Bob's machine compromised (350.25 KiB)


Bob's machine compromised by Virtual Slut / Yahoo Search Assistant, and probably more...

Interesting-looking DDNA page, huh?

Virtual Slut is inside of svchost.exe

Chinese websites listed in svchost:
• cnnic.cn = 159.226.202.44
• 3721.com = 202.165.98.249

Some of the CMD/CTRL servers for Virtual Slut / Yahoo Search Assistant
Established network connections

• IP address from France: 212.198.253.80.rev.numericable.fr
• IP address from Indonesia:
  inetnum: 114.56.0.0 - 114.59.255.255
  netname: INDOSATNET
  descr: PT. INDOSAT MEGA MEDIA
  descr: INDOSATM2 INTERNET SERVICE PROVIDER
• IP address from MCI Communications / Verizon, Ashburn VA
All these connections (France, Indonesia, MCI Communications / Verizon Ashburn VA) go to svchost.exe, process ID 1344
Mapping devices in svchost

CMD & CTRL URLs

Malware metadata in svchost
Bob's machine: lots of CNS hooks

2006: Google searches for "CNS Hooks" return these results

Jan 12, 2010: more Google search results for "CNS Hooks"

Online CNS is known to be almost impossible to completely remove
Some of the IPs connected to Bob's machine

• 111.0.110.0: China Mobile Communications Corporation; code injected into svchost
• 63.87.254.250: MCI Communications, Ashburn VA; code injected into svchost
• 120.125.201.101: Ministry of Education Computer Center, Taiwan government org; code injected into svchost
  (Peoples Republic of China / Education Ministry in Taiwan; wiki link: http://en.wikipedia.org/wiki/Education_in_Taiwan)
• 114.57.77.72: INDOSATNET, Indonesia ISP connected to svchost injected code
Other capabilities seen inside:
• Terminal Services
• Keystroke logging
• Hiding processes, registry, network communications
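The deck's core observation is that every suspicious established connection belongs to one svchost.exe process (PID 1344). The script below is an added triage example, not part of the original deck or any tool it shows: it joins `netstat -ano` output with `tasklist /fo csv` output, keeps only established connections owned by svchost.exe processes, and drops private, loopback and other non-routable destinations so that an analyst is left with the external endpoints to check against whois and reputation data. Both input samples are constructed here; the remote IPs are the ones named in the slides, while the local addresses, ports and the other PIDs are made up. Legitimate svchost.exe instances (Windows Update, time sync) also talk to the internet, so the output is a list to investigate, not a verdict.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output. Remote IPs are taken from the
# slides; local addresses, ports and PIDs other than 1344 are invented.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49152     212.198.253.80:80      ESTABLISHED     1344
  TCP    192.168.1.20:49153     114.57.77.72:443       ESTABLISHED     1344
  TCP    192.168.1.20:49154     63.87.254.250:80       ESTABLISHED     1344
  TCP    192.168.1.20:49155     111.0.110.0:8080       ESTABLISHED     1344
  TCP    192.168.1.20:49156     120.125.201.101:80     ESTABLISHED     1344
  TCP    192.168.1.20:49157     10.0.0.5:445           ESTABLISHED     1344
  TCP    192.168.1.20:49158     203.0.113.9:443        ESTABLISHED     2200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:123            *:*                                    880
"""

# Constructed sample of `tasklist /fo csv` output mapping PIDs to image names.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","880","Services","0","5,000 K"
"svchost.exe","1344","Services","0","12,000 K"
"chrome.exe","2200","Console","1","90,000 K"
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    remote_ip: str
    remote_port: int


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from netstat -ano text.
    TCP rows carry a state column; UDP rows do not, so the PID is taken from
    the last field rather than a fixed column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def is_external(ip_text):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # '*' or other placeholders in the netstat output
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def svchost_external_connections(netstat_text, tasklist_text, image="svchost.exe"):
    """Established connections from processes named `image` to external hosts."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for proto, _local, foreign, state, pid in parse_netstat(netstat_text):
        if images.get(pid, "").lower() != image.lower():
            continue
        if state and state != "ESTABLISHED":
            continue
        host, _, port = foreign.rpartition(":")
        host = host.strip("[]")  # IPv6 endpoints are printed as [addr]:port
        if not is_external(host):
            continue
        findings.append(Finding(pid, images[pid], host, int(port)))
    return findings


def summarize(findings):
    """Group external destinations by PID: one line per process to triage."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.remote_ip)
    return by_pid


if __name__ == "__main__":
    for pid, ips in summarize(
            svchost_external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)).items():
        print(f"svchost.exe PID {pid} -> {', '.join(sorted(ips))}")
```

On a live host the two samples would be replaced by the captured output of `netstat -ano` and `tasklist /fo csv` (run from the same moment, since PIDs are reused). The private destination 10.0.0.5 and the browser's connection are dropped by design; what remains for PID 1344 is exactly the set of addresses the slides attribute to the injected code.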