Add syntax highlighting to notes
[disinclined.org.git] / _posts / 2013-03-12-malware-analysis.html
diff --git a/_posts/2013-03-12-malware-analysis.html b/_posts/2013-03-12-malware-analysis.html
new file mode 100644 (file)
index 0000000..05ddc84
--- /dev/null
@@ -0,0 +1,455 @@
+---
+layout: note
+---
+
+<p>This is my exploration of a trojan horse sent to open@duckduckgo.com. The email, which claimed to hold "My eTicket", contained a malicious call to action and .zip file.</p>
+
+<p>I began by attempting to locate the origin of the email. The relevant portion of the headers is excerpted below. These headers cannot be relied upon for identification (they are trivially forged). However, the email does not claim to be from delta.com, leading me to suspect the original domain is genuine - why pretend to be from an arbitrary domain?</p>
+
+<pre class="brush: bash">
+Received: from unknown (HELO ) (89.77.209.23)
+  by 0 with SMTP; 5 Mar 2013 22:11:01 -0000
+From: "DELTA" &lt;PFlFnLybzQlsh@lorusso.com&gt;
+To: open@duckduckgo.com
+Message-ID: &lt;20130305231057.D5B526351B50D849E929.5F438C@MARTA-F97BA78A4&gt;
+Subject: Your eTicket
+MIME-Version: 1.0
+Content-Type: multipart/related;
+  boundary="----=_Part_369841052092"
+</pre>
+
+Taking a look at lorusso.com, it seems legitimate. Following with a WHOIS query, it still looks good.
+
+<pre class="brush: bash">
+Domain Name: LORUSSO.COM
+Registrar: TUCOWS DOMAINS INC.
+Whois Server: whois.tucows.com
+Referral URL: http://domainhelp.opensrs.net
+Name Server: NS10.IXWEBHOSTING.COM
+Name Server: NS9.IXWEBHOSTING.COM
+Status: clientTransferProhibited
+Status: clientUpdateProhibited
+Updated Date: 17-oct-2011
+Creation Date: 25-oct-1998
+Expiration Date: 24-oct-2017
+
+Administrative Contact:
+   Lorusso, David  dave@lorusso.com
+   1200 Mahogany Lane
+   Cedar Park, TX 78613
+   US
+   +1.5123319487
+Technical Contact:
+   Lorusso, David  dave@lorusso.com
+   1200 Mahogany Lane
+   Cedar Park, TX 78613
+   US
+   +1.5123319487
+</pre>
+
+<p>Because I do not believe the email was sent by the owner of lorusso.com, this leaves two possibilities: a negligently open mail relay service, or a compromised system. To determine if the former is the case, I attempt to send my own email through his mail provider. To locate the resource, I first query the mail exchange record for the domain and it's corresponding address record.</p>
+
+<pre class="brush: bash;">
+$ dig mx lorusso.com +short
+10 mail909.ixwebhosting.com.
+
+$ dig mail909.ixwebhosting.com +short
+76.162.254.111
+76.162.254.117
+76.162.254.118
+76.162.254.109
+76.162.254.110
+
+$ telnet 76.162.254.111 25
+Trying 76.162.254.117...
+Connected to 76.162.254.117.
+Escape character is '^]'.
+220 ironport4.opentransfer.com ESMTP
+helo dylanstestserver.com
+250 ironport4.opentransfer.com
+mail from: dylansserver.com
+250 sender &lt;dylansserver.com&gt; ok
+rcpt to: dylan@dylansserver.com
+550 #5.1.0 Address rejected dylan@dylansserver.com
+quit
+221 ironport4.opentransfer.com
+Connection closed by foreign host.
+</pre>
+
+<p>My request to forward mail through the server is denied appropriately. Without running an intrusive network scan of lorusso.com, at this point there is nothing left to do except to alert the technical contact of the domain.</p>
+
+<p>Now to the payload. Inside a GNU/Linux VM I identify the file type, log a checksum, and unpack, recursively. I'm lucky - it's packed, but there is no obfuscation of the executable by its format.</p>
+
+
+<pre class="brush: bash;">
+$ file eTicket.zip
+eTicket.zip: Zip archive data, at least v2.0 to extract
+
+$ md5sum eTicket.zip
+5f3aeef467f263e56b7a53f28497523c  eTicket.zip
+
+$ unzip eTicket.zip
+Archive:  eTicket.zip
+  inflating: eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+
+$ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
+
+$ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+a98d8bf1d8b68477867ebae47f0d5086  eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+
+$ upx -d eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe 
+
+$ file eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe 
+eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe: PE32 executable (GUI) Intel 80386, for MS Windows
+
+$ md5sum eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+82c3c81779564d999787a3a15203fb33  eTicket and Receipt for ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+</pre>
+
+<p>Seeing the portable executable, I know the honeypot system I need. Before preparing it, I take quick peek inside the file:</p>
+
+<div style="height:200px;overflow:auto">
+<pre class="brush: bash;">
+$ strings eTicket\ and\ Receipt\ for\ ID5376594563456459762374628734628769348628756826398467263596245663284682369498268354892634986234876248528374698137404568798057347573204312462656.pdf.exe
+...
+KERNEL32.DLL
+gdi32.dll
+user32.dll
+UnregisterWaitEx
+GetEnvironmentStringsA
+GetCommandLineW
+CreateDirectoryExA
+ExitProcess
+GetNumberFormatW
+GetCommandLineA
+EnumTimeFormatsA
+GetPrivateProfileStructW
+GetTextExtentPoint32W
+GetRgnBox
+SetColorSpace
+DeviceCapabilitiesExW
+DeleteDC
+PolyTextOutA
+GetBkColor
+GetFontLanguageInfo
+CreateFontW
+GetKerningPairsA
+GdiDeleteSpoolFileHandle
+GetMapMode
+GdiArtificialDecrementDriver
+CreateFontIndirectExA
+StartDocW
+SetROP2
+UpdateColors
+OffsetViewportOrgEx
+GetOutlineTextMetricsA
+DeviceCapabilitiesExA
+CopyEnhMetaFileA
+Polyline
+SetAbortProc
+ExtEscape
+SetBrushOrgEx
+GetFontResourceInfoW
+StartPage
+GetDIBColorTable
+EudcUnloadLinkW
+OffsetWindowOrgEx
+IntersectClipRect
+SetMapMode
+CreateFontIndirectW
+GetTextFaceA
+GetRelAbs
+DescribePixelFormat
+GetLogColorSpaceW
+BeginPath
+GetPath
+GetCharacterPlacementW
+GdiPlayPrivatePageEMF
+SelectPalette
+CloseMetaFile
+CreateRectRgn
+EnumFontsA
+SetLayout
+EudcLoadLinkW
+InvertRgn
+EnumFontFamiliesExW
+SetRelAbs
+EnumFontFamiliesExA
+GetStretchBltMode
+GetCharacterPlacementA
+CreateFontIndirectA
+GdiPlayScript
+CreateDCA
+ExcludeClipRect
+SetMetaFileBitsEx
+GetDeviceCaps
+StartFormPage
+GetWorldTransform
+CombineTransform
+FlattenPath
+GdiPlayPageEMF
+CreatePolyPolygonRgn
+GetBkMode
+SelectFontLocal
+PolyPolyline
+CreateDCW
+GetTextExtentPoint32A
+SelectObject
+EnumFontFamiliesA
+RemoveFontResourceExW
+SetSystemPaletteUse
+GetPaletteEntries
+GetCharWidthFloatA
+Escape
+DeleteObject
+UpdateICMRegKeyA
+GetFontUnicodeRanges
+CreateCompatibleBitmap
+ExtCreatePen
+GetObjectW
+GetTextExtentPointI
+GdiComment
+GetWindowExtEx
+SelectBrushLocal
+GetCharWidthFloatW
+FloodFill
+EndPath
+LPtoDP
+WidenPath
+RemoveFontResourceW
+CopyEnhMetaFileW
+GetMetaFileA
+PolyPolygon
+PaintRgn
+CreatePalette
+GetGlyphIndicesA
+GdiGetSpoolFileHandle
+GetDIBits
+SetTextCharacterExtra
+PolylineTo
+SetMetaRgn
+GetKerningPairsW
+ExtCreateRegion
+GetCharWidthA
+SetColorAdjustment
+GetLayout
+SetMagicColors
+SetICMProfileW
+GetSystemPaletteEntries
+SetDIBits
+DeleteEnhMetaFile
+CreatePatternBrush
+SetWindowOrgEx
+GetTextExtentPointA
+UnrealizeObject
+PolyTextOutW
+ResetDCW
+CreateFontIndirectExW
+GetTextExtentExPointW
+CreateCompatibleDC
+GetLogColorSpaceA
+GetTextExtentPointW
+CreateDIBPatternBrushPt
+CreatePolygonRgn
+GdiPlayJournal
+ColorCorrectPalette
+RemoveFontMemResourceEx
+GetStockObject
+PatBlt
+FrameRgn
+UpdateICMRegKeyW
+GetCharABCWidthsA
+CreatePen
+CombineRgn
+GetEnhMetaFileW
+GetDCOrgEx
+GetBoundsRect
+LineDDA
+PlayEnhMetaFile
+RemoveFontResourceA
+GetSystemPaletteUse
+GdiPlayDCScript
+CreateColorSpaceW
+GetBitmapBits
+GetDCPenColor
+GetBrushOrgEx
+GetCharWidthI
+GetBitmapDimensionEx
+GetObjectType
+RemoveFontResourceExA
+SelectClipRgn
+TranslateCharsetInfo
+CreateEnhMetaFileW
+GetObjectA
+SetStretchBltMode
+GetFontAssocStatus
+SetDCBrushColor
+SetRectRgn
+Polygon
+SetMapperFlags
+EnumEnhMetaFile
+SetDIBColorTable
+GetDeviceGammaRamp
+StartDocA
+CreatePenIndirect
+StretchBlt
+VkKeyScanExA
+InvalidateRect
+ToUnicodeEx
+GetMenuDefaultItem
+AdjustWindowRect
+ReleaseCapture
+EnumDisplayDevicesW
+DdeDisconnect
+TranslateMDISysAccel
+SetClipboardViewer
+DrawTextA
+LoadMenuW
+CharNextW
+GetLastActivePopup
+CopyRect
+PrivateExtractIconsW
+IsWindow
+GetTabbedTextExtentA
+InvalidateRgn
+GetClipboardFormatNameA
+IMPQueryIMEW
+TranslateMessage
+CreateMenu
+SetWindowsHookExA
+DefWindowProcA
+GetDialogBaseUnits
+GetWindowRgn
+OpenDesktopW
+LockWindowUpdate
+...
+</pre>
+</div>
+
+<p>There are some interesting calls made, but I don't know enough about Windows internals to tell much from it. Instead, I'll move on to dynamic analysis. To create a safe, monitored environment, I will use another guest operating system, loaded with the following utilities:</p>
+
+<ul style="margin-top:10px">
+  <li style="margin-left:60px;list-style:disc;display:list-item;">VirtualBox appliance, Windows XP SP3</li>
+  <li style="margin-left:60px;list-style:disc;display:list-item;">Internet Explorer 8 (updated)</li>
+  <li style="margin-left:60px;list-style:disc;display:list-item;">Windows Security Essentials (updated)</li>
+  <li style="margin-left:60px;list-style:disc;display:list-item;">RegShot (for registry and filesystem snapshots)</li>
+  <li style="margin-left:60px;list-style:disc;display:list-item;">Windows Process Monitor (for live monitoring of system calls)</li>
+</ul>
+
+<p>The host also requires configuration. I create a virtual network device (and an ethernet bridge) that can be attached to the virtual machine, watched and firewalled.</p>
+
+<pre class="brush: bash;">
+sudo modprobe vboxnetflt
+
+sudo brctl addbr br0
+sudo brctl addif br0 eth0
+
+sudo modprobe tun
+sudo ip tuntap mode tap
+sudo link set up tap0
+sudo brctl addif br0 tap0
+
+mkdir monitor && cd monitor
+sudo tcpdump -itap0 -vvvA -s0 -G 60 -W 1 -Uw baseline_
+tcpdump -vvvA -r baseline_00
+</pre>
+
+<p>With a distinct, tapped interface, I listen for baseline network connections including ARP and UDP inside the LAN. This will help me eliminate noise from the network I/O of the infected system. Simultaneously, I create a new virtual machine snapshot to return to later. Meanwhile, inside the guest I take registry and filesystem snapshots with RegShot, as well as open the Process Monitor, filtering out friendly services. With a healthy signature obtained, I start a new listening process:</p>
+
+<pre class="brush: bash;">
+sudo tcpdump -itap0 -vvvA -s0 -C 128 -W 10 -Uw capture_
+</pre>
+
+<p>Environment prepared, I download and execute the trojan. The file disappears after triggering, and the process and network monitors flood with calls and packets. After about 3 minutes, I pause the VM, and begin the log analysis.</p>
+
+<p>My first step now is to peek inside with my editor. There are a lot of HTTP requests, furthermore, a lot of requests that seem to passing parameters used for ad tracking.</p>
+
+<pre class="brush: bash;">
+$ strings capture_00 | grep http | wc -l
+281
+$ strings capture_00 | grep http | grep CLICK | wc -l
+137
+$ strings capture_00 | grep http | grep -v CLICK | grep impression | wc -l
+73
+$ strings capture_00 | grep Host | sort -u
+Host: 113594url.directdisplayad.com
+Host:239.255.255.250:1900
+Host: 88.198.7.221
+Host: ajax.googleapis.com
+Host: cache.adfeedstrk.com
+Host: cds.q2q3h3t3.hwcdn.net
+Host: connect.facebook.net
+Host: edge.sharethis.com
+Host: fonts.googleapis.com
+Host: html5shiv.googlecode.com
+Host: j.maxmind.com
+Host: redirect.ad-feeds.net
+Host: vjlvchretllifcsgynuq.com
+Host: wd.sharethis.com
+Host: w.sharethis.com
+Host: www.directorslive.com
+Host: xlotxdxtorwfmvuzfuvtspel.com
+</pre>
+
+<p>A bit more searching and it's clear that the malware is using my computer to send out hundreds of forged ad impressions every minute. It's also hitting something else interesting - j.maxmind.com is a geolocation service. It's possible that it's fetching this information to send back to a command and control sever. This of course points towards the next concern - that the program has also installed additional hooks such as a keylogger, which it could use to send keystrokes (including financial information) to its owner.</p>
+
+<p>None of the outgoing packets look very interesting, but there's no way of predicting when it might try to make contact. Instead, I'll try to look for evidence of additional tampering locally. To do this, I look at the registry and file system diff, alongside the process monitor.</p>
+
+<pre class="brush: bash;">
+----------------------------------
+Files deleted: 2
+----------------------------------
+C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
+C:\WINDOWS\Tasks\MpIdleTask.job
+</pre>
+
+<div style="height:200px;overflow:auto">
+<pre class="brush: bash;">
+$ egrep -i 'Control.*firewall' registry.changes
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
+HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
+HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
+HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\DeviceDesc: "Windows Firewall/Internet Connection Sharing (ICS)"
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000001
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000000
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000001
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\Network Diagnostic\xpnetdiag.exe: "%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe: "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
+HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All: 0x00000001
+</pre>
+</div>
+
+<p>No more security scans! These deleted files ensure that the automatic malware scans will no longer run. Also modified and removed are firewall control settings. There don't seem to be any obvious changes to core system code such as DLLs that would be used by a keylogger - but I could easily be missing something. With the process monitor I see the file and registry modifications in real time, but nothing else jumps out at me.</p>
+
+<p>Here is the <a href="/share/baseline_00">baseline tcpdump</a>, the <a href="/share/capture_00">capture tcpdump</a> and the full <a href="/share/registry.changes.txt">filesystem and registry diff</a>.</p>
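Review bot: the host-side setup block (`sudo modprobe tun` through `sudo brctl addif br0 tap0`) does not run as written and does not deliver the "watched and firewalled" interface the paragraph above it promises. `sudo ip tuntap mode tap` is missing the `add` verb and a `dev tap0` name, and `sudo link set up tap0` is missing the `ip` command entirely; the iproute2 forms are `ip tuntap add dev tap0 mode tap` and `ip link set tap0 up`. More importantly, `brctl addif br0 eth0` bridges the guest straight onto the physical LAN and no iptables/ebtables rule appears anywhere in the note, so the infected XP guest had unrestricted Internet access for the three-minute run (the 281 outbound HTTP requests counted later confirm it); either show the filtering rules or drop the word "firewalled". Smaller points in the same hunk: the relay test connects with `telnet 76.162.254.111 25` but the transcript reads `Trying 76.162.254.117...`, so one of the two was edited after the fact; the `Received:` header records the submitting host as 89.77.209.23, which is a stronger lead than the trivially forged `From:` domain and goes unexamined; the RegShot excerpt shows `EnableFirewall: 0x00000001` and `DoNotAllowExceptions: 0x00000000` for both profiles, i.e. the firewall is still on, so "modified and removed are firewall control settings" overstates what the diff supports (the deleted `.job` files are the solid finding); and "it's corresponding address record" should be "its".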