
SANS ISC: InfoSec Handlers Diary Blog



Malware hosted on 3322.org AGAIN!

Published: 2007-08-15
Last Updated: 2007-08-15 21:07:56 UTC
by donald smith (Version: 2)

If you Google for l61.3322.org you will find LOTS of "script" links to http://l61DOT3322DOTorg/eDOTjs. Note that the first character of the hostname is a lowercase L, not a 1.

Be careful: that JavaScript attempts to exploit vulnerabilities in some browsers.

Fellow Handler BojanZ said this about that malicious piece of JavaScript:

“The attached JS file calls other JS files (from various servers). At least one of them tries to exploit an old vulnerability (MS06-014 - Microsoft Data Access Components (MDAC)). Other JS files redirect the browser to different sites:

http://wwwdot777seodotcom/seodotphp?username=happygold
http://wwwdotovosearchdotcom/advertising/?ref=happygold
http://kikclickdotcom/portal/?ref=happygold

(these are click-through affiliate web sites)”

3322.org is a dynamic DNS provider and has hosted malware several times in the past, including an element of the Word zero-day exploit reported in May 2006:
http://isc.sans.org/diary.html?storyid=1348

It was also used as the FTP download site for a SAV (Symantec AntiVirus) based worm in December 2006:
https://isc.sans.org/diary.html?storyid=1945

Thanks Bryan and Evan for bringing this to our attention.
I recommend monitoring your IDS, firewall and other logs for access to l61DOT3322DOTorg; if you see any access, check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks blocked 3322.org as a whole during the Word zero-day exploit in 2006.
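One way to do that log check, as an added Python example that is not part of the diary: it refangs the defanged hostnames from this diary back into real names, then scans proxy and DNS log lines for those hosts (and, optionally, anything under the 3322.org zone, since blocking the whole zone is what the diary says many networks did) and reports which internal clients touched them. The log lines are constructed for the example in Squid access-log and BIND query-log style; the assumption that the first IPv4 address on a line is the internal client, and that "DOT" in the diary's spelling means a literal ".", are mine.

```python
import re
from collections import defaultdict

# Indicators from the diary, kept in its defanged "DOT" spelling and
# refanged below. Assumption: "DOT" stands for a literal "." and nothing else.
DEFANGED_IOCS = [
    "l61DOT3322DOTorg",        # e.js, wmm.htm, 0614.htm, IE.htm, qq.exe
    "happy91DOT9966DOTorg",    # 200512.exe, dd.exe
    "wwwDOT777seoDOTcom",      # affiliate click-through redirects
    "wwwDOTovosearchDOTcom",
    "kikclickDOTcom",
]

def refang(name):
    """Turn the diary's defanged 'l61DOT3322DOTorg' into 'l61.3322.org'."""
    return name.replace("DOT", ".").lower()

IOC_HOSTS = {refang(n) for n in DEFANGED_IOCS}

# Zones treated as wholly blocked: the diary notes many networks blocked
# 3322.org outright, so any subdomain of it counts as a hit.
BLOCKED_ZONES = ("3322.org",)

HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def host_matches(host, iocs=IOC_HOSTS, zones=BLOCKED_ZONES):
    """True on an exact IOC match, or if host is (or is inside) a blocked zone."""
    host = host.lower().rstrip(".")
    if host in iocs:
        return True
    return any(host == z or host.endswith("." + z) for z in zones)

def scan_logs(lines, iocs=IOC_HOSTS, zones=BLOCKED_ZONES):
    """Map each internal client to the sorted list of IOC hosts it touched.

    Assumption: the first IPv4 address on a line is the internal client
    (true for Squid access logs and BIND query logs, not for every format).
    """
    hits = defaultdict(set)
    for line in lines:
        m = IPV4_RE.search(line)
        client = m.group(1) if m else "unknown"
        for host in HOST_RE.findall(line):
            if host_matches(host, iocs, zones):
                hits[client].add(host.lower())
    return {c: sorted(h) for c, h in hits.items()}

# Constructed sample lines (Squid access-log and BIND query-log style);
# they are not captured traffic from the incident.
SAMPLE_LOGS = [
    "1187200001.123    312 10.1.2.17 TCP_MISS/200 1842 GET http://l61.3322.org/e.js - DIRECT/1.2.3.4 application/x-javascript",
    "1187200002.456    120 10.1.2.17 TCP_MISS/200 9012 GET http://l61.3322.org/hxw/wmm.htm - DIRECT/1.2.3.4 text/html",
    "1187200003.789    200 10.1.2.17 TCP_MISS/200 65536 GET http://happy91.9966.org/hxw/hx/dd.exe - DIRECT/5.6.7.8 application/octet-stream",
    "1187200004.001     90 10.1.2.44 TCP_HIT/200 512 GET http://www.example.com/index.html - NONE/- text/html",
    "Aug 15 14:02:11 ns1 named[1234]: client 10.1.2.91#5321: query: m38.3322.org IN A +",
]

def find_suspect_clients(lines=SAMPLE_LOGS):
    """Clients that should be checked for malware, with the hosts they contacted."""
    return scan_logs(lines)

if __name__ == "__main__":
    for client, hosts in sorted(find_suspect_clients().items()):
        print(f"{client}: check for malware, contacted {', '.join(hosts)}")
```

The zone match is deliberately separate from the exact IOC list: a hostname such as 3322.org.example.net must not match, only names equal to or ending in ".3322.org" do. Whether to block the zone rather than just l61.3322.org is the policy decision the diary leaves to you; the code takes either.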

UPDATE: Jose Nazario of Arbor Networks provided the following analysis:
“e.js fetches http://l61dot3322dotorg/hxw/wmm.htm which has iframes pointing to

http://l61dot3322dotorg/hxw/0614.htm and http://l61dot3322dotorg/hxw/IE.htm

0614.HTM exploits ADODB.Stream()

IE.HTM exploits the following:

Exploited software                         CVE ID (none listed means no CVE match was found)
RDS.DataSpace (MS06-014)                   CVE-2006-0003
Microsoft WMIScriptUtils.WMIObjectBroker   CVE-2006-4704
SoftwareDistribution.WebControl.1
Outlook Data Object
DExplore.AppObj.8.0
Business Object Factory
Microsoft.DbgClr.DTE.8.0
VsaIDE.DTE
VisualStudio.DTE.8.0
Outlook.Application
VsmIDE.DTE”

After exploiting any of those vulnerabilities, both pages download and run http://l61dot3322dotorg/hxw/qq.exe, which in turn downloads two more files. Detection results for those two files are below; AV vendors that did not detect them are not listed.
http://happy91dot9966dotorg/hxw/hx/200512.exe
AV engine                       Country  Signature
Avira (antivir)                 DE       HEUR/Crypted
ClamAV                                   Trojan.Crypted-4
F-Secure                        FI       Hupigon.gen130
Ikarus                          AT       Backdoor.VB.EV
Norman                          NO       Hupigon.gen130
Securecomputing (webwasher)     US       Heuristic.Crypted
Sunbelt                         US       VIPRE.Suspicious

http://happy91dot9966dotorg/hxw/hx/dd.exe
AV engine                       Country  Signature
Aladdin (esafe)                 IL       Suspicious Trojan/Worm
Avira (antivir)                 DE       TR/Dldr.Delf.ALF.2
BitDefender                     RO       Trojan.Downloader.Delf.ALF
CAT (quickheal)                 IN       TrojanDownloader.Delf.bfu
Eset (nod32)                    US       Win32/TrojanDownloader.Delf
Fortinet                        US       W32/Delf.ALF!tr.dldr
F-Secure                        FI       Trojan-Downloader.Win32.Delf.bfu
Ikarus                          AT       Trojan-Downloader.Delf.ALF
Kaspersky                       RU       Trojan-Downloader.Win32.Delf.bfu
Panda                           ES       Trj/Downloader.PAG
Prevx                           GB       Trojan.DownZero
Securecomputing (webwasher)     US       Win32.ModifiedUPX.gen!90 (suspicious)
Sophos                          GB       Mal/Basine-C
VirusBlokAda (vba32)            BY       Trojan-PSW.Game.63 ()
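If you pull e.js or wmm.htm down yourself (with a non-browser client, on an isolated box), a quick static pass against the indicators in Jose's analysis above tells you whether a page is part of this chain before you spend time on it. The following is an added Python example, not code from the diary or from Arbor Networks: it extracts ActiveX ProgIDs instantiated via `new ActiveXObject(...)`, VBScript `CreateObject(...)` and `<object progid=...>`, hidden-iframe targets, `.exe` URLs and hostnames, and checks them against the ProgID list and hosts given in the diary. The sample page is constructed to mirror the structure described above (iframes to 0614.htm and IE.htm, ActiveX instantiation, a qq.exe URL) and is not the real malicious page; the assumption that "dot" in the diary's defanged hostnames is a literal "." is mine.

```python
import re

# ProgIDs the diary's analysis lists as targeted by 0614.htm and IE.htm,
# with the CVE the diary gives where it gives one ("" = none listed there).
# This is the page's list, not a complete inventory of exploitable controls.
LISTED_PROGIDS = {
    "adodb.stream": "",
    "rds.dataspace": "CVE-2006-0003",                   # MS06-014
    "wmiscriptutils.wmiobjectbroker": "CVE-2006-4704",
    "softwaredistribution.webcontrol.1": "",
    "outlook data object": "",
    "dexplore.appobj.8.0": "",
    "business object factory": "",
    "microsoft.dbgclr.dte.8.0": "",
    "vsaide.dte": "",
    "visualstudio.dte.8.0": "",
    "outlook.application": "",
    "vsmide.dte": "",
}

# Hosts from the diary's exploit chain (assumption: the diary's defanged
# "dot" is a literal ".").
IOC_HOSTS = {"l61.3322.org", "happy91.9966.org"}

# JS `new ActiveXObject("X")`, VBScript `CreateObject("X")`, and an <object>
# tag carrying a progid attribute, found in document order.
PROGID_RE = re.compile(
    r"""(?i)(?:ActiveXObject|CreateObject)\s*\(\s*["']([^"']+)["']"""
    r"""|<object\b[^>]*\bprogid\s*=\s*["']?([^"'\s>]+)"""
)
IFRAME_RE = re.compile(r"""(?i)<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""")
EXE_RE = re.compile(r"""(?i)https?://[^\s"'<>]+\.exe\b""")
URL_HOST_RE = re.compile(r"""(?i)https?://([^/\s"'<>:]+)""")

def classify_progid(progid):
    """CVE string for a listed ProgID ("" if listed without one), else None.

    A trailing version suffix is dropped on the second try so that
    'WMIScriptUtils.WMIObjectBroker.1' still matches the listed name.
    """
    key = progid.strip().lower()
    if key in LISTED_PROGIDS:
        return LISTED_PROGIDS[key]
    return LISTED_PROGIDS.get(re.sub(r"\.\d+$", "", key))

def triage(page):
    """Static first pass over fetched HTML/JS against the diary's indicators."""
    listed, unknown = [], []
    for m in PROGID_RE.finditer(page):
        progid = m.group(1) or m.group(2)
        cve = classify_progid(progid)
        if cve is None:
            unknown.append(progid)          # instantiated, but not on the diary's list
        else:
            listed.append((progid, cve))
    hosts = {h.lower() for h in URL_HOST_RE.findall(page)}
    return {
        "listed_progids": listed,
        "unknown_progids": unknown,
        "iframes": IFRAME_RE.findall(page),
        "exe_urls": EXE_RE.findall(page),
        "ioc_hosts": sorted(hosts & IOC_HOSTS),
        "suspicious": bool(listed) or bool(hosts & IOC_HOSTS),
    }

# Constructed stand-in for wmm.htm with the structure the diary describes
# (hidden iframes to 0614.htm and IE.htm, ActiveX instantiation, an .exe
# URL). It is not the actual malicious page.
SAMPLE_PAGE = """<html><body>
<iframe src="http://l61.3322.org/hxw/0614.htm" width=0 height=0></iframe>
<iframe src=http://l61.3322.org/hxw/IE.htm width=0 height=0></iframe>
<script>
var d = new ActiveXObject("RDS.DataSpace");
var s = new ActiveXObject("ADODB.Stream");
var u = "http://l61.3322.org/hxw/qq.exe";
var x = new ActiveXObject("Msxml2.XMLHTTP");
</script>
<script language="vbscript">
Set w = CreateObject("WMIScriptUtils.WMIObjectBroker.1")
</script>
</body></html>"""

def triage_sample():
    return triage(SAMPLE_PAGE)

if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Treat this as a first pass only: the diary itself notes that the JS files call other JS files, and exploit pages commonly build ProgIDs from concatenated or escaped strings ("RDS." + "Data" + "Space", unescape("...")), which these regexes will not see. Unescape or run such scripts through a JavaScript interpreter with a stubbed `ActiveXObject` before trusting a clean result, and list anything in `unknown_progids` for manual review rather than ignoring it.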
