
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-12-29



postcard.exe

Published: 2006-12-29
Last Updated: 2006-12-30 14:19:41 UTC
by Daniel Wesemann (Version: 1)
We've received word from a number of readers that "postcard.exe" is currently being spammed in emails with the subject "Happy New Year". AV coverage is still thin. MD5: 4adf7a3719c485a4e482498874b6695f

Update 1530UTC: AV protection coming online: Trojan-Downloader.Win32.Tibs.jy (Kaspersky), W32/Dref-U (Sophos), W32.Nuwar.AY (TrendMicro). ClamAV was one of the first AVs to have protection available when the wave started last night; they are calling it Downloader-388.

There is also a set of BleedingSnort sigs available which help in detecting an existing infection (systems reporting to C&C).

Update 1400UTC: Symantec has thrown their hat in the ring with W32.Mixor.Q@mm.

Pain reliever with serious side effects

Published: 2006-12-29
Last Updated: 2006-12-29 13:59:38 UTC
by Daniel Wesemann (Version: 1)

Relax, you pundits of the pristine ISC blog, we are not going off-topic again. This story is about what can happen when you use a popular search engine in an attempt to look up the side effects of a prescription drug. This is what happened when Louis entered "Percocet" (a pain medication) and made the mistake of clicking on the least sensible search result: http://www. pharmacy. topsearch20.net/search.php?q=percocet
I recommend you continue reading before you do as Louis did and click on the above, because the page returned, in addition to peddling cheap drugs, also includes two nifty IFRAMEs:


Again, these are - at the time of writing - live URLs, hosting bad stuff. Don't go there. Or, if you must, at least don't complain to us if you turn your PC into a brick while "investigating" the site.

statrafongon[dot]biz resolves to 81.95.148.35, which in itself already is an indication that something fishy could be waiting there - this IP range (81.95.148.0/20) is one of the address segments used by the CoolWebSearch gang in Russia to propagate their toys. Let's look at what they serve this time:

new.php?adv=8 contains a copy of the MS06-014 (MDAC/RDS.Dataspace) exploit. The exploit used is lifted pretty much verbatim from the Metasploit framework; in fact, a successful exploit would even write the downloaded malware to disk as "metasploit.exe".

strong/08/index.html contains obfuscated Javascript:



While the Tom Liston Method(tm) to unravel such scripts is highly effective, I still prefer to do my unstuffing in Perl under Unix: $ cat index.html | perl -pe 's/\%(..)/chr(hex($1))/ge' does the trick easily, and shows us that the page includes no less than five IFRAMEs, named exp1.htm to exp5.htm. Downloading and looking at each of these files individually, we found the following:
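The same unstuffing step, written as an added Python example (this is not code from the diary or from the ISC): it performs the %XX decode of the Perl one-liner above, repeats it until the text stops changing so that doubly encoded layers (%25XX) are unwrapped as well, and then lists the IFRAME src values that appear in the decoded markup. The sample page it runs on is constructed in the style the diary describes, not the real index.html.

```python
"""Unescape %XX-obfuscated HTML/JavaScript and list the IFRAME sources it hides.

Added example, not the diary's own code. It does what the author's Perl
one-liner does, but repeats the decode until nothing changes, so doubly
encoded layers (%25XX) are unwrapped too.
"""
import re

PERCENT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# Tolerant of double-quoted, single-quoted and unquoted src attributes.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def percent_decode(text):
    r"""One pass of %XX -> chr(0xXX), the same transform as s/\%(..)/chr(hex($1))/ge."""
    return PERCENT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def unstuff(text, max_rounds=5):
    """Decode repeatedly until the text stops changing; returns (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = percent_decode(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def iframe_sources(markup):
    """Return the src value of every <iframe> in the (decoded) markup, in order."""
    return IFRAME_SRC.findall(markup)


# Constructed sample in the style of the obfuscated page, not the real index.html.
# Two iframes are %-encoded once; the third is encoded twice (%25 is '%').
SAMPLE_HTML = (
    "<html><body>\n"
    '<script>document.write(unescape("'
    "%3Ciframe%20src%3D%22exp1.htm%22%20width%3D0%20height%3D0%3E%3C/iframe%3E"
    "%3Ciframe%20src%3D%22exp2.htm%22%20width%3D0%20height%3D0%3E%3C/iframe%3E"
    '"));</script>\n'
    '<script>document.write(unescape(unescape("'
    "%253Ciframe%2520src%253D%2522exp3.htm%2522%253E%253C/iframe%253E"
    '")));</script>\n'
    "</body></html>\n"
)


if __name__ == "__main__":
    decoded, rounds = unstuff(SAMPLE_HTML)
    print(f"decoded after {rounds} round(s)")
    for src in iframe_sources(decoded):
        print("iframe ->", src)
```

A single pass (what the Perl one-liner gives you) exposes only the first two iframes of the sample; the third only shows up after the second round, which is why the loop keeps going until the output is stable. The max_rounds cap stops a pathological input from spinning forever.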

exp1.htm contains a different exploit for the same MS06-014 (RDS) vulnerability already seen above.
exp2.htm contains yet another stab at MS06-014.
exp3.htm goes after the WebViewFolderIcon (MS06-057) hole, again borrowing the code practically unchanged from Metasploit.
exp4.htm contains an exploit of the VML vulnerability (MS06-055).
exp5.htm goes after the recent XML core services bug (MS06-071), and is using a copy of the PoC code posted at milw0rm.

The strategy to use five exploit variants seems to work - when I tested these files with some AV products, none was able to spot all five attempts. When successful, all five exploits would try to download and run a "win32.exe" off the same site. At the time of discovery (when Louis stumbled onto the site), win32.exe brought back a blank screen at Virustotal. By now, the situation has improved a bit.

The lesson learned? As far as we could determine, nothing happened to Louis' PC. Not because of his Antivirus, only because his PC was diligently patched. Otherwise, this pain reliever could have had serious side effects.

Update 29DEC 1025 UTC:  When I hacked in this diary late yesterday night, little did I know that the next day would bring a surprise. The surprise being that the "win32.exe" of this exploit is called Trojan-Downloader.Win32.Tibs.jy by Kaspersky. Same malware, apparently, that is currently being spammed as "postcard.exe", even though the file sizes and MD5 checksums differ.
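The two diaries above between them give a hash (postcard.exe), a domain (statrafongon[dot]biz), a network range (81.95.148.0/20) and two filenames. The following is an added Python example, not code from the ISC, that matches those indicators against a constructed proxy log and constructed mail-gateway attachment records; the log format and all records are invented for the example, only the indicator values come from the diaries. Note that 81.95.148.0 is not on a /20 boundary, so the range is normalised to 81.95.144.0/20 before use.

```python
"""Match the indicators from these two diaries against constructed log data.

Added example, not the diary's own code. Indicator values are the ones the
diaries give; the proxy-log format and the records below are constructed.
"""
import hashlib
import ipaddress
import re

KNOWN_BAD_MD5 = {
    "4adf7a3719c485a4e482498874b6695f": "postcard.exe (Trojan-Downloader.Win32.Tibs.jy)",
}
# The diary writes the CoolWebSearch range as 81.95.148.0/20. 81.95.148.0 has
# host bits set for a /20, so ip_network() would reject it with strict=True;
# strict=False normalises it to 81.95.144.0/20.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("81.95.148.0/20", strict=False)]
KNOWN_BAD_DOMAINS = {"statrafongon.biz"}
# Filenames seen in this wave. On their own they are only a weak signal.
SUSPECT_FILENAMES = {"postcard.exe", "win32.exe"}


def refang(indicator):
    """Turn the defanged 'statrafongon[dot]biz' form back into a real domain."""
    return re.sub(r"\[(?:dot|\.)\]", ".", indicator, flags=re.IGNORECASE)


def in_bad_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def check_proxy_line(line):
    """Constructed line format: '<ts> <client> <dest_ip> <host> <path>'."""
    ts, client, dest_ip, host, path = line.split(maxsplit=4)
    reasons = []
    if refang(host).lower() in KNOWN_BAD_DOMAINS:
        reasons.append("bad-domain")
    if in_bad_network(dest_ip):
        reasons.append("bad-network")
    if path.rsplit("/", 1)[-1].lower() in SUSPECT_FILENAMES:
        reasons.append("suspect-filename")
    if not reasons:
        return None
    return {"ts": ts, "client": client, "dest_ip": dest_ip, "host": host,
            "path": path, "reasons": reasons}


def scan_proxy_log(text):
    hits = []
    for line in text.splitlines():
        if line.strip():
            hit = check_proxy_line(line)
            if hit:
                hits.append(hit)
    return hits


def check_attachment(record):
    """record: {'subject', 'filename', and either 'md5' (hex) or 'data' (bytes)}."""
    digest = (record.get("md5") or md5_hex(record["data"])).lower()
    reasons = []
    if digest in KNOWN_BAD_MD5:
        reasons.append("known-bad-md5")
    if record["filename"].lower() in SUSPECT_FILENAMES:
        reasons.append("suspect-filename")
    if not reasons:
        return None
    return {"filename": record["filename"], "md5": digest,
            "label": KNOWN_BAD_MD5.get(digest), "reasons": reasons}


def scan_attachments(records):
    return [hit for hit in map(check_attachment, records) if hit]


# Constructed proxy log: the diary's domain, two addresses inside the range,
# and two benign lines (198.51.100.0/24 is a documentation range).
PROXY_LOG = """\
2006-12-28T23:41:02Z 10.0.0.17 81.95.148.35 statrafongon.biz /strong/08/index.html
2006-12-28T23:41:03Z 10.0.0.17 81.95.148.35 statrafongon.biz /strong/08/win32.exe
2006-12-28T23:50:11Z 10.0.0.23 198.51.100.9 www.example.com /index.html
2006-12-29T00:02:45Z 10.0.0.31 81.95.150.7 cdn.example.net /banner.gif
"""

# Constructed mail-gateway records; the first carries the diary's MD5.
ATTACHMENTS = [
    {"subject": "Happy New Year", "filename": "postcard.exe",
     "md5": "4adf7a3719c485a4e482498874b6695f"},
    {"subject": "Q4 figures", "filename": "figures.xls", "data": b"constructed"},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy ", hit["client"], "->", hit["host"] + hit["path"], hit["reasons"])
    for hit in scan_attachments(ATTACHMENTS):
        print("mail  ", hit["filename"], hit["label"], hit["reasons"])
```

The fourth log line is flagged on the network range alone, even though its hostname is not on the list, which is the point of keeping the range as an indicator: the same /20 served CoolWebSearch material before this wave and will host other names afterwards. Filename matches are reported but deliberately kept as a separate, weaker reason so an analyst can weight them differently from a hash or domain hit.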