Watch Out For GIF Images Containing Hidden Malicious Code

[KRL]

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer.

A "Browser Helper Object" is a DLL that allows developers to customize and control Internet Explorer. When IE 4.x and higher starts, it reads the registry to locate installed BHO's and then loads them into the memory space for IE. Created BHO's then have access to all the events and properties of that browsing session. This particular BHO watches for HTTPS (secure) access to URLs of several dozen banking and financial sites in multiple countries.

When an outbound HTTPS connection is made to such a URL, the BHO then grabs any outbound POST/GET data from within IE before it is encrypted by SSL. When it captures data, it creates an outbound HTTP connection to http://www.refestltd.com/cgi-bin/yes.pl and feeds the captured data to the script found at that location.

[Spunky]

Actually that has been happening for awhile...fucking weasels are really up on this...hope they all rot in hell

[Fletch XXX]

"You can point your gun at me
And hope it will go away
But if God was alive,
He would hate you anyway."

Cheers!

just checking in on vacation

[StuartD]

I love using Mozilla

Great, how long before we will have to make our sigs static jpegs on gfy?

[iwantchixx]

man this shit is getting more and more sinister with each exploit/hack/trojan that comes to light,

[gornyhuy]

Anybody want me to write them a BHO?
Its gonna cost ya.

[webair]

any protection out on this one yet?

[brizzad]

if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

[pimplink]

Thanks for the info.

[Groove]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

[brizzad]

Quote:

Originally posted by Groove

get over it

money is money

people can download ad-aware if it bothers them

[kenny]

The surpreme court needs to stop wasting time with the porn sites and focus on shit like this

[KRL]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

I don't even believe I'm seeing this.

[pxxx]

Quote:

Originally posted by KRL
I don't even believe I'm seeing this.

Must be a dream

[KRL]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

Yeh, one hot gallery on The Hun and you'd be a millionaire in a week.

[V_RocKs]

Back in my trojanning days I met a chick who did a similar job in GIF's and when I tried to discuss it with a professor or two they'd always laugh me out of the room. You can't execute code from inside of a gif, there is no compiler (blah blah blah) and yada yada... So finally someone has probably paired it with IRC bots to infect hundreds a day and now all of a sudden it IS possible... funny how shit turns out.

[Snake Doctor]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

Any coders want to hook me up on how to send this fucker a virus through his AIM?

[Tuna]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

you must be kidding

[StuartD]

Quote:

Originally posted by KRL
Yeh, one hot gallery on The Hun and you'd be a millionaire in a week.

tough to spend a million from prison, unless it was offered as an alternative to his hairy ass

[Shoehorn!]

Fuck, pretty soon they'll have to just abandon this internet as we know it and start all over again from scratch. Mark my words, it'll happen.

[brizzad]

Quote:

Originally posted by MaskedMan
tough to spend a million from prison, unless it was offered as an alternative to his hairy ass

i'd set it up outside the u.s. lol

[FilthyRob]

I have been battling fucked up spyware all week and I know it came from some TGP sites.

Fucking auto intalling mother fuckers. I can't see how screwing up my machine is making anyone money. I couldn't even buy something from them if I wanted to. It fucks the browser up so bad that even when you click on the search listings from the auto intalled hacked homepage, you just get ads to remove spyware.

The pay per click search engine traffic will become worthless at this rate really.

[KRL]

Quote:

Originally posted by FilthyRob
I have been battling fucked up spyware all week and I know it came from some TGP sites.

Fucking auto intalling mother fuckers. I can't see how screwing up my machine is making anyone money. I couldn't even buy something from them if I wanted to. It fucks the browser up so bad that even when you click on the search listings from the auto intalled hacked homepage, you just get ads to remove spyware.

The pay per click search engine traffic will become worthless at this rate really.

Lose IE and use one of the more secure browsers.

[spywareboard com]

This is evil.

[AMADude]

Quote:

Originally posted by MaskedMan
I love using Mozilla

[baddog]

Quote:

Originally posted by KRL
Lose IE and use one of the more secure browsers.

I don't think this is a viable option for someone that reviews sites. . . you have to see what your surfer/member is going to see, and they are using MSIE

[Snake Doctor]

Quote:

Originally posted by KRL
Lose IE and use one of the more secure browsers.

That doesn't really help us from a business standpoint though.
Most surfers barely know how to open internet explorer, much less install and use opera or mozilla.
If this stuff keeps up surfers will be afraid to go to adult sites period.

[gazool]

Mozilla Mozilla Mozilla Mozilla Mozilla

[SmokeyTheBear]

mozilla stopped using gif's ?? news to me hahah

mozilla has more holes than a golf course

[EviLGuY]

Hey Smokey did you even read the post?

"The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer. "

Does nothing at all to people on Mozilla . Mozilla is secure because not many people use it.. so who is going to bother wasting time trying to exploit it? That being said.. I am sure any holes that people do find will be patched with alacrity.

[chemicaleyes]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

[AgentCash]

Actually if you read the write-up at
http://isc.sans.org/presentations/banking_malware.pdf
you'll find that the image file needs to be renamed to install itself. They theorize that a .chm exploit is used to rename the GIF and run it. So the fact that it's a GIF file isn't really important, it could have any file extension the attacker would like. JPG would work just as well.

[strobi]

woa! Imagine the data that "listener" server gets! Thousands and thousands of CC numbers/passwords...

[Mr. Marks]

Thanks for the information!

[grumpy]

Quote:

Originally posted by brizzad
if any coders want to hook me up on how to execute spyware using GIFs, contact me, my aim info is in my profile

Show you how elite that 420-4-L thing is. Now you know. Stay away.

[chemicaleyes]

Quote:

Originally posted by grumpy
Show you how elite that 420-4-L thing is. Now you know. Stay away.

1. It's not about being elite.
2. Don't be so quick to open your mouth.

[pudcat]

Quote:

Originally posted by SmokeyTheBear
mozilla stopped using gif's ?? news to me hahah

mozilla has more holes than a golf course

GFY getting thicker and thicker by the day.

If you actually read the post you'd see that it uses the BHO... now my guess is telling me that Mozilla doesn't have this BHO.

I'm glad I use Linux and Mozilla

[SmokeyTheBear]

Quote:

Originally posted by pudcat
GFY getting thicker and thicker by the day.

If you actually read the post you'd see that it uses the BHO... now my guess is telling me that Mozilla doesn't have this BHO.

I'm glad I use Linux and Mozilla

slip of the tongue , the argument is moot , the statement stands.