Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Ch10: Remote Access Trojans and Zombie Networks

Win32:Sirefef.AG

News Strategies of Defending Windows against Viruses, Worms and other Malware Recommended Links Softpanorama Malware Defense Strategy Backup process Three phases of the image restore process Backup your infected partition from recovery CD or separate bootable USB drive
Create a Delta Tree of data that Restore the image from backup and merge your Delta Tree with it Conclusions Webliography Humor History Etc

See also Win32:Sirefef.A  -- an earlier version that was distributed with Data Recovery scareware

This is a a recent strain of a malware family, that were infecting user PCs with IE8 browser (along with Win32/Tracur.AV  which disables several AV programs including Microsoft Security Essentials) when Foreign Affairs magazine website was compromised in December 2012 (see Foreign Policy Group Gets Hacker Happy New Year ).  While I wish that all neocons (for whom this site is a watering hole)  got this nasty malware ;-), innocent visitors with Windows XP and IE 8 browser were hurt too...

Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors.

The CFR is a non-partisan policy group (tell this anybody -- NNB ;-), known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack -– waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer

... ... ...

The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The JavaScript is hidden in a file on the system that is usually used for a completely different purpose," he said.

Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on an off for different sites can be inconvenient.

Users of Internet Explorer 9 and later aren't vulnerable.

While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.

SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 0 bytes ( 0 bytes )
File name: Whisky Bible Pro 2012_v1.1crk.apk
File type: unknown
Tags: zero-filled nsrl hash-collision software-collection
Detection ratio: 0 / 46
Analysis date: 2013-01-05 20:16:56 UTC ( 1 minute ago )

The following is a condensed report of the behavior of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

File system activity

Opened files...
C:\WINDOWS\system32\V3Medic.exe (failed)
C:\6c6bc20dc36e2b9b6a0280cc7e1a8a291e2e6bb7221210d497939a80da43a7cd (successful)
C:\WINDOWS\system32\V3Medic.exe (successful)
C:\WINDOWS\system32\reg.exe (successful)
\\.\PIPE\lsarpc (successful)
c:\autoexec.bat (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\5DC8A.exe (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
\\.\SICE (failed)
\\.\SIWVID (failed)
\\.\NTICE (failed)
\\.\REGSYS (failed)
\\.\REGVXG (failed)
\\.\FILEVXG (failed)
\\.\FILEM (failed)
\\.\TRW (failed)
\\.\ICEEXT (failed)
\\.\PIPE\SfcApi (successful)
C:\WINDOWS\system32\ws2help.dll (successful)
C:\WINDOWS\IRIMGV3.bmp (successful)
Read files...
c:\autoexec.bat (successful)
C:\WINDOWS\system32\rsaenh.dll (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
Written files...
C:\WINDOWS\system32\V3Medic.exe (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\5DC8A.exe (successful)
C:\WINDOWS\system32\drivers\etc\hosts (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
C:\WINDOWS\IRIMGV3.bmp (successful)
Copied files...
SRC: C:\6c6bc20dc36e2b9b6a0280cc7e1a8a291e2e6bb7221210d497939a80da43a7cd
DST: C:\WINDOWS\system32\V3Medic.exe (successful)

SRC: C:\WINDOWS\system32\ws2help.dll
DST: C:\WINDOWS\system32\ws2helpXP.dll (successful)
Moved files...
SRC: C:\WINDOWS\system32\ws2help.dll
DST: C:\WINDOWS\system32\ws2help.dll.byM.tmp (successful)

SRC: C:\WINDOWS\IRIMGV3.bmp
DST: C:\WINDOWS\system32\ws2help.dll (successful)
Deleted files...
C:\WINDOWS\system32\dia3.ini (failed)

Registry activity

Set keys...
KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}\stubpath
TYPE:  REG_EXPAND_SZ
VALUE: %SystemRoot%\system32\V3Medic.exe (successful)

KEY:   HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
TYPE:  REG_DWORD
VALUE: 0 (successful)

KEY:   HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
TYPE:  REG_DWORD
VALUE: 0 (successful)

KEY:   HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
TYPE:  REG_BINARY
VALUE:  (successful)

KEY:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet
TYPE:  REG_DWORD
VALUE: 1 (successful)

KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Version
TYPE:  REG_DWORD
VALUE: 8 (successful)

KEY:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
TYPE:  REG_SZ
VALUE: ws2help.dll (successful)
Deleted keys...
0x00000000\Identity (failed)
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7} (failed)

Process activity

Created processes...
reg delete HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}" /f" (successful)
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)

Mutex activity

Created mutexes...
RasPbFile (failed)
Opened mutexes...
ShimCacheMutex (successful)
RasPbFile (successful)

Application windows activity

Searched windows...
CLASS: FileMonClass
NAME:  (null)

CLASS: 18467-41
NAME:  (null)

CLASS: OLLYDBG
NAME:  (null)

