Saturday, September 15, 2012

Fake AV Strain - New URL Callbacks

I have observed a new fake AV strain in the wild at a site that does not have Layer 7 forensics. They do, however, have full URL logging, which enabled me to trace the events and callouts back to what appears to be a total of 15 separate sites. The common thread among them is that many are registered through Registrar: BIZCN.COM, INC.

The malware in this case was very noisy to the user: it set the hidden attribute on every file on the system and changed Group Policy (GP) settings.

The infection point in the case I investigated was a random ftp1.biz website. The user searched online for a specific weight-lifting technique, was redirected from a legitimate page to the ftp1.biz site, and was hit with an exploit kit of unknown type, which succeeded.

Two points were interesting in this case:
1. Once the user ran ComboFix, Malwarebytes and Windows Update on the workstation, the system appeared to call back out through a series of different octet-stream requests.
2. The URLs follow a pattern that appears to be new (fresh within the last 2 days according to urlquery.net).

Here are the URLs in order, in case anyone else runs into them.

hxxp://108.178.59.39/links/reveals_formed.php

Some information on this URL exists in urlquery. The researched links there have contained only two direct-to-IP requests, to 174.140.166.71 and 46.249.37.122.

http://urlquery.net/report.php?id=177843
http://urlquery.net/report.php?id=177013

hxxp://108.178.59.39/links/reveals_formed.php?udvf=03080407333603030a3302340235073836093508033706363836353505080833&tvaxpmbue=0a09380b0a3508360208&rdm=02&bnvru=dolz&gwxjfli=ewsxs

hxxp://108.178.59.39/links/reveals_formed.php?iwzwf=03080407333603030a3302340235073836093508033706363836353505080833&biwoe=03090708363335340408&qymzixvp=02&amoo=vypv&kcdo=ljyuum

hxxp://108.178.59.39/links/reveals_formed.php?psgm=03080407333603030a3302340235073836093508033706363836353505080833&ygxrse=333d&xfkcr=iqu&rhdays=ewmp

hxxp://108.178.59.39/links/reveals_formed.php?psgm=03080407333603030a3302340235073836093508033706363836353505080833&ygxrse=333d&xfkcr=iqu&rhdays=ewmp

hxxp://108.178.59.39/links/reveals_formed.php?yxuaovb=03080407333603030a3302340235073836093508033706363836353505080833&cgqua=47&jgysdt=030907083633353404080c0c0a09380b0a3508360208&hwalpqs=0302000200020002

hxxp://108.178.59.39/links/reveals_formed.php?psgm=03080407333603030a3302340235073836093508033706363836353505080833&ygxrse=333d&xfkcr=iqu&rhdays=ewmp

The next URL is indicative of known fake AV URLs:

hxxp://175.41.28.157/api/urls/?ts=3e73d632&affid=60830

As seen, for example, here:
http://urlquery.net/report.php?id=177167


hxxp://report.o7o3179a1k931wsk.com/?Y93o31=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%8Al%98%A2%98%95%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0%7F%A6%9C%D3pu%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%92iu%A0Y%A3%D7%D8%AD%9F%A2%A4%5E%9Fj%A0cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%89ic%9Fdf%AB%89

hxxp://report.o7o3179a1k931wsk.com/?Y31716=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%8Af%96j%96%9A%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0%7F%A0%9A%9Bnz%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%92cshW%A8%D7%D8%AD%A0%A2%A4%5E%9Fh%A5cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%89cagbk%AB%89

hxxp://report.o7o3179a1k931wsk.com/?Q31717=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%82f%96j%96%9B%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0w%A0%9A%9Bn%7B%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%8AcshW%A9%D7%D8%AD%A0%A2%A4%5E%9Fh%A6cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%81cagbl%AB%89

hxxp://report.o7o3179a1k931wsk.com/?Q93120=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%82l%98d%97%94%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0w%A6%9C%95ot%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%8AiubX%A2%D7%D8%AD%9F%A2%A4%5E%9Fi%9Fcagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%81icace%AB%89

hxxp://update2.hpl4i1i6elvmn3.com/?i4=kdbTmsPWmJNlndHQZ5mSoZrI0arTnmpnnKfPpqPJlNnJWJHX3uCm2J3Vm9ep3s7hm1TQ2NGy0ceX1sdlj5%2BlzZicYcpuyc%2FbodRjZZyopdehl8anypZS

hxxp://report.o7o3179a1k931wsk.com/?W79343=%96%C6%D3%A5%D4%D6a%D0n%A4%94%95ji%C2i%CF%9C%98e%DD%A3%A2g%9C%A7%CF%88j%9Ef%99%97%98%DC%E6%AC%E9%EA%86%BF%5D%E4%9C%95tn%99f%9E_%9F%9F%DE%B0%D0%9C%90%C4%C0%7D%A4%A2%97qw%A3%A7%A7%A4%A5%A5%60%B5m%A8hh%7C%7B%93d%A3~dd%B9%A7%AFa%A5%A0%9F%90g%7BdZ%A5%D7%D8%AD%9F%A2%A4%5E%9Fk%A2cagi%92a%9Bica%A7%A3%9BT%D9%AC%9D%87giceh%AB%89

hxxp://update.9ik8rgxkc3zlg0.com/?xi=kdbTmsPWmI9wnsycpZfZo8eW36DNYGWcqKXXoZfGp8qSX8zapubZ59fPmOyp2pmV0ZXR1uTFntuoiH3duIPA2bG8oFnn1cttj8alz9ejxZipxpJsmcxw1srdn8ljsaWgaJCUotKo1ciF

hxxp://billingshoper.com/p/?&lid=3060001&affid=60830&nid=F4C9B6B4&group=liv

At this point, the user ran ComboFix, Malwarebytes and AVG. Then, after 5 hours, the following requests occurred. I am unsure whether they are related to the infection, but CentralOps reports the registered owner of the domain as:

person:         Dariusz Mach
address:        SuperHost.pl sp. z o.o.
address:        ul. Slaska 9/1
address:        81-319 Gdynia
address:        POLAND
phone:          +48587396369
fax-no:         +48587396368

hxxp://tiptoppoprock2.com/bv?type=js

hxxp://tiptoppoprock2.com/ga.js?W1u9=%98%D6%D9%D8%AC%A5%A0%B3%A7%B7%A0%A5%AFsf%96%A0%A3%8Bf%A8q%AA%9F%B3%B5%A4%B6%B1%A2%A2%A3%B1%A6%B0v_%89%E4%D6%BBn%A5_%EA%CE%E2%E7%D8%DF%DE%AC%A2%A4%A1%87

1 minute later

hxxp://tiptoppoprock2.com/gs.js?1&code=5053a968f1483&title=&keywords=&keywords_text=hollow%2Cnews%2Cny%2Cseptember%2Ccredit%2Cevents&ref=http%3A%2F%2Ftarrytown.patch.com%2F&u=7&pref=&utmcc=__utma%3D195079987.693177053.1333033673.1347020645.1347544109.23%2B__utmz%3D195079987.1344265429.12.4.utmcsr%3Dgoogle%7Cutmccn%3D(organic)%7Cutmcmd%3Dorganic%7Cutmctr%3Dsuffolk%20county%20pd%20contract&bd=

After nearly an hour, the system ran Windows Update, which was immediately followed by the GET requests below (reverse chronological order here, oldest last). The /support/u and /support/ur responses were served as MIME type octet-stream.

hxxp://exasmicine.com/support/u
hxxp://icturesofam.com/support/ur
hxxp://icturesofam.com/support/u
hxxp://icturesofam.com/support/u
hxxp://icturesofam.com/support/u
hxxp://exasmicine.com/support/u
hxxp://menecalenesyny.com/support/u
hxxp://uperctvalm.com/support/u
hxxp://opateomin.com/u.php?0Q9oBPXEN0uECUgzEJ95RQsajz7vq1aG3F/2q5oNvBGAyHya0iCsG5//bBw9iKz11e/law==
hxxp://yjbgcalof.com/support/u
hxxp://dicasenowenuc.com/?ylOdR9GQqXquMlTvsmXlkaz1x3Ea+w==
hxxp://dicasenowenuc.com/updates/msupdate.dat
hxxp://sutonsbaym.com/updates/msupdate.dat
hxxp://cguielinesfo.com/updates/msupdate.dat
hxxp://cguielinesfo.com/updates/msupdate.dat
hxxp://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab?1209142251

exasmicine.com - Registrar is Bizcn.com
menecalenesyny.com - Registrar is Bizcn.com
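Since the hostnames rotated while the paths stayed fixed (/support/u, /support/ur, /updates/msupdate.dat, reveals_formed.php, the affid= callbacks), the paths are the more durable thing to hunt on in a URL log. Here is an added example, my own code rather than anything from the post or the malware, that keys on those path shapes and flags the tell seen after Windows Update: several distinct fresh domains requesting the same path within a few minutes. The log format, the client IPs, the timestamps and the two benign example.com lines are constructed assumptions; the indicator hosts and paths are the ones listed above.

```python
"""Hunt for the rotating-domain callback pattern in plain URL logs.

Added example (not code from the original post). It assumes a proxy or
URL log with one request per line, in this constructed format:

    <ISO-8601 timestamp> <client ip> <method> <url> <response content-type>

The indicator shapes come from the URLs listed in the post; the sample
log below is constructed to mirror the post-Windows-Update burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# The callback hostnames rotated, so key on path shape plus the query
# keys the post shows, not on domains: (path regex, required query keys).
INDICATORS = {
    "support-octet-stream": (re.compile(r"^/support/ur?$"), ()),
    "msupdate-dat": (re.compile(r"^/updates/msupdate\.dat$"), ()),
    "reveals-formed": (re.compile(r"^/links/reveals_formed\.php$"), ()),
    "affid-api": (re.compile(r"^/api/urls/?$"), ("ts", "affid")),
    "affid-billing": (re.compile(r"^/p/?$"), ("lid", "affid")),
}

# Constructed sample log: hosts are those from the post; timestamps, client
# IPs and the two benign example.com lines are invented for illustration.
SAMPLE_LOG = """\
2012-09-14T22:51:10 10.0.0.25 GET http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab?1209142251 application/octet-stream
2012-09-14T22:51:42 10.0.0.25 GET http://cguielinesfo.com/updates/msupdate.dat application/octet-stream
2012-09-14T22:52:05 10.0.0.25 GET http://sutonsbaym.com/updates/msupdate.dat application/octet-stream
2012-09-14T22:52:31 10.0.0.25 GET http://yjbgcalof.com/support/u application/octet-stream
2012-09-14T22:53:02 10.0.0.25 GET http://uperctvalm.com/support/u application/octet-stream
2012-09-14T22:53:40 10.0.0.25 GET http://menecalenesyny.com/support/u application/octet-stream
2012-09-14T22:54:11 10.0.0.25 GET http://icturesofam.com/support/ur application/octet-stream
2012-09-14T22:55:00 10.0.0.25 GET http://175.41.28.157/api/urls/?ts=3e73d632&affid=60830 text/html
2012-09-14T22:55:30 10.0.0.25 GET http://billingshoper.com/p/?&lid=3060001&affid=60830&nid=F4C9B6B4&group=liv text/html
2012-09-14T22:56:00 10.0.0.25 GET http://www.example.com/support/faq.html text/html
2012-09-14T22:56:10 10.0.0.26 GET http://www.example.com/p/?page=2 text/html
"""


def parse_line(line):
    """Split one log line; accepts defanged hxxp:// URLs pasted from reports."""
    ts, client, method, url, ctype = line.split(maxsplit=4)
    url = re.sub(r"^hxxp", "http", url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "ctype": ctype,
            "host": urlsplit(url).hostname}


def classify(url):
    """Return the indicator name the URL matches, or None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)  # tolerates the leading '&' in /p/?&lid=...
    for name, (path_re, required) in INDICATORS.items():
        if path_re.match(parts.path) and all(k in qs for k in required):
            return name
    return None


def defang(url):
    """hxxp:// scheme and bracketed dots so the report cannot be clicked."""
    host = urlsplit(url).netloc
    return re.sub(r"^http", "hxxp", url).replace(host, host.replace(".", "[.]"), 1)


def find_hits(log_text):
    """All log records whose URL matches an indicator, with the name attached."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        name = classify(rec["url"])
        if name:
            rec["indicator"] = name
            hits.append(rec)
    return hits


def rotating_bursts(hits, window=timedelta(minutes=10), min_hosts=3):
    """Indicators for which >= min_hosts distinct hosts served the same path
    inside `window`: one fixed path across many fresh domains is the tell."""
    by_indicator = defaultdict(list)
    for h in hits:
        by_indicator[h["indicator"]].append(h)
    bursts = {}
    for name, recs in by_indicator.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over sorted hits
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) >= min_hosts:
                bursts.setdefault(name, set()).update(hosts)
    return {name: sorted(hosts) for name, hosts in bursts.items()}


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']:%H:%M:%S} {h['client']} {h['indicator']:<22} "
              f"{h['ctype']:<26} {defang(h['url'])}")
    for name, hosts in rotating_bursts(hits).items():
        print(f"burst: {name} across {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against the constructed log, it reports eight indicator hits (the two example.com lines fall out: one because /support/faq.html is not /support/u or /support/ur, the other because /p/ without lid= and affid= is just a path) and one burst, the four /support/u and /support/ur hosts inside two minutes. Against a real proxy log you would adjust parse_line to your field order and widen the window to however long the post-cleanup callbacks took on your network.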
