Avast WEBforum
Other => Viruses and worms => Topic started by: !Donovan on July 06, 2012, 08:16:49 PM
-
6 malicious acinfo.html sites were found 2012-07-06 08:31:51. Let's look at them together.
Site A (Host: humanas.rs):
URLQuery <Detected> (http://urlquery.net/report.php?id=83980) | VirusTotal <Detected> (https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/) | Zulu Scanner <Detected> (http://zulu.zscaler.com/submission/show/b02ec2b156cc058469db7e8d707bce60-1341590378) | Sucuri SiteCheck <Detected> (http://sitecheck.sucuri.net/results/humanas.rs/acinfo.html) | URLVoid <Detected> (http://urlvoid.com/scan/humanas.rs/)
First thing, we get:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=humanas.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
The homepage looks regular, but when we check the "acinfo.html", we get:
humanas.rs/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=humanas.rs/ if
[var newurl] URL=humanas.rs/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript
We also get the phish title "NACHA - The Electronic Payments Association -" mentioned here (https://www.virustotal.com/file/eecaab8dd661421a1731e0baff23827e17a272de98de6ce3dbed6f00d60e933b/analysis/) (another acinfo.html site explained here (http://forum.avast.com/index.php?topic=100591.msg805252#msg805252)). This site also has the same algorithm given in the above link. This provides evidence that this specific algorithm and this phish title will be used in the future.
Site B (Host: ykwh.gov.cn):
URLQuery <Detected> (http://urlquery.net/report.php?id=83976) | VirusTotal <Detected> (https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/) | Zulu Scanner <Detected> (http://zulu.zscaler.com/submission/show/1b7a1c9f7aa1ddaefef9a038e892c3ec-1341590972) | Sucuri SiteCheck <Detected> (http://sitecheck.sucuri.net/results/ykwh.gov.cn/acinfo.html) | URLVoid <MISSED> (http://urlvoid.com/scan/ykwh.gov.cn/)
Here, we get the same intro as Site A, assuming a partnership with the domains:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=ykwh.gov.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
Several SWF files are also present. Results: top.swf (https://www.virustotal.com/file/a119161751ff3ba44e78071ca9cf8abd416f7831a86d09dd163e5802fe7b671a/analysis/1341597295/) | flash2.swf (https://www.virustotal.com/file/4cd5c682dd1d1bc285ea26d22be4e1a6b7f2f20873986bfde44aff2ac7a2ec43/analysis/1341597361/) | focus1.swf (https://www.virustotal.com/file/4b4ab28446a9aa49f69479dadef45b46e0e8f03075c7077eb47957ff73d16f4d/analysis/1341597409/)
The main threat, "acinfo.html", looks exactly like Site A.
ykwh.gov.cn/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=ykwh.gov.cn/ if
[var newurl] URL=ykwh.gov.cn/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript
Site C (Host: spbfencing.ru) -Taken Down-:
URLQuery <MISSED> (http://urlquery.net/report.php?id=83977) | VirusTotal <MISSED> (https://www.virustotal.com/file/f6f813753aeed2a7c4aa68a97a6d98f2850baa58e90e79d1d647643732488e5b/analysis/) | Zulu Scanner <MISSED> (http://zulu.zscaler.com/submission/show/a645719464f320f84fd046c164a101e4-1341591259) | Sucuri SiteCheck <MISSED> (http://sitecheck.sucuri.net/results/spbfencing.ru/acinfo.html) | URLVoid <MISSED> (http://urlvoid.com/scan/spbfencing.ru/)
404 from wplus.net. Appears the site was found malicious and taken down.
Site D (Host: wk999.com.cn) -???-:
URLQuery <MISSED> (http://urlquery.net/report.php?id=83981) | VirusTotal <MISSED> (https://www.virustotal.com/file/3a03b72be85b96bfd5fb866952fa81f0ef6f7a2d881fde6d374adcaeb36e8d8e/analysis/) | Zulu Scanner <Suspicious> (http://zulu.zscaler.com/submission/show/65d781c8c6e6b56e32051b797b8b045c-1341591518) | Sucuri SiteCheck <MISSED> (http://sitecheck.sucuri.net/results/wk999.com.cn/acinfo.html) | URLVoid <MISSED> (http://urlvoid.com/scan/wk999.com.cn/)
The only thing happening on this page is a redirect to "/acinfo/" using the window.location method. Nothing suspect in the redirected page. Moving along...
Site E (Host: blog.cd3d.com.cn):
URLQuery <Detected> (http://urlquery.net/report.php?id=83978) | VirusTotal <Detected> (https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/) | Zulu Scanner <Detected> (http://zulu.zscaler.com/submission/show/018c7a9f22f8b77bf25b15642d3291f3-1341591780) | Sucuri SiteCheck <Detected> (http://sitecheck.sucuri.net/results/blog.cd3d.com.cn/acinfo.html) | URLVoid <MISSED> (http://urlvoid.com/scan/blog.cd3d.com.cn/)
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=blog.cd3d.com.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
Same iframe, same phish title, and same algorithm from Site A and B. Now we know we have something.
Site F (Host: apps.org.rs):
URLQuery <Detected> (http://urlquery.net/report.php?id=83979) | VirusTotal <Detected> (https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/) | Zulu Scanner <Detected> (http://zulu.zscaler.com/submission/show/12c87ffbe91b5c16dc158e4d1046c249-1341592120) | Sucuri SiteCheck <Detected> (http://sitecheck.sucuri.net/results/apps.org.rs/acinfo.html) | URLVoid <MISSED> (http://urlvoid.com/scan/apps.org.rs/)
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=apps.org.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
Same algorithm as all above.
=================================
So in summary, the "acinfo.html" sites appear to call the known blackhole exploit hotspot "hotspotboutique.net". This filename should be considered suspicious.
~!Donovan
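The chain described in the post (a request to a compromised site's acinfo.html, then the hidden iframe pulling the Blackhole landing URL main.php?page=&lt;16 hex&gt; with acinfo.html as referer) is easy to spot in proxy logs. The following is an added example, not code from the thread: it scans constructed log lines in an assumed "time client url referer status" format and grades each client by how much of the chain it completed. Hosts in the sample come from the thread; the client addresses and log format are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the thread: the injected file name (acinfo.html) and the
# Blackhole landing URL shape every infected site loaded (main.php?page=<16 hex>).
INJECTED_FILE = re.compile(r"/acinfo\.html?$", re.I)
KIT_LANDING = re.compile(r"^/main\.php\?page=[0-9a-f]{16}$", re.I)
RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed proxy log (not from the thread): "time client url referer status".
SAMPLE_LOG = """\
2012-07-06T08:31:52 10.0.0.5 http://humanas.rs/acinfo.html - 200
2012-07-06T08:31:53 10.0.0.5 http://hotspotboutique.net/main.php?page=f00fe909ad13ba45 http://humanas.rs/acinfo.html 503
2012-07-06T08:40:10 10.0.0.9 http://wk999.com.cn/acinfo.html - 302
2012-07-06T08:40:11 10.0.0.9 http://wk999.com.cn/acinfo/ http://wk999.com.cn/acinfo.html 200
2012-07-06T08:41:00 10.0.0.12 http://example.org/news.html - 200
"""

def classify(url, referer):
    """Severity of one request: high = kit landing page reached via acinfo.html,
    medium = kit landing page alone, low = acinfo.html alone (Site D was benign)."""
    u = urlsplit(url)
    if KIT_LANDING.match(u.path + ("?" + u.query if u.query else "")):
        ref = urlsplit(referer) if referer != "-" else None
        return "high" if ref and INJECTED_FILE.search(ref.path) else "medium"
    return "low" if INJECTED_FILE.search(u.path) else None

def scan_log(text):
    """Group hits per client so the compromised site and the kit host show up together."""
    report = defaultdict(lambda: {"severity": None, "compromised": set(), "kit_hosts": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, url, referer, _status = line.split()
        sev = classify(url, referer)
        if sev is None:
            continue
        r = report[client]
        if r["severity"] is None or RANK[sev] > RANK[r["severity"]]:
            r["severity"] = sev
        if sev == "low":
            r["compromised"].add(urlsplit(url).hostname)
        else:
            r["kit_hosts"].add(urlsplit(url).hostname)
            if referer != "-":
                r["compromised"].add(urlsplit(referer).hostname)
    return dict(report)
```

Only the "high" entries tie a compromised host to the kit host; a lone acinfo.html hit stays "low" because, as Site D shows, the file name by itself is not proof of infection.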
-
Hi !Donovan,
Realtime check reveals that hotspotboutique dot net is being blocked as seen by mob view resources...
2012/07/06_06:07 hotspotboutique dot net/main.php?page=f00fe909ad13ba45 109.164.221.176 cust.static.109-164-221-176.swisscomdata dot ch. Blackhole exploit kit Registrant ironeggmanATyahoo.com 44038 as on Malware Domain List
Mind the script marked as malicious on here: http://urlquery.net/report.php?id=83575
But GoogleSafebrowsing has also been alerted for this as we can see here: http://www.google.com/safebrowsing/diagnostic?site=http://hotspotboutique.net/main.php?page=f00fe909ad13ba45
and I get this with WebBug a 11004 [11004] Valid name, no data record (check DNS setup),
because my avast Web Shield neatly blocks this malicious site or file as JS:Blackhole-X[Trj]
Conclusion: we have detection from the avast shields. We are being protected!
polonus
-
A new one today. See: http://urlquery.net/report.php?id=89577
Many antiviruses now detect this threat, including avast! :)
https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/
-
A new one today. See: http://urlquery.net/report.php?id=89577
Many antiviruses now detect this threat, including avast! :)
https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/
at virustotal only Fortinet
Sucuri
http://sitecheck.sucuri.net/results/projekt.mops.lodz.pl
Zulu analyzer
http://zulu.zscaler.com/submission/show/37e4289b823d965f9df3a4be0c03dd4a-1342187446
-
Hmm... the VT result I get comes up with a wrong scan date?
on jotti
http://virusscan.jotti.org/en/scanresult/f92a823d37b47f3d9abeec9368fefad83d9a5ce9
-
Hi Pondus,
I get:
AntiVir JS/BlacoleRef.BS
Avast JS:Blacole-X [Trj]
BitDefender Trojan.JS.Iframe.BOT
Commtouch JS/IFrame.QY.gen
DrWeb Exploit.BlackHole.12
Emsisoft Trojan.JS.Blacole!IK
F-Prot JS/IFrame.QY.gen
F-Secure Trojan.JS.Iframe.BOT
Fortinet JS/Iframe.W!tr
GData Trojan.JS.Iframe.BOT
Ikarus Trojan.JS.Blacole
McAfee JS/Exploit-Blacole.ek
Microsoft Trojan:JS/BlacoleRef.BS
Norman JS/Blacole.GL
nProtect Trojan.JS.Iframe.BOT
Sophos Troj/ExpJs-CI
TrendMicro TROJ_GEN.RFFH1G9
-
Clicking on your VT link I now get the correct scan date... and an 18/42 result.
Guess it was a hiccup at VT ;)
-
Googling for acinfo.html you get many results for this particular malware campaign.
Just some examples:
http://urlquery.net/report.php?id=83207
http://urlquery.net/report.php?id=84601
http://urlquery.net/report.php?id=89577
Sucuri detects it here: http://sitecheck.sucuri.net/results/apps.org.rs/acinfo.html
and scumware here: 2012-07-09 15:08:53 htxp://garmonia-milk.ru/acinfo.html DF0D2D9BBD03FFB76C798E35B5C5C1F7 195.131.162.2 RU Trojan.JS.Iframe.BOT
polonus
-
3 More Here:
http://urlquery.net/report.php?id=89664
http://urlquery.net/report.php?id=89666
http://urlquery.net/report.php?id=89668
All use different IPs. Is it possible for one vendor to use multiple IPs?
-
Hi !Donovan,
Normally there is no legit issue, but this should not be performed at the same time as having duplicate content on various IPs. Only if you're updating content while a search engine is spidering it at the other server may you have created an issue. You only have to find a very cooperative dedicated host, and cybercriminals often do meet these friendly forces or rather lenient ones....
So we actively have to monitor the availability of each server. This whole exercise with malware is called malware migration, and on VirusWatch you can follow these migration patterns on a daily basis, plus malware that is being taken down, often by consent of the malcreants who move their circus elsewhere to open up shop and carry on.
Sometimes the malware is being closed or is no longer responsive. Sometimes new versions are being launched from one domain in an ever changing sequence through ever changing URL addresses and file names, spewing the same malcreations or unique variations on the same theme.
With urlquery dot net IDS alerts it is striking that over time you see various IP numbers for the same domain name, sometimes with 1 or more alerts, sometimes without one.
polonus
-
Hi !Donovan,
Interesting webmaster's discussion on this particular malware:
http://stackoverflow.com/questions/11414694/typo3-function-generates-trojan-js-blacoleref-bs-every-time-new
reply there from maholtz on question from testing
For detection scores see JS/BlacoleRef.BS at VW
here just 2
polonus
-
Here we have another: http://urlquery.net/report.php?id=99344
Still alive after 5+ days.
19/42 antiviruses now detect the contents of these malicious acinfo.html pages. See:
https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/
Eh.. the above is outdated, so let's hope more detect ATM.
-
Hi !Donovan,
Is this code in the attached image the malcode you refer to?
Get a live response from dungtank github for this url,
polonus
-
Yeah,
If you look closely you notice eval.
-
Hi !Donovan,
Again going to htxp://hotspotboutique.net/main.php. Good thing about it is that we have avast Webshield detection for it as JS:Blackole-X[Trj].
So we have protection,
polonus
-
This one has already been closed: http://www.google.com/safebrowsing/diagnostic?site=winners.co.rs/acinfo.html
The requested URL /acinfo.html was not found on this server.
Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.
See on trojan Cridex: http://cbnetsecurity.com/colors/archives/825 (link author cristian on Eye on Spam)
Do a look-up there and you will see the IP for the malware is undef for the mdl_trojan Cridex senderbase;
contributor was Malware Domain List.
Malicious software consists of 213 trojans, 15 scripting exploits, 7 exploits.
Site is being hosted on 3 networks, e.g.: AS17772 (CHINACOM), AS44038 (BLUEWIN), AS20860 (IOMART).
polonus