Author Topic: GLP trojan distributed as Adobe software  (Read 3763 times)

May 28, 2010, 03:19:43 pm

crunchtime

These guys are posing malware as an Adobe Flash installer. Dirty tricks call for detailed research :)

Malware:
hxxp://alwaysprokladka.com/tube/Adobe__Flash__Player.exe

Virus Total:
http://www.virustotal.com/analisis/4cbcdf751e44d4faec6d1fae86beb5777eaa4cc8cdd28ce0bc7a0345a980fb07-1275056734

Anubis Report:
http://anubis.iseclab.org/?action=result&task_id=181973be63f571fc421e406a5cc27ecd5

These guys have a few pages up, and only one is caught by the Google Safe Browsing protocol:

hxxp://onlinefeeds.ru/tube/?
hxxp://www.hetkwispelaartje.ru/tube/?
hxxp://6dpg3khy.ru/tube/?
hxxp://8reclame.ru/tube/?
hxxp://alwaysprokladka.com/tube/?
hxxp://ashcbzbbbz.ru/tube/?
hxxp://cateredchaletfrankrijk.ru/tube/?
hxxp://crosslinks-services.ru/tube/?
hxxp://csokolom.ru/tube/?
hxxp://ebiebi.me/tube/?
hxxp://gdwre766.ru/tube/?
hxxp://gopchicken.ru/tube/?
hxxp://ic2u8kk0.ru/tube/?
hxxp://ihjddgqs.ru/tube/?
hxxp://jongfcmp.ru/tube/?
hxxp://kojvdspw.ru/tube/?
hxxp://koliander.ru/tube/?
hxxp://lipsticpi.ru/tube/?
hxxp://lopolok.ru/tube/?
hxxp://meeenti.ru/tube/?
hxxp://mokojikol.ru/tube/?
hxxp://okiolk.ru/tube/?
hxxp://onlinefreeze.ru/tube/?
hxxp://onlinegop.ru/tube/?
hxxp://onlinejobsfrees.ru/tube/?
hxxp://onlinelongjorn.ru/tube/?
hxxp://onlineteammaster.ru/tube/?
hxxp://onlinetechnicals.ru/tube/?
hxxp://panamais.me/tube/?
hxxp://patronah.ru/tube/?
hxxp://piscine-ecologique.ru/tube/?
hxxp://qzhvlpso.ru/tube/?
hxxp://ronaldknol.ru/tube/?
hxxp://selavis.ru/tube/?
hxxp://smart-accountant.ru/tube/?
hxxp://t0a2afyq.ru/tube/?
hxxp://trustincompanies.ru/tube/?
hxxp://uplcash.com/tube/?
hxxp://wiiqiieiqa.ru/tube/?
hxxp://zatuhnichmo.com/tube/?
hxxp://zxcvsbrds.ru/tube/?
hxxp://nesselandeportal.info/tube/?
hxxp://gerotal.info/tube/?
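
An added example, not part of crunchtime's post: turning the defanged list above into a proxy-log check. It re-fangs hxxp://, normalizes hosts (lower-case, leading www. dropped) and flags a request either because its host is on the list or because it fetches the posted Adobe__Flash__Player.exe name under /tube/ on any host. Only a subset of the thread's domains is embedded; the full list can be pasted into POSTED_URLS unchanged. The log lines and their format are constructed for the example, and the "/tube/ on an unlisted host" signal is deliberately marked review-only because real video sites use that path too.

```python
import re
from urllib.parse import urlsplit

# Subset of the defanged URLs posted in the thread (hxxp:// is the forum's
# defanging). The rest of the posted list can be appended here verbatim.
POSTED_URLS = """
hxxp://alwaysprokladka.com/tube/Adobe__Flash__Player.exe
hxxp://onlinefeeds.ru/tube/?
hxxp://www.hetkwispelaartje.ru/tube/?
hxxp://6dpg3khy.ru/tube/?
hxxp://ebiebi.me/tube/?
hxxp://uplcash.com/tube/?
hxxp://zatuhnichmo.com/tube/?
hxxp://nesselandeportal.info/tube/?
"""

# The payload filename from the thread, matched case-insensitively on the path.
PAYLOAD_NAME = re.compile(r"^/tube/adobe__flash__player\.exe$", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp:// or hxxps:// back into a scheme urlsplit understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so list and log hosts compare the same way."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_blocklist(posted: str) -> set:
    """Collect the normalized hostnames from a block of (defanged) URLs."""
    hosts = set()
    for line in posted.splitlines():
        if not line.strip():
            continue
        parsed = urlsplit(refang(line))
        if parsed.hostname:
            hosts.add(normalize_host(parsed.hostname))
    return hosts


BLOCKED_HOSTS = build_blocklist(POSTED_URLS)


def classify(url: str, blocked=BLOCKED_HOSTS) -> list:
    """Return the reasons a requested URL matches the kit, strongest first ([] = clean)."""
    parsed = urlsplit(refang(url))
    host = normalize_host(parsed.hostname or "")
    reasons = []
    if host in blocked:
        reasons.append("host on posted list")
    if PAYLOAD_NAME.match(parsed.path):
        reasons.append("fake Flash installer filename")
    # Weak signal: the kit's landing page is /tube/? with an empty query.
    # Legitimate video sites use /tube/ as well, so this only raises a review item.
    elif parsed.path == "/tube/" and parsed.query == "" and host not in blocked:
        reasons.append("review: /tube/ landing path on unlisted host")
    return reasons


# Constructed proxy log lines (not from the thread): "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1275056734 10.0.0.5 GET http://alwaysprokladka.com/tube/Adobe__Flash__Player.exe 200
1275056740 10.0.0.5 GET http://www.onlinefeeds.ru/tube/? 200
1275056751 10.0.0.9 GET http://get.adobe.com/flashplayer/ 200
1275056760 10.0.0.7 GET http://example.org/tube/?v=12 200
1275056771 10.0.0.7 GET http://unlisted.example/tube/Adobe__Flash__Player.exe 200
"""


def flag_requests(log_text: str) -> list:
    """Return (client, url, reasons) for every request that matched at least one signal."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, _method, url, _status = fields
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in flag_requests(SAMPLE_LOG):
        print(f"{client} {url} -> {'; '.join(reasons)}")
```

Matching on the hostname rather than the full URL is intentional: the landing pages all share the same /tube/? path, so the host is what distinguishes the kit's domains, while the payload filename check catches the same dropper when it moves to a domain not yet on the list.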

May 30, 2010, 02:26:22 pm
Reply #1

boston

Quote
These guys are posing malware as an Adobe Flash installer.
These trojans (%temp%\<3 random characters>.exe + %system%\sshnas21.dll) are widespread.
They're also distributed as crack.XXXXX.exe and video-plugin.XXXXX.exe.
http://www.malwaredomainlist.com/forums/index.php?topic=4075.0
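
An added example, not from boston's post or from MDL: a host-side check for the two artifacts named above, a 3-character random .exe in %temp% and sshnas21.dll in %system%. It assumes %temp% resolves through the TEMP/TMP environment variables and %system% is %SystemRoot%\System32; both directories can also be passed explicitly. Names are compared case-insensitively as on a Windows filesystem, and each hit is hashed with SHA-256 so it can be looked up on VirusTotal. The scratch tree built by demo() is constructed for the example, not taken from an infected host. A 3-character .exe in %temp% on its own is a weak signal (plenty of installers drop such names), so the verdict treats the DLL name as the decisive indicator.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Artifacts named in the thread.
DROPPER_NAME = re.compile(r"^[a-z0-9]{3}\.exe$", re.IGNORECASE)
DLL_NAME = "sshnas21.dll"


def default_dirs():
    """Resolve %temp% and %system% the way a Windows host would (assumption: System32 under SystemRoot)."""
    temp = Path(os.environ.get("TEMP", os.environ.get("TMP", "/tmp")))
    system = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    return temp, system


def sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large droppers do not have to be read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_artifacts(temp_dir, system_dir) -> dict:
    """Look for dropper-shaped files in temp_dir and the DLL in system_dir."""
    temp_dir, system_dir = Path(temp_dir), Path(system_dir)
    droppers = []
    if temp_dir.is_dir():
        for entry in temp_dir.iterdir():
            if entry.is_file() and DROPPER_NAME.match(entry.name):
                droppers.append(entry)
    dll = None
    if system_dir.is_dir():
        for entry in system_dir.iterdir():
            # Windows filesystems are case-insensitive, so compare lower-cased names.
            if entry.is_file() and entry.name.lower() == DLL_NAME:
                dll = entry
                break
    droppers.sort()
    hashes = {str(p): sha256(p) for p in droppers + ([dll] if dll else [])}
    return {"droppers": droppers, "dll": dll, "sha256": hashes}


def verdict(findings: dict) -> str:
    """'infected' if the DLL is present, 'suspicious' on dropper-shaped temp files alone, else 'clean'."""
    if findings["dll"] is not None:
        return "infected"
    if findings["droppers"]:
        return "suspicious"
    return "clean"


def demo():
    """Build a constructed scratch tree (not a real host) and run the check against it."""
    root = Path(tempfile.mkdtemp(prefix="sshnas_demo_"))
    temp, system = root / "Temp", root / "System32"
    temp.mkdir()
    system.mkdir()
    stub = b"MZ" + b"\0" * 62  # placeholder bytes, not real executables
    (temp / "kq3.exe").write_bytes(stub)            # dropper-shaped name
    (temp / "Setup_1.2.exe").write_bytes(stub)      # ordinary installer name, must not match
    (system / "SSHNAS21.DLL").write_bytes(stub)     # case differs on purpose
    findings = find_artifacts(temp, system)
    return findings, verdict(findings)


if __name__ == "__main__":
    # Real run: check this host. On a non-Windows box the System32 path simply does not exist.
    findings = find_artifacts(*default_dirs())
    print(verdict(findings))
    for path, digest in findings["sha256"].items():
        print(f"{digest}  {path}")
```

Running the script without arguments checks the local machine; demo() exercises the same logic against a scratch tree so the regex and the case-insensitive DLL match can be verified without an infected host.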

May 30, 2010, 04:55:24 pm
Reply #2

crunchtime

Quote
These guys are posing malware as an Adobe Flash installer.
These trojans (%temp%\<3 random characters>.exe + %system%\sshnas21.dll) are widespread.
They're also distributed as crack.XXXXX.exe and video-plugin.XXXXX.exe.
http://www.malwaredomainlist.com/forums/index.php?topic=4075.0


Thanks for the info. Group research like this is what I like about MDL. Also you have an awesome handle; gotta love the city of Boston.

May 31, 2010, 09:48:54 pm
Reply #3

boston

Quote
Thanks for the info. Group research like this is what I like about MDL. 
+1 :)
This family of trojans is also related to the "take a look at this photo..." worms, which targeted German users lately.

May 31, 2010, 09:59:11 pm
Reply #4

philipp

Code:
http://alwaysprokladka.com/tube/load.php
http://alwaysprokladka.com/tube/1.php

This currently returns '114688'.
It does not seem to be a unique ID (I also tried from different IPs).
It also does not seem to be a counter of hits for watch.php.
So what is that? Anyone have an idea? :D