Berbew Trojan: Major Security Hole in MS Internet Explorer & Outlook

Folks,

This one couldn't wait!
I just hope either the ProcessGuard or TDS can defend against it.
The following is an excerpt from an e-mail received from "radsoft.net"
------------------------------------------------------------------

A new exploit is out there, and what it's doing is not completely
original, but the devastating effect is - and let's hope it's unique.

What it does is infect very well known web sites - mostly Microsoft IIS
sites, but Yahoo have also been reported to be infected.

That's stage one. The web server software then waits for connection
attempts from Windows Internet Explorer clients. Through two faults in
this Microsoft browser, it then downloads a keystroke logger onto your
machine without your knowing it. And it cannot be stopped by IDS or
firewall what they know, because it places its payload in the so-called
'footer' of the HTML pages your browser requests.

The payload - unseen by you - is an executable (EXE) that automatically
installs itself, changes its name, and extracts a DLL as well. When it
runs, it injects its code into an existing kernel process so even a
process manager cannot detect it. In short, no one can know they have
it on their system by using any known system check tools.

The keystroke logger will of course go for your credit card numbers,
bank account numbers, online banking passwords - the works.

The site responsible for this is well-known and duly registered in
Russia.

What makes this attack so special is that the people behind it have
succeeded in infecting the web servers not of out of the way sites but
of really major companies including but not limited to eBay, Yahoo, and
many a major bank.

This is the scenario: you visit your online banking site. That site is
infected and your computer downloads the keystroke logger in stealth.
You now log into your bank account - care to guess what happens?

It's that bad. Worse still, only LURHQ have any handle on what's going
on. ZD, CNN, and even the Internet Storm Center at SANS admit they know
next to nothing.

OK, some headlines so it's easier to see.

What Web Sites Are Affected
---------------------------
At least Microsoft IIS sites (could be a good idea to use a tool like
Spike to get HEAD information before visiting) but some are reporting
Yahoo was also infected - and Yahoo are hardly a Microsoft IIS site.

What Operating Systems Are Affected
-----------------------------------
Only Microsoft Windows. The payload is a file named 'msits.exe' - it's
a Windows file.

What Web Browsers Are Affected
------------------------------
Only Microsoft Internet Explorer - AND THERE IS NO PATCH. Also, any
product using Microsoft Internet Explorer rendering must be considered
an equal risk - including but not limited to Microsoft Outlook,
Microsoft Outlook Express, and Eudora [sic].

What Actions Should I Take And When?
------------------------------------
Act immediately. Do not under any circumstances use Internet Explorer
again until further notice (and do not trust Microsoft on this one).
Immediately go and get a different browser - our suggestion is Firefox.

http://www.mozilla.org

Do not use any of the above-mentioned email clients. Rather than
assemble a list of which clients are 'OK' for the time being, and if
you don't know yourself, use your webmail accounts - BUT NOT WITH
MICROSOFT INTERNET EXPLORER.

Further Action I Should Take?
-----------------------------
Keep an eye on the security sites. The Internet Storm Center is a good
bet.

http://isc.sans.org

And LURHQ is a very good bet - they are better informed than anyone at
this stage.

http://www.lurhq.com

Further: inform your friends - their welfare is at stake. Do your best
to see they take this seriously. Remember: this is organised crime gone
after major bank sites, eBay, Yahoo, and many other well-known
financial institutions (auction sites too).

Best of all: stay away for now. Do your banking in person or by phone.
If these gangs could compromise your bank's web server, just imagine
what new trick they may have up their sleeve. Be safe rather than sorry.

In The Long Run
---------------
Microsoft also have some rather lame suggestions posted, but
conveniently do not address the issue of what is going on and what
measures they themselves should be taking - and yet their admonition
that you ONLY RECEIVE PLAIN TEXT EMAIL, albeit long overdue, is very
very welcome.

You must therefore make sure yourself your email client and your
browser (for now) unconditionally observe all of the following:

1. Email client: must NOT resolve Internet web links.
2. Email client: must NEVER enable any scripting whatsoever.
3. Email client: must ABSOLUTELY regard all message content as plain
text.

4. Web browser: must NOT be Microsoft Internet Explorer.
5. Web browser: should NOT allow any scripting (MS recommends this too).

Links to articles dealing with and explaining this crisis follow.


----------------------------------------
FURTHER READING
----------------------------------------
[ff] Links

Berbew/Webber/Padodor Trojan Analysis
http://www.lurhq.com/berbew.html
The definitive story on the attack.

'A number of sites are reporting malicious javascript code being
appended to every page served by their IIS server. Some in the press
are speculating that there is a new 'zero-day' IIS vulnerability
circulating.

