Reader Kevin Branch wrote in to alert us to an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori. In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 220.127.116.11, which is indeed an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause, but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users", this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process.
The URL path (to be considered hostile) is: hxxp://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe.
MD5 hash: 9CBBAE007AC9BD4A6ACEE192175811F4
For those of you who may block or monitor for this, the updater request data follows:
GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
currently nine malware hits (9/46).
are rather damning, and as Kevin stated, Zeus-like. In particular the mutexes are very reminiscent.
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
Other filenames for this sample as seen in the wild:
Password and credential stealing are definitely in play, and I experienced ransomware activity in my sandbox; it hijacked my VM with the "This is the FBI, you have been blocked" warning. Awesome.
If you allow Sendori at all in your environments, it is recommended that you block update.sendori.com via web filtering for the time being.
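For those monitoring rather than blocking, the following is an added example (not part of the original diary) that sweeps web proxy logs for the updater request and checks a recovered file against the MD5 above. The log layout and sample lines are constructed, and treating Sendori-Client-Win32/ as the updater's User-Agent prefix is an assumption.

```python
import hashlib
import re

# Indicators taken from the diary text above.
BAD_MD5 = "9cbbae007ac9bd4a6acee192175811f4"
BAD_HOSTS = {"upgrade.sendori.com", "update.sendori.com"}
BAD_PATH = re.compile(r"/upgrade/[\d_]+/sendori-win-upgrader\.exe$", re.I)
BAD_UA = re.compile(r"^Sendori-Client-Win32/", re.I)  # assumed to be the User-Agent

# Assumed log layout (constructed for this example):
# timestamp client_ip method url status "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) https?://([^/\s:]+)(?::\d+)?(/\S*)? (\d{3}) "([^"]*)"$')

def classify(line):
    """Return the names of the indicators that one proxy log line matches."""
    m = LINE.match(line.strip())
    if not m:
        return []
    host, path, ua = m.group(4, 5, 7)
    hits = []
    if host.lower().rstrip(".") in BAD_HOSTS:
        hits.append("host")
    if BAD_PATH.search((path or "").split("?", 1)[0]):
        hits.append("path")
    if BAD_UA.match(ua):
        hits.append("user-agent")
    return hits

def affected_clients(lines):
    """Map client IP -> sorted indicators seen for that client."""
    out = {}
    for line in lines:
        hits = classify(line)
        if hits:
            out.setdefault(line.split()[1], set()).update(hits)
    return {client: sorted(h) for client, h in out.items()}

def md5_matches(data: bytes) -> bool:
    """True if a quarantined or carved file has the MD5 given in the diary."""
    return hashlib.md5(data).hexdigest() == BAD_MD5

SAMPLE = [  # constructed log lines using documentation-range client addresses
    '2000-01-01T10:00:00Z 192.0.2.10 GET http://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe 200 "Sendori-Client-Win32/2.0.15"',
    '2000-01-01T10:00:05Z 192.0.2.11 GET http://example.org/index.html 200 "Mozilla/5.0"',
    '2000-01-01T10:01:00Z 192.0.2.12 GET http://UPGRADE.sendori.com/check 200 "Sendori-Client-Win32/2.0.15"',
]

if __name__ == "__main__":
    print(affected_clients(SAMPLE))
```

A client that shows the "path" indicator actually requested the upgrader executable and is the one to prioritise for triage; "host" or "user-agent" alone only shows that Sendori is installed and checking in.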
Sendori replied to Kevin's notification; they are engaged and investigating:
Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact you if they need any additional information from you.
Thanks again for bringing this to our notice.
Sendori Support team
Thanks for sharing, Kevin.
Readers, if you spot similar or variations on the theme, please feel free to let us know.