Vulnerable systems with out-of-date Adobe Acrobat installs are the main focus of the attacks involving the Tedroo spambot. The spambot commonly is being distributed via a set of canned attacks using what appears to be a version of the Liberty Exploit kit. The Liberty pack maintains an effective set of Acrobat attacks, and considering the thousands of Acrobat attacks prevented on ThreatFire systems since the beginning of Jan, the attacks themselves are well chosen — vulnerable versions of Acrobat Reader continue to be readily available, even in this new decade. 

Once the malformed pdf’s shellcode is passed control on a victim system, it attempts to download multiple components from another server. In our samples, a system hosted in China. There are several downloads to choose from on the server. The first of the files is a loader, carrying a packing stub somewhat similar to the recent Bredolab packed malware with an outer layer of encryption on top of a UPX packed inner layer. It drops a dll to an alternate data stream of a random file in the windows or system32 directory. It then registers that ADS in the AppInit_DLLs so that the dll is loaded at startup. The dll is loaded, and maintains a long list of paths and executables. Most are related to security solutions (examples are listed below) and system components. It terminates a group of them immediately. It then adds entries for security software to the Restricted Software Policy list in the registry, an AVKill method that we haven’t seen fully described as one elsewhere:  HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\<SID>

C:\Documents and Settings\All Users\Application Data\PC Tools
C:\Program Files\Common Files\PC Tools
C:\Program Files\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
C:\Program Files\ESET
C:\Program Files\Panda Security
C:\Program Files\Avira
C:\Program Files\Norton AntiVirus
C:\Program Files\Alwil Software
C:\Program Files\Agnitum
C:\Program Files\Symantec

With that undetected (on the day of discovery) component loaded and AV processes killed, the Tedroo spambot is loaded. In the latest loader variants associated with the bot, we observe an interesting entry point with anti-debug and anti-emulator tricks that can be vaguely described as an abuse of “Modern” CPU Instructions. In this case, the packer implements an unexpected x86 VMX instruction — VMLAUNCH. Versions of reverser-friendly Ollydbg decode it to “sgdt edx” and cannot handle the instruction at runtime, reporting to the user that it does not know how to step into it, while some vendor emulators also have a difficult time decoding it. 

Windbg, on the other hand, decodes the vmlaunch command properly as specified by the Intel Reference material, seen below…

Following the malware entrypoint, a windbg deadlisting shows “mov ecx, 0×4fffh”, followed by the vmlaunch. On processors we observed, this setup thows an exception for an Illegal Instruction with ecx = 0×4fffh. The writers of this trick, however, took it upon themselves to force the code to trigger this exception 20,479 times (the decimal representation of 0×4fffh). It’s implemented by registering an SEH pointer to code that simply stores the counter, decrements it, and returns back into the ExcecuteHandler2 function within ntdll that’s within the standard flow of Windows exception handling. Each time, the exception “handler” code returns back into RtlDispatchException and eventually NtContinue, where CONTEXT.eip takes control directly back to the Illegal Instruction location, triggering yet another exception. When the counter finally is decremented to zero, the unpacking stub then modifies CONTEXT.eip on the stack so that flow passes out of this exception loop at ntdll.NtContinue and further into its unpacking stub. Tricky stuff indeed.

Decrement ecx value within the process CONTEXT struct

Continuing on its code path, the code first checks if it’s been run before on the victim system, looking for registry values it creates:

HKCU  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKCU  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\Run”
 HKLM  “Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run”
    value: userini path: c:\windows\explorer.exe:userini.exe

It copies itself as an alternate data stream of explorer.exe
     c:\windows\explorer.exe:userini.exe

It sets this ADS to load at startup in the various autorun registry entries listed above, and then runs thru a series of sleeps/gettickcout to delay activity and cloak itself.

 After a long wait, the spambot calls InternetConnectA and HttpOpenRequestA to contact its hardcoded server and retrieves more spam templates. The resulting spam recently has all led to www . pharm directbook .com, another ”Canadian Pharmacy #1 Internet Online Drugstore”. This behavior is similar to that noted in our past post. The sites have been run for years by a group otherwise known as “Glavmed“, selling knockoff, illegal pills with shifty names like “Viagra Professional”…

In spite of the significant shutdowns over the past year, spam like Tedroo’s continues to mess it all up on the net. Don John couldn’t have tried to mess up a good thing any better himself.

