When Greyhats turn to Blackhats

Date:01.11.2006

Threat Type: Malicious Websites / Malicious Code

Throughout December, Websense Security Labs™ reported a number of cases where browser and Operating System vulnerabilities were being used to install Potentially Unwanted Software onto end-users machines without user-intervention. In several cases, dozens of pieces of code were installed, and often report false information in order to entice the end-user to clean their machine from spyware.

We are now seeing some of those same entities using their exploit code to install more reprehensible crimeware, such as key loggers and phishing traffic redirectors. This code is designed to steal information in addition to the installation of potentially unwanted software.

Users are typically infected through an IFRAME, loaded silently from a compromised website or an advertisement network pop-up. The exploit code loaded through these IFRAME tags attempts to use several dozen vulnerabilities, including the two recent zero-day vulnerabilities: MS05-054 and MS06-001. Users who are patched against these vulnerabilities are displayed an ActiveX prompt to install the exploit code.

The IFRAME SRC loads a URL similar to these:

   NOTE: The URLs have been removed.

• http:// too1barXXX.biz/dl/xpladv470.wmf
• http:// too1barXXX.biz/dl/fillmemadv470.htm
• http:// too1barXXX.biz/dl/sploitadv470.anr
• http:// too1barXXX.biz/dl/xpladv470.wmf

These exploits function as downloaders, and performing HTTP GET requests to other websites to install their payload. Initially, the primary goal of these downloaders was to install unwanted software, such as counterfeit anti-spyware removal tools, toolbars, adware and other potentially unwanted software.

Recently, we have seen the downloaded files performing additional functions, including:

• Banking keyloggers
• Trojan horses with root-kit functionality
• Traffic redirectors that direct you to fraudulent Paypal websites
• Trojan horse backdoors
• Internet Explorer process injection

Key capturing example
-----------------------

The keylogger is usually retrieved from a URL such as:

http:// too1barXXX.biz/progs/kl.txt

kl.txt is a not a text file; it is a Windows binary Trojan horse that is packed with NSPack.

file output:

file kl.txt
kl.txt: MS-DOS executable (EXE), OS/2 or MS Windows

The dropper includes a number of files. The dropped keylogger files are typically named ibmXXX.exe and ibmXXX.dll. This keylogger monitors for every POST request made by the client computer (such as a logon to a banking website) and sends the captured information to a URL running a script named 'x25.php'. This program also injects itself into the Explorer process and silently redirects attempts to login to specific financial sites.

Screen shot 1: Password captured --> Content of HTTP POST stolen

The malicious code also has additional functionality. If you visit one of a set of predefined websites and attempt to log in, you are redirected to a fraudulent site, which asks for additional credential information. In Screenshot 2, we connected to paypal.com. After entering any user name and password, we were redirected to a fraudulent page and personal information was requested. The toolbar still shows the original site, however the site that is hosting this code is on another server not owned by Paypal.

Screen shot 2: Paypal example --> IE Process injection traffic redirection

Reference websites:

Websense Security Labs
Dec 14th Blog:
http://www.websensesecuritylabs.com/blog
Thousands of sites using the recent IE "zero-day". There is now a patch available.

Dec 19th:  
Spyware Lures to Install Potentially Unwanted Software
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=379

Dec 27th Blog:
http://www.websensesecuritylabs.com/blog
Potential new unpatched IE exploit ?

Dec 28th Blog:
http://www.websensesecuritylabs.com/blog
Windows zero-day exploit update.
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

Dec 29th Alert:
Zero-day profiteering
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=387