Results matching “Download Plus” from SpywareGuide Greynets Blog

There has been a large steady stream of new Trojans coming out of China lately. Now it seems like its starting to look more drastic than that. It all begins with Downloader-Arun. Like most other downloaders, its purpose is to download as many Trojans as possible. This is just how bad it can get:

Breakdown of what Downloader-Arun installs on the victim PC.

While Downloader-Arun is installing, it contacts another Chinese site to download sercer.exe onto the victim's PC. Sercer.exe is immediately ran and moved to C:\Program Files\Internet Explorer as SPLOAE.exe.

Sercer.exe has the same file size and MD5 hash as C:\Program Files\Internet Explorer\SPLOAE.exe.

Once SPLOAE.exe is running, it gets information that is stored in SPLOAE.dat.

This is the same information that is stored in SPLOAE.dat.

Since the infection is in the Internet Explorer directory, it's probably a good idea to check out what kinds of connections are taking place. Looking closer at the connection you'll see that someone is attempting exploit your computer! You may recognize this type of attack if you were a playboy customer in '98.

A connection has been made at port 1524. Foul play is sure to follow.

Now would be a good time to check and see what kinds of connections are currently active on the infected PC.

You can tell if there is a connection to your computer by using the netstat -a -n command.

There is a connection established to the same IP address that was seen during the installation. Taking a closer look at the domain brings you to *dramatic pause* his blog!

The established connection redirects to a blog of questionable safety.

Fortunately for the victim, there is a very easy way to tell if you are being exploited by this threat. If you are infected by this particular threat, there will be an autostarter value called "MrXiaokan".

This threat auto starts using the value "Mrxiaokan"

This was just 1 of the files that was installed from the original Trojan Downloader-Arun. Other threats are out there just waiting to be clicked. My advice to you is this: Mind your clicks.

It's been an interesting few weeks for Myspace - there's been a number of scams and dubious programs making their way across countless user profiles. The "fun" clearly isn't over yet, because check out the latest piece of scammery doing the rounds on everybody's favourite social networking site...

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

IMPORTANT UPDATE: Google has reacted very quickly to our concerns, and we have been in discussions with their top engineers. As netizens we are encouraged by their quick reaction to our concerns, and willingness to listen thoughtfully to our feedback. Successful companies like Google understand that one must be a part of the conversation, not stand outside the conversation or try to obscure it. Our hats are off!
Stay tuned for more news...(See Addendum At Bottom)

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications

Back to the entry and analysis from Paperghost....

The idea of problems behind "gated" communities is a pretty interesting one, even more so when the idea regularly rolls around that segregating various parts of the Internet to "keep the bad guys out" would be a great idea. But what happens when those bad-guys are already inside the gates?

From Wikipedia:

(Orkut is) run by Google and named after its creator, Google employee Orkut Buyukkokten. It claims to be designed to help users meet new friends and maintain existing relationships. Similar to Friendster and MySpace, orkut goes a step further by permitting "communities" of users. It is also invitation-only: users must be invited to join the community by someone already there.

So, an interesting concept. But as we saw with Myspace not so long ago, people can (and will) game the system. In this case, the targets are (primarily) Brazilian users of Orkut - because for some reason, something like 70% of all users are from Brazil, and Portuguese is the language of choice right now. Of course, Orkut are not to blame here - nor are social networking sites in general. The sad fact is, large concentrations of end-users in a confined space are like the world's biggest honeypot to a social engineer.

It figures, then, that this particular infection - a variant of an older password stealer, which we dubbed Orc.Malware - should contain a message in Portuguese. Following up a hot tip from this guy (FallenHawk, an extremely resourceful Security Researcher), I was able to get a look at something rather nasty. Something that has apparently been nailing Orkut users for at least a month or so, but (until now) has been ultra-elusive with regards trying to pin it down. The early variants (one or two of which I've since obtained) didn't do very much, and there was no direct tie to Orkut, other than this was where the bad-guys were pushing it. Now, however, the infection will pop up a message telling you your data is being mailed off someplace, before sending you to the Orkut site (as you'll see from the video later on. Bring some popcorn).

