2013-04-14

It's been a while since I posted a report on this blog. Now we are posting a RedKit infection we traced back to the Ukrainian hosting server at 91.206.200.199. The report points us to a suspicious IP which is used by RedKit as an infection source; the suspected payload server is there, in some of the domains used by the bad actors.

The difference between my previous analysis and this one is that this one was analyzed and written purely from a "weaponized" OS X, with my bunch of FreeBSD tools recompiled on it.

I hope this write-up can serve as a how-to for my friends who use the same OS X environment. So for Mac users, especially those of you who are familiar with UNIX/Linux command lines, don't be in a hurry to switch to another "X" OS for analysis; in my test-drive while writing this post, it proved that OS X is more than enough to do a deep analysis of any threat.
OK, here we go!

It all begins with the infected site at the URL below:


During access to the site I recorded the connection below with the X11-based Wireshark:


If we follow the stream within one HTTP response, it shows the request for infection below:


We saw 4 or 5 redirections in a row when accessing the infector site above. So I grabbed the "anti-aging-c-35.html?p___=" to see whether the redirecting IFRAME code was there, as per the TextMate snippet below:

Why would a single HTML file cause 4 or 5 redirections? There must be more.. I searched the components included to view this site with the search tools below:
Then I opened my Firefox, faking the request to fool the RedKit script and to get the other files used as components of this HTML, and found the same IFRAME method injected, as searched in my F*bug:

In detail, I went to the scripts containing the iframe to confirm, as per the row of snapshots below:

Seeing these, I realized that this site is (STILL) being fully used to infect.
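The check above (walking every HTML page and script the site loads and looking for a frame that is sized or styled to be invisible, or that points off-site) is easy to automate once the components are saved locally. The script below is an added example, not code from the original post; the HTML/JS inputs are constructed samples and the hostnames in them (example-shop.test, injected-host.test, second-host.test) are placeholders.

```python
"""Scan saved site components (HTML pages and JS files) for injected IFRAMEs.

Added example, not the original post's code. The two inputs at the bottom are
constructed samples; every hostname in them is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Style tricks commonly used to keep an injected frame out of sight:
# hidden/none, or pushed far off-screen with a large negative offset.
_HIDDEN_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(left|top)\s*:\s*-\d{3,}", re.I
)

# document.write(...'<iframe ... src=...') or el.innerHTML = '<iframe ... src=...'
_JS_IFRAME = re.compile(
    r"""(?:document\.write|\.innerHTML\s*=)\s*\(?\s*['"][^'"]*?<iframe[^>]*?src\s*=\s*\\?['"]?([^'"\\\s>]+)""",
    re.I | re.S,
)


def _tiny(value):
    """True for width/height of 0 or 1 pixel (the classic injected-frame sizing)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collect <iframe> tags that look injected: tiny, hidden, or pointing off-site."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        src = a.get("src", "")
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny")
        if _HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        host = urlsplit(src).hostname
        if host and host != self.page_host:
            reasons.append("external:" + host)
        if reasons:
            self.hits.append({"src": src, "reasons": reasons})


def find_injected_iframes(html, page_host):
    """Return a list of {'src', 'reasons'} for suspicious frames in an HTML page."""
    parser = _IframeCollector(page_host.lower())
    parser.feed(html)
    return parser.hits


def find_script_iframes(js):
    """Return iframe src URLs written from JavaScript (document.write / innerHTML).

    String-concatenation splits such as '<ifr'+'ame' are joined first, because
    that is a cheap trick injected scripts use to dodge a plain grep for <iframe>.
    """
    joined = re.sub(r"""['"]\s*\+\s*['"]""", "", js)
    return _JS_IFRAME.findall(joined)


# Constructed samples (placeholders, not captured content).
SAMPLE_HTML = """<html><head><title>shop</title></head><body>
<p>Anti-aging products</p>
<iframe src="http://www.example-shop.test/promo.html" width="300" height="200"></iframe>
<iframe src="http://injected-host.test/anti-aging-c-35.html?p=1" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-5000px"></iframe>
</body></html>"""

SAMPLE_JS = """function init(){ /* legitimate site code */ }
document.write('<ifr'+'ame src=\\'http://second-host.test/in.php\\' width=1 height=1></iframe>');
"""

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML, "www.example-shop.test"):
        print("HTML:", hit["src"], hit["reasons"])
    for url in find_script_iframes(SAMPLE_JS):
        print("JS  :", url)
```

Run it over every file Firebug shows the page loading; a frame that is both 1x1 and off-site is almost never legitimate, and the JS matcher catches the same IFRAME method when it is written from a script rather than sitting in the HTML.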

I further checked whether the infector site's domain is legitimate or not:

Well.. it ends up being a legitimate hacked site.. in GoDaddy's network..

Out of curiosity I studied the conditions needed to grab this file from the HTTP request headers logged below:

I turned to the redirected infector, and also checked it with the browser to find the request & response result, as below..

Don't trust GUI results too much? Me neither. So I reproduced the access:

Yes, the "switch" of the infector was turned "off" at the moment the log was taken.. too bad..
So always remember rule number one: never do too much "HTTP-banging" when dealing with RedKit infectors :-)

Anyhow, let's study the site used as the second infector:

hmm, a Japanese legitimate domain, a legitimate SOHO business, on a hosting service too..

.. and good! It is under our jurisdiction to clean up.

Fortunately, this is an infector I always keep an eye on, and I always log the "good response" as documentation; it contained the landing page that can be used as PoC, as pasted here -->>[HERE]
Now let's look at the suspicious data in that landing page.. hoping to see the interesting URL for the exploit infector, or maybe a payload?

A Snip of Exploit Kit Landing Page

The plugin detection used...

we have a heavily customized old version of PluginDetect :-)

As it is, the OS detection..

The conditions for the BSD OSes are always empty anyway :-) Maybe next time I should test OpenBSD for accessing this?

An interesting "status" flag that is pointed to after detecting Java:

As with Adobe Reader, below is the initialization for infection with the Pdf-Ctrl function..

..with the handling after the version flag is detected...

This is the part where the HTML file gets injected with the IFRAME:

And the variables used for infection are at the beginning of the script:

This is it: the use of the 897.pdf exploit to infect with the malware.

The file is currently unavailable (smile), or has tango moved faster?

I used both previous infector URL referers to re-check and the results were the same. Well, at least we're sure now that no harmless site would have a script working as described, and that is good enough for the clean-up purpose. So let's investigate the network & infection records further.

What's with 91.206.200.199 ?

This is the main course of this story, actually. As we can see, marykay-duka.kharkov.ua is a domain served by a Ukrainian hosting service. The IP is officially owned by this host, with the reverse IP registered by:

Which is a confirmed hosting service IP address:

The thing is, so many web infections end up at this address:

One of the above infected URLs has a payload snapshot:

Thus, the pDNS command line combined with the domain checker script we posted in our Google Project can extract more domains used by the malware infectors, along with their current ALIVE status:

Well, this is a hosting server.. so it has many domains.. Sure it does.
I didn't say that all 44 domains registered at this IP are verdicted bad, but some dangerous infectors with RedKit and other Exploit Kit infectors are found ending up at this IP.
( This is the list of active domains in 91.206.200.199 -->>[PASTEBIN] )
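The pDNS-plus-checker step above boils down to two things: collect every domain that has ever had an A record at the IP, then resolve each one now and see whether it still lands there (ALIVE), has moved to another IP, or no longer resolves. The script below is an added example, not the checker from our Google Project; its tab-separated pDNS layout is an assumption (real pDNS tools have their own formats), the records are constructed samples, and every domain except marykay-duka.kharkov.ua is a placeholder.

```python
"""Group passive-DNS records by IP and re-check which domains still resolve there.

Added example (not the domain checker from the post's Google Project).
The pDNS lines are constructed samples in an assumed layout:
    domain<TAB>rrtype<TAB>rdata<TAB>first_seen<TAB>last_seen
"""
import socket

SUSPECT_IP = "91.206.200.199"  # the hosting IP discussed in the post

# Constructed sample output; *.test domains are placeholders.
SAMPLE_PDNS = """\
marykay-duka.kharkov.ua\tA\t91.206.200.199\t2013-03-01\t2013-04-13
placeholder-one.test\tA\t91.206.200.199\t2012-11-20\t2013-04-10
placeholder-two.test\tA\t91.206.200.199\t2012-06-02\t2012-12-30
placeholder-two.test\tA\t198.51.100.7\t2013-01-05\t2013-04-12
unrelated.test\tA\t203.0.113.9\t2013-02-01\t2013-04-01
malformed line without tabs
"""


def parse_pdns(text):
    """Yield (domain, ip, first_seen, last_seen) for A records; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 5 or parts[1] != "A":
            continue
        domain, _, ip, first, last = parts
        yield domain.lower().rstrip("."), ip, first, last


def domains_for_ip(text, ip):
    """Return {domain: latest last_seen} for every domain that has pointed at `ip`."""
    seen = {}
    for domain, rec_ip, _, last in parse_pdns(text):
        # ISO dates compare correctly as strings, so keep the newest sighting.
        if rec_ip == ip and last > seen.get(domain, ""):
            seen[domain] = last
    return seen


def live_resolve(domain):
    """Resolve with the system resolver; returns the set of IPv4s, empty on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def alive_status(text, ip, resolver=live_resolve):
    """Classify each historical domain as 'alive' (still resolves to ip),
    'moved:<ips>' (resolves elsewhere) or 'dead' (no longer resolves).

    `resolver` is injectable so the logic can be checked without network access.
    """
    status = {}
    for domain in sorted(domains_for_ip(text, ip)):
        current = resolver(domain)
        if ip in current:
            status[domain] = "alive"
        elif current:
            status[domain] = "moved:" + ",".join(sorted(current))
        else:
            status[domain] = "dead"
    return status


if __name__ == "__main__":
    # Live run: this does real DNS lookups for the sample domains.
    for domain, state in alive_status(SAMPLE_PDNS, SUSPECT_IP).items():
        print(f"{domain:40} {state}")
```

The "moved" bucket is worth keeping separate from "dead": a domain that used to sit on the suspect IP and now resolves elsewhere is a lead on where the operation went, which a plain alive/dead check would throw away.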

Furthermore, the domain used for infection in our case belongs to the info below:

If my deduction is correct, either this hosting is also being hacked to be used for infection OR ... (Our Tango Team is investigating further now).
The bottom line is, in the meantime please keep an eye on suspicious accesses which lead to 91.206.200.199. And all of the network analysis was conducted via the OS X Terminal :-)

References

The numbers below are links to the infection references that can be used for our infector dismantling (TangoDown) purpose:

[1] [2] [3] [4] [5]
