Author Topic: Braviax Family  (Read 37287 times)


August 04, 2009, 11:58:05 am

sparsha

  • Special Members
  • Hero Member

  • 305
Creating a new topic to track the sites used to push rogue security applications through the Braviax trojan infection!
Also to keep things organised and for easy look-back!

PC Security 2009
Code:

pcsecurity09.com
pc-security09.com
pcsecurity-09.com
pcsecurity09.com
pcsecurity-2009.com

http://pcsecuslnk.com/1/files/PC_Security2009/Binaries1.cab
http://pcsecuslnk.com/1/files/BinariesAVE.cab
http://pcsecuslnk.com/1/files/BinariesAdd.cab
http://pcsecuslnk.com/1/files/BinariesGUI.cab
http://pcsecuslnk.com/1/files/BinariesSC.cab
http://pcsecuslnk.com/1/files/BinariesUpd.cab


Home Antivirus 2010
Code:
homeantivirus2010.com
home-antivirus2010.com
homeanti-virus2010.com
home-anti-virus2010.com
homeantivirus-2010.com
home-antivirus-2010.com
homeanti-virus-2010.com
home-anti-virus-2010.com
homeav2010.com
home-av2010.com
homeav-2010.com
home-av-2010.com


http://pulaseskanovios.com/files/ha21/Binaries1.cab
http://pulaseskanovios.com/files/BinariesAVE.cab
http://pulaseskanovios.com/files/BinariesAdd.cab
http://pulaseskanovios.com/files/ha21/BinariesGUI.cab
http://pulaseskanovios.com/files/BinariesSC.cab
http://pulaseskanovios.com/files/BinariesUpd.cab

PC Antispyware 2010
Code:
pc-anti-spyware-20-10.com
pcantispyware2010.com

uliondarvasoka.com/3/installer/Installer2.exe
http://bugermanosatora.com/files/pca21/Binaries1.cab
http://bugermanosatora.com/files/BinariesAVE.cab
http://bugermanosatora.com/files/BinariesAdd.cab
http://bugermanosatora.com/files/pca21/BinariesGUI.cab
http://bugermanosatora.com/files/BinariesSC.cab
http://bugermanosatora.com/files/BinariesUpd.cab

Other URL Strings found in Braviax exe file

Code:
http://bureltanovaderta.com/?wmid=1019&d=2&it=2&s=6
http://bureltanovaderta.com/2/installer/Installer.exe?u=1019&s=3871fb825b846b927c2ca88f9167a3de&t=2

http://apeskolinoskager.com/?wmid=1019&d=2&it=2&s=6
http://apeskolinoskager.com/2/installer/Installer.exe?u=1019&s=3871fb825b846b927c2ca88f9167a3de&t=2

http://komalinovskatas.com/?wmid=1019&d=2&it=2&s=6
http://komalinovskatas.com/2/installer/Installer.exe?u=1019&s=3871fb825b846b927c2ca88f9167a3de&t=2

http://nulermagolasenda.com/?wmid=1019&d=2&it=2&s=6
http://nulermagolasenda.com/2/installer/Installer.exe?u=1019&s=3871fb825b846b927c2ca88f9167a3de&t=2

August 07, 2009, 07:39:53 am
Reply #1

sparsha

  • Special Members
  • Hero Member

  • 305
The next round of sites for the PC Antispyware 2010 campaign

Code:
Pc-antispyware-2010.com
Pcanti-spyware-2010.com
Pc-anti-spyware-2010.com
Pcantispyware20-10.com
Pc-antispyware20-10.com
Pcantispyware-20-10.com
pcantispyware-2010.com
Pc-antispyware-20-10.com
Pc-anti-spyware2010.com
Pc-anti-spyware20-10.com
Pc-antispy2010.com
P-c-anti-spyware-2010.com

Installers
Code:
qwedasertafoas.com
turbonavigators.com
smailionovkajio.com
vertuganoskilotas.com
opaserduchiosa.com


All these domains push an installer if you use the following suffix: /?wmid=1019&d=3&it=2&s=6

which leads to the site name followed by the following string:

/3/installer/Installer.exe?u=1019&s=3871fb825b846b927c2ca88f9167a3de&t=2

and then the rest of the rogue is downloaded from the same site:

http://qwedasertafoas.com/files/pca21/(1).(t)
http://qwedasertafoas.com/files/(AVE).(t)
http://qwedasertafoas.com/files/(Add).(t)
http://qwedasertafoas.com/files/pca21/(GUI).(t)
http://qwedasertafoas.com/files/(SC).(t)
http://qwedasertafoas.com/files/(Upd).(t)
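The download chain described above (landing page with wmid/d/it/s parameters, then /N/installer/Installer.exe, then the Binaries*.cab components from the same host) is a better thing to alert on than the domains themselves, since the thread shows a fresh batch of domains every few days. The script below is an added example, not code from this thread or from any of the posters: it classifies URLs by that path and query structure, runs the classifier over a proxy log, and reports clients that walked the full chain. The log format and the log lines are constructed for the example; the URL patterns come from the strings posted in this thread.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Stage signatures derived from the URL strings posted in this thread:
#   landing   -> "/?wmid=1019&d=3&it=2&s=6"                 (root path, wmid/d/it/s params)
#   installer -> "/3/installer/Installer.exe?u=...&s=...&t=2" (Installer2.exe also seen)
#   component -> "/files/pca21/Binaries1.cab", "/files/BinariesAVE.cab", ... (the .cab set)
LANDING_KEYS = {"wmid", "d", "it", "s"}
INSTALLER_PATH = re.compile(r"^/\d+/installer/Installer\d?\.exe$", re.IGNORECASE)
COMPONENT_PATH = re.compile(
    r"^(?:/\d+)?/files/(?:[A-Za-z0-9_]+/)?Binaries(?:1|AVE|Add|GUI|SC|Upd)\.cab$",
    re.IGNORECASE,
)

# Assumed log format (constructed for this example):
#   "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_url(url):
    """Return the Braviax download-chain stage a URL matches, or None.

    Matching is on path/query structure only, so domains rotated into the
    campaign after this list was posted still hit.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path or "/"
    query = parse_qs(parts.query)
    if path == "/" and LANDING_KEYS <= set(query):
        return "landing"
    if INSTALLER_PATH.match(path):
        return "installer"
    if COMPONENT_PATH.match(path):
        return "component"
    return None


def scan_log(lines):
    """Map each client to the stages it requested and the hosts involved.

    Returns {client: {stage: [host, ...]}}; clients with no hits are omitted.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        stage = classify_url(m["url"])
        if stage is None:
            continue
        host = urlsplit(m["url"]).hostname or "?"
        hits[m["client"]][stage].append(host)
    return {client: dict(stages) for client, stages in hits.items()}


def chained_clients(hits):
    """Clients that walked the full landing -> installer -> component chain.

    A lone .cab or landing hit can be noise; all three stages from one client
    is the signal worth acting on.
    """
    full = {"landing", "installer", "component"}
    return sorted(client for client, stages in hits.items() if full <= set(stages))


# Constructed sample log: one infected client (10.0.0.5), one benign client
# (10.0.0.9) whose URLs share a parameter name and a directory name with the
# campaign, and one client (10.0.0.12) with a single partial hit.
SAMPLE_LOG = """\
2009-08-07T07:40:01 10.0.0.5 GET http://qwedasertafoas.com/?wmid=1019&d=3&it=2&s=6 200
2009-08-07T07:40:02 10.0.0.5 GET http://qwedasertafoas.com/3/installer/Installer.exe?u=1019&s=3871fb825b846b927c2ca88f9167a3de&t=2 200
2009-08-07T07:40:09 10.0.0.5 GET http://qwedasertafoas.com/files/pca21/Binaries1.cab 200
2009-08-07T07:40:10 10.0.0.5 GET http://qwedasertafoas.com/files/BinariesGUI.cab 200
2009-08-07T07:41:00 10.0.0.9 GET http://www.example.com/?s=6&d=3 200
2009-08-07T07:41:05 10.0.0.9 GET http://www.example.com/files/setup.exe 200
2009-08-07T07:42:00 10.0.0.12 GET http://www.example.net/files/BinariesUpd.cab 404
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, stages in found.items():
        print(client, {stage: sorted(set(hosts)) for stage, hosts in stages.items()})
    print("full chain:", chained_clients(found))
```

Run it as-is to see the constructed sample classified; for real use, feed `scan_log` the lines of your proxy log after adjusting `LOG_LINE` to its field order. The classifier accepts schemeless URLs too, since several of the strings in this thread are posted without http://.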

August 07, 2009, 08:04:07 am
Reply #2

SysAdMini

  • Administrator
  • Hero Member

  • 3335
Rogue installer
Code:
qwedasertafoas.com/1054033
uiterbunagoretas.com/1054033
wervaferganiota.com/1054033
nusatorkaleprovis.com/1054033
ulibertagolionas.com/1054033
buteralksaweda.com/1054033
Ruining the bad guy's day

August 07, 2009, 09:15:37 am
Reply #3

CM_MWR

  • Special Members
  • Hero Member

  • 319
Code:
http://buteralksaweda.com/1054033
http://opaserduchiosa.com/10250350
http://opaserduchiosa.com/1054037
http://qwedasertafoas.com/1054033
http://smailionovkajio.com/10250350
http://smailionovkajio.com/1054037
http://turbonavigators.com/10250350
http://turbonavigators.com/1054037
http://uiterbunagoretas.com/1054033
http://ulibertagolionas.com/1054033
http://vertuganoskilotas.com/10250350
http://vertuganoskilotas.com/1054037
http://wervaferganiota.com/1054033

August 07, 2009, 01:40:43 pm
Reply #4

Jaxryley

  • Full Member

  • 54
Code:
http://zenitchampion.cn/nic/uzp.php
http://fruostate.com/pic/uzp.php
http://delzzerro.cn/pic/uzp.php
http://nafrogt.com/nic/uzp.php
http://updatedate.cn/img/uzt.php
Code:
http://rapidshare.de/files/48055970/installb.rar.html

August 07, 2009, 02:17:13 pm
Reply #5

SysAdMini

  • Administrator
  • Hero Member

  • 3335
Code:
http://zenitchampion.cn/nic/uzp.php
http://fruostate.com/pic/uzp.php
http://delzzerro.cn/pic/uzp.php
http://nafrogt.com/nic/uzp.php
http://updatedate.cn/img/uzt.php

Interesting.
We have seen 3 of those urls some days ago and had already listed them. But I didn't know that it's Braviax.

Some more info about it can be found here:
http://xanalysis.blogspot.com/2009/07/9121219837-badness.html
Ruining the bad guy's day

August 07, 2009, 03:01:38 pm
Reply #6

Jaxryley

  • Full Member

  • 54
Had previously run those installb's in a sandbox where they wouldn't fully deploy, so ran them in a VM a bit earlier, with Home AV 2010 coming up after an install-instigated reboot.

They seem to drop quite a few other malware .exes as well, including Koobface variants.

http://i28.tinypic.com/2zste9g.jpg

Below are the droppers that I could grab from within a sandbox.
Code:
http://rapidshare.de/files/48056535/Installb_and_Droppers.rar.html

August 11, 2009, 08:46:11 am
Reply #7

Torteth

  • Newbie

  • 1
I personally got hit with this last night from a link on the top 10 of digg.com

Can't remember which link I clicked or if it was a hacked advertiser or what, but it was a classic PDF exploit. (Yeah, I had Acrobat 7.0.7 installed on my shitty personal PC and no AV since I use it about once a month and don't care...)

Resulted in several files, including braviax. I have the executables if anyone would like them.

Anyway, the URL is:
Code:
http://roncastler.com/va4ds/234_654/p13.php
Wepawet Result: Malicious: http://wepawet.iseclab.org/view.php?hash=56dc8f38408d7c5bf692105040d046b6&t=1249980747&type=js

August 13, 2009, 09:35:20 am
Reply #8

Jaxryley

  • Full Member

  • 54
Code:
http://www.pcantispyware2010.com/
http://www.pcantispyware2010.com/download.html?startdownload
http://www.pcantispyware2010.com/buy.html
http://secure.pay-cc-24.com/payment/?sku_name=PCANSP_EN,PCANSP_EN_00,PCANSP_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&affid=-2421264686,1017,0,&nid=431ae3a42aa877d0d3ac816da0e4b772

August 13, 2009, 12:39:22 pm
Reply #9

Jaxryley

  • Full Member

  • 54
Code:
http://vulesdaboknoerba.com/1054037
http://berhutervalonio.com/1054037
http://vuleskanorionas.com/1054037
http://veranadujdaer.com/1054037
http://guletrmonahertuli.com/1054037
http://numbergatoriosso.com/1054037
Code:
http://rapidshare.de/files/48105918/Install.rar.html

August 14, 2009, 06:33:51 am
Reply #10

Jaxryley

  • Full Member

  • 54
Code:
http://ahulafertagov.com/1054037
http://ganionasetugav.com/1054037
http://polkajiuolioer.com/1054037
http://gorbaritosaona.com/1054037
http://alinadertabug.com/1054037
http://retorganionader.com/1054037

August 14, 2009, 12:18:34 pm
Reply #11

Jaxryley

  • Full Member

  • 54
No download at the moment?
Code:
http://www.comunivate.com/
http://www.comunivate.com/download.html
http://www.comunivate.com/download.html?startdownload
https://secure.365daysbilling.com/

August 15, 2009, 06:04:38 am
Reply #12

Jaxryley

  • Full Member

  • 54
Code:
http://obituraneskov.com/10250372
http://lolkabernadofa.com/10250372
http://polikolsantrevasd.com/10250372
http://aminoserbuhavata.com/10250372
http://alimonionasertosado.com/10250372
http://vertigonasotra.com/10250372
http://olafeskanotiro.com/10250372
http://bumganoskatios.com/10250372
VirusTotal result: 23/41 (56.1%)
http://www.virustotal.com/analisis/f133a9f3a7997d2acbc3caeb4d1fd208f2950d9562886bea1c5a6e894bb2d9e3-1250316696
Code:
http://rapidshare.de/files/48120959/Install.rar.html

August 19, 2009, 08:43:26 am
Reply #13

SysAdMini

  • Administrator
  • Hero Member

  • 3335
Sophos has two articles about the Braviax installer. It replaces beep.sys.
The replacement version of beep.sys terminates AV processes.

More Than Just A Beep On The Radar Screen
http://www.sophos.com/blogs/sophoslabs/?p=6129

BEEP! Now you see it, Now you don't!
http://www.sophos.com/blogs/sophoslabs/v/post/5689
Ruining the bad guy's day

August 20, 2009, 05:40:15 am
Reply #14

Jaxryley

  • Full Member

  • 54
Code:
http://retrobaziliona.com/s1NP0Z2j5Bv0chy3o1p1h7a
http://oretoderfat.com//o1QII0FB2Uf5Bez0zg3hjf1iFE1C7MIm
http://gulapercatovka.com/go1GPC0Nw2CZb5E0mrF3gE1vqk1ITo7TwE
http://orioneskoda.com//1ue0qrd2rHv5Je0TAS3cu1D1uM7/
http://upinosatoretr.com/Pi1Fdw0Cm2-a5D0CLI3q1eC1b7dn
http://afedewascet.com/IZ1Td0D2g5k0kD3sh1On1eyY7YHo