hs.3-151.zlkon.lv -(94.247.3.151)

[SysAdMini]

Story is related to hyperliteautoservices.cn

http://mnin.blogspot.com/2009/04/malware-forensics-how-ironic-can-it-get.html

[Malware-Web-Threats]

Exploits:

Code: [Select]

hxxp://liteautogreatest.cn

Wepawet

Code: [Select]

hxxp://liteautogreatest.cn/cache/readme.pdf

Wepawet for readme.pdf
VirusTotal for readme.pdf - 5/40 (12.5%)

Code: [Select]

hxxp://liteautogreatest.cn/cache/flash.swf

VirusTotal for flash.swf - 4/39 (10.26%)

Code: [Select]

hxxp://liteautogreatest.cn/load.php?id=5

VirusTotal for load.exe - 12/40 (30%)
Anubis report for load.exe

Botnet C&C: 78.109.29.112

78.109.29.112:80
Request: GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=981633 
Response: 200 "OK" 

[SysAdMini]

PDF/Flash exploits

Code: [Select]

liteupyourride.cn

Code: [Select]

liteupyourride.cn/cache/readme.pdfhttp://www.virustotal.com/analisis/46adc25de221146ea1a2458c97602518 6/40
http://wepawet.cs.ucsb.edu/view.php?hash=4925255f3716377f7fcb7c9bfb038795&t=1240163655&type=js

Code: [Select]

liteupyourride.cn/cache/flash.swfhttp://www.virustotal.com/analisis/470c291cdcc653d9fa59067bcd0e2549 0/40

readme.pdf redirects to

Code: [Select]

litehitscar.cn/load.php?id=5
flash.swf redirects to

Code: [Select]

autobestwestern.cn/load.php?id=7&0

[SysAdMini]

Code: [Select]

liteupyourride.cn/load.php?id=0http://www.virustotal.com/analisis/84c843b670e272983c36df81d489b1c7 11/40

[SysAdMini]

Code: [Select]

autobestwestern.cn/load.php?id=7&0
finditbig.cn/load.php?id=0
lotwageronline.cn/load.php?id=0
bestfindaloan.cn/load.php?id=0
casinobigtop.cn/load.php?id=0
findbigthinker.cn/load.php?id=0
nanotopdiscover.cn/load.php?id=0http://www.virustotal.com/analisis/07cbfa835cf93c2f866d7e7fa18eabf5 10/40

[SysAdMini]

Code: [Select]

bigtopliteworld.cn/index.php

Code: [Select]

bigtopliteworld.cn/cache/readme.pdfhttp://www.virustotal.com/analisis/04849a3b94bd19e3744dad8c73fe1837 5/40

Code: [Select]

bigtopliteworld.cn/cache/flash.swfhttp://www.virustotal.com/analisis/e6aa538f7429685ebc57c229fcf60e12 0/40

payload

Code: [Select]

liteupyourride.cn/load.php?id=5http://www.virustotal.com/analisis/a7235085d030a368a2e252b2f349e88c 5/40

[SysAdMini]

Code: [Select]

bigfirststopnonfat.cn/cache/readme.pdfhttp://www.virustotal.com/de/analisis/9df853e9e91da997d69ffa57cdfc1009 6/40

Code: [Select]

bigfirststopnonfat.cn/cache/flash.swfhttp://www.virustotal.com/de/analisis/1062ccad3b0ca5230aa812b1e2a0fe75 8/40

Code: [Select]

bigfirststopnonfat.cn/load.php?id=0http://www.virustotal.com/analisis/4addace3fd995166bd398c49f36730eb 4/40

[CkreM]

Exploits/trojan:

Code: [Select]

liteautoexcellent.cn/cache/readme.pdfhttp://wepawet.iseclab.org/view.php?hash=a36d423bba260475c37ddb159934d3c7&t=1240725719&type=js
The downloaded trojan:

Code: [Select]

bigfindtopguide.cn/load.php?id=8http://www.virustotal.com/analisis/1d3885e6ca1855e868cff94a6470dba5

[CkreM]

Exploits/trojan:

Code: [Select]

liteautomobileinsurance.cn/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=2e8bf3872891782a22bdf1ed93b49c5f&t=1240801054&type=js

[SysAdMini]

Code: [Select]

litevehiclemall.cn
the usual readme.pdf /flash.swf combination of exploits

Code: [Select]

litevehiclemall.cn/cache/readme.pdfhttp://wepawet.cs.ucsb.edu/view.php?hash=b9963d36150f370f54c1ac1281d58805&t=1240858677&type=js
http://www.virustotal.com/analisis/a125d69e7fb2522c4c83d07516f1793d 6/40

Code: [Select]

litevehiclemall.cn/cache/flash.swfhttp://www.virustotal.com/analisis/d8aea9a028fce12370bcd373df28b170 2/40