The story of how SilentRage was owned at 10:00 AM Friday morning, August 15th, and how to prevent getting owned yourself.
Today I was checking my nettaxi account email when I noticed an email supposedly from "[email protected]". Being the suspicious type, I had my doubts, but saw no harm in checking it out anyway. I downloaded the email with a POP3 client I had written myself. The moment I viewed the email I was presented with a ZIP file with no message. Knowing how buggy my POP3 client was, I pressed the "View Raw" menu button to see the raw email. There was a brief message and an attachment, as shown below:
- BEGIN Email ------------------------------------
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.
---
Best regards, Administrator
qccqfckf
[Attachment: message.zip]
- END Email --------------------------------------
Not very descriptive, and I still had my doubts. However, it was getting more believable because my nettaxi account is very old, nettaxi really sucked, and I never used the nettaxi website to check my mail... and I saw no harm in opening the zip file.
Opening the 14KB zip file, I was presented with an HTML file called "message.html". This is where I made my mistake. Instead of right-clicking and choosing "View in Notepad", I double-clicked it to execute the HTML page. I was presented with a webpage which had only two words, "No message", and an embedded object that appeared not to work. I viewed the source; it went something like this:
<title>Message</title>
<body scroll=no bgcolor=white>
<FONT face="Arial" color=black
style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">
No message</center>
<OBJECT style="cursor:cross-hair" alt="moo ha ha"
CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe">
</OBJECT>
I looked for "foo.exe" in the root directory and it did not exist. I frowned, thinking maybe it was a botched attempt to infect me with a trojan or something. It was soon after this that I was presented with a blue screen saying something about a driver IRQ error and that I needed to reboot, and if the problem persisted I could do "this and this and blah blah blah". Since this error occurred at exactly the same time I tried to view a file created by a recent PuTTY install, I thought maybe it was just a one-time thing. So I rebooted, started everything back up, and just as I was getting settled in, BANG, I got the same blue screen.
I was 0wned
Mildly amused that I actually fell for a lamer trick, and mildly pissed at the same time... I rolled up my metaphorical sleeves and went to work. Hoping that the trojan or virus or whatever it was hadn't corrupted something in the drivers, I immediately acted on the assumption that there was a program in startup causing a delayed crash (because I did NOTHING that second time to trigger a crash). I rebooted once again, but this time into safe mode, waiting ages and ages for it to get through the safe mode OS loading process. I waited a bit... 1... 2... 3... no crash. Good, I'm about to kiiiiiiick some [censored]! I opened up regedit and looked under the CURRENT_USER startup key, and found nothing at all in the list. I then went into the LOCAL_MACHINE startup list, where I knew several things were. I immediately spied a "VideoDriver" entry pointing to a program in the WINNT directory called "videodrv.exe". I laughed aloud, mocking the lamer who thought they were so smart. Why the heck would I need a "video driver" executable in startup? GAY I tell ya! I deleted the entry, and moved the file to a quarantined location.
I was not satisfied with that... oh no. Where there's a little mess, there's a big mess swept under the carpet. Somehow that innocent-looking HTML file got that damn program executed, and it was done somehow by a temporary program called "foo.exe". I then did a search for all files created in the last day and came up with the following:
/WINNT/exe.tmp (foo.exe I presume?)
/WINNT/zip.tmp (contained message.html)
../temp/message.zip (the file that smacked me)
I then looked in the registry to see if the CLSID "11111111-1111-1111-1111-111111111111" existed, and as sure as cold makes perky nipples, I found it under CODEBASE. I exported and deleted the following from the registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\Contains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\DownloadInformation]
"CODEBASE"="mhtml:file://C:\\Documents%20and%20Settings\\Dave\\Local%20Settings\\Temp\\message.html!File://foo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\InstalledVersion]
@="0,0,0,1"
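The registry check above can be scripted. What follows is an added example, not code from the write-up: it parses a Regedit 5.00 export (the write-up's own export is embedded as sample input, plus one constructed benign entry with a made-up CLSID and URL for contrast) and flags Distribution Units whose CODEBASE is a local mhtml:/file: reference rather than a remote component download, then emits a .reg fragment that deletes the offending key tree. The heuristics are this example's own choices, not a vendor signature.

```python
"""Triage a Regedit 5.00 export for Internet Explorer code-download records
whose CODEBASE points at a local file instead of a remote component.

Added example; not code from the write-up. IE records each component it
installs through an <OBJECT CODEBASE=...> download under
HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{CLSID}.
"""
import re
from urllib.parse import unquote

DU_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database"
             r"\Distribution Units")

# Sample input: the write-up's export, plus one constructed benign entry
# (made-up CLSID and URL) so the benign path is exercised too.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\DownloadInformation]
"CODEBASE"="mhtml:file://C:\\Documents%20and%20Settings\\Dave\\Local%20Settings\\Temp\\message.html!File://foo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\InstalledVersion]
@="0,0,0,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0A1B2C3D-0000-4000-8000-000000000001}\DownloadInformation]
"CODEBASE"="http://example.invalid/controls/viewer.cab"
'''


def parse_reg(text):
    """Return {key: {value_name: value}} for string and dword values in a
    Regedit 5.00 export. Multi-line hex(...) values are not needed here and
    are ignored."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur and "=" in line and line[0] in '"@':
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name[1:-1]
            if raw.startswith("dword:"):
                keys[cur][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # Regedit escapes backslash and quote with a backslash.
                keys[cur][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys


def find_suspicious_codebases(keys):
    """Return [(clsid, codebase, reasons)] for Distribution Units whose
    CODEBASE does not look like a normal remote component download."""
    out = []
    for key, values in keys.items():
        if not key.startswith(DU_PREFIX + "\\") or not key.endswith("\\DownloadInformation"):
            continue
        clsid = key[len(DU_PREFIX) + 1:].split("\\", 1)[0]
        cb = next((v for k, v in values.items() if k.lower() == "codebase"), "")
        low = unquote(cb).lower()
        reasons = []
        scheme = low.split(":", 1)[0]
        if scheme in ("mhtml", "file"):
            reasons.append("local %s: scheme instead of http(s)" % scheme)
        if "!file://" in low:
            reasons.append("MHTML part reference pulls a payload out of a local document")
        if re.search(r"\\(temp|temporary internet files)\\", low):
            reasons.append("path inside a temporary directory")
        if reasons:
            out.append((clsid, cb, reasons))
    return out


def removal_reg(clsid):
    """A .reg fragment that deletes the whole Distribution Unit for clsid
    (a leading '-' inside the brackets tells regedit to delete the key)."""
    return "Windows Registry Editor Version 5.00\n\n[-%s\\%s]\n" % (DU_PREFIX, clsid)


if __name__ == "__main__":
    for clsid, cb, reasons in find_suspicious_codebases(parse_reg(SAMPLE_REG)):
        print(clsid, cb)
        for r in reasons:
            print("   -", r)
        print(removal_reg(clsid))
```

Run it against `regedit /e` output of the Code Store Database key on a machine under investigation; a legitimate entry normally carries an http(s) URL to a CAB or OCX, so anything pointing into the local filesystem deserves a look before the key is deleted.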
I had ripped the malware program out of my system by the roots - and a little bit more besides, just to be on the safe side. After I analyzed the files, this is how it worked:
message.html contained HTML and an entire EXE within it. When I executed message.html, it extracted the EXE from itself into a file called "foo.exe" in my root directory. It then used the OBJECT tag to write to the registry and execute the program it had extracted: the CODEBASE attribute pointed Internet Explorer's component download at the local mhtml: document rather than at a remote CAB, so the "install" ran foo.exe, and the Distribution Unit entry exported above is the record that install left behind. The rest of the HTML overwrote its own document so as to hide part of its code.
foo.exe copied itself to "exe.tmp", perhaps to be used in sending itself to other people; it also created the zip.tmp file. foo.exe had some HTML appended to it, so it wrote all of itself minus that HTML out as videodrv.exe. Viewing videodrv.exe in Notepad reveals no HTML at all, further enhancing its innocent appearance. Then it executed videodrv.exe and terminated.
videodrv.exe deletes foo.exe and does whatever it does to send itself out to other people. It also waits 150 seconds before crashing the computer.
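The two file layouts described above (an HTML dropper carrying a whole EXE inline, and a dropped EXE with HTML appended after the PE image) can be pulled apart mechanically by walking the PE section table, because an appended overlay starts exactly where the last section's raw data ends. The following is an added example and not code from the write-up or from the malware: the PE header it builds is a constructed, non-runnable minimal header used only as sample input, and the file names (message.html, foo.exe, videodrv.exe) are the ones the write-up reports.

```python
"""Carve an embedded Win32 executable out of an HTML dropper and split an
HTML overlay off a dropped EXE.

Added example; not code from the write-up. The sample PE image is a
constructed minimal header (DOS stub, PE signature, COFF header, one
section) and does not run.
"""
import struct

HTML_MARKERS = (b"<html", b"<object", b"<script", b"<body", b"mhtml:")


def pe_image_size(data, mz_off=0):
    """On-disk size of the PE image starting at mz_off, or None if there is
    no well-formed MZ/PE header there. The image ends at the end of the
    furthest section's raw data (or of the section table, if that is
    larger); anything after that is overlay."""
    if data[mz_off:mz_off + 2] != b"MZ" or len(data) < mz_off + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, mz_off + 0x3C)
    pe = mz_off + e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 24:
        return None
    (nsec,) = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size
    if len(data) < sec_table + 40 * nsec:
        return None
    end = sec_table + 40 * nsec
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, mz_off + raw_ptr + raw_size)
    return end - mz_off if end <= len(data) else None


def carve_executables(data):
    """Every embedded PE image in data, as [(offset, image_bytes), ...]."""
    found = []
    off = data.find(b"MZ")
    while off != -1:
        size = pe_image_size(data, off)
        if size:
            found.append((off, data[off:off + size]))
            off = data.find(b"MZ", off + size)
        else:
            off = data.find(b"MZ", off + 1)
    return found


def split_overlay(exe):
    """(clean_image, overlay) for a dropped EXE. The write-up's foo.exe
    carried HTML after the image and wrote only the image out as
    videodrv.exe; this reproduces that split so the overlay can be read."""
    size = pe_image_size(exe)
    if size is None:
        raise ValueError("not a PE image")
    return exe[:size], exe[size:]


def overlay_looks_like_html(overlay):
    return any(m in overlay.lower() for m in HTML_MARKERS)


def build_sample_pe(payload=b"\xcc" * 16):
    """Constructed minimal PE: 64-byte DOS header with e_lfanew=0x40, PE
    signature, COFF header with no optional header, one section whose raw
    data starts at 0x80. Total size 0x80 + len(payload)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), 0x80, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + sect
    return hdr + b"\0" * (0x80 - len(hdr)) + payload


if __name__ == "__main__":
    pe = build_sample_pe()
    # Constructed stand-ins for message.html and foo.exe, laid out as the write-up describes.
    message_html = b"<title>Message</title>\n" + pe + b"<OBJECT CODEBASE=\"mhtml:x!File://foo.exe\"></OBJECT>\n"
    for off, image in carve_executables(message_html):
        print("embedded PE at offset %d, %d bytes" % (off, len(image)))
    foo_exe = pe + b"<html>dropper tail</html>"
    videodrv, tail = split_overlay(foo_exe)
    print("overlay is HTML:", overlay_looks_like_html(tail), "clean image bytes:", len(videodrv))
```

On a real sample, run `carve_executables` over message.html to recover the payload without executing anything, and `split_overlay` over foo.exe to see what videodrv.exe would look like and what the dropper was hiding in the tail; both functions only read headers, so a truncated or corrupted image yields None rather than a bogus carve.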
Keep all this in mind, along with the techniques used to clean yourself up, in case you should fall for a different lamer trick.