Cybercrime « M86 Security Labs Blog

Archive for the ‘Cybercrime’ Category

The Cridex Trojan Targets 137 Financial Organizations in One Go

By Daniel Chechik • March 1st, 2012 • Botnets Cybercrime Malware Spam

A few weeks ago M86 Security Labs alerted that cybercriminals managed to compromise hundreds of WordPress-based sites. These attacks started with several large spam campaigns as reported in our most recent blog post on Cutwail. These emails included embedded URL links or HTML attachments that tricked the user to browse to the compromised Web sites. All these links eventually lead to Web pages infected with the Phoenix exploit kit. These cybercriminals operate Fast flux networks, which are a DNS technique used by botnets to hide the main C&C servers.

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carberp and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.

VirusTotal scan of Cridex

Let’s take a look how this Trojan operates step by step.

Once the Cridex Trojan is loaded to the victims’ machine it executes several actions. First, it copies itself to drive C: as KB00447841.exe and creates the following files:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\POS1.tmp.BAT
C:\Documents and Settings\Administrator\Application Data\KB00447841.exe

The BAT file upon its execution removes the original malware downloaded by the Phoenix exploit kit.

In the second phase, the malware hooks into the “explorer.exe” process. Then it communicates with its C&C which is done over Fast flux networks to make it harder to identify and shut down their C&C servers. Every several hours one domain becomes unavailable and is replaced by another one. In some cases, the traffic flow of the Trojan can look like this:

Fiddler dump of the Trojan’s traffic activity

Cridex consistently tries to find a live proxy to reach the C&C server. At first glance the domain names look random. However, when taking a closer look, we see that the Trojan generates a new domain name before every attempt to access the C&C:

Ollydbg - Debugging of "Explorer.exe" infected by the Trojan

Here is a pseudo code of the Trojan’s code:

ECX = ECX * 0x19660D
ECX = ECX + 0x3C6EF35F
ECX = ECX << 0×10
ECX = ECX – 0x7FFF
EAX = ECX
EDX = 0
EAX = EAX XOR 0×88
EBP = 0x1A
EAX = EAX / 0x1A
EDX = EAX % 0x1A
ESI++
EDX = EDX + 0×61
Address[EBX + ESI] = DX
If not reached the end of the domain name length continue

Using this logical algorithm to generate and access domains, the cybercriminals can resume the attack even after their server(s) are offline for some period of time.

Once the Trojan finds a live proxy, it connects to the C&C server and downloads a customized configuration from the Cridex botnet. The cybercriminals are currently running multiple botnets with over 25,000 infected machines.

Cridex botnet control panel

This Trojan’s capability is basically similar to Zeus and SpyEye. It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.

The configuration panel of the Cridex Trojan

The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time. They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.

What’s new in the Cridex Trojan compared to Zeus or SpyEye?

Cridex has a “WORLD BANKER CENTER” plug-in which includes a database of 137 banks. Yes, one hundred, thirty seven different banks or financial organizations from all over the world!

Data collected by the "WORLD BANK CENTER" plug-in

This control panel provides simple user experience for the cybercriminals. It contains the structure of the banking organization’s Web site pages, so the Trojan can identify which valuable fields to send back to the C&C. Moreover, the cybercriminals can create and change forms that are normally completed by the victim.

Templates of "WORLD BANK CENTER" plug-in

In conclusion, the Cridex Trojan takes control of the victim’s machines and allows it to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.

M86 MailMarshal Secure Email Gateway customers are protected against these blended threat spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix exploit kit and in particular against the Cridex Trojan.

M86 Security Threat Report for the Second Half of 2011 is Now Available

By Ziv Mador • February 8th, 2012 • Botnets Cybercrime Reports Social Networking Spam Vulnerabilities

We are releasing today our bi-annual Threat Report for 2H 2011. The report relies on M86 Security Labs analysis of spam and malware activity, including the current use of exploit kits, fraudulent digital certificates and social networking schemes. Key points from the M86 Security Labs for the second half of 2011 are:
1. Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets.
2. Use of stolen or fraudulent digital certificates has become more common, especially as part of targeted attacks.
3. In several targeted attacks, malware was hidden by embedding itself in various file formats—with a few cases of multiple embedding layers. This method can evade security software that fails to scan deep enough.
4. Blackhole has become the most prevalent exploit kit in the second half of 2011 with a huge margin over other exploit kits. Some of the exploit kits which were active in the past are rarely used now or were practically abandoned.
5. Newer versions of Blackhole are being deployed first in Eastern Europe. Its authors increased its update frequency and added new exploits and tricks to evade detection, such as checking the software version on the client machine before attempting to exploit it.
6. Fake social media notifications are now a mainstream way for spammers to dupe users into clicking links.
7. Facebook continues to be a conduit for spam and malware, as many campaigns are spreading virally by enticing users to share posts that promise gift cards or other rewards.
8. Hacked, but otherwise legitimate, websites played a major role in distributing spam and malware by redirecting browsers to the ultimate destination.
9. Malicious Web content currently exploits more than 50 vulnerabilities in various software products. The most commonly exploited products are Microsoft Internet Explorer, Oracle Java, Adobe Acrobat Reader, Adobe Flash and Microsoft Office products.
10. The overall volume of spam continued to decline in 2011, reaching a four-year low in December 2011.
11. Eight spamming botnets were responsible for 90% of the spam monitored by M86 Security Labs. All of these botnets are familiar and have been established for some time.
12. The proportion of malicious spam rose in the second half of the year from less than 1% to 5%, including a massive spike in malicious attachments in August and September. Later in the year, the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.
13. Some noticeable wins by law enforcement authorities and researchers against cybercriminals, botnets and affiliate programs like fake AV and rogue online pharmacies, took place this year.
14. Malicious Web content hosted in China targets mostly older versions of Internet Explorer, which is popular in that country.
15. Almost half of the global malicious Web content is hosted in the U.S. The states hosting most malware are Florida, California, Texas and Washington.

The report provides statistics about the geographical distribution of web-based malware, about the most commonly used exploits and about the prevalence of exploit kits. Statistics about spam categories and spam botnets are also provided. In addition to these statistics, the report includes eleven featured articles about current cyber threats and ends with recommendations for administrators, Website owners and end users.
The M86 Security Labs Report can be downloaded from http://m86.it/2HSecReport.
We hope you find the information in this report useful.
M86 Security Labs

Massive Compromise of WordPress-based Sites but ‘Everything will be Fine’

By Daniel Chechik • January 30th, 2012 • Cybercrime Malware

A few days ago, hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit. Its logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages. Here is a partial list of those websites:

: Partial list of compromised WordPress websites

The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine. The general motivation of attackers to compromise websites is mainly to bypass URL reputation mechanisms, spam filters and certain security policies.
In order to lure users to these pages, the attacker sent thousands of malicious emails querying an unfamiliar bill and asking recipients to click on a link as described by Websense blog. The link points to the aforementioned uploaded page.

The malicious uploaded page

The page is obfuscated and adds a hidden IFRAME that leads to the Phoenix Exploit Kit:

The exploit page is hosted in a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”, showing a certain sense of humor by these attackers.
The Phoenix Exploit Kit identifies the User Agent of the client machine and delivers a customized exploit Web page. The following obfuscated page was served when accessing with Internet Explorer 6:

The obfuscated Phoenix exploit page

The obfuscated page above generates code which attempts exploiting multiple vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java as described in the Phoenix Exploit Kit blog. Among those exploits is the latest Java Rhino vulnerability as shown in the following screenshot and taken from the original malicious server.

Statistics on Phoenix Exploit Kit control panel

Note the successful exploitation rate of the Java Rhino vulnerability and of the PDF Libtiff vulnerability. Even the MDAC vulnerability is successfully exploited which is surprising given that it only exists in the old version 6 of Internet Explorer.

Interestingly enough, the “Browser statistics” chart in the screen shot above shows that none of the victims used Google Chrome. Taking a closer look at the source code of the Phoenix Exploit Kit reveals that Chrome browser is explicitly excluded, for no obvious reason:

: Phoenix Exploit Kit source code

All M86 Secure Web Gateway customers are protected against this attack by default. The access to the exploit page is blocked.

As usual, stay safe and be careful not to click links in suspicious emails.

Tags: compromised websites | Java Rhino | Phoenix exploit kit 3.0 | Phoenix Exploit Kit source code | Wordpress

Prevalent Exploit Kits Updated with a New Java Exploit

By Daniel Chechik • December 16th, 2011 • Cybercrime Malware Vulnerabilities

Until recently, most of the vulnerabilities exploited by popular exploit kits were found last year or even earlier. Moreover, it would take authors at least a month to update their kits with the new exploits that had been discovered in the wild. However, in the past few weeks, authors released an updated version of their kits with a new recent exploit before a patch had been released.

First, a new version of the Blackhole exploit kit was released, version 1.2.1:

: Live Blackhole Exploit Kit control panel

The Blackhole exploit kit presented above was modified to exploit clients that have Java installed, using the recently discovered CVE-2011-3544 vulnerability. This is the only vulnerability that is actually being exploited.
A few days later, a new version of Phoenix exploit kit 3.0 was released, just a few weeks after the release of its predecessor, Phoenix 2.9.

Live Phoenix Exploit Kit 3.0 control panel

Notice the red boxes in the screen shots above: A new exploit was added to those exploit kits, which is the reason for the upgrade.

