Friday, June 25, 2004

VIRUS: Berbew/Webber/Padodor Trojan Analysis

Berbew Trojan Analysis - LURHQ

Berbew/Webber/Padodor Trojan Analysis
by LURHQ Threat Intelligence Group


Release Date
June 25, 2004

A number of sites are reporting malicious javascript code being appended to every page served by their IIS server. Some in the press are speculating that there is a new "zero-day" IIS vulnerability circulating. At this time LURHQ has seen no evidence for a new vulnerability or worm. We have seen a relatively small number of sites reporting the infections of IIS servers, so it is possible the sites were hacked manually or by the webmaster surfing using IE on the webserver box itself. There has been no notable increase in scanning for port 80 and there is no new exploit code being picked up by LURHQ honeypots at this time.

The main exposure to this attack comes from users who surf to one of the infected sites using Internet Explorer. The malicious javascript surreptitiously installs a variant of the Berbew/Webber/Padodor trojan.


Name: msits.exe, renamed on install
Size: 51,712 bytes
MD5 Sum: Varies, the download site appears to employ some psuedo-polymorphism in the delivery mechanism, so the file is altered frequently to evade anti-virus signatures

The trojan is installed via the ADODB/javascript redirection exploit for Internet Explorer for which there is no current patch. When a user visits an infected IIS server using IE, the trojan will be downloaded from a Russian webserver and executed in the background. It copies itself to the system directory using a random name, and also extracts a DLL file which acts as a loader for the EXE at boot time using the ShellServiceObjectDelayLoad registry key.

The trojan appears to be designed for the purposes of "phishing", that is, stealing financial and other account details from the infected user. While most phishing is done via email, this trojan directly captures password and logins if the infected user attempts to log in to Ebay or Paypal and also Earthlink, Juno and Yahoo webmail accounts. It also appears designed to create fake popup windows when the user visits certain sites in an attempt to coerce credit card and PIN numbers from the user, although this functionality may not work on all platforms.

There are reports that this variant sets up a spam proxy or backdoor listener on the infected system. This is incorrect; there is no remote communication with the trojan except the periodic upload of stolen passwords which is accomplished through the use of hidden IE windows using HTML forms and javascript to autosubmit.

The trojan has some rudimentary rootkit functionality; by patching in-memory DLLs using the PhysicalMemory device it will not show up in the Windows task manager list. It will also crash some third-party process-listers.

More information and remediation steps can be found on Microsoft's site: http://www.microsoft.com/security/incident/download_ject.mspx


Manual removal is as follows. Do not attempt this procedure if you are not comfortable editing your registry, as you can render your system unbootable if you make a mistake.

Search the registry for the key HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and remove the entry:

"Web Event Logger" = "{79FB9088-19CE-715E-D900-216290C5B738}"

Also remove in HKCR\CLSID\{79FB9088-19CE-715E-D900-216290C5B738}\InProcServer32:

"(Default)" = "%sysdir%/xxxxxx32.dll"
"ThreadingModel" = "Apartment"

where xxxxxx is a random string of lowercase characters. Reboot the machine and remove the dll file from the system directory. The trojan exe file also has a random name, but can be spotted by looking for files with the same timestamp as the dll. Remove surf.dat from the system directory - this file contains captured logins and passwords.

Snort Signatures
The following Snort signature can detect infections of this trojan on your network:

alert tcp any any -> any 80 (msg:"Webber/Berbew trojan keystroke log upload"; flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity; reference:url,www.lurhq.com/berbew.html; sid:1000108; rev:1;)

About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security Services. Founded in 1996, LURHQ has built a strong business protecting the critical information assets of more than 400 customers by offering managed intrusion prevention and protection services. LURHQ's 24X7 Incident Handling capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ's OPEN Service Delivery™ methodology facilitates a true partnership with customers by providing a real time view of the organization's security status via the Sherlock Enterprise Security Portal. For more information visit http://www.lurhq.com.

Copyright (c) 2004 LURHQ Corporation Permission is hereby granted for the redistribution of this document electronically. It is not to be altered or edited in any way without the express written consent of LURHQ Corporation. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please e-mail advisories@lurhq.com for permission.

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties implied or otherwise with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Updates and/or comments to:
LURHQ Corporation


Post a Comment

<< Home

Get Firefox!