Sunday, December 30, 2012

Parenthesis URL Pattern, Likely Associated with Badness

I ran into an interesting URL pattern containing parentheses in a specific arrangement. On deeper inspection, it looks like this pattern may be associated with badness, the details of which I am not certain of, but which I thought worth bringing to the community.


My research on this so far indicates that some of the URLs are associated with known Zeus/SpyEye C2 servers, and that a large number of these patterns are hosted on legitimate sites whose subdirectories containing these patterns are not indexed by Google. It also appears this pattern has been active for some time and may have been identified by other researchers; I am not sure.

Some URLquery reports on these patterns show redirects to a domain that was reported in December, on an Android forum, as associated with drive-by downloads, and which is no longer operational (at least as of today).

The observations at this time are that these are redirects, or contain redirects, to badness, which is why I am bringing it to the community.

The URL pattern in question is:

\(s\(\w{24}\)\)?\/\w{2,}\.aspx
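The regex above, run over proxy log lines, as an added example that is not part of the original post. The log lines, hosts and client addresses are constructed; the pattern is the post's, with two capture groups added and compiled case-insensitively. The case-insensitive match is my choice: ASP.NET's cookieless session state writes the same `(S(<24 characters>))` syntax into URL paths, which is also why the pattern turns up on legitimate ASP.NET sites and why a hit is a pivot point for checking the destination (URLquery, passive DNS) rather than a verdict on its own.

```python
import re
from urllib.parse import urlparse

# The post's pattern, with capture groups for the 24-character token and the
# .aspx page name. IGNORECASE is my choice: the post writes a lowercase "s",
# while ASP.NET emits the same cookieless-session syntax as "(S(...))".
# Note the regex's trailing "\)?" makes only the second closing parenthesis
# optional, so "(S(<24 chars>)/x.aspx" would also match.
URL_PATTERN = re.compile(r"\(s\((\w{24})\)\)?/(\w{2,})\.aspx", re.IGNORECASE)


def matches_pattern(url: str) -> bool:
    """True when the URL contains the (s(<24 word chars>))/<name>.aspx pattern."""
    return URL_PATTERN.search(url) is not None


def extract_hits(log_text: str) -> list:
    """Scan constructed 'timestamp client method url' proxy log lines and
    return one dict per matching request: client, host, token and page."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line; skip it
        _ts, client, _method, url = parts[:4]
        m = URL_PATTERN.search(url)
        if m is None:
            continue
        hits.append({
            "client": client,
            "host": urlparse(url).netloc,
            "token": m.group(1),
            "page": m.group(2) + ".aspx",
        })
    return hits


def hosts_seen(hits: list) -> list:
    """Distinct hosts serving the pattern, sorted, for pivoting into
    URLquery or passive DNS lookups."""
    return sorted({h["host"] for h in hits})


# Constructed sample log (hypothetical hosts and clients, not data from the post).
# Line 1 and line 3 carry a well-formed 24-character token; line 4 has a token
# that is too short and must not match.
SAMPLE_LOG = """\
1356800000.123 10.0.0.5 GET http://www.example.com/(S(abcdefghijklmnopqrstuvwx))/default.aspx
1356800001.456 10.0.0.5 GET http://www.example.com/images/logo.png
1356800002.789 10.0.0.9 GET http://cdn.example.net/(s(0123456789abcdefghijklmn))/go.aspx?id=1
1356800003.012 10.0.0.9 GET http://www.example.org/(S(tooshort))/page.aspx
"""

if __name__ == "__main__":
    found = extract_hits(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("hosts to pivot on:", hosts_seen(found))
```

Each hit's host and token are what you would feed into URLquery or passive DNS; the token itself is opaque and, on a legitimate ASP.NET site, is just a session ID, so the destination and any redirects it serves are what decide whether the hit is badness.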

There is one URLquery report on this type of URL here. On inspection, this report shows a series of GET requests, including one URL which traces back to a report on undroid.us as containing badness (hxxp://zirycatum.com/k985ytv.htm). I also noticed k985ytv.htm more than once.

And I'm not alone in looking at this, going back a while now.

AVG did recognize the content.

Jsunpack

www.undroid.us/wordpress/?cat=19
Dec 8, 2012 - 2. zirycatum.com (ex: hxxp://zirycatum.com/k985ytv.htm) 3. numudozaf.com (ex: hxxp://numudozaf.com/k985ytv.htm) Above all resolve to the same Moldova (south ...

Any feedback or further info, hit me up @fknsec

I have not researched whether any IDS (Snort) signatures match this pattern.

HAPPY NEW YEAR

References:
http://urlquery.net/report.php?id=14666
http://www.undroid.us/wordpress/?cat=19
http://jsunpack.jeek.org/?report=fc505de91ae02e6ed905bb22746975e5d4d70c93
http://forums.cnet.com/7726-6132_102-3375245.html
