MalwareMustDie

Win32/Matsnu #BotNet w/Fake TOR domains made in China

Jul 3rd, 2013
// #MalwareMustDie! $ date
// Thu Jul 4 00:38:40 JST 2013
// The malware: Trojan:Win32/Matsnu infection botnet
// With domain registration in CHINA
// Detected the botnet IPs (for clean-up purposes)

// Huge infection in Germany using spam email attachment files:
Anwaltschaft Kostenrechnung 03.07.2013 Apodiscounter Online Store GmbH.com
Inkasso Forderung 03.07.2013 Thalia Online GmbH AG.com
Anwaltschaft Mahnung 03.07.2013 Computeruniverse GmbH Online.com
Inkasso Kostenrechnung 03.07.2013 Cunda Shop Online GmbH.com
Inkasso Rechnung 03.07.2013 Pearl Shop Online GmbH.com
Rechtsanwalt Aufforderung 03.07.2013 Reifen Online Store GmbH.com
Inkasso Mahnung 03.07.2013 Dress-for-less Online Store GmbH.com
Anwaltschaft Aufforderung 03.07.2013 TomTom Shop GmbH.com
Anwaltschaft Kostenrechnung 03.07.2013 Weltbild Online Store GmbH.com
Inkasso Mahnung 03.07.2013 Heine GmbH Online.co_
file-5693314_com
Anwaltschaft Forderung 03.07.2013 Norton Online Store GmbH.com
Inkasso Rechnung 03.07.2013 Tchibo Shop GmbH.com
Anwaltschaft Forderung 03.07.2013 Reifen GmbH Online.com
Inkasso Mahnung 03.07.2013 Mindfactory Online GmbH.com
Anwaltschaft Aufforderung 03.07.2013 Apple Online Store GmbH.com_
Inkasso Mahnung 03.07.2013 Deichmann Online Store GmbH.com
Rechtsanwalt Mahnung 03.07.2013 Moebel-profi GmbH Online.com
Rechtsanwalt Kostenrechnung 03.07.2013 Dell Shop GmbH.com
Inkasso Rechnung 03.07.2013 Yves-rocher Shop Online GmbH.com
Anwaltschaft Kostenrechnung 03.07.2013 Planet-sports Online GmbH.com
Rechtsanwalt Kostenrechnung 03.07.2013 Notebooksbilliger Shop Online GmbH.com
Anwaltschaft Forderung 03.07.2013 Alternate GmbH.com
// (The lure names are German legal/debt-collection notices: Anwaltschaft = law office, Rechtsanwalt = lawyer,
//  Inkasso = debt collection, Kostenrechnung/Rechnung = invoice, Mahnung = reminder, Forderung/Aufforderung = demand,
//  each "dated" 03.07.2013 and tagged with the name of a well-known German online shop. Note the ".com" ending
//  on a filename: the attachment is an executable, not a document.)

// ↑ Those are fresh Win32/Matsnu samples
Typical Win32/Matsnu, targeting German networks with German-language filenames.
Reversed it to find the anti-VM checks; it messes the registry up deeply, so we can't fire regedit and similar commands.
The popup message that appears is a fake Adobe Reader alert.
The malware uses %temp% with a random name: (10 lowercase letters).pre
It drops and runs Documents and Settings\Administrator\Cmclmohvdpk\(10 lowercase letters).exe
You'll see code injection into svchost.exe once the malicious sample is daemonized.
Autostart detected at HKLM\Software\..\CurrentVersion\Winlogon
  40.  
  41. //VT:
  42. https://www.virustotal.com/en/file/cea961f5a077e5cd24182bdb71451b61e96da75b55783e29e238d2c7a268fffc/analysis/
  43.  
====================
POINT OF BOTNETS
====================
// Leads to the below malicious domains (fake Tor proxy names):
privat-tor-service.com
tor-connect-secure.com
nvufvwieg.com
bnamecorni.com
vip-proxy-to-tor.com

// Which are "currently" under these IP addresses:
-------------------------------------------------------------------------------------------------
IP              | ASN   | Prefix           | ASName         | CN | Domain  | ISP of the IP address
-------------------------------------------------------------------------------------------------
5.135.198.41    | 16276 | 5.135.0.0/16     | OVH            | FR | OVH.COM | OVH SYSTEMS
91.121.229.230  | 16276 | 91.121.0.0/16    | OVH            | FR | OVH.COM | OVH SYSTEMS
162.210.175.114 | 46841 | 162.210.172.0/22 | FORKNETWORKING | US | -       | FORK-NETWORKING LLC
-------------------------------------------------------------------------------------------------

// All of these domains use a Chinese registrar:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

// With the below name servers:
Name Server.......... ns2.usergateproxy.net
Name Server.......... ns1.usergateproxy.net

// They are receiving botnet requests from infected PCs:

* take one..

h00p://privat-tor-service.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP
h00p://tor-connect-secure.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP
h00p://nvufvwieg.com/forums.php?ltype=ld&ccr=1&id=E8933835454D4F480000&stat=0&ver=100613&loc=0x0409&os=Windows%20XP
:

* take two..
h00p://privat-tor-service.com/forums.php?id=34303541444341304238&stat=9&ver=01.024
h00p://tor-connect-secure.com/forums.php?id=34303541444341304238&stat=9&ver=01.024
:

// (The query string carries a per-bot id, a stat value, the bot version ver, and in the first form
//  also the Windows locale loc (0x0409 is en-US) and the OS name string. The same id is sent to each
//  domain in turn, so the bot walks the domain list until one of them answers.)

// These requests target the below landing pages:

- h00p://privat-tor-service.com/forums.php
- h00p://tor-connect-secure.com/forums.php
- h00p://nvufvwieg.com/forums.php
- h00p://bnamecorni.com/file.php
- h00p://bnamecorni.com/forums.php
- h00p://vip-proxy-to-tor.com/forums.php


// Currently with the below replies:
84 1B 17 98 (4 bytes)

// PoC:
http://urlquery.net/report.php?id=3506956
http://urlquery.net/report.php?id=3508147
https://www.virustotal.com/en/url/a8af6fef1ac31f3fc165b53c7448e87ac138fd81b6ff9bd1fd6fe4a712b6e17c/analysis/

// Verdict
All of the evidence (sent URLs, replies and recorded reports) shows malicious activity.
The infection is active; clean-up of these IPs is the highest priority.

ADDITIONAL: DNS, pDNS and WHOIS information:


// Current DNS report of these three domains:

privat-tor-service.com internet address = 5.135.198.41
privat-tor-service.com internet address = 91.121.229.230
privat-tor-service.com internet address = 162.210.175.114
privat-tor-service.com
primary name server = ns1.usergateproxy.net
responsible mail addr = (root)
serial = 1372864802
refresh = 60 (1 min)
retry = 120 (2 mins)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 300 (5 mins)
privat-tor-service.com nameserver = ns1.usergateproxy.net
privat-tor-service.com nameserver = ns2.usergateproxy.net
ns1.usergateproxy.net internet address = 91.215.156.62
ns2.usergateproxy.net internet address = 12.179.132.98

tor-connect-secure.com internet address = 91.121.229.230
tor-connect-secure.com internet address = 5.135.198.41
tor-connect-secure.com internet address = 162.210.175.114
tor-connect-secure.com
primary name server = ns1.usergateproxy.net
responsible mail addr = (root)
serial = 1372865402
refresh = 60 (1 min)
retry = 120 (2 mins)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 300 (5 mins)
tor-connect-secure.com nameserver = ns1.usergateproxy.net
tor-connect-secure.com nameserver = ns2.usergateproxy.net

tor-connect-secure.com nameserver = ns1.usergateproxy.net
tor-connect-secure.com nameserver = ns2.usergateproxy.net
ns1.usergateproxy.net internet address = 91.215.156.62
ns2.usergateproxy.net internet address = 12.179.132.98

nvufvwieg.com internet address = 91.121.229.230
nvufvwieg.com internet address = 5.135.198.41
nvufvwieg.com internet address = 162.210.175.114
nvufvwieg.com
primary name server = ns1.usergateproxy.net
responsible mail addr = (root)
serial = 1372865402
refresh = 60 (1 min)
retry = 120 (2 mins)
expire = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 300 (5 mins)
nvufvwieg.com nameserver = ns1.usergateproxy.net
nvufvwieg.com nameserver = ns2.usergateproxy.net

nvufvwieg.com nameserver = ns2.usergateproxy.net
nvufvwieg.com nameserver = ns1.usergateproxy.net
ns1.usergateproxy.net internet address = 91.215.156.62
ns2.usergateproxy.net internet address = 12.179.132.98


// passive DNS reports:

privat-tor-service.com A 14.63.198.119
privat-tor-service.com A 62.152.59.248
privat-tor-service.com A 67.202.109.141
privat-tor-service.com A 88.150.221.56
privat-tor-service.com A 91.121.229.230
privat-tor-service.com A 109.95.23.4
privat-tor-service.com A 162.210.175.114
privat-tor-service.com A 184.22.36.4
privat-tor-service.com A 202.147.169.211
privat-tor-service.com A 206.72.193.180
privat-tor-service.com NS ns1.usergateproxy.net
privat-tor-service.com NS ns2.usergateproxy.net

tor-connect-secure.com A 14.63.198.119
tor-connect-secure.com A 62.152.59.248
tor-connect-secure.com A 67.202.109.141
tor-connect-secure.com A 88.150.221.56
tor-connect-secure.com A 91.121.229.230
tor-connect-secure.com A 109.95.23.4
tor-connect-secure.com A 162.210.175.114
tor-connect-secure.com A 184.22.36.4
tor-connect-secure.com A 202.147.169.211
tor-connect-secure.com A 206.72.193.180
tor-connect-secure.com NS ns1.usergateproxy.net
tor-connect-secure.com NS ns2.usergateproxy.net

nvufvwieg.com A 14.63.198.119
nvufvwieg.com A 62.152.59.248
nvufvwieg.com A 67.202.109.141
nvufvwieg.com A 88.150.221.56
nvufvwieg.com A 91.121.229.230
nvufvwieg.com A 109.95.23.4
nvufvwieg.com A 162.210.175.114
nvufvwieg.com A 184.22.36.4
nvufvwieg.com A 202.147.169.211
nvufvwieg.com A 206.72.193.180
nvufvwieg.com NS ns1.usergateproxy.net
nvufvwieg.com NS ns2.usergateproxy.net

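As an added example (not code from the MalwareMustDie paste), the pivot an analyst would do on the DNS and pDNS data above: invert the records to find the A and NS values shared across the three names, and then compare the pDNS history with the current resolution to separate IPs that are live now, IPs the names used to sit on, and IPs that are live but not yet in pDNS (on the paste's data, 5.135.198.41 is the one freshly moved-to address). The records are copied from the paste and embedded so the script runs offline; the one-record-per-line "<name> <type> <value>" format is an assumption of the example.

```python
"""Pivot passive-DNS (pDNS) records against live resolution for the Matsnu C2 names.

Added example, not code from the MalwareMustDie paste. The records are copied from
the paste's pDNS and current-DNS sections and embedded so this runs offline; the
one-record-per-line "<name> <type> <value>" format is an assumption.
"""
from collections import defaultdict

PDNS_TEXT = """\
privat-tor-service.com A 14.63.198.119
privat-tor-service.com A 62.152.59.248
privat-tor-service.com A 67.202.109.141
privat-tor-service.com A 88.150.221.56
privat-tor-service.com A 91.121.229.230
privat-tor-service.com A 109.95.23.4
privat-tor-service.com A 162.210.175.114
privat-tor-service.com A 184.22.36.4
privat-tor-service.com A 202.147.169.211
privat-tor-service.com A 206.72.193.180
privat-tor-service.com NS ns1.usergateproxy.net
privat-tor-service.com NS ns2.usergateproxy.net
tor-connect-secure.com A 14.63.198.119
tor-connect-secure.com A 62.152.59.248
tor-connect-secure.com A 67.202.109.141
tor-connect-secure.com A 88.150.221.56
tor-connect-secure.com A 91.121.229.230
tor-connect-secure.com A 109.95.23.4
tor-connect-secure.com A 162.210.175.114
tor-connect-secure.com A 184.22.36.4
tor-connect-secure.com A 202.147.169.211
tor-connect-secure.com A 206.72.193.180
tor-connect-secure.com NS ns1.usergateproxy.net
tor-connect-secure.com NS ns2.usergateproxy.net
nvufvwieg.com A 14.63.198.119
nvufvwieg.com A 62.152.59.248
nvufvwieg.com A 67.202.109.141
nvufvwieg.com A 88.150.221.56
nvufvwieg.com A 91.121.229.230
nvufvwieg.com A 109.95.23.4
nvufvwieg.com A 162.210.175.114
nvufvwieg.com A 184.22.36.4
nvufvwieg.com A 202.147.169.211
nvufvwieg.com A 206.72.193.180
nvufvwieg.com NS ns1.usergateproxy.net
nvufvwieg.com NS ns2.usergateproxy.net
"""

# What the three names resolve to right now (current DNS report in the paste).
LIVE_A = {"5.135.198.41", "91.121.229.230", "162.210.175.114"}
CURRENT_A = {d: set(LIVE_A) for d in
             ("privat-tor-service.com", "tor-connect-secure.com", "nvufvwieg.com")}


def parse_records(text):
    """Parse '<name> <type> <value>' lines into normalised (name, type, value) tuples."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            name, rtype, value = line.split()
            recs.append((name.lower(), rtype.upper(), value.lower().rstrip(".")))
    return recs


def shared_values(records, min_domains=2):
    """Invert records (value -> names) and keep values seen under min_domains or more
    names; shared A and NS values are the pivots tying separate-looking domains together."""
    by_value = defaultdict(set)
    for name, rtype, value in records:
        by_value[(rtype, value)].add(name)
    return {k: v for k, v in by_value.items() if len(v) >= min_domains}


def ip_status(records, current):
    """Label each IP 'current' (in pDNS and live), 'historic' (pDNS only) or
    'new' (live but not yet in pDNS: infrastructure the operator just moved to)."""
    historic = {v for _, t, v in records if t == "A"}
    live = set().union(*current.values())
    status = {}
    for ip in historic | live:
        if ip in live and ip in historic:
            status[ip] = "current"
        else:
            status[ip] = "historic" if ip in historic else "new"
    return status


def blocklist(records, current):
    """Every IP the names have ever sat on, numerically sorted. With a 300 s TTL the
    operator can rotate back to a historic address at any time, so block them all."""
    return sorted(ip_status(records, current),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    recs = parse_records(PDNS_TEXT)
    for ip, st in sorted(ip_status(recs, CURRENT_A).items()):
        print(ip, st)
```

The "new" label is the one to watch: an address that is live but has no pDNS history is where the operator is moving next, and it is also the one your existing blocklist will not contain.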
// WHOIS... China bad actors (same registrant on all three domains)...

Domain Name: PRIVAT-TOR-SERVICE.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.USERGATEPROXY.NET
Name Server: NS2.USERGATEPROXY.NET
Status: clientTransferProhibited
Updated Date: 06-jun-2013
Creation Date: 19-apr-2013
Expiration Date: 19-apr-2014
Domain Name.......... privat-tor-service.com
Creation Date........ 2013-04-19 21:52:58
Registration Date.... 2013-04-19 21:52:58
Expiry Date.......... 2014-04-19 21:52:58
Organisation Name.... liu wenge
Organisation Address. jiefanglu344hao
Organisation Address.
Organisation Address. wuhan
Organisation Address. 424000
Organisation Address. HB
Organisation Address. CN

Domain Name: TOR-CONNECT-SECURE.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.USERGATEPROXY.NET
Name Server: NS2.USERGATEPROXY.NET
Status: clientTransferProhibited
Updated Date: 19-apr-2013
Creation Date: 19-apr-2013
Expiration Date: 19-apr-2014
Domain Name.......... tor-connect-secure.com
Creation Date........ 2013-04-19 21:52:39
Registration Date.... 2013-04-19 21:52:39
Expiry Date.......... 2014-04-19 21:52:39
Organisation Name.... liu wenge
Organisation Address. jiefanglu344hao
Organisation Address.
Organisation Address. wuhan
Organisation Address. 424000
Organisation Address. HB
Organisation Address. CN


Domain Name: NVUFVWIEG.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.USERGATEPROXY.NET
Name Server: NS2.USERGATEPROXY.NET
Status: clientTransferProhibited
Updated Date: 17-mar-2013
Creation Date: 06-feb-2013
Expiration Date: 06-feb-2014
Domain Name.......... nvufvwieg.com
Creation Date........ 2013-02-07 00:01:49
Registration Date.... 2013-02-07 00:01:49
Expiry Date.......... 2014-02-07 00:01:49
Organisation Name.... liu wenge
Organisation Address. jiefanglu344hao
Organisation Address.
Organisation Address. wuhan
Organisation Address. 424000
Organisation Address. HB
Organisation Address. CN

----
#MalwareMustDie!
@unixfreaxjp /malware]$ date
Thu Jul 4 01:01:18 JST 2013