Apr 28, 2009

Malicious Website: u-toys.com

U-toys.com

This website, www.u-toys.com, was forwarded to me by commandrine as a suspicious site. When the page is loaded, a script runs in the background. Viewing the page source (the HTML) shows an obfuscated JavaScript block (shown below). It appears to have been produced by a JavaScript obfuscator tool, and I was not able to de-obfuscate it.

Obfuscated Javascript

Behavioural analysis of the JavaScript shows that it attempts to exploit browser vulnerabilities: on an older, unpatched browser it dropped an executable onto the C:\ drive, while a fully patched browser showed no dropped files. Below is the analysis of the dropped executable.

Analysis Report:
##############

Filename: b01kyk.exe
Size: 327680 bytes
MD5: 615A8484F113DA99D2C172A44C9E7D31
Detection: Trojan:W32/Mebroot.gen!A (F-Secure)

On VirusTotal, 11 of 38 engines detected it (shown below). Some well-known vendors, including Symantec and McAfee, did not detect it at the time.

VirusTotal

Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

2> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr: 0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\b01kyk.exe: "b01kyk"

Registry values modified:
==================
1> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B

2> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 7F 00 00 00 70 D2 53 1A 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 80 00 00 00 20 91 5F 45 46 D4 C9 01

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D3 00 00 00 20 5B 70 1A 46 D4 C9 01

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D4 00 00 00 00 78 6B 45 46 D4 C9 01
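Two of the Regshot entries above are only readable once decoded, so here is an added Python example of mine (not part of the original analysis) that does the decoding. PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs; an empty destination means Windows will delete the source on the next reboot, which is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes. UserAssist value names are ROT13-encoded, and the 16-byte value holds a session id, a run counter and a FILETIME of the last run. The hex strings and ROT13 name below are copied from the registry diff in this post; the function and constant names are my own.

```python
"""Decode the Regshot registry artefacts left by b01kyk.exe.

Added example, not code from the original post. Raw hex and the ROT13 name are
copied from the diff above; helper names are my own.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Regshot dump of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
# PendingFileRenameOperations, copied from the post. Regshot shows the
# REG_MULTI_SZ as 8-bit characters here, so it is decoded as latin-1 below.
PFRO_HEX = " ".join([
    "5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73",
    "5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00",
    "5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31",
    "5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00",
    "5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73",
    "5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00",
    "5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31",
    "5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00",
    "5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31",
    "5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00",
    "5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31",
    "5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00",
    "5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00",
])

# The UserAssist entry from the "Registry values added" list (name is ROT13).
UA_RUNPATH_NAME = r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr"
UA_RUNPATH_VALUE = "0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01"

XP_USERASSIST_COUNT_BASE = 5  # on XP the counter starts at 5, so 6 means one run


def hex_to_bytes(dump: str) -> bytes:
    """Turn a Regshot-style 'AA BB CC' dump into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def parse_pending_renames(blob: bytes) -> List[Tuple[str, str]]:
    """Return (source, destination) pairs; destination '' means delete on reboot.

    The list is a sequence of NUL-terminated strings, terminated by an empty
    string. Empty *destinations* are meaningful, so the blob is walked in pairs
    rather than split-and-filtered.
    """
    parts = blob.split(b"\x00")
    ops: List[Tuple[str, str]] = []
    i = 0
    while i < len(parts):
        src = parts[i].decode("latin-1")
        if not src:  # empty source = end of the REG_MULTI_SZ list
            break
        dst = parts[i + 1].decode("latin-1") if i + 1 < len(parts) else ""
        ops.append((src, dst))
        i += 2
    return ops


def describe_pending_renames(blob: bytes) -> List[str]:
    """Human-readable view; the \\??\\ prefix is the NT object-manager namespace."""
    lines = []
    for src, dst in parse_pending_renames(blob):
        action = "DELETE on reboot" if dst == "" else "RENAME on reboot -> " + dst
        lines.append(action + ": " + src)
    return lines


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_userassist(rot13_name: str, value_dump: str) -> Dict[str, object]:
    """Decode a UserAssist Count entry: ROT13 name + <session, count, FILETIME>."""
    session, count, ft = struct.unpack("<IIQ", hex_to_bytes(value_dump))
    return {
        "name": codecs.decode(rot13_name, "rot_13"),
        "session": session,
        "count": count,
        "runs": max(count - XP_USERASSIST_COUNT_BASE, 0),
        "last_run_utc": filetime_to_datetime(ft),  # sandbox clock, so treat as relative
    }


if __name__ == "__main__":
    for line in describe_pending_renames(hex_to_bytes(PFRO_HEX)):
        print(line)
    ua = parse_userassist(UA_RUNPATH_NAME, UA_RUNPATH_VALUE)
    print("%s: session %d, counter %d (%d run), last run %s UTC" % (
        ua["name"], ua["session"], ua["count"], ua["runs"],
        ua["last_run_utc"].strftime("%Y-%m-%d %H:%M:%S")))
```

Running it shows that all seven pending operations are deletes: the dropper removes its own copy from the Desktop and cleans up D.tmp, E.tmp and F.tmp at the next reboot, which is why the file system looks clean afterwards, and the UserAssist entry simply records that b01kyk.exe was launched once from the Desktop. The ServiceCurrent counter stepping from 0x0B to 0x0C in the modified-values list is the Service Control Manager's running count of started services, consistent with a service or driver having been started during the run. None of these keys is a persistence mechanism; the Mebroot family, which is the name F-Secure gave this sample, is known for writing itself into the MBR, which a registry diff cannot show, so the sandbox disk's MBR should be imaged and compared as well.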

w01f's advice: always keep your browser patched, and beware of suspicious scripts and pop-ups on the websites you visit.

Other reports on this site:
- Security Republic - Innocent???

Mar 27, 2009

Welcome

This site was created as a platform for anyone to share ideas, experiences and findings on malware analysis. Feel free to comment or e-mail me any suspicious files.

Mar 22, 2009

Info on Conficker

Found some excellent write-ups on the Conficker worm by researchers at SRI International. They are among the best analyses of this malware so far. You can find the reports at the links below.

- An Analysis of Conficker
- Addendum on Conficker C

There is further malware information at the SRI Malware Threat Center.