Sunday, May 24, 2009

bulkbin.cn - strange AS - part 0.1

Hi there,

Looking around, some URLs related to bulkbin.cn were found.

The following malicious URLs were found (replace \ with / if you are interested):

http:\\azure.rr.nu\
http:\\adolas.passingg.as\
http:\\cemuryje.byinter.net\
http:\\costens.byinter.net\
http:\\colifit.redirect.hm\

All of the URLs above share a common point: a JavaScript redirector.

Specifically, for each URL the following reports the name of the JavaScript redirector, an abstract of the array that contains the redirector code, and the key needed to obtain the clear HTML code:

http:\\azure.rr.nu\
javascript redirector:
yfoqklmcoxthgybyu.js
abstract of array that contains HTML redirector:
var str = ["206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "206", "211", "224", "138", "221", "222", "227", "214", "207", "167", "140", "217", "224", "207", "220", "208", "214", "217", "225", "164", "203", "223", "222", "217", "165", "138", "210", "207", "211", "209", "210", "222", "164", "138", "155", "218", "226", "165", "138", "225", "211", "206", "222", "210", "164", "138", "160", "154", "154", "218", "226", "165", "140", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "203", "204", "214", "207", "138", "225", "211", "206", "222", "210", "167", "140", "155", "154", "154", "143", "140", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "220", "168", "145", "147", "165", "119", "116", "206", "217", "205", "223", "215", "207", "216", "222", "152", "225", "220", "211", "222", "207", "146", "145", "166", "222", "206", "138", "211", "206", "167", "140", "208", "211", "220", "221", "222", "140", "168", "190", "210", "211", "221", "138", "211", "221"....
decoder key:
ss = str[i] - 106;

http:\\adolas.passingg.as\
javascript redirector:
tqewcmvdltvtunbrozlo.js
abstract of array that contains HTML redirector:
var str = ["713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "713", "718", "731", "645", "728", "729", "734", "721", "714", "674", "647", "724", "731", "714", "727", "715", "721", "724", "732", "671", "710", "730", "729", "724", "672", "645", "717", "714", "718", "716", "717", "729", "671", "645", "662", "725", "733", "672", "645", "732", "718", "713", "729", "717", "671", "645", "667", "661", "661", "725", "733", "672", "647", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "710", "711", "721", "714", "645", "732", "718", "713", "729", "717", "674", "647", "662", "661", "661", "650", "647", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "727", "675", "652", "654", "672", "626", "623", "713", "724", "712", "730", "722", "714", "723", "729", "659", "732", "727", "718", "729", "714", "653", "652", "673", "729", "713", "645", "718", "713", "674", "647", "715", "718", "727", "728", "729", "647", "675", "697", "717", "718", "728", "645", "718", "728",....
decoder key:
ss = str[i] - 613;

http:\\cemuryje.byinter.net\
javascript redirector:
iddcvesism.js
abstract of array that contains HTML redirector:
var str = ["558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "558", "563", "576", "490", "573", "574", "579", "566", "559", "519", "492", "569", "576", "559", "572", "560", "566", "569", "577", "516", "555", "575", "574", "569", "517", "490", "562", "559", "563", "561", "562", "574", "516", "490", "507", "570", "578", "517", "490", "577", "563", "558", "574", "562", "516", "490", "512", "506", "506", "570", "578", "517", "492", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "555", "556", "566", "559", "490", "577", "563", "558", "574", "562", "519", "492", "507", "506", "506", "495", "492", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "572", "520", "497", "499", "517", "471", "468", "558", "569", "557", "575", "567", "559", "568", "574", "504", "577", "572", "563", "574", "559", "498", "497", "518", "574", "558", "490", "563", "558", "519", "492", "560", "563", "572", "573", "574", "492", "520", "542", "562", "563", "573", "490", "563", "573",
decoder key:
ss = str[i] - 458;

http:\\costens.byinter.net\
javascript redirector:
dmozgpkfxiusbwf.js
abstract of array that contains HTML redirector:
var str = ["990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "990", "995", "1008", "922", "1005", "1006", "1011", "998", "991", "951", "924", "1001", "1008", "991", "1004", "992", "998", "1001", "1009", "948", "987", "1007", "1006", "1001", "949", "922", "994", "991", "995", "993", "994", "1006", "948", "922", "939", "1002", "1010", "949", "922", "1009", "995", "990", "1006", "994", "948", "922", "944", "938", "938", "1002", "1010", "949", "924", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "987", "988", "998", "991", "922", "1009", "995", "990", "1006", "994", "951", "924", "939", "938", "938", "927", "924", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "1004", "952", "929", "931", "949", "903", "900", "990", "1001", "989", "1007", "999", "991", "1000", "1006", "936", "1009", "1004", "995", "1006", "991", "930", "929", "950", "1006", "990", ...
decoder key:
ss = str[i] - 890;

http:\\colifit.redirect.hm\
javascript redirector:
cajhrwljjnwerpvjrriw.js
abstract of array that contains HTML redirector:
var str = ["882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "882", "887", "900", "814", "897", "898", "903", "890", "883", "843", "816", "893", "900", "883", "896", "884", "890", "893", "901", "840", "879", "899", "898", "893", "841", "814", "886", "883", "887", "885", "886", "898", "840", "814", "831", "894", "902", "841", "814", "901", "887", "882", "898", "886", "840", "814", "836", "830", "830", "894", "902", "841", "816", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "879", "880", "890", "883", "814", "901", "887", "882", "898", "886", "843", "816", "831", "830", "830", "819", "816", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "896", "844", "821", "823", "841", "795", "792", "882", "893", "881", "899", "891", "883", "892", "898", "828", "901", "896", "887", "898", "883", "822", "821", "842", "898", "882", "814", "887", "882", "843", "816", "884", "887", "896", "897", "898", "816", "844", "866", "886", "887", "897",
decoder key:
ss = str[i] - 782;
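As an added example (not code from the original post), the decoder below reproduces the ss = str[i] - key step for these arrays. It assumes, as a known-plaintext check, that every decoded redirector begins with document.write( and uses that to recover the key instead of trusting the one in the script; the sample inputs are the first 76 values of the azure.rr.nu array and the first 17 of the adolas.passingg.as array quoted above.

```python
import re

# Known-plaintext assumption: every decoded redirector on the page begins with
# document.write(, so the key is the constant offset between the leading array
# values and that prefix.
KNOWN_PREFIX = "document.write("

def parse_str_array(js_fragment):
    """Pull the numeric strings out of a 'var str = ["206", "217", ...]' fragment."""
    return [int(n) for n in re.findall(r'"(\d+)"', js_fragment)]

def infer_key(codes, known_prefix=KNOWN_PREFIX):
    """Recover the subtractive key (the 106, 613, ... of the decoder lines).
    Every prefix position must agree on one offset; otherwise return None."""
    if len(codes) < len(known_prefix):
        return None
    offsets = {c - ord(p) for c, p in zip(codes, known_prefix)}
    return offsets.pop() if len(offsets) == 1 else None

def decode(codes, key):
    """Apply ss = str[i] - key to every element and join into the clear script."""
    return "".join(chr(c - key) for c in codes)

def decode_fragment(js_fragment):
    """Parse, infer the key and decode; returns (key, clear_text) or (None, None)."""
    codes = parse_str_array(js_fragment)
    key = infer_key(codes)
    return (key, decode(codes, key)) if key is not None else (None, None)

# Sample input: the first 76 values of the azure.rr.nu array quoted above
# (exactly one decoded line of the redirector).
AZURE_FRAGMENT = (
    'var str = ["206", "217", "205", "223", "215", "207", "216", "222", "152", "225", '
    '"220", "211", "222", "207", "146", "145", "166", "206", "211", "224", '
    '"138", "221", "222", "227", "214", "207", "167", "140", "217", "224", '
    '"207", "220", "208", "214", "217", "225", "164", "203", "223", "222", '
    '"217", "165", "138", "210", "207", "211", "209", "210", "222", "164", '
    '"138", "155", "218", "226", "165", "138", "225", "211", "206", "222", '
    '"210", "164", "138", "160", "154", "154", "218", "226", "165", "140", '
    '"168", "145", "147", "165", "119", "116"....'
)
# The first 17 values of the adolas.passingg.as array, which uses another key.
ADOLAS_FRAGMENT = ('var str = ["713", "724", "712", "730", "722", "714", "723", "729", '
                   '"659", "732", "727", "718", "729", "714", "653", "652", "673"....')

if __name__ == "__main__":
    for name, frag in (("azure.rr.nu", AZURE_FRAGMENT), ("adolas.passingg.as", ADOLAS_FRAGMENT)):
        key, clear = decode_fragment(frag)
        print(f"{name}: key = {key}, decoded = {clear!r}")
```

If infer_key returns None, the array is either too short or does not start with the expected document.write( prefix, and the key has to be taken from the script itself.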

The following screenshot shows the full decoded HTML redirector, common to all the URLs above:



As shown, there is a spreading web site based on (IMHO) a fake CGI script. Using Malzilla to retrieve the malicious URL with only one "CGI" parameter, another redirection stage was discovered:



Making the HTTP GET request to simulate the redirection to the URL http:\\agentival.info\scan\download.php?said=10&ver=1.0.6, a suspicious "install.exe" file appears.

From my submission to ThreatExpert there was no info about the binary:

http://www.threatexpert.com/report.aspx?md5=14077ad65fc28afa12b0f1b13c373f96

Only McAfee recognizes the binary as "new malware".

A first look at it with IDA shows some URLs:



The IP address 174.133.202.181 is the DNS A record for bulkbin.cn.

Some network info:
robtex response for 174.133.202.181:



robtex response for bulkbin.cn:


"AS? ???"


whois xgguy.com.theplanet.host?
The "AS?" may be generated for the following reason: the existence within the DNS records of a host resolved only "in zone", like xgguy.com.theplanet.host.

A strange behavior is the following:
The only AS (AS21844) detected in the picture above for 24 April 2009 was linked to the rest of the world in this manner:




While on 6 May 2009 there was a route withdrawal towards all the others, so:



Some notes:
- I know that this may depend on a misconfiguration or on a leak in the routing data sources used by BGPlay.
- AS21844 (THEPLANET-AS2, ThePlanet.com Internet Services, Inc.) may be a backup AS.

Feedback is welcome.
