Have Your Malware In a Timely Fashion

December 15, 2007 / Comments (0) / by Dancho Danchev

Keep your allies close, the human rights violators closer. French officials have been receiving lots of criticism from human rights groups regarding Moammar Gadhafi's visit to France; in fact, Human Rights Watch issued a press release entitled Al-Qadhafi in France. Despite the logical response in the form of criticism, it lacks the long-term strategic vision and the proven approach to dealing with crying kids: pay them attention, give them candy, and therefore try to integrate them rather than isolate them.

If it were "embedded malware as usual", the wannabes would have started mass mailing links to malware-infected sites spreading rumors regarding the visit, like a previous PSYOPS operation on behalf of an unnamed intelligence agency. In this case, however, they embedded malware at a French government site related to Libya in order to eventually infect all the visitors looking for more information during the visit. That's a social engineering trick taking advantage of the momentum by proactively anticipating the rush of visitors to the site. Another recent combination of tactics aimed to increase the lifecycle of a malware-embedded attack by placing it at the Chinese Internet Security Response Team's site during China's "Golden Week" holiday.

According to McAfee's "Web Site of the French Embassy in Libya Under Attack":

"The people behind these attacks love to use highly topical issues in order to attract as many people as possible. This week in my country, the visit by Libyan President Muammar Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why the French Embassy Web Site is now infected by malicious code. Please do not attempt to reach the site, it is still dangerous."

Let's pick up from where McAfee left off in the assessment. 4qobj63z.tarog.us/tds/in.cgi?14 (58.65.233.98) loads an IFRAME to fernando123.ws/forum/index.php (88.255.94.114), which is MPack hosting the actual binary at fernando123.ws/forum/load.php or fernando123.ws/forum/load.exe.

Detection rate: 9/32 (28.13%)
File size: 43008 bytes
MD5: 8ce2134060b284fa9826d8d7ca119f33
SHA1: 3074f95d6b54fa49079b20876efa0f4722e7fe7d

As for the second campaign at 4583lwi4.tarog.us/in.cgi?19, the malicious parties were quick enough to redirect the IFRAME to Google.com, in exactly the same fashion the RBN did in the Bank of India incident, clearly monitoring the exposure activities in real time. However, accessing it through a secondary IP retrieves the real IFRAME, namely winhex.org/tds/in.cgi?19 (85.255.120.194), which loads winhex.org/traff/all.php, which in turn loads kjlksjwflk.com/check/versionl.php?t=577 (now down) and 208.72.168.176/e-notfound1212/index.php, where obfuscated code, once deobfuscated, attempts to load 208.72.168.176/e-notfound1212/load.php.

Detection rate: 14/32 (43.75%)
File size: 116244 bytes
MD5: 42dacb9f7dd4beeb7a1718a8d843e000
SHA1: d595dd0e4dcf37b69b48b8932dcf08e9f73623d0
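Both campaigns above share two traits a site owner or researcher can check for mechanically: an invisible IFRAME pointing at a traffic-distribution handler (the in.cgi?NN URLs), and cloaking, where the injected IFRAME target changes depending on who is fetching the page (the redirect to Google.com seen from one IP, the real winhex.org IFRAME from another). The following Python script is an added example and is not code from the original post; the function names (suspicious_iframes, cloaking_suspected) are hypothetical, and the two HTML snippets are constructed samples that reuse the URLs quoted in the post.

```python
"""Flag hidden / TDS-style IFRAMEs in a page and spot cloaking between two fetches.

Added example for this post; the sample pages below are constructed, not captured.
"""
import re
from html.parser import HTMLParser

# Traffic-distribution entry points as quoted in the post: ".../in.cgi?<id>"
TDS_PATTERN = re.compile(r"/in\.cgi\?\d+", re.IGNORECASE)

# Constructed sample: what a regular visitor is served (hidden IFRAME to the TDS)
PAGE_FROM_VISITOR = """<html><body>
<h1>Ambassade de France en Libye</h1>
<iframe src="http://4qobj63z.tarog.us/tds/in.cgi?14" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

# Constructed sample: the same page once the attackers swap the target to google.com
PAGE_FROM_RESEARCHER = """<html><body>
<h1>Ambassade de France en Libye</h1>
<iframe src="http://www.google.com/" width="0" height="0" frameborder="0"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def iframe_sources(html):
    """Return the src of every IFRAME in the page, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return [attrs.get("src", "") for attrs in parser.iframes]


def suspicious_iframes(html):
    """Return [{"src", "reasons"}] for IFRAMEs that are hidden or point at a TDS handler."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        style = attrs.get("style", "").replace(" ", "").lower()
        # Zero-sized or display:none frames are the classic invisible-loader trick
        if (attrs.get("width", "").strip() == "0"
                or attrs.get("height", "").strip() == "0"
                or "display:none" in style
                or "visibility:hidden" in style):
            reasons.append("hidden")
        src = attrs.get("src", "")
        if TDS_PATTERN.search(src):
            reasons.append("tds")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def cloaking_suspected(html_from_a, html_from_b):
    """True when two vantage points receive different IFRAME targets for the same page.

    Cloaking is only one explanation (A/B tests and geo-targeted ads are others), so
    treat a True result as a reason to look closer, not as proof of compromise.
    """
    return set(iframe_sources(html_from_a)) != set(iframe_sources(html_from_b))


if __name__ == "__main__":
    for label, page in (("visitor", PAGE_FROM_VISITOR), ("researcher", PAGE_FROM_RESEARCHER)):
        for hit in suspicious_iframes(page):
            print(f"[{label}] {hit['src']} -> {', '.join(hit['reasons'])}")
    print("cloaking suspected:", cloaking_suspected(PAGE_FROM_VISITOR, PAGE_FROM_RESEARCHER))
```

Run against real captures, the two inputs to cloaking_suspected would be the HTML of the same URL fetched from two unrelated networks; differing IFRAME targets between them is exactly the behaviour described for the second campaign, while a zero-sized frame pointing at an in.cgi handler is the first campaign's footprint.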

Déjà vu: 208.72.168.176 is the "New Media Malware Gang" in action, whose ecosystem clearly indicated connections with the RBN, Possibility Media's malware attack, the Bank of India and Syrian Embassy malware attacks, and the Storm Worm, all of which I assessed in numerous previous posts.

All your malware downloaders are belong to us - again and again.