List: emerging-sigs
Subject: [Emerging-Sigs] evil domain microsofiz.cn fake patch downloads (generic upx packed binaries)
From: Daniel Clemens <daniel.clemens@packetninjas.net>
Date: 2008-06-23 20:03:26
Message-ID: <CC3DF143-C202-4CA3-A897-28D7EF4F2B58@packetninjas.net>
-------- microsofiz.cn ------------
Possible generic UPX signature rule evasion, by the similar naming
conventions used by the domain, followed by the similar naming
conventions used for the downloaded binary, which could confuse users,
admins, etc.
v6.windowsupdate.microsoft.com.e.cab.1093928547718.microsofiz.cn******/KP380901.exe
;; ANSWER SECTION:
microsofiz.cn. 14400 IN SOA ns1.bulkhostingservice.com. root.microsofiz.cn. 2007100301 14400 3600 1209600 86400
microsofiz.cn. 14400 IN A 202.75.38.139
microsofiz.cn. 14400 IN TXT "v=spf1 a mx ip4:202.75.38.138 ?all"
microsofiz.cn. 14400 IN MX 10 mail.microsofiz.cn.
microsofiz.cn. 14400 IN NS ns1.bulkhostingservice.com.
microsofiz.cn. 14400 IN NS ns2.bulkhostingservice.com.
/* Generic Rule */
/* Snort does not resolve hostnames in the rule header, so the destination is
   $EXTERNAL_NET and the domain is matched in the HTTP Host header instead. */
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CURRENT_EVENTS Potential Microsoft Patch Trojan Activity"; \
flow:established,to_server; \
content:"GET "; depth:4; \
content:"Host|3a| "; nocase; \
content:".microsofiz.cn"; nocase; distance:0; \
classtype:trojan-activity; sid:; rev:1;)
/* Specific Trojan Downloader Rule */
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"ET CURRENT_EVENTS Attempted Microsoft Patch Trojan - Malware Download"; \
flow:established,to_server; \
content:"GET "; depth:4; \
uricontent:"/KP380901.exe"; \
content:"Host|3a| "; nocase; \
content:".microsofiz.cn"; nocase; distance:0; \
reference:url,www.cwsandbox.org/?page=samdet&id=204250&password=ftnzp; \
reference:url,www.virustotal.com/analisis/4540bc7942473d3c54d573b8471060d4; \
classtype:trojan-activity; sid:; rev:1;)
Looks like this piece of malware has been alive since Wed Jun 18
16:24:48 2008 UTC.
Can someone spot-check this? I am doing a few other things, but
thought I would throw this out to the list.
The binaries are still available - they are upx packed, and written in
visual basic.
The interesting thing is that after the binary does all sorts of stuff on
the machine, it then goes to http://mycashloads.com/newuser.php?saff=373.0
Daniel Uriah Clemens
Packetninjas L.L.C
"Imagination is more important than knowledge."-- Albert Einstein
205.567.6850
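The two naming tricks Daniel points out (a legitimate-looking update hostname used as the leading labels of an attacker-owned domain, and a KB-style patch filename served from a host that is not Microsoft's) can be checked on proxy logs outside of Snort. The following is an added example written for this page, not code from the original post or from Emerging Threats; the trusted-suffix list, the log format and every log line are constructed assumptions, and the registrable-domain helper deliberately takes the naive "last two labels" approach.

```python
"""Flag HTTP requests that imitate Microsoft Update hostnames or patch filenames.

Added example (not from the original post): the heuristics below encode the
two naming tricks described in the thread, a legitimate-looking name used as
the leading labels of an attacker-controlled domain, and a KB-style patch
filename served from a host that is not Microsoft's.
"""
import re
from typing import List, Tuple

# Assumption: hosts under these suffixes are the only legitimate patch sources.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Brand strings that should never appear in a hostname outside TRUSTED_SUFFIXES.
BRAND_TOKENS = ("microsoft", "windowsupdate")

# KBnnnnnn.exe is the real convention; KPnnnnnn.exe is the imitation from the post.
PATCH_NAME_RE = re.compile(r"/K[BP]\d{6}\.exe$", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (the part an attacker actually owns).

    Naive on purpose: it is wrong for multi-label public suffixes such as co.uk;
    a production detector should consult a public-suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_trusted(host: str) -> bool:
    """True when the host is exactly a trusted suffix or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_request(host: str, path: str) -> List[str]:
    """Return the reasons a request looks like a fake-patch download.

    An empty list means nothing suspicious. Trusted hosts are never flagged,
    so the real update servers do not trip the brand-token check.
    """
    if is_trusted(host):
        return []
    reasons = []
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        reasons.append("brand-in-subdomain")
    if PATCH_NAME_RE.search(path):
        reasons.append("patch-like-filename")
    return reasons


def scan_log(log_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse 'client host path' lines and return the flagged ones with reasons."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, host, path = parts
        reasons = classify_request(host, path)
        if reasons:
            flagged.append((client, host, path, reasons))
    return flagged


# Constructed sample proxy log (assumed format), one request per line: client host path.
SAMPLE_PROXY_LOG = """\
10.0.0.5 v6.windowsupdate.microsoft.com.e.cab.1093928547718.microsofiz.cn /KP380901.exe
10.0.0.6 download.windowsupdate.com /msdownload/update/KB123456.exe
10.0.0.7 www.example.org /index.html
10.0.0.8 updates.example.org /KB123456.exe
"""


if __name__ == "__main__":
    for client, host, path, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}{path}: {', '.join(reasons)} "
              f"(registrable domain {registrable_domain(host)})")
```

Running it flags the microsofiz.cn request on both counts and the KB-named download from updates.example.org on the filename alone, while the genuine windowsupdate.com download passes. The suffix check is on the whole hostname, not a substring, which is exactly why the brand-in-subdomain case is caught: "microsoft.com" appears in the name but the host does not end with ".microsoft.com".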