We stumbled upon a link with strange malware, now reported to virus at avast dot com.
You land on a page with a form (method="post") whose action redirects to a particular port on that site,
with a selection of various crypted bot DLLs. As the one who reported the malware put it: "you tick the file you want and click crypt at the bottom,
then it seems to start making a file... then it seems to test it against AV... and then you get a download link."
The results of the scans he reported had never been seen before by VT (VirusTotal);
all files were, however, detected by Malwarebytes.
So we started a further investigation based on the malware type found and the IP characteristics (IP withheld for obvious reasons).
A description of the malware at hand was found here: http://vadimkotov.wordpress.com/2011/08/21/how-i-met-the-trojan-win32-yakes-but/
There are 0 domains / websites hosted on the IP. This means that the IP doesn't have a domain/website allocated to it, and therefore is not linked to a server.
92 baddies like these were on this IP's AS, busy in both badware and phishing activities.
This is a trojan stealer & malware dropper.
Yes, the word "crypt" was an important clue to see what had been abused on PHP 5.4.4, and bingo: http://www.h-online.com/security/news/item/PHP-5-4-4-and-5-3-14-releases-fix-security-vulnerabilities-1618852.html and so this was the way that our friend Yakes got to reside there...
As we look at the analysis of this malware, it is a rootkit proxy-box backdoor (the CLSID denotes that).
ShellIconOverlayIdentifiers\sp is the proxy agent there.
FSFilter Security Enhancer loads the filter drivers, compressed, for the container.
The malware is somehow related to this one: http://www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2
so behind it there must be botnet activity of some sort.
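The post above names a ShellIconOverlayIdentifiers entry called "sp" as the proxy agent's persistence point. As an added example (not code from the post or from any of the linked write-ups), the following PowerShell script enumerates every registered shell icon overlay handler, resolves its CLSID to the DLL that Explorer will load, checks the DLL's Authenticode signature and location, and flags entries worth a closer look. The only name taken from the post is "sp"; the system-directory heuristic and the output format are assumptions made here.

```powershell
# Added example, not part of the original post.
# Enumerate shell icon overlay handlers (loaded into explorer.exe at logon),
# resolve each one to its DLL, and flag entries that look out of place.
# The entry name "sp" comes from the post above; the rest is a heuristic.

$overlayKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$suspectNames = @('sp')   # name reported in the post; extend with other IOCs as needed

Get-ChildItem -Path $overlayKey | ForEach-Object {
    $name  = $_.PSChildName
    # The (default) value of each subkey is the CLSID of the handler.
    $clsid = (Get-ItemProperty -Path $_.PSPath).'(default)'
    $dll   = $null
    $sig   = 'n/a'

    if ($clsid) {
        # The CLSID's InprocServer32 (default) value is the DLL Explorer loads.
        $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $srvKey) {
            $dll = (Get-ItemProperty -Path $srvKey).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            if ($dll -and (Test-Path $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } else {
                $sig = 'missing file'
            }
        } else {
            $sig = 'no InprocServer32'
        }
    }

    # Assumed heuristic: legitimate handlers normally live under the Windows
    # or Program Files trees and are validly signed.
    $inKnownDir = $dll -and (($dll -like "$env:SystemRoot\*") -or ($dll -like "$env:ProgramFiles*"))
    $flag = ($suspectNames -contains $name) -or ($sig -ne 'Valid') -or (-not $inKnownDir)

    [PSCustomObject]@{
        Name       = $name
        CLSID      = $clsid
        DLL        = $dll
        Signature  = $sig
        Suspicious = $flag
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the suspect host. Treat the Suspicious column as a triage list, not a verdict: cloud-sync and version-control clients (OneDrive, Dropbox, TortoiseSVN and the like) also register overlay handlers, sometimes from per-user directories, so an entry is only interesting when the name, path or signature does not match software you know is installed. On 64-bit Windows, repeat the enumeration under HKLM:\SOFTWARE\WOW6432Node\...\ShellIconOverlayIdentifiers for 32-bit handlers.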
You are correct here and I must praise you for being such an attentive reader. Time to give an additional security advice.
Users are advised NOT to use Adobe right now. It is being massively abused... and quite some vulnerabilities haven't been patched.
Read: http://gynvael.coldwind.pl/?id=483, a collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind from the International Google Security Team.