Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 30 December 2009

nit99.biz: When is a forum not a forum? ....

... When it's an exploit of course!

This URL (vURL results, PDF);

nit99.biz/myy/viewtopic.php?s=bec8f62472

wants us to believe it's a forum, that's going to let us view the respective topic associated with the ID in the s= variable. Alas however, it's neither a valid ID, nor a forum at all. What you'll actually get, is a whole host of badness battered down the pipes onto your poor machine.

And what badness do you get? Glad you asked! The above URL, loads two additional URL's that deliver the payload;

PDF file
nit99.biz/myy/myreadme.php

SWF (flash) file
nit99.biz/myy//i.swf

These files have one purpose - to deliver the payload. The payload itself comes from;

nit99.biz/myy/post.php?e=6&

The payload is a 39K file called pdfupdate.exe, and VT results as of December 29th, were absolutely rubbish, with only 3 vendors detecting it;

http://www.virustotal.com/analisis/c6bf9b61d2ee07fea37adf13d3c0218d738d33914cb2525f58d4861c75bd662a-1261915184

I've just submitted it to VT again, to see if the detections have improved yet, and though they could still be better, the 3 vendors is now up to 19;

http://www.virustotal.com/analisis/c6bf9b61d2ee07fea37adf13d3c0218d738d33914cb2525f58d4861c75bd662a-1262196998

The file is UPX packed, and unpacking it shows a 79K file, that according to VT reports is a fake alert (otherwise known as "this is gonna infect yer poor machine and ask you to pay it for the privilege of doing so").

I don't have my test box up at the moment as I'm busy with work, and sorting out a server issue, but the Anubis results for the unpacked file, can be found here. Of interest, is the following, which indicates the presence of a rootkit;

....HKLM\System\CurrentControlSet\Services\AsyncMac


I did however, notice the following bit of confusion, when looking at the file in FileInsight;

....But where would he sleep?...He could be taller the..But where would he sleep?...No one wou..Imagine a pet dinosaur that live....when we played hid..and my pet would pass up th.He could be talle...pterodactyl instead.and the fences squashed ....M..[I0d have to spend ..I wouldn0...I wouldn0t have to worry....It would ...A pet dinosaur would be won.at my house and.and then another and t..Wouldn0t it be fan..While he stood in t.While he st.b.CB


Nope, I've no idea what that's about either.

The site resides at 115.100.250.104, and my database is showing this entire /24 as being dirty (so nope, not just a case of the sites being hacked). Malicious activity seen within this /24 includes;

20091216205416          115.100.250.107          Failed resolution          tt.allowjobs.cn          hxxp://tt.allowjobs.cn/

20091216205423          115.100.250.107          Failed resolution          tt.allowjobs.cn          hxxp://tt.allowjobs.cn/pdf.php?spl=pdf_ie2

20091216220940          115.100.250.107          Failed resolution          www.atatata.org          hxxp://www.atatata.org/777/sysmona.exe

20091218035413          115.100.250.72          Failed resolution          115.100.250.72          hxxp://115.100.250.72/server-status

20091218035420          115.100.250.107          Failed resolution          115.100.250.107          hxxp://115.100.250.107/server-status

20091218035427          115.100.250.115          Failed resolution          115.100.250.115          hxxp://115.100.250.115/server-status

20091218035433          115.100.250.116          Failed resolution          115.100.250.116          hxxp://115.100.250.116/server-status

20091218035440          115.100.250.119          Failed resolution          115.100.250.119          hxxp://115.100.250.119/server-status

20091219231238          115.100.250.107          Failed resolution          www.grobin1.cn          hxxp://www.grobin1.cn/pol/alwaysA.pdf

20091220000111          115.100.250.107          Failed resolution          chinaoilfactory.cn          hxxp://chinaoilfactory.cn/cp/build.exe

20091220000119          115.100.250.107          Failed resolution          chris25project.cn          hxxp://chris25project.cn/cp/bot.exe

20091220000340          115.100.250.107          Failed resolution          dia2.cn          hxxp://dia2.cn/123/ld.php?v=1&rs=13441600&n=1&uid=1

20091220001901          115.100.250.113          Failed resolution          online-counter.cn          hxxp://online-counter.cn/load.exe

