Author Topic: strange threatexpert result.  (Read 5254 times)


July 04, 2011, 02:13:17 pm

cleanmx

http://www.threatexpert.com/report.aspx?md5=df56fc3a9c1792851c689cec0f984c06


have a look at the bottom...

The following HTTP URLs were started reading:
http://www.'+cj_dom[cj[get_random(max_cj)]]+'/st/stt.php!][!REF:http://newbot_'+bot_ver+'.com/!]'
http://www.'+cj_dom[cj[rcj]]+'/st/stt.php!][!REF:http://newbot_'+bot_ver+'.com/!]'
http://'+cj_dom[cj[rcj]]+'/st/stt.php!][!REF:http://newbot_'+bot_ver+'.com/!]'

-- gerhard

July 05, 2011, 10:49:43 pm
Reply #1

MysteryFCM

I'll try and get hold of the sample, but it looks like ThreatExpert hasn't interpreted the packet properly.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 05, 2011, 10:52:25 pm
Reply #2

MysteryFCM

Here we go — took a look at the source for rxcounteronline.in, and it gives away what's happening:

<html>
<body></body>
<script src=func.js></script>
<script>
// Traffic-trade ("cj") redirect script captured from the page; annotated for analysis,
// original statements left byte-for-byte. GetCookie, get_random, max_cj, cj, cj_dom and
// cj_koef are globals from func.js (listed further down this thread).
var cur_url=document.URL;
var bot_ver=0;
// Pull the value of an "aid=" query parameter; it is echoed into the REF marker below.
var aid_pos=cur_url.indexOf("aid=")+4;
if (aid_pos>4)
{
var and_pos=cur_url.indexOf("&",aid_pos);
// '=' here is an assignment, so the test is always true: and_pos is always cur_url.length+1
// and bot_ver takes everything after "aid=" to the end of the URL, including any later parameters.
if (and_pos=-1) and_pos=cur_url.length+1;
bot_ver=cur_url.substring(aid_pos,and_pos-1);
}
// Cookie lifetime: 12 hours from now.
var date = new Date();
date.setTime(date.getTime()+(12*60*60*1000));
var expires = "; expires="+date.toGMTString();
// visited_traders1 is a per-visitor serve counter; bcook and bc are implicit globals.
bcook=GetCookie('visited_traders1');
if (bcook>0) bc = parseInt(bcook); else bc=0;
// Writes the raw counter into the page (looks like leftover debugging output).
document.write(bc)
// First visit: start the counter at 1. bc itself stays 0, so the redirect block below is
// skipped on that visit and the page ends as an empty "[!GET:]" marker.
if (bc<1){document.cookie='visited_traders1=1'+expires+'; path=/'}
var rcj=0;
var sGetStr='[!GET:]';
// The language gate (lang_ok, computed in func.js) is commented out, so it has no effect here.
//if ((lang_ok==1)&&(max_cj>0)&&(bc>0)&&(bc<2000))
if ((max_cj>0)&&(bc>0)&&(bc<2000))
{
// Visits 1..max_cj-1 walk the cj table in order; from then on a random slot is used.
// get_random(max_cj) can return max_cj itself, and with the func.js tables shown in this
// thread cj[max_cj] is never filled, so that pick yields an undefined hostname.
if (bc<max_cj)
rcj=bc;
else
rcj=get_random(max_cj);
document.cookie = 'visited_traders1='+(bc+1)+expires+'; path=/'
// One serve in five goes to a random partner regardless of the walk position.
if ((Math.floor(Math.random()*100))<20)
{
//[!GET:http://homemadeflash.com/cgi-bin/at3/out.cgi?id=369&l=toplist2&910&trade=http://www.yummyvids.com/tube.shtml!] [!REF:http://homemadeflash.com/!]
/*
echo ("[!GET:http://tubedvids.com/st/stt.php!]\r\n");
    echo ("[!REF:http://newbot_$ver.com/!]\r\n");
*/

sGetStr='[!GET:http://www.'+cj_dom[cj[get_random(max_cj)]]+'/st/stt.php!][!REF:http://newbot_'+bot_ver+'.com/!]'
}
else
{
// cj_koef is indexed by the visit count bc, not by the partner id cj[rcj]; where that slot
// is unset the comparison is against undefined (always false) and the no-"www." form is used.
if ((Math.floor(Math.random()*100))<cj_koef[bc])
sGetStr='[!GET:http://www.'+cj_dom[cj[rcj]]+'/st/stt.php!][!REF:http://newbot_'+bot_ver+'.com/!]'
else
sGetStr='[!GET:http://'+cj_dom[cj[rcj]]+'/st/stt.php!][!REF:http://newbot_'+bot_ver+'.com/!]'
}


}
// The GET/REF marker string is the page's entire output. Note that bot_ver comes straight
// from document.URL and is written via innerHTML unescaped. The markers are presumably parsed
// by whatever fetched this page (they match the URL list in the ThreatExpert report) — not shown here.
document.body.innerHTML=sGetStr
</script>
</html>

func.js contains:

// Returns a random integer in [1, maxz] (maxz inclusive, since the floor is offset by one).
function get_random(maxz)
{
    var scaled = Math.random() * maxz;
    var offsetFromZero = Math.floor(scaled);
    return offsetFromZero + 1;
}

// Classic cookie lookup: scans document.cookie for "name=" at the start of the string or
// directly after a space, and returns the unescaped value up to the next ";" (or the end).
// Returns null when no such cookie exists. Entries separated by ";" without a following
// space are not visited, because the scan only advances to positions after a space.
function GetCookie (name) {
     var prefix = name + "=";
     var jar = document.cookie;
     var start = 0;
     do {
        var valueStart = start + prefix.length;
        if (jar.substring(start, valueStart) == prefix) {
             var valueEnd = jar.indexOf(";", valueStart);
             if (valueEnd == -1) {
                  valueEnd = jar.length;
             }
             return unescape(jar.substring(valueStart, valueEnd));
        }
        // Jump to the character after the next space; indexOf returning -1 makes start 0 and stops the scan.
        start = jar.indexOf(" ", start) + 1;
     } while (start != 0 && start < jar.length);
     return null;
}

// Partner tables for the trade script above (captured as-is; indices and values unchanged).
//   cj[k]       : for visit number k, the id of the partner to send the visitor to
//   cj_dom[id]  : partner hostname
//   cj_koef[id] : per-partner number the inline script compares against a 0..99 random value
// NOTE(review): the inline script reads cj_koef[bc] (the visit count), not cj_koef[cj[rcj]],
// so for visit counts outside the populated id range the lookup is undefined.
var cj=new Array(2000)

var max_cj=0
var cj_dom=new Array(2000)
var cj_koef=new Array(2000)

