40e80014.... what is going on here?

[tjs]

Does anyone know what is going on with these:

208.66.195.15/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
208.66.195.71/40e8001430303030303030303030303030303030303031306c0000008766000000017600000002
208.66.194.180/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002
208.66.195.165/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002

I've noticed that by changing bits in the param, you get different malware. Sometimes you get duplicates, sometimes not. I've never gotten two different samples by passing the same param- and that applies to the different IPs.

Does anyone know what this is about? What is with the weird parameters? Does anyone have any clues about what these IPs are used for and how they work???


seg000:0101                 call    near ptr 1504h
seg000:0104                 xor     [bx+si], dh
seg000:0106                 xor     [bx+si], dh
seg000:0108                 xor     [bx+si], dh
seg000:010A                 xor     [bx+si], dh
seg000:010C                 xor     [bx+si], dh
seg000:010E                 xor     [bx+si], dh
seg000:0110                 xor     [bx+si], dh
seg000:0112                 xor     [bx+si], dh
seg000:0114                 xor     [bx+si], dh
seg000:0116                 xor     [bx+si], si
seg000:0118                 insb

--

seg000:0100  40 E8 00 14 30 30 30 30  30 30 30 30 30 30 30 30  @F.¶000000000000
seg000:0110  30 30 30 30 30 30 31 30  6C 00 00 00 4D 66 00 00  00000010l...Mf..
seg000:0120  00 00 76 00 00 00 02                              ..v...

Thanks,
tjs

[tjs]

Examples:

208.66.195.15/40e8001430303030303030303030303030303030303031306c0000001c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000002c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000005c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000006c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000007c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000008c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c0000009c66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c000000ac66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c000000bc66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c000000cc66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c000000dc66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c000000ec66000000007600000002
208.66.195.15/40e8001430303030303030303030303030303030303031306c000000fc66000000007600000002


All malware.. You can generate all sorts of random urls and get unique malware :S

[andrewmccain]

I'm wondering the same thing. I posted links like these at   http://www.malwaredomainlist.com/forums/index.php?topic=1578.0

Since then my honeypot has found these urls...
hxxttp://208.66.194.180/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002
hxxttp://208.66.194.231/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002
hxxttp://208.66.195.15/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002
hxxttp://208.66.195.165/40e8001430303030303030303030303030303030303031306c0000003c66000000007600000002

hxxttp://208.66.194.180
hxxttp://208.66.194.180/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
hxxttp://208.66.194.231
hxxttp://208.66.194.231/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
hxxttp://208.66.195.15
hxxttp://208.66.195.15/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
hxxttp://208.66.195.165
hxxttp://208.66.195.165/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
hxxttp://208.66.195.71/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002

[andrewmccain]

Might as well mention I first starting seeing these urls 2 weeks ago.

First discovered on 'ThePlanet'

Code: [Select]

http://207.218.237.82/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
http://74.53.251.34/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
http://75.125.207.50/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
http://75.125.207.82/40e8001430303030303030303030303030303030303031306c0000005866000000007600000002
Urls were reported and disabled.

[andrewmccain]

If you search those ips on threatexpert.com you get some reports of malware downloading these urls

Here's one example...
http://www.threatexpert.com/reports.aspx?find=208.66.195.15&x=0&y=0

[tjs]

Can you ellaborate a little on how they were found? Were they embedded into another page, and if so, can you post a URL or a snippet on how it is being propagated?

Based on the sequential IP addresses being used here, I would guess that the people behind this are scanning IP ranges and installing this distribution system.

208.66.195.15
208.66.195.71
208.66.195.165

208.66.194.180
208.66.194.231

75.125.207.50
75.125.207.82

tjs

[andrewmccain]

I ran a huge chunk of malware I received from some Av vendor in my VM and logged what was being downloaded.

[tjs]

Interesting. I wonder if the malware that downloads these samples somehow uses those weird parameters. Can you share a sample with me?