Vulnerable systems with out-of-date Adobe Acrobat installs are the main focus of the attacks involving the Tedroo spambot. The spambot commonly is being distributed via a set of canned attacks using what appears to be a version of the Liberty Exploit kit. The Liberty pack maintains an effective set of Acrobat attacks, and considering the thousands of Acrobat attacks prevented on ThreatFire systems since the beginning of Jan, the attacks themselves are well chosen — vulnerable versions of Acrobat Reader continue to be readily available, even in this new decade. 

Once the malformed pdf’s shellcode is passed control on a victim system, it attempts to download multiple components from another server. In our samples, a system hosted in China. There are several downloads to choose from on the server. The first of the files is a loader, carrying a packing stub somewhat similar to the recent Bredolab packed malware with an outer layer of encryption on top of a UPX packed inner layer. It drops a dll to an alternate data stream of a random file in the windows or system32 directory. It then registers that ADS in the AppInit_DLLs so that the dll is loaded at startup. The dll is loaded, and maintains a long list of paths and executables. Most are related to security solutions (examples are listed below) and system components. It terminates a group of them immediately. It then adds entries for security software to the Restricted Software Policy list in the registry, an AVKill method that we haven’t seen fully described as one elsewhere:  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\<SID>

C:\Documents and Settings\All Users\Application Data\PC Tools
C:\Program Files\Common Files\PC Tools
C:\Program Files\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
C:\Program Files\ESET
C:\Program Files\Panda Security
C:\Program Files\Avira
C:\Program Files\Norton AntiVirus
C:\Program Files\Alwil Software
C:\Program Files\Agnitum
C:\Program Files\Symantec

With that undetected (on the day of discovery) component loaded and AV processes killed, the Tedroo spambot is loaded. In the latest loader variants associated with the bot, we observe an interesting entry point with anti-debug and anti-emulator tricks that can be vaguely described as an abuse of “Modern” CPU Instructions. In this case, the packer implements an unexpected x86 VMX instruction — VMLAUNCH. Versions of reverser-friendly Ollydbg decode it to “sgdt edx” and cannot handle the instruction at runtime, reporting to the user that it does not know how to step into it, while some vendor emulators also have a difficult time decoding it. 

Windbg, on the other hand, decodes the vmlaunch command properly as specified by the Intel Reference material, seen below…

Following the malware entrypoint, a windbg deadlisting shows “mov ecx, 0×4fffh”, followed by the vmlaunch. On processors we observed, this setup thows an exception for an Illegal Instruction with ecx = 0×4fffh. The writers of this trick, however, took it upon themselves to force the code to trigger this exception 20,479 times (the decimal representation of 0×4fffh). It’s implemented by registering an SEH pointer to code that simply stores the counter, decrements it, and returns back into the ExcecuteHandler2 function within ntdll that’s within the standard flow of Windows exception handling. Each time, the exception “handler” code returns back into RtlDispatchException and eventually NtContinue, where CONTEXT.eip takes control directly back to the Illegal Instruction location, triggering yet another exception. When the counter finally is decremented to zero, the unpacking stub then modifies CONTEXT.eip on the stack so that flow passes out of this exception loop at ntdll.NtContinue and further into its unpacking stub. Tricky stuff indeed.

Decrement ecx value within the process CONTEXT struct

Continuing on its code path, the code first checks if it’s been run before on the victim system, looking for registry values it creates:

HKCU  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKCU  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
    value: userini path: c:\windows\explorer.exe:userini.exe

It copies itself as an alternate data stream of explorer.exe
     c:\windows\explorer.exe:userini.exe

It sets this ADS to load at startup in the various autorun registry entries listed above, and then runs thru a series of sleeps/gettickcout to delay activity and cloak itself.

 After a long wait, the spambot calls InternetConnectA and HttpOpenRequestA to contact its hardcoded server and retrieves more spam templates. The resulting spam recently has all led to www . pharm directbook .com, another ”Canadian Pharmacy #1 Internet Online Drugstore”. This behavior is similar to that noted in our past post. The sites have been run for years by a group otherwise known as “Glavmed“, selling knockoff, illegal pills with shifty names like “Viagra Professional”…

In spite of the significant shutdowns over the past year, spam like Tedroo’s continues to mess it all up on the net. Don John couldn’t have tried to mess up a good thing any better himself.

Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.

Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):

Reader v9 less than 1%
Reader v8 48%
Reader v7 50%

A recent perusal through prices offered various services shows that a user can obtain a private spambot kit for just under $5000, an exploit kit for another ~$400 complete with the newest pdf, flash, and browser exploits (Internet Explorer, Firefox, and Opera covered here), subscribe to an AV-detection/evasion service for under $100/month, and subscribe to an email address harvesting service that boasts almost a billion verified private addresses all for a low price of under $100 per 1 million sorted addresses. These marketplaces are currently very active.
The technologies being peddled are slowly adapting as the defenses in the field change, with promises of multi-platform effectiveness (XP, Vista, etc) in feature lists and pro-active/heuristic detection functionality addressed by evasion services.
Based on a walk through the market like this one, it’s easy to predict that client side attacks, delivering spambots and DdoSbots will continue with high levels of activity, regardless of the recession.

Currently, the service is set up to host 30 customer sites, and since November, the group has taken on a measly seven. For this market, that is not much momentum. At 50 bucks a month for hosting, the group is taking on a petty 350 U.S. dollars for the service. The global recession seems to be hitting every market.

This malicious dropper executable is being distributed from web sites via a set of exploits targeting a vulnerability patched in 2003, the common Microsoft MDAC (MS06-014) vulnerabilities that we see targeted on a daily basis, along with the somewhat more recent VML and XML CoreServices BoF.

He just happened to be flying back from jfk when a few deep thoughts came to mind about evading the holy grail of automatic malware classification that he posted on DailyDave:
“Given that avoiding “behavioral signatures” is a matter of calling random NOP-like API calls (i.e. CreateFile + CloseHandle == 1 NOP), Halvar’s program classification techniques involve a structural differencing engine. This has advantages (see his talk for details) in that program structure closely reflects the semantic meaning of a program, as interpreted by a compiler.
So the obvious way, from what I can tell, to defeat a structural differencing algorithm would be to do a static or dynamic analysis of your target program, and for each CALL opcode, change the destination to a dispatcher function. This dispatcher function can then be built to do a O(1) table lookup to find the true destination of the call.”

I like the way Dave thinks. Unfortunately, other folks do too, and all sorts of evasive techniques are commercially available. That means the techniques are available to the bot herders, and it appears in our labs that the herders are distributing most of their bots packed with this stuff now.

It’s a pretty complicated attack. Basically, when visiting one of these google results, the malicious server will prompt you to download a malicious executable, at the same time while analysing your system for vulnerabilities and attempting to attack them. All this work in an effort to install lots of “rogue security software” that will scan your system, attempt to intimidate the user with fraudulent scan results into purchasing the product. Complete with pop-ups for pharaceuticals sprouting up on the screen.

Yesterday afternoon, we installed their executable manually (displayed at the Sunbelt blog as “VideoAccessCodecInstall.exe”). It runs on a user’s system and then attempts to connect to a website and perform more downloads. The server at that destination was up, but the malicious download was not available.
However, the servers that the “video codec” connects to came back up overnight. Around 55 Internet Explorer windows and various screen prompts on one of our infected lab systems now tell me that malware and porn has been found all over the system (which were not when we started), and we need to buy their products to clean it up and keep my kids away from porn. What garbage.
Some of the product names look like this:
YourPrivacyGuard, ABSSearch, SecurePCCleaner, UltimateDefender, ADWare Remover2007, XPAntivirus, UltimateCleaner

So we’ve been visiting these malicious web sites in the lab, and they appear to prompt you to install a video codec, enticing you to check out the video that is about to play onscreen. But, in the background, the web page’s javascript identifies the OS, browser and JavaVM version of the visiting user and attacks the browser accordingly. Based on this information, it attacks multiple Microsoft vulnerabilities: MS06-014, MS06-006, MS05-001, MS03-011. It also can attack a couple of old Firefox vulnerabilities: first MFSA 2005-50, and if that attack fails on your firefox browser, it resorts to attacking MS06-006, which overflows a buffer in unpatched versions of Firefox.

Simply put, the best way to deal with this threat is to update your Windows operating system and application components and keep your system’s third party utilities patched, and maintain effective security products on your system.
We’ll keep you updated on the situation.

