Strange malware now reported to virus AT avast dot com

Hi forum folks,

We stumbled upon a link with strange malware, now reported to virus at avast dot com.
You land at a page where there is a form (method="post") whose action redirects to a particular port on that site,
with a selection of various crypted bot DLLs. As the one that reported the malware told it: "you tick the file you want and click crypt at the bottom,
then it seems to start making a file… then it seems to test it against AV… and then you get a download link."

The results of the reported scans he gave had never been seen before by VT:

https://www.virustotal.com/file/2119e08ebd452aa712bf1c5e84c729ff3976de5d88184158d00e92772a2e2534/analysis/1345223374/

https://www.virustotal.com/file/1cdc019f1f2b93a844d68f14e7278b57f9cc66b9b82754bbfd99c397d84a9e23/analysis/1345222767/

https://www.virustotal.com/file/242c547be7f258acfcada5670cc9dcac8c9f7100516f528f438d7ffa6d21556a/analysis/1345224124/

All files were, however, detected by Malwarebytes.
So we started a further investigation based on the malware type found and the IP characteristics (IP withheld for obvious reasons).
A description of the malware at hand was found here: http://vadimkotov.wordpress.com/2011/08/21/how-i-met-the-trojan-win32-yakes-but/
There are 0 domains / websites hosted on the IP. This means that the IP doesn't have a domain/website allocated to it, and therefore is not linked to a server.
92 baddies like these were on this IP AS, busy in both badware and phishing activities.
This is a trojan stealer & malware dropper.
Yes, the "crypt" word was an important clue to see what had been abused on PHP 5.4.4, and bingo: http://www.h-online.com/security/news/item/PHP-5-4-4-and-5-3-14-releases-fix-security-vulnerabilities-1618852.html and so this was the way that our friend Yakes got to reside there…

polonus

+1 Very good find here.

As for “stumbling”, how did that happen?

ThreatExpert reports on those samples above:
http://www.threatexpert.com/report.aspx?md5=b87451b28f44719637752181e9623cb2
http://www.threatexpert.com/report.aspx?md5=3c32c6adff4c3f6f2d705a424aa6d426
http://www.threatexpert.com/report.aspx?md5=55552357e8524127d0378368bc72ef6e

Also added a screenshot of the website.

Hi Pondus,

As we look at the analysis of this malware, it is a rootkit proxy-box backdoor (the CLSID denotes that).
ShellIconOverlayIdentifiers\sp is the proxy agent there.
FSFilter Security Enhancer loads the filter drivers compressed for the container.
The malware is somehow related to this malware: http://www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2
So behind it there must be botnet activity of some sort.

polonus

@ polonus,

Am I correct in stating that a part of the exploit, using the Symantec link you provided, is Adobe-based?

Hi mchain,

You are correct here, and I must praise you for being such an attentive reader. Time to give some additional security advice.
Users are advised to NOT use Adobe right now. It is being massively abused… and quite some vulnerabilities haven't been patched.
Read: http://gynvael.coldwind.pl/?id=483 (collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind from the International Google Security Team).

polonus

Must be why I binned Adobe and got Foxit.

Hi essexboy,

If anyone, you should be aware of the whys here.

polonus

Sumatra :smiley: