Interesting crypto paper:
Reconstructing
the Cryptanalytic Attack behind the Flame Malware
Fillinger, Maximilian Johann
This paper is analyzing this algorithm the authors of the Flame malware (2012) used an MD5
collision to forge a Windows code-signing certificate.
It claims that complexity of the MD5 attack used to fake RSA
certificate signatures as used in Flame
was approximately 2^46 - 2^49 of MD5 operations.
It is surprise that it is not (dramatically) faster than the other
known solutions as it was originally expected.
So it is contrary to original speculations on it using some backdoor
in MD5 or some NSA special intelligenco on MD5 not known to public
:).
------------------------------------
Just to recap history of attacks to MD5:
1996 - collisions found in the compression function of MD5 (and rest
of the MD family)
2004 - identical prefix collision - Wang et al. - 2^40 operations
2005 - identical prefix collision - Wang
and
Yu - 2^39 operations
2005 - identical prefix collision - Vlastimil Klima -
2^33 operations
2006 - identical prefix collision -Marc
Stevens - 2^32 of MD5
2006 - identical prefix collision - Peter
Selinger - code published based on Wang et al. 2^39 operations
2007 - identical prefix collision - Mark
Stevens - 2^25
2007 - choosen prefix collision - Mark
Stevens,Arjen K. Lenstra, and Benne de Weger - 2^49 operations
2008 - identical prefix collision - Xie et al. - 2^21
operations
2009 - identical prefix collision - Mark
Stevens - 2^16 operations
2009 - choosen prefix collision - Mark
Stevens,Arjen K. Lenstra, and Benne de Weger - 2^39 operations
2010 - single block collision - Tao Xie, Dengguo Feng
- 2^47 MD5 operations
2012 - single block collision - Mark
Stevens - 2^50 operations
2013 - single block collision - Tao Xie, Fanbao Liu,
Dengguo Feng - 2^41
Sites related:
http://marc-stevens.nl/research/
http://www.win.tue.nl/hashclash/
http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/
2014-01-24
2014-01-16
Cridex malware
Third party analysis:
- 2014-01-20 - Abuse.ch introducing Feodo (Cridex) tracker
- 2014-01-16 - MalwareMustDie - pastebin
- 2014-01-16 - Chip - Vodafone, Telekom: Phishing mit falscher Rechnung
- 2014-01-16 - Mimikama - Trojaner warnung Vodafone online rechnung
- 2014-01-17 - MalwareMustDie - Cridex Fareit Infection
- 2013-01-07 - x1a0ran - malware analysis worm cridex
The cridex malware is being spread across german speaking countries with a phishing emails traying to convince the receivers that there is a bill to pay - from vodafone, telecom, volkers bank.
So far I have seen these download places:
151.248.114.193 - RU active
192.240.96.11 - currently down, last seen 2014-01-15
212.7.219.75 - currently down
37.58.57.162 - currently down, last seen 2014-01-07
37.58.57.175 - currenlty down, last seen 2014-01-08
5.133.179.12 - GB active
5.254.96.215 - currenlty down, last seen 2014-01-17
5.254.96.216 - currently down
5.254.96.237 - RO active
5.254.96.238 - currently down, last seen 2014-01-16
5.254.96.239 - currenlty down, last seen 2014-01-15
5.39.47.13 - currenlty down, last seen 2014-01-15
62.4.8.133 - currenlty down, last seen 2014-01-13
64.15.75.70 - CA active
69.197.18.171 - OK ... this is blackhole
75.87.188.28 - currenlty down
85.158.241.184 - currenlty down, last seen 2014-01-10
85.158.241.33 - currenlty down, last seen 2014-01-15
92.53.104.167 - currenlty down, last seen 2014-01-09
Examples:
2014-01-20 14:59 http://serverrequiestcont.ru/volksbank_eg/ active 151.248.114.193 RU
2014-01-20 14:58 http://alishkasuper.ru/telekom_deutschland/ active 151.248.114.193 RU
2014-01-20 14:58 http://frtyui.ru/vodafone_online/ active 151.248.114.193 RU
2014-01-20 14:57 http://markelooo.ru/volksbank_eg/ active 151.248.114.193 RU
2014-01-20 14:53 http://frtyui.ru/vodafone_online/ active 151.248.114.193 RU
2014-01-20 14:40 http://gerbercvt.ru/volksbank_eg/ active 151.248.114.193 RU
2014-01-20 03:00 http://upddezember.com/telekom/ active 5.133.179.12 GB
2014-01-20 02:57 http://lopper.ru/vodafone_online/ active 151.248.114.193 RU
2014-01-16 18:21 http://basanaj.ru/telekom/ active 5.254.96.215 RO
2014-01-16 18:23 http://gorbache.ru/vodafone_online/ active 64.15.75.70 CA
2014-01-16 18:28 http://opa-oba.ru/vodafone_online/ active 64.15.75.70 CA
... + many other domain names
2014-01-16 18:33 http://upddezember.com/telekom/ active 5.133.179.12 GB
http://pososh.ru/vodafon/
2014-01-16 09:18 http://byuhera.ru/volksbank/ active 5.254.96.238
... + many oyther domains
2014-01-15 19:31 http://5g4xte.vol.com.br/vodafon/ active 5.39.47.13 FR
Once the malware is executed it stores itself with a name that mimics the MS updates.
