Thursday, September 6, 2012

When #malware infector goes to Cloud: Trojan Banker in Free Cloud Storage - MediaFire

It is really sad to see the infection moving to the cloud; this is one true case example.
I grepped the trojan infections in the phishing databases just now, and what caught my interest was the list of the file "Application+Form.zip" saved at many infector URLs. When I did a reverse lookup on them, they came up as addresses of the Free Cloud Storage MediaFire. The list and proof are below:
NetRange: 199.91.152.0 - 199.91.159.255
CIDR: 199.91.152.0/21
OriginAS: AS46179
NetName: MEDIAFIRE-IP-199-91-159-0-21
IP: 199.91.154.64

NetRange: 199.91.152.0 - 199.91.159.255
CIDR: 199.91.152.0/21
OriginAS: AS46179
NetName: MEDIAFIRE-IP-199-91-159-0-21
IP: 199.91.154.107

NetRange: 205.196.120.0 - 205.196.123.255
CIDR: 205.196.120.0/22
OriginAS: AS46179
NetName: MEDIAFIRE-IP-205-196-120-0-22
IP: 205.196.120.110

NetRange: 199.91.152.0 - 199.91.159.255
CIDR: 199.91.152.0/21
OriginAS: AS46179
NetName: MEDIAFIRE-IP-199-91-159-0-21
IP: 199.91.153.124
Download PoCs (wget trace followed by the raw HTTP exchange) are below. Case 1:
--22:40:15--  h00p://199.91.154.64/0zosrljb8eig/uoqv786sj08g7e2/ApplicationForm.zip
           => `ApplicationForm.zip'
Connecting to 199.91.154.64:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2 [following]
--22:40:15--  h00p://www.mediafire.com/?uoqv786sj08g7e2
           => `index.html@uoqv786sj08g7e2'
Resolving www.mediafire.com... 205.196.120.6, 205.196.120.8
Connecting to www.mediafire.com|205.196.120.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://205.196.122.152/ipb7dusor0zg/uoqv786sj08g7e2/Application+Form.zip [following]
--22:40:16--  h00p://205.196.122.152/ipb7dusor0zg/uoqv786sj08g7e2/Application+Form.zip
           => `Application+Form.zip'
Connecting to 205.196.122.152:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 640,712 (626K) [application/zip]

100%[====================================>] 640,712      148.40K/s    ETA 00:00

22:40:21 (130.61 KB/s) - `Application+Form.zip' saved [640712/640712]

GET /0zosrljb8eig/uoqv786sj08g7e2/ApplicationForm.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 199.91.154.64
Connection: Keep-Alive

HTTP/1.1 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2
Connection: Close

GET /?uoqv786sj08g7e2 HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: www.mediafire.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 06 Sep 2012 13:41:36 GMT
Cache-control: no-cache
Pragma: no-cache
Expires: 0
Set-Cookie: ukey=7th4ubnj5cc2ucw0hhiemxt6bi6hh8z8; expires=Thu, 07-Aug-2014 13:41:36 GMT; path=/; domain=.mediafire.com; httponly
Location: h00p://199.91.153.246/4ejd935utdag/uoqv786sj08g7e2/Application+Form.zip
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

GET /4ejd935utdag/uoqv786sj08g7e2/Application+Form.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 199.91.153.246
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: LRBD-stable-724
Date: Thu, 6 Sep 2012 13:41:37 GMT
Connection: close
Accept-Ranges: bytes
Content-transfer-encoding: binary
Content-Length: 640712
Content-Disposition: attachment; filename="Application Form.zip"
Content-Type: application/zip
Case 2:
--22:46:34--  h00p://205.196.120.110/hj0bpbgpc2rg/uoqv786sj08g7e2/ApplicationForm.zip
           => `ApplicationForm.zip'
Connecting to 205.196.120.110:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2 [following]
--22:46:35--  h00p://www.mediafire.com/?uoqv786sj08g7e2
           => `index.html@uoqv786sj08g7e2'
Resolving www.mediafire.com... 205.196.120.6, 205.196.120.8
Connecting to www.mediafire.com|205.196.120.6|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://199.91.153.58/3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip [following]
--22:46:36--  h00p://199.91.153.58/3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip
           => `Application+Form.zip.1'
Connecting to 199.91.153.58:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 640,712 (626K) [application/zip]

100%[====================================>] 640,712      155.64K/s    ETA 00:00

22:46:40 (149.68 KB/s) - `Application+Form.zip.1' saved [640712/640712]

GET /hj0bpbgpc2rg/uoqv786sj08g7e2/ApplicationForm.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 205.196.120.110
Connection: Keep-Alive

HTTP/1.1 302 Found
Location: h00p://www.mediafire.com/?uoqv786sj08g7e2
Connection: Close

GET /?uoqv786sj08g7e2 HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: www.mediafire.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 06 Sep 2012 13:46:27 GMT
Cache-control: no-cache
Pragma: no-cache
Expires: 0
Set-Cookie: ukey=5l8f4622p85a2nl61q8yadidbjjyx0wr; expires=Thu, 07-Aug-2014 13:46:27 GMT; path=/; domain=.mediafire.com; httponly
Location: h00p://199.91.153.58/3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Server: MediaFire

GET /3h59697w91jg/uoqv786sj08g7e2/Application+Form.zip HTTP/1.0
User-Agent: MalwareMustDie/1.10.1
Accept: */*
Host: 199.91.153.58
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: LRBD-stable-724
Date: Thu, 6 Sep 2012 13:46:27 GMT
Connection: close
Accept-Ranges: bytes
Content-transfer-encoding: binary
Content-Length: 640712
Content-Disposition: attachment; filename="Application Form.zip"
Content-Type: application/zip
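Added example, not code from the original post: the redirect chains above all funnel through one MediaFire quickkey (uoqv786sj08g7e2), so a defender triaging a long URL list wants to pull that key out of every URL form seen here, collapse the list to the files it really represents, and decide from response headers alone whether a chain still ends in a download or in the error.php removal redirect. The hop sequences are constructed from the traces (with plain http, not the defanged h00p), and the quickkey shape is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs
QUICKKEY_RE = re.compile(r"^[a-z0-9]{11,15}$")   # assumed shape of a MediaFire quickkey
# Constructed hop sequences (status, headers) modelled on the traces above; not real captures.
CASE_LIVE = [
    (302, {"Location": "http://www.mediafire.com/?uoqv786sj08g7e2"}),
    (302, {"Location": "http://199.91.153.246/4ejd935utdag/uoqv786sj08g7e2/Application+Form.zip"}),
    (200, {"Content-Type": "application/zip", "Content-Disposition": 'attachment; filename="Application Form.zip"'}),
]
CASE_REMOVED = [
    (302, {"Location": "/error.php?errno=378&quickkey=uoqv786sj08g7e2"}),
    (200, {"Content-Type": "text/html"}),
]

def quickkey_from_url(url):
    """Quickkey a URL refers to, or None. Forms seen in the post: /<token>/<quickkey>/<name>
    on a storage IP, /?<quickkey> on www.mediafire.com, error.php?...&quickkey=<key> when removed."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "quickkey" in qs:
        return qs["quickkey"][0]
    if parts.query and "=" not in parts.query and QUICKKEY_RE.match(parts.query):
        return parts.query
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) == 3 and QUICKKEY_RE.match(segs[1]):
        return segs[1]
    return None

def collapse_by_quickkey(urls):
    """Group a long indicator list by quickkey: many hosts and tokens, few actual files."""
    groups = {}
    for u in urls:
        groups.setdefault(quickkey_from_url(u), []).append(u)
    return groups

def classify_chain(hops):
    """From headers only, decide whether a hop chain ends in a download or a removal redirect."""
    result = {"quickkey": None, "verdict": "unknown", "errno": None, "filename": None}
    for status, headers in hops:
        loc = headers.get("Location", "")
        if loc:
            result["quickkey"] = result["quickkey"] or quickkey_from_url(loc)
            m = re.search(r"error\.php\?.*?errno=(\d+)", loc)
            if m:
                result["verdict"], result["errno"] = "removed", m.group(1)
        elif status == 200 and result["verdict"] == "unknown":
            m = re.search(r'filename="([^"]+)"', headers.get("Content-Disposition", ""))
            if m and headers.get("Content-Type", "").startswith("application/"):
                result["verdict"], result["filename"] = "live", m.group(1)
    return result
```

Because the verdict comes from the 302 Location and the final Content-Disposition, a live check can be done with HEAD requests or a body-less fetch, so re-scanning a list for takedown status never pulls the payload down again.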
I bet there are more of these, since I had to stop my scanning script because it looked never-ending. I downloaded it and it was a plain zip file containing this file: According to the server's timestamp it looks like the trojan was released / uploaded months ago. A quick binary analysis is below:
*) PE Information:
Entry Point at 0x132d3e
Virtual Address is 0x53493e
Sections:
.text   0x2000    0x132944  1255936  <---Entry Point
.sdata  0x136000  0x7d      512
.rsrc   0x138000  0x10470   67072
.reloc  0x14a000  0xc       512

*) Suspicious Points:
CRC Fail! Claimed: 0 Actual: 1358198
Compiled: 0x4F087C53 [Sat Jan 07 17:09:39 2012 UTC]
Compiler Trace: Microsoft Visual C# / Basic .NET / Microsoft Visual Studio .NET
Some URLs:
Checking h00p://ns.adobe.com/xap/1.0/sType/ResourceRef# ... OK
Checking h00p://purl.org/dc/elements/1.1/ ... OK
Checking h00p://www.w3.org/1999/02/22-rdf-syntax-ns# ... OK
Checking h00p://ns.adobe.com/xap/1.0/mm/ ... OK
Checking h00p://ns.adobe.com/xap/1.0/ ... OK
Checking h00p://ns.adobe.com/photoshop/1.0/ ... OK
Checking h00p://ns.adobe.com/exif/1.0/ ... OK
Checking h00p://ns.adobe.com/tiff/1.0/ ... OK
Checking h00p://www.apple.com/DTDs/PropertyList-1.0.dtd ... OK

*) Attribute:
LangID: 000004b0
LegalCopyright: Copyright \xa9 2011
Assembly Version: 1.0.0.0
InternalName: ApplicationForm.exe
FileVersion: 1.0.0.0
ProductName: Microsoft Word
ProductVersion: 1.0.0.0
FileDescription: Microsoft Word
OriginalFilename: ApplicationForm.exe
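Added example, not the analysis tool's output above: a stdlib-only Python check for the three "Suspicious Points" that triage rests on, the COFF compile timestamp, the optional-header CheckSum (claimed vs computed with the standard PE algorithm), and the CLR data directory that marks a .NET assembly. The image it runs on is a constructed 312-byte PE32 header skeleton carrying the timestamp reported above, not the real sample; the CLR VA/size values in it are placeholders.

```python
import datetime, struct

def pe_checksum(data, checksum_off):
    """Standard PE image checksum: 16-bit ones'-complement sum over the whole file,
    skipping the 4-byte CheckSum field, folded to 16 bits, plus the file length."""
    total = 0
    for i in range(0, len(data) & ~1, 2):
        if i in (checksum_off, checksum_off + 2):
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:                       # odd trailing byte
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)

def pe_quick_facts(data):
    """Compile timestamp, CheckSum claimed vs computed, and .NET (CLR header) flag."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt = coff + 20                                        # optional header
    magic = struct.unpack_from("<H", data, opt)[0]         # 0x10B PE32, 0x20B PE32+
    claimed = struct.unpack_from("<I", data, opt + 64)[0]  # CheckSum, same offset in both
    ndirs_off = opt + (92 if magic == 0x10B else 108)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_va = 0
    if ndirs > 14:                                         # directory 14 = CLR runtime header
        clr_va = struct.unpack_from("<I", data, ndirs_off + 4 + 14 * 8)[0]
    computed = pe_checksum(data, opt + 64)
    when = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {"compiled_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "claimed_checksum": claimed, "computed_checksum": computed,
            "checksum_ok": claimed == computed, "dotnet": clr_va != 0}

def build_sample_pe(claimed_checksum=0, dotnet=True):
    """Constructed PE32 header skeleton (no sections) with the post's timestamp; not the sample."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0x4F087C53, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 64, claimed_checksum)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)      # placeholder CLR header VA/size
    return dos + coff + bytes(opt)
```

A CheckSum of 0 means the field was never filled in, which plenty of legitimate non-driver binaries share, so treat the mismatch as a weak signal beside the timestamp and the "Microsoft Word" version info rather than as proof on its own.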
I bet many others have already analyzed this sample, so I just checked it on VT:
MD5: 0ce2039d64903171243b6206dc889807
File size: 1.3 MB ( 1325056 bytes )
File name: ApplicationForm.exe
File type: Win32 EXE
Detection: 30 / 42
Analysis date: 2012-05-07 20:38:32 UTC ( 4 months ago )

Malware Names:
CAT-QuickHeal : TrojanBanker.MSIL.MultiPhishi
McAfee : Artemis!0CE2039D6490
K7AntiVirus : Trojan
TheHacker : Trojan/MultiPhishing.aa
NOD32 : a variant of MSIL/Spy.Banker.O
Symantec : Infostealer.Bancos
Norman : W32/Troj_Generic.NPFX
TrendMicro-HouseCall : TROJ_SPNR.06B512
Avast : MSIL:Banker-A [Trj]
eSafe : Win32.Infostealer.Ba
Kaspersky : Trojan-Banker.MSIL.MultiPhishing.aa
BitDefender : Gen:Variant.Kazy.42127
Comodo : UnclassifiedMalware
F-Secure : Gen:Variant.Kazy.42127
DrWeb : Trojan.Siggen3.42852
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/Kazy.42127.34
TrendMicro : TROJ_SPNR.06B512
McAfee-GW-Edition : Artemis!0CE2039D6490
Emsisoft : Trojan-Banker.MSIL!IK
Jiangmin : Trojan/Banker.MSIL.x
Antiy-AVL : Trojan/MSIL.MultiPhishing.gen
Microsoft : Trojan:Win32/Sisron
GData : Gen:Variant.Kazy.42127
VBA32 : TrojanBanker.MSIL.MultiPhishing.aa
PCTools : Trojan-PSW.Bancos!rem
Ikarus : Trojan-Banker.MSIL
Fortinet : W32/MultiPhishing.AA!tr
AVG : Generic26.CGTQ
Panda : Generic Trojan
Yep, this is a trojan banker which steals your credentials. It was last detected 4 months ago according to the VT database. I am not going to analyze this further because it is an obvious, known and well-handled malware. A complete technical analysis can be found on the Microsoft site↓ And this trojan was reported to be suddenly growing according to this news↓ I hope MediaFire sees this blog and soon gets rid of them from their servers.

4 comments:

  1. Some Q & A I received on twitter:

    1. Q: @MalwareMustDie Great post about cloud-based malware. Have to mention: Dropbox & Fileserve are also widely used for malware spreading.
    A: DropBox & other cloud storage are well known too for malware; the problem is that those phishing/spam mails have links to these URLs, which made me so sick.. #malwareMustDie

    2. Q: These trojans are on the servers for a long time without being wiped out, why?
    A: I don't know, but since they are all linked to spam URLs they should erase them for good, shouldn't they?

  2. Please write any comments or findings related to the story here, or refer to your blog which I can link to. Thank you #MalwareMustDie

  3. Files were removed. Below is the PoC:
    --17:44:14-- http://www.mediafire.com/?uoqv786sj08g7e2
    => `index.html@uoqv786sj08g7e2'
    Resolving www.mediafire.com... 205.196.120.6, 205.196.120.8
    Connecting to www.mediafire.com|205.196.120.6|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: /error.php?errno=378&quickkey=uoqv786sj08g7e2 [following]
    --17:44:14-- http://www.mediafire.com/error.php?errno=378&quickkey=uoqv786sj08g7e2
    => `error.php@errno=378&quickkey=uoqv786sj08g7e2.1'
    Connecting to www.mediafire.com|205.196.120.6|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]

    It said:
    =================================
    File Removed for Violation.
    =================================
