Tuesday, October 30, 2007

Possibility Media's Malware Fiasco

After both TrendMicro and Sophos acknowledged the attack on Possibility Media's portfolio of online publications, added detection, further clustered the attack, as well as came up with a fancy graph to visualize the IFRAME-ing attack, the attackers changed the IFRAME code and directed it to another location, and perhaps it's more interesting to see them express their feelings about getting exposed in such a coordinated manner. The second IFRAME URL from the previous post now greets with "ai siktir vee?" message. What does "ai siktir vee" means? It means "get lost". The new IFRAME URLs as of yesterday are exploiting MDAC ActiveX code execution (CVE-2006-0003), and here are more details :

(58.65.239.28) ilovemyloves.com/films/in.cgi?11
ilovemyloves.com/traff.php
ilovemyloves.com/fuck.php
ilovemyloves.com/lol.php
ilovemyloves.com/nuc/index.php
ilovemyloves.com/games/index.php
ilovemyloves.com/ra/load.php

Is there by any chance the possibility that the Russian Business Network's IPs might be somehow involved? Don't be naive - of course there are RBN IPs involved and talking about them, deobfuscating scripts or analyzing the binaries related to RBN is becoming a rather boring task given nothing's changing. Remember all those parked domains on the second IFRAME IP from the previous post? According to this writeup by Symantec's Kaoru Hayashi, some of the hosts - fiderfox.info:8081; gipperlox.info:8081; gipperlox.info:8081 - are acting as communication platforms with a trojan downloaded from an RBN IP - 81.95.144.146 in order for the trojan to receive spam sending configurations. Now, where do we know 81.95.144.146 from? From the Bank of India hack as it was among the several IPs used in the IFRAME attack.

Getting back to the latest developments behind the dynamic tactical warfare applied by the attackers at 208.72.168.176, they seem to have introduced a new obfuscation at : 208.72.168.176/e-Mikhalich2210/index.php which you can see in the screenshot attached. Once we get to feel the binary we can conclude it's a spam bot known under different names such as Dropped:Trojan.Proxy.Pixoliz.I; Trojan-Proxy.Pixoliz and W32/Pixoliz.

Detection rate : Result: 11/32 (34.38%)
File size: 123924 bytes
MD5: 15027f9e4dc93e95e70f7086f2bf22de
SHA1: 494a675df55167cf4ed5a2c0320cdaa90dbbc10e

New domains under different IPs are also connected with the previous and the current IFRAMEs as they all tell me to "ai siktir", for instance :

privatechecking.cn/stool/index.php
musicbox1.cn/iframe.php
xanjan.info/ad/index.php

There's even a Storm Worm connection. For instance, musicbox1.cn/iframe.php refreshes textdesk.com which is heavily polluted with known storm worm domains such as : eliteproject.cn/ts/in.cgi/alex; 88.255.90.74/su/in.cgi?3; 81.95.144.150/in.cgi?11; takenames.cn/in.php; bl0cker.info/in.php; space-sms.info etc.

Dots, dots, dots and data speaks for itself.

No comments:

Post a Comment