AV Phone Scan via Fake BSOD Web Pages
A few days ago, I found a malicious website which tries to lure the visitor by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages within the browser. This is not a brand new attack but it remains in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue, and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:
- Displays a fake BSOD
- Displays constant Javascript pop-up messages containing technical information about a process failure
- Plays an MP3 with a female voice asking you not to reboot your computer and to call a provided toll-free number
The URL also contains many parameters which, I presume, help the attacker identify the victim and adapt the social engineering scenario based on browser, location, etc. Here is an example of such a URL:
The domain was registered in July 2015 (whois details) and the index page calls an index.js file containing obfuscated JavaScript. Here is the decoded content:
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6"> </p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>
Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized; in my case, I received different numbers:
- (855) 348 1197
- (888) 725 1202
It was too tempting to call them. I picked up the first one and reached a call center broadcasting professional messages ("your call may be monitored and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human (without an Indian accent!) who presented himself as working for a premium technical support service for computers. I explained my problem to him ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number but it has already been reported as malicious by other people.
This is not a brand new attack but it can scare non-technical people. I also found that, since June 2015, Emerging Threats has provided rules to detect this in their open rule set:
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811
I recorded a small video of the web page.
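As an added example (my own illustration, not code from the diary, from the scam page or from Emerging Threats), the following Python script checks a fetched page for the indicators visible in the decoded content above: a BSOD stop code in the visible text, the "DO NOT RESTART" warning, an autoplaying audio element, a 1x1 pixel tracking link, and a toll-free number that is only injected at run time via document.write() from the external script. The sample HTML is constructed from a shortened copy of the decoded page; the clear-text index.js with the var_number assignment, the benign comparison page and the 3-of-5 scoring threshold are assumptions made for the example, since the real index.js is obfuscated and its exact content is not reproduced here.

```python
import re
from html.parser import HTMLParser

# Constructed sample input, modelled on (and shortened from) the decoded index
# page quoted in the diary. The index.js body is an assumption: the diary only
# says the obfuscated script defines var_number; here it is written in clear.
SAMPLE_JS = 'var var_number = "(855) 348 1197";'
SAMPLE_HTML = """<html><body><table><tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br>
<script>document.write(var_number);</script></p>
</div></td></tr></tbody></table>
<audio autoplay="autoplay" loop><source src="gp-msg.mp3" type="audio/mpeg"></audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;"
href="http://link.everythingfastagain.link/click/2">.</a></div>
</body></html>"""
# Constructed benign page: driver documentation that mentions the same stop code.
BENIGN_HTML = """<html><body><h1>Bug check reference</h1>
<p>0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS means a
driver unloaded without cancelling pending operations.</p></body></html>"""

TOLL_FREE = re.compile(r"\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}")
STOP_CODE = re.compile(r"\b0x0000[0-9A-Fa-f]{4}\b")
ONE_PIXEL = re.compile(r"(?:width|height)\s*:\s*1px")


class PageFeatures(HTMLParser):
    """Collect the page features the lure relies on: visible text, inline
    script bodies, an autoplaying <audio> element and 1x1 pixel links."""

    def __init__(self):
        super().__init__()
        self.text, self.scripts, self.hidden_links = [], [], []
        self.autoplay_audio = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "audio" and "autoplay" in a:
            self.autoplay_audio = True
        elif tag == "a" and ONE_PIXEL.search(a.get("style", "")):
            self.hidden_links.append(a.get("href", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw CDATA.
        (self.scripts if self._in_script else self.text).append(data.strip())


def resolve_document_write(scripts, js):
    """Follow document.write(NAME) back to 'var NAME = "..."' in the external
    script: this is how the lure fills in the campaign-specific phone number."""
    values = []
    for body in scripts:
        for name in re.findall(r"document\.write\((\w+)\)", body):
            m = re.search(r"var\s+%s\s*=\s*[\"']([^\"']*)[\"']" % re.escape(name), js)
            if m:
                values.append(m.group(1))
    return values


def scan_page(html, js=""):
    """Score a page on the fake-BSOD indicators. The 3-of-5 threshold is an
    assumption chosen for this example, not a published detection rule."""
    p = PageFeatures()
    p.feed(html)
    visible = " ".join(t for t in p.text if t)
    # A plain grep of the page body misses the number: it only exists in index.js.
    candidates = [visible] + resolve_document_write(p.scripts, js)
    phone = next((m.group(0) for m in map(TOLL_FREE.search, candidates) if m), None)
    indicators = {
        "stop_code": bool(STOP_CODE.search(visible)),
        "do_not_restart": "DO NOT RESTART" in visible.upper(),
        "toll_free_number": phone is not None,
        "autoplay_audio": p.autoplay_audio,
        "hidden_link": bool(p.hidden_links),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "phone": phone, "hidden_links": p.hidden_links,
            "score": score, "verdict": score >= 3}


if __name__ == "__main__":
    for label, html, js in (("scam", SAMPLE_HTML, SAMPLE_JS), ("benign", BENIGN_HTML, "")):
        r = scan_page(html, js)
        print(label, r["score"], r["verdict"], r["phone"], r["indicators"])
```

The benign page shows why a single indicator is not enough: any driver documentation page carries the stop code string, so the verdict only fires when the page also behaves like the lure (autoplay audio, a hidden tracking link, a number to call). The number itself is the most useful artefact for an analyst, since it is what changes between campaigns.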
Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be
October 2015 Microsoft Patch Tuesday
Overview of the October 2015 Microsoft patches and their status.
# | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers
---|---|---|---|---|---|---
MS15-106 | Cumulative Security Update for Internet Explorer (Replaces MS15-095): Internet Explorer CVE-2015-2482 CVE-2015-6042 CVE-2015-6044 CVE-2015-6045 CVE-2015-6046 CVE-2015-6047 CVE-2015-6048 CVE-2015-6049 CVE-2015-6050 CVE-2015-6051 CVE-2015-6052 CVE-2015-6053 CVE-2015-6055 CVE-2015-6056 CVE-2015-6059 | KB 3096441 | None | Severity:Critical Exploitability: 1,1,4,1,2,1,1,1,4,1,2,4,1,1,2 | Critical | Important
MS15-107 | Cumulative Security Update for Microsoft Edge (Replaces MS15-094, MS15-095, MS15-097, MS15-098, MS15-101, MS15-102, MS15-105): Microsoft Edge CVE-2015-6057 CVE-2015-6058 | KB 3096448 | None | Severity:Important Exploitability: 3,3 | Important | Important
MS15-108 | Remote Code Execution in JScript and VBScript (Replaces MS15-066): JScript / VBScript on Windows 2008 and Vista CVE-2015-2482 CVE-2015-6052 CVE-2015-6055 CVE-2015-6059 | KB 3089659 | . | Severity:Critical Exploitability: 4,4,4 | Critical | Important
MS15-109 | Remote Code Execution in Windows Shell (Replaces MS15-088, MS15-020): Windows Shell CVE-2015-2525 CVE-2015-2548 | KB 3096443 | None | Severity:Critical Exploitability: 1,4 | Critical | Important
MS15-110 | Remote Code Execution in Microsoft Office (Replaces MS15-036, MS15-046, MS15-070, MS15-081, MS15-099): Microsoft Office CVE-2015-2555 CVE-2015-2556 CVE-2015-2557 CVE-2015-2558 CVE-2015-6037 CVE-2015-6039 | KB 3096440 | None | Severity:Important Exploitability: 2,4,4,2,3,3 | Critical | Important
MS15-111 | Elevation of Privilege Vulnerability in Windows Kernel (Replaces MS15-025, MS15-038, MS15-052, MS15-076): Windows Kernel CVE-2015-2549 CVE-2015-2550 CVE-2015-2552 CVE-2015-2553 CVE-2015-2554 | KB 3096447 | CVE-2015-2553 has been publicly disclosed. | Severity:Important Exploitability: 2,2,4,1,1 | Important | Important
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urgent: Typically we expect the impact if any to be minimal.
- The difference between the client and server rating is based on how you use the affected machine. Measures we presume are simple best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems.
(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.
--
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford
Adobe Updates Acrobat and Adobe Reader
Adobe has released APSB15-24 which addresses 56 vulnerabilities: CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689, CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622, CVE-2015-7623, CVE-2015-7624
--
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford