SANS ISC: Attack involving .hk domains

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Eric, one of our many valued contributors wrote in yesterday with various spam messages that contained nothing but a short piece of text and a link to a very simple HK domain. Different domains were used in each message.

Subject line: Hello, Pal
Body: look

http://[domain].hk

When investigating this, we noticed that these domains have no less than 10 authorative nameservers. Most interesting is that each of these appear to be located within an ISPs dynamic IP address range. This is naturally highly suspicious. Random querying for A records shows that a large number of other compromised hosts are being used to host the actual website.

On each of these servers, the index.html page contains nastiness:

• One piece of obfuscated javascript code, that once decoded appears to exploit a known vulnerability in msdss.dll;
• One piece of obfuscated javascript which contains iframe inclusion of three other files, exp1.htm, exp2.htm and exp3.htm and a link to an icon file 123.htm. The three HTM files attempt to exploit three vulnerabilities in Internet Explorer, the 123.htm file in fact turns out to be a malicious ANI file.
• A final piece of human readable text that invites a user to click on a link, should the ‘download not start automatically’. Once you click on this link, a file ‘fun.exe’ will be downloaded from this same web server.

The resulting file ‘fun.exe’ appears to be different on each single server. We have currently seen the following SHA1 hashes:

810cac98916a018162792494bb1029cd52136431
64d4d736dd973bdee2be325560d2e2896992838c
9399cdd56e92c492dff1430de2da98dbbec60af8

Detection of the code by regular Anti-virus is very spotty, shown by the following output of Virustotal. These were the only solutions that detected malicious code. As you can see, even these are mostly generic detections:

BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG
CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan
DrWeb 4.33 06.16.2007 Trojan.Packed.138
eSafe 7.0.15.0 06.14.2007 Suspicious Trojan/Worm
Fortinet 2.85.0.0 06.16.2007 suspicious
F-Secure 6.70.13030.0 06.15.2007 Tibs.gen111
Kaspersky 4.0.2.24 06.16.2007 Email-Worm.Win32.Zhelatin.eu
Norman 5.80.02 06.15.2007 Tibs.gen111
Sophos 4.18.0 06.12.2007 Mal/EncPk-E
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen (suspicious)

This type of well-prepared and extensive attack is very difficult to shut down, mostly due to the amount of servers and authorities involved. As such, the most effective way of responding would be to have the domain itself taken down. This issue has been reported to the HKCERT as well as the administrators of the .hk TLD. In addition, we’re working with anti virus vendors to improve coverage of both the resulting file and the trojan droppers being used on the malicious site.

Cheers,
Maarten Van Horenbeeck