Author Topic: Large Http Botnet: New Binary Location, Binary files repacked  (Read 2877 times)

0 Members and 1 Guest are viewing this topic.

July 16, 2010, 04:57:17 pm
Read 2877 times

LiveVirusReports

  • Newbie

  • Offline
  • *

  • 4
Preface: Attached Zip includes screenshots of the malicious network activity, a PCAP log of the activity and all of the related binary files. A text file with noted Post/Gets is also included if you are unfamiliar with viewing PCAP Logs.

In case attachment is not delivered it is located here
http://www.sendspace.com/file/5ykk7j
The password to this link as well as the attached zip file is "infected"

The main file is live at http://173.231.144.66/net/debug.zip  (This is a downloader which has been seen in multiple exploit-kit frameworks (BEPs) iframed into high-profile sites). Estimates are that over 160K downloads of the exe have been successful, the address above seems to be consistently updated with new binaries when the previous is detected.

Webservers used in the download chain include: 62.122.75.42, 64.20.35.3,  64.191.64.105,  216.240.146.119,  93.174.90.17,  173.212.250.165
Webservers with unknown network activity generated by the executables: 174.36.199.25,  118.94.228.1,  147.232.161.86

Currently ONLY these antivirus have generically detected the packer: McAfee,NOD32,Prevx,Sophos
If your antivirus is not in the list you need to contact these vendors and figure out how they have generically detected the software used to pack the binaries and add detection to your software as well.

The Malware is currently downloading 4 files tgb.exe, tgc.exe, tgd.exe, Txehea.exe

The tgx.exe files are downloaded to: %userpath%\local settings\temp\
Txehea.exe is downloaded to %windir%\

All files have been repacked as of this morning which can be observed by their cleanish looking virustotal scans
Debug.exe -> 9/38
http://www.virustotal.com/analisis/124a592f2edea2e8fc682c9a5f07ccca70a075135aa8ac194a8207e814330876-1279291357
Tgb.exe -> 3/41
http://www.virustotal.com/analisis/d6c7b484e01fe788dc3ba0a47da00c847e753d90086c478b39b9cd8f5b82409d-1279293050
Tgc.exe -> 11/40
http://www.virustotal.com/analisis/97d8a5353a0eb2689abbb08fc495c1f5aa58184c5765fa5d0138cac2d833af1e-1279293057
Tgd.exe -> 10/41
http://www.virustotal.com/analisis/43b1eea7c292b0762953e17b05cff2e7756f29ae7b10bc761f1e5dfb2617238d-1279293064
Txehea.exe 13/42
http://www.virustotal.com/analisis/97d8a5353a0eb2689abbb08fc495c1f5aa58184c5765fa5d0138cac2d833af1e-1279293100

Please update databases accordingly and for the love of god add some detection for the packer these bastards are using. Stop using simple definitions and get some generic ones going otherwise these guys will just repack the file and do-away with any detections that were added.  As noted above the installation count for these files is growing rapidly generic detection must be added quickly or the virus will spread like a plague.

A Ethereal PCAP dump of the malicious network activity is included, from the PCAP logs this network activity has been noted below
======================================================================================================
homovisualarts.com: 216.240.146.119
Post: /n75jnkj46n45kj6n456.php?
ini=v22MmDy2Qdb7WjNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7J8TegiBMF4cAHjzbYmRtufQpaX/Nfttue7okA==

xpresdnet.com: 93.174.90.17
Get: xpresdnet.com/get.php?id=2

classyartsworld.com: 64.20.35.3
POST: /werber/9458366286d/217.gif

kingfinearts.com: 64.191.64.105
Post:/perce/72888478bcf9d0a5b4304eabc47b781d4e623adcb6674e38365801e236e41fb27ca42b39acfedc503/14f8f682760/qwerce.gif

directstraight.com: 173.212.250.165
Post: /borders.php

Uknown Activity
hitinto.com: 174.36.199.25
middlelist.com 118.94.228.1
hotdf.com: 147.232.161.86
======================================================================================================