MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

29.6.09

A tour of the latest scareware X

Again, the domains listed here are only a tiny portion of the total volume of web addresses used to propagate scareware.

Our goal is to expose a set of domains that can be used for research, for blocking, or simply to know which threats of this kind have emerged (or re-emerged) in recent days.


Virus Remover Professional
MD5: 19f19c24e0b065696bec1906bc8f0961
IP: 213.182.197.229
Latvia, Riga, Real_host_net
Domains associated:
avpro-labs .com

Result: 2/41 (4.88%)

MalwareDoc +
IP: 72.9.108.26
United States, New York, Ezzi.net
Domains associated:
mal-warexls .net
malware-safe .com
kingpinservers .info
internetware-safe .com



Antivirus Agent Pro
MD5: 24176f08a13e09495b163ac3343ebba8
IP: 83.133.126.46
Germany, Lncde-greatnet-newmedia
Domains associated:
avagent-pro .com, actupdate .net, download-123 .cn, downloads-123 .com, t230.1paket .com, www.downloads-123 .com
Result: 15/41 (36.59%)

Personal Antivirus
IP: 208.76.56.56
United States, Burlingame, Everydns Llc
Domains associated:
folderantispywarescanner .com
123vuilen .net
A1pro .hn
Bestlaostours .com

areascan4.info/download/install.php, finescan4.info/download/install .php, goalscan4.info/download/install.php, hardscan4.info/download/install .php, modescan4.info/download/install.php, onescan4.info/download/install .php, pagescan4.info/download/install.php, portscan4.info/download/install .php, scan4into.info/download/install.php (209.44.126.102) - Canada Laval Netelligent Hosting Services Inc

These URLs download "install.exe" (MD5: 6f4488dcb648054f3cf2a7a1bdbb44bf)
Result: 11/39 (28.21%)


safetywwwtools .com/hitin.php?land=98&affid=16100 (209.44.126.36) - Canada Laval Netelligent Hosting Services Inc
Result: 12/41 (29.27%)


Antivirus Best
MD5: eba5ca538be5b69f59f4de9ae8a21f5f
IP: 174.142.113.205
Canada, Montreal, Iweb Technologies Inc
Domains associated:
best-protect .info, av-protect.info
run.best-protect.info, scanner.av-protect.info
scanner.best-protect.info, download.best-protec.info

Result: 20/41 (48.78%)


Related information on this blog
A tour of the latest scareware IX
A tour of the latest scareware VIII
A tour of the latest scareware VII
A tour of the latest scareware VI
A tour of the latest scareware V
A tour of the latest scareware IV
A tour of the latest scareware III
A tour of the latest scareware II
A tour of the latest scareware

Jorge Mieres


28.6.09

ElFiesta. Zombie recruitment across multiple threats

ElFiesta is another member of the family of web applications created by Russian developers and made available to cyber-criminals, which not only monitor and manage each of the infected computers that form part of their network (zombies), but also execute attacks via the web through various techniques that involve the exploitation of vulnerabilities.

One of ElFiesta's modules specifically targets spreading/infection via PDF (Portable Document Format) files, looking for vulnerabilities in some versions of Adobe Acrobat Reader.


In this case the downloaded file, called 4573.pdf (MD5: b7b7d52a205e950adf4795c14c7f7178) with a randomly generated name, has a detection rate of almost 50%, which means a very significant infection rate at the moment.

As mentioned above, it exploits a vulnerability (CVE-2007-5659) consisting of multiple buffer overflows, triggered through a specially crafted PDF file in which a malicious JavaScript is embedded; that script downloads and executes a binary called load.exe (MD5: 5ee26f43139a2cdb3a79a835574285a0) from /load.php?id=1118&spl=3.


Another of ElFiesta's modules incorporates a script-based attack method subjected to an obfuscation technique.
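As an added example (not the blog's or ElFiesta's code), the following Python triage routine looks, in a PDF of the kind described in the two paragraphs above, for the names that attach JavaScript to a document and the hooks that run it on open, undoing the hex-escaped names and deflated streams that this sort of obfuscation relies on. The embedded PDF is constructed for the demonstration and carries only a harmless app.alert call.

```python
import re
import zlib

# Names that attach script code to a PDF, and the hooks that run it automatically.
# A document like the one described above needs one of each: JavaScript in the
# file plus an action that executes it when the reader opens it.
SCRIPT_NAMES = {"/JavaScript", "/JS"}
TRIGGER_NAMES = {"/OpenAction", "/AA"}
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>()]+")

def decode_pdf_name(token: bytes) -> str:
    """Undo #xx hex escapes in a PDF name, e.g. /J#61vaScript -> /JavaScript."""
    raw = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")

def stream_bodies(data: bytes):
    """Yield stream contents, inflating FlateDecode streams so hidden keys are visible."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        body = m.group(1)
        try:
            yield zlib.decompressobj().decompress(body)  # tolerates trailing EOL bytes
        except zlib.error:
            yield body  # not deflated: scan it as-is

def triage_pdf(data: bytes) -> dict:
    """Report the suspicious names found and whether script and auto-run hook coexist."""
    found = set()
    for blob in (data, *stream_bodies(data)):
        for tok in NAME_TOKEN.findall(blob):
            name = decode_pdf_name(tok)
            if name in SCRIPT_NAMES or name in TRIGGER_NAMES:
                found.add(name)
    auto_exec = bool(found & SCRIPT_NAMES) and bool(found & TRIGGER_NAMES)
    return {"markers": sorted(found), "auto_exec_script": auto_exec}

# Constructed sample (not a capture): the script dictionary sits deflated inside a
# simplified object stream and the name keys are hex-escaped, two cheap obfuscations.
_JS_OBJ = zlib.compress(b"4 0 obj << /S /J#61vaScript /JS (app.alert('sample')) >> endobj")
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /ObjStm /N 1 /Filter /FlateDecode /Length " + str(len(_JS_OBJ)).encode()
    + b" >>\nstream\n" + _JS_OBJ + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))  # markers found, auto_exec_script=True
    print(triage_pdf(CLEAN_PDF))
```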

Making a deeper analysis of the case, we found a newly deployed version of ElFiesta. The following screenshot shows statistical information that corresponds to our data.


These methods are common to most crimeware applications of this style, but we noticed a more interesting detail: the domain used belongs to a known scareware called XP Police Antivirus.

Consequently, the first question that comes to mind is: is XP Police Antivirus working together with ElFiesta's zombie recruitment?

Related information on this blog
Fusion. A concept adopted by current crimeware
Aggressive infection strategy of XP Police Antivirus
XP Police Antivirus propagation campaign through Visual Social Engineering

Jorge Mieres


21.6.09

Symbiosis of current malware. Koobface

Koobface is a worm designed to exploit the user profiles of popular social networks like MySpace and Facebook in order to obtain sensitive and confidential information from its victims, although the latest versions limit their target to Facebook. In fact, the word Koobface is a transposition of the word Facebook.

Its early versions date back to late 2008, and since then it has remained in the wild with a worrying infection rate. For this reason, the company itself released a series of preventive measures to minimize the potential risk of infection, which is constantly latent for users of the social network.

The usual means of dissemination used by Koobface is the web, through visual social engineering, and this is the first facet: propagation.

The second facet (infection) channels its malicious actions in a way that is very common today, based on a combination of malware, creating a symbiosis in which each component executes its instructions in pursuit of a common, comprehensive objective.

But let's see which components form part of the infection stage of the Koobface.NBO variant. This worm, currently detected by 31 of 41 antivirus companies (75.61%), establishes connections with the following URLs after infecting the system:

    http://oberaufseher.net/img/cmd.php 
    http://pornfat.net/img/cmd.php

It also downloads the following malware:

    TrojanDownloader.Small.OCS trojan
    Tinxy.AD trojan
    Tinxy.AF trojan
    BHO.NOE trojan
    Koobface.NBH worm
    PSW.LdPinch.NEL trojan
From a technical point of view, some data can be collected from a brief preliminary analysis of each of the malicious codes downloaded by Koobface:

The trojan TrojanDownloader.Small.OCS has a detection rate of 35/40 (87.5%); it creates keys in the registry and copies itself.

    HKLM\SOFTWARE\Microsoft\MSSMGR\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32
    C:\WINDOWS\system32\winccf32.dll (copy of itself)

Tinxy.AF, another trojan, also creates files on the system and has a detection rate slightly lower than the previous one: 30/40 (75.00%).

    C:\windows\ld09.exe
    C:\docume~1\user\locals~1\temp\podmena.bat

The trojan Tinxy.AD has a detection rate of 35/40, that is, it was detected by approximately 87.50% of the antivirus engines. It creates a copy of itself and uses the NetShell tool (netsh) to enable SYSDLL as an allowed program, open ports, and specify a proxy.

    C:\WINDOWS\system32\SYSDLL.exe (copy of itself)
    netsh add allowedprogram "SYSDLL" C:\WINDOWS\System32\SYSDLL.exe ENABLE
    netsh firewall add portopening TCP 80 SYSDLL ENABLE
    netsh firewall add portopening TCP 7171 SYSDLL ENABLE
    netsh winhttp set proxy proxy-server="http=localhost:7171"

It also adds the proxy information to the registry: "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f

BHO.NOE is another of the trojans that are part of the Koobface infection process; with a detection rate of 92.11% (35/38), it creates a folder and a file.

    C:\WINDOWS\system32\796525
    C:\WINDOWS\system32\796525\796525.dll

As for the PSW.LdPinch.NEL trojan, detected by 34 of 40 antivirus engines (85.00%), it is designed to steal passwords from different web browsers, mail clients, IM clients and other services.

Finally, it downloads another variant of the family, the worm Koobface.NBH; in this case the detection rate was 27/40 (approx. 67.50%).

As we can see, the infection caused by this malware is not limited to the malicious instructions it carries; it goes further and downloads other malware. This is common behaviour today, where web applications for botnet control and the administration of different types of malware join forces with a common goal: improving the economics of crime.
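The artifacts listed above (the Winlogon Notify DLL, the MSSMGR key, the loopback proxy and the firewall exceptions) lend themselves to a host check. The following Python is an added example, not the blog's tooling: it parses a .reg export and reports those indicators. The .reg excerpt is constructed for the demonstration, and the FirewallPolicy key as the place where XP SP2 records netsh exceptions is an assumption of this example.

```python
import re

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
# Tinxy.AD pointed WinINet at a listener on the victim's own machine (port 7171).
LOOPBACK_PROXY = re.compile(r"^(?:http=)?(?:localhost|127\.0\.0\.1):(\d+)$", re.I)

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}; string data is unquoted."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REG_KEY.match(line):
            current = m.group("key")
            keys.setdefault(current, {})
        elif (m := REG_VALUE.match(line)) and current is not None:
            data = m.group("data")
            keys[current][m.group("name")] = data.strip('"') if data.startswith('"') else data
    return keys

def koobface_findings(keys):
    """Apply the host indicators from the analysis above to a parsed export."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if "\\winlogon\\notify\\" in low:  # Notify packages load a DLL into winlogon.exe
            findings.append(("winlogon_notify_dll", path, values.get("DLLName", "?")))
        if low.endswith("\\software\\microsoft\\mssmgr"):
            findings.append(("mssmgr_key", path, ""))
        if low.endswith("\\internet settings"):
            if m := LOOPBACK_PROXY.match(values.get("ProxyServer", "")):
                findings.append(("loopback_proxy", path, "port " + m.group(1)))
        if "\\firewallpolicy\\" in low and low.endswith("\\list"):
            for name, data in values.items():
                if ":enabled:" in data.lower():  # an exception like those the netsh commands create
                    findings.append(("firewall_exception", path, name))
    return findings

# Constructed .reg excerpt (not a real capture) reproducing the artifacts described above.
# The FirewallPolicy location as the store for netsh firewall exceptions is assumed here.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32]
"DLLName"="winccf32.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=localhost:7171"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"7171:TCP"="7171:TCP:*:Enabled:SYSDLL"
"""
```

Running koobface_findings(parse_reg_export(SAMPLE_REG)) yields one finding per artifact, in the order the keys appear in the export.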

Jorge Mieres
