
2008.10.26

Rogue.AntiVirus2009 hosted by McColo

There's a segment of our Beta customers who have a data sharing agreement with us, wherein they allow the appliance to send up the malicious URLs and Botnet activity that it has discovered. 

I wanted to take a quick poke at some of these URLs to see what they were exploiting, where they were hosted, whether they were "dual use" or not, etc. 

A quick background: Last week, our engineering team released a new version of our software to our beta sites.  It detects malicious webpages by replaying a copy of them (that was cached off the wire) against various web browser environments locally on the appliance.  For example, IE7 running Flash 9 and PDF Reader 8, or FF3.0.3 running Real Player 5 and Yahoo Toolbar 6, etc.  (I just made up these plugin versions... they probably aren't accurate).  What it means from a product standpoint is that we can detect web exploits, obfuscated or otherwise, without signatures.  There's a bunch of other stuff our appliance does once it detects an exploit, but this isn't a marketing article. 

As I was following one URL down the rabbit holes that are <IFRAME>s, I came across this gem:
[Image: Mccolo1 (screenshot of the fake Safe Browsing warning)]

The above is obviously trying to emulate the Firefox/Google Safe Browsing feature. When you click it, it brings you to a variety of pages, all of which try to sell you the Fake AV software "AntiVirus 2009". 

Out of curiosity, I went and poked at the server hosting it to see what I could glean.  Imagine my surprise (sarcasm alert!) when I found it was hosted by my good friends at McColo! 

[Image: Mccolo2 (hosting lookup for the server)]

If you look back in our articles, you'll see a fairly deep connection between Malware, Botnets, and McColo.  With the shutdown of Atrivo, McColo seems to be the frontrunner for Botnet/Malware hosting - and who wouldn't appreciate an uptick in business, given this recent "economic downturn"?

10/27 A quick update - The sample in my lab downloaded a new DLL for itself called winsystems.dll last night. hxxp://securedownloadcenter.com/zsa09/winsystems.dll.  I ran it through VirusTotal and 1 out of 32 detected the DLL as malicious.  http://www.virustotal.com/analisis/281885b52905549a55b5cdef33543124. 

10/27 edit 2 - (What is this, a Bill Simmons running diary?!) - It just fetched a new binary - hxxp://securedownloadcenter.com/zsa09/zs880000.exe - Looks like 1 out of 34 this time.  http://www.virustotal.com/analisis/417bda712fb20e73d0aae3335c24c2ea
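As an added example (not part of the original post, and not the appliance's own code), the two second-stage fetches noted in the updates above can be turned into a proxy-log check: it walks Squid-style access log lines, flags the known winsystems.dll and zs880000.exe fetches, and also flags any other .exe/.dll pulled from the same /zsa09/ drop path, since the sample pulled a fresh binary overnight. The log lines, client addresses and the extra zs880001.exe filename are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post above (hxxp:// defanging dropped, host/path only).
STAGE2_HOST = "securedownloadcenter.com"
STAGE2_PATHS = {
    "/zsa09/winsystems.dll": "winsystems.dll (VirusTotal 1/32 on 10/27)",
    "/zsa09/zs880000.exe": "zs880000.exe (VirusTotal 1/34 on 10/27)",
}
STAGE2_PREFIX = "/zsa09/"          # same drop directory, new filename = still suspicious
PE_EXT = re.compile(r"\.(exe|dll)$", re.IGNORECASE)

# Squid native access.log: ts elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log lines (not real traffic); the 10/27 timestamps
# match the post's running diary, and zs880001.exe is a made-up follow-on.
SAMPLE_LOG = """\
1225065600.123 150 10.0.0.5 TCP_MISS/200 412 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1225065612.456 900 10.0.0.5 TCP_MISS/200 98304 GET http://securedownloadcenter.com/zsa09/winsystems.dll - DIRECT/192.0.2.10 application/octet-stream
1225122000.789 1200 10.0.0.5 TCP_MISS/200 204800 GET http://securedownloadcenter.com/zsa09/zs880000.exe - DIRECT/192.0.2.10 application/octet-stream
1225122030.001 1100 10.0.0.7 TCP_MISS/200 51200 GET http://securedownloadcenter.com/zsa09/zs880001.exe - DIRECT/192.0.2.10 application/octet-stream
1225122040.002 30 10.0.0.7 TCP_MISS/200 1024 GET http://securedownloadcenter.com/zsa09/style.css - DIRECT/192.0.2.10 text/css
""".splitlines()


def classify(url):
    """Label a fetched URL if it matches a known or same-path PE indicator, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if (parts.hostname or "") != STAGE2_HOST:
        return None
    if parts.path in STAGE2_PATHS:
        return "known: " + STAGE2_PATHS[parts.path]
    if parts.path.startswith(STAGE2_PREFIX) and PE_EXT.search(parts.path):
        return "new PE from same drop path: " + parts.path
    return None


def scan_log(lines):
    """Return (timestamp, client, label) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m.group("url"))):
            hits.append((m.group("ts"), m.group("client"), label))
    return hits


if __name__ == "__main__":
    for ts, client, label in scan_log(SAMPLE_LOG):
        print(ts, client, label)
```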

A quick aside - Do you think it's time that someone told VirusTotal (who provides an /awesome/ service) that in English analisis is spelled with a "y"?  I know they're not an American company, but it seems like a quick symlink is in order.  

Alex Lanstein @ FireEye Malware Intelligence Labs
Comments/Questions to fgong@fireeye.com
