An inside look at a targeted attack
With targeted attacks becoming regular news items, it might be a good time to take a closer look at a sample of a somewhat older one. Recently I received a potentially malicious e-mail that was originally distributed in early 2006. After one year, the dropper, a Word document exploiting MS05-035, was recognized as malicious by only 9 of VirusTotal's 36 AV engines.
This attack was clearly targeted: its distribution was limited to members of a specific organization, and the purported (spoofed) source and the content of the e-mail message were tailored to them. Taken together, these created a context in which the recipient read the message as legitimate.
A hex dump of the file indicated an embedded executable at the end:
00010200 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 |MZ..............|
00010240 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 |........!..L.!Th|
00010250 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f |is program canno|
00010260 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 |t be run in DOS |
00010270 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 |mode....$.......|
By removing everything in front of the magic 'MZ' signature with a hex editor, the executable was easily extracted. 15 of the AV engines detected the binary as a Troj/Riler.J variant. This is interesting, as Riler.J was listed in the 2005 warning issued by the then-NISCC.
The file was packed with UPX. It turned out to be an installer that created the following files:
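Carving by hand works for one sample; for a mailbox full of suspect documents it helps to validate each 'MZ' candidate against its PE header and compute where the image actually ends. The Python below is an added example, not code from the diary: the document and the embedded PE are constructed stand-ins, and the end-of-image computation (a step beyond cutting at the MZ signature) assumes a well-formed section table.

```python
import struct

def find_embedded_pe(data: bytes) -> list:
    """Return (start, end) offsets of every validated PE image inside data.

    A bare 'MZ' is not enough: e_lfanew (offset 0x3C) must point at a
    'PE\\0\\0' signature. The end offset is the highest section raw-data
    end, so the carve stops where the binary does instead of at EOF.
    """
    hits = []
    mz = data.find(b"MZ")
    while mz != -1:
        try:
            pe = mz + struct.unpack_from("<I", data, mz + 0x3C)[0]
            if 0x40 <= pe - mz <= 0x400 and data[pe:pe + 4] == b"PE\0\0":
                nsect = struct.unpack_from("<H", data, pe + 6)[0]
                opt_size = struct.unpack_from("<H", data, pe + 20)[0]
                end = struct.unpack_from("<I", data, pe + 24 + 60)[0]  # SizeOfHeaders
                table = pe + 24 + opt_size                              # IMAGE_SECTION_HEADER[]
                for i in range(nsect):
                    raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
                    end = max(end, raw_ptr + raw_size)
                hits.append((mz, min(mz + end, len(data))))
        except struct.error:        # header runs past EOF: not a carvable image
            pass
        mz = data.find(b"MZ", mz + 1)
    return hits

def build_test_pe() -> bytes:
    """Constructed minimal PE32 stand-in (not the real dropped binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 60, 0x200)                        # SizeOfHeaders
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<II", sect, 16, 0x200, 0x200)               # SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + coff + bytes(opt) + bytes(sect)).ljust(0x200, b"\0")
    return headers + b"\xcc" * 0x200                              # one 0x200-byte section

# Constructed document: OLE magic, filler, a decoy "MZ" in text, the PE, trailing bytes.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\0" * 0x200 + b"Meeting notes: MZ agenda"
              + b"\0" * 0x100 + build_test_pe() + b"\0" * 0x80)

if __name__ == "__main__":
    for start, end in find_embedded_pe(SAMPLE_DOC):
        print(f"PE image at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

The decoy 'MZ' inside the text is rejected because its e_lfanew does not land on a PE signature, and the carve ends at the section boundary rather than at the trailing document bytes.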
C:\WINNT\system32\SNootern.dll
C:\WINNT\system32\uidmngr.ini
The latter file contains the filename from which installation originally took place, while the former contains the bulk of this Trojan. The executable also registers a new instance of the Non-IFS service provider support environment (WS2IFSL) and installs the Trojan as a layered service provider (LSP). The following registry entry gets added:
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem: 43 3A 5C 57 49 4E 4E 54 5C 53 79 73 74 65 6D 33 32 5C 53 4E 6F 6F 74 65 72 6E 2E 64 6C 6C 00 00 00 00 67 00 6E 00 61 00 74 00 75 00 72 00 65 00 3D 00 22 00 24 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 20 00 4E 00 54 00 24 00 22 00 0D 00 0A 00 43 00 6C 00 61 00 73 …
The first few hex values decode to:
C:\WINNT\System32\SNootern.dll (…)
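Decoding that path field and comparing it against a baseline is a quick way to audit a host for rogue LSPs. The Python below is an added example, not from the diary: the 260-byte ANSI path buffer at the start of the value is the Winsock PackedCatalogItem layout, the baseline DLL set and the CurrentControlSet path are assumptions, and the sample value is the diary's hex zero-padded to the buffer length.

```python
PATH_BUF_LEN = 260   # MAX_PATH: PackedCatalogItem starts with an ANSI provider-path buffer

# Baseline of provider DLLs expected in Protocol_Catalog9 on a stock Windows 2000/XP
# box (assumption; build your own baseline from a known-clean host).
BASELINE = {"mswsock.dll", "rsvpsp.dll"}

# First bytes of the PackedCatalogItem quoted in the diary, zero-padded to the
# 260-byte path buffer so the sample decodes offline (padding is constructed).
SAMPLE_PACKED = bytes.fromhex(
    "43 3A 5C 57 49 4E 4E 54 5C 53 79 73 74 65 6D 33 32 5C 53 4E 6F 6F 74 65 72 6E"
    " 2E 64 6C 6C 00 00 00 00 67 00 6E 00 61 00 74 00 75 00 72 00 65 00 3D 00 22 00"
    " 24 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 20 00 4E 00 54 00 24 00 22 00"
    " 0D 00 0A 00 43 00 6C 00 61 00 73").ljust(PATH_BUF_LEN, b"\0")

def provider_path(packed: bytes) -> str:
    """Return the provider DLL path stored at the start of a PackedCatalogItem.

    Only the bytes up to the first NUL are meaningful; the rest of the 260-byte
    buffer is whatever was in memory when the entry was written (in the diary's
    sample, UTF-16 text from an .inf file), followed by the WSAPROTOCOL_INFOW.
    """
    return packed[:PATH_BUF_LEN].split(b"\0", 1)[0].decode("latin-1")

def audit_entry(packed: bytes, baseline=BASELINE) -> tuple:
    """Return (path, known): known is True when the DLL name is in the baseline."""
    path = provider_path(packed)
    dll = path.rsplit("\\", 1)[-1].lower()
    return path, dll in baseline

def audit_live_catalog(baseline=BASELINE) -> list:
    """Windows only: walk Protocol_Catalog9 and return providers outside the baseline."""
    import winreg   # raises ImportError off Windows
    root = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
            r"\Protocol_Catalog9\Catalog_Entries")   # 64-bit hosts also have Catalog_Entries64
    flagged = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as entry:
                packed, _ = winreg.QueryValueEx(entry, "PackedCatalogItem")
                path, known = audit_entry(packed, baseline)
                if not known:
                    flagged.append((name, path))
    return flagged

if __name__ == "__main__":
    path, known = audit_entry(SAMPLE_PACKED)
    print(f"{path}: {'in baseline' if known else 'NOT in baseline'}")
    try:
        for name, path in audit_live_catalog():
            print("unexpected LSP:", name, path)
    except ImportError:
        pass
```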
Upon a reboot, the host performs a DNS lookup for a host registered on 3322.org (a Chinese dynamic DNS provider). It then makes a TCP connection to this server on a hard-coded port number.
As a grand finale, it appears that more than one year after the initial attacks, the hostname still resolves and the box on the other end is actively picking up the phone.
It would be quite interesting to know what someone infected with this piece of malicious code could expect. Running the tool under a debugger such as OllyDbg quickly shows a number of decision trees similar to the following:
Closer review shows that commands exist to allow the remote host to create files, search for files, and more importantly, gain a command line shell on the box (“LIKE”).
After a bit more testing with the malware, the connection protocol appeared fairly obvious as well. The infected host makes an outbound connection to the US-based server; both parties identify themselves, open a log and go dormant until the control server issues one of the commands the Trojan supports.
NAME
NAME: DIMASHK.VER: Stealth 2.6.MARK: fl510 .OS: NT 5.0.L_IP: 10.3.5.26.ID: NoID
LONG:0531_LOG.txt
NULL
AUTH
ERR code = 0
SNIF
ERR code = 0
WAKE
When the file was first received, we distributed it to the major anti-virus vendors, and coverage has improved much since. What this example shows best, though, is that information sharing is vital in identifying these types of attacks. Only when information on them is shared and patterns are identified can detection and response improve.
Cheers,
Maarten Van Horenbeeck
New Firefox releases fix security vulnerabilities
Firefox 2.0.0.4 and 1.5.0.12 were released yesterday, fixing six security vulnerabilities. While not confirmed, the most significant of these could potentially allow arbitrary code execution:
MFSA-2007-17 Parts of the browser chrome could be spoofed or hidden
MFSA-2007-16 Script injection (High impact)
MFSA-2007-14 Two issues with cookie handling
MFSA-2007-13 Denial of service against 'form autocomplete'
MFSA-2007-12 Crash with potential memory corruption (High impact - two CVEs)
Symantec pattern fires on Spybot Search & Destroy 1.3
We have received a couple of reports that Symantec Antivirus triggers on the file 'blindman.exe', part of the Spybot Search & Destroy package. Apparently only the file included with version 1.3 was detected as a Trojan, not the one included with the more recent version 1.4.
Symantec has confirmed this issue occurred in the 05/30/2007 rev.020 Intelligence Update and LiveUpdate definitions. They've made available Rapid Release definition build 69173 (extended version 05/30/2007 rev. 035) to resolve the issue. LiveUpdate definitions that correct the issue were also published, version 90530ao (Sequence number: 69179; extended version 05/30/2007 rev.041).
Thanks to Matt and Scott for reporting the issue, and Symantec for their fast response.