Wednesday, November 13, 2013

MMD #Tango Down of 44 + 19 + 75 CryptoLocker CnC Domains

This is the report of an effort in our MalwareMustDie Tango Down, initiated and finished by @essachin (well done!) in response to a request about known (read: old/used) CryptoLocker domains. FYI: we follow the same suspension process on a daily basis, in smaller batches, for ZeuS/Zbot, Citadel (and other banking trojans), botnet domains (Kelihos, Kuluoz, ZeroAccess, VLX, Pony, etc.) and Exploit Kits (Nuclear, Neutrino, Magnitude, etc.).

So, to be clear: NO SPECIAL OPERATION or treatment to shut down/take down the CryptoLocker (CL) malware CnC hosts was executed via this suspension, since all of the resources we have were taken up by the OP Kelihos takedowns, to PoC the relation between the CnC list and the payload served by that botnet (please note this, since the press media wrote a different, wrong version that turned this routine domain suspension into an operation to shut down CL).

Our MMD mission is to stop bad people from using the internet, and requesting suspension of domains is one of the methods we use to stop malicious action on our beloved internet and to help the collective evidence-gathering effort for Law Enforcement. We publish the suspended CL domains in this post to share them and make it easier for fellow researchers and the AV industry to trace the status of CL's suspended domains, so the good guys can focus on the currently active and alive ones.

This all started with the report on Twitter from @ax0n, as snipped below:

The details of the suspended domains are as below:
afuxiuwttqpk,net
birtiwloyxlevi,com
brvjexaqfymnu,biz
byoluqqhvjsbnqa,org
ciecxcsbdldwx,net
conlutvbuvdrag,org
cutwdfsdcbfco,biz
cxdqqqusirolw,org
ddbmdffeglno,org
digvfgleengor,net
dilkqddvhstlnwe,net
djttjtiitnta,biz
dprlmrklnebppd,org
ecsombjlbjwgf,com
eyebjjtyvkaulgh,org
gjbgpjmsgflwwvx,org
htmemnwkvdiutet,biz
kdcvlslmyurory,biz
lsjpkatguitaohx,biz
lwvpgiabehxt,org
mehtwwwlnxiv,net
msiwfokeytsw,net
mubfexctuvmdt,biz
o2i2394073g2oh2b34,com
ofcxlybtofglm,org
pasnepjktwbcmwo,org
prwxcrswstle,org
qtcexpbgcusfp,com
qvvmhsxxidvjmil,biz
rwyngtbvunfpk,org
snnwkglbfvqvo,biz
stmdjbsbhojxp,net
tlsylihoxxmvc,org
topbmwwlkbokmn,com
ubrqsiirkqug,net
udvdjsdnmnisj,biz
vccpdadcaygc,biz
vvometmplvjwh,biz
wifgslrwgvxwsy,com
xqmrainncxrwho,net
xvaxsxbptmerjb,com
ywcqdulkrequqxt,net
ywculygjuxhxtsh,net
sypdwysctilgr,net
All domains listed above are also confirmed blocked by SURBL and Spamhaus, as can be seen in the list here-->>[PASTEBIN], and confirmed against the overall infected CnC URLs posted on VirusTotal-->>[HERE], supported by the reference of the good CIS Alert reports in: [1] and [2]

The domains were suspended with the confirmation below:

We also announced the suspension on Twitter, below:

First additional batch: 19 CryptoLocker domains suspended (3 of these needed a double suspension effort, see the note below)

*) Note: the domains conlutvbuvdrag,org , htmemnwkvdiutet,biz and ddbmdffeglno,org required a double suspension effort.

Second additional batch: 75 CryptoLocker domains suspended

The domains below are confirmed suspended:

sypdwysctilgr,net
qwlpubwopsyj,org
xeogrhxquuubt,com
qaaepodedahnslq,org
txeuntcemcwj,biz
nssnplfkwamjkut,net
qqkoluhwexlr,biz
afmkdchedjkcai,org
ueymssvirqnwqqs,net
vbitnxdgsiwg,biz
sbfuwsxasjkp,net
asrktkfsixcyosb,org
dakpicuylsrfcl,biz
wojscmlfgvhw,net
uoerpkaffwnds,org
lajrsftcupiutoq,com
obgdchdlifmic,net
nuafhowbvpmgbn,net
wnoctmckyrtbou,org
aycysyspcpvwgtw,biz
qhqmhxuhapgkaq,biz
pahwvolnihur,biz
jyyfmnefedjogsh,biz
qjtwguxajaqqhu,org
rtqajjkivmltosy,org
lrexdcwwpyny,biz
nnpiceisyfgiprh,org
xtagmlgwrrqsto,biz
fyflgkbdydnf,biz
jebounnlykpt,org
vahroshwfnih,org
dookhuvnmgamvgr,net
kdsdsapurvgf,biz
rcoxshllfoldxie,org
lwxmytwfuwuk,net
ubnxaasfigrbhj,biz
hhmcyfspicpt,biz
xlftmqxqcekyip,org
lcvvmgpdfbty,biz
wypqdsmpfvuq,org
ewkovrirsprw,org
fukpbxfgejfllr,biz
bkfekyhvftxkwd,biz
nxosmtaifwud,org
emrsmpipfrtu,biz
qdbvwfnyurewx,com
gaeaglgxkkws,biz
jpkpiichjjdm,org
cmjbewheycxmr,net
vmkstanptubqm,net
rvkpjfyxpsocbsn,org
tsgmgrofgsbqtuw,com
myourlqubgdxles,org
suanecwngxhufr,biz
axugjsdemnjuso,org
mjyiemuobcwrxq,net
oxwqodvowcgr,biz
oamurnwjrrap,net
klnvbfainjtibmn,org
ybmdqshtbarpvxx,net
rntkondhjwybkja,com
iismgwmmwjvuka,org
uobuwcfaoerojos,net
feyrckkwwjymeo,org
megabigcashnow,com
devilhell13,com
qtqhbembdaeyrl,net
xpdvggfglnqa,com
odxrjkgnahebp,biz
gktibioivpqbot,net
dywpplmanlmsu,org
vaategmcgbpimoa,net
wshufkvuruwxsua,com
ismocallden,in
kwajtnjddqetolh,biz
Thanks to Mikko for the tweet:


#MalwareMustDie!!

Friday, November 8, 2013

A Step by Step Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)

Background

Not so long ago, during my recovery (I had eye surgery recently), I posted in our pastebin a disclosure of the ESD.PHP malware redirector, "The Server Side's Evil Code"; the link is here-->>[MMD Pastebin]. It was a good post and received many questions. The main questions asked were obviously (1) how this threat's redirector ACTUALLY works (in an actual example), and (2) how to decode (read: crack) it from a practical point of view, on which I took a rain check for quite a while. Today, while sorting all of my pending research tasks, I found the issue again, so this write-up will hopefully answer those curiosities and can be used as a reference for decoding and mitigating similar threats.
So today we are going to play a lot with JavaScript and then switch to PHP code.

I must warn you that I am not a natural coder in those two languages, so please bear with "my way" of decoding.

Infection

It started with a local site (snapshot below) that was detected as infected by the CookieBomb script injector:

Some JavaScript was called from this site, as per the captured traffic below:

Code Analysis

I found two types of CookieBomb code injected in that site, an older one and "a bit" more recent ones (note the plural: multiple injections were detected). The obfuscation uses the same kind of generator, as snipped below. Not many differences can be spotted between those evil codes, can they?

But after deobfuscation the differences appear; for your convenience I compare the deobfuscated codes below:

These are obviously CookieBomb codes, so let's see where they go. The older one looks like it has been in the site for quite a while, and the exploit kit it pointed to no longer exists, so I skipped it.

Spoofing a CookieBomb ;-)

OK. Let's pay attention to the newer code.
Let's assemble a request that satisfies the conditions and values this injector expects. Any tool or command line can be used for this purpose (I used several methods and got the same result), but I prefer to use the shell for this operation, so I can adjust things here and there. The access is as seen in the successful attempt below:

Obviously an HTTP/1.0 500 Internal Server Error occurred; some automation may stop reading after the error, but the rest of the response is all I need: the data part contains two blobs of code, explained below:

Now the partial form of the ESD.PHP code is visible; let's crack it. It is not so difficult.

Decoding the threat

As we saw, the two blobs of code are not JavaScript anymore; they are PHP, and an ESD script. So let's open the reference of the previously disclosed server-side script here-->>[MMD Pastebin]. All you have to do is basically apply the pattern I pasted in the pastebin to this one. The step-by-step method is:

Take the Array blob and put it into the modified PHP script below:

And let's run it. You'll get values similar to the ones below, which I separated into sections for better understanding:
You can also run it in any PHP environment to get the output below:

Moving along, we will need to fill these variables:

$key    = _862170111(0);
$Salt   = _862170111(1);
$Gamma  = _862170111(2);
Use the "cracked key" part decoded above to learn the threat's actual destination (for redirection), and the FORM information decoded above to learn the operation performed by this threat.

Now for extracting the key parts: using the decoded array values we know that the values are:

$key    = 'gYwQF6jN';
$Salt   = 'LtgkD';
$Gamma  = '';
Now fill those variables with their values in the script below to generate $c, which is the key to everything:
<?php
// $cfg is the base64 blob taken from the decoded array above (not reproduced here); paste it in.
$cfg  = '';
$key  = 'gYwQF6jN';

// Stream cipher used by ESD.PHP: the keystream ($Gamma) is derived by chaining
// sha1() over (gamma so far . previous block . salt), 8 bytes per round, and
// XORed with the input. The same routine both encrypts and decrypts.
function string_cpt($String, $Password)
  {
    $Salt   = 'LtgkD';
    $StrLen = strlen($String);
    $Seq    = $Password;
    $Gamma  = '';
    while (strlen($Gamma) < $StrLen)
      {
        $Seq = pack('H*', sha1($Gamma . $Seq . $Salt));   // raw 20-byte digest
        $Gamma .= substr($Seq, 0, 8);
      }
    return $String ^ $Gamma;   // PHP string XOR, truncated to the shorter operand
  }

$c    = string_cpt(base64_decode($cfg), $key);

print "$c";
And all we have to do is execute the script to get the output below:

Let's put the values into the exact slots in the cracked FORM above to fill the matrix and understand what this is all about:

Well, obviously the infection will redirect the user to IP 5.152.200.50, requesting 5.152.200.50/wds/ohlo.php, with a failover to http://localhost/. Note that we need the values KEY:'1lwk8Ch7tUUKQyO' and ID:'28435' for further research; the code below shows the POST request that will be executed using all of the values in the matrix above:

Yes, we have the redirection, obtained by reversing without simulating the infection. The point of this post is to give IR friends a reference for investigating this infection, and also, by understanding this decoding method, hopefully many filtering rules can be applied to prevent the wide infection of the latest CookieBomb using ESD.PHP logic.

Epilogue

Thanks to @kafeine for grabbing the server-side code and allowing me to pastebin it, to the MMD Germany team (can't mention more) for the PHP code discussion, and to all MMD folks; you all rock.
Additionally, for your information, CookieBomb is a serious threat: it is operated by automation, as per the Twitter snapshot snipped below, and it is related to a much bigger threat that drives many more infections with exploitation tools, with or without botnets. I hope this threat will also be prioritised more.

Feel free to ask in the comments; they are moderated for security purposes. Ah, BTW, please don't worry about this disclosure: even though the bad actors will change the threat's logic after I release it, their level isn't that high, and we can easily crack them again, and again, and again. Have faith, friends!

#MalwareMustDie

Tuesday, November 5, 2013

MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer with New ASCII Obfuscation in POST Destination URL

Background

Yes, it is not news to hear about WordPress or other PHP-based CMS getting hacked with malicious injected code.

The hacked sites are injected with code scattered inside the WordPress PHP files, which is obviously a hard-to-find quest, with the (mostly) three-step goal of (1) compromising the server, (2) implementing backdoors and (3) using them for further maliciousness.

This post covers one of the popular schemes at the initial stage of a compromised site: using the cURL library and a FORM/POST request to upload the credentials grabbed by reading the wp-config.php data (the site's database name, username and password) as the hacker's first step, followed by (not covered here) a remote-execution script (mostly involving tweaks of the web server security settings in .htaccess or other WP components) that is triggered by spam or by redirection from another hacked site's non-PHP (i.e. JavaScript) evil code. Here we go:

The Code

I received a heads-up from fellow crusaders (thank you for the good report) who detected a new method of obfuscating the evil backdoor code (in this case, the POST destination site). Obliged to spread the info around, I wrote this post. The evil code was detected in the file functions.php, as snipped below:

The malicious code above grabs credentials by reading the config in wp-config.php, then prepares a file for upload, then uses the FORM method to upload the data (with the obfuscated destination URL), and builds the blog's path, wrapping it all together to be POSTed via PHP's cURL library.
The detailed breakdown of the code with explanation is as below:

The obfuscation used, in the red-marked area, can be decoded manually by using the ASCII table here-->>[LINK], or, as I did, by following and tweaking the original code to de-obfuscate it, as per the following code:

Which, in "$ty", burps out the bad URL (jinxed for security purposes) below:
ht tp : // thedojoreviews .com / post.php

OK, what we have here is a theft case, a real credential and privacy stealing case, which needs to be followed down to the individual bad actor (read: moron) who implemented this threat.

Alive PoC

Currently the URL is up and alive, as shown in URLQuery (thanks always, guys!), with no bad activity detected:

URLQuery link is here-->>[LINK]

Network Investigation

For legal purposes, below is the information needed to file this as a cyber-crime case:

The domain registration record of THEDOJOREVIEWS.COM

Domain Name: THEDOJOREVIEWS.COM
Registrar: CRAZY DOMAINS FZ-LLC 
Whois Server: whois.syra.com.au
Referral URL: http://www.crazydomains.com
Name Server: NS21.CHEAPHOSTINGBD.COM
Name Server: NS22.CHEAPHOSTINGBD.COM
Status: ok
Updated Date: 10-oct-2013
Creation Date: 06-feb-2013
Expiration Date: 06-feb-2014
The registrant data:
Registrant Details..:
Registrant Name.....: Thomas Jacob
First Name..........: Thomas
Last Name...........: Jacob
Address Line 1......: The Alm
Address Line 2......: monte Lane
City................: Aluva
State...............: Kerala
Country.............: IN
Post Code...........: 683102
Phone...............: (+91) 9447024365
Fax.................: (+)
Email Address.......: rocker7887i@gmail.com
The current IP used:
THEDOJOREVIEWS.COM. 14400 IN A 178.239.55.123

;; ANSWER SECTION:
THEDOJOREVIEWS.COM. 21600 IN SOA ns21.cheaphostingbd.COM. zahid230.gmail.COM. 2013101004 86400 7200 3600000 86400
THEDOJOREVIEWS.COM. 21600 IN NS ns21.cheaphostingbd.COM.
THEDOJOREVIEWS.COM. 21600 IN NS ns22.cheaphostingbd.COM.
THEDOJOREVIEWS.COM. 14400 IN A 178.239.55.123
THEDOJOREVIEWS.COM. 14400 IN MX 0 THEDOJOREVIEWS.COM.
The IP's Network Information & Abuse Handle:
inetnum:        178.239.55.120 - 178.239.55.127
prefix:         178.239.48.0/20
AS Number:      47869
PTR Record:     srv10.cheaphostingbd.com.
AS Code:        GETITHEAVYS.COM
netname:        NR-CUST-HOST4OFFSHORE
descr:          HOST4OFFSHORE Network
country:        NL
admin-c:        HN1483-RIPE
tech-c:         HN1483-RIPE
status:         ASSIGNED PA
mnt-by:         NETROUTING-MNT
source:         RIPE # Filtered

person:         Host4Offshore Network
address:        Gulshan Avenue
address:        The Bangladesh
phone:          +8801710395432
abuse-mailbox:  abuse@host4offshore.com
nic-hdl:        HN1483-RIPE
mnt-by:         NETROUTING-MNT
source:         RIPE # Filtered

Bad actor's (read: moron's) ID investigation:

The EXACT same registration data (see the email address) is spotted here-->>[LINK]
That is NO WAY a coincidence if both sides use the SAME EMAIL ADDRESS as registrant contact info: rocker7887i@gmail.com; whoever owns vishnumwilliam.com is a strong suspect, since the callback with the credentials was sent to a non-hacked site...

Trailing the details:

This is the URL of Facebook Profile fetched--> https://www.facebook.com/iVishnu007
This is his Facebook profile picture.. could this be our bad actor? Well, it is way too easy indeed..
Just in case, we dumped everything.

Thanks to @essachin :-)

Furthermore, the name pops up in the "Security Researcher Acknowledgments for Microsoft Online Services - February 2013 Security Researchers" list, link-->>[HERE]
The investigation is still OPEN; feel free to advise us on reporting the correct bad actor's ID to law enforcement by sending us a message via the Comment section below (the information will be filtered for investigation purposes).

The Moral of Story

We will see more of this threat; this is the work of automation. Our advice will sound like a cliché, but: always update and patch your web server, PHP and WordPress to the latest versions, and don't forget to harden your configs by eliminating unnecessary services or holes that can be used by "bad people". Once in a while it is a good idea to scan your own site to learn how to improve its security. Please stay safe!

#MalwareMustDie

Saturday, November 2, 2013

MMD-0009-2013 - RunForrestRun DGA "Comeback" with new obfuscation

I was mentioned by our friend Bart about the detected RunForrestRun DGA obfuscation code, as per the tweet below (thanks for the notification, Bart!):

Yes, I fetched it and took a look:

--2013-11-02 17:06:54--  h00p://portail-val-de-loir.com/
Resolving portail-val-de-loir.com... seconds 0.00, 85.10.130.29
Caching portail-val-de-loir.com => 85.10.130.29
Connecting to portail-val-de-loir.com|85.10.130.29|:80... seconds 0.00, connected.
  :
GET / HTTP/1.0
Referer: remember.us.malwaremustdie.org
Host: portail-val-de-loir.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Sat, 02 Nov 2013 08:06:30 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl
/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Thu, 12 Jul 2012 01:52:59 GMT
ETag: "18f21da-32bd2b-4c498391b34c0"
Accept-Ranges: bytes
Content-Length: 3325227
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 3325227 (3.2M) [text/html]
Saving to: `index.html'
100%[============================>] 3,325,227    103K/s   in 39s
2013-11-02 17:07:35 (83.0 KB/s) - `index.html' saved [3325227/3325227]
This is a real worst case of code injection: the index HTML was injected more than 50 times with the obfuscated JavaScript code. The sample is here, password=infected-->>[MMD Mediafire]. The obfuscation method has been improved, as per the marked parts below, trying to mimic the script used by Google Analytics:

The first decoding process can be viewed here-->>[MMD Pastebin]
And the result is as per below well-known DGA code:

Which is exactly the same code as in our case posted on July 23, 2013 here-->>[MMD PREV.POST]

So we have seen RunForrestRun for almost one year and the logic hasn't changed a bit. In case someone meets a similar case or code in the future, I made a simple script for you to use if you see one, as per the snipped GOOD code and a "how-to" below:

// manual crack...@unixfreaxjp
// erase the setTimeout(function () all of it, we don't need that mess..
// and replace it with the code below...
// (make sure you include the rest of the functions, i.e. generatePseudoRandomString()..)
// The code :

var nextday = new Date();
nextday.setFullYear(2013);
for (var yyy = 0; yyy < 12; yyy++)          // months are 0-based: 0 = January .. 11 = December
  {
    for (var xxx = 1; xxx < 32; xxx++)      // days 1..31
      {
        nextday.setDate(1);                 // reset first, so switching month never wraps
        nextday.setMonth(yyy);
        var unix = Math.round(nextday.setDate(xxx) / 1000);   // setDate() returns the new epoch ms
        if (nextday.getMonth() != yyy) break;                 // e.g. Feb 30 wrapped into March: stop
        var domainName = generatePseudoRandomString(unix, 16, 'ru');
        document.write(xxx + " | " + domainName + "  |  " + nextday + "\n");
      }
  }
Using the script above you can extract the domains per date, as snipped below:
 1 | oxkjnvhjnvnegtyb.ru  |  Tue Oct 01 2013 17:36:40 GMT+0900
 2 | bloxgsfzinxmdspt.ru  |  Wed Oct 02 2013 17:36:40 GMT+0900
 3 | mxpgggggukxqteoy.ru  |  Thu Oct 03 2013 17:36:40 GMT+0900
 4 | yjsovtnpgbwqcbbd.ru  |  Fri Oct 04 2013 17:36:40 GMT+0900
 5 | lwtcxuzbdrsnpqfb.ru  |  Sat Oct 05 2013 17:36:40 GMT+0900
 6 | xiwlnutkxsqxwjge.ru  |  Sun Oct 06 2013 17:36:40 GMT+0900
 7 | kwyyhhqtwxupnhyu.ru  |  Mon Oct 07 2013 17:36:40 GMT+0900
 8 | wicjgufeimlbmcus.ru  |  Tue Oct 08 2013 17:36:40 GMT+0900
 9 | ivewawjppavmkhwx.ru  |  Wed Oct 09 2013 17:36:40 GMT+0900
10 | uihgxtcniyolbobp.ru  |  Thu Oct 10 2013 17:36:40 GMT+0900
11 | hvitmnanuzbabudp.ru  |  Fri Oct 11 2013 17:36:40 GMT+0900
12 | thldkvcgbkzcbfxw.ru  |  Sat Oct 12 2013 17:36:40 GMT+0900
13 | gunqeyhnrhskxjdr.ru  |  Sun Oct 13 2013 17:36:40 GMT+0900
14 | shqyztdrsofsjnib.ru  |  Mon Oct 14 2013 17:36:40 GMT+0900
15 | eusngyfurlziprua.ru  |  Tue Oct 15 2013 17:36:40 GMT+0900
((snipped))
with the complete list for 709 days extracted here--->>[MMD PASTEBIN]

And with our useful tools here--->>[MMD Google Code], following the DGA Procedure Wiki here-->>[MMD Wiki], I found that the domains below are activated NOW (format: domain, IP, DNS, and DATE):

yalkzsvudybexfgd.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 16 
lomxtgmgrswlgrrn.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 17 
wzbdwenwshfzglwt.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 17 
jnfrqmekhoevppvw.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 18 
vygzhvfiuommkqfj.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 19 
imjosxuhbcdonrco.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 20 
bhigmqckbqhleqlo.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 06 
nsjosicxuhpidhlp.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 07 
And I also found the domains below are blocked/sinkholed:
gatrxzmokglyvnqh.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
smvydqivtigcadxb.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
I can say the reputation of IP 91.233.244.102 is not good:
VirusTotal history (with thanks!)-->>[HERE]
URLQuery records (many thanks)-->>[URLQuery]

Sometimes the bad guys have unique ways to greet us! :-))

Below are bad URLs that can be switched live at any time:

h00p://yalkzsvudybexfgd.ru/runforestrun?sid=botnet2
h00p://lomxtgmgrswlgrrn.ru/runforestrun?sid=botnet2
h00p://wzbdwenwshfzglwt.ru/runforestrun?sid=botnet2
h00p://jnfrqmekhoevppvw.ru/runforestrun?sid=botnet2
h00p://vygzhvfiuommkqfj.ru/runforestrun?sid=botnet2
h00p://imjosxuhbcdonrco.ru/runforestrun?sid=botnet2
h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2
h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2
Just in case, I recorded them all in URLQuery (thanks guys!):
http://urlquery.net/report.php?id=7388672
http://urlquery.net/report.php?id=7388677
http://urlquery.net/report.php?id=7388681
http://urlquery.net/report.php?id=7388683
http://urlquery.net/report.php?id=7388687
http://urlquery.net/report.php?id=7388692
http://urlquery.net/report.php?id=7388694
http://urlquery.net/report.php?id=7388701
Those detected domains are all registered via REGGI.RU in the Russian Federation:
domain:        YALKZSVUDYBEXFGD.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.11.02 13:21:36 MSK

domain:        LOMXTGMGRSWLGRRN.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.11.02 13:21:36 MSK

domain:        WZBDWENWSHFZGLWT.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:21:36 MSK

domain:        JNFRQMEKHOEVPPVW.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:26:32 MSK

domain:        VYGZHVFIUOMMKQFJ.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:26:32 MSK

domain:        IMJOSXUHBCDONRCO.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:26:32 MSK

domain:        BHIGMQCKBQHLEQLO.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.11.06
paid-till:     2013.11.06
free-date:     2013.12.07
source:        TCI
Last updated on 2013.11.02 13:31:37 MSK

domain:        NSJOSICXUHPIDHLP.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.11.06
paid-till:     2013.11.06
free-date:     2013.12.07
source:        TCI
Last updated on 2013.11.02 13:31:37 MSK
And the IP information also points to a St. Petersburg IDC:
$ whois 91.233.244.102

% Information related to '91.233.244.0 - 91.233.245.255'

inetnum:        91.233.244.0 - 91.233.245.255
netname:        OLBORG-NET
descr:          Olborg Ltd
descr:          St.Petersburg
country:        RU
admin-c:        OLCR1-RIPE
tech-c:         OLCR1-RIPE
status:         ASSIGNED PI
mnt-by:         OLBORG-MNT
mnt-by:         RIPE-NCC-END-MNT
mnt-routes:     OLBORG-MNT
mnt-domains:    OLBORG-MNT
source:         RIPE # Filtered

role:           Olborg Ltd - Contact Role
address:        Olborg Ltd
address:        St.Petersburg, Russia
abuse-mailbox:  abuse@o1host.net
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *    abuse@o1host.net ,  not  this  address     *
remarks:        *************************************************
org:            ORG-OL89-RIPE
admin-c:        AK8017-RIPE
tech-c:         AK8017-RIPE
nic-hdl:        OLCR1-RIPE
mnt-by:         OLBORG-MNT
source:         RIPE # Filtered

% Information related to '91.233.244.0/23AS57636'

route:          91.233.244.0/23
descr:          Olborg Ltd.
origin:         AS57636
mnt-by:         OLBORG-MNT
source:         RIPE # Filtered
I really hope to see all domains produced by this logic blocked; otherwise they will surely come again with much better obfuscation.

#MalwareMustDie!!

How bad an IP's Reputation can be? A story of: 31.170.179.179 & 62.116.143.18 (park domains)

Many people often ask me "Can we trust a malicious-IP report?", and I always answer: "Hell, yes!", because behind those reports there are dedicated researchers working hard to prove the badness, and believe me, nobody wants to issue a false-positive verdict, ever; so the malware and security researchers involved mostly confirm against other references or discuss with others to be sure beforehand.

This is a story about the IP address 31.170.179.179; it is still happily up and alive with the details below:

The IP is marked as bad (now). It has a very bad history; I was actually thinking this is a parked-domains IP, but it still "IS" a bad, bad, evil IP, and I describe its badness in the (poor) writing below:
(Note: please block 31.170.179.179 and 62.116.143.18, and the malware served by these hosts)

Historical & Reputation Research of 31.170.179.179 :

Below is the recent historical data of the IP; feel free to look up each domain stated in the details below to PoC what I stated.

xxx.wds03.com series of DGA...

nxfifwwsia.wds03.com  A  31.170.179.179
lbkxibmtqb.wds03.com  A  31.170.179.179
wpad.wds03.com  A  31.170.179.179
yaivjmqekg.wds03.com  A  31.170.179.179
drwfvaol.wds03.com  A  31.170.179.179
sgtxranpom.wds03.com  A  31.170.179.179
isatap.wds03.com  A  31.170.179.179
ggrixhspar.wds03.com  A  31.170.179.179
ltbgnkzrzr.wds03.com  A  31.170.179.179
batmoflaqft.wds03.com  A  31.170.179.179
jwmspvljlv.wds03.com  A  31.170.179.179
vqblegfygqwgrqv.wds03.com  A  31.170.179.179
qpfjfcpsdy.wds03.com  A  31.170.179.179
ygwnaxsuoy.wds03.com  A  31.170.179.179
zsnwosoziz.wds03.com  A  31.170.179.179
xxx.x[1|2]-line.com series of DGA...
xjfiozjjbg.a1-line.com  A  31.170.179.179
saqzurmcudg.a1-line.com  A  31.170.179.179
vrnftosdtr.a1-line.com  A  31.170.179.179
frrdwoidpt.a1-line.com  A  31.170.179.179
mcipgaxv.a1-line.com  A  31.170.179.179
bamaghbarm.c1-line.com  A  31.170.179.179
ivcodrfdmw.c1-line.com  A  31.170.179.179
xwvxbjxnpc.c2-line.com  A  31.170.179.179
nkrjtpmbjlaf.c2-line.co  A  31.170.179.179
imcuctlmdch.c2-line.com  A  31.170.179.179
bdukyhcboxps.c2-line.co  A  31.170.179.179
uvypmbkkqa.e2-line.com  A  31.170.179.179
marduxfkcp.e2-line.com  A  31.170.179.179
boodeyprwq.e2-line.com  A  31.170.179.179
aodnmpcvcv.e2-line.com  A  31.170.179.179
ulalzvsniy.e2-line.com  A  31.170.179.179
zxvsfkgraz.e2-line.com  A  31.170.179.179

(Spoofing?? Parking??) Records for reverse-IP "in-addr.arpa" names... weird..

171.80.117.50.in-addr.arpa  A  31.170.179.179
219.80.117.50.in-addr.arpa  A  31.170.179.179
149.80.117.50.in-addr.arpa  A  31.170.179.179
201.128.241.213.202.in-addr.arpa  A  31.170.179.179
106.216.234.173.in-addr.arpa  A  31.170.179.179
200.196.234.173.in-addr.arpa  A  31.170.179.179
140.196.234.173.in-addr.arpa  A  31.170.179.179
240.196.234.173.in-addr.arpa  A  31.170.179.179
50.196.234.173.in-addr.arpa  A  31.170.179.179
221.196.234.173.in-addr.arpa  A  31.170.179.179
22.196.234.173.in-addr.arpa  A  31.170.179.179
84.196.234.173.in-addr.arpa  A  31.170.179.179
125.196.234.173.in-addr.arpa  A  31.170.179.179
65.196.234.173.in-addr.arpa  A  31.170.179.179
95.196.234.173.in-addr.arpa  A  31.170.179.179
6.196.234.173.in-addr.arpa  A  31.170.179.179
16.196.234.173.in-addr.arpa  A  31.170.179.179
186.196.234.173.in-addr.arpa  A  31.170.179.179
127.196.234.173.in-addr.arpa  A  31.170.179.179
187.196.234.173.in-addr.arpa  A  31.170.179.179
8.196.234.173.in-addr.arpa  A  31.170.179.179
48.196.234.173.in-addr.arpa  A  31.170.179.179
98.196.234.173.in-addr.arpa  A  31.170.179.179
9.196.234.173.in-addr.arpa  A  31.170.179.179
219.196.234.173.in-addr.arpa  A  31.170.179.179
139.196.234.173.in-addr.arpa  A  31.170.179.179
6.218.74.64.in-addr.arpa  A  31.170.179.179
194.242.61.94.in-addr.arpa  A  31.170.179.179
141.173.117.195.in-addr.arpa  A  31.170.179.179
200.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
241.128/25.139.151.216.in-addr.arpa  A  31.170.179.179
155.128/25.250.152.216.in-addr.arpa  A  31.170.179.179

Palevo Botnet's CnC:


URL: https://palevotracker.abuse.ch/?ipaddress=31.170.179.179 (Thank's to ABUSE.CH)

With UrlQuery records flagged as a threat by Emerging Threats (good work!): URL: http://goo.gl/KD6XxT

Kelihos domains and payloads (thanks to OP-Kelihos, great team!):

h00p://bixepfet.nl/inkr001.exe
h00p://yjtucerr.nl/nothin3.exe
h00p://jegijfyr.nl/nothin3.exe
h00p://huvjeyjq.nl/userid2.exe
h00p://qavukzak.nl/inkr001.exe
h00p://judnopem.nl/traff01.exe

VirusTotal has a longer history of this IP (thanks for the good record!):

Link-->>[HERE]

OpenDNS Umbrella Labs' graph (thank you for sharing the tool!) has long records too:

And so on...

The past stays in the past.. No?

Up to this point some people may think: "Yes, it was harmful, but maybe it was a VPS used by bad actors, so now it 'maybe' has become a clean and parked one."
Well, that possibility exists, but let's check it deeper using fresh status too. So I checked links to that IP and found the recent verdict below..

CookieBomb Infection as per TODAY (note the uppercase)

I am lucky.. a local site with the infection was just freshly spotted in the honeypot; see the marked date:

(Note the date of the screenshot)

This is that evil code:

With a simple JS decode:

Leads us to ww9.jolyzgus.nl (31.170.179.179)… with some unusual hula-hoop of multiple self-redirections.
PS: below is the correct way to trace a CookieBomb in case you need a reference. PS2: mind the referrer used ;-))

* Connect() to jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 12:04:22 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.jolyzgus.nl
< Vary: Accept-Encoding
< 
:
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:01 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:36:47 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.3.10-1ubuntu3.7
< Location: h00p://ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
:
* About to connect() to ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 31.170.179.179...
* connected
* Connected to ww9.ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 302 Found
< Server: nginx
< Date: Fri, 01 Nov 2013 14:37:16 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.4.4-14
< Location: h00p://ww6.ww9.ww9.ww9.jolyzgus.nl
< Vary: Accept-Encoding
Forwarded to a TDS at ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18), which kicks in the parked domain's script:
* Connect() to ww6.ww9.ww9.ww9.jolyzgus.nl port 80 (#0)
*   Trying 62.116.143.18...
* connected
* Connected to ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
> Host: ww6.ww9.ww9.ww9.jolyzgus.nl
> Accept: * / *
> Referer: greetz.from.malwaremustdie.org
> Cookie: visited_uq=55; expires=Tue, 2 Nov 2013 14:40:07 GMT; path=/
> 
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 01 Nov 2013 14:16:49 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< Vary: Accept-Encoding
< X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
< 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
  <title>jolyzgus.nl</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <script type='text/javascript' language='JavaScript'>
var domain = 'jolyzgus.nl';
var uniqueTrackingID = 'MTM4MzMxNTQwOS43OTY4OmQ0ZjMzMTViMWY2NDUxMTY5NzlmMjM0ZmViNDZiZTUwYTI2Zjk0NWE=';
var clickTracking = true;
var themedata = '';
var xkw = '';
var xsearch = '';
var xpcat = '';
var rxid = '';
var bucket = '';
var clientID = '';
var clientIDs = '';
var num_ads = 0;
var adtest = 'off';
var scriptPath = '';
  </script>
  <script src='h00p://parkingcrew.net/assets/scripts/js3.js' type='text/javascript' language='JavaScript'></script>
  <script type='text/javascript' language='JavaScript'>clickTracking = false;</script>
 </head>
 <body>
  <script type='text/javascript' language='JavaScript'>
window.onload = function() {
 if(clickTracking && typeof track_onclick == 'function') track_onclick("d767765fe07cda70072a07be8009b9e13b9ce70d");
 location.href = "h00p://searchresultsguide.com/?dn=jolyzgus.nl&pid=9POGER71L";
};
  </script>
 </body>
* Connection #0 to host ww6.ww9.ww9.ww9.jolyzgus.nl left intact
</html>* Closing connection #0
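When you trace a chain like the one above by hand it is easy to lose track of where the self-prefixing stops and the hand-off to the second IP happens. The parser below is an added example (not MalwareMustDie's tooling): it reads a `curl -v` transcript, turns each `* Connected to` block into a hop, and reports whether the redirects form a label-prefix chain (each Location is the previous host with one more leading label, `jolyzgus.nl` → `ww9.jolyzgus.nl` → `ww9.ww9.jolyzgus.nl`) and at which hop the serving IP changes. The sample transcript is abridged from the curl output quoted above with its `h00p` defanging kept; lines such as `* Connect() to` and `*   Trying` are simply ignored.

```python
"""Parse a curl -v redirect transcript into hops and flag CookieBomb-style chains.

Added example, not from the MalwareMustDie post. SAMPLE is abridged from the
transcript quoted above; hostnames, IPs and the 'h00p' defanging are as shown there.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
* Connected to jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET /count21.php HTTP/1.1
> Host: jolyzgus.nl
< HTTP/1.1 302 Found
< Location: h00p://ww9.jolyzgus.nl
* Connected to ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
> Host: ww9.jolyzgus.nl
< HTTP/1.1 302 Found
< Location: h00p://ww9.ww9.jolyzgus.nl
* Connected to ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 302 Found
< Location: h00p://ww9.ww9.ww9.jolyzgus.nl
* Connected to ww9.ww9.ww9.jolyzgus.nl (31.170.179.179) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 302 Found
< Location: h00p://ww6.ww9.ww9.ww9.jolyzgus.nl
* Connected to ww6.ww9.ww9.ww9.jolyzgus.nl (62.116.143.18) port 80 (#0)
> GET / HTTP/1.1
< HTTP/1.1 200 OK
< X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
"""

CONNECTED = re.compile(r"^\* Connected to (\S+) \((\d+\.\d+\.\d+\.\d+)\) port (\d+)")
STATUS = re.compile(r"^< HTTP/1\.[01] (\d{3})")
# Accept the defanged 'h00p' scheme as well as real http/https.
LOCATION = re.compile(r"^< Location: (?:h00p|https?)://([^/\s]+)", re.I)
REDIRECTS = (301, 302, 303, 307, 308)


@dataclass
class Hop:
    host: str
    ip: str
    status: int = 0
    location: str = ""  # host named by the Location header, if any


def parse_hops(transcript):
    """One Hop per '* Connected to' block, with the status and Location that follow it."""
    hops = []
    for line in transcript.splitlines():
        m = CONNECTED.match(line)
        if m:
            hops.append(Hop(host=m.group(1).lower(), ip=m.group(2)))
            continue
        if not hops:
            continue  # noise before the first connection
        m = STATUS.match(line)
        if m:
            hops[-1].status = int(m.group(1))
            continue
        m = LOCATION.match(line)
        if m:
            hops[-1].location = m.group(1).lower()
    return hops


def is_label_prefix_chain(hops):
    """True when every redirect sends to the previous host with exactly one more leading label."""
    if len(hops) < 3:
        return False
    for prev, nxt in zip(hops, hops[1:]):
        if prev.status not in REDIRECTS or prev.location != nxt.host:
            return False
        if not nxt.host.endswith("." + prev.host):
            return False
        added = nxt.host[: -len(prev.host) - 1]
        if "." in added or not added:
            return False
    return True


def ip_handoffs(hops):
    """Hop indices where the serving IP changes (e.g. redirector host -> TDS)."""
    return [i for i in range(1, len(hops)) if hops[i].ip != hops[i - 1].ip]


def summarize(transcript):
    hops = parse_hops(transcript)
    return {
        "hops": len(hops),
        "hosts": [h.host for h in hops],
        "ips": sorted({h.ip for h in hops}),
        "prefix_chain": is_label_prefix_chain(hops),
        "handoff_at": ip_handoffs(hops),
        "final_status": hops[-1].status if hops else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample this yields five hops, a confirmed label-prefix chain, and a single IP hand-off at hop 4, which is exactly the point where the parked-domain HTML with the `parkingcrew.net` script is served.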
Below are the payloads from attempts to fetch malware files from, and calls to, 62.116.143.18; the VT report for each payload is self-explanatory, please see the behaviour analysis tab (if available):
https://www.virustotal.com/en/file/19545f41f732280631e1b67302cdd8ab0d0e446a49c2022d6588f170ca9cbfb5/analysis/
https://www.virustotal.com/en/file/7c4a07f4c4fd3f9643cb1cf3d4aa7851ad790cf506efb150c0accc1fc85c2222/analysis/
https://www.virustotal.com/en/file/7fc85db12578612d73b5c670c4addec2d20f0154775addd43fab19450b8cd46a/analysis/
https://www.virustotal.com/en/file/8cab9d5987d5f72338981423043b9118d6eb20b146ea5f1f8000f25b50d2e46e/analysis/
https://www.virustotal.com/en/file/4280a7be51e34088d34eacd628af58b459672ac45b85b18113f8ed1f8bd19898/analysis/
https://www.virustotal.com/en/file/b7657dfc20e077929c89afb6d9c47dc16d1ef3a0404d7a5168d318651c223add/analysis/
https://www.virustotal.com/en/file/39d69b0a16a16c7cbb6b0118f1b5999f75c425918b66c9293509dc822593d383/analysis/
Additionally, the VirusTotal report for 62.116.143.18 is here-->>[VirusTotal]

Just in case: the domain jolyzgus.nl is actually SUSPENDED and PARKED under the details below, so is it still infecting us? This is a real big mystery for all of us to check..

$ nslookup jolyzgus.nl

jolyzgus.nl
 origin = ns.parktons.com
 mail addr = root.gransy.com
 serial = 2013010310
 refresh = 1800
 retry = 10800
 expire = 604800
 minimum = 1800
jolyzgus.nl nameserver = ns.parktons.com.
jolyzgus.nl nameserver = ns2.parktons.com.
jolyzgus.nl internet address = 31.170.179.179


$ whois jolyzgus.nl|less

Domain name: jolyzgus.nl
Status:      active

Registrar:
   1API Gmbh
   Talstrasse 27
   66424 Homburg
   Deutschland
   Germany

Registrant DemieGoudswaard
Administrative contact admin@jolyzgus.nl
Technical contact(s) admin@jolyzgus.nl

Domain nameservers:
   ns1.1apidomainondispute.net
   ns2.1apidomainondispute.net
   ns3.1apidomainondispute.net
   DNSSEC:      no

Date registered  2013-08-28
Date of last change  2013-09-02
Record maintained by  NL Domain Registry
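One thing the two outputs above make visible is that the nameservers DNS actually answers with (ns.parktons.com, also the SOA origin) are not the ones the registry lists in whois (the 1apidomainondispute.net set). The snippet below is an added example, not part of the post: it parses both outputs and reports the delegation mismatch, which is the first check I would want automated before calling a domain "parked and harmless". The sample texts are abridged copies of the nslookup and whois output shown above.

```python
"""Compare the nameservers DNS returns with the ones the registry's whois lists.

Added example (not from the MalwareMustDie post). Sample inputs are abridged
from the nslookup and whois output quoted above.
"""
import re

NSLOOKUP_OUT = """\
jolyzgus.nl
 origin = ns.parktons.com
 mail addr = root.gransy.com
 serial = 2013010310
jolyzgus.nl nameserver = ns.parktons.com.
jolyzgus.nl nameserver = ns2.parktons.com.
jolyzgus.nl internet address = 31.170.179.179
"""

WHOIS_OUT = """\
Domain name: jolyzgus.nl
Status:      active

Domain nameservers:
   ns1.1apidomainondispute.net
   ns2.1apidomainondispute.net
   ns3.1apidomainondispute.net
   DNSSEC:      no
"""


def norm(host):
    """Lower-case a hostname and drop the trailing root dot so sets compare cleanly."""
    return host.strip().rstrip(".").lower()


def parse_nslookup(text):
    """Pull SOA origin, NS names and A records out of nslookup's text output."""
    info = {"ns": set(), "soa_mname": None, "a": set()}
    for line in text.splitlines():
        m = re.match(r"^\s*origin = (\S+)", line)
        if m:
            info["soa_mname"] = norm(m.group(1))
            continue
        m = re.match(r"^\S+\s+nameserver = (\S+)", line)
        if m:
            info["ns"].add(norm(m.group(1)))
            continue
        m = re.match(r"^\S+\s+internet address = (\S+)", line)
        if m:
            info["a"].add(m.group(1))
    return info


def parse_whois_ns(text):
    """Collect the hostnames listed under 'Domain nameservers:' (SIDN-style whois)."""
    ns = set()
    in_block = False
    for line in text.splitlines():
        if re.match(r"^\s*Domain nameservers:", line, re.I):
            in_block = True
            continue
        if in_block:
            s = line.strip()
            if not s or ":" in s:  # blank line or 'DNSSEC: no' ends the block
                break
            ns.add(norm(s.split()[0]))
    return ns


def compare(nslookup_text, whois_text):
    dns = parse_nslookup(nslookup_text)
    registry = parse_whois_ns(whois_text)
    return {
        "dns_ns": sorted(dns["ns"]),
        "registry_ns": sorted(registry),
        "delegation_matches": dns["ns"] == registry,
        "soa_mname_in_registry": dns["soa_mname"] in registry,
        "a_records": sorted(dns["a"]),
    }


if __name__ == "__main__":
    print(compare(NSLOOKUP_OUT, WHOIS_OUT))
```

A `delegation_matches` of False with a live A record, as here, means the answers you see for the domain are not coming from where the registry says they should; that alone is reason to keep the IP on the watch list rather than treat the domain as cleanly parked.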
Feel free to comment! :-)

Additional / Final Conclusion:

As initially suspected, after a deeper investigation the CookieBomb malware domain jolyzgus.nl was gone and the domain was parked under 31.170.179.179 (parktons.com), which has an auto-forwarder to the affiliate domain-parking service at 62.116.143.18 (parkingcrew.com).

We still have the question of HOW a parked domain's IP can still serve malware samples as reported; the investigation of this matter is still open and the results will be added accordingly.

#MalwareMustDie!