Exetools > General > General Discussion
#1  12-08-2003, 06:47  yaa
Are these spyware???

Hello,

Two days ago my IE6 browser with the latest patches managed to download a few binaries to my machine without informing me, and this although I have a toolbar that blocks popups and SpywareBlaster installed on my PC. Since I'm not exactly a newbie to these things I managed to soon identify the different copies of the binaries (an exe and a dll) and all associated registry keys.

Both of the binaries were packed with UPX and were copied in multiple copies inside the root of my system partition, inside the Microsoft folder of the Application Data dir under Documents and Settings, and inside the system32 directory.
Both of them were packed with UPX probably to reduce their size. I have also seen that one of them has a resource that OllyDbg identifies as having a Russian locale.

They created 3 empty files inside a few of the folders where they were copied and also on my desktop (why????). I've been able to understand that the purpose of the exe is to load the dll using rundll32, which should be able to communicate via sockets. Apart from this I have not been able to understand what their purpose is. If anyone is interested in taking a look I zipped an unpacked copy of them here:

h**p://utenti.lycos.it/lucevirtuale/spyware_exe_and_dll_unpacked.zip


yaa
#2  12-08-2003, 19:10  Polaris (Friend)
Join Date: Feb 2002
Location: Invincible Cyclones Of FrostWinds
Posts: 97
I'll have a look...

Stay tuned for more...
#3  12-08-2003, 21:12  Polaris
Re: Are these spyware???

Quote:
Originally posted by yaa
Hello,

Two days ago my IE6 browser with the latest patches managed to download a few binaries to my machine without informing me, and this although I have a toolbar that blocks popups and SpywareBlaster installed on my PC. Since I'm not exactly a newbie to these things I managed to soon identify the different copies of the binaries (an exe and a dll) and all associated registry keys.

Both of the binaries were packed with UPX and were copied in multiple copies inside the root of my system partition, inside the Microsoft folder of the Application Data dir under Documents and Settings, and inside the system32 directory.
Both of them were packed with UPX probably to reduce their size. I have also seen that one of them has a resource that OllyDbg identifies as having a Russian locale.

They created 3 empty files inside a few of the folders where they were copied and also on my desktop (why????). I've been able to understand that the purpose of the exe is to load the dll using rundll32, which should be able to communicate via sockets. Apart from this I have not been able to understand what their purpose is. If anyone is interested in taking a look I zipped an unpacked copy of them here:

h**p://utenti.lycos.it/lucevirtuale/spyware_exe_and_dll_unpacked.zip


yaa
Ohhh..

It seems that yaa had a good eye. A superficial analysis reveals that those files are not part of spyware, but part of a more dangerous tool for remote management (malware). A quick look at the bintext results for child.dll is quite explicative of this:

...
0000371E 1000371E 0 Sleep
...
000038A2 100038A2 0 InternetReadFile
000038B4 100038B4 0 InternetOpenUrlA
000038C6 100038C6 0 InternetOpenA
000038D6 100038D6 0 InternetCloseHandle
00003962 10003962 0 child.dll
00004010 10004010 0 127.0.0.1
00004114 10004114 0 127.0.0.1
00004214 10004214 0 localhost
00004334 10004334 0 megabeestation.biz
00004348 10004348 0 beemafiozo.info
00004358 10004358 0 cryptoyakudzo.ru
0000436C 1000436C 0 mycatiriska.biz
0000437C 1000437C 0 cryptomafia.biz
0000438C 1000438C 0 cryptomafia.com
0000439C 1000439C 0 bugsstation.biz
000043AC 100043AC 0 bla8623ink783mag97571.com
000043C8 100043C8 0 Client Kicked, max=[%d]
...
000043F4 100043F4 0 access
000043FC 100043FC 0 cannot accept... continue
00004418 10004418 0 [%d] - [%s:%d]
00004428 10004428 0 Waiting...
0000443C 1000443C 0 map.txt
00004454 10004454 0 domains
00004464 10004464 0 geturl ok
00004470 10004470 0 using dynamic domains
00004488 10004488 0 127.0.0.1
00004494 10004494 0 using static domains
000044AC 100044AC 0 %s:%ld:%s:%s:%d
000044C0 100044C0 0 count_mutex
000044CC 100044CC 0 Cannot init winsock
000044E0 100044E0 0 netlog.exe
000044EC 100044EC 0 id: %s
000044F4 100044F4 0 %s-%ld
00004508 10004508 0 Bytes received: %d
0000451C 1000451C 0 Cannot create file: %s
00004538 10004538 0 Get from server %s
00004558 10004558 0 Checking version...
00004570 10004570 0 exit now
0000457C 1000457C 0 ver_num: %s
0000458C 1000458C 0 file: %s
00004598 10004598 0 url: %s
000045A8 100045A8 0 version: %s
000045BC 100045BC 0 --> %s
000045C4 100045C4 0 WARNING: %s
000045D0 100045D0 0 !!! ACHTUNG: %s
000045E0 100045E0 0 Winsock startup error
000045F8 100045F8 0 Closing socket [%d] with status [%d]
00004620 10004620 0 [%s:%d] - Socket [%d] - [%d]
00004640 10004640 0 Connect Error to [%s:%d] - [%d]
00004664 10004664 0 Cannot create Socket [%d]
00004680 10004680 0 Make socket
00004690 10004690 0 %d.%d.%d.%d
0000469C 1000469C 0 %d.%d.%d.%d:%d
000046B0 100046B0 0 Cannot open %s
000046C0 100046C0 0 version 4
000046CC 100046CC 0 cmd connect
000046DC 100046DC 0 USERNAME
000046E8 100046E8 0 version 5

Skimming through these can provide a good overview of this program's capabilities (but these are only hypotheses):

/* Probably the tool sometimes sets to sleep to avoid detection
by netmonitoring tools */
0000371E 1000371E 0 Sleep

/* Probably the tool allows remote control */
00004508 10004508 0 Bytes received: %d
00004428 10004428 0 Waiting...


/* These are the servers target for connection... I don't
think Microsoft will use these... */
00004334 10004334 0 megabeestation.biz
00004348 10004348 0 beemafiozo.info
00004358 10004358 0 cryptoyakudzo.ru
0000436C 1000436C 0 mycatiriska.biz
0000437C 1000437C 0 cryptomafia.biz
0000438C 1000438C 0 cryptomafia.com
0000439C 1000439C 0 bugsstation.biz
000043AC 100043AC 0 bla8623ink783mag97571.com

/* More... */

I will start a full analysis asap, it will be a lot of fun!

Byyyezzzz

Polaris
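The bintext dump above is the raw material for a first triage, and the way Polaris reads it (imports say what the code can do, hardcoded hostnames say where it talks) can be mechanised. What follows is an added example, written for this thread and not code from Polaris or from the BinText tool: a small Python script that parses lines in that "file offset, memory address, type id, string" layout and sorts the strings into the buckets a defender wants first: hardcoded domains and IP addresses (candidate block-list entries), the Win32 imports that reveal capability (WinINet HTTP calls, Sleep), file names, and printf-style format strings that hint at logging or a wire protocol. The sample input is a constructed subset of the strings quoted in the thread; the notes in NOTABLE_APIS and the allow/deny sets are my own assumptions, not anything from the page.

```python
"""Triage a BinText string dump: pull out the indicators that matter first."""
import re
from collections import OrderedDict

# BinText dump line: <file offset> <memory address> <type id> <string>
BINTEXT_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\d+)\s+(.*\S)\s*$")

# Win32 imports worth flagging in a first pass: the ones seen in the thread plus
# a few common networking/execution APIs. The notes are my own triage hints.
NOTABLE_APIS = {
    "Sleep": "timing delay (often used to pause between connection attempts)",
    "InternetOpenA": "WinINet session setup",
    "InternetOpenUrlA": "WinINet URL fetch",
    "InternetReadFile": "WinINet response read",
    "InternetCloseHandle": "WinINet cleanup",
    "WSAStartup": "raw Winsock initialisation",
    "URLDownloadToFileA": "download-to-disk helper",
    "CreateProcessA": "process creation",
    "WinExec": "process creation",
}
FILE_EXTS = {"dll", "exe", "txt", "sys", "ini", "dat", "log", "bat"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,})$")
PRINTF = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l|L)?[diouxXeEfgGcsp]")
CATEGORIES = ("apis", "domains", "ips", "files", "format_strings", "other")

# Constructed sample: a subset of the bintext lines quoted in the thread,
# including the "..." separators the poster left in.
SAMPLE_BINTEXT = """\
...
0000371E 1000371E 0 Sleep
...
000038A2 100038A2 0 InternetReadFile
000038B4 100038B4 0 InternetOpenUrlA
000038C6 100038C6 0 InternetOpenA
000038D6 100038D6 0 InternetCloseHandle
00003962 10003962 0 child.dll
00004010 10004010 0 127.0.0.1
00004114 10004114 0 127.0.0.1
00004214 10004214 0 localhost
00004334 10004334 0 megabeestation.biz
00004348 10004348 0 beemafiozo.info
00004358 10004358 0 cryptoyakudzo.ru
0000436C 1000436C 0 mycatiriska.biz
0000437C 1000437C 0 cryptomafia.biz
0000438C 1000438C 0 cryptomafia.com
0000439C 1000439C 0 bugsstation.biz
000043AC 100043AC 0 bla8623ink783mag97571.com
000043C8 100043C8 0 Client Kicked, max=[%d]
0000443C 1000443C 0 map.txt
000044CC 100044CC 0 Cannot init winsock
000044E0 100044E0 0 netlog.exe
00004508 10004508 0 Bytes received: %d
0000469C 1000469C 0 %d.%d.%d.%d:%d
000046DC 100046DC 0 USERNAME
"""


def parse_bintext(text):
    """Yield (file_offset, mem_addr, type_id, string) for each well-formed line."""
    for line in text.splitlines():
        m = BINTEXT_LINE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), int(m.group(3)), m.group(4)


def classify(s):
    """Bucket one string; check order matters (an IP must not be read as a domain,
    and a file name like child.dll must not be read as a domain either)."""
    if s in NOTABLE_APIS:
        return "apis"
    if IPV4.match(s):
        return "ips"
    if PRINTF.search(s):
        return "format_strings"
    m = DOMAIN.match(s.lower())
    if m:
        return "files" if m.group(1) in FILE_EXTS else "domains"
    return "other"


def triage(text):
    """Return {category: [unique strings in first-seen order]} for a BinText dump."""
    report = OrderedDict((c, []) for c in CATEGORIES)
    for _off, _addr, _tid, s in parse_bintext(text):
        bucket = report[classify(s)]
        if s not in bucket:
            bucket.append(s)
    return report


def summarize(report):
    """Human-readable lines, network indicators first since they drive blocking decisions."""
    lines = [f"domain   {d}" for d in report["domains"]]
    lines += [f"ip       {ip}" for ip in report["ips"]]
    lines += [f"api      {a:<20} {NOTABLE_APIS[a]}" for a in report["apis"]]
    lines += [f"file     {f}" for f in report["files"]]
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_BINTEXT)):
        print(line)
```

Run it on a real BinText export and the domains bucket is what goes to the proxy or DNS block list, the apis bucket tells you which hypotheses (HTTP download, raw sockets, process launch) to confirm under the debugger, and the format strings give you the log lines to look for on disk or on the wire. The file-extension check exists because "child.dll" and "netlog.exe" match a naive domain regex.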
#4  12-08-2003, 22:24  yaa
Polaris,

I also had seen the strings you are reporting ... in fact I tried seeing if those domains have web sites (they don't) .... on my machine, as soon as those files were downloaded and I identified them, I renamed them all and tried deleting them .... child.dll was locked, so looking among the running processes I found 3 suspicious instances of rundll32. As soon as I killed them I was able to delete the dll.

What I don't understand is why this dll creates files on the "infected" machine's desktop ... it gives away its presence too easily.

Anyhow, all my compliments to Microsoft ... even having set medium or high levels of security on all areas (internet, local internet, trusted sites and restricted sites) in my browser and having applications that should further protect me from downloading unwanted binaries (popup blocker and spyware blaster) my great Microsoft browser downloaded what could have well been viruses.

This is not the first time I find dlls somehow downloaded on my machine by the browser and I think I have identified the exploit that is being used: if you brutally kill a browser instance, terminating its process while there is an ActiveX download request dialog box open, the said ActiveX GETS downloaded. This exploit is utilized on those sites where suddenly tens of browser windows get opened in a few seconds. That is why I got myself a popup blocker .... which is clearly not enough.

One other thing that surprised me is that I found no registry entries under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ or HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ keys ... these kinds of applications usually register themselves to be restarted at next machine boot.


yaa

Last edited by yaa; 12-08-2003 at 22:36.
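yaa's observation that the locked child.dll was held by three rundll32 instances is a reusable detection idea: rundll32 itself is a legitimate Windows host, so what stands out is the DLL it was asked to load and where that DLL lives. The following is an added example, not code posted by yaa or by anyone in the thread: a Python check that takes a list of (pid, command line) pairs in the shape a process lister would give, extracts the DLL argument from each rundll32 command line, and flags the ones whose DLL sits in a drive root, a user-profile directory (Application Data, Desktop), or in system32 under a name not on a small allowlist. The process list is constructed and mirrors the copy locations named in the thread; the allowlist and path markers are my own assumptions and are deliberately short.

```python
"""Flag rundll32 instances whose DLL argument lives where a system DLL would not."""
import ntpath
import re

# rundll32 <dll>[,<entry>] with the DLL either quoted or unquoted.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s]+))', re.IGNORECASE)

# Assumed allowlist of bare system DLL names commonly hosted by rundll32.
KNOWN_SYSTEM_DLLS = {"shell32.dll", "user32.dll", "advapi32.dll", "setupapi.dll", "printui.dll"}
# Directory fragments that mark user-writable profile locations (assumed, NT 5 era paths).
PROFILE_MARKERS = ("documents and settings", "application data", "desktop", "temp")

# Constructed sample: one benign control-panel launch, three loads of child.dll from
# the locations named in the thread, and an unrelated process.
SAMPLE_PROCESSES = [
    (1204, r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL"),
    (1688, r"C:\WINDOWS\system32\rundll32.exe C:\child.dll,Start"),
    (1702, r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\user'
           r'\Application Data\Microsoft\child.dll",Start'),
    (1715, r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\child.dll,Start"),
    (1800, r"C:\WINDOWS\explorer.exe"),
]


def extract_dll(cmdline):
    """Return the DLL path passed to rundll32, or None if this is not a rundll32 line."""
    m = RUNDLL.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def assess_dll(dll):
    """Return None if the DLL reference looks normal, else a short reason to look closer."""
    directory, name = ntpath.split(dll)
    low_dir, low_name = directory.lower(), name.lower()
    if not directory:
        # Bare name: resolved via the normal DLL search path, fine only if allowlisted.
        return None if low_name in KNOWN_SYSTEM_DLLS else "bare DLL name not on the allowlist"
    if any(marker in low_dir for marker in PROFILE_MARKERS):
        return "DLL loaded from a user profile directory"
    if re.fullmatch(r"[a-z]:\\?", low_dir):
        return "DLL loaded from a drive root"
    if low_dir.endswith(r"\system32"):
        # A dropped copy in system32 still carries a name Windows does not ship.
        return None if low_name in KNOWN_SYSTEM_DLLS else "unknown DLL name in system32"
    return "DLL loaded from an unusual directory"


def find_suspicious_rundll32(processes):
    """Return [(pid, dll, reason)] for rundll32 instances worth investigating."""
    hits = []
    for pid, cmdline in processes:
        dll = extract_dll(cmdline)
        if dll is None:
            continue
        reason = assess_dll(dll)
        if reason:
            hits.append((pid, dll, reason))
    return hits


if __name__ == "__main__":
    for pid, dll, reason in find_suspicious_rundll32(SAMPLE_PROCESSES):
        print(f"pid {pid}: {dll}  <- {reason}")
```

On the constructed list the three child.dll hosts are reported and the shell32.dll control-panel launch is not, which is exactly the split yaa made by hand. The same three hits are the processes that hold the file lock, so this list doubles as the set to stop before the DLL can be deleted, and the pid-to-DLL mapping is worth recording before cleanup since the Run keys yaa checked were empty and the persistence mechanism was still unknown at this point in the thread.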
#5  12-09-2003, 04:48  Polaris
Quote:
Originally posted by yaa
Polaris,

I also had seen the strings you are reporting ... in fact I tried seeing if those domains have web sites (they don't) .... on my machine, as soon as those files were downloaded and I identified them, I renamed them all and tried deleting them .... child.dll was locked, so looking among the running processes I found 3 suspicious instances of rundll32. As soon as I killed them I was able to delete the dll.

What I don't understand is why this dll creates files on the "infected" machine's desktop ... it gives away its presence too easily.

Anyhow, all my compliments to Microsoft ... even having set medium or high levels of security on all areas (internet, local internet, trusted sites and restricted sites) in my browser and having applications that should further protect me from downloading unwanted binaries (popup blocker and spyware blaster) my great Microsoft browser downloaded what could have well been viruses.

This is not the first time I find dlls somehow downloaded on my machine by the browser and I think I have identified the exploit that is being used: if you brutally kill a browser instance, terminating its process while there is an ActiveX download request dialog box open, the said ActiveX GETS downloaded. This exploit is utilized on those sites where suddenly tens of browser windows get opened in a few seconds. That is why I got myself a popup blocker .... which is clearly not enough.

One other thing that surprised me is that I found no registry entries under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ or HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ keys ... these kinds of applications usually register themselves to be restarted at next machine boot.


yaa
yaa,

you are right... "Microsoft" and "security" are not words to be used together. By the way, the purpose of the malware could only be revealed by a full analysis.

I will fully analyze it, and then publish a small tut... Also, it is the right chance to test my forthcoming INQUISITION v4.0

Byyezzz

Polaris
#6  12-09-2003, 07:58  yaa
I will await to read your tutorial.

yaa
All times are GMT +8.