Archive for 2008

27
Nov

Fake antivirus site features drive-by install of PDF exploits

By mwdisector Comments
Categories: Malicious Domains and Rogue Security Software

Here’s a fake antivirus site that has a special *gift* for you when you visit: PDF exploits! When visiting site it will attempt a drive-by install using a exploit-embedded PDF file.

Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 | 68.180.151.74 | YAHOO-SP1 - Yahoo

Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 | 82.192.88.2 | LEASEWEB LEASEWEB AS

Launches a process called AcroRd32.exe (Acrobat Reader) and slows your machine down to a crawl.

Pulls down a PDF file. VT coverage is 10/37.
http://www.virustotal.com/analisis/28d3a59…f1ac43bd00fe253

Found a load.exe file from hxxp://abb192.cn/exp/load.php?id=2926
VT coverage is low 4/37.
http://www.virustotal.com/analisis/e22e2de…830413b3d949441

See a connection to:
hxxp://sp2.information.com/?epl=03220029R1UMXGYWVlEFDVFTDVBfA1MMUgBFUVgMAFxb
VllZVFgHBFIBWAtHXRdZEBZLSwVcDBIBWAxqRQQHUEddSglZEUFEWBcWVwMEWFEMF1ETD0EUR0hU
DFgYRxFaRU1WUFQXCFsEXh8BVkcIVww8UQFbB1MSFl8CRlJcDVpUXB5XUBFQUw1KQFhUUQ9VEApb
QwpcAlUKaAtaQhNcABNbV0FfEUdNX21yQ11bFW8AD1cGDVYFCVcRBlNRBAJBXE5da10EW1MXWV4A
DlEPFgM8UQFbB1AGXwdFVEIVDkFQS0xrXhVBXQ1WZgxXCVQAWlcBXV4GVg

abb192.cn was registered on 10/29 and hosted on a Leaseweb box in Amsterdam.
Other domains on that IP 82.192.88.2:
abbcp.cn
abc801.cn
bmanager.shadypart.net
shadypart.net

-mwdisector

27
Nov

More mailing list unsubscription phishing websites

By mwdisector Comments
Categories: E-mail, Phishing and Rogue

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

DOMAINS:
campingchip.com
daily–movie-code.info
daily–movie-code.net
daily–movie-code.org
daily-movie–code.info
daily-movie–code.net
daily-movie-code.info
get–activation-code1.com
movie–code–online.info
movie–online-promo.info
movie-code-online.com
movie-code-online.info
movie-code-online.net
movie-code-online.org
movie-online-promo.info
movie-online-promo.org
net–activation–code1.com
net–activation–code1.net
net–activation-code1.info
net–activation-code1.net
net–activation-code1.org
net–code–activation.com
net–code–activation.info
net–code–activation.net
net–code-activation.com
net–code-activation.info
net–code-activation.net
net–code-activation.org
net–movie–promo.net
net–online–product.info
net–online–product.org
net–online-product.info
net–online-product.org
net–pdf–promo.info
net–pdf–promo.net
net–pdf-promo.com
net–pdf-promo.info
net–pdf-promo.net
net–pdf-promo.org
net-activation–code1.info
net-activation–code1.net
net-activation-code.com
net-activation-code1.info
net-activation-code1.net
net-activation-code1.org
net-online–product.info
net-online–promos.info
net-online-product.info
net-online-product.org
net-pdf–promo.info
net-pdf–promo.net
net-pdf-promo.com
net-pdf-promo.info
net-pdf-promo.net
net-pdf-promo.org
new–movie–code.net
new–product–offer.com
new–product–offers.com
new-movie–code.info
new-movie–code.net
new-movie–code.org
online–activation–code.net
online–activation-code.org
online–movie–promo.info
online–movie-promo.info
online–product-promos.info
online–promo–products.info
online–promo–products.org
online–promo-products.info
online–promo-products.org
online-activation–code.org
online-activation-code.com
online-activation-code.org
online-movie–promo.info
online-movie-promo.info
online-product–promo.net
online-product-promo.com
online-promo–products.info
online-promo-products.info
online-tv–promo.info
pdf–online–promo.org
pdf–online-promo.info
pdf–online-promo.org
pdf–promo-info1.net
pdf-online–promo.info
pdf-online–promo.org
pdf-online-promo.info
pdf-promo–code.org
pdf-promo–info1.net
pdf-promo-info.net
pdf-promo-info1.net
superiway.com
tv-new-promo.info

