
SANS ISC: ".sys" Directories Delivering Driveby Downloads - SANS Internet Storm Center



Our reader Paul observed malware being delivered from the ".sys" directory of various web sites. The URL follows the scheme:

http://evilexample.com/.sys/?action=....

After clicking the link, the user is asked to install software. According to Paul, he observed the link being delivered via Facebook, which of course makes the message more plausible: users are likely to install the software thinking it came from a "Friend". Before adding a specific block for ".sys", Paul's web filter caught only about 60% of these exploits.

Once a user follows the link, additional exe files are downloaded from ".sys" directories. The file names Paul observed are p.exe, go.exe and v2captcha21.exe.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

This is very standard Koobface command and control traffic and has been occurring in the .sys URI format for many months. You'll see commands to generate Facebook accounts (fbgen), MySpace accounts (msgen) and a host of other miscellaneous commands like the captcha-solving commands Paul saw. A host infected with this version of Koobface will be detected by various Emerging Threats Koobface signatures.
Anonymous

Other iffy links seem to be in this format:

/.sys/?action=fbgen&v=
/.sys/index.html?getexe=fb.101.exe
/.sys/index.html?getexe=fb.75.exe
/.sys/index.html?getexe=fb.84.exe
/.sys/index.html?getexe=fbcheck.exe
/.sys/index.html?getexe=get.exe
/.sys/index.html?getexe=go.exe
/.sys/index.html?getexe=hosts2.exe
/.sys/index.html?getexe=loader.exe
/.sys/index.html?getexe=pp.12.exe
/.sys/index.html?getexe=pp.14.exe
/.sys/index.html?getexe=v2captcha.exe
/.sys/index.html?getexe=v2captcha21.exe
/.sys/index.html?getexe=v2prx.exe
/.sys/index.html?getexe=v2webserver.exe

filenames:

v2captcha21.exe
v2bloggerjs.exe
fb.84.exe
fbcheck.exe
go.exe
v2prx.exe
fb.82.exe
pp.14.exe
v2webserver.exe
hosts2.exe
be.20.exe
tg.16.exe
ms.26.exe
Sanesecurity

Yes, a bit more digging did show the Koobface connection. What surprised me most was that our web filtering vendor was doing such a bad job of catching what is fairly common malicious traffic.
Paul

Is your web filter permitting the exe files to transit? In our shop, restricting access to exe files to trusted users was one of the first things we did when we brought in a web filter.
peter

For those who use the Emerging Threats Snort rules, SID 2010335 (ET TROJAN Koobface Beaconing (action=)) covers GET requests for "/.sys/?action=".
Anonymous

@peter, much as it would be nice to block all .exe's via the web filter, that's just not workable in this environment...
Paul

We saw this sort of download on our IDS a week ago:

> 2010-03-16-16:16:34 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/57960 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=p.exe

> 2010-03-16-16:21:57 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/36411 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=v2webserver.exe

> 2010-03-16-16:21:57 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/36411 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=v2captcha21.exe

so the .sys part seems to be consistent, but the latter part may vary. MD5 hashes are:

cb255ee2f94d5c6ed11eb5c111ea45c1 v2captcha.exe
d5db0c2908d025c792231901deeacf42 v2webserver.exe
7531ab1f4480b80ecb57d0a955d0b7c6 com-p.exe
beamer

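Putting the diary's URL scheme and beamer's Bro records together, here is an added Python example (not code from the diary, Emerging Threats or any poster) that scans Bro-style HTTP_WatchedMIMEType lines for requests into a `/.sys/` path carrying either the `action=` parameter from the beaconing rule or the `getexe=` parameter used for the follow-on executables. The sample lines, host names and addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the Bro HTTP_WatchedMIMEType format quoted in
# the thread. Host names and addresses are placeholders, not real indicators.
SAMPLE_LINES = [
    "<bro> a.b.c.d/57960 > 203.0.113.10/http application/x-dosexec GET http://example.invalid/.sys/?getexe=p.exe",
    "<bro> a.b.c.d/36411 > 203.0.113.10/http text/html GET http://example.invalid/.sys/?action=fbgen&v=",
    "<bro> a.b.c.d/40001 > 203.0.113.11/http application/x-dosexec GET http://example.invalid/.sys/index.html?getexe=go.exe",
    "<bro> a.b.c.d/40002 > 203.0.113.12/http text/html GET http://example.invalid/news/index.html?action=view",
    "<bro> a.b.c.d/40003 > 203.0.113.13/http application/x-dosexec GET http://example.invalid/downloads/setup.exe",
]

# Field layout of one record: <bro> src/port > dst/port mime METHOD url
LINE_RE = re.compile(
    r"^<bro>\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+(?P<mime>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# Query parameters seen in the thread: action= (beaconing, what the Snort
# rule keys on) and getexe= (fetches of the follow-on executables).
SYS_PARAMS = ("action", "getexe")


def classify_url(url):
    """Return the matching query parameter if the request targets a /.sys/
    path with one of the known parameters, otherwise None."""
    parts = urlsplit(url)
    if not parts.path.startswith("/.sys/"):
        return None
    # keep_blank_values so a bare "?action=" still counts as a hit
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in SYS_PARAMS:
        if name in query:
            return name
    return None


def scan_lines(lines):
    """Return (url, parameter, mime) for every record matching the pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a watched-MIME record; ignore it
        param = classify_url(m.group("url"))
        if param is not None:
            hits.append((m.group("url"), param, m.group("mime")))
    return hits


if __name__ == "__main__":
    for url, param, mime in scan_lines(SAMPLE_LINES):
        print(f"{param:6} {mime:22} {url}")
```

The MIME column is carried along so that a `getexe=` hit served as `application/x-dosexec` can be escalated above a plain beacon.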
