ProperBlog

Security for the masses


PC Support Phone Scam

31 July, 2011 (10:47) | A cat called password. | By: Blogkeep

On the 20th of July my telephone rang at 12:31pm; the caller's number was withheld. The caller informed me that my PC was infected with viruses and that it had sent messages over the Internet to the company he worked for, which he said was called Internet Control. Out of curiosity I played dumb and went along with him; the guy had a heavy Indian accent.

He guided me through opening the Windows inf and prefetch folders and told me that all the files within those folders were viruses. (These are in fact Windows system files that Windows needs to function correctly.) He then guided me to open Windows Event Viewer and told me that all the Warnings in the Application event log were evidence of infection. Playing dumb, I asked him what I could do about it.

He passed me on to another person whom he said was his supervisor. This “supervisor” had an Eastern European accent. He asked me to download a program from the Internet to help him diagnose and fix the problem. The program he asked me to download was Ammyy Admin from ammyy.com; this is a remote desktop server. I am unaware whether Ammyy is complicit in any way with this scam; I have no evidence to support such a claim. However, the Whois for ammyy.com reports that the registrant is protected by WhoisGuard, a company that hides the true owner of a domain from a Whois lookup. I would advise looking up ammyy and ammyy.com in a search engine and drawing your own conclusions. Just because one has nothing to fear doesn’t mean one cannot choose to hide anyway.

I quickly fired up a VM of XP Pro and downloaded the Ammyy software. After running the software it connected to an IP address owned by plusserver.de. The supervisor then ran through exactly what I had been asked to do previously, showing me the contents of the Windows inf and prefetch folders and telling me that all the files in those folders were viruses.

Whilst remotely connected to my XP VM he didn’t notice the shortcuts to Immunity and IDA, nor the folder marked analysis tools, nor the VirtualBox tool icon in the icon tray.

I asked him what I could do about all the “viruses” on my PC. He opened Notepad and pasted a price list into it. I was told I could purchase a support contract that would rid my PC of viruses and keep it clean for a year. He then asked for an email address to which he could send information on how to pay. Under pressure to provide him with an email address quickly, I made the mistake of giving him a propergander.org.uk email address. He was expecting me to retrieve my email on the XP VM he was connected to; as I use this VM to analyse malware, I don’t have email set up on it. When I told him I use a different machine for my email he began to get suspicious and opened the propergander (this) website in a browser. Well, game up; I never got the email. He was very angry that I had strung him along and asked why. I told him I was investigating how the scam he was running worked and that this little episode would make an ideal entry in my blog. He protested that he was not running a scam; I replied that I had recorded the conversation and had evidence of the lies and deception used to convince me my PC was infected. He then immediately hung up the phone.

I reported the abuse of this IP address to abuse@plusserver.de who replied “Our staff has investigated your complaint and checked your data. There are several indications that your complaint is well-grounded.”

Overall this was very amusing, but it would not be for ordinary users with no clue as to how operating systems work. This is a nasty scam, one that all computer users should be aware of.

Not so smooth WordPress update

23 June, 2011 (10:05) | Propergander. | By: Blogkeep

I made a stupid error updating WordPress to 3.1.3: I deleted my theme and had to restore from backup.

Something very strange happened though: when I brought the site back up the blog did not work. Clicking on the link to the blog made my browser attempt to connect to an IP in a Verizon address pool! Instead of propergander.org.uk, all the WordPress links were pointing to this address. Confused, I checked the source code for the site and discovered that this address was coming from the WordPress database. After further investigation I discovered that somehow the content of the WordPress database table wp_options had changed during my update. I quickly did some manual SQL updates on this table and corrected the option_value for a couple of records, namely option_id=1 and option_id=39.

All is fine now, but I am completely at a loss as to how this 70.105.xxx.xxx address got into my WordPress tables.

Ubuntu 9.04 to 10.04 LTS

11 January, 2011 (11:46) | LAMP | By: Blogkeep

I built this server on Ubuntu 9.04, which only has an 18 month update cycle. It is time to upgrade to an LTS, or long term support, version. I am going to upgrade to 10.04. The first thing to do is make a full backup of the current system. For this I used tar and issued the following command as root:

tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/lost+found --exclude=/backup.tar.bz2 --exclude=/mnt --exclude=/sys /

The exclude options stop the backing up of running processes (/proc), mounted file systems like USB drives and CD-ROMs (/mnt), the /sys directory, which is a virtual file system generated at each boot, and the backup file itself.

Once the command had completed I moved the resulting file to my home folder and SFTP’d it to a windoze box.

Upgrading directly to 10.04 from 9.04 is not supported, so I will be upgrading to 9.10 first. I will do this by issuing the command:

sudo do-release-upgrade
twice: the first time to upgrade 9.04 to 9.10 and the second time to upgrade 9.10 to 10.04 LTS.

I normally SSH into my server for updates and general admin; even though it is under my desk, it is quicker than fishing the keyboard out and switching the input of my monitor. However, performing a release upgrade is not recommended over SSH.

I will start the upgrade to 9.10 now and if all goes well I will be back soon to comment on the process.

OK, I’m back; that wasn’t as smooth as I expected. This entry in my fstab caused my system to fail at mounting the root partition, as well as /dev/shm, which just doesn’t exist.


# Reconfig of shared memory security measure-matthewlyle-ubuntu-sec
tempfs /dev/shm tempfs defaults,ro 0 0

I commented out this mount point and the system booted OK, and here I am. I will have to look into this “shared memory security measure”. So now the server is at 9.10; time to upgrade to 10.04 LTS.
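The failure above is the kind of thing that can be caught before the reboot: "tempfs" is not a filesystem type the kernel knows (the in-memory filesystem is called tmpfs), and mounting /dev/shm read-only stops programs that use POSIX shared memory from working. The checker below is an added example, not code from the original post. The sample fstab is constructed from the line above; on a live Linux box the list of valid types is read from /proc/filesystems, otherwise a constructed fallback list is used.

```python
# Added example, not from the original post: sanity-check /etc/fstab entries
# before rebooting, so a line like the "tempfs" one above is caught while the
# machine is still up. SAMPLE_FSTAB is constructed; FALLBACK_PROC_FILESYSTEMS
# stands in for /proc/filesystems when that file is unavailable.
import sys

SAMPLE_FSTAB = """\
# /etc/fstab: static file system information (constructed sample)
proc             /proc   proc    nodev,noexec,nosuid  0  0
/dev/mapper/root /       ext4    errors=remount-ro    0  1
# Reconfig of shared memory security measure-matthewlyle-ubuntu-sec
tempfs /dev/shm tempfs defaults,ro 0 0
"""

FALLBACK_PROC_FILESYSTEMS = "nodev\tproc\nnodev\ttmpfs\n\text4\n\text3\n"


def known_fs_types(proc_filesystems_text=None):
    """Return the set of filesystem type names the kernel advertises.

    /proc/filesystems lists one type per line, optionally prefixed by the
    'nodev' flag, so the type name is always the last column."""
    if proc_filesystems_text is None:
        try:
            with open("/proc/filesystems") as fh:
                proc_filesystems_text = fh.read()
        except OSError:
            proc_filesystems_text = FALLBACK_PROC_FILESYSTEMS
    types = set()
    for line in proc_filesystems_text.splitlines():
        fields = line.split()
        if fields:
            types.add(fields[-1])
    return types


def check_fstab(fstab_text, fs_types):
    """Return a list of (line_number, problem) tuples for entries that would
    fail or misbehave at boot. An empty list means nothing was flagged."""
    problems = []
    for lineno, raw in enumerate(fstab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # fs_freq and fs_passno may be omitted, so 4 to 6 fields are valid
        if not 4 <= len(fields) <= 6:
            problems.append((lineno, "expected 4 to 6 fields, got %d" % len(fields)))
            continue
        device, mountpoint, fstype, options = fields[:4]
        opts = set(options.split(","))
        if fstype not in fs_types and fstype not in ("swap", "auto"):
            problems.append((lineno, "unknown filesystem type %r" % fstype))
        if fstype != "swap" and not mountpoint.startswith("/"):
            problems.append((lineno, "mount point %r is not an absolute path" % mountpoint))
        if mountpoint == "/dev/shm" and "ro" in opts:
            # Programs using POSIX shared memory must write to /dev/shm; the
            # hardening normally applied there is noexec,nosuid,nodev, not ro.
            problems.append((lineno, "/dev/shm mounted read-only will break shared memory users"))
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for lineno, problem in check_fstab(text, known_fs_types()):
        print("line %d: %s" % (lineno, problem))
```

Run it with the path to a candidate fstab as the only argument (or with no argument to check the constructed sample); anything it prints is worth fixing before the machine is rebooted into the new release.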

Back soon or much later….

Well, that went very smoothly; the server is now running 10.04 LTS.

Moving /var to a new disk in a VM

29 September, 2010 (09:26) | LAMP | By: Blogkeep

When I built a development server on VirtualBox, I thought 8 GB would be enough disk space. It wasn’t. I decided that moving /var to another virtual disk would be a solution. I could have imaged my VM, created a larger disk and written the image back to the new, bigger disk. However, this is what I did to get more space:

This was done with VirtualBox running 64bit Ubuntu.

Create a new virtual disk (VDI) of the size required, and add this disk to your Ubuntu VM.
Boot the VM and log in. Start a terminal (if using a desktop).

Make sure the disk has been detected:


> sudo fdisk -l

This command lists the disks in the system; for my system the following is returned:


Disk /dev/sda: 8589 MB, 8589934592 bytes
255 heads, 63 sectors/track, 1044 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000aaa52


Device Boot Start End Blocks Id System
/dev/sda1 * 1 32 248832 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 32 1045 8136705 5 Extended
/dev/sda5 32 1045 8136704 8e Linux LVM

Disk /dev/sdb: 8213 MB, 8213495808 bytes
255 heads, 63 sectors/track, 998 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


disk /dev/sdb doesn't contain a valid file system

We have determined that the new virtual disk /dev/sdb has been detected.

OK, it doesn’t contain a valid file system, so we create one.
Firstly we partition the disk; I decided to use the whole disk. My responses to the prompts (n, p, 1, 1, 998 and w) appear after each prompt below:


> sudo fdisk /dev/sdb


Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xc7872ee1.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.


Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
switch off the mode (command 'c') and change display units to
sectors (command 'u').


Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-998, default 1): 1
Last cylinder, +cylinders or +size{K,M,G} (1-998, default 998):998

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Let us check the disk has been partitioned properly:


> sudo fdisk -l /dev/sdb

Disk /dev/sdb: 8213 MB, 8213495808 bytes
255 heads, 63 sectors/track, 998 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xc7872ee1

Device Boot Start End Blocks Id System
/dev/sdb1 1 998 8016403+ 83 Linux

There is our new partition, sdb1, on disk sdb.
Now to create the file system; I used ext4:


> sudo mkfs.ext4 -v /dev/sdb1

mke2fs 1.41.11 (14-Mar-2010)
fs_types for mke2fs.conf resolution: 'ext4', 'default'
Calling BLKDISCARD from 0 to 8208793600 failed.
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
501952 inodes, 2004100 blocks
100205 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2055208960
62 block groups
32768 blocks per group, 32768 fragments per group
8096 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.

Create a directory to mount the new disk:


> sudo mkdir /mnt/new

Mount the new disk:


> sudo mount /dev/sdb1 /mnt/new

Now we are ready to copy /var to the new disk.
Firstly we need to drop the run level into single-user mode, because we do not want disk writes happening in /var whilst we are copying it.


> sudo init 1

Copy the data in /var, not the /var directory itself:


> cd /var
> cp -ax * /mnt/new

Rename the /var directory; don’t delete it until we are sure it all works:


> cd /
> mv var var.old

Make a new /var directory:


> mkdir var

Unmount the new partition:


> umount /dev/sdb1

Remount it as /var:


> mount /dev/sdb1 /var

Finally edit /etc/fstab to include the new partition, with /var given as the mount point, so that it will be included automatically at boot.

I added this line to my fstab:

/dev/sdb1 /var ext4 defaults 0 0

After rebooting, once you are sure everything works as it should, you can delete the var.old directory.
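Before var.old is deleted it is worth proving that the copy on the new partition is complete. The checker below is an added example, not code from the original post: it compares the two trees path by path (type, permission bits, size and a SHA-256 of every regular file) and reports dot-files as well, which the shell glob in cp -ax * does not match (running the copy as cp -ax . /mnt/new from inside /var avoids that). demo() builds a small constructed stand-in for /var in a temporary directory rather than touching the real one, and uses shutil.copytree in place of cp -ax.

```python
# Added example, not from the original post: verify that a copied directory
# tree mirrors its source before the old tree is renamed away or deleted.
# demo() works on a constructed mini /var in a temp dir, never the real one.
import hashlib
import os
import shutil
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map each relative path under root to (kind, mode, size, content-id)."""
    inv = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)            # lstat: describe symlinks, do not follow them
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                inv[rel] = ("symlink", mode, 0, os.readlink(full))
            elif stat.S_ISDIR(st.st_mode):
                inv[rel] = ("dir", mode, 0, "")
            elif stat.S_ISREG(st.st_mode):
                inv[rel] = ("file", mode, st.st_size, _sha256(full))
            else:
                inv[rel] = ("special", mode, 0, "")   # sockets, fifos, device nodes
    return inv


def compare_trees(src, dst):
    """Return a sorted list of differences; an empty list means dst mirrors src."""
    a, b = inventory(src), inventory(dst)
    diffs = []
    for rel in sorted(set(a) | set(b)):
        if rel not in b:
            diffs.append("missing in destination: " + rel)
        elif rel not in a:
            diffs.append("extra in destination: " + rel)
        elif a[rel] != b[rel]:
            diffs.append("differs: %s %s -> %s" % (rel, a[rel], b[rel]))
    return diffs


def demo():
    """Copy a constructed mini /var, verify it, then tamper and verify again.
    Returns (diffs_after_copy, diffs_after_tamper)."""
    base = tempfile.mkdtemp(prefix="varmove-")
    try:
        src, dst = os.path.join(base, "var"), os.path.join(base, "mnt-new")
        os.makedirs(os.path.join(src, "log"))
        with open(os.path.join(src, "log", "syslog"), "w") as fh:
            fh.write("Sep 29 09:26:00 devbox kernel: constructed sample line\n")
        with open(os.path.join(src, ".placeholder"), "w") as fh:   # a dot-file
            fh.write("kept by cp -ax . but not by cp -ax *\n")
        os.symlink("log/syslog", os.path.join(src, "latest"))
        shutil.copytree(src, dst, symlinks=True)          # stand-in for cp -ax
        clean = compare_trees(src, dst)
        with open(os.path.join(dst, "log", "syslog"), "a") as fh:
            fh.write("extra line written after the copy\n")
        os.remove(os.path.join(dst, ".placeholder"))
        tampered = compare_trees(src, dst)
        return clean, tampered
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    before, after = demo()
    print("after copy:", before or "identical")
    print("after tamper:", after)
```

For the real migration, call compare_trees("/var.old", "/var") as root after the new partition is mounted and before var.old is removed; an empty result is the go-ahead, anything else names exactly what the copy missed.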

A sensible, grammatically correct Tweet for C&C

15 September, 2010 (16:33) | A cat called password. | By: Blogkeep

I read an article recently on The Register regarding tweet-controlled botnets and I thought of this:

Tweet about anything but create sensible and grammatically correct text.

The bot is hard-coded with a sequence of numbers that it uses to read single characters from any or all of the words of a tweet.
The bot reads a tweet, taking the first letter/word as a mode switch.

Modes:
Read this tweet as a string of commands.
Read this tweet as a new number sequence for reading commands from future tweets.
Read this tweet as a new target address range.

Some jobs running scripts against a database of the number sequences that the bots use to read the tweets are fed into some clever software (wetware) that writes and submits grammatically correct and sensical tweets.

Now how can this be filtered?

I speculate now: what if the bots were coded to tweet without the wetware being involved, pre-programmed to C&C other bots to maintain connections should one avenue fail? Can Twitter account generation be accomplished by a bot yet?

As an afterthought: why use Twitter? If one controls a botnet that re-interprets written text posted to the Internet as command and control codes, the possibilities are almost limitless: forums, social networking sites, Usenet news posts, popular blogs etc.

Zeus Botnet vs UK bank accounts

12 August, 2010 (14:46) | A cat called password. | By: Blogkeep

Security researchers tracked down a Zeus-based botnet that raided more than $1m from 3,000 compromised UK online banking accounts.

Using browser- and application-based vulnerabilities and drive-by download attacks, cyber criminals managed to install version 3 of the Zeus trojan onto compromised machines. There are kits available via the underground that make such installs trivial for all but the most simple-minded people.

Version 3 of Zeus uses an encrypted tunnel to communicate with its C&C servers.

A white paper by M86 Security can be found here (PDF).

Unfortunately such exploits succeed because the vast majority of computer users are not IT literate; they are just consumers, with very little idea of the distinction between computer hardware and software. They see the computer as a whole. A little box pops up advising the user that an upgrade to a component is required. To the average consumer this is not a subtle attempt by a rogue website to install malicious software; it is a request by their computer to perform a required update. So the malicious software is installed by the consumer in the false belief that the update is legitimate.

Only update your machine with files downloaded directly from the software developer’s site. Regardless of the website you are visiting, if a request pops up in your browser advising that an update to a component (be that Adobe, Flash, browser plugins or the OS itself) is needed to proceed, ignore it and close the browser. Go directly to the developer’s site for that component and see if there are any actual updates. I advise the use of Firefox and the NoScript add-on. Yes, NoScript will break some websites, but it is simple enough to allow the scripted content once you determine that you can trust the site.

Where have the scams gone?

28 June, 2010 (20:14) | A cat called password. | By: Blogkeep

I have been rather busy over the past couple of months. Not only that, I have 14 email accounts on several domains and not one of them has attracted anything malicious, other than standard product marketing spam, in those months. I am aware that a couple of major botnets have been impacted by the closure of cybercriminal-sympathetic hosting companies. Still, I miss those links to malicious web pages and malware files. I haven’t even had a mail from a gorgeous Eastern European girl looking for love.

I have received offers of employment from dubious sources: the kind of employment that involves me processing sales orders through my own bank account. Obviously others have received such emails too. Just in case any of you think that this might be a good way to earn some extra cash, be wary; in all likelihood these jobs are a front for money laundering.

Fake Swine Flu Alerts

3 December, 2009 (17:05) | A cat called password. | By: Blogkeep

Alerts regarding the H1N1 (swine flu) virus are arriving in inboxes in an attempt to trick users into visiting bogus websites for the Centers for Disease Control and Prevention. The email attempts to trick users into believing they are part of an H1N1 vaccination program. Once the link embedded in the email is clicked, a web page opens which is a convincing imitation of a CDC web page. Visitors are then prompted to create a user profile; it is during this process that malware gets installed on the victim’s machine. A link to a “Vaccination profile” is in fact a link to an executable file. The file is a Trojan known as Kryptic or Xpack which attempts to download and install further malware. It also creates a backdoor for remote hackers to control the computer.

More information can be found at ZDNet

Malware blocks Internet access, demands payment

1 December, 2009 (15:09) | Diagnosis, Prognosis, Treatment. | By: Blogkeep

A new ransomware program is installing itself on the machines of those installing uFast Download Manager. The program blocks Internet access until a user makes a payment via SMS to register the software. More information from the person who discovered this is available here:

CA Blog

Facebook email scam with PDF twist

26 November, 2009 (18:26) | Diagnosis, Prognosis, Treatment. | By: Blogkeep

Another Facebook email scam in my mailbox today, this time with a twist. As usual it was an HTML email.

Header:

From - Thu Nov 26 10:23:04 2009
X-Account-Key: account3
X-UIDL: UID112-1238682728
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path:
Envelope-to: admin@xxxxxxxx.xxx
Delivery-date: Thu, 26 Nov 2009 07:39:15 +0000
Received: from abxt60.neoplus.adsl.tpnet.pl ([83.9.13.60]:4351)
by REMOVED
(return-path ); Thu, 26 Nov 2009 07:39:14 +0000
Received: from 83.9.13.60 by rounsley.com; Thu, 26 Nov 2009 08:37:41 +0100
From: "Facebook"
To:
Subject: new login system
Date: Thu, 26 Nov 2009 08:37:41 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01CA6E6B.56025570"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QY99QN4ZD0K9XZUL7DP1EW6GO2==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <000d01ca6e6b$56025570$6400a8c0@fracturek03>

End Header
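The header above already tells most of the story if the Received chain is read bottom-up: the message reached the recipient's server from a host in a Polish ADSL pool (abxt60.neoplus.adsl.tpnet.pl, 83.9.13.60), the inner "by rounsley.com" hop names that same IP and so was most likely written by the sender itself, the From header carries only the display name "Facebook", and the X-Mailer claims a desktop copy of Outlook. The script below is an added example, not code from the original post, that extracts those hops and tags those tell-tales. Its sample is constructed from the headers printed above (mbox "From -" separator and X-Mozilla bookkeeping lines dropped, continuation lines re-indented so the parser folds them, no addresses added where the post shows none).

```python
# Added example, not from the original post: walk the Received chain of a
# message and tag the properties that mark it as forged. SAMPLE_HEADERS is
# constructed from the headers shown in the post.
import email
import re

SAMPLE_HEADERS = """\
Return-path:
Envelope-to: admin@xxxxxxxx.xxx
Delivery-date: Thu, 26 Nov 2009 07:39:15 +0000
Received: from abxt60.neoplus.adsl.tpnet.pl ([83.9.13.60]:4351)
\tby REMOVED
\t(return-path ); Thu, 26 Nov 2009 07:39:14 +0000
Received: from 83.9.13.60 by rounsley.com; Thu, 26 Nov 2009 08:37:41 +0100
From: "Facebook"
Subject: new login system
Date: Thu, 26 Nov 2009 08:37:41 +0100
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Message-ID: <000d01ca6e6b$56025570$6400a8c0@fracturek03>

"""

# "from <announced host> ([<ip the receiving MTA saw>]...)"; the bracketed IP is optional
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?[^)]*\))?",
    re.IGNORECASE,
)
# hostname fragments ISPs use for residential / dynamic address pools
RESIDENTIAL_RE = re.compile(r"adsl|dsl|dyn|dial|ppp|cable|pool", re.IGNORECASE)


def received_hops(msg):
    """Return [(announced_host, observed_ip_or_None), ...], newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group("helo"), m.group("ip")))
    return hops


def indicators(msg):
    """Return short tags for the properties that mark this message as forged."""
    tags = []
    hops = received_hops(msg)
    if any(RESIDENTIAL_RE.search(host) for host, _ in hops):
        tags.append("residential-origin")      # a real Facebook mailer is not on ADSL
    # The innermost (oldest) hop announces the very IP the outer hop actually saw:
    # that inner relay line was most likely written by the sender itself.
    if len(hops) >= 2 and hops[0][1] and hops[-1][0] == hops[0][1]:
        tags.append("forged-inner-hop")
    sender = (msg.get("From") or "").lower()
    if "facebook" in sender and "@facebook.com" not in sender:
        tags.append("brand-name-mismatch")     # display name only, no facebook.com address
    if "outlook" in (msg.get("X-Mailer") or "").lower():
        tags.append("desktop-mailer")          # bulk notifications are not sent from Outlook
    return tags


def analyse(raw_headers):
    """Parse a header block and return (hops, indicator tags)."""
    msg = email.message_from_string(raw_headers)
    return received_hops(msg), indicators(msg)


if __name__ == "__main__":
    hops, tags = analyse(SAMPLE_HEADERS)
    for host, ip in hops:
        print("hop: announced %-32s observed %s" % (host, ip or "(not recorded)"))
    print("indicators:", ", ".join(tags) or "none")
```

Only the outermost Received line (the one your own server wrote) can be trusted; everything below it was handed over by the sender and is as forgeable as the From header, which is why the check compares the inner hop against what the outer hop actually observed.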

I searched the source and found the following link: hxxp: //www.facebook.com.hyffvsq.be/usersdirectory/LoginFacebook.php?ref=3D4953366229553272678044627418784951492819094102373604358972561&email=3Dadmin@.com

The domain name in the email field for the fake login page did not match the email address of the recipient, so if this was an attempt to confirm active email addresses for spam, or to match the recipient to a Facebook account, it failed.

I pasted this:

hxxp: //www.facebook.com.hyffvsq.be/usersdirectory/LoginFacebook.php

into a new Firefox window. I should have done this on a VM, but I considered NoScript to be the only protection I would need at this stage.

Before the fake login page appeared, I was prompted to download or view a PDF file (I don’t have the browser automatically open files that could contain executable code). I saved the file under its default name of:

pdf.pdf MD5: 80758E30F8BEB7FA79F6346B85F6CF31.

More about that later.

The site finally opened and offered updatetool.exe, MD5: 853631A285ED6DD86E81E044DCBC4C28, a Zbot variant (VirusTotal analysis), for me to download and install.

The PDF I saved, well, I opened it in Notepad2 and discovered this.
NOTE: I have removed most of the initialisation data for variable s; it will become clear why later.

13 0 obj
<>
stream
p ="";

var s = " 10{ 118{ 97{ … 71{ 119{ 41{ 59{ 10{ 125{ 10{ 125{ 10";
ib=eval;
vk=ib;
p ="";
s=s.replace(/[A-Z]/g,function (sda){}).split("{ ");

var JknB="f"+"o";
var qqeerR="r";
var qrt="("+"i";
var HHjdxc="="+"0";
var uiuTW="i"+"<";
var Vqweqwet="l"+"en";
var df="+"+"+";
var TTyreQ="=S";
var nmMJ="o";
var tyuid="o";
var YUiotr="["+"i]"+")"+";"+"}";
vk(JknB+qqeerR+qrt+HHjdxc+";"+uiuTW+"s."+Vqweqwet+"gth"+";i"+df+"){"+"p+"+TTyreQ+"tri"+"ng"+".fr"+nmMJ+"mC"+"h"+"arC"+tyuid+"de"+"(s"+YUiotr);
vk(p);
endstream
endobj

Obviously something has been obfuscated, possibly to avoid AV detection. So I un-obfuscate and comment:

p ="";
var s = " 10{ 118{ 97{ … 125{ 10{ 125{ 10";
ib=eval;   // alias eval under another name so the word "eval" never appears next to the payload
vk=ib;
p ="";
s=s.replace(/[A-Z]/g,function (sda){}).split("{ ");
// The replace is a decoy (s contains no capital letters); the split turns s into an array of numbers: 10,118,97,... 125,10,125,10
// The string concatenation above assembles exactly this statement, which vk() then evaluates:
eval("for(i=0;i<s.length;i++){p+=String.fromCharCode(s[i]);}");
// Cycles through s, converting each number to its ASCII character and appending it to the string p.
// Now p contains an ASCII text string that has been derived from the decimal ASCII codes initialised in s.
eval(p);

The obfuscated code was simple enough to work out, yet disguised well enough to get past my AV when I downloaded the PDF. Once I had the actual exploit code, after it was converted from its decimal ASCII code representation (the s initialisation), my AV warned of a malicious script. It took a moment for me to recognise that the code was a buffer overflow attempt. On closer examination, and a little searching, I discovered it was code that examines the version of Adobe in use before attempting an Adobe printf() or collectEmailInfo() exploit.
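The safe way to get at p is to do what the script does to s as a pure data transformation and never hand the result to an interpreter. The decoder below is an added example, not code from the original post: decode_stage() replicates the replace/split/fromCharCode steps in Python, and suspicious_calls() then scans the recovered text for the things the post identifies (a viewer version check via app.viewerVersion, the printf() and collectEmailInfo() calls, and long unescape() blobs typical of overflow payloads). Because the post elides the real s, SAMPLE_S is constructed and decodes to a harmless app.alert() call written in the same "{ "-separated decimal form.

```python
# Added example, not from the original post: undo the PDF's first obfuscation
# layer without ever calling eval, then scan the recovered script for the
# Acrobat API calls the post identifies as exploit targets. SAMPLE_S is a
# constructed stand-in for the PDF's variable s.
import re

# " 97{ 112{ 112{ ..." : a leading space before each number, "{ " as separator
SAMPLE_S = "{".join(" %d" % ord(c) for c in 'app.alert("decoded");')


def decode_stage(s):
    """Reproduce exactly what the obfuscated JavaScript does to s, as data only.

    The replace() is a decoy (s contains no capital letters, so it changes
    nothing); the split on "{ " yields decimal character codes, and
    String.fromCharCode turns each one back into a character."""
    parts = re.sub(r"[A-Z]", "", s).split("{ ")
    return "".join(chr(int(p)) for p in parts if p.strip())


# Things worth flagging in the recovered script, named after the post's findings:
# a viewer version check, the two known-vulnerable calls, or a long unescape()
# blob of the kind used to stage overflow payloads.
SUSPICIOUS = {
    "app.viewerVersion": r"app\.viewerVersion",
    "printf": r"\bprintf\s*\(",
    "collectEmailInfo": r"\bcollectEmailInfo\s*\(",
    "unescape-blob": r"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){16,}",
}


def suspicious_calls(script):
    """Return the sorted names of SUSPICIOUS patterns present in script."""
    return sorted(name for name, pat in SUSPICIOUS.items() if re.search(pat, script))


if __name__ == "__main__":
    recovered = decode_stage(SAMPLE_S)
    print("decoded payload:", recovered)
    print("flagged:", suspicious_calls(recovered) or "nothing")
```

Feeding the real s string from the PDF to decode_stage() gives the same text that eval(p) would have run, but as a string you can read, hash and scan; the opening " 10{ 118{ 97" shown in the post decodes to a newline followed by "va", the start of the first var declaration.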

I transferred the PDF to a VM and attempted to view it using the latest version of Foxit Reader whilst running AV. First I scanned the PDF with Avast!; nothing was detected. I used Foxit Reader V3.1.4.1125 to open the file; a blank one-page document was shown. No doubt if I had been running a vulnerable version of this viewer I would have experienced a crash or a compromise of my VM, as the obfuscation in the code was enough to fool my AV.

So, two attempts at compromising a PC: one via running updatetool.exe and installing a Zbot variant, and one from the PDF file attempting to exploit the Adobe Reader plugin. One attempt to compromise me and gain Facebook credentials: the fake login page. And a possible attempt to verify an email address: the passing of the embedded email address to the linked login function. All wrapped up in one email. I guess in a global recession even cyber criminals have to increase efficiency, at least that’s what one would have thought. It is hardly efficient to send the same email to the same email address 10+ times. Isn’t this kind of spamming likely to arouse suspicion?

This is evidence that it is essential that applications, as well as your operating system, be updated as soon as possible after a security fix or update is released, after, of course, you have created a suitable restore route for your system should something conflict.

It isn’t very difficult to buy a domain name, get some hosting and copy-paste an exploit together in the hope of stealing someone’s identity or bank details. In fact it is too easy.