Friday, October 24, 2008

NAPI Worm

Okay, it isn't really called NAPI (yet), but since it affects NetAPI, I figured it was a good name. Everyone is already blogging on this, so I'll make it short.

I'm, of course, talking about MS08-067 (CVE-2008-4250), reportedly the next big vulnerability that will take down the internet.

ISC even raised the threat level to yellow.

Thankfully I still have some friends in the botnet community and I was provided with a copy of the binary. I even put my hands on two different versions of pcap files from other sandboxes.

From what I can tell, the vulnerability was reported to Microsoft on Sept 25th, 2008. It's reportedly related to MS06-040, and some tell me that just a few minor modifications to the Metasploit module that already exists for MS06-040 will allow any script kiddie to exploit this vulnerability.

At least one proof-of-concept piece of malware exists for the vulnerability. The binaries are available on a website, meaning any "drive-by" infection could force a user to download the malware, which could then turn on the internal network from the inside.

I worked the binary for a few hours this afternoon, and found it communicating with the following domains:

doradora.atzend.com (69.162.76.42)
perlbody.t35.com (66.45.237.219)
summertime.1gokurimu.com (59.106.116.229) (UPDATE: Thanks to Sandi for pointing out a typo in the domain name)
and IP 59.106.145.58.

The binaries are named n1.exe through n9.exe. I have samples of all nine.

We see the binary start a service and create the file %system32%\esobs.dat, which appears to be encrypted.
The service it installs is named "Windows NT Baseline". Since it runs as a service, the malware hides under svchost, so identifying the binary from Task Manager is difficult.

Users who do not run as admin have some protection from the botnet side of the infection, though an admin user on your network could still become infected and, using the exploit, infect other systems on the local network. I'd worry most about coffee shops and public internet locations.

Emerging Threats has released some publicly available signatures here.

It remains to be seen how bad this wormable code will get, but it's sure to have an impact. A much better technical article than I could ever dream of writing is available here: http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx.

Microsoft reports that users with host-based firewalls are not at risk, but it's still a good idea to download the patch quickly. Microsoft rarely releases a patch out of band, which shows how important this really is.

VirusTotal reports that only 1/3 of the vendors have signatures for the trojan.

Friday, September 12, 2008

Your Internet access is going to get suspended. - Once you install that rootkit.

Many people have received an email:
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attached is a zip file, in my case user-EA49943X-activities.zip.

MD5s:
6ba40e29db8fb6f9145fde7a45708875 user-EA49943X-activities.exe
92d9f920d470e3bc12a33768893fd734 user-EA49943X-activities.zip

Once opened, the victim machine is infected with a rootkit and two seemingly random high TCP ports are opened.
The rootkit hides the presence of %system32%\cabpck.dll and %system32%\krnlcab.sys. You can check whether you're infected by opening a command prompt and typing:

type c:\windows\system32\krnlcab.sys

Unless you're infected, the response will be "The system cannot find the file specified."

Currently VirusTotal shows 22/36 AV vendors have signatures out to detect the binary. The most common signature name is Goldun (spyware/rootkit/password stealer).

The Anubis results are here.

The following registry keys are created/modified to start the rootkit on reboot:
HKLM\System\CurrentControlSet\Services\krnlcab
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys

Contact is made with either social-bos.biz or osliki.net. Snort signatures that watch for URI Content "data.php?trackid=" should catch infected hosts.

The "trackid" value contains a hex-encoded string like:

706172616D3D636D64266C616E673D454E552669643D30267368656C6C3D3026736F636B73706F72743D3439303532267665723D39412668747470706F72743D323638303626757074696D656D3D3726757074696D65683D30267569643D5B43374132393038313039413641363141395D

Which translates to:
param=cmd&lang=ENU&id=0&shell=0&socksport=49052&ver=9A&httpport=26806&uptimem=7&uptimeh=0&uid=[C7A2908109A6A61A9]
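As an added example (not part of the original post), here is a small Python scanner that pulls the hex trackid out of proxy-log lines, decodes it into the bot's key=value fields and lists the two ports it reports open. The one-request-per-line log format and the client addresses are constructed; the hex value is the one quoted above.

```python
import re
from urllib.parse import parse_qsl

# Beacon URI fragment named in the post; the value after trackid= is hex-encoded ASCII.
TRACKID_RE = re.compile(r"data\.php\?trackid=([0-9A-Fa-f]+)")
HOST_RE = re.compile(r"https?://([^/\s]+)")

def decode_trackid(hex_blob):
    """Hex-decode a trackid value into the bot's key=value fields.
    Returns None for malformed hex (odd length, stray bytes) so the hit is still reported."""
    try:
        raw = bytes.fromhex(hex_blob)
    except ValueError:
        return None
    return dict(parse_qsl(raw.decode("ascii", errors="replace"), keep_blank_values=True))

def listening_ports(fields):
    """Ports the bot reports open: the two 'seemingly random high TCP ports' from the post."""
    return sorted(int(fields[k]) for k in ("socksport", "httpport") if fields.get(k, "").isdigit())

def scan_proxy_log(lines):
    """Return (client, host, fields) for every line carrying a trackid beacon.
    Assumes a constructed one-request-per-line format: "<client-ip> <method> <url>"."""
    hits = []
    for line in lines:
        m = TRACKID_RE.search(line)
        if not m:
            continue
        host_m = HOST_RE.search(line)
        host = host_m.group(1) if host_m else "?"
        hits.append((line.split()[0], host, decode_trackid(m.group(1))))
    return hits

# The trackid value quoted in the post, re-joined onto one line.
POST_TRACKID = (
    "706172616D3D636D64266C616E673D454E552669643D30267368656C6C3D3026736F636B73706F72"
    "743D3439303532267665723D39412668747470706F72743D323638303626757074696D656D3D372675"
    "7074696D65683D30267569643D5B43374132393038313039413641363141395D"
)

# Constructed sample log lines (not captured traffic); the hosts are the two named in the post.
SAMPLE_LOG = [
    "10.0.0.7 GET http://social-bos.biz/data.php?trackid=" + POST_TRACKID,
    "10.0.0.9 GET http://www.example.com/index.html",
    "10.0.0.12 GET http://osliki.net/data.php?trackid=ABC",  # odd-length hex: undecodable
]

if __name__ == "__main__":
    for client, host, fields in scan_proxy_log(SAMPLE_LOG):
        print(client, host, fields and listening_ports(fields))
```

The decoded ports are what you would feed to an egress-firewall or host-inventory check, and the uid field gives you a stable per-infection identifier to pivot on across log sources.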

My good friend Joel Esler from Sans ISC reported on something like this a couple weeks ago: http://isc.sans.org/diary.html?storyid=4927.

As of 16:08 UTC 2008/9/12:

social-bos.biz has address 91.200.144.8
osliki.net has address 195.93.219.207

Technical contact for social-bos.biz:

Name: Denis Klinov
Organization: Denis LTD
Address1: Ne dom i Ne uica
City: Big city
Postal Code: 239932
Country: Russian Federation
Country Code: RU
Phone Number: +7.4955123456
Email: pavelzosimov@yandex.ru

Technical Contact for osliki.net:

Name: Anton Butov
Email: buhalovvasya@yandex.ru
Organization: Inner Tec
Address: Stroitelnaya 77 15
City: Moscow
State: Moskovskaya
ZIP: 676437
Country: RU
Phone: +7.4952176185

UPDATE: Emerging Threats has posted Snort signatures to detect infected hosts:

http://doc.emergingthreats.net/2008545

I will continue to monitor this run and report any findings.

Friday, August 22, 2008

RFI List

Some remote file includes (RFIs) for your enjoyment:

Paris Hilton Returned By Aliens (damn!)

Occasionally my spam folder gets some really exciting messages. However, the subject of this one left me a bit disappointed.

Poor Paris - it must be really bad when even the little green men aren't interested in her.

From: "Magnus Bonnel"
To: [REDACTED]
Subject: Paris Hilton Returned By Aliens
Date: Thu, 21 Aug 2008 22:02:07 -0400
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

[Image: "PLAY NOW" button]

The image would have displayed for any of you who had HTML parsing enabled within your email client. I cropped it at the chest for a "G" rating. The nipples were blurred already. If you clicked that image, you'd happily download player.exe from roskiman.com. Similar spam points to merk2web.com.ar offering stream.exe. The second version wasn't censored. An unsuspecting individual would get an eye full of this woman's breasts (cropped for worksafe rating):

[Image: cropped screenshot of the second spam]

a3aec9130af6f69c715dc6eb89949079 stream.exe
a3aec9130af6f69c715dc6eb89949079 player.exe

Anubis results for the binary are available here.

Sunday, August 17, 2008

Mailbag

I had some time today, so I thought I'd post this morning's mailbag:

Compromised website (Javascript Compromise):
http://emergency [dot] charlestoncounty [dot] org/index2.asp?p=/ElectedO.htm
PayPal/City Credit Union Phish - with kits:
http://85.45.179.9/icons/small/Secure/home/management/
Kits located at:
http://85.45.179.9/icons/small/www.citycu.org.tar.gz (info goes to alvin.thecrazy@gmail.com)
http://85.45.179.9/icons/small/citycu.org.tar.gz -> (info goes to pep.xxl@gmail.com)
http://85.45.179.9/icons/small/paypal.tar.gz -> (info goes to pep.xxl@gmail.com)
Today's "Breaking News" spam:
From: Tinney
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: [REDACTED]
Subject: BREAKING news
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Did Bill Clinton Cross the Line? http://www[dot]sakapfet[dot]com/1.html

Attempts to trick users into downloading a fake AV client called Antivirus XP 2008 from antivirusxp-08.com.
Tries to convince users they need to download and run "install.exe", which of course is a trojan (VirusTotal output).

Reported malicious domains:
fbcel.org
www.jewelryboxes.net
sakapfet.net
tvmonitoringservice.com
cheahahs.com (msn_video.html)

Bots/Malware:
http://www [dot] 1rc-chat [dot] net/a.exe
http://members [dot] lycos [dot] co [dot] uk/dbrowny/server.exe
