Malware Attacks on Solid Oak After Dispute with Greendam



A while back I posted an analysis of attacks on Solid Oak (the makers of CyberSitter) after a dispute with a Chinese firm that produced GreenDam over stolen code. Rob Lemos covered the story and also revealed that the law firm representing Solid Oak subsequently came under a similar targeted malware attack. The story has surfaced again, this time in connection with APT. I’ve reposted the original from malwarelab.org below.

Malware Attacks on Solid Oak After Dispute with Greendam

By Nart Villeneuve

After researchers discovered that portions of China’s Greendam filtering software were stolen from an American filtering company’s software, Cybersitter, the company that produces the software, Solid Oak, same under a targeted malware attack. This short post from the Malware Lab (www.malwarelab.org) analyzes two samples from the attacks.

Findings:

  • The delivery component of the attacks specifically targeted Solid Oak. In one case the attackers registered and used a Gmail account that was a misspelling of of a Solid Oak employees name and used it to send an email about a contextually relevant topic.
  • These targeted emails contained (or linked to) malicious files that, if opened, caused the targets computer to become infected with a Trojan Horse program.
  • In both cases the Trojan connects to (related) web servers but requests seemingly legitimate files. However, at certain times the attackers insert HTML command tags into these files with commands.

Background

In June 2009, it was reported that the Chinese government was requiring the installation of filtering software, known as Green Dam, on all personal computers sold in China.1 Researchers from the University of Michigan analyzed Green Dam and discovered security vulnerabilities that would allow malicious attackers to take control of any computer running Green Dam.

In addition, they found that portions of Green Dam’s block lists were taken from a U.S. Company, Solid Oak, that produces a filtering product called CyberSitter, and that the image filtering component was taken from OpenCV, an open source project.2 Bryan Zhang, the founder of Jin Hui, the company that created Green Dam, denied that Green Dam contained stolen code and stated that it was “impossible”.3 Solid Oak released a report detailing the incident and is reportedly seeking legal action against PC manufacturers that are shipping computers with Green Dam installed.4

On June 25, 2009 reports emerged stating that Solid Oak was under attack. In addition to “server problems” company executives began receiving suspicious emails.5

The following is an analysis of samples of malware sent to Solid Oak.

Sample 1

On June 25, 2009 an email message was sent to Brian Milburn, the CEO of Solid Oak, from “jenna.dipaquale@gmail.com”; Jenna DiPasquale (note the missing “s”) is the head of public relations for Solid Oak.

Date: Thu, 25 Jun 2009 05:49:18 -0400
Subject: This is the Jinhui Computer System Engineering Inc’s report about China’s Green Dam Youth Escort screening software.
From: Jenna DiPaquale
To: bmilburn@solidoak.com

This is This is the Jinhui Computer System Engineering Inc’s report about
China’s Green Dam Youth Escort screening software.
www.civis.com/jinhui_report.zipabout China’s Green Dam Youth Escort
screening software.
www.civis.com/jinhui_report.zip

The file, jinhui_report.zip, was no longer available at www.civis.com at the time of analysis so sample that Solid Oak provided was used. The zip file contains an executable:

Jinhui_Computer_System_Engineering_Inc_the_Chinese_government_officials_report.exe

However, Windows computers have a “feature” enabled by default that hides file extension cause the malicious executable to appear as if it is a directory/folder.6

When the malicious file is run (the user thinks he or she is opening a directory), a directory with the same name is created and the contents of that directory (a Word document, Jinhuisays.doc) is displayed to the user while malicious software is dropped on the system. The malicious file issues a connect to http://www.chuckfaganco.com/docs/rmscpt5.htm (76.76.146.89) (See Threat Expert for an automated report.7)

The User-Agent contains some interesting characters:

GET /docs/rmscpt5.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) z3?xwc.InfoPath.so
Host: www.chuckfaganco.com

The response contains a “command” in a HTML comment tag:

<!– {/*jgJ-.J} –>

This command has since been removed from the requested page.

