Archive for the ‘peacomm’ Category

« Older Entries

New Storm Worm Rootkit Domain happy2008toyou.com appears on the stroke of Midnight

Tuesday, January 1st, 2008

Another Storm Worm domain as popped up on the radar,

happy2008toyou.com

The whois…

Domain name:             HAPPY2008TOYOU.COM
Name Server:             ns.happy2008toyou.com 68.251.106.142
Name Server:             ns10.happy2008toyou.com 89.35.121.187
Name Server:             ns11.happy2008toyou.com 58.9.65.61
Name Server:             ns12.happy2008toyou.com 222.209.139.28
Name Server:             ns13.happy2008toyou.com 82.59.136.43
Name Server:             ns2.happy2008toyou.com 68.36.252.81
Name Server:             ns3.happy2008toyou.com 71.230.66.163
Name Server:             ns4.happy2008toyou.com 68.61.185.117
Name Server:             ns5.happy2008toyou.com 70.232.142.1
Name Server:             ns6.happy2008toyou.com 66.75.86.71
Name Server:             ns7.happy2008toyou.com 85.29.202.180
Name Server:             ns8.happy2008toyou.com 86.139.75.35
Name Server:             ns9.happy2008toyou.com 86.130.251.39
Creation Date:           2007.12.29
Updated Date:            2007.12.29
Expiration Date:         2008.12.29
Status:                  DELEGATED
Registrant ID:           X05O1TC-RU
Registrant Name:         Larry Claus
Registrant Organization: Larry Claus
Registrant Street1:      1874 str.  office 923
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  320784
Registrant Country:      US
Administrative  Technical Contact
Contact ID:              X05O1TC-RU
Contact Name:            Larry Claus
Contact Organization:    Larry Claus
Contact Street1:         1874 str.  office 923
Contact City:            Los-Angeles
Contact State:           CA
Contact Postal Code:     320784
Contact Country:         US
Contact Phone:           1 320 5216723
Contact E-mail:          larryknower931@yahoo.com

Registrar:               ANO Regional Network Information Center dba RU-CENTER
Last updated on 2008.01.01 03: 36: 27 MSK/MSD

The full list of domains we currently have is:

familypostcards2008.com
freshcards2008.com
happy2008toyou.com
happycards2008.com
happysantacards.com
hellosanta2008.com
hohoho2008.com
newyearcards2008.com
newyearwithlove.com
parentscards.com
postcards-2008.com
Santapcards.com
Santawishes2008.com

The filename downloaded is happy_2008.exe

Most Virus Scanners find it,

Have a happy New Year,

Keep Safe,

regards,

Steo

Posted in Analysis, E-Cards, McAfee, Microsoft, New Rootkits, News, Nuwar, Other Malware, Rootkit Scanners, Rootkit Unhooker, Storm Worm, peacomm, wincom32 | 2 Comments »

Another Storm Worm Rootkit domain name – familypostcards2008.com

Saturday, December 29th, 2007

Another domain is being used to host the latest version of the Storm Worm. Millions of emails were spammed out from unsuspecting PC users enticing users to download the malware and rootkit.

familypostcards2008

If a user clicks on the link they will be shown a page like this,

newyearcards2008-site

If they click on the link a file called happynewyear2008.exe will be downloaded.

At this moment in time only 9 out of 32 scanners used by Virustotal can detect the current file as malware.

virustotal-happynewyear2008

Here is the whois details for familypostcards2008.com with a hint of humor – registered by Larry Claus…

