Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Ch10: Remote Access Trojans and Zombie Networks
See also Win32:Sirefef.A -- an earlier version that was distributed with Data Recovery scareware
This is a recent strain of a malware family that was infecting user PCs with the IE8 browser (along with Win32/Tracur.AV, which disables several AV programs including Microsoft Security Essentials) when the Foreign Affairs magazine website was compromised in December 2012 (see Foreign Policy Group Gets Hacker Happy New Year). While I wish that all neocons (for whom this site is a watering hole) got this nasty malware ;-), innocent visitors with Windows XP and the IE 8 browser were hurt too...
Hackers said a big Happy New Year to the Council on Foreign Relations, using the organization's own website to attack unsuspecting visitors. The CFR is a non-partisan policy group (tell this anybody -- NNB ;-), known mostly for publishing Foreign Affairs, an influential journal on the subject. The group's website was infected with malware that uses a "watering hole" attack -- waiting for users to visit the site before downloading the malware to their machines. The malware involved allows a hacker to execute code remotely on the target computer.
... ... ...
The malware only works on Internet Explorer 8 or earlier versions. The hackers altered the HTML code on the CFR's website itself and were able to remotely execute a program on any computer that accessed the site. The malware was hidden in several pieces and stored in areas that the web page needed to go to in order to retrieve stored content such as text and pictures. "The JavaScript is hidden in a file on the system that is usually used for a completely different purpose," he said.
Microsoft is reportedly working on a permanent fix, and issued a security advisory on Dec. 29. In the meantime there is an automatic work-around here. The simplest way to protect oneself is to disable Javascript and Flash, according to Microsoft, but sometimes turning those two features on and off for different sites can be inconvenient. Users of Internet Explorer 9 and later aren't vulnerable.
While the particular attack on the CFR website used a previously unknown vulnerability in Internet Explorer, the "watering hole" attack is nothing new: a local government site in Maryland and a bank in Boston were hit by one called VOHO in July, which infected targeted computers with code that sent information such as keystrokes back to a server.
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e
File size: 0 bytes
File name: Whisky Bible Pro 2012_v1.1crk.apk
File type: unknown
Tags: zero-filled nsrl hash-collision software-collection
Detection ratio: 0 / 46
Analysis date: 2013-01-05 20:16:56 UTC
Note that these three hashes are the well-known digests of an empty (zero-byte) input, so this metadata block does not describe the sample whose behavior is reported below; the actual sample appears in the report under its SHA256 file name.
The following is a condensed report of the behavior of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
File system activity
Opened files:
  C:\WINDOWS\system32\V3Medic.exe (failed)
  C:\6c6bc20dc36e2b9b6a0280cc7e1a8a291e2e6bb7221210d497939a80da43a7cd (successful)
  C:\WINDOWS\system32\V3Medic.exe (successful)
  C:\WINDOWS\system32\reg.exe (successful)
  \\.\PIPE\lsarpc (successful)
  c:\autoexec.bat (successful)
  C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\5DC8A.exe (successful)
  C:\WINDOWS\system32\rsaenh.dll (successful)
  C:\WINDOWS\system32\drivers\etc\hosts (successful)
  C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
  \\.\SICE (failed)
  \\.\SIWVID (failed)
  \\.\NTICE (failed)
  \\.\REGSYS (failed)
  \\.\REGVXG (failed)
  \\.\FILEVXG (failed)
  \\.\FILEM (failed)
  \\.\TRW (failed)
  \\.\ICEEXT (failed)
  \\.\PIPE\SfcApi (successful)
  C:\WINDOWS\system32\ws2help.dll (successful)
  C:\WINDOWS\IRIMGV3.bmp (successful)
Read files:
  c:\autoexec.bat (successful)
  C:\WINDOWS\system32\rsaenh.dll (successful)
  C:\WINDOWS\system32\drivers\etc\hosts (successful)
Written files:
  C:\WINDOWS\system32\V3Medic.exe (successful)
  C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\5DC8A.exe (successful)
  C:\WINDOWS\system32\drivers\etc\hosts (successful)
  C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
  C:\WINDOWS\IRIMGV3.bmp (successful)
Copied files:
  SRC: C:\6c6bc20dc36e2b9b6a0280cc7e1a8a291e2e6bb7221210d497939a80da43a7cd DST: C:\WINDOWS\system32\V3Medic.exe (successful)
  SRC: C:\WINDOWS\system32\ws2help.dll DST: C:\WINDOWS\system32\ws2helpXP.dll (successful)
Moved files:
  SRC: C:\WINDOWS\system32\ws2help.dll DST: C:\WINDOWS\system32\ws2help.dll.byM.tmp (successful)
  SRC: C:\WINDOWS\IRIMGV3.bmp DST: C:\WINDOWS\system32\ws2help.dll (successful)
Deleted files:
  C:\WINDOWS\system32\dia3.ini (failed)
Registry activity
Set keys:
  KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}\stubpath TYPE: REG_EXPAND_SZ VALUE: %SystemRoot%\system32\V3Medic.exe (successful)
  KEY: HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy TYPE: REG_DWORD VALUE: 1 (successful)
  KEY: HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable TYPE: REG_DWORD VALUE: 0 (successful)
  KEY: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable TYPE: REG_DWORD VALUE: 0 (successful)
  KEY: HKEY_USERS\S-1-5-21-1275210071-920026266-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings TYPE: REG_BINARY VALUE: (successful)
  KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass TYPE: REG_DWORD VALUE: 1 (successful)
  KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName TYPE: REG_DWORD VALUE: 1 (successful)
  KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet TYPE: REG_DWORD VALUE: 1 (successful)
  KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\Version TYPE: REG_DWORD VALUE: 8 (successful)
  KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs TYPE: REG_SZ VALUE: ws2help.dll (successful)
Deleted keys:
  0x00000000\Identity (failed)
  HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7} (failed)
Process activity
Created processes:
  reg delete HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}" /f" (successful)
  C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\VnrYne173.exe (successful)
Mutex activity
Created mutexes:
  RasPbFile (failed)
Opened mutexes:
  ShimCacheMutex (successful)
  RasPbFile (successful)
Application windows activity
Searched windows:
  CLASS: FileMonClass NAME: (null)
  CLASS: 18467-41 NAME: (null)
  CLASS: OLLYDBG NAME: (null)
Windows service activity
Opened service managers:
  MACHINE: localhost DATABASE: SERVICES_ACTIVE_DATABASE (successful)
Opened services:
  RASMAN (successful)
Runtime DLLs (all loaded successfully):
  advapi32.dll, wininet.dll, kernel32.dll, version.dll, secur32.dll, shell32.dll, wsock32, ws2_32, comctl32.dll, rasapi32.dll, rtutils.dll, rpcrt4.dll, sensapi.dll, ntdll.dll, userenv.dll, netapi32.dll, urlmon.dll, c:\windows\system32\mswsock.dll, dnsapi.dll, rasadhlp.dll, hnetcfg.dll, c:\windows\system32\wshtcpip.dll, msvcrt.dll, user32.dll, rsaenh.dll, msvcp60.dll, psapi.dll, c:\windows\system32\sfc_os.dll
Additional details
Network activity
HTTP requests:
  URL: http://blog.sina.com.cn/s/blog_af5f75a301015gge.html TYPE: GET UA: Testing
  URL: http://www.ezyeconomy.com/xml/20121009/c4.gif TYPE: GET UA: Testing
DNS requests:
  blog.sina.com.cn (218.30.115.254)
  www.ezyeconomy.com (121.78.127.93)
TCP connections:
  218.30.115.254:80
  121.78.127.93:80
UDP communications:
  <MACHINE_DNS_SERVER>:53
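As an added example (not part of the sandbox report or the original page), here is a small Python triage script that parses condensed report lines in the format shown above and flags the persistence, system-file tampering and anti-analysis indicators they carry. Its sample input is trimmed from the report above; the indicator rules (the device and window names it checks, the labels it assigns) are this example's own choice.

```python
import re

# Constructed sample: lines trimmed from the condensed report above, same syntax.
REPORT = r"""
Written files...C:\WINDOWS\system32\V3Medic.exe (successful) C:\WINDOWS\system32\drivers\etc\hosts (successful)
Moved files...SRC: C:\WINDOWS\IRIMGV3.bmp DST: C:\WINDOWS\system32\ws2help.dll (successful)
Opened files...\\.\SICE (failed) \\.\NTICE (failed) c:\autoexec.bat (successful)
Set keys...KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs TYPE: REG_SZ VALUE: ws2help.dll (successful) KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BB5624C0-5C5C-70B6-9431-ADF537E08AA7}\stubpath TYPE: REG_EXPAND_SZ VALUE: %SystemRoot%\system32\V3Medic.exe (successful)
Searched windows...CLASS: FileMonClass NAME: (null) CLASS: 18467-41 NAME: (null) CLASS: OLLYDBG NAME: (null)
"""

EVENT_RE = re.compile(r"(.*?)\s*\((successful|failed)\)")  # one event per outcome marker
# Device names of SoftICE, Filemon/Regmon and similar tools; opening "\\.\NAME" is a presence check.
ANALYSIS_DEVICES = {"SICE", "SIWVID", "NTICE", "REGSYS", "REGVXG", "FILEVXG", "FILEM", "TRW", "ICEEXT"}
ANALYSIS_WINDOWS = {"OLLYDBG", "FILEMONCLASS"}  # window classes of OllyDbg and Filemon
SYSTEM_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)

def parse_report(text):
    """Yield (category, event, outcome) for every event in the condensed report."""
    for line in text.splitlines():
        if "..." not in line:
            continue
        category, body = line.split("...", 1)
        events = EVENT_RE.findall(body)
        if not events:  # "Searched windows" entries carry no outcome marker
            events = [(e, "n/a") for e in re.findall(r"CLASS:\s*\S+", body)]
        for event, outcome in events:
            yield category.strip(), event.strip(), outcome

def classify(category, event):
    """Return an indicator label for one event, or None if it looks benign."""
    up = event.upper()
    if category == "Set keys":
        if "APPINIT_DLLS" in up:
            return "persistence: AppInit_DLLs loads the DLL into every user32 process"
        if "ACTIVE SETUP\\INSTALLED COMPONENTS" in up and "STUBPATH" in up:
            return "persistence: Active Setup StubPath runs at next logon"
    if category in ("Written files", "Moved files", "Copied files"):
        target = up.split("DST:")[-1].strip()  # destination path for copy/move entries
        if SYSTEM_DLL_RE.search(target):
            return "tampering: DLL written into system32 (possible system library hijack)"
        if target.endswith("\\DRIVERS\\ETC\\HOSTS"):
            return "tampering: hosts file modified (local DNS hijack)"
    if category == "Opened files" and up.startswith("\\\\.\\") and up[4:] in ANALYSIS_DEVICES:
        return "anti-analysis: probes for a debugger/monitor driver"
    if category == "Searched windows":
        m = re.search(r"CLASS:\s*(\S+)", event)
        if m and m.group(1).upper() in ANALYSIS_WINDOWS:
            return "anti-analysis: looks for an analysis-tool window"
    return None

def triage(text):
    """Return (label, evidence) pairs for every suspicious event in the report."""
    return [(label, f"{event} ({outcome})")
            for category, event, outcome in parse_report(text)
            if (label := classify(category, event))]

if __name__ == "__main__":
    for label, evidence in triage(REPORT):
        print(f"{label:<72} <- {evidence}")
```

Run against the full report above, the same rules also surface the ws2help.dll copy/move sequence and the other SoftICE/Regmon/Filemon device probes.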
Trend Micro warns.
"During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware," the researchers shared.
As it turned out, the patched file was a component of the Sirefef/Zaccess malware family, and was used to run the malware's other malicious components upon reboot.
"This proved to be a new variant of Sirefef/Zaccess, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques," they said.
The infection with this new variant was traced back to the execution of K-Lite Codec Pack.exe, which has more than likely been downloaded by the users themselves from the Internet in order to play movies downloaded via P2P applications.
To keep up the illusion that the offered codec is legitimate and to up the likelihood of it being used, the file names are also often modified to include the titles of popular movies.
According to Trend Micro numbers, Sirefef/Zaccess infections have hugely increased in July, going from some 1,000 infected computers on the first of the month to over 11,000 on the 27th.
The great majority of infected computers are located in the US. Nevertheless, all users are advised to be cautious when downloading files from untrusted sources such as P2P networks.
IE zero-day used in targeted watering hole attacks
The exploited website was that of the Council on Foreign Relations, an organization, publisher, and think tank specializing in U.S. foreign policy and international affairs, among whose members are a number of high-profile U.S. government and political figures such as former secretary of state Madeleine Albright, former treasury secretary Robert Rubin, and many others.
According to security researcher Eric Romang, the website seems to have been compromised as early as December 7, and possibly even earlier.
FireEye's researchers were alerted to the compromise on December 27 and proceeded to analyze the attack and discover its use of a previously unknown Microsoft Internet Explorer vulnerability.
Visitors to the website who used IE 6, 7, or 8, had Flash and Java 6 installed, and had the OS language set to U.S. English, Chinese, Taiwan Chinese, Russian, Korean or Japanese were unknowingly redirected to a page serving a malicious Shockwave Flash file (today.swf) that would trigger the vulnerability. Others were redirected to a blank page.
"When the Flash object was loaded, it performed a heap-spray and injected the shellcode used to locate the xsainfo.jpg file, decode it, and store it in the %Temp%/flowertep.jpg file," Symantec's researchers explained. "Next, a request was sent for the robots.txt file which gets de-obfuscated and then used to load the malicious payload (flowertep.jpg) using techniques to bypass DEP and ASLR on Windows 7."
All this was performed to ultimately allow a secret download of a variant of the Bifrose backdoor, which would give the attackers access to the targeted machines, which largely belong to U.S. users.
Upon the discovery of the attack, Microsoft began working on a patch. They issued a security advisory warning the public about this zero-day 'CDwnBindInfo' use-after-free remote code execution vulnerability.
The flaw affects only IE versions 6, 7 and 8, so users are advised to update to IE 9 or 10 in order to avoid being compromised, or to install Microsoft's "Fix it" solution that reduces the attack surface of the flaw by applying workaround configuration changes.
"Applying this workaround will not interfere with the installation of the final security update that will address this issue," stated Microsoft's Cristian Craioveanu, but advised on uninstalling the workaround once the final security update is installed because it has a small effect on the startup time of Internet Explorer. There's no word yet on when we can expect the security update.
In the meantime, Sophos researchers have also begun analyzing the attack and are claiming that the same exploit was spotted being used on at least five additional websites.
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019