The source of the problem are these two nasties (disguised as images), created in the System32 folder by a rogue executable file:

Let's have a look at how these things get on board in the first place. We'll start off with the method of delivery...the infection message. The most common one we've seen so far is this:

"Oi... tudo bom? Como o orkut limita a quantidade de fotos que podem ser publicadas na minha conta, eu criei um slide com algumas fotos minhas, pra ver e so clicar clicar no link!!! [link removed] - Sei que vai gostar"

A (very rough!) translation: "As Orkut limits the amount of photos that can be published in my account, I created a slideshow with some photos of mine, please click to see!"

This message is deposited in an Orkut user's "Scrapbook" (similar to a guestbook), and as the Scrapbooks are public, anyone visiting can see the link and click it. As you probably guessed, that's a real bad idea in this case.

The end-user is presented with what looks like an image file - open it up, and covert ops of the nastiest kind are instigated against the PC. Two more files are installed.

They don't look like much, but they're busy trying to drain your pockets of cash and anything else they can get their hands on. One of the files contains references to a pile of specific login pages for Brazilian banks, as well as a whole section devoted to Orkut and its Friends and Scrapbook pages. On the Orkut help site, they mention how automated Scrap sending isn't allowed:

"If you use other sites to log into orkut or send your friends scraps, you will likely be blocked from performing any actions on orkut.com for about 15 minutes and you'll see the message "We're sorry...but your query looks similar to automated requests."

However, there are many examples of people abusing the system - Orkut has had lots of problems previously with people creating Spam scripts. And this particular infection does seem to have at least a (very) basic automated functionality. I first tested this on the Eighth of June, and was more interested in the data-theft aspect at that point. I didn't see anything particularly unusual going on (beyond the keylogging, of course!) and yet when I logged in a few days later, I saw this:

...and this:

During testing, I had two contacts in my "Friends" network. To my surprise, both of those users now had the infection message sitting in their scrapbooks. As you can see, the time / date of both messages is identical: 09:54 AM, 08/06/2006.

Now that's pretty freaky.

Worse still, this infection seems to be amazingly random. During one round of testing, it even deposited me into an XDCC Botnet:

Yay, I'm file-sharing pirated content!

As for how the data is actually sent back to the hacker guy, you'll probably want to check this short movie clip out:

Click here to download movie (2.90 MB)

00:00 to 00:09 seconds: End-user is going about their daily business, logging into Orkut. Note that you could be performing any web-based activity here; it's just a little thing I like to call context. Plus, I don't actually have any Brazilian bank accounts so you'll just have to make do with Orkut.

00:10 to 00:14 seconds: The end-user clicks into "My Computer". Oh dear - an "error message", warning that you have insufficient virtual memory and the application will now close (or words to that effect. I never was very good with Babelfish).

00:17 to 00:27: At this point, the end-user is probably wondering what on Earth is going on, as they see a message telling them their "form has been submitted", and that they will be redirected somewhere in 5 seconds. Can you guess where?

00:28 to 00:34: That's right, Orkut! I mean, he stole all your bank details and website logins, but at least he gives you a chance to get back into Orkut and change your password before he steals that too!

Make no mistake about it - this infection is a real nasty one. And worse still, it looks like the tip of a very ugly iceberg. I'd insert a really rubbish comment at this point about "how I hope we're not too late to avoid a Spyware-Titanic", but you'd probably hate me for it. Even if it was a nice tie in to the whole iceberg thing. So I'll just leave you with the advice that randomly clicking links to check out pictures, especially when those pictures are from some magical party you've never heard of, is probably not a very good idea.

Many thanks to Peter in our Bangalore office for his incredible sleuth work and the entire team for assisting in pulling this complex case to pieces. Special thanks to Wayne Porter for all night monitoring and revisions.

ADDENDUM: A startling event was discovered during extended testing on an infected machine, which was infected in a lab setting on the 13th of June. The link to the dangerous payload was propogated on the 16th...however the infection message is timestamped as having been sent on the 14th of June:

ADDENDUM Saturday, 17 2006 Happy Endings for Orkut

From CNET:

Google confirmed the worm. "We are aware of this issue and will have a temporary fix in place within the hour," a company representative said in an e-mailed statement. "We are working on a more permanent solution for users to guard against these malicious efforts."

For their protection, Orkut users, just as users of all online services and applications, should always be careful when opening or clicking on anything suspicious, the Google representative said.

-Wayne Porter
Sr. Dir. Greynets Research, FaceTime Communications