|
Mila Parkour <milaparkour@gmail.com> |
|
The file "Office2010-kb2289161-fullfile-x64-glb.exe" has been suspended |
Wednesday, September 7, 2011
Mediafire DMCA Office2010-kb2289161-fullfile-x64-glb.exe patch email
Saturday, September 3, 2011
So long and thanks for all the phish
I will be away until Sept 17 and will not be posting until at least Sept 25.
My internet connection will be intermittent but I will reply to all messages
as soon as I can ~ Mila
Sept 3. Liberating Taiwan: one phish at a time. 2010-2011
 |
| chineseposters.net |
I will be traveling most of September but I wanted to leave you with something to play with while I am away.
These 175 phishing messages were received over the course of 18 months by one recipient, who also happens to be a former Taiwan government official and an expert on China. The recent exploits used are mostly CVE-2010-3333 and CVE-2011-0611 and CVE-2010-2883 but you will find a good variety, as well as a lot of RAR files with RTLO and exe. The senders and the recipient are in Asia so these document give you a good idea about the phishing landscape there (in many ways it is similar to what you see in USA, for understandable reasons)
There might be a few documents that are not malicious, esp. image files.
The first folder inside zip contains files named as DATERECEIVED_NAME.EXT and the second has the same files named DATERECEIVED_SENDERADDR_SUBJECT_NAME.EXT. Use whichever works for you better. I also posted details about two messages to give you an idea.
Monday, August 29, 2011
Aug 28 Morto / Tsclient - RDP worm with DDoS features
I can add that it runs what it looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of CC servers (China) and their location (Hong Kong), I would say it is likely it be cybercrimeware originating in erm,...Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & technology Co. Ltd.in China. One of the domains existed for a few years and changed several Chinese registrars and hosting companies. Like in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries but I am guessing common there too :)
I want to thank jsunpack.jeek.org and malc0de.com for the sample.
Thursday, August 11, 2011
Targeted attacks against personal Gmail accounts Part II - CNAS Report
 |
| popartmachine.com |
I received a phishing email sample indicating that the attackers described in the above post continue their efforts with a very slight modifications to the original themes and I must note that this incident is even more simple than the previous one. I don't know if any accounts were compromised this time, I hope the public disclosure of the previous attacks along with the notifications on Forward rules and two-factor authentication in Gmail helped prevent most if not all compromises.
P.S. Google are aware of this, there is not much they can do to prevent these from coming in but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.
Wednesday, August 10, 2011
Microsoft and Adobe Flash patches vs corresponding document and web exploits (non PDF, CVE numbered)
Again, thanks to Malware Tracker keeping exploit timeline for Microsoft products (MS Office, HTML help, Windows thumbnail), these are the patches you need to have installed for protection or should not *not* have if you want successful sandbox testing of these exploits.
Some of these like Flash were also used as Web exploits. The table below includes only exploits used in documents.
There are too many Flash exploits to list with the links, however, the two lists below allow very easy correlation
Tuesday, August 9, 2011
Adobe Reader versions vs corresponding exploits (CVE numbered) - Downloads for testing
Building VM sandbox environment for testing malicious documents? I found that sometimes tracking all the full versions and minor updates of Adobe Reader via Old Apps or Adobe.com and corresponding CVE numbers is more time consuming than actual testing. Here are all the necessary for testing versions available from Contagio download. In some cases you need to install the base version and then apply all the incremental updates to get to the version you needMany thanks to Malware tracker for making this easier - see their PDF threats timeline post here Current PDF Threats
Or, Download all together from HERE
Wednesday, July 27, 2011
Jul 25 Mac Olyx backdoor + Gh0st Backdoor in RAR archive related to July 2009 Ürümqi riots in China (Samples included)
The recently discovered Backdoor for Mac Olyx (Criminals gain control over Mac with BackDoor.Olyx) was used for targeted attacks (or what it appears to be), which is not surprising. As Microsoft pointed out, in addition to malware, the package contains an html page and photos from a Wikipedia page for events dated July 5, 2009, however it appears that all photos relate to one event - July 2009 Ürümqi riots in China.
"Government censors disabled keyword searches for "Urumqi", and blocked access to Facebook and Twitter as well as local alternatives Fanfou and Youku. Chinese news sites mainly fed from Xinhua news service for updates about the rioting in Urumqi, comments features on websites were disabled on some stories to prevent negative posts about the lack of news. Internet connections in Urumqi were reportedly down.Many unauthorized postings on local sites and Google were said to have been "harmonised" by government censors, and emails containing terms related to the riots were blocked or edited to prevent discord."
Perhaps the trojans found in the package Ghostnet backdoor as Backdoor:Win32/Remosh.A. and the new Backdoor:MacOS_X/Olyx.A were destined for a Chinese human rights activist, as he/she would be likely to be interested in this particular event update. In addition, it is known that many of the Gh0stnet targets were human rights activists.
