cz32ts – an interesting banana!

I think I’ve found the cz32ts executable – VirusTotal has this to say about it. What is more interesting is what Anubis has to say about it – check out the Network Activity section.

Basically, the executable contacts a C&C server at 205.209.143.94 and uses the GETPHPURL command to fetch a list of URLs to attack. It then attempts SQL injection against each victim site, sending the executable's own file name as its User-Agent (every request in my capture carries the User-Agent i1, because that was the name of the executable I retrieved). Once the SQL injection tests have been carried out, it reconnects to the C&C server and reports the result of the attempt with the CMDPUTLINK command.

I have no idea how cz32ts.exe is distributed, but it would seem like the ideal thing for a dropper to pull down and set to run once on startup.

Anyone fancy shutting down 205.209.143.94?


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk


4 Responses to “cz32ts – an interesting banana!”

  1. I see about 14-15 attempts within the same minute from different IP addresses from cz32ts on an ASP site with error handling that catches these attempts.

    They come in bursts with days or weeks between. Previously it was from NV32ts as you write about.

  2. Hi Magnus,

    Make sure you check what’s in the error page. What cz32ts.exe is looking for is:

    |number|

    …in the response from your webserver. If something like this is anywhere on the error page, cz32ts will phone home to 205.209.143.94 to say that the site is vulnerable.

    alec

  3. FYI

    IP : 205.209.143.94 Neighborhood
    Host : ?
    Country : United States

    IP owner info (Whois)

    OrgName: Managed Solutions Group, Inc.
    OrgID: MSG-48
    Address: 45535 Northport Loop East
    City: Fremont
    StateProv: CA
    PostalCode: 94538
    Country: US

    ReferralServer: rwhois://rwhois.managedsg-inc.com:4321

    NetRange: 205.209.128.0 – 205.209.191.255
    CIDR: 205.209.128.0/18
    NetName: NET-MANAGED
    NetHandle: NET-205-209-128-0-1
    Parent: NET-205-0-0-0-0
    NetType: Direct Allocation
    NameServer: RDNS1.MANAGEDSG-INC.COM
    NameServer: RDNS2.MANAGEDSG-INC.COM
    Comment:
    RegDate: 2004-04-15
    Updated: 2006-03-17

    RAbuseHandle: ABUSE429-ARIN
    RAbuseName: MSG Inc Abuse
    RAbusePhone: +1-888-585-8889
    RAbuseEmail: abuse@managedsg-inc.com

    RTechHandle: MAT48-ARIN
    RTechName: MSG Arin Tech
    RTechPhone: +1-888-585-8889
    RTechEmail: tech@managedsg-inc.com

    OrgAbuseHandle: ABUSE429-ARIN
    OrgAbuseName: MSG Inc Abuse
    OrgAbusePhone: +1-888-585-8889
    OrgAbuseEmail: abuse@managedsg-inc.com

    OrgTechHandle: MAT48-ARIN
    OrgTechName: MSG Arin Tech
    OrgTechPhone: +1-888-585-8889
    OrgTechEmail: tech@managedsg-inc.com

    # ARIN WHOIS database, last updated 2009-11-27 20:00
    # Enter ? for additional hints on searching ARIN’s WHOIS database.

    • Hi Martin,

      I’ve already contacted their abuse mailbox, but I don’t hold out much hope. A quick Google search for “Managed Solutions Group” is most enlightening!

      alec
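As an added example (not part of the original post or the comments), here is defender-side detection logic for what the post and Alec's reply describe: it flags web-server log entries whose User-Agent is one of the bot names mentioned (cz32ts, NV32ts) or whose query string looks like an injection probe, and it checks whether an error page body contains the "|number|" marker that the bot reports as a hit. Assumptions: logs are in Combined Log Format, the injection heuristic is a constructed approximation (the page does not document the payload), and "number" is read as a run of digits between pipe characters.

```python
import re
from typing import Optional

# User-Agent strings the post and comments associate with this bot family.
# The UA is just the executable's file name, so a renamed copy (the post's
# sample used "i1") will not match here and relies on the query check below.
KNOWN_BOT_AGENTS = {"cz32ts", "nv32ts"}

# Crude injection heuristic for the query string (constructed for this
# example; the page does not document the bot's exact payload).
SQLI_HINT = re.compile(r"(%27|'|\bdeclare\b|\bcast\b|\bexec\b|\bunion\b)", re.I)

# Combined Log Format: ip - - [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line: str) -> Optional[str]:
    """Return a label for a suspicious request, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("ua").strip().lower() in KNOWN_BOT_AGENTS:
        return "known-bot-ua"
    path = m.group("path")
    query = path.split("?", 1)[1] if "?" in path else ""
    if query and SQLI_HINT.search(query):
        return "sqli-probe"
    return None

# Alec's reply: the bot treats "|number|" in the response as "vulnerable".
# Assumption for this example: "number" means a run of digits.
VULN_MARKER = re.compile(r"\|\d+\|")

def error_page_leaks_marker(body: str) -> bool:
    """True if this error page would make the bot report the site as vulnerable."""
    return VULN_MARKER.search(body) is not None

def scan(lines):
    """Map source IP to label for every suspicious line (benign lines dropped)."""
    return {LOG_RE.match(l).group("ip"): classify(l) for l in lines if classify(l)}

# Constructed sample log lines, not taken from the post's capture.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Nov/2009:10:01:02 +0000] "GET /index.asp?id=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [27/Nov/2009:10:01:03 +0000] "GET /index.asp?id=4 HTTP/1.1" 500 128 "-" "cz32ts"',
    '10.0.0.7 - - [27/Nov/2009:10:01:04 +0000] "GET /index.asp?id=4%27;declare%20@s%20varchar(255) HTTP/1.1" 500 128 "-" "i1"',
]

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG).items():
        print(ip, label)
    print(error_page_leaks_marker("DB error |1205| while processing request"))
```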
