[ Security Alert ] 12 November, 2012 18:57

AegisLab found that the URL www.hv20.com/payroll/djia-finance.php has been poisoned by a blackhat SEO campaign.

The attack chain is as follows:

Google search -> djia finance

-> hxxp://www.hv20.com/payroll/djia-finance.php

-> hopping site -> hxxp://78.159.118.51/in.cgi?10

-> the final download site -> hxxp://proddingappsumo.info/guaranteeing/means_phone-pool_occurs.php?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f

!! (attempts to download a malicious PDF file) !!

VirusTotal scan result (3/44):

https://www.virustotal.com/file/e7c42a18ff9a8acdd4eb9f5808ec5bd5cafac1cd8ca6ac1ef6b71cdfe2106f67/analysis/1352442238/ 

 

Based on our analysis, the URL format of this download site is the one generated by Blackhole Exploit Kit 2.0.

As of this writing, the "djia finance" blackhat SEO poisoning is still live, and Google shows no warning for it in the search results.
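The chain above is easiest to catch in proxy logs, where the hop to the `/in.cgi?<n>` redirector and the Blackhole-style landing URL stand out from normal traffic. The script below is an added example (not AegisLab code): it encodes the shape of the landing URL quoted above as a heuristic (plain-word directory, `word_word-word.php` script, short random parameter names, values made of two-character tokens joined with `:`) and runs it over a constructed Squid-style access log containing the three requests from the chain plus benign ones. The regular expressions are derived from that single URL and are an assumption, not an official Blackhole 2.0 signature.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shape of the landing URL quoted above (an assumption derived from that one URL,
# not an official Blackhole signature): one plain-word directory, a script named
# word_word-word.php, random lowercase parameter names, and values built from
# two-character [0-9a-z] tokens joined with ':'.
LANDING_PATH_RE = re.compile(r"^/[a-z]+/[a-z]+(?:[_-][a-z]+)+\.php$")
PARAM_NAME_RE = re.compile(r"^[a-z]{3,8}$")
PARAM_VALUE_RE = re.compile(r"^[0-9a-z]{2}(?::[0-9a-z]{2})*$")
# Hopping-site shape from the chain above: /in.cgi?<number> (same caveat).
HOP_PATH_RE = re.compile(r"^/in\.cgi$")


def defang_to_http(url):
    """Turn the hxxp:// notation used in this alert back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def looks_like_blackhole2_landing(url):
    """True when path and query match the landing-page shape described above.
    At least two parameters are required and at least one must carry a
    colon-joined token list; a plain .php page with no query does not match."""
    parts = urlsplit(defang_to_http(url))
    if not LANDING_PATH_RE.match(parts.path):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) < 2:
        return False
    token_lists = 0
    for name, value in params:
        if not PARAM_NAME_RE.match(name) or not PARAM_VALUE_RE.match(value):
            return False
        if ":" in value:
            token_lists += 1
    return token_lists >= 1


def looks_like_hop_redirector(url):
    """True for the /in.cgi?<digits> hopping-site shape seen in the chain."""
    parts = urlsplit(defang_to_http(url))
    return bool(HOP_PATH_RE.match(parts.path)) and parts.query.isdigit()


def classify_url(url):
    if looks_like_blackhole2_landing(url):
        return "blackhole2-landing"
    if looks_like_hop_redirector(url):
        return "hop-redirector"
    return None


def scan_proxy_log(text):
    """Scan Squid-style access-log lines; return (line_no, label, url) hits."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        url = next((f for f in line.split() if f.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        label = classify_url(url)
        if label:
            hits.append((line_no, label, url))
    return hits


# Constructed sample log: the three hops from the chain above plus two benign requests.
SAMPLE_LOG = """\
1352442200.101 312 10.0.0.15 TCP_MISS/200 4521 GET http://www.hv20.com/payroll/djia-finance.php - DIRECT/203.0.113.10 text/html
1352442200.455 87 10.0.0.15 TCP_MISS/302 310 GET http://78.159.118.51/in.cgi?10 - DIRECT/78.159.118.51 text/html
1352442201.002 940 10.0.0.15 TCP_MISS/200 18234 GET http://proddingappsumo.info/guaranteeing/means_phone-pool_occurs.php?tjn=33:2v:1h:2w:1m&wrgglxs=38&ciooh=33:30:32:2w:30:1n:31:1f:1m:1i&zuhy=1n:1d:1g:1d:1h:1d:1f - DIRECT/198.51.100.7 text/html
1352442205.771 120 10.0.0.22 TCP_HIT/200 9876 GET http://www.example.com/finance/reports_2012.php?page=2&sort=asc - NONE/- text/html
1352442206.014 95 10.0.0.22 TCP_MISS/200 2210 GET http://www.example.org/blog/wp-login.php?redirect_to=/ - DIRECT/203.0.113.44 text/html
"""

if __name__ == "__main__":
    for line_no, label, url in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s %s" % (line_no, label, url))
```

Note that the poisoned page itself (`/payroll/djia-finance.php`) is not flagged: its path has the same word-word shape but it carries no query string, which is why the query check is part of the heuristic. A real deployment would tune the parameter-name length and token rules against its own traffic before alerting on them.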


AegisLab urges customers to keep their WG signatures updated to the latest version.


by AegisLab WG Team 

 

[ Security Alert ] 20 September, 2012 14:46
  Unlike Flame and Stuxnet, the ZeroAccess botnet is not well known, but it may be even more harmful than those two: it has already infected over 9 million PCs and is still spreading.

   According to our observation and research, ZeroAccess is not controlled over the usual IRC or HTTP channels; instead each bot joins a peer-to-peer network. The P2P protocol used by the latest version has only a few commands and is designed to distribute files and peer IP addresses across the network quickly. Its traffic is encrypted to hinder detection, and several measures are taken to prevent the network from being poisoned or taken over.

  AegisLab already has Anti-Virus and IDP signatures that detect most ZeroAccess samples and their call-home behavior. We urge our customers to keep their Anti-Virus and IDP signatures up to date.

[ Security Alert ] 10 August, 2012 10:59

    According to the Fox-IT International blog, a new virus called "XDocCrypt/Dorifel" searches the victim's computer for MS Word files and encrypts them with RC4 (Figure 1). The files cannot be recovered without the RC4 key. The virus does not look like ransomware, however, because it displays no ransom note. So far over 2,200 networks of government, public-sector and private organizations in the Netherlands have been affected (Figure 2).

Figure 1: encrypt file by RC4 (source: Fox-IT International Blog)

 

Figure 2: NL tops the rank, followed by DK  (source: Fox-IT International Blog)

AegisLab has collected the 18 "XDocCrypt/Dorifel" samples listed below. Their detection rate on VirusTotal is about 25%-30%, and 3 of them are not in the VirusTotal database at all:


AegisLab Antivirus detects and removes "XDocCrypt/Dorifel" and its variants. We will keep watching this emerging threat.

 

--------------------------------------------------------   

Update (08/10): The virus infects only Word/Excel files on network shares or USB drives, so that it spreads quickly, and disguises the resulting executable as a normal Word/Excel document by abusing the Unicode right-to-left override (RTLO) character in the file name.
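The RTLO trick works because U+202E makes everything after it render reversed, so a name that really ends in `cod.scr` is displayed ending in `rcs.doc` while the OS still treats it as a screensaver executable. The following added example (not AegisLab code) shows both views of a filename and flags names where a bidi control makes an executable extension look like a document extension; it can be pointed at a share or USB listing. The sample names are constructed for the example, and the rendering function is an approximation of real bidi layout, enough to show the trick.

```python
import os

RTLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: reverses the display order of what follows
PDF = "\u202c"    # POP DIRECTIONAL FORMATTING: ends an override
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def displayed_name(name):
    """Approximate how a file manager renders the name: the run after U+202E is
    shown reversed, up to a U+202C or the end of the string. (Real bidi rendering
    is more involved, but this is enough to see the trick.)"""
    out, i = [], 0
    while i < len(name):
        if name[i] == RTLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif name[i] in BIDI_CONTROLS:
            i += 1                      # other controls are simply invisible
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def real_extension(name):
    """The extension the OS actually uses once the control characters are ignored."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()


def check_filename(name):
    """Describe one filename; 'suspicious' means a bidi control makes an
    executable extension look like a document extension."""
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = real_extension(name)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "raw": name.encode("unicode_escape").decode("ascii"),  # make U+202E visible in output
        "shown": shown,
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "suspicious": has_bidi and real_ext in EXECUTABLE_EXTS and real_ext != shown_ext,
    }


def scan_names(names):
    """Return the suspicious entries from an iterable of filenames (e.g. os.listdir of a share)."""
    return [r for r in (check_filename(n) for n in names) if r["suspicious"]]


# Constructed names in the style described above: an RTLO character makes
# "...cod.scr" render as "...rcs.doc" and "...slx.exe" as "...exe.xls".
SAMPLE_NAMES = [
    "Budget 2012\u202ecod.scr",
    "Quarterly\u202eslx.exe",
    "Budget 2012.doc",
    "notes.txt",
]

if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        print("shown as %-24s real extension %-5s (%s)" % (r["shown"], r["real_ext"], r["raw"]))
```

The check deliberately keys on the raw string rather than on what is displayed: any bidi control character in a filename on a file share is unusual enough to review, and one that hides an executable extension is the Dorifel case exactly.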

 

[ Security Alert ] 08 August, 2012 10:04

    AegisLab discovered that many "mail.htm" pages have been trojanized with an injected <iframe> that launches a drive-by download. So far there are 311 victim websites, and the number is still growing.


If you visit a victim website without an HTTP Referer header, it simply redirects you to Google.

Victim #1: 

 

Victim #2: 

 

Victim #3:  

 

With a proper HTTP Referer, however, you are redirected to one of the following sites:

  • hxxp://online-cammunity.ru:8080/forum/w.php?f=182b5&e=2
  • hxxp://zenedin-zidane.ru:8080/forum/w.php?f=5e91c&e=4 
  • hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2
  • (and more...)
Note that these polymorphic URLs all share the same pattern: {hostname}.ru:8080/forum/w.php?f=...
 
"Onerussiaboard.ru", "online-cammunity.ru" and "mysqlfordummys.ru" no longer resolve, but the latest domain, hxxp://spb-koalitia.ru:8080/forum/w.php?f=182b5&e=2, is still alive. As far as we know, Google Safe Browsing does not block it yet (see figure below).
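Because the injected code behaves differently depending on the Referer, a single fetch from a scanner or an analyst's browser bar sees only the harmless redirect to Google. The check a practitioner wants is to request the page twice, once without a Referer and once with a search-engine Referer, without following redirects, and compare the two Location headers. The following is an added example, not AegisLab code: it stands up a small loopback HTTP server that imitates the cloaking behaviour described above (the exploit hostname in it is a placeholder, not one of the sites in this alert) and probes it the way you would probe a suspected victim site.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed stand-in for a trojanized page (the hostname below is a placeholder,
# not one of the victim or redirector sites in this alert): visitors arriving from
# a search engine are sent to the exploit URL, everyone else to Google.
DECOY_TARGET = "http://www.google.com/"
EXPLOIT_TARGET = "http://forum-host.example:8080/forum/w.php?f=182b5&e=2"


class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        referer = self.headers.get("Referer", "")
        target = EXPLOIT_TARGET if "google." in referer else DECOY_TARGET
        self.send_response(302)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo server quiet


def start_fake_site():
    """Serve the cloaking handler on a free loopback port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/mail.htm" % server.server_address[1]


def fetch_location(url, referer=None):
    """One GET that does NOT follow redirects; returns (status, Location header)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    try:
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe_cloaking(url, referer="http://www.google.com/search?q=mail"):
    """Request the page twice, without and with a search-engine Referer, and
    report whether the redirect target changes (referer-based cloaking)."""
    _, plain = fetch_location(url)
    _, with_ref = fetch_location(url, referer)
    return {"without_referer": plain, "with_referer": with_ref, "cloaked": plain != with_ref}


def demo():
    """Spin up the fake site, probe it, tear it down, return the probe result."""
    server, url = start_fake_site()
    try:
        return probe_cloaking(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real suspect page you would call `probe_cloaking` with the page URL directly; the important detail is `http.client`, which returns the 302 as-is, whereas a convenience client that follows redirects would land you on Google (or on the exploit kit) and lose the comparison.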

 

 

Besides "mail.htm", we found many "upload.htm" pages trojanized in the same way, because the software packages these sites run are vulnerable.

 

The software packages used by the victim websites are listed below:

  • hxxp://www.r-toto.com.cn/mail.htm -> Metinfo 4.0
  • hxxp://www.tiyidi.com/mail.htm -> Discuz X2
  • hxxp://www.kshaoye.com/mail.htm -> WordPress 3.4.1

  

Finally, the program downloaded from the malicious websites is called "win32.exe"; its detection rate on VirusTotal is shown below:


AegisLab WebGuard has blocked all of the malicious websites, and AegisLab Antivirus detects and removes the malicious program.

 

[ Security Alert ] 01 August, 2012 10:10

    With the official Olympic mobile games released in July (Figure 1), attackers have been aggressively using the hot topic to trick people. Recently AegisLab found fake Olympic mobile games on several Russian Android markets. Once installed, the app silently sends premium-rate SMS messages, so the victim's phone bill rises dramatically. AegisLab reminds users not to download and install apps from untrusted Android markets, to avoid losing sensitive personal information and money.

The malicious Android markets AegisLab discovered are:

  • igry-for-android.ru (Figure 2)
  • samsungs5570.ru (Figure 3)
The following apps were downloaded from these markets; their VirusTotal reports are listed below (detection rate in parentheses):

 

Figure 1: The official mobile games are available on both Google Play and the Apple App Store.

 

Figure 2:Fake olympic mobile games 

 

Figure 3:Fake olympic mobile games 

 

by AegisLab 

[ Security Alert ] 30 July, 2012 15:16

    Last week AegisLab found a suspicious URL: hxxp://adobe-upgrade.org/w.php?f=28f52. It looks like an official Adobe domain, but it is not: the domain was registered by an attacker to trick victims into downloading a malicious program. After analyzing the program in depth, we found that it is a fake AV. Once installation completes, it shows a virus-scanning page (Figure 1) reporting how many files on the computer are "infected". The scan is entirely fake, but the computer really is infected once the "scan" finishes :-)

   VirusTotal details

SHA256: e69d29b7b09449e64474b0caed08461f527b9ce1577f95f4ef3409e7424d5e36
SHA1: b0742f1f07e30620d0643029375786873d897177
MD5: 4c57cf16bbe1e1f5e8e38b3773f5e07a
File size: 404.0 KB ( 413696 bytes )
File name: about.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 7 / 41
Analysis date: 2012-07-23 05:55:56 UTC 

 

Figure 1: Fake virus scan page
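Domains like adobe-upgrade.org work because users read the brand name and stop. A cheap control is to triage observed URLs for brand tokens that sit outside the brand's own registrable domain. The following is an added example, not AegisLab code: it extracts the registrable domain from a hostname (with a deliberately tiny stand-in for the public suffix list), then flags both extra words wrapped around a brand name in the registered label (adobe-upgrade.org) and a brand name used only as a subdomain of an unrelated domain (adobe.com.evil.org), while letting the brand's real domain and its subdomains through. The brand allowlist and the sample URLs other than the one from this alert are constructed for the example.

```python
from urllib.parse import urlsplit

# Brand tokens and the registrable domains each brand legitimately uses. The
# allowlist here is an assumption for the example; a real one would be maintained
# from the vendor's published domains.
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
}
# Country-code suffixes under which the registrable name is three labels long
# (a deliberately tiny subset of the public suffix list).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.cn", "com.tw"}


def registrable_domain(host):
    """example.co.uk -> example.co.uk, www.adobe.com -> adobe.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(url):
    """Return the brand a hostname imitates, or None.
    Catches extra words around the brand in the registered label
    (adobe-upgrade.org, adobeupdate.net) and the brand used as a subdomain
    of an unrelated domain (adobe.com.evil.org); real brand domains and their
    subdomains pass."""
    host = (urlsplit(url.replace("hxxp", "http", 1)).hostname or "").lower()
    reg = registrable_domain(host)
    subdomain_part = host[: len(host) - len(reg)]
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            return None
        owner_labels = reg.split(".")[:-1]          # labels left of the TLD
        if any(brand in label for label in owner_labels) or brand in subdomain_part:
            return brand
    return None


def triage(urls):
    """Map each URL to the brand it imitates (None when no brand matches)."""
    return {u: brand_lookalike(u) for u in urls}


# Constructed sample: the URL from this alert plus a few contrasting cases.
SAMPLE_URLS = [
    "hxxp://adobe-upgrade.org/w.php?f=28f52",
    "https://get.adobe.com/reader/",
    "http://adobe.com.evil.org/update.exe",
    "http://www.example.org/",
]

if __name__ == "__main__":
    for u, brand in triage(SAMPLE_URLS).items():
        print("%-40s %s" % (u, brand or "-"))
```

Substring matching on the brand token is intentionally loose (it would also flag a legitimate "adobestone.com"), so treat a hit as a reason to look at the site, not as a verdict; the point is that the registrable-domain split, not the presence of the word "adobe", is what decides whether a URL is the vendor's.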

 

by AegisLab 
