Comments for Andrew Martin

Comment on Major Stealthy Malware Campaign – 711 Domains Taken Down by Andrew from Vancouver

Andrew from Vancouver — Mon, 14 Dec 2009 07:06:01 +0000

The wgetdream.com is parked at GoDaddy after all, somehow. DNS cacheing, perhaps. The TLD servers return NXDOMAIN when queried.

fk0.info and oy7.info are both registered with GoDaddy but have not been suspended. They are currently active.

Comment on Major Stealthy Malware Campaign – 711 Domains Taken Down by Andrew from Vancouver

Andrew from Vancouver — Mon, 14 Dec 2009 05:44:57 +0000

At least some of these are still active. Still active:

hxxp://us.fk0.info/f/f.exe
hxxp://us.oy7.info/f/1/cosplay.swf
hxxp://goodfriend.wgreatdream.com/show.php

The last update stamp in WHOIS for wgreatdream.com is December 7th 2009. There may have been several updates but the last result was certainly not GoDaddy suspending it.

The .exe file above is a binary file but is not an executable. The .swf file is listed by Wepawet as malicious, but according to VirusTotal, only Microsoft detects it.

http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

http://www.virustotal.com/analisis/6804d14c311fc8a4b02a2b466b1e25fbd47a8cf87ae260e76972e486bcc72759-1260767519

Comment on Sources of Badness – LeaseWeb by Rune Jensen

Rune Jensen — Sat, 07 Nov 2009 05:41:55 +0000

I do not have _any_ patiense what-so-ever with Lease-web. Just blocked the entire IP-range.

Comment on Exploits Employed by Gumblar by Wasim Halani

Wasim Halani — Thu, 03 Sep 2009 16:11:49 +0000

Hi Andrew,

I too came across a similar malware, but I am stuck at one point in the wepawet analysis.
In the segment “var Kkbfhqas=” what is the decoded output of the variable. I had read some place that this is the ’shellcode’, but I am not able to figure that out myself . Any inputs on this or how I can better understand this segment ?

Thanks

Comment on Nine-Ball = Gumblar Redux? – 40,000 websites compromised by Tore Eriksson

Tore Eriksson — Sun, 30 Aug 2009 20:19:03 +0000

I have struggled with this malware all weekend. It’s called Krap.w and seems to be very new. All google hits are just hours old. No antivirus company has any news on it. It reinstalls a three-digit exe file every reboot, like 266.exe in temporary internet files folder, and also a random eight digit folder in user\temp\, eg. user\temp\15736234\ where three files are created: 15736234 15736234.ins and 15736234.exe (same random eight digits). F-secure’s antivirus program now detects and stops it from taking over the system, but does not find the installer yet. Neither have I.

Comment on Nine-Ball = Gumblar Redux? – 40,000 websites compromised by TheOne

TheOne — Fri, 14 Aug 2009 11:43:40 +0000

Well last time i booted into windows my desktop-background was izohore.bmp and a strange “Anti Virus” Software was scanning some files. So it seems like i have got this thing. The Problem was that i could not Run any App like firefox or taskmanager since the “AV” “detected an infection” So i quickliy shut down my computer and booted into Linux. I mounted the WINDOWS partition and fount strange nubered exe in an stange numbered folder in /all users/Application Data/ and the izohore.bmp in \user\Local Settings\Temp\ but i couldnot find any other file yet. I used ClamAV to scan this partition but it did not even find the exe in the “app data” folder(since it is not the best choice anyway). It seems like this scarware uses varied names to store its data but the server.exe and socks.exe should exist i think and the names do not seem like they varie.
Since the Program doesnot seem to corrupt any random data, im going to reboot into windows and see what i can do there since i have removed ev erything if found concerning this virus. Thank you

Comment on Real Host now shutdown by ejes

ejes — Fri, 07 Aug 2009 13:58:42 +0000

Good work man

Comment on Nine-Ball followup now with video! Part 2 by wario

wario — Sun, 02 Aug 2009 01:41:14 +0000

nice informative tutorial and the music is great, it really picks up at 2:30

Comment on Nine-Ball = Gumblar Redux? – 40,000 websites compromised by Lori

Lori — Fri, 10 Jul 2009 20:18:46 +0000

i have this virus on my computer and was unable to access certain websites. now whenever i try to open IE 7 to any page, it shows trughtsa.com, sticks there for a while, an adobe error comes up and then the whole program shuts down. how do i get this off of my computer???? please help!!!

Comment on Nine-Ball = Gumblar Redux? – 40,000 websites compromised by Jacob

Jacob — Tue, 07 Jul 2009 21:31:01 +0000

Hi, after reading this im absolutely positive that i have this on my computer. It seems to block my anti virus from working.
(I have Trend Micro) You’re website is the only place i’ve found information on this so far. If you could help me in removing it, or direct me somewhere that can it would be greatly appreciated.