Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-11-04 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SSH Honeypot Capture, Follow The Bouncing Malware (Part III)

Published: 2004-11-04
Last Updated: 2004-11-04 23:46:52 UTC
by Tom Liston (Version: 1)
0 comment(s)
SSH Honeypot Capture

Reader Steven Sim Kok Leong sent us a note explaining that his organization had monitored a SSH brute force compromise of a honeypot machine with a deliberately
added "weak" account/password matching those that we've noted scans for over the past several weeks. An analysis writeup on the compromise can be found at:



http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102



Additional comments on protection from automated SSH hacks came from a gentleman whose father ;-) pointed out:



"Firewall parts of the 'net from which you do not anticipate legitimate traffic on a particular port. If you don't expect any legitmate SSH traffic from anywhere but your office and your mother's house, block connections from the rest of the world.



Use the SSHD configuration file to limit the accounts that can log on, and to generally tighten things. Exceptions to the defaults that I like are...



        PermitRootLogin no              
AllowUsers userA userB userC
Protocol 2
LoginGraceTime 20s
MaxStartups 5
Banner /etc/ssh/sshd_banner

Make sure userA, userB and userC have good passwords, of course.



You can also run SSH on a non-standard port if your users can accommodate this. The current attacks seem to use only the default port."





Follow The Bouncing Malware, Part III



Note: Most of the links in the following are not "clickable" on purpose. Think of it as a warning...



Before we begin our tumble down the rabbit hole once more, just a few brief words:



For those of you who have been following this little excursion: thank you for your patience. It?s probably difficult to completely understand the amount of time that each of these little essays takes to research and write. While I?ve been working on this particular installment, there were also the distractions of family, job, the daily ?stuff? coming in at the SANS ISC, MS04-028, GDIScan, turning the ISC into the GDIScan helpdesk (sorry gang!), windsurfing the halls at NS2004 in Vegas, etc..., etc... You have my sincere apologies for the wait, as well as my fervent hope that it was worth it.



With that out of the way, why don?t we ?warm up? by quickly retracing the path we?ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ?cause once this caravan rolls, we ain?t stoppin?. Go on, I?ll wait...



Ready? Good. Let?s go!



In the beginning, there was Joe Average. And Joe didst buy himself a computer and conneceth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.



But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.



Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.



How Evil? Very, VERY Evil:



From Follow The Bouncing Malware, Part I

( http://isc.sans.org/diary.php?date=2004-07-23 ):



1) Joe's homepage had been changed. It is now set to:



http://default-homepage-network.com/start.cgi?new-hkcu



2) Joe?s default search page has been set to:



http://server224.smartbotpro.net/7search/?new-hkcu



3) Search assist has been turned off.



4) "TV Media Display" has been installed on Joe's machine.



5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.



And, from Follow The Bouncing Malware, Part II

( http://isc.sans.org/diary.php?date=2004-08-23 ):



6) Joe?s computer, at the behest of the Addictive Technologies malware, downloaded ?instructions? from F1Organizer.com



7) Following those instructions, new ?Favorites? were added to Joe?s browser, and two new ?gifts? (SplWbr.dll and ezbdlLs.dll) were installed on his computer.



8) The installation of SplWbr.dll dumped an ?Ad Destroyer and Virtual Bouncer? from SpyWare Labs, Inc. and ?TopRebates.com AutoTrack software? onto Joe?s computer.



9) The installation of ezbdlLs.dll dropped a ?Utility for downloading files and upgrading software? from ?ABetterInternet?, a utility to ?Make Your Internet Browsing Simple, Exciting, and Personal? from the fine folks at ?ezULA?, and an affiliate ID hijacker called SAHAgent onto Joe?s PC.



10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.



That?s where we stopped last time, with my promise that the file ?hp1.exe? was ?a real piece of work.?



So... let?s take a look at hp1.exe.



