Friday, June 16, 2006

Is the AV industry failing?

Well, it's been a while since my last posting on this blog. In the meanwhile, it seems that the sleazebags described here have been quite busy. First of all, they have been putting their trash all over the place in Google by spamming blog comments, putting fake referers, etc. Second, their latest infection method involves a little bit of social engineering technique as well. And third, they have been making sure that antivirus applications miss their newest trojans, or at least some of them (and by the way, most antivirus engines are slipping lately, I've seen even the best of them -- KAV and NOD32, of course -- missing dozens of threats... I'll send you the samples, but get you acts together, please).

Anyway, here's what I found on a new page of theirs while searching for malware in Google (by the way, the sentence "clicca su si", Italian for "click on yes", yelds dozens of malware sites... these people are so damn predictable...)

The page (horus.dnshighspeed.com/~liberaco/2/temisvoltiolocausto.html... do NOT open if you don't know what you're doing) shows graphics like this:



Soon to be followed by a WMF exploit (pic.tiff) and a funny-named executable (www.google.com... clever, huh?). The www.google.com executable has, of course, nothing to do with the domain, but it's a COM command.



When launched, the www.google.com executable tries to contact first 195.225.177.22 on port 80, then 195.225.177.145 on port 80 and will stay active unless you terminate it. Both those IPs correspond to servers in the Ukraine. See a pattern here? Oh, yes... you guessed right.

And so, what do have antivirus applications have to say about that "nice" piece of executable code? This:



You're not doing very good, guys. So being me overly curious, I'm trying to see what these scammers are up to this time, again. So I let my system try to see what kind of good stuff they have for people who try to execute this "www.google.com".

Well, file downloaded from 195.225.177.22 is a random-named executable called "3e2a8d.exe". Will this one be detected? Nope.



This is awful, just awful. Well, let's see what this "3e2a8d.exe" does. It extracts launches a "ptwx1.exe":



A little better. Of course, by this point, you'll likely have already your system infected and rootkited (some system errors that happened in the sandbox I used really seem to indicate that attempt).

EDIT at 4.02: forwarded to a bunch of security sites and sent samples to a bunch of AV companies. KAV detects the first two trojans, now (after I sent them the samples).

EDIT June 20, 3.09 PM: the main downloader is finally starting getting detected:



PS: also detected by BOClean (I contacted them).

EDIT June 23, 0.28 PM: another one has appeared, and this one is YET AGAIN undetected by all the antivirus engines:



The original page was (DO NOT OPEN!) http://www2521.webattrezzi.com/hurghada/; many more domains linking to this malware have actually been created, I found them in link spammed pages. I'm going to post a list here soon.

EDIT June 23, 0.51 PM: here's a (certainly partial) list of the domains to block. Please note that these are DOMAINS that should include all subdomains under them, you can't put them in your HOSTS file (and frankly, from what I've seen the subdomains are probably so many that you most probably won't be able to):

accettazione.com
adluvio.net
allineare.com
ambrato.com
annuncitutti.com
attesa.net
attrezziutili.com
azionamento.com
bruciarsi.com
buoncodice.com
casadiarte.com
codicecarta.com
dannidicervello.com
datiimportanti.com
delsud.net
devevedere.com
eamicizia.com
festaattuale.com
gbeb.cc
gromozon.com
guerredellastella.com
horus.dnshighspeed.com
imparilo.com
importanti.net
lavostraricerca.com
maniinsu.com
nubibianche.com
nuovoordine.com
nuovosenso.com
potetefarli.com
sanguinante.com
sededolce.com
segualo.com
soddisfare.com
speziazona.com
stampabile.net
superaquota.com
unanuovavolta.com
unoprincipali.com
uomodelferro.com
webattrezzi.com

It's quite obvious that these are targeting Italy. It's also obvious that the authors of these exploit/trojans can NOT speak Italian (some words don't make any sense and they clearly come from an automated traslator).

EDIT June 23, 22.02: added gbeb.cc and gromozon.com to the "domains to block" list above, as I'm not sure it was clear (the previous article underlined that THOSE are respectively the javascript loader and the trojan repository, but it was written in Italian).

19 Comments:

Anonymous SpannerITWks said...

Hi TNT,

Nice research and breakdowns etc !

I went to - horus.dnshighspeed.com/~liberaco/2/temisvoltiolocausto.html - with IE fully locked down as usual, got the main page + pic, but no exploit + clicking anywhere did nothing either. Also these IP's you mentioned - 195.225.177.22 + 195.225.177.145 - go straight to - http://www.msn.com/

Spanner

SpannerITWks

7:57 AM  
Blogger TNT said...

You don't really believe 195.225.177.22 and 195.225.177.145 are MSN.com, do you?

Here's what the html on 195.225.177.22 main page contains:

meta http-equiv="refresh" content="0; URL=http://www.msn.com"

In other words, the main page on those IPs redirects you straight to msn.com, but it certainly is NOT msn.com nor has anything to do with it.