After opening the malware, a document is displayed, Jinhuisays.doc, but it does not contain malware.8

Sample 2

The second sample is a Power Point file, “Solid Oak seteps up China’net nappy.ppt” that exploits a vulnerability in Power Point to drop a malicious file. (For automated reports see Threat Expert and Virus Total.) 9

The malware drops a file “Net110..exe” which issues a connection to http://www.parkerwood.com/help/403-3.htm. (69.20.4.85) (For an automated report see Threat Expert.)10

Unlike Sample 1, the User-Agent does not contain interesting characters:

GET /help/403-3.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;)
Host: www.parkerwood.com

This command appears as a html comment in the response:

<!– czox –>

base64 decode = s:1

It eventually changed to:

<!– czozMDA= –>

base64 decode = s:300

Other commands seen on www.parkerwood.com by accessing a variety of other pages throughout the site, such as /help/403-1.htm, /help/403-2.htm, /help/403-4.htm, /help/403-7.htm.

<!– czo0 –>

base64 decode = s:4

<!– czoyNDA= –>

base64 decode = s:240

<!– ZDpodHRwOi8vd3d3LnBhcmtlcndvb2QuY29tL2ltYWdlcy90b3AuZ2lm –>

base64 decode = d:http://www.parkerwood.com/images/top.gif

<!– {/*jgJ-nJ} –>

After dropping the Trojan, a Power Point presentation opens.

One interesting behaviour of this particular case is that the page(s) that the malware connects to change quite frequently. At times, command are inserted into the page in HTML comment tags only to be completely removed at a later time, sometimes within several hours of first appearing. These commands also change over time. In addition, sometimes pages are no longer present (404) but re-appear at a later time. At other times, all the pages are restricted (403).

Sample 2 connected to http://www.parkerwood.com/help/403-3.htm every 10 minutes. These connections were monitored starting at Fri Jul 10 14:50:01 2009 and after finally receiving a command Sat Jul 11 22:20:47 2009 the malware did not issue any further connections (the monitoring stopped at Wed Jul 15 08:11:44 2009).

Fri Jul 10 14:50:01 2009 – 403 Forbidden No Command
Fri Jul 10 23:10:16 2009 – 404 Not Found No Command
Sat Jul 11 22:10:46 2009 – 403 Forbidden No Command
Sat Jul 11 22:20:47 2009 200 OK <!– czozMDA= –> (base64 decode = s:300)

About Malware Lab

The Malware Lab (www.malwarelab.org) is an independent research collective comprised of volunteers that investigates and reports on politically motivated malware attacks, primarily against civil society organizations. The Malware Lab combines technical data with socio-political contextual analysis in order to better understand the capabilities and motivations of the attackers as well as the overall effects and broader implications of targeted attacks.

Notes

[1] http://www.nytimes.com/2009/06/09/world/asia/09china.html
[2] http://www.cse.umich.edu/~jhalderm/pub/gd/
[3] http://online.wsj.com/article/SB124486910756712249.html
[4] http://www.cybersitter.com/gdcs.pdf and
http://www.pcworld.com/businesscenter/article/167842/suit_over_chinas_web_filter_to_target_lenovo_acer_sony.html
[5] http://government.zdnet.com/?p=5034, http://government.zdnet.com/?p=5049,
http://www.informationweek.com/story/showArticle.jhtml?articleID=218101882
[6] http://www.f-secure.com/weblog/archives/00001675.html
[7] http://threatexpert.com/report.aspx?md5=783c50f221c339f244ac68b38fcd30af
[8] http://www.virustotal.com/analisis/33e5495969fd497c439d18e7ea3976845c5454b378764a7b5dd887eef6bc8a9e-
1247083107

[9] http://www.threatexpert.com/report.aspx?md5=86f7cc8f65522a9d7eed8adf22bb9772 ,
http://www.virustotal.com/analisis/d1a5e159bfcdf3a22abf521d91bc83dd70ac3b1155c46eac5106450df17eb56b-
1247073429

[10] http://www.threatexpert.com/report.aspx?md5=1778671314196147402789eeb0c6d89c

Post a comment.