[ Security Alert ] 26 May, 2011 18:26

    According to the hpHosts blog, a fake VirusTotal site is serving trojans and fake AV. VirusTotal (www.VirusTotal.com) (Figure 1) is one of the best-known online virus-scanning and suspicious-URL detection websites; it facilitates the quick detection of viruses, worms, trojans and all kinds of malware by a range of antivirus engines.


 Figure 1

    The fake VirusTotal domain is "new-virustotal.tk" (since suspended by the registrar). Once unsuspecting visitors enter the website, they are redirected to the following site and forced to download the malicious file:

  • readman.pf-control.de/java/
  • readman.pf-control.de/java/signedapplet.jar
  • readman.pf-control.de/java/bot.exe 

    AegisLab advises you to be careful while surfing the internet: do not trust or click unknown links received by mail or IM.


2011-05-27 Updated:

$ host new-virustotal.tk
  • new-virustotal.tk has address 93.170.52.30 
  • new-virustotal.tk has address 93.170.52.20 
These two IPs were first seen on 25 Jan 2010, when they pointed to "www.qqwg.tk".
Since 24 May 2011 the new domain "www1.trustzone-41p.tk", on the same IPs, has also hosted FakeAV pages.
AegisLab found 345 malicious sites pointing to these two IPs.


By AegisLab


[ Security Alert ] 23 May, 2011 14:03

    AegisLab has found that "www.ezsaving.com.tw" contains a drive-by-download page (Figure 1). Once unsuspecting visitors open this page, they are forced to download a malicious file. The analysis is as follows:

Figure 1.


# index.html: loads two .js files, top.js and a Baidu statistics script.

# top.js: checks for the cookie first. If the cookie exists, it executes the attack script; if not, it sets the cookie and uses an iframe to load "topp.html".

# topp.html

    1. Check whether the cookie exists; if not, launch the attack and go to step 2.

    2. Check whether the browser is IE on Windows XP; if so, go to step 3.

    3. If the IE version is < 7, execute the AAAA function and use an iframe to load "ie6.html".

    4. If the IE version is 7, execute the BBBB function and use an iframe to load "ie.html".

    5. If the IE version is >= 8, execute the CCCC function and use an iframe to load "fun.html".

    6. Set the cookie so that a second visit is not attacked and the page stays hidden.

# ie6.html and ie.html

    Executes exp() by DOM access:

    <BUTTON ID='EXP' STYLE='DISPLAY:NONE'></BUTTON>

    document.getElementById('EXP').onclick();

    Once executed, it downloads the malicious file "test1.exe".

# fun.htm

    Downloads "test.exe".

The attack path is listed below.
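The chain described above (cookie gating, IE/Windows XP sniffing, hidden iframes, a hidden BUTTON fired through the DOM) is a fingerprint a crawler can score for. The following is an added example, not AegisLab's code or the page content itself: it counts those indicators in fetched HTML/JS and flags pages where several co-occur. The indicator names, weights, threshold and the two sample pages are constructed for this example; the "landing" sample only mirrors the behaviour the analysis lists and is not the real topp.html.

```python
"""Heuristic fingerprint for the drive-by landing page described above.

Added example (not AegisLab's code): it scores fetched HTML/JS for the
combination of behaviours the analysis lists. Indicator names, weights
and the threshold are this example's own choices.
"""
import re

# (indicator name, pattern, weight). Each one alone is common on normal
# pages; the score only becomes interesting when several co-occur.
INDICATORS = [
    ("cookie_gate",   re.compile(r"document\.cookie", re.I), 1),
    ("ua_sniff",      re.compile(r"navigator\.(?:userAgent|appVersion|appName)", re.I), 1),
    ("ie_check",      re.compile(r"\bMSIE\b"), 1),
    ("winxp_check",   re.compile(r"Windows NT 5\.1"), 1),
    ("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b)", re.I), 2),
    ("hidden_button", re.compile(r"<button[^>]*display\s*:\s*none", re.I), 2),
    ("dom_onclick",   re.compile(r"getElementById\(['\"]\w+['\"]\)\.onclick\(\)", re.I), 3),
    ("exe_reference", re.compile(r"https?://[^\s'\"<>]+\.(?:exe|scr)\b", re.I), 2),
]

SUSPICIOUS_THRESHOLD = 6  # assumption: tuned so that UA sniffing alone never trips it


def scan(page: str) -> dict:
    """Count every indicator in the page and sum the weights of those present."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        count = len(pattern.findall(page))
        if count:
            hits[name] = count
    score = sum(weight for name, _pattern, weight in INDICATORS if name in hits)
    return {"hits": hits, "score": score}


def verdict(page: str, threshold: int = SUSPICIOUS_THRESHOLD) -> str:
    return "suspicious" if scan(page)["score"] >= threshold else "clean"


# Constructed sample modelled on the topp.html / ie6.html description above
# (cookie gate, IE on XP check, hidden iframe, hidden BUTTON triggered via DOM).
SAMPLE_LANDING = """
<script>
if (document.cookie.indexOf('visited') == -1) {
  var ua = navigator.userAgent;
  if (ua.indexOf('MSIE') != -1 && ua.indexOf('Windows NT 5.1') != -1) {
    document.write('<iframe src="ie6.html" style="display:none"></iframe>');
  }
  document.cookie = 'visited=1';
}
</script>
<BUTTON ID='EXP' STYLE='DISPLAY:NONE'></BUTTON>
<script>document.getElementById('EXP').onclick();</script>
"""

# Constructed benign sample: ordinary browser sniffing plus a visible iframe.
SAMPLE_BENIGN = """
<script>
var ua = navigator.userAgent;
if (ua.indexOf('MSIE') != -1) { document.body.className += ' ie'; }
</script>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
"""

if __name__ == "__main__":
    for label, page in (("landing", SAMPLE_LANDING), ("benign", SAMPLE_BENIGN)):
        result = scan(page)
        print(f"{label}: score={result['score']} {verdict(page)} hits={result['hits']}")
```

The weights deliberately put most of the score on the two indicators that legitimate pages rarely combine, a hidden element and an onclick() invoked from script, so ordinary browser sniffing (the benign sample) stays well under the threshold.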

[root]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/index.html
    [script]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/top.js
        [iframe]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/topp.html
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/ie6.html
            [virus]hxxp://www.update-onlines.org/ma/test1.exe
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/ie.html
            [virus]hxxp://www.update-onlines.org/ma/test1.exe
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/fun.htm
            [virus]hxxp://www.update-onlines.org/ma/test.exe


The detection rate of "test1.exe" is 2.4% (1/42) in VirusTotal.  

The detection rate of "test.exe" is 76.7% (33/43) in VirusTotal.

The detection rate of this malicious link is 0% (0/23) in URLVoid.com. 

Since 20/05/2011, AegisLab WebGuard has blocked this malicious site.

By AegisLab


[ Security Alert ] 23 May, 2011 06:43

    AegisLab has found that "www.LavenderCottage.com.tw" contains a large number of Black Hat SEO-poisoned pages that include many celebrity names in order to reach the top of Google search results; these pages are hidden at the bottom of the front page (Figure 1).

Figure 1.

For the first malicious link, the attack path is listed below.

[search] 'abigail clancy said' on Google
    [root] hxxp://abigailclancy7422.typepad.com/blog/2010/09/abigail-clancy-said.html
    [hop] hxxp://scandalvideo.co.tv/c.php?v=Celebrity+Sex+Tape
    [exe] hxxp://flashvideo.cz.cc/no/flashplayer.exe
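Both this listing and the ezsaving.com.tw one in the previous alert use the same indented [tag]URL notation, which is handy to turn into a blocklist mechanically. The following is an added example, not AegisLab's tooling: it parses the notation into a tree (nesting follows indentation), extracts the payload nodes and derives a de-duplicated hostname list from the defanged hxxp URLs. The two sample listings are copied from the alerts; the Node type, the PAYLOAD_TAGS set, the dedent width and the function names are this example's own assumptions.

```python
"""Parser for the indented [tag]URL attack-path listings used in these alerts.

Added example, not AegisLab's tooling. Tag names other than those on the
page, the tab width and the Node type are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional
from urllib.parse import urlsplit

LINE_RX = re.compile(r"^(?P<indent>\s*)\[(?P<tag>\w+)\]\s*(?P<rest>.*?)\s*$")
PAYLOAD_TAGS = {"virus", "exe"}  # tags the two listings use for the dropped binary


@dataclass
class Node:
    tag: str
    text: str
    indent: int
    children: List["Node"] = field(default_factory=list)


def parse_attack_path(listing: str) -> List[Node]:
    """Build a forest: a line is a child of the nearest preceding line with a
    smaller indent. Blank lines inside the listing are tolerated."""
    roots: List[Node] = []
    stack: List[Node] = []  # open ancestors, innermost last
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        m = LINE_RX.match(raw)
        if not m:
            raise ValueError(f"unrecognised attack-path line: {raw!r}")
        node = Node(m["tag"], m["rest"], len(m["indent"].expandtabs(4)))
        while stack and stack[-1].indent >= node.indent:
            stack.pop()
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)
    return roots


def walk(nodes: List[Node]) -> Iterator[Node]:
    for node in nodes:
        yield node
        yield from walk(node.children)


def refang(url: str) -> str:
    """hxxp:// is the alerts' defanging convention; restore it for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def hostname(url: str) -> Optional[str]:
    return urlsplit(refang(url)).hostname


def payload_urls(nodes: List[Node]) -> List[str]:
    return [n.text for n in walk(nodes) if n.tag in PAYLOAD_TAGS]


def blocklist(nodes: List[Node]) -> List[str]:
    """Distinct hostnames in first-seen order, skipping non-URL nodes such as [search]."""
    hosts: List[str] = []
    for n in walk(nodes):
        if not n.text.lower().startswith("hxxp"):
            continue
        host = hostname(n.text)
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# Sample input: the two listings from the alerts, indentation preserved.
EZSAVING_PATH = """\
[root]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/index.html
    [script]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/top.js
        [iframe]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/topp.html
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/ie6.html
            [virus]hxxp://www.update-onlines.org/ma/test1.exe
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/ie.html
            [virus]hxxp://www.update-onlines.org/ma/test1.exe
        [exp]hxxp://www.ezsaving.com.tw/bbs/forumdata/cache/coon/web/fun.htm

            [virus]hxxp://www.update-onlines.org/ma/test.exe
"""

SEO_PATH = """\
[search] 'abigail clancy said' on Google
    [root] hxxp://abigailclancy7422.typepad.com/blog/2010/09/abigail-clancy-said.html
    [hop] hxxp://scandalvideo.co.tv/c.php?v=Celebrity+Sex+Tape
    [exe] hxxp://flashvideo.cz.cc/no/flashplayer.exe
"""

if __name__ == "__main__":
    for name, listing in (("ezsaving", EZSAVING_PATH), ("seo", SEO_PATH)):
        tree = parse_attack_path(listing)
        print(name, "payloads:", payload_urls(tree))
        print(name, "blocklist:", blocklist(tree))
```

Keeping the hostnames in first-seen order means the compromised site appears before the payload host, which matches how the alerts read the chain; the [search] node carries a query rather than a URL and is skipped by the blocklist on purpose.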

The detection rate of "test1.exe" is 0% (0/42) in VirusTotal.  

The detection rate of this malicious link is 4% (1/23) in URLVoid.com.

Since 19/05/2011, AegisLab WebGuard has blocked this malicious site.

By AegisLab


[ Security Alert ] 11 May, 2011 23:15

     AegisLab found that the apps published by "zsone" were embedded with the following code segments (or similar ones), which send SMS messages in the background to subscribe to a paid service at some point after the app is launched. Users may be charged for this unknown subscription. As far as we know, it works in China. Google Inc. has been notified, and these apps have now been removed from the Market.

     The analysis is as follows. Take "iCartoon" for instance: it sends SMS messages to 1066185829, 106601412004 and 1066953930 when the user clicks to switch images for the fifth time, with specially coded text such as YXX1 or 921X1 to subscribe to an unknown service. It does this only once, to avoid being noticed by the user.

     Figure 1: One of the messages it sends to 1066185829 behind the scenes.

     Figure 2: Only delivered on the 5th click (iCartoon case).

     Figure 3: Delivers the SMS just once and saves a tag to mark whether it has been done. 'Y' means done.

     Figure 4: Saves the tag via SharedPreferences.
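The behaviour in Figures 1 to 4 (a SmsManager send to a hard-coded short code, guarded by a SharedPreferences "done" tag) leaves a recognisable trace in an APK's string table. The following is an added triage heuristic, not AegisLab's detection logic or any code from the apps: it works over a list of strings extracted from classes.dex (smali-style method descriptors, string literals and, if the extractor merges them in, manifest permission names) and rates the combination described above. The regexes, risk rules and both sample string lists are constructed for this example; the numbers in ZSONE_NUMBERS are the ones reported in this alert.

```python
"""Static triage heuristic for the background-SMS behaviour described above.

Added example, not AegisLab's detection logic. Input is the string table
of an APK (smali-style descriptors, literals, permission names). The risk
rules, regexes and sample lists are constructed for this example.
"""
import re
from typing import Dict, List

# Real Android descriptors for the SMS send API and the SharedPreferences editor.
SMS_API_RX = re.compile(r"Landroid/telephony/(?:gsm/)?SmsManager;->send(?:Multipart)?TextMessage")
PREFS_FLAG_RX = re.compile(r"Landroid/content/SharedPreferences\$Editor;->put(?:String|Boolean)")
SHORT_CODE_RX = re.compile(r"^\d{5,12}$")  # bare 5-12 digit literal, the shape of an SP short code
SEND_SMS_PERMISSION = "android.permission.SEND_SMS"
# Numbers this alert reports iCartoon messaging; used here as a known-bad list.
ZSONE_NUMBERS = {"1066185829", "106601412004", "1066953930"}


def assess(dex_strings: List[str]) -> Dict:
    """Rate an app's string table: high / medium / low, plus the evidence found."""
    sms_api = any(SMS_API_RX.search(s) for s in dex_strings)
    prefs_flag = any(PREFS_FLAG_RX.search(s) for s in dex_strings)
    permission = SEND_SMS_PERMISSION in dex_strings
    short_codes = [s for s in dex_strings if SHORT_CODE_RX.match(s)]
    known_bad = [s for s in short_codes if s in ZSONE_NUMBERS]

    if sms_api and (known_bad or (short_codes and prefs_flag)):
        risk = "high"    # SMS API plus a known number, or a hard-coded number plus a one-shot flag
    elif sms_api or known_bad:
        risk = "medium"  # worth a manual look, but the full pattern is not present
    else:
        risk = "low"

    return {
        "sms_api": sms_api,
        "send_sms_permission": permission,
        "prefs_flag": prefs_flag,
        "short_codes": short_codes,
        "known_bad_numbers": known_bad,
        "risk": risk,
    }


# Constructed string table shaped like the iCartoon description: permission,
# SmsManager send, SharedPreferences flag, a short code and the coded text.
SUSPICIOUS_DEX_STRINGS = [
    "android.permission.SEND_SMS",
    "Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;",
    "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;"
    "Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
    "Landroid/content/SharedPreferences$Editor;->putString(Ljava/lang/String;Ljava/lang/String;)"
    "Landroid/content/SharedPreferences$Editor;",
    "1066185829",
    "YXX1",
    "Y",
    "iCartoon",
]

# Constructed benign table: a first-run flag in SharedPreferences but no SMS use.
BENIGN_DEX_STRINGS = [
    "android.permission.INTERNET",
    "Landroid/content/SharedPreferences$Editor;->putBoolean(Ljava/lang/String;Z)"
    "Landroid/content/SharedPreferences$Editor;",
    "first_run",
    "iCalendar",
]

if __name__ == "__main__":
    for label, strings in (("suspicious", SUSPICIOUS_DEX_STRINGS), ("benign", BENIGN_DEX_STRINGS)):
        print(label, assess(strings))
```

A SharedPreferences write on its own is ordinary app behaviour, which is why the benign sample stays "low"; the heuristic only escalates when it sits next to the SMS API and a numeric literal that looks like a short code, the exact trio Figures 1, 3 and 4 show.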


     Currently the malicious behavior we observed only works in China. If you are located in China, please check your device for any zsone apps. If you find any, remove them immediately, or install AegisLab Antivirus to scan for you.

     Below is the list of apps we found that are published by zsone and are suspicious (iSMS/iLife are not included; still under investigation):

iBook
iCartoon
LoveBaby
3D Cube horror terrible
Sea Ball
iCalendar
iMatch 对对碰
Shake Break
ShakeBanger
iMine
iGuide

   Table 1: Apps that are suspicious.

By AegisLab


[ Activity ] 04 May, 2011 19:33

     AegisLab is very glad to announce that we will attend Info Security Expo (Tokyo, Japan) to share our ideas, signature service and solutions for the Android platform and mobile devices. Our booth is East #23-18 (Lionic).

   Time: 2011-05-11 to 2011-05-13.

   Place: Tokyo Big Sight (Japan).

  You can find more information at http://www.ist-expo.jp/en/Home/.

   Welcome to visit us!

By AegisLab 

[ Security Alert ] 04 May, 2011 18:03

    AegisLab has found that www.GK99.COM.TW was hacked and injected with malicious files at the end of February. The file name has since been changed, but the content remains the same. Most URL filters are not blocking the following links.

WAS: hxxp://www.gk99.com.tw/facebook.exe

IS: hxxp://www.gk99.com.tw/Facebook.scr

The detection rate of this virus is 87.2% (34/39) in VirusTotal.  

The detection rate of this malicious link is 21.4% (3/14) in VirusTotal.

Since the end of February 2011, AegisLab WebGuard has blocked it.

By AegisLab

