Threat Level: green Handler on Duty: Basil Alawi S.Taher

SANS ISC: InfoSec Handlers Diary Blog - Spamvertized URL with multistage downloads and lots of spyware InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Spamvertized URL with multistage downloads and lots of spyware

Published: 2008-04-26
Last Updated: 2008-04-29 18:31:19 UTC
by donald smith (Version: 2)
0 comment(s)

A new virus was submitted to us today by a friend of ours known
as SPAM_Buster. The Spamvertized URL redirects to
hxxp://www.tera.cartoes1.com/saudlov.scr

This thing had several download stages and to do a complete
analysis could take a long time. Ultimately it is some type of
spyware/Trojan. I will use VirusTotal and CWSandbox to analysis
some of the binaries involved.

 Saudlov.src 12/32 “recognized” it.
Virus Total Results
http://www.virustotal.com/analisis/021d7c1131b1130f35051d41df
b05370
AntiVir -> TR/Spy.Gen
BitDefender->Trojan.Downloader.Banload.QL
ClamAV->Trojan.Downloader.Banload-4552
F-Secure->Q32/Downloader
Ikarus->Trojan-Downloader.Wn32.Banload.auf
Kaspesky->Heur.Downloader
Norman->W32/Downloader
Panda->Suspicious file
Rising->Trojan.DL.Delf.yhc
Sophos->Mal/Emogen-N
VBA32->Trojan-Downloader.Win32.Banload.tz
WebWasher-Gateway ->Trojan.Spy.Gen
MD5...: 19172589717bd700088e49af196a8a39
SHA1..: 0ad0cfc9d17126ccce07ffce7ae94efb72564c85
SHA256: ebbc15c2236d8615b899267954eb6482cc392be49b56f6a305d050e1e491780e
SHA512: a1a65d6f0e3c4f005ba898aec58dda1b462f0743faea28fd0f9ba609cc205287
e507de2bf2809a4f3ccc18774ee9c203a917b7e8377cf078fdcc993516cb37e7

CWSandbox analysis for saudlov.scr
https://cwsandbox.org/?page=details&id=220785&password=vyagd

Interesting strings in sadlov.scr:
c:\windows\mdword.exe
http://caixa.nexenservices.com/game/game01.exe
c:\windows\mdword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
hxxp://www.terra.com.br/avisolegal/

Looks like it downloads game01.exe and something from
www[dot]terra[dot]com/br/avisolegal/

So I downloaded game01.exe and ran it thru VirusTotal.
1/32 “recognized” it F-Secure called it
“Suspicious:W32/Malware/Gemini
http://www.virustotal.com/analisis/00e6839634881c4b247c0fa983
32ea95

MD5: 7cf3a4ea1422e2f890728a964ec7d877
SHA1: 5bf10216b4163be15b27102ada8f034bb8c0280e
SHA256: 2f2df59bb0997e362cc6b24b3bf8fd0288de07f588ea8670a4e67efcafd78fb6
SHA512:8308de1f3f7e66fe19325c937da1d97bc9dcfaee8a70932e575ec7a79d4a533f17b211fd475a6ceb74
75b3969960ea2a7ed91061e263210a6e81dd7180ebed27


CWSandbox analysis for game01.exe
https://cwsandbox.org/?page=details&id=220822&password=irkom

Game01.exe has several interesting strings.
,hxxp://www.skzinfos.com.br/module/ModCx2.jpg
,hxxp://www.skzinfos.com.br/module/ccciti.jpg
+hxxp://www.skzinfos.com.br/module/citit.jpg
-hxxp://www.skzinfos.com.br/module/ModBrd2.jpg
,hxxp://www.skzinfos.com.br/module/modctl.jpg
,hxxp://www.skzinfos.com.br/module/ModCx1.jpg
+hxxp://www.skzinfos.com.br/module/ieico.jpg
-hxxp://www.skzinfos.com.br/module/ModBrd1.jpg
+hxxp://www.skzinfos.com.br/module/modbb.jpg
-hxxp://www.skzinfos.com.br/module/modsant.jpg
-hxxp://www.skzinfos.com.br/module/ModItit.jpg

