Cut the crap

Adware vendor gets MVP

2006-10-07T02:56:00.000+02:00

Yeah, you heard me right. Patchou AKA Cyril Paciullo, the creator of Messenger Plus, a notorious program containing adware (LOP) has been rewarded with a Most Valued Professional award. Now, I've never been very kind to Microsoft's policies, but this one really takes the cake. It this Ballmer's "advertisers advertisers advertisers" upcoming nightmare? What in the hell are they thinking?

Anyway, more here, here, here, here and a bunch of other links you'll find there.

As you can see, they are all really happy.

Stats, dialers, and hilariously bad products

2006-08-31T21:50:00.000+02:00

People complaining about dialer requests, puzzled surfers, strange requests of installation of suspicious software on otherwise clean sites; welcome to Netvision's latest scam: "free" stats with hidden dialer installation.

It all starts with people looking for "free" stats for their website; since many do not have the possibility to install a server-side visitor statistics for their web page, they look for free alternatives. Never mind that these are always hideously inaccurate, unreliable, and often come with ugly logos to boot: people want statistics. Some services, such as Shinystat, have been around for many years; although this service represent a minor annoyance with its tracking cookies, it's nothing compared to the crap that comes with freestat.ws, mystat.ws, puntostat.com, and all the other creations of Netvision/Carima, one of the worst trojan/dialer pushers in the world.

"Freestat.ws" claims to offer free statistics with no limitations: all you need to do is publish the code that they give you on your web page. But let's take a look at an example this so-called code:

<script type="text/javascript" language="JavaScript" src="http://www.freestat.ws/logo.asp?utente=17166"></script>

This is a simple JavaScript that we can download and analyze:

$ wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" http://www.freestat.ws/logo.asp?utente=17166

The first thing we notice is an iframe with zero height and width. Now, anybody who has ever seen malware installations knows how much these scammers love small iframes. This one from the page also points to a site with a moronic name, also a bad sign:

So let's see what that is:

The JavaScript function location.search returns the parameters in the querystring, in this case st=1&p=2, so we can replace location.search with "st=1&p=2", remove the first "if", turn the document.write into an alert and see what the page calls. Which turns to be:

http://http-ssl256-number-secure-systemiiieifuf666777lliiiiiliiili-com.net/winsc1/script-2.asp?st=1

And there already we spot the first dialer:

We can also note that in the same page, the page checks the response timings of the JavaScript, avoiding loading the dialer if the user has adsl or faster connection. Also, it just won't give up: if you say "no" to the installation, it will prompt you again to install their so-called "100% virus free" (yeah, right) crap. And again. And again.

But let's go back for a while. Now, the first page also contained a commented-out link to another page on another domain:

Which turns to be this:

"Protected with Web Encrypt 2.4"? Uhhhh... color me scared.

Please. This kind of protection is trivial to break. The grammatically-challenged homepage for Web Encrypt says "ultimate HTML & Javascript code protection". Give me a break. Not only this thing breaks accessibility, slows down web pages, and gives a totally false sense of security, it's also the favorite tool by scammers in their stupid attempts at hiding malware installations.

By the way, just how hard is it to break this so-called "encryption"? It took me about 6 minutes, and I'm actually ashamed it took me so long:

The linked page,
http://software-free.org/winupg/script.asp?id=2&wm=17166 calls another trojan/dialer installation, this time on
http://deposito.hostance.net/dialer/605684.exe

Like the one before, this page also checks the loading time (this time that of an image, on
http://138.188.193.166/adsl.jpg) and prompts the installation of the trojan only for modem-like timings.

In the end, never ever put up a "free" web statistics on your web page if you are not sure what they provide. Also, block these domains as soon as possible, as they are all related to the ugly Netvision/Carima dialer crap:

software-free.org (dialer loader pages)

trafficredlight.net (trojan repository)

hostance.net (trojan repository)

138.188.193.166 (trojan "loader checks")

freestat.ws (dialer scam stats)

specialstat.com (dialer scam stats)

statistiche.ws (dialer scam stats)

webmobile.ws (dialer scam stats)

superstat.info (dialer scam stats)

megastat.net (dialer scam stats)

puntostat.com (dialer scam stats)

http-ssl256-number-secure-systemiiieifuf666777lliiiiiliiili-com.net (dialer loader pages)

67.15.56.230 (counter/trojan dialer starter)

free-default-update-win-mac-free-antivirus-nospam-download.net (Netvision-related crap)

Gromozon: all you need to know

2006-08-26T12:28:00.000+02:00

After some sleepless nights, and after quite a few warnings on my part about the nastiness, it seems something is definitely moving.

