http://isc.sans.org/diary.php?n&storyid=1862
Malware with new features (NEW)
Published: 2006-11-15,
Last Updated: 2006-11-15 10:16:22 UTC by Bojan Zdrnja (Version: 1)
One of our readers, Jerry Askew, sent us an interesting downloader
today. The malware was spammed in e-mail (of course) and it was an
executable file disguised as a JPEG, inside a ZIP archive.
Various AV tools at that point in time did not detect this particular
sample, so we decided to spend some time analyzing what it does.
Downloader after downloader
The sample is a downloader, which is typical for the vast majority of
malware that is spammed today. The downloader connects to a web site and
downloads the second stage payload, which is another downloader.
This second stage downloader downloads and installs a small zoo of
malware. Besides the usual culprits, such as keyloggers and BHOs
(Browser Helper Objects), what's interesting is that it downloads
multiple versions of the same Trojan. Brief analysis of these files
showed that they all behave identically, but look different and
have different checksums. When we tested them against AV programs,
detection varied from file to file (although some AV programs detected
all of them as the same family, differing only in minor version). Why
the authors decided to do this is not clear, but I suspect that they
were just trying to increase their chance of getting the malware onto a
machine - even if your AV program detected and blocked a couple of
samples, there might be one which is not detected.
After this third stage executable has been downloaded, it will turn off
the host-based firewall that comes with Windows XP SP2. It actually
completely disables the Windows Security Center service (wscsvc).
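Disabling wscsvc leaves a trace in the Windows System event log, which gives defenders something concrete to alert on. The following detection script is an added example, not code from the diary or from the sample: it scans Service Control Manager events for a watched service being stopped (event 7036) or having its start type set to disabled (event 7040). The log lines and the pipe-separated export format are constructed for the example; the watchlist is ours and includes the Windows Firewall/ICS service (SharedAccess) alongside wscsvc because the diary reports the host firewall being turned off.

```python
import re
from dataclasses import dataclass

# Display names (as they appear in SCM event text) mapped to service names.
# wscsvc is named in the diary; SharedAccess is our addition to the watchlist.
WATCHED_SERVICES = {
    "Security Center": "wscsvc",
    "Windows Firewall/Internet Connection Sharing (ICS)": "SharedAccess",
}

# Service Control Manager event IDs in the System log:
# 7036 = service entered a new state, 7040 = start type was changed.
STOPPED_RE = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.$")
DISABLED_RE = re.compile(
    r"^The start type of the (?P<svc>.+) service was changed from .+ to disabled\.$"
)

# Constructed sample, not real data from the incident.
# Format: timestamp | source | event id | message
SAMPLE_LOG = """\
2006-11-15 09:58:01 | Service Control Manager | 7036 | The Windows Update service entered the running state.
2006-11-15 10:01:14 | Service Control Manager | 7040 | The start type of the Security Center service was changed from auto start to disabled.
2006-11-15 10:01:15 | Service Control Manager | 7036 | The Security Center service entered the stopped state.
2006-11-15 10:05:42 | Service Control Manager | 7036 | The Print Spooler service entered the stopped state.
"""

@dataclass
class Alert:
    timestamp: str
    service: str
    reason: str

def find_service_tampering(log_text, watched=WATCHED_SERVICES):
    """Return one Alert per stop/disable event touching a watched service."""
    alerts = []
    for raw in log_text.splitlines():
        parts = [p.strip() for p in raw.split("|", 3)]
        if len(parts) != 4 or parts[1] != "Service Control Manager":
            continue  # malformed line or not an SCM event
        ts, _, event_id, message = parts
        if event_id == "7040":
            match, reason = DISABLED_RE.match(message), "start type set to disabled"
        elif event_id == "7036":
            match, reason = STOPPED_RE.match(message), "service stopped"
        else:
            continue
        if match and match.group("svc") in watched:
            alerts.append(Alert(ts, watched[match.group("svc")], reason))
    return alerts

if __name__ == "__main__":
    for alert in find_service_tampering(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.service}: {alert.reason}")
```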
The malware then connects to its command and control center, which is a
plain web server this time (no IRC). The web server produces a nice HTML
page which has three different forms: ftpstaticdata, softstaticdata and
softvardata. These instruct the malware to download additional modules.
Of special interest was the ftpstaticdata section. This section
contained an FTP server IP address and a username/password pair that
the malware used to upload keylogger logs.
Google Maps at your service
Now comes the interesting part. The authors actually went a step
further. Before uploading the data to the FTP server, the malware
connects to detectlocation.ru, which seems to be another compromised
site set up just for this, and executes a Perl script on that site. The
Perl script takes the IP address of the infected machine as input (this
is passed as a parameter in the URL) and detects the geographical
location of the IP address. What's interesting is that it even passes
back valid coordinates that can be used in Google Maps!
Now, when uploading data captured by the keylogger, the malware also
automatically sorts it into directories according to the geographical
location of the IP address.
While at this moment the malware only seems to be capturing information
on infected machines, it will be interesting to monitor it to see
whether it is related to the latest spam increase.
Lessons learned
In any case, it looks like malware authors got a little bit creative
when they decided to use Google Maps. Also, the huge number of installed
Trojans and other malicious programs once again shows that when you
encounter an infection like this one, reinstallation is the only option.