The past year showed massive numbers of malware being run on systems across the globe. Behind the malware was an active malware marketplace, often with forums full of services for hire, advice on distributing and maintaining crimeware, and devious ways to hire money-mules.

There is more than meets the eye to these services. Much of the activity was not being discussed in these public forums or was as front and center in the media as the Conficker circus. While bot activity is not new to the party, a recently published study “SBotMiner: Large Scale Search Bot Detection“ brings in the year with a fresh start on identifying and quantifying malicious search bot traffic. The activity is under-studied and significant: the “miner” identified that almost 4% of all query traffic is bot-related (which represents at least hundreds of millions of search queries every couple of months), and that seems to be only the tip of the iceberg. The traffic was collected in Feb and April 2009, the search engine is not specified (google, yahoo!, live, altavista, ask, etc.) and that selection may have impacted the studies’ volumes and results. It is suggested that Live search results were used, so results most likely are much larger when the other engines are considered. The study also includes more forms of bot-based attacker-related traffic, instead of exclusively examining click fraud related bot queries and activity.

The discussion and findings included:

“More importantly, detecting bot-generated search traffic has profound implications for the ongoing arms race of network security. While many bot queries from individual hosts may be legitimate (e.g., academic crawling of specific Web pages), a significant fraction of bot search traffic is associated with malicious attacks at different phases. In addition to the well known click-fraud attacks that can be commonly observed in query logs, attackers also use search engines to find Web sites with vulnerabilities, to harvest email addresses for spamming, or to search well-known blacklists.”

“Attackers are leveraging search engines for exploiting vulnerabilities of Web sites. SBotMiner Identifies 88K searchbot groups searching for various PHP scripts and ASP scripts.”

“Using the entire datasets, SBotMiner detects 8,678 groups searching for PHP scripts in Feb and 79,337 such groups in April; 64 groups searching for ASP scripts in Feb and 301 groups in April. These searches spread all over the world.”

“Initial evidence shows that many of them might be associated with various forms of malicious activities such as phishing attacks, searching for vulnerabilities and spamming targets, or checking blacklists. Interestingly, attacks from different countries and regions do exhibit distinct characteristics, and search bots from countries with high bandwidth Internet access are more likely to be aggressive in submitting more queries.”

“We used sampled query logs collected in two different months and identified 700K bot groups with more than 123 million pageviews involved. The percentage of bot traffic is non-trivial — accounting for 3.8% of total traffic”  

So how might this effect you, dear reader? Well, 2010 already brings with it more publicly available information on the methods being used to harvest information about you, the blackhat Seo that these groups are increasingly relying on and the means in which these groups attempt to identify vulnerable servers to attack and use, in turn, to attack your system. It’s a fine read with some fresh information and an enjoyable way to settle into the New Year.

Two of the kernel hook overwrite attempts abuse straightforward Windows vulnerabilities, and they both have been patched. The other Bredolab hook overwrite attempt targets a mechanism that isn’t officially a vulnerability. When users are not logged in as admin, Bredolab is not effective. Here is the short list of the targeted vulnerabilities, in the order called by the Bredolab code:

1st Bredolab targeted vulnerability – MS07-017 – GDI Local Elevation of Privilege Vulnerability
CVE-2006-5758

2nd Bredolab targeted vulnerability- MS08-025 – Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability
CVE-2008-1084

3rd Bredolab targeted vulnerability- Flaw allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel
CVE-2004-2339

Just before exploiting the vulnerabilities to gain access to the kernel, Bredolab copies ntkrnlpa.exe from the drive to a location in virtual memory, examining the code for the addresses of nine kernel APIs that are frequently hooked by security solutions. It finds them and stores the virtual addresses for these api’s in its text section for use in the overwrites:
ZwAllocateVirtualMemory
ZwWriteVirualMemory
ZwProtectVirtuallMemory
ZwCreateThread
ZwAdjustPrivilegesToken
ZwOpenProcess
ZwOpenThread
ZwQueueApcThread
ZwSetValueKey

