Mystery!


August 6th, 2009

Studying for the CISSP exam makes me really bored, so here’s a whim I pursued.  I got a spam comment from the IP .  Allowing a system to post spam comments on my blog constitutes consent for me to do whatever I want to the system, so here’s what I did.  First stop: DShield.  There were no other reports of activity from this IP, but the Whois info contained this:

organisation:   ORG-Cjc5-RIPE
org-name:       Closed joint-stock company "AVIEL"
org-type:       LIR
address:        CJSC "AVIEL"
                Vadim Maksimovskiy
                2, Sovetskaya str
                140108 Ramenskoye
                Russian Federation

OMG THE RUSSIANS ARE HACKING ME!  The next logical step was to run Nmap on it.  I just did an aggressive scan (-A: version detection, OS fingerprinting, script scanning and traceroute against Nmap's default list of the 1,000 most common ports).  The results were a little odd:


16001/tcp open   unknown
60443/tcp closed unknown
63331/tcp closed unknown
64623/tcp closed unknown
65129/tcp closed unknown
65389/tcp closed unknown

What the hell is port 16001?  Back to DShield, which showed this intriguing activity graph for the last month:

[DShield activity graph for port 16001 over the previous month]

A DShield user note says that port belongs to the Enlightened Sound Daemon (ESD, part of GNOME); PulseAudio's ESD-compatibility module listens on the same 16001/tcp.

Well, that doesn’t really help me.  Being reckless, I connected to it with Ncat.  The connection was accepted but nothing came back.  On another whim, I opened it in Firefox.  It sat idle for a long time, then Firefox came up with the File Download dialog for a file called KLp+hPgD.part (.part being the suffix Firefox gives a download that is still in progress).  That’s really weird.  I saved it and opened it in a hex editor.  Here’s what it is:

cd 44 08 bc f4 44 ca 18   b5 d3 01 d7 d8 5b b4 5a
f9 31 c2 88 65 8c cd 07   0e 00 9a 9e 56 57 b1 a9
fa bf d5 0b aa 1a 7f f0   db c1 5f 4c f2 ab 77 3c
01 9b fd ea 79 73 e0 17   78 1c 7d 24 10 66 d5 e5
82 58 f8 5f d6 c7 1d 8d   52 b7 7b 68 22 8a 92 57
f9 e3 02 3a 52 d6 c5 71   a0 df c5 97 4b 2e 7d e3
2b 0d b4 79 cc 85 69 f1   34 1e c6 3b 12 c6 0b 95
08 c3 58 88 57 87 f5 6c   fb 02 57 f3 5b 6e 7c ed
25 f8 15 a0 a7 02 37 81   5b 56 bd b2 c6 b6 65 93
fe ac 36 5c 78 73 18 81   8e 75 84 c5 ff 7e e7 fe
d9 c3 c1 b8 9f 6a 33 a1   46 15 79 7a 5b b9 dd 2d
5d 7f b9 f3 e0 e5 74 ef   7c 4f 36 e8 23 7b d3 d6
0b b5 6f 8d 2d 57 44 4e   b3 70 7a 2f 88 2d a0 dd
0e df 3f 89 6c 8c 58 0a   71 e3 ad a1 ef ef 6e b4
8c 6f f7 02 88 a2 93 f6   ad 38 2f 16 47 2e ba 6d
1c 01 29 e1 4a f3 15 32   86 0c 22 33 41 d0 5e f3
14 8a 6b 36 36 13 d9 29   f6 7f 49 03 8c 59 12 bb
93 63 4e 67 65 70 63 05   6b ed 79 4f cd 92 d9 bc
62 53 00 82 30 5a c1 28   75 b3 8d 49 4b 0d ad bc
d1 ea b1 4e 05 b6 38 27

That doesn’t make a ton of sense either.  Is it shellcode?  It’s a long shot, but on x86 0xCD is the INT imm8 opcode, so the first two bytes would decode as INT 0x44.  Static analysis of it as machine code really didn’t reveal anything to me, but then I’m a nubcake.  So I tried using this Shellcode 2 Exe tool to wrap the bytes in an executable file.  I don’t have a VM program installed on my box, and I wasn’t about to run the thing natively… just in case Russia really is trying to hack me.  I did upload it to VirusTotal (link goes to complete results).  Two engines detected it as a Trojan, and four others seemed to guess it’s a downloader or some kind of badness.  One caveat on those results: what got scanned was the loader stub plus the bytes, not the bytes alone, so any of those hits could be on the generic shellcode-to-exe wrapper rather than on the payload.
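Before disassembling 312 bytes of who-knows-what, the cheap questions are whether the byte distribution looks like code or like random/encrypted data, and where the 0xCD bytes actually fall.  The script below is an added example and not code from the original post: it embeds the hex dump above (copied verbatim), measures its entropy and printable-ASCII ratio, and lists every 0xCD read as an x86 INT with its vector.  In random data a 0xCD shows up about once per 256 bytes, so three in 312 bytes is what chance predicts, and vectors like 0x44, 0x07 and 0x92 are not the ones real shellcode uses (0x80 on Linux, 0x21 on DOS).  The `grab_blob` helper is an assumed, deliberate replacement for pointing a browser at an unknown port: one probe over a plain socket, a timeout, a size cap, and the result goes to a file instead of a renderer.  The host and port it takes are whatever you are permitted to poke.

```python
"""Triage an unknown blob pulled from an open port: random-looking data, or code?"""
from __future__ import annotations

import math
import socket
from collections import Counter

# The 312 bytes Firefox saved from 16001/tcp, copied from the hex dump in the post.
BLOB_HEX = """
cd 44 08 bc f4 44 ca 18   b5 d3 01 d7 d8 5b b4 5a
f9 31 c2 88 65 8c cd 07   0e 00 9a 9e 56 57 b1 a9
fa bf d5 0b aa 1a 7f f0   db c1 5f 4c f2 ab 77 3c
01 9b fd ea 79 73 e0 17   78 1c 7d 24 10 66 d5 e5
82 58 f8 5f d6 c7 1d 8d   52 b7 7b 68 22 8a 92 57
f9 e3 02 3a 52 d6 c5 71   a0 df c5 97 4b 2e 7d e3
2b 0d b4 79 cc 85 69 f1   34 1e c6 3b 12 c6 0b 95
08 c3 58 88 57 87 f5 6c   fb 02 57 f3 5b 6e 7c ed
25 f8 15 a0 a7 02 37 81   5b 56 bd b2 c6 b6 65 93
fe ac 36 5c 78 73 18 81   8e 75 84 c5 ff 7e e7 fe
d9 c3 c1 b8 9f 6a 33 a1   46 15 79 7a 5b b9 dd 2d
5d 7f b9 f3 e0 e5 74 ef   7c 4f 36 e8 23 7b d3 d6
0b b5 6f 8d 2d 57 44 4e   b3 70 7a 2f 88 2d a0 dd
0e df 3f 89 6c 8c 58 0a   71 e3 ad a1 ef ef 6e b4
8c 6f f7 02 88 a2 93 f6   ad 38 2f 16 47 2e ba 6d
1c 01 29 e1 4a f3 15 32   86 0c 22 33 41 d0 5e f3
14 8a 6b 36 36 13 d9 29   f6 7f 49 03 8c 59 12 bb
93 63 4e 67 65 70 63 05   6b ed 79 4f cd 92 d9 bc
62 53 00 82 30 5a c1 28   75 b3 8d 49 4b 0d ad bc
d1 ea b1 4e 05 b6 38 27
"""


def parse_hexdump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a uniform spread of all 256 values.
    Compiled code carries padding, small immediates and strings and usually sits well
    below that; compressed or encrypted payloads sit near the top."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def int_opcodes(data: bytes) -> list[tuple[int, int]]:
    """Every 0xCD byte read as x86 'INT imm8', as (offset, interrupt vector)."""
    return [(i, data[i + 1]) for i in range(len(data) - 1) if data[i] == 0xCD]


def triage(data: bytes) -> dict:
    """The numbers worth looking at before opening a disassembler."""
    return {
        "length": len(data),
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "printable_ratio": round(printable_ratio(data), 2),
        "int_opcodes": [(off, hex(vec)) for off, vec in int_opcodes(data)],
    }


def grab_blob(host: str, port: int, probe: bytes = b"GET / HTTP/1.0\r\n\r\n",
              timeout: float = 30.0, limit: int = 1 << 20) -> bytes:
    """What the browser did, done on purpose (assumed helper, not from the post):
    send one probe, then read until the peer closes, the timeout fires or the
    size cap is hit. Nothing is rendered or executed; the caller saves the bytes."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe)
        while total < limit:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    blob = parse_hexdump(BLOB_HEX)
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it and the blob comes out long on entropy and short on printable bytes, with its three INT opcodes at offsets 0, 22 and 284 carrying vectors nothing legitimate would call; that is the profile of an opaque payload (or an encrypted stream cut off at an arbitrary point), not of a program.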

I sent it to CWSandbox, which did its thing and then reported basically nothing.  The results are here (though I don’t know if they’ll be there permanently).  I’m a little confused now, because it reported no file changes, no registry changes and no network activity, but the results did include a pcap file (download it here) which itself doesn’t make much sense.  Maybe the CWSandbox system just happened to be checking for updates at that time or something.  An empty behaviour report is also exactly what you’d expect if the 312 bytes aren’t code at all: the wrapper would jump into them and fault almost immediately, before touching a file, a registry key or the network.

And that’s all I got out of it.   Maybe next time I get bored studying, I’ll install VirtualBox and give the program a whirl.  I’m not even sure it’s code.  It seems unlikely, but the VirusTotal results do make me wonder.  Or maybe it’s encoded data meant to somehow control the botnet.  Or maybe it’s just a normally functioning Gnome server, or whatever.  Mystery!

Categories: Malware
  1. August 8th, 2009 at 10:17 | #1

    Hey, I got spam too from
    here is the info from whois: http://ws.arin.net/whois/?queryinput=

  2. Jason hickam
    August 26th, 2009 at 16:18 | #2

    16001 is open for pulse audio for me
