Ancient Malware Still Circulating on Chinese Sites

I’ve been looking at recently registered domains hoping to find new malicious content. Besides a couple of tech support scam / phishing sites, I found some weird stuff being hosted on a bunch of new Chinese-registered domains. I found several sites hosting a page with the following appearance:

After grabbing a bunch of these pages, I searched for various interesting strings and noticed that a bunch of these sites contained the words “svchost.exe” in the hosted page. Inside the pages served at these domains was the following code:

The beginning of a PE file is pretty obvious in this snippet. Taking what’s there and dumping it into a file resulted in a very old packed Ramnit sample. I found this sample being hosted in the same way at a bunch of other sites, as well as what might be a Zeus sample:


Ramnit fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
7team[.]net
860574[.]net
87154659[.]com
aerlo[.]net
ahups[.]net
ai7kc[.]com
aiaru[.]net
anemp[.]net
aosad[.]net
apump[.]net
arkhk[.]net
arsenalcn[.]net
asivy[.]net
atwtw[.]net
bayac[.]net
bbwcf[.]net
benkan[.]net
betzc[.]net
bjhouse2008[.]com
bleol[.]com
bubeng[.]net
buchong[.]net
bucun[.]net
caiyo[.]net
canrun[.]net
caujuan[.]net
0435rcw[.]com
057416[.]com
7team[.]net
860574[.]net
87154659[.]com

Zeus(?) 2607060535475325658da314960748b9927b93b944f66ba53340e99dcaa00cc5
beiyongde[.]com

These two were packed (just with UPX), and the unpacked samples have the following hashes (uploaded to VT):
876c5cea11bbbcbe4089a3d0e8f95244cf855d3668e9bf06a97d8e20c1ff237c
85e57ff057c7969e0e45e046b5000dfcd4fef3afd8f3c803034af479ef05a43e

Originally I thought that I could find newly registered domains being used solely for hosting malware (open directories), but this is sort of different. Possible explanations include:
– Someone is registering these domains and then hosting the malware themselves
– These domains are being registered and then are used to host legitimate content, but someone compromises the sites to host the malicious file (see this comment on VirusTotal for someone else putting this idea forward). MalwareBytes has an article about something very similar, and there’s a FireEye report on the this.

Looking up some of the domains didn’t reveal much — two are newly registered over at Alibaba, one is registered to someone purportedly from Taiwan, another to someone in mainland China. Pivoting off of whatever information I could find, it appears that the registrant of 057416.com has also been associated with at least 1,000 other domains (all sort of “spammy” looking domain names) and the person behind beiyongde.com has three other domains associated with their name. None of those other domains are currently hosting anything.

The unpacked versions of these files are even older than I expected (2008 timeframe). These samples all call home to a known Ramnit C2, fget-career[.]com. Both samples also contain what looks like an IP address as a version number, 106.42.73[.]61. The domain is pretty impressive in the sense that it’s very old and still in use — taking a look at it in VT or in Hybrid Analysis shows all kinds of samples communicating with it very recently. A couple of other people have taken a look at these samples and found the same IP address as a version number. I’m not currently seeing anything resolving to that IP, nor am I finding much else in terms of useful info on that possible IP address.

I’m going to move on from this stuff. As interesting as it is to see that these relatively ancient samples are still going, I’d still like to try to find something new, so I don’t think I should spend more time here.