A few weeks ago Michael ‘mihi’ Schierl described a design error in Java. Basically this vulnerability is similar to other Java vulnerabilities where an untrusted code is executed in elevated privileges. Rhino is a Javascript engine that runs under the JVM and can interact with Java applets. An attacker can bypass the scripting engine protection by generating an error object, using Rhino script, which runs in elevated privileges and executing code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.

Not long after the discovery, an exploit module was published in Metasploit. First, the code binds a Rhino object with the applet:

import javax.script.*;
…
ScriptEngine engine = new ScriptEngineManager().getEngineByName(“js”);
Bindings b = engine.createBindings();
b.put(“applet”, this);

The Java code executes a script that bypasses the Security Manager protection by using the “toString” method inside a script context:

Object proxy = (Object) engine.eval(
“this.toString = function() {” +
“                      java.lang.System.setSecurityManager(null);” +
“                      applet.callBack();” +
“                      return String.fromCharCode(97 + Math.round(Math.random() * 25));”+
“};” +
“e = new Error();” +
“e.message = this;” +
“e”, b);

The script throws an exception, and the rest of the code would be executed.

catch (ScriptException e) {
e.printStackTrace();
}

The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective and therefore authors of exploit kits rushed to add it to their kits. The concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor.

Customers of all versions of M86 Secure Web Gateway are safe, as it provides zero-day protection against this vulnerability by default.

We highly encourage users to keep their Java updated, or remove it if it is not needed. A patch for this Java vulnerability is available by now: Look for Java 6 Update 29, or Java 7 Update 1.

Typosquatters exploit misspelled variations of YouTube.com domain name

By Rodel Mendrez • September 8th, 2011 • Cybercrime

Here is a scenario that may sound familiar to you. You were in front of your computer one night and decided to watch some YouTube clips. So you opened your favourite browser and because you have clumsy fingers, instead of typing “YouTube.com” in the address bar you entered “YoutTube.com”. A second later, a Web page loads up, but instead of YouTube’s homepage, the page redirects you to an online survey. You got confused and didn’t expect this webpage, but since the website looks like the real YouTube site, and you get a chance to win an awesome Macbook Air, iPhone 4 or an iPad 2, you decided to take the plunge anyway.

Welcome to typosquatting. Typosquatting is a form of cybersquatting where someone registers an intentionally misspelled domain name which is nearly identical to the target’s brand name and takes advantage of users who mistakenly enter misspelled domain names. Typosquatting is not a new phenomenon but it is widespread. Only last week the folks at OpenDNS observed a typosquatting scam driven off Twitter’s domain.

In our YouTube example, traffic is redirected to the “online survey” website videorewardsonline.com when the user enters YoutTube.com. According to Alexa.com, the domain videorewardsonline.com was only created on August 24 and has had a rapid spike in traffic with a 29% increase in the percentage of global page views. We believe this spike was due to users being redirected by typosquatted domain names.

We have found the following misspelled variations of “YouTube” domains redirecting to either, a “survey” website, or to an online dating website.

Yotube.com

Yutube.com

Yuube.com

Youtbe.com

Youtue.com

Youtub.com

Youube.com

Tubeyou.com

Yutbe.com

Outube.com

Yotub.com

Yutub.com

Youtbue.com

Youttube.com

Yyoutube.com

The survey website also caters for localized versions of itself. It utilizes the IP address geolocation to make it appear more convincing. In the screenshot below, a German webpage is shown if you are located in Germany.

At first glance, the survey website looks rather harmless. However, in order to participate and “win” prizes it requires entering your email and mobile number. At this point you may feel that this is starting to look somewhat dodgy.

However, the worst part comes after you enter your mobile number. The screenshot below shows that main purpose of the “survey” is to convince people to subscribe to an auto-renewing SMS subscription service which will be charged to the user’s phone bill.

You can clearly see how the people behind this typosquatting scam take advantage of an organization’s strong visual brand to trick unsuspecting users in parting with their personal information. In this case, by imitating YouTube’s look and feel, the scamsters piggyback on that brand’s trust to make the “rewards” seem genuine.

Be careful what you type in your browser’s address bar, and always read the fine print to avoid being scammed.

Tags: Legitimate Sites | Online Survey | Social Engineering | Typosquatting | YouTube

0-day exploit used in a targeted attack – CVE-2011-1255

By Avri Schneider • June 26th, 2011 • Cybercrime Malware Vulnerabilities

Time Element Memory Corruption – a remote code execution vulnerability, recently patched by Microsoft as part of MS11-050, bearing the Common Vulnerabilities and Exposures (CVE) number CVE-2011-1255 is being actively exploited in the wild.

M86 Security Labs team was contacted and asked to inspect the URL of a legitimate website of a large private company that was blocked by one of the proactive detection rules implemented in our Secure Web Gateway product.

We were asked to investigate if it was indeed a malicious page or a case of Over-Blocking.

