Author Topic: bad .gif  (Read 9402 times)

July 16, 2008, 01:03:04 am

Kayrac

up.50db34d5.info/update.gif

So this sets my AV off, but I don't know how to pull the exe out of it. Anyone know how?

also this

8d77b42a.info

http://www.dslreports.com/forum/r20796656-infected-web-site-or-false-positive

has the offending issue. I gotta go to work; perhaps someone else can do a bit more research on it :)

is the link
gibson.com/en-us/Lifestyle/Contests/

July 16, 2008, 08:29:47 am
Reply #1

philipp

Hi Kayrac,

up.50db34d5.info/update.gif is a Windows executable, renamed to .gif, probably waiting to get picked up by a trojan-downloader:
update.gif: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit, UPX compressed

After execution, it downloads
hxxp://sun.update999.cn:53/moon.gif
which is a data file containing links to more binaries (also renamed to .gif):

here are the md5sums of all files:

As for 8d77b42a.info, I couldn't find any malicious content. It looks like a parked domain, but who knows.
Anyway, thanks for sharing :)

regards,
philipp

July 16, 2008, 10:16:30 am
Reply #2

Kayrac

Ah, I still got a lot to learn, that makes perfect sense :). I'll relay him to this thread for info about it :)

July 16, 2008, 10:19:57 am
Reply #3

philipp

Wait, it gets even more interesting. Give me just a few more minutes and I will tell you why ;)

July 16, 2008, 10:25:31 am
Reply #4

Kayrac

Hopefully quick, need shower, then just worked 8, got 8 off, then 8 more on, need sleep :)

July 16, 2008, 11:05:52 am
Reply #5

philipp

Hehe, OK, here we go. Little network behaviour analysis:

After execution of update.gif the infected host downloads moon.gif and afterwards all of the included binaries.
Then it does a POST to /server/AdviseCounter.dll on post.ad9178.com.
Now it downloads another binary, requesting
hxxp://sun.update999.cn:53/moon.asp?action=update&version=0
Finally it gets
hxxp://cs.rm510.com:53/ads.txt

And now it's getting interesting. The infected host begins ARP spoofing the LAN, and this is where 8d77b42a.info enters the game. Due to the ARP poisoning, the infected host inserts the following JavaScript into every webpage in order to infect further hosts on the local network:
hxxp://ad.8d77b42a.info/day.js

The 'infection schema' (nested iframes/scripts) looks like this:
hxxp://ad.8d77b42a.info/day.js
- hxxp://ads.633f94d3.info/f/index.htm
  - hxxp://ads.633f94d3.info/f/ilink.html
    - hxxp://ads.633f94d3.info/f/swfobject.js
    -> detect flash version and load according exploit
       - i115.swf
       - i16.swf
       - i28.swf
       - i45.swf
       - i47.swf
       - i64.swf
  - hxxp://ads.633f94d3.info/f/flink.html
    - hxxp://ads.633f94d3.info/f/swfobject.js
    -> detect flash version and load according exploit
       - f115.swf
       - f64.swf (not found)
       - f47.swf
       - f45.swf
       - f28.swf
       - f16.swf
- hxxp://ads.633f94d3.info/014.htm (MDAC exploit)
  -> hxxp://ad.50db34d5.info/rm/rm.exe
- hxxp://ads.633f94d3.info/real11.htm (RealPlayer <= 6.0.14.552 Exploit)
- hxxp://ads.633f94d3.info/real10.htm (RealPlayer Exploit)
- hxxp://ads.633f94d3.info/lz.htm (Ourgame GLWorld Exploit)
- hxxp://ads.633f94d3.info/bf.htm (Baofeng Storm Exploit)
- hxxp://ads.633f94d3.info/kong.htm (DPClient Exploit - empty page)


Well, furthermore, the infected host requests
hxxp://dat.goodnetads.org:53/dat.asp?action=post&HD=68ACD724756E654749656E696C65746E&OT=3&IV=6.0&AV=0
and downloads/updates (parts of) its malware:
hxxp://dat.goodnetads.org:53/dat.asp?action=update&version=0
Then it downloads
hxxp://cs.rm510.com:53/ads.txt
and
hxxp://log.goodnetads.org:53/log.gif

And that's as far as I can tell for now. Will take a closer look and provide Snort signatures later.
Good night :)
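As an added example (not philipp's code and not from the forum), the request oddities listed in this analysis turned into proxy-log heuristics: plain HTTP on port 53, an "image" fetched from a bare IP address, and a POST to a .dll endpoint. SAMPLE_LOG is constructed from the URLs in the thread plus one benign entry, and refang/flags_for/scan are names chosen here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log (method, URL) modelled on the request sequence
# described above, in the thread's defanged hxxp:// notation; not a capture.
SAMPLE_LOG = [
    ("GET", "hxxp://up.50db34d5.info/update.gif"),
    ("GET", "hxxp://sun.update999.cn:53/moon.gif"),
    ("GET", "hxxp://125.83.89.62/pic/1.gif"),
    ("POST", "hxxp://post.ad9178.com/server/AdviseCounter.dll"),
    ("GET", "hxxp://cs.rm510.com:53/ads.txt"),
    ("GET", "hxxp://www.example.com/images/logo.gif"),
]

def refang(url):
    """Turn the defanged hxxp:// form back into a parseable http:// URL."""
    return url.replace("hxxp://", "http://", 1)

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flags_for(method, url):
    """Heuristics drawn from the behaviour above; each hit is a string tag."""
    u = urlsplit(refang(url))
    host, port, path = u.hostname or "", u.port, u.path.lower()
    flags = []
    # Plain HTTP on the DNS port: update/C2 traffic hoping to pass egress filters.
    if u.scheme == "http" and port == 53:
        flags.append("http-over-53")
    # An 'image' fetched from a raw IP rather than a hostname, as the moon.gif list does.
    if is_bare_ip(host) and path.endswith((".gif", ".jpg", ".png")):
        flags.append("image-from-bare-ip")
    # POST to a .dll endpoint, like the AdviseCounter.dll check-in.
    if method == "POST" and path.endswith(".dll"):
        flags.append("post-to-dll")
    return flags

def scan(log):
    """Return (url, flags) for every log entry that trips at least one rule."""
    hits = []
    for method, url in log:
        flags = flags_for(method, url)
        if flags:
            hits.append((url, flags))
    return hits
```

Running scan(SAMPLE_LOG) flags four of the six entries; the benign example.com image and the first download from a hostname on port 80 pass.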

July 16, 2008, 08:17:59 pm
Reply #6

philipp

Just for the record,

ad.8d77b42a.info (hosting the malicious JavaScript 'day.js') resolves to the IP:
222.216.28.25

Other hosts resolving to 222.216.28.25:

Snort signatures provided by emergingthreats.org:
SIDs: 2008420 2008421 2008427

July 16, 2008, 10:50:28 pm
Reply #7

Kayrac

Amazing, philipp, thanks for taking a peek at it for me :)

I have got to learn how to analyze/find stuff better :)

July 17, 2008, 11:21:54 am
Reply #8

sowhat-x

Quote
I have got to learn how to analyze/find stuff better :)

Kayrac, more or less, for this kind of task,
you'll find that two types of tools are completely necessary:

1) A "strings" viewer... for example:
http://www.foundstone.com/us/resources/proddesc/bintext.htm

2) A hex editor... good freeware choices would be:
http://www.mh-nexus.de/hxd/
http://sourceforge.net/projects/hexplorer/

I.e. you can easily then identify a pseudo-extension malware like the update.gif above,
because you'll see the 'magic number' with which Win32 executables begin, MZ (4D 5A in hex).
And obviously, if there are any further malicious URLs contained there
(unless they have been XORed / 'encrypted' or so), you will also see them in plain text...

You can use any other alternative string viewers and hex editors obviously;
these are merely the freeware solutions that I'm personally used to...

PS: Just remembered it... if ever in the need for mass-scanning of 'camouflaged' Win32 .exes:
http://www.malwaredomainlist.com/forums/index.php?topic=1619.0
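The MZ check described above, done programmatically, as an added example (not sowhat-x's code and not from the forum): it reads the DOS header and PE signature and reports when a file's extension claims an image but the bytes are a PE, and it also notes UPX section names, which is how philipp's `file` output identified update.gif as UPX compressed. The fake_pe sample is constructed for offline testing and is not the real update.gif; IMAGE_MAGIC, pe_info and classify are names chosen here.

```python
import struct
from pathlib import Path

# Magic numbers of the image formats a disguised binary is likely to borrow.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

def pe_info(data):
    """Return (machine, section names) if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # DOS 'MZ' magic (4D 5A)
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_off = e_lfanew + 24 + opt_size                   # start of section table
    names = []
    for i in range(nsections):
        off = sec_off + i * 40                           # 40-byte section headers
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return machine, names

def classify(name, data):
    """Compare what the extension claims with what the bytes say."""
    ext = Path(name).suffix.lower()
    info = pe_info(data)
    if info:
        machine, names = info
        arch = {0x14C: "i386", 0x8664: "x86-64"}.get(machine, hex(machine))
        packed = ", UPX-packed" if any(n.startswith("UPX") for n in names) else ""
        if ext in IMAGE_MAGIC:
            return f"SUSPICIOUS: {name} claims {ext} but is a PE ({arch}{packed})"
        return f"PE ({arch}{packed})"
    if ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext]):
        return f"ok: {name} is a genuine {ext[1:]}"
    return f"unknown: {name}"

def fake_pe(section=b"UPX0", machine=0x14C):
    """Constructed minimal PE (not the real update.gif) for offline testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)                # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x102)
    return bytes(hdr) + b"PE\0\0" + coff + section.ljust(8, b"\0") + b"\0" * 32
```

For a real directory scan, call classify(path.name, path.read_bytes()) for each file; anything starting with SUSPICIOUS is a pseudo-extension binary of the update.gif kind.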

July 17, 2008, 03:59:23 pm
Reply #9

Kayrac

That first linked program works well for analyzing the JavaScript file; it makes it easier to read :)

The hex editors I'll have to check out.


Now, had I been able to find that JavaScript I may have been able to make it farther, but I honestly can't even find the JavaScript on the website

gibson.com/en-us/Lifestyle/Contests/

I see nothing pointing to that day.js there :|

July 19, 2008, 05:21:42 pm
Reply #10

JohnC

Thank you.