Windows service activity

Opened service managers...
MACHINE:  localhost
DATABASE: SERVICES_ACTIVE_DATABASE (successful)
Opened services...
RASMAN (successful)

Runtime DLLs

advapi32.dll (successful)
wininet.dll (successful)
kernel32.dll (successful)
version.dll (successful)
secur32.dll (successful)
shell32.dll (successful)
wsock32 (successful)
ws2_32 (successful)
comctl32.dll (successful)
rasapi32.dll (successful)
rtutils.dll (successful)
rpcrt4.dll (successful)
sensapi.dll (successful)
ntdll.dll (successful)
userenv.dll (successful)
netapi32.dll (successful)
urlmon.dll (successful)
c:\windows\system32\mswsock.dll (successful)
dnsapi.dll (successful)
rasadhlp.dll (successful)
hnetcfg.dll (successful)
c:\windows\system32\wshtcpip.dll (successful)
msvcrt.dll (successful)
user32.dll (successful)
rsaenh.dll (successful)
msvcp60.dll (successful)
psapi.dll (successful)
c:\windows\system32\sfc_os.dll (successful)

Additional details

  • The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
  • The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

Network activity

HTTP requests...
URL:  http://blog.sina.com.cn/s/blog_af5f75a301015gge.html
TYPE: GET
UA:   Testing

URL:  http://www.ezyeconomy.com/xml/20121009/c4.gif
TYPE: GET
UA:   Testing
DNS requests...
blog.sina.com.cn (218.30.115.254)
www.ezyeconomy.com (121.78.127.93)
TCP connections...
218.30.115.254:80
121.78.127.93:80
UDP communications...
<MACHINE_DNS_SERVER>:53

Trend Micro warns.

"During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware," the researchers shared.

As it turned out, the patched file was component of the Sirefef/Zaccess malware family, and was used to run the malware's other malicious components upon reboot.

"This proved to be a new variant of Sirefef/Zaccess, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques," they said.

This infection with this new variant was traced back to the execution of K-Lite Codec Pack.exe, and it has more than likely been downloaded by the users themselves from the Internet in order to play movies downloaded via P2P applications.

To keep up the illusion that the offered codec is legitimate and to up the likelihood of it being used, the file names are also often modified to include the titles of popular movies.

According to Trend Micro numbers, Sirefef/Zaccess infections have hugely increased in July, going from some 1,000 infected computers on the first of the month to over 11,000 on the 27th.

The great majority of infected computers is located in the US. Nevertheless, all users are advised to be cautious when downloading files from untrusted sources such as P2P network

IE zero-day used in targeted watering hole attacks

he exploited website was that of the Council on Foreign Relations, an organization, publisher, and think tank specializing in U.S. foreign policy and international affairs, among whose members are a number of high-profile U.S. government and political figures such as former secretary of state Madeleine Albright, former treasury secretary Robert Rubin, and many others.

According to security researcher Eric Romang, the website seems to have been compromised as early as December 7, and possibly even earlier.

FireEye's researchers have been alerted to the compromise on December 27 and proceeded to analyze the attack and discover its use of a previously unknown Microsoft Internet Explorer vulnerability.

Visitors to the website who used IE 6,7, or 8, had Flash and Java 6 installed, and had the OS language set on U.S. English, Chinese, Taiwan Chinese, Russian, Korean or Japanese were unknowingly redirected to a page serving a malicious Shockwave Flash File (today.swf) that would trigger the vulnerability. Others were redirected to a blank page.

"When the Flash object was loaded, it performed a heap-spray and injected the shellcode used to locate the xsainfo.jpg file, decode it, and store it in the %Temp%/flowertep.jpg file, Symantec's researchers explained. "Next, a request was sent for the robots.txtfile which gets de-obfuscated and then used to load the malicious payload (flowertep.jpg) using techniques to by-pass DEP and ASLR on Windows 7."

All this was performed to ultimately allow a secret download of a variant of the Bifrose backdoor, which would give the attackers access to the targeted machines, which largely belong to U.S. users.

Upon the discovery of the attack, Microsoft began working on a patch. They issued a security advisory warning the public about this zero-day 'CDwnBindInfo' use-after-free remote code execution vulnerability.

The flaw affects only IE versions 6, 7 and 8, so users are advised to update to IE 9 or 10 in order to avoid being compromised, or to install Microsoft's "Fix it" solution that reduces the attack surface of the flaw by applying workaround configuration changes.

"Applying this workaround will not interfere with the installation of the final security update that will address this issue," stated Microsoft's Cristian Craioveanu, but advised on uninstalling the workaround once the final security update is installed because it has a small effect on the startup time of Internet Explorer. There's no word yet on when we can expect the security update.

In the meantime, Sophos researchers have also begun analyzing the attack and are claiming that the same exploit was spotted being used on at least five additional websites.



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2020 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019