".sys" Directories Delivering Driveby Downloads
Our read Paul observed malware being delivered from the ".sys" directory of various web sites. The URL follows the scheme:
http://evilexample.com/.sys/?action=....
In response to clicking on the link, the user is asked to install the software. According to Paul, he observed the link being delivered via Facebook which of course makes the message more plausible and it is likely that users install the software thinking it came from a "Friend". Before adding a specific block for ".sys", Paul's web filter caught about 60% of these exploits.
Once a user follows the link, additional exe files are downloaded from ".sys" directories. The file names Paul observed are p.exe, go.exe and v2captcha21.exe.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
martin
Mar 24th 2010
1 decade ago
/.sys/?action=fbgen&v=
/.sys/index.html?getexe=fb.101.exe
/.sys/index.html?getexe=fb.75.exe
/.sys/index.html?getexe=fb.84.exe
/.sys/index.html?getexe=fbcheck.exe
/.sys/index.html?getexe=get.exe
/.sys/index.html?getexe=go.exe
/.sys/index.html?getexe=hosts2.exe
/.sys/index.html?getexe=loader.exe
/.sys/index.html?getexe=pp.12.exe
/.sys/index.html?getexe=pp.14.exe
/.sys/index.html?getexe=v2captcha.exe
/.sys/index.html?getexe=v2captcha21.exe
/.sys/index.html?getexe=v2prx.exe
/.sys/index.html?getexe=v2webserver.exe
filenames:
v2captcha21.exe
v2bloggerjs.exe
fb.84.exe
fbcheck.exe
go.exe
v2prx.exe
fb.82.exe
pp.14.exe
v2webserver.exe
hosts2.exe
be.20.exe
tg.16.exe
ms.26.exe
Sanesecurity
Mar 24th 2010
1 decade ago
Paul
Mar 24th 2010
1 decade ago
peter
Mar 24th 2010
1 decade ago
str3tch
Mar 24th 2010
1 decade ago
Paul
Mar 24th 2010
1 decade ago
> 2010-03-16-16:16:34 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/57960 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=p.exe
> 2010-03-16-16:21:57 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/36411 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=v2webserver.exe
> 2010-03-16-16:21:57 HTTP_WatchedMIMEType (L)
<bro> a.b.c.d/36411 > 82.165.207.69/http application/x-dosexec GET http://handball76.com/.sys/?getexe=v2captcha21.exe
so the .sys part seems to be consistent, but the latter part may vary. MD5 Hashes are:
cb255ee2f94d5c6ed11eb5c111ea45c1 v2captcha.exe
d5db0c2908d025c792231901deeacf42 v2webserver.exe
7531ab1f4480b80ecb57d0a955d0b7c6 com-p.exe
Ewald
Mar 26th 2010
1 decade ago