ScanSafe



Multi-tiered compromise leads to new Storm variant


Summary:

On October 18, 2007, ScanSafe detected malicious content on www.peoplesrepublicofcork.com. Investigation revealed a multi-site, multi-stage compromise involving system information gathering, spamdexing, and browser exploitation leading to the installation of malware. Several primary sites were involved in the compromise. The chain of malicious redirections ultimately delivered a new variant of the Zhelatin family of threats, a family commonly referred to as the “Storm worm”.

Technical Details:

Exploits involved in the attack included the following:

If one of the aforementioned vulnerabilities is exploited successfully, the script downloads and executes a dropper Trojan, which installs the file "mssrv32.exe" in the Windows system folder (typically C:\Windows\System32). The file mssrv32.exe is registered as a service named "musupdate" with the following properties (strings reproduced as the malware sets them):

  • Display name: "Microsoft security update service"
  • Description: "This service downloading and installing Windows security updates"

 
Interestingly, mssrv32.exe also drops a copy of asynmac.sys, a legitimate kernel-mode driver that ships with Windows’ remote access services. This file is dropped again each time the system restarts.

The file mssrv32.exe attempts an outbound connection to a remote IP address; the host was not reachable at the time of analysis.

A second stage of the compromise of peoplesrepublicofcork.com was also observed. The original scripts were replaced with hidden keywords linking to a series of compromised pages on www.therhinobar.com. This technique, known as ‘spamdexing’, tricks search engine crawlers into ranking the compromised site higher in search results whenever those keywords are searched for. A Google search returned 10,500 such pages originating from the compromised site.

The compromised pages included an iframe which, through a series of other iframes, led to a malicious page containing multiple Internet Explorer exploits.
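The two injection techniques described above (hidden keyword-link blocks for spamdexing, and zero-size or invisible iframes that start the redirect chain) can be flagged with a small HTML scan. The following is an added example, not ScanSafe's code or anything recovered from the compromised sites; the sample page and its hostnames are constructed for illustration, and the hidden-style patterns (display:none, visibility:hidden, large negative offsets) are the common cases rather than an exhaustive list.

```python
"""Flag hidden iframes and hidden keyword-link blocks in an HTML page.

Added example (not ScanSafe's code): looks for iframes sized 0/1 pixels or
styled invisible, and for containers styled invisible that hold links, which
is how spamdexing keyword blocks are typically concealed from visitors.
"""
import re
from html.parser import HTMLParser

# Style fragments that hide an element from the visitor but not from crawlers.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples
        self._stack = []        # (tag, is_hidden) for open elements
        self._hidden_depth = 0  # how many hidden containers enclose us
        self._hidden_links = 0  # <a> tags seen inside the current hidden block

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            tiny = (a.get("width", "").strip() in ("0", "1")
                    or a.get("height", "").strip() in ("0", "1"))
            if tiny or hidden or self._hidden_depth:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "a" and self._hidden_depth:
            self._hidden_links += 1
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self._stack):
            return  # stray end tag; ignore
        # Pop to the matching open tag; unclosed void tags (br, img) fall out here.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
                if self._hidden_depth == 0 and self._hidden_links:
                    self.findings.append(("hidden_link_block", self._hidden_links))
                    self._hidden_links = 0
            if open_tag == tag:
                break


def scan_html(html):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a hidden keyword block, a 0x0 iframe and a normal iframe.
SAMPLE_PAGE = """<html><body>
<h1>Events this week</h1>
<div style="position:absolute; left:-5000px">
  <a href="http://keywords.example/p1.html">cheap tickets</a>
  <a href="http://keywords.example/p2.html">free music downloads</a>
</div>
<iframe src="http://loader.example/stage1.html" width="0" height="0"></iframe>
<iframe src="http://widgets.example/calendar" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(kind, detail)
```

Because the redirect chain runs through several iframes, each flagged src would be fetched and scanned in turn until the page carrying the exploit code is reached; that fetching step is deliberately left out here so the scanner runs offline.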

A successful exploit results in the download of win32.exe, a variant of the Zhelatin family of malware (aka the “Storm worm”). Antivirus detection is extremely low: of 31 scanners tested, only six flagged the file as suspicious. This family of related threats generally installs a peer-to-peer communication client, a rootkit, and a mass-mailing component. When win32.exe executes on the affected system, it installs the following files in the Windows system folder (generally C:\Windows\System32):

  • kernelwind32.exe
  • kernelw.sys

 

The following registry modifications are made so that the malware loads when Windows starts (CurrentControlSet is a link to the active numbered control set, here ControlSet001, so the two service entries refer to the same key):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System = "<system>\kernelwind32.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Driver
ImagePath = "<system>\kernelw.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver
ImagePath = "<system>\kernelw.sys"

An additional registry modification is made to block user access to Task Manager, which could hamper efforts to manually remove the threat:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 0x00000001
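The registry changes above, together with the "musupdate" service registered by mssrv32.exe, are the host-side indicators an incident responder would check for. The following is an added example, not ScanSafe's code: it parses a `.reg` export (the "Windows Registry Editor Version 5.00" text that `reg export` writes) and flags the Run value, service ImagePaths and DisableTaskMgr policy attributed to this variant. The sample export is constructed, the benign ctfmon entry is included only to show it is not flagged, and the Driver ImagePath is encoded as hex(2) (REG_EXPAND_SZ) with wrapped lines because that is how reg.exe exports such values.

```python
"""Triage a Windows .reg export for the persistence indicators listed above.

Added example (not ScanSafe's code): parses 'Windows Registry Editor Version
5.00' text and flags the Run value, service ImagePaths and DisableTaskMgr
policy that the write-up attributes to this Storm variant.
"""
import re

RUN_TARGET = "kernelwind32.exe"   # Run value "System" from the write-up
DRIVER_TARGET = "kernelw.sys"     # ImagePath of the "Driver" service
SERVICE_TARGET = "mssrv32.exe"    # ImagePath of the "musupdate" service
SERVICE_NAME = "musupdate"

# Constructed sample export: one benign Run entry plus the four indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System"="C:\\WINDOWS\\system32\\kernelwind32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,65,00,72,00,6e,00,65,00,\
  6c,00,77,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\musupdate]
"DisplayName"="Microsoft security update service"
"ImagePath"="C:\\WINDOWS\\system32\\mssrv32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""


def _decode_value(raw):
    """Decode one exported value: "string", dword:xxxxxxxx, or hex(n): bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg text."""
    # Re-join values that reg.exe wrapped with a trailing backslash.
    joined, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.strip()[:-1]
            continue
        joined.append(buf + line.strip() if buf else line)
        buf = ""
    hives, key = {}, None
    for line in joined:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hives.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            hives[key][name.strip('"')] = _decode_value(raw.strip())
    return hives


def _endswith(value, name):
    return isinstance(value, str) and value.lower().rstrip('"').endswith(name)


def find_indicators(hives):
    """Return (key, value_name, reason) for values matching the write-up's IOCs."""
    hits = []
    for key, values in hives.items():
        k = key.lower()
        vals = {n.lower(): v for n, v in values.items()}  # value names are case-insensitive
        if k.endswith(r"\currentversion\run") and _endswith(vals.get("system"), RUN_TARGET):
            hits.append((key, "System", "Run entry loads " + RUN_TARGET))
        if "\\services\\" in k:  # matches ControlSet001 and CurrentControlSet alike
            image = vals.get("imagepath")
            if _endswith(image, DRIVER_TARGET):
                hits.append((key, "ImagePath", "service loads driver " + DRIVER_TARGET))
            if _endswith(image, SERVICE_TARGET) or k.endswith("\\" + SERVICE_NAME):
                hits.append((key, "ImagePath", "service loads " + SERVICE_TARGET))
        if k.endswith(r"\policies\system") and vals.get("disabletaskmgr") == 1:
            hits.append((key, "DisableTaskMgr", "Task Manager disabled by policy"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{reason}: [{key}] {name}")
```

On a live host the input would come from commands such as `reg export HKLM\SYSTEM\CurrentControlSet\Services svc.reg`; reg.exe writes that file as UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`. Because the malware disables Task Manager and installs a kernel driver, the check is best run against an export taken from an offline copy of the hive rather than trusting the live system's view.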

Prevention
ScanSafe Malware Scanning service detects and prevents exposure to this threat.