ABC of how people easily get infected

Discussion in 'malware problems & news' started by CloneRanger, Jul 10, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Happens every day to countless numbers of people. This is just one example of the steps involved in this particular exploit. User interaction is required, but as you will see it wouldn't automatically ring alarm bells to lots of people, i imagine. Scripting is also needed, but for most people, it would already be running by default :(

    The site is what you might call, a little risque, so if you are offended by such things don't visit. And if you do at your own risk.


    stv.gif

    Click on ANY image, ample :D to choose from, blank fake player placeholder appears

    play.gif

    fl1a.gif

    fl2.gif

    Next post
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    exe.gif

    f-exe.gif

    If instead you click

    fl1b.gif

    Click ANY option

    says.gif

    You still get the nasty, no surprise there then :D

    Unfortunately, to the unsuspecting the update alert process etc, ALL looks very authentic :( and something they might well have seen on a legit Flash update www.

    flash_player.exe = Trojan.Win32.Ransom = VT Result = 22/41 (53.66%)

    Ransomware = Not good :mad:
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Whilst i was doing all this, i was using ShadowDefender.

    After i had finished taking all the sceenies and posting the above, i tried to run flash_player.exe ProcessGuard lept in with allow/deny, clicked allow and my comp froze :eek: Did a hard reboot and all traces of my last session eliminated :)

    I doubt if that's what they intended to happen :D I'm not sure right now why the nasty didn't take hold ? But that doesn't mean it wouldn't on another comp, maybe yours, or someone you know :(
     
  4. wat0114

    wat0114 Guest

    So there's people dumb enough to allow a foreign version of ADODE FLASH on their machine's :eek: ?
     
  5. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    played around w/ this file on sandboxie :D no match at all, just click terminate all programs and viola!.... @CloneRanger ... the website link on your screenshots should have been removed. Somebody who thinks he is an expert might try this one and end up screwing himself. :)

    sandbox.PNG
     
    Last edited: Jul 11, 2010
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Who knows, maybe, but this is just an example of how things can happen that appear in EVERY way to be genuine ! Imagine if it was in a persons local language and/or one they understand. I think lots of people could very well be taken in by it and/or something similar, in fact they do Every day in Large numbers :( Not many people on here of course, but out there, well that's a different matter.

    :thumb:

    They are NOT clickable :thumb: and neither are ALL the ones you included in your screenie :p
     
  7. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    Hey I went to the site and had a blast. ;)

    This is a quite common method to lure people in to downloading malware.
     
  8. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    :D ... if you have new ones mind sharing the fun w/ me? (PM the link if you would) Thanks. :D
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    One of the most common and easy to fall for infection vectors that most PC newcomers encounter= P2P borne installs/infections.

    So today I searched a random string(Topical string but random none the less) and oh my look at all these files that are returned on the search results.

    Now at this point take it for granted that if i had used another random search term or in fact a legitmate search term those very same files would be returned in the search results(albeit with the new string inserted in the file title) as that is how they are spammed.

    Limsey.jpg
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Ade,

    Are all of those files infected with malware?


    thanks,

    ----
    rich
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi ya Rich,

    Of various descriptions...

    The Zips + Torrent are all sources for the installer executable for the Tracur botnet.

    The media files are a mix of Wimads exploits(prompts for file download of Tracur installer MZ under some phoney name) and License acqusition downloaders are mostly grabbing Mirar,PlayMP3z or Hotbar adware bundle installers.

    1 LA.jpg
    N2 LA.jpg

    Unfortunetly as all victims find out after installing the file,there is no free media at the end of trail.Just an annoying adware install that serves up ads around every 30-60 secs :(
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Ade, for your continuing good work!

    So, do people using P2P have to scan everything before daring to install anything? This sounds like a nightmare!

    ----
    rich
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey Rich heres another OMG moment for some vendors:eek:

    I fired up Limsey and searched "Codec" in all programs search.

    codecs.jpg

    Top results are 3 zips containing Tracur trojan as forecasted in my first post.

    The next group of zips, all around ~3500kb all contain the IFrame$ bundle downloader=Yellow key icon executable that imports TDSS rooter,FraudPack ABC downloader,Hiloti and a backdoor bot that has password stealing capabilities.

    That not the OMG part for me tho its the next lot of executable files listed(~10000kb+) that knocked my socks off when i first found them.

    Limewire by operations will not list the same MD5 twice even if the files have different names,so each line represents one unique binary.

    Here goes then, I went to one of the 10,000kb executables listing and selected browse host,standard practice when hunting malware on P2P land:thumb:

    Spam directory.jpg

    Not sure if its visble in the picture or not but when i took the screenshot the number of executable files on that host had exceeded 30000 but was still rising.

    A quick look through the directory confirms that they are all related to the ones seen under Codec's search but now we have shedloads of different search terms seeded. 30,000 unique trojan binaries= Why P2P is a high risk practice unless folks are clued up as to what they are doing:thumb:
     
    Last edited: Jul 15, 2010
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I didn't think many people used closed programs such as LimeWire anymore. Haven't most people moved on to acquiring "trusted" torrents from either private websites or public websites that have a large userbase that comment on nearly every torrent uploaded?

