Hi all, Adam Thomas here from Sunbelt’s malware research team. I wanted to post a brief follow up to Alex’s earlier blog post re: the wave of “3D Screensaver” spam that we have been seeing.
Further investigation into this malware points back to the infamous malware loading group “Loads.cc”. Interestingly, the Loads.cc web site was taken off-line in late January after suffering a DDoS attack from a rival malware gang which utilized a Barracuda bot-net to perform its task.
While the “Loads.cc” domain (which is used by affiliates to sign up to have their malware installed by the botnet and monitor statistics) is no longer working (it resolves to 127.0.0.1), we were able to easily discover a new domain in use thus proving that Loads.cc is back in operation:
This malware gang is responsible for the distribution and installation of massive amounts of malware: spambots, keyloggers, DDoS bots, adware and rootkits. The whole kitten kaboodle. So, it cannot be stressed enough that this is very dangerous malware and to stay away from these Trojaned screensavers.
After installing the “screen saver”, the malware announces its presence by using an HTTP GET request for a PHP script. This PHP script (manda.php) may or may not return the URL of additional malware for the bot to retrieve and install – malware that other authors have paid Loads.cc to install.
GET http: //[removed].info/admin/manda.php?id=[user_id]&v=scr
The malware is then copied to the following location where it silently sits awaiting commands from the C&C server:
%HOMEDRIVE%\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
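As an added example (not part of the original post), the following Python routine scans proxy-log lines for the check-in described above (a GET for /admin/manda.php with id=… and v=scr) and reports the affiliate id, and checks file paths against the cftmon.exe drop location. The log line format, IP addresses, hostnames and ids are constructed for this example; the real host was redacted in the post.

```python
import re
from typing import NamedTuple
from urllib.parse import urlsplit, parse_qs

# Beacon shape from the post: GET http://<host>/admin/manda.php?id=<user_id>&v=scr
# The host was redacted, so match on the path and query string only.
BEACON_PATH = "/admin/manda.php"
# Tail of the drop location from the post; the name resembles the legitimate ctfmon.exe.
DROPPED_EXE = r"\local settings\application data\cftmon.exe"

class Beacon(NamedTuple):
    src: str
    host: str
    affiliate_id: str

# Assumed (constructed) log shape: "<src_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def find_beacons(lines):
    """Yield one Beacon per log line that matches the Loads.cc screensaver check-in."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["url"])
        if parts.path.lower() != BEACON_PATH:
            continue
        q = parse_qs(parts.query)
        # v=scr tags the screensaver lure; id is the affiliate/user id being credited.
        if q.get("v") != ["scr"] or "id" not in q:
            continue
        yield Beacon(m["src"], parts.hostname or "", q["id"][0])

def is_dropped_path(path):
    """True if a file path ends in the cftmon.exe drop location named in the post."""
    return path.lower().replace("/", "\\").endswith(DROPPED_EXE)

# Constructed sample log lines; hosts and ids are invented placeholders.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example-affiliate.invalid/admin/manda.php?id=1234&v=scr 200",
    "10.0.0.5 GET http://www.example.com/index.html 200",
    "10.0.0.9 GET http://example-affiliate.invalid/admin/manda.php?id=77&v=other 200",
    "10.0.0.7 POST http://example-affiliate.invalid/admin/manda.php?id=5&v=scr 200",
]

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"beacon from {b.src} to {b.host}, affiliate id {b.affiliate_id}")
```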
Traversing to the “admin” directory reveals this slick looking login page:
Also hiding out on the same domain is (potentially) another pay-per-install affiliate program:
The fun never ends . . .