SANS ISC: InfoSec Handlers Diary Blog
exe malware spammed under "Missile War" subjects

Published: 2007-04-08
Last Updated: 2007-04-09 07:29:17 UTC
by Daniel Wesemann (Version: 5)
If you're still not blocking EXEs on your email gateway, chances are your users are getting flooded by the latest scam at the moment. We're receiving reports of a "movie.exe" (MD5 95c563731b7828d6e98eae81ee08869f) making the rounds, attached to emails with very "clickable" subject lines like "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". You get the drift: the kind of friendly headlines you would expect to get on a peaceful Easter Sunday. AV coverage is nonexistent at this time, so be careful. Thanks to Mike for submitting the first sample of this critter!

Update 2000 UTC: Filenames "video.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe" are also used, and occasionally it is neither the USA nor Israel, but Iran who has started World War III. Lovely.
Other MD5: 4a32764f9165980e255a80ee63edf402 (Thanks, Ariel!)  and several other MD5 sums (19 and counting as of 0500 UTC)

Update 0500 UTC: AV coverage is starting to become available: W32/Tibs.ET@mm (Fortinet), Email-Worm.W32.Zhelatin.cq (Kaspersky/F-Secure), W32.Dref.AF (Sophos), and Trojan.Small-1604 (ClamAV). Also worth mentioning is Symantec, who (likely by sheer luck :) caught it early on by detecting the packer: Trojan.Packed.13.

Not so funny.php

Published: 2007-04-08
Last Updated: 2007-04-08 16:29:01 UTC
by Daniel Wesemann (Version: 1)
With all the malware and exploit files around, I frequently find it hard to remember any specific attack. But when, while analyzing a suspicious site today, I came across an exploit that tried to download a binary called "funny.php", it felt enough like a glitch in the matrix to make me look back through my logs. And indeed, there had been another funny.php, from the same server in Malaysia, almost a month ago. And another, five days ago, from a server in Germany. The EXEs the exploit tries to retrieve vary (of course), but the exploit pattern is always the same.

The first file, commonly included via an IFRAME, pulls in a further part named "in.php?adv=1". This file contains an encoded blob of JavaScript, which is not reliably detected by AV (of the scanners I have at hand to verify, only Kaspersky, F-Secure and McAfee seem to recognize it at all). Once manually decoded, AV detection improves somewhat, but is still leaky. The decoded blob reveals a bunch of "friendly" little code snippets:

1. Exploit-Byteverify (a quite wizened Java exploit)
2. An exploit for MS06-014, with the code lifted almost verbatim from the corresponding Metasploit module
3. A copy of the MS06-057 WebViewFolderIcon.SetSlice exploit, artfully rendered to avoid detection

If any of these succeeds, the exploit downloads and runs the "funny.php?adv=1" files mentioned above, which invariably turn out to be Trojan downloaders or worse. The funny.php files are apparently refreshed frequently enough to keep AV coverage low to nonexistent.

While the three exploits are not at all lethal on a well-patched PC, the prevalence and endurance of these not-so-funny PHPs suggests that there are still far too many PCs out there that fall for this sort of attack. We have informed the two affected ISPs in Germany and Malaysia; let's see who has staff on duty on an Easter weekend...
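As an added example (not part of the diary), here is a small proxy-log check that correlates the two stages of the chain described above per client: the "in.php?adv=1" loader followed by the "funny.php?adv=1" download. The log format, hostnames, client IPs and the 300-second window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the diary) in an assumed, simplified
# proxy-log format: "<ISO timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2007-04-08T11:02:13 10.0.0.5 GET http://example.invalid/in.php?adv=1 200
2007-04-08T11:02:17 10.0.0.5 GET http://example.invalid/funny.php?adv=1 200
2007-04-08T11:05:40 10.0.0.9 GET http://example.invalid/in.php?adv=1 200
2007-04-08T11:30:01 10.0.0.7 GET http://example.invalid/index.html 200
2007-04-08T12:10:02 10.0.0.9 GET http://example.invalid/funny.php?adv=1 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# The two stages of the chain: the encoded-JS loader, and the binary that is
# only fetched once one of the embedded exploits has succeeded.
STAGE_RE = {
    "loader": re.compile(r"/in\.php\?adv=1$"),
    "payload": re.compile(r"/funny\.php\?adv=1$"),
}
WINDOW_SECONDS = 300  # assumed: loader->payload gap that counts as one chain


def classify(url):
    """Map a URL to a chain stage name, or None if it is not part of the chain."""
    for name, rx in STAGE_RE.items():
        if rx.search(url):
            return name
    return None


def detect_chain(log_text):
    """Return {client: verdict}. 'exposed' = loader fetched only;
    'likely_compromised' = payload followed the loader within the window;
    'payload_outside_window' = payload seen without a recent loader."""
    last_loader, verdicts = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url, status = m.groups()
        if status != "200":
            continue  # only successfully served requests matter here
        stage, t = classify(url), datetime.fromisoformat(ts)
        if stage == "loader":
            last_loader[client] = t
            verdicts.setdefault(client, "exposed")
        elif stage == "payload":
            seen = last_loader.get(client)
            if seen is not None and 0 <= (t - seen).total_seconds() <= WINDOW_SECONDS:
                verdicts[client] = "likely_compromised"
            else:
                verdicts[client] = "payload_outside_window"
    return verdicts
```

Clients flagged as likely_compromised should be treated as hosts that ran the downloader, regardless of whether the endpoint AV reported anything.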