
Crimeware, Trojan Horse Bot


Humpty


The websites are hosted in Germany, England, and Estonia, and appear to be using round robin DNS, resolving to five unique IP addresses that revolve on each lookup. Each site hosts the same exploit code. This code attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

When end-users visit the site, they are directed to one of the five servers. If the end-user machine is vulnerable, a file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is temporarily busy and suggests that the user shut down any firewall and antivirus software. The "iexplorer.exe" file downloads and installs five additional files from a server in Russia. The filenames are:

 

IEMod.dll

IEGrabber.dll

IEFaker.dll

CertGrabber.dll

PSGrabber.dll

 

The server in Russia also acts as a bot controller, allowing the attacker to control the machines remotely. Additional files can be uploaded or downloaded and new phishing attacks can be appended. In addition, several attack success statistics are recorded. The bot controller also has a database query interface that gives the attacker a simple-to-use search/query interface for additional information.

Websense Article


Anyone remember the movie "Tron" with Jeff Bridges?

 

If they made a modern version of that, it would be one hell of an action movie, with the amount of s**t flying around in cyber space these days.

 

TRON:

:)

 

Would you believe it. My firewall has just blocked a malware probe from this: p4052-ipbf202niigatani.niigata.ocn.ne.jp

 

Straight from the land of the rising sun.


Hahah, I know all the people at my school would fall for that trick: turning off the firewall / antivirus to let the page load.

 

I use Norton( :unsure: I know! How terrible of me) right now, and occasionally I get a message telling me that CCleaner, or some other programs that have been updated, is trying to contact a DNS server. What is a DNS server, and why does CCleaner need to connect to it?

I use Norton( :unsure: I know! How terrible of me) right now, and occasionally I get a message telling me that CCleaner, or some other programs that have been updated, is trying to contact a DNS server. What is a DNS server, and why does CCleaner need to connect to it?

Some of the firewalls I've used before are so paranoid they gripe about just the launching of an application that runs locally "127.0.0.1, 0.0.0.0, localhost" and they've always annoyed me. I can't remember the firewall I was using a long time ago that thought EasyCleaner was doing something suspicious. :rolleyes::lol:


I use Norton( :unsure: I know! How terrible of me) right now, and occasionally I get a message telling me that CCleaner, or some other programs that have been updated, is trying to contact a DNS server. What is a DNS server, and why does CCleaner need to connect to it?
DNS (Domain Name System) is used to convert IP addresses (the real address of a website), translating them to/from a web address. So the DNS server being sent the request will either hold the address of the location or will forward the query on to another DNS server with the authority to know; then it'll send the info back to your PC's browser and 'bingo', either the site loads or 'grrrr' ...... "Page cannot be found".

So it would be quite usual for a program to request access to a DNS server.

E.g. CCleaner was probably checking for updates, so in this case it would be safe to allow it.

Here is some further info for you to read up on:

 

IP addresses are so basic to the success of the Internet that you really don't need to know a web site's domain name if you know their IP. In fact, domain names are only a convenience for humans who have better luck remembering to type www.Google.com, when they want to do a search, than they would have trying to remember Google's IP address of 216.239.39.99.

 

Whenever you type http://www.Google.com into your browser, the browser sends a query off to a big telephone book in the sky and asks "Hey, what's the IP address for Google.com?". This big telephone book, more commonly called a "Domain Name Server" or DNS for short, returns 216.239.39.99 to your browser. Your browser then heads off to Google's web site using the IP address as a map.

 

Try it for yourself. Type http://216.239.39.99 into your browser. And, where did you end up? Bingo! Google.com

auditmypc.com IP-Address information

 

even more info on DNS and IP addresses

fireryone

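The exchange fireryone describes (the browser asks the DNS server, the server answers with an address) and the round robin DNS mentioned in the first post, as an added example that is not part of this thread or of the quoted auditmypc.com text: it encodes an A query in DNS wire format, parses a constructed response, and simulates a server handing out the same set of addresses in a rotated order on each lookup. The hostname www.example.com and the 192.0.2.x addresses are constructed sample values.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a recursive (RD=1) A/IN query for name in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN

def read_name(msg, off, hops=0):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                          # compression pointer
            hops += 1
            if hops > 16: raise ValueError("pointer loop")  # refuse looping pointers
            if end is None: end = off + 2                   # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_records(msg):
    """Return (question name, [IPv4 strings]) from a response's answer section."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                               # skip QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                      # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qname, addrs

def round_robin_answer(query, pool, lookup_no, ttl=60):
    """Constructed round-robin reply: same RRset every time, rotated one step per lookup."""
    k = lookup_no % len(pool)
    ips = pool[k:] + pool[:k]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + rrs
```

A firewall that logs outbound port 53 traffic is seeing exactly these query bytes leave the machine; the rotated answers are why the sites in the first post appear at a different address on each lookup.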

DNS (Domain Name System) is used to convert IP addresses (the real address of a website), translating them to/from a web address. So the DNS server being sent the request will either hold the address of the location or will forward the query on to another DNS server with the authority to know; then it'll send the info back to your PC's browser and 'bingo', either the site loads or 'grrrr' ...... "Page cannot be found".

So it would be quite usual for a program to request access to a DNS server.

E.g. CCleaner was probably checking for updates, so in this case it would be safe to allow it.

Here is some further info for you to read up on:

 

auditmypc.com IP-Address information

 

even more info on DNS and IP addresses

 

Thanks. It makes a lot more sense now. :lol:
