Wednesday, December 23, 2009

ebnvnos.com - Flash and Java vulnerabilities in the wild - Waledac - part 0

The domain ebnvnos.com seems to be related to one of the spreading stages, which exploits something in Adobe Flash Player and Java. The usual robtex screenshot helps to learn a bit more about it:

[robtex screenshot]

Whois 217.23.12.79:

inetnum: 217.23.12.0 - 217.23.12.255
netname: WORLDSTREAM
descr: WorldStream IPv4.19
country: NL
admin-c: WS1670-RIPE
tech-c: WS1670-RIPE
status: ASSIGNED PA
mnt-by: MNT-WORLDSTREAM
source: RIPE # Filtered

role: WORLDSTREAM DBM
address: Honderdland 111F
address: 2676LT Maasdijk
phone: +31174712117
fax-no: +31174512310
e-mail: info@worldstream.nl
admin-c: DV1495-RIPE
tech-c: DV1495-RIPE
nic-hdl: WS1670-RIPE
mnt-by: MNT-WORLDSTREAM
source: RIPE # Filtered


The malicious URL is:
hzzzzzzp://ebnvnos.com/lib1/ (search and replace hzzzzzzp with http at your risk)

A peculiarity of this site is that once you request the URL shown, you must wait an undisclosed time before making further HTTP requests. It can be inferred that the operator uses a "hit and run" approach to make behaviour analysis more difficult. On subsequent requests for the URL, the HTTP session is redirected to Google.

Wireshark was used to keep track of the facts. In this way an exploit page was discovered that tries to load three resources:

- a Java class named isWith.class
- an SWF object named ametMany.swf
- another SWF object named goingBook.swf

The following screenshots show the HTTP traffic related to the three objects above.

An extract of the exploit code:

[screenshot]

The HTTP requests once the exploit is run:

[screenshot]

For a quick analysis, wepawet was used on goingBook.swf with the following result:
http://wepawet.cs.ucsb.edu/view.php?hash=3e107aa57b86deea966ab75c587f310b&type=swf

With a reference to VirusTotal:
http://www.virustotal.com/analisis/9916df6c1e603ec297ee0489ef8774cce263860b48c2faf93917739d3ac6afe5-1261592005

A not-so-good analysis by Anubis:
http://anubis.iseclab.org/?action=result&task_id=152965b4ce503e7b4b9f2caf56bddf37b&format=html

Anubis' HTTP requests appear to be filtered by the host above.

Using an exploitable system and calling the malicious URL above, the following binaries were dropped:

_ex-08.exe (md5 708aa73ace4e76988b8f295a2ed619cb)
http://www.threatexpert.com/report.aspx?md5=708aa73ace4e76988b8f295a2ed619cb
Of interest is the list of IPs contacted by the binary above (one row per host, in the "AS | IP | AS Name" format of the Cymru whois service):


(generated with the support of the Cymru whois service)
These look like a fast-flux architecture.
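To make the fast-flux inference above repeatable, here is an added example (not code from the original post) that parses a Cymru-style "AS | IP | AS Name" listing and summarises how many ASes and /16 prefixes the contacted hosts span; a C2 hosted on a few servers clusters tightly, while fast-flux peers spread across many consumer ISPs. The sample input is a short excerpt of the listing in the post, and the thresholds in looks_like_fastflux are assumptions, not values from the post.

```python
"""Summarise a Team Cymru style 'AS | IP | AS Name' listing to judge
whether a set of contacted IPs looks like a fast-flux peer set."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: an excerpt of the listing in the post, in the
# pipe-separated format produced by the Cymru whois service.
SAMPLE = """AS | IP | AS Name
1221 | 58.164.81.97 | ASN-TELSTRA Telstra Pty Ltd
4766 | 112.166.68.146 | KIXS-AS-KR Korea Telecom
4766 | 121.131.83.41 | KIXS-AS-KR Korea Telecom
9318 | 114.201.176.206 | HANARO-AS Hanaro Telecom Inc.
17858 | 124.50.100.62 | KRNIC-ASBLOCK-AP KRNIC
22258 | 98.239.53.112 | COMCAST-22258 - Comcast Cable Communications Holdings, Inc
"""


def parse_cymru(text):
    """Return a list of (asn, ip, as_name) tuples, skipping the header
    and any malformed line (e.g. an IP with no route, shown as 'NA')."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), ip_address(parts[1]), parts[2]))
    return rows


def summarise(rows):
    """Hosts per AS and distinct /16 prefixes; many ASes and prefixes for
    one binary's peer list is the spread typical of fast-flux."""
    per_as = Counter(asn for asn, _, _ in rows)
    prefixes = {ip_network(f"{ip}/16", strict=False) for _, ip, _ in rows}
    return {
        "hosts": len(rows),
        "distinct_as": len(per_as),
        "distinct_16": len(prefixes),
        "top_as": per_as.most_common(3),
    }


def looks_like_fastflux(rows, min_as=5, min_hosts=20):
    """Heuristic flag; min_as/min_hosts are assumed thresholds."""
    s = summarise(rows)
    return s["hosts"] >= min_hosts and s["distinct_as"] >= min_as


if __name__ == "__main__":
    print(summarise(parse_cymru(SAMPLE)))
```

Run it over the full listing from the post (or your own Cymru bulk-whois output) to get the AS breakdown; with the six-row excerpt the host count is below the assumed threshold, so the flag is only raised when the thresholds are lowered.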

32782224.exe (md5 770199bb1a8aa78ccccd135656cc8ca7)
http://www.threatexpert.com/report.aspx?md5=770199bb1a8aa78ccccd135656cc8ca7

153.exe (md5 9d702b6292dff05453fb475a08842a2c)
http://www.threatexpert.com/report.aspx?md5=9d702b6292dff05453fb475a08842a2c
This binary may be evidence of the Waledac connection.