Monday, July 25, 2011
Jul 12 RTLO rar with trojan Taidoor - former President Lee Teng-hui seriously ill
I wanted to release this one as part of a pack (several semi related posts together) but seems like it takes too long, so I just post it. This one is not much different from what you saw before, just another taidoor trojan for your collection sent within RTLO rar archive. According to Microsoft Malware Protection Center Trojan Taidoor / Rubinurd is a bot capable to download and upload files to / from the attackers' server, and execute commands on the system. It is prevalent in Taiwan (at least 1/2 of all detections are there) and is relatively new - emerged in September 2010. This is a file sent in Taiwan from a Taiwan server.
Exploit Information
RTLO
More about RTLO is here Right to Left Override unicode can be used for multiple spoofing cases by Jordi Chancel:
More about RTLO is here Right to Left Override unicode can be used for multiple spoofing cases by Jordi Chancel:
"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE unicode and than it will always cause the directional reverse reading order of others characters followed it including the extension-type of malicious file! This UNICODE of which we will simplify name by [RTLO] doesnt can see owing to the fact that its characters and its place are invisible. Use RTLO for reverse the direction of reading of the file names including the extension of concerned file while keeping same the types of execution.
Example: To use a syntax like “SexyPictureGirlAl[RTLO]gpj.exe” be read “SexyPictureGirlAlexe.jpg”
TROJAN TAIDOOR/ RUBINURD (as payload)
It produces traffic as below
http://someipordomain/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string - which is encoded mac address of the system
Saturday, July 23, 2011
Thursday, July 14, 2011
Jul 13 CVE-2010-2883 PDF Meeting Agenda with more Poison Ivy www.adv138mail.com | 112.121.171.94
Here is one more for a full collection - same malware and sender as in the previous post. This message, targeting experts on Japan, China, Taiwan / USA relationship, was sent on July 13,2011. The attached pdf exploits CVE-2010-2883 (2/43 VT, encrypted) with poison ivy (keylogging) payload, connecting to www.adv138mail.com. The domains serving PI and listed below were registered by DNS.com.cn, which has a poor reputation. These domains/IP have been CnC for poison ivy for a while, consider the posts below.
Other PI domains noted are:
web.adv138mail.com; -2011
dns.adv138mail.com - 2011 (thank you, John)
web.adv138mail.com; -2011
dns.adv138mail.com - 2011 (thank you, John)
www.adv138mail.com - 2011 - 112.121.171.94
pu.flower-show.org - 2011 - 112.121.171.94
pu.flower-show.org - 2011 - 112.121.171.94
cecon.flower-show.org - 2010
posere.flower-show.org - 2009
posere.flower-show.org - 2009
112.121.171.94 Nov.adv138mail.com, ftp.adv138mail.com and asm.adv138mail.com point to 112.121.171.94.
- Contagio | Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org
- Contagio | More flowers with some poison ivy - Feb. 10, 2010
- F-secure | Watch Out for flower-show.org - Feb.10, 2010
- ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010
 |
Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org
Update Jul 13. Considering that this pdf is very low detection, I decided to post some of the target domains here in case it helps them to prevent or identify infections.
The non-gmail domains included:
usjapancouncil.org, spfusa.org, vanderbilt.edu, comdt.uscg.mil, miis.edu
If you work at one of those places and must know the actual recipient, you can contact me. ~ Mila
Contagio | More flowers with some poison ivy - Feb. 10, 2010
F-secure | Watch Out for flower-show.org - Feb.10, 2010
ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010
Other PI domains noted are:
pu.flower-show.org - 2011
cecon.flower-show.org - 2010
posere.flower-show.org - 2009
pu.flower-show.org - 2011
cecon.flower-show.org - 2010
posere.flower-show.org - 2009
|
Monday, July 11, 2011
New CONTAGIOminiDUMP - mobile malware is moving !!!
Please welcome the new section of Contagio - CONTAGIOminiDUMP.BLOGSPOT.COM
The old mobile malware Mini-dump (aka "Take a sample, leave a sample" ) grew too large and difficult to use. This section will allow better organization of all the mobile malware. There are not that many samples but it is steadily growing.
This is a work in progress and please send or post your comments regarding the design, hosting, organization and such.
Many thanks to Tim Strazzere for catalyzing the upgrade :)
You will be able to access the new location from contagio - it won't be too hard to find.
~ Mila
The old mobile malware Mini-dump (aka "Take a sample, leave a sample" ) grew too large and difficult to use. This section will allow better organization of all the mobile malware. There are not that many samples but it is steadily growing.
This is a work in progress and please send or post your comments regarding the design, hosting, organization and such.
Many thanks to Tim Strazzere for catalyzing the upgrade :)
You will be able to access the new location from contagio - it won't be too hard to find.
