Posted by: realsecurity | December 12, 2008

Sources of Badness – UATelecom

The next source of badness I’ll cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).

91.203.92.0/22
AS44997

netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: OTHER
address: Ukraine, Voznesensk, Lenina 52
remarks: ————————-
phone: +38-048-701-05-45
phone: +38-096-380-13-21
phone: +38-096-380-13-26
fax-no: +38-048-701-05-45
remarks: ————————-
e-mail: ipadmin@uatelecom.com.ua
abuse-mailbox: abuse@uatelecom.com.ua

We’ve seen lots of malware from their netblock:

91.203.92.138    2008-10-30 – site down
91.203.92.138    /mix/xcvb.pdf

91.203.92.47    2008-12-09 – site down
advancedscanner.com    /2009/download/trial/InstallAVv_880460.exe

91.203.93.25    2008-12-02
softwareformyvideo.com    /get/1xxx5912940/download.exe

Trojan-Dropper.Win32.Agent.abiq
TrojanDownloader:Win32/Renos.FS
Troj/Zlob-AOX

91.203.93.26    2008-12-02
91.203.93.26    /WinDefender2009.exe – fake AV

FraudTool.Win32.WinDefender.g
AntiVirus2008.AIJ

91.203.93.29    2008-12-03 (more on this below)
easywebsiteauditor.ru    /spl/load.php – SPAM Bot

Troj/Pushdo-G
TrojanDownloader:Win32/Cutwail.S
Trojan.Win32.Small.yrx

load.php (an exe) is downloaded from the index of /spl/. The exploit code has 2/38 detections (JS:Packed-X).

91.203.93.68    2008-12-03 – site down
pcantivirusscan.com    /2009/download/trial/A9installertest_880135.exe

91.203.93.81    2008-11-27 - sites down
codecdownload.x-softportal.com    /k-codec.335.exe
2008-12-02     codecdownload.friendlysoftportal.com    /moviecodec.91.exe
2008-12-04     codecdownload.allfilesherefordownload.com    /moviecodec.136.exe

Since easywebsiteauditor.ru drops a SPAM bot, I decided to dig a little deeper. When infected, the bot first calls home via a GET to 174.36.201.82.

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

GET /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE HTTP/1.0

HTTP/1.0 200 OK
Date: Fri, 12 Dec 2008 16:10:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 12 Dec 2008 16:10:22 GMT
Cache-Control: no-cache
Content-Length: 110604
Connection: close
Content-Type: application/octet-stream

The stream contains some sort of obfuscated payload. The bot then makes a bunch of DNS requests for various SMTP servers and starts to send spam. It also establishes a side channel of some sort to 69.46.20.65 over port 2065.
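As an added example (not code from the original post), here is a small Python heuristic over constructed proxy-log lines that flags the check-in shape described above: a GET to a bare IP host whose path is one long run of hex digits, answered with application/octet-stream. The log field layout and the sample lines are assumptions; only the 174.36.201.82 request is taken from the post.

```python
import re
from ipaddress import ip_address
from typing import Dict, List

# Constructed proxy-log sample (not from the post). Assumed layout:
# timestamp client method host path status content-type
SAMPLE_LOG = """\
2008-12-12T16:10:22Z 10.0.0.5 GET 174.36.201.82 /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE 200 application/octet-stream
2008-12-12T16:09:58Z 10.0.0.5 GET easywebsiteauditor.ru /spl/load.php 200 application/octet-stream
2008-12-12T16:11:03Z 10.0.0.7 GET www.example.com /index.html 200 text/html
2008-12-12T16:11:40Z 10.0.0.7 GET cdn.example.net /assets/3f2a9c1e5b7d4a8c9e0f1a2b3c4d5e6f7a8b9c0d.js 200 application/javascript
2008-12-12T16:12:10Z 10.0.0.9 GET 192.0.2.10 /update.bin 200 application/octet-stream
"""

# A path that is nothing but a long run of hex digits directly under "/"
BARE_HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{40,}$")


def is_bare_ip(host: str) -> bool:
    """True when the Host is a literal IP rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def is_beacon_like(method: str, host: str, path: str, content_type: str) -> bool:
    """Pushdo/Cutwail-style check-in: GET to a raw IP, opaque hex path, binary blob
    in the response. Each test alone is noisy; all three together rarely are."""
    return (method == "GET" and is_bare_ip(host)
            and BARE_HEX_PATH.match(path) is not None
            and content_type == "application/octet-stream")


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every log line matching the beacon heuristic."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed line: skip rather than crash the sweep
        ts, client, method, host, path, _status, ctype = parts
        if is_beacon_like(method, host, path, ctype):
            hits.append({"ts": ts, "client": client, "host": host, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}{hit['path'][:24]}...")
```

Tune the hex-length threshold and add your own CDN allow-list before running this over real proxy logs; the point is the combination of signals, not any one of them.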

OrgName:    HIVELOCITY VENTURES CORP
OrgID:      HVC-3
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

This traffic also appears obfuscated; the only readable string is below:

L…..9ifnospam.0.exe_url..exe_url……..

From doing a little digging, this threat really is Pushdo/Cutwail. It’s interesting that the exploit site is hosted in Ukraine, but the C&Cs are located in the US.

Fireeye article
Secure Works article

Happy hunting!
