The next source of badness I’ll cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).
91.203.92.0/22
AS44997
netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: OTHER
address: Ukraine, Voznesensk, Lenina 52
remarks: ————————-
phone: +38-048-701-05-45
phone: +38-096-380-13-21
phone: +38-096-380-13-26
fax-no: +38-048-701-05-45
remarks: ————————-
e-mail: ipadmin@uatelecom.com.ua
abuse-mailbox: abuse@uatelecom.com.ua
We’ve seen lots of malware from their netblock:
91.203.92.138 2008-10-30 – site down
91.203.92.138 /mix/xcvb.pdf
91.203.92.47 2008-12-09 – site down
advancedscanner.com /2009/download/trial/InstallAVv_880460.exe
91.203.93.25 2008-12-02
softwareformyvideo.com /get/1xxx5912940/download.exe
Trojan-Dropper.Win32.Agent.abiq
TrojanDownloader:Win32/Renos.FS
Troj/Zlob-AOX
91.203.93.26 2008-12-02
91.203.93.26 /WinDefender2009.exe – fake AV
FraudTool.Win32.WinDefender.g
AntiVirus2008.AIJ
91.203.93.29 2008-12-03 (more on this below)
easywebsiteauditor.ru /spl/load.php – SPAM Bot
Troj/Pushdo-G
TrojanDownloader:Win32/Cutwail.S
Trojan.Win32.Small.yrx
load.php (actually an exe) is downloaded from the directory index of /spl/. The exploit code had only 2/38 AV detections (JS:Packed-X).
91.203.93.68 2008-12-03 – site down
pcantivirusscan.com /2009/download/trial/A9installertest_880135.exe
91.203.93.81 2008-11-27 – sites down
codecdownload.x-softportal.com /k-codec.335.exe
2008-12-02 codecdownload.friendlysoftportal.com /moviecodec.91.exe
2008-12-04 codecdownload.allfilesherefordownload.com /moviecodec.136.exe
Since easywebsiteauditor.ru drops a SPAM bot I decided to dig a little deeper. When infected, the bot first calls home via a GET to 174.36.201.82
OrgName: SoftLayer Technologies Inc.
OrgID: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
GET /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE HTTP/1.0
HTTP/1.0 200 OK
Date: Fri, 12 Dec 2008 16:10:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 12 Dec 2008 16:10:22 GMT
Cache-Control: no-cache
Content-Length: 110604
Connection: close
Content-Type: application/octet-stream
The stream contains some sort of obfuscated payload. The bot then makes a bunch of DNS requests for various SMTP servers and starts sending spam. It also establishes a side channel of some sort to 69.46.20.65 over port 2065.
OrgName: HIVELOCITY VENTURES CORP
OrgID: HVC-3
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US
This traffic also appears to be obfuscated; the only readable string is below:
L…..9ifnospam.0.exe_url..exe_url……..
From doing a little digging, this threat really is Pushdo/Cutwail. It’s interesting that the exploit site is hosted in the Ukraine, but the C&Cs are located in the US.
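As an added example (not from the original post), here is a small Python triage script that runs the indicators above against log lines: the two call-home addresses, the UATelecom /22, and the shape of the check-in GET (one long all-hex path sent to a bare IP and answered with application/octet-stream). The log format, the sample lines and the tag names are assumptions constructed for this example; the hex-path rule is a triage signal to chase down, not proof of infection.

```python
import ipaddress
import re
# Indicators quoted in the post above (the /22 and the two call-home hosts).
UATELECOM_NET = ipaddress.ip_network("91.203.92.0/22")
PUSHDO_HTTP_CNC = ipaddress.ip_address("174.36.201.82")
PUSHDO_SIDE_CHANNEL = (ipaddress.ip_address("69.46.20.65"), 2065)
# Check-in shape seen above: a GET whose whole path is one long hex token,
# sent to a bare IPv4 host and answered with application/octet-stream.
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{40,}$")
BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def classify(line):
    """Tag one log line, or None if benign or unparseable. Assumed constructed
    format: "<ts> <src> <dst>:<port> <method> <host> <path> <status> <ctype>",
    with "-" in the HTTP fields for flows that are not HTTP."""
    fields = line.split()
    if len(fields) != 8:
        return None
    _, _, dst_port, method, host, path, _, ctype = fields
    dst_s, _, port_s = dst_port.rpartition(":")
    try:
        dst, port = ipaddress.ip_address(dst_s), int(port_s)
    except ValueError:
        return None
    if (dst, port) == PUSHDO_SIDE_CHANNEL:
        return "pushdo-side-channel"       # the 69.46.20.65:2065 channel
    if dst == PUSHDO_HTTP_CNC:
        return "pushdo-http-cnc"           # the first call-home host
    if (method == "GET" and BARE_IPV4.match(host) and HEX_PATH.match(path)
            and ctype == "application/octet-stream"):
        return "hex-checkin-heuristic"     # same shape, unknown host: triage it
    if dst in UATELECOM_NET:
        return "uatelecom-netblock"        # anything to the /22, e.g. load.php
    return None

def scan(log_text):
    hits = []                              # [(timestamp, tag)] per matching line
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            hits.append((line.split()[0], tag))
    return hits

# Constructed sample: the check-in, its side channel, a load.php fetch from the /22, a benign request.
SAMPLE_LOG = """\
2008-12-12T16:10:22Z 10.0.0.15 174.36.201.82:80 GET 174.36.201.82 /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE 200 application/octet-stream
2008-12-12T16:10:25Z 10.0.0.15 69.46.20.65:2065 - - - - -
2008-12-12T16:11:01Z 10.0.0.15 91.203.93.29:80 GET easywebsiteauditor.ru /spl/load.php 200 application/octet-stream
2008-12-12T16:12:40Z 10.0.0.22 198.51.100.7:80 GET example.test /index.html 200 text/html
"""
```

Running `scan(SAMPLE_LOG)` tags the first three constructed lines and leaves the benign one untouched.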
FireEye article
SecureWorks article
Happy hunting!