Friday, September 25, 2009

New Malware (ddos-bot.exe, etc.) and Malicious Domains

Last night I found a report for the following malicious file:

hxxp://gorodsnov .cn/file13.exe

Since the file was suspicious but wasn't detected by any major antivirus engine (except as a "suspicious file"), I decided to investigate further.

ThreatExpert's analysis shows that the executable downloads two files (as discussed below) and phones home to mylfix4 .cn.
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.H!87").
Lists of other malware files and exploits hosted on the same domain.

This malware is clearly a Trojan downloader, but most antivirus products didn't detect it at all. I submitted the file to multiple companies. Here's the current assessment as of the time of this post (main source VirusTotal):
File size: 29184 bytes
MD5...: f7a0f8d044c333ad3b7d65a6485af931
SHA1..: a381aed69ed753618e0b3930c78243701af44d7d
SHA256: 193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098

13/41 detection rate as of 2009.09.25 20:04:02 (UTC)

Variously identified as: Artemis!F7A0F8D044C3, Downloader, Heuristic.LooksLike.Win32.Suspicious.H!87, TR/Sasfis.nyk, Troj/DwnLdr-HXD, Trojan.MulDrop.35369, Trojan.Win32.Sasfis.nyk, W32/Small.KFU!tr, Win32.SuspectCrc, Win32/Oficla.AG, Generic.TRA!f7a0f8d044c3, Generic.dx!fij, etc.
The malicious software described above automatically fetched the following files:

hxxp://pobedaim .cn/svchost.exe

Initial VirusTotal assessment (2/41 - "Trojan.DownLoad.42082").
ThreatExpert's analysis shows that the file creates a startup registry entry for itself.
The Anubis assessment shows that this file phones home to proxy5my .cn.

Again, due to almost no detection from antivirus solutions, I submitted the file to multiple vendors. Here's the current virus assessment as of the time of this post:
File size: 38400 bytes
MD5...: 6bb2a57c3bb3308b3a1519c987caddf4
SHA1..: 7b0c73e4d9b5fd58c89fc117a5f8ab576145898d
SHA256: c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29

15/41 detection rate as of 2009.09.25 20:04:08 (UTC)

Variously identified as: Artemis!6BB2A57C3BB3, High Risk Cloaked Malware, TR/Agent.cxge, Troj/Agent-LGK, Trojan Horse, Trojan.Agent.cxge, Trojan.Agent.OPPW, Trojan.DownLoad.42082, Trojan.Win32.Agent, Trojan.Win32.Agent.cxge, W32/Agent.CXGE!tr, Win32/Delf.OOR, Generic.TRA!6bb2a57c3bb3, Generic.dx!fio, etc.
The second file downloaded by file13.exe is this very suspiciously-named executable:

hxxp://pobedaim .cn/ddos-bot.exe

ThreatExpert's analysis shows that it creates a file nups.sys in C:\WINDOWS\system32\drivers\ and registers it as a service called "Nups".
The Anubis assessment shows that it creates a file named asyncmac.sys in C:\WINDOWS\system32\drivers\ and phones home to suxumzulum .cn.
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.B!87").

Once again, due to only "suspicious" detection, I submitted the file to multiple antivirus companies. Here's the current assessment as of the time of this post:
File size: 93696 bytes
MD5...: 4af3dc7f09f3dc39068ba4c176531937
SHA1..: 679a49279a7c26971ba6183bac78325fa720bfc2
SHA256: 11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f

13/41 detection rate as of 2009.09.25 20:04:19 (UTC)

Variously identified as: Artemis!4AF3DC7F09F3, Heuristic.LooksLike.Win32.Suspicious.B!87, TR/TDss.asbz, Troj/Agent-LGJ, Trojan.Dropper, Trojan.MulDrop.35371, Trojan.Win32.Tdss.asbz, W32/Agent.ASBZ!tr, Win32.SuspectCrc, Win32/SpamTool.Agent.NBW, Generic.TRA!4af3dc7f09f3, Generic.dx!fke, etc.
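A defender's check for the infection chain described above (the three executables' SHA256 hashes, the dropped drivers nups.sys and asyncmac.sys, the "Nups" service and the three phone-home domains), as an added example that is not part of the original post; the Sysmon-style key=value event format, the hostnames and the event lines are constructed:

```python
import ntpath
import re
from collections import defaultdict
# Indicators copied from the post above: SHA256 of the three executables,
# the dropped driver names, the service name and the phone-home domains.
SHA256_TO_NAME = {
    "193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098": "file13.exe",
    "c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29": "svchost.exe",
    "11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f": "ddos-bot.exe",
}
C2_DOMAINS = {"mylfix4.cn", "proxy5my.cn", "suxumzulum.cn"}
DRIVER_DIR = r"c:\windows\system32\drivers"
# asyncmac.sys is also a legitimate Windows driver name: only a write to it counts.
DROPPED_DRIVERS = {"nups.sys", "asyncmac.sys"}
SERVICE_NAME = "nups"

# Constructed Sysmon-style key=value event lines, not real telemetry.
SAMPLE_EVENTS = """\
ProcessCreate host=ws01 image=C:\\Temp\\file13.exe sha256=193589553F8F0D8D5C0D1712D72E4143C7FBD002BAC06BC9C95B4E96EB47D098
DnsQuery host=ws01 query=mylfix4.cn
FileCreate host=ws01 path=C:\\WINDOWS\\system32\\drivers\\nups.sys
ServiceInstall host=ws01 name=Nups path=C:\\WINDOWS\\system32\\drivers\\nups.sys
DnsQuery host=ws01 query=www.example.com
FileCreate host=ws02 path=C:\\WINDOWS\\system32\\drivers\\asyncmac.sys
"""

def scan_events(text):
    """Return {host: sorted [(indicator_type, detail)]} for events matching the chain."""
    hits = defaultdict(set)
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        f = dict(re.findall(r"(\w+)=(\S+)", rest))
        host = f.get("host", "?")
        if kind == "ProcessCreate" and f.get("sha256", "").lower() in SHA256_TO_NAME:
            hits[host].add(("hash", SHA256_TO_NAME[f["sha256"].lower()]))
        elif kind == "DnsQuery" and f.get("query", "").lower() in C2_DOMAINS:
            hits[host].add(("c2", f["query"].lower()))
        elif kind == "FileCreate":
            p = f.get("path", "").lower()
            if ntpath.dirname(p) == DRIVER_DIR and ntpath.basename(p) in DROPPED_DRIVERS:
                hits[host].add(("driver", ntpath.basename(p)))
        elif kind == "ServiceInstall" and f.get("name", "").lower() == SERVICE_NAME:
            hits[host].add(("service", SERVICE_NAME))
    return {h: sorted(s) for h, s in hits.items()}

def verdict(host_hits):
    """Two or more independent indicator types on one host confirm the chain."""
    kinds = {k for k, _ in host_hits}
    return "confirmed" if len(kinds) >= 2 else ("suspicious" if kinds else "clean")
```

Hash matching only catches these exact samples; the driver path, service name and domain checks are what survive a repacked binary.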
Reports for these two malware hosts, and three domains to which the malware phones home:

Other domains that have previously hosted variants of this malware, and were hosted on the same IP:

esenins .cn (search the page for ddos-bot.exe or svchost.exe) - Anubis analysis of ddos-bot.exe from eseins .cn - ThreatExpert analysis of ddos-bot.exe from eseins .cn - SUPERAntiSpyware's listing for "Trojan.Agent/Gen" with the same file name and MD5 hash, bbb64be95cc017dd30fa36a848fdcc6c - Anubis analysis of svchost.exe from eseins .cn

7oydomen .cn - Anubis analysis of ddos-bot.exe from 7oydomen .cn (search the page for ddos-bot.exe)

Reports for other domains on the same IP address (210.51.166 .247): (reported by Wepawet; it's unknown whether this domain has hosted malware)

Searches for ddos-bot.exe on MalwareURL and Malware Domain List:

Reports for other possibly related files:

Here are some other new malware domains I came across last night, unrelated to the malware described above. Most of these domains are related to Zbot malware and/or an Autostart worm, and several were registered within the past 48 hours: (including subdomain

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.
