Last Updated: 2007-06-16 12:07:05 UTC
by Maarten Van Horenbeeck (Version: 1)
Eric, one of our many valued contributors wrote in yesterday with various spam messages that contained nothing but a short piece of text and a link to a very simple HK domain. Different domains were used in each message.
Subject line: Hello, Pal
When investigating this, we noticed that these domains have no less than 10 authorative nameservers. Most interesting is that each of these appear to be located within an ISPs dynamic IP address range. This is naturally highly suspicious. Random querying for A records shows that a large number of other compromised hosts are being used to host the actual website.
On each of these servers, the index.html page contains nastiness:
- A final piece of human readable text that invites a user to click on a link, should the ‘download not start automatically’. Once you click on this link, a file ‘fun.exe’ will be downloaded from this same web server.
The resulting file ‘fun.exe’ appears to be different on each single server. We have currently seen the following SHA1 hashes:
Detection of the code by regular Anti-virus is very spotty, shown by the following output of Virustotal. These were the only solutions that detected malicious code. As you can see, even these are mostly generic detections:
BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG
CAT-QuickHeal 9.00 06.15.2007 (Suspicious) - DNAScan
DrWeb 4.33 06.16.2007 Trojan.Packed.138
eSafe 126.96.36.199 06.14.2007 Suspicious Trojan/Worm
Fortinet 188.8.131.52 06.16.2007 suspicious
F-Secure 6.70.13030.0 06.15.2007 Tibs.gen111
Kaspersky 184.108.40.206 06.16.2007 Email-Worm.Win32.Zhelatin.eu
Norman 5.80.02 06.15.2007 Tibs.gen111
Sophos 4.18.0 06.12.2007 Mal/EncPk-E
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 06.16.2007 Worm.Win32.Malware.gen (suspicious)
This type of well-prepared and extensive attack is very difficult to shut down, mostly due to the amount of servers and authorities involved. As such, the most effective way of responding would be to have the domain itself taken down. This issue has been reported to the HKCERT as well as the administrators of the .hk TLD. In addition, we’re working with anti virus vendors to improve coverage of both the resulting file and the trojan droppers being used on the malicious site.
Maarten Van Horenbeeck