Anatomy of a Drive-by Part 2
Wednesday, October 6, 2010
Anatomy of a Drive-by Part 1 was the first part of this post and it provided some background information about the system under examination. Part 1 also covered the first two examination steps, which were the examination of the auto-start locations and the examination of the files of interest. This post is the second half of the examination, where I try to answer the question of what happened on the computer.
As a reminder, the examination so far has located the following: five copies of the SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d), two copies of Hiloti (MD5 5170e6923859a70ede3b2685ccd5ba04), and one copy of Hiloti (MD5 30fd84f3c0e0dc7666658dc52c216a2a). The first piece of malware was created on the system at 09/12/10 06:38:42PM.
***Caution: The URLs and domains I reference in this post were hosting malicious content at some point in time. I haven’t sanitized these URLs or domains (besides making them un-clickable) in order to allow people to conduct their own research if they choose to. With that said, please use caution if you are going to research any of the URLs or domains since they still may be hosting malicious content.****
Timeline Analysis
The previous steps indicated the timeframe I was interested in was the evening of 09/12/2010. To reduce the amount of data in my timeline I applied an Excel filter to show only entries from this day, since my focus was determining how the malware was created on the system. I had recommended to my friend that he turn off his computer, and the timeline showed the computer had been powered off since that recommendation was made. The last entry in the timeline occurred at Sun 09/12/2010 20:13:08, which was approximately 95 minutes after the malware appeared on the system.
I started my timeline review at Sun 09/12/2010 20:13:08 and worked my way backwards. Whenever the timeline showed a file of potential interest I would examine the file closer using other tools such as Encase. I will be providing multiple updates throughout the timeline analysis section in order to summarize how certain artifacts tie together before I move on to the next set of artifacts.
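The backward walk described above can be scripted. The following is an added example, not tooling from the post: it parses a simplified, constructed timeline (a hypothetical pipe-separated format of timestamp, MACB flags, source and path, with the times and file names taken from the post's overview and the sources constructed), filters it to one day, finds a pivot entry such as the first creation of a named file, collects the entries in a window before that pivot in reverse order, and groups entries that share the same second, which is how the post spots pairs like arezires.dll and get2[1].php.

```python
"""Filter a timeline to one day, walk it backwards from a pivot, and group
entries that share a timestamp (added example, not the post's own tooling)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample timeline in a simplified, hypothetical export format:
# "YYYY-MM-DD HH:MM:SS|MACB|source|path". Times and file names follow the
# post's overview; the source labels and the 09/13 entry are constructed filler.
SAMPLE_TIMELINE = """\
2010-09-12 18:36:06|.A..|HISTORY|Visited: user@http://mail.yahoo.com/
2010-09-12 18:38:21|.A..|PRIVACIE|yimg[dot]com content
2010-09-12 18:38:22|...B|FILE|Content.IE5/l[1].htm
2010-09-12 18:38:22|...B|FILE|Content.IE5/asrefinc11[1].js
2010-09-12 18:38:25|...B|FILE|Content.IE5/show[1].htm
2010-09-12 18:38:35|...B|FILE|Local Settings/Temp/0.8503427712213907.exe
2010-09-12 18:38:35|...B|FILE|Content.IE5/hcp[1].htm
2010-09-12 18:38:38|.A..|PREFETCH|CMD.EXE prefetch
2010-09-12 18:38:42|...B|FILE|Local Settings/Temp/176572328.exe
2010-09-12 18:38:42|...B|FILE|Local Settings/Temp/176572329.exe
2010-09-13 09:00:00|...B|FILE|Desktop/notes.txt
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    macb: str   # M/A/C/B flags, a dot where the flag is not set
    source: str
    path: str


def parse_timeline(text: str) -> list[Event]:
    """Parse the constructed format into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, macb, source, path = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), macb, source, path))
    return sorted(events, key=lambda e: e.ts)


def filter_day(events: list[Event], day: date) -> list[Event]:
    """Equivalent of the Excel date filter: keep one day's entries only."""
    return [e for e in events if e.ts.date() == day]


def find_pivot(events: list[Event], name_fragment: str, created_only: bool = True) -> Event | None:
    """First entry whose path contains the fragment (by default a creation, i.e. B flag set)."""
    for e in events:
        if name_fragment in e.path and (not created_only or e.macb.endswith("B")):
            return e
    return None


def window_before(events: list[Event], pivot_ts: datetime, seconds: int) -> list[Event]:
    """Entries in [pivot - seconds, pivot), newest first, i.e. the backward walk."""
    start = pivot_ts - timedelta(seconds=seconds)
    hits = [e for e in events if start <= e.ts < pivot_ts]
    return sorted(hits, key=lambda e: e.ts, reverse=True)


def same_second_groups(events: list[Event], min_size: int = 2) -> dict[datetime, list[Event]]:
    """Timestamps shared by several entries: candidates for files dropped together."""
    groups: dict[datetime, list[Event]] = defaultdict(list)
    for e in events:
        groups[e.ts].append(e)
    return {ts: es for ts, es in groups.items() if len(es) >= min_size}


def main() -> None:
    events = filter_day(parse_timeline(SAMPLE_TIMELINE), date(2010, 9, 12))
    pivot = find_pivot(events, "176572328.exe")
    print(f"pivot: {pivot.ts} {pivot.path}")
    for e in window_before(events, pivot.ts, 20):
        print(f"  {e.ts} {e.macb} {e.source:9} {e.path}")
    for ts, group in sorted(same_second_groups(events).items()):
        print(f"{ts}: {len(group)} entries share this second")


if __name__ == "__main__":
    main()
```

The window and the pivot are parameters so the same helpers work for any "what happened in the N seconds before this file appeared" question the post asks repeatedly.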
Before I asked my friend to turn off his computer I tried to help him identify the rogue security program by using the task manager. This approach didn't work because the security program blocked any new process, including the task manager, from running. In addition to blocking the new process, a fake security alert would appear indicating the process was a virus. The timeline entries below show the task manager being accessed.
Working through this portion of the timeline I had to go through a lot of files that were accessed. The amount of files accessed in such a short period of time made it appear like the computer was shutting down and/or a scan was occurring on the system. The next timeline entry of interest occurred at 19:05:45 which involved one of the copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d).
The image below shows the next timeline entries of interest.
The files arezires.dll and get2[1].php were created on the system at the same time, 19:03:12. Both files were examined and they were determined to be identical since their MD5 hashes matched. The following is the additional information about the files:
arezires.dll and get2[1].php
* File path: \WINDOWS\arezires.dll and \Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\M95YKOXS\get2[1].php
* VT result: malicious and hash search identified the file as FakeWarn and FakeAlert
* MD5 hash: ef3501a3a215949bd61142139f631406
* Creation date: 09/12/10 07:03:12PM
* Last written date: 09/12/10 07:03:12PM
* MFT last modification date : 09/12/10 07:03:12PM
The arezires.dll file contained script which appeared to force a person to a certain website, as can be seen below.
I ran the arezires.dll file through the online scanner Jsunpack, and the following paths were being accessed on the domain: logotarget.jpg, images/point.png, and images/downbutton.png. A Google search for the domain antivirpwr[dot]com was performed and the top four hits are shown below.
As shown in the picture, the antivirpwr[dot]com domain is advertising security software and my theory is this would have been the website my friend would have been directed to if he tried to purchase the SpyPro software. McAfee’s description write-up on FakeAlert-SpyPro.gen.ai strengthens this theory since the sample analyzed tried to access the same website listed in the arezires.dll file. I never confirmed this theory because I didn’t examine the SpyPro Trojan I located.
Continuing on with the timeline there was another entry that occurred at 19:03:12 and is shown below.
The entry shows that the get2[1].php (MD5 ef3501a3a215949bd61142139f631406) file came from the 231207da0903[dot]deanard[dot]com domain. I queried the domain using Robtex and the domain mapped to an IP address which is shared with over 40 other hosts. The picture below shows a few of these hosts.
Looking further into the 231207da0903[dot]deanard[dot]com domain I reviewed the records section of Robtex and the picture below shows the IP address for this domain mapped to *[dot]deanard[dot]com.
231207da0903[dot]deanard[dot]com was mapping back to the parent domain, so I performed a Google search on the domain which led me to a Malware Intelligence blog post titled Pirated Edition Affiliate program Pay-per-Install. The post discusses the business model of affiliate programs paying customers for spreading their malware. The following are the interesting connections between the post and the system I was examining:
* The file being referenced in the post was named get[2].php which has the same name as the file brought down by deanard[dot]com domain.
* The host associated with the get[2].php file was husseta[dot]com, which is also one of the hosts mapped to 94.75.221.77.
* The deanard[dot]com domain also maps to the IP address discussed in the blog post.
* The IP address in the post 95.221.98.246 and the IP address 94.75.221.77 both have the same Autonomous System number which is AS16265 “LeaseWeb AS Amsterdam, Netherlands”.
I found this to be a fascinating connection and it makes me wonder if this affiliate program is involved with the malware present on my friend's system, and if so, how one would go about confirming this link.
Timeline Examination Summary Update:
**** So far, the analysis determined the computer has been powered off since Sunday night and there is activity involving the domain deanard[dot]com. This domain has links to an affiliate program which pays customers to spread their malware. There were two copies of the FakeAlert (MD5 ef3501a3a215949bd61142139f631406) downloaded from deanard[dot]com at 09/12/10 07:03:12PM. The FakeAlert made references to the antivirpwr[dot]com website which was advertising security software. There were indications this website is not advertising legitimate software. ****
The next few entries of interest are associated with the SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d). The entry below shows one of the copies of the program is referencing htmlMain.htm at 19:02:56.
Just before this entry the timeline showed the SpyPro program being accessed.
My friend had McAfee antivirus installed on his system at the time of the attack and the entry below shows a scan was started at 19:01:26. There were other event log entries around this time reflecting services being started in addition to the McAfee scanner.
The 19:01:12 entry showed another copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) was accessed.
The next portion of the timeline had a lot of activity involving the Temporary Internet Files folder and a lot of the files were images. The picture below shows a couple of these files.
The entry right before these images started appearing on the system shows my friend visited Facebook at 18:50:29.
Continuing to work backwards in the timeline, the next entries of interest occurred at 18:41:52, which is just under two minutes after the last piece of identified malware was created on the system (that last creation time was 18:39:04). This was when cookies from Yahoo were created on the system.
At 18:40:58 my friend accessed his email.
Timeline Examination Summary Update:
**** The examination at this point is closer to the timeframe of interest which is 09/12/10 06:38:42PM since this is when the first piece of identified malware was created on the system. The significant piece of information from this portion of the timeline indicates my friend was already infected when he went to Facebook and he might have been using Yahoo’s email around the time the computer was infected. The other activity in this portion of the timeline involved SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d). ****
The next entries of interest occurred at 18:40:42 which is shown in the image below.
The files Gwomiliyojoqo.dat and get2[1].htm were created on the system at the same time and both files had the same MD5 hash. The content of this file was a string of 120 characters starting with 3C3E7A6E68. The hash search at VT had 0 out of 42 detections, and the Google search had only two hits, one of which was a July 21, 2010 file submission at Jsunpack.
At 18:40:40 the Hiloti Trojan (MD5 30fd84f3c0e0dc7666658dc52c216a2a) appeared on the system. This malware was first identified reviewing the autoruns output. The image below shows that a .htm file was modified at the same time but the examination of this file didn’t reveal any additional information.
A Software hive Run key was also modified at 18:40:40.
The following are modifications made to this key and the output is from Harlan Carvey’s Regripper:
* Prehoherajoza -> rundll32.exe "C:\WINDOWS\egugehudafu.dll",Startup
* cepijgkk -> C:\Documents and Settings\****\Application Data\oexrvilnf\hdwhvqmuqiw.exe
* anyplcer -> C:\Documents and Settings\****\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe
The Internet history shows my friend was on Yahoo’s website at 18:39:31 and this is shown in the image below.
The next few entries in the timeline indicated Adobe Reader was running and there was a modification to a log file used by Adobe at 18:39:19.
The content of this log file provided some useful information. First, the Adobe ARM 1.4.5.0 logging started at 18:39:18 and ended one second later. Second, the log showed the version of Adobe Reader on the computer was 8.2, which is outdated since the latest version (at the time of this post) is 9.3.4.
The timeline showed there were modifications to Adobe ARM prefetch files, further corroborating that the ARM logging was running. At 18:39:14, a copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) executed.
The remaining timeline entries leading up to when the last piece of identified malware was created on the system show another copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) executed, and there was a modification to a run key in my friend's user account ntuser.dat. Both of these are illustrated in the images below.
The following were modifications made to the ntuser.dat run key and the output is from Harlan Carvey’s Regripper:
* cepijgkk -> C:\Documents and Settings\****\Application Data\oexrvilnf\hdwhvqmuqiw.exe
* anyplcer -> C:\Documents and Settings\****\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe
* Fnanaha -> rundll32.exe "C:\WINDOWS\qdfnst.dll",Startup
These registry modifications are a redundant persistence mechanism for the copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) because the same modification was made to the Software\CurrentVersion\Run key. However, the Software run key referenced egugehudafu.dll instead of qdfnst.dll. The qdfnst.dll file is a different copy of the Hiloti Trojan and will be discussed later in this post.
Timeline Examination Summary Update:
**** The examination at this point brought us closer to the time period of interest, which is 09/12/10 06:38:42PM. The examination identified two persistence mechanisms using a Run key in the Software registry hive and a user account's ntuser.dat. Both of these mechanisms were configured to launch two copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) and a copy of the Hiloti Trojan. The other activity in this portion of the timeline that could be meaningful was that the Adobe ARM logging service was started.
Hopefully at this point of the examination I haven’t lost too many readers because the next portion of the timeline brings us to the time period of interest. At 18:38:58 two copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) were created and executed on the system.
A registry modification occurred at the same time a copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) executed on the system. The keys modified are illustrated below.
As can be seen in the picture, two modifications occurred to the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies key. This key is associated with the Attachment Manager, which attempts to protect your computer from unsafe attachments in emails or unsafe files from the Internet. For additional information refer to Microsoft's support article 883260. The Policies\Attachments key was changed by adding "SaveZoneInformation" with the data of 1. According to the support article, this change causes Windows not to mark file attachments with their zone information, so Windows cannot make appropriate risk assessments.
The Policies\Associations key was changed by adding "LowRiskFileTypes" with a value of .exe. According to the support article, this change results in the user not being prompted when accessing .exe files regardless of the zone, including Internet restricted zones.
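The Run-key entries listed earlier and the two Attachment Manager policy values can be checked mechanically during triage. The following is an added example, not the post's tooling and not RegRipper output: it parses a constructed .reg-style export (the value names and paths mirror the ones the post reports; the user name and the ExampleUpdater entry are placeholders), flags Run values that use rundll32 to load a DLL from the Windows root or that launch from a profile data/temp directory, reports values duplicated across the Software and ntuser.dat Run keys, and reports the SaveZoneInformation=1 and LowRiskFileTypes=.exe weakening described in Microsoft's article 883260.

```python
"""Triage Run-key persistence and Attachment Manager policy changes from a
.reg-style export (added example, not the post's tooling)."""
from __future__ import annotations

import re

# Constructed sample export. Value names and paths mirror the post's RegRipper
# output; "user" and "ExampleUpdater" are placeholders (a benign control entry).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
"Prehoherajoza"="rundll32.exe \"C:\\WINDOWS\\egugehudafu.dll\",Startup"
"cepijgkk"="C:\\Documents and Settings\\user\\Application Data\\oexrvilnf\\hdwhvqmuqiw.exe"
"anyplcer"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\bfuqvjmoj\\hcdrsjbuqiw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cepijgkk"="C:\\Documents and Settings\\user\\Application Data\\oexrvilnf\\hdwhvqmuqiw.exe"
"anyplcer"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\bfuqvjmoj\\hcdrsjbuqiw.exe"
"Fnanaha"="rundll32.exe \"C:\\WINDOWS\\qdfnst.dll\",Startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
RUN_SUFFIX = r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
PROFILE_DROP_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Map key path -> {value name: data}. Handles string and dword data;
    other forms (hex:, expand:) are kept as raw text."""
    reg: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            reg[current][name] = _unescape(data[1:-1])
        else:
            reg[current][name] = data
    return reg


def run_entries(reg: dict[str, dict[str, object]]) -> dict[str, dict[str, object]]:
    return {k: v for k, v in reg.items() if k.upper().endswith(RUN_SUFFIX)}


def suspicious_reasons(command: str) -> list[str]:
    """Heuristics matching the two patterns seen in the post's Run keys."""
    low = command.lower()
    reasons = []
    if low.startswith("rundll32") and re.search(r'c:\\windows\\[^\\"]+\.dll', low):
        reasons.append("rundll32 loads a DLL dropped in the Windows root")
    if any(d in low for d in PROFILE_DROP_DIRS):
        reasons.append("launched from a user profile data/temp directory")
    return reasons


def triage_run_keys(reg: dict[str, dict[str, object]]) -> list[tuple[str, str, str, list[str]]]:
    hits = []
    for key, values in run_entries(reg).items():
        for name, cmd in values.items():
            reasons = suspicious_reasons(str(cmd))
            if reasons:
                hits.append((key, name, str(cmd), reasons))
    return hits


def redundant_persistence(reg: dict[str, dict[str, object]]) -> set[str]:
    """Value names whose identical command sits under more than one Run key."""
    seen: dict[tuple[str, str], int] = {}
    for values in run_entries(reg).values():
        for name, cmd in values.items():
            seen[(name, str(cmd))] = seen.get((name, str(cmd)), 0) + 1
    return {name for (name, _), n in seen.items() if n > 1}


def attachment_manager_weakened(reg: dict[str, dict[str, object]]) -> list[str]:
    """Policy values that disable the zone-based checks (KB 883260 semantics)."""
    findings = []
    for key, values in reg.items():
        k = key.upper()
        if k.endswith(r"\POLICIES\ATTACHMENTS") and values.get("SaveZoneInformation") == 1:
            findings.append("SaveZoneInformation=1: zone information is not saved on downloaded files")
        if k.endswith(r"\POLICIES\ASSOCIATIONS"):
            low_risk = [t.strip().lower() for t in str(values.get("LowRiskFileTypes", "")).split(";")]
            if ".exe" in low_risk:
                findings.append("LowRiskFileTypes includes .exe: no open-file prompt for downloaded executables")
    return findings


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for key, name, cmd, reasons in triage_run_keys(reg):
        print(f"{key}\n  {name} -> {cmd}\n  {'; '.join(reasons)}")
    print("duplicated across Run keys:", sorted(redundant_persistence(reg)))
    for f in attachment_manager_weakened(reg):
        print("policy:", f)
```

The control entry ExampleUpdater is deliberately left unflagged so the heuristics can be checked for false positives; on a real export you would extend PROFILE_DROP_DIRS and the rundll32 rule to whatever the environment's baseline shows.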
I am not sure how these registry modifications fit into the attack since the majority of the malware was already present on the system. It leads me to believe the change was made in anticipation of downloading additional malware in the future. The next portion of the timeline is shown below.
Most of the activity between 18:38:53 and 18:38:51 involved copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) and Hiloti (MD5 5170e6923859a70ede3b2685ccd5ba04), which were identified during the examination of the files of interest step. However, at 18:38:49 an executable named google.exe was created on the system (line 4955 in the above picture). The examination of this file determined it was a new piece of malware and the additional details are below.
google.exe
* File path: \Documents and Settings\****\Local Settings\Temp\google.exe
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: a06e417b9743e65bbb9ace16d6d3a65f
* Creation date: 09/12/10 06:38:49PM
* Last written date: 09/12/10 06:38:51PM
* MFT last modification date : 09/12/10 06:38:51PM
The next few entries in the timeline showed a copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) and an unknown program (0.8503427712213907.exe) executed.
The next entries in the timeline finally bring us to 09/12/10 06:38:42PM, which is the point in time when the first piece of identified malware was created on the system.
As you can see in the image, copies of SpyBot (lines 4927 and 4928) were created on the system, one copy of SpyBot executed (line 4930), and the previously mentioned file qdfnst.dll on line 4929 had its MFT entry modified. The qdfnst.dll file was identified as a new copy of Hiloti and the following is the additional information about this file.
qdfnst.dll
* File path: \WINDOWS\qdfnst.dll
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: f1abef9bd8240815ceaf97a7527318b2
* Creation date: 08/16/05 06:18:42AM (note: this file’s timestamp was modified)
* Last written date: 04/13/08 08:12:08PM
* MFT last modification date : 09/12/10 06:38:42PM
Timeline Examination Summary Update:
**** The examination has identified two new variants of Hiloti (MD5 a06e417b9743e65bbb9ace16d6d3a65f and MD5 f1abef9bd8240815ceaf97a7527318b2) on the system. Finally, we are at the point in time when the first piece of identified malware was created on the system. The examination up to this point has been looking for artifacts associated with the payload of the attack such as the numerous pieces of malware identified. However, the examination will now start to focus on trying to identify the initial infection vector which resulted in the first piece of malware being dropped to the system.****
At 06:38:41PM the acrord32.exe prefetch file was modified and the unknown program (0.8503427712213907.exe) was executed. This is the second reference so far to this unknown program.
The picture below shows the next entries in the timeline which involve the Java deployment cache folder.
The entries of interest are on lines 4918 and 4919 because they show 781da39f-6b6c0267.idx and 781da39f-6b6c0267 being created on the system at 18:38:39. The signature analysis identified the file 781da39f-6b6c0267 as having the zip file format. I first reviewed the content of the 781da39f-6b6c0267.idx file and this is shown below.
As you can see in the picture, there are two items of interest which are the IP address 91.213.217.31 and the rox[dot]jar file being accessed from the domain xhaito[dot]com. The IP address was queried and there were five hosts sharing this address.
The xhaito[dot]com domain mapped to the IP address, so next I queried the domain in order to view the Whois record. The Whois information is listed below; the contact information could be false.
Did you notice the xhaito[dot]com domain was created on 09/12/2010 which is the same day my friend’s system was infected? The time listed is 04:33:54 but I am not sure what timezone is used when a domain is registered. I performed a Google search for the domain and the domain was present in the MalwareURL database.
The URLs listed in the database don’t match the URL in the .idx file but the URLs still involve the same domain. The picture below was the other information found on MalwareURL about this domain.
The xhaito[dot]com domain was first listed in the database on 09/15/2010 with the description of the Siberia Exploit Pack sitting on this IP address with the Hiloti Trojan as the payload. The examination has already found a few different copies of the Hiloti Trojan, so the information in this database seems to match up with the artifacts on the system. The research I did on the exploit pack indicates the tool only has exploits for Adobe Reader and Java.
The 781da39f-6b6c0267.idx file provided valuable information including a jar file being referenced from a domain that is hosting an exploit pack and the Hiloti Trojan. The 781da39f-6b6c0267 file was the jar file downloaded from this domain. The content of this file contained eight class files.
I have been using online scanners to help me examine Java files but I have never encountered a jar file before. I reached out to the Yahoo Win4n6 group for feedback on how to review these files and the answer I received was to examine the jar file with a Java decompiler in order to see the code. I tried this using one of the suggested decompilers which was the JD-GUI. I didn’t make much progress on this and this is an area I have added to my list to improve my knowledge on. However, a member in the Win4n6 group provided me with a hint to look for file names and I saw the reference below.
The jar file had a reference to the file google.exe. Google.exe has already been located and it was confirmed this was a copy of the Hiloti Trojan (MD5 a06e417b9743e65bbb9ace16d6d3a65f).
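The jar review described above (confirm the container type, count the class files, look for embedded file names) can be done statically without a decompiler. The following is an added example, not the post's tooling: it builds a constructed stand-in jar in memory (eight class entries, one embedding the string google.exe and a placeholder URL; it is not rox.jar), confirms the zip signature, counts class files, and regex-extracts URLs, IPv4 addresses and executable names from each entry. The same extractor is run on a constructed byte blob standing in for the cache .idx file; the real Java cache index has its own binary layout that this example does not parse, and example.invalid and 198.51.100.31 are placeholders.

```python
"""Static triage of a Java cache artifact pair: confirm the payload is a jar,
list its class entries, and pull URL/IP/executable-name strings out of both
files (added example, not the post's tooling)."""
from __future__ import annotations

import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of the first zip entry
_URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
_IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EXE_RE = re.compile(rb"[A-Za-z0-9_.-]+\.(?:exe|dll|scr)\b", re.IGNORECASE)
_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def build_sample_jar() -> bytes:
    """Constructed stand-in for the downloaded jar: eight class-named entries
    with dummy bodies, one embedding a dropped-file name and a placeholder URL.
    Not the actual sample from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for i in range(7):
            zf.writestr(f"rox/Class{i}.class", b"\xca\xfe\xba\xbe" + bytes(40))
        zf.writestr(
            "rox/Loader.class",
            b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"google.exe" + b"\x00" * 8
            + b"http://example.invalid/rox.jar",
        )
    return buf.getvalue()


# Constructed blob standing in for the .idx cache index (placeholder values).
SAMPLE_IDX = (
    b"\x00\x01\x02" + b"http://xhaito.example.invalid/rox.jar" + b"\x00\x00"
    + b"server-ip: 198.51.100.31" + b"\x00\x00\x00"
)


def is_zip(data: bytes) -> bool:
    """Signature check equivalent to the post's 'zip file format' finding."""
    return data.startswith(ZIP_MAGIC)


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    return [m.decode("ascii") for m in _STRING_RE.findall(data) if len(m) >= min_len]


def extract_indicators(data: bytes) -> dict[str, list[str]]:
    """URLs, IPv4 addresses and executable file names found as raw strings."""
    return {
        "urls": sorted({m.decode() for m in _URL_RE.findall(data)}),
        "ipv4": sorted({m.decode() for m in _IPV4_RE.findall(data)}),
        "executables": sorted({m.decode().lower() for m in _EXE_RE.findall(data)}),
    }


def class_files(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.endswith(".class")]


def triage_jar(data: bytes) -> dict[str, object]:
    """Class count plus indicators merged across every entry in the jar."""
    if not is_zip(data):
        raise ValueError("not a zip/jar container")
    found: dict[str, set[str]] = {"urls": set(), "ipv4": set(), "executables": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            for k, v in extract_indicators(zf.read(name)).items():
                found[k].update(v)
    return {"class_count": len(class_files(data)), **{k: sorted(v) for k, v in found.items()}}


if __name__ == "__main__":
    jar = build_sample_jar()
    print("jar is zip:", is_zip(jar), "->", triage_jar(jar))
    print("idx is zip:", is_zip(SAMPLE_IDX), "->", extract_indicators(SAMPLE_IDX))
    print("idx strings:", printable_strings(SAMPLE_IDX))
```

Pairing the executable names pulled from the jar with file names already on the timeline (google.exe here) is the link the post makes by hand; the class count is a quick way to confirm you are looking at the same artifact the .idx entry points to.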
The 781da39f-6b6c0267.idx and 781da39f-6b6c0267 files are good candidates to be involved with the initial infection vector because the files appeared on the system one second before 18:38:42 (this is when the first piece of identified malware was created on the system). Plus whatever the purpose was of these files it appeared to succeed since the google.exe executable ended up on the system. However, I didn’t reach the point in the examination where there was no longer a trail of artifacts so the examination continued. The timeline showed that one second before the idx and jar files were downloaded a different copy of the Hiloti Trojan with the name of qdfnst.dll was accessed. This means the idx and jar files are not the initial infection because the system was already infected before these files appeared on the computer.
The next area of the timeline showed more activity of an infection before the 781da39f-6b6c0267.idx and 781da39f-6b6c0267 files were dropped on the system. The picture below shows the entries.
At 18:38:38 the command prompt was accessed, one second after a Java prefetch file was modified. Previously I referenced an unknown program named 0.8503427712213907.exe executing on the system; this file was created on the system at 18:38:35. This executable was examined and it was the same file as google.exe since the MD5 hashes matched. Here is some additional information about the file:
0.8503427712213907.exe
* File path: \Documents and Settings\****\Local Settings\Temp\0.8503427712213907.exe
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: a06e417b9743e65bbb9ace16d6d3a65f
* Creation date: 09/12/10 06:38:35PM
* Last written date: 09/12/10 06:38:36PM
* MFT last modification date: 09/12/10 06:38:36PM
At 18:38:35 another file was created on the system at the same time as the Hiloti Trojan (MD5 a06e417b9743e65bbb9ace16d6d3a65f). The content of this file is shown below.
I started performing searches using various strings of characters from this file and this activity led me to a Full Disclosure archive about the Microsoft Windows Help Center vulnerability. The exploitation of this vulnerability allows an attacker to bypass the trusted documents whitelist and execute arbitrary commands. According to the Full Disclosure archive, the attack against this vulnerability would look like the following (I am only including the information that provides context for a few of the next artifacts on the system).
* A user would be forced to fetch an .asx file with the htmlview element
* From the htmlview element the hcp protocol gets called in order to exploit the vulnerability to bypass the whitelist
* After the whitelist is bypassed then arbitrary commands can be executed in the context of the user’s privileges
The contents of the hcp[1].htm file are exactly the same as the code used to defeat the whitelist. A section in the archive mentions that accessing an hcp:// URL in Internet Explorer version 8, Firefox, or Chrome results in a command prompt. The system under examination had Internet Explorer 8 installed and line 4911 shows the command prompt being accessed. The presence of the hcp[1].htm file, the command prompt being accessed, the Hiloti Trojan (MD5 a06e417b9743e65bbb9ace16d6d3a65f) named 0.8503427712213907 on the system, and the system not having this patch installed lead me to believe this exploit was successful.
The next group of entries in the timeline involved Java running on the system as illustrated below.
The next significant entry in the timeline was a file being created in the Temporary Internet Files folder at 18:38:25.
The content of this file was examined and it showed there was not only a reference to the jar file that was downloaded to the system but there was a reference to the xhaito[dot]com domain as well (note: this was one of the URLs listed in the MalwareURL database). At this point I definitely realized I need a better understanding of examining artifacts.
I uploaded the file to jsunpack to be scanned and the results provide context for a few of the files located on the system. The picture below indicates there was an .asx file located on the xhaito[dot]com domain, which is one required component for the Help Center vulnerability.
The URLs section of jsunpack shows the URLs requested. Notice the call for the hcp URL which was present in the hcp[1].htm file and the reference to the jar file. I saw the reference for a pdf but there was not one present on the system even though Adobe was running at some point.
Continuing on with the review of the timeline the last significant entry related to the initial infection vector occurred at 18:38:24 which was one second before the show[1].htm file appeared on the system.
I am not sure if you remember, but I mentioned in Part 1 that the entries in the PrivacIE folder's index.dat file are from third parties hosting content on websites. At 18:38:24 a PrivacIE entry shows that show.php was accessed from the xhaito[dot]com domain.
Timeline Examination Summary Update:
**** The trail of artifacts including malware and the xhaito[dot]com domain stopped after this point in the examination. The antivirus scans I conducted after I cleaned the system confirmed the first piece of malware was the 0.8503427712213907 file (the scans found copies of malware in the restore points). This malware appeared on the system at the same time as an artifact from the exploit of the Windows Help Center vulnerability. This doesn't have a bearing on my examination, but I wanted to mention that through my research I found the Siberia Exploit pack referenced in the MalwareURL database doesn't have the hcp exploit. A different exploit pack or an updated version of Siberia was used in this attack. The initial infection vector for this system appeared to be third-party content hosted on a website which redirected users to the xhaito[dot]com domain for a drive-by attack. One of the vulnerabilities targeted in this drive-by was the Windows Help Center vulnerability.****
At this point I wanted to go further down the rabbit hole to see if I could locate the malicious third-party content and to find out what website was hosting the content. Unfortunately, I couldn’t find the malicious content referencing the xhaito[dot]com domain but as I stated previously I need a better understanding of examining artifacts. The bright side was I had another lead to pursue because there were two PrivacIE entries at 18:38:24 as illustrated below.
The other PrivacIE entry was from the batfior[dot]co[dot]cc domain. I tried to research this domain and was unable to locate any information on it. The other artifacts before these timeline entries seemed to be associated with ads being displayed. The next file of interest was created on the system at 18:38:22, which is one second before the two PrivacIE entries.
The picture below shows the contents of this file.
I performed a few Google searches using different characters from the file’s contents that didn’t result in anything fruitful. I uploaded the file to jsunpack and received the following:
I am not sure what this file is and the function it performs so I continued reviewing the timeline. The next lead I found also involved a file being created on the system at 18:38:22.
This file was uploaded to jsunpack and the first interesting item was the URLs.
The URLs were listed as iframes as can be seen below.
The first URL listed is for the batfior[dot]co[dot]cc domain which appeared at the same time as the PrivacIE entry for the xhaito[dot]com domain. This file was the last reference I found for the batfior[dot]co[dot]cc domain on the system so I started to research the trueffects[dot]net domain. The domain mapped to IP address 72.9.236.172 which was shared with two other domains.
To learn more I performed a few Google searches for the trueffects[dot]net domain. One of the first hits I found was a post on a blog called Spyware Sucks. There were multiple posts from 09/01/2010 to 09/03/2010 mentioning how the facilitatedigital[dot]net domain was spreading malvertising. At the time the author suggested being careful with content from trueffects[dot]net as well since it shared the same IP address. I thought this was interesting and then I saw the next entry in the timeline.
Back to Google I went to search for this URL and the first hit was a thread in the Kaspersky forums. A user posted on 09/18/2010 that there was a message indicating something was blocked from the trueffects[dot]net/www/cmd URL. Keep in mind this user's post was six days after my friend's computer was infected. I posted a few of the Google search hits below involving this domain (I edited the hits' URLs). As you can see there are indications this may be a risky domain, and there was even a hit for a comment made on 09/14/2010 about one of Yahoo's advertisers supplying a URL from trueffects[dot]net which tried to infect their computer.
Continuing on with the timeline there was another file created at 18:38:22. This file was a cookie shown below.
Here is the content of this file.
The domain in the cookie mapped to the IP address 168.75.207.20. The few Google searches I performed both resulted in hits on ThreatExpert for the domain and IP address. The picture below shows the search I performed on ThreatExpert in order to show the hits I saw through Google (I only did this for this post because the screenshot of the Google search was too large).
All of the artifacts I have been discussing occurred at 18:38:22 which was one second before the xhaito[dot]com domain PrivacIE entry. You may be asking yourself what occurred before 18:38:22 and the timeline entry below answers that question.
This entry is for the yimg[dot]com domain and the brief research I did on this domain indicates the domain is controlled by Yahoo. The timeline showed there was no activity at all on the system between 18:38:05 and 18:38:21. This means the trail of artifacts on the system ended at 18:38:21 and the last activity on the system initiated by my friend is shown below.
My friend was at his Yahoo email at 18:36:06 but there was a PrivacIE entry from a local newspaper in my area indicating he may also have been at that website as well.
Timeline Examination Summary Update:
**** The trail of artifacts including malware and the xhaito[dot]com domain may have stopped, but there was other activity on the system that provided an additional lead. Following this lead resulted in the trueffects[dot]net domain being discovered, and this domain is associated with malvertising. I wasn't able to identify the website whose advertiser provided the malicious content that caused this redirect, but I was able to narrow it down to two websites. This was the point in the rabbit hole where my journey of trying to find the answer to what on my friend's system caused the malware to be downloaded ends.****
Overview of the Attack
I don't want to give the impression my examination was complete, because I didn't complete one important step: the examination of the artifacts located, including the malware, the jar file, and the files associated with third-party content. I think some of these files would have to be analyzed in order to fully understand how the attack occurred. I presented a lot of information involving the examination of my friend's computer. The sheer amount of information may have made it difficult to see what happened on the system, so the following timeline highlights the significant events of this attack.
* 09/01/10 to 09/03/10 Spyware Sucks blog had a few posts mentioning the facilitatedigital[dot]net domain was spreading malvertising. The author warned about the trueffects[dot]net domain since it shared the same IP address
* 09/12/10 McAfee's description write-up on FakeAlert-SpyPro.gen.ai was discovered. This was referenced in the 09/13/10 blog post.
* 09/12/10 Google search hit located a person posting a comment that trueffects[dot]net is connected to malware
* 09/12/10 04:33:54 The xhaito[dot]com domain Whois record was created. This domain was hosting an exploit pack and the Hiloti Trojan.
* 09/12/10 06:36:06PM User accessed Yahoo email and there was activity involving timesunion.com which is a local newspaper.
* 09/12/10 06:38:05PM to 06:38:21PM There was no activity on the system.
* 09/12/10 06:38:21PM PrivacIE entry for a domain controlled by Yahoo.
* 09/12/10 06:38:22PM Cookie from this[dot]content[dot]served[dot]by[dot]adshuffle[dot]com was created on the system. This domain was associated with malware.
* 09/12/10 06:38:22PM asrefinc11[1].js was created. Jsunpack identified this file as suspicious.
* 09/12/10 06:38:22PM l[1].htm was created. This file had references to the batfior[dot]co[dot]cc and trueffects[dot]net domains. The trueffects[dot]net domain was associated with malware and maps to an IP address shared by another domain associated with malware.
* 09/12/10 06:38:22PM PrivacIE entry for the trueffects[dot]net domain.
* 09/12/10 06:38:24PM PrivacIE entries for the batfior[dot]co[dot]cc and xhaito[dot]com domains. This means these domains were hosting content on a website the user visited. The xhaito[dot]com domain was hosting malicious content.
* 09/12/10 06:38:25PM show[1].htm was created on the system. This file referenced a few of the artifacts (the jar file and the Windows Help Center vulnerability), and it was associated with the xhaito[dot]com domain.
* 09/12/10 06:38:35PM The hcp[1].htm file was created on the system. The content of this file is associated with the Windows Help Center vulnerability.
* 09/12/10 06:38:35PM 0.8503427712213907.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was created.
* 09/12/10 06:38:38PM The command prompt was accessed. This might have been due to the Windows Help Center vulnerability being exploited.
* 09/12/10 06:38:38PM Qdfnst.dll (Hiloti MD5 f1abef9bd8240815ceaf97a7527318b2) was accessed.
* 09/12/10 06:38:41PM 781da39f-6b6c0267.idx and 781da39f-6b6c0267 were created on the system. The files were associated with the xhaito[dot]com domain and the 781da39f-6b6c0267 was a jar file with a reference to google.exe.
* 09/12/10 06:38:41PM 0.8503427712213907.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was executed.
* 09/12/10 06:38:42PM Qdfnst.dll (Hiloti MD5 f1abef9bd8240815ceaf97a7527318b2) MFT record was modified.
* 09/12/10 06:38:42PM 176572328.exe (Hiloti MD5 5170e6923859a70ede3b2685ccd5ba04) and 176572329.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) were created.
* 09/12/10 06:38:49PM Google.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was created.
* 09/12/10 06:38:51PM 176581812.exe (Hiloti MD5 5170e6923859a70ede3b2685ccd5ba04) and 176581813.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) were created.
* 09/12/10 06:38:58PM hdwhvqmuqiw.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) was created on the system in two locations: user profile\Local Settings\Application Data\ and user profile\Application Data\.
* 09/12/10 06:38:58PM Registry modifications were made under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. Two keys were modified so that Windows no longer preserves zone information on downloaded files (and so cannot make appropriate risk assessments) and no longer prompts the user when opening files with the .exe extension.
* 09/12/10 06:39:04PM hcdrsjbuqiw.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) was created.
* 09/12/10 06:39:04PM Registry modification was made to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. There were values here to launch two copies of SpyPro and one copy of Hiloti.
* 09/12/10 06:39:19PM A vulnerable, outdated version of Adobe Reader (v8.2.0) was running.
* 09/12/10 06:39:31PM The user was accessing Yahoo email.
* 09/12/10 06:40:40PM egugehudafu.dll (Hiloti MD5 30fd84f3c0e0dc7666658dc52c216a2a) MFT record was modified.
* 09/12/10 06:40:40PM Registry modification was made to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. There were values here to launch two copies of SpyPro and one copy of Hiloti.
* 09/12/10 06:41:52PM Yahoo cookies were created in the user profile.
* 09/12/10 06:50:29PM The user visited Facebook.
* 09/12/10 07:03:12PM get2[1].php (MD5 ef3501a3a215949bd61142139f631406) was created, and this file came from the 231207da0903[dot]deanard[dot]com domain. The parent domain had links to an affiliate program which pays customers for spreading malware.
* 09/12/10 07:03:12PM arezires.dll and get2[1].php (FakeAlert MD5 ef3501a3a215949bd61142139f631406) were created on the system in two locations: \WINDOWS\ and user profile\Local Settings\Temporary Internet Files\Content.IE5\. The content of this file referenced the antivirpwr[dot]com domain, which was advertising security software.
* 09/12/10 08:13:08PM The system was completely powered down.
* 09/13/10 McAfee Avert Labs blog had a post about an increase of submissions from customers for a variant of FakeAlert-SpyPro.gen.ai.
* 09/14/10 Google search hit identified a person who mentioned that one of Yahoo’s advertisers supplying a URL from trueffects[dot]net which tried to infect their computer.
* 09/15/10 xhaito[dot]com domain was entered into the MalwareURL database as being malicious.
* 09/15/10 Two co-workers mentioned they both knew about someone being infected on Sunday.
* 09/18/10 Google search hit identified a person posted in the Kaspersky forums that the software blocked something coming from the trueffects[dot]net/www/cmd URL.
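The overview above is the product of the method used throughout the timeline analysis: find the earliest artifact tied to a hash already known to be malicious, then examine every entry in the seconds leading up to it, newest first. The Python below is an added example, not the author's tooling, that shows that pivot-and-window step over a small timeline constructed for illustration. The column layout (Date, Source, Type, Name, Hash) is an assumption; the entries loosely mirror events on this page, and the Hash column is something an analyst would add to a mactime-style export after hashing the files of interest.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample timeline (illustration only, not the author's export).
# The column layout is an assumption; Hash holds an MD5 where the analyst
# has already hashed the file, and is empty otherwise.
SAMPLE_TIMELINE = """\
Date,Source,Type,Name,Hash
09/12/2010 18:50:29,WEBHIST,URL,http://www.facebook[dot]com/,
09/12/2010 18:38:42,FILE,Created,Local Settings/Temp/176572329.exe,ce5806f3f3a2afa8efe0272440ae6b2d
09/12/2010 18:38:38,PREFETCH,Run,CMD.EXE,
09/12/2010 18:38:35,FILE,Created,Local Settings/Temp/0.8503427712213907.exe,a06e417b9743e65bbb9ace16d6d3a65f
09/12/2010 18:38:35,FILE,Created,Content.IE5/hcp[1].htm,
09/12/2010 18:38:25,FILE,Created,Content.IE5/show[1].htm,
09/12/2010 18:38:24,WEBHIST,URL,PrivacIE: http://xhaito[dot]com/show.php,
09/12/2010 18:38:22,WEBHIST,URL,PrivacIE: http://trueffects[dot]net/,
09/12/2010 18:36:06,WEBHIST,URL,http://mail.yahoo[dot]com/,
"""

# Hashes the earlier steps of the examination already tied to malware.
KNOWN_BAD_MD5 = {
    "ce5806f3f3a2afa8efe0272440ae6b2d",  # SpyPro
    "5170e6923859a70ede3b2685ccd5ba04",  # Hiloti
    "30fd84f3c0e0dc7666658dc52c216a2a",  # Hiloti
    "a06e417b9743e65bbb9ace16d6d3a65f",  # Hiloti (google.exe / 0.8503427712213907.exe)
}

DATE_FMT = "%m/%d/%Y %H:%M:%S"


def parse_timeline(text):
    """Read the CSV and attach a datetime to each row, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["Date"], DATE_FMT)
        events.append(row)
    events.sort(key=lambda e: e["when"])
    return events


def first_known_bad(events, bad_md5s):
    """Earliest entry whose hash is already known to be malicious: the pivot."""
    bad = {h.lower() for h in bad_md5s}
    for event in events:
        if (event.get("Hash") or "").lower() in bad:
            return event
    return None


def window_before(events, pivot, seconds):
    """Entries from `seconds` before the pivot up to and including it,
    newest first, which is the order the post works through them."""
    start = pivot - timedelta(seconds=seconds)
    hits = [e for e in events if start <= e["when"] <= pivot]
    return sorted(hits, key=lambda e: e["when"], reverse=True)


def pivot_report(text, bad_md5s, seconds=60):
    """(pivot event, events in the window before it) or (None, [])."""
    events = parse_timeline(text)
    pivot = first_known_bad(events, bad_md5s)
    if pivot is None:
        return None, []
    return pivot, window_before(events, pivot["when"], seconds)


if __name__ == "__main__":
    pivot, window = pivot_report(SAMPLE_TIMELINE, KNOWN_BAD_MD5, seconds=15)
    print("pivot:", pivot["when"], pivot["Name"])
    for e in window:
        print(e["when"].strftime("%H:%M:%S"), e["Source"], e["Name"])
```

Widening the window (the `seconds` argument) is how you move from the exploit's own artifacts to the ad-network entries that preceded them; narrowing it isolates the few seconds where the exploit and its payload overlap.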
As I mentioned previously, I haven’t completed the entire examination, but I have started to form my hypothesis about what happened. The hypothesis is that the computer was infected with SpyPro because my friend visited a website at the time third-party content was displayed, which resulted in his browser being redirected to a malicious domain. My reasoning is that the malicious content (an advertisement) appears to have started a chain reaction, with the computer visiting the xhaito[dot]com domain, which was hosting an unknown exploit pack performing drive-by attacks. This exploit pack attempted to exploit at least two vulnerabilities present on the system (the Windows Help Center vulnerability and an unknown vulnerability the jar file targeted), and at least one exploit was successful since the payload, the Hiloti Trojan, was installed on the system. There were no artifacts of another exploit or another attack when the first copy of SpyPro was created on the system. Plus, Microsoft states the Hiloti Trojan is a downloader. Therefore, I think SpyPro was downloaded to the system by one of the copies of the Hiloti Trojan.
At this point I was able to clean my friend’s computer and I identified a few areas of the investigation process I want to learn more about. My next steps in the examination would have been to complete the examination, develop my hypothesis about what happened, and then test this hypothesis to determine if it is valid.
Lessons Learned
When my friend asked me for assistance I could have just wiped and rebuilt his system for him. This is a practice I saw back in my IT days, it’s a practice I read about on the Internet, and it’s a practice still occurring at a lot of organizations judging by the discussions I have had with people. Had I followed this practice, you wouldn’t be reading this post, nor would there have been any lessons learned. My friend eventually would have been re-infected once his programs became out of date again, since the lack of software updates contributed to his system getting infected. Plus I wouldn’t have had this opportunity to learn some new things as well as identify some areas I would like to understand better.
I was able to explain the significance of regularly updating the software on a computer to my friend, since this was what caused his system to become infected. If the cause had been opening a malicious email or his children downloading something, my advice would have been different, but it still would have focused on the root cause of the infection. As I was thinking about this, a question kept running through my mind: how can you provide sufficient advice on the security controls that could help keep an incident from recurring without knowledge of the incident’s root cause? I think this question applies whether the recommendations are for a friend, a customer, or the organization you are employed by.
In closing, I wanted to thank my friend for allowing me to share this examination through my blog. I think this information could be useful to a range of people, and comments from readers could help me understand what I missed or what I could do differently. None of this would have been possible without my friend’s willingness to share even if he got free tech support. ;)
Before I asked my friend to turn off his computer I tried to help him identify the rogue security program using the Task Manager. This approach didn’t work because the rogue program blocked any new process, including the Task Manager, from running. In addition to blocking the new process, a fake security alert would appear indicating the process was a virus. The timeline entries below show the Task Manager being accessed.
Working through this portion of the timeline I had to go through a lot of files that were accessed. The number of files accessed in such a short period made it appear as if the computer was shutting down and/or a scan was occurring on the system. The next timeline entry of interest occurred at 19:05:45 and involved one of the copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d).
The image below shows the next timeline entries of interest.
The files arezires.dll and get2[1].php were created on the system at the same time, 19:03:12. Both files were examined and determined to be identical since their MD5 hashes matched. The following is the additional information about the files:
arezires.dll and get2[1].php
* File path: \WINDOWS\arezires.dll and \Documents and Settings\*****\Local Settings\Temporary Internet Files\Content.IE5\M95YKOXS\get2[1].php
* VT result: malicious and hash search identified the file as FakeWarn and FakeAlert
* MD5 hash: ef3501a3a215949bd61142139f631406
* Creation date: 09/12/10 07:03:12PM
* Last written date: 09/12/10 07:03:12PM
* MFT last modification date : 09/12/10 07:03:12PM
The content of the arezires.dll file contained script which appeared to force a person to a certain website as can be seen below.
I ran the arezires.dll file through the online scanner Jsunpack, and the following paths were being accessed on the antivirpwr[dot]com domain: logotarget.jpg, images/point.png, and images/downbutton.png. A Google search for the domain antivirpwr[dot]com was performed and the top four hits are shown below.
As shown in the picture, the antivirpwr[dot]com domain is advertising security software and my theory is this would have been the website my friend would have been directed to if he tried to purchase the SpyPro software. McAfee’s description write-up on FakeAlert-SpyPro.gen.ai strengthens this theory since the sample analyzed tried to access the same website listed in the arezires.dll file. I never confirmed this theory because I didn’t examine the SpyPro Trojan I located.
Continuing on with the timeline there was another entry that occurred at 19:03:12 and is shown below.
The entry shows that the get2[1].php (MD5 ef3501a3a215949bd61142139f631406) file came from the 231207da0903[dot]deanard[dot]com domain. I queried the domain using Robtex and the domain mapped to an IP address which is shared with over 40 other hosts. The picture below shows a few of these hosts.
Looking further into the 231207da0903[dot]deanard[dot]com domain I reviewed the records section of Robtex and the picture below shows the IP address for this domain mapped to *[dot]deanard[dot]com.
231207da0903[dot]deanard[dot]com was mapping back to the parent domain, so I performed a Google search on the domain, which led me to a Malware Intelligence blog post titled Pirated Edition Affiliate program Pay-per-Install. The post discusses the business model of affiliate programs paying customers for spreading their malware. The following are the interesting connections between the post and the system I was examining:
* The file being referenced in the post was named get[2].php which has the same name as the file brought down by deanard[dot]com domain.
* The host associated with the get[2].php file was husseta[dot]com, which is also one of the hosts mapped to 94.75.221.77.
* The deanard[dot]com domain also maps to the IP address discussed in the blog post.
* The IP address in the post 95.221.98.246 and the IP address 94.75.221.77 both have the same Autonomous System number which is AS16265 “LeaseWeb AS Amsterdam, Netherlands”.
I found this to be a fascinating connection, and it makes me wonder if this affiliate program is involved with the malware present on my friend’s system, and if so, how you would go about confirming this link.
Timeline Examination Summary Update:
**** So far, the analysis determined the computer has been powered off since Sunday night and there is activity involving the domain deanard[dot]com. This domain has links to an affiliate program which pays customers to spread their malware. There were two copies of the FakeAlert (MD5 ef3501a3a215949bd61142139f631406) downloaded from deanard[dot]com at 09/12/10 07:03:12PM. The FakeAlert made references to the antivirpwr[dot]com website which was advertising security software. There were indications this website is not advertising legitimate software. ****
The next few entries of interest are associated with the SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d). The entry below shows one of the copies of the program is referencing htmlMain.htm at 19:02:56.
Just before this entry the timeline showed the SpyPro program being accessed.
My friend had McAfee antivirus installed on his system at the time of the attack, and the entry below shows a scan was started at 19:01:26. There were other event log entries around this time reflecting services being started in addition to the McAfee scanner.
The 19:01:12 entry showed another copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) was accessed.
The next portion of the timeline had a lot of activity involving the Temporary Internet Files folder and a lot of the files were images. The picture below shows a couple of these files.
The entry right before these images started appearing on the system shows my friend visited Facebook at 18:50:29.
Continuing to work backwards in the timeline, the next entries of interest occurred at 18:41:52, which is just under three minutes after the last piece of identified malware was created on the system (that last creation time was 18:39:04). This was when cookies from Yahoo were created on the system.
At 18:40:58 my friend accessed his email.
Timeline Examination Summary Update:
**** The examination at this point is closer to the timeframe of interest which is 09/12/10 06:38:42PM since this is when the first piece of identified malware was created on the system. The significant piece of information from this portion of the timeline indicates my friend was already infected when he went to Facebook and he might have been using Yahoo’s email around the time the computer was infected. The other activity in this portion of the timeline involved SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d). ****
The next entries of interest occurred at 18:40:42 which is shown in the image below.
The files Gwomiliyojoqo.dat and get2[1].htm were created on the system at the same time, and both files had the same MD5 hash. The content of this file was a string of 120 characters that started with 3C3E7A6E68. The hash search at VT had 0 out of 42 detections, and the Google search only had two hits, one of which was a July 21, 2010 file submission at Jsunpack.
At 18:40:40 the Hiloti Trojan (MD5 30fd84f3c0e0dc7666658dc52c216a2a) appeared on the system. This malware was first identified reviewing the autoruns output. The image below shows that a .htm file was modified at the same time but the examination of this file didn’t reveal any additional information.
Also at 18:40:40, the Run key in the Software hive was modified.
The following are modifications made to this key and the output is from Harlan Carvey’s Regripper:
* Prehoherajoza -> rundll32.exe "C:\WINDOWS\egugehudafu.dll",Startup
* cepijgkk -> C:\Documents and Settings\****\Application Data\oexrvilnf\hdwhvqmuqiw.exe
* anyplcer -> C:\Documents and Settings\****\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe
The Internet history shows my friend was on Yahoo’s website at 18:39:31 and this is shown in the image below.
The next few entries in the timeline indicated Adobe Reader was running and there was a modification to a log file used by Adobe at 18:39:19.
The content of this log file provided some useful information. First was that the Adobe ARM 1.4.5.0 logging was started at 18:39:18 and ended one second later. Second the log showed the version of Adobe Reader on the computer was 8.2 which is outdated since the latest version (at the time of this post) is 9.3.4.
The timeline showed there were modifications to Adobe ARM prefetch files, further corroborating that the ARM logging was running. At 18:39:14, a copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) executed.
The remaining timeline entries leading up to when the last piece of identified malware was created on the system show another copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) executing, and a modification to a Run key in my friend’s user account ntuser.dat. Both of these are illustrated in the images below.
The following were modifications made to the ntuser.dat run key and the output is from Harlan Carvey’s Regripper:
* cepijgkk -> C:\Documents and Settings\****\Application Data\oexrvilnf\hdwhvqmuqiw.exe
* anyplcer -> C:\Documents and Settings\****\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe
* Fnanaha -> rundll32.exe "C:\WINDOWS\qdfnst.dll",Startup
These registry modifications are a redundant persistence mechanism for the copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d), because the same modification was made to the Software hive's CurrentVersion\Run key. However, the Software Run key referenced egugehudafu.dll instead of qdfnst.dll. The qdfnst.dll file is a different copy of the Hiloti Trojan and will be discussed later in this post.
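The two Run key listings above are the kind of RegRipper output a practitioner triages by eye. The Python below is an added example, not the author's code or RegRipper's, that parses RegRipper-style `name -> command` lines and applies three simple checks: the image lives in a user-writable profile directory, it is a DLL loaded through rundll32 straight out of \WINDOWS\, or the value name or file name contains long consonant runs (a rough test for machine-generated names, and only a heuristic). The sample output is constructed from the three values on this page with a benign Adobe entry added for contrast; the username and that Adobe path are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample shaped like RegRipper's Run key output. The three
# malicious values are the ones reported on this page; the Adobe value and
# the user name are assumptions added for contrast.
SAMPLE_OUTPUT = r"""
Software\Microsoft\Windows\CurrentVersion\Run
  Prehoherajoza -> rundll32.exe "C:\WINDOWS\egugehudafu.dll",Startup
  cepijgkk -> C:\Documents and Settings\user\Application Data\oexrvilnf\hdwhvqmuqiw.exe
  anyplcer -> C:\Documents and Settings\user\Local Settings\Application Data\bfuqvjmoj\hcdrsjbuqiw.exe
  Adobe Reader Speed Launcher -> "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"""

LINE_RE = re.compile(r"^\s*\*?\s*(?P<name>.+?)\s*->\s*(?P<cmd>.+?)\s*$")
# First drive-letter path ending in an executable extension; handles both
# quoted paths and unquoted paths that contain spaces.
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd))"?', re.I)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")


def parse_run_values(text):
    """Return (value_name, command) pairs from RegRipper-style output."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group("name"), m.group("cmd")))
    return pairs


def image_path(command):
    """Executable or DLL the Run value ultimately loads."""
    m = IMAGE_RE.search(command)
    return m.group(1) if m else command.split()[0]


def longest_consonant_run(s):
    """Length of the longest run of consonants; random names score high."""
    run = best = 0
    for ch in s.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage_value(name, command):
    path = image_path(command)
    low = path.lower()
    reasons = []
    if "rundll32" in command.lower():
        reasons.append("DLL loaded through rundll32 at logon")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("image in a user-writable profile directory")
    if WINDOWS_ROOT_RE.match(low):
        reasons.append("image directly in \\WINDOWS\\ rather than system32")
    stem = PureWindowsPath(path).stem
    if longest_consonant_run(stem) >= 4 or longest_consonant_run(name) >= 4:
        reasons.append("value or file name looks machine-generated (heuristic)")
    return {"name": name, "image": path, "reasons": reasons}


def triage_run_output(text):
    return [triage_value(n, c) for n, c in parse_run_values(text)]


if __name__ == "__main__":
    for r in triage_run_output(SAMPLE_OUTPUT):
        flag = "SUSPECT" if r["reasons"] else "ok     "
        print(flag, r["name"], "->", r["image"], "; ".join(r["reasons"]))
```

The checks are deliberately cheap: none of them proves malice on its own, but every value the dropper wrote on this system trips at least two of them while the benign entry trips none, which is what makes a long Run key listing quick to prioritise.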
Timeline Examination Summary Update:
**** The examination at this point brought us closer to the time period of interest which is 09/12/10 06:38:42PM. The examination identified two persistence mechanisms using a Run key in the Software registry hive and a user account’s ntuser.dat. Both of these mechanisms were configured to launch two copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) and a copy of the Hiloti Trojan. The other activity in this portion of the timeline that could be meaningful was the Adobe ARM logging service was started.
Hopefully at this point of the examination I haven’t lost too many readers because the next portion of the timeline brings us to the time period of interest. At 18:38:58 two copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) were created and executed on the system.
A registry modification occurred at the same time a copy of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) executed on the system. The keys modified are illustrated below.
As can be seen in the picture, two modifications occurred under the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies key. This key is associated with the Attachment Manager, which attempts to protect your computer from unsafe email attachments and unsafe files from the Internet. For additional information refer to Microsoft’s support article 883260. The Policies\Attachments key was changed by adding "SaveZoneInformation" with the data 1. According to the support article, this setting stops Windows from marking file attachments with their zone information, so Windows can no longer make appropriate risk assessments.
The Policies\Associations key was changed by adding "LowRiskFileTypes" with the data .exe. According to the support article, this results in the user not being prompted when opening .exe files regardless of the zone, including the Internet and Restricted sites zones.
I am not sure how these registry modifications fit into the attack since the majority of the malware was already present on the system. It leads me to believe the change was made in anticipation of downloading additional malware in the future. The next portion of the timeline is shown below.
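Support article 883260 gives the meaning of the values the dropper changed. The Python below is an added example, not from the post, that encodes those semantics so the two values recovered from the user's ntuser.dat (and the other Attachment Manager values the same article documents) can be scored automatically rather than looked up by hand; `read_live_policy` reads the same keys from a running Windows system through the standard-library `winreg` module. The sample dictionaries are constructed from the values on this page, and the extension list is a subset of the types the article lists as high risk.

```python
from typing import Dict, List

# Subset of the file types KB 883260 lists as high risk; finding one of these
# demoted to "low risk" means the Attachment Manager will not prompt for it.
HIGH_RISK_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                        ".js", ".vbs", ".hta", ".msi", ".reg"}

# Constructed sample: the two values reported on this page. A missing value
# means the policy is not set and the default behaviour applies.
SAMPLE_ATTACHMENTS = {"SaveZoneInformation": 1}
SAMPLE_ASSOCIATIONS = {"LowRiskFileTypes": ".exe"}


def interpret_attachment_policy(attachments: Dict[str, object],
                                associations: Dict[str, object]) -> List[str]:
    """Map Attachment Manager policy values (KB 883260) to their effect.
    `attachments` holds the values under ...\\Policies\\Attachments and
    `associations` the values under ...\\Policies\\Associations."""
    findings = []
    if attachments.get("SaveZoneInformation") == 1:
        findings.append("SaveZoneInformation=1: the zone identifier is not written to "
                        "downloaded files, so Windows cannot assess their risk")
    if attachments.get("HideZoneInfoOnProperties") == 1:
        findings.append("HideZoneInfoOnProperties=1: the Unblock control is hidden "
                        "in file properties")
    if attachments.get("ScanWithAntiVirus") == 1:
        findings.append("ScanWithAntiVirus=1: the registered antivirus is not called "
                        "when attachments are opened")
    low = associations.get("LowRiskFileTypes") or ""
    for ext in (e.strip().lower() for e in str(low).split(";")):
        if ext in HIGH_RISK_EXTENSIONS:
            findings.append(f"LowRiskFileTypes includes {ext}: no prompt when opening "
                            f"this type from the Internet zone")
    return findings


def read_live_policy():
    """Read the same two subkeys from the current user's hive on a live
    Windows host (winreg is Windows only)."""
    import winreg
    base = r"Software\Microsoft\Windows\CurrentVersion\Policies"

    def values(subkey):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + "\\" + subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # raised when no more values remain
                        break
                    out[name] = data
                    index += 1
        except FileNotFoundError:
            pass
        return out

    return values("Attachments"), values("Associations")


if __name__ == "__main__":
    for line in interpret_attachment_policy(SAMPLE_ATTACHMENTS, SAMPLE_ASSOCIATIONS):
        print("-", line)
```

On an offline image, feed the function the values your registry parser returns for the two subkeys; on a live host, `read_live_policy()` supplies them. Either way, a populated result on a home user's machine, where nobody sets these policies deliberately, is a finding in its own right.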
Most of the activity between 18:38:51 and 18:38:53 involved copies of SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) and Hiloti (MD5 5170e6923859a70ede3b2685ccd5ba04), which were identified during the examination of the files of interest step. However, at 18:38:49 an executable named google.exe was created on the system (line 4955 in the above picture). Examination of this file determined it was a new piece of malware, and the additional details are below.
google.exe
* File path: \Documents and Settings\****\Local Settings\Temp\google.exe
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: a06e417b9743e65bbb9ace16d6d3a65f
* Creation date: 09/12/10 06:38:49PM
* Last written date: 09/12/10 06:38:51PM
* MFT last modification date : 09/12/10 06:38:51PM
The next few entries in the timeline showed a copy of a SpyPro (MD5 ce5806f3f3a2afa8efe0272440ae6b2d) and an unknown program (0.8503427712213907.exe) executed.
The next entries in the timeline finally bring us to 09/12/10 06:38:42PM, which is the point in time when the first piece of identified malware was created on the system.
As you can see in the image, copies of SpyPro (lines 4927 and 4928) were created on the system, one copy of SpyPro executed (line 4930), and the previously mentioned file qdfnst.dll on line 4929 had its MFT entry modified. The qdfnst.dll file was identified as a new copy of Hiloti, and the following is the additional information about this file.
qdfnst.dll
* File path: \WINDOWS\qdfnst.dll
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: f1abef9bd8240815ceaf97a7527318b2
* Creation date: 08/16/05 06:18:42AM (note: this file’s timestamp was modified)
* Last written date: 04/13/08 08:12:08PM
* MFT last modification date : 09/12/10 06:38:42PM
Timeline Examination Summary Update:
**** The examination has identified two new variants of Hiloti (MD5 a06e417b9743e65bbb9ace16d6d3a65f and MD5 f1abef9bd8240815ceaf97a7527318b2) on the system. Finally, we are at the point in time when the first piece of identified malware was created on the system. The examination up to this point has been looking for artifacts associated with the payload of the attack such as the numerous pieces of malware identified. However, the examination will now start to focus on trying to identify the initial infection vector which resulted in the first piece of malware being dropped to the system.****
At 06:38:41PM acrord32.exe prefetch file was modified and the unknown program (0.8503427712213907.exe) was executed. This is the second reference so far regarding this unknown program.
The picture below shows the next entries in the timeline which involve the Java deployment cache folder.
The entries of interest are on lines 4918 and 4919 because they show 781da39f-6b6c0267.idx and 781da39f-6b6c0267 being created on the system at 18:38:39. The signature analysis identified the file 781da39f-6b6c0267 as having the zip file format. I first reviewed the content of the 781da39f-6b6c0267.idx file, and this is shown below.
As you can see in the picture, there are two items of interest which are the IP address 91.213.217.31 and the rox[dot]jar file being accessed from the domain xhaito[dot]com. The IP address was queried and there were five hosts sharing this address.
The xhaito[dot]com mapped to the IP address so next I queried the domain in order to view the Whois record. The whois information is listed below and the contact information could be false.
Did you notice the xhaito[dot]com domain was created on 09/12/2010 which is the same day my friend’s system was infected? The time listed is 04:33:54 but I am not sure what timezone is used when a domain is registered. I performed a Google search for the domain and the domain was present in the MalwareURL database.
The URLs listed in the database don’t match the URL in the .idx file but the URLs still involve the same domain. The picture below was the other information found on MalwareURL about this domain.
Xhaito[dot]com domain was first listed in the database on 09/15/2010 with the description of the Siberia Exploit Pack sitting on this IP address with the Hiloti Trojan as the payload. The examination has already found a few different copies of the Hiloti Trojan so the information in this database seems to match up to the artifacts on the system. The research I did on the exploit pack indicates the tool only has exploits for Adobe Reader and Java.
The 781da39f-6b6c0267.idx file provided valuable information including a jar file being referenced from a domain that is hosting an exploit pack and the Hiloti Trojan. The 781da39f-6b6c0267 file was the jar file downloaded from this domain. The content of this file contained eight class files.
I have been using online scanners to help me examine Java files but I have never encountered a jar file before. I reached out to the Yahoo Win4n6 group for feedback on how to review these files and the answer I received was to examine the jar file with a Java decompiler in order to see the code. I tried this using one of the suggested decompilers which was the JD-GUI. I didn’t make much progress on this and this is an area I have added to my list to improve my knowledge on. However, a member in the Win4n6 group provided me with a hint to look for file names and I saw the reference below.
The jar file had a reference to the file google.exe. Google.exe had already been located, and it was confirmed to be a copy of the Hiloti Trojan (MD5 a06e417b9743e65bbb9ace16d6d3a65f).
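Triaging the Java deployment cache the way the post does (read the .idx to learn the source URL and IP, confirm the companion file is a zip/jar, list its class files, and look for embedded file names such as google.exe) can be scripted. The Python below is an added example, not the author's or Oracle's tooling, and it deliberately does not parse the .idx layout by fixed offsets, because that layout changed across Java releases; it pulls URL and IPv4 strings by pattern instead. The .idx bytes and the eight-class jar are constructed in memory for illustration, with a `google.exe` string planted in one class.

```python
import io
import re
import zipfile
from pathlib import Path

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Names of things a loader class would drop or run.
DROPPED_NAME_RE = re.compile(rb"[A-Za-z0-9_.-]{1,40}\.(?:exe|dll|scr|bat|cmd)\b", re.I)
ZIP_MAGIC = b"PK\x03\x04"


def idx_indicators(idx_bytes):
    """URLs and IPv4 addresses stored in a Java cache .idx record, extracted
    by pattern rather than by the version-specific fixed layout."""
    urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(idx_bytes)})
    ips = sorted({m.decode("ascii") for m in IPV4_RE.findall(idx_bytes)})
    return {"urls": urls, "ips": ips}


def is_jar(data):
    """A jar is a zip; the local file header magic is enough to tell."""
    return data[:4] == ZIP_MAGIC


def jar_report(jar_bytes):
    """Entry count, class names, and any executable file names embedded in
    the entries (the hint that led the post to google.exe)."""
    embedded = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            for hit in DROPPED_NAME_RE.findall(zf.read(name)):
                embedded.add(hit.decode("ascii", "replace").lower())
    classes = [n for n in names if n.endswith(".class")]
    return {"entries": len(names), "classes": classes, "embedded_filenames": sorted(embedded)}


def triage_cache_dir(root):
    """Pair every .idx under the Java cache root with its data file."""
    reports = []
    for idx in Path(root).rglob("*.idx"):
        data_file = idx.with_suffix("")  # 781da39f-6b6c0267.idx -> 781da39f-6b6c0267
        entry = {"idx": str(idx), **idx_indicators(idx.read_bytes())}
        if data_file.is_file():
            blob = data_file.read_bytes()
            entry["jar"] = jar_report(blob) if is_jar(blob) else None
        reports.append(entry)
    return reports


# --- constructed samples (illustration only, not the files from the post) ---
SAMPLE_IDX = (b"\x00\x00\x00\x00\x02Z\x00\x00\x12\x34"
              b"http://xhaito[dot]com/rox.jar\x00"
              b"\x00server-ip\x0091.213.217.31\x00")


def build_sample_jar():
    """Eight class-like entries, one carrying a google.exe string, like the
    jar the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for i in range(8):
            body = b"\xca\xfe\xba\xbe" + b"\x00" * 8 + f"a/Loader{i}".encode()
            if i == 0:
                body += b"\x00java/io/File\x00google.exe\x00"
            zf.writestr(f"a/Loader{i}.class", body)
    return buf.getvalue()


if __name__ == "__main__":
    print(idx_indicators(SAMPLE_IDX))
    print(jar_report(build_sample_jar()))
```

Point `triage_cache_dir` at the profile's Java deployment cache (under Application Data\Sun\Java\Deployment\cache on Windows XP) and every cached applet comes back with where it was fetched from and which executable names its classes mention; that is the triage step, and decompiling a jar that mentions an .exe is the follow-up.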
The 781da39f-6b6c0267.idx and 781da39f-6b6c0267 files are good candidates to be involved with the initial infection vector because the files appeared on the system one second before 18:38:42 (this is when the first piece of identified malware was created on the system). Plus whatever the purpose was of these files it appeared to succeed since the google.exe executable ended up on the system. However, I didn’t reach the point in the examination where there was no longer a trail of artifacts so the examination continued. The timeline showed that one second before the idx and jar files were downloaded a different copy of the Hiloti Trojan with the name of qdfnst.dll was accessed. This means the idx and jar files are not the initial infection because the system was already infected before these files appeared on the computer.
The next area of the timeline showed more activity of an infection before the 781da39f-6b6c0267.idx and 781da39f-6b6c0267 files were dropped on the system. The picture below shows the entries.
At 18:38:38 the command prompt was accessed which was one second after a Java prefetch file was modified. Previously I referenced an unknown program named 0.8503427712213907.exe executing on the system and this file was created on the system at 18:38:35. This executable was examined and it was the same file as google.exe since the MD5 hashes were the same. Here is some additional information about the file:
0.8503427712213907.exe
* File path: \Documents and Settings\****\Local Settings\Temp\0.8503427712213907.exe
* VT result: malicious and hash search identified the file as Hiloti
* MD5 hash: a06e417b9743e65bbb9ace16d6d3a65f
* Creation date: 09/12/10 06:38:35PM
* Last written date: 09/12/10 06:38:36PM
* MFT last modification date: 09/12/10 06:38:36PM
At 18:38:35 another file was created on the system at the same time as the Hiloti Trojan (MD5 a06e417b9743e65bbb9ace16d6d3a65f). The content of this file is shown below.
I started performing searches using various strings of characters from this file, and this activity led me to a Full Disclosure archive about the Microsoft Windows Help Center vulnerability (the hcp:// whitelist bypass published in June 2010, CVE-2010-1885, which Microsoft patched in MS10-042). Exploitation of this vulnerability allows an attacker to bypass the trusted documents whitelist and execute arbitrary commands. According to the Full Disclosure archive, the attack against this vulnerability would look like the following (I am only including the information that provides context for a few of the next artifacts on the system).
* A user would be forced to fetch an .asx file with the htmlview element
* From the htmlview element the hcp protocol gets called in order to exploit the vulnerability to bypass the whitelist
* After the whitelist is bypassed then arbitrary commands can be executed in the context of the user’s privileges
The content of hcp[1].htm is identical to the code used to defeat the whitelist. A section in the archive mentions that accessing an hcp:// URL in Internet Explorer 8, Firefox, or Chrome results in a command prompt. The system under examination had Internet Explorer 8 installed, and line 4911 shows the command prompt being accessed. The presence of the hcp[1].htm file, the command prompt being accessed, the Hiloti Trojan (MD5 a06e417b9743e65bbb9ace16d6d3a65f) named 0.8503427712213907 on the system, and the system not having this patch installed lead me to believe this exploit was successful.
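The check the post performs by hand, recognising the hcp:// call in hcp[1].htm, can be turned into a scan of everything in the browser cache. The Python below is an added example, not the author's, and it does not reproduce the exploit; it finds hcp:// URLs in cached HTML and .asx files, decodes %XX and %uXXXX escapes, and reports whether the decoded topic path contains directory traversal or script markup, and whether the URL was supplied through an ASX HTMLView parameter (the launch method the Full Disclosure writeup describes). Any hcp:// reference in a web cache is worth a look, so URLs without those markers are still reported. The two sample documents are constructed for illustration and only loosely resemble the published proof of concept.

```python
import re
from pathlib import Path
from urllib.parse import unquote

HCP_URL_RE = re.compile(r"hcp://[^\s\"'<>]+", re.I)
HTMLVIEW_RE = re.compile(
    r"<param\s+name\s*=\s*[\"']?htmlview[\"']?\s+value\s*=\s*[\"']([^\"']+)", re.I)

SIGN_HTMLVIEW = "launched from ASX HTMLView"
SIGN_TRAVERSAL = "directory traversal in topic path"
SIGN_SCRIPT = "script markup in hcp URL"


def decode_hcp(url):
    """Undo %uXXXX and %XX escapes so obfuscated traversal and markup show."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), url)
    return unquote(s)


def extract_hcp_urls(text):
    """All hcp:// URLs in the document, plus the subset passed via HTMLView."""
    urls = {m.group(0) for m in HCP_URL_RE.finditer(text)}
    via_htmlview = set()
    for m in HTMLVIEW_RE.finditer(text):
        value = m.group(1)
        if value.lower().startswith("hcp://"):
            urls.add(value)
            via_htmlview.add(value)
    return urls, via_htmlview


def assess(url, via_htmlview=False):
    decoded = decode_hcp(url)
    signs = []
    if via_htmlview:
        signs.append(SIGN_HTMLVIEW)
    if re.search(r"\.\.[\\/]", decoded):
        signs.append(SIGN_TRAVERSAL)
    if re.search(r"<\s*script", decoded, re.I):
        signs.append(SIGN_SCRIPT)
    return {"url": url, "decoded": decoded, "signs": signs}


def scan_text(text):
    urls, via_htmlview = extract_hcp_urls(text)
    return sorted((assess(u, u in via_htmlview) for u in urls), key=lambda f: f["url"])


def scan_cache(root):
    """Walk a Temporary Internet Files tree and scan every HTML-like file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".htm", ".html", ".asx", ".php", ".txt"}:
            for f in scan_text(path.read_text(errors="ignore")):
                findings.append({"file": str(path), **f})
    return findings


# --- constructed samples; not the exploit, and only loosely shaped like the PoC ---
SAMPLE_ASX = """<ASX version="3.0">
 <ENTRY>
  <PARAM name="HTMLView" value="hcp://services/search?query=x&topic=hcp://system/page.htm%A0..%5C..%5Cpage.htm%u003fsvr=%3Cscript%20defer%3Ealert(1)%3C/script%3E"/>
 </ENTRY>
</ASX>"""

SAMPLE_BENIGN = '<html><body><a href="hcp://system/home.htm">Help and Support</a></body></html>'


if __name__ == "__main__":
    for f in scan_text(SAMPLE_ASX) + scan_text(SAMPLE_BENIGN):
        print(f["url"][:60], "->", f["signs"] or "no markers")
```

Run `scan_cache` over Content.IE5 and the restore points; on this system it would have surfaced hcp[1].htm and the .asx fetched from xhaito[dot]com without needing to recognise the code by eye, and the decoded form makes the traversal and injected script obvious to whoever reads the report.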
The next group of entries in the timeline involved Java running on the system as illustrated below.
The next significant entry in the timeline was a file being created in the Temporary Internet Files folder at 18:38:25.
The content of this file was examined and it showed there was not only a reference to the jar file that was downloaded to the system but there was a reference to the xhaito[dot]com domain as well (note: this was one of the URLs listed in the MalwareURL database). At this point I definitely realized I need a better understanding of examining artifacts.
I uploaded the file to Jsunpack to be scanned, and the results provide context for a few of the files located on the system. The picture below indicates there was an .asx file hosted on the xhaito[dot]com domain, which is one required component for the Help Center vulnerability.
The URLs section of jsunpack shows the URLs requested. Notice the call for the hcp URL which was present in the hcp[1].htm file and the reference to the jar file. I saw the reference for a pdf but there was not one present on the system even though Adobe was running at some point.
Continuing on with the review of the timeline the last significant entry related to the initial infection vector occurred at 18:38:24 which was one second before the show[1].htm file appeared on the system.
You may remember from Part 1 that the entries in the PrivacIE folder’s index.dat file are from third parties hosting content on websites. At 18:38:24 a PrivacIE entry shows that show.php was accessed from the xhaito[dot]com domain.
Timeline Examination Summary Update:
**** The trail of artifacts including malware and the xhaito[dot]com domain stopped after this point in the examination. The antivirus scans I conducted after I cleaned the system confirmed the first piece of malware was the 0.8503427712213907 file (the scans found copies of malware in the restore points). This malware appeared on the system at the same time as an artifact from the exploit of the Windows Help Center vulnerability. It doesn’t have a bearing on my examination, but I wanted to mention that my research showed the Siberia Exploit pack referenced in the MalwareURL database doesn’t include the hcp exploit, so a different exploit pack or an updated version of Siberia was used in this attack. The initial infection vector for this system appeared to be third-party content hosted on a website which redirected users to the xhaito[dot]com domain for a drive-by attack. One of the vulnerabilities targeted in this drive-by was the Windows Help Center vulnerability.****
At this point I wanted to go further down the rabbit hole to see if I could locate the malicious third-party content and to find out what website was hosting the content. Unfortunately, I couldn’t find the malicious content referencing the xhaito[dot]com domain but as I stated previously I need a better understanding of examining artifacts. The bright side was I had another lead to pursue because there were two PrivacIE entries at 18:38:24 as illustrated below.
The other PrivacIE entry was from the batfior[dot]co[dot]cc domain. I tried to research this domain and I was unable to locate any information on it. The other artifacts before these timeline entries seemed to be associated with ads being displayed. The next file of interest was created on the system at 18:38:22 which is one second before the two PrivacIE entries.
The picture below shows the contents of this file.
I performed a few Google searches using different strings from the file’s contents, which didn’t turn up anything fruitful. I uploaded the file to jsunpack and received the following:
I am not sure what this file is and the function it performs so I continued reviewing the timeline. The next lead I found also involved a file being created on the system at 18:38:22.
This file was uploaded to jsunpack and the first interesting item was the URLs.
The URLs were listed as iframes as can be seen below.
The first URL listed is for the batfior[dot]co[dot]cc domain which appeared at the same time as the PrivacIE entry for the xhaito[dot]com domain. This file was the last reference I found for the batfior[dot]co[dot]cc domain on the system so I started to research the trueffects[dot]net domain. The domain mapped to IP address 72.9.236.172 which was shared with two other domains.
To learn more I performed a few Google searches for the trueffects[dot]net domain. One of the first hits I found was a post on a blog called Spyware Sucks. There were multiple posts from 09/01/2010 to 09/03/2010 mentioning how the facilitatedigital[dot]net domain was spreading malvertizing. At the time the author suggested being careful with content from trueffects[dot]net as well since it shared the same IP address. I thought this was interesting and then I saw the next entry in the timeline.
Back to Google I went to search for this URL, and the first hit was a thread in the Kaspersky forums. A user posted on 09/18/2010 that there was a message indicating something was blocked from the trueffects[dot]net/www/cmd URL. Keep in mind this user’s post was six days after my friend’s computer was infected. I posted a few of the Google search hits below involving this domain (I edited the hits’ URLs). As you can see there are indications this may be a risky domain, and there was even a hit for a comment made on 09/14/2010 about one of Yahoo’s advertisers supplying a URL from trueffects[dot]net which tried to infect their computer.
Continuing on with the timeline there was another file created at 18:38:22. This file was a cookie shown below.
Here is the content of this file.
The domain in the cookie mapped to the IP address 168.75.207.20. The Google searches I performed for the domain and for the IP address both resulted in hits on ThreatExpert. The picture below shows the search I performed on ThreatExpert in order to show the hits I saw through Google (I only did this for this post because the screenshot of the Google search was too large).
All of the artifacts I have been discussing occurred at 18:38:22 which was one second before the xhaito[dot]com domain PrivacIE entry. You may be asking yourself what occurred before 18:38:22 and the timeline entry below answers that question.
This entry is for the yimg[dot]com domain and the brief research I did on this domain indicates the domain is controlled by Yahoo. The timeline showed there was no activity at all on the system between 18:38:05 and 18:38:21. This means the trail of artifacts on the system ended at 18:38:21 and the last activity on the system initiated by my friend is shown below.
My friend was at his Yahoo email at 18:36:06, but there was also a PrivacIE entry from a local newspaper in my area indicating he may have been at that website as well.
Timeline Examination Summary Update:
**** The trail of artifacts including malware and the xhaito[dot]com domain may have stopped but there was other activity on the system that provided an additional lead. By following this lead it resulted in the trueffects[dot]net domain being discovered and this domain is associated with malvertizing. I wasn’t able to identify the website whose advertiser provided the malicious content that caused this redirect but I was able to narrow it down to two websites. This was the point in the rabbit hole where my journey of trying to find the answer of what on my friend’s system caused the malware to be downloaded ends.****
Overview of the Attack
I don’t want to give the impression my examination was completed because I didn’t complete one important step. This is the examination of the artifacts located including the malware, jar file, and the files associated with third-party content. I think some of these files would have to be analyzed in order to fully understand how the attack occurred. I presented a lot of information involving the examination of my friend’s computer. The sheer amount of information may have made it difficult to see what happened on the system so the following timeline highlights the significant events of this attack.
* 09/01/10 to 09/03/10 Spyware Sucks blog had a few posts mentioning facilitatedigital[dot]net domain was spreading malvertizing. The author warned about the trueffects[dot]net domain since it shared the same IP address
* 09/12/10 McAfee's description write-up on FakeAlert-SpyPro.gen.ai was discovered. This was referenced in the 09/13/10 blog post.
* 09/12/10 Google search hit located a person posting a comment about trueffects[dot]net is connected to malware
* 09/12/10 04:33:54 The xhaito[dot]com domain Whois record was created. This domain was hosting an exploit pack and the Hiloti Trojan.
* 09/12/10 06:36:06PM User accessed Yahoo email and there was activity involving timesunion.com which is a local newspaper.
* 09/12/10 06:38:05PM to 06:38:21PM There was no activity on the system.
* 09/12/10 06:38:21PM PrivacIE entry for a domain controlled by Yahoo.
* 09/12/10 06:38:22PM Cookie from this[dot]content[dot]served[dot]by[dot]adshuffle[dot]com was created on the system. This domain was associated with malware.
* 09/12/10 06:38:22PM asrefinc11[1].js was created. Jsunpack identified this file as suspicious.
* 09/12/10 06:38:22PM l[1].htm was created. This file had references to the batfior[dot]co[dot]cc and trueffects[dot]net domains. The trueffects[dot]net domain was associated with malware and maps to an IP address shared by another domain associated with malware.
* 09/12/10 06:38:22PM PrivacIE entry for the trueffects[dot]net domain.
* 09/12/10 06:38:24PM PrivacIE entries for the batfior[dot]co[dot]cc and xhaito[dot]com domains. This means these domains were hosting content on a website the user visited. The xhaito[dot]com domain was hosting malicious content.
* 09/12/10 06:38:25PM show[1].htm file was created on the system. This file had references to a few of the artifacts (jar file and the Windows Help Center vulnerability). Also, this file was associated with the xhaito[dot]com domain.
* 09/12/10 06:38:35PM The hcp[1].htm file was created on the system. The content of this file is associated with the Windows Help Center vulnerability.
* 09/12/10 06:38:35PM 0.8503427712213907.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was created.
* 09/12/10 06:38:38PM Command prompt was accessed. This might have been due to the Windows Help Center vulnerability being exploited.
* 09/12/10 06:38:38PM Qdfnst.dll (Hiloti MD5 f1abef9bd8240815ceaf97a7527318b2) was accessed.
* 09/12/10 06:38:41PM 781da39f-6b6c0267.idx and 781da39f-6b6c0267 were created on the system. The files were associated with the xhaito[dot]com domain and the 781da39f-6b6c0267 was a jar file with a reference to google.exe.
* 09/12/10 06:38:41PM 0.8503427712213907.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was executed.
* 09/12/10 06:38:42PM Qdfnst.dll (Hiloti MD5 f1abef9bd8240815ceaf97a7527318b2) MFT record was modified.
* 09/12/10 06:38:42PM 176572328.exe (Hiloti MD5 5170e6923859a70ede3b2685ccd5ba04) and 176572329.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) were created.
* 09/12/10 06:38:49PM Google.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was created.
* 09/12/10 06:38:51PM 176581812.exe (Hiloti MD5 5170e6923859a70ede3b2685ccd5ba04) and 176581813.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) were created.
* 09/12/10 06:38:58PM hdwhvqmuqiw.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) was created on the system in two locations. One was the user profile\Local Settings\Application Data\ while the other was the user profile\Application Data\.
* 09/12/10 06:38:58PM Registry modification was made to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies. Two keys were modified so that Windows would not make appropriate risk assessments and would not prompt the user when accessing files with the .exe extension.
* 09/12/10 06:39:04PM hcdrsjbuqiw.exe (SpyPro MD5 ce5806f3f3a2afa8efe0272440ae6b2d) was created.
* 09/12/10 06:39:04PM Registry modification was made to HKCU\Software\Microsoft\Windows\CurrentVersion\Run. There were values here to launch two copies of SpyPro and one copy of Hiloti.
* 09/12/10 06:39:19PM Vulnerable version of Adobe was running (Adobe reader v8.2.0)
* 09/12/10 06:39:31PM The user was accessing Yahoo email.
* 09/12/10 06:40:40PM egugehudafu.dll (Hiloti MD5 30fd84f3c0e0dc7666658dc52c216a2a) MFT record was modified.
* 09/12/10 06:40:40PM Registry modification was made to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. There were values here to launch two copies of SpyPro and one copy of Hiloti.
* 09/12/10 06:41:52PM Yahoo cookies were created in the user profile.
* 09/12/10 06:50:29PM The user visited FaceBook.
* 09/12/10 07:03:12PM get2[1].php (MD5 ef3501a3a215949bd61142139f631406) was created and this file came from the 231207da0903[dot]deanard[dot]com domain. The parent domain had links to an affiliate program which pays customers for spreading malware.
* 09/12/10 07:03:12PM arezires.dll and get2[1].php (FakeAlert MD5 ef3501a3a215949bd61142139f631406) were created on the system in two locations. One location was \WINDOWS\ while the other was user profile\Local Settings\Temporary Internet Files\Content.IE5\. The content of this file had a reference to the antivirpwr[dot]com domain which was advertising security software.
* 09/12/10 08:13:08PM The system was completely powered down.
* 09/13/10 McAfee Avert Labs blog had a post about an increase of submissions from customers for a variant of FakeAlert-SpyPro.gen.ai.
* 09/14/10 Google search hit identified a person who mentioned that one of Yahoo’s advertisers supplying a URL from trueffects[dot]net which tried to infect their computer.
* 09/15/10 xhaito[dot]com domain was entered into the MalwareURL database as being malicious.
* 09/15/10 Two co-workers mentioned they both knew about someone being infected on Sunday.
* 09/18/10 Google search hit identified a person posted in the Kaspersky forums that the software blocked something coming from the trueffects[dot]net/www/cmd URL.
As I mentioned previously, I haven’t completed the entire examination but I have started to form my hypothesis about what happened. The hypothesis is that the computer was infected with SpyPro because my friend visited a website at the time third-party content was displayed, which resulted in his browser being redirected to a malicious domain. My reasoning behind this hypothesis is that the malicious content (an advertisement) appears to have started a chain reaction with the computer visiting the xhaito[dot]com domain, which was hosting an unknown exploit pack performing drive-by attacks. This exploit pack attempted to exploit at least two vulnerabilities present on the system (the Windows Help Center vulnerability and an unknown vulnerability the jar file targeted) and at least one exploit was successful since the payload of the Hiloti Trojan was installed on the system. There were no artifacts of another exploit or of another attack when the first SpyPro was created on the system. Plus Microsoft stated the Hiloti Trojan is a downloader. Therefore, I am thinking SpyPro was downloaded to the system by one of the copies of the Hiloti Trojan.
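The backwards walk through the timeline described above, from the first known-bad file back to the ad-network redirect, can be scripted. This is an added example, not code from the original post: the timeline rows are constructed from the timestamps, artifact names, domains and MD5s given in the post, and the pipe-delimited layout, the 10-second silence threshold and the function names are this example's own assumptions.

```python
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time source name md5")

# Constructed sample rows abbreviated from the post's timeline (timestamps,
# names, domains and MD5s are the post's; the column layout is assumed here).
SAMPLE_TIMELINE = """\
2010-09-12 18:36:06|WebHistory|mail.yahoo.com|
2010-09-12 18:38:21|PrivacIE|yimg[dot]com|
2010-09-12 18:38:22|Cookie|this[dot]content[dot]served[dot]by[dot]adshuffle[dot]com|
2010-09-12 18:38:22|TempInternetFiles|asrefinc11[1].js|
2010-09-12 18:38:22|TempInternetFiles|l[1].htm|
2010-09-12 18:38:22|PrivacIE|trueffects[dot]net|
2010-09-12 18:38:24|PrivacIE|batfior[dot]co[dot]cc|
2010-09-12 18:38:24|PrivacIE|xhaito[dot]com|
2010-09-12 18:38:25|TempInternetFiles|show[1].htm|
2010-09-12 18:38:35|TempInternetFiles|hcp[1].htm|
2010-09-12 18:38:35|FileCreated|0.8503427712213907.exe|a06e417b9743e65bbb9ace16d6d3a65f
2010-09-12 18:38:42|FileCreated|176572329.exe|ce5806f3f3a2afa8efe0272440ae6b2d
"""

# Hashes the post identified as Hiloti and SpyPro.
KNOWN_MALWARE = {
    "a06e417b9743e65bbb9ace16d6d3a65f",
    "5170e6923859a70ede3b2685ccd5ba04",
    "ce5806f3f3a2afa8efe0272440ae6b2d",
}

def parse_timeline(text):
    # Pipe-delimited rows -> Events sorted by time (stable, so ties keep file order).
    events = []
    for line in text.strip().splitlines():
        ts, source, name, md5 = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, name, md5))
    return sorted(events, key=lambda e: e.time)

def first_malware_event(events, known=KNOWN_MALWARE):
    # The earliest event whose MD5 is known-bad is the pivot for the backwards walk.
    return next((e for e in events if e.md5 in known), None)

def preceding_chain(events, pivot, max_gap_seconds):
    # Walk backwards from the pivot; stop at the first silence longer than
    # max_gap_seconds (the post's 16-second gap before 18:38:21 ends the trail).
    chain = [pivot]
    for e in reversed([x for x in events if x.time <= pivot.time and x is not pivot]):
        if (chain[-1].time - e.time).total_seconds() > max_gap_seconds:
            break
        chain.append(e)
    return list(reversed(chain))

def third_party_domains(chain):
    # Ordered, de-duplicated PrivacIE/cookie domains: the redirect path from
    # the ad network to the exploit host.
    seen, order = set(), []
    for e in chain:
        if e.source in ("PrivacIE", "Cookie") and e.name not in seen:
            seen.add(e.name)
            order.append(e.name)
    return order
```

Running `third_party_domains(preceding_chain(evs, first_malware_event(evs), 10))` on the parsed sample yields the yimg, adshuffle, trueffects, batfior, xhaito sequence the post reconstructed by hand.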
At this point I was able to clean my friend’s computer and I identified a few areas of the investigation process I want to learn more about. My next steps in the examination would have been to complete the examination, develop my hypothesis about what happened, and then test this hypothesis to determine if it is valid.
Lessons Learned
When my friend asked me for assistance I could have just wiped and rebuilt his system for him. This is a practice I have seen back in my IT days, it’s a practice I read about on the Internet, and it’s a practice still occurring at a lot of organizations judging by the discussions I have had with people. If I would have followed this practice then you wouldn’t be reading this blog nor would there have been any lessons learned. My friend eventually would have been re-infected once his programs became out of date again since the lack of software updates contributed to his system getting infected. Plus I wouldn’t have had this opportunity to learn some new things as well as identifying some areas I would like to get a better understanding about.
I was able to explain the significance of regularly updating the software on a computer to my friend since this was what caused his system to become infected. If the cause had been opening a malicious email or his children downloading something then my advice would have been different, but it still would have focused on the root cause of the infection. As I was thinking about this, a question kept running through my mind. How can you provide sufficient advice on the security controls that could help mitigate an incident from reoccurring without knowledge of the incident’s root cause? I think this question applies whether the recommendations are for a friend, a customer, or an organization you are employed with.
In closing, I wanted to thank my friend for allowing me to share this examination through my blog. I think this information could be useful to a range of people, and comments from readers could help me understand what I missed or what I could do differently. None of this would have been possible without my friend’s willingness to share even if he got free tech support. ;)
Nice write up, and useful to me because I'm just starting to work with a more organized timeline approach.
The Javascript asrefinc11.js that you mentioned is used to deliver ads - you can find it at hxxp://media2(dot)adshuffle.com/asrefinc11(dot)js and it looks similar to what malware often does. I've not tried to specifically analyze this javascript and am not certain why it's obfuscated in such a manner.
Certainly, if malvertising is obtained via an "ad shuffle" this script could be something that helps deliver it.
Curt Wilson, http://perpetualhorizon.blogspot.com
Cw,
I reposted your comment in order to sanitize the URL you referenced. I didn’t modify anything else from your comment.
I was wondering, what do you mean by a more organized timeline approach?
Nice write up. I will try to work on this asrefinc11.js file and will get you some updates.