Microsoft Security Bulletins / You got a Postcard!
Microsoft Security Bulletins
Time for a new round of Microsoft patches!
-->Microsoft Security Bulletin MS04-041
Two vulnerabilities exist in WordPad that could allow remote code
execution on an affected system. User interaction is required to
exploit these vulnerabilities.
Comments: Microsoft rates it as Important. No problems with that one...
-->Microsoft Security Bulletin MS04-042
Two vulnerabilities exist in the DHCP Server service, of which the
most severe could allow remote code execution on an affected system.
The DHCP Server service is not installed by default. Only the DHCP
Server service on Windows NT 4.0 Server is affected.
Comments: Microsoft rates it as Important. Disagree. OK, it will only
affect NT 4.0, but I do believe that there are a lot of NT 4.0 DHCP
servers running in companies...
-->Microsoft Security Bulletin MS04-043
A vulnerability exists in HyperTerminal that could allow remote code
execution on an affected system. User interaction is required to
exploit this vulnerability.
Comments: Microsoft rates it as Important. No problems with that one...
-->Microsoft Security Bulletin MS04-044
Two vulnerabilities exist in the Windows Kernel and the Local Security
Authority Subsystem Service (LSASS) that could allow privilege
elevation on an affected system. An attacker must have valid logon
credentials and be able to log on locally to exploit this
vulnerability.
Comments: Microsoft rates it as Important. LSASS again...elevation of
privilege...No problems with that one...
-->Microsoft Security Bulletin MS04-045
Two vulnerabilities exist in Windows Internet Naming Service (WINS)
that could allow remote code execution on an affected system. The WINS
Server service is not installed by default.
Comments: Microsoft rates it as Important. This is the issue with
WINS...we are seeing some spikes in port 42 probes on our reports...remember to apply the patches...
References:
http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx
You got a Postcard!
Below is a simple malware analysis of a password stealer. This is becoming really common these days in Brazil. The miscreants are sending phishing mails imitating Brazilian postcard websites and delivering thousands of them to users' mailboxes.
This one came to my mailbox as a warning: "Your partner is cheating on you, see the pictures below!"...This simple analysis was done with the free tools available for Linux and Windows.
On Linux: strings, UPX, unrar
On Windows: Sysinternals tools / ZoneAlarm Free
Introduction:
A suspicious file was received on Nov 30 through a spam mail with the subject 'Your partner is cheating on you - see the pictures!' (in Portuguese).
Sending it to VirusTotal showed that none of the 13 AV engines recognized it as malware.
So, I decided to analyze it to see what I could find in that one.
The purpose of this analysis is to show how you can use simple Unix/Linux tools to do a basic analysis.
#####################
Phase 1: The Binary
#####################
Binary: fotos.sfx.exe
# strings -a fotos.sfx.exe
-------------SNIP!------------------------
This program must be run under Win32
UPX0
UPX1
.rsrc
1.20
UPX!
W!jfVB!
-------------SNIP!------------------------
The first lines show interesting information: UPX.
UPX is a very common packer used to compress PE executables.
You can use UPX to pack and unpack files:
# upx -d fotos.sfx.exe -o fotos.sfx.unp.exe
# strings -a -e l fotos.sfx.unp.exe | more
(-e l selects 16-bit little-endian strings, which is how Windows stores Unicode UI text such as dialog captions.)
-------------SNIP!------------------------
No to A&ll
&Cancel
WinRAR self-extracting archive
-------------SNIP!------------------------
--> So, it is compressed with WinRAR.
To decompress it you can use unrar:
$ unrar x -v fotos.sfx.unp.exe
-------------SNIP!------------------------
UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal
Extracting from fotos.sfx.unp.exe
Unknown method in fotos.exe
Skipping fotos.exe
No files to extract
-------------SNIP!------------------------
--> One problem...version 2.71 does not support SFX scripts.
SFX = Self-eXtracting Files
So, I had to upgrade to 3.40:
# ./unrar x -v ../fotos.sfx.unp.exe
-------------SNIP!------------------------
UNRAR 3.41 freeware Copyright (c) 1993-2004 Alexander Roshal
Extracting from ../fotos.sfx.unp.exe
;The comment below contains SFX script commands
Path=C:\Windows\system32
SavePath
Setup=fotos.exe
Silent=2 (Hide start dialog)
Overwrite=2 (skip existing files)
Extracting fotos.exe OK
All OK
-------------SNIP!------------------------
About the comment above: those are the parameters set when the SFX archive was created with WinRAR. In this case:
Silent=2 means the option 'Hide start dialog'
Overwrite=2 means the option 'skip existing files'
#####################
Phase 1: Results
#####################
- There are NO pictures in that file...:)
- It is an application
- It was packed with UPX
- It was compressed with WinRAR, with SFX commands
#####################
Phase 2: Analysis
#####################
strings now shows some more interesting stuff...
Network Information:
-------------SNIP!------------------------
Network unreachable.
Host unreachable.
Connection refused.
TTL expired.
Network is down.
Network is unreachable. Net dropped connection or reset.!Software caused connection abort.
Connection reset by peer.
-------------SNIP!------------------------
Registry Information:
-------------SNIP!------------------------
\Software\Microsoft\Windows\CurrentVersion\Run
-------------SNIP!------------------------
--> So, it looks like it will put itself under that registry key...
Application information:
-------------SNIP!------------------------
SOFTWARE\Borland\Delphi\RTL
-------------SNIP!------------------------
--> Delphi Run Time Library...a Delphi application...
Mail strings:
-------------SNIP!------------------------
This is a multi-part message in MIME format
=_NextPart_2relrfksadvnqindyw3nerasdf
=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: multipart/alternative;
boundary="=_NextPart_2altrfkindysadvnqw3nerasdf"
--=_NextPart_2altrfkindysadvnqw3nerasdf
--=_NextPart_2altrfkindysadvnqw3nerasdf--
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
base64
attachment
application/octet-stream
Content-Type:
-------------SNIP!------------------------
--> So, this application will send email...?
And some other strings of interest:
-------------SNIP!------------------------
=============Banco do Brasil======================
==================================================
BB Tit.=
BB Ag.nc.=
BB Cont.=
BB Senha A.=Atendimento=
BB Senha C.=
=============Banco Bradesco=======================
Bradesco Agencia=
Bradesco Conta=
Bradesco Digito=
Bradesco 4 digitos=
Bradesco Cartao=
Bradesco Resposta s.=
==============Caixa Economica=====================
Caixa Tipo=
Caixa Agencia=
Caixa Conta=
Caixa S. Intermet=
Caixa Ass. Eletronica=
=============Unibanco===========================
Unibanco 30 horas=
Unibanco Agencia=
Unibanco Conta=
Unibanco Digito=
Unibanco Senha=
Unibanco Assinatura=
Unibanco Cond. Alfanumerica=
=============Banco ITAU===========================
ITAU Conta=
ITAU Agencia=
ITAU Digito=
ITAU Senha Eletronica=
ITAU Senha do cartao=
ITAU % digitos do cartao=
ITAU Data dia=
ITAU Data mes=
ITAU Data ano=
ITAU Numero do portador=
-------------SNIP!------------------------
--> These are the names of some Brazilian banks. Basic Portuguese: Agencia means Branch, Conta means Account and Senha means Password.
and also:
-------------SNIP!------------------------
Conta em braco!
Senha em braco!
Senha do Auto-Atendimento
-------------SNIP!------------------------
--> More Portuguese lessons:
-Blank Account field!
-Blank Password field!
-ATM Password
--> and this is still funny because they wrote it wrong...the correct spelling would be 'branco' and not 'braco'...
And finally, some email addresses:
- xxxxx1@yahoo.com.br
- xxxxx2@yahoo.com.br
- xxxxx3@yahoo.com.br
- xxxxx1@bol.com.br
- xxxxx1@tugamail.com
- xxxxxx@xxxxxx
and an IP address:
- xx.xx.80.21
#####################
Phase 2: Results
#####################
- This application will try to use network resources
- Will write something under \Software\Microsoft\Windows\CurrentVersion\Run
- Was created with Delphi
- Is related in some way to email...
- Has strings with the names of Brazilian banks, and strings asking for passwords laid out as a report
- Has a list of 7 email addresses and one IP address
Putting it all together, we can assume that it is a password stealer which will send the passwords to some email addresses...correct?
#####################
Phase 3: Running...
#####################
To confirm my assumptions, I decided to run this malware on a Win2k machine. And although we didn't find any references to VM detection, it will be running on a real Win2k machine.
-------------SNIP!------------------------
D:\virus\fotos.sfx.unp.unr.exe>fotos.exe
D:\virus\fotos.sfx.unp.unr.exe>
-------------SNIP!------------------------
Our good friend Regmon shows this:
-------------SNIP!------------------------
fotos.exe:1888 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
fotos.exe:1888 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos SUCCESS "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"
fotos.exe:1888 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
-------------SNIP!------------------------
That means our process fotos.exe called CreateKey to open the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and then SetValue to write a value named fotos with the data "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe" under it, i.e. HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos. Entries in that key are started at every logon, so this is how it persists.
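A small detector for Regmon output like the lines above, added here and not part of the original diary: it parses lines in the layout shown (process:pid, operation, path, result, optional quoted data) and flags successful SetValue operations that land on an autostart location (Run, RunOnce, RunServices, and the Winlogon Shell/Userinit values). The log is constructed; only the three fotos.exe lines mirror the diary, and the other processes and paths are filler to exercise the filter.

```python
import re

# Constructed Regmon-style log in the layout the diary shows (process:pid, operation,
# key or value path, result, optional quoted data). Only the three fotos.exe SUCCESS
# lines mirror the diary; the other lines are made-up filler to exercise the filter.
REGMON_LOG = r"""fotos.exe:1888 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
fotos.exe:1888 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos SUCCESS "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"
fotos.exe:1888 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
explorer.exe:1204 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop SUCCESS "C:\Documents and Settings\user\Desktop"
setup.exe:2012 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\cleanup SUCCESS "C:\WINNT\Temp\cleanup.exe"
svchost.exe:812 SetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName SUCCESS "user"
fotos.exe:1888 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos ACCDENIED
"""

# Regmon prints its result codes in capitals (SUCCESS, NOTFOUND, ACCDENIED, ...);
# the path is matched lazily so that key names containing spaces still parse.
LINE_RE = re.compile(
    r'^(?P<proc>[^:\s]+):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+?)\s+'
    r'(?P<result>[A-Z]+)(?:\s+"(?P<data>.*)")?\s*$'
)

# Locations Windows consults at boot or logon; a value written here survives a reboot.
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
)
WINLOGON_KEY = r"\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_VALUES = ("shell", "userinit")


def is_autostart_value(value_path: str) -> bool:
    """True when value_path names a registry value that starts a program automatically."""
    key, _, name = value_path.lower().rpartition("\\")
    if key.endswith(AUTOSTART_KEYS):
        return True
    return key.endswith(WINLOGON_KEY) and name in WINLOGON_VALUES


def parse_regmon(text: str) -> list:
    """One dict per parsable line; lines that do not fit the layout are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def persistence_writes(events: list) -> list:
    """Successful SetValue operations that land on an autostart location."""
    return [
        {"proc": e["proc"], "pid": int(e["pid"]), "value": e["path"], "data": e["data"]}
        for e in events
        if e["op"] == "SetValue" and e["result"] == "SUCCESS" and is_autostart_value(e["path"])
    ]


if __name__ == "__main__":
    for hit in persistence_writes(parse_regmon(REGMON_LOG)):
        print(f'{hit["proc"]}:{hit["pid"]} wrote {hit["value"]} = "{hit["data"]}"')
```

Process Monitor, which replaced Regmon, exports CSV, so a different line splitter is needed there; the autostart filter stays the same.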
Another friend, Process Explorer, also shows good information:
-------------SNIP!------------------------
HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
-------------SNIP!------------------------
Winsock...interesting. We knew that this application would try to use network resources, and this confirms it...
So, let's try to browse to any of those banks' websites...
Navigating to one of those bank websites using IE was kind of funny...
I don't know if it was because of the IE Google bar, but the real website loaded almost perfectly, except that there was another pair of branch and account fields overlapping the real ones...
Putting fake data in the fields, or not putting anything at all, and pressing OK made it open another window requesting more data, more passwords and personal information. After filling everything in with some 'good data' and pressing OK,
my ZoneAlarm popped up an alert:
-------------SNIP!------------------------
Do you want to allow fotos.exe to access the internet?
Technical Information
Destination IP: xx.xx.80.21:SMTP
Application: fotos.exe
-------------SNIP!------------------------
hummm...so that's why we had this IP address in that list...SMTP, email addresses...now it is starting to make sense...:)
But xx.xx.80.21 resolves to a hosting provider...not to any of the email domains that we found...Maybe an open relay??
#####################
Phase 3: Results
#####################
So, that's what we have so far:
- It will create a value named HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos with the data "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"
- It will use Winsock for network access
- It will create fake fields for passwords, account, branch and some personal information, overlapping the real fields of the bank websites
- It will try to reach an SMTP server at the IP address that we found a few steps ago...
From now on, we should think of this application much like spyware. As we noticed, this application uses Winsock, and there are a lot of advantages to hooking itself into Winsock: in Microsoft Windows operating systems, Winsock is the interface through which applications use TCP/IP. This is wonderful for the attacker, because in this way his or her application will be able to monitor all Internet traffic! And that's exactly what he wants: to know when you access the banks' websites!
############################
Phase 4: Final experiments
############################
So, let's set up a mail server and see what this application is trying to send to that IP.
On another machine in the same lab network, I brought up a virtual interface with the same IP address as the machine that ZoneAlarm detected, and repeated the steps of phase 2, visiting the websites and filling in the fake forms. After pressing the last OK, ZoneAlarm alerted me again, and this time I allowed it to connect to port 25 of that IP address.
My mail server handled the whole transaction, which is reproduced below with the help of another friend, Ethereal:
-------------SNIP!------------------------------------------------------
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Nov 2004 17:32:53 -0200
EHLO starinfo
250-localhost.localdomain Hello starinfo [10.0.0.2], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
RSET
250 2.0.0 Reset state
MAIL FROM:<xxxxxx1@bol.com.br>
250 2.1.0 <xxxxxx1@bol.com.br>... Sender ok
RCPT TO:<xxxxxx1@yahoo.com.br>
250 2.1.5 <xxxxxx1@yahoo.com.br>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: xxxxxx1@bol.com.br
Subject: xxxxxx1
To: xxxxxx1@yahoo.com.br
Content-Type: text/plain
Date: Tue, 30 Nov 2004 17:33:02 -0200
X-Priority: 3
X-Library: Indy 9.00.10
=============Banco do Brasil======================
==================================================
BB Tit.= 1. Titular
BB Ag.nc.=
BB Cont.=
BB Senha A.=Atendimento=
BB Senha C.=
==================================================
=============Banco Bradesco=======================
Bradesco Agencia=
Bradesco Conta=
Bradesco Digito=
Bradesco 4 digitos=
Bradesco Cartao=
Bradesco Resposta s.=
==================================================
==============Caixa Economica=====================
Caixa Tipo= 001-Cta. Corrente - P.F.sica
Caixa Agencia=
Caixa Conta=
Caixa S. Intermet=
Caixa Ass. Eletronica=
==================================================
=============Unibanco===========================
Unibanco 30 horas=Internet 30 Horas
Unibanco Agencia=3333
Unibanco Conta=333333
Unibanco Digito=1
Unibanco Senha=1111
Unibanco Assinatura=123123123123123123123
Unibanco Cond. Alfanumerica=zaqxsw
==================================================
=============Banco ITAU===========================
ITAU Conta=
ITAU Agencia=
ITAU Digito=
ITAU Senha Eletronica=
ITAU Senha do cartao=
ITAU % digitos do cartao=
ITAU Data dia=
ITAU Data mes=
ITAU Data ano=
ITAU Numero do portador=
==================================================
=============GErenciador Financeiro===============
Gerenciador Chave=
Gerenciador Senha Acesso=
Gerenciador Senha Conta=
=================================================
============ufaaa acabo :D=======================
.
250 2.0.0 iAUJWrLK000991 Message accepted for delivery
QUIT
221 2.0.0 localhost.localdomain closing connection
-------------SNIP!--------------------------------------------------
Yep...it was sending a report with all the info gathered...
Interesting stuff...the last line of his or her report reads 'ufaaa acabo'.
This means: "finally, the end"...
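A parser for a capture like the one above, added as an example and not part of the original diary: it separates client commands from server replies, collects the DATA payload with dot-unstuffing, splits message headers from the report and returns only the bank fields that actually carried data, which is what an incident responder needs in order to tell the victim what was exfiltrated. The transcript is constructed in the same layout as the capture; the addresses, banner and field values are made up.

```python
import re

# Constructed SMTP session in the layout of the Ethereal capture above. Addresses,
# banner and every field value are made up; only the report layout is the sample's.
TRANSCRIPT = """\
220 mail.example.invalid ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Nov 2004 17:32:53 -0200
EHLO starinfo
250 mail.example.invalid Hello starinfo [10.0.0.2], pleased to meet you
MAIL FROM:<sender@example.invalid>
250 2.1.0 <sender@example.invalid>... Sender ok
RCPT TO:<dropbox@example.invalid>
250 2.1.5 <dropbox@example.invalid>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: sender@example.invalid
X-Library: Indy 9.00.10

=============Banco do Brasil======================
BB Cont.=
==================================================
=============Unibanco===========================
Unibanco Agencia=3333
Unibanco Conta=333333
Unibanco Senha=1111
==================================================
============ufaaa acabo :D=======================
.
250 2.0.0 QUEUEID Message accepted for delivery
QUIT
221 2.0.0 mail.example.invalid closing connection
"""

SERVER_REPLY_RE = re.compile(r"^\d{3}[ -]")    # 250 ..., 250-..., 354 ...
ADDR_RE = re.compile(r"<([^>]*)>")
HEADER_RE = re.compile(r"^([\w-]+):\s*(.*)$")
SECTION_RE = re.compile(r"^=+([^=]+?)=+$")      # =====Banco do Brasil=====
FIELD_RE = re.compile(r"^([^=]+?)\s*=(.*)$")    # Unibanco Conta=333333


def parse_report(lines: list) -> dict:
    """Map each bank section of the stealer's report to its field=value pairs."""
    report, section = {}, "(no section)"
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            report.setdefault(section, {})
            continue
        m = FIELD_RE.match(line)
        if m:
            report.setdefault(section, {})[m.group(1).strip()] = m.group(2).strip()
    return report


def parse_smtp_transcript(text: str) -> dict:
    """Replay a captured SMTP session: envelope, message headers, parsed report."""
    session = {"client_helo": None, "mail_from": None, "rcpt_to": [], "body": []}
    state = "commands"  # commands -> await354 -> data -> commands
    for line in text.splitlines():
        if state == "await354":
            state = "data" if line.startswith("354") else "commands"
            continue
        if state == "data":
            if line == ".":
                state = "commands"
            else:  # undo RFC 5321 dot-stuffing
                session["body"].append(line[1:] if line.startswith("..") else line)
            continue
        if SERVER_REPLY_RE.match(line):
            continue
        upper = line.upper()
        if upper.startswith(("EHLO ", "HELO ")):
            session["client_helo"] = line[5:].strip()
        elif upper.startswith("MAIL FROM:"):
            m = ADDR_RE.search(line)
            session["mail_from"] = m.group(1) if m else line[10:].strip()
        elif upper.startswith("RCPT TO:"):
            m = ADDR_RE.search(line)
            session["rcpt_to"].append(m.group(1) if m else line[8:].strip())
        elif upper == "DATA":
            state = "await354"
    # Headers run until the first line that is not "Name: value"; the rest is the report.
    body, i, headers = session["body"], 0, {}
    while i < len(body) and HEADER_RE.match(body[i]):
        m = HEADER_RE.match(body[i])
        headers[m.group(1)] = m.group(2).strip()
        i += 1
    session["headers"] = headers
    session["report"] = parse_report(body[i:])
    # Only the fields that carry data tell you what the victim actually lost.
    session["stolen"] = {bank: {k: v for k, v in fields.items() if v}
                         for bank, fields in session["report"].items() if any(fields.values())}
    return session
```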
########################
Phase 4: Final Results
########################
- Our assumptions were proven right: this piece of malware was sending the results, through a relay, to those email addresses, with all the user information (account, branch, passwords...)
And finally, after sending this malware to a list of AV vendors, by the end of today, according to VirusTotal, 3 AV engines were already detecting it!
--------------------------------------------------------------------
Handler on Duty for the last time this year: Pedro Bueno (pbueno /AT/ isc.sans.org)