I am slowly going through the malicious files in order to better understand what they are attempting to do. The work primarily involves extracting Visual Basic macros and OLE structures from documents, then disassembling the executables that are thus scraped from the payload document. Even for files using well-documented exploits, as many of these files are, this is slow-going and tedious work, and I invite readers experienced in security research to contact me about offering assistance.
One such executable retrieved from the Stratfor files is gifiles-2014\gifiles\attach\151\151784_Command.com. As with the files reviewed yesterday, this was retrieved from the gifiles-2014.tar.gz.torrent file downloaded from wlstorage.net, which resides on the same servers as wikileaks.org. I have disassembled this executable using Heaven Tools' PE Explorer and Hex-Rays IDA. Accordingly I have determined that the file contains a variant of the Magistr worm. However, this version seems to have a number of unique features that I have not seen in the literature concerning Magistr (NOTE there are numerous versions of this worm, and this one has likely been seen before by someone).
The program makes use of the following DLLs to call its various functions:
KERNEL32.dll
USER32.dll
COMCTL32.dll
WININET.dll
cmpbk32.dll
cmutil.dll
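As an added example that is not part of the original post, the following Python script walks a PE file's import directory and returns the imported DLL names, the same listing PE Explorer or IDA shows for a sample. The PE it parses is constructed inside the script for offline testing (a minimal PE32 with only an import table) and is not the Stratfor file.

```python
import struct

def imported_dlls(pe: bytes) -> list:
    """Walk a PE file's import directory and return the imported DLL names in order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directory start
    imp_rva = struct.unpack_from("<I", pe, dd + 8)[0]    # directory entry 1: import table
    # one 40-byte section header each; (VirtualAddress, SizeOfRawData, PointerToRawData) sit at +12
    sections = [struct.unpack_from("<III", pe, opt + opt_size + i * 40 + 12) for i in range(nsections)]

    def rva_to_offset(rva):
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError(f"RVA {rva:#x} not backed by any section")

    names, desc = [], rva_to_offset(imp_rva)
    while True:
        name_rva = struct.unpack_from("<I", pe, desc + 12)[0]   # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                       # an all-zero descriptor ends the table
            break
        start = rva_to_offset(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        desc += 20                                              # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return names

def build_sample_pe(dlls):
    """Constructed minimal PE32 holding only an import directory (test input, not real malware)."""
    sec_rva, sec_off = 0x1000, 0x200
    descs, strings = bytearray(), bytearray()
    for d in dlls:
        name_rva = sec_rva + 20 * (len(dlls) + 1) + len(strings)   # strings follow the descriptors
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        strings += d.encode("ascii") + b"\0"
    body = descs + bytes(20) + strings
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, sec_rva, len(body))       # import table RVA and size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + bytes(sec_off - len(hdr)) + bytes(body)

SAMPLE_DLLS = ["KERNEL32.dll", "USER32.dll", "WININET.dll", "cmpbk32.dll", "cmutil.dll"]
```

Running `imported_dlls` on a real sample, or on `build_sample_pe(SAMPLE_DLLS)`, yields the DLL list; imports such as WININET.dll, cmpbk32.dll and cmutil.dll are the quick first hint that a binary talks to the network through Connection Manager, which is what the disassembly above confirms.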
The program adds an entry for itself in the Microsoft Connection Manager Phone Books and uses that entry to establish both FTP and HTTP connections. I am still working on where the connections head to.
[Figure: The program loads the MSCM Phone Book]
[Figure: Connection Manager is used to establish an FTP connection and transfer files]
[Figure: HTTP connections are established as well]
PBUPDATE.PBD
PBUPDATE.EXE
PBUPDATE.INF
PBUPDATE.VER
[Figure: PBUPDATE.EXE is associated with iPassConnect]
I am more than happy to share more comprehensive information concerning my research, so feel free to email me if you would like to help out.
I have also contacted Wikileaks (to the best of my ability) to warn them of the dangerous files being distributed on wlstorage.net. For a number of reasons they are not the easiest people to get hold of, particularly in relation to technical issues, and I do not know anyone directly affiliated with the group. If someone reading this post does have a more direct means of communication with Wikileaks, please provide them with this information ASAP!