Saturday, August 25, 2007

Malware Hunt: Followup Post

Just a quick follow-up post from the previous one: Hunting Me up a Malware File.

I want to share some new details over the past week.

I also have some additional thoughts, but those must wait for an afternoon post. Mom is having some driver issues on her pc and I need to drop over to look at them.


Earlier this week AVG-Free alerted on a suspicious file after Alvis had been browsing the Web looking for some new MySpace templates.

The file was "superhidden" (not viewable in Windows Explorer, even with the display-hidden-files option enabled) and did not have a file extension.

The file was found in the Firefox cache and did not appear to have been executed on my system, just downloaded. This may be because it was not set for Firefox or because I was running the NoScript extension for Firefox (which I highly recommend).

The file itself was actually a JavaScript file that contained a section of obfuscated code.

Only two virus scanners were able to identify it as hostile.

A search on my other systems found that it was also present in the Firefox cache of our XP Home laptop system (again not executed) but was not present on the Vista Premium laptop.

I determined which website was downloading the file and blocked it at my home router level.

Finally, I sent it off to the ISC-SANS Handler's Diary team to see if maybe someone there could tell me more about what the obfuscated code section might contain.

I've slightly reworked the content of several of our back and forth emails in the sections below.

ISC Response

A great ISC-SANS handler, Bojan, responded the next day:

The file you submitted is part of an exploit pack. It contains obfuscated JavaScript that, when run, tries to exploit several (old) vulnerabilities: MS06-040, QuickTime, WinZIP and WebViewFolderIcon. If successful, it will download a file and execute it.

I wasn't able to download the file as we are missing part of the information. The URL is constructed dynamically, depending on the current location:

var arg="ephczuwc"; var MU = "http://" + window.location.hostname + "/" + arg;

As we don't know from which site exactly this was downloaded we can reconstruct the MU variable that defines the file that will be downloaded. If your system is up to date with MS patches and you're not running any vulnerable applications it should be fine. If you manage to find the original site let us know - we can download the file and see what exactly it does (I presume it's another downloader for a second piece of malware).

Going Back for Seconds

Grateful for the feedback, I created a fresh virtual machine with XP.

I opened up the virtual session, loaded Firefox as a clean install, verified I had an empty cache, then opened up the suspect website address I had noted for the .js file in my previous Firefox cache investigations.

I got a "404 error: Page not found" which I expected.

I then checked the cache for Firefox (about:cache) and found that several files had downloaded, all ending with the same bits of filename as that I mentioned previously.

The files were "superhidden" and visible in DOS only (not Windows Explorer).

One of the files in the cache was the same 21335 bytes size as my suspect file.

When I checked its "strings" it had the same obfuscated JavaScript code.

This time, however, the Firefox cache reported it got the file from http:// <snip>.com/sfruy.js even though I didn't enter that into the address bar at all and had only gotten the page-not-found error.

So I dumped and cleaned out the cache along with the history and cookie files and tried again.

Nada. No download of the file, no funny .js entries. Nothing.

So I uninstalled Firefox and reinstalled completely, even dumping the Mozilla folders in the profile directory.

Nothing. No more .js entries.

I next created a new virtual machine and tried again.

I went to http://www. <snip> .com/jjebb.js and http:// <snip> .com/sfruy.js .

When I checked the cache the file was back again, same file size, different name and the link showing that it came from was http://www. <snip> .com/cnqio.js.

The strings appear to be the same in the file.

I'm not sure how it's pulling it off, dishing up a new <name>.js file each time it loads a "404 error: page not found" message.

Also, it seems to be clever enough to know which workstation it served the file to before, and then won't serve it again, even to a 100% new/clean browser. Maybe it's tracking IPs or MAC addresses? This is interesting and may be why repeated requests for the file from the same PC fail the second and subsequent times.

Bojan responded to this pondering of mine:

It's possible - there are some scripts that track IP addresses and prevent you from downloading the exploit more than once - I've seen such scripts before.

Aftermath and Thoughts

It appears at this point that the website owner has removed the script triggering the malicious file download.

As such, I really can't say if it was done purposefully or if the website had been compromised against their will. Because of this I am choosing to give the benefit of the doubt to the website and not name it specifically.

But my concern about young kiddos falling into malicious websites while looking for cool templates and such for their MySpace pages still stands. The problem obviously isn't limited to such sites, but it does illustrate the challenges of trying to keep PCs safe while browsing the web, even when surfing across innocuous-appearing websites.

There are some basic precautions that should be followed by Windows OS users. (And I'm staying away from Linux/Apple OS switch recommendations for the sake of this post.)

  1. Ensure that your Windows system is fully current with all available Windows Critical Updates.

  2. Ensure that your Windows system's applications are up to date and at a current patch level. Two fantastic products (both free) to help you with this are the Web-based Secunia Software Inspector as well as the downloadable Secunia Personal Software Inspector (BETA). Both run scans on your system and provide an easy-to-understand report of any programs that are found to need updating or are no longer "current" versions.

  3. Surf the Net with a Web-browser other than Internet Explorer; I prefer Mozilla Firefox but Opera is also a really great browser. Heck, if your system can support it you can even try using Apple's Safari browser on Windows (still beta) now.

  4. If you use Firefox, I highly recommend several great Add-ons to help add additional layers of protection: the NoScript blocker, the Firekeeper malicious site blocker, and the Dr.Web anti-virus link checker.

  5. Use an anti-virus product and keep it current. There are lots of free ones out there: see my post Anti-Virus Tools for a lineup of offerings.

  6. Consider using an anti-malware scanner that runs a service to protect against malicious file behavior.

  7. Firewalls (router based or software based) are a great line of protection as well. If you select a software firewall that supports "leak-protection" for unauthorized outbound connections, you may prevent some trojans and other malware from accessing the Net once downloaded and bringing down a flood of even more ilk to your system; see my previous posts My Firewall Choices and Firewall Considerations for suggestions.

Most of all, if you have kids or guests who use your computers, establish clear appropriate usage policies, set up a limited rights "guest" account for them to use, and maintain a healthy and honest dialog about computer usage expectations.

Hopefully, if something goes wrong they will talk to you about it and you can respond quickly and in a targeted manner to assess and fix the problem.

Next post....

I'll offer you some additional "cool tools" I found while working on this issue (after the initial assessment) that might be helpful for readers investigating just such a scenario and trying to track down history and cache files in Firefox (or that Other web-browser).

Cheers and a BIG Thanks of Gratitude to SANS-ISC handler Bojan for time invested in taking a second look at what I encountered with this file.

The Guru said...

How can a file only be seen in DOS? I thought Windows Exploiter pulled everything from DOS?

Claus said...

Good question, feGuru!

Nope! Windows Explorer doesn't necessarily display everything on a drive in some particular cases and situations...even with the "show all hidden/system files" option enabled.

I'm working on a post/response to this question. Hope to have it up in a few days.

It's pretty interesting and good information to keep in mind when working with malware/etc. on Windows systems.