Archive - Topics from long ago

SANS - Internet Storm Center: spyware example...

06-05-2005, 12:53 by Anonymous, 1 reply
Source: http://isc.sans.org/

Diary of 6 May - Catch of the day: smelly malware

With the suspicious nature common to malware survivors, ISC
reader Phil "got a bit worried" when he noticed that a web
site was opening a zero-width frame that seemed to hide
something. After digging around some, he found his hunches
confirmed, and also two files that none of the AV vendors on
virustotal.com seemed to recognize as hostile. Here's a
write-up of what we found, to sharpen your malware survivor
senses. Some of the original HTML off the hostile site had
to be heavily modified for this write-up, mainly by cutting
out sections or converting characters to "X". We wouldn't
want a SANS ISC diary to trigger your workstation or
perimeter antivirus...

The base exploit page

IFRAME ID=e1 SRC='/e1/' WIDTH=0 HEIGHT=0
IFRAME ID=e2 SRC='/e2/' WIDTH=0 HEIGHT=0
IFRAME ID=e3 SRC='/e3/' WIDTH=0 HEIGHT=0

Exploit #1 - Java Classloader Vulnerability
The first exploit, hidden behind the "e1" frame, is a Java
based privilege escalation, a variant of the Java
Bytever/Classloader family of exploits. The corresponding
vulnerability is pretty old (MS03-011), making "success" of
this exploit highly doubtful.
...
Exploit #2 - IE Vulnerabilities
The second exploit, hidden behind the /e2/ frame, is
nastier. It starts with checking the browser version of the
user, and then supplies the correct exploit to match. For
older versions of Windows, the following encoded script is
returned (heavily modified - Antivirus tools seem to love
this exploit)
...
we finally reveal the exploit hidden under this double layer
of encoding.

hxxp://malwaresite.url//index.cXm :: /index.html

Yes - it's the oldie but goldie Microsoft Compiled Helpfile
(CHM) exploit, MS02-055. Unlikely to work on a current OS.
Which is why the /e2/ exploit started with a browser
detection routine - for users surfing to the hostile page
with XP SP2, the attacker doesn't even try the CHM
vulnerability, but right away launches an exploit known as
"HijackClick3", a variant of the infamous "Drag and Drop"
vulnerability in Internet Explorer (MS04-38 /
CAN-2004-0841). This exploit is too complicated and too
impossible to render harmless to include it here in the diary.
...
Exploit #3 - More Internet Explorer Vulnerabilities
Lurking behind the /e3/ frame is an exploit for a pretty
recent vulnerability, MS05-001. The exploit, similar to the
one documented by FRSIRT, downloads a file called
"cmdexe.txt", which in turn fetches and starts a file
"cmdexe.exe", all without requiring user interaction of
course. cmdexe.exe is the same downloader trojan that we
have already encountered earlier in the disguise of
"javautil.zip", and it also fetches "update.exe" from the
malware site.

The payload
At the time of writing, update.exe is not yet recognized by
any of the Antivirus software we could test it with. The
file is packed with FSG, and after unpacking almost 400kB of
size. Lots of nasty things can be done in 400k of code...
From what we know so far from analyzing the binary, it contains a
component used to gather information on the system and to
submit this bounty via HTTP POST to a webserver in Europe.
It also installs a multifunctional proxy
(HTTP/Socks/POP3/etc). What else it does we don't know yet.
Update 2015 UTC: McAfee/NAI have dubbed this file "Backdoor-CRR".
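As an added example (not part of the ISC diary or the original post): the diary's base page hides its three frames with WIDTH=0 HEIGHT=0, which is exactly what reader Phil spotted. The scanner below, written for this page rather than taken from the diary, walks the raw HTML of a captured page and reports every IFRAME that is collapsed to zero size, hidden through inline CSS, or carries the hidden attribute, together with the SRC the browser would silently fetch. It runs in Node without a DOM. The sample HTML is constructed, modelled on the e1/e2/e3 frames above, with one visible banner frame and one CSS-hidden frame added to show what is and is not flagged; the URLs in it are placeholders.

```javascript
// Added example, not code from the ISC diary: a small offline scanner that
// flags the kind of zero-width / zero-height IFRAME the diary's base exploit
// page uses. It works on raw HTML text so it runs in Node without a DOM.

// Constructed sample page modelled on the diary's three e1/e2/e3 frames,
// plus one ordinary visible frame and one hidden through inline CSS.
// The hostnames/paths are placeholders, not real malware sites.
const SAMPLE_HTML = `
<html><body>
<p>Welcome to our site</p>
<IFRAME ID=e1 SRC='/e1/' WIDTH=0 HEIGHT=0></IFRAME>
<IFRAME ID=e2 SRC='/e2/' WIDTH=0 HEIGHT=0></IFRAME>
<IFRAME ID=e3 SRC='/e3/' WIDTH=0 HEIGHT=0></IFRAME>
<iframe id="banner" src="https://ads.example.invalid/468x60" width="468" height="60"></iframe>
<iframe id="x" src="/x/" style="display: none; width: 1px"></iframe>
</body></html>
`;

// Parse one tag's attribute string into a map keyed by lowercase name.
// Accepts double-quoted, single-quoted and unquoted values (WIDTH=0) and
// bare boolean attributes (hidden); legacy exploit pages mix all of these.
function parseAttributes(tagBody) {
  const attrs = Object.create(null);
  const re = /([A-Za-z_:][-A-Za-z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] !== undefined ? m[2]
                : m[3] !== undefined ? m[3]
                : m[4] !== undefined ? m[4]
                : "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// A WIDTH/HEIGHT attribute of 0, 0px, 0% (or negative) collapses the frame.
function isZeroSize(value) {
  if (value === undefined) return false;
  const n = parseFloat(value);
  return !Number.isNaN(n) && n <= 0;
}

// Inline CSS that hides the frame: zero width/height, display:none,
// visibility:hidden. Whitespace is stripped so "width : 0px" still matches.
function styleHides(style) {
  if (!style) return false;
  const s = style.toLowerCase().replace(/\s+/g, "");
  return /(^|;)(width|height):0+(\.0+)?(px|%|em|pt)?(;|$)/.test(s)
      || /(^|;)display:none(;|$)/.test(s)
      || /(^|;)visibility:hidden(;|$)/.test(s);
}

// Walk every <iframe ...> start tag and report the hidden ones, with the
// SRC the browser would load without showing anything. The tag regex
// tolerates '>' inside quoted attribute values.
function findHiddenIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b((?:[^>"']|"[^"]*"|'[^']*')*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const reasons = [];
    if (isZeroSize(attrs.width)) reasons.push("width=" + attrs.width);
    if (isZeroSize(attrs.height)) reasons.push("height=" + attrs.height);
    if (styleHides(attrs.style)) reasons.push("style=" + attrs.style);
    if ("hidden" in attrs) reasons.push("hidden attribute");
    if (reasons.length > 0) {
      findings.push({ id: attrs.id || null, src: attrs.src || null, reasons });
    }
  }
  return findings;
}

// Stand-alone run: prints the four hidden frames (e1, e2, e3 and x) and
// leaves the visible 468x60 banner alone.
console.log(JSON.stringify(findHiddenIframes(SAMPLE_HTML), null, 2));
```

The scanner only looks at the markup as served; a frame injected later by script, or one positioned off-screen with a normal size, will not be caught, so treat a clean result as "nothing obvious in the static HTML" rather than "no hidden frames".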
Replies (1)
06-05-2005, 18:09 by Anonymous
wow....

This post is locked. Replying is no longer possible.