Friday, January 16, 2009

Update: Analysis of 121.12.173.218

*** From one of our Analysts ***

Today, I became aware of a new community portal at http://mwm.rising.com.cn/ [via: http://www.thedarkvisitor.com/2009/01/new-interactive-website-tracks-malicious-programs-in-china/].

It provides some interesting statistics as well as top 5 malicious domains. One of those domains serves exploits that connect to the prior EvilFingers analysis [at http://evilfingers.blogspot.com/2009/01/analysis-of-12112173218.html]. Specifically, I used the jsunpack.jeek.org analysis tool to identify the purpose of the JavaScript and identify several malicious executables.

Analysis of the iframes at
alimcma .3322.org/b107224/b10.htm [analysis at http://jsunpack.jeek.org/dec/go?url=alimcma.3322.org_b107224_b10.htm]
alimcma .3322.org/a0076159/a07.htm [analysis at http://jsunpack.jeek.org/dec/go?url=alimcma.3322.org_a0076159_a07.htm]

Shows one executable at qq.18i16.net_exe1_ce.css:
Sections ( PSÿÕ«ëçà @üV@ wB@ü @ )
File: MS-DOS executable, MZ for MS-DOS
Packer: Upack V0.37 -> Dwing,Upack v0.399 -> Dwing,
Strings:UNPACKED %s\Down_Temp\%d.exe
Strings:UNPACKED http://121.12.173.218/w/ce.txt
Size: 2596 bytes,
MD5: d3e56ea1a1a5f8d7e21cae20a4d63805

From that executable, we can see that ce.txt is a downloader, and hxxp://121.12.173.218/w/ce.txt reveals additional executables for us to analyze.
http://jsunpack.jeek.org/dec/go?url=121.12.173.218_baidu.exe
http://jsunpack.jeek.org/dec/go?url=121.12.173.218_tan_ce.exe

*** From one of our Analysts ***

http://jsunpack.jeek.org/dec/go?url=121.12.173.218_baidu.exe:

Sections ( PS�ի��� @@�C �eC�@ )
File: MS-DOS executable, MZ for MS-DOS
Packer: Upack V0.37 -> Dwing,
Strings:UNPACKED C:\%08X
Strings:UNPACKED XsMenu.exe
Strings:UNPACKED .exe
Strings:UNPACKED SoftWare\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Strings:UNPACKED human.exe
Strings:UNPACKED \human.exe
Strings:UNPACKED \winhlp32.exe
Strings:UNPACKED \mmc.exe
Strings:UNPACKED %windir%\system32\userinit.exe
Strings:UNPACKED %windir%\system32\mmc.exe
Strings:UNPACKED http://121.12.173.218/uu
Strings:UNPACKED %windir%\hh.exe
Strings:UNPACKED %windir%\system32\calc.exe
Strings:UNPACKED %windir%\system32\netstat.exe
Strings:UNPACKED %windir%\system32\edit.com
Strings:UNPACKED %windir%\system32\command.com
Strings:UNPACKED %windir%\system32\ftp.exe
Strings:UNPACKED %windir%\winhlp32.exe
Strings:UNPACKED %windir%\winhelp.exe
Strings:UNPACKED %windir%\twunk_32.exe
Strings:UNPACKED %windir%\twunk_16.exe
Strings:UNPACKED %s\data.exe
Strings:UNPACKED %s\pack_%d.exe
Strings:UNPACKED %s\kill.exe
Strings:UNPACKED %windir%\system32\winhlp32.exe
Strings:UNPACKED c:\windows\main.exe
Strings:UNPACKED ntoskrnl.exe
Size: 21608 bytes,
MD5: e8d700f2af2a2048e900e7a0b17c0ef8

http://jsunpack.jeek.org/dec/go?url=121.12.173.218_tan_ce.exe:

Sections ( .nsp0 .nsp1 .nsp2 )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Packer: NsPack 2.9 -> North Star,
Size: 5368 bytes,
MD5: f095d29bc1f6d49bdc295e19dae07d1a

Tsk, tsk, tsk... 121.12.173.218 is so naughty and their ISP still lets them do it...

- EF
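The two analyst reports above are jsunpack's static triage of the dropped executables: section names, a packer guess, unpacked strings, size and MD5. The following Python is an added example, not jsunpack's code and not part of the original post, that reproduces that triage over a constructed stand-in sample carrying NsPack's `.nsp0`-`.nsp2` section names and the two downloader strings seen in ce.css. The section-name fingerprints and the Upack heuristic (PE header overlapping the DOS header, which is why the Upack samples above show unprintable section names) are my assumptions for illustration, not a signature database.

```python
# Added example: minimal static triage of a PE sample, mirroring the
# jsunpack-style report (sections, packer guess, strings, size, MD5).
# Illustrative code, not jsunpack's own implementation.
import hashlib
import re
import struct

# Section-name fingerprints (assumed) for NsPack, as seen in tan_ce.exe, and UPX.
SECTION_FINGERPRINTS = {
    "NsPack": {b".nsp0", b".nsp1", b".nsp2"},
    "UPX": {b"UPX0", b"UPX1"},
}

# Strings of the kind the report flags: URLs, drive paths, %windir%/%s paths,
# registry key fragments.
INTERESTING = re.compile(rb"^(https?://|[A-Za-z]:\\|%windir%|%s\\|software\\)", re.I)
PRINTABLE = re.compile(rb"[\x20-\x7e]{5,}")


def parse_sections(data):
    """Return (e_lfanew, [section names]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size             # section table starts after optional header
    names = []
    for i in range(num_sections):
        off = first + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return e_lfanew, names


def guess_packer(e_lfanew, names):
    """Name a packer from section names, or flag an Upack-style header overlap."""
    present = set(names)
    for packer, fingerprint in SECTION_FINGERPRINTS.items():
        if fingerprint <= present:
            return packer
    # Heuristic (assumption): Upack places the PE header inside the DOS header,
    # so e_lfanew is tiny and the section names are leftover garbage.
    if e_lfanew < 0x40:
        return "Upack-like (overlapping DOS/PE header)"
    return None


def interesting_strings(data):
    """ASCII strings of 5+ characters that look like URLs or host paths."""
    return [s for s in PRINTABLE.findall(data) if INTERESTING.match(s)]


def triage(data):
    e_lfanew, names = parse_sections(data)
    return {
        "sections": [n.decode("latin-1") for n in names],
        "packer": guess_packer(e_lfanew, names),
        "strings": [s.decode("latin-1") for s in interesting_strings(data)],
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
    }


def build_sample():
    """Constructed stand-in (not the real malware): NsPack section names plus
    the two downloader strings the report lists for ce.css."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    names = [b".nsp0", b".nsp1", b".nsp2"]
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    optional = b"\0" * 224                                       # PE32 optional header, zeroed
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    body = (b"\0" * 16 + b"%s\\Down_Temp\\%d.exe\0"
            + b"http://121.12.173.218/w/ce.txt\0" + b"\0" * 16)
    return dos + b"PE\0\0" + coff + optional + sections + body


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing `build_sample()` with the file's bytes; the URL strings it pulls out are the pivot the analyst used to reach ce.txt and the next stage.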
