MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

21.1.09

Schematic analysis of a Web-based malware attack

The Internet has become a favoured attack platform for malware writers. Techniques such as drive-by download, scripting and exploits, and combinations of them, are increasingly common and run their payload directly on the victim's system, almost instantly and transparently from the point of view of a less experienced user, so that the simple act of visiting a website becomes a potential danger.

A concrete example is the following attack, in which several components are used to exploit and infect the victim's system. Although attacks of this kind are common these days, this one has several additional features that increase its damage.


On accessing the malicious page, a script transparently loads several iframes and an exploit for the vulnerability fixed and described in bulletin MS08-067. This vulnerability is currently being actively exploited by the Downadup / Conficker worm, with a high infection rate.

The file sina.css is not what it appears to be (a cascading style sheet); it is an executable that runs the exploit for the vulnerability mentioned above and injects malicious code into the processes winlogon.exe, explorer.exe and services.exe. It copies itself to C:\PROGRA~1\user\LOCALS~1\Temp\ under the name svchost.exe and creates the corresponding process. It also creates the file Beep.sys in C:\WINDOWS\system32\drivers\, runs it as a service and hides itself from the operating system with rootkit capabilities.

At the same time, it manipulates the system registry to prevent the execution of the processes belonging to the following security tools:

RStray.exe, ProcessSafe.exe, DrvAnti.exe, safeboxTray.exe, 360tray.exe, 360safebox.exe, 360Safe.exe, 360rpt.exe, adam.exe, AgentSvr.exe, ANTIARP.exe, AppSvc32.exe, arswp.exe, Ast.EXE, autoruns.exe, AVCONSOL.EXE, avgrssvc.exe, AvMonitor.exe, avp.com, avp.exe, ccenter.exe, ccSvcHst.exe, EGHOST.EXE, FileDsty.exe, filemon.exe, FTCleanerShell.exe, FYFireWall.exe, GFRing3.exe, GFUpd.exe, HijackThis.exe, IceSword.exe, iparmo.exe, IPARMOR.EXE, isPwdSvc.exe, kabaload.exe, KASMain.exe, KASTask.exe, KAV32.exe, KAVDX.exe, KAVPF.EXE, KAVPFW.EXE, KAVSetup.exe, kavstart.exe, KISLnchr.exe, kmailmon.exe, KMFilter.exe, kpfw32.exe, kpfw32x.exe, KPfwSvc.exe, KRegEx.exe, KRepair.com, KsLoader.exe, KvDetect.exe, KvfwMcl.exe, kvol.exe, kvolself.exe, kvsrvxp.exe, kvupload.exe, kvwsc.exe, KvXP.kxp, kwatch.exe, KWatch9x.exe, KWatchX.exe, MagicSet.exe, mcconsol.exe, mmqczj.exe, mmsk.exe, Navapsvc.exe, Navapw32.exe, NAVSetup.exe, nod32.exe, nod32krn.exe, nod32kui.exe, NPFMntor.exe, PFW.exe, PFWLiveUpdate.exe, procexp.exe, QHSET.exe, QQDoctor.exe, QQDoctorMain.exe, QQKav.exe, Ras.exe, rav.exe, RavMon.exe, RavmonD.exe, RavStub.exe, RavTask.exe, RawCopy.exe, RegClean.exe, Regmon.exe, RegTool.exe, rfwcfg.exe, rfwmain.exe, rfwProxy.exe, rfwsrv.exe, rfwstub.exe, RsAgent.exe, Rsaupd.exe, rstrui.exe, Runiep.EXE, safelive.exe, scan32.exe, SelfUpdate.exe, shcfg32.exe, SmartUp.exe, SREng.exe, SuperKiller.exe, symlcsvc.exe, SysSafe.exe, taskmgr.exe, TrojanDetector.exe, Trojanwall.exe, TrojDie.exe, UIHost.exe, UmxAgent.exe, UmxAttachment.exe, UmxCfg.exe, UmxFwHlp.exe.

Another harmful action this malware performs in the registry is the deletion of the subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ and HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\, which prevents the system from booting in Safe Mode (MPF).
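The two registry behaviours described above (blocking the security tools and deleting the SafeBoot subkeys) are the kind of thing a defender would want to flag from endpoint telemetry. The following is an added example, not part of the original analysis: it runs simple detection logic over constructed, simplified Sysmon-style registry event lines (EventID 12 = key create/delete, 13 = value set). The original text names no mechanism for blocking the tools, so the Image File Execution Options `Debugger` value is an assumption about one common way this is done.

```python
import re

# Security tools named in the analysis (a subset of the list above).
BLOCKED_TOOLS = {"taskmgr.exe", "procexp.exe", "autoruns.exe", "hijackthis.exe",
                 "icesword.exe", "regmon.exe", "filemon.exe", "avp.exe"}

# Any subkey directly under SafeBoot\Minimal or SafeBoot\Network.
SAFEBOOT_RE = re.compile(
    r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\[^\\]+$",
    re.IGNORECASE)
# Assumed mechanism: an IFEO 'Debugger' value hijacks the launch of <image>.
IFEO_RE = re.compile(
    r"\\Image File Execution Options\\(?P<image>[^\\]+)\\Debugger$", re.IGNORECASE)


def parse_event(line):
    """Split 'EventID=12|EventType=DeleteKey|TargetObject=...' into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event):
    """Return a finding label for a suspicious registry event, else None."""
    target = event.get("TargetObject", "")
    etype = event.get("EventType", "")
    if etype == "DeleteKey" and SAFEBOOT_RE.search(target):
        return "safeboot-subkey-deleted"
    m = IFEO_RE.search(target)
    if etype == "SetValue" and m and m.group("image").lower() in BLOCKED_TOOLS:
        return "ifeo-debugger-hijack:" + m.group("image").lower()
    return None


def scan(lines):
    """Return [(line_number, finding)] for every suspicious event in lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = classify(parse_event(line))
        if finding:
            findings.append((number, finding))
    return findings


# Constructed sample events (simplified Sysmon-style fields, not real logs):
# a SafeBoot deletion, an IFEO hijack of taskmgr.exe, and two benign events.
SAMPLE = [
    "EventID=12|EventType=DeleteKey|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\AppMgmt",
    "EventID=13|EventType=SetValue|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\\Debugger|Details=svchost.exe",
    "EventID=12|EventType=DeleteKey|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe",
    "EventID=13|EventType=SetValue|TargetObject=HKLM\\SOFTWARE\\Contoso\\Setting|Details=1",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(number, finding)
```

On the constructed sample only the first two events are reported; a plain deletion of an IFEO key and an unrelated value write are left alone.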

It also establishes a connection with the IP address 60.161.34.251, which corresponds to the domain hfdy2929 com (hosted in Beijing, China - Yunnan Province Network CHINANET), and performs a DNS query.


It also connects to 999.hfdy2828com, likewise hosted in China (Chongqing Province Network CHINANET Chongqing), over HTTP on the default port.


Through this connection it retrieves the file bak.txt, which contains a list of malware to download: a total of 35 executable files corresponding to the following malicious code:
  • Win32/TrojanDropper.Agent.NPO
  • Win32/PSW.Legendmir.NGG
  • Win32/PSW.OnLineGames.NRD
  • Win32/PSW.OnLineGames.NRF
  • Win32/PSW.OnLineGames.NTM
  • Win32/PSW.OnLineGames.NTN
  • Win32/PSW.OnLineGames.NTP
  • Win32/PSW.WOW.DZI
The names used for each piece of malware are those assigned by the NOD32 3.0.672.0 signature engine.

The main code (first image) contains several iframe tags that follow the same methodology already explained, checking the victim machine for vulnerabilities:
  • http://sss.2010wyt net / achtml: downloads the file css.css from http://xxx.2009wytcom. It is a copy of sina.css and exploits the MS08-067 vulnerability.
  • js http://sss.2010wytnet/614: downloads the file bak.css from http://xxx.2009wytnet. It is a copy of sina.css and exploits the MS08-067 and MS06-014 vulnerabilities.
  • http://sss.2010wyt net / rjs, http://sss.2010wyt net / rhtml, http://sss.2010wyt net / htm fzl and http://sss.2010wyt net / asdhtm: download the files versionie.swf and versionff.swf from http://sss.2010wytnet. Both exploit a vulnerability in Flash Player.
This is not the end of it, however: another domain appears from which some of the malicious code listed above, referenced in the file bak.txt, is downloaded. The relationship between these domains is:


Malware attacks have become more sophisticated through the combination of different technologies with different malicious methodologies, trying to achieve their goals by any means.

What is described in this text is nothing but a clear reflection of what is happening, or may happen, when accessing vulnerable sites used to spread malware, or sites created entirely for that purpose, and of the damaging capabilities that are more common every day in malicious code.

Jorge Mieres
