Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-06 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

A malware jungle

Published: 2006-06-06
Last Updated: 2006-06-07 00:02:23 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Detection

We got an interesting piece of malware from one of our readers, Robert. Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams: spam bot, Robert decided to analyze the box further.

He captured some packets (you know that we at ISC love to analyze network traffic) and found an interesting binary that he submitted to us for analysis

Analysis

55e30602f27fa4272c3bd2dd9d701224  extdrvr.exe

Received results for file: extdrvr.exe
==========================
Antivirus               Version            Last update    Result
AntiVir                 6.34.1.37          06.06.2006    no virus found
Authentium              4.93.8             06.06.2006    no virus found
Avast                   4.7.844.0          06.06.2006    no virus found
AVG                     386                06.06.2006    no virus found
BitDefender             7.2                06.06.2006    no virus found
CAT-QuickHeal           8.00               06.06.2006    no virus found
ClamAV                  devel-20060426     06.06.2006    no virus found
DrWeb                    4.33              06.06.2006    no virus found
eTrust-InoculateIT      23.72.29           06.06.2006    no virus found
eTrust-Vet              12.6.2244          06.06.2006    no virus found
Ewido                   3.5                06.06.2006    no virus found
Fortinet                2.77.0.0           06.06.2006    no virus found
F-Prot                  3.16f              06.06.2006    no virus found
Ikarus                  0.2.65.0           06.06.2006    no virus found
Kaspersky               4.0.2.24           06.06.2006    no virus found
McAfee                  4778               06.06.2006    no virus found
Microsoft               1.1441             06.07.2006    no virus found
NOD32v2                 1.1582             06.06.2006    no virus found
Norman                  5.90.17            06.06.2006    no virus found
Panda                   9.0.0.4            06.06.2006    Suspicious file
Sophos                  4.05.0             06.06.2006    no virus found
Symantec                8.0                06.06.2006    no virus found
TheHacker               5.9.8.155          06.05.2006    no virus found
UNA                     1.83               06.06.2006    no virus found
VBA32                   3.11.0             06.06.2006    no virus found


After we analyzed this binary, we discovered a malware jungle. So, this is what's happening:

extdrvr.exe is a spam bot that Robert detected. This malware is particularly nasty as, at the moment when we were writing this diary, just one of the 26 anti-virus programs on VirusTotal finding it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.

But that's not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.

First downloader that the main spam bot downloads is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this), from a well known malware network (that some of you probably already filtered): http://85.255.114.166/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.

0815205b98f2449de6db9b89cfae6f24  d1.html
3a62b9180ae98b9ad32980d0fbe1aa72  [REMOVED].exe

If this wasn't enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED]. We're not completely sure what this downloader does, as it will download about 14kb of data from various sites, but this data seems to be encrypted. When we get more information about this, we'll update the diary.

1083e1401bc49ff8c167e912a3555c20  [REMOVED]

Back to the spam bot. What's interesting is that it will download and replace the machine's hosts file. Big deal, we've seen that a million times. Among all the standard AV vendors' web sites, and Microsoft Windows Update, the newly downloaded hosts file prevents user from visiting about 50 .biz sites, well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.). Trying to eliminate the competition here?

Lessons?

As always learning lessons is the most important part of handling incidents. Anti-virus doesn't do much for you when the malware is not detected obviously. So we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absense of an IDS could do this trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. The blocking of the traditional sites using a hosts file is also a good thing to build monitoring for. If it gets used you know there's something going on and a second look wil be well spent effort.

Removal? Well once you deal with dozens of pieces of malware embedding itself left and right your luck in getting it off painlessly ran out.

Finding all that went wrong is very hard as you might be looking at malware being pulled in that changes in between the machine got it and you go and get it again, potentially changing (thus invalidating) much of the results.

Proactively keeping all systems up to date is good and helps, but making sure the really secret stuff cannot reside or even be consulted from a machine connected somehow to the Internet is a good step as well. A good place to build this is in a data classification (actually handling) policy. Define the most critical information assets and isolate them.

At this point we have not identified the intial infection vector yet.

--
Bojan Zdrnja
Swa Frantzen

Keywords:
0 comment(s)

javascript file upload entry

Published: 2006-06-06
Last Updated: 2006-06-06 20:48:02 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
A full disclosure post today had an exploit that used javascript in browsers to selectively "steal" keystrokes from the user typing and channeling it into the file upload field.  So as long as you type enough they could make you as well type the filename they were after.

