Another Identity Theft Story

(Updated on May 29. See note at end.)

Last Friday, we received various suspicious HTML files that contain malicious JavaScript routines. These contact a remote Web site and silently download an EXE file, which in turn downloads various unknown but suspicious programs. In France we decided to press the matter for several reasons: French or francophone people appeared specially targeted; not only banking and e-commerce data were stolen, but also more critical information linked to the private lives of our fellow citizens. So we contacted the French authorities.

We were able to fit together the pieces of the puzzle and understand the attack architecture.

The attacks started each time a victim reached an initiator site (1) hosting one of these scripts. One used an adodb.stream exploit; others exploited vulnerabilities referenced as MS06-006 and MS06-024.

While browsing that page, an EXE file, located in an intermediate site, was silently dropped on the victim’s computer (2). If this downloader was not detected by up-to-date antivirus software, it turned off Microsoft Security Center, modified some registry keys, and downloaded and installed another Trojan (3). When this work was done, the downloader self-destructed and passed control to the Trojan. Using the victim’s IP address as parameter, the Trojan ran a JavaScript query to localize the infected machine (4). It used this site:

http://fresh-news.info/geoip/ip.php

Later the returned data were saved in the local registry as :
HKLM\System\CurrentControlSet\Control\InitRegKey\geoinfo

• iso
• country
• region
• city
• latitude
• longitude
• ip

This information was sent to the collector site found at the top of some TXT files (more on those later). Here’s a fake example:

PC Name = JOHN-3GR6524FRHN
PC IP = 82.22.97.32
PC Country/ISO/Region/City = france/fr/a3/paris
PC Location longitude/latitude = 2.3333/48.8667
Log Creation = 2007/05/21 13:22:05

Before this Trojan disappeared, it downloaded two new files (5). The first deactivated various antivirus software and modified the system’s host file to prevent security updates from happening. But its main purpose was to take screenshots each time the victim clicked on a mouse button while inside a remote authentication window. Depending on which mouse button the user clicked, the following image file was created:

date_time_snapshot-number_LMB_input-form-URL.jpg
date_time_snapshot-number_RMB_input-form-URL.jpg

The images files were sent to a collector site (6). That site’s address, login, and password, as well as links to download other malware were accessible via an admin site driven by the hackers (7).

The second file was a Browser Helper Object/password stealer. It especially monitored transactions with these financial sites:

• e-gold.com,
• meine.deutsche-bank.de,
• banking.postbank.de

However, the BHO watched many other authentication forms and sent data to the collector site (6) using TXT files:

ISO-country-code_computername_IP_Date_time.txt

Other malware were downloaded according to instructions found on the collector site (8). These created a local web server (9) and implemented a PHP backdoor on the compromised machine. A proxy (9) was also created with various services:

• SSL proxy
• HTTP proxy
• Socks server
• Telnet gateway
• SMTP server
• FTP server
• Remote administration server
• Port mapping

After all this preparation these machines were able to act as zombies.

But that’s not all: A keylogger (10) was also downloaded. It collected the victim’s keystrokes and created this file:

keylog_ISO-country-code_computername_IP_date_time.txt

This Trojan also extracted all the URLs and the associated usernames/passwords saved by Internet Explorer via the AutoComplete facility, and created this file:

pstore_date_time.txt

The Trojan regularly sent all the TXT files to the collector site (6), where they were automatically saved by country and by computer. Here’s a view taken before the site was closed:

Today we have all the pieces of this puzzle.

As I said in introducing this blog, I found the geographical distribution unusual. France had the second highest number of victims, and the collected data were also very sensitive.

The stick-pin maps show the distribution.

 

We often hear of IT threats targeting the Anglo-American countries. This matter shows that no country is safe from cybercriminals.
——
Updated May 29:
I made two typos when I discussed the analysis of Elodie Grandjean. The first concerns one vulnerability used in this attack (it is MS06-024 and not MS06-026). The other regards the password stealer functionality. Both have been corrected in the text.