Last Updated: 2006-06-07 00:02:23 UTC
by Swa Frantzen (Version: 1)
Detection

We got an interesting piece of malware from one of our readers, Robert. Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams "spam bot", Robert decided to analyze the box further.
He captured some packets (you know that we at ISC love to analyze network traffic) and found an interesting binary that he submitted to us for analysis.
Received results for file: extdrvr.exe

Antivirus            Version           Last update   Result
AntiVir              220.127.116.11    06.06.2006    no virus found
Authentium           4.93.8            06.06.2006    no virus found
Avast                4.7.844.0         06.06.2006    no virus found
AVG                  386               06.06.2006    no virus found
BitDefender          7.2               06.06.2006    no virus found
CAT-QuickHeal        8.00              06.06.2006    no virus found
ClamAV               devel-20060426    06.06.2006    no virus found
DrWeb                4.33              06.06.2006    no virus found
eTrust-InoculateIT   23.72.29          06.06.2006    no virus found
eTrust-Vet           12.6.2244         06.06.2006    no virus found
Ewido                3.5               06.06.2006    no virus found
Fortinet             18.104.22.168     06.06.2006    no virus found
F-Prot               3.16f             06.06.2006    no virus found
Ikarus               0.2.65.0          06.06.2006    no virus found
Kaspersky            22.214.171.124    06.06.2006    no virus found
McAfee               4778              06.06.2006    no virus found
Microsoft            1.1441            06.07.2006    no virus found
NOD32v2              1.1582            06.06.2006    no virus found
Norman               5.90.17           06.06.2006    no virus found
Panda                126.96.36.199     06.06.2006    Suspicious file
Sophos               4.05.0            06.06.2006    no virus found
Symantec             8.0               06.06.2006    no virus found
TheHacker            188.8.131.52      06.05.2006    no virus found
UNA                  1.83              06.06.2006    no virus found
VBA32                3.11.0            06.06.2006    no virus found
After we analyzed this binary, we discovered a malware jungle. This is what's happening:
extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty: at the time we were writing this diary, just one of the 26 anti-virus engines on VirusTotal flagged it as suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.
But that's not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.
The first downloader that the main spam bot fetches is http://184.108.40.206/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so making money *is* behind all this) from a well known malware network (one that some of you have probably already filtered): http://220.127.116.11/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://18.104.22.168/[REMOVED]/getnumtemp.asp?nip=0.
If this wasn't enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://22.214.171.124/[REMOVED]. We're not completely sure what this downloader does, as it will download about 14kb of data from various sites, but this data seems to be encrypted. When we get more information about this, we'll update the diary.
Back to the spam bot. What's interesting is that it downloads a new hosts file and replaces the machine's own with it. Big deal, we've seen that a million times. But besides the usual AV vendors' web sites and Microsoft Windows Update, the newly downloaded hosts file also prevents the user from visiting about 50 .biz sites that are well known for spreading malware (for example www.iframebiz.biz, www.toolbarbiz.biz, etc.). Trying to eliminate the competition here?
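A hosts file that pins AV vendor and Windows Update names to a bogus address is exactly the kind of thing the diary suggests watching for. The checker below is an added example, not code from the diary or from Robert's analysis; the watch list and the sample hosts contents are constructed for illustration, and a real deployment would read the system hosts file and carry the vendor domains your own environment depends on.

```python
"""Flag hosts-file entries that redirect security-vendor or update domains.

Added example (not from the ISC diary). WATCHED_SUFFIXES and SAMPLE_HOSTS
are constructed assumptions. On Windows the real file lives at
%SystemRoot%\System32\drivers\etc\hosts; on Unix at /etc/hosts.
"""
import ipaddress

# Domains a legitimate hosts file should never map anywhere. Assumption:
# a short, constructed watch list; extend it with your own vendors.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "kaspersky.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Handles blank lines, full-line and inline '#' comments and several
    names on one line, which both the Windows and Unix formats allow.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping
        for name in fields[1:]:
            yield str(ip), name.lower().rstrip("."), line_no


def matches_watchlist(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked(text):
    """Return the mappings that pin a watched domain to any address.

    127.0.0.1 and 0.0.0.0 are the usual choice for this blocking trick,
    but a watched domain mapped anywhere at all deserves a second look.
    """
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if matches_watchlist(name):
            hits.append({"line": line_no, "ip": ip, "host": name})
    return hits


# Constructed sample: a stock Windows hosts file with entries appended
# in the style the diary describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- entries appended by malware (constructed sample) ---
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       windowsupdate.microsoft.com   # inline comment
127.0.0.1       www.iframebiz.biz
0.0.0.0         liveupdate.symantec.com
"""

if __name__ == "__main__":
    for hit in find_hijacked(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

Note that the .biz entry is not reported: blocking a known malware site is not by itself harmful, so the check keys on the domains a victim must be able to reach (vendor updates) rather than on everything the file contains. Comparing the file against a known-good copy, or alerting on any change at all, is the simpler complement for a host with a stable hosts file.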
As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected, so we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absence of an IDS, could do the trick. Looking for spikes in outgoing e-mail is a good way to detect unexpected spam bots such as this one. The blocking of the traditional sites via the hosts file is also a good thing to build monitoring for: if it gets used you know something is going on, and a second look will be well spent effort.
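The "spike in outgoing e-mail" check is straightforward to build from whatever connection log you already have. The script below is an added example, not from the diary or from Robert's setup; the one-line log format, the sample lines, the allowed relay and the threshold are all constructed assumptions, and parse_line() is the only piece that needs adapting to a real firewall or netflow export.

```python
"""Spot internal hosts that suddenly talk SMTP to many external servers.

Added example (not from the ISC diary). The log layout
'YYYY-mm-ddTHH:MM:SS src dst dport action', ALLOWED_RELAYS, INTERNAL_NETS,
the threshold and SAMPLE_LOG are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hosts expected to send mail directly (assumption: the site's real mail
# relays). Anything else opening port 25 to the Internet is worth a look.
ALLOWED_RELAYS = {"10.0.0.25"}
# The organisation's own address space (assumption); peers outside it
# count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Alert once a host reaches more distinct external SMTP peers than this
# inside one WINDOW.
DISTINCT_PEER_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action,
        }
    except ValueError:
        return None


def is_external(ip):
    """True if ip lies outside INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def smtp_bursts(lines):
    """Return {src: peak_peer_count} for internal hosts that reached more
    than DISTINCT_PEER_THRESHOLD distinct external SMTP servers in WINDOW.

    A sliding window over each source's connection times means a slow,
    legitimate trickle of direct mail over hours does not trip the alert,
    while a bot working through a downloaded address list does.
    """
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != 25:
            continue
        if ev["src"] in ALLOWED_RELAYS or not is_external(ev["dst"]):
            continue
        events[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, conns in events.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > WINDOW:
                start += 1
            peers = {dst for _, dst in conns[start:end + 1]}
            if len(peers) > DISTINCT_PEER_THRESHOLD:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


# Constructed sample: the relay doing its job, one bot (10.0.1.7) blasting
# six servers in a minute, a workstation using the relay, a host sending
# one message every twenty minutes, and a junk line.
SAMPLE_LOG = """\
2006-06-06T10:00:01 10.0.0.25 203.0.113.10 25 allow
2006-06-06T10:00:02 10.0.0.25 203.0.113.11 25 allow
2006-06-06T10:01:00 10.0.1.7 203.0.113.20 25 allow
2006-06-06T10:01:05 10.0.1.7 203.0.113.21 25 allow
2006-06-06T10:01:10 10.0.1.7 198.51.100.5 25 allow
2006-06-06T10:01:12 10.0.1.7 198.51.100.6 25 allow
2006-06-06T10:01:20 10.0.1.7 198.51.100.7 25 allow
2006-06-06T10:01:25 10.0.1.7 198.51.100.8 25 allow
2006-06-06T10:01:30 10.0.1.7 198.51.100.8 25 allow
2006-06-06T10:02:00 10.0.1.9 203.0.113.80 80 allow
2006-06-06T10:02:00 10.0.1.9 10.0.0.25 25 allow
2006-06-06T09:00:00 10.0.2.3 203.0.113.30 25 allow
2006-06-06T09:20:00 10.0.2.3 203.0.113.31 25 allow
2006-06-06T09:40:00 10.0.2.3 203.0.113.32 25 allow
2006-06-06T10:00:00 10.0.2.3 203.0.113.33 25 allow
2006-06-06T10:20:00 10.0.2.3 203.0.113.34 25 allow
2006-06-06T10:40:00 10.0.2.3 203.0.113.35 25 allow
garbage line
"""

if __name__ == "__main__":
    for src, peers in smtp_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {peers} distinct external SMTP peers within {WINDOW}")
```

Counting distinct destination servers rather than raw connections is deliberate: a spam bot working through its downloaded address list fans out to many MX hosts, whereas a legitimate client retrying one server produces many connections to a single peer. The same approach with a per-host baseline is what catches the quieter bots.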
Removal? Once you are dealing with dozens of pieces of malware embedding themselves left and right, your chances of getting them off painlessly have run out.
Finding everything that went wrong is very hard, as you may be looking at malware that is pulled in dynamically and changes between the moment the machine got it and the moment you go and fetch it again, potentially changing (and thus invalidating) much of your results.
Proactively keeping all systems up to date is good and helps, but making sure the really secret material cannot reside on, or even be consulted from, a machine that is somehow connected to the Internet is a good step as well. A good place to build this in is a data classification (or rather data handling) policy: define the most critical information assets and isolate them.
At this point we have not yet identified the initial infection vector.