Friday, November 5, 2004

A story about malware

Wow, this is a crazy read. See the original here as a person at the SANS Internet Storm Center maps out the path of a single users visit to one website on an unpatched workstation.

Please, if you like having a clean system, at *least* do the following...

1: Install AdAware from Lavasoft
   Run it once a week and update it often.

2. Install Spybot S&D
   Update the definition files, turn on the memory resident portion and dont forget to imunize your system. I can't tell you how many times I go to a page and get a "Doubleclick Detected" pop-up. This keeps sooooo much crap off of your machine.

3. Install an anti-virus program on your computer. I recoment AVG Anti-Virus only because it is free and has updates just as good as the comercial ones. If you use a different one fine, just make sure to update the virus definitions AND engine.

4. Install ZoneAlarm from ZoneLabs. I know it is chatty at first but you can't believe how much safer your system is if you do this. If you don't know what a process it, deny it from accessing your network connection.

5. If you have kids using the computer while you are not around... Install something like NetNanny . this one costs money but it is to protect your kids.

Anyway. Just in case you don't want to follow another link, here is the clip from the SANS ICS about malware... Be afraid. Be VERRY afraid!

Follow The Bouncing Malware, Part III

Note: Most of the links in the following are not "clickable" on purpose. Think of it as a warning...

Before we begin our tumble down the rabbit hole once more, just a few brief words:

For those of you who have been following this little excursion: thank you for your patience. It’s probably difficult to completely understand the amount of time that each of these little essays takes to research and write. While I’ve been working on this particular installment, there were also the distractions of family, job, the daily “stuff” coming in at the SANS ISC, MS04-028, GDIScan, turning the ISC into the GDIScan helpdesk (sorry gang!), windsurfing the halls at NS2004 in Vegas, etc..., etc... You have my sincere apologies for the wait, as well as my fervent hope that it was worth it.

With that out of the way, why don’t we “warm up” by quickly retracing the path we’ve already trod? Perhaps now would be a good time to take a bathroom break and grab a fresh container of your favorite adult beverage, ‘cause once this caravan rolls, we ain’t stoppin’. Go on, I’ll wait...

Ready? Good. Let’s go!

In the beginning, there was Joe Average. And Joe didst buy himself a computer and conneceth it to the Internet. And with his computer, Joe did surfeth, and readeth email, and playeth many games. And Joe looked upon the Internet, and it was Good.

But while Joe did possess knowledge of the Internet Good, he did not understand that Evil too lived on the Internet. And he patcheth not.

Then one day, Joe didst unknowingly go to a Bad Place, and much Evil befell his shiny new computer.

How Evil? Very, VERY Evil:

From Follow The Bouncing Malware, Part I
( ):

1) Joe's homepage had been changed. It is now set to:

2) Joe’s default search page has been set to:

3) Search assist has been turned off.

4) "TV Media Display" has been installed on Joe's machine.

5) had graced Joe's machine with a file identified by AV software as Win32/TrojanDownloader.Rameh.C.

And, from Follow The Bouncing Malware, Part II
( ):

6) Joe’s computer, at the behest of the Addictive Technologies malware, downloaded “instructions” from

7) Following those instructions, new “Favorites” were added to Joe’s browser, and two new “gifts” (SplWbr.dll and ezbdlLs.dll) were installed on his computer.

8) The installation of SplWbr.dll dumped an “Ad Destroyer and Virtual Bouncer” from SpyWare Labs, Inc. and “ AutoTrack software” onto Joe’s computer.

9) The installation of ezbdlLs.dll dropped a “Utility for downloading files and upgrading software” from “ABetterInternet”, a utility to “Make Your Internet Browsing Simple, Exciting, and Personal” from the fine folks at “ezULA”, and an affiliate ID hijacker called SAHAgent onto Joe’s PC.

10) Finally, the file hp1.exe was downloaded and executed via a .CHM exploit.

That’s where we stopped last time, with my promise that the file “hp1.exe” was “a real piece of work.”

So... let’s take a look at hp1.exe.

