Symantec researcher delves into the technology of a backdoor attack

According to John McDonald, a security analyst with Symantec's Ireland-based R&D operation, he and his team analysed one of the exploits targeted by the latest Microsoft Patch Tuesday updates by running it on a honeypot computer. They found that the offending emails had been sent from a webmail service and were written either to ask for advice or to thank the recipient for his or her assistance.

The emails, he noted, included a link to a Chinese restaurant's website, and the destination web page contained the exploit for an Internet Explorer 8 vulnerability.

"Although the scenario in question might be referred to as a 'targeted attack,' there are of course degrees of sophistication involved in every attack, and definitions of what is and is not a targeted attack tend to vary somewhat", he says in his latest security posting.

McDonald, with the assistance of fellow researcher Henry Bell, goes on to say that the emails seen did not target the recipient well and, in the environment in which they were presented, stuck out like a sore thumb, which raises the question of whether this was indeed a targeted attack or just a random phishing expedition.

"Either way, given that the exploit was hosted on a web page belonging to the Chinese restaurant, the easiest way to force the compromise of one of our honeypot computers was to simply browse to that page using a vulnerable version of Internet Explorer", he said.

"We braced ourselves for the impact, and with one seemingly innocent click of the mouse, the exploit triggered and our honeypot computer was duly compromised", he added.

And here is where it gets interesting, Infosecurity notes: the exploit's shellcode downloaded and installed a back door that then contacts 323332.3322.org, a hostname on a dynamic DNS service based in China, over TCP port 80 and awaits further commands.

It is, says McDonald, interesting to note that the attacker used a brand-new exploit to compromise the computer, but then relied on a very old back door – detected by Symantec in January 2010 – to set up remote access.

Just a few minutes after the back door was installed, the attacker began reconnaissance of the compromised computer, issuing commands that listed the running processes on the infected machine, which the researcher says indicates a human looking at the data rather than an automated bot.

"You can also see the attacker tried to connect to one of the networked devices using the administrator account. They failed, by design", he noted.

After a further series of commands, the remote operator installed the Gh0st RAT tool, after which the majority of the monitoring traffic to China was encrypted, with the sessions alternating between the original host at 323332.3322.org and a second command-and-control server at honeywells.tk.

After this, the attacker started uploading the PC's Outlook Express file and the default browser bookmarks to their servers.

"During the short period we monitored the attack before disconnecting the honeypot computer from the internet, we observed intermittent bursts of activity, but the majority of it took place soon after the honeypot computer was compromised", he said.

"In total, there were approximately 2.5 megabytes of traffic to our honeypot computer originating from the attacker’s two computers, and about 9 megabytes of traffic outbound", he added.
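Two of the indicators in this account are visible in an ordinary proxy or firewall log without any payload inspection: a back door beaconing to a hostname under a dynamic DNS zone on TCP port 80, and a session in which outbound volume (about 9 MB) dwarfs the inbound (about 2.5 MB), the signature of a file being uploaded rather than downloaded. The script below is an added example by the editor, not Symantec's tooling and not code from the original article. It runs over constructed proxy log lines; the two hostnames 323332.3322.org and honeywells.tk are the ones named above, while every other host, client address, byte count and threshold is an assumption chosen for illustration. It flags client/host pairs that either contact a watched dynamic-DNS suffix or push far more data out than they pull in.

```python
"""Hunt for dynamic-DNS C2 beacons and lopsided transfers in proxy-style logs."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple

# Watched suffixes: 3322.org is the Chinese dynamic-DNS zone named in the
# article, .tk is the free TLD of the second C2 host. A real watchlist would be
# fed from threat intelligence; these two are simply the page's own indicators.
SUSPECT_SUFFIXES = ("3322.org", "tk")

# Thresholds are assumptions chosen for this example, not values from the article.
EXFIL_RATIO = 2.0          # flag when bytes_out exceeds this multiple of bytes_in
EXFIL_MIN_OUT = 1_000_000  # ...but only once at least 1 MB has left the client

# Constructed sample log (not Symantec honeypot data). Field order:
# timestamp client dest_host dest_port bytes_out bytes_in
SAMPLE_LOG = """\
2010-03-09T10:01:02 10.0.0.5 www.restaurant.example 80 512 38000
2010-03-09T10:02:10 10.0.0.5 323332.3322.org 80 120 900
2010-03-09T10:07:15 10.0.0.5 323332.3322.org 80 4100 76000
2010-03-09T10:12:30 10.0.0.5 honeywells.tk 80 2200000 410000
2010-03-09T10:12:45 10.0.0.5 323332.3322.org 80 2900000 300000
2010-03-09T10:30:00 10.0.0.5 honeywells.tk 80 4400000 1500000
2010-03-09T10:35:00 10.0.0.7 updates.vendor.example 80 900 250000
2010-03-09T10:40:00 10.0.0.7 honeywells.tk 80 100 200
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<out>\d+)\s+(?P<in>\d+)$"
)


class Flow(NamedTuple):
    ts: str
    client: str
    host: str
    port: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


def parse_log(text: str) -> list[Flow]:
    """Parse 'ts client host port bytes_out bytes_in' lines; malformed lines are skipped."""
    flows: list[Flow] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["ts"], m["client"], m["host"].lower(), int(m["port"]),
                          int(m["out"]), int(m["in"])))
    return flows


def is_suspect_host(host: str) -> bool:
    """True if host is a watched suffix or a subdomain of one.

    The match is label-aligned, so 'a3322.org' does not match '3322.org'.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SUSPECT_SUFFIXES)


def analyse(flows: list[Flow]) -> dict[tuple[str, str], list[str]]:
    """Aggregate bytes per (client, host) and return the flagged pairs with reasons."""
    totals: dict[tuple[str, str], list[int]] = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        t = totals[(f.client, f.host)]
        t[0] += 1              # sessions
        t[1] += f.bytes_out
        t[2] += f.bytes_in

    findings: dict[tuple[str, str], list[str]] = {}
    for pair, (_sessions, out, inn) in totals.items():
        reasons = []
        if is_suspect_host(pair[1]):
            reasons.append("dynamic-dns-host")
        # Exfiltration heuristic: a lot left the client and little came back.
        if out >= EXFIL_MIN_OUT and out > EXFIL_RATIO * max(inn, 1):
            reasons.append("outbound-heavy")
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), reasons in sorted(analyse(parse_log(SAMPLE_LOG)).items()):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

On the constructed data the honeypot client 10.0.0.5 is flagged for both C2 hosts on both grounds, while the second client's single tiny contact with honeywells.tk is flagged only for the hostname. The byte-ratio heuristic on its own will also trip on legitimate uploads (backups, webmail attachments), so treat it as a hunting lead to be combined with the watchlist hit and with timing, since in the case above the bulk of the activity came within minutes of the compromise.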

"So, be aware that the next time you click a URL in an email, you might get a lot more than you bargained for. Keep your security software up to date, and when Microsoft releases those patches, get 'em quick. Believe me, the bad guys are counting on you not doing so."
