May 14 2013

Camouflaging behind banks to spread virus

Published under Security Research

Hackers impersonating banks to send spam emails and cheat users is becoming more frequent every day. The two latest victims are big banks: HSBC and Citibank.

Picture 1: Spam email disguised as coming from HSBC

Picture 2: Email impersonating HSBC

Besides attaching the virus (an executable file with a Word, Excel, PDF, etc. icon, or an Office file exploiting vulnerabilities), the hackers do not forget to fake the bank’s note at the end of the mail to make it “look real”.

When the attachment is opened, the virus immediately infects the computer, then connects to its control servers and receives commands. It also silently collects browser cookies and sends them to the hackers to steal the user’s bank accounts, emails, etc.

Users receiving similar emails are advised to be vigilant about their attachments. To be safer, you can run the files with the Safe Run feature of Bkav Internet Security.

Pham Hoang Dat

Malware Researcher


May 11 2013

Virus propagating via Facebook Chat – New form

Published under Security Research

Viruses propagating via Facebook Chat have recently been increasing at a surprising rate. Hackers’ latest trick is to exploit online file-sharing services to make their malicious links look more trustworthy.

Taking advantage of Facebook Chat to spread viruses is not new. However, after a period of silence, these viruses have suddenly resumed spreading quickly.

Previously, the links used were often strange and unfamiliar to users, like http://5.k2[removed].su or http://1.8[removed]34.su. Lately, hackers have begun using user-friendly websites such as mediafire.com, 4shared.com, etc. These are all popular, trusted file-hosting sites. They are trusted because files are checked by antivirus software such as BitDefender before being uploaded. Besides, users have long been familiar with sharing and downloading files from mediafire.com or 4shared.com. Therefore, they are much more likely to click on the hackers’ links.

Picture 1: A malicious link spread via Facebook Chat

Normally, to download a file from sites like mediafire.com, users have to follow a link such as http://www.mediafire.com/?v8yvp0f9ix8572x, see the web interface and click Download.

Understanding this, the hackers invested in purchasing a mediafire.com account that allows direct downloading of the virus file, so the web interface no longer appears. This means the virus is downloaded to the user’s machine with just one click.

The downloaded virus is named the way a normal computer user names his files, and uses familiar images (landscapes, models, folders, Word files, Excel files, and so on) as its icon. In fact, it is an executable file.

Once executed, the virus waits for the user to log in to Facebook, then automatically chats with their friends, sending them messages containing malicious links. Users shouldn’t worry: even if you have downloaded the virus, your machine remains safe as long as you haven’t opened it.

Users are advised to make a habit of staying vigilant when clicking on a link or executing a program: verify the link’s origin or the downloaded file’s content first. With Facebook Chat, you just need to chat with your friend and ask about the content they sent.

Pham Minh Dat

Malware Researcher


May 11 2013

Malware bypassing anti-DDoS mechanism of CloudFlare appears

Published under Security Research

Table of Contents

1 Overview

2 IUAM: Simple but effective

3 War declarer Win32/DoS.OutFlare.A

4 CloudFlare’s answer

5 Conclusion


1 Overview

As you may know, DDoS (Distributed Denial of Service) attacks overload computer or network systems so that they can no longer provide services, or even stop operating. The server is overwhelmed by a huge number of connection requests, so users fail to access services on websites under DDoS attack.

Of course, there are many products and services that aim to help network administrators fight this kind of attack. CloudFlare is one of them:

“CloudFlare protects and optimizes websites. If your website belongs to the CloudFlare network, all connections to it are optimized to help users easily browse your site and experience the apps there. Besides, CloudFlare blocks threats and illegal connections to economize on bandwidth and resources.”

Our main character today is Win32/DoS.OutFlare.A, a malware that can successfully bypass CloudFlare’s anti-DDoS mechanism.

Before studying this malware’s operation, let’s look over CloudFlare’s anti-DDoS mechanism.

2 IUAM: Simple but effective

CloudFlare’s anti-DDoS mechanism, named “I’m Under Attack Mode” (IUAM), is quite simple. When the web server receives the first connection request from a client, instead of instantly responding with the requested content as usual, it returns a challenge page. This page requires the browser on the client’s machine to perform a small calculation written in JavaScript and send the result back to the server. If the result is correct, the web server returns the requested content together with a cookie (cf_clearance) to ensure that future connections from that client are not checked with the challenge page again.

Challenge page

A simple but surprisingly effective mechanism for fighting attacks on the network’s application layer: connection requests that are not launched from browsers cannot run JavaScript to do the calculation.

The JavaScript requires the client’s browser to do a simple calculation

The cf_clearance cookie string confirms that the client is using a browser

3 War declarer Win32/DoS.OutFlare.A

Win32/DoS.OutFlare.A operates like other malware: it automatically starts together with Windows, connects to an IRC server (domain 7.xxx.lt) on TCP port 9835 and joins the #main channel. The malware then waits there for commands to perform common DoS behaviors. In the command list we can see a strange string, “cf” (does this string have any link with CloudFlare?).

Tracking this string leads us to special code for bypassing CloudFlare’s IUAM anti-DDoS mechanism.

First, the malware sends an HTTP GET request to connect to the website. When the challenge page with the JavaScript is sent back, it parses the page’s HTML content to find the expression.

The code for finding and doing the calculation

Upon finding the expression, a function is called to parse its syntax and do the calculation.

Next, the malware sends the result to the server.

If successful, the web server returns the requested content and the confirming cookie, which the malware saves.

So, naturally, the malware’s bypass mechanism is as “simple but effective” as the IUAM mechanism CloudFlare devised to fight DDoS attacks.

4 CloudFlare’s answer

Win32/DoS.OutFlare.A was first discovered on February 8, 2013. After only 5 days, CloudFlare succeeded in patching the weakness, and its CEO published a blog post about the issue and the enhancements.

How did CloudFlare respond so quickly?

Basically, CloudFlare did not change its anti-DDoS mechanism, which still requires the client’s browser to do a JavaScript calculation. The change is a new value added to the returned result, determined via functions that calculate the length of the JavaScript. Working out this value requires actually running the JavaScript, and it is difficult to parse the syntax for the calculation.

CloudFlare adds a new calculation string


5 Conclusion

It has always been a tense race. During this race, new and strange techniques are continually added. Sometimes a simple technique shows amazing performance, just as CloudFlare’s has. And we, the users, benefit from systems that are continually upgraded and secured.

Pham Cong Hieu

Malware Researcher


Apr 23 2013

Mobile users’ cash robbed by DJ.Activity

Published under Security Research

DJ.Activity camouflages itself as an app that provides porn content. In fact, right after this fake app is run, the virus silently sends messages to premium-rate service numbers to take money out of the user’s account.

Picture 1: DJ.Activity camouflages itself as an app providing porn content

The malware spreads mainly via spam emails with “SexyVideoPro.apk” attached, playing on users’ curiosity to dupe them into installing the app. To hide from mobile network providers and avoid the service numbers being blocked, DJ.Activity does not hard-code the message-receiving numbers; instead it switches among the numbers via a control server, mobile18x.info.

Picture 2: The service numbers are switched over via a control server

Bkav experts have decoded the config of the virus’ control server and found that the number currently in use is 8777. This number charges users 15,000 VND per message, which is not small at all.

To determine whether your phone is infected with this critical malware, you can download Bkav Mobile Security (from Google Play or from http://mobile.bkav.com) and scan your device.

To protect your phone against such malware, it’s advisable not to install apps that were not downloaded from Google Play, especially ones attached to emails or downloaded from links in messages.

Nguyen Cong Cuong

Senior Malware Researcher


Apr 19 2013

How does W32.Facesy.Trojan steal Facebook password?

Published under Security Research

My last article described in detail the hacking scenario used by the hackers. However, you may wonder how hackers can change a user’s password when they do not know the old one. Is this a new Facebook vulnerability?

In the past, Facebook once urgently patched a critical vulnerability that allowed hackers to change a user’s password without knowing the current one. This made me think of a similar hole when I began analyzing Facesy. However, after careful analysis, it turned out that Facesy uses an interesting method: an add-on, not a vulnerability.

W32.Facesy.Trojan, a virus that uses a Chrome add-on, has the ability to take control of and steal Facebook accounts.

The focal point of its method is tricking users into installing an add-on for the Chrome browser (the script was described in the last article). This add-on injects code into the Facebook login page. This code takes the value of the password box, then requests that the Facebook server change the password.

Consequently, when users log in to Facebook with Chrome and view the page’s source code (using F12), it is possible to recognize the difference in the red-crossed area: that is the HTML code injected by the virus. The interface still looks as usual; however, the source code has been changed with the aim of stealing the account.

To take the user’s password, W32.Facesy.Trojan has to wait until the user enters the password in the page injected with the code (as above), then it uses JavaScript to take the account and password values from the login page. Once the user logs in successfully, it takes the access token with the necessary parameters. It uses these parameters to send an AJAX message to Facebook’s server to change the password:

“fb_dtsg=AQBfQ-Aq&password_strength=2&password_old=MatKhauCu&password_new=MatKhauMoi&password_confirm=MatKhauMoi&__user=100001758964913&__a=1&__dyn=798aD5z5CCU&__req=6&phstamp=1658166102814565113181”

Note that the login request and the password change use the HTTPS protocol, so an add-on is the best choice for stealing the data and sending the request.

If you are a victim, you should quickly use Facebook’s password reset feature via email to regain control of your account. At the same time, you should remove the add-on named Google Chrome Guncelle before malicious links fill your Wall.

If you cannot access the Chrome extensions page (Options → Tools → Extensions), you should enable showing hidden files and delete suspicious <Extension ID> folders at the following paths:

On Windows 7: C:\Users\<Current user>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<Extension ID>\

On Windows XP: C:\Documents and Settings\<Current user>\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\<Extension ID>\

For safety, users should not click on poisonous links or untrusted articles with sensational content. Currently, W32.Facesy.Trojan injects into Chrome; however, it could spread to any browser.

Pham Minh Dat

Malware Researcher