The file hp1.exe contains 49,152 bytes o’ Visual Basic goodness (guffaw). The file’s version information claims that it was created by a company called “df”, with an internal name of “bigs104”. Launching this beastie begins bringing down a veritable rain of malware on a machine. Sit back and try to keep up as we follow the bouncing malware:

First, it contacts "" and downloads 1449 bytes of some sort of data:

{}{}{} (note: this was Joe’s machine’s IP address)
(Note: the data has been reformatted to display better in the Diary.)

Well, what the heck does all of that mean? Hmmm... it’s obviously a “generated on the fly” data file, because the file contained, in plain-text, the IP address of the NAT firewall that Joe’s machine was behind. It also appears to have been “encrypted” in some manner.

Given some time, and several pieces of paper wadded up and thrown at the cat in frustration, your intrepid author cracked the code, and wrote the following program to decrypt the data:


int main(int ac, char **av) {
FILE *in, * out;
char buffer[80], *c, val;
int cont = 1;

if(ac != 2){puts("Usage: df_decrypt filename"); return 1;}
if((in = fopen(av[1], "r")) == NULL){puts("Cannot open input file."); return 2;}
if(!(out = fopen("output.txt", "w"))){puts("Cannot open output file."); return 3;}
if(fgets(buffer, sizeof(buffer), in)){
c = buffer;
if(*c != '\n'){
val = *c & 7;
if(val < 4) *c = *c + 4;
else *c = *c - 4;
fputs(buffer, out);
} else cont = 0;
fclose(in); fclose(out);
return 0;
Filling the decrypted data back into the file alongside any original data that is obviously “keywords” results in the following unencrypted file:

{}{}{} (note: this was Joe’s machine’s IP address)
{}{}{}phases====== dragonballz===1|||cracks===2||if you use this site===1
{}{}{}sewers====== sex for free===1|||sex===2|||more sex for me===1
After downloading this “control data” file, Joe’s computer then contacts "" on TCP port 8010 (where aaa.bbb.ccc.ddd is Joe’s computer’s IP address) and has three lines of data returned: “2”, “US”, “0”.

This ties in with what appear to be “country codes” found within various portions of the unencrypted data file. It appears that the malware will react differently depending on the country where the infected machine is located. The script at takes the IP address and returns a country code. The other two codes (“2” and “0”) appear to control different aspects of the malware’s behavior.

Immediately upon receiving the “US” country code from, Joe’s computer contacts "" and downloads, installs, and registers this 61,440 byte OCX. Examining this file, it appears to be an OCX version of hp1.exe. It contains many of the same strings, and appears to offer the same functionality. I would assume that it acts as a resident version of hp1.exe.

Next, hp1.exe contacts "" and downloads a 40,960 byte executable. The “8-24” name is derived from the date at the time of the download (August 24th).

Based upon the “marching orders” within the unencrypted datafile, Joe’s computer now contacts "" and downloads a 129,152 byte executable. It then contacts "" and downloads a 9,056 byte executable.

Both of these files are launched, and MediaMotor25.exe immediately initiates a download from "" which is a 129,536 byte long BHO (Browser Helper Object) that is installed into (duh) IE (Internet Explorer). IeBHOs.dll is a known component of adware from “e2give.” Because it is installed into IE and becomes, essentially, part of the browser, it is in the perfect position to monitor the URLs being “surfed” and to change Joe's browser's requests when going to specific sites in order to “direct” affiliate commissions to e2give. According to the website, “e2give will donate a portion of each qualifying purchase to the e2give charities network.” This, of course, makes it perfectly fine for them to install their software onto Joe’s machine without his permission. (Yes, that was sarcasm.)

The ast_4_mm.exe file from is a Wise installation executable. As it installs, it phones home to let the fine folks at avatarresources know that it has found a new place to live:


The Wise installation has it’s own downloading engine which contacts the interestingly named “” and accesses the URL “http://” which, despite the fact that it generates errors, sends back more configuration information (sheesh guys, if you’re going to go through all the trouble to set this stuff up, at least set the permissions correctly on your scripts...)


