Friday, September 25, 2009

New Malware (ddos-bot.exe, etc.) and Malicious Domains

Last night I found a report for the following malicious file:

hxxp://gorodsnov .cn/file13.exe

Since the file was suspicious but wasn't detected by any major antivirus engine (except as a "suspicious file"), I decided to investigate further.

ThreatExpert's analysis shows that the executable downloads two files (as discussed below) and phones home to mylfix4 .cn:
http://www.threatexpert.com/report.aspx?md5=f7a0f8d044c333ad3b7d65a6485af931
http://anubis.iseclab.org/?action=result&task_id=1020202f49ecf30742da827c810205c13
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.H!87"):
https://www.virustotal.com/analisis/193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098-1253847644
Lists of other malware files and exploits hosted on the same domain:
http://wepawet.iseclab.org/domain.php?hash=02d30b0b4ba304b039d8efb9aa2b5c71&type=js
http://www.malwareurl.com/listing.php?domain=gorodsnov.cn

This malware is clearly a Trojan downloader, but most antivirus products didn't detect it at all.  I submitted the file to multiple companies.  Here's the current assessment as of the time of this post (main source VirusTotal):
File size: 29184 bytes
MD5...: f7a0f8d044c333ad3b7d65a6485af931
SHA1..: a381aed69ed753618e0b3930c78243701af44d7d
SHA256: 193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098

13/41 detection rate as of 2009.09.25 20:04:02 (UTC)

Variously identified as: Artemis!F7A0F8D044C3, Downloader, Heuristic.LooksLike.Win32.Suspicious.H!87, TR/Sasfis.nyk, Troj/DwnLdr-HXD, Trojan.MulDrop.35369, Trojan.Win32.Sasfis.nyk, W32/Small.KFU!tr, Win32.SuspectCrc, Win32/Oficla.AG, Generic.TRA!f7a0f8d044c3, Generic.dx!fij, etc.

The malicious software described above automatically fetched the following files:

hxxp://pobedaim .cn/svchost.exe

Initial VirusTotal assessment (2/41 - "Trojan.DownLoad.42082"):
https://www.virustotal.com/analisis/c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29-1253849155
ThreatExpert's analysis shows that the file creates a startup registry entry for itself:
http://www.threatexpert.com/report.aspx?md5=6bb2a57c3bb3308b3a1519c987caddf4
The Anubis assessment shows that this file phones home to proxy5my .cn:
http://anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10

Again, due to almost no detection from antivirus solutions, I submitted the file to multiple vendors.  Here's the current virus assessment as of the time of this post:
File size: 38400 bytes
MD5...: 6bb2a57c3bb3308b3a1519c987caddf4
SHA1..: 7b0c73e4d9b5fd58c89fc117a5f8ab576145898d
SHA256: c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29

15/41 detection rate as of 2009.09.25 20:04:08 (UTC)

Variously identified as: Artemis!6BB2A57C3BB3, High Risk Cloaked Malware, TR/Agent.cxge, Troj/Agent-LGK, Trojan Horse, Trojan.Agent.cxge, Trojan.Agent.OPPW, Trojan.DownLoad.42082, Trojan.Win32.Agent, Trojan.Win32.Agent.cxge, W32/Agent.CXGE!tr, Win32/Delf.OOR, Generic.TRA!6bb2a57c3bb3, Generic.dx!fio, etc.

The second file downloaded by file13.exe is this very suspiciously named executable:

hxxp://pobedaim .cn/ddos-bot.exe

ThreatExpert's analysis shows that it creates a file nups.sys in C:\WINDOWS\system32\drivers\ and registers it as a service called "Nups":
http://www.threatexpert.com/report.aspx?md5=4af3dc7f09f3dc39068ba4c176531937
The Anubis assessment shows that it creates a file named asyncmac.sys in C:\WINDOWS\system32\drivers\ and phones home to suxumzulum .cn:
http://anubis.iseclab.org/?action=result&task_id=19879314e87e2d93481ccec7a43498a6f&call=first
Initial VirusTotal assessment (2/41 - "Heuristic.LooksLike.Win32.Suspicious.B!87"):
https://www.virustotal.com/analisis/11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f-1253849161

Once again, due to only "suspicious" detection,  I submitted the file to multiple antivirus companies.  Here's the current assessment as of the time of this post:
File size: 93696 bytes
MD5...: 4af3dc7f09f3dc39068ba4c176531937
SHA1..: 679a49279a7c26971ba6183bac78325fa720bfc2
SHA256: 11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f

13/41 detection rate as of 2009.09.25 20:04:19 (UTC)

Variously identified as: Artemis!4AF3DC7F09F3, Heuristic.LooksLike.Win32.Suspicious.B!87, TR/TDss.asbz, Troj/Agent-LGJ, Trojan.Dropper, Trojan.MulDrop.35371, Trojan.Win32.Tdss.asbz, W32/Agent.ASBZ!tr, Win32.SuspectCrc, Win32/SpamTool.Agent.NBW, Generic.TRA!4af3dc7f09f3, Generic.dx!fke, etc.
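The three sets of hashes above are only useful if they can be matched quickly against files on a suspect host. What follows is an added example, not code from the original post: a small Python matcher that uses the file sizes given in the post as a cheap prefilter before hashing, and confirms a hit only when MD5, SHA-1 and SHA-256 all agree. The `DEMO_IOCS` entry is constructed (it holds the digests of the bytes `abc`) so the positive path can be exercised without any malware present, and the temporary-directory scan in `demo_scan()` is likewise constructed test data.

```python
import hashlib
import tempfile
from pathlib import Path

DIGESTS = ("md5", "sha1", "sha256")

# Indicators copied from the post above: size in bytes plus the three digests.
FILE_IOCS = {
    "file13.exe": {
        "size": 29184,
        "md5": "f7a0f8d044c333ad3b7d65a6485af931",
        "sha1": "a381aed69ed753618e0b3930c78243701af44d7d",
        "sha256": "193589553f8f0d8d5c0d1712d72e4143c7fbd002bac06bc9c95b4e96eb47d098",
    },
    "svchost.exe (pobedaim .cn)": {
        "size": 38400,
        "md5": "6bb2a57c3bb3308b3a1519c987caddf4",
        "sha1": "7b0c73e4d9b5fd58c89fc117a5f8ab576145898d",
        "sha256": "c363a96530f122c75664af4afc77c63fb9a349aef648cfe2f0a91dd7e4ba4b29",
    },
    "ddos-bot.exe": {
        "size": 93696,
        "md5": "4af3dc7f09f3dc39068ba4c176531937",
        "sha1": "679a49279a7c26971ba6183bac78325fa720bfc2",
        "sha256": "11be232b824bae5ffbdd51892979b2cecfad3a28de6784ac4e76fe352720901f",
    },
}

# Constructed entry: the digests of the bytes b"abc", so the matching path
# can be tested without any malware sample on disk.
DEMO_IOCS = {
    "constructed-sample": {
        "size": 3,
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
}


def hashes_of(data):
    """All three digests of a byte string, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DIGESTS}


def match_iocs(data, iocs=FILE_IOCS):
    """Names of IoC entries whose size and all three digests match `data`."""
    candidates = {n: i for n, i in iocs.items() if i["size"] == len(data)}
    if not candidates:
        return []  # size prefilter: nothing worth hashing
    digests = hashes_of(data)
    return [n for n, i in candidates.items() if all(digests[a] == i[a] for a in DIGESTS)]


def scan_tree(root, iocs=FILE_IOCS):
    """Walk a directory and report files matching any IoC entry (by file name)."""
    sizes = {i["size"] for i in iocs.values()}
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        # stat() first so files of the wrong size are never read at all
        if path.is_file() and path.stat().st_size in sizes:
            names = match_iocs(path.read_bytes(), iocs)
            if names:
                hits[path.name] = names
    return hits


def demo_scan():
    """Constructed scenario: one matching file and a same-size decoy."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "dropped.bin").write_bytes(b"abc")
        Path(tmp, "decoy.bin").write_bytes(b"abd")  # passes the size filter, fails the digests
        return scan_tree(tmp, DEMO_IOCS)


if __name__ == "__main__":
    for name, matched in demo_scan().items():
        print(name, "->", matched)
```

Requiring all three digests to agree is deliberate: a single-hash hit from a tool that truncates or mis-copies a value is a common source of false positives when IoCs are transcribed from blog posts like this one.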

Reports for these two malware hosts, and three domains to which the malware phones home:
http://www.mywot.com/en/scorecard/gorodsnov.cn
http://www.mywot.com/en/scorecard/pobedaim.cn
http://www.mywot.com/en/scorecard/mylfix4.cn
http://www.mywot.com/en/scorecard/proxy5my.cn
http://www.mywot.com/en/scorecard/suxumzulum.cn

Other domains that have previously hosted variants of this malware, and were hosted on the same IP:

esenins .cn
http://www.malwareurl.com/listing.php?domain=esenins.cn
http://www.malwarebytes.org/forums/index.php?s=3e38bf9bf7fb2c4b059da6ecb97d9bb7&showtopic=24758
http://www.malwaredomainlist.com/forums/index.php?topic=3190.150 (search the page for ddos-bot.exe or svchost.exe)
http://anubis.iseclab.org/?action=result&task_id=157f7e6d3d884b2841507aa750d6cb22d - Anubis analysis of ddos-bot.exe from esenins .cn
http://www.threatexpert.com/report.aspx?md5=bbb64be95cc017dd30fa36a848fdcc6c - ThreatExpert analysis of ddos-bot.exe from esenins .cn
http://www.superantispyware.com/malwarefiles/DDOS-BOT.EXE.html - SUPERAntiSpyware's listing for "Trojan.Agent/Gen" with the same file name and MD5 hash, bbb64be95cc017dd30fa36a848fdcc6c
http://anubis.iseclab.org/?action=result&task_id=1fa6798ca3a124b34599302c57d1286b9 - Anubis analysis of svchost.exe from esenins .cn
http://www.mywot.com/en/scorecard/esenins.cn

7oydomen .cn
http://www.malwareurl.com/listing.php?domain=7oydomen.cn
http://wepawet.iseclab.org/view.php?hash=4e39f0d6097d6e980bb77775e86f5611&t=1252590543&type=js
http://anubis.iseclab.org/?action=result&task_id=1071bf336e899c014ad62b6d13f705cf4 - Anubis analysis of ddos-bot.exe from 7oydomen .cn
http://www.virustotal.com/analisis/a89e9524c50b0af3c058ce7639feac20f1066b3ff14ee58aceab5a7692c5f517-1252590543
http://www.malwaredomainlist.com/forums/index.php?topic=3190.135 (search the page for ddos-bot.exe)
http://www.mywot.com/en/scorecard/7oydomen.cn

Reports for other domains on the same IP address (210.51.166 .247):
http://www.malwareurl.com/search.php?s=210.51.166.247&rp=200&urls=on&ip=on
http://wepawet.iseclab.org/domain.php?hash=02d30b0b4ba304b039d8efb9aa2b5c71&type=js
http://www.mywot.com/en/scorecard/pay-day.cn
http://www.mywot.com/en/scorecard/posledniy.cn
http://www.mywot.com/en/scorecard/predposledniy.cn
http://www.mywot.com/en/scorecard/ledyzpizdik.cn
http://www.mywot.com/en/scorecard/domainadminpanel.cn
http://www.mywot.com/en/scorecard/zelenayajava.cn
http://www.mywot.com/en/scorecard/dmitrygaiduk.cn
http://www.mywot.com/en/scorecard/admnqtc.cn
http://www.mywot.com/en/scorecard/bezzpaleva.cn
http://www.mywot.com/en/scorecard/megobill.cn (reported by Wepawet; it's unknown whether this domain has hosted malware)
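The hostnames in this post are written defanged (`gorodsnov .cn`, `210.51.166 .247`) so they cannot be clicked by accident; before they can be used for monitoring they have to be refanged and then matched on label boundaries. The following is an added example, not code from the original post: Python that refangs the download and phone-home hosts listed above, builds a blocklist from them, and runs it over constructed BIND-style query-log lines. The client addresses and the names `www.example.com`, `update.suxumzulum.cn` and `notsuxumzulum.cn` are constructed test data; the last of them shows why a plain string-suffix test is the wrong check.

```python
import re

# Defanged indicators copied from the post above (the post writes "name .cn").
DEFANGED_HOSTS = [
    "gorodsnov .cn", "pobedaim .cn",            # download hosts
    "mylfix4 .cn", "proxy5my .cn", "suxumzulum .cn",  # phone-home domains
    "esenins .cn", "7oydomen .cn",              # earlier hosts on the same IP
]
DEFANGED_IP = "210.51.166 .247"

_SCHEME = re.compile(r"^(?:hxxps?|https?)://")
_DEFANGED_DOT = re.compile(r"\s*\[?\.\]?\s*")  # " .", "[.]", "[ . ]" or a plain "."


def refang(indicator):
    """Turn a defanged host, IP or URL into a bare lower-case host string."""
    s = _SCHEME.sub("", indicator.strip().lower())
    s = s.split("/", 1)[0]  # drop any path such as /file13.exe
    return _DEFANGED_DOT.sub(".", s).strip(".")


BLOCKLIST = {refang(h) for h in DEFANGED_HOSTS}


def is_blocked(qname, blocklist=BLOCKLIST):
    """True for an exact match or a subdomain match on a label boundary."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocklist)


# Constructed log lines in a BIND-style query-log shape; addresses are documentation ranges.
SAMPLE_QUERY_LOG = """\
25-Sep-2009 20:01:11.402 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
25-Sep-2009 20:01:12.118 client 192.0.2.10#53212: query: mylfix4.cn IN A + (192.0.2.1)
25-Sep-2009 20:01:13.560 client 192.0.2.22#40011: query: update.suxumzulum.cn IN A + (192.0.2.1)
25-Sep-2009 20:01:14.002 client 192.0.2.22#40012: query: notsuxumzulum.cn IN A + (192.0.2.1)
"""

_QUERY = re.compile(r"client (?P<client>[^#\s]+)(?:#\d+)?: query: (?P<qname>\S+) IN ")


def scan_dns_log(lines, blocklist=BLOCKLIST):
    """Return (client, queried name, matched indicator) for every blocklisted lookup."""
    hits = []
    for line in lines:
        m = _QUERY.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        for d in blocklist:
            if qname == d or qname.endswith("." + d):
                hits.append((m.group("client"), qname, d))
                break
    return hits


if __name__ == "__main__":
    for client, qname, indicator in scan_dns_log(SAMPLE_QUERY_LOG.splitlines()):
        print(f"{client} looked up {qname} (matches {indicator})")
```

The `"." + d` check is what keeps `notsuxumzulum.cn` out of the results while still catching any subdomain of a listed zone; a bare `endswith(d)` would flag every unrelated name that happens to share a suffix.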

Searches for ddos-bot.exe on MalwareURL and Malware Domain List:
http://www.malwareurl.com/search.php?s=ddos-bot.exe&rp=200&urls=on
http://www.malwaredomainlist.com/mdl.php?search=ddos-bot.exe&colsearch=All&quantity=50

Reports for other possibly related files:
http://www.prevx.com/filenames/X1722639219385542672-X1/DDOS-BOT.EXE.html
http://www.threatexpert.com/report.aspx?md5=8b2a9afa42df42bef4c904713e2cfc21


Here are some other new malware domains I came across last night, unrelated to the malware described above. Most of these domains are related to Zbot malware and/or an Autostart worm, and several were registered within the past 48 hours:

http://www.mywot.com/en/scorecard/redbullarts.com
http://www.mywot.com/en/scorecard/scarlettartsgallery.com
http://www.mywot.com/en/scorecard/myfoundryart.com
http://www.mywot.com/en/scorecard/allfilesstorage.com
http://www.mywot.com/en/scorecard/allfilesstoragecenter.com
http://www.mywot.com/en/scorecard/givemereasonx.com (including subdomain core2700.givemereasonx.com)
http://www.mywot.com/en/scorecard/psimage.cn
http://www.mywot.com/en/scorecard/htm6.co.cc
http://www.mywot.com/en/scorecard/explorersecuritysuite.com


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.
