-
November 9th, 2005, 11:05 AM
#1
Website to website malware scanning
I was checking out the NISCC (UNIRAS) website, looking at their latest alert, which was a standard email trying to get you to click on a link to a website (or websites) which would then try to infect your PC with some sort of malware.
The alert lists the domains that could be referenced by the email.
Details:
AusCERT has seen several different types of e-mail messages, attempting to
entice the reader to a variety of domains including:
http: // compaqhea.shrink.com/info.html
http: // friendsortheenemy.net
http: // healthcentretoronto.com
http: // uh.gameage.co.uk
http: // chamas.cl/info.html
http: // abomagd.com/info.html
http: // belgiumlive.hostmatrix.org/info.html
http: // bluecalf.com/info.html
http: // buenconsejo.cl/info.html
http: // fondby.com/info.html
http: // 6abari.net/info.html
http: // al-barakah.org/info.html
http: // megacontable.com/info.html
http: // ohiohsfootball.net/info.html
http: // wakeee.hostmatrix.org/info.html
All of which are redirected back to:
http: // friendsoftheenemy.net
This site, installs additional malware which may also contact the hosts:
khaliun.phpwebhosting.com
domestictargetmarket.com
xtrixasf.com
palac-below.de
Administrators may wish to actively block or monitor access to these domain
names and URLs.
If I stick any of the domains (friendsoftheenemy.net and lower) into surfcontrol to see if they are blocked, none of them are on the surfcontrol list.
Now I could block them manually on surfcontrol but I'd rather know what they are before I start randomly blocking websites.
BUT how do I check out a potentially dangerous website without becoming compromised? And if I am running a locked down machine that would not be affected by the malware, how would I know that the site is trying to infect my machine?
I don't have access to a 'victim' machine which I could allow to become infected and then analyse, and I don't have a route out of the network which doesn't go through a firewall.
Is there such a thing as a website which I can point at the 'infecting' website, which will pose as an unprotected browser and give me a report as to whether that website does indeed attempt to infect a passing browser?
-
November 9th, 2005, 12:10 PM
#2
Is there such a thing as a website which I can point at the 'infecting' website, which will pose as an unprotected browser and give me a report as to whether that website does indeed attempt to infect a passing browser?
I haven't heard of one. I believe Microsoft have a project doing this sort of thing, "honey monkey"?
Most of this stuff is geared to attack Windows and Internet Explorer. Maybe using a scanning tool like Black Widow would show you the redirects?
And if I am running a locked down machine that would not be affected by the malware, how would I know that the site is trying to infect my machine?
If your policies and patches are protecting you, you won't. If it is security software it will probably give you a message.
BUT how do I check out a potentially dangerous website without becoming compromised?
Well, I would probably go for a Virtual Machine and Linux; not a perfect solution by any means, but a bit safer at the moment?
-
November 9th, 2005, 12:38 PM
#3
VM was one thing that came to mind. I doubt I could blag it though.
I'll check out Black Widow though, just downloaded the demo.
Cheers, Nihil.
-
November 9th, 2005, 05:33 PM
#4
You could try Spade for Windows from samspade.org
http://samspade.org/ssw/
It allows you to view exactly what a website has in its coding without actually getting it on your box.
-
November 9th, 2005, 11:25 PM
#5
ASPMAN - I know your question was probably more about how YOU could do an analysis of malware safely, and not the one you mentioned in particular, but.....
The Aus Govt IT security organisation got concerned about this specific threat and sent out a number of alerts about it to Govt departments. My govt department actually received one of the email messages; I did a bit of investigation and ran the page in our test lab (isolated environment). We are running XP SP2 with the latest definitions and patches etc., and it had no effect.
The organisation did a pretty in-depth analysis of the alert. I don't think I can post the PDF as it is only available through logging in to the organisation's members area (even though, looking at the PDF, I can't see any classified information), but below is the relevant information you may need for this particular alert.
Attack methodology
The first instance of this attack consisted of an email with the subject heading “SecuryTeam Order #117457 will be processed manually by our staff.txt” that downloaded exploits from !!removeme!!http://friendsoftheenemy.net (IP 66.235.192.219) and beaconed for updates to !!removeme!!www.inosys.pt (IP 207.58.141.126). This attack was first noticed on Saturday 22 October 2005.
The second instance of this attack used a different email subject header, “Jools Web Hosting - Receipt of you Payment!”. The address contained within the email did not resolve; however, a new exploit server came into operation at “hi****upport.com” (IP 64.156.24.17) with a beacon address of “milanodvd.com” (IP 64.34.91.142).
Results of investigation
Exploit explanation
The exploit is an executable that has been compressed with the “FSG” compression utility, downloaded after one of five possible exploits is identified and run. Following is a detailed description of how it operates.
The malicious email infects a user’s computer in 5 steps.
1. The user clicks on the link in the email. This link is very dynamic - different for almost every email we have seen, resolving to multiple IP addresses. An example is shown below (with !!removeme!! inserted for your protection):
!!removeme!!http://uh.gameage.co.uk/info.html
This link is an obfuscated javascript file that forwards the user to the following address: !!removeme!!http://friendsoftheenemy.net/cgi-bin/ie0509.html (IP 66.235.192.219)
2. This site runs another script that determines which OS, service pack, AntiVirus (Norton or McAfee), and Microsoft Java Virtual Machine (JVM) version the target computer is running. It then selects an exploit based on this information. A copy of this information is forwarded to the following URL: !!removeme!!http://tsl.promotion-city.com/fullstat.htm (IP 81.209.184.142)
3. Based on the information gained above, an exploit will be selected. There are 5 different types of exploits available from the URL !!removeme!!http://friendsoftheenemy.net/cgi-bin...cgi?exploit=XX (where XX depends on the exploit selected). The exploits are:
ie0509a.chm
ie0509b.jar
pluginst.hta
pluginst.anr
ie0509d.html
Note that this site is no longer serving exploits. Requests to the above address are now (as of 26/10/2005) redirected to the URL !!removeme!!http://host135.ipowerweb.com/suspended.html?exploit= (IP 66.235.192.212)
4. After an exploit is chosen, it is used to install a program on the target computer. A GET request is sent for !!removeme!!http://friendsoftheenemy.net/cgibin/ie0509.cgi?exploit=XX, which downloads the FSG packed executable (XX again depends upon the chosen exploit).
When this executable is unpacked and run it drops:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WIN32HOST.EXE (hidden)
C:\WINDOWS\system32\iedld32.dll
It uses cmd.exe to delete the unpacked version of itself and appears to use simple rootkit techniques to hide the win32host.exe file and process (see Identifying the infection for how to circumvent the rootkit).
The program then downloads the next part of the Trojan (providing IE is running), called update.exe, from !!removeme!!http://friendsoftheenemy.net/cgibin/ie0509.cgi?exploit=1
Or, in the second instance of the email, from !!removeme!!http://milanodvd.com/cgi-bin/dloader.cgi?userid=** where ** is an 8 character hex id.
This program then goes on to create further files as shown below (tested on a Windows XP machine with no service pack).
Files installed on the infected computer:
C:\Windows\System32\iedld.dll (Hidden)
C:\Windows\System32\phffg.dll
C:\Windows\System32\svshotc.exe
C:\Windows\WindowsShell\manifest.dll
win32host.exe appears to write its results to a file called nul in the same directory as win32host.exe.
The second email and executable installs the following (tested on a Windows XP SP2 machine):
C:\Windows\System32\phffg.dll
C:\Windows\System32\svvhost.exe
5. An analysis of the network traffic post-infection shows that this executable (Win32Host.exe) makes a GET request (providing IE is running) to !!removeme!!www.inosys.pt\cgi-bin\dloader.cgi?userid=** approximately every hour for an update. The second email uses !!removeme!!http://milanodvd.com/cgi-bin/dloader.cgi?userid=** in the same way, where ** is an 8 character hex string that is probably unique to the compromised machine.
If there is no update, the website responds with:
"
20
There is no update for **
0
"
Again, ** refers to the hex userid.
It appears that this program is being used to control the computer and use it like a “bot”, waiting for commands to come from the download of the update file.
Identifying the infection
To identify the trojan process (Win32HOST.exe):
Click on the Start menu
Navigate to All Programs
Navigate to Accessories
Click on System Information
Once the System Information program is open:
Click Software Environment
Click on Running Tasks
To find the win32host.exe file, use the command prompt and navigate to C:\WINDOWS\System32
If a computer is infected, one of the running tasks will be:
Name - Win32host.exe
Path - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Win32host.exe
Look for any of the following files:
C:\Windows\System32\iedld32.dll
C:\Windows\System32\iedld.dll (Hidden)
C:\Windows\System32\phffg.dll
C:\Windows\System32\svshotc.exe
C:\Windows\WindowsShell\manifest.dll
C:\Windows\System32\svvhost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Win32host.exe (Hidden)
update.exe
ie0509a.chm
ie0509b.jar
pluginst.hta
pluginst.anr
ie0509d.html
msits.exe
Look in proxy logs for instances of:
friendsoftheenemy.net (indicates email delivered and user clicked on it)
hi****upport.com (indicates possible compromise)
inosys.pt (indicates possible compromise)
tsl.promotion-city.com (indicates possible compromise)
milanodvd.com (indicates possible compromise)
Look in mail server logs for emails with subjects “SecuryTeam Order #117457 will be processed manually by our staff.txt” and “Jools Web Hosting - Receipt of you Payment!”.
Vulnerabilities exploited
There are 5 different exploits that can be downloaded/executed depending on the operating system version, browser and/or Microsoft Java Virtual Machine (JVM) build. Security bulletins/patches, if available, are also listed.
ie0509a.chm
Takes advantage of a known vulnerability in the HTML Help ActiveX control. Allows code execution. (See Microsoft Security Bulletin MS03-011 for further details, recommendations, and mitigation strategies.)
URL: http://www.microsoft.com/technet/sec...1.mspx?pf=true
ie0509b.jar
Takes advantage of a known vulnerability in older versions of Microsoft VM (build 3809 or earlier) to execute arbitrary code. The attacker would gain the privileges of the user who follows the link. (See Microsoft Security Bulletin MS03-011 for further details, recommendations, and mitigation strategies.)
URL: http://www.microsoft.com/technet/sec...1.mspx?pf=true
pluginst.hta
This is an HTML application. The code looks to have been taken from exploit code posted in April 2005 at http://seclists.org/lists/bugtraq/2005/Apr/0446.html
ie0509c.htm (pluginst.anr)
Takes advantage of a known vulnerability in cursor and icon format handling. Allows remote code execution and control of the system. (See Microsoft Security Bulletin MS05-002 for further details and recommendations on mitigation strategies.)
URL: http://www.microsoft.com/technet/sec...2.mspx?pf=true
ie0509d.html
Takes advantage of a known vulnerability in Internet Explorer that allows remote code execution and control of the system. (See Microsoft Security Bulletin MS04-040 for further details and recommendations on mitigation strategies.)
URL: http://www.microsoft.com/technet/sec.../MS04-040.mspx
Mitigation action
1. Block and log requests/responses for all the URLs and IPs mentioned above - remove the text !!removeme!! from the URLs given below:
!!removeme!!http://friendsoftheenemy.net (IP 66.235.192.219)
!!removeme!!http://tsl.promotion-city.com (IP 81.209.184.142)
!!removeme!!http://host135.ipowerweb.com (IP 66.235.192.212)
!!removeme!!www.inosys.pt (IP 207.58.141.126)
!!removeme!!hi****upport.com (IP 64.156.24.17)
!!removeme!!milanodvd.com (IP 64.34.91.142)
2. Other mitigating factors for this attack
Using a browser other than IE (or an OS other than Windows).
Using a re-writing web proxy to sanitise active content on incoming web pages.
Using a SOE with patches applied for each exploit as detailed in the Vulnerabilities Exploited section.
Using a SOE with no user write privileges to system32 (i.e. no administration privileges).
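The proxy-log checks from the Identifying the infection section, as an added detection example (this is not code from the original post or from the organisation's report): it scans Squid-style access log lines for the indicator domains listed there, pulls out the dloader.cgi?userid= beacon from step 5, and flags clients that request updates roughly every hour. The log format, the constructed sample lines and the hourly tolerance are assumptions; the masked hi****upport.com host is left out because the page does not give its full name.

```python
import re
from collections import defaultdict
# Indicator domains from the write-up quoted above, with the meaning it assigns
# to each; "hi****upport.com" is omitted because the page masks its full name.
INDICATORS = {"friendsoftheenemy.net": "email delivered and user clicked",
              "inosys.pt": "possible compromise",
              "tsl.promotion-city.com": "possible compromise",
              "milanodvd.com": "possible compromise"}
BEACON_RE = re.compile(r"/dloader\.cgi\?userid=([0-9a-f]{8})", re.I)  # step 5 beacon
# Assumed Squid access.log layout: <epoch>.<ms> <elapsed> <client> <code/status> <bytes> <method> <url> ...
LOG_RE = re.compile(r"^(\d+)\.\d+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+(\S+)")
HOST_RE = re.compile(r"^(?:https?://)?([^/:?]+)", re.I)
def matched_indicator(url):
    """Indicator domain the URL's host equals or is a subdomain of, else None."""
    m = HOST_RE.match(url)
    host = m.group(1).lower() if m else ""
    return next((d for d in INDICATORS if host == d or host.endswith("." + d)), None)

def scan_proxy_log(lines):
    """hits: (ts, client, domain, meaning) per matching request;
    beacons: {(client, userid): sorted request timestamps}."""
    hits, beacons = [], defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line
        ts, client, url = int(m.group(1)), m.group(2), m.group(3)
        dom = matched_indicator(url)
        if dom:
            hits.append((ts, client, dom, INDICATORS[dom]))
        b = BEACON_RE.search(url)
        if b:
            beacons[(client, b.group(1).lower())].append(ts)
    return hits, {k: sorted(v) for k, v in beacons.items()}

def hourly_beaconers(beacons, period=3600, tolerance=600, min_hits=3):
    """(client, userid) pairs whose update requests recur roughly every hour."""
    return [k for k, t in beacons.items() if len(t) >= min_hits and
            all(abs(b - a - period) <= tolerance for a, b in zip(t, t[1:]))]
# Constructed sample log (not real traffic): 10.0.0.5 follows the redirect,
# reports to the stats URL, then beacons three times about an hour apart.
SAMPLE_LOG = """\
1130000003.456 80 10.0.0.5 TCP_MISS/200 5120 GET http://friendsoftheenemy.net/cgi-bin/ie0509.html - DIRECT/66.235.192.219 text/html
1130000004.000 60 10.0.0.5 TCP_MISS/200 300 GET http://tsl.promotion-city.com/fullstat.htm - DIRECT/81.209.184.142 text/html
1130003604.000 50 10.0.0.5 TCP_MISS/200 40 GET http://www.inosys.pt/cgi-bin/dloader.cgi?userid=0a1b2c3d - DIRECT/207.58.141.126 text/plain
1130007210.000 50 10.0.0.5 TCP_MISS/200 40 GET http://www.inosys.pt/cgi-bin/dloader.cgi?userid=0a1b2c3d - DIRECT/207.58.141.126 text/plain
1130010800.000 50 10.0.0.5 TCP_MISS/200 40 GET http://www.inosys.pt/cgi-bin/dloader.cgi?userid=0a1b2c3d - DIRECT/207.58.141.126 text/plain
1130000010.000 30 10.0.0.7 TCP_MISS/200 9000 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""
```

Run `scan_proxy_log(SAMPLE_LOG.splitlines())` and pass the returned beacons to `hourly_beaconers` to get the clients worth pulling from the network for the file checks listed above.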
-
November 10th, 2005, 09:53 AM
#6
Thanks cabby80, but the alert just got me thinking about this sort of thing in general rather than this specific threat.
I ordered a copy of VMWare from Ebay yesterday. I have an inkling is was being sold by a guy with one leg and a parrot but I'll wait and see.
-
November 10th, 2005, 10:43 AM
#7
I ordered a copy of VMWare from Ebay yesterday. I have an inkling is was being sold by a guy with one leg and a parrot but I'll wait and see.
Just take him down "The Admiral Benbow" and give him the "black spot"?
-
November 10th, 2005, 12:37 PM
#8
If I stick any of the domains (friendsoftheenemy.net and lower) into surfcontrol to see if they are blocked none of them are on the surfcontrol list.
Now I could block them manually on surfcontrol but I'd rather know what they are before I start randomly blocking websites.
This may be a little off topic, but your response is exactly what drives my belief that white/black list technologies are no longer viable solutions. Why? Because when they were introduced, the number of malware sites was minimal. Today there are oodles of sites cropping up by the minute which are aimed solely at your wallet. White/black lists are no longer as effective as they once were.
How do you solve this issue? Well, in my case, I've been running a research project that basically runs a network like your immune system. I only allow what I know is good and disallow everything else.
How is it going? Administrative overhead has certainly gone up. However, I have a 100% success rate and with the money saved by not having to remediate issues, it appears that I can ring up a cost savings to IT of nearly 60%. Some of my critics don't think I can scale this out to the enterprise but so far, I have already done what they considered impossible by rolling out my model to two large departments.
I'm trying to think of a way to market it but Don Lapre and Carton Sheets seem busy at the moment. 
Anyway, rant over.
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 10th, 2005, 02:49 PM
#9
This may be of interest:
http://www.securityfocus.com/columnists/367
In this new model, new application files are detected in real time as soon as they appear on systems and are automatically added to the automatic graylist. They can be easily approved or banned, based on current security policy.
-
November 10th, 2005, 04:51 PM
#10
This is basically what I'm attempting without having a black list. I simply say, X,Y and Z are ok, everything else is bad.
This is simply revisiting the basics of explicit deny models but when something works....

--TH13