QQ Password Stealing via ActiveX Office Web Component 0day
We have been monitoring and examining the second of the fairly prevalent ActiveX 0day in the past couple of weeks, this one targeting Microsoft Office Web components for Internet Explorer. The exploits have been distributed mostly on servers in China. Accordingly, the payloads that we have examined target a massive audience.
The final payload that is downloaded and executed after visiting one of these sites is an executable that drops a dll to disk and runs it. The dll in turn attempts to steal info from the hugely popular Tencent QQ components. It does so by using hooks and capturing screenshots of the entire desktop. These hooks steal QQ usernames and passwords, in particular QQ Game’s Dungeon and Fighter. To give you an idea of the size of the target audience, QQ Game reports that it has over 200 million registered accounts.
Following successful 0day exploitation, the malware copies out a dll, and as an evasion technique, copies rundll32 (normally used to load dlls) to myInsDll.exe in system32. The malware calls ShellExecute on this renamed rundll32 component, which loads the dropped dll. Depending on the command line argument, the dll code will delete components or start the heist.First, the dll begins to disable Windows File Protection with a well-worn technique:
On a successful WFP disable, it deletes Comres.dll from dllcache and replaces Comres.dll with a copy of itself. When c:\Program Files\Tencent\DNF\DNF.exe is started, it normally loads Comres.dll. This code illustrates the switch:
When the new Comres.dll is loaded into DNF.exe, the dll steals the QQ user name, password, serial, total money and more from unsuspecting users. To do so, it first places several hooks within TenQQAccount.dll and QQAccount.dll:
The jump hooks are written directly to the dll text segments:
All data, including captured usernames, passwords, and entire desktop screenshots were being uploaded to 080506.8866.org.
ThreatFire has been containing this threat within our global community, including our local Chinese user base.
This entry was posted
on Wednesday, July 15th, 2009 at 1:15 pm and is filed under 0day, Password stealing.
You can follow any responses to this entry through the RSS 2.0 feed.
You can skip to the end and leave a response. Pinging is currently not allowed.
Leave a Reply
When the new Comres.dll is loaded into DNF.exe, the dll steals the QQ user name, password, serial, total money and more from unsuspecting users. To do so, it first places several hooks within TenQQAccount.dll and QQAccount.dll:
