Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Tuesday, February 16, 2010

Olympics 2010 news ending up with Malware

Recently I covered how malware authors use Blackhat SEO poisoning to distribute malware to unsuspecting victims. Since then, I have been closely monitoring the news trends, and this time the bad guys are targeting searches related to the Vancouver 2010 Olympic games.

Tragedy struck at the Olympic games Luge (ice racing) event, when a 21-year-old athlete, Nodar Kumaritashvili, died during a practice session on Friday. Apparently a video of live footage spread across YouTube and other news channels like wildfire.

The IOC moved quickly to take the Luge crash videos off the Internet thus increasing the popularity of this search even further as those not glued to early coverage were desperate to get news on the Luge crash. The bad guys were quick enough to capitalize on this and started poisoning the search results with a lot of “bad” links.

Normally I find just a couple of links poisoned on the first page, but this is the first time I saw more than 6 to 7 bad links on the first page of the Google search result itself!

LugeCrash_Search

Once you click on the poisoned link, you are presented with a YouTube-like video loading screen which then displays an “ActiveX object missing” error.

LugeCrash_ActiveX

If you click on any of the buttons above, a downloader Trojan gets installed on your PC which then downloads more malware. Unlike last time, where it appeared that the machine was being scanned by AV, here it's a “missing video object” that is used to convince an unsuspecting victim to download the malware.

I am not sure why Google is not removing the bad links from their searches as they did last time when Valentine's Day searches were getting poisoned results. This just shows that the bad guys are getting better with every new tragedy that happens out there.

I would advise caution for all the readers who are trying to search for latest news videos out there. Do not click or install anything that claims to be a missing video codec or object.

99.9% of websites require only Adobe Flash Player to be installed in order to play streaming videos. If you find a website that is not playing a video, just find another link that works with Flash! And in case Flash is not installed, go and install it from Adobe's website rather than from the site which is hosting the video.

Wednesday, February 3, 2010

Trojan using MS SQL ??

Well, it's my first post in 2010 :) … rather late, apologies for that.

Recently I came across a Trojan sample that actually connects to a database server and runs some SQL commands! This is the first time I saw something like this.

Normally, Backdoors and other malware use HTTP interfaces (POST/GET commands) to talk to their command servers, but in this case the malware was talking directly to the Microsoft SQL Server using standard DB commands on TCP port 1433.


After looking around for details on this Trojan, I realized that this malware was one of the components that a variant of Zbot downloads.  Not many AV vendors detected this malware sample.

Once executed, the Trojan attempts to connect  to dbsq0002.whservidor.com on TCP port 1433. I don’t exactly speak TDS (Tabular Data Stream) format but from the looks of it, it tries to access “estargames1” DB and then executes the following SQL command -

SELECT * from TBL_002 where localizador = A0D23C2E

If the Query does not return any results, it goes ahead makes an entry into the database using -

INSERT into TBL_002 (localizador,data,horas) VALUES ('A0D23C2E', '2/3/2009', '11:09:29 AM')

The string “A0D23C2E” appears to be random and keeps changing with every infection.
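The behaviour described above, a workstation speaking TDS straight to a Microsoft SQL Server on the internet, is easy to spot in egress logs. The following is an added detection example, not code from the original post; it assumes a constructed firewall log format and treats only RFC 1918 and loopback destinations as internal.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log lines (not traffic captured for the post).
# Assumed format: date time ACTION PROTO src -> dst:port host=<resolved name>
SAMPLE_LOG = """\
2010-02-03 11:09:29 ALLOW TCP 10.0.0.15 -> 203.0.113.40:1433 host=dbsq0002.whservidor.com
2010-02-03 11:09:31 ALLOW TCP 10.0.0.15 -> 10.0.0.5:1433 host=sql01.corp.local
2010-02-03 11:10:02 ALLOW TCP 10.0.0.22 -> 93.184.216.34:80 host=example.com
2010-02-03 11:10:07 ALLOW TCP 10.0.0.15 -> 198.51.100.9:443 host=update.example.net
"""

MSSQL_PORT = 1433
# Destinations inside these ranges are treated as in-house SQL servers (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) -> "
    r"(?P<dst>[^:]+):(?P<port>\d+) host=(?P<host>\S+)$"
)

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into named fields; raise on an unknown layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return m.groupdict()

def find_external_mssql(log: str) -> List[Dict[str, str]]:
    """Return entries where an internal host opens TCP/1433 to a non-internal address.
    Connections to internal SQL servers are ignored; anything else is the
    direct-to-database beacon pattern the post describes."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP" or int(rec["port"]) != MSSQL_PORT:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_external_mssql(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['host']} ({h['dst']}) on TCP/{MSSQL_PORT}")
```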

Now the fact that someone cares to install a Microsoft SQL database on its standard port, open to the internet, is really funny! :) Makes me wonder what the exact intention of this malware is – is it some online gaming server, as the name suggests, or is the malware author trying to track the infections of its Trojan??

Drop me a comment if you have more info on this !