FEDERAL BUREAU OF INVESTIGATION
Jacksonville Division
Computer Intrusion Program
August 2007
THREE INTRUSION PROGRAMS USED TO TARGET A DoD CONTRACTOR’S COMPUTERS

The Jacksonville Division Field Office is releasing information on the identification of three intrusion programs used to target a Department of Defense (DoD) contractor’s computers.

The intrusion program KT3 was found on several compromised computers used by a DoD contractor. The KT3 malware is a back-door Trojan that is renamed to SVCHOST.EXE or SVHOST.EXE upon installation on the computer. Prior to installation, the malware was distributed as a file called PROGRAM.CHM attached to a spoofed electronic mail (email) message. The KT3 malware contains functionality that permits the program to exit, to download and launch a new program, or to ‘sleep’ and wait for further instructions. Variants of the KT3 malware were hard coded with an IP address or domain name identifying an external host; the hard coded address is added to the compromised computer’s registry. Upon connecting to the external host, the KT3 program begins sending the ASCII character string ‘*!Kt+v|’. The intrusion program provides access to its encrypted remote command shell only after the external host responds to that string with a reply followed by the letter string ‘DNE’. The KT3 intrusion program is used to download and install a separate program called JOKESWF.

The intrusion program JOKESWF was also found on several of the compromised computers at the DoD contractor. The JOKESWF malware is a back-door Trojan that is renamed to A.EXE and 1.EXE upon installation on the compromised computer. The JOKESWF malware contains functionality to create command shells, launch processes, encrypt files, delete itself, sleep, re-run itself, hide, create files, write data to files, close files, read files, download files from external addresses, compress files, list processes, kill processes, and beacon to an external host. Two variants of the JOKESWF malware were discovered with hard coded IP addresses that identified external hosts.

The intrusion program NPWD.EXE was also found on several of the compromised computers at the DoD contractor. The NPWD.EXE program is a password hash dumper that is launched by a program called CMD.EXE, which is in turn launched by a program called WMISRV.EXE. A password hash dumper can be used to collect and compromise account passwords. The NPWD.EXE program writes its output to a file called ‘C:/WINDOWS/TEMP/B’. The NPWD.EXE malware is a modified version of a program called PWDUMP4.EXE, a tool for dumping password hashes on Windows NT and Windows 2000 systems. A user help screen associated with the NPWD.EXE malware provided the following information: ‘PWDUMP4 DUMP WINNT/2000 USER/PASSWORD HASH FOR CRACK.’ ‘BY BINGLE’

The author of the NPWD malware is a computer hacker identified as BINGLE.
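Two of the behaviours described above lend themselves to detection checks: the KT3 beacon string and the ‘DNE’ reply on the network side, and the WMISRV.EXE -> CMD.EXE -> NPWD.EXE launch chain on the host side. The Python below is an added example, not code from the FBI advisory; the sample connection and process records are constructed, and because the advisory does not give the exact framing of the host's reply, the example assumes ‘DNE’ can be matched as a substring of an inbound payload that arrives after the beacon.

```python
# Detection checks built from the indicators in the advisory (added example,
# not FBI code). The sample flow and process records below are constructed.

KT3_BEACON = b"*!Kt+v|"   # sent by KT3 after it connects to the external host
KT3_ACK = b"DNE"          # letter string that follows the host's reply
NPWD_CHAIN = ("WMISRV.EXE", "CMD.EXE", "NPWD.EXE")  # grandparent, parent, child


def kt3_handshake_seen(flow):
    """flow: ordered (direction, payload) pairs for one connection, direction
    'out' (victim -> external host) or 'in'. True once the beacon has gone out
    and a later inbound payload carries 'DNE'. Assumption: the advisory does not
    give the reply framing, so 'DNE' is matched as a substring."""
    beacon_sent = False
    for direction, payload in flow:
        if direction == "out" and KT3_BEACON in payload:
            beacon_sent = True
        elif direction == "in" and beacon_sent and KT3_ACK in payload:
            return True
    return False


def npwd_chain_seen(processes):
    """processes: process-creation records (dicts with pid, ppid, image).
    Returns pids of NPWD.EXE launched by CMD.EXE launched by WMISRV.EXE."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for proc in processes:
        chain, cur = [], proc
        for _ in NPWD_CHAIN:                # walk child -> parent -> grandparent
            if cur is None:
                break
            chain.append(cur["image"].upper())
            cur = by_pid.get(cur["ppid"])
        if tuple(reversed(chain)) == NPWD_CHAIN:
            hits.append(proc["pid"])
    return hits


SAMPLE_FLOW = [                             # constructed
    ("out", b"*!Kt+v|"),
    ("in", b"OK\r\nDNE"),
]
SAMPLE_PROCS = [                            # constructed
    {"pid": 880, "ppid": 4, "image": "WMISRV.EXE"},
    {"pid": 1100, "ppid": 880, "image": "CMD.EXE"},
    {"pid": 1204, "ppid": 1100, "image": "NPWD.EXE"},
    {"pid": 1300, "ppid": 600, "image": "cmd.exe"},
    {"pid": 1310, "ppid": 1300, "image": "npwd.exe"},  # no WMISRV.EXE ancestor
]
```

Both checks are case-insensitive on image names, and the process check only fires when the full three-level chain is present, so a bare NPWD.EXE under an unrelated CMD.EXE is not reported.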