Xxx41.exe is a filename commonly associated with a trojan-downloader family that we’ve seen prevented all over the community for the past couple of weeks. It sometimes is dropped and run by phony video codecs with names like “moviecodec.278.exe”, “k-codec.232.exe”, etc. Xxx41.exe downloads fakealert executable components from sites like image-big-library.com and top100image.com using GET requests that evade weak firewall filters, looking like image file requests “/images/item_edjf.gif” and “/infoweek/footernav/new0808/ethrexpo.gif”, which are then renamed to ~tmpc.exe (and similar names) and run on the system.
Interestingly, amongst the AntiVirus 2009 and ProAntiSpyware rogueware component downloads, a valid digital certificate popped up from “AntiSpywareSolutionsPro, Inc” out of Belize City, Belize for a “VirusRemover2008″ component.
So, we can see who provided the certificate, the next question is why. Can some of the most prevalent rogueware groups on the internet continue to get valid digital certs from trusted providers? Next, will the Rustock, Coreflood and Storm groups have digitally signed certs for secure botnet sessions?
