This IP address is infected with, and/or is NATting for a machine infected with, Worm:Win32/Boinberg. Worm:Win32/Boinberg belongs to a family of IRC-controlled worms that may be ordered to spread via instant messaging clients (Windows Live Messenger, ICQ, AOL Instant Messenger, Yahoo Pager, Skype, etc.) and/or USB drives. It can also spread through RAR and ZIP files by adding a copy of itself to the target archive. It was first detected in March 2011, and almost four years later its threat level is still classified as severe. To spread, IM worms usually send a link (URL) to a list of messenger contacts. The link leads to a network resource where a file containing the body of the worm has been placed. This tactic is almost exactly the same as that used by email worms.
This worm's aliases by AV vendors:
- Malware.Shadesrat (PCTools)
- W32.Shadesrat (Symantec)
- Backdoor.Win32.IRCBot.abgt (Kaspersky Lab)
- W32/IRCbot.gen.a (McAfee)
- Mal/VBCheMan-A (Sophos)
- Worm:Win32/Boinberg (Microsoft)
- Worm.Win32.Boinberg (Ikarus)
-----------------------------------------------------------------------------
Its installation:
When executed, Worm:Win32/Boinberg copies itself under a variable file name to the %APPDATA% directory, then executes this dropped copy. The malware creates the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random file name>.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "%APPDATA%\<random filename>.exe"
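The two Run-key entries above are the worm's persistence mechanism, and they share one property a responder can check for: a value whose data points at an executable under %APPDATA%. The script below is an added example, not code from the original post or from any AV vendor. It parses the text format written by `reg export` (a .reg dump), so it can be run offline against an export collected from a suspect machine, and lists every Run value in HKCU or HKLM whose data launches from %APPDATA% (literal or expanded). The sample export and the value/file name `xkq7vb` are constructed placeholders for the "<random string>" and "<random file name>" the post describes; a hit is a triage lead, not a verdict, since some legitimate per-user applications also start from that directory.

```python
"""Flag Run-key autostart entries that launch an executable from %APPDATA%.

Added example, not from the original post. Parses the .reg text produced by
`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run hkcu_run.reg`
(note: reg export writes UTF-16 with a BOM; open such a file with
encoding="utf-16"). The sample dump below is constructed for this example.
"""
import re

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# [Key\Path] lines and "Name"="Data" (REG_SZ) lines of the .reg format
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and double quotes as \\ and \" ; undo that
            entries[current][m["name"]] = re.sub(r'\\(["\\])', r"\1", m["data"])
    return entries


def launches_from_appdata(data):
    """True if the command line starts from %APPDATA% (literal or expanded Roaming path)."""
    path = data.strip().strip('"').lower()
    return path.startswith("%appdata%\\") or "\\appdata\\roaming\\" in path


def suspicious_run_entries(text):
    """Return (hive, value name, data) for Run entries that launch from %APPDATA%."""
    by_key = {k.lower(): v for k, v in parse_reg_export(text).items()}
    found = []
    for key in RUN_KEYS:
        for name, data in by_key.get(key.lower(), {}).items():
            if launches_from_appdata(data):
                found.append((key.split("\\")[0], name, data))
    return found


# Constructed sample export: one benign per-user entry (AppData\Local, not Roaming),
# one benign system entry, and the two placeholder Boinberg-style entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"xkq7vb"="C:\\Users\\alice\\AppData\\Roaming\\xkq7vb.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"xkq7vb"="%APPDATA%\\xkq7vb.exe"
'''

if __name__ == "__main__":
    for hive, name, data in suspicious_run_entries(SAMPLE_REG):
        print(f"{hive}\\...\\Run  {name!r} -> {data}")
```

Running it against the constructed dump reports only the two `xkq7vb` entries; the OneDrive value is ignored because it lives under AppData\Local rather than Roaming. On a real export, compare the reported file against the mutex and process-injection indicators the post lists before acting on it.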
In the background, the worm injects itself into known Windows running processes, such as 'winlogon', 'svchost' and 'Explorer'.
The following mutexes indicate the presence of the worm on the affected computer:
"__PDH_PLA_MUTEX__"
"<random string>"
"<empty / blank>"
Spreads via...
Instant messenger
The worm may send messages to the affected user's Windows Live Messenger contacts containing a URL pointing to the worm, or an attachment containing a copy of the worm.
Removable drives
Worm:Win32/Boinberg copies itself to the following locations on removable drives:
<targeted drive>:\<malware file>.exe
<targeted drive>:\autorun.ini - detected as Worm:Win32/Boinberg
It attempts to download an updated version of itself from a remote server and spread this latest copy via removable drives.
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system (OS), so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
File infection
It searches for RAR and ZIP files on the system and, if found, infects them by adding a copy of the worm into the target archive file. This may enable the worm to spread itself through file sharing or emailing.
IMPORTANT: PAYLOAD...
...allows backdoor access and control
Worm:Win32/Boinberg attempts to connect to an IRC server and join a channel to receive commands.
The following is a list of servers and TCP ports that Worm:Win32/Boinberg has been observed to use in this manner:
- 178.216.50.245 at TCP port 6668 (SWEDEN)
- 46.4.176.204 at TCP port 7777 (GERMANY)
- k8f.no-ip.info at TCP port 6668 (UNKNOWN)
- ixloader.com (IP:209.222.14.3) at TCP port 9754 (UNITED STATES, Matawan, N.J.)
- shockwavezz.net at TCP port 7000 (UNKNOWN)
- worksextv.info (IP:69.73.174.163) TCP port 6567 (UNITED STATES, Fulshear, TX)
- total.homler.net (IP:66.252.5.52) TCP port 22322 (UNITED STATES, Arlington Heights, IL)
- hermes.divinusdeus.net (IP:82.165.37.26) at TCP port 9872 (GERMANY)
- mojrem.org at TCP port 1998 (UNKNOWN)
- haso.dukatlgg.com at TCP port 8888 (UNITED STATES)
- jwednsajd.alismalatya.co.cc (IP:199.2.137.140) at TCP port 6667 (UNITED STATES)
- anal.fag.wanger.biz (IP:82.98.86.169) at TCP port 8782 (GERMANY)
- bsrat.zapto.org at TCP port 3080 (UNKNOWN)
- xsi.hi5fotos.info (LOCAL HOST: 127.0.0.1) at TCP port 4042 (UNITED STATES, Dallas, TX)
The CBL detection is made using sinkholing techniques.
To find an infected computer on a NATted network, search your firewall logs for connections to TCP port 4042. In addition, evidence can be found in DNS logs by searching for the domain name "hi5fotos.info", for example:
cash.hi5fotos.info
xsi.hi5fotos.info
kkk.hi5fotos.info
This was detected by a TCP/IP connection from 94.242.204.74 on port 56501 going to IP address 87.255.51.229 (the sinkhole) on port 4042.
The botnet command and control domain for this connection was "hi5fotos.info".
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name hi5fotos.info on any port with a network sniffer such as Wireshark.
Equivalently, you can examine your DNS server or proxy server logs for references to 87.255.51.229 or hi5fotos.info. See Advanced Techniques for more detail on how to use Wireshark, and ignore the references to port 25/SMTP traffic: the identifying activity is NOT on port 25.
This detection corresponds to a connection on 2013-11-19.
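The hunting procedure just described (firewall hits on the sinkhole IP or TCP port 4042, DNS queries for any name under hi5fotos.info) and the IRC server list further up are straightforward to automate once the indicators are in one place. The script below is an added example, not part of the original post or CBL's tooling. The indicator values come from the post; the firewall and DNS log line formats, and the sample lines themselves, are constructed for this example, so the two regexes will need adjusting to the export format of your own firewall or resolver. Because the aim is to locate the machine behind the NAT, the result is keyed by the internal source address rather than by the destination.

```python
"""Locate Boinberg-infected hosts behind a NAT from firewall and DNS logs.

Added example (not from the original post). Indicators are the sinkhole and
C2 values listed in the post; the log formats below are constructed and must
be adapted to your own exports.
"""
import re
from collections import defaultdict

SINKHOLE_IP = "87.255.51.229"   # CBL sinkhole named in the post
SINKHOLE_PORT = 4042            # port the post tells you to search for
C2_DOMAIN = "hi5fotos.info"     # any subdomain (cash., xsi., kkk., ...) counts

# (destination host or IP, TCP port) pairs from the post's IRC server list
IRC_C2 = {
    ("178.216.50.245", 6668), ("46.4.176.204", 7777), ("k8f.no-ip.info", 6668),
    ("ixloader.com", 9754), ("209.222.14.3", 9754), ("shockwavezz.net", 7000),
    ("worksextv.info", 6567), ("69.73.174.163", 6567), ("total.homler.net", 22322),
    ("66.252.5.52", 22322), ("hermes.divinusdeus.net", 9872), ("82.165.37.26", 9872),
    ("mojrem.org", 1998), ("haso.dukatlgg.com", 8888),
    ("jwednsajd.alismalatya.co.cc", 6667), ("199.2.137.140", 6667),
    ("anal.fag.wanger.biz", 8782), ("82.98.86.169", 8782),
    ("bsrat.zapto.org", 3080), ("xsi.hi5fotos.info", 4042),
}

# Hypothetical firewall format: "... src=IP:PORT dst=IP:PORT"
FW_RE = re.compile(r"src=(?P<src>\S+):(?P<sport>\d+)\s+dst=(?P<dst>\S+):(?P<dport>\d+)")
# Hypothetical BIND-style query log: "... client IP#PORT: query: NAME IN A"
DNS_RE = re.compile(r"client (?P<src>\S+)#\d+: query: (?P<qname>\S+) IN")


def check_firewall_line(line):
    """Return (internal src, [reasons]) if the line reaches a known indicator, else None."""
    m = FW_RE.search(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    reasons = []
    if dst == SINKHOLE_IP:
        reasons.append("sinkhole-ip")
    if dport == SINKHOLE_PORT:
        reasons.append("port-4042")       # noisier on its own; confirm with the IP/DNS hits
    if (dst, dport) in IRC_C2:
        reasons.append("irc-c2")
    return (m["src"], reasons) if reasons else None


def check_dns_line(line):
    """Return (internal src, [reason]) if the query is for the C2 domain or a subdomain."""
    m = DNS_RE.search(line)
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
        return (m["src"], ["dns:" + qname])
    return None


def find_infected_hosts(fw_lines, dns_lines):
    """Map each internal source address to the sorted list of indicators it triggered."""
    hits = defaultdict(set)
    for line in fw_lines:
        r = check_firewall_line(line)
        if r:
            hits[r[0]].update(r[1])
    for line in dns_lines:
        r = check_dns_line(line)
        if r:
            hits[r[0]].update(r[1])
    return {src: sorted(reasons) for src, reasons in hits.items()}


# Constructed sample logs: one host hits the sinkhole and resolves xsi.hi5fotos.info,
# one host talks to an IRC server from the list, one host is clean.
SAMPLE_FW = [
    "2013-11-19 10:02:11 ALLOW TCP src=192.168.1.23:56501 dst=87.255.51.229:4042",
    "2013-11-19 10:02:15 ALLOW TCP src=192.168.1.40:49333 dst=93.184.216.34:443",
    "2013-11-19 10:03:01 ALLOW TCP src=192.168.1.77:51022 dst=46.4.176.204:7777",
]
SAMPLE_DNS = [
    "19-Nov-2013 10:02:09.501 client 192.168.1.23#53122: query: xsi.hi5fotos.info IN A",
    "19-Nov-2013 10:02:30.110 client 192.168.1.40#53001: query: www.example.com IN A",
]

if __name__ == "__main__":
    for src, reasons in sorted(find_infected_hosts(SAMPLE_FW, SAMPLE_DNS).items()):
        print(f"{src}: {', '.join(reasons)}")
```

On the constructed sample, 192.168.1.23 is reported with three independent indicators (sinkhole IP, port 4042, DNS lookup of xsi.hi5fotos.info) and 192.168.1.77 with one (IRC C2), while 192.168.1.40 does not appear. The "port-4042" reason is kept separate from "sinkhole-ip" on purpose: a bare port match is what the post asks you to search for, but it is the combination with the sinkhole address or the DNS hit that makes a host worth pulling off the network.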
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader and can download and execute ANY software on the infected computer, so better stay awake. ;-)