So I downloaded them using wget. They are NOT jpegs.
They are PE windows binaries.
I submitted the binaries off to VirusTotal.

ccciti.jpg: 1/32 recognize it.
F-Secure ->Suspicious:W32/Malware!Gemni.
http://www.virustotal.com/analisis/7d9fe4b43ba6006ec2236b581300cef4
MD5...: 2be7e8ef38456531a1167131e8c5f813
SHA1..: 14f22e66fc93a69e19682fda4d5a406ad6a435bc
SHA256: 748c377e3c3bb98a453118499d4ee3006bae980e85523944c4d1adfffe146e18
SHA512: f24f891e313a22050d09332262e433ae62d48f74b86f2f94a5fe1575fd5a9e3c
48835658e4d7400e9b635ba089c772bac85084a47642c7d3f9a01fb9868e4013

CWSandbox report for cccti.jpg
https://cwsandbox.org/?page=details&id=220912&password=nuxln

ieico.jpg: 0/32 recognize it.
MD5...: c2716e7250578d925597e2d0e4cfb61e
SHA1..: ffe8bf78b8af059561df1889b3bfa6bce7e49d16
SHA256: 65249d5b9881693c940212451dcd3ed663fa04d5faf7023c3865947e952ad10d
SHA512: c73029eeb21b068ebddaf48a9339035e39cee94f50ee22e1cf2f0a64eccf3eec
9be6f6dbb4796ef4f5d2af2f8137308f34b611d49c92f38a0d58817fb771ef96

modbb.jpg 0/32 recognize it.
MD5...: 83552437675b3b3e2c7896d5132e1c55
SHA1..: 21c2cdef153fdfdd234bafbc6492998e7d1dc505
SHA256: 5c372fe2a5b894abf124984a99a01360cb007a66ddbfc67eb9fb6bc2a16bc841
SHA512: 45e5ab93748a606e9ca93df1db14f487a687d0e3b2f8a1d993a551dbf334ba23
1f1da0cba8f05dad37adec90cd141f5af54ea724add0c428bdb251c506081004

ModBrd1.jpg 2/32 recognize it.
http://www.virustotal.com/analisis/1ba6837131cb006f0be95a56a1
ae7b03
F-Secure -> Suspicious:W32/Malware!Gemini
Ikarus -> Trojan-Downloader.Win32.Banload.BO
MD5...: 46bc7deda088fdfc83f7cd680dd50306
SHA1..: 1b22c0be1fe35e72c826f8931f5e9b02902fc775
SHA256: faf4ac8dd1f2b32776a68333c03779210ea2aa17dff7dac8a1e7594c3ad67fdc
SHA512: 79c43dff6fb609508e457f2d295229be5f5161a2922a24d34ae754759ade1969
4ad2158437c9baa41e9fc286fb3578bb22d1f8c806ccffaef6ba72fe2298e60b

ModBrd2.jpg 3/32 recognize it.
http://www.virustotal.com/analisis/627cadb1182b5448c903604acc
ccc4ef
ClamAV -> Trojan.Downloader.banload-4567
F-Secure -> Suspicious:W32/Malware!Gemini
Panda -> Suspicious file
MD5...: e9942d01deb1880b216b822e00529e16
SHA1..: 8d98427a0a569c7d77f31199ecaa56d84f9b1808
SHA256: 1709e26ad069926ea1304cde6b5fd3fbe124e66d142ab6e0e4430b77e2be3990
SHA512: ee4a386811a8afcc5be58a7d92f5d623e90edad19e25e7d784096071a283217c
ad21e702654b257a226abc534ffd5df5a8e6274de4de5ac5ecb6ab812553f1a2

modctl.jpg 1/32 recognize it.
http://www.virustotal.com/analisis/df445086c71a9dc87f421907d12f2951
F-Secure-> Suspicious:W32/Malware!Gemini
MD5...: 255385e309203be5d0297a06e846c8bb
SHA1..: 8c9be7e4ec140183edaee743e0f52ff573360889
SHA256: d17b42e47d35ed29827bbc0200146738bdb44d698c190942c3055e86f1e440fb
SHA512: 466984b4fe2810de2485867fe4d1e1864eead8a60992ea39312a4be7376e962c
c558835374298ca259656867fe372535e63769ff43afad31657e3edb705c9c6d

