About Me

Pedro Bueno

Pedro Bueno
Security and Malware Researcher
Pedro Bueno is a Security and Malware Researcher at McAfee Labs for almost 5 years. He also has a volunteer job at the SANS ...

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Following a bouncing Waledac

Tuesday, March 24, 2009 at 1:00pm by Pedro Bueno
Pedro Bueno

You know that your malware investigation day will be a pain when you reach the first iframe on the webpage…

This one was pointing:

iframe src=”http://[REMOVED].cn/in.cgi?[REMOVED]

This iframe is a redirect to:

http:// [REMOVED].hostindianet.com/index.php?[REMOVED]

Now it gets interesting. This url contains a script that will send a PDF file, called readme.pdf. As an additional note, this pdf looks like part of the Luckysploit kit.

Readme.pdf is a malicious PDF file as you can imagine.

Dissecting it, there is a shellcode, with several functions like:

-GetTempPathA

-LoadLibraryA

-GetProcAddress

-WinExec

And our friend URLDownloadToFileA , which as the name implies, downloads something form a url to a file :)

The url is : http:// [REMOVED2].hostindianet.com/l[REMOVED2]?id=4 and id=5

Following these urls, it was possible to find out that both id=4 and id=5 returned the same file, which is one variant of the Waledac.

And yes, both Malicious PDF and the downloaded file are detected by us :)

And yes2, REMOVED and REMOVED2 are different blocks.

An additional thanks to my friend Tom Liston for the title. I will always remember the Bouncing following malware series…;)

Bookmark and Share

Tags: , ,

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (2)

  • jdb2009 April 17, 2009 1:33PM

    Why is this likely LuckySploit? LuckySploit is quite sophisticated including the use of encryption between client and server.

    Reply
  • sathish April 13, 2009 2:19AM

    How to remove iframe , I got affected in most of my websites. Even after removing the frame, it is getting inserted again and again automatically.

    Reply