TrendLabs Malware Blog - Trend Micro
Last week I received a malicious file, detected as TROJ_LOWZONES.CO, which is a component of the Gromozon malware chain.

After analyzing and executing the file, I noticed that the malware changes the Internet Explorer start page (not really surprising) to h_ttp://www.gooogle.bz (the .bz domain belongs to Belize, in Central America), as shown below:

[Image: google.JPG]

The peculiar thing is that the page it shows is a fake copy of the Italian Google home page. The malware also modifies the Internet Explorer zone settings in the registry, adding several websites to the Trusted sites zone so that IE's ActiveX security checks are bypassed for them:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\scalalap.com\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\forteforte.com\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\gooogle.bz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\ricercadoppia.com\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\playmore.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\ciritorno.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\melagodo.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\what-you-want.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\tuttaqualita.com\www

[Image: IE.JPG]
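To audit a machine for this kind of tampering, here is an added example (not code from the original post) that parses an exported .reg dump of the ZoneMap\Domains key and reports hosts placed in the Trusted sites zone (zone id 2) that are not on an allowlist; the sample export and the allowlisted host www.corp.example are constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Under ZoneMap\Domains\<domain>\<subdomain> each value is named after a URL
# scheme ("http", "https") or "*", and its DWORD data is the zone id; 2 = Trusted sites.
TRUSTED_ZONE = 2

KEY_RE = re.compile(
    r"^\[HKEY_[A-Z_]+\\.*?\\Internet Settings\\ZoneMap\\Domains\\(?P<path>[^\]]+)\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9a-f]{8})$', re.IGNORECASE)


def parse_zonemap(reg_text: str) -> List[Tuple[str, str, int]]:
    """Return (host, scheme, zone_id) triples from an exported .reg dump.
    The key path is domain\\subdomain, so the host is the path components
    reversed (gooogle.bz\\www -> www.gooogle.bz)."""
    entries, current_host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_host = ".".join(reversed(key.group("path").split("\\")))
            continue
        if line.startswith("["):  # some other key: its values are not zone entries
            current_host = None
            continue
        val = VALUE_RE.match(line)
        if val and current_host:
            entries.append((current_host, val.group("name").lower(), int(val.group("data"), 16)))
    return entries


def unexpected_trusted_hosts(reg_text: str, allowlist: Set[str]) -> List[str]:
    """Hosts placed in the Trusted sites zone that are not on the allowlist."""
    return sorted({host for host, _scheme, zone in parse_zonemap(reg_text)
                   if zone == TRUSTED_ZONE and host not in allowlist})


# Constructed sample export (not from the post), using domains named in the analysis.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gooogle.bz\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\what-you-want.biz\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp.example\www]
"https"=dword:00000002
"""
```

Running `unexpected_trusted_hosts(SAMPLE_REG, {"www.corp.example"})` on the sample flags www.gooogle.bz and www.what-you-want.biz; the same function works on a `reg export` of HKCU or HKLM taken from a suspect machine.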

These websites are now blocked by IWSS and PC-cillin. Another thing to point out: once you are connected to w_ww.gooogle.bz, the search engine works the same way as the Italian Google one, as shown below:

[Image: search2.JPG]

So I dug further; here is the network capture I took with Ethereal on the infected machine:

[Image: snap.JPG]

Here you can see the connection to h_ttp://what-you-want.biz, which is made when the infected file is executed. On line 9 you see the connection to h_ttp://www.gooogle.bz. This website is composed of three files:

– Index.htm:

[Image: index2.JPG]

This file calls up.asp.htm and index-1.htm.

– up.asp (line 19) is called next; here is its content:

[Image: asp1.JPG]

We can see here that gooogle.bz initiates the download of cip.exe. The file cip.exe is now detected as DIAL_PORN.BCB.

– Index-1.htm:

[Image: google2.JPG]

In detail, the page contains: href="https://www.google.com/accounts/Login?continue=http://www.google.it/&hl=fr"> After I found this, everything started to fit together: now I knew why the malware connected to google.com and google.it. But another question came up: why is it using HTTPS? On line 20 you see that some queries are made to h_ttp://www.google.it, then on line 26 it starts downloading the file cip.exe. The file cip.exe is then executed and starts its routine, as shown below:

[Image: snap2.JPG]

You can see on line 306 that cip.exe connects to crl.thawte.com; Thawte is a company that issues certificates, like VeriSign. The file cip.exe downloads two files from Thawte's CRL server, ThawtePremiumServerCA.crl and ThawteCodeSigningCA.crl, which enable the file to execute its routine without user consent. The .crl files themselves are normal files. I had a look on Google and I assume the site is using Google's AJAX Search API (http://code.google.com/apis/ajaxsearch/), which requires a login; that would explain why the search engine really works like the Italian one. A whois search shows that these two people are the contacts for all the websites listed above:

Tanzania Import
sa Silvano Mammola (john@mrcallaghan.com)
+1.55565659998
Fax: +1.55565659998
123 Wilson Rd
Santaclaus, ST 92115
CX

La Lapide Inc.
Rigor Morto (rigor@acquadirose.com)
+55.333666225
Fax: +55.333666225
235 Gustav Av.
Buffalu, BU 55220 EC

The registrar is ENOM, and the websites are hosted by Zipservers, a web hosting company.
© Copyright 2013 Trend Micro Inc. All rights reserved.