Wednesday, August 13, 2008

Fake CNN Alerts: Breaking news

Today I received another fake "CNN Alerts" news email with the subject "CNN Alerts: Breaking news"; when the link is clicked, it downloads "adobe_flash.exe". In the following, I test web reputation services (most are not live analysis) and AV scanners separately.

The fake "CNN Alerts: Breaking news" email and its source code are shown below (screenshots):

After clicking the link, the page displays as below:



==Web Reputation Service Testing==

Google Search CANNOT find it, as shown below:

McAfee SiteAdvisor CANNOT find it, as shown below:

Trend Micro WRS CANNOT find it, as shown below:

Finjan URL analysis CANNOT find it, as shown below:

Dr.Web URL analysis CANNOT find it, as shown below:

Exploit Prevention Labs' LinkScanner CAN find it, as shown below:

Symantec Safe Web CANNOT find it, as shown below:



==AV Scanner Testing==

The following test result is from VirusTotal (14/36 (38.89%)):

File adobe_flash.exe-1 received on 08.13.2008 00:18:58 (CET)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Dldr.Exchanger.DW
Authentium - - -
Avast - - -
AVG - - Downloader.Agent.AJFH
BitDefender - - Trojan.Downloader.Exchanger.Gen.2
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - Trojan.DownLoad.3248
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - W32/PolyExchanger.A!tr
GData - - -
Ikarus - - Trojan-Downloader.Exchanger.Gen.2
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Exchanger.mn
McAfee - - -
Microsoft - - Trojan:Win32/Tibs.gen!K
NOD32v2 - - a variant of Win32/Agent.ETH
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - Malware Dropper
Rising - - -
Sophos - - Mal/EncPk-DA
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Dldr.Exchanger.DW
Additional information
MD5: 06bd0701d470475d32c6d98a0c685e4b
SHA1: 0e1a02834b931a5d34d684f7708c918e0c8fa187
SHA256: a629c6ea28327a467e666a2a7d5a5ccc3194858b2217f608431b98dff268c2d9
SHA512: cf15fc7e1a26ef63cf7a1483b4a50a52deaae00a3f2667acf3d3396985dfbf20ba2033a0081656d5463de640116fc7ec49019683f63123afd3dd0d23e790710f

The following test result is from VirusTotal (10/33 (30.30%)):

File update.htm-malscript received on 08.13.2008 04:26:00 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 HEUR/HTML.Malware
Authentium 5.1.0.4 2008.08.12 JS/Agent.FA
Avast 4.8.1195.0 2008.08.12 -
AVG 8.0.0.161 2008.08.12 Downloader.Zlob.HTML
BitDefender 7.2 2008.08.13 Trojan.HTML.Zlob.Y
CAT-QuickHeal 9.50 2008.08.12 HTM/Zlob.GEN.2
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.12 JS.Agent.ib.
eTrust-Vet 31.6.6029 2008.08.13 -
Ewido 4.0 2008.08.12 -
F-Prot 4.4.4.56 2008.08.12 JS/Agent.FA
Fortinet 3.14.0.0 2008.08.12 JS/Zlob!tr.dldr
GData 2.0.7306.1023 2008.08.13 -
Ikarus T3.1.1.34.0 2008.08.13 Trojan.HTML.Zlob.Y
K7AntiVirus 7.10.412 2008.08.12 -
Kaspersky 7.0.0.125 2008.08.13 -
McAfee 5359 2008.08.12 -
Microsoft 1.3807 2008.08.13 -
NOD32v2 3350 2008.08.12 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.12 -
Prevx1 V2 2008.08.13 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.13 -
Sunbelt 3.1.1542.1 2008.08.13 -
TheHacker 6.3.0.3.046 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
ViRobot 2008.8.12.1333 2008.08.12 -
VirusBuster 4.5.11.0 2008.08.12 -
Webwasher-Gateway 6.6.2 2008.08.13 Heuristic.HTML.Malware
Additional information
File size: 20881 bytes
MD5: f610dd6607641f7de0a0e504147534a1
SHA1: 27c52ffd95c799a787c081f3a55cbf61a4b9e528
SHA256: 56086eb41f081f1b7faea2807082097a0b677858a45336edd30e6a756c69afae
SHA512: 78395acdb375c97692110fc0f263a07f5b173cc443e6c0d688af4dc9774927d37fcb3ea7eca617c42d14fe7001b9f68e5242594e60443fd5722894182de47fc7
PEiD: -
PEInfo: -
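The two VirusTotal tables above are pasted in a flattened one-row-per-line form, and a naive split breaks on results that themselves contain dashes or spaces ("(Suspicious) - DNAScan", "a variant of Win32/Agent.ETH"). The parser below is an added example (not VirusTotal's own output format code) that recomputes the detected/total headline from a constructed excerpt of the first table and separates named signatures from heuristic verdicts; the keyword list used to spot heuristic verdicts is an assumption.

```python
import re

# Constructed excerpt of the VirusTotal table quoted above, in its flattened
# "Vendor Version LastUpdate Result" line format (added example, not VT output).
VT_ROWS = """Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Dldr.Exchanger.DW
CAT-QuickHeal - - (Suspicious) - DNAScan
eSafe - - Suspicious File
NOD32v2 - - a variant of Win32/Agent.ETH
Prevx1 V2 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.12 -"""

# Assumed markers of a heuristic/generic verdict rather than a named signature
HEURISTIC_HINT = re.compile(r"suspicious|heur|generic|malware", re.I)

def parse_vt(text):
    """Parse flattened rows into dicts. Vendor names contain no spaces, so the
    first three whitespace-separated fields are vendor/version/update and the
    remainder is the result, which may itself contain spaces and dashes
    ("(Suspicious) - DNAScan"); a lone "-" means no detection."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue  # skip blank lines and the header row
        vendor, version, updated, result = parts
        result = result.strip()
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows

def detection_summary(rows):
    """Recompute the 'detected/total (rate%)' headline VT prints, and list
    which engines fired only heuristically."""
    hits = [r for r in rows if r["result"]]
    heuristic = [r["vendor"] for r in hits if HEURISTIC_HINT.search(r["result"])]
    return {
        "detected": len(hits),
        "total": len(rows),
        "rate": round(100.0 * len(hits) / len(rows), 2) if rows else 0.0,
        "detecting": [r["vendor"] for r in hits],
        "heuristic": heuristic,
    }

if __name__ == "__main__":
    print(detection_summary(parse_vt(VT_ROWS)))
```

Run against the full 36-row table above, the same code reproduces the 14/36 (38.89%) figure quoted in the post.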

After execution, this malware exhibits the following behaviors:

[Added process]
C:\WINDOWS\System32\CbEvtSvc.exe

[DLL injection]
C:\Program Files\Internet Explorer\setupapi.dll

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\9ndb39.exe
C:\Documents and Settings\Administrator\Desktop\adobe_flash.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bvp[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\metai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\update[1].htm
C:\Documents and Settings\LocalService\Application Data\521632863.exe
C:\Documents and Settings\LocalService\Application Data\633968421.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\12scan2[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WDWHWPH6\fg[1].exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\5a92b36c.sys (Rootkit Behavior)
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\AB.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp
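Several of the behaviors above are recognisable defender-side indicators on their own: a service whose command line uses svchost's "-k netsvcs" convention but whose image is not svchost.exe, a copy of the system DLL setupapi.dll planted beside iexplore.exe (DLL search-order hijacking), a driver with a random hex name, and an executable dropped in the drive root. The script below is an added example, not part of the post or of any sandbox product, that parses a constructed excerpt of the report in its bracketed format and flags those patterns; the rule set and the SYSTEM_DLLS list are assumptions.

```python
import re

# Constructed excerpt of the sandbox behavior report shown above (bracketed
# sections, one path or KEY: value per line). The triage rules are added here
# and are not from the original post.
REPORT = r"""[Added service]
NAME: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\9ndb39.exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\5a92b36c.sys
C:\WINDOWS\Temp\AB.tmp
"""

# Windows DLL names that legitimately live in System32; a copy next to an
# application binary is a classic DLL search-order hijack (assumed list).
SYSTEM_DLLS = {"setupapi.dll"}

def parse_report(text):
    """Return {section: [lines]} from the bracketed report format."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    """Apply defender-side rules to a parsed report; returns (rule, path) pairs."""
    s, findings = parse_report(text), []
    for entry in s.get("Added service", []):
        if entry.startswith("FILE:"):
            cmd = entry[5:].strip()
            image = cmd.split(" -", 1)[0]  # image path before the first " -flag"
            # "-k <group>" is svchost.exe's argument convention; any other image
            # using it is posing as a service-host group (here: netsvcs).
            if " -k " in cmd and not image.lower().endswith("\\svchost.exe"):
                findings.append(("svchost-style service with non-svchost image", image))
    for path in s.get("Added file", []):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_DLLS and "\\system32\\" not in low:
            findings.append(("system DLL planted outside System32", path))
        if "\\drivers\\" in low and re.fullmatch(r"[0-9a-f]{8}\.sys", name):
            findings.append(("driver with random hex name", path))
        if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", low):
            findings.append(("executable dropped in drive root", path))
    return findings
```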