'Name: msits.exe, renamed on install
'Size: 51,712 bytes

'The trojan is installed via the ADODB/javascript redirection exploit
for Internet Explorer FOR WHICH THERE IS NO CURRENT PATCH (thanks Bill,
you two-bit ****). When a user visits an infected IIS server using IE,
the trojan will be downloaded from a Russian webserver and executed in
the background. It copies itself to the system directory using a random
name, and also extracts a DLL file which acts as a loader for the EXE
at boot time using the ShellServiceObjectDelayLoad Registry key.

'The trojan appears to be designed for the purposes of 'phishing', that
is, stealing financial and other account details from the infected
user. While most phishing is done via email, this trojan directly
captures password and logins if the infected user attempts to log in to
Ebay or Paypal and also Earthlink, Juno and Yahoo webmail accounts.

'The trojan has some rudimentary rootkit functionality; by patching
in-memory DLLs using the PhysicalMemory device it will not show up in
the Windows task manager list.'

[If you didn't get that last bit, get it now: this is serious. Very
serious. These guys are running rings around Microsoft.]

Where The Payload Comes From
http://217.107.218.147:80
And this is a duly registered, fully legit site in Russia. Needless to
say, be on the lookout for any traffic with this IP block.

inetnum: 217.107.218.0 - 217.107.218.255
netname: E-NEVERLAND-NETWORK-1
descr: E-Neverland Network Company
descr: Malaya Dmitrovka st., 12/1
country: RU

Researchers warn of infectious Web sites
http://zdnet.com.com/2100-1105_2-5247187.html
Security researchers warned Web surfers on Thursday to be on guard
after uncovering evidence that widespread Web server compromises have
turned corporate home pages into points of digital infection.

Increase Your Browsing and E-Mail Safety
http://www.microsoft.com/security/incident/settings.mspx
Be careful here: Microsoft are guarding their backsides.

What You Should Know About Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx
Likewise: note MS don't even use the same name. That's because no
matter what they attempt to imply, THEY DO NOT HAVE A PATCH.

Pop-up toolbar spreads via IE flaws
http://zdnet.com.com/2100-1105_2-5229707.html
Earlier story on same topic.

Two Domains To Boycott Completely (DO NOT CLICK)
i-lookup.com * iclicks.net
These sites are suspected of being involved in this attack.

Web hosting company confirms hack attack
http://zdnet.com.com/2100-1105_2-5076050.html
Another related story - experts are still trying to put the pieces
together.

Berbew Report At The Internet Storm Center
http://isc.sans.org/
http://isc.sans.org/diary.php?date=2004-06-24
For once they don't have all the information, but they're an important
resource.


==============================================================
Copyright (c) 2004 radsoft.net. All rights reserved.
Online < http://radsoft.net/news/0 > Subscriber/X-news
Subscribe/unsubscribe < http://radsoft.net/news/x-news.html >
==============================================================

 

Hi godzillex, I am pretty sure Process guard will protect you

This is exactly the kind of exploit that PG was designed to stop.
No .exe can run without the checksum being accepted by the user.
.dll injection would then not occurr.

Regarding TDS3 and other AV - AT I am sure that these will be updated to protect against this threat as soon as possible. I do not know if the latest radius file does include protection against this exploit as yet though TDS3 does protect against many key loggers.

Here is a little more data about the exploit.

Click the Start button and then click on Search
Make sure you choose the option to look through all files and folders
Search for files called Kk32.dll and Surf.dat
If infected use up to date anti-virus software to remove the malicious code

Pilli

 

Hi Pilli,

I also thought the same thing, but was not quite sure. Apparently, what makes this trojan particularly insidious is the way that it patches itself to running processes without showing up in any of the process listing programs. Worse yet, if a user has been working all day (i.e., he is tired and not paying 100% attention to what he should be doing), he may inadvertantely 'allow' the trojan to run!
I think that TDS should be the primary means of catching this trojan.

1. Does anyone know if TDS is capable of identifying this trojan yet?
2. If so, since when?

Thanks.
godzillex

 

Hi,

even if you allow the executable to run (or that if it's IE itself which is already running which try to inject into something) then Process Guard will simply
prevent the code injection, with a warning in addition on the log window.

So I think this exploit is prevented by Process Guard.

regards,

gkweb.

 

Thanks guys.
Just for your information, the only two items that I had enabled in the Process Guard were the "Program Checksum Protection", and the "Protection Enabled". Nothing else in the "General Protection Options" was enabled!!!
Would this type of settings have still protected me from the Berbew trojan?

 

If the backdoor is loaded:

Attachment: web.da.us.citi.heloc.pif (5,664 bytes)

The attachment is Trojan.Download.Berbew. When it is run, it downloads Backdoor.Berbew (39,140 bytes) from the Internet and saves it into the %System% folder as Rtdx32.exe and then runs it.[i/]

Process Guard's checksum list would alert you that the .exe was trying to load so in that way you could stop this Trojan.

If you are also runnng Worm Guard this would stop the .pif from running and alert you that it could be dodgy.

HTH Pilli