UPDATE: This is the second attempt to hack into my computer by someone claiming to be a journalist. It is similar to the first attack but this time there is no PDF, just a link to a hostile server:
Dear Curtis Melvin,
My name is Ichikawa Hayami, from Nihon TV
Would you have some time to do a short
interview on the foreign direct investment in NK by letter?
If possible, prefer to below please.
documents
Best regards.
Ichikawa Hayami
Producer
Nihon TV World View
If you click on “documents” you are routed to a hostile server.
Here is the email header:
Delivered-To: [email protected]
Received: by 10.224.28.208 with SMTP id n16cs123243qac;
Tue, 6 Apr 2010 00:20:31 -0700 (PDT)
Received: by 10.220.107.227 with SMTP id c35mr3152197vcp.42.1270538430714;
Tue, 06 Apr 2010 00:20:30 -0700 (PDT)
Return-Path: <[email protected]>
Received: from imr-da03.mx.aol.com (imr-da03.mx.aol.com [205.188.105.145])
by mx.google.com with ESMTP id 26si25578441vws.46.2010.04.06.00.20.30;
Tue, 06 Apr 2010 00:20:30 -0700 (PDT)
Received-SPF: neutral (google.com: 205.188.105.145 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=205.188.105.145;
Authentication-Results: mx.google.com; spf=neutral (google.com: 205.188.105.145 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from imo-da04.mx.aol.com (imo-da04.mx.aol.com [205.188.169.202])
by imr-da03.mx.aol.com (8.14.1/8.14.1) with ESMTP id o367KUP1027363
for <[email protected]>; Tue, 6 Apr 2010 03:20:30 -0400
Received: from [email protected]
by imo-da04.mx.aol.com (mail_out_v42.9.) id o.c35.7794a375 (44225)
for <[email protected]>; Tue, 6 Apr 2010 03:20:25 -0400 (EDT)
Received: from smtprly-mb03.mx.aol.com (smtprly-mb03.mx.aol.com [64.12.207.150]) by cia-dd08.mx.aol.com (v127_r1.2) with ESMTP id MAILCIADD083-5c6c4bbae0b8112; Tue, 06 Apr 2010 03:20:25 -0400
Received: from web-mmc-d04 (web-mmc-d04.sim.aol.com [205.188.103.94]) by smtprly-mb03.mx.aol.com (v127_r1.2) with ESMTP id MAILSMTPRLYMB032-5c6c4bbae0b8112; Tue, 06 Apr 2010 03:20:24 -0400
To: [email protected]
Subject: interview request
Date: Tue, 06 Apr 2010 03:20:24 -0400
X-MB-Message-Source: WebUI
X-AOL-IP: 211.103.134.39
X-MB-Message-Type: User
MIME-Version: 1.0
From: [email protected]
Content-Type: multipart/alternative;
boundary="——–MB_8CCA370C27E93F1_136C_1AF_web-mmc-d04.sysops.aol.com"
X-Mailer: Mail.com Webmail 31226-STANDARD
Received: from 211.103.134.39 by web-mmc-d04.sysops.aol.com (205.188.103.94) with HTTP (WebMailUI); Tue, 06 Apr 2010 03:20:24 -0400
Message-Id: <[email protected]>
X-Spam-Flag:NO
X-AOL-SENDER: [email protected]
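A header like the one above can be triaged mechanically. The following is an added example, not part of the original post: it walks the Received chain oldest-first, takes the first public address as the submitting client, and cross-checks it against X-AOL-IP and the SPF verdict. SAMPLE_HEADER is a trimmed copy of the header shown, with the redacted addresses left out.

```python
# Walk the Received chain of the header quoted above back to the submitting
# client and read the SPF verdict. SAMPLE_HEADER is a constructed, trimmed copy.
import ipaddress
import re
from email.parser import HeaderParser

SAMPLE_HEADER = """\
Received: by 10.224.28.208 with SMTP id n16cs123243qac; Tue, 6 Apr 2010 00:20:31 -0700 (PDT)
Received: from imr-da03.mx.aol.com (imr-da03.mx.aol.com [205.188.105.145])
        by mx.google.com with ESMTP id 26si25578441vws.46.2010.04.06.00.20.30;
        Tue, 06 Apr 2010 00:20:30 -0700 (PDT)
Received-SPF: neutral (google.com: 205.188.105.145 is neither permitted nor denied by best guess record) client-ip=205.188.105.145;
Received: from web-mmc-d04 (web-mmc-d04.sim.aol.com [205.188.103.94]) by smtprly-mb03.mx.aol.com (v127_r1.2) with ESMTP id MAILSMTPRLYMB032-5c6c4bbae0b8112; Tue, 06 Apr 2010 03:20:24 -0400
Subject: interview request
X-AOL-IP: 211.103.134.39
Received: from 211.103.134.39 by web-mmc-d04.sysops.aol.com (205.188.103.94) with HTTP (WebMailUI); Tue, 06 Apr 2010 03:20:24 -0400
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def public_ips(text):
    """Publicly routable IPv4 literals in a header value (10.x relays and dotted queue ids dropped)."""
    out = []
    for ip in IPV4.findall(text):
        try:
            if ipaddress.ip_address(ip).is_global:
                out.append(ip)
        except ValueError:  # e.g. '04.06.00.20' carved out of a queue id
            pass
    return out

def received_hops(raw):
    """Sending address per hop, oldest first (each MTA prepends its Received line)."""
    msg = HeaderParser().parsestr(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        ips = public_ips(value)
        hops.append(ips[0] if ips else None)  # first literal is the 'from' side
    return hops

def triage(raw):
    """Origin from the oldest hop, cross-checked against X-AOL-IP and the SPF result."""
    msg = HeaderParser().parsestr(raw)
    hops = received_hops(raw)
    origin = next((ip for ip in hops if ip), None)
    return {
        "origin_ip": origin,
        "hops": hops,
        "spf": msg.get("Received-SPF", "").split(" ", 1)[0].lower() or None,
        "x_aol_ip": msg.get("X-AOL-IP"),
        "origin_consistent": origin is not None and origin == msg.get("X-AOL-IP"),
    }
```

The webmail submission hop is the only one that names the client itself; everything after it is AOL and Google infrastructure, which is why the oldest public hop and X-AOL-IP agree here.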
ORIGINAL POST: A week ago I received a personal email from someone requesting an interview. However, this person was not who he/she claimed. This person (unsuccessfully) tried to hack into my computer. Details below:
——————————————————
From: [email protected]
To:
Date: Wed, Mar 10, 2010 at 2:05 AM
Subject: interview request
Dear Curtis Melvin,
My name is Greg Fayle, from SBS Radio
Australia’s program World View.
Would you have some time to do a short
interview on the latest developments regarding
Northeast Asia and NK situation please?
I’m looking forward to hearing from you
Paper for Interview
Warm regards,
Greg Fayle
Greg Fayle
Producer
SBS Radio World View
PO Box 290
South Melbourne VIC 3211
Tel: (03) 9749 2421
——————————————————
The “Paper for interview” was an attached PDF document that hid a virus. Luckily it did not infect my computer.
Here is what my friend tells me about the email itself — it did not come from Australia:
inetnum: 222.96.0.0 - 222.122.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: DL248-AP
tech-c: GK40-AP
remarks: ***********************************************
remarks: KRNIC of NIDA is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the NIDA Whois DB
remarks: http://whois.nida.or.kr/english/index.html
remarks: ***********************************************
status: Allocated Portable
mnt-by: MNT-KRNIC-AP
changed: [email protected] 20031027
changed: [email protected] 20041007
source: APNIC
Here is what my friend tells me about the virus–it was pretty sophisticated:
To analyze the PDF file (which contained the virus), we used scripts to parse through and pick out sections of the code that had JavaScript (the virus) embedded in it. We received an error parsing the /FlateDecode filter sections of the PDF. This section of the document is where the compressed JavaScript (virus) and other embedded objects would live, and it has different object and reference pointers. We found that the text section of the code, instead of starting with /FlateDecode, started with [null character] latedecode. We believe this was done intentionally to make de-obfuscation and analysis by a novice more difficult. We used a hex editor to correct the null character byte and make it an ASCII F. Once this was done we were able to see heavily obfuscated JavaScript and pull it out of the document.
The JavaScript code contained two well known PDF exploits, one for Reader version 8 and another for Reader version 9. The virus was structured this way because most people use one of these versions of Reader to view PDF documents. One other interesting thing to note was that the PDF document itself was blank.
Here is what we know about the payload from behavioral analysis. Once the PDF runs, it will execute the payload and instruct Adobe’s internal updater (update.exe) to download a file from a non-Adobe owned DNS name which resolves to an IP address in Malaysia. All of the attacking code references the same DNS names. Once downloaded, this file will sit on the system and act as a second stage (or stager) for the additional files to be downloaded. So in summary, the first stage was the initial payload in the PDF shellcode. This first stage downloads a second stage program which in turn downloads (we believe) a ‘rootkit’ before deleting itself. This leftover ‘rootkit’ is how the attackers would maintain full command and control of the system.
We visited the website from which the files were to come and found a default instance of Apache and cPanel–so we can assume one of two things: First, whoever administers this server probably doesn’t realize it is being used in this fashion (it was probably compromised by the attackers). Second, perhaps this is the attacker’s server and they want to throw us off by throwing up a cPanel install so we’ll think it’s a compromised host. We think the first scenario is more likely.
The files themselves that come after do behave in a ‘rootkit’ like fashion. What we have observed is that they install themselves in the %WINDOWS%\System32 directory. They modify the registry to allow themselves to be used as a system service (this is done through the second stage payload); they hide their existence from view once they are installed (total rootkit behavior); and they start to call out to the server for additional commands. We noticed that these additional commands were not actually coming back as 200 OK status messages, but instead were coming back as 404 NOT FOUND HTTP messages. This could mean that the reference files have been removed, or it could mean that the 404s are acting as a beacon. We are not sure which scenario is the case here at this time.
Also worth noting, the second stage payload prevented hooking with a debugger for analysis during runtime and also prevented analysis through virtual machines. The file also leveraged potential DLL Injection to make other executables run commands on its behalf. This means that it would be obscured from routine detection. We ran the final rootkit executable through a debugger for static analysis and noticed code sections that contained messages within the application stack like “installation as a system service”, “calls to winspool (which is the library for printing and potentially document creation?)”, “calls to imm32.dll (which could be used for keylogging)”, and some very interesting UNICODE characters that we are still deciphering.
As you can tell, we are still conducting additional research and do not want to reveal the exact location of where we have seen this code before. What we can say is that a quick Google search for this code snippet revealed few results with the same region of the world. In conclusion, I must say that this was not an amateurish attack–these people were good. But certain things don’t make sense and we are still looking at the file.
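The null-byte trick in the filter name that the analysis above describes can be undone in a script rather than with a hex editor. The following is an added example, not the analysts' own tooling: it detects a single NUL substituted for any one character of a standard filter name, repairs it, and inflates the recovered /FlateDecode streams. The PDF fragment it works on is constructed inline and is not the document that was examined.

```python
# Undo the damaged filter name described above ('/FlateDecode' stored with a
# NUL in place of the 'F') and inflate the recovered streams. The PDF fragment
# is constructed here; it is not the document the analysts examined.
import re
import zlib

FILTERS = [b"FlateDecode", b"LZWDecode", b"ASCIIHexDecode", b"ASCII85Decode", b"RunLengthDecode"]
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)

def repair_filter_names(data):
    """Replace a single NUL substituted for any one character of a known filter name.
    Returns the repaired bytes and the number of names fixed."""
    fixes = 0
    for name in FILTERS:
        for i in range(len(name)):
            damaged = b"/" + name[:i] + b"\x00" + name[i + 1:]
            if damaged in data:
                fixes += data.count(damaged)
                data = data.replace(damaged, b"/" + name)
    return data, fixes

def flate_streams(data):
    """Inflate every stream whose dictionary names /FlateDecode; streams that
    will not inflate (wrong filter, still damaged) are skipped, not fatal."""
    out = []
    for dict_bytes, body in STREAM_RE.findall(data):
        if b"/FlateDecode" not in dict_bytes:
            continue
        try:
            out.append(zlib.decompress(body))
        except zlib.error:
            pass
    return out

def build_sample():
    """One object holding a compressed script, with the filter name damaged as on the page."""
    script = b"app.alert('constructed sample, not the original content');"
    body = zlib.compress(script)
    obj = (b"5 0 obj\n<< /Length %d /Filter /\x00lateDecode >>\nstream\n" % len(body)
           + body + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + obj + b"%%EOF\n", script
```

Before repair the stream extractor sees no /FlateDecode filter and returns nothing, which is the same failure the analysts hit; after repair the embedded script inflates normally.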