Submithook BHO Analysis

Submithook is an Internet Explorer browser helper object (BHO) that attempts to advertise porn sites by inserting URLs into web forms where a homepage entry is requested, such as a guestbook or web forum. The insertion is done in such a way that the user does not realize it has happened until they see their profile with a link to a porn site that they did not put there.

Filename: submithook.dll
Aliases: LizardBar, Adware.FreeComm, Free Community Toolbar, Submit URL, TrojanDownloader.Win32.Agent.az
File size: 139,264 bytes
Compiled: Mon Dec 22 11:40:52 2003
MD5 sum: 6398654670902d2820c4e7e1fbeffbb6

Analysis

Submithook uses OLE methods to control the content of the form being submitted. When a page with an HTML form is loaded, Submithook replaces the internal "onsubmit" handler with its own subroutine. When the form is submitted, the Submithook subroutine enumerates all the form fields, looking for any with the name "url", "homepage", "page", "www", ".cl1" or "site". If it finds any of these fields AND the field is left blank, it will retrieve a single URL from a remote server and insert the URL into the form field. Additionally it will perform the same function if a form field with ANY name contains only the text "http://".

The remote server from which the porn site URL is obtained is contacted over HTTP. The variant analyzed here uses the following URL:

http://www.fdadfswr.com/?r=[URL]&i=[NID]

The text [URL] is replaced with the URL of the form being submitted. The text [NID] is replaced with a unique GUID assigned to the infected computer at the time Submithook is installed, using the CoCreateGuid API call. When this URL is accessed, it sends back only a single URL as output, which is then added to the form field.

In order to conceal the newly added text while the submission is in progress, the subroutine sets the text color in the form field to match the background color, rendering the text invisible. The added text can be seen if it is highlighted with the mouse during the submit phase. If the user hits the "back" button on the browser after the submission, the text of the added URL will be the normal color and fully visible.

Submithook is usually bundled with the trojan family known as IEFeat/WinShow. It is dropped by the file submit2.exe, which is downloaded and executed during subsequent stages of an IEFeat infection. The installer is deleted on the next system boot by a command added to the "Runonce" registry key.

Submithook and its installer create the following registry keys:

HKEY_CLASSES_ROOT\ae23.ae23Obj\CLSID
    (Default) = '{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}'
HKEY_CLASSES_ROOT\ae23.ae23Obj\CurVer
HKEY_CLASSES_ROOT\ae23.ae23Obj.1\CLSID
    (Default) = '{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}'
HKEY_CLASSES_ROOT\CLSID\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}\InprocServer32
    (Default) = 'C:\Program Files\Submit\submithook.dll'
    ThreadingModel = 'Apartment'
HKEY_CLASSES_ROOT\CLSID\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}\ProgID
HKEY_CLASSES_ROOT\CLSID\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}\Programmable
HKEY_CLASSES_ROOT\CLSID\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}\TypeLib
    (Default) = '{ED7A0B22-11D9-4f74-8C1D-0936EFA66B3D}'
HKEY_CLASSES_ROOT\CLSID\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}\VersionIndependentProgID
HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
    (Default) = 'IPugiObj'
HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ProxyStubClsid
    (Default) = '{00020424-0000-0000-C000-000000000046}'
HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\ProxyStubClsid32
    (Default) = '{00020424-0000-0000-C000-000000000046}'
HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}\TypeLib
    (Default) = '{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}'
    Version = '1.0'
HKEY_CLASSES_ROOT\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}
HKEY_CLASSES_ROOT\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}\1.0
    (Default) = 'Pugi 1.0 Type Library'
HKEY_CLASSES_ROOT\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}\1.0\0\win32
    (Default) = 'C:\Program Files\Submit\submithook.dll'
HKEY_CLASSES_ROOT\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}\1.0\FLAGS
    (Default) = '0'
HKEY_CLASSES_ROOT\TypeLib\{ED7A0B22-11D9-4F74-8C1D-0936EFA66B3D}\1.0\HELPDIR
    (Default) = 'C:\Program Files\Submit\'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
  Browser Helper Objects\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    delsubmit = 'rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Documents and Settings\Administrator\Desktop\submit.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Submit URL
    DisplayName = 'Submit URL'
    UninstallString = 'C:\Program Files\Submit\uninstall.exe'
HKEY_USERS\{user id}\Software\d78ffc13\red81542
    NID = '{generated GUID}'
HKEY_CURRENT_USER\Software\d78ffc13\red81542
    NID = '{generated GUID}'

The installer package creates the following files:

C:\Program Files\Submit\submithook.dll (139264 bytes)
C:\Program Files\Submit\uninstall.exe (21019 bytes)
C:\Program Files\Submit\uninstall.ini (1283 bytes)

Removal

The uninstall.exe program is part of the freeware installer package used to install Submithook, and can safely be used to uninstall the program. Note that it will not uninstall the other trojan components Submithook is usually bundled with, so an anti-trojan or anti-virus scanner should be used to detect and clean any other malicious files from the system.

Snort Signatures

The following Snort signature will detect the communication between the Submithook BHO and the server that delivers the porn site URLs:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Submithook BHO URL retrieval"; content:"GET /?r="; depth:8; pcre:"m/&i=[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12} HTTP/"; flow:established,to_server; reference:url,www.secureworks.com/research/threats/submithook; sid:1000111; rev:1;)
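The same matching logic, applied to proxy or web-server request records rather than live packets, as an added example that is not SecureWorks code: it mirrors the constraints of the Snort rule above (request line begins with "GET /?r=" and carries "&i=<GUID> HTTP/"), then pulls out the tampered form URL ([URL]) and the per-machine NID from the request format described in the Analysis section, grouping findings by NID so one infected machine and every form it touched can be seen together. The host name, the sample records and the assumption that the r= value may or may not be percent-encoded are this example's, not the page's.

```python
"""Added detection example: apply the Snort rule's logic to constructed
proxy records and extract the tampered form URL and the NID."""
import re
from urllib.parse import unquote

# Same constraints as the Snort rule: request line starts "GET /?r=" and
# ends with "&i=<GUID> HTTP/x.y".
GUID = (r"[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-"
        r"[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}")
BEACON_RE = re.compile(r"^GET /\?r=(?P<form_url>.*)&i=(?P<nid>" + GUID +
                       r") HTTP/1\.[01]\r?$")

# Server used by the variant analysed here; other variants may differ.
KNOWN_HOST = "www.fdadfswr.com"


def parse_beacon(host, request_line):
    """Return a finding dict if request_line matches the beacon, else None.

    The r= value is everything up to the last '&i=' (the page does not say
    whether it is percent-encoded; unquote() leaves plain URLs unchanged).
    """
    m = BEACON_RE.match(request_line)
    if not m:
        return None
    return {
        "nid": m.group("nid").upper(),        # GUID set by CoCreateGuid at install
        "form_url": unquote(m.group("form_url")),
        "known_server": host.lower() == KNOWN_HOST,
    }


def scan(records):
    """Group findings by NID: {nid: {"form_urls": [...], "known_server": bool}}."""
    by_nid = {}
    for host, line in records:
        f = parse_beacon(host, line)
        if f is None:
            continue
        entry = by_nid.setdefault(f["nid"], {"form_urls": [], "known_server": False})
        entry["form_urls"].append(f["form_url"])
        entry["known_server"] = entry["known_server"] or f["known_server"]
    return by_nid


# Constructed sample records (Host header, request line); not real traffic.
SAMPLE = [
    ("www.fdadfswr.com", "GET /?r=http://forum.example.net/profile.php?mode=edit"
                         "&i=3F2504E0-4F89-11D3-9A0C-0305E82C3301 HTTP/1.1"),
    ("www.example.com", "GET /index.html HTTP/1.1"),
    ("www.fdadfswr.com", "GET /?r=abc&i=not-a-guid HTTP/1.1"),
    ("other.example", "GET /?r=http%3A%2F%2Fguestbook.example.org%2Fsign.cgi"
                      "&i=3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.0"),
]

if __name__ == "__main__":
    for nid, info in scan(SAMPLE).items():
        print(nid, info)
```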