The first exploit attempt to overwrite security solutions’ hooks involves abusing Windows graphics functionality. After calling MapViewofFile and searching for the api’s listed above in the mapped copy of ntkrnlpa.exe, Bredolab maliciously initializes a Palette object:

Hook overwriting shellcode is delivered via a carefully crafted GetNearestPaletteIndex call:

cr0 manipulation in the shellcode to obtain write permissions on kernel memory here:

The first method will fail for Bredolab if the system is MS07-017 patched (patch your systems!). To account for that issue, Bredolab will check for the patch, and if present, deliver its next exploit.

First, it calls GetDesktopWindow to retrieve a handle to the desktop. Next, it sets up the first of two interrupt trampolines to NtUserMessageCall

After the two are setup, it then tricks ZwSetIntervalProfile to call user mode code from the kernel, passing a pointer to its hook overwrite function

Sometimes these first two exploits do not work on a system for the malware. But Bredolab arrives with a solution for that situation. When the first two are patched, Bredolab checks that its calling user has SeDebugPrivilege privilege

If SeDebugPrivilege is present, Bredolab calls ZwSystemDebugControl with two interesting parameters: Debug_Control_Code=9 and SysDbgCopyMemoryChunks_1. Providing that debug code to the call, Bredolab copies arbitrary code from user space to kernel space:

Using a bug in the read I/O sub-function of NtSystemDebugControl, not shown here, Bredolab writes to kernel memory. It modifies an IDT entry with a pointer to its malicious code, and provides control to the code by again calling ZwSetIntervalProfile.

While the bulk of the attacks appear in the U.S., outbreaks of this stuff occured the past year throughout Italy, England, Germany and Russia as well. Unfortunately, there remains large enough numbers of unpatched systems in these countries to gain these attackers’ attention.

Instead of the Ftp 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and the Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users don’t patch systems for various reasons for years?) The worm itself attempts to exploit the aged vulnerability and deliver download and execute shellcode, pulling down and running more malware on the compromised host. That shellcode has been downloading an incremented-daily URL from a server hosted in England since August 2nd. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.

First, let’s talk about the distribution over the past year. Most of the Clampi executables appear to be unique, and appear to have been run on no more than one machine. The bulk of these executables are repacked and re-obfuscated to evade AV solutions, so only a quarter of the Clampi malware prevented in the ThreatFire community over the past year showed up on more than one system. Mostly all of the Clampi variants seen on multiple user desktops appear to have been delivered via an Adobe Acrobat client-side exploit. As posted previously about mainstream Windows pdf readers, be sure to update the software on your system, especially popular web browser third party plugins. A high number of these Clampi-delivering exploits successfully attacked Acrobat 7.0. Unfortunately, while the message may be getting out that third party plugins need to be updated on a regular basis, the advice does not seem to be followed reliably.

The trojan runs a new instance of Internet Explorer and injects it with executable code of its own, accesses the personal store of saved passwords, and phones the data off of the system to multiple web sites. It’s not a set of new malicious techniques, but highly problematic nonetheless. ThreatFire prevents these behaviors reliably, and PC Tools AV reliably detects the malware with one of several heuristic routines: Trojan.DL.Ilomo.Gen!Pac, Trojan.DR.Ilomo.Gen!Pac.2, Trojan.DL.Ilomo.Gen!Pac .

Symantec named this malware Trojan.Clampi, and it has been labelled inconsistently by other groups with a handful of other names, including Clomp, Downloader, Inject, Rscan, Small, Ilomo, Agent2, Agent, and often it is detected by its packer’s characteristics. Unfortunately, its packer changes and old signatures can become ineffective against this malware as it appears on systems around the world over time. PCTAV heuristics were effective over time, however.

Update: Please see post with a bit of technical information regarding Clampi variant’s injection technique.

