Fake Microsoft Security Bulletin -> Malicious Browser Add-On

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Johannes Ullrich

Threat Level: green

Fake Microsoft Security Bulletin -> Malicious Browser Add-On
Dave Edwards let us know about an email message that claims to be a Microsoft Security Bulletin: Microsoft Security Bulletin MS06-4 Cumulative Security Update for Internet Explorer (113742734) Published: June 3, 2007 Version: 1.0 Summary Who should read this document: Customers who use Microsoft Windows Impact of Vulnerability: Remote Code Execution Maximum Severity Rating: Critical Recommendation: Customers should apply the update immediately. Of course, the proper format for the bulletin number would be "MS06-004", not "MS06-4". Second, the number of a bulletin released in 2007 would start with "MS07", not "MS06". The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal. The executable installs a malicious browser add-on (BHO) "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk. This seems to be a downloader that ~~is also~~ may be capable of spying on the user's interactions with certain sites. Update 1: After analyzing down.dll, Symantec Security Response let us know that the program attempts contacting 3 servers via URLs that look like: http://[server_name]/command.php?userid[REMOVED] The remote command.php script seems to assist the program in creating a local configuration file that gets saved in %System%\commands.xml. The program uses the XML file to determine how to download and execute other programs from remote locations, saving them as %System%\file.exe. None of the 3 servers where the program attempts to download the XML file are available at the moment. I find it interesting that 2 of the servers are expected to reside in domains that have not even been registered yet. It is possible that the attacker is still in the process of setting up his or her attack network. The other server is part of a domain that has been registered for a while; however, the server is not currently accessible. Google cache suggests that when the server was up, it was being used to record user passwords, probably as part of another attack campaign. Update 2: Please keep in mind that Microsoft never sends out updates as attachments (Thanks, Zot!) They have a page to explain the issue: http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx Update 3: Upon our request, the ISP controlling the system that was distributing updatems06.exe removed the offending file from the server. -- Lenny Lenny Zeltser InfoSec Practice Leader Gemini Systems, LLC www.zeltser.com	Lenny 216 Posts Jun 11th 2007
Thread locked Subscribe	Jun 11th 2007 1 decade ago