The Latest in IT Security

Fake AV network steps up its game with rootkit

20
Aug
2011

This looks like it could be a new series of blog posts. The infamous redspacetube.com (80.91.176.192) shows yet another payload using a more sophisticated technique.

I’ve been monitoring the situation closely and observed a change in today’s malware behaviour. The previous payload was the XP Home Security 2012 rogue which created a randomly named file with an MD5 that changed every day or so.

So, in our Database, we created signatures that had the following pattern:

Pretty straightforward given that the file was not using any technique to hide.

So, what’s new today? First of all, launching the malware sample blue-screened my PC if I was running a debugging tool: not a nice thing to do ;-)

Using Process Explorer, I was able to see that it dumped a file in a similar directory:

VirusTotal detections here (9/43).

I ran the file a few times to confirm that the name itself (compmgm.exe) is hard-coded.

My next step was to check the folder where it should be located but to my dismay I found nothing!

My suspicions were that I was dealing with a rootkit. I went on to download and run GMER (a well known rootkit detector) only to notice that GMER was somehow being blocked and would mysteriously vanish upon execution.

Using a different rootkit detector from TrendMicro this time, I was able to confirm the infection:

A successful rootkit installation proceeds to call a remote server named puj-search.com:

Not too surprisingly, it is located in Estonia (80.79.117.200), the registrar is: CENTER OF UKRAINIAN INTERNET NAMES and the bad guys used a bogus registrant name and address.

Googling this IP address I found a gaming forum, where one of the gamers (from Estonia) is running a demo on that same IP, which also happens to be his server!

And here is his profile:

I like the ‘Job/hobbies’ that says Securitas ;-)

Feel free to draw any kind of conclusions you wish.

Jerome Segura

Leave a reply


Categories

FRIDAY, OCTOBER 30, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments