Preface: Attached Zip includes screenshots of the malicious network activity, a PCAP log of the activity and all of the related binary files. A text file with noted Post/Gets is also included if you are unfamiliar with viewing PCAP Logs.
In case attachment is not delivered it is located here
http://www.sendspace.com/file/5ykk7jThe password to this link as well as the attached zip file is "infected"
The main file is live at h
ttp://173.231.144.66/net/debug.zip (This is a downloader which has been seen in multiple exploit-kit frameworks (BEPs) iframed into high-profile sites). Estimates are that over 160K downloads of the exe have been successful, the address above seems to be consistently updated with new binaries when the previous is detected.
Webservers used in the download chain include: 62.122.75.42, 64.20.35.3, 64.191.64.105, 216.240.146.119, 93.174.90.17, 173.212.250.165
Webservers with unknown network activity generated by the executables: 174.36.199.25, 118.94.228.1, 147.232.161.86
Currently ONLY these antivirus have generically detected the packer: McAfee,NOD32,Prevx,Sophos
If your antivirus is not in the list you need to contact these vendors and figure out how they have generically detected the software used to pack the binaries and add detection to your software as well.
The Malware is currently downloading 4 files tgb.exe, tgc.exe, tgd.exe, Txehea.exe
The tgx.exe files are downloaded to: %userpath%\local settings\temp\
Txehea.exe is downloaded to %windir%\
All files have been repacked as of this morning which can be observed by their cleanish looking virustotal scans
Debug.exe -> 9/38
http://www.virustotal.com/analisis/124a592f2edea2e8fc682c9a5f07ccca70a075135aa8ac194a8207e814330876-1279291357Tgb.exe -> 3/41
http://www.virustotal.com/analisis/d6c7b484e01fe788dc3ba0a47da00c847e753d90086c478b39b9cd8f5b82409d-1279293050Tgc.exe -> 11/40
http://www.virustotal.com/analisis/97d8a5353a0eb2689abbb08fc495c1f5aa58184c5765fa5d0138cac2d833af1e-1279293057Tgd.exe -> 10/41
http://www.virustotal.com/analisis/43b1eea7c292b0762953e17b05cff2e7756f29ae7b10bc761f1e5dfb2617238d-1279293064Txehea.exe 13/42
http://www.virustotal.com/analisis/97d8a5353a0eb2689abbb08fc495c1f5aa58184c5765fa5d0138cac2d833af1e-1279293100Please update databases accordingly and for the love of god add some detection for the packer these bastards are using. Stop using simple definitions and get some generic ones going otherwise these guys will just repack the file and do-away with any detections that were added. As noted above the installation count for these files is growing rapidly generic detection must be added quickly or the virus will spread like a plague.
A Ethereal PCAP dump of the malicious network activity is included, from the PCAP logs this network activity has been noted below
======================================================================================================
homovisualarts.com: 216.240.146.119
Post: /n75jnkj46n45kj6n456.php?
ini=v22MmDy2Qdb7WjNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7J8TegiBMF4cAHjzbYmRtufQpaX/Nfttue7okA==
xpresdnet.com: 93.174.90.17
Get: xpresdnet.com/get.php?id=2
classyartsworld.com: 64.20.35.3
POST: /werber/9458366286d/217.gif
kingfinearts.com: 64.191.64.105
Post:/perce/72888478bcf9d0a5b4304eabc47b781d4e623adcb6674e38365801e236e41fb27ca42b39acfedc503/14f8f682760/qwerce.gif
directstraight.com: 173.212.250.165
Post: /borders.php
Uknown Activity
hitinto.com: 174.36.199.25
middlelist.com 118.94.228.1
hotdf.com: 147.232.161.86
======================================================================================================
Topic: Large Http Botnet: New Binary Location, Binary files repacked (Read 706 times)