URI Handling Vulnerability and RBN

The URL handling vulnerability in Windows XP and Windows Server 2003 is being actively exploited in the wild, according to a posting on the full-disclosure mailing list. The PDF file attached to that mail contains an exploit for this vulnerability, with shellcode that downloads a binary via FTP from 81.95.146.130. A whois lookup of this IP shows that it belongs to RBN, the Russian Business Network, which has been in the press quite often recently.

The downloaded binary injects itself into several Windows processes and collects various information from the infected machine. This data is then sent to http://81.95.147.107/cgi-bin/pstore.cgi, another IP address within the RBN network. A complete CWSandbox analysis of the binary is also available.

$ whois 81.95.147.107
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '81.95.144.0 - 81.95.147.255'

inetnum: 81.95.144.0 - 81.95.147.255
netname: RBNET
descr: RBusiness Network
admin-c: RNR4-RIPE
tech-c: RNR4-RIPE
mnt-by: RBN-MNT
status: ASSIGNED PA
country: PA
remarks: INFRA-AW
source: RIPE # Filtered

role: RBusiness Network Registry
address: RBusiness Network
address: The Century Tower Building
address: Ricardo J. Alfari Avenue
address: Panama City
address: Republic of Panama
phone: +1 401 369 8152
remarks: Points of contact for RBusiness Network Operations
remarks: ------------------------------------------------------
remarks: Routing and peering issues: noc@rbnnetwork.com
remarks: SPAM and Network security issues: abuse@rbnnetwork.com
remarks: Customer support: support@rbnnetwork.com
remarks: General information: info@rbnnetwork.com
remarks: ------------------------------------------------------
e-mail: noc@rbnnetwork.com
admin-c: JK4668-RIPE
tech-c: JI424-RIPE
nic-hdl: RNR4-RIPE
mnt-by: RBN-MNT
source: RIPE # Filtered

% Information related to '81.95.144.0/20AS40989'

route: 81.95.144.0/20
descr: TcS Network
origin: AS40989
mnt-by: RBN-MNT
source: RIPE # Filtered

% Information related to '81.95.144.0/22AS40989'

route: 81.95.144.0/22
descr: RBNetwork
origin: AS40989
mnt-by: RBN-MNT
source: RIPE # Filtered
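As an added example (not part of the original post), the following script turns the whois objects above into a block list a defender can check proxy or firewall logs against: it parses the inetnum range and the two route prefixes from the RPSL output and flags any logged destination that falls inside them. The log lines are constructed for illustration, with 10.0.0.5 as an assumed internal host.

```python
import ipaddress
import re

# Excerpt of the RIPE whois output shown above (the inetnum and route objects).
WHOIS_OUTPUT = """\
inetnum: 81.95.144.0 - 81.95.147.255
netname: RBNET
route: 81.95.144.0/20
origin: AS40989
route: 81.95.144.0/22
origin: AS40989
"""

# Constructed proxy/firewall log lines (not from the page); 10.0.0.5 is the internal host.
SAMPLE_LOG = [
    "2007-10-17 10:01:02 10.0.0.5 FTP RETR 81.95.146.130 /update.exe",
    "2007-10-17 10:01:09 10.0.0.5 GET http://192.0.2.10/index.html 200",
    "2007-10-17 10:02:30 10.0.0.5 POST http://81.95.147.107/cgi-bin/pstore.cgi 200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_whois_networks(text):
    """Collect every inetnum range and route prefix from RPSL-style whois text as ip_network objects."""
    nets = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif key == "route":
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def find_hits(log_lines, nets):
    """Return (line, ip) for each log line containing an IP that lies in a flagged network."""
    hits = []
    for line in log_lines:
        for ip_str in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue  # e.g. a version string that merely looks like an IP
            if any(ip in net for net in nets):
                hits.append((line, ip_str))
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    nets = parse_whois_networks(WHOIS_OUTPUT)
    for line, ip in find_hits(SAMPLE_LOG, nets):
        print(f"contact with RBN-announced address {ip}: {line}")
```

Note that the 81.95.144.0/20 route object is wider than the assigned inetnum (it spans 81.95.144.0 to 81.95.159.255), so matching on routes flags more address space than matching on the inetnum alone.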
