Friday, September 12, 2008

Your Internet access is going to get suspended. - Once you install that rootkit.

Many people have received an email:
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists.
We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attached is a zip file, in my case user-EA49943X-activities.zip.

MD5s:
6ba40e29db8fb6f9145fde7a45708875 user-EA49943X-activities.exe
92d9f920d470e3bc12a33768893fd734 user-EA49943X-activities.zip

Once the executable inside the archive is run, the victim machine is infected with a rootkit and two seemingly random high TCP ports are opened.
The rootkit hides the presence of %system32%\cabpck.dll and %system32%\krnlcab.sys. You can check whether you are infected by opening a command prompt and running: type c:\windows\system32\krnlcab.sys. Unless you are infected, the response will be "The system cannot find the file specified."

At the time of writing, VirusTotal shows 22/36 AV vendors with signatures that detect the binary. The most common detection name is Goldun (spyware/rootkit/password stealer).

The Anubis results are here.

The following registry keys are created/modified to start the rootkit on reboot (the SafeBoot\Minimal entry means the driver is also loaded in Safe Mode):
HKLM\System\CurrentControlSet\Services\krnlcab
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys

Contact is made with either social-bos.biz or osliki.net. Snort signatures that watch for the URI content "data.php?trackid=" should catch infected hosts.

The "trackid" value is a hex-encoded string like:

706172616D3D636D64266C616E673D454E552669643D30267368656C6C3D3026736F636B73706F72
743D3439303532267665723D39412668747470706F72743D323638303626757074696D656D3D372675
7074696D65683D30267569643D5B43374132393038313039413641363141395D

Which translates to:
param=cmd&lang=ENU&id=0&shell=0&socksport=49052&ver=9A&httpport=26806&uptimem=7&uptimeh=0&uid=[C7A2908109A6A61A9]
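As an added example (not part of the original post), here is a small Python scanner that applies the same idea to proxy logs: it matches the data.php?trackid= URI, hex-decodes the value, splits it into fields, and pulls out the socksport/httpport values, which line up with the two high TCP ports the implant opens on the host. The proxy log format and the sample log lines are constructed for this example; the C2 hostnames and the hex blob are the ones from this post. A truncated or mangled trackid is skipped rather than crashing the scan, since proxy logs routinely cut long URLs.

```python
import binascii
import re
from urllib.parse import parse_qsl

# The hex blob from the post, joined across its three printed lines.
TRACKID_HEX = (
    "706172616D3D636D64266C616E673D454E552669643D30267368656C6C3D3026736F636B73706F72"
    "743D3439303532267665723D39412668747470706F72743D323638303626757074696D656D3D372675"
    "7074696D65683D30267569643D5B43374132393038313039413641363141395D"
)

# The URI content the post proposes as a Snort match, anchored to the host part.
CHECKIN_RE = re.compile(r"^https?://(?P<host>[^/]+)/data\.php\?trackid=(?P<hex>[^&\s]+)")

# C2 hosts named in the post; check-ins to other hosts are still reported, but flagged.
C2_HOSTS = {"social-bos.biz", "osliki.net"}

# Constructed proxy log format (assumption): "<time> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def decode_trackid(hex_blob):
    """Hex-decode a trackid and split it into its key=value fields.

    Returns None when the value is odd-length, non-hex or not ASCII text, so a
    truncated log line cannot raise part-way through a scan.
    """
    try:
        text = binascii.unhexlify(hex_blob).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return dict(parse_qsl(text, keep_blank_values=True))


def beacon_ports(fields):
    """Return the listener ports the beacon advertises (socks first, then http) as ints."""
    ports = []
    for key in ("socksport", "httpport"):
        value = fields.get(key, "")
        if value.isdigit():
            ports.append(int(value))
    return ports


def find_beacons(log_lines):
    """Scan proxy log lines and return one record per decodable check-in."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        c = CHECKIN_RE.match(m.group("url"))
        if not c:
            continue
        fields = decode_trackid(c.group("hex"))
        if fields is None:
            continue
        hits.append({
            "client": m.group("client"),
            "host": c.group("host"),
            "known_c2": c.group("host") in C2_HOSTS,
            "uid": fields.get("uid", ""),
            "ports": beacon_ports(fields),
            "fields": fields,
        })
    return hits


# Constructed sample log (not a real capture): a clean request, a check-in whose
# trackid was truncated by the proxy, and a full check-in to a known C2 host.
SAMPLE_LOG = [
    "2008-09-12T16:08:01Z 10.0.0.21 GET http://www.example.com/index.html 200",
    "2008-09-12T16:08:02Z 10.0.0.33 GET http://osliki.net/data.php?trackid=706172616D3 200",
    "2008-09-12T16:08:03Z 10.0.0.42 GET http://social-bos.biz/data.php?trackid=" + TRACKID_HEX + " 200",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} uid={hit['uid']} listening on {hit['ports']}")
```

The ports the decoder reports are the ones to look for with netstat on the suspected host, and the uid field gives a stable per-infection identifier to correlate repeated check-ins from the same machine even if its IP changes.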

My good friend Joel Esler from SANS ISC reported on something like this a couple of weeks ago: http://isc.sans.org/diary.html?storyid=4927.

As of 16:08 UTC 2008/9/12:

social-bos.biz has address 91.200.144.8
osliki.net has address 195.93.219.207

Technical contact for social-bos.biz:

Name: Denis Klinov
Organization: Denis LTD
Address1: Ne dom i Ne uica
City: Big city
Postal Code: 239932
Country: Russian Federation
Country Code: RU
Phone Number: +7.4955123456
Email: pavelzosimov@yandex.ru

Technical Contact for osliki.net:

Name: Anton Butov
Email: buhalovvasya@yandex.ru
Organization: Inner Tec
Address: Stroitelnaya 77 15
City: Moscow
State: Moskovskaya
ZIP: 676437
Country: RU
Phone: +7.4952176185
UPDATE: Emerging Threats has posted Snort signatures to detect infected hosts:

http://doc.emergingthreats.net/2008545

I will continue to monitor this run and report any findings.

