Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 18 October 2009 & (, AS10929 NETELLIGENT)

Whilst analyzing URL's in the malware DB, I noticed a URL with .sys, which are associated with Koobface. I decided to analyze the executable and noticed something interesting.

The executable is UPX packed, and contains some interesting strings. Most notably, references to Facebook, and The only things I could get from both of these domains, were a login page, so I decided to dig further. This led me to a Threat Expert report which provided me with two more URL's;

This report identifies the following, which return strings suggesting they're used for manual breaking of captcha's (not really surprising given the domains involved).

These URL's pull an image from ( -, AS21840 SAGONET-TPA - Sago Networks, NetTuner Corporation ( WEBMASTERS-20020618) with the words "Enter both words below, separated by a space.". The image name is an MD5, with the jpg extension, and the return value starts with the identical MD5, suggesting these are then stored in the attackers database once the user has entered the words in the image.

What is interesting however, is that the URL to the image redirected to for me, that contained a 404 error, and a search box leading to;

www resolves to (AS30217 DESYNC - Desync Networks), an IP with lots of suspect domains that I'll be having a look at;

Doing a search for "spyware", shows a few legit domains, but a plethora of rogues (surprise surprise);


There was however, an additional executable over at however, v2captcha.exe. This executable contains a resource file, that contains another UPX packed executable. Extracting this and then unpacking it, shows references to the URL's referenced in the above Threat Expert report, suggesting it's likely the same file.

However, there are also further references, including;


Presumably, this is used when processing the words the user has entered from the image.

Paths in the executable suggests it stores itself in the Program Files folder, along with a file called captcha.dll. It further stores itself in the Run hive of the registry, so it loads each time the computer is booted. The value it is stored as is Captcha7 from what I can see in the ref in FileInsight;

Sadly I don't have access to a test system at present, or I could've saved myself some time, and just ran it.

I've not yet scanned these at VT, but Malwarebytes AntiMalware detects these as Trojan.Agent and Worm.Koobface respectively.

I had NOD32 disabled whilst analyzing the files and URL's, but had it scan them whilst writing this and interestingly, it said they were clean (though it also said it couldn't contact the Eset Smart Security Kernel aswell, which is strange).

No comments: