Filename: my sexy ho0oo0oT ass Big1 .exe
Filesize: 254333
MD5: e695ab1722a3b635c033509607eed93f
SHA1: 968f0555572cad01cb9c1013334b790815117eab
SHA256: 56e4505e0cb406ff1ba5df571477cb5465eda5c992113f69927947a4ab419e10
Was undetected by AVG when this text was first written.
The binary appears to be programmed in Visual Basic 6.0 and contains the strings:
"C:\Documents and Settings\zezoo\УШН ЗбгЯКИ\Bifrost Stub Generator v1.0\Visual Basic 6.0\VB6.OLB"
"C:\Documents and Settings\zezoo\" ... "\Bifrost Stub Generator v1.0\Data\SGen-1\Project1.vbp" (widechar)
"OriginalFilename" ... "Stub.exe" (widechar)
The embedded hexadecimally encoded binary has the following header which indicates the image size is 35168 bytes:
Count of sections        2
Symbol table             00000000[00000000]
Size of optional header  00E0
Linker version           6.00
Image version            0.00
Entry point              00007C89
Size of init data        00000A00
Size of image            00008960
Base of code             00001000
Image base               00400000
Section alignment        00001000
Stack                    00100000/00001000
Checksum                 00010249
Machine                  intel386
TimeStamp                47750417
Magic optional header    010B
OS version               4.00
Subsystem version        4.00
Size of code             00007000
Size of uninit data      00000000
Size of headers          00000200
Base of data             0000000C
Subsystem                Windows GUI
File alignment           00000200
Heap                     00100000/00001000
Number of directories    0

It contains the strings:
KERNEL32.DLL ADVAPI32.dll GDI32.dll MSVCRT.dll SHELL32.dll SHLWAPI.dll USER32.dll WININET.dll WS2_32.dll LoadLibraryA GetProcAddress RegCloseKey DeleteDC atoi ShellExecuteA SHDeleteKeyA ToAscii InternetOpenA VirtualAlloc Kernel32.dll VirtualFree LoadLibraryA VirtualProtect GetModuleHandleA GetProcAddress kernel32.dll GetProcAddress GetModuleHandleA GetTickCount KERNEL32.dll MessageBoxA USER32.dll ExitProcess GetStartupInfoA GetCommandLineA HeapAlloc GetProcessHeap

Server.exe (254333 bytes) is copied to C:\Program Files\Bifrost\ and tries to establish a reverse connection to 94.97.82.161 on TCP port 81 by injecting code into a newly created, suspended iexplore.exe process. The IP is obtained through a DNS query for zezo0o.no-ip.biz.

The startup method registry key is found under
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath = "C:\Program Files\Bifrost\server.exe s"
TCP packets were sent/received after completing the TCP handshake on port 81 at Thursday 7th of October 8:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 9:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 10:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 11:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was responding to [SYN] with [RST,ACK] on TCP port 81 at Thursday 7th of October 12:50:00 (GMT + 1:00).
TCP packets were sent/received after completing the TCP handshake on TCP port 81 at Thursday 7th of October 13:00:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 13:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 14:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 15:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 16:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 17:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was responding to [SYN] with [RST,ACK] on TCP port 81 at Thursday 7th of October 18:30:00 (GMT + 1:00).
Local time in Saudi Arabia is GMT + 3:00.
http://www.utrace.de/?query=94.97.82.161
Provider: SaudiNet, Saudi Telecom Company
Region: Riyadh (SA)
Friday 8th of October 7:00 (GMT + 1:00) zezo0o.no-ip.biz resolved to 2.91.155.160.
http://www.utrace.de/?query=2.91.155.160
Provider: SaudiNet, Saudi Telecom Company
zezo0o.no-ip.biz was responding to [SYN] with [RST,ACK] on TCP port 81 at Thursday 8th of October 10:30:00 (GMT + 1:00).
TCP packets were sent/received after completing the TCP handshake on TCP port 81 at Thursday 8th of October 11:30:00 (GMT + 1:00).
Saturday 9th of October 16:50 (GMT + 1:00) zezo0o.no-ip.biz resolved to 94.96.15.154.
http://www.utrace.de/?query=94.96.15.154
Provider: SaudiNet, Saudi Telecom Company
Saturday 9th of October 17:40 (GMT + 1:00) zezo0o.no-ip.biz resolved to 188.54.60.206.
http://www.utrace.de/?query=188.54.60.206
Provider: SaudiNet, Saudi Telecom Company
Region: Jiddah (SA)
Sunday 10th of October 9:20 (GMT + 1:00) zezo0o.no-ip.biz resolved to 188.55.1.119.
http://www.utrace.de/?query=188.55.1.119
Provider: SaudiNet, Saudi Telecom Company
Region: Jiddah (SA)
Sunday 10th of October 13:05 (GMT + 1:00) zezo0o.no-ip.biz resolved to 94.99.31.233.
http://www.utrace.de/?query=94.99.31.233
Provider: SaudiNet, Saudi Telecom Company
Sunday 10th of October 15:45 (GMT + 1:00) zezo0o.no-ip.biz resolved to 94.99.65.144.
http://www.utrace.de/?query=94.99.65.144
Provider: SaudiNet, Saudi Telecom Company
Monday 11th of October 22:00 (GMT + 1:00) zezo0o.no-ip.biz resolved to 77.30.52.1.
http://www.utrace.de/?query=77.30.52.1
Provider: SaudiNet, Saudi Telecom Company
Region: Riyadh (SA)
Tuesday 12th of October 14:20 (GMT + 1:00) zezo0o.no-ip.biz resolved to 77.31.108.73.
http://www.utrace.de/?query=77.31.108.73
Provider: SaudiNet, Saudi Telecom Company
Monday 18th of October 13:30 (GMT + 1:00) zezo0o.no-ip.biz resolved to 188.48.61.254.
http://www.utrace.de/?query=188.48.61.254
Provider: SaudiNet, Saudi Telecom Company
Region: Jiddah (SA)
The network packets consist of 2 bytes giving the length of the encrypted data, 2 further bytes, and then the RC4-encrypted data. The RC4 key appears to be 16 bytes long and to be: A3 78 26 35 57 32 2D 60 B4 3C 2A 5E 33 34 72 00. C code adapted from Wikipedia to generate the default keystream that every packet is XORed with looks as follows:
#include <stdio.h>

unsigned char S[256];
unsigned int i, j;

void swap(unsigned char *s, unsigned int i, unsigned int j)
{
    unsigned char temp = s[i];
    s[i] = s[j];
    s[j] = temp;
}

/* KSA: key-scheduling algorithm */
void rc4_init(unsigned char *key, unsigned int key_length)
{
    for (i = 0; i < 256; i++)
        S[i] = i;
    for (i = j = 0; i < 256; i++) {
        j = (j + key[i % key_length] + S[i]) & 255;
        swap(S, i, j);
    }
    i = j = 0;
}

/* PRGA: pseudo-random generation algorithm, one keystream byte per call */
unsigned char rc4_output()
{
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    swap(S, i, j);
    return S[(S[i] + S[j]) & 255];
}

int main()
{
    int k = 0, output_length;
    /* the 16-byte key recovered from the traffic */
    unsigned char key[] = "\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00";
    output_length = 65536;
    rc4_init(key, 16);
    while (k < output_length) {
        printf("%02X", rc4_output());
        k++;
    }
    printf("\n");
    return 0;
}

The captured network traffic between victim and attacker begins like this:
victim send():
e5000000994fb068fc6a901c45f6b1309ff53a126612976f5b564dc79696455a
310b90e9873164aed9e4bcbd3cac00aa48ac2b97e97448208dc54001da244b26
1d0b2f4a9c9b9ae85c0917628b234ef8ea8941b2036a540fa6e204e00c9746a1
d78cb982392dd16561dc26b1908a7f93504f5c8eb2af821f0794493cf5dd1435
67ef16af66b364b311c00d4a884601b607f8bc287ff81ef3046293e477e5add4
1c5900d580941efc839a6ec98404d3e49098f32ace208f4bb49f34b50f920dc3
4c44f62b12487fcb86c77ce085fbb9df0fe2fb92634375a4924a4ce57e48686e
7d37bb404402e956cf
decrypted: "010.0.2.15|Default|C41241386E4F480|admin|p1.2d||0|-1|0|156|0|1|0|0|c411476c|"
"C:\Documents and Settings\admin\Recent|C:\Documents and Settings\admin\Desktop|"
"C:\Documents and Settings\admin\My Documents|US|00000409|Program Manager|?"

After which the attacker machine polls for the title of the active window:
victim recv(): 05000000bc548860cf
decrypted: 152A082603
victim send(): 190000009a548860cf42ae327493bf1b9de13a0a2a2b8a420e001a81a7
decrypted: 332A082603060C000050726F6772616D204D616E6167657200 ... "Program Manager"
victim recv(): 05000000bca99460cf
decrypted: 15D7142603
victim send(): 190000009aa99460cf58ba327493bf1b9de13a0a2a2b8a420e001a81a7
decrypted: 33D71426031C18000050726F6772616D204D616E6167657200 ... "Program Manager"
victim recv(): 05000000bc198161cf
decrypted: 1567012703
victim send(): 0a0000009a198161cf08523274c3
decrypted: 33670127034CF0000000 ... (null)
...

The attacker also sent:
victim recv(): 100000006eeae346cc25c6561badbe5a9ef22f67
decrypted: C7946300006164646F6E732E64617400 ... "addons.dat"
victim send(): 02000000ef7e
decrypted: 4600

Followed by the contents of the file, which created a new file:
Filename: %APPDATA%/addons.dat
Filesize: 25492
MD5: bdfc2a647a91c79e6e85378d48a91c61
SHA1: ff9832c0743d7f29bf1b9145fe73fedc0e045e42
SHA256: a6fa12bedcebc16a70cf443a7d907cafed2b855af12df41f97eacf0dbaf11248
The file is compressed and RC4 encrypted; in decrypted and decompressed form it contains binary code for extracting license keys and passwords, and the following strings:
KSV! The Sims Software\Electronic Arts\Maxis\The Sims\ergc Call of Duty Software\Activision\Call of Duty Hidden & Dangerous 2 key Software\Illusion Softworks\Hidden & Dangerous 2 Chrome SerialNumber Software\Techland\Chrome NOX Software\Westwood\NOX Command and Conquer: Red Alert 2 Software\Westwood\Red Alert 2 Command and Conquer: Red Alert Software\Westwood\Red Alert Command and Conquer: Tiberian Sun Serial Software\Westwood\Tiberian Sun Rainbow Six III RavenShield Software\Red Storm Entertainment\RAVENSHIELD NASCAR Thunder TM 2004 Software\Electronic Arts\EA Sports\NASCAR Thunder TM 2004\ergc Command and Conquer 3 Software\Electronic Arts\Electronic Arts\Command and Conquer 3\ergc F1 Challenge 99-02 Software\Electronic Arts\EA Sports\F1 Challenge 99-02\ergc Nascar Racing 2003 Software\Electronic Arts\EA Sports\Nascar Racing 2003\ergc Nascar Racing 2002 Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc NHL 2003 Software\Electronic Arts\EA Sports\NHL 2003\ergc NHL 2002 Software\Electronic Arts\EA Sports\NHL 2002\ergc FIFA 2003 Software\Electronic Arts\EA Sports\FIFA 2003\ergc FIFA 2002 Software\Electronic Arts\EA Sports\FIFA 2002\ergc The Battle for Middle-earth Software\Electronic Arts\EA GAMES\The Battle for Middle-earth\ergc Shogun: Total War: Warlord Edition Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc Need For Speed: Underground Software\Electronic Arts\EA GAMES\Need For Speed Underground\ergc Need For Speed Hot Pursuit 2 ergc Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2 Medal of Honor: Allied Assault: Spearhead Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc Medal of Honor: Allied Assault: Breakthrough Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc Medal of Honor: Allied Assault Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc Global Operations Software\Electronic Arts\EA GAMES\Global Operations\ergc Command and 
Conquer: Generals Software\Electronic Arts\EA GAMES\Generals\ergc James Bond 007: Nightfire Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc Command and Conquer: Generals (Zero Hour) Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc Black and White Software\Electronic Arts\EA GAMES\Black and White\ergc Battlefield Vietnam Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc Battlefield 1942 (Secret Weapons of WWII) Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc Battlefield 1942 (Road To Rome) Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc Battlefield 1942 Software\Electronic Arts\EA GAMES\Battlefield 1942\ergc Freedom Force Software\Electronic Arts\EA Distribution\Freedom Force\ergc IGI 2: Covert Strike Software\IGI 2 Retail Unreal Tournament 2004 Software\Unreal Technology\Installed Apps\UT2004 Unreal Tournament 2003 Software\Unreal Technology\Installed Apps\UT2003 Microsoft Windows Product ID ProductId Software\Microsoft\Windows\CurrentVersion Soldiers Of Anarchy Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings Legends of Might and Magic CustomerNumber Software\3d0\Status Industry Giant 2 prvkey Software\JoWooD\InstalledGames\IG2 Half-Life Software\Valve\Half-Life\Settings Gunman Chronicles Key Software\Valve\Gunman\Settings The Gladiators RegNumber Software\Eugen Systems\The Gladiators Counter-Strike (Retail) CDKey Software\Valve\CounterStrike\Settings POP3 Password2 POP3 Server POP3 User Name HTTPMail Password2 Hotmail HTTPMail User Name \ Software\Microsoft\Internet Account Manager\Accounts kPStoreCreateInstance pstorec.dll WNetEnumCachedPasswords MPR.DLL MainLocation Software\Mirabilis\ICQ\NewOwners\%s Software\Mirabilis\ICQ\NewOwners\ CryptUnprotectData Crypt32.dll Passport.Net\* CredFree CredReadA advapi32.dll User.NET Messenger Service Password.NET Messenger Service %s\Mozilla\Firefox\%s %s\Mozilla\Firefox\%s\signons2.txt 
%s\Mozilla\Firefox\%s\signons.txt Profile0 %s\Mozilla\Firefox\profiles.ini PK11_FreeSlot NSS_Shutdown PK11SDR_Decrypt PK11_Authenticate PK11_GetInternalKeySlot NSSBase64_DecodeBuffer NSS_Init %snss3.dll %ssoftokn3.dll %splds4.dll %splc4.dll %snspr4.dll Path SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe Software\Microsoft\MessengerService Software\Microsoft\MSNMessenger ComSpec WNetEnumResourceA WNetCloseEnum WNetOpenEnumA \Mpr.dll NetShareEnum NetApiBufferFree \Netapi32.dll ...

The RC4 keys used were:
50 65 C5 00,
A3 78 26 35 57 32 2D 60 B4 3C 2A 5E 33 34 72 00
and
0A 99 43 F3 46 DD A7 C9 A0 F6 2F 61 77 0A 70 73
to decrypt 16 bytes, 4 bytes, 4 bytes and 24567 bytes of the sent file.
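An added decoder, not part of the original analysis, for the packet framing and the per-packet RC4 keystream described above, written in Python rather than the C above. It splits a packet into the 2-byte little-endian length (the first captured packet declares 0xE5 = 229 bytes and carries exactly 229 payload bytes), the 2 further bytes and the encrypted payload, and decrypts the payload with the 16-byte key recorded above; the key and the window-title poll packet are taken from this page, and the output equals the recorded 15 2A 08 26 03 only if that key is right.

```python
from typing import Iterator, Tuple

# 16-byte RC4 key recorded above; the trailing 0x00 is part of the key.
BIFROST_KEY = bytes.fromhex("A3782635" "57322D60" "B43C2A5E" "33347200")

# Controller packet captured above (poll for the active window title) and the
# plaintext the analysis recorded for it.
CAPTURED_RECV = bytes.fromhex("05000000bc548860cf")
RECORDED_PLAINTEXT = bytes.fromhex("152A082603")


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Plain RC4: key scheduling (KSA), then one keystream byte per iteration (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; RC4 is symmetric, so this encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def parse_packet(raw: bytes) -> Tuple[int, bytes, bytes]:
    """Return (declared length, the 2 extra bytes, encrypted payload) of one packet."""
    if len(raw) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = int.from_bytes(raw[:2], "little")  # little-endian, see lead-in
    payload = raw[4:]
    if len(payload) != length:
        raise ValueError(f"declared {length} payload bytes, found {len(payload)}")
    return length, raw[2:4], payload


def decrypt_packet(raw: bytes, key: bytes = BIFROST_KEY) -> bytes:
    """Decrypt one packet. The keystream starts over for every packet: all the
    captured payloads above XOR with the same leading keystream byte."""
    return rc4_crypt(key, parse_packet(raw)[2])


if __name__ == "__main__":
    plain = decrypt_packet(CAPTURED_RECV)
    print("decrypted:", plain.hex().upper(), "| matches record:", plain == RECORDED_PLAINTEXT)
```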
After the file was removed, the attacker sent:
Filename: %APPDATA%/addons.dat
Filesize: 25265
MD5: c37c79380b56ae2c94b117ad17b3e27e
SHA1: 6a75567bb063946fd3055370372e8861b4ddf3e4
SHA256: 9de1469571b6c27c9424cdaf66c99e3e6701f1a9cdc3bca8adb74529c343cc6f
With similar content. The file timestamp appears to be modified.
When the file was removed, another version was sent:
Filename: %APPDATA%/addons.dat
Filesize: 25706
MD5: 4ee060ea3753c895f77adaeb90371b98
SHA1: 03550e5057ab902a58fc42f844d138af5f64f905
SHA256: f5fbe65a324d6a152f385d0417011da6de4333bd97ccb0bd31fe1c6f237ce3f0
More information about zezo0o could be found at:
http://ejabat.google.com/ejabat/user?userid=17606009952881274630
http://www.tanta-eng.com/member.php?u=1149
http://forum.nesma.net.sa/member.php?u=9091
http://www.absba.org/archive/index.php/t-808938.html
http://www.dev-point.com
...
Wikipedia: Bifrost (trojan horse)
Bifrost (part 1)