LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   New Trojan named DSB? (https://www.linuxquestions.org/questions/linux-security-4/new-trojan-named-dsb-224297/)

hutuworm 08-30-2004 09:46 AM

New Trojan named DSB?
 
Hi, All,

I've found a new trojan (?) named DSB recently. It occurred last week, when I found that there were many entries in my Apache access_log that only reach my web site's / and whose user-agent field was filled with "DSB 1.1.1h". Last weekend, there were more "DSB 1.2.0h" than "DSB 1.1.1h", so it seems to be updating itself; now they're all "DSB 1.2.0h", so the update seems finished. The source IPs are mostly from Italy, and the number of entries is increasing fast; it seems to be spreading fast over the Internet.

Fortunately I found these valuable entries in my access_log:
-----------------------------------
218.**.198.87 - - [30/Aug/2004:06:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:02 -0600] "GET /www.safe-download.biz/access.php?a=15631CD7-09004OEM007148160365&w=20&d=20040830213551&o=4.10.67766446.1.%20A%20&i=5.00.2614.3500&n=&v=1.2.0h&e=&c=&b=&m=n&t=104&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/update.php?a=15631CD7-09004OEM007148160365&w=20&v=1.2.0h&&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/kill.php?a=15631CD7-09004OEM007148160365&w=20&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.0h"
-------------------------------
The first entry is a typical one; 99.99% of the malicious accesses look like this, and the next three lines seem odd. Is "access.php" a statistics page? Is "update.php" an online update page? ( DSB 1.1.1h --> DSB 1.2.0h ) Is "kill.php" a suicide page?

Does anyone have experience with it?
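
The pattern the post describes (a "DSB x.y.zh" user agent fetching /, a version roll-over from 1.1.1h to 1.2.0h over a few days, and an access.php / update.php / kill.php sequence from the same source) is easy to check for in an Apache combined-format access_log. The script below is an added example, not code from the thread or from the poster: it parses such lines, counts DSB versions per day, and lists which source addresses ran the full three-step sequence. SAMPLE_LOG is constructed to mirror the lines quoted above, using RFC 5737 documentation addresses and a placeholder identifier; it is not a real log.

```python
"""Triage Apache "combined" access_log lines for the DSB client described in
the post above.  Added example, not code from the thread or from the poster.
SAMPLE_LOG is constructed to mirror the quoted pattern (RFC 5737 documentation
addresses, a= identifier replaced by XXXX); it is not a real log."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Exact-shape match on the agent string; a substring test for "DSB" would also
# hit legitimate agents that merely contain those three letters.
DSB_AGENT = re.compile(r'^DSB (?P<version>\d+\.\d+\.\d+[a-z]?)$')
BEACON_ENDPOINTS = ('access.php', 'update.php', 'kill.php')

SAMPLE_LOG = """\
203.0.113.5 - - [23/Aug/2004:10:01:12 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.1.1h"
203.0.113.9 - - [23/Aug/2004:10:04:40 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.1.1h"
198.51.100.2 - - [28/Aug/2004:15:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.1.1h"
198.51.100.3 - - [28/Aug/2004:15:20:09 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
198.51.100.4 - - [28/Aug/2004:15:21:33 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
192.0.2.10 - - [30/Aug/2004:06:19:58 -0600] "GET /index.html HTTP/1.1" 200 40842 "http://example.org/" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20040802 Firefox/0.9.3"
198.51.100.7 - - [30/Aug/2004:06:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
198.51.100.7 - - [30/Aug/2004:06:20:02 -0600] "GET /www.safe-download.biz/access.php?a=XXXX&w=20&v=1.2.0h&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
198.51.100.7 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/update.php?a=XXXX&w=20&v=1.2.0h&&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
198.51.100.7 - - [30/Aug/2004:06:20:03 -0600] "GET /www.safe-download.biz/kill.php?a=XXXX&w=20&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.0h"
198.51.100.8 - - [30/Aug/2004:06:25:44 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
198.51.100.9 - - [30/Aug/2004:06:26:02 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    parts = m['request'].split(' ')
    # Some DSB requests glue "&HTTP/1.1" onto the query (see the quoted log),
    # so the request field may hold only two tokens; take what follows the method.
    path = parts[1] if len(parts) > 1 else ''
    return {
        'ip': m['ip'],
        'time': datetime.strptime(m['time'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': parts[0],
        'path': path,
        'status': int(m['status']),
        'agent': m['agent'],
    }


def dsb_version(agent: str) -> Optional[str]:
    """'DSB 1.2.0h' -> '1.2.0h'; anything else -> None."""
    m = DSB_AGENT.match(agent)
    return m['version'] if m else None


def dsb_records(log_text: str) -> List[dict]:
    """All parsed lines sent by a DSB agent, with the version filled in."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ver = dsb_version(rec['agent'])
        if ver:
            rec['version'] = ver
            out.append(rec)
    return out


def versions_by_day(log_text: str) -> Dict[str, Counter]:
    """Per-day count of each DSB version; makes the 1.1.1h -> 1.2.0h roll-over visible."""
    days: Dict[str, Counter] = defaultdict(Counter)
    for rec in dsb_records(log_text):
        days[rec['time'].date().isoformat()][rec['version']] += 1
    return dict(days)


def endpoint(path: str) -> str:
    """Last path component without the query: '/x/access.php?a=1' -> 'access.php'."""
    return path.split('?', 1)[0].rsplit('/', 1)[-1]


def beacon_hosts(log_text: str) -> Dict[str, List[str]]:
    """Per source IP, the ordered list of .php endpoints a DSB agent requested."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for rec in dsb_records(log_text):
        ep = endpoint(rec['path'])
        if ep.endswith('.php'):
            hits[rec['ip']].append(ep)
    return dict(hits)


def full_sequence_hosts(log_text: str) -> List[str]:
    """Source IPs that ran the whole access -> update -> kill sequence against this server."""
    return sorted(ip for ip, eps in beacon_hosts(log_text).items()
                  if set(BEACON_ENDPOINTS) <= set(eps))


if __name__ == '__main__':
    for day, counts in sorted(versions_by_day(SAMPLE_LOG).items()):
        print(day, dict(counts))
    print('full beacon sequence from:', full_sequence_hosts(SAMPLE_LOG))
```

Run it against a real access_log with `versions_by_day(open('/var/log/httpd/access_log').read())`; the per-day table shows when a new version string appears and when the old one disappears, and `full_sequence_hosts` gives the short list of sources worth looking at in a packet capture. The agent match is anchored at both ends on purpose, so browsers whose UA happens to contain "DSB" are not counted.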

hutuworm 08-31-2004 01:41 AM

It's updating to 1.2.1h

hutuworm 08-31-2004 01:46 AM

Is it a trojan originally from Vietnam?

Domain Name: SAFE-DOWNLOAD.BIZ
Domain ID: D5822451-BIZ
Sponsoring Registrar: ENOM, INC.
Domain Status: ok
Registrant ID: PWAQPAGPCAFE68C1
Registrant Name: P.A Vietnam Ltd
Registrant Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Registrant Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Registrant Address2: House 8, Quang Trung Software City, District 12, HCMC
Registrant City: Ho Chi Minh
Registrant Postal Code: 70000
Registrant Country: Vietnam
Registrant Country Code: VN
Registrant Email: domain@pavietnam.com
Administrative Contact ID: PWAQPAGPCAFE68C1
Administrative Contact Name: P.A Vietnam Ltd
Administrative Contact Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Administrative Contact Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Administrative Contact Address2: House 8, Quang Trung Software City, District 12, HCMC
Administrative Contact City: Ho Chi Minh
Administrative Contact Postal Code: 70000
Administrative Contact Country: Vietnam
Administrative Contact Country Code: VN
Administrative Contact Email: domain@pavietnam.com
Billing Contact ID: PWAQPAGPCAFE68C1
Billing Contact Name: P.A Vietnam Ltd
Billing Contact Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Billing Contact Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Billing Contact Address2: House 8, Quang Trung Software City, District 12, HCMC
Billing Contact City: Ho Chi Minh
Billing Contact Postal Code: 70000
Billing Contact Country: Vietnam
Billing Contact Country Code: VN
Billing Contact Email: domain@pavietnam.com
Technical Contact ID: PWAQPAGPCAFE68C1
Technical Contact Name: P.A Vietnam Ltd
Technical Contact Organization: P.A Vietnam Ltd - $9.99/Domain/Yearly
Technical Contact Address1: 65 Su Van Hanh (Ext),District 10, HCMC
Technical Contact Address2: House 8, Quang Trung Software City, District 12, HCMC
Technical Contact City: Ho Chi Minh
Technical Contact Postal Code: 70000
Technical Contact Country: Vietnam
Technical Contact Country Code: VN
Technical Contact Email: domain@pavietnam.com
Name Server: DNS5.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS1.NAME-SERVICES.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Fri Dec 05 06:06:19 GMT+00:00 2003
Domain Expiration Date: Sat Dec 04 23:59:59 GMT+00:00 2004
Domain Last Updated Date: Tue Jan 13 14:30:19 GMT+00:00 2004

>>>> Whois database was last updated on: Tue Aug 31 06:43:58 GMT 2004 <<<<

unSpawn 08-31-2004 07:32 PM

I don't see anything classifying this as a trojan. If you want to see the payload try running tcpdump (this *will* put the interface in promiscuous mode by default). Since dumps grow fast it would be best if you add a BPF filter to only look for traffic from a specific range you're seeing lots of traffic from: tcpdump -w /tmp/dsb.dmp 'tcp and src net 218.123' would get you traffic from 218.123.0.0/16.

hutuworm 08-31-2004 07:49 PM

I think it's a trojan, let me show you some logs:
--------------------------------------------------------------------------------

200.100.81.32 - - [31/Aug/2004:17:43:20 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.0h"
201.4.31.124 - - [31/Aug/2004:17:43:22 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
64.76.33.53 - - [31/Aug/2004:17:43:25 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
81.211.210.88 - - [31/Aug/2004:17:43:27 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
62.10.6.2 - - [31/Aug/2004:17:43:32 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
200.175.183.251 - - [31/Aug/2004:17:43:46 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
151.197.30.145 - - [31/Aug/2004:17:43:51 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
151.28.154.56 - - [31/Aug/2004:17:43:54 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
80.183.94.129 - - [31/Aug/2004:17:43:57 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
200.64.207.159 - - [31/Aug/2004:17:43:57 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:08 -0700] "GET /www.xxxxxxx.com/ HTTP/1.1" 200 41042 "-" "DSB 1.2.1h"

----------------------------------------------------------------------------------

It's spreading over the Internet so fast, and you may find that it's updating through www.liveupdate.biz from
version "DSB 1.2.0h" to "DSB 1.2.1h":

---------------------------------------------------------------------------------------------
195.209.227.165 - - [31/Aug/2004:17:44:11 -0700] "GET /www.liveupdate.biz/access.php?a=4C68B996-55683OEM001391741056&w=16&d=20040901044340&o=5.1.2600.2.Service%20Pack%201&i=6.0.2800.1106&n=p595382 2&v=1.2.1h&e=nadin_x@list.ru&c=\xd0\xee\xf1\xf1\xe8\xff&b=44&m=y&t=8&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:12 -0700] "GET /www.liveupdate.biz/configuration.php?x=Off0001 HTTP/1.1" 404 223 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:12 -0700] "GET /www.liveupdate.biz/update.php?a=4C68B996-55683OEM001391741056&w=16&v=1.2.1h&&f=DSB& HTTP/1.1" 404 216 "-" "DSB 1.2.1h"
195.209.227.165 - - [31/Aug/2004:17:44:13 -0700] "GET /www.liveupdate.biz/kill.php?a=4C68B996-55683OEM001391741056&w=16&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.1h"
---------------------------------------------------------------------------------------------
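
The access.php request quoted above carries more than the earlier one: the `o=` and `i=` values look like Windows and Internet Explorer build strings, `e=` is an e-mail address, and `c=` is a run of bytes that Apache has written as `\xHH` escapes because they are not printable ASCII. The script below is an added example, not code from the thread: it reverses Apache's log escaping, splits the query string byte-exactly, and offers one reading of the fields. Decoding `c=` as Windows-1251 and the meaning assigned to each field are this example's assumptions; the posts only show the raw request.

```python
"""Decode the query string of the "access.php" beacon quoted in the post
above.  Added example; it is not code from the thread.  Apache writes
non-printable request bytes to the log as \\xHH escapes, so the c= field has
to be un-escaped back to raw bytes before it can be decoded.  Reading those
bytes as Windows-1251, and the meaning given to each field, are this
example's assumptions: the posts themselves only show the raw request."""
import re
from datetime import datetime
from typing import Dict
from urllib.parse import parse_qsl

# The request path from the quoted log line (the source IP is not needed here).
BEACON_PATH = (r"/www.liveupdate.biz/access.php?a=4C68B996-55683OEM001391741056&w=16"
               r"&d=20040901044340&o=5.1.2600.2.Service%20Pack%201&i=6.0.2800.1106"
               r"&n=p595382 2&v=1.2.1h&e=nadin_x@list.ru&c=\xd0\xee\xf1\xf1\xe8\xff"
               r"&b=44&m=y&t=8&f=DSB&")

_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([\\"ntr])')
_SIMPLE = {'\\': b'\\', '"': b'"', 'n': b'\n', 't': b'\t', 'r': b'\r'}


def apache_unescape(field: str) -> bytes:
    """Reverse Apache's log escaping: '\\xd0' -> byte 0xd0, '\\"' -> '"', and so on."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out += _SIMPLE[m.group(2)]
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


def parse_beacon(path: str) -> Dict[str, bytes]:
    """Query-string fields of a beacon URL as raw bytes (no charset assumed yet)."""
    raw = apache_unescape(path).decode('latin-1')        # one char per byte
    query = raw.split('?', 1)[1] if '?' in raw else ''
    # latin-1 keeps %XX unquoting byte-exact; the trailing '&' and the '&&'
    # seen in the real beacons are empty pairs, which parse_qsl drops.
    return {k: v.encode('latin-1')
            for k, v in parse_qsl(query, keep_blank_values=True, encoding='latin-1')}


def describe(fields: Dict[str, bytes]) -> dict:
    """One reading of the fields.  These are guesses from the values' shapes
    (o= looks like a Windows build string, i= like an Internet Explorer build,
    c= like a Cyrillic country name); the client's real schema is unknown."""
    text = {k: v.decode('latin-1') for k, v in fields.items()}
    return {
        'client_id': text.get('a', ''),
        'version': text.get('v', ''),
        'os': text.get('o', ''),
        'browser': text.get('i', ''),
        'email': text.get('e', ''),
        # Assumption: Windows-1251.  Under it the bytes d0 ee f1 f1 e8 ff read as
        # a Russian word, which fits the .ru address in the same request.
        'country': fields.get('c', b'').decode('cp1251', 'replace'),
        # d= parses as a clock reading about 4 h ahead of the server's UTC log
        # time for this request, so it is presumably the client's local time.
        'client_time': datetime.strptime(text['d'], '%Y%m%d%H%M%S') if text.get('d') else None,
    }


if __name__ == '__main__':
    for key, value in describe(parse_beacon(BEACON_PATH)).items():
        print(f'{key:12} {value}')
```

The un-escaping step matters: feeding the logged text straight into a URL parser would treat `\xd0` as the four ASCII characters it is in the file, and a UTF-8 decode of the recovered bytes would fail, since the client is not sending UTF-8. Keeping every value as bytes until a charset is chosen avoids both mistakes.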

hutuworm 08-31-2004 07:53 PM

www.liveupdate.biz 200.16.144.174

inetnum: 200.16.144/22
status: reassigned
owner: S&M International S.A.
ownerid: AR-SISA3-LACNIC
address: Av Roque Saenz Peña 971 4 Piso
address: Buenos Aires, BA 1035
country: AR
owner-c: MC90-ARIN
inetrev: 200.16.144/22
nserver: NS1.SMINTER.COM.AR
nsstat: 20040829 AA
nslastaa: 20040829
nserver: NS2.SMINTER.COM.AR
nsstat: 20040829 AA
nslastaa: 20040829
created: 19980421
changed: 19980421
inetnum-up: 200.16.128/17
source: ARIN-LACNIC-TRANSITION

nic-hdl: MC90-ARIN
person: Marcelo Cassino
e-mail: marcelo@MECON.AR
address: Mexico 664 1st 4
address: Buenos Aires, Buenos Aires 1927
country: AR
phone: (541) 349 8040
source: ARIN-LACNIC-TRANSITION

