Wednesday, January 6, 2010

Malware and Malicious Site Reports: evamendesochka, showmelovetube, mp3dir, etc.

On New Year's Day I found an old blog post from last June written by Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham (who referenced my "How to Preview Shortened URLs" article—thanks, Gary!).  I was curious to see whether one of the malware URLs mentioned in his blog post was still active more than 6 months later, and sure enough, it was.  Here's what I found out:

showmealltube .com/paqi-video/7.html
used obscured JavaScript code [see the Wepawet analysis] to redirect to
evamendesochka .com/go.php?sid=9
which redirected to
jumbotubes .com/xplaymovie.php?id=40012

(It doesn't redirect to jumbotubes anymore, but I'll get back to that.)  The jumbotubes page pretended to contain an embedded video which in reality linked to a malicious payload:

megaloadfile .com/flash-HQ-plugin.40012.exe

I submitted the file to VirusTotal and found that only 4 out of 39 engines detected it.  I sent the sample to multiple AV vendors, and detection improved gradually over the next several days:
File name: flash-HQ-plugin.40012.exe
File size: 111104 bytes
MD5...: 84e8fcd09215fe4555b5532f22f1f96e
SHA1..: 5084a5ecdfd16220809c59ef5a6ca8e692237841
SHA256: 89d2f41d182fad11d71e4312b589c8b8a4ebdaf3384ae01ca9827091e4f55097

4/39 detection rate as of 2010.01.01 20:50:54 (UTC)

16/40 detection rate as of 2010.01.03 10:10:30 (UTC)

21/40 detection rate as of 2010.01.04 07:48:32 (UTC)

33/41 detection rate as of 2010.01.06 08:03:47 (UTC)

Variously identified as: Artemis!84E8FCD09215, Downloader-BWS, Downloader.Generic9.AEFL, Mal/Krap-H, Medium Risk Malware, Trj/CI.A, Trojan-Downloader.Win32.FraudLoad, Trojan-Downloader.Win32.FraudLoad!IK, Trojan-Downloader.Win32.FraudLoad.ghh, Trojan-Downloader/W32.FraudLoad.111104.F, Trojan.DL.FraudLoad.VFX, Trojan.Dldr.FraudLoad.ghh, Trojan.DownLoad1.5059, Trojan.FakeAV, Trojan.FakeAV!gen11, Trojan.Generic.2928325, Trojan.Win32.FakeAV!IK, Trojan.Win32.Generic!BT, Trojan/Downloader.FraudLoad.ghh, Trojan/Win32.FraudLoad.gen, TrojanDownloader:Win32/Renos.JM, TrojWare.Win32.Trojan.Agent.Gen, W32/FakeAlert.EK.gen!Eldorado, W32/FraudLoad.GHH!tr.dldr, Win-Trojan/Downloader.111104.M, Win32:FakeAV-AES, Win32:Trojan-gen,, Win32.TrojanDownload, Win32/TrojanDownloader.FakeAlert.ADA, Win32/Warduncrypt!packed, etc.
See the Web of Trust reports for the domains mentioned above:

This malware phones home to multiple domains according to the Panda Autovin, ThreatExpert, and Anubis behavioral analyses.  See the WOT reports for these phone-home domains, sorted roughly in order of least to most well known at the time of this post:

There are dozens of other malware distribution sites similar to jumbotubes; a Google search reveals many such domains (note that SafeSearch is disabled in this query, and the results will likely lead to malware):

In researching some of the phone-home domains on ThreatExpert using searches like this one, I found a number of related domains as well (again listed roughly in order of least to most widely known):

While preparing to write this blog post, I retraced my steps and found that the evamendesochka site now redirects to a different site:

showmelovetube .cn/tube.htm (WARNING: site contains explicit images in addition to malware)

Once again, the site attempts to trick the user into clicking on what appears to be a video, which is actually just a link to a malicious file:

mp3dir .cn/1/install_plugin.exe

See the Web of Trust reports for these additional domains, neither of which seems to be well-known yet:

The initial detection rate for this second piece of malware is only 3 out of 41 anti-virus engines, with detection coming soon from Fortinet and McAfee:
File name: install_plugin.exe
File size: 38400 bytes
MD5...: d9644ba632c0d774dcff57323eeb968d
SHA1..: bce22a0c67da01441478cd327affbf632a9908c4
SHA256: 46a9620c06c4d143a77c36f658d9f2e272960dd4db47ab2fb8f6208822e2d566

3/41 detection rate as of 2010.01.06 06:41:05 (UTC)

Variously identified as: Generic.TRA!d9644ba632c0, Medium Risk Malware Dropper, Trojan-Dropper.Win32.Agent.bkie, W32/Agent.BKI!tr, W32/Malware
This malware disables Data Execution Prevention (DEP) for Internet Explorer and injects a new DLL into the system, among other things, as shown in these Anubis, ThreatExpert, and Panda Autovin reports.

Stay safe out there!

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.

1 comment:

  1. I think this may have been the link that I clicked on yesterday that gave me the fake windows looking system scan / Trojan.Win32.FakeAV!IK. The browser I am using is firefox. The search term I googled to bump into the malware website is; ram implosion wing;jid=27206
    I believe that this is my second time running into the same bad URL. Back in November I had the same problem with this nasty malware that mimics Windows security icons and changes my desktop image and I also was researching Ram Implosion Wing.


Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)