This write-up contains many points that fellow researchers and the public services mentioned below should be aware of, since those services are being abused by this malware infection chain. I wrote it as fast as possible and am leaving the payload binary analysis and exploit analysis for later. Any help contacting the related abuse desks is very highly appreciated.
Infection Source:
First of all, the source of infection is the malicious code/scripts implemented on the IP and domain below, located in the OVH network in France. I really hope friends in France can help clean this IP of any malware infector toolkits installed:
Secondly, the infector chain starts from a Japanese IP under the domain shortening .biz:
This needs to be cleaned up too, though I think more infectors exist..
The background
It started while checking a suspicious URL, which I accessed in the browser as shown below:
I reproduced the access separately from the shell to record the log below (for the infection-source details), just to make sure we had everything in hand:
--2014-02-24 02:40:02-- h00p://shortening .biz/qnwr
Resolving shortening.biz... 59.106.171.55
Caching shortening.biz => 59.106.171.55
Connecting to shortening.biz|59.106.171.55|:80... connected.
:
GET /qnwr HTTP/1.1
Host: shortening.biz
HTTP request sent, awaiting response...
:
HTTP/1.1 301 Moved Permanently
Date: Sun, 23 Feb 2014 17:40:03 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e
Location: http://shortening.biz/qnwr/
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
:
301 Moved Permanently
Registered socket 4 for persistent reuse.
Location: http://shortening.biz/qnwr/ [following]
Skipping 302 bytes of body: [
301 Moved Permanently
Moved Permanently
The document has moved (A HREF="h00p://shortening .biz/qnwr/")here(/A)
Apache/1.3.42 Server at shortening.biz Port 80
] done.
:
--2014-02-24 02:40:03-- h00p://shortening .biz/qnwr/
GET /qnwr/ HTTP/1.1
Host: shortening.biz
:
HTTP/1.1 200 OK
Date: Sun, 23 Feb 2014 17:40:03 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e
Last-Modified: Thu, 23 Jan 2014 14:54:18 GMT
ETag: "1135-52e12d1a"
Accept-Ranges: bytes
Content-Length: 4405
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Content-Type: text/html
:
200 OK
Length: 4405 (4.3K) [text/html]
Saving to: ‘sample.mmd’
100%[=======================================================>] 4,405 --.-K/s in 0.009s
2014-02-24 02:40:03 (459 KB/s) - ‘sample.mmd’ saved [4405/4405]

Back in the browser, the address bar flickered briefly to the redirection URL, as shown below:
And this act is confirmed by the series of the html tag meta refresh code grepped below:

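As an added example (not part of the original write-up), the following Python script does in code what the trace above shows by hand: it parses a wget log into its redirect hops, pulls any meta-refresh target out of a fetched landing page, and defangs every URL for safe inclusion in an abuse report. The sample log lines are constructed from the trace above; the meta-refresh HTML is a constructed stand-in with a hypothetical host (example-redirect.invalid), not the page's actual landing page.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed input: the defanged wget trace above, trimmed to the lines this
# parser consumes (request markers, status lines, Location headers).
SAMPLE_WGET_LOG = """\
--2014-02-24 02:40:02--  h00p://shortening .biz/qnwr
HTTP/1.1 301 Moved Permanently
Location: http://shortening.biz/qnwr/
Location: http://shortening.biz/qnwr/ [following]
--2014-02-24 02:40:03--  h00p://shortening .biz/qnwr/
HTTP/1.1 200 OK
Content-Type: text/html
"""

# Constructed HTML carrying a meta-refresh hop (hypothetical host, not the real landing page).
SAMPLE_META_HTML = """\
<html><head>
<meta http-equiv="refresh" content="0;url=hxxp://example-redirect .invalid/next/">
</head><body>loading...</body></html>
"""

REQ_RE = re.compile(r'^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S.*)$')
STATUS_RE = re.compile(r'^HTTP/\d\.\d (\d{3})')
LOCATION_RE = re.compile(r'^Location:\s*(\S+)', re.I)
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.I)


def refang(url: str) -> str:
    """Undo common defanging (h00p/hxxp scheme, '[.]', ' .') so hops can be compared."""
    url = url.strip()
    url = re.sub(r'^h(?:00|xx)p(s?)://', r'http\1://', url, flags=re.I)
    return url.replace('[.]', '.').replace(' .', '.')


def defang(url: str) -> str:
    """Neutralise scheme and host dots so the URL cannot be clicked in a report."""
    m = re.match(r'^(https?)://([^/]+)(.*)$', url, re.I)
    if not m:
        return url.replace('.', '[.]')
    scheme, host, rest = m.groups()
    return f"{scheme.replace('tt', 'xx')}://{host.replace('.', '[.]')}{rest}"


def extract_hops(log_text: str) -> List[Dict[str, Any]]:
    """Group a wget log into one record per request: URL, first status code, first Location."""
    hops: List[Dict[str, Any]] = []
    current = None
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"url": refang(m.group(1)), "status": None, "location": None}
            hops.append(current)
            continue
        if current is None:
            continue
        m = STATUS_RE.match(line)
        if m and current["status"] is None:
            current["status"] = int(m.group(1))
            continue
        m = LOCATION_RE.match(line)
        if m and current["location"] is None:
            current["location"] = refang(m.group(1))
    return hops


def meta_refresh_targets(html: str) -> List[str]:
    """Return the URL part of every <meta http-equiv="refresh"> tag, refanged."""
    targets = []
    for content in META_REFRESH_RE.findall(html):
        m = re.search(r'url\s*=\s*(.+)$', content, re.I)
        if m:
            targets.append(refang(m.group(1).strip().strip('\'"')))
    return targets


def chain_report(log_text: str, landing_html: str = "") -> List[Tuple[Any, Any, Any]]:
    """Full hop list (HTTP redirects, then meta-refresh hops), defanged for reporting."""
    chain: List[Tuple[Any, Any, Any]] = []
    for h in extract_hops(log_text):
        loc = defang(h["location"]) if h["location"] else None
        chain.append((h["status"], defang(h["url"]), loc))
    for t in meta_refresh_targets(landing_html):
        chain.append(("meta-refresh", None, defang(t)))
    return chain


if __name__ == "__main__":
    for status, src, dst in chain_report(SAMPLE_WGET_LOG, SAMPLE_META_HTML):
        print(status, src, "->", dst)
```

Each hop keeps only the first status line and first Location header of its response, so the duplicated "Location: ... [following]" line wget prints does not create a phantom hop; feed the real landing page HTML as the second argument to append the meta-refresh stage to the same chain.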
What happened next? I was forwarded to a page with a video of "a lady in the bed", as captured below:
I was just about to praise how fortunate I was.. but the video soon stopped and a warning message came up, popping up a download of "Flash Player Setup".. as shown below:
The Path to Payload
Back in the shell, I reproduced the download page access for evidence:
That actually gave me the script below:

Now we know why I got that redirection: dropboxusercontent.com (the very bottom link) is serving the infection landing page, and I was redirected to it. I will explain this later on. There are also other conditions for another redirection, for mobile access and for the Opera browser, via GOO.GL short URLs. If we expand those short URLs for mobile and the Opera browser we get a better picture:

(I will have to leave it to other friends to check those two links more deeply..)
And this is the malware file downloaded if you match the desired conditions:
This payload is well detected by the AV industry, as shown in the VirusTotal result here-->>[link]
If you run the payload you get the following HTTP request and response:
The payload downloads a "config" containing the hash and URL of another malware file, as shown here:
Here's the "guncel.exe" malware download session in my shell.. a simple wget will do.. This could be an update mechanism of some sort.
This is the VirusTotal report for "guncel.exe": it is the same file as the original payload, and it also serves as evidence that the origin of the payload is wjetphp.com (46.105.55.251)-->>[link]. The detection rate for this VBA-based Trojan Downloader is not so bad after all, good work.
Below is an interesting trace of what this malware did in memory:
These are just some traces of the VBA calls used.. (during the creation of a registry key)
Quick analysis that might help fellow researchers and infected victims:
The payload downloads the background.js JavaScript from a URL planted in the binary, as per the traffic below:
The script is as I pasted here-->>[link]
↑You can clearly see the malicious traffic redirection scheme and the access URL of the landing page (origin of the infection) in that script..
The next traffic explains how this background.js is invoked: the file manifest.json was downloaded, and it declares how background.js is executed, granting several security privileges for the execution of the script itself..
Can you see the effort to fake a "Google Shockwave Player" (is there any such product??) in the execution of background.js above? Things are starting to make much more sense as to why so many Google-related "images" are used here.
PS: I will add more reversing notes later on, but let's move on a bit.. too little time.. there are more important parts to cover..
If we reproduce the landing page access in the shell, we get something like this:
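The following Python helper is an added example, not code from this write-up or from the malware, that audits an extension manifest.json the way a defender would triage one: it lists the background scripts the manifest wires up, flags the permissions that let an extension watch or rewrite browsing traffic, and notes a borrowed brand name in the extension title (the "Google Shockwave Player" trick described above). The sample manifest, the risk notes and the brand word list are constructed assumptions for the example, not the manifest captured in this analysis.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed example manifest: a hypothetical Manifest V2 extension that wires
# up a persistent background.js and asks for broad interception permissions.
# It is NOT the manifest.json captured in the write-up.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Google Shockwave Player",
    "version": "1.0",
    "background": {"scripts": ["background.js"], "persistent": True},
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})

# Real Chrome extension permission names; the one-line risk notes are this
# example's own assessment of why each matters for traffic redirection.
RISKY_PERMISSIONS = {
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "block, modify or redirect requests",
    "<all_urls>": "host access to every site",
    "tabs": "read and change the URL of any open tab",
    "proxy": "change proxy settings",
    "webNavigation": "track navigation across all sites",
    "cookies": "read and set cookies for permitted hosts",
    "management": "disable other extensions",
}

# Brand words a fake "player/plugin" extension typically borrows (assumed heuristic).
BRAND_WORDS = ("google", "adobe", "flash", "shockwave", "java", "microsoft")


def audit_manifest(manifest_json: str) -> Dict[str, Any]:
    """Summarise what an extension manifest lets its scripts do, with a simple risk score."""
    m = json.loads(manifest_json)
    bg = m.get("background") or {}
    scripts: List[str] = list(bg.get("scripts", []))
    if bg.get("service_worker"):          # Manifest V3 form of a background script
        scripts.append(bg["service_worker"])

    risky: List[Tuple[str, str]] = []
    for perm in list(m.get("permissions", [])) + list(m.get("host_permissions", [])):
        if perm in RISKY_PERMISSIONS:
            risky.append((perm, RISKY_PERMISSIONS[perm]))
        elif "://" in perm and "*" in perm:
            risky.append((perm, "wildcard host pattern"))

    cs_all_urls = any("<all_urls>" in cs.get("matches", [])
                      for cs in m.get("content_scripts", []))
    name = str(m.get("name", ""))
    brand = any(w in name.lower() for w in BRAND_WORDS)

    return {
        "name": name,
        "manifest_version": m.get("manifest_version"),
        "background_scripts": scripts,
        "persistent_background": bool(bg.get("persistent", False)),
        "risky_permissions": risky,
        "content_script_on_all_urls": cs_all_urls,
        "brand_impersonation_suspect": brand,
        "score": len(risky) + int(cs_all_urls) + int(brand),
    }


if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

A score of zero means the manifest declares nothing that could intercept traffic; the combination of a persistent background script with webRequestBlocking and <all_urls> is exactly what a redirection extension needs, so it is the pattern worth pulling the background script for.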
GET /s/pwuh8wdutwot4dg/rezillik.html HTTP/1.1
Host: dl.dropboxusercontent.com
:
HTTP/1.1 200 OK
accept-ranges: bytes
cache-control: max-age=0
Content-Type: text/html; charset=utf-8
Date: Sun, 23 Feb 2014 21:01:55 GMT
etag: 2n
pragma: public
Server: nginx
x-dropbox-request-id: ecd60af812734360278c876a87176a00
X-RequestId: 6f612d52e7e3c0e526aa4b355328e047
x-server-response-time: 202
Content-Length: 6841
Connection: keep-alive
:
---response end---
200 OK
Registered socket 4 for persistent reuse.
Length: 6841 (6.7K) [text/html]
Saving to: ‘sample4.mmd’

How did I get the payload downloaded, then?? Let's see the code inside the page. Well.. it seems I got hit by the timer function in this code:
The Google short URL is again used to hide the real malware payload URL, which is served via Google Code's SVN download!!

The download log can be seen in the follow-up section..
Well.. the bad guy behind this is really trying hard to convince the victim that some kind of Google application is being installed :-)
Conclusion
How to conclude this matter in general? Obviously well-known public internet services were targeted to spread this infection. Let me describe how many of those abused services were spotted in this single case:
Number one, amazonaws.com (property of Amazon AWS) is utilised by this actor for further bad purposes (see the mobile link and Opera browser link in the explanation above; whatever it is, it is not a good thing). We'd better warn Amazon AWS about this link.
Number two: dropboxusercontent.com (property of Dropbox, Inc.) is also utilised to serve the malware payload.
Is that all? No. Number three: see the domain in the payload URL, googlecode.com; this is abuse of Google Code's SVN facility.
More? Yes. The last one, number four: the goo.gl service, Google's URL shortener, is also abused to hide the URL of the malware payload.
Google Code has been abused to serve malware payloads of this threat series for quite a while; you can view the reports posted by our friend @sarimura (Twitter) to the Project Hosting on Google Code group in Google Groups-->[here]. They show how persistent the malware actor is in always creating a new Google project and using its download URL to serve the malware payloads. On the other hand, they show that the bad actor(s) leave many traces on Google Code servers while uploading the payloads (account ID, IP addresses, etc.).. a hint to follow, isn't it?
Sample
I share all samples, under the usual password; click the picture below to download:
Moral of the story: Our beloved internet and its services are badly abused by malware. Stay safe please!
PS: Comments and additions will be added in the follow-up section! It looks like this threat is bigger than expected, so I couldn't sleep again; gotta go to my day job now!
Follow Up
Please help suspend user "buexe-x" of GoogleCode, he is spreading malware via SVN - Attached=download log >@Google pic.twitter.com/FT8cXTFFkg
— MalwareMustDie, NPO (@MalwareMustDie) February 24, 2014
To: @sakura_server The site shown in the attached image is being abused for malware infection, and the IP is on one of Sakura's VPSs; could you handle it? Something serious has been happening from that URL → http://t.co/D6wJsYHCQf pic.twitter.com/2168JDJyBN
— Hendrik ADRIAN (@unixfreaxjp) February 24, 2014
Great follow-up, thanks for always responding so fast!
@unixfreaxjp Thank you for contacting us. We will look into it.
— Sakura Internet development insider (α) (@sakura_server) February 24, 2014
@MalwareMustDie I have been reporting files on @googlecode and they have ignored the last report, apparently: https://t.co/SubFwB6Lc4
— Salim Sarımurat (@sarimura) February 24, 2014
#MalwareMustDie!