This looks like it could be a new series of blog posts. The infamous redspacetube.com (80.91.176.192) shows yet another payload using a more sophisticated technique.
I’ve been monitoring the situation closely and observed a change in today’s malware behaviour. The previous payload was the XP Home Security 2012 rogue which created a randomly named file with an MD5 that changed every day or so.
So, in our Database, we created signatures that had the following pattern:
Pretty straightforward given that the file was not using any technique to hide.
So, what’s new today? First of all, launching the malware sample blue-screened my PC if I was running a debugging tool: not a nice thing to do 
Using Process Explorer, I was able to see that it dumped a file in a similar directory:
VirusTotal detections here (9/43).
I ran the file a few times to confirm that the name itself (compmgm.exe) is hard-coded.
My next step was to check the folder where it should be located but to my dismay I found nothing!
My suspicions were that I was dealing with a rootkit. I went on to download and run GMER (a well known rootkit detector) only to notice that GMER was somehow being blocked and would mysteriously vanish upon execution.
Using a different rootkit detector from TrendMicro this time, I was able to confirm the infection:
A successful rootkit installation proceeds to call a remote server named puj-search.com:
Not too surprisingly, it is located in Estonia (80.79.117.200), the registrar is: CENTER OF UKRAINIAN INTERNET NAMES and the bad guys used a bogus registrant name and address.
Googling this IP address I found a gaming forum, where one of the gamers (from Estonia) is running a demo on that same IP, which also happens to be his server!
And here is his profile:
I like the ‘Job/hobbies’ that says Securitas
Feel free to draw any kind of conclusions you wish.
Jerome Segura
Leave a reply
