Encrypted javascript on probable virus page

[Roy Carin]

I received a spam e-mail that linked here: http://75.74.217.174/?aabb

(The query string is not literal.)

I've already submitted ecard.exe to the ClamAV, but the encrypted
javascript on that page confuses me.

The script element is a single 27-thousand byte line. I'm not a
javascript programmer, but I'm thinking of ways to get Perl to
interpret/unencrypt that.

If you are more knowledgeable about this, please help crack open that
script block if you can.

 

[Roy Carin]

I received a spam e-mail that linked here: http://75 ... 74 ... 217 ... 174/?aabb

(The query string is not literal.)

I've already submitted ecard.exe to the ClamAV, but the encrypted
javascript on that page confuses me.

The script element is a single 27-thousand byte line. I'm not a
javascript programmer, but I'm thinking of ways to get Perl to
interpret/unencrypt that.

If you are more knowledgeable about this, please help crack open that
script block if you can.

I deeply apologize for posting that link unobfuscated.

The first stage of decoding reveals the javascript to be a Windows
Video/Active X exploit. Somehow Winzip is involved, and there is another
block of encoded or binary text in the script.

 

[Ant]

What do you mean "not literal"?

If I use that string I get the script. If I omit the string I don't.
In both cases I get the "click here" text to manually download
ecard.exe.

The first stage of decoding reveals the javascript to be a Windows
Video/Active X exploit. Somehow Winzip is involved, and there is another
block of encoded or binary text in the script.

It's several exploits designed to automatcally download and run a
small executable (file.php). The encoded binary is executable code
which is injected to take advantage of buffer overflows caused by the
exploits.

file.php will try to download gop.exe from the same site. That file
is giving a 404, but I suspect the end result would be to download
and run ecard.exe and who knows what else.

ecard.exe is packed/encrypted with a method I'm not familiar with, so,
from a static analysis, it's not obvious what it will do.

 

[Roy Carin]

What do you mean "not literal"?

Originally, the query string was longer, and I suspect that it contained
my e-mail address encrypted.

If I use that string I get the script. If I omit the string I don't.
In both cases I get the "click here" text to manually download
ecard.exe.


It's several exploits designed to automatcally download and run a
small executable (file.php). The encoded binary is executable code
which is injected to take advantage of buffer overflows caused by the
exploits.

file.php will try to download gop.exe from the same site. That file
is giving a 404, but I suspect the end result would be to download
and run ecard.exe and who knows what else.

When I downloaded from file.php, I got a file called file.exe which
contained Trojan.Downloader-10773.

ecard.exe is packed/encrypted with a method I'm not familiar with, so,
from a static analysis, it's not obvious what it will do.

My ClamAV (0.90.2) says that ecard.exe is clean, but I know that can't
be true.

Anyway, the site is down right now.

 

[lionel.victor]

Fancy more ???

http://66.117.215.142/

javascript decodes to activex that downloads sony.exe this time...
The link on the page points to video.exe

diff video.exe sony.exe reveals that both files are identical.

dunno how much time the site will remain up... I downloaded binaries
so I can work off line...

cheers

 

[Virus Guy]

Fancy more ???
http://66.117.215.142/

This is storm.

http://isc.sans.org/diary.html?storyid=3298

See also:

http://www.castlecops.com/eCard_malware1642.html

You can download video.exe and sony.exe from the above IP. I did, and
they were different sizes (different by 1 byte).

These will be auto-generated binaries, so it's a moving target.

 

[Virus Guy]

I noticed that the site in question (and this one: http://fncarp.com/)
tries to get you to install an activex component. This component is
called u.exe (about 5kb in size). Yesterday, fncarp.com reversed to
69.133.112.241 (this is an IP address belonging to Road Runner.
Geolocation puts that IP in SPRINGBORO OHIO.

In looking at that file, it contains this:

\anonymous

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)

I believe that the "SV1921" is some sort of browser identifier that
might enable the user to access some command or control functions on
the server in question.

Here's the VT info about u.exe:

File size: 4609 bytes
MD5: 27e27d757e6656b433002826ba202787
SHA1: f256c9978b7635707ed868272243fcc9ce88e380

It's being identified as:

Downloader.Win32.Small.evy
W32/Threat-HLLSI-based!Maximus
Generic Downloader.g
W32/DorfDl.A!tr
Downloader.Generic5.VIQ

Detection rates are only about 72% currently. Not detected by Avast,
NOD, Symantec and Micro$oft (among others).

Today fncarp.com reverses to 216.129.177.83 (Arvig Enterprises Inc /
Detroit Lakes Cable Modems).

It's serving a little "Happy Labor Day" picture, as well as the file
"labor.exe".

VT says this about it:

File size: 134413 bytes
MD5: 3e212e226b54d09678b7f38041fc17f1
SHA1: 549e614d7a05f2704992c58f1488c32f56075e97

It's being id'd as:

Fathom.3-based!Maximus
Tibs-BEL / Tibs.BN!tr / Tibs.7.W / Tibs.gen!B
Zhelatin.Gen / Zhelatin.hi
Sintun.AF
Nuwar.Gen
Dorf-E

Detection rate is 78%.

