To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This is an other one from the Banker-trojan series (very popular in
Brasil, aimed at stealing peoples online-banking passwords). The three
components are:
- A downloader / process killer (amor.com). The taskkill and file paths
(which are files which it will try to delete) seem to be related to a
security / anti-fraud product called "G-Buster Browser Defense"
- The actual password stealer (derby.com), is compressed using the
PKLITE executable compressor (hence the strings). It is so big, because
it contains a lot of bitmaps, imitating the interfaces of the banks
- A mass-mailer (javas.com)
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
derby.com looks like an installer, given it's size (~ 1.8 MB). In
fact, if you take a look at section .pklstb (located at 0xa400), you
see:
0f73000 688030f7 0068bec7 12016800 000000e8 h.0..h....h.....
0f73010 aa971b00 e92fdc54 ff402823 29504b4c ...../.T.@(#)PKL
0f73020 49544533 3220436f 70797269 67687420 ITE32 Copyright
0f73030 31393938 20504b57 41524520 496e632e 1998 PKWARE Inc.
0f73040 2c20416c 6c205269 67687473 20526573 , All Rights Res
0f73050 65727665 64202824 52657669 73696f6e erved ($Revision
0f73060 3a202429 00504b4c 54333200 00100100 : $).PKLT32.....
On Sun, Nov 25, 2007 at 05:03:41AM +0000, Paul Ferguson babbled thus:
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
FYI.
- ferg
[forwarded message[
Date: Sat, 24 Nov 2007 23:17:32 -0500
From: jayjwa <[EMAIL PROTECTED]>
To: Dshield Mail List <[EMAIL PROTECTED]>
(Possibly) new trojans. These came from a link spammed out in email
that ended up in my Hotmail inbox. The files are win32 PE's, with some
interesting strings embedded in them. One of the files appears to be a
server of some sort with smtp ability. There's also alot of calls to
graphics routines, so maybe one of the files is a client or user
interface of some type. Written in Delphi, downloaded from
suspiroamor.land.ru, root directory.
amor.com: The only file linked in the email. Probably downloads/exec
others.
Interesting strings:
taskkill -f /im gbpsv.exe
C:\Arquivos de programas\GbPlugin\gbieh.dll
C:\Arquivos de programas\GbPlugin\gbieh.gmd
C:\windows\Crime.exe
C:\WINDOWS\system32\WormList.exe
URLDownloadToFileA
shell32.dll
ShellExecuteA
derby.com: Referenced in the above file.
javas.com: Same. Contains an email template, lots of calls to Winsock.
Interesting hardcoded strings:
msnlist.txt
[EMAIL PROTECTED]
Lista MSN (
gsmtp185.google.com
hsResolving
hsConnecting
hsConnected
hsDisconnecting
hsDisconnected
hsStatusText
ftpTransfer
ftpReady
ftpAborted
IdComponent
TIdStatusEvent
ASender
Indy 9.00.10
X-Library
* About to connect() to suspiroamor.land.ru port 80 (#0)
* Trying 82.204.219.223... connected
* Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
GET /javas.com HTTP/1.1
User-Agent: from Russia with love?
Host: suspiroamor.land.ru
Accept: */*
< HTTP/1.1 200 OK
< Server: nginx/0.5.31
< Date: Sun, 25 Nov 2007 03:09:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 523264
< Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
<
{ [data not shown]
The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
amor.com Infection: Possibly a new variant of
W32/NewMalware-LSU-based!Maximus
Available as downloaded above, or local copies together in a zip for
anyone that wants to look at them:
https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspi
roamor-land-ru-trojan.zip
Useful tool to examine binaries:
http://hte.sourceforge.net/
_________________________________________
SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
SANS top instructors. http://www.sans.org/info/9346
[end]
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
--
Attila-Mihaly BALAZS
Virus Researcher
BitDefender
------------------------------
Email: [EMAIL PROTECTED]
Phone: +40 264 443 008
------------------------------
www.bitdefender.com
--
The content of this message and attachments are confidential and are
classified as BitDefender's Proprietary Information. The content of
this message is intended solely for the use of the individual or entity
to whom it is addressed and others authorized to receive it. If you are
not the intended recipient you are hereby notified that any disclosure,
copying, distribution or taking any action based on this information are
strictly prohibited and may be precluded by law. If you have received
this message in error, please notify us immediately and then delete it
from your system. BitDefender SRL is neither liable for the proper and
complete transmission of the information contained in this message nor
for any delay in its receipt.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
