I’ve been looking at recently registered domains hoping to find new malicious content. Besides a couple of tech support scam / phishing sites, I found some weird stuff being hosted on a bunch of new Chinese-registered domains. I found several sites hosting a page with the following appearance:
After grabbing a bunch of these pages, I searched for various interesting strings and noticed that a bunch of these sites contained the words “svchost.exe” in the hosted page. Inside the pages served at these domains was the following code:
The beginning of a PE file is pretty obvious in this snippet. Taking what’s there and dumping it into a file resulted in a very old packed Ramnit sample. I found this sample being hosted in the same way at a bunch of other sites, as well as what might be a Zeus sample:
These two were packed (just with UPX), and the unpacked samples have the following hashes (uploaded to VT):
Originally I thought that I could find newly registered domains being used solely for hosting malware (open directories), but this is sort of different. Possible explanations include:
– Someone is registering these domains and then hosting the malware themselves
– These domains are being registered and then are used to host legitimate content, but someone compromises the sites to host the malicious file (see this comment on VirusTotal for someone else putting this idea forward). MalwareBytes has an article about something very similar, and there’s a FireEye report on the this.
Looking up some of the domains didn’t reveal much — two are newly registered over at Alibaba, one is registered to someone purportedly from Taiwan, another to someone in mainland China. Pivoting off of whatever information I could find, it appears that the registrant of 057416.com has also been associated with at least 1,000 other domains (all sort of “spammy” looking domain names) and the person behind beiyongde.com has three other domains associated with their name. None of those other domains are currently hosting anything.
I’m going to move on from this stuff. As interesting as it is to see that these relatively ancient samples are still going, I’d still like to try to find something new, so I don’t think I should spend more time here.