… and now have their pages full of malware-infecting and object-dumping <iframe>s.
Tracking the iframes, I found a series of different servers hosting the malware and exploits. The flow is as follows:
- hxxp://boc.sbb22.com/home/index.htm (This is the inserted Iframe)
- hxxp://boc.sbb22.com/
- hxxp://aa.llsging.com/ww/new82.htm
- hxxp://aa.llsging.com/a2/haha.htm
- hxxp://aa.llsging.com/a2/pps.htm
- hxxp://js.users.51.la/1299644.js
- hxxp://vip2.51.la/go.asp
- hxxp://ww4.tongji123.com/g1.aspx?id=42916235
- hxxp://ww4.tongji123.com/s.aspx
- hxxp://aa.llsging.com/ww/new82.htm
- hxxp://nn.mm5208.com/nn.htm
  - Not reachable at the time
- hxxp://xx.9365.org/
- hxxp://5.xqhgm.com/sha1.htm
- hxxp://5.xqhgm.com/new/1.gif (ANI exploit, loads on page)
  - Downloads and runs hxxp://1.xqhgm.com/x.exe
- hxxp://5.xqhgm.com/new/1.htm (other exploit, not investigated)
  - References hxxp://1.xqhgm.com/x.exe
- hxxp://5.xqhgm.com/new/2.htm
  - Not reachable at the time
- hxxp://5.xqhgm.com/new/3.htm
  - Returns empty page
- hxxp://5.xqhgm.com/new/4.htm
  - Tries to load hxxp://3.xqhgm.com/zs.exe as an object
- hxxp://s30.cnzz.com/stat.php?id=658703&web_id=658703
  - Seems to be a statistics engine
- hxxp://js.users.51.la/1402795.js
  - Not reachable at the time
- hxxp://5.xqhgm.com/new/1.gif (ANI exploit, loads on page)
- hxxp://5.xqhgm.com/sha1.htm
- hxxp://a.2008yi.com/hu.htm
  - Not reachable at the time
- hxxp://acc.jqxx.org/ac.htm
- hxxp://dfs.jfkdlirjnfirpocr.com/web/6619038.htm
  - Not reachable at the time
- hxxp://dfs.jfkdlirjnfirpocr.com/web/6619038.htm
- hxxp://boc.sbb22.com/
The primary payload of these iframed pages seems to be "x.exe" and "zs.exe". When dumping the strings from these executables (no obfuscation is used), it becomes apparent that both are droppers for a whole bunch of malware files (possibly the same files, just recompiled/packed/encrypted for AV evasion). The downloads referenced in the files were:
- hxxp://1.xqhgm.com/1.exe
- hxxp://1.xqhgm.com/2.exe
- hxxp://1.xqhgm.com/3.exe
- hxxp://1.xqhgm.com/4.exe
- and so on up to…
- hxxp://1.xqhgm.com/24.exe
Files "1" and "16" returned a 404 Not Found.
"23.exe" seems to be the same malware that I found some time back (see this post). As said in that post, the main infector does not want to run in my sandbox. Because of that I have not yet been able to get the pcihdd.sys rootkit component, as I do not have a computer to "waste time restoring" atm. If someone would like to infect themselves, contact me for a sample.
Another thing linking this infection to the other one I found is the use of the same stats engine, hxxp://s30.cnzz.com/.
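As an added example (not from the original post), here is a small Python triage script that reproduces the strings-dump step above: it pulls ASCII and UTF-16LE strings out of a binary blob, extracts the embedded download URLs, groups them by host and defangs them for a report. The sample bytes and the example.invalid hostnames are constructed stand-ins for a dropper's data section, not values from a real sample.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for a dropper's .data section: a few ASCII URLs,
# one UTF-16LE URL (how a Win32 "W" API would store it) and binary noise.
SAMPLE = (
    b"\x00\x01MZ\x90\x00junk"
    b"http://dl.example.invalid/1.exe\x00"
    b"\x7f\x7fhttp://dl.example.invalid/2.exe\x00"
    b"http://dl.example.invalid/24.exe\x00"
    + "http://dl.example.invalid/x.exe".encode("utf-16-le") + b"\x00\x00"
    + b"http://stats.example.invalid/stat.php?id=1\x00"
)

# Printable runs of at least 6 chars, narrow and wide (like `strings` and `strings -e l`).
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"https?://[^\s\"'<>\x00]+", re.IGNORECASE)


def extract_strings(blob):
    """Yield printable ASCII and UTF-16LE strings found in a byte blob."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in WIDE_RE.finditer(blob):
        yield m.group().decode("utf-16-le")


def extract_urls(blob):
    """Return the sorted, de-duplicated set of URLs embedded in the blob."""
    urls = set()
    for s in extract_strings(blob):
        urls.update(URL_RE.findall(s))
    return sorted(urls)


def defang(url):
    """Rewrite http(s):// to hxxp(s):// so the URL is not clickable in a write-up."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def group_by_host(urls):
    """Group defanged URLs by hostname so each server's file list stands out."""
    by_host = defaultdict(list)
    for u in urls:
        by_host[urlsplit(u).hostname].append(defang(u))
    return dict(by_host)


if __name__ == "__main__":
    for host, paths in group_by_host(extract_urls(SAMPLE)).items():
        print(host, paths)
```

On a real dropper, run it over the whole file read as bytes; the wide-string pass is what catches URLs that a plain ASCII `strings` run misses.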
Cheers and stay safe !