The merit goes to Marco Giuliani of PrevX, who collected collected a few of the discoverings by me and other researches, but most importantly all his own discoverings (which are very detailed, and include great behavior analysis of the threat on an infected system).

Head on to Marco's pdf here.

Use this link if you have problems with the one above.

My blocklist

2006-06-27T00:44:00.000+02:00

In September 2005, I posted this message on the Wilders Security Forums:

Ok, since some of you use block lists, this is a block list I compiled in some time (I use this on web sites at work, where content managers can insert links: these are banned, so these are all forbidden to link anywhere on sites); please note that the list does not really include subdomains: an entry for "[site name].biz" automatically means than any subdomain entry should be automatically banned, so for instance "[example].[site name].biz" is not included in the list but should actually be blocked (this is implemented code-wise on sites, feel free to implement this your own way).

The list includes entries from various existing block lists, plus:

- link spam and blog spam sites (sites that were found in guestbooks and forums around the web and which were CLEARLY only used to increase search engine rankings)

- malware-hosting sites (excuding sites that host malware while CLEARLY specifying it is malware)

- sites using exploits

- sites related to known spammers

- some "tracking-cookie" sites (not many)

There are no IPs in the list (I personally forbid to link to IPs without a hostname).

There are more than a few that I personally didn't find on other block lists. I personally checked all of those and they are ALL questionable sites for the reasons specified above.

The list is a simple .txt file with a domain on each line.

Maybe some of you will find it useful. If not, then well, too bad.

Now since this list has become quite a big one and one that took me a long time to create and maintain, I am going to put a permanent link to it (it's on rapidshare). You can find the link on the links section of the blog (under "Malware block list") along with the sha-1 hash of the .txt file. By the way, the latest one can be found here http://rapidshare.de/files/24217548/banned.zip.html (NB: old link. See below).

SHA1(banned.txt)= 14e12e151311cf96916e76e085a7f4b256d609bf

Everyone is welcome to test this (such as adding these domains to his own IE "restricted" zone) and give his own impression, and especially everyone is welcome contributing to this list (frankly, I found both IE-SpyAd and Spywareblaster's restricted domains lists to be somewhat limited, that's why I started this thing).

By the way, recently I started adding IPs as well. So you will find some, but really only a few.

Edit August 13, 2006: updated blocklist at http://rapidshare.de/files/29269253/banned.zip.html

Is the AV industry failing?

2006-06-16T22:10:00.000+02:00

Well, it's been a while since my last posting on this blog. In the meanwhile, it seems that the sleazebags described here have been quite busy. First of all, they have been putting their trash all over the place in Google by spamming blog comments, putting fake referers, etc. Second, their latest infection method involves a little bit of social engineering technique as well. And third, they have been making sure that antivirus applications miss their newest trojans, or at least some of them (and by the way, most antivirus engines are slipping lately, I've seen even the best of them -- KAV and NOD32, of course -- missing dozens of threats... I'll send you the samples, but get you acts together, please).

Anyway, here's what I found on a new page of theirs while searching for malware in Google (by the way, the sentence "clicca su si", Italian for "click on yes", yelds dozens of malware sites... these people are so damn predictable...)

The page (horus.dnshighspeed.com/~liberaco/2/temisvoltiolocausto.html... do NOT open if you don't know what you're doing) shows graphics like this:

Soon to be followed by a WMF exploit (pic.tiff) and a funny-named executable (www.google.com... clever, huh?). The www.google.com executable has, of course, nothing to do with the domain, but it's a COM command.

When launched, the www.google.com executable tries to contact first 195.225.177.22 on port 80, then 195.225.177.145 on port 80 and will stay active unless you terminate it. Both those IPs correspond to servers in the Ukraine. See a pattern here? Oh, yes... you guessed right.

And so, what do have antivirus applications have to say about that "nice" piece of executable code? This:

You're not doing very good, guys. So being me overly curious, I'm trying to see what these scammers are up to this time, again. So I let my system try to see what kind of good stuff they have for people who try to execute this "www.google.com".

Well, file downloaded from 195.225.177.22 is a random-named executable called "3e2a8d.exe". Will this one be detected? Nope.

This is awful, just awful. Well, let's see what this "3e2a8d.exe" does. It extracts launches a "ptwx1.exe":

A little better. Of course, by this point, you'll likely have already your system infected and rootkited (some system errors that happened in the sandbox I used really seem to indicate that attempt).

EDIT at 4.02: forwarded to a bunch of security sites and sent samples to a bunch of AV companies. KAV detects the first two trojans, now (after I sent them the samples).

