Sunday, June 21, 2009

A BOZO way of advertising your website

I received a message today with a link to hxxp://201[.]3[.]192[.]61/~compras/postcard[.]jpg[.]exe.

Postcard.jpg.exe has been identified as Hoax.Phiscop.A by various anti-virus vendors, and has the following hashes:

MD5: 7f283acb3ce6a004697c2ada3c0da539
SHA1: c8cd13b4232942ef64114e90795f8d6f7ca82aeb

Once launched, the binary performs a DNS lookup for www.phishcop.net, and attempts to get star.gif from the website.


The application then pops up an alert window insulting the user:

Or for those who prefer, the screenshot of the actual window:


PhishCop's website shows that just over 5700 visitors have visited their website. Approximately 4288 unique IPs have run their mostly harmless executable. It appears the counter started in 2005. By all standards, this would be the smallest botnet I've ever seen.



I've always been a big fan of user education - however I believe this is taking it too far. Whois reports show that the domain was registered in 2005, and it does not appear there is anything malicious with the domain or the binary. Still, this is an irresponsible way to educate users not to click links in email.

Furthermore, visiting http://201[.]3[.]192[.]61/~compras/ shows the following page:


Looking back through the Phishcop site, I noticed: Total unique IP addresses that have visited a fixed phishing site: 70465.

This suggests to me that the individual(s) behind www.phishcop.com have placed files on the remote server. A remote server that they may not control. By doing so, they have damaged forensic data, accessed and modified data that did not belong to them, and depending on the phish, could have stolen private data. After several years working as an incident investigator and even more working in the botnet scene, I find it hard to believe the owner of the site would authorize "phishcop" to make these modifications on their behalf.

Looking through my webspider history, it looks like Phishcop has been very active over the last few months. Dozens of phishing sites have redirects to Phishcop.

In the event you come across a phish or malware hosted site -- please be careful what you do with the information. You have no rights to hack a server that does not belong to you - even if it is spewing illegal or malicious data. In fact, you may damage any chance of investigation by doing so. Report phishing, malware, and other such activities to your government's CERT team, law enforcement, the victim's hosting provider or well known anti-malware/phishing teams like Shadowserver. These individuals are more likely to be trained in proper incident handling and forensic gathering procedures. Additionally, this gives the victim the best chance to fix the code that allowed the attacker in.

Please report any PhishCop modified websites as well. If you feel uncomfortable speaking with the above mentioned groups - you may report them to me. I will contact the proper authorities and victims for you.

UPDATE:

Threat Expert has something up on this as well: http://www.threatexpert.com/report.aspx?md5=7f283acb3ce6a004697c2ada3c0da539

This Google Search shows other sites with "PhishCop" pages:
http://www.google.com/search?q=%22This+has+been+a+public+service+of+http://www.phishcop.net%22+-site:www.phishcop.net&hl=en&filter=0

Note the ftp.klos.com hit is actually the guy who owns Phishcop. The FTP server also has some PHP shells/backdoors that could be used to further compromise a server.

If your site contains any of the following files, it may indicate that PhishCop was there:



Saturday, June 13, 2009

Twitter Trending Topic Malicious Link

I was reading through my twitter feed, and found a "trending topic" that caught my eye...

Since I share the common name and the link had the word girls in it -- I felt a burning desire to visit.

OMG!!! PORN!!! .. [click][click][click][click][click][click][click]!!!!





Yes!! YES !! Whatever!!! GIMME PORN!!!!!!








Damn!! It doesn't play in Linux! Where's my windows virtual machine?!?!?!? I gotta have that porn!!!!

As you might guess, the file is malicious.

It communicates with:

reportsystem32.com (216.240.146.119) (*C&C Traffic: senm.php?data=)
thenewpic.com (66.148.80.4)
theimagesphoto.com (98.126.41.36)

It uses a "wget 3.0" user agent.

The binary hashes are:
bb2b506b53a8f3322f850c9810b888f3 TubeViewer.ver.6.48305.exe
a1c8cc33e806315af751373821ca1ed574b239e0 TubeViewer.ver.6.48305.exe

The dropper created a.exe and b.exe in my %temp% directory.

VirusTotal shows that only 10 out of 40 AVs catch the initial downloader.

Anubis results are available here.

Bottom line -- no porn.


Monday, May 25, 2009

Wireless Hotel Network Security

I spend lots of time on the road, both professionally and personally. Generally I have no problems connecting to a hotel or lounge access point and opening an SSH tunnel to a personal server.

From there I open up a SOCKS proxy and tunnel all of my web connections. If you've read my Twitter feed, you know that I recently went on a trip to Southeastern Colorado. While I was there, I connected to the wireless network at the hotel.

I immediately noted the connection monitor showing a large number of inbound packets. Curious, I launched TCPDump to monitor those incoming packets.

I had more incoming packets than I could possibly keep up with. Most of the packets came from two hosts on the network. These two hosts were trying to connect to my machine on common Microsoft ports. After a few moments, the connection attempts stopped, only to resume a few minutes later. These attempts slowed the network to a crawl - it was just not worth using the connection to build my tunnel.
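The pattern described above (a few hosts repeatedly sending connection attempts to the common Microsoft ports) can be picked out of tcpdump output without watching it live. The following is an added example, not from the original post; it assumes the default "tcpdump -n" line format and treats 135, 139 and 445 as the "common Microsoft ports", and the capture lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Ports taken as the "common Microsoft ports" the post mentions (assumption).
MS_PORTS = {135, 139, 445}

# Matches the start of a tcpdump -n line for a TCP SYN, e.g.
# "21:14:02.101 IP 10.0.3.17.1075 > 10.0.3.40.445: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)

def find_scanners(lines, min_syns=3):
    """Return {src: {port: count}} for every source that sent at least
    min_syns SYNs to Microsoft ports in the supplied tcpdump lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SYN, or not a line in the expected format
        port = int(m.group("dport"))
        if port in MS_PORTS:
            hits[m.group("src")][port] += 1
    return {src: dict(ports) for src, ports in hits.items()
            if sum(ports.values()) >= min_syns}

# Constructed sample of tcpdump -n output (not a real capture): two hosts
# probing the laptop at 10.0.3.40, plus ordinary traffic that must not match.
SAMPLE = """\
21:14:02.101 IP 10.0.3.17.1075 > 10.0.3.40.445: Flags [S], seq 1, win 65535
21:14:02.102 IP 10.0.3.17.1076 > 10.0.3.40.139: Flags [S], seq 1, win 65535
21:14:02.103 IP 10.0.3.17.1077 > 10.0.3.40.135: Flags [S], seq 1, win 65535
21:14:02.104 IP 10.0.3.22.1100 > 10.0.3.40.445: Flags [S], seq 1, win 65535
21:14:02.105 IP 10.0.3.22.1101 > 10.0.3.40.445: Flags [S], seq 1, win 65535
21:14:02.106 IP 10.0.3.22.1102 > 10.0.3.40.445: Flags [S], seq 1, win 65535
21:14:03.500 IP 10.0.3.40.1200 > 74.125.0.1.80: Flags [S], seq 9, win 65535
21:14:03.900 IP 10.0.3.9.3000 > 10.0.3.40.445: Flags [S], seq 2, win 65535
21:14:04.000 IP 10.0.3.40.445 > 10.0.3.9.3000: Flags [R.], seq 0, ack 3, win 0
""".splitlines()

if __name__ == "__main__":
    # Feed a real capture with: tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0' | python3 this.py
    for src, ports in find_scanners(SAMPLE).items():
        print(src, ports)
```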

Instead I fired up Nepenthes, a honeypot I regularly use for botnet and malware research. Nepenthes dutifully responded to the probe attempts, and quickly started gobbling up shellcode.

A number of attempts were made to download malware from a third server, which appeared down or could not be reached due to the poor network connectivity.

I quickly plugged in my broadband card, and attempted to "wget" the binary. No such luck - the remote server was in fact down. A quick look through my Shadowserver archive shows this IP was related to hostile activity several years ago.

I followed the email threads and found similar internal network denial of service statements. Without the actual binaries I can only assume that these are the same bots. If that is the case, this stager was pulled offline over a year ago. Even though the C&C didn't continue to spew commands, the bot continued to scan the network. Had the payload been slightly different, it could have continued to spread, and machines that had not been patched against this exploit would have been infected.

While it was unlikely that this host would have infected anyone in the hotel - I still felt obligated to contact the front desk. I gave them the IP and let them know that the machine was trying to attack my laptop. Of course the desk clerk reiterated the wireless terms of service, stating that they are not responsible for attacks from others on their network. I can't blame them. How many guests report that their firewall just identified a hacker every couple of hours?

As I left, he started complaining to a co-worker that the network was extremely slow; "Google won't even come up fast," he said.

Oh my... That will be the last time I stay at that hotel - who knows how many people have compromised their reservation system because it's on the same network as their wireless customers? Who on Earth would surf from the same PC they use for storing customer data? Certainly none of you -- right?

Nicholas


Wednesday, April 22, 2009

Waledac SMS Spy Trojan

The Storm/Waledac group has released a new trojan, this time looking to trick unsuspecting users into downloading an application that will monitor their significant other's SMS messages.

The email I received is:
From: "Nina Reyes"
To: REDACTED
Subject: Is your partner cheating on you?

Keep a spy eye on your Girlfriend's mobile hxxp://ytgga[.]eccellentesms[.]com/
(url obscured by me)
The site's page looks like this:

The link points to smsspy.exe or smstrap.exe, a Waledac variant. Mine had the following MD5 and SHA1 hashes:


083800074c6bad01e08b62f05d19ba66 smsspy.exe (MD5)
14c49220f43e2aa53af032a5205520f72ae9d8a4 smsspy.exe (SHA1)

DNS mining revealed the following fast flux domains in use by this same campaign:

Looks like this campaign has been around for a few days. I had disregarded the messages as suspect pharmacy/ED spam.
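The DNS-mining result above (zero-TTL A records, with the same address reused behind several throwaway domains) is the shape of a fast-flux campaign, and it can be scored automatically from dig-style answer lines. This is an added example, not part of the original post; the records it scores are constructed under .test with RFC 5737 documentation addresses, and the thresholds are assumptions.

```python
from collections import defaultdict

def parse_a_records(lines):
    """Parse dig-style answer lines "name. TTL IN A addr" into
    (name, ttl, addr) tuples; anything that is not an A record is skipped."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[2:4] == ["IN", "A"]:
            out.append((parts[0].rstrip("."), int(parts[1]), parts[4]))
    return out

def flux_candidates(records, max_ttl=60):
    """Flag domains showing the fast-flux pattern from the post: a very low TTL
    plus either several addresses for one name or one address shared by several
    names. Returns {domain: [reasons]}; a low TTL alone is not enough (CDNs do that)."""
    by_addr = defaultdict(set)   # addr -> domains seen behind it
    by_name = defaultdict(set)   # domain -> addrs it resolved to
    min_ttl = {}
    for name, ttl, addr in records:
        by_addr[addr].add(name)
        by_name[name].add(addr)
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    flagged = {}
    for name, addrs in by_name.items():
        if min_ttl[name] > max_ttl:
            continue
        reasons = []
        if len(addrs) >= 2:
            reasons.append("resolved to %d addresses" % len(addrs))
        shared = sorted(a for a in addrs if len(by_addr[a]) >= 2)
        if shared:
            reasons.append("shares %s with other domains" % ", ".join(shared))
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample answers (not real lookups): three campaign-style names,
# one low-TTL but unique record, one static record, and one non-A line.
SAMPLE_RECORDS = """\
smsexample-a.test. 0 IN A 192.0.2.10
smsexample-b.test. 0 IN A 192.0.2.10
smsexample-a.test. 0 IN A 198.51.100.7
smsexample-c.test. 0 IN A 203.0.113.42
cdn-like.test. 30 IN A 198.51.100.200
static.test. 86400 IN A 203.0.113.5
smsexample-a.test. 0 IN NS ns1.example.
""".splitlines()

if __name__ == "__main__":
    for name, why in flux_candidates(parse_a_records(SAMPLE_RECORDS)).items():
        print(name, "->", "; ".join(why))
```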

Are you going to generate a blocklist or search your netflow for signs of infection? You can start with the 200 or so IPs in this text file: waledac-4-21-2009.txt.


Thursday, April 16, 2009

Sites that don't validate content

I received a tweet invite to play a speed typing game today.

The game is hosted at a site called Fast140. After a few attempts, the best I could do was about 105 words per minute, which is pretty amazing, since the text is simply repeating other individuals' tweets. Some people have really poor spelling, and your first action is to correct their faults. My average was around 85-90 wpm.

The site even protected against cheating: I could not just cut and paste the text (without modifying the code).

Then I saw it...

All of my network traffic is captured for later analysis (malware research). A quick review of the packet data shows that the site simply updates the typing speed based on user input -- so by "replaying" one POST packet, with a slight modification, I was able to elevate myself to the fastest typist.

POST http://fast140.com:80/play/check_high_score.cfm?wpm=222.3 HTTP/1.1

Then I went overboard and exceeded 222 WPM, so I now rank "0".

I did not modify any other data, other than to change the POST variable from 105 to 122, 222, 215 then to 9999. Not really a hack - more of a cheat, but have you ever wondered what else you can do by modifying data sent to a website?

Does your site protect against this? It should!
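The fix for the problem above is to stop trusting a client-supplied score at all: the server already knows what text it handed out and when, so it can compute the speed itself and refuse replays. The following is an added example, not Fast140's code; the session store, the one-attempt rule and the 250 wpm sanity ceiling are assumptions, and the request/response plumbing of the real site is left out.

```python
# Constructed in-memory session store; a real site would keep this server-side
# (database or signed session) keyed by an unguessable session id.
SESSIONS = {}

def start_game(session_id, prompt_text, now):
    """Server records the prompt and the start time; the client never sends either."""
    SESSIONS[session_id] = {"prompt": prompt_text, "started": now, "done": False}

def check_high_score_vulnerable(params):
    """The pattern in the post: the score is whatever the client put in ?wpm=."""
    return float(params["wpm"])

def check_high_score(session_id, typed_text, now, max_wpm=250.0):
    """Hardened: derive WPM from server-side timing and the text actually typed.
    Raises ValueError for anything that does not add up instead of scoring it."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["done"]:
        raise ValueError("unknown or already-scored session")  # blocks replays
    sess["done"] = True  # one result per game, even if the check below fails
    elapsed_min = (now - sess["started"]) / 60.0
    if elapsed_min <= 0:
        raise ValueError("implausible timing")
    if typed_text != sess["prompt"]:
        raise ValueError("typed text does not match the prompt")
    wpm = len(sess["prompt"].split()) / elapsed_min
    if wpm > max_wpm:
        raise ValueError("implausible speed: %.1f wpm" % wpm)
    return round(wpm, 1)

if __name__ == "__main__":
    prompt = "the quick brown fox jumps over the lazy dog"   # constructed
    start_game("demo", prompt, 1000.0)
    print(check_high_score("demo", prompt, 1006.0))        # 9 words in 6 s
    print(check_high_score_vulnerable({"wpm": "9999"}))     # trusts the client
```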

PS: I know I wasn't the first to figure this out -- and judging by some of the other top 10 typists, it's probably not even a secret. It's nothing more than an example.
