Thursday, September 11, 2008

MEDTECS Taiwan Web Site has malicious links inserted

The MEDTECS Taiwan web site has had malicious links inserted into it; the malware those links lead to is Trojan.Asprox.

The home page of the MEDTECS Taiwan web site is shown below:

The home page above contains the malicious link shown below:

The malicious script is shown below:

==The following focuses on Web Reputation Service Testing==

Google Search CAN detect it as below:



Armorize HackAlert CAN detect it as below:



McAfee SiteAdvisor CANNOT detect it as below:



Trend Micro WRS CANNOT detect it as below:



finjan URL analysis CANNOT detect it as below:



Dr.Web URL analysis CANNOT detect it as below:



Exploit Prevention Labs' LinkScanner CANNOT detect it as below:



Symantec Safe Web CAN detect it as below:



After execution, it exhibits the following behaviors:

[Added process]
C:\WINDOWS\system32\aspimgr.exe

[Added service]
NAME: aspimgr
DISPLAY: Microsoft ASPI Manager
FILE: C:\WINDOWS\system32\aspimgr.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\_check32.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\ws386.ini

==The following focuses on AV Scanner Testing==

File script.js-malscript received on 09.11.2008 11:46:44 (CET)

Result: 4/36 (11.11%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.11 -
AntiVir 7.8.1.28 2008.09.11 -
Authentium 5.1.0.4 2008.09.11 HTML/Iframe.A!Camelot
Avast 4.8.1195.0 2008.09.10 -
AVG 8.0.0.161 2008.09.10 -
BitDefender 7.2 2008.09.11 -
CAT-QuickHeal 9.50 2008.09.11 -
ClamAV 0.93.1 2008.09.11 -
DrWeb 4.44.0.09170 2008.09.11 -
eSafe 7.0.17.0 2008.09.10 -
eTrust-Vet 31.6.6084 2008.09.11 -
Ewido 4.0 2008.09.10 -
F-Prot 4.4.4.56 2008.09.10 -
F-Secure 8.0.14332.0 2008.09.11 HTML/Exploit!IFrame.G
Fortinet 3.113.0.0 2008.09.11 -
GData 19 2008.09.11 -
Ikarus T3.1.1.34.0 2008.09.11 -
K7AntiVirus 7.10.450 2008.09.10 -
Kaspersky 7.0.0.125 2008.09.11 -
McAfee 5381 2008.09.10 -
Microsoft 1.3903 2008.09.11 Trojan:JS/Redirector.N
NOD32v2 3429 2008.09.09 -
Norman 5.80.02 2008.09.11 HTML/Exploit!IFrame.G
Panda 9.0.0.4 2008.09.10 -
PCTools 4.4.2.0 2008.09.10 -
Prevx1 V2 2008.09.11 -
Rising 20.61.32.00 2008.09.11 -
Sophos 4.33.0 2008.09.11 -
Sunbelt 3.1.1624.1 2008.09.11 -
Symantec 10 2008.09.11 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.11 -
VBA32 3.12.8.5 2008.09.10 -
ViRobot 2008.9.11.1373 2008.09.11 -
VirusBuster 4.5.11.0 2008.09.10 -
Webwasher-Gateway 6.6.2 2008.09.11 -

Additional information
File size: 167 bytes
MD5...: 4247a10cd92d62d2a42daf9ea0441996
SHA1..: 320b19ade7d54cd610b3be788f6657ac91ee0d0e
SHA256: c3efcfc683c5777e4702ab443136c8f780cd78638030851616afb460c35b6b32
SHA512: 33df9bfb9825b689195a60459aa15889902f55308a9e2d7059884de393e7e2baf21b1bd8915095dcfd496f3e2f782c90d521c79784734a82ff713af1ec98446d
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -

File aspimgr.exe received on 09.10.2008 18:34:58 (CET)

Result: 18/36 (50.00%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.10 -
AntiVir 7.8.1.28 2008.09.10 -
Authentium 5.1.0.4 2008.09.10 W32/NewMalware-Rootkit-I-based!Maximus
Avast 4.8.1195.0 2008.09.10 Win32:Agent-GPS
AVG 8.0.0.161 2008.09.10 BackDoor.Small.54.I
BitDefender 7.2 2008.09.10 Backdoor.Agent.1
CAT-QuickHeal 9.50 2008.09.10 -
ClamAV 0.93.1 2008.09.10 -
DrWeb 4.44.0.09170 2008.09.10 -
eSafe 7.0.17.0 2008.09.10 -
eTrust-Vet 31.6.6082 2008.09.10 Win32/Danmec!generic
Ewido 4.0 2008.09.10 -
F-Prot 4.4.4.56 2008.09.09 W32/NewMalware-Rootkit-I-based!Maximus
F-Secure 8.0.14332.0 2008.09.10 Backdoor.Win32.Agent.rfz
Fortinet 3.112.0.0 2008.09.10 -
GData 19 2008.09.10 Backdoor.Win32.Agent.rfz
Ikarus T3.1.1.34.0 2008.09.10 Virus.Win32.Agent.GPS
K7AntiVirus 7.10.450 2008.09.10 -
Kaspersky 7.0.0.125 2008.09.10 Backdoor.Win32.Agent.rfz
McAfee 5380 2008.09.09 Proxy-Agent.af.gen
Microsoft 1.3903 2008.09.10 Backdoor:Win32/Agent.ACG
NOD32v2 3429 2008.09.09 probably a variant of Win32/Agent.NEQ
Norman 5.80.02 2008.09.10 -
Panda 9.0.0.4 2008.09.09 -
PCTools 4.4.2.0 2008.09.10 Trojan.Damnec.Gen
Prevx1 V2 2008.09.10 -
Rising 20.61.22.00 2008.09.10 -
Sophos 4.33.0 2008.09.10 -
Sunbelt 3.1.1616.1 2008.09.09 -
Symantec 10 2008.09.10 Trojan.Asprox
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.10 Mal_Asprox
VBA32 3.12.8.5 2008.09.10 suspected of Trojan-PSW.Pinch.10 (paranoid heuristics)
ViRobot 2008.9.10.1371 2008.09.10 -
VirusBuster 4.5.11.0 2008.09.10 Trojan.Damnec.Gen
Webwasher-Gateway 6.6.2 2008.09.10 -

Additional information
File size: 86016 bytes
MD5...: 3f9f89d46a837b98cce7b111b77a4bd0
SHA1..: fd6ceeb472a85ebb63d3388eea73d817c211743d
SHA256: 1d9dac4e247a79f6395c52f88c1b4216b06115468786a0dc2fad52a0c3e0cb7d
SHA512: e63a3b6ab7b43b7fd9a8700def0a1d638a810af0bc8c47485c2114e90993b9e814f8f45e556b8918aae35e5f3d7c706d08ba530465b896a02afd537ba30b17ce
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40d5a6
timedatestamp.....: 0x48c4c985 (Mon Sep 08 06:43:17 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc6e4 0xd000 6.36 0338632724a92a1815238090c4369794
.rdata 0xe000 0x66e 0x1000 2.39 063ae8b57dd1310e48bd9aa7cc45e386
.data 0xf000 0x4ee84 0x5000 5.79 5dd472b5b7732f62724237fee4f8bb23
.rsrc 0x5e000 0x408 0x1000 1.10 770474c641b722d2a41d098dbd5bb7d6

( 3 imports )
> KERNEL32.dll: lstrcpynA, lstrlenA, lstrcpyA, lstrcatA, Sleep, GetLastError, HeapFree, GetProcessHeap, HeapAlloc, GetProcAddress, LoadLibraryA, GetModuleHandleA, LeaveCriticalSection, EnterCriticalSection, lstrcmpA, lstrcmpiA, FreeLibrary, GlobalFree, GlobalAlloc
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, atol, _strlwr, _itoa, strcpy, _beginthread, _endthread, sscanf, strstr, memset, atoi, memcpy, free, malloc, fclose, fwrite, fopen, strncmp, memmove, strlen, isspace, strchr

( 0 exports )
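
The PEInfo block above reports, per section, the virtual address, sizes, a Shannon entropy value ("ntrpy") and an MD5, plus a decoded timedatestamp. The script below is an added example, not code from the original post or from VirusTotal; it reimplements those fields with a minimal PE section-header reader so that the same numbers can be reproduced on any sample. The tiny two-section PE image built in `build_sample_pe()` is constructed here for illustration (it contains no real code), and the function names are this example's own.

```python
"""Reproduce PEInfo-style section entropy, MD5 and timestamp fields.

Added example (not part of the original post). Works on any PE file;
build_sample_pe() fabricates a minimal image so the script runs offline.
"""
import hashlib
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes.
    Packed or encrypted sections sit near the top of that range."""
    if not data:
        return 0.0
    n = len(data)
    # 0.0 - (...) instead of -(...) so an all-constant section yields 0.0, not -0.0
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_timestamp(ts):
    """The COFF TimeDateStamp is seconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def parse_pe(image):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": decode_timestamp(stamp), "sections": sections}


def build_sample_pe():
    """Constructed two-section PE: uniform bytes in .text, zeros in .data.
    The timestamp is the one shown in the post's PEInfo block."""
    payloads = [(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0x48C4C985, 0, 0, 0, 0x102)
    headers, raw = b"", b""
    rawptr, vaddr = 0x40 + 4 + 20 + 40 * len(payloads), 0x1000
    for name, data in payloads:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                               rawptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        rawptr += len(data)
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + headers + raw


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(image)
    print("machinetype: 0x%x   timedatestamp: %s" % (info["machine"], info["timestamp"]))
    print("name viradd virsiz rawdsiz ntrpy md5")
    for s in info["sections"]:
        print("%s 0x%x 0x%x 0x%x %.2f %s" % (s["name"], s["viradd"], s["virsiz"],
                                             s["rawdsiz"], s["entropy"], s["md5"]))
```

Run it with a file argument to print the same table for a real sample; the entropy column is the quickest hint that a section is packed (PEiD attributes this sample to Armadillo), and the decoded build time can be compared against the date the link was first seen.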

Thursday, September 4, 2008

The Analysis of a Malicious Link

The following analysis concerns a malicious link found on a Taiwanese web site.


(The picture above shows the malicious web site)


(The picture above shows the page source containing the malicious link)

==The following focuses on Web Reputation Service Testing==

Armorize HackAlert CAN find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs' LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



The Wireshark capture of the downloaded files is shown below:



==The following focuses on AV Scanner Testing==

File index.htm_ received on 09.02.2008 15:18:50 (CET)

Result: 2/36 (5.56%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 HEUR/HTML.Malware
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.01 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.01 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.01 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.02 Heuristic.HTML.Malware

Additional information
File size: 1426 bytes
MD5...: 9c0247737546316b5dd8e4a4a491888e
SHA1..: bb20aeea0bd2e0f5b90aa4a54643e6439cd4bfc9
SHA256: 233d1d9d450b34d3ade2101dcf999a7bcf7685620c6b2864775095b896e55b67
SHA512: 6f92636d043226aa3f14aa3596ec4bd17ac840d956fe6ae67ff36461672ea5c250ea5c75acc0921753636b990a5c82ab25baa676e267bf243b23071997232275
PEiD..: -
TrID..: File type identification
HyperText Markup Language (100.0%)
PEInfo: -

File sytes_1_.exe-1 (the original file name is sytes.exe) received on 09.02.2008 22:33:10 (CET)

Result: 19/36 (52.78%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Spy.Gen
Authentium - - W32/Heuristic-KPP!Eldorado
Avast - - -
AVG - - Generic11.POT
BitDefender - - Generic.Malware.Fdldg.F895E7CB
CAT-QuickHeal - - Trojan.SystemHijack.gen
ClamAV - - -
DrWeb - - Trojan.DownLoad.4228
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Heuristic-KPP!Eldorado
F-Secure - - Trojan-Downloader.Win32.Agent.aevv
Fortinet - - -
GData - - Trojan-Downloader.Win32.Agent.aevv
Ikarus - - Virus.Win32.Agent.UWD
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Agent.aevv
McAfee - - -
Microsoft - - Trojan:Win32/SystemHijack.gen
NOD32v2 - - probably a variant of Win32/Genetik
Norman - - -
Panda - - Suspicious file
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - Mal/Heuri-D
Sunbelt - - -
Symantec - - Downloader
TheHacker - - -
TrendMicro - - PAK_Generic.001
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Spy.Gen

Additional information
MD5: c09cf4992d2d578e27814bc030c1ecf1
SHA1: 9f31efd2842b8460a3ad848761aedc4b7ea8f4a2
SHA256: d1c2cb0da0e2e7b8fc07ce9c2feb5e709380b5a610fe9b4009d4afa57767ead0
SHA512: 9a55e9143c433872a665606102274df67bcb4fc91f8ad37ba73eab05a367e9c5e6bd8807e406bc99aeeed21cdd7ae61674c5edde7b63071219f2aa77a013dff0

After execution, it exhibits the following behaviors:

[Added service]
NAME: TopDriver
DISPLAY: DeskDrivers
FILE: C:\WINDOWS\system32\explsore.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bd[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\of[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uc[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\reg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sytes[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ie[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\stat[1].htm
C:\WINDOWS\system32\explsore.exe
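
Both posts end with the same kind of host artifacts: a new service (aspimgr / "Microsoft ASPI Manager" in the first post, TopDriver / "DeskDrivers" in the second) and a handful of dropped files under the system directory and the user's temp folders. The script below is an added triage check, not code from either post: it turns those listed artifacts into patterns (drive letter, system root and user-profile name replaced by wildcards, since they differ between the author's sandbox and any other host) and matches them against a file and service inventory. The pattern list and service names are copied from the posts; the function names, the wildcard scheme and the sample inventories in the test are this example's own assumptions.

```python
"""Triage a Windows host for the service and file artifacts listed above.

Added example, not part of the original posts. match_files() and
match_services() are OS-independent; the collect_* helpers gather a live
inventory on Windows only.
"""
import fnmatch
import os
import sys

# File paths quoted from the posts, generalised: "?:" for any drive, "*"
# for the system root / user-profile segment that varies per host.
FILE_PATTERNS = [
    r"?:\*\system32\aspimgr.exe",
    r"?:\*\s32.txt",
    r"?:\*\ws386.ini",
    r"?:\Documents and Settings\*\Local Settings\Temp\_check32.bat",
    r"?:\*\system32\explsore.exe",   # look-alike of explorer.exe (second post)
]
# Service NAME / DISPLAY values quoted from the posts, lower-cased for comparison.
SERVICE_NAMES = {"aspimgr", "topdriver"}
SERVICE_DISPLAY_NAMES = {"microsoft aspi manager", "deskdrivers"}


def normalize(path):
    """Lower-case and use backslashes so fnmatch compares like with like."""
    return path.replace("/", "\\").lower()


def match_files(observed_paths):
    """Return the observed paths that match one of the listed artifacts."""
    hits = []
    for path in observed_paths:
        candidate = normalize(path)
        if any(fnmatch.fnmatchcase(candidate, normalize(p)) for p in FILE_PATTERNS):
            hits.append(path)
    return hits


def match_services(observed_services):
    """observed_services: iterable of (name, display_name). Either field matching is a hit."""
    return [(name, display) for name, display in observed_services
            if name.lower() in SERVICE_NAMES or display.lower() in SERVICE_DISPLAY_NAMES]


def collect_services():
    """Enumerate installed services from the registry (Windows only)."""
    import winreg
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    display = str(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                display = ""
            services.append((name, display))
    return services


def collect_candidate_files():
    """List the directories the posts' drop locations fall under."""
    system_root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    dirs = [system_root, os.path.join(system_root, "system32"), os.environ.get("TEMP", "")]
    paths = []
    for d in dirs:
        if d and os.path.isdir(d):
            paths.extend(os.path.join(d, entry) for entry in os.listdir(d))
    return paths


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; match_files/match_services run anywhere")
    for hit in match_files(collect_candidate_files()):
        print("file artifact:", hit)
    for name, display in match_services(collect_services()):
        print("service artifact: %s (%s)" % (name, display))
```

The match is deliberately loose on the path prefix and strict on the file name, so a renamed system root or a different user profile still triggers, while `explorer.exe` next to `explsore.exe` does not.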