Wednesday, November 12, 2008

Gold VIP Club Casino

On 9 November 2008, a university web page hosted obfuscated JavaScript that, when decoded, revealed a hidden iframe pointing to hxxp:// ( The following analysis tracks the resulting redirect chain.

<div style="visibility:hidden"><iframe src="hxxp://" width=100 height=80></iframe></div>
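The injected snippet hides its iframe with an inline visibility:hidden on the parent div, which is the usual way drive-by redirectors are planted in a compromised page. The following is an added example (not code from the original post) that scans page markup for iframes a visitor would never see: frames inside an element hidden by inline style, or frames sized down to a few pixels. The sample page and its host names are constructed placeholders, since the real ones are redacted above.

```python
from html.parser import HTMLParser

# Inline-style fragments that make an element (and its descendants) invisible.
HIDDEN_STYLE_MARKERS = ("visibility:hidden", "display:none")

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


def _is_hidden_style(style):
    """True if an inline style string hides the element; ignores whitespace/case."""
    compact = style.replace(" ", "").lower()
    return any(marker in compact for marker in HIDDEN_STYLE_MARKERS)


def _is_tiny(attrs, limit=10):
    """True if width or height is a pixel value at or below `limit` (0x0, 1x1 ...)."""
    for name in ("width", "height"):
        value = attrs.get(name)
        if value is None:
            continue
        try:
            if int(value.lower().rstrip("px")) <= limit:
                return True
        except ValueError:
            pass  # percentages or garbage: not a tiny pixel frame
    return False


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe a user would not see.

    An iframe is reported when it or any open ancestor carries a hiding inline
    style, or when its own width/height attributes are tiny.
    """

    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hidden) for each currently open element
        self.hidden_depth = 0  # how many open ancestors are hidden
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = _is_hidden_style(attrs.get("style") or "")
        if tag == "iframe" and (hidden or self.hidden_depth or _is_tiny(attrs)):
            self.findings.append(attrs.get("src") or "")
        if tag not in VOID_ELEMENTS:
            self.stack.append((tag, hidden))
            self.hidden_depth += hidden

    def handle_endtag(self, tag):
        # Ignore stray closes; otherwise pop back to the matching open tag so
        # sloppy, unclosed markup (common in injected code) does not derail us.
        if all(open_tag != tag for open_tag, _ in self.stack):
            return
        while self.stack:
            open_tag, hidden = self.stack.pop()
            self.hidden_depth -= hidden
            if open_tag == tag:
                break


def find_hidden_iframes(html):
    """Return the src values of hidden or tiny iframes, in document order."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: the hidden div/iframe mirrors the injected snippet
# from the post; the host names are placeholders, not the real ones.
SAMPLE_HTML = """
<html><body>
<h1>Department news</h1>
<div style="visibility:hidden"><iframe src="hxxp://redirector.invalid/in.cgi" width=100 height=80></iframe></div>
<iframe src="hxxp://pixel.invalid/f" width="1" height="1"></iframe>
<iframe src="https://video.invalid/embed/42" width="640" height="360"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

The scanner works on the static markup only; a redirector that writes the iframe from obfuscated JavaScript, as in this case, has to be decoded (or rendered in an instrumented browser) first and the resulting HTML fed in.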

The hxxp:// request returned an HTTP 302 redirect to hxxp://

The hxxp:// request returned an HTTP 302 redirect to hxxp://

The hxxp:// request returned advertising content for a Gold Casino promotion.

“Download” and “Play Now!” buttons download hxxp://

<a href="SmartDownload.exe"><img src="images/download.gif" width="271" height="83" alt="" border="0"></a>

<a href="SmartDownload.exe"><img src="images/playnow.gif" width="96" height="124" alt="" border="0"></a>

Domain Analysis: is registered in RU and is registered to NOC4Hosts Inc., US.

Several other malicious domains resolved to at the time of analysis. is registered in RU and is registered in China.

SmartDownload.exe Analysis:

466,752 bytes

Upon execution SmartDownload.exe creates the C:\Program Files\Gold VIP Club Casino directory and opens an installer window.

SmartDownload.exe connects to ( on TCP port 20000 to receive C2. The client sends the string “Gold VIP Club Casino” and receives the string “”. A second connection returns the string hxxp:// The client connects to which uses Akamai caching to download the installation files package_list.ini.crc and

GET /cdn/goldvipclub/package_list.ini.crc HTTP/1.1 Host:
GET /cdn/goldvipclub/ HTTP/1.1 Host:

The domain is registered to RealTime Gaming Holding Company, LLC (Costa Rica).

Reverse lookups for rotate through several casino-themed domains.

The following major files are created.

c:\Program Files\Gold VIP Club Casino\casino.dll
745,472 bytes

c:\Program Files\Gold VIP Club Casino\casino.exe
30,720 bytes

The following major registry keys are added. None of them is a startup (Run) entry: they register a COM class for casino.exe and the custom URL protocol rtg.goldvipclub:, so that any rtg.goldvipclub: link opened from a browser launches casino.exe with the full URL passed as %1, and they add an Add/Remove Programs uninstall entry.

HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino
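The security-relevant part of this listing is the "URL Protocol" value under HKEY_CLASSES_ROOT\rtg.goldvipclub together with shell\open\command: once registered, any web page can invoke casino.exe with an attacker-chosen rtg.goldvipclub: URL as its argument. The following is an added example (not code from the original post) that parses a dump in the format shown above and reports every custom URL scheme it registers, the command the browser will run, and the COM server it points at. The sample input is the listing from this post reproduced verbatim; the parsing and audit logic is the editor's, and the same logic applies to output of `reg query HKCR /s` on a live host.

```python
import re

# One dump line looks like:  HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
REG_LINE = re.compile(r'^(HKEY_[A-Z_]+(?:\\[^"]+)?)\s+"([^"]*)"\s*$')


def parse_registry_dump(text):
    """Parse a 'KEY "ValueName"' / 'Type:' / 'Data:' listing into dicts.

    Values that have no Data line (an empty REG_SZ such as "URL Protocol")
    get data ''.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = REG_LINE.match(line)
        if match:
            current = {"key": match.group(1).rstrip(), "name": match.group(2),
                       "type": None, "data": ""}
            entries.append(current)
        elif current is not None and line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif current is not None and line.startswith("Data:"):
            current["data"] = line[len("Data:"):].strip()
    return entries


def _lookup(entries, key, name="(Default)"):
    """Case-insensitive key lookup (registry key names are not case sensitive)."""
    for entry in entries:
        if entry["key"].lower() == key.lower() and entry["name"] == name:
            return entry["data"]
    return None


def find_url_protocol_handlers(entries):
    """Return {scheme: details} for each custom URL protocol registered in HKCR.

    A ProgID directly under HKEY_CLASSES_ROOT is a URL scheme when it holds a
    value named "URL Protocol". Its shell\\open\\command default is what the
    browser executes, with %1 replaced by the complete URL the web page supplied.
    """
    handlers = {}
    for entry in entries:
        if entry["name"] != "URL Protocol":
            continue
        parts = entry["key"].split("\\")
        if len(parts) != 2 or parts[0] != "HKEY_CLASSES_ROOT":
            continue
        base = entry["key"]
        command = _lookup(entries, base + "\\shell\\open\\command")
        clsid = _lookup(entries, base + "\\CLSID")
        local_server = None
        if clsid:
            local_server = _lookup(entries, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\LocalServer32")
        handlers[parts[1]] = {
            "description": _lookup(entries, base),
            "command": command,
            "clsid": clsid,
            "local_server": local_server,
            # %1 means the handler receives the attacker-chosen URL verbatim.
            "passes_url_verbatim": bool(command and "%1" in command),
        }
    return handlers


# The registry listing from the post, reproduced as the sample input.
REGISTRY_DUMP = r"""
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816} "(Default)"
Type: REG_SZ
Data: Gold Vip Club Casino
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\LocalServer32 "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_CLASSES_ROOT\CLSID\{0CBAA404-8C7F-4070-8E42-8847E2394816}\ProgID "(Default)"
Type: REG_SZ
Data: rtg.goldvipclub
HKEY_CLASSES_ROOT\rtg.goldvipclub "(Default)"
Type: REG_SZ
Data: URL: Realtime Gaming Protocol
HKEY_CLASSES_ROOT\rtg.goldvipclub "URL Protocol"
Type: REG_SZ
HKEY_CLASSES_ROOT\rtg.goldvipclub\CLSID "(Default)"
Type: REG_SZ
Data: {0CBAA404-8C7F-4070-8E42-8847E2394816}
HKEY_CLASSES_ROOT\rtg.goldvipclub\DefaultIcon "(Default)"
Type: REG_SZ
Data: casino.exe
HKEY_CLASSES_ROOT\rtg.goldvipclub\shell\open\command "(Default)"
Type: REG_SZ
Data: c:\program files\gold vip club casino\casino.exe %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gold VIP Club Casino "DisplayName"
Type: REG_SZ
Data: Gold VIP Club Casino
"""

if __name__ == "__main__":
    for scheme, info in find_url_protocol_handlers(parse_registry_dump(REGISTRY_DUMP)).items():
        print(scheme + ":", info)
```

Only ProgIDs one level below HKEY_CLASSES_ROOT are considered, which is where Windows looks for scheme handlers; the Uninstall entry is parsed but correctly ignored because it carries no "URL Protocol" value.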

Launching Gold VIP Club Casino initiates a connection to TCP port 22053. The casino game requires an account to be created and personal information to be provided. Not sure how much I would trust a game that was installed through obfuscated JavaScript, a series of redirects and deceptive advertising :)