As for the exploits, if you don't have javascript enabled or if its restricted some way, they don't work.

11:14 AM  
Anonymous SpannerITWks said...

Here's what i get for - 195.225.177.22 + 195.225.177.145

Address lookup
lookup failed 195.225.177.22 Could not find a domain name corresponding to this IP address.

Domain Whois record
Don't have a domain name for which to get a record

Network Whois record
Whois query for 195.225.177.22 failed: TimedOut

Service scan
FTP - 21 220 netcat22.isprime.com FTP server (Version 6.00LS) ready.
221 You could at least say goodbye.

SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.1 200 OK
Date: Mon, 19 Jun 2006 21:58:02 GMT
Server: Apache/1.3.34 (Unix) PHP/4.4.2
Last-Modified: Wed, 19 Apr 2006 18:32:00 GMT
ETag: "f7c4b-66-44468220"
Accept-Ranges: bytes
Content-Length: 102
Connection: close
Content-Type: text/html
POP3 - 110 +OK Qpopper (version 4.0.8) at netcat22.isprime.com starting. <34215.1150754282@netcat22.isprime.com>
-ERR POP EOF or I/O Error
+OK Pop server at netcat22.isprime.com signing off.

IMAP - 143 Error: ConnectionRefused

-

Yep very suspicious. I already know that the main page on those IP's redirects you straight to msn.com, but ...

I launched 2 instances of IE side by side and went to - 195.225.177.22 - and - http://www.msn.com/ - they both looked exactly the same. I clicked on the " Torrential rain brings deluge to Houston " link on both which goes to - http://www.msnbc.msn.com/id/13418885/ - on both. I viewed the source on both side by side with 2 copies of notepad opened but resized for perfect comparison, they were exactly the same !

So what precisely is supposed to be happening, ONCE you REACH - http://www.msn.com/ - via - 195.225.177.22 + 195.225.177.145 - that way ? Nothing out of the ordinary occurred to me anyway !

Spanner

SpannerITWks

8:26 PM  
Blogger TNT said...

Just because it's on the Internet, it doesn't mean it has to have a domain name. What you should look at is the whois information:

http://www.dnsstuff.com/tools/whois.ch?ip=195.225.177.22

WHOIS results for 195.225.177.22
Generated by www.DNSstuff.com

Location: Ukraine (high)

ARIN says that this IP belongs to RIPE; I'm looking it up there.

Using 4 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '195.225.176.0 - 195.225.179.255'

inetnum: 195.225.176.0 - 195.225.179.255
netname: NETCATHOST
descr: NetcatHosting
country: UA
admin-c: VS1142-RIPE
tech-c: VS1142-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: NETCATHOST-MNT
mnt-routes: NETCATHOST-MNT
notify: **@netcathost.com
changed: **********@ripe.net 20040304
source: RIPE
remarks: ****************************************
remarks: * Abuse contacts: *****@netcathost.com *
remarks: ****************************************

person: Vsevolod Stetsinsky
address: 01110, Ukraine, Kiev, 20?, Solomenskaya street. room 206.
phone: +38 050 6226676
e-mail: **@netcathost.com
nic-hdl: VS1142-RIPE
changed: **@netcathost.com 20040303
source: RIPE

% Information related to '195.225.176.0/22AS31159'

route: 195.225.176.0/22
descr: NETCATHOST (full block)
origin: AS31159
notify: **@netcathost.com
mnt-by: NETCATHOST-MNT
remarks: ****************************************
remarks: * Abuse contacts: *****@netcathost.com *
remarks: ****************************************
changed: **@netcathost.com 20040311
source: RIPE


"I launched 2 instances of IE side by side and went to - 195.225.177.22 - and - http://www.msn.com/ - they both looked exactly the same."

That's because they ARE the same. The meta http-equiv on "index.html" on 195.225.177.22 just tells your browser to be redirected to MSN.com, and your browser does just that. If you DOWNLOAD http://195.225.177.22/index.html, you'll see it cointains the header (I used wget, personally, to download it).

Why does it do that? Clearly, to fool some into thinking 195.225.177.22 belongs to MSN, where it clearly DOES NOT: it belongs to a Coolwebsearch affiliate.

10:07 PM  
Blogger TNT said...

EDIT: they actually changed the default page now to do a redirect through a server http header, but it still doesn't change a thing. The site is still not a MSN site. You can do that on any web server, all it takes is a server-side redirection (this can be done in php, asp, cgi, whatever).

10:27 PM  
Anonymous SpannerITWks said...

Yep very clever, not that i would ever log into Hotmail etc via a link from somewhere else, but i'm sure some people would + do !

CWS they just don't give up do they, and your edit proves that !

Thanx

Spanner

SpannerITWks

2:06 AM  
Blogger TNT said...

