
List:       emerging-sigs
Subject:    [Emerging-Sigs] evil domain microsofiz.cn fake patch downloads (generic upx packed binaries)
From:       daniel.clemens () packetninjas ! net (Daniel Clemens)
Date:       2008-06-23 20:03:26
Message-ID: CC3DF143-C202-4CA3-A897-28D7EF4F2B58 () packetninjas ! net

-------- microsofiz.cn ------------

Possible generic UPX signature rule evasion through the similar naming conventions used by the domain, followed by the similar naming conventions used for the downloaded binary, which could confuse users, admins, etc.

v6.windowsupdate.microsoft.com.e.cab.1093928547718.microsofiz.cn******/KP380901.exe

;; ANSWER SECTION:
microsofiz.cn.		14400	IN	SOA	ns1.bulkhostingservice.com. root.microsofiz.cn. 2007100301 14400 3600 1209600 86400
microsofiz.cn.		14400	IN	A	202.75.38.139
microsofiz.cn.		14400	IN	TXT	"v=spf1 a mx ip4:202.75.38.138 ?all"
microsofiz.cn.		14400	IN	MX	10 mail.microsofiz.cn.
microsofiz.cn.		14400	IN	NS	ns1.bulkhostingservice.com.
microsofiz.cn.		14400	IN	NS	ns2.bulkhostingservice.com.

# Generic Rule
# Snort rule headers take IP addresses or variables, not hostnames, so the
# lookalike host is matched on the HTTP Host header instead. sid left blank for assignment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CURRENT_EVENTS Potential Microsoft Patch Trojan Activity"; \
flow:established,to_server; \
content:"GET "; depth:4; \
content:"Host|3a| v6.windowsupdate.microsoft.com.e.cab.1093928547718.microsofiz.cn"; nocase; \
classtype:trojan-activity; sid:; rev:1;)


# Specific Trojan Downloader Rule
# Same Host header match as above, narrowed to the downloader URI. sid left blank for assignment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CURRENT_EVENTS Attempted Microsoft Patch Trojan - Malware Download"; \
flow:established,to_server; \
content:"GET "; depth:4; \
uricontent:"/KP380901.exe"; \
content:"Host|3a| v6.windowsupdate.microsoft.com.e.cab.1093928547718.microsofiz.cn"; nocase; \
reference:url,www.cwsandbox.org/?page=samdet&id=204250&password=ftnzp; \
reference:url,www.virustotal.com/analisis/4540bc7942473d3c54d573b8471060d4; \
classtype:trojan-activity; sid:; rev:1;)

Looks like this piece of malware has been alive since Wed Jun 18 16:24:48 2008 UTC.

Can someone spot check this? I am doing a few other things, but thought I would throw this out to the list.
The binaries are still available; they are UPX packed and written in Visual Basic.

The interesting thing is that after the binary does all sorts of *stuff* on the machine, it then goes to http://mycashloads.com/newuser.php?saff=373.0

Daniel Uriah Clemens
Packetninjas L.L.C
"Imagination is more important than knowledge."-- Albert Einstein
205.567.6850
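The post's evasion point is a hostname that carries the legitimate windowsupdate.microsoft.com labels while the registrable domain is a near-miss of the brand. The following is an added example (not from the post or Emerging Threats) of how a log reviewer could flag such hosts: it approximates the registrable domain without a public-suffix list (an assumption, with a hypothetical GENERIC_SLD set), looks for a protected brand embedded as a label run under a different owner, and checks the owner's second-level label for typo distance from the brand; the sample hosts other than the one in the post are constructed.

```python
# Constructed sample of hostnames as they might appear in proxy or DNS logs.
# The first is the host from the post; the others are made up for this example.
SAMPLE_HOSTS = [
    "v6.windowsupdate.microsoft.com.e.cab.1093928547718.microsofiz.cn",
    "v6.windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "update.microsoft.com.login-example.net",
]
# Brand domains that should only appear under their own registrable domain.
PROTECTED_DOMAINS = ["microsoft.com", "windowsupdate.com"]
# Generic second-level labels under two-letter ccTLDs (com.cn, co.uk, ...).
GENERIC_SLD = {"co", "com", "net", "org", "gov", "ac", "edu"}

def registrable_domain(host: str) -> str:
    """Approximate the owner-controlled domain without a public-suffix list
    (an assumption here): last two labels, or three under a generic SLD."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_SLD:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch microsofiz against microsoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_findings(host: str) -> list:
    """Reasons why host impersonates a protected domain (empty if none)."""
    labels = host.lower().rstrip(".").split(".")
    owner = registrable_domain(host)
    owner_sld = owner.split(".")[0]
    findings = []
    for brand in PROTECTED_DOMAINS:
        if owner == brand:
            continue  # the brand genuinely controls this hostname
        blabels, n = brand.split("."), brand.count(".") + 1
        # Brand appears as a run of labels to the left of the real owner,
        # e.g. v6.windowsupdate.microsoft.com.<...>.microsofiz.cn
        if any(labels[i:i + n] == blabels for i in range(len(labels) - n + 1)):
            findings.append(f"embedded {brand} under {owner}")
        # Owner's second-level label is within typo distance of the brand's.
        if owner_sld != blabels[0] and levenshtein(owner_sld, blabels[0]) <= 2:
            findings.append(f"near-miss {owner_sld} vs {blabels[0]}")
    return findings
```

Run `lookalike_findings` over the Host headers or queried names in a day's logs; the genuine v6.windowsupdate.microsoft.com and download.windowsupdate.com come back clean while the post's host trips both checks.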



