Joined: Mar 2002
Posts: 1,273
DollarDNS Owner
The story of how SilentRage was owned at 10:00 AM friday morning on August 15th, and how to prevent getting owned yourself.

Today I was checking my nettaxi account email when I noticed an email supposedly from "[email protected]". Being the suspicious type, I had my doubts, but found no harm in checking it out anyway. I downloaded the email with a POP3 client I had written myself. The moment I viewed the email I was presented with a ZIP file with no message. Knowing how buggy my POP3 client was, I pressed the "View Raw" menu button to see the email in the raw. There was a brief message and an attachment as shown below:

- BEGIN Email ------------------------------------
Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
qccqfckf

[Attachment: message.zip]
- END Email --------------------------------------

Not very descriptive, and I still had my doubts. However, it was getting more believable cause my nettaxi account is very old, and nettaxi very sucked, and I never used the nettaxi website to check my mail... and I saw no harm in opening the zip file.

Opening the 14KB zip file I was presented with an HTML file called "message.html". This is where I made my mistake. Instead of right-clicking and saying "View in Notepad" I double clicked it to execute the HTML page. I was presented with a webpage which only had 2 words "no message", and an embedded object that appeared to not work. I viewed the source, it went something like this:

Code
<title>Message</title>
<body scroll=no bgcolor=white>
<FONT face="Arial" color=black 
style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">
No message</center>
<OBJECT style="cursor:cross-hair" alt="moo ha ha" 
CLASSID="CLSID:11111111-1111-1111-1111-111111111111" 
 CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe">
</OBJECT>
I looked for "foo.exe" in the root directory and it did not exist. I frowned thinking maybe it was a botched attempt to infect me with a trojan or something. It was soon after this that I was presented with a blue screen saying something about a driver IRQ error and that I needed to reboot, and if the problem persists I can do "this and this and blah blah blah". Since this error occurred at exactly the same time I tried to view a file created by a recent PuTTY install, I thought maybe it was just a one-time thing. So I rebooted, started everything back up, and just as I was getting settled in BANG, I got the same blue screen.

I was 0wned

Mildly amused that I actually fell for a lamer trick, and mildly pissed at the same time... I rolled up my metaphorical sleeves and went to work. Hoping that the trojan or virus or whatever it was didn't corrupt something with the drivers, I immediately acted on the assumption that there was a program in startup that was causing a delayed crash (cause I did NOTHING that second time to trigger a crash). I rebooted once again, but this time into safe mode, waiting ages and ages for it to get through the safe mode OS loading process. I waited a bit... 1... 2... 3... no crash. Good, I'm about to kiiiiiiick some [censored]! I opened up regedit and looked under the CURRENT_USERS startup key, and found nothing at all in the list. I then went into the LOCAL_MACHINE startup list where I knew several things were there. I immediately spied a "VideoDriver" entry pointing to a program in the WINNT directory called "videodrv.exe". I laughed aloud mocking the lamer who thought they were so smart. Why the heck would I need a "video driver" executable in startup? GAY I tell ya! I deleted the entry, and moved the file to a quarantined location.

I was not satisfied with that... oh no. Where there's a little mess, there's a big mess swept under the carpet. SOME how that innocent looking HTML file got that damn program executed, and it was done SOME how by a temporary program called "foo.exe". I then did a search for all files created in the last day and came up with the following:

/WINNT/exe.tmp (foo.exe I presume?)
/WINNT/zip.tmp (contained message.html)
../temp/message.zip (the file that smacked me)

I then looked in the registry to see if the CLSID "11111111-1111-1111-1111-111111111111" existed, and as sure as cold makes perky nipples, I found it under CODEBASE. I exported and deleted the following from the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\DownloadInformation]
"CODEBASE"="mhtml:file://C:\\Documents%20and%20Settings\\Dave\\Local%20Settings\\Temp\\message.html!File://foo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\InstalledVersion]
@="0,0,0,1"

I had ripped the malware program out of my system by the roots - and a little bit more besides just to be on the safe side. After I analyzed the files, this is how it worked:

message.html contained HTML, and an entire EXE within it. When I executed message.html, it extracted the EXE from itself into a file called "foo.exe" in my root directory. It then used the OBJECT tag to write to the registry and execute the program it extracted. The rest of the HTML overwrote its own document so as to hide part of its code.

foo.exe copied itself to "exe.tmp" to be used perhaps in sending itself to other people; it also created the zip.tmp file as well. The foo.exe had some HTML appended to it, so it extracted all of itself minus that HTML into the program videodrv.exe. Viewing videodrv.exe in Notepad reveals no HTML at all, further enhancing its innocent appearance. Then it executed videodrv.exe and terminated.

videodrv.exe deletes foo.exe and does whatever it does in sending itself out to other people. It also waits 150 seconds before crashing the computer.

Keep all this in mind, and the techniques used to cleanse yourself if you should fall for a different lamer trick.


Domain Registration, Hosting, Management
http://www.dollardns.net
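An added example, not code from the thread or from SilentRage: a small Python triage script for an HTML attachment of the kind described above, written from the defender's side. It checks the two things the post documents, an OBJECT tag whose CODEBASE points at a local mhtml: or file: location instead of an http(s) URL, and a Windows executable (an MZ/PE image) carried inside the HTML body. The sample attachment bytes and the fake PE image are constructed here; only the tag shape follows the source shown in the post.

```python
"""Added example: triage an HTML attachment (e.g. message.html) for the two
tricks described in the post. Sample input is constructed, not the real worm."""
import struct
from html.parser import HTMLParser


class ObjectTagCollector(HTMLParser):
    """Collect the attributes of every <OBJECT> tag (html.parser lower-cases names)."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            self.objects.append({k.lower(): (v or "") for k, v in attrs})


# A legitimate ActiveX CODEBASE is an http(s) URL; a local mhtml:/file: target,
# or anything naming an .exe, is what the attachment in the post used.
LOCAL_SCHEMES = ("mhtml:", "file:")


def suspicious_objects(html_text):
    parser = ObjectTagCollector()
    parser.feed(html_text)
    parser.close()
    hits = []
    for attrs in parser.objects:
        codebase = attrs.get("codebase", "").strip().lower()
        if codebase.startswith(LOCAL_SCHEMES) or ".exe" in codebase:
            hits.append(attrs)
    return hits


def find_embedded_pe(data):
    """Offsets of 'MZ' headers whose e_lfanew field points at a 'PE\\0\\0' signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):                     # full 64-byte DOS header present
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def triage_attachment(data):
    # latin-1 maps every byte to one character, so tag scanning still works on
    # a file that carries binary after the markup.
    text = data.decode("latin-1")
    hits = suspicious_objects(text)
    pe_offsets = find_embedded_pe(data)
    return {"object_hits": hits, "pe_offsets": pe_offsets,
            "suspicious": bool(hits or pe_offsets)}


def _fake_pe_image():
    """Constructed stand-in: a minimal DOS header plus PE signature, enough to exercise the check."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed sample: the tag shape from the post followed by the fake executable.
SAMPLE_ATTACHMENT = (
    b"<title>Message</title>\n<body scroll=no bgcolor=white>\nNo message\n"
    b'<OBJECT CLASSID="CLSID:11111111-1111-1111-1111-111111111111"\n'
    b'  CODEBASE="mhtml:file://C:\\\\Temp\\\\message.html!File://foo.exe">\n'
    b"</OBJECT>\n"
    + _fake_pe_image()
)

if __name__ == "__main__":
    result = triage_attachment(SAMPLE_ATTACHMENT)
    for attrs in result["object_hits"]:
        print("OBJECT with local CODEBASE:", attrs.get("codebase"))
    for off in result["pe_offsets"]:
        print("embedded PE image at offset", off)
    print("suspicious:", result["suspicious"])
```

The PE check deliberately validates the e_lfanew pointer rather than stopping at the two letters "MZ", since those bytes occur by chance in ordinary text; a real attachment would be fed in as raw bytes, exactly as it sits in the ZIP, before anything renders it.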
Joined: Mar 2002
Posts: 508
Likes: 1
UGN Super Poster
stupid

as nelson would say, "Ha Ha!"

Joined: Mar 2002
Posts: 201
Member
I wish you were witty crime...


I am the Lizard King
I can do anything
Joined: Oct 2002
Posts: 364
UGN News Staff
Any hope of tracing the email?
I'm guessing they used an email spoofing program?
VisualRoute has a built in email tracer?


C++ Should Have Been Called "D"
Joined: Mar 2002
Posts: 508
Likes: 1
UGN Super Poster
Quote:
Originally posted by Imperial:
I wish you were witty crime...
na

Joined: Mar 2002
Posts: 599
UGN's Resident Homo
it was me, i did it


"It's better to burn out, than to fade away."
Joined: Feb 2002
Posts: 7,203
Likes: 11
Community Owner
Rage, stop your obsession with thinking you're elite and safe from all viruses and install a [censored] virus scanner...


Donate to UGN Security here.
UGN Security, Back of the Web, and VNC Web Services Owner
Joined: Mar 2002
Posts: 270
UGN Member
Well, quite the story SR, Kudos to you......
That is the story you mentioned last night on the IRC Chat I presume..........


Unless you try something to which you have not already succeeded ~ Then you shall NEVER grow
Joined: Jun 2003
Posts: 14
Junior Member
The random string of letters at the end of the email should have been the dead give-away SR. A lot of spam and fake e-mails contain a random string of characters at the end of the letter.


For more info on the actual exploit, here it is:
http://www.securityfocus.com/archive/1/259018/2003-04-13/2003-04-19/0


Applause on doing that all SR. I don't think I wouldabeen able to get rid of the entire thing.

Joined: Mar 2002
Posts: 1,273
DollarDNS Owner
Quote:
Originally posted by Gizmo:
Rage, stop your obsession with thinking you're elite and safe from all viruses and install a [censored] virus scanner...
I don't know if I'm elite. Tell me what elite means and I'll tell you if I fit the bill.

And virus scanners annoy me. They're about as bad as AOL - they get into everything and slow certain file accessing activities down. A periodic remote virus scan from my roommate's computer is all I need.


Domain Registration, Hosting, Management
http://www.dollardns.net
Joined: Mar 2002
Posts: 860
Likes: 1
Der Übeltäter
I don't think I've had a virus scanner on my system for 2-3 years now...

Joined: Oct 2002
Posts: 955
UGN Super Poster
I have no scanner either. It's all about habits. I don't view attachments, don't allow HTML emails, don't go to questionable sites, don't download fake/infected files.

Plus most times when I go to fix someone else's computer I prefer to manually remove the virus/trojan/adware myself. The scanners have problems or simply say they cannot do it, and I don't trust them to get it clean.

Windows fortunately has a few limited areas where these things can be triggered and hide, so it's not too hard to see when something is going on and fix it. Usually...

Joined: Aug 2002
Posts: 68
Junior Member
I fixed this problem long ago by installing linux.

Joined: Aug 2003
Posts: 68
Junior Member
Actually... it's not exactly a LAMER trick as you say. It's one of the top threats as far as 'viruses' go. This one's technically a worm.

Quote from grisoft.com

I-Worm/Mimail
I-Worm/Mimail is a virus which is sending itself via e-mails with the following text:

Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

---
Best regards, Administrator

The virus uses the MESSAGE.ZIP file as an attachment. This archive file contains the MESSAGE.HTML file, which is in fact its own EXE version of the virus, and a short script designed to copy the virus onto the hard disk of the infected computer, and to launch this file.
When the computer is infected, the virus creates the VIDEODRV.EXE file in the Windows folder, where it also creates some temporary files (eml.tmp, exe.tmp and zip.tmp).
The virus is launched every time the computer is started due to the virus's key VideoDriver in ...\CurrentVersion\Run.
2003-08-01


End Quote
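An added example, not from the thread, from grisoft or from any project: a Python script that parses a .reg export in the Regedit 5.00 format SilentRage posted and flags the two persistence points both accounts mention, a Code Store Distribution Unit whose CODEBASE uses an mhtml: or file: scheme rather than http(s), and a Run entry whose image lives directly in the Windows directory. The sample export is constructed: the C:\WINNT\videodrv.exe path, the ExampleUpdater entry and the all-zero CLSID are placeholders, and the "image in the Windows directory" rule is a review heuristic, not proof of infection.

```python
"""Added example: flag the two persistence points described in the thread from
a .reg export. The export text is constructed; paths and the all-zero CLSID
are placeholders, not values from a real machine."""
import ntpath

RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
DIST_UNITS = "\\code store database\\distribution units\\"


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape quotes and double backslashes inside string data
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data        # dword:/hex: data is kept as its literal text
    return keys


def flag_code_store_units(keys):
    """Distribution Units whose CODEBASE is a local mhtml:/file: target rather than an http(s) URL."""
    flagged = []
    for key, values in keys.items():
        lowered = key.lower()
        if DIST_UNITS in lowered and lowered.endswith("\\downloadinformation"):
            codebase = values.get("CODEBASE", "")
            scheme = codebase.split(":", 1)[0].lower()
            if scheme in ("mhtml", "file"):
                flagged.append((key, codebase))
    return flagged


def _image_path(command):
    """The executable part of a Run value: the quoted token, or the text before the first switch."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" -", 1)[0].split(" /", 1)[0]


def flag_run_entries(keys, windir="C:\\WINNT"):
    """Run entries whose image sits directly in the Windows directory (heuristic review list)."""
    flagged = []
    for key, values in keys.items():
        if key.lower().endswith(RUN_KEY_SUFFIX):
            for name, command in values.items():
                image = _image_path(command)
                if ntpath.dirname(image).lower() == windir.lower():
                    flagged.append((name, image))
    return flagged


# Constructed sample export: one entry of each kind next to one benign entry of each kind.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver"="C:\\WINNT\\videodrv.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\DownloadInformation]
"CODEBASE"="mhtml:file://C:\\Documents%20and%20Settings\\Dave\\Local%20Settings\\Temp\\message.html!File://foo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{00000000-0000-0000-0000-000000000000}\DownloadInformation]
"CODEBASE"="http://download.example.com/control.cab"
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for key, codebase in flag_code_store_units(parsed):
        print("local CODEBASE:", key, "->", codebase)
    for name, image in flag_run_entries(parsed):
        print("Run entry in Windows dir:", name, "->", image)
```

On a live machine the same export is produced with `reg export` or Regedit's File > Export; the parser works on the text file, so the check runs on a copy taken from the suspect system rather than by reading its registry directly.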

Ntd
Joined: Jan 2003
Posts: 217
Member
How do you put an exe inside an HTML file?

Joined: Mar 2002
Posts: 860
Likes: 1
Der Übeltäter
You hax0r it.

Joined: Mar 2002
Posts: 1,273
DollarDNS Owner
The lamer I spoke of is the person who wrote the worm. I figured I was not specifically targeted.


Domain Registration, Hosting, Management
http://www.dollardns.net
Joined: Mar 1983
Posts: 55
UGN Elder
Mr. Rage,

Owned, who would have known. Though I am impressed by your skills to detect and remove it manually. Bravo

Regards,

Skull


Trust me, if i started killing people, there'd None of you left
Joined: Aug 2003
Posts: 68
Junior Member
Ah...yes the person who wrote it was definitely somebody with a pretty f**cked up life. lol

Joined: Mar 2002
Posts: 524
Member
NTD, read more carefully. Rage explained how the attack worked: The .EXE code was extracted from the HTML file, written to its own file, and then executed with the OBJECT tag.

Joined: Mar 2002
Posts: 1,273
DollarDNS Owner
It is a shame I deleted it, so I do not remember. But the way they had it was a mime-type header in the file with a file location. It is an extension to HTML I believe. The file itself was embedded in the HTML file in the raw. The result was that IE saved the file to the specified location and afterward executed it via the object tag.


Domain Registration, Hosting, Management
http://www.dollardns.net
Ntd
Joined: Jan 2003
Posts: 217
Member
So if I open an EXE in Notepad and copy its code to an HTML file and do what the "Lammer" did, I could execute it through an HTML file?

Joined: Mar 2002
Posts: 1,273
DollarDNS Owner
No, because Notepad converts some of the characters (most notably the null characters) to space characters for readability. You can not do it by hand. For instance, if you opened an EXE in Notepad, and immediately saved it to another location, the new exe won't work.

And no again cause the HTML mime trick does not execute the file. It just saves it. It is later that the object tag was used to execute it.


Domain Registration, Hosting, Management
http://www.dollardns.net
Ntd
Joined: Jan 2003
Posts: 217
Member
Ok?, so how do you get the code? If it is just source code for, let's say, VB you would need to compile it before it was an exe? So how do you make a program then run it from an HTML file?

Joined: Mar 2002
Posts: 1,273
DollarDNS Owner
I'd give you the nitty gritty details if I had bothered to keep the thing. I just looked at it long enough to understand the technique - not so closely that I'd be able to do it myself.


Domain Registration, Hosting, Management
http://www.dollardns.net