Thursday, November 8, 2012

PIXSTEAL.A – Additional Information

On November 2nd, 2012, Trend Micro published a blog post  [1] on a newly discovered family of malware that exfiltrates pictures and crash dump files from an infected system. This is accomplished by recursively scanning the system for files having .jpg, .jpeg, and .dmp extensions and then uploading them to a compromised FTP server located in Germany. This server was taken offline on November 5th, 2012 and appears to have been recently brought back online. Initial analysis of this server indicates that files had been extracted from a machine of English-speaking origin. [2]

While it may seem peculiar that PIXSTEAL.A discriminates against a specific contingent of files, its utility in supporting information gathering operations becomes obvious when considering the amount of information commonly stored within these data formats. Image files (.jpg and .jpeg) intuitively yield intelligence on assets and individuals when treated as a visual medium, but can also reveal specific geolocational data derived from embedded metadata.  Crash dump files (commonly Windows BSOD by-products), in this case, are most likely used to identify specific information regarding the system or targeted application.  While the purpose of retrieving .dmp files is unclear at this time due to the lack of information regarding infected hosts, presumably, its author sought an easy method to gather information on its target without leveraging Windows APIs and potentially flag heuristic-based anti-virus.

PIXSTEAL.A has no persistence mechanisms and appears to be a single-shot operation. Upon execution, the malware spawns a child cmd.exe process that enumerates files, copies them to the root drive, exits the child process and then uploads the appropriate files to the FTP server, then terminates.

Additional analysis of PIXSTEAL.A suggests that this malware is Chinese in origin and likely authored by a student within the Habei province based on conventions observed in the Visual C++ program debug path (although, this is not 100% conclusive at this time):

C:\c++\MSDev98\MyProjects\good\Debug\good.pdb

As many articles are spurring up on the internet, construing this threat as the means to blackmail targeted individuals, it is important to make mention of the unlikelihood of this being a primary objective based on its current stage of development .

Based on the reports of other researchers, the sample discussed in this blog post is the only known sample that has been reported circulating in the wild. As the malware uploads files to the FTP server, it does so in an unorganized fashion in that it makes no effort to uniquely identify groups of data for later correlation. This lack of organization inherently makes it difficult to carry out large scale espionage operations and alludes to a threat that either highly customized in that custom servers are hard coded relative to their target or that this is a project in early stages of development (beta). 

As always, remain vigilant: Update your anti-virus and don’t click on weird links in your e-mail.

Details regarding this threat are provided below.

Sample Characteristics:

MD5: b9db4cb77654c9b70a2bc447c1f686de
Compilation Date:
2012/10/29 14:23:06 UTC
Ssdeep:  
3072:dWmh58R8SB40f5n5MLhPEg+mediZo2jv/0UoRjw:1hCfd2VPEgBEiZo2jv/yjw

System Interactions:

Files Created: None.
Persistence Mechanism: None.

Network Interactions:

FTP Server: 176.9.208.90 (Host is a web server for multiple sites)

Historically Associated Host Names: 
haideralwaili.org
www.iraq-al3z.com
basragov.net
ammar-yousif.com
Al-garam.net
ql-love.com
Wasitic.com
itehad-bc.com
iraqeon-host.net

Additional Information:
176.9.208.90 has had a history of compromise and more than likely has a longstanding vulnerability that has allowed for authentication bypass/code execution.

On March 12th, 2012, al-garam.net was reported to zone-H for defacement:


On September 30th, 2012 ammar-yousif.com (176.9.208.90) was reported to Zone-H for defacement:



Analysis of other websites hosted on this server demonstrate another longstanding defacement:




References:
[1] - http://about-threats.trendmicro.com/us/malware/TSPY_PIXSTEAL.A
[2]- http://www.xylibox.com/2012/11/w32pixsteala.html