Archive for April, 2008

Banbra.FRJ Panda’s analysis tool

Posted in Virus info on April 30, 2008 by msbasic

Another fake Security Tool is made!

This is what has happened with a spam message that uses PANDA's free online analysis tool, ActiveScan, as bait to deceive users.

The following image is the fake message that the user would receive. Note that it contains the logo of the PANDA Security company, but as I can see, the analysis tool link points to a malicious URL and not Panda’s.

SPAM

If the link is followed, a file called ScanActive.zip will be downloaded, as can be seen in the image below:

SPAM Files

This file is not really PANDA’s online analysis tool but a banker Trojan belonging to the Banbra family, specifically Banbra.FRJ, which is designed to steal confidential information related to certain Brazilian banking entities.

IFrames Updation – SQL Injection

Posted in Virus info on April 28, 2008 by msbasic

What stood out about the iframe pointing to a malicious website that appeared in hundreds of thousands of web pages was that all the compromised websites were on servers running IIS and MSSQL. Initially, the most likely hypothesis was that some known exploit was being used to attack one of these platforms.

However, after a deeper analysis, we observed that the cause was not a vulnerability in IIS or MSSQL Server, but some badly programmed ASP code, which compromised the websites hosted on these IIS servers with MSSQL.

The ASP code we show below (“orderitem.asp”) interacts with an MSSQL database in a way that allows SQL injection techniques to be used to insert data into the database, so that it was possible to include the iframe in the hosted websites.

SQL Injection IFrames

For security reasons, the whole asp code has not been included.
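The weakness described above, next to its fix, as an added example that is not the code from orderitem.asp (the page does not show it). SQLite stands in for MSSQL, and the table, the functions and the UPDATE statement are hypothetical:

```python
import sqlite3

def make_db():
    """Constructed sample data; SQLite stands in for the MSSQL back end."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT);"
        "INSERT INTO items VALUES (1, 'Blue mug');"
        "INSERT INTO items VALUES (2, 'Red mug');"
    )
    return db

def rename_item_concat(db, item_id, title):
    # Weak pattern: request values are pasted into the SQL text, so a quote
    # in `title` ends the string literal and the rest is parsed as SQL.
    db.execute("UPDATE items SET title = '" + title + "' WHERE id = " + item_id)

def rename_item_param(db, item_id, title):
    # Hardened pattern: validate the type, then bind the values as parameters
    # so they can never change the shape of the statement.
    if not item_id.isdigit():
        raise ValueError("item id must be numeric")
    db.execute("UPDATE items SET title = ? WHERE id = ?", (title, int(item_id)))

def titles(db):
    return [row[0] for row in db.execute("SELECT title FROM items ORDER BY id")]

# Constructed request value: a quote followed by a SQL comment marker.
CRAFTED = "MARKER' --"

def demo():
    weak, hard = make_db(), make_db()
    rename_item_concat(weak, "1", CRAFTED)   # WHERE clause is commented out
    rename_item_param(hard, "1", CRAFTED)    # value is stored as plain text
    return titles(weak), titles(hard)

if __name__ == "__main__":
    print(demo())
```

In the concatenated version one request rewrites every row, which is how a single injectable page can put the same markup on every page rendered from that table; the parameterized version changes only row 1.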

C++ Example Program

Posted in C++ on April 26, 2008 by msbasic

Here is an example program in C++ I made just for showing xD!

//This is an example C++ Program
#include <cstdlib>   // system()
#include <iostream>
using namespace std;

int main ()
{
  cout << "This is a C++ Program";
  // Windows only: wait for a key press without printing the prompt
  system("pause >nul");

  return 0;
}

This is the output:

C++ Output

Remember this is a simple program… This is very very basic.

IFrames Graph

Posted in Virus info on April 25, 2008 by msbasic

A graphic of IFrames infection =).

IFrames

IFrames Attacking!!!

Posted in Virus info on April 24, 2008 by msbasic

New good news coming! A new vulnerability is made to infect the Internet, here are more details:

Nowadays it is usually taken for granted that we can only get infected if we visit malicious websites or run files coming from untrustworthy sources. However, lately we have detected several cases in which, by exploiting vulnerabilities in the web servers, malicious code can be introduced into the websites hosted on them.

Therefore, we might come across trustworthy websites which contain malicious code introduced by a cyber-crook.
The following is one piece of code we found introduced in certain websites:

IFrame

JSCode

This malicious piece of web code, known as an iframe, contains instructions that will be interpreted by the browser, redirecting it to a website or to the download of a malicious file.

In this particular case, the user will be redirected transparently to a URL which will check if our system is protected against certain vulnerabilities. If any vulnerability is found, our computer will get infected with malware.

These are some of the vulnerabilities exploited to install malware in our computer:

MS06-014 Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

MS07-033 Cumulative Security Update for Internet Explorer

MS07-055 Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

This implies that even when browsing safe websites, we can come across legitimate web pages whose code has been previously modified in order to infect our computer.

New Member

Posted in Virus info on April 21, 2008 by msbasic

There's a new member in H4x0r13d, unixrange. He is going to help on trojans… his YouTube account is www.youtube.com/unixrange -> I’m making a members page right now

-MSBasic

MSNworm.EI Detected!

Posted in Virus info on April 19, 2008 by msbasic

Name: W32/MSNworm.EI.worm
Threat Danger Level: Medium
Type: Worm
Effects: Its main objective is to spread via MSN Messenger and affect as many computers as possible. Additionally, it downloads the backdoor detected as IRCBot.BWB to the affected computer.
Platforms: Windows 2003/XP/2000/NT/ME/98/95
Detected on: April 12, 2008

Technical Details:

The main objective of MSNworm.EI is to spread via MSN Messenger and affect as many computers as possible.

Additionally, it downloads the backdoor detected as IRCBot.BWB to the affected computer.

The variants belonging to the IRCBot family are designed to connect to several IRC servers and receive remote control commands, such as downloading files, updating themselves and sending information about the computer, among others.

MSNworm.EI spreads via the instant messaging program MSN Messenger. In order to do so, it follows the routine below:

The user receives an instant message which contains a file.
When the file is run, the following image is displayed:

Additionally, it downloads a copy of the worm to the affected computer.
MSNworm.EI sends this message to all the contacts that are active at that moment.

MSNworm.EI creates the file REP38_D.EXE, in the subfolder Local Settings\Temp of the Documents and Settings directory of the user that has logged in.

This file belongs to the backdoor detected as IRCBot.BWB.

MSNworm.EI is 103,380 bytes in size and it is compressed with Nullsoft Installer.

If you have any questions about other viruses or any malware, please contact us @ Dietrevers@gmail.com

D4rkw0rm 2.5.2.14 BETA

Posted in Virus info on April 19, 2008 by msbasic

This worm now opens an image and the w0rm!!! Its name is catfuncmp.jpg.exe and it opens an image with the title “catin_cmp.jpg” -> Malwarebytes found nothing -> AVG Anti Spyware found nothing xD!!

The next picture is the picture that d4rkw0rm opens:

The point is that the user must still have the file and let me enter the computer. It is really funny xD!
It will also open a CMD screen and close it ASAP when opening the w0rm (that CMD app has hidden attributes so you will not get the code in any manner, like going to the temporary folder and editing the file to get the code; it’s really hidden. It has viral codes for letting me enter the PC). I changed a hexadecimal signature code line to make the code hidden also and encrypt it. I’m going to (maybe) put a download link on the downloads section and a downloads section later, I will update this post saying the updates…

CheckMail 5.0.1

Posted in Downloads on April 18, 2008 by msbasic

CheckMail 5.0.1

CheckMail is a powerful POP3 email checking program which notifies you when you have received new email. It allows you to check all your email accounts for new messages and preview or delete them before downloading to your computer. It saves time and money by allowing you to delete unwanted or large emails directly from the server without downloading them. It supports custom notifications, multiple email accounts, sorting and filtering, and much more. It is completely secure and protected against viruses and other harmful email content.

Key Features

  • Unlimited number of POP3 email accounts
  • SSL support (e.g. for Gmail and other SSL enabled servers)
  • Supports replying, forwarding and sending new emails
  • Can act as a POP3 server by collecting emails of many accounts and storing them locally
  • Can act as an SMTP server by collecting all emails of a local network and sending them on schedule
  • Can be used as a complete mail server for local and remote accounts
  • Custom notifications for different emails/accounts/groups/etc.
  • Powerful sorting options for filtering spam
  • Absolutely immune to viruses and other harmful email content, because it will never start any attachments, scripts, programs, etc.
  • Many options for full customization
  • and much more…

http://rapidshare.com/files/107961311/CheckMail_5.0.1.www.cw-network.info.rar

Password: www.cw-network.info

Enjoy!

D4rkw0rm released!

Posted in Virus info on April 13, 2008 by msbasic

My worm is released, its effects are:

  • It has viruses in it and you can uncompress them when you are in the victim’s computer and execute them!
  • It is encrypted and compressed for the Anti-Virus to not detect it and let the people download it ASAP!
  • Connects to an online proxy to protect you and not share your IP
  • It lets you use a keylogger, capture screen, Remote Admin… and similar functions =)
  • Link: http://www.youtube.com/watch?v=yaNpxlMrqLg

    Download link is going to be here soon xD!