MalwareMustDie

A wtf suspicious TDS..

Jan 27th, 2014
# MalwareMustDie - Malvertisement check
# Jan 27th 2014 | @unifreaxjp
# THE FAIL ATTEMPT LOG


// The suspect:

h00p://ftp.southernvac.com/bibliographic/index.html


// Source = spam link from a spambot (template)

pic: http://goo.gl/h1uKmf


// FULL URL access record:

http://ftp.southernvac.com/bibliographic/index.html
http://img.sedoparking.com/js/jquery-1.4.2.min.js
http://www.google.com/adsense/domains/caf.js
http://www.google.com/ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
http://www.google.com/adsense/domains/caf.js
http://img.sedoparking.com/templates/brick_gfx/1/logo_white.png
http://www.google.com/ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
http://www.gstatic.com/domainads/tracking/caf.gif?ts=1390811702612&rid=6678328
http://dp.g.doubleclick.net/static/caf/slave.html#slave-2-1
http://dp.g.doubleclick.net/static/caf/slave.html#slave-1-1
http://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=dp-sedo93&channel=auxa-control-1%2C406102&hl=ja&adtest=off&r=m&kw=southernvac&drid=as-drid-2799107389033096&oe=UTF-8&ie=UTF-8&fexp=21404&format=p5%7Cr10%7Cs&ad=a5&adrep=2&num=0&output=caf&domain_name=southernvac.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&u_his=5&u_tz=540&dt=1390811702634&u_w=1366&u_h=768&biw=769&bih=569&psw=769&psh=378&frm=0&ui=uv3aTsLsRcC-af3st24sd16sv16sa14lt28ld18lv18-st22sa14lt26-&rurl=http%3A%2F%2Fftp.southernvac.com%2Fbibliographic%2Findex.html#master-1
http://ftp.southernvac.com/search/tsc.php?&ses=13908117012ad7f58e8d84f54b21bae1aa45bda581&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgxMTcwMTJhZDdmNThlOGQ4NGY1NGIyMWJhZTFhYTQ1YmRhNTgx&682=&616=&crc=2b27b276b0262d28416c7cba9a4e5104b50a2a92&cv=1
http://www.google.com/adsense/domains/caf.js
http://www.google.com/ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=aD.1%3Aexists&cem=fsnbtGSB2&nc1390811702873
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.b%3Aexists&cem=fsnbtGSB2&nc1390811702875
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aFS%3Aexists&cem=fsnbtGSB2&nc1390811702876
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aDULT%3Aexists&cem=fsnbtGSB2&nc1390811702879
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.fL%3Aexists&cem=fsnbtGSB2&nc1390811702880
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.tM%3Aexists&cem=fsnbtGSB2&nc1390811702882
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.nR%3Aexists&cem=fsnbtGSB2&nc1390811702883
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.eC%3Aexists&cem=fsnbtGSB2&nc1390811702884
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702885
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702886
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702887
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702887
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702888
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702889
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702890
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702891
http://ajax.googleapis.com/ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702893


// List of all GET requests

GET /bibliographic/index.html
GET /adsense/domains/caf.js
GET /js/jquery-1.4.2.min.js
GET /ads/search/module/ads/1.0/e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82/n/domains.js
GET /templates/brick_gfx/1/logo_white.png
GET /static/caf/slave.html
GET /domainads/tracking/caf.gif?ts=1390811702612&rid=6678328
GET /apps/domainpark/domainpark.cgi?client=dp-sedo93&channel=auxa-control-1%2C406102&hl=ja&adtest=off&r=m&kw=southernvac&drid=as-drid-2799107389033096&oe=UTF-8&ie=UTF-8&fexp=21404&format=p5%7Cr10%7Cs&ad=a5&adrep=2&num=0&output=caf&domain_name=southernvac.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&u_his=5&u_tz=540&dt=1390811702634&u_w=1366&u_h=768&biw=769&bih=569&psw=769&psh=378&frm=0&ui=uv3aTsLsRcC-af3st24sd16sv16sa14lt28ld18lv18-st22sa14lt26-&rurl=http%3A%2F%2Fftp.southernvac.com%2Fbibliographic%2Findex.html
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.b%3Aexists&cem=fsnbtGSB2&nc1390811702875
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=aD.1%3Aexists&cem=fsnbtGSB2&nc1390811702873
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aFS%3Aexists&cem=fsnbtGSB2&nc1390811702876
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.aDULT%3Aexists&cem=fsnbtGSB2&nc1390811702879
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.fL%3Aexists&cem=fsnbtGSB2&nc1390811702880
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.tM%3Aexists&cem=fsnbtGSB2&nc1390811702882
GET /search/tsc.php?&ses=13908117012ad7f58e8d84f54b21bae1aa45bda581&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgxMTcwMTJhZDdmNThlOGQ4NGY1NGIyMWJhZTFhYTQ1YmRhNTgx&682=&616=&crc=2b27b276b0262d28416c7cba9a4e5104b50a2a92&cv=1
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.nR%3Aexists&cem=fsnbtGSB2&nc1390811702883
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702885
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=s.eC%3Aexists&cem=fsnbtGSB2&nc1390811702884
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702886
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702887
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702889
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.hA%3Aexists&cem=fsnbtGSB2&nc1390811702890
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-1-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702888
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.h%3Aexists&cem=fsnbtGSB2&nc1390811702891
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=slave-2-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702893
GET /ajax/services/js/error?mn=ads.domains&vh=e40b68804af8fbde9dbb8d9a14d3ccb3ab13cd82&v=1.0&em=master-1.aC%3Aexists&cem=fsnbtGSB2&nc1390811702887


// snapshot

pic: http://goo.gl/muiaPb


// dive..

--2014-01-27 16:22:44-- http://ftp.southernvac.com/bibliographic/index.html
Resolving ftp.southernvac.com... seconds 0.00, 82.98.86.179
Caching ftp.southernvac.com => 82.98.86.179
Connecting to ftp.southernvac.com|82.98.86.179|:80... seconds 0.00, connected.

---request begin---
GET /bibliographic/index.html HTTP/1.0
Host: ftp.southernvac.com
HTTP request sent, awaiting response...

---response begin---
HTTP/1.0 200 OK
Date: Mon, 27 Jan 2014 07:22:45 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7+squeeze17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 27 Jan 2014 07:22:45 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tu=e63e3b9270c5c09378346e8de69b277e; expires=Tue, 31-Dec-2019 23:00:00 GMT; path=/; domain=southernvac.com;httponly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_RPgiFxDqSFIiVdV/hBv9vivShzE309uojuvF5cPC92cJgi8bDuG8txTE+vVGcqOl/L1LcDru/dAut7Mrvq0lnA==
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
X-Cache: MISS from 220143
Connection: close

---response end---
200 OK
Stored cookie southernvac.com -1 (ANY) / <permanent> <insecure> [expiry 2020-01-01 08:00:00] tu e63e3b9270c5c09378346e8de69b277e
Length: unspecified [text/html]
Saving to: `index.html'
2014-01-27 16:22:46 (668 KB/s) - `index.html' saved [23506]

// cookie:

# HTTP cookie file.
.southernvac.com TRUE / FALSE 1577833200 tu e63e3b9270c5c09378346e8de69b277e

// at the end of the page there is a script that is auto-executed to GET:

http://ftp.southernvac.com/search/tsc.php?&ses=1390807365f7d8fabb1efc200587f15a25c1e391cf&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgwNzM2NWY3ZDhmYWJiMWVmYzIwMDU4N2YxNWEyNWMxZTM5MWNm&682=&616=&crc=5d59035def968c12d36c094c262f4f662ac13cb8&cv=1

// checks:

---request begin---
GET /search/tsc.php?&ses=1390807365f7d8fabb1efc200587f15a25c1e391cf&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM=&681=MTM5MDgwNzM2NWY3ZDhmYWJiMWVmYzIwMDU4N2YxNWEyNWMxZTM5MWNm&682=&616=&crc=5d59035def968c12d36c094c262f4f662ac13cb8&cv=1 HTTP/1.0
Host: ftp.southernvac.com
HTTP request sent, awaiting response...

---response begin---
HTTP/1.0 200 OK
Date: Mon, 27 Jan 2014 07:28:14 GMT
Server: Apache
X-Powered-By: PHP/5.3.3-7+squeeze17
Vary: User-Agent,Accept-Encoding
Content-Length: 0
Content-Type: text/html
X-Cache: MISS from 230350
Connection: close

---response end---
200 OK
Length: 0 [text/html] // DOH!
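Added example (not from the paste and not MalwareMustDie's code): the tsc.php beacon above carries numeric-named parameters whose values are base64, so before giving up on the empty response it is worth decoding what the page actually reported back to the TDS. The URL and field names (ses, 200, 21, 681, 682, 616, crc, cv) are copied from the record above; what the TDS does with the decoded values is not on the page and is not claimed here.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Beacon URL copied from the "FULL URL access record" above (the tsc.php hit).
BEACON_URL = (
    "http://ftp.southernvac.com/search/tsc.php?&ses=13908117012ad7f58e8d84f54b21bae1aa45bda581"
    "&200=MTkyMjYzNzcx&21=MTIzLjE5OC45NC4xNDM="
    "&681=MTM5MDgxMTcwMTJhZDdmNThlOGQ4NGY1NGIyMWJhZTFhYTQ1YmRhNTgx"
    "&682=&616=&crc=2b27b276b0262d28416c7cba9a4e5104b50a2a92&cv=1"
)


def _try_b64(value):
    """Strict base64 decode; return the text only if it is printable ASCII, else None."""
    if not value:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error (bad chars / bad padding) is a ValueError
        return None
    if raw.isascii() and raw.decode("ascii").isprintable():
        return raw.decode("ascii")
    return None


def decode_beacon(url):
    """Map each query name to (raw value, base64-decoded text or None)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: (vals[0], _try_b64(vals[0])) for name, vals in qs.items()}


def cross_check(fields):
    """Shape checks an analyst wants on this beacon: does base64 field 681 merely
    echo the ses value, and does field 21 carry an IPv4 address? (Assumption: the
    field roles are inferred from their shape; the page does not document them.)"""
    ses = fields["ses"][0]
    ipv4 = re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", fields["21"][1] or "")
    return {"681_echoes_ses": fields["681"][1] == ses, "21_is_ipv4": ipv4 is not None}


if __name__ == "__main__":
    fields = decode_beacon(BEACON_URL)
    for name, (raw, text) in fields.items():
        print(f"{name:>4} = {raw!r:<50} -> {text!r}")
    print(cross_check(fields))
```

Running it shows that 200 decodes to a plain number, 21 to an IPv4 address (presumably the visiting client's; the page does not say), and 681 to the ses value itself re-encoded in base64, while ses, crc and cv are not base64 at all.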

// PCAP: http://www.mediafire.com/download/yrqy80dj3dj7p8a/001(2).pcap


// Verdict:

A wtf suspicious TDS..


----
#MalwareMustDie!