Note: Viewing this diary may very well set off your antivirus software. If it does: tough. Nothing in here is Evil (at least in the incarnation in which it appears here). If you write me to tell me that it set off your AV, I'll quite possibly write back and make fun of you. You've been warned.
SANS/ISC Webcast Today
Be there... Aloha.
An exploit for MS05-017 (that place-holder "0" in front of the 17 inspires confidence, doesn't it?) is now available as part of the Metasploit Framework, so if you aren't patched... well, why aren't you?
MS05-017 (Vulnerability in Message Queuing Could Allow Code Execution / CAN-2005-0059 / KB892944) was part of Microsoft's April 2005 release; more information can be found in the Microsoft security bulletin.
I've not had a chance to test this yet, but H.D. is pretty amazing, so I don't have much question that it works.
Rumor has it that Microsoft will re-release the MS05-019 security update in June, 2005 correcting their removal of raw sockets...
Follow the Bouncing Malware: A Fresh Bounce
Well, some people have pointed out that it's been quite some time since I last posted a "Follow the Bouncing Malware" installment and... well... due to the overwhelming demand (thanks Mom...) here we are.
I thought I would take a look at something more recent, something that might have landed in your inbox sometime over the past couple of weeks, and so I've subtitled this journey: A Fresh Bounce.
Disclaimer: None of the links in the following account are "clickable". There is a very good reason for that. If I make the links clickable, some yahoo out there will click them. If you insist on playing with these sites you'll need, at the very least, to cut and paste to do it. If you infect your machine, don't even think of blaming me. If you write me to tell me that you infected yourself, I'll quite possibly write back and make fun of you. You've been warned.
Just the other day, I received the following urgent message via a mailing list address at incidents.org. Poor li'l Sasha was obviously in need of some help:
Ok... Maybe it was Jude who was in need of help... Or Lucas.... or Norman... or Marlin... or... Jabari...
But I digress...
Suffice to say that someone, somewhere, was in urgent need of my help. And a grammar checker.
How could I possibly ignore their plea?
Well, if I were like most of the rest of you heartless swine, I would simply click the "delete" button in Outlook. But, to quote the Kink^Hg of Pop in a distant yet eerily prescient incarnation of himself, "I'm not like the other guys..." and so I started to click the delete button in Thunderbird.
But I couldn't bring myself to do it.
The dang batteries on my cordless mouse chose that moment to go dead.
Having had far too little sleep, and far too much caffeine, I seized on this as some sort of sign (I have a tendency to do that... sometime I'll tell you the story of the Twinkie that, for several months, I believed was the reincarnation of my recently deceased cat...) and decided to swap in some fresh double-A's and investigate what might be troubling Sasha/Jude/Lucas/Norman/Marlin/Jabari (hereinafter referred to as SJLNMJ).
Disjointed thoughts and poor punctuation were the least of SJLNMJ's issues. There was Evil lurking in this message: HTML.
Email messages are supposed to be text, thank you. Text. Only text. If God had intended for email to be written in HTML, then the traditional signoff of prayers would be </amen>.
But, I digress...
While the text portion of SJLNMJ's message reads like James Joyce on crack, perhaps a review of the HTML portion of SJLNMJ's message would make things clearer:
Ah! That's so much clearer. (Okay... I lied. It's still gibberish.)
Hey! What?s that at the end? An OBJECT tag! Oooo! How fun!
Let?s see where it leads!
(Note: I said "let's," but face it, I really didn't mean it. Remember: Don't even think about trying this yourself, boys and girls. You stay here... I'll go in first...)
(Note #2: I'm talking to you, Mr. "I Know What I'm Doing." Don't try it.)
Grabbing the results of that PHP script with the parameter "action=click" gives us the following:
And so, with reckless abandon, complete disregard for personal safety, and a 20 oz Mountain Dew, I returned to the Russian oil bank, lookin' for a little action... uh... equals install:
(Remember... I'm 10' tall and bulletproof. You're not. Don't try this at home.)
<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>
Dang... It looks like a dictionary threw up. (Note: The above is an inexact replica of the actual file that I downloaded. Some of the characters in the original can't be displayed properly in the diary. Sorry 'bout that.)
And now, dear reader, I'm going to let you in on a little secret. Please understand though that what I'm about to tell you must remain absolutely confidential... it's super top secret: All of that stuff up there...
Somebody has written some stuff that THEY DON'T WANT US TO SEE.
Shhhh... don?t tell anyone.
Ok. So perhaps that was... well... blatantly obvious.
But what isn't obvious is how we're going to deal with this stuff. Get ready boys and girls, 'cause kindly ol' Dr. Tom is gonna take you on a trip down Reverse Engineering Lane and hopefully teach you a thing or three about how to deal with this kind of code obfuscation all on your own.
Now, many years ago, back when I was younger, dumber, and more energetic, I would have banged together some Perl code to try to make some sense out of that wad of characters. Time has mellowed me, however, and I've come to understand that youthful energy and enthusiasm can nearly always get the daylights kicked out of it by the lazy deviousness that comes with age. "Why work harder when you can work smarter?" and several other clichés of that ilk come to mind. I've come to a place in my life now where I can cause my adversary to use his own skills against himself, much like the Road Runner always does to Wile E. Coyote. (I bet you thought I was going to go for some Zen/Kung Fu reference, didn't you...) The key observation: obfuscated script has to decode itself before the browser can run it, so the decoder is sitting right there in the file. We don't have to understand the encoding at all; we only have to redirect where the decoded result goes.
It turns out that it?s not too difficult to accomplish that.
Whoa... it almost sounds like I know what I'm talking about, doesn't it?
Before I continue, please note: Never, EVER do this on a production machine. Never do this on a machine that will be used for anything else. Never do this on any machine connected to the network. Never do this on a machine you're not prepared to format and reinstall. Never, EVER, spit into the wind.
First, we're going to stick a few lines of JScript at the very top of the script, so that it has somewhere other than the live page to write to:

    var fso, output;
    // Reconstructed from the description below: create a FileSystemObject
    // and open C:\test.txt for writing; "output" is our handle to that file.
    fso = new ActiveXObject("Scripting.FileSystemObject");
    output = fso.CreateTextFile("C:\\test.txt", true);
Then, we're going to change the "document.writeln()" function call at the end of the code to be a call to "output.write()".
Why? Well, that first snippet creates a FileSystemObject, which it then uses to open a file called "test.txt" on the root of our C: drive. The "handle" to the output file is called, conveniently enough, "output." We then change the call from document.writeln() to a call to output.write(), and anything that was going to be written into the live HTML document will now go into our output file instead. The decoder runs exactly as its author wrote it; only the destination changed.
We then fire the newly edited script off in Internet Explorer on a convenient sacrificial box and lo! We find the decoded output in C:\test.txt.
Now someone, somewhere, spent a great deal of time thinking up that whole "encoding" scheme. Several hours were spent, huddled over a keyboard, creating the functions to both encode and decode that gibberish, and we just blew it all away with about two minutes' work. As you can see, it didn't really "hide" much of anything from us... Perhaps that anonymous programmer's time would have been better spent taking... say... an ethics class...
Looking for a real job...
Learning to program in a real language...
But I digress...
The output in my "test.txt" file looked like this:
Well now. Ain't that purty? I really do appreciate the way that they're not even attempting to rationalize what they're doing... with variable names like "Trojan_Path" staring you in the face, it's sorta hard to keep up the charade that you're writing an app for "market research."
Speaking of "Trojan_Path," let's see what we find at the other end...
The file divx.exe is a Win32 executable, 21,536 bytes long. A quick look at the file reveals that it has been packed with FSG and has a really mangled PE header and a tiny, really whacked MZ header. Once again, someone is trying to hide something...
Packed / obfuscated executables are nothing more than an annoyance. They don't stand up to a determined effort to unpack them because, like the "encoding" we just blew away, a packed executable has to carry its own unpacking stub along with it; the keys to the kingdom are always on board. Generally, with a little coaxing, they give up their secrets. FSG is no exception, and with a bit of effort I was able to unpack the divx.exe executable. When I did, I found all sorts of interesting stuff...
When executed, divx.exe copies itself to the windows\system32 folder under the name winldra.exe, installs a key to launch itself in HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and dumps several DLL files in the system32 folder. These DLL files are used by the executable to latch itself into the Windows CBT hook (the WH_CBT hook type, whose callback is CBTProc), a rather dubious "feature" of the operating system that was intended to let Computer Based Training programs monitor what's going on in the active window. According to Microsoft, "The system calls this function before activating, creating, destroying, minimizing, maximizing, moving, or sizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the keyboard focus; or before synchronizing with the system message queue. A computer-based training (CBT) application uses this hook procedure to receive useful notifications from the system."
Pretty darned useful, if you?re a virus.
With that viewpoint, the program watches for access to several banking sites:
There are also some shenanigans done with several citibank.de hosts, but I'm not entirely sure how that works...
Ever helpful, the program then corrects any math errors the user may make while using the site.
(Just checking to see if you were still paying attention...)
It actually captures text within any browser session associated with one of those sites, saves it to a file, and sends it off via email. Then, in a fit of pique and poor grammar, it commemorates the occasion with a registry entry:
HKCU\Software\SARS\mailsended = 1
Really nice, eh?
It also takes the now-passé step of diddling with the user's hosts file and routing a large list of antivirus vendor sites to the loopback address, so the infected machine can no longer reach its AV vendor for updates or a cleanup tool.
FYI: When I first started playing with this chunk o' malware I sent it off to all of the major AV vendors and it should currently be identified by their signature files. Attempts were made to get the offending sites shut down as well.
So after all of that, I suddenly find myself re-thinking the whole "good Samaritan" thing where ol' SJLNMJ is concerned. Yes, SJLNMJ needed help alright... he/she/they/it needed help getting at the funds in my online bank account (of which I have none...)
I've learned my lesson: helping others is bad. The crooks and thieves of this world rely on and use our better natures against us. You won't catch me making THAT mistake again...
Hey! Lookie here! There?s this dude in Nigeria that has to find a way to get $50,000,000 US out of the country... all he needs is a little help.
Handler on Duty
Tom Liston - Intelguardians Network Intelligence, LLC - tom at intelguardians dot com
Sep 7th 2005