Archived Blog

Worm With Network Sniffer

01.14.2009 - 2:00 AM

Websense® Security Labs™ ThreatSeeker™ Network noticed that a campaign against Classmates Online, Inc. had broken out. We observed that thousands of URLs were registered in a single day to spread the worm. The newly registered URLs were unusually long, had several subdomains, and always contained specific words such as "process" and "multipart", among others.

Screenshot of the URLs used to spread the worm:
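The three URL traits described above (unusual length, several subdomains, recurring lure words) can be turned into a simple triage heuristic for mail or proxy logs. The following Python is an added example, not code from the original post or from Websense; the length and subdomain thresholds and the sample URLs are assumptions, and the real campaign domains are not reproduced.

```python
# Added example: triage heuristic for the campaign URLs described above.
# Not Websense code. Thresholds and sample URLs are assumptions.
from urllib.parse import urlsplit

# Words the post reports as recurring in the registered URLs.
LURE_KEYWORDS = ("process", "multipart")

# Assumed thresholds; tune them against your own URL telemetry.
MIN_URL_LENGTH = 80
MIN_SUBDOMAIN_LABELS = 3  # labels in front of the registrable domain


def url_features(url: str) -> dict:
    """Extract the three traits the campaign URLs shared."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    labels = [l for l in (parts.hostname or "").split(".") if l]
    # Crude approximation: the last two labels form the registrable domain.
    subdomain_labels = max(len(labels) - 2, 0)
    lowered = url.lower()
    return {
        "length": len(url),
        "subdomain_labels": subdomain_labels,
        "keywords": [k for k in LURE_KEYWORDS if k in lowered],
    }


def is_suspicious(url: str) -> bool:
    """Flag a URL only when all three campaign traits are present together."""
    f = url_features(url)
    return (
        f["length"] >= MIN_URL_LENGTH
        and f["subdomain_labels"] >= MIN_SUBDOMAIN_LABELS
        and bool(f["keywords"])
    )


def triage(urls):
    """Return the URLs worth blocking or sending for analysis."""
    return [u for u in urls if is_suspicious(u)]


# Constructed sample URLs; the real campaign domains are not reproduced here.
SAMPLE_URLS = [
    "http://video.process.multipart.invite.example.test/classmates/day2009/reunion/view?id=0001&ref=mail",
    "http://www.example.test/login",
    "http://a.b.c.example.test/process",  # keyword and subdomains, but short
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(("FLAG " if is_suspicious(u) else "ok   ") + u)
```

Requiring all three traits together keeps short legitimate URLs that merely contain one of the words from being flagged.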

The new campaign was spread by email. The malicious email contained a link to a video invitation to reunite high school classmates and celebrate Classmates Day 2009. When the email recipient viewed the invitation, they downloaded a worm named Adobe_Player10.exe. This could fool a user into thinking they needed the latest version of the Adobe Player, prompting them to run the executable.

Screenshot of the email to lure users:

Simple analysis showed that the main purpose of this worm was to steal user information and send it to a server located in Ukraine; the server's address was hardcoded in the worm. The worm did a lot of work, including dropping a driver file to hide itself, injecting itself into every process, and downloading additional files. It collected several kinds of information, including POP3, IMAP, ICQ and FTP account details and certificates from the user's MY certificate store, which is used to store trusted sites and personal certificates.

Screenshot of the string used to steal information:

We also found a network sniffer used to monitor the network traffic. The worm searched the network flow for special keywords such as "RCPT TO:" and "MAIL FROM:", two commands used by the SMTP protocol. When the malware found one of these keywords in the network traffic, it would parse out useful information such as the email address, username, and password, then send the details to the hardcoded server, in this case hxxp://91.[removed].57/cgi-bin/forms.cgi

Searching for keywords in the network flow:

The worm injected itself into every process. The injected code enumerated the modules of the process and then hooked several APIs in those modules, including:

CreateProcessA
CreateProcessW
InternetReadFile
HttpSendRequestA
HttpSendRequestW
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
InternetQueryDataAvailable

The purpose of hooking CreateProcessA and CreateProcessW was to inject into each newly created process. The other hooks served to monitor network traffic and steal usernames and passwords for FTP and HTTP sessions. We found a bug in the hooking code: the author passed a module handle to the SuspendThread API, although the parameter of SuspendThread should be a thread handle.

Hooking InternetReadFile in order to steal information:

Websense will continue to keep an eye on this threat.

Security Researcher: Ulysses Wang
