[AusNOG] Trojan site and spam run using nuclear tests of North Korea as a hook (AUSCERT#2006ba825)

matthew at auscert.org.au matthew at auscert.org.au
Tue Oct 17 18:25:05 EST 2006

Not sure if anyone else has seen this but here it is again if so.  First
seen discussed per SANS http://isc.sans.org/diary.php?date=2006-10-14

    * h t t p://cnnwarnews(dot)com/

uses an iframe to go to

    * h t t p://www.theaustralian.news.com.au/index/0,,5002460,00.html

which is a legit Australian news site but also uses another iframe to open

    * h t t p://zagevqsoii(dot)biz/dl/adv433_.php

and this opens:

    * h t t p://zagevqsoii(dot)biz/dl/loadadv433.exe

If you google for usage of the domain you can see that it has been seeding
web forums with supposed "news" stories about North Korea that entice
victims to get infected as above:

    * h t t p://www.google.com/search?q=www(dot)cnnwarnews(dot)com
    * h t t p://www.google.com/search?q=au(dot)cnnwarnews(dot)com

eg: h t t p://sv.wikipedia.org/wiki/The_Forum
    h t t p://www.kaigai-wedding.com/cgi-bin/wforum3/wforum.cgi?mode=new_sort
    h t t p://www.depdiknas.go.id/RPP/modules.php?name=Forums&file=posting&mode=topicreview&t=1331

The articles being seeded or spammed around usually look like this:

 Subject: North Korea vs Australia - nuclear stress

 Prime minister of Australia John Govard claimed that "..nuclear tests of
 North Korea was confirmed by seismological data", Associated Press.  In
 connection with increase of probability of nuclear attack from the
 direction of North Korea Minister of Defence of Australia along with
 Ministers of Defence of China, South Korea and Russia signed a memorandum
 on infliction?

 h t t p://au(dot)cnnwarnews(dot)com/topnews/

The infection process is/was the same as above.  The spammed material is
still accessible via:

  wget --header="Host: au(dot)cnnwarnews(dot)com" h t t p://

The original infector file, loadadv433.exe, is detected as Harnig which

   * h t t p://zbobivgcso(dot)biz/dl/loadadv455.exe

And this then grabs:

   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/ffkzyu 
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/oswzvfcm
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/tkshrolhx.php
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/plgrx.php
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/rsamiscm 
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/djrhd.php
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/gwrkgq.php
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/mhghnoxhnv.php
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/wipfrokuw.php
   * h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/idlgmwf.php

We have submitted all of these binaries to AV and sent shutdown requests
for the four key domains above.  We haven't seen much discussion of this
but maybe the spam run hasn't really taken off yet.  The subject of the
upcoming spam run will probably look like "North Korea vs Australia -
nuclear stress" and have the same text as the forum spams above.  Credit
to F-Secure for some of their analysis on this.

Hope this is of some use.

Best regards,

