[nsp-sec] [DDoS - City of New York]
Rob Thomas
robt at cymru.com
Mon Aug 22 17:31:03 EDT 2011
Hi, Joel.
> This reminded me, I sent this to DOITT.NYC.GOV on the 17th - the
> attached .txt file is really an executable, my guess is "nothing good" :-)
Indeed! :) I ran this one through our malware-o-matic and
query-o-matic, and found a few interesting bits.
It looks up sfkdhjnsfjg.ru, which presently resolves to 195.189.226.119.
AS    | IP              | BGP Prefix       | CC | Registry | Allocated  | AS Name
41018 | 195.189.226.119 | 195.189.226.0/23 | UA | ripencc  | 2006-05-30 | SERVER-UA-AS SERVER-UKRAINE DC
DNS RRs pointed to 195.189.226.119 this month include:
stamp               | qname          | class | type | rdata
------------------- ---------------- ------- ------ -----------------
2011-08-19 15:46:12 | sfkdhjnsfjg.ru | IN    | A    | 195.189.226.119
2011-08-22 07:36:04 | rattsillis.com | IN    | A    | 195.189.226.119
It then fetches the following URL:
h x x p : / / sfkdhjnsfjg.ru / pusk3.exe
This is installed as:
C:\Documents and Settings\IT\Local Settings\Temp\pusk3.exe
It then does another GET for:
h x x p : / / sfkdhjnsfjg.ru / ftp / g.php
This is probably some sort of configuration file. It is installed as:
C:\Documents and Settings\IT\Local Settings\Temporary Internet Files\Content.IE5\Z7L7D65P\g[1].htm
The file pusk3.exe looks up findtype.org, which presently resolves to 141.136.16.13.
AS    | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
50515 | 141.136.16.13 | 141.136.16.0/24 | RO | ripencc  | 2011-06-29 | TIER-DATA-CENTER Tier SRL
141.136.16.13 appears to be a Linux box.
DNS RRs pointed to 141.136.16.13 this month include:
stamp               | qname              | class | type | rdata
------------------- -------------------- ------- ------ ---------------
2011-08-01 00:01:34 | findtry.org        | IN    | A    | 141.136.16.13
2011-08-01 00:01:34 | findtube.org       | IN    | A    | 141.136.16.13
2011-08-01 23:34:53 | finddelightful.org | IN    | A    | 141.136.16.13
2011-08-01 23:34:54 | findtune.org       | IN    | A    | 141.136.16.13
2011-08-04 00:51:21 | findturn.org       | IN    | A    | 141.136.16.13
2011-08-07 02:51:08 | findtwenty.org     | IN    | A    | 141.136.16.13
2011-08-12 04:56:37 | findtwice.org      | IN    | A    | 141.136.16.13
2011-08-16 12:27:15 | findtwo.org        | IN    | A    | 141.136.16.13
2011-08-20 15:51:08 | findtype.org       | IN    | A    | 141.136.16.13
We have at least 277 samples in our malware menagerie that point to
141.136.16.13. Oofah! If anyone would like the full list, let me know.
It dates back to at least 2011-07-06 07:22:51 UTC.
pusk3.exe then issues the following GETs:
h x x p : / / findtype.org / pica1 / 531-direct
This appears to be some sort of data file.
h x x p : / / findtype.org / 404.php?type=stats&affid=531&subid=03&awok
That's probably some sort of counter or beacon method.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
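Added example, not part of Rob's post: a small Python triage helper that applies the hosts, IP addresses and the stats/affid beacon shape described in the message to web proxy log lines. The log format and the sample lines are constructed assumptions; the indicators are the ones quoted above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators quoted in the analysis above.
KNOWN_HOSTS = {"sfkdhjnsfjg.ru", "rattsillis.com", "findtype.org"}
KNOWN_IPS = {"195.189.226.119", "141.136.16.13"}
# The beacon GET has the shape 404.php?type=stats&affid=<n>&subid=<n>...
BEACON_PATH_RE = re.compile(r"/404\.php$")

# Constructed proxy log lines (assumed format):
# "<date> <time> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2011-08-22 09:01:02 10.1.2.3 GET http://sfkdhjnsfjg.ru/pusk3.exe 200
2011-08-22 09:01:05 10.1.2.3 GET http://sfkdhjnsfjg.ru/ftp/g.php 200
2011-08-22 09:01:09 10.1.2.3 GET http://findtype.org/pica1/531-direct 200
2011-08-22 09:01:10 10.1.2.3 GET http://findtype.org/404.php?type=stats&affid=531&subid=03&awok 200
2011-08-22 09:02:00 10.1.2.4 GET http://example.org/index.html 200
2011-08-22 09:02:30 10.1.2.5 GET http://141.136.16.13/404.php?type=stats&affid=999&subid=01 200
"""

def classify(url):
    """Return the reasons a URL matches the infection chain ([] if none)."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host in KNOWN_HOSTS or host in KNOWN_IPS:
        reasons.append("known-host")
    # Flag the beacon shape on any host, not only the known ones, since the
    # affid/subid counter URL is the more stable part of the pattern.
    if BEACON_PATH_RE.search(u.path):
        q = parse_qs(u.query)
        if q.get("type") == ["stats"] and "affid" in q:
            reasons.append("stats-beacon affid=%s" % q["affid"][0])
    return reasons

def scan(log_text):
    """Return (client_ip, url, reasons) for each log line that matches."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; skip rather than guess
        client, url = parts[2], parts[4]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits
```

Grouping the hits by client address reproduces the download, config fetch, data file and beacon sequence described in the message for host 10.1.2.3.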