[nsp-sec] Yahoo malware distribution
Joe St Sauver
joe at oregon.uoregon.edu
Thu Jun 23 11:12:38 EDT 2011
Jon mentioned:
#Both received in spam this morning.
#
#http :// federalreserve-report.com / transaction-report.pdf.exe
#http :// nacha-report.org / transaction-report.pdf.exe
#
#I haven't analyzed the exe's but what else would they be?
Same hash for both. Virustotal says 7/42 as of the point I checked it:
Antivirus Version Last Update Result
Comodo 9165 2011.06.23 Packed.Win32.MUPX.Gen
Kaspersky 9.0.0.837 2011.06.23 UDS:DangerousObject.Multi.Generic
Norman 6.07.10 2011.06.23 W32/Kryptik.ZJ
Panda 10.0.3.5 2011.06.23 Suspicious file
Symantec 20111.1.0.186 2011.06.23 Suspicious.Cloud
TrendMicro 9.200.0.1012 2011.06.23 PAK_Generic.012
TrendMicro-HouseCall 9.200.0.1012 2011.06.23 PAK_Generic.012
Additional information
MD5 : ef3d45b93629d9b198a589f6e43b0a75
SHA1 : 684c3ea01a4c519441efdde4de3f0317f5731876
SHA256: c3938c49cfda3b94ecd69f4bfe3df81c19b0b1abaf22e0d6f1303449b9c45b6d
It's multiply packed. The initial packing is with upx. After unpacking it,
hardly anything detects it:
Antivirus Version Last Update Result
Panda 10.0.3.5 2011.06.23 Suspicious file
TrendMicro 9.200.0.1012 2011.06.23 PAK_Generic.012
TrendMicro-HouseCall 9.200.0.1012 2011.06.23 PAK_Generic.012
Additional information
MD5 : d73d0e4a805d9d54fee3f66faf96c4d5
SHA1 : f6ebc68e7f10498e55eb6d3fa1def1b6c6a8433b
SHA256: c10a38815f9d6065f24d6f9e0a4bedaaf8e2823be83cacda8e08baa2add5f0d4
Reportedly, this second layer of the onion is in turn packed with
PE_Patch.EPProt; I'll let someone else keep going with this one from here.
Personally, I'm convinced it's software I don't want. :-)
Here's the sort of interesting follow-on part from my POV (likely not
directly related to your bad guy): if you google for information on
"PE_Patch.EPProt" (the apparent packer the second layer uses) you find
sites such as:
-- hxxp://www[dot]pcsafedoctor[dot]com/Unknown/remove-PE_Patch.EPProt.html
The file that's available from that site, PCSafeDoctor_Setup[dot]exe,
is large, 40,378,690 octets. Its MD5 is fc449e783f1951a67969301624c831df
(not seen in the Team Cymru MHR).
pcsafedoctor[dot]com is registered via Enom and hidden behind a Whois
Privacy Service, Inc., private registration.
hxxp://www[dot]pcsafedoctor[dot]com/contact-us.php offers only an email
point of contact. The domain was created on 14 May 2010.
208[dot]115[dot]197[dot]126 is part of a Limestone Networks /29 registered
to a Chinese address:
%rwhois V-1.5:003fff:00 rwhois.limestonenetworks.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:LSN-BLK-208.115.192.0/18
network:Auth-Area:208.115.192.0/18
network:Network-Name:LSN-208.115.192.0/18
network:IP-Network:208.115.197.120/29
network:IP-Network-Block:208.115.197.120 - 208.115.197.127
network:Organization-Name:liu jiachang
network:Organization-City:shen zhen
network:Organization-State:OT
network:Organization-Zip:518057
network:Organization-Country:CN
network:Tech-Contact;I:abuse at limestonenetworks.com
network:Admin-Contact;I:abuse at limestonenetworks.com
network:Updated-By:admin at limestonenetworks.com
[snip]
Might be legitimate, but I rather doubt it.
-- See also
hxxp://www[dot]removefakesoftware[dot]com/remove-PE_Patch.EPProt.html
www[dot]removefakesoftware[dot]com --> 98[dot]126[dot]135[dot]11
which again delivers PCSafeDoctor_Setup.exe from
www[dot]pcsafedoctor[dot]com
%rwhois V-1.5:003eff:00 rwhois.vpls.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-KRYPT-98.126.135.8/29
network:Auth-Area:98.126.0.0/16
network:Network-Name:KRYPT-98.126.135.8-29
network:IP-Network:98.126.135.8/29
network:IP-Network-Block:98.126.135.8 - 98.126.135.15
network:Organization;I:chan_teng
network:Admin-Contact;I:VPLS
network:Tech-Contact;I:hostmaster at vpls.net
network:Abuse-Contact;I:abuse at vpls.net
network:Created:20110201
network:Updated:20110201
network:Updated-By:hostmaster at vpls.net
[snip]
Checking the domain:
Registrant:
qi wang
6466 NE Chestnut Rd
Mobridge, SD 57685
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: REMOVEFAKESOFTWARE.COM
Created on: 01-Jul-10
Expires on: 01-Jul-11
Last Updated on: 07-Jun-11
Administrative Contact:
wang, qi cheesoftanalytics at gmail.com
6466 NE Chestnut Rd
Mobridge, SD 57685
United States
+1.6058992692 Fax --
[snip]
-- Another presumably related one:
hxxp://www[dot]spywareviruscleaner[dot]com/How-to-Remove-PE_Patch.EPProt.html
www[dot]spywareviruscleaner[dot]com --> 98[dot]126[dot]66[dot]85
Checking the IP whois for that one:
VPLS Inc. d/b/a Krypt Technologies VPLSNET (NET-98-126-0-0-1) 98.126.0.0 - 98.126.255.255
Robert DuBois NERDYSOUTHMARKETING (NET-98-126-66-80-1) 98.126.66.80 - 98.126.66.87
Following NET-98-126-66-80-1:
NetRange: 98.126.66.80 - 98.126.66.87
CIDR: 98.126.66.80/29
OriginAS: AS35908
NetName: NERDYSOUTHMARKETING
NetHandle: NET-98-126-66-80-1
Parent: NET-98-126-0-0-1
NetType: Reassigned
Comment: brandon at nerdysouthmarketing.com
RegDate: 2010-05-03
Updated: 2010-05-03
Ref: http://whois.arin.net/rest/net/NET-98-126-66-80-1
CustName: Robert DuBois
Address: 5464 N Port Washington Rd STE C-145
City: Milwaukee
StateProv: WI
PostalCode: 53217
Country: US
RegDate: 2010-05-03
Updated: 2011-03-19
Ref: http://whois.arin.net/rest/customer/C02484040
OrgAbuseHandle: KRYPT-ARIN
OrgAbuseName: Krypt Keeper
OrgAbusePhone: +1-866-599-9593
OrgAbuseEmail: abuse at krypt.com
OrgAbuseRef: http://whois.arin.net/rest/poc/KRYPT-ARIN
[snip]
spywareviruscleaner[dot]com is registered to:
Registrant:
qi wang
6466 NE Chestnut Rd
Mobridge, SD 57685
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SPYWAREVIRUSCLEANER.COM
Created on: 01-Jul-10
Expires on: 01-Jul-11
Last Updated on: 07-Jun-11
Administrative Contact:
wang, qi cheesoftanalytics at gmail.com
6466 NE Chestnut Rd
Mobridge, SD 57685
United States
+1.6058992692 Fax --
[snip]
Domain servers in listed order:
NS11.DOMAINCONTROL.COM
NS12.DOMAINCONTROL.COM
nerdysouthmarketing.com, as mentioned in the IP whois, is hidden behind
a WhoisGuard registration.
The link from that site gives you BestSpywareScanner_Setup[dot]exe.
It's 2,000,546 octets long, with an MD5 of 81e639c06b583ab493f0b1637d34e3cf.
It was delivered from
hxxp://www[dot]bestspywarescanner[dot]net/BestSpywareScanner_Setup[dot]exe
www[dot]spywareviruscleaner[dot]com --> 98[dot]126[dot]66[dot]85
(as above).
Three hits for that one at Virustotal:
Antivirus Version Last Update Result
Antiy-AVL 2.0.3.7 2011.06.22 Trojan/win32.agent.gen
DrWeb 5.0.2.03300 2011.06.23 Trojan.Fakealert.20721
NOD32 6233 2011.06.23 a variant of Win32/Adware.SpywareCease
-- And see also hxxp://www[dot]spydig[dot]com/spyware-info/PE_Patch-EPProt.html
www[dot]spydig[dot]com --> 208[dot]115[dot]245[dot]26
%rwhois V-1.5:003fff:00 rwhois.limestonenetworks.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:LSN-BLK-208.115.192.0/18
network:Auth-Area:208.115.192.0/18
network:Network-Name:LSN-208.115.192.0/18
network:IP-Network:208.115.245.24/29
network:IP-Network-Block:208.115.245.24 - 208.115.245.31
network:Organization-Name:liu jiachang
network:Organization-City:shen zhen
network:Organization-State:OT
network:Organization-Zip:518057
network:Organization-Country:CN
network:Tech-Contact;I:abuse at limestonenetworks.com
network:Admin-Contact;I:abuse at limestonenetworks.com
network:Updated-By:admin at limestonenetworks.com
[snip]
spydig[dot]com is hidden behind a Whois Privacy Protection Service
private registration.
Spydig_Setup[dot]exe is 40,387,629 octets in length with an MD5 of
9bf553d39db3ff4fa24045c02862c4fe
Anyhow, probably just a sign that I'm easily amused, but thought that
some folks might be interested. I find that large exe size particularly
interesting, since that immediately excludes those executables from
eligibility for scanning via most public multi-product anti-virus sites.
Of course, the downside is that the bad guys need to work (marginally)
harder to deliver payloads of that size, instead of something that's
nice and small. I guess they're really not targeting the "dialup crowd",
shall we say.
Anyone have a site they like for scanning or sandboxing large exe's
online?
Regards,
Joe
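As an added, stdlib-only illustration of the triage steps walked through in this post (hash the sample so copies can be compared and looked up, spot a stock UPX layer by its section names, and flag samples too large for a public scanner's upload cap); this is not code from the original mail. The PE image it builds is constructed for the demo, and the 32 MiB cap is an assumed value, not any particular site's limit.

```python
"""PE triage helper (illustration, not part of the original post)."""
import hashlib
import struct

UPLOAD_CAP_BYTES = 32 * 1024 * 1024  # assumed cap; real scanners differ


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256, the three digests the post compares across samples."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def section_names(data: bytes) -> list:
    """Walk the PE header and return section names; [] if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                              # section table start
    names = []
    for i in range(nsec):
        raw = data[first + 40 * i: first + 40 * i + 8]            # 8-byte Name field
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 and writes a 'UPX!' magic."""
    return any(n.startswith("UPX") for n in section_names(data)) or b"UPX!" in data


def triage(data: bytes, cap: int = UPLOAD_CAP_BYTES) -> dict:
    """One record per sample: size, upload-cap check, UPX markers, digests."""
    return {"size": len(data), "over_upload_cap": len(data) > cap,
            "upx_markers": looks_upx_packed(data), **hashes(data)}


def build_sample_pe(names=("UPX0", "UPX1", ".rsrc")) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)  # no optional header
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + secs


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Run the same `triage()` on the UPX-unpacked output to see the digests change, which is why the post reports a second hash set after unpacking.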