Script Kids in Romania

serpisor

Yesterday (18 June) I had the surprise (a pleasant one, since I have not analysed malware in a while) of receiving the following email containing a link to a piece of malware. What its author does not know is that I do not use Windows. Anyway, you will see below who is still "having fun" in Romanian Undernet-land, and with what.

Ecce Homo (mailicus)


Received: from unknown (HELO gabe.harrimanllc.com) (70.84.87.74)
by mx with SMTP; 18 Jun 2006 08:57:51 -0000
Received: from nobody by gabe.harrimanllc.com with local (Exim 4.52)
id 1Frt79-0005Zn-4G
for CENSORED; Sun, 18 Jun 2006 01:58:39 -0700
To: CENSORED
Subject:  You have received a postcard !
From: postcard.com
Content-Type: text/html
Message-Id:
Date: Sun, 18 Jun 2006 01:58:39 -0700
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gabe.harrimanllc.com
X-AntiAbuse: Original Domain - CENSORED.ro
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - gabe.harrimanllc.com
X-Source:
X-Source-Args:
X-Source-Dir:

Hello friend !
You have just received a postcard from someone
who cares about you!
This is a part of the message:
"Hy there! It has been a long time since I haven't heared about you!
I've just found out about this service from
Claire, a friend of mine who also told me that..."
If you'd like to see the rest of the message click
http://72.21.38.198/~adriano/postcard.gif.exe
here to receive your animated postcard!
===================
Thank you for using www.yourpostcard.com's services !!!
Please take this opportunity to let your
friends hear about us by sending them a
postcard from our collection !
==================
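The lure above carries the classic tells of this kind of spam: a From: domain that does not match the relay the mail actually came through, a link to a bare IP address, and a file named to look like an image but ending in .exe. The following triage script is an added example, not code from the original post; it parses the headers and body reproduced above (embedded as a constructed sample) and returns those red flags without ever fetching the link.

```python
import re
from email import message_from_string

# Constructed sample: the lure's headers and body as reproduced in the post (the URL is
# kept as an indicator string only; nothing is fetched).
LURE = """\
Received: from unknown (HELO gabe.harrimanllc.com) (70.84.87.74)
  by mx with SMTP; 18 Jun 2006 08:57:51 -0000
Received: from nobody by gabe.harrimanllc.com with local (Exim 4.52)
  for CENSORED; Sun, 18 Jun 2006 01:58:39 -0700
Subject: You have received a postcard !
From: postcard.com
Content-Type: text/html
X-AntiAbuse: Sender Address Domain - gabe.harrimanllc.com

If you'd like to see the rest of the message click
http://72.21.38.198/~adriano/postcard.gif.exe
here to receive your animated postcard!
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def triage(raw):
    """Red flags a mail gateway or an analyst would raise for a lure like this one."""
    msg = message_from_string(raw)
    flags = []
    # Domain the From: header claims versus the one the relay recorded for the sender.
    claimed = (msg.get("From") or "").rsplit("@", 1)[-1].strip("<> ").lower()
    recorded = [m.group(1).lower() for h in msg.get_all("X-AntiAbuse", [])
                for m in [re.search(r"Sender Address Domain - (\S+)", h)] if m]
    if claimed and recorded and claimed != recorded[0]:
        flags.append(f"from-domain-mismatch:{claimed}!={recorded[0]}")
    for h in msg.get_all("Received", []):        # HELO name and peer IP of each relay
        helo = re.search(r"HELO\s+([\w.-]+)", h)
        ip = re.search(r"\((" + IPV4_RE.pattern + r")\)", h)
        if helo and ip and not helo.group(1).endswith(claimed):  # relay unrelated to From:
            flags.append(f"relay-not-sender:{helo.group(1)}/{ip.group(1)}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host, name = url.split("/")[2], url.rsplit("/", 1)[-1].lower()
        if IPV4_RE.fullmatch(host):                           # bare IP, no hostname
            flags.append(f"bare-ip-url:{host}")
        if name.count(".") >= 2 and name.endswith(EXEC_EXT):  # e.g. postcard.gif.exe
            flags.append(f"double-extension:{name}")
    return flags
```

Any one of these flags alone is weak evidence; all four together on a message with a generic "someone who cares about you" body is what should push it to quarantine.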

postcard.gif.exe 🙂 Interesting. The truth is that it has been a while since I last analysed a piece of malware.
I downloaded the executable and took a quick look inside it. Disappointing.... A self-extracting RAR archive.
The interesting part is nevertheless inside the archive: a mIRC together with the corresponding remote-control scripts.
After a quick analysis I found the following functionality:
The junk connects to Undernet, joins the channel #qwertyzxcvbn and waits there for commands
from the "master". So far so good. The worrying part is that in that wonderful channel there was a whole lot of zombies ready to attack.
Here is the list:


Has anyone ever wondered why nothing is done, from a legal standpoint, against this kind of activity? From the analysis of the executable enough "evidence" can be gathered to lead to the identification of the beneficiary of these kinds of zombie nets. Is anyone interested?