Please DO NOT under any circumstances download any files from that domain.
Below is my analysis from the exe/server
I can assure you IT IS NOT just a Bing toolbar installer
The main index.html page
Code:
<?php
$referrer = $_SERVER['HTTP_REFERER'];
if (preg_match("forum.cubers.net",$referrer)) {
header('Location: ');
} else {
};
?>
completely visible and shows bad coding in general
Some javascript is completely obfuscated (gpl_lp.js)
Code:
Open Ports on 69.167.x.x Thanks NMAP :)
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 3f:c9:96:84:9f:37:6a:20:4c:90:44:47:5b:ec:0e:05 (DSA)
|_2048 4b:80:de:1f:ad:3f:25:f4:a7:52:f9:6f:98:23:68:de (RSA)
53/tcp open domain
| dns-zone-transfer:
| assault-cube.com SOA ns1.awesomefreegames.net sid18.gmx.com
| assault-cube.com MX assault-cube.com
| assault-cube.com NS ns1.awesomefreegames.net
| assault-cube.com NS ns2.awesomefreegames.net
| assault-cube.com A 69.167.170.233
| cpanel.assault-cube.com A 69.167.170.233
| ftp.assault-cube.com A 69.167.170.233
| localhost.assault-cube.com A 127.0.0.1
| mail.assault-cube.com CNAME
| track.assault-cube.com A 69.167.170.233
| www.track.assault-cube.com A 69.167.170.233
| webdisk.assault-cube.com A 69.167.170.233
| webmail.assault-cube.com A 69.167.170.233
| whm.assault-cube.com A 69.167.170.233
| www.assault-cube.com CNAME
|_assault-cube.com SOA ns1.awesomefreegames.net sid18.gmx.com
80/tcp open http Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14)
| robots.txt: has 3 disallowed entries
|_/final-step/ /track/ /files/
|_html-title: AssaultCube
|_http-favicon: Unknown favicon MD5: BDF12BD1423753562AAFB2E4E2CE9600
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP OK(K Here s what I can do)
143/tcp open imap Courier Imapd (released 2008)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
443/tcp open http Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14)
|_html-title: Site doesn't have a title (text/html).
465/tcp open ssl/smtp Exim smtpd 4.69
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO host.awesomefreegames.net Hello 206-248-163-81.dsl.teksavvy.com [206.248.163.81], SIZE 52428800, PIPELINING, AUTH PLAIN LOGIN, HELP
|_HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
993/tcp open ssl/imap Courier Imapd (released 2008)
|_sslv2: server still supports SSLv2
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
995/tcp open ssl/pop3 Courier pop3d
|_sslv2: server still supports SSLv2
|_pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING OK(K Here s what I can do) TOP LOGIN-DELAY(10)
3306/tcp open mysql MySQL (unauthorized)
6666/tcp open melange Melange Chat Server 1.10
Device type: WAP|general purpose|firewall
Running (JUST GUESSING) : Linksys Linux 2.4.X (92%), Linux 2.4.X|2.6.X (91%), Check Point Linux 2.4.X (86%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), Linux 2.6.20.6 (87%), Linux 2.6.19 - 2.6.24 (87%), Linux 2.6.18 (86%), Linux 2.6.18 - 2.6.21 (86%), OpenWrt Kamikaze 7.09 (Linux 2.6.17 - 2.6.21) (86%), Linux 2.6.22 (Fedora 7) (86%), Check Point NGX R65 firewall (Linux 2.4.21) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: host.awesomefreegames.net
TRACEROUTE (using port 20/tcp)
HOP RTT ADDRESS
1 26.00 ms 206.248.154.104
2 79.00 ms 69.196.136.34
3 92.00 ms peer1.bdr02.tor.packetflow.ca (64.34.236.121)
4 119.00 ms 10ge.xe-2-0-0.tor-151f-cor-1.peer1.net (216.187.114.145)
5 121.00 ms 10ge.xe-0-0-0.tor-1yg-cor-1.peer1.net (216.187.114.133)
6 123.00 ms 10ge.xe-0-0-0.chi-eqx-dis-1.peer1.net (216.187.114.141)
7 125.00 ms ge-6-23.car4.Chicago1.Level3.net (4.71.102.13)
8 128.00 ms ae-32-56.ebr2.Chicago1.Level3.net (4.68.101.190)
9 130.00 ms ae-5-5.ebr2.Chicago2.Level3.net (4.69.140.194)
10 142.00 ms ae-2-52.edge2.Chicago2.Level3.net (4.69.138.163)
11 225.00 ms GLOBAL-INTE.edge2.Chicago2.Level3.net (4.59.29.78)
12 193.00 ms lw-core4-te91.rtr.liquidweb.com (209.59.157.206)
13 163.00 ms lw-dc3-dist8-po5.rtr.liquidweb.com (69.167.128.133)
14 139.00 ms 69.167.170.233 <---- The webserver
Location: Lansing, Michigan, United States
Exe file installer:
Unpacks the following in temporary directory
NSISdl.dll <-- NSIS silent downloader. Attempts to download Zugo which is known for distribution of malware
gmx-silent-1.exe <-- Spawned subprocess from the assaultcube-installer.exe file
getCountry <-- Text file containing region acquired from windows
System.dll <-- Set PAGE_EXECUTE_READWRITE on a certain block of Virtual memory
Math.dll <-- safe NSIS file
inetc.dll <-- Attempts to download any files from a remote ftp site (safe NSIS file)
nsisos.dll <-- Profile OS as winnt,9x,31 or unknown (safe NSIS file)
GetVersion.dll <-- Gets current version of windows. Checks for SP6 (safe NSIS file)
MD5dll.dll <-- It's fine...
registeraction
and much more, but I stopped debugging at that time
The sub installer gmx-silent-1.exe queries Application Data/Mozilla Firefox/profiles.ini
Reads under profiles/<name>.default/prefs.js
Reads browserconfig.properties
Checks for various registry keys
- HKCU\Software\Wyzo, Some firefox keys
And changes browser search settings to definitely unwanted stuff
Attempts to Install items in Program Files\GMX
Finds Internet Explorer, Opera, Firefox
Attempts to Install C:\Program Files\Search Toolbar
ShellExecute (Call the fake web page with some BS locale info gathering)
Installs Registry Key under HKCU\Software\Zugo
Subkey SID with string data 24xvb
Self Destruct
BTW, Still looking into it
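An added host-triage check (not from the post and not part of the installer) that matches observations against the indicators listed above: the Zugo/Wyzo registry keys, the GMX and Search Toolbar install directories, and Firefox prefs.js search settings that point at an unknown engine or domain. The search-related pref names, the engine/domain allowlists and the sample prefs.js content are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Indicators quoted from the post above (registry keys and install paths).
SUSPECT_REG_KEYS = {r"HKCU\Software\Zugo", r"HKCU\Software\Wyzo"}
SUSPECT_DIRS = {r"C:\Program Files\GMX", r"C:\Program Files\Search Toolbar"}

# Assumed: prefs that control the Firefox search provider, plus an allowlist of
# engine names / domains a clean profile would normally point at.
SEARCH_PREF_PREFIXES = ("browser.search.", "keyword.URL")
ENGINE_NAME_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
KNOWN_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}
TRUSTED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "duckduckgo.com")

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);')


def parse_prefs(text: str) -> Dict[str, str]:
    """Parse user_pref("name", value); lines from prefs.js into a dict (quotes stripped)."""
    return {m.group(1): m.group(2).strip().strip('"') for m in PREF_RE.finditer(text)}


def flag_search_prefs(prefs: Dict[str, str]) -> List[str]:
    """Return search-related pref names that name an unknown engine or an untrusted domain."""
    flagged = []
    for name, value in prefs.items():
        if not name.startswith(SEARCH_PREF_PREFIXES):
            continue
        if name in ENGINE_NAME_PREFS and value not in KNOWN_ENGINES:
            flagged.append(name)
            continue
        host = re.search(r"https?://([^/\s]+)", value)
        if host and not host.group(1).endswith(TRUSTED_DOMAINS):
            flagged.append(name)
    return sorted(flagged)


def triage(reg_keys: List[str], dirs: List[str], prefs_text: str) -> List[str]:
    """Match observed registry keys, directories and prefs.js content against the indicators."""
    findings = [f"registry: {k}" for k in sorted(set(reg_keys) & SUSPECT_REG_KEYS)]
    findings += [f"dir: {d}" for d in sorted(set(dirs) & SUSPECT_DIRS)]
    findings += [f"prefs: {p}" for p in flag_search_prefs(parse_prefs(prefs_text))]
    return findings


# Constructed sample prefs.js content (not a real capture).
SAMPLE_PREFS = """
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("browser.search.defaultenginename", "Search Toolbar");
user_pref("browser.search.selectedEngine", "Search Toolbar");
user_pref("browser.search.order.1", "Google");
user_pref("keyword.URL", "http://search.example-toolbar.invalid/?q=");
"""

if __name__ == "__main__":
    for line in triage([r"HKCU\Software\Zugo"], [r"C:\Program Files\GMX"], SAMPLE_PREFS):
        print(line)
```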