A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28110  by 275751198
 Thu Mar 24, 2016 8:38 am
http://drops.wooyun.org/papers/13755

China Telecom Group Corporation (CTCC) is a large state-owned communications enterprise in China, a global partner of the Shanghai World Expo, selected for many years as one of the "world's 500 strongest enterprises", mainly engaged in fixed telephone, mobile communications, satellite communications, Internet access and comprehensive information services.
Starting on March 5th, we observed abnormal data in a large number of CTCC software clients that released a Downloader.
Hackers inserted malicious code into an advertisement; software clients displayed the advertisement, and users were infected.

Here is part of the sample.
 #28131  by xsc
 Fri Mar 25, 2016 6:24 pm
Code:
[0x004241ed]> iz | grep http
vaddr=0x0043b5f0 paddr=0x00039df0 ordinal=066 sz=8 len=7 section=.rdata type=ascii string=http://
vaddr=0x0043fec4 paddr=0x0003e6c4 ordinal=389 sz=47 len=46 section=.rdata type=ascii string=http://sky.cpmok.net:9001/adapi/api/getadlist2
vaddr=0x0043fef4 paddr=0x0003e6f4 ordinal=390 sz=42 len=41 section=.rdata type=ascii string=http://sky.cpmok.net:9001/adapi/api/adone
vaddr=0x0043ff20 paddr=0x0003e720 ordinal=391 sz=39 len=38 section=.rdata type=ascii string=http://jpg.cpmok.net/886tel/10000.json
Some interesting strings
jpg.cpmok.net/886tel/10000.json contains
Code:
[
{"name":"10000","downloadURL":"2nWViQ44UXRRoQoOUR5bHvtT+cWRakPNIaEt+NJ3+Dgrk0wGdXwOf6GU8A==","version":"1.0.0.26"}
]
sky.cpmok.net:9001/adapi/api/getadlist2 contains
Code:
{"ret":-100000,"txt":"sLs=\n","host":"46.182.106.190"}
sky.cpmok.net:9001/adapi/api/adone is empty
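The two steps in xsc's post, carving URL strings out of the binary's read-only data (what `iz | grep http` does in radare2) and then looking at what the ad-API endpoints return, as an added Python example that is not part of the thread and not the sample's own code. The byte blob standing in for the sample's .rdata section is constructed here from the three URLs the post lists, and the two JSON bodies are copied from the post. The decoder only establishes that `downloadURL` and `txt` are base64 wrapped around non-printable bytes; it does not recover the second-stage URL, which would need the client's own decryption routine.

```python
import base64
import json
import re
import string

# Constructed stand-in for the sample's .rdata section: the three URLs quoted in
# the post, separated by filler bytes so the string carver has real work to do.
RDATA = (
    b"\x00\x00MZ\x90\x00"
    + b"http://\x00"
    + b"\x01\x02\x03"
    + b"http://sky.cpmok.net:9001/adapi/api/getadlist2\x00"
    + b"\xff\xfe"
    + b"http://sky.cpmok.net:9001/adapi/api/adone\x00"
    + b"\x00\x00"
    + b"http://jpg.cpmok.net/886tel/10000.json\x00"
    + b"\x7f\x80"
)

# Server responses exactly as quoted in the post.
MANIFEST_RESPONSE = (
    '[{"name":"10000","downloadURL":'
    '"2nWViQ44UXRRoQoOUR5bHvtT+cWRakPNIaEt+NJ3+Dgrk0wGdXwOf6GU8A==",'
    '"version":"1.0.0.26"}]'
)
ADLIST_RESPONSE = r'{"ret":-100000,"txt":"sLs=\n","host":"46.182.106.190"}'

URL_RE = re.compile(r"https?://([^/:\s]+)(?::(\d+))?(/[\x21-\x7e]*)?")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def carve_strings(blob, min_len=4):
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]


def carve_urls(blob):
    """Keep only carved strings that contain a URL with a host part, split into fields.
    The bare "http://" format string the post also lists has no host and is dropped."""
    found = []
    for off, text in carve_strings(blob):
        for m in URL_RE.finditer(text):
            found.append({
                "offset": off + m.start(),
                "url": m.group(0),
                "host": m.group(1),
                "port": int(m.group(2)) if m.group(2) else 80,
                "path": m.group(3) or "",
            })
    return found


def inspect_b64(field):
    """Decode a base64-looking field and report whether the result is plaintext.
    A download URL that decodes to non-printable bytes is encoded a second time,
    so the real location cannot be read from the server response alone."""
    text = field.strip()
    if not B64_RE.match(text) or len(text) % 4:
        return {"base64": False}
    raw = base64.b64decode(text)
    return {
        "base64": True,
        "length": len(raw),
        "printable": all(chr(b) in string.printable for b in raw),
        "hex": raw.hex(),
    }


def triage_manifest(manifest_json):
    """Per-entry summary of the 10000.json manifest: version plus what downloadURL hides."""
    return [{"name": e["name"], "version": e["version"], **inspect_b64(e["downloadURL"])}
            for e in json.loads(manifest_json)]


def triage_adlist(adlist_json):
    """Summary of the getadlist2 answer: return code, reported host, decoded txt field."""
    d = json.loads(adlist_json)
    return {"ret": d["ret"], "host": d["host"], "txt": inspect_b64(d["txt"])}


if __name__ == "__main__":
    for u in carve_urls(RDATA):
        print("%#06x %s (host=%s port=%d path=%s)" % (u["offset"], u["url"], u["host"], u["port"], u["path"]))
    print(triage_manifest(MANIFEST_RESPONSE))
    print(triage_adlist(ADLIST_RESPONSE))
```

Run against a real dump of the section, the first function reproduces the three hits from the post; the second pair shows that both base64 fields decode to bytes outside printable ASCII (43 bytes for `downloadURL`, two bytes for `txt`), which is the check to do before assuming a field is a plaintext URL.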