Anatomy of an adware install

A bit of analysis I had to do in the past couple days. I'm sharing because I don't do this all that often. I'm pretty handy with wireshark, so I got asked to interpret a capture of an infection process.

The sequence of events, as near as I can figure:
  • User runs the bad file
  • postcard.exe checks http://whatismyip.com/autmation/n09230945.asp to get the local IP address
  • File throws them at Hallmark.com displaying the ecard. Awww.
  • Hallmark throws the user some advertising from a bunch of places.
  • 5 minutes pass where nothing happens
  • Postcard.exe does an HTTP POST to 85.12.43.102 (Netherlands) with encrypted data
  • 85.12.43.102 replies with a bunch of encrypted data. Presumably, this is the command file.
  • Postcard.exe opens three connections to 82.98.235.205 (Belgium), getting a trio of windows files of some kind. I think they're DLL files that complement postcard.exe. That or the chopped up pieces of javawm.exe.
  • Postcard.exe does an HTTP POST to 85.17.169.56 (Netherlands) with a bunch of HTTP headers populated with crypted data.
  • 85.17.169.56 replies with an HTTP 200/OK, a bunch of HTTP headers that contain redirection servers, stats servers, and other information useful for adware, as well as a 143KB file of some kind.
  • Infected computer connects to 83.149.75.33 (Netherlands) and does an HTTP GET with a series of parameters. This is probably a status message of some kind. Remote side returns 404-not-found.
  • 5 minutes pass where nothing happens on the network, but the local machine falls deeper into the clutches of the adware czars.
  • Someone launches IE, and it goes to http://runonce.msn.com/, the default XP home page. Probably just to see what happens.
  • HTTP connection to Key Bank, redirected to https://www.key.com/, where I can't see squat. SSL doing its job.
  • Parallel to the KeyBank connection, an SSL connection to 216.236.233.68, an IP hosted in Denmark. This resolves to "key.tcliveus.com", which is very probably legitimate traffic directed by www.key.com.
  • Connection to 83.149.115.156 (Netherlands), almost definitely the adware. Phoning in that IE went to http://runonce.msn.com/. The reply directs the client to connect to 82.98.235.58. Meanwhile, keybank session continues.
  • SSL Connection to 66.235.132.62, a host in the 2o7.net advertising network. Very probably legitimate from Key Bank.
  • HTTP connection to 82.98.235.58 (Netherlands), as directed. Supplies URL given to it by 83.149.115.156. Server returns the URL http://privacyscanner15.com/sysgd09_2/3/10232 (don't go there). Meanwhile, Keybank session continues.
  • HTTP connection to 209.249.222.48, which is privacyscanner15.com, with the supplied URL.
  • Key Bank session finishes cleanly.
  • HTTP connections to privacyscanner15.com, clearly rendering the page, pulling graphics and the evil javascripts.
  • Key Bank session resumes. SSLed, so I have no idea what's going on.
  • HTTP connection to 83.149.75.33, but I can't tell what it does because…
  • End of capture.
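
The same sequence can be turned into a detection pass over proxy or flow logs. The script below is an added example, not from the original post or any tool it mentions: it flags the three tells the capture shows (an IP-lookup fetch, POSTs to bare IP addresses, and a POST that follows minutes of silence). The log format and the sample lines are constructed for the example, with RFC 5737 documentation addresses in place of the real servers.

```python
import ipaddress
from datetime import datetime, timedelta

# Hosts that an automated check tends to hit; the installer fetched its
# public IP from whatismyip.com before doing anything else.
IP_LOOKUP_HOSTS = {"whatismyip.com"}
QUIET_GAP = timedelta(minutes=4)  # the capture showed ~5 minutes of silence before the POST

def is_ip_literal(host: str) -> bool:
    """True when the Host is a bare IP rather than a name (no DNS involved)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_indicators(records):
    """Return (index, tag) pairs for requests matching the install pattern.
    records: list of dicts with 'ts' (datetime), 'method' and 'host'."""
    hits = []
    prev_ts = None
    for i, r in enumerate(records):
        if r["host"].lower() in IP_LOOKUP_HOSTS:
            hits.append((i, "ip_lookup"))
        if is_ip_literal(r["host"]) and r["method"] == "POST":
            hits.append((i, "post_to_ip_literal"))
            if prev_ts is not None and r["ts"] - prev_ts >= QUIET_GAP:
                hits.append((i, "post_after_quiet"))
        prev_ts = r["ts"]
    return hits

def parse_log(lines):
    """Constructed log format: 'HH:MM:SS METHOD host path', one request per line."""
    out = []
    for line in lines:
        ts, method, host, _path = line.split()
        out.append({"ts": datetime.strptime(ts, "%H:%M:%S"), "method": method, "host": host})
    return out

# Constructed sample that mirrors the order of events in the capture.
SAMPLE_LOG = [
    "12:00:00 GET whatismyip.com /automation/ip.asp",
    "12:00:02 GET www.hallmark.com /ecard",
    "12:05:10 POST 192.0.2.10 /",
    "12:05:15 GET 198.51.100.7 /part1",
    "12:05:20 POST 192.0.2.20 /",
    "12:11:00 GET www.example.com /",
]

if __name__ == "__main__":
    for i, tag in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"{SAMPLE_LOG[i]}  <- {tag}")
```

On the sample, the lookup and the first POST (which comes after a five-minute gap) are flagged, while the second POST is flagged only for its bare-IP destination.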
Ripping into the javascript with a very, very handy Firefox plugin called "JavaScript Deobfuscator", I hit the page from my Linux machine to see what those scripts did. If you click "yes", it forces the download of an executable file that contains a Trojan. I haven’t unpacked it to see what it does.

This is pretty clearly the trace of an adware installer. However, the adware points the user to a site where they'll get further infected first thing. Depending on how gullible the user is, they may or may not fall for it.

All the Netherlands addresses come from the same netblock owner, a place called “LeaseWeb”.