Topic: To Website Analyst: Rise of the Malicious "acinfo.html"


!Donovan
To Website Analyst: Rise of the Malicious "acinfo.html"
« on: July 06, 2012, 08:16:49 PM »
Six malicious acinfo.html sites were found on 2012-07-06 08:31:51. Let's look at them together.

Site A (Host: humanas.rs):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <Detected>

First thing, we get:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
   (referer=humanas.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

The homepage looks regular, but when we check the "acinfo.html", we get:
humanas.rs/acinfo.html
   [decodingLevel=0] found JavaScript
   DecodedIframe detected
   [var s] URL=humanas.rs/          if
   [var newurl] URL=humanas.rs/          if
   [iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
   [decodingLevel=1] found JavaScript

We also get the phish title "NACHA - The Electronic Payments Association -" mentioned here (another acinfo.html site explained here). This site also has the same algorithm given in the above link. This provides evidence that the use of this specific algorithm and this phish title will be used in the future.


Site B (Host: ykwh.gov.cn):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <MISSED>

Here, we get the same intro as Site A, assuming a partnership with the domains:
hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
   (referer=ykwh.gov.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

Several SWF files are also present. Results: top.swf | flash2.swf | focus1.swf

The main threat, "acinfo.html", looks exactly like Site A.
ykwh.gov.cn/acinfo.html
   [decodingLevel=0] found JavaScript
   DecodedIframe detected
   [var s] URL=ykwh.gov.cn/          if
   [var newurl] URL=ykwh.gov.cn/          if
   [iframe] hotspotboutique.net/main.php?page=f00fe909ad13ba45
   [decodingLevel=1] found JavaScript


Site C (Host: spbfencing.ru) -Taken Down-:
URLQuery <MISSED> | VirusTotal <MISSED> | Zulu Scanner <MISSED> | Sucuri SiteCheck <MISSED> | URLVoid <MISSED>

404 from wplus.net. Appears the site was found malicious and taken down.


Site D (Host: wk999.com.cn) -???-:
URLQuery <MISSED> | VirusTotal <MISSED> | Zulu Scanner <Suspicious> | Sucuri SiteCheck <MISSED> | URLVoid <MISSED>

The only thing happening on this page is a redirect to "/acinfo/" using the window.location method. Nothing suspect in the redirected page. Moving along...

Site E (Host: blog.cd3d.com.cn):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <MISSED>

hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
   (referer=blog.cd3d.com.cn/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

Same iframe, same phish title, and same algorithm from Site A and B. Now we know we have something.


Site F (Host: apps.org.rs):
URLQuery <Detected> | VirusTotal <Detected> | Zulu Scanner <Detected> | Sucuri SiteCheck <Detected> | URLVoid <MISSED>

hotspotboutique.net/main.php?page=f00fe909ad13ba45
(iframe) hotspotboutique.net/main.php?page=f00fe909ad13ba45
   (referer=apps.org.rs/acinfo.html)failure: <urlopen error [Errno -2] Name or service not known>

Same algorithm as all above.

=================================

So in summary, the "acinfo.html" sites appear to call the known blackhole exploit hotspot "hotspotboutique.net". This filename should be considered suspicious.


~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

polonus
Re: To Website Analyst: Rise of the Malicious "acinfo.html" [SOLVED]
« Reply #1 on: July 06, 2012, 09:38:33 PM »
Hi !Donovan,

Realtime check reveals that hotspotboutique dot net is being blocked, as seen by mob view resources...
2012/07/06_06:07   hotspotboutique dot net/main.php?page=f00fe909ad13ba45   109.164.221.176   cust.static.109-164-221-176.swisscomdata dot ch.   Blackhole exploit kit   Registrant ironeggmanATyahoo.com   44038   as on Malware Domain List
Mind the marked-as-malicious script on here: http://urlquery.net/report.php?id=83575
But GoogleSafebrowsing has also been alerted for this as we can see here: http://www.google.com/safebrowsing/diagnostic?site=http://hotspotboutique.net/main.php?page=f00fe909ad13ba45
and I get this with WebBug: 11004 [11004] Valid name, no data record (check DNS setup),
because my avast Web Shield neatly blocks this malicious site or file as JS:Blackhole-X[Trj].
Conclusion: we have detection from the avast shields. We are being protected!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Pondus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #4 on: July 13, 2012, 03:58:52 PM »
Hmm... the VT result I get comes up with the wrong scan date?

on jotti
http://virusscan.jotti.org/en/scanresult/f92a823d37b47f3d9abeec9368fefad83d9a5ce9

!Donovan
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #5 on: July 13, 2012, 04:06:15 PM »
Hi Pondus,

I get:
AntiVir JS/BlacoleRef.BS
Avast JS:Blacole-X [Trj]
BitDefender Trojan.JS.Iframe.BOT
Commtouch JS/IFrame.QY.gen
DrWeb Exploit.BlackHole.12
Emsisoft Trojan.JS.Blacole!IK
F-Prot JS/IFrame.QY.gen
F-Secure Trojan.JS.Iframe.BOT
Fortinet JS/Iframe.W!tr
GData Trojan.JS.Iframe.BOT
Ikarus Trojan.JS.Blacole
McAfee JS/Exploit-Blacole.ek
Microsoft Trojan:JS/BlacoleRef.BS
Norman JS/Blacole.GL
nProtect Trojan.JS.Iframe.BOT
Sophos Troj/ExpJs-CI
TrendMicro TROJ_GEN.RFFH1G9

Pondus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #6 on: July 13, 2012, 04:11:56 PM »
Clicking on your VT link I now get the correct scan date... and an 18/42 result.
Guess it was a hiccup at VT ;)

polonus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #7 on: July 13, 2012, 05:06:32 PM »
Googling for acinfo.html you get many results for this particular malware campaign
Just some examples:
http://urlquery.net/report.php?id=83207
http://urlquery.net/report.php?id=84601
http://urlquery.net/report.php?id=89577
Sucuri detects it here: http://sitecheck.sucuri.net/results/apps.org.rs/acinfo.html
and Scumware here: 2012-07-09 15:08:53   htxp://garmonia-milk.ru/acinfo.html   DF0D2D9BBD03FFB76C798E35B5C5C1F7   195.131.162.2   RU   Trojan.JS.Iframe.BOT

polonus

!Donovan
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #8 on: July 13, 2012, 05:16:40 PM »
3 More Here:
http://urlquery.net/report.php?id=89664
http://urlquery.net/report.php?id=89666
http://urlquery.net/report.php?id=89668

All use different IPs. Is it possible for one vendor to use multiple IPs?

polonus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #9 on: July 13, 2012, 05:32:07 PM »
Hi !Donovan,

Normally there is no legit issue, but this should not be performed at the same time as having duplicate content on various IPs. Only if you're updating content while a search engine is spidering it at the other server may you have created an issue. You only have to find a very cooperative dedicated host, and cybercriminals often do meet these friendly forces, or rather lenient ones....
So we actively have to monitor the availability of each server. This whole exercise with malware is called malware migration, and on VirusWatch you can follow these migration patterns on a daily basis, plus malware that is being taken down, often by consent of the malcreants, who move their circus elsewhere to open up shop and carry on.
Sometimes the malware is being closed or is no longer responsive. Sometimes new versions are being launched from one domain in an ever-changing sequence through ever-changing URL addresses and file names, spewing the same malcreations or unique variations on the same theme.
With urlquery dot net IDS alerts it is striking that over time you see various IP numbers for the same domain name, sometimes with 1 or more alerts, sometimes without one.

polonus
« Last Edit: July 13, 2012, 05:34:23 PM by polonus »
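An added example (my code, not from the thread) for the "malware migration" polonus describes: feed it successive scan-report rows and it shows, per hostname, how many distinct IPs the name has sat on, how long it has been active, and how many reports raised no IDS alert at all. REPORTS is constructed in the style of the urlquery / Malware Domain List rows quoted above; its timestamps, IDS counts and RFC 5737 documentation IPs are made up for the demo and are not the real addresses of these hosts.

```python
"""Track hostnames that keep moving between IPs across scan reports (added example)."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed rows: "<timestamp>\t<url>\t<ip>\t<ids alert count>" (not real data).
REPORTS = (
    "2012-07-06 06:07:00\thotspotboutique.net/main.php?page=f00fe909ad13ba45\t192.0.2.10\t2\n"
    "2012-07-09 15:08:53\tgarmonia-milk.ru/acinfo.html\t198.51.100.2\t1\n"
    "2012-07-13 17:10:00\thotspotboutique.net/main.php?page=f00fe909ad13ba45\t198.51.100.7\t0\n"
    "2012-07-13 17:12:00\thotspotboutique.net/main.php?page=f00fe909ad13ba45\t203.0.113.9\t1\n"
    "2012-07-22 16:40:00\tgarmonia-milk.ru/acinfo.html\t198.51.100.2\t1\n"
)


def parse_reports(text):
    """Parse tab-separated rows into (timestamp, hostname, ip, alerts) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, ip, alerts = line.split("\t")
        host = urlsplit("//" + url).hostname  # rows carry scheme-less URLs
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, ip, int(alerts)))
    return rows


def migration_summary(rows):
    """Per host: distinct IPs in order of first appearance, active window,
    number of IP moves, and reports that raised no IDS alert."""
    by_host = defaultdict(list)
    for ts, host, ip, alerts in rows:
        by_host[host].append((ts, ip, alerts))
    summary = {}
    for host, seen in by_host.items():
        seen.sort()
        ips = []
        for _, ip, _ in seen:
            if ip not in ips:
                ips.append(ip)
        summary[host] = {
            "ips": ips,
            "first_seen": seen[0][0],
            "last_seen": seen[-1][0],
            "days_active": (seen[-1][0] - seen[0][0]).days,
            "moves": len(ips) - 1,
            "silent_reports": sum(1 for _, _, a in seen if a == 0),
        }
    return summary


def migrating_hosts(summary, min_moves=1):
    """Hosts that changed IP at least min_moves times: the ones worth
    re-checking instead of trusting a single blocklist entry by IP."""
    return sorted(h for h, s in summary.items() if s["moves"] >= min_moves)


if __name__ == "__main__":
    summary = migration_summary(parse_reports(REPORTS))
    for host in migrating_hosts(summary):
        s = summary[host]
        print(f"{host}: {s['moves']} move(s) across {s['ips']} over "
              f"{s['days_active']} day(s), {s['silent_reports']} report(s) without an IDS alert")
```

Blocking by IP is what this defeats: a name that has moved twice in a week will move again, so the hostname (or the landing-URL pattern) is the durable indicator, and a report with zero IDS alerts is not evidence the site went clean, only that the scanner hit it on a quiet moment.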

polonus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #10 on: July 13, 2012, 07:29:04 PM »
Hi !Donovan,

Interesting webmaster's discussion on this particular malware:
http://stackoverflow.com/questions/11414694/typo3-function-generates-trojan-js-blacoleref-bs-every-time-new
reply there from maholtz on question from testing
For detection scores see JS/BlacoleRef.BS at VW,
here just 2

polonus

!Donovan
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #11 on: July 22, 2012, 04:49:38 PM »
Here we have another: http://urlquery.net/report.php?id=99344

Still alive after 5+ days.

19/42 antiviruses now detect the contents of these malicious acinfo.html pages. See:
https://www.virustotal.com/file/f4a890f6cbca08ea737e16098a9e60610dc3b41a4a88f2d3b9d5630a904889b7/analysis/
Eh.. the above is outdated, so let's hope more detect ATM.
« Last Edit: July 22, 2012, 05:38:00 PM by !Donovan »

polonus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #12 on: July 22, 2012, 05:16:35 PM »
Hi !Donovan,

Is this code in the attached image the malcode you refer to?
Get a live response from dungtank github for this url,

polonus
« Last Edit: July 22, 2012, 05:20:59 PM by polonus »

!Donovan
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #13 on: July 22, 2012, 05:36:39 PM »
Yeah,

If you look closely you notice eval.

polonus
Re: To Website Analyst: Rise of the Malicious "acinfo.html"
« Reply #14 on: July 22, 2012, 06:16:29 PM »
Hi !Donovan,

Again going to htxp://hotspotboutique.net/main.php. The good thing about it is that we have avast Web Shield detection for it as JS:Blackole-X[Trj].
So we have protection,

polonus