Thursday, August 14, 2008

msnbc.com Malspam

The Rustock botnet has moved from spam related CNN Alerts to MSNBC Breaking News Alerts. The MSNBC emails use the subject “msnbc.com - BREAKING NEWS:” followed by a variable message. Sample messages include:

“Google launches free music downloads in China”
“Mexican arrested on billion-dollar graft case”
“NASA Claim to Have Achieved First Zero-Gravity Erection”
“Even The New Yorker 'Cartoon Dogs' Are Pissed at the 'Obama Cover”




The “Find out more at…” hyperlink redirects to various web pages that offer a Video ActiveX Object necessary to view the video. The Video ActiveX Object download typically named something like adobe_flash.exe is a CbEvtSvc trojan variant. Sample URLs include:

http://gekkoeurope.com/up.html (195.47.247.83, DK)
http://bg-buttisholz.ch/up.html (80.74.155.30, CH)
http://sprtx.com/msn.html (72.232.91.106, US)
http://ebuzzdigital.com/msnlive.html (74.54.81.143, US)

Find out more at <a href="http://bg-buttisholz.ch/up.html">http://breakingnews.msnbc.com>/a><br>



Malware Analysis

The msnbc.com - BREAKING NEWS spam hyperlink loads a CNN or MSN codec download page. A sample from http[:]//bg-buttisholz.ch/up.html downloads adobe_flash.exe. The trojan adobe_flash.exe copies itself as C:\WINDOWS\System32\CbEvtSvc.exe and installs CbEvtSvc.exe as a service named CbEvtSvc.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
"DisplayName" = CbEvtSvc
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"ObjectName" = LocalSystem
"Opt"
"Start" = 2
"Type" = 10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
"0" = Root\LEGACY_CBEVTSVC\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
"Security" = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The CbEvtSvc.exe trojan downloads additional malware. A sample CbEvtSvc.exe execution downloaded 13scan.exe, install.exe, and fg.exe from 78.109.19.50 (UA).

Install.exe
The malware install.exe is a rustock variant that causes the host to join a spam botnet. The malware install.exe copies itself as C:\Documents and Settings\LocalService\Application Data\728739263.exe (variable name). The malware 728739263.exe creates C:\WINDOWS\TEMP\7.tmp which creates the hidden device service %System%\drivers\962e1fdd.sys (variable name).

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\962e1fdd
ImagePath = "%System%\drivers\962e1fdd.sys"
Type = 1
Start = 1
ErrorControl = 1

The malware hooks "%System%\drivers\beep.sys" and hides its registry subkeys (ZwCreateEvent, ZwCreateKey, ZwOpenKey). The rustock trojan perfomed DNS lookups for google.com A records and google.com, yahoo.com, aol.com, microsoft.com, and 208.72.168.191 MX records. The malware made the following POST connections to receive spam instructions.

POST http://208.72.168.191/login.php
POST http://208.72.168.191/data.php

13scan.exe
The malware 13scan.exe copies itself as C:\Documents and Settings\LocalService\Application Data\668311381.exe. The malware 668311381.exe failed to execute due to application errors. The malware is a rogue security product such as Antivirus XP 2008.

fg.exe
The malware fg.exe copies itself as C:\Documents and Settings\LocalService\Application Data\521632863.exe. The malware 521632863.exe creates setupapi.dll in the Program Files folder of installed web browsers. The dll hooks into iexplore.exe, firefox.exe, etc. The malware serves as an infostealer trojan.

C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\Mozilla Firefox\setupapi.dll

The following files were observed during malware analysis.

Filename MD5 Size
13scan.exe 1debb2fcbb4ae9a912bb309ea560241e 129536
521632863.exe 202ce1f4d8ffedd868c722763a40f4f2 34816
668311381.exe 1debb2fcbb4ae9a912bb309ea560241e 129536
7.tmp 831e11da49fee6b692d009b8f71822cf 137216
962e1fdd.sys fc5be1b115c13c707ad8f33d8411be51 109762
adobe_flash.exe 61229aa4f0bb47a80df0b1026cb30fe9 74752
CbEvtSvc.exe 61229aa4f0bb47a80df0b1026cb30fe9 74752
fg.exe 202ce1f4d8ffedd868c722763a40f4f2 34816
install.exe 831e11da49fee6b692d009b8f71822cf 137216
setupapi.dll cf63737c8b5ea3d2cd9fe130cc4c7519 52736

References

http://www.marshal.com/trace/traceitem.asp?article=742
http://www.symantec.com/security_response/writeup.jsp?docid=2008-041717-0829-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2
Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)