In mid-July I discovered an obfuscated script on a compromised site.
After deobfuscation I realized that it is a domain generation algorithm which uses the Twitter API.
http://wepawet.iseclab.org/view.php?hash=3630a98dcfdebab8d2dd1eee84cce358&type=js
http://pastebin.com/p7DAvPAj
It looks very similar to the known domain generation algorithm for Sinowal/Mebroot/Torpig.
The script generates a URL. The target of this URL is a Blackhole exploit kit; the payload is Sinowal.
So what I have found is a new domain generation algorithm for infection domains of Sinowal.
The most important fact is the move from NeoSploit to Blackhole. NeoSploit exploit pack was always
used in the past to infect machines with Sinowal.
Now we know the new algorithm and are able to precalculate next infection domains.
I have converted the JavaScript to PHP and have now decided to publish my script.
I have been using the script for daily precalculation of new infection domains since July.
The script expects the parameters hour, month, day and year.
sinowal.php?hour=21&month=9&day=3&year=2011
New domains always become active at 9:00 and 21:00 UTC, so two queries, for hour=9 and hour=21, are enough.
<?php
/**
 * DateTime subclass that re-implements setTimestamp()/getTimestamp().
 *
 * setTimestamp() splits the timestamp into calendar fields using the
 * default timezone and applies them with setDate()/setTime();
 * getTimestamp() returns the 'U' format, i.e. a numeric string rather
 * than an int. In this file an instance is filled once at script start
 * and not read afterwards.
 */
class MyDateTime extends DateTime
{
    /**
     * Set this object to the given Unix timestamp, interpreted in the
     * default timezone. Returns nothing (the parent returns the object).
     *
     * @param int|string $timestamp Unix timestamp; cast to int.
     */
    public function setTimestamp( $timestamp )
    {
        // 'Y n j G i s' yields the same fields getdate() exposes as
        // year/mon/mday/hours/minutes/seconds, in the default timezone.
        $fields = explode(' ', date('Y n j G i s', (int) $timestamp));
        $this->setDate((int) $fields[0], (int) $fields[1], (int) $fields[2]);
        $this->setTime((int) $fields[3], (int) $fields[4], (int) $fields[5]);
    }

    /**
     * Unix timestamp of this object as a numeric string ('U' format).
     *
     * @return string
     */
    public function getTimestamp()
    {
        $unix = $this->format( 'U' );
        return $unix;
    }
}
// Entry point: runs only when all four query parameters are present.
// Each value is reduced to an int by intval(), so nothing from $_GET
// reaches the outgoing HTTP request or the echoed output unfiltered.
if ( isset($_GET['hour']) AND isset($_GET['month']) AND isset($_GET['day']) AND isset($_GET['year']) ) {
$hour = intval($_GET['hour']);
$month = intval($_GET['month']);
$day = intval($_GET['day']);
$year = intval($_GET['year']);
// $d is populated from the timestamp but is not read anywhere below;
// all later date arithmetic goes through $UTCDate.
$d = new MyDateTime();
// gmmktime() interprets hour/month/day/year as UTC.
$timestamp = gmmktime($hour, 0, 0, $month, $day, $year);
$d->setTimestamp($timestamp);
// Two-digit UTC hour as a string ("09", "21", ...); the comparisons
// below ($kx_k>8 etc.) are numeric-string comparisons.
$kx_k = gmdate("H",$timestamp);
// Lookup date for the trends feed: two days back for hours 09-23,
// three days back for hours 00-08. The object is built in the default
// timezone, but only its Y-m-d / Y / m / d parts are used afterwards.
$UTCDate = new DateTime(gmdate("Y-m-d H:i:s",$timestamp));
if($kx_k>8)
{
$UTCDate->modify ('-2 day');
}
else
{
$UTCDate->modify ('-3 day');
};
// Fetch that day's trend list from Twitter's v1 daily-trends endpoint.
// NOTE(review): the request is plain http:// and the body is used without
// any validation, so whatever the network returns steers the result.
// NOTE(review): a curl_exec() failure is not handled: $result would be
// false, json_decode() would give null, and the foreach below would warn
// and skip, leaving $kx_a at 0. The v1 endpoint has presumably been
// retired since this was written - confirm before relying on the fetch.
$init = 'http://api.twitter.com/1/trends/daily.json?date='.$UTCDate->format('Y-m-d');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$init);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result = curl_exec($ch);
curl_close($ch);
$kx_f = json_decode($result, true);
// $kx_a: seed derived from one trend's query string; 0 means "not found".
// $kx_rz: modulus (25) used by several of the letter picks below.
$kx_a=0;
$offset2 = 25;
$kx_rz= $offset2;
// 'trends' is a map keyed by a timestamp-like string ($i). In the 09-20
// UTC window the bucket whose key contains ' 07' is used; outside it
// (00-08, 21-23) the bucket containing ' 18'. The seed is the byte value
// of the second character of the fifth entry's query plus that query's
// byte length, with +10 added in the second case. First match wins.
foreach ($kx_f['trends'] as $i => $n1) {
if($kx_k>8 && $kx_k<21 &&strpos($i,' 07')!== false)
{
$kx_a=ord(substr($n1[4]['query'],1,1))+strlen($n1[4]['query']);
break;
}
else if(($kx_k<9||$kx_k>20)&&strpos($i,' 18')!== false)
{
$kx_a=ord(substr($n1[4]['query'],1,1))+10+strlen($n1[4]['query']);
break;
}
}
// Fallback when neither bucket matched. NOTE(review): the index is the
// bare constant i, not $i. Before PHP 8 that is a notice/warning and the
// string 'i' is used as the key; no such entry exists, so the seed
// presumably ends up 0+7+0 = 7. On PHP 8 an undefined constant throws.
// This looks like a slip for $i (the last key visited by the loop) from
// the JavaScript conversion - confirm against the original script.
if($kx_a==0)
{
$kx_a=ord(substr($kx_f['trends'][i][6]['query'],1,1))+7+strlen($kx_f['trends'][i][6]['query']);
}
if($kx_a>0)
{
// Year, month and day of the lookup date feed the mixing function.
$kx_g=intval($UTCDate->format('Y'));
$kx_J=intval($UTCDate->format('m'));
$kx_v=intval($UTCDate->format('d'));
// $kx_y: month-indexed suffix ($kx_J-1). $kx_o: letter table for every
// pick (note 'j' precedes 'i' - part of the algorithm, keep as-is).
// $kx_L is never read.
$kx_y=array('dbs','ytn','vmt','vmr','mlc','oxk','fds','bvf','yus','mcp','ncz','gdw');
$kx_o=array('a','b','c','d','e','f','g','h','j','i','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
$kx_L=array(3,2,1,4,5,6,7,8,9);
/**
 * Mixing function: combines day ($kx_S), month ($kx_e), year ($kx_N) and
 * the trend-derived seed ($kx_d) into one integer; month and day are
 * combined with a bitwise XOR.
 *
 * Declared inside this branch, so it exists only once the branch has run
 * (a second pass through this block in one process would redeclare it).
 *
 * @param int $kx_S day of month
 * @param int $kx_e month
 * @param int $kx_N year
 * @param int $kx_d seed from the trends feed
 * @return int
 */
function kx_rt($kx_S,$kx_e,$kx_N,$kx_d)
{
return((($kx_N+($kx_d*$kx_S))+($kx_e ^ $kx_S)*$kx_d)+$kx_S);
}
// Mixed value plus a fixed offset of 100.
$offset = 100;
$kx_rr= $offset;
$kx_u=kx_rt($kx_v,$kx_J,$kx_g,$kx_a)+$kx_rr;
// Letter picks: $kx_r and $kx_z from masked year bits plus $kx_u,
// $kx_q from the month and $kx_u.
$kx_r=$kx_o[((($kx_g&0xAA)+$kx_u)%63)%26].$kx_o[((($kx_g&0xAA)<<2)+$kx_u)%$kx_rz];
$kx_z=$kx_o[(((($kx_g&0x3311)>>3)+$kx_u)%10)].$kx_o[(((($kx_g&0x3311)>>4)+$kx_u)%10)];
$kx_q=$kx_o[(($kx_J+$kx_u)%$kx_rz)].$kx_o[(($kx_J*$kx_u)%$kx_rz)];
// $kx_b is assigned here and overwritten on the very next line, so
// $kx_b and $kx_R always hold the same letter.
$kx_b=$kx_o[(($kx_v*6)%27)];
$kx_R=$kx_b=$kx_o[(($kx_v*$kx_u)%24)];
// Output: one precalculated domain (parts in the order b, z, q, r, R,
// month suffix) with the fixed tp= value seen in the observed kit URL.
echo 'http://'.$kx_b.$kx_z.$kx_q.$kx_r.$kx_R.$kx_y[$kx_J-1].'.com/index.php?tp=001e4bb7b4d7333d'."<br>";
}
}
?>
BTW: You can find a lot of compromised sites by searching Google for join(t.pop()));eval(d)