One Click Hosting Spreads Banking Trojan
While this is not totally new, I only recently came across my first event involving a one click host serving malware. What is one click hosting? These are providers you have probably heard of before, such as RapidShare, Megaupload, yousendit and many more; Wikipedia has a listing of many of them. They allow you to share files via HTTP, either for free or for a small fee for premium service.
In the last few weeks (beginning June 17th), a particular OCH (one click host), hotlinkfiles.com, began serving up malware. According to a March 25th, 2008 post on their website, the host scans uploads with AV:
“Today we introduce a new feature of virus scanning on all uploaded files. This is part of our service to protect you from downloading any virus. The feature is seamlessly integrated into Hotlinkfiles.com, our anti-virus software will automatically perform a scan on all uploaded files and will reject any infected file.”
The malware being served must be going undetected by whatever AV hotlinkfiles.com is using. Here is what is being served:

| Host | Path |
| --- | --- |
| hotlinkfiles.com | /files/2607508_gs2zp/eudenoite1.scr |
| premium.hotlinkfiles.com | /files/2619000_idqqh/fotosanexadas.scryh |
| hotlinkfiles.com | /files/2637460_lnqnl/DSC_804.jpg.scr |
| premium.hotlinkfiles.com | /files/2645684_c2awa/fotosanexadas.scr |
| hotlinkfiles.com | /files/2645758_i45ka/DSC_805.jpg.scr |
Notice the use of premium.hotlinkfiles.com? This means the attacker has either bought an account or is using an account stolen from an unsuspecting victim.
Detection for the first stage download is pretty good at 30/41; most vendors detect it as Banload, which is also classed as a banking trojan. [Virustotal1] [Virustotal2]
Downloader.Banload.AMIX
Win-Trojan/Banload.71680.O
Win32/TrojanDownloader.Banload.BDA
PWS-Banker!ee
Mal_Banker
The file downloads several more payloads, all of which are executables [Threatexpert]; however, the detection rate on them is terrible, with most being detected by 0/41 vendors. [Virustotal]
hxxp://gay24x01.hpg.ig.com.br/ree1.html
hxxp://gay24x01.hpg.ig.com.br/ree2.html
hxxp://gay24x02.hpg.ig.com.br/nl2.html
hxxp://gay24x02.hpg.ig.com.br/nl3.html
hxxp://gay24x02.hpg.ig.com.br/nl4.html
hxxp://gay24x02.hpg.ig.com.br/nl5.html
hxxp://gay24x02.hpg.ig.com.br/nl6.html
hxxp://gay24x02.hpg.ig.com.br/nl7.html
So what does this mean? Since sites like hotlinkfiles.com are perfectly legitimate, web content filtering will not block them. The second stage URL can still be blocked, but it can change, and analysis must be performed before the second stage URL is even known. In a corporate environment, you may want to consider blocking these file transfer services if they are not needed.
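Short of blocking the file transfer services outright, a proxy log can still surface these downloads: the first stage is a Windows screensaver (.scr) disguised as a photo on a one click host. The script below is an added example, not something from the original post; it runs a small set of rules over constructed Squid-style proxy log lines (the URLs reuse the hotlinkfiles.com paths listed above, everything else is made up) and flags executables, image-named files with executable extensions, and any download from a one click host. The host list, extension lists and log format are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# One-click file-sharing hosts. Constructed list for this example:
# hotlinkfiles.com is the host from the post, the rest are providers it names.
ONE_CLICK_HOSTS = {"hotlinkfiles.com", "rapidshare.com", "megaupload.com", "yousendit.com"}

# Extensions Windows will execute on double-click; a "photo" never needs one.
EXEC_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}

# Constructed proxy log lines: time, client, action/status, bytes, method, URL.
SAMPLE_LOG = """\
1213700001.101 192.0.2.10 TCP_MISS/200 73728 GET http://hotlinkfiles.com/files/2637460_lnqnl/DSC_804.jpg.scr
1213700002.202 192.0.2.11 TCP_MISS/200 73728 GET http://premium.hotlinkfiles.com/files/2645684_c2awa/fotosanexadas.scr
1213700003.303 192.0.2.12 TCP_MISS/200 73728 GET http://premium.hotlinkfiles.com/files/2619000_idqqh/fotosanexadas.scryh
1213700004.404 192.0.2.13 TCP_HIT/200 48213 GET http://www.example.com/images/DSC_804.jpg
1213700005.505 192.0.2.14 TCP_MISS/200 902144 GET http://download.example.net/tools/setup.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def host_is_one_click(host):
    """True if host is a listed one-click host or any subdomain of one (e.g. premium.*)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ONE_CLICK_HOSTS)


def classify_filename(path):
    """Return 'double-extension', 'executable' or 'other' for the file name in a URL path."""
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "other"
    ext = "." + parts[-1]
    if ext not in EXEC_EXTENSIONS:
        return "other"
    # DSC_804.jpg.scr: an image name hiding an executable extension
    if len(parts) >= 3 and "." + parts[-2] in IMAGE_EXTENSIONS:
        return "double-extension"
    return "executable"


def assess(url):
    """Apply the rules to one URL and return reasons plus a block/review/allow verdict."""
    parts = urlsplit(url)
    on_och = host_is_one_click(parts.hostname or "")
    kind = classify_filename(parts.path)
    reasons = []
    if on_och:
        reasons.append("download from one-click host")
    if kind == "double-extension":
        reasons.append("image name with executable extension")
    elif kind == "executable":
        reasons.append("executable download")
    # Executable from a one-click host: block. Either signal alone: queue for review.
    if on_och and kind != "other":
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"url": url, "kind": kind, "reasons": reasons, "verdict": verdict}


def scan_log(text):
    """Parse proxy log lines and assess every request; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = assess(m.group("url"))
        result["client"] = m.group("client")
        events.append(result)
    return events


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(e["verdict"].upper(), e["client"], e["url"], "; ".join(e["reasons"]))
```

The third sample line shows why the extension rules alone are not enough: `fotosanexadas.scryh` is one of the files actually served, and it matches no executable extension, so it only surfaces because the host rule fires. Pair rules like these with content inspection (magic bytes or the proxy's detected content type) rather than trusting the file name.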
As for where this attack came from, it was delivered via spam written in Portuguese with a subject line of “fotos [date]”. The body text reads “These photos are very funny”.
For what it’s worth, hotlinkfiles.com is categorized as Malicious by trustedsource.org/smartfilter.