The Latest in IT Security

DNS changes from W32/Rorpian

24 Aug 2011

We’ve had reports that some systems have had their DNS resolution settings modified to resolve domains from:

188.229.89.121

The IP belongs to a known “bad” /24 netblock in Romania, part of AS43134 (COMPLIFE-AS CompLife Ltd) … a netblock that we had previously noted within Scrapbook.

This, in effect, redirects all web browsing attempts to:

hxxp://188.229.89.121

That page presents a screen telling the user to “Update your browser”:

The image file and the malware download, as viewed from my system, were linked from a placeholder “update.browser.com”:

At least the attacker has a sense of humor 🙂 the meta tag shows “(C) Bank of Nkolai. Look I have a pen !” — this is in reference to this very funny awareness ad on cyber crime, see YouTube video.

The actual malware is live and downloadable from:

hxxp://188.229.89.121/X

A malware report related to this is viewable here:

MD5: 2dff3265278fb6a894829a75f6275c8a
V/T report: 28/44

The malware variant goes by many names: Rorpian, Buterat, Kolab, and SillyFDC. For ease, we’ll just call it Rorpian — numerous sources describe it as a worm that spreads through network shares, exploits the .LNK vulnerability (MS10-046), and exploits a vulnerability (MS07-029) in the DNS Server service (MS Encyclopedia entry). This worm can act as a loader for the TDSS rootkit (reference).

Further check-ins from infected hosts are made to the 188.229.89.121 C2 with the format:

/slog&log=startum&id=[ID number]&os=[OS version]&version=1d&data=

Note: the User-Agent string used in the check-ins was: Microsoft-WebDAV-MiniRedir/5.1.2600

There have been Internet reports of Mac and Ubuntu systems having this DNS change appear in their /etc/resolv.conf … however, this appears to be a result of infected Windows systems pushing the DNS setting through DHCP to all devices on the network, rather than this malware infecting Mac/Ubuntu.
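A small triage script, added here as an example and not part of the original post, that checks the indicators above from a defender's side: it flags any resolv.conf nameserver inside the 188.229.89.0/24 block (the DHCP-propagated change the Mac/Ubuntu reports describe) and scans web proxy log lines for the /slog check-in with its WebDAV User-Agent, or any other request to the C2 IP. The proxy log format (`client_ip dest_ip path "user-agent"`) and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Indicators as given in the post above. The proxy log format is an assumed,
# constructed one: <client_ip> <dest_ip> <request_path> "<user_agent>".
BAD_NETBLOCK = ipaddress.ip_network("188.229.89.0/24")
C2_IP = "188.229.89.121"
CHECKIN_UA = "Microsoft-WebDAV-MiniRedir/5.1.2600"
CHECKIN_PATH = re.compile(r"^/slog&log=startum&id=([^&]*)&os=([^&]*)&version=([^&]*)&data=")
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def rogue_resolvers(resolv_conf):
    """Return nameserver entries of a resolv.conf body that fall inside the bad /24."""
    hits = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ip = ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # skip malformed entries rather than crash
            if ip in BAD_NETBLOCK:
                hits.append(str(ip))
    return hits


def c2_contacts(proxy_log):
    """Return (client, reason, victim_id) per line talking to the C2: 'checkin' for
    the /slog beacon sent with the WebDAV User-Agent, 'contact' for any other hit."""
    events = []
    for line in proxy_log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, dst, path, ua = m.groups()
        beacon = CHECKIN_PATH.match(path)
        if beacon and ua == CHECKIN_UA:
            events.append((client, "checkin", beacon.group(1)))
        elif dst == C2_IP:
            events.append((client, "contact", None))  # e.g. the /X payload fetch
    return events


# Constructed sample input, not captured data.
RESOLV_CONF = "nameserver 188.229.89.121\nnameserver 8.8.8.8\n"
PROXY_LOG = """\
10.0.0.5 188.229.89.121 /slog&log=startum&id=4711&os=5.1&version=1d&data= "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.7 93.184.216.34 /index.html "Mozilla/5.0"
10.0.0.9 188.229.89.121 /X "Mozilla/5.0"
"""
```

Feed it the real resolv.conf and proxy export; a resolver hit on a non-Windows box points at the DHCP scope, not at the box itself.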