The file hp1.exe contains 49,152 bytes o? Visual Basic goodness (guffaw). The file?s version information claims that it was created by a company called ?df?, with an internal name of ?bigs104?. Launching this beastie begins bringing down a veritable rain of malware on a machine. Sit back and try to keep up as we follow the bouncing malware:



First, it contacts "http://mmm.roings.com/bundle.php?aff=bigs104" and downloads 1449 bytes of some sort of data:

388
{}{}{}wrds======ckkcha*gki+waevgl9uxwaevgl*}elkk*gki+waevgl9tx
}elkk*gki+v+w|+.9txv`w*}elkk*gki+9txwaevgl*iwj*gki+vawqhpw*ewt9ux
eqpk*waevgl*iwj*gki+vawqhpw*ewt9uxc*iwj*gki+9ux
ekhwaevgl*gki+ekhgki+waevgl9uqav}xwaevgl*ekh*gki+ekhgki+waevgl9uqav}x
ehhplasaf*gki+waevgl9uxsaf*ewo*gki+saf9uxkravpqva*gki+`+waevgl9Oa}skv`wx
gkjpajp*kravpqva*gki+`+waevgl9Oa}skv`wxiw|ih*mjbkwtega*gki+lkia+`kc9uosx
mjbkwtega*gki+lkia+`kc9uosxwaevgl*japwgeta*gki+jw+waevgl9uqav}x
japwgeta*gki+jw+waevgl9uqav}xehpermwpe*gki+saf+vawqhpw9ux
waevgl*h}gkw*gki+`abeqhp*ewt9uqav}xh}gkw*gki+waevgl*ewt9uqav}x
waevgl*aevplhmjo*jap+pvego9uxwaevgl*hkkowievp*gki+t+waevgl9up
{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx
`vmjoi}*gki9995
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe?s machine?s IP address)
{}{}{}phases======`veckjfehh~9995xxxgvegow9996xx
mb$}kq$qwa$plmw$wmpa9995
{}{}{}sewers======wa|$bkv$bvaa9995xxxwa|9996xxxikva$wa|$bkv$ia9995
12
{}{}{}outers======
175
xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx
JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0
[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx
a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*
a|a999Ia`meIkpkv61*a|a999QWxGExxxxx
qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx
JQHH
f
{}{}{}reg======
5c
xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|
999EHHxQWxGExAF
6
{}{}{}
0

(Note: the data has been reformatted to display better in the Diary.)



Well, what the heck does all of that mean? Hmmm... it?s obviously a ?generated on the fly? data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe?s machine was behind. It also appears to have been ?encrypted? in some manner.



Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data:



#include <stdio.h>

int main(int ac, char **av) {
FILE *in, * out;
char buffer[80], *c, val;
int cont = 1;

if(ac != 2){puts("Usage: df_decrypt filename"); return 1;}
if((in = fopen(av[1], "r")) == NULL){puts("Cannot open input file."); return 2;}
if(!(out = fopen("output.txt", "w"))){puts("Cannot open output file."); return 3;}
while(cont){
if(fgets(buffer, sizeof(buffer), in)){
c = buffer;
while(*c){
if(*c != '\n'){
val = *c & 7;
if(val < 4) *c = *c + 4;
else *c = *c - 4;
}
c++;
}
fputs(buffer, out);
} else cont = 0;
}
fclose(in); fclose(out);
return 0;
}

Filling the decrypted data back into the file alongside any original data that is obviously ?keywords? results in the following unencrypted file:

388
{}{}{}wrds======google.com/search=q|search.yahoo.com/search=p|
yahoo.com/r/sx/*=p|rds.yahoo.com/=p|search.msn.com/results.asp=q|
auto.search.msn.com/results.asp=q|g.msn.com/=q|aolsearch.com/aolcom/search=query|
search.aol.com/aolcom/search=query|alltheweb.com/search=q|web.ask.com/web=q|
overture.com/d/search=Keywords|content.overture.com/d/search=Keywords|
msxml.infospace.com/home/dog=qkw|infospace.com/home/dog=qkw|
search.netscape.com/ns/search=query|netscape.com/ns/search=query|
altavista.com/web/results=q|search.lycos.com/default.asp=query|
lycos.com/search.asp=query|search.earthlink.net/track=q|
search.looksmart.com/p/search=qt
{}{}{}doms====== beastysportal.6x.to===1|||cerialz.com===2|||drinkmy.com===1
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe?s machine?s IP address)
{}{}{}phases====== dragonballz===1|||cracks===2||if you use this site===1
{}{}{}sewers====== sex for free===1|||sex===2|||more sex for me===1
12
{}{}{}outers======
175
|||||myexe===http://bins2.media-motor.net/soft/loads/
===myexe======ALL|NULL
|||||avatar===http://www.avatarresources.com/dist/ast_4_mm.exe
===ast_4_mm.exe===ast_4_mm.exe===US|EB|AU|CA|GB
|||||e2give===http://bins2.media-motor.net/soft/MediaMotor25.exe
===MediaMotor25.exe===MediaMotor25.exe===US|CA
|||||unstal===http://ups.roings.com/soft/unstall.exe
===uinstaller======ALL|NULL
f
{}{}{}reg======
5c
|||||ocx18===http://bins2.media-motor.net/soft/mm20.ocx
===mm20.ocx===mm20.ocx===ALL|US|CA|EB
6
{}{}{}
0

