IE hangs or The anatomy of an Adobe exploit trojan
I pride myself on being pretty knowledgeable in computer security and protecting my systems.
I do all the things they say you should do: protect systems with a firewall, run antivirus, don't click on attachments in emails, and install patches from Microsoft as soon as they come out.
I knew something was wrong soon after I started using the tab feature in IE 7 on Windows XP SP3. Everything was fine as long as I only opened one site in each IE window. Opening multiple sites with tabs would cause IE hangs that required me to kill iexplore.exe with task manager. When I closed IE normally, I would often see instances of iexplore.exe still running in task manager. In general, IE was so slow that I preferred to use Firefox.
The problem took a strange turn when I tried to run a DOS command shell (cmd.exe) using the XP Run function (the Run option on the Start menu) and saw the entire screen flash and watched the Windows desktop reload, as if I had just logged into Windows.
I had also been running some scheduled tasks on my computer that used the command shell that were no longer working AND I NEEDED THEM TO WORK! Now it was getting in the way of my work and I knew I had a serious problem!
I spent the next several hours in Google searching for:
cmd not working
command prompt disabled
cmd problems
cmd flash
Most of the pages suggested reinstalling cmd.exe (the command interpreter) or using command.com instead. I tried the re-install. No joy.
I finally hit paydirt when I found this page:
This exactly described my symptoms.
And I also found another symptom when I tried to investigate the problem:
A regedit problem. Regedit not working confirmed that I was infected with a Trojan.
I copied regedit.exe to my desktop and renamed it to reg.exe.
I went to [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
Looking at the entries I found this
"aux2"="C:\\WINDOWS\\system32\\..\\owco.edj"
These pages gave me more help:
http://www.bleepingcomputer.com/forums/topic222460.html
See Update2 on this page:
http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html
The "C:\\WINDOWS\\system32\\..\\" prefix was yet another attempt by the trojan writer to hide his work: the ".." steps back up out of system32, so the value actually pointed to c:\windows\owco.edj, not to anything in c:\windows\system32.
And there it was in the Windows directory, the actual trojan “owco.edj” was an executable file. It hadn’t been detected by my antivirus or ANY spyware scanner I used on my system.
Another interesting thing is that the filename appears to be randomly generated and it won’t be the same on your system.
The clue is the odd file specification.
I removed the entire "aux2" entry from the registry and rebooted my system.
All the symptoms disappeared and cmd.exe and regedit.exe were working again.
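As an added illustration (this is not part of the original post), here is a small Python check that parses a regedit export of the Drivers32 key and flags entries with the odd file specification described above: a path containing "..", a path that resolves outside system32 once the ".." is collapsed, or a file extension no audio driver would normally have. The sample export, the system32 location and the list of "expected" extensions are all assumptions constructed for this example; on a real machine you would export the key with regedit (File > Export, or `regedit /e`) and feed that file in instead.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: a regedit (.reg) export of the Drivers32 key with a few
# ordinary-looking entries plus a planted "aux2" like the one found on the
# infected machine. Backslashes are doubled because that is how .reg files
# escape them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"
"aux2"="C:\\WINDOWS\\system32\\..\\owco.edj"
'''

# Assumed location of the system directory on an XP box.
SYSTEM32 = r"C:\WINDOWS\system32"
# Extensions usually seen in Drivers32 values (a heuristic list, not official).
EXPECTED_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_values(reg_text: str) -> Dict[str, str]:
    r"""Return {value_name: path} for the string values in a .reg export.

    .reg files escape backslashes as \\ and quotes as \", so both are undone.
    """
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            values[name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return values


def resolve_driver_path(value: str) -> str:
    r"""Collapse '.' and '..' the way the loader will, so that
    C:\WINDOWS\system32\..\owco.edj becomes C:\WINDOWS\owco.edj.
    Bare filenames (normal for this key) come back unchanged."""
    return ntpath.normpath(value)


def check_drivers32(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Flag Drivers32 entries that look planted.

    Each finding is (value name, resolved path, list of reasons).
    """
    findings: List[Tuple[str, str, List[str]]] = []
    for name, raw in parse_reg_values(reg_text).items():
        reasons: List[str] = []
        resolved = resolve_driver_path(raw)

        # A legitimate driver entry has no reason to climb out of system32.
        if ".." in raw.split("\\"):
            reasons.append("parent-directory traversal in path")

        # Absolute paths that do not land in system32 after normalisation.
        directory = ntpath.dirname(resolved)
        if directory and ntpath.normcase(directory) != ntpath.normcase(SYSTEM32):
            reasons.append(f"resolves outside system32: {directory}")

        # Random-looking extensions such as .edj are a strong hint.
        if ntpath.splitext(resolved)[1].lower() not in EXPECTED_EXTENSIONS:
            reasons.append("unusual extension for a Drivers32 entry")

        if reasons:
            findings.append((name, resolved, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in check_drivers32(SAMPLE_REG):
        print(f'"{name}" -> {path}')
        for reason in reasons:
            print("    ", reason)
```

The check deliberately works on an exported file rather than the live registry, so it can be run from a clean machine against an export taken from the suspect one; given that cmd.exe and regedit were both being hijacked on the infected box, that is also the safer place to do the analysis.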
Since I'm a paranoid individual, I decided to make sure and downloaded and ran the following great (recommended) free tools:
SuperAntispyware
Malwarebytes’ Anti-malware
I also recommend the following tools to “clean up” your system (removing temp files and other junk) before running the scan.
CCleaner
ATF-Cleaner
The short of it is that none of these tools found anything wrong with my system.
So how had this Trojan gotten on my system?
Just one word: Adobe reader.
http://isc.sans.org/diary.html?storyid=3958
A vulnerability in all Adobe Reader versions prior to 9.1.1, released in mid-May 2009, allows an attacker to take over a user's system when a malicious PDF is opened.
The most active Trojan exploiting this vulnerability is called JS downloader.Agent/TrojanGumblar:
http://www.phpbb.com/blog/2009/05/22/dealing-with-gumblar-and-martuz/
http://news.cnet.com/8301-1009_3-10251779-83.html
It consists of two parts:
(a) The Trojan I'd detected on my machine, which sits and listens for FTP logins and captures usernames and passwords.
In addition, it modifies Google search results to point to sites infected with OTHER trojans.
(b) Other compromised machines then use the captured FTP credentials to modify web pages (.html, .js, .php) on legitimate websites, inserting JavaScript that infects every visitor with a vulnerable Adobe Reader with the Trojan.
The mode of attack is very effective because:
(1) A fully patched and "secure" website can be compromised, because the attacker logs in with valid, stolen FTP credentials rather than exploiting a flaw in the site.
(2) Adobe Reader is one of the most common pieces of software on PCs.
(3) It works in almost any browser, since the bug is in Adobe Reader and not in the browser itself.
(4) It isn't detected by most antivirus packages.
(5) Adobe waited too long to patch the problem.
So what are the lessons here?
(1) You need to keep EVERY piece of software updated with the latest patches, not just Windows.
(2) Don't use FTP; use SCP or SFTP instead. FTP sends the username and password in the clear, which is exactly what this Trojan listens for. Encrypting the login does not undo a compromise that has already happened, so also change every FTP password that was ever used from a machine that turned out to be infected.
(3) Only visit sites you can trust.
(4) Pay attention to the "This site may harm your computer" alerts in Google search results.
(5) Consider disabling the Adobe Reader browser plugin until this issue dies down, so that PDFs are not opened automatically inside the browser.