Pushing the Envelope with Analyzers and Emulators
Via our spam traps, we see a malicious URL being spammed out that was highlighted as suspicious by the MITRE honeyclient and then further analyzed by Wepawet. It carries three exploits leading to an EXE, a PDF, and a SWF file. This one is interesting because it’s one of a handful that are pushing the boundaries of what our current honeyclient and emulated client-side tools can handle reliably. The URL chain is described below:
This is the URL being spammed out. Wepawet correctly calls it suspicious, but not malicious. Like a lot of web exploit toolkits it does some reasonable browser qualification (e.g. fetching it with wget wouldn’t work).
Incidentally, Wepawet was unable to describe the IE7 object reference bug it contains.
File type: MS Windows PE
File size: 20435 bytes
Looking at this file we can see that VirusTotal has 0% detection... maybe this is a benign file. The Anubis report is inconclusive. This binary has some modest anti-auto-analysis techniques in it and requires a human to look at it to qualify it.
This is definitely an exploit document, and it looks like it may be using a newer exploit. Via VirusTotal we can see that a bunch of AV tools flag it.
The Wepawet report shows how the file basically thwarts detection by common toolkits. More manual analysis is required if you want to see how this is malicious.
Looking at blacklisting of the IP and hostname, we can see that Google doesn’t flag the IP. Maybe they will now. As far as other DNS BLs go we can see that it’s getting a green light from the ones I checked:
-- Fri Apr 10 16:55:27 2009 GMT
==> Checking bezotezi.wz.cz
==> Checking bezotezi.wz.cz (188.8.131.52)
zen.spamhaus.org Direct UBE sources, verified spam services and ROKSO spammers
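The DNSBL check shown above is easy to script as part of triage. The following is an added example (not code from the original post): it builds the reversed-octet query name against zen.spamhaus.org for the IP in the listing, maps the ZEN answer codes to their list names, and treats a refused-query answer as an error rather than a listing. The `resolve` parameter (so the check can run against a stub resolver) and the `ZEN_CODES` table are this example's own assumptions.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Spamhaus ZEN answer codes, keyed by the last octet of the 127.0.0.x answer
# (table constructed for this example from the zone's public documentation).
ZEN_CODES = {2: "SBL: direct UBE source / spam service",
             3: "SBL CSS: low-reputation / snowshoe range",
             4: "XBL: exploited or compromised host", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL: DROP/EDROP netblock",
             10: "PBL: ISP-maintained end-user range",
             11: "PBL: Spamhaus-maintained policy range"}

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None on NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 188.8.131.52 -> 52.131.8.188.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def _system_resolve(name: str) -> Optional[str]:
    """Default resolver: NXDOMAIN (or any lookup failure) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                resolve: Resolver = _system_resolve) -> Tuple[str, str]:
    """Return ("listed" | "clean" | "error", detail) for one IP against one DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_private or addr.is_loopback or addr.is_reserved or addr.is_multicast:
        return "error", "non-routable address; DNSBLs only cover public space"
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clean", "NXDOMAIN"
    code = ipaddress.IPv4Address(answer)
    if code in ipaddress.IPv4Network("127.255.255.0/24"):
        # Spamhaus answers 127.255.255.x when it refuses the query (e.g. sent
        # via a public resolver or over the free-use limit); that is not a listing.
        return "error", f"query refused by {zone} ({answer})"
    if code not in ipaddress.IPv4Network("127.0.0.0/8"):
        return "error", f"unexpected answer {answer} (wildcard or hijacked DNS?)"
    return "listed", ZEN_CODES.get(int(code) & 0xFF, f"code {answer}")
```

Run it with a stub `resolve` to exercise the code paths offline; with the default resolver it performs a live lookup, which Spamhaus only answers reliably from a non-public resolver.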
We know that attackers will continue to evolve their techniques to evade automated analysis tools (which are simply a requirement in today’s flood of malicious code, even for triage purposes). So, we’ll have to continue to push our analysis tools to handle these changes.