Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Nope, there's a server-side script that detects the user agent, and the webpage changes according to the browser used. For example IE6 tries directly to exploit, IE7 asks to install FreeAccess.ocx (that ocx then drops a dll under the system32 dir), Firefox is what you have written, and with Opera it only asks to download the www.google.com agent.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Nothing happened at js.gbeb.cc/advertizing. I then tried td8eau9td.com/page_new.php and again nothing. I switched on JavaScript and was bombarded as expected with several prompts for this and ActiveX. I accepted only the JS ones and got a prompt for the google.com file, which I then saved = google.com13

    Internet Explorer didn't respond after this, so I rebooted, and after confirming everything was normal I came back online.

    From mioctad.com/e.php?50000_11 I got no JS prompt, but a prompt for the e.gif file, which I then saved = google.com11

    Nothing happening at these for me:

    mioctad.com/get_st.php?50000

    mioctad.com/605316cd/50000/11/co.htm

    mioctad.com/605316cd/50000/8/java.htm

    mioctad.com/605316cd/50000/5/ccr.htm

    mioctad.com/605316cd/50000/1/xp/activex.htm

    mioctad.com/605316cd/50000/1/wxp.php

    mioctad.com/605316cd/50000/1/google.htm

    It's good to see some in-depth analysis of exploits like this, with the hxxp links included so we can test too. Thank you, TNT.
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmm. That's exactly what I meant by "it seems likely that the actual exploit code gets loaded according to the user agent detected"... meaning the server actually loads certain code when it detects a certain browser. It sure doesn't load anything when it detects wget. ;)

    All the examples I gave were with wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", so those are actually all their IE6-related pages.
     
    Last edited: Aug 14, 2006
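The user-agent cloaking TNT and EraserHW describe (one URL, a different payload per browser, nothing at all for wget) can be confirmed without reading the HTML by hand: fetch the same URL once per User-Agent and compare body hashes. The following is an added example, not code from this thread or from either poster; the MSIE 6.0 string is the one TNT passed to wget, the other User-Agent strings, the `example.invalid` URL and the `fake_fetch` responses are constructed stand-ins.

```python
"""
Probe a URL with several User-Agent strings and report whether the server
hands out different content per browser (server-side user-agent cloaking).

Added example, not code from the thread. Only `http_fetch` touches the
network; run it from an isolated analysis host, since the page is hostile.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

# The MSIE 6.0 string is the one used with wget in the thread; the others
# are assumed period-typical strings for the browsers named in post #1.
USER_AGENTS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) "
               "Gecko/20060728 Firefox/1.5.0.6",
    "opera": "Opera/9.00 (Windows NT 5.1; U; en)",
    "wget": "Wget/1.10.2",
}

# A fetcher takes (url, user_agent) and returns the raw response body.
Fetcher = Callable[[str, str], bytes]


def http_fetch(url: str, user_agent: str, timeout: float = 15.0) -> bytes:
    """Live fetcher: GET `url` with the given User-Agent and return the body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def fake_fetch(url: str, user_agent: str) -> bytes:
    """Constructed stand-in for a cloaking server, for offline demonstration.
    The bodies are invented; they are not captured content from the sites."""
    if "MSIE 6.0" in user_agent:
        return b"<html><script>/* IE6-only exploit page */</script></html>"
    if "MSIE 7.0" in user_agent:
        return b"<html><object>FreeAccess.ocx install prompt</object></html>"
    if "Wget" in user_agent:
        return b""  # nothing at all for a non-browser client
    return b"<html><a href='google.com'>download</a></html>"


def probe(url: str, fetch: Fetcher = http_fetch,
          agents: Dict[str, str] = USER_AGENTS) -> Dict[str, dict]:
    """Fetch `url` once per User-Agent; return size and SHA-1 per agent.
    A failed fetch is recorded as an error instead of aborting the probe."""
    results: Dict[str, dict] = {}
    for name, ua in agents.items():
        try:
            body = fetch(url, ua)
        except Exception as exc:  # timeout, HTTP error, connection refused
            results[name] = {"error": str(exc)}
            continue
        results[name] = {"bytes": len(body),
                         "sha1": hashlib.sha1(body).hexdigest()}
    return results


def is_cloaked(results: Dict[str, dict]) -> bool:
    """True when at least two successful fetches returned different bodies."""
    hashes = {r["sha1"] for r in results.values() if "sha1" in r}
    return len(hashes) > 1


def cloaking_groups(results: Dict[str, dict]) -> Dict[str, list]:
    """Group agent names by the body they received (key: SHA-1 or 'error')."""
    groups: Dict[str, list] = {}
    for name, r in results.items():
        groups.setdefault(r.get("sha1", "error"), []).append(name)
    return groups


if __name__ == "__main__":
    res = probe("http://example.invalid/page_new.php", fetch=fake_fetch)
    print("cloaked:", is_cloaked(res))
    for digest, names in cloaking_groups(res).items():
        print(digest[:12], names)
```

Against a live host, pass `fetch=http_fetch`; a body that differs only by a rotating link (as the thread reports the links do every few minutes) will also hash differently, so compare the groups, not just the `is_cloaked` flag, before concluding that the split is by browser.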
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    As I said in the post, the links keep changing every few minutes. Those you listed don't exist anymore. You have to look at the HTML source of td8eau9td.com/page_new.php (WATCH OUT, malware) to see what the "new" links are.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Sounds like you'll be up all night then, lol, and maybe even longer if this keeps on. Your efforts and posts are appreciated.
     
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Oops, sorry :D I hadn't understood :)

    Well, it's a strange mechanism behind these websites and, moreover, there's some strange mechanism during the rootkit infection too. You are not always infected with a rootkit when launching www.google.com; sometimes it drops only the Windows service and not the rootkit, which is pretty strange.

    Actually this is a point to research a bit more, as right now I could say it's "random" :)

    However, the current elements are enough to write an automatic disinfection routine.
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It certainly needs to be analyzed a lot; these are without any doubt among the most carefully planned infections I've seen, and the amount of "search engine spamming" (so to speak) I've seen is bewildering. Now many entries have been dropped by Google, fortunately, but for some time it was virtually impossible to do any research (with Italian words) and not stumble upon one of these. Why Italy anyway? And are these people part of the iframecash gang?
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    This is a good question which I'm not able to answer :D Yeah, lots of infections here :( Every day I receive a lot of reports, and until now I haven't had much time to analyze this threat. Luckily now I've had some nights to spend on it.
     
  9. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Hi TNT! :) As I was reading your thread, which I found very interesting, I was wondering what kind of antivirus or utility you are using to detect those threats. Since many antiviruses listed here have not been able to detect the threats, my question is: what applications are you presently using to detect them, and what do you actually do to protect yourself?
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I use KAV and BOClean in real time, and Ewido, Spybot Search & Destroy, Ad-Aware and ClamWin on demand.

    I actually turn off KAV to surf those sites. I also have most networked programs restricted with Core Force (with very strict "custom" rules), and I always run the browser sandboxed in Sandboxie (when doing that research, that is). I also have Process Guard fully on, and Deep Freeze.

    Sometimes I try these in OpenBSD Unix instead of Windows, but lately I've neglected that system a little, as I have to upgrade it and never find the time.

    As for "detecting" those threats, well, let's just say some of them are so obviously threats that it's not like I need something to tell me. When a site runs exploits, it's clearly doing so for an evil reason. To analyze their behavior, I mostly just run them in Sandboxie (or in VMware).
     
    Last edited: Aug 14, 2006
  11. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    Hey, thank you! Although I knew a few of the applications you mentioned here, I did not know much about Sandboxie. So I went to Sandboxie and did some reading....

    Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox...Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.


    Sounds interesting, especially for someone who goes through the kind of tests that you did. :cool:
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Thanks TNT for all your efforts and information. The malware "business" is becoming more and more aggressive. I'm seriously thinking of unplugging my PC for a while :D :D :D
     
  13. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    TNT, could I get a sample of this infection so I can send it to Nick at SAS? He may already have it, but I want to make sure.
     
  14. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    That's very strange, as Antivir detects google.com for me on my computer.
     

    Attached Files:

  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Did you just download it? The file keeps changing every day, although the name is the same.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes, a few days ago; this one is 14.5 KB.
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    "A few days ago" is not enough. Even yesterday it was different from today's. Check the MD5 or (better) SHA-1 checksum (by the way, as you can see in the picture above, today it is 16 KB).
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    It is different; this will go on for a while yet, I think.

    CRC-32 = B0E24435

    MD5 = 837028B1A3D0D743835085C2984DEAA6

    SHA1 = 847F33399D2D8C30C4C7B0E5B6E43DCEB38C3275
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I'm gonna write up an automated script for getting the file (although the links keep changing, it takes nothing to write it). :D
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    That should save you lots of time, and what a collection you will have at this rate, lol.
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The file changes when the link changes. I just verified it.

    EDIT: not really. Now the link changed and the file was the same.
     
    Last edited: Aug 16, 2006
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Now I have an automated download script. Ho ho ho. ;)
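Posts #18 through #23 make two points that belong in any such collector: the dropped file keeps its name ("google.com") while its content changes, so only a checksum tells versions apart, and the links on page_new.php rotate, so the collector has to re-read the landing page each round and tolerate a link that has already disappeared. TNT never posted his script; what follows is an added example, not his code, showing one way to build that loop. The `example.invalid` URLs, the `LINK_RE` pattern and the constructed HTML/file bodies in `fake_fetch` are assumptions; `http_fetch` is the only part that touches the network.

```python
"""
Poll a rotating download link and keep one copy of every distinct version
of the dropped file, named by SHA-1 so identical re-downloads are noticed
rather than stored again.

Added example, not the script from the thread. Run the live fetcher only
from an isolated analysis box: the samples are malware.
"""
import hashlib
import json
import os
import re
import time
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Pattern, Tuple

# Links on the landing page that point at the dropped file. The thread's
# sample was served under the name "google.com"; the pattern is assumed.
LINK_RE: Pattern[bytes] = re.compile(
    rb'(?:href|src)\s*=\s*["\']?([^"\'>\s]+google\.com[^"\'>\s]*)', re.I)

Fetcher = Callable[[str], bytes]


def digests(data: bytes) -> Dict[str, object]:
    """Identity of a blob: size plus MD5, SHA-1 and SHA-256 (hex)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_links(html: bytes, pattern: Pattern[bytes] = LINK_RE) -> List[str]:
    """Distinct candidate download links from the landing page, in page order."""
    found = [m.group(1).decode("latin-1") for m in pattern.finditer(html)]
    return list(dict.fromkeys(found))


class SampleStore:
    """One stored copy per content hash, plus every URL/time it was seen.
    With directory=None the blobs stay in memory (handy for tests)."""

    def __init__(self, directory: Optional[str] = None) -> None:
        self.directory = directory
        self.index: Dict[str, dict] = {}
        self.blobs: Dict[str, bytes] = {}
        if directory:
            os.makedirs(directory, exist_ok=True)

    def add(self, data: bytes, source_url: str) -> Tuple[str, bool]:
        """Record `data`; return (sha1, is_new). Same bytes are kept once."""
        d = digests(data)
        sha1 = str(d["sha1"])
        seen = {"url": source_url, "at": datetime.now(timezone.utc).isoformat()}
        if sha1 in self.index:
            self.index[sha1]["seen"].append(seen)
            return sha1, False
        self.index[sha1] = {**d, "seen": [seen]}
        if self.directory:
            # Hash as filename, neutral extension: a double-click won't run it.
            with open(os.path.join(self.directory, sha1 + ".bin"), "wb") as f:
                f.write(data)
            with open(os.path.join(self.directory, "index.json"), "w") as f:
                json.dump(self.index, f, indent=1)
        else:
            self.blobs[sha1] = data
        return sha1, True


def collect_once(page_url: str, store: SampleStore, fetch: Fetcher,
                 pattern: Pattern[bytes] = LINK_RE) -> List[Tuple[str, str, bool]]:
    """Re-read the landing page, follow each matching link, store the result."""
    results = []
    for link in extract_links(fetch(page_url), pattern):
        try:
            data = fetch(link)
        except Exception:
            continue  # link already rotated away; next round re-reads the page
        sha1, is_new = store.add(data, link)
        results.append((link, sha1, is_new))
    return results


def poll(page_url: str, store: SampleStore, fetch: Fetcher,
         rounds: int, interval_s: float = 0.0) -> int:
    """Run collect_once `rounds` times; return how many new versions appeared."""
    new_total = 0
    for i in range(rounds):
        new_total += sum(1 for _, _, n in collect_once(page_url, store, fetch) if n)
        if interval_s and i < rounds - 1:
            time.sleep(interval_s)
    return new_total


def http_fetch(url: str,
               user_agent: str = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
               ) -> bytes:
    """Live fetcher with the IE6 User-Agent from the thread, since the server
    serves nothing to wget's own User-Agent."""
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read()
```

Running `poll("http://example.invalid/page_new.php", SampleStore("samples"), http_fetch, rounds=48, interval_s=1800)` would check every half hour for a day and write `samples/<sha1>.bin` plus `index.json`; the `seen` list in the index is what shows, as TNT found in post #22, that a changed link does not always mean a changed file.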
     
  24. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    TNT,
    You know way more about this stuff than I ever hope to know. This posting is not going to add anything of real value. I just wanted to congratulate you on a job well done. The good guys need more people like you. You are a blessing to this forum and the computer security community.
     
  25. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    mioctad.com
    Code:
    <ip address/hostname>
    85.255.116.10
    mioctad.com
    Host reachable, 4018 ms. average
    
    <net block>
    85.255.112.0 - 85.255.127.255
    
    <owner>
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
    Abuse notifications to: abuse@inhoster.com
    
    <administrative contact>
    Andrei Kislizin
    OOO Inhoster,
    ul.Antonova 5, Kiev,
    03186, Ukraine
    phone: +38 044 2404332
    
    <technical contact>
    Fast Web Hosting Support
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
    UA
    phone: +35 79 91 17 759
    
    <additional data>
    inhoster
    Source: whois.ripe.net
    
     