Worthy (and easy) Read re: dissection, functionality of malware w/exploits [Archive] - Glock Talk



11-05-2004, 02:54
No, I mean 'my' in the general sense.

Below are excerpts (hopefully sufficiently enticing) from an informative, *and* entertainingly-written, step-by-step accounting by one of the SANS gurus who tracked, 'reverse engineered' (including decrypting) etc. some malware after it ended up on some poor schmoe's brand-new computer (which was behind a NAT firewall, btw) after an ill-fated visit to just *one* malware-gifting website. The write-up takes the reader from infection inception through all the 'hows, whos, wheres, and whys'.

IMHO, the documentation is well worth the read. Especially for anyone with either curiosity or occasion to wonder HOW something ended up on their machine, HOW & WHY hitherto-unknown malware independently increases & seeks out and installs yet MORE malware, HOW the malware phones a variety of 'homes', WHAT can be behind things like homepage hijacks, browser hijacks, and so on.

The scheme and functionality of the malware and its actions are all explained in perfectly plain English rather than eye-glazing geekspeak. I just came across it today, but the earlier "Parts" are linked to the text excerpted below and thus available for anyone that wants to start at the saga's beginning. I munged, from the original text, website & domain names and IP numbers, liberally and intentionally. If nothing else, an IE user might want to review the original write-up and harvest the malware domains into the "Restricted" zone (assuming the settings in that zone are correctly neutered.)

Handler's Diary November 4th 2004
Updated November 4th 2004 23:46 UTC

Follow The Bouncing Malware, Part III

With that out of the way, why don’t we "warm up" by quickly retracing the path we’ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ‘cause once this caravan rolls, we ain’t stoppin’. Go on, I’ll wait...

Ready? Good. Let’s go!

In the beginning, there was Joe Average. And Joe didst buy himself a computer and connecteth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.

But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.

Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.

How Evil? Very, VERY Evil:

From Follow The Bouncing Malware, Part I (http://isc.sans.org/diary.php?date=2004-07-23)

1) Joe's homepage had been changed. It is now set to: ...
2) Joe’s default search page has been set to: ...
3) Search assist has been turned off.

4) "TV Media Display" has been installed on Joe's machine.

5) addictivetechnologiesDOTnet had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.

And, from Follow The Bouncing Malware, Part II

6) Joe’s computer, at the behest of the Addictive Technologies malware, downloaded "instructions" from F1OrganizerDOTcom

7) Following those instructions, new “Favorites” were added to Joe’s browser, and two new “gifts” {BHOs/browser hijackers} (SplWbr.dll and ezbdlLs.dll) were installed on his computer.

8) The installation of SplWbr.dll dumped an "Ad Destroyer and Virtual Bouncer" from SpyWare Labs, Inc. and "TopRebatesDOTcom AutoTrack software" onto Joe’s computer.

9) The installation of ezbdlLs.dll dropped a "Utility for downloading files and upgrading software" from "ABetterInternet", a utility to "Make Your Internet Browsing Simple, Exciting, and Personal" from the fine folks at "ezULA", and an affiliate ID hijacker called SAHAgent onto Joe’s PC.

10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.

That’s where we stopped last time, with my promise that the file “hp1.exe” was “a real piece of work.”

So... let’s take a look at hp1.exe. ...

Well, what the heck does all of that mean? Hmmm... it’s obviously a "generated on the fly" data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe’s machine was behind. It also appears to have been "encrypted" in some manner.

Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data: ...

Filling the decrypted data back into the file alongside any original data that is obviously "keywords" results in the following unencrypted file: ...

After downloading this "control data" file, Joe’s computer then contacts {malware website URL}... This ties in with what appear to be "country codes" found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. ...

Immediately upon receiving the "US" country code from mastermindDOTcom, Joe’s computer contacts {malware website URL}...

Next, {the secretly downloaded malware file named} hp1.exe contacts "http://{URL deleted by ME} ... loads/8-24.exe" and downloads a 40,960 byte executable. ... Based upon the "marching orders" within the unencrypted datafile, Joe’s computer now contacts "http://wwwDOT{ANOTHER MALWARE URL}/ast_4_mm.exe" and downloads a 129,152 byte executable. It then contacts "http://{MALWARE URL}/MediaMotor25.exe" and downloads a 9,056 byte executable.

Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "http://{MALWARE IP NUMBER}/downloads/IeBHOs.dll" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from "e2give." Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being "surfed" and to change Joe's browser's requests when going to specific sites in order to "direct" affiliate commissions to e2give. According to the e2giveDOTcom website, "e2give will donate a portion of each qualifying purchase to the e2give charities network." This, of course, makes it perfectly fine for them to install their software onto Joe’s machine without his permission. (Yes, that was sarcasm.)

The ast_4_mm.exe file from {DOMAINNAME}dotcom is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live {on Joe's infected machine}: ... The Wise installation has its own downloading engine which contacts the interestingly named "www.{MALWARE DOMAIN NAME}DOT com" and accesses the URL "http:// www.{MALWARE DOMAIN NAME IMMEDIATELY ABOVE}DOT com/config/?v=5&n=mm2&i=” ...

Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what’ll happen...?

Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe’s machine goes out and grabs a file from "http://{YET ANOTHER MALWARE DOMAIN NAME}DOT com/soft/unstall.exe." This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.

But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in "PRIORITY" order, it downloads:

"http: // tt2DOTavresDOTnet/tt/cpr_mm2.exe" (270,415 bytes)
"http: // tt2DOTavresDOTnet/tt/ab1.exe" (500,869 bytes)
"http: // tt2DOTavresDOTnet/tt/tvm_bundle.exe" (53,738 bytes)
"http:// tt2DOTavresDOTnet/tt/cpr_mm2.exe" (270,415 bytes - ????????)

Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. ...

While all of that is happening, hp1.exe (Remember that file? It’s the one we started this installment with...) phones home to tell the folks at {MALWARE DOMAIN NAME}.com that all is well in malware-land, that it has done everything it was supposed to do ...

Not to be outdone, our Wise installer needs to phone home and let everyone know what a good job it did too:

"http: // www DOT avatarresources DOT com/count/count.php?&mm2cpr_new"

So where does this leave us?

Well, Joe’s computer now has had so many fun and exciting “additions” installed I’m beginning to lose track. Let’s see: Joe’s computer now has two "affiliate buck" redirectors (SAHAgent and e2give), it’s had stuff from avatarresourcesDOT com installed, as well as all of those files from tt2DOT avres DOT net. And there’s more... trust me, there’s more.

Remember: this is all the result of visiting a SINGLE website with an unpatched machine.

If you ever need to explain to someone the pitfalls involved in not patching, all you need to do is point them to this listing:

The score card thus far (and I’m only counting executable content):

hp2.exe (16,384 bytes)
tvmupdater4bp5.exe (195,072 bytes)
AtPartners.dll (96,256 bytes)
SplWbr.dll (454,656 bytes – expands out to 3 files making up 892,288 bytes)
ezbdlLs.dll (151,040 bytes – expands out to 4 files making up 314,880 bytes)
hp1.exe (49,152 bytes)
mm20.ocx (61,440 bytes)
8-24.exe (40,960 bytes)
MediaMotor25.exe (9,056 bytes)
ast_4_mm.exe (129,152 bytes)
IeBHOs.dll (129,536 bytes)
cpr_mm2.exe (270,415 bytes)
ab1.exe (500,869 bytes)
tvm_bundle.exe (53,738 bytes)
and of course cpr_mm2.exe (270,415 bytes) again...

The shameful total (thus far... there’s more to come):
15 files – 2,428,141 bytes downloaded
20 files – 3,029,613 bytes on disk

And, no doubt, I missed a few...

I started Part II of “Bouncing Malware” by saying that Joe’s PC was no longer his own. With over 2 MB of software downloaded, installed, and executed without his permission, I would say that there is little doubt that Joe ISN’T the guy running the show. But who is?

In the next installment, I want to finish up looking at some of the software installed on Joe’s PC and then turn my sights to finding out a little more about the folks responsible for the deluge of spyware and adware that assault our machines and networks on a daily basis. Stay tuned... it’s gonna be fun.

Handler on Duty: Tom Liston (http://www.labreatechnologies.com )

PS. IMO, the documented malware experience of 'Joe' ought to nudge in the ribs any computer user that (a) disregards the need to appropriately patch, (b) disregards the need to have the security settings in IE appropriately adjusted to DISallow things like "install on demand" and so on, and/or (c) takes at face value the actual intent behind some piece of software that claims to or implies that it is actually an "anti" spyware application - just 'cause it 'says so' or is misleadingly named.
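The poster's closing suggestion, harvesting the malware domains into IE's "Restricted" zone, is the one concrete how-to on this page. The following is an added example (mine, not part of the forum post or of Tom Liston's SANS diary) that takes domain names in the "DOT"-munged form used above, de-munges them, and emits a .reg file that places each in Internet Explorer's Restricted Sites zone. Assumptions, which are mine and not stated on the page: the standard ZoneMap layout under HKCU (Domains\<registrable-domain>\<subdomain> with a DWORD "*" = 4, where 4 is the Restricted Sites zone), a two-label heuristic for the registrable domain, and a sample list constructed from names quoted in the post. Placeholders such as "{MALWARE DOMAIN NAME}DOT com" are rejected rather than turned into fake hosts.

```python
"""
Added example: de-munge "exampleDOTcom"-style names and generate a .reg file
that drops them into Internet Explorer's Restricted Sites zone (zone 4).

Assumptions (mine, not the post's):
  * ZoneMap layout: HKCU\...\Internet Settings\ZoneMap\Domains\<domain>[\<sub>]
    with a DWORD value named "*" (all schemes) set to 4 = Restricted sites.
  * Registrable domain = last two labels (wrong for co.uk-style suffixes).
  * MUNGED_SAMPLE is constructed from names quoted in the post.
"""
import re
from typing import Iterable, List, Optional

ZONE_RESTRICTED = 4
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")

# Constructed sample, in the munged spelling the post uses.
MUNGED_SAMPLE = [
    "addictivetechnologiesDOTnet",
    "F1OrganizerDOTcom",
    "TopRebatesDOTcom",
    "tt2DOTavresDOTnet",
    "www DOT avatarresources DOT com",
    "e2giveDOTcom",
    "tt2DOT avres DOT net",            # same host, different spacing
    "{MALWARE DOMAIN NAME}DOT com",     # placeholder: must be rejected
]

# The post writes the dot as an upper-case "DOT", optionally surrounded by spaces.
_DOT = re.compile(r"\s*DOT\s*")
_HOST = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def demunge(name: str) -> Optional[str]:
    """'www DOT Example DOT com' -> 'example.com'; None if not a plausible host."""
    host = _DOT.sub(".", name.strip()).lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host if _HOST.match(host) else None


def collect_hosts(names: Iterable[str]) -> List[str]:
    """Unique, sorted, de-munged hosts; placeholders and junk are dropped."""
    return sorted({h for h in (demunge(n) for n in names) if h})


def zonemap_key(host: str) -> str:
    """Registry key for a host, mirroring how IE itself stores zone entries:
    'tt2.avres.net' -> ...\\Domains\\avres.net\\tt2 (two-label heuristic)."""
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    key = f"{ZONEMAP_DOMAINS}\\{registrable}"
    return f"{key}\\{sub}" if sub else key


def restricted_zone_reg(names: Iterable[str]) -> str:
    """Text of a .reg file assigning every host to the Restricted Sites zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in collect_hosts(names):
        lines.append(f"[{zonemap_key(host)}]")
        lines.append(f'"*"=dword:{ZONE_RESTRICTED:08x}')
        lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    print(restricted_zone_reg(MUNGED_SAMPLE))
```

Save the output as a .reg file and import it with regedit or `reg import`. The entries only help if the Restricted Sites zone is actually locked down (no ActiveX, no scripting, no "install on demand"), which is exactly the caveat the poster attaches; and the two-label heuristic for the registrable domain should be replaced by a public-suffix lookup before using this on anything beyond a hand-checked list.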