Author Topic: Large Http Botnet: Update4, Update5(public)  (Read 2884 times)

0 Members and 1 Guest are viewing this topic.

July 17, 2010, 07:31:41 am
Read 2884 times

LiveVirusReports

  • Newbie

  • Offline
  • *

  • 4
Update4

Preface: Attached Zip includes screenshots of the malicious network activity, a PCAP log of the activity and all of the related binary files. A text file with noted Post/Gets is also included if you are unfamiliar with viewing PCAP Logs.

In case attachment is not delivered it is located here
http://www.sendspace.com/file/prygdf
The password to this link as well as the attached zip file is "infected"

The main file is live at http://173.231.144.66/net/debug.zip  (This is a downloader which has been seen in multiple exploit-kit frameworks (BEPs) iframed into high-profile sites). Estimates are that over 160K downloads of the exe have been successful, the address above seems to be consistently updated with new binaries when the previous is detected.

Webservers used in the download chain include:   216.240.146.119,   209.159.146.234,   64.191.12.38

Currently ONLY a few antivirus generically detect the packed files. Packed means that they are encrypted using a software protection process which can be generically detected if the time is taken to do so.


The Malware is currently downloading 3 files tgb.exe, tgc.exe, Txehea.exe

The tgx.exe files are downloaded to: %userpath%\local settings\temp\
Txehea.exe is downloaded to %windir%\

Please update databases accordingly and for the love of god add some detection for the packer these bastards are using. Stop using simple definitions and get some generic ones going otherwise these guys will just repack the file and do-away with any detections that were added.      As noted above the installation count for these files is growing rapidly generic detection must be added quickly or the virus will spread like a plague.

A Ethereal PCAP dump of the malicious network activity is included, from the PCAP logs this network activity has been noted below
======================================================================================================

homovisualarts.com (216.240.146.119)

216.240.146.119   HTTP   POST /n75jnkj46n45kj6n456.php?ini=v22MmDy2Qdb7WjNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7J8TegiBMF4cAHjzbYmRtufQpaX/Nfttue7okA== HTTP/1.1  (application/x-www-form-urlencoded)

theelectricarts.com (dead)
myartsportal.com (dead)
classyartsworld.com (dead)

neweraarts.com (209.159.146.234)

209.159.146.234   HTTP   POST /werber/a4b89612465/217.gif HTTP/1.1  (application/x-www-form-urlencoded)

kingfinearts.com (dead)
myeasyarts.com (64.191.12.38)

64.191.12.38   HTTP   POST /perce/a2e894787c49c0a584b07e5bc49b889d0e721a4c16b7de988648e1d266044f02fce48b792c4e1ca00/8408d612867/qwerce.gif HTTP/1.1  (application/x-www-form-urlencoded)

======================================================================================================

Update5
Due to a break in security of one of the servers active in the Botnet I have been able to obtain all the binaries hosted on the server. Many are undetected, some are not detected. Please take your time and analyze the encryption/packer method used on these files to develop generic detections so the bastards don't just repack a file in the future to clear antivirus detections as they have been doing.

Attached file is also posted here:
http://www.sendspace.com/file/lkee5e
The password to the attachment and the hosted file is "infected"