The page looked benign, but inspecting each included JavaScript code, we saw that one of them:

Was injecting an iframe:

pointing to a malicious page that was very easilty classified as malicious due to shellcode patterns being part of the page’s DOM:

So, just another infected site – big deal right? But, after further inspection, we saw that it exploited an un-published security vulnerability in Internet Explorer. To verify this, we viewed the malicious page on the latest fully patched version of IE and saw a crash followed by execution of malicious code.

You can imagine the excitement on the team – finding a 0-day in the wild!

The excitement of finding a 0-day in the wild didn’t last that long, since soon after, Microsoft released details about this particular vulnerability.

Based on data we have reviewed from various sources, we can say with a high level of certainty, that the anonymous researcher who according to Microsoft’s security advisory, reported the vulnerability details to VeriSign iDefense, or at least one of his acquaintances, had used the vulnerability details for malicious purposes, as part of targeted attacks.

We decided that we should inspect the shellcode to see what the attacker was after. It used various anti-debugging tricks, but after decoding, it revealed a clear-text URL pointing to a malicious server already listed in our repository.

The attack sample stored in our repository was an attack for the well-known iepeers.dll vulnerability exploiting CVE-2010-0806.

It is interesting to note that the first saved sample of the attack was dated 21.3.10, while details of the vulnerability were reported and patched by Microsoft’s MS10-018 security patch for Internet Explorer on 30.3.10.

Two 0-day exploits served from the same server – impressive!

We wanted to find out where else he is serving his malicious code.

Remember the code snippet shown above, showing how the attacker hid the shellcode as part of the DOM?

Hiding data in the DOM of the page is a good obfuscation technique that bypasses security software that doesn’t act as an actual browser, and where their script engine does not have access to the actual DOM.

It turns out that one of the side-effects of hiding data inside DIV elements is that it makes the data indexable by search engines.

Google searching the pattern “TTu0d0f[...snip...]d0dLL1043416UU” revealed about 16 results and as of this writing, only a few were still alive.

Here is the list of the infected sites according to Google’s search result:

Not to mention the service of caching samples for us, it’s ironic that an attacker’s obfuscation technique can be used against him to find his infection servers using a simple Google search.

Tags: 0day | CVE-2011-1255 | exploit | Internet Explorer

Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik • June 4th, 2011 • Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really useable, as it required activating by the author of the exploit kit. It contains an activation page that is being used to load all the exploits to the server for every specific customer. As expected, the author of the exploit kit released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo

The changes between the two versions are minor, but still very important as most exploits become inefficient in the very short term, especially with the latest IE vulnerabilities.

Tags: Exploit Kits | Java | PDF | Phoenix

k0desploit Exploit Kit and Stolen Credit Cards Discovered

By Avri Schneider • March 9th, 2011 • Cybercrime

During our investigative research into existing and emerging threats, we tend to make new discoveries. One of the most recent cases involved the discovery of a new toolkit:

k0de Sploit Pack

The phrase at the bottom of the page (“K0de.org Open Source Exploits”) caught our attention, as we wondered how ‘open-source’ this toolkit really was. A quick Google search lead us to the third result:

Leaked Message from Exploit Kit Author

The post (or ‘paste’ if we go by Pastie.org‘s terminology) contained a leaked message written by the toolkit author in a private hacker-forum. It reveals that this new toolkit is just a clone of the popular Eleonore with various improvements:

“As you can see it’s pretty much elenores lay out with a few touch ups & very badly made paint buttons. I’ve only been working on this for 2 hours or so, so please keep that in mind and I plan to add a lot more onto it in the coming days, so keep an eye out for news.”

The author was nice enough to provide us with interesting statistics from his own research:

“Now then, I’ve tested this on 1,000 unique hits from windows PC’s only (Xp, Vista & Win7 only) and I achieved 96 infections from it, that means the rough infection rate is at 9.6%, that is a 3.5% rise from the great Elenore mod posted by Blackdevil. Most of the infections was from MDAC & the IE kit.”

The author then calls upon fellow malware authors for their help with updating the exploits to ‘fix’ the rise in detection rate of the malicious iframe. Also, the author lists some of the modifications he has made in this toolkit:

“Since I have tested it, the detection of the iframe has risen a lot, so in order to conduct a good test, someone will have to UD the exploits again.

I have also slightly fixed up the chrome & firefox exploits, I’m not 100% sure but they seem to be hitting at least, whereas they used to do nothing.”

In addition to the “open-source” exploit kit, the page contains a long list of anonymous proxy servers near the bottom as well as stolen credit card numbers along with the login credentials of dozens of individuals.

Here’s a screen-shot of what it looked like:

Screenshot of Stolen Credentials including CC#'s

We have confirmed that upon our notice, both Google and pastie.org have removed the illegal content, prior to publishing this blog post.