
Wednesday, March 1, 2017

Karthik Nagarajan, an actor and our author:

Karthik Nagarajan

Karthik Nagarajan is an actor, known for Yeto Vellipoyindhi Manasu (2012), Iru Mugan (2016) and Lightman (2017). He is also a life coach, keynote speaker and corporate trainer. Karthik has been highly successful with audiences across all industries and live event formats. Whatever the event, Karthik consistently delivers that one-of-a-kind factor, with a unique ability to give his audience energy, entertainment and inspiration in an expert manner. He also started a foundation called "The Solution Guy Foundation".


The Solution Guy Foundation was established to support financially underprivileged students with their educational needs. The Solution Guy Foundation collects funds to support the needs of the students by paying their fees and buying them books and dresses. They also conduct free seminars in and around the city of Chennai to empower students with valuable life skills, management skills and soft skills. That helps the students face the future with confidence.


His IMDb link: http://www.imdb.com/name/nm4941643/
The Solution Guy Foundation FB page: https://www.facebook.com/thesolutionguyfoundation/


Karthik Nagarajan in his film 'Lightman'

MD5 Collision:

MD5 collision is a very interesting topic in the field of cryptography. If you browse this topic you will find good research articles on the collision, and you will even be able to think about what the future holds. Very recently Google came up with a SHA-1 collision.





Google said: "We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed."
Here are some numbers that give a sense of how large scale this computation was:
• Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
• 6,500 years of CPU computation to complete the attack first phase
• 110 years of GPU computation to complete the second phase





Let's go back to our topic, MD5 collision:


d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89
55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b
d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70
and
d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89
55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b
d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0
e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70
Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4.


The pair above was found in 2005 by researchers from Shandong University in China.
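To check the pair above for yourself, here is an added Python example (not from the original post): it hashes both 128-byte messages, lists the byte offsets at which they differ, and shows that the collision survives any shared suffix while SHA-256 still tells the two apart. The suffix string used in the demo is a constructed value.

```python
import hashlib

# The two 128-byte messages quoted in the post (Wang et al., 2005), as hex.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
EXPECTED_MD5 = "79054025255fb1a26e4bc422aef54eb4"  # value stated in the post


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides(a: bytes, b: bytes, suffix: bytes = b"") -> dict:
    """Compare MD5 and SHA-256 of a+suffix against b+suffix.

    MD5 is a Merkle-Damgard construction: once the internal state collides
    after these two 64-byte blocks, any identical suffix keeps the collision
    alive. SHA-256 of the same inputs still differs."""
    return {
        "md5_equal": md5_hex(a + suffix) == md5_hex(b + suffix),
        "sha256_equal": sha256_hex(a + suffix) == sha256_hex(b + suffix),
    }


if __name__ == "__main__":
    print("MD5(A) =", md5_hex(MSG_A))
    print("MD5(B) =", md5_hex(MSG_B))
    print("differ at byte offsets:", differing_offsets(MSG_A, MSG_B))
    # constructed suffix: the collision is preserved, SHA-256 still differs
    print(collides(MSG_A, MSG_B, b"constructed trailing data"))
```

The six differing bytes each flip a single bit, which is why a colliding pair can be hidden inside two otherwise identical files; verify downloads with SHA-256, not MD5.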


        


We got two sets of executable files: one set for Windows and the other set for Linux.
MD5 for Windows file: cdc47d670159eef60916ca03a9d4a007
https://www.virustotal.com/en/file/1316543942a8c6cd754855500cd37068edbbd8b31c4979d2825a4e799fed6102/analysis/1488349995/
https://www.virustotal.com/en/file/60d13913155644883f130b85eb24d778314014c9479aedb5f6323bf38ad3a451/analysis/1488359868/




MD5 for Linux file: da5c61e1edc0f18337e46418e48c1290
https://www.virustotal.com/en/file/1c4ff4e490b15b2b214f26c5654decccbcbea9eb900f88649dc7b1e42341be56/analysis/1488350080/
https://www.virustotal.com/en/file/fad878bd261840a4ea4a8277c546d4f46e79bbeb60b059cee41f8b50e28d0e88/analysis/1488359933/

Post made by
newWorld

Comments for Explorer.exe in VirusTotal:

This post is kind of a random one. When we saw the legit explorer.exe file in VirusTotal (a popular online scanner for malware), it was flagged as clean (obviously clean, since it is a legit file).

The interesting part of this submission is the comment section. We saw a good number of comments that we would love to share here.


User1:
exe has been exploited by a variant of Trojan.backdoor and Trojan.VBS.Autorun. Should be considered malicious in this instance. Executable is legit by default and belongs to the Windows operating system; the trojan leaves little indication of its presence. Picked up in the wild, known to infect USB drives and spread through copying itself to USB, also picked up from malicious webpages; worm is usually dropped by the trojan after it gains entry. Tries to modify Regkey for SuperHidden to hide itself even if "see hidden files" is checked in settings. Also infects network drives and can spread through the network. Drops malicious code to any file it chooses on the file system, escalates privileges, deletes files. Not known to damage hardware, copies itself to the root of every disk volume, replaces autorun.inf file so that it loads next time volume is mounted. Manual removal recommendation: none; although most antivirus programs detect the worm itself and remove it, the damage created to the file system can not be fixed as easily. Recommendation for removal: full format with Windows disk, disconnect all devices from network, flush router, reset router, full reinstall on computers before connecting back to network. As with any worm of this type the risk for this infection is severe.

Additional Comments: Antivirus software is only an added layer of protection. When infected with backdoors and worms, the antivirus software may claim they are able to remove the threat (which in part is true); what they are not able to do is repair the damage that the infection has created. When a system has been backdoored, the attacker then usually creates multiple backdoors by exploiting legit Windows applications, along with creating new backdoors. Without being an NT/IT or having some other extensive knowledge about the Windows file system and operating system, it is very hard to find and fix each exploit. While the original infection may be gone, there may be new infections still hiding, or worse, while infected the attacker may have installed a rootkit, which is nearly impossible to fix with a simple antivirus program, as many advanced rootkits can call on and modify data at the kernel level. They can intercept and modify system calls directly, or use hooks to catch the calls and then replace them with their own. Most antivirus say they can find rootkits, but that is what we tend to call "OverHype". Most rootkits avoid antivirus scan detection because they can read when the call is sent to run the antivirus engine; the rootkit can then temporarily replace the infected files with the original files, try to delay or stop the engine itself, replace the scan results of the antivirus with previously logged scans of a clean system, when it was still undetected, etc.

Antiviruses should never be considered a safe solution for bad habits. Users need to be careful of what they do online; just because you have a good antivirus does not mean you are safe. Prevention is the best solution. In my honest opinion, detection is only good for future prevention. Once a worm or virus is detected, it can then be reverse engineered to see how it works and what it does. Once we know how it gains access and propagates, we can then find ways to restrict its access method, but for this to happen, someone/many someones will have to be infected first; then those someones will have to wait until either they show noticeable symptoms and start requesting help from online sources such as https://bleepingcomputer.com or other help stations by performing multiple scans with multiple tools to fully diagnose the issue, or someone with computer knowledge notices subtle changes and starts investigating. Both of these situations could take days, to weeks, to months, to years. Then waiting for Microsoft to create a security patch could take years. This is why prevention is the key.



User2:


Authenticode signature block and FileVersionInfo properties
Copyright© Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name EXPLORER.EXE
Internal name explorer
File version 6.1.7601.17567 (win7sp1_gdr.110224-1502)
Description Windows Explorer
Signature verification Signed file, verified signature
Signing date 8:16 PM 2/28/2011
Signers
Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 10:57 PM 12/7/2009
Valid to 10:57 PM 3/7/2011
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number 61 15 23 0F 00 00 00 00 00 0A
Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65    
   



User3:


https://virustotal.com/en/file/acc5b8c77bb11e758190f3d44bf60fa09fe93436a4498dca6a597f52fc290c88/analysis/

https://virustotal.com/en/file/4da8e2b990ea518e19be92062bce2ea7a4a4f94faf605f7ef02aa5c29a13f72a/analysis/

https://virustotal.com/en/file/2742ff3417bc70fc799b1ce2700307e1f4b870ca5b1a15cdcde39dcd857bfacc/analysis/

https://virustotal.com/en/file/6bed1a3a956a859ef4420feb2466c040800eaf01ef53214ef9dab53aeff1cff0/analysis/

https://virustotal.com/en/file/f9c00757c1965dd8bc152e7d2bf1c4286f233923246c48fe344fc93462e94c99/analysis/         
 





Post made by
newWorld

Tuesday, February 21, 2017

Malicious IP analysis

We don't know whether the following IP address is malicious or not: 103.224.212(.)222
How do we proceed with our analysis?
Possible approach: try a search in VirusTotal.
We got no one flagging it.
VT link: https://www.virustotal.com/en/url/8982272eaf4d679b32716bcbef0d86183e251e4abd49b16547d800d93e42d7c7/analysis/1487660842/
Detection: 0/65.
Additional info:
Quttera- https://quttera.com/sitescan/103.224.212.222
Sucuri- https://sitecheck.sucuri.net/results/103.224.212.222



Possible approach: try it in IPVoid or URLVoid.
In this case, IPVoid is our option since we are dealing with an IP address. We got three results as blacklisted.

IP Address Information

Analysis Date: 2017-02-21 03:53:30
Blacklist Status: BLACKLISTED 3/83
IP Address: 103.224.212.222
Reverse DNS: lb-212-222.above.com
ASN: AS133618
ASN Owner: Trellian Pty. Limited
ISP: Trellian Pty. Limited
Continent: Oceania
Country Code: (AU) Australia
Latitude / Longitude: -33.494 / 143.2104
City: Unknown
Region: Unknown





Possible approach: try a search in ThreatCrowd.
Now we found plenty, and it points to two malicious files.
ThreatCrowd link: https://www.threatcrowd.org/ip.php?ip=103.224.212.222
First file: https://www.threatcrowd.org/malware.php?md5=c98dc3be0c7fa850ad1a3161c3f8014a
MD5: c98dc3be0c7fa850ad1a3161c3f8014a
Filename: _b4c61441.tmp
VT link: https://www.virustotal.com/en/file/f42542c789a3d02513b0b031ab6ed1c7e5d0a476ea3e8c0b58e3a5c947a8867d/analysis/
Detected as potentially unwanted application / adware.

Second file: https://www.threatcrowd.org/malware.php?md5=e8e956637f36a97f251746016be22c30
MD5: e8e956637f36a97f251746016be22c30
Filename: diaiomjykaxu.exe
VT link: https://www.virustotal.com/en/file/56f64a3d7bb651b2f70b690e06be05ceab2a74eb147a12e13641b82eb0b5a5c3/analysis/
Detected as ransomware Locky / TeslaCrypt filedecoder.
Another possible approach is a simple Google search:
We found the following URL-
It says that the IP belongs to Locky ransomware.


Recommendation

It is advised to block this IP address in the firewall, and also to add it to the blacklist for future verification. If you find this IP address in your network logs (any connection established with it), there is a higher chance of a ransomware infection in the network. It is advised to follow the general recommendations for a ransomware infection.


We will see the analysis of those two files in a future post.
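As an added example (not part of the original post) of the log check in the recommendation above: this Python script refangs the address written as 103.224.212(.)222, scans firewall log lines for internal hosts that reached it, and combines that with the reputation figures quoted in the post (VT 0/65, IPVoid 3/83, two ThreatCrowd malware files) to give a block-or-monitor verdict. The log format, the internal host addresses and the log lines themselves are constructed assumptions.

```python
import ipaddress
import re

# The indicator exactly as the post writes it (defanged).
DEFANGED_IOC = "103.224.212(.)222"

# Reputation figures quoted in the post, as (source, flagged, total); the
# ThreatCrowd count is the two malware files it linked to the address.
REPUTATION = [("VirusTotal", 0, 65), ("IPVoid", 3, 83)]
THREATCROWD_FILES = 2

# Constructed firewall log lines (assumed key=value format, fake internal hosts).
SAMPLE_LOG = """\
2017-02-21T03:50:12Z src=10.0.5.21 dst=103.224.212.222 dport=80 action=allow
2017-02-21T03:50:13Z src=10.0.5.21 dst=192.0.2.10 dport=443 action=allow
2017-02-21T03:51:40Z src=10.0.7.8 dst=103.224.212.222 dport=443 action=allow
2017-02-21T03:52:02Z src=10.0.9.3 dst=103.224.212.222 dport=80 action=deny
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=(?P<action>\w+)$")


def refang(ioc: str) -> str:
    """Turn '103.224.212(.)222' (or the '[.]' style) back into a checked address."""
    addr = ioc.replace("(.)", ".").replace("[.]", ".")
    return str(ipaddress.ip_address(addr))  # ValueError if it is not an IP


def contacts(log_text: str, ip: str) -> dict:
    """Internal hosts with an allowed connection to ip, and how many each made."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["dst"] == ip and m["action"] == "allow":
            hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits


def verdict(reputation, linked_malware: int, hosts: dict) -> str:
    """A 0/65 on one scanner is not a clean bill: block if any source flags
    the address or malware has been seen talking to it."""
    flagged = any(n > 0 for _, n, _ in reputation) or linked_malware > 0
    if not flagged:
        return "monitor"
    if hosts:
        return "block and investigate " + ", ".join(sorted(hosts))
    return "block"


if __name__ == "__main__":
    ip = refang(DEFANGED_IOC)
    hosts = contacts(SAMPLE_LOG, ip)
    print(ip, hosts, verdict(REPUTATION, THREATCROWD_FILES, hosts))
```

Denied connections are left out of the host list on purpose: a blocked attempt still deserves a look, but an allowed session is the one that can have delivered a payload.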


Post created by
newWorld

Monday, February 20, 2017

Analysis of suspicious pdf

SWIFT CONFIRMATION.pdf – this PDF file looks suspicious. It came in for analysis, and we started to look into the code.


MD5: 524BAE85DB8BA5E6B161BC52D5B34113


(I searched this MD5 in VirusTotal, where it was uploaded to VT just 7 hours back, when I am writing this post. Clean result. Zero detection.)


This PDF sample connects to the following URLs:
hxxp://tinyurl.com/jy69pnw
hxxp://bit.ly/2bPBbCF
hxxps://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1

All these URLs are suspicious.
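As an added example (not the original analysis), the following Python extracts /URI actions from raw PDF bytes, defangs them the way the post writes them, and flags the traits seen in this sample: URL shorteners, a direct link to a .scr executable and a forced-download query. The embedded PDF fragment is constructed to carry the three URLs above; it is not the real SWIFT CONFIRMATION.pdf, and the shortener and extension lists are assumed starting points.

```python
import re
from urllib.parse import urlsplit

# Constructed PDF fragment (not the real sample): one open action and two link
# annotations carrying the three URLs quoted in the post.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (http://tinyurl.com/jy69pnw) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://bit.ly/2bPBbCF) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF literal string: /URI ( ... ) with backslash escapes allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
SHORTENERS = {"tinyurl.com", "bit.ly"}            # assumed list, extend as needed
EXECUTABLE_EXT = (".scr", ".exe", ".js", ".vbs")  # assumed list


def extract_uris(pdf: bytes) -> list:
    """Return every /URI string found in raw PDF bytes, with \\( and \\) unescaped."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        out.append(raw.decode("latin-1"))
    return out


def defang(url: str) -> str:
    """Write URLs the way the post does so they cannot be clicked by accident."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://")


def triage(url: str) -> list:
    """Reasons a URL deserves a closer look, matching what the post observed."""
    parts = urlsplit(url)
    reasons = []
    if parts.netloc.lower() in SHORTENERS:
        reasons.append("shortener hides final destination")
    if parts.path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("links directly to an executable")
    if "dl=1" in parts.query.split("&"):
        reasons.append("forces direct download")
    return reasons


if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print(defang(uri), "->", "; ".join(triage(uri)) or "no flags")
```

Real PDFs often keep link annotations inside compressed object streams, so run this on the decompressed objects (a PDF parser can inflate them) and treat an empty result on raw bytes as inconclusive, not clean.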


 


 


Execution of the pdf:

I executed the PDF file and attached the screenshot below:

They masked the content and ask us to view it on Adobe online. Again this follows the Dropbox link and leads to downloading the file named swift confirmation.scr.

(View on Adobe is linking to the Dropbox URL)


Conversion of shortened URL to long URL:

hxxp://tinyurl.com/jy69pnw  -  hxxp://www.childrenshomeinternational.org/https/PDF/cancel.htm

(Searched for that in Google; it goes to VirusTotal results - https://www.virustotal.com/en/url/10298ea7f52ad85cc4e2fe5ac36d8fcae679c1e4d9a9c23b18f845e54f977614/analysis/ - flagged as malicious site)


 


hxxp://bit.ly/2bPBbCF  -  hxxp://www.pdfupdatersacrobat.top/website/indexy.html




Finally we got the Dropbox link:


hxxps://www.dropbox.com/s/nsuquv0bs5fv4s3/Swift%20Confirmation.scr?dl=1


Downloaded the swift confirmation.scr file by accessing that Dropbox link in a controlled environment on a different network.



It is an executable file and not a regular .scr file. Pretty suspicious.


Version info:



It looks like it contains a digital signature, and the version info says the file belongs to Samsung Electronics Co. Ltd.
The digital signature does not match; just check the snapshot below:



 
All these properties suggest the file is suspicious. Let’s dive more into the code level:
We checked the compiler information, and it says Microsoft Visual Basic 5.0 / 6.0. The file is a packed one.


  
