Confidential   11/3/2012




Today’s Malicious Code Threat ~
JS.Scob.Trojan Analysis
Peter Schawacker, CISSP




Overview
• The JS.Scob.Trojan
• Timeline
• IE Security Overview
• How the attacks work
• Effects
• Solutions




Scob
• AKA
  – Download.Ject
  – JS.Scob.Trojan
  – JS.Toofeer
  – Backdoor.Berbew.F




MS04-011??
Scob




Internet Explorer Security
• Cross Domain Model
  – Local Machine Zone
  – "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."




Timeline: ADODB.Stream Object Bug
• Full Disclosure post, August 26, 2003!!
• IE bug allows client-side code execution
• Detailed analysis
  – http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
  – Harmless example: http://62.131.86.111/security/idiots/repro/installer.htm




Scob Discovered June 24
• The original post is available in the June 24 Internet Storm Center Handlers Diary
  – http://isc.sans.org/diary.php?date=2004-06-24&isc=400aeeda81e747d8889dacd941b7ebf6




Effects
• Trojan horse installation – Scob
• The purpose of the trojan is to steal accounts
• An account is an identity!!
• First time web servers have been used this way since Nimda




Compromised IIS Servers
• A file is dropped on an IIS server and subsequently executed to prepare the server. The relevant actions are:
  – File is dropped on the IIS server
  – Creates ads.vbs
  – Drops files in C:\winnt\system32\inetsrv\iis###.dll
  – Server is configured to use this file as a footer
• The IIS server configuration is modified so that every served web page has a footer appended that contains malicious JavaScript
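A defender-side check for the footer mechanism described on this slide. This is an added example, not code from the deck or from any vendor; it assumes an IIS 5/6 host whose metabase is reachable over ADSI at IIS://localhost/W3SVC, and that the footer setting is held in the metabase properties EnableDocFooter and DefaultDocFooter (names taken from the IIS 6 metabase reference). The iis###.dll pattern is the one the slide gives.

```powershell
# Added example, not part of the original deck: walk the IIS 5/6 metabase and
# report every node that has a document footer enabled, flagging footers that
# point at a DLL under inetsrv (the Scob pattern from the slide).
# Assumptions: ADSI path IIS://localhost/W3SVC exists; EnableDocFooter and
# DefaultDocFooter are the metabase properties holding the footer setting.
$suspectFooter = '(?i)\\inetsrv\\iis\d*\.dll\s*$'

function Get-FooterFindings {
    param([string]$Path = 'IIS://localhost/W3SVC')
    $node     = [ADSI]$Path
    $props    = $node.psbase.Properties          # metabase properties of this node
    $findings = @()

    if ([bool]$props['EnableDocFooter'].Value) {
        # Value is normally "FILE:<path>" or "STRING:<text>"; an attacker-set
        # footer pointing at inetsrv\iis###.dll is what we are looking for
        $footer = [string]$props['DefaultDocFooter'].Value
        $findings += New-Object PSObject -Property @{
            Node    = $Path
            Footer  = $footer
            Suspect = [bool]($footer -match $suspectFooter)
        }
    }
    # Footers can be set per site or virtual directory, so recurse into children
    foreach ($child in $node.psbase.Children) {
        $findings += Get-FooterFindings -Path $child.psbase.Path
    }
    return $findings
}

$all = Get-FooterFindings
if (-not $all) {
    Write-Output 'No document footers enabled in the metabase.'
} else {
    $all | Format-Table Node, Footer, Suspect -AutoSize
    # A footer that references a DLL in inetsrv warrants a file-integrity review
    # of C:\winnt\system32\inetsrv and of the server's recent change history
    $all | Where-Object { $_.Suspect } | ForEach-Object {
        Write-Warning "Suspect footer at $($_.Node): $($_.Footer)"
    }
}
```

Any footer enabled at all deserves a look, since a legitimate footer on a production server is rare; the Suspect flag only narrows the list to the exact path pattern the slide reports.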




What Scob does
• Redirects IE to http://217.107.218.147/dot.php
• Visitor is redirected to a file called new.html
• Exploit code redirects the visitor to Shellscript_loader.js
• In turn, downloads and installs msits.exe
  – (ADODB.Stream Object File Installation Weakness vulnerability)




What Scob does (continued)
• msits.exe writes itself to a randomly named executable file in C:\winnt\system32
  – Windows Media Player?
• Reruns the process from the system directory
• Copies two HTML forms (crude login templates) and a log file (surf.dat) to the system directory
• msits.exe attempts to record authentication credentials and their corresponding URLs
• Quasi-rootkit patches the “PhysicalMemory” device
  – Doesn’t appear in the Task List




Sites of Interest to Scob/msits.exe




Workarounds
• Set the “Kill Bit” on the ADODB.Stream Object (no patch from MS)
  – [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
    "CompatibilityFlags"=dword:00000400
• Make the Local Zone/My Computer Zone visible from the Internet Options Security tab
• Don’t use IE (US-CERT) (!!)
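The kill-bit workaround above, as an added example (not from the deck or from Microsoft) that audits the registry value and, with -Apply, sets the bit without clobbering any other compatibility flags already present. It assumes an elevated PowerShell session on a Windows host; the CLSID and the 0x400 flag value are the ones the slide quotes.

```powershell
# Added example, not part of the original deck: check and optionally set the
# ADODB.Stream kill bit described on the Workarounds slide.
# Assumes: elevated session; CLSID and flag value as quoted on the slide.
param([switch]$Apply)

$clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # ADODB.Stream
$key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit = 0x400                                      # kill bit in CompatibilityFlags

function Get-CompatFlags {
    # Returns the current CompatibilityFlags DWORD, or $null if key or value is absent
    if (-not (Test-Path -Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name CompatibilityFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.CompatibilityFlags
}

function Get-KillBitState {
    $flags = Get-CompatFlags
    if ($null -eq $flags)                     { return 'absent' }   # control still loadable
    if (($flags -band $killBit) -eq $killBit) { return 'set' }      # workaround in place
    return 'not-set'                                                # key exists, bit missing
}

$state = Get-KillBitState
Write-Output "ADODB.Stream ($clsid) kill bit: $state"

if ($Apply -and $state -ne 'set') {
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit into whatever flags exist rather than overwriting them
    $new = [int]((Get-CompatFlags) -bor $killBit)
    Set-ItemProperty -Path $key -Name CompatibilityFlags -Value $new -Type DWord
    Write-Output ("Kill bit applied; CompatibilityFlags now 0x{0:X8}" -f $new)
}
```

Run without -Apply first to inventory hosts; the 'absent' and 'not-set' states are the ones still exposed to the ADODB.Stream technique the deck describes.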




Host IPS Countermeasures (IIS Server)
• Triggers event “IIS Shielding - File Mod. in System folder”
• Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”




Network IPS Countermeasures (IIS)
• SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs
• KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error
• LDAP: Active Directory BO
• SSL: Invalid Client Hello Cipher Suite Value
• SSL: Overly Long PCT Client Hello Challenge
• SSL: Microsoft ASN.1 Double Free Code Execution
• SSL: PCT THCLame Challenge Buffer Overflow
• DCERPC: Microsoft Windows LSASS Buffer Overflow
• DCERPC: Microsoft RPC DCOM Buffer Overflow
• DCERPC: Microsoft RPCSS Heap Overflow
• DCERPC: Microsoft Message Queue Service Heap Overflow
• DCERPC: Microsoft Messenger Service Buffer Overflow
• DCERPC: Microsoft Workstation Service Buffer Overflow
• DCERPC: W32/Gaobot.worm Detected




IPS Countermeasures (IE Client)
• Triggers event "IE Envelope Suspicious Executable Modification"




Anti-virus
• Detected by McAfee VirusScan
  – BackDoor-AXJ.gen
  – VBS/Psyme
  – Exploit-MhtRedir.gen
  – BackDoor-AXJ.dll




Why is this important?
• What if your web server is trojaned?
• What if your desktop is trojaned?
• Who is doing this?
• What’s next?
• What should be done?




Sources
• http://www.microsoft.com/security/incident/download_ject.mspx
• http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
• http://62.131.86.111/analysis.htm
• http://www.incidents.org/




Questions
• Peter Schawacker
• ps@nai.com
• 760-880-4258