Scam/Malware Warning
#21
Please DO NOT under any circumstances download any files from that domain.
Below is my analysis from the exe/server

I can assure you IT IS NOT just a Bing toolbar installer

The main index.html page:
<?php
$referrer = $_SERVER['HTTP_REFERER'];
if (preg_match("forum.cubers.net",$referrer)) {
      header('Location: ');
} else {

};
?>
completely visible and shows bad coding in general

Some javascript is completely obfuscated (gpl_lp.js)

Open Ports on 69.167.x.x Thanks NMAP :)

21/tcp   open   ftp      PureFTPd
22/tcp   open   ssh      OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 3f:c9:96:84:9f:37:6a:20:4c:90:44:47:5b:ec:0e:05 (DSA)
|_2048 4b:80:de:1f:ad:3f:25:f4:a7:52:f9:6f:98:23:68:de (RSA)
53/tcp   open   domain
| dns-zone-transfer:
| assault-cube.com            SOA     ns1.awesomefreegames.net sid18.gmx.com
| assault-cube.com            MX      assault-cube.com
| assault-cube.com            NS      ns1.awesomefreegames.net
| assault-cube.com            NS      ns2.awesomefreegames.net
| assault-cube.com            A       69.167.170.233
| cpanel.assault-cube.com     A       69.167.170.233
| ftp.assault-cube.com        A       69.167.170.233
| localhost.assault-cube.com  A       127.0.0.1
| mail.assault-cube.com       CNAME
| track.assault-cube.com      A       69.167.170.233
| www.track.assault-cube.com  A       69.167.170.233
| webdisk.assault-cube.com    A       69.167.170.233
| webmail.assault-cube.com    A       69.167.170.233
| whm.assault-cube.com        A       69.167.170.233
| www.assault-cube.com        CNAME
|_assault-cube.com            SOA     ns1.awesomefreegames.net sid18.gmx.com
80/tcp   open   http     Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14)
| robots.txt: has 3 disallowed entries
|_/final-step/ /track/ /files/
|_html-title: AssaultCube
|_http-favicon: Unknown favicon MD5: BDF12BD1423753562AAFB2E4E2CE9600
110/tcp  open   pop3     Courier pop3d
|_pop3-capabilities: USER STLS IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING LOGIN-DELAY(10) TOP OK(K Here s what I can do)
143/tcp  open   imap     Courier Imapd (released 2008)
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA STARTTLS THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
443/tcp  open   http     Apache httpd 2.0.63 ((Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14)
|_html-title: Site doesn't have a title (text/html).
465/tcp  open   ssl/smtp Exim smtpd 4.69
|_sslv2: server still supports SSLv2
| smtp-commands: EHLO host.awesomefreegames.net Hello 206-248-163-81.dsl.teksavvy.com [206.248.163.81], SIZE 52428800, PIPELINING, AUTH PLAIN LOGIN, HELP
|_HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
993/tcp  open   ssl/imap Courier Imapd (released 2008)
|_sslv2: server still supports SSLv2
|_imap-capabilities: THREAD=ORDEREDSUBJECT QUOTA AUTH=PLAIN THREAD=REFERENCES UIDPLUS ACL2=UNION SORT ACL IMAP4rev1 IDLE NAMESPACE CHILDREN
995/tcp  open   ssl/pop3 Courier pop3d
|_sslv2: server still supports SSLv2
|_pop3-capabilities: USER IMPLEMENTATION(Courier Mail Server) UIDL PIPELINING OK(K Here s what I can do) TOP LOGIN-DELAY(10)
3306/tcp open   mysql    MySQL (unauthorized)
6666/tcp open   melange  Melange Chat Server 1.10
Device type: WAP|general purpose|firewall
Running (JUST GUESSING) : Linksys Linux 2.4.X (92%), Linux 2.4.X|2.6.X (91%), Check Point Linux 2.4.X (86%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), Linux 2.6.20.6 (87%), Linux 2.6.19 - 2.6.24 (87%), Linux 2.6.18 (86%), Linux 2.6.18 - 2.6.21 (86%), OpenWrt Kamikaze 7.09 (Linux 2.6.17 - 2.6.21) (86%), Linux 2.6.22 (Fedora 7) (86%), Check Point NGX R65 firewall (Linux 2.4.21) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: host.awesomefreegames.net

TRACEROUTE (using port 20/tcp)
HOP RTT       ADDRESS
1   26.00 ms  206.248.154.104
2   79.00 ms  69.196.136.34
3   92.00 ms  peer1.bdr02.tor.packetflow.ca (64.34.236.121)
4   119.00 ms 10ge.xe-2-0-0.tor-151f-cor-1.peer1.net (216.187.114.145)
5   121.00 ms 10ge.xe-0-0-0.tor-1yg-cor-1.peer1.net (216.187.114.133)
6   123.00 ms 10ge.xe-0-0-0.chi-eqx-dis-1.peer1.net (216.187.114.141)
7   125.00 ms ge-6-23.car4.Chicago1.Level3.net (4.71.102.13)
8   128.00 ms ae-32-56.ebr2.Chicago1.Level3.net (4.68.101.190)
9   130.00 ms ae-5-5.ebr2.Chicago2.Level3.net (4.69.140.194)
10  142.00 ms ae-2-52.edge2.Chicago2.Level3.net (4.69.138.163)
11  225.00 ms GLOBAL-INTE.edge2.Chicago2.Level3.net (4.59.29.78)
12  193.00 ms lw-core4-te91.rtr.liquidweb.com (209.59.157.206)
13  163.00 ms lw-dc3-dist8-po5.rtr.liquidweb.com (69.167.128.133)
14  139.00 ms 69.167.170.233    <---- The webserver

Location: Lansing, Michigan, United States

Exe file installer:
Unpacks the following in a temporary directory

NSISdl.dll <-- NSIS silent downloader. Attempts to download Zugo, which is known for distribution of malware
gmx-silent-1.exe <-- Spawned subprocess from the assaultcube-installer.exe file
getCountry <-- Text file containing region acquired from Windows
System.dll <-- Sets PAGE_EXECUTE_READWRITE on a certain block of virtual memory
Math.dll <-- safe NSIS file
inetc.dll <-- Attempts to download any files from a remote FTP site (safe NSIS file)
nsisos.dll <-- Profiles OS as winnt, 9x, 31 or unknown (safe NSIS file)
GetVersion.dll <-- Gets current version of Windows. Checks for SP6 (safe NSIS file)
MD5dll.dll <-- It's fine...
registeraction
and much more, but I stopped debugging at that time

The sub installer gmx-silent-1.exe queries Application Data/Mozilla Firefox/profiles.ini
Reads under profiles/<name>.default/prefs.js
Reads browserconfig.properties

Checks for various registry keys
- HKCU\Software\Wyzo, some Firefox keys
And changes browser search settings to definitely unwanted stuff

Attempts to Install items in Program Files\GMX

Finds Internet Explorer, Opera, Firefox
Attempts to Install C:\Program Files\Search Toolbar

ShellExecute (Call the fake web page with some BS locale info gathering)

Installs Registry Key under HKCU\Software\Zugo
Subkey SID with string data 24xvb

Self Destruct

BTW, still looking into it
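An added example, not part of the post above and not code from the installer or from AssaultCube: a small Python check a defender could run against a Firefox profile and a host snapshot to look for the traces the post describes (rewritten search preferences, the HKCU\Software\Zugo key with its SID value, the Program Files\GMX and Program Files\Search Toolbar directories). The list of search-related preference names, the trusted-host and known-engine allow-lists, and the sample prefs.js/registry/directory data are all assumptions constructed for the example; the post itself only says the sub installer "changes browser search settings". The registry and directory snapshot is passed in as plain dicts and sets so the script runs offline; on a live Windows host they would be built with winreg and os.path.isdir.

```python
import re
from typing import Dict, List, Set, Tuple

# --- Firefox prefs.js inspection ------------------------------------------
# Each line of prefs.js has the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
HOST_RE = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)

# Preferences a search-hijacking toolbar typically rewrites (assumed list;
# the post only reports that search settings are changed).
SEARCH_PREFS = (
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.startup.homepage",
)
# Example allow-lists for this demonstration; a real deployment uses its own.
TRUSTED_HOSTS = {"google.com", "bing.com", "yahoo.com", "duckduckgo.com"}
KNOWN_ENGINES = {"google", "bing", "yahoo"}


def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: value}; surrounding quotes are stripped from strings."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = raw.strip().strip('"')
    return prefs


def _trusted(host: str) -> bool:
    host = host.lower().split(":")[0]          # drop any port suffix
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def hijacked_search_prefs(prefs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag search prefs whose URL host or engine name is outside the allow-lists."""
    findings: List[Tuple[str, str]] = []
    for name in SEARCH_PREFS:
        if name not in prefs:
            continue
        value = prefs[name]
        m = HOST_RE.search(value)
        if m:                                   # URL-valued pref: check the host
            if not _trusted(m.group(1)):
                findings.append((name, value))
        elif value.lower() not in KNOWN_ENGINES:  # engine-name pref: check the name
            findings.append((name, value))
    return findings


# --- Registry / file-system traces named in the post -----------------------
ZUGO_KEY = r"HKCU\Software\Zugo"
ZUGO_SID = "24xvb"                               # string data reported in the post
DIR_INDICATORS = (r"C:\Program Files\GMX", r"C:\Program Files\Search Toolbar")


def check_host(registry: Dict[str, Dict[str, str]], dirs: Set[str]) -> List[str]:
    """Return human-readable matches for the Zugo key and the install directories."""
    findings: List[str] = []
    zugo = registry.get(ZUGO_KEY)
    if zugo is not None:
        sid = zugo.get("SID")
        note = " with SID=24xvb as reported" if sid == ZUGO_SID else f" (SID={sid})"
        findings.append(f"registry {ZUGO_KEY} present{note}")
    for d in DIR_INDICATORS:
        if d in dirs:
            findings.append(f"directory {d} present")
    return findings


# Constructed sample data (not captured from a real machine).
SAMPLE_PREFS = """\
user_pref("browser.search.defaultenginename", "Search Toolbar");
user_pref("keyword.URL", "http://search.example-toolbar.invalid/?q=");
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("extensions.lastAppVersion", "3.6.10");
"""
SAMPLE_REGISTRY = {ZUGO_KEY: {"SID": ZUGO_SID}}
SAMPLE_DIRS = {r"C:\Program Files\GMX", r"C:\Program Files\Mozilla Firefox"}

if __name__ == "__main__":
    for name, value in hijacked_search_prefs(parse_prefs(SAMPLE_PREFS)):
        print(f"prefs.js: {name} = {value}")
    for line in check_host(SAMPLE_REGISTRY, SAMPLE_DIRS):
        print(line)
```

Against the sample data the script flags the rewritten default engine name and the keyword.URL pointing at an unknown host, leaves the Google homepage alone, and reports the Zugo key and the GMX directory; point parse_prefs at the prefs.js under the profile's <name>.default directory to check a real profile.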