Malware from dot-CN

Published: 2007-05-10
Last Updated: 2007-05-10 21:50:55 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Disclaimer: Visiting any of the URLs listed might turn the hard drive of your PC into a peanut butter sandwich or do any other evil thing that will painfully remind you that you didn't do any backups for a while. You have been warned.

Nothing happened in this particular case when a reader stumbled by accident over the evil IFRAMEs appended - most probably without the firm's knowledge - to the home page of murraysz.cn, but only because the reader's anti-virus already stopped the very first stage of the exploits. Malware buffs that some of us are, we of course couldn't resist pulling on that thread to see where it would lead us.

Step #1:
murraysz.cn includes malicious IFRAMES from cqcqcqcq.com (which is currently not reachable), user.free.77169.net and www.haogs.cn.

Step #2:
The 77169.net site uses an old exploit to download vq.exe off the same site. The file is packed with UPX and reliably recognized as a password stealer (PWS-QQPass) by most AV software. The haogs.cn site only returns 76 bytes: another IFRAME that downloads more code from www.h148.cn.

Step #3:
h148.cn ... now we're talking ... opens three IFRAMES coming from qq.520sf.org:
- 588.htm opens xjz2007.js off the same site, which in turn opens xjz2007.htm and xjz2007.bmp. Both (the latter via an ANI exploit) try to download and run 8xz.exe.
- 06014.htm tries to download and run 8xz.exe as well. This file did not have AV coverage. When run, it downloads another bunch of EXEs off the same site, again with little to nonexistent AV coverage, but identified as more password stealers of the QQPass family.
- ok.htm opens an IFRAME from www.down988.cn.

Step #4:
Coming from down988.cn, we have 0614.js. This file used a JavaScript encoding technique that I hadn't seen before, but of course no matter what the bad guys try to do, JavaScript is an interpreted language and no amount of obfuscation can really hide the code. I have added this JavaScript as an example to the "Decoding Javascript" series that we maintain to accompany an earlier diary entry on the subject. The exploit downloads a file "down.exe", which in turn goes and fetches another couple of hostile EXE files.
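The chain in Steps 1 to 3 starts with IFRAMEs quietly appended to a legitimate home page, pointing off-site and usually sized or styled to be invisible. The following is an added example (not from this diary or the sites it describes) of a small checker a web admin could run over a fetched copy of their own page to flag such frames; the sample HTML and the hosts victim.example and injected.example in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one benign same-site frame, then two appended ones.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="/news.htm" width="600" height="300"></iframe>
</body></html>
<iframe src="http://injected.example/a.htm" width=0 height=0></iframe>
<iframe src="http://injected.example/b.htm" style="display: none"></iframe>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_tiny(value):
    """True for a width/height of 0 or 1 (also '0px'), which renders nothing."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for frames that are off-site or hidden.
    Same-site means the frame host equals page_host or is a subdomain of it."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # relative src = same site
        reasons = []
        if host != page_host and not host.endswith("." + page_host):
            reasons.append("third-party host " + host)
        if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
            reasons.append("near-zero size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "victim.example"):
        print(src, "->", ", ".join(why))
```

A hit on a page you did not change yourself is the signal to diff the file against a known-good copy and check the server for how it was modified.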

Bottom line: The exploits used are rather old and none too worrying, but if someone with a vulnerable PC surfs to any of these pages, the PC will end up completely infested with password stealing keyloggers. And this is only the point where we stopped digging further -- each of the keyloggers has an auto-update function, and also contains one or more addresses to where the more interesting captured keystrokes are sent. In other words: Patch early, patch often -- or use an operating system with better survival skills when visiting the haunted realms of the 'net.