
SANS ISC: InfoSec Handlers Diary Blog - Evil Google Ads



Evil Google Ads

Published: 2007-07-08
Last Updated: 2007-07-08 22:26:18 UTC
by Marcus Sachs (Version: 1)

Robert sent us some nice analysis earlier today about some hostile ads he discovered at Google.  As best we can tell they are gone now, but here are his findings.

Searching for some free templates at Google may bring you nasty things you won't want to have:

http://www.google.com/search?hl=en&q=kostenlose+vorlagen&btnG=Google+Search

Have a look at the first advertising link "Kostenlos-Vorlagen.info"

All files there (all the same) are detected as:

Scanner             Version        Updated      Detection
AntiVir             7.4.0.39       07.07.2007   TR/Spy.BZub.JD.1
F-Secure            6.70.13260.0   07.07.2007   W32/Malware
Ikarus              T3.1.1.8       07.07.2007   Trojan-Spy.Win32.Goldun.lw
Kaspersky           4.0.2.24       07.07.2007   Trojan-Spy.Win32.BZub.jd
Microsoft           1.2704         07.07.2007   TrojanDropper:Win32/Small.OT
Norman              5.80.02        07.06.2007   W32/Malware
Sophos              4.19.0         07.06.2007   Mal/Binder-C
Webwasher-Gateway   6.0.1          07.07.2007   Trojan.Spy.BZub.JD.1

After executing, the malware drops a file named:

C:\WINDOWS\System32\ipv6monl.dll

It hooks as a BHO under CLSID:

HKEY_CLASSES_ROOT\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32

To do so it looks for activated browser extensions:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Enable Browser Extensions" = yes

It also ensures that IE can bypass the Windows Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer

The keylogger function checks for banking logins and, if recognized, logs this information and sends it to a server.
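
One way to check a host's registry export for the BHO and firewall indicators Robert lists, as an added example that is not part of the diary or of Robert's analysis: it parses a constructed .reg export (the sample data and the function names are assumptions) and flags the CLSID whose InprocServer32 points at ipv6monl.dll and the authorized-applications entry for IEXPLORE.EXE.

```python
# Indicators from Robert's analysis above; the rest of this script is an added example.
BHO_CLSID = "{36DBC179-A19F-48F2-B16A-6A3E19B42A87}"
DROPPED_DLL = "ipv6monl.dll"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")):
            # .reg files write each backslash as a double backslash; undo that here
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"').replace("\\\\", "\\")
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return human-readable findings for the BHO and firewall indicators."""
    findings = []
    for path, values in keys.items():
        upper = path.upper()
        # A CLSID whose in-process server is the dropped DLL
        if upper.endswith("\\CLSID\\" + BHO_CLSID + "\\INPROCSERVER32"):
            server = values.get("(Default)", "")
            if server.lower().endswith(DROPPED_DLL):
                findings.append("BHO %s loads %s" % (BHO_CLSID, server))
        # Internet Explorer added to the XP firewall's authorized applications
        if upper == FW_LIST_KEY.upper():
            for name, data in values.items():
                if name.lower().endswith("iexplore.exe") and ":Enabled:" in data:
                    findings.append("Firewall exception for " + name)
    return findings

# Constructed sample export reproducing the keys described above (not a real capture)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32]
@="C:\\WINDOWS\\System32\\ipv6monl.dll"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
'''

for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
    print(finding)
```

On a real host the input would be the output of `reg export` for the two hives; the same rules can be pointed at any other CLSID or DLL name by changing the two constants.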

Thanks, Robert!  Great job of analysis.

Marcus H. Sachs
Director, SANS Internet Storm Center
