Stream of Bits
Jan 22, 2012
Operation Megaupload by Anonymous

I guess everyone should know that the US has shut down one of the world's largest online file hosting sites, Megaupload. The owner of the site, Mr. Kim Dotcom, and some of the staff have been caught. If you want to know more about the incident, you can read more here:
Megaupload.
The famous online hacktivist group Anonymous came out with an operation named #OpMegaupload in order to fight back for Megaupload. They took down many famous sites such as the FBI, US Justice, etc. So, how did Anonymous take down those famous sites? The FBI, possible? The answer is very simple! Yes, possible, and the attack they launched is called DDoS. If you want to know more about the attack, you can read more at
DDoS. The attack can be visualized using the picture below:

In order to launch a successful DDoS attack, Anonymous needs to pass through two phases. The first phase is recruitment and the second phase is intrusion. In the recruitment phase, Anonymous needs to recruit members to join their attack. The more members they have, the more successful the attack will be. The members they recruit are called zombies.
How did they recruit members (zombies) in the past?
When an operation is announced, the operation is given a name and the target of the attack is announced too. This message is passed around the world. Whoever is willing to join the attack needs to download and run this tool,
LOIC. This tool is written in C# and it is very easy to use: insert the target URL and attack. A kid who gets the message can run this tool and take part in the operation to shut down the target. What this tool does is just browse to the target site and keep refreshing it. Imagine 20 thousand members taking part in this operation; the result of the attack is pretty devastating!
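How a flood of this kind shows up on the defending side, as an added example that is not part of the original post: a small Python script that parses web-server access logs and flags both a single client hammering a page and a crowd of clients hitting one path inside the same short window, which is what a tool that "keeps refreshing the target site" looks like in the logs. The log lines are constructed for the example and the thresholds are illustrative assumptions, not figures from the post.

```python
"""Rate-based detection of page-refresh floods in web server access logs.

Added example, not code from the original post. Log lines are constructed;
thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def flood_sources(lines, window=timedelta(seconds=10), per_ip_limit=20):
    """Clients whose peak request count inside any `window` exceeds per_ip_limit.

    Returns {ip: peak_count}. A sliding window over each client's sorted
    timestamps finds the densest burst, so a short LOIC-style hammering is
    caught even if the client's hourly average looks ordinary.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            by_ip[ip].append(ts)

    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > per_ip_limit:
            offenders[ip] = peak
    return offenders


def distributed_targets(lines, bucket=timedelta(seconds=10), min_clients=5):
    """Paths requested by at least min_clients distinct IPs inside one bucket.

    Returns {path: max_distinct_clients}. This is the crowd-sourced case: each
    participant may stay under the per-IP limit, but the number of distinct
    sources converging on one URL in a short interval is the tell.
    """
    clients = defaultdict(set)  # (path, bucket index) -> set of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path = parsed
            idx = int(ts.timestamp() // bucket.total_seconds())
            clients[(path, idx)].add(ip)

    hot = {}
    for (path, _), ips in clients.items():
        if len(ips) >= min_clients:
            hot[path] = max(hot.get(path, 0), len(ips))
    return hot


# ---- constructed sample log (RFC 5737 documentation addresses) ----
_T0 = datetime(2012, 1, 22, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, seconds, path="/"):
    ts = _T0 + timedelta(seconds=seconds)
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_line("203.0.113.7", s, "/news") for s in (0, 30, 60)]                    # normal visitor
    + [_line("198.51.100.9", i * 0.2) for i in range(25)]                      # one client, 25 hits in 5 s
    + [_line(f"198.51.100.{n}", s) for n in range(10, 16) for s in (100, 101)]  # 6 clients, same page
)

if __name__ == "__main__":
    print("per-client floods:", flood_sources(SAMPLE_LOG))
    print("crowd targets:", distributed_targets(SAMPLE_LOG))
```

Both checks are needed: the per-IP window catches a lone LOIC user, while the distinct-client count per path catches the recruited crowd, where every participant individually looks harmless.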
How do they recruit members (zombies) in #OpMegaupload?
In this operation, Anonymous is getting smarter! Whoever is willing to take part in the operation no longer needs to download and run LOIC. Instead, they can just browse to this page and insert the URL.
IF YOU ARE ASKED TO JOIN THE ATTACK #OpMegaupload, PLEASE SAY NO! IT IS ILLEGAL!
Many people are taking part in this operation because of its simplicity and whatever other reasons you can think of. This action resulted in famous sites such as the FBI, US Justice, etc. being shut down.
Becoming part of the operation and taking down the FBI is cool, right? Hell no! Please wake up, because this is illegal and you might get caught!
In conclusion, please ignore the invitation and stay out of all these illegal operations! If you think that you are part of the solution, think again! You are not part of the solution, but part of the problem!
Be safe!
Dec 14, 2011
Halifax Phishing Scam
I received an email from a bank called Halifax, which is located in the United Kingdom. Obviously, since I am not a resident of the United Kingdom, I would not have an account with them. The email is telling me that my account has been suspended.

In the email, there is an attachment. The attachment is a plain HTML file. I opened up the HTML file and the phishing attempt could be confirmed instantly.

The form is asking for a lot of information, including username and password. If these two pieces of information are given out by the victim, it's a gone case!
By reading the source code of the HTML file, it can be concluded that the stolen credentials are sent to "bellville.com.br/images/Image.php".

Doing some reconnaissance on the site, it turns out to be an e-commerce site from Portugal. After messing around with the web application, I was able to gain access to the underlying operating system. Oops!

I read through the malicious file, "Image.php". It is just the same old technique: collect the information from the form and send it to the malicious hacker.
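A way to triage an attachment like this without rendering it, as an added example (not code from the original post): the script parses the HTML with Python's standard library, lists every form with the host its action posts to and the fields it collects, and marks a form suspicious when credential-looking fields are sent anywhere other than the brand's own domains. The HTML sample is constructed to resemble the attachment described here (it reuses the post's Image.php destination), and the Halifax domain list is an assumption.

```python
"""Triage of an HTML phishing attachment: where does the form send credentials?

Added example, not code from the original post. The HTML below is constructed
to resemble the attachment described (destination reused from the post); the
brand domain list is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field names that typically carry a credential or account secret.
CREDENTIAL_HINTS = ("user", "pass", "pin", "memorable", "secur", "card", "account")
# Input types that carry no user-typed data.
NON_DATA_TYPES = {"submit", "button", "image", "reset", "hidden"}


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and user-supplied fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            itype = (a.get("type") or "text").lower()
            if itype not in NON_DATA_TYPES:
                self._form["fields"].append((a.get("name") or a.get("id") or "", itype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def action_host(action):
    """Host a form action posts to; '' for a relative action."""
    if action.startswith("//"):
        action = "http:" + action
    if "://" not in action:
        return ""
    return (urlsplit(action).hostname or "").lower()


def is_credential_field(name, itype):
    n = name.lower()
    return itype == "password" or any(h in n for h in CREDENTIAL_HINTS)


def on_brand(host, brand_domains):
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def analyze(html, brand_domains):
    """One finding per form. A form is suspicious when it asks for credential
    fields and posts them off-brand; a relative action inside a mail attachment
    has no trusted origin at all, so it is treated as off-brand too.
    """
    p = FormCollector()
    p.feed(html)
    findings = []
    for f in p.forms:
        host = action_host(f["action"])
        cred = [n for n, t in f["fields"] if is_credential_field(n, t)]
        findings.append({
            "action": f["action"],
            "method": f["method"],
            "host": host,
            "credential_fields": cred,
            "suspicious": bool(cred) and not (host and on_brand(host, brand_domains)),
        })
    return findings


# Constructed sample resembling the attachment: bank branding, off-site action.
SAMPLE_HTML = """<html><body>
<img src="https://www.halifax.co.uk/logo.png">
<form method="post" action="http://bellville.com.br/images/Image.php">
  Username: <input name="username" type="text">
  Password: <input name="password" type="password">
  Memorable information: <input name="memorable_word">
  Card number: <input name="cardnumber">
  <input type="submit" value="Continue">
</form>
<form action="/search"><input name="q"><input type="submit" value="Go"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_HTML, ["halifax.co.uk"]):
        print(finding)
```

The verdict rests on one observation the post makes by reading the source: the form's destination host. A bank's own login form never posts to a third-party .php on someone else's domain, so the action host plus the presence of password-type fields is enough to classify the attachment without ever opening it in a browser.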
Oct 4, 2011
iPhone 5
Everyone is excited about the release of the new iPhone 5 from Apple. Various sites on the Internet are posting fake updates and pictures of the iPhone 5, especially sites from China. Obviously, that information and those updates are fake. In fact, there is no iPhone 5, only the iPhone 4S.
F-Secure posted an interesting article a few days ago about spammers starting to send out malicious emails targeting users. The spam email obviously contains fake information about the latest iPhone 5. Inside the spam email, there is also an attachment. The attachment contains a malicious executable file.
This is a nice trick to infect a large number of innocent users. The spammers know that users around the world are very curious and excited to know the latest updates on the Apple iPhone 5. Users might just download the attachment, thinking that it is some document file or picture.
In order to perform the analysis, I got myself the malicious executable file.

Based on this malware tracking site, it seems the malware was released to the Internet as early as May 2011. The malware is hosted on 7 different hacked servers. Surprisingly, most of the hacked servers are still serving the malware now.
I downloaded a copy of the malware to my machine. The malware author is trying to make use of a double extension to trick users into executing the malicious executable file. This is how the malware looks on my desktop.

Most home computers have the "show file extensions" functionality turned off on Windows. In fact, that is the default setting on all Windows computers. Therefore, this malicious executable file will look like a GIF file to most home users.
If users execute the malware, a picture will be displayed to them.

Users might feel disappointed after looking at the picture because this iPhone is fake. This iPhone is fat and I guess nobody likes this kind of iPhone. At this point, the malware is doing a lot of work in the background.
A folder "Cookies" will be created at "C:\Windows\Temp" and all the malicious files will be written into this folder. All the malicious files will be hidden from the user.

The file "catchme.bat" will be executed first by the malware. This is the content of "catchme.bat".

"catchme.bat" first runs "temporarly.reg". This is the content of "temporarly.reg". It is a simple registry file.

"temporarly.reg" simply adds some keys to the registry so that "daemon.exe" will be run automatically, without any user interaction, after a restart.
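Two of the tricks above, the double extension and the Run-key persistence written by the .reg file, can be checked mechanically. The following Python is an added example, not the post's own code or the malware's: it reports what Explorer would display for a double-extension filename when extensions are hidden, and parses a .reg file to list the commands it registers under the Run-family keys. The filename and the .reg text are constructed for the example (the post does not show the real contents of "temporarly.reg"; only the folder and the daemon.exe name come from it).

```python
"""Triage helpers for the two tricks above: double extensions and .reg autoruns.

Added example, not the post's code. The filename and the .reg text are
constructed for this example; the post does not show the real temporarly.reg.
"""
import re

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf"}
DECOY_EXTS = {"gif", "jpg", "jpeg", "png", "bmp", "pdf", "doc", "txt", "avi", "mp3"}


def double_extension(filename):
    """Return (displayed_name, real_ext) for decoy.ext.exe style names, else None.

    displayed_name is what Explorer shows with "Hide extensions for known file
    types" enabled (the Windows default): the final, real extension is dropped.
    """
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DECOY_EXTS:
        return filename[: -(len(parts[2]) + 1)], parts[2]
    return None


# Run-family autostart keys; other persistence locations are out of scope here.
AUTORUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE
)
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def autorun_entries(reg_text):
    """List (key, value_name, command) for string values under Run-family keys.

    reg_text is the decoded .reg content; files exported by Windows are usually
    UTF-16LE, so read them with encoding="utf-16".
    """
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not AUTORUN_KEY_RE.search(key):
            continue
        m = VALUE_LINE_RE.match(line)
        if not m:
            continue
        name, value = _unescape(m.group(1)), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            entries.append((key, name, _unescape(value[1:-1])))
    return entries


# Constructed sample: an autorun pointing at the dropped daemon.exe, plus an
# unrelated key that must be ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"daemon"="C:\\Windows\\Temp\\Cookies\\daemon.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Installed"=dword:00000001
"""

if __name__ == "__main__":
    print(double_extension("iphone5_picture.gif.exe"))
    for key, name, cmd in autorun_entries(SAMPLE_REG):
        print(f"{key}\\{name} -> {cmd}")
```

A mail gateway or download scanner can apply the first check to attachment names before the user ever sees the icon; the second is the kind of thing to run over any .reg file a dropper writes, since an executable under C:\Windows\Temp registered in a Run key is exactly the persistence this sample sets up.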
"catchme.bat" then runs "daemon.exe". "daemon.exe" is an
IRC bot that the malware uses to connect to a few IRC channels. The IRC bot will silently connect to one of these IRC channels and obtain instructions from the bot master.

In fact, the connections to these various IRC channels were logged by Wireshark. This is the proof of the connections.

From the picture, the IRC bot was trying to connect to a Class A public IP address, 94.125.182.255, most of the time. According to the WHOIS record, this particular IP address is from Hungary and it resolves to ircu.atw.hu. More information can be found here:
WHOIS Record.
I tried to connect to that IP address, but it seems that particular IP address is down. Too bad!
There are some interesting files that I want to show. This is one of the files that was written to the folder by the malware, "fullname.txt".

Here is another one, "away.txt". It looks like a chat log to me. Somebody is angry in this conversation.

Here is another one, "remote.ini". Do you notice the username, passwords and channel?

Finally, the infected computer becomes an IRC bot. The computer will automatically connect to one of the IRC servers owned by the malicious hacker to obtain new instructions. For your information, the instructions are always bad. The malicious hacker can also connect back to the infected computers to steal sensitive data such as usernames, passwords, personal pictures, credit card numbers, etc.
Be safe people!
Aug 31, 2011
CIMB Bank Again?

I received an email from my friend and it was a phishing email targeting CIMB customers. My friend received so many phishing emails; did this indirectly tell me that my friend was a rich man? I should plan to rob him soon. Seriously, there were so many phishing emails targeting CIMB customers recently. Anyway, this was the content of the email:

By reading through the content of the email, I felt that it was so fake. A security advisor of a big / popular bank will send you an email for this little / small / unimportant matter? Funny! Ridiculous!
I clicked on the link inside the email and it brought me here:
This was the main page of the CIMB phishing site. For your information, CIMB Bank has changed the design of their site. The legit site does not look like this anymore. Obviously, this was fake!

I threw in a random username and password and it brought me to this page. It was asking me for my email address and email password. I didn't remember CIMB Bank ever asking for an email address and email password when I was performing online transactions.

I threw in a random email and password and it brought me to this page. It was asking for a TAC code.

The page was asking me to key in the TAC code.

I entered some random TAC code and it brought me to the logout page.

I visited the original site and the site looked really fungly. It was an e-commerce site in Poland. All the words and sentences were written in Polish and I did not understand any of them.


The site was so ugly, right? Now for the moment of finding out how the malicious hacker hacked into the site. After conducting some reconnaissance on the site, I found that there were indeed a few serious vulnerabilities on the site. I took advantage of the first vulnerability and got into the control panel of the site.



I was in big trouble because I did not understand Polish. I spent some time exploring the site. It was really a pain in da ass! I took advantage of the second vulnerability and successfully gained access to the web server.

These were all the phishing pages.

In order to prevent anyone from falling for the phishing page, I planned to remove the malicious pages from the site.

After I removed the malicious pages from the site, the site was officially clean.

I re-visited the malicious site again; it was gone!

I did some analysis of the malicious code. All the usernames and passwords from the innocent victims will be sent to these 2 email addresses, which belong to the malicious hacker.

Be safe people! Amen!
Jul 27, 2011
CIMB Hacker Got Busted

It had been a long time since I received any new phishing emails. I missed the time spent investigating the tracks left behind by the malicious hackers. I missed the time spent investigating the methods used by the malicious hackers to gain unauthorized access to the web server. I missed the time spent digging out information about the malicious hackers. I missed the time spent reporting the malicious attempts to the authorities.
Today, as usual, I opened up my Hotmail to check my emails. I received a new email from CIMB Bank. The first thing that appeared in my mind was that this was a phishing email and I shouldn't click on it. These were the contents of the phishing email:

The phishing email was saying that there were suspicious activities occurring in my personal bank account. This trick might work if applied to normal users because they are not aware of phishing attacks. Therefore, I planned to dig deeper into the hole to find out more information about the attack. I clicked on the link supplied by the malicious hacker in the phishing email. It brought me to this nice-looking, legit-seeming website.

This was the first page of the phishing site. The site looked completely legit, but only according to the old design. The new design of the web interface does not look like this anymore. This is the new design of the web interface:
CIMB Bank. I entered some dummy data into the form and it led me to the page below:

The page was asking for 2 important pieces of information from the victims. The page needed the victims to key in "Last 4 digits of ID number" and "Mother Maiden Name". Why did the malicious hacker need these 2 pieces of information? The answer was very easy: the malicious hacker can key in both pieces of information on the "Recover Password" page if they want to recover the victim's password. I keyed in some dummy data and the website brought me to the next page. This was how it looked:

When the victim reached this page, it also meant that the malicious hacker had already obtained the victim's credentials, such as username and password. The malicious hacker would log into the bank account of the victim and request the TAC code on behalf of the victim. In a few minutes, the TAC code would be sent to the victim's mobile phone. This page had a timer and it would redirect the victim to a new page.

The new page required the victim to enter their TAC code. If the victim did not enter the TAC code into this page, that meant the bank account was still partially safe. This is because without the TAC code, the malicious hacker cannot transfer out the money. If the victim entered the TAC code into this page, it can be concluded that the victim was doomed! After the victim entered the TAC code, the victim would be redirected to this particular page:

The victim would be automatically logged out from the page after they entered the TAC code. This was how the phishing site worked!
I did not want to stop at this stage; I planned to get closer to the malicious hacker. I visited the original website where the phisher was hosted and this was how it looked:

It was an e-commerce site from Australia selling all kinds of emu oils. Seriously, I did not have any knowledge about emu oils. I did some research on the domain and I got some information about the owner:

The information showed that the owner of the site was Mr. Thomas Carol. The email and address were there as well. I did not know whether Mr. Thomas Carol knew that his site had been hacked by the malicious hacker and that the site was now being used by the malicious hacker to serve a phishing site.
I did some vulnerability assessment on the website and found a way to gain unauthorized access to the web server. I am quite certain that the malicious hacker was using this particular way as well. Therefore, I exploited the vulnerability on the website and successfully landed in one of the directories. I was lucky, and I had landed in the directory where the phisher was hosted.

All the pages that made up the phisher were hosted in this directory. I downloaded all the pages so that I could do some code analysis in the future. I continued to move around the file system and I found a zip archive that contained the phisher.

I downloaded the zip archive from the directory as well. After that, I moved to the "public_html" folder to gather more information. This was how "public_html" looked:

This directory was the most interesting one because it contained a lot of sensitive information such as the password to the site, PayPal, database files, etc. This was a nice place to gather information.
At this stage, it was also possible to gain unauthorized access to the backend MySQL database. This was how it looked:

The malicious hacker keys in the username and password and access to the MySQL backend database is granted. One question here: where can I get the username and password for the MySQL backend database? The answer was very easy: if you are a seasoned PHP programmer, you will know that the username and password are hard coded into the PHP scripts. Therefore, the malicious hacker just needs to read through all the PHP scripts until he / she successfully gets the username and password. In this case, the data inside the MySQL backend database will not be shown here because this was an e-commerce site and the database contained sensitive data. :)
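The same read-only review of the PHP sources, done by the site owner before an intruder gets to do it, finds the hard-coded credentials the paragraph above describes. The following scanner is an added example, not the post's code: it walks PHP files for password-like variables, define() constants and literal passwords passed to mysql_connect() or PDO, and reports file, line and a redacted value. The PHP files, hosts and credentials it scans are constructed for the example.

```python
"""Scan PHP sources for hard-coded database and API credentials.

Added example, not the post's code. The PHP files, hosts and passwords below
are constructed for the example.
"""
import re

# Constructed sample tree: {relative path: source}.
SAMPLE_FILES = {
    "public_html/config.php": """<?php
$db_host = 'localhost';
$db_user = 'shopadmin';
$db_pass = 'Summer2011!';
$link = mysql_connect($db_host, $db_user, $db_pass);
""",
    "public_html/inc/paypal.php": """<?php
define('PAYPAL_API_PASSWORD', 'pp-secret-abc');
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'root', 'r00tpw');
""",
    "public_html/index.php": """<?php
require 'config.php';
$title = 'Welcome';
""",
}

SECRET_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api_?key|token)"
PATTERNS = [
    # $db_pass = '...';  /  $apiKey = "...";
    ("variable", re.compile(r"\$\w*" + SECRET_NAME + r"\w*\s*=\s*(['\"])(?P<v>.*?)\1", re.I)),
    # define('DB_PASSWORD', '...');
    ("define", re.compile(r"define\(\s*(['\"])\w*" + SECRET_NAME + r"\w*\1\s*,\s*(['\"])(?P<v>.*?)\2", re.I)),
    # mysql_connect($host, $user, 'literal password')
    ("mysql_connect", re.compile(r"mysql_connect\(\s*[^,]+,\s*[^,]+,\s*(['\"])(?P<v>.*?)\1", re.I)),
    # new PDO($dsn, $user, 'literal password')
    ("pdo", re.compile(r"new\s+PDO\(\s*[^,]+,\s*[^,]+,\s*(['\"])(?P<v>.*?)\1", re.I)),
]


def redact(secret):
    """Keep the first two characters so a finding can be matched to its source."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_source(path, source):
    """Return (path, line_no, pattern_name, redacted_secret) per matching line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m and m.group("v"):
                findings.append((path, line_no, name, redact(m.group("v"))))
                break  # one finding per line is enough
    return findings


def scan_files(files):
    """Scan a {path: source} mapping, e.g. built with os.walk over the web root."""
    findings = []
    for path, source in files.items():
        findings.extend(scan_source(path, source))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} -> {value}")
```

Every hit is a credential that anyone with read access to the web root (or a file-read or upload bug in the application) can lift, so the follow-up for each finding is the same: move it to a configuration file outside the document root with restrictive permissions, rotate the password, and give the web application's database user only the privileges the shop actually needs.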
This was a Linux server. I moved to the root directory and this was how it looked:

I did not search through all these directories because there were too many of them and I just got lazy. Anyway, I tried to help the site owner secure his site, but there were just too many PHP scripts to go through. So, urrggghh, just fuck it!
I reported the phishing page to the Google team and hoped that they could take down the phishing site as soon as possible.

Finally, I did some code analysis on the phishing pages and found this piece of interesting information:

Can you spot something nice in the picture above? Yes, this was where all the credentials went! I suspected that the malicious hacker was an Indian, but I am not being racist here!
The effective way to prevent phishing attacks is user awareness. Please look at the URL to make sure that you have landed on the right / legit site.
See ya! Peace!