Filed Under: WEEKLY REVIEW
Focused Malicious Activities
19 September 2008
The Orient seems to be the focus of this week's malicious activity.
There are several known vulnerabilities in Chinese online media software that allow attackers to download and execute arbitrary files on a victim's computer. Most of them seem to have been packed into one big exploit-serving threat. The name? Exploit.SinaDLoader.B
Exploit.SinaDLoader.B
We are starting our weekly review with a big and ugly exploit. It is not really an exploit but an exploit-serving application: it tries to take advantage of 9 known vulnerabilities in order to download and execute an e-threat detected by BitDefender as Generic.Malware.dld!!.8EC79AB8. Here is a brief description of those exploits:
1. Snapshot Viewer Control.1: an exploit of the Microsoft Access Snapshot Viewer ActiveX control (the flaw addressed by Microsoft Security Bulletin MS08-041). It has no obvious symptoms, but it lets an attacker download any file to an arbitrary location on the victim's computer. The downloaded file cannot be launched remotely; however, the malware can be placed in the user's Startup folder, so it gets executed automatically the next time the user logs on.
More information is available on the BitDefender site and from Microsoft Support.
2. DownloadAndInstall is another ActiveX control, made by Sina Inc., which it originally used to install its own applications (mostly video chat software). Attackers abuse it to download and run arbitrary files on the victim's computer.
3. Adodb.Stream is an exploit of the ADODB.Stream object, which gives script access to binary files on the victim's computer. It allows an attacker to create an invisible iframe to http://222.213asd??.com/ms06014.js, which in turn downloads the malware mentioned above. The script's name refers to Microsoft Security Bulletin MS06-014 from April 2006, so this vector only works on machines that are more than two years behind on patches.
4. ShockwaveFlash.ShockwaveFlash.9 is an exploit for Flash Player versions prior to 9.0.124.0. It serves a different malformed .swf file depending on which Player version the user has installed; the files take advantage of a vulnerability in the Player that allows an attacker to download and run arbitrary files on the user's computer.
5. UUUpgrade ActiveX Control module--update is an exploit for the UUSee player, which UUSee.com provides for viewing the media on its website. The vulnerability allows attackers to download and save files to arbitrary locations on the user's computer.
6. Lianzhong chat room (GLIEDown.IEDown.1): the page includes http://222.213asdas.com/GLWORLD.html, which in turn exploits another vulnerability via JavaScript and downloads the same malware mentioned above.
7. A RealPlayer exploit (the IERPCtl.IERPCtl.1 component) which, for versions lower than 6.0.14.552, pushes the script 222.213asd??.com/real.js, which takes a different approach for different versions. If the user has a newer version, it creates an invisible iframe to http://222.213asd??.com/Real11.html, which again downloads the same threat.
8. Baidu Search Bar (BaiduBar.Tool): an exploit that makes use of the vulnerable "DloadDS" function, pointing it at a .CAB file at http://222.213asd??.com/Baidu.cab which contains a "Baidu.exe" that is, of course, our malware.
9. Xunlei Thunder exploit (ActiveXObject DPClient.Vod), with another invisible iframe leading to 222.213asd??.com/Thunder.html; the page was not available at the time of analysis, but it is probably downloading the same file.
All these exploits download a file named mas1.css or mas1.exe, which is a downloader, packed with FSG, for Generic.Malware.dld!!.8EC79AB8.
The point of bundling all these exploits into one pack is to maximize the chance of infection: whichever of the vulnerable controls a visitor happens to have installed, one of the nine will fire.
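A first step when one of these landing pages turns up in a proxy log or a honeyclient is to find out which controls it probes and where its hidden frames point. The Python script below does that over a page's source. It is an added example, not code from the post or from BitDefender: its watchlist is the set of ActiveX ProgIDs named in the list above (the UUUpgrade entry is left out because the post does not give its exact ProgID), and the sample page with its example.invalid hostname is constructed.

```python
"""Landing-page triage for an exploit pack of the kind described above.

Added example, not code from the BitDefender post.  The watchlist is the set
of ActiveX ProgIDs the post names; the sample page is constructed."""
import re
from html.parser import HTMLParser

# ProgIDs the post reports Exploit.SinaDLoader.B instantiating, lower-cased
# because ActiveX ProgIDs are not case sensitive.
WATCHLIST = {
    "snapshot viewer control.1": "Microsoft Access Snapshot Viewer",
    "downloadandinstall": "Sina DownloadAndInstall",
    "adodb.stream": "ADODB.Stream",
    "shockwaveflash.shockwaveflash.9": "Flash Player 9",
    "gliedown.iedown.1": "Lianzhong GLIEDown",
    "ierpctl.ierpctl.1": "RealPlayer IERPCtl",
    "baidubar.tool": "Baidu Search Bar",
    "dpclient.vod": "Xunlei Thunder DPClient",
}

# new ActiveXObject("ProgID") or ActiveXObject('ProgID')
ACTIVEX_RE = re.compile(r"""ActiveXObject\s*\(\s*(['"])(.+?)\1\s*\)""", re.I)


class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True for the zero-size or display:none frames exploit packs plant."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) == 0:
            return True
    return False


def triage(html):
    """Return watchlisted controls, unknown controls and hidden frame targets
    found in a page's source (no JavaScript is executed)."""
    progids = {m.group(2).lower() for m in ACTIVEX_RE.finditer(html)}
    collector = IframeCollector()
    collector.feed(html)
    return {
        "known_controls": sorted(WATCHLIST[p] for p in progids if p in WATCHLIST),
        "unknown_controls": sorted(p for p in progids if p not in WATCHLIST),
        "hidden_iframes": sorted(a.get("src", "") for a in collector.iframes if is_hidden(a)),
    }


# Constructed landing page; the hostname is a placeholder, not the one in the post.
SAMPLE_PAGE = """<html><body>
<script>
try { new ActiveXObject("Snapshot Viewer Control.1"); } catch (e) {}
try { new ActiveXObject('ShockwaveFlash.ShockwaveFlash.9'); } catch (e) {}
try { new ActiveXObject("IERPCtl.IERPCtl.1"); } catch (e) {}
try { new ActiveXObject("Example.Unknown.1"); } catch (e) {}
</script>
<iframe src="http://example.invalid/ms06014.js" width=0 height=0></iframe>
<iframe src="http://example.invalid/Real11.html" style="display: none"></iframe>
<iframe src="http://example.invalid/legit.html" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_PAGE).items():
        print(category, items)
```

Run it and it prints the three categories for the sample page. A ProgID that is probed but not on the watchlist is the interesting case: packs are updated faster than write-ups, so an unknown control is the first thing to look up. The script deliberately does not execute the page's JavaScript, so a pack that assembles its ProgID strings at runtime (concatenation, unescape()) needs a second pass with a JavaScript emulator or a real browser in a sandbox.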
Next on the list is Trojan.Fakeav.BC, yet another rogue antivirus tool designed to pickpocket unwary users. It warns of fake infections and asks the victim to buy the product to remove them. The main screen looks like the image below:

If the user decides not to pay, he will be "taken care of" with annoying popups that won't let him get any work done on the PC. This application creates only one file, C:\Program Files\Aav\aav.exe, which can easily be deleted once its process is killed.
Trojan.Injector.CH
This threat copies itself to C:\Program Files\Microsoft Common\wuauclt.exe (borrowing the name of the legitimate Windows Update client, which lives in %SYSTEM%) and tries to connect to 91.203.[hidden]. It adds an exception to the Windows Firewall so the user doesn't notice a thing when this happens. It injects part of its code into svchost.exe and sends information about the system (operating system name and version, and the port on which it accepts connections). Based on the data it sent, it receives commands from the host telling it to download an update. On our test machine the downloaded file was %SYSTEM%\cpl32ver.exe.
The malware has its own SMTP engine and will attempt to send out spam through: mxs.mail.ru, fk-in-f114.google.com, gsmtp183.google.com, smtp.messagingengine.com.
It drops a rootkit component with a random name under %SYSTEM%\drivers\ that hooks the System Service Descriptor Table (SSDT) in order to hide the registry keys it creates.
So that the driver is also loaded in Safe Mode (where Windows only starts the drivers and services listed under SafeBoot), it creates the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random].sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random].sys
So that the application starts with the operating system, the following keys are added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpl32ver ( on the test machine )
HKLM\System\CurrentControlSet\Services\[random]
HKLM\System\CurrentControlSet\Services\tcpsr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
An Image File Execution Options entry for explorer.exe is usually abused through its "Debugger" value: Windows then launches the named "debugger" (the malware) every time the shell starts, and the real explorer.exe only runs if the malware chooses to start it.
Trojan.Disabler.N
This little bugger is probably part of a bigger malware collection: all it does is disable the Windows Firewall and Windows Update services.
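Both Trojan.Injector.CH's persistence (the SafeBoot whitelisting, the Run value, the service keys, the IFEO entry and the Windows Firewall exception) and Trojan.Disabler.N's service tampering leave marks in the registry that can be checked from an exported hive when a suspicious machine is triaged offline. The Python script below parses a .reg export and flags those marks. It is an added example, not BitDefender's code. Assumptions: the export is constructed, the service name abcd1234 stands in for the trojan's random name, the Run value "Updater" is invented to exercise the masquerade check, the Windows Firewall exception list is at its Windows XP SP2 location (SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List), and the short MASQUERADE list is an illustration, not a complete one.

```python
"""Offline triage of a Windows registry export for the persistence and
service-tampering artefacts described above.  Added example, not BitDefender's
code: the .reg export is constructed, abcd1234 stands in for the trojan's random
service name, and the Windows Firewall exception list is the XP SP2 location."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode(v):
    """REG_SZ and REG_DWORD are decoded; other types stay as raw text."""
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v


def parse_reg(text):
    """Return {key_path: {value_name: value}}; paths and names are lower-cased
    because the registry is not case sensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else _unescape(m.group(1)).lower()
            keys[current][name] = _decode(m.group(3))
    return keys


HKLM = "hkey_local_machine\\"
RUN_KEY = HKLM + "software\\microsoft\\windows\\currentversion\\run"
SERVICES = HKLM + "system\\currentcontrolset\\services\\"
SAFEBOOT = HKLM + "system\\currentcontrolset\\control\\safeboot\\"
IFEO = HKLM + "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
FW_LIST = SERVICES + "sharedaccess\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
SERVICE_DISABLED = 4  # Start=4: the service never starts
GUARDED = {"sharedaccess": "Windows Firewall/ICS", "wuauserv": "Automatic Updates"}
# Illustrative, not complete: system binaries whose names malware borrows for copies outside %SYSTEM%.
MASQUERADE = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe"}


def masquerading(path):
    """A system binary's name used for a file that does not live under system32."""
    p = path.strip('"').lower()
    name = p.rsplit("\\", 1)[-1].split(" ")[0]
    return name in MASQUERADE and "\\system32\\" not in p


def triage(keys):
    """Return (category, tag, detail) findings for the artefacts in the post."""
    findings = []
    for name, path in keys.get(RUN_KEY, {}).items():
        findings.append(("run", "masquerade" if masquerading(str(path)) else "review", f"{name} -> {path}"))
    for key in keys:  # SafeBoot\<profile>\<entry> that is also a registered service
        if key.startswith(SAFEBOOT) and key.count("\\") == SAFEBOOT.count("\\") + 1:
            profile, entry = key[len(SAFEBOOT):].split("\\")
            svc = entry[:-4] if entry.endswith(".sys") else entry
            if SERVICES + svc in keys:
                findings.append(("safeboot", "review", f"{profile}\\{entry} (service {svc})"))
    for key, values in keys.items():  # IFEO Debugger hijack
        if key.startswith(IFEO) and "debugger" in values:
            findings.append(("ifeo", "hijack", f"{key[len(IFEO):]} -> {values['debugger']}"))
    for svc, label in GUARDED.items():  # Trojan.Disabler.N style service tampering
        if keys.get(SERVICES + svc, {}).get("start") == SERVICE_DISABLED:
            findings.append(("service", "disabled", label))
    for name, rule in keys.get(FW_LIST, {}).items():  # firewall exceptions
        findings.append(("firewall", "masquerade" if masquerading(name) else "review", rule))
    return findings


# Constructed export; the "Updater" Run value is invented to exercise the masquerade check.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpl32ver"="C:\\WINDOWS\\system32\\cpl32ver.exe"
"Updater"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\abcd1234.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abcd1234]
"ImagePath"="system32\\drivers\\abcd1234.sys"
"Start"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Common\\wuauclt.exe"="C:\\Program Files\\Microsoft Common\\wuauclt.exe:*:Enabled:wuauclt"
"""

if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(*finding)
```

The SafeBoot check lists every whitelisted driver that is also registered as a service, which on a real system includes legitimate ones; treat that list as something to diff against a clean reference image rather than as a verdict. The IFEO and disabled-service findings, by contrast, are almost never benign on a workstation. Since the rootkit described above hides its keys from the running system, the right input here is an export taken from a hive mounted offline or from a machine booted from clean media, not one produced on the infected system.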
Information in this article is available courtesy of BitDefender virus researchers: Daniel Chipiristeanu, Boeriu Laura, Stefan Catalin Hanu, Suiu Andrei.
Copyright 2011. Site powered by Bitdefender