[en] Ramnit via Malvertising

Got a malvertising campaign from a warez website that leads to the Ramnit virus; the ad was served through popads.net.


The TDS: http://dristohren.biz (64.120.137.35)

NetRange: 64.120.128.0 - 64.120.255.255
CIDR: 64.120.128.0/17
OriginAS: AS21788
NetName: HOSTNOC-5BLK
NetHandle: NET-64-120-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
RegDate: 2009-04-27
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-64-120-128-0-1

The dropper: http://malwaredb.malekal.com/index.php?hash=8388ea91a2d7fd290a6b0c32f3dd5f7c

Detections are good: https://www.virustotal.com/fr/file/d64b3eff3613e301acb95dc057d604526aeb396854a73b1eca327262da5d85fb/analysis/1362590163/

SHA256: d64b3eff3613e301acb95dc057d604526aeb396854a73b1eca327262da5d85fb
File name: 0.20802980489479506.exe
Detection ratio: 11 / 46
Analysis date: 2013-03-06 17:16:03 UTC (10 minutes ago)

AhnLab-V3 Trojan/Win32.Lebag 20130306
CAT-QuickHeal (Suspicious) – DNAScan 20130306
DrWeb Trojan.Inject1.15519 20130306
Jiangmin Trojan/Lebag.bee 20130304
Kaspersky HEUR:Trojan.Win32.Generic 20130306
Malwarebytes Trojan.Lebag 20130306
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Obfuscated.D 20130306
Panda Trj/Genetic.gen 20130306
TrendMicro PAK_Generic.005 20130306
TrendMicro-HouseCall PAK_Generic.005 20130306

The driver: https://www.virustotal.com/fr/file/c1293f8dd8a243391d087742fc22c99b8263f70c6937f784c15e9e20252b38ae/analysis/

SHA256: c1293f8dd8a243391d087742fc22c99b8263f70c6937f784c15e9e20252b38ae
File name: dnsgvbny.sys
Detection ratio: 43 / 46
Analysis date: 2013-02-22 15:35:49 UTC (1 week, 5 days ago)

Connects to: 188.40.45.67:443

inetnum: 188.40.45.64 - 188.40.45.127
netname: HETZNER-RZ10
descr: Hetzner Online AG
descr: Datacenter 10
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filtered

EDIT April 18 2013

Another one: http://malwaredb.malekal.com/index.php?hash=3324d8f9d58a37d92b0c44a021e2a1f9

https://www.virustotal.com/fr/file/634ec041368d4e8a10cb1c7cf1e99b4a758bc5a3449635bc07354fb58f2ff20c/analysis/1366272286/

SHA256: 634ec041368d4e8a10cb1c7cf1e99b4a758bc5a3449635bc07354fb58f2ff20c
File name: 0.5107251914043918.bfg
Detection ratio: 12 / 46
Analysis date: 2013-04-18 08:04:46 UTC (0 minutes ago)

BitDefender Gen:Variant.Kazy.165322 20130418
Comodo Heur.Suspicious 20130418
Emsisoft Gen:Variant.Kazy.165322 (B) 20130418
F-Secure Gen:Variant.Kazy.165322 20130418
Fortinet W32/Kryptik.AYLT!tr 20130418
GData Gen:Variant.Kazy.165322 20130418
Kaspersky Trojan.Win32.Lebag.uet 20130418
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.F 20130418
Microsoft Trojan:Win32/Ramnit.A 20130418
MicroWorld-eScan Gen:Variant.Kazy.165322 20130418
Symantec WS.Reputation.1 20130418

Malvertising from Clicksor:

http://tikamoho.com/ad_track.php?s=2&aid=123&cn=eu&contextm=1 (31.207.2.154 – CEUSERVERS – CZ)
http://tikamoho.com/in.cgi?2&ngsno=1&lpbdd=1&jgocs=3667054860&ur=1&HTTP_REFERER=http%3A%2F%2Fads%2Ehooqy%2Ecom%2FnewServing%2Fbanner%5Fframe%2Ephp%3Fnid%3D1%26pid%3D102042%26sid%3D301172%26zone%3D%2D1%26image%3D3%26adtype%3D1%26key%3De9ecd422a05a733728190c0c2c455912&aid=123&cn=eu&contextm=1
http://lkghktyhyadvfl.biz/jkBD3v17ujQ17xg20Fnoc0VXj30haog0J9AW0Rovk0HtXS0F9gg04t2L0Gjch/ (94.198.96.9 – SEFLOW-DEDICATED-NET – IT)
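To turn the two chains above (popads.net -> dristohren.biz -> dropper, and Clicksor -> tikamoho.com -> lkghktyhyadvfl.biz -> dropper) into something a proxy or firewall log can be checked against, here is an added detection example that is not part of the original post: it flags requests to the redirector hosts, the ad referer that tikamoho.com carries in its HTTP_REFERER parameter, downloads named like the droppers (a random float such as 0.20802980489479506.exe / 0.5107251914043918.bfg), and connections to the 188.40.45.67:443 C2. The log lines, hosts named *.example and the internal client addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the write-up: TDS / redirector hosts and the C2 endpoint.
TDS_HOSTS = {"dristohren.biz", "tikamoho.com", "lkghktyhyadvfl.biz"}
C2_ENDPOINT = ("188.40.45.67", 443)
# Both droppers were served under a random-float file name
# (0.20802980489479506.exe, 0.5107251914043918.bfg).
RANDOM_FLOAT_NAME = re.compile(r"^0\.\d{10,}\.(exe|bfg)$", re.I)

# Constructed proxy log (not from the page): client  method  url  referer
PROXY_LOG = """\
10.0.0.5 GET http://warez.example/index.html -
10.0.0.5 GET http://dristohren.biz/go.php?id=1 http://www.popads.net/
10.0.0.5 GET http://cdn.example/0.20802980489479506.exe http://dristohren.biz/go.php?id=1
10.0.0.7 GET http://tikamoho.com/in.cgi?2&HTTP_REFERER=http%3A%2F%2Fads%2Ehooqy%2Ecom%2F -
10.0.0.7 GET http://cdn.example/0.5107251914043918.bfg http://tikamoho.com/in.cgi
10.0.0.9 GET http://update.example/setup.exe -
"""
# Constructed firewall log (not from the page): src  dst  dport  proto
FIREWALL_LOG = """\
10.0.0.5 188.40.45.67 443 TCP
10.0.0.9 192.0.2.10 443 TCP
"""

def inspect_proxy_line(line):
    """Return the alerts raised by one proxy log line (empty list if clean)."""
    client, _method, url, referer = line.split()
    parts = urlparse(url)
    host, filename = parts.hostname or "", parts.path.rsplit("/", 1)[-1]
    alerts = []
    if host in TDS_HOSTS:
        alerts.append(f"{client}: request to known TDS/redirector {host} (referer {referer})")
    # The Clicksor chain carried the originating ad URL in an HTTP_REFERER query parameter.
    ad_ref = parse_qs(parts.query).get("HTTP_REFERER")
    if ad_ref:
        alerts.append(f"{client}: redirector forwards ad referer {ad_ref[0]}")
    if RANDOM_FLOAT_NAME.match(filename):
        alerts.append(f"{client}: download of random-float-named payload {filename}")
    return alerts

def inspect_firewall_line(line):
    """Return an alert for a connection to the Ramnit C2, else None."""
    src, dst, dport, _proto = line.split()
    if (dst, int(dport)) == C2_ENDPOINT:
        return f"{src}: outbound connection to Ramnit C2 {dst}:{dport}"
    return None

def scan(proxy_log=PROXY_LOG, firewall_log=FIREWALL_LOG):
    """Run both detectors over the sample logs and collect every alert."""
    alerts = [a for line in proxy_log.splitlines() for a in inspect_proxy_line(line)]
    alerts += [a for a in map(inspect_firewall_line, firewall_log.splitlines()) if a]
    return alerts

if __name__ == "__main__":
    print("\n".join(scan()))
```

The random-float filename check is the part that survives a change of hosting: the redirector and C2 addresses will rotate, while the dropper naming was the same in both campaigns.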


2 thoughts on “[en] Ramnit via Malvertising”

  1. Hello, this is Tomasz from PopAds.net. Please be aware that we do all we can to filter dishonest advertisers, but sometimes they manage to slip through. The screenshots you have posted allowed us to find the offending campaign. The advertiser has been banned, his URLs and IPs have been blacklisted.
    In the future, if you notice a similar problem, please drop us an email at support@popads.net. Thank you!
