Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I constantly submitted them to Kaspersky, NSClean, Ewido. I occasionally submitted them to others, but gave the samples to people who were interested in submitting them to their own personal AVs. :)
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    New undetected variant today. :(

    This seems like it's going to be another Zlob-like nightmare. :(
     
  3. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    TD8EAU9TD.COM
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, it's CWS. Unsurprising, to say the least.
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Frankly, what I suggest you all do right now is to block at firewall level the whole class 195.225.176.0 - 195.225.179.255 (195.225.176.0/22), netcathost. There is nothing but trojans, exploits, and overall garbage on there. Seriously.
     
  6. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    If they are being tested using Virus Total or Jotti then all AVs should receive the samples
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yet another new undetected version appearing today. Seriously people, block the whole netcathost IP class. In Italy (where this group is evidently targeting) it's getting at epidemic level. :mad:
     
  8. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    Nice finds, TNT, and good work. :)

    Their whole netblock should definitely be considered a no go zone and blocked as you advised. Even if not visited directly they could still be called by other hijacks to download more files.
     
  9. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    newvirus@kaspersky.com
    I always like to make double sure. :)
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, ESET has something in common with Italy: Paolo Monti, etc., but it's strange their reaction to this is not so fast. :(
     
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I emailed them (at samples@) telling them about this thread, though I've noticed that Marcos has already posted in this thread so they will already know about it. I don't know if NOD32's site blocking list can block IP ranges though (?); if it could, then that would be a quick way of blocking these dangers.
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, I entered that infected page (don't do this at home :D ) and NOD32 doesn't block it even though I had the "Block malicious websites ..." option enabled. Also the malware seemed to have been removed from the website. Everything is clean there now.
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    pykko, I just entered the address I gave you and the malware is still there. Did you turn javascript off? It doesn't work without javascript.

    There's a more worrying perspective, though: that the exploit page only loads if the client's IP is from Italy, as they are targeting Italy right now. I don't even want to think of the implications of that, as it makes my head hurt. :(
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, my IP is definitely not from Italy so this may be the clue. I tried it with Java on. ;)
    Perhaps NOD32 actually blocked it, even though the main page loaded properly... o_O
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It might be. Do "gromozon(dot)com", "td8eau9td(dot)com", and "js(dot)gbeb(dot)cc" open if you just type them in the address bar? If not, they're definitely blocked by IMON. The address I gave you is the "jump page" that loads the exploits from a subdirectory of the first two domains (through a javascript on the third domain).
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    On the first one I get: FF is unable to find this webpage, etc. (perhaps IMON blocked it); the second one: "Site closed"; and the third one: a white screen with the webpage address printed in black.
    That's all.
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Not sure about the first one, but the other two appear the same to me (please note that the actual malware and trojans are loaded from a subdirectory, not from the "front page", so it shouldn't come as a surprise that those appear like that... the "site closed" is, of course, fake).
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I'm sending you a private message with the actual url of the trojan (don't open the executable!).
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    They've switched the domains again:
    the exploit page now loads from mioctad(dot)com; I downloaded all the exploit pages. I'll post a picture and an analysis of each today.
     
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I'm from Italy :)

    We have a detailed analysis of this threat

    Working on an automatic removal tool
     
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    :thumb: Great. You have an analysis of just the malware or the actual exploit pages too? In any case, I'm posting them here. :)

    By the way, no, the exploit pages load even without an Italian IP address: I used tor as a proxy and they loaded the same.
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    This is what I actually know about this threat, after some nights spent analyzing and head-scratching :)

    Since early May 2006 some users reported strange symptoms caused by an infection of LinkOptimizer adware. This infection however had something strange: for the first time LinkOptimizer had a rootkit feature too.
    Some months have passed now but still no antimalware has a function to detect this rootkit while active in the system. There exists only a manual guide that users should follow to remove this infection, which is pretty difficult for the average user.

    Everything starts from some Italian websites that contain in their sources a link to a script, like this page: <censored>

    This is a crappy script that connects to a Gromozon webpage, where users download a file called "www.google.com". A normal user will think that the file is coming from Google, instead of seeing that it is a .com executable.

    www.google.com is a dropper that downloads two files: one into C:\Windows\temp\<random>1.exe and one into C:\documents and settings\<actual user>\local data\temp\<random>.tmp. It looks like these two files are downloaders too, which install the rootkit, the LinkOptimizer adware and a service.

    Part ONE: ROOTKIT

    The rootkit can be installed in two ways: under an ADS stream (like C:\:<random>.<random> or C:\Windows\System32:<random>.<random>) or with RESERVED names, like C:\Windows\COM4.gip or C:\WINDOWS\lpt2.nhm. If the second way is applied, the rootkit can't be directly managed because of the DOS reserved prefix (COM#, LPT#, etc.), so it can only be managed using the prefix \\.\ or \\?\ so you can access \\DOSDEVICE. However in both cases the rootkit is loaded from the AppInit_DLLs key (the first case loaded normally, the second case loaded like "\\?\C:\WINDOWS\com4.gip"). Once the rootkit is loaded it hides the AppInit_DLLs registry key, hides itself and hides the LinkOptimizer dll dropped into the Windows dir. After the rootkit is installed into the system, the SeDebugPrivilege permission is removed from all Windows user accounts.
    The rootkit can hide files by hooking some Windows APIs:
    Code:
    Kernel32.dll:
      GetBinaryTypeW
      MoveFileWithProgressW
      OpenFile
    
    Advapi32.dll:
      CreateProcessWithLogonW
    
    Psapi.dll:
      EnumProcessModules
    
    Ntdll.dll:
      LdrLoadDll
      LdrUnloadDll
      NtQueryDirectoryFile
      NtQueryInformationFile
      NtQuerySystemInformation
      NtReadVirtualMemory
      NtVdmControl
      NtWriteVirtualMemory
      RtlGetNativeSystemInformation
      ZwQueryDirectoryFile
      ZwQueryInformationFile
      ZwQuerySystemInformation
      ZwReadVirtualMemory
      ZwVdmControl
      ZwWriteVirtualMemory 
    Part TWO: ADWARE LINKOPTIMIZER

    As I said before, the dropper installs a LinkOptimizer dll into the Windows directory. It seems the dll is always the same, except for 4/5 stupid changes inside the file. However the file size is always the same: 64671 bytes. This dll is hidden by the rootkit.

    Part THREE: INSTALLED SERVICE

    The dropper adds a fake user account to the Windows system. This local account has a random name and, obviously, a directory under Documents and Settings is created with the random fake user account name. Then a Windows Service is started, with a random name and linked to that account. You can easily see it because if you scroll the list, under the Connection tab you'll see a strange name: that's the random account name.
    This service is related to a file dropped under the Program Files directory, often under the Common Files/System/ or Common Files/Microsoft Shared/ subdirs.

    Both the rootkit (if it's the "reserved-name" version) and the service are launched under the fake user's permissions, and the service file is encrypted with a Windows feature so that no one, except the fake user account, can read inside it. It's however "easy" to delete.


    ---------------------------------

    This is actually what I know about this threat, more or less; I haven't written anything about the Gromozon website or their server-side jobs.
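
    An added example, not code from the thread or from EraserHW: a small Python triage helper for the two persistence tricks described in the post above, DOS reserved device names (COM4.gip, lpt2.nhm) and alternate data streams (C:\:x.y, System32:x.y) as entries of the AppInit_DLLs value, plus the \\?\ prefix needed to reach a reserved-name file. The sample AppInit_DLLs value is constructed; the only thread-supplied inputs are the path shapes themselves.

```python
import re

# Names Windows reserves for DOS devices. A file whose stem (the part before the
# first dot) is one of these, e.g. COM4.gip or lpt2.nhm, cannot be opened through
# the normal Win32 path parser, which is why the post says they need \\?\ or \\.\.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

WIN32_PREFIXES = ("\\\\?\\", "\\\\.\\")  # the \\?\ and \\.\ namespace prefixes


def strip_prefix(path):
    """Drop a leading \\?\ or \\.\ so the rest can be parsed as a plain drive path."""
    for prefix in WIN32_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def is_reserved_device_name(path):
    """True if the final path component's stem is a DOS device name (COM4.gip -> COM4)."""
    base = strip_prefix(path).rsplit("\\", 1)[-1]
    stem = base.split(".", 1)[0]
    return stem.upper() in RESERVED_DEVICE_NAMES


def is_ads_path(path):
    """True if the path names an alternate data stream: any ':' after the drive letter,
    covering both C:\\:stream (root directory ADS) and dir\\file:stream."""
    p = strip_prefix(path)
    if re.match(r"^[A-Za-z]:", p):
        p = p[2:]
    return ":" in p


def device_path(path):
    """Return a \\?\-prefixed path, which bypasses DOS device-name parsing so a
    reserved-name file can actually be opened, copied or deleted."""
    return path if path.startswith(WIN32_PREFIXES) else "\\\\?\\" + path


def triage_appinit_dlls(value):
    """Split an AppInit_DLLs value (comma or whitespace separated) and tag each
    entry as 'ads', 'reserved-name' or 'plain'."""
    results = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        if is_ads_path(entry):
            tag = "ads"
        elif is_reserved_device_name(entry):
            tag = "reserved-name"
        else:
            tag = "plain"
        results.append((entry, tag))
    return results


if __name__ == "__main__":
    # Constructed sample value mixing the two styles described in the post.
    sample = r"C:\Windows\System32:qwe.rty \\?\C:\WINDOWS\com4.gip C:\Windows\normal.dll"
    for entry, tag in triage_appinit_dlls(sample):
        print(f"{tag:14} {entry}  -> handle via {device_path(entry)}")
```

    Only entries that are neither an ADS nor a reserved name get the "plain" tag, so anything unusual in a real AppInit_DLLs value stands out even if the file itself is hidden from a normal directory listing.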
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Just make it clear: DO NOT TRY TO VISIT THE LINKS MARKED IN RED IF YOU DO NOT KNOW WHAT YOU'RE DOING. These sites use a very, very nasty infection method, one of the worst and most complex I've seen.

    hxxp://js.gbeb.cc/advertizing is an obfuscated javascript; the obfuscation method is indeed quite impressive on this one, but the result isn't really: all it does is call hxxp://td8eau9td.com/page_new.php. Anyway, if any of you are interested, there's a page on isc.sans.org that describes the method this group used and how to defeat it.

    hxxp://td8eau9td.com/page_new.php:
    http://img444.imageshack.us/img444/4880/pagenewphpuc6.gif

    hxxp://mioctad.com/get_st.php?50000
    pages load only if the user-agent is acceptable; it comes out empty with wget, but doesn't if you give wget the parameter --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)":
    http://img415.imageshack.us/img415/6092/getstphpxx7.gif.

    Please note that the iframes it calls might or might not still be present on the server at the time I'm writing this: I've seen this infection vector regularly changing the actual location of the exploits and trojans, through what seems to be most definitely an automated job on the server.

    hxxp://mioctad.com/605316cd/50000/11/co.htm, this uses javascript obfuscation:
    http://img102.imageshack.us/img102/7316/cohtmik1.gif

    I manually "deobfuscated" it:
    http://img223.imageshack.us/img223/9032/codeobfuscatedhtmlnk4.gif

    It's interesting to notice that KAV, once the code was deobfuscated, picked it up as "Trojan-Downloader.JS.gen", but didn't when the code was obfuscated. I'm not sure what vulnerability is being used here, but it's likely this one http://securityreason.com/exploitalert/975.

    hxxp://mioctad.com/e.php?50000_11 referenced in the exploit/downloader above is AN EXECUTABLE! It's the "GOOGLE.COM11" trojan according to BOClean. So after all, the download of "www.google.com" (the executable) is only prompted in Firefox, but there is an attempt to execute it with IE.

    This is the one trojan that starts the whole infection. This is how it's "detected" on VirusTotal:

    http://img187.imageshack.us/img187/6685/undetectedwj2.gif

    Terrible. :thumbd:
    Needless to say, I'm going to send this item to the ones interested.

    Anyway, next is another obfuscated javascript, hxxp://mioctad.com/605316cd/50000/8/java.htm:
    http://img160.imageshack.us/img160/8799/javahtmyn4.gif

    I manually deobfuscated this one too:
    http://img111.imageshack.us/img111/8854/javahtmcf0.gif

    This one apparently checks, in order, for the presence of (most codes easily found on Google):
    - Norton Antivirus (NAVCfgWizDll.NAVCfgWizMgr)
    - Windows Defender (091EB208-39DD-417D-A5DD-7E2C2D8FB9CB)
    - BitDefender Antivirus (D653647D-D607-4DF6-A5B8-48D2BA195F7B)
    - AVG7 (9F97547E-4609-42C5-AE0C-81C61FFAEBC3)
    - Panda Antivirus (65756541-C65C-11CD-0000-4B656E696100)
    - F-Prot (1474F601-9B4B-4EB0-81FA-20F753C0E1A4)
    - Norman Virus Control (D5507020-DB45-11d1-A5F0-00600872F78D)
    - Kaspersky (DD230880-495A-11D1-B064-008048EC2FC5)
    - Nod32 (B089FE88-FB52-11D3-BDF1-0050DA34150D)
    - Avast (472083B0-C522-11CF-8763-00608CC02F24)
    - Antivir (45AC2688-0253-4ED8-97DE-B5370FA7D48A)
    - Ewido (8934FCEF-F5B8-468F-951F-78A921CD3920)
    - ?? I have no idea (1EB2409C-6E28-4066-9738-97A1B8F5639C)
    - Dr Web (E7593602-124B-47C9-9F73-A69308EDC973)
    - VBA32 (B43CB0C0-84F2-11D6-A18E-00C0DF043BA4)
    - NAV again (?) (49BB73EE-2C2F-445E-82E3-E6E3380285BF)

    What is it actually doing here? It tries to see if the above programs are present and loads the java exploit accordingly (meaning, if they are detected, it doesn't load the java exploit). As a matter of fact, it seems to make sense since the java exploit, contrary to the actual malware, is well detected:

    http://img84.imageshack.us/img84/3677/detectedxe0.gif

    Then comes hxxp://mioctad.com/605316cd/50000/5/ccr.htm, obfuscated too:
    http://img53.imageshack.us/img53/1561/ccrhtmsg9.gif

    which turns out to be a createControlRange() Javascript buffer overflow exploit (the name kind of gave it away):

    http://img236.imageshack.us/img236/2300/ccrdeobfuscatedfk0.gif

    Next is hxxp://mioctad.com/605316cd/50000/1/xp/activex.htm, also obfuscated:
    http://img118.imageshack.us/img118/9223/activexhtmuc6.gif

    which turns out to be this:
    http://img228.imageshack.us/img228/6537/activexdeobfuscatedlp9.gif.

    Let's see what FreeAccess.ocx is. BOClean says:

    http://img105.imageshack.us/img105/3370/linkoptimizeyi1.gif

    And VirusTotal says:

    http://img76.imageshack.us/img76/6822/patheticuj2.gif

    Now... before this turns into a BOClean commercial... :D... I must say I always communicated my findings about this threat to Kevin (and Kaspersky). Still, Kevin's support and accuracy in including these threats (and discovering himself others by this same infection vector) has clearly been excellent.

    Last comes:
    hxxp://mioctad.com/605316cd/50000/1/wxp.php:
    http://img100.imageshack.us/img100/8274/wxpphpvz4.gif

    Which sends us to:
    hxxp://mioctad.com/605316cd/50000/1/google.htm:

    And really, all this does (when deobfuscated) is send us to "www.google.com" back again. Only this time it might even be that "www.google.com" is a file on your computer, and because of this IE will ask you if you want to execute it (you can try this at home: create an empty file on your desktop and call it "www.google.com", then try to type that address in IE).

    And so our story ends, after having seen these 'nice' people try numerous exploits, and tried to install spyware and a rootkit. :thumbd: Refer to the post above by EraserHW to know more about the malware itself rather than its propagation method.
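
    An added example, not code from the thread or from the deobfuscated pages TNT posted: a Python static check that pulls CLSIDs and ActiveXObject ProgIDs out of a (de)obfuscated landing-page script and maps them against the AV component identifiers listed above, so a triage analyst can tell at a glance that a page is fingerprinting security software the way java.htm does. The product attributions are TNT's from the post above (the one he could not identify stays unidentified); the SAMPLE_JS input is constructed in the style of such probe pages and is not the real java.htm, and the applet name in it is hypothetical.

```python
import re

# Identifiers the deobfuscated java.htm probes for, with the products TNT attributed
# to them in the post above. CLSIDs are stored upper-case without braces.
AV_PROBES = {
    "NAVCfgWizDll.NAVCfgWizMgr": "Norton Antivirus",
    "091EB208-39DD-417D-A5DD-7E2C2D8FB9CB": "Windows Defender",
    "D653647D-D607-4DF6-A5B8-48D2BA195F7B": "BitDefender Antivirus",
    "9F97547E-4609-42C5-AE0C-81C61FFAEBC3": "AVG7",
    "65756541-C65C-11CD-0000-4B656E696100": "Panda Antivirus",
    "1474F601-9B4B-4EB0-81FA-20F753C0E1A4": "F-Prot",
    "D5507020-DB45-11D1-A5F0-00600872F78D": "Norman Virus Control",
    "DD230880-495A-11D1-B064-008048EC2FC5": "Kaspersky",
    "B089FE88-FB52-11D3-BDF1-0050DA34150D": "Nod32",
    "472083B0-C522-11CF-8763-00608CC02F24": "Avast",
    "45AC2688-0253-4ED8-97DE-B5370FA7D48A": "Antivir",
    "8934FCEF-F5B8-468F-951F-78A921CD3920": "Ewido",
    "1EB2409C-6E28-4066-9738-97A1B8F5639C": "unidentified in the thread",
    "E7593602-124B-47C9-9F73-A69308EDC973": "Dr Web",
    "B43CB0C0-84F2-11D6-A18E-00C0DF043BA4": "VBA32",
    "49BB73EE-2C2F-445E-82E3-E6E3380285BF": "Norton Antivirus (second CLSID, per thread)",
}

# A GUID, optionally wrapped in braces, as it appears in classid="clsid:{...}".
CLSID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}?")
# A dotted ProgID passed to new ActiveXObject("Vendor.Component").
PROGID_RE = re.compile(
    r"""ActiveXObject\s*\(\s*["']([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+)["']\s*\)"""
)


def extract_probes(script_text):
    """Collect every CLSID (upper-cased, braces dropped) and every ActiveXObject
    ProgID referenced in the script text."""
    probes = {m.group(1).upper() for m in CLSID_RE.finditer(script_text)}
    probes |= {m.group(1) for m in PROGID_RE.finditer(script_text)}
    return probes


def identify_av_probes(script_text):
    """Map each probe that matches the thread's list to the AV product it targets."""
    return {p: AV_PROBES[p] for p in extract_probes(script_text) if p in AV_PROBES}


def fingerprints_av(script_text, threshold=3):
    """Heuristic verdict: a page referencing at least `threshold` distinct AV
    component identifiers is fingerprinting the visitor's security software
    (java.htm does this to decide whether to serve the well-detected Java exploit)."""
    return len(identify_av_probes(script_text)) >= threshold


# Constructed sample in the style of such a probe page; it is NOT the real java.htm.
SAMPLE_JS = r'''
var av = 0;
try { var o = new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); av = 1; } catch (e) {}
document.write('<object classid="clsid:{DD230880-495A-11D1-B064-008048EC2FC5}" id="p1"></object>');
document.write('<object classid="clsid:B089FE88-FB52-11D3-BDF1-0050DA34150D" id="p2"></object>');
if (!av) document.write('<applet code="Exploit.class"></applet>');  // hypothetical applet name
'''

if __name__ == "__main__":
    for ident, product in sorted(identify_av_probes(SAMPLE_JS).items(), key=lambda kv: kv[1]):
        print(f"{ident:40}  {product}")
    print("fingerprints AV:", fingerprints_av(SAMPLE_JS))
```

    Run it over the deobfuscated text rather than the obfuscated source, as the post notes KAV also only fired on the deobfuscated form; identifiers that survive obfuscation in clear text are the exception, not the rule.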
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes, that's almost what I discovered, you filled some empty parts. Congratulations for your research :)
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    There are still some blanks to fill in, like when exactly the "www.google.com" is created. Is it related only to visiting with Firefox? Maybe. It seems likely that the actual exploit code gets loaded according to the user agent detected.
     