Another Identity Theft Story
Friday May 25, 2007 at 9:22 am CST
Posted by Francois Paget
(Updated on May 29. See note at end.)
Last Friday we received various suspicious HTML files containing malicious JavaScript routines. These contact a remote Web site and silently download an EXE file, which in turn downloads various unknown but suspicious programs. In France we decided to press the matter for several reasons: French or francophone people appeared to be especially targeted, and not only banking and e-commerce data were stolen but also more sensitive information about the private lives of our fellow citizens. So we contacted the French authorities.
We were able to fit together the pieces of the puzzle and understand the attack architecture.

The attacks started each time a victim reached an initiator site (1) hosting one of these scripts. One script used an ADODB.Stream exploit; the others exploited the vulnerabilities referenced as MS06-006 and MS06-024.
While the victim was browsing that page, an EXE file hosted on an intermediate site was silently dropped onto the victim's computer (2). If this downloader was not detected by up-to-date antivirus software, it turned off Windows Security Center, modified some registry keys, and downloaded and installed another Trojan (3). Once this work was done, the downloader deleted itself and passed control to the Trojan. Using the victim's IP address as a parameter, the Trojan issued a query to geolocate the infected machine (4). It used this site:
http://fresh-news.info/geoip/ip.php
The returned data were later saved in the local registry under the following key, with these values:
HKLM\System\CurrentControlSet\Control\InitRegKey\geoinfo
- iso
- country
- region
- city
- latitude
- longitude
- ip
This information was sent to the collector site and appears at the top of the TXT files described later. Here is a fabricated example:
PC Name = JOHN-3GR6524FRHN
PC IP = 82.22.97.32
PC Country/ISO/Region/City = france/fr/a3/paris
PC Location longitude/latitude = 2.3333/48.8667
Log Creation = 2007/05/21 13:22:05
Before this Trojan disappeared, it downloaded two new files (5). The first deactivated various antivirus products and modified the system's hosts file to prevent security updates. Its main purpose, however, was to take a screenshot each time the victim clicked a mouse button inside a remote authentication window. Depending on which button was clicked (LMB for the left button, RMB for the right), one of the following image files was created:
date_time_snapshot-number_LMB_input-form-URL.jpg
date_time_snapshot-number_RMB_input-form-URL.jpg
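The hosts-file tampering mentioned above (update and antivirus domains pinned to a dead address so the machine can no longer fetch signatures or patches) is easy to check for in an offline triage. The following is an added example, not code from the original analysis or from McAfee; the sample hosts content and the watched vendor domains are constructed for illustration, since the post does not list the exact entries the malware wrote.

```python
import ipaddress
import re

# Constructed sample of a tampered hosts file (not taken from the analysed
# malware; the post only says the hosts file was modified to block updates).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         download.mcafee.com
10.0.0.5        intranet.example.local
"""

# Illustrative update/AV domains to watch; extend for your own environment.
WATCH_DOMAINS = (
    "microsoft.com",
    "windowsupdate.com",
    "mcafee.com",
    "symantec.com",
    "kaspersky.com",
)

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():           # one IP may carry several names
            yield ip, name.lower()


def is_watched(hostname, watch=WATCH_DOMAINS):
    """True when hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in watch)


def find_hosts_hijacks(text, watch=WATCH_DOMAINS):
    """Return [(hostname, ip, reason)] for suspicious hosts entries.

    Any static entry for an update/AV domain is suspicious, because such
    names are normally resolved through DNS. A loopback or unspecified
    target is the classic 'sinkhole the updater' pattern described above.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name, watch):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "update/AV domain sinkholed to %s" % ip
        else:
            reason = "update/AV domain statically pinned"
        hits.append((name, ip, reason))
    return hits


if __name__ == "__main__":
    for name, ip, reason in find_hosts_hijacks(SAMPLE_HOSTS):
        print("%-32s -> %-12s %s" % (name, ip, reason))
```

On a live Windows system, feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts`; a clean file normally contains nothing but the `localhost` line, so any hit for a vendor domain deserves a look.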
The image files were sent to a collector site (6). That site's address, login, and password, as well as links to download other malware, were accessible via an admin site operated by the attackers (7).
The second file was a Browser Helper Object (BHO) password stealer. It specifically monitored transactions with these financial sites:
- e-gold.com,
- meine.deutsche-bank.de,
- banking.postbank.de
The BHO also watched many other authentication forms, however, and sent the captured data to the collector site (6) in TXT files named:
ISO-country-code_computername_IP_Date_time.txt
Other malware was downloaded according to instructions found on the collector site (8). It set up a local web server (9) and installed a PHP backdoor on the compromised machine. A proxy (9) was also created, offering various services:
- SSL proxy
- HTTP proxy
- Socks server
- Telnet gateway
- SMTP server
- FTP server
- Remote administration server
- Port mapping
After all this preparation these machines were ready to act as zombies.
But that's not all: a keylogger (10) was also downloaded. It collected the victim's keystrokes and wrote them to this file:
keylog_ISO-country-code_computername_IP_date_time.txt
This Trojan also extracted all the URLs and associated usernames/passwords saved by Internet Explorer's AutoComplete facility (held in the Protected Storage, hence the file name) and wrote them to this file:
pstore_date_time.txt
The Trojan regularly sent all the TXT files to the collector site (6), where they were automatically filed by country and by computer. Here is a view captured before the site was closed:
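The four naming schemes quoted above (screenshot JPGs, the BHO's form-grab TXT files, the keylog files and the pstore dumps) carry enough structure to triage a recovered collector directory or a victim's staging folder by country, computer and time. The following parser is an added example written for this post, not code from McAfee or from the malware's operators. It assumes the date field is YYYYMMDD and the time field HHMMSS (the post gives only the field order), that the computer name contains no underscore, and that the URL embedded in a screenshot name has already been stripped of path separators; the sample file names are constructed around the post's own fake host name and IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# ASSUMED encodings: the post names the fields but not their format.
DATE = r"(?P<date>\d{8})"                       # YYYYMMDD (assumption)
TIME = r"(?P<time>\d{6})"                       # HHMMSS   (assumption)
ISO = r"(?P<iso>[a-z]{2})"                      # ISO country code
HOST = r"(?P<host>[^_]+)"                       # assumes no '_' in the computer name
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

PATTERNS = {
    # date_time_snapshot-number_LMB_input-form-URL.jpg (LMB/RMB = left/right button)
    "screenshot": re.compile(
        rf"^{DATE}_{TIME}_(?P<snap>\d+)_(?P<button>[LR]MB)_(?P<url>.+)\.jpg$"),
    # keylog_ISO-country-code_computername_IP_date_time.txt
    "keylog": re.compile(rf"^keylog_{ISO}_{HOST}_{IP}_{DATE}_{TIME}\.txt$"),
    # pstore_date_time.txt (IE AutoComplete / Protected Storage dump)
    "pstore": re.compile(rf"^pstore_{DATE}_{TIME}\.txt$"),
    # ISO-country-code_computername_IP_Date_time.txt (BHO form grabber)
    "formgrab": re.compile(rf"^{ISO}_{HOST}_{IP}_{DATE}_{TIME}\.txt$"),
}

# Constructed sample listing; host name and IP reuse the post's fake example.
SAMPLE_FILES = [
    "readme.txt",                                                   # noise
    "keylog_fr_JOHN-3GR6524FRHN_82.22.97.32_20070521_140001.txt",
    "20070521_132210_3_LMB_https-www.example-bank.example-login.jpg",
    "pstore_20070521_132205.txt",
    "fr_JOHN-3GR6524FRHN_82.22.97.32_20070521_132205.txt",
]


def classify_artifact(filename):
    """Return {'kind': ..., <named fields>} or None if no scheme matches."""
    for kind, rx in PATTERNS.items():
        m = rx.match(filename)
        if m:
            info = {"kind": kind}
            info.update(m.groupdict())
            return info
    return None


def group_by_country_and_host(filenames):
    """Mirror the collector's layout: country -> computer -> artifacts.

    Screenshots and pstore dumps carry no country/host in their name, so they
    land under 'unknown' and must be attributed from the folder they sat in.
    """
    tree = defaultdict(lambda: defaultdict(list))
    for name in filenames:
        info = classify_artifact(name)
        if info is None:
            continue
        iso = info.get("iso") or "unknown"
        host = info.get("host") or "unknown"
        tree[iso][host].append(info)
    return {c: dict(h) for c, h in tree.items()}


def timeline(filenames):
    """Recognised artifacts in chronological order as (datetime, kind, name)."""
    events = []
    for name in filenames:
        info = classify_artifact(name)
        if info is None:
            continue
        when = datetime.strptime(info["date"] + info["time"], "%Y%m%d%H%M%S")
        events.append((when, info["kind"], name))
    return sorted(events)


if __name__ == "__main__":
    for when, kind, name in timeline(SAMPLE_FILES):
        print(when.isoformat(), kind.ljust(10), name)
```

The timeline is the useful part in an incident: a form-grab file and a screenshot a few seconds apart on the same host tell you which credential was captured both as text and as an image.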

Today we have all the pieces of this puzzle.
| Origin | Site | Suspicious files | VirusScan name |
|---|---|---|---|
| (1) | Initiator site (exploit) | 1.html | Generic Downloader.z |
| | | 2.html | Exploit-MS06-006.gen |
| | | 3.html | Generic Downloader.z |
| (2) | Intermediate site | autoexec.exe (or iexplore.exe) | BackDoor-CWW.dldr |
| (3) | Malware site | ieschedule.exe | BackDoor-CWW |
| (5) | Malware site | smss.exe | BackDoor-CWW |
| | | ib15.dll | PWS-Snap |
| (8) | Malware site | ieserver.exe | BackDoor-CWW |
| (9) | Malware site | php_sockets.dll, readme.txt, php.exe, php.ini, php4ts.dll, "!hdd by http.html", "download phpmyadmin from SourceForge into this dir.txt", phpinfo.php, back.gif, blank.gif, compressed.gif, dnserror.htm, dnserror_de.htm, file.gif, folder.gif, html.gif, pagerror.gif, php.gif, picture.gif, refresh.gif, upfolder.gif, mscreate.dir, htaccess.txt, test.htm, map.txt | Innocent files |
| | | remview.php | PHP/BackDoor-DLR |
| (10) | Malware site | winlogon.exe | BackDoor-CWW |
| (11) | Malware site | dsrss.exe | Keylog-Dta |
As I said in introducing this post, I found the geographical distribution unusual. France had the second highest number of victims, and the collected data were also very sensitive.
| Country | Victims (approx.) |
|---|---|
| USA | 650 |
| France | 400 |
| Turkey | 150 |
| Netherlands | 140 |
| Italy | 130 |
| Poland | 100 |
| Germany | 60 |
| Taiwan | 50 |
| Others | 700 |
The stick-pin maps show the distribution.
We often hear of IT threats targeting the Anglo-American countries. This case shows that no country is safe from cybercriminals.
——
Updated May 29:
I made two typos when discussing the analysis by Elodie Grandjean. The first concerns one of the vulnerabilities used in this attack (it is MS06-024, not MS06-026). The other concerns the password-stealer functionality. Both have been corrected in the text.

May 26th, 2007 at 18:18
Wow! The research that you guys have done is really fascinating, but please make it clear for me. If I had any of the anti-keylogging software listed here (http://anti-keylogger.org/) installed (the most popular and giving the strongest protection from keylogging, as I understand it), would this site pose a threat for me? Or not?
May 29th, 2007 at 22:51
When we discovered this threat, some files involved in this attack were not detected. Submissions to websites like AVcomparatives.org showed some dangerous misses. Now, for these files, the situation is improving. But, as you could read in our post, an administrator web site existed. It disappeared after our investigations, but no doubt he is now running under a new IP address. To prove this, please note the collector web site is up again; it doubled between last Saturday and now. No doubt it also distributes updated malware in order to impede our progress. Consequently, up-to-date antivirus with a large detection spectrum is more essential than ever in the face of such attacks, which use downloaders, keyloggers, PWS, bots and other kinds of malware. I cannot confirm that the security tools you quoted detect all the elements involved in this threat, but I also cannot assert the opposite.
May 31st, 2007 at 09:00
I did the forensics on one of these back in October... The version I was looking at did a very good job of cleaning up after itself. The only reason I got half of what I did was yanking the power out of the back of the computer, leaving stuff in the pagefile, some random stuff in free space, etc...
Scary stuff.
November 23rd, 2007 at 18:44
Amazing, very detailed analysis. I was looking for "JS/Exploit.ADODB.Stream NAP Trojan" when I found this blog.
Anyway, I found a website that distributes part of this trojan - 72.232.214.18
thanks
April 7th, 2008 at 20:58
Well, congrats to you for such nice research, but I am happy to say that my antivirus successfully detected this virus and I am safe ...
I am using Eset Smart Security ..:)
August 20th, 2008 at 12:49
Hi,
I am new to all of this computer stuff. I run McAfee virus software. I have found the Downloader.z virus on my computer. It won't allow me to move, delete or clean the file. Can you please advise me how to proceed, as I don't want to be a part of identity scams.
Thanks,
Jennifer
August 28th, 2008 at 15:32
Hi,
I ran into the Downloader.z virus today on one of my client's workstations. This blog definitely drove the concept of safe computing home to him. I found that I was able to remove it by first identifying the name of the .dat file created in the windows\system32 directory. Look for any .dat files starting with two underscores. Once identified, boot the workstation with the WinXP CD and start Recovery Mode. From the DOS prompt, change to the system32 folder (cd \windows\system32), then remove the .dat file (del __*.dat). Once this is gone, reboot from the hard drive and start regedit. Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Delete the key with the same name as the .dat file (it will start with two underscores). If Downloader.z was the only infection on the workstation, this completes the removal, as far as I can determine on initial examination.
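Two host-side indicators from this page lend themselves to a scripted check: the `geoinfo` registry key the Trojan populates (listed in the post body) and the `__*.dat` file plus matching `Winlogon\Notify` subkey that the commenter above removed by hand. The following triage script is an added example, written here and not taken from the post, McAfee or the commenter. The checks are pure functions over a registry snapshot (`{key path: {value name: data}}`) and a System32 directory listing, so they can run against data collected elsewhere; on Windows the optional `snapshot_from_registry()` reads the two locations live with the standard `winreg` module. The subkey name `__c00A1B2C` in the sample data is constructed, not an indicator from the page.

```python
import os
import sys
from fnmatch import fnmatch

GEOINFO_KEY = r"HKLM\System\CurrentControlSet\Control\InitRegKey\geoinfo"
GEOINFO_VALUES = ("iso", "country", "region", "city", "latitude", "longitude", "ip")
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed snapshot for offline use; values mirror the post's fake example,
# the '__c00A1B2C' Notify subkey is an invented stand-in for the commenter's
# '__*.dat' pattern.
SAMPLE_REGISTRY = {
    GEOINFO_KEY: {"iso": "fr", "country": "france", "region": "a3", "city": "paris",
                  "latitude": "48.8667", "longitude": "2.3333", "ip": "82.22.97.32"},
    NOTIFY_KEY + r"\crypt32chain": {"DLLName": "crypt32.dll"},     # legitimate
    NOTIFY_KEY + r"\__c00A1B2C": {"DLLName": "__c00A1B2C.dat"},    # constructed
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "__c00A1B2C.dat", "ntdll.dll"]


def check_geoinfo(registry):
    """Return the geoinfo values present, or None if the key is absent."""
    values = registry.get(GEOINFO_KEY)
    if values is None:
        return None
    present = {k: v for k, v in values.items() if k.lower() in GEOINFO_VALUES}
    return present or None


def check_winlogon_notify(registry, system32_listing):
    """Flag Winlogon\\Notify subkeys and System32 files named '__*.dat'.

    Notify subkeys normally point at signed system DLLs (crypt32, cscdll, ...);
    a subkey whose name or DLLName starts with two underscores matches the
    Downloader.z persistence the commenter describes.
    """
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in registry.items():
        if not key.lower().startswith(prefix):
            continue
        sub = key.rsplit("\\", 1)[1]
        dll = str(values.get("DLLName", ""))
        if sub.startswith("__") or fnmatch(dll.lower(), "__*.dat"):
            findings.append(("winlogon_notify", sub, dll))
    for fname in system32_listing:
        if fnmatch(fname.lower(), "__*.dat"):
            findings.append(("system32_file", fname, ""))
    return findings


def snapshot_from_registry():
    """Live read of the two locations; Windows only (needs winreg)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE

    def read_values(path):
        try:
            with winreg.OpenKey(hklm, path) as k:
                vals, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        return vals
                    vals[name] = data
                    i += 1
        except OSError:
            return None

    snap = {}
    geo = read_values(r"System\CurrentControlSet\Control\InitRegKey\geoinfo")
    if geo is not None:
        snap[GEOINFO_KEY] = geo
    notify = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    try:
        with winreg.OpenKey(hklm, notify) as k:
            for i in range(winreg.QueryInfoKey(k)[0]):
                sub = winreg.EnumKey(k, i)
                snap[NOTIFY_KEY + "\\" + sub] = read_values(notify + "\\" + sub) or {}
    except OSError:
        pass
    return snap


if __name__ == "__main__":
    live = sys.platform == "win32"
    reg = snapshot_from_registry() if live else SAMPLE_REGISTRY
    listing = (os.listdir(os.path.join(os.environ["WINDIR"], "system32"))
               if live else SAMPLE_SYSTEM32)
    print("geoinfo key:", check_geoinfo(reg))
    for finding in check_winlogon_notify(reg, listing):
        print("suspicious:", finding)
```

Treat a hit on either check as a lead, not a verdict: the `__*.dat` naming is what one commenter saw on one variant, and the Trojan's geoinfo key is only one of several registry changes the post mentions without naming.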