
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-04-30



Malware from China; Googkle is gone; IM Worm/Botnet going in circles

Published: 2005-04-30
Last Updated: 2005-05-01 07:29:01 UTC
by Daniel Wesemann (Version: 1)

Chinese malware for breakfast


The day started with fellow handler Kevin Hong reporting a malware hosting site in China. We've mirrored the contents and have started analysis. Getting to the core of the mess turns out to be quite difficult, as most AV tools and debuggers simply claim that the files are corrupt and refuse to analyze them. If the files really were corrupt, this would be the end of it -- but a double-click still launches the evil stuff on XP and 2003. Ugh.

Googkle is no more


Remember the diary from four days ago, in which we reported a number of malware sites conveniently hosted only a typo away from google.com? Yesterday, the DNS hoster (joker.com in Switzerland) finally took action and suspended DNS services for all the malware zones (ghoogle, googkle, etc.). Good news for a change.

Freespyware.com


The freeware site Download.com has started a commendable initiative to combat spyware and malware embedded in the free software and shareware available through the site. How difficult it is to keep software repositories free of crud was proven today when a reader reported a trojan inside the BitTorrent client "ABC" that he had just retrieved from the download.com mirror. Closer analysis revealed that the package contained adware identified as "AdWare.WiAD.af" as well as keylogger spyware called "Trojan.Win32.Zapchast". The file has been reported to the abuse department of download.com.

New SDBot / Kelvir / Opanki combination making the rounds


A reader reported receiving an email containing a link to a picture that, once downloaded, turned out to be an EXE. The file came from a host within the netpark.net domain and contained a variant of SDBot. The IRC channel used by the botnet initially instructed all bots to download a copy of W32.Kelvir.AJ. After about an hour, the instructions changed, and a copy of W32.Opanki.A (Symantec: W32.Allim.A) was retrieved instead. Both of these IM worms are retrieved from a box in the angelfire.com domain. W32.Opanki/Allim is a pretty recent (3 days old) AOL IM worm, which in turn spreads a copy of SDBot by downloading it from a host in the anapereira.com domain. The hosters of the various components have been contacted, and one of the boxes is now offline, but the botnet itself is virtually unreachable, hidden behind a bunch of obscure hosters and DNS providers in Germany and Italy.
---------------

Daniel Wesemann

EMail: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'