It need not always be a plain and simple Word attachment.
April 2007. A small group of about 20 people receives an e-mail on a topic that is of great interest to them, and which invites them to sign an attached petition. The petition is a rather benign looking HTML file. Their anti virus had not indicated anything was amiss, and they click away.
They did not realize that the file in fact consisted of a targeted malicious code attack. In fact, the file contained several routines to download and drop an executable from a remote web site on the local system.
evilObject.push( evilString );
Further down the execution path, resulting data is loaded into CLSID: 0002E510-0000-0000-C000-000000000046, better known as the Microsoft Spreadsheet Object aka Microsoft Excel on Office systems. The target is an old Office vulnerability.
We humans are not capable of looking at every file we open in great depth. We lack both scale as well as in-depth protocol knowledge. We outsource this function to our anti virus solutions:
AhnLab-V3 2007.4.12.0 04.12.2007 no virus found
While these solutions generally do a great job, and are continuously improving the way they deal with such droppers, at the time of the attack, they were of little use. Once the final binary was downloaded and executed, users of most security applications were still not quite protected:
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
The file installed itself in the registry, and then connected to the host ding.pc-officer.com, as well to ihe1979.3322.org. At that point in time, both resolved to 127.0.0.1.
This is a common but rarely discussed trick in targeted attacks, the parking of attack hosts – when the control server resolves to 127.0.0.1, the only way an infected client could be identified is through DNS queries. Traffic will no longer be leaving the machine, and network detection/firewall log analysis wouldn’t result in detection at all. An attacker can ‘switch off’ the compromise when he no longer requires access to information, enabling it at will when a new need exists. All he needs to do is change the DNS resource record to point to a host under his control.
The code itself was a modified version of the Protux backdoor, which provides virtually unrestricted user level access to a compromised client: adding services, command execution, whichever the attacker requires.
September 2007. Five months later, a new HTML file appears attached to a seemingly benign looking e-mail. This time, the entire mail is in Chinese. Clicking on the attachment doesn’t actually do anything – while it contains some dropper code, it appears to have been corrupted, or does not load correctly on our UK English test systems.
It does once again contain an obfuscated download URL pointing to the same North Carolina based web server as in the April attacks. Once downloaded, the binary hosted there points to ding.pc-officer.com. It appears to be a modified version of the PCClient backdoor series, which contains key logging code. This time the host name resolves, but to a false and unused address. Further research shows that over the last few months, the control host had been moved several times, from Taiwan over 127.0.0.1 to South Korea.
In case you’re interested: all recipients of these e-mails were members of the Falun Gong, a large originally Chinese spiritual movement which has been banned by the People’s Republic of China since July 20th, 1999. The first e-mail originated from the systems of FastMail.FM, but was sent by a Taiwanese host. The e-mail attachment posed to be a petition to the International Olympic Committee on Chinese human rights violations and appeared very trustworthy and within context.
There’s plenty we can learn of just this single sample to better protect our organization against targeted attack:
The privacy problem posed by trojans increases significantly when the attackers actually have a goal of gathering information about us, and it isn’t just a random infection. This type of behavior is something we as security teams should never tolerate towards our users.
By request, here are the MD5 hashes for each of the affected files:
Sep 19th 2007
1 decade ago