~ Mila
Friday, July 8, 2011
Take a sample, leave a sample. Mobile malware mini-dump - July 8 Update
This post and all mobile malware moved to contagiominidump.blogspot.com
I frequently get requests for already published on Contagio mobile malware and also new files that might be mentioned in the media and blogs. I do not really have a large collection of mobile malware but I welcome the submissions.
Here is a folder with the most recent files I have. If you use upload feature on the blog (see below) and send more mobile malware samples, they will be added to this folder for everyone to come and use.
Download
Download files from the mobile malware mini-dump (new link)use infected for the password
Current list (~50+ downloads = around 200 individual files as of June, 2011). Hyperlinks lead to Virustotal
Download from the dump link above or click on "download" link if present
- Zitmo Android Edition (Zeus for mobile) ecbbce17053d6eaf9bf9cb7c71d0af8d Download (thanks to anonymous, July 8, 2011) Zitmo hits Android Axelle Apvrille- Fortinet
- GoldDream.A BloodvsZombie_com.gamelio.DrawSlasher_1_1.0.1.apk b87f2f3a927bf967736ed43ca2dbfb60 (many thanks for the sample to oren@avg-mobilation July 6,2011) Download Read more:Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets Xuxian Jiang
- GoldDream.B v1.0_com.GoldDream.pg_1_1.0.apk f66ee5b8625192d0c17c0736d208b0b (many thanks for the sample to oren@avg-mobilation July 6,2011) Download Read more: Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets Xuxian Jiang
- DroidKungFu2 -A _com.allen.txthej_1_1.0 F438ED38B59F772E03EB2CAB97FC7685 (many thanks for the sample to oren@avg-mobilation July 3,2011) Download Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets
- DroidKungFu2 -B __com.tutusw.onekeyvpn_7_1.1.6_54bc7a8fb184884a26e4cce74697d3a5 (many thanks for the sample to oren@avg-mobilation July 3,2011) Download Read more: Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets
Thursday, July 7, 2011
Rootkit TDL-4 (TDSS, Alureon.DX, Olmarik, TDL) 32-bit and 64-bit Sample + Analysis links - Update July 7
Old version 3 - See August 27, 2010 TDL3 dropper (x86 compatible with x64 systems).
General File Information - April 2011
This is an updated version of TDL4, which made a lot of news recently thanks to being named the ‘indestructible’ botnet. This is the last / current version and it is dated April 2011 (the previous version is from January 2011)
All the credits and many thanks for the files and comments go to @EP_X0FF @InsaneKaos @markusg @USForce from KernelMode.info. I am posting the files and their comments here because of the the large number of inquiries for the updated version.
1) Bypassed Microsoft patch (STATUS_INVALID_IMAGE_HASH error overwritten) to be able again to infect x64 OS
2) Bypasssed Microsoft patch to kdcom.dll (this version of TDL4 checks kdcom resource directory size on the x64 version of it, whether it is == 0x110 || 0xFA)
2) Improved disk minport filtering hook
Version history:
- 0.01 firstly detected ITW in the end of July 2010
- 0.02 August 2010, version with x64 support
- 0.03 September 2010, small changes, new C&C library
- In April 2011 Microsoft released KB2506014 targeting 0.03 version, exactly boot loader and kd dll - and it was able to successfully prevent TDL4 from working. However, the rootkit support strike back within two weeks releasing their update, which could bypass the MS patch. The rootkit version wasn't changed.
Related articles:
- The Evolution of TDL: Conquering x64 ESET Eugene Rodionov, Aleksandr Matrosov
- June 27, 2011 TDL4 – Top Bot - Kaspersky - Sergey Golovanov, Igor Soumenkov
- May 1, 2011 TDL4 rootkit is coming back stronger than before - Prevx Marco Giuliani
File: TDL4.exe
Size: 146944
MD5: 4A052246C5551E83D2D55F80E72F03EB
http://www.virustotal.com/file-scan/report.html?id=b75fd580c29736abd11327eef949e449f6d466a05fb6fd343d3957684c8036e5-1305275113
File: dll (2).exe
Size: 140288
MD5: D69B02C1ACD87B5A5C33B19693E24020
http://www.virustotal.com/file-scan/report.html?id=fe165840b709adb5b7765ea329c317f64d05a402873c8d8cea84873cbe192bf4-1304405700
File: DLL.exe
Size: 140288
MD5: A1DE5B3607845F5C6597528BE02EBDA5
http://www.virustotal.com/file-scan/report.html?id=1aa5708519389ddcf96fa6206cf274844414c58bff6e3f8338188364449f4509-1304402425
Download TDL4 - April 2011 edition files listed above as a password protected archive (contact me if you need the password)
Subscribe to:
Posts (Atom)