 

[jen]

[snip]

Today fncarp.com reverses to 216.129.177.83 (Arvig Enterprises Inc /
Detroit Lakes Cable Modems).
It's serving a little "Happy Labor Day" picture, as well as the file
"labor.exe".
VT says this about it:
File size: 134413 bytes
MD5: 3e212e226b54d09678b7f38041fc17f1
SHA1: 549e614d7a05f2704992c58f1488c32f56075e97
It's being id'd as:
Fathom.3-based!Maximus
Tibs-BEL / Tibs.BN!tr / Tibs.7.W / Tibs.gen!B
Zhelatin.Gen / Zhelatin.hi
Sintun.AF
Nuwar.Gen
Dorf-E
Detection rate is 78%.

NUWAR in labor:
http://blog.trendmicro.com/nuwar-in-labor/

-jen

 

[Virus Guy]

NUWAR in labor:
http://blog.trendmicro.com/nuwar-in-labor/

Yep. That's the picture.

"Once the image is clicked, a NUWAR variant detected as
WORM_NUWAR.AQK is downloaded onto an affected machines.
Adding insult to injury is TROJ_TIBS.ANF, which, upon
accessing the said page, is downloaded automatically via
certain browser vulnerabilities. Both malware are already
detected by Trend Micro with the latest pattern file."

What specific browser vulnerability are they talking about?

 

[Virus Guy]

When I access this site:

http://216.129.177.83

(warning - that site will attempt to infect your PC with malware)

The "Happy Labor Day" picture comes up, along with a message window
with the following:

--------------------
Title Bar Text: Microsoft ADO/RDS 2.1

Message: This page accesses data on another domain. Do you want to
allow this? To Avoid this message in IE, you can add a secure web
site to your trusted sites zome on the security tabl of the Internet
Options dialog box.

Buttons: Yes No
----------------------

I can't close the message box.

When I hit no, the message box goes away and comes back. This happens
about 7 or 8 times.

I noticed that each time it generated a small IE cache file that looks
like a log file. It seems that it was trying to download this each
time:

http://activex.microsoft.com/objects/ocget.dll

But each attempt failed.

Not sure what this is all about. I only get this behavior with IE6.
It doesn't do this (display message) with firefox or an old version of
Netscape.

This is probably attempting to exploit a known IE (IE6?) bug - anyone
know which one?

Are there any on-line javascript de-obfuscators?

note: fncarp.com now resolves to

68.43.234.209 (comcast cable - michigan).
75.46.3.130 (SBC global - Southfield Michigan)
76.24.15.130 (comcast cable - boston?)
209.76.82.231 (snowcrest inc - mt. Shasta CA)
69.245.236.195 (comcast)
74.75.226.45 (road runner - somewhere in Maine)

Well - you get the idea. A different IP every time you look it up.

 

[jen]

Yep. That's the picture.
"Once the image is clicked, a NUWAR variant detected as
WORM_NUWAR.AQK is downloaded onto an affected machines.
Adding insult to injury is TROJ_TIBS.ANF, which, upon
accessing the said page, is downloaded automatically via
certain browser vulnerabilities. Both malware are already
detected by Trend Micro with the latest pattern file."
What specific browser vulnerability are they talking about?

Storm, a.k.a. Peacomm, Zhelatin and Nuwar...

The new Peacomm infection techniques:
http://www.symantec.com/enterprise/...g/2007/08/the_new_peacomm_infection_tech.html

Among many others: ANI exploit, QuickTime vulnerability, attack on the
popular WinZip compression utility and the third, dubbed 'the Hail Mary'
by ISC, is an exploit for the WebViewFolderIcon vulnerability in Windows
that Microsoft patched last October.

The malicious code itself seems to be morphing every 30 minutes or so.

You have to assume Storm can compromise anything but the most currently
patched systems.

It's a multistrike exploit package, "Q406 Rollup," a collection that has
made the rounds since late last year. Similar to other hacker kits such
as Mpack, Q406 includes a dozen or more exploits.

an embedded obfuscated JavaScript routine attempts a cocktail of browser
and application exploits. If any of those exploits are successful,
Storm gets dropped on the PC.

-jen

 

[Ant]

Not sure what this is all about. I only get this behavior with IE6.
It doesn't do this (display message) with firefox or an old version of
Netscape.

I believe ActiveX is only supported by MSIE.

This is probably attempting to exploit a known IE (IE6?) bug - anyone
know which one?

Several; most or all of which should be now patched. You're taking a
big risk following these kind of links with IE, or even any other
standard browser. You should use wget or some other utility to fetch
the raw unrendered page.

Are there any on-line javascript de-obfuscators?

The unscrambling routine is in the script so you can do it yourself.

[fncarp.com]

Well - you get the idea. A different IP every time you look it up

It's a fast-flux botnet. The domain has a TTL (time to live) of zero
seconds, the name servers somewhat longer of two days. All the IP
addresses (hosts and name servers) point to compromised machines on
various networks.

 

[Virus Guy]

Several; most or all of which should be now patched. You're taking
a big risk following these kind of links with IE, or even any
other standard browser. You should use wget or some other utility
to fetch the raw unrendered page.

Question:

According to Symantec's writeup for Trojan.Peacomm:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=2

They say this:

"Once loaded the device driver searches for the services.exe process
and injects a module into it."

But they also say this:

"Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows XP"

But win-9x does not have services.exe, so it's not clear to me why 9x
and ME are lumpted into the list of vulnerable OS's.

According the the description for Trojan.Peacomm.C:

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-082212-2341-99&tabid=2

They say this:

"... It then attempts to infect the following legitimate Windows
driver with a copy of Trojan.Peacomm!inf:
%System%\drivers\kbdclass.sys"

Again, win-9x systems (and probably Me as well) do not have the file
"kbdclass.sys".

There is mention that the web-exploit takes advantage of a windows
media player vulnerability, but I can't find many instances where the
particular WMP vulnerability is given.

One reference says this:

----------------------
There are no attachments to this email; instead the creators have
opted for the link approach. If you should follow the link in the
email, the resulting page served up may contain an old and patched
exploit for the Windows Media Player BID 16644. Successful
exploitation may cause the file to be downloaded and executed. Just in
case the exploit does not work as intended they have also provided a
link that goes to a file named "APPLET.EXE" so you can do it yourself.
----------------------

BID 16644 is linked to this:

http://www.securityfocus.com/bid/16644

Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability

Bugtraq ID: 16644
Class: Boundary Condition Error
CVE: CVE-2006-0005
Remote: Yes
Published: Feb 14 2006 12:00AM
Updated: May 15 2007 08:48PM

Note these:

http://www.securityfocus.com/bid/16644/discuss
http://www.securityfocus.com/bid/16644/exploit

Secunia has this:

http://secunia.com/advisories/18852/

Basically, win-9x is not listed as affected by this vulnerability.

Does anyone know if the exploit vector being hosted on the various
sites in this thread are using something other than the
above-mentioned WMP vulnerability?

 

[Ant]

But win-9x does not have services.exe, so it's not clear to me why 9x
and ME are lumpted into the list of vulnerable OS's.

Again, win-9x systems (and probably Me as well) do not have the file
"kbdclass.sys".

It's possible that although it can't infect files on 9x it may still
modify registry keys and perform its function as a spam engine when
run. It's also possible that Symantec are mistaken or erring on the
safe side.

There is mention that the web-exploit takes advantage of a windows
media player vulnerability, but I can't find many instances where the
particular WMP vulnerability is given.

That sploit is invoked if you go there with Firefox. It seems to have
worked on your system since earlier you reported a file as "u.exe".
That's the name the downloader (file.php) gets saved as. If you allow
it to be run it will download and run sony.exe (the main malware) or
whatever the current file is named. You'd better check your system.

Does anyone know if the exploit vector being hosted on the various
sites in this thread are using something other than the
above-mentioned WMP vulnerability?

One for non-Microsoft browsers (using the WMP plug-in) and those that
Jen mentioned for IE, although I don't see an ani exploit. I see a few
others in the code that I'm not sure about, but one uses the function
createControlRange() which I recall hearing about.

 

[Virus Guy]

It's possible that although it can't infect files on 9x it may
still modify registry keys and perform its function as a spam
engine when run.

Since I'm running a real-time registry monitoring tool (The Cleaner) I
got no alerts that any of my several-dozen run-entries in my registry
or any of my .ini files, config.sys or autoexec.bat were attempted to
be changed.

One for non-Microsoft browsers (using the WMP plug-in) and those
that Jen mentioned for IE, although I don't see an ani exploit.

Just to be clear, we are still talking about CVE-2006-0005, for which
Secunia says did not pertain to win-98 (and if it did, I believe that
MS would have released a patch since it dates from before the July
11/2006 cutoff date for win-98 support).

 

[Ant]

Just to be clear, we are still talking about CVE-2006-0005,

The CVE is about the WMP vulnerability but you asked about others.

For reference, here is the CVE info:

"Buffer overflow in the plug-in for Microsoft Windows Media Player
(WMP) 9 and 10, when used in browsers other than Internet Explorer
and set as the default application to handle media files, allows
remote attackers to execute arbitrary code via HTML with an EMBED
element containing a long src attribute".

That exploit, and that exploit only, is tried if you visit the link
with Firefox (which I tested) and probably other non-MSIE browsers.
If you go there with IE (which I also tested) you get a different
script with a whole bunch of different exploits. Note, I didn't
actually browse the link but used a command-line tool sending
appropriate user-agent headers to make the site believe I was using
either IE or Firefox.

for which
Secunia says did not pertain to win-98 (and if it did, I believe that
MS would have released a patch since it dates from before the July
11/2006 cutoff date for win-98 support).

Whatever Secunia say, and as I said in my previus post, the exploit
appears to have worked on your system because the "arbitrary code"
got executed. The injected shell code attempts to download and run
"file.php" which it names "u.exe". Fortunately, you were prompted
about it and presumably didn't allow u.exe to be run.