Tuesday, October 27, 2009

Advanced Virus Remover with LuckySploit ** hxxp://morning1.cn

SEO poisoning is a common trend used to spread rogue AV software. Usually this type of attack is coupled with keywords for a relevant big event or related terms. Today, what I found was totally different from the common behavior noted on various security blogs.

Upon visiting the rogue AV site, users are no longer presented with the standard fake scanner page that pushes them to download the rogue AV software. The new method installs on the user's system directly, without any user interaction. The user's desktop wallpaper is changed to "YOUR SYSTEM IS INFECTED", and a red icon appears in the taskbar's icon panel.



What happens behind the scenes is that a visit to the compromised website is redirected to the LuckySploit site.


After de-obfuscation


The redirector at hostname "morning1.cn" redirects to a LuckySploit page that looks similar to this.

Obfuscated code

First layer - de-obfuscated

Second layer - de-obfuscated

CLSIDs found:

- BD96C556-65A3-11D0-983A-00C04FC29E30
- BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014)
- AB9BCEDD-EC7E-47E1-9322-D4A210617116 (MDAC Vulnerability)
- 0006F033-0000-0000-C000-000000000046
- 0006F03A-0000-0000-C000-000000000046
- 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
- 6414512B-B978-451D-A0D8-FCFDF33E833C
- 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
- 06723E09-F4C2-43c8-8358-09FCD1DB0766
- 639F725F-1B2D-4831-A9FD-874847682010
- BA018599-1DB3-44f9-83B4-461454C84BF8
- D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
- E8CCCDDF-CA28-496b-B050-6C07C962476B (CVE-2007-0717)
- 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF (CVE-2008-0015)


MS Office Web Components Spreadsheet (OWC10.Spreadsheet Exploit)
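As an added illustration (not code from this post or from the kit), a small Python checker that pulls CLSIDs out of a captured, de-obfuscated exploit page and labels the ones this post lists for LuckySploit; the sample page and the cutoff of three known hits are constructed assumptions.

```python
import re
# CLSIDs the LuckySploit page in this post probes, with the post's annotations
# ("unlabelled" where the post gives none); keys are upper-cased for matching.
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E30": "unlabelled",
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MS06-014",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116": "MDAC Vulnerability",
    "0006F033-0000-0000-C000-000000000046": "unlabelled",
    "0006F03A-0000-0000-C000-000000000046": "unlabelled",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3": "unlabelled",
    "6414512B-B978-451D-A0D8-FCFDF33E833C": "unlabelled",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D": "unlabelled",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766": "unlabelled",
    "639F725F-1B2D-4831-A9FD-874847682010": "unlabelled",
    "BA018599-1DB3-44F9-83B4-461454C84BF8": "unlabelled",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19": "unlabelled",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B": "CVE-2007-0717",
    "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF": "CVE-2008-0015",
}

# 8-4-4-4-12 hex groups, any case, with or without a "clsid:" prefix in front.
CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

def extract_clsids(text):
    """Distinct CLSIDs in text, upper-cased, in order of first appearance."""
    seen = []
    for m in CLSID_RE.finditer(text):
        clsid = m.group(0).upper()
        if clsid not in seen:
            seen.append(clsid)
    return seen

def classify(text):
    """Map each CLSID found to the post's label, or None if the kit does not probe it."""
    return {c: KNOWN_CLSIDS.get(c) for c in extract_clsids(text)}

def looks_like_luckysploit(text, threshold=3):
    """Flag a page probing at least `threshold` of the kit's CLSIDs (assumed cutoff)."""
    hits = [c for c, label in classify(text).items() if label is not None]
    return len(hits) >= threshold

# Constructed sample of a de-obfuscated probe page (not the real kit's markup).
SAMPLE = """
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="o1"></object>
<object classid="clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF" id="o2"></object>
<object classid="clsid:E8CCCDDF-CA28-496b-B050-6C07C962476B" id="o3"></object>
<object classid="clsid:12345678-1234-1234-1234-123456789ABC" id="o4"></object>
"""
```

Running `classify(SAMPLE)` on the constructed page labels three of the four CLSIDs from the post's list and returns None for the unknown one, so `looks_like_luckysploit(SAMPLE)` reports True.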

Once a vulnerable component is detected on the system, the JavaScript containing the malware download links for "Setup.exe" and "go.jpg" is triggered. "Setup.exe" currently has a detection rate of about 2.44 percent on VirusTotal. :(


"go.jpg" currently has a detection rate of about 7.32 percent on VirusTotal, and contains code like the below.



Finally, another two malware files, "SetupAdvancedVirusRemover.exe" (the rogue AV itself) and "dfghfghgfj.dll", are downloaded to the system. The samples have detection rates of 48.79 percent and 63.42 percent on VirusTotal respectively.


Malicious IP addresses involved:
- morning1.cn - 91.212.198.152 (Russia)
- coolcount1.com - 91.207.116.55
- downloadavr7.com - 91.207.116.55

Domains sharing the same IP address: 91.212.198.152



Domains sharing the same IP address: 91.207.116.55


Thanks,

--X0end
