2013-03-07



in the IP: 173.246.102.2
At the below network registration:

It has new, updated infections in these URLs, here-->>[UrlQuery]
At the below IP:

↑The GeoIP result is↓
I checked it further and found a Blackhole Exploit Kit:

As a reference infector (URL)-->>[urlquery.net]
And a long list of historical reports of the same IP-->>[urlquery.net]
The Blackhole exploit kit configuration itself is a better-tuned one: it allows only one try, so requesting it with bad parameters will get you a 502 or 404. In short, if you put everything right as per our guide-->>[here], you'll get the usual BHEK payload download URL as below:

↑The details of decoding the BHEK payload were covered many times in our previous posts, so forgive me for not discussing it here. I'll go straight to the next "important" part.

I received a separate report from "a friend" about an active TDS endpoint, and another separate report of a spam destination, both pointing to the same infector server but with a different domain name, as per the URL below:

Yes, both routes have the same destination IP: 173.246.102.2. Overall, this infection is a double-route scheme of TDS/Spam combined with Blackhole to deliver a payload, which is the main point of this post.

The Fake Adobe download page looks like below (looks lame, doesn't it?):
A view via Internet Explorer:
A view via Mozilla Firefox: (sorry for the Japanese browsers I used..)

which has a redirect script, as per below:

If we follow this, you'll get the payload URL, a fake Flash Player updater:

You can safely see the snapshot of this payload here-->>[URLQuery]

"What is with this payload? Why is the double-route infection scheme so necessary?"
These questions will be answered by studying the payloads as follows:

Payload: Fake Adobe Flash Updater

The bad guys are using the Adobe Flash update season to release this fake updater together with the lame Adobe home page. The payload binary looks like below:

↑The binary itself is encoded with a packer that uses anti-reversing loops to keep us from getting the imports data, suggesting this wasn't the work of automation. Packer information:

Hex of the 1st block:

The picture of the binary is like this:
↑Well, it looks convincing... except that if you run it you'll see the "different" work, as per below:
The below is the overall summary of this infection:
1. When run, the malware connects to these remote hosts:

2. Sending the HTTP/1.1 POST, i.e.:
3. And then it sends a download request for OTHER malware to:

PoC:
4. The downloaded file was saved in %Temp%:
5. With a little help from an evil BAT file, the payload was saved in %AppData% as a randomly named DLL:
6. The DLL saved in %AppData% was executed via RUNDLL32.EXE, and after running it made changes in the registry:

7. And it executed iexplore.exe with the "-Embedding" option:
8. Then via iexplore.exe it started the next series of malware downloads from megaupload.com:
9. And also some malformed UDP/137 requests were sent:
What is the purpose of the POST request? Yes friends, it is to steal credentials. The below information is what this malware aims to steal:

PLUS MORE credentials from this list of software-->>[PASTEBIN]
How bad is this malicious stuff?

The above data leads to the conclusion that the Fake Flash Updater is a Trojan PWS Win32/Fareit variant (this verdict is judged by the list of data grabbed, the usage of the particular packer and binary crypting, and the HTTP/1.0 header used); see the definition here too-->>[Microsoft]. The first downloaded binary malware, a "fake" DLL, is a variant of Trojan Downloader Win32/Medfos, a malware downloader that fetches other malware planted on various free-download sites (in our case megaupload.com), with the reference here-->>[Microsoft]

What's the purpose of this IP's infection then?

The purpose is to grab as many of the victims' credentials as possible by using a Fake Software Updater as the front-end infection. Just like the pages with the URLs we saw, there are many other Fake Updaters served under other IPs too, and they all use the typical bogus URL of http://[2digitnumber].[fakebrowser-bogus-strings].com/[adobe|chrome|other updater possibilities]/, which suggests the action of the same cyber crime group, for example as found in IP: 173.255.215.242 by our friend @hugbomb here:

Fake Adobe Flash Player Updates for Chrome:

Fake Google Chrome Update

The currently active domains pointed to the IPs used by this criminal group, 173.255.215.242 and 173.246.102.2, are strongly suggested to be blocked, i.e. the list below:

To IP: 173.246.102.2

To IP: 173.255.215.242

PS: Please use the complete list made by Mr. Conrad Longmore here-->>[Dynamoo Blog]
Note that the domains change frequently; to nail this scheme perfectly you will need to understand how they use domain registration, as per the details below:

If you see what I see, the malware moronz' group is serving malware domains with a pattern: legit domains registered at GoDaddy with DOMAINCONTROL.COM DNS, which are somehow hacked; these domains are used as infectors by adding numerical subdomains through their DNS. Don't ask me how the crime group gained control of these domains, which could be procedural or technical leaks. This matter should be strongly noted to GoDaddy (registrar), DomainControl (DNS provider) and, at a higher authority, ICANN, so they are aware of this malicious scheme.
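As an added example (not code from the post or from MalwareMustDie), here is a small Python detector for the two indicators described above: the bogus URL shape http://[2digitnumber].[bogus-strings].com/[adobe|chrome]/ and the trick of adding numeric subdomains through a hijacked domain's DNS. It matches proxy log URLs against the pattern and groups hits by registrable domain, so several numeric labels under one domain stand out. The log lines and hostnames are constructed, and the "timestamp client url" line layout is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URL shape the post attributes to this group:
#   http://<2-digit number>.<fake-browser-style name>.com/<adobe|chrome|...>/
# The numeric label is a subdomain added through the (hijacked) domain's DNS;
# the first path segment names the software the fake "update" imitates.
HOST_RE = re.compile(r"^(?P<label>\d{2})\.(?P<domain>[a-z0-9-]+\.com)$", re.I)
LURE_PATHS = {"adobe", "chrome"}  # lure names shown in the post; extend as needed

def classify_url(url):
    """Return indicator fields for a URL matching the pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = HOST_RE.match(host)
    if not m:
        return None
    segments = [s for s in parts.path.split("/") if s]
    lure = segments[0].lower() if segments else ""
    return {"host": host, "label": m.group("label"), "domain": m.group("domain"),
            "lure": lure, "known_lure": lure in LURE_PATHS}

def scan_proxy_log(lines):
    """Group hits from 'timestamp client url' lines by registrable domain, so
    several numeric labels on one domain (the DNS-abuse pattern) stand out."""
    by_domain = defaultdict(lambda: {"labels": set(), "clients": set(), "lures": set()})
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip it
        hit = classify_url(fields[2])
        if hit is None:
            continue
        entry = by_domain[hit["domain"]]
        entry["labels"].add(hit["label"])
        entry["clients"].add(fields[1])
        entry["lures"].add(hit["lure"])
    return dict(by_domain)

# Constructed sample proxy lines (not from the post): the matching hostnames are
# made up to follow the pattern; the last line is a legitimate Adobe URL.
SAMPLE_LOG = [
    "2013-03-07T10:01:02Z 10.0.0.5 http://22.bogusbrowser-sample.com/adobe/",
    "2013-03-07T10:03:44Z 10.0.0.9 http://31.bogusbrowser-sample.com/chrome/",
    "2013-03-07T10:05:10Z 10.0.0.5 http://1.notmatching-sample.com/adobe/",
    "2013-03-07T10:06:00Z 10.0.0.7 http://www.adobe.com/go/getflashplayer",
]
if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
```

A domain showing up with more than one numeric label across clients is the signal to escalate to the registrar and DNS provider, as the post suggests.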

VirusTotal detection of Trojan Medfos-->>[URL], summary:

And the samples download for research purposes is here--->>[MEDIAFIRE]
And these are the PCAP data I recorded-->>[HERE]
*) Please feel free to contact us by Twitter for more research materials :-)

Today's #FAKE Adobe Flash Player Update"/#BHEK infector domain, URI: 22(.)bodysculpt*(.)com, PoC: urlquery.net/search.php?q=2… IP: 174.140.167.197

— Malware Crusaders (@MalwareMustDie) March 15, 2013

#MalwareMustDie! The NPO of Engineers who care of security | http://www.malwaremustdie.org
