Blog for hpHosts, and whatever else I feel like writing about ....

Friday 23 January 2009

Stolen r00t-y0u DB leads to malware

What happens when you cross a stolen hacker database with open distribution? Why this of course (graphic version to the left);

Exported by: Outlook Export v0.1.4


From: Enric
E-mail:Enric@gmail.com [ 64.233.161.83 - od-in-f83.google.com ]
Date: 23/01/2009 18:57:07
Subject: realy nice video check it.
**************************************************************************
Links
**************************************************************************

Link: http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&
Domain: sm1.intellimaxx.net
IP: 209.171.53.170 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://video-share.servegame.org/Best.html
Domain: video-share.servegame.org
IP: 63.208.196.110 [ hop.mywebhop.org ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
<http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&> nice video http://video-share.servegame.org/Best.html enjoy!!!


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF="http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&">http://sm1.intellimaxx.net:80/track?mailingid=112233&messageid=121&databaseid=1234&type=open&serial=1222716134&emailid=[REMOVED]&userid=43912&extra=&&&</A>> nice video <A HREF="http://video-share.servegame.org/Best.html">http://video-share.servegame.org/Best.html</A> enjoy!!!<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: enric@gmail.com
Delivered-To: [REMOVED]
X-FDA: 61833107406
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,8e5bddad4f42bc39,8efcb81be1d9d39e,enric@gmail.com,[REMOVED],RULES_HIT:46:150:152:355:375:379:495:509:541:857:946:967:972:973:980:988:989:996:1183:1224:1260:
1261:1311:1312:1313:1314:1345:1432:1515:1516:1517:1519:1527:1534:1537:1569:1593:1594:
1595:1596:1676:1696:1699:1711:1714:1730:1747:1766:1792:2194:2198:2199:2200:2393:2525:
2561:2564:2682:2685:2857:2859:2933:2937:2939:2942:2945:2947:2951:2954:3022:3770:3872:
3876:3877:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4321:4648:5007:6114:6117:
7679:8501:8599:8985:9025:9040:9108:9388:9391:9413,0,RBL:209.171.53.172-lbl7
.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5
,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (unknown [209.171.53.172])
by imf19.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Fri, 23 Jan 2009 20:12:41 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.170])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.0(4.1.0-41174)); Fri, 23 Jan 2009 13:54:16 -0500
X-VirtualServerGroup: Default
X-MailingID: 1222716134::112233::1234::121::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
X-SMFBL: cjAwdC15MHVfb3JnQGl0LW1hdGUuY28udWs=
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: text/html;
charset="UTF-8"
Reply-To: Enric@gmail.com
MIME-Version: 1.0
Message-ID: <1222716134.43912@gmail.com>
Subject: =?UTF-8?B?IHJlYWx5IG5pY2UgdmlkZW8gY2hlY2sgaXQu?=
Date: Fri, 23 Jan 2009 13:57:07 -0500
To: [REMOVED]
From: "Enric" <Enric@gmail.com>


The malicious link in this case is the one leading to;

video-share.servegame.org/Best.html (IP: 63.208.196.110 [ hop.mywebhop.org ])

... as this leads directly to codec infections at;

danicamarkovic.ca/php/codecs/codec_pack_3.2.1.exe (IP: 38.113.185.126)
track-turbo.com/download/TestCodec.v.3.127.cab (IP: 203.169.164.18 [ vp164018.hk.uac65.hknet.com ])

The latter of these two, track-turbo.com, returns a 404. Detection for codec_pack_3.2.1.exe is absolutely rubbish as usual.

http://www.virustotal.com/analisis/85cbee23493d14f184cf6f5777d98c52

File properties;

Company: BCN
Version: 1.0.0.0
Size: 164K
MD5: 6B6159546D2AC50487D953D3B500366F

Basing it on the strings, attempts to run it in VMWare, Sandboxie, Anubis, ThreatExpert et al, would fail (not that it'll stop me trying);



Needless to say, this is being targetted specifically to r00t-y0u members (not that surprising - the various forums are often trying to hack each other and/or out-do each other in varying ways). However, this domain is likely going to be used in other less targetted campaigns, so block it ASAP.

No comments: