Wednesday, April 15, 2009

Malware and Malicious Site Reports: googleadserver, interinetskim

Yesterday I researched two malware distribution sites, googleadserver dot com and interinetskim dot com.

For more detailed reports for googleadserver dot com and its malicious payload, see:
File details courtesy of VirusTotal:
File name: smss.exe
File size: 73728 bytes
MD5: 4e3c8d06c0cd632926ccc7dd8a5d058c
SHA1: 1626c4854ab4b5b47790ac350581c7c5a9fbe7ab
SHA256: 971d2d18a99ec2cdf1f98e0d9a241485666499ac7d8e828fd1a09a4cda324ad4
SHA512: 73d18f25d362af308018f610a4063aad2417c066b3d452ea89ef6a2506820c3e3553f48bac31ad43938669a6b633fe343576912dab55c496c53d6577f61349bd
ssdeep: 1536:pPueEUR9TwT8DlhQTrhkvFUtvTAlayBOBlhYDrCkownAk:pmBUR9TwTmhQhkatDirCkownA
Variously identified as: Win-Trojan/Vaultac.73728, TR/PSW.Wow.fxc, PSW.OnlineGames.BRKZ, Trojan-GameThief.Win32.WOW.fyk, Trojan-Dropper.Win32.Vaultac, Trojan-PWS/W32.WebGame.73728.BD, Trj/Lineage.BZE, Mal/GameDll-A, etc.
Google Safe Browsing (built into Firefox 3 and Safari 3.2) blocks googleadserver dot com, and most major antivirus products (except Antiy, Authentium, ClamAV, eTrust, F-Prot, PCTools, and TheHacker) detect its payload as malware. I submitted a sample to several vendors and haven't heard back from any of them yet.

The second site I researched yesterday was interinetskim dot com. For more detailed reports for this domain and its malicious payload, see:
File details courtesy of VirusTotal:
File name: install.exe
File size: 101410 bytes
MD5: fa2cc0ae61020365bfcb6af3b28730c9
SHA1: deb23a2f5b65b53aedbf69907d84f2788df1e34d
SHA256: 45966f9367ef2bcdf68d3b5014693e851eb2c55b23e4e2ab045d48ecb6b1767a
SHA512: f986bfc325f951e452ad1af1ac66e3162eac0e73c423591b349a46c16ddd9d5a3aa56dee52ff23f7d705126a558c6a67972755b10c362db19766ed1d7984973e
ssdeep: 3072:UZiIWBSRGGxZYHLz+UJLLIXXsUJLLIXX/:UYM6H/VJiXJiP

Variously identified as: ADSPY/AdSpy.Gen, Win32:FakeAlert-BD, Program:Win32/Winwebsec, a variant of Win32/Kryptik.MR, Mal/FakeAV-AK, etc.
As of yesterday, only 12 major antivirus products (Avira AntiVir, Authentium, Avast!, AVG, F-Prot, GData, McAfee-GW-Edition [which is not the same as the current commercial versions of McAfee VirusScan], Microsoft, NOD32, Prevx1, Sophos, and Sunbelt) detected the payload as malware.

I submitted a sample to several vendors and so far I have only heard back from two of them. McAfee merely sent an autoreply saying that their scan was inconclusive and that my submission would be forwarded to an Avert Labs Researcher for further analysis (which is typical), and I haven't gotten a follow-up from them since then. A Virus Analyst from Kaspersky got back to me within a couple hours and said that it would be included in the next update as "Trojan-Downloader.Win32.FraudLoad.edu".
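As an added example (my own code, not part of the original post), here is a small Python script that turns VirusTotal-style "File details" blocks like the two above into structured records and checks a file's digests against them. It handles the way such reports come out when pasted into a blog: dot-padded labels ("MD5...:") and SHA512 or ssdeep values wrapped onto a second line. The function names are my own, and the report text embedded below is constructed from the hashes in this post.

```python
import hashlib
import re

# Constructed input: the two VirusTotal "File details" blocks from this post, in the
# pasted form with dot-padded labels and SHA512/ssdeep values wrapped onto a second line.
REPORT_TEXT = """\
File name: smss.exe
File size: 73728 bytes
MD5...: 4e3c8d06c0cd632926ccc7dd8a5d058c
SHA1..: 1626c4854ab4b5b47790ac350581c7c5a9fbe7ab
SHA256: 971d2d18a99ec2cdf1f98e0d9a241485666499ac7d8e828fd1a09a4cda324ad4
SHA512: 73d18f25d362af308018f610a4063aad2417c066b3d452ea89ef6a2506820c3e
3553f48bac31ad43938669a6b633fe343576912dab55c496c53d6577f61349bd
ssdeep: 1536:pPueEUR9TwT8DlhQTrhkvFUtvTAlayBOBlhYDrCkownAk:pmBUR9TwTmhQh
katDirCkownA

File name: install.exe
File size: 101410 bytes
MD5...: fa2cc0ae61020365bfcb6af3b28730c9
SHA1..: deb23a2f5b65b53aedbf69907d84f2788df1e34d
SHA256: 45966f9367ef2bcdf68d3b5014693e851eb2c55b23e4e2ab045d48ecb6b1767a
SHA512: f986bfc325f951e452ad1af1ac66e3162eac0e73c423591b349a46c16ddd9d5a
3aa56dee52ff23f7d705126a558c6a67972755b10c362db19766ed1d7984973e
ssdeep: 3072:UZiIWBSRGGxZYHLz+UJLLIXXsUJLLIXX/:UYM6H/VJiXJiP
"""
HASH_ALGS = ("MD5", "SHA1", "SHA256", "SHA512")  # lower-cased, these are hashlib.new() names
# A field label, optionally dot-padded the way VirusTotal prints it ("MD5...:", "SHA1..:").
FIELD_RE = re.compile(r"^(File name|File size|MD5|SHA1|SHA256|SHA512|ssdeep)\.*:\s*(.*)$")

def parse_report(text):
    """One dict per file; an unlabelled line continues the previous hash value."""
    records, current, last_key = [], None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = FIELD_RE.match(line)
        if m and m.group(1) == "File name":          # start of a new file entry
            current, last_key = {"File name": m.group(2)}, None
            records.append(current)
        elif m and current is not None:              # ordinary "label: value" line
            current[m.group(1)], last_key = m.group(2), m.group(1)
        elif current is not None and last_key in HASH_ALGS + ("ssdeep",):
            current[last_key] += line                # wrapped hash: glue the fragment back on
    return records

def digests(data):
    """Hex digests of data under the four algorithms the report lists."""
    return {alg: hashlib.new(alg.lower(), data).hexdigest() for alg in HASH_ALGS}

def match_indicators(data, records):
    """(file name, algorithm) for every report entry whose hash equals data's digest."""
    d = digests(data)
    return [(r["File name"], a) for r in records for a in HASH_ALGS if r.get(a, "").lower() == d[a]]
```

Feed `match_indicators` the bytes of a suspect file (for example a dropped smss.exe or install.exe) and it reports which entry and which algorithm matched; an empty list means none of the listed hashes matched.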

Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)