Mobile and print friendly view | Contagio Exchange - Contagio community malware dump

Tuesday, May 31, 2011

May 17 CVE-2010-2883 PDF Bin Laden's successor from spoofed Nationalpost.com

SIZE 103981 bytes
EXPLOIT TYPE         CVE-2010-2883
FILE NAME             Bin Ladens successor.pdf

Post Updates

The file uses Fonts/SING CVE_2010-2883 exploit, which does not seem to be metasploit generated.

The sender is often uses compromised servers of different organizations
    *     Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

    *     Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account


     It is unclear whether this time it is a compromised server or the attacker uses the services of this internet provider as a customer    

    Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.

    PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.


    Wednesday, May 25, 2011

    W32.Qakbot aka W32/Pinkslipbot or infostealer worm

    W32.Qakbot aka W32/Pinkslipbot

      W32.Qakbot in Detail by Symantec Nicolas Falliere

    W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and then piggy backs on the existing online banking sessions. It then quickly uses that information for malicious purposes.

    The following screenshot is from the paper you see above 


      General File Information


    MD5  076bc0533d63826e1e809ad9fcbe2fb8
    SHA1 33d9b4a712c29304478da235f17cd28978a93d2f
    File size :55808 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)
     
    MD5 120d845ac973b4a0cde2bc88d8530b3d
    SHA1 120d845ac973b4a0cde2bc88d8530b3d
    File size :87040 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)

    MD5 150d006eab34528e3305fbbb5ad82164
    SHA1 551a9f3ce5b86cf77df90eda61be233c821be6b2
    File size :267776 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)



    Download


    Wednesday, May 11, 2011

    May 2 MAC Defender + May 11 Mac Protector Fake Antivirus Programs

    MAC Defender Fake Antivirus Program

    INTEGO SECURITY MEMO – May 2, 2011 MAC Defender Fake Antivirus Program Targets Mac Users

    Quote from Intego: Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).
    When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen:

      General File Information




     Added Mac Protector - May 11, Thanks to anonymous donation

    Malware: OSX/MacDefender.Aand Mac protector.A
    Distribution: Web browsing  Low; in the wild, but not very widespread for now

    Download

     File name:MacProtector
    Submission date:2011-05-09 19:49:55 (UTC)
    Result:14 /43 (32.6%)
    http://www.virustotal.com/file-scan/report.html?id=2e9a751efb38ff8e971a9dd4c629bd5066c9fb802a0d821ef5c250e0b1c43382-1304970595
    ClamAV     0.97.0.0     2011.05.09     Trojan.OSX.MacDefender.C
    Emsisoft     5.1.0.5     2011.05.09     Hoax.Mac.MacProtector!IK
    F-Secure     9.0.16440.0     2011.05.09     Rogue:OSX/FakeMacDef.F
    Fortinet     4.2.257.0     2011.05.09     OSX/MacProtector.A
    Ikarus     T3.1.1.103.0     2011.05.09     Hoax.Mac.MacProtector
    Kaspersky     9.0.0.837     2011.05.09     Hoax.Mac.MacProtector.a
    Microsoft     1.6802     2011.05.09     Rogue:MacOS_X/FakeMacdef
    NOD32     6107     2011.05.09     OSX/AdWare.MacDefender.E
    PCTools     7.0.3.5     2011.05.09     RogueAntiSpyware.MacProtector
    Sophos     4.65.0     2011.05.09     OSX/FakeAV-A
    Symantec     20101.3.2.89     2011.05.09     MacProtector
    TrendMicro     9.200.0.1012     2011.05.09     OSX_FAKEAV.A
    TrendMicro-HouseCall     9.200.0.1012     2011.05.09     OSX_FAKEAV.A

    VirusBuster     13.6.345.0     2011.05.09     FraudTool.OSX.Defma.G
    Additional information
    Show all
    MD5   : 1f8e9cd3f0717a85b96f350e4f4a539a