 Domain name:             FAMILYPOSTCARDS2008.COM
 Name Server:             ns.familypostcards2008.com 66.215.91.63
 Name Server:             ns10.familypostcards2008.com 76.112.151.191
 Name Server:             ns11.familypostcards2008.com 76.107.40.165
 Name Server:             ns12.familypostcards2008.com 193.77.249.129
 Name Server:             ns13.familypostcards2008.com 77.202.25.169
 Name Server:             ns2.familypostcards2008.com 24.210.99.223
 Name Server:             ns3.familypostcards2008.com 66.159.176.149
 Name Server:             ns4.familypostcards2008.com 67.163.236.85
 Name Server:             ns5.familypostcards2008.com 98.196.175.5
 Name Server:             ns6.familypostcards2008.com 71.200.65.128
 Name Server:             ns7.familypostcards2008.com 71.12.160.177
 Name Server:             ns8.familypostcards2008.com 72.134.39.155
 Name Server:             ns9.familypostcards2008.com 98.226.9.190
 Creation Date:           2007.12.29
 Updated Date:            2007.12.29
 Expiration Date:         2007.12.29
 Status:                  DELEGATED
 Registrant ID:           X05O1TC-RU
 Registrant Name:         Larry Claus
 Registrant Organization: Larry Claus
 Registrant Street1:      1874 str.  office 923
 Registrant City:         Los-Angeles
 Registrant State:        CA
 Registrant Postal Code:  320784
 Registrant Country:      US
 Administrative  Technical Contact
 Contact ID:              X05O1TC-RU
 Contact Name:            Larry Claus
 Contact Organization:    Larry Claus
 Contact Street1:         1874 str.  office 923
 Contact City:            Los-Angeles
 Contact State:           CA
 Contact Postal Code:     320784
 Contact Country:         US
 Contact Phone:           1 320 5216723
 Contact E-mail:          larryknower931@yahoo.com
 Registrar:               ANO Regional Network Information Center dba RU-CENTER
 Last updated on 2007.12.30 02: 15: 52 MSK/MSD

We will keep you posted as new Storm Worm domains appear.

Keep Safe,

regards

Steo – www.antirootkit.com

Posted in Analysis, E-Cards, New Rootkits, News, Nuwar, Underground, peacomm | 1 Comment »

How to promote your Storm Worm Peacomm Rootkit via Google and newyearcards2008.com

Saturday, December 29th, 2007

Whats the first thing people all over the world do when they want to find out about something…they Google it!!! “Googling” something has become a keyword in so many people’s lives these days. Googling has an entry on popular online dictionaries http://dictionary.reference.com/browse/google which means it wont be long before you can actually use the word Googling “legally”.

So when millions of people recently got an email with a link to newyearcards2008.com where they could pick up their New Years E Card Greeting they went to Google and did a search for newyearcards2008.com and they would have seen newyearcards2008.com at the very top,

newyearcards2008

From Google….

Happy New Year!

Your download should begin shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download and then press
newyearcards2008.com/ – 1k – CachedSimilar pages

Most Google users would think it is legitimate such is the trust in Google these days. When clicked on the user would have seen a page delivered via someones PC whether it be in their front room, bedroom, office, factory floor even unsuspecting Internet Cafe’s all over the world.

newyearcards2008-site
Snapshot from newyearcards2008.com

These infected PC users do not suspect a thing because their Anti Virus program shows that everything is ok, all is well. Why? The latest Storm Worm is using a rootkit … http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/ . Nothing shows because of the stealth capabilities of the rootkit. It hides all traces of itself from normal anti virus and anti spyware scanners. Different scanners are now required for checking for rootkits. Scanners that know exactly how the rootkit operates are required, check out the Antirootkit Software page for list of new scanners.

Why does a search of newyearcards2008.com show the main infection site up first on a Google search? It’s all about how many pages on the internet link to newyearcards2008.com. Even by me putting newyearcards2008.com in this blog will help the name climb the Google ladder so that it shows at the very top and stays top for as long as it can, fooling people into thing it is legitimate ( I mention newyearcards2008.com a lot here so that this blog entry will raise higher than newyearcards2008.com and people will read this warning before getting their New Year’s “Surprise” E-Card).

The people who registered newyearcards2008.com, they went about getting the domain name mentioned on a lot of internet pages around the world, mostly on blog pages belonging to Google. Most of the Blogspot pages have been disabled by Google but many Blogspot and Blogger owners who are using their own domain name have links to newyearcards2008.comnewyearcards2008-blog-site in thier “hacked” blogs.

 

 

If you suspect a site as being unusual with unusual activity then you can report it to Google and help them mark it as suspect. You can report to Google, suspect sites, via http://www.google.com/safebrowsing/report_badware/

A recent Trend Micro Blog entry highlights Blogger pages being used to harbor links to newyearcards2008.com… http://blog.trendmicro.com/hundreds-of-blogger-pages-harboring-new-years-storm-links/trackback/
So far as of 29th Dec GMT newyearcards2008.com is showing tops, lets see when it is highlighted as a suspect site by Google on a web search.

Also keep an eye out for newyearwithlove.com

(Asked whois.nic.ru:43 about newyearwithlove.com)

 Domain name:             NEWYEARWITHLOVE.COM
 Name Server:             ns.newyearwithlove.com 24.161.84.89
 Name Server:             ns10.newyearwithlove.com 69.179.23.34
 Name Server:             ns11.newyearwithlove.com 70.241.145.212
 Name Server:             ns12.newyearwithlove.com 69.137.25.197
 Name Server:             ns13.newyearwithlove.com 82.67.135.130
 Name Server:             ns2.newyearwithlove.com 71.201.48.186
 Name Server:             ns3.newyearwithlove.com 68.114.62.80
 Name Server:             ns4.newyearwithlove.com 76.226.178.239
 Name Server:             ns5.newyearwithlove.com 70.128.122.94
 Name Server:             ns6.newyearwithlove.com 76.201.158.149
 Name Server:             ns7.newyearwithlove.com 75.49.2.123
 Name Server:             ns8.newyearwithlove.com 67.8.191.249
 Name Server:             ns9.newyearwithlove.com 71.12.83.79
 Creation Date:           2007.12.26
 Updated Date:            2007.12.26
 Expiration Date:         2008.12.26
 Status:                  DELEGATED
 Registrant ID:           XHAEJUS-RU
 Registrant Name:         Bill Gudzon
 Registrant Organization: Bill Gudzon
 Registrant Street1:      1920 str.  office 345
 Registrant City:         Los-Angeles
 Registrant State:        CA
 Registrant Postal Code:  32089
 Registrant Country:      US
 Administrative  Technical Contact
 Contact ID:              XHAEJUS-RU
 Contact Name:            Bill Gudzon
 Contact Organization:    Bill Gudzon
 Contact Street1:         1920 str.  office 345
 Contact City:            Los-Angeles
 Contact State:           CA
 Contact Postal Code:     32089
 Contact Country:         US
 Contact Phone:           1 320 5427834
 Contact E-mail:          bgudzon1956@hotmail.com
 Registrar:               ANO Regional Network Information Center dba RU-CENTER
 Last updated on 2007.12.29 05: 07: 05 MSK/MSD

Keep Safe,

Steo – www.antirootkit.com

 

Posted in Analysis, Blogger, Blogspot, Debate, E-Cards, Google, New Rootkits, News, Nuwar, Prevx, Rootkit Scanners, Storm Worm, Underground, peacomm, wincom32 | 2 Comments »

In the Eye of the Storm Worm

Sunday, October 21st, 2007

Frank Boldewin, a German IT security specialist has recently published a clear and concise analysis of Peacomm.C code, otherwise known as The Storm Worm, Nuwar or Zhelatin.

The Storm Worm has been hitting hard since Jan 2007 when it was unleashed as spammed emails duping users into following news about the large storms that were hitting Europe at the same time. The Storm Worm has resurfaced under many guises throughout the year. Coming up to Valentines Day millions of emails were spammed out duping the users into viewing a message from a loved one.

This code and underlining Rootkit has helped criminals setup a major Botnet comprising of captured zombie PC’s from all around the world. Most of these PC owners are oblivious to the fact that their PC is part of a Botnet and is in control of criminals intend in using it to make money for themselves.

Frank dissected the code after receiving a spammed out email which had a link to malware which when installed would have installed the Peacomm.C rootkit and the PC would become part of the botnet.

“On 22th August 2007 I received an email informing me about “New Member Confirmation”, including Confirmation Number, Login-ID and Login-Password. To stay secure I should immediately change my Login info on a provided website link. So I’ve started investigating what surprises are awaiting people clicking on such kind of links. Next to a friendly message telling me that my download should start in some seconds, I also got a browser exploit for free, to ensure the “software package” gets really shipped. “Hey that’s cool”, I thought by myself. “It’s like Kinder Surprise® – three in one!” Unfortunately, at this time I hadn’t enough incentive for a deep analysis and so I just stored the malicious file called applet.exe in my archive for later fun with it.”

