NSHC
2014. 04. 01
Malware Analysis Report
[ iSpyware ]
A variant of ‘Outlook Spyware’ has been distributed recently. Like ‘Outlook Spyware’, it steals FTP and e-mail information, and it also steals Internet browser information.
It is disguised as a PDF document and uses the name ‘payment receipt’. On a system
suspected of infection, countermeasures appropriate to its behaviour and treatment
through A/V are required.
Information Service about a new vulnerability
Version 1.0 External
© 2014 Red Alert. All Rights Reserved.
Index
1. Malware Stub ............................................................................................3
2. Technical Details .................................................................................... 14
3. Opinion of Red Alert ............................................................................ 22
4. Removal Recommendations ............................................................... 22
5. Reference................................................................................................. 23
facebook.com/nshc.redalert
© 2014 Red Alert. All Rights Reserved.
1
Confidentiality Agreements
This report was written by the Red Alert team. It may be used for research purposes,
but Red Alert accepts no legal responsibility. This document is a living document and will be updated
from time to time. Please refer to the Red Alert SNS page to download updates.
(https://www.facebook.com/nshc.redalert)
Analysis reports updated on Facebook, as well as other materials, articles, and samples, are
offered as premium services on the ISAC page. (https://isac.nshc.net)
1. Malware Stub
Malware Name  : payment receipt (document 3.03.2104).exe
File Size     : 172,032 bytes
Compiled Date : 2014.03.03 21:23:50
MD5           : 5818F3CF9E776C306C71140471F0FE5D
etc           : N/A
Table 1. File info-1
Malware Name  : [loaded module].dll
File Size     : 167,936 bytes
Compiled Date : N/A
MD5           : 6CB12C48A880FA7FF95C341DC2DB2FB3
etc           : N/A
Table 2. File info-2
- http://malwaredb.*******.com/
Index   : Description
OS      : Windows XP SP3 KR
Browser : Windows Internet Explorer 8
Table 3. Analysis Environment
Figure 1. Drop flow
The IP information of the server is shown below.
Figure 2. IP info-1
Figure 3. IP info-2
The attacker operates the web page below.
- http://****asit.su/
Figure 4. http://****asit.su/
The malware creates a new registry value in the path below.
- Path: HKCU\SOFTWARE
- Value Name: 6619057994651728 (a random name is used)
- Value Data: data in binary format (refer to ‘Figure 4. Registry value’)
Figure 5. Registry value
It creates a process named ‘wuauclt.exe’ whose main thread is in the ‘SUSPEND’ state.
- Command Line: C:\WINDOWS\system32\wuauclt.exe
- Creation Flag: CREATE_SUSPEND
Figure 6. Process creation
Before the suspended thread is allowed to run, it copies code into the process and then drops a DLL.
Figure 7. Copy code
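As an added detection example (not from the report), the following Python checks constructed process-creation events for the two behaviours above: a document-lookalike executable, and wuauclt.exe started by something other than the Windows Update service host. The expected-parent set, the lure words and the event layout are assumptions.

```python
import ntpath

# Constructed process-creation events in Sysmon-like form (assumption; not the
# report's data). Event 2 reproduces the chain in the report: the lure executable on
# the Desktop starts wuauclt.exe, which Windows Update normally starts from svchost.exe.
EVENTS = [
    {"image": r"C:\Documents and Settings\user\Desktop\payment receipt(document 3.03.2104).exe",
     "parent": r"C:\WINDOWS\explorer.exe"},
    {"image": r"C:\WINDOWS\system32\wuauclt.exe",
     "parent": r"C:\Documents and Settings\user\Desktop\payment receipt(document 3.03.2104).exe"},
    {"image": r"C:\WINDOWS\system32\wuauclt.exe",
     "parent": r"C:\WINDOWS\system32\svchost.exe"},
]

EXPECTED_PARENTS = {"svchost.exe", "services.exe"}   # assumption: normal wuauclt.exe parents
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".txt")
LURE_WORDS = ("document", "receipt", "invoice")      # assumption: words taken from this lure's name


def disguised_executable(path):
    """True for an .exe whose base name imitates a document, either by carrying a
    document extension before .exe (report.pdf.exe) or by using a lure word."""
    name = ntpath.basename(path).lower()
    if not name.endswith(".exe"):
        return False
    stem = name[:-4]
    return stem.endswith(DOC_EXTENSIONS) or any(w in stem for w in LURE_WORDS)


def flag_events(events):
    """Return (reason, path) findings for the two behaviours described in the report."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        if disguised_executable(ev["image"]):
            findings.append(("document-lookalike executable", ev["image"]))
        if image == "wuauclt.exe" and parent not in EXPECTED_PARENTS:
            findings.append(("wuauclt.exe with unexpected parent", ev["parent"]))
    return findings
```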
The dropped DLL enumerates the specified values in the path below.
- Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Value Name: UninstallString, DisplayName
Figure 8. RegEnumKeyEx
It searches registry keys and files related to ‘FTP’, ‘E-mail’, and ‘Internet Browser’ using the
routine below.
Figure 9. Search routine
The stolen information is sent to the server.
Figure 10. Send information
The stolen information is uploaded to the following web page.
- http://****asit.su/admin/db
Figure 11. List of the infected system
The information stored on this page is classified into the types below.
- bot
- email
- ftp
- http
- RDP (Remote Desktop Protocol)
Table 4. Information type
The “bot” type contains the OS type, bitness, and country code.
Figure 12. Bot info
The “email” type contains the email address, mail server type, port number, user ID, and user password.
Figure 13. Email info
The “ftp” type contains the FTP ID, FTP password, and FTP address.
Figure 14. FTP info
① FTP ID
② FTP PW
③ FTP address
The “http” type contains the user ID, user password, and site address.
Figure 15. HTTP info
① User ID
② User PW
③ Web site address
The attacker also steals Remote Desktop information.
Figure 16. RDP info
① RDP ID
② RDP PW
③ RDP address
The attacker sets country codes in the ‘geoip.inc’ file in order to identify the source of the collected
information. Korea is set to ‘119’.
Figure 17. Country code
The major cities of each country are also assigned specific codes.
Figure 18. City code
2. Technical Details
The malware enumerates user account information, such as privilege level and login
information, using the ‘NetUserEnum’ function.
Figure 19. NetUserEnum
It also tries to log on to servers such as mail servers, terminal servers, and remote shells by calling the
‘LogonUserA’ function with the ‘Logon Type’ set to ‘LOGON32_LOGON_INTERACTIVE’. It uses the user names and
passwords in the following lists.
Figure 20. LogonUser
Administrator
ASPNET
Guest
HelpAssistant
PC
SUPPORT_388945a0
Table 5. User Name list
Figure 21. PW List
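The following Python, added here and not part of the report, flags the logon-guessing behaviour described above by looking for failed interactive logons (logon type 2, the value of LOGON32_LOGON_INTERACTIVE) against several distinct accounts from one process within a short window. The record layout, the window and the threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the sample tries (Table 5 of the report).
REPORT_ACCOUNTS = {"Administrator", "ASPNET", "Guest", "HelpAssistant", "PC", "SUPPORT_388945a0"}
INTERACTIVE = 2   # LOGON32_LOGON_INTERACTIVE; logon type 2 in Security-log failure records

# Constructed failed-logon records (assumption, not report data):
# (timestamp, logon type, account name, process that called LogonUser).
RECORDS = [
    ("2014-03-03 21:30:01", 2, "Administrator", r"C:\WINDOWS\system32\wuauclt.exe"),
    ("2014-03-03 21:30:01", 2, "ASPNET", r"C:\WINDOWS\system32\wuauclt.exe"),
    ("2014-03-03 21:30:02", 2, "Guest", r"C:\WINDOWS\system32\wuauclt.exe"),
    ("2014-03-03 21:30:02", 2, "HelpAssistant", r"C:\WINDOWS\system32\wuauclt.exe"),
    ("2014-03-03 21:30:03", 2, "SUPPORT_388945a0", r"C:\WINDOWS\system32\wuauclt.exe"),
    ("2014-03-03 21:45:10", 2, "alice", r"C:\WINDOWS\system32\winlogon.exe"),  # one user typo
]


def password_guessing(records, window=timedelta(seconds=60), min_accounts=3):
    """Map each process that failed interactive logons against at least `min_accounts`
    distinct accounts inside `window` to the accounts it tried and how many of them
    are on the report's list. A single user mistyping one password never triggers."""
    by_proc = defaultdict(list)
    for ts, ltype, account, proc in records:
        if ltype == INTERACTIVE:
            by_proc[proc].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account))
    alerts = {}
    for proc, attempts in by_proc.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):          # slide a window over the attempts
            accounts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                alerts[proc] = {"accounts": sorted(accounts),
                                "from_report_list": len(accounts & REPORT_ACCOUNTS)}
                break
    return alerts
```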
The malware steals FTP server information and user account information, abusing the fact that Site
Manager information is saved in plain text.
Figure 22. Search registry key
It searches the registry keys and configuration files of the following FTP clients to steal the server name, port number, user ID, and password.
Far - Software\far\plugins\ftp\hosts
Far2 - Software\far2\plugins\ftp\hosts
GlobalSCAPE - Software\GlobalSCAPE\
FileZilla - Software\FileZilla\Site Manage
GHISLER - installPath\GHISLER\wcx_ftp.ini
ws_ftp - Software\ipswitch\ws_ftp
SmartFTP - <user name>\Application Data\SmartFTP\Client 2.0\Favorites
TurboFTP - <user name>\Application Data\TurboFTP\addrbk.dat
CoffeeCup Software - Software\CoffeeCup Software\Internet\Profiles
FTP Commander - Software\Microsoft\Windows\CurrentVersion\Uninstall
FTP Navigator - Software\Microsoft\Windows\CurrentVersion\Uninstall
ALFTP - <user name>\Application Data\Estsoft\ALFTP\ESTdb2.dat
FTPRush - Software\FTPRush\DataFolder
UltraFXP - Software\UltraFXP
FTPware - Software\FTPWare\CoreFTP\Sites
SecureFX - Software\VanDyke\SecureFX\Config Path
BlazeFTP - Software\FlashPeak\BlazeFtp\Settings
Robo-FTP 3.7 - Sofware\Robo-FTP 3.7\FTPServers
LinasFTP - Software\LinasFTP\Site Manager
MAS-Soft - Software\MAS-Soft\TRPInfo
Table 6. Path of registry-1
The malware enumerates the registry keys below to steal information from Internet Explorer, Firefox,
Chrome, and Opera.
HKCU\Software\Opera software
HKCU\Software\Mozilla
HKCU\Software\Microsoft\Internet Explorer
HKCU\Software\Google\Chrome
HKCU\Software\ChromePlus
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Table 7. Registry info
Internet Explorer stores two types of passwords: Autocomplete passwords and HTTP basic authentication
passwords. Autocomplete passwords are ordinary website login passwords, such as those for Gmail,
Facebook, LinkedIn, etc. HTTP basic authentication passwords are network login passwords for
LANs, etc.
a. Autocomplete password
From version 7 onwards, IE stores all Autocomplete passwords in encrypted form at the following registry
location.
- HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Each entry under this registry key is named by a hash of the website URL and holds the
username / password for that URL. The malware steals this information after searching the registry
values.
Figure 23. Search registry
b. HTTP basic authentication password
The HTTP basic authentication passwords are stored in the ‘Credentials Store’. The ‘Credentials
Store’ is in the following location:
Windows XP:
- C:\Documents and Settings\[user name]\Application Data\Microsoft\Credentials
Windows Vista and later:
- C:\Users\[user name]\AppData\Roaming\Microsoft\Credentials
The HTTP basic authentication passwords are encrypted using built-in Windows cryptography
functions. To enumerate the contents of the ‘Credentials Store’, the malware uses the ‘CredEnumerate’
function, and it uses the ‘CryptUnprotectData’ function to decrypt them.
Figure 24. Steal pwd
Chrome stores usernames and passwords in a SQLite database called Login Data, located in the
following locations:
Windows XP:
- C:\Documents and Settings\[user name]\Local Settings\Application Data\Google\Chrome\User Data\Default
Windows Vista and later:
- C:\Users\[user name]\AppData\Local\Google\Chrome\User Data\Default
To steal user names and passwords, it enumerates this directory.
Figure 25. Search file
Firefox stores usernames and passwords in a SQLite database called signons.sqlite, which can be
found in the following folders:
Windows XP:
- C:\Documents and Settings\[user name]\Application Data\Mozilla\Firefox\Profiles\[random_name].default
Windows Vista and later:
- C:\Users\[user name]\AppData\Roaming\Mozilla\Firefox\Profiles\[random_name].default
The malware uses the query below to steal the information.
Figure 26. DB query
Opera stores the following information in an encrypted file called wand.dat:
- Login URL
- Main website URL
- Username field ID
- Username
- Password field ID
- Password
wand.dat is stored locally on the computer in the following locations:
Windows XP:
- C:\Documents and Settings\[user name]\Application Data\Opera\Opera\wand.dat
Windows Vista and later:
- C:\users\[user name]\AppData\Roaming\Opera\Opera\wand.dat
The malware finds this information and sends it to the server.
Figure 27. Search info
It searches the registry to steal e-mail account information.
Figure 28. Search registry key
The registry paths are as follows:
HKCU\Software\Microsoft\Windows Live Mail
HKCU\Software\Microsoft\Windows Mail
HKCU\Software\Poco Systems Inc\accounts.ini
HKCU\Software\IncrediMail\account.cfg
HKCU\Software\Microsoft\Internet Account Manager\Accounts
HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Table 8. Path of registry-3
3. Opinion of Red Alert
A variant of ‘Outlook Spyware’ has been distributed recently. Like ‘Outlook Spyware’, it steals FTP and E-mail
information, and it also steals Internet browser information. If a system is infected with
the malware, the malware steals user information and sends it to the server. The stolen
information can lead to secondary damage. Please change your passwords regularly and
encrypt important files or directories.
4. Removal Recommendations
Delete the files at the paths below.
- C:\payment receipt.exe
- %Desktop%payment receipt(document 3.03.2104).exe
Delete the registry entry related to the malware.
- Subkey of HKCU\Software (refer to ‘Figure 4. Registry value’)
Change your passwords regularly.
Set a password to protect important documents and directories.
Please get a thorough system examination by referring to ‘Reference [1] Virus Total’ and treat the
malware through A/V.
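The random-named binary value under HKCU\SOFTWARE described in Section 1 is the registry artifact this section asks you to remove. The following Python, added here and not part of the report, scans a .reg export of that key for long, purely numeric value names holding REG_BINARY data; the embedded export is constructed, and the 12-digit minimum name length is an assumption (the sample used 16 digits).

```python
import re

# Constructed HKCU\SOFTWARE export in .reg format (assumption, not the report's sample):
# one random-named REG_BINARY value like the one in Figure 5, beside a benign value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE]
"6619057994651728"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,\
  00,00,00,00,00,00,40,00,00,00
"ExampleVendorSetting"="enabled"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]
"1234567890123456"=hex:00,01
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value in a .reg export,
    joining lines that regedit wrapped with a trailing backslash."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):          # wrapped hex data continues on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def suspicious_values(text, key=r"HKEY_CURRENT_USER\SOFTWARE", min_digits=12):
    """Return (value_name, byte_length) for values directly under `key` whose name is
    a long run of digits and whose data is REG_BINARY, the pattern seen in this sample."""
    hits = []
    for k, name, data in parse_reg(text):
        if k.lower() != key.lower():
            continue                     # values in subkeys are not the artifact
        if name.isdigit() and len(name) >= min_digits and data.startswith("hex:"):
            blob = bytes(int(b, 16) for b in data[4:].split(",") if b)
            hits.append((name, len(blob)))
    return hits
```

Export the key with `reg export HKCU\SOFTWARE software.reg` on the suspect system and pass the file contents to suspicious_values.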
5. Reference
[1] Virus Total
https://www.virustotal.com/ko/file/942b5bff64bb44223be4956415f9b70b7022f220dd02b5894a90a2841f646a9e/analysis/
[2] File Analyzer
http://file-analyzer.net/analysis/2555/8663/0/html
[3] Microsoft
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS:Win32/Fareit#tab=2
[4] Browser security
http://excellenttips.wordpress.com/2012/07/12/browser-security-how-firefox-ms-internetexplorer-chrome-opera-safari-store-usernames-passwords-part-1-of-5/