Author Topic: clspring / clickspring  (Read 5270 times)


October 07, 2009, 05:27:11 pm

eoin.miller (Sr. Member)

Been seeing some clspring infections and haven't found these domains in any of the malware lists:

www.clickspring.net
nf.clickspring.net
cu.clickspring.net
pisces.clickspring.net
campaigns.outerinfo.com
legend.psdtools.com
66.150.193.xxx IP range
cu.outerinfo.com

Source (I know, I know, it's CA):
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=42280


Emergingthreats.net has some sigs for this stuff as well:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bullseye-Network.com; sid: 2001501; rev:6;)

October 07, 2009, 06:33:17 pm
Reply #1

SysAdMini (Administrator, Hero Member)

I don't think that those domains are involved in malicious activity. All look offline or parked.
The CA report is very old.
Ruining the bad guy's day

October 07, 2009, 08:01:28 pm
Reply #2

eoin.miller (Sr. Member)

We are having machines successfully connect to hosts within the outerinfo.com domain. We played around with it a bit, and it is pulling down some bin files:

http://campaigns.outerinfo.com/client_settings.bin
http://campaigns.outerinfo.com/campaigns2_2.bin
http://campaigns.outerinfo.com/campaigns3_2.bin
http://campaigns.outerinfo.com/campaigns4_2.bin
http://campaigns.outerinfo.com/campaigns5_2.bin
http://campaigns.outerinfo.com/campaigns6_2.bin
http://campaigns.outerinfo.com/campaigns7_2.bin
http://campaigns.outerinfo.com/campaigns8_2.bin
http://campaigns.outerinfo.com/campaigns9_2.bin
http://campaigns.outerinfo.com/campaigns10_2.bin
http://campaigns.outerinfo.com/campaigns11_2.bin


campaigns.outerinfo.com resolves to 63.251.135.15
www.outerinfo.com resolves to 63.251.135.18


Also found this googling around:
http://fp.outerinfo.com/dispatcher.php

fp.outerinfo.com resolves to 63.251.135.24

ARIN:
ClickSpring LLC INAP-BSN-CLICKSPRING-0971 (NET-63-251-135-0-1)
                                  63.251.135.0 - 63.251.135.63

Of course nothing has reverse lookup. It looks like they may have moved IP space, but the old sigs are still firing off on the communications.

Also seeing clicklinks.net on 63.251.135.21 (appears they discontinued the use of this domain after it was found out):
http://www.bing.com/search?q=ip%3A63.251.135.21&go=&form=QBRE

duhiki.com, adparatus.com, marketprecision.com, thesearchassistant.com (broke), on 63.251.135.22:
http://www.bing.com/search?q=ip%3A63.251.135.22&go=&form=QBRE3
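
The two posts above together give a usable indicator set: the ET sid:2001501 rule (whose only content match is the `Host: www.bullseye-network.com` header), the clickspring/outerinfo/psdtools domains, the resolved addresses, the ClickSpring LLC ARIN block 63.251.135.0 - 63.251.135.63 and the 66.150.193.xxx range. The script below is an added example, not code from this thread or from Emerging Threats: it applies those indicators to web-proxy log lines so a defender can find hosts that are still talking to this infrastructure even where the old signature does not fire. The log format and the sample lines are constructed for the demo; the reading of "66.150.193.xxx" as 66.150.193.0/24 is an assumption, since the post only gives the first three octets.

```python
"""Check web-proxy log lines against the clspring / outerinfo indicators from this thread.

Added example, not the forum's or any vendor's code. The log format and the sample
lines are constructed for the demo. The domains, the ARIN block 63.251.135.0-63 (written
here as 63.251.135.0/26) and the ET sid:2001501 Host header come from the thread;
"66.150.193.xxx" is treated as 66.150.193.0/24, which is an assumption.
"""
import ipaddress
import re

# Domains named in the thread; subdomains match too (campaigns.outerinfo.com -> outerinfo.com)
SUSPECT_DOMAINS = {
    "clickspring.net",
    "outerinfo.com",
    "legend.psdtools.com",
    "clicklinks.net",
    "duhiki.com",
    "adparatus.com",
    "marketprecision.com",
    "thesearchassistant.com",
}

# Address space from the thread: ClickSpring LLC ARIN block plus the 66.150.193.xxx range
SUSPECT_NETS = [
    ipaddress.ip_network("63.251.135.0/26"),   # INAP-BSN-CLICKSPRING-0971, .0 - .63
    ipaddress.ip_network("66.150.193.0/24"),   # assumed /24 for "66.150.193.xxx"
]

# The only content match in ET sid:2001501 is this Host header (nocase)
ET_2001501_HOST = "www.bullseye-network.com"

# Constructed log format: "<timestamp> <client_ip> <dst_ip> <host_header> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<host>\S+) (?P<path>\S+)$")


def domain_matches(host, suspect_domains=SUSPECT_DOMAINS):
    """Return the indicator domain if host equals it or is a subdomain of it, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suspect_domains:
            return candidate
    return None


def ip_matches(dst_ip, nets=SUSPECT_NETS):
    """Return the indicator network (as a string) containing dst_ip, else None."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def check_line(line):
    """Return a list of (indicator_type, indicator) hits for one log line; [] if clean or unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    host, dst_ip = m.group("host"), m.group("dst_ip")
    if host.lower() == ET_2001501_HOST:          # same match the ET rule makes on the Host header
        hits.append(("et_sid_2001501_host", host))
    d = domain_matches(host)
    if d:
        hits.append(("domain", d))
    n = ip_matches(dst_ip)                       # catches hosts that moved to new names in the same block
    if n:
        hits.append(("ip_range", n))
    return hits


def scan(lines):
    """Return {client_ip: [(line, hits), ...]} for every line with at least one hit."""
    findings = {}
    for line in lines:
        hits = check_line(line)
        if hits:
            client = LOG_RE.match(line.strip()).group("client")
            findings.setdefault(client, []).append((line.strip(), hits))
    return findings


# Constructed sample log: the .bin fetches from the post, one clean line, one line that only
# matches the ET Host header, one that only falls in the assumed 66.150.193.0/24, one malformed.
SAMPLE_LOG = """\
2009-10-07T19:55:01 10.1.2.33 63.251.135.15 campaigns.outerinfo.com /client_settings.bin
2009-10-07T19:55:02 10.1.2.33 63.251.135.15 campaigns.outerinfo.com /campaigns2_2.bin
2009-10-07T19:56:10 10.1.2.40 198.51.100.7 www.example.org /index.html
2009-10-07T19:57:44 10.1.2.41 63.251.135.21 clicklinks.net /
2009-10-07T19:58:12 10.1.2.42 192.0.2.9 www.bullseye-network.com /report
2009-10-07T19:59:03 10.1.2.43 66.150.193.77 cdn.unknown-host.test /x
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for client, entries in scan(SAMPLE_LOG).items():
        print(client)
        for line, hits in entries:
            print("   ", hits, "<-", line)
```

The domain check walks the label suffixes so that any subdomain of a listed domain matches without also matching look-alikes such as `notouterinfo.com`; the network check is what keeps firing after the operators rename hosts inside the same ARIN block, which is the situation the post describes.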

October 07, 2009, 08:29:05 pm
Reply #3

eoin.miller (Sr. Member)

Coup de grâce:

http://www.outerinfo.com/OiUninstaller.exe
VirusTotal:
MD5:     c6f466ced488582ce66a05651f53206d
First received:    2008.09.18 11:36:48 UTC
Date:    2009.10.06 18:23:59 UTC [+1D]
Results:    32/41
Source:
http://www.virustotal.com/analisis/b860a3f4f63657bceffe5e3f3b043c088f7905b67672e07f09f0f62e60503a19-1254947224

Most classify as PurityScan/Yazzle.

ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=c6f466ced488582ce66a05651f53206d

Anubis:
http://anubis.iseclab.org/?action=result&task_id=1f6ffb7e619bccd34e51f5abcd9621576&format=html

October 08, 2009, 06:58:55 pm
Reply #4

SysAdMini (Administrator, Hero Member)

Ruining the bad guy's day

October 09, 2009, 01:22:22 am
Reply #5

RS-232 (Special Access, Sr. Member)

...these are (more or less) "Potentially Unwanted" applications, adware at worst - wouldn't classify/blacklist them as malware...
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw