Avinti Security Briefing: Proforma Invoice

The following is a security briefing of a targeted attack that was first discovered on June 14, 2007.

Summary
An email attack using an attached Word document. The document is delivered in an email from a well-known company. The first instance of this email was spoofed from Beckman Corporation, a testing and diagnostics company based in California. It appears to be an invoice that is sent from the accounting department, and contains the document Proforma_Invoice.doc. The document contains an embedded executable that appears as a small icon. The executable is a small Trojan that downloads additional executable content from the internet. The malware eventually installs a rootkit to make removal difficult, scans the local network for additional hosts to infect, adds itself as a browser helper object (BHO) and uses the BHO to send username and password information to remote hosts.

Description
This malware relies on social engineering and a simple Office document to gain execution. The document arrives as an email attachment, with the email body instructing the recipient to view the attachment. The document itself is very simple: a small icon and an instruction to click it in order to view the content. When the executable is run it downloads a new .exe and .dll from multiple hosts. The malware appears to be hosted on many machines, as the IP addresses are always different and are located in several countries, including the United States, China, Canada, and Romania. The downloaded malware attempts to find shares on the local network in order to create files. The process registers itself with the system to guarantee it runs again after reboot, and hooks itself into standard operating system files. This includes rootkit functionality that "watches" its processes so that if they are removed it will recreate them. The main function of the malware is the browser helper object it installs. This BHO is loaded every time Internet Explorer is started. It tracks the URLs the user visits on the Web and relays information typed into the browser, such as usernames and passwords, to several remote hosts.

Interesting Detail about the Attackers
This appears to be a well-funded attack. All the hosts that browsing data is reported to are part of a well-known distributed global internet content and delivery system. The URLs are heavily obfuscated and have no whois data, but the user will eventually land on IP addresses in the global content network. Most of the initial internet requests start at IP addresses in Canada, although there have been hits in Romania, China, and the US.

Technical Malware Details
The delivery mechanism for the malware is quite simple. Microsoft Word allows executable files to be dragged and dropped into Word documents. Upon placing the executable in the document, the executable is compressed into a Windows prefetch document. If the executable is double-clicked (as the malware document demands), the executable is unpacked and executed. The executable in question seemingly acts only to download the actual trojan. The trojan's .EXE and .DLL are downloaded and executed. The execution of the .exe represents the brunt of the actual attack. It begins by modifying the registry, copying itself into all of the system startup registry values to ensure its re-execution. While running, the .exe process periodically issues an "advertisement" GET request to one of their master servers (or perhaps another infected host). It is conceivable that this is a method by which they can execute commands on the infected machine, update their malware, or force popups. However, we have not received any such commands or had time for a full disassembly of the binary, so this is just conjecture. The other function of the malware allows the .dll to turn Internet Explorer into spyware. This dll hooks a myriad of functions (InternetConnectA, HttpSendRequest, HttpOpenRequest, etc.) in order to spy on the system's user as he browses. The exact URLs the user visits are sent to one of the machines they control (interchangeably and seemingly at random). If the user POSTs a form, the post data is sent as well. The data is sent via a POST request to a PHP script. The modification that allows the .dll access, and causes it to be loaded by IExplore every time it runs, is a registry modification. The .dll, once loaded, is a classic hook configuration: it runs the code to POST the information to its sites and then connects to the actual website for the user. The malware seemingly makes no attempt to infect other browsers (Firefox, Opera, etc.).
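As an added example (not part of the Avinti briefing), the two network behaviours described above, the periodic "advertisement" GET beacon and the POST of captured form data to a PHP script on a bare IP address, can be flagged in proxy logs. The log format, client, hosts and paths below are constructed for illustration.

```python
# Added example: flag beacon-style GETs and PHP-endpoint POSTs in proxy logs.
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: epoch seconds, client, method, URL, status.
LOG = """\
1181836800 10.0.0.5 GET http://www.example.com/index.html 200
1181836805 10.0.0.5 GET http://203.0.113.7/adv.php?id=001 200
1181836830 10.0.0.5 POST https://mail.example.com/login 302
1181836831 10.0.0.5 POST http://203.0.113.7/in.php 200
1181836905 10.0.0.5 GET http://203.0.113.7/adv.php?id=002 200
1181837005 10.0.0.5 GET http://203.0.113.7/adv.php?id=003 200
1181837105 10.0.0.5 GET http://203.0.113.7/adv.php?id=004 200
1181837110 10.0.0.5 GET http://www.example.com/news.html 200
"""

LINE = re.compile(r"(\d+) (\S+) (GET|POST) (\w+)://([^/\s]+)(\S*) (\d{3})")
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")

def parse(log):
    """Return (timestamp, client, method, host, path) tuples."""
    rows = []
    for m in LINE.finditer(log):
        ts, client, method, _scheme, host, path, _status = m.groups()
        rows.append((int(ts), client, method, host, path))
    return rows

def php_posts_to_bare_ip(rows):
    """POSTs to a .php path on an IP with no hostname: the exfil pattern."""
    return [(ts, client, host + path) for ts, client, method, host, path in rows
            if method == "POST" and BARE_IP.match(host) and ".php" in path.lower()]

def periodic_gets(rows, min_hits=4, max_jitter=0.1):
    """Hosts fetched repeatedly by one client at a near-constant interval.
    Returns {(client, host): mean_interval_seconds} for suspected beacons."""
    times = defaultdict(list)
    for ts, client, method, host, _path in rows:
        if method == "GET":
            times[(client, host)].append(ts)
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            hits[key] = round(mean(gaps))
    return hits
```

Real proxies export different fields, so the regex is the only part that needs adapting; the interval check should be tuned against a baseline of legitimate polling (mail clients, update checks) before it is used for alerting.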

Note: Some of the names of files, IP addresses, and URLs have been intentionally left out of this document. Beckman has been notified that an attack has been released using their corporate identity. Please do not contact them unnecessarily, as they are not responsible for the email.
