New Hacker Challenge for you all
There is a new hacker challenge up on the ethical hacker network based on Serenity.
Matt who works with fellow handlers Ed and Mike has put this one together for us all to enjoy on, what is here a wet and cold weekend. The challenge can be found here, enjoy.
Mark H - Shearwater
Attack involving .hk domains
Eric, one of our many valued contributors wrote in yesterday with various spam messages that contained nothing but a short piece of text and a link to a very simple HK domain. Different domains were used in each message.
Subject line: Hello, Pal
Body: look
http://[domain].hk
When investigating this, we noticed that these domains have no less than 10 authorative nameservers. Most interesting is that each of these appear to be located within an ISPs dynamic IP address range. This is naturally highly suspicious. Random querying for A records shows that a large number of other compromised hosts are being used to host the actual website.
On each of these servers, the index.html page contains nastiness:
- One piece of obfuscated javascript code, that once decoded appears to exploit a known vulnerability in msdss.dll;
- One piece of obfuscated javascript which contains iframe inclusion of three other files, exp1.htm, exp2.htm and exp3.htm and a link to an icon file 123.htm. The three HTM files attempt to exploit three vulnerabilities in Internet Explorer, the 123.htm file in fact turns out to be a malicious ANI file.
- A final piece of human readable text that invites a user to click on a link, should the ‘download not start automatically’. Once you click on this link, a file ‘fun.exe’ will be downloaded from this same web server.
The resulting file ‘fun.exe’ appears to be different on each single server. We have currently seen the following SHA1 hashes:
810cac98916a018162792494bb1029cd52136431
64d4d736dd973bdee2be325560d2e2896992838c
9399cdd56e92c492dff1430de2da98dbbec60af8
Detection of the code by regular Anti-virus is very spotty, shown by the following output of Virustotal. These were the only solutions that detected malicious code. As you can see, even these are mostly generic detections:
BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG
CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan
DrWeb 4.33 06.16.2007 Trojan.Packed.138
eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm
Fortinet 2.85.0.0 06.16.2007 suspicious
F-Secure 6.70.13030.0 06.15.2007 Tibs.gen111
Kaspersky 4.0.2.24 06.16.2007 Email-Worm.Win32.Zhelatin.eu
Norman 5.80.02 06.15.2007 Tibs.gen111
Sophos 4.18.0 06.12.2007 Mal/EncPk-E
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen (suspicious)
This type of well-prepared and extensive attack is very difficult to shut down, mostly due to the amount of servers and authorities involved. As such, the most effective way of responding would be to have the domain itself taken down. This issue has been reported to the HKCERT as well as the administrators of the .hk TLD. In addition, we’re working with anti virus vendors to improve coverage of both the resulting file and the trojan droppers being used on the malicious site.
Cheers,
Maarten Van Horenbeeck
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago