Screenshots were easy to obtain from the statistics page of the .cn site. The first page reveals browsers; some of these are likely to be researchers but most are probably victims. IE6 was hit hardest (what a surprise).
Next up were operating system stats. XP of course was the largest. I was a bit surprised at Windows 2003 appearing as much as it did. I guess people are still surfing the web from their servers despite being warned against doing this since 1950. I haven't seen the back-end code but I'm guessing that "Loads" means an actual exploit is loaded, or is successfully executed (need to see the kit itself to understand how this is calculated; any researcher got the kit source? drop me a line please if so).
Countries - USA is the largest target/victim
Next up were the referers - I didn't check these sites but the stats show an infection trail (or in some cases, obvious security/malware researchers poking about as you got further down the list). The actual URLs were not included here, so it's hard to know where in a site a redirect, IFRAME or other trickery is placed. In the case of the top referer, www.bearmarketcentral.com, I see that they have a forum and this seems like a likely location for trouble. Also troubling are several references to Grant Morrison, a fabulous comics creator.
Next up are the actual exploits used. Nothing too exciting here. All of these have been documented elsewhere at length so I won't go into much detail, but one can see a typical array of Adobe Reader exploits, the older Microsoft MDAC bug, an IE 7 exploit and the Snapshot viewer exploit. Despite MDAC being such an old bug, if Loads or Efficiency represents actual exploitation, it's higher than it should be and is just another indication of unskilled computer users who are unfortunately easy prey.
Later analysis with Wepawet reveals one of these pages, serving the Acrobat Reader stack overflow/format string in util.printf PDF exploit (CVE-2008-2992) - (see http://wepawet.cs.ucsb.edu/view.php?hash=3cbe658f62c9324793b132178717e81a&t=1261673543&type=js for the full report)
http:// tomorrrrow.cn /difpack/cache/readme.pdf
The PDF exploit contains two payloads, both downloaded with the URLDownloadToFile function (I'm unsure what the string crash.php is doing) to the destination file pdfupd.exe. The first payload is targeted at http:// souzmov.cn /difpack/load.php?id=4,
URLDownloadToFileA.pdfupd.exe.crash.php.http://souzmov.cn/difpack/load.php?id=4
and the second payload targeted at http:// souzmov.cn /difpack/load.php?id=5
URLDownloadToFileA.pdfupd.exe.crash.php.http://souzmov.cn/difpack/load.php?id=5
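The strings above (import name, destination file, the crash.php parameter and the download URL, each NUL-terminated) are the kind of thing worth pulling out of a payload automatically during triage. The following is an added example, not code from the original post: it scans a byte blob for printable runs and pairs each URLDownloadToFile* import name with the destination filename and URL that follow it. The sample blob is constructed to mirror the two payloads dumped above.

```python
import re

# Constructed sample mimicking the ASCII column of the dump above: two
# NUL-separated string groups, padded with non-printable filler bytes.
SAMPLE_PAYLOAD = (
    b"\x90\x90\x90"
    b"URLDownloadToFileA\x00pdfupd.exe\x00crash.php\x00"
    b"http://souzmov.cn/difpack/load.php?id=4\x00"
    b"\xcc\xcc"
    b"URLDownloadToFileA\x00pdfupd.exe\x00crash.php\x00"
    b"http://souzmov.cn/difpack/load.php?id=5\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")          # runs of 4+ printable bytes
URL_RE = re.compile(rb"^https?://\S+$", re.IGNORECASE)
DOWNLOAD_APIS = {b"URLDownloadToFileA", b"URLDownloadToFileW",
                 b"URLDownloadToCacheFileA", b"URLDownloadToCacheFileW"}


def ascii_strings(blob):
    """Return printable ASCII runs in file order (a minimal 'strings')."""
    return [m.group(0) for m in PRINTABLE.finditer(blob)]


def downloader_indicators(blob):
    """For each URLDownloadToFile* import name, collect the strings that follow
    it up to the first URL: the first one is taken as the destination file,
    any others (e.g. crash.php here) are kept as 'extras' for the analyst."""
    strings = ascii_strings(blob)
    found, i = [], 0
    while i < len(strings):
        if strings[i] not in DOWNLOAD_APIS:
            i += 1
            continue
        entry = {"api": strings[i].decode(), "dest": None, "url": None, "extras": []}
        j = i + 1
        while j < len(strings) and strings[j] not in DOWNLOAD_APIS:
            s = strings[j]
            j += 1
            if URL_RE.match(s):
                entry["url"] = s.decode()
                break
            if entry["dest"] is None:
                entry["dest"] = s.decode()
            else:
                entry["extras"].append(s.decode())
        found.append(entry)
        i = j
    return found


def unique_urls(blob):
    """Deduplicated download URLs, e.g. for a blocklist or proxy log search."""
    return sorted({e["url"] for e in downloader_indicators(blob) if e["url"]})
```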
Static AV coverage of the file delivered via load.php (which pushes load.exe) was very good: 37/41 (90.24%), with the findings mostly identifying the Sasfis trojan.
The malware also is involved in Zeus installations; installation of load.exe performs the following:
The following HTTP URLs were started reading:
Command data is apparently delivered via bb.php as such:
game.exe contains Zeus/Zbot. The "backurls" url did not resolve.
The ThreatExpert report for Zeus (game.exe) has new (to me) functionality that apparently parses the list of target domains that is normally contained in the zeus config file (cfg.bin is a filename I've often seen). This is a nice feature that's a time saver in an incident response situation.
Check out the useful and informative ThreatExpert report which includes a list of the targeted financial institutions - a very nice addition to ThreatExpert that I don't recall seeing before.
MD5 = 0x01605D291B427C8564E7E13CDEEA1AE9
The first five financial institutions are listed as such:
I found it interesting that a mutex named _AVIRA_21099 was created. This may be documented in other much more deep analysis but I don't recall.
The Zeus/Zbot config file is obtained from http://spysystemcom.cn/gamedata2/res.bin
Trying to reverse engineer this malware, even dynamic analysis, would take me far longer than what ThreatExpert offers. Sure, sandboxes have been evaded and are not perfect, but what a huge time-saver. I offer my thanks to the creators and maintainers of Wepawet, ThreatExpert, Anubis, VirusTotal and other sandboxes.