[Analysis] Berbew/Webber/Padodor Trojan

26/06/2004 - 16:05 by Ille Corvus
Berbew/Webber/Padodor Trojan Analysis
by LURHQ Threat Intelligence Group
Source: http://www.lurhq.com/berbew.html

Release Date
June 25, 2004

A number of sites are reporting malicious javascript code being
appended to every page served by their IIS server. Some in the press
are speculating that there is a new "zero-day" IIS vulnerability
circulating. At this time LURHQ has seen no evidence for a new
vulnerability or worm. We have seen a relatively small number of sites
reporting the infections of IIS servers, so it is possible the sites
were hacked manually or by the webmaster surfing using IE on the
webserver box itself. There has been no notable increase in scanning
for port 80 and there is no new exploit code being picked up by LURHQ
honeypots at this time.

The main exposure to this attack comes from users who surf to one of
the infected sites using Internet Explorer. The malicious javascript
surreptitiously installs a variant of the Berbew/Webber/Padodor
trojan.

Analysis

Name: msits.exe, renamed on install
Size: 51,712 bytes
MD5 Sum: Varies, the download site appears to employ some
pseudo-polymorphism in the delivery mechanism, so the file is altered
frequently to evade anti-virus signatures

The trojan is installed via the ADODB/javascript redirection exploit
for Internet Explorer for which there is no current patch. When a user
visits an infected IIS server using IE, the trojan will be downloaded
from a Russian webserver and executed in the background. It copies
itself to the system directory using a random name, and also extracts
a DLL file which acts as a loader for the EXE at boot time using the
ShellServiceObjectDelayLoad registry key.

The trojan appears to be designed for the purposes of "phishing", that
is, stealing financial and other account details from the infected
user. While most phishing is done via email, this trojan directly
captures passwords and logins if the infected user attempts to log in
to Ebay or Paypal and also Earthlink, Juno and Yahoo webmail accounts.
It also appears designed to create fake popup windows when the user
visits certain sites in an attempt to coerce credit card and PIN
numbers from the user, although this functionality may not work on all
platforms.

There are reports that this variant sets up a spam proxy or backdoor
listener on the infected system. This is incorrect; there is no remote
communication with the trojan except the periodic upload of stolen
passwords which is accomplished through the use of hidden IE windows
using HTML forms and javascript to autosubmit.

The trojan has some rudimentary rootkit functionality; by patching
in-memory DLLs using the PhysicalMemory device it will not show up in
the Windows task manager list. It will also crash some third-party
process-listers.

More information and remediation steps can be found on Microsoft's
site: http://www.microsoft.com/security/i..._ject.mspx

Removal

Manual removal is as follows. Do not attempt this procedure if you are
not comfortable editing your registry, as you can render your system
unbootable if you make a mistake.

Search the registry for the key
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
and remove the entry:

"Web Event Logger" = "{79FB9088-19CE-715E-D900-216290C5B738}"

Also remove in
HKCR\CLSID\{79FB9088-19CE-715E-D900-216290C5B738}\InProcServer32:

"(Default)" = "%sysdir%/xxxxxx32.dll"
"ThreadingModel" = "Apartment"

where xxxxxx is a random string of lowercase characters. Reboot the
machine and remove the dll file from the system directory. The trojan
exe file also has a random name, but can be spotted by looking for
files with the same timestamp as the dll. Remove surf.dat from the
system directory - this file contains captured logins and passwords.
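As an added illustration of the registry check above (this is not LURHQ's code), the script below parses a regedit .reg export, resolves every ShellServiceObjectDelayLoad entry to the DLL its CLSID loads, and flags the CLSID named in the advisory and the xxxxxx32.dll naming pattern. The export text, the "ExampleLegit" entry, its placeholder CLSID and the kqwvnz32.dll name are all constructed for the example.

```python
import re

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad").lower()
IOC_CLSID = "{79FB9088-19CE-715E-D900-216290C5B738}"          # CLSID named in the advisory
RANDOM_DLL = re.compile(r"\\[a-z]{6}32\.dll$", re.IGNORECASE)  # the xxxxxx32.dll pattern

# Constructed .reg export: one benign entry (placeholder CLSID) and one infected entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ExampleLegit"="{00000000-0000-0000-0000-000000000001}"
"Web Event Logger"="{79FB9088-19CE-715E-D900-216290C5B738}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FB9088-19CE-715E-D900-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\kqwvnz32.dll"
"ThreadingModel"="Apartment"
'''

def parse_reg(text):
    """Return {key (lower-cased): {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def find_ssodl_loaders(keys):
    """Resolve each SSODL entry to its InProcServer32 DLL; return (name, clsid, dll, reasons)."""
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
        dll = keys.get(server_key, {}).get("(Default)", "")
        reasons = []
        if clsid.upper() == IOC_CLSID:
            reasons.append("CLSID named in the LURHQ advisory")
        if RANDOM_DLL.search(dll):
            reasons.append("random-looking xxxxxx32.dll loader name")
        findings.append((name, clsid, dll, reasons))
    return findings

if __name__ == "__main__":
    for name, clsid, dll, reasons in find_ssodl_loaders(parse_reg(SAMPLE_REG)):
        print(f"{name:18} {clsid} -> {dll}  {'SUSPECT: ' + '; '.join(reasons) if reasons else 'ok'}")
```

Every SSODL entry is listed, not only the flagged one, so an unfamiliar CLSID or DLL that matches neither indicator still gets a human look before reboot.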

Snort Signatures
The following Snort signature can detect infections of this trojan on
your network:

alert tcp any any -> any 80 (msg:"Webber/Berbew trojan keystroke log
upload"; flow:established; content:"id=crutop|26|vvpupkin0=";
depth:20; classtype:trojan-activity;
reference:url,www.lurhq.com/berbew.html; sid:1000108; rev:1;)
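To show what the signature's content and depth options actually match, here is an added example (not Snort's or LURHQ's code) that decodes the |26| escape and replays the content/depth logic over constructed TCP payloads; the sample payloads, host name and URI are made up for the example.

```python
def decode_snort_content(spec):
    """Expand Snort's |xx| hex escapes; e.g. 'a|26|b' -> b'a&b'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

RULE_CONTENT = decode_snort_content("id=crutop|26|vvpupkin0=")  # 20 bytes once decoded
RULE_DEPTH = 20
RULE_DST_PORT = 80

def rule_matches(dst_port, payload):
    """depth:N limits the search to the first N payload bytes, and the whole
    content string must fit inside that window."""
    return dst_port == RULE_DST_PORT and RULE_CONTENT in payload[:RULE_DEPTH]

# Constructed samples. Because the content is exactly 20 bytes and depth is 20,
# the rule fires only when the form body begins a TCP segment: if the HTTP
# headers share the segment with the body, the content falls outside the window.
BODY_ONLY = b"id=crutop&vvpupkin0=<captured form data>"
WITH_HEADER = (b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + BODY_ONLY)
UNRELATED = b"id=someone&user=x"

if __name__ == "__main__":
    for label, payload in (("body only", BODY_ONLY), ("headers+body", WITH_HEADER),
                           ("unrelated", UNRELATED)):
        print(f"{label:13} -> {'ALERT' if rule_matches(80, payload) else 'no match'}")
```

If the same check is run over a reassembled stream rather than individual packets, the depth needs to be widened (or an offset added) to reach past the request headers.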



About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security
Services. Founded in 1996, LURHQ has built a strong business
protecting the critical information assets of more than 400 customers
by offering managed intrusion prevention and protection services.
LURHQ's 24X7 Incident Handling capabilities enable customers to
enhance their security posture while reducing the costs of managing
their security environments. LURHQ's OPEN Service Delivery™
methodology facilitates a true partnership with customers by providing
a real time view of the organization's security status via the
Sherlock Enterprise Security Portal. For more information visit
http://www.lurhq.com.

Copyright (c) 2004 LURHQ Corporation Permission is hereby granted for
the redistribution of this document electronically. It is not to be
altered or edited in any way without the express written consent of
LURHQ Corporation. If you wish to reprint the whole or any part of
this document in any other medium excluding electronic media, please
e-mail advisories@lurhq.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties implied or otherwise with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information.


Deserving of Filtering (Global Kill-File):
tella llop, jm (N.B. 2003.10.25)


«I would rather annoy with the truth than please with flattery (Lucius Annaeus Seneca)»
