Date: 21 December 2010
Hi all,
A little bit of follow up information in relation to the alert (ASB-2010.0254) we pushed earlier today.
The website hosts some malicious files which are used to exploit the client's system. All of these are poorly detected at the time of writing, though detection is now better than when I first scanned them.
The website attempts to exploit several vulnerabilities. The first is the Java Web Start arbitrary command-line injection (CVE-2010-0886).
javaobe.jar -> MD5 = eaecf10ba5163edd3975e1393bf662e0
Emsisoft 5.1.0.1 2010.12.21 Trojan-Downloader.Java.OpenConnection!IK
GData 21 2010.12.21 Java:Jade-A
Kaspersky 7.0.0.125 2010.12.21 Trojan-Downloader.Java.OpenConnection.ck
Ikarus T3.1.1.90.0 2010.12.21 Trojan-Downloader.Java.OpenConnection
Antiy-AVL 2.0.3.7 2010.12.21 Trojan/Java.OpenConnection
Avast 4.8.1351.0 2010.12.20 Java:Jade-A
Avast5 5.0.677.0 2010.12.20 Java:Jade-A
Sophos 4.60.0 2010.12.21 Mal/JavaHeL-F
Then the website tries to exploit the Help and Support Center (HCP protocol handler) URL validation vulnerability (CVE-2010-1885). This can be seen in the JavaScript. Further along the JavaScript on the site there is a section for detecting the Adobe Reader version: if it is less than version 8 it serves one PDF, and if it is between version 8 and version 9.3.1 it serves a different one. I haven't analysed the PDF files yet but here are the VirusTotal results:
pdf1.pdf -> MD5 = 05d22c4d1e53d2889a516f8113c0b63c
No detection
pdf2.pdf -> MD5 = c3ed1a578cb92b83a55bcecf80564e71
TrendMicro-HouseCall 9.120.0.1004 2010.12.21 TROJ_PIDIEF.SMZB
TrendMicro 9.120.0.1004 2010.12.20 TROJ_PIDIEF.SMZB
The site then drops a file called mxmt.exe. It is not very well detected; at the time of writing these are the only vendors that do detect it.
mxmt.exe -> MD5 = 7e186ad404f718e02585d82c0436e200
BitDefender 7.2 2010.12.21 Gen:Variant.Kazy.6256
GData 21 2010.12.21 Gen:Variant.Kazy.6256
Microsoft 1.6402 2010.12.21 PWS:Win32/Zbot.gen!Y
Comodo 7134 2010.12.21 TrojWare.Win32.Trojan.Agent.Gen
Kaspersky 7.0.0.125 2010.12.21 Packed.Win32.Krap.ao
NOD32 5719 2010.12.20 a variant of Win32/Kryptik.JBF
Antiy-AVL 2.0.3.7 2010.12.21 Packed/Win32.Krap
Prevx 3.0 2010.12.21 Medium Risk Malware
Mxmt.exe creates:
%USERPROFILE%\Application Data\Fevo\ikyle.exe
%USERPROFILE%\Application Data\Xurub\yzmev.ony
mxmt.exe then starts ikyle.exe. This is the main part of the malware. Mxmt.exe is deleted a little later by ikyle.exe.
ikyle.exe -> MD5 = 7cecdd9f7e663b450317e2b23bb4c4f9
Prevx 3.0 2010.12.21 Medium Risk Malware
Emsisoft 5.1.0.1 2010.12.21 Packed.Win32.Krap!IK
AVG 9.0.0.851 2010.12.21 Cryptic.BQY
DrWeb 5.0.2.03300 2010.12.21 Trojan.PWS.Panda.570
F-Secure 9.0.16160.0 2010.12.21 Gen:Variant.Kazy.6226
BitDefender 7.2 2010.12.21 Gen:Variant.Kazy.6226
AhnLab-V3 2010.12.20.06 2010.12.20 Packed/Win32.Krap
GData 21 2010.12.21 Gen:Variant.Kazy.6226
Kaspersky 7.0.0.125 2010.12.21 Packed.Win32.Krap.ao
McAfee 5.400.0.1158 2010.12.21 Artemis!7CECDD9F7E66
McAfee-GW-Edition 2010.1C 2010.12.20 Artemis!7CECDD9F7E66
CAT-QuickHeal 11.00 2010.12.21 (Suspicious) - DNAScan
Ikarus T3.1.1.90.0 2010.12.21 Packed.Win32.Krap
Microsoft 1.6402 2010.12.21 PWS:Win32/Zbot.gen!Y
NOD32 5719 2010.12.20 a variant of Win32/Kryptik.JAK
Panda 10.0.2.7 2010.12.20 Trj/CI.A
VIPRE 7742 2010.12.21 Trojan.Win32.Generic!BT
ikyle.exe creates a key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Ceozub
Under this key it creates some others to store binary data. The malware also performs a number of DNS requests for random-looking domain names, appending a variety of TLDs to each one. This helps the "owners" of the botnet keep control of it, since the bots can find a new command server even if the domains currently in use are taken down. For example, here are a few that are returning NXDOMAIN:
tboofoolgssiuhp.net
tboofoolgssiuhp.org
tvpqvrrskuqkpuk.biz
tvpqvrrskuqkpuk.net
xmgqrtqpwrngquj.net
xmgqrtqpwrngquj.org
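The DNS behaviour above is the kind of thing that is easy to pick out of resolver logs. The following is an added example, not code from the original post: it groups NXDOMAIN responses per client by second-level label and flags clients that tried several long, letter-only, high-entropy labels under two or more TLDs. The log line format (including the `rcode=` field) is an assumption made for this example, and the sample log is constructed, using the domain names listed above plus a few benign lookups.

```python
"""Flag DGA-style NXDOMAIN bursts in DNS resolver logs.

Added example for this write-up; it is not code from the original post.
The log format and the rcode= field are assumptions; the log lines below
are constructed, using the domain names listed in the post.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: one infected client (10.0.0.5) and one benign one.
SAMPLE_LOG = """\
2010-12-21T10:00:01 client 10.0.0.5 query tboofoolgssiuhp.net A rcode=NXDOMAIN
2010-12-21T10:00:01 client 10.0.0.5 query tboofoolgssiuhp.org A rcode=NXDOMAIN
2010-12-21T10:00:02 client 10.0.0.5 query tvpqvrrskuqkpuk.biz A rcode=NXDOMAIN
2010-12-21T10:00:02 client 10.0.0.5 query tvpqvrrskuqkpuk.net A rcode=NXDOMAIN
2010-12-21T10:00:03 client 10.0.0.5 query xmgqrtqpwrngquj.net A rcode=NXDOMAIN
2010-12-21T10:00:03 client 10.0.0.5 query xmgqrtqpwrngquj.org A rcode=NXDOMAIN
2010-12-21T10:00:04 client 10.0.0.5 query www.auscert.org.au A rcode=NOERROR
2010-12-21T10:00:05 client 10.0.0.9 query mail.example.com A rcode=NOERROR
2010-12-21T10:00:06 client 10.0.0.9 query mistypedexampledomain.com A rcode=NXDOMAIN
"""

# Assumed log line shape: "<ts> client <ip> query <qname> <qtype> rcode=<rcode>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_label(qname: str):
    """Return (second-level label, tld) for a name, or None if it has no dot.

    Multi-part public suffixes such as .org.au are not handled here; they
    are excluded in practice because only NXDOMAIN answers are examined.
    """
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return None
    return parts[-2], parts[-1]


def looks_generated(label: str, min_len: int = 12, min_entropy: float = 2.5) -> bool:
    """Heuristic for machine-generated labels: long, letters only, not repetitive."""
    return len(label) >= min_len and label.isalpha() and shannon_entropy(label) >= min_entropy


def find_dga_clients(log_text: str, min_labels: int = 3, min_tlds: int = 2):
    """Return {client: {label: [tlds]}} for clients showing the DGA pattern.

    A client is reported when at least min_labels generated-looking labels
    each came back NXDOMAIN under at least min_tlds different TLDs.
    """
    nx = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        parts = split_label(m["qname"])
        if parts is None:
            continue
        label, tld = parts
        if looks_generated(label):
            nx[m["client"]][label].add(tld)

    hits = {}
    for client, labels in nx.items():
        suspicious = {l: sorted(t) for l, t in labels.items() if len(t) >= min_tlds}
        if len(suspicious) >= min_labels:
            hits[client] = suspicious
    return hits


if __name__ == "__main__":
    for client, labels in find_dga_clients(SAMPLE_LOG).items():
        print(client)
        for label, tlds in sorted(labels.items()):
            print("  %s -> %s" % (label, ", ".join(tlds)))
```

The multi-TLD requirement is what separates this from ordinary typo traffic: the benign client's single misspelt lookup is a long letter-only label too, but it is only tried under one TLD and so is not reported. Thresholds are starting points to tune against your own resolver logs.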
The malware is also set up to start every time the user logs on, via the Run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
{3127FBF5-0638-7A2B-3EF3-960598EBD1E8}
This value contains the expanded path to the malware, %USERPROFILE%\Application Data\Fevo\ikyle.exe.
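A quick way to triage this persistence on a suspect machine, or from a registry dump taken off an image, is to export the Run key and look for the two tell-tales above: a bare GUID as the value name, and a program living under the user's profile data directory. The following is an added example, not code from the original post. It parses the text produced by `reg export` (the "Windows Registry Editor Version 5.00" format) rather than reading the live registry, so it runs anywhere; the dump it works on is constructed, with the GUID and path from this post and two invented benign entries.

```python
"""Triage Run-key persistence in a `reg export` dump.

Added example for this write-up; it is not code from the original post.
The dump below is constructed: the GUID and path are the ones reported
above, the ctfmon.exe and Updater entries are invented benign examples.
"""
import re

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{3127FBF5-0638-7A2B-3EF3-960598EBD1E8}"="C:\\Documents and Settings\\user\\Application Data\\Fevo\\ikyle.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

RUN_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
PROFILE_DIR = re.compile(r"\\(?:application data|appdata|local settings)\\", re.IGNORECASE)
# "name"="data" or @="data"; the data part is kept raw and unescaped later.
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<raw>.*)$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Return {key_path: {value_name: data}} for REG_SZ values only.

    hex:/dword: values are skipped; Run entries are always strings.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        raw = m["raw"]
        if not (raw.startswith('"') and raw.endswith('"')):
            continue
        name = "(Default)" if m["default"] else unescape(m["name"])
        keys[current][name] = unescape(raw[1:-1])
    return keys


def program_path(command: str) -> str:
    """Extract the executable from a Run value: a quoted path, or a bare path up to .exe."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"^(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage_run_keys(text: str):
    """List Run entries with a GUID-style name or a program under the profile data dirs."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, command in values.items():
            path = program_path(command)
            reasons = []
            if GUID_NAME.match(name):
                reasons.append("guid-style value name")
            if PROFILE_DIR.search(path):
                reasons.append("runs from user profile data directory")
            if reasons:
                findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(REG_EXPORT):
        print("%s\\%s -> %s (%s)" % (f["key"], f["name"], f["path"], "; ".join(f["reasons"])))
```

Either tell-tale on its own is only a lead (some legitimate software does start from Application Data), but an entry that shows both, as the ikyle.exe one does, is worth pulling the file for straight away.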
Over and out,
Zane.