New Virus (Dec 12)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 12, 2011.

  1. Virus Guy

    Virus Guy Guest

    Got a few more of these today. I checked two of them: one URL was
    taken down, one still worked. So I'm posting the results of the working
    link.

    I captured two temporary files that I've never gotten before (they are
    deleted from \temp as soon as I kill java.dll) but this time I grabbed
    them. I note this interesting string inside them:

    Obfuscation by Allatori Obfuscator v3.5
    http://www.allatori.com

    I'm trying to upload this package to fileden, but I'm having a hard time
    bringing up the file-upload page right now.

    I'll post back when I've got it. So if anyone else wants to grab these
    files:

    ============================

    Original spam-link:

    hxxp://www.bmi-asia.com/b2a434/index.html

    www.bmi-asia.com -> 180.210.205.241

    Subject: ACH transaction report
    Date: Mon, 12 Dec 2011 19:40:48 +0900
    Return-Path: <>
    Received: from GPXQRNQGS ([112.187.40.162])

    ======================
    Files created / modified:

    c:\windows\temp
    java_install_reg.log
    gggf0.72726379409629.exe
    jar_cache37478.tmp
    jar_cache37479.tmp

    c:\windows\application data\mozilla\firefox\profiles\4ncwclw6.default
    localstore.rdf
    sessionstore.js
    history.dat
    downloads.rdf

    c:\windows\application
    data\mozilla\firefox\profiles\4ncwclw6.default\cache
    435A7B66d01
    09CE08A0d01

    c:\windows\application data\sun\java\deployment\cache\javapi\v1.0\jar
    g43kb6j34kblq6jh34kb6j3kl4.jar-33c00619-4469a01c.hst
    g43kb6j34kblq6jh34kb6j3kl4.jar-33c00619-4469a01c.idx
    g43kb6j34kblq6jh34kb6j3kl4.jar-33c00619-4469a01c.zip

    c:\windows\application data\sun\java\deployment\host
    67e6ec37.hst
    5225a28f.hst

    c:\windows\application data\sun\java\deployment\log
    plugin150_16.trace

    -------------

    pdf download from:
    http://sadsmiled.com/content/fdp1.php?f=49

    www.bmi-asia.com -> 180.210.205.241
    sadsmiled.com -> 173.255.198.177
    blaise.webd.pl -> 94.75.225.45 -> kquery.js (1)
    bilgelergida.com -> 89.19.30.10 -> kquery.js (2)
    sammy.dommel.be -> 193.109.184.81 -> kquery.js (3)
     
    Virus Guy, Dec 12, 2011
    #1
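A defender-side triage helper, added here and not part of the thread or of the package Virus Guy uploaded: it opens jar/zip/tmp files such as the jar_cache*.tmp files from \temp or the Sun deployment cache and reports which entries carry the Allatori marker string quoted above. The directory layout, file names and sample jar are constructed in the script; real cache paths are an assumption.

```python
import io
import os
import tempfile
import zipfile

# Marker string quoted in the post; Allatori writes it into the class files it processes.
ALLATORI_MARKER = b"Obfuscation by Allatori Obfuscator"

def scan_jar_bytes(data):
    """Return names of zip entries containing the marker, or None if data is not a zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None  # truncated or partially written cache file: report, don't crash
    hits = []
    for info in zf.infolist():
        if ALLATORI_MARKER in zf.read(info):
            hits.append(info.filename)
    return hits

def scan_cache_dir(root):
    """Walk a directory (assumed: the Sun deployment cache or \\temp) and map each
    .jar/.zip/.tmp file that holds the marker to its flagged entries."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".zip", ".tmp")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_jar_bytes(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_jar(obfuscated):
    """Constructed sample: one fake class entry, optionally tagged with the marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        tag = b" # " + ALLATORI_MARKER + b" v3.5" if obfuscated else b""
        zf.writestr("a/b/c.class", b"\xca\xfe\xba\xbe" + tag)
    return buf.getvalue()

def demo_scan():
    """Write one marked and one clean jar_cache file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, flag in (("jar_cache37478.tmp", True), ("jar_cache37479.tmp", False)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(build_sample_jar(flag))
        return scan_cache_dir(root)
```

Point scan_cache_dir at a copy of the cache taken before the plugin cleans \temp, since the post notes the tmp files vanish once java is killed.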

  2. Virus Guy

    Virus Guy Guest

    http://www.fileden.com/files/2008/7/19/2010382//DEC-12.ZIP

    Password is "a" (no quotes). Unpack rar to get files.

    (sorry for posting the URL to the pdf file without obfuscation)

    The jar_cache files are new. Hope they are useful.
     
    Virus Guy, Dec 12, 2011
    #2

  3. Virus Guy

    Virus Guy Guest

    Wow - is everyone on vacation?

    Here are a bunch of fresh URLs that came in today - all of them being
    that stupid "ACH payment" spam.

    Warning: These are malicious URLs. Do not follow them unless you know
    what you're doing.

    hxxp://ccfgabon.org/6f82ee/index.html
    hxxp://www.bonimpex.ch/c3ac64/index.html
    hxxp://skyad.me/8824c4/index.html
    hxxp://planetmorix.com/a1a3d2/index.html

    These URLs came from a different class of spam today. I haven't tried
    them yet:

    hxxp://erifdevelopment.it/area_riservata/posta/Lunaitaly.php
    hxxp://balticum.lt/zaidimas/italy/italy.php
     
    Virus Guy, Dec 12, 2011
    #3

  4. SSDD

    There wasn't anything really new about the malware associated with the
    Black Hole Exploit site.
     
    David H. Lipman, Dec 12, 2011
    #4
  5. Virus Guy

    Virus Guy Guest

    Was the use of Allatori Obfuscator known?

    What part of the cocktail of files I've been posting (if any) is the
    Carberp payload?
     
    Virus Guy, Dec 12, 2011
    #5
  6. Allatori Obfuscator has been seen before.

    Carberp payload ?

    I ran the first exploit site and it was the same.

    I ran the last four sites; two were active, I got results, and their
    payload was a different site. I assume that's what you mean by Carberp
    payload.

    Those two were...
    and they had the same results.
     
    David H. Lipman, Dec 12, 2011
    #6
  7. Virus Guy

    Virus Guy Guest

    Reports from early December about Black Hole say it's being paired with
    Carberp.

    But these same reports seem to talk more about browser hijacking as the
    exposure mechanism - not following links in spam.
     
    Virus Guy, Dec 12, 2011
    #7
  8. I see - thanx.
     
    David H. Lipman, Dec 13, 2011
    #8

  9. http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fCarberp

    "Win32/Carberp is a family of trojans that may be delivered via malicious
    code, for instance by variants of Exploit:JS/Blacole."

    JS/Blacole has been associated with CVE-2010-0840

    The Nacha spam Java has been so far associated with CVE-2011-3544
     
    David H. Lipman, Dec 13, 2011
    #9
  10. Virus Guy

    Virus Guy Guest

    I think the malware that I've been seeing (and posting here) is being
    spammed by the Cutwail botnet. The full payload apparently includes
    SpyEye and Bobax. Have we confirmed that?

    http://labs.m86security.com/2011/12/cutwail-spam-campaigns-lure-users-to-blackhole-exploit-kit/
     
    Virus Guy, Dec 13, 2011
    #10

  11. No. Different malicious family groups.
    Different email bodies and URL formats.

    What they do have in common is the Black Hole Exploit Kit.
     
    David H. Lipman, Dec 13, 2011
    #11
  12. Virus Guy

    Virus Guy Guest

    For what it's worth, I can't find anything on the web linking Black Hole
    (or Blacole?) and the use of Allatori obfuscator.
     
    Virus Guy, Dec 13, 2011
    #12