Looking inside a spambot

Bear with me, this is going to be a long post.

The SANS Internet Storm Centre is discussing a nasty malware discovered recently by a reader:
http://isc.sans.org/diary.php?storyid=1388

I have also been dealing with a spambot at the request of Wayne Small, SBS MVP of Correct Solutions.  This machine is a desktop box owned by a high ranking official at a big company so, of course, our primary concern was infection of the corporate network when the user VPNed into the network.

When we first started looking at the machine we knew something was wrong because Trend had warned of a single infected file - being system32\uieaucix.exe, reported as troj_galapoper.a

Our goal on this occasion was not to clean and return - we fully intended to reformat the machine before returning it to the victim (sorry, customer).  This is the third time the PC has been infected that I know of, and it's simply safer for all that it be wiped clean, the OS installed afresh, protective software installed and user accounts locked right down.  Our plan was to run a few scans, monitor the system with a few specialised tools, assess how well the antivirus and antispyware products were working, and try to work out how the infection occurred in the first place (and therefore how to prevent it from happening in the future).

What I thought was going to be pretty standard forensics "ok-the-machine-is-infected (yawn) lets-get-it-cleaned, reduce user permissions and give it back" turned out to be anything but.  While I was connected to the PC via VNC something bad on that box woke up.  A slew of connections were made to Russia right before my eyes and things suddenly got very very interesting.  This was very cool - sure, I've seen many reports of infected PCs, and helped users fix their machines from afar using various automated products and analysis logs, but I've never had the chance to be hands on with a real, live, actively pumping spambot - even if only via VNC.

{Side note: spamcop was the first to blacklist the IP address of the spambot - as of this evening spamcop had removed the listing but two other groups had taken its place}

Like the malware reported to SANS, the malware I was dealing with was *not* hampered by antivirus protection, antispyware protection or the firewall.

Using Plastic Sniffer (thanks Colin for pointing me to that sweet little programme) we grabbed a sample of the spam being sent by the bot:

--------
Received: (qmail 6595 invoked from network); Mon, 5 Jun 2006 17:21:44 +1100
Received: from unknown (HELO wy.vp) (***.***.***.***)
  by 44-140-222-203.static.techex.net.au with SMTP; Mon, 5 Jun 2006 17:21:44 +1100
Message-ID: <002d01c68868$5158859d$3126decb@wy.vp>
From: "Ike Milligan" <ypisjda@*******.com>
To: <ybarra@******.com>
Subject: falsification baby boomer
Date: Mon, 5 Jun 2006 17:12:02 +1100
MIME-Version: 1.0
Content-Type: text/plain;
  format=flowed;
  charset="Windows-1252";
  reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Trading alert!

We pick our companies based on there growth potential.
We assume many of you like to "trade the promotion" and may have
made some big, fast money doing so.

Get  A M S N  first thing tomorrow, this is going to explode next 2-3
days!!!

Looking for a company with some good news?  Here's one!

We see big things happening everyday, so we say keep your eye on
 A M S N  and watch for a big movement !!!

Here is a special company that may be set to make a move in the near
future - this could be your opportunity to be ahead of the curve!

This stock will explode. Do not wait until it is too late.

Trade Date : 05.06.06
Company Name : Amerossi International Group Inc.
Ticker :  A M S N
Price : $0.05
4-7 Day Trading
--------
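As an added example (it is not part of the original post and not a tool we used on the machine), here is a small Python script that pulls out of a captured message like the one above the indicators a mail admin would look at first: the HELO name the bot announced, whether the receiving server could reverse-resolve the client ("from unknown"), whether the Message-ID and HELO domains agree with the claimed sender domain, and the spaced-out ticker symbol typical of pump-and-dump spam. The message it parses is a constructed copy of the capture with the masked addresses replaced by example.com/example.org placeholders and the client IP replaced by a documentation address; the control message is constructed too.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message the sniffer captured; masked mailbox
# domains replaced with example.com / example.org and the client IP with a
# documentation address. Not the original capture.
SPAM_SAMPLE = """\
Received: (qmail 6595 invoked from network); Mon, 5 Jun 2006 17:21:44 +1100
Received: from unknown (HELO wy.vp) (203.0.113.7) by 44-140-222-203.static.techex.net.au with SMTP; Mon, 5 Jun 2006 17:21:44 +1100
Message-ID: <002d01c68868$5158859d$3126decb@wy.vp>
From: "Ike Milligan" <ypisjda@example.com>
To: <ybarra@example.org>
Subject: falsification baby boomer
Date: Mon, 5 Jun 2006 17:12:02 +1100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="Windows-1252"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 6.00.2800.1106

Trading alert!
Get  A M S N  first thing tomorrow, this is going to explode next 2-3 days!!!
Ticker :  A M S N   Price : $0.05
"""

# Constructed ordinary message used as a control case.
BENIGN_SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.8]) by mx.example.org with ESMTP; Mon, 5 Jun 2006 09:00:00 +1100
Message-ID: <20060605090000.ABC123@mail.example.com>
From: "Alice" <alice@example.com>
To: <bob@example.org>
Subject: lunch
Date: Mon, 5 Jun 2006 08:59:30 +1100

See you at noon.
"""

HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)     # qmail style "(HELO name)"
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)          # sendmail/postfix style "from name"
TICKER_RE = re.compile(r"\b(?:[A-Z] ){2,}[A-Z]\b")        # "A M S N" style spaced ticker


def _domain_of(address):
    return address.rpartition("@")[2].strip("<> ").lower()


def _same_domain(name, domain):
    return bool(name) and bool(domain) and (name == domain or name.endswith("." + domain))


def header_indicators(raw):
    """Return the extracted fields plus a list of human-readable spam indicators."""
    msg = message_from_string(raw)
    helo, no_rdns = None, False
    for received in msg.get_all("Received") or []:
        text = " ".join(received.split())              # unfold the header
        if re.match(r"from\s+unknown\b", text, re.I):  # receiver could not reverse-resolve client
            no_rdns = True
        m = HELO_RE.search(text) or FROM_RE.match(text)
        if m and helo is None:                         # outermost hop is the sending client
            helo = m.group(1).lower()
    from_domain = _domain_of(parseaddr(msg.get("From", ""))[1])
    msgid_domain = _domain_of(msg.get("Message-ID", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""

    indicators = []
    if helo and not _same_domain(helo, from_domain):
        indicators.append(f"HELO name {helo!r} does not belong to sender domain {from_domain!r}")
    if msgid_domain and not _same_domain(msgid_domain, from_domain):
        # Weak on its own (hosted mail does this too), strong alongside a HELO mismatch.
        indicators.append(f"Message-ID domain {msgid_domain!r} does not match sender domain")
    if no_rdns:
        indicators.append("connecting host has no reverse DNS ('from unknown')")
    tickers = sorted(set(TICKER_RE.findall(body)))
    if tickers:
        indicators.append(f"spaced-out ticker symbol(s) in body: {tickers}")
    return {"helo": helo, "from_domain": from_domain, "message_id_domain": msgid_domain,
            "x_mailer": msg.get("X-Mailer"), "indicators": indicators}


if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = header_indicators(sample)
        print(f"{name}: HELO={result['helo']} From={result['from_domain']}")
        for line in result["indicators"]:
            print("  -", line)
```

None of these checks is proof on its own; the point is that the captured message lights up all four at once, while the control message lights up none.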

The process that was sending the spam, and phoning home to Russia, was a file called taskdir.exe - small netstat sample below:

--------
Proto  Local Address          Foreign Address        State           PID
  TCP    HOMEPC:4885         mc3-reserved.hotmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4887         mail.rediffmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4889         mail.rediffmail.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4893         scanner4.spamcow.com:smtp  SYN_SENT        2704
  [taskdir.exe]
  TCP    HOMEPC:4890         cluster-c.mailcontrol.com:smtp  ESTABLISHED 2704
  [taskdir.exe]
  TCP    HOMEPC:4892         mta-v24.mail.yahoo.com:smtp  ESTABLISHED     2704
  [taskdir.exe]
  TCP    HOMEPC:1059         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1185         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
  TCP    HOMEPC:1187         81.177.26.21:http      CLOSE_WAIT      2704
  [taskdir.exe]
--------

There was a slew of connections to Russia, as well as a multitude of constantly changing Port 25 connections.

--------
  TCP    HOMEPC:1059         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1185         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1187         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1216         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1218         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1229         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1308         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1317         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1319         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1328         mail.heifer.org:smtp   FIN_WAIT_2
  TCP    HOMEPC:1531         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1601         ff-mx-vip1.prodigy.net:smtp  ESTABLISHED
  TCP    HOMEPC:1604         uklon01sd01.lendlease.com:smtp  FIN_WAIT_1
  TCP    HOMEPC:1609         202.175.129.154:smtp   SYN_SENT
  TCP    HOMEPC:1611         xa.mx.aol.com:smtp     ESTABLISHED
  TCP    HOMEPC:1665         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:1921         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2068         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2226         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2228         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2231         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2233         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2316         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2546         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2666         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:2945         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3128         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3210         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3218         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3220         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3308         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3310         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3458         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3601         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:3703         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4086         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4090         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4092         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4100         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4143         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4145         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4380         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4590         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4657         81.177.26.21:http      CLOSE_WAIT
  TCP    HOMEPC:4934         81.177.26.21:http      CLOSE_WAIT
--------

Ok, so we know that the machine is definitely infected and is pumping out spam as we watch.  But, this machine has Windows Defender installed - it also has the Trend Micro Client/Server Security Agent installed.  It also has a firewall installed that is part of the Trend product and which is managed by the "big company" IT Department.

I sat there and watched all this activity using a few different programs - Process Explorer, Plastic Sniffer and APM.  None of the resident protective software was showing any sort of alarm, despite there being infection and active malware processes on the machine. The firewall that is part of the Trend software was letting everything through unimpeded. 

We know that taskdir.exe is a primary baddy - I submitted the file to virustotal - three scanners reported the file was "trojan.w32.abwiz" so why was Trend silent?

I eyeballed the machine and found some files that I knew were suspicious even without the benefit of scans. 

Let's do a smitfraud scan and see what else it finds:

C:\WINDOWS\adware-sheriff-box.gif FOUND !
C:\WINDOWS\adware-sheriff-header.gif FOUND !
C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\antispylab-logo.gif FOUND !
C:\WINDOWS\blue-bg.gif FOUND !
C:\WINDOWS\BTGrab.dll FOUND !
C:\WINDOWS\buy-now-btn.gif FOUND !
C:\WINDOWS\close-bar.gif FOUND !
C:\WINDOWS\corner-left.gif FOUND !
C:\WINDOWS\corner-right.gif FOUND !
C:\WINDOWS\dlmax.dll FOUND !
C:\WINDOWS\facts.gif FOUND !
C:\WINDOWS\footer.giff FOUND !
C:\WINDOWS\free-scan-btn.gif FOUND !
C:\WINDOWS\h-line-gradient.gif FOUND !
C:\WINDOWS\header-bg.gif FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\info.gif FOUND !
C:\WINDOWS\no-icon.gif FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\reg-freeze-box.gif FOUND !
C:\WINDOWS\reg-freeze-header.gif FOUND !
C:\WINDOWS\remove-spyware-btn.gif FOUND !
C:\WINDOWS\true-stories.gif FOUND !
C:\WINDOWS\spyware-sheriff-header.gif FOUND !
C:\WINDOWS\spyware-sheriff-box.gif FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\star-grey.gif FOUND !
C:\WINDOWS\warning-bar-ico.gif FOUND !
C:\WINDOWS\win-sec-center-logo.gif FOUND !
C:\WINDOWS\windows-compatible.gif FOUND !
C:\WINDOWS\yes-icon.gif FOUND !
C:\WINDOWS\ZServ.dll FOUND !
C:\WINDOWS\system32\alxres.dll FOUND !
C:\WINDOWS\system32\CWS_iestart.exe FOUND !
C:\WINDOWS\system32\dailytoolbar.dll FOUND !
C:\WINDOWS\system32\exuc32.tmp FOUND !
C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\mirarsearch_toolbar.exe FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\runsrv32.exe FOUND !
C:\WINDOWS\system32\shellgui32.dll  FOUND !
C:\WINDOWS\system32\taskdir.exe FOUND !
C:\WINDOWS\system32\tcpservice2.exe FOUND !
C:\WINDOWS\system32\txfdb32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll  FOUND !
C:\WINDOWS\system32\zlbw.dll FOUND !

But... and this is a worry... the HijackThis log was clean.

The smitfraud test missed a few malware files being ipod.raw.exe, winsub.xml and svcp.csv.

I also found a few other scattered malware files not featured above, including winapi32.exe and bbbxvhcr.kvx.

--------
Let's see what the online/installed antivirus and antispyware applications have to say - remember, I did not clean *anything* before running these scans.

A full scan of C drive using the resident Trend Micro Client/Server Security Agent reported **zero infection**.

Ewido detected only Adware.SpySheriff (HKLM\Classes\TypeLib\{31F9B5A7-5B94-445D-922C-E97BF52F5FD7}) and Adware.VX2 (HKLM\SOFTWARE\RespondMiter)

Trend Housecall online scan failed to run.

Trend Micro Antispyware for the Web detected only Adware_PopsStop (HKLM\SOFTWARE\RespondMiter)

There are a *lot* of files being missed by the scanners.
--------

We should think about why creating a limited user account did not protect this machine.  Its history makes things kind of blurry.  The user ran as admin, and therefore was infected as admin, before I created the limited user account.  We *thought* the machine was clean the last time we worked on it - all scans were fine and I pulled out some pretty big guns.  Nothing untoward in running processes, multiple reboots didn't trigger a resurrection of malware, the rootkit scans were fine as well.  HJT logs were great, all online scans were clean.  Great, I thought, good to go.

But something remained.  The smitfraud infection was simply too new for all files to be detectable using the automated tools at the time of the cleanup.  I see in the old logs that *some* files were detected, but others weren't.  Files that appear in smitfraud/smitrem scans *now* didn't appear in the scans back in early May.  What's the lesson I learn from that?  I don't trust automated cleaners. I detect first, then I get in there and search for anything else that may be related to that infection by hand, then I clean using something like killbox so that I can get *all* the files at the same time, not just those spotted by automated scans.

We're not sure exactly how the reinfection occurred.  Trend alerted about *one* infected file (troj_galapoper.a) weeks after the apparently successful cleanup.  My hypothesis is that the infection remained dormant for as long as the limited user account was the only one used; then the user may have swapped over to his admin account to do something that couldn't be done in his limited user account and WHAMMO - the system got reinfected.  He then swaps back to the limited user account, but it's too late. The damage is done.

Then, when I logged in as admin to do some poking around before the reformatting - DOUBLE WHAMMO - something phones home, new files are downloaded, and the PC transmutes into a spambot.

It's obvious the automated tools let us down.  That leaves us with a state of play where, if *anything* at all is detected, our only choice may be to manually comb through the computer and eyeball the installed files to make sure nothing is missed.  That makes cleanup extremely labour and time intensive and, to be honest, simply not practical - there are only so many hours in a day.  At the same time, names like "dailytoolbar.dll" and "CWS_iestart.exe" are so obvious that I would *not* have missed the vectors if I had eyeballed all the files.  I may have to start charging for direct 'Sandi can you please help' requests if I'm going to have to spend a day or so of intense digging to make sure we're not missing anything.

--------
The firewall

There has been a lot of discussion about stateful firewall protection versus "full" protection.  Many things have been said to me about why tight firewalls don't work, including that users will simply say yes to every prompt because they want to see the dancing pigs, or that they will say no and break their systems, or they will say yes because they don't understand what is being asked of them and they are worried they will break their systems if they say no.  That's all well and good, but the fact remains - the infected machine would not have failed the leak test, and taskdir.exe would not have been able to send all that spam (or connect to Russia to download even more bad stuff) if the firewall had alerted the user and asked for permission to send the data.  It really bothers me that these things can happen, in the background, and the user receives no warning at all until they're suddenly lumped with a massive ISP bill, or they are cut off by their ISP because the ISP has spotted the viral traffic.  A user should not have to go digging through their system folders or use specialised programs like Plastic Sniffer and Process Explorer to find out if there are nefarious activities occurring on their machines.

I'm preparing to test a new firewall called Comodo firewall that may make a difference:
http://www.personalfirewall.comodo.com/whats_new.html?currency=USD&region=Australasia&country=AU

If Comodo really does detect "DLL/Code injections" etc, that is one hell of a big step forward.  We need to assess it from the point of view of the home user.  It's all well and good to say that iexplore.exe wants to act as a server, that it is a 'safe' application and that it wants to listen on UDP port 1609, but that means nothing to the home user.  Hopefully the 'more details' button in the screenshot provides more useful information.

Published Wed, Jun 7 2006 15:34 by sandi

Comments

# 'Stration' worm spawns sneak attacks

Wednesday, November 08, 2006 12:19 AM by Spyware Sucks

According to ITNEWS Australia, "Lots of AV vendors have been saying that Stration doesn't have