<![CDATA[[SecurityRatty] tag: zhelatin]]>

<![CDATA[[SecurityRatty] tag: zhelatin]]> http://securityratty.com/tag/zhelatin Sun, 23 Dec 2007 19:06:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[The Template-ization of Malware Serving Sites]]> http://securityratty.com/article/ae9fa7925137e6a71a690ef3b705294d http://securityratty.com/article/ae9fa7925137e6a71a690ef3b705294d

Just like web malware exploitation kits and phishing pages turned into a commodity underground good, allowing easy localization to different languages, and of course, the natural lowering of entry barriers into web malware and phishing in general, the very same thing is happening with fake ActiveX templates like the ones used on the majority of fake porn and celebrity sites I've been assessing recently.

The increase of these bogus ActiveX templates is due to the fact that despite they are currently available for sale, buyers appear to be leaking them for everyone to use so that they can continue maintaining their current business models, namely, the services they offer with the ActiveX templates. Unethical competitive practices among cybercriminals and scammers are only to starting to take place with one another trying to ruin or extend the lifecycle of their services.

Talking about prevalence, the TonsOfPorn ActiveX remains the most widely used rogue ActiveX in the majority of fake codec campaigns for the last couple of months. The ActiveX is largely abused by using another fake porn site template for PornTube, which in combination result in nothing more than huge domain portfolios with no content at all if we exclude the Zlob variants.

And while template-tization means more efficient malware campaigns, it also results in a common pattern for generic detection of such sites. For instance, the folks at Finjan did an experiment by verifying the signature based detection of the common javascript file that was used in the ongoing waves of SQL injection attacks. Their conclusion :

"Can it be that Anti-virus products are now holding more signatures for domains and URLs rather than trying to identify a malicious code they never inspected before? As my research found, just by changing the domain names, some AVs did not find this code as malicious...... surprisingly enough."

When assessing malware campaigns in general, I usually do the same for the record. Storm Worm's use of ind.php for executing its set of exploits has the same detection rate - scanners result: 10/33 (30.30%) and is detected as JS.Zhelatin.zb.

Getting back to the TonsOfPorn ActiveX, it's structure is more static than a Red Army statue in Estonia, making it easy to proactively protect against, no matter the domain, no matter the exploits served. It's detection rate is close to the javascript from the SQL injection attacks - Scanners Result: 9/33 (27.28%) and is detected as Trojan.HTML.Zlob.L.

From my personal experience, blocking an IP address where a couple of hundred malicious domains remain parked, is just as useful as blocking a single domain acting as the main redirector behind a huge domains portfolio of malicious domains. However, the most beneficial approach on a large scale remains the practice of taking care of the most obvious patterns that still remain faily easy to detect, at least for the time being, due to the efficiency the people behind them aim to achieve, making them easily susceptible to generic detection approaches.

]]> Thu, 10 Jul 2008 12:59:13 +0000 malicious domains remain malicious domains tonsofporn activex remains tonsofporn activex domains generic detection approaches generic detection activex fake activex The Template-ization of Malware Serving Sites <![CDATA[BlackEnergy DDoS Bot Web Based C&Cs]]> http://securityratty.com/article/bb39e472b3fe7e100eb0f9e30e676541 http://securityratty.com/article/bb39e472b3fe7e100eb0f9e30e676541

Remember the Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving that malicious parties don't even take the basic precautions to camouflage their ongoing migration to the web for the purpose of botnet and malware kits C&Cs? Let's experiment wi the BlackEnergy DDoS bot, and prove it's the same situation. What's the BlackEnergy DDoS bot anyway :

"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcommon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) binary for the Windows platform that uses a simple grammar tocommunicate. Most of the botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP address space and have targeted Russian sites with theirDDoS attacks."

The following are currently live botnet C&Cs administration panels, and with BlackEnergy's only functionality in the form of DDOS attacks, it's a good example of how DDoS on demand or DDoS extortion get orchestrated through such interfaces :

httpdoc.info/black/auth.php (66.29.71.16)
wmstore.info/hello/auth.php (216.241.21.62)
lunaroverlord.awardspace.com/auth.php (82.197.131.52)
333prn.com/xxx/auth.php (64.247.18.208)

It's getting even more interesting to see different campaigns within, that in between serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there's also an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also the fact that all the malware binaries that you see in the attached screenshot use one of these hosts as both the C&C and the main binary update/download location.

