Pak Hack Attack: Pastebin Reveals Attacks

Websense® researchers monitor sites like Pastebin, Facebook, Twitter, Blogspot and others to keep our finger on the pulse of hacking and other malicious activities. Pastebin, in particular, has become a popular place for hackers to show off their latest exploits. 

Our researchers recently observed a significant increase in malicious links posted to Pastebin:

On Tuesday, November 20, we detected a spike in compromised URLs posted to the site. A Pastebin user named “PCA-Master” was responsible for posting 572 of these compromised URLs.

Each compromised URL showed a similar pattern:

These hosts were defaced with images like this:

In all cases, Websense customers were protected by the real-time analytics offered by Websense solutions.

According to its FAQ, “Pastebin.com is a website where you can store text for a certain period of time. The website is mainly used by programmers to store pieces of source code or configuration information, but anyone is more than welcome to paste any type of text.”

Despite its Acceptable Use Policy that specifically prohibits posting email lists, login details, password lists and personal information (among other items), all of these are routinely posted to Pastebin.

The “Pakistan Cyber Army” has been around for some time and regularly compromises large numbers of hosts in various countries, including many Indian websites, especially government sites. According to the Pakistan Cyber Army site:

“Pakistan Cyber Army is not a hacking or cracking group or anything illegal to be, Pakistan Cyber Army is a symbol of all the Pakistani Security Experts who wanted to safeguard Pakistan Cyber Space from hacking attacks […] We mastered it and now we are here to announce that we are no longer blackhats, there was a time when we used to be but only for our country safeguard and our nation pride.”

Pakistan Cyber Army images have recently plastered sites in many countries. According to HackRead, a website with news about hacking, most of the affected sites belonged to “small and local businesses, such as banks, chemical factories, TV channels, online gaming and automotive industry etc.”

While hackers pose a serious problem for many organizations, on a lighter note, students from HaBetzefer, an Israeli school of advertising and art, and ad agency McCann Digital Israel have produced a campaign called “If you can’t fight them, redesign them” to combat the plague of what students are calling “uninspired designs each time: black background, grotesque low-res images and unbearable amounts of text.” One of the traits associated with hackers is their lack of style, as evidenced by the Pakistan Cyber Army’s hack page.

The students sent cheerful redesigned hack pages back to hacker groups with the friendly message, “We would like to end all cyberwars, but in the meantime — if you must hack our sites, at least leave something beautiful.” So far, none of the hackers has taken them up on the offer, but it’s clearly their loss:

Album release

“Lost In Translation” will be released in major digital distribution channels today. Some services may have a slight delay, and the actual publish date may vary depending on service. iTunes and Amazon are already distributing. The album can also be purchased at our artist aggregator, CDbaby.  

Malicious Email MMS Targets Mobile Phone Users

The Websense® ThreatSeeker® Network has detected a malicious spam campaign that tries to exploit customers of major mobile phone companies. Specifically, late last week we detected thousands of emails claiming that the recipient had received MMS content; the messages were localized to Australian and German carriers:

Because mobile phone use is an everyday activity, users could be tricked into opening and running attachments, especially those that appear to come from their carriers. Once the malware is launched, it connects to a list of remote servers to download more malicious binaries. What is interesting about these samples is that they are heavily encrypted and have many anti-debug tricks. Unlike other malware, this sample deploys several decryption phases before finally executing its malicious function. Even more interesting, it implements all its tricks, like decryption and patching, only in memory. 

The decryption process includes three phases. In the first phase, the malware copies itself as “C:\Documents and Settings\All Users\svchost.exe”, and registers itself as autorun by creating a Registry Key. As a result, when Windows boots up, the malware starts automatically. In one example:

Process (PID): Telstra-picture:656
Image written: “C:\Documents and Settings\All Users\svchost.exe”
Autorun value: Run\SunJavaUpdateSched
Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched

The malware then decrypts itself and rewrites its own memory image. This way, the malware does not need to create a new PE file on the disk, and what was the original malware becomes an entirely different program in memory, down to the PE header and code entry point, which leads us to the next phase. The phase two file is encrypted too, and implements many anti-debug tricks.

Taking a dive into the anti-debug measures that modern malware uses, we see that this one enumerates all running processes on the system and looks for “VmwareService.exe”, “VmwareUser.exe”, “wireshark.exe”, and other monitoring or antivirus processes. It does not use plain-text strings to match the process names. Instead, it runs each process name through a custom hash algorithm and compares the resulting hex value, the same technique shellcode commonly uses to locate the APIs it needs without embedding their names.

This sample also queries the registry value “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\disk\enum”, reads the local disk's device name, and checks whether characters 8 through 12 of that name contain “awmw”, “xobv” or “umeq”. In other words, the malware checks whether it is running under VMware, VirtualBox or QEMU (an open source processor emulator). If it is, the malware stops infecting the computer. Notice the malware author's typo in “awmw”; it should be “awmv”.
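
The disk-enum check above, as an added example that is not from the Websense analysis: the reported strings read as reversed vendor names (“awmv” is “vmwa” backwards, “xobv” is “vbox”, “umeq” is “qemu”), which is how a 4-byte compare against a C multi-character constant appears in a disassembler. The code assumes that interpretation and uses constructed disk enum values to show that the typo makes the VMware check silently fail while the VirtualBox and QEMU checks still fire.

```python
from typing import Dict, Optional


def multichar(const: str) -> int:
    """Value of a C multi-character constant such as 'awmv'.

    The compiler packs the characters big-endian, so the first character
    lands in the most significant byte: 'awmv' == 0x61776D76.
    """
    return int.from_bytes(const.encode("ascii"), "big")


# The three constants exactly as the write-up reports them, typo included.
AS_WRITTEN: Dict[str, int] = {
    "vmware": multichar("awmw"),      # the typo: should be 'awmv'
    "virtualbox": multichar("xobv"),
    "qemu": multichar("umeq"),
}
# The same table with the VMware constant the author evidently intended.
AS_INTENDED: Dict[str, int] = dict(AS_WRITTEN, vmware=multichar("awmv"))


def vendor_from_disk_enum(enum_value: str, constants: Dict[str, int]) -> Optional[str]:
    """Apply the malware's check: lowercase characters 8..11 of the disk enum
    string and compare them, read as a little-endian DWORD, with each constant."""
    tag = enum_value[8:12].lower().encode("ascii", "replace")
    if len(tag) < 4:
        return None
    dword = int.from_bytes(tag, "little")   # "vmwa" in memory reads as 0x61776D76
    for vendor, const in constants.items():
        if dword == const:
            return vendor
    return None


# Constructed samples in the shape Windows uses for services\disk\enum values.
SAMPLES = {
    "vmware":     r"IDE\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\3030303030303030303030303030303030303130",
    "virtualbox": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1e7d4f5a&0&0.0.0",
    "qemu":       r"IDE\DiskQEMU_HARDDISK___________________________1.0_____\5&1e7d4f5a&0&0.1.0",
    "physical":   r"IDE\DiskWDC_WD5000AAKX-00ERMA0__________________15.01H15\5&2a9c6e42&0&0.0.0",
}


def compare() -> Dict[str, tuple]:
    """Per sample: (vendor seen with the typo'd table, vendor seen with the intended table)."""
    return {name: (vendor_from_disk_enum(v, AS_WRITTEN), vendor_from_disk_enum(v, AS_INTENDED))
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (written, intended) in compare().items():
        print(f"{name:11} as written: {written}  intended: {intended}")
```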

After carefully checking its environment, the malware continues to the next phase of decrypting itself. Instead of modifying the Windows Update Agent service “wuauclt.exe” file on the disk, or trying to find the process memory of “wuauclt.exe” and inject malicious code into it, the malware maps an image of “wuauclt.exe” into memory using the “Section” kernel object. It then injects all the malicious code into the memory page, and finally executes “wuauclt.exe”. 

Because the malware does not modify the Windows Update Agent on the hard disk and instead patches the process in memory using the “Section” kernel object, some monitors that hook APIs like “OpenFile” or “CreateFile” fail to catch this injection. Also, because the malware does not call “WriteProcessMemory”, it is hard for AV monitors to catch this memory injection.

This patched “wuauclt.exe” with the push-return above performs the real malicious function. It connects to several remote servers and downloads extra malicious binaries from some of them. Some of the website servers it connects to and many of the URLs are hosted at the same IP address:

It downloads malicious binaries from these remote servers:

During our analysis, some of the remote servers were still available, and the malicious binary files were still downloadable. Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine) in multiple stages: from the very first arrival of the malicious emails to all the “phone home” C&C URLs and malicious binaries.

Don’t miss our Websense® 2013 Security Predictions to read about this prediction, among others: Cybercriminals will become more “virtually aware” and find modern bypass methods to avoid detection.