EDIT June 20, 3.09 PM: the main downloader is finally starting getting detected:

PS: also detected by BOClean (I contacted them).

EDIT June 23, 0.28 PM: another one has appeared, and this one is YET AGAIN undetected by all the antivirus engines:

The original page was (DO NOT OPEN!) http://www2521.webattrezzi.com/hurghada/; many more domains linking to this malware have actually been created, I found them in link spammed pages. I'm going to post a list here soon.

EDIT June 23, 0.51 PM: here's a (certainly partial) list of the domains to block. Please note that these are DOMAINS that should include all subdomains under them, you can't put them in your HOSTS file (and frankly, from what I've seen the subdomains are probably so many that you most probably won't be able to):

accettazione.com
adluvio.net
allineare.com
ambrato.com
annuncitutti.com
attesa.net
attrezziutili.com
azionamento.com
bruciarsi.com
buoncodice.com
casadiarte.com
codicecarta.com
dannidicervello.com
datiimportanti.com
delsud.net
devevedere.com
eamicizia.com
festaattuale.com
gbeb.cc
gromozon.com
guerredellastella.com
horus.dnshighspeed.com
imparilo.com
importanti.net
lavostraricerca.com
maniinsu.com
nubibianche.com
nuovoordine.com
nuovosenso.com
potetefarli.com
sanguinante.com
sededolce.com
segualo.com
soddisfare.com
speziazona.com
stampabile.net
superaquota.com
unanuovavolta.com
unoprincipali.com
uomodelferro.com
webattrezzi.com

It's quite obvious that these are targeting Italy. It's also obvious that the authors of these exploit/trojans can NOT speak Italian (some words don't make any sense and they clearly come from an automated traslator).

EDIT June 23, 22.02: added gbeb.cc and gromozon.com to the "domains to block" list above, as I'm not sure it was clear (the previous article underlined that THOSE are respectively the javascript loader and the trojan repository, but it was written in Italian).

"what-to-do.net"

2006-05-30T01:49:00.000+02:00

Il 29 Maggio 2006 su it.comp.sicurezza.virus è stato segnalato un sito contenente una grande (ma purtroppo, neanche troppo "insolita") quantità di malware.

Ne segue un'analisi.

Il sito segnalato, http://virgilio.what-to-do.net/primisintomogravidanza/ (NON visitatelo se avete dei dubbi sull'efficacia delle vostre protezioni), contiene vari exploit e trojan, nonché una metodologia d'infezione che ricorda molto da vicino quella di iframecash/smitfraud.

La pagina su virgilio.what-to-do.net non contiene malware, ma questo è richiamato da un sito esterno tramite un javascript nel body:

Ormai pratica comune di questi script è quella di offuscarne i contenuti. Come da me precedentemente detto in questo blog, la "decodifica" risulta quasi sempre banale.

Il contenuto della pagina richiamata dal javascript è questo:

Per avere un'idea del contenuto effettivo (e cioè non "offuscato") dello script, è bastato aggiungere un paio di tag html e sostituire l'istruzione "eval" nello script con un alert:

Il risultato è stato questo:

A questo punto è stato possibile analizzare gli effettivi contenuti del malware. NB: Kaspersky 6 mi ha avvertito subito di due contenuti maligni (un exploit WMF ed un Trojan-Dropper.Win32.Small.aol) quando ho visitato la pagina sopra detta per la prima volta, ma dato ho già visto questo genere di pagine piene di exploit e mi rendo conto che gli antivirus per varie ragioni (prima fra tutte che non tutto ciò che è contenuto viene effettivamente caricato) segnalano solo una parte di ciò che è effettivamente contenuto.

Ho proceduto a visitare il secondo link, un IFRAME: i malware segnalati dal Kaspersky erano su quel dominio, ed il primo è un noto "contatore" di accessi.

Il suddetto IFRAME contiene altri 3 IFRAME, più un applet.

Il primo è gromozon.com/b88db6cc/50300/2/pic.php; questo contiene un refresh sull'exploit WMF localizzato su gromozon.com/b88db6cc/50300/2/pic.tiff (l'immagine non è una tif o tiff, è una WMF, è Internet Explorer la riconoscerà come WMF indipendentemente dall'estensione, per cui in una versione non patchata l'exploit avrà successo comunque):

L'applet immediatamente seguente si trova su gromozon.com/b88db6cc/50300/8/stat.jar. Anche questo è un noto malware/exploit:

Il secondo iframe, su gromozon.com/b88db6cc/50300/5/ccr.htm, è anch'esso codificato. Usando una tecnica simile alla precedente (leggermente diversa, ma non starò qui a descriverla), ne salta fuori che contiene un probabilissimo createControlRange exploit:

Stranamente, l'upload su Virustotal ha dato il file .js come completamente pulito. È possibile che questo sia dovuto ad una mancata (e abbastanza comune) rilevazione dei javascript come file maligni, oppure questo è effettivamente un nuovo exploit (un exploit createControlRange è già stato segnalato più di un anno fa, vedi http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0183.html). L'ho inviato a Kaspersky, staremo a vedere.

