// #MalwareMustDie
// Today's Zeus GameOver (GM)
// Campaign: Malvertisement via Spambot (Cutwail template)
// [0x00000000:0x00400000]> !date
// Sat Mar 15 12:40:42 JST 2014
Pic: http://goo.gl/dxvb8p

#BLOCK THESE URLs!!
↓
h00p://sienashops.it/image_data/al2602.nub
h00p://theeventroom.co.uk/Images/al2602.nub
h00p://gobemall.com/img/p/1/0/1/1203a.ton
h00p://gobehost.info/images/headers/13003UKp.ton
h00p://creativemindsplanet.com/images/headers/a.ssa
h00p://mpbp.org/images/banners/1203UKp.ssa

// Typical headers in the requested URL to block
---snips----
Accept: text/*, application/*
User-Agent: Updates downloader
---- end snips----

============ Sample1 ============
MD5    : 4c643c7aa58203e2aa2f82297fd2f71c
SHA256 : 539f168f1e79a98f6e2d642c3464a9913fee1e4bf56696dbf8c963145eda66fa
URL    : https://www.virustotal.com/latest-scan/539f168f1e79a98f6e2d642c3464a9913fee1e4bf56696dbf8c963145eda66fa

F-Secure             : Trojan:W32/Agent.DUTV
DrWeb                : Trojan.DownLoad3.28161
F-Prot               : W32/Trojan2.ODQM
VIPRE                : Win32.Malware!Drop
Commtouch            : W32/Trojan.DDGP-1880
McAfee-GW-Edition    : Downloader-FSH!4C643C7AA582
ESET-NOD32           : Win32/TrojanDownloader.Waski.A
TrendMicro-HouseCall : TROJ_GEN.F0D1H00CE14
MicroWorld-eScan     : Trojan.GenericKD.1605898
Avast                : Win32:Trojan-gen
Sophos               : Troj/DwnLdr-LKT
GData                : Trojan.GenericKD.1605898
Kaspersky            : Trojan.Win32.Bublik.ccdg
BitDefender          : Trojan.GenericKD.1605898
McAfee               : Downloader-FSH!4C643C7AA582
Malwarebytes         : Trojan.Downloader.RRE
Panda                : Generic Malware
Ikarus               : Trojan-Spy.Zbot
AntiVir              : TR/Yarwi.B.214
Ad-Aware             : Trojan.GenericKD.1605898
Emsisoft             : Trojan-Downloader.Win32.Waski (A)

Malvertisement: Spam zip attachment
Downloads: Zbot/GMO
h00p://sienashops.it/image_data/al2602.nub
h00p://theeventroom.co.uk/Images/al2602.nub

Header:
GET /image_data/al2602.nub HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: sienashops.it
Cache-Control: no-cache

GET /Images/al2602.nub HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: theeventroom.co.uk
Cache-Control: no-cache

download/decrypted: N/A

============ Sample2 ============
MD5    : d4de8bbd2bdee1211ae97d0bb79ab65f
SHA256 : 809154e0402366e7dfb272ea1620cc4a7b1d03ea0c6880835d394d117608fda9
URL    : https://www.virustotal.com/latest-scan/809154e0402366e7dfb272ea1620cc4a7b1d03ea0c6880835d394d117608fda9

TotalDefense         : Win32/Zbot.VXNPJB
MicroWorld-eScan     : Trojan.GenericKD.1604712
nProtect             : Trojan.GenericKD.1604712
McAfee               : RDN/Downloader.a!pl
Malwarebytes         : Trojan.Downloader.RRE
K7AntiVirus          : Trojan-Downloader ( 0048f6391 )
K7GW                 : Trojan-Downloader ( 0048f6391 )
F-Prot               : W32/Trojan2.ODQJ
Symantec             : Downloader.Upatre
Norman               : Kryptik.CDLW
ESET-NOD32           : Win32/TrojanDownloader.Waski.A
TrendMicro-HouseCall : TROJ_UPATRE.YYJN
Avast                : Win32:Trojan-gen
Kaspersky            : Trojan.Win32.Bublik.cbrd
BitDefender          : Trojan.GenericKD.1604712
NANO-Antivirus       : Trojan.Win32.Kryptik.cuogqk
Ad-Aware             : Trojan.GenericKD.1604712
Sophos               : Troj/Upatre-AF
F-Secure             : Trojan.GenericKD.1604712
DrWeb                : Trojan.DownLoad3.32271
VIPRE                : Trojan.Win32.Generic.pak!cobra
AntiVir              : TR/Yarwi.B.210
TrendMicro           : TROJ_UPATRE.YYJN
McAfee-GW-Edition    : Downloader-FSH!D4DE8BBD2BDE
Emsisoft             : Trojan.GenericKD.1604712 (B)
Kingsoft             : Win32.Troj.Bublik.cb.(kcloud)
Microsoft            : TrojanDownloader:Win32/Upatre.O
ViRobot              : Trojan.Win32.Downloader.20600.B
GData                : Trojan.GenericKD.1604712
Commtouch            : W32/Trojan.KVED-7604
AhnLab-V3            : Spyware/Win32.Zbot
Panda                : Trj/Zbot.M
Ikarus               : Trojan-Spy.Agent
Fortinet             : W32/Upatre.A!tr
AVG                  : Luhe.Fiha.A
Baidu-International  : Trojan.Win32.Bublik.AduA

Malvertisement: Spam zip attachment
Downloads: Zbot/GMO
h00p://gobemall.com/img/p/1/0/1/1203a.ton
h00p://gobehost.info/images/headers/13003UKp.ton

Header:
GET /img/p/1/0/1/1203a.ton HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: gobemall.com
Cache-Control: no-cache

GET /images/headers/13003UKp.ton HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: gobehost.info
Cache-Control: no-cache

download/decrypted:
// file          MD5                               size (bytes)
1203a.ton        03f2135d7dbd41c5ac617a6128f17cf6  403,086
13003UKp.ton     498962f2564a7d5de0664a9fd15abb0e  479,858
dmpal.exe        2c059b381eaca3085b2f1cc28acbf580  452,096
fmpal.exe        80ce7e4ddab8e95b0c82b80c85179d0a  500,224
// components:
aplib.dll        7fe2b0b3fc2078130f20070a05daf8d5  11,264
aplib64.dll      3f4fe60b6d1e05144f6efa098ac381a8  12,800
client.dll       35c7b7eebe35bc4db0d01965b1193823  228,864
zlib1.dll        80e41408f6d641dc1c0f5353a0cc8125  59,904

============ Sample3 ============
MD5    : edcb08d296a68e5f84f69fd14e66cf00
SHA256 : 130c95f8fd548d4246b5fe045cbe8572da70fcae9006a7aaeec3e4da18104d10
URL    : https://www.virustotal.com/latest-scan/130c95f8fd548d4246b5fe045cbe8572da70fcae9006a7aaeec3e4da18104d10

MicroWorld-eScan     : Trojan.GenericKD.1603804
nProtect             : Trojan.GenericKD.1603804
CAT-QuickHeal        : TrojanDownloader.Upatre.A4
McAfee               : RDN/Generic.bfr!gg
Malwarebytes         : Trojan.Email.FakeDoc
K7AntiVirus          : Trojan-Downloader ( 0040f7931 )
K7GW                 : Trojan-Downloader ( 0040f7931 )
F-Prot               : W32/Trojan3.HSW
Symantec             : Downloader.Upatre
Norman               : Upatre.BD
ESET-NOD32           : Win32/TrojanDownloader.Waski.A
TrendMicro-HouseCall : TROJ_GEN.F0D1H00CC14
Avast                : Win32:Malware-gen
Kaspersky            : Trojan.Win32.Bublik.cbqm
BitDefender          : Trojan.GenericKD.1603804
Ad-Aware             : Trojan.GenericKD.1603804
Sophos               : Mal/Upatre-A
Comodo               : TrojWare.Win32.UMal.~A
F-Secure             : Trojan:W32/Agent.DUTS
DrWeb                : Trojan.DownLoad3.28161
VIPRE                : Trojan.Win32.Generic!SB.0
AntiVir              : TR/Yarwi.B.209
TrendMicro           : TROJ_UPATRE.SMBB
McAfee-GW-Edition    : RDN/Generic.bfr!gg
Emsisoft             : Trojan-Downloader.Win32.Agent (A)
Microsoft            : TrojanDownloader:Win32/Upatre.O
GData                : Trojan.GenericKD.1603804
Commtouch            : W32/Trojan.IKAD-3051
TotalDefense         : Win32/Upatre.dGDRDS
Panda                : Generic Malware
Rising               : PE:Malware.XPACK/RDM!5.1
Ikarus               : Trojan-Spy.Zbot
Fortinet             : W32/Waski.A!tr.dldr
AVG                  : Zbot.GHA
Baidu-International  : Trojan.Win32.Bublik.axUl
Qihoo-360            : Win32/Trojan.255

Malvertisement: Spam zip attachment
Downloads: Zbot/GMO
h00p://creativemindsplanet.com/images/headers/a.ssa
h00p://mpbp.org/images/banners/1203UKp.ssa

Header:
GET /images/headers/a.ssa HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: creativemindsplanet.com
Cache-Control: no-cache

GET /images/banners/1203UKp.ssa HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: mpbp.org
Cache-Control: no-cache

download/decrypted:
// file          MD5                               size (bytes)
a.ssa            908be60bc13fe0869dbd6bffe49bda29  269,603
1203UKp.ssa      3add040d3f079e06503f5a7ea6a0953e  479,952
deget.exe        5b396ac3e013b991773f64c9d0f2d4ab  499,200
igbyv.exe        4401e509fd2a1592bfc6a7fc3aa7a5df  499,200
beget.exe        d5f7d4fe99ccff10178b6d770e1d4f3a  340,992
// components:
aplib.dll        7fe2b0b3fc2078130f20070a05daf8d5  11,264
aplib64.dll      3f4fe60b6d1e05144f6efa098ac381a8  12,800
client.dll       4dfde38ff8e1df866e863261f9ba2c07  228,864
zlib1.dll        80e41408f6d641dc1c0f5353a0cc8125  59,904

--- #MalwareMustDie!
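The block list and the "Updates downloader" / "text/*, application/*" header pair above are the practical detection content of this note. What follows is an added example, not MalwareMustDie's code: a small Python matcher that reads proxy-log lines in an assumed, constructed format (the LOG_RE layout is an assumption; a real proxy's format differs), flags the six listed URLs, the downloader header pair, and the .nub/.ton/.ssa payload extensions when they appear together with that User-Agent, and looks up file MD5s against the decrypted droppers and components listed for Sample2 and Sample3. The sample log lines are constructed for the demo; the indicators themselves are taken from the note.

```python
"""Match the network and file indicators from this note against log data.

Added example (not MalwareMustDie's code). The proxy-log format below is an
assumption made for the demo; adapt LOG_RE to the real proxy's format.
"""
import re
from typing import Dict, List, Optional

# The six download URLs the note says to block (h00p:// written out as http://).
BLOCKED_URLS = {
    "http://sienashops.it/image_data/al2602.nub",
    "http://theeventroom.co.uk/Images/al2602.nub",
    "http://gobemall.com/img/p/1/0/1/1203a.ton",
    "http://gobehost.info/images/headers/13003UKp.ton",
    "http://creativemindsplanet.com/images/headers/a.ssa",
    "http://mpbp.org/images/banners/1203UKp.ssa",
}

# Header pair the downloader sends on every request captured in the note.
DOWNLOADER_UA = "Updates downloader"
DOWNLOADER_ACCEPT = "text/*, application/*"

# Extensions used for the encrypted payloads; only meaningful together with the UA.
PAYLOAD_EXTS = (".nub", ".ton", ".ssa")

# MD5s of the decrypted droppers and the client.dll components listed in the note.
KNOWN_MD5 = {
    "2c059b381eaca3085b2f1cc28acbf580": "dmpal.exe",
    "80ce7e4ddab8e95b0c82b80c85179d0a": "fmpal.exe",
    "5b396ac3e013b991773f64c9d0f2d4ab": "deget.exe",
    "4401e509fd2a1592bfc6a7fc3aa7a5df": "igbyv.exe",
    "d5f7d4fe99ccff10178b6d770e1d4f3a": "beget.exe",
    "35c7b7eebe35bc4db0d01965b1193823": "client.dll (sample2)",
    "4dfde38ff8e1df866e863261f9ba2c07": "client.dll (sample3)",
}

# Assumed log line format (constructed for this example):
# <timestamp> <client_ip> <method> <url> <status> "<user-agent>" "<accept>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<accept>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match LOG_RE."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """List the indicators an entry matches, strongest first (empty = clean)."""
    reasons: List[str] = []
    url = entry["url"]
    if url in BLOCKED_URLS:
        reasons.append("known-bad-url")
    if entry["ua"] == DOWNLOADER_UA and entry["accept"] == DOWNLOADER_ACCEPT:
        reasons.append("downloader-headers")
    # The extension alone is weak; require the downloader User-Agent as well.
    path = url.split("?", 1)[0].lower()
    if path.endswith(PAYLOAD_EXTS) and entry["ua"] == DOWNLOADER_UA:
        reasons.append("payload-extension")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify over a log; return one hit record per line that matched anything."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than abort the whole scan
        reasons = classify(entry)
        if reasons:
            hits.append({"client": entry["client"], "url": entry["url"], "reasons": reasons})
    return hits


def lookup_md5(digest: str) -> Optional[str]:
    """Name the dropped file a given MD5 corresponds to, if it is one from the note."""
    return KNOWN_MD5.get(digest.strip().lower())


# Constructed sample log: two requests to listed URLs, one normal browser request,
# one unlisted host using the same downloader headers, and one malformed line.
SAMPLE_LOG = [
    '2014-03-15T12:40:42 10.0.0.5 GET http://sienashops.it/image_data/al2602.nub 200 '
    '"Updates downloader" "text/*, application/*"',
    '2014-03-15T12:41:03 10.0.0.5 GET http://gobehost.info/images/headers/13003UKp.ton 200 '
    '"Updates downloader" "text/*, application/*"',
    '2014-03-15T12:41:10 10.0.0.9 GET http://example.com/index.html 200 '
    '"Mozilla/5.0" "text/html,*/*"',
    '2014-03-15T12:42:00 10.0.0.7 GET http://example.net/files/update.ton 404 '
    '"Updates downloader" "text/*, application/*"',
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
    print(lookup_md5("2C059B381EACA3085B2F1CC28ACBF580"))
```

The header pair is the indicator worth keeping after the six hosts go quiet: the fourth constructed line hits a host that is not on the block list, yet it is still flagged because the User-Agent and Accept values match the note's captures. Treat the extension-only match as corroboration, not as a standalone alert.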