(Updated) Beware of the BABYLON, Adware that spreads like Exploit Kit
31 Aug 2012
A lot of you know about the Babylon adware, don't you? We ignored these guys for so long; we thought they posed no threat. Now they are spreading "with" a proper evil-distribution scheme (if I may not call it an infection).
Looking at the network they have built, Babylon is still adware, yet it spreads like an exploit pack. We should raise market awareness of this trend; who knows, one day real malware could ride under the Babylon scheme and become a new epidemic vector..
Please read the PoC below:
Analysis:
During a research session we snipped the URL below:
>> --12:23:06--
>> http://www.destorage.info/installmate/php/get_cfg.php?step_id=1
>> => `get_cfg.php@step_id=1'
>> Resolving www.destorage.info... 46.165.199.26
>> Connecting to www.destorage.info|46.165.199.26|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 6,614 (6.5K) [text/html]
>> 100%[====================================>] 6,614 --.--K/s
>> 12:23:07 (1.07 MB/s) - `get_cfg.php@step_id=1' saved [6614/6614]
Got curious, so I looked inside:
>> blah\GnuWin32\bin\dump>cat "get_cfg.php@step_id=1"
>> [Installer]
>> PublisherName="Premium"
>> ProductName="Setup"
>> ProductVersion="1.0"
>> ProductCode="{17EB6DDC-1522-72F9-D5AE-7B1FC1C487CE}"
>> PublisherID="0"
>> SourceID="0"
>> PageID="0"
>> AffiliateID="%Installer_AffiliateID%"
>> InstallerID="0"
>> VisitorID="0"
>> Locale="en"
>> Date="2012/08/31"
>> Time="3:23:06"
>> ShowInTaskbar="1"
>> HideScreens="0"
>> InstallerMode=""
>>
>> [Server]
>> ID="0"
>> Location="DE"
>>
>> [UserInfo]
>> GeoLocation="JP"
>> IPAddress="121.3.173.191"
>> WebBrowser="0"
>>
>> [RndGen]
>> Percentage="21"
>>
>> [Screen75]
>> Title="Setup"
>> Button1="Yes"
>> Button2="&No"
>> Label1="Are you sure?"
>> :
>> :
>> etc
FYI, this server is serving the Babylon adware and spreads it either with its own "kinda" exploit pack or by using the exploit pack method. So below is the conclusion:
1. The infector URL uses the exploit pack format.
2. It definitely logs the PC information during installation via the browser and keeps a snapshot of it on the server.
3. It backdoors the installer without the user's permission.
Good researcher friends, to whom I promised confidentiality, advised that the site also carries "suspected" malware (I have not analyzed it yet), as follows:
> 46.165.199.26/v9/
> 46.165.199.26/v10/ (VirusTotal check: [CLICK])
> 46.165.199.26/v14/
> 46.165.199.26/v52/
> 46.165.199.26/v209/
As you can see, adware is not something we can just ignore. This adware's distributor has started to play nasty and to victimize innocent people.
Additional/updated note:
I am following the reported downloaded program described above (VT report).
This file explains to us why the PC information got uploaded to the server.
File: WxDownload.exe 68ee6e35ef7f495be727131dc4ef5ed9
It is a binary installer built with Tarma InstallMate 7, which, like any usual installer, drops:
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setup.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setupx.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.exe
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.ico
C:\Document..\Local Settings\Temp\Tsu5F686192.dll
(I have not gone into the details of it yet.....)
It is "assumed" that those will start installing nasty adware on your PC and so on..
(I am sorry for not going into detail on it either)
My point is, this installer sends your PC data to the motherships as per below:
DNS QUERIES:
www.reportde.info IN A +
www.destorage.info IN A +
www.reportnl.info IN A +
www.nlstorage.info IN A +
HTTP POSTS:
www.reportde.info POST
www.reportnl.info POST
values: "/installmate/php/track_installer_products.php?installer_version=75 HTTP/1.1"
HTTP REQUESTS:
www.destorage.info GET (3 times)
www.nlstorage.info GET (3 times)
values =
/installmate/php/get_cfg.php?
step_id=1&
installer_id=5040612c774655.01371722&
publisher_id=10&
source_id=0&
page_id=0&
affiliate_id=0
&geo_location=JP&
locale=EN&
browser_id=4 HTTP/1.1
In the HTTP POST part it sends the installer version info, which maybe is OK, but..
In the HTTP GET part it sends your GeoIP location, your PC's local language, browser information,
and of course your IP address. This is the PoC proving why those records exist on the server.
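As an added example (not code from the original post), the following Python decodes the UTF-16 config that get_cfg.php returns, as shown earlier, and flags proxy log lines that hit the InstallMate tracking endpoints with the host-identifying parameters listed above. The config bytes and log lines are constructed samples modelled on the capture; the IP address inside is a documentation address, not the one from the dump.

```python
import configparser
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the INI that get_cfg.php returns, encoded as UTF-16 with a
# BOM like the real file (which is why `cat` showed the spaced-out letters above).
SAMPLE_CFG = (
    '[Installer]\nPublisherName="Premium"\nProductVersion="1.0"\n'
    'AffiliateID="%Installer_AffiliateID%"\n'
    '[Server]\nID="0"\nLocation="DE"\n'
    '[UserInfo]\nGeoLocation="JP"\nIPAddress="192.0.2.10"\nWebBrowser="0"\n'
).encode("utf-16")

# Endpoints and query keys taken from the captured GET/POST requests above.
TRACK_PATHS = {"/installmate/php/get_cfg.php",
               "/installmate/php/track_installer_products.php"}
LEAK_KEYS = ("installer_id", "publisher_id", "geo_location", "locale", "browser_id")

def parse_cfg(raw: bytes) -> dict:
    """Decode the UTF-16 config and return {section: {key: value}} with quotes stripped."""
    text = raw.decode("utf-16")                         # consumes the BOM and null bytes
    cp = configparser.ConfigParser(interpolation=None)  # keep %...% placeholders literal
    cp.optionxform = str                                # preserve key case (GeoLocation)
    cp.read_string(text)
    return {s: {k: v.strip('"') for k, v in cp[s].items()} for s in cp.sections()}

def inspect_request(url: str):
    """Return the host-identifying parameters if url hits a tracking endpoint, else None."""
    u = urlsplit(url)
    if u.path not in TRACK_PATHS:
        return None
    q = parse_qs(u.query)
    return {k: q[k][0] for k in LEAK_KEYS if k in q}

def scan_log(lines) -> list:
    """Return (host, leaked) for every 'METHOD URL' log line hitting a tracking endpoint."""
    hits = []
    for line in lines:
        url = line.split()[1]
        leaked = inspect_request(url)
        if leaked is not None:                          # {} still counts: the POST endpoint
            hits.append((urlsplit(url).hostname, leaked))
    return hits

# Constructed proxy log lines: one tracking request modelled on the capture, one benign.
SAMPLE_LOG = [
    "GET http://www.destorage.info/installmate/php/get_cfg.php?step_id=1"
    "&installer_id=5040612c774655.01371722&publisher_id=10&geo_location=JP&locale=EN&browser_id=4",
    "GET http://www.example.com/index.html",
]
```

Running `scan_log(SAMPLE_LOG)` yields one hit for www.destorage.info carrying the installer_id, publisher_id, geo_location, locale and browser_id fields, which is the same data the [UserInfo] section shows the server storing.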
OK, the research continues on the detected IP addresses of the Babylon spreader services.
Multiple directories were detected being used for distribution of the download links:
> Fast check showed:
> I guess you can try 1xx, 2xx, 3xx
Another researcher detected the mirroring scheme on 46.165.199.26 to IP addresses in the same segment:
46.165.199.26/v14/ 301720
46.165.199.3/v14/ 301720
46.165.199.25/v14/ 301720
Some similarities among the downloaded files were also detected:
> http://95.211.152.157/v17/ 299048
> filename="BCool.exe"
> http://95.211.150.1/v17/ 299048
> filename="BCool.exe"
> http://95.211.152.156/v17/ 299048
> filename="BCool.exe"
Feel free to add your comments to update the current information.