    Thanks.
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    To be honest Rich,

    No executable should be trusted from P2P land whether downloaded intentionally or imported by a media file.The risks out-weigh the gains by a country mile.

    The PlayMp3 installer had 11/42 hits at VT just now and the 2 biggest AV companies on the web and there alledged 100's of researchers just failed.

    I then uploaded one of the large executables to VT and got 17/42 hits(Mostly heuristic detections and only a couple positive identifications).

    That is the lay of the land today but i have seen 1000's of new malware binaries from the P2P land over the years either have none or dismal detections when sent to VT...
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Some have migrated onto such practices where as others stay with what they know\have known.

    Reputation based downloads is one way of reducing risks but that said even reputation ratings can be manipulated so all risks are not mitigated.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Fascinating! Thanks for the explanations.

    rich
     
  18. wat0114

    wat0114 Guest

    Maybe these people don't care because they can reformat and reinstall Windows again (this procedure because they probably know squat about imaging/restore software and anyway couldn't be bothered with the time it takes. Their out of date Nortons (sic) will save their butts ...LOL). Oh well, they will for sure get their movies, games, music and any codecs they need eventually, even if it takes getting slaughtered by a few malware files along the way. Heck, they can't be expected to tame all that adrenalin :p The way I perceive it, there are safe (within reason) p2p sites just as there are safe porn sites. It takes a bit of moxie is all to spot them :D
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    LimeWire is still used by lots of people i come across, and that's mainly, but not everywhere, they get blasted from.

    In nearly every case i've seen, it's usually teenagers looking for pirated music/films/apps/scr's etc. Serves them right :D Trouble is, a lot of them don't learn, or want to, thinking they were just unlucky those times, and next time will be different. Not :D

    *

    By the way, the www is still up and offering a nasty as a Flash update :(

    *

    @fcukdat

    Thanks for the extra info and screenies :thumb:
     
  20. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    WOW, this turned in to a enlightening and educational thread.

    Amazingly I have several friends who download from "trusted" P2P and never scan. Then they spend days clearing up an infection; the kicker is nothing learned in the process. They go right back to their old habits.
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Here's an example of a perfectly legit www that has been compromised with a nasty, and according to MDL it's a zeus v3 trojan :eek:

    un1.gif

    There is a file called ban00.jpg on there which is associated in some way with an .exe file

    I didn't get to DL the actual .exe but did grab the code - MZ@!L!This program cannot be run in DOS mode etc etc

    virscan.org Scanner results : 39% Scanner(s) (14/36) found malware!

    I presume the ban00.jpg might be in one of the Gallery pages ? as i didn't have time to go through them all.

    gal.gif

    Naturally the .exe would have to run to infect, but i imagine as people were viewing a legit www many would allow it, or it "might" auto run :(
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I couldn't get that page to load, but found references to that .jpg file elsewhere.

    Why do you suppose a site would have an .exe file spoofed as .jpg?

    You can't click to open because the default .jpg editor will throw an error:

    ban00.gif

    I use a text editor to double check:

    ban00-2.gif

    Usually spoofed executables are used in remote code execution exploits. (such as the current .lnk exploit where DLLs are seen as .tmp files on the USB drive).

    I used the MS06-014 exploit to demonstrate. The code attempts to dl the .jpe file, then rename it to an .exe, and then execute it:

    ban00code.gif

    banjpe.gif

    Since ban00.jpe was blocked from downloading, the code cannot create the svchost.exe file, hence, the error.


    ----
    rich
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833

    Hi rich, this is my experience with that www, whether it's a spoofed .jpg or not ? But something funny is happening on there o_O

    I had the www, including /ban00.jpg appended to it, scanned here

    unjs.gif

    The MZ file was detected, DL'd the Zip and uploaded it to virscan.org and got 14/36 hits as shown in my last post.

    Went back today and with the /ban00.jpg appended www i see this

    unwww.gif

    and even with scripting, nothing happens, and i don't see anything in the source ?

    I again DL'd 4a14b881d9d7fb2a7c0531bc917381f75bcc9ac6.zip from jsunpack and converted it to ban00.txt and also a copy of it. Then opened ban00.txt with metapad and deleted everything between PK and MZ and renamed it ban00.exe. Then renamed copy of ban00.txt to ban00.jpg

    fold.gif

    Uploaded seperately all 3 files to VT

    File ban00.jpg - Result: 17/42 (40.48%)

    File 4a14b881d9d7fb2a7c0531bc917381f75 - Result: 17/41 (41.47%)

    File ban00.exe- Result: 0/41 (0%)

    The detects are variously listed as ZeroDayThreat/Trojan/BackDoor/Sinowal

    Now either all those detects are FP's ? or something nasty is on that www.

    Regards
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    "MZ@!L!This program cannot be run in DOS mode"
    This string found in an .exe .sys .dll would be normal?

    In a .jpg should send off alarm bells?
     
Loading...
Thread Status:
Not open for further replies.