Rogue security software XP Total Security spreads by email
We received an email stating that we have an unread message and that someone has sent us a private message. It does not say which social network the message comes from; it only says that it comes from SecureMessage.System, as you can see in this image:
The body of the email is this:
Inside the body of the email there are 4 clickable links in total, from which we extracted 3 distinct malicious URLs. All three were still active at the time of writing, and all of them point to a remote file named link.php:
hxxp:// datingcool2012 . asia/ link.php
hxxp:// site-dating2010 . info/ link.php
hxxp:// datingbest2011 . asia/ link.php
We analyzed the activity of one of the URLs and can clearly see that it leads to a web page that tries to scare the user by displaying an alert window claiming the PC is infected with trojans and spyware, a well-known method used to spread rogue security software:
When the button “Clean computer” is clicked, we are prompted to download a file:
File: freescan_seven_2013_exe
Size: 274624 bytes
MD5 Hash: 42DD7BD51C37B15965E67357517BFCBF
SHA1 Hash: 8D2D541CD4E3C7D0E9246940AA21DF84DAC06C49
SHA256 Hash: 7D6918FAA12EA588D6F7838267C60C6F8A3F51D5AC27A894D472F74E8B037CFB
SHA384 Hash: B7EEDBEF30B55276EAB875CABE5BFE33AD7A3B3DE1D772EF78B06651FA906362EACD6845DD2BAC3C5C7C2BD8E541C1EA
SHA512 Hash: EAEA7C1623F27BA75D11A6A2F1174DCF10B89461A5185C95E5E66FBD9A6400218247E8262DC6F3D96D88ED46A1877A657AB84444EEFA3B5608B9BE9E08569366
When the file is executed, it installs the rogue security software XP Total Security:
This is the network traffic generated by the malicious web page:
GET /link.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia

GET /?affid=00110&promo_type=5&promo_opt=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia

GET /images/alert.png HTTP/1.1
Referer: hxxp:// datingcool2012 . asia/?affid=00110&promo_type=5&promo_opt=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07

GET /index/two/ HTTP/1.1
Referer: hxxp:// datingcool2012 . asia /?affid=00110&promo_type=5&promo_opt=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: datingcool2012 . asia
Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07
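To turn a capture like the one above into indicators a defender can actually block or hunt for, here is an added example (not code from the original post) that parses the concatenated requests, refangs the host and Referer values the write-up defangs with "hxxp" and spaced dots, and collects the hosts, request paths, affiliate id and session cookie. The sample traffic is constructed from the requests shown above; the header set and the request-line format are assumptions about what the capture tool emits.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the four requests from the write-up, concatenated the
# way the page shows them and still in their defanged form.
SAMPLE_TRAFFIC = (
    "GET /link.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) "
    "Host: datingcool2012 . asia "
    "GET /?affid=00110&promo_type=5&promo_opt=1 HTTP/1.1 "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: datingcool2012 . asia "
    "GET /images/alert.png HTTP/1.1 Referer: hxxp:// datingcool2012 . asia/?affid=00110&promo_type=5&promo_opt=1 "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: datingcool2012 . asia "
    "Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07 "
    "GET /index/two/ HTTP/1.1 Referer: hxxp:// datingcool2012 . asia /?affid=00110&promo_type=5&promo_opt=1 "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: datingcool2012 . asia "
    "Cookie: PHPSESSID=umr4543d59rfa2lmq2fhbnue07"
)

# Headers the capture is assumed to print; each value runs until the next header name.
HEADERS = ("User-Agent", "Host", "Referer", "Cookie")
_NAMES = "|".join(HEADERS)
HEADER_RE = re.compile(r"(?:^|\s)(%s):\s*(.*?)(?=\s+(?:%s):|\s*$)" % (_NAMES, _NAMES), re.S)
REQUEST_LINE_RE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]")


def refang(value):
    """Undo the write-up's defanging: hxxp -> http and drop the spaces around dots."""
    return re.sub(r"\s+", "", value.replace("hxxp", "http"))


def parse_requests(text):
    """Split the concatenated capture into one record per request."""
    records = []
    for chunk in re.split(r"(?=\bGET\s+/)", text):  # each request starts with 'GET /'
        chunk = chunk.strip()
        match = REQUEST_LINE_RE.match(chunk) if chunk else None
        if not match:
            continue
        method, target = match.group(1), match.group(2)
        headers = {name: value.strip() for name, value in HEADER_RE.findall(chunk[match.end():])}
        for name in ("Host", "Referer"):  # only indicator-bearing headers are refanged
            if name in headers:
                headers[name] = refang(headers[name])
        parts = urlsplit(target)
        cookies = dict(c.split("=", 1) for c in headers.get("Cookie", "").split("; ") if "=" in c)
        records.append({
            "method": method,
            "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "host": headers.get("Host", ""),
            "referer": headers.get("Referer", ""),
            "cookies": cookies,
        })
    return records


def summarize(records):
    """Collapse the records into the indicators worth blocking or hunting for."""
    return {
        "hosts": sorted({r["host"] for r in records if r["host"]}),
        "paths": [r["path"] for r in records],
        "affiliate_ids": sorted({r["query"]["affid"] for r in records if "affid" in r["query"]}),
        "session_ids": sorted({r["cookies"]["PHPSESSID"] for r in records if "PHPSESSID" in r["cookies"]}),
        "landing_page_referers": sorted({r["referer"] for r in records if r["referer"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_requests(SAMPLE_TRAFFIC)).items():
        print(key, value)
```

The affiliate id in the query string (affid) is the value worth keeping alongside the hostnames: the same affiliate id tends to reappear across the campaign's landing pages even when the domains rotate, so it makes a more durable detection key than any single host.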
This is the data logged by the sandbox after the malicious file has been executed:
Process Created - C:\WINDOWS\explorer.exe - %Desktop%\freescan_2013.exe - Unknown Publisher - A413A21AF671DD1DA45E3CFA81515D11 - 274624 bytes
File Modified - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe
Process Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - Unknown Publisher - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes
File Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes - attr: [-hidden] - PE
File Deleted - %LocalAppData%\epi.exe - %Desktop%\freescan_2013.exe - 274624 bytes
Write Registry - %LocalAppData%\epi.exe - \REGISTRY\USER\S-1-5-21-1177236615-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
Connection Established - %LocalAppData%\epi.exe - TCP - 212.48.8.140 - 80
Connection Established - %LocalAppData%\epi.exe - UDP - 192.168.119.2 - 53
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44623
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462a
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 1116
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462f
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 80
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44635
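The sandbox log above already contains everything needed to characterise the sample: a hidden PE dropped under %LocalAppData%, the dropped copy deleting the original, a Run-key write, and the callbacks to statav2013 .com. The following added example (not code from the original post) parses events in that "Type - field - field" layout and turns them into a triage report with the dropped files, the persistence entry, the contacted domains and IPs, and a list of behavioural findings. The sample log is the page's events reproduced one per line; the field order per event type is an assumption derived from those lines.

```python
import re

# Constructed sample: the sandbox events from the write-up, one event per line.
SAMPLE_LOG = r"""
Process Created - C:\WINDOWS\explorer.exe - %Desktop%\freescan_2013.exe - Unknown Publisher - A413A21AF671DD1DA45E3CFA81515D11 - 274624 bytes
File Modified - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe
Process Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - Unknown Publisher - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes
File Created - %Desktop%\freescan_2013.exe - %LocalAppData%\epi.exe - 0F5AB3B66E5F14CDDBA31B7258DDB168 - 274624 bytes - attr: [-hidden] - PE
File Deleted - %LocalAppData%\epi.exe - %Desktop%\freescan_2013.exe - 274624 bytes
Write Registry - %LocalAppData%\epi.exe - \REGISTRY\USER\S-1-5-21-1177236615-1770027372-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Run - ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe
Connection Established - %LocalAppData%\epi.exe - TCP - 212.48.8.140 - 80
Connection Established - %LocalAppData%\epi.exe - UDP - 192.168.119.2 - 53
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44623
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462a
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 1116
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d4462f
Connection Established - %LocalAppData%\epi.exe - TCP - 127.0.0.1 - 80
Web Request - %LocalAppData%\epi.exe - GET - statav2013 .com - /a6a7ccfae1135dbe00110050d44635
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.I)
PRIVATE_IP_RE = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def refang(host):
    """Drop the space the write-up inserts before the TLD ('statav2013 .com')."""
    return re.sub(r"\s+", "", host)


def parse_events(log_text):
    """Each line is 'Event Type - field - field ...'; keep the type and the raw fields."""
    events = []
    for line in log_text.strip().splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        events.append({"type": parts[0], "fields": parts[1:]})
    return events


def triage(events):
    """Reduce the event stream to indicators and behavioural findings."""
    report = {"dropped_files": [], "persistence": [], "urls": [],
              "domains": set(), "external_ips": set(), "loopback_ports": set(), "findings": []}
    created = set()  # paths written by the sample, to spot the drop-then-delete pattern
    for ev in events:
        t, f = ev["type"], ev["fields"]
        if t == "File Created":
            creator, path, md5 = f[0], f[1], f[2]
            hidden = any("hidden" in x for x in f)
            is_pe = "PE" in f
            created.add(path)
            report["dropped_files"].append({"path": path, "md5": md5, "hidden": hidden, "pe": is_pe, "by": creator})
            if hidden and is_pe:
                report["findings"].append("hidden PE dropped at %s by %s" % (path, creator))
        elif t == "File Deleted":
            actor, target = f[0], f[1]
            if actor in created:
                report["findings"].append("dropped file %s deleted the original dropper %s (self-relocation)" % (actor, target))
        elif t == "Write Registry":
            actor, key, name, data = f[0], f[1], f[2], f[3]
            if RUN_KEY_RE.search(key):
                report["persistence"].append({"key": key, "value": name, "data": data, "by": actor})
                report["findings"].append("Run-key persistence written by %s: %s = %s" % (actor, name, data))
        elif t == "Connection Established":
            proto, ip, port = f[1], f[2], int(f[3])
            if ip.startswith("127."):
                report["loopback_ports"].add(port)
            elif not PRIVATE_IP_RE.match(ip):
                report["external_ips"].add("%s:%d/%s" % (ip, port, proto))
        elif t == "Web Request":
            domain = refang(f[2])
            report["domains"].add(domain)
            report["urls"].append("http://%s%s" % (domain, f[3]))
    for key in ("domains", "external_ips", "loopback_ports"):
        report[key] = sorted(report[key])
    return report


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LOG)).items():
        print(key, value)
```

Connections to 127.0.0.1 are reported separately rather than discarded: loopback listeners opened by a freshly dropped binary are worth a look in their own right, and they must not be mistaken for command-and-control traffic when the report is turned into network blocklists.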
New malicious URL logged:
hxxp:// statav2013 . com / a6a7ccfae1135dbe00110050d44635
This is the malicious executable file installed by the rogue software:
Links to the scan reports generated by URLVoid:
http://www.urlvoid.com/scan/datingcool2012.asia/
http://www.urlvoid.com/scan/site-dating2010.info/
http://www.urlvoid.com/scan/datingbest2011.asia/
http://www.urlvoid.com/scan/mailstorybig.info/
http://www.urlvoid.com/scan/statav2013.com/
Other scan reports related to malicious URLs of XP Total Security:
http://www.urlvoid.com/scan/pyxes.asia/
http://www.urlvoid.com/scan/terlies.asia/
http://www.urlvoid.com/scan/purveying.asia/