Tuesday, May 31, 2011

May 17 CVE-2010-2883 PDF Bin Laden's successor from spoofed

SIZE 103981 bytes
EXPLOIT TYPE         CVE-2010-2883
FILE NAME             Bin Ladens successor.pdf

Post Updates

The file uses the Fonts/SING table exploit for CVE-2010-2883 and does not appear to be Metasploit-generated.

The sender often uses compromised servers belonging to different organizations, for example:
    *     Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

    *     Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account

     It is unclear whether this time it is a compromised server or whether the attacker uses this internet provider's services as a customer.

    Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.

    PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.

    Wednesday, May 25, 2011

    W32.Qakbot aka W32/Pinkslipbot or infostealer worm

    W32.Qakbot aka W32/Pinkslipbot

  W32.Qakbot in Detail, by Nicolas Falliere (Symantec)

    W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and then piggybacks on the existing online banking sessions. It then quickly uses that information for malicious purposes.

    The following screenshot is from the paper you see above 

      General File Information

    MD5  076bc0533d63826e1e809ad9fcbe2fb8
    SHA1 33d9b4a712c29304478da235f17cd28978a93d2f
    File size: 55808 bytes
    Type: PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)

    MD5  120d845ac973b4a0cde2bc88d8530b3d
    SHA1 120d845ac973b4a0cde2bc88d8530b3d
    File size: 87040 bytes
    Type: PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)

    MD5  150d006eab34528e3305fbbb5ad82164
    SHA1 551a9f3ce5b86cf77df90eda61be233c821be6b2
    File size: 267776 bytes
    Type: PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)


    Wednesday, May 11, 2011

    May 2 MAC Defender + May 11 Mac Protector Fake Antivirus Programs

    MAC Defender Fake Antivirus Program

    INTEGO SECURITY MEMO – May 2, 2011 MAC Defender Fake Antivirus Program Targets Mac Users

    Quote from Intego: Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).
    When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen:

      General File Information

     Added Mac Protector, May 11. Thanks to an anonymous donation.

    Malware: OSX/MacDefender.A and Mac Protector.A
    Distribution: Web browsing. Prevalence: low; in the wild, but not very widespread for now


    File name: MacProtector
    Submission date: 2011-05-09 19:49:55 (UTC)
    Result: 14/43 (32.6%)
    ClamAV     2011.05.09     Trojan.OSX.MacDefender.C
    Emsisoft     2011.05.09     Hoax.Mac.MacProtector!IK
    F-Secure     9.0.16440.0     2011.05.09     Rogue:OSX/FakeMacDef.F
    Fortinet     2011.05.09     OSX/MacProtector.A
    Ikarus     T3.     2011.05.09     Hoax.Mac.MacProtector
    Kaspersky     2011.05.09     Hoax.Mac.MacProtector.a
    Microsoft     1.6802     2011.05.09     Rogue:MacOS_X/FakeMacdef
    NOD32     6107     2011.05.09     OSX/AdWare.MacDefender.E
    PCTools     2011.05.09     RogueAntiSpyware.MacProtector
    Sophos     4.65.0     2011.05.09     OSX/FakeAV-A
    Symantec     20101.3.2.89     2011.05.09     MacProtector
    TrendMicro     2011.05.09     OSX_FAKEAV.A
    TrendMicro-HouseCall     2011.05.09     OSX_FAKEAV.A
    VirusBuster     13.6.345.0     2011.05.09     FraudTool.OSX.Defma.G
    MD5   : 1f8e9cd3f0717a85b96f350e4f4a539a

    Current status:
    Result: 9/41 (22.0%)
    AntiVir     2011.05.04     MACOS/FakeAV.A
    BitDefender     7.2     2011.05.04     MAC.OSX.Trojan.FakeAlert.A
    ClamAV     2011.05.04     Trojan.OSX.MacDefender
    DrWeb     2011.05.05     Trojan.Fakealert.20856
    F-Secure     9.0.16440.0     2011.05.04     Rogue:OSX/FakeMacDef.A
    GData     22     2011.05.05     MAC.OSX.Trojan.FakeAlert.A
    Kaspersky     2011.05.05     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.04     Rogue:MacOS_X/FakeMacdef
    Sophos     4.64.0     2011.05.05     OSX/FakeAV-DMP
    MD5   : c0c866fde6336764da0def483f635dc9
    SHA1  : a61f2cb78bbb0472d95d2b967e3eda5f786e07ac

    Submission date: 2011-05-03 21:14:44 (UTC)
    Result: 6/41 (14.6%)
    DrWeb     2011.05.03     Trojan.Fakealert.20856
    Kaspersky     2011.05.03     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.03     Rogue:MacOS_X/FakeMacdef
    PCTools     2011.05.03     MACDefender
    Sophos     4.64.0     2011.05.03     OSX/FakeAV-DMP
    Symantec     20101.3.2.89     2011.05.03     MACDefender
    MD5   : 2f357b6037a957be9fbd35a49fb3ab72
    SHA1  : fb6f092624d48fe9a496c50f615b424b27cf3515

    Tuesday, May 3, 2011

    May 3 CVE-2010-3333 DOC Courier who led U.S. to Osama bin Laden's hideout identified

    Common Vulnerabilities and Exposures (CVE) number: CVE-2010-3333

    Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

      General File Information

    File: Laden's Death.doc
    MD5: dad4f2a0f79db83f8976809a88d260c5
    SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    File size: 163065 bytes
    Type: DOC
    Distribution: Email attachment

    Post Updates

    May 6   Updated analysis by Hermes Bojaxhi from CyberESI 

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

    May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.

    It was sent to many targets in the US Government today.

    Also see the same payload in the following messages



    Tue, 03 May 2011 11:34:06 -0400 (EDT)
    Message-ID: <000c01cc0998$15c8ec70$>
    Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    Date: Tue, 3 May 2011 21:43:28 +0800
    X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.3790.2929
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168

    This is a multi-part message in MIME format.

    Content-Type: text/plain;
    Content-Transfer-Encoding: 7bit

    To whom it may concern.

    XXX  Signature spoofed  XXXXXXXXXXXXXXXXX

    Content-Type: application/octet-stream;
            name="Laden's Death.doc"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
            filename="Laden's Death.doc"
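The headers above are enough for a first-pass triage script. The following is an added example and not part of the post: it rebuilds the message from those headers (the Received line, MIME boundary and attachment bytes are placeholders I constructed), then records the mailer fingerprint, the Date header's UTC offset, the gap between the Date header and the receiving server's timestamp, and every attachment with its extension.

```python
import email
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the header lines quoted in the post, wrapped into a complete MIME message.
# The Received line, the MIME boundary and the base64 attachment body are placeholders
# (assumption); they are not from the post.
SAMPLE_MSG = """\
Received: from [sender-placeholder] by [mx-placeholder]; Tue, 03 May 2011 11:34:06 -0400 (EDT)
Message-ID: <000c01cc0998$15c8ec70$>
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_placeholder"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168

This is a multi-part message in MIME format.

------=_NextPart_placeholder
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

To whom it may concern.

------=_NextPart_placeholder
Content-Type: application/octet-stream;
        name="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Laden's Death.doc"

UExBQ0VIT0xERVI=
------=_NextPart_placeholder--
"""

# Attachment formats carried by the exploit documents on this page (doc, rtf, pdf).
DOCUMENT_EXTS = {"doc", "rtf", "pdf"}


def triage(raw):
    """Pull the fields an analyst records first: sender software, Date vs. receipt time, attachments."""
    msg = email.message_from_string(raw)
    attachments = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # the multipart container and the text body carry no filename
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        attachments.append({
            "filename": name,
            "ext": ext,
            "content_type": part.get_content_type(),
            "size": len(part.get_payload(decode=True) or b""),
            "document": ext in DOCUMENT_EXTS,
        })
    sent = parsedate_to_datetime(msg["Date"])
    # The timestamp stamped by the receiving MTA follows the last ';' of its Received line.
    received = parsedate_to_datetime(msg["Received"].rsplit(";", 1)[-1].strip())
    return {
        "subject": msg["Subject"],
        "x_mailer": msg["X-Mailer"],
        "sent_utc": sent.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sender_tz_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "transit_minutes": round((received - sent).total_seconds() / 60),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MSG).items():
        print(f"{key}: {value}")
```

The Date header is written by the sending client, so its UTC offset (+08:00 here) and the X-Mailer string describe the sender's machine rather than the relaying server; a long or negative transit gap is worth a second look at the full Received chain.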

    Sender (there are other IPs from that company used as well)

    Lotus Notes mail server, apparently compromised

    ISP:    New Century InfoComm Tech. Co., Ltd.
    Organization:    PROTECHSYSTEMSCO.,LTD.
    Assignment:    Static IP
    Country:    Taiwan

    Automated Scans

    File name: Laden's Death.doc
    Submission date: 2011-05-03 15:34:52 (UTC)
    Result: 1/41 (2.4%)
    Commtouch    2011.05.03    CVE-2010-3333!Camelot
    MD5   : dad4f2a0f79db83f8976809a88d260c5
    SHA1  : d563029a2dfe3cfcddc7326b1b486213095e58e5
    SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk
    File size : 163065 bytes
    First seen: 2011-05-03 15:34:52
    Last seen : 2011-05-03 15:34:52



    Clean file (thanks to Kate Milton for the binary and the clean decoy file submission)

    File name: exe_decoded.bin
    Submission date: 2011-05-05 03:45:58 (UTC)
    Result: 17/40 (42.5%)

    AntiVir     2011.05.04     BDS/
    BitDefender     7.2     2011.05.05     Trojan.Generic.KDV.211541
    Commtouch     2011.05.05     W32/Virut.AI!Generic
    DrWeb     2011.05.05     BackDoor.Diho.163
    eTrust-Vet     36.1.8307     2011.05.04     -
    F-Prot     2011.05.04     W32/Virut.AI!Generic
    GData     22     2011.05.05     Trojan.Generic.KDV.211541
    Ikarus     T3.     2011.05.05     Backdoor.Win32.Protux
    Kaspersky     2011.05.05
    McAfee     5.400.0.1158     2011.05.05     Artemis!30C8C4C99430
    McAfee-GW-Edition     2010.1D     2011.05.05     Artemis!30C8C4C99430
    NOD32     6095     2011.05.05     Win32/Protux.NAK
    Panda     2011.05.04     Suspicious file
    PCTools     2011.05.04     Trojan.Generic
    SUPERAntiSpyware     2011.05.05     -
    Symantec     20101.3.2.89     2011.05.05     Trojan Horse
    TrendMicro     2011.05.04     PAK_Generic.001
    TrendMicro-HouseCall     2011.05.05     BKDR_PROTUX.GE
    VBA32     2011.05.04     Backdoor.Protux.ta
    MD5   : 30c8c4c9943044287cf06996863c2261
    SHA1  : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2

    See the payload analysis here

    Hermes Bojaxhi from CyberESI provided the following details about the payload:

    File Name:  dhcpsrv.dll
    File Size:  44504 bytes
    MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
    SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
    PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
    Sections (4):
     Name      Entropy  MD5
     .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
     .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
     .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
     .reloc    5.7      e437cc92e10504181d7b712478db6af3
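The section table above (name, entropy, per-section MD5) is the kind of summary a small stdlib-only script can regenerate. This is an added example, not CyberESI's tooling: it walks the DOS and COFF headers, reads the section table, computes Shannon entropy and MD5 for each section's raw bytes, and renders TimeDateStamp the way the post does. The PE it analyses is a constructed skeleton built inside the script (the post's timestamp 0x4D9C2616 is reused so the rendering can be checked); the section hashes it prints are therefore of sample data, not of dhcpsrv.dll.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted sections sit near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def format_pe_time(ts):
    """Render a TimeDateStamp as in the post, e.g. 'Wed Apr 06 08:36:38 2011 UTC'."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def pe_summary(blob):
    """Parse the DOS/COFF headers and the section table; return the compile timestamp and,
    per section, its name, raw size, Shannon entropy and MD5 of the raw bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, num_sections, ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        raw = blob[raw_ptr:raw_ptr + raw_size]  # slicing tolerates sizes that overrun the file
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "size": len(raw),
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"pe_time": format_pe_time(ts), "sections": sections}


def build_sample_pe(sections, timestamp=0x4D9C2616):
    """Constructed sample: a minimal PE skeleton (headers plus raw sections, no optional
    header, not runnable) so the parser can be exercised offline. The timestamp defaults
    to the value quoted in the post."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x2102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data starts right after the headers
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(data), 0x1000,
                               len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\x00\x00" + coff + headers + body


if __name__ == "__main__":
    sample = build_sample_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\x00" * 512)])
    info = pe_summary(sample)
    print("PE Time:", info["pe_time"])
    print(" Name      Entropy  MD5")
    for s in info["sections"]:
        print(f" {s['name']:<9} {s['entropy']:<8} {s['md5']}")
```

Per-section hashes survive changes to the headers and to other sections, which makes them a useful pivot when a family keeps its code section but rebuilds the rest; the entropy column is a quick hint at packing before any deeper unpacking is attempted.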

    beacons to these domains:

    C2 domain info - Hostname: Digital United Inc. Taiwan - ChinaNet Shanghai Province Network China - Probe Networks Germany - Hostname: Digital United Inc. Taiwan

    IP address hosting history

    Event Date   Action   Pre-Action IP   Post-Action IP
    2010-08-10 New -none-
    2010-08-13 Change
    2010-08-23 Change
    2010-09-03 Change
    2010-09-24 Change
    2010-10-25 Change
    2010-11-28 Change
    2010-12-09 Change
    2010-12-31 Change
    2011-02-24 Change
    2011-04-10 New -none-  - is not a malicious domain