SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-10-13

AV Phone Scan via Fake BSOD Web Pages

Published: 2015-10-13
Last Updated: 2015-10-14 10:37:04 UTC
by Xavier Mertens (Version: 1)
4 comment(s)

A few days ago, I found a malicious website that tries to lure visitors by simulating a Microsoft Windows Blue Screen of Death (BSOD) and popping up error messages in the browser. This is not a brand new attack but it remains in the wild. For a while, we saw "Microsoft engineers" calling people to warn them about an important problem with their computer (I blogged about this last year). In this case, it is different: the computer itself warns the user about a security issue, and users trust their computer! The following URL (it changes depending on the ongoing campaign) is accessed by the browser and:

  • Displays a fake BSOD
  • Displays constant JavaScript pop-up messages containing technical information about a process failure
  • Plays an MP3 with a female voice asking you not to reboot your computer and to call a provided toll-free number

The URL also contains many parameters which, I presume, help the attacker identify the victim and adapt the social engineering scenario to the browser, location, etc. Here is an example of such a URL:

hxxp://makeitfaster.website/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643&os=Windows&domain=&isp=Wz%20Communications%20inc.&state=Florida&city=Miami&ip=<redacted>&tracking=vwwlv.voluumtrk.com&browser=Opera&browserversion=Opera%2020&voluumdata=vid..00000000-54a7-440a-8000-000000000000__vpid..7d250800-6905-11e5-8dee-e0e7be81898c__caid..0f72fd0a-3507-4370-bf5c-21f9b8cd7643__rt..H__lid..4c4a0d7d-d78e-48aa-9f68-f2dd9d51c91b__oid1..4dedcb41-feee-41c5-a0fd-ed93f8447dbc__oid2..13034530-ab85-4189-adbf-aea214fb4794__var1..2821__rd..astoob\.\org__aid..__sid..&source=2821&clickid=

The domain was registered in July 2015 (whois details) and the index page loads an index.js file containing obfuscated JavaScript. Here is the decoded content:

<table width="904" height="645" border="0" align="center" cellpadding="2" cellspacing="2">
<tbody><tr>
<td height="631" bgcolor="#000093"><div align="center" class="style1">
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style6">&nbsp;</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">PLEASE CONTACT MICROSOFT-CERTIFIED TECHNICIANSS</p>
<p class="style2">BSOD: Error 333 Registry Failure of operating system - Host :<br>BLUE SCREEN ERROR 0x000000CE</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br><script>document.write(var_number);</script></p>
<p class="style4">To Immediately Rectify issue to prevent Data Loss</p>
</div></td>
</tr>
</tbody></table>
<audio autoplay="autoplay" loop>
<source src="gp-msg.mp3" type="audio/mpeg">
</audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://link.everythingfastagain.link/click/2">.</a></div>

Note the link to the MP3 file, which can be played as is (the link is a safe copy available from my blog). Interestingly, the phone number displayed in the message is customized; in my tests, I received different numbers:

  • (855) 348 1197
  • (888) 725 1202

It was too tempting to call them. I picked the first one and reached a call center playing professional recorded messages ("your call may be monitored and recorded", "your call is very important to us"). After waiting for a few minutes, I spoke to a human guy (without Indian accent!) who presented himself as working for a premium technical support service for computers. I explained my problem to him ("It seems that my computer is infected by a virus") but he was not able to help me!? I did not test the second number but it has already been reported as malicious by other people.

This is not a brand new attack but it can scare non-technical people. I also found that, since June 2015, Emerging Threats has provided rules to detect this in their open rule set:

# grep "Fake AV Phone Scam" emerging-current_events.rules |awk 'match($0, /sid:[0-9]+/) { print substr($0, RSTART, RLENGTH)}'
sid:2021177
sid:2021181
sid:2021182
sid:2021183
sid:2021206
sid:2021207
sid:2021256
sid:2021255
sid:2021258
sid:2021285
sid:2021286
sid:2021287
sid:2021288
sid:2021294
sid:2021295
sid:2021357
sid:2021358
sid:2021359
sid:2021365
sid:2021366
sid:2021367
sid:2021368
sid:2021447
sid:2021448
sid:2021449
sid:2021500
sid:2021522
sid:2021811
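As an added example (not code from the diary or from Emerging Threats), here is a Python content-level check built from the traits visible in the decoded page above, plus a parser for the victim-profiling parameters in the landing URL. The sample HTML and URL are constructed stand-ins with placeholder hosts, and the indicator names and the threshold of three co-occurring indicators are my own choices.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: a cut-down copy of the decoded fake-BSOD page shown in the
# diary, with the hidden-link domain replaced by a placeholder.
SAMPLE_HTML = """
<p class="style5">0x000000CE DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS</p>
<p class="style4">WINDOWS HEALTH IS CRITICAL<br>DO NOT RESTART</p>
<p class="style4">Please contact microsoft-certified technicians Toll Free at:<br>
<script>document.write(var_number);</script></p>
<audio autoplay="autoplay" loop><source src="gp-msg.mp3" type="audio/mpeg"></audio>
<div style="height:1px;width:1px;"><a style="height:1px;width:1px;" href="http://tracker.example/click/2">.</a></div>
"""

# Constructed sample landing URL in the shape of the diary's one (placeholder host/values).
SAMPLE_URL = ("hxxp://fake-bsod.example/blut924/?campaign=0f72fd0a-3507-4370-bf5c-21f9b8cd7643"
              "&os=Windows&domain=&isp=Example%20ISP&state=Florida&city=Miami&ip=REDACTED"
              "&browser=Opera&browserversion=Opera%2020&source=2821&clickid=")

# Page-content indicators of a fake-BSOD tech-support page. None is proof on its own;
# the combination (stop code + "do not restart" + phone lure + looping audio) is.
INDICATORS = {
    "bsod_stop_code": r"\b0x0000[0-9A-F]{4}\b",
    "do_not_restart": r"DO NOT (?:RESTART|REBOOT)",
    "support_phone_lure": r"certified technicians.{0,80}toll\s*free",
    "scripted_phone_number": r"document\.write\(\s*var_number\s*\)",
    "autoplay_looping_audio": r"<audio\b(?=[^>]*\bautoplay)(?=[^>]*\bloop)[^>]*>",
    "one_pixel_hidden_link": r"<a\b[^>]*height:\s*1px;\s*width:\s*1px[^>]*\bhref=",
}
COMPILED = {name: re.compile(rx, re.I | re.S) for name, rx in INDICATORS.items()}

def fake_bsod_indicators(html):
    """Names of the indicators present in the HTML, in table order."""
    return [name for name, rx in COMPILED.items() if rx.search(html)]

def is_fake_bsod_page(html, threshold=3):
    """Flag a page only when at least `threshold` independent indicators co-occur."""
    return len(fake_bsod_indicators(html)) >= threshold

# Parameters the campaign uses to profile the victim (names taken from the diary's URL).
PROFILING_KEYS = ("campaign", "os", "domain", "isp", "state", "city", "browser", "browserversion", "source")

def tracking_parameters(url):
    """Pull the victim-profiling parameters out of a landing URL (defanged hxxp:// is fine).

    Blank values such as domain= are kept so an analyst can see which fields
    the campaign tried to fill in but could not.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k in PROFILING_KEYS}
```

Running `tracking_parameters(SAMPLE_URL)` shows how much geolocation and browser context the page receives before the social engineering even starts, which is why blocking the landing domain alone is a weak control.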

I recorded a small video of the web page.

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be


October 2015 Microsoft Patch Tuesday

Published: 2015-10-13
Last Updated: 2015-10-13 17:37:02 UTC
by Alex Stanford (Version: 1)
3 comment(s)

Overview of the October 2015 Microsoft patches and their status.

Columns for each bulletin: Affected, Contra Indications - KB, Known Exploits, Microsoft rating(**), ISC rating(*) for clients and servers.

MS15-106 Cumulative Security Update for Internet Explorer (Replaces MS15-095)
  Affected: Internet Explorer
  CVEs: CVE-2015-2482, CVE-2015-6042, CVE-2015-6044, CVE-2015-6045, CVE-2015-6046, CVE-2015-6047, CVE-2015-6048, CVE-2015-6049, CVE-2015-6050, CVE-2015-6051, CVE-2015-6052, CVE-2015-6053, CVE-2015-6055, CVE-2015-6056, CVE-2015-6059
  KB: 3096441
  Known exploits: None
  Microsoft rating(**): Critical (Exploitability: 1,1,4,1,2,1,1,1,4,1,2,4,1,1,2)
  ISC rating(*): clients Critical / servers Important

MS15-107 Cumulative Security Update for Microsoft Edge (Replaces MS15-094, MS15-095, MS15-097, MS15-098, MS15-101, MS15-102, MS15-105)
  Affected: Microsoft Edge
  CVEs: CVE-2015-6057, CVE-2015-6058
  KB: 3096448
  Known exploits: None
  Microsoft rating(**): Important (Exploitability: 3,3)
  ISC rating(*): clients Important / servers Important

MS15-108 Remote Code Execution in JScript and VBScript (Replaces MS15-066)
  Affected: JScript / VBScript on Windows 2008 and Vista
  CVEs: CVE-2015-2482, CVE-2015-6052, CVE-2015-6055, CVE-2015-6059
  KB: 3089659
  Known exploits: not listed
  Microsoft rating(**): Critical (Exploitability: 4,4,4)
  ISC rating(*): clients Critical / servers Important

MS15-109 Remote Code Execution in Windows Shell (Replaces MS15-088, MS15-020)
  Affected: Windows Shell
  CVEs: CVE-2015-2525, CVE-2015-2548
  KB: 3096443
  Known exploits: None
  Microsoft rating(**): Critical (Exploitability: 1,4)
  ISC rating(*): clients Critical / servers Important

MS15-110 Remote Code Execution in Microsoft Office (Replaces MS15-036, MS15-046, MS15-070, MS15-081, MS15-099)
  Affected: Microsoft Office
  CVEs: CVE-2015-2555, CVE-2015-2556, CVE-2015-2557, CVE-2015-2558, CVE-2015-6037, CVE-2015-6039
  KB: 3096440
  Known exploits: None
  Microsoft rating(**): Important (Exploitability: 2,4,4,2,3,3)
  ISC rating(*): clients Critical / servers Important

MS15-111 Elevation of Privilege Vulnerability in Windows Kernel (Replaces MS15-025, MS15-038, MS15-052, MS15-076)
  Affected: Windows Kernel
  CVEs: CVE-2015-2549, CVE-2015-2550, CVE-2015-2552, CVE-2015-2553, CVE-2015-2554
  KB: 3096447
  Known exploits: CVE-2015-2553 has been publicly disclosed.
  Microsoft rating(**): Important (Exploitability: 2,2,4,1,1)
  ISC rating(*): clients Important / servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be minimal on small organizations. However, these vulnerabilities may still be exploited in targeted attacks.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

Keywords: mspatchday

Adobe Updates Acrobat and Adobe Reader

Published: 2015-10-13
Last Updated: 2015-10-13 17:35:12 UTC
by Alex Stanford (Version: 1)
3 comment(s)

Adobe has released APSB15-24, which addresses 56 vulnerabilities: CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689, CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622, CVE-2015-7623, CVE-2015-7624.

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

Keywords: adobe
ISC StormCast for Tuesday, October 13th 2015 http://isc.sans.edu/podcastdetail.html?id=4695