Friday, August 29, 2008

Journalists shot in Georgia - Georgia.zip

Around 19 August 2008, numerous security researchers and vendors reported a wave of malspam emails themed on the Russia/Georgia conflict. The emails had the subject “Journalists shot in Georgia” and a password-protected attachment, Georgia.zip. The email body contained a message concerning the conflict and the password for the zip file; encrypting the archive keeps mail-gateway scanners from inspecting the executable inside, while the password in the body lets the recipient open it. The following is a sample message:

Turkish television has released video of four journalists on assignment in Georgia being shot at.
The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia.

Real photo in the attachment

attach password: 123

The Georgia.zip file contains joined.exe. When executed, the malware creates %Temp%\LOADER.19B099.EXE and uses BITS (Background Intelligent Transfer Service) to download filebyaka.exe and exe.php from the Chinese-hosted site reddii.org (220.196.42.217). The exe.php page returned a 404 error. Because BITS performs the transfer inside the BITS service (hosted in svchost.exe) rather than in the malware process, the download does not appear as network activity of joined.exe; queued or completed jobs can be listed with bitsadmin /list /allusers.

http[:]//reddii.org//traffic/all/files/filebyaka.exe
http[:]//reddii.org/traffic/ft08/exe.php


filebyaka.exe
The malware filebyaka.exe copies itself as %system%\lphcavej0e7bp.exe and creates the following files:

%system%\phcavej0e7bp.bmp
%system%\blphcavej0e7bp.scr
%temp%\.tt2.tmp
%temp%\.tt2.tmp.vbs
%temp%\.tt3.tmp
%temp%\.tt4.tmp
%temp%\.tt5.tmp
%temp%\.tt6.tmp

The following registry values set phcavej0e7bp.bmp as the Windows desktop background and blphcavej0e7bp.scr as the screensaver. The EulaAccepted value under Software\Sysinternals\Bluescreen Screen Saver indicates that the .scr is the Sysinternals BlueScreen screen saver, so the "screensaver" is a fake Blue Screen of Death (hence the Trojan.Blusod name). The two NoDisp* policy values hide the Background and Screen Saver tabs of Display Properties so the user cannot undo the change.

HKEY_CURRENT_USER\Control Panel\Desktop
"ConvertedWallpaper" = C:\WINDOWS\System32\phcavej0e7bp.bmp
"SCRNSAVE.EXE" = C:\WINDOWS\System32\blphcavej0e7bp.scr
"WallpaperStyle" = 0
"ScreenSaveActive" = 1
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
"EulaAccepted" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
"InstallID" = dfc9f3e6-e26c-4c13-bbb8-0bda4ea03ccd
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1


The following Run value launches lphcavej0e7bp.exe at startup (the value name matches the file name):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lphcavej0e7bp" = C:\WINDOWS\System32\lphcavej0e7bp.exe


The VBScript .tt2.tmp.vbs is used to prevent System Restore from recording restore points around the installation, so the rogue cannot simply be rolled back.

The malware lphcavej0e7bp.exe retrieves graphics from the following hosts and issues DNS queries for names of the form variable_string.chr.santa-inbox.com that do not resolve. The 32-hex-character label in the sample below is the same string the rogue later writes as the ADVid value under HKLM\SOFTWARE\rhcevej0e7bp (presumably an affiliate or installation identifier), so even these failed lookups identify both the infection and the campaign behind it.

avxp-2008.net (78.159.96.17)
stat-avxp-2008.net (78.159.96.16)
www[.]avxp-2008.net (78.159.96.16)

DNS Sample:
404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com
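A detection for these lookups, written as an added example for this post (not the author's tooling): the script below scans DNS query log lines, flags queries matching the chr.santa-inbox.com beacon shape, extracts the embedded 32-hex-character ID, and also flags queries for the avxp-2008.net hosts. The log format (timestamp, client IP, query name, response code) and the log lines are constructed for the example.

```python
import re

# Shape of the lookups observed from lphcavej0e7bp.exe, e.g.
#   404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com
# The 32-hex-character label is the value the rogue AV stores as "ADVid".
BEACON_RE = re.compile(
    r"^(?P<counter>\d+)\.(?P<seq>\d+)\.(?P<advid>[0-9a-f]{32})\.chr\.santa-inbox\.com$",
    re.IGNORECASE,
)

# Hosts the sample fetched its graphics from (from the post). A query matches
# if it is the host itself or any subdomain of it.
ROGUE_DOMAINS = ("avxp-2008.net", "stat-avxp-2008.net")

# Constructed sample log, one query per line: timestamp, client IP, query name,
# response code. The format and the lines are assumptions made for this example.
SAMPLE_LOG = """\
2008-08-20T10:01:02 10.0.0.5 404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com NXDOMAIN
2008-08-20T10:01:05 10.0.0.5 www.avxp-2008.net NOERROR
2008-08-20T10:06:02 10.0.0.5 404563.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com NXDOMAIN
2008-08-20T10:07:30 10.0.0.9 mail.example.com NOERROR
2008-08-20T10:11:02 10.0.0.5 404564.2.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com NXDOMAIN
2008-08-20T10:12:00 10.0.0.9 stat-avxp-2008.net NOERROR
"""


def classify(qname):
    """Return ("beacon", advid), ("rogue_domain", domain) or (None, None)."""
    q = qname.rstrip(".").lower()
    m = BEACON_RE.match(q)
    if m:
        return "beacon", m.group("advid")
    for domain in ROGUE_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return "rogue_domain", domain
    return None, None


def scan(log_text):
    """Summarise suspicious queries per client.

    Returns {client: {"beacons": n, "advids": set, "rogue_domains": set}} for
    clients with at least one hit; malformed lines are skipped.
    """
    summary = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, _rcode = parts
        kind, detail = classify(qname)
        if kind is None:
            continue
        entry = summary.setdefault(
            client, {"beacons": 0, "advids": set(), "rogue_domains": set()}
        )
        if kind == "beacon":
            entry["beacons"] += 1
            entry["advids"].add(detail)
        else:
            entry["rogue_domains"].add(detail)
    return summary


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG).items():
        print(client, info)
```

Because the santa-inbox.com names never resolve, the resolver log is the only place they show up; matching on the constant 32-hex-character label rather than the changing leading labels keeps the rule stable across beacons from the same installation.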

.tt5.tmp:1288
The file .tt5.tmp:1288, originally created by filebyaka.exe, creates several temp files and a persistent window that pressures the victim into installing the rogue antispyware program Antivirus XP 2008.

%Temp%\nsn7.tmp
%Temp%\nsn8.tmp
%Temp%\nsn9.tmp
%Temp%\nsd9.tmp\MachineKey.dll
%Temp%\nsd9.tmp\Mutex.dll
%Temp%\nsd9.tmp\System.dll
%Temp%\.tt5.tmp.exe
%Temp%\nsd9.tmp\md5dll.dll
%Temp%\nsd9.tmp\rc4hex.dll
%Temp%\nsd9.tmp\euladlg.dll

Clicking on the persistent Antivirus XP 2008 window causes the file .tt5.tmp:1288 to create the Program Files folder rhcevej0e7bp and several Antivirus XP 2008 installation files.

C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
C:\Program Files\rhcevej0e7bp\database.dat
C:\Program Files\rhcevej0e7bp\msvcp71.dll
C:\Program Files\rhcevej0e7bp\MFC71.dll
C:\Program Files\rhcevej0e7bp\MFC71ENU.DLL
C:\Program Files\rhcevej0e7bp\msvcr71.dll
C:\Program Files\rhcevej0e7bp\license.txt
C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe.local
C:\Program Files\rhcevej0e7bp\Uninstall.exe

The file rhcevej0e7bp.exe creates %system%\pphcavej0e7bp.exe

The following registry entries register Antivirus XP 2008: a Run value launches rhcevej0e7bp.exe at startup, an Uninstall entry lists it as AntivirXP08, the Post Platform value appends AntivirXP08 to the Internet Explorer User-Agent string (which lets the rogue's servers recognise infected browsers), and HKLM\SOFTWARE\rhcevej0e7bp holds its configuration, including the ADVid.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"rhcevej0e7bp" = CA, 1E, B7, 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
"AntivirXP08" = AntivirXP08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SMrhcevej0e7bp" = C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp
"DisplayName" = AntivirXP08
"UninstallString" = "C:\Program Files\rhcevej0e7bp\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp
"(Default)" = C:\Program Files\rhcevej0e7bp
"ADVid" = ea1791ca31f623f9821f379c529dc3f5
"AutomaticallyUpdates" = 1
"BackgroundScan" = 1
"BackgroundScanTimeout" = 1
"BuyDiscUrl" = HEX
"BuyUrl" = HEX
"DatabaseVersion" = 2.1
"DaysInterval" = 7
"domain" = HEX
"EngineVersion" = 2.1
"GuiVersion" = 2.1
"InstallDir" = C:\Program Files\rhcevej0e7bp
"LastTimeStamp" = 0C, 01, 00, 00
"MinimizeOnStart" = 0
"ProgramVersion" = 2.1
"ProxyName"
"ProxyPort" = 0
"ScanDepth" = 2
"ScanPriority" = 1
"ScanSystemOnStartup" = 1
"SoftID" = AntivirXP08


The rogue antispyware program Antivirus XP 2008 displays fake alerts in order to persuade users to buy it. The malware is detected as Trojan.Blusod (Symantec).

The following files were collected during malware analysis.

Filename, MD5, Size (Bytes)
.tt2.tmp.vbs, 9df700c8f6fd43fac0a89aef04214bbd, 1002
.tt5.tmp.exe, 94d00b0ea3c0fc69c52f761efcb49c0c, 1613465
blphcavej0e7bp.scr, b10a43b9044b488dc8c7d33b250cfebb, 118784
filebyaka.exe, fc85dab5849416f8796b799fc209395a, 199168
Georgia.zip, b1698f9c3109c9fa723e68cad124eb60, 5915
joined.exe, 607af96b03addadf28cf9280701df191, 7680
license.bmp, 7003a7e6f2421213a24456724071e9d3, 2359350
lphcavej0e7bp.exe, fc85dab5849416f8796b799fc209395a, 199168
pphcavej0e7bp.exe, f18a4aa83fa2dc238536103731337759, 106496
database.dat, c19b001e6fe6c082e5069e4490898ccc, 1701
license.txt, b9df16a4c49ce4fe979d8f27d89a8106, 19598
MFC71.dll, f35a584e947a5b401feb0fe01db4a0d7, 1060864
MFC71ENU.DLL, baf751e7061ff626aa60f56d1d5d1fdc, 57344
msvcp71.dll, 561fa2abb31dfa8fab762145f81667c2, 499712
msvcr71.dll, 86f1895ae8c5e8b17d99ece768a70732, 348160
rhcevej0e7bp.exe, 02eb58055afb8b81a05ea623882a9034, 831488
Uninstall.exe, 423c6bcad6e91fb6e81a40689d1640e4, 110562

Thursday, August 14, 2008

msnbc.com Malspam

The Rustock botnet has moved from spam themed as CNN Alerts to spam themed as MSNBC Breaking News Alerts. The MSNBC emails use the subject “msnbc.com - BREAKING NEWS:” followed by a variable message. Sample messages include:

“Google launches free music downloads in China”
“Mexican arrested on billion-dollar graft case”
“NASA Claim to Have Achieved First Zero-Gravity Erection”
“Even The New Yorker 'Cartoon Dogs' Are Pissed at the 'Obama Cover”

The “Find out more at…” hyperlink redirects to various web pages that offer a Video ActiveX Object supposedly required to view the video. The Video ActiveX Object download, typically named something like adobe_flash.exe, is a CbEvtSvc trojan variant. Sample URLs include:

http://gekkoeurope.com/up.html (195.47.247.83, DK)
http://bg-buttisholz.ch/up.html (80.74.155.30, CH)
http://sprtx.com/msn.html (72.232.91.106, US)
http://ebuzzdigital.com/msnlive.html (74.54.81.143, US)

The link text shown to the recipient is an msnbc.com address while the href is the attacker's page, as in this sample from the email HTML:
Find out more at <a href="http://bg-buttisholz.ch/up.html">http://breakingnews.msnbc.com</a><br>
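The mismatch between visible link text and href is the deception, and it is also checkable. As an added example (not the author's code), the following Python inspects every anchor in an HTML message and reports those whose visible text is itself a URL or host name on a different registered domain than the href. The sample message body is constructed from the subject and link quoted above; the two-label registered-domain approximation is an assumption (a real deployment would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that is itself a URL or bare host name; only such text can
# contradict the href (text like "click here" makes no claim about the target).
HOSTLIKE_RE = re.compile(
    r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.IGNORECASE
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_host):
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _registered_domain(host):
    # Assumption: the last two labels approximate the registered domain. A real
    # deployment should use the Public Suffix List (co.uk is not a domain).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def deceptive_links(html):
    """Return [(visible_text, href)] for anchors whose text is a URL or host on
    a different registered domain than the href actually points to."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, text in collector.links:
        if not href or not HOSTLIKE_RE.match(text):
            continue
        if _registered_domain(_host(text)) != _registered_domain(_host(href)):
            hits.append((text, href))
    return hits


# Constructed message body using a subject and the link quoted in the post;
# the other two anchors are made up for contrast.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>msnbc.com - BREAKING NEWS: Google launches free music downloads in China</p>
Find out more at <a href="http://bg-buttisholz.ch/up.html">http://breakingnews.msnbc.com</a><br>
<a href="http://www.msnbc.com/">www.msnbc.com</a><br>
<a href="http://sprtx.com/msn.html">Watch the video</a>
</body></html>
"""

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"deceptive link: text={text!r} href={href!r}")
```

Note the limitation the third anchor illustrates: a malicious link whose text is plain words ("Watch the video") makes no claim about its destination, so this check catches only the text-versus-href trick; reputation or sandboxing of the href itself is still needed.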



Malware Analysis

The msnbc.com - BREAKING NEWS spam hyperlink loads a fake CNN- or MSN-themed codec download page. A sample from http[:]//bg-buttisholz.ch/up.html downloads adobe_flash.exe. The trojan adobe_flash.exe copies itself as C:\WINDOWS\System32\CbEvtSvc.exe and installs it as a service named CbEvtSvc running as LocalSystem. Note the ImagePath: the "-k netsvcs" argument imitates a svchost.exe-hosted service group, but the binary is the trojan itself, registered as an own-process (Type 0x10), auto-start (Start 2) service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
"DisplayName" = CbEvtSvc
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"ObjectName" = LocalSystem
"Opt"
"Start" = 2
"Type" = 10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
"0" = Root\LEGACY_CBEVTSVC\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
"Security" = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00


The CbEvtSvc.exe trojan downloads additional malware. A sample CbEvtSvc.exe execution downloaded 13scan.exe, install.exe, and fg.exe from 78.109.19.50 (UA).

Install.exe
The malware install.exe is a Rustock variant that joins the host to a spam botnet. It copies itself as C:\Documents and Settings\LocalService\Application Data\728739263.exe (variable name). 728739263.exe creates C:\WINDOWS\TEMP\7.tmp, which installs the hidden kernel-driver service %System%\drivers\962e1fdd.sys (variable name; Type 1 marks a kernel driver and Start 1 loads it at system start).

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\962e1fdd
ImagePath = "%System%\drivers\962e1fdd.sys"
Type = 1
Start = 1
ErrorControl = 1
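As an added example (not part of the original post), the script below applies three checks to a registry dump in the same layout as the listings on this page: a service whose ImagePath carries a svchost-style -k group but whose binary is not svchost.exe (the CbEvtSvc entry above), a system-start kernel driver whose service name is eight random-looking hex characters (the 962e1fdd entry above), and the NoDispBackgroundPage/NoDispScrSavPage policy values from the Antivirus XP 2008 post. The dump is constructed from the values quoted on this page plus a legitimate DHCP Client service for contrast; DWORDs are assumed to be shown in hex as regedit displays them.

```python
import ntpath
import re

# Constructed registry dump in the same "key line, then Name = value lines"
# layout the post uses. The CbEvtSvc, 962e1fdd and Policies\System values are
# copied from the listings on this page; the DHCP Client service is a
# legitimate entry added for contrast. DWORDs are assumed to be shown in hex,
# as regedit displays them (so "Type" = 10 means 0x10).
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
"DisplayName" = CbEvtSvc
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"ObjectName" = LocalSystem
"Opt"
"Start" = 2
"Type" = 10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
"DisplayName" = DHCP Client
"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
"Start" = 2
"Type" = 20
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\962e1fdd
ImagePath = "%System%\drivers\962e1fdd.sys"
Type = 1
Start = 1
ErrorControl = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.+$")
VALUE_RE = re.compile(r'^"?([^"=]+?)"?\s*(?:=\s*(.*))?$')


def parse_dump(text):
    """Return {key_path: {value_name: value_string}}; values without data are ""."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).strip()] = (m.group(2) or "").strip().strip('"')
    return keys


def _dword(value):
    try:
        return int(value, 16)
    except ValueError:
        return None


def _image_exe(image_path):
    """Split an ImagePath into (lower-cased binary file name, argument string)."""
    m = re.match(r"^(.*?\.(?:exe|sys))(?:\s+(.*))?$", image_path, re.IGNORECASE)
    if not m:
        return image_path.lower(), ""
    return ntpath.basename(m.group(1)).lower(), (m.group(2) or "")


def audit(keys):
    """Apply the three checks; return a list of (rule, key_path, detail) findings."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        if "\\services\\" in key.lower():
            exe, args = _image_exe(values.get("ImagePath", ""))
            svc_type, start = _dword(values.get("Type", "")), _dword(values.get("Start", ""))
            # "-k <group>" is how svchost.exe selects a service group; any other
            # binary using it is imitating a hosted service.
            if re.search(r"(^|\s)-k\s+\S+", args) and exe != "svchost.exe":
                findings.append(("svchost_mimicry", key, exe))
            # Kernel driver (Type 0x1) loaded at system start (Start 0x1) under a
            # random-looking 8-hex-character name, like the Rustock driver.
            if svc_type == 0x1 and start == 0x1 and re.fullmatch(r"[0-9a-f]{8}", leaf, re.IGNORECASE):
                findings.append(("random_hex_driver", key, exe))
        elif key.lower().endswith("\\policies\\system"):
            # These policies hide the Background and Screen Saver tabs so the
            # user cannot undo the fake-BSOD screensaver and wallpaper.
            locked = [n for n in ("NoDispBackgroundPage", "NoDispScrSavPage")
                      if _dword(values.get(n, "")) == 1]
            if locked:
                findings.append(("display_lockout", key, ",".join(locked)))
    return findings


if __name__ == "__main__":
    for rule, key, detail in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{rule:18} {detail:40} {key}")
```

The hex-name rule is a heuristic and will need tuning on a real fleet; the svchost rule is more reliable, since no legitimate service passes "-k group" to anything other than svchost.exe.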

The malware hooks %System%\drivers\beep.sys and hides its registry subkeys by hooking ZwCreateEvent, ZwCreateKey and ZwOpenKey. The Rustock trojan performed DNS lookups for google.com A records and for google.com, yahoo.com, aol.com, microsoft.com and 208.72.168.191 MX records. The malware made the following POST connections to retrieve spam instructions.

POST http://208.72.168.191/login.php
POST http://208.72.168.191/data.php

13scan.exe
The malware 13scan.exe copies itself as C:\Documents and Settings\LocalService\Application Data\668311381.exe. The copy 668311381.exe failed to execute due to application errors. The file appears to be an installer for a rogue security product of the Antivirus XP 2008 type.

fg.exe
The malware fg.exe copies itself as C:\Documents and Settings\LocalService\Application Data\521632863.exe. The copy 521632863.exe drops a setupapi.dll into the Program Files folder of each installed web browser. Because an application's own directory is searched before System32 when a DLL is loaded by name, iexplore.exe and firefox.exe load the malicious setupapi.dll instead of the legitimate one (DLL search-order hijacking), which is how it hooks into the browsers. The malware serves as an infostealer trojan.

C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\Mozilla Firefox\setupapi.dll

The following files were observed during malware analysis.

Filename MD5 Size (Bytes)
13scan.exe 1debb2fcbb4ae9a912bb309ea560241e 129536
521632863.exe 202ce1f4d8ffedd868c722763a40f4f2 34816
668311381.exe 1debb2fcbb4ae9a912bb309ea560241e 129536
7.tmp 831e11da49fee6b692d009b8f71822cf 137216
962e1fdd.sys fc5be1b115c13c707ad8f33d8411be51 109762
adobe_flash.exe 61229aa4f0bb47a80df0b1026cb30fe9 74752
CbEvtSvc.exe 61229aa4f0bb47a80df0b1026cb30fe9 74752
fg.exe 202ce1f4d8ffedd868c722763a40f4f2 34816
install.exe 831e11da49fee6b692d009b8f71822cf 137216
setupapi.dll cf63737c8b5ea3d2cd9fe130cc4c7519 52736


References

http://www.marshal.com/trace/traceitem.asp?article=742
http://www.symantec.com/security_response/writeup.jsp?docid=2008-041717-0829-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2