    MAC DEFENDER
    Archive.pax
    Current status:
    9 /41 (22.0%)
    AntiVir     7.11.7.150     2011.05.04     MACOS/FakeAV.A
    BitDefender     7.2     2011.05.04     MAC.OSX.Trojan.FakeAlert.A
    ClamAV     0.97.0.0     2011.05.04     Trojan.OSX.MacDefender
    DrWeb     5.0.2.03300     2011.05.05     Trojan.Fakealert.20856
    F-Secure     9.0.16440.0     2011.05.04     Rogue:OSX/FakeMacDef.A
    GData     22     2011.05.05     MAC.OSX.Trojan.FakeAlert.A
    Kaspersky     9.0.0.837     2011.05.05     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.04     Rogue:MacOS_X/FakeMacdef
    Sophos     4.64.0     2011.05.05     OSX/FakeAV-DMP
    MD5   : c0c866fde6336764da0def483f635dc9
    SHA1  : a61f2cb78bbb0472d95d2b967e3eda5f786e07ac

    http://www.virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304457284
    MacDefender
    Submission date:
    2011-05-03 21:14:44 (UTC)
    Result:6 /41 (14.6%)
    DrWeb     5.0.2.03300     2011.05.03     Trojan.Fakealert.20856
    Kaspersky     9.0.0.837     2011.05.03     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.03     Rogue:MacOS_X/FakeMacdef
    PCTools     7.0.3.5     2011.05.03     MACDefender
    Sophos     4.64.0     2011.05.03     OSX/FakeAV-DMP
    Symantec     20101.3.2.89     2011.05.03     MACDefender
    MD5   : 2f357b6037a957be9fbd35a49fb3ab72
    SHA1  : fb6f092624d48fe9a496c50f615b424b27cf3515





    Tuesday, May 3, 2011

    May 3 CVE-2010-3333 DOC Courier who led U.S. to Osama bin Laden's hideout identified

    Common Vulnerabilities and Exposures (CVE)number

    CVE-2010-3333

    Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

      General File Information

    File   Laden's Death.doc
    MD5   dad4f2a0f79db83f8976809a88d260c5
    SHA1  4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    File size : 163065 bytes
    Type:  DOC
    Distribution: Email attachment

    Post Updates

    May 6   Updated analysis by Hermes Bojaxhi from CyberESI 

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

    May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.

    It was sent to many targets in the US Government today.

    Also see the same payload in the following messages

    http://contagiodump.blogspot.com/2010/09/sep14-cve-2010-2883-adobe-0-day-fwd.html

    http://contagiodump.blogspot.com/2010/09/cve-2009-4324-cve-2010-1297-cve-2009.html



    Download

    Message


    Tue, 03 May 2011 11:34:06 -0400 (EDT)
    Source-IP: 220.228.120.62 
    Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
    From: XXXXXXXXXXXXXXXXXXX
    To: XXXXXXXXXXXXXXXXXXX
    Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    Date: Tue, 3 May 2011 21:43:28 +0800
    X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
            boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.3790.2929
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168


    This is a multi-part message in MIME format.

    ------=_NextPart_000_0009_01CC09DB.23A97E20
    Content-Type: text/plain;
            format=flowed;
            charset="big5";
            reply-type=original
    Content-Transfer-Encoding: 7bit

    To whom it may concern.

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXX  Signature spoofed  XXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


    ------=_NextPart_000_0009_01CC09DB.23A97E20
    Content-Type: application/octet-stream;
            name="Laden's Death.doc"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
            filename="Laden's Death.doc"

    Sender

    220.228.120.62 (there are other IPs from that company used as well)

    Lotus Notes mail server, apparently compromised

    Hostname:    notess1.protech.com.tw
    ISP:    New Centry InfoComm Tech. Co., Ltd.
    Organization:    PROTECHSYSTEMSCO.,LTD.
    Assignment:    Static IP
    Country:    Taiwan


    Automated Scans

    File name: Laden's Death.doc
    Submission date:2011-05-03 15:34:52 (UTC)
    http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304436892#
    1/ 41 (2.4%)
    Commtouch    5.3.2.6    2011.05.03    CVE-2010-3333!Camelot
    Show all
    MD5   : dad4f2a0f79db83f8976809a88d260c5
    SHA1  : d563029a2dfe3cfcddc7326b1b486213095e58e5
    SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk
    661UswH/fNGy2XB
    File size : 163065 bytes
    First seen: 2011-05-03 15:34:52
    Last seen : 2011-05-03 15:34:52

