It's always interesting around the ISC, and you never know what you'll be handed on any given day. It's even more interesting when there is an unpatched IE vulnerability and an exploit available for it. That is where we find ourselves now. Several sites have been compromised and now contain the exploit code. These sites all run the exploit code and retrieve a file called ca.exe, which in turn retrieves a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.
This malware installs a DLL that is used as a Browser Helper Object (BHO) and also copies itself to the directory you see below as nm32.exe and runs as a process. The malware creates the following on install:

    C:\WINNT\fyt\mn32.dll
    C:\WINNT\fyt\nm32.exe
    C:\WINNT\fyt\~ipcfg636
    C:\WINNT\fyt\~start636
    C:\WINNT\fyt\~tmp636
    C:\WINNT\fyt\~view636

It also creates one called sub.txt when you surf the Internet and records everything that it can about where you surf and what you do, and any information it can get from the

Let's look at what is in the files. The information I'm about to show is from my VM box, so it won't get you anywhere :>)

File: ipcfg636

    Windows 2000 IP Configuration
    Host Name . . . . . . . . . . . . : vmwindows2k
    Primary DNS Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
    Physical Address. . . . . . . . . : 00-0C-29-16-36-AB
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.227.128
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

File: start636

    Active Connections
    Proto  Local Address          Foreign Address        State
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
    TCP    192.168.227.128:139    0.0.0.0:0              LISTENING
    UDP    0.0.0.0:135            *:*
    UDP    0.0.0.0:445            *:*
    UDP    0.0.0.0:1026           *:*
    UDP    192.168.227.128:137    *:*
    UDP    192.168.227.128:138    *:*
    UDP    192.168.227.128:500    *:*

File: tmp636

    Protected Storage settings / PWL:
    InfoDelivery
    IdentityMgr
    IdentitiesPass ::::?:ϻb[
    HASH values:
    Administrator:500:AF6E956C6F6836C4F3F9505A2D0958A7:0B14980C258F0D7178186CE65030A4A6:Built-in account for administering the computer/domain::
    Guest:501:********************************:********************************:Built-in account for guest access to the computer/domain::
    RAS: Total 0 entries
    Network settings:

File: view636

    Server Name            Remark
    -------------------------------------------------------------------------------
    \\VMWINDOWS2K
    The command completed successfully.

File: Sub.txt

    res://C:\WINNT\system32\shdoclc.dll/dnserror.htm#http://www.msn.com/
    http://winxphome/index.html
    http://winxphome/index.html
    http://winxphome/index.html
    email=lorna.hutcheson@somewhere.com pw=password pw-conf=password

The malware FTPs all the information out to a location. It also has email capability. The location given by McAfee in their write-up found here was as follows: "The trojan attempts to upload harvested information to an FTP server (66.242.129.251)." However, when I downloaded the malware and looked at it, that was not the location I found in the strings. I found:

    0040F530 ASCII "200.182.57.13",0
    0040F630 ASCII "21",0

So it seems that the malware has been swapped for a new version with the FTP server portion changed. I have not observed it attempting to FTP yet; I am still waiting with a sniffer running. The strings also contained the username and password for the new site.
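As an added example (not code from this diary, from McAfee, or from the malware's authors), here is a small Python scanner for the triage step described above: pull printable strings out of a sample, flag dotted-quad IPv4 literals that are immediately followed by a bare port string (the IP-then-port layout seen in the strings listing), look for the dropped-file paths named in this diary, and compare the embedded server against the one in the vendor write-up. The byte buffer is constructed for the demonstration and is not the real sample.

```python
import re

# Constructed stand-in for a sample: NUL-separated ASCII strings around filler
# bytes, laid out like the diary's strings listing (IP, then port). Not the real file.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + b"\x00" * 8
    + b"200.182.57.13\x00" + b"21\x00" + b"\xff" * 12
    + b"C:\\WINNT\\fyt\\nm32.exe\x00" + b"\x00" * 4
)

# Indicators taken from the diary: dropped-file paths and the vendor-reported server.
KNOWN_PATH_FRAGMENTS = [r"\fyt\mn32.dll", r"\fyt\nm32.exe"]
VENDOR_REPORTED_FTP = "66.242.129.251"

IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def extract_strings(data, min_len=4):
    """Return (offset, text) for each run of printable ASCII of at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def find_ftp_indicators(data):
    """Return (offset, ip, port) for every whole-string IPv4 literal; port is the
    decimal string right after the IP's NUL terminator if it is 1-65535, else None."""
    hits = []
    for off, text in extract_strings(data, 7):  # shortest IPv4 literal is 7 chars
        if not IPV4_RE.match(text):
            continue
        port = None
        end = off + len(text)
        if end < len(data) and data[end] == 0:
            nxt = re.match(rb"[0-9]{1,5}\x00", data[end + 1:])
            if nxt and 1 <= int(nxt.group()[:-1]) <= 65535:
                port = int(nxt.group()[:-1])
        hits.append((off, text, port))
    return hits


def find_known_paths(data):
    """Strings containing one of the dropped-file paths named in the diary."""
    return [s for _, s in extract_strings(data)
            if any(f.lower() in s.lower() for f in KNOWN_PATH_FRAGMENTS)]


def differs_from_reported(data, reported_ip=VENDOR_REPORTED_FTP):
    """True when the sample embeds IPv4 literals but none is the vendor-reported one,
    i.e. the exfiltration server has likely been changed since the write-up."""
    found = {ip for _, ip, _ in find_ftp_indicators(data)}
    return bool(found) and reported_ip not in found
```

The anchored IPv4 pattern only catches addresses stored as their own string, which is the case shown in the listing; an address embedded in a longer string (a URL, for example) would need a search rather than a full match.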
The file on the new FTP server is now encrypted, whereas the file on the first FTP site was not, so the individual seems to realize that folks are on to them. I'm pretty sure that the malware has just been changed, since it's easier to modify the malware and where it FTPs to than to go back to all the hacked sites. Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability! As always, be careful, it's a jungle out there!

Lorna J. Hutcheson
CACI
Lorna Hutcheson, ISC Handler, Mar 26th 2006