By the way (not sure it was clear in the post), the "www.google.com" file, when launched, does contact 195.225.177.22, but it doesn't simply contact http://195.225.177.22, it downloads a trojan from a subdirectory of that.

PS: I'll include another scan at virustotal. www.google.com starts getting detected now.

3:09 AM  
Anonymous ste said...

I like very much your work. I had heavy spam attack on my blogs first with gromozon and then with this strange "waiting soon" thousand-domains-pages. I finally could block them with adding www1, www2 and so on to the movable type blacklist, but from this moment on the attack seem stopped. It seems hand-made and very well done. I'm using Suse Linux so I' can't see what awful things would be happening under windows. The whois for gromozon give name and phone-number.

11:32 PM  
Blogger TNT said...

Thanks ste.

The name and phone number are "almost without any doubt" fake, as it always happens with these exploits sites.

Good thing that you use Linux.

Although those pages apparently don't use any zero-day exploits, there is probably at least five or six exploits on there, including a WMF exploit, a Windows Media Player exploit, .ani exploit, Java ByteVerify exploit, etc. These are all always used by Coolwebsearch. Also, if any of these exploits succeeds in running the trojans (unless the browser is sandboxed some way) it'll probably even drop a rootkit, which means the Windows installation will be completely toast.

1:24 AM  
Anonymous Luke said...

Nothing happens with IE7

4:32 PM  
Anonymous SpannerITWks said...

Hi TNT,

Nice work and info etc on the new nasties over on wilders today ! Can you possibly ZIP + upload them to for eg rapidshare.de and let me have the DL link via a PM on BBR/DSL.

Thanx

Spanner

SpannerITWks

3:50 AM  
Blogger TNT said...

I'm sorry, I'm not registered on the BBR/DSL forums... Any other way other than registering? :)

8:04 PM  
Anonymous SpannerITWks said...

Hi,

I thought you were a member on there ! If you could ZIP and upload them to rapidshare.de and then post the link on here, but change the http to hxxp so it can only be DL'd out of choice to prevent casual DL's.

After i get it i'll post back and you can use the delete link you get to remove it.

TIA

Spanner

3:40 PM  
Anonymous Lapalissiano said...

You can add to domain list

abbracciava.org
altoseggio.com
apigliarle.com
alvestito.com
buonofferta.com
chemiguidi.com
cheproprio.com
contentidivivere.com
cotestopunto.org
diquelli.com
diquestomonte.com
disperatestrida.com
dolceguida.com
dovresti.org
earticolo.com
epromettendo.com
eradaprevedere.com
escherzoso.com
fattaviva.com
fossetardi.com
fuorgirati.com
grandiserto.com
ilsecondo.com
ivielegge.com
lagrimetta.org
lapietate.com
lesensazioni.com
lipiacqui.com
masapienza.com
mioautore.com
nonconoscesti.com
nonpiacque.com
nonsofferse.com
ognemale.com
pocoqueta.com
procurata.org
prestamolto.com
primadipartilla.com
primissimi.com
quelleparole.com
questomale.com
quiviregge.com
raccoglie.com
rimettesse.com
rinvigorito.com
sonopassato.com
sovragiunto.com
studiavano.com
tuanobilitate.com
tuofratello.com
unconto.com
unoscoppio.com
unreprobo.com
vadinanzi.org
viverlieto.com
volontieri.com
vostropagina.com

11:26 AM  
Blogger TNT said...

Grazie lapalissiano. Molti erano giĆ  stati aggiunti alla blocklist (quella linkata a destra), ma alcuni sono nuovi.

Many of these were already in the blocklist (the one linked on the right), but some were new. Thanks.

8:33 AM  
Anonymous Anonymous said...

Hi,

Further to, i've posted a link about your research above in here - From Italy, but not with Love -> www.google.com = V Bad - www.dslreports.com/forum

It's in the Security forum.

This contains other background info + links etc which people might be interested in.

Spanner

8:15 AM  
Anonymous Anonymous said...

dude...
i have this. i know enough to be dangerous, but HOW are you seeing this stuff?? plz contact me (djbohn@comcast.net). i have to get rid of this (hijackthis doesn't see it).
dan

2:03 PM  
Blogger Nepolian said...

Hi,
My laptop is infected with a malicious .dll named cbxwutu.dll and ssttr.dll. I am not able to get rid of it, I tried using Safemode to get into the system to no ends. Anyways, I tried all detection tools e.g. Hijackthis, Spyware SD, Webroot, LSW etc, etc. to no avail Furthermore, it does not show up on the the taskmanger process tab. However, I was able to isolate it under the Manage Add on feature in IE7. Any help to get this pest out of my laptop would be great. Thanks in advance.

10:38 PM  
Anonymous Anonymous said...

spanner,
Will you please contact me, we need to talk.
Rick
~catseyenu~

3:47 AM  

Post a Comment

<< Home

microscopic-scrabbly