IPs INVOLVED:
27645 | 66.79.162.82 | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
33314 | 66.79.162.82 | ASN-AKANOC-SJC-01 - AKANOC Solutions Inc.
16131 | 91.199.50.101 | GRAFIX-IS GrafiX Internet B.V.

–mwdisector

24
Nov

New fake security software called Micro Antivirus 2008

By mwdisector Comments
Categories: Database Update and Rogue Security Software

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Product named 2008 yet website is 2009. I see that microav2008.com is available, maybe they should register that too.  ;-)

Fake Product Name:microav2009-website
Micro Antivirus 2008

Site: microav2009.com

IP: 91.208.0.223
Location: Russia
Registration:
ICANN Registrar:  IN

TERNET.BS CORP.
Created:  2008-09-24

File:
MicroAVSetup.exe
VirusTotal coverage: 27/37
http://www.virustotal.com/analisis

/38e2f2bc89e9803b8d313424f21957cd

20
Nov

Antivirus 2009

By stingner Comments
Categories: Antivirus 2009 and Database Update

Note: This site is distributing Rogue “Fake” Anti-Malware product.  Do not visit, pay, or download the software discussed below.

Very low detection.
Site:
hxxp://antivirus-premium-scan.com/2009/1/en/_freescan.php?nu=77025304

File: A9installertest_77025304.exe
Virustotal: Result 1/36 (2.78%)

Additional information
File size: 163840 bytes
MD5…: ccdfcdcea179cf0ecf12035d5ee8b821
SHA1..: e85dd4eebb5ae4d61f36385281922637712a56bd
SHA256: 6ffe5e74108fce512aa3c2de39e13ea9aebdda9606a7966d424254282679c03c
SHA512: 4de947fd4bf09f6ac2ef6dc34fafdf471555fe6e37dc0f8722cd4e726b5d6dc5
3c76a98f2786df5af5527f0356715bf5787f2b6b44a15eeffea5ff7aed4b6d37
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)

19
Nov

Fake Activation and Mailing List Unsubscribe Websites

By mwdisector Comments
Categories: MalSpam and Phishing

In the past few days I’ve seen many websites pop up pretending to be mailing list unsubscription sites.  And per usual, these sites feature legit sounding names like antivirus-activation-code1.org or online-activation-code.info.

Fake unsubscribe

Example screenshot.

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

Domains involved:

antivirus–activation–code1.org
antivirus–activation-code2.org
antivirus-activation–code1.org
antivirus-activation-code1.org
antivirus-activation-code2.org
antivirus-activation–code.info
antivirus–activation–code.info
new-activation-code.info
new–activation-code.info
online-activation-code.info
online–activation-code.info
online-activation–code.info
online–activation–code.info
pdf-activation-code.info
pdf–activation-code.info
pdf-activation–code.info

IPs associated with these:
66.79.162.82
67.209.140.130

antivirus-activation–code2.org
91.199.50.101

BE ADVISED: These sites may still be active, be careful!

–mwdisector

15
Nov

Database Update - 19 Files (Low Detection)

By djpnuemo Comments
Categories: Antivirus 2009, Codec, Database Update, Low Detection, Malicious Domains and Malware

Quite a few files added to the database today. As you can see below, these aren’t detected by many AV’s out there.

BE ADVISED: These URL’s may still be active. Proceed at your own risk!

