Syrian Government Is Spreading Malware, or They Have Been Pwned

Posted: June 14, 2013 in Information Security

I was browsing my Facebook account and found myself reading this comment, posted by Mohammad Hammada, about the latest post of https://www.facebook.com/WWW.RTV.GOV.SY

خاص بلفضائية السورية means “Private to the General Organization of Radio and TV in Syria”.

The post claimed to disclose a list of names of killers linked to a massacre in Syria, along with a bunch of pictures (I don’t usually follow such posts, nor do I enter political debates), but the interesting part was the reply from people: “Be careful, there is malware inside”. I downloaded the file from http://www.mediafire.com; it was 239.29 KB!! (First thought: how many pictures are in there?)

Screenshot from 2013-06-14 03:24:02

In the RAR there were 5 JPGs (real pictures; I will not post them here due to their strong content) and one file called _1194cds62rcs.txt. It was easy to notice that the .txt wasn’t a real text file: if you take a look at the TYPE column in the RAR you will see “unknown”. I extracted all of them after making sure there was no autorun after extraction.

Screenshot from 2013-06-14 03:24:16

So, as we knew from the beginning, it is not a text file; it is an executable developed in .NET, targeting the MS Windows OS. Let’s go further and try to see what else we can get about this file.

1- Using http://www.virustotal.com/

The file is detected as a virus by 7 major AV solutions, so let’s make a static and dynamic analysis.
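The “unknown” type shown by the archiver is only a hint; the reliable way to tell what a file is, regardless of the extension it was given, is to look at its leading bytes and, for a Windows executable, at the PE header. The following is an added example (not the post’s own analysis script) that classifies a blob as JPEG, RAR, PE executable or plain text, and for a PE reads the machine type and checks the CLR runtime header data directory, which is non-empty only for .NET images. The `build_minimal_pe` helper constructs a header-only PE32 image purely so the check can be exercised offline; it is not the sample from the post and runs nothing.

```python
import struct

# Magic numbers of the file types that appeared in the archive described above.
JPEG_MAGIC = b"\xff\xd8\xff"
RAR_MAGIC = b"Rar!\x1a\x07"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-empty only for .NET images


def identify_file(data: bytes) -> dict:
    """Classify a blob by its content, ignoring whatever extension it was given."""
    info = {"kind": "unknown", "arch": None, "dotnet": False}
    if data.startswith(JPEG_MAGIC):
        info["kind"] = "jpeg"
        return info
    if data.startswith(RAR_MAGIC):
        info["kind"] = "rar"
        return info
    if data[:2] == b"MZ":
        try:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                info["kind"] = "pe-executable"
                machine = struct.unpack_from("<H", data, pe_off + 4)[0]
                info["arch"] = MACHINE_NAMES.get(machine, hex(machine))
                opt = pe_off + 24                                   # optional header follows the 20-byte COFF header
                magic = struct.unpack_from("<H", data, opt)[0]
                dirs = opt + (96 if magic == PE32_MAGIC else 112)   # offset of the first data directory
                num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
                if num_dirs > CLR_DIRECTORY_INDEX:
                    clr_va, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIRECTORY_INDEX)
                    info["dotnet"] = clr_va != 0 and clr_size != 0
                return info
        except struct.error:
            pass  # truncated or malformed header: fall through to the text heuristic
    # A blob made only of printable ASCII and line-ending bytes is plausibly a real text file.
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        info["kind"] = "text"
    return info


def build_minimal_pe(dotnet: bool, machine: int = 0x014C) -> bytes:
    """Constructed header-only PE32 image for testing the parser; it is not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x0102)  # SizeOfOptionalHeader = 224 (PE32)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes: all 16 directories present
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 72)  # CLR header RVA and size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples standing in for the archive members; the real file is not included here.
    samples = {
        "_1194cds62rcs.txt": build_minimal_pe(dotnet=True),
        "photo1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "readme.txt": b"nothing to see\r\n",
    }
    for name, blob in samples.items():
        print(f"{name:20} -> {identify_file(blob)}")
```

The .NET check is the one that matters here: any PE carries an `MZ` stub and a `PE\0\0` signature, but only a managed image has a CLR runtime header, so a “.txt” that reports `dotnet: True` is exactly the situation the post describes.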

Screenshot from 2013-06-14 03:43:52

Screenshot from 2013-06-14 03:44:18 Screenshot from 2013-06-14 03:44:24 Screenshot from 2013-06-14 03:44:37

+ Result of static analysis

1- We got the real entry point and the version of the .NET Framework used to develop the malware.

// Entry point: mc.Main

// Architecture: x86

// Runtime: .NET 2.0

2- The dependencies

// dmcl40 // kernel32.dll // rpcrt4 // urlmon // netapi32 // difxapi // opengl32 // odbc32 // ole32

// crypt32 // hhctrl // winfax // odbccp32 // iprop // faultrep // mpr // winusb // irprops // dbghelp

// credui // mscorsn // comctl32 // hid // dnsapi

3- The malware is obfuscated and encrypted; it detects the presence of debuggers and task managers.

Screenshot from 2013-06-14 03:59:03 Screenshot from 2013-06-14 03:59:15

I reversed the code and made a small script to decrypt it and pull out more information.

Screenshot from 2013-06-14 03:59:47

Screenshot from 2013-06-14 04:06:49

As a result from the script:

– It detects the presence of:

  • OllyDBg
  • SbieCtrl
  • mbam
  • taskmgr
  • HijackThis
  • Virtual PC
  • TEMemoryScanner

– Stores itself as cvtres.exe

– Uses kernel32 and ntdll to create a new process

– Queries and manipulates dozens of registry keys

– Queries a name server and communicates with it (I will soon disclose the information I can gather from the command center)

– Puts itself at start-up

The creator put a lot of effort into the obfuscation and encryption.

This group is the official Facebook group of http://www.rtv.gov.sy/.
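Once the strings are decrypted, the behaviours listed above can be picked out mechanically rather than by eye. The following is an added example (it is not the post’s decryption script and the sample strings are constructed, not recovered from the real file) that runs the indicator names given above over a list of decrypted strings: the anti-analysis tool names, the cvtres.exe masquerade name (cvtres.exe is the name of a legitimate Microsoft resource-converter tool, which is what makes it a plausible disguise), and an autostart registry key. The post says only “puts itself at start-up”, so treating a reference to the `CurrentVersion\Run` or `RunOnce` key as the persistence indicator is an assumption of this example.

```python
import re

# Anti-analysis tool names and the masquerade file name as listed in the analysis above.
ANTI_ANALYSIS_TOOLS = ("ollydbg", "sbiectrl", "mbam", "taskmgr", "hijackthis", "virtual pc", "tememoryscanner")
MASQUERADE_NAMES = {"cvtres.exe"}
# Assumption: "puts itself at start-up" is modelled as a reference to the Run / RunOnce key;
# the post does not name the exact key it saw.
RUN_KEY_RE = re.compile(r"software\\microsoft\\windows\\currentversion\\run(once)?(\\|$)", re.IGNORECASE)

# Constructed to resemble the output of a string-decryption script; not the real sample's strings.
SAMPLE_STRINGS = [
    "mc.Main",
    "OllyDbg",
    "SbieCtrl.exe",
    "taskmgr.exe",
    "%APPDATA%\\cvtres.exe",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "System.Net.Dns",
]


def triage_strings(strings):
    """Return, per category, the sorted indicators found in the decrypted strings."""
    hits = {"anti_analysis": set(), "masquerade": set(), "persistence": set()}
    for s in strings:
        low = s.lower()
        # Substring match: short names such as "mbam" can collide with unrelated words, so these
        # hits are a triage signal, not a verdict on their own.
        for tool in ANTI_ANALYSIS_TOOLS:
            if tool in low:
                hits["anti_analysis"].add(tool)
        # Compare only the file name component so any drop directory is matched.
        basename = re.split(r"[\\/]", low)[-1]
        if basename in MASQUERADE_NAMES:
            hits["masquerade"].add(s)
        if RUN_KEY_RE.search(low):
            hits["persistence"].add(s)
    return {k: sorted(v) for k, v in hits.items()}


def assess(hits):
    """Combine the categories into a (suspicious, reasons) pair."""
    reasons = []
    if len(hits["anti_analysis"]) >= 2:
        reasons.append(f"checks for {len(hits['anti_analysis'])} analysis tools by name")
    if hits["masquerade"]:
        reasons.append("drops itself under a Microsoft tool name: " + ", ".join(hits["masquerade"]))
    if hits["persistence"]:
        reasons.append("references an autostart registry key")
    return bool(reasons), reasons


if __name__ == "__main__":
    found = triage_strings(SAMPLE_STRINGS)
    suspicious, why = assess(found)
    for category, items in found.items():
        print(f"{category:14}: {items}")
    print("suspicious:", suspicious, "-", "; ".join(why))
```

The same three categories map onto host-side checks a defender can make without the binary: a process enumerating tool names it has no reason to know about, a cvtres.exe living outside the .NET Framework directories, and a Run-key entry pointing at it.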

Screenshot from 2013-06-14 04:32:10

 Screenshot from 2013-06-14 06:10:23

Site: http://www.rtv.gov.sy
Netblock Owner: 190 Internet Service Provider
Domain: gov.sy
Nameserver: ns1.tld.sy
IP address: 82.137.248.19
DNS admin: dns@tld.sy
IPv6 address: Not Present
Reverse DNS: unknown
Domain registrar: unknown
Nameserver organisation: unknown
Organisation: unknown
Hosting company: net.sy
Top Level Domain: Syria (.sy)
DNS Security Extensions: unknown
Hosting country: SY

Netblock owner: 190 Internet Service Provider
IP address: 82.137.248.19
OS: Windows Server 2008
Web server: Microsoft-IIS/7.5
Last changed: 2-May-2013

A governmental page with a high PageRank on Google.

Screenshot from 2013-06-14 04:40:19

There are two hypotheses:

1- This was really done by the government

2- Someone hacked the account and did it

But if the Syrian government is spreading malware using Facebook pages, I can’t imagine how many exploits they are launching through the web site itself. This looks like a science fiction movie, but the reality is that we are facing a time where cyberspace is the battlefield. I hope this can serve as an alert message to everyone: be careful when you are wired, and don’t rely on AV solutions only.

===== Update June 14, 2013 at 4:51

The Syrian official web site http://www.rtv.gov.sy/ acknowledged losing the Facebook page: http://www.rtv.gov.sy/index.php?d=21&id=122915

Screenshot from 2013-06-14 12:45:31
