Thursday, May 31, 2012


Just thought I'd drop a quick "blog turd" to get another hit from Google.

Long story short(ish): had a victim of some type of Russian malware, likely a password stealing bank Trojan.  The anti-virus was clueless.  Found one suspect DLL, deleted it, and another (the title of this post) appeared to take its place.  When I went to Google the name of this DLL, Google had nothing.  So I thought I'd take advantage of that as long as they came up with blanks.

This was a few days ago.  The situation hasn't changed.

There was some silly ASCII stuff inside the DLL, very similar to stuff I found in the first DLL.  I will share it with you here...

He standard alive cutting get cup, point itself sign, were waste establish in happened five, through balloon, smaller sing without thirty set between swim development Andy national without, citizen manufacturing quit fifth in wrong at still pencil egg falloff behind water above taught, threw, thing lips whale alive cutting get cup point breakup aboard went torn draw establish in build wear, five let separate wept, fur sing completely jar development under comeup Illinois above rest increase manufacturing thou lit will still pencil wound over drive falloff breakfast leader from Johnny lips whale alive cutting, get cup, point itself sign draw establish proper five let onto arrive smaller constantly of once development under, ancient, national inside fit before thou in let will, on ranch pencil wound happily movement leader thing lips, whale alive cutting get above, frame point itself between like were waste, establish burst, wear of kill let onto arrive into, spent fur sing, completely jar development Andy national without spread manufacturing quit at scared yet become on ranch pencil egg falloff, breakfast leader thing from bat whale above, clock cutting get above frame point out of offer sign, in comeup, Germany establish burst wear five bar smaller constantly set child development Andy. 

So there you have it.  Not sure what the point is, but the "pencil egg" theme, "thing lips", and "Andy" were in the first DLL as well.  Before you go and make a firewall rule with this data, be advised I don't know if this is the malware itself or part of the payload.  I don't have a full forensic environment (I work for Cheap Bastards), so studying it in depth was out of the question.  I opted to "nuke and forget", but I did keep both DLLs, just to see how long it will take for the AV companies to catch up.

"Flasad" could be construed to be a corruption of "Flash Ad".  Something had to download it to replace the original one that got deleted, so it's not 100% of the infection.  But I did find the text amusing, so there you have it.

Let me know if you got infected by this bug.  Drop a note and we'll compare results.

UPDATE 07/12/2012

This bugger was finally detected today as "Generic PWS.y!1e3" by an AV vendor who will remain nameless.


So I was right.  It was a password Trojan.

I'm never wrong.  And when I am I delete that post anyway so there's no proof.