
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Ch10: Remote Access Trojans and Zombie Networks

Win32:Sirefef.AG


See also Win32:Sirefef.A -- an earlier version that was distributed with Data Recovery scareware.

This is a recent strain of a malware family that was infecting user PCs with the IE8 browser (along with Win32/Tracur.AV, which disables several AV programs including Microsoft Security Essentials) when the Foreign Affairs magazine website was compromised in December 2012 (see Foreign Policy Group Gets Hacker Happy New Year). While I wish that all neocons (for whom this site is a watering hole) got this nasty malware ;-), innocent visitors with Windows XP and the IE 8 browser were hurt too...

Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors.

The CFR is a non-partisan policy group (tell this anybody -- NNB ;-), known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack - waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer

... ... ...

The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The JavaScript is hidden in a file on the system that is usually used for a completely different purpose," he said.

Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on and off for different sites can be inconvenient.

Users of Internet Explorer 9 and later aren't vulnerable.

While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.

SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 0 bytes ( 0 bytes )
File name: Whisky Bible Pro 2012_v1.1crk.apk
File type: unknown
Tags: zero-filled nsrl hash-collision software-collection
Detection ratio: 0 / 46
Analysis date: 2013-01-05 20:16:56 UTC

The following is a condensed report of the behavior of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

File system activity

Opened files...
C:\WINDOWS\system32\V3Medic.exe (failed)
C:\6c6bc20dc36e2b9b6a0280cc7e1a8a291e2e6bb7221210d497939a80da43a7cd (successful)
C:\WINDOWS\system32\V3Medic.exe (successful)
C:\WINDOWS\system32\reg.exe (successful)
\\.\PIPE\lsarpc (successful)
c:\autoexec.bat (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\5DC8A.exe (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
\\.\SICE (failed)
\\.\SIWVID (failed)
\\.\NTICE (failed)
\\.\REGSYS (failed)
\\.\REGVXG (failed)
\\.\FILEVXG (failed)
\\.\FILEM (failed)
\\.\TRW (failed)
\\.\ICEEXT (failed)
\\.\PIPE\SfcApi (successful)
C:\WINDOWS\system32\ws2help.dll (successful)
C:\WINDOWS\IRIMGV3.bmp (successful)
Read files...
c:\autoexec.bat (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
Written files...
C:\WINDOWS\system32\V3Medic.exe (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\5DC8A.exe (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
C:\WINDOWS\IRIMGV3.bmp (successful)
Copied files...
SRC: C:\6c6bc20dc36e2b9b6a0280cc7e1a8a291e2e6bb7221210d497939a80da43a7cd
DST: C:\WINDOWS\system32\V3Medic.exe (successful)

SRC: C:\WINDOWS\system32\ws2help.dll
DST: C:\WINDOWS\system32\ws2helpXP.dll (successful)
Moved files...
SRC: C:\WINDOWS\system32\ws2help.dll
DST: C:\WINDOWS\system32\ws2help.dll.byM.tmp (successful)

SRC: C:\WINDOWS\IRIMGV3.bmp
DST: C:\WINDOWS\system32\ws2help.dll (successful)
Deleted files...
C:\WINDOWS\system32\dia3.ini (failed)

Registry activity

Set keys...
KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}\stubpath
TYPE:  REG_EXPAND_SZ
VALUE: %SystemRoot%\system32\V3Medic.exe (successful)

KEY:   HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
TYPE:  REG_DWORD
VALUE: 0 (successful)

KEY:   HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
TYPE:  REG_DWORD
VALUE: 0 (successful)

KEY:   HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
TYPE:  REG_BINARY
VALUE:  (successful)

KEY:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Version
TYPE:  REG_DWORD
VALUE: 8 (successful)

KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
TYPE:  REG_SZ
VALUE: ws2help.dll (successful)
Deleted keys...
0x00000000\Identity (failed)
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7} (failed)

Process activity

Created processes...
reg delete HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}" /f" (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)

Mutex activity

Created mutexes...
RasPbFile (failed)
Opened mutexes...
ShimCacheMutex (successful)
RasPbFile (successful)

Application windows activity

Searched windows...
CLASS: FileMonClass
NAME:  (null)

CLASS: 18467-41
NAME:  (null)

CLASS: OLLYDBG
NAME:  (null)

Windows service activity

Opened service managers...
MACHINE:  localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)
Opened services...
RASMAN (successful)

Runtime DLLs

advapi32.dll (successful)
wininet.dll (successful)
kernel32.dll (successful)
version.dll (successful)
secur32.dll (successful)
shell32.dll (successful)
wsock32 (successful)
ws2_32 (successful)
comctl32.dll (successful)
rasapi32.dll (successful)
rtutils.dll (successful)
rpcrt4.dll (successful)
sensapi.dll (successful)
ntdll.dll (successful)
userenv.dll (successful)
netapi32.dll (successful)
urlmon.dll (successful)
c:\windows\system32\mswsock.dll (successful)
dnsapi.dll (successful)
rasadhlp.dll (successful)
hnetcfg.dll (successful)
c:\windows\system32\wshtcpip.dll (successful)
msvcrt.dll (successful)
user32.dll (successful)
rsaenh.dll (successful)
msvcp60.dll (successful)
psapi.dll (successful)
c:\windows\system32\sfc_os.dll (successful)

Additional details

  • The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
  • The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

Network activity

HTTP requests...
URL:  http://blog.sina.com.cn/s/blog_af5f75a301015gge.html
TYPE: GET
UA:   Testing

URL:  http://www.ezyeconomy.com/xml/20121009/c4.gif
TYPE: GET
UA:   Testing
DNS requests...
blog.sina.com.cn (218.30.115.254)
www.ezyeconomy.com (121.78.127.93)
TCP connections...
218.30.115.254:80
121.78.127.93:80
UDP communications...
<MACHINE_DNS_SERVER>:53
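
The registry and file-system entries in the report above are the classic persistence footprints of this family: an Active Setup stubpath pointing at the dropped V3Medic.exe, ws2help.dll registered in AppInit_DLLs after the genuine system DLL was renamed and replaced, and a write to the hosts file. The following Python script is an added example (not part of this page, the sandbox vendor's tooling, or any AV product): it parses a report in the same "Section..." / KEY-TYPE-VALUE / "path (status)" layout and flags those indicators with a few defender-side rules. The sample text is constructed from the entries above; the rule names and the list of monitored autostart locations are my own choices.

```python
"""Flag persistence and tampering indicators in a sandbox behaviour report.

Understands the layout used by the report above: a "Section..." header line,
then either "KEY:/TYPE:/VALUE:" (or "SRC:/DST:") records or one path per
line, each ending in "(successful)" or "(failed)".
"""
import re

# Constructed sample input: entries copied from the report on this page and
# reshaped into one string (not the sandbox's raw output).
SAMPLE_REPORT = r"""
Written files...
C:\WINDOWS\system32\V3Medic.exe (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
Moved files...
SRC: C:\WINDOWS\system32\ws2help.dll
DST: C:\WINDOWS\system32\ws2help.dll.byM.tmp (successful)

SRC: C:\WINDOWS\IRIMGV3.bmp
DST: C:\WINDOWS\system32\ws2help.dll (successful)
Set keys...
KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}\stubpath
TYPE:  REG_EXPAND_SZ
VALUE: %SystemRoot%\system32\V3Medic.exe (successful)

KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Version
TYPE:  REG_DWORD
VALUE: 8 (successful)

KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
TYPE:  REG_SZ
VALUE: ws2help.dll (successful)
"""

# Well-known Windows autostart locations (rule names are my own labels).
# The AppInit pattern allows the doubled backslash the report prints.
PERSISTENCE_KEY_PATTERNS = {
    "active_setup": re.compile(
        r"\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]+\}\\stubpath$", re.I),
    "appinit_dlls": re.compile(r"\\Windows NT\\CurrentVersion\\Windows\\+AppInit_DLLs$", re.I),
    "run_key": re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I),
    "winlogon": re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.I),
}
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts$", re.I)
SYSTEM_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.I)
STATUS = re.compile(r"\s*\((successful|failed)\)\s*$")
FIELD = re.compile(r"(KEY|TYPE|VALUE|SRC|DST):\s*(.*)")


def _strip_status(text):
    """Split 'value (successful)' into ('value', True); no suffix counts as success."""
    m = STATUS.search(text)
    ok = (m.group(1) == "successful") if m else True
    return STATUS.sub("", text), ok


def parse_report(text):
    """Return {section: [record, ...]}; records are dicts keyed by field name or 'path'."""
    sections, current, pending = {}, None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.endswith("..."):                 # e.g. "Set keys..." -> "Set keys"
            current = line[:-3]
            sections.setdefault(current, [])
            pending = {}
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            field, value = m.group(1).lower(), m.group(2)
            value, ok = _strip_status(value)
            pending[field] = value
            if field in ("value", "dst"):        # last field of a multi-line record
                pending["ok"] = ok
                sections[current].append(pending)
                pending = {}
        else:
            path, ok = _strip_status(line)
            sections[current].append({"path": path, "ok": ok})
    return sections


def find_indicators(text):
    """Apply the detection rules; returns [(rule_name, detail), ...] in report order."""
    s = parse_report(text)
    findings = []
    for rec in s.get("Set keys", []):
        if not rec["ok"]:
            continue
        for name, pat in PERSISTENCE_KEY_PATTERNS.items():
            if pat.search(rec.get("key", "")):
                findings.append((name, f'{rec["key"]} = {rec.get("value", "")}'))
    for rec in s.get("Written files", []):
        if rec["ok"] and HOSTS_FILE.search(rec["path"]):
            findings.append(("hosts_tamper", rec["path"]))
    # A non-DLL being moved over a system32 DLL is a swapped system library.
    for rec in s.get("Moved files", []):
        if rec["ok"] and SYSTEM_DLL.search(rec.get("dst", "")) \
                and not SYSTEM_DLL.search(rec.get("src", "")):
            findings.append(("system_dll_replaced", f'{rec["src"]} -> {rec["dst"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in find_indicators(SAMPLE_REPORT):
        print(f"{rule:22s} {detail}")
```

Run against the sample it reports four hits: the Active Setup stubpath, the AppInit_DLLs entry, the hosts-file write and the IRIMGV3.bmp-over-ws2help.dll move; the Ole\Version write and the rename of the genuine ws2help.dll to a .tmp name are not flagged. The same rules are what you would check on a live machine when triaging a suspected infection: AppInit_DLLs should normally be empty, and any Active Setup component whose stubpath points into system32 at a recently created executable deserves a look.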

Trend Micro warns.

"During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware," the researchers shared.

As it turned out, the patched file was a component of the Sirefef/Zaccess malware family, and was used to run the malware's other malicious components upon reboot.

"This proved to be a new variant of Sirefef/Zaccess, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques," they said.

The infection with this new variant was traced back to the execution of K-Lite Codec Pack.exe, and it has more than likely been downloaded by the users themselves from the Internet in order to play movies downloaded via P2P applications.

To keep up the illusion that the offered codec is legitimate and to up the likelihood of it being used, the file names are also often modified to include the titles of popular movies.

According to Trend Micro numbers, Sirefef/Zaccess infections have hugely increased in July, going from some 1,000 infected computers on the first of the month to over 11,000 on the 27th.

The great majority of infected computers is located in the US. Nevertheless, all users are advised to be cautious when downloading files from untrusted sources such as P2P networks.

IE zero-day used in targeted watering hole attacks

The exploited website was that of the Council on Foreign Relations, an organization, publisher, and think tank specializing in U.S. foreign policy and international affairs, among whose members are a number of high-profile U.S. government and political figures such as former secretary of state Madeleine Albright, former treasury secretary Robert Rubin, and many others.

According to security researcher Eric Romang, the website seems to have been compromised as early as December 7, and possibly even earlier.

FireEye's researchers have been alerted to the compromise on December 27 and proceeded to analyze the attack and discover its use of a previously unknown Microsoft Internet Explorer vulnerability.

Visitors to the website who used IE 6, 7, or 8, had Flash and Java 6 installed, and had the OS language set to U.S. English, Chinese, Taiwan Chinese, Russian, Korean or Japanese were unknowingly redirected to a page serving a malicious Shockwave Flash File (today.swf) that would trigger the vulnerability. Others were redirected to a blank page.

"When the Flash object was loaded, it performed a heap-spray and injected the shellcode used to locate the xsainfo.jpg file, decode it, and store it in the %Temp%/flowertep.jpg file," Symantec's researchers explained. "Next, a request was sent for the robots.txt file which gets de-obfuscated and then used to load the malicious payload (flowertep.jpg) using techniques to by-pass DEP and ASLR on Windows 7."

All this was performed to ultimately allow a secret download of a variant of the Bifrose backdoor, which would give the attackers access to the targeted machines, which largely belong to U.S. users.

Upon the discovery of the attack, Microsoft began working on a patch. They issued a security advisory warning the public about this zero-day 'CDwnBindInfo' use-after-free remote code execution vulnerability.

The flaw affects only IE versions 6, 7 and 8, so users are advised to update to IE 9 or 10 in order to avoid being compromised, or to install Microsoft's "Fix it" solution that reduces the attack surface of the flaw by applying workaround configuration changes.

"Applying this workaround will not interfere with the installation of the final security update that will address this issue," stated Microsoft's Cristian Craioveanu, but advised uninstalling the workaround once the final security update is installed because it has a small effect on the startup time of Internet Explorer. There's no word yet on when we can expect the security update.

In the meantime, Sophos researchers have also begun analyzing the attack and are claiming that the same exploit was spotted being used on at least five additional websites.





Copyright 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019