Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 26 May 2011

Dear bad guys ....

Seems the bad guys don't believe we actually check sites/files we're coming across anymore, only that we look for a specific filename. I've been monitoring a couple sites leading to trojans, and having the domains shut down. Over the past few days (approx the 20th), they've disabled the specific filename the malicious code points to, possibly believing we'll say "okay, it doesn't exist anymore, stop checking it".

Up until yesterday, the filename the code always pointed to was FlashPlayer.45187.exe, and indeed, as of 2 mins ago, it still does - but loading the URL with that filename results in a 404.

If we change the numeric, it magically works again. For example (note, DirectI have now suspended this domain (and almost beat the record, responding to and actioning the report in ~6 mins!));

toolsmedianet.in/FlashPlayer.4.exe
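A small check for the situation described above (exact filename 404s, but the same path with a different numeric still serves the binary), added here as an example and not code from the hpHosts blog or its author. The host `example.invalid`, the status table and the `fetch` callback are constructed so it runs offline; `http_head_status` is the real fetcher you would plug in from an analysis box.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Filename shaped like FlashPlayer.45187.exe: stem, numeric component, extension.
NUMERIC_RE = re.compile(r"^(?P<stem>[^/]+?)\.(?P<num>\d+)\.(?P<ext>[A-Za-z0-9]+)$")


def numeric_variants(url: str, probes=(1, 4, 99)) -> List[str]:
    """Return copies of `url` with the numeric filename component swapped for each probe value."""
    head, sep, filename = url.rpartition("/")
    m = NUMERIC_RE.match(filename)
    if not m:
        return []  # no numeric component to vary; nothing to probe
    return [f"{head}{sep}{m['stem']}.{n}.{m['ext']}" for n in probes]


def still_serving(url: str, fetch: Callable[[str], int]) -> Tuple[bool, List[str]]:
    """Flag a URL whose exact filename is 404 while a numeric variant still returns 200.

    `fetch(url)` must return an HTTP status code; it is injected so the logic can be
    exercised against a constructed table instead of a live host.
    """
    exact = fetch(url)
    live = [v for v in numeric_variants(url) if v != url and fetch(v) == 200]
    return (exact == 404 and bool(live)), live


def http_head_status(url: str, timeout: float = 10.0) -> int:
    """Real fetcher: HEAD request, returning the status code (HTTPError code on 4xx/5xx)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


# Constructed status table mirroring the post: exact filename dead, ".4." variant alive.
FAKE_STATUS: Dict[str, int] = {
    "http://example.invalid/FlashPlayer.45187.exe": 404,
    "http://example.invalid/FlashPlayer.4.exe": 200,
}


def fake_fetch(url: str) -> int:
    """Offline stand-in for http_head_status: unknown URLs are treated as 404."""
    return FAKE_STATUS.get(url, 404)


def demo() -> Tuple[bool, List[str]]:
    return still_serving("http://example.invalid/FlashPlayer.45187.exe", fake_fetch)
```

A `True` result means the 404 on the reported filename is not evidence the host has stopped serving the file, so the domain report should stay open.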

Incidentally, detection for this is still rubbish (detection for the previous incarnation is a little, but not much better);

http://www.virustotal.com/file-scan/report.html?id=c68fae87cb4f4843dae50b032ba4cc26af0431577cbca016e435df4e20e29d93-1306459209

The MD5 for this particular file (all files have a different MD5) is 9f292e8c1c8bcb3943dfc1c8d638e1b9, and in addition to the new filename, it's got a new size too (previously 95K, now 109K).

The IP for all domains has stayed static and is still the same as of the latest incarnation;

IP: 66.45.243.36
PTR: reverse243-34.reserver.ru
ASN: 19318 66.45.224.0/19 NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC

What's curious is the fact the code still points to the filename that's 404'ing, but is still being updated with the new domains. I do love a puzzle.
