Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Posts Tagged ‘analysis’
August 27th, 2014

Self-propagating ransomware written in Windows batch hits Russian-speaking countries

Ransomware steals email addresses and passwords; spreads to contacts.

Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes in an “agreement’ were made and the victim needs to check them before signing the document.

msg
The message has a zip file in an attachment, which contains a downloader in Javascript. The attachment contains a simple downloader which downloads several files to %TEMP% and executes one of them.
payload
The files have .btc attachment, but they are regular executable files.

coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is gpg executable
day.btc is iconv.dll, library necessary for running gpg executable
tobi.btc is   Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication

After downloading all the available tools, it opens a document with the supposed document to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.

msg2 Read more…

March 18th, 2014

Fake Korean bank applications for Android – Pt 3

Recently, we discovered an account on GitHub, a service for software development projects, that has interesting contents. The account contains several projects; one of the latest ones is called Banks, and it has interesting source codes.  The account contains information like user name, photo, and email address, but we cannot tell who the guy in the picture is. He might not be related to the contents at all, it could be a fake picture, fake name, or simply his account may have been hacked, his identity stolen, and the Banks repository created by someone else without his consent. In this blog post, we will explore the source codes in detail.
korea-03

When we downloaded the repository, we found several directories – GoogleService and fake applications imitating mobile applications of five major Korean banks – NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank and Woori Bank.

korea-02

 

We previously published two blog posts with analyses of the above mentioned fake applications.

When we look at GitHub statistics, and Punchcard tab, it tells us what time the creators were most active. From the chart below you can see, that Saturday mornings and evenings and Sunday evenings were the most active times of comments of new versions. It seems that authors of this application do the development as a weekend job. At the time of writing this blogpost, the last update of fake bank applications was in the beginning of January 2014.

korea-20

This is not the first attack against users of Korean banks. About a year ago, we published this analysis.

Conclusion

Github, the web-based hosting service for software development projects, offers a lot of interesting contents, which depending on its settings can be later found and accessed by virtually anyone, including Google robots.  We managed to find the above mentioned repository by simply Googling the strings which occurred in a malicious Android application.

Acknowledgement:

The author would like to thank to Peter Kalnai and David Fiser for help and consultations related to this analysis.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

March 7th, 2014

Google Play: Whats the newest threat on the official Android market?

Official app stores are the primary sources to finding and downloading apps. Experts advise users to stay within the official app stores as they are approved ecosystems, which are widely recognized as safe. But are these sources really trustworthy? Some experts, however, claim that “Android malware is non-existent and security companies just try to scare us. Keep calm and don‘t worry.“ So which is it?

We’ve already blogged about plenty of threats that sneak onto your device from trusted sources, but here we have a really fresh one, one that  is still undetected by other security vendors. An Application called Cámara Visión Nocturna (package name: com.loriapps.nightcamera.apk), which is still available in the Google Play Store as I am writing this post, is something you definitely don’t want to have on your Android device.

Blg1

Starting with the application’s permissions you might notice there are some unusual requests for an app that should be able to work only using your camera.

    <uses-permission android:name=”android.permission.CAMERA” />

Read more…

March 3rd, 2014

Fake Korean bank applications for Android – part 2

In February, we looked at the first part of the fake Korean bank application analysis along with Android:Tramp (TRAck My Phone malicious Android application), which uses it. In this blogpost, we will look at another two Android malware families which supposedly utilize the same bunch of fake Korean bank applications. At the end of this article, we will discuss the origin of malware creators.

Analysis of Android:AgentSpy

It is interesting to search for references of bank applications package names – KR_HNBank, KR_KBBank, KR_NHBank, KR_SHBank, KR_WRBank. One reference goes to a malicious application called Android:AgentSpy. The infection vector of this application was described by Symantec, contagio mobile and Alyac. We will not delve into details, we will just mention that the malicious application is pushed to a connected mobile phone via ADB.EXE (Android Debug Bridge). The uploaded malicious file is called AV_cdk.apk.

Android:AgentSpy contains activity MainActivity and several receivers and service CoreService.

BootBroadcastReceiver

Monitors android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT and if received, starts CoreService. It also monitors attempts to add or remove packages – android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED.

