cz32ts – an interesting banana!
I think I’ve found the cz32ts executable – VirusTotal has this to say about it. What is more interesting is what Anubis has to say about it – check out the Network Activity section.
Basically, the executable contacts a C&C server at 205.209.143.94 and uses the GETPHPURL command to fetch a list of URLs to attack. It then attempts SQL injection against each victim site, sending its own executable name as the User-Agent string (all of the requests in my capture have i1 as the User-Agent, because that was the name of the executable I retrieved). Once the SQL injection tests have been carried out, it reconnects to the C&C server and reports the result of the attempt using the CMDPUTLINK command.
I have no idea how cz32ts.exe is distributed, but it would seem like the ideal thing for a dropper to pull down and set to run once on startup.
Anyone fancy shutting down 205.209.143.94?
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk
13 November, 2009 at 13:11
I see about 14-15 attempts within the same minute from different IP addresses from cz32ts on an ASP site with error handling that catches these attempts.
They come in bursts with days or weeks between. Previously it was from NV32ts as you write about.
14 November, 2009 at 20:21
Hi Magnus,
Make sure you check what’s in the error page. What cz32ts.exe is looking for is:
|number|
…in the response from your webserver. If something like this is anywhere on the error page, cz32ts will phone home to 205.209.143.94 to say that the site is vulnerable.
alec
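The post describes how the bot probes a site (its executable name as the User-Agent, a SQL injection attempt, then a report back to the C&C server), and the reply above describes what it looks for in the response: a number wrapped in pipe characters. The Python script below is an added example, not code from the original post. It parses a few constructed combined-format access-log lines, flags requests whose User-Agent is one of the executable names mentioned on the page (cz32ts, NV32ts, or i1) or whose query string carries generic SQL-injection indicators (that keyword list is an assumption for the example, not taken from the page), and checks whether a given error page body would satisfy the bot's |number| test, which is the condition under which it would report the site as vulnerable. The log lines, IP addresses and error pages are all constructed.

```python
import re
from dataclasses import dataclass, field

# Combined-format access log line (Apache style; IIS W3C logs would need a
# different regex). The sample lines further down are constructed for this
# example and are not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The bot sends its own executable name as the User-Agent. The names here are
# the ones mentioned on the page: cz32ts, NV32ts, and "i1" (the author's
# renamed copy). Extend the list as new names show up in your logs.
BOT_UA_RE = re.compile(r'^(cz32ts|nv32ts|i1)(\.exe)?$', re.IGNORECASE)

# Generic query-string indicators of a SQL-injection probe. This keyword list
# is an assumption for the example, not something taken from the page.
SQLI_HINT_RE = re.compile(
    r"('|%27|\bunion\b|\bselect\b|\bcast\b|\bdeclare\b)", re.IGNORECASE
)

# The success marker the bot searches for in the response body: a number
# wrapped in pipe characters, e.g. "|12345|".
MARKER_RE = re.compile(r'\|\d+\|')


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    ua: str
    reasons: list = field(default_factory=list)


def analyse_line(line: str):
    """Return a Hit if the log line looks like a probe from this bot family,
    otherwise None. Lines that do not parse are ignored."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    reasons = []
    if BOT_UA_RE.match(m['ua'].strip()):
        reasons.append('bot user-agent')
    if SQLI_HINT_RE.search(m['path']):
        reasons.append('sqli-like query string')
    if not reasons:
        return None
    return Hit(m['ip'], m['ts'], m['path'], m['ua'], reasons)


def scan_log(lines):
    """Run analyse_line over an iterable of log lines and collect the hits."""
    return [h for h in (analyse_line(l) for l in lines) if h is not None]


def response_leaks_marker(body: str) -> bool:
    """True if this response body contains the |number| marker, i.e. the page
    would make cz32ts report the site as vulnerable to its C&C server."""
    return MARKER_RE.search(body) is not None


# Constructed sample data (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Nov/2009:13:11:02 +0000] '
    '"GET /products.asp?id=5%27 HTTP/1.1" 500 1203 "-" "cz32ts"',
    '203.0.113.8 - - [13/Nov/2009:13:11:03 +0000] '
    '"GET /news.php?id=7 HTTP/1.1" 200 4410 "-" "i1"',
    '198.51.100.20 - - [13/Nov/2009:13:12:44 +0000] '
    '"GET /index.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Two constructed error pages: one that echoes database output back to the
# client, one that returns a generic message only.
LEAKY_PAGE = "<html><body>Database error near '|7341|' in query</body></html>"
SAFE_PAGE = "<html><body>Sorry, something went wrong. Reference: E-500</body></html>"


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.ua!r} {hit.path} -> {', '.join(hit.reasons)}")
    print('leaky page satisfies bot test:', response_leaks_marker(LEAKY_PAGE))
    print('safe page satisfies bot test:', response_leaks_marker(SAFE_PAGE))
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the file; the User-Agent match is the reliable signal for this particular bot, while the query-string heuristic is noisy and only there to catch the same probes when the agent string changes. The response check is the one worth running against your own error pages: if a generic page never contains a pipe-wrapped number, the bot has nothing to phone home about.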
28 November, 2009 at 21:38
FYI
IP : 205.209.143.94 Neighborhood
Host : ?
Country : United States
Address information
This address is an IPv4 address.
address : 205.209.143.94
It is presented in decimal.
For other ways to format this IP address, you can open
the Unfold… Conversions (IPv4 / IPv6) folder below.
Related IP addresses
No data available…
IP owner info (Whois)
OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 45535 Northport Loop East
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
ReferralServer: rwhois://rwhois.managedsg-inc.com:4321
NetRange: 205.209.128.0 – 205.209.191.255
CIDR: 205.209.128.0/18
NetName: NET-MANAGED
NetHandle: NET-205-209-128-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Allocation
NameServer: RDNS1.MANAGEDSG-INC.COM
NameServer: RDNS2.MANAGEDSG-INC.COM
Comment:
RegDate: 2004-04-15
Updated: 2006-03-17
RAbuseHandle: ABUSE429-ARIN
RAbuseName: MSG Inc Abuse
RAbusePhone: +1-888-585-8889
RAbuseEmail: abuse@managedsg-inc.com
RTechHandle: MAT48-ARIN
RTechName: MSG Arin Tech
RTechPhone: +1-888-585-8889
RTechEmail: tech@managedsg-inc.com
OrgAbuseHandle: ABUSE429-ARIN
OrgAbuseName: MSG Inc Abuse
OrgAbusePhone: +1-888-585-8889
OrgAbuseEmail: abuse@managedsg-inc.com
OrgTechHandle: MAT48-ARIN
OrgTechName: MSG Arin Tech
OrgTechPhone: +1-888-585-8889
OrgTechEmail: tech@managedsg-inc.com
# ARIN WHOIS database, last updated 2009-11-27 20:00
# Enter ? for additional hints on searching ARIN’s WHOIS database.
28 November, 2009 at 21:47
Hi Martin,
I’ve already contacted their abuse mailbox, but I don’t hold out much hope. A quick Google search for “Managed Solutions Group” is most enlightening!
alec