Il terzo IFRAME fa un refresh su gromozon.com/be7cc983/50300/1/Microsoft.exe; su VirusTotal:

L'ipotesi più probabile è che il precedente createControlRange exploit (esecuzione di codice da remoto) si occupi di lanciare l'eseguibile qui sopra senza interazione dell'utente.

Una delle cose più interessanti del sito è che i link cambiano in continuazione: tutti i link sopra descritti nel giro di mezz'ora non esistevano più. Una nuova visita al sito ha poi rivelato che i vari "b88db6cc" presenti nell'URL erano stati sostituiti con nuove stringhe pseudo/random. Probabilmente si tratta di un cron job automatico sul server che regolarmente cambia i link e il javascript che li carica.

Again on the botnet I found

2006-05-14T14:45:00.000+02:00

SANS published the story about the botnet I found last night (they are between the first I contacted). I see they contacted Google about blocking all payments of the clicks. That's good.

CWS... wide open?

2006-05-14T03:31:00.000+02:00

It was bound to happen, I guess. While doing the usual research for in-the-wild malware samples to send to antivirus/antitrojan vendors (ok, shut up, some hobbies are even dumber than this) I stumbled upon the classic site that the stupid admin left "wide open". The difference is, this was actually a Coolwebsearch hijacker remote admin site. Take at look at this:

This happens to ba remote console for the "hijacked" PCs, with IP, clicks, remote shutdown, etc. The page goes WAY down, in a few minutes I've seen this remote console reporting of 600-something hijacked PC online at the same time. Hum. Oh, yeah, the guys are so nice leaving everything wide open for us all to see. Thanks for your stupidity guys, now I've got:

- the hijacker malware sample that's gonna be sent to ALL the Antivirus companies in the World (apart from your own "rogue" trash, of course)

- a list of your sites that I didn't know of and that are gonna be added to my blocklist

I forwarded this to people who might be interested, too.

The 'hostance.net' dialers have a new home

2006-04-28T02:22:00.000+02:00

Well, this major repository (also known as TrafficAdvance and Carima Ltd), responsible of creating and hosting tens of thousands of repacked trojan/dialers, has a new home: traffic-advance.net (with dialers being typically pushed from deposito.traffic-advance.net).

Here's the whois:

Domain Name: traffic-advance.net

   Created on..............: 03 Apr 2006 12:55:10
   Expires on..............: 03 Apr 2008 12:55:10

Administrative Info:
   CARIMA ENTERPRISES LIMITED
   CARIMA ENTERPRISES
   45 Welbeck Street
   London, UK W1G 8DZ
   GB
   Phone: +1.2402555993
   Fax..: +1.2402555993
   Email: ******************@lycos.co.uk

Technical Info:
   CARIMA ENTERPRISES LIMITED
   CARIMA ENTERPRISES
   45 Welbeck Street
   London, UK W1G 8DZ
   GB
   Phone: +1.2402555993
   Fax..: +1.2402555993
   Email: ******************@lycos.co.uk

Registrant Info:
   CARIMA ENTERPRISES LIMITED
   CARIMA ENTERPRISES
   45 Welbeck Street
   London, UK W1G 8DZ
   GB
   Phone: +1.2402555993
   Fax..: +1.2402555993
   Email: ******************@lycos.co.uk

Status: Locked

Put "traffic-advance.net" in your block lists as soon as possible. There are reports of hijacks already.

EDIT: please note that "hostance.net" is still up as well, and still hosting trojans. So don't remove that one.

And another IE remote hole...

2006-04-28T00:14:00.000+02:00

Well, remember that day when the last IE remote hole was posted? Here's another one:

"A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to a race condition in the processing of security dialogs when prompting a user to install/execute an ActiveX control, which could be exploited by remote attackers to manipulate the dialog box and remotely compromise a vulnerable system by convincing a user to visit a specially crafted Web page and perform certain actions (e.g. write a specific text in a text field) that will cause a malicious ActiveX control to be inadvertently installed and/or executed".

http://www.frsirt.com/english/advisories/2006/1559

Yawn.

