[nsp-sec] The ugly on AS39823 | 92.62.96.0/20
Brian Eckman
eckman at umn.edu
Mon May 4 15:56:31 EDT 2009
Rob Thomas wrote:
> ----------- nsp-security Confidential --------
>
> Hey, Steve.
>
>> betworldwager.cn 213.163.91.93
>
> Yeah we've seen one malware URL on 213.163.91.93.
<snip>
I've been watching this one as well ... for a week or so, anyways. A
bunch of sites are directing folks to URIs here. I copied some example
traffic at the bottom of this message. (URLs broken to prevent
accidental access)
Some intel I sent to a colleague on April 30th:
The DNS name they use keeps changing, so DNS interception isn't likely
to be fruitful (for long). I've noticed around 5-6 or so hits to both
exploits each day this week.
readme.pdf
----------
http://wepawet.iseclab.org/view.php?hash=515ac49895cd54436e803d31d7719a78&t=1241048173&type=js
http://wepawet.iseclab.org/view.php?hash=99f80488f3af00f958b4fe4db122b183&t=1241105189&type=js
http://www.virustotal.com/analisis/1e48a9853024742ab65f7504706bf7a6
(5/40) (Symantec just started catching it - I don't believe they did
yesterday)
flash.swf
---------
http://wepawet.iseclab.org/view.php?hash=2541fd8949443da7286b936c17eaab5b&type=swf
http://www.virustotal.com/analisis/1e48a9853024742ab65f7504706bf7a6
(6/40) (Symantec just started catching it - I don't believe they did
yesterday)
The virustotal results that the Wepawet "swf" URL links to show 1/40
coverage (Microsoft detected it) on 4/26 when they first saw the URL.
If either exploit is successful, they both currently download and
execute /load.php?id=8 from the same host. However, I'm almost positive
I've seen different "id" values.
load.exe
--------
http://www.virustotal.com/analisis/cdffa43ce85ea03404d9a3ae95dbe9cd
http://anubis.iseclab.org/?action=result&task_id=1fcdf32984ee6aed40d7c79baec1f43d4
(9/40) (Symantec is NOT catching it)
The load.exe I downloaded today was quite a bit smaller than the one I
downloaded yesterday, but the end result (according to Anubis results)
is quite similar.
The result of a host executing load.exe *should* trigger an existing
Snort rule (with "GET /new/controller.php?action=bot").
---------------
Example Session
---------------
GET /in.cgi?income36
Host: lotbetworld.cn
Referer:
hXXp://www.archerrocks.com/2008/1001/co-canal-bike-trail-traffic-free-and-gorgeous/
HTTP/1.1 302 Moved Temporarily
Location: hXXp://liteautogreatestonline.cn/index.php
...
GET /index.php
Host: liteautogreatestonline.cn
HTTP/1.1 200 OK
Content-Encoding: gzip
...
GET /cache/flash.swf
Host: liteautogreatestonline.cn
HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash
Content-Length: 16749
...
GET /cache/readme.pdf
Host: liteautogreatestonline.cn
HTTP/1.1 200 OK
Content-Type: application/pdf
Content-Length: 15414
...
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
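The chain in the example session (landing page, then flash.swf and readme.pdf from the same host, then load.php?id=N) can be picked out of proxy logs per client/host pair. This is an added detection example, not code from the original post or the list; the log format and the sample lines are constructed for illustration, and only the hostnames and paths come from the session above.

```python
"""Detection logic for the drive-by chain shown in the example session.
Added example; the proxy-log format (client host path status content-type)
and the sample lines are constructed, not taken from a real deployment."""
import re
from collections import defaultdict

# Constructed proxy-log excerpt modelled on the session in the post.
SAMPLE_LOG = """\
10.0.0.5 lotbetworld.cn /in.cgi?income36 302 -
10.0.0.5 liteautogreatestonline.cn /index.php 200 text/html
10.0.0.5 liteautogreatestonline.cn /cache/flash.swf 200 application/x-shockwave-flash
10.0.0.5 liteautogreatestonline.cn /cache/readme.pdf 200 application/pdf
10.0.0.5 liteautogreatestonline.cn /load.php?id=8 200 application/octet-stream
10.0.0.7 example.org /index.php 200 text/html
10.0.0.7 example.org /docs/readme.pdf 200 application/pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
# The post notes the "id" value varies, so match any numeric id.
PAYLOAD_RE = re.compile(r"^/load\.php\?id=\d+$")
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/pdf"}

def find_driveby_chains(log_text):
    """Return {(client, host): {'exploits': set, 'payload': bool}} for every
    client/host pair that fetched an exploit file type and then the payload."""
    seen = defaultdict(lambda: {"exploits": set(), "payload": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, host, path, status, ctype = m.groups()
        if status != "200":
            continue
        key = (client, host)
        if ctype in EXPLOIT_TYPES:
            seen[key]["exploits"].add(ctype)
        # Payload only counts if an exploit file from the same host preceded it.
        if PAYLOAD_RE.match(path) and seen[key]["exploits"]:
            seen[key]["payload"] = True
    # Alert only on pairs that show both an exploit fetch and the payload.
    return {k: v for k, v in seen.items() if v["payload"]}

if __name__ == "__main__":
    for (client, host), info in find_driveby_chains(SAMPLE_LOG).items():
        print(f"ALERT {client} <- {host}: {sorted(info['exploits'])}")
```

A plain readme.pdf from an unrelated host (the second client above) does not alert, because the payload fetch from the same host is required.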