[nsp-sec] need a little info about .... www.wowio.net
Chris Morrow
morrowc at ops-netman.net
Wed Nov 17 12:44:30 EST 2010
On 11/17/10 10:40, Tim Wilde wrote:
> On 11/17/2010 12:35 AM, Chris Morrow wrote:
>> I recall seeing wowio.net in the past (~3-4 yrs ago, dimly I remember)
>> but I can't dig up anything else from my recollection. I believe it was
>> being aimed around as it is now, in a futile attempt to find 'hosting'
>> or perhaps as the pointy end of a ddos stick used to flood people :(
>> (hard to tell from my perspective).
>
> Chris & Team,
>
> The only bit of malware in our menagerie that appears to reference
> www.wowio.net is:
oh, neat info :0 can I copy/paste the reply to an internal person?
(damian menscher - damian at google)
-chris
> ee0e1ea04e5435b09ba09c5b52d8572621cf1641 2010-11-15 18:20:01
> 92 KB
> md5: 4873da4691c50b797dc634adac83b6e9
> filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit,
> UPX compressed
>
> AV detection on that sample is actually pretty minimal, interestingly
> enough. The only non-generic signature I see calls it Trojan.Siggen2.6027.
>
> It's referenced in an AttackSet.dat file that the sample brings with it,
> and puts in c:\Windows\system32. The other section names read from that
> file are www.rxjhsf.com and websun888.gotoip4.com.
>
> This particular sample appears to be the one emulating the Baidu bot's
> user-agent in its attack.
>
> The earliest we saw this particular SHA1 was 2010-10-15, we've seen it
> downloaded from a bunch of IP-based URLs on funky ports, probably all
> 0wned if I had to guess.
>
> I don't see any obvious C&C traffic in a quick look through the
> analysis, so it's possible this is fire & forget, though it's also
> possible that I'm just missing it. :)
>
> Hope this helps (or is at least interesting :))!
>
> Tim
>