20091220001908          115.100.250.113          Failed resolution          online-counter.cn          hxxp://online-counter.cn/stats/211/loadshow.php

20091220011435          115.100.250.119          Failed resolution          www.socks5servic.cn          hxxp://www.socks5servic.cn/zs/bot.exe

20091222194143          115.100.250.115          Failed resolution          www.useranalyticsreporting.net          hxxp://www.useranalyticsreporting.net/ir/pack/exe.php?spl=MDAC

20091222194202          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/sdfg.jar

20091222194209          115.100.250.104          Failed resolution          client158.faster-hosting.com          hxxp://client158.faster-hosting.com/cache/homepage.exe

20091222194257          115.100.250.115          Failed resolution          www.useranalyticsreporting.net          hxxp://www.useranalyticsreporting.net/ir/pack/exp/pdf.php

20091222194330          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/myreadme.php

20091222194337          115.100.250.115          Failed resolution          kijojg.net          hxxp://kijojg.net/fr/files/leerydumbbunny.pdf

20091222194344          115.100.250.115          Failed resolution          kijojg.net          hxxp://kijojg.net/fr/files/scamtodosomething.pdf

20091222194423          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/f.swf

20091222194438          115.100.250.105          Failed resolution          www.aolas.cn          hxxp://www.aolas.cn/Smilex/az-alliance/iereg.exe

20091222194451          115.100.250.104          Failed resolution          www.kimosimotuma.cn          hxxp://www.kimosimotuma.cn/777.exe

20091222194529          115.100.250.104          Failed resolution          www.rss-lenta-news.ru          hxxp://www.rss-lenta-news.ru/123132/New2.exe

20091222194536          115.100.250.104          Failed resolution          client158.faster-hosting.com          hxxp://client158.faster-hosting.com/cache/anime2/13.exe

20091222194543          115.100.250.115          Failed resolution          kijojg.net          hxxp://kijojg.net/fr/loadjavad.php

20091222194607          115.100.250.107          Failed resolution          atatata.org          hxxp://atatata.org/123/file.php?upd

20091222194613          115.100.250.104          Failed resolution          www.rss-lenta-news.ru          hxxp://www.rss-lenta-news.ru/ad/file.php?upd

20091222194631          115.100.250.104          Failed resolution          www.not99.biz          hxxp://www.not99.biz/myy/post.php?e=1&&

20091222194652          115.100.250.104          Failed resolution          www.rss-lenta-news.ru          hxxp://www.rss-lenta-news.ru/123132/your_exe.exe

20091222194759          115.100.250.107          Failed resolution          www.footballcappers.biz          hxxp://www.footballcappers.biz/exe.php

20091222194842          115.100.250.104          Failed resolution          www.kimosimotuma.cn          hxxp://www.kimosimotuma.cn/888.exe

20091223201100          115.100.250.105          Failed resolution          www.aolas.cn          hxxp://www.aolas.cn/az-hsbc/iereg.exe

20091223201217          115.100.250.104          Failed resolution          kotopes.cn          hxxp://kotopes.cn/forum/image/exe.php

20091223201224          115.100.250.117          Failed resolution          westnorths.cn          hxxp://westnorths.cn/load.php?spl=mdac

20091229031704          115.100.250.107          Failed resolution          chris25project.cn          hxxp://chris25project.cn/cp/zsbcs.exe

20091229031807          115.100.250.107          Failed resolution          footballcappers.biz          hxxp://footballcappers.biz

20091229032535          115.100.250.107          Failed resolution          footballcappers.biz          hxxp://footballcappers.biz/exe.php

20091229032541          115.100.250.107          Failed resolution          footballcappers.biz          hxxp://footballcappers.biz/load.exe

20091229032858          115.100.250.104          Failed resolution          not99.biz          hxxp://not99.biz/myy/post.php

20091229033818          115.100.250.115          Failed resolution          useranalyticsreporting.net          hxxp://useranalyticsreporting.net/ir/pack/exp/pdf.php

20091229034534          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id125/

20091229034555          115.100.250.104          Failed resolution          kotopes.cn          hxxp://kotopes.cn/forum/image/index.php

