I’ve stopped dissecting malware for a while (no time; I’ve got a life now), but this one has been running wild for about a week and infecting many of my friends. It seems to run in my social circle (this would make an interesting study: how do bots perpetuate in online social circles?)
C’mon. This is proof I’d do really well working at Symantec, you know? Read more of this post to see how I reverse engineered the bot in under 30 minutes.
To Clean
- Boot Windows into safe mode and do not run anything.
- Carefully go into “C:\Windows” and remove the “tmpie” folder which contains the payload.
- Optionally remove the “iexplorer” value from the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run (its data is “%10%\tmpie\iexplorer.exe”, the autostart entry added by setup.inf).
- Reboot into normal mode.
- Change AIM password as well as all social networking passwords.
- Stop downloading shit like this. Check to make sure the domain is real before you click. Yep, take a second or two to actually look at the URL bar in your browser. Won’t hurt you.
Detective Work
The bot is pretty straightforward, with one new feature I’ve never personally seen before: it doesn’t use IRC. You execute the payload, it creates a registry key to start itself up on each boot, hooks a few programs to capture usernames and passwords, and at a set interval IMs all your buddies with the following message:
Did you see this yet? you have to download the flash thing for it to work http://www.liveleak.com.a.llli.**/?video=XqJ8CIaZiEXqJ8CIaZiE
Some victims report variations of the above message that use YouTube and other video sharing websites as the lure. All use subdomains of llli.** (the TLD is a country-code abbreviation. WARNING: If you do go have a look for yourself, use caution. Do not execute anything.)
Nice little social engineering there. The page looks very realistic and potential victims of the worm are used to getting that “Update Your Flash Player” notification, so it seems only natural to run the payload. I award a 9/10 for the payload deceptiveness of this one.

First off, let’s start with the domain. A quick WHOIS query shows us some information about the owner of it:
Domain Name: LLLI.**
Domain ID: D18235149-US
Sponsoring Registrar: ENOM, INC.
Registrar URL (registration services): whois.enom.com
Domain Status: clientTransferProhibited
Registrant ID: C5795F921E0
Registrant Name: aaron stevens
Registrant Organization: just1
Registrant Address1: 156 belmont ave
Registrant City: belair
Registrant State/Province: CA
Registrant Postal Code: 90210
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.8848828383
Registrant Email: lstalent1@aim.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Administrative Contact ID: C5795F921E0
Administrative Contact Name: aaron stevens
Administrative Contact Organization: just1
Administrative Contact Address1: 156 belmont ave
Administrative Contact City: belair
Administrative Contact State/Province: CA
Administrative Contact Postal Code: 90210
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.8848828383
Administrative Contact Email: lstalent1@aim.com
Administrative Application Purpose: P1
Administrative Nexus Category: C11
Billing Contact ID: C5795F921E0
Billing Contact Name: aaron stevens
Billing Contact Organization: just1
Billing Contact Address1: 156 belmont ave
Billing Contact City: belair
Billing Contact State/Province: CA
Billing Contact Postal Code: 90210
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.8848828383
Billing Contact Email: lstalent1@aim.com
Billing Application Purpose: P1
Billing Nexus Category: C11
Technical Contact ID: C5795F921E0
Technical Contact Name: aaron stevens
Technical Contact Organization: just1
Technical Contact Address1: 156 belmont ave
Technical Contact City: belair
Technical Contact State/Province: CA
Technical Contact Postal Code: 90210
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.8848828383
Technical Contact Email: lstalent1@aim.com
Technical Application Purpose: P1
Technical Nexus Category: C11
Name Server: NS1.ANEWGIRLSBOX.COM
Name Server: NS2.ANEWGIRLSBOX.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Thu Dec 11 22:13:08 GMT 2008
Domain Expiration Date: Thu Dec 10 23:59:59 GMT 2009
Domain Last Updated Date: Thu Dec 11 22:14:05 GMT 2008
>>>> Whois database was last updated on: Fri Dec 26 23:22:50 GMT 2008 <<<
Obviously all fake info, which is a violation of eNom’s terms of service. Their account will be terminated. Going to the domain alone urges the visitor to download the payload, so we can confirm that the owner of the domain is the person spreading the bot.
Technical Stuff
Upon “getting the latest Flash Player”, the victim actually downloads an archive with the payload inside. The archive is configured to automatically run it upon execution.
The archive is made up of the following contents:
- iexplorer1.exe (payload)
- msado25.tlb
- MSVBVM60.DLL
- MSWINSCK.OCX
- RICHTX32.OCX
- setup.inf
- urlmon.dll
- wbemdisp.tlb
- wininet.dll
All of them VB runtime, ActiveX, and DLL files.
The payload executable has a file description that reads “Product name: bot”. No surprise there. It was last modified on 10/12/2008 7:28 PM, which is most likely the creation time of the client.
Here we can see a “setup.inf”, which tells the archive how to install the contents. setup.inf includes:
[version]
signature="$CHICAGO$" ; #### INSTALLER ####

[DefaultInstall]
CopyFiles=install.files
RegisterOCXs=RegDLL.register
AddReg=add-registry-section

[DestinationDirs]
install.files=10,"tmpie"

[install.files]
MSWINSCK.OCX
RICHTX32.OCX
MSVBVM60.DLL
wininet.dll
msado25.tlb
urlmon.dll
wbemdisp.tlb

[RegDLL.register]
"%10%\tmpie\MSWINSCK.OCX"
"%10%\tmpie\RICHTX32.OCX"
"%10%\tmpie\MSVBVM60.DLL"
"%10%\tmpie\msado25.tlb"
"%10%\tmpie\wininet.dll"
"%10%\tmpie\urlmon.dll"
"%10%\tmpie\wbemdisp.tlb"

[add-registry-section]
HKLM,"Software\Microsoft\Windows\CurrentVersion\Run","iexplorer",0,"%10%\tmpie\iexplorer.exe"
This explains itself quite well. The %10% variable equals your Windows folder (C:\Windows, as above). Everything gets stored in the “tmpie” folder and “iexplorer.exe” gets run on every boot. This too is quite deceptive, as iexplorer.exe looks like a legit Windows system file. Props.
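As an added example (not the post’s code, nor anything from the bot), here is a small parser for the setup.inf above that reports the files it drops and the Run value it adds, which is exactly the list the “To Clean” section tells you to remove. The embedded INF text is abridged from the listing, and the DIRID table assumes the standard INF mapping of 10 to the Windows directory.

```python
import re

# Abridged copy of the setup.inf from the post (straight quotes, constructed here)
SETUP_INF = r"""[version]
signature="$CHICAGO$"   ; #### INSTALLER ####
[DefaultInstall]
CopyFiles=install.files
AddReg=add-registry-section
[DestinationDirs]
install.files=10,"tmpie"
[install.files]
MSWINSCK.OCX
MSVBVM60.DLL
[add-registry-section]
HKLM,"Software\Microsoft\Windows\CurrentVersion\Run","iexplorer",0,"%10%\tmpie\iexplorer.exe"
"""

# Standard INF DIRIDs (assumed): 10 = Windows directory, 11 = System32
DIRIDS = {"10": r"C:\Windows", "11": r"C:\Windows\System32"}

def parse_inf(text):
    """Split INF text into {section: [entries]}, dropping ';' comments and blanks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def expand(path):
    """Replace %N% DIRID tokens with the directory they denote."""
    return re.sub(r"%(\d+)%", lambda m: DIRIDS.get(m.group(1), m.group(0)), path)

def installed_artifacts(text):
    """Return the dropped file paths and the registry values the INF would create."""
    s = parse_inf(text)
    install = dict(e.split("=", 1) for e in s.get("DefaultInstall", []))
    files, run_values = [], []
    for entry in s.get("DestinationDirs", []):          # "list=DIRID,subdir"
        list_name, spec = (p.strip() for p in entry.split("=", 1))
        dirid, _, sub = (p.strip().strip('"') for p in spec.partition(","))
        folder = expand(f"%{dirid}%") + ("\\" + sub if sub else "")
        files += [folder + "\\" + f for f in s.get(list_name, [])]
    for entry in s.get(install.get("AddReg", ""), []):  # root,subkey,name,flags,data
        root, subkey, name, _flags, data = [p.strip().strip('"') for p in entry.split(",")][:5]
        run_values.append((root + "\\" + subkey, name, expand(data)))
    return {"files": files, "run_values": run_values}
```

Running installed_artifacts(SETUP_INF) yields the tmpie paths and the HKLM Run value “iexplorer” pointing at C:\Windows\tmpie\iexplorer.exe, i.e. the artifacts to delete in safe mode.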
The payload includes comments that reference a “Larry”. Perhaps Larry is the writer of this bot? Again, props my main man! We can also decompile his payload, since it’s written in VB.
Symptoms
It’s probably based off of someone else’s work. The bot seems to have been written in VB and uses a commercial DLL file to hook into AIM and Internet Explorer. This, in turn, allows the bot to sniff for AIM, Facebook, MySpace, Friendster, and other website credentials, and of course forces the victim to send IMs with a link to the payload. Victims may also experience additional IE pop-ups with revenue-generating ads.
Calling Home
As for control over the botnet, PHP seems to be used, and at a set interval the bot will call home via an HTTP GET to “http://easyprofiles.****/login.php”. Neat, huh? No more messy IRC nets. Just a website.
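A fixed-interval HTTP GET to one URL is the detectable side of this design. As an added example (not from the post), the function below runs over a few constructed proxy log lines and flags client/URL pairs whose request intervals are nearly constant; the client addresses, timestamps and the easyprofiles.example hostname are all made up, standing in for the masked C2 domain.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso timestamp> <client> GET <url> <status>"
LOG = """\
2008-12-26T10:00:00 10.0.0.5 GET http://easyprofiles.example/login.php 200
2008-12-26T10:00:07 10.0.0.5 GET http://www.liveleak.com/ 200
2008-12-26T10:05:00 10.0.0.5 GET http://easyprofiles.example/login.php 200
2008-12-26T10:10:01 10.0.0.5 GET http://easyprofiles.example/login.php 200
2008-12-26T10:15:00 10.0.0.5 GET http://easyprofiles.example/login.php 200
2008-12-26T10:01:00 10.0.0.9 GET http://news.example/ 200
2008-12-26T10:33:12 10.0.0.9 GET http://news.example/story 200
2008-12-26T11:05:40 10.0.0.9 GET http://news.example/ 200
"""

LINE = re.compile(r"(\S+) (\S+) GET (https?://[^/\s]+)(\S*) (\d+)")

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Return (client, url, period_seconds) for pairs that look like beacons.

    A pair is a beacon when it has at least min_hits requests and the
    standard deviation of the gaps between them is within max_jitter of
    the mean gap, i.e. the requests arrive on a fixed timer.
    """
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines
        ts, client, host, path, _status = m.groups()
        times[(client, host + path)].append(datetime.fromisoformat(ts))
    beacons = []
    for (client, url), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, url, round(avg)))
    return beacons
```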
Another WHOIS query of easyprofiles.**** gives us:
Domain ID:D19901248-LRMS
Domain Name:EASYPROFILES.INFO
Created On:15-Sep-2007 19:19:24 UTC
Last Updated On:03-Sep-2008 05:07:51 UTC
Expiration Date:15-Sep-2009 19:19:24 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:8FFBFEAEF102D2EE
Registrant Name:aaron stevens
Registrant Organization:just1
Registrant Street1:156 belmont ave
Registrant Street2:
Registrant Street3:
Registrant City:belair
Registrant State/Province:ca
Registrant Postal Code:90210
Registrant Country:US
Registrant Phone:+1.8848828383
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:lstalent1@aim.com
Admin ID:8FFBFEAEF102D2EE
Admin Name:aaron stevens
Admin Organization:just1
Admin Street1:156 belmont ave
Admin Street2:
Admin Street3:
Admin City:belair
Admin State/Province:ca
Admin Postal Code:90210
Admin Country:US
Admin Phone:+1.8848828383
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:lstalent1@aim.com
Billing ID:8FFBFEAEF102D2EE
Billing Name:aaron stevens
Billing Organization:just1
Billing Street1:156 belmont ave
Billing Street2:
Billing Street3:
Billing City:belair
Billing State/Province:ca
Billing Postal Code:90210
Billing Country:US
Billing Phone:+1.8848828383
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:lstalent1@aim.com
Tech ID:8FFBFEAEF102D2EE
Tech Name:aaron stevens
Tech Organization:just1
Tech Street1:156 belmont ave
Tech Street2:
Tech Street3:
Tech City:belair
Tech State/Province:ca
Tech Postal Code:90210
Tech Country:US
Tech Phone:+1.8848828383
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:lstalent1@aim.com
Name Server:NS1.ANEWGIRLSBOX.COM
Name Server:NS2.ANEWGIRLSBOX.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Looks familiar, no?
