG=Search

Hakan is not very shy to use the bot with his own name, go figure maby he is infecting thousands of forums manually?!
Anyway he in www.vbhackers.com/members/hakan_72_123/ which explains a lot :)

So what did he do? he took the time to upload Kaspersky 2009 to
http://rapidshare.com/files/115362254/Kaspersky_2009_Full_Sueruem_by_hakan.rar

Well I just checked and it has been 2 month since I found it and the bad guy extended the business for torrents too, this is the same virus under the title "Kaspersky Antivirus 2009 Full + Key [App][www.zonatorrent.com] ":
http://isohunt.com/download/44622492/kaspersky.torrent

Inside the rar there is a txt file with the text:
1- program demo deðil full sürümdür.

2- key girmek için þu sýrayý takip et
license-merge-activate using key-brovse= buradan keyleri
çýkarttýðýn klasörü seçip listenin en altýndakin üzerine çýft týklayýp
keyi gir.

HAZIRLAYAN: Hakan

www.avrasyaforum.net
What they did is instead of the standard shared .msi file, they put a WinRAR self-extracting archive with an icon of an msi file. They made the archive so that WinRar's shell extension doesn't recognize it as extractable. Once executed it drops a file called svchost.exe in "%ProgramFiles%\Outlook Express\" which is a refreshing path to drop a trojan downloader in :)
It executes the svchost.exe (compressed with MiniPE) which then executes
the trojan downloaded to %temp%\wmoptimizer.dll using rundll32.exe:
rundll32.exe "%temp%\wmoptimizer.dll", RunSetup_Install
svchost.exe uses the classic URLDownloadToFileW and ShellExecuteW to download and execute: http://loansquotesinsurance.com/f/Resident.bin

These is the whois information for http://loansquotesinsurance.com:
Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com

Domain name: loansquotesinsurance.com

Registrant Contact:
Shawn Lee
Shawn Lee

B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN

Administrative Contact:
Shawn Lee
Shawn Lee (webmasters@loansquotesinsurance.com)
+86.02033875805
Fax: +86.02033875805
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN

Technical Contact:
Shawn Lee
Shawn Lee (webmasters@loansquotesinsurance.com)
+86.02033875805
Fax: +86.02033875805
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN
The email xixipai@hotmail.com also registers "http://3290.com"

Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com

Domain name: 3290.com

Administrative Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng (xixipai@hotmail.com)
+1.05306260800
Fax: +299.05306260803
ZhongHuaDonglu 1038hao
HeZe, 274000
CN

Technical Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng (xixipai@hotmail.com)
+1.05306260800
Fax: +299.05306260803
ZhongHuaDonglu 1038hao
HeZe, 274000
CN

Registrant Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng

ZhongHuaDonglu 1038hao
HeZe, 274000
CN
Well this is the part where I can only say, if you are reading this and in some kind of cyber police, DO SOMETHING!!!

Keylogger Running Under Kaspersky 2009

The last posts clearly show It is well known that static virus detection is not something AV vendors do well enough. Now this one is quite a story. As I was researching many trojans I was moving files into and out of my Virtual PC machine used to test viruses. My computer has kaspersky 2009 installed and running with maximum security settings (including keyloggers and kernel object modifications).

I accidently executed without noticing on my host PC one of the samples I was testing in the VM. I was using my computer as usual and I began noticing some kind of tiny delays when typing a lot of text, the kind of delays I was experiencing when I first wrote my first keylogger. I was completely suprised to have this suspicous since I felt "almost safe" with my updating every 4 hours Kaspersky 2009.

Opening "Process Explorer" I began examining the running processes and noticed some wiered dll files running in all my processes.
kbdth2sys.dll
kbdvntcapi.dll
They were in system32 and these are the AV test results for these 2 files day (also 2 month ago):
























I was surprised by two things:
1) Kaspersky Anti-Keylogger "live protection" compromised all my personal information
2) Symantec was the only AV really detecting this and as a keylogger, which is very funny because their AV is a joke, I will send a few posts about that later

I can't believe this! I am now uploading the files again to virustotal to see the updated scan results for today and i notice this:



















The file was first received by virustotal in 2007.10.23 which is almost 2 years ago!!!!!!!!!
This only prooves us 3 things:
1) The malicous code writers WERE INDEED using virustotal's "don't distribute samples to AV vendors" which was lately removed!
2) All Anti-Viruses didn't detect this wide spread keylogger which is used to steal peoples information for THE LAST TWO YEARS!!!
3) Its better to write keyloggers in Delphi ;)

I here by thank the creator of the matrix for letting me find it on my PC after just 2 days.
Here are today's result for kbdth2sys.dll:
http://www.virustotal.com/en/analisis/ae172aaf34a59733d149476e4b4bcb9c























So after 2 YEARS it has been undetected and 2 MONTH after the AV vendors got my uploaded samples we get this amazing 10 of 36 result which leaves it undetected for: Kaspersky, DrWeb, McAfee, BitDefender, Microsoft, Panda, F-Secure, Fortinet and others...

As for kbdvntcapi.dll after all this, detection hasn't really changed, 4 huristic decetions and 1 symantec keylogger detection, still a sad story (at least for most people :)
http://www.virustotal.com/he/analisis/d51626cb8f0b04219b0ad4c010036f0d























Well, I uninstalled my kaspersky 2009 :)

AVs fail Again

Lately I have seen many web downloads, some at forums and some at rapidshare and also a few torrents such as "Adobe Acrobat 9" that include installation and a crack.
The installation or crack is in a password protected rar file that in order to get the password, one must run the supplyed tool called "XXX Password Generator".

This installs another variant of the AntiVirus 2008, I can truely say I can't tell anymore if it comes from the same guys, ok of course it's them but there is just no way they got so much man power to write so many completely different versions!!!
Here are the websites it pops up to purchase from:



































































Installs executables at:
%ProgramFiles%\Antivirus 2008\Antivirus-2008.exe
which is today detected by 24 of 36 AV vendors
http://www.virustotal.com/en/analisis/5ca67e83d763a44d2719de3c40ab0086

This virus adds a scary DANGER! iframe to your desktop.htt, who would remove this for you?
<\div style="position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 836px;">
<\img src="file:///C:/WINDOWS/web/wallpaper/Bliss.bmp" cache="" style="position: absolute; left: 0pt; top: 0pt; width: 100%; height: 100%;" />

<\iframe id="1" marginwidth="0" marginheight="0" name="DeskMovrW" src="file:///C:%5CWINDOWS%5Cprivacy_danger%5Cindex.htm" resizeable="XY" subscribed_url="" style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 806px; z-index: 0;" frameborder="0">
It installed some dlls and executables which are very known to AVs:
http://www.virustotal.com/en/analisis/3ed55959b67a666973798fa0c35f23f5
http://www.virustotal.com/en/analisis/c44ccd7ef6b11f700a52042bdb09057f
http://www.virustotal.com/en/analisis/ee13a4586807956432b3989534febf60
http://www.virustotal.com/en/analisis/2af01563b34916780ac23799ec1368df
http://www.virustotal.com/en/analisis/0e309871a713b62a6e68a0071ac54b06
http://www.virustotal.com/en/analisis/1f5371eb356e9c893c3dbec8b496641b
http://www.virustotal.com/en/analisis/0d012def38cd3adfe5ada8d7c45b3041
http://www.virustotal.com/en/analisis/0d9eacd2a5c15fb03a91f2b044000bc3
http://www.virustotal.com/en/analisis/bbef207525a04ba4152509a1e458d1e4

There is as another variant I found called "AntiMalwareGuard_Free.exe" packed with PECompact 2.xx, this is considered detected relatevly to the other variants 19 of 36 AV vendors detect it.
http://www.virustotal.com/en/analisis/c0b7c0498a9b0f684f9e3cbbcc0e5b53

So where is the problem???
The Troajn Downloader it self wasn't detected by any vendor and now 2 month after I found it (which means the vendors got the samples from my virustotal file upload 2 month ago), now it is detected by only 15 AV vendors!!!
http://www.virustotal.com/he/analisis/a38ab04057b44c6bd870ef0446a19a5e
Kaspersky! McAfee! TrendMicro! Panda! F-Secure! Fortinet! Where are you people?!?!?!?!

The malicious guys have no problem replacing the executables at the server side to avoid detection, they even have the man power to write completely new ones.

Google fooled by the "Fake Anti-Virus Virus"

You probably know by now about the fake Anti-Virus that is planted everywhere to fool people into buying it, go figure maby it will self update some day and will start stealing bank accounts...
I can't believe we have come to this to point where it is so spread and has so much different domains and versions and nobody stops them!!!
The internet needs some kind of global FBI to keep control over these criminals!!!
These guys operate from Russia and they are the "180 Solutions" team (i proove it below) which shows everyone that a criminal business in the internet is profitable and grows over the last 5 years, at least if its running from a country safe for cyber criminals (Russia!!!)

These is a wide viral network and they check for existance of any of their products, I saved the list of internet explorer blocked/trusted they look here: http://theinsider.deep-ice.com/evilnetwork.txt

So they infect us through cracks and software installations (fake setups, SFX, exe binding) and p2p (torrent, emule) and of course OS and browser exploits through warez websites.
Still, something is missing... it's working too well this time! well get this!!

Please join my experiment, let's assume someone just opends google and wants to download the mp3 of the Sopranos T.V series titled "you got yourself a gun", so he should search "download mp3 sopranos got yourself a gun", you can test it yourself:

http://www.google.com/search?hl=iw&client=firefox-a&rls=org.mozilla%3Ahe%3Aofficial&hs=X1V&q=download+mp3+sopranos+got+yourself+a+gun&btnG=%D7%97%D7%99%D7%A4%D7%95%D7%A9&meta=

Last week result number three was:
Sopranos Theme Song
You woke up this morning Got yourself a gun, Complete Guide to Entertaining - Sopranos Stile! Entertaining with The Sopranos May 25, 2008 Download Sopranos ...
www.geocities.com/owhfmqhoqxu/sopranos-theme-song.html - 13k

Now result number six is :
mas woemns rights woems woemsn bottle opener woen woen am woen of ...
... up this morning got yourself a woke up this morning got yourself a gun woke ... sopranos woke up this morning mp3 woke up this morning mp3 sopranos woke ...
http://hauton.net/2/2289/ - 35k
One can clearly see that last week result is very very convincing and the new one is also similar to a way a warez/mp3 website would appear in google, this leads directly to a page with auto download offering of this fraud virus.

1) Why isn't this blocked by google who "maps all the evil pages in the world"?!
2) Google search engine is helping the bad guys to publish their virus in the top 10 results!

This issue goes way byhond searching for downloads, I even got it seaching people:
http://vivocurtindo.com.br/galeriaa/css/_images/toyota-tazz-wiring/my_searched_keyword1-my_searched_keyword2-home.html

This viral network is so large I truely believe only government power can stop it.
Some of the endless domains they use to spread this virus:
http://hauton.net/
http://www.geocities.com/owhfmqhoqxu/
http://scan.av2008check.com/100567/5/
http://dnld.av2008dl.com/load/setup_100567_4_.exe
http://antivirus-2008pro.com/scanner.php?aff=DB
http://antivir--2008.com/buy.php?aff=1001
http://antimalwareguardpro.com/2009/12/?cmpname=cspffxamg&a=cspamg&l=160&f=cs_189355130&ax=1&ed=2&h=10&ex=5&eu=http%3A%2F%2Fad2cash.net%2F%3Fcmpname%3Dcsppcpc%26a%3Dcsp_amex%26l%3D160%26f%3Dcs_189355130&al=&sub=csp&mt_info=6278_0_25073&rdr=1
http://top-pc-scanner.com/1/?xx=1&in=2&ag=2&end=1&g=1&affid=312&lid=1#
http://scan.free-antispyware-scanner.com/100567/4/?q=
http://dnld.getavxp.com/load/setup_100567_4_.exe
http://thefreescanner.com/4913144/1/1/
http://scanner.vav-x-scanner.com/36/?advid=0000004683
http://scanner.ms-scanner.com/35/?advid=0000004683

b.t.w its extremely intelligent to create a "virus not considered as a virus" and spread it as a fraud software which no law inforcment cares about and then once its planted in millions of computers just update it to do steal you want and then even change it back...combination of a breach in the law and in the way viruses are treated by the AV insdustry.

Saturday, September 13, 2008

SO Common and yet EVIL goes free :)

Before I start this one, I must say I never thought of myself as a blogger.
I was always reading other people's blog thinking they try to be "I am cool I have a blog" kind of people. Well, I just think the malicious stuff I see everyday should be shared with YOU :)

At these times, torrents are currently the world's most active network for file sharing. The current windows version is always One of the most shared files and therefore crime follows there :)

I recently decided to put it to the test and downloade the most "seeded" file I found, which was "Windows XP Pro.Corp. Edition SP3 June 2008 Update + SATA Driver", this is still one of the most shared files. Of course I scanned it using the latest fully updated version of Kaspersky 2009 and Dr.Web which according to my test, are currently the best detectors on the market. Well, nothing was found...

So I load the iso, the AutoRun executes and I just "feel" something is wrong!! I look at Process Explorer and I see a process called "file.exe"...hmmmmm....
I figured out that the bad guys replaced the original "setup.exe" with a silent self extract WinRar installation with the original setup icon, it extracts a Trojan Downloader called file.exe and the original setup.exe to the temp directory and executes both the Trojan and the original setup (with CurrentDirectory as the winrar install path).

Here is a scan of the malicious "setup.exe" (today, 2 month after I found this) installer:















I said O.K maby they didn't go through the trouble marking the "Installer", but they did all detect the Trojan Downloader, right?
















Well, they didn't :)
This is really funny to see that all you need to be "a top notch" malicious software is to just download WinRar and NIST (NullSoft Installation System) and create a windows xp sp3 installation torrent, this is after 20 years of Anti-Virus security techonology by 7 billion dollar a year market.

