Friday, June 16, 2006

Is the AV industry failing?

Well, it's been a while since my last posting on this blog. In the meanwhile, it seems that the sleazebags described here have been quite busy. First of all, they have been putting their trash all over the place in Google by spamming blog comments, putting fake referers, etc. Second, their latest infection method involves a little bit of social engineering technique as well. And third, they have been making sure that antivirus applications miss their newest trojans, or at least some of them (and by the way, most antivirus engines are slipping lately, I've seen even the best of them -- KAV and NOD32, of course -- missing dozens of threats... I'll send you the samples, but get your acts together, please).

Anyway, here's what I found on a new page of theirs while searching for malware in Google (by the way, the sentence "clicca su si", Italian for "click on yes", yields dozens of malware sites... these people are so damn predictable...).

The page ( do NOT open if you don't know what you're doing) shows graphics like this:

Soon to be followed by a WMF exploit (pic.tiff) and a funny-named executable ( clever, huh?). The executable has, of course, nothing to do with the domain, but it's a COM command.

When launched, the executable tries to contact first on port 80, then on port 80 and will stay active unless you terminate it. Both those IPs correspond to servers in the Ukraine. See a pattern here? Oh, yes... you guessed right.

And so, what do antivirus applications have to say about that "nice" piece of executable code? This:

You're not doing very well, guys. So, being overly curious, I'm trying to see what these scammers are up to this time. So I let my system try to see what kind of good stuff they have for people who try to execute this "".

Well, file downloaded from is a random-named executable called "3e2a8d.exe". Will this one be detected? Nope.

This is awful, just awful. Well, let's see what this "3e2a8d.exe" does. It extracts and launches a "ptwx1.exe":

A little better. Of course, by this point, you'll likely already have your system infected and rootkited (some system errors that happened in the sandbox I used really seem to indicate that attempt).

EDIT at 4.02: forwarded to a bunch of security sites and sent samples to a bunch of AV companies. KAV detects the first two trojans, now (after I sent them the samples).

EDIT June 20, 3.09 PM: the main downloader is finally starting to get detected:

PS: also detected by BOClean (I contacted them).

EDIT June 23, 0.28 PM: another one has appeared, and this one is YET AGAIN undetected by all the antivirus engines:

The original page was (DO NOT OPEN!); many more domains linking to this malware have actually been created, I found them in link spammed pages. I'm going to post a list here soon.

EDIT June 23, 0.51 PM: here's a (certainly partial) list of the domains to block. Please note that these are DOMAINS, so blocking them should include all subdomains under them; you can't put them in your HOSTS file (and frankly, from what I've seen, the subdomains are probably so many that you most likely won't be able to):

It's quite obvious that these are targeting Italy. It's also obvious that the authors of these exploits/trojans can NOT speak Italian (some words don't make any sense, and they clearly come from an automated translator).

EDIT June 23, 22.02: added and to the "domains to block" list above, as I'm not sure it was clear (the previous article underlined that THOSE are respectively the javascript loader and the trojan repository, but it was written in Italian).
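The note above about blocking DOMAINS rather than hostnames is the practical point of the list: a HOSTS file matches one exact name per line, so it cannot express "this domain and everything under it", while a DNS- or proxy-level block can. The following is an added example (not code from the original post) that shows the difference with a label-wise suffix match; the blocklist entries and hostnames in it are constructed placeholders, not the domains from the post.

```python
"""Added example: checking hostnames against a domain blocklist.

blocked_by_domain() does what a DNS/proxy block does (a domain and all of its
subdomains); blocked_by_hosts_file() does what a HOSTS file entry per blocked
name can do (exact match only). Entries below are constructed placeholders.
"""

# Constructed placeholder blocklist, standing in for the post's own list.
BLOCKED_DOMAINS = {"example-bad.test", "another-bad.test"}


def normalize(host: str) -> str:
    """Lower-case, strip surrounding whitespace and a trailing dot (FQDN form)."""
    return host.strip().lower().rstrip(".")


def blocked_by_domain(host: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if host equals a blocked domain or is any subdomain of one.

    The match is done on whole labels (a.b.c -> b.c -> c), so a name that merely
    ends in the same characters, like notexample-bad.test, is not a hit.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return True
    return False


def blocked_by_hosts_file(host: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """What one HOSTS line per blocked domain achieves: the exact name only.

    Every www1., www2., ... subdomain would need its own line to be caught.
    """
    return normalize(host) in blocklist


def classify(hosts, blocklist=BLOCKED_DOMAINS):
    """For a list of observed hostnames, report which method catches each one.

    Returns {host: (caught_by_domain_block, caught_by_hosts_file)}.
    """
    return {
        h: (blocked_by_domain(h, blocklist), blocked_by_hosts_file(h, blocklist))
        for h in hosts
    }


if __name__ == "__main__":
    # Constructed sample of the kind of www1/www2 subdomain churn described above.
    seen = ["example-bad.test", "www1.example-bad.test", "www2.EXAMPLE-bad.test.",
            "notexample-bad.test", "another-bad.test"]
    for host, (by_domain, by_hosts) in classify(seen).items():
        print(f"{host:28} domain block: {by_domain!s:5} hosts file: {by_hosts}")
```

Run it and the subdomain entries are caught only by the domain-suffix check, which is why the post says the list cannot simply be pasted into a HOSTS file.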


Anonymous SpannerITWks said...


Nice research and breakdowns etc !

I went to - - with IE fully locked down as usual, got the main page + pic, but no exploit, and clicking anywhere did nothing either. Also these IPs you mentioned - + - go straight to -



7:57 AM  
Blogger TNT said...

You don't really believe and are, do you?

Here's what the html on main page contains:

meta http-equiv="refresh" content="0; URL="

In other words, the main page on those IPs redirects you straight to, but it certainly is NOT nor has anything to do with it.

As for the exploits, if you don't have javascript enabled or if its restricted some way, they don't work.

11:14 AM  
Anonymous SpannerITWks said...

Here's what I get for - +

Address lookup
lookup failed Could not find a domain name corresponding to this IP address.

Domain Whois record
Don't have a domain name for which to get a record

Network Whois record
Whois query for failed: TimedOut

Service scan
FTP - 21 220 FTP server (Version 6.00LS) ready.
221 You could at least say goodbye.

SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.1 200 OK
Date: Mon, 19 Jun 2006 21:58:02 GMT
Server: Apache/1.3.34 (Unix) PHP/4.4.2
Last-Modified: Wed, 19 Apr 2006 18:32:00 GMT
ETag: "f7c4b-66-44468220"
Accept-Ranges: bytes
Content-Length: 102
Connection: close
Content-Type: text/html
POP3 - 110 +OK Qpopper (version 4.0.8) at starting. <>
-ERR POP EOF or I/O Error
+OK Pop server at signing off.

IMAP - 143 Error: ConnectionRefused


Yep, very suspicious. I already know that the main page on those IPs redirects you straight to, but ...

I launched 2 instances of IE side by side and went to - - and - - they both looked exactly the same. I clicked on the "Torrential rain brings deluge to Houston" link on both, which goes to - - on both. I viewed the source on both side by side with 2 copies of Notepad open but resized for perfect comparison; they were exactly the same!

So what precisely is supposed to be happening, ONCE you REACH - - via - + - that way? Nothing out of the ordinary occurred to me anyway!



8:26 PM  
Blogger TNT said...

Just because it's on the Internet, it doesn't mean it has to have a domain name. What you should look at is the whois information:

WHOIS results for
Generated by

Location: Ukraine (high)

ARIN says that this IP belongs to RIPE; I'm looking it up there.

Using 4 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% for more details.
% Rights restricted by copyright.
% See

% Information related to ' -'

inetnum: -
descr: NetcatHosting
country: UA
admin-c: VS1142-RIPE
tech-c: VS1142-RIPE
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: NETCATHOST-MNT
notify: **
changed: ********** 20040304
source: RIPE
remarks: ****************************************
remarks: * Abuse contacts: ***** *
remarks: ****************************************

person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20?, Solomenskaya street. room 206.
phone: +38 050 6226676
e-mail: **
nic-hdl: VS1142-RIPE
changed: ** 20040303
source: RIPE

% Information related to ''

descr: NETCATHOST (full block)
origin: AS31159
notify: **
remarks: ****************************************
remarks: * Abuse contacts: ***** *
remarks: ****************************************
changed: ** 20040311
source: RIPE

"I launched 2 instances of IE side by side and went to - - and - - they both looked exactly the same."

That's because they ARE the same. The meta http-equiv on "index.html" on just tells your browser to be redirected to, and your browser does just that. If you DOWNLOAD, you'll see it contains the header (I used wget, personally, to download it).

Why does it do that? Clearly, to fool some into thinking belongs to MSN, where it clearly DOES NOT: it belongs to a Coolwebsearch affiliate.

10:07 PM  
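The whois record quoted in the comment above is in RIPE's RPSL format: "key: value" lines grouped into objects separated by blank lines, with "%" lines being server comments, and the abuse contact hidden inside "remarks:" lines. The following parser is an added example, not code from the post or from RIPE; it runs over a constructed sample record that uses documentation addresses and placeholder contacts rather than the redacted values shown above.

```python
"""Added example: a small parser for RPSL-style whois output (RIPE format).

parse_rpsl() splits the text into objects (dicts of key -> list of values) and
summarize() pulls out the fields an analyst checks first: the inetnum, its
country, the announcing AS and the abuse contact buried in the remarks.
SAMPLE_WHOIS is a constructed record, not real registry data.
"""
import re

# Constructed sample in RIPE RPSL layout; addresses/contacts are placeholders.
SAMPLE_WHOIS = """\
% This is a constructed sample in RIPE RPSL format, not real whois output.
% Rights restricted by copyright.

% Information related to '192.0.2.0 - 192.0.2.255'

inetnum:        192.0.2.0 - 192.0.2.255
descr:          ExampleHosting
country:        UA
admin-c:        XX0000-RIPE
tech-c:         XX0000-RIPE
remarks:        ****************************************
remarks:        * Abuse contacts: abuse@example.test *
remarks:        ****************************************
source:         RIPE

person:         Placeholder Person
nic-hdl:        XX0000-RIPE
source:         RIPE

% Information related to '192.0.2.0/24AS64496'

route:          192.0.2.0/24
descr:          EXAMPLEHOST (full block)
origin:         AS64496
source:         RIPE
"""


def parse_rpsl(text: str):
    """Return a list of objects; each object maps a lower-cased key to the
    list of values seen for it (RPSL keys such as remarks: repeat)."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the current object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):   # server comments, not object data
            continue
        key, sep, value = line.partition(":")
        if not sep:                       # not a key: value line; ignore
            continue
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def summarize(objects):
    """Extract inetnum, descr, country, origin AS and the first abuse address
    found in any remarks: line (the RIPE convention seen in the post)."""
    info = {"inetnum": None, "descr": None, "country": None,
            "origin": None, "abuse": None}
    for obj in objects:
        if "inetnum" in obj:
            info["inetnum"] = obj["inetnum"][0]
            info["descr"] = obj.get("descr", [None])[0]
            info["country"] = obj.get("country", [None])[0]
        if "origin" in obj:
            info["origin"] = obj["origin"][0]
        for remark in obj.get("remarks", []):
            m = re.search(r"abuse contacts?:\s*([^\s*]+)", remark, re.I)
            if m and info["abuse"] is None:
                info["abuse"] = m.group(1)
    return info


if __name__ == "__main__":
    for field, value in summarize(parse_rpsl(SAMPLE_WHOIS)).items():
        print(f"{field:8} {value}")
```

The point of the summary is the one made in the comment: the absence of a reverse DNS name says nothing, while the netblock's country and abuse contact do, and they are recoverable mechanically from the record.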
Blogger TNT said...

EDIT: they actually changed the default page now to do a redirect through a server HTTP header, but it still doesn't change a thing. The site is still not an MSN site. You can do that on any web server; all it takes is a server-side redirection (this can be done in PHP, ASP, CGI, whatever).

10:27 PM  
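The two comments above describe the same trick in two forms: a page whose only content is a meta refresh to another site, and later a server-side redirect sent as an HTTP header. Either way the page on the suspicious IP is not the site it lands you on. The following is an added example (not the post's code) of the check a defender would script for this: given the URL a page was fetched from, its body and its response headers, it recovers the redirect target from either mechanism and flags the case where the target is a different host. The sample HTML and the brand hostname in it are constructed placeholders.

```python
"""Added example: detecting a redirect-only page that hands off to another host.

Handles both forms mentioned in the post: a <meta http-equiv="refresh"> in the
body and a Location: header from a server-side redirect. The sample page and
hostnames are constructed, not taken from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page whose only job is to send the browser elsewhere.
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0; URL=http://www.example-brand.test/"></head>'
               '<body></body></html>')


class _MetaRefreshFinder(HTMLParser):
    """Collect the content= value of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}   # valueless attrs arrive as None
        if a.get("http-equiv", "").lower() == "refresh":
            self.contents.append(a.get("content", ""))


def parse_refresh_content(content: str):
    """'0; URL=http://x/' -> (0, 'http://x/'); None when there is no URL part
    (a bare '5' only reloads the same page and is not a redirect)."""
    m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", content, re.I)
    if not m:
        return None
    return int(m.group(1)), m.group(2).strip()


def redirect_target(html: str, headers=None):
    """URL the page sends the browser to: a Location header wins (that is what
    the server-side variant uses), otherwise the first meta refresh with a URL.
    Returns None if the page does not redirect."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if "location" in headers:
        return headers["location"].strip()
    finder = _MetaRefreshFinder()
    finder.feed(html)
    for content in finder.contents:
        parsed = parse_refresh_content(content)
        if parsed:
            return parsed[1]
    return None


def is_cross_host_redirect(fetched_from: str, html: str, headers=None) -> bool:
    """True when a page served from one host immediately redirects to a
    different host, the pattern the comments above describe."""
    target = redirect_target(html, headers)
    if target is None:
        return False
    src = (urlparse(fetched_from).hostname or "").lower()
    dst = (urlparse(target).hostname or "").lower()
    return bool(dst) and dst != src


if __name__ == "__main__":
    # Fetched from a bare IP (documentation range), body is the sample page.
    print(redirect_target(SAMPLE_HTML))
    print(is_cross_host_redirect("http://192.0.2.10/", SAMPLE_HTML))
    # Same thing done with a server-side redirect instead of the meta tag.
    print(is_cross_host_redirect("http://192.0.2.10/", "",
                                 {"Location": "http://www.example-brand.test/"}))
```

A hit from this check is exactly the situation in the thread: the browser ends up on the real site, so side-by-side page sources look identical, and only the fetched bytes (or headers) of the first hop show what happened.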
Anonymous SpannerITWks said...

Yep, very clever, not that I would ever log into Hotmail etc. via a link from somewhere else, but I'm sure some people would + do!

CWS, they just don't give up, do they, and your edit proves that!




2:06 AM  
Blogger TNT said...

By the way (not sure it was clear in the post), the "" file, when launched, does contact, but it doesn't simply contact, it downloads a trojan from a subdirectory of that.

PS: I'll include another scan at virustotal. starts getting detected now.

3:09 AM  
Anonymous ste said...

I like your work very much. I had a heavy spam attack on my blogs, first with gromozon and then with this strange "waiting soon" thousand-domains-pages. I finally could block them by adding www1, www2 and so on to the Movable Type blacklist, but from this moment on the attack seems stopped. It seems hand-made and very well done. I'm using Suse Linux so I can't see what awful things would be happening under Windows. The whois for gromozon gives a name and phone number.

11:32 PM  
Blogger TNT said...

Thanks ste.

The name and phone number are "almost without any doubt" fake, as it always happens with these exploits sites.

Good thing that you use Linux.

Although those pages apparently don't use any zero-day exploits, there are probably at least five or six exploits on there, including a WMF exploit, a Windows Media Player exploit, an .ani exploit, a Java ByteVerify exploit, etc. These are all always used by Coolwebsearch. Also, if any of these exploits succeeds in running the trojans (unless the browser is sandboxed some way) it'll probably even drop a rootkit, which means the Windows installation will be completely toast.

1:24 AM  
Anonymous Luke said...

Nothing happens with IE7

4:32 PM  
Anonymous SpannerITWks said...


Nice work and info etc. on the new nasties over on Wilders today! Can you possibly ZIP + upload them to, for example, and let me have the DL link via a PM on BBR/DSL?




3:50 AM  
Blogger TNT said...

I'm sorry, I'm not registered on the BBR/DSL forums... Any other way other than registering? :)

8:04 PM  
Anonymous SpannerITWks said...


I thought you were a member on there! If you could ZIP and upload them to and then post the link on here, but change the http to hxxp so it can only be DL'd out of choice, to prevent casual DLs.

After I get it I'll post back and you can use the delete link you get to remove it.



3:40 PM  
Anonymous Lapalissiano said...

You can add to domain list

11:26 AM  
Blogger TNT said...

Thanks lapalissiano. Many had already been added to the blocklist (the one linked on the right), but some are new.

Many of these were already in the blocklist (the one linked on the right), but some were new. Thanks.

8:33 AM  
Anonymous Anonymous said...


Further to, I've posted a link about your research above in here - From Italy, but not with Love -> = V Bad -

It's in the Security forum.

This contains other background info + links etc which people might be interested in.


8:15 AM  
Anonymous Anonymous said...

I have this. I know enough to be dangerous, but HOW are you seeing this stuff?? Please contact me ( I have to get rid of this (HijackThis doesn't see it).

2:03 PM  
Blogger Nepolian said...

My laptop is infected with malicious .dlls named cbxwutu.dll and ssttr.dll. I am not able to get rid of them; I tried using Safe Mode to get into the system, to no end. Anyway, I tried all the detection tools, e.g. HijackThis, Spyware SD, Webroot, LSW etc., etc., to no avail. Furthermore, it does not show up on the Task Manager process tab. However, I was able to isolate it under the Manage Add-ons feature in IE7. Any help to get this pest out of my laptop would be great. Thanks in advance.

10:38 PM  
Anonymous Anonymous said...

Will you please contact me, we need to talk.

3:47 AM  