Latest Alerts

SANS Internet Storm Center, InfoCON: green

YARA Rules For Shellcode, (Mon, Mar 30th)


I had a guest diary entry about my XORSearch tool using shellcode detection rules from Frank Boldewin's OfficeMalScanner. To detect malicious documents, Frank coded rules to detect shellcode and other indicators of executable code inside documents.

I also translated Frank's detection rules to YARA rules. You can find them here; the file is maldoc.yara.

This is an example:

rule maldoc_API_hashing
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
    condition:
        any of them
}

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
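What the two hex strings in that rule actually match is the classic API-hashing loop used by position-independent shellcode: load a byte of an exported function name, rotate the running hash right by 13 (or 7), add the byte, repeat until the NUL, then compare with a wanted hash. The following Python script is an added example, not part of the diary or of maldoc.yara: it decodes the pattern, emulates the hash so you can see what constant the shellcode is looking for, and scans a buffer for both variants. The constructed sample buffer and the assumption that edi starts at zero (real shellcode often seeds it with a module-name hash) are mine.

```python
import struct

# Opcode bytes from the two strings in maldoc_API_hashing:
#   AC          lodsb            ; next byte of the exported name
#   84 C0       test al, al
#   74 07       jz   +7          ; NUL terminator -> jump to the cmp
#   C1 CF xx    ror  edi, xx     ; xx = 0x0D (rule string $a1) or 0x07 ($a2)
#   01 C7       add  edi, eax
#   EB F4       jmp  -12         ; back to lodsb
#   81 FF       cmp  edi, imm32  ; the wanted API hash follows as imm32
LOOP_PREFIX = b"\xAC\x84\xC0\x74\x07\xC1\xCF"
LOOP_SUFFIX = b"\x01\xC7\xEB\xF4\x81\xFF"
ROTATE_COUNTS = (0x0D, 0x07)


def ror32(value, count):
    """32-bit rotate right, as the ROR instruction does."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name, count=0x0D):
    """Emulate the loop: for each byte before the NUL, edi = ror(edi, count) + byte.
    edi starts at 0 here (assumption; real shellcode often seeds it with a module hash)."""
    h = 0
    for b in name:
        if b == 0:
            break
        h = (ror32(h, count) + b) & 0xFFFFFFFF
    return h


def find_api_hash_loops(buf):
    """Return [(offset, rotate_count, expected_hash)] for every loop found in buf.
    expected_hash is the imm32 after 'cmp edi', or None if the buffer ends first."""
    hits = []
    for count in ROTATE_COUNTS:
        pattern = LOOP_PREFIX + bytes([count]) + LOOP_SUFFIX
        start = 0
        while (off := buf.find(pattern, start)) != -1:
            imm_off = off + len(pattern)
            expected = None
            if imm_off + 4 <= len(buf):
                expected = struct.unpack_from("<I", buf, imm_off)[0]
            hits.append((off, count, expected))
            start = off + 1
    return sorted(hits)


# Constructed sample: filler, a ror-13 loop wanting the hash of "LoadLibraryA",
# more filler, then a ror-7 loop cut off before its immediate.
SAMPLE = (b"\x90" * 8
          + LOOP_PREFIX + b"\x0D" + LOOP_SUFFIX + struct.pack("<I", api_hash(b"LoadLibraryA"))
          + b"\x90" * 8
          + LOOP_PREFIX + b"\x07" + LOOP_SUFFIX)

if __name__ == "__main__":
    for off, count, expected in find_api_hash_loops(SAMPLE):
        want = "?" if expected is None else f"0x{expected:08X}"
        print(f"offset {off:#06x}: ror-{count} hash loop, wanted hash {want}")
```

Once you have the imm32, hashing the export names of kernel32.dll and friends with `api_hash` tells you which function the shellcode resolves, which is usually more informative than the YARA hit alone.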

ISC StormCast for Monday, March 30th 2015 http://isc.sans.edu/podcastdetail.html?id=4417, (Sun, Mar 29th)

Sun, 03/29/2015 - 15:35

Malicious XML: Matryoshka Edition, (Sun, Mar 29th)

Sun, 03/29/2015 - 02:23

A couple of days ago I received another malicious document (078409755.doc, MD5 B28EF236D901A96CFEFF9A70562C9155). Unlike the XML file I wrote about before, this one does not contain VBA macros:

But as you can see, it should contain an embedded object. The base64 code found inside the XML object decodes to an OLE file. The single stream present in this OLE file contains zlib-compressed data (identifiable by its first byte, 0x78). Decompressing this zlib stream reveals another OLE file, which in turn contains an embedded OLE object that turns out to be a VBS script:

And the base64 string in this VBS script is an encoded PowerShell command:
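The whole nesting (base64 → OLE → zlib → OLE → VBS → PowerShell) can be peeled automatically. The script below is an added example, not code from the diary or from oledump: it finds the base64 blob, locates zlib streams by their 0x78 header and keeps only those that inflate cleanly, recurses while the result still looks like an OLE file, and finally decodes the PowerShell `-EncodedCommand` argument, which is base64 of UTF-16LE text. The XML element name, the stand-in OLE files (just the compound-file magic plus padding, not real structured storage) and the VBS text are constructed for the example; a real sample needs oledump or olefile to pull the stream out first.

```python
import base64
import re
import zlib

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound document header


def find_zlib_streams(data):
    """Yield (offset, inflated bytes) wherever a zlib header (0x78 xx) starts a stream
    that inflates to a clean end-of-stream; stray 0x78 bytes are skipped."""
    for m in re.finditer(rb"\x78[\x01\x5E\x9C\xDA]", data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[m.start():])
        except zlib.error:
            continue
        if d.eof:
            yield m.start(), out


def decode_encoded_command(text):
    """Return the script hidden behind powershell -EncodedCommand / -enc / -e."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", text, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def peel(xml_doc):
    """Unwrap base64 -> OLE -> zlib -> OLE -> VBS -> PowerShell.
    Returns (layer labels in the order seen, recovered PowerShell script or None)."""
    layers, data = [], xml_doc
    # Layer 1: the base64 payload inside the XML element (element name is an assumption)
    m = re.search(rb"<pkg:binaryData>\s*([A-Za-z0-9+/=\s]+?)\s*</pkg:binaryData>", data)
    if m:
        data = base64.b64decode(m.group(1))
        layers.append("base64")
    # Layers 2..n: as long as we hold an OLE file, inflate the zlib stream inside it
    while data.startswith(OLE_MAGIC):
        layers.append("ole")
        streams = list(find_zlib_streams(data))
        if not streams:
            break
        data = streams[0][1]
        layers.append("zlib")
    text = data.decode("latin-1")
    if re.search(r"CreateObject\(", text):
        layers.append("vbs")
    script = decode_encoded_command(text)
    if script is not None:
        layers.append("powershell")
    return layers, script


# Constructed sample, built inside-out; nothing here is from the real 078409755.doc.
PS_SCRIPT = "Write-Host 'constructed sample'"
ENC = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode()
VBS = ('Set sh = CreateObject("WScript.Shell")\r\n'
       'sh.Run "powershell -nop -w hidden -enc ' + ENC + '", 0, False\r\n').encode()
INNER_OLE = OLE_MAGIC + b"\x00" * 24 + VBS                        # stand-in inner OLE file
OUTER_OLE = OLE_MAGIC + b"\x00" * 24 + zlib.compress(INNER_OLE)   # its one stream is zlib data
SAMPLE_XML = (b'<?xml version="1.0"?><pkg:package><pkg:part><pkg:binaryData>'
              + base64.b64encode(OUTER_OLE) + b"</pkg:binaryData></pkg:part></pkg:package>")

if __name__ == "__main__":
    layers, script = peel(SAMPLE_XML)
    print(" -> ".join(layers))
    print(script)
```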

If you are interested to see how you can analyze this sample with oledump, you can take a look at this video I produced.


Friday Digest - 27 MAR 2015, (Fri, Mar 27th)

Fri, 03/27/2015 - 16:59

JS Malware uptick

We've been seeing an uptick in JS malware (TrojanDownloader:JS/Nemucod.K) loosely disguised as .doc files. The JavaScript is reasonably obfuscated but, if executed, does result in a trojaned system. Payloads have been delivered as resumes, invoices, or shipping notices. You'll note payloads given nomenclature such as payload.doc.js.
Feel free to let us know if you've noticed similar, and send along samples via the diary submittal form for comparison (best submitted as a password-protected zip).

VirusTotal sample data:
1081e3e1ef855b011eaadfeea5f9e9c1
3a155fd510f16efc4104022e228de88d

Security Weekly

I was interviewed for Episode 411 of Paul Asadoorian's Security Weekly. While I often had to speak in sadly generic and vague terms, a few key takeaways popped out in the conversation.
We all largely agreed that the best tooling and datasets mean nothing when protecting organizations without applied context.
Consider the fact that one of the best ways for a security team to properly design and implement tooling and monitoring is to leverage the network architect to better understand design and layout. This allows goals to be established. Rather than a mission based on implementing a tool, the mission should be goal-based: what are you trying to protect, not what are you trying to install? The premise of operational threat modeling really factors in here too. The practice can help prioritize areas of importance (avoid boiling the ocean) and allow better goal determination.
Great talking with Paul and team, I appreciate the opportunity.

On a related note, check out Episode 409 with Keren Elazari, go watch her TED talk, then get a copy of this month's Scientific American, which includes her article, How To Survive Cyberwar.

Book offering

Wiley is offering a free download (for a limited time) of The Database Hacker

GitHub DDoS

GitHub has been under a brutal DDoS attack for 24 hours +.
https://github.com/blog/1981-large-scale-ddos-attack-on-github-com
Keep an eye on https://twitter.com/githubstatus for updates.

Doh!

Overheard by a pentester after a recent

@holisticinfosec


ISC StormCast for Friday, March 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4415, (Fri, Mar 27th)

Thu, 03/26/2015 - 19:01

ISC StormCast for Thursday, March 26th 2015 http://isc.sans.edu/podcastdetail.html?id=4413, (Thu, Mar 26th)

Wed, 03/25/2015 - 19:16

Pin-up on your Smartphone!, (Thu, Mar 26th)

Wed, 03/25/2015 - 16:59

Yeah, okay, I admit that headline is cheap click bait. Originally, it said Certificate Pinning on Smartphones. If you are more interested in pin-ups on your smartphone, I fear you'll have to look elsewhere :).

Recently, an email provider that I use changed their Internet-facing services completely. I hadn't seen any announcement that this would happen, and the provider likely thought that since the change was transparent to the customer, no announcement was needed. But I'm probably a tad more paranoid than their normal customers, and am watching what my home WiFi/DSL is talking to on the Internet. On that day, some device in my home started speaking IMAPS with an IP address block that I had never seen before. Before I even checked which device it was, I pulled a quick traffic capture to look at the SSL certificate exchange, where I did recognize the domain name, but not the Certificate Authority. Turns out, as part of the change, the provider had also changed their SSL certificates, including even the certificate issuer (CA).

And my mobile phone, which happened to be the device doing the talking? It hadn't even blinked! It had happily synchronized my mail, and sent my IMAP login information across this session, all day long.

Since I travel often, and am potentially using my phone in less-than-honest locations and nations, it is quite evident that this setup is pretty exposed to a man in the middle attack (MitM). Ironically, the problem would be almost trivial to solve in software: all that is needed is to store the fingerprint of the server certificate locally on the phone, and to stop and warn the user whenever that fingerprint changes. This approach is called certificate pinning or key continuity, and OWASP has a great write-up that explains how it works.

Problem is .. this is only marginally supported in most implementations, and what little support there is, is often limited to HTTPS (web). In other words, all those billions of smart phones which happily latch onto whatever known WiFi or mobile signal is to be had nearby, will just as happily connect to what they think is their mail server, and provide the credentials. And whoever ends up with these credentials, will have access for a while .. or when was the last time YOU changed your IMAP password?

If you wonder how this differs from any other man in the middle (MitM) attack ... well, with a MitM in the web browser, the user is actively involved in the connection, and at least stands *some* chance to detect what is going on. With the mobile phone polling for email though, this happens both automatically and very frequently, so even with the phone in the pocket, and a MitM that is only active for five minutes, a breach can occur. And with the pretty much monthly news that some trusted certificate authority mistakenly issued a certificate for someone else's service, well, my mobile phone's childishly naïve readiness to talk to strangers definitely isn't good news.

While certificate pinning would not completely eliminate this risk, it certainly would remove the most likely attack scenarios. Some smart phones have add-on apps that promise to help with pinning, but in my opinion, the option to pin the certificate on email send/receive is a feature that should come as a standard part of the native email clients on all smartphones. Which we probably should be calling Dumbphones or Naïvephones, until they actually do provide this functionality.
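The key-continuity check described above is small enough to show in full. The script below is an added Python example, not from the diary or from any mail client: it opens a TLS session to the IMAPS port, hashes the DER certificate the server presents, and compares that fingerprint with the one remembered from first sight, warning on any change. The hostname and the pin-file location are placeholders; `fetch_fingerprint` needs the network and is not part of the offline check, which exercises only the pinning logic with constructed byte strings standing in for certificates.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint_der(der_cert):
    """SHA-256 over the DER certificate, rendered like openssl x509 -fingerprint."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_fingerprint(host, port=993, timeout=10):
    """TLS-connect to an IMAPS server and return the leaf certificate's fingerprint.
    The default context still validates chain and hostname, so a certificate that some
    trusted CA mis-issued for this name passes here; catching that is the pin's job."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def check_pin(pins, host, fingerprint):
    """Key continuity: remember the fingerprint on first sight, accept a match, alert on change.
    Returns "pinned", "ok" or "mismatch"; the store is never overwritten automatically."""
    known = pins.get(host)
    if known is None:
        pins[host] = fingerprint
        return "pinned"
    return "ok" if known == fingerprint else "mismatch"


def load_pins(path):
    path = Path(path)
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path, pins):
    Path(path).write_text(json.dumps(pins, indent=2, sort_keys=True))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.net"   # placeholder host
    pin_file = Path.home() / ".imaps-pins.json"                        # placeholder location
    pins = load_pins(pin_file)
    fp = fetch_fingerprint(host)
    verdict = check_pin(pins, host, fp)
    save_pins(pin_file, pins)
    print(f"{host}: {verdict} {fp}")
    if verdict == "mismatch":
        print(f"  pinned: {pins[host]}\n  do not send credentials until this is explained")
        sys.exit(2)
```

Pinning the leaf certificate means a legitimate renewal, like the provider change in the story, also produces a mismatch. That is the intended behaviour: the point is to stop and ask, and only a human decision (delete the stored pin) should re-pin. Pinning the public key or the issuing CA instead would survive routine renewals but would not have flagged this provider's switch of CA.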

If your smartphone has native certificate pinning support on IMAP/POP/SMTP with any provider (not just Chrome/GMail), or you managed to configure it in a way that it does, please share in the comments below.


Nmap/Google Summer of Code, (Wed, Mar 25th)

Wed, 03/25/2015 - 08:06

The Nmap security scanner project is participating in Google Summer of Code again, for the 11th time. We often get queries from students on how they can get into this field, and this is an excellent way to get experience while using your powers for good.

Details are available here: http://nmap.org/soc/


F-Secure: FSC-2015-2: PATH TRAVERSAL VULNERABILITY, (Wed, Mar 25th)

Wed, 03/25/2015 - 07:20

F-Secure has announced a security vulnerability affecting their corporate and consumer protection products. The details are available here: https://www.f-secure.com/en/web/labs_global/fsc-2015-2


PHP 5.5.23 is available, (Wed, Mar 25th)

Wed, 03/25/2015 - 06:55

From the fine folks at php.net:

The PHP development team announces the immediate availability of PHP 5.5.23. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.5 users are encouraged to upgrade to this version.


ISC StormCast for Wednesday, March 25th 2015 http://isc.sans.edu/podcastdetail.html?id=4411, (Wed, Mar 25th)

Tue, 03/24/2015 - 19:19

Repurposing Logs, (Tue, Mar 24th)

Tue, 03/24/2015 - 08:11

Keeping an eye on your logs is critical (really, it's number 14 on the SANS Critical Security Controls list: https://www.sans.org/critical-security-controls/control/14 ). Earlier, Rob VandenBrink shared some techniques to find nuggets hiding in your logs (https://isc.sans.edu/forums/diary/Syslog+Skeet+Shooting+Targetting+Real+Problems+in+Event+Logs/19449/ ). Today I'm going to share some tricks to squeeze every last bit out of your logs by repurposing them. I mean repurposing log files, not this: https://www.pinterest.com/dawnreneedavis/repurposed-logs/ .

Logs are given their original purpose when programs determine when and how they're going to record a log entry. Today I want to discuss unintended value: how to get more out of your logs than the programmers intended, or how to recover value that is easily overlooked.

Let's start with an example. Suppose you work in a large, siloed environment and you don't have access to the logs from every group. You're in a security or investigative function, and have access to the AV logs. The obvious use of the logs is to record the alerts generated by the endpoints, or to find machines that aren't updating signatures properly or have detection engines that are out of date. A bit that you might be overlooking is the value of the check-in message itself. I've found it very useful to keep the check-ins for a long period of time, which gives you a history of what IP and what user was logged into a machine when it regularly checks in. It doesn't have the resolution and accuracy that you would get from your AD authentication logs or your DHCP logs, but you might not have easy access to those. This small investment in disk space, or a simple database, can give you quick snapshot views of machine and user mobility. You can easily see if this desktop consistently has this IP, or if this laptop moves around through your campus. You can get the same feel for your user accounts too, without having to invasively dig through badge access logs.

This is the first technique I want to share: extract a daily event out of your logs and store it over time. This creates an additional product that keeping a rolling history of logs can't provide.

Now consider what hidden and unexpected information might be hiding in your web proxy logs. Take a look at the W3C standard fields. If you reduce the displayed fields down to just timestamp, c-ip, r-host, and r-ip, you've got yourself a quick passive-DNS feed. Granted, it's just looking at web traffic, but a good chunk of your network mischief is traveling through that channel at least once.

Trick number two: look for unexpectedly-useful combinations of columns in your log entries.

On to number three: data reduction and indexing. Logs are big, and logs are noisy. While I recommend that you keep the raw logs for as long as you can, I understand that isn't always possible and that you have to make tough choices on what you store and for how long. One way to squeeze more time out of your logs is to reduce the number of columns that you keep for your archives. Using the web proxy logs as an example, you might not be able to keep every log entry for 24 months, but keeping just the c-ip, r-host and r-ip columns can be very helpful when you're looking back through an old, undiscovered compromise or are dealing with an information request like "has any system on your network interacted with one of these IPs?"

Years ago I would have recommended further daily reduction and indexing of these files, but these days you probably have a Splunk instance or an ELK stack (https://digital-forensics.sans.org/summit-archives/dfirprague14/Finding_the_Needle_in_the_Haystack_with_FLK_Christophe_Vandeplas.pdf) and you just dump logs in there and hope that magic happens. There's still value in examining and repurposing logs in these days of map-reduce: the reduced files that you create from the logs are easy to drop into your Hadoop cluster and build a Hive table out of.

So, let's tie this all together. You've received your list of IPs from your intelligence vendor and you're tasked with finding any activity on your network over the past 2 years. In your web proxy index you see that you had a hit 8 months ago. Now you've got an IP and a date: what machine had that IP then? Now you search through your AV check-in data and get a machine name. But the AV check-in logs are daily, not logged by the minute, so you search around for the IP history of that machine in the AV logs and hopefully you see it consistently checking in from that IP and not moving around a lot. If you're not so lucky, well, it's time to open up request tickets to hopefully get at the DHCP logs from back then.
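The three techniques and the closing hunt, carried through on a handful of log lines, as an added Python example (not code from the diary). The proxy lines use the diary's field set (timestamp, c-ip, r-host, r-ip) in a W3C-style layout and the AV check-in lines are one record per machine per day; all hostnames, users, machine names and addresses are constructed for the example. The same functions work on real exports once the field positions match.

```python
from collections import defaultdict

# Constructed sample proxy log: date time c-ip r-host r-ip (not real traffic)
PROXY_LOG = """\
#Fields: date time c-ip r-host r-ip
2014-07-14 09:12:01 10.1.4.22 www.example.net 93.184.216.34
2014-07-14 09:12:03 10.1.4.22 cdn.example.net 93.184.216.35
2014-07-14 11:40:17 10.1.9.8 bad-update.example.org 198.51.100.23
2014-07-15 08:02:55 10.1.4.22 www.example.net 93.184.216.34
"""

# Constructed daily AV check-in extract: date machine user c-ip
AV_CHECKINS = """\
2014-07-13 LAPTOP-0412 jdoe 10.1.9.8
2014-07-14 LAPTOP-0412 jdoe 10.1.9.8
2014-07-15 LAPTOP-0412 jdoe 10.1.22.5
2014-07-14 DESK-1187 msmith 10.1.4.22
"""


def reduce_proxy(log_text):
    """Technique 3: keep only date, c-ip, r-host, r-ip and drop duplicate rows.
    This is the column-reduced archive you can afford to keep for 24 months."""
    rows = set()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, _time, c_ip, r_host, r_ip = line.split()
        rows.add((date, c_ip, r_host, r_ip))
    return sorted(rows)


def passive_dns(reduced):
    """Technique 2: (r-host, r-ip) pairs with first/last seen, a passive-DNS view of web traffic."""
    seen = {}
    for date, _c_ip, r_host, r_ip in reduced:
        first, last = seen.get((r_host, r_ip), (date, date))
        seen[(r_host, r_ip)] = (min(first, date), max(last, date))
    return seen


def checkin_history(text):
    """Technique 1: the daily check-in event, indexed by internal IP and kept indefinitely."""
    history = defaultdict(list)
    for line in text.splitlines():
        if not line:
            continue
        date, machine, user, ip = line.split()
        history[ip].append((date, machine, user))
    return history


def hunt(indicator_ips, reduced, history):
    """Indicator IP -> proxy hit -> internal IP -> machine/user from that day's check-in.
    days_on_ip shows how stable the IP was, since check-ins are daily, not per-minute."""
    findings = []
    for date, c_ip, r_host, r_ip in reduced:
        if r_ip not in indicator_ips:
            continue
        same_day = [(m, u) for d, m, u in history.get(c_ip, []) if d == date]
        days_on_ip = sorted(d for d, m, u in history.get(c_ip, []) if (m, u) in same_day)
        findings.append({"date": date, "r_host": r_host, "r_ip": r_ip, "c_ip": c_ip,
                         "machines": same_day, "days_on_ip": days_on_ip})
    return findings


if __name__ == "__main__":
    reduced = reduce_proxy(PROXY_LOG)
    for (host, ip), (first, last) in sorted(passive_dns(reduced).items()):
        print(f"{host:24} {ip:16} {first} .. {last}")
    for f in hunt({"198.51.100.23"}, reduced, checkin_history(AV_CHECKINS)):
        print(f"{f['date']} {f['c_ip']} -> {f['r_host']} ({f['r_ip']}): "
              f"{f['machines']} held that IP on {f['days_on_ip']}")
```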

One last parting thought: do you have waste/useless logs? If you apply one or more of these techniques to them, can you find a way to process them into something useful?

-KL


ISC StormCast for Tuesday, March 24th 2015 http://isc.sans.edu/podcastdetail.html?id=4409, (Tue, Mar 24th)

Mon, 03/23/2015 - 19:20

Interesting Home Depot Spam, (Mon, Mar 23rd)

Mon, 03/23/2015 - 08:34

We get a ridiculous amount of spam at the Internet Storm Center.

At first glance it looks like yet another run of Home Depot spam. It isn't very sophisticated and isn't likely to fool many: the usual spelling mistakes and broken English. They didn't even bother to link in Home Depot's logo. By the time I received it both of the URLs in the message were dead, so I wasn't able to measure what its intent was.

What makes it interesting then? If you look very carefully in the orange bar there is text. That text and the contents of the message contain what seems to be a rather good recipe for lettuce salad:

***************

* tablespoons olive oil
* 1 1/2 tablespoons fresh lemon juice
* 1 tablespoon red wine vinegar
* 2 garlic cloves, minced
* 1 teaspoon dried oregano (Mediterranean is best)

Salad
* 1 head lettuce, torn into bite-size pieces (I use Romaine)
* 3 large plum tomatoes, seeded and coarsely chopped
* 1 English cucumber, peeled and coarsely chopped (the long, thin, almost seedless ones)
* 1 medium red onion, cut into thin rings and soaked for 10 minutes in a small bowl of ice water to make it less sharp
* 1 small green pepper, cut into thin rings
* 3/4 cup kalamata olives
* 3/4 cup crumbled feta cheese

We think that you will enjoy this.
1. Seed the bell peppers and cut them into 1-inch chunks. Stem the cherry tomatoes and halve one-half of them, leaving the others whole.
2. Peel and thickly slice the cucumbers, and thinly slice the red onions. Cut the feta cheese into 1-inch cubes. Crush and mince the garlic clove.
3. In a large bowl, combine the bell peppers, tomatoes, cucumbers, onions, feta cheese, olives, anchovies and capers and toss together.
4. In a small bowl, whisk together the vinegar, garlic, dill, oregano, salt and pepper. While whisking, slowly drizzle in the olive oil to make a thick dressing.

This is the most delicious salad - fresh and wonderful-tasting. FYI, lettuce can very much be a part of any greek salad - if you want it to. We like lettuce in my family and I often add it. It would not be authentic in a Horiatiki (village) salad, but who cares?

*****************

Why?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


Watch for updated router firmware!, (Mon, Mar 23rd)

Mon, 03/23/2015 - 08:30

With the OpenSSL updates this week I am sure you are all diligently testing and deploying to all your vulnerable servers. Something you may not have thought of is that most SOHO routers run some kind of *nix variant and will most likely make use of OpenSSL. Be sure to watch for new firmware for those devices as well.

On Friday I live-chatted with two of the larger manufacturers; neither had any timeline for deploying new firmware containing the OpenSSL patches, and both said to watch for new releases of firmware.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)


ISC StormCast for Monday, March 23rd 2015 http://isc.sans.edu/podcastdetail.html?id=4407, (Mon, Mar 23rd)

Sun, 03/22/2015 - 17:04

Have you seen my personal information? It has been lost. Again., (Sat, Mar 21st)

Sat, 03/21/2015 - 04:53
Remember when milk cartons had pictures of lost children on them? I think of those cartons every time I get a notice that my personal information may have been impacted as a result of a data breach. As you might imagine, I recently received one of these letters from an organization that needs my personal information in order to provide me with a valuable service.

These notification letters make me consider the risk of becoming numb to the impact of receiving so many of them. Will we eventually achieve perpetual Identity Protection Services elite status that continually monitors for misuse of our sensitive information for the rest of our lives? I wonder if the value of this service has the potential to become a little bit diluted with each and every notice we receive. Is it possible that we will soon treat these notices like a replacement credit card that arrives in our mailboxes?

What are you doing to reduce your risk after receiving a data breach notification letter in the mail? Please respond using our comments section.

Russell Eubanks
@russelleubanks

Who Develops Code for IT Support Scareware Websites?, (Fri, Mar 20th)

Fri, 03/20/2015 - 13:38

When investigating a website used as part of an IT support scam, I came across a web page that attempted to fool the visitor into thinking that the person's system was infected. The goal was to persuade the potential victim to call a Microsoft Certified Live Technician at the designated phone number for assistance on how to remove malicious pop-ups.

The scareware page resided at 247tech.help (don't go there).

The source code of this scammy page, which you can see on Pastebin, included the following HTML comment:

<!-- Mirrored from clients.worldnetconsultants.com/Lander3/ by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 08 Jan 2015 03:52:17 GMT -->

Such comments are automatically added using the non-malicious website-mirroring tool HTTrack Website Copier. This comment offered a pointer to the origin of the pages code.

The Lander3 page was available on the clients.worldnetconsultants.com server as of this writing. It showed a web page almost identical to the one captured above, except that it lacked a pop-up and specified a different tech support phone number: (855) 662-9616. Also, it contained pointers to YourTechSupport.org and YourTechSupport.com (don't go there), which may have been the client that paid to develop this code. You can see the Lander3 source code on Pastebin.

The clients.worldnetconsultants.com server contained a publicly-accessible listing of other projects, which included other variations on landing pages for YourTechSupport.org, inviting people to get a free secure diagnostic session (lander1 screenshot), detect, diagnose and troubleshoot all spyware problems (lander2 screenshot), and perform a security check.

The server also contained code for other websites, which seemed to be associated with legitimate, less shady companies.

By performing some Google searches, I came across pop3.yourtechsupport.org (don't go there), which was live at the time of this writing. Its look-and-feel matched the lander1 screenshot.

Google also pointed me to yourtechsupport.org/L3 (don't go there):

YOUR COMPUTER MAY NOT BE PROTECTED FROM ADWARE / SPYWARE
Call 844-325-8014 immediately for assistance on how to remove potential spyware. The call is toll-free.

I captured a screenshot of that page for those who wish to see it in its full glory.

The site www.worldnetconsultants.com describes Worldnet Consultants Inc. The company positions itself as a leading web design company in the USA for offshore web design, offshore web development, etc. The site lists office addresses in Forest Hills, NY and Gurgaon, India. This company appears to have developed the code used by yourtechsupport.org and 247tech.help. I saw no indications that the software development firm is malicious; however, they don't seem to be particularly selective about their clientele.

If this topic interests you, you might also like these articles of mine:

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.


How Victims Are Redirected to IT Support Scareware Sites, (Fri, Mar 20th)

Fri, 03/20/2015 - 13:36

In the classic version of tech support scams, the fake technician initiated an unsolicited phone call to the victim. Now that awareness of this scheme has increased, scammers have shifted tactics. Their latest approaches involve convincing the potential victim to be the one calling the impostor. I've seen this accomplished in two ways:

  • Scammers use bots to respond to Twitter users who mention PC problems or malware. The bots search for the appropriate keywords and send messages that include a phone number of a tech support firm. I described this approach when exploring how scammers prescreen potential victims.
  • Scammers set up scareware websites that are designed to fool people into thinking their PC is infected, compelling visitors to call the fake tech support organization. Johannes Ullrich described a typo squatting variation of this technique in an earlier diary. Let's take a look at a domain redirection variation of this scam below.

In the following example, the victim visited a link that was once associated with a legitimate website: 25yearsofprogramming.com. The owner of the domain appears to have allowed its registration to expire in early 2014. At that point, the domain was transferred to Name Management Group, according to DomainTools Whois records. The record was assigned DNS servers under the domains cashparking.com, hastydns.com, dsredirection.com and eventually brainydns.com.

Name Management Group seems to own over 13,000 domains (according to DomainTools Whois records), including numerous domains that DomainTools classifies as malicious, such as 0357al.com, 18aol.com, 520host.com, 60dayworkout.us, 61kt.com, 7x24sex.net, 9tmedia.com, adobecrobat.info, adultfantasynetwork.com, allappsforpc.com, apkcracks.net, etc. (Dont visit these domains.)

Landing on the Fake Malware Warning Site

Visiting the once-legitimate URL a few days ago landed the victim on a scammy scareware page, designed to persuade the person to contact Microsoft Certified Live Technicians at the specified toll-free phone number. The site employed social engineering techniques used by rogue antivirus tools. Such schemes present victims with fake virus warnings, designed to scare people into submission.

The site in our example also played an audio message: This is a Windows system warning! This is a Windows system warning! If you are hearing this warning message, the security of your Windows system has been compromised. Your Windows computer and data might be at risk because of adwares, spywares and malicious pop-ups! Your bank details, credit card information, email accounts, Facebook account, private photos and other sensitive files may be compromised. Please call the number mentioned now to resolve this issue.

To see and hear what the victim experienced, play the video clip below or watch it on YouTube.

Here are the redirection steps that brought the victim to the scareware site mentioned above:

1. http ://25yearsofprogramming.com/blog/2010/20100315.htm
2. https ://p2.dntrax.com/tr?id=f2d252736d65832f11811ad8cb43ceff00313e75.r
3. http ://247tech.help/crt/us_seg0303/m1/us_windos_3806/index.html

You can see the source code to the final page on Pastebin, if you're interested. According to the code, it was mirrored from clients.worldnetconsultants.com/Lander3 using the free, non-malicious tool HTTrack Website Copier on 08 Jan 2015. (More on this interesting tidbit in my diary Who Develops Code for IT Support Scareware Websites?)

If you visited the top page of the 247tech.help website (don't go there), you would see a friendly, professional-looking page, gently inviting the visitor to Call Now for Instant Support by dialing 844-878-2550. Please don't; however, if you'd like to hear a detailed account of what people experience when they do call, read my article. That friendly page stands in stark contrast to the warnings-filled trap shown above, which redirection victims encountered.

Other Redirection Possibilities

The website hosting 25yearsofprogramming.com at the time of this writing redirects visitors to various places, perhaps randomly, perhaps based on the person's geography or browser details. I encountered two other redirection flows that led to scareware websites set up for IT support scams.

One redirection flow employed p2.dntrax.com, as in the example above, but took the victim to alert.windows.com.computers-supports.com (don't go there):

1. http ://25yearsofprogramming.com/blog/2010/20100315.htm
2. https ://p2.dntrax.com/tr?id=f2d252736d65832f11811ad8cb43ceff00313e75.r
3. http ://alert.windows.com.computers-supports.com/index-1.html?isp=Time%20Warner%20Cable&browser=Internet%20Explorer&browserversion=Internet%20Explorer%2011&ip=108.61.226.4&os=Windows&osversion=Windows%208.1

The resulting site is a bit more sophisticated than the one in the previous example, because it uses JavaScript to customize the web page with the victim's ISP, browser name, IP address and Windows version, read from the parameters in the URL's query string. For instance:

document.write(getURLParameter('ip'))

You can see the source code of that page on Pastebin. Here in this example, the website didn't receive the victim's IP and other details and therefore didn't
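To record a trail like the ones above without a browser executing whatever the landing page serves, here is an added Python example (not code from the diary). It requests each hop with redirect-following disabled, notes the status and Location header, and finally parses the query string to show which victim details the landing page was fed. The hostnames in the constructed FAKE_WEB map are placeholders, not the scam domains; `live_fetch` talks to the network and should only be pointed at real scam infrastructure from an isolated lab, as Lenny advises. The tracer only sees HTTP-level redirects: a hop done by JavaScript or a meta refresh ends the trail at that page, which is exactly where you would then look at the page source by hand.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import parse_qs, urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One request, redirects not followed: returns (status, Location header or None).
    Only use against scam infrastructure from an isolated lab."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:          # 3xx surfaces here once following is disabled
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=live_fetch, max_hops=10):
    """Walk the HTTP redirect chain hop by hop; returns [(url, status), ...].
    Stops at the first non-3xx answer, a missing Location header, or max_hops."""
    trail = []
    for _ in range(max_hops):
        status, location = fetch(url)
        trail.append((url, status))
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)   # Location may be relative
    return trail


def leaked_fields(url):
    """Victim details a landing page receives through its query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed, offline stand-in for the web, shaped like the chain above.
# Hostnames are placeholders and the address is from the documentation range.
LANDING = ("http://alert.windows.com.scareware.example/index-1.html"
           "?isp=Time%20Warner%20Cable&browser=Internet%20Explorer"
           "&ip=192.0.2.10&os=Windows&osversion=Windows%208.1")
FAKE_WEB = {
    "http://expired-blog.example/blog/2010/20100315.htm": (302, "https://tracker.example/tr?id=f2d2"),
    "https://tracker.example/tr?id=f2d2": (302, LANDING),
    LANDING: (200, None),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    trail = trace_redirects("http://expired-blog.example/blog/2010/20100315.htm", fetch=fake_fetch)
    for hop, (url, status) in enumerate(trail, 1):
        print(f"{hop}. {status} {url}")
    print("landing page was told:", leaked_fields(trail[-1][0]))
```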

Sometimes the victim was redirected using a longer trail to a different IT support scareware site (don't go there):

1. http ://25yearsofprogramming.com/blog/2010/20100315.htm
2. http ://xml.revenuehits.com/click?i=cEuxzuX2fpc_0
3. http ://zh.zeroredirect1.com/zcvisitor/fddce3a1-ccbb-11e4-ab5a-0a92e2e12617
4. http ://claimyourfree.com/promo/base.php?c=734&key=0cdc58908ab3a694320034e391aa520a&target=oscar-vox-zKU0jhQu
5. http ://fb.surveydonkeys.com/us/index.php?target=oscar-vox-zKU0jhQu
6. http ://ajax.surveydonkeys.com/imp/g38a0n?data=eyJicm93c2VyX3R6X29mZnNldCI6LTI0MCwiY2IiOjEwNTExNSwibHBfcmVmIjoiIiwibHBfdXJsIjoiaHR0cDovL2ZiLnN1cnZleWRvbmtleXMuY29tL3VzL2luZGV4LnBocD90YXJnZXQ9b3NjYXItdm94LXpLVTBqaFF1In0=
7. http ://securedgo.com/d3ed9240-61de-48c1-9a7b-b10dbafaa7d2
8. http ://fb.surveydonkeys.com/us/windowswarning.php?os=Windows&osversion=Windows%208.1&isp=Time%20Warner%20Cable&browser=Internet%20Explorer

The design of this page closely matches the site Johannes described in the typo squatting variation of this scenario on December 15. The latest page employed the sound file gp-msg.mp3 to scare visitors. VirusTotal has a record of this file, which was first uploaded to VirusTotal on December 11, 2014.

Who is Redirecting, Why and How?

We seem to be dealing with two different redirection engines and companies, p2.dntrax.com and xml.revenuehits.com, after the initial 25yearsofprogramming.com redirect.

The domain dntrax.com was registered by Team Internet AG, which is associated with over 44,000 domains, including several that DomainTools classifies as malicious: anonse24.de, natursteindichtstoff.de, seospecialists.de, etc. The domain revenuehits.com is registered to MYADWISE LTD, which is associated with about 50 domains.

The companies behind these servers, as well as the firm presently controlling 25yearsofprogramming.com, are probably receiving referral fees for their roles in the redirection scheme.

There's much to explore regarding the domain names, systems and companies involved in the schemes outlined above. If you have additional information about these entities, or would like to contribute towards this analysis, please leave a comment. If you decide to explore any of these systems, do so from an isolated laboratory environment.

Also, if you encounter a tech support scam, please register it with our database of such incidents.

-- Lenny Zeltser


ISC StormCast for Friday, March 20th 2015 http://isc.sans.edu/podcastdetail.html?id=4405, (Fri, Mar 20th)

Thu, 03/19/2015 - 18:40