Sponsored by..

Wednesday 19 December 2012

Malware sites to block 19/12/12

This group of sites appears to be using a fake AV applications to download a malicious file scandsk.exe (report here) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).

This is a screenshot of the fake AV in action:


From this point, the scandsk.exe gets download either through an exploit or social engineering. This executable looks like some sort of downloader, which attempt to pull down additional data from these non-responding domains:

report.q7ws17sk1ywsk79g.com
report.7ws17sku7myws931u.com
report.u79i1qgmywskuo9o.com

There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent [1] [2] [3] but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:

inetnum:        46.105.131.120 - 46.105.131.127
netname:        marysanders1
descr:          marysanders1net
country:        IE
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go.com registered in China which has been fingered as an attack site before (e.g. here, click at your own risk). I would recommend blocking the entire 46.105.131.120/29 to be on the safe side.

The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo.com, ez.lv and zyns.com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches.

79.133.196.103 is part of small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.

Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo.com
ez.lv
zyns.com

Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here.

82.103.140.100
www2.x49v36a57puq66.ez.lv
www2.tpzqzg4k2scre0.mooo.com
www2.afc5l4vfohgsz0.mooo.com
www2.f4t9jm7x21.mooo.com
www2.q9iuiwcoq2uvy-2.mooo.com
www2.wwml9bvprhllq2.mooo.com
www2.cjpujub6n0e5u2.mooo.com
www2.t-hih2cnpkpjy2.mooo.com
www2.afbsv8ooj-3.mooo.com
www2.yhqgj6kntn9ru3.mooo.com
www2.q-5f75azo15f214.mooo.com
www2.pbsx2znwccc9a4.mooo.com
www2.wa9bb2z4r3ojz-5.mooo.com
www2.abjbxt7a65.mooo.com
www2.fmrmta0nhmql95.mooo.com
www2.xkpcakk8fnvp95.mooo.com
www2.l6gbfb6l5.mooo.com
www2.ewl91b7p86.mooo.com
www2.uwgsohupxy1de6.mooo.com
www2.g-gq0soprruf5h6.mooo.com
www2.m7yzf62rp6.mooo.com
www2.vov9fsmlyq9257.mooo.com
www2.r2qrxdwo979vj7.mooo.com
www2.j9qm7o00stdyx7.mooo.com
www2.laysltotae8xd8.mooo.com
www2.wp0poz3aq7a7q8.mooo.com
www2.lisbp4cv0v6w09.mooo.com
www2.a50oup6hw0u9c9.mooo.com
www2.pa68ewk9fuqoe9.mooo.com
www2.ohcaob1cffx4l9.mooo.com
www2.g-gysij61cwkkr9.mooo.com
www2.j-8pdx3cfjxgba.mooo.com
www2.h-3aq08aicxn2c.mooo.com
www2.i-7w3rj3j54msmc.mooo.com
www2.j94ysol4em1jd.mooo.com
www2.b5nxk76wnd.mooo.com
www2.r-72i3awaqe.mooo.com
www2.e1k6twcnwqkueh.mooo.com
www2.l00mfws4y9p7ci.mooo.com
www2.l-30w3ulnwvj0qi.mooo.com
www2.z9tbs222g9unk.mooo.com
www2.g-3hww04s0mv5mn.mooo.com
www2.d-9w6t7gvgqm1o.mooo.com
www2.v3sinde9go.mooo.com
www2.l926nykwyj27mo.mooo.com
www2.e8dp78999hr5u.mooo.com
www2.y-8ppqnq8kglsou.mooo.com
www2.k79jcizh268qu.mooo.com
www2.v-9ifaa40v4bu1w.mooo.com
www2.p-2l65dl6w.mooo.com
www2.w15s6udfkhp5ry.mooo.com
www2.jjiqnfn6gj5ht-0.ez.lv
www2.z1jdd6o1e1kss0.ez.lv
www2.h-ccawkohe3qpi3.ez.lv
www2.hzyr7bh8gok2p4.ez.lv
www2.djti1cxaiz9wk5.ez.lv
www2.i-lojtegi396u5.ez.lv
www2.zgurkoad-7.ez.lv
www2.z26df3ueq3j2t7.ez.lv
www2.u263xcu8.ez.lv
www2.kyumtava8e6qv-9.ez.lv
www2.vn6wbwn7abt319.ez.lv
www2.w-5e04vjusiibj9.ez.lv
www2.n9vrk7p00g.ez.lv
www2.t3fjazatb9yov.ez.lv

79.133.196.103
www1.d6kpgdkvrolql3.zyns.com
www1.v7cqv8zdy4pjn5.mooo.com
www1.gno1meqrlspf5-0.zyns.com
www1.ibtu6x7oi3278-0.zyns.com
www1.b95ixcr30.zyns.com
www1.z-xq6xi2p7yx60.zyns.com
www1.p-aijej0.zyns.com
www1.jzyycis0.zyns.com
www1.u1wfjjs0.zyns.com
www1.h7xwv84x1huu0.zyns.com
www1.o-3xvokohw0.zyns.com
www1.fetmg6oukfvvw0.zyns.com
www1.wxe3vgvuk6th-1.zyns.com
www1.nuiq1hvmga2d11.zyns.com
www1.w5ndppqbx3p21.zyns.com
www1.u8r2a5xfb0xp51.zyns.com
www1.gbrl4es5xro4b1.zyns.com
www1.z-gfckpx0nst8c1.zyns.com
www1.ma5x4qfhh1.zyns.com
www1.ps61hen1.zyns.com
www1.cvhc6cr1.zyns.com
www1.ucfjffrizboz1.zyns.com
www1.vlza5kzj32.zyns.com
www1.cutyfk82tkfc52.zyns.com
www1.p3gn08hp62.zyns.com
www1.xa9xfs70sn92.zyns.com
www1.tt4h8odbcfxtq2.zyns.com
www1.j8qi8gl3d5jpv2.zyns.com
www1.iatjl4x2.zyns.com
www1.zqclyyon8-3.zyns.com
www1.c4w46c-3.zyns.com
www1.iu3b7pys9yah23.zyns.com
www1.veduncogo0u683.zyns.com
www1.bq1la1lcr3.zyns.com
www1.sm30hwbrxb5az3.zyns.com
www1.osxzdpb-4.zyns.com
www1.e1xyho-4.zyns.com
www1.h5yqudc184.zyns.com
www1.bctzuagte4.zyns.com
www1.gr56vr5wxvg7n4.zyns.com
www1.m5sfchcmj27cq4.zyns.com
www1.l1rtz0zaj4fnq4.zyns.com
www1.y-4an259ivs7vq4.zyns.com
www1.t8lkv8y4.zyns.com
www1.ycj49f-5.zyns.com
www1.o31omt35.zyns.com
www1.w032ang27l9d55.zyns.com
www1.x-96pxhseft8vo5.zyns.com
www1.p8yzcs8ch-6.zyns.com
www1.dhapuz06.zyns.com
www1.k-1m2fwr1zkha6.zyns.com
www1.rqc6n0zob6.zyns.com
www1.uicqviiewuukp6.zyns.com
www1.y4fyk9kw4e0lu6.zyns.com
www1.nbv4tzxo9452-7.zyns.com
www1.a6f4udb912c49-7.zyns.com
www1.ao3r3psunacd-7.zyns.com
www1.b7k6w2pnmz127.zyns.com
www1.i-vmtcr70kg2up7.zyns.com
www1.j-2qw3j92dq8x7.zyns.com
www1.yhxt4s4j78ry7.zyns.com
www1.frmbxxqc875pj-8.zyns.com
www1.axttts-8.zyns.com
www1.w-5z76xligg58.zyns.com
www1.scowhjo755l6d8.zyns.com
www1.br3u9dxxar5td8.zyns.com
www1.y5nxjxm8.zyns.com
www1.b6bu6gh1zcp8.zyns.com
www1.tnluwilt6mp2-9.zyns.com
www1.nnn17u67qzt219.zyns.com
www1.agdd43g049.zyns.com
www1.bcg6p4ctazktc9.zyns.com
www1.yoioas053gtbe9.zyns.com
www1.a-rra5zgikgcf9.zyns.com
www1.sx5egikt2kmqf9.zyns.com
www1.du3ikfh9.zyns.com
www1.f-5uhlm9.zyns.com
www1.xfrqbmljcp48n9.zyns.com
www1.r-aaqewzo8mp9.zyns.com
www1.jllt99r0v9.zyns.com
www1.uyi3rupgv9pdw9.zyns.com
www1.g8z0v3j7gwd7of.zyns.com
www1.v-1ou2ri1zrg0qf.zyns.com
www1.j02zhivh.zyns.com
www1.m0xqnb0l4j.zyns.com
www1.p5yte9ud3fbxbj.zyns.com
www1.o-2kuc2s8nkirik.zyns.com
www1.c58qlq5xcj0jrl.zyns.com
www1.v6r445h3ffl3m.zyns.com
www1.y-1gh1dkd6m.zyns.com
www1.b5sfmondbm.zyns.com
www1.d0mprkrn.zyns.com
www1.m8gnbsm902rx1p.zyns.com
www1.q-1nvlobckqmv9q.zyns.com
www1.j8o4hnar.zyns.com
www1.a4d2od4p7wyxas.zyns.com
www1.w2up72la0jj4fs.zyns.com
www1.p-7mmwht.zyns.com
www1.b-8zowxdx7c9mt.zyns.com
www1.x6nal9syket14u.zyns.com
www1.q7l2p44v81oyxw.zyns.com
www1.x-1qeru80ijr0yw.zyns.com
www1.k2o7ux378x.zyns.com
www1.y-34sc9n3kutsy.zyns.com
www1.q3nxdktdixzfzy.zyns.com
www1.t7nh3q177z.zyns.com

1 comment:

unixfreaxjp said...

Hello Conrad, I am from #MalwareMustDie, just analyzed the payload and put comments on VT here: [VT(18/45) Link]
The payload binary pic snapshot is here: Orig. Binary Pic
Details on reversing is here: Go to pastebin text

I hope these are helping!

#MalwareMustDie!