Tracking Down Bifrose Infection Attempt (part 2) | Joachim De Zutter
File sent from compromised Skype account (Skype ID: almosthuman, 05/10/2010).
Filename: my sexy ho0oo0oT ass Big1 .exe
Filesize: 254333
MD5: e695ab1722a3b635c033509607eed93f
SHA1: 968f0555572cad01cb9c1013334b790815117eab
SHA256: 56e4505e0cb406ff1ba5df571477cb5465eda5c992113f69927947a4ab419e10
The file was not detected by AVG when this text was first written.
The binary appears to be programmed in Visual Basic 6.0 and contains the strings:
"C:\Documents and Settings\zezoo\سطح المكتب\Bifrost Stub Generator v1.0\Visual Basic 6.0\VB6.OLB" (the Arabic folder name is the localized "Desktop")
"C:\Documents and Settings\zezoo\" ... "\Bifrost Stub Generator v1.0\Data\SGen-1\Project1.vbp" (widechar)
"OriginalFilename" ... "Stub.exe" (widechar)

The embedded hexadecimally encoded binary has the following PE header, which indicates an image size of 0x8960 = 35168 bytes:
Count of sections              2
Symbol table  00000000[00000000]
Size of optional header     00E0
Linker version              6.00
Image version               0.00
Entry point             00007C89
Size of init data       00000A00
Size of image           00008960
Base of code            00001000
Image base              00400000
Section alignment       00001000
Stack          00100000/00001000
Checksum                00010249
Machine                 intel386
TimeStamp               47750417
Magic optional header       010B
OS version                  4.00
Subsystem version           4.00
Size of code            00007000
Size of uninit data     00000000
Size of headers         00000200
Base of data            0000000C
Subsystem            Windows GUI
File alignment          00000200
Heap           00100000/00001000
Number of directories          0
It contains the strings:
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
MSVCRT.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
RegCloseKey
DeleteDC
atoi
ShellExecuteA
SHDeleteKeyA
ToAscii
InternetOpenA
VirtualAlloc
Kernel32.dll
VirtualFree
LoadLibraryA
VirtualProtect
GetModuleHandleA
GetProcAddress
kernel32.dll
GetProcAddress
GetModuleHandleA
GetTickCount
KERNEL32.dll
MessageBoxA
USER32.dll
ExitProcess
GetStartupInfoA
GetCommandLineA
HeapAlloc
GetProcessHeap
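As an added example (not the author's tooling), the following Python carves a hex-encoded PE image out of a string dump such as the one above and reads the same header fields the dump lists. Because the page does not reproduce the raw bytes, the sample blob it parses is constructed from the values quoted above; the Characteristics word (0x010F), the zeroed DOS stub and the text around the blob are assumptions, and no section table is included.

```python
"""Carve a hex-encoded PE image out of a string dump and read its headers.
Added example for this page; not the author's tooling."""
import re
import struct
from datetime import datetime, timezone

# IMAGE_OPTIONAL_HEADER32 up to (not including) the data directories: 96 bytes
OPT32 = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
OPT32_FIELDS = (
    "magic", "linker_major", "linker_minor", "size_code", "size_init", "size_uninit",
    "entry_point", "base_code", "base_data", "image_base", "section_align", "file_align",
    "os_major", "os_minor", "image_major", "image_minor", "subsys_major", "subsys_minor",
    "win32_version", "size_image", "size_headers", "checksum", "subsystem", "dll_chars",
    "stack_reserve", "stack_commit", "heap_reserve", "heap_commit", "loader_flags",
    "num_directories")


def parse_pe(image: bytes) -> dict:
    """Read e_lfanew, IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER32 from a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    hdr = dict(zip(("machine", "sections", "timestamp", "symtab", "symbols", "opt_size",
                    "characteristics"), struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)))
    hdr.update(zip(OPT32_FIELDS, struct.unpack_from(OPT32, image, e_lfanew + 24)))
    if hdr["magic"] != 0x10B:
        raise ValueError("not a PE32 optional header")
    # TimeDateStamp is seconds since the Unix epoch (linker build time, if not forged)
    hdr["compile_date"] = datetime.fromtimestamp(hdr["timestamp"], timezone.utc).strftime("%Y-%m-%d")
    return hdr


def sanity(hdr: dict) -> list:
    """Cheap plausibility checks before trusting a carved header."""
    problems = []
    if hdr["machine"] != 0x14C:
        problems.append("not an i386 image")
    if hdr["size_image"] % hdr["section_align"]:
        problems.append("SizeOfImage not a multiple of SectionAlignment")
    if not hdr["base_code"] <= hdr["entry_point"] < hdr["size_image"]:
        problems.append("entry point outside the image")
    return problems


def carve_hex_pe(text: str):
    """Return (image, header) for the first byte-aligned 'MZ' (4d5a) in a long hex run that parses."""
    for run in re.finditer(r"[0-9A-Fa-f]{128,}", text):
        hexstr = run.group(0)
        for m in re.finditer("(?i)4d5a", hexstr):
            start = m.start()
            if start % 2:          # '..4d 5a..' straddling two bytes is not an MZ header
                continue
            end = start + (len(hexstr) - start) // 2 * 2
            image = bytes.fromhex(hexstr[start:end])
            try:
                return image, parse_pe(image)
            except (ValueError, struct.error):
                continue
    return None


def build_sample() -> str:
    """Constructed stand-in for the stub's embedded blob, filled with the header values
    quoted above. Characteristics (0x010F) and the zeroed DOS stub are assumptions."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x47750417, 0, 0, 0xE0, 0x010F)
    opt = struct.pack(OPT32, 0x10B, 6, 0, 0x7000, 0xA00, 0, 0x7C89, 0x1000, 0xC, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x8960, 0x200, 0x10249, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 0)
    image = bytes(dos) + b"PE\0\0" + file_hdr + opt + bytes(0xE0 - len(opt))
    return "VB6.OLB 00ff " + image.hex() + " Stub.exe"          # assumed noise around the blob


if __name__ == "__main__":
    image, hdr = carve_hex_pe(build_sample())
    print(f"sections={hdr['sections']} entry=0x{hdr['entry_point']:X} "
          f"SizeOfImage={hdr['size_image']} built={hdr['compile_date']}")
    print("sanity:", sanity(hdr) or "ok")
```

Two things the dump alone does not make obvious: the TimeDateStamp 47750417 decodes to 28 December 2007, and SizeOfImage 0x8960 is not a multiple of the 0x1000 section alignment, which the PE specification requires. Windows tolerates the latter, but it is a useful hint that the header was produced by a stub generator rather than a standard linker run.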
Server.exe (254333 bytes, i.e. a copy of the original file) is placed under C:\Program Files\Bifrost\ and tries to establish a reverse connection to 94.97.82.161 on TCP port 81 by injecting code into a newly created, suspended iexplore.exe process. The IP address is obtained by a DNS query for zezo0o.no-ip.biz.

The startup method registry key is found under
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}\stubpath = "C:\Program Files\Bifrost\server.exe s"

TCP packets were sent/received after completing the TCP handshake on port 81 at Thursday 7th of October 8:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 9:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 10:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 11:40:00 (GMT + 1:00).
zezo0o.no-ip.biz was responding to [SYN] with [RST,ACK] on TCP port 81 at Thursday 7th of October 12:50:00 (GMT + 1:00).
TCP packets were sent/received after completing the TCP handshake on TCP port 81 at Thursday 7th of October 13:00:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 13:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 14:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 15:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 16:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was not responding to [SYN] on TCP port 81 at Thursday 7th of October 17:30:00 (GMT + 1:00).
zezo0o.no-ip.biz was responding to [SYN] with [RST,ACK] on TCP port 81 at Thursday 7th of October 18:30:00 (GMT + 1:00).

Local time in Saudi Arabia is GMT + 3:00.

http://www.utrace.de/?query=94.97.82.161
Provider: SaudiNet, Saudi Telecom Company
Region: Riyadh (SA)


Friday 8th of October 7:00 (GMT + 1:00) zezo0o.no-ip.biz resolved to 2.91.155.160.

http://www.utrace.de/?query=2.91.155.160
Provider: SaudiNet, Saudi Telecom Company

zezo0o.no-ip.biz was responding to [SYN] with [RST,ACK] on TCP port 81 at Friday 8th of October 10:30:00 (GMT + 1:00).
TCP packets were sent/received after completing the TCP handshake on TCP port 81 at Friday 8th of October 11:30:00 (GMT + 1:00).

Saturday 9th of October 16:50 (GMT + 1:00) zezo0o.no-ip.biz resolved to 94.96.15.154.

http://www.utrace.de/?query=94.96.15.154
Provider: SaudiNet, Saudi Telecom Company

Saturday 9th of October 17:40 (GMT + 1:00) zezo0o.no-ip.biz resolved to 188.54.60.206.
http://www.utrace.de/?query=188.54.60.206
Provider: SaudiNet, Saudi Telecom Company
Region: Jiddah (SA)


Sunday 10th of October 9:20 (GMT + 1:00) zezo0o.no-ip.biz resolved to 188.55.1.119.
http://www.utrace.de/?query=188.55.1.119
Provider: SaudiNet, Saudi Telecom Company
Region: Jiddah (SA)


Sunday 10th of October 13:05 (GMT + 1:00) zezo0o.no-ip.biz resolved to 94.99.31.233.
http://www.utrace.de/?query=94.99.31.233
Provider: SaudiNet, Saudi Telecom Company

Sunday 10th of October 15:45 (GMT + 1:00) zezo0o.no-ip.biz resolved to 94.99.65.144.
http://www.utrace.de/?query=94.99.65.144
Provider: SaudiNet, Saudi Telecom Company

Monday 11th of October 22:00 (GMT + 1:00) zezo0o.no-ip.biz resolved to 77.30.52.1.
http://www.utrace.de/?query=77.30.52.1
Provider: SaudiNet, Saudi Telecom Company
Region: Riyadh (SA)


Tuesday 12th of October 14:20 (GMT + 1:00) zezo0o.no-ip.biz resolved to 77.31.108.73.
http://www.utrace.de/?query=77.31.108.73
Provider: SaudiNet, Saudi Telecom Company

Monday 18th of October 13:30 (GMT + 1:00) zezo0o.no-ip.biz resolved to 188.48.61.254.
http://www.utrace.de/?query=188.48.61.254
Provider: SaudiNet, Saudi Telecom Company
Region: Jiddah (SA)


Each network packet starts with 2 bytes giving the length of the encrypted data (little-endian), followed by 2 further bytes (always 00 00 in the captures below, so the field may equally be a single 4-byte little-endian length), followed by the RC4-encrypted data. The RC4 key appears to be 16 bytes long and to correspond to: A3 78 26 35 57 32 2D 60 B4 3C 2A 5E 33 34 72 00. The keystream is restarted for every packet, i.e. every packet is XORed with the same keystream from offset 0, so the following C code, adapted from Wikipedia, generates that default keystream:
#include <stdio.h>

unsigned char S[256];
unsigned int i, j;

void swap(unsigned char *s, unsigned int i, unsigned int j) {
    unsigned char temp = s[i];
    s[i] = s[j];
    s[j] = temp;
}

/* KSA */
void rc4_init(unsigned char *key, unsigned int key_length) {
    for (i = 0; i < 256; i++)
        S[i] = i;
    for (i = j = 0; i < 256; i++) {
        j = (j + key[i % key_length] + S[i]) & 255;
        swap(S, i, j);
    }
    i = j = 0;
}

/* PRGA */
unsigned char rc4_output() {
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    swap(S, i, j);
    return S[(S[i] + S[j]) & 255];
}

int main(void) {
    int k = 0, output_length;
    /* 16-byte key observed in the traffic; the trailing 0x00 is part of the key */
    unsigned char key[] = "\xA3\x78\x26\x35\x57\x32\x2D\x60\xB4\x3C\x2A\x5E\x33\x34\x72\x00";
    output_length = 65536;
    rc4_init(key, 16);
    /* print the keystream as hex; XOR a packet's payload with it starting at offset 0 */
    while (k < output_length) {
      printf("%02X", rc4_output());
      k++;
    }
    printf("\n");
    return 0;
}
The captured network traffic between victim and attacker begins like this:
victim send():
e5000000994fb068fc6a901c45f6b1309ff53a126612976f5b564dc79696455a
310b90e9873164aed9e4bcbd3cac00aa48ac2b97e97448208dc54001da244b26
1d0b2f4a9c9b9ae85c0917628b234ef8ea8941b2036a540fa6e204e00c9746a1
d78cb982392dd16561dc26b1908a7f93504f5c8eb2af821f0794493cf5dd1435
67ef16af66b364b311c00d4a884601b607f8bc287ff81ef3046293e477e5add4
1c5900d580941efc839a6ec98404d3e49098f32ace208f4bb49f34b50f920dc3
4c44f62b12487fcb86c77ce085fbb9df0fe2fb92634375a4924a4ce57e48686e
7d37bb404402e956cf
decrypted:
"010.0.2.15|Default|C41241386E4F480|admin|p1.2d||0|-1|0|156|0|1|0|0|c411476c|"
"C:\Documents and Settings\admin\Recent|C:\Documents and Settings\admin\Desktop|"
"C:\Documents and Settings\admin\My Documents|US|00000409|Program Manager|?"
After which the attacker machine polls for the title of the active window:
victim recv(): 05000000bc548860cf
decrypted: 152A082603

victim send(): 190000009a548860cf42ae327493bf1b9de13a0a2a2b8a420e001a81a7
decrypted: 332A082603060C000050726F6772616D204D616E6167657200
... "Program Manager"

victim recv(): 05000000bca99460cf
decrypted: 15D7142603

victim send(): 190000009aa99460cf58ba327493bf1b9de13a0a2a2b8a420e001a81a7
decrypted: 33D71426031C18000050726F6772616D204D616E6167657200
... "Program Manager"

victim recv(): 05000000bc198161cf
decrypted: 1567012703

victim send(): 0a0000009a198161cf08523274c3
decrypted: 33670127034CF0000000
... (null)

...
The attacker also sent:
victim recv(): 100000006eeae346cc25c6561badbe5a9ef22f67
decrypted: C7946300006164646F6E732E64617400
... "addons.dat"

victim send(): 02000000ef7e
decrypted: 4600
This was followed by the contents of the file, which was written to disk as:
Filename: %APPDATA%/addons.dat
Filesize: 25492
MD5: bdfc2a647a91c79e6e85378d48a91c61
SHA1: ff9832c0743d7f29bf1b9145fe73fedc0e045e42
SHA256: a6fa12bedcebc16a70cf443a7d907cafed2b855af12df41f97eacf0dbaf11248
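The packet framing described above and the exchange just shown, as an added Python example that is not part of the original analysis: it parses the length-prefixed frames, recovers the keystream by XORing the "Program Manager" reply with its known plaintext (the keystream restarts at offset 0 for every packet, so this step needs no key at all), decrypts the first bytes of the other captured packets with it, and finally reports whether RC4 under the 16-byte key quoted above reproduces the recovered keystream. The packet bytes are copied from the capture; the key check only prints a result and assumes nothing beyond what the text states.

```python
"""Framing and keystream recovery for the Bifrost C2 packets quoted above.
Added example; not the author's code. Packet bytes are copied from the capture."""
from binascii import unhexlify

HDR_LEN = 4   # 2-byte little-endian length + 2 bytes (always 00 00 in the capture)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(data, rc4_keystream(key, len(data))))


def split_packet(raw: bytes):
    """Return (length_field, body); reject frames whose length field disagrees with the body."""
    if len(raw) < HDR_LEN:
        raise ValueError("truncated header")
    declared = int.from_bytes(raw[:2], "little")
    body = raw[HDR_LEN:]
    if len(body) != declared:
        raise ValueError(f"length field {declared} but body has {len(body)} bytes")
    return declared, body


def is_well_formed(raw: bytes) -> bool:
    try:
        split_packet(raw)
        return True
    except ValueError:
        return False


def recover_keystream(cipher_body: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext attack: the keystream restarts at offset 0 for every packet,
    so one fully understood packet yields keystream bytes that decrypt the same
    offsets of every other packet, without knowing the key."""
    return bytes(c ^ p for c, p in zip(cipher_body, known_plain))


def decrypt_prefix(raw: bytes, ks: bytes) -> bytes:
    """Decrypt as much of a packet body as the recovered keystream covers."""
    _, body = split_packet(raw)
    return bytes(c ^ k for c, k in zip(body, ks))


# Packets from the capture (victim's view); the reply carries "Program Manager".
WINDOW_TITLE_REPLY = unhexlify("190000009a548860cf42ae327493bf1b9de13a0a2a2b8a420e001a81a7")
WINDOW_TITLE_PLAIN = unhexlify("332A082603060C000050726F6772616D204D616E6167657200")
FIRST_BEACON = unhexlify(
    "e5000000994fb068fc6a901c45f6b1309ff53a126612976f5b564dc79696455a"
    "310b90e9873164aed9e4bcbd3cac00aa48ac2b97e97448208dc54001da244b26"
    "1d0b2f4a9c9b9ae85c0917628b234ef8ea8941b2036a540fa6e204e00c9746a1"
    "d78cb982392dd16561dc26b1908a7f93504f5c8eb2af821f0794493cf5dd1435"
    "67ef16af66b364b311c00d4a884601b607f8bc287ff81ef3046293e477e5add4"
    "1c5900d580941efc839a6ec98404d3e49098f32ace208f4bb49f34b50f920dc3"
    "4c44f62b12487fcb86c77ce085fbb9df0fe2fb92634375a4924a4ce57e48686e"
    "7d37bb404402e956cf")
ADDONS_CMD = unhexlify("100000006eeae346cc25c6561badbe5a9ef22f67")
ACK = unhexlify("02000000ef7e")
PAGE_KEY = bytes.fromhex("A378263557322D60B43C2A5E33347200")  # key as stated in the text


def recovered_keystream() -> bytes:
    _, body = split_packet(WINDOW_TITLE_REPLY)
    return recover_keystream(body, WINDOW_TITLE_PLAIN)


def key_reproduces_capture(key: bytes) -> bool:
    """True if RC4 under `key` yields the keystream recovered from the capture."""
    ks = recovered_keystream()
    return rc4_keystream(key, len(ks)) == ks


if __name__ == "__main__":
    ks = recovered_keystream()
    print("recovered keystream:", ks.hex())
    for name, pkt in (("beacon", FIRST_BEACON), ("addons", ADDONS_CMD), ("ack", ACK)):
        print(name, decrypt_prefix(pkt, ks))
    print("page key reproduces keystream:", key_reproduces_capture(PAGE_KEY))
```

The 25 keystream bytes recovered from the window-title reply are enough to decrypt the whole "addons.dat" command and the first 25 bytes of the beacon ("010.0.2.15|Default|C41241"), which is how the framing and the per-packet keystream reset can be confirmed before any key is known; a longer known-plaintext packet extends the usable keystream accordingly.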

The file is compressed and RC4 encrypted. In decrypted and decompressed form it contains binary code for extracting license keys and passwords; it contains the strings:
KSV!
The Sims    Software\Electronic Arts\Maxis\The Sims\ergc    Call of Duty    
Software\Activision\Call of Duty    Hidden & Dangerous 2    key 
Software\Illusion Softworks\Hidden & Dangerous 2    Chrome  SerialNumber    
Software\Techland\Chrome    NOX Software\Westwood\NOX   Command and 
Conquer: Red Alert 2    Software\Westwood\Red Alert 2   Command and 
Conquer: Red Alert  Software\Westwood\Red Alert Command and Conquer: 
Tiberian Sun   Serial  Software\Westwood\Tiberian Sun  Rainbow Six III 
RavenShield Software\Red Storm Entertainment\RAVENSHIELD    NASCAR Thunder 
TM 2004  Software\Electronic Arts\EA Sports\NASCAR Thunder TM 2004\ergc  
Command and Conquer 3   Software\Electronic Arts\Electronic Arts\Command 
and Conquer 3\ergc F1 Challenge 99-02  Software\Electronic Arts\EA 
Sports\F1 Challenge 99-02\ergc  Nascar Racing 2003  Software\Electronic 
Arts\EA Sports\Nascar Racing 2003\ergc  Nascar Racing 2002  
Software\Electronic Arts\EA Sports\Nascar Racing 2002\ergc  NHL 2003    
Software\Electronic Arts\EA Sports\NHL 2003\ergc    NHL 2002    
Software\Electronic Arts\EA Sports\NHL 2002\ergc    FIFA 2003   
Software\Electronic Arts\EA Sports\FIFA 2003\ergc   FIFA 2002   
Software\Electronic Arts\EA Sports\FIFA 2002\ergc   The Battle for 
Middle-earth Software\Electronic Arts\EA GAMES\The Battle for 
Middle-earth\ergc  Shogun: Total War: Warlord Edition  Software\Electronic 
Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc   Need For Speed: 
Underground Software\Electronic Arts\EA GAMES\Need For Speed 
Underground\ergc   Need For Speed Hot Pursuit 2    ergc    
Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2  Medal of 
Honor: Allied Assault: Spearhead   Software\Electronic Arts\EA GAMES\Medal 
of Honor Allied Assault Spearhead\ergc  Medal of Honor: Allied Assault: 
Breakthrough    Software\Electronic Arts\EA GAMES\Medal of Honor Allied 
Assault Breakthrough\ergc   Medal of Honor: Allied Assault  
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc    
Global Operations   Software\Electronic Arts\EA GAMES\Global 
Operations\ergc    Command and Conquer: Generals   Software\Electronic 
Arts\EA GAMES\Generals\ergc James Bond 007: Nightfire   
Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc Command 
and Conquer: Generals (Zero Hour)   Software\Electronic Arts\EA 
GAMES\Command and Conquer Generals Zero Hour\ergc   Black and White 
Software\Electronic Arts\EA GAMES\Black and White\ergc  Battlefield 
Vietnam Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc  
Battlefield 1942 (Secret Weapons of WWII)   Software\Electronic Arts\EA 
GAMES\Battlefield 1942 Secret Weapons of WWII\ergc  Battlefield 1942 (Road 
To Rome) Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to 
Rome\ergc    Battlefield 1942    Software\Electronic Arts\EA 
GAMES\Battlefield 1942\ergc Freedom Force   Software\Electronic Arts\EA 
Distribution\Freedom Force\ergc IGI 2: Covert Strike    Software\IGI 2 
Retail   Unreal Tournament 2004  Software\Unreal Technology\Installed 
Apps\UT2004    Unreal Tournament 2003  Software\Unreal 
Technology\Installed Apps\UT2003    Microsoft Windows Product ID    
ProductId   Software\Microsoft\Windows\CurrentVersion   Soldiers Of 
Anarchy Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings    
Legends of Might and Magic  CustomerNumber  Software\3d0\Status Industry 
Giant 2    prvkey  Software\JoWooD\InstalledGames\IG2  Half-Life   
Software\Valve\Half-Life\Settings   Gunman Chronicles   Key 
Software\Valve\Gunman\Settings  The Gladiators  RegNumber   Software\Eugen 
Systems\The Gladiators   Counter-Strike (Retail) CDKey   
Software\Valve\CounterStrike\Settings   POP3 Password2  POP3 Server POP3 
User Name  HTTPMail Password2  Hotmail HTTPMail User Name  \   
Software\Microsoft\Internet Account Manager\Accounts  kPStoreCreateInstance    
pstorec.dll WNetEnumCachedPasswords MPR.DLL MainLocation    
Software\Mirabilis\ICQ\NewOwners\%s Software\Mirabilis\ICQ\NewOwners\   
CryptUnprotectData  Crypt32.dll Passport.Net\*  CredFree    CredReadA   
advapi32.dll    User.NET Messenger Service  Password.NET Messenger Service  
%s\Mozilla\Firefox\%s %s\Mozilla\Firefox\%s\signons2.txt  
%s\Mozilla\Firefox\%s\signons.txt   
Profile0    %s\Mozilla\Firefox\profiles.ini PK11_FreeSlot   NSS_Shutdown    
PK11SDR_Decrypt PK11_Authenticate   PK11_GetInternalKeySlot 
NSSBase64_DecodeBuffer  NSS_Init    %snss3.dll  %ssoftokn3.dll  
%splds4.dll %splc4.dll  %snspr4.dll Path    
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe 
Software\Microsoft\MessengerService 
Software\Microsoft\MSNMessenger ComSpec 
WNetEnumResourceA   WNetCloseEnum   WNetOpenEnumA   \Mpr.dll    
NetShareEnum    NetApiBufferFree    \Netapi32.dll
...
RC4 keys used were:

50 65 C5 00,
A3 78 26 35 57 32 2D 60 B4 3C 2A 5E 33 34 72 00

and

0A 99 43 F3 46 DD A7 C9 A0 F6 2F 61 77 0A 70 73

These keys were used to decrypt 16 bytes, 4 bytes, 4 bytes and 24567 bytes of the sent file.

After the file was removed, the attacker sent:

Filename: %APPDATA%/addons.dat
Filesize: 25265
MD5: c37c79380b56ae2c94b117ad17b3e27e
SHA1: 6a75567bb063946fd3055370372e8861b4ddf3e4
SHA256: 9de1469571b6c27c9424cdaf66c99e3e6701f1a9cdc3bca8adb74529c343cc6f

With similar content. The file timestamp appears to be modified.
When the file was removed, another version was sent:

Filename: %APPDATA%/addons.dat
Filesize: 25706
MD5: 4ee060ea3753c895f77adaeb90371b98
SHA1: 03550e5057ab902a58fc42f844d138af5f64f905
SHA256: f5fbe65a324d6a152f385d0417011da6de4333bd97ccb0bd31fe1c6f237ce3f0

More information about zezo0o can be found at:

http://ejabat.google.com/ejabat/user?userid=17606009952881274630
http://www.tanta-eng.com/member.php?u=1149
http://forum.nesma.net.sa/member.php?u=9091
http://www.absba.org/archive/index.php/t-808938.html
http://www.dev-point.com
...

Wikipedia: Bifrost (trojan horse)