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
VirusTotal
ThreatExpert Analysis
hxxp://allinone-scanner.com/2009

av_2009.exe
Result: 1/36 (2.78%)
MD5: 4c68e58e317f7111ac147d5279ef23e0
VirusTotal
ThreatExpert Analysis

zcodec.1482.exe
Result: 3/36 (8.34%)
MD5: 9acea07175a11ae690263f9be7828467
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.pc-storesoft.com

doc.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://chanchoi.cn

default.exe
Result: 13/36 (36.12%)
MD5: 58e3a60289854bb435570a14ac3c616e
VirusTotal
ThreatExpert Analysis
hxxp://chanchoi.cn

kryostm.dll
Result: 21/36 (58.34%)
MD5: b8d72237913a95b597583f8f91181ed8
VirusTotal
ThreatExpert Analysis

kryo2.sys & pavtpk.sys
Result: 20/36 (55.56%)
MD5: abbce53fa9411adbd8a870ae9c27a92e
VirusTotal
ThreatExpert Analysis

test.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://onlinestat.cn

file1.exe & U.exe
Result: 4/36 (11.12%)
MD5: 0fe5b393bef43d95f5e86c820097491e
VirusTotal
ThreatExpert Analysis
hxxp://onlinestat.cn

ntos.exe
Result: 4/36 (11.12%)
MD5: fbe5869d3f03108296e10a81e9b7d160
VirusTotal
ThreatExpert Analysis

After multiple runs through a sandbox, these different binaries were downloaded

ntos.exe
Result: 4/36 (11.12%)
MD5: df4f605f59823324cceaf359d46a5d27
VirusTotal
ThreatExpert Analysis

ntos.exe
Result: 5/36 (13.89%)
MD5: fa736d7136176eebfcefd109b33f2e90
VirusTotal
ThreatExpert Analysis

soft.exe
Result: 9/36 (25%)
MD5: dcdd783dd8f84ef8b9a0c8233d152540
VirusTotal
ThreatExpert Analysis

csrss7.dll
Result: 3/36 (8.34%)
MD5: e87c0ab9c96b000f86199118d38539c1
VirusTotal
ThreatExpert Analysis

This also modified the hosts file to block international search engines (AOL, Google, & MSN)

doc.pdf
Result: 12/36 (33.34%)
MD5: 9b3822a11c9e94763150282f0c9b1d01
VirusTotal

default.exe & ~.exe
Result: 8/36 (22.23%)
MD5: 4dcc389638a9cf14972752df79ed0dd6
VirusTotal
ThreatExpert Analysis

nvaux32.exe
Result: 8/36 (22.23%)
MD5: 94d724d0740a3f6a26b624051950b053
VirusTotal
ThreatExpert Analysis

user32.dll
Result: 8/35 (22.86%)
MD5: 5f24060f06fd415314485a66a0be8726
VirusTotal
ThreatExpert Analysis

flash_update.exe (Koobface Facebook Worm)
Result: 7/36 (19.45%)
MD5: f47a95dc8003bb0f206d836b757fa9f3
VirusTotal
ThreatExpert Analysis
hxxp://youtube-cam.com

13
Nov

Database Update - 16 Files (Low-Moderate Detection)

By djpnuemo Comments
Categories: Database Update, Infection, Low Detection, Malicious Domains, Malicious Links, Malware, Malware Distribution, Rogue Anti-Malware, Rogue Security Software, Rogue Software and Rootkit

Another update for tonight. Should have more over the weekend. Find them in /pnuemo-malware/.

BE ADVISED: These URL’s may still be active.  Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
VirusTotal
ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: 16/36 (44.44%)
MD5: e0f855c6c5fc93f0a8ed1fe9e702e492
VirusTotal
ThreatExpert Analysis
hxxp://dl.storage-antispyware.com/get/

