404 toolkit used by Vundo creators

March 9th, 2008 by Loucif Kharouni (Threats Analyst)

While checking my personal spam emails received yesterday, I got interested in a certain email asking the user to view adult pictures by clicking on the following picture:

Once you click on the picture, it links to hxxp://{BLOCKED}-carvalhal.pt/tits.exe, a malicious file detected as TROJ_SHEUR.HD (the link, however, has been unavailable since yesterday afternoon).

Once I got hold of this file, I was curious to know what could be on the main page of this web site, so I simply typed hxxp://{BLOCKED}-carvalhal.pt into my browser's address bar. I then got thoroughly infected by a succession of malware loading in memory, reminding me of a 404 toolkit which, at the end of its infection, installs a rogue anti-virus product named WinIFixer on the system:

I decided to take a closer look at the main page's source code, which turned out to contain two scripts redirecting to two different URLs:

Once these scripts are executed, access to your computer becomes nearly impossible, as it is too busy loading iframes, scripts and malware.

Let’s now take hxxp://{BLOCKED}hosting.net/404.php which redirects us to:

And hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20 redirects us to:

The downloaded file t.php is an encoded script which also redirects us to another location to acquire malware.

Two more files are loaded, an HTM file and a file named svchost.t__, which downloads the following files:

  • FR
  • |429–hxxp://{BLOCKED}.65.239.42/msc61/u_f1_v34_78.exe
  • |406–hxxp://{BLOCKED}.65.239.42/msc61/inst250.exe
  • |428–hxxp://{BLOCKED}.65.239.42/msc61/krab.exe
  • |251–hxxp://{BLOCKED}.54.89.222/loader.exe
  • |230–hxxp://{BLOCKED}.65.239.42/msc61/ldig002.exe
  • |437–hxxp://{BLOCKED}.65.239.42/msc61/terasole.exe
  • |374–hxxp://{BLOCKED}.65.239.42/msc61/2302.exe
  • |

To summarize the web site architecture behind all of this, here is a short diagram:

hxxp://{BLOCKED}-carvalhal.pt  (JS_CLICKER.ZU)
  |
  |link
  ---> hxxp://{BLOCKED}hosting.net/404.php
         |
         |script
         ---> hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20
                |
                |iframe
                ---> hxxp://{BLOCKED}nhex.org/t.php

Here are all the URLs called in this threat:

  • hxxp://{BLOCKED}-carvalhal.pt/tits.exe
  • hxxp://{BLOCKED}-carvalhal.pt/
  • hxxp://{BLOCKED}forama.com/tds/in.cgi
  • hxxp://{BLOCKED}hosting.net/404.php
  • hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20
  • hxxp://{BLOCKED}nhex.org/t.php
  • hxxp://{BLOCKED}8.72.168.176/e-n0303vt/index.php
  • hxxp://{BLOCKED}5.93.219.206/gr/index.php
  • hxxp://{BLOCKED}landdreams.com/check/versionl.php?t=577
  • hxxp://{BLOCKED}landdreams.com/check/n14041.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14042.htm

The following ones were not called, but knowing the 404 rootkit, I assumed they existed. I tried to retrieve them and found them all to be live:

  • hxxp://{BLOCKED}landdreams.com/check/n14043.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14044.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14045.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14046.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14047.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14048.htm
  • hxxp://{BLOCKED}landdreams.com/check/n14049.htm

By decrypting some code within some of the HTM files above, I found the following links to be malicious:

  • http://{BLOCKED}earscontract.com/check/vers195.php?q=3
  • http://{BLOCKED}earscontract.com/check/vers195.php
  • http://{BLOCKED}.93.219.206/gr/ - fake apache error, due to Winifixer installation
  • http://{BLOCKED}.93.219.206/gr/loader.exe
  • http://{BLOCKED}.93.219.206/1stat/get_exa.php
  • http://{BLOCKED}.93.219.206/1stat/get_exb.php
  • http://{BLOCKED}.93.219.206/1stat/get_exc.php
  • http://{BLOCKED}.93.219.206/1stat/get_exd.php
  • http://{BLOCKED}.93.219.206/1files/mix/file1.exe
  • http://{BLOCKED}.93.219.206/1files/mix/file2.exe
  • http://{BLOCKED}.93.219.206/1files/mix/file3.exe
  • http://{BLOCKED}.93.219.206/1files/mix/file4.exe
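As an added example, not from the original post: matching the indicator lists above against proxy logs. Because the front of every host name and the first octet of every IP is redacted as {BLOCKED}, an exact host match is impossible, so the script reduces each indicator to a host-suffix plus exact-path pattern (plus the query string where the indicator carries one, as in.cgi?20 does). The Squid-style log lines, the xx-prefixed host names and the private 10.65.239.42 address in them are constructed for this example.

```python
"""Match the post's defanged indicators against proxy log lines.

Added example, not code from the original post. Each hxxp://{BLOCKED}...
indicator becomes a (host suffix, path, query) pattern that is compared
against the URL field of Squid native access-log lines. Log lines and the
hosts in them are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the indicator list from the post, kept in defanged form.
INDICATORS = [
    "hxxp://{BLOCKED}-carvalhal.pt/",
    "hxxp://{BLOCKED}-carvalhal.pt/tits.exe",
    "hxxp://{BLOCKED}hosting.net/404.php",
    "hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20",
    "hxxp://{BLOCKED}nhex.org/t.php",
    "hxxp://{BLOCKED}.65.239.42/msc61/krab.exe",
    "hxxp://{BLOCKED}.65.239.42/msc61/inst250.exe",
]


def indicator_pattern(ioc):
    """Turn 'hxxp://{BLOCKED}hosting.net/404.php' into
    ('hosting.net', '/404.php', '')."""
    parts = urlsplit(ioc.replace("hxxp://", "http://"))
    return (parts.netloc.replace("{BLOCKED}", "").lower(),
            parts.path or "/",
            parts.query)


def url_matches(pattern, url):
    """Host must end with the unredacted suffix and the path must be identical;
    when the indicator carried a query string (in.cgi?20 selects the TDS
    campaign) the query must match too, otherwise any query is accepted."""
    host_suffix, path, query = pattern
    parts = urlsplit(url)
    if not parts.netloc.lower().endswith(host_suffix):
        return False
    if (parts.path or "/") != path:
        return False
    return not query or parts.query == query


def scan(lines, indicators=INDICATORS):
    """Return (client_ip, url, indicator) for every matching request, in log
    order. Squid native format: time elapsed client code/status bytes method URL ..."""
    patterns = [(ioc, indicator_pattern(ioc)) for ioc in indicators]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        for ioc, pattern in patterns:
            if url_matches(pattern, url):
                hits.append((client, url, ioc))
                break
    return hits


def hits_by_client(hits):
    """Group matched URLs per client so the chain one host walked through
    can be read in request order."""
    grouped = defaultdict(list)
    for client, url, _ in hits:
        grouped[client].append(url)
    return dict(grouped)


# Constructed log lines: xx-prefixed hosts and a private 10.x address stand in
# for the redacted parts. Client 10.0.0.5 walks the whole chain; 10.0.0.9 only
# fetches one dropper plus two near-misses (wrong campaign id, unknown file).
SAMPLE_LOG = """\
1205066100.101 233 10.0.0.5 TCP_MISS/200 8841 GET http://xx-carvalhal.pt/ - DIRECT/192.0.2.10 text/html
1205066100.402 120 10.0.0.5 TCP_MISS/200 512 GET http://xxhosting.net/404.php - DIRECT/192.0.2.11 text/html
1205066100.655 98 10.0.0.5 TCP_MISS/200 301 GET http://xxogle-analystic.com/in.cgi?20 - DIRECT/192.0.2.12 text/html
1205066101.010 410 10.0.0.5 TCP_MISS/200 2214 GET http://xxnhex.org/t.php - DIRECT/192.0.2.13 text/html
1205066103.330 870 10.0.0.5 TCP_MISS/200 77312 GET http://10.65.239.42/msc61/krab.exe - DIRECT/10.65.239.42 application/octet-stream
1205066105.000 45 10.0.0.9 TCP_HIT/200 31200 GET http://cdn.example.com/jquery.js - NONE/- application/javascript
1205066106.120 77 10.0.0.9 TCP_MISS/200 280 GET http://xxogle-analystic.com/in.cgi?21 - DIRECT/192.0.2.12 text/html
1205066107.500 66 10.0.0.9 TCP_MISS/404 320 GET http://10.65.239.42/msc61/other.exe - DIRECT/10.65.239.42 text/html
1205066108.900 640 10.0.0.9 TCP_MISS/200 61440 GET http://10.65.239.42/msc61/inst250.exe - DIRECT/10.65.239.42 application/octet-stream
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for client, urls in hits_by_client(scan(SAMPLE_LINES)).items():
        print(client)
        for url in urls:
            print("   ", url)
```

A suffix match on a short, redacted host fragment can catch unrelated domains, which is why the exact path is required as well; the trade-off is that a renamed dropper (other.exe above) is missed, so the per-client grouping is the more useful signal: a host that requested 404.php, then in.cgi?20, then t.php in quick succession walked the chain whatever the final binary was called.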

Since yesterday, the malicious script on hxxp://{BLOCKED}-carvalhal.pt/ has already been modified. Trend Micro detects the script as HTML_IFRAME.GQ.

All files gathered, as well as the malicious URLs, have already been submitted.

An Ethereal capture and a video (25Mb) of the whole infection are available on demand.

Here is a short list of all malware detected:

  • ctfmona.exe -> TROJ_DLOADER.JG
  • Fsd9mk4g.dll -> TROJ_DLOADER.DUF
  • inst250.exe -> TROJ_DROPPER.DRL
  • Jfs9jg.dll -> TROJ_SMALL.BKJ
  • krab.exe -> TROJ_AGENT.WNQ
  • ldig002.exe -> TROJ_DLOADER.ENR
  • msgk429.exe -> TROJ_DNSCHANGE.Y
  • symavc32.sys -> TROJ_ROOTKIT.EZ
  • u_f1_v34_78.exe -> TROJ_DNSCHANGE.Y
  • winlogan.exe -> TROJ_DLOADER.DJH
  • Wmgq44.sys -> TROJ_ROOTKIT.EZ
  • ieupdr2.exe -> TROJ_DLOADER.LSI
  • ie_updates3r.exe -> TROJ_DLOADER.LSI
  • jf-carvalhal[1].txt -> JS_CLICKER.ZU
  • loader.exe -> TROJ_CUTWAIL.AR
  • msgk251.exe -> TROJ_CUTWAIL.AR
  • nwan.dat -> TROJ_PROXY.TO
  • terasole.exe -> BKDR_MOMIBOT.B
  • tits.exe -> TROJ_SHEUR.HD
  • WinIFixer.exe -> TROJ_WINFIXER.FD
  • winlugan.exe -> TROJ_DLOADER.LSI
  • WLCtrl32.dll -> TROJ_AGENT.ANX
