Tuesday, June 24, 2014

Adware Utilizes Google Docs to Scam Users

Spammers are no strangers to exploiting existing file-sharing services to propagate their warez, and Google has been used in the past to lend some sense of legitimacy to a scam. In a scam that we recently uncovered, users receive a URL-shortened link that leads them to a malicious ad hosted within Google Docs. There is no malware explicitly hosted on Google Docs, but rather a link to a scam which is too tempting not to click...

A must-click to be sure.

This particular scam capitalizes on PC video gamers' desire to download free software. The download link takes the user to a freeware site that will supposedly give them the most innovative Goat game to date.

gripped(.)biz redirects the user to many different Adware packages

Users will leave the site disappointed, however, when they realize that the only things available are a series of fake codecs, media players, and Browser Helper Objects.

Users come for the Goat Simulator, but stay for the bogus media player.

In this specific attack, users are subjected to just about every modern adware scam to date. I attempted the download a few times and uncovered separate packages which scored very low on VirusTotal.

ShopAtHome Toolbar - b181e5f9cfa97c43841fe2e385c974fa
MediaPlayerClassic - 408e8969cd0abd153eab6696f8add363

Sadly, neither download provides access to Goat Simulator 2014; instead each continues to take advantage of the user's good faith by offering them free gift cards if they enter their e-mail address and Personally Identifiable Information.

Any e-mail address will be spammed.

The conclusion that users and administrators should come to is that there is no safe haven from malicious or suspicious content on the Internet. All content should come under the scrutiny of a security solution, including Google document sharing. Nothing in this life is free, let alone the most innovative Goat Simulator ever conceived by man.

Beware of Skype Adware

During our daily log analysis, we recently encountered a sample purporting to power up Skype with different emoticons. The binary, when installed, integrated itself with Skype and sent the following message to the user's contacts without further intervention.

The binary in question (SkypEmoticons.exe) can be downloaded from hxxp://skypemoticons.com/.

Home page of hxxp://skypemoticons.com/ 

After installation it dropped the following executable files:

Most of the dropped files are adware, which may lead to malicious activity.
Here is the VT report for SkypEmoticons.exe.

VT reports of the various dropped samples:


Contacted sites from which dropped files were downloaded:
  • hxxp://homebestmy.info
  • hxxp://superstoragemy.com
  • hxxp://setepicnew.info
We also observed User-Agent: TixDll being used for downloading the files, which provided a handy mechanism to do some data mining and identify other domains associated with the adware. The following malicious domains were observed to be contacted via this User-Agent:

  • hxxp://getapplicationmy.info
  • hxxp://applicationgrabb.com
  • hxxp://appmegga.info
  • hxxp://downlloaddatamy.info

Other domains identified in our logs contacted by this User-Agent are not currently showing any malicious activity, but may deliver some malicious content in the future:
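As an added example (not part of the original post), here is how the User-Agent log hunt described above could be scripted: it parses proxy log lines in combined log format, keeps only requests made with the TixDll User-Agent, tallies the contacted domains per client and separates out domains not already on the post's list. The log lines, the client IPs and the newhost-placeholder.example domain are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log lines (combined log format); not from the original post.
# Hosts are the domains the post associates with TixDll, plus one benign request and one unknown host.
SAMPLE_LOG = """\
10.0.0.12 - - [18/Jun/2014:10:01:02 +0000] "GET http://getapplicationmy.info/dl/setup.exe HTTP/1.1" 200 51234 "-" "TixDll"
10.0.0.12 - - [18/Jun/2014:10:01:09 +0000] "GET http://applicationgrabb.com/a/b.exe HTTP/1.1" 200 8812 "-" "TixDll"
10.0.0.7 - - [18/Jun/2014:10:02:44 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.0.0.12 - - [18/Jun/2014:10:03:15 +0000] "GET http://appmegga.info/x.exe HTTP/1.1" 200 40960 "-" "TixDll"
10.0.0.9 - - [18/Jun/2014:10:04:00 +0000] "GET http://getapplicationmy.info/dl/setup.exe HTTP/1.1" 200 51234 "-" "TixDll"
10.0.0.9 - - [18/Jun/2014:10:04:30 +0000] "GET http://newhost-placeholder.example/p.exe HTTP/1.1" 200 777 "-" "TixDll"
"""

# Domains the post already lists as contacted via the TixDll User-Agent.
KNOWN_TIXDLL_DOMAINS = {
    "getapplicationmy.info", "applicationgrabb.com",
    "appmegga.info", "downlloaddatamy.info",
}

# Combined log format: client ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def hunt_user_agent(log_text, user_agent="TixDll"):
    """Return (Counter of domain -> request count, set of client IPs) for requests with the given UA."""
    domains, clients = Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("ua") != user_agent:
            continue  # unparseable line or a different User-Agent
        host = urlparse(m.group("url")).hostname
        if host:
            domains[host] += 1
            clients.add(m.group("client"))
    return domains, clients

def new_domains(domains, known=KNOWN_TIXDLL_DOMAINS):
    """Domains contacted by the UA that are not yet on the known list: candidates for review."""
    return sorted(d for d in domains if d not in known)

if __name__ == "__main__":
    hits, hosts = hunt_user_agent(SAMPLE_LOG)
    for domain, count in hits.most_common():
        print(f"{domain:35s} {count} request(s)")
    print("clients:", sorted(hosts), "not yet known:", new_domains(hits))
```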


Use caution when installing any add-on program, especially one that is able to control a powerful communication tool such as Skype.  

Tuesday, June 17, 2014

FIFA World Cup Fake Streaming

We all love football, and when the World Cup is on, we take a break from the office, switch on the TV and enjoy the game! According to estimates, billions of people will watch the matches live, and a good proportion of them watch online as well. Not surprisingly, the Brazil World Cup matches are being used as an opportunity by attackers to post spam links, adware and Trojans on various sports-related websites. The chances of visiting these websites are of course much higher given World Cup fever. One of the more popular websites for watching live streamed sports matches is lshunter.com.

I recently tried to watch the Brazil vs Croatia match on lshunter.com. It asked me to click on the ‘Start’ button to begin the live stream.

When we start the video stream, it redirects to hxxp://www.sofler.com/lp/videoperformer/v18/?v=18&cid=4151&clickid=0066965515096773257&a=8, asking for the installation of the ‘Latest Video Converter’. The page looks similar to Adobe’s Flash update website and tricks the user into downloading an updater executable. In our excitement to watch the match, we may sometimes just follow the links and install the update/software before even verifying the source.

Our internal analysis confirmed that the installer is a Potentially Unwanted Program (PUP) that contains adware, installs toolbars or has other unclear objectives. It can be downloaded directly from: hxxp://www.appoder.com/download3/$m%2BI%2FeZA3ZUMplwkZ?v=18&cid=4151&clickid=0066965515096773257&a=8&cert=r2&installer=tt&resources=tt&maker=pth.
Such programs exist mainly to serve advertising and to inflate a site's page rank in Google search results. At the same time they interfere with the user by changing browser settings such as the default home page and default search engine.

File : VideoPerformerSetup.exe
MD5: 99bbdce5fa1fe4692164a7c5425e552f
VirusTotal Report: 11/54

Another such example we found was located at hxxp://antenasport.net

When clicking on the link, we are taken to a fake torrent software download page.

Here, if we try to install the video downloader, it again redirects to a downloader page with a very long URL: hxxp://cdn.download-videos-free.com/lp/?appid=277&subid=20rUiz2FyHs6jI4D3kXVAW1wVn4T000.&line_item=561741&info=pofmEapp80E6INYWRNmO4mqpVFObUblO_p545PzWE3wDvFkwmYxuAws6V3b9JwlAAMpdDEBVqI1MAGjnAhR42oEkD1ayVdvtbk58EoMVzP-drJwzQc45A5_E45moeuFdo_4OJSqWOWCfsTNEqmfOuXT8HnMKJ4i1KttwhluLoWozLv6d9-xZfxFFbEn7jNV61ThZLh_GXzyLdW9Cr-QM-PNrQqvedi_bDlFQzq2ZbiqXn8rg7AK6IgEi6_bI6_5kez-PierrqxpxeerYycsgkJBUFScZ3dORrBTQI34wLsA3IvvGLNs8m9hbfW0X87dwcCVMqHGUuUeTwdE8Vrg1AQqFzD9QOcHGxAi9Zhp9JYYkXIJwYVmX7Q0lw5y7Mk3oacvtN8SHuCfoMYc23rZWR6jTKUBhynZ9qm4v4gv9bZdd-P22981310_CR17481133_CA18661040&dp=pofmEapp80E6INYWRNmO4mqpVFObUblO_p545PzWE3wDvFkwmYxuAws6V3b9JwlAAMpdDEBVqI1MAGjnAhR42oEkD1ayVdvtbk58EoMVzP-drJwzQc45A5_E45moeuFdo_4OJSqWOWCfsTNEqmfOuXT8HnMKJ4i1KttwhluLoWozLv6d9-xZfxFFbEn7jNV61ThZLh_GXzyLdW9Cr-QM-PNrQqvedi_bDlFQzq2ZbiqXn8rg7AK6IgEi6_bI6_5kez-PierrqxpxeerYycsgkJBUFScZ3dORrBTQI34wLsA3IvvGLNs8m9hbfW0X87dwcCVMqHGUuUeTwdE8Vrg1AQqFzD9QOcHGxAi9Zhp9JYYkXIJwYVmX7Q0lw5y7Mk3oacvtN8SHuCfoMYc23rZWR6jTKUBhynZ9qm4v4gv9bZdd&dp2=P22981310_CR17481133_CA18661040&c8=service.srvmd6.com

Our dynamic and behavioral analysis runs confirmed it to be adware. It also drops a few DLL, tmp and gif files in the system folder to support its activities.
MD5: 77a2f54fee9438a7dd4c20199a85737c
VirusTotal Report: 8/54

Users also need to be aware of various random Facebook posts and comments mentioning live streaming sites like hxxp://soccertv.blogdns.com/. We have also encountered such links when shared by friends on social networks.

The aforementioned link takes us to a video player updater site, hxxp://www.sweetplayer.com, which also hosts adware scripts.
File: SweetPlayer_TSA24NBA7.exe
MD5: b035162687f54779a7c5739f08b9b79b
VirusTotal Report: 8/54

End users should be very wary of any site pushing executables. Browser plugin updates should only be proactively downloaded directly from the associated vendor. Don’t ever blindly trust a site suggesting a browser update.
Enjoy the World Cup!

Saturday, June 14, 2014

Android App Shares World Cup News at the Expense of Your Privacy

Everyone is excited about the football World Cup, and apparently so are those peddling adware. Earlier we discussed apps integrating some of the more aggressive Android advertising SDKs, which are flagged by AV vendors as adware (Google Play vs AV vendors). We recently came across a particularly egregious adware app promoting World Cup news.
VirusTotal: 18/45
List of suspicious methods identified via static analysis:
  • getMACAddress
  • getLine1Number
  • getsms
  • getLongitude
  • getLatitude
  • getImei
  • getImsi
  • getAndroidId
  • getEmail
  • getManufacturer
  • getOsVersion
  • getNetworkconnectiontime

Let's see how it harvests all this information.

Device information

This app contains the Airpush and Revmob advertising SDKs. From the screenshot above, you can see the application harvesting the device MAC address (something Apple has cracked down on), mobile ID, Android ID and serial numbers. Adware harvests such identifiers because they allow the user's device to be tracked across applications that use the same SDKs.

Device information

Above, you can see the application harvesting device model information, the SDK API version, manufacturer details and the device OS version. This information can then be used by advertisers to build statistics about app usage.
Phone number
In this screenshot, you can see the application also collecting the user's phone number. This is very sensitive information as such information can be used for phone based spamming and advertising campaigns.

This app also collects the user's email account, which again is likely used for spamming and advertising campaigns.
Finally, the application collects the device IMEI number, another valuable identifier for tracking the same device across applications sharing the same advertising SDKs.
Data sent

You can also see all of the info being delivered to a third party.
Google play store developer policy
As per the Google Developer policy, usage of MAC address and IMEI numbers is strictly prohibited. Still, such apps are regularly permitted into the Google Play store and bypass Google's automated checks. This is an area where Apple is doing a better job of protecting end user privacy, through both changes at the O/S level and application reviews conducted before apps are included in the App Store. Apple would no longer permit an app with the level of data collection seen in this particular Android app. There is persistent confusion about what privacy-sensitive data Android apps may collect. In spite of clear guidelines from Google about data collection, developers are ignoring the rules and Google is not aggressively enforcing them.

Despite the aggressive data collection, this app is not malicious. Instead we (and many anti-virus vendors) consider this app an example of aggressive adware.

Stay safe while enjoying the World Cup.

Friday, June 6, 2014

Analyzing Android ‘Simplocker’ ransomware.

Recently we came across a sample of a new ransomware, ‘Simplocker’, for Android. The ransomware encrypts the files present on the SD card and then demands a ransom from the victim to decrypt them.

File Information:
File: fd694cf5ca1dd4967ad6e8c67241114c.apk
Size: 4917678
md5: fd694cf5ca1dd4967ad6e8c67241114c
Virustotal Report: 9/51

Let's analyze the ransomware.

The ransomware displays a ransom message in Russian demanding payment.
Ransom message. 
The ransom message asks for "260 Ukrainian Hryvnia" and threatens to delete the data if the ransom is not paid.

Translation of the message:
Translation of ransom message.
Let’s dive in to the code for more details.
Use of AES. 
Static strings
The above screenshot shows how the ransomware uses AES encryption to encrypt files. Simplocker scans the SD card for files of the types jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp and mp4, then encrypts them with the cipher key “jndlasf074hr”.
Suffix "enc"
The ransomware adds the suffix “enc” to the scanned files after encrypting them.
Device information: IMEI number.
Device information: model and manufacturer id.
It also harvests device information such as the IMEI number and model number.
After harvesting the device details, it communicates with the CnC server highlighted in the screenshot. Interestingly, the ransomware uses Tor as a proxy to connect to the CnC server so that the communication stays hidden.

CnC Server:  hxxp://xeyocsu7fu2vjhxs.onion/

The proxy details are shown below.
Proxy Details.
It also monitors presses of the phone's back key, so that the ransom message is displayed again and again whenever the user tries to dismiss it.
Monitoring back press.
We advise against downloading or installing apps from unauthorized app stores in order to stay away from such Android malware.