]]> Tue, 12 Feb 2008 15:46:35 +0000 ddos bot blackenergy ddos bot blackenergy ddos extortion ddos attacks traditional irc bot irc botnet master BlackEnergy DDoS Bot Web Based C&Cs <![CDATA[Storm keeps coming (4th variant)]]> http://securityratty.com/article/57da5e3aa95b0d83d00fe820a926a246 http://securityratty.com/article/57da5e3aa95b0d83d00fe820a926a246 1) Hash: 1f362ad74d62262bff6bcb1d078cbf7d
2) Aside from yet again changing the domain and binary, the hidden files written upon execution are as follows:

Helios Rootkit Detector
Scanning File System For Hidden Files

[*] Scanning Drive C
1 C:\WINDOWS\system32\bldy.config Hidden From API
2 C:\WINDOWS\system32\bldy3a80-61.sys Hidden From API
Execute Duration (in seconds)=18

Loaded Drivers:
Driver File Company Name Description
C:\WINDOWS\System32\bldy3a80-61.sys

Kernel31 Api Log
***** Installing Hooks *****
4012d8 CreateFileA(C:\WINDOWS\System32\bldy.config)
40117f CreateFileA(C:\WINDOWS\System32\bldy3a80-61.sys)

DirwatchData
WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\bldy3a80-61.sys
Modifed: C:\WINDOWS\system32\bldy3a80-61.sys

Better AV coverage again:

AntiVir - TR/Crypt.XDR.Gen
Authentium - W32/Dropper.gen6
Avast - Win32:Zhelatin-ASX
AVG - Dropper.Generic.TLX
BitDefender - Trojan.Peed.IRG
ClamAV - Trojan.Peed-66
DrWeb - Trojan.Spambot.2386
Fortinet - W32/Tibs.G@mm
F-Prot - W32/Dropper.gen6
F-Secure - Email-Worm.Win32.Zhelatin.pr
Kaspersky - Email-Worm.Win32.Zhelatin.pr
NOD32v2 - Win32/Nuwar.BA
Panda - Suspicious file
Prevx1 - Stormy:Worm-All Variants
Sophos - Mal/Dorf-H
Symantec - Trojan.Peacomm
VirusBuster - Trojan.DR.Zhelatin.AS
Webwasher-Gateway - Trojan.Crypt.XDR.Gen

Aside from the inherent value of keeping an eye on the ISC Diary, please refer to the US-CERT alert.
They'll keep coming, we'll keep watching.

Storm keep coming (4th variant) at del.icio.us

]]> Thu, 27 Dec 2007 07:43:00 +0000 trojan sys kernel31 api log api zhelatin-asx zhelatin config helios rootkit detector driver file company Storm keeps coming (4th variant) <![CDATA[Holiday Storm Part 3]]> http://securityratty.com/article/e6a27c1d60751f69f7d261f1397817fd http://securityratty.com/article/e6a27c1d60751f69f7d261f1397817fd ISC Diary, in particular Update 3. The changed domain and binary name led me to ponder what else has changed. So...
1) New hash: BE22F894AC662C905C37CEFDE66DE065
2) Better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?). No more hanging out in the open, easily seen.
The Helios Rootkit Detector, now included in RAPIER, discovered darker voodoo than the last two versions:

Scanning File System For Hidden Files
[*] Scanning Drive C
1 C:\WINDOWS\system32\cleanmgr.exe Hidden From API
2 C:\WINDOWS\system32\clean.config Hidden From API
3 C:\WINDOWS\system32\clean6c9-3320.sys Hidden From API
4 C:\WINDOWS\system32\dllcache\cleanmgr.exe Hidden From API

SysAnalyzer says:

Loaded Drivers:
Driver File Company Name Description
C:\WINDOWS\System32\clean6c9-3320.sys

Kernel31 Api Log
***** Installing Hooks *****
4012c1 CreateFileA(C:\WINDOWS\System32\clean.config)
40117f CreateFileA(C:\WINDOWS\System32\clean6c9-3320.sys)

DirwatchData
WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\clean.config
Modifed: C:\WINDOWS\system32\clean.config
Modifed: C:\WINDOWS\system32\config\system.LOG
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\clean6c9-3320.sys
Modifed: C:\WINDOWS\system32\clean6c9-3320.sys

3) AV coverage is further improved for this version:

AntiVir 7.6.0.46 - TR/Rootkit.Gen
Authentium - W32/StormWorm.R
Avast - Win32:Zhelatin-ASX
AVG - Dropper.Generic.TLF
BitDefender - DeepScan:Generic.Malware.FMH@mmign.55A134E9
ClamAV - Trojan.Zhelatin
DrWeb - Trojan.Spambot.2387
Fortinet - W32/Tibs.G@mm
F-Prot - W32/StormWorm.R
F-Secure - Email-Worm.Win32.Zhelatin.pl
Ikarus - Virus.Win32.Zhelatin.ASX
Kaspersky - Email-Worm.Win32.Zhelatin.pl
Microsoft - Backdoor:WinNT/Nuwar.B!sys
NOD32v2 - Win32/Fuclip.AW
Panda - Suspicious file
Prevx1 - Stormy:Worm-All Variants
Sophos - Mal/Dorf-H
Webwasher-Gateway - Trojan.Rootkit.Gen

How perfectly unpleasant, making things more difficult to spot. Here's my New Years wish for the Storm lamers. Bugger off (kept pleasant for the kids).

