Suspect Sendori software

Published: 2013-08-29
Last Updated: 2013-08-29 15:29:58 UTC
by Russ McRee (Version: 1)
4 comment(s)

Reader Kevin Branch wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori.  In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process.

The URL path (to be considered hostile) is: hxxp://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe.
MD5 hash:  9CBBAE007AC9BD4A6ACEE192175811F4
For those of you who may block or monitor for this, the updater request data follows:
GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com
 
VirusTotal results currently nine malware hits (9/46).
Malwr results are rather damning, and as Kevin stated, Zeus-like. In particular the mutexes are very reminiscent. 
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
_!MSFTHISTORY!_
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
 
Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe
 
Password and credential stealing are definitely in play and I experienced ransomware activity in my sandbox; it hijacked my VM with the "This is the FBI, you have been blocked warning." Awesome.
It is recommended that, should you allow Sendori at all in your environments that you block update.sendori.com via web filtering for the time being.
 
Sendori replied to Kevin's notification with; they are engaged and investigating:
Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks
Sendori Support team
 
Thanks for sharing, Kevin. 
Readers, if you spot similar or variations on the theme, please feel free to let us know.
 
 
Keywords: malware advisory
4 comment(s)
ISC StormCast for Thursday, August 29th 2013 http://isc.sans.edu/podcastdetail.html?id=3506

Comments


Diary Archives