Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: 12/24/07

Monday, December 24, 2007

Spreading Malware Around the Christmas Tree

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain merrychristmasdude.com is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @ yahoo.com

Name Server: NS.MERRYCHRISTMASDUDE.COM
Name Server: NS10.MERRYCHRISTMASDUDE.COM
Name Server: NS13.MERRYCHRISTMASDUDE.COM
Name Server: NS9.MERRYCHRISTMASDUDE.COM
Name Server: NS11.MERRYCHRISTMASDUDE.COM
Name Server: NS3.MERRYCHRISTMASDUDE.COM
Name Server: NS4.MERRYCHRISTMASDUDE.COM
Name Server: NS6.MERRYCHRISTMASDUDE.COM
Name Server: NS2.MERRYCHRISTMASDUDE.COM
Name Server: NS5.MERRYCHRISTMASDUDE.COM
Name Server: NS7.MERRYCHRISTMASDUDE.COM
Name Server: NS8.MERRYCHRISTMASDUDE.COM
Name Server: NS12.MERRYCHRISTMASDUDE.COM

The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi-bin/in.cgi?p=100 where two javascipt obfuscations, courtesy of the Neosploit attack kit attempt to load. Current binary (stripshow.exe) has an over 50% detection rate 17/32 (53.13%). Stay tuned, AV vendors will reach another milestone on the number of malware variants detected, despite that compared to the real, massive Storm Worm campaign this one is fairly easy to prevent on a large scale.

Related info - SANS, ASERT, TEMERC, DISOG.

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Pinch Variant Embedded Within RussianNews.ru

This is a perfect and currently live example demonstrating how a once compromised site can also be used as a web dropper compared to the default infection vector mentality we've been witnessing on pretty much each and every related case of malware embedded sites during 2007. The URL at a popular news portal for Russian/Iranian related news at : russiannews.ru/arabic/data/news/upload/exp is serving a Pinch variant thought an MDAC ActiveX code execution exploit - CVE-2006-0003, the type of virtual Keep it Simple Stupid strategy of using outdated vulnerabilities I discussed before. Deobfuscation leads us to : russiannews.ru/arabic/data/news/upload/exp/exe.php

Trojan-PSW.Win32.LdPinch.dzr
File Size: 22016 bytes
MD5 : cb0a480fd845632b9c4df0400f512bb3
SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab

What's important to point out in this case, is that the main index and the pages within the site are clean, so instead of trying to infect the visitors, the malicious parties are basically using it as a web dropper. Moreover, in the wake of Pinch-ing the Pinch authors, this variant generated on the fly courtesy of their tool fully confirms the simple logic that once released in the wild, DIY malware builders and open source malware greatly extend their lifecycles and possibility for added innovation on behalf of the community behind them.

Dancho Danchev