42.exe
Result: 4/36 (11.12%)
MD5: f5201b9e77b7b31443b4e0e6190e219f
VirusTotal
ThreatExpert Analysis
hxxp://85.92.157.141/mxlivemedia/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

mvnzivtlmzhxi.dll
Result: 7/36 (19.45%)
MD5: 7614e7448f1983b9641e9699f67576a4
VirusTotal
ThreatExpert Analysis

pdf.pdf
Result: 6/36 (16.67%)
MD5: a3f83503a165a19c4b01328463175cd7
VirusTotal
hxxp://activision.cc/1/spl

twext.exe
Result: 11/36 (30.56%)
MD5: 5767c816cb20753976df2edb60eaf448
VirusTotal
ThreatExpert Analysis

load.exe
Result: 12/36 (33.34%)
MD5: 9b467bdc6dd1b3e68651b7039cd373c8
VirusTotal
ThreatExpert Analysis
hxxp://activision.cc/1/

xcvb.pdf
Result: 4/36 (11.12%)
MD5: e3b86145de00ebfab3e3159d24b81104
VirusTotal
hxxp://91.203.92.137/xcv/

install.exe
Result: 16/36 (44.45%)
MD5: 0869881865032bd1b3b08d82e5e4f404
VirusTotal
ThreatExpert Analysis
hxxp://91.203.92.137/xcv/

beep.sys & figaro.sys
Result: 29/36 (80.56%)
MD5: c4618f889863b5aa357f5f5ba8f353d6
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 14/36 (38.89%)
MD5: 0d63a88fdb4259de8280f8bb7d78ec35
VirusTotal
ThreatExpert Analysis

KB908268.exe
Result: 7/36 (19.45%)
MD5: 504eb66e741186a61792862f0a83ff82
VirusTotal
ThreatExpert Analysis
hxxp://76.74.239.143/weruoiq/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

12
Nov

EstDomains shut down effective November 24th, 2008

By djpnuemo Comments
Categories: Malicious Domains, Malware and Malware Distribution

I thought it was worth noting that today ICANN finally decided to terminate EstDomains ability to register domains. EstDomains has turned the other cheek to their clients use of their services. The shutting down of some, if not all of their registered domains, will definitely help in slowing down the spread of some new malware. Although the gangs I’m sure have already planned for this and have started to move some of their operations.

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

On 28 October 2008, ICANN sent a notice of termination to EstDomains, Inc. (EstDomains) based on an Estonian Court record reflecting the conviction of EstDomains’ then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery.

Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, “Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.”

ICANN received a response from EstDomains on 29 October in which it indicated that the Estonian Court record on which ICANN relied was not final and had been appealed. ICANN pended the termination of EstDomains’ RAA to analyze the claims made by EstDomains and to obtain independent information regarding the status of the alleged appeal.

On 7 November 2008, EstDomains was informed that, based on ICANN’s findings, ICANN was proceeding with the termination of EstDomains’ RAA, effective 24 November 2008.

ICANN’s records indicate that EstDomains manages approximately 281,000 domain names. To protect the interests of registrants, on 28 October 2008, ICANN published a Request for Informations seeking expressions of interest from registrars to receive a bulk transfer of the domain names managed by de-accredited registrar EstDomains.

ICANN is analyzing the responses to that request and will take measures to effectuate a smooth transition of the domain names managed by EstDomains to a qualified ICANN- accredited registrar.

Courtesy of ICANN

12
Nov

Database Update - 13 Files (Low-Moderate Detection)

By djpnuemo Comments
Categories: Database Update, Low Detection, Malicious Domains, Malware and Rootkit

Only a smaller update today. Files available in /pnuemo-malware/. The installers I’ve been collecting are getting nastier and nastier. Keep everything updated!

xloader.exe
Result: 6/36 (16.67%)
MD5: efe48c6ea123b7d5a07f1beaf4b9efb1
VirusTotal
ThreatExpert Analysis
hxxp://adwords.google.com.upload.main.update.kliauj.cn

winlogon.exe
Result: 5/36 (13.89%)
MD5: 6c161cf9aefd577235547a0514ea7336
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 23/36 (63.89%)
MD5: 89bbe87df33a7722ce6bc890023a82c0
VirusTotal
ThreatExpert Analysis

uesiuqcr.exe & svchost.exe
Result: 14/36 (38.89%)
MD5: f74dc617cec41d36aca9ffc793add258
VirusTotal
ThreatExpert Analysis

getfn32.dll
Result: 6/36 (16.67%)
MD5: 98c8c4cc9ae42cbd630fc8c1aec50a50
VirusTotal
ThreatExpert Analysis

