The previous article about Judin.ru showed how system settings were changed and software was installed without consent by exploiting a security hole in the operating system or in its accompanying software. This article is a follow-up that goes into more detail on the network communication taking place when visiting Judin.ru. The observations presented here are based on two visits to judin.ru while running several tools to monitor the system changes and network communication. The article also gives details on which files and system settings were changed; to avoid reiteration, however, I only present those that did not appear in the previous article.
The network logs give a good deal of detail about what is going on during the exploit. For example, the following are the first 16 HTTP GET requests that occur when visiting judin.ru, and it appears that the security hole is exploited at moonri.com:
judin.ru/
judin.ru/images/103.mn.jpg
judin.ru/images/103.01.jpg
judin.ru/images/103.02.jpg
images.jps.ru/spy.jpg
judin.ru/images/memo.gif
judin.ru/images/103.04.jpg
judin.ru/images/103.06.jpg
judin.ru/images/103.07.jpg
judin.ru/images/103.09.jpg
judin.ru/images/103.11.jpg
judin.ru/images/103.bg.gif
ras.moonri.com/e.html
ras.moonri.com/x.chm
ras.moonri.com/l.exe
ras.moonri.com/pop.exe
The network logs clearly show which servers the unrequested software was downloaded from. Please note that both network logs are quoted:
ras.moonri.com/x.chm
ras.moonri.com/l.exe
ras.moonri.com/pop.exe
download.moonri.com/pop.exe
www.mt-download.com/MediaTicketsInstaller.cab?refid=2173
iehelp.net/counter/help.chm
start1.aaa1screensavers.com/30005.exe
newupdates.lzio.com/aug/current/autoupgrader2.exe?affid=30005
www.iehelp.net/l/webdlg32.cab
www.iehelp.net/l/winsx.cab
www.iehelp.net/l/webx1.exe
cafeden.biz/poker.exe
61.131.54.618.cc/bin/BHO.dll
install.searchmiracle.com/silent.exe
yupsearch.com/protector.exe
yupsearch.com/sideb.exe
yupsearch.com/silent_install.exe
195.225.177.37/X.exe
cafeden.biz/tetris.exe
eza1netsearch.com/dl/Sweden.exe
cafeden.biz/lsp.exe
www.spysheriff.com/trial.php?rest=0&ver=1241732&a=00000038
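As an added example (not code from the original article), the following Python script walks an ordered request list like the two quoted above and reports the first fetch of an executable-type file, the request that immediately preceded it, and every host that served such a file. The request list inside it is a constructed subset of the requests quoted above; the payload extension set is an assumption.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample: a subset of the request sequence quoted above, in visit order.
SAMPLE_REQUESTS = [
    "judin.ru/",
    "judin.ru/images/103.mn.jpg",
    "images.jps.ru/spy.jpg",
    "judin.ru/images/memo.gif",
    "ras.moonri.com/e.html",
    "ras.moonri.com/x.chm",
    "ras.moonri.com/l.exe",
    "ras.moonri.com/pop.exe",
    "download.moonri.com/pop.exe",
    "www.mt-download.com/MediaTicketsInstaller.cab?refid=2173",
    "install.searchmiracle.com/silent.exe",
    "195.225.177.37/X.exe",
]

# Assumed: file types a page of photographs has no reason to fetch silently.
PAYLOAD_EXT = {".exe", ".dll", ".cab", ".chm", ".msi", ".scr"}

def split_request(req):
    """'host/path?query' -> (host, path); the query string is dropped."""
    parts = urlsplit("http://" + req)
    return parts.hostname, parts.path or "/"

def is_payload(path):
    return posixpath.splitext(path)[1].lower() in PAYLOAD_EXT

def triage(requests, visited_host):
    """Return a report with the first payload fetch (index, request), the
    request preceding it (the likely exploit page), the first third-party
    host serving a payload, and all payload hosts in first-seen order."""
    report = {"first_payload": None, "landing_page": None,
              "pivot_host": None, "payload_hosts": []}
    for i, req in enumerate(requests):
        host, path = split_request(req)
        if not is_payload(path):
            continue
        if report["first_payload"] is None:
            report["first_payload"] = (i, req)
            report["landing_page"] = requests[i - 1] if i > 0 else None
        if host != visited_host and report["pivot_host"] is None:
            report["pivot_host"] = host
        if host not in report["payload_hosts"]:
            report["payload_hosts"].append(host)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REQUESTS, "judin.ru").items():
        print(f"{key:14s}: {value}")
```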
The following are some of the system changes made during the exploit. Changes presented in the previous article about Judin.ru are not reiterated here. Note that multiple logs are quoted.
C:\DOCUME~1\Roger\LOKALA~1\Temp\loader.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\System32\ddywt\ehfslm.exe
C:\WINDOWS\System32\popupreporter.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [checkrun] c:\windows\system32\eliteskg32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/6.cab
Network logs (1, 2)
HijackThis logs (1, 2, 3, 4), (1, 2, 3, 4, 5, 6)
SystemSherlock logs (1, 2) containing the names of all files and registry entries that were added, deleted or modified during the exploit.
For your reference I have generated md5 (1, 2) and sha1 (1, 2) hashes for the files added during the exploit. Files are also available for analysis upon request.