As some of you know, I was born in France and although now living in Canada I still keep a strong connection there.
France is a lovely country, its people… meh… maybe not so much. Anyway, vacationing in France is still a treat especially if you go down south near the sea.
The following site (www.vacancesasete.com) helps you book your vacation in the beautiful city of Sete.
It’s all good except that the site has been hacked and is infecting people who browse to it.
You can see the full report here.
However, finding the source of the infection turned out to be somewhat challenging. The actual page itself does not contain any malicious code such as the obvious iframe or javascript obfuscated code.
You can tell they are using WordPress and determine it is version from the main page’s html:
The current and latest WordPress version is 3.1.2.
So, here is the sequence I observed when loading the page:
My guess was that one of this plugins was responsible for the malware redirect to: trip11209.cz.cc/js/jquery.min.php
The server is poorly secure as you can navigate its folder structure:
One file I had strong suspicions about is mootools-1.2.4.4-more.js. JSunpack analysis here.
Mootools is a javascript framework. mootools-1.2.4.4-more.js is an older version, but you can still download it from here: mootools.net/download/get/mootools-1.2.4-core-yc.js
I compared it with the one loaded by the site and immediately noticed a difference in size: 65.2 KB Vs 66.7 KB.
The beginning of the file is identical but at the very end is new code:
Kudos to the writer for using legit sounding variable names (var div_colors, var colors_picked).
This whole code is a custom made algorithm that will write a malicious javascript. You can have the string printed by modifying the code and saving the file as html:
Which gives you this:
It turns out this particular infection is really common:
Here is a look at the malicious payload:
Initial contact: trip11209.cz.cc/js/jquery.min.php (IP: 178.162.190.233; location: Frankfurt Germany)
Malicious PDF: 33129brownsvill.cz.cc/06f3bd.pdf (IP: 46.108.225.42; location: Bucharest, Romania)
Malicious Java Applet: morluzius.cz.cc/mndrtdsf.jar (Same as above)
Let’s do some digging on 46.108.225.42:
Ciprian Moldoveanu
iTelecom
Aleea Mozaicului Nr. 4
Bucharest, RO
The graph above is not actually complete. You can add ‘letbeservice.ru‘ to the list.
The ASN (AS50244) is notorious for hosting badness:
MalwareDomainlist report here.
Google Safe Browsing report here.
Back to our initial infection, the final payload is FakeAV, this one being called MS Removal Tool:
Virus Total detection is 7/43 (report here).
If you are infected with this rogue AV, please do not buy the license for it!
It is a pure rip-off that will cause you no end of troubles.
The payment page is hosted at: 46.161.10.220/b.php?affid= which also happens to be located in Bucharest, Romania.
ASN is AS29073. It turns out my friend Steven Burn has blogged about it before: AS29073 Ecatel: Need more proof of their being crimeware friendly?
Online criminals are raking in huge amounts of money from fake AV. They use exploit toolkits to compromise popular websites, infect computers and ‘sell’ bogus software.
There is a good read about cyber-criminals from Romania (How a Remote Town in Romania Has Become Cybercrime Central) which was published in January of 2011.
According to the story, luxury cars are plenty in this town. I thought I’d check for myself, by doing a Google Street View for Ramnicu Valcea:
Yes, a nice and shiny BMW…
Cybercrime is a billion dollar economy, no doubt about that.
Jerome Segura
Leave a reply
