Today

1
Todays Malicious Code Threat JS.Scob.Trojan
Analysis

• Peter Schawacker CISSP

2
Overview

• The JS.Scob.Trojan
• Timeline
• IE Security Overview
• How the attacks work
• Effects
• Solutions

3
Scob

• AKA
• Download.Ject
• JS.Scob.Trojan
• JS.Toofeer
• Backdoor.Berbew.F
• JS.Toofeer

4
MS04-011
Scob
5
Internet Explorer Security

• Cross Domain Model
• Local Machine Zone
• ...an implicit zone for content that exists on
  the local computer. The content found on the
  users computer except for content that Internet
  Explorer caches on the local system is treated
  with a high level of trust.

6
Timeline ADODB.Stream Object Bug

• FullDisclosure Post August 26 2003!!
• IE Bug allows client-side code execution
• Detailed Analysis
• http//archives.neohapsis.com/archives/fulldisclos
  ure/2004-06/0104.html
• Harmless example http//62.131.86.111/security/id
  iots/repro/installer.htm

7
Scob Discovered June 24

• The original post is available in the June 24
  Internet Storm Center Handlers Diary
• http//isc.sans.org/diary.phpdate2004-06-24isc
  400aeeda81e747d8889dacd941b7ebf6

8
Effects

• Trojan horse installation Scob
• Purpose of trojan to steal accounts
• An account is an identity!!
• First time web servers used since Nimda

9
Compromised IIS Servers

• A file is dropped on an IIS Server and
  subsequently executed to prepare the server. The
  relevant actions are
• File is dropped on IIS Server
• Create ads.vbs
• Drop files in C\winnt\system32\inetsrv/iis.dll
  
• Server configured to use this file as a footer
• Modify the configuration of the IIS Server such
  that served web pages are appended by a footer
  that contains malicious Java code

10
What Scob does

• Redirects IE to http//217.107.218.147/dot.php
• Visitor redirected to a file called new.html
• Exploit code redirects the visitor to
  Shellscript_loader.js
• In turn downloads and installs msits.exe
• (ADODB.Stream Object File Installation Weakness
  vulnerability)

11
What Scob does (continued)

• msits.exe application writes itself to a random
  executable file in c/winnt/system32
• Windows Media Player
• Reruns the process from the system directory.
• Copies two HTML forms crude login templates and
  a log file (surf.dat) to the system directory
• msits.exe attempts to record authentication
  credentials and their corresponding URLs
• Quasi-rootkit patches PhysicalMemory device
• Doesnt appear in Task List

12
Sites of Interest to Scob/msits.exe

• Paypal.com
• Signin.ebay
• .earthlink.
• juno.com
• my.juno.com/s
• webmail.juno.com
• yahoo.com
• http//crutop.nu/index.php
• http//crutop.ru/index.php
• http//mazafaka.ru/index.php
• http//color-bank.ru/index.php
• http//asechka.ru/index.php
• http//trojan.ru/index.php
• http//fuck.ru/index.php
• http//goldensand.ru/index.php
• http//filesearch.ru/index.php
• http//devx.nm.ru/index.php
• http//ros-neftbank.ru/index.ph

• http//lovingod.host.sk/index.ph
• http//www.redline.ru/index.php
• http//cvv.ru/index.php
• http//hackers.lv/index.php
• http//fethard.biz/index.php
• http//ldark.nm.ru/index.htm
• http//gaz-prom.ru/index.htm
• http//promo.ru/index.htm
• http//potleaf.chat.ru/index.htm
• http//kadet.ru/index.htm
• http//cvv.ru/index.htm
• http//crutop.nu/index.htm
• http//crutop.ru/index.htm
• http//mazafaka.ru/index.htm
• http//xware.cjb.net/index.htm
• http//konfiskat.org/index.htm
• http//parex-bank.ru/index.htm

13
Workarounds

• Set the Kill Bit on the ADODB.Stream Object (no
  patch from MS)
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
  Explorer\ActiveXCompatibility\00000566-0000-0010-
  8000-00AA006D2EA4 CompatibilityFlagsdword000
  00400
• Make Local Zone/My Computer Zone visible from the
  Internet Options Security tab
• Dont use IE (USCERT) (!!)

14
Host IPS Countermeasures (IIS Server)

• Triggers event IIS Shielding - File Mod. in
  System folder
• Triggers event IIS Shielding - Conf. File
  Activity (ADMCOMConnect)

15
Network IPS Countermeasures (IIS)

• SHELLCODE Shellcode Exploit Detected for i386
  Family CPUs
• KERBEROS Microsoft Kerberos ASN.1 Double Free
  Encoding Error
• LDAP Active Directory BO
• SSL Invalid Client Hell Cipher Suite Value
• SSL Overly Long PCT Client Hello Challenge
• SSL Microsoft ASN.1 Double Free Code Execution
• SSL PCT THCLame Challenge Buffer Overflow
• DCERPC Microsoft Windows LSASS Buffer Overflow
• DCERPC Microsoft RPC DCOM Buffer Overflow
• DCERPC Microsoft RPCSS Heap Overflow
• DCERPC Microsoft Message Queue Service Heap
  Overflow
• DCERPC Microsoft Messenger Service Buffer
  Overflow
• DCERPC Microsoft Workstation Service Buffer
  Overflow
• DCERPC W32/Gaobot.worm Detected

16
IPS Countermeasures (IE Client)

• Triggers event IE Envelope Suspicious Executable
  Modification

17
Anti-virus

• Detected by McAfee VirusScan
• BackDoor-AXJ.gen
• VBS/Psyme
• Exploit-MhtRedir.gen
• BackDoor-AXJ.dll

18
Why is this important

• What if your web server is trojaned
• What if your desktop is trojaned
• Who is doing this
• Whats next
• What should be done

19
Sources

• http//www.microsoft.com/security/incident/downloa
  d_ject.mspx
• http//www.microsoft.com/technet/security/bulletin
  /MS04-011.mspx
• http//62.131.86.111/analysis.htm
• http//www.incidents.org/

20
Questions

• Peter Schawacker
• ps_at_nai.com
• 760-880-4258