Wednesday, December 24, 2008

SO Common and yet EVIL goes free :)

Before I start this one, I must say I never thought of myself as a blogger.
I was always reading other people's blogs thinking they were trying to be the "I am cool, I have a blog" kind of people. Well, I just think the malicious stuff I see every day should be shared with YOU :)

At the moment, torrents are the world's most active file-sharing network. The current Windows release is always one of the most shared files, and so crime follows it there :)

I recently decided to put this to the test and downloaded the most "seeded" file I could find, which was "Windows XP Pro.Corp. Edition SP3 June 2008 Update + SATA Driver"; this is still one of the most shared files. Of course I scanned it using the latest fully updated versions of Kaspersky 2009 and Dr.Web, which according to my tests are currently the best detectors on the market. Well, nothing was found...

So I load the ISO, the AutoRun executes, and I just "feel" something is wrong!! I look at Process Explorer and I see a process called "file.exe"... hmmmmm...
I figured out that the bad guys replaced the original "setup.exe" with a silent self-extracting WinRAR archive (SFX) carrying the original setup icon. It extracts a Trojan downloader called file.exe and the original setup.exe to the temp directory and executes both the Trojan and the original setup (with CurrentDirectory set to the WinRAR extraction path).
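The trick works because a WinRAR SFX is just a small stub program with a RAR archive appended, and the stub takes its orders (Setup=, Silent=, TempMode, ...) from the archive comment. Here is an offline check I would run over a downloaded "setup.exe" before double-clicking it. This is an added example, not code from the post's author: it looks for the RAR marker block inside a PE and pulls out any plaintext SFX script lines. The sample bytes in build_sample are constructed for the demo and are not real WinRAR output.

```python
"""Heuristic check for a PE that is really a WinRAR self-extracting archive (SFX).

Added example, not from the original post. The sample input is constructed here.
"""

RAR_MARKERS = (b"Rar!\x1a\x07\x00",      # RAR 1.5 - 4.x marker block
               b"Rar!\x1a\x07\x01\x00")  # RAR 5.x marker block

# Command keys used by the WinRAR SFX module's comment script.
SFX_KEYS = (b"Setup=", b"Silent=", b"TempMode", b"Overwrite=", b"Path=", b"Title=")


def find_embedded_rar(data):
    """Return the offset of the first RAR marker inside a PE image, or -1 if none.

    The hit may land inside the SFX stub's own code (the stub carries the marker to
    locate its payload); either way the file is an SFX stub, which is the signal.
    """
    if data[:2] != b"MZ":
        return -1                      # not a PE at all
    hits = [data.find(m, 2) for m in RAR_MARKERS]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def extract_sfx_commands(data, rar_offset):
    """Collect 'Key=Value' SFX script lines stored as plaintext after the RAR marker.

    Caveat: RAR may store the archive comment compressed, in which case nothing is
    returned even though the file is an SFX; treat the marker hit as the primary signal.
    """
    commands = []
    for raw in data[rar_offset:].split(b"\n"):
        line = raw.strip(b"\r\x00 \t")
        if line.startswith(SFX_KEYS):
            commands.append(line.decode("latin-1"))
    return commands


def assess(data):
    """Summarise why a 'setup.exe' looks like a disguised SFX dropper."""
    off = find_embedded_rar(data)
    if off == -1:
        return {"is_sfx": False, "setups": [], "silent": False, "suspicious": False}
    cmds = extract_sfx_commands(data, off)
    setups = [c.split("=", 1)[1] for c in cmds if c.startswith("Setup=")]
    silent = "Silent=1" in cmds
    # The dropper pattern from the post: silent extraction plus more than one
    # program launched (the payload and the real installer).
    return {"is_sfx": True, "setups": setups, "silent": silent,
            "suspicious": silent and len(setups) > 1}


def build_sample():
    """Constructed stand-in for the trojanised installer: a fake PE stub with a RAR
    marker and an uncompressed SFX comment appended (not real WinRAR output)."""
    stub = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 200
    comment = (b";The comment below contains SFX script commands\r\n"
               b"TempMode\r\nSilent=1\r\nOverwrite=1\r\n"
               b"Setup=file.exe\r\nSetup=setup.exe\r\n")
    return stub + RAR_MARKERS[0] + b"\x00" * 16 + comment + b"\x00" * 64


if __name__ == "__main__":
    print(assess(build_sample()))
```

Two Setup= lines plus Silent=1 in an installer's comment is exactly the "run the Trojan and the real setup so the victim notices nothing" pattern; a single Setup= with no Silent= is how legitimate SFX installers usually look, so the script only calls the combination suspicious.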

Here is a scan of the malicious "setup.exe" installer (run today, two months after I found it):

[scan results screenshot]

I said, O.K., maybe they didn't go to the trouble of flagging the "installer", but they all detect the Trojan downloader, right?

[scan results screenshot]

Well, they didn't :)
It is really funny to see that all you need to produce "top notch" malicious software is to download WinRAR and NSIS (Nullsoft Scriptable Install System) and create a Windows XP SP3 installation torrent; this after 20 years of anti-virus technology from a 7-billion-dollar-a-year market.

More funny stuff! The author of this virus was so lazy that he just put in a list of the relative paths to the real setup executable of every piece of software he was going to infect and share on the internet, so the "setup.exe" he made tries to execute a list of files of which only one should exist in your infected download :)
Some Examples:
\Game\wws98.exe
\WinRoute.exe
\GAME\LBWIN.EXE
\vs.exe
\Pandora.exe

Be aware of what you download! It seems the best way to tell whether a setup is infected is to right-click setup.exe and see if WinRAR suggests "Extract To" (I am joking, of course).

The executed "file.exe" downloaded http://www.cxgr.com/3913574.exe, which is also an NSIS file and also a Trojan downloader. My upload was the first time it was scanned on VirusTotal, and you can guess the results:

[scan results screenshot]

What really annoys me about this result is that the 3-4 anti-viruses that "supply a solution" above and detect the downloader DO NOT DETECT THE CONSTANT FILE IT DOWNLOADS, which means all the malware creator needs to do is modify the downloader or use a new one, and off he goes again, infecting the entire planet and getting away with it!

Now "3913574.exe" downloaded http://www.cxgr.com/Setup_ver1.1400.0.exe,
which is not packed by a known packer and isn't even identified as having "packed entropy" by PEiD. It's a small application compiled with MS VC++ 7/8, 72 KB.
Its import table is quite limited, and it calls GetProcAddress to resolve:
SetProcessPriorityBoost, WriteFile, GetEnvironmentVariableA, InternetOpenA, ExitProcess, GetTempPathA, InternetCloseHandle, CloseHandle, TerminateProcess, CreateFileA, DeleteFileA, SHChangeNotify, lstrcpyA, lstrcpyn, InternetGetConnectedState, GetAdaptersInfo,
SetThreadPriority, GetModuleFileNameA, Sleep, ShellExecuteEx, InternetOpenUrlA

Of course the strings are not plaintext, and it's also not XOR, how refreshing!!! It's a nice routine that identifies a header byte and multiplies the following bytes by a word selected per this header; it may be some kind of little compression.

Now more than 10 executables are downloaded onto your system; some are detected by some AVs and some are not. They are packed with Armadillo v1.71, and some with ASPack v2.12:
http://www.virustotal.com/he/analisis/7e8af73b605c1c82d0d990d204e12559
http://www.virustotal.com/he/analisis/f60edd90989cd53b73dfedd4df4d3aec
http://www.virustotal.com/he/analisis/6f0ab356e2bd80d4845fdb5ebbe619e1
http://www.virustotal.com/he/analisis/11232e1cf52a2c68b4f28815e7eedb60

These executables are saved in:
%programfiles%\MicroAV

  • MicroAV.exe

%windir%\PCHealthCenter

  • 1.exe, 2.exe, 3.exe, 4.exe, 5.exe, 7.exe

and of course to %windir%\system32

  • MicroAV.cpl, apgambly.dll, biqwetjd.dll and three DLLs whose names are 8 random [a-zA-Z0-9] characters
About 5-6 entries are added to the registry Run key to load the processes that bug you in the system tray. This home-made-looking Trojan is much more advanced than it appears to be...
Clearly these evil guys are advancing, and they don't stop at loading from the registry Run key:
they start using advanced loading methods such as registering as an Authentication Package to be loaded inside LSA, and as a logon notification DLL to be loaded inside winlogon.exe (which is one of the best places to be, since it cannot be terminated).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxuSIb]
"Asynchronous"=dword:00000001
"DllName"="yayxuSIb.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,00,6a,00,4a,00,44,00,57,00,4d,\
00,64,00,41,00,00,00,00,00
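The LSA entry above is the sneaky one: hex(7) is how a .reg export encodes REG_MULTI_SZ (UTF-16LE bytes, split across backslash-continued lines), so the injected path is invisible unless you decode it. The following is an added example, not the post author's code: it parses exactly the two fragments above and flags any LSA authentication package or Winlogon Notify subkey outside a known-good baseline. The baseline sets are this example's own assumption for a Windows XP system (Winlogon notification packages were dropped in Vista, so this is an XP/2003 check); the default package is the bare name msv1_0, and a full path to a random-named DLL is a tell on its own.

```python
"""Offline triage of a .reg export for the two persistence locations shown above.

Added example, not code from the original post. The registry fragments are the ones
posted above; the known-good baselines are assumptions for Windows XP.
"""

# Assumed XP baselines, compared case-insensitively.
KNOWN_AUTH_PACKAGES = {"msv1_0"}
KNOWN_NOTIFY_SUBKEYS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                        "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Registry fragments exactly as posted above.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxuSIb]
"Asynchronous"=dword:00000001
"DllName"="yayxuSIb.dll"
"Impersonate"=dword:00000000
"Logon"="o"
"Logoff"="f"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,\
00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,\
73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6c,00,6a,00,4a,00,44,00,57,00,4d,\
00,64,00,41,00,00,00,00,00
"""


def decode_value(value):
    """Decode a .reg value: dword:, hex(7): (REG_MULTI_SZ) or a quoted string."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith("hex(7):"):
        raw = bytes.fromhex(value[len("hex(7):"):].replace(",", ""))
        # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double NUL at the end.
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\")
    return value


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if pending:                              # continuation of a hex value
            pending += line
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        else:
            pending = line
        if pending.endswith("\\"):               # more lines follow
            pending = pending[:-1]
            continue
        name, _, value = pending.partition("=")
        keys[current][name.strip('"')] = decode_value(value)
        pending = ""
    return keys


def find_persistence(keys):
    """Flag LSA authentication packages and Winlogon Notify subkeys outside the baseline."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\control\\lsa"):
            for pkg in values.get("Authentication Packages", []):
                if pkg.lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(("lsa_auth_package", pkg))
        elif "\\winlogon\\notify\\" in low:
            sub = key.rsplit("\\", 1)[1]
            if sub.lower() not in KNOWN_NOTIFY_SUBKEYS:
                findings.append(("winlogon_notify", values.get("DllName", sub)))
    return findings


if __name__ == "__main__":
    for kind, what in find_persistence(parse_reg(REG_SAMPLE)):
        print(kind, what)
```

On the sample this decodes the multi-string to ["msv1_0", "C:\WINDOWS\system32\ljJDWMdA"] and reports both the ljJDWMdA package and the yayxuSIb.dll notification DLL; the random 8-character name of the LSA package matches the "three DLLs with random names" dropped into system32 above.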
