Last week I received a malicious file detected as TROJ_LOWZONES.CO, which is a component of the Gromozon malware chain.
After analyzing and executing the file, I noticed that the malware modifies the IE start page (not really surprising) to h_ttp://www.gooogle.bz (.bz being the country-code domain of Belize, in Central America), as shown below:
The peculiar thing is that it displays a fake Google Italy main page. The malware also modifies the IE registry to add several websites to the Trusted Sites zone, so that IE's ActiveX security checks are bypassed for them:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\scalalap.com\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\cywanstorage.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\forteforte.com\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\gooogle.bz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\ricercadoppia.com\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\playmore.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\ciritorno.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap\Domains\melagodo.biz\www
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet
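To check a machine for the two changes described above (the replaced Start Page and ZoneMap entries that put hosts into the Trusted Sites zone), here is an added PowerShell example; it is not part of the original post, reads the affected user's hive and hard-codes no domain names.

```powershell
# Added example, not from the original post: list the IE Start Page and every
# ZoneMap entry in the current user's hive, flagging hosts placed in a zone that
# relaxes security (Trusted sites = 2, Local intranet = 1, My Computer = 0).
# Assumption: run in the affected user's session; no domain names are hard-coded.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-IeZoneMapEntries {
    param([string]$Hive = 'HKCU')   # use 'HKLM' if the Security_HKLM_only policy is set
    $root = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return @() }
    $rootName = (Get-Item -Path $root).Name
    # Each domain is a subkey; an optional subkey below it ("www") narrows the host.
    # Values under a key are named after the scheme ('http', 'https', '*') and hold the zone id.
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        $parts = $key.Name.Substring($rootName.Length + 1) -split '\\'
        # "gooogle.bz\www" in the registry means the host www.gooogle.bz
        $hostName = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($scheme in ($key.Property | Where-Object { $_ -ne '(default)' })) {
            $zoneId = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Host = $hostName; Scheme = $scheme; ZoneId = $zoneId
                Zone = $zoneNames[$zoneId]; Key = $key.Name
            }
        }
    }
}

function Get-IeStartPage {
    param([string]$Hive = 'HKCU')
    $main = "${Hive}:\Software\Microsoft\Internet Explorer\Main"
    (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

"Start Page: $(Get-IeStartPage)"
# Any host a user-mode dropper mapped to zone 0, 1 or 2 deserves a look.
Get-IeZoneMapEntries | Where-Object { $_.ZoneId -le 2 } |
    Sort-Object Host | Format-Table Host, Scheme, Zone, Key -AutoSize
```

On an infected machine the output lists the .bz/.biz hosts above with Zone "Trusted sites"; a clean profile normally has few or no entries under ZoneMap\Domains.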
These websites are now blocked by IWSS and PC-cillin. Another thing to point out: once you are connected to w_ww.gooogle.bz, the search engine works the same way as the Italian one, see below:
So I started to dig further, and here is what I saw in a packet capture taken with Ethereal on the infected machine:
Here you can see the connection to h_ttp://what-you-want.biz, which is made when the infected file is executed. On line 9 you see the connection to h_ttp://www.gooogle.bz. This website is composed of 3 files:
– Index.htm:
This file calls up.asp.htm and index-1.htm.
– up.asp (line 19) is called, and here is its content:
We can see here that gooogle.bz initiates the download of cip.exe. The file cip.exe is now detected as DIAL_PORN.BCB.
– Index-1.htm:
In detail: href="https://www.google.com/accounts/Login?continue=http://www.google.it/&hl=fr"> After finding this, everything started to fit together: now I knew why the malware connected to google.com and google.it. But another question came up: why is it using HTTPS? On line 20 you see that some queries are made to h_ttp://www.google.it, then on line 26 it starts downloading the file cip.exe. The file cip.exe is then executed and starts its routine, as shown below:
On line 306 you can see that cip.exe connects to crl.thawte.com; Thawte is a certificate authority, like Verisign. cip.exe downloads ThawtePremiumServerCA.crl and ThawteCodeSigningCA.crl, Thawte's certificate revocation lists, which allow the file to execute its routine without user consent. The .crl files are by themselves normal files. I had a look on Google and I assume the malware is using Google's AJAX Search API (http://code.google.com/apis/ajaxsearch/), which requires a login; that would explain why the fake search engine really works like the Italian one. A whois search shows that these two people are the contacts for all the websites listed above:
sa Silvano Mammola (firstname.lastname@example.org)
123 Wilson Rd
Santaclaus, ST 92115
La Lapide Inc.
Rigor Morto (email@example.com)
235 Gustav Av.
Buffalu, BU 55220 EC
The registrar is ENOM, and the websites are hosted by Zipservers, a web hosting company.