Trojan / Spyware: Connection made to 64.240.175.18 every time you use IE. Anti-spyware and anti-virus won't detect it.

From: Adonis.No.Spam (adonis1at_private)
Date: Tue Feb 05 2002 - 05:06:06 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                 .---------------.
                                / NtWaK0 Advisory \
    +---------------------------------------------------------------------------

    Affected         : All Windows systems with IE and kernell32.cab installed
    Type             : Connection made to 64.240.175.18 every time you use IE
    Type             : Trojan / Spyware
    Date             : 02-02-2002
    Author           : NtWaK0 @ www.SafeHack.com
    +---------------------------------------------------------------------------

    +-----------------.
     Trojan / Spyware  \
    +-------------------`-------------------------------------------------------

    +-----------.                                  * * * www.SafeHack.com * * *
     Disclaimer  \
    +-------------`-------------------------------------------------------------

    This material is presented for informational and entertainment purposes
    only, and to satisfy the curious. Any activities described in this file
    which involve vandalism, theft, or any other illegal activities are
    recounted from third-party conversations. I do not condone or encourage
    vandalism or theft. I do not accept any liability for anything anyone
    does with this information. So, don't shoot the messenger.
    Remember: Use a computer in ways that ensure respect for your fellows.

    +-------.
     T.O.C.  \
    +---------`-----------------------------------------------------------------

       [  Brief History ]
       [  The Problem ]
       [  The Solution ]

    +-------------.
     Brief History \
    +----------------`----------------------------------------------------------
    A friend mentioned the other day that he is seeing a connection being
    made to 64.240.175.18 on port 8989 every time he uses Internet Explorer.
    See the details below.

    +-----------.
     The Problem \
    +-------------`-------------------------------------------------------------
    After I had worked on the issue for some time I found a spyware kernell32 on
    his machine.

    How did I find the spyware?
    +--------------------------+
    I ran a port monitor application, launched Internet Explorer and went
    to google.com. Sure enough, when IE connected to google I saw two connections,
    one to google and one to 64.240.175.18 on port 8989. When I saw that I hmmed.

    Next I opened IE again but did not connect to any site (blank page). Sure
    enough, no connection to any site. As soon as I connect to any site I will
    see a connection to 64.240.175.18 on port 8989.

    After mapping the ports to the applications running on them, I found that
    IE is using port 8989. That is normal, since a connection was made
    to 64.240.175.18.

    Since I had never seen that IP before, I decided to investigate this issue more.

    I tried to search the registry for 64.240.175.18 but I was not lucky.
    I tried to search all files on the hard drive for the string 64.240.175.18 but
    still no luck.

    Next I jumped to a hardcore method :) using regmonitor and file monitor.
    After running Regmonitor and filemonitor I launched IE and connected to
    www.google.com. Now I had a big log to go over... I made another coffee
    and sat down and started looking into regmonitor/filemonitor.

    Something got my attention: a kernell32.dll reference.
    HKCR\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}\InprocServer32\(Default)
    "C:\WINNT\Downloaded Program Files\kernell32.dll"

    I searched for that file in C:\WINNT\Downloaded Program Files but did not
    find it. I continued looking at the regmonitor log and found something else:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
    Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
    Browser Helper Objects\{EBCDDA60-2A68-11D3-8A43-0060083CFB9C}]

    One of these keys was used to launch the trojan every time you run IE.

    At this point I ran wget http://64.240.175.18/kernell32.cab
    To my surprise the file was there. So I got the file and looked at it.
    The kernell32.cab contains two files: kernell32.dll, kernell32.inf

    Currently [2-2-2002] the file still exists on their site; if you would like to
    grab it, here is the URL: http://64.240.175.18/kernell32.cab

    NOTE: The interesting issue is that NORTON antivirus and the cleaner did not
    detect any trojan in the kernell32.dll. But the file is acting like the
    Win32.Destiny trojan.

    If you search google for Win32.Destiny you will find the description
    of the Win32.Destiny trojan. The same behavior applies to the file
    located at http://64.240.175.18/kernell32.cab

    [Extracted From
    http://www.vet.com.au/html/zoo/local/zoo_descriptions/destiny.htm ]

    Win32.Destiny

    Win32.Destiny trojan is a Dynamic Link Library (DLL) usually called
    "kernell32.dll". The use of this filename is probably an attempt to hide the
    trojan, as users may confuse it with the Windows system file "kernel32.dll".

    kernell32.dll, that's the DAMN file it downloads.

    The trojan registers itself as a "Browser Helper Object", a DLL which
    attaches itself to every instance of Internet Explorer. Because of this,
    the trojan is loaded whenever a new Internet Explorer session is started.

    The trojan connects to a machine on the internet on port 8989 and sends
    some information about the local system, including the IP address and the
    user's e-mail address. It also changes the following Internet Explorer
    security settings for the "Internet Zone":

    +------------.
     The Solution \
    +--------------`------------------------------------------------------------
    Someone must contact the administrator of the site 64.240.175.18 and tell
    him/her to rm the kernell32.cab from his/her site.

    Second, you can apply these suggestions:

    [Extracted From www.vet.com.au ]
    Download signed ActiveX controls: Prompt.
    Download unsigned ActiveX controls: Disable.
    Run ActiveX controls and plugins: Enable.
    Initialize and script ActiveX controls not marked as safe: Disable.
    Script ActiveX controls marked safe for scripting: Enable.
    +---------------------------------------------------------------------------
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1
    
    iQA/AwUBPF/XJfPoW9fFNsN8EQJJmACePMAmOe7P4UEHUD3P7Nzbcgyf0gMAn0j0
    Uq0kFGNuCUnvRjJzJDdxeRHw
    =1lr1
    -----END PGP SIGNATURE-----
    
    ________________________________________________________________________
    "The only secure computer is one that's unplugged, locked in a safe,
    and buried 20 feet under the ground in a secret location... and I'm
    not even too sure about that one" -- Dennis Hughes, FBI.
    ____________________________________________________________.___________
    Live Well Do Good  www.SafeHack.com                         |
    Je Pense, Donc Je Suis                                    \(|)/
    I know I ain't perfect, but i'm 99 point 9 percent :)    --(")--
    RFCs are meant to be read and followed…:)                  /`\  NtWaK0
    ________________________________________________________________________
    Connect yourself to the main computer and let me take you to a
    cybernetic ride. Are you connected to the right cybernet? If you are,
    finally you are connected to my brain.
    ________________________________________________________________________
    -=- Use a computer in a ways that ensure respect for your fellow     -=-
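The advisory finds the implant by walking from the Browser Helper Objects key to the CLSID's InprocServer32 path, and its fix is a set of Internet Zone ActiveX settings. The script below is an added example (not code from the advisory or from SafeHack) that does both checks offline against a registry export: it parses `.reg` text of the kind regedit produces, lists every registered BHO with its DLL path, flags a DLL that sits in "Downloaded Program Files" or whose name is one edit away from a Windows system DLL (kernell32 vs kernel32), and compares the Internet Zone's ActiveX values with the recommended ones. Assumptions: the export covers the BHO key, the matching `HKEY_CLASSES_ROOT\CLSID\...\InprocServer32` keys and the Internet Zone key; the value names 1001/1004/1200/1201/1405 follow the standard zone layout; the sample export is constructed, and the second CLSID `{00000000-0000-0000-0000-000000000001}` is made up.

```python
import re

# Registry locations from the advisory (BHO registrations, Internet Zone = zone 3).
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
SYSTEM_DLLS = {"kernel32", "user32", "ntdll", "advapi32", "shell32"}  # imitated names
# Recommended settings keyed by the REG_DWORD value name storing each policy
# (standard zone layout, assumed): 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1200": ("Run ActiveX controls and plugins", 0),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1405": ("Script ActiveX controls marked safe for scripting", 0),
}
LABELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample export: the advisory's BHO CLSID and DLL path, a benign
# BHO under a made-up CLSID, and an Internet Zone with two settings too loose.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_CLASSES_ROOT\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}\InprocServer32]
@="C:\\WINNT\\Downloaded Program Files\\kernell32.dll"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000
'''

def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}: @ becomes "(Default)",
    quoted strings are unescaped, dword values become ints, others stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            continue  # file header, blank line or syntax this parser ignores
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names such as kernell32."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_bhos(keys):
    """Return (clsid, dll_path, reasons) for every registered BHO, resolving the
    DLL through HKCR\\CLSID\\{clsid}\\InprocServer32 as the advisory did."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key in keys:
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = key[len(BHO_KEY) + 1:]
        server = by_lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
        path = server.get("(Default)", "")
        base = path.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".dll") else base
        reasons = []
        if not path:
            reasons.append("no InprocServer32 path found for this CLSID")
        if "downloaded program files" in path.lower():
            reasons.append("DLL lives in Downloaded Program Files, IE's ActiveX download directory")
        if stem not in SYSTEM_DLLS and any(edit_distance(stem, s) == 1 for s in SYSTEM_DLLS):
            reasons.append(f"'{base}' is one edit away from a Windows system DLL name")
        findings.append((clsid, path, reasons))
    return findings

def audit_zone(keys):
    """Return (policy, actual, recommended) for each Internet Zone ActiveX
    setting that differs from the advisory's recommendation (missing counts)."""
    zone = {k.lower(): v for k, v in keys.items()}.get(ZONE3_KEY.lower(), {})
    return [(policy, LABELS.get(zone.get(name), "missing"), LABELS[wanted])
            for name, (policy, wanted) in RECOMMENDED.items()
            if zone.get(name) != wanted]

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for clsid, path, reasons in audit_bhos(parsed):
        print(clsid, path, "; ".join(reasons) or "nothing suspicious")
    for policy, actual, wanted in audit_zone(parsed):
        print(f"{policy}: is {actual}, recommended {wanted}")
```

Run against the constructed export, the advisory's CLSID is reported twice over (download-cache location and the kernel32 look-alike name) while the toolbar BHO is clean, and the zone audit reports "Download signed ActiveX controls" and "Initialize and script ActiveX controls not marked as safe" as looser than recommended. The name heuristic is deliberately narrow (edit distance exactly one) so that legitimate DLLs do not trip it; a real sweep would also verify each resolved DLL exists and is signed.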
    



    This archive was generated by hypermail 2b30 : Tue Feb 05 2002 - 13:14:19 PST