smwin32.dll
Result: 6/36 (16.67%)
MD5: 47c4fa178eefe5379856c7d35e953acd
VirusTotal
ThreatExpert Analysis

beep.sys
Result: 32/36 (88.89%)
MD5: e2bba2140204d6e4134828445a9c486c
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 19/36 (52.78%)
MD5: 57841b5c7ed709f6b5ff0027c014083b
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 24/36 (66.67%)
MD5: 26fafa838db23646661bfde34b537059
VirusTotal
ThreatExpert Analysis

l.exe
Result: 12/36 (33.34%)
MD5: 3f052a786ef71d4d9368732f9d25bfdf
VirusTotal
ThreatExpert Analysis
hxxp://worldfirefighter.com/wellstonfd

LDR24.tmp
Result: 18/36 (50%)
MD5: bd336a1191044325d0165b70fecc5520
VirusTotal
ThreatExpert Analysis

svchost.exe
Result: 17/36 (47.23%)
MD5: ff22b4365b9d2f8b8940c1558c82effd
VirusTotal
ThreatExpert Analysis

KB908995.exe (TDSServ Rootkit)
Result: 6/36 (16.67%)
MD5: 942aa524ab0de25a6750c5e9772fa387
VirusTotal
ThreatExpert Analysis
hxxp://google-analyze.cn

12
Nov

Fake control panel app installing multiple malware binaries

By djpnuemo Comments
Categories: Database Update and Malicious Links

Came across this nasty bugger today. It installs a few banker trojans, generic trojans, and a rootkit. Below you can see all of the files that it installs on the computer. These files are available in /pnuemo-malware/. Please read our FAQ for access to our repository.

BE ADVISED: These URL’s may still be active.  Proceed at your own risk!

video.cpl
Result: 19/36 (52.78%)
MD5: c87f1736ab9ac5d80a4027b5ba139f7c
VirusTotal
ThreatExpert Analysis
hxxp://amateur-sexy.whyza.net

kodnkwnv.sys
Result: 3/36 (8.34%)
MD5: 4ad5d5229f85f42e873fda98190b2f19
VirusTotal
ThreatExpert Analysis

certificado.exe
Result: 11/36 (30.56%)
MD5: 500a7df333ebe3d1e11d18b08b005e1e
VirusTotal
ThreatExpert Analysis

msnsgs.exe
Result: 17/36 (47.23%)
MD5: f53fea0cef9389535f9df74981527268
VirusTotal
ThreatExpert Analysis

codecs.exe & svchosts.exe & avg.exe
Result: 20/36 (55.56%)
MD5: 7b51419b022709cffec32fa24a23f510
VirusTotal
ThreatExpert Analysis

nppagent.exe
Result: 13/36 (36.12%)
MD5: 91f4c75a4f000f3b5bdc2cd74fb5d0d8
VirusTotal
ThreatExpert Analysis

outlok.exe
Result: 24/36 (66.67%)
MD5: 4dd0afcca8764bce567ebd853f022db7
VirusTotal
ThreatExpert Analysis

sounds.exe
Result: 11/35 (31.43%)
MD5: 0fba190253a84d28d022008ee42ea8e5
VirusTotal
ThreatExpert Analysis

sysmod.exe
Result: 11/35 (31.43%)
MD5: 2eb09ac08f87b9c4dd54c9d4be9241cc
VirusTotal
ThreatExpert Analysis

« Previous Entries

Malware Database Forum



Click for

Malware Removal Information



Special Deals


$20 Off Panda Internet Security 2009

 

December 2008
M T W T F S S
« Nov    
1234567
891011121314
15161718192021
22232425262728
293031  

Support Malware Database!


Security Engineering: A Guide to Building Dependable Distributed Systems

Reversing: Secrets of Reverse Engineering

Crimeware: Understanding New Attacks and Defenses (Symantec Press)

Security Power Tools

IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job

Windows Command-Line Administrator's Pocket Consultant, 2nd Edition

CompTIA Security+ Certification Kit