Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 10 November 2009

Crimeware-friendly ISPs: Hosting Panama

Hosting Panama has several ranges that are, or have been, involved in malicious activity. The latest of these is 200.106.145.0/24, which is responsible for this little baggage of fun:

http://proanalytics.cn/stats.txt


This text file, of course, isn't a text file at all: it's a JavaScript file that leads to a whole heap of malicious exploit goodness:

http://proanalytics.cn/tds/go.php?sid=1
http://proanalytics.cn/tds/got.php?sid=1
http://proanalytics.cn/frag2/show.php
http://proanalytics.cn/frag2/show.php?get_ajax=1&r=0.34832734843634716
http://proanalytics.cn/frag2/pdf.php
http://proanalytics.cn/frag2/directshow.php
http://proanalytics.cn/frag2/admin.php


Payloads:

http://proanalytics.cn/frag2/load.php?e=1
http://proanalytics.cn/frag2/load.php?e=2
http://proanalytics.cn/frag2/load.php?e=3


The payload, adobeupdate.exe, is a Zbot variant (these almost always come with a keylogger and a backdoor trojan, which leaves YOUR machine compromised; in this case it also comes with a rootkit).

Anubis errored out when trying to analyze this, suggesting it's VM-aware (not surprising given it's associated with the Fragus exploit pack), and I've not got my test machine on at present as I'm still busy going through a ton of stuff for work, but I'll see about running it later (I don't do VMs; the only test machine I use is a "real" machine).

ThreatExpert was able to work with this one, and showed some interesting results:

http://www.threatexpert.com/report.aspx?md5=faf4506500217a741767db68d9a5d72c

You'll notice this variant also steals your Facebook credentials .....

proanalytics.cn is registered to "Mareks Vabels" (mareksvab@gmail.com) via Tucows domain registration. The only reference to that name I could find, aside from MalwareURL and MalwareDomainList, was this one, suggesting the individual, if he/she is real, is allegedly from Latvia.

Domain Name: proanalytics.cn
ROID: 20091021s10001s07931514-cn
Domain Status: ok
Registrant Organization: Personal use
Registrant Name: Mareks Vabels
Administrative Email: mareksvab@gmail.com
Sponsoring Registrar: Tucows, Inc.
Name Server:ns1.proanalytics.cn
Name Server:ns2.proanalytics.cn
Registration Date: 2009-10-21 23:50
Expiration Date: 2010-10-21 23:50

WhoIs server: whois.cnnic.cn


This URL is amongst MANY others that are currently hiding in compromised websites, so if you're running a website yourself, or know a friend who has a website, PLEASE make sure you're periodically checking the files for signs of infection.
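For site owners who want to act on that advice, here is an added example (my own code, not from hpHosts or any tool the post mentions) of a small scanner that walks a web root and flags the kind of injected script include described above: an external script tag that points at a known-bad host, at a host whose address falls inside the 200.106.145.0/24 range, or at a ".txt" URL being loaded as a script (the stats.txt trick). The blocklisted host and range are the ones named in the post; the host-to-IP mapping (ASSUMED_DNS) and the sample site files are constructed for the example so it runs offline without doing any live lookups, and the file-extension and script-tag heuristics are my own assumptions, not a complete infection check.

```python
import ipaddress
import os
import re
import tempfile
from urllib.parse import urlparse

# Indicators taken from the post: the hosting range and the domain serving stats.txt.
BAD_RANGES = [ipaddress.ip_network("200.106.145.0/24")]
BAD_HOSTS = {"proanalytics.cn"}

# Constructed stand-in for DNS resolution so the example runs offline;
# a real scanner would resolve the host and check the returned addresses.
ASSUMED_DNS = {
    "proanalytics.cn": "200.106.145.10",        # constructed value
    "stats-mirror.example": "200.106.145.77",   # constructed value
}

# Matches <script ... src="..."> / src='...' regardless of attribute order.
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def host_is_bad(host):
    """Return a reason string if the host is blocklisted or sits in a blocked range, else None."""
    if host in BAD_HOSTS:
        return "known malicious host"
    ip = ASSUMED_DNS.get(host)
    if ip and any(ipaddress.ip_address(ip) in net for net in BAD_RANGES):
        return f"resolves into blocked range ({ip})"
    return None


def scan_html(text, own_host):
    """Return [(src, reason)] for external script includes that look like an injection."""
    findings = []
    for src in SCRIPT_SRC.findall(text):
        parsed = urlparse(src)
        host = parsed.hostname
        if not host or host == own_host:
            continue  # relative or same-site includes are not what we are hunting here
        reason = host_is_bad(host)
        if reason is None and parsed.path.lower().endswith(".txt"):
            reason = "script loaded from a .txt URL (JavaScript disguised as a text file)"
        if reason:
            findings.append((src, reason))
    return findings


def scan_site(root, own_host):
    """Walk a web root and return [(relative_path, src, reason)] for every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for src, reason in scan_html(fh.read(), own_host):
                    findings.append((os.path.relpath(path, root), src, reason))
    return findings


# Constructed sample site: one clean page, one page carrying the stats.txt include,
# one page with a legitimate external library plus a .txt loaded as a script.
SAMPLE_FILES = {
    "index.html": '<html><body><h1>Hi</h1><script src="/js/app.js"></script></body></html>',
    "about.php": '<p>About</p><script src="http://proanalytics.cn/stats.txt"></script>',
    "blog/post.htm": ('<script src="http://cdn.example.net/lib.js"></script>'
                      '<script src="http://notes.example.org/readme.txt"></script>'),
}


def build_sample_site():
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="scan_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, src, reason in scan_site(site, "www.example.com"):
        print(f"{rel}: {src} -- {reason}")
```

Run against a real web root, the .txt-as-script rule is the one most likely to catch a fresh injection before the domain reaches a blocklist, since it keys on the technique rather than on a specific indicator; the blocklist and range checks are there so that indicators like the ones in this post can be dropped in as they are published.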

In the meantime, perhaps Hosting Panama would care to explain their lack of action?
