“Default User” Temporary Internet File weirdness
by sharpe on Jul.27, 2009, under Malware, Security
The other day I was looking at a friend’s computer. I was browsing his user profile directory in search of something interesting to show him and came across something that I had never seen before: the Default User’s Temporary Internet Files directory was filled with temporary Internet files (hence its name), as though this user had been using Internet Explorer to browse the Internet, which is not possible when using Windows normally. Furthermore, he mentioned that his anti-virus (Trend Micro OfficeScan: TM) had identified the file “C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\SN8PI1DA\raedwev[1].jpg” as WORM_DOWNAD.DAM. According to the file extension it was an image (JPG), but the content of the file appeared to be binary in nature. I uploaded the file to VirusTotal but the results came back blank.
A couple of hours later I came to the conclusion that another computer had probably attempted to infect his computer with the Conficker worm by exploiting the vulnerability described in MS08-067. This assumption was based on the presence of the mentioned file in the default user’s (Default User) Temporary Internet Files directory.
The Default User profile is used as a template for new user profiles, and it is not possible to log on as this user, so its Temporary Internet Files directory should stay empty. If that directory does become populated with cache files, a likely explanation is that Internet Explorer, or something using Internet Explorer’s download components, has at some point run with SYSTEM privileges: a SYSTEM process that has no user profile loaded falls back to the Default User folders for its cache (start Internet Explorer as SYSTEM, browse the Internet, and you will see what I mean, which is a really bad idea in itself). Normally, when a user runs Internet Explorer, it runs with that user’s privileges. Internet Explorer components running with SYSTEM rights is therefore unusual, and unusual here means probably malicious.
Assuming that my friend’s computer was vulnerable to MS08-067 (it was), a successful exploitation attempt results in attacker code running inside the Server service, which runs as SYSTEM, and, depending on the exploit payload, possibly a new process with SYSTEM privileges. The Conficker worm (WORM_DOWNAD) spreads by exploiting MS08-067 and then, with those SYSTEM privileges, calls the URLDownloadToFileA() API in urlmon.dll to download additional files (configurations, payloads, etc.). urlmon.dll is one of Internet Explorer’s core components, and a download through URLDownloadToFileA() goes through the same WinINet cache that Internet Explorer itself uses, so it is as if Internet Explorer were retrieving the file. This means that any file downloaded in this way is first written to the Temporary Internet Files directory of the profile the calling process is using (for a SYSTEM process without a loaded user profile, Default User) before being copied to whatever destination path the caller passed to the API.
While the Conficker payload was being downloaded, my friend’s anti-virus identified the malicious payload and interrupted the download before it completed, which is what caused TM to issue the initial alert. TM identified the file as WORM_DOWNAD.DAM because the payload had not been completely downloaded and was therefore damaged, hence the suffix in the name TM issued: .DAM for damaged.
If you see temporary Internet files in the Default User’s Temporary Internet Files directory, you may want to have a closer look. Hiding malicious payloads in TMP and JPG files (among others) is common play for malware, so keep an eye out for these. A quick check is to compare a file’s first bytes with what its extension claims: a “JPG” that begins with the MZ header of a Windows executable is not an image. Check out NASTI (below), which will help you identify the presence of such files.
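As an added example (this is not the NASTI tool mentioned above, nor code from the original post), the following Python script does the two checks described in this post: it walks the Content.IE5 layout under a Default User profile’s Temporary Internet Files directory, reports every cached file it finds there (any hit is suspicious, since nobody can log on as that user), and compares each file’s leading bytes against its extension so that a “.jpg” starting with an MZ executable header is flagged. The profile root, the subfolder name, the file names (borrowed from the path above) and the file contents are constructed demo data written to a scratch directory, not material from a real infection.

```python
"""Triage an Internet Explorer cache tree under a profile that should never have one.

Added example for this post; not the NASTI tool and not code from the original
article.  Walks the Content.IE5 layout IE uses on Windows XP under
"Temporary Internet Files", lists every cached file in the Default User
profile and checks each file's leading bytes against its extension.
All paths and file contents below are constructed demo data.
"""
import os
import tempfile

# Leading bytes ("magic") for extensions malware likes to hide behind.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
PE_MAGIC = b"MZ"  # DOS/PE executable header, whatever the filename says


def classify(path):
    """Return 'executable', 'mismatch', 'unknown' or 'ok' for one cached file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return "executable"          # a PE image, regardless of extension
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown"             # e.g. .tmp: no rule, still worth a look
    if any(head.startswith(m) for m in expected):
        return "ok"
    return "mismatch"                # extension claims one format, bytes say another


def scan_cache(tif_root):
    """Walk Content.IE5 under a Temporary Internet Files directory.

    Returns sorted (path relative to Content.IE5, verdict) pairs.  index.dat is
    the cache's own bookkeeping file and is skipped; everything else is content
    some process fetched through WinINet/urlmon while using this profile.
    """
    content = os.path.join(tif_root, "Content.IE5")
    findings = []
    for dirpath, _dirs, files in os.walk(content):
        for name in files:
            if name.lower() == "index.dat":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, content).replace(os.sep, "/")
            findings.append((rel, classify(full)))
    return sorted(findings)


def triage_default_user(profiles_root):
    """Scan the Default User cache below a profiles root such as C:\\Documents and Settings."""
    tif = os.path.join(profiles_root, "Default User", "Local Settings",
                       "Temporary Internet Files")
    return scan_cache(tif)


def build_sample_tree(profiles_root):
    """Create a constructed Default User cache with four demo files (not real malware)."""
    content = os.path.join(profiles_root, "Default User", "Local Settings",
                           "Temporary Internet Files", "Content.IE5")
    sub = os.path.join(content, "SN8PI1DA")   # IE names these subfolders randomly
    os.makedirs(sub)
    with open(os.path.join(content, "index.dat"), "wb") as fh:
        fh.write(b"Client UrlCache MMF Ver 5.2")   # bookkeeping, ignored by the scan
    samples = {
        "banner[1].gif": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # JPEG bytes behind a .gif name
        "logo[1].jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,    # a genuine (truncated) JPEG
        "raedwev[1].jpg": b"MZ\x90\x00" + b"\x00" * 60,       # PE header behind a .jpg name
        "update[1].tmp": b"\x7f\x00\x12\x34" + b"\x00" * 8,   # no rule for .tmp
    }
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)


def demo_findings():
    """Build the sample tree in a scratch directory and return the triage result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_default_user(root)


if __name__ == "__main__":
    for rel, verdict in demo_findings():
        print(f"{verdict:10s} {rel}")
```

On a real machine you would point triage_default_user() at C:\Documents and Settings instead of the scratch directory; with no Default User cache present the scan returns an empty list, and anything else deserves the closer look the post recommends. The MZ check is deliberately applied before the extension lookup so that an executable is reported as such whether it is named .jpg, .tmp or anything else.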
I hope you found this interesting.
Special anniversary greets to divine dinne.