FireEye Malware Intelligence Lab: Anatomy of an MS08-078 exploit, part 2

This is part 2 of the article on MS08-078.

Below I'll talk about what this particular invocation of the exploit carried in terms of payloads.

So after the exploit succeeds, the first thing is does is download and execute a binary. To do that, it needs to do a DNS lookup for the hostname of the server serving the malicious exe (often not on the same server as the exploit page). I run a version of our FireEye appliance in my malware analysis rig, so that I can use our OS monitor to track system and network changes. The real implementation tracks a whole lot more, but I stripped out the uninteresting data points.

Interestingly, before the malware is run, you can see the exploit creates two copies of itself - one in c:\windows, one in the local settings\temp directory in the user account. It then runs the copy from the user's directory.

        <file mode="created">
        C:\Documents and Settings\Administrator.WIN\Local Settings\Temporary Internet Files\Content.IE5         \YRRSDX95\pp[1].exe
        <filesize>130307</filesize>
        <md5sum>a92e98e9d7090ebc058521b07e6f4557</md5sum>
      </file>
      <file mode="created">
        C:\DOCUME~1\ADMINI~1.WIN\LOCALS~1\Temp\svchoost.exe
        <filesize>130307</filesize>
        <md5sum>a92e98e9d7090ebc058521b07e6f4557</md5sum>
      </file>
      <file mode="created">
        C:\WINDOWS\quit.exe
        <filesize>130307</filesize>
        <md5sum>a92e98e9d7090ebc058521b07e6f4557</md5sum>
      </file>
      <process mode="started">
        C:\DOCUME~1\ADMINI~1.WIN\LOCALS~1\Temp\svchoost.exe
        <pid>2480</pid>
        <ppid>2364</ppid>
        <filesize>130307</filesize>
        <md5sum>a92e98e9d7090ebc058521b07e6f4557</md5sum>
        <sha1sum>15361d276f64f0a628605cc5e963d3a529df9727</sha1sum>
      </process>

ThreatExpert has seen this malware, as has VirusTotal. There doesn't seem to be much consensus in the AV folks regarding a name - most just recognize the packing method as malicious - but this is just a simple dropper that will further download malware.

The malware deletes itself, and downloads and runs another piece of malware:

      <file mode="delete">
        C:\DOCUME~1\ADMINI~1.WIN\LOCALS~1\Temp\svchoost.exe
      </file>
       <file mode="delete">
        C:\WINDOWS\system32\Deledomn.bat
      </file>
      <network mode="dns_query">
        <port>53</port>
        <protocol_type>udp</protocol_type>
        <hostname>dns5.8866.org</hostname>
      </network>
      <file mode="created">
        C:\WINDOWS\system32\200512.exe
        <filesize>237815</filesize>
        <md5sum>c7b12cc8fda01ea3d8e3d676fc25d3b6</md5sum>
      </file>
      <process mode="started">
        C:\WINDOWS\system32\200512.exe
        <filesize>237815</filesize>
        <md5sum>c7b12cc8fda01ea3d8e3d676fc25d3b6</md5sum>
      </process>

Although not many of the AVs on VirusTotal detect it properly, this is definitely Hupigon. Microsoft has a nice writeup on this.

"The Trojan dropper may also install PWS:Win32/Hupigon, a plugin that logs keystrokes and steals passwords. Win32/Hupigon may support other malicious plugins as well."

As we can see below, a configuration file for the malware is created, and more malware is downloaded and run

      <file mode="created">
        C:\WINDOWS\mywinsys.ini
        <filesize>27</filesize>
        <md5sum>6517ab509abe73d01fda7adeb3778e11</md5sum>
      </file>

The next two files are the same as the dropper malware above. It appears to simply be making backup copies of itself

<file mode="created">
C:\WINDOWS\system32\AlxRes061230.exe

        <filesize>237815</filesize>
        <md5sum>c7b12cc8fda01ea3d8e3d676fc25d3b6</md5sum>
     </file>
      <file mode="created">
        C:\WINDOWS\system32\scrsys061230.scr
        <filesize>237815</filesize>
        <md5sum>c7b12cc8fda01ea3d8e3d676fc25d3b6</md5sum>
       </file>

This file is another password stealer/key logger. ThreatExpert says:
"Trojan-Spy.Agent!sd6 is a malicious application that attempts to steal passwords, login details, and other confidential information."
"Trojan-Downloader.Agent.BNZ downloads and executes malicious malware on infected machines. It injects malicious code into Internet Explorer to masquerade its downloading activities. It also opens random ports."

      <file mode="created">
        C:\WINDOWS\system32\winsys32_061230.dll
        <filesize>86016</filesize>
        <md5sum>a8d196ffe40607bde5e9b26719b790e2</md5sum>
       </file>

The next two files are Trojan.Pakes. Pakes steals your game passwords specifically, and has callhome/bot functionality.

      <file mode="created">
        C:\WINDOWS\system32\scrsys16_061230.scr
        <filesize>30720</filesize>
        <md5sum>49940b40ae39bc1d115c7d12666218d5</md5sum>
       </file>
      <file mode="created">
        C:\WINDOWS\system32\winsys16_061230.dll
        <filesize>30720</filesize>
        <md5sum>49940b40ae39bc1d115c7d12666218d5</md5sum>
       </file>

And lastly the malware makes itself run at startup time.

      <regkey mode="setval">
        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Userinit = C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start
        <pid>2348</pid>
      </regkey>

So to wrap it up, what happens when your web browser gets exploited? Your keystrokes get logged, your saved passwords get stolen, backdoors are opened, more malware can (and will) be installed at a later date, and your computer becomes a bot.

Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research @t fireeye dot com

FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation | www.fireeye.com

2008.12.19

Anatomy of an MS08-078 exploit, part 2

TrackBack

Comments

Twitter Updates

Archives

Categories

Blogroll