Huytebesy4ko Hijacker analysis
Submitted by nex on Fri, 2009-11-20 06:47. Malware
Continuing on the road of scam-mail-spread malware, today I am going to analyze an interesting little toy I accidentally came across just yesterday, when I received this funny email at my university address from a fake crafted address, notifications@crema.unimi.it:
We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility. Best regards, crema.unimi.it technical support.
As you may guess there was an attachment called utility.zip containing a utility.exe, which VirusTotal rates at 73%.
T-IFRAMER. Kit for the injection of malware In-the-Wild
Submitted by jamieres on Sun, 2009-11-15 14:28. Exploits | Malware | Research
T-IFRAMER is a package that allows you to automate, centralize and manage over HTTP the spread of malicious code through code injection into compromised sites, using iframe techniques to spread virally and feed a botnet. Below is a screen capture of the authentication screen.
It is a kit that lets computer criminals manage the spread of malware over the HTTP protocol through Drive-by-Download and Drive-by-Injection attacks, by inserting iframe tags in compromised web pages.
It has four key modules: Stats, Manager, Iframes and Injector, each with the main function of optimizing the spread of malware.
The first (Stats) manages compromised FTP accounts, giving control over them with the ability to upload files. Thus begins one of the cycles of propagation of malicious code.
The Manager module has several categories, among which are:
* Iframe accounts. These are pages into which malicious scripts have been injected through the iframe tag.
* Not Iframe. These are basically compromised FTP accounts. In this case, several FTP accounts are stored:
Ether Automation Utility: Ether Bunny
Submitted by dannyquist on Fri, 2009-11-13 14:27. tools
Ether Bunny is a script that I use to automatically start up and run Xen domains, copy files to them, and then execute those files under Ether. It is a quick hack I put together. Most of the variables at the top of the file will need to be changed to match your configuration. This script is made available as-is. If it doesn't work you'll need to debug it on your own. That being said, if you find it useful and modify it, let me know and I'll be happy to update the public version.
You'll need to get a copy of Winexe as well to remotely run the files. There are some setup instructions at the Winexe page that will help you to configure your host machine.
Here's how I use it:
snoosnoo:/xen# ./eb.py 192.168.0.2 malware.exe
Ether Bunny v0.1 by Danny Quist
Analyzing malware.exe to on VM 192.168.0.50
Destroying old vm image /xen/winxp-sp2-malware-instance/
Restoring vm image...
Starting vm from /etc/xen/ramdisk-winxp-sp2.cfg
Copying malware.exe to VM 1166 at 192.168.0.50
Attempt: 1
Running malware.exe on VM winxp-sp2-ramdisk (1166) 192.168.0.50
Letting program run...
dos charset 'CP850' unavailable - using ASCII
EPOLL_CTL_ADD failed (Operation not permitted) - falling back to select()
Killing ether.
Destroying VM ID: 1166
Aborting...
Download Ether Bunny here.
Danny
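The run above follows a fixed cycle: destroy any old guest, restore the clean image, boot, copy the sample in (retrying while the guest is still coming up), run it, wait, tear down. The following is an added example of that cycle written as a small driver; it is not Danny Quist's eb.py and not part of the original post. The guest name, image paths, SMB share, credentials and run time are assumptions, and the runner is injectable so the sequencing (including the retry and the abort path) can be exercised without Xen or Winexe present.

```python
"""Ether Bunny-style driver (added example, not eb.py): reset a Xen guest,
push a sample to it over SMB, run it remotely with winexe, then tear down.
All hosts, paths, share names and credentials are assumptions."""
import subprocess
import time
from typing import Callable, List, Sequence, Tuple

# Assumed lab settings; edit to match your configuration.
GUEST_NAME = "winxp-sp2-ramdisk"
VM_CFG = "/etc/xen/ramdisk-winxp-sp2.cfg"
CLEAN_IMAGE = "/xen/winxp-sp2-clean/disk.img"
INSTANCE_IMAGE = "/xen/winxp-sp2-malware-instance/disk.img"
GUEST_CREDS = "Administrator%password"      # user%pass for smbclient and winexe
GUEST_SHARE = "C$"
RUN_SECONDS = 120                           # how long the sample may run under Ether

Runner = Callable[[Sequence[str]], int]     # executes argv, returns exit status

def real_run(argv: Sequence[str]) -> int:
    """Default runner: actually execute the command."""
    return subprocess.call(list(argv))

def analysis_plan(guest_ip: str, sample: str) -> List[List[str]]:
    """Ordered commands for one analysis of `sample` on the guest at `guest_ip`."""
    return [
        ["xm", "destroy", GUEST_NAME],                               # kill leftover guest
        ["cp", "--sparse=always", CLEAN_IMAGE, INSTANCE_IMAGE],      # restore clean disk
        ["xm", "create", VM_CFG],                                    # boot clean guest
        ["smbclient", f"//{guest_ip}/{GUEST_SHARE}", "-U", GUEST_CREDS,
         "-c", f"put {sample} {sample}"],                            # copy sample in
        ["winexe", "-U", GUEST_CREDS, f"//{guest_ip}", "C:\\" + sample],  # run it
        ["xm", "destroy", GUEST_NAME],                               # tear down
    ]

def run_analysis(guest_ip: str, sample: str, run: Runner = real_run,
                 wait: Callable[[float], None] = time.sleep,
                 attempts: int = 3) -> List[Tuple[str, int, int]]:
    """Execute the plan; return a log of (command, attempt, exit status).

    The first destroy may fail harmlessly (no old guest).  The SMB copy is
    retried because the guest may not have finished booting.  Any other
    failure before the run step tears the guest down and aborts."""
    plan = analysis_plan(guest_ip, sample)
    teardown = plan[-1]
    log: List[Tuple[str, int, int]] = []
    for step, argv in enumerate(plan[:-1]):
        tries = attempts if argv[0] == "smbclient" else 1
        rc = 1
        for n in range(1, tries + 1):
            rc = run(argv)
            log.append((argv[0], n, rc))
            if rc == 0:
                break
        if rc != 0 and step != 0 and argv[0] != "winexe":
            run(teardown)                       # clean up, then give up
            log.append(("abort", 1, rc))
            return log
        if argv[0] == "winexe":
            wait(RUN_SECONDS)                   # let the sample run before teardown
    rc = run(teardown)
    log.append((teardown[0], 1, rc))
    return log

if __name__ == "__main__":
    import sys
    ip, exe = sys.argv[1], sys.argv[2]
    for cmd, attempt, status in run_analysis(ip, exe):
        print(f"{cmd:10s} attempt={attempt} rc={status}")
```

The retry is deliberately limited to the copy step: a non-zero status from `xm create` or the image restore means the sandbox itself is broken, and running the sample anyway would produce a misleading trace.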
[Crimeware] Researches and Reversing about Eleonore Exploit Pack
Submitted by evilcry on Tue, 2009-11-03 04:24. Malware
Hi,
Today we will see how Eleonore Exploit Pack works, directly from an infected website.
Essentially Eleonore Exploit Pack is a collection of exploits and data/statistics collectors; this is the 'marketing' presentation of the exploit pack:
*---------------------------------------------------------------*
Hello!
I present new actual russian exploits pack "Eleonore Exp v1.2"
Exploits on pack:
> MDAC
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet
PHP pBot Dissection
Submitted by evilcry on Mon, 2009-11-02 05:46. Malware
Today I'll dissect a website infected with PHP:Pbot-A, according to Avast's naming convention.
Be careful: the link reported is still alive!
From a malicious-domains DB this infected URL emerged:
http://jamera2.justfree.com/cmdupload2.txt
As you can see it seems to be a classical .txt file, but this is classic evidence of an RFI infection.
MD5 : da67134fc6953201d3556f5fedbcd50d
/*
*
* #crew@corp. since 2003
* edited by: devil__ and MEIAFASE
* Friend: LP
* COMMANDS:
*
* .user //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
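The point above (a ".txt" served from a free host that actually contains a PHP IRC bot is the signature of a remote-file-inclusion payload) can be turned into a quick triage step. The following is an added example, not part of the original post: it hashes a fetched "text" file the way the post reports an MD5, scores it against a small indicator list (PHP open tag, fsockopen/IRC traffic, the ".user/.die/.restart" command header seen above, exec/eval, obfuscation helpers), and gives a verdict. The indicator list and weights are my assumptions, and the sample below is constructed, not the real cmdupload2.txt.

```python
"""Added example (not the post's code): triage a fetched 'text' file for RFI /
PHP IRC-bot (pBot-style) indicators.  Indicators and weights are assumptions."""
import hashlib
import re
from typing import Dict, List, Tuple

# name -> (pattern, weight).  Weights are a judgement call, not a standard.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "php_open_tag": (re.compile(r"<\?php", re.I), 3),
    "irc_socket":   (re.compile(r"\bfsockopen\s*\(", re.I), 2),
    "irc_protocol": (re.compile(r"\b(PRIVMSG|NICK|JOIN)\b"), 2),
    "bot_commands": (re.compile(r"^\s*\*?\s*\.(user|logout|die|restart)\b", re.M), 2),
    "remote_exec":  (re.compile(r"\b(shell_exec|passthru|system|exec|eval)\s*\(", re.I), 2),
    "obfuscation":  (re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I), 1),
}

def triage(content: bytes, url: str = "") -> Dict[str, object]:
    """Score `content` (the bytes fetched from `url`) and return md5, hits and verdict."""
    text = content.decode("latin-1")            # never fails; we only need ASCII tokens
    hits: List[str] = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(w for name, (_, w) in INDICATORS.items() if name in hits)
    # PHP source delivered under a .txt name is the classic RFI include payload:
    # the victim's include($_GET[...]) fetches it and the server executes it.
    served_as_txt = url.lower().endswith(".txt")
    if "php_open_tag" in hits and (served_as_txt or score >= 5):
        verdict = "rfi_payload"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"md5": hashlib.md5(content).hexdigest(), "hits": hits,
            "score": score, "verdict": verdict}

# Constructed sample resembling a pBot header plus a few lines of bot body.
SAMPLE_PBOT = b"""/*
 * #crew@corp. since 2003
 * COMMANDS:
 * .user //login to the bot
 * .die //kill the bot
 */
<?php
set_time_limit(0);
$sock = fsockopen("irc.example.invalid", 6667);   // constructed host
fputs($sock, "NICK bot\\r\\n");
fputs($sock, "PRIVMSG #chan :ready\\r\\n");
eval(base64_decode("..."));
shell_exec($cmd);
?>
"""

if __name__ == "__main__":
    r = triage(SAMPLE_PBOT, "http://example.invalid/cmdupload2.txt")
    print(r["verdict"], r["score"], r["md5"], ", ".join(r["hits"]))
```

Treat the score as a prioritisation aid only; the real confirmation is reading the file, as the post goes on to do.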
YARA 1.3 released
Submitted by plusvic on Mon, 2009-10-26 04:56. tools
I'm glad to announce a new version of YARA which includes three new major features, some of them inspired by requests and suggestions from users out there. They are:
* C-style includes. Now you can include a YARA source file into another just like you do in your C programs with the #include pre-processor directive.
* Metadata in rules. Rules can now contain associated metadata as identifier/value pairs. Metadata values can be strings, integers or booleans. This metadata can later be accessed from the yara-python extension.
* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.
Here is an example of the "include" and "metadata" features:
include "./includes/some_other_rules.yar"
rule silent_banker : banker
{
meta:
description = "This is just an example"
thread_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
For more info:
http://code.google.com/p/yara-project/
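The third feature, multi-source compilation, has no example in the announcement. Below is an added example, not from the YARA project, that compiles two rule sources in one call with yara-python (the `sources=` dictionary of namespace to rule text), scans a byte string, and reads each match's metadata, which is the yara-python side of the "metadata in rules" feature. The second rule, the namespaces and the sample bytes are constructed for illustration; the first rule is the announcement's own example with a hex string reduced to one pattern.

```python
"""Added example (not YARA project code): multi-source compilation and
metadata access with yara-python.  Requires the yara-python extension."""
try:
    import yara
    HAVE_YARA = True
except ImportError:          # functions below raise a clear error if absent
    HAVE_YARA = False

# Two independent rule sources, as a team might keep them in separate files.
BANKER_RULES = r'''
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = { 6A 40 68 00 30 00 00 6A 14 8D 91 }
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $c
}
'''

PACKER_RULES = r'''
rule upx_marker : packer
{
    meta:
        description = "UPX section name present (constructed rule)"
        threat_level = 1
    strings:
        $upx = "UPX0"
    condition:
        $upx
}
'''

def compile_sources():
    """Compile both sources into one ruleset; namespaces keep rule names apart."""
    if not HAVE_YARA:
        raise RuntimeError("yara-python is required for this example")
    return yara.compile(sources={"banker": BANKER_RULES, "packer": PACKER_RULES})

def scan_bytes(data: bytes):
    """Return [(namespace, rule, tags, meta)] for every rule matching `data`."""
    rules = compile_sources()
    return [(m.namespace, m.rule, list(m.tags), dict(m.meta))
            for m in rules.match(data=data)]

# Constructed sample: a fake MZ blob carrying the UPX marker and the banker string.
SAMPLE = b"MZ" + b"\x00" * 60 + b"UPX0" + b"\x90" * 16 + b"UVODFRYSIHLNWPEJXQZAKCBGMT"

if __name__ == "__main__":
    for ns, rule, tags, meta in scan_bytes(SAMPLE):
        print(f"{ns}:{rule} tags={tags} threat_level={meta.get('threat_level')}")
```

Compiling once and matching the combined ruleset is the efficiency the announcement refers to: one pass over the data rather than one per source file.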
Turbodiff v1.01 Beta Released
Submitted by Nicolas A. Economou on Tue, 2009-10-20 13:12. Exploits | tools
Turbodiff is a high-performance IDA plugin designed to detect differences between executable binaries.
It works on the architectures supported by IDA 4.9 FREE and IDA 5.0 through 5.5.
Turbodiff was developed by Nicolas A. Economou, from the Exploit Writers Team of Core Security Technologies.
The tool's page is here: Coresecurity's Turbodiff
You can also read the presentation of Turbodiff at Ekoparty '09.
Buenos Aires, Argentina.
Swimming into Trojan and Rootkit GameThief Win32 Magania Hostile Code
Submitted by evilcry on Thu, 2009-10-01 21:21. Malware
Hi,
Here is my latest paper.
Abstract
Trojan-GameThief.Win32.Magania, according to Kaspersky's naming convention, monitors the user's activities, trying to obtain valuable information from the affected user, especially gaming login accounts. This long tutorial analyzes this malware but is also a general document explaining how to analyze modern nested-doll malware.
http://www.accessroot.com/arteam/site/download.php?view.313
Regards,
Giuseppe 'Evilcry' Bonfa'
Tool for visualizing encrypted and/or packed data with special focus on PE-files ...
Submitted by chrisu on Tue, 2009-09-29 03:19. tools
Hi folks,
I developed a tool which might be of interest for you/us reversers. It is capable of creating histograms of the distribution of byte codes for a whole file, as well as section-wise for PE files. This will make the detection of encrypted and/or packed data much easier. The tool (a Windows and a Linux version) and a decent description are available on our CERT homepage:
http://cert.at/downloads/software/bytehist_en.html
Please let me know if you encounter any problems or have any questions.
Cheers,
Christian Wojner.
CERT.at
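The technique behind the tool above (a per-section byte-value histogram, from which packed or encrypted regions stand out as flat distributions) is small enough to show in full. What follows is an added example and is not bytehist or any CERT.at code: it reads just enough of the PE headers to find the section table, computes the 256-bin histogram and Shannon entropy of each section's raw data, and flags high-entropy sections. The 7.0 bits/byte threshold is a common rule of thumb, not a figure from the post, and the PE image it runs on is built in memory for the demonstration (two sections, one of repetitive text, one of pseudo-random bytes), not a real program.

```python
"""Added example (not bytehist): per-section byte histogram and entropy for a
PE image.  The sample PE below is constructed; the 7.0 threshold is a heuristic."""
import math
import random
import struct
from typing import Dict, List, Tuple

def byte_histogram(data: bytes) -> List[int]:
    """256-bin count of byte values."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    return hist

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data) if c)

def pe_sections(image: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, PointerToRawData, SizeOfRawData) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt                 # section table follows optional header
    out = []
    for i in range(nsec):                        # each IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out

def section_report(image: bytes, packed_threshold: float = 7.0) -> Dict[str, Dict[str, object]]:
    """Histogram/entropy summary per section, with a likely-packed flag."""
    report: Dict[str, Dict[str, object]] = {}
    for name, off, size in pe_sections(image):
        data = image[off:off + size]
        hist = byte_histogram(data)
        report[name] = {
            "size": len(data),
            "entropy": round(entropy(data), 3),
            "distinct_bytes": sum(1 for c in hist if c),
            "top_byte": max(range(256), key=hist.__getitem__) if data else None,
            "likely_packed": entropy(data) >= packed_threshold,
        }
    return report

def build_sample_pe() -> bytes:
    """Constructed minimal PE: a repetitive .text section and a pseudo-random .packed one."""
    text = b"This is ordinary, highly redundant x86-less content. " * 8
    rng = random.Random(1)                       # deterministic stand-in for crypted data
    packed = bytes(rng.getrandbits(8) for _ in range(512))
    e_lfanew, opt_size = 0x40, 0                 # no optional header needed for parsing
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * 2
    off_text = (hdr_end + 0x1FF) & ~0x1FF        # 512-byte file alignment
    off_packed = (off_text + len(text) + 0x1FF) & ~0x1FF
    image = bytearray(off_packed + len(packed))
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    table = e_lfanew + 4 + 20 + opt_size
    struct.pack_into("<8sIIII", image, table, b".text", len(text), 0x1000, len(text), off_text)
    struct.pack_into("<8sIIII", image, table + 40, b".packed", len(packed), 0x2000, len(packed), off_packed)
    image[off_text:off_text + len(text)] = text
    image[off_packed:off_packed + len(packed)] = packed
    return bytes(image)

if __name__ == "__main__":
    for name, info in section_report(build_sample_pe()).items():
        print(f"{name:8s} size={info['size']:5d} entropy={info['entropy']:.3f} "
              f"distinct={info['distinct_bytes']:3d} packed={info['likely_packed']}")
```

A flat histogram (many distinct bytes, no dominant value, entropy near 8) in a section that should hold code or data is the visual cue the post's tool makes obvious; on a real file, also compare SizeOfRawData with VirtualSize, since packers often leave an empty high-entropy-free destination section beside the packed one.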
W32/Rustock.F, a quite unknown Rustock.C dropper
Submitted by Pincopall on Mon, 2009-09-28 17:41.
Some days ago a friend of mine sent me a suspicious malware; unfortunately I couldn't look at it before last night because I was away for work.
By submitting the file to virustotal.com I could see that only 39.02% of the AVs recognize it as malware (some popular antivirus products like Kaspersky or Symantec, for example, don't recognize it); Microsoft calls it "TrojanDropper:Win32/Rustock.F" while for Panda it is "Trj/Rustock.L".
As the analysis shows, this is really a dropper for the famous Rustock.C malware.
A lot of papers have been written on Rustock.C, so I will analyze only this dropper, to make you aware that this is malware even if your antivirus does not flag it as a bad application.
The file I’m talking about is called “is7771.exe”.
In the article I explain the behaviour of the dropper in detail; take a look at it here:
http://revengstuff.wordpress.com/files/2009/09/rustock_f1.pdf
