Global Crossing are currently hosting a whole host of rogues such as Fast Antivirus. One thing the latest ones have in common is their use of a seemingly randomly named .js file that does the bulk of the work to ensure you get infected.
Most of us will do one of two things:
1. Load the site up in the browser
2. Analyze the sites source code to identify the download location so we can automate downloads of new samples
I tend to opt for the latter myself, which is why I'm posting this. When I looked at a site a couple of days ago, I got the .js file decoded, went through its code, and identified the download URL as:
Where [n] is a random number, for example:
This produced a download called Setup_build-1_7.exe. The newer sites since then, however, have changed a bit and now require a little extra. It does still produce the file without it, but the file is 0KB.
Let's start from the beginning, shall we? The site we're going to look at today is trustshield.info (IP: 18.104.22.168). When you first load this site, if you've got scripts enabled (and I should warn, NEVER do this with ActiveX enabled as well!!), you'll see a prompt, then the following, which leads on to the usual "OH NOES! YAZ NEEDZ MA APPZ!" stuff.
But let's look behind this. If we pull the main URL's source code, we can see it contains the standard HTML, a landing.gif image, and everything else is contained within the script that's loaded:
vURL Online - http://trustshield.info/?p=WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw==
If we now look at the .js file, we see a rather large "a" var that's processed by an incy bit of code at the bottom:
vURL Online - trustshield.info/Scripts/Strategies/6a20f3f566cb9dc9a1ef4af2dee0c2168120317.js
We can use Malzilla to decode this without any of the special modifications or replacements that the more complex obfuscations sometimes need, as they've made this extremely simple for us. The following is what the script eventually decodes to after going through two levels of obfuscation:
What we need to do now is analyze this to identify where the actual download is coming from. The easiest way is to look for key words such as download, URL, .php and, of course, .exe. In this case, looking for download eventually takes us to the following snippet:
Which tells us to look at the getDownloadURL function. Looking for that gives us the following:
From here, we can deduce that the download URL is going to be:
Previously, the &[var] wasn't required. Now that it is, we need to find out what kPromo.base.queryParameters is required to contain. Looking through the source for queryParameters= gives us:
Which kindly tells us it's expecting the contents of location.search, which in this case would be the base64-encoded string we saw at the beginning:
If we now put this all together, we end up with the following URL, replacing [n] with random numbers:
Which results in a file called Setup_build6_149.exe (195K).
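The steps above (keyword triage of the decoded script, locating getDownloadURL, and substituting location.search for kPromo.base.queryParameters) can be scripted so new variants are handled the same way each time. The following is an added example written for this post, not code from the rogue or from the original write-up. The decoded script on the page is not reproduced here, so DECODED_JS is a constructed stand-in that only mimics the shape described (a getDownloadURL function concatenating a path with kPromo.base.queryParameters, which is set from location.search); the /download/[n].php path inside it is an assumption, not the real site's path. The script only derives the URL; it does not fetch anything.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the decoded rogue script (NOT the real decoded
# source, which is not reproduced on the page). The path is a placeholder.
DECODED_JS = """
var kPromo = { base: { queryParameters: "" } };
kPromo.base.queryParameters = location.search;
function getDownloadURL(n) {
    return "/download/" + n + ".php" + kPromo.base.queryParameters;
}
function startDownload() {
    window.location = getDownloadURL(Math.floor(Math.random() * 100000));
}
"""

# The landing URL quoted in the post; location.search is everything from '?' on.
LANDING = "http://trustshield.info/?p=WKmimHVlbHKHjsbIo21zdYWMpYOInKOjY4nT1m6uqI61h8WilnGbk4F5bw=="

# The same key words the post searches for by hand.
KEYWORDS = ("download", "url", ".php", ".exe")


def keyword_hits(js: str, keywords=KEYWORDS):
    """Return (line_no, keyword, line) for every line containing a key word (case-insensitive)."""
    hits = []
    for no, line in enumerate(js.splitlines(), 1):
        low = line.lower()
        for kw in keywords:
            if kw in low:
                hits.append((no, kw, line.strip()))
    return hits


def function_body(js: str, name: str) -> str:
    """Return the text of `function name(...) { ... }`, matching braces to find its end."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", js)
    if not m:
        raise ValueError(f"{name} not found")
    depth, i = 1, m.end()
    while i < len(js) and depth:
        depth += {"{": 1, "}": -1}.get(js[i], 0)
        i += 1
    return js[m.start():i]


def resolve_return(body: str, bindings: dict) -> str:
    """Evaluate a simple `return a + b + c;` of string literals and known names.

    Literals are kept, names found in `bindings` are substituted, and anything
    else is left as a [placeholder] so the analyst can see what still needs
    resolving (the post's [n] and &[var] notation).
    """
    m = re.search(r"return\s+(.+?);", body, re.S)
    if not m:
        raise ValueError("no return statement")
    parts = []
    for tok in m.group(1).split("+"):
        tok = tok.strip()
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            parts.append(tok[1:-1])
        elif tok in bindings:
            parts.append(str(bindings[tok]))
        else:
            parts.append("[" + tok + "]")
    return "".join(parts)


def landing_query(landing_url: str) -> str:
    """What location.search holds on the landing page (leading '?' included)."""
    q = urlsplit(landing_url).query
    return "?" + q if q else ""


def build_download_url(js: str, landing_url: str, n: int) -> str:
    """Put it all together: getDownloadURL's return, with n and queryParameters filled in."""
    body = function_body(js, "getDownloadURL")
    path = resolve_return(body, {
        "n": n,
        "kPromo.base.queryParameters": landing_query(landing_url),
    })
    return "http://" + urlsplit(landing_url).netloc + path


if __name__ == "__main__":
    for no, kw, line in keyword_hits(DECODED_JS):
        print(f"line {no:>2} [{kw}]: {line}")
    print(build_download_url(DECODED_JS, LANDING, 12345))
```

The resolver deliberately leaves unknown names as [placeholders] rather than guessing, which is exactly the situation the post describes when the &[var] appeared: the output tells you which binding you still have to hunt for in the decoded source.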
Threat Expert report:
The TE report also shows connections from the program to:
update1.fastantivirus09.com (also valid as update2.) - 22.214.171.124 (NetName: VELCOM)
updvmfnow.cn - 126.96.36.199 (proxy.virus-doctor.com) (NetName: VELCOM)
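The hosts above are worth turning into a detection, and the note that update2. is valid as well as update1. is a reminder to match the registered domain and every subdomain under it rather than one exact hostname. The following is an added example, not part of the original post or the Threat Expert report: it runs a domain-suffix match over constructed proxy log lines (made-up traffic, hostname in the third field) and shows why a naive "ends with" check on the bare string is wrong.

```python
# Indicator domains taken from the Threat Expert connections listed above.
# Matching on the registered domain covers update1., update2., proxy., etc.
INDICATOR_DOMAINS = ("fastantivirus09.com", "updvmfnow.cn", "virus-doctor.com")

# Constructed sample proxy log: "<timestamp> <client> <host> <method> <path>".
# These lines are invented for the example and are not real traffic.
SAMPLE_LOG = """\
2009-03-01T10:00:01 10.0.0.12 www.example.com GET /index.html
2009-03-01T10:00:07 10.0.0.12 update2.fastantivirus09.com GET /update.php
2009-03-01T10:00:09 10.0.0.15 fastantivirus09.com.lookalike.test GET /
2009-03-01T10:00:11 10.0.0.12 proxy.virus-doctor.com POST /report
2009-03-01T10:00:13 10.0.0.20 updvmfnow.cn GET /
"""


def host_matches(host: str, domain: str) -> bool:
    """True if host is the indicator domain itself or a subdomain of it.

    Requiring the '.' before the domain is what stops
    'fastantivirus09.com.lookalike.test' from matching: a plain
    `host.endswith(domain)` would also miss that, but a plain substring
    check (`domain in host`) would wrongly fire on it.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_indicator_hits(log_text: str, domains=INDICATOR_DOMAINS):
    """Return (timestamp, client, host, matched_domain) for every indicator hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        host = fields[2]
        for d in domains:
            if host_matches(host, d):
                hits.append((fields[0], fields[1], host, d))
                break
    return hits


if __name__ == "__main__":
    for ts, client, host, d in find_indicator_hits(SAMPLE_LOG):
        print(f"{ts} {client} -> {host} (matches {d})")
```

Pointing this at real proxy or DNS logs is a matter of adjusting which field holds the hostname; the matching logic stays the same.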