Saturday, November 2, 2013

MMD-0009-2013 - RunForrestRun DGA "Comeback" with new obfuscation

I was mentioned by our friend in the tweet below regarding the detected RunForrestRun DGA obfuscation code (thanks for the notification, Bart!):

Yes, I fetched it and took a look:

--2013-11-02 17:06:54--  h00p://portail-val-de-loir.com/
Resolving portail-val-de-loir.com... seconds 0.00, 85.10.130.29
Caching portail-val-de-loir.com => 85.10.130.29
Connecting to portail-val-de-loir.com|85.10.130.29|:80... seconds 0.00, connected.
  :
GET / HTTP/1.0
Referer: remember.us.malwaremustdie.org
Host: portail-val-de-loir.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Date: Sat, 02 Nov 2013 08:06:30 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Thu, 12 Jul 2012 01:52:59 GMT
ETag: "18f21da-32bd2b-4c498391b34c0"
Accept-Ranges: bytes
Content-Length: 3325227
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
  :
200 OK
Registered socket 1896 for persistent reuse.
Length: 3325227 (3.2M) [text/html]
Saving to: `index.html'
100%[============================>] 3,325,227    103K/s   in 39s
2013-11-02 17:07:35 (83.0 KB/s) - `index.html' saved [3325227/3325227]
This is a truly bad case of code injection: the index.html was injected more than 50 times with the obfuscated JavaScript code. The sample is here (password=infected) -->>[MMD Mediafire]. The obfuscation method has been improved, as shown in the marked parts below, by mimicking the look of the Google Analytics script snippet:

The first decoding step can be viewed here -->>[MMD Pastebin].
The result is the well-known DGA code shown below:

This is exactly the same code as in our case posted on July 23, 2013, here -->>[MMD PREV.POST].

So we have been seeing RunForrestRun for almost one year and the logic hasn't changed a bit. In case someone meets a similar case or code in the future, I made a simple script you can use when you see one; the snippet of the GOOD (decoding) code and a "howto" are below:

// manual crack...@unixfreaxjp
// erase the setTimeout(function () ... block, all of it, we don't need that mess..
// and replace it with the code below...
// (make sure you include the rest of the functions, i.e. generatePseudoRandomString() from the decoded sample..)
// The code :

var nextday = new Date();
nextday.setFullYear(2013);
// brute-force every month/day combination; setMonth(12) and setDate(32)
// are out of range and roll over into the following year/month
for (var yyy = 0; yyy < 13; yyy++) {
  nextday.setMonth(yyy);
  for (var xxx = 1; xxx < 33; xxx++) {
    // setDate() returns the new timestamp in ms; the DGA seed is unix seconds
    var unix = Math.round(nextday.setDate(xxx) / 1000);
    var domainName = generatePseudoRandomString(unix, 16, 'ru');
    document.write(xxx + " | " + domainName + "  |  " + nextday + "\n");
  }
}
Using the script above you can extract the domains per date, as in the snippet below:
 1 | oxkjnvhjnvnegtyb.ru  |  Tue Oct 01 2013 17:36:40 GMT+0900
 2 | bloxgsfzinxmdspt.ru  |  Wed Oct 02 2013 17:36:40 GMT+0900
 3 | mxpgggggukxqteoy.ru  |  Thu Oct 03 2013 17:36:40 GMT+0900
 4 | yjsovtnpgbwqcbbd.ru  |  Fri Oct 04 2013 17:36:40 GMT+0900
 5 | lwtcxuzbdrsnpqfb.ru  |  Sat Oct 05 2013 17:36:40 GMT+0900
 6 | xiwlnutkxsqxwjge.ru  |  Sun Oct 06 2013 17:36:40 GMT+0900
 7 | kwyyhhqtwxupnhyu.ru  |  Mon Oct 07 2013 17:36:40 GMT+0900
 8 | wicjgufeimlbmcus.ru  |  Tue Oct 08 2013 17:36:40 GMT+0900
 9 | ivewawjppavmkhwx.ru  |  Wed Oct 09 2013 17:36:40 GMT+0900
10 | uihgxtcniyolbobp.ru  |  Thu Oct 10 2013 17:36:40 GMT+0900
11 | hvitmnanuzbabudp.ru  |  Fri Oct 11 2013 17:36:40 GMT+0900
12 | thldkvcgbkzcbfxw.ru  |  Sat Oct 12 2013 17:36:40 GMT+0900
13 | gunqeyhnrhskxjdr.ru  |  Sun Oct 13 2013 17:36:40 GMT+0900
14 | shqyztdrsofsjnib.ru  |  Mon Oct 14 2013 17:36:40 GMT+0900
15 | eusngyfurlziprua.ru  |  Tue Oct 15 2013 17:36:40 GMT+0900
((snipped))
The complete list for 709 days is extracted here --->>[MMD PASTEBIN].
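The same enumeration done as an added example (this is not the script from the post): instead of brute-forcing month 0..12 and day 1..32 and letting out-of-range values roll over, it walks every real calendar day at 00:00 UTC and hands each unix seed to a generator with the signature generator(unixSeconds, length, tld). The real generatePseudoRandomString() has to be taken from the decoded RunForrestRun sample; the placeholderGenerator here is a constructed stand-in (a small LCG) so the file runs on its own, and it does not reproduce the malware's domains. It also assumes the generator only depends on the calendar day of the seed; the post's output shows a constant time-of-day in every seed, but check that against the decoded function before relying on a midnight seed.

```javascript
// Added example, not the script from the post: enumerate one seed per
// calendar day and hand it to a DGA generator with the signature
// generator(unixSeconds, length, tld). The real generatePseudoRandomString()
// must be taken from the decoded RunForrestRun sample; placeholderGenerator
// below is a constructed stand-in (a small LCG) so this file runs alone and
// does NOT reproduce the malware's domains.

function placeholderGenerator(seed, length, tld) {
  // Constructed stand-in: 32-bit LCG stepped once per output letter.
  let state = seed >>> 0;
  let name = '';
  for (let i = 0; i < length; i++) {
    state = (Math.imul(state, 1103515245) + 12345) >>> 0;
    name += String.fromCharCode(97 + ((state >>> 16) % 26));
  }
  return name + '.' + tld;
}

// Walk every real calendar day from startIso to endIso (inclusive) at
// 00:00 UTC. Stepping by whole days avoids the silent roll-over that
// setMonth(12) / setDate(32) cause in the brute-force loop above.
function enumerateDgaDomains(generator, startIso, endIso, length, tld) {
  const DAY_MS = 24 * 60 * 60 * 1000;
  const start = Date.parse(startIso + 'T00:00:00Z');
  const end = Date.parse(endIso + 'T00:00:00Z');
  if (Number.isNaN(start) || Number.isNaN(end) || start > end) {
    throw new Error('expected ISO dates YYYY-MM-DD with start <= end');
  }
  const rows = [];
  for (let t = start; t <= end; t += DAY_MS) {
    const unix = Math.round(t / 1000);           // same seed form as the post
    rows.push({
      date: new Date(t).toISOString().slice(0, 10),
      unix: unix,
      domain: generator(unix, length, tld)
    });
  }
  return rows;
}

// Render rows in the "day | domain | date" layout used in the post.
function formatRows(rows) {
  return rows.map(r => `${r.date.slice(8)} | ${r.domain}  |  ${r.date}`).join('\n');
}

// Stand-alone run over the same October 2013 window the post shows.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatRows(enumerateDgaDomains(placeholderGenerator, '2013-10-01', '2013-10-15', 16, 'ru')));
}
```

To use it on a real sample, replace placeholderGenerator with the generatePseudoRandomString() function lifted from the decoded script and widen the date window to cover the registration dates you expect; the rows can then be diffed against passive DNS or whois to find which candidates were actually registered, as the post does next.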

Using our tools here --->>[MMD Google Code] and following the DGA procedure wiki here -->>[MMD Wiki], I found that the domains below are activated NOW (format: domain, IP, DNS, and date):

yalkzsvudybexfgd.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 16 
lomxtgmgrswlgrrn.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 17 
wzbdwenwshfzglwt.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 17 
jnfrqmekhoevppvw.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 18 
vygzhvfiuommkqfj.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 19 
imjosxuhbcdonrco.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 20 
bhigmqckbqhleqlo.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 06 
nsjosicxuhpidhlp.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 07 
I also found that the domains below are blocked/sinkholed:
gatrxzmokglyvnqh.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
smvydqivtigcadxb.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
I can say the reputation of IP 91.233.244.102 is not good:
VirusTotal history (with thanks!) -->>[HERE]
URLQuery records (many thanks) -->>[URLQuery]

Sometimes the bad guys have unique ways to greet us! :-))

Below are the bad URLs that can be switched live:

h00p://yalkzsvudybexfgd.ru/runforestrun?sid=botnet2
h00p://lomxtgmgrswlgrrn.ru/runforestrun?sid=botnet2
h00p://wzbdwenwshfzglwt.ru/runforestrun?sid=botnet2
h00p://jnfrqmekhoevppvw.ru/runforestrun?sid=botnet2
h00p://vygzhvfiuommkqfj.ru/runforestrun?sid=botnet2
h00p://imjosxuhbcdonrco.ru/runforestrun?sid=botnet2
h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2
h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2
Just in case, I recorded them all in URLQuery (thanks, guys!):
http://urlquery.net/report.php?id=7388672
http://urlquery.net/report.php?id=7388677
http://urlquery.net/report.php?id=7388681
http://urlquery.net/report.php?id=7388683
http://urlquery.net/report.php?id=7388687
http://urlquery.net/report.php?id=7388692
http://urlquery.net/report.php?id=7388694
http://urlquery.net/report.php?id=7388701
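As an added example for the detection side (not code from the original post), the callback shape listed above, a 16-letter .ru host requesting /runforestrun, can be matched in proxy or web logs. The "client METHOD url" log format and the sample lines are constructed for this example; the .ru hosts in them are the ones listed in the post, and defanged h00p:// is accepted so blocklist material can be fed in as-is.

```javascript
// Added example, not from the original post: pick out proxy/web log lines
// whose request matches the callback shape listed above (a 16-letter .ru
// host requesting /runforestrun). The log format "client METHOD url" and
// the sample lines are constructed for this example; defanged h00p:// is
// accepted so blocklist material can be fed in as-is.

const DGA_HOST = /^[a-z]{16}\.ru$/;
const CALLBACK_PATH = '/runforestrun';

// Parse one constructed "client METHOD url" line; returns null on junk.
function parseLogLine(line) {
  const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+)$/);
  if (!m) return null;
  const raw = m[3].replace(/^h00p:\/\//i, 'http://');   // undo defanging
  let url;
  try { url = new URL(raw); } catch (e) { return null; }
  return {
    client: m[1],
    method: m[2],
    host: url.hostname,
    path: url.pathname,
    sid: url.searchParams.get('sid')   // kept for the analyst, not required
  };
}

// Hit when both the host shape and the callback path match.
function isRunForrestRunCallback(entry) {
  return entry !== null && DGA_HOST.test(entry.host) && entry.path === CALLBACK_PATH;
}

function findCallbacks(lines) {
  return lines.map(parseLogLine).filter(isRunForrestRunCallback);
}

// Constructed sample log; the .ru hosts are the ones listed in the post.
const SAMPLE_LOG = [
  '10.0.0.5 GET h00p://yalkzsvudybexfgd.ru/runforestrun?sid=botnet2',
  '10.0.0.7 GET http://www.example.com/index.html',
  '10.0.0.9 GET h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2',
  '10.0.0.9 GET h00p://nsjosicxuhpidhlp.ru/favicon.ico',   // DGA host, other path
  'not a log line'
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findCallbacks(SAMPLE_LOG)) {
    console.log(`${hit.client} -> ${hit.host}${hit.path} sid=${hit.sid}`);
  }
}
```

The host pattern on its own is noisy (any 16-letter .ru name matches), which is why the path is required for a hit; a host-only match is better treated as a lead to check against the enumerated DGA list or passive DNS than as an alert.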
The detected domains are all activated (registered) at REGGI.RU in the Russian Federation:
domain:        YALKZSVUDYBEXFGD.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.11.02 13:21:36 MSK

domain:        LOMXTGMGRSWLGRRN.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.11.02 13:21:36 MSK

domain:        WZBDWENWSHFZGLWT.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:21:36 MSK

domain:        JNFRQMEKHOEVPPVW.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:26:32 MSK

domain:        VYGZHVFIUOMMKQFJ.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:26:32 MSK

domain:        IMJOSXUHBCDONRCO.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.08.16
paid-till:     2014.08.16
free-date:     2014.09.16
source:        TCI
Last updated on 2013.11.02 13:26:32 MSK

domain:        BHIGMQCKBQHLEQLO.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.11.06
paid-till:     2013.11.06
free-date:     2013.12.07
source:        TCI
Last updated on 2013.11.02 13:31:37 MSK

domain:        NSJOSICXUHPIDHLP.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.11.06
paid-till:     2013.11.06
free-date:     2013.12.07
source:        TCI
Last updated on 2013.11.02 13:31:37 MSK
And the IP information also points to a St. Petersburg IDC:
$ whois 91.233.244.102

% Information related to '91.233.244.0 - 91.233.245.255'

inetnum:        91.233.244.0 - 91.233.245.255
netname:        OLBORG-NET
descr:          Olborg Ltd
descr:          St.Petersburg
country:        RU
admin-c:        OLCR1-RIPE
tech-c:         OLCR1-RIPE
status:         ASSIGNED PI
mnt-by:         OLBORG-MNT
mnt-by:         RIPE-NCC-END-MNT
mnt-routes:     OLBORG-MNT
mnt-domains:    OLBORG-MNT
source:         RIPE # Filtered

role:           Olborg Ltd - Contact Role
address:        Olborg Ltd
address:        St.Petersburg, Russia
abuse-mailbox:  abuse@o1host.net
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *    abuse@o1host.net ,  not  this  address     *
remarks:        *************************************************
org:            ORG-OL89-RIPE
admin-c:        AK8017-RIPE
tech-c:         AK8017-RIPE
nic-hdl:        OLCR1-RIPE
mnt-by:         OLBORG-MNT
source:         RIPE # Filtered

% Information related to '91.233.244.0/23AS57636'

route:          91.233.244.0/23
descr:          Olborg Ltd.
origin:         AS57636
mnt-by:         OLBORG-MNT
source:         RIPE # Filtered
I really hope to see all domains generated by this logic blocked; otherwise they will surely come back again with much better obfuscation.

#MalwareMustDie!!

4 comments:

  1. I love reading your work and learning from you brother ;)

  2. They are always spotted in the early stages, which leaves them no chance for payloads. ALIVE in the sense of the activities below:

    In June it was activated by NAUNET.RU. we exposed it in July, suspended also in July via GroupIB.
    The domains were re-activated again by REGGI.RU in Aug (around the 16th), with 30 other DGA domains.
    But the DNS A records for those domains came up from Sept 2013 under the hosts reported in the blog. Both registrars, NAUNET and REGGI, always point to the same IP, 91.233.244.102.

    If we can confirm with OVH about the injection incident, it must be between September and October 2013. That means they have steady activities = alive.
    Moreover, the obfuscation that mimics Google Analytics is a new trick for this group; I have never seen it before.

    IF no one blocks the domains they will show up again next time.