ModCx1.jpg 2/32 recognize it.
http://www.virustotal.com/analisis/461015498f21a611f4ec56fe129
43433
ClamAV -> Trojan.Downloader.banload-4567
F-Secure -> Suspicious:W32/Malware!Gemini
MD5...: 146c37ba985b9f231cc676f3b2f4ca49
SHA1..: 0ec68669eb9b7c05f0707c8dca11f349c280e285
SHA256: b5107d998301ee086bac925c759ea5b80f4459e4d458ec8219420b6a8849c29a
SHA512: 5db644d2885211b1ab8d3f6ccc40c2517519350153764a25106a3afcb7f9fe70
44e78f4f77cbc505665e97c8c4b269e9624ef30a787d724e67ade33b57e3b7e9

MocCx2.jpg 0/32 recognize it.
MD5...: 02ab04a384b2c655c4c22d2aae6a9a0f
SHA1..: ff0689073c220ad0679030247dba748dc23589b4
SHA256: 889087021dfb81b97a1a0e58d201f7e5c066d9ff44c74c133092e707df651b5d
SHA512: 0f7ae9efe50a5000d2705b55f3adcb8f315a0d1736249d49b1abcc56307c5aa8
0b288938b9830149a85309c1dd8958978f71651c4a364a843089135351fa1b96

modsant.jpg 5/32 recognize it.
http://www.virustotal.com/analisis/89c768b4a87676b9a7c450ce62
973e92
ClamAV -> Trojan.Downloader.banload-4567
F-Secure -> Suspicious:W32/Malware!Gemini
Microsoft->TrojanSpy:win32/Bancos.gen!C
Panda->Suspicious file
Sophos Mal/Banspy-I
MD5...: 417fed34ffe6d22e47ef06b49d41a571
SHA1..: 2bb064d18caf0a7ae6925dd09f13a0a9877c55b4
SHA256: 41e0ccdd1b3d143d35af3b9132dc05297f32a3ef26ae6bae36078f6577fe9bf3
SHA512: aedeb2f5eed793314a3a43ff1ae432c3de04cca7476f2402a02bd21f7353c3ce
7878e133e340a4802e3ef012cf5441099829c52fcbfa29c6dfcc34d9d45af5b5

 

UPDATE

There are some additional binaries found in caixa.nexenservices.com/game.

game01_1.exe, game01_2.exe and txt.exe were also found. They are msdos executables. There are some interesting strings in those files.

Interesting strings in game01_02.exe
"Cef.log
Citi.log
Itau.log
Brada.log
Ctl.log
BB.log
Sant.log
Itit.log
OrkDown.log
Theme Manger Mike Lischke"


Cef is a private firm that buys and sells gold.
Citi is Citi bank.
Itau appears to be an italian bank.
BB could be BBBank.de
Sant could be Santo Bank of spain.

We knew this was some type of banking trojan now we know at least some of the banks they are targeting. It appears they used elements of Mike Lischke's theme manager libraries with this binary. http://www.soft-gems.net/index.php?option=com_content&task=view&id=17&Itemid=33

tst.exe contains "BodieExtractor" strings.

Bodie's @xtractor is a tool that is used to extract email addresses from binary files.

 From: http://bodie.hostinggratisargentina.com/ingles.html

"It allows to extract e-mail addresses from any Windows file (Word, Excel, Outlook Express, Web Pages, etc...) Useful if you need to join all the e-mail addresses that you have in your differents O.E. folders, with others that are in files like DOC, XLS, TXT, HTML, etc... The same ones will be listed ordinate alphabetically (without duplicates) and they will be able to be exported to a text file or, to a compatible Outlook file (.CSV)"

So I suspect this tool was included to pull emails from binaries for spamming purposes.

 

Keywords:
0 comment(s)
Diary Archives