Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - An Israeli patriot program or a trojan InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

An Israeli patriot program or a trojan

Published: 2009-01-07
Last Updated: 2009-01-07 18:40:22 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

Recently we have been witnessing a rise of politically motivated hacking attacks by supporters both sides involved in military actions in Gaza. This was more or less expected, whenever two sides collide there will be people supporting them, even through various attacks on the Internet.

Over the weekend another site popped up, www.help-israel-win.com which is down at the moment. According to what was posted on the site, it was built by "a group of students who are tired of sitting around doing nothing".

The site asked visitors supporting Israel to download and install a file from the site (called PatriotInstaller.exe) that will help disrupt their enemy's efforts.

Obviously, the file looks suspicious so I went to analyze it. The installer is an NSIS packed .NET executable that has been subsequently obfuscated with Dotfuscator. Dotfuscator is a commercial .NET obfuscation tool that stops you from easily analyzing .NET executables since they can be normally (relatively) easy decompiled as they are stored as CIL (Common Language Infrastructure), something similar to Java bytecode.

So, no text strings are visible in the code and it can be (again, relatively) difficult to analyze, but not impossible, of course:

Trojan

After playing with it a bit (and executing it in a safe environment), the program just connects to an IRC C&C server running on port 80. It has a hardcoded list of C&C servers containing IP addresses and DNS names, probably if some of those hardcoded IP addresses go down. Here's the list extracted and deobfuscated from the binary:

74.200.82.243:80
74.204.170.92:80
213.175.205.254:80
94.76.212.76:80
94.76.212.77:80
74.204.188.161:80
74.204.188.180:80
pati.dyndns.info
defend.is-a-geek.net
pati.servebeer.com
rocker.redirectme.net
pati.chickenkiller.com
takemeout.jumpingcrab.com

The embedded IRC client uses a well known (and legitimate) IRC client library SmartIrc4net. The binary has some commands embedded as well, which can help distinguish what it can do:

.connect
.close
.stop
.hide
.show
.update
.version
.refresh
.platform
.memory
.cpu
.login


Finally, it can retrieve a remote file and save it on the local machine as TmpUpdateFile.exe – certainly sounds fishy.
While at the moment it does not appear to do anything bad (it just connects to the IRC server and sites there – there also appeared to be around 1000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this.

The uninstall process seems to be correct, as the author(s) say on the web page, but it is questionable if the binary will download something else.

In any case, and as always – be careful what you download and run on your machine, especially if it's coming from unknown sources that you can't trust.

--
Bojan
 

0 comment(s)
Diary Archives