If you use Ethereal, update as soon as possible

2006-04-27T02:21:00.000+02:00

From SANS: "Yes, if you use Ethereal, it is time to upgrade. According an advisory posted by Frsirt, 28 vulnerabilities has been identified in Ethereal "which could be exploited by remote attackers to compromise a vulnerable system or cause a denial of service.""

http://isc.sans.org/diary.php?storyid=1288

28 vulnerabilities? Wow. Ethereal is a great program, but it's time they really think about security. OpenBSD even removed it from its ports as a consequence of its problems.

Maybe I'll try to "sandbox" it through Core Force and see what can be done, but still, it might be that because of Ethereal's inherent privileges it's not going to be enough.

Yet another IE remote security hole

2006-04-26T22:19:00.000+02:00

From Secunia: "Michal Zalewski has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of certain sequences of nested "object" HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site.

Successful exploitation allows execution of arbitrary code".

Sheesh. "Execution of arbitrary code". And I thought this was serious *sarcasm*.

http://secunia.com/advisories/19762

Name change

2006-04-25T18:03:00.000+02:00

Well, I changed the name of this blog, since I found out that the "Destroy All Malware" name was already taken. Too bad, it was a nice name. Anyway, I didn't want to spend too much time thinking of a good name, so I just name it "Cut the Crap". You don't like it? I don't care.

2006-04-25T13:20:00.000+02:00

The guys at Sunbelt found a fake Red Cross site that tries to exploit the browser's vulnerabilities.

The interesting thing is that this one exploits Firefox too. It works only on quite old versions, but still, this is the first Firefox exploit "in the wild" I've seen being used by actual malware distributors.

So update your Firefox to the latest version if you haven't done it already.

What's behind link spam

2006-04-24T19:25:00.000+02:00

Chances are that if you ever created a weblog or a guestbook, you've come know that "nice" phenomenon known as link spam. I'll show you who the people behind this typically are, and they are not nice people.

Here's an example:

Lots of crappy links. Ever wondered what clicking on one does (note: DON'T). Well, it brings you to a page like this:

Nothing but a bunch of nonsense and pasted text. So why would anyone bring anybody to a page like that? Unfortunately, there's more than meets the eye. Notice that red circle on the top-left. In the center, you can see a small square. That's an iframe, one of the two idiotic techniques that people behind malware use when trying not to be seen.

The iframe itself, of course, uses the other idiotic technique: javascript obfuscation. Considering how easy it is to deobfuscate this things, I wonder why the bother in the first place. Oh, maybe because antivirus link checkers are completely fooled by something this simple. Heh.

So what's in the iframe? Well, this one for instance has:

That, in mechanism that took me the amazing incredible time of 2 minutes to decrypt, is something like this:

Note that I snipped the image, as the code extended way beyond: click to see the image with the whole code... and don't try that code at home... ;)

And what's that? Nothing but a series of exploits that attempt to break the visitor's machine as much as possible. This is the what the whole scam tries to do:

- determine whether you have Norton or McAfee antivirus through the use of an ActiveX object; if yes, they avoid loading some exploits that they know Norton and McAfee recognize; yes, IE, Norton and McAfee are such amazing products that they let the malware people directly manage what kind of exploits or malware it's safer to load. Wow

- it might determine (server-side) whether you are using Internet Explorer (if not, some of these iframes won't load anything); I wouldn't visit any of these links with the swiss cheese known as IE if I were you (then again I wouldn't visit ANY site with that swiss cheese anyway). But if you want to explore the actual "full exploits" page you can always download these through wget with the --user-agent option; you don't know what wget is or how to set the --user-agent? Don't bother in the first place.

- load, of course, a series of exploits and malware, such as this trojan (195.225.176.34/ad/0118/get.php?file=exe):

and this (195.225.176.34/ad/0118/files/spl/Microsoft_Windows_Advanced_Upgrade_Wizard_Logo2______________________________________________________________________.emf):

and this (195.225.176.34/ad/0118/files/spl/ani.anr):

and this (195.225.176.34/ad/0118/files/spl/java/java.jar):

and this (195.225.176.34/ad/0118/get.php?file=hta):

and this (195.225.176.34/ad/0118/files/spl/onload/fillmem.php):

Weird, they didn't use the CreateTextRange exploit, maybe they're slipping, huh?

And of course, who are these people? You guessed it, Coolwebsearch.

So, for the love of God, fix your guestbooks and blogs. Please. Don't let this criminals make money by infecting more people.