20091229034658          115.100.250.104          Failed resolution          not99.biz          hxxp://not99.biz/myy/viewtopic.php?s=f6e678fe95

20091229034925          115.100.250.119          Failed resolution          wen.nei28.com          hxxp://wen.nei28.com/index.php

20091229035534          115.100.250.104          Failed resolution          kotopes.cn          hxxp://kotopes.cn/forum/image/spl/pdf.pdf

20091229035919          115.100.250.104          Failed resolution          www.kotopes.cn          hxxp://www.kotopes.cn/forum/image/spl/pdf.pdf

20091229035932          115.100.250.115          Failed resolution          www.useranalyticsreporting.net          hxxp://www.useranalyticsreporting.net:80/ir/pack/exp/pdf.php

20091229040137          115.100.250.107          Failed resolution          grobin1.cn          hxxp://grobin1.cn/pol/alwaysA.pdf

20091229040143          115.100.250.107          Failed resolution          grobin1.cn          hxxp://grobin1.cn/pol/update.php

20091229040331          115.100.250.117          Failed resolution          westnorths.cn          hxxp://westnorths.cn/index.php?spl=3&br=MSIE&vers=6.0&s=826f3bdce007009c5ceb6c26ccf638bc

20091229040853          115.100.250.104          Failed resolution          fopsl.cn          hxxp://fopsl.cn/forum/index.php

20091229041019          115.100.250.104          Failed resolution          nit99.biz          hxxp://nit99.biz/new/viewtopic.php?s=0ec9d1a063

20091229041204          115.100.250.117          Failed resolution          todaymaytomorrow.cn          hxxp://todaymaytomorrow.cn//load.php?spl=mdac

20091229042433          115.100.250.104          Failed resolution          www.nit99.biz          hxxp://www.nit99.biz/myy/viewtopic.php?s=bec8f62472

20091229044311          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id125/index.php

20091229044317          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com:80/id125/files/annonce.pdf

20091229044324          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com:80/id125/loadpdf.php

20091229044415          115.100.250.117          Failed resolution          ispugais.cn          hxxp://ispugais.cn/load.php?s=70861f0ffb301246f95e3f7cb8293213&spl=pdf_all

20091229044426          115.100.250.117          Failed resolution          kitaiclock.cn          hxxp://kitaiclock.cn/load.php?s=70861f0ffb301246f95e3f7cb8293213&spl=pdf_all

20091229044504          115.100.250.114          Failed resolution          macaples.in          hxxp://macaples.in/my_usa/index.php?spl=3&br=MSIE&vers=7.0&s=a514f2595261bcd6ebcb69320172f022

20091229044510          115.100.250.114          Failed resolution          macaples.in          hxxp://macaples.in/my_usa/load.php?spl=ActiveX_pack

20091229044552          115.100.250.104          Failed resolution          nit99.biz          hxxp://nit99.biz/new/viewtopic.php?s=62d4f4343c

20091229044633          115.100.250.121          Failed resolution          rasejo.cn          hxxp://rasejo.cn/thecompany/mk/er32.exe

20091229044738          115.100.250.117          Failed resolution          systemanalizerscom.cn          hxxp://systemanalizerscom.cn/load.php?s=2eafd76b775db4d941022df28348bfd1&spl=pdf_all

20091229212404          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id120/index.php

20091229212411          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id126/index.php

20091229212419          115.100.250.73          Failed resolution          tds-info.net          hxxp://tds-info.net/in.cgi?2

20091229212510          115.100.250.73          Failed resolution          grizzli-counter.com          hxxp://grizzli-counter.com/id126/mdac.php


The /24 lies within a range (115.100.248.0/22) owned by;

ASN: 9803
Desc: JINGXUN Beijing Jingxun Public Information Technology Co., Ltd

/edit 18:52

Sunbelt sandbox results
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12053994&cs=BFFBC294022DB10C44EE633BAC06CAF4

Microsoft Malware Protection Center (results will be here once analysis is finished)
https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=a06eea71-cb87-4af3-aafa-6ba621b248ac

/edit 19:06

The following shows some interesting stats regarding the exploit pack being used here (Fragus/Nulled);

No comments: