Lloyds Bank "PCI DSS" Malware

In common with the Facebook scam post earlier we don't usually bother blogging about malware and phishing emails as they're usually handled well by companies and are pretty common.. this email was a bit more interesting.

Had an email from Lloyds Bank <pciportal@lloydsbankcardnetpcidss.com> entitled PCI DSS Compliance Programme:

Looks pretty legit.. PCI too, that's a security thing isn't it!  The attachment looked like this:

So PDF icon with a .scr suffix. That's a Windows screensaver file which will run the code the same as a .exe when it's double clicked (for our younger viewers).

Basically it's a known piece of malware with reasonable detection according to Virus Total:

Interesting all the same, obviously targeted at business rather than end user targets. Be vigilant!

Trend Micro File Harvesting

Going back a year or two we blogged about Microsoft's SmartScreen filter sending potentially sensitive file information to Microsoft's servers who download files after they've been downloaded by Internet Explorer.  If you're putting super-secret-file.zip on a server for someone you probably don't want anyone else coming along and hoovering that up!

We've recently become aware that some versions of Trend antivirus products do exactly the same..

Forbes Cracked Passwords from Feb 2014

Did a really quick analysis of the Forbes password hashes leaked by the Syrian Electronic Army earlier. From the 1,071,734 password hashes that hashcat recognised as WordPress, 2713 were cracked in about 30 minutes.

There were no switches, GPUs, rules or anything used.. I just used the unedited top 25 passwords taken from the top 10,000 list published by Mark Burnett (xato.net). -> blog post here

The results show that 975 people have 123456 as a password.. some things never change! Top 25 cracked hashes follow:

fully@SQ:~/hc$ cat forbescracked.txt|cut -d : -f 2| sort|uniq -c|sort -r -n
    975 123456
    534 password
    159 qwerty
    147 12345678
    146 abc123
    111 111111
     75 letmein
     66 monkey
     64 baseball
     62 1234567
     50 shadow
     35 michael
     32 jordan
     31 dragon
     29 superman
     29 master
     28 mustang
     28 football
     25 harley
     23 jennifer
     22 696969
     21 12345
     18 1234
      2 2000
      1 pussy

Microsoft Windows Unquoted Service Path Exploit

It's been over a year since this Windows issue has had credentialed checks available in Nessus and it showed up again on a recent test. If you're not aware of the issue http://www.commonexploits.com/unquoted-service-paths/ has a great writeup and is referenced in the associated Nessus plugin (Nessus plugin ID 63155)

In a nutshell this vulnerability is due to some Windows paths for services in the registry not being "enclosed with quotes". Believe it or not but when Windows sees the following: C:\Program Files\Test App\app.exe it tries to run the executable like this:

C:\Program.exe
C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe

On the Common Exploits blog Daniel has given us a handy command to check for vulnerable services:

C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:

CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto

Metasploit has a privilege escalation module to take advantage of this but I couldn't find a simple standalone way of showing a proof of concept for this issue.  Taking the easy option and copying cmd.exe to the path fails to execute as it is not a proper Windows service application, we decided to write our own service to demo this!