EL.FIESTA Exploit Kit

This time Steve has found another website distributing malware through exploits. It appears to be a new exploit kit named EL.FIESTA, which shows the attackers various basic statistics about the state of exploitation. Like most exploit kits it seems to be built on PHP and SQL, and from the image we can see the included exploits:

  • Internet Explorer WebViewFolderIcon setSlice() DL&EXEC
  • Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
  • Microsoft Data Access Components Could Allow RCE
  • MySpace Uploader Buffer Overflow Exploit
  • Yahoo! JukeBox datagrid.dll AddButton() BOF Exploit

This is a screenshot of the control panel of EL.FIESTA:

Screenshot of EL.FIESTA

The encoded script found in one of the infected pages of the web site was immediately decoded by Steve, and we can see a function named ms() that loads the payload.

From the image of the decoded script we can see a text:

var eurl=url+"&spl=2";

The variable spl has the value 2, which means the loaded payload is number 2, and that number should correspond to one specific exploit in the kit. Taking a look at this function:

Go(a){}

We can see that it downloads the URL carrying the malware and then executes the .EXE on our system with the function:

sap.ShellExecute(fname);

The script redirects the user to the file load.php, which serves the .EXE:

/load.php?id=140883

After I browsed the infected link on the web site, a file was silently downloaded and executed on my system:

Screenshot of the file

Report Generated 6.12.2008 at 19.42.39 (GMT 1)
Filename: load.exe
File size: 52 KB
MD5 Hash: CB8D6FB6C1E9B5919AFAAEAFDFD75533
SHA1 Hash: 910960FF6A69A99A7D3C2F6A44176B9529D41C9F
CRC32: 1789398201
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 16 on 24

Antivirus Result
a-squared PWS.Win32.Zbot!IK
Avira AntiVir TR/Spy.ZBot.hga
Avast Win32:Oliga [Trj] (0)
AVG Trojan horse SHeur2.EWQ
BitDefender –
ClamAV –
Comodo TrojWare.Win32.Spy.Zbot.~JC
Dr.Web Trojan.Proxy.4002
Ewido –
F-PROT 6 –
G DATA Trojan-Spy.Win32.Zbot.hga A
IkarusT3 Trojan-Spy.Win32.Zbot
Kaspersky Trojan-Spy.Win32.Zbot.hga
McAfee Generic PWS.y trojan
MHR (Malware Hash Registry) –
NOD32 v3 Win32/Spy.Zbot.AE trojan
Norman Trojan W32/Zbot.BSN ()
Panda –
QuickHeal TrojanSpy.Zbot.hga
Solo Antivirus –
Sophos Mal/EncPk-FS
TrendMicro –
VBA32 Trojan-Spy.Win32.Zbot.hga
VirusBuster TrojanSpy.Zbot.AUT

The file load.exe created a new file named ntos.exe in the system folder C:\WINDOWS\system32; it is hidden from a regular Explorer search by usermode hooks. The newly created ntos.exe then added a startup entry to the Winlogon Userinit registry value:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

We noticed that ntos.exe injected code into two system processes, winlogon.exe and svchost.exe, and then disappeared from the Task Manager.

This is a summary of all the files created after the execution of load.exe:

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wsnpoem\audio.dll
%DocumentsAndSettings%\LocalService\Application Data\wsnpoem\audio.dll
%DocumentsAndSettings%\NetworkService\Application Data\wsnpoem\audio.dll

All the above files carry the +H (hidden) attribute, and we can see that they are all related to the well-known -wsnpoem- Zeus Trojan, which cybercriminals use to steal bank account credentials, credit card details and other sensitive data from the victim's computer.
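A small triage check for the two persistence artifacts described above (the extra Userinit entry and the wsnpoem file set), added here as an example and not code from the original post. It runs over constructed sample data rather than a live registry; the stock Userinit value is assumed to be userinit.exe alone, and the path patterns are taken from the file list in this post.

```python
import re
from pathlib import PureWindowsPath

# On a clean Windows XP machine the Winlogon\Userinit value names only
# userinit.exe (a trailing comma is normal). Anything else is suspect.
STOCK_USERINIT = "userinit.exe"

# Path indicators from the analysis above: the ntos.exe loader in system32
# and the wsnpoem directory holding audio.dll / video.dll.
ZEUS_INDICATORS = {
    "zeus_loader": re.compile(r"\\system32\\ntos\.exe$", re.I),
    "zeus_wsnpoem": re.compile(r"\\wsnpoem\\(audio|video)\.dll$", re.I),
}


def userinit_extra_entries(value):
    """Return every comma-separated Userinit entry other than the stock userinit.exe.

    A clean value yields []; an infected one yields the appended loader path.
    Empty entries produced by the trailing comma and surrounding quotes are ignored.
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries
            if PureWindowsPath(e).name.lower() != STOCK_USERINIT]


def match_zeus_paths(paths):
    """Map each path matching a known wsnpoem/Zeus indicator to the indicator name."""
    hits = {}
    for p in paths:
        for name, pattern in ZEUS_INDICATORS.items():
            if pattern.search(p):
                hits[p] = name
    return hits


# Constructed sample data (not captured from the infected machine): a Userinit
# value with the loader appended, plus a file listing mixing the post's paths
# with benign system files.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ntos.exe",
    r"C:\WINDOWS\system32\wsnpoem\video.dll",
    r"C:\WINDOWS\system32\wsnpoem\audio.dll",
    r"%DocumentsAndSettings%\LocalService\Application Data\wsnpoem\audio.dll",
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    print("extra Userinit entries:", userinit_extra_entries(SAMPLE_USERINIT))
    for path, name in match_zeus_paths(SAMPLE_FILES).items():
        print(f"{name:14} {path}")
```

On a real host the Userinit string would be read from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and the file list from a directory walk that includes hidden entries, since the dropped files carry the +H attribute.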
