Sunday, September 16, 2012

A peek into "qaqipwel.ru", a Malicious Domain Redirector with Pseudo/Dynamic IPs - Infector to the RedKit Exploit Kit

This is a quick one, so please bear with it. The information might be important for the people who are handling malware infector sites.

While handling a report that led to the RedKit Exploit Kit/Pack, I came across a domain that is actively redirecting users to the RedKit Exploit Kit's landing page.
This domain is qaqipwel.ru.

It uses pseudo (constantly changing) DNS for its NS and A records to avoid blocking/tracking, is currently up and alive, and has a strong DNS backbone that round-robins the IP/DNS addresses in order to distribute malware landing pages or spam pages.
I have tagged and checked this for only a couple of days so far to confirm the redirection activities above. Here are the details. (Warning: this might not be too interesting for client security solution people, and I am not going to discuss the RedKit Exploit Kit itself in this post; please see this link for the details: RedKit Exploit Kit Information --->> HERE)

The URL served by qaqipwel.ru changes; currently it is:
h00p://qaqipwel.ru/count22.php
If you follow it you will end up at these redirections (observed over the last 24 hours):
h00p://sa-wan.com/93020006.html // RedKit EK Landing Page
h00p://cestasefloresluana.com.br/30400006.html // RedKit EK Landing Page
h00p://mytabletcialis.com/ // Cialis/Viagra site
h00p://goherdscan.com/  // Canadian Pharmacy
As a PoC, when fetching the infector page you will see several redirection tricks, like these:

Case 1
--15:35:30-- h00p://qaqipwel.ru/count22.php
           => `count22.php'
Resolving qaqipwel.ru... 77.38.198.12
Connecting to qaqipwel.ru|77.38.198.12|:80... connected.
HTTP request sent, awaiting response... 302
Location: h00p://sa-wan.com/93020006.html [following]
--15:35:33-- h00p://sa-wan.com/93020006.html
           => `93020006.html'
Resolving sa-wan.com... 72.167.232.75
Connecting to sa-wan.com|72.167.232.75|:80... connected.
Case 2
--15:49:39-- h00p://qaqipwel.ru/count22.php
           => `count22.php.1'
Resolving qaqipwel.ru... 77.90.120.34
Connecting to qaqipwel.ru|77.90.120.34|:80... connected.
HTTP request sent, awaiting response... 200
Length: 146 []
15:49:40 (0.00 B/s) - `count22.php' saved [146/146]

HTTP/1.1 200
Server: Apache
Content-Length: 142
Content-Type:
Last-Modified: .., 16 ... 2012 06:42:12 GMT
Accept-Ranges: bytes
Server: nginx/0.8.34
Date: Sun, 16 Sep 2012 06:42:15 GMT
X-Powered-By: PHP/5.3.2
<!DOCTYPE HTML><html><head>
<script type="text/javascript">
parent.location.href = "h00p://goherdscan.com/";</script>
:
Case 3 (via Tor)
--2012-09-16 15:16:04-- h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 302
Location: h00p://cestasefloresluana.com.br/30400006.html [following]
--2012-09-16 15:16:12-- h00p://cestasefloresluana.com.br/30400006.html
Connecting to localhost (localhost)|::1|:8118... connected.
Case 4
--2012-09-16 15:20:10-- h00p://qaqipwel.ru/count22.php
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|::1|:8118... connected.
Proxy request sent, awaiting response... 200
Length: 146 []
Saving to: `count22.php'
100%[=============>] 146 361B/s in 0.4s
Last-modified header invalid -- time-stamp ignored.
2012-09-16 15:20:12 (361 B/s) - `count22.php' saved [146/146]

$ cat count22.php
<!DOCTYPE HTML><html><head>
<script type="text/javascript">
parent.location.href = "h00p://mytabletcialis.com/";</script>
:
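Both tricks shown in the four cases (a server-side 302 with a Location header, and a 200 whose tiny HTML body assigns parent.location.href) can be pulled out of a captured response without executing any JavaScript. The following Python is an added example, not code from the original post: the two raw responses are constructed from the Case 1 and Case 2 captures above (with h00p restored to http), and the meta-refresh handling goes slightly beyond what the post shows.

```python
import re

# Constructed responses modelled on the post's Case 1 (302) and Case 2 (200 + JS).
CASE1_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://sa-wan.com/93020006.html\r\n"
    "Content-Length: 0\r\n\r\n"
)
CASE2_200 = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/5.3.2\r\n\r\n"
    '<!DOCTYPE HTML><html><head><script type="text/javascript">\n'
    'parent.location.href = "http://goherdscan.com/";</script>\n'
)

# Client-side redirect idioms a tiny redirector page tends to use.
JS_REDIRECT = re.compile(
    r'(?:parent|top|window|self|document)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_target(raw):
    """Return (mechanism, next_url) for the hop a browser would take, or None
    if the page is terminal. A 3xx Location wins; otherwise the body is scanned
    statically for a location assignment or a meta refresh (no JS is executed)."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return ("http-3xx", headers["location"])
    m = JS_REDIRECT.search(body)
    if m:
        return ("javascript", m.group(1))
    m = META_REFRESH.search(body)
    if m:
        return ("meta-refresh", m.group(1))
    return None
```

Feeding each captured hop back into redirect_target() reconstructs the chain from count22.php to the landing page or pharmacy site without loading anything in a browser.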
If you look up the domain registration, it shows this data:
IP: 62.84.60.2
INET: 62.84.60.0/22
AS: AS39824
ISP: ALMANET-AS JSC AlmaTV
Country: Kazakhstan
State/Region: Almaty City
City: Almaty
Latitude: 43.25
Longitude: 76.95
Whereas in reality the A records look like these:
Pseudo A (IP) records observed in practice (partial list):
and so on (233 IPs counted as of Sept 17th, 2012).
And the official DNS registration was:
domain: QAQIPWEL.RU (A records per NS changes)
nserver: ns1.chokode.com. 3545 IN A 217.144.208.27
nserver: ns2.chokode.com. 3469 IN A 175.194.252.182
nserver: ns3.chokode.com. 3394 IN A 87.110.121.10
nserver: ns4.chokode.com. 3394 IN A 178.155.43.251
nserver: ns5.chokode.com. 3600 IN A 111.184.220.233
nserver: ns6.chokode.com. 3394 IN A 94.53.46.22
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: http://www.webdrive.ru/webmail/
created: 2012.09.06
paid-till: 2013.09.06
free-date: 2013.10.07
While in practice you will get these random DNS records:
Domain Queried : qaqipwel.ru
Tracing to qaqipwel.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 | |\___ ns1.chokode.com [qaqipwel.ru] (91.187.182.249) Got auth.answer
 | |\___ ns2.chokode.com [qaqipwel.ru] (46.229.107.36) Got auth.answer
 | |\___ ns3.chokode.com [qaqipwel.ru] (89.115.162.87) Got auth.answer
 | |\___ ns4.chokode.com [qaqipwel.ru] (109.87.58.1) Got auth.answer
 | |\___ ns6.chokode.com [qaqipwel.ru] (94.41.4.214) Got auth.answer
 |  \___ ns5.chokode.com [qaqipwel.ru] (89.115.162.87) (cached)
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 | |\___ ns6.chokode.com [qaqipwel.ru] (194.54.180.242) Got auth.answer
 | |\___ ns2.chokode.com [qaqipwel.ru] (46.211.255.80) Got auth.answer
 | |\___ ns4.chokode.com [qaqipwel.ru] (93.114.88.159) Got auth.answer
 | |\___ ns1.chokode.com [qaqipwel.ru] (180.149.212.148) Got auth.answer
 | |\___ ns3.chokode.com [qaqipwel.ru] (77.221.76.117) Got auth.answer
 |  \___ ns5.chokode.com [qaqipwel.ru] (114.25.144.116) Got auth.answer
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 | |\___ ns6.chokode.com [qaqipwel.ru] (89.102.91.73) Got auth.answer
 | |\___ ns5.chokode.com [qaqipwel.ru] (88.222.161.159) Got auth.answer
 | |\___ ns4.chokode.com [qaqipwel.ru] (93.114.88.159) (cached)
 | |\___ ns3.chokode.com [qaqipwel.ru] (180.149.212.148) (cached)
 | |\___ ns2.chokode.com [qaqipwel.ru] (93.105.30.91) Got auth.answer
 |  \___ ns1.chokode.com [qaqipwel.ru] (89.40.57.110) Got auth.answer
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
 |\___ f.dns.ripn.net [ru] (193.232.156.17)
 | |\___ ns6.chokode.com [qaqipwel.ru] (111.184.220.233) Got auth.answer
 | |\___ ns1.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
 | |\___ ns3.chokode.com [qaqipwel.ru] (46.160.95.107) Got auth.answer
 | |\___ ns5.chokode.com [qaqipwel.ru] (111.34.117.125) Got auth.answer
 | |\___ ns2.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
 |  \___ ns4.chokode.com [qaqipwel.ru] (37.205.75.204) Got auth.answer
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
  \___ d.dns.ripn.net [ru] (194.190.124.17)
   |\___ ns3.chokode.com [qaqipwel.ru] (75.64.99.215) Got auth.answer
   |\___ ns5.chokode.com [qaqipwel.ru] (89.39.7.1) Got auth.answer
   |\___ ns4.chokode.com [qaqipwel.ru] (89.40.57.110) (cached)
   |\___ ns6.chokode.com [qaqipwel.ru] (91.187.181.6) Got auth.answer
   |\___ ns1.chokode.com [qaqipwel.ru] (109.87.58.1) (cached)
    \___ ns2.chokode.com [qaqipwel.ru] (89.102.91.73) (cached)
Please see how the IP address of each NS host keeps changing from one authoritative answer to the next. Additionally, some DNS delegation information:
+-d.dns.ripn.net (194.190.124.17)
| +-e.dns.ripn.net (193.232.142.17)
| | +-f.dns.ripn.net (193.232.156.17)
| | | +-ns.ripn.net (194.85.105.17)
| | | | +-ns2.nic.fr (192.93.0.4)
| | | | | +-ns5.msk-ix.net (193.232.128.6)
| | | | | | +-ns9.ripn.net (194.85.252.62)
| | | | | | |
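The changing NS addresses the trace shows can be measured instead of eyeballed. The following Python is an added example, not from the original post: it parses dnstracer-style records (the embedded TRACE is a reformatted subset of the trace above) and summarises, per NS name, how many addresses it was seen with, which addresses are shared between NS names, and how scattered they are. The /16 grouping and the likely_flux rule are this example's own heuristics, not the post's method.

```python
import re
from collections import defaultdict

# Constructed excerpt of the trace above (one record per line): the same NS host
# name comes back with a different address depending on which .ru server answered.
TRACE = """\
a.dns.ripn.net [ru] (193.232.128.6)
  ns1.chokode.com [qaqipwel.ru] (91.187.182.249) Got auth.answer
  ns2.chokode.com [qaqipwel.ru] (46.229.107.36) Got auth.answer
  ns3.chokode.com [qaqipwel.ru] (89.115.162.87) Got auth.answer
  ns5.chokode.com [qaqipwel.ru] (89.115.162.87) (cached)
b.dns.ripn.net [ru] (194.85.252.62)
  ns1.chokode.com [qaqipwel.ru] (180.149.212.148) Got auth.answer
  ns2.chokode.com [qaqipwel.ru] (46.211.255.80) Got auth.answer
  ns3.chokode.com [qaqipwel.ru] (77.221.76.117) Got auth.answer
  ns5.chokode.com [qaqipwel.ru] (114.25.144.116) Got auth.answer
"""

# "<host> [<zone>] (<ipv4>)" at the start of a record; tree glyphs (|\___) are skipped.
NS_LINE = re.compile(r"^[\s|\\_]*(\S+)\s+\[([^\]]+)\]\s+\((\d+\.\d+\.\d+\.\d+)\)")


def ns_addresses(trace, zone):
    """Map each name server of `zone` to every IPv4 address it was seen with."""
    seen = defaultdict(set)
    for line in trace.splitlines():
        m = NS_LINE.match(line)
        if m and m.group(2) == zone:
            seen[m.group(1)].add(m.group(3))
    return dict(seen)


def flux_report(trace, zone):
    """Summarise how unstable the zone's NS addresses are. A stable delegation
    gives one address per NS name; the pattern in the post shows several addresses
    per name, addresses shared between names, and addresses scattered across /16s."""
    addrs = ns_addresses(trace, zone)
    by_ip = defaultdict(set)
    for ns, ips in addrs.items():
        for ip in ips:
            by_ip[ip].add(ns)
    nets16 = {".".join(ip.split(".")[:2]) for ip in by_ip}
    return {
        "multi_addr_ns": sorted(ns for ns, ips in addrs.items() if len(ips) > 1),
        "shared_ips": sorted(ip for ip, nss in by_ip.items() if len(nss) > 1),
        "distinct_ips": len(by_ip),
        "distinct_slash16": len(nets16),
        "likely_flux": len(by_ip) > len(addrs) and len(nets16) > 1,  # heuristic
    }
```

Running the full trace above through flux_report() (the regex accepts the tree glyphs as-is) gives a per-NS picture that a periodic re-run can track over time, which is the kind of signal a static blacklist entry cannot capture.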
This infected URL was uploaded to urlquery here --->> [CLICK]. Currently we have only weak detection of qaqipwel.ru in the blacklist.

Conclusion: such professional malicious redirector providers currently exist. The domain names below are the ones used for this evil purpose:
nujqamdi.ru axbuzyg.ru aldiplil.ru uqnymtyq.ru bawodnes.ru gezahcyg.ru cilcenok.ru vecvycte.ru irroxux.ru unxajen.ru meewxib.ru deqbyyq.ru byxkauv.ru qovizki.ru huenhaz.eu axbuzyg.ru kykufep.ru luxypuj.eu (↑ domains detected up to the time this post was written)
The observed variations of the filename "count$.php" are listed below:
count4.php count20.php count21.php count19.php count18.php count16.php count17.php count14.php count5.php count13.php count11.php count12.php count25.php count6.php count15.php (↑ landing pages detected up to the time this post was written)
Domain names can be changed and the IP addresses change pseudo-randomly/dynamically. We cannot depend on blacklists anymore to nail this kind of infector.
