Researchers warn of SCADA equipment discoverable via Google | InSecurity Complex – CNET News

“We’re making the same mistakes over and over again,” he said, adding that these at-risk networking components are doing more than they were designed to do.”

Source: Hackers take aim at prison locks and other real-world targets – CNN.com

• Pastebin.com is currently hosting dumps of keylogger associated with a infected version of Cyber-Shark
• Pastebin is used ito effectively subvert IDS and Antivirus heuristics
• Tested Cyber-Shark binaries have a 17% detection rate on virustotal.com
• Works on Windows 7, Vista, and XP, but has issues documented issues on Windows 7
• Infections started from March 2011 on, most active month was April

Backstory/History of Virus:

Around March of 2011 files of the format below began appearing on Pastebin.com and Pastebin.ca. An investigation into their contents revealed them to be a simple keylog dump of window titles and content typed into the window below the title. Pastebin had been turned into the dead drop for the exfiltraiton of user data from a malware infection.

[Mozilla Firefox]
(user-typed content, ie: passwords, email, chat transcripts)
[Program Manager]
[]
[Notepad]
[Hitman.exe]
vwwwwwwwaaaaaassssssaaddddddddddddddddwwwwwwaaaaaa[ENTER]

A sample keylog dump from Cyber-Shark

Moving through the many dumps, a pattern began to emerge where infected users had visited a popular hacking website and downloaded a tool known as “Cyber-Shark”. It appeared as though some unwitting downloaders had executed the payload after downloading the tool.

Cyber-Shark is a generator, a program that creates and compiles customized viruses for those that cannot program themselves (people usually referred to as “script kiddies” in the hacker community). As of now, there seems to be two versions of this tool in circulation — the original “Cyber-Shark” and a modified version called the “Zero Edition”, both seeming to have been made by a hacker known as Zero from Hackforums.net, a popular computer security website sometimes used to distribute malware to hackers.

Analysis of the two generators and the programs that they produced was done through Wireshark and a virtual machine running Windows 7 Ultimate Edition (32-bit).

The following generators were downloaded and tested:

Original — http://www.mediafire.com/?g019i1o9tgxowse (password is “ajkula”)
Zero Edition — http://www.mediafire.com/?ws4jnoajpkfh4mb

The original version was posted to hackforums.net around early March, as seen here and was making the rounds on smaller hacker websites by early May. Then in late March Zero posted an updated and more fully-featured version of the keylogger named “Zero Edition”.

It is around mid-March and especially April (a very active month for the keylogger it seems) that the earliest keylogs can be found on Pastebin. Since March, the number of keylog dumps has been enormous, grabbing hundreds of usernames and passwords which can be easily derived through with searches like “@gmail.com[TAB]”. Similar searches turn up dozens of Facebook logins, Orkut accounts, and AOL profiles.

The reason for the massive public dumps are due to the relatively primitive nature of the keylogger and the methods that it employs.

Analysis of Executables and Behavior Patterns:

Behavior Analysis of Malware Generators:

Neither of the Cyber Shark downloads are malware themselves (meaning there doesn’t appear to be any backdoor installed by the author). They only generate compiled malicious executables with user-supplied information. These programs leverage no exploits, choosing instead to pose as legitimate programs by using Icons and program names in a trojan attack vector.

Generated Malware Analysis:

Original Edition:

• Sends IP address, List of Programs, and Uptime
• Add Fake APIS
• Hide the File
• Fake Error on User execute
• Process Protection (Does not work on Windows 7)
• Install to temp path, 2 environment settings
• change executable name
• change sending interval
• username/password of hotmail to send to (not sent anywhere but hotmail)
• change executable information (like window title, description, ect…)
• Resolves Pastebin, whatismyip.com via DNS and grabs IP address (this is broken in both versions currently because the automated script has moved locations on the website)
• Sends IP address from whatismyip.com
• Pastes keylog as public paste to Pastebin and saves the URL to the paste
• Emails Computer Name, IP address from Whatismyip.com, and the URL of the Pastebin paste to specified user@hotmail.com over SSL SMTP (Hotmail only, must be valid or error occurs)

The Zero Edition:

• Executables survive restart
• Disable Regedit, cmd, and task manager (Does not work on Windows 7)
• Has gmail and hotmail send abilities (though only hotmail works)
• Has a list of software to steal passwords from
• Records uptime of computer
• Donate button (paypal account seems to be disabled)
• Has all Original Features (and bugs)

Both executables affect Windows 7, Vista, and XP, but Windows 7 is still able to kill the process even if marked “protected”, and the task manager information correctly identifies iit as a virus. Microsoft’s built-in malware detection even managed to detect it after a long time as “passwordFox” after it brought up enough UAC requests in rapid succession. As far as Antivirus evasion is concerned, this malware sample did quite well, with generated malware from either version only triggering at 17% detection rate at virustotal (www.virustotal.com).

Among the several bugs in the program (including showing crash dialogs in Windows 7 if any part of the program goes awry) is the inability to properly display non-ascii characters. This is unfortunate for the hackers since this malware seems to have a large non-English infected userbase according to the many Pastebin keydumps observed.

Pastebin Usage/Activity:

The malware is likely dumping information to Pastebin in order to evade both detection and blockage from firewalls and NAT that are commonly found within home and business networks. By using a HTTP POST request to a common, known-good website, the chances that the request will be blocked are greatly reduced. Even if the program cannot send the email identifying the computer and Pastebin URL, the Pastebin post should go through. This technique of using social media or web 2.0 sites and HTTP control has recently become the feature of choice among malware programmers and botnet operators.

In the past (June 2010) Pastebin has dealt with malicious scripts hosting and other keylog dumps to their website by removing them or blocking them from being posted. In time it seems likely that Pastebin will do the same thing here. A reccomended course of action for those who think that they may be infected in the meantime is to use a packet sniffer to determine if requests are being made at regular intervals to Pastebin.com or Pastebin.ca.

The UAC popup for dialup.exe that occurs before the email send process on Windows 7

The CyberShark in action

FusionX research conducted by Bryan Halfpap. Thanks to Robin Jackson (Twitter @rjacksix) of WT Forensics for helping to find and research this issue.