Wednesday, May 20, 2015

Bad Practice

I was surprised when I saw this one in some logs today. The smartphone application Parlor exposes your username and password in the HTTP URI through their API, plain as day. These are what we like to call "easy wins", as they require no effort to find in standard event logs and no digging through the frames of PCAP files. Here is a screencap of the HTTP field:


Be careful when signing up for some of these applications on your smartphone; you never know what is exposed.
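To show how a leak like this surfaces in ordinary access logs, here is an added Python example (not from the original post, and not tied to any real application's API): it parses constructed combined-format log lines, pulls the request URI, and reports credential-bearing query parameters with the secret values masked. The parameter-name lists and the sample log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that should never travel in a URI. Both sets are
# assumptions for this example; extend them to match the apps in your logs.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token", "api_key"}
ACCOUNT_PARAMS = {"username", "user", "login", "email"}

# Request field of an Apache/nginx combined log line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def find_credentials_in_uri(log_line):
    """Return [(param, value)] for credential-bearing query parameters in one
    access-log line. Secret values are masked so the finding does not re-expose
    them; account identifiers are kept so the affected account can be reset."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    found = []
    for name, value in parse_qsl(urlsplit(m.group("uri")).query, keep_blank_values=True):
        key = name.lower()
        if key in SECRET_PARAMS:
            found.append((name, "*" * len(value)))
        elif key in ACCOUNT_PARAMS:
            found.append((name, value))
    # A bare username in a URI is not a leak; only report when a secret is present.
    return found if any(n.lower() in SECRET_PARAMS for n, _ in found) else []

def scan_log(lines):
    """Return (line number, client IP, method, findings) for each leaking line."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        hits = find_credentials_in_uri(line)
        if hits:
            client = line.split(" ", 1)[0]
            method = REQUEST_RE.search(line).group("method")
            report.append((lineno, client, method, hits))
    return report

# Constructed sample lines in combined log format (not real traffic). The POST on
# the last line sends credentials in the body, which access logs do not record.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2015:09:14:02 -0400] "GET /api/v1/login?username=alice&password=Hunter2%21&device=android HTTP/1.1" 200 512 "-" "ExampleApp/1.0"
10.0.0.7 - - [20/May/2015:09:14:05 -0400] "GET /api/v1/feed?page=2&user=alice HTTP/1.1" 200 2048 "-" "ExampleApp/1.0"
10.0.0.9 - - [20/May/2015:09:14:09 -0400] "POST /api/v1/login HTTP/1.1" 200 512 "-" "ExampleApp/1.0"
""".splitlines()
if __name__ == "__main__":
    for lineno, client, method, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} {method} leaked {hits}")
```

Only the first line is reported: the GET carries the credentials in the URI, while the POST keeps them in the request body, which is exactly why moving them out of the URI stops them landing in every server, proxy and browser log along the path.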

Indicators - Geodo Malware Part 3

Since the last two updates I have collected a few more indicators, and I have decided to make an indicator page. I didn't want to create a tracking page, as there is a much better resource for that; rather, I wanted to create a list of indicators that I have found. Below are a few new additions that I will be adding to the new Geodo indicator list; there are no new C2 servers or user-agent strings.

Link to the Geodo indicator page.

Threat Name: Geodo

File Download Locations:

These are live malware files; download with caution.


Further Reading:

rebus snippets

Tuesday, May 12, 2015

Indicators - Geodo Malware Part 2

I have some more Geodo/Feodo indicators for you since yesterday's posting. If this keeps up, I will make a page dedicated to Geodo indicators similar to the one I created for the Houdini RAT.

Threat Name: Geodo

File Download Locations:

These are live malware files; download with caution.


VirusTotal File Analysis:

9049.exe

Command and Control Servers:

Request Method: POST


Enjoy! Look out for a new indicator list for this malware.

Monday, May 11, 2015

Indicators - Geodo Malware

I have been seeing an influx of Geodo malware and have compiled some data on finding this infection on your network.

Threat Name: Geodo

File Download Locations:

These are live malware files; download with caution.


VirusTotal File Analysis:


Command and Control Servers:

Request Method: POST


User-agent Strings:

I have yet to determine if these are unique to the malware or not, so please be careful using them to block and/or detect malicious network traffic. If anyone has any more information on these, then please leave a comment.

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)

Further Reading:

Geodo Tracker - website dedicated to tracking all Geodo information. The owner of the site has a blog as well, which is well worth reading.
Hybrid Analysis Results - sandbox analysis results for the executable inside the zip file listed above.