
Monday, July 13, 2009

ZB Block Racks Up More Bot and Script Virus Kills!

Well, Avira has gotten back to me, and it looks like I have found some viral gold they can add to their arsenal for all of us.

Here's a run-down of the fresh kills added to the record of ZB Block (my custom in-house version with the probe trap). Please note that ZB Block gave "natural" immunity to every attack that tried to install these. So do the wise thing and go to http://www.spambotsecurity.com/zbblock.php and get protected.

#1

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:

File ID     Filename    Size (Byte)    Result
25394824    Bildb       2.03 KB        MALWARE

Please find a detailed report concerning each individual sample below:

Filename    Result
Bildb       MALWARE

The file 'Bildb' has been determined to be 'MALWARE'. Our analysts named the threat BDS/PHP.ali.31. The term "BDS/" denotes a Backdoor-Server program. Backdoor-Server programs are used to spy out, modify or delete data. Detection is added to our virus definition file (VDF) starting with version 7.01.04.223.

#2

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:

File ID     Filename      Size (Byte)    Result
25394829    dudul3.txt    40.88 KB       MALWARE

Please find a detailed report concerning each individual sample below:

Filename      Result
dudul3.txt    MALWARE

The file 'dudul3.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.2. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

#3

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:

File ID     Filename        Size (Byte)    Result
25394826    bot_ping.txt    100.52 KB      MALWARE

Please find a detailed report concerning each individual sample below:

Filename        Result
bot_ping.txt    MALWARE

The file 'bot_ping.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP.IrcBot.nad. Detection will be added to our virus definition file (VDF) with one of the next updates.

#4

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

A listing of files alongside their results can be found below:

File ID     Filename      Size (Byte)    Result
25394836    spread.txt    19.34 KB       MALWARE

Please find a detailed report concerning each individual sample below:

Filename      Result
spread.txt    MALWARE

The file 'spread.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Pbot.A.6. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

#5

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

We received the following archive files:

File ID     Filename                 Size (Byte)    Result
25395810    feelcomz 1.7 bot.zip     12.06 KB       OK

A listing of files contained inside archives alongside their results can be found below:

File ID     Filename      Size (Byte)    Result
25395811    botphp.txt    48.89 KB       MALWARE

Please find a detailed report concerning each individual sample below:

Filename      Result
botphp.txt    MALWARE

The file 'botphp.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/Pbot.A.7. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

#6 & 7

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.

Tracking number: (REMOVED).

We received the following archive files:

File ID     Filename                       Size (Byte)    Result
25395813    One attack from t...ts.zip     23.89 KB       OK

A listing of files contained inside archives alongside their results can be found below:

File ID     Filename     Size (Byte)    Result
25395814    pbota.txt    27.42 KB       MALWARE
25395815    pbotb.txt    27.39 KB       MALWARE
25395816    pbotc.txt    27.72 KB       MALWARE
25395817    pbotd.txt    27.73 KB       MALWARE

Please find a detailed report concerning each individual sample below:

Filename     Result
pbota.txt    MALWARE

The file 'pbota.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.3. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename     Result
pbotb.txt    MALWARE

The file 'pbotb.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename     Result
pbotc.txt    MALWARE

The file 'pbotc.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Filename     Result
pbotd.txt    MALWARE

The file 'pbotd.txt' has been determined to be 'MALWARE'. Our analysts named the threat PHP/IrcBot.E.4. The term "PHP/" denotes a PHP script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Sweetness I tell you. Nothing feels better than being the shiv in the dark that takes some of this crap off the virtual streets. Real hackers don't use scripts... they may write them, but they don't use them. (Ever wonder if your pre-made script isn't designed to take away your toys eventually, eh skiddy?)

If you want to see the places these were injected, or rather where injection was attempted, just pore over the killed_log.txt files shared with the public on ZB Block's page.

Most will be there. Some won't.

Where are the others? Other servers!

Where are the other servers? Wouldn't you like to know! Neener Neener!

Zap! Chasing baddies with an axe!

A little bird told me about an aviary.com full of poopy pigeons.

"But there's one thing that makes spring complete for me,
And makes ev'ry Sunday a treat for me.

All the world seems in tune
On a spring afternoon,
When we're poisoning pigeons in the park.
Ev'ry Sunday you'll see
My sweetheart and me,
As we poison the pigeons in the park."
- Tom Lehrer

Okay, to start this story, I have to give proper credit to Amber MacArthur and her netcast on TWiT.tv. She's the little bird that told me about a big nasty pigeon ready to poop on my site, and yours, just the way tynted does. No, I have not had a chance to listen to the show, but the notes gave me all the "beef" I needed.

The pigeon's name is Aviary.com. It's another content scraper / content thief that also lets an attacker send a malicious request to your machine, both from the AmazonAWS cloud (which ZB Block already protected against) and from the newly killed pwebtech / FortressITX spamhost. Modus operandi? Same as tynt.com: content theft, plus acting as an unregulated proxy for hackers.

Screenshot: aviary.com getting nailed by ZB Block. Here is the first screenshot I wish to share with you after establishing that Aviary.com is operating out of multiple netblocks. What you see is a shot of the aviary.com site loading my site into their "screenshot". But, by the tests below, you can see it passes queries through just fine, meaning any exploit out there could have been sent through them as an unregulated proxy server. The method used to send this query was http://aviary.com/http://www.spambotsecurity.com/?xtestx . As you can see, it bounced the request off AmazonAWS perfectly, and caught the trigger. And here is the block that it generated.

#: 6896 @: Mon, 13 Jul 2009 11:48:48 -0600
Host: ec2-174-129-94-22.compute-1.amazonaws.com
IP: 174.129.94.22
Score: 1
Why blocked: Amazon Web Services. Not an ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories. Checked for bypass.
Query: xtextx
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; Data Center; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Reconstructed URL: http:// www.spambotsecurity.com /?xtextx

Screenshot: aviary.com getting nailed again by ZB Block. Yet another probe of Aviary.com after addition of the new spamhost ( pwebtech/FortressITX ). Please note that now it is pulling from viary.com! Viary.com is, like Aviary.com, hosted on the same ridin' dirty webhost. You can see, however, that this time it choked. But it still did actually hit my site. Here's the blocked request. Please note it is using random user agents to try to cloak itself. This is EXCEEDINGLY bad, and very suspicious behavior.

#: 6899 @: Mon, 13 Jul 2009 12:32:21 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Score: 2
Why blocked: pwebtech/FortressITX spam-friendly host/aviary.com unregulated proxy service. Test Trigger to test function.
Query: xtestx4
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reconstructed URL: http:// www.spambotsecurity.com /?xtestx4

Screenshot: aviary.com getting sent a 'you've been bad' message. I also used their services, if they check their logs, to send them a "you've been bad, so here's the scoop, all you get for Christmas is snowman poop!" message. And here's the logging of that hit. (Which actually came before the previous image, but cemented FortressITX / pwebtech's doom.)

#: 6897 @: Mon, 13 Jul 2009 11:51:10 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Score: 1
Why blocked: Test Trigger to test function.
Query: xtestx=your_site_is_an_unregulated_proxy_server_used_by_hackers_and_will_be_added_to_the_signatures_of_ZB_block
Referer:
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Reconstructed URL: http:// www.spambotsecurity.com /?xtestx=your_site_is_an_unregulated_proxy_server_used_by_hackers_and_will_be_added_to_the_signatures_of_ZB_block
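As an added example (my own code, not part of the original post or of ZB Block itself), here is a small Python parser for the killed_log.txt record layout quoted above, with two defender-side checks over the parsed records: which hits were the probe-trap trigger (the xtestx query), and which IPs show up with more than one user agent, the cloaking behavior called out above. The sample records are constructed in the page's layout, with the third record's User Agent changed so the rotation check has something to find.

```python
from collections import defaultdict

# Constructed sample records in the killed_log.txt layout quoted above (not real log data).
SAMPLE_LOG = """\
#: 6896 @: Mon, 13 Jul 2009 11:48:48 -0600
Host: ec2-174-129-94-22.compute-1.amazonaws.com
IP: 174.129.94.22
Why blocked: Amazon Web Services. Not an ISP. Checked for bypass.
Query: xtextx
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0)

#: 6897 @: Mon, 13 Jul 2009 11:51:10 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Why blocked: Test Trigger to test function.
Query: xtestx=your_site_is_an_unregulated_proxy
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; Trident/4.0)

#: 6899 @: Mon, 13 Jul 2009 12:32:21 -0600
Host: 65.98.13.118
IP: 65.98.13.118
Why blocked: pwebtech/FortressITX spam-friendly host. Test Trigger to test function.
Query: xtestx4
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20090624 Firefox/3.5
"""


def parse_killed_log(text):
    """Split killed_log.txt text into one dict per blank-line separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        # Every line is "Key: value"; split on the first colon only, since values hold colons too.
        rec = dict(line.partition(":")[::2] for line in block.splitlines() if ":" in line)
        rec = {k.strip(): v.strip() for k, v in rec.items()}
        if "#" not in rec:
            continue
        # The first line "#: 6896 @: Mon, ..." carries the record number and the timestamp.
        num, _, when = rec.pop("#").partition("@:")
        rec["id"], rec["time"] = int(num), when.strip()
        records.append(rec)
    return records


def trigger_hits(records, trigger="xtestx"):
    """Record ids whose query string starts with the probe-trap trigger."""
    return [rec["id"] for rec in records if rec.get("Query", "").startswith(trigger)]


def rotating_user_agents(records, min_agents=2):
    """IPs seen with several distinct User Agent strings, i.e. the cloaking noted above."""
    agents = defaultdict(set)
    for rec in records:
        agents[rec["IP"]].add(rec["User Agent"])
    return {ip: sorted(uas) for ip, uas in agents.items() if len(uas) >= min_agents}
```

Feed it a real killed_log.txt instead of SAMPLE_LOG to run the same checks over your own blocked hits.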

I would be remiss if I didn't mention IncrediBILL's Random Rants; his pages first turned me onto a good description of this kind of problem. (Also, previous logs were showing hacking attempts from tynt.com / tynted.net.)

Zap! Chasing them with an axe!