Have any of you come across a piece of malware that phones home to the following addresses?
About every 10-20 minutes it makes an http request to 2-3 of these addresses on port 80.
I haven't been able to find the actual binary, but I did find a log file named "fa56d7ec.$$$"
The http traffic looks like this:
POST /BAD1D22264228F65/QWJn4mNkVVAlwhTEH5Vw82QjF1IgsRERdVcRERsCJXFWZZd30tRQBWBzJHUNRRVnBBcDp6Jn4dQAVjExW2XUJqASlwayULERBUfhdR+wMbMg0gcSN+F1FcAzBVCbVUXXEUJX09fQMSHlM6RQW3VltmHCVxJnIeEFcQ HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 19 Sep 2008 16:38:00 GMT
The log file was stored in a directory in c:\ named "$[something]" (should've written it down). We cut internet access to the machine and it cleaned itself up, so I can't look again. I do have dumps of the entire content of RAM at the time it was running (any suggestions for pulling useful dumps from the file?).
The log file contains complete logs of form data for IE and FF in the form "tag=value." So there are a lot of "username=x" "password=y" and "cc=z" type lines.
Any information/help you guys can provide would be appreciated.
EDIT: It also appears to hide via a rootkit of some sort. Traffic sniffing on the machine itself was useless, we had to sniff at the gateway.
I've run rootkit revealer, black light, rootkit detective, and a-squared. All show nothing. Also, the machine has Symantec installed on it. After 'stirring things up a bit' Symantec did manage to detect 'Trojan.Mebroot' and 'SafeStrip' trojans.
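Added example (my own script, not from the original post or any tool mentioned in it): since host-side sniffing was useless and the traffic had to be captured at the gateway, the practical detection is to look at gateway logs for the pattern described above, a POST on port 80 to one of a small set of addresses every 10-20 minutes. The log format, the IP addresses and the timestamps below are constructed for the example; the thresholds (10-20 minute mean interval, low variation between intervals) are assumptions taken from the post's description.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample gateway log (not from the original post). Host 10.0.0.5
# mimics the described behaviour: a POST to one of a few addresses on port 80
# roughly every 10-20 minutes with a long encoded path. Host 10.0.0.7 is
# ordinary browsing. Format: "<ISO timestamp> <src_ip> <method> <dst>:<port> <path>"
SAMPLE_LOG = """\
2008-09-19T16:38:00 10.0.0.5 POST 203.0.113.10:80 /BAD1D22264228F65/QWJn4mNkVVAlwhTEH5
2008-09-19T16:52:00 10.0.0.5 POST 203.0.113.11:80 /BAD1D22264228F65/Zz9Qa1BxLkRtNm
2008-09-19T17:07:00 10.0.0.5 POST 203.0.113.10:80 /BAD1D22264228F65/QwErTyUiOp12
2008-09-19T17:22:00 10.0.0.5 POST 203.0.113.12:80 /BAD1D22264228F65/AbCdEfGhIj34
2008-09-19T17:36:00 10.0.0.5 POST 203.0.113.11:80 /BAD1D22264228F65/CdEfGhIjKl56
2008-09-19T16:40:00 10.0.0.7 GET 198.51.100.20:80 /index.html
2008-09-19T16:41:30 10.0.0.7 GET 198.51.100.20:80 /style.css
2008-09-19T18:10:00 10.0.0.7 GET 198.51.100.21:80 /news
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts, one per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, path = line.split(maxsplit=4)
        host, port = dst.rsplit(":", 1)
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "method": method,
            "dst": host,
            "port": int(port),
            "path": path,
        })
    return records


def find_beacons(records, min_requests=4, min_gap=600, max_gap=1200, max_cv=0.3):
    """Flag source hosts whose port-80 POSTs recur at a near-constant interval.

    min_gap/max_gap bound the mean gap in seconds (the post reports 10-20
    minutes); max_cv bounds the coefficient of variation of the gaps, so
    slightly jittered beaconing still trips the check while bursty human
    browsing does not. Returns {src_ip: summary_dict}.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["port"] == 80:
            by_src[r["src"]].append(r)

    hits = {}
    for src, reqs in by_src.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if min_gap <= avg <= max_gap and cv <= max_cv:
            hits[src] = {
                "count": len(reqs),
                # The rotating set of destinations is itself a useful indicator.
                "destinations": sorted({r["dst"] for r in reqs}),
                "mean_interval_s": avg,
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for src, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample data only 10.0.0.5 is reported, with a mean gap of 870 seconds across three rotating destinations; the browsing host has too few POSTs and irregular timing. In practice the destination list from the summary is what you would feed into a block list at the gateway, and the source list tells you which machines to pull memory from before they clean themselves up.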