MMD-0009-2013 - RunForrestRun DGA "Comeback" with new obfuscation

I was mentioned by our friend (thanks for the notification, Bart!) regarding the detected RunForrestRun DGA obfuscation code, as per the tweet below:

Yes, I fetched it and took a look:

--2013-11-02 17:06:54--  h00p://portail-val-de-loir.com/
Resolving portail-val-de-loir.com... seconds 0.00, 85.10.130.29
Caching portail-val-de-loir.com => 85.10.130.29
Connecting to portail-val-de-loir.com|85.10.130.29|:80... seconds 0.00, connected.
:
GET / HTTP/1.0
Referer: remember.us.malwaremustdie.org
Host: portail-val-de-loir.com
HTTP request sent, awaiting response...
:
HTTP/1.1 200 OK
Date: Sat, 02 Nov 2013 08:06:30 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny13 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Thu, 12 Jul 2012 01:52:59 GMT
ETag: "18f21da-32bd2b-4c498391b34c0"
Accept-Ranges: bytes
Content-Length: 3325227
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
:
200 OK
Registered socket 1896 for persistent reuse.
Length: 3325227 (3.2M) [text/html]
Saving to: `index.html'
100%[============================>] 3,325,227 103K/s in 39s
2013-11-02 17:07:35 (83.0 KB/s) - `index.html' saved [3325227/3325227]
This is a really bad case of code injection: the index.html was injected more than 50 times with the obfuscated JavaScript code. The sample is here, password=infected -->>[MMD Mediafire]. The obfuscation method has been improved, as per the marked parts below, by imitating the look of the script used by Google Analytics:

The first decoding step can be viewed here -->>[MMD Pastebin]
And the result is the well-known DGA code below:

This is exactly the same code as in our case posted on July 23, 2013, here-->>[MMD PREV.POST]

So we have been seeing RunForrestRun for almost one year, and the logic hasn't changed a bit. In case someone meets a similar case or code in the future, I made a simple script for you to use, as per the snipped code and "howto" below:

// manual crack...@unixfreaxjp
// Erase the whole setTimeout(function () {...}) block; we don't need that mess.
// Replace it with the code below
// (make sure you keep the rest of the functions, i.e. generatePseudoRandomString and its helpers).
// The code:

var nextday = new Date();                 // hours/minutes stay at run time
nextday.setFullYear(2013);
for (var yyy = 0; yyy < 12; yyy++) {      // getMonth() is 0-11; month 12 would roll into 2014
  nextday.setMonth(yyy, 1);
  var lastDay = new Date(2013, yyy + 1, 0).getDate();   // number of days in this month
  for (var xxx = 1; xxx <= lastDay; xxx++) {            // day 32 would roll into the next month
    var unix = Math.round(nextday.setDate(xxx) / 1000); // unix seconds, which is what the DGA takes
    var domainName = generatePseudoRandomString(unix, 16, 'ru');
    document.write(xxx + " | " + domainName + " | " + nextday + "\n");
  }
}
Using the script above you can extract the domains per date, as in the snippet below:
1 | oxkjnvhjnvnegtyb.ru | Tue Oct 01 2013 17:36:40 GMT+0900
2 | bloxgsfzinxmdspt.ru | Wed Oct 02 2013 17:36:40 GMT+0900
3 | mxpgggggukxqteoy.ru | Thu Oct 03 2013 17:36:40 GMT+0900
4 | yjsovtnpgbwqcbbd.ru | Fri Oct 04 2013 17:36:40 GMT+0900
5 | lwtcxuzbdrsnpqfb.ru | Sat Oct 05 2013 17:36:40 GMT+0900
6 | xiwlnutkxsqxwjge.ru | Sun Oct 06 2013 17:36:40 GMT+0900
7 | kwyyhhqtwxupnhyu.ru | Mon Oct 07 2013 17:36:40 GMT+0900
8 | wicjgufeimlbmcus.ru | Tue Oct 08 2013 17:36:40 GMT+0900
9 | ivewawjppavmkhwx.ru | Wed Oct 09 2013 17:36:40 GMT+0900
10 | uihgxtcniyolbobp.ru | Thu Oct 10 2013 17:36:40 GMT+0900
11 | hvitmnanuzbabudp.ru | Fri Oct 11 2013 17:36:40 GMT+0900
12 | thldkvcgbkzcbfxw.ru | Sat Oct 12 2013 17:36:40 GMT+0900
13 | gunqeyhnrhskxjdr.ru | Sun Oct 13 2013 17:36:40 GMT+0900
14 | shqyztdrsofsjnib.ru | Mon Oct 14 2013 17:36:40 GMT+0900
15 | eusngyfurlziprua.ru | Tue Oct 15 2013 17:36:40 GMT+0900
((snipped))
The complete list for 709 days is extracted here --->>[MMD PASTEBIN]
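As an added example (not the original post's snippet and not the malware's own code), here is a stand-alone Node.js enumerator for the same DGA that needs no browser and no pasting into the deobfuscated script. The RandomNumberGenerator and generatePseudoRandomString bodies are reconstructed from the publicly analysed 2012 RunForrestRun sample and are an assumption here; compare the constants with your own deobfuscated copy before trusting the output. Two behaviours worth knowing about are built in: the seed in that sample depends on the local month, day of month and a "past 12:00" bit only (so there are at most two domains per day, and the machine's local time zone matters, just as the victim's browser time zone did), and the loop walks real calendar dates only, so no month-13 or day-32 roll-over and no duplicate lines.

```javascript
// Added example: stand-alone enumerator for the RunForrestRun DGA (Node.js).
// The two generator functions are RECONSTRUCTED from the public 2012 sample
// (an assumption; compare the constants with your own deobfuscated copy).
function RandomNumberGenerator(unix) {
  var d = new Date(unix * 1000);            // local time, as in the victim's browser
  var s = d.getHours() > 12 ? 1 : 0;        // the seed only changes twice a day
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + Math.round(s * 0xFFF);
  this.A = 48271;                           // Park-Miller style LCG, but with float division
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
}

RandomNumberGenerator.prototype.next = function () {
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  this.seed = test > 0 ? test : test + this.M;
  return this.seed * this.oneOverM;         // in (0, 1]
};

function generatePseudoRandomString(unix, length, zone) {
  var rand = new RandomNumberGenerator(unix);
  var letters = 'abcdefghijklmnopqrstuvwxyz';
  var str = '';
  for (var i = 0; i < length; i++) {
    str += letters[Math.round((letters.length - 1) * rand.next())];
  }
  return str + '.' + zone;
}

function isoDate(d) {
  var mm = ('0' + (d.getMonth() + 1)).slice(-2);
  var dd = ('0' + d.getDate()).slice(-2);
  return d.getFullYear() + '-' + mm + '-' + dd;
}

// Enumerate every distinct domain for one calendar year.
// Returns [{ date: 'YYYY-MM-DD', half: 'am'|'pm', domain: '...' }, ...], deduplicated.
function enumerateDomains(year, zone) {
  zone = zone || 'ru';
  var seen = {};
  var out = [];
  for (var month = 0; month < 12; month++) {
    var lastDay = new Date(year, month + 1, 0).getDate();   // days in this month
    for (var day = 1; day <= lastDay; day++) {
      var halves = [['am', 6], ['pm', 18]];                  // one sample per seed value
      for (var h = 0; h < halves.length; h++) {
        var when = new Date(year, month, day, halves[h][1], 0, 0);
        var unix = Math.round(when.getTime() / 1000);
        var domain = generatePseudoRandomString(unix, 16, zone);
        if (seen[domain]) continue;
        seen[domain] = true;
        out.push({ date: isoDate(when), half: halves[h][0], domain: domain });
      }
    }
  }
  return out;
}

// Plain-text blocklist (one domain per line) for RPZ / proxy denylists.
function blocklist(year, zone) {
  return enumerateDomains(year, zone).map(function (e) { return e.domain; }).join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  var year = parseInt(process.argv[2] || '2013', 10);
  enumerateDomains(year).forEach(function (e) {
    console.log(e.date + ' ' + e.half + ' | ' + e.domain);
  });
}
```

Run it as `TZ=Asia/Tokyo node dga.js 2013` to reproduce the post's time zone (GMT+0900); if the reconstruction is exact, the 2013-10-01 pm line should show the same oxkjnvhjnvnegtyb.ru as the snippet above, and a mismatch there means the constants in your sample differ. Feed `blocklist(2014)` to your resolver's RPZ or proxy denylist ahead of time rather than chasing domains one day at a time.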

And with our useful tools here--->>[MMD Google Code], following the DGA procedure wiki here-->>[MMD Wiki], I came to the result that the domains below are activated NOW (format: domain, IP, DNS, and DATE):

yalkzsvudybexfgd.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 16 
lomxtgmgrswlgrrn.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Apr 17
wzbdwenwshfzglwt.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 17
jnfrqmekhoevppvw.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 18
vygzhvfiuommkqfj.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 19
imjosxuhbcdonrco.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Aug 20
bhigmqckbqhleqlo.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 06
nsjosicxuhpidhlp.ru, 91.233.244.102, dns1.webdrive.ru.,dns2.webdrive.ru. | Nov 07
I also found that the domains below are blocked/sinkholed:
gatrxzmokglyvnqh.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
smvydqivtigcadxb.ru, 195.22.26.253, 195.22.26.254, ns1.csof.net. ns2.csof.net.
I can say the reputation of IP 91.233.244.102 is not good:
Virus Total history (with thanks!) -->>[HERE]
URLQuery records (many thanks) -->>[URLQuery]

Sometimes the bad guys have unique ways of greeting us! :-))

Below are the bad URLs that can be switched live:

h00p://yalkzsvudybexfgd.ru/runforestrun?sid=botnet2
h00p://lomxtgmgrswlgrrn.ru/runforestrun?sid=botnet2
h00p://wzbdwenwshfzglwt.ru/runforestrun?sid=botnet2
h00p://jnfrqmekhoevppvw.ru/runforestrun?sid=botnet2
h00p://vygzhvfiuommkqfj.ru/runforestrun?sid=botnet2
h00p://imjosxuhbcdonrco.ru/runforestrun?sid=botnet2
h00p://bhigmqckbqhleqlo.ru/runforestrun?sid=botnet2
h00p://nsjosicxuhpidhlp.ru/runforestrun?sid=botnet2
Just in case, I recorded them all in URLQuery (thanks, guys!):
http://urlquery.net/report.php?id=7388672
http://urlquery.net/report.php?id=7388677
http://urlquery.net/report.php?id=7388681
http://urlquery.net/report.php?id=7388683
http://urlquery.net/report.php?id=7388687
http://urlquery.net/report.php?id=7388692
http://urlquery.net/report.php?id=7388694
http://urlquery.net/report.php?id=7388701
All of the detected domains were registered via REGGI.RU in the Russian Federation:
domain: YALKZSVUDYBEXFGD.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.11.02 13:21:36 MSK

domain: LOMXTGMGRSWLGRRN.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.04.15
paid-till: 2014.04.15
free-date: 2014.05.16
source: TCI
Last updated on 2013.11.02 13:21:36 MSK

domain: WZBDWENWSHFZGLWT.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:21:36 MSK

domain: JNFRQMEKHOEVPPVW.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:26:32 MSK

domain: VYGZHVFIUOMMKQFJ.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:26:32 MSK

domain: IMJOSXUHBCDONRCO.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2013.08.16
paid-till: 2014.08.16
free-date: 2014.09.16
source: TCI
Last updated on 2013.11.02 13:26:32 MSK

domain: BHIGMQCKBQHLEQLO.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.11.02 13:31:37 MSK

domain: NSJOSICXUHPIDHLP.RU
nserver: dns1.webdrive.ru.
nserver: dns2.webdrive.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: REGGI-REG-RIPN
admin-contact: https://panel.reggi.ru/user/whois/webmail/
created: 2012.11.06
paid-till: 2013.11.06
free-date: 2013.12.07
source: TCI
Last updated on 2013.11.02 13:31:37 MSK
And the IP information also points to a St. Petersburg IDC:
$ whois 91.233.244.102

% Information related to '91.233.244.0 - 91.233.245.255'

inetnum: 91.233.244.0 - 91.233.245.255
netname: OLBORG-NET
descr: Olborg Ltd
descr: St.Petersburg
country: RU
admin-c: OLCR1-RIPE
tech-c: OLCR1-RIPE
status: ASSIGNED PI
mnt-by: OLBORG-MNT
mnt-by: RIPE-NCC-END-MNT
mnt-routes: OLBORG-MNT
mnt-domains: OLBORG-MNT
source: RIPE # Filtered

role: Olborg Ltd - Contact Role
address: Olborg Ltd
address: St.Petersburg, Russia
abuse-mailbox: [email protected]
remarks: *************************************************
remarks: * For spam/abuse/security issues please contact *
remarks: * [email protected] , not this address *
remarks: *************************************************
org: ORG-OL89-RIPE
admin-c: AK8017-RIPE
tech-c: AK8017-RIPE
nic-hdl: OLCR1-RIPE
mnt-by: OLBORG-MNT
source: RIPE # Filtered

% Information related to '91.233.244.0/23AS57636'

route: 91.233.244.0/23
descr: Olborg Ltd.
origin: AS57636
mnt-by: OLBORG-MNT
source: RIPE # Filtered
I really hope to see all domains in this logic blocked; otherwise they will surely come back with much better obfuscation.

#MalwareMustDie!!