Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 December 2009 When is a forum not a forum? ....

... When it's an exploit of course!

This URL (vURL results, PDF);

wants us to believe it's a forum that's going to let us view the topic associated with the ID in the s= variable. Alas, however, it's neither a valid ID nor a forum at all. What you'll actually get is a whole host of badness battered down the pipes onto your poor machine.

And what badness do you get? Glad you asked! The above URL loads two additional URLs that deliver the payload;

PDF file

SWF (flash) file

These files have one purpose - to deliver the payload. The payload itself comes from;

The payload is a 39K file called pdfupdate.exe, and VT results as of December 29th were absolutely rubbish, with only 3 vendors detecting it;

I've just submitted it to VT again, to see if the detections have improved yet, and though they could still be better, the 3 vendors is now up to 19;

The file is UPX packed, and unpacking it shows a 79K file that, according to VT reports, is a fake alert (otherwise known as "this is gonna infect yer poor machine and ask you to pay it for the privilege of doing so").

I don't have my test box up at the moment as I'm busy with work and sorting out a server issue, but the Anubis results for the unpacked file can be found here. Of interest is the following, which indicates the presence of a rootkit;

I did, however, notice the following bit of confusion when looking at the file in FileInsight;

....But where would he sleep?...He could be taller the..But where would he sleep?...No one wou..Imagine a pet dinosaur that live....when we played hid..and my pet would pass up th.He could be talle...pterodactyl instead.and the fences squashed ....M..[I0d have to spend ..I wouldn0...I wouldn0t have to worry....It would ...A pet dinosaur would be my house and.and then another and t..Wouldn0t it be fan..While he stood in t.While he st.b.CB

Nope, I've no idea what that's about either.

The site resides at, and my database is showing this entire /24 as being dirty (so nope, not just a case of the sites being hacked). Malicious activity seen within this /24 includes;


The /24 lies within a range ( owned by;

ASN: 9803
Desc: JINGXUN Beijing Jingxun Public Information Technology Co., Ltd
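The "entire /24 is dirty" call above rests on counting how many distinct malicious hosts land in the same netblock. As an added example (not the hpHosts code, and not the post's real indicators), the script below parses log lines in the post's format, refangs the hxxp:// URLs, maps each host to a constructed last-known address from RFC 5737 test ranges, and flags any /24 holding at least three distinct hosts:

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in the hpHosts-style format shown in the post:
# <timestamp> <event> <defanged URL>. Hosts are placeholders, not real indicators.
SAMPLE_LOG = """\
20091216205416          Failed resolution          hxxp://bad-forum.example/forum/index.php?s=abc
20091216205423          Failed resolution          hxxp://pdf-host.example/x.pdf
20091218035413          Failed resolution          hxxp://swf-host.example/x.swf
20091219231238          Failed resolution          hxxp://payload.example/pdfupdate.exe
20091220000111          Failed resolution          hxxp://lonely.example/
"""

# Constructed last-known addresses for each host (assumed database contents;
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges).
RESOLVED = {
    "bad-forum.example": "192.0.2.10",
    "pdf-host.example": "192.0.2.11",
    "swf-host.example": "192.0.2.12",
    "payload.example": "192.0.2.13",
    "lonely.example": "198.51.100.7",
}

LINE_RE = re.compile(r"^(\d{14})\s+(.+?)\s+(hxxp://\S+)$")

def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable http:// URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def parse_line(line):
    """Split one log line into timestamp, event text and hostname (None if malformed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, url = m.groups()
    return {"ts": ts, "event": event, "host": urlparse(refang(url)).hostname}

def hosts_by_slash24(lines, resolved):
    """Group distinct malicious hostnames by the /24 their address falls in."""
    by_net = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in resolved:
            continue
        net = ipaddress.ip_network(resolved[rec["host"]] + "/24", strict=False)
        by_net[str(net)].add(rec["host"])
    return by_net

def dirty_slash24s(lines, resolved, min_hosts=3):
    """Return the /24s that hold at least min_hosts distinct malicious hosts."""
    return sorted(net for net, hosts in hosts_by_slash24(lines, resolved).items()
                  if len(hosts) >= min_hosts)
```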

/edit 18:52

Sunbelt sandbox results

Microsoft Malware Protection Center (results will be here once analysis is finished)

/edit 19:06

The following shows some interesting stats regarding the exploit pack being used here (Fragus/Nulled);