    Analysis

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit


    Clean file (thanks to Kate Milton for the binary and the clean decoy file submission)



    File name:exe_decoded.bin
    http://www.virustotal.com/file-scan/report.html?id=a40b5cf0689aebaaf2352b61e8a9f4544ec69ef8ea3dc558f53646964a85755b-1304567158
    Submission date:2011-05-05 03:45:58 (UTC)
    Result:17 /40 (42.5%)

    AntiVir     7.11.7.150     2011.05.04     BDS/Protux.tg
    BitDefender     7.2     2011.05.05     Trojan.Generic.KDV.211541
    Commtouch     5.3.2.6     2011.05.05     W32/Virut.AI!Generic
    rWeb     5.0.2.03300     2011.05.05     BackDoor.Diho.163
    eTrust-Vet     36.1.8307     2011.05.04     -
    F-Prot     4.6.2.117     2011.05.04     W32/Virut.AI!Generic
    GData     22     2011.05.05     Trojan.Generic.KDV.211541
    Ikarus     T3.1.1.103.0     2011.05.05     Backdoor.Win32.Protux
    Kaspersky     9.0.0.837     2011.05.05     Backdoor.Win32.Protux.tg
    McAfee     5.400.0.1158     2011.05.05     Artemis!30C8C4C99430
    McAfee-GW-Edition     2010.1D     2011.05.05     Artemis!30C8C4C99430
    NOD32     6095     2011.05.05     Win32/Protux.NAK
    Panda     10.0.3.5     2011.05.04     Suspicious file
    PCTools     7.0.3.5     2011.05.04     Trojan.Generic
    SUPERAntiSpyware     4.40.0.1006     2011.05.05     -
    Symantec     20101.3.2.89     2011.05.05     Trojan Horse
    TrendMicro     9.200.0.1012     2011.05.04     PAK_Generic.001
    TrendMicro-HouseCall     9.200.0.1012     2011.05.05     BKDR_PROTUX.GE
    VBA32     3.12.16.0     2011.05.04     Backdoor.Protux.ta
    Additional information
    Show all
    MD5   : 30c8c4c9943044287cf06996863c2261
    SHA1  : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2

    ----------------------------------------------------------------------------------------------------------
    See the payload analysis here  http://www.cyberesi.com/2011/05/03/ladens-death-doc-cve-2010-3333/

    Hermes Bojaxhi from CyberESI  http://www.cyberesi.com provided the following details about the payload

    File Name:  dhcpsrv.dll
    File Size:  44504 bytes
    MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
    SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
    PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
    Sections (4):
     Name      Entropy  MD5
     .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
     .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
     .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
     .reloc    5.7      e437cc92e10504181d7b712478db6af3


    beacons to these domains:

    checkerror.ucparlnet.com

    ssi.ucparlnet.com
    www.dnswatch.info
    picture.ucparlnet.com
    ==============
    C2 domain info

    checkerror.ucparlnet.com   -  203.67.127.165 Hostname:    protech.com.tw  Digital United Inc. Taiwan
    ssi.ucparlnet.com  - 58.34.152.233  ChinaNet Shanghai Province Network China
    www.dnswatch.info - 82.96.118.210
    Probe Networks Planet-Hosting.cz Germany
    picture.ucparlnet.com -
    203.67.127.165 Hostname:    protech.com.tw  Digital United Inc. Taiwan

    ucparlnet.com IP Address hosting history

    Event Date Action Pre-Action IP Post-Action IP
    2010-08-10 New -none- 58.34.152.162
    2010-08-13 Change 58.34.152.162 58.37.54.66
    2010-08-23 Change 58.37.54.66 58.34.148.241
    2010-09-03 Change 58.34.148.241 220.246.76.125
    2010-09-24 Change 220.246.76.125 127.0.0.1
    2010-10-25 Change 127.0.0.1 58.37.182.29
    2010-11-28 Change 58.37.182.29 58.34.149.104
    2010-12-09 Change 58.34.149.104 58.34.152.202
    2010-12-31 Change 58.34.152.202 127.0.0.1
    2011-02-24 Change 127.0.0.1 125.141.233.16
    2011-04-10 New -none- 125.141.233.16

    dnswatch.info  - is not a malicious domain