If you see this on your system while you are browsing the web with Firefox, do NOT download and execute the executable:

If you see this on your system while you are browsing the web with Internet Explorer, do NOT allow the executable to run:

Here is an example of ThreatFire identifying one of the downloaders, running on a lab system:

“Life as we know it is back, NFL season is open.
Know all the games, what time, what channel and the stats.
Never be in the dark again with this online game tracker:
http: // ip.address.he .re”

Here is a snapshot of the site offering the “tracker.exe” file that potential victims will reach by clicking on the email message’s link. DO NOT visit the site if you receive the email, and DO NOT download and run this “tracker.exe” file:

Every link on the page, including the “Peyton Manning” link, will fail to download a couple of times, frustrating and confusing the user. Three’s a charm, and the tracker.exe file will download to your machine. Again, do not download and run the file. It installs all sorts of rootkit components and executables that you do not want on your system.

The authors have been somewhat inconsistent with this version of the multi-layered threat. They haven’t incorporated the commoditized exploits that attack Internet Explorer, Firefox and third party components like the Yahoo! Messenger into this web page, like they have on all of their other recent attack sites. The tracker.exe executable doesn’t change with every download, either. Maybe we are very early on in this stage of the spam/website setup, or a different part of the group set this server up.
The location of this server, most likely another Mac OSX server, is somewhat unusual for this group as well. Geobytes tells us that it is located in Tujunga, CA:

Peyton Manning? They probably could have pwned my system with a Brett Favre link.

In our previous post, we examined a commoditized third party plugin exploit being used in the wild now and its “proactive-solution” evading shellcode. This post will take a look at another effective attack method being used right now, often as another layer in a web based attack, with the end result of rendering a majority of real time av scanners ineffective on the system. Why do malware writers go to these lengths? Usually, in order to obtain and maintain presence on the system.

This added technique relies on a driver installer (often downloaded and executed by an attacker’s shellcode), and a driver component to perform the malicious activity. The samples that we have analyzed also will download a spambot and proxies following the driver component’s successful modification/destruction of the av solution’s real-time scanning capabilities.

I’ll try to describe the activity and environment in fairly plain terms, so readers don’t have to be a device driver writer to understand what is going on.

The driver somehow has to be copied to the system and its service installed. This action can be done in a number of ways. The executable component that creates the driver file and installs the service can be launched on a victim’s system by attacking a web browser plugin as detailed in the last post, binding it to another exe and spamming it out to harvested email accounts, or any number of other well known methods already effectively used in the wild.

This downloaded executable copies out the .sys file to c:\windows\system32\drivers and makes a common win32 api call to install this driver as a file system object. Here’s a quick snapshot of the thread stack when the call is made:

The dropper’s work is almost done. Next, it starts the service and exits.

Once the driver is started by its installer, it maliciously modifies the file system stack. “Real-time” file scan functionality is then disabled, even for major av products.

Here are a couple of screenshots of the system’s device tree prior to the attack – 1. a device tree representation of the Ntfs and raw filesystem drivers following a default install, and 2. a device tree representation of the Ntfs and raw filesystem drivers following the installation of a major anti-virus product. Keep in mind this kernel layout is what the malware writers are looking at when choosing their targets. The visualization is meant to help understand what is being attacked…

This screenshot presents the filesystem stack prior to the installation of the AV product. Notice that the ntfs driver (labelled DRV  \FileSystem\Ntfs) has a named device (labelled DEV \Ntfs), and also in its stack is the system volume (labeled MED \Device\HarddiskVolume1), which represents the underlying disk volume/partition. The XP SP2 operating system device tree normally looks like this following a default install:

This screenshot presents the device tree representation of the file system stack after the installation of a major vendor’s anti-virus product. The Ntfs driver stack has been changed altogether. These changes are indicate that the anti-virus scanner has installed a set of mini-filter drivers, shown by the additions of multiple new attachments labeled “ATT Attached: (Unnamed) – \Filesystem\FltMgr”:

After observing and recording the state of the filesystem stack in a normal state and in a av solution modified state, we run the malware on this goat system in our lab, and it runs unhindered by the antivirus product — signatures for the binary have not been added yet by this av vendor, even though the malware has been circulating in the wild for over a couple of weeks now. At least a couple other vendors are detecting the dropper and its driver.

