Author Topic: Massive Httpd Botnet CnC/Binaries Included, ~50-90,000 Infected  (Read 3040 times)


July 16, 2010, 09:24:44 am

LiveVirusReports

Original Location http://173.204.119.122/net/debug.zip

Main file has moved live to http://173.231.144.66/net/debug.zip (this is a downloader which has been seen in multiple exploit-kit frameworks (BEPs) iframed into high-profile sites). Estimates are that over 120K downloads of the .exe have been successful; the address above seems to be consistently updated with new binaries when the previous one is detected.

This downloader grabs a few files (some filenames appear randomized each execute) which include:

C:\Documents and Settings\USERxplore.exe (This file appears broken to some extent; it gives a 16-bit error when it tries to execute)
%userpath%\local settings\temp\tgc.exe
%windir%\Txejea.exe
%windir%\system32\muwebg.exe (This filename is the one that doesn't stay constant, but the others do in our tests)

tgb.exe in the location described above is added to startup under HKCU\SOFTWARE\...\Run\
Files installed to %windir%\system32\%random%.exe and %windir%\Txejea.exe are added to startup and executed by explorer.exe after the system reboots.

All affected files mentioned above are included within this zip file
http://www.sendspace.com/file/vflizt
The password is "infected" no quotes.
Note: debug.zip must be renamed to an executable extension to be run, inside it has been renamed to debug.exe
The attached "infected.zip" is identical to the zip file linked here, both were added just in case the attachment might have been filtered.

All samples are currently live, they have been observed connecting to these domains.
imagehut4.cn
allxt.com
hitinto.com
These domains were grabbed from Ethereal pcaps. A second note: all files appear to run fully under Windows in VMware (they are resistant to other sandboxes such as Threat-Expert or Anubis).

Any assistance in shutting down the server hosting these nasties, the affected domains, or information on those responsible would be greatly appreciated. Our infection occurred when a co-worker accidentally opened an iframed site through Internet Explorer, and then it began to pop up all over the network.

/EDIT by SysAdmini
Attachment removed (available on sendspace) and malware URLs defused.
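The post lists the indicators a responder would sweep for on the rest of the network: the downloader hosts and path, the three C2 domains seen in the pcaps, and the dropped executables that get Run-key persistence. The script below is an added example, not code from the original post, that turns those indicators into an offline check over two constructed inputs: a few proxy/DNS-style log lines, and a text export of the Run keys in the shape `reg export` produces. The log lines and the registry text are made up for the demonstration; the domains, IPs, URL path and file names are the ones the post gives. Because the post only describes the `%windir%\system32\<random>.exe` drop as a pattern, Run entries pointing anywhere under system32 are reported at "review" confidence rather than as definite hits, and must be triaged against known-good entries (the sample deliberately includes a benign ctfmon.exe entry to show this).

```python
"""IOC sweep for the indicators listed in this thread (added example, not from the post)."""
import re
from urllib.parse import urlparse

# Network indicators as written in the post.
C2_DOMAINS = {"imagehut4.cn", "allxt.com", "hitinto.com"}
DOWNLOAD_HOSTS = {"173.204.119.122", "173.231.144.66"}
DOWNLOAD_PATH = "/net/debug.zip"

# Host indicators from the post. The system32 drop has a random name, so it is
# only a pattern and is reported at lower confidence than the fixed names.
FIXED_DROPPED = ("txejea.exe", "tgc.exe")
SYSTEM32_EXE = re.compile(r"\\system32\\[a-z0-9]+\.exe$", re.IGNORECASE)

# Constructed sample inputs (not real captures from the incident).
LOG_LINES = [
    "2010-07-16 09:01:12 10.0.0.21 GET http://173.231.144.66/net/debug.zip 200",
    "2010-07-16 09:01:40 10.0.0.21 GET http://imagehut4.cn/ 200",
    "2010-07-16 09:02:05 10.0.0.22 GET http://www.example.com/index.html 200",
    "2010-07-16 09:03:10 10.0.0.21 DNS A hitinto.com",
]
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tgc"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\tgc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Txejea"="C:\\WINDOWS\\Txejea.exe"
"muwebg"="C:\\WINDOWS\\system32\\muwebg.exe"
'''

def host_of(field):
    """Return the lowercased host of a URL or of a bare host token."""
    if "://" in field:
        return (urlparse(field).hostname or "").lower()
    return field.split("/")[0].split(":")[0].lower()

def scan_log(lines):
    """Flag lines whose request host is a C2 domain or a downloader host.
    Returns (line, reason, host) tuples; one hit per line."""
    hits = []
    for line in lines:
        for tok in line.split():
            h = host_of(tok)
            if h in C2_DOMAINS:
                hits.append((line, "c2_domain", h))
                break
            if h in DOWNLOAD_HOSTS:
                reason = "downloader_url" if DOWNLOAD_PATH in tok else "downloader_host"
                hits.append((line, reason, h))
                break
    return hits

def image_path(data):
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    m = re.match(r'"?(.+?\.exe)', data.strip(), re.IGNORECASE)
    return m.group(1) if m else data.strip()

def scan_run_keys(reg_text):
    """Flag Run-key values pointing at the dropped executables.
    Expects `reg export` text: [KEY] headers and "Name"="data" lines with
    doubled backslashes. Returns (key, name, image, confidence) tuples."""
    hits = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or key is None or not key.lower().endswith("\\run"):
            continue
        name = m.group(1)
        image = image_path(m.group(2).replace("\\\\", "\\")).lower()
        base = image.rsplit("\\", 1)[-1]
        if base in FIXED_DROPPED:
            hits.append((key, name, image, "high"))
        elif SYSTEM32_EXE.search(image):
            hits.append((key, name, image, "review"))   # triage against known-good
    return hits

if __name__ == "__main__":
    for line, reason, host in scan_log(LOG_LINES):
        print(f"[net] {reason:15} {host:20} {line}")
    for key, name, image, conf in scan_run_keys(REG_TEXT):
        print(f"[reg] {conf:6} {key}\\{name} -> {image}")
```

On a real host, feed `scan_run_keys` the output of `reg export` for both the HKCU and HKLM Run keys, and feed `scan_log` whatever proxy or DNS logs the network keeps; the "review" class is where the randomized system32 name has to be confirmed by hand, since the post gives no name that can be matched exactly.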


July 16, 2010, 01:06:25 pm
Reply #2

S!Ri
