My next class:

".sys" Directories Delivering Driveby Downloads

Published: 2010-03-24. Last Updated: 2010-03-24 02:42:35 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Our read Paul observed malware being delivered from the ".sys" directory of various web sites. The URL follows the scheme:

http://evilexample.com/.sys/?action=....

In response to clicking on the link, the user is asked to install the software. According to Paul, he observed the link being delivered via Facebook which of course makes the message more plausible and it is likely that users install the software thinking it came from a "Friend". Before adding a specific block for ".sys", Paul's web filter caught about 60% of these exploits.

Once a user follows the link, additional exe files are downloaded from ".sys" directories. The file names Paul observed are p.exe, go.exe and v2captcha21.exe.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

7 comment(s)
My next class:

Comments

This is very standard Koobface command and control traffic and has been occurring in the .sys URI format for many months. You'll see commands to generate facebook accounts (fbgen) myspace (msgen) and a host of other miscellaneous commands like the captcha-solving commands Paul saw. A host infected with this version of Koobface will be detected by various Emerging Threats Koobface signatures.
Other iffy links seems to be in this format:

/.sys/?action=fbgen&v=
/.sys/index.html?getexe=fb.101.exe
/.sys/index.html?getexe=fb.75.exe
/.sys/index.html?getexe=fb.84.exe
/.sys/index.html?getexe=fbcheck.exe
/.sys/index.html?getexe=get.exe
/.sys/index.html?getexe=go.exe
/.sys/index.html?getexe=hosts2.exe
/.sys/index.html?getexe=loader.exe
/.sys/index.html?getexe=pp.12.exe
/.sys/index.html?getexe=pp.14.exe
/.sys/index.html?getexe=v2captcha.exe
/.sys/index.html?getexe=v2captcha21.exe
/.sys/index.html?getexe=v2prx.exe
/.sys/index.html?getexe=v2webserver.exe

filenames:

v2captcha21.exe
v2bloggerjs.exe
fb.84.exe
fbcheck.exe
go.exe
v2prx.exe
fb.82.exe
pp.14.exe
v2webserver.exe
hosts2.exe
be.20.exe
tg.16.exe
ms.26.exe
Yes, a bit more digging did show the Koobface connection. What surprised me most was that our web filtering vendor was doing such a bad job of catching what is fairly common malicious traffic.
Is your web filter permitting the exe files to transit? In our shop, restricting access to exe files to trusted users was one of the first things we did when we brought in a web filter.
For those who use the Emerging Threats Snort rules, SID 2010335 (ET TROJAN Koobface Beaconing (action=)) covers GET requests for "/.sys/?action=".
@peter, much as it would nice to block all .exe's via the web filter that's just not workable in this environment...
We saw these sort of downloads on our IDS a week ago:

> 2010-03-16-16:16:34 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/57960 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=p.exe

> 2010-03-16-16:21:57 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/36411 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=v2webserver.exe

> 2010-03-16-16:21:57 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/36411 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=v2captcha21.exe

so the .sys part seems to be consistent, but the latter part may vary. MD5 Hashes are:

cb255ee2f94d5c6ed11eb5c111ea45c1 v2captcha.exe
d5db0c2908d025c792231901deeacf42 v2webserver.exe
7531ab1f4480b80ecb57d0a955d0b7c6 com-p.exe

Diary Archives