Warning: SAFE MODE Restriction in effect.
The script whose uid is 500 is not allowed to access
/config/log owned by uid 10011 in/usr/local/psa/home
on line 24

Warning: fopen("/usr/local/psa/home/vhosts
/", "a") -
Inappropriate ioctl for device in /usr/local/psa
/config/index.php on line 24

Warning: fputs(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
on line 25

Warning: fclose(): supplied argument is not a
valid File-Handle resource in /usr/local/psa
on line 26





That’s just really BAD programming: you MUST check that those handles returned are valid when you open a file... dang... that’s Programming 101 Stuff. But I digress...

Hey! Look there! I see more URLs pointing to executable files. Gee, I wonder what’ll happen...?

Anyway... we now manage to round out the list of files that was in our original encrypted configuration data, and Joe’s machine goes out and grabs a file from "" This actually does appear to be some sort of uninstall program, written in Visual Basic, and weighing in at 45,056 bytes. It only seems targeted at the files directly installed by the hp1.exe file, though.

But, lest we forget, we still have a Wise install running in the background. And, you guessed it, in “PRIORITY” order, it downloads:

"" (270,415 bytes)
"" (500,869 bytes)
"" (53,738 bytes)
"" (270,415 bytes - ????????)

Yes, you read that correctly. It DID download the exact same file twice. (It must be a personality trait of the morally bankrupt that they can be both clever and inane at the same time. The authors of these programs really do pull off some amazing stuff... but then they follow that up almost immediately by doing some amazingly STUPID stuff. Consistency guys, consistency...)

While all of that is happening, hp1.exe (Remember that file? It’s the one we started this installment with...) phones home to tell the folks at that all is well in malware-land, that it has done everything it was supposed to do, and that it deserves a big ol’ digital pat on the back:

"http://{D358D17F-0D1A-4A98-A98D-810B01216183} &what=newinstall&aff=bigs104&country=US&ocx18=1&myexe=1&avatar=1&e2give=1"

“See! Look what I did! I installed ‘ocx18’ (mm20.ocx), ‘myexe’ (8-24.exe), ‘avatar’ (ast_4_mm.exe), and ‘e2give’ (MediaMotor25.exe) on this poor schmoe’s computer! Aren’t you proud of me?”

Not to be outdone, our Wise installer needs to phone home and let everyone know what a good job it did too:


So where does this leave us?

Well, Joe’s computer now has had so many fun and exciting “additions” installed I’m beginning to lose track. Let’s see: Joe’s computer now has two “affiliate buck” redirectors (SAHAgent and e2give), it’s had stuff from installed, as well as all of those files from And there’s more... trust me, there’s more.

Remember: this is all the result of visiting a SINGLE website with an unpatched machine.

If you ever need to explain to someone the pitfalls involved in not patching, all you need to do is point them to this listing:

The score card thus far (and I’m only counting executable content):

hp2.exe (16,384 bytes)
tvmupdater4bp5.exe (195,072 bytes)
AtPartners.dll (96,256 bytes)
SplWbr.dll (454,656 bytes – expands out to 3 files making up 892,288 bytes)
ezbdlLs.dll (151,040 bytes – expands out to 4 files making up 314,880 bytes)
hp1.exe (49,152 bytes)
mm20.ocx (61,440 bytes)
8-24.exe (40,960 bytes)
MediaMotor25.exe (9,056 bytes)
ast_4_mm.exe (129,152 bytes)
IeBHOs.dll (129,536 bytes)
cpr_mm2.exe (270,415 bytes)
ab1.exe (500,869 bytes)
tvm_bundle.exe (53,738 bytes)
and of course cpr_mm2.exe (270,415 bytes) again...

The shameful total (thus far... there’s more to come):
15 files – 2,428,141 bytes downloaded
20 files – 3,029,613 bytes on disk

And, no doubt, I missed a few...
I started Part II of “Bouncing Malware” by saying that Joe’s PC was no longer his own. With over 2 MB of software downloaded, installed, and executed without his permission, I would say that there is little doubt that Joe ISN’T the guy running the show. But who is?

In the next installment, I want to finish up looking at some of the software installed on Joe’s PC and then turn my sights to finding out a little more about the folks responsible for the deluge of spyware and adware that assault our machines and networks on a daily basis. Stay tuned... it’s gonna be fun.

No comments:

Post a Comment