Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 18 September 2008

AARP Site "Hack", more than just porn promotion

There's slightly more to it than just spam for promotion of porn pages via Google. Looking through the code, shows multiple redirections via 301 then 302, which eventually leads to a Cernel hosted site that will infect the unsuspecting user with the Zlob trojan;

Start here;
http://vurl.mysteryfcm.co.uk/?url=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=4&ref=

/Begin edit 22-09-08 00:58

A check a few seconds ago, shows the aarp profile no longer exists. Alas there doesn't seem to be a cache of it either ....

/-End edit 22-09-08 00:58

Next, it leads you to;

http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/in.cgi?2¶meter=teen+galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://www.aarp.org/community/c1w2y8

If you look at the headers (displayed just above the source code), you'll notice the 301 via joyfulclipz.com followed by the 302 via breeddirect.com.

The final result, is the Zlob trojan (12K UPX, 32K unpacked (Visual C++ 6 file) - setup.exe), courtesy of movsdevices.com, as shown in the source at the following.



http://vurl.mysteryfcm.co.uk/?url=http://plzwait.info/st/st.php?cat=63&script=1&url=http://www.wootmovs.com/m4/index.php?id=1117&n=teen&a=fireplace&v=2133734&preview=http://img2.joyfulclipz.com/st/thumbs/010/7598829497.jpg&p=100&selUAStr=1&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://plzwait.info/in.cgi?2¶meter=teen%20galleries&ur=1&HTTP_REFERER=http://www.aarp.org/community/c1w2y8

Detection for the file, packed and unpacked, is rubbish :o(

Packed (5/36)
http://www.virustotal.com/analisis/a65ca4aea5af13882b9e3c340a419922

Unpacked (1/36)
http://www.virustotal.com/analisis/9f242182ca38a09c4e050043e22b5b76

Alas I'm in the process of fixing my laptop at the moment, so I'll leave the detailed analysis of the executable to someone else.

Sites involved:

breeddirect.com (78.157.143.200)
joyfulclipz.com (78.108.177.124)
img2.joyfulclipz.com (78.108.177.124, also valid as img1-4.)
wootmovs.com (78.157.143.133)
movsdevices.com (77.91.231.201)

References:

AARP Site Hacked and Spammed
http://www.mxlogic.com/itsecurityblog/1/2008/09/AARP-Site-Hacked-and-Spammed.cfm

Porn Operators Hijack Pages on AARP Website
http://www.darkreading.com/document.asp?doc_id=164115&f_src=darkreading_section_296

Knew I'd find the original reference that led me to this ;o)

Porn Operators Hijack Pages on AARP Website
http://temerc.com/forums/viewtopic.php?f=4&t=5780

No comments: