Tencent Computer Butler · 2015/10/18 15:08

0x01 Overview


Recently, the Tencent Anti-Virus Laboratory intercepted a malicious software-promotion Trojan whose total spread has reached the millions. Analysis and investigation found that the Trojan has the following characteristics:

1) The Trojan is spread through drive-by downloads planted in web pages ("horse hanging"). According to our analysis, the vulnerability used is the Flash vulnerability CVE-2015-5122, revealed in the Hacking Team leak some time ago. A newer version of Flash Player fixes the vulnerability, but a large number of computers in China have not been updated, which allows the Trojan to spread.

2) Analysis and tracking found that the carrier of the drive-by attack is an advertisement Flash file. It is present on a large number of gambling websites, pornography websites, game plug-in (cheat) and private-server websites, and small and medium-sized download sites, as well as in the pop-ups of some rogue software, so its impact is extensive.

3) The vulnerability used in the drive-by attack affects mainstream browsers such as Internet Explorer and Chrome on the Windows, Mac OS X and Linux platforms. In testing, unpatched computers triggered the drive-by download, and mainstream domestic browsers did not effectively block it or warn the user.

4) The Trojan's variants are updated quickly, with a new variant replacing the old one every 2-3 hours on average. This avoids detection by security software and keeps the prevalence of any single file low, so the samples escape security software's prevalence monitoring.

5) The main function of the Trojan is to silently install a number of rogue programs. Some of the installed rogue software can in turn silently install applications onto Android phones, which is seriously harmful. The Trojan also plays "black eats black": it can remove other common rogue software already installed on the machine, so that it has the computer to itself.

Figure 1. Schematic diagram of the Flash-vulnerability drive-by download

0x02 Analysis of the Drive-by Websites


Analysis and tracking found that the carrier of the drive-by attack is an advertisement Flash file. When a user visits a drive-by website, the Flash file is downloaded and played automatically, which triggers the vulnerability and leads to infection by the Trojan. See Figure 2.

Figure 2. One of the drive-by websites

Figure 3 shows the Flash file that carries the exploit. Interestingly, if Flash on the current computer has been patched, the normal advertisement is displayed. If Flash has not been patched, the vulnerability is triggered and shellcode is executed in the browser process.

Figure 3. The drive-by Flash file

Decompiling the Flash file reveals that it was modified from Hacking Team's leaked code and then encrypted and obfuscated with DoSWF to make it harder for security personnel to analyze. Figure 4 shows the code of the drive-by Flash file.

Figure 4. Decompiled code of the drive-by Flash file

When the vulnerability is triggered, shellcode is executed directly in the browser process. The shellcode downloads hxxp://222.186.10.210:8861/calc.exe to the local machine, saves it in the browser's current directory under the file name explorer.exe, and executes it.

Figure 5. The shellcode is obfuscated; its main function is download-and-execute

To avoid detection by antivirus software, explorer.exe is updated very quickly, with a new variant every 2-3 hours on average. Besides modifying the code to evade signatures, the variants often change their icon. The following are icons collected from explorer.exe variants.

Figure 6. Camouflage icons used by the Trojan

The variants keep the prevalence of each sample low so that security vendors do not notice it. The Trojan has been spreading since the middle of October. The MD5 statistics of the variants with a total spread of tens of thousands are as follows:

Figure 7. MD5 list of the variants with a total spread of tens of thousands so far

0x03 Trojan Behavior Analysis


When the Trojan runs, it checks whether the file c:\okokkk.txt exists. If the file exists, the machine is already infected and the Trojan exits without infecting it again. If the file does not exist, the Trojan creates it and then starts two threads: one installs the rogue software it promotes, and the other cleans out rogue software that it does not promote.

Figure 8. Re-infection is prevented by checking for the "C:\okokkk.txt" file
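A detection sketch for the behaviour described above, added here as an example and not part of the original report: because a new variant appears every 2-3 hours, hash matching goes stale quickly, so the checks key on the explorer.exe dropped beside the browser and on the c:\okokkk.txt marker. The event format, the browser list, the C:\Windows install path and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Constructed sample events (process and file creation), not real telemetry.
EVENTS = [
    {"type": "process", "host": "pc-01", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"type": "process", "host": "pc-02",
     "image": r"C:\Program Files\Internet Explorer\explorer.exe",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"type": "file", "host": "pc-02", "path": r"c:\okokkk.TXT"},
    {"type": "process", "host": "pc-03", "image": r"C:\Tools\explorer.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "pc-04", "path": r"C:\Users\a\okokkk.txt"},
]

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}  # assumed browser list
LEGIT_EXPLORER = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}
MARKER = r"c:\okokkk.txt"  # infection marker named in the report


def norm(path):  # Windows paths are case-insensitive: normalise before comparing
    return ntpath.normpath(path).lower()


def classify(event):
    """Return a finding name for one event, or None if nothing matches."""
    if event["type"] == "file" and norm(event["path"]) == MARKER:
        return "infection-marker"
    if event["type"] == "process":
        image, parent = norm(event["image"]), norm(event["parent"])
        if ntpath.basename(image) == "explorer.exe" and image not in LEGIT_EXPLORER:
            # Assumes the browser's current directory is its install directory.
            same_dir = ntpath.dirname(image) == ntpath.dirname(parent)
            if ntpath.basename(parent) in BROWSERS and same_dir:
                return "browser-dropped-explorer"  # matches the shellcode behaviour
            return "masquerading-explorer"  # weaker signal, still worth triage


def triage(events):
    """Group findings per host so co-occurring signals stand out."""
    hits = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            hits.setdefault(ev["host"], []).append(finding)
    return hits


if __name__ == "__main__":
    print(triage(EVENTS))
```

A host that shows both the browser-dropped explorer.exe and the marker file, as pc-02 does in the constructed data, matches the full infection sequence the report describes.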

"Black eats black" is one of the features of this Trojan. After it runs, it creates a dedicated thread that detects and removes other software's desktop shortcuts, Start menu items and so on. Most of the removed items belong to rogue software. The Trojan carries a built-in list that covers a large number of rogue programs; the following is only part of that list.

Figure 9. Some of the desktop shortcuts deleted by the Trojan

Figure 10. Some of the menu items removed by the Trojan

The Trojan also terminates specified processes in a loop, including TaskMgr (Task Manager), QQPCDownload (the online installer for the housekeeper) and the installers of various other software.

Figure 11. Terminating the specified processes in a loop

The Trojan sends information to a statistics page to count the number of installs, and then downloads and silently installs the following software (11 in total). Among them, HBSetup64.exe is rogue software that can silently install mobile applications onto Android phones connected to the computer, causing serious harm.

Figure 12. List of software silently promoted by the Trojan and the install-statistics address

0x04 Afterword


The Hacking Team data breach has lowered the threshold for hacking and brought the entire underground industry chain to a new technical level. Attackers only need to make small changes to the code to produce powerful "weapons" that pose a serious threat to Internet security. We also hope that Internet users will install the relevant security patches in a timely manner.