The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user-based attacks.
Live.it Poisoned
03.26.2007 - 1:28 PM
Search Engine Poisoning is a topic that we have researched at some length. We discussed it briefly in an October blog post, Search Engine Typosquatting. That earlier research focused on malicious URLs returned for misspelled search terms; it was far less common to find malicious content returned for legitimate, correctly spelled terms.
In early March, a report from Sunbelt demonstrated Microsoft Windows Live Search™ Italy returning exploit sites for extremely common search terms. Doing some additional research of our own, we performed searches for the names of financial companies, well-known banks, and lenders. The results were alarming. Many of the URLs in the search results linked to malicious sites capable of silently compromising the visitor.
In one simple example, I searched for the name of an Italian bank without making any typographical errors. Terms like "Banca (name of bank) Roma" and "Banca (name of bank) Milano" produced a series of malicious results that, when visited, could result in a complete compromise of my machine.
The official website of the bank we were searching for (a well-known Italian bank) does not appear in any of the results. Many of the results are malicious, but we are going to pick a single example to focus on. Visiting the fifth result loaded the following page:
This looks like it might be an official Lycos page, but it is a fake. The page contains an IFRAME that, without the user's knowledge, loads another website hosting obfuscated exploit code. On an unpatched machine, this exploit code will silently download and install a malicious file. However, because my OS is patched, I am prompted for permission to let the ActiveX installation continue.
Many additional Italian keywords lead to pages that look like this:
Almost all of the pages we came across use nearly identical JavaScript obfuscation, possibly indicating that the same group is behind all of these results. This particular obfuscation uses arguments.callee, the decoder function's reference to itself, to derive the decryption key from the decoder's own source text. The result is what has been called "Code Length Dependent Obfuscation": any change to the decoder, such as inserting an alert() to dump the decoded payload, changes the key and breaks the decryption. The technique is discussed in these articles:
http://blogs.msdn.com/dross/archive/2006/09/28/776208.aspx
http://isc.sans.org/diary.html?storyid=2358
The problem appears to be most apparent with Live Search, but similar results are returned with both Google and Yahoo! (often further down the page).
The malicious code, delivered as various .cab files, is a Trojan downloader that connects to a hard-coded IP address to fetch another FSG2-packed file. The IP addresses involved are located in Ukraine or Moldova and have been known to host malcode in the past.
Here comes the Malcode
Each cab file contains an executable together with an ini file in Advanced INF format, whose [Setup Hooks] section tells the installer to run the extracted executable.
Contents of ini:
---------------------------------
[Setup Hooks]
hook1=hook1
[hook1]
run=%EXTRACT_DIR%\plh.exe
[Version]
Signature="$CHICAGO$"
AdvancedInf=2.0
---------------------------------
The executable and ini files have randomly generated names of varying length. The executables are all packed with FSG2 and are byte-for-byte identical except for the two bytes immediately following the "MZ" signature in the executable header. The files are very small, 3489 bytes. Nowadays a very small file size is usually the mark of a downloader stub, and that is indeed what these files are.
The file is written in Visual C++ and is compiled to take very little space.
The very first subroutine (shown below) is a little confusing, even if the code seems crystal clear:
We can see code looki...
The Perfect Keylogger
03.26.2007 - 10:24 AM
Websense Security Labs has recently encountered another example from a class of malware that has become rather familiar. Depending on the source, this malware can appear with various names (the naming problem never seems to end), but it is generally known as the Perfect Keylogger.
The Perfect Keylogger attempts to capture every keystroke occurring on the keyboard of the computer where it is installed. The information it gathers is then sent to the person attempting to spy on the system. Let’s see how the story unfolds.
Everything starts with a very kind email, offering us a unique opportunity for investment, where we can make a minimum of 15% profit per day for a period of 10 days. When we visit the web page, we find something like this:
Viral Video, Redneck Slingshots ?
03.15.2007 - 7:13 PM
This is a follow up post on our alert we added earlier today (see: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=751). We have since discovered a di...
