Skip navigation.
Home

Unknown malware

|

Have any of you come across a piece of malware that phones home to the following addresses?

givuifib.com
fibido.com
iebdesp.biz
nirkaza.com
190.183.63.81

About every 10-20 minutes it makes an http request to 2-3 of these addresses on port 80.

I haven't been able to find the actual binary, but I did find a log file named "fa56d7ec.$$$"

The http traffic looks like this:

-----------------------------
POST /BAD1D22264228F65/QWJn4mNkVVAlwhTEH5Vw82QjF1IgsRERdVcRERsCJXFWZZd30tRQBWBzJHUNRRVnBBcDp6Jn4dQAVjExW2XUJqASlwayULERBUfhdR+wMbMg0gcSN+F1FcAzBVCbVUXXEUJX09fQMSHlM6RQW3VltmHCVxJnIeEFcQ HTTP/1.0
Host: nirkaza.com
Content-Length: 0
Connection: close
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Server: nginx/0.5.32
Date: Fri, 19 Sep 2008 16:38:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.1

okn
-----------------------------

The log file was stored in a directory in c:\ named "$[something]" (should've written it down). We cut internet access to the machine and it cleaned itself up, so I can't look again. I do have dumps of the entire content of RAM at the time it was running (any suggestions for pulling useful dumps from the file?).

The log file contains complete logs of form data for IE and FF in the form "tag=value." So there are a lot of "username=x" "password=y" and "cc=z" type lines.

Any information/help you guys can provide would be appreciated.

Thanks,
Daniel

EDIT: It also appears to hide via a rootkit of some sort. Traffic sniffing on the machine itself was useless, we had to sniff at the gateway.

I've run rootkit revealer, black light, rootkit detective, and a-squared. All show nothing. Also, the machine has symantec installed on it. After 'stiring things up a bit' symantec did manage to detect 'Trojan.Mebroot' and 'SafeStrip' trojans.

ZBot or Sinowal

- this looks like a Zbot or Sinowal -variant.
- Safestrip is (AFAIK) not actually a trojan, it is rogueware.
- The 'Mebroot-trojan' you mentioned is a Banker (like Sinowal)
So the machine is/was infected with PSW-trojan(s). Did you already changed the passwords (and usernames) on the machine?
Mebroot can modify the MBR to run rootkit code. Also it creates files in the %WindowsRoot%\temp-folder.

I recommend to empty the temps and use the SDFix (by AndyManchesta) and Gmer rootkitdetector. Run SDFix in safe mode.
Scan the machine with one of the online scanners or (better) download an on-demand virus/malware-scanner and scan in safe mode (after disabling symantec's scanner).
Use your favorite search-engine to find this progs.

You can find some ZBot, Sinowal and Webroot -malware in the OC-database for analyzing them and find more information about system-modifications.

Useful info about Bankers:
http://research.pandasecurity.com/archive/Banking-Trojans-I.aspx

Thanks for the information...

Our solution was simply to reinstall the OS on the machine (rather than risk still being infected) and have everyone who used it to change all of their passwords and cancel any cc's they might have used. I'm fairly sure that your analysis is accurate as far as being a 'banker' type of malware. The ram dumps I took included lists of several banking and otherwise useful websites (the target list obviously). However, I think this is possibly a new variation of this malware as it didn't use c:\temp. It actually used c:\'dollar sign''something' seems like the directory name started with '$S'. This directory was not visible in windows; I only found it by using an app to traverse the drive itself (probably hidden with the rootkit). I'm going to dig into the ram dump and see what kind of binary I can extract.

MBR Rooter :) Windows CD and

MBR Rooter :)

Windows CD and FIXMBR

Prevx CSI or DrWeb Cureit