This URL (vURL results, PDF);
nit99.biz/myy/viewtopic.php?s=bec8f62472
wants us to believe it's a forum that's going to show us the topic associated with the ID in the s= variable. Alas, it's neither a valid ID nor a forum at all. What you'll actually get is a whole host of badness battered down the pipes onto your poor machine.
And what badness do you get? Glad you asked! The above URL loads two additional URLs that deliver the payload;
PDF file
nit99.biz/myy/myreadme.php
SWF (flash) file
nit99.biz/myy//i.swf
These files have one purpose - to deliver the payload. The payload itself comes from;
nit99.biz/myy/post.php?e=6&
The payload is a 39K file called pdfupdate.exe, and VT results as of December 29th were absolutely rubbish, with only 3 vendors detecting it;
http://www.virustotal.com/analisis/c6bf9b61d2ee07fea37adf13d3c0218d738d33914cb2525f58d4861c75bd662a-1261915184
I've just submitted it to VT again to see if the detections have improved yet, and though they could still be better, the 3 vendors have now gone up to 19;
http://www.virustotal.com/analisis/c6bf9b61d2ee07fea37adf13d3c0218d738d33914cb2525f58d4861c75bd662a-1262196998
The file is UPX packed, and unpacking it shows a 79K file that, according to VT reports, is a fake alert (otherwise known as "this is gonna infect yer poor machine and ask you to pay it for the privilege of doing so").
I don't have my test box up at the moment as I'm busy with work and sorting out a server issue, but the Anubis results for the unpacked file can be found here. Of interest is the following, which indicates the presence of a rootkit;
HKLM\System\CurrentControlSet\Services\AsyncMac
I did however notice the following bit of confusion when looking at the file in FileInsight;
....But where would he sleep?...He could be taller the..But where would he sleep?...No one wou..Imagine a pet dinosaur that live....when we played hid..and my pet would pass up th.He could be talle...pterodactyl instead.and the fences squashed ....M..[I0d have to spend ..I wouldn0...I wouldn0t have to worry....It would ...A pet dinosaur would be won.at my house and.and then another and t..Wouldn0t it be fan..While he stood in t.While he st.b.CB
Nope, I've no idea what that's about either.
The site resides at 115.100.250.104, and my database is showing this entire /24 as dirty (so no, not just a case of the sites being hacked). Malicious activity seen within this /24 includes;
The /24 lies within a range (115.100.248.0/22) owned by;
ASN: 9803
Desc: JINGXUN Beijing Jingxun Public Information Technology Co., Ltd
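As an added example (not the post's own tooling), here is a small Python parser for the "timestamp ip Failed resolution host hxxp://url" export layout used above. It keeps only records whose IP falls inside the 115.100.248.0/22 range the post attributes to AS9803 and lists the distinct hostnames seen per IP, which is the kind of evidence behind calling a whole netblock dirty rather than a few hacked sites. The sample lines are constructed (reusing hosts and IPs from the post plus one clean control address), and the range check is an assumption about how such a database would be queried.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the same "timestamp ip Failed resolution host hxxp://url"
# layout as the post's database export; hosts and IPs reuse values from the post,
# plus one clean line (198.51.100.7, a documentation address) as a control.
SAMPLE_LOG = """\
20091229042433 115.100.250.104 Failed resolution www.nit99.biz hxxp://www.nit99.biz/myy/viewtopic.php?s=bec8f62472
20091222194330 115.100.250.104 Failed resolution www.not99.biz hxxp://www.not99.biz/myy/myreadme.php
20091229044324 115.100.250.73 Failed resolution grizzli-counter.com hxxp://grizzli-counter.com:80/id125/loadpdf.php
20091230010101 198.51.100.7 Failed resolution example.invalid hxxp://example.invalid/clean.html
this line is not in the export format and must be skipped
"""

# The range the post attributes to AS9803 (115.100.248.0/22); assumed to be
# the block a defender would want flagged as a whole.
DIRTY_RANGE = ipaddress.ip_network("115.100.248.0/22")

LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+Failed resolution\s+"
    r"(?P<host>\S+)\s+(?P<url>hxxps?://\S+)$"
)


def parse_line(line):
    """Parse one export line into a dict; return None when the layout does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The export defangs URLs as hxxp; restore the scheme in the record only so it
    # can be matched against other feeds, never so it gets fetched.
    rec["url"] = "http" + rec["url"][4:]
    rec["in_dirty_range"] = ipaddress.ip_address(rec["ip"]) in DIRTY_RANGE
    return rec


def hosts_by_ip(log_text):
    """Map each in-range IP to the sorted distinct hostnames seen on it.

    Several unrelated malicious hostnames on one IP is the evidence that the
    block is dirty as a whole rather than merely hosting a few hacked sites.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["in_dirty_range"]:
            seen[rec["ip"]].add(rec["host"])
    return {ip: sorted(hosts) for ip, hosts in seen.items()}


if __name__ == "__main__":
    for ip, hosts in sorted(hosts_by_ip(SAMPLE_LOG).items()):
        print(f"{ip}: {len(hosts)} distinct malicious hosts -> {', '.join(hosts)}")
```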
/edit 18:52
Sunbelt sandbox results
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12053994&cs=BFFBC294022DB10C44EE633BAC06CAF4
Microsoft Malware Protection Center (results will be here once analysis is finished)
https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=a06eea71-cb87-4af3-aafa-6ba621b248ac
/edit 19:06
The following shows some interesting stats regarding the exploit pack being used here (Fragus/Nulled);