While this attack needs more to become a bit effective (like making the user type the needed letters), it does show the dangers of running javascript once again. Your best choice if you use e.g. FireFox is to use something like Noscript. It allows you to turn javascript off by default and turn it on as needed for selected sites (those where the webmaster doesn't care for users not wanting to expose themselves to randomly downloaded executable content)

Aparently both Firefox and MSIE suffer from this.

--
Swa Frantzen - Section66


Keywords:
0 comment(s)

GD DoS

Published: 2006-06-06
Last Updated: 2006-06-06 20:45:08 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
GD is a graphical library often used to create or manipulate images on the fly in websites.

Details about a vulnerability (and exploit) have been released on full disclosure that claim to cause the library to run an infinite loop while decoding crafted images. It's clear that when used this will lead to severely degraded performance of webservers.

No patch available so far, monitor http://www.boutell.com/gd/ if you use it in a vulnerable fashion.

Thanks Jim!

--
Swa Frantzen - Section 66
Keywords:
0 comment(s)

Spamassassin - upgrade

Published: 2006-06-06
Last Updated: 2006-06-06 20:44:07 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Before you write us: nope, this is unlikely to be related to the "spam spam spam" article I wrote earlier.

Spamassassin has 2 new releases out. They fix vulnerabilities that -given specific command line options- opens up spamassassin to remote command execution as the user spamassassin is running as.

Solution: upgrade to version 3.06 or 3.1.3 as soon as possible or do not use the vulnerable command line combination (aparently both "--vpopmail" and "-P" (paranoid) need to be turned on) as a workaround.

Thanks to fellow handlers Jim and Patrick.

If you do take the time to upgrade, I'd suggest to make sure you run it as a user that has hardly any rights  and/or chroot it.

--
Swa Frantzen - Section 66







Keywords:
0 comment(s)

Windows Alternate Data Streams Revisited

Published: 2006-06-06
Last Updated: 2006-06-06 17:40:06 UTC
by George Bakos (Version: 2)
0 comment(s)
An oldie but goodie has reared its familiar head, this time in the manner of a posting to Bugtraq and Full Disclosure lists. Windows NTFS supports multiple streams of data for any given file (http://support.microsoft.com/kb/105763). While the functions that access ADSs are clearly defined by Microsoft, very few Windows tools can view these alternate data streams (ADS) without some added help. In addition, many third-party software developers ignore the possible presence of ADSs, thus providing a wonderful storage location for malicious code.

The Bugtraq posting http://www.securityfocus.com/archive/1/435962/30/0/threaded mentions a few antivirus tools that fail to detect known malware when stored as ADSs. The Internet Storm Center has not tested any of these claims, but we have no reason to dispute them as we have seen this time and time again.

Ryan Means wrote an excellent paper (GCWN honors) that discusses Alternate Data Streams in depth, presents a number of tools to locate and manipulate ADSs, and presents an extension to Windows Explorer to directly report the presence of ADSs. You can pull it from the SANS Reading Room at: http://www.sans.org/rr/whitepapers/honors/1503.php and the tool he wrote can be found at http://www.giac.org/certs/download.php?w=gcwn_0230_2
Keywords:
0 comment(s)

Spam - spam - spam

Published: 2006-06-06
Last Updated: 2006-06-06 15:49:07 UTC
by Swa Frantzen (Version: 2)
0 comment(s)
A new twist in spammer tactics is being reported, although we're not sure what their goal is at the moment.

Some of our readers report receiving messages apearing to originate from themselves, with only numbers as subject and body.

The body does apears to be HTML encoded, but it's so basic as to not pose a threat so far.

It would be a good idea to investigate if you can drop email that apears to be from your own organization while originating outside of it. If your users do not send such email (e.g. because they use a VPN to connect back to the inside while on the road), dropping that email might cut down on a few spams.

Some fun while on this subject - it's a Tuesday after a 3 day weekend in some countries - :
All relations to the SPAM luncheon meat product are purely accidental, even if it was inspired on a 1975 sketch from Monty Python. Most of us think spam started back in 1994 when two lawyers advertized their green card scam in each and every usenet newsgroup. Some digging around revealed much earlier attempts in 1978 on the precursor to the modern Internet. It just goes to show you're never around for too long to learn something new.

UPDATE

Some guesses as to what the cause of the spam might be have been received by now and I'd like to point out a few:
  • Today's date is the number of the beast, it might attract some old style hackers.
  • There is a possible link to Bagle seeding as it was done in the past and we might need to expect a new variant of it soon.

--
Swa Frantzen - Section 66
Keywords:
0 comment(s)
Diary Archives