CoreService

1) Calls regularly home and reports available connection types (wifi, net, wap), IMSI, installed bank apps

2) Regularly polls C&C and responds to the following commands

sendsms – sends SMS to a given mobile number

issms – whether to steal received SMS or not

iscall – whether to block outgoing call

contact – steals contact information and upload them to C&C

apps – list of installed bank apps

changeapp – replaces original bank applications with fake bank applications

move – changes C&C server

PhoneListener receiver

Moniors new outgoing calls. If android.intent.action.NEW_OUTGOING_CALL is received, information about the outgoing call is sent to C&C.

Config class

Contains C&C URL, name of bank packages (String array bank), name of fake bank packages (String array apkNames). It also contains reference to conf.ini configuration file.

koreanbanks_agentspy_config

Analysis of Android:Telman

One more Android malware family, which uses fake bank applications is called Android:Telman. Similarly to Android:Tramp and Android:AgentSpy, it checks for installed packages of the above mentioned banks. Read more…

February 17th, 2014

Fake Korean bank applications for Android – PT 1

About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blogpost we will look at a fake bank application and analyze several malware families which supposedly utilize them.

Original bank application

We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.
korea-08

Read more…

January 27th, 2014

Malformed FileZilla FTP client with login stealer

Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients.

The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on hacked websites with fake content (for example texts and user comments are represented by images.)

web_01 web_02 web_03

 

Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same.

The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.

The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.

about_windows

Read more…

November 21st, 2013

Ransomware shocks its victims by displaying child pornography pictures

In our blog, we wrote several times about various types of Ransomware, most recently about CryptoLocker. In most cases, ransomware has pretended to be a program installed into a victim’s computer by the police. Because of some alleged suspicious activities found on the user’s computer, ransomware blocks the user from using the computer and demands a ransom to unlock the machine or files.

Different ransomware families have different graphics and skins, usually showing intimidating images of handcuffs, logos of various government and law enforcement organizations, policemen performing inspections, government officials, etc… You can read some of our previous analyses on our blog – Reveton, Lyposit, Urausy – are the most prolific examples of such ransomware.

In this blog post, we will look at the functionally of the same type of ransomware, but one which displays more annoying and disturbing photos. After showing the message saying, “Your computer has been suspended on the grounds of viewing illegal content,” accompanied with the current IP address, name of internet service provider (ISP) and the geographical location, it displays several pictures of child pornography!
01_censored Read more…

Comments off
August 1st, 2013

Malicious Bitcoin Miners target Czech Republic

Single BitcoinToday we are going to talk to those of you who use Bitcoin digital currency to pay for a variety of goods and services – along with a warning about yet another source of Bitcoin miners – the sharing services. You may think that if you avoid cracks and keygens while browsing the web you will be safe. Well, we would recommend that you reconsider that position. Recently we found that on the uloz.to file sharing service someone uploaded a lot of fake files containing Bitcoin miners!

Bitcoin Mining service

First a little background for the uninitiated: Bitcoins can be obtained by trading real currency, goods, or services with people who have them or alternatively, through mining. The mining process involves running software that performs complex math problems for which you’re rewarded a share of the income. There are a finite amount of Bitcoins to be had, and mining for them can be compared to extracting gold or diamonds from the earth. The more you get, the fewer there are to be had, so it becomes increasingly harder and more expensive. Here’s a descriptive article about mining.

Bitcoin mining services such as bitminter.com use shared computer resources of their users to mine new Bitcoins. In order to participate, the mining users have to create an account and then register their computers (workers) with the service. Then they simply run the Bitcoin miner program provided with their credentials on as many computers as they have. In the end, if they had enough computation power and time they might end up with a few Bitcoins.

It can be expected that some people will not be satisfied just using their own machines so they will try to use the computing power of unsuspecting victims. And that’s exactly what the authors of this malware are doing: They use hardware that does not belong them to generate more money.

It’s not a Bitcoin problem; it’s a people problem

We must stress that there’s nothing wrong with Bitcoin or its mining services. The problem is that some greedy people are misusing them.

Some of them can be seen on the following image.  The word “cestina” means that the file should contain Czech localization of the referenced program. All of them contain a hidden feature, and sometimes the name is a complete fabrication. For example, The-Night-of-the-Rabbit-cestina.exe contains a crack for Call of Duty 4. Notice too, that all these files have an elevated popularity; no doubt a result of tampering. Some downloaders already suspect something fishy about these files.