After downloading this ?control data? file, Joe?s computer then contacts "http://www.mastermind.com/a?l=PeAyF1sgrZYw&i=aaa.bbb.ccc.ddd" on TCP port 8010 (where aaa.bbb.ccc.ddd is Joe?s computer?s IP address) and has three lines of data returned: ?2?, ?US?, ?0?.



This ties in with what appear to be ?country codes? found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. The script at www.mastermind.com takes the IP address and returns a country code. The other two codes (?2? and ?0?) appear to control different aspects of the malware?s behavior.



Immediately upon receiving the ?US? country code from mastermind.com, Joe?s computer contacts "http://bins2.media-motor.net/soft/mm20.ocx" and downloads, installs, and registers this 61,440 byte OCX. Examining this file, it appears to be an OCX version of hp1.exe. It contains many of the same strings, and appears to offer the same functionality. I would assume that it acts as a resident version of hp1.exe.



Next, hp1.exe contacts "http://bins2.media-motor.net/soft/loads/8-24.exe" and downloads a 40,960 byte executable. The ?8-24? name is derived from the date at the time of the download (August 24th).



Based upon the ?marching orders? within the unencrypted datafile, Joe?s computer now contacts "http://www.avatarresources.com/dist/ast_4_mm.exe" and downloads a 129,152 byte executable. It then contacts "http://bins2.media-motor.net/soft/MediaMotor25.exe" and downloads a 9,056 byte executable.



Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "http://64.7.220.98/downloads/IeBHOs.dll" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from ?e2give.? Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being ?surfed? and to change Joe's browser's requests when going to specific sites in order to ?direct? affiliate commissions to e2give. According to the e2give.com website, ?e2give will donate a portion of each qualifying purchase to the e2give charities network.? This, of course, makes it perfectly fine for them to install their software onto Joe?s machine without his permission. (Yes, that was sarcasm.)



The ast_4_mm.exe file from avatarresources.com is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live:



"http://www.avatarresources.com/count/count.php?&mm2_us&mm2_new_nocpr"



The Wise installation has it?s own downloading engine which contacts the interestingly named ?www.wenksdisdkjeilsow.com? and accesses the URL ?http:// www.wenksdisdkjeilsow.com/config/?v=5&n=mm2&i=? which, despite the fact that it generates errors, sends back more configuration information (sheesh guys, if you?re going to go through all the trouble to set this stuff up, at least set the permissions correctly on your scripts...)



566
<br />
Warning: SAFE MODE Restriction in effect.
The script whose uid is 500 is not allowed to access
/usr/local/psa/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/log owned by uid 10011 in/usr/local/psa/home
/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php

on line 24<br /><br />
Warning: fopen("/usr/local/psa/home/vhosts
/wenksdisdkjeilsow.com/httpdocs/config/log", "a") -
Inappropriate ioctl for device in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/index.php
on line 24<br />
<br />
Warning: fputs(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php

on line 25<br />
<br />
Warning: fclose(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php

on line 26<br />
[URLS]
2,http://tt2.avres.net/tt/remove_spyware.exe
2,http://tt2.avres.net/tt/curgsi.exe
3,http://searchlocate.com/toolbar/searchlocate.exe

[VERSION]
5

[PROGRAM URL]
http://www.wenksdisdkjeilsow.com/files/ast_5_main.exe

[ID]
ArKJ9t9HzRnbf0GineJhq

[PRIORITY]
1,http://tt2.avres.net/tt/cpr_mm2.exe
2,http://tt2.avres.net/tt/ab1.exe
3,http://tt2.avres.net/tt/tvm_bundle.exe
4,http://tt2.avres.net/tt/cpr_mm2.exe

0

That?s just really BAD programming: you MUST check that those handles returned are valid when you open a file... dang... that?s Programming 101 Stuff. But I digress...



Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what?ll happen...?



Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe?s machine goes out and grabs a file from "http://ups.roings.com/soft/unstall.exe." This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.



But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in ?PRIORITY? order, it downloads:



"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes)

"http://tt2.avres.net/tt/ab1.exe" (500,869 bytes)

"http://tt2.avres.net/tt/tvm_bundle.exe" (53,738 bytes)

"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes - ????????)



Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. The authors of these programs really do pull off some amazing stuff... but then they follow that up almost immediately by doing some amazingly STUPID stuff. Consistency guys, consistency...)



While all of that is happening, hp1.exe (Remember that file? It?s the one we started this installment with...) phones home to tell the folks at roing.com that all is well in malware-land, that it has done everything it was supposed to do, and that it deserves a big ol? digital pat on the back:



"http:// logs.roings.com/log3.php?c={D358D17F-0D1A-4A98-A98D-810B01216183}
&what=newinstall&aff=bigs104&country=US&ocx18=1&myexe=1&avatar=1&e2give=1"



?See! Look what I did! I installed ?ocx18? (mm20.ocx), ?myexe? (8-24.exe), ?avatar? (ast_4_mm.exe), and ?e2give? (MediaMotor25.exe) on this poor schmoe?s computer! Aren?t you proud of me??



Not to be outdone, our Wise installer needs to phone home and let everyone know what a good job it did too:



"http://www.avatarresources.com/count/count.php?&mm2cpr_new"



So where does this leave us?



Well, Joe?s computer now has had so many fun and exciting ?additions? installed I?m beginning to lose track. Let?s see: Joe?s computer now has two ?affiliate buck? redirectors (SAHAgent and e2give), it?s had stuff from avatarresources.com installed, as well as all of those files from tt2.avres.net. And there?s more... trust me, there?s more.



Remember: this is all the result of visiting a SINGLE website with an unpatched machine.



If you ever need to explain to someone the pitfalls involved in not patching, all you need to do is point them to this listing:



The score card thus far (and I?m only counting executable content):



hp2.exe (16,384 bytes)

tvmupdater4bp5.exe (195,072 bytes)

AtPartners.dll (96,256 bytes)

SplWbr.dll (454,656 bytes ? expands out to 3 files making up 892,288 bytes)

ezbdlLs.dll (151,040 bytes ? expands out to 4 files making up 314,880 bytes)

hp1.exe (49,152 bytes)

mm20.ocx (61,440 bytes)

8-24.exe (40,960 bytes)

MediaMotor25.exe (9,056 bytes)

ast_4_mm.exe (129,152 bytes)

IeBHOs.dll (129,536 bytes)

cpr_mm2.exe (270,415 bytes)

ab1.exe (500,869 bytes)

tvm_bundle.exe (53,738 bytes)

and of course cpr_mm2.exe (270,415 bytes) again...



The shameful total (thus far... there?s more to come):

15 files ? 2,428,141 bytes downloaded

20 files ? 3,029,613 bytes on disk



And, no doubt, I missed a few...


I started Part II of ?Bouncing Malware? by saying that Joe?s PC was no longer his own. With over 2 MB of software downloaded, installed, and executed without his permission, I would say that there is little doubt that Joe ISN?T the guy running the show. But who is?



In the next installment, I want to finish up looking at some of the software installed on Joe?s PC and then turn my sights to finding out a little more about the folks responsible for the deluge of spyware and adware that assault our machines and networks on a daily basis. Stay tuned... it?s gonna be fun.





------------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )
Keywords:
0 comment(s)
Diary Archives