DistTrack

New Threat: DistTrack

Sourcefire is aware of at least one ongoing incident in the energy vertical involving a threat named "DistTrack".  This is a new, destructive threat that has not perviously been seen in the wild.  At this time, the earliest known sightings were on 8/14.  Preliminary indications are that this malware is currently targetted in nature as no wide-spread activity has been detected.

This threat involves several files that perform different functions.  The core of the malware set is a 32-bit executable named trksvr.exe and is internally identified as "Distributed Link Tracking Server".  This file purports to be from Microsoft Corporation with a version number of 5.2.3790.0.  This file is responsible for dropping additional files involved in the malware set.  In some cases this file has been reported as str.exe.

The trkssvr.exe file drops three files: a reporter executable, a data destruction executable and 64-bit executable, also named tsksvr.exe that runs as a service.  The reporter executable is responsible for communicating with a C&C server.  An interesting part of this executable is that its hard-coded with the C&C address in the .rdata block, as well as a URL for communicating.  The URL in .rdata is /ajax_modal/modal/data.asp and the construct for reporting is http://%s%s?%s=%s&%s=%s&state=%d (you'll see the parameter names mydata and uid as separate unicode strings in .rdata as well).  While communicating with the C&C server, it uses "you" as the user-agent string.  The request appears on the wire as:

GET /ajax_modal/modal/data.asp?mydata=AA==&uid=aaa.bbb.ccc.ddd&state=3067203 HTTP/1.0
User-Agent: you

The danger from this malware comes from the data destruction component.  In short, this application does not pull any punches.  Four hours after infection, it overwrites data files with a portion of a jpeg file, targetting files in "Documents and Settings", "Users", "Windows\System32\Drivers and "Windows\System32\Config".  Once this is done the file overwrites the MBR of the machine, rendering it unable to boot.  Any analysis of this malware should occur only on virtual machines or on computers you are ready to completely rebuild.

已经处理!