Thursday, March 29, 2007

ClickBot/Affiliate Bot

With the help of UploadMalware.com and Atribune.org, we have uncovered what appears to be a click-through/affiliate bot with a possible keylogger and password stealer.

A user noticed some odd behavior on his PC, ran several anti-malware programs and posted his findings on the popular Atribune forums.
The Atribune moderator spotted an oddly named file, notedad.exe, a spoof of notepad.exe, the legitimate Windows text editor.
It is coded in VB6 and installs a keylogger while downloading a secondary trojan from carordriver.com. This second trojan is also coded in VB6.

The file, named 070323.exe, makes connections to

http://www.carordriver.com/070323/cpccpmqian.asp and http://www.carordriver.com/070323/cpccpm.asp.

The first line of each web page, once decoded, reads:

<p><a href=\"http://<rk>http:// www.beaniechild.com/<rg><cik> 1<cig> \">1</a></p>

and is parsed by the bot to yield the target it will visit (spaces added):

http:// www.beaniechild.com /

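The markup above is not HTML the browser renders; the bot extracts the target between its own <rk>/<rg> tags. As an added example (not code from the original write-up or from the malware), here is a small Python parser for that response format, useful when analyzing captured responses or building a watchlist of the hosts the bot is being told to visit. The field layout (URL between <rk> and <rg>, a number between <cik> and <cig>) is an assumption drawn from the single line shown above, and the meaning of the number is not stated on the page, so it is returned as-is; SAMPLE_BODY is a constructed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed sample: the decoded first line quoted in the write-up, with the
# backslash-escaped quotes exactly as shown there.
SAMPLE_LINE = (
    r'<p><a href=\"http://<rk>http:// www.beaniechild.com/<rg>'
    r'<cik> 1<cig> \">1</a></p>'
)

# Constructed two-line response body: the page's line plus a made-up second
# entry pointing at example.org (not a real target from the write-up).
SAMPLE_BODY = SAMPLE_LINE + "\n" + (
    r'<p><a href=\"http://<rk>http://www.example.org/landing<rg>'
    r'<cik> 2<cig> \">2</a></p>'
)

# Field layout assumed from the single line on the page: URL between <rk>
# and <rg>, a numeric field between <cik> and <cig>.
TARGET_RE = re.compile(
    r"<rk>(?P<url>.*?)<rg>\s*<cik>\s*(?P<num>\d+)\s*<cig>", re.S
)


@dataclass
class AffiliateTarget:
    url: str
    num: int  # meaning not documented on the page; surfaced unchanged


def parse_target(line: str) -> Optional[AffiliateTarget]:
    """Extract the affiliate URL and numeric field from one decoded line."""
    m = TARGET_RE.search(line)
    if m is None:
        return None
    # The write-up inserted spaces into the URL for click protection; a real
    # URL carries no whitespace, so collapse it before use.
    url = re.sub(r"\s+", "", m.group("url"))
    return AffiliateTarget(url=url, num=int(m.group("num")))


def parse_response(body: str) -> List[AffiliateTarget]:
    """Parse every line of a decoded cpccpm*.asp-style response body."""
    targets = []
    for line in body.splitlines():
        t = parse_target(line)
        if t is not None:
            targets.append(t)
    return targets


def target_hosts(body: str) -> Set[str]:
    """Hostnames the bot would be sent to, e.g. for a proxy watchlist."""
    hosts = set()
    for t in parse_response(body):
        host = urlparse(t.url).hostname
        if host:
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    for t in parse_response(SAMPLE_BODY):
        print(t)
    print(sorted(target_hosts(SAMPLE_BODY)))
```

Feeding it the page's line yields the URL http://www.beaniechild.com/ and the number 1; lines without the <rk>/<rg> markers are ignored rather than guessed at.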
Every couple of minutes the carordriver pages are pulled again and another affiliate/click thru is accomplished. By visiting the pages over and over again and viewing the source code, you can see the extent of this clickware.
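Because the bot re-fetches the two carordriver.com pages on a fixed cadence, the polling itself is a usable detection signal in web proxy logs. The following Python is an added example (not from the write-up) that flags a client as beaconing when its requests to a given URL arrive at regular intervals; the log format (epoch seconds, client IP, method, URL) and the log lines themselves are constructed for the demonstration, while the domain and page names come from the write-up.

```python
import re
from collections import defaultdict
from statistics import median, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed proxy log (not from the page), one request per line as
# "<epoch seconds> <client ip> <method> <url>". Client 10.0.0.5 polls the two
# carordriver.com pages named in the write-up about every two minutes;
# client 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
1175000000 10.0.0.5 GET http://www.carordriver.com/070323/cpccpmqian.asp
1175000001 10.0.0.5 GET http://www.carordriver.com/070323/cpccpm.asp
1175000050 10.0.0.9 GET http://www.example.com/index.html
1175000120 10.0.0.5 GET http://www.carordriver.com/070323/cpccpmqian.asp
1175000121 10.0.0.5 GET http://www.carordriver.com/070323/cpccpm.asp
1175000241 10.0.0.5 GET http://www.carordriver.com/070323/cpccpmqian.asp
1175000242 10.0.0.5 GET http://www.carordriver.com/070323/cpccpm.asp
1175000360 10.0.0.5 GET http://www.carordriver.com/070323/cpccpmqian.asp
1175000700 10.0.0.9 GET http://www.example.com/about.html
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+\S+\s+(?P<url>\S+)$")


def group_requests(log: str) -> Dict[Tuple[str, str], List[int]]:
    """Bucket request timestamps by (client, url), sorted ascending."""
    buckets: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = (m.group("client"), m.group("url"))
            buckets[key].append(int(m.group("ts")))
    return {k: sorted(v) for k, v in buckets.items()}


def beacon_period(timestamps: List[int], min_hits: int = 3,
                  max_jitter: float = 0.2) -> Optional[float]:
    """Return the typical gap in seconds if the requests are regular enough
    to look like polling (spread of gaps small relative to the median gap),
    otherwise None."""
    if len(timestamps) < min_hits:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    typical = median(gaps)
    if typical <= 0:
        return None
    if pstdev(gaps) / typical > max_jitter:
        return None
    return typical


def find_beacons(log: str, host: Optional[str] = "www.carordriver.com"
                 ) -> List[Tuple[str, str, float]]:
    """(client, url, period) for every client/url pair that is beaconing.
    host=None disables the hostname filter and scores every URL."""
    hits = []
    for (client, url), ts in group_requests(log).items():
        if host and not re.match(r"https?://" + re.escape(host) + r"/", url):
            continue
        period = beacon_period(ts)
        if period is not None:
            hits.append((client, url, period))
    return sorted(hits)


if __name__ == "__main__":
    for client, url, period in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {url} every ~{period:.0f}s")
```

On the constructed log, 10.0.0.5 is reported for both .asp pages at roughly 120 seconds, while the two example.com requests from 10.0.0.9 are never flagged, even with the hostname filter disabled, because they are neither numerous nor regular. The jitter threshold is the knob to tune: a bot that sleeps a fixed interval plus network latency sits well under 20%, while human browsing rarely does.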
The keylogger data is stored in a .dbt file located in
%system32%\IExplorer.dll .dbt

The malware itself doesn't make any changes to the browser. It makes no attempts to hijack the home or search pages and does not open popup windows. It appears to only open the sites in an attempt to make money. Of course sometimes affiliate links turn out to be binaries. This bot will happily download and run the binary code. For example, one of the affiliate links forced a download of:

http://installs .spamblockerutility .com /installs/spamblockerutility/programs/spamblockerutility.exe (spaces added for click protection) which is infected with Trojan.Hotbar.A

netstat -ao shows several dozen websites opened by the bot. The md5 hash of 070323.exe is 59c80110f8952fd3f4fafe7c503d051f.

Domain name: carordriver.com

Administrative Contact:
Gold-Domain, Inc.
Whois Protector (support@gold-domain.com)
+1.2132740657
Fax:
PMB 368, 14150 NE 20th St - F1
Bellevue, WA 98007
US

carordriver.com has address 124.133.18.151
route: 124.128.0.0/13
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060306
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN

AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
4837 | 124.133.18.151 | 124.128.0.0/13 | CN | apnic | 2006-02-24 | CHINA169-BACKBONE CNCGROUP China169 Backbone
