Archive for May, 2010

Just another MSN’s fake address

May 30, 2010

Hi all

Here is another fake address I discovered in the last few days. It belongs to the same family as the one in my first post on this subject.

The address today is: NikiaPortisienrh@hotmail.com

The behaviour is the same as that of the contacts analysed previously. Let's look at a chat session:

As you can see, after a couple of messages, and once the victim has accepted an invite, the contact invites the victim to visit an address to see the pseudo-girlfriend on cam. The link sent by the fake account is: http://shortlinks.co.uk/1mc3
This link redirects the victim to the main URL where the fraud takes place: http://www.webcamcrush.com/StephiesAss20. The same URL also appears in the contact's Personal Message.

As you can see, the page is the same one used by the other fake accounts in the previous analysis, as expected. Here is a screenshot:

To the right there is a form to chat with the girl. Typing "Hi!" immediately produces an error that says: Error: You must complete age verification process to communicate with this member. Click here to verify your age!

The "Click here to verify your age!" link is a fake age check; its real purpose is to get the victim to accept the invite. In fact, clicking it redirects to this page:

Scroll down and you see a classic registration form, which asks for Name, Surname, E-Mail, etc.

Here is the screenshot showing the credit fraud:

So friends, that's all! Block and delete this address and similar ones!

See you in the next post. Bye. =)

A brief analysis about Trojan.Banker.Delf.ZLR

May 22, 2010

Hi to all!

Today I will speak very briefly about a new threat that targets banks, specifically the Brazilian bank Bradesco [hxxp://www.bradesco.com.br/].

Some info about the Bradesco Bank:

Type: Public (BM&F Bovespa: BBDC3 / BBDC4; NYSE: BBD; BMAD: XXBDC)
Industry: Finance and Insurance
Founded: 1943
Headquarters: Osasco, Brazil
Key people: Luiz Carlos Trabuco Cappi (CEO); Lázaro de Mello Brandão (Chairman of the Board of Directors); Antônio Bornia (Vice-Chairman of the Board of Directors)
Products: Banking
Revenue: ▲ US$ 36.1 billion (2009)
Net income: ▲ US$ 4.5 billion (2009)
Total assets: ▲ US$ 299.0 billion (2010)
Employees: 85,577

The banking Trojan in question is called, according to the antivirus vendors' nomenclature, Trojan.Banker.Delf.ZLR.

Before I start talking about what the malware does, I will give some general information about the target, such as the layout of the PE file, any packer/compressor/cryptor used, etc.

At the time of writing, the threat is detected by 15/41 AV engines according to VirusTotal.

Hash MD5: fc3f089f7d64eb4dcc7113c5add3bda7

Hash SHA-1: ae521a311bde3667d7bcb74460b4a6e92a8cd2c8

Imports:

advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
oleaut32.dll
user32.dll
version.dll

Sections:

UPX0
UPX1
.rsrc

There is also a TLS directory. Anyone who wants to analyse this malware in more depth with a debugger like OllyDbg must configure the debugger to break before the TLS callback; otherwise, whatever the malware does in that callback runs before the debugger reaches the OEP.

It is easy to see that the file is packed with the very common free compressor UPX, so let's decompress it. I did it with the splendid Ntoskrnl Explorer Suite, which also includes a UPX utility for this purpose.
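As an added example (not code from the original post), here is a small Python triage script that reads the PE headers directly, the way a PE scanner would: it lists the section names, flags the UPX0/UPX1 layout seen above, and reports whether the optional header's data directory carries a TLS entry, which is the case the OllyDbg warning is about. The `build_sample_pe` helper is an assumption used only to construct a headers-only test image in memory; it is not the real Trojan.

```python
import struct

TLS_DIR_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS in the optional header's data directory

def triage_pe(data: bytes) -> dict:
    """Read the PE headers and report section names, UPX packing and a TLS directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits at +92 in a PE32 optional header and at +108 in PE32+
    if magic == 0x10B:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    tls_present = False
    if struct.unpack_from("<I", data, count_off)[0] > TLS_DIR_INDEX:
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * TLS_DIR_INDEX)
        tls_present = rva != 0 and size != 0  # a zeroed entry means no TLS callbacks
    table = opt + opt_size  # the section table follows the optional header
    names = [struct.unpack_from("8s", data, table + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    return {"sections": names,
            "upx": any(n.startswith("UPX") for n in names),
            "tls_directory": tls_present}

def build_sample_pe(section_names, tls: bool) -> bytes:
    """Constructed headers-only PE32 image for testing (an assumption, not a real binary)."""
    opt_size = 96 + 16 * 8  # PE32 optional header with the usual 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    dirs = [(0, 0)] * 16
    if tls:
        dirs[TLS_DIR_INDEX] = (0x3000, 0x18)  # arbitrary non-zero RVA and size
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    print(triage_pe(build_sample_pe(["UPX0", "UPX1", ".rsrc"], tls=True)))
```

On a real file, pass `open(path, "rb").read()` to `triage_pe`; a result with `upx` and `tls_directory` both true is exactly the combination that calls for unpacking first and a TLS-aware debugger setup.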

Right after decompressing the file, analysing it with a PE scanner such as PEiD or RDG Packer Detector shows that it is written in Delphi. This is information that is very helpful in most cases, though not for this specific sample. In malware analysis, the more information we can gather about the target, the easier it is to analyse it.

As I already said, this malware is one of the classic kind that tries to steal the bank account credentials of its unfortunate victims. That's why they are called banking Trojans ;). Trojan.Banker.Delf.ZLR essentially does nothing special: basically, it is a fake program created specifically to make you believe you need it to perform banking transactions directly from your PC.

It consists of a classic form with 3 edit fields for entering your bank account details and a way to "simulate" the installation of this fake account management program. Let's see how it is made:

Once the victim has entered the bank account details and clicked "Instalar", notice that the download of a DLL is simulated. I say simulated because it does not actually download any DLL: running Wireshark while performing these steps shows no GET request to any site, and searching the system for the name ib2k1.dll finds nothing. All this is done only to make the installation process look more convincing.

After the simulated DLL download, we get the form for entering the account credentials: the account holder, password and secret word. These are then sent to the site of whoever created the fake program, in order to steal them.
Among the strings contained in the file I found two particularly interesting things, a URL and a sentence, respectively:

http://firefoxxx.t35.com/Dario.envio.desco.php

Bradesco by D4RiO

From this we understand that whoever created the software is called Dario, and that the URL it contacts is: http://firefoxxx.t35.com/Dario.envio.desco.php

Here is a screenshot:

Then we come to the credit card holder form. Here the victim must enter the last three digits of the credit card number and press Confirm, which sends everything the program has collected to the URL mentioned above.

That's all for this time, guys. See you at the next post. =)