Friday, June 29, 2007 12:02 PM
cmosby
The 404 story - TrendLabs | Malware Blog - by Trend Micro
June 28th, 2007 by Roberto Tayag
We received reports of a kit being hosted on a website which, on access, redirects you to a malicious one. The site has different exploits whose ultimate goal is to download the file vers.php, which is in reality an executable file that Trend detects as TROJ_MURLO.AW. We have on our hands 8 files from this kit. Below are bits of information about the files.

n404-0 is an obfuscated script. This is probably a test for the author, because it just displays in a message box the deobfuscated, unencrypted contents of the file n404-1.
n404-1 tries to download the file vers.php, which is in reality a Win32 executable file. The file is executed as ieupdate3r.exe. The file is a downloader that downloads a bunch of files. Trend already detects some of the files, like TROJ_SPAMBOT.B, TROJ_AGENT.USE and TROJ_WOPLA.DX. The other files are detected generically as possible_nucrp-3. vers.php is currently detected as TROJ_MURLO.AW.
n404-2 is just like n404-1 but uses a different approach. It also downloads TROJ_MURLO.AW.
n404-3 is a setSlice exploit, detected as EXPL_SSLICE.GEN. This file also tries to download TROJ_MURLO.AW.
n404-4: we are not detecting this file, but according to logs it is related to MS bulletin MS06-006, which concerns the Media Player plug-in for non-IE browsers. This one also tries to download TROJ_MURLO.AW.
n404-5 is a possible Phel variant, but it seems to be currently doing no harm. This one can probably be edited to the attacker's specification, probably for selling later in the game. This is also possible because this file is not being launched by version.php.
n404-6 is detected as EXPL_TXTRANGE.A; more information can be found here.
n404-7 is detected by Trend Micro as EXPL_IFRAMEBO.A. This one still points to vers.php, which is TROJ_MURLO.AW.
All the exploits above can be found within the site. However, only n404-1, n404-2, n404-3 and n404-7 are directly launched when you are redirected to the malicious site.

Source: The 404 story - TrendLabs | Malware Blog - by Trend Micro
Filed under: Security and Anti-Virus, AntiVirus Information, Internet Hacks, Spam\Phishing