Blackhole Exploit kit serving Glupteba Trojan in the wild (Aug 9, 2013)

The Dell SonicWall Threats Research team has observed incidents of a new variant of the Glupteba Trojan being delivered by the Blackhole Exploit Kit in the wild. The Glupteba malware family is known to generate revenue for cyber criminals by using the BlackHat SEO poisoning technique to push contextual advertisements onto infected machines and to generate hits by click-jacking the end user. The Trojan is a UPX-packed NSIS installer executable and arrives via drive-by download from a malicious exploit site.

Infection Cycle:

Upon execution, the Trojan drops copies of itself at multiple locations:

  • %AppData%\NVIDIA Corporation\Update\daemonupd.exe
  • %AppData%\Microsoft\Windows\winupdate.exe
  • %AppData%\Google\Update\gupdate.exe
  • %Start Menu%\Programs\Startup\winupdate.lnk [shortcut to ensure the file runs on system reboot]

The Trojan adds the following registry entries to ensure that it runs on system reboot:

  • HKCU\USERID\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdService: “%AppData%\NVIDIA Corporation\Update\daemonupd.exe /app (MD5HASH)”
  • HKCU\USERID\Software\Microsoft\Windows\CurrentVersion\Run\Google Update: “%AppData%\Google\Update\gupdate.exe /app (MD5HASH)”

It then runs the dropped copy daemonupd.exe with the arguments /app (MD5HASH) before terminating itself, which begins the post-infection cycle.

daemonupd.exe attempts to resolve the following domains in order to establish a connection with the Command and Control server:

  • server-%s.reportgoogle.com
  • server-%s.microsoft-report.com
  • server-%s.reportalexa.com
  • server-%s.192-168-0-255.com

The Trojan issues these DNS queries every 5 seconds, where %s is a random number from 1 to 30. Below is an example of the DNS queries seen from an infected system:
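The beaconing pattern above lends itself to a simple DNS-log detection. The following Python is an added example written for this page, not code from the advisory or from Dell SonicWALL: it matches query names against the four server-%s domains with %s in 1..30 and reports clients whose matching queries recur at the 5-second interval. The log line format and the sample lines are constructed for the example.

```python
import re
from datetime import datetime

# C&C domains listed in the advisory; %s was observed as a number from 1 to 30.
GLUPTEBA_DOMAINS = ("reportgoogle.com", "microsoft-report.com",
                    "reportalexa.com", "192-168-0-255.com")
_QNAME_RE = re.compile(
    r"^server-(?P<n>\d{1,2})\.(?P<domain>"
    + "|".join(re.escape(d) for d in GLUPTEBA_DOMAINS)
    + r")\.?$", re.IGNORECASE)

# Constructed log line format (an assumption, not the advisory's):
# "<ISO-8601 timestamp> <client ip> <query type> <query name>"
_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def match_glupteba_query(qname):
    """Return the matched C&C domain when qname is server-<n>.<domain>
    with 1 <= n <= 30 (the range seen in the wild), otherwise None."""
    m = _QNAME_RE.match(qname.strip())
    if m is None or not 1 <= int(m.group("n")) <= 30:
        return None
    return m.group("domain").lower()


def find_beacons(lines, interval=5, tolerance=1, min_hits=3):
    """Return {client_ip: beacon_hits} for clients whose matching queries
    recur at about `interval` seconds. A hit is a pair of consecutive
    matching queries whose spacing is within `tolerance` of `interval`;
    clients with fewer than `min_hits` hits are not reported."""
    per_client = {}
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if m is None:
            continue                      # not a log line we understand
        ts, client, _qtype, qname = m.groups()
        if match_glupteba_query(qname) is None:
            continue                      # ordinary lookup, ignore
        per_client.setdefault(client, []).append(datetime.fromisoformat(ts))

    beacons = {}
    for client, times in per_client.items():
        times.sort()
        hits = sum(1 for a, b in zip(times, times[1:])
                   if abs((b - a).total_seconds() - interval) <= tolerance)
        if hits >= min_hits:
            beacons[client] = hits
    return beacons


# Constructed sample: one infected host beaconing every 5 s across all four
# domains, one host with a number outside 1..30, and one single lookup.
SAMPLE_LOG = """\
2013-08-09T10:00:00 192.168.1.10 A server-17.reportgoogle.com
2013-08-09T10:00:01 192.168.1.10 A www.example.com
2013-08-09T10:00:05 192.168.1.10 A server-3.microsoft-report.com
2013-08-09T10:00:10 192.168.1.10 A server-29.reportalexa.com
2013-08-09T10:00:15 192.168.1.10 A server-8.192-168-0-255.com
2013-08-09T10:00:20 192.168.1.10 A server-30.reportgoogle.com
2013-08-09T10:00:02 192.168.1.11 A server-99.reportgoogle.com
2013-08-09T10:03:00 192.168.1.12 A server-5.reportgoogle.com
""".splitlines()

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))       # {'192.168.1.10': 4}
```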

The first stage of the post-infection cycle involves establishing a connection with the Command and Control server and waiting for commands, as shown below:

Once the Trojan receives a session command, it connects to the Command and Control server and receives additional instructions/data, which are encrypted. It acts as a proxy for performing BlackHat SEO poisoning and click-fraud activity, relaying the results back to the server in encrypted form.

The samples analyzed for this alert were installed using drive-by download via the Blackhole Exploit Kit. Both samples are hosted on the same server, located in Russia (screenshot courtesy of DomainTools.com), which has been flagged multiple times by SonicWALL Gateway AV for serving malicious executables.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Glupteba.AC (Trojan)
  • GAV: Glupteba.AC_2 (Trojan)
  • GAV: Blacole.gen (Exploit)

Madangel infects executable files on the system (August 2, 2013)

The Dell SonicWall Threats Research Team observed reports of a file infector virus family, Madangel, that infects the executables present on the system. The infected executable will then run the malicious code to propagate it further. The injected code contains hardcoded URLs which it may use to report infection and/or to update itself. The Madangel virus family has been around for many years, and the last variant, spotted in 2011, is still active in the wild.

Infection Cycle:

Upon execution the Virus drops the following file on the system:

  • %WINDOWS%\system32\Serverx.exe [Detected as GAV: Madang.A (Virus)]

In order to start after reboot the Virus adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Serverx “%WINDOWS%\system32\Serverx.exe”

It creates the following Mutex on the system to mark its presence:

  • Angry Angel v3.0

The Virus then searches for files ending with .exe on the entire system and on any attached drives. Once a file is found, it appends 4495 bytes of code to the end of the original executable. We observed that files present in the C:\Windows directory are not modified.

We compared an original .exe file with the same file post-infection side by side, as seen in the image below. We can clearly see that malicious code has been appended to it.

Executing any infected executable henceforth will also invoke the malicious code. Below we see an instance of calculator.exe executed post-infection; the malicious code can be clearly seen present in it.

We observed two hardcoded URLs in the code:

  • http://vguarder.91i.net/user.htm
  • http://vguarder.bravehost.com/user.htm

At the time of writing, both URLs appear to have been cleaned or taken down; however, there are reports that these links hosted malicious content in the past. We also observed a component named updatex.exe in the code. Based on the name, we can fairly assume that this code updates the Virus with additional components. We did not observe any network activity from this malware during our analysis.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signature:

  • GAV: Madang.A (Virus)

Trimble SketchUp Heap Buffer Overflow (Aug 2, 2013)

Trimble SketchUp is a 3D modeling program for a broad range of applications such as architectural, civil, mechanical, film and video game design, and is available as SketchUp Make, a free version, and SketchUp Pro, a paid version. Ownership of the product has passed through an initial independent stage (2000-2006) and a second phase under Google (2006-2012) to its current owner, Trimble Navigation, a mapping, surveying and navigation equipment company.

The free version of SketchUp can export 3D models to .dae and to Google Earth’s .kmz file format. The Pro version extends export support to the .3ds, .dwg, .dxf, .fbx, .obj, .xsi and .wrl file formats. SketchUp can also save elevations or renderings of the model, called “screenshots”, as .bmp, .png, .jpg and .tif, with the Pro version also supporting .pdf, .eps, .epx, .dwg and .dxf.

The BMP file format (.bmp), also known as the bitmap image file or device independent bitmap (DIB) file format, or simply a bitmap, is a raster graphics image file format used to store bitmap digital images independently of the display device (such as a graphics adapter), especially on Microsoft Windows and OS/2 operating systems. The BMP file format can store 2D digital images of arbitrary width, height and resolution, both monochrome and color, in various color depths, and optionally with data compression, alpha channels and color profiles.

Each BMP file starts with two consecutive headers, the File Header and the Image Header. The Image Header has the following structure:

  offset  field name       type   description
  ------  ---------------  -----  ------------------------------------------------
  0x000E  biSize           int32  Header Size
  0x0012  biWidth          int32  Image width in pixels
  0x0016  biHeight         int32  Image height in pixels
  0x001A  biPlanes         int16  Number of planes - usually 1
  0x001C  biBitCount       int16  Number of bits per pixel - 1, 4, 8, 16, 24, or 32
  0x001E  biCompression    int32  Compression type
  0x0022  biSizeImage      int32  Image Size
  0x0026  biXPelsPerMeter  int32  Preferred resolution in pixels per meter
  0x002A  biYPelsPerMeter  int32  Preferred resolution in pixels per meter
  0x002E  biClrUsed        int32  Number of color map entries used
  0x0032  biClrImportant   int32  Number of significant colors

A heap buffer overflow exists in Trimble Navigation’s SketchUp. The vulnerability is due to insufficient validation of the size of a buffer before data is copied into it. Remote attackers may exploit this vulnerability by persuading a target user to open a specially crafted BMP or SKP file on a system that has Trimble SketchUp installed. Successful exploitation may lead to arbitrary code execution in the security context of the logged-in user.
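The checks a BMP parser needs before sizing a buffer from the Image Header above, as an added Python example (not code from the advisory, SketchUp or Dell SonicWALL): it validates the header fields against each other and against the bytes actually present, including the 32-bit wrap that a width*height*bpp product can hit. The sample files are constructed inside the block.

```python
import struct

# Layout from the Image Header table above: a 14-byte File Header, then the
# 40-byte Image Header (BITMAPINFOHEADER) starting at file offset 0x000E.
FILE_HEADER_LEN = 14
INFO_HEADER_LEN = 40
INFO_HEADER_FMT = "<IiiHHIIiiII"       # biSize .. biClrImportant
VALID_BIT_COUNTS = (1, 4, 8, 16, 24, 32)
BI_RGB = 0                             # biCompression: uncompressed
UINT32_MAX = 0xFFFFFFFF

def row_stride(width, bit_count):
    """Bytes per pixel row, padded to a 4-byte boundary as BMP requires."""
    return ((width * bit_count + 31) // 32) * 4

def check_bmp(data):
    """Return None if the headers are self-consistent, else a string naming
    the first inconsistency. Each check is one a parser must make before it
    sizes a buffer from header fields and copies pixel data into it."""
    if len(data) < FILE_HEADER_LEN + INFO_HEADER_LEN:
        return "truncated headers"
    if data[:2] != b"BM":
        return "bad magic"
    bf_size, bf_off_bits = struct.unpack_from("<I4xI", data, 2)
    (bi_size, width, height, planes, bit_count, compression, size_image,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack_from(
        INFO_HEADER_FMT, data, FILE_HEADER_LEN)

    if bi_size < INFO_HEADER_LEN:
        return "biSize smaller than BITMAPINFOHEADER"
    if bf_size != len(data):
        return "bfSize does not match file length"
    if width <= 0 or height == 0:      # negative height (top-down) is legal
        return "non-positive width or zero height"
    if planes != 1 or bit_count not in VALID_BIT_COUNTS:
        return "bad biPlanes or biBitCount"

    # An optional colour table sits between the headers and the pixel data.
    palette_entries = 0
    if bit_count <= 8:
        palette_entries = clr_used or (1 << bit_count)
        if palette_entries > (1 << bit_count):
            return "biClrUsed exceeds palette capacity for biBitCount"
    pixels_start = FILE_HEADER_LEN + bi_size + 4 * palette_entries
    if bf_off_bits < pixels_start or bf_off_bits > len(data):
        return "bfOffBits points outside the headers/file"

    if compression == BI_RGB:
        # Python ints never wrap; a C parser doing this product in 32 bits
        # would, allocating a heap buffer far smaller than the copy it makes.
        needed = row_stride(width, bit_count) * abs(height)
        if needed > UINT32_MAX:
            return "pixel size overflows 32 bits"
        if size_image not in (0, needed):
            return "biSizeImage inconsistent with width/height/bpp"
        if needed > len(data) - bf_off_bits:
            return "declared image larger than pixel data present"
    return None

def build_bmp(width, height, bit_count, pixel_bytes=None, size_image=None):
    """Construct a minimal uncompressed BMP for testing (sample data made for
    this example, not a file from the advisory). With pixel_bytes=None the
    exact number of pixel bytes the header implies is emitted."""
    needed = row_stride(width, bit_count) * abs(height)
    pixels = bytes(needed) if pixel_bytes is None else pixel_bytes
    off_bits = FILE_HEADER_LEN + INFO_HEADER_LEN
    info = struct.pack(INFO_HEADER_FMT, INFO_HEADER_LEN, width, height, 1,
                       bit_count, BI_RGB,
                       needed if size_image is None else size_image,
                       2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", off_bits + len(pixels), 0, 0,
                           off_bits)
    return file_hdr + info + pixels

# Constructed samples: a valid 4x2 24-bit image; a 1000x1000 24-bit header
# over only 16 pixel bytes; and a header claiming 65536x65536x32bpp (16 GiB),
# whose byte count wraps to 0 in 32-bit arithmetic, over 16 pixel bytes.
GOOD_BMP = build_bmp(4, 2, 24)
TRUNCATED_BMP = build_bmp(1000, 1000, 24, pixel_bytes=bytes(16))
OVERSIZED_BMP = build_bmp(0x10000, 0x10000, 32, pixel_bytes=bytes(16),
                          size_image=0)
```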

Dell SonicWALL Threat Research team has investigated this vulnerability and released the following signatures addressing the issue:

  • IPS 5945: Client Application Shellcode Exploit 18
  • SPY 4668: Malformed-File skp.TL.1

This vulnerability has been assigned CVE-2013-3663.

Adobe Flash Player Integer Overflow Vulnerability (July 26, 2013)

Adobe Flash is a multimedia platform for running rich internet applications. Adobe Flash Player can also stream audio and video, functioning either within a web browser or as a standalone application. It supports various data and multimedia formats such as XML, JSON, SWF, MP3, FLV and GIF, along with streaming protocols such as HTTP and RTMP.

The SWF file format is a binary format that adheres to the Adobe Flash specification. An SWF file starts with a header containing bytes that distinguish the SWF format from others. This is followed by a number of tags and their respective tag data. An SWF file may also contain ActionScript code, which is executed by the ActionScript Virtual Machine. A developer can embed object-oriented ActionScript code in an SWF file, which is compiled into ActionScript Byte Code.

ActionScript provides functionality to handle PCM (pulse-code modulation), a method used to digitally represent sampled analog data. An integer overflow can be triggered while re-sampling a user-provided PCM buffer. Remote attackers can exploit this vulnerability in order to take control of the affected system.

The vulnerability has been assigned CVE-2013-3347.

Dell SonicWALL has researched the vulnerability and released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature details are:

  • 9991 “Adobe Flash Player Integer Overflow”

Recslurp Trojan steals FTP and Email credentials (July 26, 2013)

The Dell SonicWall Threats Research team has received reports of a Trojan that steals FTP and Email credentials. If certain configuration files are present on the system, it extracts the account information they contain and sends it in encrypted form to a remote server. We have observed threats of this nature before, such as one from a different malware family in a previous SonicALERT.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\svchost.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
  • %APPDATA%\System32\csrss.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]
  • %APPDATA%\System32\rundll32.exe (copy of original, marked hidden) [Detected as GAV: Recslurp.A_4 (Trojan)]

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Process “%APPDATA%\System32\csrss.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Host-process Windows (Rundll32.exe) “%APPDATA%\System32\csrss.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Service Host Process for Windows “%APPDATA%\svchost.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Process “%APPDATA%\System32\csrss.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Host-process Windows (Rundll32.exe) “%APPDATA%\System32\csrss.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Service Host Process for Windows “%APPDATA%\svchost.exe”

The Trojan adds the following keys to the Windows registry to allow network data from the dropped executables to pass through the Windows Firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Client Server Runtime Process “%APPDATA%\System32\csrss.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Host-process Windows (Rundll32.exe) “%APPDATA%\System32\csrss.exe”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Service Host Process for Windows “%APPDATA%\svchost.exe”

The Trojan makes the following DNS queries, although it did not interact with any mail servers during our analysis:

Below is a sample of the FTP and Email configuration files from which it steals credentials if present:

      %APPDATA%\Opera 10 Beta\wand.dat
      %APPDATA%\Apple Computer\Safari\Preferences\keychain.plist
      %APPDATA%\Mozilla\Firefox\Profiles\53iioyks.default\signons.txt
      %ALLUSERSPROFILE%\Application Data\GPSoftware\Directory Opus\ConfigFiles\ftp.oxc
      %USERPROFILE%\Local Settings\Application Data\FTP Explorer\profiles.xml
      %APPDATA%\Frigate3\FtpSite.XML
      %APPDATA%\FTPRush\RushSite.xml
      %APPDATA%\BitKinex\bitkinex.ds
      %ALLUSERSPROFILE%\Application Data\SmartFTP\History.dat
      %ALLUSERSPROFILE%\Application Data\BulletProof Software\BulletProof FTP Client\2010\Default.bps
      %ALLUSERSPROFILE%\Application Data\FlashFXP\4\Sites.dat
      %USERPROFILE%\Local Settings\Application Data\Ipswitch\WS_FTP Home\Sites\*.*
      %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows Live Mail\*.*
      %APPDATA%\PocoMail\accounts.ini

The Trojan downloads a malicious executable from a remote server. The file [Detected as GAV: Delf.OAS (Trojan)] is encrypted. We were able to identify and observe the decryption routine in action:

After installing WS_FTP on our analysis system and entering fake FTP account data, we observed the following data being sent to a remote server as a result:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Recslurp.A_4 (Trojan)
  • GAV: Delf.OAS (Trojan)
  • GAV: Delf.OAS#enc (Trojan)

Chinese Online Game Password Stealing Trojan with Proxy Server (July 19, 2013)

The Dell SonicWall Threats Research team has received reports of a C++-based online game password-stealing Trojan that uses legitimate proxy server software in its installation. This Trojan appears to have originated from China and is being distributed through compromised legitimate websites. The main installer uses the following icon:

Infection Cycle:

Upon execution the Trojan drops the components of a proxy server program called CCProxy by Youngzsoft, along with its configuration files:

  • %temp%\ctfm00.exe [Detected as GAV: CCProxy (HackTool)]
  • %temp%\CCProxy.dll [Detected as GAV: CCProxy_2 (HackTool)]
  • %temp%\CCProxy.ini
  • %temp%\AccInfo.ini
  • %temp%\Language\ChineseGB.ini

It then drops the following files, whose main purpose is to steal data related to an online game called Dungeon and Fighter (DNF) by Tencent:

  • %system%\gametohw.exe [Detected as GAV: Trojan.DNF (Trojan)]
  • %windir%\cklisten.exe [Detected as GAV: Trojan.DNF_2 (Trojan)]

In order to start after reboot the Trojan adds the following key to the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CCProxy %temp%\ctfm00.exe

The Trojan also adds the following registry key to bypass the Windows firewall:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List %temp%\ctfm00.exe %temp%\ctfm00.exe

It then makes the following DNS queries:

It also performs a whois lookup on the victim machine’s IP:

The data is then sent back to a remote server in parts:

During our analysis we only observed this Trojan listening on port 8001, possibly waiting to receive additional commands from a remote server. This was also apparent in an event log that was created in the %temp% directory.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Trojan.LSW (Trojan)
  • GAV: Trojan.DNF (Trojan)
  • GAV: Trojan.DNF_2 (Trojan)
  • GAV: CCProxy (HackTool)
  • GAV: CCProxy_2 (HackTool)

Corel PDF Fusion Stack Buffer Overflow in XPS Parsing (July 19, 2013)

Corel PDF Fusion is a Microsoft Windows-based PDF creation program that lets users view more than 100 different file types, as well as assemble, edit and generate PDFs. It provides easy-to-use drag-and-drop functionality to combine multiple file types into one PDF package. It also enables file conversion to the PDF, DOC and XPS file types.

An XPS file is a Zip archive made up of the files that constitute the XPS document. As per the ZIP format specification, every file that is part of the archive has a corresponding Local File Header followed by the File Data. The Local File Header structure stores file-specific information such as File Size, File Name Length, File Name, etc.

A stack overflow vulnerability exists in Corel PDF Fusion due to an insufficient bounds check, which can be triggered when it parses the File Name Length and File Name fields. Successful exploitation could enable arbitrary code execution in the security context of the logged-in user.
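Below is an added Python example (not code from the advisory, Corel or Dell SonicWALL) of the bounds check described above: a Local File Header parser that validates File Name Length against both the bytes present and a fixed destination capacity before the File Name is copied. The NAME_BUFFER_CAP value and the XPS-shaped sample archive are constructed for the example.

```python
import io
import struct
import zipfile

# ZIP Local File Header: signature 0x04034B50, a fixed 30-byte part, then the
# variable-length File Name and Extra Field, then the File Data.
LOCAL_SIG = 0x04034B50
LOCAL_FIXED_LEN = 30
LOCAL_FMT = "<IHHHHHIIIHH"             # sig .. file name len, extra len
FLAG_DATA_DESCRIPTOR = 0x0008          # sizes follow the data instead
# Capacity of the fixed-size destination a naive parser copies the name
# into; chosen for this example, not a value from the advisory.
NAME_BUFFER_CAP = 256


def parse_local_header(data, offset=0, name_cap=NAME_BUFFER_CAP):
    """Parse one Local File Header at `offset`. Returns (entry, next_offset)
    or raises ValueError. The two length fields are validated against both
    the bytes actually present and the destination capacity before any
    copy, which is the bounds check the advisory says is missing."""
    if len(data) - offset < LOCAL_FIXED_LEN:
        raise ValueError("truncated local file header")
    (sig, _ver, flags, method, _mtime, _mdate, _crc, csize, usize,
     name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, offset)
    if sig != LOCAL_SIG:
        raise ValueError("bad local file header signature")
    body = offset + LOCAL_FIXED_LEN
    if name_len > name_cap:
        raise ValueError(f"file name length {name_len} exceeds buffer of {name_cap}")
    if name_len + extra_len > len(data) - body:
        raise ValueError("file name/extra field run past end of data")
    name = data[body:body + name_len].decode("utf-8", "replace")
    data_start = body + name_len + extra_len
    if not flags & FLAG_DATA_DESCRIPTOR and csize > len(data) - data_start:
        raise ValueError("compressed size exceeds remaining data")
    entry = {"name": name, "method": method, "compressed_size": csize,
             "uncompressed_size": usize, "data_offset": data_start}
    return entry, data_start + csize


def scan_local_headers(data, name_cap=NAME_BUFFER_CAP):
    """Walk consecutive Local File Headers from the start of the archive and
    return the entry names; stops at the first non-local signature (the
    central directory). Raises ValueError on a malformed header."""
    names, offset = [], 0
    while (len(data) - offset >= 4
           and struct.unpack_from("<I", data, offset)[0] == LOCAL_SIG):
        entry, offset = parse_local_header(data, offset, name_cap)
        names.append(entry["name"])
    return names


def first_problem(data, name_cap=NAME_BUFFER_CAP):
    """Return None if every local header is consistent, else the message."""
    try:
        scan_local_headers(data, name_cap)
    except ValueError as exc:
        return str(exc)
    return None


def build_sample_xps():
    """Construct a minimal XPS-shaped archive (two stored parts) for testing;
    sample data made for this example, not a file from the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("FixedDocumentSequence.fdseq", "<FixedDocumentSequence/>")
    return buf.getvalue()


def with_name_length(data, new_len, offset=0):
    """Copy of `data` with the File Name Length field of the local header at
    `offset` overwritten (the field sits 26 bytes into the fixed part)."""
    patched = bytearray(data)
    struct.pack_into("<H", patched, offset + 26, new_len)
    return bytes(patched)


SAMPLE_XPS = build_sample_xps()
MALFORMED_XPS = with_name_length(SAMPLE_XPS, 0xFFFF)   # name longer than buffer
```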

The vulnerability has been assigned CVE-2013-3248.

Dell SonicWALL has researched the vulnerability and released a GAV signature to detect and block specific exploitation attempts targeting this vulnerability. The signature details are:

  • 20816 Malformed.xps.TL.1

New Spambot Trojan with Backdoor functionality (July 12, 2013)

The Dell SonicWALL Threats Research team has come across a new family of spambot Trojans with backdoor functionality. The spambot checks the reputation of the victim machine’s public IP address on various Real-time Blacklists (RBLs) before sending out spam e-mails.

Infection Cycle:

Upon execution, the Trojan first attempts to start itself as a normal service executable. This fails the first time, as the service is not yet registered. It then proceeds to register itself as a service named Sshdaemon. If the service installation fails, it creates a Registry Run key with the ValueName falcon. If the service installation is successful, it starts the service by executing the command cmd.exe /c net start Sshdaemon.

Once Malware_Main is reached, it opens a backdoor on TCP port 1024 on the victim machine. It also uses the SSDP protocol to discover any available UPnP root device. If a device with the Internet Gateway Device UPnP profile is found, it attempts to open the port through that device via the WANIPConnection or WANPPPConnection sub-profile, whichever is supported.

It creates a registry entry to save a unique id hardcoded within the malware code:

Below is the list of C&C servers that the Trojan attempts to contact:

  • 124.217.229.121
  • despicableu.com
  • basaltblock.com
  • donfinale.com
  • soulpick.org
  • eldivision.net

The Trojan encrypts the following data and sends it to the servers listed above until one of them responds:

The C&C server responds with the configuration for connecting to a spam server:

The Trojan checks the victim’s public IP address against popular Real-time Blacklists (RBLs) and, if it is clean, connects to the spam server to obtain a list of hosts and spam e-mail templates. It then proceeds to send out the spam e-mails.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kryptik.BEWH (Trojan)

Microsoft Security Bulletin Coverage (July 9, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

  • CVE-2013-3129 TrueType Font Parsing Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3131 Array Access Violation Vulnerability
    IPS: 9974 “Windows .Net Framework Access Violation Vulnerability (MS13-052)”
  • CVE-2013-3132 Delegate Reflection Bypass Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3133 Anonymous Method Injection Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3134 Array Allocation Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3171 Delegate Serialization Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3178 Null Pointer Vulnerability
    There are no known exploits in the wild.

MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

  • CVE-2013-1300 Win32k Memory Allocation Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-1340 Win32k Dereference Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-1345 Win32k Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3129 TrueType Font Parsing Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3167 Win32k Information Disclosure Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3172 Win32k Buffer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3173 Win32k Buffer Overwrite Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.
  • CVE-2013-3660 Win32k Read AV Vulnerability
    There are no known exploits in the wild.

MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)

  • CVE-2013-3129 TrueType Font Parsing Vulnerability
    There are no known exploits in the wild.

MS13-055 Cumulative Security Update for Internet Explorer (2846071)

  • CVE-2013-3115 Internet Explorer Memory Corruption Vulnerability
    IPS: 9962 “Windows IE Use-After-Free Vulnerability (MS13-055) 1”
  • CVE-2013-3143 Internet Explorer Memory Corruption Vulnerability
    IPS: 9963 “Windows IE Use-After-Free Vulnerability (MS13-055) 2”
  • CVE-2013-3144 Internet Explorer Memory Corruption Vulnerability
    IPS: 9964 “Windows IE Use-After-Free Vulnerability (MS13-055) 3”
  • CVE-2013-3145 Internet Explorer Memory Corruption Vulnerability
    IPS: 9965 “Windows IE Use-After-Free Vulnerability (MS13-055) 4”
  • CVE-2013-3146 Internet Explorer Memory Corruption Vulnerability
    IPS: 9967 “Windows IE Memory Corruption Vulnerability (MS13-055)”
  • CVE-2013-3147 Internet Explorer Memory Corruption Vulnerability
    IPS: 9971 “Windows IE Use-After-Free Vulnerability (MS13-055) 8”
  • CVE-2013-3148 Internet Explorer Memory Corruption Vulnerability
    IPS: 9973 “Windows IE Use-After-Free Vulnerability (MS13-055) 10”
  • CVE-2013-3149 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3150 Internet Explorer Memory Corruption Vulnerability
    IPS: 9966 “Windows IE Use-After-Free Vulnerability (MS13-055) 5”
  • CVE-2013-3151 Internet Explorer Memory Corruption Vulnerability
    IPS: 7454 “HTTP Client Shellcode Exploit 35a”
  • CVE-2013-3152 Internet Explorer Memory Corruption Vulnerability
    IPS: 9968 “Windows IE Use-After-Free Vulnerability (MS13-055) 6”
  • CVE-2013-3153 Internet Explorer Memory Corruption Vulnerability
    IPS: 9969 “Windows IE Use-After-Free Vulnerability (MS13-055) 7”
  • CVE-2013-3161 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3162 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3163 Internet Explorer Memory Corruption Vulnerability
    IPS: 9970 “Windows IE Memory Corruption Vulnerability (MS13-055) 2”
  • CVE-2013-3164 Internet Explorer Memory Corruption Vulnerability
    IPS: 9972 “Windows IE Use-After-Free Vulnerability (MS13-055) 9”
  • CVE-2013-3166 Shift JIS Character Encoding Vulnerability
    There are no known exploits in the wild.

MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)

  • CVE-2013-3174 DirectShow Arbitrary Memory Overwrite Vulnerability
    IPS: 9982 “Windows DirectShow Memory Corruption Vulnerability (MS13-056)”

MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)

  • CVE-2013-3127 WMV Video Decoder Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

  • CVE-2013-3154 Microsoft Windows 7 Defender Improper Pathname Vulnerability
    This is a local vulnerability. Detection of attack over the wire is not feasible.

Mail and Browser password stealing Malware (July 5, 2013)

The Dell SonicWALL Threats Research Team received reports of password-stealing Malware capable of collecting stored passwords from Email, IM and Internet Browsers using third-party programs. Once stolen, the passwords are sent to the attacker.

Infection Cycle:

Upon execution the Malware drops the following files in the %SystemDrive%\users\public\Public Document folder:

  • Picture Viewer.exe [Detected as GAV: Hacktool.BrowserPassRec (HackTool)]
  • keeprun.ini
  • image.exe [Detected as GAV: Hacktool.MailPassRec (HackTool)]
  • bms.klm
  • sad.vbs
  • pid.PDF
  • msnd.exe [Detected as GAV: Agent.KPRN (Trojan)]
  • iewed.bat [Detected as GAV: Fotip.BTH (Trojan)]
  • ied.bat
  • ictd.bat
  • icd.bat [Detected as GAV: Fotip.BTH (Trojan)]
  • dd.vbs
  • cond.reg
  • aatd.bat

It makes the following changes to the registry to ensure execution upon reboot:

  • HKCU\software\Microsoft\Windows\currentversion\Run “stat”=”%USERPROFILE%\All Users\Msn\Msn2\aatd.bat”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run “stat2”=”%USERPROFILE%\All Users\Msn\Msn2\aatd.bat”

The Malware begins execution in the following order:

  • sad.vbs invokes ictd.bat, which in turn invokes icd.bat
  • icd.bat performs a number of tasks:
    • Regedit /s “cond.reg” – adds aatd.bat to the Registry Run key so that it starts each time the system reboots
    • Start pid.PDF – no malicious activity observed
    • Creates the “%systemdrive%\Documents and Settings\All Users\Msn\Msn2” folder, which contains the same dropped files
    • start image.exe – this is the Mail Password Decryptor program
    • start picture.exe – this is the Browser Password Recovery program
    • Disables the Windows firewall using netsh firewall set opmode disable and advfirewall set currentprofile state off
    • start msnd.exe – tracks keeprun.ini to ensure some files are always running on the system
    • Starts ftp and transfers the password files produced by image.exe and picture.exe to the server

The next time the system reboots, the flow begins from aatd.bat, which is triggered into execution from the Registry Run key:

  • aatd.bat starts msnd.exe
  • msnd.exe tracks keeprun.ini and ensures that ied.bat is running
  • ied.bat invokes dd.vbs, which in turn invokes iewed.bat, which has the same functionality as icd.bat, thereby ensuring that the password-stealing functionality is triggered

Mail Password Decryptor is a free tool to recover passwords from email clients. As listed by its author, it supports password recovery from:

  • Gmail
  • Yahoo Mail
  • Hotmail
  • Windows Live Mail
  • Microsoft Outlook
  • Thunderbird
  • IncrediMail
  • GTalk

Browser Password Decryptor is a free tool to recover website login passwords from web browsers. As listed by its author, it supports password recovery from:

  • Firefox
  • Internet Explorer
  • Google Chrome
  • Apple Safari
  • Opera
  • Sea Monkey
  • Comodo Dragon
  • Flock

The following passwords were captured from our browsers and mail clients while the sample was being analyzed; this file would then be sent to the attacker:

The passwords stored by the Malware are transferred to the attacker via ftp to ftp.freehostia.com. Credentials and commands for the ftp file transfer are stored in the bms.klm file, but during our analysis they did not work, indicating that they have since been changed.

Both Mail Password Decryptor and Browser Password Decryptor are freely available on a reputed security forum. This Malware is a classic example of the misuse of security tools developed for non-malicious purposes: using freely available tools, it tries to steal passwords from the victim’s system and sends them to the attacker without the victim’s knowledge.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

  • GAV: ZBot.EB_3 (Trojan)
  • GAV: Hacktool.MailPassRec (HackTool)
  • GAV: Hacktool.BrowserPassRec (HackTool)
  • GAV: Agent.KPRN (Trojan)
  • GAV: Fotip.BTH (Trojan)