Instead, ThreatFire continues to prevent prevalent attacks from malicious pages like those currently hosted on cxim-way. cn, where javascript identifies third party plugins on the system and attacks the user’s system accordingly. Pseudocode here:

while name = navigator.plugins[i].name

if((name.indexOf(”Adobe Acrobat”) != -1) || (name.indexOf(”Adobe PDF”) != -1))
then iframe src=”cache/readme.pdf
if(name.indexOf(”Foxit Reader”) != -1) then iframe src=”cache/update.pdf
if(name.indexOf(”Flash”) != -1) then iframe src=”cache/flash.swf

The resulting malicious payload is prevented by ThreatFire. “Load.exe” is pulled down from the site on a successfully compromised system, renamed to “pdfupd.exe”, and run. This malicious downloader/dropper currently evades most AV scanners. It drops a couple of drivers, and possibly may be a rustock bot variant, which we are looking further into:

ThreatFire users are protected from multiple layers of the attacks. In addition to patching your system, install a behavioral-based layer of protection on your system.

The ThreatFire community is safe from pav.exe, and there have been a number of triggers on various versions of the file early this morning. Detection by the major AV vendors is very low to non-existent for the current variants.

Surprisingly, the Waledac and Zbot groups have been quiet on this news story so far. We’ll monitor the situation closely.

In light of the issues, the installation mandate seems to have been delayed indefinitely. We’ll add more info as it comes to light and wikileaks comes back up.

Subject: Dan Shmoo sent you a message on Facebook…
Dan sent you a message.

Subject: Hello
“Check brunga.at”

Screenshot of the site here, notice the blue banner missing the logo:

After filling out authentication details that are then stolen, the user is then redirected to the real Facebook site.
Use your head and always be aware of the site’s url when entering authentication/login info. Careful of phishing attacks.

Sorry, folks, ThreatFire doesn’t protect you from phishing attempts like this one — it wasn’t designed to stop phish, and nothing at the software behavioral level looks malicious here. The times that we visited the active site, there was no malware delivered from brunga. However, there was an iframe at the bottom of the page redirecting the browser to a site that has been known to deliver LuckySploit exploit pages (updateserver. com, another site to avoid for now). Any successful LuckySploit attack is bound to deliver a barrage of various malware, recently including banking password-stealer Zbot, sophisticated spambots like Rustock, and various other custom-made keyloggers. This specific server is busy, malicious, and it has been involved in Live.com poisoning too. On a daily basis, ThreatFire is preventing these malformed-pdf based LuckySploit attacks in high numbers.

The large numbers in the news refer not to the trojan, or the malware that was hosted on gumblar and martuz. The large numbers are detections of web pages that, however accurate the volume reporting may be, most likely are a part of hijacked web sites redirecting browsers to the exploits and trojans on the gumblar.cn and trojans on the martuz.cn domains.

When a user doesn’t patch their system for whatever reason, they may be maintaining known vulnerabilities in their software, which in turn is exploited when visiting a hijacked web presence. Following successful third party plugin exploitation, the delivered dropper is executed. The dropper uses an interesting technique to register loaded components for auto start on an unsuspecting user’s system. Instead of the usual run key and service locations, this writer decided to abuse a user-mode auxiliary audio driver location that is loaded when Internet Explorer is started. This ThreatExpert report and here shows a “Infostealer.Daonol/Trojan-Dropper.Win32.Agent.apfn/Troj/Daonol-Fam” trojan abusing the “Drivers32″ key, much like the original gumblar variant:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
aux = “%Temp%\..\doo.val”

The group is not using any 0day attacks. Instead, they are sending down malformed .pdf and .swf files. It seems that enough reminders cannot be sent out about updating third party software:
Antivirus 360 Distribution – Update Third Party Plugins
PDF Reader Exploitation 2009
Pdf Reader Exploitation 2009 (cont)
Rigged pdf files
browser-security.microsoft.com Hosts File Modification

We will post more data as it is gathered, the trojan itself is not in high prevalence in the ThreatFire community — the attack has gotten far enough to launch the trojan on only a couple of systems and is prevented as “Spyware.Grumbler”.

In the meantime, be sure to update your favorite third party plugins, applications and your system software.