11.01.2013, 09:47
tachion wrote: The Blackhole exploit kit 2.0 bypasses Java 7 Update 7; the malware it infects with is ransomware
I can also report that there is a Blackhole exploit kit that bypasses Java 7u10, i.e. the latest one.
No kidding, from that link it got through Java 7u10.
Now the site isn't responding at all...
I mixed up the windows and instead of pasting the link into the virtual machine, it went to the real one. I hope that c..p didn't suck out my passwords; I noticed from the Java icon that it was running (animating) on the real system, so I hit the panic button: a hard reset (the system had no protection).
Analysis of Trojan-PSW.Tepfer:
Detailed report of suspicious malware actions:
Anti-Malware Analyzer routine: Norman Sandbox detection
Checked for debuggers
FTP information stealer
Got computer name
Got user name information
Hooks Mozilla FireFox NSPR APIs
Internet connection: C:\Wirus\exp116d.tmp.EXE Connects to "110.164.58.250" on port 8080 (TCP)
Mail information stealer
Slept over 2 minutes
Transfered files from and/or to internet
[ General information ]
* Analysis duration: 00:03:50
* File name: c:\wirus\exp116d.tmp.exe
[ Changes to filesystem ]
* No changes
[ Changes to registry ]
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledProcesses
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledSessions
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{4fa4883c-5727-11e2-9b4c-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{4fa48840-5727-11e2-9b4c-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7142d801-e037-11e0-ae3a-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7142d802-e037-11e0-ae3a-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7142d803-e037-11e0-ae3a-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7692c15b-35dc-11e1-bba2-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7692c15c-35dc-11e1-bba2-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9149f237-3dca-11e1-b5e5-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a3c143d6-2b31-11e2-915d-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f553d417-2c1f-11e2-83a8-806e6f6e6963}
old value empty
* Creates value "HWID=7B39373245324244462D444431362D343031412D383633342D4143343735423931413532417D" in key HKEY_CURRENT_USER\software\WinRAR
* Creates value "Client Hash=B02FE0519BF33B1FD406EEBC39BB591C" in key HKEY_CURRENT_USER\software\WinRAR
[ Network services ]
* C:\Wirus\exp116d.tmp.EXE Connects to "110.164.58.250" on port 8080 (TCP).
* Downloads file from "110.164.58.250 /asp/intro.php".
* Uses POST methods in HTTP.
[ Process/window/string information ]
* Enables process privileges.
* Gets user name information.
* Gets computer name.
* Checks for debuggers.
* Contains string FTP information stealer ("32BitFtp.ini")
* Contains string FTP information stealer ("3D-FTP")
* Contains string FTP information stealer ("ALFTP")
* Contains string FTP information stealer ("BitKinex")
* Contains string FTP information stealer ("BlazeFtp")
* Contains string FTP information stealer ("BPFTP")
* Contains string FTP information stealer ("Bullet Proof FTP")
* Contains string FTP information stealer ("BulletProof")
* Contains string FTP information stealer ("ClassicFTP")
* Contains string FTP information stealer ("COREFTP")
* Contains string FTP information stealer ("CuteFTP")
* Contains string FTP information stealer ("DeluxeFTP")
* Contains string FTP information stealer ("EasyFTP")
* Contains string FTP information stealer ("FFFTP")
* Contains string FTP information stealer ("FileZilla.xml")
* Contains string FTP information stealer ("fireFTPsites.dat")
* Contains string FTP information stealer ("FlashFXP")
* Contains string FTP information stealer ("FreshFTP")
* Contains string FTP information stealer ("Frigate3")
* Contains string FTP information stealer ("FTP Explorer")
* Contains string FTP information stealer ("FTPClient")
* Contains string FTP information stealer ("FTPGetter")
* Contains string FTP information stealer ("FTPInfo")
* Contains string FTP information stealer ("ftplist.txt")
* Contains string FTP information stealer ("FTPNow")
* Contains string FTP information stealer ("FTPRush")
* Contains string FTP information stealer ("ftpshell.fsi")
* Contains string FTP information stealer ("FTPVoyager.ftp")
* Contains string FTP information stealer ("GoFTP")
* Contains string FTP information stealer ("GPSoftware\Directory Opus")
* Contains string FTP information stealer ("Ipswitch\WS_FTP")
* Contains string FTP information stealer ("LeapFTP")
* Contains string FTP information stealer ("LinasFTP")
* Contains string FTP information stealer ("NovaFTP")
* Contains string FTP information stealer ("NppFTP.xml")
* Contains string FTP information stealer ("PuTTY\Sessions")
* Contains string FTP information stealer ("Robo-FTP")
* Contains string FTP information stealer ("sites.xml")
* Contains string FTP information stealer ("SmartFTP")
* Contains string FTP information stealer ("Software\Far*\Host")
* Contains string FTP information stealer ("Staff-FTP")
* Contains string FTP information stealer ("TurboFTP")
* Contains string FTP information stealer ("UltraFXP")
* Contains string FTP information stealer ("wcx_ftp.ini")
* Contains string FTP information stealer ("WinFTP")
* Contains string FTP information stealer ("WinZip\FTP")
* Contains string FTP information stealer ("wiseftpsrvs.ini")
* Contains string Mail information stealer ("account.cfg")
* Contains string Mail information stealer ("accounts.ini")
* Contains string Mail information stealer ("Mailbox.ini")
* Contains string Mail information stealer ("outlook account manager passwords")
* Contains string Mail information stealer ("PocoSystem.ini")
* Contains string Mail information stealer ("The Bat!\Users depot")
* Contains string Anti-Malware Analyzer routine: Norman Sandbox detection ("CurrentUser")
* Sleeps 152 seconds.