// Only ids 123..139 (without 125 and 126) are populated; every cj slot below points at one of them.
cj_dom[123]="paradisecuties.com";
cj_koef[123]=20;
cj_dom[124]="eighteenmovs.com";
cj_koef[124]=20;
cj_dom[127]="moviesgals.com";
cj_koef[127]=20;
cj_dom[128]="homemadeflash.com";
cj_koef[128]=20;
cj_dom[129]="magicteenies.com";
cj_koef[129]=20;
cj_dom[130]="tubemama.com";
cj_koef[130]=20;
cj_dom[131]="teenageteenies.com";
cj_koef[131]=20;
cj_dom[132]="tubedmovies.com";
cj_koef[132]=20;
cj_dom[133]="plainmovies.com";
cj_koef[133]=20;
cj_dom[134]="eighteenpix.com";
cj_koef[134]=20;
cj_dom[135]="sortedmovies.com";
cj_koef[135]=20;
cj_dom[136]="tubedvids.com";
cj_koef[136]=20;
cj_dom[137]="tubewifes.com";
cj_koef[137]=20;
cj_dom[138]="homemadestream.com";
cj_koef[138]=20;
cj_dom[139]="tubecunts.com";
cj_koef[139]=20;
// Visit order 1..52; several ids repeat, so some partners receive a larger share of the walk.
cj[1]=139;
cj[2]=136;
cj[3]=128;
cj[4]=130;
cj[5]=139;
cj[6]=134;
cj[7]=128;
cj[8]=134;
cj[9]=139;
cj[10]=134;
cj[11]=139;
cj[12]=124;
cj[13]=139;
cj[14]=124;
cj[15]=139;
cj[16]=139;
cj[17]=139;
cj[18]=135;
cj[19]=134;
cj[20]=139;
cj[21]=133;
cj[22]=130;
cj[23]=131;
cj[24]=134;
cj[25]=130;
cj[26]=139;
cj[27]=139;
cj[28]=139;
cj[29]=139;
cj[30]=124;
cj[31]=124;
cj[32]=138;
cj[33]=124;
cj[34]=130;
cj[35]=139;
cj[36]=124;
cj[37]=134;
cj[38]=129;
cj[39]=138;
cj[40]=138;
cj[41]=138;
cj[42]=138;
cj[43]=139;
cj[44]=130;
cj[45]=124;
cj[46]=139;
cj[47]=124;
cj[48]=132;
cj[49]=135;
cj[50]=135;
cj[51]=133;
cj[52]=132;
// One past the last filled slot: cj[53] is unset, yet get_random(max_cj) can return 53.
max_cj=53;



// Language/region filter. navigator.systemLanguage and navigator.userLanguage are the
// IE-specific properties; where a browser leaves them undefined, the indexOf calls below throw.
var lang1=navigator.systemLanguage
var lang2=navigator.userLanguage

var lang_ok=0;

// lang_ok becomes 1 unless either language string contains one of these two-letter fragments.
// This is a plain substring test, not a country-code compare, so e.g. "in" also matches any
// tag that happens to contain "in". The inline script's use of lang_ok is commented out,
// so on the page shown in this thread the value is computed but never acted on.
if ((lang1.indexOf("cn")<0)&&
(lang1.indexOf("tr")<0)&&
(lang1.indexOf("br")<0)&&
(lang1.indexOf("mx")<0)&&
(lang1.indexOf("in")<0)&&
(lang1.indexOf("pl")<0)&&
(lang1.indexOf("pk")<0)&&
(lang1.indexOf("ro")<0)&&
(lang1.indexOf("eg")<0)&&
(lang2.indexOf("cn")<0)&&
(lang2.indexOf("tr")<0)&&
(lang2.indexOf("br")<0)&&
(lang2.indexOf("mx")<0)&&
(lang2.indexOf("in")<0)&&
(lang2.indexOf("pl")<0)&&
(lang2.indexOf("pk")<0)&&
(lang2.indexOf("ro")<0)&&
(lang2.indexOf("eg")<0))
lang_ok=1;


Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 05, 2011, 10:59:48 pm
Reply #3

MysteryFCM

When the query is sent, btw, stt.php returns a result such as:

[!GET:http://tubedvids.com/cgi-bin/at3/out.cgi?id=162&l=toplist2&518&trade=http://freepornxxxtube.com/!]
[!REF:http://tubedvids.com/!]

<script type="text/javascript">
<!--
// Captured stt.php reply: stores the "newbot" id from the REF marker in an 'atref' cookie.
// Whatever later reads that cookie back is not shown in this thread.
document.cookie='atref=newbot_1034.com$#; path=/;'
// -->
</script>

Curiously, I'm not seeing any fake codec or other malicious download — most unusual; it's just a run-around of various porn sites.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 05, 2011, 11:13:34 pm
Reply #4

MysteryFCM

Just spoken to DirectI and the .in has now been nuked :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net