Monthly Archives: May 2016

Analysis SecureStudies.com OSSProxy MarketScore OpinionSpy Adware/PUP/Trojan/Malware comScore vs Nielsen

A few days back one of our Virus/Malware file submission sites received close to a hundred executables from two IP addresses over a one-hour period, all comScore, Inc. related samples, with AV detection scans run against each file. This activity flagged some interest at first because the binary files were for various operating systems such as Linux ELF and Mac OS X, plus various Windows executables with different creation dates going all the way back to 2010. Was this comScore submitting its own files for analysis, or security researchers?

The scan results for all the Windows variants conclusively pointed to Adware or clean, with virtually no detection for the OSX or ELF binaries beyond a few clean and a few trojan/backdoor results. Mac and Linux users are usually not the targets of malware writers, whose targets are usually the masses, for monetary gain. A quick Internet search revealed that a few Mac security sites were flagging the OSX files as an OpinionSpy trojan backdoor, which meant it was time to fire up some VMs!

Immediately it was apparent what was happening: Mac users aren’t used to dealing with Adware, and when they install a program there usually isn’t much of a user agreement they have to read and accept. The Mac community may think it is rather progressive, but to a lot of PC users they come off as unjustifiably snobby and self-righteous with their virus- and malware-free operating system hubris; they may have a case. Point of fact, Trojan.Spyware.OpinionSpy is what PC users know as annoying Adware, and they gradually learned over time that it isn’t a good idea to install suspect applications.

Upon loading one of the Mac binaries, a user agreement was presented which detailed that this software will track your Internet behavior and send it back to its makers. This is essentially the same type of agreement that TV watchers enter into when chosen to be part of the Nielsen Ratings program. Nielsen would be seen as more prestigious, as they select only a limited number of users to send their custom TV watching and tracking box to. The obvious difference being that if you decide you don’t want your watching habits going to Nielsen you can disconnect the box and walk away; uninstalling software, on the other hand, must be a taxing endeavor for some.

[image: opinionspy]

After installation there is a toolbar on the browser, and there is network traffic with a custom OSSProxy UA string sending and receiving data from PremierOpinion.com and SecureStudies.com. The software uninstalled rather easily and the network traffic stopped; this was the same for the Windows executables, which had some annoying surveys and pop-ups but nothing even remotely malicious in nature. This software falls squarely into the realm of adware/behavior tracking; the benefit of installing it is that you may earn a few dollars or prizes for completing surveys.

The references to it being classified as spyware or a backdoor/trojan are false, both legally and Internet-security-wise. By accepting the user agreement you are allowing the software to update itself, which can lead to more adware on your system. The company that pushes out the various marketing and survey-taking software is an A+ BBB-rated, billion-dollar, publicly traded corporation. They are not spawning reverse shells and taking over your Macs and PCs; one Mac site even claimed they found the hidden site publishing the size of their “botnet,” which one can only find amusing. Wonder if the FBI knows how to work the Google: “largest malware botnets in the world.” Go get them! lol

[image: trees_knowledge]

There is something else that is rather amusing: Symantec did a write-up in 2007 claiming that MarketScore (a Windows version of the software) was a type of spyware and left it published, apparently forgetting that they now support and scan the company’s sites.

Maybe they should have pulled this before taking their money:

https://www.symantec.com/security_response/writeup.jsp?docid=2004-042117-5317-99

Money changes everything:

[image: opinionspy_norton]


—————————-
Commercial Infrastructure
—————————-

comScore owns thousands of IP addresses that are rotated through the DNS resolution for securestudies.com and premieropinion.com, which they have owned and used for over ten years now. If comScore’s software were even remotely malicious or illegal you’d see something similar to this on their website overnight. The FBI can seize any commercial domain name pretty much at will now if there is any proof of illegal activity or anything warranting an investigation.


[image: fbi]


TMRG and PremierOpinion are two of the larger pieces of comScore’s marketing solutions:

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free. PremierOpinion DOES NOT sell personal information; nor do members receive any advertisements as a result of their participation in PremierOpinion. Responses to surveys are aggregated and the results help determine the content that members see when they surf. Member participation in PremierOpinion surveys is completely voluntary. We appreciate our members taking the time to answer the survey questions.

http://www.premieropinion.com


TMRG is a service of comScore, Inc., a leading Internet ratings system that provides insight into consumer behavior and attitudes. For assistance with your market research needs, please complete comScore’s Information Request form and someone will contact you shortly.
https://www.tmrginc.com/FAQ.aspx

The parent company:

ComScore Inc
Market Researcher
Address: 11950 Democracy Dr #600, Reston, VA 20190
Phone:(703) 438-2000
http://www.comscore.com/

[image: bbb]

comScore, Inc. (NASDAQ: SCOR) is a leading cross-platform measurement company that precisely measures audiences, brands and consumer behavior everywhere. comScore completed its merger with Rentrak Corporation in January 2016, to create the new model for a dynamic, cross-platform world. Built on precision and innovation, our unmatched data footprint combines proprietary digital, TV and movie intelligence with vast demographic details to quantify consumers’ multiscreen behavior at massive scale. This approach helps media companies monetize their complete audiences and allows marketers to reach these audiences more effectively. With more than 3,200 clients and global footprint in more than 75 countries, comScore is delivering the future of measurement.


[image: ossproxy]


Surprisingly there were only 5 complaints listed on BBB.org; I would have thought a lot more people would be annoyed. All of the complaints were from someone getting their first taste of some annoying adware, and all were resolved, with comScore actually responding on how to remove their software:

[image: complaint]


=======================================================
Here are some interesting binary strings pulled from one of the executables

You can note that it does install with a full uninstall package

You can also note that you will be getting a bundle of other adware loaded

There will be ads!

There are browser hooks!

=======================================================

Permission Research
The following value-added programs will also be uninstalled as part of
the %s uninstall process:
%1d. %s
Do you want to continue and uninstall all of the listed programs?
%s cannot be uninstalled until all value-added software
obtained through %s has been uninstalled.
Do you wish to continue uninstalling the value-added programs?
Uninstall Confirmation
OSSProxy not shutting down in a timely manner.
Removing StartMenu: Failed to get startup menu folder[%d]
Remove: Unconfiguring LSP.
Remove: Unconfigure LSP failed.
Removing OSSProxy.
AddRemovePost
https://post.securestudies.com/ossremove.aspx
Software\Mozilla\Firefox\Extensions
shfscp.dat
nscf.dat
ncncf.dat
egdcf.dat
asmcf.dat
cm.crx
Software\Google\Chrome\Extensions
Software\Google\Chrome
msvcp71.dll
msvcr71.dll
Software\RelevantKnowledge
Remove Successful
Software\Netsetter\OSSProxy\Settings
BundleInstallPost
Software\Netsetter
https://post.securestudies.com/ossreceive.aspx
?CAMPAIGN_ID=
&MACHINE_ID=
SOFTWARE\ScreenSaver.com\Relevant Knowledge
&%s=%s
&%s=%d
Software\SOFTWARE\ScreenSaver.com\Relevant Knowledge
OSSProxy::Initialize startmenuRuleContainer init failed[%d]
Install: OSSProxy failed to create BID[%08x].
Install: OSSProxy install failed, no Internet connection.
Install Failed
You will need to have an Internet connection in order to complete the installation, please try again later.
Installing OSSProxy.
Install: Bundleware installation for campaign: %s
Install: failed to configure bundle machines.
Install: OSSProxy installed successfully.
OSSINSTALL: Requesting country code and language....
OSSINSTALL: IPCountry='%s' languageID=%s
instLanguage
OSSINSTALL: Country code request failed!
Install Successful
OSSINSTALL: Retrieving previous 25 HTTP URLS....
CS_INSTALL(%s)
http://oss-content.securestudies.com/cidpost
C:\Documents and Settings\Public\install25urls.xml
C:\install25urls.xml
UninstallString
re you want to uninstall?
brandinfo
OSSProxy 1.3.336.331 (Build 336.331 Win32 en-us)(May 12 2016 11:22:41)
SystemVersion: %s
OSSProxy was installed with another user, aborting
DisplayName
Install Failed: You must have admin right to install
OSSProxy 1.3.336.331 (Build 336.331 Win32 en-us)(May 12 2016 11:22:41)
OSSProxy Console
Console Window should be visible
eyixayt.rkr
rk.exe
AutoUpgrade: Searching for the newest DLLs
OSSUPGRADE: Country code request failed!
StartUpgradedFile
(Startupgraded) Executing %s %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
\sporder.dll
http://hawk.securestudies.com:80/ue.aspx
\ossproxy.exe
\osmim.dll
\ossservice.exe
service.exe
\dompilot.dll
\dompilot3.dll
\osspdf.dll
\ossproxy64.exe
\osmim64.dll
\osproxy64.exe
Initializing BrowserMonitor
BrowserMonitor
BrowserMonitor: Initializing BrowserMonitor
BrowserMonitor::Initialize: Waiting 1 Sec for shell to initialize
BrowserMonitor: Exception trying to connect to ShellWindowsEvent
BrowserMonitor: Failed to connect to ShellWindowsEvent
BrowserMonitor: Shutting Down BrowserMonitor
ConnectToBrowsers %x
BrowserMonitor: Connecting to browsers
ConnectToBrowsers Error(1) %x
ConnectToBrowsers Error(2) %x
BrowserMonitor: Already connected to new browser (disp:%08x)
ConnectToBrowsers(2) %x
DisconnectFromBrowsers
BrowserMonitor: Disconnecting from browsers
BrowserMonitor: Disconnecting from browsers (HWND)
BrowserMonitor: Disconnecting from browser %08x (hWnd=%x)
BrowserMonitor: Checking %s,%s for survey
BrowserMonitor: Checking Exit Survey
http://post.securestudies.com/upgraderesult.aspx?
http://proxycfg.securestudies.com/oss/aolnontlm.htm
aolopenride.exe
aolhelix.exe
aoldesktop.exe
chrome.exe
wcs2000.exe
https://adv.securestudies.com/ADVPost.aspx
AdViewPostURL
http://adv.securestudies.com/ADVQuery.aspx
AdViewQueryURL
http://rules.securestudies.com/oss/rule32.asp
DownloadTestRulesURL
http://rules.securestudies.com/oss/rule31.asp
AdViewRuleURL
http://rules.securestudies.com/oss/rule23.asp
VeriSign, Inc.10
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
111222000000Z
131221235959Z0
Virginia1
Reston1
TMRG Inc.1>0<
VeriSign, Inc.10
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
[0Y0W0U
image/gif0!00
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
VeriSignMPKI-2-80
VeriSign, Inc.10
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA
Symantec Corporation100.
‘Symantec Time Stamping Services CA – G2


Adware loading Malware for Monetization? System Healer Social Engineers DNSChanger/Dynamer 185.17.184.11

Typically, malware is installed through the use of exploit kits, spam e-mails, GIFs laced with executables, torrents and so on. That being said, there is a fairly commonly downloaded software package known as “System Healer” being downloaded on the interwebs which claims to speed up your PC and optimize it. Are Sethealer.net/iSystemHealer.com/MagicPro.org serving up Adware or Malware, or both? Where is the line between ADWARE and MALWARE really set? Typically they remain Potentially Unwanted Programs (PUPs) until further information emerges.


They are using .com/.net and other domain names easily seizable by the FBI. I am dubbing this Kamikazeware, as an “infected” or “affected” individual installed this package manually, infecting themselves without the crimeware perpetrators having to exploit vulnerabilities or lift a finger to take control; you gave it to them. After I installed the package I was able to kill it from taskmgr, disable it from autostarting and uninstall it; after doing this, all traffic did stop on the next reboot. Maybe it is lying dormant? I’ll have to rip apart and debug the binary further and update this post.


Software shown below:
[image: Adware loading Malware for Monetization? System Healer bundles DNSChanger/Dynamer Malware Kamikaze 185.17.184.11]


This package has been observed being downloaded as a drive-by download: I found it while browsing a torrent site, and a popunder launched asking me if I wanted to speed up my PC (my VM reflex kicked in), so I grabbed a sample of the package. When browsing to the site hosted at isystemhealer[.]com with the crafted advertising URI, I was prompted for a download, which I downloaded and ran. Surprisingly, the installation was that of typical adware, which required my permission to install the software and accept the user agreement, which basically attempted to legalize or legitimize the installation of malware: Kamikazeware, Adware on crack, or whatever you want to call it. Once installed, the System Healer software will start collecting information on optimizing your PC while acting as an Adware Downloader or Malware Downloader; it downloads software using the very commonly used adware installer package Nullsoft Scriptable Install System (NSIS_INETC) User-Agent. After about an hour had passed, close to 30 separate executables had been downloaded by my PC, installing Adware/Malware/PUPs; virtually everything installed would be considered “RISKWARE” by the industry. Multiple anti-virus programs I utilized did not even blink at the installation and utilization of System Healer.

Here is a sample of what the traffic looked like after downloading the initial executable:


2016-05-11 21:55:00.267437 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [P.], seq 0:312, ack 1, win 256, length 312: HTTP: GET /351002513/SystemHealer.exe HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: da.systemhealerhost[.]net
Connection: Keep-Alive

2016-05-11 21:55:14.132105 IP 192.168.1.107.60938 > 104.16.93.188.80: Flags [P.], seq 0:197, ack 1, win 256, length 197: HTTP: GET /COMODORSACodeSigningCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.comodoca[.]com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

2016-05-11 21:55:22.293977 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [P.], seq 0:247, ack 1, win 256, length 247: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&hid=d93625a4c3271e540f699bb2e10a905e30ab1da2&os=5.1&tr=351002513-US-263&a=NA&adm=1&x64=0&sil=0&st=201604131&e=200 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache

2016-05-11 21:55:22.440974 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [.], ack 330, win 255, length 0
2016-05-11 21:55:22.464772 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [P.], seq 247:453, ack 330, win 255, length 206: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&e=210 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache
Cookie: __cfduid=d80d2ae57f7dbe30dc7f86ac9c2c035771463018102

2016-05-11 21:55:31.227008 IP 192.168.1.107.60944 > 199.180.184.220.80: Flags [P.], seq 0:129, ack 1, win 256, length 129: HTTP: HEAD / HTTP/1.1
Host: dyn[.]com
Connection: close
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)

2016-05-11 21:55:32.539860 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [S], seq 4217015879, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2016-05-11 21:55:32.540076 IP 192.168.1.107.60946 > 185.17.184.11.80: Flags [P.], seq 0:1460, ack 1, win 256, length 1460: HTTP: HEAD /u/?a=qxWTS_llgtS7G1TYGxSzASkn3QtHt_N6AxwfRwBezvcwoJfGmmmyR4Sfqj4xbfja5PqAy1kpTXxE3sHcAWOlj2fklVybBeJreNI5HrZ6bZjlD4-lbRANsHFZeZF5J010FxOSMmOEMkq-QkaNlBPmYUfg7BSioKJst1JnT1H1stqKZh2WeuW5OKfwNpV10daJYgI34wuUfCwTV-uef0gzvzrpeQP4qiBo0Fp_f88PdDOXndhA8QKTBDkX4JkWkVD8ApvSeWjufLRQww0l8psJGSqrsNbt_j_gnwhkBUppKmEqbTvN0R1GpjxEFW32omeEnguytO9VerujsdLwQoMyNYZVIn_5I8YojmKol_MrBZ6E2m9EtXLoaTWjbJ86vBD-iMBhMtGCdXH2IF2h6WBw7DVKZ0kMOwbODPt0R9Stfl6MI5Zmkk4c-_ARCkFNd8VdrqlOKEOD2byp4e_ppGsWJoNWWXss25XqYtxSQT4DeP-Bd5h1yjcAI_uR3MMRhgBCNpC7NDGA3DXgKh4tOfDtv-5ZhqHZ8ayMoIdhQ55ffJ8HuUh9KZpRQpT7oMzHjgwzv8b5_5rR5dglkDybKzlEuVey9_ugHxTwHy3NAPp9rBI0L8NC9wanZF1PsNf2LFWFxQelfh8_xxWr575L55FOgpvS7ZuLOkJTdzzpD4UnM2lCvjJy1J1LQxPx5NFCa3mF5U9JxwyAMdDX6VnHyY3rdrdqxEdAP4EAIVJBqCruuz_P-YRKZvbhMQhI1QXTF_hQxsEHKtZxSyXWfnc9X83Cj6U3HeQ2_s_pAnixFvcuI6sXntZxHUtMRUYZicECjxa5nM8IfumrOBTM-gbLIQGMcQ7aikGC2fOJ2uLTYUWSNYW0Q0OehB57wmb-DUwJGElehbiQWpJyanBwRdSIQH7XNUV53eblTucMzfdLDQjPJFvVjbERaZPLNxLAdhro7RT-xmr08D-bRedtgz2XfGfFHWELnCI9aij3BXQV9KBN74N7TXXuVGvhz4WyP5L9L3vTKwTuvyKEML6RKzauvwDO0X8xZLfMkYrzgZq0dMVjYed2RgIVEchXUuMiTte61ajGf1sS8AscJogEz4D1pc82OVQKavGA&c=qAWxpc6VBUkXTNC1ZQaEy6V864dakTFHeXdl7gMQe_P0ffk4ovlDWQXpttHcfYzpkgpik_aj3I1D4dIo7GVwK6n9AXqJl0TL5DLm5XGsE-Ap1D901XnnFUbJmvInA6tAl66rk4-RFWo01_sYIHfJz3qJWjl_Kq-VvIbIjlNXF5lIl0R-Z1dp8t76gF2wMOIUadELU1a3pT2dfIHIuV9toWv6W_0al2xTrrQJsRCiY32D38HT2qmfIro6K0NwfFIZ2_vJtv4guiZJnVcC-CDYmUTXEicco_BqUT_6lhHaOajWnKi3IfJcU8S6BGR5piKURMGGmA-ChG[!http]
2016-05-11 21:55:32.665771 IP 192.168.1.107.60946 > 185.17.184.11.80: Flags [P.], seq 1460:2250, ack 1, win 256, length 790: HTTP
E..>.h…..!…k…….P…e..n.P…….J8FJETkMDqjbP721bLZqPku3KssNMajH3UL_efjj0i6vdTqPqZGFI5Ggxf1ws8_8-3p0wOj4dKfPfh8cdgBq4YGT7CA1SLqZ10XdyirL0TVb3L54vUbDKZq8FkokCRc7PyaM8yzDK5KcWT7GHrmz4XdOeiP4wfs_Wx_vvBnTNjaUBKwSRVXOYjHeqg8ynAkZZ_qgUOr5_surDSkKezvKaNkofgzYCgPBIx_4m1PRVn_dyTllsdt40q8lnJLUn2HZnyTvR8dekgZjqKLZ-nrYEo06tY2SWKbGKc_l59vhzfh0AbJ1_k_MjbDDCl-TjJEeNYjl0FpIR-rNGbuAEm_4whl5lY3Lkapfb7TfuJSg066H3jhVYSHNcHynDo_fumoy3qKiJzwKshUmRgXODakMmJMajKwcew_mwLsAFjztiAEXvo2tymLla1AP7z8e5ra9VfqF7Vpt8cCzz7-s6pG1f3HHR20jZzVlM98SFkoUVnkGrj72HPsxrCITksCZuPA-Cc0Ajc9TVgkJVSCBpmxy3pOOEsQ5xasjJzIqH2FKW7Jk9H37_zWyt7sT7xcrJ2Xci9Q3sipLW6Ncg&r=792735003519943452 HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)
Pragma: no-cache
Host: sethealer[.]net
Connection: Keep-Alive

2016-05-11 21:55:32.680833 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [.], ack 2827879072, win 64240, length 0
2016-05-11 21:55:32.681570 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [P.], seq 0:1460, ack 1, win 64240, length 1460: HTTP: HEAD /u/?a=2RySj4iFJzp6WKBCamF80A5rm2mBu2k-zqqxSq1jBd-YIikJ_Vb-LifvY94weA9GsgMOh_hlhJotpT-MDAaAyokWvOcyg36TXHbwsG4luKjlQuiJ66As2Esz1M08zjrNbCEt5OQl3ch4bxNww33ML3EKSRau09EOmWXcWLmtZMgC4YCQvc2Jw8ilOTcrrc4UGca0ysFDmCABvht1TCUyBAMmoWCBSW48Y69HYF6PhBlKZr7RuPJYmANckOFCbXKtM2wXL7FO9eSbnkWwUXS3yuxEGuaJb2Lo2eOq1e8n8BdACVmoL1ChHzIgVgCxAH-d00cIS4JqYEbq32IXLXSIvilFMjrikgPmzmY95_QmbteU7DLyQ_UzUXGXr0UyCKa_O2azpHyu9ozmrQ7ed3kpMSR4W3C2WQ6Tfnf9E8n_XnFgCzUgK617TvFVM5rayR4ZhHnfmZIsnShr0TFKWZzqTbfr67wJh66fnX7nhTbCNxE32isIzvErTpGPA7I7Y5CohL2bJWwTeumfi3MdwSW9WdYrK13BmAa9Q9Ts746xFklxFDW6DduKCqZpl_8d2wRzkJrTHjiJyRrFEEg_VN7cDqn0uak70SrN_kZ3G9W1Ofi5PdTcLE8R28TeG3GlhtL0dbmTjzx1CozjAqn-JJV2tTyxsM41SbUYAOA3uXQ6zrFe9N44jcbWy4h5nYhD93sMHnPgsw5Mvtbgpxfk6x3Ze4lkh1i2-JCS135ih5j4U_jnw7n0xvfpnf-dYAo3HZ44KEMHsa2mYKWPJAIbKOVgo3w3_oavJYEkr-YpPAg2qVMEGGU8DebjGocXn5gum5BMUkuWx3qLxeb_OCjvM5igvQHe72-YgAHEderraz2dqCd40OJPY4SXo1JQMik5Lh6luDUvUMaPsqgAyBZE5o6nhLYCgOv1g3hWHOJmip_aMyiUxD8wXLM1neqllhTU-_J61DPIJzXAAxhDZnZ_htuZ_MregaODRg06k9F-WoRHIskD9LXCc3TISfuN3C4HUbpseh5Qvgom_Ef-J8ZqGN6xpT2cxY_K6D3mLPwfLCKk12f0juIu3o2KmcitGsH64VnaNBy8jdMMnJZBe9Jk1yIvP_mSzz7jtm-nr9q&c=Ps8iX6-91_xE-aJFHzC391RC1YEKzdV4ghwDYmL1qGXS8ZtCY-ZsfuFxRvRKG09e1-mQyzgQmjIO8LcJNl_PEAwaRr-KEThONaUtmSHcpuWZbJGDvOGs2FGTbhmG2aHaebl_8lZjBpXdkEfkhqt1nTs4QEyTJX5lBUSGinWzBKw8miLdl18b78x7QnYMxL5VM0RGZqer0gWTB-j_eXavUMjUJsn2IhN9s4Cx1eFlpOpbPvCpnusD2zcT0KqOU3zGbZcg1Nx9jEtN8l2sgc12qhCfXrmnuqpBXqt2HYhJ3GwBI_rWGf-l5KseSETaGKf9WAe[!http]

2016-05-11 21:55:32.813485 IP 192.168.1.107.60947 > 185.17.184.11.80: Flags [P.], seq 1460:2258, ack 1, win 64240, length 798: HTTP
E..F.m………k…….P.Z……P…}…QOyyO94LX_krToiT0V5kI4Gsp2wyyJ48—w80ZzKQ6Re-0LTdbI2h9qIWIJYxaSZGQaOIkSt5_sAgAFHjOtIsHh_vW2wYseobwTu6gcyVdiL0Zr8Q4BcisNcWE7PrPtUffJce_UWy7i8QpTLNUU3wUuHj5HRzC9XOdGCcPg-y3p8ULPgVYv7JWct2J56b8PbZ7TDMSEWnCijGeIeHjVnbbfNc5ja879ZcclXr4FbAJf9iUCc7wWriIG6d6-7qKSIuK7wnnEEfdK1SLxN8VANjLRHsMGRPVdDOgPRFVljsr3kl6OwbWK811_keSk5LxMJTTjW4yeqSHz35h7lJX2mn6g7b9LcOlr7EifBdkxszIUOzhIqJzfdomDipTUwzh-8lhyjV-5MBt8EZ_14Me5maV7524fzZkoDLIFhFESIw0GzsYfu-eE5or-nvC8WXD3azkNp4p56r63bn-aGocvrXXLhCMvyhZqdTwiW96c1M4udLTHtE9obCk8fNWclwCqf-oSXCZaEtH9gF4jPdTF1fBpijs-kbci6VVMr4EiqUA76pdQp4DeuGllvhLzzUocPxuwAF9VZzol3fwsnKmP&r=4331930647698152838 HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)
Pragma: no-cache
Host: sethealer[.]com
Connection: Keep-Alive


2016-05-11 21:55:34.086546 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 0:209, ack 1, win 256, length 209: HTTP: POST /u/ HTTP/1.1
Host: zipoffice[.]info
Connection: close
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Length: 2093
Content-Type: application/x-www-form-urlencoded


2016-05-11 21:55:34.086580 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 209:1669, ack 1, win 256, length 1460: HTTP
E….s…..x…k…….P..w….vP…#…a=w4alrcxsYHZixanusZ9sNjl08URmJVkHsVcEa3oasFZJyvcbjI1Jh_1oJEJHNN1RD6SHD0yuuUXTXXrPvI98WrXarh_ikl68f0L5CKu7f55fvaGVQMFDRowOTocePvWGSwbp_xx12UPlPEwD415IP6a23yCCFpmjnKKvdHv-8xOcMejvRerNMM7FoK_eHIoNq_YTEVYCeAeAlwge6E8LtXFC31ukQpBwFhjVzfR1qQzmBIhwi5PJDCwWfpqfNqklrYf0CYDO7gURtyk_AhylwH_4HQVFCm3pJH354BXQ08WexNlBizERAybc8dFeEwgxOM7mnv54MBcPweOtM9nrUIohThsc-nAQGxM7Fk55rXqZUAnXHeErrMOD2csufa4-j5R8NYFqVbOJtTitYFs_rKzQjm02LgrnWiNlhPVagNMpeXC69v3yVbjKccjKJQ1XnXOOu02DjxQI63ZCx0F-xP1Qhs0O214m7K2IuaqegaP0Ho2GzbmC2jaORJCI9-DUg94mfmCz-HJ2WdK5CIiMAHqJRIwbspKBmpVBmQEvxT1nb28Ri9xoPa-cZ82BCna_PQmskpZ2gv0–Gj4RuYpdmFGIm6F5pENUDpcY4TqiXEFKWh1a-Ch5wy-Ta0vwZPbW83sOitCQrFNTmbhjitBhD3zx5iwyRhkA0SxkUIk1_zC7M7y5Bej4wT9TAorn6LDv75ZE_79YOge62qP0OXlFGVkrKVnp87FHFITfjx_R0xLENnIGHAJNVbPChbmpU9ZtxrCGV5bb0dEF4CNVlKp3EotLBRna96XnnXD1MnppSrVVJ4AcmbEvEVdzVkfSQBPyOTN-HDp6Kb-WE-DRL_wZ-8ocUDM4QatX2IDfDxgLvT9-719KhGZblalXZ86bzlevYdV3CcUC4zG0GRwQSOElg7_jaLuQDb8d13eazFE8ElS7w1RLL2i-S9wcmI0dIqzEodSUjel4D5rPIAG9tIgA_tmopQ25hjme43c_0PcwSUmcj2l7GG0vuul1DXxqvXWfG-8MiNGvfuu0QWgi-LHJq1j7Gu0B4Mo66TaYYapw_SH-HVvuLh1ujFcWFNEyBn_UJ5M9CEexmaV&c=x0onH5I5qsGBrCNjkobe3X3XFJV02vyIoTKAqKpgXyNfGyrOV4e2nl17-52_FCVMbHWBlrqUKbu08upuc94Zk6qLw0hTklNbD8jlTxK7Fd0wrbvCj50DC0ZR-7M8f_r6vT3I_ywFamHsDmRYZG4URnWpSK9Fn2hLHBDDv3ONRiDnulxldF0EiWLqIVG_eupnuFHO9BiCqM5pTQKkk-Z0Dcv0QZUu7sGTrpGQQzh8TsoF4ligvwAemZdg8NgXrWfvpktJvQz5AgnfFUU3WBuD5Zz9WEH2Mk73qXyyTAiLl39Za4m_lFlHi5KW1DJFjR_DxhAwI9d0tPd8r-fd7AIHIpNKf3jUJ9j-bu9
2016-05-11 21:55:34.230572 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 1669:2302, ack 1, win 256, length 633: HTTP
E….t………k…….P..|….vP…….zATBMxdGYDAoEOkplK0NAMkI3-S74UYx9dRLcn5EFkVhDf4C1yOXgSSoZvJcmcji4XdfLpM78CBEDZzwucIO3IabQUOWw8j25Dw7D_yAo1eRrwtNb9tcvcigDd0Kt6jEPZaemgzbfuxMJfofnouiVI9sW-fjPgEY2sdKFVWjwX5AbYMuipMcOQMLhow2vknQjWmjF-AipDLRI4Vl49KMB3IJ3GdkNEtk8kCcx6XG44R_-z3GmRMic6WWSiYKeCayYbeucWrfwmpn-HZCvps7s_0KIaQaQQfkFDIQm5A2EZ1YBbXtwauRxqeBB2GdMuTPALwB71ifos0oL5qmYdnh-zZ0zK5reTUkYvARsWAsG1lEF9JwlXeT_624d9FHdmILhbz5xcAHuntDutZ4s8bHFGRRNP-xBiWlKI67KkOQ74aPbo9IC6Ogofxz_UCo9C3FaElctTsSbVr7Xqp1InDghpBS3PmFAuKd64cseBHfs9dgpFKI4_uyZcioz_ZBXdMI931tlApNXDLXzp4W7JlJNviNcIR-oyYHv3loKwmJ3ZNlctVdmCXx&h=cQ5YlgOfn61tZo8IEirioecEzVKcwERMtmLP5670P_eg&r=5634697514542173977
2016-05-11 21:55:34.375051 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [.], ack 155, win 256, length 0
2016-05-11 21:55:34.375697 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [F.], seq 2302, ack 155, win 256, length 0
2016-05-11 21:55:55.078478 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [.], ack 5045813, win 1112, length 0
2016-05-11 21:55:58.841290 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [F.], seq 312, ack 5045813, win 1112, length 0
2016-05-11 21:56:00.186514 IP 192.168.1.107.60938 > 104.16.93.188.80: Flags [.], ack 99441, win 256, length 0

2016-05-11 21:56:13.080690 IP 192.168.1.107.60960 > 104.31.87.37.80: Flags [P.], seq 0:357, ack 1, win 256, length 357: HTTP: GET /t/i/sh?sid=351002513-US-263&dt=1463018139&gid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&mi=d93625a4c3271e540f699bb2e10a905e30ab1da2&tz=-5&ln=1&lc=0&bis=0&bief=0&biefx=0&bif=0&crg=0&os=5.1&f=506455860 HTTP/1.1
User-Agent: System Healer
Host: ba.systemhealerhost[.]net
Cache-Control: no-cache
Cookie: __cfduid=dea6c4c57171fde2b0220bd19fe6b807d1463018080

2016-05-11 21:56:13.343002 IP 192.168.1.107.60961 > 104.27.172.72.80: Flags [P.], seq 0:215, ack 1, win 256, length 215: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&du=51984&e=400 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache
Cookie: __cfduid=d80d2ae57f7dbe30dc7f86ac9c2c035771463018102

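An added example (not code from this post): a small Python triage script that parses `tcpdump -A` style request blocks like the capture above and flags the traits this post points at, namely non-browser User-Agent strings (BI/0.1 and System Healer here, the custom OSSProxy UA in the first post), the doubled "User-Agent: User-Agent:" header, opaque encoded query blobs sent to a bare IP such as 185.17.184.11, and one client claiming Windows NT 5.1 in some requests and NT 6.2 in others, which the quoted capture shows. The sample capture is constructed from the requests quoted above, with a synthetic blob standing in for the real encoded parameter.

```python
import re
from collections import defaultdict

# Summary line as printed by `tcpdump -A` for a packet carrying an HTTP request.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*: HTTP: "
    r"(?P<method>GET|POST|HEAD|PUT) (?P<path>\S+) HTTP/1\.[01]$"
)
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
OPAQUE_RE = re.compile(r"^[A-Za-z0-9_-]{128,}$")  # long base64url-looking value

# Constructed sample in the shape of the capture above; the real encoded
# parameter is replaced by a synthetic blob (BLOB) so the text stays short.
BLOB = "Qx9_Ab-7" * 40
SAMPLE = """\
2016-05-11 21:55:00.267437 IP 192.168.1.107.60930 > 104.31.87.37.80: Flags [P.], seq 0:312, ack 1, win 256, length 312: HTTP: GET /351002513/SystemHealer.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: da.systemhealerhost[.]net
Connection: Keep-Alive

2016-05-11 21:55:22.464772 IP 192.168.1.107.60939 > 104.27.172.72.80: Flags [P.], seq 247:453, ack 330, win 255, length 206: HTTP: GET /inst?sid=AE4C637E-E1E1-42DD-B34B-68FE3D47FFE2&st=0&e=210 HTTP/1.1
User-Agent: BI/0.1
Host: isystemhealer[.]com
Cache-Control: no-cache

2016-05-11 21:55:32.540076 IP 192.168.1.107.60946 > 185.17.184.11.80: Flags [P.], seq 0:1460, ack 1, win 256, length 1460: HTTP: HEAD /u/?a=<BLOB>&r=792735003519943452 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2)
Host: sethealer[.]net
Connection: Keep-Alive

2016-05-11 21:55:34.086546 IP 192.168.1.107.60948 > 185.17.184.11.80: Flags [P.], seq 0:209, ack 1, win 256, length 209: HTTP: POST /u/ HTTP/1.1
Host: zipoffice[.]info
Connection: close
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Length: 2093
""".replace("<BLOB>", BLOB)


def parse_requests(capture):
    """Split tcpdump -A text into request dicts (summary fields + header list)."""
    requests, current = [], None
    for raw in capture.splitlines():
        line = raw.rstrip()
        m = SUMMARY_RE.match(line)
        if m:
            current = dict(m.groupdict(), headers=[])
            requests.append(current)
        elif not line:
            current = None  # a blank line closes the header block
        elif current is not None and ": " in line:
            name, _, value = line.partition(": ")
            current["headers"].append((name.strip(), value.strip()))
    return requests


def header(req, name):
    """First header value with the given (case-insensitive) name, or None."""
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def triage(capture):
    """Return (timestamp, host, finding) tuples for the traits worth a look."""
    findings = []
    os_claims = defaultdict(set)  # client IP -> Windows versions its UAs claim
    for req in parse_requests(capture):
        ts = req["ts"]
        host = (header(req, "Host") or req["dst"]).replace("[.]", ".")
        ua = header(req, "User-Agent") or ""
        if ua.startswith("User-Agent:"):  # header name repeated inside the value
            findings.append((ts, host, "doubled User-Agent header"))
            ua = ua[len("User-Agent:"):].strip()
        if ua and not ua.startswith("Mozilla/"):
            findings.append((ts, host, f"non-browser User-Agent {ua!r}"))
        nt = NT_RE.search(ua)
        if nt:
            os_claims[req["src"]].add(nt.group(1))
        query = req["path"].partition("?")[2]
        for param in query.split("&"):
            key, _, value = param.partition("=")
            if OPAQUE_RE.match(value):
                findings.append((ts, host, f"opaque {len(value)}-char blob in "
                                           f"parameter {key!r} to {req['dst']}"))
    for src, versions in os_claims.items():
        if len(versions) > 1:
            findings.append(("-", src, "inconsistent Windows NT versions claimed: "
                             + ", ".join(sorted(versions))))
    return findings


if __name__ == "__main__":
    for ts, host, what in triage(SAMPLE):
        print(f"{ts}  {host:<24} {what}")
```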

Open source information:


https://www.hybrid-analysis.com/sample/0b1026c619699a8a3b925a7a4c741d959a6a4b30e1e2603492b842ba3ea8d33a?environmentId=1

https://malwr.com/analysis/OGQ1YWU4YzJlNmE0NGE3ZjlkZjAzZmRmM2NiNmFhZjU/

http://blogs.cisco.com/security/dnschanger-outbreak-linked-to-adware-install-base
