Berbew/Webber/Padodor Trojan Analysis
- URL: http://www.secureworks.com/research/threats/berbew
- Date: June 25, 2004
- Author: Joe Stewart
A number of sites are reporting malicious JavaScript code being appended to every page served by their IIS server. Some in the press are speculating that a new "zero-day" IIS vulnerability is circulating. At this time SecureWorks has seen no evidence of a new vulnerability or worm. We have seen a relatively small number of sites reporting infected IIS servers, so it is possible the sites were hacked manually or that the webmaster surfed with IE on the web server box itself. There has been no notable increase in scanning for port 80, and no new exploit code is being picked up by SecureWorks honeypots at this time.
The main exposure from this attack is to users who browse one of the infected sites with Internet Explorer. The malicious JavaScript surreptitiously installs a variant of the Berbew/Webber/Padodor trojan.
Analysis
Name: msits.exe (renamed on install)
Size: 51,712 bytes
MD5 sum: varies; the download site appears to employ some pseudo-polymorphism in the delivery mechanism, so the file is altered frequently to evade anti-virus signatures
The trojan is installed via the ADODB/JavaScript redirection exploit for Internet Explorer, for which there is no current patch. When a user visits an infected IIS server with IE, the trojan is downloaded from a Russian web server and executed in the background. It copies itself to the system directory under a random name and also drops a DLL that acts as a loader for the EXE: the DLL is registered under the ShellServiceObjectDelayLoad registry key, so Explorer loads it at every logon.
The trojan appears to be designed for "phishing", that is, stealing financial and other account details from the infected user. While most phishing is done via email, this trojan directly captures logins and passwords when the infected user attempts to log in to eBay or PayPal, and also to Earthlink, Juno and Yahoo webmail accounts. It also appears designed to create fake popup windows when the user visits certain sites, in an attempt to coerce credit card and PIN numbers from the user, although this functionality may not work on all platforms.
There are reports that this variant sets up a spam proxy or backdoor listener on the infected system. This is incorrect; there is no remote communication with the trojan except the periodic upload of stolen passwords which is accomplished through the use of hidden IE windows using HTML forms and javascript to autosubmit.
The trojan has some rudimentary rootkit functionality: by patching in-memory DLLs through the \Device\PhysicalMemory device, it hides itself from the Windows Task Manager process list. It will also crash some third-party process listers.
More information and remediation steps can be found on Microsoft's site: http://www.microsoft.com/security/incident/download_ject.mspx
Removal
Manual removal is as follows. Do not attempt this procedure if you are not comfortable editing your registry, as you can render your system unbootable if you make a mistake.
Search the registry for the key HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and remove the entry:
- "Web Event Logger" = "{79FB9088-19CE-715E-D900-216290C5B738}"
Also remove the CLSID key HKCR\CLSID\{79FB9088-19CE-715E-D900-216290C5B738}; its InProcServer32 subkey contains:
- "(Default)" = "%sysdir%\xxxxxx32.dll"
- "ThreadingModel" = "Apartment"
where xxxxxx is a random string of lowercase characters. Note the DLL path before you delete the key; it tells you which file to remove in the next step.
Reboot the machine (the DLL cannot be deleted while Explorer has it loaded) and then remove the DLL file from the system directory. The trojan EXE also has a random name, but it can be spotted by looking for files with the same timestamp as the DLL. Finally, remove surf.dat from the system directory; this file contains the captured logins and passwords.
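The checks and deletions above, scripted as an added example (this is not the advisory's own code): it parses a `reg export` of the ShellServiceObjectDelayLoad and CLSID keys, flags the Berbew entry by its CLSID (and, as a weaker lead for renamed variants, any loader whose file name is lowercase letters followed by 32.dll), and emits a .reg file that deletes the value and the CLSID key. The sample export is constructed for the example; the DLL name qlzvkt32.dll stands in for the random name and is assumed.

```python
# Added example: scan a "reg export" of the keys named above for the Berbew
# loader and generate a removal .reg file.  Not the advisory's own code.
import re

# Indicators from the advisory (registry paths are case-insensitive, so
# everything is compared lower-cased).
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")
BERBEW_CLSID = "{79FB9088-19CE-715E-D900-216290C5B738}"
# Weaker lead: a loader DLL named <lowercase letters>32.dll.
SUSPICIOUS_DLL = re.compile(r"^[a-z]+32\.dll$")

# Constructed sample export: one legitimate XP entry (WebCheck) and the
# trojan's loader; the DLL name qlzvkt32.dll is an assumed random name.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FB9088-19CE-715E-D900-216290C5B738}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FB9088-19CE-715E-D900-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\qlzvkt32.dll"
"ThreadingModel"="Apartment"
"""

# Matches  "name"="data",  @="data"  (default value) or  "name"=<other type>.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def unescape(s):
    # Undo .reg escaping: a doubled backslash and backslash-quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}}; the default value is "@"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(2))
            data = m.group(4) if m.group(3) is None else unescape(m.group(3))
            keys[current][name] = data
    return keys


def find_berbew(keys):
    """Return (value_name, clsid, dll_path, reason) for each suspicious
    ShellServiceObjectDelayLoad entry."""
    findings = []
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
        dll = keys.get(server_key, {}).get("@", "")
        if clsid.upper() == BERBEW_CLSID:
            reason = "known Berbew CLSID"
        elif SUSPICIOUS_DLL.match(dll.rsplit("\\", 1)[-1].lower()):
            reason = "loader name looks random (<letters>32.dll); verify before removing"
        else:
            continue
        findings.append((name, clsid, dll, reason))
    return findings


def removal_reg(findings):
    """Build a .reg file that deletes the loader value and its CLSID key
    ("name"=- deletes a value; [-key] deletes a key and its subkeys)."""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + SSODL_KEY + "]"]
    for name, _, _, _ in findings:
        lines.append('"%s"=-' % name.replace("\\", "\\\\").replace('"', '\\"'))
    for _, clsid, _, _ in findings:
        lines += ["", "[-HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_berbew(parse_reg_export(SAMPLE_EXPORT))
    for name, clsid, dll, reason in hits:
        print("%r -> %s -> %s (%s)" % (name, clsid, dll, reason))
    print(removal_reg(hits))
```

`reg export` writes UTF-16, so open a real export with `encoding="utf-16"` before passing it to `parse_reg_export`. Import the generated file with `reg import`, reboot, then delete the DLL at the printed path (and the EXE sharing its timestamp) and surf.dat. The name heuristic is only a lead and can hit legitimate names such as shell32.dll, so confirm the CLSID or the file before deleting anything it flags.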
Snort Signatures
The following Snort signature can detect infections of this trojan on your network. Note that depth:20, with a 20-byte pattern, confines the match to the very start of a packet's payload, so the rule fires when the uploaded form body begins a TCP segment rather than following the HTTP headers in the same segment:
alert tcp any any -> any 80 (msg:"Webber/Berbew trojan keystroke log upload"; flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/berbew; sid:1000108; rev:1;)
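To see what the rule does and does not catch, here is an added example (not from the advisory) that re-implements just the `content` and `depth` test of the rule above, including Snort's |hex| escapes, and runs it over constructed sample payloads. The field names come from the rule; the field values, host name and path are made up.

```python
# Added example (not from the advisory): apply the rule's content/depth test
# to captured payloads so the rule's coverage can be checked offline.
RULE_CONTENT = "id=crutop|26|vvpupkin0="   # content:"..." from the rule
RULE_DEPTH = 20                             # depth:20 from the rule


def decode_content(spec):
    """Decode a Snort content string: text outside |...| is literal, text
    inside is hex bytes (|26| is '&')."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk.replace(" ", ""))
    return bytes(out)


def content_matches(payload, spec=RULE_CONTENT, depth=RULE_DEPTH):
    """Snort semantics: with depth set, the whole pattern must fall within
    the first `depth` bytes of the payload; depth=None searches everything."""
    pattern = decode_content(spec)
    window = payload if depth is None else payload[:depth]
    return pattern in window


# Constructed sample payloads for the client -> tcp/80 direction.  The
# field values are made up; c2VjcmV0 is just base64 of "secret".
BODY_ONLY = b"id=crutop&vvpupkin0=c2VjcmV0&x=1"
HEADERS_AND_BODY = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"id=crutop&vvpupkin0=c2VjcmV0")
BENIGN = b"id=crutop&user=1"


def check_samples():
    """Return {name: matched} for the sample payloads under the rule's depth."""
    samples = {"body_only": BODY_ONLY, "headers_and_body": HEADERS_AND_BODY,
               "benign": BENIGN}
    return {name: content_matches(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in check_samples().items():
        print(name, "->", "ALERT" if hit else "no match")
    # Without the depth limit the body sent in the same segment as the
    # headers would also match:
    print("headers_and_body without depth ->",
          content_matches(HEADERS_AND_BODY, depth=None))
```

The body-only payload alerts, the payload that carries headers and body in one segment does not, and the benign form does not. If you want the rule to catch the second case as well, drop `depth:20` (or use a stream-aware rule); the cost is a full-payload search on every client-to-port-80 packet.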