Then it starts dowloading secondary malware.
In cases I have analyzed it was from:
SITE IP Code Last active
beliyvolkalak.ru 185.10.201.168 GB 20140113
buriymishka.ru 185.10.201.186 GB 20140110
deepandtouch.ru 31.215.205.193 RO 20140113
djubkafriend.ru -
glebstark.ru 185.5.55.9 LT 20140116
godaddy-up.ru 185.5.55.9 LT 20140116
gossldirect.ru -
jvrdwnload.ru 212.7.219.46 PL 20140116
jarovojfanatik.ru -
kapikapifrmaleku.ru -
karabarad.ru -
karadubecc.ru -
kolodavoloda.ru -
korenlipi.ru
kuchereneltd.ru 94.76.240.56 UK 20140116
lightham.ru -
masterupdate.ru -
micrupdaserv.ru -
montierco.ru -
officialpartkkk.ru -
pianiykrolik.ru -
portasible.ru 37.235.48.69 PL 20140116
renataltd.ru 5.135.71.226 FR 20140116
securesrvr8.ru -
softsysdnl.ru -
ssshsecur.ru 185.10.201.168 GB 20140113
toolsdownloads17.ru -
travodoktor.ru -
updatecheck.co.ua -
updote-serv3.ru 91.230.204.132 PL 20131217
uppdate-servs.ru 91.230.204.229 PL 20131217
upper-service.ru -
volodakoloda.ru -
Based on the strings templates contained in the malware we can assume that it can steal passwords to FTP, POP3 and certificates, data from Internet Explorer, data from FireFox, . :
application/x-www-form-urlencoded
<http time="%%%uu"><url><![CDATA[%%.%us]]></url><useragent><![CDATA[%%.%us]]></useragent><data><![CDATA[
]]></data></http>
<httpshot time="%%%uu"><url><![CDATA[%%.%us]]></url><data><![CDATA[
]]></data></httpshot>
<ftp time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[
]]></pass></ftp>
<pop3 time="%%%uu"><server><![CDATA[%%u.%%u.%%u.%%u:%%u]]></server><user><![CDATA[%%.%us]]></user><pass><![CDATA[
]]></pass></pop3>
<cmd id="%u">%u</cmd>
<cert time="%u"><pass><![CDATA[
]]></pass><data><![CDATA[
]]></data></cert>
<ie time="%u"><data><![CDATA[
]]></data></ie>
<ff time="%u"><data><![CDATA[
]]></data></ff>
<mm time="%u"><data><![CDATA[
]]></data></mm>
<message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"><header><unique>%%.%us</unique><version>%%u</version><system>%%u</system><network>%%u</network></header><data>
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqc9owreYFWWw7dWyebIKAxYwYx+V6bdlMGyN35YV/AM6ziObAkkVHtrvZFziejahX+ctQFmjy+vClz4nZubNU8dZlK/tBUcHbax/yr2ZdzjzimhvWvsNdA3YG6DTqb30GfOjcXwOHPPIycn1iYSjg1igdbg3a9mXklAouWzaD6wIDAQAB
</data></message>