Tuesday, February 7, 2012

Deutschen Post Strain 2 - Some information

Since this morning, as I am home sick, I have decided to give Strain 2 from my previous post a try.

I installed a Windows 2008 Standard in a virtual environment to run the malware.

It started by doing a DNS request for "kemolderin.com" (resolution 66.199.231.30 on 02/07/2012 at 2:09 EST). It then connected to that IP on port TCP/80 and did a "POST /wap/udp.php" with a very long string of data.

The answer from the server was "HTTP/1.1 302 Found", with a few extra bytes of data (c0 83 a4 1c 1d 5f 72 ab).

The fun thing is I tried to browse to the same page, but I was greeted with a "Suspended Domain".
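As an added illustration (not code from the original post), here is a small detector that scans DNS and proxy log lines for the indicators reported above: the domain kemolderin.com, the IP 66.199.231.30 and the POST to /wap/udp.php. The log format is an assumed, simplified one (timestamp, source host, event type, details), and the sample lines are constructed for the example. It matches on the IP and the URL path as well as the domain, since the domain itself may already be suspended or sinkholed by the time the logs are reviewed, and it does not flag a bare 302 response on its own.

```python
"""Detect the network indicators from the sandbox run in log lines.

Added example; the log format below is an assumption, not a real product's format.
Indicators come from the observed behaviour: a DNS lookup of kemolderin.com,
a connection to 66.199.231.30 and a POST to /wap/udp.php.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

IOC_DOMAIN = "kemolderin.com"
IOC_IP = "66.199.231.30"
IOC_PATH = "/wap/udp.php"

# Constructed sample log lines in the assumed format:
#   <timestamp> <source-host> dns query=<name> answer=<ip>
#   <timestamp> <source-host> http <method> <url> status=<code> bytes=<n>
SAMPLE_LOG = """\
2012-02-07T14:09:01 10.0.0.5 dns query=kemolderin.com answer=66.199.231.30
2012-02-07T14:09:02 10.0.0.5 http POST http://66.199.231.30/wap/udp.php status=302 bytes=1024
2012-02-07T14:10:00 10.0.0.7 dns query=example.com answer=93.184.216.34
2012-02-07T14:11:00 10.0.0.7 http GET http://example.com/ status=200 bytes=512
2012-02-07T14:12:00 10.0.0.9 http POST http://kemolderin.com/wap/udp.php status=302 bytes=1020
"""

DNS_RE = re.compile(r"^(\S+) (\S+) dns query=(\S+) answer=(\S+)$")
HTTP_RE = re.compile(r"^(\S+) (\S+) http (\S+) (\S+) status=(\d+)")


@dataclass
class Hit:
    timestamp: str
    host: str      # internal source host that produced the event
    reason: str    # which indicator matched


def scan(log_text):
    """Return a Hit for every line that touches one of the indicators."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, host, name, answer = m.groups()
            # Match either the name or the resolved IP: the name may change
            # or be suspended while the IP keeps serving.
            if name.lower() == IOC_DOMAIN or answer == IOC_IP:
                hits.append(Hit(ts, host, f"dns {name} -> {answer}"))
            continue
        m = HTTP_RE.match(line)
        if m:
            ts, host, method, url, status = m.groups()
            parsed = urlparse(url)
            dest = (parsed.hostname or "").lower()
            by_dest = dest in (IOC_DOMAIN, IOC_IP)
            by_path = method == "POST" and parsed.path == IOC_PATH
            # A 302 alone is not an indicator; it only adds context to a hit.
            if by_dest or by_path:
                hits.append(Hit(ts, host, f"{method} {url} (status {status})"))
    return hits


def hosts_by_hit_count(hits):
    """Summarise which internal hosts produced the matching events."""
    counts = {}
    for h in hits:
        counts[h.host] = counts.get(h.host, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h.timestamp, h.host, h.reason)
    print(hosts_by_hit_count(found))
```

Run against a real proxy or DNS export, the summary points at which internal machines need a closer look; the DNS hit alone is the earliest signal, since it precedes the POST.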

At this time, that's it folks. I will monitor the machine next time I reboot it, and I will try with a Windows XP as soon as I have one.