This came in last night, and I didn't run it through any analysis until
many hours later.
VT submission at around 12:45 pm today, about 15 hours after it landed
in my spam-trap.
https://www.virustotal.com/en/file/0f10cbb82825c3c9b721af75c707502233ba0d3b0393d988d874376727174ccf/analysis/1414860274/
Detection ratio: 19/53
Engine           Result
AVG              Crypt3.BBSQ
Ad-Aware         Trojan.Injector.BBU
AegisLab         Troj.W32.Swizzor
Avast            Win32:Trojan-gen
Avira            TR/Crypt.ZPACK.104434
BitDefender      Trojan.Injector.BBU
Cyren            W32/Trojan.XBNR-4087
DrWeb            BackDoor.Kuluoz.4
ESET-NOD32       a variant of Win32/Kryptik.BWOY
Emsisoft         Trojan.Injector.BBU (B)
F-Secure         Trojan.Injector.BBU
GData            Trojan.Injector.BBU
Kaspersky        Net-Worm.Win32.Aspxor.dwaq
Norman           Kuluoz.EP
Qihoo-360        Malware.QVM10.Gen
Rising           PE:Malware.FakeDOC@CV!1.9C3C
Sophos           Troj/Weelsof-JC
Tencent          Win32.Trojan.Backdoor.Auto
TrendMicro-HC    BKDR_KULUOZ.SM16
I threw it at Anubis:
https://anubis.iseclab.org/?action=result&task_id=1d49b38a824d27d1435acb09c9b5d24df
Here's some junk from the pcap file:
===============
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Host: 50.56.238.195:8080
Content-Length: 310
================
Can anyone explain why the Anubis analysis doesn't mention DNS lookups
or HTTP conversations, yet clearly there was some of that going on?
From Spamhaus:
---------------
Ref: SBL238324
50.56.238.195/32 is listed on the Spamhaus Block List - SBL
2014-10-30 06:47:13 GMT | rackspace.com
Asprox botnet controller @50.56.238.195 [compromised server]
The host at this IP address is running a malware botnet controller which
is being used to control infected computers (bots) around the globe
using a trojan horse.
Asprox botnet controller located at 50.56.238.195 on port 8080 (using
HTTP POST):
hXXp://50.56.238.195:8080/index.php
nslookup 50.56.238.195 = www.vpdxconnect.com
--------------
Here's the spam:
=================
Return-Path:
Received: from kentuckytruckaccidentlawyers.com ([209.206.237.36])
Fri, 31 Oct 2014 9:40 pm EST
From: "Notice to Appear" <dontreplyMUNG@kentuckytruckaccidentlawyers.com>
Subject: Urgent court notice
X-Mailer: XimianEvolution1.4.6
Notice to Appear,
The copy of the court notice is attached to this letter.
Note: If you do not attend the hearing the judge may hear the case in
your absence.
Truly yours,
Clerk to the Court,
Olivia Smith
=================
Again, from spamhaus:
------------------
http://www.spamhaus.org/query/bl?ip=209.206.237.36
209.206.237.36 is not listed in the SBL
209.206.237.36 is not listed in the PBL
209.206.237.36 is listed in the XBL, because it appears in: CBL
At 3 pm EST - It was last detected at 2014-11-01 08:00 GMT (+/- 30
minutes), approximately 11 hours ago.
-------------------
As I compose this, 11 hours ago was 4 am EST, Nov 1. That IP contacted
my server at 9:40 pm EST, Oct 31.
So it's not clear if it would have been listed by the CBL at the time it
hit my server. We know that it's not listed at spamhaus - even now.
If anyone wants this sample, let me know. I have no idea if Dustin has
been doing anything with the samples I've been posting.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
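Added example, not code from the post above or from any tool it mentions: a
small Python script that (a) parses the HTTP POST quoted from the pcap and
lists the traits that match the controller check-in Spamhaus describes for
SBL238324 (form-encoded POST to /index.php on a bare IP with a non-standard
port), and (b) builds the reversed-octet DNSBL query name and decodes
Spamhaus ZEN answer codes, so the SBL/XBL results in the post can be
reproduced from a resolver's answers. The request text is constructed from
the headers quoted in the post (the 310-byte body was not shown); the
function names are my own; the ZEN return codes are the ones Spamhaus
publishes. Nothing here touches the network.

```python
# Added example (not from the original post): parse the captured beacon
# request and decode Spamhaus ZEN answers offline. Function names are mine.
import ipaddress
from typing import Iterable

# Constructed from the headers quoted in the post; the 310-byte body was not
# shown, so it is omitted here.
CAPTURED_REQUEST = (
    "POST /index.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) "
    "Gecko/20100101 Firefox/28.0\r\n"
    "Host: 50.56.238.195:8080\r\n"
    "Content-Length: 310\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head into method, path, version and a
    lower-cased header dict (a repeated header keeps its last value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers}


def beacon_indicators(req: dict) -> list:
    """Return the traits of this request that match the check-in pattern
    Spamhaus gives for the listed controller: a POST of form data to
    /index.php on a bare IP with a non-standard port. Each trait alone is
    weak; the combination is what is worth alerting on."""
    hits = []
    host, _, port = req["headers"].get("host", "").partition(":")
    try:
        ipaddress.ip_address(host)          # literal IP, no DNS name
        hits.append("host-is-literal-ip")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        hits.append("non-standard-port:" + port)
    if req["method"] == "POST" and req["path"] == "/index.php":
        hits.append("post-to-index.php")
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        hits.append("form-encoded-body")
    return hits


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """DNSBLs are queried by reversing the octets under the list zone:
    50.56.238.195 -> 195.238.56.50.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)        # raises on a malformed address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Spamhaus-published ZEN return codes (the last octet of 127.0.0.x answers).
ZEN_CODES = {
    2: "SBL", 3: "SBL",                     # SBL, SBL CSS
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL", # XBL (carries CBL data)
    10: "PBL", 11: "PBL",                   # PBL, ISP- and Spamhaus-maintained
}


def decode_zen(answers: Iterable[str]) -> set:
    """Map the A records returned for a ZEN query to the lists they denote.
    127.255.255.x answers are Spamhaus error signals (open or rate-limited
    resolver, bad query), not listings, and are reported as 'ERROR'."""
    lists = set()
    for a in answers:
        o = [int(x) for x in a.split(".")]
        if o[:3] == [127, 255, 255]:
            lists.add("ERROR")
        elif o[:3] == [127, 0, 0] and o[3] in ZEN_CODES:
            lists.add(ZEN_CODES[o[3]])
    return lists


if __name__ == "__main__":
    req = parse_request(CAPTURED_REQUEST)
    print(beacon_indicators(req))
    print(dnsbl_query_name("209.206.237.36"))
    # The two lookups in the post, as ZEN answers them: the controller on
    # the SBL (127.0.0.2), the sending host on the XBL only (127.0.0.4).
    print(decode_zen(["127.0.0.2"]), decode_zen(["127.0.0.4"]))
```

A "no such name" (NXDOMAIN) answer from the resolver is the "not listed"
case; feed the script an empty answer list and it returns an empty set.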