Say you are a new hire at a company. Your boss asks you to develop a well-researched and well-documented company policy on, say, employee travel. More often than not, you will start off with a Google search. And that is exactly what you do. Open Google and type in “travelpolicy”. This will be the result:
You don’t choose the first hit simply because you see it’s a .GOV site, and information found on .GOV sites may seem too lengthy for your objectives. You just need a simple do-it-yourself tutorial on how to create and implement a travel policy guide for your business, which is exactly the description of the second hit, encircled in the above image. So you click on it.
And then the site opens…
It seems the site is taking a long time to download its images and content. So you wait… And wait… And when you realize it is taking forever for the site to finish loading, you close the window and move on to other sites that can offer the information you need.
End of story?
Not quite.
As you waited for the site to fully load, something was already happening in the background, unobserved…
The site, www.travelpolicy.com, has an IFRAME at the very top that silently loads 81.95.146.98/index.html. That index.html file contains a script exploiting the MS Internet Explorer (MDAC) Remote Code Execution vulnerability described in MS06-014. The original exploit code has also been modified in an attempt to bypass AV scanners that detect the original code.
It sure is nasty! An executable file, win.exe, is downloaded to your system and executed. This file is actually a backdoor with rootkit features, a variant of the notorious family of backdoor rootkits known as Haxdoor!
So what happens next? Well… you can actually see the following files suddenly appear in your Windows System32 directory:
kgctini.dat
klo5.sys
lps.dat
yvpp01.dll
yvpp02.sys
You’ll also see a newly added Registry key with several values that hook into WinLogon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvbb01
The following services will also be added:
NAME: yvbb01
DISPLAY: Miniport FT32
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb01.sys
NAME: yvbb02
DISPLAY: Miniport FT
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\yvbb02.sys
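A quick way to hunt for this footprint on a Windows host, as an added example that is not part of the original post: it lists every Winlogon Notify package whose DLL is not Microsoft-signed (the persistence mechanism the registry key above relies on) and looks for the service names, display names and System32 files listed above. Run it from an elevated PowerShell prompt; the Notify key exists only on Windows XP/2003-era systems and is skipped when absent.

```powershell
# Added hunting script, not from the original post. Indicator values come
# from the text above; everything else is a generic Winlogon Notify check.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$findings  = @()

# 1. Winlogon Notify packages: each subkey names a DLL that winlogon.exe loads
#    at logon. Report any whose DLL is missing or not signed by Microsoft.
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DllName
        if (-not $dll) { continue }
        # Unqualified DllName values are resolved relative to System32.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        if (-not (Test-Path $path)) {
            $findings += "Notify package '$($sub.PSChildName)' points to missing DLL $path"
            continue
        }
        $sig = Get-AuthenticodeSignature $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "Notify package '$($sub.PSChildName)' loads unsigned/non-Microsoft DLL $path"
        }
    }
}

# 2. Service names, display names and dropped files named in the post.
$suspectServices = 'yvbb01', 'yvbb02'
$suspectDisplay  = 'Miniport FT32', 'Miniport FT'
$suspectFiles    = 'kgctini.dat', 'klo5.sys', 'lps.dat', 'yvpp01.dll', 'yvpp02.sys', 'yvbb01.sys', 'yvbb02.sys'

foreach ($svc in Get-CimInstance Win32_Service) {
    if ($suspectServices -contains $svc.Name -or $suspectDisplay -contains $svc.DisplayName) {
        $findings += "Service $($svc.Name) ('$($svc.DisplayName)') state=$($svc.State) path=$($svc.PathName)"
    }
}
foreach ($f in $suspectFiles) {
    $p = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $p) { $findings += "File present: $p" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Haxdoor indicators or untrusted Winlogon Notify packages found.' }
```

A kernel-mode rootkit of this kind can hide its files, services and registry entries from user-mode queries like these, so an empty result is not proof of a clean host; confirm from offline media or a trusted boot environment.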
If you have all of these on your system, cleaning them all up will surely be hell, especially with rootkits involved! But it’s a good thing you don’t have these tell-tale signs of a drive-by-download backdoor rootkit infection. It’s a good thing your system is not compromised with a stealthy backdoor installed on your machine that can allow remote malicious hackers to do almost anything with your computer and your files…
You simply don’t have to worry, because none of these things happened at all. At the first click on the travelpolicy.com site, Trend Micro had already flagged a detection of HTML_DLOADER.BHF, so the download and execution of the backdoor rootkit, along with its other malicious components (which, by the way, Trend detects as BKDR_HAXDOOR.JG), never occurred. You were actually protected from this threat. It was just a bad dream, a nightmare. You were actually safe.
Everything is secure. It’s a good thing you are using Trend Micro.
NOTE: The above malicious URL is still alive at the time of this posting. Google has already been notified, and we’re hoping the site will be taken down immediately. In the meantime, we strongly advise users to stay well clear of this site.