Frank goes into some depth in his analysis including topics such as:

  • First stage XOR decrypter
  • Second stage TEA decrypter
  • TIBS Unpacker
  • Anti-Debugging code
  • Files dropping
  • The driver-code infection
  • Finding the OEP to the native Peacomm code
  • Finding and patching the VM-detection tricks
  • SSDT file hiding
  • Shellcode injection for process spawning
  • System files locking

This excellent in-depth analysis in PDF format along with the Peacomm.C binaries can be downloaded from Frank’s site www.reconstructer.org.

A html version is available from antirootkit.com

Have fun, enjoy the read and be cautious with the binaries.

regards

Steo
www.antirootkit.com

 

Posted in Analysis, E-Cards, News, Nuwar, Storm Worm, peacomm, wincom32 | 1 Comment »

Abnormal activity from your IP…yeah sure

Monday, July 9th, 2007

There is another Storm Worm outbreak at the moment. The attackers are using the same social engineering tactic that was used last April, see Forecast – Massive Storms clouded by Rootkits
The way it works is that after a Storm Worm outbreak such as the 4th of July E-card outbreak users get an emails saying they are infected and should download a patch to fix it or their account will be suspended.

On the 4th of July emails were spammed out to millions of users with a link pretending to be an E-card for the 4th of July celebrations.
The subjects included:

4th Of July Celebration
American Pride, On The 4th
America’s 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation
Fireworks on The 4th
Fourth of July Party
God Bless America
Happy 4th of July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday

If a user clicked on the link they would have downloaded Troj/JSEcard-A and this would have in turn downloaded a Nuwar variant ( WORM_NUWAR.HC )

The same attacking spammers have sent out millions of emails warning users that their PC is infected and they should download a patch file to fix the PC.
The email looks like this below ( thanks Dan ).

Worm Alert!
Dear Customer,Our robot has detected an abnormal activity
from your IP adress on sending e-mails. Probably it is connected with the
last epidemic of a worm which does not have official patches at the
moment.We recommend you to install this patch
to remove worm files and stop email sending, otherwise your account will be
blocked.
Administrator

The attackers are playing on the publicity the 4th of July worm got. Many users may have this in the back of their mind as they read the latest email. Many will think that it is a legitimate email and “install” the patch only to be added to the massive bot net that has arisen from these spamming campaigns.
If you feel that you have downloaded your 4th of July Ecard or installed the patch to correct it then you should download some anti-rootkit software from our software page and check your system out as NUWAR is known to contain a rootkit to hide it’s suspicious activity.

Keep Safe
regards
Steo
www.antirootkit.com

References:
4th of July Ecard
Postcards or patches?

Posted in E-Cards, New Rootkits, News, Nuwar, Other Malware, Storm Worm, peacomm, wincom32 | 1 Comment »

First Full-Kernel Rootkit Malware spotted in the wild.

Friday, June 29th, 2007

In the last few days there has been an appearance of a new rootkit that has capabilities of bypassing Firewalls and Intrusion Detection systems.

The rootkit hooks the following kernel functions to hide its registry keys:
ZwOpenKey
ZwEnumerateKey

It also hooks the following kernel routine of NTFS filesystem driver to hide its files: \FileSystem\Ntfs\IRP_MJ_CREATE
\FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL

It patches TCP/IP network drivers chain to bypass completely firewalls, IDS systems, and network sniffer tools. The rootkit also works in Windows Safe Mode.

The rootkit is used to hide a Trojan that is used to send out spam. The trojan connects to servers to collect the configuration data it needs to send out the spam.

This rootkit also tries to delete competitor rootkits found on the users PC. ntio256.sys and wincom32.sys are two of its known targets.

The rootkit is currently being sent to users PC’s via hacked websites. Recently it was estimated that over  10000 websites were hacked and the rootkit installer was planted on the sites waiting for visitors to come along. When an unsuspecting user visited one of these sites an iframe is launched and various vulnerabilities are checked for by the malicious installer.

Here is a Youtube video showing the websites using Iframes and the MPack installer attacking a PC.

From the Symantec Blog….
Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that its probably the first full-kernel malware spotted in the wild.”

“We guess that the author of Trojan.Srizbi could be the same as Rustock’s because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.”

No doubt the rootkit writers are on an interesting path and this just goes to show that every day that passes newer techniques are being invented by malware authors.

Keep Safe,
regards

Steo
www.antirootkit.com

Posted in New Rootkits, News, Other Malware, peacomm, wincom32 | 1 Comment »

« Older Entries