Norwegian Bank Malware Analysis
03.12.2007 - 10:27 AM
Websense has been made aware of malware targeting a bank in Norway. The original file is called "Logo_1.exe" and its MD5 is: FDA9408A56D97019DCEE36302CCEB6D1
The Custom Protector
The file is packed with a custom packer/protector, which we had never encountered before. Here is a brief description of the packer and what it does to prevent analysis.
The protected application refuses to run inside a virtual machine (in the VM's default configuration). Once that check is bypassed, the loader stub raises 1372 (!) exceptions to thwart debuggers, tracers, emulators, and so forth.
Three different exception types occur:
1 occurrence of EXCEPTION_BREAKPOINT
2 occurrences of EXCEPTION_SINGLE_STEP
1369 occurrences of EXCEPTION_ACCESS_VIOLATION
After those anti-debugging tricks, the protector executes code from heap memory allocated with VirtualAlloc to decrypt and decompress the malware's sections in memory. It then resolves the malware's imports with a custom GetProcAddress implementation. Once the Import Address Table has been filled with the Windows function addresses, it encrypts the imported function name strings to prevent easy rebuilding of the import table.
A CRC check guards against patching of the protection code: the protector will never jump to the original entry point if the code has been patched or if a software breakpoint is found in the routine. Parts of the import handling code resemble the original yoda's Crypter source code, but overall the packer is very different. Eventually the packer jumps to the original entry point and the malware starts executing.
Note: There is an embedded dll in the executable, and it's also protected by the same packer. After creating an unpacker for the executable, we used it to handle that embedded dll file automatically.
The Malware
Both the executable and the embedded dll were written in Delphi, resulting in rather bloated binaries. There are no useful strings in the binaries to begin with, because the strings are stored encoded and are only decoded onto the heap on demand. (Dumping the unpacked malware from memory therefore does not yield a binary with all strings decrypted.)
A better approach is to decrypt the strings statically, for instance with an IDC script, which yields interesting results.
Antivirus killing
One of the first things the malware does is scan for security applications in memory. It uses a few different techniques, including looking up windows by window and class name and processes by image name:
zjtr0:00407258 mov eax, offset aRavmon_exe ; "RavMon.exe"
zjtr0:0040725D call Decrypt_Strings
zjtr0:00407262 mov eax, [ebp+var_4]
zjtr0:00407265 call @@LStrToPChar ; __linkproc__ LStrToPChar
zjtr0:0040726A push eax ; lpWindowName
zjtr0:0040726B lea edx, [ebp+var_8]
zjtr0:0040726E mov eax, offset aRavmonclass ; "RavMonClass"
zjtr0:00407273 call Decrypt_Strings
zjtr0:00407278 mov eax, [ebp+var_8]
zjtr0:0040727B call @@LStrToPChar ; __linkproc__ LStrToPChar
zjtr0:00407280 push eax ; lpClassName
zjtr0:00407281 call FindWindowA
zjtr0:00407286 push 0 ; lParam
zjtr0:00407288 push 0 ; wParam
zjtr0:0040728A push WM_CLOSE ; Close Window
zjtr0:0040728C push eax ; hWnd
zjtr0:0040728D call SendMessageA ; Kill Some monitor
zjtr0:00407292 lea edx, [ebp+var_C]
zjtr0:00407295 mov eax, offset aEghost_exe ; "EGHOST.EXE"
zjtr0:0040729A call Decrypt_Strings
zjtr0:0040729F mov eax, [ebp+var_C]
zjtr0:004072A2 call Scan_process_and_kill
zjtr0:004072A7 lea edx, [ebp+var_10]
zjtr0:004072AA ...
Previous Posts
March 2007
03.26.2007 - Live.it Poisoned
03.26.2007 - The Perfect Keylogger
03.15.2007 - Viral Video, Redneck Slingshots ?
03.12.2007 - Norwegian Bank Malware Analysis