New Stration/Warezov: vaserjungenfujinas and 869
by Jose Nazario

Your email just isn’t safe, is it? And your inbox just isn’t spam free enough for some people, especially as far as Bai Ming or Bai Ming are concerned. Tonight’s Stration uses the domain vaserjungenfujinas.com, and presently the web server they download the malware from resolves to 64.28.179.66. Whois information lines up with previous Stration stuff, too:
Domain Name………. vaserjungenfujinas.com
Creation Date…….. 2006-11-28 17:21:57
Registration Date…. 2006-11-28 17:21:57
Expiry Date………. 2007-11-28 17:21:57
Organisation Name…. Bai Ming
Organisation Address. Bei Jing
Organisation Address.
Organisation Address. Bei Jing
Organisation Address. 100021
Organisation Address. BJ
Organisation Address. CN
This variant uses the subdirectory 869, and it downloads the same basic files. In short, nothing too new here. Expect a variety of MD5s, names like Update-KB9896-x86.exe and such in some cases (others are just junk names), and a flood of these in the next few days.
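As an added example (not part of the original post), here is a small Python scan over constructed proxy-log lines that flags downloads matching the indicators above: the vaserjungenfujinas.com domain or the 64.28.179.66 address, the 869 subdirectory, and the Update-KB<digits>-x86.exe naming pattern, which generalises the single Update-KB9896-x86.exe name in the post. Because the post notes MD5s vary across samples, the check keys on network and naming indicators rather than hashes. The log line format and the example.com hosts in the sample are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post above.
STRATION_DOMAIN = "vaserjungenfujinas.com"
STRATION_IP = "64.28.179.66"
STRATION_SUBDIR = "869"
# The post mentions names like Update-KB9896-x86.exe; generalised to any KB number.
UPDATE_NAME = re.compile(r"(?i)Update-KB\d+-x86\.exe$")

# Assumed log format (constructed for this example): "<client> <method> <url>"
LOG_LINE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
URL = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


@dataclass
class Hit:
    client: str
    url: str
    reasons: list


def classify(url):
    """Return the list of indicators a URL matches (empty if none)."""
    m = URL.match(url)
    if not m:
        return []
    host = m.group("host").lower()
    path = m.group("path") or "/"
    reasons = []
    if host == STRATION_DOMAIN or host.endswith("." + STRATION_DOMAIN):
        reasons.append("domain")
    if host == STRATION_IP:
        reasons.append("ip")
    segments = [s for s in path.split("/") if s]
    # The 869 component must be a directory, i.e. anything but the last segment.
    if STRATION_SUBDIR in segments[:-1]:
        reasons.append("subdir-869")
    if segments and UPDATE_NAME.search(segments[-1]):
        reasons.append("update-kb-name")
    return reasons


def severity(reasons):
    """Domain/IP matches are high confidence; name or path alone is only suspicious."""
    if "domain" in reasons or "ip" in reasons:
        return "high"
    return "medium" if reasons else "none"


def scan(lines):
    """Parse log lines in the assumed format and return the hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = classify(m.group("url"))
        if reasons:
            hits.append(Hit(m.group("client"), m.group("url"), reasons))
    return hits


# Constructed sample log: two infected-looking clients, one clean, one name-only match.
SAMPLE_LOG = """\
10.0.0.5 GET http://vaserjungenfujinas.com/869/Update-KB9896-x86.exe
10.0.0.7 GET http://64.28.179.66/869/xk3j2.exe
10.0.0.9 GET http://www.example.com/updates/readme.txt
10.0.0.11 GET http://www.example.com/Update-KB1234-x86.exe
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{severity(h.reasons):6} {h.client:10} {h.url} ({', '.join(h.reasons)})")
```

Run against real proxy logs, the severity split matters: a name-only match on an unrelated host is worth a look but not an alert, while any hit on the domain or IP is a client that has already fetched the dropper and should be pulled for cleanup.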
Some great background on Stration:
- The STRATION Strategy, from Trend Micro. A great writeup.
- Domains known to be used by Warezov variants for downloading, from F-Secure. Constantly updated (although when a new outbreak like this occurs, expect it to be out of date briefly).
- Stration: The Worm with the Plan, from Fortinet.
Just when I thought I would get to bed early, instead I got a few of these and did some analysis.