]]> Wed, 26 Dec 2007 20:43:00 +0000 kernel31 api log log api zhelatin-asx sys asx rootkit helios rootkit detector zhelatin Holiday Storm Part 3 <![CDATA[New Years Storm deja vu]]> http://securityratty.com/article/e76ca116931b91c890f5becc495be51c http://securityratty.com/article/e76ca116931b91c890f5becc495be51c New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in previous post, but better AV coverage now that this variant's been around for a few days:

AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure - Packed.Win32.Tibs.gu
Kaspersky - Packed.Win32.Tibs.gu
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob

I was further intrigued by the name they chose for the .exe, in particular, disnisa. Appears it was or is the name of a wine and spirits import company in Nicaragua, importers of Heineken, Chivas Reagal, Cuervo, Concha y Toro, and Moet & Chandon. Is there correlation given the time of year? Who knows.
Happy New Years from disnisa. Drink the product (responsibly), but don't open the ecard. ;-)

]]> Tue, 25 Dec 2007 07:36:00 +0000 trojan spirits import company disnisa suspicious christmas strip worm-all variants worm exe suspicious file New Years Storm deja vu <![CDATA[Storm-Bot stripshow analysis]]> http://securityratty.com/article/f93548291cc0e5f1e9e6da2a0c5fafe8 http://securityratty.com/article/f93548291cc0e5f1e9e6da2a0c5fafe8 The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp://merrychristmas.com/stripshow.exe (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to merrychristmasdude.com, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve such lockdown, even though your hosts may suffer infection, they won't be communicating with their friends and neighbors.
From API analysis we see a few interesting tidbits:

w32tm /config /update
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
40da1b bind(8c, port=26790)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)

Nice, do a little time sync, allow ourselves through the firewall, then bind, listen, and wait.
First, add another registry entry,

0cd2d RegCreateKeyExA (HKLM\Software\Microsoft\Windows\ITStorage\Finders,)

then start connecting:

71a54cee LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
77e7ac53 CreateRemoteThread(h=ffffffff, start=71a519c4)
40d9f1 connect( 193.33.146.178:24714 )
40d9f1 connect( 74.60.173.98:3887 )
40d9f1 connect( 58.74.135.13:30843 )
40d9f1 connect( 222.119.113.135:22295 )
40d9f1 connect( 71.234.220.147:20232 )
40d9f1 connect( 76.84.231.43:14172 )
40d9f1 connect( 124.5.147.194:16544 )
40d9f1 connect( 58.8.236.130:13224 )
40d9f1 connect( 190.79.151.75:2952 )
40d9f1 connect( 58.8.122.191:29646 )

Once this little bugger hits the network, expect flood-like traffic.
My infected sandbox victim exhausted my 1.5mb DSL connection instantly, in part from a ton of inbound responses from peers being logged at my firewall:

SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=18384 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=19891 PROTO=UDP SPT=24045 DPT=26790 LEN=33

At last, the peer list referred to by the ISC, written to C:\WINDOWS (many more entries not included):

[config]
[local]
uport=20142
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCE03EE2BD100
0100A634122F3553A046EC451061927C=0CCEEF9C5BF700
02007E238D780D25FD5511285E2E596E=0CD9D73081A500
03001E62DC533E7AF6161729A953891B=180BB9671B4800
0400EB5EC13599373A3D544A2D6AF94F=180FAC024F7300
05004710B3440F5D2117CE555A62D04A=1810D0AE22DA00
06001471521206296D099433C93EC427=1813911C2E6100
07002D6D5B0FE3019C56B1290A564E59=1820B08043D700
0800A2417153943DC23C6C5C817C4159=18257B254F2600

There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes.
User awareness, as always, is your strongest defense.
Cheers and happy holidays, except for you RBN a$$h0735.

Storm-Bot stripshow analysis at del.icio.us

]]> Sun, 23 Dec 2007 19:06:00 +0000 40d9f1 connect w32tm config syncfromflags config time quick time check w32tm config exe src78 dst192 Storm-Bot stripshow analysis