Thursday, September 4, 2008

The Analysis of a Malicious Link

The analysis of the following is related to a malicious link in some Taiwan web site.


(Above picture is a malicious web site)


(Above picture is the web page's source code of the malicious link)

==The following focus on Web Reputation Service Testing==

Armorize HackAlert CAN find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



Wireshark captures files downloaded as below:



==The following focus on AV Scanners Testing==

File index.htm_ received on 09.02.2008 15:18:50 (CET)

Result: 2/36 (5.56%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 HEUR/HTML.Malware
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.01 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.01 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.01 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.02 Heuristic.HTML.Malware

Additional information
File size: 1426 bytes
MD5…: 9c0247737546316b5dd8e4a4a491888e
SHA1..: bb20aeea0bd2e0f5b90aa4a54643e6439cd4bfc9
SHA256: 233d1d9d450b34d3ade2101dcf999a7bcf7685620c6b2864775095b896e55b67
SHA512: 6f92636d043226aa3f14aa3596ec4bd17ac840d956fe6ae67ff36461672ea5c2
50ea5c75acc0921753636b990a5c82ab25baa676e267bf243b23071997232275
PEiD..: -
TrID..: File type identification
HyperText Markup Language (100.0%)
PEInfo: -

File sytes_1_.exe-1 (the original file name is sytes.exe) received on 09.02.2008 22:33:10 (CET)

Result: 19/36 (52.78%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Spy.Gen
Authentium - - W32/Heuristic-KPP!Eldorado
Avast - - -
AVG - - Generic11.POT
BitDefender - - Generic.Malware.Fdldg.F895E7CB
CAT-QuickHeal - - Trojan.SystemHijack.gen
ClamAV - - -
DrWeb - - Trojan.DownLoad.4228
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Heuristic-KPP!Eldorado
F-Secure - - Trojan-Downloader.Win32.Agent.aevv
Fortinet - - -
GData - - Trojan-Downloader.Win32.Agent.aevv
Ikarus - - Virus.Win32.Agent.UWD
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Agent.aevv
McAfee - - -
Microsoft - - Trojan:Win32/SystemHijack.gen
NOD32v2 - - probably a variant of Win32/Genetik
Norman - - -
Panda - - Suspicious file
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - Mal/Heuri-D
Sunbelt - - -
Symantec - - Downloader
TheHacker - - -
TrendMicro - - PAK_Generic.001
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Spy.Gen

Additional information
MD5: c09cf4992d2d578e27814bc030c1ecf1
SHA1: 9f31efd2842b8460a3ad848761aedc4b7ea8f4a2
SHA256: d1c2cb0da0e2e7b8fc07ce9c2feb5e709380b5a610fe9b4009d4afa57767ead0
SHA512: 9a55e9143c433872a665606102274df67bcb4fc91f8ad37ba73eab05a367e9c5e6bd8807e406bc99aeeed21cdd7ae61674c5edde7b63071219f2aa77a013dff0

After executed, it has the following behaviors:

[Added service]
NAME: TopDriver
DISPLAY: DeskDrivers
FILE: C:\WINDOWS\system32\explsore.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bd[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\of[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uc[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\reg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sytes[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ie[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\stat[1].htm
C:\WINDOWS\system32\explsore.exe


No comments: