A malware jungle

Detection

We got an interesting piece of malware from one of our readers, Robert. Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams "spam bot", Robert decided to analyze the box further.

He captured some packets (you know that we at ISC love to analyze network traffic) and found an interesting binary, which he submitted to us for analysis.

Analysis

55e30602f27fa4272c3bd2dd9d701224  extdrvr.exe

Received results for file: extdrvr.exe
==========================
Antivirus               Version            Last update    Result
AntiVir                 6.34.1.37          06.06.2006    no virus found
Authentium              4.93.8             06.06.2006    no virus found
Avast                   4.7.844.0          06.06.2006    no virus found
AVG                     386                06.06.2006    no virus found
BitDefender             7.2                06.06.2006    no virus found
CAT-QuickHeal           8.00               06.06.2006    no virus found
ClamAV                  devel-20060426     06.06.2006    no virus found
DrWeb                   4.33               06.06.2006    no virus found
eTrust-InoculateIT      23.72.29           06.06.2006    no virus found
eTrust-Vet              12.6.2244          06.06.2006    no virus found
Ewido                   3.5                06.06.2006    no virus found
Fortinet                2.77.0.0           06.06.2006    no virus found
F-Prot                  3.16f              06.06.2006    no virus found
Ikarus                  0.2.65.0           06.06.2006    no virus found
Kaspersky               4.0.2.24           06.06.2006    no virus found
McAfee                  4778               06.06.2006    no virus found
Microsoft               1.1441             06.07.2006    no virus found
NOD32v2                 1.1582             06.06.2006    no virus found
Norman                  5.90.17            06.06.2006    no virus found
Panda                   9.0.0.4            06.06.2006    Suspicious file
Sophos                  4.05.0             06.06.2006    no virus found
Symantec                8.0                06.06.2006    no virus found
TheHacker               5.9.8.155          06.05.2006    no virus found
UNA                     1.83               06.06.2006    no virus found
VBA32                   3.11.0             06.06.2006    no virus found


After we analyzed this binary, we discovered a malware jungle. So, this is what's happening:

extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty: at the moment we were writing this diary, just one of the 26 anti-virus programs on VirusTotal found it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.

But that's not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.

The first downloader that the main spam bot downloads is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this) from a well-known malware network (which some of you have probably already filtered): http://85.255.114.166/[REMOVED].exe.
The dialer makes itself persistent across reboots and sets the RasMan and TapiSrv services to start automatically at boot.
The dialer also gets the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.

0815205b98f2449de6db9b89cfae6f24  d1.html
3a62b9180ae98b9ad32980d0fbe1aa72  [REMOVED].exe

If this weren't enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED]. We're not completely sure what this downloader does, as it downloads about 14 KB of data from various sites, but this data seems to be encrypted. When we get more information about this, we'll update the diary.

1083e1401bc49ff8c167e912a3555c20  [REMOVED]

Back to the spam bot. What's interesting is that it downloads and replaces the machine's hosts file. Big deal, we've seen that a million times. But besides all the standard AV vendors' web sites and Microsoft Windows Update, the newly downloaded hosts file also prevents the user from visiting about 50 .biz sites well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.). Trying to eliminate the competition here?

Lessons?

As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected, so we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absence of an IDS, could do the trick. Looking for spikes in outgoing e-mail is a good way to detect unexpected spam bots such as this one. The blocking of the traditional sites using a hosts file is also a good thing to build monitoring for: if it gets used, you know there's something going on, and a second look will be well-spent effort.
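The two detection ideas above (an internal host fanning out to many SMTP servers, and a hosts file that redirects AV vendor or Windows Update names) as a worked example. This is added code, not part of the diary or Robert's setup; the log format, the relay list and the protected-domain tokens are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed connection log: "timestamp src_ip dst_ip dst_port" (assumed format)
SAMPLE_CONNLOG = """\
2006-06-06T10:00:01 10.0.0.5 198.51.100.10 25
2006-06-06T10:00:02 10.0.0.5 203.0.113.7 25
2006-06-06T10:00:02 10.0.0.5 192.0.2.44 25
2006-06-06T10:00:03 10.0.0.5 198.51.100.77 25
2006-06-06T10:00:04 10.0.0.9 10.0.0.2 25
2006-06-06T10:00:05 10.0.0.5 203.0.113.80 80
"""

# Hosts that are allowed to speak outbound SMTP (assumption: one internal relay)
MAIL_RELAYS = {"10.0.0.2"}

def smtp_fanout(log, threshold=3):
    """Map src_ip -> number of distinct non-relay SMTP servers it contacted,
    keeping only hosts at or above the threshold (the pattern Robert saw)."""
    dsts = defaultdict(set)
    for line in log.splitlines():
        _ts, src, dst, port = line.split()
        if port == "25" and dst not in MAIL_RELAYS:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}

# Name fragments a hosts file should never redirect (assumed short stand-in list)
PROTECTED = ("windowsupdate", "symantec", "mcafee", "kaspersky", "sophos", "avast")

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs where a hosts file pins a protected name."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(tok in name.lower() for tok in PROTECTED):
                hits.append((ip, name))
    return hits

# Constructed hosts file resembling the one the spam bot drops
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 windowsupdate.microsoft.com   # update site blocked
127.0.0.1 www.symantec.com
127.0.0.1 www.iframebiz.biz             # competitor blocked, not a hit here
"""
```

On the constructed data, `smtp_fanout` flags 10.0.0.5 (four distinct SMTP servers) while the host using the relay stays quiet, and `suspicious_hosts_entries` returns the two redirected security names.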

Removal? Well, once you are dealing with dozens of pieces of malware embedding themselves left and right, your luck in getting them off painlessly has run out.

Finding out everything that went wrong is very hard, as the malware being pulled in may change between the time the machine fetched it and the time you go and fetch it again, potentially changing (and thus invalidating) much of the results.

Proactively keeping all systems up to date is good and helps, but making sure the really secret stuff cannot reside on, or even be consulted from, a machine somehow connected to the Internet is a good step as well. A good place to build this is a data classification (or rather, data handling) policy. Define the most critical information assets and isolate them.

At this point we have not identified the initial infection vector yet.

--
Bojan Zdrnja
Swa Frantzen
