Eric, one of our many valued contributors wrote in yesterday with various spam messages that contained nothing but a short piece of text and a link to a very simple HK domain. Different domains were used in each message.
Subject line: Hello, Pal
When investigating this, we noticed that these domains have no less than 10 authorative nameservers. Most interesting is that each of these appear to be located within an ISPs dynamic IP address range. This is naturally highly suspicious. Random querying for A records shows that a large number of other compromised hosts are being used to host the actual website.
On each of these servers, the index.html page contains nastiness:
The resulting file ‘fun.exe’ appears to be different on each single server. We have currently seen the following SHA1 hashes:
Detection of the code by regular Anti-virus is very spotty, shown by the following output of Virustotal. These were the only solutions that detected malicious code. As you can see, even these are mostly generic detections:
BitDefender 7.2 06.16.2007 GenPack:Trojan.Peed.NG
This type of well-prepared and extensive attack is very difficult to shut down, mostly due to the amount of servers and authorities involved. As such, the most effective way of responding would be to have the domain itself taken down. This issue has been reported to the HKCERT as well as the administrators of the .hk TLD. In addition, we’re working with anti virus vendors to improve coverage of both the resulting file and the trojan droppers being used on the malicious site.
Jun 16th 2007
1 decade ago