Friday, October 23, 2009

More compromised Irish Sites

Quick one before I head out of the office

An Irish domain, Ivote.ie, is currently being used by criminal gangs as part of an SEO poisoning attack.

Take the following two examples of popular search terms (I got these from Google Trends). The standard warning applies about visiting these sites (here be dragons):


SEARCH: steve phillips girlfriend picture

RESULT:

http://www.gsarchives.net/index2.php?t=steve-phillips-girlfriend-picture

-> http://guardsyszone.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZ1bVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoGJdpqmikpVuaGdpZmxmbF%2FEkKE%3D

->-> http://www.ivote.ie/jjjr/Steve-Phillips-Girlfriend-Picture.htm

->->-> http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)


SEARCH: explosion in puerto rico

RESULT:

http://www.gsarchives.net/index2.php?t=explosion-in-puerto-rico

-> http://guardzone-sys.com/?p=WKmimHVlcW6HjsbIo22EeXZe0KCfZlbVoKDb2YmHWJjOxaCbkX1%2Ba16orKWeYpWcZWliaGaalGCIo6THodjXoFerpXOWk5hvZWRsZnFqXpzEag%3D%3D

->-> http://www.ivote.ie/jjjr/Explosion-In-Puerto-Rico.htm

->->-> http://cakuqe.cn/22/?uid=13700 (which infects the user's machine with malware)


Same result with “steve phillips wife photos” and many other search terms which are popular in Google today.
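Doorway pages like the gsarchives.net ones above normally only hand out the redirect chain to visitors who arrive from a search engine; a direct visit (or a crawler) gets harmless keyword-stuffed filler, which is what keeps the page ranking. The usual check is to walk the chain twice, once with a search-engine Referer and once without, and compare where each run ends. The Python below is an added example and not code from this post: the HTTP client is pluggable, and the hostnames in sample_fetch are made up stand-ins for the chain above so that it runs offline against constructed responses. Point follow_chain at a real fetcher (e.g. one built on urllib that returns status, headers and body) to use it on a live chain.

```python
"""Trace an SEO-poisoning redirect chain and check for cloaking.

Added example, not from the original post. All hostnames in sample_fetch are
made up; the shape mirrors the chain in the post (doorway -> hop -> .htm on
the compromised site -> payload site).
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed search-result referer; the doorway only redirects search traffic.
SEARCH_REFERER = "http://www.google.com/search?q=steve+phillips+girlfriend+picture"

_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, status, headers, body):
    """Work out where this response sends a browser next.

    Returns (next_url, kind): kind is "http" for a 3xx Location header and
    "page" for a meta refresh or JavaScript location assignment, or
    (None, None) when the response is a final landing page.
    """
    if status in (301, 302, 303, 307, 308) and headers.get("Location"):
        return urljoin(url, headers["Location"]), "http"
    m = _META_REFRESH.search(body) or _JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1)), "page"
    return None, None


def follow_chain(start, fetch, referer=None, max_hops=10):
    """Follow redirects from `start` as a browser would; return the URLs
    visited, in order. `fetch(url, referer)` must return (status, headers,
    body). Loops and chains longer than max_hops are cut off."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, headers, body = fetch(url, referer)
        nxt, kind = next_hop(url, status, headers, body)
        if nxt is None or nxt in seen:
            break
        # A 3xx keeps the original Referer; a page-level redirect makes the
        # redirecting page the Referer of the next request.
        if kind == "page":
            referer = url
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def cloaking_report(start, fetch):
    """Walk the chain as a search-engine visitor and as a direct visitor and
    flag the doorway as cloaked if the two runs end in different places."""
    via_search = follow_chain(start, fetch, referer=SEARCH_REFERER)
    direct = follow_chain(start, fetch)
    return {
        "via_search": via_search,
        "direct": direct,
        "cloaked": via_search[-1] != direct[-1],
        "hosts": [urlsplit(u).hostname for u in via_search],
    }


def sample_fetch(url, referer):
    """Constructed stand-in for an HTTP client so the example runs offline.
    The doorway only redirects visitors whose Referer is a google.com page."""
    from_search = bool(referer and
                       (urlsplit(referer).hostname or "").endswith("google.com"))
    if url == "http://doorway.example/index2.php?t=some-trend":
        if from_search:
            return 200, {}, '<html><script>window.location="http://hop.example/?p=abc"</script></html>'
        return 200, {}, "<html><body>keyword-stuffed filler for the crawler</body></html>"
    if url == "http://hop.example/?p=abc":
        return 302, {"Location": "http://compromised.example/jjjr/Some-Trend.htm"}, ""
    if url == "http://compromised.example/jjjr/Some-Trend.htm":
        return 200, {}, '<meta http-equiv="refresh" content="0;url=http://payload.example/22/?uid=1">'
    return 200, {}, "<html>landing page</html>"


if __name__ == "__main__":
    report = cloaking_report("http://doorway.example/index2.php?t=some-trend", sample_fetch)
    for key, value in report.items():
        print(key, value)
```

A real doorway may key on the User-Agent, the visitor's IP range or country, or only redirect once per IP, so a clean second run is evidence of cloaking rather than proof the site is safe; run this from a throwaway VM, never from a machine you care about.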


It appears that the IVOTE.IE domain has been compromised (similar to the Zdesign.com domain in the last post). Normal deal - most likely one of IVOTE's employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third gang, which uploads the malware onto the site.


I've contacted the hosting providers of IVote to have the page cleaned up.


More AIB Scams

WARNING: This blog contains some links to phishing sites.

I'm sure I was not the only person to wake up this morning to find this in my mailbox - a delightful little email informing me that my AIB account had been "temporarily limited".

As a concerned AIB customer I obviously have to act when my account gets "temporarily limited" (whatever the hell that means). Needless to say the From address accounts@aib.ie looks legitimate, but forging any field in an email (especially the From field) is child's play. Also they specifically ask the victim not to reply to the mail (no need to let AIB know there is a new scam doing the rounds, after all).

So let's take a look at the actual link I would need to click on to "resolve the problem":
http://zdesign.com/aibinternetbanking.aib.ie/login.htm
See what they did there? Clever, eh? No, not particularly. The host that actually serves the page is zdesign.com; the "aibinternetbanking.aib.ie" is just a directory name on that server.

Before we go and look at the dodgy domain, let's have a look at what the phishing site actually looks like - see if you can figure out which is the real page:



Pretty well done, isn't it? Needless to say it is the one on the left (the one which does not warn you not to click on fraudulent emails). All of the images are loaded directly from AIB, and all of the links, with the exception of the Next button, also point to legitimate AIB pages. I'm not sure if AIB monitors for external sites linking to their internet banking images, but it would certainly be a useful tool for identifying these types of phishing sites.
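The hotlinking check suggested above is straightforward to run against the bank's own web server access log: any request for the login images whose Referer is not on the bank's domain comes from a page that has copied the login form, and the referer URL usually leads straight to the phishing kit. The script below is an added example (not from this post, and not anything AIB runs). The log lines are constructed in Apache combined format, with made-up 10.x client addresses; the zdesign.com referer is the phishing URL quoted above and kit.example is invented. lookalike_host implements the "see what they did there" check: what matters is the registered host of the URL, not the bank's name appearing further along in the path.

```python
"""Find phishing pages hotlinking a bank's login images, using the bank's
own access log, plus the "bank name in the path" URL check.

Added example, not from the post and not anything AIB runs. SAMPLE_LOG is
constructed (Apache combined format, made-up client addresses).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SAMPLE_LOG = """\
10.0.0.1 - - [23/Oct/2009:09:01:12 +0100] "GET /images/aib_logo.gif HTTP/1.1" 200 4321 "https://aibinternetbanking.aib.ie/login.htm" "Mozilla/4.0"
10.0.0.2 - - [23/Oct/2009:09:01:15 +0100] "GET /images/aib_logo.gif HTTP/1.1" 200 4321 "http://zdesign.com/aibinternetbanking.aib.ie/login.htm" "Mozilla/4.0"
10.0.0.3 - - [23/Oct/2009:09:02:40 +0100] "GET /images/login_button.gif HTTP/1.1" 200 1200 "http://zdesign.com/aibinternetbanking.aib.ie/login.htm" "Mozilla/4.0"
10.0.0.4 - - [23/Oct/2009:09:03:01 +0100] "GET /images/aib_logo.gif HTTP/1.1" 200 4321 "-" "Mozilla/4.0"
10.0.0.5 - - [23/Oct/2009:09:03:30 +0100] "GET /images/aib_logo.gif HTTP/1.1" 200 4321 "http://www.aib.ie/" "Mozilla/4.0"
10.0.0.6 - - [23/Oct/2009:09:04:00 +0100] "GET /images/aib_logo.gif HTTP/1.1" 200 4321 "http://kit.example/aib.ie/login.htm" "Mozilla/4.0"
10.0.0.7 - - [23/Oct/2009:09:05:00 +0100] "GET /news/index.htm HTTP/1.1" 200 9000 "http://kit.example/aib.ie/login.htm" "Mozilla/4.0"
"""


def host_of(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    return (urlsplit(url).hostname or "").lower() or None


def is_own_host(host, own_domain):
    """True if host is own_domain or a subdomain of it. Dot-anchored, so
    notaib.ie does not count as aib.ie."""
    if not host:
        return False
    own_domain = own_domain.lower()
    return host == own_domain or host.endswith("." + own_domain)


def lookalike_host(url, own_domain):
    """The trick in the post: the bank's name appears somewhere in the URL,
    but the host that actually serves it belongs to someone else."""
    return own_domain.lower() in url.lower() and not is_own_host(host_of(url), own_domain)


def hotlink_report(log_text, own_domain, asset_prefixes=("/images/",)):
    """Group requests for the bank's image assets by the external site that
    embedded them. Returns {referer_host: {"hits": n, "pages": [urls]}}.
    Empty referers ("-") are skipped: browsers send none on HTTPS-to-HTTP
    transitions, from bookmarks, or with privacy settings, so they prove
    nothing either way."""
    by_host = defaultdict(lambda: {"hits": 0, "pages": set()})
    for line in log_text.splitlines():
        m = _COMBINED.match(line)
        if not m or not m.group("path").startswith(asset_prefixes):
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        host = host_of(referer)
        if host and not is_own_host(host, own_domain):
            by_host[host]["hits"] += 1
            by_host[host]["pages"].add(referer)
    return {h: {"hits": v["hits"], "pages": sorted(v["pages"])}
            for h, v in by_host.items()}


if __name__ == "__main__":
    for host, info in sorted(hotlink_report(SAMPLE_LOG, "aib.ie").items()):
        print("%-20s %3d hits  %s" % (host, info["hits"], ", ".join(info["pages"])))
```

This only catches kits that hotlink the images rather than copying them (a more careful kit will copy), and it needs the Referer to survive, so treat it as a cheap early-warning feed rather than complete coverage; the obvious follow-up for each hit is to fetch the referer page and compare its form action against the real login URL.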

After a user enters their registration number, they are prompted for 3 digits of their PIN, as is normal procedure for AIB logins. However, instead of being logged into their account, they are then brought to a very non-AIB-looking page which asks for all sorts of information, including credit card details and the person's full PIN:
http://zdesign.com/aibinternetbanking.aib.ie/data.htm
Once you kindly provide the scammer with this information you are informed that someone may ring you shortly to confirm your details and to have your code card ready, before being redirected to the real AIB site. As I did not bother entering any real data (and I assume the scammer would check if my PIN worked before ringing me to grab all my code card details), I'm unsure if the attacker would actually follow up with a call.

So there you have it - a pretty standard phishing scam. Let's look at some of the details about the actual site used, however.

First of all, http://zdesign.com/ seems to be a legitimate design company; the Wayback Machine shows their site has existed since 1998. As such it looks like their site was compromised and the phishing pages were uploaded to their webserver. The webserver is not exclusive to ZDesign, there are plenty of other companies running websites on it, so it is obviously a shared hosting server.

I had a look at some of the other companies to see if they had been compromised in a similar way, but none that I checked appeared to have been. What most likely happened in this case was that one of ZDesign's employees' machines became infected, that person had access to their webserver (probably FTP access), and the malware simply stole the credentials. These credentials would then have been sold in bulk (normally 10,000 at a time) to a separate criminal gang, who in turn sell compromised sites to a third, phishing gang. Ah, the joys of modern-day criminal malware writers.

Anyhow - if you see one of these emails, ignore it or better yet delete it. In the meantime I've contacted AIB, ZDesign and IRISS (Irish CERT). I've also blocked the URL for any Trend Micro customers.

Happy long weekend everyone :)


Thursday, October 15, 2009

Also available on Twitter

Hi everyone,

Just a quick message to let everyone know that I am now also using Twitter. Feel free to follow me on http://www.twitter.com/bobmcardle . I will continue to use this blog (as well as the official Trend Micro blog) for articles that take longer than 140 characters to get the message across :)

I have not updated too much here in a while as I am currently doing some Web Application Security research, but once I have the results of that they will be going up here.

For anyone who is attending the IRISS conference in Dublin on the 19th of November I hope to see you all there.

Bob

Wednesday, September 30, 2009

Succeeding in IT Security

I was interviewed recently for a jobs site (Odinjobs) asking what it takes to succeed in IT Security - the interview, along with those from other people, is up at the following URL:

http://www.odinjobs.com/blogs/careers/entry/it_security_what_it_takes


Tuesday, July 14, 2009

Attacker Mindset

An unfortunate necessity of working in the security industry, and particularly of analysing malware and hacking attacks every day, is that you quite often need to put yourself in the mind of a criminal in order to properly understand the motives behind an attack. The downside is that it can be hard to turn this off. It's often been said that the only difference between a hacker and a penetration tester is "permission", as in permission to access the target you are testing. Well, the only difference between a security professional and a hacker is "ethics". Both have very similar skillsets, and both are very good at spotting scams and flaws in systems - the difference is that hackers act on this information for financial gain, whereas security professionals generally try to fix the problem, or at the very least do not act on it (we'd all be making MUCH more money if we did :P )

So it was in this frame of mind that I visited one of Ireland's biggest hardware stores at the weekend to drop back a couple of items that we did not need. While waiting for about 15 minutes at the customer service desk an idea hit me. I'd love to hear others' feedback on this situation:
  • A scammer walks into a store (in this case a hardware store, but other stores would work). He goes around the shop and spends a couple of hundred (not too much, or this would probably not work) on a variety of items.
  • The scammer comes back the following day, walks around the store and takes several of the same items off the shelves. He brings these items to customer service, along with his receipt, to "drop them back".
  • End result: the scammer spends a couple of hundred, gets the majority of it back, and keeps all the goods (which can then be sold on for a tidy profit).
There are a couple of conditions for this attack to work:
  • It needs to be a big, busy store, otherwise it is easier to see that the attacker is simply returning goods from the shelves.
  • The items must not have an electronic tag which indicates that they have been sold already (for example the tags you see in a lot of clothes stores).
  • Barcodes must not be individual. In other words, all copies of product X should have the exact same barcode (otherwise customer service can uniquely identify each item). TV shops tend to have individualised codes.
Having said that, there are a lot of stores that fall into this category (particularly hardware stores, where individual items can be quite expensive). I very much doubt that this is an old scam, but would love to hear people's thoughts on it (or if you have worked in / run a store, how did they address this issue)?


Tuesday, June 23, 2009

All feedback is good feedback

In our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine.

Poshel-ka ti na hui drug aver

This string roughly translates to “Screw you my friend Aver” (well, it's actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean “AVer” (a slang term used mainly on English virus-writing forums meaning AV researcher).

Doh!

This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering. My personal favourite was from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:

Dear Symantec:
For years I have longed for just one thing,
to make malware with just the right sting,
you detected my creation and got my domains killed,
but I will not stop,
I can rebuild.

P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

The Rinbot authors were particularly well known for getting frustrated at AV companies for detecting their creations (ironically made easier by all of those nice messages they included for us to use in malware signatures). They were fairly generous in distributing their pent-up annoyance, with everyone from SANS to CNN included. In particular they really disliked people refusing to name their malware as they had intended.

Rinbot is not the only malware to include such strings; recently the TSPY_ZBOT family also started including messages giving out about blog articles by Avira and Microsoft. In fact these messages have been going on for years; another one, from a WORM_MYDOOM variant back in 2004, read:

we will attack f-secure,symantec,trendmicro,mcafee , etc.
The 11th of march is the skynet day lol .

It's always nice to get feedback on your work, even more so when it's the bad guys complaining that we are doing too good a job.

Friday, June 12, 2009

5 Must Have Tools (from ISSA Talk)

On Tuesday I attended the very interesting talk held by the ISSA in Dublin, where several Microsoft employees spoke about Windows 7 and their own internal IT security setup, and Elda Dimakiling and Francis Ten Seng gave a good overview of the Conficker worm. This was followed by two short presentations: Paul Collins, head of IT with Hypo Real Estate Group, showed the capabilities of the very useful MSAT tool, and I demoed some useful malware analysis tools. Overall I really enjoyed the event, and will continue to attend ISSA events in the future.

I thought that I may as well stick up the tools in question in this blog post so that they are all linked in one location. I often get asked to fix friends' computers, and always carry around a copy of these tools on a USB key - if you know what you are doing you can clean about 90% of all Windows malware with them. I'd advise any security professional to download all 5 and play around with them for 30 minutes; you'll be happy you did.

Ice Sword (Mirrored Download - Use This)
Ice Sword is a fantastic tool for rootkit detection. It will allow you to see hidden processes, registry keys, services etc. on the infected machine. In addition to this it will actually let you directly read and write areas of process memory, and includes a basic disassembler. It also has a host of other features such as inspecting the system's SSDT and looking at Layered Service Providers. In any malware analysis IceSword is my first port of call: remove any rootkits from the system first, so that the other tools below can be trusted to see everything while you continue your analysis.

GMER
GMER is another rootkit removal tool, again with many other features built in. Personally I prefer Ice Sword, but you really should have both at hand - sometimes malware will successfully hide from, or kill, one or the other.

Autoruns
Now that you have removed the rootkits from the PC, Autoruns is step 2. It is a fantastic tool which shows every single system load point (i.e. all of the executables which will be started during Windows startup). As it returns quite a large amount of information, here are some tips on where to start looking (as you get more used to the tool, this will become second nature):
  • Check the following tabs first: Logon, Internet Explorer, Scheduled Tasks, Services, Image Hijacks, Winlogon.
  • Pay particular attention to any entries that do not have an associated Publisher or Description, especially anything in the System32 or Windows folders. There is a very nice Right-Click -> Verify function that will test the digital signature of the executable.
  • For executables you are unfamiliar with, try the Right-Click -> Search Online feature. Interestingly this uses Yahoo search - but I would not be surprised to see a Bing version in future.
  • Delete any suspicious load points and then refresh. If the value is being recreated, that's normally a sure sign that it's bad (and that a running process is putting it back, which is where the next two tools come in).
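The Autoruns tips above boil down to a small triage rule set, and it is often handier to apply them to a saved Autoruns report from the infected machine than to click through the tabs on it. The Python below is an added example, not part of this post or of Sysinternals. It assumes a CSV export of the kind autorunsc writes with the -c and -v switches, with the column names used in the constructed sample (Entry Location, Entry, Category, Description, Signer, Company, Image Path); the rows themselves, including the winupdate32 and svc.exe entries, are made up to exercise the rules and are not real malware names.

```python
"""Triage an Autoruns CSV export using the rules from the tips above.

Added example, not from the post or from Sysinternals. Assumes the column
names in SAMPLE_CSV (an autorunsc -c -v style export; the real file may be
UTF-16, so open it with the matching encoding). All rows are constructed.
"""
import csv
import io

# Tabs the post says to check first.
PRIORITY_CATEGORIES = {"Logon", "Internet Explorer", "Scheduled Tasks",
                       "Services", "Image Hijacks", "Winlogon"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\")
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\appdata\\")

SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe,ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,winupdate32,enabled,Logon,,(Not verified),,c:\windows\system32\winupdate32.exe,c:\windows\system32\winupdate32.exe
HKLM\System\CurrentControlSet\Services,Dnscache,enabled,Services,DNS Client,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\dnsrslvr.dll,svchost.exe -k NetworkService
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,taskmgr.exe,enabled,Image Hijacks,,,,c:\documents and settings\bob\local settings\temp\svc.exe,c:\documents and settings\bob\local settings\temp\svc.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Skype,enabled,Logon,Skype,(Verified) Skype Technologies SA,Skype Technologies S.A.,c:\program files\skype\phone\skype.exe,skype.exe /nosplash
"""


def triage_entry(row):
    """Score one Autoruns row (higher = look sooner) and say why."""
    reasons, score = [], 0
    signer = (row.get("Signer") or "").strip()
    description = (row.get("Description") or "").strip()
    company = (row.get("Company") or "").strip()
    path = (row.get("Image Path") or "").lower()

    # Right-Click -> Verify equivalent: unsigned or failed verification.
    if not signer or signer.lower().startswith("(not verified)"):
        score += 2
        reasons.append("signature missing or not verified")
    # No Publisher / Description.
    if not description and not company:
        score += 2
        reasons.append("no description or publisher")
    # ... and worse when it lives in the Windows or System32 folders.
    if reasons and any(d in path for d in SYSTEM_DIRS):
        score += 1
        reasons.append("unsigned/undescribed binary in a Windows system folder")
    # Legitimate load points rarely run out of temp or profile folders.
    if any(d in path for d in USER_WRITABLE):
        score += 1
        reasons.append("runs from a user-writable folder")
    if reasons and row.get("Category") in PRIORITY_CATEGORIES:
        score += 1
        reasons.append("in a high-value category (%s)" % row["Category"])
    return score, reasons


def triage(csv_text):
    """Parse an Autoruns CSV export and return every row with its score and
    reasons, most suspicious first, so the analyst can see why it was flagged."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = triage_entry(row)
        results.append({
            "entry": row.get("Entry", ""),
            "location": row.get("Entry Location", ""),
            "image": row.get("Image Path", ""),
            "score": score,
            "reasons": reasons,
        })
    return sorted(results, key=lambda r: (-r["score"], r["entry"].lower()))


if __name__ == "__main__":
    for r in triage(SAMPLE_CSV):
        if r["score"]:
            print("%d  %s  %s\n    %s" % (r["score"], r["entry"], r["image"],
                                         "; ".join(r["reasons"])))
```

Treat the score as an ordering, not a verdict: plenty of legitimate third-party software ships unsigned, and a signed binary can still be hijacked through its load path, so the flagged entries are where to start the Verify and Search Online steps, not what to delete blind.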
Process Explorer
Think Task Manager on steroids. Some tips:
  • Pay particular attention to packed images (highlighted in purple).
  • As well as killing processes, you can also suspend them. This can sometimes be better, as some malware will have a second process or DLL watching the first, and if it is removed from memory will automatically restart it - suspending the process means that it is still in memory, but not doing anything.
  • Most of the really cool stuff is in the Right-Click -> Properties menu. The Threads tab is very powerful, allowing you to kill/suspend individual threads within a process. Malware likes to create remote threads in other processes, so if you are having difficulties removing it, pay close attention to any threads injected into Winlogon, Explorer or IExplore.
  • The TCP/IP tab will show you any network activity of the process.
  • Strings is another excellent tab, showing human-readable strings in a file. Note that you can look for strings in the Image (the file on disk) or in Memory. Memory is normally more useful, especially if the file is packed, since the strings are only visible once it has unpacked itself.
Process Monitor
A very simple, yet incredibly powerful tool. Every single file, registry, process and network access performed on the system is intercepted and logged. You can use filters to only see the details you are interested in. This is particularly useful if you are noticing certain registry keys, files or processes being recreated by a threat, as it will show you the process responsible for recreating them (quite often Explorer or Winlogon, which indicates an injected malicious thread).

Oh, and if you have spent the suggested 30 minutes mucking about with these and want to know where next to go on your quest to become a security tool guru - all of the Microsoft Sysinternals tools are now available in a single download: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx .

I know that I've lost all my street cred by actually praising a Microsoft product (none of the cool kids are returning my calls), but sometimes they really do get it 100% right.
