Last Updated: 2007-11-30 02:29:48 UTC
by Bojan Zdrnja (Version: 2)
Recently I spent some time analyzing a relatively simple BHO (Browser Helper Object) just to see what the bad guys were really doing with it.
The BHO was dropped by an executable, which was part of a bigger adware package pretending to be an anti-virus program (of course). The only dropped file by this dropper was actually the DLL used by the BHO which the dropper registered with the system.
After quick analysis I found out that the BHO captured queries for various search engines and other commonly visited web sites and submitted them to a third web site. That web site had a possibility of displaying various ads on the infected machine (when I tested the BHO that component did not work).
The list of sites that the BHO stole information from was impressive – there were almost 140 sites monitored. For every site, the BHO had information about exactly what to extract, so only the user’s query was sent and not the whole URL.
For example, for wikipedia.org, the BHO extracted the search= parameter, while for search.yahoo.com it extracted the p= parameter.
The extracted parameters where then submitted to a third site (which is not working any more) with the following request:
Two most interesting things in this request are the svPOPUP and svKEYWORDS arguments. The svPOPUP tells the ad site to display targeted ads, related to the keywords submitted in the svKEYWORDS argument. As you can probably guess, those are the search terms that the user entered.
This was all more or less standard, only the number of monitored web sites seemed pretty high – this BHO certainly had a serious impact on a user’s privacy.
After I searched the web a bit, I found out that Elia Florio from Symantec already described another variant of this same BHO which they called Trojan.Advatrix (Symantec's description is here). Besides the information I already had, that particular variant did something else to the machine. Something very, very mean.
Elia found out that the BHO modifies Internet Explorer so that it becomes vulnerable to two security vulnerabilities: MS06-014 known as the MDAC vulnerability and MS07-017, known as the ANI vulnerability.
These two vulnerabilities are probably the most exploited vulnerabilities in Internet Explorer today. The MS06-014 vulnerability is practically a part of every exploit pack today (and is certainly in MPACK, which is the most popular one). Exploits for the ANI vulnerability can also still be found almost everywhere.
What makes me extremely worried is how hidden this whole thing is. The BHO just modifies Internet Explorer’s image which means that no files are written to the disk. In other words, such a machine will look completely patched to Windows Update or any other patch checking system. However, while the BHO is active, the machine will be vulnerable to two most exploited client side vulnerabilities in last couple of years.
The last line of defense, the anti-virus program, is not particularly helpful here either. The dropper I had was detected by only 13 out of 32 AV programs on VirusTotal and the DLL detection was even worse with only 7 AV programs detecting it.
While there are many lessons to learn from this malware, I would like to stress out one really important thing: when a machine gets infected, your only option is to reinstall it from scratch. With today’s malware phoning home and installing stealth, updated modules, this is really a no brainer.
We got couple of questions about this "memory modification" that causes Internet Explorer to be vulnerable to old vulnerabilities, so here's a short explanation about this.
When you patch your system, the patching utility basically just replaces old files - OS files, libraries (DLLs) and similar files on your system with new revisions which fix vulnerabilities. Complex software, such as Internet Explorer, loads tens of different libraries and other files. Some of these libraries were previously affected with vulnerabilities that have been patched. Those files are generally the same as before, just the vulnerable part has been modified.
So, once Internet Explorer loads such libraries in memory in order to use them, Advatrix finds them and modifies patched parts of the code (just overwrites the fixed code with the code from the previous (unpatched) library). This way the current instance of Internet Explorer is vulnerable to those two vulnerabilities even though the libraries that are saved on the disk are current and patched.
The point of patching is to prevent your machine to be exploited through old vulnerabilities - keep in mind that in this case the machine has already been infected with something (through some other infection vectors).
One of the key points here is that until you remove the BHO, the machine stays vulnerable to those two vulnerabilities (and this will inevitably lead to other infections, no matter how good your AV software is). And the worst thing is that patch checking software will report machine as being up to date with all released patches.