
SANS ISC InfoSec Handlers Diary Blog



Mailbag: MS Patches / Symantec Vuln

Published: 2007-05-10
Last Updated: 2007-05-11 13:03:24 UTC
by Daniel Wesemann (Version: 2)
Some readers reported svchost.exe eating up 99% of the CPU after they had applied the recent batch of MS updates. Cause and effect are not quite clear, but a common thread seems to be that Microsoft recommends a look at KBID 927891, and some readers have also pointed us to the WSUS Blog, where the same issue is mentioned. According to another ISC reader, to resolve the issue it is necessary to first apply 927891 and then do the WU client upgrade.

David from the UK (thanks David) writes the following on the svchost.exe issue.
"The problem is due to the Automatic Update Service which uses the Generic Host Service which runs a svchost.exe process. If you switch off the Automatic Update Service the problem with svchost.exe using 100% of the CPU cycles stops. Once you have done all of the updates you can switch the Automatic Updates Service back on."
Some of the retail user versions of Symantec AV come with an ActiveX component that can be exploited to allow remote code execution. More on Symantec's website. According to the advisory, running the product's built-in "LiveUpdate" should be sufficient to fix the vulnerability.

Malware from dot-CN

Published: 2007-05-10
Last Updated: 2007-05-10 21:50:55 UTC
by Daniel Wesemann (Version: 1)
Disclaimer: Visiting any of the URLs listed might turn the hard drive of your PC into a peanut butter sandwich or do any other evil thing that will painfully remind you that you didn't do any backups for a while. You have been warned.

Nothing happened in the particular case when a reader stumbled by accident over the evil IFRAMEs added to the home page of murraysz.cn (most probably without the firm's knowledge), but only because the reader's anti-virus already stopped the very first stage of the exploits. Being the malware buffs that some of us are, we of course couldn't resist pulling on that thread to see where it would lead us.

Step #1:
murraysz.cn includes malicious IFRAMEs from cqcqcqcq.com (which is currently not reachable), user.free.77169.net and www.haogs.cn.

Step #2:
The 77169.net site uses an old exploit to download vq.exe off the same site. The file is packed with UPX and reliably recognized as a password stealer (PWS-QQPass) by most AV software. The haogs.cn page only returns 76 bytes: another IFRAME, which downloads more code from www.h148.cn.

Step #3:
h148.cn ... now we're talking ... opens three IFRAMEs coming from qq.520sf.org:
- 588.htm opens xjz2007.js off the same site, which in turn opens xjz2007.htm and xjz2007.bmp. Both (the latter is an ANI exploit) try to download and run 8xz.exe.
- 06014.htm tries to download and run 8xz.exe as well. This file did not have AV coverage. When run, it downloads another bunch of EXEs off the same site, again with little to nonexistent AV coverage, but identified as more password stealers of the QQPass family.
- ok.htm opens an IFRAME from www.down988.cn

Step #4:
Coming from down988.cn, we have 0614.js. This file was using a Javascript encoding technique that I hadn't seen before, but of course no matter what the bad guys try to do, JavaScript is an interpreted language and no amount of obfuscation can really hide the code. I have added this JavaScript as an example to the "Decoding Javascript" series that we maintain to accompany an earlier diary entry on the subject. The exploit downloads a file "down.exe", which in turn goes and fetches another couple of hostile EXE files.
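Chains like the one in steps 1 through 4 can be mapped without rendering anything in a browser: pull the IFRAME and script references out of each page statically and follow them breadth-first, noting which frames are sized away or hidden. The Python below is an added example, not ISC tooling; the page bodies are constructed stand-ins keyed by the hostnames the diary names, and the hidden-frame heuristic (zero or one pixel size, display:none) is an assumption about what such frames typically look like, not a description of the actual pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed, offline stand-in for the pages in the chain (URL -> HTML body).
# Hostnames are the ones named in the diary; the bodies are illustrative only.
PAGES = {
    "http://murraysz.cn/":
        '<p>Welcome</p><iframe src="http://cqcqcqcq.com/a.htm" width=0 height=0></iframe>'
        '<iframe src="http://user.free.77169.net/x.htm" style="display:none"></iframe>'
        '<iframe src="http://www.haogs.cn/" width=1 height=1></iframe>',
    "http://www.haogs.cn/": '<iframe src="http://www.h148.cn/i.htm" width=0 height=0></iframe>',
    "http://www.h148.cn/i.htm": '<iframe src="http://qq.520sf.org/588.htm"></iframe>'
                                '<iframe src="http://qq.520sf.org/ok.htm"></iframe>',
    "http://qq.520sf.org/588.htm": '<script src="xjz2007.js"></script>',
    "http://qq.520sf.org/ok.htm": '<iframe src="http://www.down988.cn/"></iframe>',
    "http://www.down988.cn/": '<script src="0614.js"></script>',
}

class RefExtractor(HTMLParser):
    """Collect iframe/frame/script src attributes; flag iframes that are sized
    away or CSS-hidden (an assumed heuristic for drive-by frames)."""
    def __init__(self, base):
        super().__init__()
        self.base, self.refs = base, []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag not in ("iframe", "frame", "script") or not a.get("src"):
            return
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        css_hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        self.refs.append((tag, urljoin(self.base, a["src"]), tag == "iframe" and (tiny or css_hidden)))

def map_chain(start, fetch=PAGES.get):
    """Breadth-first walk of the load chain. Returns (parent, tag, child, hidden)
    edges; a child whose fetch returns None (dead host) is recorded, not expanded."""
    edges, seen, queue = [], {start}, [start]
    while queue:
        url = queue.pop(0)
        body = fetch(url)
        if body is None:
            continue
        parser = RefExtractor(url); parser.feed(body)
        for tag, child, hidden in parser.refs:
            edges.append((url, tag, child, hidden))
            if child not in seen:
                seen.add(child); queue.append(child)
    return edges

def hosts_in_chain(edges):
    """Every host a victim's browser would be made to contact along the chain."""
    return sorted({urlsplit(child).hostname for _, _, child, _ in edges})
```

Swapping the `fetch` callable for a function that reads saved HTTP responses from disk lets the same walk run over captures taken during an investigation, and the host list is what you would hand to the proxy or DNS blocklist.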

Bottom line: The exploits used are rather old and none too worrying, but if someone with a vulnerable PC surfs to any of these pages, the PC will end up completely infested with password stealing keyloggers.  And this is only the point where we stopped digging further -- each of the keyloggers has an auto-update function, and also contains one or more addresses to where the more interesting captured keystrokes are sent.  In other words: Patch early, patch often -- or use an operating system with better survival skills when visiting the haunted realms of the 'net.