[nsp-sec] need a little info about .... www.wowio.net

Tim Wilde twilde at cymru.com
Wed Nov 17 10:40:22 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/17/2010 12:35 AM, Chris Morrow wrote:
> I recall seeing wowio.net in the past (~3-4 yrs ago, dimly I remember)
> but I can't dig up anything else from my recollection. I believe it was
> being aimed around as it is now, in a futile attempt to find 'hosting'
> or perhaps as the pointy end of a ddos stick used to flood people :(
> (hard to tell from my perspective).

Chris & Team,

The only bit of malware in our menagerie that appears to reference
www.wowio.net is:

ee0e1ea04e5435b09ba09c5b52d8572621cf1641   2010-11-15 18:20:01
92 KB
md5: 4873da4691c50b797dc634adac83b6e9
filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit,
UPX compressed

AV detection on that sample is actually pretty minimal, interestingly
enough.  The only non-generic signature I see calls it Trojan.Siggen2.6027.

It's referenced in an AttackSet.dat file that the sample brings with it,
and puts in c:\Windows\system32.  The other section names read from that
file are www.rxjhsf.com and websun888.gotoip4.com.

This particular sample appears to be the one emulating the Baidu bot's
user-agent in its attack.

The earliest we saw this particular SHA1 was 2010-10-15, we've seen it
downloaded from a bunch of IP-based URLs on funky ports, probably all
0wned if I had to guess.

I don't see any obvious C&C traffic in a quick look through the
analysis, so it's possible this is fire & forget, though it's also
possible that I'm just missing it. :)

Hope this helps (or is at least interesting :))!

Tim

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzj92YACgkQluRbRini9tjijwCfckG3aGyX49WH6BftsIaWpDSe
zkUAnR+Wg63vE/LMlSewIONR+E/xYw7D
=RDdO
-----END PGP SIGNATURE-----
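Tim's note that the sample emulates the Baidu bot's user-agent is the kind of detail a site operator can act on: a genuine Baidu crawler reverse-resolves under Baidu's own domains, so requests carrying that user-agent from addresses that do not are worth counting separately. The following is an added illustration and is not code from the original post, from Team Cymru or from Chris's thread; the access log lines, the IP addresses and the reverse-DNS table are constructed so it runs offline, and the hostname suffixes it trusts (`.baidu.com`, `.baidu.jp`) are an assumption about how Baidu names its crawler hosts.

```python
"""Flag web requests that claim a Baidu crawler user-agent but whose source
address does not reverse-resolve to a Baidu crawler hostname.

Added illustration only: the log lines and the PTR table below are
constructed, and the trusted hostname suffixes are an assumption."""
import re
from typing import Callable, Dict, Optional

# Constructed access log lines in Apache combined format. 203.0.113.7 is
# the impostor, 198.51.100.23 the "real" crawler, 192.0.2.44 an ordinary browser.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2010:18:20:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.7 - - [15/Nov/2010:18:20:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
198.51.100.23 - - [15/Nov/2010:18:20:03 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
192.0.2.44 - - [15/Nov/2010:18:20:04 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""

# Constructed stand-in for a PTR lookup so the example needs no network.
# In production, replace with socket.gethostbyaddr() and then forward-resolve
# the returned name and confirm it maps back to the same address.
FAKE_PTR: Dict[str, Optional[str]] = {
    "203.0.113.7": None,
    "198.51.100.23": "baiduspider-198-51-100-23.crawl.baidu.com",
    "192.0.2.44": "host-44.example.net",
}

# Assumption: genuine Baidu crawlers reverse-resolve under these suffixes.
BAIDU_SUFFIXES = (".baidu.com", ".baidu.jp")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format log line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_genuine_crawler(ip: str, ptr_lookup: Callable[[str], Optional[str]]) -> bool:
    """True only when the reverse lookup lands under a trusted crawler suffix."""
    host = ptr_lookup(ip)
    return bool(host) and host.endswith(BAIDU_SUFFIXES)


def find_spoofed_crawlers(log_text: str,
                          ptr_lookup: Callable[[str], Optional[str]]) -> Dict[str, int]:
    """Return {source_ip: request_count} for Baiduspider-claiming requests
    whose source does not verify as a Baidu crawler."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "Baiduspider" not in rec["ua"]:
            continue
        if not is_genuine_crawler(rec["ip"], ptr_lookup):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in find_spoofed_crawlers(SAMPLE_LOG, FAKE_PTR.get).items():
        print(f"{ip}: {n} request(s) with a Baiduspider UA but no Baidu PTR")
```

On the constructed input only 203.0.113.7 is reported; the host that reverse-resolves under `.baidu.com` passes, and the browser request is never examined. A reverse lookup alone can be spoofed by whoever controls the source address's PTR record, which is why the comment insists on the forward-confirmation step in real deployments.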