Analysis of Trojan.Bublik (unfortunately it did not run in the virtual machine):
Detailed report of suspicious malware actions:
Checked for debuggers
Created a mutex named: Global\f19866a7-5c04-11e2-b159-00304f86f3e5
Created a mutex named: Local\WERReportingForProcess2416
Created process: C:\Windows\SysWOW64\WerFault.exe,C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 112,C:\Windows\SysWOW64
Internet connection: C:\Windows\SysWOW64\WerFault.exe Connects to "65.55.53.190" on port 443 (TCP - HTTPS)
Internet connection: C:\Windows\SysWOW64\WerFault.exe Connects to "65.55.53.190" on port 80 (TCP - HTTP)
Queried DNS: watson.microsoft.com
Traces of Max++
Transfered files from and/or to internet
[ General information ]
* Analysis duration: 00:00:18
* File name: c:\wirus\kb01355330.exe
[ Changes to filesystem ]
* No changes
[ Changes to registry ]
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledProcesses
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\SQMClient\Windows\DisabledSessions
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Consent
* Creates value "CheckingForSolutionDialog=3004060000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug\UIHandles
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\PeerDist\Service
* Modifies value "ExceptionRecord=050000C000000000000000006153400002000000080000006153400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug
old value "ExceptionRecord=050000C0000000000000000023F4E57302000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{4fa4883c-5727-11e2-9b4c-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{4fa48840-5727-11e2-9b4c-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7142d801-e037-11e0-ae3a-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7142d802-e037-11e0-ae3a-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7142d803-e037-11e0-ae3a-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7692c15b-35dc-11e1-bba2-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{7692c15c-35dc-11e1-bba2-806e6f6e6963}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{9149f237-3dca-11e1-b5e5-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a3c143d6-2b31-11e2-915d-00304f86f3e5}
old value empty
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f553d417-2c1f-11e2-83a8-806e6f6e6963}
old value empty
* Creates value "CheckingForSolutionDialog=3004060000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles
* Creates value "WerFault.exe=5200610070006F00720074006F00770061006E00690065002000700072006F0062006C0065006D00F300770020007A002000730079007300740065006D0065006D002000570069006E0064006F00770073000000" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\SysWOW64
binary data=Raportowanie problemów z systemem Windows
[ Network services ]
* Queries DNS "watson.microsoft.com".
* C:\Windows\SysWOW64\WerFault.exe Connects to "65.55.53.190" on port 80 (TCP - HTTP).
* C:\Windows\SysWOW64\WerFault.exe Connects to "65.55.53.190" on port 443 (TCP - HTTPS).
* Downloads file from "watson.microsoft.com/StageOne/Generic/BEX/KB01355330_EXE/0_0_0_0/50ef7247/KB01355330_EXE/0_0_0_0/50ef7247/00005361/c0000005/00000008.htm?LCID=1045&OS=6.1.7601.2.00010100.1.0.1.17514&SM=System%20manufacturer&SPN=System%20Product%20Name&BV=0301&MID=30F2FD74-4BBF-4FA5-8C4D-228AD3D6373C".
[ Process/window/string information ]
* Enables process privileges.
* Checks for debuggers.
* Creates process "C:\Windows\SysWOW64\WerFault.exe,C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 112,C:\Windows\SysWOW64".
* Injects code into process "c:\windows\syswow64\werfault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess2416".
* Creates a mutex "Global\f19866a7-5c04-11e2-b159-00304f86f3e5".
* Opens a service named "WinHttpAutoProxySvc".
* Starts a service.
* Injects code into process "c:\program files\sandboxie\sandboxiecrypto.exe".
* Sleeps 5 seconds.
Here you go: a 0-day for Java 7u10 (CVE-2013-0422).
KIS/EIS/MKS, MBAM, HitmanPro, Eset Online, WF+uBlock