Long Lived Malware Distribution Sites
by Jose Nazario

In my malware investigations, I’ve repeatedly seen a UK-based host, so I began to dig deeper. I don’t have the time to dig this deep into every site, so it really has to be something that gets my attention to warrant such a distraction. In this case, it was seeing repeated downloads of files from one directory.
As you can expect, one of the first things I did was see if the directory allowed for open listings; sure enough, it did:
And this goes on for a few thousand files, each named with a number followed by .cab, .exe, .jar or .jpg. The EXEs are just that, Windows EXE files. The JARs (Java Archives) contain a set of files:

$ fastjar -t -f 200296.jar
200296.exe
installer.js
META-INF/manifest.mf
META-INF/zigbert.sf
META-INF/zigbert.rsa
The JavaScript installer file just sets up the browser as the installation mechanism (the zigbert.sf / zigbert.rsa pair under META-INF/ is the signature written by Netscape’s signtool, so this is a signed JAR meant for browser-driven installation). The CAB files are Windows installation cabinets:

$ cabextract 200296.cab
Extracting cabinet: 200296.cab
  extracting 200296.exe
  extracting installer.inf

All done, no errors.
And the JPEGs? Interestingly enough, they just have the URL rendered as an image. In all cases the EXEs’ MD5 values change, but they do the same thing: download a second-stage tool, itself part of some classic malware.
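As an added example (not code from the original post), the following script does the triage that the fastjar and cabextract listings above do by hand: it classifies blobs by their leading bytes rather than their extension, and for a JAR reports whether it carries a signtool-style signature (META-INF/*.SF plus *.RSA), an installer.js, and any member that is really a Windows executable. The archive it inspects is constructed in memory with a two-byte "MZ" stub standing in for 200296.exe; the file names are borrowed from the listing above and nothing else about the real samples is assumed.

```python
"""Triage a numerically named JAR of the kind listed above.

Added example, not code from the original post: the sample archive is
constructed in memory (a stub 'MZ' executable, an installer.js and a
Netscape-signtool style META-INF/zigbert.sf + zigbert.rsa pair) so the
script runs offline. Real samples would be read from disk instead.
"""
import io
import zipfile

# File-type magic numbers for the four extensions seen on the site:
# Windows PE ("MZ"), MS cabinet ("MSCF"), ZIP/JAR ("PK\x03\x04"), JPEG (FF D8 FF).
MAGIC = {
    b"MZ": "exe",
    b"MSCF": "cab",
    b"PK\x03\x04": "jar/zip",
    b"\xff\xd8\xff": "jpg",
}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, never by its extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_jar(blob: bytes) -> dict:
    """Summarise what a JAR carries: signature files, an installer script,
    and any member whose content is a Windows executable."""
    names = []
    executables = []
    with zipfile.ZipFile(io.BytesIO(blob)) as jar:
        for info in jar.infolist():
            names.append(info.filename)
            head = jar.read(info.filename)[:4]
            if sniff(head) == "exe":
                executables.append(info.filename)
    meta = [n for n in names if n.upper().startswith("META-INF/")]
    # A signed JAR has a .SF signature file and a matching .RSA/.DSA block.
    signed = (any(n.upper().endswith(".SF") for n in meta)
              and any(n.upper().endswith((".RSA", ".DSA")) for n in meta))
    return {
        "members": names,
        "signed": signed,
        "has_installer_js": any(n.lower().endswith("installer.js") for n in names),
        "embedded_executables": executables,
    }


def build_sample_jar() -> bytes:
    """Constructed stand-in for 200296.jar; the payload is an 'MZ' stub,
    not a real executable, and the signature files hold placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("200296.exe", b"MZ" + b"\x00" * 62)
        jar.writestr("installer.js", "// constructed placeholder installer script\n")
        jar.writestr("META-INF/manifest.mf", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/zigbert.sf", "Signature-Version: 1.0\n")
        jar.writestr("META-INF/zigbert.rsa", b"\x30\x82")  # DER SEQUENCE header only
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print("container type:", sniff(sample))
    for key, value in triage_jar(sample).items():
        print(f"{key}: {value}")
```

Pointing `triage_jar` at real files from such a directory is a matter of replacing `build_sample_jar()` with `open(path, "rb").read()`; the extension-versus-magic check is the part worth keeping, since a site like this can just as easily serve an EXE under a .jpg name as a real JPEG.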
So, what do all of these files do? They’re small agents, just downloaders really, that use the browser to change the dial-up networking settings so that you dial a for-pay service, essentially billing you and funding them. Visit a malicious site, your browser starts to install this, and voilà, you’re hosed.
What’s more, this has been going on since at least 2002! According to this Computer Associates (CA) write-up, this is well-known and no one has done anything about it. :-/ I have been pinging a few sites about takedown, because it’s active malware.
If you want to protect your users, consider blackhole’ing this malicious network: 217.73.64.0/20, belonging to AS16238. So far nothing has come of the takedown requests, but there has been long-term suspicious activity there. And here I thought this was new; sadly, it’s not!
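As an added example (not from the original post), the following script shows the two things a network defender would actually do with that recommendation: check which hosts in a proxy log fall inside 217.73.64.0/20 before blocking anything, and generate the null route. The log lines are constructed here in a simplified "epoch client METHOD destination status" layout, and the route command uses Linux iproute2 syntax; both are assumptions to adapt to your own proxy format and routing platform. The IP 217.73.66.1 comes from the follow-up excerpt quoted below and sits inside the /20.

```python
"""Flag traffic to the blackholed network and emit a null route for it.

Added example, not from the original post. The log lines are constructed
(simplified 'epoch client METHOD destination status' layout) and the route
syntax is Linux iproute2; both are assumptions for illustration.
"""
import ipaddress

# Network called out in the post (AS16238). 217.73.66.1 falls inside it;
# 217.73.80.1 is the first address past the /20 and must not match.
BLACKHOLE = [ipaddress.ip_network("217.73.64.0/20")]

# Constructed sample log: "<epoch> <client> <method> <destination> <status>".
SAMPLE_LOG = """\
1150700000.123 10.1.2.3 GET 217.73.66.1 200
1150700001.456 10.1.2.9 GET 192.0.2.15 200
1150700002.789 10.1.2.3 GET 217.73.79.254 200
1150700003.012 10.1.2.7 GET 217.73.80.1 200
1150700004.345 10.1.2.4 GET not-an-ip 404
"""


def in_blackhole(host: str, nets=BLACKHOLE) -> bool:
    """True if host is an IP literal inside one of the blackholed networks.
    Hostnames are not resolved here; resolve them first if your log stores
    names rather than addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def scan_log(text: str, nets=BLACKHOLE) -> list:
    """Return (client, destination) pairs whose destination is blackholed,
    so you know which internal hosts were already talking to the site."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess
        client, dst = fields[1], fields[3]
        if in_blackhole(dst, nets):
            hits.append((client, dst))
    return hits


def null_routes(nets=BLACKHOLE) -> list:
    """iproute2 null-route commands (Cisco would be 'ip route <net> <mask> Null0')."""
    return [f"ip route add blackhole {net}" for net in nets]


if __name__ == "__main__":
    for client, dst in scan_log(SAMPLE_LOG):
        print(f"{client} fetched from blackholed host {dst}")
    for cmd in null_routes():
        print(cmd)
```

Run the scan against historical logs before installing the route: the clients it lists are the machines that may already have the dialer installed, and the null route only stops future downloads.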
Every now and then you find a site like this, nothing but malware, and no one seems to do anything about it. In that case, I tend to recommend just blocking such traffic.

[...] In the course of my work, I see or hear about a lot of sites used for phishing and for distribution of malware. There are teams of people working constantly toward getting these shut down, but some just keep distributing malware even after the ISP/hosting company is notified. Security expert Jose Nazario of Arbor Networks blogged about one such site today. This site has been in operation since at least 2002 and is based in the UK. The site in question lives at IP address 217.73.66.1 (link to whois at domaintools.com). Nazario has a screenshot of a directory listing at the site, showing malware files with dates ranging from 11-Feb-2002 to 19-Jun-2006. Nazario states there are a "few thousand" files and explains: [...]