Uloz.to malicious filesWarning comment on the sharing server.

Read more…

May 22nd, 2013

Grum lives!

 

Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives.  We have been tracking its activity since January 2013.  We can confirm spiderlab’s doubts about the grum killing published in March 2013. The following article provides some details about registered grum activity.

We have seen grum activity on following sites:

  • servercafe.ru
  • hub.werbeayre.com
  • sec.newcontrrnd.com
  • sec.convertgame.com

Every bot client generates its own identification number (ID) on its first run. The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.

 Black Energy bot id schema

 

After the bot sets its ID, it tries to connect to a C&C server.

1) The bot contacts C&C server with a HTTP GET request to get the FQDN of the client’s computer

http://%server/spm/s_get_host.php?ver=%botVer

2) The information is used to contact one of the SMTP servers obtained from DNS MX records from following domains which are used for sending spam:

  • hotmail.com
  • yahoo.com
  • aol.com
  • google.com
  • mail.com
  • mail.ru
  • yandex.ru

3) Then the C&C server is contacted by the following request

http://%s/spm/s_alive.php?id=%botID&ticks=%u&ver=%botVersion&smtp=%s&sl=%d&fw=%d&pn=%d&psr=

The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.

4) The C&C server answers with a message which looks like a typical BASE64 encoding

For example:

Xu6hQoZL5+9/Hva9N3F3A2+gwPdLuk28BPA5Alm1IOS9MWvCLGp9r/UEqHksCNo4djEmA8SBk/tPRNvg1wc1rjZnwToThUorVw7kdU/h53sgoszvg0OX06MFQvEOxLqF7P4PQ+s=

Actually the message is encrypted by RC4 algorithm with key equals to the bot’s ID and then it is encoded by BASE64.

Grum bot low level Base64

parts of low level BASE-64 decoding

Grum bot low level RC4

low level decryption part of RC4

 

The whole decryption algorithm written in C# could look like this:

Grum decrypt

The bot id is 72176717204370682282907051332175 for the mentioned message.
After decryption process we can see the message:

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

6) The C&C answers with spamming instructions including spam mail template which is also encrypted by the schema mentioned above.

The interesting thing is that sent spam is similiar to scam described on our blog in the past.

 

Finally, we provide a screenshot of encrypted instructions, a spam email and an example of decrypted instructions .

 

Spam

example of sended spam

encrypted spam instructions

encrypted spam instructions

 

 

<info>
taskid=61853
realip=x.x.x.x
dns=8.8.8.8
hostname=y
heloname=y
maxthread=25
from=usypc@ozucfx.net

type=0
try_tls=0
use_psr=0
use_dnsapi=1
try_mx_num=1
use_ehlo=1
</info>
<emails>
nadialee@hanmail.net
nadialee@hellokitty.com

nadialeitao@zipmail.com.br
nadia_leonita@yahoo.co.id
</emails>
<ac_list>
</ac_list>
<text>
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT[3])
id E%W_RND_INT[2]CE%W_RND_INT[5]E; %DATE
From: Work at Home <%FROM_EMAIL>
To: <%TO_EMAIL>
Subject: Your second chance in life just arrived

Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bi
Precedence: bulk
Message-Id: <%GMTDATA[yyyyMMddHHmm].E%W_RND_INT[2]C%W_RND_INT[5]F@web.ozucfx.net>

<html>
<body>

</body>
</html>
</text>

 

Categories: analyses, Virus Lab Tags: , , ,
Comments off
March 20th, 2013

Banker Omnia Vincit – A tale of signed Brazilian bankers

Let us present the long-term analysis of malware which was designed to steal credentials from more than 25 largest banking and payment systems in Brazil. The unique features of this banking malware include the usage of valid digital certificates, 3 years of evolution and stealing credentials from e-commerce admin pages. This feature opens doors for attackers, who can then log in to e-commerce systems and steal information about customers and their payments.

This malware family combines all of these powerful functionalities and serves as a comprehensive tool for stealing money and sensitive personal data with dangerous efficiency.

Download full whitepaper in PDF format here.

 

Comments off