Here is a screenshot of the filesystem stack after the malware has been run. Notice that all of the mini-filter attachments that were attached by the AV solution to the Ntfs device object have now been detached from the stack:

This modification effectively chokes off any real-time functionality of the AV solution’s filesystem scanner. We expected the system to crash and throw off a BSOD, but it kept running in this state in our labs for hours without any blue screen.

The AV security application continues to run, without presenting any warning to the user that it has been hacked, so the user thinks everything is ok. But their system is left unprotected at this level.

At last we confirm the inability of the real-time AV filesystem scanner to detect malware copied to disk in real-time. We copy three year old malware binaries (variants of the bagle Trojan) from a server we maintain in the labs to this attacked system. Normally they are caught by this AV scanner’s real-time protection: 

The files are copied to the system’s hard drive without any detection, while the Auto-protect feature of the scanner quietly reports its “On” status. The AV solution clearly has been rendered useless and misleads the user into thinking that their drive is protected. This last confirmation in the AV gui’s status page reinforces that this host compromise is unexpected, effective and stealthy:

Now, not only are these packages delivering repacked and crypted binaries via harmless looking but malicious web pages, but they are re-obfuscating the malicious content hidden on the web pages at very small intervals. The threats, at every level, are constantly changing.

We collected up these changing pages from multiple malicious web sites, de-obfuscated their code, and isolated each exploit with its shellcode to analyze them, and to identify any problems they might cause for security products. Here are some notes from our research on in-the-wild web exploits:

The code across malicious groups is becoming more and more similar. There most definitely is code sharing between the groups writing the exploits. Some of them are the exact same techniques for identical exploits.

One recent addition to the commoditized exploit packages that are bought and sold online that has not been much discussed is exploitation of a recently disclosed Yahoo Messenger vulnerability, with shellcode that evades some of the major av vendors’ security software.

The vulnerability effects a version of a component called the “Webcam Viewer Networking and Imaging” ActiveX component (ywcvwr.dll v2.0.1.4). Basically, an old-fashioned stack-based buffer overflow occurs because a 1023 byte buffer is set aside to store input for webcam functionality, but the input is not properly checked, allowing for maliciously crafted webcam objects to run arbitrary code of the attacker’s choosing.

We examined the attacker’s approach. They use a reliable method of delivering control to their shellcode on XP Sp2 and Vista systems over IE6 and IE7 with default settings: they spray the heap with shellcode of their choosing simply by creating a dozen or so variables in their javascript, and stuffing them with lots of NOP followed by shellcode. They then deliver a large amount of data (5000 bytes) to this unchecked 1023 byte buffer and overrun values on the stack, including the exception handler. An exception occurs, and because the exception handler is overwritten with an address on the heap, control is passed to their download and execute shellcode.

By default, this exploit works on Vista systems when IE6 and IE7 do not have the “Data Execution Prevention” feature enabled. But techniques to disable the DEP check even when it is enabled have been published as well.

This image shows the thread stack as it is overflowed. An exception has been caused at this point, and we break on it to notice that the stack is covered with “\x0a\x0a\x0a\x0a”.

When this exception occurs, we can take a peek at the exception handler, which also is stored on the stack. It has been overwritten with “\x0a\x0a\x0a\x0a” as well. Because the exception has been thrown, our goat system tries to provide control to the first handler in the list, which happens to be at the craftily overwritten “0a0a0a0a”.

Interestingly, the heap has been sprayed with shellcode because the javascript sets up multiple variables full of shellcode. Due to this spray, the location “0a0a0a0a” now points to “0c0c0c0c”, which also is located on the heap. This heap contains two things – a nop sled of “0c0c0c0c” and “download and execute” shellcode.

Control will slide down the sled to our shellcode, and the attackers will effectively download and execute a set of binaries stored on another web server. These binaries download and execute even more malware, including bots, rootkits, password stealers, adware and other problematic software.

And whoa, they keep coming as this post is written! Another Yahoo webcam viewer vulnerability has been discovered and its exploit posted by a Chinese security group without having notified Yahoo, so we’ll keep an eye on this 0day as well and probably post on attacking activity abusing this new vulnerability. We’ve looked through the code, and it attacks a heap overflow instead of a stack overflow like this one, but methods to effectively defend against it remain the same.

Beware web sites and links that you have not visited before, especially if they are sent to you via email, and update your security software. Buffer overflow exploits like this one can turn an unwitting user into a victim.