Sunday, August 10, 2008

Fake "CNN Alerts: My Custom Alert"

After the fake "CNN.com Daily Top 10" video, another fake "CNN Alerts: My Custom Alert" email has appeared recently. Clicking the link downloads "adobe_flash.exe", which is identified as TR/Crypt.XPACK.Gen.

Fake "CNN Alerts: My Custom Alert" email as below:



Fake "CNN Alerts: My Custom Alert" email header as below:



After clicking the links in the email, the following page is displayed:




The page behind the above link contains a malicious script, as below:



==The following focuses on Web Reputation Service Testing==

Google Search can find it as below:



McAfee SiteAdvisor finds nothing as below:



Trend Micro WRS finds nothing as below:



Finjan URL analysis finds nothing as below (it regards the URL as legitimate):



Dr.Web URL analysis finds nothing as below:



Symantec Safe Web finds nothing as below:



==The following focuses on AV Scanner Testing==

The following test result is from VirusTotal (detection rate 14/36 (38.89%)):

File adobe_flash.exe1109.safe received on 08.09.2008 17:23:24 (CET)

Engine / Version / Signature date / Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.08 I-Worm/Nuwar.V
BitDefender 7.2 2008.08.09 Trojan.Downloader.Exchanger.Gen.2
CAT-QuickHeal 9.50 2008.08.08 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 Trojan.DownLoad.3248
eSafe 7.0.17.0 2008.08.07 Suspicious File
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 Trojan-Downloader.Win32.Exchanger.lj
Ikarus T3.1.1.34.0 2008.08.09 Win32.SuspectCrc
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 Trojan-Downloader.Win32.Exchanger.lj
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 Trojan:Win32/Tibs.gen!K
NOD32v2 3341 2008.08.08 a variant of Win32/Agent.ETH
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 Malware Dropper
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 Mal/EncPk-DA
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Crypt.XPACK.Gen

Additional information
File size: 78848 bytes
MD5...: 0e41b670cbccce9051fb8d1188aebd0a
SHA1..: d9a952ef59c5ee30e63b9d3dd781a7477911c866
SHA256: a5528757cd736d7a801443d0d4490b0d6d7c54a09e014afc240c62fd45ddadf6
SHA512: 1654e3b70376b817c9428007d26b34474f081e3082acdcbd3759b136d0dbe4f0a04ba3c8da0d9ee1b84689d3b3f437f9595f3a4c763fed578d67ae201acc6cc4
PEiD..: -

After execution, this malware exhibits the following behaviour:

[Added process]
C:\WINDOWS\System32\CbEvtSvc.exe

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Desktop\adobe_flash.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cnncurrent[1].htm
C:\Documents and Settings\LocalService\Application Data\666410720.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\08scan[1].exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\91226516.sys (Rootkit Behavior)
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\A9.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp
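As an added example (not code from this post), a small Python triage that parses the [Added service] / [Added file] layout used above and flags the three indicators a defender would pull out of this run: a non-svchost binary started with svchost's "-k <group>" argument, an all-digit driver name under drivers\, and an executable dropped inside the LocalService profile. The sample block and the rule names are constructed from the listing above.

```python
from pathlib import PureWindowsPath

# Constructed sample in the post's own [Section] layout, copied from the listing above.
OBSERVATIONS = r"""
[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs
[Added file]
C:\Documents and Settings\LocalService\Application Data\666410720.exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\91226516.sys
C:\WINDOWS\Temp\A9.tmp
"""

def parse_sections(text):
    """Split the [Section] blocks into {section: [lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    """Return (rule, evidence) findings for one sandbox run."""
    s, findings = parse_sections(text), []
    # Rule 1: "-k <group>" is how svchost.exe hosts a service group; a service whose
    # binary is not svchost.exe but uses it is imitating a hosted Windows service.
    for line in s.get("Added service", []):
        if line.startswith("FILE:"):
            cmd = line[5:].strip()
            exe, _, args = cmd.partition(" ")  # assumes no spaces in the binary path
            if "-k" in args.split() and PureWindowsPath(exe).name.lower() != "svchost.exe":
                findings.append(("svchost-style args on non-svchost binary", cmd))
    for path in s.get("Added file", []):
        p = PureWindowsPath(path)
        parts = [x.lower() for x in p.parts]
        # Rule 2: an all-digit kernel driver dropped into drivers\ (flagged as rootkit above).
        if p.suffix.lower() == ".sys" and "drivers" in parts and p.stem.isdigit():
            findings.append(("random-named kernel driver", path))
        # Rule 3: an executable written under a service account's profile.
        if p.suffix.lower() == ".exe" and "localservice" in parts:
            findings.append(("executable dropped in LocalService profile", path))
    return findings
```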

4 comments:

Anonymous said...

http://www.trustedsource.org/en/feedback/query?sid=&p=&q=http%3A%2F%2Fkooler.net.ua%2Fcnncurrent.html

Anonymous said...

Note that you tested VirusTotal with the actual executable file: [adobe_flash.exe] while using just the URL of the HTML page for the other tests above.

Next time better try to be more consistent with your tests to get similar results ... or at least mention the differences, as each solution operates differently.

Roger Chiu said...

Next time I will describe in detail.

In here, I test two functions, one is web reputation service, another is AV scanner.

Google, SiteAdvisor, etc. focus on testing web reputation service, VirusTotal focuses on testing antivirus scanners.

Sometimes many AV scanners cannot detect malicious PE files, but they cannot detect malicious scripts; that is why AV companies started to release web reputation services to block malicious domains.

Custom Papers Writing said...

Many institutions limit access to their online information. Making this information available will be an asset to all.