Author Topic: Various stuff...  (Read 6266 times)

0 Members and 1 Guest are viewing this topic.

November 02, 2007, 04:56:36 am
Read 6266 times

sowhat-x

  • Guest
Quote
hxxp://rb.vg/1.js
hxxp://cool.47555.com/vvv/444.exe
hxxp://cool.47555.com/vvv/rss.dll
hxxp://vip.jqxx.org/xxx.htm
hxxp://eee.jopenqc.com/xm20.htm
hxxp://eee.jopenqc.com/eeecom.cab#version=1,0,0,002
hxxp://qgzlkzbhlk.cn/adv735.exe
hxxp://lamodano.info/tim_data/modules/c.bin
hxxp://lamodano.info/tim_data/modules/regalka.exe
hxxp://methasearch.info/goog3/explorer1.exe
hxxp://methasearch.info/goog3/explorer2.exe
hxxp://methasearch.info/goog3/explorer3.exe
hxxp://methasearch.info/goog3/explorer4.exe
hxxp://methasearch.info/goog3/explorer5.exe
hxxp://methasearch.info/goog3/explorer6.exe
hxxp://o1.o1wy.com/goto/top.exe
hxxp://o1.o1wy.com/kiss/logo.gif

Quote
hxxp://66.11.115.52/accessdenied/?w=3000&a=1
-> It spawns an executable,but without a proper .exe file extension...

Quote
hxxp://85.255.114.164/gdnOT2904.exe
-> Main address just shows the common Apache successful installation logo,
and the malware in question is Trojan.Win32.Pakes.akq...

Quote
hxxp://119.img.pp.sohu.com/images/2007/9/20/21/3/115bd969307.jpg
hxxp://120.img.pp.sohu.com/images/2007/10/14/22/3/1163a046c39.jpg
hxxp://120.img.pp.sohu.com/images/2007/10/21/22/6/1165e4064e8.jpg
hxxp://122.img.pp.sohu.com/images/2007/10/20/20/4/116589ef142.jpg
hxxp://119.img.pp.sohu.com/images/2007/10/21/22/5/1165e3b5ee2.jpg
-> All of them obviously pseudo-extensions...main page is hxxp://pp.sohu.com/
It seems to be some kind of DeviantArt-alike site...

November 02, 2007, 08:08:33 pm
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Thanks these will be in the list soon.

Quote
hxxp://119.img.pp.sohu.com/images/2007/9/20/21/3/115bd969307.jpg
hxxp://120.img.pp.sohu.com/images/2007/10/14/22/3/1163a046c39.jpg
hxxp://120.img.pp.sohu.com/images/2007/10/21/22/6/1165e4064e8.jpg
hxxp://122.img.pp.sohu.com/images/2007/10/20/20/4/116589ef142.jpg
hxxp://119.img.pp.sohu.com/images/2007/10/21/22/5/1165e3b5ee2.jpg
-> All of them obviously pseudo-extensions...main page is hxxp://pp.sohu.com/
It seems to be some kind of DeviantArt-alike site...

As you pointed out these have fake file extensions. Usually when you see malware with a fake file extension it is still just a regular PE file but renamed. These however don't start with MZ, they start with GIF89a. Then I guess there is a header, which is how they are able to upload their malware to an image host. Because image hosts don't normally check for file extensions alone. After the little bit of data which I guess is the header comes the PE file, you can see where it starts if you look for MZ. If you scan this file as it is, these are the virus total results:

Quote
File 115bd969307.jpg received on 11.02.2007 20:37:12 (CET)
Current status:  finished
Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.3.0 2007.11.02 -
AntiVir 7.6.0.30 2007.11.02 -
Authentium 4.93.8 2007.11.02 -
Avast 4.7.1074.0 2007.11.02 -
AVG 7.5.0.503 2007.11.02 -
BitDefender 7.2 2007.11.02 Trojan.Clicker.Vb.SL
CAT-QuickHeal 9.00 2007.11.02 -
ClamAV 0.91.2 2007.11.02 -
DrWeb 4.44.0.09170 2007.11.02 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5262 2007.11.02 -
Ewido 4.0 2007.11.02 -
FileAdvisor 1 2007.11.02 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.02 -
F-Secure 6.70.13030.0 2007.11.02 -
Ikarus T3.1.1.12 2007.11.02 -
Kaspersky 7.0.0.125 2007.11.02 -
McAfee 5155 2007.11.02 -
Microsoft 1.2908 2007.11.02 -
NOD32v2 2634 2007.11.02 -
Norman 5.80.02 2007.11.02 -
Panda 9.0.0.4 2007.11.02 -
Prevx1 V2 2007.11.02 -
Rising 20.16.42.00 2007.11.02 -
Sophos 4.23.0 2007.11.02 -
Sunbelt 2.2.907.0 2007.11.02 -
Symantec 10 2007.11.02 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.11.02 -
VirusBuster 4.3.26:9 2007.11.01 -
Webwasher-Gateway 6.6.1 2007.11.02 -

Additional information
File size: 19499 bytes
MD5: 099a93be86819f908fd899a5e1e6725a
SHA1: ce983bb4d1822634043f3db15db467ca6e913dad

If you "fix" the file and scan it, this is what you get:

Quote
File 115bd969307_.jpg received on 11.02.2007 20:51:45 (CET)
Current status: finished
Result: 20/31 (64.52%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.3.0 2007.11.02 -
AntiVir 7.6.0.30 2007.11.02 TR/Click.VB.QG.70
Authentium 4.93.8 2007.11.02 -
Avast 4.7.1074.0 2007.11.02 Win32:Delf-GBO
AVG 7.5.0.503 2007.11.02 Clicker.JBO
BitDefender 7.2 2007.11.02 Trojan.Clicker.Vb.SL
CAT-QuickHeal 9.00 2007.11.02 TrojanClicker.VB.qg
ClamAV 0.91.2 2007.11.02 -
DrWeb 4.44.0.09170 2007.11.02 Trojan.Click.4645
eSafe 7.0.15.0 2007.10.28 suspicious Trojan/Worm
eTrust-Vet 31.2.5262 2007.11.02 Win32/VMalum.AAXX
Ewido 4.0 2007.11.02 -
FileAdvisor 1 2007.11.02 High threat detected
Fortinet 3.11.0.0 2007.10.19 Adware/VB
F-Prot 4.4.2.54 2007.11.02 -
F-Secure 6.70.13030.0 2007.11.02 Trojan-Clicker.Win32.VB.qg
Ikarus T3.1.1.12 2007.11.02 Virus.Win32.VB.FGK
Kaspersky 7.0.0.125 2007.11.02 Trojan-Clicker.Win32.VB.qg
McAfee 5155 2007.11.02 -
Microsoft 1.2908 2007.11.02 -
NOD32v2 2634 2007.11.02 probably a variant of Win32/TrojanClicker.VB.TK
Norman 5.80.02 2007.11.02 -
Panda 9.0.0.4 2007.11.02 Trj/Downloader.MDW
Prevx1 V2 2007.11.02 -
Rising 20.16.42.00 2007.11.02 Trojan.DL.Win32.AdLoad.km
Sophos 4.23.0 2007.11.02 Mal/VB-A
Sunbelt 2.2.907.0 2007.11.02 -
Symantec 10 2007.11.02 Downloader
TheHacker 6.2.9.110 2007.10.27 Trojan/Clicker.VB.qg
VBA32 3.12.2.4 2007.11.02 Trojan-Clicker.Win32.VB.qg
VirusBuster 4.3.26:9 2007.11.01 -
Additional information
File size: 19456 bytes
MD5: 3d5894d32d109efe75370f5328e3c298
SHA1: ee88fe55cefc3aa0f32874ad1f2cbc837283cabc
packers: UPX
packers: UPX
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=3d5894d32d109efe75370f5328e3c298
packers: UPX
packers: PE_Patch.UPX, UPX

As you can see there is a huge difference in detection rates. I would assume the antivirus products are checking to see if the file is an executable before scanning it. Though they do also detect files that were used for jpeg exploits, so perhaps they include JPEG file formats for scanning, or maybe just checked for malformed file headers. I'm not quite sure.

Thanks for the files.

November 03, 2007, 12:56:10 am
Reply #2

sowhat-x

  • Guest
Quote
...or maybe just checked for malformed file headers...
Jpg file extension,GIF89a pseudo-header,MZ actual header and UPX sections afterwards...
It kind of reminded me of a "funny" poc I had read about a couple of years ago,
named by his author as the..."Triple Headed program"... :)
http://www.securityelf.org/magicbyte.html

...what actually made me curious/skeptical,is...why they used the GIF89a header,
when at the same time,the files have the .jpg extension.
Were they say bored of reading the JPEG specs,
and found the GIF header easier/more comfortable to implement,or what else...
'cause I don't remember any win32 exploits related to gif rendering or so...

Maybe again the answer simply has to do with what you've already said...
that since most AV products more or less scan for malformed jpeg headers...
they simply thought,why not make use of gif header instead,
as it might have more chances of successfully invading AVs...