Monday, August 18, 2008

The Analysis of Mystery Web Attack Hijacks Your Clipboard

Recently, The Register reported "Mystery web attack hijacks your clipboard". What actually happened? The conclusion is that the attacker tries to lure users into installing fake antivirus software, and most people guess that the attacker exploits an Adobe Flash vulnerability.

When the link (first picture) is clicked, the following screens are displayed:

When clicked, Wireshark captures the downloaded files as below:



==The following focuses on Web Reputation Service testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



Finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV scanner testing==

File AV2009Install_77011807.exe received on 08.17.2008 09:39:49 (CET)

Result: 8/36 (22.22%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 -
AntiVir 7.8.1.19 2008.08.16 -
Authentium 5.1.0.4 2008.08.16 -
Avast 4.8.1195.0 2008.08.15 -
AVG 8.0.0.161 2008.08.16 Downloader.FraudLoad.E
BitDefender 7.2 2008.08.17 Trojan.FakeAlert.Gen.1
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.16 -
DrWeb 4.44.0.09170 2008.08.17 -
eSafe 7.0.17.0 2008.08.14 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.16 -
F-Prot 4.4.4.56 2008.08.16 -
F-Secure 7.60.13501.0 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
Fortinet 3.14.0.0 2008.08.17 -
GData 2.0.7306.1023 2008.08.16 Trojan-Downloader.Win32.FraudLoad.vbef
Ikarus T3.1.1.34.0 2008.08.17 -
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.17 -
NOD32v2 3361 2008.08.16 a variant of Win32/Adware.XPAntivirus
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.16 -
PCTools 4.4.2.0 2008.08.16 -
Prevx1 V2 2008.08.17 Fraudulent Security Program
Rising 20.57.61.00 2008.08.17 -
Sophos 4.32.0 2008.08.17 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.16 AntiVirus2009
TheHacker 6.3.0.3.046 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.16 -
VBA32 3.12.8.3 2008.08.15 -
ViRobot 2008.8.16.1338 2008.08.16 -
VirusBuster 4.5.11.0 2008.08.16 -
Webwasher-Gateway 6.6.2 2008.08.17 -

Additional information
File size: 123904 bytes
MD5…: 978e985fc9f6e206fe9622ba42dc3d56
SHA1..: a8b20d587d62e34865814053c8f87574e1ffe790
SHA256: a53458279fa483236a453d7abdc718de69c361198f09a74a9a1b44d259f573ad
SHA512: 392bd1b0fe6b93a7df153e0faf25e0dd0ac68b38bae642a8061e459b2942d26a
d168fcb8ddf6d5d3e09437d539f476aab5809a2745f617ff7b6ee30e23e22e4a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401210
timedatestamp…..: 0x45beb2d0 (Tue Jan 30 02:52:00 2007)
machinetype…….: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57af 0x5800 5.19 922e2eb51ad64e063aa3d5aa5876de09
.data 0x7000 0x11557 0x11600 7.59 49b48fe56d5a4dcb86a792659875b88a
.tls 0x19000 0xdd 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x1a000 0x18 0x200 0.23 735b48446022cb7f0d9c4163b238a9be
.idata 0x1b000 0x5a0 0x600 3.29 97c93ffb47f18bb84d88652306581d5e
.rsrc 0x1c000 0xf4a3 0x6600 5.76 0d0781c1bba73476a7428d3a1667a138

( 2 imports )
> KERNEL32.DLL: CreateProcessA, GetCommandLineA, DeleteAtom, GetFileSize, GetCPInfo, GetComputerNameA, ReadConsoleA, Sleep, WriteFile, OpenFile, GlobalFree, GetFileTime, DeleteFileW, ExitThread, FindFirstFileA, GetConsoleMode, DeleteFileA, SetLastError, OpenFileMappingA, FindAtomA, ReadFile, GetLastError
> USER32.DLL: LoadCursorA, GetCursor, DrawIconEx, CreateIcon, GetFocus, DialogBoxParamW, CopyRect, InsertMenuA, GetWindowTextA, DrawIcon

After execution, the sample exhibits the following behaviors:

[Added process]
C:\Program Files\AV9\av2009.exe

[Modified service]
NAME: srservice
DISPLAY: System Restore Service (Turn off system restore service)
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe-1 -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Desktop\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\_freescan[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\winsystem[2].dll
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
C:\Program Files\AV9\av2009.exe
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc11.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\scui.cpl
C:\WINDOWS\system32\winsrc.dll

[Added COM/BHO]
{037C7B8A-151A-49E6-BAED-CC05FCB50328}-C:\WINDOWS\system32\winsrc.dll

[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
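The behavior list above is the basis for a host check. The following is an added example (not part of the original post) that turns those artifacts into detection logic run over a host snapshot; the snapshot layout, the function names and the numeric-value-name heuristic are this example's own assumptions, and the sample snapshot is constructed inline so it runs anywhere.

```python
# Indicators copied from the behaviour list above; the rest is this example's own.
IOC_FILES = {
    r"C:\Program Files\AV9\av2009.exe",
    r"C:\WINDOWS\system32\ieupdates.exe",
    r"C:\WINDOWS\system32\scui.cpl",
    r"C:\WINDOWS\system32\winsrc.dll",
}
IOC_BHO_CLSID = "{037C7B8A-151A-49E6-BAED-CC05FCB50328}"
IOC_RUN_TARGETS = {r"C:\Program Files\AV9\av2009.exe",
                   r"C:\WINDOWS\system32\ieupdates.exe"}

def scan(snapshot):
    """Return one finding per matched indicator or heuristic.
    snapshot = {"files": [path, ...],
                "run": [(hive, value_name, data), ...],   # ...\CurrentVersion\Run
                "bho": [(clsid, dll_path), ...],          # Browser Helper Objects
                "services": {name: status, ...}}"""
    findings = []
    for path in snapshot.get("files", []):
        if path in IOC_FILES:
            findings.append(f"file: {path}")
    for hive, name, data in snapshot.get("run", []):
        target = data.strip('"')          # the ieupdate value is stored quoted
        if target in IOC_RUN_TARGETS:
            findings.append(f"run-key: {hive}\\...\\Run\\{name} -> {target}")
        elif name.isdigit() and len(name) >= 16:
            # Heuristic: the dropper used a 32-digit numeric value name (rare for legit software).
            findings.append(f"run-key heuristic: numeric value name {name}")
    for clsid, dll in snapshot.get("bho", []):
        if clsid.upper() == IOC_BHO_CLSID:
            findings.append(f"bho: {clsid} -> {dll}")
    if snapshot.get("services", {}).get("srservice") == "SERVICE_STOPPED":
        findings.append("service: System Restore (srservice) stopped")
    return findings

# Constructed snapshot: the post's artifacts plus a couple of benign entries.
SAMPLE = {
    "files": [r"C:\Program Files\AV9\av2009.exe", r"C:\WINDOWS\system32\winsrc.dll",
              r"C:\WINDOWS\system32\notepad.exe"],
    "run": [("HKCU", "67760428610125642112784689834240", r"C:\Program Files\AV9\av2009.exe"),
            ("HKCU", "ieupdate", r'"C:\WINDOWS\system32\ieupdates.exe"'),
            ("HKCU", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")],
    "bho": [("{037C7B8A-151A-49E6-BAED-CC05FCB50328}", r"C:\WINDOWS\system32\winsrc.dll")],
    "services": {"srservice": "SERVICE_STOPPED"},
}

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

On a live Windows host the snapshot would be filled from the Run keys, the BHO registrations and the file system rather than from the constructed dict.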

27 comments:

Anonymous said...

Nice work, good to see the breakdown like this.

Anonymous said...

Excellent description.

My father has this on his PC, how should he go about removing it?

Roger Chiu said...

According to "After executed, it has the following behaviors", use Process Explorer (www.sysinternals.com) or GMER (http://www.gmer.net/gmer.zip) to remove related files, registries, processes etc.

halojones-fan said...

I'm just a little confused, here. If I get that first faux-dialog pop-up, does that mean I already have this virus? Or does it just mean that I'll get it if I click "OK"?

Roger Chiu said...

When you see the faux-dialog pop-up, some components have already been installed into your system; you can check step by step according to "after executed, it has the following behaviors".

Anonymous said...

What's so funny about these fake antivirus products is the distinct lack of branding - who'd call their antivirus "XP 2009"? Thankfully for us they haven't bothered to use any real trademarks such as "Norton Antivirus" yet on their products....
