SANS ISC: Microsoft Security Bulletins / You got a Postcard!
Microsoft Security Bulletins

Time for a new round of Microsoft patches!




-->Microsoft Security Bulletin MS04-041


Two vulnerabilities exist in WordPad that could allow remote code
execution on an affected system. User interaction is required to
exploit these vulnerabilities.


Comments: Microsoft rates it as Important. No problem with that one...



-->Microsoft Security Bulletin MS04-042
Two vulnerabilities exist in the DHCP Server service, of which the
most severe could allow remote code execution on an affected system.
The DHCP Server service is not installed by default. Only the DHCP
Server service on Windows NT 4.0 Server is affected.


Comments: Microsoft rates it as Important. I disagree. OK, it only
affects NT 4.0, but I do believe there are still a lot of companies
running DHCP servers on NT 4.0...



-->Microsoft Security Bulletin MS04-043
A vulnerability exists in HyperTerminal that could allow remote code
execution on an affected system. User interaction is required to
exploit this vulnerability.


Comments: Microsoft rates it as Important. No problem with that one...



-->Microsoft Security Bulletin MS04-044
Two vulnerabilities exist in the Windows Kernel and the Local Security
Authority Subsystem Service (LSASS) that could allow privilege
elevation on an affected system. An attacker must have valid logon
credentials and be able to log on locally to exploit this
vulnerability.


Comments: Microsoft rates it as Important. LSASS again...elevation of
privilege...No problem with that one...



-->Microsoft Security Bulletin MS04-045
Two vulnerabilities exist in Windows Internet Naming Service (WINS)
that could allow remote code execution on an affected system. The WINS
Server service is not installed by default.


Comments: Microsoft rates it as Important. This is the WINS issue...we are
seeing some spikes in port 42 probes (the WINS port) in our reports...remember to apply the patches...


References:

http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx

You got a Postcard!

Below is a simple malware analysis of a password stealer. This kind of sample is becoming really common in Brazil these days: the miscreants send phishing e-mails that imitate Brazilian postcard websites and deliver thousands of them to users' mailboxes.
This one came to my mailbox with the warning "Your partner is cheating on you, see the pictures below!"...This simple analysis was done with free tools available for Linux and Windows.

On Linux: strings, UPX, unrar

On Windows: Sysinternals tools / ZoneAlarm Free




Introduction:



A suspicious file was received on Nov 30 through a spam mail with the subject 'Your partner is cheating on you - see the pictures!' (in Portuguese).
Submitting it to VirusTotal showed that none of the 13 AV vendors recognized it as malware.

So, I decided to analyze it and see what I could find.
The purpose of this analysis is to show how you can use simple Unix/Linux tools to do a basic analysis.


#####################

Phase 1: The Binary

#####################

Binary: fotos.sfx.exe

# strings -a fotos.sfx.exe

-------------SNIP!------------------------
This program must be run under Win32

UPX0

UPX1

.rsrc

1.20

UPX!

W!jfVB!

-------------SNIP!------------------------

The first lines already show something interesting: UPX.
UPX is a very common packer used to compress PE files.
You can use UPX itself to pack and unpack files.


# upx -d fotos.sfx.exe -o fotos.sfx.unp.exe



# strings -a -e l fotos.sfx.unp.exe | more   (-e l: 16-bit little-endian strings, which the resource strings of the SFX module are)


-------------SNIP!------------------------

No to A&ll

&Cancel

WinRAR self-extracting archive

-------------SNIP!------------------------


--> So, it is compressed with WinRAR.
To decompress it you can use unrar:

$ unrar x -v fotos.sfx.unp.exe


-------------SNIP!------------------------

UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal





Extracting from fotos.sfx.unp.exe



Unknown method in fotos.exe

Skipping fotos.exe

No files to extract

-------------SNIP!------------------------


--> One problem...version 2.71 does not support SFX scripts

SFX = Self eXtracting Files



So, I had to upgrade to 3.40

# ./unrar x -v ../fotos.sfx.unp.exe


-------------SNIP!------------------------

UNRAR 3.41 freeware Copyright (c) 1993-2004 Alexander Roshal





Extracting from ../fotos.sfx.unp.exe



;The comment below contains SFX script commands



Path=C:\Windows\system32

SavePath

Setup=fotos.exe

Silent=2 (Hide start dialog)

Overwrite=2 (skip existing files)





Extracting fotos.exe OK

All OK

-------------SNIP!------------------------


About the comment above: those are the parameters you set when creating a RAR file with SFX. Path is the directory the archive extracts into and Setup is the program run once extraction finishes, so this archive drops fotos.exe into C:\Windows\system32 and runs it. In this case:

Silent=2 means the option 'Hide start dialog'

Overwrite=2 means the option 'skip existing files'
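The Phase 1 steps above (spot the packer, spot the SFX stub, read the SFX script) can be scripted. The following is an added example, not code from the original diary: it looks for the UPX and WinRAR SFX markers that strings revealed, then parses the same Path=/Setup=/Silent=/Overwrite= lines unrar printed and flags the risky ones. The sample blob is constructed from the strings shown on the page; the parser assumes the script text is available in clear, either pasted from unrar's output or, as here, stored as an uncompressed archive comment inside the unpacked file.

```python
"""Static triage of a RAR SFX dropper: packer marker, SFX marker, SFX script.

Added example. SAMPLE is constructed from the strings the diary shows; it is
not the real fotos.sfx.exe."""
import re
from dataclasses import dataclass, field

UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
SFX_MARKER = b"WinRAR self-extracting archive"
SCRIPT_HEADER = b";The comment below contains SFX script commands"

# A Key=Value command, or a bare switch such as SavePath.
COMMAND_RE = re.compile(r"^([A-Za-z]\w*)(?:=(.*))?$")
# Directories an SFX dropper has no business extracting into silently.
SENSITIVE_DIRS = ("\\windows\\system32", "\\winnt\\system32", "\\windows\\system")


@dataclass
class SfxReport:
    upx_packed: bool = False
    winrar_sfx: bool = False
    script: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_sfx_script(blob: bytes) -> dict:
    """Return the commands that follow the SFX comment header.

    Values keep only the setting itself; the '(Hide start dialog)' style
    annotation that unrar prints after it is stripped."""
    start = blob.find(SCRIPT_HEADER)
    if start < 0:
        return {}
    script = {}
    for raw in blob[start + len(SCRIPT_HEADER):].split(b"\n"):
        line = raw.strip(b"\r ").decode("latin-1")
        if not line:
            continue                      # blank lines inside the comment
        m = COMMAND_RE.match(line)
        if not m:
            break                         # end of the comment block
        key, value = m.group(1), m.group(2)
        if value is None:
            script[key] = True            # bare switch
        else:
            script[key] = re.sub(r"\s*\([^)]*\)\s*$", "", value).strip()
    return script


def triage(blob: bytes) -> SfxReport:
    rep = SfxReport()
    rep.upx_packed = any(m in blob for m in UPX_MARKERS)
    rep.winrar_sfx = SFX_MARKER in blob
    rep.script = s = parse_sfx_script(blob)
    path = str(s.get("Path", ""))
    if any(d in path.lower() for d in SENSITIVE_DIRS):
        rep.findings.append(f"extracts into a system directory: {path}")
    if s.get("Silent") == "2":
        rep.findings.append("Silent=2: start dialog hidden, the user sees nothing")
    if s.get("Setup"):
        rep.findings.append(f"runs {s['Setup']} after extraction")
    if s.get("Overwrite") == "2":
        rep.findings.append("Overwrite=2: existing files skipped without prompting")
    return rep


# Constructed sample: the markers strings showed, then the SFX comment
# exactly as unrar printed it on the page.
SAMPLE = (
    b"MZ\x90\x00This program must be run under Win32\r\n$\x00"
    b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00.rsrc\x00\x00\x00"
    b"1.20\x00UPX!\x00"
    b"WinRAR self-extracting archive\x00"
    b";The comment below contains SFX script commands\r\n"
    b"Path=C:\\Windows\\system32\r\n"
    b"SavePath\r\n"
    b"Setup=fotos.exe\r\n"
    b"Silent=2 (Hide start dialog)\r\n"
    b"Overwrite=2 (skip existing files)\r\n"
    b"\x00\x00\x00"
)

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("UPX packed:", r.upx_packed, " WinRAR SFX:", r.winrar_sfx)
    for k, v in r.script.items():
        print(f"  {k} = {v}")
    for f in r.findings:
        print("  !", f)
```

Run it on an unpacked SFX and the findings list reads like the Phase 1 results: a silent extraction into system32 followed by running the dropped file is the combination worth alerting on, whatever the file is called.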






#####################
Phase 1: Results

#####################



- There are NO pictures in that file...:)

- It is an application

- It was packed with UPX

- It was compressed with WinRAR with SFX commands




#####################

Phase 2: Analysis

#####################


Running strings on the extracted binary now shows some more interesting stuff...



Network Information:


-------------SNIP!------------------------

Network unreachable.

Host unreachable.

Connection refused.

TTL expired.

Network is down.

Network is unreachable. Net dropped connection or reset.!Software caused connection abort.

Connection reset by peer.

-------------SNIP!------------------------


Registry Information:


-------------SNIP!------------------------

\Software\Microsoft\Windows\CurrentVersion\Run

-------------SNIP!------------------------


-->So, it looks like it will install itself under that registry key...



Application information:


-------------SNIP!------------------------

SOFTWARE\Borland\Delphi\RTL

-------------SNIP!------------------------


-->Delphi Run Time Library...a Delphi application...



Mail strings:


-------------SNIP!------------------------

This is a multi-part message in MIME format

=_NextPart_2relrfksadvnqindyw3nerasdf

=_NextPart_2rfkindysadvnqw3nerasdf

Content-Type: multipart/alternative;

boundary="=_NextPart_2altrfkindysadvnqw3nerasdf"

--=_NextPart_2altrfkindysadvnqw3nerasdf

--=_NextPart_2altrfkindysadvnqw3nerasdf--

Content-Type: text/plain

Content-Transfer-Encoding: 7bit

base64

attachment

application/octet-stream

Content-Type:

-------------SNIP!------------------------


--> So, this application will send email...?



And some other strings of interest:


-------------SNIP!------------------------

=============Banco do Brasil======================
==================================================

BB Tit.=

BB Ag.nc.=

BB Cont.=

BB Senha A.=Atendimento=

BB Senha C.=

=============Banco Bradesco=======================

Bradesco Agencia=

Bradesco Conta=

Bradesco Digito=

Bradesco 4 digitos=

Bradesco Cartao=

Bradesco Resposta s.=

==============Caixa Economica=====================

Caixa Tipo=

Caixa Agencia=

Caixa Conta=

Caixa S. Intermet=

Caixa Ass. Eletronica=

=============Unibanco===========================

Unibanco 30 horas=

Unibanco Agencia=

Unibanco Conta=

Unibanco Digito=

Unibanco Senha=

Unibanco Assinatura=

Unibanco Cond. Alfanumerica=

=============Banco ITAU===========================

ITAU Conta=

ITAU Agencia=

ITAU Digito=

ITAU Senha Eletronica=

ITAU Senha do cartao=

ITAU % digitos do cartao=

ITAU Data dia=

ITAU Data mes=

ITAU Data ano=

ITAU Numero do portador=

-------------SNIP!------------------------



--> These are the names of some Brazilian banks. Basic Portuguese: Agencia means branch, Conta means account and Senha means password.


and also:


-------------SNIP!------------------------

Conta em braco!

Senha em braco!

Senha do Auto-Atendimento

-------------SNIP!------------------------


--> More Portuguese lessons:

-Blank Account field!

-Blank Password field!

-ATM Password

--> And this is still funny because they wrote it wrong...the correct word would be 'branco', not 'braco'...



And finally, some email addresses:

- xxxxx1@yahoo.com.br

- xxxxx2@yahoo.com.br

- xxxxx3@yahoo.com.br

- xxxxx1@bol.com.br

- xxxxx1@tugamail.com

- xxxxxx@xxxxxx

and an IP address:

- xx.xx.80.21
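Everything in Phase 2 so far is "run strings, then read the output with a trained eye". The following is an added example, not code from the original diary, that does the same two steps in Python: it pulls printable runs out of a binary the way `strings -a` (ASCII) and `strings -a -e l` (16-bit little-endian, which is how the Delphi/VCL resource strings such as "No to A&ll" are stored) do, then sorts them into the buckets this walkthrough built by hand (autorun key, compiler, MIME pieces, bank form labels, e-mail addresses, IP addresses). The buffer is constructed from the strings the page reports; the masked IP is replaced by the documentation address 192.0.2.21.

```python
"""String extraction plus triage buckets for a suspected password stealer.

Added example. SAMPLE is constructed from strings reported on the page; it
is not carved from the real sample."""
import re
from collections import defaultdict

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: a printable ASCII byte followed by a NUL, repeated.
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Category name -> pattern tried against every extracted string.
RULES = [
    ("autorun",     re.compile(r"\\CurrentVersion\\Run\b", re.I)),
    ("compiler",    re.compile(r"\\Borland\\Delphi\\", re.I)),
    ("mime",        re.compile(r"^(Content-Type:|Content-Transfer-Encoding:|--=_NextPart|This is a multi-part message)", re.I)),
    ("bank_banner", re.compile(r"^=+\s*[A-Za-z ]+\s*=+$")),
    ("bank_form",   re.compile(r"^(BB|Bradesco|Caixa|Unibanco|ITAU)\b.*=$")),
    ("email",       re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ipv4",        re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("winsock_err", re.compile(r"unreachable|Connection refused|Connection reset|TTL expired", re.I)),
]


def extract_strings(blob: bytes):
    """Yield (encoding, text) for each run of MIN_LEN+ printable characters."""
    for m in ASCII_RE.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16LE_RE.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")


def classify(blob: bytes) -> dict:
    """Bucket extracted strings by category; a string may land in several."""
    buckets = defaultdict(list)
    for _, text in extract_strings(blob):
        for name, rx in RULES:
            if rx.search(text):
                buckets[name].append(text)
    return dict(buckets)


def verdict(buckets: dict) -> list:
    """Turn the buckets into the kind of conclusions Phase 2 ends with."""
    notes = []
    if buckets.get("autorun"):
        notes.append("persists via the Run key")
    if buckets.get("compiler"):
        notes.append("built with Delphi")
    if buckets.get("bank_form"):
        notes.append(f"carries {len(buckets['bank_form'])} bank credential field labels")
    if buckets.get("mime") and (buckets.get("email") or buckets.get("ipv4")):
        notes.append("builds e-mail and knows where to send it: "
                     + ", ".join(buckets.get("email", []) + buckets.get("ipv4", [])))
    return notes


# Constructed sample: NUL-separated ASCII strings, then two UTF-16LE
# strings that a plain ASCII scan would miss.
SAMPLE = b"\x00\x00".join([
    b"This program must be run under Win32",
    b"Network unreachable.",
    b"Connection refused.",
    b"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"SOFTWARE\\Borland\\Delphi\\RTL",
    b"This is a multi-part message in MIME format",
    b"Content-Type: multipart/alternative;",
    b"=============Banco do Brasil======================",
    b"BB Tit.=",
    b"Bradesco Agencia=",
    b"ITAU Senha do cartao=",
    b"Senha em braco!",
    b"xxxxx1@yahoo.com.br",
    b"xxxxx1@bol.com.br",
    b"192.0.2.21",
    "No to A&ll".encode("utf-16-le"),
    "&Cancel".encode("utf-16-le"),
])

if __name__ == "__main__":
    buckets = classify(SAMPLE)
    for name, items in buckets.items():
        print(f"{name}: {items}")
    for note in verdict(buckets):
        print("=>", note)
```

The UTF-16 pass is the point of the `-e l` switch: a VCL dialog string like "No to A&ll" never shows up in a plain ASCII scan because every character is followed by a NUL byte.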




#####################

Phase 2: Results

#####################



- This application will try to use network resources

- It will use something under \Software\Microsoft\Windows\CurrentVersion\Run

- It was created with Delphi

- It is related in some way to email...

- It has strings with the names of Brazilian banks, and strings that ask for passwords laid out as a report

- It has a list of 7 email addresses and one IP address



Putting it all together, we can assume that it is a password stealer which will send the passwords to some email addresses...correct?




#####################

Phase 3: Running...

#####################



To confirm my assumptions, I decided to run this malware on a Win2k machine. Even though we found no references to VM detection, it was run on a real Win2k machine.


-------------SNIP!------------------------

D:\virus\fotos.sfx.unp.unr.exe>fotos.exe



D:\virus\fotos.sfx.unp.unr.exe>

-------------SNIP!------------------------




Our good friend Regmon shows this:


-------------SNIP!------------------------

fotos.exe:1888 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS

fotos.exe:1888 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos SUCCESS "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"

fotos.exe:1888 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS

-------------SNIP!------------------------




That means our process fotos.exe used CreateKey() to open the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, then SetValue() to write a new value named fotos under it, with the data "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe" (at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos).
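Those three Regmon lines are the whole persistence story, and they are easy to turn into a detection. The following is an added example, not code from the original diary: it parses Regmon-style lines in the simplified form the page shows (process:pid op path result ["data"]), flags every successful SetValue under an autorun key (Run, RunOnce, RunServices) and reports which process registered which executable. The "unusual location" heuristic (anything outside the Windows and Program Files directories) is this example's own assumption, and so are the two benign explorer.exe lines added as noise.

```python
"""Autorun persistence detection over Regmon-style log lines.

Added example. SAMPLE_LOG repeats the three events the diary shows and adds
two constructed benign lines."""
import re

LINE_RE = re.compile(
    r'^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+?)\s+'
    r'(?P<result>[A-Z]+)(?:\s+"(?P<data>[^"]*)")?\s*$')

AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce|RunServices)\\(?P<name>[^\\]+)$", re.I)

# Where legitimately installed software normally lives (assumption).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")


def parse_regmon_line(line: str):
    """Split one line into process, pid, operation, path, result, data."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def find_persistence(lines):
    """Return one finding per successful autorun value write."""
    hits = []
    for line in lines:
        ev = parse_regmon_line(line)
        if not ev or ev["op"] != "SetValue" or ev["result"] != "SUCCESS":
            continue
        m = AUTORUN_RE.search(ev["path"])
        if not m:
            continue
        image = ev["data"] or ""
        hits.append({
            "process": ev["proc"],
            "pid": ev["pid"],
            "key": m.group("key"),
            "value_name": m.group("name"),
            "image": image,
            # a process registering its own image is the classic dropper pattern
            "self_registered": image.lower().endswith("\\" + ev["proc"].lower()),
            "unusual_location": not image.lower().startswith(EXPECTED_PREFIXES),
        })
    return hits


SAMPLE_LOG = [
    # the three events Regmon showed for fotos.exe
    'fotos.exe:1888 CreateKey HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run SUCCESS',
    'fotos.exe:1888 SetValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\fotos SUCCESS "D:\\virus\\fotos.sfx.unp.unr.exe\\fotos.exe"',
    'fotos.exe:1888 CloseKey HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run SUCCESS',
    # constructed benign noise: a value read (path with spaces) and a write outside any autorun key
    'explorer.exe:1024 QueryValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop SUCCESS "C:\\Documents and Settings\\user\\Desktop"',
    'explorer.exe:1024 SetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden SUCCESS "1"',
]

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_LOG):
        print(f'{hit["process"]}[{hit["pid"]}] wrote {hit["key"]}\\{hit["value_name"]} = {hit["image"]}'
              f' (self-registered={hit["self_registered"]}, unusual location={hit["unusual_location"]})')
```

The CreateKey and CloseKey lines are deliberately ignored: opening the Run key is something installers and Explorer do all day, while a SetValue there is the event that actually creates persistence.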


Another friend, Process Explorer, also shows good information:


-------------SNIP!------------------------

HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9

HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5

-------------SNIP!------------------------




Winsock...interesting. We knew this application would try to use network resources, and this confirms it...



So, let's try to browse to one of those banks' websites...

Navigating to one of those bank websites using IE was kind of funny...

I don't know if it was because of the IE Google bar, but the real website loaded almost perfectly, except that there was another pair of branch and account fields overlapping the real ones...

Putting fake data in the fields, or leaving them empty, and pressing OK opened another window requesting more data, more passwords and personal information. After filling everything in with some 'good data' and pressing OK,
my ZoneAlarm came up with an alert:


-------------SNIP!------------------------

Do you want to allow fotos.exe to access the internet?


Technical Information


Destination IP: xx.xx.80.21:SMTP

Application: fotos.exe

-------------SNIP!------------------------




Hmmm...so that's why we had this IP address in that list...SMTP, email addresses...now it is starting to make sense...:)

But xx.xx.80.21 resolves to a hosting provider...not to any of the email domains that we found...Maybe an open relay??




#####################

Phase 3: Results

#####################



So, that's what we have so far:



- It will create a value named fotos under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the data "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"

- It will use Winsock for network resources

- It will create fake fields for passwords, account, branch and some personal information, overlapping the real fields of the bank websites

- It will try to reach an SMTP server at the IP that we found some steps ago...


From now on, we should think about this application much like spyware. As we noticed, this application uses Winsock. There are a lot of advantages to hooking into Winsock: in Microsoft Windows operating systems, Winsock is how TCP/IP is exposed to applications. This is wonderful for the attacker, because this way his/her application is able to monitor all Internet traffic, and that is exactly what he wants: he wants to know when you access the banks' websites!



############################

Phase 4: Final experiments

############################



So, let's set up a mail server and see what this application is trying to send to that IP.

On another machine in the same lab network, I brought up a virtual interface with the same IP address as the one ZoneAlarm detected, and repeated the steps of phase 2, visiting the websites and filling in the fake forms. After pressing the last OK, ZoneAlarm alerted me again, and this time I allowed it to connect to port 25 of that IP address.

My mail server handled the whole transaction, which is reproduced below with the help of another friend, Ethereal:




-------------SNIP!------------------------------------------------------
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Nov 2004
17:32:53 -0200

EHLO starinfo

250-localhost.localdomain Hello starinfo [10.0.0.2], pleased to meet you

250-ENHANCEDSTATUSCODES

250-PIPELINING

250-8BITMIME

250-SIZE

250-DSN

250-ETRN

250-AUTH DIGEST-MD5 CRAM-MD5

250-DELIVERBY

250 HELP

RSET

250 2.0.0 Reset state



MAIL FROM:<xxxxxx1@bol.com.br>

250 2.1.0 <xxxxxx1@bol.com.br>... Sender ok

RCPT TO:<xxxxxx1@yahoo.com.br>

250 2.1.5 <xxxxxx1@yahoo.com.br>... Recipient ok

DATA

354 Enter mail, end with "." on a line by itself

From: xxxxxx1@bol.com.br

Subject: xxxxxx1

To: xxxxxx1@yahoo.com.br

Content-Type: text/plain

Date: Tue, 30 Nov 2004 17:33:02 -0200

X-Priority: 3

X-Library: Indy 9.00.10

=============Banco do Brasil======================
==================================================

BB Tit.= 1. Titular

BB Ag.nc.=

BB Cont.=

BB Senha A.=Atendimento=

BB Senha C.=

==================================================
=============Banco Bradesco=======================

Bradesco Agencia=

Bradesco Conta=

Bradesco Digito=

Bradesco 4 digitos=

Bradesco Cartao=

Bradesco Resposta s.=

==================================================
==============Caixa Economica=====================

Caixa Tipo= 001-Cta. Corrente - P.F.sica

Caixa Agencia=

Caixa Conta=

Caixa S. Intermet=

Caixa Ass. Eletronica=

==================================================
=============Unibanco===========================

Unibanco 30 horas=Internet 30 Horas

Unibanco Agencia=3333

Unibanco Conta=333333

Unibanco Digito=1

Unibanco Senha=1111

Unibanco Assinatura=123123123123123123123

Unibanco Cond. Alfanumerica=zaqxsw

==================================================
=============Banco ITAU===========================

ITAU Conta=

ITAU Agencia=

ITAU Digito=

ITAU Senha Eletronica=

ITAU Senha do cartao=

ITAU % digitos do cartao=

ITAU Data dia=

ITAU Data mes=

ITAU Data ano=

ITAU Numero do portador=

==================================================
=============GErenciador Financeiro===============

Gerenciador Chave=

Gerenciador Senha Acesso=

Gerenciador Senha Conta=

=================================================
============ufaaa acabo :D=======================

.

250 2.0.0 iAUJWrLK000991 Message accepted for delivery

QUIT

221 2.0.0 localhost.localdomain closing connection

-------------SNIP!--------------------------------------------------


Yep...it was sending a report with all the gathered info...

Interesting stuff...the last line of his/her report is 'ufaaa acabo'.
This means: "finally, the end"...
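Reading the Ethereal capture by eye works for one message; for a mailbox full of them it helps to parse it. The following is an added example, not code from the original diary: it walks a captured SMTP exchange like the one above, separates the client's commands from the server's numeric replies, recovers the envelope (EHLO, MAIL FROM, RCPT TO), the headers and the report body, and lists exactly which bank fields left the machine with a value in them. The transcript is a shortened, constructed version of the page's capture (same masked addresses, same Unibanco test values); the parser assumes unfolded headers and a blank line between headers and body.

```python
"""Parse a captured SMTP session from a credential stealer into envelope,
headers and the key=value report it carried.

Added example. TRANSCRIPT is a constructed, shortened copy of the diary's
capture."""
import re

REPLY_RE = re.compile(r"^\d{3}([ -]|$)")          # server reply: 3 digits + space/dash
SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")  # ====Bank name==== banner


def split_message(body):
    """Headers run until the first blank line; the rest is the report."""
    headers, report, section, i = {}, {}, "(none)", 0
    while i < len(body) and body[i]:
        name, _, value = body[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    for line in body[i + 1:]:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif "=" in line and not line.startswith("="):
            key, _, value = line.partition("=")
            report.setdefault(section, {})[key.strip()] = value.strip()
    return headers, report


def parse_smtp_session(transcript: str) -> dict:
    s = {"helo": None, "mail_from": None, "rcpt_to": [], "accepted": False,
         "headers": {}, "report": {}}
    body, in_data = [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            else:                                  # undo dot-stuffing
                body.append(line[1:] if line.startswith(".") else line)
        elif REPLY_RE.match(line):
            if line.startswith("250") and "accepted" in line.lower():
                s["accepted"] = True
        else:
            up = line.upper()
            if up.startswith(("EHLO ", "HELO ")):
                s["helo"] = line[5:].strip()
            elif up.startswith("MAIL FROM:"):
                s["mail_from"] = line[10:].strip().strip("<>")
            elif up.startswith("RCPT TO:"):
                s["rcpt_to"].append(line[8:].strip().strip("<>"))
            elif up == "DATA":
                in_data = True
    s["headers"], s["report"] = split_message(body)
    return s


def nonempty_fields(report: dict) -> dict:
    """Only the report fields that actually carried a value."""
    return {sec: {k: v for k, v in fields.items() if v}
            for sec, fields in report.items() if any(fields.values())}


TRANSCRIPT = """\
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Nov 2004 17:32:53 -0200
EHLO starinfo
250-localhost.localdomain Hello starinfo [10.0.0.2], pleased to meet you
250-PIPELINING
250 HELP
MAIL FROM:<xxxxxx1@bol.com.br>
250 2.1.0 <xxxxxx1@bol.com.br>... Sender ok
RCPT TO:<xxxxxx1@yahoo.com.br>
250 2.1.5 <xxxxxx1@yahoo.com.br>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: xxxxxx1@bol.com.br
Subject: xxxxxx1
To: xxxxxx1@yahoo.com.br
X-Library: Indy 9.00.10

=============Banco do Brasil======================
BB Tit.= 1. Titular
BB Ag.nc.=
BB Senha C.=
==================================================
=============Unibanco===========================
Unibanco Agencia=3333
Unibanco Conta=333333
Unibanco Senha=1111
Unibanco Cond. Alfanumerica=zaqxsw
=================================================
============ufaaa acabo :D=======================
.
250 2.0.0 iAUJWrLK000991 Message accepted for delivery
QUIT
221 2.0.0 localhost.localdomain closing connection
"""

if __name__ == "__main__":
    sess = parse_smtp_session(TRANSCRIPT)
    print(sess["mail_from"], "->", sess["rcpt_to"], "via", sess["helo"], "accepted:", sess["accepted"])
    print("mailer:", sess["headers"].get("X-Library"))
    for sec, fields in nonempty_fields(sess["report"]).items():
        print(sec, fields)
```

The X-Library header is worth keeping in the output: it names the Indy components the Delphi binary used to speak SMTP, which ties the capture back to the Delphi RTL string found in Phase 2.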




########################

Phase 4: Final Results

########################



- Our assumptions were proven right: this piece of malware was sending its results, through a relay, to those email addresses, with all the user information (account, branch, passwords...)


And finally, after sending this malware to a list of AV vendors, by the end of today, according to VirusTotal, 3 AV products were already detecting it!




--------------------------------------------------------------------

Handler on Duty for the last time this year: Pedro Bueno (pbueno /AT/ isc.sans.org)