More funny stuff! the author of this virus was so lazy he just put a list the relative path to the real setup executable of all the software he will infect and share in the internet so the "setup.exe" he made will now try to execute a list of files which only one should exist on your infected download :)
Some Examples:
\Game\wws98.exe
\WinRoute.exe
\GAME\LBWIN.EXE
\vs.exe
\Pandora.exe

Be aware of what you download! it seems the best way to tell if its an infected setup is to right click setup.exe and see if WinRar suggests "Extract To" (I am joking of course)

The executed "file.exe" downloaded http://www.cxgr.com/3913574.exe which is also a NIST file and also a Trojan Downloader and my upload was the first time it was scanned in virustotal and you can guess the results:















Whats really annoying me in this result is that the 3-4 Anti-Viruses that "supply a solution" above and detect the downloader DOES NOT DETECT THE CONSTANT FILE IT DOWNLOADS which means all the malware creator needs to do is modify the downloader or use a new one and there he goes again infecting the entire planet and getting away with it!

Now "3913574.exe" downloaded http://www.cxgr.com/Setup_ver1.1400.0.exe
Which is not packed by a known packer and even isn't identified as having a "packed entropy" by PEiD. Its a small application compiled by ms vc++ 7/8, 72kb.
Its import table it quite limited and it calls GetProcAddress to get:
SetProcessPriorityBoost, WriteFile, GetEnvironmentVariableA, InternetOpenA, ExitProcess, GetTempPathA, InternetCloseHandle, CloseHandle, TerminateProcess, CreateFileA, DeleteFileA,SHChangeNotify, lstrcpyA, lstrcpyn, InternetGetConnectedState, GetAdaptersInfo
SetThreadPriority, GetModuleFileNameA, Sleep, ShellExecuteEx, InternetOpenUrlA

Of course the strings are not plaintext and its also not XOR, how refreshing!!! its a nice code that identified a header byte and multiples the bytes with a word per this header, may be it is some kind of little compression.

Now more then 10 executables are downloaded into your system, some are detected by some AV's and some are not, they are packed with Armadillo v1.71 and some with ASPack v2.12
http://www.virustotal.com/he/analisis/7e8af73b605c1c82d0d990d204e12559
http://www.virustotal.com/he/analisis/f60edd90989cd53b73dfedd4df4d3aec
http://www.virustotal.com/he/analisis/6f0ab356e2bd80d4845fdb5ebbe619e1
http://www.virustotal.com/he/analisis/11232e1cf52a2c68b4f28815e7eedb60

These executables are saved in:
%programfiles%\MicroAV

  • MicroAV.exe

%windir%\PCHealthCenter

  • 1.exe, 2.exe, 3.exe, 4.exe, 5.exe, 7.exe

and of course to %windir%\system32

  • MicroAV.cpl, apgambly.dll, biqwetjd.dll and three dlls with names of a 8 random [a-zA-Z0-9] string
About 5-6 entries are added to registry->Run to load the processes that bug you in the system tray. This home made looking trojan is much more advanced then it appears to be...
Clearly these evil guys are advancing and they don't stop at loading from registry->Run
they start using advanced loading methods such as registering as Authentication Packages to be loaded inside LSA and as logon notification dlls to be loaded inside winlogon.exe(which is one of the best places to be in since it cannot be terminated)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxuSIb]
"Asynchronous"=dword:00000001
"DllName"="yayxuSIb.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,00,6a,00,4a,00,44,00,57,00,4d,\
00,64,00,41,00,00,00,00,00

Sunday, September 7, 2008

Windows "Open File - Security Warning" Dialog

Not so long ago, I found one of the most bizzar bugs. It seems there is some kind of bug in the parsing of the command line read from the registry for filetype handled by explorer.exe. This was checked on Windows XP SP3 but I guess it existst in SP2 too. This bug allows controling the icon which appears in the "Open File - Security Warning" Dialog for all the executables downloaded from the internet.

Each time you download a file from the internet/intranet to a drive with NTFS file system an ADS (Alternate Data Stream) ini file which is called "Zone.Identifier" is created. This hidden ini file specifies the zone file came from, this can be the internet or the local network (intranet).

You can see it using the following in cmd:
more < exe_from_internet.exe:Zone.Identifier
The ini will be printed to the screen:
[ZoneTransfer]
ZoneId=3

When you "click" (shellexecute) a file which his handler is explorer.exe then the Zone.Identifier is checked and if the zone is 3 (internet) the following screen appears:

Well it appears that each time you try to open an executable that came from the internet, the icon that will apear in this dialog will be parsed from an executable file called ".exe" or "%1" in any directory of the "PATH" environment variable for the user running explorer.exe, for example:

c:\.exe
c:\windows\.exe
you can create such a file using "cmd /c type c:\windows\system32\calc.exe > c:\windows\.exe"
or write a code to use CreateFile :)

The file request is FASTIO_NETWORK_QUERY_OPEN and the icon is cached in memory until explorer.exe process is terminated. If you want to further explore this case, here is the call stack: