i've been seeing this style of chinese loader (so called because all of the 
samples come from .cn space and point back to .cn space) for a while now. 
this is one "family" of two or three. they all load a lot of EXEs on the 
box, many of which are similar.

here's the config URL:

hxxp://60.190.114.235/ssl.txt

it yields:

most of the samples are live. what i'm curious about is if anyone has any 
more info on the loader. like i said, i have dozens of these in my 
repository, and i have a lot of traces and technical info on it. what i don't 
have is anything in the forums or the .cn malcode community on it.

most of what gets installed are infostealers. some bots at times. 

-- 
________
jose nazario, ph.d.                 http://monkey.org/~jose/        
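Added example, not from the post or its author: the loader described above pulls a plain-text config that lists one payload URL per line, so a defender can parse that format into a host/path list and then look for the traffic it produces, a single host fetching several .exe files from sibling hosts under one parent domain. The config text, the hostnames, and the "src_ip url" proxy log format below are all constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the loader config described in the post: a plain
# text file, one payload URL per line. Hosts and paths are placeholders.
SAMPLE_CONFIG = """\
hxxp://aa1.loader.example/sce1.exe
hxxp://aa1.loader.example/sce2.exe
hxxp://aa2.loader.example/sce3.exe
hxxp://aa3.loader.example/sce4.exe
not a url
"""
# Constructed proxy log lines in a hypothetical "src_ip url" format.
SAMPLE_LOG = [
    "10.0.0.5 http://aa1.loader.example/sce1.exe",
    "10.0.0.5 http://aa1.loader.example/sce2.exe",
    "10.0.0.5 http://aa2.loader.example/sce3.exe",
    "10.0.0.9 http://aa1.loader.example/sce1.exe",
]
PAYLOAD_RE = re.compile(r"^h(?:xx|tt)p://[^\s/]+/\S+\.exe$", re.IGNORECASE)

def parse_config(text):
    """Split a one-URL-per-line config into (valid_urls, rejected_lines).
    Defanged hxxp:// lines are normalised to http:// for log matching."""
    valid, rejected = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if PAYLOAD_RE.match(line):
            valid.append("http://" + line.split("://", 1)[1])
        else:
            rejected.append(line)
    return valid, rejected

def parent_domain(host):
    """aa1.loader.example -> loader.example: the sibling hosts share a parent."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host

def flag_download_bursts(log_lines, threshold=3):
    """Source IPs that pulled >= threshold distinct .exe files from hosts under
    one parent domain, which is what a loader working through its list looks like."""
    seen = defaultdict(set)
    for line in log_lines:
        src, url = line.split(maxsplit=1)
        parts = urlsplit(url)
        if parts.path.lower().endswith(".exe"):
            seen[(src, parent_domain(parts.hostname))].add(url)
    return {src for (src, _), urls in seen.items() if len(urls) >= threshold}
```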
_______________________________________________
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets