Six malicious acinfo.html sites were found at 2012-07-06 08:31:51. Let's look at them together.
Site A (Host: humanas.rs):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <Detected>
First thing, we get:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=humanas.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
The homepage looks normal, but when we check "acinfo.html", we get:
humanas.rs/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=humanas.rs/ if
[var newurl] URL=humanas.rs/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript
We also get the phish title "NACHA - The Electronic Payments Association -" mentioned here (another acinfo.html site is explained here). This site also uses the same algorithm given in the above link. This is evidence that this specific algorithm and this phish title will keep being used in the future.
Site B (Host: ykwh.gov.cn):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <MISSED>
Here we get the same first request as Site A, which suggests the domains are working together:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=ykwh.gov.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
Several SWF files are also present. Results:
top.swf | flash2.swf | focus1.swf
The main threat, "acinfo.html", looks exactly like Site A.
ykwh.gov.cn/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=ykwh.gov.cn/ if
[var newurl] URL=ykwh.gov.cn/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript
Site C (Host: spbfencing.ru) -Taken Down-:
URLQuery <MISSED> | VirusTotal <MISSED> | Zulu Scanner <MISSED> | Sucuri SiteCheck <MISSED> | URLVoid <MISSED>
404 from wplus.net. It appears the site was found to be malicious and taken down.
Site D (Host: wk999.com.cn) -???-:
URLQuery <MISSED> | VirusTotal <MISSED> | Zulu Scanner <Suspicious> | Sucuri SiteCheck <MISSED> | URLVoid <MISSED>
The only thing happening on this page is a redirect to "/acinfo/" using the window.location method. Nothing suspicious in the redirected page. Moving along...
Site E (Host: blog.cd3d.com.cn):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <MISSED>
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=blog.cd3d.com.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
Same iframe, same phish title, and same algorithm as Sites A and B. Now we know we have something.
Site F (Host: apps.org.rs):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <MISSED>
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
(referer=apps.org.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>
Same algorithm as all of the above.
=================================
So in summary, the "acinfo.html" sites appear to call the known Blackhole exploit-kit host "hotspotboutique.net". This filename should be considered suspicious.
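As an added example (not code from the original post), here is a small Python triage script that reads decoding output in the format quoted above and flags a page when its filename is acinfo.html or when a decoded iframe points at a main.php?page=<16 hex> landing URL, treating hotspotboutique.net as the known host; the sample output block and the example.org control page are constructed.

```python
import re

# Constructed sample in the style of the decoding output quoted in the post:
# two of the flagged pages plus one harmless page as a control.
SAMPLE_OUTPUT = """\
humanas.rs/acinfo.html
[decodingLevel=0] found JavaScript
DecodedIframe detected
[var s] URL=humanas.rs/ if
[iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
[decodingLevel=1] found JavaScript
wk999.com.cn/acinfo.html
[decodingLevel=0] found JavaScript
example.org/index.html
[decodingLevel=0] found JavaScript
[iframe] example.org/widgets/frame.html
"""

# Indicator from the post: the iframe target is <host>/main.php?page=<16 hex chars>.
IFRAME_RE = re.compile(r"^\[iframe\]\s+(\S+)")
LANDING_RE = re.compile(r"^(?P<host>[^/]+)/main\.php\?page=[0-9a-f]{16}$")
KNOWN_HOSTS = {"hotspotboutique.net"}  # the host every hit in the post pointed to

def parse_blocks(text):
    """Group the output by analysed page: {page_url: [iframe targets]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] == "[" or line.startswith("Decoded"):  # decoder detail line
            m = IFRAME_RE.match(line)
            if m and current is not None:
                blocks[current].append(m.group(1))
        else:                                                # a new page header
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def assess(page_url, iframes):
    """Return the reasons a page is suspicious (empty list means clean)."""
    reasons = []
    if page_url.endswith("/acinfo.html"):
        reasons.append("filename acinfo.html")
    for target in iframes:
        m = LANDING_RE.match(target)
        if m:
            how = "known host" if m.group("host") in KNOWN_HOSTS else "landing-URL shape"
            reasons.append(f"iframe {target} ({how})")
    return reasons

def triage(text):
    """Map each page in the output to its list of reasons."""
    return {url: assess(url, frames) for url, frames in parse_blocks(text).items()}

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_OUTPUT).items():
        print(url, "->", "; ".join(reasons) or "nothing flagged")
```

A filename-only hit (like Site D above) is weak on its own; the iframe match is what turns it into a real finding.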
~!Donovan