[nsp-sec] Wannabrowser - possible embedded malcode
Rob Thomas
robt at cymru.com
Thu Oct 30 22:02:38 EDT 2008
Hey, Matt.
Some of this you know, but perhaps some of this is useful to you and others.
> When it was being abused (including earlier today), there was some
> obfuscated javascript that downloaded a binary (targeting Adobe Flash I
> think, don't know what version yet) from 91.142.64.91.
Yeah, we see that one running at least one malware URL:
timestamp           | ip           | asn   | category   | comment
--------------------+--------------+-------+------------+------------------------------
2008-10-12 02:50:05 | 91.142.64.91 | 27970 | malwareurl | hxxp://91.142.64.91/soi/?t=2
It appears to be a Debian box running Apache 2.2.3.
We have one sample in our malware menagerie that references that IP.
timestamp           | sha1                                     | md5                              | dst_ip       | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+--------------+----------+----------+------
2008-10-26 03:03:16 | 4de171067a8c6bf9fccf5fac67aef7e536f1c26d | 931a87e1b67baef140cfdc80e5a02179 | 91.142.64.91 | 80       | 6        |
The malware is packed with UPX.
That malware looks up both google.com and www.google.com.
It then does an HTTP GET of the following URLs:
hxxp://91.142.64.91/tds/in.cgi?default
hxxp://91.142.64.91/soi/?t=25
hxxp://google.com/
hxxp://www.google.com/
It creates the file:
C:\Documents and Settings\Administrator\Cookies\administrator@91.142.64[2].txt
Back on 2008-09-04 15:32:38 UTC only four AV packages tagged this as
malware. As of 2008-10-31 01:27:11 only six AV packages tag this as
malware.
> hxxp://3876373tr.org/baasseulu/mix1/cfg.bin (91.142.64.112)
This host has been hosting an HTTP-based C&C since at least 2008-10-19
12:30:32 UTC. The DNS RR has been around at least that long as well.
Interestingly, this host is running BIND with recursion open.
We see seven samples in our malware menagerie that point to this IP.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+---------------+----------+----------+-------
2008-10-30 22:03:58 | 157fbbdd453248fb4fc41042851526fdeb75f4be | 0f33d30c5b11cf8d1dc455ba77fd7a61 | 91.142.64.112 | 80       | 6        | 448
2008-10-31 00:50:34 | 2ae91036c2590334cd6351e710b0f5d90c05cc26 | 5f9bbeb166f3ca9f6ad27b6475615d0d | 91.142.64.112 | 80       | 6        | 4208
2008-10-27 13:01:32 | 369b501324fb689ede78922e5dfe13375015d7b8 | e4f0372971d56b1f2c55963cefb98df7 | 91.142.64.112 | 80       | 6        | 448
2008-10-19 12:30:32 | 5af37f8fb24a4029b80cd80e6c32fa7a2317e337 | 4e57842b77c5f65c122f11712930ed47 | 91.142.64.112 | 80       | 6        | 477
2008-10-25 21:30:16 | 745a87d937c1d25a36f16de0977a36af5f14bf14 | 83e5ee1dbb70521661aa678944dad748 | 91.142.64.112 | 80       | 6        | 779
2008-10-28 02:31:32 | 806a746795380500d9357399a1e7bc9d5c2cf049 | 3274cf235e4cf81191fb50a3b0f2b0bc | 91.142.64.112 | 80       | 6        | 448
2008-10-28 14:00:41 | c7574e37b9af696862deab666483860d73b541ff | 157c4a8be8395aadb4e44fcf031921b4 | 91.142.64.112 | 80       | 6        | 23296
I checked one of these samples, and here is what we found:
It creates the following files:
C:\Documents and Settings\NetworkService\Application Data\twain_32
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
C:\WINDOWS\system32\twext.exe
It does a DNS lookup of 3876373tr.org. It then does an HTTP GET of:
hxxp://3876373tr.org//baasseulu/mix1/cfg.bin
Presently six AV packages tag this as malware.
This appears to be a Unix box running Apache 1.3.41.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
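The indicators in Rob's message (the two 91.142.64.0/24 hosts, the 3876373tr.org C&C name, the URL paths the samples fetch, and the sample hashes) are the kind of thing an operator would want to sweep proxy and resolver logs for. The following is an added example, not code from the original message or from Team Cymru: it loads those indicators and matches them against constructed proxy and DNS query log lines. The log formats and every host other than the IOCs are assumptions made up for the example. Note that the google.com / www.google.com requests the samples make are connectivity checks, so they are deliberately not treated as indicators; a path-only match such as /tds/in.cgi on an unrelated host is reported as low-confidence evidence rather than a hit.

```python
"""Sweep proxy and DNS logs for the indicators posted in the message above.

Added example; log formats and non-IOC hostnames are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the message above.
BAD_IPS = {"91.142.64.91", "91.142.64.112"}
BAD_HOSTS = {"3876373tr.org"}
# Paths the samples fetch. /tds/in.cgi is a generic traffic-direction-system
# endpoint, so a path match on an unknown host is only weak evidence.
BAD_PATHS = ("/tds/in.cgi", "/soi/", "/baasseulu/mix1/cfg.bin")
BAD_SHA1 = {
    "4de171067a8c6bf9fccf5fac67aef7e536f1c26d",
    "157fbbdd453248fb4fc41042851526fdeb75f4be",
    "2ae91036c2590334cd6351e710b0f5d90c05cc26",
    "369b501324fb689ede78922e5dfe13375015d7b8",
    "5af37f8fb24a4029b80cd80e6c32fa7a2317e337",
    "745a87d937c1d25a36f16de0977a36af5f14bf14",
    "806a746795380500d9357399a1e7bc9d5c2cf049",
    "c7574e37b9af696862deab666483860d73b541ff",
}
BAD_MD5 = {
    "931a87e1b67baef140cfdc80e5a02179",
    "0f33d30c5b11cf8d1dc455ba77fd7a61",
    "5f9bbeb166f3ca9f6ad27b6475615d0d",
    "e4f0372971d56b1f2c55963cefb98df7",
    "4e57842b77c5f65c122f11712930ed47",
    "83e5ee1dbb70521661aa678944dad748",
    "3274cf235e4cf81191fb50a3b0f2b0bc",
    "157c4a8be8395aadb4e44fcf031921b4",
}

# Constructed log formats (assumptions, not from the message):
#   proxy: <iso-timestamp> <client-ip> <method> <url> <status>
#   dns:   <iso-timestamp> <client-ip> query <qname> <qtype>
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
DNS_LINE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def classify_url(url):
    """Return the list of indicator reasons a URL matches (empty = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Collapse '//baasseulu/...' style doubled slashes before prefix matching.
    path = re.sub(r"/+", "/", parts.path)
    reasons = []
    if host in BAD_IPS:
        reasons.append("ip:" + host)
    if host in BAD_HOSTS:
        reasons.append("host:" + host)
    for prefix in BAD_PATHS:
        if path.startswith(prefix):
            reasons.append("path:" + prefix)
            break
    return reasons


def scan_proxy(lines):
    """Return one hit per matching proxy line, with a confidence rating."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        reasons = classify_url(url)
        if not reasons:
            continue
        # Host or IP match is high confidence; a bare path match is low.
        confidence = "high" if any(not r.startswith("path:") for r in reasons) else "low"
        hits.append({"ts": ts, "client": client, "url": url,
                     "reasons": reasons, "confidence": confidence})
    return hits


def scan_dns(lines):
    """Return resolver-log hits for lookups of the C&C name."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        if qname.rstrip(".").lower() in BAD_HOSTS:
            hits.append({"ts": ts, "client": client, "qname": qname})
    return hits


def check_hash(digest):
    """Return 'sha1' or 'md5' if the digest is a known sample, else None."""
    d = digest.strip().lower()
    if d in BAD_SHA1:
        return "sha1"
    if d in BAD_MD5:
        return "md5"
    return None


def clients_to_triage(proxy_hits, dns_hits):
    """Sorted client IPs with high-confidence proxy hits or C&C DNS lookups."""
    clients = {h["client"] for h in proxy_hits if h["confidence"] == "high"}
    clients |= {h["client"] for h in dns_hits}
    return sorted(clients)


# Constructed sample logs; only the IOCs themselves come from the message.
SAMPLE_PROXY = """\
2008-10-30T21:58:11Z 10.1.2.3 GET http://91.142.64.91/tds/in.cgi?default 200
2008-10-30T21:58:12Z 10.1.2.3 GET http://91.142.64.91/soi/?t=25 200
2008-10-30T21:58:13Z 10.1.2.3 GET http://www.google.com/ 200
2008-10-30T22:01:02Z 10.1.2.7 GET http://3876373tr.org//baasseulu/mix1/cfg.bin 200
2008-10-30T22:03:00Z 10.1.2.9 GET http://intranet.example/soi/?t=2 404
2008-10-30T22:04:00Z 10.1.2.9 GET http://www.example.com/index.html 200
""".splitlines()
SAMPLE_DNS = """\
2008-10-30T22:01:01Z 10.1.2.7 query 3876373tr.org. A
2008-10-30T22:01:01Z 10.1.2.7 query www.google.com. A
""".splitlines()

if __name__ == "__main__":
    p_hits, d_hits = scan_proxy(SAMPLE_PROXY), scan_dns(SAMPLE_DNS)
    for h in p_hits:
        print(h["confidence"], h["client"], h["url"], h["reasons"])
    print("triage:", clients_to_triage(p_hits, d_hits))
```

On the constructed input this reports three high-confidence proxy hits (two from 10.1.2.3, one from 10.1.2.7), one low-confidence path-only hit from 10.1.2.9, one DNS hit, and leaves the google.com and example.com requests alone. Swapping the two regexes for the real proxy and resolver log formats is the only change needed to run it against production logs.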