Author Topic: Large Http Botnet: New Binaries, New Domains |-Update6  (Read 3072 times)


July 17, 2010, 10:09:49 am

LiveVirusReports

In case the attachment is not delivered, it is located here:
http://www.sendspace.com/file/omgyeu
The password to this link, as well as to the attached zip file, is "infected".

The main file is live at:
http://216.38.23.50/net/debug.zip
http://216.38.23.51/net/debug.zip
http://216.38.23.52/net/debug.zip
http://216.38.23.53/net/debug.zip
http://216.38.23.54/net/debug.zip
http://216.38.23.55/net/debug.zip
http://216.38.23.56/net/debug.zip
(This is a downloader which has been seen in multiple exploit-kit frameworks (BEPs) iframed into high-profile sites.) Estimates are that over 170K downloads of the exe have been successful; the addresses above seem to be consistently updated with new binaries when the previous one is detected.

Webservers used in the download chain include: 216.240.146.119, 64.191.44.73, 64.191.64.105, 64.191.82.25, 64.20.35.3, 69.172.136.199, 124.193.216.206, 173.212.250.165, 191.128.55.206, 118.94.228.1, 147.232.161.86

Currently ONLY a few antivirus products generically detect the packed files. Packed means that they are encrypted using a software protection process, which can be generically detected if the time is taken to do so.

The malware is currently downloading 4 files: tgb.exe, tgc.exe, Txehea.exe, l_excepti.exe

The tgx.exe files are downloaded to: %userpath%\local settings\temp\
Txehea.exe is downloaded to: %windir%\
l_excepti.exe is downloaded to: %windir%\system32\

Please update databases accordingly and, for the love of god, add some detection for the packer these bastards are using. Stop using simple definitions and get some generic ones going; otherwise these guys will just repack the file and do away with any detections that were added. As noted above, the installation count for these files is growing rapidly. Generic detection must be added quickly or the virus will spread like a plague.

A Wireshark dump of the malicious network activity is included; the network activity noted in the PCAP logs is summarised below.
======================================================================================================
nega-arts.com: 216.240.146.119
216.240.146.119   HTTP   POST /n75jnkj46n45kj6n456.php?ini=v22MmDy2Qdb7WjNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7J8TegiBMF4cAHjzfIuRtufQpaX+Ovtotu7vkA== HTTP/1.1  (application/x-www-form-urlencoded)

freeartstv.com: 64.191.44.73
64.191.44.73   HTTP   POST /cursors/92b8a468bc99805534f0eefbb48bd83d2e728a3c56376ef8161871c2f684cf824c64fb090c7e5c306/342826b2066/cursor_upp.gif HTTP/1.1  (application/x-www-form-urlencoded)

secondnaturearts.com: 64.20.35.3
64.20.35.3   HTTP   POST /werber/e4a87602d60/217.gif HTTP/1.1  (application/x-www-form-urlencoded)

kzqinferno.com: 69.172.136.199
69.172.136.199   HTTP   GET /html/license_43EC923632021E56663AFA1B35A5084430326B7AA5DD9B48154FB32C96460C732701115E8BD9D605EBCDCFF11A9E5E9A7961F4815B151E2B1DE7AD9144568A6472C328361C90634F68BA21D7E9738A12A1A7C664F6BC84AA1B5B4824A007F3FF825B61D42BC18DDF6855BC01B14ED11DB23551B70A9E31B4CE0A4AA9FB6BA91451E92975F6424C737B6B42C1B8BEA96A5F05DBD6810431327D171DAFF813B1E2BB6B3D708D34263D82E74C7E76821A1BE392CDE2D0575DDD714ED48080A0161025C78CD28B00BFA311E5CD1EDD4D80ACF0FE6F9B6003BD4641A76B7F0C60FD5B1BC65B88CAA8368079B770D35E7D89B018B642773926FB8B079CABA9969E03892356CF456F67C1E8C2EB4DD6F6CB0DEF36AAB7EAA963DBFCA449C65ECBFF35D5D3CC09C3909B1749C3B5FA375089ED9EB818D1B108A71EE3CABDE17469FF44506EE8A64E63560BA609549EF09C3A694CCCDE9438E081A9917D66911D3E8D44DC36B5D20DB3D32E2C1BB48DB0FB48048076642E134D2C47B81B77CF5A8E6BC7F2A08A4C32A9CA837A813D.html HTTP/1.1

freeboobsarts.com: 64.191.64.105
64.191.64.105   HTTP   POST /perce/923894e84c0960358460fe5b04fb184dce92baac4637be284648414276046f024c04fb990c6ecc90c/b4e8d6a2f62/qwerce.gif HTTP/1.1  (application/x-www-form-urlencoded)

imagehut4.cn: 124.193.216.206
124.193.216.206   HTTP   GET /update/utu.dat HTTP/1.1

directstraight.com: 173.212.250.165
173.212.250.165   HTTP   POST /borders.php HTTP/1.1  (application/x-www-form-urlencoded)

allxt.com: 64.191.82.25
phreeway.com: 191.128.55.206
middlelist.com: 118.94.228.1
hotdf.com: 147.232.161.86

======================================================================================================
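The indicators above (download hosts, C2 domains/IPs and the request shapes seen in the PCAP) are exactly what a defender would turn into a log-matching rule. The following is an added example, not code from the original post or its author: a small Python scanner that reads HTTP proxy log lines, matches hosts against the post's indicator list, and flags the request shapes from the PCAP summary. The one-line log format is hypothetical (timestamp, client IP, method, host, path, request content-type), the sample log lines are constructed, and the "form-encoded POST to an image path" rule generalises the `cursor_upp.gif` / `217.gif` / `qwerce.gif` beacons in the post to any host, so it will also surface hosts not yet on the list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the post above (C2 domains, C2 IPs, downloader hosts).
C2_DOMAINS = {
    "nega-arts.com", "freeartstv.com", "secondnaturearts.com", "kzqinferno.com",
    "freeboobsarts.com", "imagehut4.cn", "directstraight.com", "allxt.com",
    "phreeway.com", "middlelist.com", "hotdf.com",
}
C2_IPS = {
    "216.240.146.119", "64.191.44.73", "64.191.64.105", "64.191.82.25", "64.20.35.3",
    "69.172.136.199", "124.193.216.206", "173.212.250.165", "191.128.55.206",
    "118.94.228.1", "147.232.161.86",
}
DOWNLOAD_IPS = {f"216.38.23.{n}" for n in range(50, 57)}  # 216.38.23.50 .. 216.38.23.56

# Request shapes taken from the PCAP summary in the post.
PATH_RULES = [
    ("downloader fetch (/net/debug.zip)", "GET", re.compile(r"^/net/debug\.zip$")),
    ("long hex license beacon", "GET", re.compile(r"^/html/license_[0-9A-Fa-f]{64,}\.html$")),
    ("update fetch (/update/utu.dat)", "GET", re.compile(r"^/update/utu\.dat$")),
]
FORM_CT = "application/x-www-form-urlencoded"


@dataclass
class Request:
    ts: str
    src: str
    method: str
    host: str
    path: str
    content_type: str


# Hypothetical log format (not from the post):
# <timestamp> <client_ip> <GET|POST> <host> <path> <request content-type or ->
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return Request(*m.groups()) if m else None


def classify(req: Request) -> List[str]:
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons: List[str] = []
    host = req.host.lower()
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append(f"known C2 host {host}")
    if host in DOWNLOAD_IPS:
        reasons.append(f"known downloader host {host}")
    for name, method, rx in PATH_RULES:
        if req.method == method and rx.match(req.path):
            reasons.append(name)
    # Generalised from the PCAP: the C2 beacons are form-encoded POSTs to .gif paths,
    # a shape that legitimate image requests never have, so flag it on any host.
    if req.method == "POST" and req.content_type == FORM_CT and req.path.lower().endswith(".gif"):
        reasons.append("form-encoded POST to image path")
    return reasons


def scan(lines) -> List[Tuple[str, str, str, List[str]]]:
    """Run every parsable line through classify(); return (src, host, path, reasons) hits."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # malformed line: skip rather than crash the scan
        reasons = classify(req)
        if reasons:
            hits.append((req.src, req.host, req.path, reasons))
    return hits


# Constructed sample log; hosts/paths mirror the post, the clients and times are made up.
SAMPLE_LOG = [
    "2010-07-17T10:09:49 10.0.0.5 GET 216.38.23.50 /net/debug.zip -",
    "2010-07-17T10:10:02 10.0.0.5 POST nega-arts.com /n75jnkj46n45kj6n456.php?ini=AAAA " + FORM_CT,
    "2010-07-17T10:10:05 10.0.0.5 POST freeartstv.com /cursors/abc/def/cursor_upp.gif " + FORM_CT,
    "2010-07-17T10:10:09 10.0.0.5 GET 69.172.136.199 /html/license_" + "A1B2" * 20 + ".html -",
    "2010-07-17T10:11:00 10.0.0.7 GET www.example.com /index.html -",
    "2010-07-17T10:11:03 10.0.0.7 POST www.example.com /cursor.gif " + FORM_CT,
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, host, path, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {host}{path}: {', '.join(reasons)}")
```

The last hit in the sample output is the interesting one: `www.example.com` is on no list, yet the form-encoded POST to a `.gif` path matches the beacon shape, which is the kind of behavioural rule the post asks for instead of per-binary signatures. Swap `SAMPLE_LOG` for lines read from a real proxy export once the regex is adjusted to that export's field order.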