Australia's Leading Computer Emergency Response Team

Following the rabbit hole
Date: 07 February 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8763

G'day AusCERT Members,

An interesting incident from yesterday that I thought I'd share, which highlights the damage a user can do by clicking on one link in an email.

We received an email of the usual kind - subject line of "Crazy Britney does it again!", click on the link to see the video...

So I dutifully followed the link, to what appeared to be a Taiwanese version of tinyurl redirecting back to an Australian site... hello.

The "Video" in this case was actually an executable called "play.exe" which, if run, would go and download a series of other malicious samples.

Being a curious soul, I checked out the front page of this site and found a series of exploits hidden within some obfuscated javascript, actually a lot of obfuscated javascript. Some single level stuff and a few more multilevel ones.

The rest of the content on this page was links to online "pharmacy" websites. So this was kind of interesting because of some of the tags on the site:

[spam style=display:none][a href='h**p://xxxxxxxxx-xxx.com/' title='mp3 download']mp3 download[/a]

Ok, so it looks like maybe this site is used as a spam template. Or is the spam tag in the HTML spec now?
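The hidden `[spam style=display:none]` block above is the tell-tale of a compromised site being used to host link spam: the links are there for search engines and spam templates, not for visitors. The following is an added example (not AusCERT's code) of how a defender can triage a page for links that are hidden from view. It uses only the Python standard library; the sample page is constructed to mirror the pattern seen on the site, and the hrefs in it are placeholders rather than the domains from the incident.

```python
"""Flag hyperlinks that a page hides from human visitors (display:none and friends).

Added example, not AusCERT's code. Reproduces the pattern from the compromised site:
a non-standard <spam> element styled display:none holding links to unrelated
"mp3 download" / "pharmacy" pages, a sign the site is being used as a spam template.
"""
import re
from html.parser import HTMLParser

# CSS declarations that hide an element and everything inside it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collect <a href> elements that sit inside a hidden element.

    Works on tag soup: unknown elements such as <spam> are handled like any other
    tag. The stack assumes tags are reasonably nested; badly mismatched closing
    tags can make it lose track, which is acceptable for a triage tool.
    """

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one bool per open element: hidden itself or by an ancestor
        self._link = None         # (href, title, text parts) while inside a hidden <a>
        self.findings = []

    def _ancestor_hidden(self):
        return bool(self._hidden_stack) and self._hidden_stack[-1]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        hidden = (self._ancestor_hidden()
                  or "hidden" in attrs                    # HTML5 boolean attribute
                  or bool(HIDDEN_STYLE.search(style)))
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)
        if tag == "a" and hidden and self._link is None:
            self._link = (attrs.get("href", ""), attrs.get("title", ""), [])

    def handle_data(self, data):
        if self._link is not None:
            self._link[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            href, title, parts = self._link
            self.findings.append({"href": href, "title": title,
                                  "text": "".join(parts).strip()})
            self._link = None
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def find_hidden_links(html):
    """Return a list of {href, title, text} dicts, one per link hidden from view."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the hrefs are placeholders, not the domains from the incident.
SAMPLE_PAGE = """
<html><body>
<p>Welcome to our <a href="/about">company site</a>.</p>
<spam style="display:none"><a href="http://xxxxxxxxx-xxx.example/" title="mp3 download">mp3 download</a>
<a href="http://pharmacy.example/" title="cheap pills">cheap pills</a></spam>
<div style="position:absolute; Display : None">
  <ul><li><a href="http://casino.example/">online casino</a></li></ul>
</div>
<span hidden><a href="http://loans.example/">payday loans</a></span>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_links(SAMPLE_PAGE):
        print(f"hidden link -> {hit['href']!r} text={hit['text']!r} title={hit['title']!r}")
```

Run against a saved copy of a suspect page, the output lists every link a visitor would never see; a block of unrelated commercial anchors is a strong indicator that the site has been compromised, even when the visible content looks untouched.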

So wondering what would happen (like I didn't already have some idea) if I visited this site using IE, I pointed a VM at it.

With my tools running and ready to observe the changes, I waited for about 5 seconds with bated breath as IE froze, and then a file called update.exe appeared on my desktop before disappearing again.

Moments later I was being warned by an "Anti-Spyware" tool I never knew I had that I was infected with malware.

Surely not.

So I said yes to the offer of removing the threats and was informed that I would have to pay for the removal feature... Hmm, harkens back to the days when you'd pay to have your shop "protected".

This "product" calls itself Brave Sentry; you can find more information about it here. Apparently this is BS version 2.0.

Naturally you cannot uninstall this product (easily) - and either this or one of the other samples conveniently disables Task Manager.

Back to the informative stuff. From this single "click" on an email, I ended up with a little over 50 artifacts on the system (that I could find at short notice). Some were easy to grab, others required making changes to the SSDT entries to remove rootkit hooks and unhide files.

On the upside, they weren't all unique. On the downside together they performed almost every malicious function conceivable.

For a short rundown of functionality, we had:

Several variants of credential-stealing trojans, some spam generation tools, DDoS-capable agents, a rogue antispyware application, 11 copies of Tibs, several kernel-mode and user-mode rootkits... and I'm sure I've left something out there.

Here's how one AV vendor detected the samples (some new some old):

Trojan-PSW.Win32.Delf.aox
Trojan-Downloader.Win32.Tibs.ut
Trojan-Downloader.Win32.Agent.iug
Trojan-Downloader.Win32.Agent.iue
Trojan-Spy.Win32.Bancos.arg
Backdoor.Win32.Agent.ejv
Email-Worm.Win32.Zhelatin.sd
Trojan-Downloader.Win32.Small.fyn
Packed.Win32.Tibs.ib
Trojan-Downloader.Win32.Obfuscated.n
Trojan-Spy.Win32.BZub.bxp
Email-Worm.Win32.Zhelatin.uq
Trojan-Spy.Win32.Banker.hyz
Trojan-Proxy.Win32.Saturn.ag
Trojan-Downloader.Win32.VB.cga
Trojan-Downloader.Win32.Small.cxx
Trojan.Win32.Agent.fbl
Trojan-Spy.Win32.Banker.hyy
Trojan-Downloader.Win32.Agent.haq

Ok, now back to the website...

One of my initial thoughts was that the Australian site was set up for the sole purpose of malicious code distribution. Fortunately that turns out not to be the case.

This is yet another site that has been the victim of a compromise and used as a seeding/distribution point for additional malware. This site is currently not available.

These sites, however, may still be available; they were all contacted by my VM after it got hosed. You'd do well to consider blocking these at your gateway or otherwise preventing access in a way that works for you, and checking for traces of them in your logs.

datasearch,in
ramoneymayker,cn
google-analyse,com
www,pharmacy-store-online,com
juno,sweb,ru
a,mx,one-easy-click-only,com
203,117,111,102
58,65,239,28
3duraka,info
takitanakata,cn
194,1,152,159
203,117,111,109
77,91,229,42
pay-per-traff,in
megaprojekt,leaderhost,ru
58,65,236,10
88,255,90,178
91,195,124,20
perosanala,cn
weberror,cn

Please don't visit the above sites with a browser - very bad things are likely to happen.
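The list above is deliberately defanged (commas in place of dots) so nobody clicks it by accident, which also means it cannot be dropped straight into a blocklist or a log search. The following is an added example (not AusCERT's code) that refangs the published indicators, separates IPs from domain names, and hunts for them in a proxy log. It assumes Squid's native access.log format (client in field 3, URL in field 7, `DIRECT/<ip>` peer in field 9); the log lines are constructed samples, not from the incident, and the indicator list is copied verbatim from the post.

```python
"""Refang the indicators from the AusCERT post and hunt for them in proxy logs.

Added example, not AusCERT's code. The indicator list is copied verbatim from the
post (dots swapped for commas by the author); the log lines are constructed samples
in Squid's native access.log format.
"""
import ipaddress
import re

# Indicators exactly as published in the post (commas in place of dots).
DEFANGED_INDICATORS = """
datasearch,in
ramoneymayker,cn
google-analyse,com
www,pharmacy-store-online,com
juno,sweb,ru
a,mx,one-easy-click-only,com
203,117,111,102
58,65,239,28
3duraka,info
takitanakata,cn
194,1,152,159
203,117,111,109
77,91,229,42
pay-per-traff,in
megaprojekt,leaderhost,ru
58,65,236,10
88,255,90,178
91,195,124,20
perosanala,cn
weberror,cn
"""


def refang(indicator):
    """Turn the post's 'a,b,c' form back into 'a.b.c', lower-cased and trimmed."""
    return indicator.strip().replace(",", ".").lower()


def load_indicators(text):
    """Split a defanged list into a set of IP addresses and a set of domain names."""
    ips, domains = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        value = refang(line)
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains


def match_host(host, ips, domains):
    """Return the indicator covering `host`, or None.

    IPs must match exactly; a domain indicator covers itself and any subdomain,
    so the check walks up the label hierarchy (but never to the bare TLD).
    """
    host = host.lower().rstrip(".")
    if not host:
        return None
    if host in ips:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def url_host(url):
    """Host from 'http://host/path', or from the 'host:443' form Squid logs for CONNECT."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#\s]+)", url, re.I)
    return m.group(1) if m else ""


def scan_squid_log(lines, ips, domains):
    """Return (line_no, client_ip, indicator) for each access.log line touching an indicator.

    Both the requested host and the upstream peer in 'DIRECT/<ip>' are checked, so a
    request to an innocent-looking name that resolves to a listed IP is still caught.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 9:
            continue  # not a native-format Squid line
        client, url, peer = fields[2], fields[6], fields[8]
        peer_ip = peer.split("/", 1)[1] if "/" in peer else ""
        for candidate in (url_host(url), peer_ip):
            hit = match_host(candidate, ips, domains)
            if hit:
                hits.append((line_no, client, hit))
                break
    return hits


# Constructed sample log lines (Squid native format); not from the incident.
SAMPLE_LOG = [
    "1202349000.123    312 10.1.2.3 TCP_MISS/200 4210 GET http://www.pharmacy-store-online.com/index.html - DIRECT/203.117.111.102 text/html",
    "1202349005.456     89 10.1.2.3 TCP_MISS/200 38912 GET http://datasearch.in/update.exe - DIRECT/58.65.239.28 application/octet-stream",
    "1202349010.789     54 10.1.2.4 TCP_HIT/200 1200 GET http://www.example.org/ - NONE/- text/html",
    "1202349012.000    120 10.1.2.5 TCP_MISS/200 700 CONNECT 77.91.229.42:443 - DIRECT/77.91.229.42 -",
    "1202349015.321    201 10.1.2.6 TCP_MISS/200 9000 GET http://cdn.example.net/stats.js - DIRECT/58.65.236.10 text/javascript",
]

if __name__ == "__main__":
    ips, domains = load_indicators(DEFANGED_INDICATORS)
    for line_no, client, indicator in scan_squid_log(SAMPLE_LOG, ips, domains):
        print(f"line {line_no}: {client} contacted {indicator}")
```

Checking the peer address as well as the URL host matters for this kind of incident: several of the indicators are bare IPs, and a downloader that fetches by IP or through a CNAME would otherwise slip past a name-only search. The `ips` and `domains` sets can be written out directly as gateway blocklist entries once reviewed.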

I've got some additional screenshots and content to add to this a little later but here's what the BS scanner looked like:

Have a great weekend.

MacLeonard