SANS ISC: Its been a malware kind of Day

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Well, when it rains it pours and today it seems it has been raining malware.  Although, I can't say I'm sad since I enjoy playing with malware so much.   We have been busy doing to analysis on three different pieces of malware that had been submitted to us.  Due to space constraints, I'm only going to post information on one of them below that was the most interesting.  We also looked at malware that appeared to be a more targeted attack on a group and the latest RINBOT/DELBOT or whatever you want to call that bot variant. 

One of the is the first things I'd like to highlight is the recent news media attention to that has been generated over the latest version of RINBOT/DELBOT/SDBOT (depending on the AV folks your talking to).  I only bring this up since we've had many people writing in and wanting to know if we were going to post a diary on this.  I'm only going to post a few thoughts and then move on.  We already covered this malware in a previous diary entry.  The only that that seems to have changed is maybe an update to the vulnerabilities it can use to spread and the latest rant at whoever the author is mad at now.  In this case, Symantec seems to be the target now.  With that in mind, its surprising that its getting so much publicity when its just another bot variant.  It is sad, but bots are very common place on the internet today.

Now, on to some other interesting pieces of malware that are new.  We received an email from a reader named Chris who had a user report their system attempted to connect to a remote network.  The firewall alert ed the user to the outbound traffic.  The file that requested the outbound traffic was a file called ~.exe.  A few of us looked at the file, but saw nothing malicious about the file itself.  It opened a message box with a title of OK.  No outbound traffic occurred.  After a few more email exchanges, we got some more critical information: 

"The user states that their Firewall (COMODO Firewall Pro) alerted to it after visiting hxxp://www.owned.com/Owned_Pictures - they checked the site again and NOD32
alerted to the webpage containing an unknown PE virus."

Nice, now we have a good starting point.  Several of us did some analysis on how the site was doing the exploit.  I would like to post the results from fellow handler Bojan Zdrnja who did an outstanding job with this, especially the de-obfuscation of the javascript.   For those wanting to try their hand at it, Bojan used the SpiderMonkey technique described here.  Now for his analysis of what was found:

The initial infection site is definitely http:// www [dot]
owned.com/Owned_Pictures (oh irony, looks like they've been owned).

On that web page there is an iframe which points to http://www [dot]
trudomain.com/hello.html. That is an obfuscated JavaScript which isn't
completely trivial to deobfuscate.
However, once you manage to do that, you will see that it is just
another iframe that will send your browser to http://www [dot]
porcosnet.com/cgi-bin/e/neo/neosploit?p=alert.

This page contains a bigger obfuscated JavaScript which attempts to
exploit a bunch of vulnerabilities. Among the usual MSXML2 and
ADODB.Stream exploits, it also contains exploit for the
WebViewFolderIcon vulnerability, for the WinZIP vulnerability and for
a QuickTime vulnerability.

Finally, if the exploit ran successfully, it will download an
executable from the same sie (www [dot] porcosnet.com). I haven't seen
the ~.exe file, but this is definitely malicious so I would suggest
that you thoroughly check the infected machine (and rebuild, if
possible).

So, check your logs.  And remember its not a very nice site if you decide to play:>)