Posted by: realsecurity | December 12, 2008

Sources of Badness – UATelecom

The next source of badness I’ll cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).

netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: OTHER
address: Ukraine, Voznesensk, Lenina 52
remarks: ------------------------
phone: +38-048-701-05-45
phone: +38-096-380-13-21
phone: +38-096-380-13-26
fax-no: +38-048-701-05-45
remarks: ------------------------

We’ve seen lots of malware from their netblock (date, path, detection):

2008-10-30 – site down    /mix/xcvb.pdf
2008-12-09 – site down    /2009/download/trial/InstallAVv_880460.exe
2008-12-02    /get/1xxx5912940/download.exe    Troj/Zlob-AOX
2008-12-02    /WinDefender2009.exe – fake AV    AntiVirus2008.AIJ
2008-12-03 (more on this below)    /spl/load.php – SPAM Bot
    load.php (an exe) is downloaded from the index of /spl/. The exploit code has 2/38 detections, JS:Packed-X.
2008-12-03 – site down    /2009/download/trial/A9installertest_880135.exe
2008-11-27 – sites down    /k-codec.335.exe
2008-12-02    /moviecodec.91.exe
2008-12-04    /moviecodec.136.exe

Since it drops a SPAM bot, I decided to dig a little deeper. When infected, the bot first calls home via a GET to

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

GET /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE HTTP/1.0

HTTP/1.0 200 OK
Date: Fri, 12 Dec 2008 16:10:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 12 Dec 2008 16:10:22 GMT
Cache-Control: no-cache
Content-Length: 110604
Connection: close
Content-Type: application/octet-stream

The stream contains some sort of obfuscated payload. The bot then makes a bunch of DNS requests for various SMTP servers and starts to send spam. There is also a side channel of some sort that it establishes to over port 2065.
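As an added example (not from the original post), a small detector for the check-in pattern shown above, run over constructed proxy log lines. The proxy log format, the host names and client addresses, and the 32-hex-digit floor are assumptions; only the first request path is taken from the capture.

```python
import re
from urllib.parse import urlsplit

# Pattern from the check-in above: the whole path is one long run of hex digits
# (no directory, extension or query) and the 200 reply is application/octet-stream.
# The 32-digit floor is an assumption, chosen to skip short hex cache-busting names.
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{32,}$")

# Hypothetical proxy log format used for the constructed sample below:
#   <timestamp> <client> "<METHOD> <URL> <HTTP/x.y>" <status> <content-type>
LOG_LINE = re.compile(r'^(\S+) (\S+) "([A-Z]+) (\S+) (HTTP/\d\.\d)" (\d{3}) (\S+)$')

def parse_proxy_line(line):
    """Split one proxy log line into its fields; None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, version, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "version": version, "status": int(status), "ctype": ctype}

def is_beacon(entry):
    """True when the entry looks like the hex-path check-in described above."""
    path = urlsplit(entry["url"]).path
    return (entry["method"] == "GET"
            and HEX_PATH.match(path) is not None
            and entry["status"] == 200
            and entry["ctype"] == "application/octet-stream")

def find_beacons(lines):
    """Return (client, host, hex_digit_count) for each suspicious check-in."""
    hits = []
    for line in lines:
        e = parse_proxy_line(line)
        if e and is_beacon(e):
            parts = urlsplit(e["url"])
            hits.append((e["client"], parts.hostname, len(parts.path) - 1))
    return hits

# Constructed sample log: the first request path is the one from the capture
# above; host names and client addresses are placeholders.
SAMPLE_LOG = [
    '2008-12-12T16:10:22Z 10.0.0.5 "GET http://c2.example/40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE HTTP/1.0" 200 application/octet-stream',
    '2008-12-12T16:10:30Z 10.0.0.7 "GET http://www.example.com/index.html HTTP/1.1" 200 text/html',
    '2008-12-12T16:10:41Z 10.0.0.9 "GET http://cdn.example/static/abcdef0123456789abcdef0123456789.png HTTP/1.1" 200 image/png',
    '2008-12-12T16:10:55Z 10.0.0.5 "GET http://c2.example/DEADBEEF HTTP/1.0" 200 application/octet-stream',
]

if __name__ == "__main__":
    for client, host, n in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n}-digit hex path check-in")
```

The hex-named .png and the short /DEADBEEF path are left alone, so the heuristic only fires on the long, extension-less hex path answered with an octet stream.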

OrgID:      HVC-3
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

This traffic also seems obfuscated; the only readable string is below:


From doing a little digging, this threat really is Pushdo/Cutwail. It’s interesting that the exploit site is hosted in Ukraine, while the C&Cs are located in the US.

FireEye article
SecureWorks article

Happy hunting!
