Dolphin Stadium Malware Analysis

02.10.2007 - 10:32 AM
Last Friday, we discovered malicious code on the official website of Dolphin Stadium. An attacker had successfully compromised the site, placing a link to a malicious JavaScript file in the front-page header of the site. Visitors to the site execute the script, which attempts to exploit two vulnerabilities: MS06-014 and MS07-004. If either of these exploit attempts is successful, the computer becomes infected with a malicious file. This post is going to focus on those downloaded malicious files.

Last Friday's Alert: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733

The first downloaded file, "w1c.exe", is a dropper written in Visual Basic and packed with NSPack. The author compiled the binary to P-Code, which means that it uses the Visual Basic Virtual Machine to execute. Malware authors often use this kind of compilation to slow down analysis, since it prevents direct viewing of the assembly code. We get around this by using one of the few Visual Basic P-Code decompilers out there, making it rather easy to see what the file is doing.

The "w1c.exe" dropper will drop two binaries and execute them. Both of these new binaries were once again written in Visual Basic; however, this time they are both compiled as native Visual Basic applications (go figure). The author used UPX and NSPack to pack these files.

The first dropped file names itself "msmgs.exe" and sets the registry value "UserInit=", allowing it to survive a reboot. The malicious file sends information back to the author by using a script hosted on the malicious website. It has many additional features, such as self-deletion using an external .bat batch script (created at runtime), computer information gathering (MAC address, OS version, etc.), and log creation. Interestingly, it also looks every 500ms for dialogs from Kaspersky Anti-Virus, such as AVP.ADetectionDialog, AVP.AlertDialog, and AVP.Product_Notification. If it detects one of these dialogs, it attempts to immediately close the window by using the mouse_event and SendMessageA (BM_CLICK) functions.

The second dropped file creates a copy of itself as "winwork.exe" and then mimics the first file by also setting "UserInit=" in the registry. This malicious file looks for a running instance of the "World of Warcraft" video game and attempts to patch various memory locations. We did not fully investigate the goal of these modifications (we do not own the game), but it is safe to assume that the intent is to capture the login and password used to access the game. (The author stands to make a lot of money from the theft of these accounts; see one of our previous posts: http://www.websense.com/securitylabs/blog/blog.php?BlogID=89 ). It is also interesting to note that this malcode uses anti-virtual-machine techniques, specifically the VMware "IN" instruction and the Virtual PC "invalid opcode" detection tricks.
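Both dropped files persist through the Winlogon "Userinit" value, which is a comma-separated list of programs started at every interactive logon. The following is an added example, not code from the original post or from Websense: it audits an exported copy of that value and flags any entry other than the stock userinit.exe. It assumes the value lives at the usual location, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, and the .reg text below is constructed sample input.

```python
import re
from typing import List

# Constructed .reg export of the Winlogon key (assumed location of the
# "Userinit" value the post refers to). Note that .reg files double backslashes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\msmgs.exe,"
'''


def userinit_from_reg_export(reg_text: str) -> str:
    """Extract the Userinit string from a .reg export, or "" if absent."""
    match = re.search(r'^"Userinit"="(.*)"\s*$', reg_text,
                      flags=re.IGNORECASE | re.MULTILINE)
    if not match:
        return ""
    # .reg exports escape backslashes as \\ and quotes as \" ; undo that.
    return re.sub(r'\\(["\\])', r'\1', match.group(1))


def split_userinit(value: str) -> List[str]:
    """Userinit is comma-separated; drop blanks, surrounding quotes and whitespace."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e]


def normalize(path: str, system_root: str) -> str:
    """Expand %SystemRoot% and lower-case so spelling variants compare equal."""
    expanded = re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.IGNORECASE)
    return expanded.lower()


def suspicious_userinit_entries(value: str, system_root: str = r"C:\Windows") -> List[str]:
    """Return every entry that is not the stock userinit.exe. Anything else here
    (e.g. the msmgs.exe / winwork.exe files above) is launched at each logon."""
    legit = (system_root + r"\system32\userinit.exe").lower()
    return [e for e in split_userinit(value) if normalize(e, system_root) != legit]


if __name__ == "__main__":
    for entry in suspicious_userinit_entries(userinit_from_reg_export(SAMPLE_REG)):
        print("unexpected Userinit entry:", entry)
```

On a live system the same check can be fed with the value read from the key directly; any extra entry is worth treating as a persistence indicator until it is explained.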
